mitigator_bpf.h

Go to the documentation of this file.

/* SPDX-License-Identifier: BSD-3-Clause
 * Copyright (c) 2022 BIFIT Mitigator Team <info@mitigator.ru>
 */
#pragma once
 
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
 
#define ENTRYPOINT_SECTION "filter_v2"
 
#define SECTION(name) __attribute__((section(name), used))
 
#ifdef __cplusplus
#define STATIC_ASSERT(x) static_assert(x, "")
#else
#define STATIC_ASSERT(x) _Static_assert(x, "")
#endif
 
#define PROGRAM_DISPLAY_ID(id) \
    SECTION("meta.display_id") \
    static const char _mitigator_meta_program_id[] = id;
 
#define ENTRYPOINT SECTION(ENTRYPOINT_SECTION)
 
#define LOCAL static inline __attribute__((always_inline))
 
#define PACKED __attribute__((packed))
 
#if defined(__clang__)
#define UNROLL _Pragma("unroll")
#else
#define UNROLL
#endif
 
#define MAX_PAYLOAD_LENGTH 1536
 
#define MAX_PARAMETERS_LENGTH 1024
 
#ifdef __cplusplus
namespace mitigator {
extern "C" {
#endif
 
typedef void* Context;
 
enum Result {
    RESULT_PASS,
    RESULT_DROP,
    RESULT_BACK,
    RESULT_LIMIT,
    RESULT_SORB
};
 
typedef uint64_t Bool;
 
typedef uint32_t Time;
 
const void* parameters_get(Context ctx);
 
struct EtherAddr {
    uint8_t u8[6];
};
 
struct EtherHeader {
    struct EtherAddr ether_dhost; /* Destination host MAC address */
    struct EtherAddr ether_shost; /* Source host MAC address */
    uint16_t ether_type;          /* Next protocol ID (big-endian) */
};
 
struct VlanHeader {
    uint16_t control; /* Tag Control Information (big-endian) */
    uint16_t type;    /* Next protocol ID (big-endian) */
};
 
enum EtherType {
    ETHER_TYPE_IP    = 0x0800, /* Internet Protocol version 4 */
    ETHER_TYPE_ARP   = 0x0806, /* Address Resolution Protocol */
    ETHER_TYPE_8021Q = 0x8100, /* IEEE 802.1q (VLAN) */
    ETHER_TYPE_IP6   = 0x86DD  /* Internet Protocol version 6 */
};
 
typedef uint32_t IpAddr;
 
struct IpHeader {
    uint32_t ip_hl : 4; /* 0     header length         */
    uint32_t ip_v  : 4; /*       version == 4          */
    uint8_t ip_tos;     /* 1     type of service       */
    uint16_t ip_len;    /* 2-3   total length          */
    uint16_t ip_id;     /* 4-5   packet ID             */
    uint16_t ip_off;    /* 6-7   fragmentation offset  */
    uint8_t ip_ttl;     /* 8     time to live          */
    uint8_t ip_p;       /* 9     protocol ID           */
    uint16_t ip_sum;    /* 10-11 header checksum       */
    uint32_t ip_src;    /* 12-15 source address        */
    uint32_t ip_dst;    /* 16-19 destination address   */
};
 
struct Ip6Addr {
    uint8_t u8[16];
};
 
struct Ip6Header {
    uint32_t ip6_vfc;       /* Version, traffic class, flow label */
    uint16_t ip6_plen;      /* Payload length */
    uint8_t ip6_next;       /* Next header */
    uint8_t ip6_hoplim;     /* Hop limit */
    struct Ip6Addr ip6_src; /* Source address */
    struct Ip6Addr ip6_dst; /* Destination address */
};
 
enum IpProto {
    IP_PROTO_ICMP = 1,
    IP_PROTO_TCP = 6,
    IP_PROTO_UDP = 17,
    IP_PROTO_IPV6 = 41,
    IP_PROTO_ICMPV6 = 58,
};
 
struct UdpHeader {
    uint16_t uh_sport; /* 0-1   source port      */
    uint16_t uh_dport; /* 2-3   destination port */
    uint16_t uh_ulen;  /* 4-5   UDP length       */
    uint16_t uh_sum;   /* 6-7   checksum         */
};
 
