refacto?

Author: adgaultier

oryx-ebpf/src/main.rs

@@ -33,6 +33,9 @@ static TRANSPORT_FILTERS: Array<u32> = Array::with_max_entries(8, 0);
 #[map]
 static LINK_FILTERS: Array<u32> = Array::with_max_entries(8, 0);
 
+#[map]
+static TRAFFIC_DIRECTION_FILTERS: Array<u32> = Array::with_max_entries(2, 0);
+
 #[map]
 static BLOCKLIST_IPV6: HashMap<u128, [u16; MAX_RULES_PORT]> =
     HashMap::<u128, [u16; MAX_RULES_PORT]>::with_max_entries(MAX_FIREWALL_RULES, 0);
@@ -56,6 +59,7 @@ fn submit(packet: RawPacket) {
         buf.submit(0);
     }
 }
+
 #[inline]
 fn ptr_at<T>(ctx: &TcContext, offset: usize) -> Result<*const T, ()> {
     let start = ctx.data();
@@ -70,12 +74,26 @@ fn ptr_at<T>(ctx: &TcContext, offset: usize) -> Result<*const T, ()> {
 }
 
 #[inline]
-fn filter_for_ipv4_address(
-    addr: u32,
-    port: u16,
-    blocked_ports_map: &HashMap<u32, [u16; 32]>,
-) -> bool {
-    if let Some(blocked_ports) = unsafe { blocked_ports_map.get(&addr) } {
+fn filter_direction() -> bool {
+    // 0(default) -> false(send to tui), 1 -> true(filter)
+    if let Some(v) = TRAFFIC_DIRECTION_FILTERS.get(0) {
+        return *v != 0;
+    }
+    false
+}
+
+#[inline]
+fn is_ingress() -> bool {
+    // 0(default) -> true(is ingress),  1 -> false (is egress)
+    if let Some(v) = TRAFFIC_DIRECTION_FILTERS.get(1) {
+        return *v == 0;
+    }
+    true
+}
+
+#[inline]
+fn block_ipv4(addr: u32, port: u16) -> bool {
+    if let Some(blocked_ports) = unsafe { BLOCKLIST_IPV4.get(&addr) } {
         for (idx, blocked_port) in blocked_ports.iter().enumerate() {
             if *blocked_port == 0 {
                 if idx == 0 {
@@ -92,12 +110,8 @@ fn filter_for_ipv4_address(
 }
 
 #[inline]
-fn filter_for_ipv6_address(
-    addr: u128,
-    port: u16,
-    blocked_ports_map: &HashMap<u128, [u16; 32]>,
-) -> bool {
-    if let Some(blocked_ports) = unsafe { blocked_ports_map.get(&addr) } {
+fn block_ipv6(addr: u128, port: u16) -> bool {
+    if let Some(blocked_ports) = unsafe { BLOCKLIST_IPV6.get(&addr) } {
         for (idx, blocked_port) in blocked_ports.iter().enumerate() {
             if *blocked_port == 0 {
                 if idx == 0 {
@@ -142,44 +156,53 @@ fn process(ctx: TcContext) -> Result<i32, ()> {
     match ethhdr.ether_type {
         EtherType::Ipv4 => {
             let header: Ipv4Hdr = ctx.load(EthHdr::LEN).map_err(|_| ())?;
-            let src_addr = u32::from_be(header.src_addr);
-            let dst_addr = u32::from_be(header.dst_addr);
+
+            let addr = if is_ingress() {
+                u32::from_be(header.src_addr)
+            } else {
+                u32::from_be(header.dst_addr)
+            };
 
             match header.proto {
                 IpProto::Tcp => {
                     let tcphdr: *const TcpHdr = ptr_at(&ctx, EthHdr::LEN + Ipv4Hdr::LEN)?;
-                    let src_port = u16::from_be(unsafe { (*tcphdr).source });
-                    let dst_port = u16::from_be(unsafe { (*tcphdr).dest });
+                    let port = if is_ingress() {
+                        u16::from_be(unsafe { (*tcphdr).source })
+                    } else {
+                        u16::from_be(unsafe { (*tcphdr).dest })
+                    };
 
-                    if filter_for_ipv4_address(src_addr, src_port, &BLOCKLIST_IPV4)
-                        || filter_for_ipv4_address(dst_addr, dst_port, &BLOCKLIST_IPV4)
-                    {
+                    if block_ipv4(addr, port) {
                         return Ok(TC_ACT_SHOT);
                     }
 
                     if filter_packet(Protocol::Network(NetworkProtocol::Ipv4))
                         || filter_packet(Protocol::Transport(TransportProtocol::TCP))
+                        || filter_direction()
                     {
                         return Ok(TC_ACT_PIPE); //DONT FWD PACKET TO TUI
                     }
+
                     submit(RawPacket::Ip(
                         IpHdr::V4(header),
                         ProtoHdr::Tcp(unsafe { *tcphdr }),
                     ));
                 }
                 IpProto::Udp => {
                     let udphdr: *const UdpHdr = ptr_at(&ctx, EthHdr::LEN + Ipv4Hdr::LEN)?;
-                    let src_port = u16::from_be(unsafe { (*udphdr).source });
-                    let dst_port = u16::from_be(unsafe { (*udphdr).dest });
+                    let port = if is_ingress() {
+                        u16::from_be(unsafe { (*udphdr).source })
+                    } else {
+                        u16::from_be(unsafe { (*udphdr).dest })
+                    };
 
