
XDP Packet Filter

A high-performance packet filtering solution built with eXpress Data Path (XDP) for Linux. This filter operates at the NIC level to provide extremely fast packet processing and filtering capabilities.

Features

  • High Performance: Operates at the NIC level for minimal latency and maximum throughput
  • Port-based Filtering: Blocks traffic to predefined ports commonly targeted by scanners
  • IP-based Blocking: Blocks traffic from specific IP addresses or subnets using Longest Prefix Match (LPM) trie
  • Rate Limiting: Implements rate limiting for ICMP packets to prevent abuse
  • Dynamic IP Management: Add or remove IP addresses from the block list without reloading the program
  • Real-time Logging: Optional debug logging for monitoring blocked packets
  • Multi-protocol Support: Handles TCP, UDP, and ICMP protocols

Prerequisites

  • Linux kernel 4.18 or newer with XDP support
  • clang for compiling the BPF program
  • iproute2 package for loading/unloading XDP programs
  • xdp-loader for checking XDP program status
  • bpftool for managing BPF maps

Install required packages on Debian/Ubuntu:

sudo apt update
sudo apt install clang iproute2 linux-tools-common linux-tools-generic

Building the XDP Program

Compile the XDP program using the provided build script:

./build.sh

This will generate xdp_packet_filter.o which can be loaded onto a network interface.

Loading and Unloading

Loading the XDP Program

Load the XDP program onto a network interface (replace eth0 with your interface):

sudo ./xload eth0

Unloading the XDP Program

Unload the XDP program from a network interface:

sudo ./xunload eth0

Reloading the XDP Program

Reload the XDP program on a network interface:

sudo ./xreload eth0

Managing Blocked IPs

The blokir.sh script provides a convenient way to manage blocked IP addresses:

Adding IP Addresses to Block List

# Block a single IP
sudo ./blokir.sh 192.168.1.100

# Block an IP range
sudo ./blokir.sh 192.168.1.0/24

# Block multiple IPs
sudo ./blokir.sh 192.168.1.100 10.0.0.0/16

Removing IP Addresses from Block List

# Unblock a specific IP or range
sudo ./blokir.sh unblock 192.168.1.100

# Unblock multiple IPs
sudo ./blokir.sh unblock 192.168.1.100 10.0.0.0/16

Viewing Blocked IPs

# Show all currently blocked IPs
sudo ./blokir.sh show

Resetting the Block List

# Clear all blocked IPs
sudo ./blokir.sh reset

Importing/Exporting Block Lists

# Export current block list to a file
sudo ./blokir.sh export blocked_ips.conf

# Import block list from a file
sudo ./blokir.sh import blocked_ips.conf

Configuration

Blocked Ports

The filter blocks traffic to a predefined list of ports commonly targeted by port scanners. These ports are defined in the DAFTAR_BLOKIR macro in xdp_packet_filter.c.

Default Blocked IPs

The blocked_ips.conf file contains a list of IP ranges that can be imported into the block list:

57.141.2.0/24
139.59.224.0/20
178.156.172.0/24
141.148.153.0/24

To import these IPs:

sudo ./blokir.sh import blocked_ips.conf

Debugging and Monitoring

Enable debug mode by setting DEBUG to 1 in xdp_packet_filter.c to log blocked packets.

View debug logs:

sudo ./xlog

This will display real-time logs of blocked packets, showing:

  • Blocked IP addresses
  • Blocked ports
  • Protocol information

How It Works

Packet Processing Flow

  1. Ethernet Validation: Validates Ethernet header and ensures it's an IPv4 packet
  2. IP Validation: Checks IP header integrity and extracts source/destination addresses
  3. IP Blocking Check: Drops packets from already blocked IP addresses immediately
  4. Protocol Handling:
    • TCP/UDP: Validates transport headers and checks destination ports against the blocked list
    • ICMP: Applies rate limiting and blocks IPs that exceed the limit
  5. Port Blocking: Drops packets destined for blocked ports and adds source IPs to the block list
  6. Allow: Passes all other packets through
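The following is an added example, not code from the project: a user-space model in C of steps 1, 2, 4 and 5 of the flow above, written so it builds and runs without kernel headers. The header structs, the XDP_PASS/XDP_DROP values and the sample block list (blocked_ports, standing in for the project's DAFTAR_BLOKIR) are all assumptions of the example; the part worth studying is the bounds check before every header access, which is exactly what the BPF verifier demands of the real XDP program before it will load it. Dropping malformed IPv4 frames is the example's own choice.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { XDP_DROP = 1, XDP_PASS = 2 };      /* same numeric values as linux/bpf.h */

#define ETH_P_IP_    0x0800
#define IPPROTO_TCP_ 6
#define IPPROTO_UDP_ 17

/* Local header layouts so the model builds without kernel headers. */
struct eth_hdr { uint8_t dst[6], src[6]; uint16_t proto; } __attribute__((packed));
struct ip_hdr  { uint8_t vhl, tos; uint16_t tot_len, id, frag_off; uint8_t ttl, protocol;
                 uint16_t check; uint32_t saddr, daddr; } __attribute__((packed));
/* TCP and UDP both begin with source port, destination port. */
struct l4_ports { uint16_t source, dest; } __attribute__((packed));

/* Constructed block list for the example; the project's list lives in DAFTAR_BLOKIR. */
static const uint16_t blocked_ports[] = { 23, 445, 3389 };

static int port_blocked(uint16_t port)
{
    for (size_t i = 0; i < sizeof blocked_ports / sizeof blocked_ports[0]; i++)
        if (blocked_ports[i] == port)
            return 1;
    return 0;
}

/* Steps 1, 2, 4 and 5 of the flow for one frame occupying [data, data_end).
 * Every header pointer is checked against data_end before it is read; the BPF
 * verifier rejects an XDP program that omits any of these checks. */
int filter_frame(const uint8_t *data, const uint8_t *data_end)
{
    const struct eth_hdr *eth = (const struct eth_hdr *)data;
    if ((const uint8_t *)(eth + 1) > data_end)
        return XDP_DROP;                              /* runt frame */
    if (ntohs(eth->proto) != ETH_P_IP_)
        return XDP_PASS;                              /* not IPv4: leave it to the stack */

    const struct ip_hdr *ip = (const struct ip_hdr *)(eth + 1);
    if ((const uint8_t *)(ip + 1) > data_end)
        return XDP_DROP;                              /* truncated IPv4 header */
    if ((ip->vhl >> 4) != 4)
        return XDP_DROP;
    size_t ihl = (size_t)(ip->vhl & 0x0f) * 4;       /* > 20 when IP options are present */
    if (ihl < sizeof *ip || (const uint8_t *)ip + ihl > data_end)
        return XDP_DROP;

    /* Step 3 (source-IP block list) and the ICMP path are outside this model. */
    if (ip->protocol != IPPROTO_TCP_ && ip->protocol != IPPROTO_UDP_)
        return XDP_PASS;

    const struct l4_ports *l4 = (const struct l4_ports *)((const uint8_t *)ip + ihl);
    if ((const uint8_t *)(l4 + 1) > data_end)
        return XDP_DROP;                              /* truncated transport header */

    return port_blocked(ntohs(l4->dest)) ? XDP_DROP : XDP_PASS;
}

/* Build a minimal Ethernet/IPv4/TCP frame (constructed test input). Returns its length. */
size_t build_tcp_frame(uint8_t *buf, size_t cap, uint16_t dport)
{
    const size_t len = sizeof(struct eth_hdr) + sizeof(struct ip_hdr) + 20;
    if (cap < len)
        return 0;
    memset(buf, 0, len);
    struct eth_hdr *eth = (struct eth_hdr *)buf;
    eth->proto = htons(ETH_P_IP_);
    struct ip_hdr *ip = (struct ip_hdr *)(eth + 1);
    ip->vhl = 0x45;                                   /* IPv4, 20-byte header */
    ip->tot_len = htons((uint16_t)(len - sizeof *eth));
    ip->ttl = 64;
    ip->protocol = IPPROTO_TCP_;
    ip->saddr = htonl(0xC0A80164);                    /* 192.168.1.100, constructed */
    ip->daddr = htonl(0x0A000001);                    /* 10.0.0.1, constructed */
    struct l4_ports *l4 = (struct l4_ports *)(ip + 1);
    l4->source = htons(40000);
    l4->dest = htons(dport);
    return len;
}
```

The truncated-frame cases are the ones to test first: a frame cut off inside the IPv4 or transport header must never reach a port comparison, because in the real program that read would be past data_end, and the IHL check matters because a TCP header does not start 20 bytes after the IP header when options are present.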

IP Blocking Mechanism

The IP blocking system uses a Longest Prefix Match (LPM) trie map that supports:

  • /32 exact matches (single IP)
  • /24 subnet matches (256 IPs)
  • /20 subnet matches (4096 IPs)

When checking if an IP is blocked, the system tries to match in this order:

  1. Exact /32 match
  2. /24 subnet match
  3. /20 subnet match

Rate Limiting

ICMP packets are rate-limited to prevent abuse:

  • Each IP is tracked with a timestamp
  • If an IP sends ICMP packets too frequently (less than 1 second apart), the IP is blocked
  • Blocked ICMP sources are added to the IP block list
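The block below is an added example (not the project's code) covering both the IP blocking mechanism and the ICMP rate limit above. It keeps the rules in a plain array that stands in for the kernel LPM trie, but uses the real key layout of that map type (host-order prefix length followed by the address bytes in network order, mirroring struct bpf_lpm_trie_key), so a /32 entry wins over a /24 which wins over a /20, as the matching order above describes. The ICMP part keeps a last-seen timestamp per source and blocks a source that sends again less than one second later, with now_ns playing the role of bpf_ktime_get_ns() in the XDP program. The function and map names, the MAX_RULES limit and the sample addresses are assumptions of the example.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Key layout of BPF_MAP_TYPE_LPM_TRIE: host-order prefix length, then the address
 * in network order. Declared locally so the example builds without kernel headers. */
struct lpm_key { uint32_t prefixlen; uint8_t data[4]; };

#define MAX_RULES 16
static struct lpm_key rules[MAX_RULES];   /* stands in for the kernel LPM map */
static int n_rules;

/* Parse "a.b.c.d[/n]" into a key; no "/n" means /32. Returns 0 on success. */
int lpm_key_from_cidr(const char *cidr, struct lpm_key *k)
{
    char addr[INET_ADDRSTRLEN];
    const char *slash = strchr(cidr, '/');
    size_t alen = slash ? (size_t)(slash - cidr) : strlen(cidr);
    if (alen >= sizeof addr)
        return -1;
    memcpy(addr, cidr, alen);
    addr[alen] = '\0';
    struct in_addr a;
    if (inet_pton(AF_INET, addr, &a) != 1)
        return -1;
    long len = 32;
    if (slash) {
        char *end;
        len = strtol(slash + 1, &end, 10);
        if (*end != '\0' || len < 0 || len > 32)
            return -1;
    }
    k->prefixlen = (uint32_t)len;
    memcpy(k->data, &a.s_addr, 4);        /* s_addr is already network order */
    return 0;
}

/* Render a key as the "key hex ..." bytes bpftool takes (little-endian host assumed). */
void lpm_key_hex(const struct lpm_key *k, char out[24])
{
    uint8_t raw[8];
    memcpy(raw, &k->prefixlen, 4);
    memcpy(raw + 4, k->data, 4);
    for (int i = 0; i < 8; i++)
        sprintf(out + i * 3, "%02x%s", raw[i], i < 7 ? " " : "");
}

int block_cidr(const char *cidr)
{
    if (n_rules >= MAX_RULES || lpm_key_from_cidr(cidr, &rules[n_rules]) != 0)
        return -1;
    n_rules++;
    return 0;
}

static uint32_t key_addr_host(const struct lpm_key *k)
{
    return ((uint32_t)k->data[0] << 24) | ((uint32_t)k->data[1] << 16) |
           ((uint32_t)k->data[2] << 8) | k->data[3];
}

/* Longest-prefix match of a network-order source address against the rules.
 * Returns the matching prefix length (32 beats 24 beats 20), or -1 if not blocked. */
int ip_blocked(uint32_t saddr_be)
{
    uint32_t ip = ntohl(saddr_be);
    int best = -1;
    for (int i = 0; i < n_rules; i++) {
        uint32_t len = rules[i].prefixlen;
        uint32_t mask = len == 0 ? 0 : 0xFFFFFFFFu << (32 - len);
        if ((key_addr_host(&rules[i]) & mask) == (ip & mask) && (int)len > best)
            best = (int)len;
    }
    return best;
}

/* ICMP rate limit: a second packet from the same source less than one second
 * after the previous one adds a /32 rule for that source. */
#define ICMP_MIN_GAP_NS 1000000000ULL
struct icmp_state { uint32_t saddr_be; uint64_t last_ns; };
static struct icmp_state icmp_seen[64];   /* stands in for the timestamp map */
static int n_icmp;

/* Returns 1 if the source was just blocked, 0 otherwise. */
int icmp_rate_check(uint32_t saddr_be, uint64_t now_ns)
{
    for (int i = 0; i < n_icmp; i++) {
        if (icmp_seen[i].saddr_be != saddr_be)
            continue;
        uint64_t last = icmp_seen[i].last_ns;
        icmp_seen[i].last_ns = now_ns;
        if (now_ns - last >= ICMP_MIN_GAP_NS)
            return 0;
        if (n_rules < MAX_RULES) {
            rules[n_rules].prefixlen = 32;
            memcpy(rules[n_rules].data, &saddr_be, 4);
            n_rules++;
        }
        return 1;
    }
    if (n_icmp < 64)
        icmp_seen[n_icmp++] = (struct icmp_state){ saddr_be, now_ns };
    return 0;
}
```

Two points carry over to the real maps. First, the prefix length in the key is a host-order u32, so on a little-endian host the key for 192.168.1.0/24 is the bytes 18 00 00 00 c0 a8 01 00, which is what a map dump shows and what a hex key given to bpftool must look like; getting the byte order wrong produces an entry that never matches. Second, if the ICMP timestamp map is a per-CPU map, every CPU keeps its own last-seen time for a source, so the one-second gap is enforced per CPU rather than per source once RSS spreads a sender's packets across queues.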

Performance Considerations

  • XDP programs operate at the earliest possible point in the network stack for maximum performance
  • The BPF maps are per-CPU to minimize contention
  • The LPM trie provides efficient IP lookups with O(k) complexity where k is the key length
  • Minimal processing is done on each packet to maintain high throughput

Security Notes

  • The filter blocks traffic to common ports targeted by scanners but can be customized
  • IP blocking is dynamic and can be updated without restarting the program
  • Debug logging should be disabled in production environments for optimal performance
  • Regular updates to the blocked IP list help protect against known malicious sources

License

This project is licensed under the GPL License - see the LICENSE file for details.
