add xdpdns init script to load/unload xdp_dns_denylist
program and run xdp_dns_log to log dns query to system log
rm log/configroot log/initscripts to build image
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Lunatik sni filter currently does not work
for BPFire when chrome browser is used due to
clienthello > 1500 bytes, XDP TLS/SSL has
the same issue, to block domain access, it
appears XDP DNS domain blocking works more
reliable than SNI, so if there is need to block
chrome browser for some domain, use XDP DNS
domain blocking as mitigation.
see https://github.com/vincentmli/BPFire/issues/40
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
compile and install perf tool from linux
source for performance monitoring.
change the setting before run perf
echo -1 > /proc/sys/kernel/perf_event_paranoid
echo 0 > /proc/sys/kernel/kptr_restrict
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Add the missing serial linux command so the
flash image can be converted to qcow2, the
bpfire qcow2 image can be deployed in KVM
virtual environment through serial console
installation.
for exmaple:
virsh define BPFire-VM.xml
virsh start BPFire-VM
virsh console BPFire-VM
we will have serial console access to BPFire
VM and the installation will start.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
how to generate logo format:
apt-get install netpbm
1 convert png format to ppm format
pngtopnm bpfire-logo.png > bpfire-logo.ppm
2 reduce the color count to 224
ppmquant 224 bpfire-logo.ppm > bpfire-logo-224.ppm
3 convert ppm raw format to ascii format
pnmnoraw bpfire-logo-224.ppm > bpfire-logo-ascii.ppm
cp bpfire-logo-ascii.ppm config/kernel/
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
This reverts commit bb773a05d5.
drivers/video/logo/logo_linux_clut224.ppm: Binary PNM is not supported
Use pnmnoraw(1) to convert it to ASCII PNM
make[6]: *** [drivers/video/logo/Makefile:31: drivers/video/logo/logo_linux_clut224.c] Error 1
make[5]: *** [scripts/Makefile.build:485: drivers/video/logo] Error 2
make[4]: *** [scripts/Makefile.build:485: drivers/video] Error 2
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
whenever compile kernel due to kernel change
lunatik needs to be recompiled too since
lunatik depends on kernel
change filter example Makefile to depend on
current kernel build version
diff --git a/examples/filter/Makefile b/examples/filter/Makefile
index f7eb0f6d..e30566a2 100644
--- a/examples/filter/Makefile
+++ b/examples/filter/Makefile
@@ -1,10 +1,12 @@
# SPDX-FileCopyrightText: (c) 2023-2024 Ring Zero Desenvolvimento de Software LTDA
# SPDX-License-Identifier: MIT OR GPL-2.0-only
+VMLINUX_BTF_PATH = /lib/modules/${shell uname -r}/build
+
all: vmlinux https.o
vmlinux:
- bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h
+ bpftool btf dump file $(VMLINUX_BTF_PATH)/vmlinux format c > vmlinux.h
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
upgrade kernel to recent stable release 6.10.11
1, scripts/kconfig/merge_config.sh does not work for 6.10.11
2, vmlinux BTF binary name changed in 6.10.11
3, remove rtl8812au for now since it has compiling error
4, remove 5.15 nfqueue patch since it does not apply cleanly
also see [0]
[0]: https://github.com/vincentmli/BPFire/issues/41
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
BTF mismatch is not an issue since
we addressed lunatik kernel module
BTF mismatch issue using the same
chroot binary vmlinux BTF.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
error when run lunatik which loads lunatik kernel modules
root@bpfire-2 lua]# lunatik run examples/filter/sni false
[root@bpfire-2 lua]# dmesg
[ 330.411665] lunatik: loading out-of-tree module taints kernel.
[ 330.411680] lunatik: module verification failed: signature and/or required key missing - tainting kernel
[ 330.433955] Kernel module BTF mismatch detected, BTF debug info may be unavailable for some modules
[ 330.767701] missing module BTF, cannot register kfuncs
BPFire chroot build mount /sys/kernel/btf/vmlinux which is
the host binary vmlinux BTF to build against lunatik kernel module,
which result in above error. adjust BPFire kernel build to save
the binary vmlinux BTF to chroot
/lib/modules/6.6.15-ipfire/build/vmlinux for lunatik kernel module.
create the vmlinux.h from the same binary vmlinux BTF for the ebpf https.o
lunatik kernel module is depending on kernel build, adjust the lunatik
build accordingly when kerne upgrade in future.
