commit 6424fa8757a3a8fd8fde1be6935a1984abe8fdb2 (HEAD -> loongfire-port, origin/loongfire-port)
Author: Vincent Li <vincent.mc.li@gmail.com>
Date: Fri Nov 7 19:17:59 2025 -0800
wg_handshake: log wireguard handshake message
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit ced17feca631f6963a2439f41ef09a7db048f316 (HEAD -> main)
Author: Vincent Li <vincent.mc.li@gmail.com>
Date: Mon Oct 20 21:28:17 2025 -0700
tc-basic-classifier: fix tcp port Endianess bug by AI
AI generated class_filter program stored the tcp port in network order,
but in bpf program the tcp port is converted to host order, and result in
tcp port lookup failure, unable to get the correct classid, fail to do rate
classification.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit a18fe4be0374ab1efb21c1228a5c5790ded7636e
Author: Vincent Li <vincent.mc.li@gmail.com>
Date: Mon Oct 20 19:15:34 2025 -0700
tc-basic-classifier: classify port and IP from bpf map
add port and IP rate classification based on bpf map so user could
add or remove port/IP rate classification dynamically at run time
since TC class works on egress direction, so port rate classification
works on red0 egress, and IP rate classification works on green0 egress
port rate classification:
class_filter -a -b ./class_filter.bpf.o -i red0 -v
class_filter -i red0 --add-port 8080:10:80mbit
class_filter -i red0 --add-port 8081:20:40mbit
class_filter -i red0 --delete-port 8080
class_filter -i red0 --list-ports
IP rate classification:
class_filter -a -b ./class_filter.bpf.o -i green0 -v
class_filter -i red0 --add-ip 192.168.1.0/24:40:30mbit
class_filter -i red0 --delete-ip 192.168.1.0/24
class_filter -i red0 --list-ips
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 12280ef22ae49f75eda047144ed3e9dc0f73e04a
Author: Vincent Li <vincent.mc.li@gmail.com>
Date: Fri Oct 17 19:45:07 2025 -0700
tc-basic-classifier: add user space program
the bpf skel header is generated only if USER_TARGETS
is added in Makefile, so add a dummy user space program.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit fe5cc1814af4c995f61ec08708110deef7a65c45
Author: Vincent Li <vincent.mc.li@gmail.com>
Date: Fri Oct 17 19:28:45 2025 -0700
xdp-tools: rebase on upstream xdp-tools main branch
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 7dee7fd954c06a3c58bedbb5561b9ee65c3f749f
Author: Vincent Li <vincent.mc.li@gmail.com>
Date: Fri Oct 17 18:39:59 2025 -0700
tc-basic-classifier: rename the class filter
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
sync IPFire fwhosts.cgi
commit 2398cc431a3fb2cd4141b6a846f0cd0742f6a97c
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Sep 25 17:05:32 2025 +0200
fwhosts.cgi: Escape PROT in the right place
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit ad995081302f6b28ea11c74e56306d94a7bee076
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Sep 25 17:02:18 2025 +0200
fwhosts.cgi: Check country code before proceeding
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit a2c624b99dbcecb469e6001505731049ef5cbbd3
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:37 2025 +0200
fwhosts.cgi Fix for bug 13876 & bug 13877
Fixes: Bug 13876 savelocationgrp COUNTRY_CODE Stored Cross-Site Scripting
Fixes: Bug 13877 saveservice PROT Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 798556ec29207d5131a7600d5489f1ee92a7b87a
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon Jun 23 17:16:57 2025 +0000
fwhosts.cgi: Move the tooltip into the usage counter
This will clutter the page less as we don't have any good icon sets.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 61b277aa9c578a9a69e552f593a8bde421b811bc
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon Jun 23 17:16:56 2025 +0000
fwhosts.cgi: Don't show anything if a host/group is unused
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit ca811a746a79f0e02cfb780cbd4543a057131e3a
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon Jun 23 17:16:55 2025 +0000
fwhosts.cgi: Remove whitespace issues
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 5511d94ed0d8ea6fd372d52cba515b4d6726abed
Author: Peer Dietzmann <dietzmann@brecht-schule.hamburg>
Date: Mon Jun 23 17:16:54 2025 +0000
fwhosts.cgi: Show in which firewall rule objects are being used
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 341eb00a821c4254ddd04968beed2e98e5a33aff
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat May 3 15:10:16 2025 +0200
fwhosts.cgi: Correctly show IP addresses for WireGuard RW peers
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
this is initial kdump and kdump scripts, it looks when run kdump-config
load the first time, the kdump kernel can be loaded, and test crash dump
with echo c > /proc/sysrq-trigger result in system hang forever, then
had to power reset. after power reset, kdump-config load could no longer
load the kdump kernel, errors out with:
[root@bpfire-3 crash]# kdump-config load
cp: cannot stat '/etc/kdump/sysctl.conf': No such file or directory
Creating symlink /var/lib/kdump/vmlinuz.
ln: failed to create symbolic link '/var/lib/kdump/vmlinuz': No such file or directory
Unable to locate kernel hook ... failed!
