mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-09 18:45:54 +02:00
Add XDP SYNPROXY rules in raw and filter table
XDP SYNPROXY requires setting up iptables rule in raw table PREROUTING chain and filter table INPUT chain. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
This commit is contained in:
Vincent Li
@@ -42,6 +42,8 @@ my $CHAIN = $CHAIN_FORWARD;
|
||||
my $CHAIN_NAT_SOURCE = "NAT_SOURCE";
|
||||
my $CHAIN_NAT_DESTINATION = "NAT_DESTINATION";
|
||||
my $CHAIN_MANGLE_NAT_DESTINATION_FIX = "NAT_DESTINATION";
|
||||
my $CHAIN_INSYNPROXY = "INSYNPROXY";
|
||||
my $CHAIN_RAWSYNPROXY = "RAWSYNPROXY";
|
||||
my @VALID_CHAINS = ($CHAIN_INPUT, $CHAIN_FORWARD, $CHAIN_OUTPUT);
|
||||
my @ANY_ADDRESSES = ("0.0.0.0/0.0.0.0", "0.0.0.0/0", "0/0");
|
||||
|
||||
@@ -218,6 +220,8 @@ sub flush {
|
||||
run("$IPTABLES -F $CHAIN_INPUT");
|
||||
run("$IPTABLES -F $CHAIN_FORWARD");
|
||||
run("$IPTABLES -F $CHAIN_OUTPUT");
|
||||
run("$IPTABLES -F $CHAIN_INSYNPROXY");
|
||||
run("$IPTABLES -t raw -F $CHAIN_RAWSYNPROXY");
|
||||
run("$IPTABLES -t nat -F $CHAIN_NAT_SOURCE");
|
||||
run("$IPTABLES -t nat -F $CHAIN_NAT_DESTINATION");
|
||||
run("$IPTABLES -t mangle -F $CHAIN_MANGLE_NAT_DESTINATION_FIX");
|
||||
@@ -297,6 +301,12 @@ sub buildrules {
|
||||
$NAT_MODE = uc($$hash{$key}[31]);
|
||||
}
|
||||
|
||||
# Check if XDP SYNPROXY is turned on
|
||||
my $SYNPROXY;
|
||||
if(exists($$hash{$key}[37])) {
|
||||
$SYNPROXY = ($$hash{$key}[37] eq 'ON');
|
||||
}
|
||||
|
||||
# Set up time constraints.
|
||||
my @time_options = ();
|
||||
if ($$hash{$key}[18] eq 'ON') {
|
||||
@@ -608,6 +618,23 @@ sub buildrules {
|
||||
}
|
||||
run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options -j $target");
|
||||
|
||||
if ($SYNPROXY) {
|
||||
my $dport = &get_external_port($hash, $key);
|
||||
my @raw_options = ("-p", "tcp", "-m", "tcp", "--syn");
|
||||
my @in_options = ("-p", "tcp", "-m", "tcp");
|
||||
my @options = ("--sack-perm", "--timestamp", "--wscale", "7", "--mss", "1460");
|
||||
push(@raw_options, "--dport", "$dport");
|
||||
push(@in_options, "--dport", "$dport", "-m", "state", "--state", "INVALID,UNTRACKED");
|
||||
if ($LOG) {
|
||||
run("$IPTABLES -t raw -A $CHAIN_RAWSYNPROXY -i $RED_DEV @raw_options -j LOG --log-prefix '$CHAIN_RAWSYNPROXY '");
|
||||
}
|
||||
run("$IPTABLES -t raw -A $CHAIN_RAWSYNPROXY -i $RED_DEV @raw_options -j CT --notrack");
|
||||
if ($LOG) {
|
||||
run("$IPTABLES -A $CHAIN_INSYNPROXY -i $RED_DEV @in_options -j LOG --log-prefix '$CHAIN_RAWSYNPROXY ' @options");
|
||||
}
|
||||
run("$IPTABLES -A $CHAIN_INSYNPROXY -i $RED_DEV @in_options -j SYNPROXY @options");
|
||||
}
|
||||
|
||||
# Handle forwarding rules and add corresponding rules for firewall access.
|
||||
if ($chain eq $CHAIN_FORWARD) {
|
||||
# If the firewall is part of the destination subnet and access to the destination network
|
||||
@@ -945,6 +972,22 @@ sub get_dnat_target_port {
|
||||
}
|
||||
}
|
||||
|
||||
sub get_external_port {
|
||||
my $hash = shift;
|
||||
my $key = shift;
|
||||
|
||||
if ($$hash{$key}[14] eq "TGT_PORT") {
|
||||
my $port = $$hash{$key}[15];
|
||||
my $external_port = $$hash{$key}[30];
|
||||
|
||||
if ($external_port && ($port ne $external_port)) {
|
||||
return $external_port;
|
||||
} else {
|
||||
return $port;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
sub add_dnat_mangle_rules {
|
||||
my $nat_address = shift;
|
||||
my $interface = shift;
|
||||
|
||||
Reference in New Issue
Block a user