webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-09 18:45:54 +02:00
Code Issues Packages Projects Releases Wiki Activity
21,663 Commits 2 Branches 1 Tag
0f4e6612dfd8e2ba674a16b79afbecfa5489cb6b
Commit Graph

11781 Commits

Author SHA1 Message Date
Vincent Li
dd9a60e720 wireguard-tools: backport IPFire wireguard-tools 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-07-02 16:04:52 +00:00
Vincent Li
4e665f6a3c dnsdist: correct xsk sample config 
when use /etc/rc.d/init.d/dnsdist to start dnsdist with the sample
xsk config, it results in startup error [0]. Correct the xsk sample config.

[0]: https://github.com/PowerDNS/pdns/discussions/15713

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-06-25 16:17:36 +00:00
Vincent Li
b78ee945cd xdp-tools: add dnsdist XDP program 
upgrade xdp-tools to 1.5.5 and add dnsdist_xdp.bpf.o
for dnsdist xsk AF_XDP

xdp-loader load green0 -P 90 -p /sys/fs/bpf/dnsdist \
    -n xdp_dns_filter /usr/lib/bpf/dnsdist_xdp.bpf.o

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-06-21 17:40:40 +00:00
Vincent Li
d81f2b838e dnsdist: add sample xsk AF_XDP config 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-06-21 17:37:01 +00:00
Vincent Li
e51ee79752 dnsdist: move dnsdist to core package 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-06-21 17:32:06 +00:00
Vincent Li
2e3ea0ae64 pwru: ebpf pwru addon for network diagnosis 
preparation for pwru:

mount -t debugfs none /sys/kernel/debug
echo 0 > /proc/sys/kernel/kptr_restrict

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-06-11 23:00:56 +00:00
Vincent Li
bdee533f04 libbpf-bootstrap: base for importing libbpf-tools 
add libbpf-bootstrap as base to import bcc libbpf-tools

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-05-23 20:05:48 +00:00
Vincent Li
465f1e2328 Perl: add Net-ISP-Balance addon 
Perl Net-ISP-Balance can be used for ISP Internet connection
load balancing [0], it depends on Net-Netmask module.

[0]: https://lstein.github.io/Net-ISP-Balance/

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-05-21 15:53:12 +00:00
Vincent Li
3b672339ef keepalived: remove keepalived.conf.sample 
keepalived configuration is moved to /var/ipfire/keepalived

fix: https://github.com/vincentmli/BPFire/issues/92
Reported-by: Harvey Li <lhw365@gmail.com>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-05-21 15:53:12 +00:00
Vincent Li
33f4a2b1b1 haproxy: remove /etc/haproxy/haproxy.cfg 
remove /etc/haproxy/haproxy.cfg since lfs/haproxy
installed haproxy.cfg to /var/ipfire/haproxy

fix: https://github.com/vincentmli/BPFire/issues/92
Reported-by: Harvey Li <lhw365@gmail.com>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-05-21 15:53:12 +00:00
Vincent Li
93a5a7af7b xdp-tools: rebased on upstream 1.5.4 
included recent changes:

1 fix for xdp-dns for [0]
2 tc-loader to load tc ebpf program

[0]: https://github.com/vincentmli/BPFire/issues/87

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-05-14 20:35:57 +00:00
Vincent Li
25421aed06 logo: add missing bpfire logo 
commit f89feeb19 "kernel: use BPFire logo in kernel" replaced
ipfire logo with bpfire logo, but forgot to add the bpfire logo
file and remove the ipfire logo file

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-05-10 03:38:17 +00:00
Vincent Li
e2856c1c7e loxilb-tc: remove loxilb-tc 
loxilb 0.9.8 load tc BPF program through libbpf
so iproute tc utility is not needed.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-03-03 17:19:15 +00:00
Vincent Li
0e2047f080 linux: enable bootparam hardlockup/softlockup 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-02-23 04:36:14 +00:00
Vincent Li
f3881747be loxilb: change default loxilb firewall setting 
loxilb 0.9.8 requires --egress flag for firewall
rule to masquerade/SNAT GREEN network source IP
for Internet access. to access host in RED network
another firewall rule is required.  see [0].

[0]: https://github.com/loxilb-io/loxilb/issues/957

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-02-10 16:44:58 +00:00
Vincent Li
2daee785d4 lunatik: remove lunatik 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-02-04 17:07:13 +00:00
Vincent Li
0ba17ebe5d lfs/linux: perf tool install missed 
perf tool is built alone with Linux, but
missed to install the perf tool in image

fix: https://github.com/vincentmli/BPFire/issues/65

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-12-03 03:46:09 +00:00
Vincent Li
1bfeb4b322 lfs/linux: enable CONFIG_FPROBE for multi kprobe 
pwru is an utility to trouble shoot network issue,
and to speed up pwru kprobe attachement, kernel needs
to have CONFIG_FPROBE.

running pwru also result in:

Opening kprobe-multi: invalid argument \
(missing kernel symbol or prog's AttachType not AttachTraceKprobeMulti?)

