invert conditionals, removing crazy nesting

Thank you code aesthetic
remove pre-built eBPF programs
2024-05-09 20:17:02 -06:00 · 2024-04-25 21:37:15 -06:00 · 2024-04-25 21:21:27 -06:00 · 2024-04-25 21:16:26 -06:00 · 2024-04-23 22:11:00 -06:00
8 changed files with 84 additions and 22 deletions
--- a/.gitignore
+++ b/.gitignore
@ -3,4 +3,6 @@ hyp.secret
 hypd/hypd
 hyp/hyp
 hypd/hypdconfig.json
-hypd/secrets/
+hypd/secrets/
+hypd/server/*.o
+env.sh
--- a/hypd/examples/fortigate/hypdconfig.json
+++ b/hypd/examples/fortigate/hypdconfig.json
@ -0,0 +1,7 @@
+{
+    "networkInterface": "enp0s3",
+    "preSharedKeyDirectory": "./secrets/",
+    "successAction": "./examples/fortigate/openfortigate.sh %s",
+    "timeoutSeconds": 0,
+    "timeoutAction": ""
+}
--- a/hypd/examples/fortigate/openfortigate.sh
+++ b/hypd/examples/fortigate/openfortigate.sh
@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Make sure you have environment variables set for FORTIGATE_MGMT_URL, FORTIGATE_API_TOKEN and FORTIGATE_ADDRESS_OBJECT_GROUP
+# Examples:
+export FORTIGATE_MGMT_URL="https://69.4.20.10:8443" 
+export FORTIGATE_API_KEY="5fkwkkzgQ4s31bdH60qsxxfN093zgt"
+export FORTIGATE_ADDRESS_OBJECT_GROUP="hyp-allowed-clients"
+
+
+if [ $# -lt 1 ]; then
+    echo "Usage: $0 <srcip>"
+    exit 1
+fi
+
+echo $FORTIGATE_MGMT_URL
+echo $1
+
+# Create the address object
+curl "$FORTIGATE_MGMT_URL/api/v2/cmdb/firewall/address?datasource=1" \
+    -X "POST" \
+    -H "Authorization: Bearer $FORTIGATE_API_KEY" \
+    -H "Content-Type: application/json" \
+    --data-raw "{\"name\":\"hyp_$1\",\"subnet\":\"$1/32\",\"color\":\"0\"}" \
+    --insecure # LOL - remove this if you want, but I want this to be easy for noobs
+
+
+# Add to address object group
+curl "$FORTIGATE_MGMT_URL/api/v2/cmdb/firewall/addrgrp/$FORTIGATE_ADDRESS_OBJECT_GROUP/member" \
+    -X "POST" \
+    -H "Authorization: Bearer $FORTIGATE_API_KEY" \
+    -H "Content-Type: application/json" \
+    --data-raw "{\"name\":\"hyp_$1\"}" \
+    --insecure # And here too
--- a/hypd/examples/openwrt-wireguard/README.md
+++ b/hypd/examples/openwrt-wireguard/README.md
@ -0,0 +1,12 @@
+# Using hyp with OpenWrt Wireguard
+
+This example case is to deploy hypd on OpenWrt to open up access to the WireGuard VPN service.
+
+hyp utilizes eBPF technology to ensure runtime overhead is extremely small (in a way, but in a way not).  Most Linux distributions have support for this out of the box, however OpenWrt does not.  OpenWrt has a very stripped down, purpose-configured kernel and does not have the requirements built in to run hyp.  
+
+The good news is, you can build OpenWrt yourself and configure it with the requirements.  Follow the directions at this page: https://openwrt.org/docs/guide-developer/toolchain/use-buildsystem
+
+When you run *make menuconfig*, make sure you check off *Enable additional BTF type information* which is also known as CONFIG_KERNEL_DEBUG_INFO_BTF.  This is required to support eBPF CO:RE. 
+
+![Kernel Config](https://deadbeef.codes/steven/hyp/raw/branch/main/hypd/examples/openwrt-wireguard/kernel_config.png)
+
--- a/hypd/examples/openwrt-wireguard/kernel_config.png
+++ b/hypd/examples/openwrt-wireguard/kernel_config.png
--- a/hypd/server/hyp_bpf.c
+++ b/hypd/server/hyp_bpf.c
@ -35,32 +35,40 @@ int xdp_prog_func(struct xdp_md *ctx) {

 	// A knock should not contain any data
 	if (data_end - data > 60) { 
-		goto done;
+		return XDP_PASS;
 	}

 	// parse ethernet header
 	struct ethhdr *eth = data;
-	if ((void *)eth + sizeof(*eth) <= data_end) {
-		// parse IP header
-		struct iphdr *ip = data + sizeof(*eth);
-		if ((void *)ip + sizeof(*ip) <= data_end) {
-			if (ip->protocol == IPPROTO_UDP) {
-				// parse UDP header
-				struct udphdr *udp = (void *)ip + sizeof(*ip);
-				if ((void *)udp + sizeof(*udp) <= data_end)
-				{
-					// pack into knock structure and send to userspace
-					struct knock_data knock = {
-						.srcip = bpf_ntohl(ip->saddr),
-						.dstport = bpf_htons(udp->dest),
-						.pad = 0
-					};				
-					bpf_ringbuf_output(&rb, &knock, sizeof(knock), BPF_RB_FORCE_WAKEUP);
-				}
-			}
-		}
+	if ((void *)eth + sizeof(*eth) > data_end) {
+		return XDP_PASS;
 	}
-done:
+
+	// parse IP header
+	struct iphdr *ip = data + sizeof(*eth);
+	if ((void *)ip + sizeof(*ip) > data_end) {
+		return XDP_PASS;
+	}
+
+	// Ensure IP header protocol field is UDP (protocol 17)
+	if (ip->protocol != IPPROTO_UDP) {
+		return XDP_PASS;
+	}
+
+	// parse UDP header
+	struct udphdr *udp = (void *)ip + sizeof(*ip);
+	if ((void *)udp + sizeof(*udp) > data_end) {
+		return XDP_PASS;
+	}
+
+	// pack into knock structure and send to userspace
+	struct knock_data knock = {
+		.srcip = bpf_ntohl(ip->saddr),
+		.dstport = bpf_htons(udp->dest),
+		.pad = 0
+	};				
+	bpf_ringbuf_output(&rb, &knock, sizeof(knock), BPF_RB_FORCE_WAKEUP);
+		
 	// We send everything to XDP_PASS
 	return XDP_PASS;
 }
--- a/hypd/server/hyp_bpf_bpfeb.o
+++ b/hypd/server/hyp_bpf_bpfeb.o
--- a/hypd/server/hyp_bpf_bpfel.o
+++ b/hypd/server/hyp_bpf_bpfel.o
Author	SHA1	Message	Date
Steven Polley	b318bcb3c1	invert conditionals, removing crazy nesting continuous-integration/drone/push Build is passing Details Thank you code aesthetic	2024-05-09 20:17:02 -06:00
Steven Polley	390fabe1b4	remove pre-built eBPF programs continuous-integration/drone/push Build is passing Details	2024-04-25 21:37:15 -06:00
Steven Polley	92f5c579e6	add README.md continuous-integration/drone/push Build is passing Details	2024-04-25 21:21:27 -06:00
Steven Polley	305ba29c50	add openwrt kernel configuration instruction continuous-integration/drone/push Build is passing Details	2024-04-25 21:16:26 -06:00
Steven Polley	f8be95c8d0	add fortinet integration example continuous-integration/drone/push Build is passing Details	2024-04-23 22:11:00 -06:00