bpf/api/mitigator__bpf_8h_source.html

 /* SPDX-License-Identifier: BSD-3-Clause

  * Copyright (c) 2022 BIFIT Mitigator Team <info@mitigator.ru>

  */

 #pragma once


 #include <stdbool.h>

 #include <stddef.h>

 #include <stdint.h>


 #define ENTRYPOINT_SECTION "filter_v2"


 #define SECTION(name) __attribute__((section(name), used))


 #ifdef __cplusplus

 #define STATIC_ASSERT(x) static_assert(x, "")

 #else

 #define STATIC_ASSERT(x) _Static_assert(x, "")

 #endif


 #define PROGRAM_DISPLAY_ID(id) \

     SECTION("meta.display_id") \

     static const char _mitigator_meta_program_id[] = id;


 #define ENTRYPOINT SECTION(ENTRYPOINT_SECTION)


 #define LOCAL static inline __attribute__((always_inline))


 #define PACKED __attribute__((packed))


 #if defined(__clang__)

 #define UNROLL _Pragma("unroll")

 #else

 #define UNROLL

 #endif


 #define MAX_PAYLOAD_LENGTH 1536


 #define MAX_PARAMETERS_LENGTH 1024


 #ifdef __cplusplus

 namespace mitigator {

 extern "C" {

 #endif


 typedef void* Context;


 enum Result {

     RESULT_PASS,

     RESULT_DROP,

     RESULT_BACK,

     RESULT_LIMIT,

     RESULT_SORB

 };


 typedef uint64_t Bool;


 typedef uint32_t Time;


 const void* parameters_get(Context ctx);


 struct EtherAddr {

     uint8_t u8[6];

 };


 struct EtherHeader {

     struct EtherAddr ether_dhost; /* Destination host MAC address */

     struct EtherAddr ether_shost; /* Source host MAC address */

     uint16_t ether_type;          /* Next protocol ID (big-endian) */

 };


 struct VlanHeader {

     uint16_t control; /* Tag Control Information (big-endian) */

     uint16_t type;    /* Next protocol ID (big-endian) */

 };


 enum EtherType {

     ETHER_TYPE_IP    = 0x0800, /* Internet Protocol version 4 */

     ETHER_TYPE_ARP   = 0x0806, /* Address Resolution Protocol */

     ETHER_TYPE_8021Q = 0x8100, /* IEEE 802.1q (VLAN) */

     ETHER_TYPE_IP6   = 0x86DD  /* Internet Protocol version 6 */

 };


 typedef uint32_t IpAddr;


 struct IpHeader {

     uint32_t ip_hl : 4; /* 0     header length         */

     uint32_t ip_v  : 4; /*       version == 4          */

     uint8_t ip_tos;     /* 1     type of service       */

     uint16_t ip_len;    /* 2-3   total length          */

     uint16_t ip_id;     /* 4-5   packet ID             */

     uint16_t ip_off;    /* 6-7   fragmentation offset  */

     uint8_t ip_ttl;     /* 8     time to live          */

     uint8_t ip_p;       /* 9     protocol ID           */

     uint16_t ip_sum;    /* 10-11 header checksum       */

     uint32_t ip_src;    /* 12-15 source address        */

     uint32_t ip_dst;    /* 16-19 destination address   */

 };


 struct Ip6Addr {

     uint8_t u8[16];

 };


 struct Ip6Header {

     uint32_t ip6_vfc;       /* Version, traffic class, flow label */

     uint16_t ip6_plen;      /* Payload length */

     uint8_t ip6_next;       /* Next header */

     uint8_t ip6_hoplim;     /* Hop limit */

     struct Ip6Addr ip6_src; /* Source address */

     struct Ip6Addr ip6_dst; /* Destination address */

 };


 enum IpProto {

     IP_PROTO_ICMP = 1,

     IP_PROTO_TCP = 6,

     IP_PROTO_UDP = 17,

     IP_PROTO_IPV6 = 41,

     IP_PROTO_ICMPV6 = 58,

 };


 struct UdpHeader {

     uint16_t uh_sport; /* 0-1   source port      */

     uint16_t uh_dport; /* 2-3   destination port */

     uint16_t uh_ulen;  /* 4-5   UDP length       */

     uint16_t uh_sum;   /* 6-7   checksum         */

 };