need following to avoid above invalid argument

    echo -1 > /proc/sys/kernel/perf_event_paranoid
    echo 0 > /proc/sys/kernel/kptr_restrict

see https://github.com/cilium/pwru/issues/460

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-12-03 02:44:14 +00:00
Vincent Li
09c182c75a xdp-tools: XDP UDP DDoS for online game protection 
UDP DDoS has pattern of flooding game server with
random source IP and UDP with random payload. game
server UDP traffic requires certain payload
pattern, so this XDP program can serve as example
to stop UDP DDoS attack with UDP payload that does not
match game UDP traffic payload pattern.

without UDP DDoS protection, under DDoS attack:

BPFire UI RED Traffic: in 9xx Mbit/s.

with UDP DDoS protection, under DDoS attack:

BPFire UI RED Traffic: in 1xx Mbit/s.

Tested-by: Muhammad Haikal <eykalpirates@gmail.com>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-11-27 18:32:10 +00:00
Vincent Li
20c65fa4ec kernel: enable signature force config 
Kernel module signature force is disabled
for lunatik kernel module build, enable it
for now.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-11-06 20:28:40 +00:00
Vincent Li
0a726a99ac haproxy: move haproxy to core package 
move haproxy to core package

prepare /var/ipfire/haproxy for haproxy UI, use
/var/ipfire/haproxy/haproxy.cfg

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-10-28 02:44:48 +00:00
Vincent Li
25da9eb467 ddos: Load/Attach XDP DDoS when reboot 
fix: https://github.com/vincentmli/BPFire/issues/58

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-10-22 18:48:11 +00:00
Vincent Li
8b29912521 suricata-xdp: resolve memlock and stack smashing 
suricata XDP support requires xdp-tools with
libbpf 1.4 to resolve stack smash issue.

also workaround memlock operation not permitted
by running suricata as root since load/attach
XDP program requires root privilige anyway.

see: https://github.com/vincentmli/BPFire/issues/54

Usage scenario:

since suricata IPS XDP capture mode works as
layer 2 bridge, BPFire netfilter firewall, NAT
IP route  will be bypassed. no IP address should
be assigned to red0 and green0 interface.

172.16.1.0/24          inline              172.16.1.0/24
red network<-->red0(xdp)<-->green0(xdp)<-->green network

we can run setup command to assign IP/Mask 0.0.0.0/0.0.0.0
to red0 and green0, then reboot BPFire, BPFire DHCP
will stops working after reboot. green network client
can get DHCP IP from upstream dhcp server.

start suricata manually

suricata -c /etc/suricata/suricata-xdp.yaml --af-packet
xdp_filter.bpf program will be attached to red0 and gree0
interface

not sure if we should add GUI for suricata XDP capture mode
since this is not common use case.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-10-18 19:47:59 +00:00
Vincent Li
40c097ff8a libbpf: upgrade to 1.4.6 
xdp-tools libxdb requires libbpf 1.4.0 and above
to fix stack smashing issue.

see: https://github.com/xdp-project/xdp-tools/issues/446

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-10-18 17:16:09 +00:00
Vincent Li
1eceb143ed suricata: add suricata ebpf xdp capture mode 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-10-17 02:11:19 +00:00
Vincent Li
f689a70b7e Revert "Revert "lunatik: 'bpf_luaxdp_run': BTF not found in kernel"" 
This reverts commit 0e29b73703.

switch to libbpf 1.3
 2024-10-15 15:25:50 +00:00
Vincent Li
88e5d0aba7 xdp-geoip: move location block sub menu to BPFire 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-10-14 01:45:39 +00:00
Vincent Li
8d6014683f xdp-geoip: safe call to xdpgeoip init script 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-10-13 20:59:48 +00:00
Vincent Li
9c28bd419d xdp-geoip: Add XDP GeoIP location init 
Add XDP GeoIP country/region location block init script

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-10-13 20:35:44 +00:00
Vincent Li
86a9264a25 xdp-geoip: add XDP GeoIP program 
Add XDP GeoIP program to do location
IP block in XDP.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-10-12 20:33:12 +00:00
Vincent Li
b21febe3e1 xdp-sni UI: XDP TLS/SSL SNI UI management 
XDP TLS/SSL SNI UI to manage the web blocklist

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-10-09 20:38:13 +00:00
Vincent Li
5db52b1717 xdp-sni UI: XDP TLS/SSL SNI log view from UI 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com.
 2024-10-09 00:34:07 +00:00
Vincent Li
e6ac495dfb xdp-sni: safe call wrapper program to xdpsni init 
safe call wrapper program to xdpsni init script
for UI to call

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-10-08 17:41:17 +00:00
Vincent Li
34f9da85dd xdp-sni: add XDP TLS SNI init script xdpsni 
add xdpsni init script and enable XDP TLS SNI by default
on first boot and reboot.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-10-08 02:21:17 +00:00
Vincent Li
d334d39e3f xdp-sni: add XDP TLS SNI logging 
add XDP TLS SNI logging with bpf ringbuf
drop xdp_sni.bpf.o reverse_string due to
bpf verifier complaining program is too large.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-10-08 01:05:01 +00:00
Vincent Li
07c6172576 xdp-dns: missing xdpdns-settings and domainfile 
add the missing config/cfgroot/xdpdns-settings file
and use ENABLE_DNSBLOCK=on by default, so XDP DNS
Blocklist is enabled by default.

