- write_rule(ip_to_rule(proto, nets[0], "daddr", offset))
- elif step.strip().startswith("proto") and proto == 4:
- write_rule(proto_to_rule(4, step.strip()[6:]))
- elif step.strip().startswith("next header") and proto == 6:
- write_rule(proto_to_rule(6, step.strip()[12:]))
- elif step.strip().startswith("icmp type"):
- write_rule(icmp_type_to_rule(proto, step.strip()[10:]))
- elif step.strip().startswith("icmp code"):
- write_rule(icmp_code_to_rule(proto, step.strip()[10:]))
- elif step.strip().startswith("sport") or step.strip().startswith("dport") or step.strip().startswith("port"):
- write_rule(port_to_rule(step.strip().split(" ")[0], step.strip().split(" ", 1)[1]))
- elif step.strip().startswith("length"):
- write_rule(len_to_rule(step.strip()[7:]))
- elif step.strip().startswith("dscp"):
- write_rule(dscp_to_rule(proto, step.strip()[5:]))
- elif step.strip().startswith("tcp flags"):
- write_rule(tcp_flags_to_rule(step.strip()[10:]))
- elif step.strip().startswith("label"):
- write_rule(flow_label_to_rule(step.strip()[6:]))
- elif step.strip().startswith("fragment"):
- if proto == 6:
- use_v6_frags = True
- write_rule(fragment_to_rule(proto, step.strip()[9:]))
- elif step.strip() == "":
- pass
+ assert False
+
+ # Now write the match handling!
+ first_action = None
+ last_action = None
+ for community in line.split("("):
+ if not community.startswith("generic, "):
+ continue
+ blocks = community.split(",")
+ assert len(blocks) == 3
+ if len(blocks[1].strip()) != 10: # Should be 0x12345678
+ continue
+ ty = blocks[1].strip()[:6]
+ low_bytes = int(blocks[2].strip(") \n"), 16)
+ if ty == "0x8006":
+ if first_action is not None:
+ assert False # Two ratelimit actions?
+ if low_bytes == 0:
+ first_action = "return XDP_DROP;"
+ else:
+ if low_bytes & (1 << 31) != 0:
+ assert False # Negative ratelimit?
+ exp = (low_bytes & (0xff << 23)) >> 23
+ if exp == 0xff:
+ assert False # NaN/INF?
+ if exp <= 127: # < 1
+ first_action = "return XDP_DROP;"
+ if exp >= 127 + 63: # The count won't even fit in 64-bits, just accept
+ first_action = "return XDP_PASS;"
+ mantissa = low_bytes & ((1 << 23) - 1)
+ value = 1.0 + mantissa / (2**23)
+ value *= 2**(exp-127)
+ first_action = "uint64_t secs = bpf_ktime_get_ns() / 1000000000;\n"
+ first_action += f"const uint32_t ratelimitidx = {ratelimitcnt};\n"
+ first_action += "struct ratelimit *rate = bpf_map_lookup_elem(&rate_map, &ratelimitidx);\n"
+ first_action += "if (rate) {\n"
+ first_action += "\tbpf_spin_lock(&rate->lock);\n"
+ first_action += "\tif (secs != rate->bucket_secs) {\n"
+ first_action += "\t\trate->bucket_secs = secs;\n"
+ first_action += "\t\trate->bucket_count = 0;\n"
+ first_action += "\t}\n"
+ first_action += f"\tif (rate->bucket_count + (data_end - pktdata) > {math.floor(value)})\n"
+ first_action += "\t\t{ bpf_spin_unlock(&rate->lock); return XDP_DROP; }\n"
+ first_action += "\trate->bucket_count += data_end - pktdata;\n"
+ first_action += "\tbpf_spin_unlock(&rate->lock);\n"
+ first_action += "}\n"
+ ratelimitcnt += 1
+ elif ty == "0x8007":
+ if low_bytes & 1 == 0:
+ last_action = "return XDP_PASS;"
+ if low_bytes & 2 == 2:
+ write_rule(f"const uint32_t ruleidx = STATIC_RULE_CNT + {rulecnt};")
+ write_rule("INCREMENT_MATCH(ruleidx);")
+ elif ty == "0x8008":
+ assert False # We do not implement the redirect action
+ elif ty == "0x8009":
+ if low_bytes & ~0b111111 != 0:
+ assert False # Invalid DSCP value
+ if proto == 4:
+ write_rule("int32_t chk = ~BE16(ip->check) & 0xffff;")
+ write_rule("uint8_t orig_tos = ip->tos;")
+ write_rule("ip->tos = (ip->tos & 3) | " + str(low_bytes << 2) + ";")
+ write_rule("chk = (chk - orig_tos + ip->tos);")
+ write_rule("if (unlikely(chk < 0)) { chk += 65534; }")
+ write_rule("ip->check = ~BE16(chk);")
+ else:
+ write_rule("ip6->priority = " + str(low_bytes >> 2) + ";")
+ write_rule("ip6->flow_lbl[0] = (ip6->flow_lbl[0] & 0x3f) | " + str((low_bytes & 3) << 6) + ";")
+ if first_action is not None:
+ write_rule(first_action)
+ if last_action is not None:
+ write_rule(last_action)
+ if proto == 6:
+ rules6 += "\t} while(0);\\\n"