Can't find kernel text map area from kcore
Cannot load /boot/vmlinuz-6.15.6-ipfire
failed to load kdump kernel ... failed!
so kdump is not working properly, but add the kdump scripts anyway, the
issue can be investigated later in future.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
makedumpfile build by default in BPFire use static libdw.a, libelf.a but
libdw.a, libelf.a are not build with zstd which makdedumpfile static
build requires, so build makedumpfile dynamically, see [0].
[0]: https://github.com/vincentmli/bpfire/issues/109
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 68a3334413efb1a963b7cc6c6dca1ec0126e1cc1
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Jul 18 08:42:12 2025 +0000
wireguard-functions.pl: Automatically skip IPv6 subnets
Since we do not support this and some VPN providers generate
configuration files that send any data over to them, we simply ignore
any IPv6 subnets.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit f7565a885b55384a64edd8bd73079143a04da519
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Jul 18 09:57:34 2025 +0000
wireguard-functions.pl: Remove any carriage returns on import
Some files might include carriage returns which won't be removed by
chomp() on Linux. To be extra safe, we remove them manually.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Choose one IP from client pool and add it to road warrior interface
wg0 so road warrior VPN client could reach firewall through the VPN
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
missing set_defaults sub result in error when generate
flash image during build after add wireguard UI
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit d6868ae94c63d0f708985e6bb6604a4bd40cf1a8
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Sep 6 18:20:46 2024 +0200
firewall: Allow WG traffic when the firewall is in permissive mode
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 1de96a83d6d6cec5d4d3eda1792aa80bfbd8fafe
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed Apr 23 12:35:52 2025 +0200
firewall: Add support for WireGuard peers to groups
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 37174e29de670a33f9be4b90c88b0a96c695dad1
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Sep 27 17:55:46 2024 +0200
wireguard.cgi: Normalize filenames
This is because Windows clients won't import any configurations that
have spaces in the filename. Therefore we replace it and remove anything
else unwanted on the way.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 06dbc836a47160d51ab10f8b9d4ca356beaa7cdb
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Apr 16 18:06:47 2024 +0200
wireguard.cgi: Add a basic CGI to configure the global settings
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
preparation for pwru:
mount -t debugfs none /sys/kernel/debug
echo 0 > /proc/sys/kernel/kptr_restrict
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit f89feeb19 "kernel: use BPFire logo in kernel" replaced
ipfire logo with bpfire logo, but forgot to add the bpfire logo
file and remove the ipfire logo file
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
loxilb 0.9.8 requires --egress flag for firewall
rule to masquerade/SNAT GREEN network source IP
for Internet access. to access host in RED network
another firewall rule is required. see [0].
[0]: https://github.com/loxilb-io/loxilb/issues/957
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
pwru is an utility to trouble shoot network issue,
and to speed up pwru kprobe attachement, kernel needs
to have CONFIG_FPROBE.
running pwru also result in:
Opening kprobe-multi: invalid argument \
(missing kernel symbol or prog's AttachType not AttachTraceKprobeMulti?)
need following to avoid above invalid argument
echo -1 > /proc/sys/kernel/perf_event_paranoid
echo 0 > /proc/sys/kernel/kptr_restrict
see https://github.com/cilium/pwru/issues/460
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
UDP DDoS has pattern of flooding game server with
random source IP and UDP with random payload. game
server UDP traffic requires certain payload
pattern, so this XDP program can serve as example
to stop UDP DDoS attack with UDP payload that does not
match game UDP traffic payload pattern.
without UDP DDoS protection, under DDoS attack:
BPFire UI RED Traffic: in 9xx Mbit/s.
with UDP DDoS protection, under DDoS attack:
BPFire UI RED Traffic: in 1xx Mbit/s.
Tested-by: Muhammad Haikal <eykalpirates@gmail.com>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
move haproxy to core package
prepare /var/ipfire/haproxy for haproxy UI, use
/var/ipfire/haproxy/haproxy.cfg
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
suricata XDP support requires xdp-tools with
libbpf 1.4 to resolve stack smash issue.
also workaround memlock operation not permitted
by running suricata as root since load/attach
XDP program requires root privilige anyway.
see: https://github.com/vincentmli/BPFire/issues/54
Usage scenario:
since suricata IPS XDP capture mode works as
layer 2 bridge, BPFire netfilter firewall, NAT
IP route will be bypassed. no IP address should
be assigned to red0 and green0 interface.
172.16.1.0/24 inline 172.16.1.0/24
red network<-->red0(xdp)<-->green0(xdp)<-->green network
we can run setup command to assign IP/Mask 0.0.0.0/0.0.0.0
to red0 and green0, then reboot BPFire, BPFire DHCP
will stops working after reboot. green network client
can get DHCP IP from upstream dhcp server.
start suricata manually
suricata -c /etc/suricata/suricata-xdp.yaml --af-packet
xdp_filter.bpf program will be attached to red0 and gree0
interface
not sure if we should add GUI for suricata XDP capture mode
since this is not common use case.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
