mitigator_bpf.h

Go to the documentation of this file.

/* SPDX-License-Identifier: BSD-3-Clause
 * Copyright (c) 2020 BIFIT Mitigator Team <info@mitigator.ru>
 */
#pragma once
 
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
 
#define ENTRYPOINT_SECTION "filter_v2"
 
#define SECTION(name) __attribute__((section(name), used))
 
#ifdef __cplusplus
#define STATIC_ASSERT(x) static_assert(x, "")
#else
#define STATIC_ASSERT(x) _Static_assert(x, "")
#endif
 
#define PROGRAM_DISPLAY_ID(id) \
    SECTION("meta.display_id") \
    static const char _mitigator_meta_program_id[] = id;
 
#define ENTRYPOINT SECTION(ENTRYPOINT_SECTION)
 
#define LOCAL static inline __attribute__((always_inline))
 
#if defined(__clang__)
#define UNROLL _Pragma("unroll")
#else
#define UNROLL
#endif
 
#define MAX_PAYLOAD_LENGTH 1536
 
#define MAX_PARAMETERS_LENGTH 1024
 
#ifdef __cplusplus
namespace mitigator {
extern "C" {
#endif
 
typedef void* Context;
 
enum Result {
    RESULT_PASS,
    RESULT_DROP,
    RESULT_BACK,
    RESULT_LIMIT,
    RESULT_SORB
};
 
typedef uint64_t Bool;
 
typedef uint32_t Time;
 
struct EtherAddr {
    uint8_t u8[6];
};
 
struct EtherHeader {
    struct EtherAddr ether_dhost; 
    struct EtherAddr ether_shost; 
    uint16_t ether_type;          
};
 
struct VlanHeader {
    uint16_t control; 
    uint16_t type;    
};
 
enum EtherType {
    ETHER_TYPE_IP    = 0x0800,  
    ETHER_TYPE_ARP   = 0x0806,  
    ETHER_TYPE_8021Q = 0x8100,  
    ETHER_TYPE_IP6   = 0x86DD   
};
 
typedef uint32_t IpAddr;
 
struct IpHeader {
    uint32_t ip_hl : 4; /* 0     header length         */
    uint32_t ip_v  : 4; /*       version == 4          */
    uint8_t ip_tos;     /* 1     type of service       */
    uint16_t ip_len;    /* 2-3   total length          */
    uint16_t ip_id;     /* 4-5   packet ID             */
    uint16_t ip_off;    /* 6-7   fragmentation offset  */
    uint8_t ip_ttl;     /* 8     time to live          */
    uint8_t ip_p;       /* 9     protocol ID           */
    uint16_t ip_sum;    /* 10-11 header checksum       */
    uint32_t ip_src;    /* 12-15 source address        */
    uint32_t ip_dst;    /* 16-19 destination address   */
};
 
struct Ip6Addr {
    uint8_t u8[16];
};
 
struct Ip6Header {
    uint32_t ip6_vfc;       /* version, traffic class, flow label */
    uint16_t ip6_plen;      /* payload length */
    uint8_t ip6_next;       /* next header */
    uint8_t ip6_hoplim;     /* hop limit */
    struct Ip6Addr ip6_src; /* source address */
    struct Ip6Addr ip6_dst; /* destination address */
};
 
enum IpProto {
    IP_PROTO_ICMP = 1,    
    IP_PROTO_TCP = 6,     
    IP_PROTO_UDP = 17,    
    IP_PROTO_IPV6 = 41,   
    IP_PROTO_ICMPV6 = 58, 
};
 
struct UdpHeader {
    uint16_t uh_sport; /* 0-1   source port       */
    uint16_t uh_dport; /* 2-3   destination port  */
    uint16_t uh_ulen;  /* 4-5   UDP length        */
    uint16_t uh_sum;   /* 6-7   checksum          */
};
 
struct TcpHeader {
    uint16_t th_sport;       /* 0-1   source port             */
    uint16_t th_dport;       /* 2-3   destination port        */
    uint32_t th_seq;         /* 4-7   sequence number         */
    uint32_t th_ack;         /* 8-11  acknowledgement number  */
    uint32_t th_flags2 : 4;  /* 12    more flags              */
    uint32_t th_off    : 4;  /*       data offset in words    */
    uint8_t th_flags;        /* 13    flags                   */
    uint16_t th_win;         /* 14-15 window                  */
    uint16_t th_sum;         /* 16-17 checksum                */
    uint16_t th_urp;         /* 18-19 urgent pointer          */
};
 
enum TcpFlags {
    TCP_FLAG_FIN = 0x01,
    TCP_FLAG_SYN = 0x02,
    TCP_FLAG_RST = 0x04,
    TCP_FLAG_PUSH = 0x08,
    TCP_FLAG_ACK = 0x10,
    TCP_FLAG_URG = 0x20,
    TCP_FLAG_ECE = 0x40,
    TCP_FLAG_CWR = 0x80
};
 
