bpfire

mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-09 18:45:54 +02:00

Author	SHA1	Message	Date
Vincent Li	1bf1cdc190	xdp-geoip UI: location block ipset to XDP change location-block UI from calling ipset to calling xdp_geoip to update geoip_map bpf map. see https://github.com/vincentmli/BPFire/issues/53 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-13 03:05:01 +00:00
Vincent Li	86a9264a25	xdp-geoip: add XDP GeoIP program Add XDP GeoIP program to do location IP block in XDP. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-12 20:33:12 +00:00
Vincent Li	f204528cf4	README: Add XDP GeoIP/Country blocklist Vincent Li <vincent.mc.li@gmail.com>	2024-10-12 18:58:01 +00:00
Vincent Li	b21febe3e1	xdp-sni UI: XDP TLS/SSL SNI UI management XDP TLS/SSL SNI UI to manage the web blocklist Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-09 20:38:13 +00:00
Vincent Li	a118df6060	xdp-sni: switch LPM trie map to hash map switch xdp_sni.bpf.o LPM trie map to hash map to reduce code complexity and avoid verifier error now need to add domain and its sub domain to hash map to block each domain and its sub domain site. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-09 02:48:38 +00:00
Vincent Li	5db52b1717	xdp-sni UI: XDP TLS/SSL SNI log view from UI Signed-off-by: Vincent Li <vincent.mc.li@gmail.com.	2024-10-09 00:34:07 +00:00
Vincent Li	e6ac495dfb	xdp-sni: safe call wrapper program to xdpsni init safe call wrapper program to xdpsni init script for UI to call Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-08 17:41:17 +00:00
Vincent Li	34f9da85dd	xdp-sni: add XDP TLS SNI init script xdpsni add xdpsni init script and enable XDP TLS SNI by default on first boot and reboot. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-08 02:21:17 +00:00
Vincent Li	d334d39e3f	xdp-sni: add XDP TLS SNI logging add XDP TLS SNI logging with bpf ringbuf drop xdp_sni.bpf.o reverse_string due to bpf verifier complaining program is too large. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-08 01:05:01 +00:00
Vincent Li	07c6172576	xdp-dns: missing xdpdns-settings and domainfile add the missing config/cfgroot/xdpdns-settings file and use ENABLE_DNSBLOCK=on by default, so XDP DNS Blocklist is enabled by default. also add domainfile so when BPFire reboot first time and when xdpdns init startup, it will not complain missing domainfile Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-07 03:01:36 +00:00
Vincent Li	4d6f8d68a3	xdp-dns UI: change running state check Status relies on checking if xdp_dns_log is running, but xdp_dns_log could mysteriously disappear at some point, which result in XDP DNS Blocklist shows Stopped, let /etc/rc.d/init.d/xdpdns status relies on if the xdp_dns_denylist XDP program is still attached to green0 interface. two related issues https://github.com/vincentmli/BPFire/issues/50 https://github.com/vincentmli/BPFire/issues/49 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-05 23:17:26 +00:00
Vincent Li	4c2fd11de2	xdp-dns UI: rename deny to blocklist Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-05 21:37:04 +00:00
Vincent Li	8b3cdb2ebe	xdp-tools: fix xdp-dns XDP program byte reverse domain name in xdp_dns.bpf.o not reversed properly result in domain name mismatch with domain inserted from user space xdp_dns Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-04 21:36:09 +00:00
Vincent Li	2c233eac63	xdp-dns log UI: view DNS query log allow user to view DNS query logged by xdp_dns_log from UI Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-04 21:36:03 +00:00
Vincent Li	2f4174b560	xdp-dns: xdpdns init script to populate denylist run xdp_dns in xdpdns init script to populate domain_denylist from domainfile saved from UI. either xdpdns restart or bpfire reboot, the domain_denylist is restored with domain blocklist Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-04 17:31:12 +00:00
Vincent Li	ccf49b1105	xdp-dns: update xdp_dns to correct map change xdp_dns to use /sys/fs/bpf/xdp-dns-denylist/domain_denylist Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-04 04:06:00 +00:00
Vincent Li	a165595116	xdp-dns: allow UI to run xdp_dns to update map Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-04 04:06:00 +00:00
Vincent Li	cdbaa41364	xdp-dns UI: web interface to add XDP DNS blocklist Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-04 04:05:53 +00:00
