handle egress(WIP)

pythops · Oct 8, 2024 · 567cfcb · 567cfcb
1 parent 81829c6
commit 567cfcb
Show file tree

Hide file tree

Showing 5 changed files with 55 additions and 11 deletions.
diff --git a/oryx-tui/src/app.rs b/oryx-tui/src/app.rs
@@ -58,6 +58,7 @@ impl App {
         let (sender, receiver) = kanal::unbounded();
 
         let (firewall_ingress_sender, firewall_ingress_receiver) = kanal::unbounded();
+        let (firewall_egress_sender, firewall_egress_receiver) = kanal::unbounded();
 
         thread::spawn({
             let packets = packets.clone();
@@ -76,11 +77,15 @@ impl App {
         Self {
             running: true,
             help: Help::new(),
-            filter: Filter::new(firewall_ingress_receiver),
+            filter: Filter::new(firewall_ingress_receiver, firewall_egress_receiver),
             start_sniffing: false,
             packets: packets.clone(),
             notifications: Vec::new(),
-            section: Section::new(packets.clone(), firewall_ingress_sender),
+            section: Section::new(
+                packets.clone(),
+                firewall_ingress_sender,
+                firewall_egress_sender,
+            ),
             data_channel_sender: sender,
             is_editing: false,
             active_popup: None,

diff --git a/oryx-tui/src/ebpf.rs b/oryx-tui/src/ebpf.rs
@@ -3,7 +3,7 @@ use std::{
     net::{IpAddr, Ipv4Addr, Ipv6Addr},
     os::fd::AsRawFd,
     sync::{atomic::AtomicBool, Arc},
-    thread::{self, spawn},
+    thread,
     time::Duration,
 };
 
@@ -383,7 +383,7 @@ impl Ebpf {
         notification_sender: kanal::Sender<Event>,
         data_sender: kanal::Sender<[u8; RawPacket::LEN]>,
         filter_channel_receiver: kanal::Receiver<(Protocol, bool)>,
-        _firewall_channel_receiver: kanal::Receiver<(Protocol, bool)>,
+        firewall_egress_receiver: kanal::Receiver<FirewallRule>,
         terminate: Arc<AtomicBool>,
     ) {
         thread::spawn({
@@ -460,6 +460,7 @@ impl Ebpf {
                 let mut poll = Poll::new().unwrap();
                 let mut events = Events::with_capacity(128);
 
+                //filter-ebpf interface
                 let mut transport_filters: Array<_, u32> =
                     Array::try_from(bpf.take_map("TRANSPORT_FILTERS").unwrap()).unwrap();
 
@@ -469,7 +470,32 @@ impl Ebpf {
                 let mut link_filters: Array<_, u32> =
                     Array::try_from(bpf.take_map("LINK_FILTERS").unwrap()).unwrap();
 
-                spawn(move || loop {
+                // firewall-ebpf interface
+                let mut ipv4_firewall: HashMap<_, u32, [u16; 32]> =
+                    HashMap::try_from(bpf.take_map("BLOCKLIST_IPV4_EGRESS").unwrap()).unwrap();
+                let mut ipv6_firewall: HashMap<_, u128, [u16; 32]> =
+                    HashMap::try_from(bpf.take_map("BLOCKLIST_IPV6_EGRESS").unwrap()).unwrap();
+                thread::spawn(move || loop {
+                    if let Ok(rule) = firewall_egress_receiver.recv() {
+                        match rule.ip {
+                            IpAddr::V4(addr) => update_ipv4_blocklist(
+                                &mut ipv4_firewall,
+                                addr,
+                                rule.port,
+                                rule.enabled,
+                            ),
+
+                            IpAddr::V6(addr) => update_ipv6_blocklist(
+                                &mut ipv6_firewall,
+                                addr,
+                                rule.port,
+                                rule.enabled,
+                            ),
+                        }
+                    }
+                });
+
+                thread::spawn(move || loop {
                     if let Ok((filter, flag)) = filter_channel_receiver.recv() {
                         match filter {
                             Protocol::Transport(p) => {

