switch xdp_sni.bpf.o LPM trie map to hash map
to reduce code complexity and avoid verifier error
now need to add domain and its sub domain to hash
map to block each domain and its sub domain site.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
add XDP TLS SNI logging with bpf ringbuf
drop xdp_sni.bpf.o reverse_string due to
bpf verifier complaining program is too large.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
add the missing config/cfgroot/xdpdns-settings file
and use ENABLE_DNSBLOCK=on by default, so XDP DNS
Blocklist is enabled by default.
also add domainfile so when BPFire reboot first time
and when xdpdns init startup, it will not complain
missing domainfile
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
domain name in xdp_dns.bpf.o not reversed properly
result in domain name mismatch with domain inserted
from user space xdp_dns
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
if XDP DNS is enabled, and BPFire reboot, XDP
DNS program should be attached and DNS query being
monitored after reboot.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
add xdpdns init script to load/unload xdp_dns_denylist
program and run xdp_dns_log to log dns query to system log
rm log/configroot log/initscripts to build image
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
compile and install perf tool from linux
source for performance monitoring.
change the setting before run perf
echo -1 > /proc/sys/kernel/perf_event_paranoid
echo 0 > /proc/sys/kernel/kptr_restrict
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Add the missing serial linux command so the
flash image can be converted to qcow2, the
bpfire qcow2 image can be deployed in KVM
virtual environment through serial console
installation.
for exmaple:
virsh define BPFire-VM.xml
virsh start BPFire-VM
virsh console BPFire-VM
we will have serial console access to BPFire
VM and the installation will start.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
how to generate logo format:
apt-get install netpbm
1 convert png format to ppm format
pngtopnm bpfire-logo.png > bpfire-logo.ppm
2 reduce the color count to 224
ppmquant 224 bpfire-logo.ppm > bpfire-logo-224.ppm
3 convert ppm raw format to ascii format
pnmnoraw bpfire-logo-224.ppm > bpfire-logo-ascii.ppm
cp bpfire-logo-ascii.ppm config/kernel/
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
whenever compile kernel due to kernel change
lunatik needs to be recompiled too since
lunatik depends on kernel
change filter example Makefile to depend on
current kernel build version
diff --git a/examples/filter/Makefile b/examples/filter/Makefile
index f7eb0f6d..e30566a2 100644
--- a/examples/filter/Makefile
+++ b/examples/filter/Makefile
@@ -1,10 +1,12 @@
# SPDX-FileCopyrightText: (c) 2023-2024 Ring Zero Desenvolvimento de Software LTDA
# SPDX-License-Identifier: MIT OR GPL-2.0-only
+VMLINUX_BTF_PATH = /lib/modules/${shell uname -r}/build
+
all: vmlinux https.o
vmlinux:
- bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h
+ bpftool btf dump file $(VMLINUX_BTF_PATH)/vmlinux format c > vmlinux.h
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
upgrade kernel to recent stable release 6.10.11
1, scripts/kconfig/merge_config.sh does not work for 6.10.11
2, vmlinux BTF binary name changed in 6.10.11
3, remove rtl8812au for now since it has compiling error
4, remove 5.15 nfqueue patch since it does not apply cleanly
also see [0]
[0]: https://github.com/vincentmli/BPFire/issues/41
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
error when run lunatik which loads lunatik kernel modules
root@bpfire-2 lua]# lunatik run examples/filter/sni false
[root@bpfire-2 lua]# dmesg
[ 330.411665] lunatik: loading out-of-tree module taints kernel.
[ 330.411680] lunatik: module verification failed: signature and/or required key missing - tainting kernel
[ 330.433955] Kernel module BTF mismatch detected, BTF debug info may be unavailable for some modules
[ 330.767701] missing module BTF, cannot register kfuncs
BPFire chroot build mount /sys/kernel/btf/vmlinux which is
the host binary vmlinux BTF to build against lunatik kernel module,
which result in above error. adjust BPFire kernel build to save
the binary vmlinux BTF to chroot
/lib/modules/6.6.15-ipfire/build/vmlinux for lunatik kernel module.
create the vmlinux.h from the same binary vmlinux BTF for the ebpf https.o
lunatik kernel module is depending on kernel build, adjust the lunatik
build accordingly when kerne upgrade in future.
