-
-
Notifications
You must be signed in to change notification settings - Fork 96
/
xdpfw.h
153 lines (112 loc) · 3.1 KB
/
xdpfw.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
#pragma once
#include <linux/types.h>
#define MAX_PCKT_LENGTH 65535
#define MAX_FILTERS 60
#define MAX_TRACK_IPS 100000
#define MAX_CPUS 256
#define NANO_TO_SEC 1000000000
#define __u128 __uint128_t
// Additional options for XDP program.
//#define DEBUG
// Feel free to comment this out if you don't want the `blocked` entry on the stats map to be incremented every single time a packet is dropped from the source IP being on the blocked map. Commenting this line out should increase performance when blocking malicious traffic.
#define DOSTATSONBLOCKMAP
// When this is defined, a check will occur inside the IPv4 and IPv6 filters. For IPv6 packets, if no IPv6 source/destination IP addresses are set, but there is an IPv4 address, it will ignore the filter. The same goes for IPv4, if there is no IPv4 source/destination IP addresses set, if an IPv6 address is set, it will ignore the filter.
#define ALLOWSINGLEIPV4V6
#ifdef __BPF__
#define likely(x) __builtin_expect(!!(x), 1)
#define unlikely(x) __builtin_expect(!!(x), 0)
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
#define htons(x) ((__be16)___constant_swab16((x)))
#define ntohs(x) ((__be16)___constant_swab16((x)))
#define htonl(x) ((__be32)___constant_swab32((x)))
#define ntohl(x) ((__be32)___constant_swab32((x)))
#elif __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
#define htons(x) (x)
#define ntohs(X) (x)
#define htonl(x) (x)
#define ntohl(x) (x)
#endif
#endif
struct tcpopts
{
unsigned int enabled : 1;
unsigned int do_sport : 1;
__u16 sport;
unsigned int do_dport : 1;
__u16 dport;
// TCP flags.
unsigned int do_urg : 1;
unsigned int urg : 1;
unsigned int do_ack : 1;
unsigned int ack : 1;
unsigned int do_rst : 1;
unsigned int rst : 1;
unsigned int do_psh : 1;
unsigned int psh : 1;
unsigned int do_syn : 1;
unsigned int syn : 1;
unsigned int do_fin : 1;
unsigned int fin : 1;
unsigned int do_ece : 1;
unsigned int ece : 1;
unsigned int do_cwr : 1;
unsigned int cwr : 1;
};
struct udpopts
{
unsigned int enabled : 1;
unsigned int do_sport : 1;
__u16 sport;
unsigned int do_dport : 1;
__u16 dport;
};
struct icmpopts
{
unsigned int enabled : 1;
unsigned int do_code : 1;
__u8 code;
unsigned int do_type : 1;
__u8 type;
};
struct filter
{
__u8 id;
unsigned int enabled : 1;
__u8 action;
__u32 src_ip;
__u8 src_cidr;
__u32 dst_ip;
__u8 dst_cidr;
__u32 src_ip6[4];
__u32 dst_ip6[4];
unsigned int do_min_ttl : 1;
__u8 min_ttl;
unsigned int do_max_ttl : 1;
__u8 max_ttl;
unsigned int do_min_len : 1;
__u16 min_len;
unsigned int do_max_len : 1;
__u16 max_len;
unsigned int do_tos : 1;
int8_t tos;
unsigned int do_pps : 1;
__u64 pps;
unsigned int do_bps : 1;
__u64 bps;
__u64 blocktime;
struct tcpopts tcpopts;
struct udpopts udpopts;
struct icmpopts icmpopts;
} __attribute__((__aligned__(8)));
struct stats
{
__u64 allowed;
__u64 dropped;
__u64 passed;
};
struct ip_stats
{
__u64 pps;
__u64 bps;
__u64 next_update;
};