mitigator_bpf.h

Go to the documentation of this file.

/* SPDX-License-Identifier: BSD-3-Clause
 * Copyright (c) 2020 BIFIT <mitigator@bifit.com>
 */
#pragma once
 
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
 
#define ABI_V1_ENTRYPOINT "filter_v1"
 
#define SECTION(name) __attribute__((section(name), used))
 
#define PROGRAM_DISPLAY_ID(id) \
    SECTION("meta.display_id") \
    static const char _mitigator_meta_program_id[40] = id;
 
#define FILTER_V1 SECTION(ABI_V1_ENTRYPOINT)
 
#define LOCAL static inline __attribute__((always_inline))
 
#if defined(__clang__)
#define UNROLL _Pragma("unroll")
#else
#define UNROLL
#endif
 
#define MAX_PAYLOAD_LENGTH 1536
 
#define MAX_PARAMETERS_LENGTH 1024
 
#ifdef __cplusplus
namespace mitigator {
#endif
 
typedef void* Context;
 
enum Result {
    RESULT_PASS,
    RESULT_DROP,
    RESULT_BACK,
    RESULT_LIMIT
};
 
typedef uint64_t Bool;
 
typedef uint32_t Time;
 
struct IpHeader {
    uint32_t ip_hl : 4; /* 0     header length         */
    uint32_t ip_v  : 4; /*       version == 4          */
    uint8_t ip_tos;     /* 1     type of service       */
    uint16_t ip_len;    /* 2-3   total length          */
    uint16_t ip_id;     /* 4-5   packet ID             */
    uint16_t ip_off;    /* 6-7   fragmentation offset  */
    uint8_t ip_ttl;     /* 8     time to live          */
    uint8_t ip_p;       /* 9     protocol ID           */
    uint16_t ip_sum;    /* 10-11 header checksum       */
    uint32_t ip_src;    /* 12-15 source address        */
    uint32_t ip_dst;    /* 16-19 destination address   */
};
 
struct UdpHeader {
    uint16_t uh_sport; /* 0-1   source port       */
    uint16_t uh_dport; /* 2-3   destination port  */
    uint16_t uh_ulen;  /* 4-5   UDP length        */
    uint16_t uh_sum;   /* 6-7   checksum          */
};
 
struct TcpHeader {
    uint16_t th_sport;       /* 0-1   source port             */
    uint16_t th_dport;       /* 2-3   destination port        */
    uint32_t th_seq;         /* 4-7   sequence number         */
    uint32_t th_ack;         /* 8-11  acknowledgement number  */
    uint32_t th_flags2 : 4;  /* 12    more flags              */
    uint32_t th_off    : 4;  /*       data offset in words    */
    uint8_t th_flags;        /* 13    flags                   */
    uint16_t th_win;         /* 14-15 window                  */
    uint16_t th_sum;         /* 16-17 checksum                */
    uint16_t th_urp;         /* 18-19 urgent pointer          */
};
 
enum EtherType {
    ETHER_TYPE_IP    = 0x0800,  
    ETHER_TYPE_ARP   = 0x0806,  
    ETHER_TYPE_8021Q = 0x8100,  
    ETHER_TYPE_IP6   = 0x86DD   
};
 
enum IpProto {
    IP_PROTO_ICMP = 1,   
    IP_PROTO_TCP  = 6,   
    IP_PROTO_UDP  = 17   
};
 
enum TcpFlags {
    TCP_FLAG_FIN = 0x01,
    TCP_FLAG_SYN = 0x02,
    TCP_FLAG_RST = 0x04,
    TCP_FLAG_PUSH = 0x08,
    TCP_FLAG_ACK = 0x10,
    TCP_FLAG_URG = 0x20,
    TCP_FLAG_ECE = 0x40,
    TCP_FLAG_CWR = 0x80
};
 
enum TcpOption {
    TCP_OPT_EOL = 0,       
    TCP_OPT_NOP = 1,       
    TCP_OPT_MAXSEG = 2,    
    TCP_OPT_WSCALE = 3,    
    TCP_OPT_SACK_PERM = 4, 
    TCP_OPT_SACK = 5,      
    TCP_OPT_TIMESTAMPS = 8 
};
 
struct Flow {
    uint32_t saddr;   
    uint32_t daddr;   
    uint16_t sport;   
    uint16_t dport;   
    uint32_t padding; 
};
 
void packet_flow(Context ctx, struct Flow* info);
 
uint16_t packet_network_proto(Context ctx);
 
void* packet_network_header(Context ctx);
 
uint8_t packet_transport_proto(Context ctx);
 
void* packet_transport_header(Context ctx);
 
void* packet_transport_payload(Context ctx, uint16_t* length);
 
void set_packet_length(Context ctx, uint16_t length);
 
void set_packet_offset(Context ctx, uint16_t offset);
 
void set_packet_syncookie(Context ctx);
 
void set_packet_mangled(Context ctx);
 
void set_src_blacklisted(Context ctx, Time duration);
 
void set_src_whitelisted(Context ctx, Time duration);
 
typedef uint64_t TableKey;
 
typedef uint64_t TableValue;
 
struct TableRecord {
    TableValue value; 
    Time update_time; 
    uint32_t padding; 
};
 
Bool table_find(Context ctx, TableKey key, struct TableRecord* record);
 
Bool table_get(Context ctx, TableKey key, struct TableRecord* record);
 
Bool table_put(Context ctx, TableKey key, TableValue value);
 
uint64_t table_size(Context ctx);
 
typedef uint32_t Cookie;
 
Cookie syncookie_make(Context ctx);
 
Bool syncookie_check(Context ctx, uint32_t seqnum_offset, uint32_t acknum_offset);
 
Cookie cookie_make(Context ctx, const struct Flow* id);
 
Bool cookie_check(Context ctx, const struct Flow* id, Cookie cookie);
 
const void* parameters_get(Context ctx);
 
uint32_t hash_crc32_u32(uint32_t value, uint32_t init);
 
uint32_t hash_crc32_u64(uint64_t value, uint32_t init);
 
uint32_t hash_crc32_data(const void* data, const void* end, uint32_t init);
 
Time time_sec(Context ctx);
 
uint64_t rand64(void);
 
LOCAL uint16_t
bswap16(uint16_t value) {
    return __builtin_bswap16(value);
}
 
LOCAL uint32_t
bswap32(uint32_t value) {
    return __builtin_bswap32(value);
}
 
#ifdef __cplusplus
} // namespace mitigator
#endif