See https://github.com/vincentmli/BPFire/issues/40
see https://github.com/luainkernel/lunatik/issues/189
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
xdp-loader to load https.o result in error below:
libbpf: loading kernel BTF '/sys/kernel/btf/vmlinux': 0
libbpf: extern (func ksym) 'bpf_luaxdp_run': not found in kernel or module BTFs
libbpf: failed to load object '/usr/lib/bpf/https.o'
libxdp: Failed to load program filter_https: Invalid argument
Couldn't attach XDP program on iface 'green0': Invalid argument(-22)
xdp-tools/xdp-loader is built statically with libbpf 1.2
should not be xdp-loader libbpf issue
still try to upgrade bpfire libbpf to 1.3.0 for testing
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
lunatik kernel modules requires kernel to be built first
so /lib/modules is available for lunatik
lunatik also requires resolve_btfids under:
/lib/modules/$(VER)-$(VERSUFIX)/build/tools/bpf/resolve_btfids/
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
when add loxilb development tree, loxilb requires go >= 1.23.0
ranlib libloxilbdp.a
make[3]: Leaving directory '/usr/src/loxilb-0.9.x/loxilb-ebpf/kernel'
make[2]: Leaving directory '/usr/src/loxilb-0.9.x/loxilb-ebpf'
go: go.mod requires go >= 1.23.0 (running go 1.22.0)
make[1]: *** [Makefile:14: build] Error 1
make[1]: Leaving directory '/usr/src/loxilb-0.9.x'
make: *** [loxilb:76: /usr/src/log/loxilb-0.9.x] Error 2
after upgrading golang to 1.23.0, loxilb development tree result in error
make[2]: Leaving directory '/usr/src/loxilb-0.9.x/loxilb-ebpf'
# runtime
/usr/lib/go/src/runtime/mbitmap_noallocheaders.go:53:2: mallocHeaderSize redeclared in this block
/usr/lib/go/src/runtime/mbitmap.go:71:2: other declaration of mallocHeaderSize
/usr/lib/go/src/runtime/mbitmap_noallocheaders.go:54:2: minSizeForMallocHeader redeclared in this block
the workaround is to remove build/usr/lib/go directory, then
rm log/go-1.23.0, ./make.sh build to re-add go 1.23.0
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
when mouse select, vim automatically turns into
visual mode, this is not convienent when copy
and paste in vim with mouse select. create this
setting for root user.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
when loxilb is enabled and started, enable the
firewall SNAT for green network so green network
could have initiate outgoing traffic like internet
access.
we can achieve this by restoring firewall SNAT setting
from default /var/ipfire/loxilb/FWconfig.txt when loxilb
start up with --config-path=/var/ipfire/loxilb thanks
to the enhancement addressed in issue:
https://github.com/loxilb-io/loxilb/issues/706
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
LoxiLB 0.9.4 lack of SNAT feature for egress traffic
initiated from BPFire green network, when loxilb is
enabled, it breaks BPFire green network client Internet
access, this issue is fixed in the loxilb development
branch, temporarily I make loxilb development branch
as 0.9.5 in BPFire so I could test the SNAT feature and
it works.
see detail in https://github.com/loxilb-io/loxilb/issues/718
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
When loxilb and keepalived are enabled, after BPFire
rebooted, loxilb and keepalived failed to start and
shows as "STOPPED" from UI, this is not expected since
we want to loxilb and keepalived to continue to be enabled
after reboot based on the enabled state of loxilb and
keepalived before reboot.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
BPFire red0 does not support multicast, need to
have unicast peer configured, then the virtual
ipaddress can be added to red0 interface.
the UI requires /var/ipfire/keepalived/runsettings
/var/ipfire/keepalived/settings to be created, so
add them lfs/configroot
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
change keepalived default config to
/var/ipfire/keepalived/keepalived.conf so keepalived WebUI
could read/write the configuration file. also add
/var/ipfire/keepalived directory
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
keepalived: create /var/ipfire/keepalived
upgrade procedure:
git clone https://github.com/loxilb-io/loxicmd.git
cd loxicmd
git checkout -b v0.9.4 v0.9.4
go mod vendor
cd ..
mv loxicmd loxicmd-0.9.4
tar cvf loxicmd-0.9.4.tar loxicmd-0.9.4
gzip loxicmd-0.9.4.tar
cp loxicmd-0.9.4.tar.gz <BPFire source>/cache/
b2sum <BPFire source>/cache/loxicmd-0.9.4.tar.gz
modify lfs/loxicmd to change the version and b2sum checksum
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
upgrade procedure:
git clone --recurse-submodules https://github.com/loxilb-io/loxilb.git
cd loxilb
git checkout -b v0.9.4 v0.9.4
go mod vendor
cd ..
mv loxilb loxilb-0.9.4
tar cvf loxilb-0.9.4.tar loxilb-0.9.4
gzip loxilb-0.9.4.tar
cp loxilb-0.9.4.tar.gz <BPFire source>/cache/
b2sum <BPFire source>/cache/loxilb-0.9.4.tar.gz
modify lfs/loxilb to change the version and b2sum checksum
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Avoid downloading golang dependency packages
during build time due to issue [0], run
go mod vendor so loxicmd source include vendor
directory to include golang dependency packages
[0]: https://github.com/vincentmli/BPFire/issues/18
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