-                    if filter_for_ipv4_address(src_addr, src_port, &BLOCKLIST_IPV4)
-                        || filter_for_ipv4_address(dst_addr, dst_port, &BLOCKLIST_IPV4)
-                    {
+                    if block_ipv4(addr, port) {
                         return Ok(TC_ACT_SHOT);
                     }
 
                     if filter_packet(Protocol::Network(NetworkProtocol::Ipv4))
                         || filter_packet(Protocol::Transport(TransportProtocol::UDP))
+                        || filter_direction()
                     {
                         return Ok(TC_ACT_PIPE);
                     }
@@ -204,22 +227,28 @@ fn process(ctx: TcContext) -> Result<i32, ()> {
         }
         EtherType::Ipv6 => {
             let header: Ipv6Hdr = ctx.load(EthHdr::LEN).map_err(|_| ())?;
-            let src_addr = header.src_addr().to_bits();
-            let dst_addr = header.dst_addr().to_bits();
+            let addr = if is_ingress() {
+                header.src_addr().to_bits()
+            } else {
+                header.dst_addr().to_bits()
+            };
 
             match header.next_hdr {
                 IpProto::Tcp => {
                     let tcphdr: *const TcpHdr = ptr_at(&ctx, EthHdr::LEN + Ipv6Hdr::LEN)?;
-                    let src_port = u16::from_be(unsafe { (*tcphdr).source });
-                    let dst_port = u16::from_be(unsafe { (*tcphdr).dest });
+                    let port = if is_ingress() {
+                        u16::from_be(unsafe { (*tcphdr).source })
+                    } else {
+                        u16::from_be(unsafe { (*tcphdr).dest })
+                    };
 
-                    if filter_for_ipv6_address(src_addr, src_port, &BLOCKLIST_IPV6)
-                        || filter_for_ipv6_address(dst_addr, dst_port, &BLOCKLIST_IPV6)
-                    {
+                    if block_ipv6(addr, port) {
                         return Ok(TC_ACT_SHOT);
                     }
+
                     if filter_packet(Protocol::Network(NetworkProtocol::Ipv6))
                         || filter_packet(Protocol::Transport(TransportProtocol::TCP))
+                        || filter_direction()
                     {
                         return Ok(TC_ACT_PIPE); //DONT FWD PACKET TO TUI
                     }
@@ -230,16 +259,19 @@ fn process(ctx: TcContext) -> Result<i32, ()> {
                 }
                 IpProto::Udp => {
                     let udphdr: *const UdpHdr = ptr_at(&ctx, EthHdr::LEN + Ipv6Hdr::LEN)?;
-                    let src_port = u16::from_be(unsafe { (*udphdr).source });
-                    let dst_port = u16::from_be(unsafe { (*udphdr).dest });
+                    let port = if is_ingress() {
+                        u16::from_be(unsafe { (*udphdr).source })
+                    } else {
+                        u16::from_be(unsafe { (*udphdr).dest })
+                    };
 
-                    if filter_for_ipv6_address(src_addr, src_port, &BLOCKLIST_IPV6)
-                        || filter_for_ipv6_address(dst_addr, dst_port, &BLOCKLIST_IPV6)
-                    {
+                    if block_ipv6(addr, port) {
                         return Ok(TC_ACT_SHOT);
                     }
+
                     if filter_packet(Protocol::Network(NetworkProtocol::Ipv6))
                         || filter_packet(Protocol::Transport(TransportProtocol::UDP))
+                        || filter_direction()
                     {
                         return Ok(TC_ACT_PIPE); //DONT FWD PACKET TO TUI
                     }

oryx-tui/src/app.rs

@@ -8,10 +8,11 @@ use std::{
     error,
     sync::{Arc, Mutex},
     thread,
+    time::Duration,
 };
 
-use crate::notification::Notification;
 use crate::{filter::Filter, help::Help};
+use crate::{filter::IoChans, notification::Notification};
 use crate::{packet::AppPacket, section::Section};
 
 pub type AppResult<T> = std::result::Result<T, Box<dyn error::Error>>;
@@ -58,9 +59,7 @@ impl App {
 
         let (sender, receiver) = kanal::unbounded();
 
