Unify xdp-blocker and xdp-ddos into single xdp-defense project

Chain two XDP programs via libxdp dispatcher on the same interface: xdp_blocker (priority 10) handles CIDR/country/whitelist blocking, xdp_ddos (priority 20) handles rate limiting, EWMA analysis, and AI anomaly detection. Whitelist maps are shared via BPF map pinning so whitelisted IPs bypass both blocklist checks and DDoS rate limiting. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-07 08:39:21 +09:00
commit 1bcaddce25
12 changed files with 3523 additions and 0 deletions
--- a/102
+++ b/102
@@ -0,0 +1,102 @@
+# XDP Defense - Unified XDP Blocker + DDoS Defense
+# Build, install, and manage the integrated XDP defense system
+
+PROJ_DIR := /opt/xdp-defense
+BPF_DIR := $(PROJ_DIR)/bpf
+LIB_DIR := $(PROJ_DIR)/lib
+BIN_DIR := $(PROJ_DIR)/bin
+CFG_DIR := $(PROJ_DIR)/config
+
+INSTALL_BIN := /usr/local/bin
+SYSTEMD_DIR := /etc/systemd/system
+ETC_DIR := /etc/xdp-defense
+DATA_DIR := /var/lib/xdp-defense
+BLOCKER_CFG := /etc/xdp-blocker
+
+CLANG ?= clang
+CLANG_FLAGS := -O2 -g -Wall -target bpf \
+               -I/usr/include -I/usr/include/bpf -I/usr/include/xdp
+
+BPF_OBJECTS := $(BPF_DIR)/xdp_blocker.o $(BPF_DIR)/xdp_ddos.o
+
+.PHONY: all build install uninstall enable disable clean check-deps status
+
+all: build
+
+build: $(BPF_OBJECTS)
+
+$(BPF_DIR)/xdp_blocker.o: $(BPF_DIR)/xdp_blocker.c
+	$(CLANG) $(CLANG_FLAGS) -c $< -o $@
+
+$(BPF_DIR)/xdp_ddos.o: $(BPF_DIR)/xdp_ddos.c
+	$(CLANG) $(CLANG_FLAGS) -c $< -o $@
+
+install: build
+	@echo "Installing XDP Defense..."
+	# Directories
+	install -d $(ETC_DIR)
+	install -d $(DATA_DIR)
+	install -d $(BLOCKER_CFG)/countries
+	install -d $(BLOCKER_CFG)/whitelist
+	# CLI
+	install -m 755 $(BIN_DIR)/xdp-defense $(INSTALL_BIN)/xdp-defense
+	ln -sf $(INSTALL_BIN)/xdp-defense $(INSTALL_BIN)/xdp-block
+	# Startup script
+	install -m 755 $(BIN_DIR)/xdp-startup.sh $(INSTALL_BIN)/xdp-startup
+	# Python libraries
+	install -m 644 $(LIB_DIR)/xdp_common.py $(INSTALL_BIN)/xdp_common.py
+	install -m 755 $(LIB_DIR)/xdp_country.py $(INSTALL_BIN)/xdp-country
+	install -m 755 $(LIB_DIR)/xdp_whitelist.py $(INSTALL_BIN)/xdp-whitelist
+	install -m 755 $(LIB_DIR)/xdp_defense_daemon.py $(INSTALL_BIN)/xdp-defense-daemon
+	# Config (don't overwrite existing)
+	test -f $(ETC_DIR)/config.yaml || install -m 644 $(CFG_DIR)/config.yaml $(ETC_DIR)/config.yaml
+	# Systemd service
+	install -m 644 $(CFG_DIR)/xdp-defense.service $(SYSTEMD_DIR)/xdp-defense.service
+	systemctl daemon-reload
+	@echo ""
+	@echo "Installed successfully."
+	@echo "  CLI:     $(INSTALL_BIN)/xdp-defense"
+	@echo "  Compat:  $(INSTALL_BIN)/xdp-block -> xdp-defense"
+	@echo "  Config:  $(ETC_DIR)/config.yaml"
+	@echo ""
+	@echo "Run 'make enable' to enable on boot."
+
+uninstall:
+	@echo "Uninstalling XDP Defense..."
+	systemctl stop xdp-defense 2>/dev/null || true
+	systemctl disable xdp-defense 2>/dev/null || true
+	rm -f $(INSTALL_BIN)/xdp-defense
+	rm -f $(INSTALL_BIN)/xdp-block
+	rm -f $(INSTALL_BIN)/xdp-startup
+	rm -f $(INSTALL_BIN)/xdp_common.py
+	rm -f $(INSTALL_BIN)/xdp-country
+	rm -f $(INSTALL_BIN)/xdp-whitelist
+	rm -f $(INSTALL_BIN)/xdp-defense-daemon
+	rm -f $(SYSTEMD_DIR)/xdp-defense.service
+	systemctl daemon-reload
+	@echo "Uninstalled. Config preserved in $(ETC_DIR) and $(BLOCKER_CFG)"
+
+enable:
+	systemctl enable xdp-defense
+	@echo "XDP Defense will start on boot"
+
+disable:
+	systemctl disable xdp-defense
+	@echo "XDP Defense will not start on boot"
+
+status:
+	@systemctl status xdp-defense 2>/dev/null || echo "Service not installed"
+
+clean:
+	rm -f $(BPF_DIR)/*.o
+
+check-deps:
+	@echo "Checking dependencies..."
+	@which clang >/dev/null 2>&1 || (echo "ERROR: clang not found" && exit 1)
+	@which bpftool >/dev/null 2>&1 || (echo "ERROR: bpftool not found" && exit 1)
+	@which ip >/dev/null 2>&1 || (echo "ERROR: iproute2 not found" && exit 1)
+	@which python3 >/dev/null 2>&1 || (echo "ERROR: python3 not found" && exit 1)
+	@which xdp-loader >/dev/null 2>&1 || (echo "ERROR: xdp-loader not found (libxdp)" && exit 1)
+	@python3 -c "import yaml" 2>/dev/null || (echo "ERROR: python3-yaml not found" && exit 1)
+	@test -f /usr/include/xdp/xdp_helpers.h || (echo "ERROR: xdp_helpers.h not found" && exit 1)
+	@echo "All dependencies satisfied"