From fcdc42ea400cb11b77f14ee40f8fbd2f13fa5b75 Mon Sep 17 00:00:00 2001
From: Vincent Li
Date: Thu, 18 Apr 2024 02:29:27 +0000
Subject: [PATCH] ddos.cgi add DNS DDoS UI
Signed-off-by: Vincent Li
---
 config/cfgroot/dns-ddos-settings | 1 +
 html/cgi-bin/ddos.cgi | 51 ++++++++++++++++++++++++++++++++
 langs/en/cgi-bin/en.pl | 1 +
 lfs/configroot | 3 +-
 src/initscripts/system/ddos | 29 ++++++++++++++++++
 5 files changed, 84 insertions(+), 1 deletion(-)
 create mode 100644 config/cfgroot/dns-ddos-settings
diff --git a/config/cfgroot/dns-ddos-settings b/config/cfgroot/dns-ddos-settings
new file mode 100644
index 000000000..f40f8c8c4
--- /dev/null
+++ b/config/cfgroot/dns-ddos-settings
@@ -0,0 +1 @@
+ENABLE_DNS_DDOS=off
diff --git a/html/cgi-bin/ddos.cgi b/html/cgi-bin/ddos.cgi
index 4cd5a6dd7..ae3b211d4 100755
--- a/html/cgi-bin/ddos.cgi
+++ b/html/cgi-bin/ddos.cgi
@@ -37,6 +37,7 @@ my %color = ();
 my %mainsettings = ();
 my %ddossettings=();
 my %udpddossettings=();
+my %dnsddossettings=();
 my %checked=();
 my $errormessage='';
 my $counter = 0;
@@ -46,6 +47,7 @@ my $tcp_portfile = "${General::swroot}/ddos/tcp_ports";
 my $udp_portfile = "${General::swroot}/ddos/udp_ports";
 my $ddossettingfile = "${General::swroot}/ddos/settings";
 my $udpddossettingfile = "${General::swroot}/ddos/udp-ddos-settings";
+my $dnsddossettingfile = "${General::swroot}/ddos/dns-ddos-settings";
 &get_tcp_ports();
 &get_udp_ports();
@@ -59,8 +61,10 @@ my $udpddossettingfile = "${General::swroot}/ddos/udp-ddos-settings";
 $ddossettings{'ENABLE_DDOS'} = 'off';
 $udpddossettings{'ENABLE_UDP_DDOS'} = 'off';
+$dnsddossettings{'ENABLE_DNS_DDOS'} = 'off';
 $ddossettings{'ACTION'} = '';
 $udpddossettings{'UDP_ACTION'} = '';
+$udpddossettings{'DNS_ACTION'} = '';
 &Header::getcgihash(\%ddossettings);
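Review bot: The new default `$udpddossettings{'DNS_ACTION'} = '';` at the end of the `@@ -59,8` hunk lands in the UDP hash, while the sibling default two lines above goes into `%dnsddossettings` and the DNS save handler later in this patch also reads `DNS_ACTION` from the UDP hash; the DNS feature's keys should live in one hash, `$dnsddossettings{'DNS_ACTION'} = '';`. Whether getcgihash copies every request parameter into each hash (which would mask the mix-up at runtime) is not visible here, but the UDP pattern this hunk mirrors keeps each feature's action key in its own hash. The statement run continues past the end of the hunk.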
@@ -122,6 +126,25 @@ if ($udpddossettings{'UDP_ACTION'} eq $Lang::tr{'save'})
 }
+&Header::getcgihash(\%dnsddossettings);
+
+if ($udpddossettings{'DNS_ACTION'} eq $Lang::tr{'save'})
+{
+
+ &General::writehash("$dnsddossettingfile", \%dnsddossettings);
+
+ if ($dnsddossettings{'ENABLE_DNS_DDOS'} eq 'on') {
+ &General::log($Lang::tr{'ddos is enabled'});
+ &General::system('/usr/bin/touch', "${General::swroot}/ddos/enableddos");
+ &General::system('/usr/local/bin/ddosctrl', 'start');
+ } else {
+ &General::log($Lang::tr{'ddos is disabled'});
+ &General::system('/usr/local/bin/ddosctrl', 'stop');
+ unlink "${General::swroot}/ddos/enableddos";
+ }
+
+}
+
 &Header::openpage($Lang::tr{'ebpf xdp ddos'}, 1, '');
 &Header::openbigbox('100%', 'left', '', $errormessage);
@@ -242,6 +265,34 @@ END
 &Header::closebox();
+print "\n";
+#
+# Read configuration file.
+&General::readhash("$dnsddossettingfile", \%dnsddossettings);
+
+# Checkbox pre-selection.
+my $dns_checked;
+if ($dnsddossettings{'ENABLE_DNS_DDOS'} eq "on") {
+ $dns_checked = "checked='checked'";
+}
+
+# Print box to enable/disable locationblock.
+print"
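Review bot: The save handler in the `@@ -122,6` hunk writes the whole `%dnsddossettings` hash, freshly filled by `getcgihash` from the request, to the settings file without validating `ENABLE_DNS_DDOS`, and that file is later `eval`'d through readhash in the init script hunk of this same patch; as far as this hunk shows, any extra or malformed request key reaches that eval with readhash as the only filter. Validating and persisting only the expected key removes that dependency: `my %dns_cfg = (ENABLE_DNS_DDOS => ($dnsddossettings{'ENABLE_DNS_DDOS'} eq 'on') ? 'on' : 'off'); &General::writehash("$dnsddossettingfile", \%dns_cfg);`. The condition also tests `$udpddossettings{'DNS_ACTION'}` although the request was just parsed into `%dnsddossettings`, so the DNS key should be read from the DNS hash. On disable the branch runs `ddosctrl stop` and unlinks the shared `enableddos` flag, which presumably also governs the TCP/UDP filters configured above this hunk, so a DNS-only disable may clear it while those are still on — worth confirming against the existing handlers.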
\n";
+&Header::openbox('100%', 'center', $Lang::tr{'xdp dns'});
+print < + + $Lang::tr{'xdp enable'} + + + + +
+END
+
+&Header::closebox();
+
 print "\n";
 # Read configuration file.
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 8e4fc9a4f..52ab7121f 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1515,6 +1515,7 @@
 'ebpf xdp ddos system' => 'eBPF XDP DDoS Protection System',
 'xdp tcp' => 'XDP TCP',
 'xdp udp' => 'XDP UDP',
+'xdp dns' => 'XDP DNS',
 'xdp enable' => 'Enable DDoS',
 'xdp tcp port' => 'TCP Ports',
 'xdp udp port' => 'UDP Ports',
diff --git a/lfs/configroot b/lfs/configroot
index 06c02752a..c2394bff3 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -68,7 +68,7 @@ $(TARGET) :
 fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservicegrp fwhosts/customlocationgrp fwlogs/ipsettings fwlogs/portsettings ipblocklist/modified \
 ipblocklist/settings mac/settings main/hosts main/routing main/security main/settings optionsfw/settings \
 ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
- ppp/settings-5 ppp/settings proxy/settings proxy/squid.conf proxy/advanced/settings proxy/advanced/cre/enable remote/settings ddos/settings ddos/tcp_ports ddos/udp-ddos-settings ddos/udp_ports qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \
+ ppp/settings-5 ppp/settings proxy/settings proxy/squid.conf proxy/advanced/settings proxy/advanced/cre/enable remote/settings ddos/settings ddos/tcp_ports ddos/udp-ddos-settings ddos/udp_ports ddos/dns-ddos-settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \
 qos/tosconfig suricata/settings vpn/config vpn/settings vpn/ipsec.conf \
 vpn/ipsec.secrets vpn/caconfig wakeonlan/clients.conf wireless/config wireless/settings; do \
 touch $(CONFIG_ROOT)/$$i; \
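Review bot: The comment `# Print box to enable/disable locationblock.` at the end of the `@@ -242,6` hunk was carried over from another page and names the wrong feature; it should describe this box, e.g. `# Print box to enable/disable the XDP DNS DDoS filter.`. The `&General::readhash` call re-reads the settings file that the save handler earlier in the page may have just written, so the checkbox reflects on-disk state rather than the request — fine, but worth a one-line comment so nobody "optimises" it away. The heredoc body between `print <` and `END` is garbled in this rendering, so the form fields it posts (including the hidden action field the save handler keys on) cannot be checked here.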
@@ -102,6 +102,7 @@ $(TARGET) :
 cp $(DIR_SRC)/config/cfgroot/tcp_ports $(CONFIG_ROOT)/ddos/tcp_ports
 cp $(DIR_SRC)/config/cfgroot/udp-ddos-settings $(CONFIG_ROOT)/ddos/udp-ddos-settings
 cp $(DIR_SRC)/config/cfgroot/udp_ports $(CONFIG_ROOT)/ddos/udp_ports
+ cp $(DIR_SRC)/config/cfgroot/dns-ddos-settings $(CONFIG_ROOT)/ddos/dns-ddos-settings
 cp $(DIR_SRC)/config/cfgroot/time-settings $(CONFIG_ROOT)/time/settings
 cp $(DIR_SRC)/config/cfgroot/logging-settings $(CONFIG_ROOT)/logging/settings
 cp $(DIR_SRC)/config/cfgroot/ethernet-vlans $(CONFIG_ROOT)/ethernet/vlans
diff --git a/src/initscripts/system/ddos b/src/initscripts/system/ddos
index 7e58aa627..857ba539e 100755
--- a/src/initscripts/system/ddos
+++ b/src/initscripts/system/ddos
@@ -25,6 +25,7 @@ eval $(/usr/local/bin/readhash /var/ipfire/ddos/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/ddos/udp-ddos-settings)
+eval $(/usr/local/bin/readhash /var/ipfire/ddos/dns-ddos-settings)
 get_ports () {
 # Define an empty variable to store the output
@@ -88,6 +89,17 @@ load_xdpudp () {
 fi
 }
+load_xdpdns () {
+ /usr/sbin/xdp-loader status red0 | grep 'xdp_dns'
+ if [ $? -ne 0 ]; then
+ xdp-loader load red0 -P 80 -p /sys/fs/bpf/xdp-dns -n xdp_dns /usr/lib/bpf/xdp_dnsrrl.bpf.o
+ if [ $? -ge 1 ]; then
+ boot_mesg "Native mode not supported, try SKB"
+ xdp-loader load red0 -m skb -P 80 -p /sys/fs/bpf/xdp-dns -n xdp_dns /usr/lib/bpf/xdp_dnsrrl.bpf.o
+ fi
+ fi
+}
+
 unload_syncookie () {
 sysctl -w net.ipv4.tcp_syncookies=1
 /usr/sbin/xdp-loader status red0 | grep 'syncookie_xdp'
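Review bot: In `load_xdpdns` (the `@@ -88,6` hunk) a failed SKB fallback is silent — if the second `xdp-loader load` also fails nothing is logged and `start` carries on as if the DNS filter were attached, so the UI reports it enabled while no program is loaded on red0. The status check also runs `grep` without `-q`, printing the matching status line on every start, and both load calls invoke `xdp-loader` by bare name while the status call uses `/usr/sbin/xdp-loader`; a root init script should not depend on PATH for the privileged call. A `boot_mesg` on the final failure and consistent absolute paths fix both, and the priority `-P 80` deserves a comment stating how it is meant to order against the TCP/UDP programs, which is not visible in this hunk.
```shell
load_xdpdns () {
	/usr/sbin/xdp-loader status red0 | grep -q 'xdp_dns' && return 0
	/usr/sbin/xdp-loader load red0 -P 80 -p /sys/fs/bpf/xdp-dns -n xdp_dns /usr/lib/bpf/xdp_dnsrrl.bpf.o && return 0
	boot_mesg "Native mode not supported, try SKB"
	/usr/sbin/xdp-loader load red0 -m skb -P 80 -p /sys/fs/bpf/xdp-dns -n xdp_dns /usr/lib/bpf/xdp_dnsrrl.bpf.o \
		|| boot_mesg "Error: failed to load xdp_dns on red0"
}
```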
@@ -110,6 +122,17 @@ unload_xdpudp () {
 fi
 }
+unload_xdpdns () {
+ /usr/sbin/xdp-loader status red0 | grep 'xdp_dns'
+ if [ $? -eq 0 ]; then
+ prog_id=$(xdp-loader status red0 | grep 'xdp_dns' | awk '{print $4}')
+ /usr/sbin/xdp-loader unload -i $prog_id red0
+ /bin/rm -rf /sys/fs/bpf/xdp-dns
+ else
+ boot_mesg "Error xdp_dns not loaded!"
+ fi
+}
+
 tcp_ports="$(get_ports /var/ipfire/ddos/settings)"
 udp_ports="$(get_ports /var/ipfire/ddos/udp-ddos-settings)"
@@ -127,6 +150,9 @@ case "$1" in
 if [ "$ENABLE_UDP_DDOS" == "on" ]; then
 load_xdpudp
 fi
+ if [ "$ENABLE_DNS_DDOS" == "on" ]; then
+ load_xdpdns
+ fi
 ;;
 stop)
@@ -137,6 +163,9 @@ case "$1" in
 if [ "$ENABLE_UDP_DDOS" == "off" ]; then
 unload_xdpudp
 fi
+ if [ "$ENABLE_DNS_DDOS" == "off" ]; then
+ unload_xdpdns
+ fi
 ;;
 restart)
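Review bot: `unload_xdpdns` (the `@@ -110,6` hunk) expands `$prog_id` unquoted and derives it from a substring `grep 'xdp_dns'` over the status output, so if more than one line matches, or the column layout differs from what `awk '{print $4}'` assumes, `unload -i` receives several or wrong ids; `/bin/rm -rf /sys/fs/bpf/xdp-dns` then drops the pinned maps regardless of whether the unload succeeded, leaving an attached program without its pins. Quote the id, match the program name as a whole word, and only remove the pins after a successful unload: `prog_id=$(/usr/sbin/xdp-loader status red0 | grep -w 'xdp_dns' | awk '{print $4; exit}')` followed by `/usr/sbin/xdp-loader unload -i "$prog_id" red0 && /bin/rm -rf /sys/fs/bpf/xdp-dns`. The status output format is not shown here, so the column index still needs checking, and the existing unload functions appear to follow the same pattern, so the fix may belong there as well.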