webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-09 18:45:54 +02:00
Code Issues Packages Projects Releases Wiki Activity
21,654 Commits 2 Branches 1 Tag
4e665f6a3c31a92e0450e6e3a178d6c8ccd1b3cd
Commit Graph

21654 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Vincent Li
4e665f6a3c dnsdist: correct xsk sample config 
when use /etc/rc.d/init.d/dnsdist to start dnsdist with the sample
xsk config, it results in startup error [0]. Correct the xsk sample config.

[0]: https://github.com/PowerDNS/pdns/discussions/15713

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-06-25 16:17:36 +00:00
Vincent Li
279f1e8e86 knot: upgrade to 3.4.7 and add kxdpgun 
enable XDP to add kxdpgun utility for dnsdist AF_XDP performance test [0]

[0]: https://www.dnsdist.org/advanced/xsk.html

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-06-23 18:41:56 +00:00
Vincent Li
b78ee945cd xdp-tools: add dnsdist XDP program 
upgrade xdp-tools to 1.5.5 and add dnsdist_xdp.bpf.o
for dnsdist xsk AF_XDP

xdp-loader load green0 -P 90 -p /sys/fs/bpf/dnsdist \
    -n xdp_dns_filter /usr/lib/bpf/dnsdist_xdp.bpf.o

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-06-21 17:40:40 +00:00
Vincent Li
d81f2b838e dnsdist: add sample xsk AF_XDP config 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-06-21 17:37:01 +00:00
Vincent Li
e51ee79752 dnsdist: move dnsdist to core package 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-06-21 17:32:06 +00:00
Vincent Li
3132f7bc78 dnsdist: enable ebpf xsk AF_XDP 
upgrade to 1.9.10 and enable ebpf AF_XDP

    We use xdp-loader to load dnsdist_xdp.bpf.o for dnsdist running
    AF_XDP:

    xdp-loader load green0 -P 90 -p /sys/fs/bpf/dnsdist -n xdp_dns_filter /usr/lib/bpf/dnsdist_xdp.bpf.o

    so the xsk v4/v6 destination map would be:

    /sys/fs/bpf/dnsdist/xskDestinationsV4
    /sys/fs/bpf/dnsdist/xskDestinationsV6

    but dnsdist-xsk.cc has:

    static std::string getDestinationMap(bool isV6)
        {
          return !isV6 ? "/sys/fs/bpf/dnsdist/xsk-destinations-v4" : "/sys/fs/bpf/dnsdist/xsk-destinations-v6";
        }

    we can't use xsk-destinations-v4/v6 in dnsdist_xdp.bpf.o because bpf map
    could not use '-' in map definition, '-' would result in compiling
    error.

    so we patch dnsdist-xsk.cc to use xskDestinationsV4/V6 that matches the
    map name in dnsdist_xdp.bpf.o

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-06-21 17:27:52 +00:00
Vincent Li
2e3ea0ae64 pwru: ebpf pwru addon for network diagnosis 
preparation for pwru:

mount -t debugfs none /sys/kernel/debug
echo 0 > /proc/sys/kernel/kptr_restrict

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-06-11 23:00:56 +00:00
Vincent Li
9d50babeb9 golang: upgrade to 1.24.4 
pwru requires golang > 1.24.1

Delete existing build/usr/lib/go directory before upgrade go

rm -rf build/usr/lib/go

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-06-11 22:31:03 +00:00
Vincent Li
bdee533f04 libbpf-bootstrap: base for importing libbpf-tools 
add libbpf-bootstrap as base to import bcc libbpf-tools

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-05-23 20:05:48 +00:00
Vincent Li
465f1e2328 Perl: add Net-ISP-Balance addon 
Perl Net-ISP-Balance can be used for ISP Internet connection
load balancing [0], it depends on Net-Netmask module.

[0]: https://lstein.github.io/Net-ISP-Balance/

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-05-21 15:53:12 +00:00
Vincent Li
3b672339ef keepalived: remove keepalived.conf.sample 
keepalived configuration is moved to /var/ipfire/keepalived

fix: https://github.com/vincentmli/BPFire/issues/92
Reported-by: Harvey Li <lhw365@gmail.com>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-05-21 15:53:12 +00:00
Vincent Li
33f4a2b1b1 haproxy: remove /etc/haproxy/haproxy.cfg 
remove /etc/haproxy/haproxy.cfg since lfs/haproxy
installed haproxy.cfg to /var/ipfire/haproxy

fix: https://github.com/vincentmli/BPFire/issues/92
Reported-by: Harvey Li <lhw365@gmail.com>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-05-21 15:53:12 +00:00
Vincent Li
0879d828a7 README: use TLS url for bpfire.net 2025-05-21 15:53:12 +00:00
Vincent Li
1726f3bd3b strace: sync strace 6.12 upgrade from ipfire 
sync strace upgrade from ipfire strace 6.12

