kaffa/XDP-Firewall
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Rename config settings for consistency.

Browse Source
This commit is contained in:
Christian Deacon
2024-06-13 20:33:09 -04:00
parent a80458efff
commit f480f06c4b
4 changed files with 21 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
README.md
View File

@@ -34,8 +34,8 @@ As of this time, I am not aware of any NIC manufacturers that will be able to of
## Configuration File Options ## Configuration File Options
### Main ### Main
* `interface` => The interface for the XDP program to attach to. * `interface` => The interface for the XDP program to attach to.
* `updatetime` => How often to update the config and filtering rules. Leaving this at 0 disables auto-updating. * `update_time` => How often to update the config and filtering rules. Leaving this at 0 disables auto-updating.
* `nostats` => If true, no accepted/blocked packet statistics will be displayed in `stdout`. * `no_stats` => If true, no accepted/blocked packet statistics will be displayed in `stdout`.
* `stdout_update_time` => The amount of time in milliseconds to update `stdout` with counters. Default is set to `1000` (one second). * `stdout_update_time` => The amount of time in milliseconds to update `stdout` with counters. Default is set to `1000` (one second).
### Filters ### Filters
@@ -43,10 +43,10 @@ Config option `filters` is an array. Each filter includes the following options:
* `enabled` => If true, this rule is enabled. * `enabled` => If true, this rule is enabled.
* `action` => What action to perform against the packet if matched. 0 = Block. 1 = Allow. * `action` => What action to perform against the packet if matched. 0 = Block. 1 = Allow.
* `srcip` => The source IP address the packet must match (e.g. 10.50.0.3). * `src_ip` => The source IP address the packet must match (e.g. 10.50.0.3).
* `dstip` => The destination IP address the packet must match (e.g. 10.50.0.4). * `dst_ip` => The destination IP address the packet must match (e.g. 10.50.0.4).
* `srcip6` => The source IPv6 address the packet must match (e.g. fe80::18c4:dfff:fe70:d8a6). * `src_ip6` => The source IPv6 address the packet must match (e.g. fe80::18c4:dfff:fe70:d8a6).
* `dstip6` => The destination IPv6 address the packet must match (e.g. fe80::ac21:14ff:fe4b:3a6d). * `dst_ip6` => The destination IPv6 address the packet must match (e.g. fe80::ac21:14ff:fe4b:3a6d).
* `min_ttl` => The minimum TTL (time to live) the packet must match. * `min_ttl` => The minimum TTL (time to live) the packet must match.
* `max_ttl` => The maximum TTL (time to live) the packet must match. * `max_ttl` => The maximum TTL (time to live) the packet must match.
* `max_len` => The maximum packet length the packet must match. This includes the entire frame (ethernet header, IP header, L4 header, and data). * `max_len` => The maximum packet length the packet must match. This includes the entire frame (ethernet header, IP header, L4 header, and data).
@@ -54,7 +54,7 @@ Config option `filters` is an array. Each filter includes the following options:
* `tos` => The TOS (type of service) the packet must match. * `tos` => The TOS (type of service) the packet must match.
* `pps` => The maximum packets per second a source IP can send before matching. * `pps` => The maximum packets per second a source IP can send before matching.
* `bps` => The maximum amount of bytes per second a source IP can send before matching. * `bps` => The maximum amount of bytes per second a source IP can send before matching.
* `blocktime` => The time in seconds to block the source IP if the rule matches and the action is block (0). Default value is `1`. * `block_time` => The time in seconds to block the source IP if the rule matches and the action is block (0). Default value is `1`.
#### TCP Options #### TCP Options
TCP options exist in the main filter array and start with `tcp_`. Please see below. TCP options exist in the main filter array and start with `tcp_`. Please see below.
@@ -94,7 +94,7 @@ Here's an example of a config:
```squidconf ```squidconf
interface = "ens18"; interface = "ens18";
updatetime = 15; update_time = 15;
filters = ( filters = (
{ {
@@ -122,7 +122,7 @@ filters = (
{ {
enabled = true, enabled = true,
action = 0, action = 0,
srcip = "10.50.0.4" src_ip = "10.50.0.4"
} }
); );
``` ```

