commit 43867c1e070fc96420a666b0bb21182eff16787b
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sun Apr 27 18:30:59 2025 +0200
wireguard: Add a custom routing table for peers
This is a dirty hack to make connections to VPN providers actually work.
We mark all WG packets after encryption and use a secondary routing
table to look up any routes to the peers. That way, we can replace the
default route in the main routing table without having to care about the
special routes there.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
We use xdp-loader to load dnsdist_xdp.bpf.o for dnsdist running
AF_XDP:
xdp-loader load green0 -P 90 -p /sys/fs/bpf/dnsdist -n xdp_dns_filter /usr/lib/bpf/dnsdist_xdp.bpf.o
so the xsk v4/v6 destination map would be:
/sys/fs/bpf/dnsdist/xskDestinationsV4
/sys/fs/bpf/dnsdist/xskDestinationsV6
but dnsdist-xsk.cc has:
static std::string getDestinationMap(bool isV6)
{
return !isV6 ? "/sys/fs/bpf/dnsdist/xsk-destinations-v4" : "/sys/fs/bpf/dnsdist/xsk-destinations-v6";
}
we can't use xsk-destinations-v4/v6 in dnsdist_xdp.bpf.o because bpf map
could not use '-' in map definition, '-' would result in compiling
error.
so we patch dnsdist-xsk.cc to use xskDestinationsV4/V6 that matches the
map name in dnsdist_xdp.bpf.o
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Similar to xdp-tools to add ebpf network program.
we can use libbpf-bootstrap as facility to add ebpf
tracing program.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
bpftrace depends on libbcc, so add bcc in build.
bcc build depends on zip, but loongfire does not
have zip
workaround:
copy loongson host Fedora zip command to chroot build
cp /usr/bin/zip to build_loongarch64/usr/bin
Fedora zip depends on libbz2.so.1, libbz2 is from bzip2
addon that loongfire already has, so make symbolic link
cd build_loongarch64/lib64; ln -s libbz2.so.1.0.8 libbz2.so.1
we should build zip addon for loongfire but zip has build error
need to resolve zip build error as long term solution
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
rebase xdp-tools from upstream xdp-tools 1.5.4. there is
Makefile conflict when rebase because 1.5.4 added xdp-forward.
manually resolve the rebase conflict by put loongfire xdp program
at the end:
for example instruction from deepseek:
Open the Makefile in a text editor and locate the conflict:
makefile
ifneq ($(BPFTOOL),)
<<<<<<< HEAD
UTILS += xdp-bench xdp-forward xdp-monitor xdp-trafficgen
=======
UTILS += xdp-bench xdp-monitor xdp-trafficgen xdp-synproxy
>>>>>>> d8ebb16 (Add xdp-synproxy)
endif
Understand the conflict:
The HEAD (upstream/main) version includes xdp-forward.
Your commit (d8ebb16) adds xdp-synproxy but removes xdp-forward.
Resolve the conflict by including both changes:
Keep xdp-forward from HEAD.
Add xdp-synproxy from your commit.
The merged line should look like this:
makefile
UTILS += xdp-bench xdp-forward xdp-monitor xdp-trafficgen xdp-synproxy
Remove the conflict markers (<<<<<<<, =======, >>>>>>>).
edit result:
ifneq ($(BPFTOOL),)
UTILS += xdp-bench xdp-forward xdp-monitor xdp-trafficgen xdp-synproxy
endif
Save the file after making these changes.
Stage the resolved Makefile and continue the rebase:
git add Makefile
git rebase --continue
repeat editing Makefile and git rebase --continue for below program
xdp-dnsrrl
xdp-udp
xdp-dns
xdp-sni
xdp-geoip
xdp-udpddos
xdp-tailcall
xdp-synproxy-tailcall
xdp-ddos
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
CC [M] fuxi-efuse.o
fuxi-gmac-phy.c: In function 'fxgmac_phy_timer_destroy':
fuxi-gmac-phy.c:493:5: error: implicit declaration of function
'del_timer_sync'; did you mean 'dev_mc_sync'?
