feat: nft_fw_access to manage IP addresses with aw-bpfctl commands to…

… monitor user's traffic Signed-off-by: Dengfeng Liu <[email protected]>
liudf0716 · Feb 7, 2025 · cd6f84d · cd6f84d
1 parent 301a3c1
commit cd6f84d
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 2 deletions.
diff --git a/src/fw_nft.c b/src/fw_nft.c
@@ -805,13 +805,14 @@ nft_fw_del_rule_by_ip_and_mac(const char *ip, const char *mac, const char *chain
 int
 nft_fw_access(fw_access_t type, const char *ip, const char *mac, int tag)
 {
+    char cmd[128] = {0};
     if (is_bypass_mode()) {
         if (!ip) {
             debug(LOG_ERR, "Invalid parameters: ip is NULL");
             return 1;
         }
 
-        char cmd[128] = {0};
+
         switch(type) {
             case FW_ACCESS_ALLOW:
                 snprintf(cmd, sizeof(cmd), "vppctl redirect set auth user %s", ip);
@@ -843,6 +844,9 @@ nft_fw_access(fw_access_t type, const char *ip, const char *mac, int tag)
                 // Add incoming traffic rule with counter
                 nftables_do_command("add rule inet fw4 mangle_postrouting_wifidogx_incoming "
                                 "ip daddr %s counter accept", ip);
+
+                snprintf(cmd, sizeof(cmd), "aw-bpfctl ipv4 add %s", ip);
+                execute(cmd, 0);
             } else if (is_valid_ip6(ip)){
                 nftables_do_command("add rule inet fw4 mangle_prerouting_wifidogx_outgoing "
                                 "ether saddr %s ip6 saddr %s counter mark set 0x20000 accept", 
@@ -851,6 +855,9 @@ nft_fw_access(fw_access_t type, const char *ip, const char *mac, int tag)
                 // Add incoming traffic rule with counter
                 nftables_do_command("add rule inet fw4 mangle_postrouting_wifidogx_incoming "
                                 "ip6 daddr %s counter accept", ip);
+
+                snprintf(cmd, sizeof(cmd), "aw-bpfctl ipv6 add %s", ip);
+                execute(cmd, 0);
             } else {
                 debug(LOG_ERR, "Invalid IP address: %s", ip);
             }
@@ -863,6 +870,16 @@ nft_fw_access(fw_access_t type, const char *ip, const char *mac, int tag)
 
             // Remove client rules from incoming chain
             nft_fw_del_rule_by_ip_and_mac(ip, NULL, "mangle_postrouting_wifidogx_incoming");
+
+            if (is_valid_ip(ip)) {
+                snprintf(cmd, sizeof(cmd), "aw-bpfctl ipv4 del %s", ip);
+                execute(cmd, 0);
+            } else if (is_valid_ip6(ip)) {
+                snprintf(cmd, sizeof(cmd), "aw-bpfctl ipv6 del %s", ip);
+                execute(cmd, 0);
+            } else {
+                debug(LOG_ERR, "Invalid IP address: %s", ip);
+            }
             break;
 
         default:

diff --git a/src/version.h b/src/version.h
@@ -6,5 +6,5 @@
 
 #ifndef _VERSION_
 #define _VERSION_
-#define VERSION "8.02.2377"
+#define VERSION "8.02.2378"
 #endif