From: Eric Leblond <eric@regit.org>
Date: Fri, 1 Dec 2017 19:07:27 +0000 (+0100)
Subject: ebpf: implement vlan filter
X-Git-Tag: suricata-4.1.0-beta1~218
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a2296357927bca505a1ee033f034ae9b186e287d;p=thirdparty%2Fsuricata.git

ebpf: implement vlan filter

Basic filter allowing only a list of VLANs.
---

diff --git a/ebpf/Makefile.am b/ebpf/Makefile.am
index 7e9158be4e..f71767a8d7 100644
--- a/ebpf/Makefile.am
+++ b/ebpf/Makefile.am
@@ -1,6 +1,6 @@
 if BUILD_EBPF
 
-all: lb.bpf filter.bpf bypass_filter.bpf xdp_filter.bpf
+all: lb.bpf filter.bpf bypass_filter.bpf xdp_filter.bpf vlan_filter.bpf
 
 %.bpf: %.c
 	${CC} -Wall -O2 -D__KERNEL__ -D__ASM_SYSREG_H -emit-llvm -c $< -o - | ${LLC} -march=bpf -filetype=obj -o $@
diff --git a/ebpf/vlan_filter.c b/ebpf/vlan_filter.c
new file mode 100644
index 0000000000..f3913d8a8c
--- /dev/null
+++ b/ebpf/vlan_filter.c
@@ -0,0 +1,24 @@
+#include <stdint.h>
+#include <stddef.h>
+#include <linux/bpf.h>
+
+#include "bpf_helpers.h"
+
+#define LINUX_VERSION_CODE 263682
+
+int SEC("filter") hashfilter(struct __sk_buff *skb) {
+    uint16_t vlan_id = skb->vlan_tci & 0x0fff;
+    /* accept VLAN 2 and 4 and drop the rest */
+    switch (vlan_id) {
+        case 2:
+        case 4:
+            return -1;
+        default:
+            return 0;
+    }
+    return 0;
+}
+
+char __license[] SEC("license") = "GPL";
+
+uint32_t __version SEC("version") = LINUX_VERSION_CODE;