commit 6424fa8757a3a8fd8fde1be6935a1984abe8fdb2 (HEAD -> loongfire-port, origin/loongfire-port)
Author: Vincent Li <vincent.mc.li@gmail.com>
Date: Fri Nov 7 19:17:59 2025 -0800
wg_handshake: log wireguard handshake message
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit fa10708e3c87519f8e9c85cdff7a2bdd80dbd699 (HEAD -> main)
Author: Vincent Li <vincent.mc.li@gmail.com>
Date: Fri Oct 24 20:58:18 2025 -0700
tc-basic-classifier: allow port range for classification
Improve the user space class_filter to add a port range like:
./class_filter -i red0 --add-port "8080-8082:10:40mbit"
or
./class_filter -i red0 --add-port "8083:20:60mbit"
each port will still be added as an individual entry in the port map, so no
code change is required on the bpf side.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
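An added example (not the project's class_filter code) of the range expansion this commit describes: the "LO[-HI]:CLASSID:RATE" spec is parsed once in user space and each port becomes its own entry, so the bpf side can keep its single-port lookup. The struct layout and the host-order port key are assumptions taken from the commit messages, not from the real map definition.

```c
#include <stdlib.h>
#include <string.h>

/* One expanded entry; layout assumed here, the real class_filter map value is not on the page. */
struct port_entry {
    unsigned short port;  /* host order: the bpf side converts tcp/udp dest port to host order first */
    unsigned int classid; /* minor id of the tc class, e.g. 10 for 1:10 */
    char rate[16];        /* kept as text, e.g. "40mbit" */
};

static int starts_with_digit(const char *s) { return *s >= '0' && *s <= '9'; }

/* Parse "LO[-HI]:CLASSID:RATE" and expand every port of the range into its own
 * entry, one per port as the commit describes. Returns the number of entries
 * written, or -1 on a malformed spec or if the range exceeds `max` entries. */
int parse_port_spec(const char *spec, struct port_entry *out, int max)
{
    const char *c1 = strchr(spec, ':');
    const char *c2 = c1 ? strchr(c1 + 1, ':') : NULL;
    char *end;
    long lo, hi, classid;
    int n = 0;

    if (!c1 || !c2 || strchr(c2 + 1, ':')) return -1; /* need exactly two ':' */
    if (!starts_with_digit(spec)) return -1;
    lo = strtol(spec, &end, 10);
    if (lo < 1 || lo > 65535) return -1;
    if (*end == '-') {                                /* "LO-HI" form */
        if (!starts_with_digit(end + 1)) return -1;
        hi = strtol(end + 1, &end, 10);
        if (hi < lo || hi > 65535) return -1;
    } else {                                          /* single "PORT" form */
        hi = lo;
    }
    if (end != c1) return -1;                         /* junk before first ':' */
    if (!starts_with_digit(c1 + 1)) return -1;
    classid = strtol(c1 + 1, &end, 10);
    if (end != c2 || classid < 1 || classid > 0xffff) return -1;
    if (c2[1] == '\0' || strlen(c2 + 1) >= sizeof(out->rate)) return -1;
    if (hi - lo + 1 > max) return -1;
    for (long p = lo; p <= hi; p++, n++) {
        out[n].port = (unsigned short)p;
        out[n].classid = (unsigned int)classid;
        strcpy(out[n].rate, c2 + 1);
    }
    return n;
}
```

Rejecting a reversed range or a range larger than the caller's buffer up front keeps a bad --add-port argument from partially populating the map.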
commit 5852f6184e3d129667df01011c4ecdf6df994266
Author: Vincent Li <vincent.mc.li@gmail.com>
Date: Wed Oct 22 19:41:05 2025 -0700
tc-basic-classifier: make tcp and udp port classification
make port classification for both UDP and TCP.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 0bda902c82c755bda1d5ba40d1404051de4e9102
Author: Vincent Li <vincent.mc.li@gmail.com>
Date: Tue Oct 21 19:28:15 2025 -0700
tc-basic-classifier: fix IP endianness and classification on red0
the IP in user space is stored in host order but the bpf program IP lookup
is by network order. also tested IP classification on green0, which is not
working. so should do destination IP classification on the red0 interface,
and the destination IP is going to be Internet destination IP addresses.
need to figure out how to do IP based classification on LAN/green0 network
IPs if required.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit ced17feca631f6963a2439f41ef09a7db048f316 (HEAD -> main)
Author: Vincent Li <vincent.mc.li@gmail.com>
Date: Mon Oct 20 21:28:17 2025 -0700
tc-basic-classifier: fix tcp port endianness bug by AI
AI generated class_filter program stored the tcp port in network order,
but in the bpf program the tcp port is converted to host order, resulting in
tcp port lookup failure, unable to get the correct classid, and failing to do
rate classification.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit a18fe4be0374ab1efb21c1228a5c5790ded7636e
Author: Vincent Li <vincent.mc.li@gmail.com>
Date: Mon Oct 20 19:15:34 2025 -0700
tc-basic-classifier: classify port and IP from bpf map
add port and IP rate classification based on a bpf map so the user could
add or remove port/IP rate classification dynamically at run time.
since TC class works on the egress direction, port rate classification
works on red0 egress, and IP rate classification works on green0 egress
port rate classification:
class_filter -a -b ./class_filter.bpf.o -i red0 -v
class_filter -i red0 --add-port 8080:10:80mbit
class_filter -i red0 --add-port 8081:20:40mbit
class_filter -i red0 --delete-port 8080
class_filter -i red0 --list-ports
IP rate classification:
class_filter -a -b ./class_filter.bpf.o -i green0 -v
class_filter -i red0 --add-ip 192.168.1.0/24:40:30mbit
class_filter -i red0 --delete-ip 192.168.1.0/24
class_filter -i red0 --list-ips
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 12280ef22ae49f75eda047144ed3e9dc0f73e04a
Author: Vincent Li <vincent.mc.li@gmail.com>
Date: Fri Oct 17 19:45:07 2025 -0700
tc-basic-classifier: add user space program
the bpf skel header is generated only if USER_TARGETS
is added in Makefile, so add a dummy user space program.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit fe5cc1814af4c995f61ec08708110deef7a65c45
Author: Vincent Li <vincent.mc.li@gmail.com>
Date: Fri Oct 17 19:28:45 2025 -0700
xdp-tools: rebase on upstream xdp-tools main branch
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 7dee7fd954c06a3c58bedbb5561b9ee65c3f749f
Author: Vincent Li <vincent.mc.li@gmail.com>
Date: Fri Oct 17 18:39:59 2025 -0700
tc-basic-classifier: rename the class filter
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit c2eba600d753df95a81707f7da0ab172ed864ab0
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat Sep 20 14:02:01 2025 +0000
arpwatch: Fix the envelope sender
arpwatch invokes sendmail without passing the envelope sender
explicitly. This causes mails to get rejected if the From: header
does not match the envelope sender.
This patch passes the correct address as the envelope sender.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
makedumpfile build by default in BPFire uses static libdw.a, libelf.a but
libdw.a, libelf.a are not built with zstd which the makedumpfile static
build requires, so build makedumpfile dynamically, see [0].
[0]: https://github.com/vincentmli/bpfire/issues/109
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
6.15.6 include:
From 06a34f7db773e01efa8a90c5b4d912207a80dd60 Mon Sep 17 00:00:00 2001
From: Daniel Borkmann <daniel@iogearbox.net>
Date: Sun, 17 Nov 2024 22:20:30 +0100
Subject: [PATCH] wireguard: device: support big tcp GSO
Advertise GSO_MAX_SIZE as TSO max size in order to support BIG TCP for wireguard.
This helps to improve wireguard performance a bit when enabled as it allows
wireguard to aggregate larger skbs in wg_packet_consume_data_done() via
napi_gro_receive(), but also allows the stack to build larger skbs on xmit
where the driver then segments them before encryption inside wg_xmit().
We've seen a 15% improvement in TCP stream performance.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Link: https://patch.msgid.link/20241117212030.629159-5-Jason@zx2c4.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
---
drivers/net/wireguard/device.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/wireguard/device.c b/drivers/net/wireguard/device.c
index a2ba71fbbed46..6cf173a008e78 100644
--- a/drivers/net/wireguard/device.c
+++ b/drivers/net/wireguard/device.c
@@ -302,6 +302,8 @@ static void wg_setup(struct net_device *dev)
/* We need to keep the dst around in case of icmp replies. */
netif_keep_dst(dev);
+ netif_set_tso_max_size(dev, GSO_MAX_SIZE);
+
wg->dev = dev;
}
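Review bot: The new netif_set_tso_max_size(dev, GSO_MAX_SIZE) call at the end of wg_setup() carries no comment, so the reason the driver raises the TSO limit above the default lives only in the commit message (wg_xmit() segments the larger skbs before encryption, so advertising the full GSO_MAX_SIZE is safe). A one-line comment above the call, e.g. `/* Allow BIG TCP: wg_xmit() segments oversized skbs before encryption. */`, would keep that rationale next to the code, in the same style as the netif_keep_dst() comment just above it.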
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 43867c1e070fc96420a666b0bb21182eff16787b
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sun Apr 27 18:30:59 2025 +0200
wireguard: Add a custom routing table for peers
This is a dirty hack to make connections to VPN providers actually work.
We mark all WG packets after encryption and use a secondary routing
table to look up any routes to the peers. That way, we can replace the
default route in the main routing table without having to care about the
special routes there.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
upgrade to 1.9.10 and enable ebpf AF_XDP
We use xdp-loader to load dnsdist_xdp.bpf.o for dnsdist running
AF_XDP:
xdp-loader load green0 -P 90 -p /sys/fs/bpf/dnsdist -n xdp_dns_filter /usr/lib/bpf/dnsdist_xdp.bpf.o
so the xsk v4/v6 destination map would be:
/sys/fs/bpf/dnsdist/xskDestinationsV4
/sys/fs/bpf/dnsdist/xskDestinationsV6
but dnsdist-xsk.cc has:
static std::string getDestinationMap(bool isV6)
{
return !isV6 ? "/sys/fs/bpf/dnsdist/xsk-destinations-v4" : "/sys/fs/bpf/dnsdist/xsk-destinations-v6";
}
we can't use xsk-destinations-v4/v6 in dnsdist_xdp.bpf.o because a bpf map
could not use '-' in the map definition; '-' would result in a compiling
error.
so we patch dnsdist-xsk.cc to use xskDestinationsV4/V6 that matches the
map name in dnsdist_xdp.bpf.o
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
preparation for pwru:
mount -t debugfs none /sys/kernel/debug
echo 0 > /proc/sys/kernel/kptr_restrict
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
pwru requires golang > 1.24.1
Delete the existing build/usr/lib/go directory before upgrading go
rm -rf build/usr/lib/go
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
test out the new loxilb with fix for kernel 6.12 issue
git clone --recurse-submodules https://github.com/loxilb-io/loxilb.git
mv loxilb loxilb-0.9.9
tar czvf loxilb-0.9.9.tar.gz loxilb-0.9.9
mv loxilb-0.9.9.tar.gz <BPFire source>/cache
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
UDP DDoS has a pattern of flooding the game server with
random source IPs and UDP with random payload. game
server UDP traffic requires a certain payload
pattern, so this XDP program can serve as an example
to stop a UDP DDoS attack with UDP payload that does not
match the game UDP traffic payload pattern.
without UDP DDoS protection, under DDoS attack:
BPFire UI RED Traffic: in 9xx Mbit/s.
with UDP DDoS protection, under DDoS attack:
BPFire UI RED Traffic: in 1xx Mbit/s.
Tested-by: Muhammad Haikal <eykalpirates@gmail.com>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
XDP generated SYNACK tcp options with window
scaling and timestamp could intermittently cause
small packet transmission on DDoS protected server.
allow user to disable window scaling when such
problem occurs. see [0]
[0]: https://github.com/vincentmli/xdp-tools/issues/7
Reported-by: DNSPROXY.ORG LLC <dnsproxyorg@gmail.com>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
move haproxy to core package
prepare /var/ipfire/haproxy for haproxy UI, use
/var/ipfire/haproxy/haproxy.cfg
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
When the XDP DDoS syncookie program is attached
to the red0 interface, green network client internet
connections to websites like gmail/youtube... failed.
it is because these sites do not have the IP DF flag
set for each tcp packet, and the syncookie_xdp program
would drop these packets when they arrived at the red0
interface.
see https://github.com/vincentmli/BPFire/issues/59
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
suricata XDP support requires xdp-tools with
libbpf 1.4 to resolve stack smash issue.
also work around memlock operation not permitted
by running suricata as root since loading/attaching an
XDP program requires root privilege anyway.
see: https://github.com/vincentmli/BPFire/issues/54
Usage scenario:
since suricata IPS XDP capture mode works as a
layer 2 bridge, the BPFire netfilter firewall, NAT and
IP routing will be bypassed. no IP address should
be assigned to the red0 and green0 interfaces.
172.16.1.0/24 inline 172.16.1.0/24
red network<-->red0(xdp)<-->green0(xdp)<-->green network
we can run the setup command to assign IP/Mask 0.0.0.0/0.0.0.0
to red0 and green0, then reboot BPFire. BPFire DHCP
will stop working after reboot. green network clients
can get DHCP IPs from the upstream dhcp server.
start suricata manually
suricata -c /etc/suricata/suricata-xdp.yaml --af-packet
xdp_filter.bpf program will be attached to the red0 and green0
interfaces
not sure if we should add a GUI for suricata XDP capture mode
since this is not a common use case.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>