bpfire

mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-09 18:45:54 +02:00

Author	SHA1	Message	Date
Vincent Li	c74e903b32	wireguard: Add a custom routing tables for peers commit 43867c1e070fc96420a666b0bb21182eff16787b Author: Michael Tremer <michael.tremer@ipfire.org> Date: Sun Apr 27 18:30:59 2025 +0200 wireguard: Add a custom routing table for peers This is a dirty hack to make connections to VPN providers actually work. We mark all WG packets after encryption and use a secondary routing table to look up any routes to the peers. That way, we can replace the default route in the main routing table without having to care about the special routes there. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-07-02 18:43:53 +00:00
Vincent Li	dd9a60e720	wireguard-tools: backport IPFire wireguard-tools Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-07-02 16:04:52 +00:00
Vincent Li	279f1e8e86	knot: upgrade to 3.4.7 and add kxdpgun enable XDP to add kxdpgun utility for dnsdist AF_XDP performance test [0] [0]: https://www.dnsdist.org/advanced/xsk.html Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-06-23 18:41:56 +00:00
Vincent Li	b78ee945cd	xdp-tools: add dnsdist XDP program upgrade xdp-tools to 1.5.5 and add dnsdist_xdp.bpf.o for dnsdist xsk AF_XDP xdp-loader load green0 -P 90 -p /sys/fs/bpf/dnsdist \ -n xdp_dns_filter /usr/lib/bpf/dnsdist_xdp.bpf.o Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-06-21 17:40:40 +00:00
Vincent Li	d81f2b838e	dnsdist: add sample xsk AF_XDP config Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-06-21 17:37:01 +00:00
Vincent Li	3132f7bc78	dnsdist: enable ebpf xsk AF_XDP upgrade to 1.9.10 and enable ebpf AF_XDP We use xdp-loader to load dnsdist_xdp.bpf.o for dnsdist running AF_XDP: xdp-loader load green0 -P 90 -p /sys/fs/bpf/dnsdist -n xdp_dns_filter /usr/lib/bpf/dnsdist_xdp.bpf.o so the xsk v4/v6 destination map would be: /sys/fs/bpf/dnsdist/xskDestinationsV4 /sys/fs/bpf/dnsdist/xskDestinationsV6 but dnsdist-xsk.cc has: static std::string getDestinationMap(bool isV6) { return !isV6 ? "/sys/fs/bpf/dnsdist/xsk-destinations-v4" : "/sys/fs/bpf/dnsdist/xsk-destinations-v6"; } we can't use xsk-destinations-v4/v6 in dnsdist_xdp.bpf.o because bpf map could not use '-' in map definition, '-' would result in compiling error. so we patch dnsdist-xsk.cc to use xskDestinationsV4/V6 that matches the map name in dnsdist_xdp.bpf.o Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-06-21 17:27:52 +00:00
Vincent Li	2e3ea0ae64	pwru: ebpf pwru addon for network diagnosis preparation for pwru: mount -t debugfs none /sys/kernel/debug echo 0 > /proc/sys/kernel/kptr_restrict Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-06-11 23:00:56 +00:00
Vincent Li	9d50babeb9	golang: upgrade to 1.24.4 pwru requires golang > 1.24.1 Delete existing build/usr/lib/go directory before upgrade go rm -rf build/usr/lib/go Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-06-11 22:31:03 +00:00
Vincent Li	bdee533f04	libbpf-bootstrap: base for importing libbpf-tools add libbpf-bootstrap as base to import bcc libbpf-tools Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-05-23 20:05:48 +00:00
Vincent Li	465f1e2328	Perl: add Net-ISP-Balance addon Perl Net-ISP-Balance can be used for ISP Internet connection load balancing [0], it depends on Net-Netmask module. [0]: https://lstein.github.io/Net-ISP-Balance/ Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-05-21 15:53:12 +00:00
Vincent Li	1726f3bd3b	strace: sync strace 6.12 upgrade from ipfire sync strace upgrade from ipfire strace 6.12 fix: https://github.com/vincentmli/BPFire/issues/90 Reported-by: Harvey Li <lhw365@gmail.com> Signd-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-05-21 15:53:12 +00:00
