Add options and functionality for running with other XDP programs via xdp-loader. (#86)

There's no need to try to unpin the map if its not enabled at first. Just to prevent:

[WARNING] Failed to un-pin BPF map 'map_block6' from file system (1)

README.md

@@ -188,6 +188,7 @@ Here are more details on the layout of the runtime configuration.
 | dst_ip6 | string | `NULL` | The destination IPv6 address to match (e.g. `fe80::ac21:14ff:fe4b:3a6d`). |
 | min_ttl | int | `NULL` | The minimum TTL (time-to-live) to match. |
 | max_ttl | int | `NULL` | The maximum TTL (time-to-live) to match. |
+| min_len | int | `NULL` | The minimum packet length to match (includes the entire packet including the ethernet header and payload). |
 | max_len | int | `NULL` | The maximum packet length to match (includes the entire packet including the ethernet header and payload). |
 | tos | int | `NULL` | The ToS (type-of-service) to match. |
 
@@ -306,9 +307,9 @@ The following CLI arguments are supported.
 | --log | `--log 1` | Enables or disables logging for the dynamic filter. |
 | --block-time | `--block-time 60` | How long to block the source IP for if the packet is matched and the action is drop in the dynamic filter (0 = no time). | 
 | --sip | `--sip 192.168.1.0/24` | The source IPv4 address/range to match with the dynamic filter. |
-| --dip | `--sip 10.90.0.0/24` | The destination IPv4 address/range to match with the dynamic filter. |
+| --dip | `--dip 10.90.0.0/24` | The destination IPv4 address/range to match with the dynamic filter. |
-| --sip6 | `--sip 192.168.1.0/24` | The source IPv6 address to match with the dynamic filter. |
+| --sip6 | `--sip6 192.168.1.0/24` | The source IPv6 address to match with the dynamic filter. |
-| --dip6 | `--sip 192.168.1.0/24` | The destination IPv6 address to match with the dynamic filter. |
+| --dip6 | `--dip6 192.168.1.0/24` | The destination IPv6 address to match with the dynamic filter. |
 | --min-ttl | `--min-ttl 0` | The IP's minimum TTL to match with the dynamic filter. |
 | --max-ttl | `--max-ttl 6` | The IP's maximum TTL to match with the dynamic filter. |
 | --min-len | `--min-len 42` | The packet's mimimum length to match with the dynamic filter. |
@@ -386,6 +387,8 @@ This firewall supports both source **flow-based** (`flow_pps` and `flow_bps` set
 
 The reason source IP-based rate limiting is disabled by default is because both methods require seperate calculations which isn't ideal if both methods aren't used inside of filter rules. I've found most users prefer flow-based rate limiting which is why I decided to only enable that by default.
 
+Additionally, if you're encountering a large amount of spoofed packets, it is **highly recommended** that you disable rate limiting entirely, at least temporarily until you stop receiving the spoofed packets. This is because a large amount of spoofed packets from different IPs and ports will cause the rate limit BPF maps to rapidly recycle entries and this can cause very high CPU usage depending on how many spoofed packets are being sent and the host's hardware.
+
 ### Filter Logging
 This tool uses `bpf_ringbuf_reserve()` and `bpf_ringbuf_submit()` for filter match logging. At this time, there is no rate limit for the amount of log messages that may be sent. Therefore, if you're encountering a spoofed attack that is matching a filter rule with logging enabled, it will cause additional processing and disk load.
 

src/common/config.h

@@ -58,3 +58,12 @@
 // If enabled, uses a newer bpf_loop() function when choosing a source port for a new connection.
 // This allows for a much higher source port range. However, it requires a more recent kernel.
 #define USE_NEW_LOOP
+
+// Whether to enable chaining multiple XDP programs with this tool (1 = enable. 0 = disable).
+#define XDP_MULTIPROG_ENABLED 1
+
+// The XDP program's run priority (used for running multiple XDP programs together).
+#define XDP_MULTIPROG_PRIORITY 10
+
+// The action that indicates it should go onto the next program (default XDP_PASS).
+#define XDP_MULTIPROG_ACTION XDP_PASS

src/loader/prog.c

@@ -32,6 +32,15 @@ static void unpin_needed_maps(config__t* cfg, struct bpf_object* obj, int ignore
 {
     int ret;
 
