makedumpfile build by default in BPFire use static libdw.a, libelf.a but
libdw.a, libelf.a are not build with zstd which makdedumpfile static
build requires, so build makedumpfile dynamically, see [0].
[0]: https://github.com/vincentmli/bpfire/issues/109
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 68a3334413efb1a963b7cc6c6dca1ec0126e1cc1
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Jul 18 08:42:12 2025 +0000
wireguard-functions.pl: Automatically skip IPv6 subnets
Since we do not support this and some VPN providers generate
configuration files that send any data over to them, we simply ignore
any IPv6 subnets.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit f7565a885b55384a64edd8bd73079143a04da519
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Jul 18 09:57:34 2025 +0000
wireguard-functions.pl: Remove any carriage returns on import
Some files might include carriage returns which won't be removed by
chomp() on Linux. To be extra safe, we remove them manually.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Choose one IP from client pool and add it to road warrior interface
wg0 so road warrior VPN client could reach firewall through the VPN
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
6.15.6 include:
From 06a34f7db773e01efa8a90c5b4d912207a80dd60 Mon Sep 17 00:00:00 2001
From: Daniel Borkmann <daniel@iogearbox.net>
Date: Sun, 17 Nov 2024 22:20:30 +0100
Subject: [PATCH] wireguard: device: support big tcp GSO
Advertise GSO_MAX_SIZE as TSO max size in order support BIG TCP for wireguard.
This helps to improve wireguard performance a bit when enabled as it allows
wireguard to aggregate larger skbs in wg_packet_consume_data_done() via
napi_gro_receive(), but also allows the stack to build larger skbs on xmit
where the driver then segments them before encryption inside wg_xmit().
We've seen a 15% improvement in TCP stream performance.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Link: https://patch.msgid.link/20241117212030.629159-5-Jason@zx2c4.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
---
drivers/net/wireguard/device.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/wireguard/device.c b/drivers/net/wireguard/device.c
index a2ba71fbbed46..6cf173a008e78 100644
--- a/drivers/net/wireguard/device.c
+++ b/drivers/net/wireguard/device.c
@@ -302,6 +302,8 @@ static void wg_setup(struct net_device *dev)
/* We need to keep the dst around in case of icmp replies. */
netif_keep_dst(dev);
+ netif_set_tso_max_size(dev, GSO_MAX_SIZE);
+
wg->dev = dev;
}
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 0ee4f61deaf50b5c091d94afbedd5615c002cfae
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed Jun 25 15:22:32 2025 +0100
firewall.cgi: Remove some left-over debugging code
This code prevented that any firewall rules could have been created due
to the WUI always assuming that there would be some error.
Fixes: #13860 - Error message when creating a firewall rule with a subnet for src
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
ipfire has changed theme css style and wireguard.cgi relies
on the new css style, replace the bpfire css style with ipfire style
breaks other cgi style, so make the change minium that is only
relevant to wireguard.cgi VPN peers status.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
wireguard.cgi calls errorbox and opensection/closesection,
but they are missing from header.pl. ipfire had functons.pl
removed and moved subroutines to header.pl and added errorbox
in header.pl. to keep the change minimum so not affect other
features, add errorbox and opensection/closesection in functions.pl
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
missing set_defaults sub result in error when generate
flash image during build after add wireguard UI
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit c29a07b2ee505811a6cd78ca643bf816beb77375
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon May 26 11:38:57 2025 +0200
index.cgi: Show WireGuard status using the function library
The settings file is also loaded all the time and we don't need to load
it again.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit d6868ae94c63d0f708985e6bb6604a4bd40cf1a8
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Sep 6 18:20:46 2024 +0200
firewall: Allow WG traffic when the firewall is in permissive mode
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 50b4c402226cda390832d3124a2a46187cc635c3
Author: Stephen Cuka <stephen@firemypi.org>
Date: Thu Feb 27 16:34:16 2025 -0700
fwhosts.cgi: Add button spacing on 'Firewall/Firewall Groups' page.
Add spacing between showmenu() buttons on Firewall/Firewall Groups page to improve the look of the page.
No changes to the functions of the page.