See https://github.com/vincentmli/BPFire/issues/40
see https://github.com/luainkernel/lunatik/issues/189
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
xdp-loader to load https.o result in error below:
libbpf: loading kernel BTF '/sys/kernel/btf/vmlinux': 0
libbpf: extern (func ksym) 'bpf_luaxdp_run': not found in kernel or module BTFs
libbpf: failed to load object '/usr/lib/bpf/https.o'
libxdp: Failed to load program filter_https: Invalid argument
Couldn't attach XDP program on iface 'green0': Invalid argument(-22)
xdp-tools/xdp-loader is built statically with libbpf 1.2
should not be xdp-loader libbpf issue
still try to upgrade bpfire libbpf to 1.3.0 for testing
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
kernel requires module to be signed, disable force
signing for now.
insmod: ERROR: could not insert module /lib/modules/6.6.15-ipfire/lunatik/lunatik.ko: Key was rejected by service
set CONFIG_MODULE_SIG_FORCE=n
failed to validate module [lunatik] BTF: -22
set CONFIG_MODULE_ALLOW_BTF_MISMATCH=y
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
lunatik kernel modules requires kernel to be built first
so /lib/modules is available for lunatik
lunatik also requires resolve_btfids under:
/lib/modules/$(VER)-$(VERSUFIX)/build/tools/bpf/resolve_btfids/
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
should not send bpfire user profile to ipfire
to confuse ipfire community, bpfire could setup
such profile collection in the future.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
To block or rate limit DNS query from green
network client, the xdp-dns program should
be attached to green0 interface to scan the
DNS query. attach to red0 interface only get
the DNS response packet from red0(WAN), not
matching the DNS query we want.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
when add loxilb development tree, loxilb requires go >= 1.23.0
ranlib libloxilbdp.a
make[3]: Leaving directory '/usr/src/loxilb-0.9.x/loxilb-ebpf/kernel'
make[2]: Leaving directory '/usr/src/loxilb-0.9.x/loxilb-ebpf'
go: go.mod requires go >= 1.23.0 (running go 1.22.0)
make[1]: *** [Makefile:14: build] Error 1
make[1]: Leaving directory '/usr/src/loxilb-0.9.x'
make: *** [loxilb:76: /usr/src/log/loxilb-0.9.x] Error 2
after upgrading golang to 1.23.0, loxilb development tree result in error
make[2]: Leaving directory '/usr/src/loxilb-0.9.x/loxilb-ebpf'
# runtime
/usr/lib/go/src/runtime/mbitmap_noallocheaders.go:53:2: mallocHeaderSize redeclared in this block
/usr/lib/go/src/runtime/mbitmap.go:71:2: other declaration of mallocHeaderSize
/usr/lib/go/src/runtime/mbitmap_noallocheaders.go:54:2: minSizeForMallocHeader redeclared in this block
the workaround is to remove build/usr/lib/go directory, then
rm log/go-1.23.0, ./make.sh build to re-add go 1.23.0
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
save IP/LB/FW configuration from loxilb UI so
when loxilb restart or bpfire reboot, the configuration
can be restored.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
allow syscall tracing with eBPF like
bcc libbpf-tools opensnoop to trouble
shoot open syscall for UI user nobody
unable to run loxicmd save -a -c /var/ipfire/loxilib/
see https://github.com/vincentmli/BPFire/issues/30
mount -t debugfs none /sys/kernel/debug/
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
add dummy ip 192.0.2.1 in virutal_ipaddress from (TEST-NET-1)
according to https://www.rfc-editor.org/rfc/rfc5737#section-3
for keepalived HA state tracking, the Master will always
have the dummy ip assigned to green0.
add refresh button for HA state refresh
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
when mouse select, vim automatically turns into
visual mode, this is not convienent when copy
and paste in vim with mouse select. create this
setting for root user.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
in HA scenario, the shared/floating VIP
is not configured on the red0 interface
when setup LoxiLB lb from the UI in standby
BPFire, some VIPs are missing since these
VIPs are only configured in the active BPFire.
get VIPs from /var/ipfire/loxilb/ipconfigfile
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
when run loxicmd save -a -c /var/ipfire/loxilb/
ipconfig directory will be created, which conflicts
with loxilb UI that also save virtual ip to
/var/ipfire/loxilb/ipconfig, so rename ipconfig to
ipconfigfile.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
when loxilb is enabled and started, enable the
firewall SNAT for green network so green network
could have initiate outgoing traffic like internet
access.
we can achieve this by restoring firewall SNAT setting
from default /var/ipfire/loxilb/FWconfig.txt when loxilb
start up with --config-path=/var/ipfire/loxilb thanks
to the enhancement addressed in issue:
https://github.com/loxilb-io/loxilb/issues/706
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
LoxiLB 0.9.4 lack of SNAT feature for egress traffic
initiated from BPFire green network, when loxilb is
enabled, it breaks BPFire green network client Internet
access, this issue is fixed in the loxilb development
branch, temporarily I make loxilb development branch
as 0.9.5 in BPFire so I could test the SNAT feature and
it works.
see detail in https://github.com/loxilb-io/loxilb/issues/718
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
