Added cli support for ddos map updates and updated start_ebpf_controller to add controller listening ports to ddos port list
r-caamano committed Apr 22, 2024
1 parent 9117781 commit ee3f660
Showing 4 changed files with 939 additions and 329 deletions.
8 changes: 5 additions & 3 deletions CHANGELOG.md
Expand Up @@ -8,9 +8,11 @@ All notable changes to this project will be documented in this file. The format
###

- Added map to track tcp syn count for packets sent to the firewall ip address on port 443.
- Ddos protection is meant for the FW host accept/deny logic was moved to first bpf program and
and addresses in ddos_protect_map supersede fw rules for locally terminated service on port 443.
Currently only for ports 80,443 and 6262.
- Ddos protection is meant for the FW host accept/deny logic was moved to first bpf program.
- ddos dport map was created to specify ports to be protected when an interface is in
ddos_protect mode.
- ddos saddr map was created to specify whitelisted IP addresses to be allowed to reach protected ports
when an interface is in ddos_protect mode.

# [0.5.14] - 2024-04-02

4 changes: 4 additions & 0 deletions files/scripts/start_ebpf_controller.py
Expand Up @@ -62,6 +62,7 @@ def add_link_listener_rules(lan_ip, lan_mask):
port = addr_array[-1].strip()
if((int(port) > 0) and (addr_array[0] == 'tls')):
os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp')
os.system('/opt/openziti/bin/zfw --ddos-dport-add ' + port)
except Exception as e:
print(e)
pass
Expand All @@ -85,6 +86,7 @@ def add_controller_edge_listener_rules(lan_ip, lan_mask):
port = addr_array[-1].strip()
if((int(port) > 0)):
os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp')
os.system('/opt/openziti/bin/zfw --ddos-dport-add ' + port)
except Exception as e:
print(e)
pass
Expand All @@ -107,6 +109,7 @@ def add_controller_ctrl_listener_rules(lan_ip, lan_mask):
port = addr_array[-1].strip()
if((int(port) > 0) and (addr_array[0] == 'tls')):
os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp')
os.system('/opt/openziti/bin/zfw --ddos-dport-add ' + port)
except Exception as e:
print(e)
pass
Expand Down Expand Up @@ -161,6 +164,7 @@ def add_controller_port_forwarding_rule(lan_ip, lan_mask):
if(not test):
port = "80"
os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp')
os.system('/opt/openziti/bin/zfw --ddos-dport-add ' + port)
else:
print("Port forwarding rul not found")

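Review bot: The status returned by `os.system('/opt/openziti/bin/zfw --ddos-dport-add ' + port)` is discarded in all four hunks (add_link_listener_rules, add_controller_edge_listener_rules, add_controller_ctrl_listener_rules, add_controller_port_forwarding_rule), so if zfw rejects the update the port silently stays out of the ddos dport map even though the -I rule on the preceding line was already installed, and per the CHANGELOG hunk that map is what selects the ports protected in ddos_protect mode. I would check it in the same print-on-error style the file already uses: `if os.system('/opt/openziti/bin/zfw --ddos-dport-add ' + port) != 0:` followed by `print('failed to add port ' + port + ' to ddos dport map')`. The shell string is built from `port`, which in the first three hunks has just passed `int(port)` and in the fourth is the literal "80", so the exposure looks bounded, but a `subprocess.run([...])` argument list would make that property explicit rather than incidental. The same two zfw invocations now appear in four functions; a small helper taking lan_ip, lan_mask and port would keep the ddos registration from drifting out of sync with the -I rule. Each enclosing function begins before its hunk.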