enum TcpOption {
    TCP_OPT_EOL = 0,       
    TCP_OPT_NOP = 1,       
    TCP_OPT_MAXSEG = 2,    
    TCP_OPT_WSCALE = 3,    
    TCP_OPT_SACK_PERM = 4, 
    TCP_OPT_SACK = 5,      
    TCP_OPT_TIMESTAMPS = 8 
};
 
union NetAddr {
    struct {
        uint8_t padding[12]; 
        IpAddr v4;           
    };
    struct Ip6Addr v6; 
};
 
struct Flow {
    union NetAddr src_ip; 
    union NetAddr dst_ip; 
    uint16_t src_port;    
    uint16_t dst_port;    
    uint32_t padding;     
};
 
void packet_flow(Context ctx, struct Flow* info);
 
void* packet_ether_header(Context ctx);
 
uint16_t packet_network_proto(Context ctx);
 
void* packet_network_header(Context ctx);
 
uint8_t packet_transport_proto(Context ctx);
 
void* packet_transport_header(Context ctx);
 
void* packet_transport_payload(Context ctx, uint16_t* length);
 
void set_packet_length(Context ctx, uint16_t length);
 
void set_packet_offset(Context ctx, uint16_t offset);
 
void set_packet_syncookie(Context ctx);
 
void set_packet_mangled(Context ctx);
 
void set_src_blacklisted(Context ctx, Time duration);
 
void set_src_whitelisted(Context ctx, Time duration);
 
typedef uint64_t TableKey;
 
typedef uint64_t TableValue;
 
struct TableRecord {
    TableValue value; 
    Time update_time; 
    uint32_t padding; 
};
 
Bool table_find(Context ctx, TableKey key, struct TableRecord* record);
 
Bool table_get(Context ctx, TableKey key, struct TableRecord* record);
 
Bool table_put(Context ctx, TableKey key, TableValue value);
 
uint64_t table_size(Context ctx);
 
struct TableExResult {
    bool found;          
    uint8_t reserved[3]; 
    Time update_time;    
};
 
#define TABLE_EX_KEY_SIZE 16
 
#define TABLE_EX_VALUE_SIZE 8
 
struct TableExResult
table_ex_find(Context ctx, const void* key, const void* key_end,
        void* value, void* value_end);
 
struct TableExResult
table_ex_get(Context ctx, const void* key, const void* key_end,
        void* value, void* value_end);
 
Bool table_ex_put(Context ctx, const void* key, const void* key_end,
        const void* value, const void* value_end);
 
uint64_t table_ex_size(Context ctx);
 
typedef uint32_t Cookie;
 
Cookie syncookie_make(Context ctx);
 
Bool syncookie_check(Context ctx, uint32_t seqnum_offset, uint32_t acknum_offset);
 
Cookie cookie_make(Context ctx, const struct Flow* id);
 
Bool cookie_check(Context ctx, const struct Flow* id, Cookie cookie);
 
const void* parameters_get(Context ctx);
 
uint32_t hash_crc32_u32(uint32_t value, uint32_t init);
 
uint32_t hash_crc32_u64(uint64_t value, uint32_t init);
 
uint32_t hash_crc32_data(const void* data, const void* end, uint32_t init);
 
Time time_sec(Context ctx);
 
uint64_t rand64(void);
 
LOCAL uint16_t
bswap16(uint16_t value) {
    return __builtin_bswap16(value);
}
 
LOCAL uint32_t
bswap32(uint32_t value) {
    return __builtin_bswap32(value);
}
 
#define VLAN_ID_MASK 0x0fff
 
LOCAL uint16_t
vlan_get_id(const struct VlanHeader* vlan) {
    return bswap16(vlan->control) & VLAN_ID_MASK;
}
 
LOCAL void
vlan_set_id(struct VlanHeader* vlan, uint16_t id) {
    uint16_t bits = vlan->control & ~bswap16(VLAN_ID_MASK);
    vlan->control = bswap16(bswap16(bits) | id);
}
 
STATIC_ASSERT(sizeof(struct Ip6Addr) == 16);
STATIC_ASSERT(sizeof(struct EtherHeader) == 14);
STATIC_ASSERT(sizeof(struct VlanHeader) == 4);
STATIC_ASSERT(sizeof(struct IpHeader) == 20);
STATIC_ASSERT(sizeof(struct Ip6Header) == 40);
STATIC_ASSERT(sizeof(struct TcpHeader) == 20);
STATIC_ASSERT(sizeof(struct UdpHeader) == 8);
STATIC_ASSERT(sizeof(struct TableExResult) == 8);
STATIC_ASSERT(sizeof(union NetAddr) == sizeof(struct Ip6Addr));
 
#ifdef __cplusplus
} // extern "C"
} // namespace mitigator
#endif