Rework IPv6 header matching with dynamic filters and add packet length to logging event.

This commit is contained in:
Christian Deacon
2025-03-10 17:08:03 -04:00
parent 9ecbf7fc4a
commit c88a010aae
5 changed files with 20 additions and 14 deletions


@@ -334,25 +334,25 @@ int xdp_prog_main(struct xdp_md *ctx)
#endif
// Max TTL length.
if (filter->ip.do_max_ttl && filter->ip.max_ttl > iph6->hop_limit)
if (filter->ip.do_max_ttl && filter->ip.max_ttl < iph6->hop_limit)
{
continue;
}
// Min TTL length.
if (filter->ip.do_min_ttl && filter->ip.min_ttl < iph6->hop_limit)
if (filter->ip.do_min_ttl && filter->ip.min_ttl > iph6->hop_limit)
{
continue;
}
// Max packet length.
if (filter->ip.do_max_len && filter->ip.max_len > (ntohs(iph6->payload_len) + sizeof(struct ethhdr)))
if (filter->ip.do_max_len && filter->ip.max_len < pkt_len)
{
continue;
}
// Min packet length.
if (filter->ip.do_min_len && filter->ip.min_len < (ntohs(iph6->payload_len) + sizeof(struct ethhdr)))
if (filter->ip.do_min_len && filter->ip.min_len > pkt_len)
{
continue;
}
@@ -400,33 +400,33 @@ int xdp_prog_main(struct xdp_md *ctx)
continue;
}
// Max TTL length.
// Max TTL.
if (filter->ip.do_max_ttl && filter->ip.max_ttl < iph->ttl)
{
continue;
}
// Min TTL length.
// Min TTL.
if (filter->ip.do_min_ttl && filter->ip.min_ttl > iph->ttl)
{
continue;
}
// Max packet length.
if (filter->ip.do_max_len && filter->ip.max_len < (ntohs(iph->tot_len) + sizeof(struct ethhdr)))
if (filter->ip.do_max_len && filter->ip.max_len < pkt_len)
{
continue;
}
// Min packet length.
if (filter->ip.do_min_len && filter->ip.min_len > (ntohs(iph->tot_len) + sizeof(struct ethhdr)))
if (filter->ip.do_min_len && filter->ip.min_len > pkt_len)
{
continue;
}
}
// PPS.
if (filter->do_pps && pps < filter->pps)
if (filter->do_pps && pps < filter->pps)
{
continue;
}
@@ -564,7 +564,7 @@ int xdp_prog_main(struct xdp_md *ctx)
#ifdef ENABLE_FILTER_LOGGING
if (filter->log > 0)
{
log_filter_msg(iph, iph6, src_port, dst_port, protocol, now, pps, bps, i);
log_filter_msg(iph, iph6, src_port, dst_port, protocol, now, pps, bps, pkt_len, i);
}
#endif
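Review bot: The IPv6 hunk (around line 334) keeps the `// Max TTL length.` and `// Min TTL length.` comments while the IPv4 hunk (around line 400) shortens them to `// Max TTL.`/`// Min TTL.`; since the IPv6 branch compares `iph6->hop_limit`, `// Max hop limit.` and `// Min hop limit.` would describe it better. The flipped comparisons (`max_ttl < iph6->hop_limit`, `min_ttl > iph6->hop_limit`) now agree with the IPv4 direction, which looks right. The length checks now compare against `pkt_len`, which is declared outside these hunks; the old IPv6 expression used `payload_len` (which excludes the fixed IPv6 header) while the IPv4 one used `tot_len` (which includes the IP header), so confirm `pkt_len` is the same full-frame length on both paths, otherwise an existing `max_len`/`min_len` filter value will match IPv6 traffic differently than before. The `log_filter_msg` prototype takes `pkt_len` as a signed `int`; if `filter->ip.max_len`/`min_len` are unsigned, these comparisons mix signedness, so the declared types are worth checking. `xdp_prog_main` begins and ends outside the shown hunks.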


@@ -16,11 +16,12 @@
* @param now The timestamp.
* @param pps The current PPS rate.
* @param bps The current BPS rate.
* @param pkt_len The full packet length.
* @param filter_id The filter ID that matched.
*
* @return always 0
*/
static __always_inline int log_filter_msg(struct iphdr* iph, struct ipv6hdr* iph6, u16 src_port, u16 dst_port, u8 protocol, u64 now, u64 pps, u64 bps, int filter_id)
static __always_inline int log_filter_msg(struct iphdr* iph, struct ipv6hdr* iph6, u16 src_port, u16 dst_port, u8 protocol, u64 now, u64 pps, u64 bps, int pkt_len, int filter_id)
{
filter_log_event_t* e = bpf_ringbuf_reserve(&map_filter_log, sizeof(*e), 0);
@@ -47,6 +48,8 @@ static __always_inline int log_filter_msg(struct iphdr* iph, struct ipv6hdr* iph
e->pps = pps;
e->bps = bps;
e->length = pkt_len;
bpf_ringbuf_submit(e, 0);
}
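Review bot: `pkt_len` is introduced as a signed `int` while the neighbouring parameters (`u16 src_port`, `u64 pps`, `u64 bps`) are unsigned and a packet length is never negative; an unsigned type such as `u32 pkt_len` in the signature would be consistent and avoids a sign conversion when it is stored into `e->length`, whose type is not visible here and should be confirmed to match. The new Doxygen line could state the unit, e.g. `* @param pkt_len The full packet length in bytes, as computed by the caller.`, since how the value is derived is not part of this diff. The rest of the body of log_filter_msg, between the reservation on line 95 and the `e->pps` assignment, lies outside the shown hunks, so whether the reservation result is checked before these writes cannot be seen from here.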


@@ -6,7 +6,7 @@
#include <xdp/prog_dispatcher.h>
#if defined(ENABLE_FILTERS) && defined(ENABLE_FILTER_LOGGING)
static __always_inline int log_filter_msg(struct iphdr* iph, struct ipv6hdr* iph6, u16 src_port, u16 dst_port, u8 protocol, u64 now, u64 pps, u64 bps, int filter_id);
static __always_inline int log_filter_msg(struct iphdr* iph, struct ipv6hdr* iph6, u16 src_port, u16 dst_port, u8 protocol, u64 now, u64 pps, u64 bps, int pkt_len, int filter_id);
#endif
// The source file is included directly below instead of compiled and linked as an object because when linking, there is no guarantee the compiler will inline the function (which is crucial for performance).