struct TcpHeader {
    uint16_t th_sport;       /* 0-1   source port             */
    uint16_t th_dport;       /* 2-3   destination port        */
    uint32_t th_seq;         /* 4-7   sequence number         */
    uint32_t th_ack;         /* 8-11  acknowledgement number  */
    uint32_t th_flags2 : 4;  /* 12    more flags              */
    uint32_t th_off    : 4;  /*       data offset in words    */
    uint8_t th_flags;        /* 13    flags                   */
    uint16_t th_win;         /* 14-15 window                  */
    uint16_t th_sum;         /* 16-17 checksum                */
    uint16_t th_urp;         /* 18-19 urgent pointer          */
};
 
enum TcpFlags {
    TCP_FLAG_FIN = 0x01,
    TCP_FLAG_SYN = 0x02,
    TCP_FLAG_RST = 0x04,
    TCP_FLAG_PUSH = 0x08,
    TCP_FLAG_ACK = 0x10,
    TCP_FLAG_URG = 0x20,
    TCP_FLAG_ECE = 0x40,
    TCP_FLAG_CWR = 0x80
};
 
enum TcpOption {
    TCP_OPT_EOL = 0,       /* End of Option List */
    TCP_OPT_NOP = 1,       /* No option (used for padding) */
    TCP_OPT_MAXSEG = 2,    /* Maximum segment size (MSS) */
    TCP_OPT_WSCALE = 3,    /* Window scaling factor */
    TCP_OPT_SACK_PERM = 4, /* Selective acknowledgement permitted */
    TCP_OPT_SACK = 5,      /* Selective acknowledgement */
    TCP_OPT_TIMESTAMPS = 8 /* Timestamps */
};
 
struct IcmpHeader {
    uint8_t icmp_type;   /* 0    ICMP type */
    uint8_t icmp_code;   /* 1    ICMP code */
    uint16_t icmp_cksum; /* 2-3  checksum  */
};
 
enum IcmpType {
    ICMP_ECHO_REPLY        = 0,    /* Echo Reply Message */
    ICMP_DEST_UNREACHABLE  = 3,    /* Destination Unreachable */
    ICMP_SOURCE_QUENCH     = 4,    /* Source Quench */
    ICMP_REDIRECT          = 5,    /* Redirect */
    ICMP_ECHO              = 8,    /* Echo Message */
    ICMP_TIME_EXCEEDED     = 11,   /* Time Exceeded */
    ICMP_PARAM_PROBLEM     = 12,   /* Parameter Problem */
    ICMP_TIMESTAMP_REQUEST = 13,   /* Timestamp Request */
    ICMP_TIMESTAMP_REPLY   = 14,   /* Timestamp Reply */
    ICMP_INFO_REQUEST      = 15,   /* Information Request */
    ICMP_INFO_REPLY        = 16,   /* Information Reply */
};
 
enum Icmp6Type {
    ICMP6_DEST_UNREACHABLE = 1,    /* Destination Unreachable */
    ICMP6_PKT_TOO_BIG      = 2,    /* Packet Too Big */
    ICMP6_TIME_EXCEEDED    = 3,    /* Time Exceeded */
    ICMP6_PARAM_PROBLEM    = 4,    /* Parameter Problem */
    ICMP6_ECHO_REQUEST     = 128,  /* Echo Request */
    ICMP6_ECHO_REPLY       = 129,  /* Echo Reply */
    ICMP6_ROUTER_SOL       = 133,  /* Router Advertisement */
    ICMP6_ROUTER_ADV       = 134,  /* Router Solicitation */
    ICMP6_NEIGHBOR_SOL     = 135,  /* Neighbor Solicitation */
    ICMP6_NEIGHBOR_ADV     = 136,  /* Neighbor Advertisement */
};
 
union NetAddr {
    struct {
        uint8_t padding[12]; /* Reserved, zero-filled by API */
        IpAddr v4;           /* IPv4 address */
    };
    struct Ip6Addr v6;       /* IPv6 address */
};
 
struct Flow {
    union NetAddr src_ip; /* Source address */
    union NetAddr dst_ip; /* Destination address */
    uint16_t src_port;    /* Source port */
    uint16_t dst_port;    /* Destination port */
    uint32_t padding;     /* Not used and zero-filled by API */
};
 
void packet_flow(Context ctx, struct Flow* info);
 
void* packet_ether_header(Context ctx);
 
uint16_t packet_network_proto(Context ctx);
 
void* packet_network_header(Context ctx);
 
uint8_t packet_transport_proto(Context ctx);
 
void* packet_transport_header(Context ctx);
 
void* packet_transport_payload(Context ctx, uint16_t* length);
 
void set_packet_length(Context ctx, uint16_t length);
 
void set_packet_offset(Context ctx, uint16_t offset);
 
void set_packet_syncookie(Context ctx);
 
void set_packet_mangled(Context ctx);
 
void set_src_blacklisted(Context ctx, Time duration);
 
void set_src_whitelisted(Context ctx, Time duration);
 
typedef uint64_t TableKey;
 
typedef uint64_t TableValue;
 
struct TableRecord {
    TableValue value; /* User data */
    Time update_time; /* Update time maintained by the system */
    uint32_t padding; /* Reserved, not used by API */
};
 