 struct TcpHeader {

     uint16_t th_sport;       /* 0-1   source port             */

     uint16_t th_dport;       /* 2-3   destination port        */

     uint32_t th_seq;         /* 4-7   sequence number         */

     uint32_t th_ack;         /* 8-11  acknowledgement number  */

     uint32_t th_flags2 : 4;  /* 12    more flags              */

     uint32_t th_off    : 4;  /*       data offset in words    */

     uint8_t th_flags;        /* 13    flags                   */

     uint16_t th_win;         /* 14-15 window                  */

     uint16_t th_sum;         /* 16-17 checksum                */

     uint16_t th_urp;         /* 18-19 urgent pointer          */

 };


 enum TcpFlags {

     TCP_FLAG_FIN = 0x01,

     TCP_FLAG_SYN = 0x02,

     TCP_FLAG_RST = 0x04,

     TCP_FLAG_PUSH = 0x08,

     TCP_FLAG_ACK = 0x10,

     TCP_FLAG_URG = 0x20,

     TCP_FLAG_ECE = 0x40,

     TCP_FLAG_CWR = 0x80

 };


 enum TcpOption {

     TCP_OPT_EOL = 0,       /* End of Option List */

     TCP_OPT_NOP = 1,       /* No option (used for padding) */

     TCP_OPT_MAXSEG = 2,    /* Maximum segment size (MSS) */

     TCP_OPT_WSCALE = 3,    /* Window scaling factor */

     TCP_OPT_SACK_PERM = 4, /* Selective acknowledgement permitted */

     TCP_OPT_SACK = 5,      /* Selective acknowledgement */

     TCP_OPT_TIMESTAMPS = 8 /* Timestamps */

 };


 struct IcmpHeader {

     uint8_t icmp_type;   /* 0    ICMP type */

     uint8_t icmp_code;   /* 1    ICMP code */

     uint16_t icmp_cksum; /* 2-3  checksum  */

 };


 enum IcmpType {

     ICMP_ECHO_REPLY        = 0,    /* Echo Reply Message */

     ICMP_DEST_UNREACHABLE  = 3,    /* Destination Unreachable */

     ICMP_SOURCE_QUENCH     = 4,    /* Source Quench */

     ICMP_REDIRECT          = 5,    /* Redirect */

     ICMP_ECHO              = 8,    /* Echo Message */

     ICMP_TIME_EXCEEDED     = 11,   /* Time Exceeded */

     ICMP_PARAM_PROBLEM     = 12,   /* Parameter Problem */

     ICMP_TIMESTAMP_REQUEST = 13,   /* Timestamp Request */

     ICMP_TIMESTAMP_REPLY   = 14,   /* Timestamp Reply */

     ICMP_INFO_REQUEST      = 15,   /* Information Request */

     ICMP_INFO_REPLY        = 16,   /* Information Reply */

 };


 enum Icmp6Type {

     ICMP6_DEST_UNREACHABLE = 1,    /* Destination Unreachable */

     ICMP6_PKT_TOO_BIG      = 2,    /* Packet Too Big */

     ICMP6_TIME_EXCEEDED    = 3,    /* Time Exceeded */

     ICMP6_PARAM_PROBLEM    = 4,    /* Parameter Problem */

     ICMP6_ECHO_REQUEST     = 128,  /* Echo Request */

     ICMP6_ECHO_REPLY       = 129,  /* Echo Reply */

     ICMP6_ROUTER_SOL       = 133,  /* Router Advertisement */

     ICMP6_ROUTER_ADV       = 134,  /* Router Solicitation */

     ICMP6_NEIGHBOR_SOL     = 135,  /* Neighbor Solicitation */

     ICMP6_NEIGHBOR_ADV     = 136,  /* Neighbor Advertisement */

 };


 union NetAddr {

     struct {

         uint8_t padding[12]; /* Reserved, zero-filled by API */

         IpAddr v4;           /* IPv4 address */

     };

     struct Ip6Addr v6;       /* IPv6 address */

 };


 struct Flow {

     union NetAddr src_ip; /* Source address */

     union NetAddr dst_ip; /* Destination address */

     uint16_t src_port;    /* Source port */

     uint16_t dst_port;    /* Destination port */

     uint32_t padding;     /* Not used and zero-filled by API */

 };


 void packet_flow(Context ctx, struct Flow* info);


 void* packet_ether_header(Context ctx);


 uint16_t packet_network_proto(Context ctx);


 void* packet_network_header(Context ctx);


