Commit Graph

21614 Commits

Author SHA1 Message Date
Vincent Li
20c65fa4ec kernel: enable signature force config
Kernel module signature force is disabled
for the lunatik kernel module build; enable it
for now.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-11-06 20:28:40 +00:00
Vincent Li
30d6e75af1 haproxy: add HAProxy UI draft patch
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-11-06 19:09:21 +00:00
Vincent Li
d94f83d1bf haproxy: add safe call to haproxy init script
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-30 16:52:28 +00:00
Vincent Li
0a726a99ac haproxy: move haproxy to core package
move haproxy to core package

prepare /var/ipfire/haproxy for haproxy UI, use
/var/ipfire/haproxy/haproxy.cfg

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-28 02:44:48 +00:00
Vincent Li
a600787c67 xdp-synproxy: drop IP don't fragment check
When the XDP DDoS syncookie program is attached
to the red0 interface, green network client internet
connections to websites like gmail/youtube... failed.
It is because these sites do not have the IP DF flag
set for each TCP packet, and the syncookie_xdp program
would drop these packets when they arrived at the red0
interface.

see https://github.com/vincentmli/BPFire/issues/59

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-25 20:35:33 +00:00
Vincent Li
b935dd5b1d xdp-sni UI: allow UI to enable/disable XDP SNI
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-22 18:48:33 +00:00
Vincent Li
25da9eb467 ddos: Load/Attach XDP DDoS when reboot
fix: https://github.com/vincentmli/BPFire/issues/58

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-22 18:48:11 +00:00
Vincent Li
eadd074122 README: add Suricata multi XDP attachment support
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-18 20:04:35 +00:00
Vincent Li
8b29912521 suricata-xdp: resolve memlock and stack smashing
Suricata XDP support requires xdp-tools with
libbpf 1.4 to resolve the stack smashing issue.

Also work around the memlock operation not permitted
error by running suricata as root, since loading/attaching
an XDP program requires root privilege anyway.

see: https://github.com/vincentmli/BPFire/issues/54

Usage scenario:

Since suricata IPS XDP capture mode works as a
layer 2 bridge, the BPFire netfilter firewall, NAT and
IP route will be bypassed. No IP address should
be assigned to the red0 and green0 interfaces.

172.16.1.0/24          inline              172.16.1.0/24
red network<-->red0(xdp)<-->green0(xdp)<-->green network

We can run the setup command to assign IP/Mask 0.0.0.0/0.0.0.0
to red0 and green0, then reboot BPFire. BPFire DHCP
will stop working after reboot. Green network clients
can get a DHCP IP from the upstream dhcp server.

Start suricata manually:

suricata -c /etc/suricata/suricata-xdp.yaml --af-packet

The xdp_filter.bpf program will be attached to the red0 and green0
interfaces.

Not sure if we should add a GUI for suricata XDP capture mode
since this is not a common use case.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-18 19:47:59 +00:00
Vincent Li
3e17c7b30b xdp-tools: build xdp-tools with libbpf 1.4.6
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-18 17:16:17 +00:00
Vincent Li
40c097ff8a libbpf: upgrade to 1.4.6
xdp-tools libxdp requires libbpf 1.4.0 and above
to fix the stack smashing issue.

see: https://github.com/xdp-project/xdp-tools/issues/446

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-18 17:16:09 +00:00
Vincent Li
1eceb143ed suricata: add suricata ebpf xdp capture mode
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-17 02:11:19 +00:00
Vincent Li
f689a70b7e Revert "Revert "lunatik: 'bpf_luaxdp_run': BTF not found in kernel""
This reverts commit 0e29b73703.

switch to libbpf 1.3
2024-10-15 15:25:50 +00:00
Vincent Li
88e5d0aba7 xdp-geoip: move location block sub menu to BPFire
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-14 01:45:39 +00:00
Vincent Li
8d6014683f xdp-geoip: safe call to xdpgeoip init script
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-13 20:59:48 +00:00
Vincent Li
9c28bd419d xdp-geoip: Add XDP GeoIP location init
Add XDP GeoIP country/region location block init script

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-13 20:35:44 +00:00
Vincent Li
1bf1cdc190 xdp-geoip UI: location block ipset to XDP
Change the location-block UI from calling ipset to calling
xdp_geoip to update the geoip_map bpf map.

see https://github.com/vincentmli/BPFire/issues/53

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-13 03:05:01 +00:00
Vincent Li
86a9264a25 xdp-geoip: add XDP GeoIP program
Add an XDP GeoIP program to do location-based
IP blocking in XDP.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-12 20:33:12 +00:00
Vincent Li
f204528cf4 README: Add XDP GeoIP/Country blocklist
Vincent Li <vincent.mc.li@gmail.com>
2024-10-12 18:58:01 +00:00
Vincent Li
b21febe3e1 xdp-sni UI: XDP TLS/SSL SNI UI management
XDP TLS/SSL SNI UI to manage the web blocklist

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-09 20:38:13 +00:00
Vincent Li
a118df6060 xdp-sni: switch LPM trie map to hash map
Switch the xdp_sni.bpf.o LPM trie map to a hash map
to reduce code complexity and avoid a verifier error.

