diff --git a/eBPF_Supermarket/Network_Subsystem/net_manager/Makefile b/eBPF_Supermarket/Network_Subsystem/net_manager/Makefile
index 7bbe2ad6b..3f0306b8d 100644
--- a/eBPF_Supermarket/Network_Subsystem/net_manager/Makefile
+++ b/eBPF_Supermarket/Network_Subsystem/net_manager/Makefile
@@ -12,7 +12,7 @@ MAKEFLAGS += --no-print-directory -s
 Q = @
 endif
 
-PROJ := xacl_ip router xacl_mac xstate
+PROJ := xacl_ip router xacl_mac xstate net_manager
 
 
 
diff --git a/eBPF_Supermarket/Network_Subsystem/net_manager/net_manager/Makefile b/eBPF_Supermarket/Network_Subsystem/net_manager/net_manager/Makefile
new file mode 100644
index 000000000..e29a040e9
--- /dev/null
+++ b/eBPF_Supermarket/Network_Subsystem/net_manager/net_manager/Makefile
@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: (GPL-2.0 OR BSD-2-Clause)
+
+XDP_TARGETS  := xdp_prog_kern
+USER_TARGETS := xdp_loader
+
+COMMON_DIR = ../common
+
+# Extend with another COMMON_OBJS
+COMMON_OBJS += $(COMMON_DIR)/common_user_bpf_xdp.o
+
+
+EXTRA_DEPS := $(COMMON_DIR)/parsing_helpers.h
+
+include $(COMMON_DIR)/common.mk
diff --git a/eBPF_Supermarket/Network_Subsystem/net_manager/net_manager/common_kern_user.h b/eBPF_Supermarket/Network_Subsystem/net_manager/net_manager/common_kern_user.h
new file mode 100644
index 000000000..079c3201f
--- /dev/null
+++ b/eBPF_Supermarket/Network_Subsystem/net_manager/net_manager/common_kern_user.h
@@ -0,0 +1,96 @@
+/* This common_kern_user.h is used by kernel side BPF-progs and
+ * userspace programs, for sharing common struct's and DEFINEs.
+ */
+#ifndef __COMMON_KERN_USER_H
+#define __COMMON_KERN_USER_H
+
+#include <linux/bpf.h>
+
+typedef __u32 xdp_act;
+#define ETH_ALEN 6
+
+#define ALERT_ERR_STR "[XACL] ERROR:"
+
+
+#define MAX_RULES 256
+
+
+#ifndef PATH_MAX
+#define PATH_MAX	4096
+#endif
+
+//#define DEBUG_PRINT
+//#define DEBUG_PRINT_EVERY
+
+struct datarec {
+	__u64 rx_packets;
+	__u64 rx_bytes;
+};
+
+struct conn_ipv4 {
+	__u32 saddr;
+	__u32 daddr;
+	__u16 sport;
+	__u16 dport;
+	__u16 ip_proto;
+};
+
+struct rules_ipv4 {
+	__u32 saddr;
+	__u32 daddr;
+	__u8  saddr_mask;
+	__u8  daddr_mask;
+	__u16 sport;
+	__u16 dport;
+	__u16 ip_proto;
+	__u16 action;
+	__u16 prev_rule;
+	__u16 next_rule;
+};
+
+
+// 转发表项
+struct rt_item {
+	__u32 saddr;
+	__u8 eth_source[ETH_ALEN]; // 封装帧的源MAC地址。
+	__u8 eth_dest[ETH_ALEN]; // 封装帧的目标MAC地址。
+};
+
+// mac 过滤
+struct mac_addr {
+    __u8 addr[ETH_ALEN];
+};
+
+
+// 会话保持
+struct conn_ipv4_key {
+	__u32 saddr;
+	__u32 daddr;
+	__u16 sport;
+	__u16 dport;
+	__u16 proto;
+};
+
+struct conn_ipv4_val {
+	__u32 tcp_state;
+	__u32 rid;
+};
+
+enum {
+	TCP_S_NONE = 0U,
+	TCP_S_ESTABLISHED,
+	TCP_S_SYN_SENT,
+	TCP_S_SYN_RECV,
+	TCP_S_FIN_WAIT1,
+	TCP_S_FIN_WAIT2,
+	TCP_S_CLOSE_WAIT,
+	TCP_S_CLOSE,
+};
+
+
+
+#ifndef XDP_ACTION_MAX
+#define XDP_ACTION_MAX (XDP_REDIRECT + 1)
+#endif
+
+#endif /* __COMMON_KERN_USER_H */
diff --git a/eBPF_Supermarket/Network_Subsystem/net_manager/net_manager/conf.d/black_ipv4.conf b/eBPF_Supermarket/Network_Subsystem/net_manager/net_manager/conf.d/black_ipv4.conf
new file mode 100644
index 000000000..730cdf8f6
--- /dev/null
+++ b/eBPF_Supermarket/Network_Subsystem/net_manager/net_manager/conf.d/black_ipv4.conf
@@ -0,0 +1,2 @@
+192.168.207.138/0 192.168.207.177/0 0 0 0 DENY
+192.168.207.129/0 192.168.207.177/0 0 0 0 ALLOW
\ No newline at end of file
diff --git a/eBPF_Supermarket/Network_Subsystem/net_manager/net_manager/conf.d/mac_load.conf b/eBPF_Supermarket/Network_Subsystem/net_manager/net_manager/conf.d/mac_load.conf
new file mode 100644
index 000000000..3b41e21a5
--- /dev/null
+++ b/eBPF_Supermarket/Network_Subsystem/net_manager/net_manager/conf.d/mac_load.conf
@@ -0,0 +1,2 @@
+00:0c:29:dd:17:2c DENY
+00:0c:29:fd:69:58 DENY
\ No newline at end of file
diff --git a/eBPF_Supermarket/Network_Subsystem/net_manager/net_manager/conf.d/router_load.conf b/eBPF_Supermarket/Network_Subsystem/net_manager/net_manager/conf.d/router_load.conf
new file mode 100644
index 000000000..ac552338c
--- /dev/null
+++ b/eBPF_Supermarket/Network_Subsystem/net_manager/net_manager/conf.d/router_load.conf
@@ -0,0 +1,2 @@
+0.0.0.0 00:0c:29:7b:a6:d9 00:0c:29:fd:69:58
+1.2.3.4 00:0c:29:7b:a6:d9 00:0c:29:dd:17:2c
\ No newline at end of file
diff --git a/eBPF_Supermarket/Network_Subsystem/net_manager/net_manager/xdp_loader.c b/eBPF_Supermarket/Network_Subsystem/net_manager/net_manager/xdp_loader.c
new file mode 100644
index 000000000..78c70ee66
--- /dev/null
+++ b/eBPF_Supermarket/Network_Subsystem/net_manager/net_manager/xdp_loader.c
@@ -0,0 +1,817 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+static const char *__doc__ = "XDP loader\n"
+	" - Allows selecting BPF program --progname name to XDP-attach to --dev\n"
+	" - Collects and displays stats from XDP program\n";
+
+#include <arpa/inet.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <getopt.h>
+
+#include <locale.h>
+#include <unistd.h>
+#include <time.h>
+
+#include <bpf/bpf.h>
+#include <bpf/libbpf.h>
+#include <xdp/libxdp.h>
+
+#include <net/if.h>
+#include <linux/if_link.h> /* depend on kernel-headers installed */
+
+#include "../common/common_params.h"
+#include "../common/common_user_bpf_xdp.h"
+#include "../common/common_libbpf.h"
+#include "common_kern_user.h"
+
+static const char *default_filename = "xdp_prog_kern.o";
+static const char *default_progname = "xdp_entry_state";
+
+static const struct option_wrapper long_options[] = {
+
+	{{"help",        no_argument,		NULL, 'h' },
+	 "Show help", false},
+
+	{{"dev",         required_argument,	NULL, 'd' },
+	 "Operate on device <ifname>", "<ifname>", true},
+
+	{{"skb-mode",    no_argument,		NULL, 'S' },
+	 "Install XDP program in SKB (AKA generic) mode"},
+
+	{{"native-mode", no_argument,		NULL, 'N' },