Vincent Li	18ec4f2b87	udev: sync update from ipfire commit d19b71301d08db94341eae1d62500a928a8f6712 Author: Arne Fitzenreiter <arne_f@ipfire.org> Date: Thu Dec 26 10:19:20 2024 +0100 udev: patch to handle pidfs and bcachefs this is needed to build udev with kernel 6.12 headers Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> fix: https://github.com/vincentmli/BPFire/issues/89 Reported-by: Harvey Li <lhw365@gmail.com> Signd-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-05-21 15:53:03 +00:00
Vincent Li	93a5a7af7b	xdp-tools: rebased on upstream 1.5.4 included recent changes: 1 fix for xdp-dns for [0] 2 tc-loader to load tc ebpf program [0]: https://github.com/vincentmli/BPFire/issues/87 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-05-14 20:35:57 +00:00
Vincent Li	c25bc27049	dnsdist: upgrade to 1.9.9 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-05-09 20:19:42 +00:00
Vincent Li	58e92cbb36	loxilb: upgrade to 0.9.8.3 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-05-09 20:19:42 +00:00
Vincent Li	8af09f38e0	README: update README Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-05-09 20:19:35 +00:00
Vincent Li	e2856c1c7e	loxilb-tc: remove loxilb-tc loxilb 0.9.8 load tc BPF program through libbpf so iproute tc utility is not needed. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-03-03 17:19:15 +00:00
Vincent Li	83cf08dfa0	loxilb: upgrade loxilb to 0.9.8.1 0.9.8.1 release workaround linux kernel 6.12 bpf verifier issue. git clone --recurse-submodules --branch v0.9.8.1 https://github.com/loxilb-io/loxilb.git cd loxilb go mod vendor cd .. mv loxilb loxilb-0.9.8.1 tar czvf loxilb-0.9.8.1.tar.gz loxilb-0.9.8.1 see https://github.com/loxilb-io/loxilb/issues/953 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-03-03 17:14:47 +00:00
Vincent Li	1cbd76f718	linux: upgrade kernel to 6.12.5 loxilb dev branch has fix for kernel 6.12. now we can upgrade kernel to 6.12.5 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-02-11 23:44:14 +00:00
Vincent Li	fe2ad5da66	loxilb: upgrade to loxilb dev main branch test out the new loxilb with fix for kernel 6.12 issue git clone --recurse-submodules https://github.com/loxilb-io/loxilb.git mv loxilb loxilb-0.9.9 tar czvf loxilb-0.9.9.tar.gz loxilb-0.9.9 mv loxilb-0.9.9.tar.gz <BPFire source>/cache Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-02-11 23:40:53 +00:00
Vincent Li	2daee785d4	lunatik: remove lunatik Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-02-04 17:07:13 +00:00
Vincent Li	064136634c	linux: downgrade kernel to 6.10.11 workaround https://github.com/vincentmli/BPFire/issues/75 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-02-04 16:56:51 +00:00
Vincent Li	b040fb1c8a	llvm-project: upgrade to 19.1.7 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-02-04 16:47:07 +00:00
Vincent Li	4e9bff5b57	loxicmd: upgrade loxicmd to 0.9.8 git clone --branch v0.9.8 https://github.com/loxilb-io/loxicmd.git cd loxicmd go mod vendor cd .. mv loxicmd loxicmd-0.9.8 tar czvf loxicmd-0.9.8.tar.gz loxicmd-0.9.8 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-01-29 16:27:08 +00:00
Vincent Li	017a03c86b	loxilb: upgrade loxilb to 0.9.8 when upgrading loxilb to 0.9.7, running into issue https://github.com/loxilb-io/loxilb/issues/948 following method to prepare the loxilb source tar ball resolves the issue git clone --recurse-submodules --branch v0.9.8 https://github.com/loxilb-io/loxilb.git cd loxilb go mod vendor cd .. mv loxilb loxilb-0.9.8 tar zcvf loxilb-0.9.8.tar.gz loxilb-0.9.8 mv loxilb-0.9.8.tar.gz <BPFire source>/cache/ fix: https://github.com/vincentmli/BPFire/issues/74 also backported libbpf 1.2.3 lonngarch64 to libbpf 0.8 for loxilb Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-01-29 01:19:21 +00:00
