ebpf: add XDP Syncookie program

Add XDP Syncookie program to enable Suricata
in af-packet IDS mode to stop host from SYN
flooding attack.

Signed-off-by: Vincent Li <[email protected]>

ebpf/Makefile.am

@@ -1,5 +1,5 @@
 EXTRA_DIST= include bypass_filter.c filter.c lb.c vlan_filter.c xdp_filter.c \
-	    xdp_lb.c hash_func01.h
+	    xdp_lb.c xdp_synproxy_kern.c hash_func01.h
 
 if BUILD_EBPF
 
@@ -12,6 +12,7 @@ BPF_TARGETS += bypass_filter.bpf
 BPF_TARGETS += xdp_filter.bpf
 BPF_TARGETS += xdp_lb.bpf
 BPF_TARGETS += vlan_filter.bpf
+BPF_TARGETS += xdp_synproxy_kern.bpf
 
 all: $(BPF_TARGETS)
 
@@ -21,6 +22,9 @@ $(BPF_TARGETS): %.bpf: %.c
 	${CLANG} -Wall $(BPF_CFLAGS) -O2 -g \
 		-I/usr/include/$(build_cpu)-$(build_os)/ \
 		-D__KERNEL__ -D__ASM_SYSREG_H \
+		-Wno-unused-value \
+		-Wno-pointer-sign \
+		-Wno-compare-distinct-pointer-types \
 		-target bpf -S -emit-llvm $< -o ${@:.bpf=.ll}
 #      From LLVM-IR to BPF-bytecode in ELF-obj file
 	${LLC} -march=bpf -filetype=obj ${@:.bpf=.ll} -o $@

ebpf/include/vmlinux/vmlinux_common.h

@@ -0,0 +1,33 @@
+#ifndef __VMLINUX_COMMON_H__
+#define __VMLINUX_COMMON_H__
+
+enum {
+	false = 0,
+	true = 1,
+};
+
+typedef _Bool bool;
+
+struct list_head {
+	struct list_head *next;
+	struct list_head *prev;
+};
+
+struct rb_node {
+	long unsigned int __rb_parent_color;
+	struct rb_node *rb_right;
+	struct rb_node *rb_left;
+};
+
+typedef struct {
+	int counter;
+} atomic_t;
+
+struct refcount_struct {
+	atomic_t refs;
+};
+
+typedef struct refcount_struct refcount_t;
+
+
+#endif /* __VMLINUX_COMMON_H__ */