+	 "Install XDP program in native mode"},
+
+	{{"auto-mode",   no_argument,		NULL, 'A' },
+	 "Auto-detect SKB or native mode"},
+
+	{{"force",       no_argument,		NULL, 'F' },
+	 "Force install, replacing existing program on interface"},
+
+	{{"unload",      no_argument,		NULL, 'U' },
+	 "Unload XDP program instead of loading"},
+
+	{{"quiet",       no_argument,		NULL, 'q' },
+	 "Quiet mode (no output)"},
+
+	{{"progname",    required_argument,	NULL,  2  },
+	 "Load program from function <name> in the ELF file", "<name>"},
+
+	{{"stats",       no_argument,       NULL, 't' },
+	 "Show XDP stats"},
+
+	{{"ip-filter",   no_argument,       NULL, 'i' },
+	 "ip_filter"},
+
+	{{"mac_filter",  no_argument,       NULL, 'm' },
+	 "mac_filter"},
+
+	{{"router",      no_argument,       NULL, 'k' },
+	 "package_router"},
+	
+	{{"clear",       no_argument,       NULL, 'n' },
+	 "clear_map"},
+	
+	{{0, 0, NULL,  0 }, NULL, false}
+};
+
+#ifndef PATH_MAX
+#define PATH_MAX	4096
+#endif
+
+const char *pin_basedir =  "/sys/fs/bpf";
+const char *map_name    =  "xdp_stats_map";
+char pin_dir[PATH_MAX];
+char map_filename[PATH_MAX];
+
+
+static void list_avail_progs(struct bpf_object *obj)
+{
+	struct bpf_program *pos;
+
+	printf("BPF object (%s) listing available XDP functions\n",
+	       bpf_object__name(obj));
+
+	bpf_object__for_each_program(pos, obj) {
+		if (bpf_program__type(pos) == BPF_PROG_TYPE_XDP)
+			printf(" %s\n", bpf_program__name(pos));
+	}
+}
+
+
+#define NANOSEC_PER_SEC 1000000000 /* 10^9 */
+static __u64 gettime(void)
+{
+	struct timespec t;
+	int res;
+
+	res = clock_gettime(CLOCK_MONOTONIC, &t);
+	if (res < 0) {
+		fprintf(stderr, "Error with gettimeofday! (%i)\n", res);
+		exit(EXIT_FAIL);
+	}
+	return (__u64) t.tv_sec * NANOSEC_PER_SEC + t.tv_nsec;
+}
+
+struct record {
+	__u64 timestamp;
+	struct datarec total; /* defined in common_kern_user.h */
+};
+
+struct stats_record {
+	struct record stats[XDP_ACTION_MAX];
+};
+
+static double calc_period(struct record *r, struct record *p)
+{
+	double period_ = 0;
+	__u64 period = 0;
+
+	period = r->timestamp - p->timestamp;
+	if (period > 0)
+		period_ = ((double) period / NANOSEC_PER_SEC);
+
+	return period_;
+}
+
+static void stats_print_header()
+{
+	/* Print stats "header" */
+	printf("%-12s\n", "XDP-action");
+}
+
+static void stats_print(struct stats_record *stats_rec,
+			struct stats_record *stats_prev)
+{
+	struct record *rec, *prev;
+	__u64 packets, bytes;
+	double period;
+	double pps; /* packets per sec */
+	double bps; /* bits per sec */
+	int i;
+
+	stats_print_header(); /* Print stats "header" */
+
+	/* Print for each XDP actions stats */
+	for (i = 0; i < XDP_ACTION_MAX; i++)
+	{
+		char *fmt = "%-12s %'11lld pkts (%'10.0f pps)"
+			" %'11lld Kbytes (%'6.0f Mbits/s)"
+			" period:%f\n";
+		const char *action = action2str(i);
+
+		rec  = &stats_rec->stats[i];
+		prev = &stats_prev->stats[i];
+
+		period = calc_period(rec, prev);
+		if (period == 0)
+		       return;
+
+		packets = rec->total.rx_packets - prev->total.rx_packets;
+		pps     = packets / period;
+
+		bytes   = rec->total.rx_bytes   - prev->total.rx_bytes;
+		bps     = (bytes * 8)/ period / 1000000;
+
+		printf(fmt, action, rec->total.rx_packets, pps,
+		       rec->total.rx_bytes / 1000 , bps,
+		       period);
+	}
+	printf("\n");
+}
+
+
+/* BPF_MAP_TYPE_ARRAY */
+void map_get_value_array(int fd, __u32 key, struct datarec *value)
+{
+	if ((bpf_map_lookup_elem(fd, &key, value)) != 0) {
+		fprintf(stderr,
+			"ERR: bpf_map_lookup_elem failed key:0x%X\n", key);
+	}
+}
+
+/* BPF_MAP_TYPE_PERCPU_ARRAY */
+void map_get_value_percpu_array(int fd, __u32 key, struct datarec *value)
+{
+	/* For percpu maps, userspace gets a value per possible CPU */
+	unsigned int nr_cpus = libbpf_num_possible_cpus();
+	struct datarec values[nr_cpus];
+	__u64 sum_bytes = 0;
+	__u64 sum_pkts = 0;
+	int i;
+
+	if ((bpf_map_lookup_elem(fd, &key, values)) != 0) {
+		fprintf(stderr,
+			"ERR: bpf_map_lookup_elem failed key:0x%X\n", key);
+		return;
+	}
+
+	/* Sum values from each CPU */
+	for (i = 0; i < nr_cpus; i++) {
+		sum_pkts  += values[i].rx_packets;
+		sum_bytes += values[i].rx_bytes;
+	}
+	value->rx_packets = sum_pkts;
+	value->rx_bytes   = sum_bytes;
+}
+
+static bool map_collect(int fd, __u32 map_type, __u32 key, struct record *rec)
+{
+	struct datarec value;
+
+	/* Get time as close as possible to reading map contents */
+	rec->timestamp = gettime();
+
+	switch (map_type) {
+	case BPF_MAP_TYPE_ARRAY:
+		map_get_value_array(fd, key, &value);
+		break;
+	case BPF_MAP_TYPE_PERCPU_ARRAY:
+		map_get_value_percpu_array(fd, key, &value);
+		break;
+	default:
+		fprintf(stderr, "ERR: Unknown map_type(%u) cannot handle\n",
+			map_type);
+		return false;
+		break;
+	}
+
+	rec->total.rx_packets = value.rx_packets;
+	rec->total.rx_bytes   = value.rx_bytes;
+	return true;
+}
+
+static void stats_collect(int map_fd, __u32 map_type,
+			  struct stats_record *stats_rec)
+{
+	/* Collect all XDP actions stats  */
+	__u32 key;
+
+	for (key = 0; key < XDP_ACTION_MAX; key++) {
+		map_collect(map_fd, map_type, key, &stats_rec->stats[key]);
+	}
+}
+
+static void stats_poll(int map_fd, __u32 map_type, int interval)
+{
+	struct stats_record prev, record = { 0 };
+
+	/* Trick to pretty printf with thousands separators use %' */
+	setlocale(LC_NUMERIC, "en_US");
+
+	/* Get initial reading quickly */
+	stats_collect(map_fd, map_type, &record);
+	usleep(1000000/4);
+
+	while (1) {
+		prev = record; /* struct copy */
+		stats_collect(map_fd, map_type, &record);
+		stats_print(&record, &prev);
+		sleep(interval);
+	}
+}
+
+
+
+int unpin_maps(struct bpf_object *bpf_obj)
+{
+	int err;
+	/* Existing/previous XDP prog might not have cleaned up */
+	if (access(map_filename, F_OK ) != -1 ) {
+		if (verbose)