Vincent Li	17d49c9d64	linux: upgrade kernel to 6.12.5 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-01-02 18:11:19 +00:00
Vincent Li	09c182c75a	xdp-tools: XDP UDP DDoS for online game protection UDP DDoS has pattern of flooding game server with random source IP and UDP with random payload. game server UDP traffic requires certain payload pattern, so this XDP program can serve as example to stop UDP DDoS attack with UDP payload that does not match game UDP traffic payload pattern. without UDP DDoS protection, under DDoS attack: BPFire UI RED Traffic: in 9xx Mbit/s. with UDP DDoS protection, under DDoS attack: BPFire UI RED Traffic: in 1xx Mbit/s. Tested-by: Muhammad Haikal <eykalpirates@gmail.com> Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-11-27 18:32:10 +00:00
Vincent Li	5de3f44cc7	xdp-synproxy: enable or disable window scaling XDP generated SYNACK tcp options with window scaling and timestamp could intermittently cause small packet transmission on DDoS protected server. allow user to disable window scaling when such problem occurs. see [0] [0]: https://github.com/vincentmli/xdp-tools/issues/7 Reported-by: DNSPROXY.ORG LLC <dnsproxyorg@gmail.com> Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-11-12 01:22:27 +00:00
Vincent Li	0a726a99ac	haproxy: move haproxy to core package move haproxy to core package prepare /var/ipfire/haproxy for haproxy UI, use /var/ipfire/haproxy/haproxy.cfg Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-28 02:44:48 +00:00
Vincent Li	a600787c67	xdp-synproxy: drop IP don't fragment check When XDP DDoS syncookie program is attached to red0 interface, green network client internet connection to website like gmail/youtube... failed. it is because these sites does not have IP DF flag set for each tcp packet, and syncookie_xdp program would drop these packets when they arrived at red0 interface. see https://github.com/vincentmli/BPFire/issues/59 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-25 20:35:33 +00:00
Vincent Li	25da9eb467	ddos: Load/Attach XDP DDoS when reboot fix: https://github.com/vincentmli/BPFire/issues/58 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-22 18:48:11 +00:00
Vincent Li	8b29912521	suricata-xdp: resolve memlock and stack smashing suricata XDP support requires xdp-tools with libbpf 1.4 to resolve stack smash issue. also workaround memlock operation not permitted by running suricata as root since load/attach XDP program requires root privilige anyway. see: https://github.com/vincentmli/BPFire/issues/54 Usage scenario: since suricata IPS XDP capture mode works as layer 2 bridge, BPFire netfilter firewall, NAT IP route will be bypassed. no IP address should be assigned to red0 and green0 interface. 172.16.1.0/24 inline 172.16.1.0/24 red network<-->red0(xdp)<-->green0(xdp)<-->green network we can run setup command to assign IP/Mask 0.0.0.0/0.0.0.0 to red0 and green0, then reboot BPFire, BPFire DHCP will stops working after reboot. green network client can get DHCP IP from upstream dhcp server. start suricata manually suricata -c /etc/suricata/suricata-xdp.yaml --af-packet xdp_filter.bpf program will be attached to red0 and gree0 interface not sure if we should add GUI for suricata XDP capture mode since this is not common use case. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-18 19:47:59 +00:00
Vincent Li	3e17c7b30b	xdp-tools: build xdp-tools with libbpf 1.4.6 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-18 17:16:17 +00:00
Vincent Li	40c097ff8a	libbpf: upgrade to 1.4.6 xdp-tools libxdb requires libbpf 1.4.0 and above to fix stack smashing issue. see: https://github.com/xdp-project/xdp-tools/issues/446 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-18 17:16:09 +00:00