also add domainfile so when BPFire reboot first time
and when xdpdns init startup, it will not complain
missing domainfile

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-10-07 03:01:36 +00:00
Vincent Li
2c233eac63 xdp-dns log UI: view DNS query log 
allow user to view DNS query logged by xdp_dns_log
from UI

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-10-04 21:36:03 +00:00
Vincent Li
cdbaa41364 xdp-dns UI: web interface to add XDP DNS blocklist 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-10-04 04:05:53 +00:00
Vincent Li
cc8ccb35bf xdp-dns: enable XDP DNS block when reboot 
if XDP DNS is enabled, and BPFire reboot, XDP
DNS program should be attached and DNS query being
monitored after reboot.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-10-03 17:29:16 +00:00
Vincent Li
f9c8259050 Add xdpdnsctrl program for safe execution 
add xdpdnsctrl to start/stop/status XDP
program from xdpdns.cgi safely.

permission of xdpdnsctrl

chown root.nobody /usr/local/bin/xdpdnsctrl
chmod u+s /usr/local/bin/xdpdnsctrl

result:

-rwsr-x--- 1 root nobody 14672 Mar 19 09:58 /usr/local/bin/xdpdnsctrl
 2024-10-02 18:31:21 +00:00
Vincent Li
d30a7b2318 xdp-dns: add start/stop init script and settings 
add xdpdns init script to load/unload xdp_dns_denylist
program and run xdp_dns_log to log dns query to system log

rm log/configroot log/initscripts to build image

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-10-02 18:23:44 +00:00
Vincent Li
652ab98e1a xdp-tools: add xdp-dns system logging 
add bpf ringbuf to xdp-dns program and
user space program to log DNS query to
system log.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-10-01 23:45:03 +00:00
Vincent Li
32c15c3fe3 xdp-tools: add xdp-sni 
add XDP TLS/SSL SNI parsing

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-09-30 03:24:30 +00:00
Vincent Li
e5ee2e8127 grub2: use bpfire logo in grub2 splash 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-09-21 02:41:51 +00:00
Vincent Li
89baa34b8d Revert "grub: replace ipfire logo with bpfire logo" 
This reverts commit bb773a05d5.

drivers/video/logo/logo_linux_clut224.ppm: Binary PNM is not supported
Use pnmnoraw(1) to convert it to ASCII PNM
make[6]: *** [drivers/video/logo/Makefile:31: drivers/video/logo/logo_linux_clut224.c] Error 1
make[5]: *** [scripts/Makefile.build:485: drivers/video/logo] Error 2
make[4]: *** [scripts/Makefile.build:485: drivers/video] Error 2

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-09-21 02:41:51 +00:00
Vincent Li
ecad4000f2 lunatik: change /lib/modules kernel path to 6.10 
whenever compile kernel due to kernel change
lunatik needs to be recompiled too since
lunatik depends on kernel

change filter example Makefile to depend on
current kernel build version

diff --git a/examples/filter/Makefile b/examples/filter/Makefile
index f7eb0f6d..e30566a2 100644
--- a/examples/filter/Makefile
+++ b/examples/filter/Makefile
@@ -1,10 +1,12 @@
 # SPDX-FileCopyrightText: (c) 2023-2024 Ring Zero Desenvolvimento de Software LTDA
 # SPDX-License-Identifier: MIT OR GPL-2.0-only

+VMLINUX_BTF_PATH = /lib/modules/${shell uname -r}/build
+
 all: vmlinux https.o

 vmlinux:
-       bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h
+       bpftool btf dump file $(VMLINUX_BTF_PATH)/vmlinux format c > vmlinux.h

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-09-21 02:41:51 +00:00
Vincent Li
1f42b720d0 kernel: upgrade to 6.10.11 
upgrade kernel to recent stable release 6.10.11

1, scripts/kconfig/merge_config.sh does not work for 6.10.11
2, vmlinux BTF binary name changed in 6.10.11
3, remove rtl8812au for now since it has compiling error
4, remove 5.15 nfqueue patch since it does not apply cleanly

also see [0]

[0]: https://github.com/vincentmli/BPFire/issues/41

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-09-21 02:39:49 +00:00
Vincent Li
bb773a05d5 grub: replace ipfire logo with bpfire logo 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-09-20 21:31:43 +00:00
Vincent Li
7586e5e517 kernel: disable BTF mismatch 
BTF mismatch is not an issue since
we addressed lunatik kernel module
BTF mismatch issue using the same
chroot binary vmlinux BTF.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-09-18 22:27:39 +00:00
Vincent Li
0e29b73703 Revert "lunatik: 'bpf_luaxdp_run': BTF not found in kernel" 
This reverts commit cacf5f209d.

libbpf version is irrelevant, revert the change

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-09-17 17:23:27 +00:00