Signed-off-by: Stephen Cuka <stephen@firemypi.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 1de96a83d6d6cec5d4d3eda1792aa80bfbd8fafe
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed Apr 23 12:35:52 2025 +0200
firewall: Add support for WireGuard peers to groups
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 468e9831d5c7b99a2dc20b66d881f43ecb0a424b
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Apr 22 17:41:12 2025 +0200
firewall.cgi: Add dropdown to add WireGuard peers to a firewall rule
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 37174e29de670a33f9be4b90c88b0a96c695dad1
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Sep 27 17:55:46 2024 +0200
wireguard.cgi: Normalize filenames
This is because Windows clients won't import any configurations that
have spaces in the filename. Therefore we replace it and remove anything
else unwanted on the way.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 06dbc836a47160d51ab10f8b9d4ca356beaa7cdb
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Apr 16 18:06:47 2024 +0200
wireguard.cgi: Add a basic CGI to configure the global settings
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 8fa1831bff7e1d76eb83b145976211aa703062e1
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon Mar 31 16:31:43 2025 +0200
firewall: Collect all networks that should not be NATed in an array
No functional changes.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
firewall: Explicitely don't NAT any aliases
It seems that there is a problem with local connections that have
preselected an outgoing interface. That will work just fine, but
ultimately the packet will be NATed back to the primary RED IP address.
To prevent this, we are adding some extra rules that skip the MASQUERADE
target.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
readhash is added in functions, but it appears not used
in initscripts except for testing, assume no impact to
bpfire initscripts.
commit 1c1ff05cdc37fe9ccabda9413c270935c3a45478
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon Mar 31 16:35:26 2025 +0200
firewall: Explicitely don't NAT any aliases
It seems that there is a problem with local connections that have
preselected an outgoing interface. That will work just fine, but
ultimately the packet will be NATed back to the primary RED IP address.
To prevent this, we are adding some extra rules that skip the MASQUERADE
target.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit ff4ff2cfe0c8565a431bf499708dcb6e5c2fb3dc
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Dec 6 16:42:17 2024 +0000
initscripts: readhash: Fix handling = signs
The function expected that a line only contains exactly one equals sign
(=) which is not fit for purpose. In the WireGuard code we hold key
material that is encoded in base64 and therefore contains padding that
uses =.
This patch fixes that we expect exactly one equals sign immediately
after the key and we will then accept more = in the value - which was
already permitted.
Furthermore, this patch fixes the splitting if the key and value at the
first =.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
commit 73661e5ee1acc30e40e41493c8dfca10aa1097d0
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Dec 6 16:42:16 2024 +0000
initscripts: readhash: Only strip quotes if they exist
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
commit 80c1cb5a0a
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:44 2024 +0200
initscripts fkt: Fix shebang
We use features only available in bash. So we should state correctly
that the script should be executed in bash. As sh is a symlink to bash
this makes not differences on a ipfire system. But my linter is less
chatty with this change.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 14ecdd86f1
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:43 2024 +0200
initscripts fkt: keep readhash compatible with older implementation
With the use of eval BLUE_DEV='blue0 net0' stored "blue0 net0" in the
variable BLUE_DEV not "'blue0 net0'"
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit f1d94e7457
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:42 2024 +0200
initscripts fkt: readhash should only parse lines with a =
A line without a = is clearly invalid.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 9f72b7bc5f
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:41 2024 +0200
initscripts fkt: Check for invalid values in readhash
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 02254f5543
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:40 2024 +0200
initscripts fkt: ignore invalid keys in readhash
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit d289bc28be
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:39 2024 +0200
initscripts fkt: Ignore comments in readhash
As '#Another Comment' is a valid key we test this change by checking if
the comments do not end up as keys in our array.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 59e3c2a217
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:38 2024 +0200
initscript fkt: ignore blank lines in readhash
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 96bb3ba8b8
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:37 2024 +0200
initscript functions: add readhash
To avoid the usage of eval and to store the config in an key value
array, we introduce an new function. The tests only check if we
read the correct value to the correct variable.
One comment on the implementation as this has created some headache:
>From https://www.gnu.org/software/bash/manual/bash.html#Bourne-Shell-Builtins
"When used in a function, declare makes each name local, as with the local command, unless the -g option is used."