 uint8_t packet_transport_proto(Context ctx);


 void* packet_transport_header(Context ctx);


 void* packet_transport_payload(Context ctx, uint16_t* length);


 void set_packet_length(Context ctx, uint16_t length);


 void set_packet_offset(Context ctx, uint16_t offset);


 void set_packet_syncookie(Context ctx);


 void set_packet_mangled(Context ctx);


 void set_src_blacklisted(Context ctx, Time duration);


 void set_src_whitelisted(Context ctx, Time duration);


 typedef uint64_t TableKey;


 typedef uint64_t TableValue;


 struct TableRecord {

     TableValue value; /* User data */

     Time update_time; /* Update time maintained by the system */

     uint32_t padding; /* Reserved, not used by API */

 };


 Bool table_find(Context ctx, TableKey key, struct TableRecord* record);


 Bool table_get(Context ctx, TableKey key, struct TableRecord* record);


 Bool table_put(Context ctx, TableKey key, TableValue value);


 uint64_t table_size(Context ctx);


 struct TableExResult {

     bool found;          /* Indicates if the record has been found */

     uint8_t reserved[3]; /* Reserved, do not use */

     Time update_time;    /* Record update time maintained by the system */

 };


 #define TABLE_EX_KEY_SIZE 16


 #define TABLE_EX_VALUE_SIZE 8


 struct TableExResult

 table_ex_find(Context ctx, const void* key, const void* key_end,

         void* value, void* value_end);


 struct TableExResult

 table_ex_get(Context ctx, const void* key, const void* key_end,

         void* value, void* value_end);


 Bool table_ex_put(Context ctx, const void* key, const void* key_end,

         const void* value, const void* value_end);


 uint64_t table_ex_size(Context ctx);


 typedef uint32_t Cookie;


 Cookie cookie_make(Context ctx, const struct Flow* id);


 Bool cookie_check(Context ctx, const struct Flow* id, Cookie cookie);


 Cookie syncookie_make(Context ctx);


 Bool syncookie_check(Context ctx, uint32_t seqnum_offset, uint32_t acknum_offset);


 void set_packet_isn_syncookie(Context ctx);


 Bool isn_syncookie_check(Context ctx, uint32_t seqnum_offset,

         uint32_t acknum_offset);


 void isn_send_ack_packet(Context ctx);


 Bool bloom_check(Context ctx, uint64_t hash);


 void bloom_add(Context ctx, uint64_t hash);


 void bloom_reset(Context ctx);


 uint32_t hash_crc32_u32(uint32_t value, uint32_t init);


 uint32_t hash_crc32_u64(uint64_t value, uint32_t init);


 uint32_t hash_crc32_data(const void* data, const void* end, uint32_t init);


 uint64_t rand64(void);


 Time time_sec(Context ctx);


 LOCAL uint16_t

 bswap16(uint16_t value) {

     return __builtin_bswap16(value);

 }


 LOCAL uint32_t

 bswap32(uint32_t value) {

     return __builtin_bswap32(value);

 }


 LOCAL uint64_t

 bswap64(uint64_t value) {

     return __builtin_bswap64(value);

 }


 #define VLAN_ID_MASK 0x0fff


 LOCAL uint16_t

 vlan_get_id(const struct VlanHeader* vlan) {

     return bswap16(vlan->control) & VLAN_ID_MASK;

 }


 LOCAL void

 vlan_set_id(struct VlanHeader* vlan, uint16_t id) {

     uint16_t bits = vlan->control & ~bswap16(VLAN_ID_MASK);

     vlan->control = bswap16(bswap16(bits) | id);

 }


 STATIC_ASSERT(sizeof(struct EtherHeader) == 14);

 STATIC_ASSERT(sizeof(struct VlanHeader) == 4);

 STATIC_ASSERT(sizeof(struct IpHeader) == 20);

 STATIC_ASSERT(sizeof(struct Ip6Addr) == 16);

 STATIC_ASSERT(sizeof(struct Ip6Header) == 40);

 STATIC_ASSERT(sizeof(struct TcpHeader) == 20);

 STATIC_ASSERT(sizeof(struct UdpHeader) == 8);

 STATIC_ASSERT(sizeof(struct IcmpHeader) == 4);

 STATIC_ASSERT(sizeof(struct TableExResult) == 8);

 STATIC_ASSERT(sizeof(union NetAddr) == sizeof(struct Ip6Addr));