Now each domain and its subdomains need to be added to the hash
map to block the domain and its subdomain sites.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-09 02:48:38 +00:00
Vincent Li
5db52b1717 xdp-sni UI: XDP TLS/SSL SNI log view from UI
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-09 00:34:07 +00:00
Vincent Li
e6ac495dfb xdp-sni: safe call wrapper program to xdpsni init
Safe call wrapper program to the xdpsni init script
for the UI to call.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-08 17:41:17 +00:00
Vincent Li
34f9da85dd xdp-sni: add XDP TLS SNI init script xdpsni
Add the xdpsni init script and enable XDP TLS SNI by default
on first boot and reboot.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-08 02:21:17 +00:00
Vincent Li
d334d39e3f xdp-sni: add XDP TLS SNI logging
Add XDP TLS SNI logging with bpf ringbuf.
Drop reverse_string from xdp_sni.bpf.o because the
bpf verifier complains that the program is too large.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-08 01:05:01 +00:00
Vincent Li
07c6172576 xdp-dns: missing xdpdns-settings and domainfile
Add the missing config/cfgroot/xdpdns-settings file
and use ENABLE_DNSBLOCK=on by default, so the XDP DNS
Blocklist is enabled by default.

Also add the domainfile so that when BPFire reboots for the first time
and the xdpdns init starts up, it will not complain about a
missing domainfile.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-07 03:01:36 +00:00
Vincent Li
4d6f8d68a3 xdp-dns UI: change running state check
Status relies on checking if xdp_dns_log is running,
but xdp_dns_log could mysteriously disappear at some point,
which results in XDP DNS Blocklist showing Stopped.
Let /etc/rc.d/init.d/xdpdns status rely on whether the
xdp_dns_denylist XDP program is still attached
to the green0 interface.

Two related issues:

https://github.com/vincentmli/BPFire/issues/50
https://github.com/vincentmli/BPFire/issues/49

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-05 23:17:26 +00:00
Vincent Li
4c2fd11de2 xdp-dns UI: rename deny to blocklist
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-05 21:37:04 +00:00
Vincent Li
8b3cdb2ebe xdp-tools: fix xdp-dns XDP program byte reverse
The domain name in xdp_dns.bpf.o is not reversed properly,
resulting in a domain name mismatch with the domain inserted
from user space xdp_dns.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-04 21:36:09 +00:00
Vincent Li
2c233eac63 xdp-dns log UI: view DNS query log
Allow the user to view DNS queries logged by xdp_dns_log
from the UI.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-04 21:36:03 +00:00
Vincent Li
2f4174b560 xdp-dns: xdpdns init script to populate denylist
Run xdp_dns in the xdpdns init script to populate
domain_denylist from the domainfile saved from the UI.
On either xdpdns restart or BPFire reboot, the domain_denylist
is restored with the domain blocklist.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-04 17:31:12 +00:00
Vincent Li
ccf49b1105 xdp-dns: update xdp_dns to correct map
Change xdp_dns to use
/sys/fs/bpf/xdp-dns-denylist/domain_denylist

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-04 04:06:00 +00:00
Vincent Li
a165595116 xdp-dns: allow UI to run xdp_dns to update map
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-04 04:06:00 +00:00
Vincent Li
cdbaa41364 xdp-dns UI: web interface to add XDP DNS blocklist
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-04 04:05:53 +00:00
Vincent Li
cc8ccb35bf xdp-dns: enable XDP DNS block when reboot
If XDP DNS is enabled and BPFire reboots, the XDP
DNS program should be attached and DNS queries
monitored after the reboot.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-03 17:29:16 +00:00
Vincent Li
92cd7ca970 llvm-project: upgrade to 18.1.0
xdp_dns.bpf.o failed to load with the verifier
error "program too large"; upgrading llvm/clang
to 18.1.0 resolves the issue.

fix: https://github.com/vincentmli/BPFire/issues/47

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-03 00:48:43 +00:00
Vincent Li
13530fa1ef xdp-tools: remove dns query from xdp-dnsrrl
Also change the user space xdp_dns_log program to
use the map /sys/fs/bpf/xdp-dns-denylist/dns_ringbuf

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-02 20:20:48 +00:00
Vincent Li
f9c8259050 Add xdpdnsctrl program for safe execution
Add xdpdnsctrl to start/stop/status the XDP
program from xdpdns.cgi safely.

