ddos.cgi add UDP DDoS WebUI

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>

config/cfgroot/udp-ddos-settings

@@ -0,0 +1,5 @@
+53=off
+ENABLE_UDP_DDOS=off
+5060=off
+5061=off
+10408=off

config/cfgroot/udp_ports

@@ -0,0 +1,5 @@
+domain           53/udp     # Domain Name Server
+game1           10408/udp   # Domain Name Server
+sip		5060/udp    # Voice over Internet
+siptls		5061/udp    # Voice over Internet TLS
+

html/cgi-bin/ddos.cgi

@@ -3,7 +3,7 @@
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
 # Copyright (C) 2007-2020  IPFire Team  <info@ipfire.org>                     #
-# Copyright (C) 2024  FireBeeOS <vincent.mc.li@gmail.com>                     #
+# Copyright (C) 2024  BPFire <vincent.mc.li@gmail.com>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -36,14 +36,19 @@ require "${General::swroot}/header.pl";
 my %color = ();
 my %mainsettings = ();
 my %ddossettings=();
+my %udpddossettings=();
 my %checked=();
 my $errormessage='';
 my $counter = 0;
 my %tcp_ports=();
-my $portfile = "${General::swroot}/ddos/tcp_ports";
+my %udp_ports=();
+my $tcp_portfile = "${General::swroot}/ddos/tcp_ports";
+my $udp_portfile = "${General::swroot}/ddos/udp_ports";
 my $ddossettingfile = "${General::swroot}/ddos/settings";
+my $udpddossettingfile = "${General::swroot}/ddos/udp-ddos-settings";
 
 &get_tcp_ports();
+&get_udp_ports();
 
 # Read configuration file.
 
@@ -53,7 +58,10 @@ my $ddossettingfile = "${General::swroot}/ddos/settings";
 &Header::showhttpheaders();
 
 $ddossettings{'ENABLE_DDOS'} = 'off';
+$udpddossettings{'ENABLE_UDP_DDOS'} = 'off';
 $ddossettings{'ACTION'} = '';
+$udpddossettings{'UDP_ACTION'} = '';
+
 &Header::getcgihash(\%ddossettings);
 
 if ($ddossettings{'ACTION'} eq $Lang::tr{'save'})
@@ -84,17 +92,38 @@ if ($ddossettings{'ACTION'} eq $Lang::tr{'save'})
 
 }
 
-# Read configuration file.
+&Header::getcgihash(\%udpddossettings);
-&General::readhash("$ddossettingfile", \%ddossettings);
+
+if ($udpddossettings{'UDP_ACTION'} eq $Lang::tr{'save'})
+{
+
+        # Loop through our locations array to prevent from
+        # non existing countries or code.
+        foreach my $p (values %udp_ports) {
+                # Check if blocking for this country should be enabled/disabled.
+                if (exists $udpddossettings{$p}) {
+                        $udpddossettings{$p} = "on";
+                } else {
+                        $udpddossettings{$p} = "off";
+                }
+        }
+
+	&General::writehash("$udpddossettingfile", \%udpddossettings);
+
+	if ($udpddossettings{'ENABLE_UDP_DDOS'} eq 'on') {
+		&General::log($Lang::tr{'ddos is enabled'});
+		&General::system('/usr/bin/touch', "${General::swroot}/ddos/enableddos");
+		&General::system('/usr/local/bin/ddosctrl', 'start');
+	} else {
+		&General::log($Lang::tr{'ddos is disabled'});
+		&General::system('/usr/local/bin/ddosctrl', 'stop');
+		unlink "${General::swroot}/ddos/enableddos";
+	}
+
+}
 
 &Header::openpage($Lang::tr{'ebpf xdp ddos'}, 1, '');
 
-# Checkbox pre-selection.
-my $checked;
-if ($ddossettings{'ENABLE_DDOS'} eq "on") {
-        $checked = "checked='checked'";
-}
-
 &Header::openbigbox('100%', 'left', '', $errormessage);
 
 if ($errormessage) {
@@ -103,10 +132,19 @@ if ($errormessage) {
 	&Header::closebox();
 }
 
