gamemann / XDP-Firewall

A firewall that utilizes the Linux kernel's XDP hook. The XDP hook allows for very fast network processing on Linux systems. This is great for dropping malicious traffic from a (D)DoS attack. IPv6 is supported with this firewall! I hope this helps network engineers/programmers interested in utilizing XDP!
https://deaconn.net/
MIT License
492 stars, 87 forks

[Feature Request] Blacklist file #3

Closed mrbluecoat closed 3 years ago

mrbluecoat commented 3 years ago

Your config file format is fine for a small number of entries but becomes a bit verbose for large block lists. Would it be possible to update the config format to support referencing an external file of IP addresses and CIDR ranges (example: https://github.com/firehol/blocklist-ipsets/blob/master/xroxy_30d.ipset)? It would essentially ignore any line that begins with # and then loop through each IP (expanding the CIDR entries) to set srcip and dstip and a high blocktime for all ports. For now, I'm creating a quick convert script that converts the list into the correct config format to test the performance impact (I'm hoping eBPF has better performance than iptables' ipset).
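
An added example of the conversion described above (not mrbluecoat's script and not code from the XDP-Firewall or Barricade projects): it parses an ipset-style file (one IP or CIDR per line, `#` starting a comment), expands each CIDR into host addresses, and emits one filter per address. The input layout is assumed from the linked firehol lists; the output key names `srcip`, `enabled`, `action` and `blocktime` are assumed for illustration, and the sample blocklist is constructed. The per-host cap is there because expanding a large prefix (a /8 is 16M addresses) is exactly where per-address entries stop scaling.

```python
"""Convert an ipset-style blocklist into firewall filter entries.

Added example, not code from the XDP-Firewall or Barricade projects.
Assumptions: input lines are one IP or CIDR each with '#' comments;
output keys "srcip", "enabled", "action", "blocktime" are illustrative.
"""
import ipaddress
import json
from typing import Iterator, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in the firehol ipset layout (not a real list).
SAMPLE_BLOCKLIST = """\
# xroxy_30d-style sample (constructed for this example)
# Maintainer: example
#
192.0.2.10
192.0.2.0/30
2001:db8::/126
  203.0.113.7   # trailing comment
not-an-ip
"""


def parse_blocklist(text: str) -> List[Network]:
    """Return the networks in an ipset file, skipping comments and junk.

    Plain addresses become /32 or /128 networks so callers handle one type.
    Lines that do not parse are skipped rather than aborting the whole list,
    since public blocklists occasionally carry malformed entries.
    """
    nets: List[Network] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comment and whitespace
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # malformed entry: skip, keep the rest of the list
    return nets


def expand_hosts(nets: List[Network], max_entries: int = 65536) -> Iterator[str]:
    """Expand CIDR ranges into individual addresses, as the request describes.

    Every address in the block is yielded (network and broadcast included,
    since a blocklist should drop them too). The cap prevents a single large
    prefix from producing millions of filter entries; beyond it the caller
    should keep prefix matching instead of per-host expansion.
    """
    count = 0
    for net in nets:
        for addr in net:
            if count >= max_entries:
                raise ValueError(f"blocklist exceeds {max_entries} host entries")
            count += 1
            yield str(addr)


def to_filters(nets: List[Network], blocktime: int = 86400) -> List[dict]:
    """Build one filter per host address (assumed key names).

    No port keys are set, so the filter applies to all ports; a high
    blocktime (default one day) matches the request in the thread.
    """
    return [
        {"enabled": True, "action": 0, "srcip": ip, "blocktime": blocktime}
        for ip in expand_hosts(nets)
    ]


def convert(text: str, blocktime: int = 86400) -> str:
    """Full pipeline: blocklist text in, JSON config fragment out."""
    return json.dumps({"filters": to_filters(parse_blocklist(text), blocktime)}, indent=4)


if __name__ == "__main__":
    print(convert(SAMPLE_BLOCKLIST))
```

Running it prints ten filter entries for the sample: one for each plain address and four each for the /30 and the /126. The "not-an-ip" line is dropped silently; if you would rather fail loudly on a corrupt list, raise instead of `continue` in `parse_blocklist`.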

gamemann commented 3 years ago

This is something I will look into doing in the future. I know I've done this with another program without any issues. I might just implement this type of functionality into my Barricade Firewall project here which is basically this XDP firewall, but with performance improvements and the ability to connect to a backbone to sync filters (still in development).

mrbluecoat commented 3 years ago

Do you recommend I switch over to https://github.com/Barricade-FW/Firewall for further testing? I had noticed it before but I wasn't sure which project was most current/active.

gamemann commented 3 years ago

The XDP firewall itself in the Barricade Firewall project is functional at the moment without the backbone. However, you will need to install Libsodium on the system (it's not in use right now, but will be in the future). You'll need to install it regardless for compiling, though.

The XDP firewall in the Barricade FW should perform faster than this firewall because of improvements with timestamps. I read a mailing list thread here that states using bpf_ktime_get_ns() inside of the XDP program will decrease performance (this function returns the time in nanoseconds since the system last started, and this is the function this firewall uses to get the current time inside the XDP program). I haven't performed benchmark tests myself, but I still decided to just update a BPF map every second in user space with the UNIX timestamp and use that to identify how long a source IP should be blocked for inside the XDP program. This should be faster than using the other function anyway.

There were some key changes for config options in the Barricade Firewall when I converted everything to JSON. I don't have it documented at the moment, but I will be doing so in the future. In the meantime, I'd recommend reading this file to learn what the key names are (they're in quotes usually inside the json_object_object_get_ex() function).

Here's an example config for the Barricade Firewall:

```json
{
    "interface": "ens18",
    "stats": true,

    "filters": [
        {
            "enabled": true,
            "action": 0,

            "tcp_enabled": true,
            "tcp_dport": 8888,

            "blocktime": 15
        }
    ]
}
```

I hope this helps!

mrbluecoat commented 3 years ago

Cool, I'll transfer this request to your Barricade Firewall project.