From 8031d30ad259152c36dde89a6fe2060b1b909000 Mon Sep 17 00:00:00 2001
From: Vincent Li
Date: Tue, 23 Apr 2024 21:50:34 +0000
Subject: [PATCH] ddos init: add ratelimit

---
 langs/en/cgi-bin/en.pl | 2 ++
 langs/zh/cgi-bin/zh.pl | 2 ++
 src/initscripts/system/ddos | 15 +++++++++++++++
 3 files changed, 19 insertions(+)

diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 52ab7121f..bab4ee69f 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1519,6 +1519,8 @@
 'xdp enable' => 'Enable DDoS',
 'xdp tcp port' => 'TCP Ports',
 'xdp udp port' => 'UDP Ports',
+'xdp dns ratelimit' => 'DNS Ratelimit:',
+'xdp udp ratelimit' => 'UDP Ratelimit:',
 'xdp status' => 'XDP Program Status',
 'xdp interface' => 'Interface',
 'xdp prio' => 'Prio',
diff --git a/langs/zh/cgi-bin/zh.pl b/langs/zh/cgi-bin/zh.pl
index dd0754448..720e563be 100644
--- a/langs/zh/cgi-bin/zh.pl
+++ b/langs/zh/cgi-bin/zh.pl
@@ -1511,6 +1511,8 @@
 'xdp enable' => '启动XDP DDoS 分布式攻击防御功能',
 'xdp tcp port' => 'XDP DDoS 分布式攻击防御TCP端口',
 'xdp udp port' => 'XDP DDoS 分布式攻击防御UDP端口',
+'xdp dns ratelimit' => 'DNS 网络包每秒接收速率:',
+'xdp udp ratelimit' => 'UDP 网络包每秒接收速率:',
 'xdp status' => 'XDP 程序加载状态',
 'xdp interface' => '网络接口',
 'xdp prio' => '优先级',
diff --git a/src/initscripts/system/ddos b/src/initscripts/system/ddos
index 857ba539e..6fc18083a 100755
--- a/src/initscripts/system/ddos
+++ b/src/initscripts/system/ddos
@@ -133,6 +133,15 @@ unload_xdpdns () {
 fi
 }
 
+set_ratelimit () {
+ local rate=$1
+ local map=$2
+ hex=$(printf '%08x' "$rate") # Convert decimal to hexadecimal
+ bytes=$(echo "$hex" | fold -w2 | tac) # Split the hexadecimal into pairs of bytes and reverse the order
+ hex_le=$(echo "$bytes" | sed 's/^/0x/' | tr '\n' ' ') # Add prefix "0x" to each byte and concatenate them
+ bpftool map update name $map key hex 00 00 00 00 value $hex_le
+}
+
 tcp_ports="$(get_ports /var/ipfire/ddos/settings)"
 udp_ports="$(get_ports /var/ipfire/ddos/udp-ddos-settings)"
 
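Review bot: set_ratelimit hands $rate to `printf '%08x'` without checking that it is a number, and the exit status of the bpftool call at the end of the function is discarded, so a non-numeric or over-32-bit value read from the settings file either aborts the conversion or silently emits a value longer than the four bytes the `%08x` format is sized for, and a failed map update leaves no trace. hex, bytes and hex_le are also assigned without `local`, so they leak into the caller's scope, and $map is passed unquoted. I would validate the rate before converting, declare the temporaries local, quote $map, and return non-zero when bpftool fails; the `$hex_le` expansion must stay unquoted because the function relies on it splitting into one argument per byte, which deserves a comment rather than a silent shellcheck warning. The function is fully contained in this hunk; the en.pl and zh.pl hunks above are translation strings only.
```shell
set_ratelimit () {
	local rate="$1"
	local map="$2"
	local hex bytes hex_le

	# The conversion below yields exactly four bytes, so only an unsigned
	# integer that fits in 32 bits is acceptable; anything else would make
	# printf fail or produce a value of a different size.
	case "$rate" in
		''|*[!0-9]*) echo "set_ratelimit: invalid rate '$rate'" >&2; return 1 ;;
	esac
	if [ "$rate" -gt 4294967295 ]; then
		echo "set_ratelimit: rate '$rate' does not fit in 32 bits" >&2
		return 1
	fi
	# ... unchanged: hex / bytes / hex_le conversion ...
	# shellcheck disable=SC2086 -- hex_le is meant to split into one argument per byte
	bpftool map update name "$map" key hex 00 00 00 00 value $hex_le \
		|| { echo "set_ratelimit: map update failed for $map" >&2; return 1; }
}
```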
@@ -162,9 +171,15 @@ case "$1" in
 fi
 if [ "$ENABLE_UDP_DDOS" == "off" ]; then
 unload_xdpudp
+ if [ -n "$UDP_RATELIMIT" ]; then
+ set_ratelimit $UDP_RATELIMIT "xdp_udp.data"
+ fi
 fi
 if [ "$ENABLE_DNS_DDOS" == "off" ]; then
 unload_xdpdns
+ if [ -n "$DNS_RATELIMIT" ]; then
+ set_ratelimit $DNS_RATELIMIT "xdp_dnsr.data"
+ fi
 fi
 ;;
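Review bot: The two new `if [ -n ... ]` blocks run only when ENABLE_UDP_DDOS or ENABLE_DNS_DDOS is "off", directly after unload_xdpudp / unload_xdpdns, so the map update is issued for a program that has just been detached; unless unload_* leaves xdp_udp.data / xdp_dnsr.data pinned, bpftool will not find the map, and no limit is ever applied while protection is enabled. If the limit is meant to take effect whenever the program is loaded, both blocks belong after the corresponding load call, which is not in this hunk. The calls should also quote their argument, `set_ratelimit "$UDP_RATELIMIT" "xdp_udp.data"` and `set_ratelimit "$DNS_RATELIMIT" "xdp_dnsr.data"`, and since set_ratelimit's return status is dropped here, a failed update is silent as well. The enclosing case arm starts before this hunk.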