+# Read configuration file.
+&General::readhash("$ddossettingfile", \%ddossettings);
+
+# Checkbox pre-selection.
+my $checked;
+if ($ddossettings{'ENABLE_DDOS'} eq "on") {
+        $checked = "checked='checked'";
+}
+
 # Print box to enable/disable locationblock.
 print"<form method='POST' action='$ENV{'SCRIPT_NAME'}'>\n";
 
-&Header::openbox('100%', 'center', $Lang::tr{'xdp'});
+&Header::openbox('100%', 'center', $Lang::tr{'xdp tcp'});
 print <<END;
         <table width='95%'>
                 <tr>
@@ -120,7 +158,7 @@ END
 
 &Header::closebox();
 
-&Header::openbox('100%', 'center', $Lang::tr{'xdp port'});
+&Header::openbox('100%', 'center', $Lang::tr{'xdp tcp port'});
 print <<END;
 
 <table width='95%' class='tbl' id="countries">
@@ -206,6 +244,116 @@ END
 
 print "</form>\n";
 
+# Read configuration file.
+&General::readhash("$udpddossettingfile", \%udpddossettings);
+
+# Checkbox pre-selection.
+my $udp_checked;
+if ($udpddossettings{'ENABLE_UDP_DDOS'} eq "on") {
+        $udp_checked = "checked='checked'";
+}
+
+# Print box to enable/disable locationblock.
+print"<form method='POST' action='$ENV{'SCRIPT_NAME'}'>\n";
+
+&Header::openbox('100%', 'center', $Lang::tr{'xdp udp'});
+print <<END;
+        <table width='95%'>
+                <tr>
+                        <td width='50%' class='base'>$Lang::tr{'xdp enable'}
+                        <td><input type='checkbox' name='ENABLE_UDP_DDOS' $udp_checked></td>
+                        <td align='center'><input type='submit' name='UDP_ACTION' value='$Lang::tr{'save'}'></td>
+                </tr>
+        </table>
+
+END
+
+&Header::closebox();
+
+&Header::openbox('100%', 'center', $Lang::tr{'xdp udp port'});
+print <<END;
+
+<table width='95%' class='tbl' id="countries">
+        <tr>
+                <td width='5%' align='center' bgcolor='$color{'color20'}'></td>
+                <td width='5%' align='center' bgcolor='$color{'color20'}'>
+                        <b>$Lang::tr{'port'}</b>
+                </td>
+                <td with='35%' align='left' bgcolor='$color{'color20'}'>
+                        <b>$Lang::tr{'service'}</b>
+                </td>
+
+                <td width='5%' bgcolor='$color{'color20'}'>&nbsp;</td>
+
+                <td width='5%' align='center' bgcolor='$color{'color20'}'></td>
+                <td width='5%' align='center' bgcolor='$color{'color20'}'>
+                        <b>$Lang::tr{'port'}</b>
+                </td>
+                <td with='35%' align='left' bgcolor='$color{'color20'}'>
+                        <b>$Lang::tr{'service'}</b>
+                </td>
+
+        </tr>
+END
+
+my $udp_lines;
+my $udp_lines2;
+my $udp_col;
+
+# Sort output based on hash value port number
+for my $service ( sort { $udp_ports{$a} cmp $udp_ports{$b} }
+    keys %udp_ports )
+{
+        my $port = $udp_ports{$service};
+
+        # Checkbox pre-selection.
+        my $checked;
+        if ($udpddossettings{$port} eq "on") {
+                $checked = "checked='checked'";
+        }
+
+        # Colour lines.
+        if ($udp_lines % 2) {
+                $col="bgcolor='$color{'color20'}'";
+        } else {
+                $col="bgcolor='$color{'color22'}'";
+        }
+
+        # Grouping elements.
+        my $line_start;
+        my $line_end;
+        if ($udp_lines2 % 2) {
+                # Increase lines (background color by once.
+                $lines++;
+
+                # Add empty column in front.
+                $line_start="<td $udp_col>&nbsp;</td>";
+
+                # When the line number can be diveded by "2",
+                # we are going to close the line.
+                $line_end="</tr>";
+        } else {
+                # When the line number is  not divideable by "2",
+                # we are starting a new line.
+                $line_start="<tr>";
+                $line_end;
+        }
+
+        print "$line_start<td align='center' $udp_col><input type='checkbox' name='$port' $checked></td>\n";
+        print "<td align='center' $udp_col>$port</td>\n";
+        print "<td align='left' $udp_col>$service</td>$line_end\n";
+
+$udp_lines2++;
+}
+print <<END;
+</table>
+
+END
+
+&Header::closebox();
+
+print "</form>\n";
+
 &Header::openbox('100%', 'center', $Lang::tr{'xdp status'});
 