 #ifdef __cplusplus

 } // extern "C"

 } // namespace mitigator

 #endif

vlan_set_id
LOCAL void vlan_set_id(struct VlanHeader *vlan, uint16_t id)
Set VLAN ID in 802.1q header.
Definition: mitigator_bpf.h:1032

EtherType
EtherType
Ethernet frame type codes.
Definition: mitigator_bpf.h:241

packet_transport_proto
uint8_t packet_transport_proto(Context ctx)
Get packet transport protocol code, e.g. TCP, UDP, or ICMP.

table_ex_get
struct TableExResult table_ex_get(Context ctx, const void *key, const void *key_end, void *value, void *value_end)
Lookup value in the extended table by key and modify record update time.

TableValue
uint64_t TableValue
Definition: mitigator_bpf.h:697

Context
void * Context
Opaque filter context.
Definition: mitigator_bpf.h:160

bswap16
LOCAL uint16_t bswap16(uint16_t value)
Change byte order of a 16-bit value.
Definition: mitigator_bpf.h:999

table_ex_size
uint64_t table_ex_size(Context ctx)
Get number of records in the extended table.

IcmpType
IcmpType
ICMPv4 types.
Definition: mitigator_bpf.h:469

bloom_reset
void bloom_reset(Context ctx)
Reset bloom filter to the initial state.

hash_crc32_data
uint32_t hash_crc32_data(const void *data, const void *end, uint32_t init)
Compute CRC32 (Castagnoli) over [data; end).

Time
uint32_t Time
Definition: mitigator_bpf.h:196

set_packet_offset
void set_packet_offset(Context ctx, uint16_t offset)
Set number of bytes to strip from the beginning of transport payload.

packet_network_proto
uint16_t packet_network_proto(Context ctx)
Get packet network protocol code, e.g. IPv4.

Result
Result
Filter verdict.
Definition: mitigator_bpf.h:167

RESULT_LIMIT
@ RESULT_LIMIT
Definition: mitigator_bpf.h:175

RESULT_DROP
@ RESULT_DROP
Definition: mitigator_bpf.h:171

RESULT_SORB
@ RESULT_SORB
Definition: mitigator_bpf.h:181

RESULT_PASS
@ RESULT_PASS
Definition: mitigator_bpf.h:169

RESULT_BACK
@ RESULT_BACK
Definition: mitigator_bpf.h:173

vlan_get_id
LOCAL uint16_t vlan_get_id(const struct VlanHeader *vlan)
Get VLAN ID from 802.1q header.
Definition: mitigator_bpf.h:1019

LOCAL
#define LOCAL
Force the compiler to inline a local function.
Definition: mitigator_bpf.h:82

table_get
Bool table_get(Context ctx, TableKey key, struct TableRecord *record)
Lookup value in the basic table by key and modify record update time.

hash_crc32_u64
uint32_t hash_crc32_u64(uint64_t value, uint32_t init)
Compute CRC32 (Castagnoli) of a 64-bit value.

TcpOption
TcpOption
TCP option codes.
Definition: mitigator_bpf.h:441

IpProto
IpProto
IPv4 and IPv6 transport protocol codes.
Definition: mitigator_bpf.h:326

cookie_make
Cookie cookie_make(Context ctx, const struct Flow *id)
Make a generic cookie value based on random seed, current time, and flow fields that identify the cli...

TcpFlags
TcpFlags
TCP flags.
Definition: mitigator_bpf.h:422

syncookie_make
Cookie syncookie_make(Context ctx)
Make a cookie value for use as a sequence number in a SYN+ACK packet.

bswap64
LOCAL uint64_t bswap64(uint64_t value)
Change byte order of a 64-bit value.
Definition: mitigator_bpf.h:1011

set_packet_length
void set_packet_length(Context ctx, uint16_t length)
Set new packet transport payload length (max 1400).

table_size
uint64_t table_size(Context ctx)
Get number of records in the table.

