10 #define ENTRYPOINT_SECTION "filter_v2"
12 #define SECTION(name) __attribute__((section(name), used))
15 #define STATIC_ASSERT(x) static_assert(x, "")
17 #define STATIC_ASSERT(x) _Static_assert(x, "")
43 #define PROGRAM_DISPLAY_ID(id) \
44 SECTION("meta.display_id") \
45 static const char _mitigator_meta_program_id[] = id;
64 #define ENTRYPOINT SECTION(ENTRYPOINT_SECTION)
82 #define LOCAL static inline __attribute__((always_inline))
109 #if defined(__clang__)
110 #define UNROLL _Pragma("unroll")
125 #define MAX_PAYLOAD_LENGTH 1536
136 #define MAX_PARAMETERS_LENGTH 1024
139 namespace mitigator {
361 uint32_t th_flags2 : 4;
401 TCP_FLAG_PUSH = 0x08,
700 #define TABLE_EX_KEY_SIZE 16
703 #define TABLE_EX_VALUE_SIZE 8
715 void* value,
void* value_end);
727 void* value,
void* value_end);
740 const void* value,
const void* value_end);
897 return __builtin_bswap16(value);
903 return __builtin_bswap32(value);
906 #define VLAN_ID_MASK 0x0fff
/*
 * Compile-time layout checks for the protocol header structs declared above.
 * Each expected size is the on-wire length of the corresponding item: an IPv6
 * address (16), an 802.1Q tag (4), an IPv4 header without options (20), the
 * fixed IPv6 header (40), a TCP header without options (20) and a UDP header
 * (8).  Any compiler padding or wrong field width fails the build here rather
 * than going unnoticed; presumably these structs are read straight from packet
 * bytes (the packet_*_header accessors return void *), so that matters.
 */
STATIC_ASSERT(sizeof(struct Ip6Addr) == 16);
STATIC_ASSERT(sizeof(struct VlanHeader) == 4);
STATIC_ASSERT(sizeof(struct IpHeader) == 20);
STATIC_ASSERT(sizeof(struct Ip6Header) == 40);
STATIC_ASSERT(sizeof(struct TcpHeader) == 20);
STATIC_ASSERT(sizeof(struct UdpHeader) == 8);
LOCAL void vlan_set_id(struct VlanHeader *vlan, uint16_t id)
Set VLAN ID in 802.1q header.
Definition: mitigator_bpf.h:923
EtherType
Ethernet frame type codes.
Definition: mitigator_bpf.h:216
@ ETHER_TYPE_IP
Definition: mitigator_bpf.h:217
@ ETHER_TYPE_ARP
Definition: mitigator_bpf.h:218
@ ETHER_TYPE_IP6
Definition: mitigator_bpf.h:220
@ ETHER_TYPE_8021Q
Definition: mitigator_bpf.h:219
uint8_t packet_transport_proto(Context ctx)
Get packet transport protocol code, e.g. TCP, UDP, or ICMP.
struct TableExResult table_ex_get(Context ctx, const void *key, const void *key_end, void *value, void *value_end)
Look up the value in the extended table by key and modify the record's update time.
uint64_t TableValue
Definition: mitigator_bpf.h:627
void * Context
Opaque filter context.
Definition: mitigator_bpf.h:144
LOCAL uint16_t bswap16(uint16_t value)
Change byte order of a 16-bit value.
Definition: mitigator_bpf.h:896
uint64_t table_ex_size(Context ctx)
Get number of records in the extended table.
uint32_t hash_crc32_data(const void *data, const void *end, uint32_t init)
Compute CRC32 (Castagnoli) over [data; end).
uint32_t Time
Definition: mitigator_bpf.h:181
void set_packet_offset(Context ctx, uint16_t offset)
Set number of bytes to strip from the beginning of transport payload.
uint16_t packet_network_proto(Context ctx)
Get packet network protocol code, e.g. IPv4.
Result
Filter verdict.
Definition: mitigator_bpf.h:152
@ RESULT_LIMIT
Definition: mitigator_bpf.h:160
@ RESULT_DROP
Definition: mitigator_bpf.h:156
@ RESULT_SORB
Definition: mitigator_bpf.h:166
@ RESULT_PASS
Definition: mitigator_bpf.h:154
@ RESULT_BACK
Definition: mitigator_bpf.h:158
LOCAL uint16_t vlan_get_id(const struct VlanHeader *vlan)
Get VLAN ID from 802.1q header.
Definition: mitigator_bpf.h:910
#define LOCAL
Force the compiler to inline a local function.
Definition: mitigator_bpf.h:82
Bool table_get(Context ctx, TableKey key, struct TableRecord *record)
Look up the value in the basic table by key and modify the record's update time.
uint32_t hash_crc32_u64(uint64_t value, uint32_t init)
Compute CRC32 (Castagnoli) of a 64-bit value.
TcpOption
TCP option codes.