Bool table_find(Context ctx, TableKey key, struct TableRecord* record);
 
Bool table_get(Context ctx, TableKey key, struct TableRecord* record);
 
Bool table_put(Context ctx, TableKey key, TableValue value);
 
uint64_t table_size(Context ctx);
 
struct TableExResult {
    bool found;          /* Indicates if the record has been found */
    uint8_t reserved[3]; /* Reserved, do not use */
    Time update_time;    /* Record update time maintained by the system */
};
 
#define TABLE_EX_KEY_SIZE 16
 
#define TABLE_EX_VALUE_SIZE 8
 
struct TableExResult
table_ex_find(Context ctx, const void* key, const void* key_end,
        void* value, void* value_end);
 
struct TableExResult
table_ex_get(Context ctx, const void* key, const void* key_end,
        void* value, void* value_end);
 
Bool table_ex_put(Context ctx, const void* key, const void* key_end,
        const void* value, const void* value_end);
 
uint64_t table_ex_size(Context ctx);
 
typedef uint32_t Cookie;
 
Cookie cookie_make(Context ctx, const struct Flow* id);
 
Bool cookie_check(Context ctx, const struct Flow* id, Cookie cookie);
 
Cookie syncookie_make(Context ctx);
 
Bool syncookie_check(Context ctx, uint32_t seqnum_offset, uint32_t acknum_offset);
 
void set_packet_isn_syncookie(Context ctx);
 
Bool isn_syncookie_check(Context ctx, uint32_t seqnum_offset,
        uint32_t acknum_offset);
 
void isn_send_ack_packet(Context ctx);
 
Bool bloom_check(Context ctx, uint64_t hash);
 
void bloom_add(Context ctx, uint64_t hash);
 
void bloom_reset(Context ctx);
 
uint32_t hash_crc32_u32(uint32_t value, uint32_t init);
 
uint32_t hash_crc32_u64(uint64_t value, uint32_t init);
 
uint32_t hash_crc32_data(const void* data, const void* end, uint32_t init);
 
uint64_t rand64(void);
 
Time time_sec(Context ctx);
 
LOCAL uint16_t
bswap16(uint16_t value) {
    return __builtin_bswap16(value);
}
 
LOCAL uint32_t
bswap32(uint32_t value) {
    return __builtin_bswap32(value);
}
 
LOCAL uint64_t
bswap64(uint64_t value) {
    return __builtin_bswap64(value);
}
 
#define VLAN_ID_MASK 0x0fff
 
LOCAL uint16_t
vlan_get_id(const struct VlanHeader* vlan) {
    return bswap16(vlan->control) & VLAN_ID_MASK;
}
 
LOCAL void
vlan_set_id(struct VlanHeader* vlan, uint16_t id) {
    uint16_t bits = vlan->control & ~bswap16(VLAN_ID_MASK);
    vlan->control = bswap16(bswap16(bits) | id);
}
 
STATIC_ASSERT(sizeof(struct EtherHeader) == 14);
STATIC_ASSERT(sizeof(struct VlanHeader) == 4);
STATIC_ASSERT(sizeof(struct IpHeader) == 20);
STATIC_ASSERT(sizeof(struct Ip6Addr) == 16);
STATIC_ASSERT(sizeof(struct Ip6Header) == 40);
STATIC_ASSERT(sizeof(struct TcpHeader) == 20);
STATIC_ASSERT(sizeof(struct UdpHeader) == 8);
STATIC_ASSERT(sizeof(struct IcmpHeader) == 4);
STATIC_ASSERT(sizeof(struct TableExResult) == 8);
STATIC_ASSERT(sizeof(union NetAddr) == sizeof(struct Ip6Addr));
 
#ifdef __cplusplus
} // extern "C"
} // namespace mitigator
#endif