IpAddr
uint32_t IpAddr
IPv4 address.
Definition: mitigator_bpf.h:249

table_ex_put
Bool table_ex_put(Context ctx, const void *key, const void *key_end, const void *value, const void *value_end)
Update value in the extended table, creating a new record if needed.

packet_transport_payload
void * packet_transport_payload(Context ctx, uint16_t *length)
Get packet transport payload for TCP or UDP.

isn_syncookie_check
Bool isn_syncookie_check(Context ctx, uint32_t seqnum_offset, uint32_t acknum_offset)
Check if packet is a TCP ACK carrying an ISN SYN cookie.

table_ex_find
struct TableExResult table_ex_find(Context ctx, const void *key, const void *key_end, void *value, void *value_end)
Lookup value in the extended table by key.

bswap32
LOCAL uint32_t bswap32(uint32_t value)
Change byte order of a 32-bit value.
Definition: mitigator_bpf.h:1005

rand64
uint64_t rand64(void)
Generate a pseudo-random, non cryptographically-secure value.

packet_ether_header
void * packet_ether_header(Context ctx)
Get packet Ethernet header.

hash_crc32_u32
uint32_t hash_crc32_u32(uint32_t value, uint32_t init)
Compute CRC32 (Castagnoli) of a 32-bit value.

Icmp6Type
Icmp6Type
ICMPv6 types.
Definition: mitigator_bpf.h:484

syncookie_check
Bool syncookie_check(Context ctx, uint32_t seqnum_offset, uint32_t acknum_offset)
Check if packet is a TCP ACK carrying a SYN cookie.

packet_transport_header
void * packet_transport_header(Context ctx)
Get packet transport header, e.g. TCP header.

cookie_check
Bool cookie_check(Context ctx, const struct Flow *id, Cookie cookie)
Check if a generic cookie matches the flow and has not expired.

set_packet_isn_syncookie
void set_packet_isn_syncookie(Context ctx)
Convert response packet to an empty TCP SYN+ACK with ISN syncookie.

set_src_blacklisted
void set_src_blacklisted(Context ctx, Time duration)
Add packet source address to temporary blacklist.

table_put
Bool table_put(Context ctx, TableKey key, TableValue value)
Update value in the basic table, creating a new record if needed.

parameters_get
const void * parameters_get(Context ctx)
Get a pointer to read-only program parameters.

bloom_check
Bool bloom_check(Context ctx, uint64_t hash)
Check if hash value is stored in the bloom filter.

packet_network_header
void * packet_network_header(Context ctx)
Get packet network header, e.g. IPv4 header.

bloom_add
void bloom_add(Context ctx, uint64_t hash)
Add hash value to the bloom filter.

time_sec
Time time_sec(Context ctx)
Get system time in seconds.

Bool
uint64_t Bool
ABI-safe, EBPF-friendly boolean type.
Definition: mitigator_bpf.h:189

isn_send_ack_packet
void isn_send_ack_packet(Context ctx)
Send ACK packet with ISN syncookie.

table_find
Bool table_find(Context ctx, TableKey key, struct TableRecord *record)
Lookup value in the basic table by key.

set_src_whitelisted
void set_src_whitelisted(Context ctx, Time duration)
Add packet source address to temporary whitelist.

TableKey
uint64_t TableKey
Definition: mitigator_bpf.h:690

set_packet_mangled
void set_packet_mangled(Context ctx)
Mark the packet as mangled by the program.

set_packet_syncookie
void set_packet_syncookie(Context ctx)
Convert response packet to an empty TCP SYN+ACK with syncookie.

packet_flow
void packet_flow(Context ctx, struct Flow *info)
Get packet flow information, including source and destination.

Cookie
uint32_t Cookie
Definition: mitigator_bpf.h:816

EtherAddr
Ethernet address (MAC address).
Definition: mitigator_bpf.h:209

EtherHeader
Ethernet header (802.1).
Definition: mitigator_bpf.h:218

Flow
Packet flow information.
Definition: mitigator_bpf.h:517

IcmpHeader
ICMP and ICMPv6 header.
Definition: mitigator_bpf.h:462

Ip6Addr
IPv6 address representation.
Definition: mitigator_bpf.h:289

Ip6Header
IPv6 header.
Definition: mitigator_bpf.h:312

IpHeader
IPv4 header.
Definition: mitigator_bpf.h:269

TableExResult
Result of a lookup in the extended table.
Definition: mitigator_bpf.h:763

TableRecord
Record in the program-wide table.
Definition: mitigator_bpf.h:711

TcpHeader
TCP header.
Definition: mitigator_bpf.h:381

UdpHeader
UDP header.
Definition: mitigator_bpf.h:354

VlanHeader
VLAN header (802.1q).
Definition: mitigator_bpf.h:232

NetAddr
Network address, either IPv4 or IPv6.
Definition: mitigator_bpf.h:498