Vincent Li	cc8ccb35bf	xdp-dns: enable XDP DNS block when reboot if XDP DNS is enabled, and BPFire reboot, XDP DNS program should be attached and DNS query being monitored after reboot. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-03 17:29:16 +00:00
Vincent Li	92cd7ca970	llvm-project: upgrade to 18.1.0 xdp_dns.bpf.o failed to load with verifier error program too large, upgrade llvm/clang to 18.1.0 resolves the issue fix: https://github.com/vincentmli/BPFire/issues/47 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-03 00:48:43 +00:00
Vincent Li	13530fa1ef	xdp-tools: remove dns query from xdp-dnsrrl also change user space xdp_dns_log program to use map /sys/fs/bpf/xdp-dns-denylist/dns_ringbuf Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-02 20:20:48 +00:00
Vincent Li	f9c8259050	Add xdpdnsctrl program for safe execution add xdpdnsctrl to start/stop/status XDP program from xdpdns.cgi safely. permission of xdpdnsctrl chown root.nobody /usr/local/bin/xdpdnsctrl chmod u+s /usr/local/bin/xdpdnsctrl result: -rwsr-x--- 1 root nobody 14672 Mar 19 09:58 /usr/local/bin/xdpdnsctrl	2024-10-02 18:31:21 +00:00
Vincent Li	d30a7b2318	xdp-dns: add start/stop init script and settings add xdpdns init script to load/unload xdp_dns_denylist program and run xdp_dns_log to log dns query to system log rm log/configroot log/initscripts to build image Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-02 18:23:44 +00:00
Vincent Li	652ab98e1a	xdp-tools: add xdp-dns system logging add bpf ringbuf to xdp-dns program and user space program to log DNS query to system log. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-01 23:45:03 +00:00
Vincent Li	17d5413bc2	README: update TLS/SSL SNI blocklist to XDP Lunatik sni filter currently does not work for BPFire when chrome browser is used due to clienthello > 1500 bytes, XDP TLS/SSL has the same issue, to block domain access, it appears XDP DNS domain blocking works more reliable than SNI, so if there is need to block chrome browser for some domain, use XDP DNS domain blocking as mitigation. see https://github.com/vincentmli/BPFire/issues/40 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-01 00:28:37 +00:00
Vincent Li	c1281a47ea	lunatik: checksum update Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-30 16:28:51 +00:00
Vincent Li	32c15c3fe3	xdp-tools: add xdp-sni add XDP TLS/SSL SNI parsing Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-30 03:24:30 +00:00
Vincent Li	1b9810cfd9	Merge pull request #45 from selboo/bpfire 修复: 前端端口和后端端口显示错位问题	2024-09-26 07:00:43 -07:00
Selboo	781187a6d3	修复: 前端端口和后端端口显示错位问题	2024-09-26 17:33:50 +08:00
Vincent Li	2cf44838bf	lfs/linux: install perf tool from linux source compile and install perf tool from linux source for performance monitoring. change the setting before run perf echo -1 > /proc/sys/kernel/perf_event_paranoid echo 0 > /proc/sys/kernel/kptr_restrict Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-23 23:44:53 +00:00
Vincent Li	6f60c4696f	lfs/flash-images: missing serial linux command Add the missing serial linux command so the flash image can be converted to qcow2, the bpfire qcow2 image can be deployed in KVM virtual environment through serial console installation. for exmaple: virsh define BPFire-VM.xml virsh start BPFire-VM virsh console BPFire-VM we will have serial console access to BPFire VM and the installation will start. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-23 17:56:26 +00:00
Vincent Li	f89feeb197	kernel: use BPFire logo in kernel how to generate logo format: apt-get install netpbm 1 convert png format to ppm format pngtopnm bpfire-logo.png > bpfire-logo.ppm 2 reduce the color count to 224 ppmquant 224 bpfire-logo.ppm > bpfire-logo-224.ppm 3 convert ppm raw format to ascii format pnmnoraw bpfire-logo-224.ppm > bpfire-logo-ascii.ppm cp bpfire-logo-ascii.ppm config/kernel/ Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-21 02:41:51 +00:00
Vincent Li	e5ee2e8127	grub2: use bpfire logo in grub2 splash Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-21 02:41:51 +00:00
Vincent Li	89baa34b8d	Revert "grub: replace ipfire logo with bpfire logo" This reverts commit `bb773a05d5`. drivers/video/logo/logo_linux_clut224.ppm: Binary PNM is not supported Use pnmnoraw(1) to convert it to ASCII PNM make[6]: * [drivers/video/logo/Makefile:31: drivers/video/logo/logo_linux_clut224.c] Error 1 make[5]: * [scripts/Makefile.build:485: drivers/video/logo] Error 2 make[4]: *** [scripts/Makefile.build:485: drivers/video] Error 2 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-21 02:41:51 +00:00
