Implement XDP firewall with real-time TUI monitoring

Features: - High-performance packet filtering via eBPF/XDP - Instant blocklist with dynamic CLI management - Exact-match rules with Drop/Pass/Log actions - CIDR-based IP range dropping via LPM trie - Token-bucket rate limiting (IP-based and flow-based) - Auto temp bans for rate limit violators - Real-time event logging via BPF ring buffer - Interactive TUI monitor with live stats Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 09:10:52 +07:00
commit 6101de6887
24 changed files with 3235 additions and 0 deletions
--- a/xdp-firewall-common/Cargo.toml
+++ b/xdp-firewall-common/Cargo.toml
@@ -0,0 +1,10 @@
+[package]
+name = "xdp-firewall-common"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+aya = { version = "0.13.1", optional = true }
+
+[features]
+userspace = ["aya"]
--- a/xdp-firewall-common/src/lib.rs
+++ b/xdp-firewall-common/src/lib.rs
@@ -0,0 +1,103 @@
+#![no_std]
+
+#[repr(C)]
+#[derive(Clone, Copy, Debug, Default, PartialEq, Eq)]
+pub struct RuleKey {
+    pub src_ip: u32,
+    pub dst_ip: u32,
+    pub src_port: u16,
+    pub dst_port: u16,
+    pub proto: u8,
+    pub _pad: [u8; 3],
+}
+
+#[repr(C)]
+#[derive(Clone, Copy, Debug, Default, PartialEq, Eq)]
+pub struct RuleValue {
+    pub action: u8,
+    pub rule_id: u32,
+    pub _pad: [u8; 3],
+}
+
+#[repr(C)]
+#[derive(Clone, Copy, Debug, Default, PartialEq, Eq)]
+pub struct RateLimitKey {
+    pub key_type: u8,
+    pub _pad: [u8; 3],
+    pub src_ip: u32,
+    pub dst_ip: u32,
+    pub proto: u8,
+    pub _pad2: [u8; 3],
+    pub src_port: u16,
+    pub dst_port: u16,
+}
+
+#[repr(C)]
+#[derive(Clone, Copy, Debug, Default, PartialEq, Eq)]
+pub struct RateLimitState {
+    pub tokens: u64,
+    pub last_update_ns: u64,
+    pub violations: u32,
+    pub _pad: u32,
+}
+
+#[repr(C)]
+#[derive(Clone, Copy, Debug, Default, PartialEq, Eq)]
+pub struct RateLimitConfig {
+    pub rate_per_sec: u64,
+    pub burst: u64,
+    pub ban_threshold: u32,
+    pub ban_duration_sec: u32,
+    pub enabled: u8,
+    pub _pad: [u8; 3],
+}
+
+#[repr(C)]
+#[derive(Clone, Copy, Debug, Default, PartialEq, Eq)]
+pub struct Stats {
+    pub packets: u64,
+    pub bytes: u64,
+}
+
+#[repr(C)]
+#[derive(Clone, Copy, Debug, Default, PartialEq, Eq)]
+pub struct FirewallEvent {
+    pub ts_ns: u64,
+    pub src_ip: u32,
+    pub dst_ip: u32,
+    pub src_port: u16,
+    pub dst_port: u16,
+    pub proto: u8,
+    pub action: u8,
+    pub rule_id: u32,
+}
+
+#[repr(C)]
+#[derive(Clone, Copy, Debug, Default, PartialEq, Eq)]
+pub struct Ipv4LpmKey {
+    pub prefix_len: u32,
+    pub addr: u32,
+}
+
+pub const ACTION_DROP: u8 = 0;
+pub const ACTION_PASS: u8 = 1;
+pub const ACTION_LOG: u8 = 2;
+pub const ACTION_RATELIMIT_DROP: u8 = 3;
+pub const ACTION_BLOCKLIST_DROP: u8 = 4;
+pub const ACTION_RANGE_DROP: u8 = 5;
+
+pub const RL_TYPE_IP: u8 = 0;
+pub const RL_TYPE_FLOW: u8 = 1;
+
+#[cfg(feature = "userspace")]
+mod pod {
+    use super::*;
+    unsafe impl aya::Pod for RuleKey {}
+    unsafe impl aya::Pod for RuleValue {}
+    unsafe impl aya::Pod for RateLimitKey {}
+    unsafe impl aya::Pod for RateLimitState {}
+    unsafe impl aya::Pod for RateLimitConfig {}
+    unsafe impl aya::Pod for Stats {}
+    unsafe impl aya::Pod for FirewallEvent {}
+    unsafe impl aya::Pod for Ipv4LpmKey {}
+}