Mitigator BPF API
Functions and types that filter programs can use to inspect and act on packets.
/** Name of the ELF section that holds the ABI v1 filter entry point (see FILTER_V1). */
10 #define ABI_V1_ENTRYPOINT "filter_v1"
/**
 * Place a definition in ELF section @p name and mark it `used`, so the
 * compiler keeps it even when nothing in the program references it.
 */
12 #define SECTION(name) __attribute__((section(name), used))
/**
 * Embed a human-readable program id in the "meta.display_id" section.
 * The buffer is a fixed 40 bytes: keep @p id to at most 39 characters so the
 * terminating NUL fits (C++ rejects a longer literal; C accepts exactly 40
 * bytes without a terminator, which then is not a C string).
 * NOTE(review): the object name starts with an underscore, a spelling that is
 * reserved at file scope in C and in the global namespace in C++ -- confirm
 * that every use site lands inside a namespace.
 */
37 #define PROGRAM_DISPLAY_ID(id) \
38 SECTION("meta.display_id") \
39 static const char _mitigator_meta_program_id[40] = id;
/** Mark a function as the ABI v1 entry point by placing it in ABI_V1_ENTRYPOINT. */
58 #define FILTER_V1 SECTION(ABI_V1_ENTRYPOINT)
/**
 * Force the compiler to inline a local function.
 * Presumably required so that helpers are folded into the entry point for
 * the BPF target -- confirm against the toolchain in use.
 */
76 #define LOCAL static inline __attribute__((always_inline))
103 #if defined(__clang__)
104 #define UNROLL _Pragma("unroll")
/**
 * Upper bound, in bytes, on a packet payload handled by a filter program;
 * presumably the most packet_transport_payload() may report -- confirm.
 * Note that set_packet_length() is documented with a separate limit (1400).
 */
119 #define MAX_PAYLOAD_LENGTH 1536
/**
 * Upper bound, in bytes, on the program parameter block; presumably the size
 * of the region returned by parameters_get() -- confirm.  Programs should
 * bounds-check every parameter offset against this value before reading.
 */
130 #define MAX_PARAMETERS_LENGTH 1024
133 namespace mitigator {
254 uint32_t th_flags2 : 4;
316 TCP_FLAG_PUSH = 0x08,
/**
 * Compute CRC32 (Castagnoli) over the byte range [data, end).
 *
 * @param data  first byte to hash.
 * @param end   one past the last byte; must not precede @p data.
 * @param init  initial CRC state; presumably the previous call's result is
 *              passed here to hash non-contiguous data in one stream -- confirm.
 * @return the CRC32C value.
 *
 * CRC32 is a checksum, not a keyed hash: it offers no protection against a
 * deliberately crafted collision and must not be used as an authenticator.
 * NOTE(review): the helper receives only the pointers, so the caller is the
 * one that must bounds-check @p end against the packet end before calling.
 */
704 uint32_t
hash_crc32_data(
const void* data,
const void* end, uint32_t init);
715 return __builtin_bswap16(value);
721 return __builtin_bswap32(value);
uint32_t Cookie
Definition: mitigator_bpf.h:564
@ IP_PROTO_ICMP
Definition: mitigator_bpf.h:279
Bool cookie_check(Context ctx, const struct Flow *id, Cookie cookie)
Check if a generic cookie matches the flow and has not expired.
@ TCP_OPT_WSCALE
Definition: mitigator_bpf.h:335
uint32_t hash_crc32_u32(uint32_t value, uint32_t init)
Compute CRC32 (Castagnoli) of a 32-bit value.
Cookie syncookie_make(Context ctx)
Make a cookie value for use as a sequence number in a SYN+ACK packet.
Bool table_find(Context ctx, TableKey key, struct TableRecord *record)
Look up a value in the table by key.
@ RESULT_DROP
Definition: mitigator_bpf.h:149
void set_packet_syncookie(Context ctx)
Convert response packet to an empty TCP SYN+ACK with syncookie.
LOCAL uint32_t bswap32(uint32_t value)
Change byte order of a 32-bit value.
Definition: mitigator_bpf.h:720
#define LOCAL
Force the compiler to inline a local function.
Definition: mitigator_bpf.h:76
void * packet_transport_payload(Context ctx, uint16_t *length)
Get packet transport payload for TCP or UDP.
@ TCP_OPT_MAXSEG
Definition: mitigator_bpf.h:334
void set_src_whitelisted(Context ctx, Time duration)
Add packet source address to temporary whitelist.
Result
Filter verdict.
Definition: mitigator_bpf.h:145
uint32_t Time
Definition: mitigator_bpf.h:168
uint64_t table_size(Context ctx)
Get number of records in the table.