-        let (firewall_ingress_sender, firewall_ingress_receiver) = kanal::unbounded();
-        let (firewall_egress_sender, firewall_egress_receiver) = kanal::unbounded();
-
+        let firewall_chans = IoChans::new();
         thread::spawn({
             let packets = packets.clone();
             move || loop {
@@ -78,20 +77,11 @@ impl App {
         Self {
             running: true,
             help: Help::new(),
-            filter: Filter::new(
-                firewall_ingress_sender.clone(),
-                firewall_ingress_receiver,
-                firewall_egress_sender.clone(),
-                firewall_egress_receiver,
-            ),
+            filter: Filter::new(firewall_chans.clone()),
             start_sniffing: false,
             packets: packets.clone(),
             notifications: Vec::new(),
-            section: Section::new(
-                packets.clone(),
-                firewall_ingress_sender,
-                firewall_egress_sender,
-            ),
+            section: Section::new(packets.clone(), firewall_chans.clone()),
             data_channel_sender: sender,
             is_editing: false,
             active_popup: None,
@@ -138,7 +128,8 @@ impl App {
         if let Err(e) = self.section.firewall.save_rules() {
             error!("{}", e)
         }
-
+        self.filter.terminate();
+        thread::sleep(Duration::from_millis(110));
         self.running = false;
     }
 }

oryx-tui/src/ebpf.rs

@@ -295,13 +295,18 @@ pub fn load_ingress(
             let mut link_filters: Array<_, u32> =
                 Array::try_from(bpf.take_map("LINK_FILTERS").unwrap()).unwrap();
 
-            // firewall-ebpf interface
+            let mut traffic_direction_filters: Array<_, u32> =
+                Array::try_from(bpf.take_map("TRAFFIC_DIRECTION_FILTERS").unwrap()).unwrap();
+            let _ = traffic_direction_filters.set(0, 0, 0);
+            let _ = traffic_direction_filters.set(1, 0, 0); //setup ingress flag
+                                                            // firewall-ebpf interface
             let mut ipv4_firewall: HashMap<_, u32, [u16; MAX_RULES_PORT]> =
                 HashMap::try_from(bpf.take_map("BLOCKLIST_IPV4").unwrap()).unwrap();
 
             let mut ipv6_firewall: HashMap<_, u128, [u16; MAX_RULES_PORT]> =
                 HashMap::try_from(bpf.take_map("BLOCKLIST_IPV6").unwrap()).unwrap();
 
+            // firewall thread
             thread::spawn(move || loop {
                 if let Ok(signal) = firewall_ingress_receiver.recv() {
                     match signal {
@@ -327,10 +332,11 @@ pub fn load_ingress(
                 }
             });
 
+            // packets filters thread
             thread::spawn(move || loop {
                 if let Ok(signal) = filter_channel_receiver.recv() {
                     match signal {
-                        FilterChannelSignal::Update((filter, flag)) => match filter {
+                        FilterChannelSignal::ProtoUpdate((filter, flag)) => match filter {
                             Protocol::Transport(p) => {
                                 let _ = transport_filters.set(p as u32, flag as u32, 0);
                             }
@@ -341,6 +347,9 @@ pub fn load_ingress(
                                 let _ = link_filters.set(p as u32, flag as u32, 0);
                             }
                         },
+                        FilterChannelSignal::DirectionUpdate(flag) => {
+                            let _ = traffic_direction_filters.set(0, flag as u32, 0);
+                        }
                         FilterChannelSignal::Kill => {
                             break;
                         }
@@ -482,13 +491,19 @@ pub fn load_egress(
             let mut link_filters: Array<_, u32> =
                 Array::try_from(bpf.take_map("LINK_FILTERS").unwrap()).unwrap();
 
+            let mut traffic_direction_filters: Array<_, u32> =
+                Array::try_from(bpf.take_map("TRAFFIC_DIRECTION_FILTERS").unwrap()).unwrap();
+            let _ = traffic_direction_filters.set(0, 0, 0);
+            let _ = traffic_direction_filters.set(1, 1, 0); //setup egress flag
+
             // firewall-ebpf interface
             let mut ipv4_firewall: HashMap<_, u32, [u16; MAX_RULES_PORT]> =
                 HashMap::try_from(bpf.take_map("BLOCKLIST_IPV4").unwrap()).unwrap();
 
             let mut ipv6_firewall: HashMap<_, u128, [u16; MAX_RULES_PORT]> =
                 HashMap::try_from(bpf.take_map("BLOCKLIST_IPV6").unwrap()).unwrap();
 
+            // firewall thread
             thread::spawn(move || loop {
                 if let Ok(signal) = firewall_egress_receiver.recv() {
                     match signal {
@@ -514,10 +529,11 @@ pub fn load_egress(
                 }
             });
 
+            // packets filters thread
             thread::spawn(move || loop {
                 if let Ok(signal) = filter_channel_receiver.recv() {
                     match signal {
-                        FilterChannelSignal::Update((filter, flag)) => match filter {
+                        FilterChannelSignal::ProtoUpdate((filter, flag)) => match filter {
                             Protocol::Transport(p) => {
                                 let _ = transport_filters.set(p as u32, flag as u32, 0);
                             }
@@ -528,6 +544,9 @@ pub fn load_egress(
                                 let _ = link_filters.set(p as u32, flag as u32, 0);
                             }
                         },
+                        FilterChannelSignal::DirectionUpdate(flag) => {
+                            let _ = traffic_direction_filters.set(0, flag as u32, 0);
+                        }
                         FilterChannelSignal::Kill => {
                             break;
                         }