/* SPDX-License-Identifier: LGPL-2.1-or-later */

/* <linux/bpf.h> must precede <bpf/bpf_helpers.h> due to integer types
 * in bpf helpers signatures.
 */
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>

const volatile __u8 is_allow_list = 0;

/* Map containing the network interfaces indexes.
 * The interpretation of the map depends on the value of is_allow_list.
 */
struct {
        __uint(type, BPF_MAP_TYPE_HASH);
        __type(key, __u32);
        __type(value, __u8);
} sd_restrictif SEC(".maps");

#define DROP 0
#define PASS 1

static __always_inline int restrict_network_interfaces_impl(const struct __sk_buff *sk) {
        __u32 zero = 0, ifindex;
        __u8 *lookup_result;

        ifindex = sk->ifindex;
        lookup_result = bpf_map_lookup_elem(&sd_restrictif, &ifindex);
        if (is_allow_list) {
                /* allow-list: let the packet pass if iface in the list */
                if (lookup_result)
                        return PASS;
        } else {
            /* deny-list: let the packet pass if iface *not* in the list */
                if (!lookup_result)
                        return PASS;
        }

        return DROP;
}

SEC("cgroup_skb/egress")
int sd_restrictif_e(const struct __sk_buff *sk) {
        return restrict_network_interfaces_impl(sk);
}

SEC("cgroup_skb/ingress")
int sd_restrictif_i(const struct __sk_buff *sk) {
        return restrict_network_interfaces_impl(sk);
}

static const char _license[] SEC("license") = "LGPL-2.1-or-later";