@ TCP_OPT_TIMESTAMPS
Definition: mitigator_bpf.h:338
uint8_t packet_transport_proto(Context ctx)
Get packet transport protocol code, e.g. TCP, UDP, or ICMP.
uint32_t hash_crc32_u64(uint64_t value, uint32_t init)
Compute CRC32 (Castagnoli) of a 64-bit value.
@ TCP_OPT_NOP
Definition: mitigator_bpf.h:333
void set_src_blacklisted(Context ctx, Time duration)
Add packet source address to temporary blacklist.
uint64_t Bool
ABI-safe, eBPF-friendly boolean type.
Definition: mitigator_bpf.h:161
TcpFlags
TCP flags.
Definition: mitigator_bpf.h:312
TcpOption
TCP option codes.
Definition: mitigator_bpf.h:331
@ RESULT_LIMIT
Definition: mitigator_bpf.h:153
uint32_t daddr
Definition: mitigator_bpf.h:354
const void * parameters_get(Context ctx)
Get a pointer to read-only program parameters.
EtherType
Ethernet frame type codes.
Definition: mitigator_bpf.h:266
@ RESULT_BACK
Definition: mitigator_bpf.h:151
@ TCP_OPT_SACK
Definition: mitigator_bpf.h:337
uint16_t dport
Definition: mitigator_bpf.h:356
@ ETHER_TYPE_8021Q
Definition: mitigator_bpf.h:269
@ ETHER_TYPE_IP
Definition: mitigator_bpf.h:267
void * Context
Opaque filter context.
Definition: mitigator_bpf.h:137
void * packet_network_header(Context ctx)
Get packet network header, e.g. IPv4 header.
Bool table_get(Context ctx, TableKey key, struct TableRecord *record)
Look up a value in the table by key and refresh the record's update time.
uint64_t TableValue
Definition: mitigator_bpf.h:517
Bool syncookie_check(Context ctx, uint32_t seqnum_offset, uint32_t acknum_offset)
Check if packet is a TCP ACK carrying a SYN cookie.
uint32_t hash_crc32_data(const void *data, const void *end, uint32_t init)
Compute CRC32 (Castagnoli) over the byte range [data, end), with end exclusive.
Bool table_put(Context ctx, TableKey key, TableValue value)
Update value in the table, creating a new record if needed.
Time update_time
Definition: mitigator_bpf.h:530
@ ETHER_TYPE_IP6
Definition: mitigator_bpf.h:270
uint64_t TableKey
Definition: mitigator_bpf.h:510
Record in the program-wide table.
Definition: mitigator_bpf.h:528
@ TCP_OPT_EOL
Definition: mitigator_bpf.h:332
@ RESULT_PASS
Definition: mitigator_bpf.h:147
Time time_sec(Context ctx)
Get wallclock time in seconds.
void set_packet_mangled(Context ctx)
Mark the packet as mangled by the program.
TableValue value
Definition: mitigator_bpf.h:529
@ IP_PROTO_TCP
Definition: mitigator_bpf.h:280
LOCAL uint16_t bswap16(uint16_t value)
Change byte order of a 16-bit value.
Definition: mitigator_bpf.h:714
uint16_t sport
Definition: mitigator_bpf.h:355
uint64_t rand64(void)
Generate a pseudo-random value; it is not cryptographically secure and so is unsuitable for secrets.
void set_packet_length(Context ctx, uint16_t length)
Set new packet transport payload length (max 1400).
@ ETHER_TYPE_ARP
Definition: mitigator_bpf.h:268
uint32_t padding
Definition: mitigator_bpf.h:357
Cookie cookie_make(Context ctx, const struct Flow *id)
Make a generic cookie value based on random seed, current time, and flow fields that identify the cli...
uint32_t saddr
Definition: mitigator_bpf.h:353
void packet_flow(Context ctx, struct Flow *info)
Get packet flow information, including source and destination.
void set_packet_offset(Context ctx, uint16_t offset)
Set the number of bytes to strip from the beginning of the transport payload.
void * packet_transport_header(Context ctx)
Get packet transport header, e.g. TCP header.
uint16_t packet_network_proto(Context ctx)
Get packet network protocol code, e.g. IPv4.
@ TCP_OPT_SACK_PERM
Definition: mitigator_bpf.h:336
uint32_t padding
Definition: mitigator_bpf.h:531
IpProto
IPv4 and IPv6 transport protocol codes.
Definition: mitigator_bpf.h:278
Packet flow information.
Definition: mitigator_bpf.h:352
@ IP_PROTO_UDP
Definition: mitigator_bpf.h:281