kaffa/XDP-Firewall
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Rename some config constants.

Browse Source
This commit is contained in:
Christian Deacon
2025-02-22 10:05:49 -05:00
parent 50b0efa58a
commit c7a1822ce5
2 changed files with 5 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/common/config.h
View File

@@ -1,10 +1,10 @@
#pragma once #pragma once
// Feel free to comment this out if you don't want the `blocked` entry on the stats map to be incremented every single time a packet is dropped from the source IP being on the blocked map. Commenting this line out should increase performance when blocking malicious traffic. // Feel free to comment this out if you don't want the `blocked` entry on the stats map to be incremented every single time a packet is dropped from the source IP being on the blocked map. Commenting this line out should increase performance when blocking malicious traffic.
#define DOSTATSONBLOCKMAP #define DO_STATS_ON_BLOCK_MAP
// When this is defined, a check will occur inside the IPv4 and IPv6 filters. For IPv6 packets, if no IPv6 source/destination IP addresses are set, but there is an IPv4 address, it will ignore the filter. The same goes for IPv4, if there is no IPv4 source/destination IP addresses set, if an IPv6 address is set, it will ignore the filter. // When this is defined, a check will occur inside the IPv4 and IPv6 filters. For IPv6 packets, if no IPv6 source/destination IP addresses are set, but there is an IPv4 address, it will ignore the filter. The same goes for IPv4, if there is no IPv4 source/destination IP addresses set, if an IPv6 address is set, it will ignore the filter.
#define ALLOWSINGLEIPV4V6 #define ALLOW_SINGLE_IP_V4_V6
// If uncommented, rate limits for clients are determined using the source IP, port, and protocol instead of just the source IP. // If uncommented, rate limits for clients are determined using the source IP, port, and protocol instead of just the source IP.
// This allows for more precise rate limits (connection-specific instead of a single source IP). // This allows for more precise rate limits (connection-specific instead of a single source IP).

6
src/xdp/prog.c
View File

@@ -107,7 +107,7 @@ int xdp_prog_main(struct xdp_md *ctx)
} }
else else
{ {
#ifdef DOSTATSONBLOCKMAP #ifdef DO_STATS_ON_BLOCK_MAP
// Increase blocked stats entry. // Increase blocked stats entry.
if (stats) if (stats)
{ {
@@ -273,7 +273,7 @@ int xdp_prog_main(struct xdp_md *ctx)
continue; continue;
} }
#ifdef ALLOWSINGLEIPV4V6 #ifdef ALLOW_SINGLE_IP_V4_V6
if (filter->src_ip != 0 || filter->dst_ip != 0) if (filter->src_ip != 0 || filter->dst_ip != 0)
{ {
continue; continue;
@@ -334,7 +334,7 @@ int xdp_prog_main(struct xdp_md *ctx)
} }
} }
#ifdef ALLOWSINGLEIPV4V6 #ifdef ALLOW_SINGLE_IP_V4_V6
if ((filter->src_ip6[0] != 0 || filter->src_ip6[1] != 0 || filter->src_ip6[2] != 0 || filter->src_ip6[3] != 0) || (filter->dst_ip6[0] != 0 || filter->dst_ip6[1] != 0 || filter->dst_ip6[2] != 0 || filter->dst_ip6[3] != 0)) if ((filter->src_ip6[0] != 0 || filter->src_ip6[1] != 0 || filter->src_ip6[2] != 0 || filter->src_ip6[3] != 0) || (filter->dst_ip6[0] != 0 || filter->dst_ip6[1] != 0 || filter->dst_ip6[2] != 0 || filter->dst_ip6[3] != 0))
{ {
continue; continue;