Permissions of xdpdnsctrl:

chown root.nobody /usr/local/bin/xdpdnsctrl
chmod u+s /usr/local/bin/xdpdnsctrl

Result:

-rwsr-x--- 1 root nobody 14672 Mar 19 09:58 /usr/local/bin/xdpdnsctrl
2024-10-02 18:31:21 +00:00
Vincent Li
d30a7b2318 xdp-dns: add start/stop init script and settings
Add the xdpdns init script to load/unload the xdp_dns_denylist
program and run xdp_dns_log to log DNS queries to the system log.

rm log/configroot log/initscripts to build image

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-02 18:23:44 +00:00
Vincent Li
652ab98e1a xdp-tools: add xdp-dns system logging
Add a bpf ringbuf to the xdp-dns program and a
user space program to log DNS queries to the
system log.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-01 23:45:03 +00:00
Vincent Li
17d5413bc2 README: update TLS/SSL SNI blocklist to XDP
The Lunatik sni filter currently does not work
for BPFire when the chrome browser is used because the
clienthello is > 1500 bytes. XDP TLS/SSL has
the same issue. To block domain access, it
appears XDP DNS domain blocking works more
reliably than SNI, so if there is a need to block
the chrome browser for some domain, use XDP DNS
domain blocking as a mitigation.

see https://github.com/vincentmli/BPFire/issues/40

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-01 00:28:37 +00:00
Vincent Li
c1281a47ea lunatik: checksum update
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-09-30 16:28:51 +00:00
Vincent Li
32c15c3fe3 xdp-tools: add xdp-sni
Add XDP TLS/SSL SNI parsing.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-09-30 03:24:30 +00:00
Vincent Li
1b9810cfd9 Merge pull request #45 from selboo/bpfire
Fix: front-end port and back-end port display misalignment issue
2024-09-26 07:00:43 -07:00
Selboo
781187a6d3 Fix: front-end port and back-end port display misalignment issue 2024-09-26 17:33:50 +08:00
Vincent Li
2cf44838bf lfs/linux: install perf tool from linux source
Compile and install the perf tool from the linux
source for performance monitoring.

Change the settings before running perf:

echo -1 > /proc/sys/kernel/perf_event_paranoid
echo 0 > /proc/sys/kernel/kptr_restrict

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-09-23 23:44:53 +00:00
Vincent Li
6f60c4696f lfs/flash-images: missing serial linux command
Add the missing serial linux command so the
flash image can be converted to qcow2; the
bpfire qcow2 image can be deployed in a KVM
virtual environment through serial console
installation.

For example:

virsh define BPFire-VM.xml
virsh start BPFire-VM
virsh console BPFire-VM

We will have serial console access to the BPFire
VM and the installation will start.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-09-23 17:56:26 +00:00
Vincent Li
f89feeb197 kernel: use BPFire logo in kernel
How to generate the logo format:

apt-get install netpbm

1 Convert png format to ppm format

pngtopnm bpfire-logo.png > bpfire-logo.ppm

2 Reduce the color count to 224

ppmquant 224 bpfire-logo.ppm > bpfire-logo-224.ppm

3 Convert ppm raw format to ascii format

pnmnoraw bpfire-logo-224.ppm > bpfire-logo-ascii.ppm
cp bpfire-logo-ascii.ppm config/kernel/

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-09-21 02:41:51 +00:00
Vincent Li
e5ee2e8127 grub2: use bpfire logo in grub2 splash
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-09-21 02:41:51 +00:00
Vincent Li
89baa34b8d Revert "grub: replace ipfire logo with bpfire logo"
This reverts commit bb773a05d5.

drivers/video/logo/logo_linux_clut224.ppm: Binary PNM is not supported
Use pnmnoraw(1) to convert it to ASCII PNM
make[6]: *** [drivers/video/logo/Makefile:31: drivers/video/logo/logo_linux_clut224.c] Error 1
make[5]: *** [scripts/Makefile.build:485: drivers/video/logo] Error 2
make[4]: *** [scripts/Makefile.build:485: drivers/video] Error 2

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-09-21 02:41:51 +00:00