+			printf(" - Unpinning (remove) prev maps in %s/\n",
+			       pin_dir);
+
+		/* Basically calls unlink(3) on map_filename */
+		err = bpf_object__unpin_maps(bpf_obj, pin_dir);
+		if (err) {
+			fprintf(stderr, "ERR: UNpinning maps in %s\n", pin_dir);
+			return EXIT_FAIL_BPF;
+		}
+	}
+	return 0;
+}
+
+/* Pinning maps under /sys/fs/bpf in subdir */
+int pin_maps_in_bpf_object(struct bpf_object *bpf_obj)
+{
+	int err;
+	unpin_maps(bpf_obj);
+	if (verbose)
+		printf(" - Pinning maps in %s/\n", pin_dir);
+
+	/* This will pin all maps in our bpf_object */
+	err = bpf_object__pin_maps(bpf_obj, pin_dir);
+	if (err)
+		return EXIT_FAIL_BPF;
+
+	return 0;
+}
+
+
+char *ifname;
+int rules_ipv4_map;
+int rtcache_map4;
+int src_macs;
+
+int print_usage(int id){
+    switch(id){
+        case 0:
+            fprintf(stderr, "Usage: <command> <arg1> <arg2>\n");
+            break;
+        default:
+            break;
+    };
+
+    return 0;
+}
+
+
+int open_map(const char *ifname, const char *map_name){
+    int len;
+    char pin_dir[PATH_MAX];
+    const char *pin_basedir =  "/sys/fs/bpf";
+    struct bpf_map_info info = { 0 };
+
+    /* Use the --dev name as subdir for finding pinned maps */
+    len = snprintf(pin_dir, PATH_MAX, "%s/%s", pin_basedir, ifname);
+    if (len < 0) {
+        fprintf(stderr, "ERR: creating pin dirname\n");
+        return -1;
+    }
+
+    int fd = open_bpf_map_file(pin_dir, map_name, &info);
+    if (fd < 0) {
+        fprintf(stderr, "ERR: Failed to open map file: %s\n", map_name);
+        return -1;
+    }
+    printf("Opened BPF map\n");
+    printf(" - BPF map (bpf_map_type:%d) fd: %d id:%d name:%s"
+           " key_size:%d value_size:%d max_entries:%d\n",
+           info.type, fd, info.id, info.name,
+           info.key_size, info.value_size, info.max_entries);
+
+    return fd;
+}
+
+
+int load_bpf_map(){
+    rules_ipv4_map = open_map(ifname, "rules_ipv4_map");
+    rtcache_map4 = open_map(ifname, "rtcache_map4");
+    src_macs = open_map(ifname, "src_macs");
+
+    // Check if any map failed to open
+    if (rules_ipv4_map < 0) {
+        fprintf(stderr, "Failed to open rules_ipv4_map\n");
+    }
+    if (rtcache_map4 < 0) {
+        fprintf(stderr, "Failed to open rtcache_map4\n");
+    }
+    if (src_macs < 0) {
+        fprintf(stderr, "Failed to open src_macs\n");
+    }
+
+    if (rules_ipv4_map < 0 || rtcache_map4 < 0 || src_macs < 0) {
+        fprintf(stderr, "load bpf map error, check device name\n");
+        return -1;
+    }
+
+    return 0;
+}
+
+
+static __u32 ip_to_u32(__u8 *ip_u8) {
+    __u32 ip_u32 = 0;
+    ip_u32 = (ip_u8[0]<<24) | (ip_u8[1]<<16) | (ip_u8[2]<<8) | (ip_u8[3]);
+    //printf("%hhu.%hhu.%hhu.%hhu,%u\n",ip_u8[0],ip_u8[1],ip_u8[2],ip_u8[3],ip_u32);
+    return ip_u32;
+}
+
+int clear_map(){
+    __u16 keys[MAX_RULES];
+    for(int i=0; i<MAX_RULES; i++){
+        keys[i] = i;
+    }
+
+    DECLARE_LIBBPF_OPTS(bpf_map_batch_opts, opts,
+		.elem_flags = 0,
+		.flags = 0,
+	);
+
+    __u32 count = MAX_RULES - 1;
+
+    bpf_map_delete_batch(rules_ipv4_map, &keys, &count, &opts);
+    bpf_map_delete_batch(rtcache_map4, &keys, &count, &opts);
+    bpf_map_delete_batch(src_macs, &keys, &count, &opts);
+
+    return count;
+}
+
+
+int load_handler_router(int argc, char *argv[]){
+    if(argc < 1){
+        print_usage(1);
+        return EXIT_FAILURE;
+    }
+
+    char *path = argv[0];
+    printf("loading config file:%s\n",path);
+    
+    FILE *file = fopen(path, "r");
+    if (file == NULL) {
+        perror("Error opening file");
+        return 1;
+    }
+
+
+    __u32 keys[MAX_RULES];
+    struct rt_item rules[MAX_RULES];
+
+    __u32 i = 0;
+    keys[0] = 0;
+    char line[MAX_RULES];
+
+    while (fgets(line, sizeof(line), file) != NULL) {
+        line[strcspn(line, "\n")] = '\0';
+
+        __u8 saddr[4];
+        __u8 eth_source[ETH_ALEN];
+        __u8 eth_dest[ETH_ALEN];
+        
+
+        sscanf(line, "%hhu.%hhu.%hhu.%hhu %hhx:%hhx:%hhx:%hhx:%hhx:%hhx %hhx:%hhx:%hhx:%hhx:%hhx:%hhx" ,
+            &saddr[0] ,&saddr[1] ,&saddr[2] ,&saddr[3],
+            &eth_source[0], &eth_source[1], &eth_source[2], &eth_source[3], &eth_source[4], &eth_source[5], 
+            &eth_dest[0], &eth_dest[1], &eth_dest[2], &eth_dest[3], &eth_dest[4], &eth_dest[5]);
+
+        rules[i].saddr = ip_to_u32(saddr);
+        memcpy(rules[i].eth_source, eth_source, ETH_ALEN);
+        memcpy(rules[i].eth_dest, eth_dest, ETH_ALEN);
+
+        keys[i] = i;
+        i += 1;
+       
+    } 
+    printf("%d rules loaded\n",i);
+
+    DECLARE_LIBBPF_OPTS(bpf_map_batch_opts, opts,
+		.elem_flags = 0,
+		.flags = 0,
+	);
+    clear_map();
+
+    bpf_map_update_batch(rtcache_map4, keys, rules, &i, &opts);
+    return 0;  
+}
+
+
+int load_handler_ipv4(int argc, char *argv[]){
+    if(argc < 1){
+        print_usage(1);
+        return EXIT_FAILURE;
+    }
+
+    char *path = argv[0];
+    printf("loading config file:%s\n",path);
+    
+    FILE *file = fopen(path, "r");
+    if (file == NULL) {
+        perror("Error opening file");
+        return 1;
+    }
+
+    __u16 keys[MAX_RULES];
+    struct rules_ipv4 rules[MAX_RULES];
+
+    __u32 i = 1;
+    keys[0] = 0;
+    char line[256];
+    while (fgets(line, sizeof(line), file) != NULL) {
+        line[strcspn(line, "\n")] = '\0';
+
+        __u8 saddr[4];
+        __u8 daddr[4];
+        char proto[10];
+        char action[10];
+        sscanf(line, "%hhu.%hhu.%hhu.%hhu/%hhu %hhu.%hhu.%hhu.%hhu/%hhu %hu %hu %s %s",
+           &saddr[0] ,&saddr[1] ,&saddr[2] ,&saddr[3] ,&rules[i].saddr_mask, 
+           &daddr[0] ,&daddr[1] ,&daddr[2] ,&daddr[3] ,&rules[i].daddr_mask, 
+           &rules[i].sport, &rules[i].dport, proto, action);
+
+        rules[i].saddr = ip_to_u32(saddr);