Vincent Li	ecad4000f2	lunatik: change /lib/modules kernel path to 6.10 whenever compile kernel due to kernel change lunatik needs to be recompiled too since lunatik depends on kernel change filter example Makefile to depend on current kernel build version diff --git a/examples/filter/Makefile b/examples/filter/Makefile index f7eb0f6d..e30566a2 100644 --- a/examples/filter/Makefile +++ b/examples/filter/Makefile @@ -1,10 +1,12 @@ # SPDX-FileCopyrightText: (c) 2023-2024 Ring Zero Desenvolvimento de Software LTDA # SPDX-License-Identifier: MIT OR GPL-2.0-only +VMLINUX_BTF_PATH = /lib/modules/${shell uname -r}/build + all: vmlinux https.o vmlinux: - bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h + bpftool btf dump file $(VMLINUX_BTF_PATH)/vmlinux format c > vmlinux.h Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-21 02:41:51 +00:00
Vincent Li	1f42b720d0	kernel: upgrade to 6.10.11 upgrade kernel to recent stable release 6.10.11 1, scripts/kconfig/merge_config.sh does not work for 6.10.11 2, vmlinux BTF binary name changed in 6.10.11 3, remove rtl8812au for now since it has compiling error 4, remove 5.15 nfqueue patch since it does not apply cleanly also see [0] [0]: https://github.com/vincentmli/BPFire/issues/41 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-21 02:39:49 +00:00
Vincent Li	bb773a05d5	grub: replace ipfire logo with bpfire logo Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-20 21:31:43 +00:00
Vincent Li	7586e5e517	kernel: disable BTF mismatch BTF mismatch is not an issue since we addressed lunatik kernel module BTF mismatch issue using the same chroot binary vmlinux BTF. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-18 22:27:39 +00:00
Vincent Li	e5464739c9	README: update XDP DNS and SNI blocklist feature Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-17 23:33:31 +00:00
Vincent Li	0e29b73703	Revert "lunatik: 'bpf_luaxdp_run': BTF not found in kernel" This reverts commit `cacf5f209d`. libbpf version is irrelevant, revert the change Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-17 17:23:27 +00:00
Vincent Li	6723112498	lunatik: missing module BTF kfuncs not regstered error when run lunatik which loads lunatik kernel modules root@bpfire-2 lua]# lunatik run examples/filter/sni false [root@bpfire-2 lua]# dmesg [ 330.411665] lunatik: loading out-of-tree module taints kernel. [ 330.411680] lunatik: module verification failed: signature and/or required key missing - tainting kernel [ 330.433955] Kernel module BTF mismatch detected, BTF debug info may be unavailable for some modules [ 330.767701] missing module BTF, cannot register kfuncs BPFire chroot build mount /sys/kernel/btf/vmlinux which is the host binary vmlinux BTF to build against lunatik kernel module, which result in above error. adjust BPFire kernel build to save the binary vmlinux BTF to chroot /lib/modules/6.6.15-ipfire/build/vmlinux for lunatik kernel module. create the vmlinux.h from the same binary vmlinux BTF for the ebpf https.o lunatik kernel module is depending on kernel build, adjust the lunatik build accordingly when kerne upgrade in future. See https://github.com/vincentmli/BPFire/issues/40 see https://github.com/luainkernel/lunatik/issues/189 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-17 17:22:22 +00:00
Vincent Li	cacf5f209d	lunatik: 'bpf_luaxdp_run': BTF not found in kernel xdp-loader to load https.o result in error below: libbpf: loading kernel BTF '/sys/kernel/btf/vmlinux': 0 libbpf: extern (func ksym) 'bpf_luaxdp_run': not found in kernel or module BTFs libbpf: failed to load object '/usr/lib/bpf/https.o' libxdp: Failed to load program filter_https: Invalid argument Couldn't attach XDP program on iface 'green0': Invalid argument(-22) xdp-tools/xdp-loader is built statically with libbpf 1.2 should not be xdp-loader libbpf issue still try to upgrade bpfire libbpf to 1.3.0 for testing Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-16 01:00:40 +00:00