Definition: mitigator_bpf.h:416
@ TCP_OPT_MAXSEG
Definition: mitigator_bpf.h:419
@ TCP_OPT_SACK_PERM
Definition: mitigator_bpf.h:421
@ TCP_OPT_SACK
Definition: mitigator_bpf.h:422
@ TCP_OPT_WSCALE
Definition: mitigator_bpf.h:420
@ TCP_OPT_TIMESTAMPS
Definition: mitigator_bpf.h:423
@ TCP_OPT_NOP
Definition: mitigator_bpf.h:418
@ TCP_OPT_EOL
Definition: mitigator_bpf.h:417
IpProto
IPv4 and IPv6 transport protocol codes.
Definition: mitigator_bpf.h:301
@ IP_PROTO_IPV6
Definition: mitigator_bpf.h:305
@ IP_PROTO_ICMP
Definition: mitigator_bpf.h:302
@ IP_PROTO_ICMPV6
Definition: mitigator_bpf.h:306
@ IP_PROTO_UDP
Definition: mitigator_bpf.h:304
@ IP_PROTO_TCP
Definition: mitigator_bpf.h:303
Cookie cookie_make(Context ctx, const struct Flow *id)
Make a generic cookie value based on random seed, current time, and flow fields that identify the cli...
TcpFlags
TCP flags.
Definition: mitigator_bpf.h:397
Cookie syncookie_make(Context ctx)
Make a cookie value for use as a sequence number in a SYN+ACK packet.
void set_packet_length(Context ctx, uint16_t length)
Set new packet transport payload length (max 1400).
uint64_t table_size(Context ctx)
Get number of records in the table.
uint32_t IpAddr
IPv4 address.
Definition: mitigator_bpf.h:224
Bool table_ex_put(Context ctx, const void *key, const void *key_end, const void *value, const void *value_end)
Update value in the extended table, creating a new record if needed.
void * packet_transport_payload(Context ctx, uint16_t *length)
Get packet transport payload for TCP or UDP.
struct TableExResult table_ex_find(Context ctx, const void *key, const void *key_end, void *value, void *value_end)
Look up the value in the extended table by key.
LOCAL uint32_t bswap32(uint32_t value)
Change byte order of a 32-bit value.
Definition: mitigator_bpf.h:902
uint64_t rand64(void)
Generate a pseudo-random value that is not cryptographically secure.
void * packet_ether_header(Context ctx)
Get packet Ethernet header.
uint32_t hash_crc32_u32(uint32_t value, uint32_t init)
Compute CRC32 (Castagnoli) of a 32-bit value.
Bool syncookie_check(Context ctx, uint32_t seqnum_offset, uint32_t acknum_offset)
Check if packet is a TCP ACK carrying a SYN cookie.
void * packet_transport_header(Context ctx)
Get packet transport header, e.g. TCP header.
Bool cookie_check(Context ctx, const struct Flow *id, Cookie cookie)
Check if a generic cookie matches the flow and has not expired.
void set_src_blacklisted(Context ctx, Time duration)
Add packet source address to temporary blacklist.
Bool table_put(Context ctx, TableKey key, TableValue value)
Update value in the basic table, creating a new record if needed.
const void * parameters_get(Context ctx)
Get a pointer to read-only program parameters.
void * packet_network_header(Context ctx)
Get packet network header, e.g. IPv4 header.
Time time_sec(Context ctx)
Get wallclock time in seconds.
uint64_t Bool
ABI-safe, EBPF-friendly boolean type.
Definition: mitigator_bpf.h:174
Bool table_find(Context ctx, TableKey key, struct TableRecord *record)
Look up the value in the basic table by key.
void set_src_whitelisted(Context ctx, Time duration)
Add packet source address to temporary whitelist.
uint64_t TableKey
Definition: mitigator_bpf.h:620
void set_packet_mangled(Context ctx)
Mark the packet as mangled by the program.
void set_packet_syncookie(Context ctx)
Convert response packet to an empty TCP SYN+ACK with syncookie.
void packet_flow(Context ctx, struct Flow *info)
Get packet flow information, including source and destination.
uint32_t Cookie
Definition: mitigator_bpf.h:746
Ethernet address (MAC address).
Definition: mitigator_bpf.h:184
Packet flow information.
Definition: mitigator_bpf.h:446
uint16_t src_port
Definition: mitigator_bpf.h:449
uint16_t dst_port
Definition: mitigator_bpf.h:450
uint32_t padding
Definition: mitigator_bpf.h:451
IPv6 address representation.
Definition: mitigator_bpf.h:264
Result of a lookup in the extended table.
Definition: mitigator_bpf.h:693
Time update_time
Definition: mitigator_bpf.h:696
bool found
Definition: mitigator_bpf.h:694
Record in the program-wide table.
Definition: mitigator_bpf.h:641
Time update_time
Definition: mitigator_bpf.h:643
TableValue value
Definition: mitigator_bpf.h:642
uint32_t padding
Definition: mitigator_bpf.h:644
Network address, either IPv4 or IPv6.
Definition: mitigator_bpf.h:427