So we need to use -g here
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit db09ea9e5c
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat Mar 23 14:35:39 2024 +0100
initscripts: Don't overwrite the PID file
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 5900a95059
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat Mar 23 14:31:49 2024 +0100
initscripts: Fix reading PIDs
An incorrect variable has been used.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 6e47a143c9
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat Mar 23 14:30:33 2024 +0100
initscripts: Handle command arguments as array
For some reason, the function is refusing to launch a command that has
extra arguments.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit ed91103e22
Author: Stefan Schantl <stefan.schantl@ipfire.org>
Date: Wed Mar 27 20:39:17 2024 +0100
initscripts: Add generic function to get the filesystem type of a volume
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
commit c3019331df
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Jan 11 15:59:34 2024 +0100
initscripts: Implement storing PIDs in loadproc
Some programs do not write their own PID files any more, but since our
initscripts heavily rely on those, this extension allows to store it
easily.
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
commit dd8ef8cc10
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Jan 11 15:57:50 2024 +0100
initscripts: Fix wrong variable check for $PIDFILE in getpids
getpids() checked whether it needed to pass a pid file to pidofproc, but
the check was inverted.
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit fc32e7b9147d2eeeb6e2bc1497859fb050001eb5
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Apr 16 16:20:55 2024 +0200
firewall: Automatically open ports for WireGuard
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 459bb750298c09990c0c8d4677f0f442887304d0
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat Apr 26 14:30:44 2025 +0200
wireguard: Automatically apply MASQUERADE for peers with local address
In this case we are the client and we cannot leak any local subnets.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 43867c1e070fc96420a666b0bb21182eff16787b
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sun Apr 27 18:30:59 2025 +0200
wireguard: Add a custom routing table for peers
This is a dirty hack to make connections to VPN providers actually work.
We mark all WG packets after encryption and use a secondary routing
table to look up any routes to the peers. That way, we can replace the
default route in the main routing table without having to care about the
special routes there.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
following commit made changes to networking functions
commit 76ea485d9edb781328e307c68b1f878d933408e5
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Sep 27 17:39:22 2024 +0200
wireguard: Select the correct source IP address for N2N peers
This is so that the firewall chooses the correct IP address when trying
to establish connections to the remote networks.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit d99826dc71
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Sep 24 10:33:22 2024 +0200
suricata: Enable scanning IPsec packets
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit db151ad716
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sun Sep 22 17:08:03 2024 +0200
suricata: Add support for zones having multiple interfaces
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 1b7d1abdf0
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Sep 10 10:50:15 2024 +0200
suricata: Add option to scan WireGuard
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 79cce701a9
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Sep 10 10:40:28 2024 +0200
suricata: Restore the interface selection
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 3f863ee70d
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat Mar 23 14:32:30 2024 +0100
initscripts: Add some basic functions for IP address maths
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit e340d393d3
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Mar 22 17:40:15 2024 +0100
network: Don't include initscript headers twice
Everywhere we import the functions, we have already imported the
standard includes.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
upgrade to 1.9.10 and enable ebpf AF_XDP
We use xdp-loader to load dnsdist_xdp.bpf.o for dnsdist running
AF_XDP:
xdp-loader load green0 -P 90 -p /sys/fs/bpf/dnsdist -n xdp_dns_filter /usr/lib/bpf/dnsdist_xdp.bpf.o
so the xsk v4/v6 destination map would be:
/sys/fs/bpf/dnsdist/xskDestinationsV4
/sys/fs/bpf/dnsdist/xskDestinationsV6
but dnsdist-xsk.cc has:
static std::string getDestinationMap(bool isV6)
{
return !isV6 ? "/sys/fs/bpf/dnsdist/xsk-destinations-v4" : "/sys/fs/bpf/dnsdist/xsk-destinations-v6";
}
we can't use xsk-destinations-v4/v6 in dnsdist_xdp.bpf.o because bpf map
could not use '-' in map definition, '-' would result in compiling
error.
so we patch dnsdist-xsk.cc to use xskDestinationsV4/V6 that matches the
map name in dnsdist_xdp.bpf.o
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
preparation for pwru:
mount -t debugfs none /sys/kernel/debug
echo 0 > /proc/sys/kernel/kptr_restrict
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
pwru requires golang > 1.24.1
Delete existing build/usr/lib/go directory before upgrade go
rm -rf build/usr/lib/go
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
