Add README.md

Signed-off-by: MOVZX <movzx@yahoo.com>

README.md

@@ -0,0 +1,200 @@
+# XDP Packet Filter
+
+A high-performance packet filtering solution built with eXpress Data Path (XDP) for Linux. This filter operates at the NIC level to provide extremely fast packet processing and filtering capabilities.
+
+## Features
+
+- **High Performance**: Operates at the NIC level for minimal latency and maximum throughput
+- **Port-based Filtering**: Blocks traffic to predefined ports commonly targeted by scanners
+- **IP-based Blocking**: Blocks traffic from specific IP addresses or subnets using Longest Prefix Match (LPM) trie
+- **Rate Limiting**: Implements rate limiting for ICMP packets to prevent abuse
+- **Dynamic IP Management**: Add or remove IP addresses from the block list without reloading the program
+- **Real-time Logging**: Optional debug logging for monitoring blocked packets
+- **Multi-protocol Support**: Handles TCP, UDP, and ICMP protocols
+
+## Prerequisites
+
+- Linux kernel 4.18 or newer with XDP support
+- `clang` for compiling the BPF program
+- `iproute2` package for loading/unloading XDP programs
+- `xdp-loader` for checking XDP program status
+- `bpftool` for managing BPF maps
+
+Install required packages on Debian/Ubuntu:
+```bash
+sudo apt update
+sudo apt install clang iproute2 linux-tools-common linux-tools-generic
+```
+
+## Building the XDP Program
+
+Compile the XDP program using the provided build script:
+
+```bash
+./build.sh
+```
+
+This will generate `xdp_packet_filter.o` which can be loaded onto a network interface.
+
+## Loading and Unloading
+
+### Loading the XDP Program
+
+Load the XDP program onto a network interface (replace `eth0` with your interface):
+
+```bash
+sudo ./xload eth0
+```
+
+### Unloading the XDP Program
+
+Unload the XDP program from a network interface:
+
+```bash
+sudo ./xunload eth0
+```
+
+### Reloading the XDP Program
+
+Reload the XDP program on a network interface:
+
+```bash
+sudo ./xreload eth0
+```
+
+## Managing Blocked IPs
+
+The `blokir.sh` script provides a convenient way to manage blocked IP addresses:
+
+### Adding IP Addresses to Block List
+
+```bash
+# Block a single IP
+sudo ./blokir.sh 192.168.1.100
+
+# Block an IP range
+sudo ./blokir.sh 192.168.1.0/24
+
+# Block multiple IPs
+sudo ./blokir.sh 192.168.1.100 10.0.0.0/16
+```
+
+### Removing IP Addresses from Block List
+
+```bash
+# Unblock a specific IP or range
+sudo ./blokir.sh unblock 192.168.1.100
+
+# Unblock multiple IPs
+sudo ./blokir.sh unblock 192.168.1.100 10.0.0/16
+```
+
+### Viewing Blocked IPs
+
+```bash
+# Show all currently blocked IPs
+sudo ./blokir.sh show
+```
+
+### Resetting the Block List
+
+```bash
+# Clear all blocked IPs
+sudo ./blokir.sh reset
+```
+
+### Importing/Exporting Block Lists
+
+```bash
+# Export current block list to a file
+sudo ./blokir.sh export blocked_ips.conf
+
+# Import block list from a file
+sudo ./blokir.sh import blocked_ips.conf
+```
+
+## Configuration
+
+### Blocked Ports
+
+The filter blocks traffic to a predefined list of ports commonly targeted by port scanners. These ports are defined in the `DAFTAR_BLOKIR` macro in `xdp_packet_filter.c`.
+
+### Default Blocked IPs
+
+The `blocked_ips.conf` file contains a list of IP ranges that can be imported into the block list:
+
+```
+57.141.2.0/24
+139.59.224.0/20
+178.156.172.0/24
+141.148.153.0/24
+```
+
+To import these IPs:
+```bash
+sudo ./blokir.sh import blocked_ips.conf
+```
+
+## Debugging and Monitoring
+
+Enable debug mode by setting `DEBUG` to `1` in `xdp_packet_filter.c` to log blocked packets.
+
+View debug logs:
+```bash
+sudo ./xlog
+```
+
+This will display real-time logs of blocked packets, showing:
+- Blocked IP addresses
+- Blocked ports
+- Protocol information
+
+## How It Works
+
+### Packet Processing Flow
+
+1. **Ethernet Validation**: Validates Ethernet header and ensures it's an IPv4 packet
+2. **IP Validation**: Checks IP header integrity and extracts source/destination addresses
+3. **IP Blocking Check**: Drops packets from already blocked IP addresses immediately
+4. **Protocol Handling**:
+   - **TCP/UDP**: Validates transport headers and checks destination ports against the blocked list
+   - **ICMP**: Applies rate limiting and blocks IPs that exceed the limit
+5. **Port Blocking**: Drops packets destined for blocked ports and adds source IPs to the block list
+6. **Allow**: Passes all other packets through
+
+### IP Blocking Mechanism
+
+The IP blocking system uses a Longest Prefix Match (LPM) trie map that supports:
+- /32 exact matches (single IP)
+- /24 subnet matches (256 IPs)
+- /20 subnet matches (4096 IPs)
+
+When checking if an IP is blocked, the system tries to match in this order:
+1. Exact /32 match
+2. /24 subnet match
+3. /20 subnet match
+
+### Rate Limiting
+
+ICMP packets are rate-limited to prevent abuse:
+- Each IP is tracked with a timestamp
+- If an IP sends ICMP packets too frequently (less than 1 second apart), the IP is blocked
+- Blocked ICMP sources are added to the IP block list
+
+## Performance Considerations
+
+- XDP programs operate at the earliest possible point in the network stack for maximum performance
+- The BPF maps are per-CPU to minimize contention
+- The LPM trie provides efficient IP lookups with O(k) complexity where k is the key length
+- Minimal processing is done on each packet to maintain high throughput
+
+## Security Notes
+
+- The filter blocks traffic to common ports targeted by scanners but can be customized
+- IP blocking is dynamic and can be updated without restarting the program
+- Debug logging should be disabled in production environments for optimal performance
+- Regular updates to the blocked IP list help protect against known malicious sources
+
+## License
+
+This project is licensed under the GPL License - see the [LICENSE](LICENSE) file for details.