Add xdp-synproxy to bpf-examples

this code is from kernel bpf selftests xdp synproxy, removed the
tc part for simplicity, shows an exmaple of using libxdp
to attach xdp synproxy program on network interface.

if port is not in allowed ports, the packet will be dropped
by xdp synproxy by default, this would break tcp connections
to ports that user does not want to do synproxy, change the
default to allow connection pass through.

Signed-off-by: Vincent Li <[email protected]>

Author: vincentmli

Makefile

@@ -25,6 +25,7 @@ SUBDIRS += tc-policy
 SUBDIRS += traffic-pacing-edt
 SUBDIRS += AF_XDP-forwarding
 SUBDIRS += AF_XDP-example
+SUBDIRS += xdp-synproxy
 
 .PHONY: check_submodule help clobber distclean clean $(SUBDIRS)
 

headers/vmlinux/vmlinux_common.h

@@ -1,6 +1,13 @@
 #ifndef __VMLINUX_COMMON_H__
 #define __VMLINUX_COMMON_H__
 
+enum {
+	false = 0,
+	true = 1,
+};
+
+typedef _Bool bool;
+
 struct list_head {
 	struct list_head *next;
 	struct list_head *prev;

headers/vmlinux/vmlinux_net.h

@@ -135,4 +135,13 @@ struct sk_buff {
 	struct skb_ext *extensions;
 };
 
+struct nf_conn {
+	unsigned long status;
+};
+
+enum ip_conntrack_status {
+	/* Connection is confirmed: originating packet has left box */
+	IPS_CONFIRMED_BIT = 3,
+};
+
 #endif /* __VMLINUX_NET_H__ */

xdp-synproxy/Makefile

@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: (GPL-2.0 OR BSD-2-Clause)
+
+USER_TARGETS := xdp_synproxy
+BPF_TARGETS := xdp_synproxy_kern
+BPF_SKEL_OBJ := xdp_synproxy_kern.o
+
+LIB_DIR = ../lib
+
+include $(LIB_DIR)/common.mk

xdp-synproxy/README.org

@@ -0,0 +1,29 @@
+#+Title: XDP SYNPROXY sample application
+
+This is a sample application for XDP SYNPROXY. It was cloned from
+the Linux source code tree under tools/testing/selftests/bpf and called
+xdp_synproxy. main purpose of it is to demonstrate capabilities of
+XDP accelerating SYN Proxying for SYN flood DDOS protection. It is
+a real practical example for user to use. For an overview of accelerating
+SYNPROXY WITH XDP, Please refer to this paper
+(https://netdevconf.info/0x15/slides/30/Netdev%200x15%20Accelerating%20synproxy%20with%20XDP.pdf)
+
+Note XDP SYNPROXY requires netfilter connection tracking and here are the
+sysctl knobs and iptables rules preparation for XDP SYNPROXY:
+#+BEGIN_SRC sh
+  sudo sysctl -w net.ipv4.tcp_syncookies=2
+  sudo sysctl -w net.ipv4.tcp_timestamps=1
+  sudo sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
+  sudo iptables -t raw -I PREROUTING  -i <interface> -p tcp -m tcp --syn --dport <port> -j CT --notrack
+  sudo iptables -t filter -A INPUT -i <interface> -p tcp -m tcp --dport <port> -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
+  sudo iptables -t filter -A INPUT -i <interface> -m state --state INVALID -j DROP
+#+END_SRC
+
+Here is how to start the XDP SYNPROXY application:
+#+BEGIN_SRC sh
+  sudo xdp_synproxy --iface <interface> --file <path-to-xdp_synproxy_kern.o> --mss4 1460 --mss6 1440 --wscale 7 --ttl 254 --ports <port1>,<port2>
+#+END_SRC
+
+XDP SYNPROXY can coexist with other XDP programs since we use libxdp
+to attach the XDP SYNPROXY program, meaning you could build chain of
+XDP programs and attach them to same network interface.