+        rules[i].daddr = ip_to_u32(daddr);
+
+        if(strcmp("TCP", proto) == 0){
+            rules[i].ip_proto = IPPROTO_TCP;
+        }else if(strcmp("UDP", proto) == 0){
+            rules[i].ip_proto = IPPROTO_UDP;
+        }else if(strcmp("ICMP", proto) == 0){
+            rules[i].ip_proto = IPPROTO_ICMP;
+        }else{
+            rules[i].ip_proto = 0;
+        }
+
+        if(strcmp("ALLOW", action) == 0){
+            rules[i].action = XDP_PASS;
+        }else if(strcmp("DENY", action) == 0){
+            rules[i].action = XDP_DROP;
+        }else{
+            rules[i].action = XDP_ABORTED;
+        }
+
+        rules[i-1].next_rule = i;
+        rules[i].prev_rule = i - 1;
+        rules[i].next_rule = 0;
+        keys[i] = i;
+
+        i += 1;
+    }
+    printf("%d rules loaded\n",i-1);
+    rules[0].prev_rule = i - 1;
+
+    DECLARE_LIBBPF_OPTS(bpf_map_batch_opts, opts,
+		.elem_flags = 0,
+		.flags = 0,
+	);
+    clear_map();
+    // 使用 libbpf 库中的 bpf_map_update_batch 函数批量更新 BPF 映射。
+    // 这个函数用于一次性更新多个键值对，以提高效率。
+
+    // rules_ipv4_map: 要更新的 BPF 映射的文件描述符（FD）。
+    // keys: 包含要更新的键（key）的数组。
+    // rules: 包含要更新的值的数组。
+    // &i: 这是一个指向整数的指针，表示要更新的键值对的数量。在调用函数后，该整数将包含实际更新的键值对数量。
+    // &opts: 用于配置更新选项的结构体，这里是通过 DECLARE_LIBBPF_OPTS 宏声明并初始化的。
+
+    // 在这里，代码中的 bpf_map_update_batch 操作的目的是将多个键值对一次性更新到 BPF 映射中。
+    // 这样可以通过一次系统调用来完成多个更新操作，提高了效率。
+
+    bpf_map_update_batch(rules_ipv4_map, keys, rules, &i, &opts);
+
+    return 0;   
+}
+
+
+int load_handler_mac(int argc, char *argv[]){
+    if(argc < 1){
+        print_usage(1);
+        return EXIT_FAILURE;
+    }
+
+    char *path = argv[0];
+    printf("loading config file:%s\n",path);
+    
+    FILE *file = fopen(path, "r");
+    if (file == NULL) {
+        perror("Error opening file");
+        return 1;
+    }
+
+
+    //__u64 src_mac_u64;
+    __u32 action_mac;
+    char line[256];
+
+    clear_map();
+    while (fgets(line, sizeof(line), file) != NULL) {
+        line[strcspn(line, "\n")] = '\0';
+
+        __u8 src_mac[6];
+        char action[10];
+        sscanf(line, "%hhx:%hhx:%hhx:%hhx:%hhx:%hhx %s",
+           &src_mac[0], &src_mac[1], &src_mac[2], &src_mac[3], &src_mac[4], &src_mac[5],
+           action);
+
+        //src_mac_u64 = mac_to_u64(src_mac);
+        printf("MAC: %02x:%02x:%02x:%02x:%02x:%02x, Action: %s\n",
+                          src_mac[0], src_mac[1], src_mac[2],
+                          src_mac[3], src_mac[4], src_mac[5], action);
+
+        if(strcmp("ALLOW", action) == 0){
+            action_mac = XDP_PASS;
+        }else if(strcmp("DENY", action) == 0){
+            action_mac = XDP_DROP;
+        }else{
+            action_mac = XDP_ABORTED;
+        }
+
+        bpf_map_update_elem(src_macs, src_mac, &action_mac, BPF_ANY);
+    }
+    
+
+    return 0;   
+}
+
+
+int clear_handler(int argc, char *argv[]){
+    int ret = clear_map();
+    printf("%d rules are cleared\n", ret-1);
+    return 0;
+}
+
+
+
+int main(int argc, char **argv)
+{
+	int i;
+	int map_fd;
+	struct bpf_object *obj;
+	struct xdp_program *program;  // XDP程序对象指针
+	struct bpf_map_info map_expect = { 0 };
+	struct bpf_map_info info = { 0 };
+	int stats_map_fd;
+	int interval = 2;
+	int err;  // 错误码
+	int len;  // 字符串长度
+	char errmsg[1024];  // 错误消息字符串
+
+
+	// 配置结构体，包括XDP模式、接口索引、是否卸载程序以及程序名称等信息
+	struct config cfg = {
+		.attach_mode = XDP_MODE_NATIVE,
+		.ifindex     = -1,
+		//.redirect_ifindex   = -1,
+		.do_unload   = false,
+		.ip_filter   = false,       //ip过滤
+		.mac_filter  = false,       //mac过滤
+	    .router      = false,       //路由
+	    .state       = false,       //会话保持
+	    .clear       = false,       //清理
+	};
+	/* Set default BPF-ELF object file and BPF program name */
+	// 设置默认的BPF ELF对象文件名和BPF程序名称
+	strncpy(cfg.filename, default_filename, sizeof(cfg.filename));
+	strncpy(cfg.progname,  default_progname,  sizeof(cfg.progname));
+	/* Cmdline options can change progname */
+	// 解析命令行参数，可能会修改程序名称等配置信息
+	parse_cmdline_args(argc, argv, long_options, &cfg, __doc__);
+
+	/* Required option */
+	// 检查是否提供了必需的选项
+	if (cfg.ifindex == -1) {
+		fprintf(stderr, "ERR: required option --dev missing\n\n");
+		usage(argv[0], __doc__, long_options, (argc == 1));
+		return EXIT_FAIL_OPTION;
+	}
+
+	if (cfg.show_stats) {
+		/* Use the --dev name as subdir for finding pinned maps */
+		len = snprintf(pin_dir, PATH_MAX, "%s/%s", pin_basedir, cfg.ifname);
+		if (len < 0) {
+			fprintf(stderr, "ERR: creating pin dirname\n");
+			return EXIT_FAIL_OPTION;
+		}
+
+		stats_map_fd = open_bpf_map_file(pin_dir, "xdp_stats_map", &info);
+		if (stats_map_fd < 0) {
+			return EXIT_FAIL_BPF;
+		}
+
+		/* check map info, e.g. datarec is expected size */
+		map_expect.key_size    = sizeof(__u32);
+		map_expect.value_size  = sizeof(struct datarec);
+		map_expect.max_entries = XDP_ACTION_MAX;
+		err = check_map_fd_info(&info, &map_expect);
+		if (err) {
+			fprintf(stderr, "ERR: map via FD not compatible\n");
+			return err;
+		}
+		if (verbose) {
+			printf("\nCollecting stats from BPF map\n");
+			printf(" - BPF map (bpf_map_type:%d) id:%d name:%s"
+			       " key_size:%d value_size:%d max_entries:%d\n",
+			       info.type, info.id, info.name,
+			       info.key_size, info.value_size, info.max_entries
+			       );
+		}
+
+		stats_poll(stats_map_fd, info.type, interval);
+		return EXIT_OK;
+	}
+
+
+	/* Generate pin_dir & map_filename string */
+	// 生成pin目录和映射文件名字符串
+	len = snprintf(pin_dir, PATH_MAX, "%s/%s", pin_basedir, cfg.ifname);
+	if (len < 0) {
+		fprintf(stderr, "ERR: creating pin dirname\n");
+		return EXIT_FAIL_OPTION;
+	}
+	len = snprintf(map_filename, PATH_MAX, "%s/%s/%s",
+		       pin_basedir, cfg.ifname, map_name);
+	if (len < 0) {