[-Wimplicit-function-declaration]
493 | del_timer_sync(&pdata->expansion.phy_poll_tm);
| ^~~~~~~~~~~~~~
| dev_mc_sync
make[4]: *** [/lib/modules/6.15.0-rc1-ipfire/build/scripts/Makefile.build:203:
fuxi-gmac-phy.o] Error 1
replace del_timer_sync with timer_delete_sync
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
add firewall bridge mode so it can be used as
layer 2 inline bridge for either DDoS protection
or firewall filter by iptable rules configured in
netfilter filter table forward chain.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
This reverts commit 284c7c99881b7cbec8cbd462f667789d8d726057.
yt6801 NIC driver fail to compile with 6.15-rc1, revert the
change till yt6801 driver code is updated.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
note config/etc/* is copied through lfs/stage2
so changes made in config/etc/* requires to
rm stage2 build log to rebuild stage2.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
add xdp_ddos XDP main program with bpf tail
call table and user space xdp-ddos program
to load and insert protocol DDoS program like
TCP or UDP or ICMP into bpf tail call table.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
add ddos init to load/attach XDP DDoS main
program with empty tail call table as place
holder for tcp, udp, icmp...etc XDP DDoS program
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
loxilb ebpf program relies on libbpf 0.8
which does not have loongarch64 support.
backported libbpf 1.2.3 loongarch support
to libbpf 0.8
loxilb 0.9.8 now load ebpf program through
libbpf, no external ntc command required, so
remove ntc
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit f938e63dc6b2cd8a271bb4aa58d8371f4a9fa94c
Author: Vincent Li <vincent.mc.li@gmail.com>
Date: Sat Jan 11 10:55:23 2025 -0800
xdp-dns: fix XDP dns log stack smashing error
gdb --args xdp_dns_log /sys/fs/bpf/xdp-tailcall/dns_ringbuf
result in backtrace:
(gdb) bt
0x00007ffff7d5fa80 in ?? () from /lib64/libc.so.6
0x00007ffff7d0be1c in raise () from /lib64/libc.so.6
0x00007ffff7cf49fc in abort () from /lib64/libc.so.6
0x00007ffff7d50ff0 in ?? () from /lib64/libc.so.6
0x00007ffff7de32d4 in __fortify_fail () from /lib64/libc.so.6
0x00007ffff7de42b0 in __stack_chk_fail () from /lib64/libc.so.6
0x000000012000f248 in handle_event ()
0x00007ffff7eca0fc in ?? () from /usr/lib64/libbpf.so.1
0x00007ffff7eca8c8 in ring_buffer.poll () from /usr/lib64/libbpf.so.1
0x000000012000372c in main ()
Paste the gdb backtrace in ChatGPT and ChatGPT suggested the fix
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Loongarch64 does not support bpf trampoline
and freplace, so we can't use libxdp to attach
multiple XDP program to same network interface.
Loongarch64 supports bpf tail call, so we can still
use xdp-loader to load XDP program, and use bpf tail
call to call each XDP program. now we can tail call
DNS and TLS SNI XDP program on green0 interface
change user space program to take bpf map path as
command line argument so X86 and Loongarch64 can share
same user space program
https://github.com/vincentmli/xdp-tools
commit d18f8a7b48094c861a8ee0d5c0d52e93a01edca4
Author: Vincent Li <vincent.mc.li@gmail.com>
Date: Tue Jan 7 22:14:40 2025 -0800
xdp-tools: add bpf map path as cmd line argument
add XDP DNS and TLS SNI user space program command
line argument for bpf map so X86 and Loongarch can
share the same XDP user space program
commit 5d713b40dd2d0ce399f618179a2add6c07882e2a
Author: Vincent Li <vincent.mc.li@gmail.com>
Date: Mon Jan 6 21:09:25 2025 -0800
xdp-tailcall: add DNS XDP program
add DNS XDP program as tail called program
commit ad2a4e600140f8bf7a577470566efcdf11f6e214
Author: Vincent Li <vincent.mc.li@gmail.com>
Date: Mon Jan 6 20:36:43 2025 -0800
xdp-tailcall: add XDP tailcall
Loongarch64 does not support bpf trampoline and
freplace, so use tail call to call XDP program.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
after moving strace to core package and
recompile strace, it errors out with:
macros.h:141:9: error: static assertion failed:
"Unexpected size of sysoff.rsv (sizeof(unsigned int) * 3 expected).
--enabled-bundled=yes configure option may be used to work around that."
fix the error as the error log message suggested
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
