diff --git a/README.md b/README.md
index a334c97..fa673d1 100644
--- a/README.md
+++ b/README.md
@@ -34,8 +34,8 @@ As of this time, I am not aware of any NIC manufacturers that will be able to of
 ## Configuration File Options
 ### Main
 * `interface` => The interface for the XDP program to attach to.
-* `updatetime` => How often to update the config and filtering rules. Leaving this at 0 disables auto-updating.
-* `nostats` => If true, no accepted/blocked packet statistics will be displayed in `stdout`.
+* `update_time` => How often to update the config and filtering rules. Leaving this at 0 disables auto-updating.
+* `no_stats` => If true, no accepted/blocked packet statistics will be displayed in `stdout`.
 * `stdout_update_time` => The amount of time in milliseconds to update `stdout` with counters. Default is set to `1000` (one second).
 ### Filters
@@ -43,10 +43,10 @@ Config option `filters` is an array. Each filter includes the following options:
 * `enabled` => If true, this rule is enabled.
 * `action` => What action to perform against the packet if matched. 0 = Block. 1 = Allow.
-* `srcip` => The source IP address the packet must match (e.g. 10.50.0.3).
-* `dstip` => The destination IP address the packet must match (e.g. 10.50.0.4).
-* `srcip6` => The source IPv6 address the packet must match (e.g. fe80::18c4:dfff:fe70:d8a6).
-* `dstip6` => The destination IPv6 address the packet must match (e.g. fe80::ac21:14ff:fe4b:3a6d).
+* `src_ip` => The source IP address the packet must match (e.g. 10.50.0.3).
+* `dst_ip` => The destination IP address the packet must match (e.g. 10.50.0.4).
+* `src_ip6` => The source IPv6 address the packet must match (e.g. fe80::18c4:dfff:fe70:d8a6).
+* `dst_ip6` => The destination IPv6 address the packet must match (e.g. fe80::ac21:14ff:fe4b:3a6d).
 * `min_ttl` => The minimum TTL (time to live) the packet must match.
 * `max_ttl` => The maximum TTL (time to live) the packet must match.
 * `max_len` => The maximum packet length the packet must match. This includes the entire frame (ethernet header, IP header, L4 header, and data).
@@ -54,7 +54,7 @@ Config option `filters` is an array. Each filter includes the following options:
 * `tos` => The TOS (type of service) the packet must match.
 * `pps` => The maximum packets per second a source IP can send before matching.
 * `bps` => The maximum amount of bytes per second a source IP can send before matching.
-* `blocktime` => The time in seconds to block the source IP if the rule matches and the action is block (0). Default value is `1`.
+* `block_time` => The time in seconds to block the source IP if the rule matches and the action is block (0). Default value is `1`.
 #### TCP Options
 TCP options exist in the main filter array and start with `tcp_`. Please see below.
@@ -94,7 +94,7 @@ Here's an example of a config:
 ```squidconf
 interface = "ens18";
-updatetime = 15;
+update_time = 15;
 filters = (
 {
@@ -122,7 +122,7 @@ filters = (
 {
 enabled = true,
 action = 0,
- srcip = "10.50.0.4"
+ src_ip = "10.50.0.4"
 }
 );
 ```
diff --git a/src/config.c b/src/config.c
index 2d85b8c..907e517 100644
--- a/src/config.c
+++ b/src/config.c
@@ -159,7 +159,7 @@ int readcfg(struct config *cfg)
 // Get auto update time.
 int updatetime;
- if (config_lookup_int(&conf, "updatetime", &updatetime) == CONFIG_TRUE)
+ if (config_lookup_int(&conf, "update_time", &updatetime) == CONFIG_TRUE)
 {
 cfg->updatetime = updatetime;
 }
@@ -175,7 +175,7 @@ int readcfg(struct config *cfg)
 // Get no stats.
 int nostats;
- if (config_lookup_bool(&conf, "nostats", &nostats) == CONFIG_TRUE)
+ if (config_lookup_bool(&conf, "no_stats", &nostats) == CONFIG_TRUE)
 {
 cfg->nostats = nostats;
 }
@@ -230,7 +230,7 @@ int readcfg(struct config *cfg)
 // Source IP (not required).
 const char *sip;
- if (config_setting_lookup_string(filter, "srcip", &sip))
+ if (config_setting_lookup_string(filter, "src_ip", &sip))
 {
 cfg->filters[i].srcip = inet_addr(sip);
 }
@@ -238,7 +238,7 @@ int readcfg(struct config *cfg)
 // Destination IP (not required).
 const char *dip;
- if (config_setting_lookup_string(filter, "dstip", &dip))
+ if (config_setting_lookup_string(filter, "dst_ip", &dip))
 {
 cfg->filters[i].dstip = inet_addr(dip);
 }
@@ -246,7 +246,7 @@ int readcfg(struct config *cfg)
 // Source IP (IPv6) (not required).
 const char *sip6;
- if (config_setting_lookup_string(filter, "srcip6", &sip6))
+ if (config_setting_lookup_string(filter, "src_ip6", &sip6))
 {
 struct in6_addr in;
@@ -261,7 +261,7 @@ int readcfg(struct config *cfg)
 // Destination IP (IPv6) (not required).
 const char *dip6;
- if (config_setting_lookup_string(filter, "dstip6", &dip6))
+ if (config_setting_lookup_string(filter, "dst_ip6", &dip6))
 {
 struct in6_addr in;
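Review bot: The renamed lookup `config_lookup_int(&conf, "update_time", &updatetime)` keeps no fallback for the old `updatetime` key, and the same holds for the `no_stats`, `src_ip`, `dst_ip`, `src_ip6` and `dst_ip6` lookups in the following hunks of this file and for `block_time` in the last one. Because each of these lookups is optional (the surrounding comments say "not required") and a missed lookup simply leaves the field at its prior or default value, a config written with the old names still loads without any error and silently yields a different ruleset — a filter that used `srcip`, for example, would presumably end up with no source-IP constraint, so its block or allow action would apply more broadly than the operator intended. Either accept both spellings for a transition period, `if (config_setting_lookup_string(filter, "src_ip", &sip) || config_setting_lookup_string(filter, "srcip", &sip))`, or detect the old key and refuse to load with a clear message, and document the rename as a breaking change either way. readcfg() begins and ends outside these hunks.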
@@ -339,7 +339,7 @@ int readcfg(struct config *cfg)
 // Block time (default 1).
 long long blocktime;
- if (config_setting_lookup_int64(filter, "blocktime", &blocktime))
+ if (config_setting_lookup_int64(filter, "block_time", &blocktime))
 {
 cfg->filters[i].blocktime = blocktime;
 }
diff --git a/src/xdpfw.c b/src/xdpfw.c
index 559d373..52df448 100644
--- a/src/xdpfw.c
+++ b/src/xdpfw.c
@@ -472,9 +472,10 @@ int main(int argc, char *argv[])
 // Create last updated variable.
 time_t lastupdatecheck = time(NULL);
- time_t statslastupdated = time(NULL);
 time_t lastupdated = time(NULL);
+ unsigned int sleep_time = cfg.stdout_update_time * 1000;
+
 while (cont)
 {
 // Get current time.
@@ -510,7 +511,7 @@ int main(int argc, char *argv[])
 }
 // Update stats.
- if ((curTime - statslastupdated) > 2 && !cfg.nostats)
+ if (!cfg.nostats)
 {
 __u32 key = 0;
 struct stats stats[MAX_CPUS];
@@ -546,11 +547,9 @@ int main(int argc, char *argv[])
 fflush(stdout);
 fprintf(stdout, "\rAllowed: %llu | Dropped: %llu | Passed: %llu", allowed, dropped, passed);
-
- statslastupdated = time(NULL);
 }
- usleep(500);
+ usleep(sleep_time);
 }
 // Detach XDP program.
diff --git a/xdpfw.conf.example b/xdpfw.conf.example
index ed29eb1..1d51f6f 100644
--- a/xdpfw.conf.example
+++ b/xdpfw.conf.example
@@ -1,5 +1,5 @@
 interface = "ens18";
-updatetime = 15;
+update_time = 15;
 stdout_update_time = 1000;
 filters = (
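Review bot: `unsigned int sleep_time = cfg.stdout_update_time * 1000;` is computed once from an operator-supplied value with no bounds check, and it now drives the only sleep in the main loop (`usleep(sleep_time)` in the third xdpfw.c hunk). A `stdout_update_time` of 0 gives `usleep(0)` and the loop spins at full CPU, reading the per-CPU stats map on every pass now that the second hunk removed the 2-second throttle, while a very large value overflows the multiplication (signed overflow if that field is an `int`) and, because the same sleep paces the `update_time` reload and the `while (cont)` shutdown check, delays both. Suggest validating once, `unsigned int sleep_time = (cfg.stdout_update_time > 0) ? (unsigned int)cfg.stdout_update_time * 1000u : 1000u;`, adding an upper bound where the config is read, and preferring `nanosleep()` since `usleep()` is not guaranteed by POSIX to accept 1000000 µs or more and the documented 1000 ms default lands exactly there. If the config auto-reload can change `cfg.stdout_update_time`, this one-time snapshot will not pick it up and should be recomputed inside the loop. main() continues outside the hunk.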