+		fprintf(stderr, "ERR: creating map_name\n");
+		return EXIT_FAIL_OPTION;
+	}
+
+	// 加载BPF程序并将其附加到XDP
+	DECLARE_LIBBPF_OPTS(bpf_object_open_opts, bpf_opts);
+    obj = bpf_object__open_file(cfg.filename, &bpf_opts);
+    err = libbpf_get_error(obj);
+    if (err) {
+        libxdp_strerror(err, errmsg, sizeof(errmsg));
+        fprintf(stderr, "Couldn't open BPF object file %s: %s\n",
+            cfg.filename, errmsg);
+            return err;
+    }
+
+
+	if (verbose)
+		list_avail_progs(obj);
+	
+	DECLARE_LIBXDP_OPTS(xdp_program_opts, xdp_opts,
+                            .obj = obj,
+                            .prog_name = cfg.progname);
+	program = xdp_program__create(&xdp_opts);
+	err = libxdp_get_error(program);
+	if (err) {
+		libxdp_strerror(err, errmsg, sizeof(errmsg));
+		fprintf(stderr, "ERR: loading program %s: %s\n", cfg.progname, errmsg);
+		exit(EXIT_FAIL_BPF);
+	}
+
+	err = xdp_program__attach(program, cfg.ifindex, cfg.attach_mode, 0);
+	if (err) {
+		perror("xdp_program__attach");
+		exit(err);
+	}
+
+	/* do unload */
+	// 如果指定了卸载选项，则执行卸载操作
+	if (cfg.do_unload) {
+		unpin_maps(xdp_program__bpf_obj(program));  // 解除BPF程序固定的映射
+		err = do_unload(&cfg);
+		if (err) {
+			libxdp_strerror(err, errmsg, sizeof(errmsg));
+			fprintf(stderr, "Couldn't unload XDP program %s: %s\n",
+				cfg.progname, errmsg);  // 打印卸载错误消息
+			return err;
+		}
+
+		printf("Success: Unloading XDP prog name: %s\n", cfg.progname);
+		return EXIT_OK;; 
+	}
+
+	// 如果启用了详细模式，则打印加载的BPF对象文件和程序名称，以及附加的XDP程序的设备信息
+	if (verbose) {
+		printf("Success: Loaded BPF-object(%s) and used program(%s)\n",
+		       cfg.filename, cfg.progname);
+		printf(" - XDP prog attached on device:%s(ifindex:%d)\n",
+		       cfg.ifname, cfg.ifindex);
+	}
+
+	/* Use the --dev name as subdir for exporting/pinning maps */
+	// 使用--dev名称作为子目录来导出/固定映射
+	err = pin_maps_in_bpf_object(xdp_program__bpf_obj(program));
+	if (err) {
+		fprintf(stderr, "ERR: pinning maps\n");
+		return err;
+	}
+
+	ifname = argv[2];
+
+	// 根据不同的选项加载不同的配置文件
+    if (cfg.ip_filter) {
+		load_bpf_map();
+        err = load_handler_ipv4(argc - 3, argv + 6);
+        if (err) {
+            fprintf(stderr, "ERR: loading IP filter config file\n");
+            return err;
+        }
+    } else if (cfg.mac_filter) {
+		load_bpf_map();
+        err = load_handler_mac(argc - 3, argv + 6);
+        if (err) {
+            fprintf(stderr, "ERR: loading MAC filter config file\n");
+            return err;
+        }
+    } else if (cfg.router) {
+		load_bpf_map();
+        err = load_handler_router(argc - 3, argv + 6);
+        if (err) {
+            fprintf(stderr, "ERR: loading router config file\n");
+            return err;
+        }
+    } else if (cfg.clear) {
+		load_bpf_map();
+        err = clear_handler(argc - 3, argv + 6);
+        if (err) {
+            fprintf(stderr, "ERR: clearing maps\n");
+            return err;
+        }
+    }
+
+
+
+	map_fd = open_bpf_map_file(pin_dir, "tx_port", NULL);
+	if (map_fd < 0) {
+		return EXIT_FAIL_BPF;
+	}
+
+	i = 0;
+	bpf_map_update_elem(map_fd, &i, &cfg.ifindex, 0);	
+	printf("redirect from ifnum=%d to ifnum=%d\n", cfg.ifindex, cfg.ifindex);
+	return EXIT_OK;
+}
diff --git a/eBPF_Supermarket/Network_Subsystem/net_manager/net_manager/xdp_prog_kern.c b/eBPF_Supermarket/Network_Subsystem/net_manager/net_manager/xdp_prog_kern.c
new file mode 100644
index 000000000..6933463d6
--- /dev/null
+++ b/eBPF_Supermarket/Network_Subsystem/net_manager/net_manager/xdp_prog_kern.c
@@ -0,0 +1,710 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#include <linux/bpf.h>
+#include <linux/in.h>
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_endian.h>
+
+#include "common_kern_user.h" 
+#include "../common/parsing_helpers.h"
+
+
+
+#ifndef memcpy
+#define memcpy(dest, src, n) __builtin_memcpy((dest), (src), (n))
+#endif
+
+//重定义
+#undef AF_INET
+#define AF_INET 2
+#undef AF_INET6
+#define AF_INET6 10
+#define IPV6_FLOWINFO_MASK bpf_htonl(0x0FFFFFFF)
+
+// 数据包统计
+struct {
+	__uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
+	__type(key, __u32);
+	__type(value, struct datarec);
+	__uint(max_entries, XDP_ACTION_MAX);
+} xdp_stats_map SEC(".maps");
+
+// ipv4—filter
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__type(key, __u16);
+	__type(value, struct rules_ipv4);
+	__uint(max_entries, MAX_RULES);
+} rules_ipv4_map SEC(".maps");
+
+
+// router
+struct {
+	__uint(type, BPF_MAP_TYPE_DEVMAP);
+	__type(key, int);
+	__type(value, int);
+	__uint(max_entries, 256);
+} tx_port SEC(".maps");
+
+// 路由转发表缓存
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__type(key, __u32);
+	__type(value, struct rt_item);
+	__uint(max_entries, MAX_RULES);
+} rtcache_map4 SEC(".maps");
+
+
+/*filter-pass-drop*/
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__type(key, ETH_ALEN);
+	__type(value, __u32);
+	__uint(max_entries, MAX_RULES);
+} src_macs SEC(".maps");
+
+
+// 会话保持
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__type(key, struct conn_ipv4_key);
+	__type(value, struct conn_ipv4_val);
+	__uint(max_entries, MAX_RULES);
+} conn_ipv4_map SEC(".maps");
+
+
+static __always_inline
+__u32 xdp_stats_record_action(struct xdp_md *ctx, __u32 action)
+{
+	void *data_end = (void *)(long)ctx->data_end;
+	void *data     = (void *)(long)ctx->data;
+
+	if (action >= XDP_ACTION_MAX)
+		return XDP_ABORTED;
+
+	/* Lookup in kernel BPF-side return pointer to actual data record */
+	struct datarec *rec = bpf_map_lookup_elem(&xdp_stats_map, &action);
+	if (!rec)
+		return XDP_ABORTED;
+
+	/* Calculate packet length */
+	__u64 bytes = data_end - data;
+
+	/* BPF_MAP_TYPE_PERCPU_ARRAY returns a data record specific to current
+	 * CPU and XDP hooks runs under Softirq, which makes it safe to update
+	 * without atomic operations.