+    // Unpin stats map.
+    if ((ret = unpin_bpf_map(obj, XDP_MAP_PIN_DIR, "map_stats")) != 0)
+    {
+        if (!ignore_errors)
+        {
+            log_msg(cfg, 1, 0, "[WARNING] Failed to un-pin BPF map 'map_stats' from file system (%d).", ret);
+        }
+    }
+
     // Unpin block map.
     if ((ret = unpin_bpf_map(obj, XDP_MAP_PIN_DIR, "map_block")) != 0)
     {
@@ -40,7 +49,7 @@ static void unpin_needed_maps(config__t* cfg, struct bpf_object* obj, int ignore
             log_msg(cfg, 1, 0, "[WARNING] Failed to un-pin BPF map 'map_block' from file system (%d).", ret);
         }
     }
-
+#ifdef ENABLE_IPV6
     // Unpin block (IPv6) map.
     if ((ret = unpin_bpf_map(obj, XDP_MAP_PIN_DIR, "map_block6")) != 0)
     {
@@ -49,6 +58,7 @@ static void unpin_needed_maps(config__t* cfg, struct bpf_object* obj, int ignore
             log_msg(cfg, 1, 0, "[WARNING] Failed to un-pin BPF map 'map_block6' from file system (%d).", ret);
         }
     }
+#endif
 
 #ifdef ENABLE_IP_RANGE_DROP
     // Unpin IPv4 range drop map.
@@ -312,6 +322,16 @@ int main(int argc, char *argv[])
         // So it's best to attempt to unpin the maps before pinning while ignoring errors.
         unpin_needed_maps(&cfg, obj, 1);
 
+        // Pin the stats map.
+        if ((ret = pin_bpf_map(obj, XDP_MAP_PIN_DIR, "map_stats")) != 0)
+        {
+            log_msg(&cfg, 1, 0, "[WARNING] Failed to pin 'map_stats' to file system (%d)...", ret);
+        }
+        else
+        {
+            log_msg(&cfg, 3, 0, "BPF map 'map_stats' pinned to '%s/map_stats'.", XDP_MAP_PIN_DIR);
+        }
+
         // Pin the block maps.
         if ((ret = pin_bpf_map(obj, XDP_MAP_PIN_DIR, "map_block")) != 0)
         {

src/loader/utils/config.c

@@ -808,7 +808,7 @@ int save_cfg(config__t* cfg, const char* file_path)
     {
         if (cfg->interfaces_cnt > 1)
         {
-            setting = config_setting_add(root, "interfaces", CONFIG_TYPE_LIST);
+            setting = config_setting_add(root, "interface", CONFIG_TYPE_LIST);
 
             for (int i = 0; i < cfg->interfaces_cnt; i++)
             {
@@ -829,7 +829,7 @@ int save_cfg(config__t* cfg, const char* file_path)
 
             if (interface)
             {
-                setting = config_setting_add(root, "interfaces", CONFIG_TYPE_STRING);
+                setting = config_setting_add(root, "interface", CONFIG_TYPE_STRING);
                 config_setting_set_string(setting, interface);
             }
         }

src/loader/utils/xdp.c

@@ -113,6 +113,10 @@ int attach_xdp(struct xdp_program *prog, char** mode, int ifidx, int detach, int
 {
     int err;
 
+    // Before attaching, set chaining options.
+    xdp_program__set_run_prio(prog, XDP_MULTIPROG_PRIORITY);
+    xdp_program__set_chain_call_enabled(prog, XDP_MULTIPROG_ACTION, XDP_MULTIPROG_ENABLED);
+
     u32 attach_mode = XDP_MODE_NATIVE;
 
     *mode = "DRV/native";

src/xdp/prog.c

@@ -338,19 +338,22 @@ int xdp_prog_main(struct xdp_md *ctx)
     rule.flow_bps = flow_bps;
     rule.ip_pps = ip_pps;
     rule.ip_bps = ip_bps;
-    rule.now = now;
     rule.pkt_len = pkt_len;
-    rule.src_port = src_port;
+
 #ifdef ENABLE_FILTER_LOGGING
+    rule.now = now;
+    rule.protocol = protocol;
+    rule.src_port = src_port;
     rule.dst_port = dst_port;
 #endif
-    rule.protocol = protocol;
     
     rule.iph = iph;
-    rule.iph6 = iph6;
+    
     rule.tcph = tcph;
     rule.udph = udph;
     rule.icmph = icmph;
+
+    rule.iph6 = iph6;
     rule.icmph6 = icmp6h;
 
 #ifdef USE_NEW_LOOP

src/xdp/utils/rule.h

@@ -19,19 +19,21 @@ struct rule_ctx
     int action;
     u64 block_time;
 
+    int pkt_len;
+
     u64 ip_pps;
     u64 ip_bps;
 
     u64 flow_pps;
     u64 flow_bps;
 
-    u64 now;
-    int pkt_len;
-    u16 src_port;
 #ifdef ENABLE_FILTER_LOGGING
+    u64 now;
+
+    u8 protocol;
+    u16 src_port;
     u16 dst_port;
 #endif
-    u8 protocol;
 
     struct iphdr* iph;
     struct ipv6hdr* iph6;