ebpf/include/vmlinux/vmlinux_net.h

@@ -0,0 +1,148 @@
+#ifndef __VMLINUX_NET_H__
+#define __VMLINUX_NET_H__
+
+typedef __u32 __wsum;
+
+typedef unsigned int sk_buff_data_t; // Assumes 64-bit. FIXME see below
+/*
+// BITS_PER_LONG can be wrong with -target bpf
+#if BITS_PER_LONG > 32
+#define NET_SKBUFF_DATA_USES_OFFSET 1
+#endif
+
+#ifdef NET_SKBUFF_DATA_USES_OFFSET
+typedef unsigned int sk_buff_data_t;
+#else
+typedef unsigned char *sk_buff_data_t;
+#endif
+*/
+
+struct sk_buff {
+	union {
+		struct {
+			struct sk_buff *next;
+			struct sk_buff *prev;
+			union {
+				struct net_device *dev;
+				long unsigned int dev_scratch;
+			};
+		};
+		struct rb_node rbnode;
+		struct list_head list;
+	};
+	union {
+		struct sock *sk;
+		int ip_defrag_offset;
+	};
+	union {
+		ktime_t tstamp;
+		u64 skb_mstamp_ns;
+	};
+	char cb[48];
+	union {
+		struct {
+			long unsigned int _skb_refdst;
+			void (*destructor)(struct sk_buff *);
+		};
+		struct list_head tcp_tsorted_anchor;
+	};
+	long unsigned int _nfct;
+	unsigned int len;
+	unsigned int data_len;
+	__u16 mac_len;
+	__u16 hdr_len;
+	__u16 queue_mapping;
+	__u8 __cloned_offset[0];
+	__u8 cloned: 1;
+	__u8 nohdr: 1;
+	__u8 fclone: 2;
+	__u8 peeked: 1;
+	__u8 head_frag: 1;
+	__u8 pfmemalloc: 1;
+	__u8 active_extensions;
+	__u32 headers_start[0];
+	__u8 __pkt_type_offset[0];
+	__u8 pkt_type: 3;
+	__u8 ignore_df: 1;
+	__u8 nf_trace: 1;
+	__u8 ip_summed: 2;
+	__u8 ooo_okay: 1;
+	__u8 l4_hash: 1;
+	__u8 sw_hash: 1;
+	__u8 wifi_acked_valid: 1;
+	__u8 wifi_acked: 1;
+	__u8 no_fcs: 1;
+	__u8 encapsulation: 1;
+	__u8 encap_hdr_csum: 1;
+	__u8 csum_valid: 1;
+	__u8 __pkt_vlan_present_offset[0];
+	__u8 vlan_present: 1;
+	__u8 csum_complete_sw: 1;
+	__u8 csum_level: 2;
+	__u8 csum_not_inet: 1;
+	__u8 dst_pending_confirm: 1;
+	__u8 ndisc_nodetype: 2;
+	__u8 ipvs_property: 1;
+	__u8 inner_protocol_type: 1;
+	__u8 remcsum_offload: 1;
+	__u8 offload_fwd_mark: 1;
+	__u8 offload_l3_fwd_mark: 1;
+	__u8 tc_skip_classify: 1;
+	__u8 tc_at_ingress: 1;
+	__u8 redirected: 1;
+	__u8 from_ingress: 1;
+	__u8 decrypted: 1;
+	__u16 tc_index;
+	union {
+		__wsum csum;
+		struct {
+			__u16 csum_start;
+			__u16 csum_offset;
+		};
+	};
+	__u32 priority;
+	int skb_iif;
+	__u32 hash;
+	__be16 vlan_proto;
+	__u16 vlan_tci;
+	union {
+		unsigned int napi_id;
+		unsigned int sender_cpu;
+	};
+	__u32 secmark;
+	union {
+		__u32 mark;
+		__u32 reserved_tailroom;
+	};
+	union {
+		__be16 inner_protocol;
+		__u8 inner_ipproto;
+	};
+	__u16 inner_transport_header;
+	__u16 inner_network_header;
+	__u16 inner_mac_header;
+	__be16 protocol;
+	__u16 transport_header;
+	__u16 network_header;
+	__u16 mac_header;
+	__u32 headers_end[0];
+	sk_buff_data_t tail;
+	sk_buff_data_t end;
+	unsigned char *head;
+	unsigned char *data;
+	unsigned int truesize;
+	refcount_t users;
+	struct skb_ext *extensions;
+};
+
+struct nf_conn {
+	unsigned long status;
+};
+
+enum ip_conntrack_status {
+	/* Connection is confirmed: originating packet has left box */
+	IPS_CONFIRMED_BIT = 3,
+	IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
+};
+
+#endif /* __VMLINUX_NET_H__ */

ebpf/include/vmlinux/vmlinux_types.h

@@ -0,0 +1,14 @@
+#ifndef __VMLINUX_TYPES_H__
+#define __VMLINUX_TYPES_H__
+
+typedef __u8 u8;
+typedef __s16 s16;
+typedef __u16 u16;
+typedef __s32 s32;
+typedef __u32 u32;
+typedef __s64 s64;
+typedef __u64 u64;
+
+typedef s64 ktime_t;
+
+#endif /* __VMLINUX_TYPES_H__ */

ebpf/include/vmlinux_local.h

@@ -0,0 +1,27 @@
+/*
+ * WARNING: This file shadow vmlinux.h that you can generate yourself
+ *
+ * Cmdline to generate vmlinux.h
+ *  bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h
+ *
+ * This vmlinux.h shadow contains kernel headers reduced to that were
+ * needed in this project.
+ */
+#ifndef __VMLINUX_H__
+#define __VMLINUX_H__
+
+#include <linux/types.h> /* Needed for __uNN in vmlinux/vmlinux_types.h */
+
+#ifndef BPF_NO_PRESERVE_ACCESS_INDEX
+#pragma clang attribute push (__attribute__((preserve_access_index)), apply_to = record)
+#endif
+
+#include "vmlinux/vmlinux_types.h"
+#include "vmlinux/vmlinux_common.h"
+#include "vmlinux/vmlinux_net.h"
+
+#ifndef BPF_NO_PRESERVE_ACCESS_INDEX
+#pragma clang attribute pop
+#endif
+
+#endif /* __VMLINUX_H__ */