https://github.com/gamemann/tc-ingress-ipip-blocker

A simple TC Ingress program that blocks incoming packets based off of the inner IP header's source IP.
https://github.com/gamemann/tc-ingress-ipip-blocker

block bpf ingress ipip linux-tc packet tc traffic-control

Last synced: 7 months ago
JSON representation

A simple TC Ingress program that blocks incoming packets based off of the inner IP header's source IP.

• Host: GitHub
• URL: https://github.com/gamemann/tc-ingress-ipip-blocker
• Owner: gamemann
• Created: 2020-07-22T01:38:40.000Z (about 5 years ago)
• Default Branch: master
• Last Pushed: 2020-07-22T13:56:00.000Z (about 5 years ago)
• Last Synced: 2025-02-28T12:30:03.848Z (7 months ago)
• Topics: block, bpf, ingress, ipip, linux-tc, packet, tc, traffic-control
• Language: C
• Homepage: https://moddingcommunity.com/
• Size: 31.3 KB
• Stars: 13
• Watchers: 2
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

          
# TC Ingress IPIP Blocker

## Description

A simple TC BPF program that attaches to the ingress filter and blocks any IPs stored in the specified file (default is `/etc/IPIPBlock/list.conf`). This program checks the source IP of the inner IP header.

## Usage

Usage is as follows:

```

./IPIPBlock --dev  --list  --time  [--help]

```

Where `` is the interface incoming IPIP packets enter and `` is the file that contains all the IPs to blacklist. The default interface is `ens18` and the default file is `/etc/IPIPBlock/list.conf`. The `` value indicates how often to update the blacklist map from the local file.

**Note** - Comments or characters after an IP in the blacklist file should be fine. I've tested this and there were no changes in behavior compared to nothing being added after an IP per line.

For example, the following works:

```

192.168.90.1

80.4.23.12 # Malicious host (not actually) and this will still block regardless of the comment.

garbage # This never gets processed from what I've seen and is just treated as a garbage value.

```

## Building

You may use `git` and `make` to build this project. For example:

```

git --recursive https://github.com/gamemann/TC-Ingress-IPIP-Blocker.git

cd TC-Ingress-IPIP-Blocker/

make && sudo make install

```

**Note** - Clang and LLVM are required to build this project.

## Credits

* [Christian Deacon](https://www.linkedin.com/in/christian-deacon-902042186/) - Creator