Skip to content

Commit

Permalink
fix maps duplicates
Browse files Browse the repository at this point in the history
  • Loading branch information
@adgaultier
adgaultier committed Oct 9, 2024
1 parent 7ea7f44 commit d827a17
Show file tree
Hide file tree
Showing 2 changed files with 49 additions and 16 deletions.
57 changes: 45 additions & 12 deletions oryx-ebpf/src/main.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,16 +34,11 @@ static TRANSPORT_FILTERS: Array<u32> = Array::with_max_entries(8, 0);
static LINK_FILTERS: Array<u32> = Array::with_max_entries(8, 0);

#[map]
static BLOCKLIST_IPV6_INGRESS: HashMap<u128, [u16; 32]> =
static BLOCKLIST_IPV6: HashMap<u128, [u16; 32]> =
HashMap::<u128, [u16; 32]>::with_max_entries(128, 0);

#[map]
static BLOCKLIST_IPV6_EGRESS: HashMap<u128, [u16; 32]> =
HashMap::<u128, [u16; 32]>::with_max_entries(128, 0);
#[map]
static BLOCKLIST_IPV4_INGRESS: HashMap<u32, [u16; 32]> =
HashMap::<u32, [u16; 32]>::with_max_entries(128, 0);
#[map]
static BLOCKLIST_IPV4_EGRESS: HashMap<u32, [u16; 32]> =
static BLOCKLIST_IPV4: HashMap<u32, [u16; 32]> =
HashMap::<u32, [u16; 32]>::with_max_entries(128, 0);

#[classifier]
Expand Down Expand Up @@ -96,6 +91,28 @@ fn filter_for_ipv4_address(
false
}

#[inline]
fn filter_for_ipv6_address(
addr: u128,
port: u16,
blocked_ports_map: &HashMap<u128, [u16; 32]>,
) -> bool {
if let Some(blocked_ports) = unsafe { blocked_ports_map.get(&addr) } {
for (idx, blocked_port) in blocked_ports.iter().enumerate() {
if *blocked_port == 0 {
if idx == 0 {
return true;
} else {
break;
}
} else if *blocked_port == port {
return true;
}
}
}
false
}

#[inline]
fn filter_packet(protocol: Protocol) -> bool {
match protocol {
Expand Down Expand Up @@ -134,8 +151,8 @@ fn process(ctx: TcContext) -> Result<i32, ()> {
let src_port = u16::from_be(unsafe { (*tcphdr).source });
let dst_port = u16::from_be(unsafe { (*tcphdr).dest });

if filter_for_ipv4_address(src_addr, src_port, &BLOCKLIST_IPV4_INGRESS)
|| filter_for_ipv4_address(dst_addr, dst_port, &BLOCKLIST_IPV4_EGRESS)
if filter_for_ipv4_address(src_addr, src_port, &BLOCKLIST_IPV4)
|| filter_for_ipv4_address(dst_addr, dst_port, &BLOCKLIST_IPV4)
{
return Ok(TC_ACT_SHOT);
}
Expand All @@ -155,8 +172,8 @@ fn process(ctx: TcContext) -> Result<i32, ()> {
let src_port = u16::from_be(unsafe { (*udphdr).source });
let dst_port = u16::from_be(unsafe { (*udphdr).dest });

if filter_for_ipv4_address(src_addr, src_port, &BLOCKLIST_IPV4_INGRESS)
|| filter_for_ipv4_address(dst_addr, dst_port, &BLOCKLIST_IPV4_EGRESS)
if filter_for_ipv4_address(src_addr, src_port, &BLOCKLIST_IPV4)
|| filter_for_ipv4_address(dst_addr, dst_port, &BLOCKLIST_IPV4)
{
return Ok(TC_ACT_SHOT);
}
Expand Down Expand Up @@ -187,11 +204,20 @@ fn process(ctx: TcContext) -> Result<i32, ()> {
}
EtherType::Ipv6 => {
let header: Ipv6Hdr = ctx.load(EthHdr::LEN).map_err(|_| ())?;
let src_addr = header.src_addr().to_bits();
let dst_addr = header.dst_addr().to_bits();

match header.next_hdr {
IpProto::Tcp => {
let tcphdr: *const TcpHdr = ptr_at(&ctx, EthHdr::LEN + Ipv6Hdr::LEN)?;
let src_port = u16::from_be(unsafe { (*tcphdr).source });
let dst_port = u16::from_be(unsafe { (*tcphdr).dest });

if filter_for_ipv6_address(src_addr, src_port, &BLOCKLIST_IPV6)
|| filter_for_ipv6_address(dst_addr, dst_port, &BLOCKLIST_IPV6)
{
return Ok(TC_ACT_SHOT);
}
if filter_packet(Protocol::Network(NetworkProtocol::Ipv6))
|| filter_packet(Protocol::Transport(TransportProtocol::TCP))
{
Expand All @@ -204,7 +230,14 @@ fn process(ctx: TcContext) -> Result<i32, ()> {
}
IpProto::Udp => {
let udphdr: *const UdpHdr = ptr_at(&ctx, EthHdr::LEN + Ipv6Hdr::LEN)?;
let src_port = u16::from_be(unsafe { (*udphdr).source });
let dst_port = u16::from_be(unsafe { (*udphdr).dest });

if filter_for_ipv6_address(src_addr, src_port, &BLOCKLIST_IPV6)
|| filter_for_ipv6_address(dst_addr, dst_port, &BLOCKLIST_IPV6)
{
return Ok(TC_ACT_SHOT);
}
if filter_packet(Protocol::Network(NetworkProtocol::Ipv6))
|| filter_packet(Protocol::Transport(TransportProtocol::UDP))
{
Expand Down
8 changes: 4 additions & 4 deletions oryx-tui/src/ebpf.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -295,9 +295,9 @@ impl Ebpf {
Array::try_from(bpf.take_map("LINK_FILTERS").unwrap()).unwrap();
// firewall-ebpf interface
let mut ipv4_firewall: HashMap<_, u32, [u16; 32]> =
HashMap::try_from(bpf.take_map("BLOCKLIST_IPV4_INGRESS").unwrap()).unwrap();
HashMap::try_from(bpf.take_map("BLOCKLIST_IPV4").unwrap()).unwrap();
let mut ipv6_firewall: HashMap<_, u128, [u16; 32]> =
HashMap::try_from(bpf.take_map("BLOCKLIST_IPV6_INGRESS").unwrap()).unwrap();
HashMap::try_from(bpf.take_map("BLOCKLIST_IPV6").unwrap()).unwrap();

thread::spawn(move || loop {
if let Ok(signal) = firewall_ingress_receiver.recv() {
Expand Down Expand Up @@ -482,9 +482,9 @@ impl Ebpf {

// firewall-ebpf interface
let mut ipv4_firewall: HashMap<_, u32, [u16; 32]> =
HashMap::try_from(bpf.take_map("BLOCKLIST_IPV4_EGRESS").unwrap()).unwrap();
HashMap::try_from(bpf.take_map("BLOCKLIST_IPV4").unwrap()).unwrap();
let mut ipv6_firewall: HashMap<_, u128, [u16; 32]> =
HashMap::try_from(bpf.take_map("BLOCKLIST_IPV6_EGRESS").unwrap()).unwrap();
HashMap::try_from(bpf.take_map("BLOCKLIST_IPV6").unwrap()).unwrap();
thread::spawn(move || loop {
if let Ok(signal) = firewall_egress_receiver.recv() {
match signal {
Expand Down

0 comments on commit d827a17

Please sign in to comment.