diff --git a/oryx-tui/src/app.rs b/oryx-tui/src/app.rs
index 9c82fb3..7425ce2 100644
--- a/oryx-tui/src/app.rs
+++ b/oryx-tui/src/app.rs
@@ -58,6 +58,7 @@ impl App {
 let (sender, receiver) = kanal::unbounded();
 let (firewall_ingress_sender, firewall_ingress_receiver) = kanal::unbounded();
+ let (firewall_egress_sender, firewall_egress_receiver) = kanal::unbounded();
 thread::spawn({
 let packets = packets.clone();
@@ -76,11 +77,15 @@ impl App {
 Self {
 running: true,
 help: Help::new(),
- filter: Filter::new(firewall_ingress_receiver),
+ filter: Filter::new(firewall_ingress_receiver, firewall_egress_receiver),
 start_sniffing: false,
 packets: packets.clone(),
 notifications: Vec::new(),
- section: Section::new(packets.clone(), firewall_ingress_sender),
+ section: Section::new(
+ packets.clone(),
+ firewall_ingress_sender,
+ firewall_egress_sender,
+ ),
 data_channel_sender: sender,
 is_editing: false,
 active_popup: None,
diff --git a/oryx-tui/src/ebpf.rs b/oryx-tui/src/ebpf.rs
index e9c47ee..9c77d91 100644
--- a/oryx-tui/src/ebpf.rs
+++ b/oryx-tui/src/ebpf.rs
@@ -3,7 +3,7 @@ use std::{
 net::{IpAddr, Ipv4Addr, Ipv6Addr},
 os::fd::AsRawFd,
 sync::{atomic::AtomicBool, Arc},
- thread::{self, spawn},
+ thread,
 time::Duration,
 };
@@ -383,7 +383,7 @@ impl Ebpf {
 notification_sender: kanal::Sender,
 data_sender: kanal::Sender<[u8; RawPacket::LEN]>,
 filter_channel_receiver: kanal::Receiver<(Protocol, bool)>,
- _firewall_channel_receiver: kanal::Receiver<(Protocol, bool)>,
+ firewall_egress_receiver: kanal::Receiver,
 terminate: Arc,
 ) {
 thread::spawn({
@@ -460,6 +460,7 @@ impl Ebpf {
 let mut poll = Poll::new().unwrap();
 let mut events = Events::with_capacity(128);
+ //filter-ebpf interface
 let mut transport_filters: Array<_, u32> = Array::try_from(bpf.take_map("TRANSPORT_FILTERS").unwrap()).unwrap();
@@ -469,7 +470,32 @@ impl Ebpf {
 let mut link_filters: Array<_, u32> = Array::try_from(bpf.take_map("LINK_FILTERS").unwrap()).unwrap();
- spawn(move || loop {
+ // firewall-ebpf interface
+ let mut ipv4_firewall: HashMap<_, u32, [u16; 32]> =
+ HashMap::try_from(bpf.take_map("BLOCKLIST_IPV4_EGRESS").unwrap()).unwrap();
+ let mut ipv6_firewall: HashMap<_, u128, [u16; 32]> =
+ HashMap::try_from(bpf.take_map("BLOCKLIST_IPV6_EGRESS").unwrap()).unwrap();
+ thread::spawn(move || loop {
+ if let Ok(rule) = firewall_egress_receiver.recv() {
+ match rule.ip {
+ IpAddr::V4(addr) => update_ipv4_blocklist(
+ &mut ipv4_firewall,
+ addr,
+ rule.port,
+ rule.enabled,
+ ),
+
+ IpAddr::V6(addr) => update_ipv6_blocklist(
+ &mut ipv6_firewall,
+ addr,
+ rule.port,
+ rule.enabled,
+ ),
+ }
+ }
+ });
+
+ thread::spawn(move || loop {
 if let Ok((filter, flag)) = filter_channel_receiver.recv() {
 match filter {
 Protocol::Transport(p) => {
diff --git a/oryx-tui/src/filter.rs b/oryx-tui/src/filter.rs
index b42774d..932fa11 100644
--- a/oryx-tui/src/filter.rs
+++ b/oryx-tui/src/filter.rs
@@ -92,10 +92,14 @@ pub struct Filter {
 pub firewall_chans: IoChans,
 pub focused_block: FocusedBlock,
 pub firewall_ingress_receiver: kanal::Receiver,
+ pub firewall_egress_receiver: kanal::Receiver,
 }
 impl Filter {
- pub fn new(firewall_ingress_receiver: kanal::Receiver) -> Self {
+ pub fn new(
+ firewall_ingress_receiver: kanal::Receiver,
+ firewall_egress_receiver: kanal::Receiver,
+ ) -> Self {
 Self {
 interface: Interface::new(),
 network: NetworkFilter::new(),
@@ -106,6 +110,7 @@ impl Filter {
 firewall_chans: IoChans::new(),
 focused_block: FocusedBlock::Interface,
 firewall_ingress_receiver,
+ firewall_egress_receiver,
 }
 }
@@ -148,7 +153,7 @@ impl Filter {
 notification_sender,
 data_sender,
 self.filter_chans.egress.receiver.clone(),
- self.firewall_chans.egress.receiver.clone(),
+ self.firewall_egress_receiver.clone(),
 self.traffic_direction.terminate_egress.clone(),
 );
 }
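Review bot: The new firewall thread never exits once every sender of `firewall_egress_receiver` is gone: `recv()` then returns `Err` on each iteration, the `if let Ok(rule)` falls through, and the outer `loop` spins at full CPU; replacing that `loop` with `thread::spawn(move || while let Ok(rule) = firewall_egress_receiver.recv() { … })` ends the thread when the channel closes. The pre-existing filter thread, whose `spawn` line this hunk only renames, has the same shape and could be fixed the same way. `HashMap::try_from(bpf.take_map("BLOCKLIST_IPV4_EGRESS").unwrap()).unwrap()` and its IPv6 twin panic if the loaded object lacks the map, which matches the filter maps above but deserves a comment such as `// the egress eBPF program must define both blocklist maps; a missing map aborts startup here`, and the `[u16; 32]` value type fixes the per-address port slots at 32, so what `update_ipv4_blocklist`/`update_ipv6_blocklist` do when that array is full (outside this hunk) should be stated at the call. The enclosing function starts and ends outside the hunk.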
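Review bot: `self.firewall_chans.egress.receiver` is no longer read here, yet the struct still carries `pub firewall_chans: IoChans` and initialises it with `IoChans::new()` in the `@@ -106` hunk; if the ingress side was already moved to `firewall_ingress_receiver`, `firewall_chans` is now dead state and should be removed, otherwise a comment on the field should say what still consumes it. The same replacement appears in the `@@ -282` hunk and the note applies there too. The surrounding function starts and ends outside the hunk.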
@@ -282,7 +287,7 @@ impl Filter {
 notification_sender.clone(),
 data_sender.clone(),
 self.filter_chans.egress.receiver.clone(),
- self.firewall_chans.egress.receiver.clone(),
+ self.firewall_egress_receiver.clone(),
 self.traffic_direction.terminate_egress.clone(),
 );
 }
diff --git a/oryx-tui/src/section.rs b/oryx-tui/src/section.rs
index 0b20077..110fc49 100644
--- a/oryx-tui/src/section.rs
+++ b/oryx-tui/src/section.rs
@@ -42,13 +42,14 @@ impl Section {
 pub fn new(
 packets: Arc>>,
 firewall_ingress_sender: kanal::Sender,
+ firewall_egress_sender: kanal::Sender,
 ) -> Self {
 Self {
 focused_section: FocusedSection::Inspection,
 inspection: Inspection::new(packets.clone()),
 stats: Stats::new(packets.clone()),
 alert: Alert::new(packets.clone()),
- firewall: Firewall::new(firewall_ingress_sender),
+ firewall: Firewall::new(firewall_ingress_sender, firewall_egress_sender),
 }
 }
 fn title_span(&self, header_section: FocusedSection) -> Span {
diff --git a/oryx-tui/src/section/firewall.rs b/oryx-tui/src/section/firewall.rs
index 25fccbc..2915a13 100644
--- a/oryx-tui/src/section/firewall.rs
+++ b/oryx-tui/src/section/firewall.rs
@@ -263,15 +263,20 @@ pub struct Firewall {
 state: TableState,
 user_input: Option,
 ingress_sender: kanal::Sender,
+ egress_sender: kanal::Sender,
 }
 impl Firewall {
- pub fn new(ingress_sender: kanal::Sender) -> Self {
+ pub fn new(
+ ingress_sender: kanal::Sender,
+ egress_sender: kanal::Sender,
+ ) -> Self {
 Self {
 rules: Vec::new(),
 state: TableState::default(),
 user_input: None,
 ingress_sender,
+ egress_sender,
 }
 }
@@ -390,7 +395,8 @@ impl Firewall {
 KeyCode::Char(' ') => {
 if let Some(index) = self.state.selected() {
 self.rules[index].enabled = !self.rules[index].enabled;
- self.ingress_sender.send(self.rules[index].clone())?
+ self.ingress_sender.send(self.rules[index].clone())?;
+ self.egress_sender.send(self.rules[index].clone())?
 }
 }
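Review bot: The two sends in the `KeyCode::Char(' ')` arm are not atomic: if `self.ingress_sender.send(...)?` succeeds and `self.egress_sender.send(...)?` fails, the `?` returns with the rule already toggled in `self.rules[index]` and delivered to ingress only, so the table, the ingress blocklist and the egress blocklist silently diverge. The same applies to the `@@ -413` hunk, where an egress send failure returns before `self.rules.remove(index)`, leaving a row the UI shows as disabled while the egress map may still hold the rule. Cloning once, `let rule = self.rules[index].clone(); self.ingress_sender.send(rule.clone())?; self.egress_sender.send(rule)?;`, removes the duplicate clone but not the ordering problem, so at minimum a comment should state that a failed send leaves the two datapaths inconsistent until the rule is toggled again. The enclosing key-handling function starts and ends outside the hunk.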
@@ -413,6 +419,7 @@ impl Firewall {
 if let Some(index) = self.state.selected() {
 self.rules[index].enabled = false;
 self.ingress_sender.send(self.rules[index].clone())?;
+ self.egress_sender.send(self.rules[index].clone())?;
 self.rules.remove(index);
 }
 }