14
src/config.c
View File

@@ -159,7 +159,7 @@ int readcfg(struct config *cfg)
// Get auto update time. // Get auto update time.
int updatetime; int updatetime;
if (config_lookup_int(&conf, "updatetime", &updatetime) == CONFIG_TRUE) if (config_lookup_int(&conf, "update_time", &updatetime) == CONFIG_TRUE)
{ {
cfg->updatetime = updatetime; cfg->updatetime = updatetime;
} }
@@ -175,7 +175,7 @@ int readcfg(struct config *cfg)
// Get no stats. // Get no stats.
int nostats; int nostats;
if (config_lookup_bool(&conf, "nostats", &nostats) == CONFIG_TRUE) if (config_lookup_bool(&conf, "no_stats", &nostats) == CONFIG_TRUE)
{ {
cfg->nostats = nostats; cfg->nostats = nostats;
} }
@@ -230,7 +230,7 @@ int readcfg(struct config *cfg)
// Source IP (not required). // Source IP (not required).
const char *sip; const char *sip;
if (config_setting_lookup_string(filter, "srcip", &sip)) if (config_setting_lookup_string(filter, "src_ip", &sip))
{ {
cfg->filters[i].srcip = inet_addr(sip); cfg->filters[i].srcip = inet_addr(sip);
} }
@@ -238,7 +238,7 @@ int readcfg(struct config *cfg)
// Destination IP (not required). // Destination IP (not required).
const char *dip; const char *dip;
if (config_setting_lookup_string(filter, "dstip", &dip)) if (config_setting_lookup_string(filter, "dst_ip", &dip))
{ {
cfg->filters[i].dstip = inet_addr(dip); cfg->filters[i].dstip = inet_addr(dip);
} }
@@ -246,7 +246,7 @@ int readcfg(struct config *cfg)
// Source IP (IPv6) (not required). // Source IP (IPv6) (not required).
const char *sip6; const char *sip6;
if (config_setting_lookup_string(filter, "srcip6", &sip6)) if (config_setting_lookup_string(filter, "src_ip6", &sip6))
{ {
struct in6_addr in; struct in6_addr in;
@@ -261,7 +261,7 @@ int readcfg(struct config *cfg)
// Destination IP (IPv6) (not required). // Destination IP (IPv6) (not required).
const char *dip6; const char *dip6;
if (config_setting_lookup_string(filter, "dstip6", &dip6)) if (config_setting_lookup_string(filter, "dst_ip6", &dip6))
{ {
struct in6_addr in; struct in6_addr in;
@@ -339,7 +339,7 @@ int readcfg(struct config *cfg)
// Block time (default 1). // Block time (default 1).
long long blocktime; long long blocktime;
if (config_setting_lookup_int64(filter, "blocktime", &blocktime)) if (config_setting_lookup_int64(filter, "block_time", &blocktime))
{ {
cfg->filters[i].blocktime = blocktime; cfg->filters[i].blocktime = blocktime;
} }

9
src/xdpfw.c
View File

@@ -472,9 +472,10 @@ int main(int argc, char *argv[])
// Create last updated variable. // Create last updated variable.
time_t lastupdatecheck = time(NULL); time_t lastupdatecheck = time(NULL);
time_t statslastupdated = time(NULL);
time_t lastupdated = time(NULL); time_t lastupdated = time(NULL);
unsigned int sleep_time = cfg.stdout_update_time * 1000;
while (cont) while (cont)
{ {
// Get current time. // Get current time.
@@ -510,7 +511,7 @@ int main(int argc, char *argv[])
} }
// Update stats. // Update stats.
if ((curTime - statslastupdated) > 2 && !cfg.nostats) if (!cfg.nostats)
{ {
__u32 key = 0; __u32 key = 0;
struct stats stats[MAX_CPUS]; struct stats stats[MAX_CPUS];
@@ -546,11 +547,9 @@ int main(int argc, char *argv[])
fflush(stdout); fflush(stdout);
fprintf(stdout, "\rAllowed: %llu | Dropped: %llu | Passed: %llu", allowed, dropped, passed); fprintf(stdout, "\rAllowed: %llu | Dropped: %llu | Passed: %llu", allowed, dropped, passed);
statslastupdated = time(NULL);
} }
usleep(500); usleep(sleep_time);
} }
// Detach XDP program. // Detach XDP program.

2
xdpfw.conf.example
View File

@@ -1,5 +1,5 @@
interface = "ens18"; interface = "ens18";
updatetime = 15; update_time = 15;
stdout_update_time = 1000; stdout_update_time = 1000;
filters = ( filters = (