initscripts: add TCP DDoS XDP program init script

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2026-04-09 18:45:54 +02:00 · 2025-03-31 18:41:49 -07:00
parent 6aaec8d485
commit 245634dacd
5 changed files with 132 additions and 0 deletions
--- a/config/cfgroot/tcp-ddos-settings
+++ b/config/cfgroot/tcp-ddos-settings
@@ -0,0 +1,9 @@
+22=off
+ENABLE_TCP_DDOS=off
+25=off
+80=off
+53=off
+8080=off
+8090=off
+443=off
+5555=off
--- a/config/cfgroot/tcp_ports
+++ b/config/cfgroot/tcp_ports
@@ -0,0 +1,8 @@
+ssh              22/tcp     # The Secure Shell (SSH) Protocol
+smtp             25/tcp     # Simple Mail Transfer
+http             80/tcp     # World Wide Web HTTP
+https            443/tcp    # http protocol over TLS/SSL
+domain           53/tcp     # Domain Name Server
+httpalt         8080/tcp   # HTTP Alternate (see port 80)
+opsmessaging     8090/tcp   # Vehicle to station messaging
+userdefined     5555/tcp   # Vehicle to station messaging
--- a/config/rootfiles/common/loongarch64/initscripts
+++ b/config/rootfiles/common/loongarch64/initscripts
@@ -94,6 +94,7 @@ etc/rc.d/init.d/waitdrives
 etc/rc.d/init.d/wlanclient
 etc/rc.d/init.d/xdptailcall
 etc/rc.d/init.d/ddos
+etc/rc.d/init.d/tcp-ddos
 #etc/rc.d/rc0.d
 etc/rc.d/rc0.d/K01grub-btrfsd
 #etc/rc.d/rc0.d/K01imspetor
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -113,6 +113,8 @@ $(TARGET) :
 	cp $(DIR_SRC)/config/fwhosts/customservices             $(CONFIG_ROOT)/fwhosts/customservices.default
 	cp $(DIR_SRC)/config/cfgroot/xdptailcall-settings	$(CONFIG_ROOT)/xdptailcall/settings
 	cp $(DIR_SRC)/config/cfgroot/ddos-settings		$(CONFIG_ROOT)/ddos/settings
+	cp $(DIR_SRC)/config/cfgroot/tcp-ddos-settings		$(CONFIG_ROOT)/ddos/tcp-ddos-settings
+	cp $(DIR_SRC)/config/cfgroot/tcp_ports			$(CONFIG_ROOT)/ddos/tcp_ports
 	# Oneliner configfiles
 	echo  "ENABLED=off"		> $(CONFIG_ROOT)/vpn/settings
 	echo  "01"			> $(CONFIG_ROOT)/certs/serial
--- a/src/initscripts/system/tcp-ddos
+++ b/src/initscripts/system/tcp-ddos
@@ -0,0 +1,112 @@
+#!/bin/sh
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2007-2022  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2024-2025  BPFire <vincent.mc.li@gmail.com>                     #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
+. /etc/sysconfig/rc
+. $rc_functions
+
+eval $(/usr/local/bin/readhash /var/ipfire/ddos/tcp-ddos-settings)
+
+MSSOPTS="--mss4 1460 --mss6 1440"
+TTLOPTS="--ttl 64"
+WSCALE="--wscale 0"
+BPF_OBJECT_FILE="/usr/lib/bpf/xdp_synproxy.bpf.o"
+PROG_NAME="syncookie_xdp"
+MAP_PIN_PATH="/sys/fs/bpf/xdp-ddos/ddos_progs"
+KEY=0
+
+get_ports () {
+# Define an empty variable to store the output
+	local output=""
+	local ddos_port_file="$1"
+
+# Read the input file line by line
+	while IFS= read -r line; do
+		# Check if the line contains '=on'
+		if [[ "$line" == [0-9]*"=on" ]]; then
+			# Extract the service/port number
+			service=$(echo "$line" | cut -d'=' -f1)
+			# Append the service/port number to the output string
+			output="$output$service,"
+		fi
+	done < $ddos_port_file
+
+	# Remove the trailing comma from the output string
+	output="${output%,}"
+	echo $output
+}
+
+load_syncookie () {
+	sysctl -w net.ipv4.tcp_syncookies=1
+	sysctl -w net.ipv4.tcp_timestamps=1
+	sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
+	/usr/sbin/xdp_ddos add $BPF_OBJECT_FILE $PROG_NAME $MAP_PIN_PATH $KEY
+	if [ $? -eq 0 ]; then
+		prog_id=$(bpftool prog | grep syncookie_xdp | awk '{print $1}' | cut -d':' -f1)
+		xdp_synproxy --prog $prog_id $MSSOPTS $WSCALE $TTLOPTS --ports="$tcp_ports"
+	else
+		boot_mesg "Error to load $BPF_OBJECT_FILE"
+	fi
+}
+
+unload_syncookie () {
+	sysctl -w net.ipv4.tcp_syncookies=1
+	/usr/sbin/xdp_ddos del $MAP_PIN_PATH $KEY
+	if [ $? -eq 0 ]; then
+		boot_mesg "syncookie_xdp unloaded!"
+	else
+		boot_mesg "Error syncookie_xdp not unloaded!"
+	fi
+}
+
+tcp_ports="$(get_ports /var/ipfire/ddos/tcp-ddos-settings)"
+
+case "$1" in
+	start)
+		if [ ! -e /var/ipfire/red/active ]; then
+			boot_mesg " ERROR! Red0 interface not online!"
+			echo_warning
+			exit 1
+		fi
+		boot_mesg -n "Starting tcp ddos..."
+		if [ "$ENABLE_TCP_DDOS" == "on" ]; then
+			load_syncookie
+		fi
+		;;
+
+	stop)
+		boot_mesg "Stopping tcp ddos..."
+		if [ "$ENABLE_TCP_DDOS" == "off" ]; then
+			unload_syncookie
+		fi
+		;;
+
+	restart)
+		$0 stop
+		sleep 1
+		$0 start
+		;;
+
+	*)
+		echo "Usage: $0 {start|stop|restart}"
+		exit 1
+		;;
+esac