fix firewall
pythops committed Oct 6, 2024
1 parent 3db3bea commit f3db11e
Showing 4 changed files with 17 additions and 39 deletions.
13 changes: 1 addition & 12 deletions oryx-common/src/lib.rs
@@ -1,6 +1,6 @@
#![no_std]

use core::mem::{self, transmute};
use core::mem;

use network_types::{arp::ArpHdr, icmp::IcmpHdr, ip::IpHdr, tcp::TcpHdr, udp::UdpHdr};

Expand All @@ -24,14 +24,3 @@ pub enum ProtoHdr {
impl RawPacket {
pub const LEN: usize = mem::size_of::<RawPacket>();
}

pub fn to_u128(x: [u16; 8]) -> u128 {
// (u128::from(x[0]) << 96)
// | (u128::from(x[1]) << 64)
// | (u128::from(x[2]) << 32)
// | u128::from(x[3])
// }

let addr16 = x.map(|x| x.to_be());
u128::from_be_bytes(unsafe { transmute::<_, [u8; 16]>(addr16) })
}
32 changes: 10 additions & 22 deletions oryx-ebpf/src/main.rs
Expand Up @@ -18,7 +18,7 @@ use network_types::{
};
use oryx_common::{
protocols::{LinkProtocol, NetworkProtocol, Protocol, TransportProtocol},
to_u128, ProtoHdr, RawPacket,
ProtoHdr, RawPacket,
};

#[map]
Expand Down Expand Up @@ -99,8 +99,8 @@ fn process(ctx: TcContext) -> Result<i32, ()> {
match ethhdr.ether_type {
EtherType::Ipv4 => {
let header: Ipv4Hdr = ctx.load(EthHdr::LEN).map_err(|_| ())?;
let src_addr = header.src_addr;
let dst_addr = header.dst_addr;
let src_addr = u32::from_be(header.src_addr);
let dst_addr = u32::from_be(header.dst_addr);

match header.proto {
IpProto::Tcp => {
Expand All @@ -111,7 +111,7 @@ fn process(ctx: TcContext) -> Result<i32, ()> {
if unsafe { BLOCKLIST_IPV4_INGRESS.get(&src_addr) } == Some(&src_port)
|| unsafe { BLOCKLIST_IPV4_EGRESS.get(&dst_addr) } == Some(&dst_port)
{
return Ok(TC_ACT_SHOT); //DROP PACKET
return Ok(TC_ACT_SHOT);
}

if filter_packet(Protocol::Network(NetworkProtocol::Ipv4))
Expand All @@ -132,13 +132,15 @@ fn process(ctx: TcContext) -> Result<i32, ()> {
if unsafe { BLOCKLIST_IPV4_INGRESS.get(&src_addr) } == Some(&src_port)
|| unsafe { BLOCKLIST_IPV4_EGRESS.get(&dst_addr) } == Some(&dst_port)
{
return Ok(TC_ACT_SHOT); //DROP PACKET
return Ok(TC_ACT_SHOT);
}

if filter_packet(Protocol::Network(NetworkProtocol::Ipv4))
|| filter_packet(Protocol::Transport(TransportProtocol::UDP))
{
return Ok(TC_ACT_PIPE); //DONT FWD PACKET TO TUI
return Ok(TC_ACT_PIPE);
}

submit(RawPacket::Ip(
IpHdr::V4(header),
ProtoHdr::Udp(unsafe { *udphdr }),
Expand All @@ -159,19 +161,11 @@ fn process(ctx: TcContext) -> Result<i32, ()> {
}
EtherType::Ipv6 => {
let header: Ipv6Hdr = ctx.load(EthHdr::LEN).map_err(|_| ())?;
let src_addr = to_u128(unsafe { header.src_addr.in6_u.u6_addr16 });
let dst_addr = to_u128(unsafe { header.dst_addr.in6_u.u6_addr16 });

match header.next_hdr {
IpProto::Tcp => {
let tcphdr: *const TcpHdr = ptr_at(&ctx, EthHdr::LEN + Ipv6Hdr::LEN)?;
let src_port = u16::from_be(unsafe { (*tcphdr).source });
let dst_port = u16::from_be(unsafe { (*tcphdr).dest });
if unsafe { BLOCKLIST_IPV6_INGRESS.get(&src_addr) } == Some(&src_port)
|| unsafe { BLOCKLIST_IPV6_EGRESS.get(&dst_addr) } == Some(&dst_port)
{
return Ok(TC_ACT_SHOT); //DROP PACKET
}

if filter_packet(Protocol::Network(NetworkProtocol::Ipv6))
|| filter_packet(Protocol::Transport(TransportProtocol::TCP))
{
Expand All @@ -184,13 +178,7 @@ fn process(ctx: TcContext) -> Result<i32, ()> {
}
IpProto::Udp => {
let udphdr: *const UdpHdr = ptr_at(&ctx, EthHdr::LEN + Ipv6Hdr::LEN)?;
let src_port = u16::from_be(unsafe { (*udphdr).source });
let dst_port = u16::from_be(unsafe { (*udphdr).dest });
if unsafe { BLOCKLIST_IPV6_INGRESS.get(&src_addr.into()) } == Some(&src_port)
|| unsafe { BLOCKLIST_IPV6_EGRESS.get(&dst_addr.into()) } == Some(&dst_port)
{
return Ok(TC_ACT_SHOT); //DROP PACKET
}

if filter_packet(Protocol::Network(NetworkProtocol::Ipv6))
|| filter_packet(Protocol::Transport(TransportProtocol::UDP))
{
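Review bot: The blocklist lookups for IPv6 are deleted from both the TCP and UDP arms of the `EtherType::Ipv6` branch while the TUI side of this commit still inserts rules into `BLOCKLIST_IPV6_INGRESS`, so an IPv6 rule is accepted by the UI and then never enforced — the firewall fails open for v6 traffic with no error anywhere. The IPv4 arm now keys the maps with `u32::from_be(header.src_addr)`, which agrees with the `addr.to_bits()` key written from userspace; the v6 arm needs the same discipline, a `u128` whose first 16-bit group is most significant (the integer `u128::from(Ipv6Addr)` yields), which the fold below computes from the visible `u6_addr16` array without the removed `transmute`, and the userspace v6 insert (cut off at the edge of its hunk) must use that same encoding. If the `src_port`/`dst_port` bindings in the TCP arm survived the deletion they are now unused and should either feed the restored check or go. `process` starts and ends outside this hunk.

```rust
EtherType::Ipv6 => {
    let header: Ipv6Hdr = ctx.load(EthHdr::LEN).map_err(|_| ())?;
    // Fold the eight big-endian 16-bit groups so the first group is the most
    // significant: the same integer u128::from(Ipv6Addr) yields in userspace.
    let src_addr = unsafe { header.src_addr.in6_u.u6_addr16 }
        .iter()
        .fold(0u128, |acc, w| (acc << 16) | u128::from(u16::from_be(*w)));
    let dst_addr = unsafe { header.dst_addr.in6_u.u6_addr16 }
        .iter()
        .fold(0u128, |acc, w| (acc << 16) | u128::from(u16::from_be(*w)));

    match header.next_hdr {
        IpProto::Tcp => {
            let tcphdr: *const TcpHdr = ptr_at(&ctx, EthHdr::LEN + Ipv6Hdr::LEN)?;
            let src_port = u16::from_be(unsafe { (*tcphdr).source });
            let dst_port = u16::from_be(unsafe { (*tcphdr).dest });
            if unsafe { BLOCKLIST_IPV6_INGRESS.get(&src_addr) } == Some(&src_port)
                || unsafe { BLOCKLIST_IPV6_EGRESS.get(&dst_addr) } == Some(&dst_port)
            {
                return Ok(TC_ACT_SHOT);
            }
            // … unchanged: filter_packet checks and submit …
        }
        IpProto::Udp => {
            let udphdr: *const UdpHdr = ptr_at(&ctx, EthHdr::LEN + Ipv6Hdr::LEN)?;
            // … same port extraction and blocklist lookup as the TCP arm, then unchanged …
```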
9 changes: 5 additions & 4 deletions oryx-tui/src/ebpf.rs
Expand Up @@ -165,13 +165,12 @@ impl Ebpf {
let mut ipv6_firewall: HashMap<_, u128, u16> =
HashMap::try_from(bpf.take_map("BLOCKLIST_IPV6_INGRESS").unwrap()).unwrap();

spawn(move || loop {
thread::spawn(move || loop {
if let Ok(rule) = firewall_ingress_receiver.recv() {
match rule.enabled {
true => match rule.ip {
IpAddr::V4(addr) => {
println!("{}", rule);
ipv4_firewall.insert(u32::from(addr), rule.port, 0).unwrap();
ipv4_firewall.insert(addr.to_bits(), rule.port, 0).unwrap();
}
IpAddr::V6(addr) => {
let _ = ipv6_firewall.insert(
Expand All @@ -184,7 +183,7 @@ impl Ebpf {

false => match rule.ip {
IpAddr::V4(addr) => {
let _ = ipv4_firewall.remove(&u32::from(addr));
ipv4_firewall.remove(&addr.to_bits()).unwrap();
}

IpAddr::V6(addr) => {
Expand All @@ -194,7 +193,9 @@ impl Ebpf {
},
}
}
});

thread::spawn(move || loop {
if let Ok((filter, flag)) = filter_channel_receiver.recv() {
match filter {
Protocol::Transport(p) => {
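Review bot: `ipv4_firewall.insert(addr.to_bits(), rule.port, 0).unwrap()` and `ipv4_firewall.remove(&addr.to_bits()).unwrap()` panic inside the spawned thread on any map error, and a panic there kills the only loop that applies rules, so every later rule is accepted by the UI and silently never reaches the kernel. The `remove` case looks reachable from the UI: the maps are keyed by address alone (the value is the single `u16` port), so a second rule for the same address overwrites the first, and disabling both in turn asks the kernel to delete a key that is already gone, which it rejects. Replace the unwraps with error reporting that keeps the loop alive, e.g. `if let Err(e) = ipv4_firewall.insert(addr.to_bits(), rule.port, 0) { /* surface e to the app */ }`, and do the same for the `let _ =` on the IPv6 insert instead of swallowing it. Both new `thread::spawn(move || loop { if let Ok(..) = rx.recv() { … } })` loops also spin at full CPU once their sender is dropped, because `recv()` then returns `Err` forever; `for rule in firewall_ingress_receiver { … }` ends cleanly instead. The enclosing method continues past the end of this section.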
2 changes: 1 addition & 1 deletion oryx-tui/src/handler.rs
Expand Up @@ -21,7 +21,7 @@ pub fn handle_key_events(
KeyCode::Enter => {
if app.filter.focused_block == FocusedBlock::Apply {
app.filter
.start(sender.clone(), app.data_channel_sender.clone());
.start(sender.clone(), app.data_channel_sender.clone())?;

app.start_sniffing = true;
}
