From 5df5d88abdf924d3802fa90afae63812ea2e7b98 Mon Sep 17 00:00:00 2001
From: Vincent Li
Date: Sun, 27 Apr 2025 10:48:42 -0700
Subject: [PATCH] loxilb: add loxilb init script
add loxilb init script and initial loxilb FW settings
Signed-off-by: Vincent Li
---
 config/cfgroot/loxilb-FWconfig.txt | 1 +
 config/cfgroot/loxilb-settings | 1 +
 config/rootfiles/common/configroot | 1 +
 .../rootfiles/common/loongarch64/initscripts | 1 +
 config/rootfiles/common/loxilb | 1 +
 lfs/configroot | 6 +-
 lfs/initscripts | 1 +
 src/initscripts/system/loxilb | 71 +++++++++++++++++++
 8 files changed, 81 insertions(+), 2 deletions(-)
 create mode 100644 config/cfgroot/loxilb-FWconfig.txt
 create mode 100644 config/cfgroot/loxilb-settings
 create mode 100755 src/initscripts/system/loxilb
diff --git a/config/cfgroot/loxilb-FWconfig.txt b/config/cfgroot/loxilb-FWconfig.txt
new file mode 100644
index 000000000..c817bed26
--- /dev/null
+++ b/config/cfgroot/loxilb-FWconfig.txt
@@ -0,0 +1 @@
+{"fwAttr":[{"opts":{"counter":"0:0","doSnat":true,"onDefault":true,"toIP":"REDIP"},"ruleArguments":{"destinationIP":"0.0.0.0/0","portName":"green0","sourceIP":"0.0.0.0/0"}}]}
diff --git a/config/cfgroot/loxilb-settings b/config/cfgroot/loxilb-settings
new file mode 100644
index 000000000..f4f4b44e1
--- /dev/null
+++ b/config/cfgroot/loxilb-settings
@@ -0,0 +1 @@
+ENABLE_LOXILB=off
diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot
index 33cc508e1..abe7d94e8 100644
--- a/config/rootfiles/common/configroot
+++ b/config/rootfiles/common/configroot
@@ -100,6 +100,7 @@ var/ipfire/langs
 #var/ipfire/langs/tr.pl
 var/ipfire/logging
 #var/ipfire/logging/settings
+var/ipfire/loxilb
 var/ipfire/mac
 #var/ipfire/mac/settings
 var/ipfire/main
diff --git a/config/rootfiles/common/loongarch64/initscripts b/config/rootfiles/common/loongarch64/initscripts
index 15ed42704..8b976d9ae 100644
--- a/config/rootfiles/common/loongarch64/initscripts
+++ b/config/rootfiles/common/loongarch64/initscripts
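Review bot: The rule shipped in `loxilb-FWconfig.txt` matches `sourceIP` and `destinationIP` `0.0.0.0/0` on `green0` with `doSnat` to `REDIP`; unless loxilb restricts the SNAT to packets that actually leave via RED, green traffic bound for other local zones (blue, orange, VPN networks) would be rewritten to the RED address as well, so confirm the semantics of `onDefault`/`doSnat` and, if needed, narrow `destinationIP` or add earlier exclusion rules. `REDIP` is not a valid address and the file is strict JSON with no room for a comment, so a reader of `/var/ipfire/loxilb/FWconfig.txt` gets no hint that it is a template the init script rewrites before loxilb loads it; a `.tmpl` suffix or a one-line note in the init script would make that explicit.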
@@ -31,6 +31,7 @@ etc/rc.d/init.d/halt
 etc/rc.d/init.d/ipsec
 etc/rc.d/init.d/leds
 etc/rc.d/init.d/localnet
+etc/rc.d/init.d/loxilb
 etc/rc.d/init.d/modules
 etc/rc.d/init.d/mountfs
 etc/rc.d/init.d/mountkernfs
diff --git a/config/rootfiles/common/loxilb b/config/rootfiles/common/loxilb
index fb7c05444..cd9c34e07 100644
--- a/config/rootfiles/common/loxilb
+++ b/config/rootfiles/common/loxilb
@@ -4,3 +4,4 @@ opt/loxilb/llb_kern_sock.o
 opt/loxilb/llb_xdp_main.o
 opt/loxilb/loxilb_libdp.o
 usr/bin/loxilb
+etc/rc.d/rc3.d/S106loxilb
diff --git a/lfs/configroot b/lfs/configroot
index 811505762..dc3e47259 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -51,7 +51,7 @@ $(TARGET) :
 # Create all directories
 for i in addon-lang auth backup ca captive certs connscheduler crls ddns dhcp dhcpc dns dnsforward \
- ethernet extrahd/bin fwlogs fwhosts firewall ipblocklist key langs logging mac main \
+ ethernet extrahd/bin fwlogs fwhosts firewall ipblocklist key langs logging loxilb mac main \
 menu.d modem optionsfw \
 ovpn patches pakfire portfw ppp private proxy/advanced/cre \
 proxy/calamaris/bin qos/bin red remote sensors suricata time \
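Review bot: `etc/rc.d/init.d/loxilb` is added only to `config/rootfiles/common/loongarch64/initscripts`, while the `S106loxilb` link goes into the architecture-independent `config/rootfiles/common/loxilb`; if the tree also carries `initscripts` rootfiles for other architectures (upstream IPFire keeps one per arch), the script itself will be missing from those images. Either add the entry to every per-arch list or keep both the script and its `rc3.d` link together in `config/rootfiles/common/loxilb`, so the service is packaged as one unit and cannot end up half-installed.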
@@ -66,7 +66,7 @@ $(TARGET) :
 dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dns/servers dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
 ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings firewall/settings firewall/locationblock firewall/input firewall/outgoing \
 fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservicegrp fwhosts/customlocationgrp fwlogs/ipsettings fwlogs/portsettings ipblocklist/modified \
- ipblocklist/settings mac/settings main/hosts main/routing main/security main/settings optionsfw/settings \
+ ipblocklist/settings loxilb/settings mac/settings main/hosts main/routing main/security main/settings optionsfw/settings \
 ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
 ppp/settings-5 ppp/settings proxy/settings proxy/squid.conf proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \
 qos/tosconfig suricata/settings vpn/config vpn/settings vpn/ipsec.conf \
@@ -115,6 +115,8 @@ $(TARGET) :
 cp $(DIR_SRC)/config/cfgroot/ddos-settings $(CONFIG_ROOT)/ddos/settings
 cp $(DIR_SRC)/config/cfgroot/tcp-ddos-settings $(CONFIG_ROOT)/ddos/tcp-ddos-settings
 cp $(DIR_SRC)/config/cfgroot/tcp_ports $(CONFIG_ROOT)/ddos/tcp_ports
+ cp $(DIR_SRC)/config/cfgroot/loxilb-settings $(CONFIG_ROOT)/loxilb/settings
+ cp $(DIR_SRC)/config/cfgroot/loxilb-FWconfig.txt $(CONFIG_ROOT)/loxilb/FWconfig.txt
 # Oneliner configfiles
 echo "ENABLED=off" > $(CONFIG_ROOT)/vpn/settings
 echo "01" > $(CONFIG_ROOT)/certs/serial
diff --git a/lfs/initscripts b/lfs/initscripts
index f3538e17f..2352642af 100644
--- a/lfs/initscripts
+++ b/lfs/initscripts
@@ -185,6 +185,7 @@ $(TARGET) :
 #ln -sf ../init.d/xdpsni /etc/rc.d/rc3.d/S103xdpsni
 #ln -sf ../init.d/xdpgeoip /etc/rc.d/rc3.d/S104xdpgeoip
 ln -sf ../init.d/ddos /etc/rc.d/rc3.d/S105ddos
+ ln -sf ../init.d/loxilb /etc/rc.d/rc3.d/S106loxilb
 ln -sf ../../../../../usr/local/bin/qosctrl \
 /etc/rc.d/init.d/networking/red.up/24-RS-qos
diff --git a/src/initscripts/system/loxilb b/src/initscripts/system/loxilb
new file mode 100755
index 000000000..42e09e8be
--- /dev/null
+++ b/src/initscripts/system/loxilb
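Review bot: Only the `rc3.d/S106loxilb` start link is installed, so the init script's one-shot read of `/var/ipfire/red/local-ipaddress` happens at boot, when a DHCP or PPPoE RED may not have an address yet, and is never repeated when RED reconnects with a different one. The `qosctrl` line right below the added one shows the `red.up` hook directory; a small hook there that re-renders and re-applies the loxilb SNAT rule on every RED connect would keep the rule's `toIP` current. No `K` link is added under `rc0.d`/`rc6.d`, so the script's stop action does not run at shutdown — acceptable if loxilb needs no orderly teardown, but worth stating in the commit message.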
@@ -0,0 +1,71 @@
+#!/bin/sh
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007-2022 IPFire Team #
+# Copyright (C) 2024-2025 BPFire #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+. /etc/sysconfig/rc
+. $rc_functions
+
+eval $(/usr/local/bin/readhash /var/ipfire/loxilb/settings)
+
+case "$1" in
+ start)
+ boot_mesg -n "Starting loxilb..."
+ if [ "$ENABLE_LOXILB" == "on" ]; then
+ if [ -d /opt/loxilb/dp/ ]; then
+ umount /opt/loxilb/dp/
+ rm -fr /opt/loxilb/dp/bpf
+ fi
+
+ mkdir -p /opt/loxilb/dp/
+ mount -t bpf bpf /opt/loxilb/dp/
+
+ #enable egress firewall SNAT for green network
+ redip=$(< /var/ipfire/red/local-ipaddress)
+ sed -i "s/\"REDIP\"/\"$redip\"/" /var/ipfire/loxilb/FWconfig.txt
+
+ loadproc -b loxilb --config-path="/var/ipfire/loxilb/" --blacklist="eth[0-9]"
+ fi
+ ;;
+
+ stop)
+ boot_mesg "Stopping loxilb..."
+ if [ "$ENABLE_LOXILB" == "off" ]; then
+ #remove egress firewall SNAT for green network
+ loxicmd delete firewall --firewallRule="portName:green0"
+ killproc loxilb
+ fi
+ ;;
+
+ status)
+ statusproc /usr/bin/loxilb
+ ;;
+
+ restart)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+
+ *)
+ echo "Usage: $0 {start|stop|restart}"
+ exit 1
+ ;;
+esac
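Review bot: The `stop)` branch is gated on `ENABLE_LOXILB` being `off`, so with the feature enabled `stop` and `restart` never delete the SNAT rule or kill the daemon, and `restart` then runs `loadproc -b loxilb` next to the still-running instance; the branch should tear down unconditionally. In `start)`, `sed -i` rewrites `/var/ipfire/loxilb/FWconfig.txt` in place, so the `"REDIP"` placeholder survives only until the first start and a later RED address change is never applied, while an absent `local-ipaddress` (RED down at boot) leaves `"toIP":""` in the file permanently; rendering from a pristine template on every start, guarded by a non-empty address, avoids both. Under `#!/bin/sh` the `[ … == … ]` comparison is a bashism (`=` is the portable form), and the usage line omits `status`, which the script accepts. The rewrite below assumes the template is shipped as `FWconfig.txt.tmpl`, which needs the matching `cp` in lfs/configroot.
```shell
	start)
		boot_mesg -n "Starting loxilb..."
		if [ "$ENABLE_LOXILB" = "on" ]; then
			# … unchanged: bpf mount setup …

			# Render the SNAT rule from the pristine template on every start so a
			# changed RED address is picked up; the template itself is never edited.
			redip=$(cat /var/ipfire/red/local-ipaddress 2>/dev/null)
			if [ -n "$redip" ]; then
				sed "s/\"REDIP\"/\"$redip\"/" /var/ipfire/loxilb/FWconfig.txt.tmpl \
					> /var/ipfire/loxilb/FWconfig.txt
			else
				boot_mesg "RED has no address yet, loxilb SNAT rule not rendered"
			fi

			loadproc -b loxilb --config-path="/var/ipfire/loxilb/" --blacklist="eth[0-9]"
		fi
		;;

	stop)
		boot_mesg "Stopping loxilb..."
		# Tear down unconditionally: gating this on ENABLE_LOXILB=off meant
		# "restart" with the feature enabled started a second daemon.
		loxicmd delete firewall --firewallRule="portName:green0"
		killproc loxilb
		;;

	# … unchanged: status / restart …

	*)
		echo "Usage: $0 {start|stop|restart|status}"
		exit 1
		;;
```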