+	 */
+	rec->rx_packets++;
+	rec->rx_bytes += bytes;
+
+	return action;
+}
+
+
+/*会话保持功能*/
+
+// 定义一个始终内联的辅助函数，用于交换连接键中的源和目的地址以及端口号
+static __always_inline
+int swap_conn_src_dst(struct conn_ipv4_key *conn)
+{
+	 // 交换源和目的 IPv4 地址
+	{	
+		__u32 tmp = conn->daddr;
+		conn->daddr = conn->saddr;
+		conn->saddr = tmp;
+	}
+
+	// 交换源和目的端口号
+	{
+		__u16 tmp = conn->sport;
+		conn->sport = conn->dport;
+		conn->dport = tmp;
+	}
+
+	return 0;
+}
+
+
+// 全局变量，用于循环轮询的循环计数器
+int rr = 0;
+
+// 定义一个始终内联的辅助函数，用于获取轮询循环计数器的值
+static __always_inline
+int get_rs_rr(){
+
+	// 如果循环计数器超过 6，则重置为 0
+	if(rr >= 6){
+		rr = 0;
+	}
+
+	// 自增循环计数器并返回其当前值
+	rr++;
+	return rr;
+}
+
+/*路由功能*/
+
+/* from include/net/ip.h */
+static __always_inline int ip_decrease_ttl(struct iphdr *iph)
+{
+	__u32 check = iph->check;
+	check += bpf_htons(0x0100);
+	iph->check = (__u16)(check + (check >= 0xFFFF));
+	return --iph->ttl;
+}
+
+static __always_inline
+int mac_zero(const __u8 *mac_addr) {
+    // 检查MAC地址是否不全为零
+    for (int i = 0; i < ETH_ALEN; i++) {
+        if (mac_addr[i] != 0)
+            return 1; // 如果有一个字节不为零，返回1表示不为零
+    }
+    return 0; // 如果所有字节都为零，返回0表示全为零
+}
+
+
+static __always_inline
+int ipv4_match(__u32 conn_addr, __u32 rule_addr) {
+    // 直接比较IPv4地址和网络地址
+	if( (!rule_addr) || (conn_addr == rule_addr) ) //0 , match all
+		return 1;
+	return 0;
+}
+
+static int match_rules_loop(__u32 index, void *ctx)
+{
+	struct rt_item *p_ctx = (struct rt_item *)ctx;
+
+
+	struct rt_item *p_r = bpf_map_lookup_elem(&rtcache_map4, &index);
+	if(!p_r){
+		return 1; //out of range
+	}
+	
+
+	if( ipv4_match(p_ctx->saddr, p_r->saddr) ) {
+	
+		memcpy(p_ctx->eth_source, p_r->eth_source, ETH_ALEN);
+		memcpy(p_ctx->eth_dest, p_r->eth_dest, ETH_ALEN);
+		
+
+		return 1;
+	}
+
+
+	return 1;
+}
+
+static __always_inline 
+int match_rules(struct rt_item *conn)
+{
+	struct rt_item *ctx = conn;
+	
+	bpf_loop(MAX_RULES, match_rules_loop, ctx, 0);
+	
+	return 1;
+}
+
+/*使用 IP 进行过滤*/
+
+struct match_rules_loop_ctx{
+	__u16 action;
+	__u16 next_rule;
+	struct conn_ipv4 *conn;
+};
+
+static __always_inline
+int ipv4_cidr_match(__u32 ip_addr, __u32 network_addr, __u8 cidr) {
+	if(network_addr == 0 && cidr == 0)
+        return 1;
+	
+    __u32 subnet_mask = (0xFFFFFFFFU << (32 - cidr)) & 0xFFFFFFFFU;
+
+    __u32 masked_ip = ip_addr & subnet_mask;
+    __u32 masked_network = network_addr & subnet_mask;
+
+    return masked_ip == masked_network;
+}
+
+static __always_inline
+int port_match(__u16 conn_port, __u16 rule_port){
+	if( (!rule_port) || (rule_port == conn_port) ) //0 , match all
+		return 1;
+	return 0;
+}
+
+static int match_rules_ipv4_loop(__u32 index, void *ctx)
+{
+	struct match_rules_loop_ctx *p_ctx = (struct match_rules_loop_ctx *)ctx;
+	if(index != p_ctx->next_rule)
+		return 0;
+
+	struct rules_ipv4 *p_r = bpf_map_lookup_elem(&rules_ipv4_map, &index);
+	if(!p_r){
+		return 1; //out of range
+	}
+
+	p_ctx->next_rule = p_r->next_rule;
+
+	if(index == 0)
+		goto out_match_rules_ipv4_loop;
+
+	if( ipv4_cidr_match(p_ctx->conn->saddr, p_r->saddr, p_r->saddr_mask) && 
+		ipv4_cidr_match(p_ctx->conn->daddr, p_r->daddr, p_r->daddr_mask) &&
+		port_match(p_ctx->conn->sport, p_r->sport) &&
+		port_match(p_ctx->conn->dport, p_r->dport) &&
+		port_match(p_ctx->conn->ip_proto, p_r->ip_proto) ) 
+	{
+		p_ctx->action = p_r->action;
+		return 1;
+	}
+
+out_match_rules_ipv4_loop:
+	if(p_r->next_rule == 0)
+		return 1; //go out loop
+
+	return 0;
+}
+
+static __always_inline
+xdp_act match_rules_ipv4(struct conn_ipv4 *conn)
+{
+	struct match_rules_loop_ctx ctx = {.action = XDP_PASS, .conn = conn, .next_rule = 0};
+	
+	
+	for(int i=0; i<MAX_RULES; i++){
+		if(match_rules_ipv4_loop(i,&ctx))
+			break;
+	}
+
+	return ctx.action;
+}
+
+SEC("xdp")
+int xdp_entry_ipv4(struct xdp_md *ctx)
+{
+	xdp_act action = XDP_PASS; 
+	void *data_end = (void *)(long)ctx->data_end;
+	void *data = (void *)(long)ctx->data;
+	struct hdr_cursor nh;
+	int nh_type; //next header type
+	struct ethhdr *eth;
+	struct iphdr *iph;
+	struct tcphdr *tcph; 
+	struct udphdr *udph;
+	struct conn_ipv4 conn = {.saddr = 0, .daddr = 0, .sport = 0, .dport = 0, .ip_proto = 0};
+
+	nh.pos = data;
+	
+	nh_type = parse_ethhdr(&nh, data_end, &eth);
+
+	if(nh_type < 0)
+		goto out;
+
+	if (nh_type == bpf_htons(ETH_P_IP)) { 
+
+		nh_type = parse_iphdr(&nh, data_end, &iph);
+
+		if(nh_type < 0)
+			goto out;
+		
+		if (nh_type == IPPROTO_TCP) {
+			if(parse_tcphdr(&nh, data_end, &tcph) < 0)
+				goto out;
+			
+			conn.sport = bpf_ntohs(tcph -> source);
+			conn.dport = bpf_ntohs(tcph -> dest);
+			
+		}
+		else if(nh_type == IPPROTO_UDP){
+			if(parse_udphdr(&nh, data_end, &udph) < 0){
+				goto out;
+			}
+			conn.sport = bpf_ntohs(udph -> source);
+			conn.dport = bpf_ntohs(udph -> dest);
+		}
+
+		conn.saddr = bpf_ntohl(iph -> saddr);
+		conn.daddr = bpf_ntohl(iph -> daddr);
+		conn.ip_proto = nh_type;
+
+		#ifdef DEBUG_PRINT_EVERY
+		if(conn.dport != 22)
+			bpf_printk("conn(%u:%u to %u:%u)", conn.saddr, conn.sport, conn.daddr, conn.dport);
+		#endif
+
+		action = match_rules_ipv4(&conn);
+
+	}
+	
+		
+out:
+	return xdp_stats_record_action(ctx, action);
+}
+
+
+
+
+/* Solution to packet03/assignment-4 */
+SEC("xdp")
+int xdp_entry_router(struct xdp_md *ctx)
+{
+	xdp_act action = XDP_PASS; 
+	void *data_end = (void *)(long)ctx->data_end;
+	void *data = (void *)(long)ctx->data;
+	struct bpf_fib_lookup ifib = {};
+	struct hdr_cursor nh;
+	int nh_type; //next header type
+	struct ethhdr *eth = data;
+	struct ipv6hdr *ip6h;
+	struct iphdr *iph;
+	unsigned int ip4_saddr = 0;
+	//unsigned ifindex = 2;
+	int rc;
+	struct rt_item nitem = {.saddr = 0, .eth_source = {0}, .eth_dest = {0}};
+
+
+	nh.pos = data;
+
+	nh_type = parse_ethhdr(&nh, data_end, &eth);
+
+	if(nh_type < 0)
+		goto out;
+
+	if (nh_type == bpf_htons(ETH_P_IP)) { 
+		nh_type = parse_iphdr(&nh, data_end, &iph);
+
+		if(nh_type < 0)
+			goto out;
+		
+		
+		if (iph->ttl <= 1)
+			goto out;
+		
+
+		ip4_saddr = iph->saddr;
+
+		nitem.saddr = ip4_saddr;
+		
+		// 首先精确查找转发表，如果找到就直接转发，不必再经历最长前缀匹配的慢速通配查找
+		match_rules(&nitem);
+	
+		
+
+		if (mac_zero(nitem.eth_dest)) {
+			ip_decrease_ttl(iph);
+			memcpy(eth->h_dest, nitem.eth_dest, ETH_ALEN);
+			memcpy(eth->h_source, nitem.eth_source, ETH_ALEN);
+			action = bpf_redirect_map(&tx_port, 0, 0);
+
+			goto out;
+		}
+
+		// 否则执行最长前缀匹配了
+		ifib.family = AF_INET;
+		ifib.tos = iph->tos;
+		ifib.l4_protocol = iph->protocol;
+		ifib.sport	= 0;
+		ifib.dport	= 0;
+		ifib.tot_len	= bpf_ntohs(iph->tot_len);
+		ifib.ipv4_src = iph->saddr;
+		ifib.ipv4_dst = iph->daddr;
+		ifib.ifindex = ctx->ingress_ifindex;
+		
+
+		rc = bpf_fib_lookup(ctx, &ifib, sizeof(ifib), 0);
+		switch (rc) {
+		case BPF_FIB_LKUP_RET_SUCCESS:         /* lookup successful */
+			ip_decrease_ttl(iph);
+	
+			memcpy(eth->h_dest, ifib.dmac, ETH_ALEN);
+			memcpy(eth->h_source, ifib.smac, ETH_ALEN);
+			action = bpf_redirect(ifib.ifindex, 0);
+			goto out;
+			break;
+		case BPF_FIB_LKUP_RET_BLACKHOLE:    /* dest is blackholed; can be dropped */
+		case BPF_FIB_LKUP_RET_UNREACHABLE:  /* dest is unreachable; can be dropped */
+		case BPF_FIB_LKUP_RET_PROHIBIT:     /* dest not allowed; can be dropped */
+			action = XDP_DROP;
+			goto out;
+			break;
+		case BPF_FIB_LKUP_RET_NOT_FWDED:    /* packet is not forwarded */
+		case BPF_FIB_LKUP_RET_FWD_DISABLED: /* fwding is not enabled on ingress */
+		case BPF_FIB_LKUP_RET_UNSUPP_LWT:   /* fwd requires encapsulation */
+		case BPF_FIB_LKUP_RET_NO_NEIGH:     /* no neighbor entry for nh */
+		case BPF_FIB_LKUP_RET_FRAG_NEEDED:  /* fragmentation required to fwd */
+			/* PASS */
+			goto out;
+			break;
+		}
+
+	} else if (nh_type == bpf_htons(ETH_P_IPV6)) {
+		nh_type = parse_ip6hdr(&nh, data_end, &ip6h);
+
+		struct in6_addr *src = (struct in6_addr *) ifib.ipv6_src;
+		struct in6_addr *dst = (struct in6_addr *) ifib.ipv6_dst;
+
+		if(nh_type < 0)
+			goto out;
+
+		if (ip6h->hop_limit <= 1)
+			goto out;
+
+		ifib.family	= AF_INET6;
+		ifib.flowinfo	= *(__be32 *) ip6h & IPV6_FLOWINFO_MASK;
+		ifib.l4_protocol	= ip6h->nexthdr;
+		ifib.sport	= 0;
+		ifib.dport	= 0;
+		ifib.tot_len = bpf_ntohs(ip6h->payload_len);
+		*src = ip6h->saddr;
+		*dst = ip6h->daddr;
+		ifib.ifindex = ctx->ingress_ifindex;
+
+		rc = bpf_fib_lookup(ctx, &ifib, sizeof(ifib), 0);
+		switch (rc) {
+		case BPF_FIB_LKUP_RET_SUCCESS:         /* lookup successful */
+			ip6h->hop_limit--;
+
+			memcpy(eth->h_dest, ifib.dmac, ETH_ALEN);
+			memcpy(eth->h_source, ifib.smac, ETH_ALEN);
+			action = bpf_redirect(ifib.ifindex, 0);
+			goto out;
+			break;
+		case BPF_FIB_LKUP_RET_BLACKHOLE:    /* dest is blackholed; can be dropped */
+		case BPF_FIB_LKUP_RET_UNREACHABLE:  /* dest is unreachable; can be dropped */
+		case BPF_FIB_LKUP_RET_PROHIBIT:     /* dest not allowed; can be dropped */
+			action = XDP_DROP;
+			break;
+		case BPF_FIB_LKUP_RET_NOT_FWDED:    /* packet is not forwarded */
+		case BPF_FIB_LKUP_RET_FWD_DISABLED: /* fwding is not enabled on ingress */
+		case BPF_FIB_LKUP_RET_UNSUPP_LWT:   /* fwd requires encapsulation */
+		case BPF_FIB_LKUP_RET_NO_NEIGH:     /* no neighbor entry for nh */
+		case BPF_FIB_LKUP_RET_FRAG_NEEDED:  /* fragmentation required to fwd */
+			/* PASS */
+			break;
+		}
+
+	}
+	else {
+		goto out;
+	}
+
+	
+	
+out:
+	return xdp_stats_record_action(ctx, action);
+}
+
+
+/* accept ethernet addresses and filter everything else */
+SEC("xdp")
+int xdp_entry_mac(struct xdp_md *ctx)
+{
+	xdp_act action = XDP_PASS; 
+	void *data_end = (void *)(long)ctx->data_end;
+	void *data = (void *)(long)ctx->data;
+	struct hdr_cursor nh;
+	int nh_type; //next header type
+	struct ethhdr *eth;
+	__u32 *value;
+
+
+	nh.pos = data;
+
+	nh_type = parse_ethhdr(&nh, data_end, &eth);
+
+	if(nh_type < 0)
+		goto out;
+
+	//action = match_rules_ipv4(&eth->h_source);
+
+	/* check if src mac is in src_macs map */
+	value = bpf_map_lookup_elem(&src_macs, eth->h_source);
+	if (value) {
+        action = *value;
+		goto out;
+    }
+	
+
+out:
+	return xdp_stats_record_action(ctx, action);
+}
+
+SEC("xdp")
+int xdp_entry_state(struct xdp_md *ctx)
+{
+	__u32 action = XDP_PASS; 
+	void *data_end = (void *)(long)ctx->data_end;
