Start the WireGuard peer handshake logging in the wireguard init script
through lightweight kernel BPF trampoline (fentry) tracing on a WireGuard
kernel function.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit c2eba600d753df95a81707f7da0ab172ed864ab0
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat Sep 20 14:02:01 2025 +0000
arpwatch: Fix the envelope sender
arpwatch invokes sendmail without passing the envelope sender
explicitly. This causes mails to get rejected if the From: header
does not match the envelope sender.
This patch passes the correct address as the envelope sender.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
This is the initial kdump and kdump scripts. It looks like when running
kdump-config load the first time, the kdump kernel can be loaded, but
testing a crash dump with echo c > /proc/sysrq-trigger results in the
system hanging forever, so a power reset was needed. After the power
reset, kdump-config load could no longer load the kdump kernel and
errors out with:
[root@bpfire-3 crash]# kdump-config load
cp: cannot stat '/etc/kdump/sysctl.conf': No such file or directory
Creating symlink /var/lib/kdump/vmlinuz.
ln: failed to create symbolic link '/var/lib/kdump/vmlinuz': No such file or directory
Unable to locate kernel hook ... failed!
Can't find kernel text map area from kcore
Cannot load /boot/vmlinuz-6.15.6-ipfire
failed to load kdump kernel ... failed!
So kdump is not working properly, but add the kdump scripts anyway; the
issue can be investigated later.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Choose one IP from the client pool and add it to the road warrior interface
wg0 so the road warrior VPN client can reach the firewall through the VPN.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 8fa1831bff7e1d76eb83b145976211aa703062e1
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon Mar 31 16:31:43 2025 +0200
firewall: Collect all networks that should not be NATed in an array
No functional changes.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
firewall: Explicitly don't NAT any aliases
It seems that there is a problem with local connections that have
preselected an outgoing interface. That will work just fine, but
ultimately the packet will be NATed back to the primary RED IP address.
To prevent this, we are adding some extra rules that skip the MASQUERADE
target.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
readhash is added in functions, but it appears not to be used
in initscripts except for testing; assume no impact to
bpfire initscripts.
commit 1c1ff05cdc37fe9ccabda9413c270935c3a45478
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon Mar 31 16:35:26 2025 +0200
firewall: Explicitly don't NAT any aliases
It seems that there is a problem with local connections that have
preselected an outgoing interface. That will work just fine, but
ultimately the packet will be NATed back to the primary RED IP address.
To prevent this, we are adding some extra rules that skip the MASQUERADE
target.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit ff4ff2cfe0c8565a431bf499708dcb6e5c2fb3dc
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Dec 6 16:42:17 2024 +0000
initscripts: readhash: Fix handling = signs
The function expected that a line only contains exactly one equals sign
(=) which is not fit for purpose. In the WireGuard code we hold key
material that is encoded in base64 and therefore contains padding that
uses =.
This patch fixes that we expect exactly one equals sign immediately
after the key and we will then accept more = in the value - which was
already permitted.
Furthermore, this patch fixes the splitting of the key and value at the
first =.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
commit 73661e5ee1acc30e40e41493c8dfca10aa1097d0
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Dec 6 16:42:16 2024 +0000
initscripts: readhash: Only strip quotes if they exist
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
commit 80c1cb5a0a
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:44 2024 +0200
initscripts fkt: Fix shebang
We use features only available in bash. So we should state correctly
that the script should be executed in bash. As sh is a symlink to bash
this makes no difference on an ipfire system. But my linter is less
chatty with this change.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 14ecdd86f1
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:43 2024 +0200
initscripts fkt: keep readhash compatible with older implementation
With the use of eval, BLUE_DEV='blue0 net0' stored "blue0 net0" in the
variable BLUE_DEV, not "'blue0 net0'".
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit f1d94e7457
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:42 2024 +0200
initscripts fkt: readhash should only parse lines with a =
A line without a = is clearly invalid.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 9f72b7bc5f
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:41 2024 +0200
initscripts fkt: Check for invalid values in readhash
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 02254f5543
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:40 2024 +0200
initscripts fkt: ignore invalid keys in readhash
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit d289bc28be
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:39 2024 +0200
initscripts fkt: Ignore comments in readhash
As '#Another Comment' is a valid key we test this change by checking if
the comments do not end up as keys in our array.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 59e3c2a217
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:38 2024 +0200
initscript fkt: ignore blank lines in readhash
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 96bb3ba8b8
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:37 2024 +0200
initscript functions: add readhash
To avoid the usage of eval and to store the config in a key value
array, we introduce a new function. The tests only check if we
read the correct value to the correct variable.
One comment on the implementation as this has created some headache:
From https://www.gnu.org/software/bash/manual/bash.html#Bourne-Shell-Builtins
"When used in a function, declare makes each name local, as with the local command, unless the -g option is used."
So we need to use -g here
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
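The readhash commits above describe a parser that avoids eval, uses declare -g, skips blank lines and comments, requires a = in every line, splits at the first = so base64 padding survives, strips quotes only when present, and ignores invalid keys. The bash function below is an added example that applies those rules to a constructed settings file; it is not the IPFire/BPFire readhash implementation, and its treatment of non-printable characters as invalid values is an assumption of the example.

```bash
#!/bin/bash
# Added example, not the IPFire/BPFire readhash itself: a parser that loads
# KEY=VALUE settings into a global associative array without using eval.
readhash_example() {
	local name="${1}" file="${2}" line key val
	local cmt='^[[:space:]]*#' dq='^"(.*)"$' sq="^'(.*)'\$"
	# -g: without it, declare would make the array local to this function
	declare -gA "${name}"
	while IFS= read -r line || [[ -n "${line}" ]]; do
		# Ignore blank lines and comments ("#Another Comment" is not a key)
		[[ -z "${line}" || "${line}" =~ ${cmt} ]] && continue
		# A line without "=" is invalid
		[[ "${line}" == *=* ]] || continue
		# Split at the FIRST "=", so base64 padding ("==") stays in the value
		key="${line%%=*}"
		val="${line#*=}"
		# Ignore keys that are not valid shell identifiers
		[[ "${key}" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || continue
		# Strip surrounding quotes only if they are actually there
		if [[ "${val}" =~ ${dq} || "${val}" =~ ${sq} ]]; then
			val="${BASH_REMATCH[1]}"
		fi
		# Assumption of this example: values with non-printable characters
		# are invalid and dropped (the commits do not spell out the rule)
		[[ "${val}" =~ [^[:print:]] ]] && continue
		# printf -v assigns into the named array: no eval, no re-expansion
		printf -v "${name}[${key}]" '%s' "${val}"
	done < "${file}"
}

# Constructed sample input exercising every rule above
sample="$(mktemp)"
cat > "${sample}" <<'EOF'
# Another Comment

BLUE_DEV='blue0 net0'
PRIVATE_KEY=AbCdEf==
this line has no equals sign
1BAD=a leading digit is not a valid key
PORT="51820"
ENDPOINT=host=example.invalid
EOF
readhash_example SETTINGS "${sample}"
rm -f "${sample}"
for k in "${!SETTINGS[@]}"; do printf '%s => [%s]\n' "${k}" "${SETTINGS[${k}]}"; done
```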
commit db09ea9e5c
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat Mar 23 14:35:39 2024 +0100
initscripts: Don't overwrite the PID file
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 5900a95059
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat Mar 23 14:31:49 2024 +0100
initscripts: Fix reading PIDs
An incorrect variable has been used.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 6e47a143c9
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat Mar 23 14:30:33 2024 +0100
initscripts: Handle command arguments as array
For some reason, the function is refusing to launch a command that has
extra arguments.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit ed91103e22
Author: Stefan Schantl <stefan.schantl@ipfire.org>
Date: Wed Mar 27 20:39:17 2024 +0100
initscripts: Add generic function to get the filesystem type of a volume
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
commit c3019331df
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Jan 11 15:59:34 2024 +0100
initscripts: Implement storing PIDs in loadproc
Some programs do not write their own PID files any more, but since our
initscripts heavily rely on those, this extension allows storing it
easily.
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
commit dd8ef8cc10
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Jan 11 15:57:50 2024 +0100
initscripts: Fix wrong variable check for $PIDFILE in getpids
getpids() checked whether it needed to pass a pid file to pidofproc, but
the check was inverted.
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit fc32e7b9147d2eeeb6e2bc1497859fb050001eb5
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Apr 16 16:20:55 2024 +0200
firewall: Automatically open ports for WireGuard
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 459bb750298c09990c0c8d4677f0f442887304d0
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat Apr 26 14:30:44 2025 +0200
wireguard: Automatically apply MASQUERADE for peers with local address
In this case we are the client and we cannot leak any local subnets.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
The following commit made changes to networking functions:
commit 76ea485d9edb781328e307c68b1f878d933408e5
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Sep 27 17:39:22 2024 +0200
wireguard: Select the correct source IP address for N2N peers
This is so that the firewall chooses the correct IP address when trying
to establish connections to the remote networks.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit d99826dc71
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Sep 24 10:33:22 2024 +0200
suricata: Enable scanning IPsec packets
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit db151ad716
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sun Sep 22 17:08:03 2024 +0200
suricata: Add support for zones having multiple interfaces
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 1b7d1abdf0
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Sep 10 10:50:15 2024 +0200
suricata: Add option to scan WireGuard
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 79cce701a9
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Sep 10 10:40:28 2024 +0200
suricata: Restore the interface selection
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 3f863ee70d
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat Mar 23 14:32:30 2024 +0100
initscripts: Add some basic functions for IP address maths
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit e340d393d3
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Mar 22 17:40:15 2024 +0100
network: Don't include initscript headers twice
Everywhere we import the functions, we have already imported the
standard includes.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Now x86 and loongarch64 share the same user space
xdp_sni and xdp_dns programs with a path argument to
the bpf map; change the xdpsni and xdpdns init scripts
to use the bpf path argument.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Setting tcp_syncookies to 1 along with the iptables
SYNPROXY module reduces latency. This improves the
situation when XDP acceleration is not enabled
and iptables SYNPROXY alone handles the SYN flood
attack, see [0]
[0]: https://bugzilla.kernel.org/show_bug.cgi?id=219500
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Move haproxy to a core package.
Prepare /var/ipfire/haproxy for the haproxy UI, use
/var/ipfire/haproxy/haproxy.cfg
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Run xdp_dns in the xdpdns init script to populate
domain_denylist from the domainfile saved from the UI.
On either xdpdns restart or bpfire reboot, the domain_denylist
is restored with the domain blocklist.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Add xdpdns init script to load/unload the xdp_dns_denylist
program and run xdp_dns_log to log DNS queries to the system log.
rm log/configroot log/initscripts to build the image.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
To block or rate limit DNS queries from green
network clients, the xdp-dns program should
be attached to the green0 interface to scan the
DNS queries. Attaching to the red0 interface only gets
the DNS response packets from red0 (WAN), not
matching the DNS queries we want.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
When loxilb is enabled and started, enable the
firewall SNAT for the green network so the green network
could initiate outgoing traffic like internet
access.
We can achieve this by restoring the firewall SNAT setting
from the default /var/ipfire/loxilb/FWconfig.txt when loxilb
starts up with --config-path=/var/ipfire/loxilb, thanks
to the enhancement addressed in issue:
https://github.com/loxilb-io/loxilb/issues/706
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
When loxilb and keepalived are enabled, after BPFire
rebooted, loxilb and keepalived failed to start and
show as "STOPPED" in the UI. This is not expected since
we want loxilb and keepalived to continue to be enabled
after reboot based on the enabled state of loxilb and
keepalived before reboot.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
If the interface does not support native mode,
re-run xdp-loader in skb mode. Got error:
Attaching XDP program in native mode not supported - try SKB mode.
TCP Native mode not supported, try SKB
Replacing allowed ports
Added port 80
Added port 8090
libxdp: Retried more than 11 times, giving up
Couldn't attach XDP program on iface 'lo': Device or resource busy(-16)
UDP Native mode not supported, try SKB
Replacing allowed udp ports
Added port 10408
but it looks like it loaded OK.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
xdp-loader will only load the XDP program without the
xdp dispatcher if bpffs is not mounted. The flash image
has bpffs mounted already; add the bpffs mount for the ISO image.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Add ddosctrl to start/stop/status the XDP
program from ddos.cgi safely.
Permissions of ddosctrl:
chown root.nobody /usr/local/bin/ddosctrl
chmod u+s /usr/local/bin/ddosctrl
Result:
-rwsr-x--- 1 root nobody 14672 Mar 19 09:58 /usr/local/bin/ddosctrl
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
XDP SYNPROXY rules need to be first in the filter table
INPUT user defined chain and the raw table PREROUTING
user defined chain.
To list the custom chain evaluation order, for example:
iptables -L INPUT --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 INSYNPROXY all -- anywhere anywhere
2 IPSBYPASS all -- anywhere anywhere mark match 0xc0000000/0xc0000000
3 BADTCP tcp -- anywhere anywhere
4 CUSTOMINPUT all -- anywhere anywhere
5 HOSTILE all -- anywhere anywhere
6 BLOCKLISTIN !icmp -- anywhere anywhere
7 GUARDIAN all -- anywhere anywhere
8 OVPNBLOCK all -- anywhere anywhere
9 IPS_INPUT all -- anywhere anywhere mark match 0x0/0xc0000000
10 IPTVINPUT all -- anywhere anywhere
11 ICMPINPUT all -- anywhere anywhere
12 LOOPBACK all -- anywhere anywhere
13 CAPTIVE_PORTAL all -- anywhere anywhere
14 CONNTRACK all -- anywhere anywhere
15 DHCPGREENINPUT all -- anywhere anywhere
16 TOR_INPUT all -- anywhere anywhere
17 LOCATIONBLOCK all -- anywhere anywhere
18 IPSECINPUT all -- anywhere anywhere
19 GUIINPUT all -- anywhere anywhere
20 WIRELESSINPUT all -- anywhere anywhere ctstate NEW
21 OVPNINPUT all -- anywhere anywhere
22 INPUTFW all -- anywhere anywhere
23 REDINPUT all -- anywhere anywhere
24 POLICYIN all -- anywhere anywhere
iptables -t raw -L PREROUTING --line-numbers
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 RAWSYNPROXY all -- anywhere anywhere
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
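The commit above requires INSYNPROXY to be rule 1 of the filter INPUT chain and RAWSYNPROXY rule 1 of the raw PREROUTING chain. The script below is an added example (not BPFire code) that verifies this ordering by parsing listings in the shape of the iptables --line-numbers output quoted above; the listings embedded in it are constructed, shortened copies, one of them deliberately misordered.

```bash
#!/bin/bash
# Added example, not BPFire code: check that the XDP SYNPROXY chains are
# evaluated first, by parsing "iptables -L <chain> --line-numbers" output.

# Rule number of the first rule in the listing (stdin) that jumps to $1.
# Exits non-zero when the target does not appear in the chain.
rule_position() {
	awk -v target="${1}" '
		$1 ~ /^[0-9]+$/ && $2 == target { print $1; found = 1; exit }
		END { exit !found }'
}

# Succeeds only if INSYNPROXY is rule 1 of the filter INPUT listing ($1)
# and RAWSYNPROXY is rule 1 of the raw PREROUTING listing ($2).
synproxy_first() {
	local input_pos raw_pos
	input_pos="$(printf '%s\n' "${1}" | rule_position INSYNPROXY)" || return 1
	raw_pos="$(printf '%s\n' "${2}" | rule_position RAWSYNPROXY)" || return 1
	[[ "${input_pos}" == 1 && "${raw_pos}" == 1 ]]
}

# Constructed listings, shortened from the output quoted in the commit above
INPUT_OK='Chain INPUT (policy DROP)
num target prot opt source destination
1 INSYNPROXY all -- anywhere anywhere
2 IPSBYPASS all -- anywhere anywhere mark match 0xc0000000/0xc0000000
3 BADTCP tcp -- anywhere anywhere
4 CUSTOMINPUT all -- anywhere anywhere'

# Same chain with the SYNPROXY jump inserted too late (constructed)
INPUT_BAD='Chain INPUT (policy DROP)
num target prot opt source destination
1 IPSBYPASS all -- anywhere anywhere mark match 0xc0000000/0xc0000000
2 BADTCP tcp -- anywhere anywhere
3 INSYNPROXY all -- anywhere anywhere'

RAW_OK='Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 RAWSYNPROXY all -- anywhere anywhere'

if synproxy_first "${INPUT_OK}" "${RAW_OK}"; then echo "ok: SYNPROXY chains are first"; fi
if ! synproxy_first "${INPUT_BAD}" "${RAW_OK}"; then echo "misordered: INSYNPROXY is not rule 1"; fi
```

On a live system the same functions can be fed the real output of iptables -L INPUT --line-numbers and iptables -t raw -L PREROUTING --line-numbers after the firewall is reloaded.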