if interface does not support native mode
re-run xdp-loader with skb mode, got error
Attaching XDP program in native mode not supported - try SKB mode.
TCP Native mode not supported, try SKB
Replacing allowed ports
Added port 80
Added port 8090
libxdp: Retried more than 11 times, giving up
Couldn't attach XDP program on iface 'lo': Device or resource busy(-16)
UDP Native mode not supported, try SKB
Replacing allowed udp ports
Added port 10408
but it looks loaded ok
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
write to /var/ipfire/ddos/settings file before
enable ddos to allow /etc/rc.d/init.d/ddos script
start up ddos according to the setting from
/var/ipfire/ddos/settings
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
We need to disable BPF trace capability and disallow
unprivileged BPF so
This reverts commit d0bd3cc033.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
XDP dns rate limit program has static tail call
which requires revert xdp-tool commit:
(039bdea "xdp-loader: Only load the BPF program we need from object files")
XDP dns rate limit program also uses bpf_printk helper which is not
supported on FireBeeOS since kernel CONFIG_BPF_EVENTS which allows user
to do kprobe, uprobe, tracepoint is not enabled, so bpf_printk helper is
not available, so removed bpf_printk
see discussion in [0] xdp-loader load xdp program with bpf tail call result in Bad file descriptor(-9)
[0] https://github.com/xdp-project/xdp-tools/issues/377
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
xdp-loader will only load the XDP program without
xdp dispatcher if bpffs is not mounted, flash image
has bpffs mounted already, add bpffs mount for ISO image
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
This reverts commit 0864b3a5ba.
User might be concerned firewall admin user capture SSL clear
text, so remove ecapture.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
This reverts commit 7773f82726.
After ISO installation in real hardware and reboot,
the boot process appears to be "stucking" in
"dracut: Switching root".
see https://github.com/vincentmli/FireBeeOS/issues/1
revert the commit resolves the issue, I suspect maybe
the output after "dractu: Switching root" is directed
to serial console? anyway revert this change temporarily.
flash image build still need to have serial console access
for better user experience when trying flash image in KVM/Libvirt
virtual environment.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
add ddosctrl to start/stop/status XDP
program from ddos.cgi safely.
permission of ddosctrl
chown root.nobody /usr/local/bin/ddosctrl
chmod u+s /usr/local/bin/ddosctrl
result:
-rwsr-x--- 1 root nobody 14672 Mar 19 09:58 /usr/local/bin/ddosctrl
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
XDP SYNPROXY requires setting up iptables rule
in raw table PREROUTING chain and filter table
INPUT chain.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
XDP SYNPROXY rules needs to be first in filter table
INPUT user defined chain and raw table PREROUTING
user defined chain.
To list the custom chain evaluation order for example:
iptables -L INPUT --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 INSYNPROXY all -- anywhere anywhere
2 IPSBYPASS all -- anywhere anywhere mark match 0xc0000000/0xc0000000
3 BADTCP tcp -- anywhere anywhere
4 CUSTOMINPUT all -- anywhere anywhere
5 HOSTILE all -- anywhere anywhere
6 BLOCKLISTIN !icmp -- anywhere anywhere
7 GUARDIAN all -- anywhere anywhere
8 OVPNBLOCK all -- anywhere anywhere
9 IPS_INPUT all -- anywhere anywhere mark match 0x0/0xc0000000
10 IPTVINPUT all -- anywhere anywhere
11 ICMPINPUT all -- anywhere anywhere
12 LOOPBACK all -- anywhere anywhere
13 CAPTIVE_PORTAL all -- anywhere anywhere
14 CONNTRACK all -- anywhere anywhere
15 DHCPGREENINPUT all -- anywhere anywhere
16 TOR_INPUT all -- anywhere anywhere
17 LOCATIONBLOCK all -- anywhere anywhere
18 IPSECINPUT all -- anywhere anywhere
19 GUIINPUT all -- anywhere anywhere
20 WIRELESSINPUT all -- anywhere anywhere ctstate NEW
21 OVPNINPUT all -- anywhere anywhere
22 INPUTFW all -- anywhere anywhere
23 REDINPUT all -- anywhere anywhere
24 POLICYIN all -- anywhere anywhere
iptables -t raw -L PREROUTING --line-numbers
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 RAWSYNPROXY all -- anywhere anywhere
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
when mouse select, vim automatically turns into
visual mode, this is not convienent when copy
and paste in vim with mouse select.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Add China mainland, China hk, China tw
translation. remember to remove log/configroot
to re-build image with new language support
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
bpftool comes with Linux kernel source and
it is handy to have bpftool on ipfire kernel
with BPF/BTF enabled to diagnosis BPF related
issue.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
serial console allows user to easy access
to ipfire image instance in KVM/Libvirt
environment by virt console <ipfire instance>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
We disable cores if the are affected by some cpu vulnerabilities
this cores report errors if you try to change the settings.
So only print the output for core0 and hide it for all cores.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
the initskript loads a test-modul for amd-pstate (which traces on intel)
and off course reports errors if firmware settings are missing.
this also fix the error at start because also amd-pstate doesn't support
ondemand mode.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- OpenSSL was updated to 3.1.4 in CU181 and to 3.2.1 in CU183 but in both cases freeradius
was not incremented to cause it to be shipped.
- This patch increments the freeradius PAK_VER to ensure it will be shipped.
Fixes: Bug#13590
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- If a fresh install is done then only the DROP_HOSTILE_IN & DROP_HOSTILE_OUT
rrd directories are created.
- With the DROP_HOSTILE directory missing then when the fwhits graph is updated an error
message is caused by the inability to open the required files.
- This patch adds an if/else loop into the fwhits graph code to deal with the two cases
of the DROP_HOSTILE being present or not depending on the history and if a backup with
logs has been restored from when DROP_HOSTILE was in use.
- Tested on vm testbed and created a historical line for the hostile data when it was not
split
- There might be a simpler or better approach than this but it was the only option I
could identify. I couldn't find anything about being able to use if loops within the
RRD::Graph loop
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
