This is a simple XDP firewall written in Rust. It is based on Aya and the project structure generated by aya-template via cargo-generate.

The program loads the eBPF program into the kernel and attaches it to the XDP hook of the specified interface. It then inspects incoming packets and drops any packet that is not allowed by the rules.
- Create a file named `block.list` in the same directory as the binary. This file contains the list of IP addresses that are not allowed to pass through the firewall, one address per line. For example:

  ```sh
  touch block.list
  ```

- Add IP addresses in CIDR format to the `block.list` file:

  ```
  1.1.1.1/32
  192.168.1.1/32
  ```

- Run the binary with `sudo`:

  ```sh
  sudo ./xdp-firewall-rs
  ```
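As an added example (not code from the xdp-firewall-rs repository), the following Rust parses a `block.list` in the CIDR format described above and decides whether a packet's source address falls inside any listed network, which is the check a user-space loader has to get right before handing rules to the kernel side. The `Cidr` type, the function names and the sample lines are my own; the sample mirrors the README's `1.1.1.1/32` and `192.168.1.1/32`.

```rust
// Added example, not part of xdp-firewall-rs: parse block.list entries and
// match a source address against them. Names are this example's own.
use std::net::Ipv4Addr;

/// One block.list entry: network address (host bits cleared) and prefix length.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Cidr {
    pub network: u32,
    pub prefix_len: u8,
}

impl Cidr {
    /// Mask covering the top `prefix_len` bits (0 for /0, all ones for /32).
    fn mask(&self) -> u32 {
        if self.prefix_len == 0 { 0 } else { u32::MAX << (32 - self.prefix_len as u32) }
    }
    /// True if `ip` lies inside this network.
    pub fn contains(&self, ip: Ipv4Addr) -> bool {
        (u32::from(ip) & self.mask()) == self.network
    }
}

/// Parse "a.b.c.d/n"; a bare address is treated as /32. Host bits below the
/// prefix are cleared so that 10.0.0.7/24 is stored as 10.0.0.0/24.
pub fn parse_cidr(s: &str) -> Result<Cidr, String> {
    let (addr, len) = match s.split_once('/') {
        Some((a, l)) => (a, l.parse::<u8>().map_err(|e| format!("{s}: bad prefix: {e}"))?),
        None => (s, 32),
    };
    if len > 32 { return Err(format!("{s}: prefix length > 32")); }
    let ip: Ipv4Addr = addr.parse().map_err(|e| format!("{s}: bad address: {e}"))?;
    let mut c = Cidr { network: u32::from(ip), prefix_len: len };
    c.network &= c.mask();
    Ok(c)
}

/// Parse a whole block.list. Blank lines and '#' comments are ignored; a
/// malformed line aborts the load rather than silently shrinking the list.
pub fn parse_block_list(text: &str) -> Result<Vec<Cidr>, String> {
    text.lines()
        .map(|l| l.split('#').next().unwrap_or("").trim())
        .filter(|l| !l.is_empty())
        .map(parse_cidr)
        .collect()
}

/// Drop decision for a source address: blocked if any rule contains it.
pub fn is_blocked(rules: &[Cidr], ip: Ipv4Addr) -> bool {
    rules.iter().any(|r| r.contains(ip))
}
```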
If you are developing on a Linux machine, you can set up the toolchain as follows:

- Install `rustup` following the instructions on https://rustup.rs/.
- Install a Rust stable toolchain:

  ```sh
  rustup install stable
  ```

- Install a Rust nightly toolchain with the `rust-src` component:

  ```sh
  rustup toolchain install nightly --component rust-src
  ```

- Ensure a C compiler and linker are installed. On Ubuntu, you can install them with:

  ```sh
  sudo apt install build-essential
  sudo apt install pkg-config
  ```

- Install bpf-linker:

  ```sh
  cargo install bpf-linker
  ```
First clone the repository:

```sh
git clone https://github.com/hackerchai/xdp-firewall-rs
cd xdp-firewall-rs
```

Build the eBPF program:

- debug build:

  ```sh
  cargo xtask build-ebpf
  # or you can run
  make build
  ```

- release build:

  ```sh
  cargo xtask build-ebpf --release
  # or you can run
  make release
  ```

Build the userspace program:

- debug build:

  ```sh
  cargo build
  ```

- release build:

  ```sh
  cargo build --release
  ```

Run the firewall (loading an XDP program requires root):

- run the release binary:

  ```sh
  sudo ./target/release/xdp-firewall-rs
  # or you can run
  make run
  ```

- run the debug binary:

  ```sh
  sudo ./target/debug/xdp-firewall-rs
  # or you can run
  make dev
  # or run through xtask with info-level logging
  RUST_LOG=info cargo xtask run
  ```
This program can be cross-compiled on a Mac (Intel or arm64):

```sh
rustup target add x86_64-unknown-linux-musl
brew install FiloSottile/musl-cross/musl-cross
brew install llvm@16
LLVM_SYS_160_PREFIX=$(brew --prefix llvm) cargo install bpf-linker --no-default-features
cargo xtask build-ebpf --release
export CROSSARCH="x86_64"
RUSTFLAGS="-Clinker=${CROSSARCH}-linux-musl-ld -C link-arg=-s" cargo build --release --target=${CROSSARCH}-unknown-linux-musl
```

The cross-compiled binary can be found at `target/x86_64-unknown-linux-musl/release/xdp-firewall-rs`, which can be copied to a Linux server or VM and run there.
This program can also be built in a Docker container:

```sh
docker build -t xdp-firewall-rs .
```

Prepare the `block.list` file and put it in the same directory as the Dockerfile:

```sh
touch block.list
echo "1.1.1.1/32" >> block.list # add IP addresses in CIDR format to the block.list file
```

Then you can run the container with (the container needs `--privileged` to load the eBPF program into the host kernel and attach it to the interface):

```sh
docker run --privileged --user=root --rm -it -v ./block.list:/ebpf/block.list xdp-firewall-rs
```