commit fa10708e3c87519f8e9c85cdff7a2bdd80dbd699 (HEAD -> main)
Author: Vincent Li <vincent.mc.li@gmail.com>
Date: Fri Oct 24 20:58:18 2025 -0700
tc-basic-classifier: allow port range for classification
Improve user space class_filter to add port range like:
./class_filter -i red0 --add-port "8080-8082:10:40mbit"
or
./class_filter -i red0 --add-port "8083:20:60mbit"
each port will still be added as individual entry in port map, so no
code change required in bpf side.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
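An added illustration (not the project's class_filter code) of how a `--add-port` spec with a range can be validated and expanded into one entry per port, as the commit above describes. The struct, the function names, the decimal class ID and its 16-bit bound are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One expanded entry; the key is a single port kept in host byte order. */
struct port_entry { uint16_t port; uint32_t classid; char rate[16]; };

static int is_digit(char c) { return c >= '0' && c <= '9'; }

/* Parse "PORT[-PORT]:CLASSID:RATE" and expand it into out[0..max-1].
 * Returns the number of entries written, or -1 on any malformed input. */
static int parse_port_spec(const char *spec, struct port_entry *out, int max)
{
    unsigned long lo, hi, classid;
    char *end;
    if (!spec || max < 1 || !is_digit(*spec))   /* strtoul would accept " +80" */
        return -1;
    lo = hi = strtoul(spec, &end, 10);
    if (*end == '-') {
        if (!is_digit(end[1]))
            return -1;
        hi = strtoul(end + 1, &end, 10);
    }
    /* The range test also rejects strtoul overflow (ULONG_MAX). */
    if (*end != ':' || lo < 1 || hi > 65535 || lo > hi || !is_digit(end[1]))
        return -1;
    classid = strtoul(end + 1, &end, 10);
    if (*end != ':' || classid < 1 || classid > 0xFFFF)  /* assumed bound */
        return -1;
    size_t rlen = strlen(end + 1);              /* rate text is kept opaque */
    if (rlen == 0 || rlen >= sizeof(out->rate) || hi - lo + 1 > (unsigned long)max)
        return -1;
    int n = 0;
    for (unsigned long p = lo; p <= hi; p++, n++) {
        out[n].port = (uint16_t)p;
        out[n].classid = (uint32_t)classid;
        memcpy(out[n].rate, end + 1, rlen + 1);
    }
    return n;
}

int main(void)
{
    struct port_entry e[8];
    int n = parse_port_spec("8080-8082:10:40mbit", e, 8);  /* spec from the commit */
    for (int i = 0; i < n; i++)
        printf("port %u class %u rate %s\n", e[i].port, (unsigned)e[i].classid, e[i].rate);
    return n == 3 ? 0 : 1;
}
```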
commit 5852f6184e3d129667df01011c4ecdf6df994266
Author: Vincent Li <vincent.mc.li@gmail.com>
Date: Wed Oct 22 19:41:05 2025 -0700
tc-basic-classifier: make tcp and udp port classification
make port classification for both UDP and TCP.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 0bda902c82c755bda1d5ba40d1404051de4e9102
Author: Vincent Li <vincent.mc.li@gmail.com>
Date: Tue Oct 21 19:28:15 2025 -0700
tc-basic-classifier: fix IP endianness and classification on red0
the IP in user space is stored in host order but the bpf program looks up the IP
by network order. also tested IP classification on green0 is not working. so
should do destination IP classification on red0 interface, and the
destination IP is going to be Internet destination IP addresses. need to
figure out how to do IP based classification on LAN/green0 network IPs
if required.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit ced17feca631f6963a2439f41ef09a7db048f316 (HEAD -> main)
Author: Vincent Li <vincent.mc.li@gmail.com>
Date: Mon Oct 20 21:28:17 2025 -0700
tc-basic-classifier: fix tcp port endianness bug by AI
AI generated class_filter program stored the tcp port in network order,
but in bpf program the tcp port is converted to host order, which results in
tcp port lookup failure, unable to get the correct classid, fail to do rate
classification.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
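An added illustration (not the project's code) of the two byte-order commits above: a map key only matches when user space stores it in the same byte order the lookup side uses, so the port key must be host order and the IPv4 key network order. The one-entry exact-match map, the function names and the sample address are assumptions; the project's real IP map may match on prefixes.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy one-entry stand-in for a BPF hash map: keys match on raw bytes only. */
struct slot { uint8_t key[4]; size_t klen; uint32_t classid; };

static void slot_set(struct slot *s, const void *k, size_t klen, uint32_t classid)
{
    memcpy(s->key, k, klen);
    s->klen = klen;
    s->classid = classid;
}

static uint32_t slot_get(const struct slot *s, const void *k, size_t klen)
{
    return (klen == s->klen && !memcmp(s->key, k, klen)) ? s->classid : 0;
}

/* Constructed samples: dport 8080 and 203.0.113.7 as they appear on the wire. */
static const uint8_t WIRE_PORT[2] = { 0x1F, 0x90 };
static const uint8_t WIRE_IP[4] = { 203, 0, 113, 7 };

/* Port path per the commit: the lookup side converts to host order first.
 * net != 0 stores the key in network order. Returns classid, 0 = miss. */
static uint32_t port_result(int net)
{
    struct slot s;
    uint16_t stored = net ? htons(8080) : 8080, wire, key;
    slot_set(&s, &stored, sizeof(stored), 10);
    memcpy(&wire, WIRE_PORT, sizeof(wire));
    key = ntohs(wire);
    return slot_get(&s, &key, sizeof(key));
}

/* IPv4 path per the commit: the lookup side uses the wire bytes unchanged. */
static uint32_t ip_result(int net)
{
    struct slot s;
    uint32_t stored = net ? htonl(0xCB007107u) : 0xCB007107u;
    slot_set(&s, &stored, sizeof(stored), 40);
    return slot_get(&s, WIRE_IP, sizeof(WIRE_IP));
}

int main(void)
{
    printf("port key host/net: %u/%u, ip key host/net: %u/%u\n",
           (unsigned)port_result(0), (unsigned)port_result(1),
           (unsigned)ip_result(0), (unsigned)ip_result(1));
    return 0;
}
```

On a little-endian host the mismatched orderings return 0, which is the lookup failure both commits describe.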
commit a18fe4be0374ab1efb21c1228a5c5790ded7636e
Author: Vincent Li <vincent.mc.li@gmail.com>
Date: Mon Oct 20 19:15:34 2025 -0700
tc-basic-classifier: classify port and IP from bpf map
add port and IP rate classification based on bpf map so user could
add or remove port/IP rate classification dynamically at run time
since TC class works on egress direction, so port rate classification
works on red0 egress, and IP rate classification works on green0 egress
port rate classification:
class_filter -a -b ./class_filter.bpf.o -i red0 -v
class_filter -i red0 --add-port 8080:10:80mbit
class_filter -i red0 --add-port 8081:20:40mbit
class_filter -i red0 --delete-port 8080
class_filter -i red0 --list-ports
IP rate classification:
class_filter -a -b ./class_filter.bpf.o -i green0 -v
class_filter -i red0 --add-ip 192.168.1.0/24:40:30mbit
class_filter -i red0 --delete-ip 192.168.1.0/24
class_filter -i red0 --list-ips
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 12280ef22ae49f75eda047144ed3e9dc0f73e04a
Author: Vincent Li <vincent.mc.li@gmail.com>
Date: Fri Oct 17 19:45:07 2025 -0700
tc-basic-classifier: add user space program
the bpf skel header is generated only if USER_TARGETS
is added in Makefile, so add a dummy user space program.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit fe5cc1814af4c995f61ec08708110deef7a65c45
Author: Vincent Li <vincent.mc.li@gmail.com>
Date: Fri Oct 17 19:28:45 2025 -0700
xdp-tools: rebase on upstream xdp-tools main branch
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 7dee7fd954c06a3c58bedbb5561b9ee65c3f749f
Author: Vincent Li <vincent.mc.li@gmail.com>
Date: Fri Oct 17 18:39:59 2025 -0700
tc-basic-classifier: rename the class filter
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
UDP DDoS has pattern of flooding game server with
random source IP and UDP with random payload. game
server UDP traffic requires certain payload
pattern, so this XDP program can serve as example
to stop UDP DDoS attack with UDP payload that does not
match game UDP traffic payload pattern.
without UDP DDoS protection, under DDoS attack:
BPFire UI RED Traffic: in 9xx Mbit/s.
with UDP DDoS protection, under DDoS attack:
BPFire UI RED Traffic: in 1xx Mbit/s.
Tested-by: Muhammad Haikal <eykalpirates@gmail.com>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
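An added user-space model (not the project's XDP program) of the payload check this commit describes: UDP datagrams to the game port are dropped unless the payload starts with the expected pattern. `GAME_PORT`, `GAME_MAGIC`, the function names and the choice to pass non-matching protocols are assumptions, since the page does not give the real port or pattern.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { PASS, DROP };

/* Hypothetical values: the page does not give the game's port or pattern. */
#define GAME_PORT 30000
static const uint8_t GAME_MAGIC[4] = { 'G', 'M', '0', '1' };

/* Like an XDP parser, every header read is preceded by a length check. */
static enum verdict udp_verdict(const uint8_t *p, size_t len)
{
    if (len < 14 + 20 || p[12] != 0x08 || p[13] != 0x00)
        return PASS;                    /* too short or not IPv4 */
    const uint8_t *ip = p + 14;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 17 || len < 14 + ihl + 8)
        return PASS;                    /* not UDP, or truncated headers */
    if ((((ip[6] & 0x1F) << 8) | ip[7]) != 0)
        return PASS;                    /* later fragment: no UDP header */
    const uint8_t *udp = ip + ihl;
    if (((udp[2] << 8) | udp[3]) != GAME_PORT)
        return PASS;                    /* other UDP services are untouched */
    if (len - 14 - ihl - 8 < sizeof(GAME_MAGIC))
        return DROP;                    /* too short to be game traffic */
    return memcmp(udp + 8, GAME_MAGIC, sizeof(GAME_MAGIC)) ? DROP : PASS;
}

/* Build a constructed Ethernet/IPv4/UDP frame (only the fields the check
 * reads are filled in); buf must hold 42 + n bytes. Returns the length. */
static size_t build_frame(uint8_t *buf, uint16_t dport, const void *pl, size_t n)
{
    memset(buf, 0, 42);
    buf[12] = 0x08;                     /* EtherType IPv4 (0x0800) */
    buf[14] = 0x45;                     /* version 4, IHL 5 */
    buf[23] = 17;                       /* protocol UDP */
    buf[36] = (uint8_t)(dport >> 8);    /* UDP destination port */
    buf[37] = (uint8_t)(dport & 0xFF);
    memcpy(buf + 42, pl, n);
    return 42 + n;
}

int main(void)
{
    uint8_t f[64];
    size_t n = build_frame(f, GAME_PORT, "\x9c\x11\x5e\x07zz", 6);
    printf("random payload -> %s\n", udp_verdict(f, n) == DROP ? "DROP" : "PASS");
    return 0;
}
```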
XDP generated SYNACK tcp options with window
scaling and timestamp could intermittently cause
small packet transmission on DDoS protected server.
allow user to disable window scaling when such
problem occurs. see [0]
[0]: https://github.com/vincentmli/xdp-tools/issues/7
Reported-by: DNSPROXY.ORG LLC <dnsproxyorg@gmail.com>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
When XDP DDoS syncookie program is attached
to red0 interface, green network client internet
connection to website like gmail/youtube... failed.
it is because these sites do not have IP DF flag
set for each tcp packet, and syncookie_xdp program
would drop these packets when they arrived at red0
interface.
see https://github.com/vincentmli/BPFire/issues/59
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
switch xdp_sni.bpf.o LPM trie map to hash map
to reduce code complexity and avoid verifier error
now need to add domain and its sub domain to hash
map to block each domain and its sub domain site.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
add XDP TLS SNI logging with bpf ringbuf
drop xdp_sni.bpf.o reverse_string due to
bpf verifier complaining program is too large.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
domain name in xdp_dns.bpf.o not reversed properly
resulting in domain name mismatch with domain inserted
from user space xdp_dns
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
XDP dns rate limit program has static tail call
which requires reverting xdp-tools commit:
(039bdea "xdp-loader: Only load the BPF program we need from object files")
XDP dns rate limit program also uses bpf_printk helper which is not
supported on FireBeeOS since kernel CONFIG_BPF_EVENTS which allows user
to do kprobe, uprobe, tracepoint is not enabled, so bpf_printk helper is
not available, so removed bpf_printk
see discussion in [0] xdp-loader load xdp program with bpf tail call result in Bad file descriptor(-9)
[0] https://github.com/xdp-project/xdp-tools/issues/377
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>