traffic direction as global
adgaultier committed Oct 11, 2024
1 parent c286bb5 commit 4d8fcb6
Showing 6 changed files with 64 additions and 180 deletions.
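--- a/oryx-ebpf/src/main.rs
+++ b/oryx-ebpf/src/main.rs
@@ -34,7 +34,7 @@ static TRANSPORT_FILTERS: Array<u32> = Array::with_max_entries(8, 0);
 static LINK_FILTERS: Array<u32> = Array::with_max_entries(8, 0);
 
 #[map]
-static TRAFFIC_DIRECTION_FILTERS: Array<u32> = Array::with_max_entries(2, 0);
+static TRAFFIC_DIRECTION_FILTER: Array<u8> = Array::with_max_entries(1, 0);
 
 #[map]
 static BLOCKLIST_IPV6: HashMap<u128, [u16; MAX_RULES_PORT]> =
@@ -44,6 +44,9 @@ static BLOCKLIST_IPV6: HashMap<u128, [u16; MAX_RULES_PORT]> =
 static BLOCKLIST_IPV4: HashMap<u32, [u16; MAX_RULES_PORT]> =
 HashMap::<u32, [u16; MAX_RULES_PORT]>::with_max_entries(MAX_FIREWALL_RULES, 0);
 
+#[no_mangle]
+static TRAFFIC_DIRECTION: i32 = 0;
+
 #[classifier]
 pub fn oryx(ctx: TcContext) -> i32 {
 match process(ctx) {
@@ -76,19 +79,16 @@ fn ptr_at<T>(ctx: &TcContext, offset: usize) -> Result<*const T, ()> {
 #[inline]
 fn filter_direction() -> bool {
 // 0(default) -> false(send to tui), 1 -> true(filter)
-if let Some(v) = TRAFFIC_DIRECTION_FILTERS.get(0) {
+if let Some(v) = TRAFFIC_DIRECTION_FILTER.get(0) {
 return *v != 0;
 }
 false
 }
 
 #[inline]
 fn is_ingress() -> bool {
-// 0(default) -> true(is ingress), 1 -> false (is egress)
-if let Some(v) = TRAFFIC_DIRECTION_FILTERS.get(1) {
-return *v == 0;
-}
-true
+let traffic_direction = unsafe { core::ptr::read_volatile(&TRAFFIC_DIRECTION) };
+traffic_direction == -1
 }
 
 #[inline]
@@ -173,14 +173,14 @@ fn process(ctx: TcContext) -> Result<i32, ()> {
 };
 
 if block_ipv4(addr, port) {
-return Ok(TC_ACT_SHOT);
+return Ok(TC_ACT_SHOT); //block packet
 }
 
 if filter_packet(Protocol::Network(NetworkProtocol::Ipv4))
 || filter_packet(Protocol::Transport(TransportProtocol::TCP))
 || filter_direction()
 {
-return Ok(TC_ACT_PIPE); //DONT FWD PACKET TO TUI
+return Ok(TC_ACT_PIPE);
 }
 
 submit(RawPacket::Ip(
@@ -197,7 +197,7 @@ fn process(ctx: TcContext) -> Result<i32, ()> {
 };
 
 if block_ipv4(addr, port) {
-return Ok(TC_ACT_SHOT);
+return Ok(TC_ACT_SHOT); //block packet
 }
 
 if filter_packet(Protocol::Network(NetworkProtocol::Ipv4))
@@ -243,14 +243,14 @@ fn process(ctx: TcContext) -> Result<i32, ()> {
 };
 
 if block_ipv6(addr, port) {
-return Ok(TC_ACT_SHOT);
+return Ok(TC_ACT_SHOT); //block packet
 }
 
 if filter_packet(Protocol::Network(NetworkProtocol::Ipv6))
 || filter_packet(Protocol::Transport(TransportProtocol::TCP))
 || filter_direction()
 {
-return Ok(TC_ACT_PIPE); //DONT FWD PACKET TO TUI
+return Ok(TC_ACT_PIPE);
 }
 submit(RawPacket::Ip(
 IpHdr::V6(header),
@@ -266,14 +266,14 @@ fn process(ctx: TcContext) -> Result<i32, ()> {
 };
 
 if block_ipv6(addr, port) {
-return Ok(TC_ACT_SHOT);
+return Ok(TC_ACT_SHOT); //block packet
 }
 
 if filter_packet(Protocol::Network(NetworkProtocol::Ipv6))
 || filter_packet(Protocol::Transport(TransportProtocol::UDP))
 || filter_direction()
 {
-return Ok(TC_ACT_PIPE); //DONT FWD PACKET TO TUI
+return Ok(TC_ACT_PIPE);
 }
 submit(RawPacket::Ip(
 IpHdr::V6(header),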
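Review bot: `is_ingress()` in the third hunk treats the new global as a two-valued flag, but the in-object default is a third value: `TRAFFIC_DIRECTION` is initialised to `0` and `is_ingress()` returns true only for `-1`, so an object loaded without the matching `set_global` call (or with a different encoding on the loader side) silently classifies every packet as egress, whereas the removed map-based code defaulted to ingress. The encoding itself is no longer documented anywhere in this crate, since the `// 0(default) -> true(is ingress), 1 -> false (is egress)` comment was dropped with the old body. Suggest stating the contract at the static, `/// Patched in by the loader via EbpfLoader::set_global: -1 = ingress, 1 = egress; 0 = not set.`, and either defaulting it to `-1` to preserve the previous behaviour or not letting `0` fall through to the egress path. How the result of `is_ingress()` is consumed is outside this section, so whether the misclassification can affect the blocklist decisions cannot be confirmed from here.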
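--- a/oryx-tui/src/ebpf.rs
+++ b/oryx-tui/src/ebpf.rs
@@ -11,7 +11,7 @@ use aya::{
 include_bytes_aligned,
 maps::{ring_buf::RingBufItem, Array, HashMap, MapData, RingBuf},
 programs::{tc, SchedClassifier, TcAttachType},
-Ebpf,
+Ebpf, EbpfLoader,
 };
 use oryx_common::{protocols::Protocol, RawPacket, MAX_RULES_PORT};
 
@@ -220,9 +220,11 @@ pub fn load_ingress(
 unsafe { libc::setrlimit(libc::RLIMIT_MEMLOCK, &rlim) };
 
 #[cfg(debug_assertions)]
-let mut bpf = match Ebpf::load(include_bytes_aligned!(
-"../../target/bpfel-unknown-none/debug/oryx"
-)) {
+let mut bpf = match EbpfLoader::new()
+.set_global("TRAFFIC_DIRECTION", &-1i32, true)
+.load(include_bytes_aligned!(
+"../../target/bpfel-unknown-none/debug/oryx"
+)) {
 Ok(v) => v,
 Err(e) => {
 Notification::send(
@@ -236,9 +238,11 @@ pub fn load_ingress(
 };
 
 #[cfg(not(debug_assertions))]
-let mut bpf = match Ebpf::load(include_bytes_aligned!(
-"../../target/bpfel-unknown-none/release/oryx"
-)) {
+let mut bpf = match EbpfLoader::new()
+.set_global("TRAFFIC_DIRECTION", &(-1 as i32), true)
+.load(include_bytes_aligned!(
+"../../target/bpfel-unknown-none/release/oryx"
+)) {
 Ok(v) => v,
 Err(e) => {
 Notification::send(
@@ -295,11 +299,10 @@ pub fn load_ingress(
 let mut link_filters: Array<_, u32> =
 Array::try_from(bpf.take_map("LINK_FILTERS").unwrap()).unwrap();
 
-let mut traffic_direction_filters: Array<_, u32> =
-Array::try_from(bpf.take_map("TRAFFIC_DIRECTION_FILTERS").unwrap()).unwrap();
-let _ = traffic_direction_filters.set(0, 0, 0);
-let _ = traffic_direction_filters.set(1, 0, 0); //setup ingress flag
-// firewall-ebpf interface
+let mut traffic_direction_filter: Array<_, u8> =
+Array::try_from(bpf.take_map("TRAFFIC_DIRECTION_FILTER").unwrap()).unwrap();
+
+// firewall-ebpf interface
 let mut ipv4_firewall: HashMap<_, u32, [u16; MAX_RULES_PORT]> =
 HashMap::try_from(bpf.take_map("BLOCKLIST_IPV4").unwrap()).unwrap();
 
@@ -348,7 +351,7 @@ pub fn load_ingress(
 }
 },
 FilterChannelSignal::DirectionUpdate(flag) => {
-let _ = traffic_direction_filters.set(0, flag as u32, 0);
+let _ = traffic_direction_filter.set(0, flag as u8, 0);
 }
 FilterChannelSignal::Kill => {
 break;
@@ -357,6 +360,7 @@ pub fn load_ingress(
 }
 });
 
+// packets reader
 let mut ring_buf = RingBuffer::new(&mut bpf);
 
 poll.registry()
@@ -420,9 +424,11 @@ pub fn load_egress(
 unsafe { libc::setrlimit(libc::RLIMIT_MEMLOCK, &rlim) };
 
 #[cfg(debug_assertions)]
-let mut bpf = match Ebpf::load(include_bytes_aligned!(
-"../../target/bpfel-unknown-none/debug/oryx"
-)) {
+let mut bpf = match EbpfLoader::new()
+.set_global("TRAFFIC_DIRECTION", &1i32, true)
+.load(include_bytes_aligned!(
+"../../target/bpfel-unknown-none/debug/oryx"
+)) {
 Ok(v) => v,
 Err(e) => {
 Notification::send(
@@ -436,9 +442,11 @@ pub fn load_egress(
 };
 
 #[cfg(not(debug_assertions))]
-let mut bpf = match Ebpf::load(include_bytes_aligned!(
-"../../target/bpfel-unknown-none/release/oryx"
-)) {
+let mut bpf = match EbpfLoader::new()
+.set_global("TRAFFIC_DIRECTION", &(1 as i32), true)
+.load(include_bytes_aligned!(
+"../../target/bpfel-unknown-none/release/oryx"
+)) {
 Ok(v) => v,
 Err(e) => {
 Notification::send(
@@ -491,10 +499,8 @@ pub fn load_egress(
 let mut link_filters: Array<_, u32> =
 Array::try_from(bpf.take_map("LINK_FILTERS").unwrap()).unwrap();
 
-let mut traffic_direction_filters: Array<_, u32> =
-Array::try_from(bpf.take_map("TRAFFIC_DIRECTION_FILTERS").unwrap()).unwrap();
-let _ = traffic_direction_filters.set(0, 0, 0);
-let _ = traffic_direction_filters.set(1, 1, 0); //setup egress flag
+let mut traffic_direction_filter: Array<_, u8> =
+Array::try_from(bpf.take_map("TRAFFIC_DIRECTION_FILTER").unwrap()).unwrap();
 
 // firewall-ebpf interface
 let mut ipv4_firewall: HashMap<_, u32, [u16; MAX_RULES_PORT]> =
@@ -545,7 +551,7 @@ pub fn load_egress(
 }
 },
 FilterChannelSignal::DirectionUpdate(flag) => {
-let _ = traffic_direction_filters.set(0, flag as u32, 0);
+let _ = traffic_direction_filter.set(0, flag as u8, 0);
 }
 FilterChannelSignal::Kill => {
 break;
@@ -554,6 +560,7 @@ pub fn load_egress(
 }
 });
 
+// packets reading
 let mut ring_buf = RingBuffer::new(&mut bpf);
 
 poll.registry()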
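Review bot: The direction encoding is written as bare literals in four places in this file (`&-1i32`, `&(-1 as i32)`, `&1i32`, `&(1 as i32)` in the debug and release `set_global` calls of `load_ingress` and `load_egress`) and has to agree with the `== -1` test inside the eBPF program, with nothing checking that agreement at compile time; a drift between the two crates would silently swap or collapse ingress/egress classification for every packet. Since `oryx_common` is already imported in the first hunk, define the values once there, e.g. `pub const TRAFFIC_DIRECTION_INGRESS: i32 = -1; pub const TRAFFIC_DIRECTION_EGRESS: i32 = 1;`, and write `.set_global("TRAFFIC_DIRECTION", &TRAFFIC_DIRECTION_INGRESS, true)` here and compare against the same constant in the program. Passing `true` for `must_exist` is the right choice, as a program built without the `TRAFFIC_DIRECTION` symbol then fails at load instead of running with the in-object default. As a style point, the debug and release variants of the same call spell the literal differently (`-1i32` vs `-1 as i32`); `-1i32` is the idiomatic form and clippy's `unnecessary_cast` flags the cast. Both `load_ingress` and `load_egress` begin and end outside their hunks.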
107 changes: 0 additions & 107 deletions oryx-tui/src/filter.rs
Expand Up @@ -327,113 +327,6 @@ impl Filter {
Ok(())
}

// pub fn update(
// &mut self,
// // notification_sender: kanal::Sender<Event>,
// // data_sender: kanal::Sender<[u8; RawPacket::LEN]>,
// ) -> AppResult<()> {
// // Remove egress
// if self
// .traffic_direction
// .applied_direction
// .contains(&TrafficDirection::Egress)
// && !self
// .traffic_direction
// .selected_direction
// .contains(&TrafficDirection::Egress)
// {
// //self.firewall_egress_sender.send(FirewallSignal::Kill)?;
// self.filter_chans
// .egress
// .sender
// .send(FilterChannelSignal::Kill)?;
// self.traffic_direction.terminate(TrafficDirection::Egress);
// }

// Add egress
// if !self
// .traffic_direction
// .applied_direction
// .contains(&TrafficDirection::Egress)
// && self
// .traffic_direction
// .selected_direction
// .contains(&TrafficDirection::Egress)
// {
// self.traffic_direction
// .terminate_egress
// .store(false, std::sync::atomic::Ordering::Relaxed);

// let iface = self.interface.selected_interface.name.clone();

// load_egress(
// iface,
// notification_sender.clone(),
// data_sender.clone(),
// self.filter_chans.egress.receiver.clone(),
// self.firewall_egress_receiver.clone(),
// self.traffic_direction.terminate_egress.clone(),
// );
// }

// Remove ingress
// if self
// .traffic_direction
// .applied_direction
// .contains(&TrafficDirection::Ingress)
// && !self
// .traffic_direction
// .selected_direction
// .contains(&TrafficDirection::Ingress)
// {
// self.firewall_ingress_sender.send(FirewallSignal::Kill)?;
// self.filter_chans
// .ingress
// .sender
// .send(FilterChannelSignal::Kill)?;
// self.traffic_direction.terminate(TrafficDirection::Ingress);
// }

// Add ingress
// if !self
// .traffic_direction
// .applied_direction
// .contains(&TrafficDirection::Ingress)
// && self
// .traffic_direction
// .selected_direction
// .contains(&TrafficDirection::Ingress)
// {
// let iface = self.interface.selected_interface.name.clone();
// self.traffic_direction
// .terminate_ingress
// .store(false, std::sync::atomic::Ordering::Relaxed);
// load_ingress(
// iface,
// notification_sender.clone(),
// data_sender.clone(),
// self.filter_chans.ingress.receiver.clone(),
// self.firewall_ingress_receiver.clone(),
// self.traffic_direction.terminate_ingress.clone(),
// );
// }

// self.apply();

// thread::sleep(Duration::from_millis(150));

// self.traffic_direction
// .terminate_ingress
// .store(false, std::sync::atomic::Ordering::Relaxed);
// self.traffic_direction
// .terminate_ingress
// .store(false, std::sync::atomic::Ordering::Relaxed);

// self.sync()?;

// Ok(())
// }

pub fn handle_key_events(&mut self, key_event: KeyEvent, is_update_popup_displayed: bool) {
match key_event.code {
KeyCode::Tab => match self.focused_block {
6 changes: 0 additions & 6 deletions oryx-tui/src/handler.rs
Expand Up @@ -174,12 +174,6 @@ pub fn handle_key_events(
}
}

KeyCode::Char(' ') => {
if app.section.focused_section == FocusedSection::Firewall {
app.section.firewall.submit_rule()?;
}
}

_ => {
app.section.handle_keys(key_event, event_sender.clone())?;
}