xdp-firewall-rs
Overview
This is a simple XDP firewall written in Rust. It is built on Aya, with the project structure generated by aya-template via cargo-generate.
Usage
The program loads the eBPF program into the kernel and attaches it to the XDP hook of the specified interface. It then inspects incoming packets and drops any packet that is not allowed by the rules.
- Create a file named block.list in the same directory as the binary. This file contains the list of IP addresses that are not allowed to pass through the firewall. Each IP address should be on a separate line. For example:
touch block.list
- Add IP addresses in CIDR format to the block.list file:
1.1.1.1/32
192.168.1.1/32
- Run the binary with sudo:
sudo ./xdp-firewall-rs
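An added example (not code from the xdp-firewall-rs project): the block.list format described above, parsed and matched in Rust with only the standard library, the way a userspace loader would validate entries before handing them to the kernel side. It assumes that blank lines and '#' comments are skipped and that a bare address means /32; how the project itself stores rules in its eBPF map is not shown.

```rust
use std::net::Ipv4Addr;
/// One blocked IPv4 prefix: network address (host bits cleared) and prefix length.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct BlockRule {
    pub network: u32,
    pub prefix_len: u8,
}

impl BlockRule {
    /// Mask covering the top `prefix_len` bits; a /0 rule must not shift by 32.
    fn mask(&self) -> u32 {
        if self.prefix_len == 0 { 0 } else { u32::MAX << (32 - self.prefix_len) }
    }

    /// True when `ip` falls inside this prefix.
    pub fn matches(&self, ip: Ipv4Addr) -> bool {
        (u32::from(ip) & self.mask()) == self.network
    }
}

/// Parse "a.b.c.d/n". A bare address is treated as /32 (assumption of this
/// example). Returns None on malformed input so the loader can reject the line.
pub fn parse_rule(line: &str) -> Option<BlockRule> {
    let (addr, len) = match line.split_once('/') {
        Some((a, l)) => (a, l.parse::<u8>().ok()?),
        None => (line, 32),
    };
    if len > 32 { return None; }
    let ip: Ipv4Addr = addr.parse().ok()?;
    let mut rule = BlockRule { network: u32::from(ip), prefix_len: len };
    rule.network &= rule.mask(); // 10.0.0.7/24 is stored as 10.0.0.0/24
    Some(rule)
}

/// Parse the whole block.list. Blank lines and '#' comments are skipped (an
/// assumption of this example); the first invalid line aborts with its number.
pub fn parse_block_list(contents: &str) -> Result<Vec<BlockRule>, String> {
    let mut rules = Vec::new();
    for (n, raw) in contents.lines().enumerate() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') { continue; }
        rules.push(parse_rule(line).ok_or_else(|| format!("line {}: invalid CIDR '{}'", n + 1, line))?);
    }
    Ok(rules)
}

/// Verdict helper: a packet is dropped when its source matches any rule.
pub fn is_blocked(src: Ipv4Addr, rules: &[BlockRule]) -> bool {
    rules.iter().any(|r| r.matches(src))
}
```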
Prerequisites
If you are developing on a Linux machine, you can set up the toolchain with the following steps:
- Install rustup following the instructions on https://rustup.rs/.
- Install a Rust stable toolchain:
rustup install stable
- Install a Rust nightly toolchain:
rustup toolchain install nightly --component rust-src
- Ensure a C compiler and linker are installed. On Ubuntu, you can install them with:
sudo apt install build-essential
sudo apt install pkg-config
- Install bpf-linker:
cargo install bpf-linker
Build and Run
Clone
First clone the repository:
git clone https://github.com/hackerchai/xdp-firewall-rs
cd xdp-firewall-rs
Build eBPF
- debug build:
cargo xtask build-ebpf
# or you can run
make build
- release build:
cargo xtask build-ebpf --release
# or you can run
make release
Build Userspace
- debug build:
cargo build
- release build:
cargo build --release
Run
- run the release binary:
sudo ./target/release/xdp-firewall-rs
# or you can run
make run
- run the debug binary:
sudo ./target/debug/xdp-firewall-rs
# or you can run
make dev
Run with logging
RUST_LOG=info cargo xtask run
Cross Compilation
This program can be cross-compiled on a Mac (Intel or arm64):
rustup target add x86_64-unknown-linux-musl
brew install FiloSottile/musl-cross/musl-cross
brew install llvm@16
LLVM_SYS_160_PREFIX=$(brew --prefix llvm) cargo install bpf-linker --no-default-features
cargo xtask build-ebpf --release
export CROSSARCH="x86_64"
RUSTFLAGS="-Clinker=${CROSSARCH}-linux-musl-ld -C link-arg=-s" cargo build --release --target=${CROSSARCH}-unknown-linux-musl
The cross-compiled binary can be found at target/x86_64-unknown-linux-musl/release/xdp-firewall-rs, which can be copied to a Linux server or VM and run there.
Run with Docker
This program can be built in a Docker container.
docker build -t xdp-firewall-rs .
Prepare the block.list file and put it in the same directory as the Dockerfile.
touch block.list
echo "1.1.1.1/32" >> block.list # add IP addresses in CIDR format to the block.list file
Then you can run the container with:
docker run --privileged --user=root --rm -it -v ./block.list:/ebpf/block.list xdp-firewall-rs