 print <<END;
@@ -250,7 +398,8 @@ print "</tbody>\n</table>\n";
 
 sub get_tcp_ports()
 {
-	open(my $fh, '<', $portfile) or die "Unable to open file: $!";
+	my $fh;
+	open($fh, '<', $tcp_portfile) or die "Unable to open file: $!";
 	while (my $line = <$fh>) {
 		chomp $line;
 		next if $line =~ /^\s*#/; # Skip comments
@@ -262,6 +411,21 @@ sub get_tcp_ports()
 	close($fh);
 }
 
+sub get_udp_ports()
+{
+	my $fh;
+	open($fh, '<', $udp_portfile) or die "Unable to open file: $!";
+	while (my $line = <$fh>) {
+		chomp $line;
+		next if $line =~ /^\s*#/; # Skip comments
+		my ($service, $port) = $line =~ /^(\w+)\s+(\d+)\/udp/;
+		if ($service && $port) {
+			$udp_ports{$service} = $port;
+		}
+	}
+	close($fh);
+}
+
 sub printxdp()
 {
 	# print active SSH logins (grep outpout of "who -s")

langs/en/cgi-bin/en.pl

@@ -1513,9 +1513,11 @@
 'intrusion prevention system' => 'Intrusion Prevention System',
 'ebpf xdp ddos' => 'eBPF XDP DDoS Protection',
 'ebpf xdp ddos system' => 'eBPF XDP DDoS Protection System',
-'xdp' => 'XDP',
+'xdp tcp' => 'XDP TCP',
-'xdp enable' => 'Enable XDP DDoS Feature',
+'xdp udp' => 'XDP UDP',
-'xdp port' => 'XDP DDoS Protected TCP Ports',
+'xdp enable' => 'Enable DDoS',
+'xdp tcp port' => 'TCP Ports',
+'xdp udp port' => 'UDP Ports',
 'xdp status' => 'XDP Program Status',
 'xdp interface' => 'Interface',
 'xdp prio' => 'Prio',

lfs/configroot

@@ -68,7 +68,7 @@ $(TARGET) :
 	    fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservicegrp fwhosts/customlocationgrp fwlogs/ipsettings fwlogs/portsettings ipblocklist/modified \
 	    ipblocklist/settings mac/settings main/hosts main/routing main/security main/settings optionsfw/settings \
 	    ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
-	    ppp/settings-5 ppp/settings proxy/settings proxy/squid.conf proxy/advanced/settings proxy/advanced/cre/enable remote/settings ddos/settings ddos/tcp_ports qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \
+	    ppp/settings-5 ppp/settings proxy/settings proxy/squid.conf proxy/advanced/settings proxy/advanced/cre/enable remote/settings ddos/settings ddos/tcp_ports ddos/udp-ddos-settings ddos/udp_ports qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \
 	    qos/tosconfig suricata/settings vpn/config vpn/settings vpn/ipsec.conf \
 	    vpn/ipsec.secrets vpn/caconfig wakeonlan/clients.conf wireless/config wireless/settings; do \
 	    touch $(CONFIG_ROOT)/$$i; \
@@ -100,6 +100,8 @@ $(TARGET) :
 	cp $(DIR_SRC)/config/cfgroot/ssh-settings		$(CONFIG_ROOT)/remote/settings
 	cp $(DIR_SRC)/config/cfgroot/ddos-settings		$(CONFIG_ROOT)/ddos/settings
 	cp $(DIR_SRC)/config/cfgroot/tcp_ports			$(CONFIG_ROOT)/ddos/tcp_ports
+	cp $(DIR_SRC)/config/cfgroot/udp-ddos-settings		$(CONFIG_ROOT)/ddos/udp-ddos-settings
+	cp $(DIR_SRC)/config/cfgroot/udp_ports			$(CONFIG_ROOT)/ddos/udp_ports
 	cp $(DIR_SRC)/config/cfgroot/time-settings		$(CONFIG_ROOT)/time/settings
 	cp $(DIR_SRC)/config/cfgroot/logging-settings		$(CONFIG_ROOT)/logging/settings
 	cp $(DIR_SRC)/config/cfgroot/ethernet-vlans		$(CONFIG_ROOT)/ethernet/vlans

