kaffa/XDP-Firewall
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Check IP header validity everywhere else.

Browse Source
This commit is contained in:
gamemann
2021-11-12 21:12:50 +00:00
parent 437a3eb45b
commit fe09dece3a
1 changed files with 10 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
src/xdpfw_kern.c
View File

@@ -149,11 +149,11 @@ int xdp_prog_main(struct xdp_md *ctx)
// Check blacklist map. // Check blacklist map.
__u64 *blocked = NULL; __u64 *blocked = NULL;
if (eth->h_proto == htons(ETH_P_IPV6)) if (iph6)
{ {
blocked = bpf_map_lookup_elem(&ip6_blacklist_map, &srcip6); blocked = bpf_map_lookup_elem(&ip6_blacklist_map, &srcip6);
} }
else else if (iph)
{ {
blocked = bpf_map_lookup_elem(&ip_blacklist_map, &iph->saddr); blocked = bpf_map_lookup_elem(&ip_blacklist_map, &iph->saddr);
} }
@@ -167,11 +167,11 @@ int xdp_prog_main(struct xdp_md *ctx)
if (now > *blocked) if (now > *blocked)
{ {
// Remove element from map. // Remove element from map.
if (eth->h_proto == htons(ETH_P_IPV6)) if (iph6)
{ {
bpf_map_delete_elem(&ip6_blacklist_map, &srcip6); bpf_map_delete_elem(&ip6_blacklist_map, &srcip6);
} }
else else if (iph)
{ {
bpf_map_delete_elem(&ip_blacklist_map, &iph->saddr); bpf_map_delete_elem(&ip_blacklist_map, &iph->saddr);
} }
@@ -197,11 +197,11 @@ int xdp_prog_main(struct xdp_md *ctx)
struct ip_stats *ip_stats = NULL; struct ip_stats *ip_stats = NULL;
if (eth->h_proto == htons(ETH_P_IPV6)) if (iph6)
{ {
ip_stats = bpf_map_lookup_elem(&ip6_stats_map, &srcip6); ip_stats = bpf_map_lookup_elem(&ip6_stats_map, &srcip6);
} }
else else if (iph)
{ {
ip_stats = bpf_map_lookup_elem(&ip_stats_map, &iph->saddr); ip_stats = bpf_map_lookup_elem(&ip_stats_map, &iph->saddr);
} }
@@ -235,11 +235,11 @@ int xdp_prog_main(struct xdp_md *ctx)
pps = new.pps; pps = new.pps;
bps = new.bps; bps = new.bps;
if (eth->h_proto == htons(ETH_P_IPV6)) if (iph6)
{ {
bpf_map_update_elem(&ip6_stats_map, &srcip6, &new, BPF_ANY); bpf_map_update_elem(&ip6_stats_map, &srcip6, &new, BPF_ANY);
} }
else else if (iph)
{ {
bpf_map_update_elem(&ip_stats_map, &iph->saddr, &new, BPF_ANY); bpf_map_update_elem(&ip_stats_map, &iph->saddr, &new, BPF_ANY);
} }
@@ -251,7 +251,7 @@ int xdp_prog_main(struct xdp_md *ctx)
struct icmp6hdr *icmp6h = NULL; struct icmp6hdr *icmp6h = NULL;
// Check protocol. // Check protocol.
if (eth->h_proto == htons(ETH_P_IPV6)) if (iph6)
{ {
switch (iph6->nexthdr) switch (iph6->nexthdr)
{ {
@@ -292,7 +292,7 @@ int xdp_prog_main(struct xdp_md *ctx)
break; break;
} }
} }
else else if (iph)
{ {
switch (iph->protocol) switch (iph->protocol)
{ {