this is initial kdump and kdump scripts, it looks when run kdump-config
load the first time, the kdump kernel can be loaded, and test crash dump
with echo c > /proc/sysrq-trigger result in system hang forever, then
had to power reset. after power reset, kdump-config load could no longer
load the kdump kernel, errors out with:
[root@bpfire-3 crash]# kdump-config load
cp: cannot stat '/etc/kdump/sysctl.conf': No such file or directory
Creating symlink /var/lib/kdump/vmlinuz.
ln: failed to create symbolic link '/var/lib/kdump/vmlinuz': No such file or directory
Unable to locate kernel hook ... failed!
Can't find kernel text map area from kcore
Cannot load /boot/vmlinuz-6.15.6-ipfire
failed to load kdump kernel ... failed!
so kdump is not working properly, but add the kdump scripts anyway, the
issue can be investigated later in future.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
makedumpfile build by default in BPFire use static libdw.a, libelf.a but
libdw.a, libelf.a are not build with zstd which makdedumpfile static
build requires, so build makedumpfile dynamically, see [0].
[0]: https://github.com/vincentmli/bpfire/issues/109
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 68a3334413efb1a963b7cc6c6dca1ec0126e1cc1
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Jul 18 08:42:12 2025 +0000
wireguard-functions.pl: Automatically skip IPv6 subnets
Since we do not support this and some VPN providers generate
configuration files that send any data over to them, we simply ignore
any IPv6 subnets.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit f7565a885b55384a64edd8bd73079143a04da519
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Jul 18 09:57:34 2025 +0000
wireguard-functions.pl: Remove any carriage returns on import
Some files might include carriage returns which won't be removed by
chomp() on Linux. To be extra safe, we remove them manually.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Choose one IP from client pool and add it to road warrior interface
wg0 so road warrior VPN client could reach firewall through the VPN
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
missing set_defaults sub result in error when generate
flash image during build after add wireguard UI
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit d6868ae94c63d0f708985e6bb6604a4bd40cf1a8
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Sep 6 18:20:46 2024 +0200
firewall: Allow WG traffic when the firewall is in permissive mode
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 1de96a83d6d6cec5d4d3eda1792aa80bfbd8fafe
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed Apr 23 12:35:52 2025 +0200
firewall: Add support for WireGuard peers to groups
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 37174e29de670a33f9be4b90c88b0a96c695dad1
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Sep 27 17:55:46 2024 +0200
wireguard.cgi: Normalize filenames
This is because Windows clients won't import any configurations that
have spaces in the filename. Therefore we replace it and remove anything
else unwanted on the way.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 06dbc836a47160d51ab10f8b9d4ca356beaa7cdb
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Apr 16 18:06:47 2024 +0200
wireguard.cgi: Add a basic CGI to configure the global settings
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
preparation for pwru:
mount -t debugfs none /sys/kernel/debug
echo 0 > /proc/sys/kernel/kptr_restrict
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit f89feeb19 "kernel: use BPFire logo in kernel" replaced
ipfire logo with bpfire logo, but forgot to add the bpfire logo
file and remove the ipfire logo file
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
loxilb 0.9.8 requires --egress flag for firewall
rule to masquerade/SNAT GREEN network source IP
for Internet access. to access host in RED network
another firewall rule is required. see [0].
[0]: https://github.com/loxilb-io/loxilb/issues/957
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
pwru is an utility to trouble shoot network issue,
and to speed up pwru kprobe attachement, kernel needs
to have CONFIG_FPROBE.
running pwru also result in:
Opening kprobe-multi: invalid argument \
(missing kernel symbol or prog's AttachType not AttachTraceKprobeMulti?)
need following to avoid above invalid argument
echo -1 > /proc/sys/kernel/perf_event_paranoid
echo 0 > /proc/sys/kernel/kptr_restrict
see https://github.com/cilium/pwru/issues/460
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
UDP DDoS has pattern of flooding game server with
random source IP and UDP with random payload. game
server UDP traffic requires certain payload
pattern, so this XDP program can serve as example
to stop UDP DDoS attack with UDP payload that does not
match game UDP traffic payload pattern.
without UDP DDoS protection, under DDoS attack:
BPFire UI RED Traffic: in 9xx Mbit/s.
with UDP DDoS protection, under DDoS attack:
BPFire UI RED Traffic: in 1xx Mbit/s.
Tested-by: Muhammad Haikal <eykalpirates@gmail.com>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
move haproxy to core package
prepare /var/ipfire/haproxy for haproxy UI, use
/var/ipfire/haproxy/haproxy.cfg
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
suricata XDP support requires xdp-tools with
libbpf 1.4 to resolve stack smash issue.
also workaround memlock operation not permitted
by running suricata as root since load/attach
XDP program requires root privilige anyway.
see: https://github.com/vincentmli/BPFire/issues/54
Usage scenario:
since suricata IPS XDP capture mode works as
layer 2 bridge, BPFire netfilter firewall, NAT
IP route will be bypassed. no IP address should
be assigned to red0 and green0 interface.
172.16.1.0/24 inline 172.16.1.0/24
red network<-->red0(xdp)<-->green0(xdp)<-->green network
we can run setup command to assign IP/Mask 0.0.0.0/0.0.0.0
to red0 and green0, then reboot BPFire, BPFire DHCP
will stops working after reboot. green network client
can get DHCP IP from upstream dhcp server.
start suricata manually
suricata -c /etc/suricata/suricata-xdp.yaml --af-packet
xdp_filter.bpf program will be attached to red0 and gree0
interface
not sure if we should add GUI for suricata XDP capture mode
since this is not common use case.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
