hackerchai / xdp-firewall-rs

Simple firewall application using xdp


xdp-firewall-rs

Overview

This is a simple XDP firewall written in Rust. It is built on Aya and uses the project structure generated by aya-template via cargo-generate.

Usage

The program loads the eBPF program into the kernel and attaches it to the XDP hook of the specified interface. From then on the eBPF program runs on every packet received on that interface, before the kernel network stack sees it, and drops any packet that matches an entry in the block list.

  1. Create a file named block.list in the same directory as the binary. This file holds the addresses that are not allowed through the firewall, one CIDR prefix per line:
    touch block.list
  2. Add the addresses to block.list in CIDR notation (use /32 for a single host):
    1.1.1.1/32
    192.168.1.1/32
  3. Run the binary with sudo (loading a BPF program and attaching it to an interface require root or the equivalent capabilities):
    sudo ./xdp-firewall-rs
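The block list handling described above, as an added example in Rust that is not code from the xdp-firewall-rs repository: it parses block.list contents into (network, prefix length) pairs the way a userspace loader would before populating a BPF map, and shows the longest-common-prefix match the XDP side performs to decide whether to drop a packet. The repository's actual file parsing, map layout, and which packet address (source or destination) it compares are not documented on this page; the `#` comment handling and the rule that a bare address means /32 are assumptions of this example, as are all type and function names and the sample block list, which is constructed here.

```rust
use std::net::Ipv4Addr;

/// A blocked IPv4 prefix as parsed from one block.list line (hypothetical type).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct BlockedPrefix {
    pub network: u32,   // host byte order, host bits cleared
    pub prefix_len: u8, // 0..=32
}

impl BlockedPrefix {
    /// Mask with the top `prefix_len` bits set (0 for /0, all ones for /32).
    /// The /0 case is special-cased because `u32::MAX << 32` would overflow.
    fn mask(&self) -> u32 {
        if self.prefix_len == 0 { 0 } else { u32::MAX << (32 - self.prefix_len) }
    }

    /// True if `addr` falls inside this prefix.
    pub fn contains(&self, addr: Ipv4Addr) -> bool {
        (u32::from(addr) & self.mask()) == (self.network & self.mask())
    }
}

/// Parse one block.list entry. Accepts "a.b.c.d/n"; a bare "a.b.c.d" is
/// treated as /32 (assumption of this example). Malformed input is an error,
/// not a silently skipped line.
pub fn parse_line(line: &str) -> Result<BlockedPrefix, String> {
    let (addr_part, len_part) = match line.split_once('/') {
        Some((a, l)) => (a, Some(l)),
        None => (line, None),
    };
    let addr: Ipv4Addr = addr_part
        .trim()
        .parse()
        .map_err(|_| format!("bad address: {line}"))?;
    let prefix_len: u8 = match len_part {
        Some(l) => l.trim().parse().map_err(|_| format!("bad prefix length: {line}"))?,
        None => 32,
    };
    if prefix_len > 32 {
        return Err(format!("prefix length > 32: {line}"));
    }
    let mut p = BlockedPrefix { network: u32::from(addr), prefix_len };
    // Normalise so the stored network has no host bits set (10.0.0.5/8 -> 10.0.0.0/8),
    // which is what an LPM-style map key needs.
    p.network &= p.mask();
    Ok(p)
}

/// Parse whole file contents. Blank lines and '#' comments are ignored (assumption);
/// the first malformed line aborts with its 1-based line number so a typo cannot
/// leave an unnoticed hole in the block list.
pub fn parse_block_list(contents: &str) -> Result<Vec<BlockedPrefix>, String> {
    let mut out = Vec::new();
    for (idx, raw) in contents.lines().enumerate() {
        let line = raw.split('#').next().unwrap_or("").trim();
        if line.is_empty() {
            continue;
        }
        let p = parse_line(line).map_err(|e| format!("block.list line {}: {e}", idx + 1))?;
        out.push(p);
    }
    Ok(out)
}

/// The decision the XDP program makes for the address it checks: true means drop.
pub fn is_blocked(list: &[BlockedPrefix], addr: Ipv4Addr) -> bool {
    list.iter().any(|p| p.contains(addr))
}

fn main() {
    // Constructed sample block.list contents, not taken from the repository.
    let sample = "1.1.1.1/32\n192.168.1.1/32\n10.0.0.0/8  # whole private range\n\n203.0.113.7\n";
    let list = parse_block_list(sample).expect("valid block list");
    for probe in ["1.1.1.1", "1.1.1.2", "10.77.1.9", "203.0.113.7", "8.8.8.8"] {
        let a: Ipv4Addr = probe.parse().unwrap();
        let s = a.to_string();
        println!("{s:<14} -> {}", if is_blocked(&list, a) { "DROP" } else { "PASS" });
    }
}
```

The parser rejects the whole file on the first bad line rather than skipping it: for a firewall, a silently ignored entry is a security hole, so failing closed at load time is the safer behaviour.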

Prerequisites

If you are developing on a Linux machine, set up the toolchain as follows:

  1. Install rustup following the instructions on https://rustup.rs/.
  2. Install a rust stable toolchain: rustup install stable
  3. Install a rust nightly toolchain: rustup toolchain install nightly --component rust-src
  4. Ensure a C compiler and linker are installed. On Ubuntu, you can install them with:
    sudo apt install build-essential
    sudo apt install pkg-config
  5. Install bpf-linker: cargo install bpf-linker

Build and Run

Clone

First clone the repository:

git clone https://github.com/hackerchai/xdp-firewall-rs
cd xdp-firewall-rs

Build eBPF

  • debug build:
cargo xtask build-ebpf
# or you can run
make build
  • release build:
cargo xtask build-ebpf --release
# or you can run
make release

Build Userspace

  • debug build:
cargo build
  • release build:
cargo build --release

Run

  • run release binary
sudo ./target/release/xdp-firewall-rs
# or you can run
make run
  • run debug binary
sudo ./target/debug/xdp-firewall-rs
# or you can run
make dev

Run with logging

RUST_LOG=info cargo xtask run

Cross Compilation

This program can be cross-compiled on a Mac (Intel or arm64) for an x86_64 Linux target:

rustup target add x86_64-unknown-linux-musl
brew install FiloSottile/musl-cross/musl-cross
brew install llvm@16
LLVM_SYS_160_PREFIX=$(brew --prefix llvm@16) cargo install bpf-linker --no-default-features  # point bpf-linker at the LLVM 16 keg installed above, not at an unversioned llvm
cargo xtask build-ebpf --release
export CROSSARCH="x86_64"
RUSTFLAGS="-Clinker=${CROSSARCH}-linux-musl-ld -C link-arg=-s" cargo build --release --target=${CROSSARCH}-unknown-linux-musl

The cross-compiled binary can be found at target/x86_64-unknown-linux-musl/release/xdp-firewall-rs; it can be copied to a Linux server or VM and run there.

Run with Docker

This program can also be built and run in a Docker container.

docker build -t xdp-firewall-rs .

Prepare the block.list file and put it in the same directory as the Dockerfile.

touch block.list
echo "1.1.1.1/32" >> block.list # add ip addresses in CIDR format to the block.list file

Then you can run the container with:

docker run --privileged --user=root --rm -it -v ./block.list:/ebpf/block.list xdp-firewall-rs

--privileged is needed because loading a BPF program and attaching it to an XDP hook require capabilities (CAP_BPF or CAP_SYS_ADMIN, plus CAP_NET_ADMIN) that an unprivileged container does not have. Note also that the container only sees the interfaces in its own network namespace unless it is started with --network host.

License: Apache License 2.0