+	void *data = (void *)(long)ctx->data;
+	struct hdr_cursor nh;
+	int nh_type; //next header type
+	struct ethhdr *eth;
+	struct iphdr *iph;
+	struct tcphdr *tcph; 
+	struct udphdr *udph;
+	// 定义IPv4连接关键信息
+	struct conn_ipv4_key conn_k = {.saddr = 0, .daddr = 0, .sport = 0, .dport = 0, .proto = 0};
+
+	nh.pos = data;
+	
+	// 如果下一个头部类型为IPv4
+	nh_type = parse_ethhdr(&nh, data_end, &eth);
+
+	if(nh_type < 0)
+		goto out;
+
+	if (nh_type == bpf_htons(ETH_P_IP)) { 
+
+		nh_type = parse_iphdr(&nh, data_end, &iph);
+
+		if(nh_type < 0)
+			goto out;
+		
+		conn_k.saddr = bpf_ntohl(iph -> saddr);
+		conn_k.daddr = bpf_ntohl(iph -> daddr);
+		conn_k.proto = nh_type;
+
+		
+		// 如果下一个头部类型为TCP
+		if (nh_type == IPPROTO_TCP) {
+			if(parse_tcphdr(&nh, data_end, &tcph) < 0)
+				goto out;
+			
+			// 获取TCP连接信息
+			conn_k.sport = bpf_ntohs(tcph -> source);
+			conn_k.dport = bpf_ntohs(tcph -> dest);
+			
+			// 查找IPv4连接映射表中的值
+			// 如果找到，就说明该连接已经存在，可以在原有连接信息的基础上进行处理。
+			// 如果没有找到，可能是首次遇到这个连接，可以进行一些初始化操作，例如创建新的连接信息并添加到哈希表中。
+			struct conn_ipv4_val *p_conn_v = bpf_map_lookup_elem(&conn_ipv4_map, &conn_k);
+			if(!p_conn_v){
+				// 如果查找失败，交换源目地址和端口信息后再次查找
+				swap_conn_src_dst(&conn_k);
+				p_conn_v = bpf_map_lookup_elem(&conn_ipv4_map, &conn_k);
+
+				// 如果再次查找失败，且TCP报文是SYN并且不是ACK，则创建新的连接项
+				if(!p_conn_v){
+					if(tcph->syn && !tcph->ack){
+						struct conn_ipv4_val conn_v = {.tcp_state = TCP_S_SYN_SENT};
+						conn_v.rid = get_rs_rr();
+						swap_conn_src_dst(&conn_k);
+						// 将新的连接项插入到 IPv4 连接映射中
+						bpf_map_update_elem(&conn_ipv4_map, &conn_k, &conn_v, BPF_ANY);
+						// 输出日志信息，表示创建了一个新的连接项
+						bpf_printk("conn(%u:%u->%u:%u),state:%s,rid:%d",conn_k.saddr, conn_k.sport, conn_k.daddr, conn_k.dport, "SYN_SENT", conn_v.rid);	
+					}
+					goto out;
+				}
+			}
+			// 如果查找成功，继续处理连接项
+			// 如果TCP报文的标志位包含RST（复位），则删除连接项并输出相应的日志信息
+			if(tcph->rst){
+				bpf_map_delete_elem(&conn_ipv4_map, &conn_k);
+				bpf_printk("conn(%u:%u->%u:%u),state:%s,rid:%d",conn_k.saddr, conn_k.sport, conn_k.daddr, conn_k.dport, "RST", p_conn_v->rid);
+				goto out;
+			}
+
+			// 如果连接项的TCP状态为SYN_RECV并且收到了ACK，将TCP状态更新为ESTABLISHED
+			if(p_conn_v->tcp_state == TCP_S_SYN_RECV && tcph->ack){
+				p_conn_v->tcp_state = TCP_S_ESTABLISHED;
+				goto out_tcp_conn;
+			}
+
+			// 如果连接项的TCP状态为ESTABLISHED并且收到了FIN，将TCP状态更新为FIN_WAIT1
+			if(p_conn_v->tcp_state == TCP_S_ESTABLISHED && tcph->fin){
+				p_conn_v->tcp_state = TCP_S_FIN_WAIT1;
+				goto out_tcp_conn;
+			}
+
+			// 如果连接项的TCP状态为FIN_WAIT2并且收到了ACK，将TCP状态更新为CLOSE
+			if(p_conn_v->tcp_state == TCP_S_FIN_WAIT2 && tcph->ack){
+				p_conn_v->tcp_state = TCP_S_CLOSE;
+				goto out_tcp_conn;
+			}
+
+			// 交换源目地址和端口信息
+			swap_conn_src_dst(&conn_k);
+
+
+			// 如果连接项的TCP状态为SYN_SENT且收到了SYN和ACK，将TCP状态更新为SYN_RECV
+			if(p_conn_v->tcp_state == TCP_S_SYN_SENT && tcph->syn && tcph->ack){
+				p_conn_v->tcp_state = TCP_S_SYN_RECV;
+				goto out_tcp_conn;
+			}
+
+			// 如果连接项的TCP状态为FIN_WAIT1且收到了ACK，将TCP状态更新为CLOSE_WAIT
+			if(p_conn_v->tcp_state == TCP_S_FIN_WAIT1 && tcph->ack){
+				p_conn_v->tcp_state = TCP_S_CLOSE_WAIT;
+				bpf_printk("conn(%u:%u->%u:%u),state:%s,rid:%d",conn_k.saddr, conn_k.sport, conn_k.daddr, conn_k.dport, "CLOSE_WAIT", p_conn_v->rid);
+			}
+			
+			// 如果连接项的TCP状态为CLOSE_WAIT且收到了FIN和ACK，将TCP状态更新为FIN_WAIT2
+			if(p_conn_v->tcp_state == TCP_S_CLOSE_WAIT && tcph->fin && tcph->ack){
+				p_conn_v->tcp_state = TCP_S_FIN_WAIT2;
+				goto out_tcp_conn;
+			}
+			const char *tcp_state_str;
+
+			// 根据连接状态设置对应的字符串
+			out_tcp_conn:
+				if(p_conn_v->tcp_state == TCP_S_CLOSE){
+					// 如果是CLOSE状态，从映射表中删除连接信息
+					bpf_map_delete_elem(&conn_ipv4_map, &conn_k);
+				}else{
+					// 否则更新映射表中的连接信息
+					bpf_map_update_elem(&conn_ipv4_map, &conn_k, p_conn_v, BPF_EXIST);
+				}
+				// 根据连接状态打印日志
+				switch(p_conn_v->tcp_state) {
+					case TCP_S_SYN_SENT:
+						tcp_state_str = "SYN_SENT";
+						break;
+					case TCP_S_SYN_RECV:
+						tcp_state_str = "SYN_RECV";
+						break;
+					case TCP_S_ESTABLISHED:
+						tcp_state_str = "ESTABLISHED";
+						break;
+					case TCP_S_FIN_WAIT1:
+						tcp_state_str = "FIN_WAIT1";
+						break;
+					case TCP_S_FIN_WAIT2:
+						tcp_state_str = "FIN_WAIT2";
+						break;
+					case TCP_S_CLOSE_WAIT:
+						tcp_state_str = "CLOSE_WAIT";
+						break;
+					case TCP_S_CLOSE:
+						tcp_state_str = "CLOSE";
+						break;
+					default:
+						tcp_state_str = "";
+				}
+				bpf_printk("conn(%u:%u->%u:%u),state:%s,rid:%d",conn_k.saddr, conn_k.sport, conn_k.daddr, conn_k.dport, tcp_state_str, p_conn_v->rid);				
+				goto out;
+		}
+		else if(nh_type == IPPROTO_UDP){
+			// 如果是UDP包，解析UDP头部并获取端口信息
+			if(parse_udphdr(&nh, data_end, &udph) < 0){
+				goto out;
+			}
+			conn_k.sport = bpf_ntohs(udph -> source);
+			conn_k.dport = bpf_ntohs(udph -> dest);
+		}
+
+		#ifdef DEBUG_PRINT_EVERY
+		// 打印除SSH协议以外的所有连接信息
+		if(conn.dport != 22)
+			bpf_printk("conn(%u:%u to %u:%u)", conn.saddr, conn.sport, conn.daddr, conn.dport);
+		#endif
+
+	}
+	
+		
+out:
+	return xdp_stats_record_action(ctx, action);
+}
+
+
+char _license[] SEC("license") = "GPL";
\ No newline at end of file