diff --git a/oryx-tui/src/filter.rs b/oryx-tui/src/filter.rs
@@ -92,10 +92,14 @@ pub struct Filter {
     pub firewall_chans: IoChans,
     pub focused_block: FocusedBlock,
     pub firewall_ingress_receiver: kanal::Receiver<FirewallRule>,
+    pub firewall_egress_receiver: kanal::Receiver<FirewallRule>,
 }
 
 impl Filter {
-    pub fn new(firewall_ingress_receiver: kanal::Receiver<FirewallRule>) -> Self {
+    pub fn new(
+        firewall_ingress_receiver: kanal::Receiver<FirewallRule>,
+        firewall_egress_receiver: kanal::Receiver<FirewallRule>,
+    ) -> Self {
         Self {
             interface: Interface::new(),
             network: NetworkFilter::new(),
@@ -106,6 +110,7 @@ impl Filter {
             firewall_chans: IoChans::new(),
             focused_block: FocusedBlock::Interface,
             firewall_ingress_receiver,
+            firewall_egress_receiver,
         }
     }
 
@@ -148,7 +153,7 @@ impl Filter {
                 notification_sender,
                 data_sender,
                 self.filter_chans.egress.receiver.clone(),
-                self.firewall_chans.egress.receiver.clone(),
+                self.firewall_egress_receiver.clone(),
                 self.traffic_direction.terminate_egress.clone(),
             );
         }
@@ -282,7 +287,7 @@ impl Filter {
                 notification_sender.clone(),
                 data_sender.clone(),
                 self.filter_chans.egress.receiver.clone(),
-                self.firewall_chans.egress.receiver.clone(),
+                self.firewall_egress_receiver.clone(),
                 self.traffic_direction.terminate_egress.clone(),
             );
         }

diff --git a/oryx-tui/src/section.rs b/oryx-tui/src/section.rs
@@ -42,13 +42,14 @@ impl Section {
     pub fn new(
         packets: Arc<Mutex<Vec<AppPacket>>>,
         firewall_ingress_sender: kanal::Sender<FirewallRule>,
+        firewall_egress_sender: kanal::Sender<FirewallRule>,
     ) -> Self {
         Self {
             focused_section: FocusedSection::Inspection,
             inspection: Inspection::new(packets.clone()),
             stats: Stats::new(packets.clone()),
             alert: Alert::new(packets.clone()),
-            firewall: Firewall::new(firewall_ingress_sender),
+            firewall: Firewall::new(firewall_ingress_sender, firewall_egress_sender),
         }
     }
     fn title_span(&self, header_section: FocusedSection) -> Span {

diff --git a/oryx-tui/src/section/firewall.rs b/oryx-tui/src/section/firewall.rs
@@ -263,15 +263,20 @@ pub struct Firewall {
     state: TableState,
     user_input: Option<UserInput>,
     ingress_sender: kanal::Sender<FirewallRule>,
+    egress_sender: kanal::Sender<FirewallRule>,
 }
 
 impl Firewall {
-    pub fn new(ingress_sender: kanal::Sender<FirewallRule>) -> Self {
+    pub fn new(
+        ingress_sender: kanal::Sender<FirewallRule>,
+        egress_sender: kanal::Sender<FirewallRule>,
+    ) -> Self {
         Self {
             rules: Vec::new(),
             state: TableState::default(),
             user_input: None,
             ingress_sender,
+            egress_sender,
         }
     }
 
@@ -390,7 +395,8 @@ impl Firewall {
                 KeyCode::Char(' ') => {
                     if let Some(index) = self.state.selected() {
                         self.rules[index].enabled = !self.rules[index].enabled;
-                        self.ingress_sender.send(self.rules[index].clone())?
+                        self.ingress_sender.send(self.rules[index].clone())?;
+                        self.egress_sender.send(self.rules[index].clone())?
                     }
                 }
 
@@ -413,6 +419,7 @@ impl Firewall {
                     if let Some(index) = self.state.selected() {
                         self.rules[index].enabled = false;
                         self.ingress_sender.send(self.rules[index].clone())?;
+                        self.egress_sender.send(self.rules[index].clone())?;
                         self.rules.remove(index);
                     }
                 }