src/initscripts/system/ddos

@@ -28,6 +28,7 @@ eval $(/usr/local/bin/readhash /var/ipfire/ddos/settings)
 get_ports () {
 # Define an empty variable to store the output
 	local output=""
+	local ddos_port_file="$1"
 
 # Read the input file line by line
 	while IFS= read -r line; do
@@ -38,38 +39,38 @@ get_ports () {
 			# Append the service/port number to the output string
 			output="$output$service,"
 		fi
-	done < /var/ipfire/ddos/settings
+	done < $ddos_port_file
 
 	# Remove the trailing comma from the output string
 	output="${output%,}"
 	echo $output
 }
 
-ports="$(get_ports)"
+tcp_ports="$(get_ports /var/ipfire/ddos/settings)"
 
 case "$1" in
 	start)
 		boot_mesg -n "Starting ddos..."
-		if [ -e /var/ipfire/red/active ]; then
+		if [ "$ENABLE_DDOS" == "on" ]; then
-			boot_mesg ""
+			if [ -e /var/ipfire/red/active ]; then
-			sysctl -w net.ipv4.tcp_syncookies=2
+				sysctl -w net.ipv4.tcp_syncookies=2
-			sysctl -w net.ipv4.tcp_timestamps=1
+				sysctl -w net.ipv4.tcp_timestamps=1
-			sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
+				sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
-			/usr/sbin/xdp-loader status red0 | grep 'syncookie_xdp'
+				/usr/sbin/xdp-loader status red0 | grep 'syncookie_xdp'
-			if [ $? -eq 0 ]; then
+				if [ $? -eq 0 ]; then
-				prog_id=$(xdp-loader status red0 | grep 'syncookie_xdp' | awk '{print $4}')
+					prog_id=$(xdp-loader status red0 | grep 'syncookie_xdp' | awk '{print $4}')
-				xdp_synproxy --prog $prog_id --ports="$ports"
+					xdp_synproxy --prog $prog_id --ports="$tcp_ports"
+				else
+					xdp-loader load red0 -m skb /usr/lib/bpf/xdp_synproxy.bpf.o
+					evaluate_retval
+					prog_id=$(/usr/sbin/xdp-loader status red0 | grep 'syncookie_xdp' | awk '{print $4}')
+					xdp_synproxy --prog $prog_id --ports="$tcp_ports"
+				fi
 			else
-				xdp-loader load red0 -m skb /usr/lib/bpf/xdp_synproxy.bpf.o
+				boot_mesg " ERROR! Red0 interface not online!"
-				evaluate_retval
+				echo_warning
-				prog_id=$(/usr/sbin/xdp-loader status red0 | grep 'syncookie_xdp' | awk '{print $4}')
-				xdp_synproxy --prog $prog_id --ports="$ports"
 			fi
-		else
-			boot_mesg " ERROR! Red0 interface not online!"
-			echo_warning
 		fi
-
 		;;
 
 	stop)