Vincent Li	1eceb143ed	suricata: add suricata ebpf xdp capture mode Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-17 02:11:19 +00:00
Vincent Li	f689a70b7e	Revert "Revert "lunatik: 'bpf_luaxdp_run': BTF not found in kernel"" This reverts commit `0e29b73703`. switch to libbpf 1.3	2024-10-15 15:25:50 +00:00
Vincent Li	9c28bd419d	xdp-geoip: Add XDP GeoIP location init Add XDP GeoIP country/region location block init script Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-13 20:35:44 +00:00
Vincent Li	86a9264a25	xdp-geoip: add XDP GeoIP program Add XDP GeoIP program to do location IP block in XDP. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-12 20:33:12 +00:00
Vincent Li	a118df6060	xdp-sni: switch LPM trie map to hash map switch xdp_sni.bpf.o LPM trie map to hash map to reduce code complexity and avoid verifier error now need to add domain and its sub domain to hash map to block each domain and its sub domain site. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-09 02:48:38 +00:00
Vincent Li	34f9da85dd	xdp-sni: add XDP TLS SNI init script xdpsni add xdpsni init script and enable XDP TLS SNI by default on first boot and reboot. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-08 02:21:17 +00:00
Vincent Li	d334d39e3f	xdp-sni: add XDP TLS SNI logging add XDP TLS SNI logging with bpf ringbuf drop xdp_sni.bpf.o reverse_string due to bpf verifier complaining program is too large. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-08 01:05:01 +00:00
Vincent Li	07c6172576	xdp-dns: missing xdpdns-settings and domainfile add the missing config/cfgroot/xdpdns-settings file and use ENABLE_DNSBLOCK=on by default, so XDP DNS Blocklist is enabled by default. also add domainfile so when BPFire reboot first time and when xdpdns init startup, it will not complain missing domainfile Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-07 03:01:36 +00:00
Vincent Li	8b3cdb2ebe	xdp-tools: fix xdp-dns XDP program byte reverse domain name in xdp_dns.bpf.o not reversed properly result in domain name mismatch with domain inserted from user space xdp_dns Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-04 21:36:09 +00:00
Vincent Li	ccf49b1105	xdp-dns: update xdp_dns to correct map change xdp_dns to use /sys/fs/bpf/xdp-dns-denylist/domain_denylist Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-04 04:06:00 +00:00
Vincent Li	cc8ccb35bf	xdp-dns: enable XDP DNS block when reboot if XDP DNS is enabled, and BPFire reboot, XDP DNS program should be attached and DNS query being monitored after reboot. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-03 17:29:16 +00:00
Vincent Li	92cd7ca970	llvm-project: upgrade to 18.1.0 xdp_dns.bpf.o failed to load with verifier error program too large, upgrade llvm/clang to 18.1.0 resolves the issue fix: https://github.com/vincentmli/BPFire/issues/47 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-03 00:48:43 +00:00
Vincent Li	13530fa1ef	xdp-tools: remove dns query from xdp-dnsrrl also change user space xdp_dns_log program to use map /sys/fs/bpf/xdp-dns-denylist/dns_ringbuf Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-02 20:20:48 +00:00
Vincent Li	d30a7b2318	xdp-dns: add start/stop init script and settings add xdpdns init script to load/unload xdp_dns_denylist program and run xdp_dns_log to log dns query to system log rm log/configroot log/initscripts to build image Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-02 18:23:44 +00:00
Vincent Li	652ab98e1a	xdp-tools: add xdp-dns system logging add bpf ringbuf to xdp-dns program and user space program to log DNS query to system log. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-01 23:45:03 +00:00
Vincent Li	c1281a47ea	lunatik: checksum update Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-30 16:28:51 +00:00

1 2 3 4 5 ...

9416 Commits