Vincent Li	dc97ffb40e	lunatik: Unknown symbol in module lunatik requires lunatik_sym.h before build generate the symbols in chroot build. remove lunatik_sym.h in origin lunatik source Makefile root@r210:/home/vincent/go/src/github.com/vincentmli/BPFire/cache/lunatik-5.3.2# git diff diff --git a/Makefile b/Makefile index ec172541..1c72f3e1 100644 --- a/Makefile +++ b/Makefile @@ -3,14 +3,14 @@ MODULES_INSTALL_PATH = /lib/modules/${shell uname -r} SCRIPTS_INSTALL_PATH = /lib/modules/lua -LUNATIK_INSTALL_PATH = /usr/local/sbin -LUA_API = lua/lua.h lua/lauxlib.h lua/lualib.h +LUNATIK_INSTALL_PATH = /usr/sbin +LUNATIK_EBPF_INSTALL_PATH = /usr/lib/bpf KDIR ?= ${MODULES_INSTALL_PATH}/build RM = rm -f MKDIR = mkdir -p -m 0755 INSTALL = install -o root -g root -all: lunatik_sym.h +all: ${MAKE} -C ${KDIR} M=${PWD} CONFIG_LUNATIK=m \ CONFIG_LUNATIK_RUN=m CONFIG_LUNATIK_RUNTIME=y CONFIG_LUNATIK_DEVICE=m \ CONFIG_LUNATIK_LINUX=m CONFIG_LUNATIK_NOTIFIER=m CONFIG_LUNATIK_SOCKET=m \ @@ -46,6 +46,7 @@ examples_install: ${INSTALL} -m 0644 examples/echod/.lua ${SCRIPTS_INSTALL_PATH}/examples/echod ${MKDIR} ${SCRIPTS_INSTALL_PATH}/examples/filter ${INSTALL} -m 0644 examples/filter/.lua ${SCRIPTS_INSTALL_PATH}/examples/filter + ${INSTALL} -m 0644 examples/filter/.o ${LUNATIK_EBPF_INSTALL_PATH} ${MKDIR} ${SCRIPTS_INSTALL_PATH}/examples/dnsblock ${INSTALL} -m 0644 examples/dnsblock/.lua ${SCRIPTS_INSTALL_PATH}/examples/dnsblock ${MKDIR} ${SCRIPTS_INSTALL_PATH}/examples/dnsdoctor @@ -69,7 +70,3 @@ install: scripts_install modules_install uninstall: scripts_uninstall modules_uninstall depmod -a - -lunatik_sym.h: $(LUA_API) - ${shell ./gensymbols.sh $(LUA_API) > lunatik_sym.h} - Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-15 18:48:48 +00:00
Vincent Li	133baf8fc0	lunatik : kernel config change kernel requires module to be signed, disable force signing for now. insmod: ERROR: could not insert module /lib/modules/6.6.15-ipfire/lunatik/lunatik.ko: Key was rejected by service set CONFIG_MODULE_SIG_FORCE=n failed to validate module [lunatik] BTF: -22 set CONFIG_MODULE_ALLOW_BTF_MISMATCH=y Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-15 18:41:35 +00:00
Vincent Li	7212a66761	lunatik: re-arrange lunatik and kernel build order lunatik kernel modules requires kernel to be built first so /lib/modules is available for lunatik lunatik also requires resolve_btfids under: /lib/modules/$(VER)-$(VERSUFIX)/build/tools/bpf/resolve_btfids/ Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-15 02:27:17 +00:00
Vincent Li	c690c0c447	lunatik: add lunatik addon lunatik has LuaXDP that supports scripting XDP for TLS SNI parsing and many other scripting featuers for kernel. see lunatik build workaround in detail https://github.com/luainkernel/lunatik/issues/189 https://github.com/vincentmli/BPFire/issues/40 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-14 22:46:06 +00:00
Vincent Li	74cf8a3943	xdp-tools: add XDP DNS domain denylist upgrade xdp-tools and add XDP DNS domain denylist bpf and user space program. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-12 17:12:16 +00:00
Vincent Li	49d330f2a8	LoxiLB: increase the default session timeout increase default inactive timeout for established sessions like ssh session diff --git a/pkg/loxinet/rules.go b/pkg/loxinet/rules.go index a67d974..27a9c08 100644 --- a/pkg/loxinet/rules.go +++ b/pkg/loxinet/rules.go @@ -85,7 +85,7 @@ const ( DflHostProbeTimeout = 60 // Default probe timeout for end-point host InitHostProbeTimeout = 15 // Initial probe timeout for end-point host MaxHostProbeTime = 24 * 3600 // Max possible host health check duration - LbDefaultInactiveTimeout = 4 * 60 // Default inactive timeout for established sessions + LbDefaultInactiveTimeout = 10 * 60 // Default inactive timeout for established sessions LbDefaultInactiveNSTimeout = 20 // Default inactive timeout for non-session oriented protocols LbMaxInactiveTimeout = 24 * 3600 // Maximum inactive timeout for established sessions MaxEndPointCheckers = 4 // Maximum helpers to check endpoint health Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-10 03:03:28 +00:00
Vincent Li	3e3b5c0e89	UI: adjust credits for BPFire/IPFire support Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-10 03:03:22 +00:00
Vincent Li	6047d1079b	fireinfo: remove fireinfo profile collection should not send bpfire user profile to ipfire to confuse ipfire community, bpfire could setup such profile collection in the future. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-09 04:29:19 +00:00

1 2 3 4 5 ...

21598 Commits