fix: https://github.com/vincentmli/BPFire/issues/90
Reported-by: Harvey Li <lhw365@gmail.com>
Signd-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-05-21 15:53:12 +00:00
Vincent Li
18ec4f2b87 udev: sync update from ipfire 
commit d19b71301d08db94341eae1d62500a928a8f6712
Author: Arne Fitzenreiter <arne_f@ipfire.org>
Date:   Thu Dec 26 10:19:20 2024 +0100

    udev: patch to handle pidfs and bcachefs

    this is needed to build udev with kernel 6.12 headers

    Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

fix: https://github.com/vincentmli/BPFire/issues/89
Reported-by: Harvey Li <lhw365@gmail.com>
Signd-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-05-21 15:53:03 +00:00
Vincent Li
93a5a7af7b xdp-tools: rebased on upstream 1.5.4 
included recent changes:

1 fix for xdp-dns for [0]
2 tc-loader to load tc ebpf program

[0]: https://github.com/vincentmli/BPFire/issues/87

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-05-14 20:35:57 +00:00
Vincent Li
25421aed06 logo: add missing bpfire logo 
commit f89feeb19 "kernel: use BPFire logo in kernel" replaced
ipfire logo with bpfire logo, but forgot to add the bpfire logo
file and remove the ipfire logo file

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-05-10 03:38:17 +00:00
Vincent Li
c25bc27049 dnsdist: upgrade to 1.9.9 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-05-09 20:19:42 +00:00
Vincent Li
58e92cbb36 loxilb: upgrade to 0.9.8.3 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-05-09 20:19:42 +00:00
Vincent Li
8af09f38e0 README: update README 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-05-09 20:19:35 +00:00
Vincent Li
e2856c1c7e loxilb-tc: remove loxilb-tc 
loxilb 0.9.8 load tc BPF program through libbpf
so iproute tc utility is not needed.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-03-03 17:19:15 +00:00
Vincent Li
83cf08dfa0 loxilb: upgrade loxilb to 0.9.8.1 
0.9.8.1 release workaround linux kernel 6.12 bpf
verifier issue.

git clone --recurse-submodules --branch v0.9.8.1 https://github.com/loxilb-io/loxilb.git
cd loxilb
go mod vendor
cd ..
mv loxilb loxilb-0.9.8.1
tar czvf loxilb-0.9.8.1.tar.gz loxilb-0.9.8.1

see https://github.com/loxilb-io/loxilb/issues/953

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-03-03 17:14:47 +00:00
Vincent Li
0e2047f080 linux: enable bootparam hardlockup/softlockup 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-02-23 04:36:14 +00:00
Vincent Li
1cbd76f718 linux: upgrade kernel to 6.12.5 
loxilb dev branch has fix for kernel 6.12. now
we can upgrade kernel to 6.12.5

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-02-11 23:44:14 +00:00
Vincent Li
fe2ad5da66 loxilb: upgrade to loxilb dev main branch 
test out the new loxilb with fix for kernel 6.12 issue

git clone --recurse-submodules https://github.com/loxilb-io/loxilb.git
mv loxilb loxilb-0.9.9
tar czvf loxilb-0.9.9.tar.gz loxilb-0.9.9
mv loxilb-0.9.9.tar.gz <BPFire source>/cache

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-02-11 23:40:53 +00:00
Vincent Li
f3881747be loxilb: change default loxilb firewall setting 
loxilb 0.9.8 requires --egress flag for firewall
rule to masquerade/SNAT GREEN network source IP
for Internet access. to access host in RED network
another firewall rule is required.  see [0].

[0]: https://github.com/loxilb-io/loxilb/issues/957

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-02-10 16:44:58 +00:00
Vincent Li
2daee785d4 lunatik: remove lunatik 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-02-04 17:07:13 +00:00
Vincent Li
064136634c linux: downgrade kernel to 6.10.11 
workaround https://github.com/vincentmli/BPFire/issues/75

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-02-04 16:56:51 +00:00
Vincent Li
b040fb1c8a llvm-project: upgrade to 19.1.7 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-02-04 16:47:07 +00:00
Vincent Li
4e9bff5b57 loxicmd: upgrade loxicmd to 0.9.8 
git clone --branch v0.9.8 https://github.com/loxilb-io/loxicmd.git
cd loxicmd
go mod vendor
cd ..
mv loxicmd loxicmd-0.9.8
tar czvf loxicmd-0.9.8.tar.gz loxicmd-0.9.8

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-01-29 16:27:08 +00:00
Vincent Li
017a03c86b loxilb: upgrade loxilb to 0.9.8 
when upgrading loxilb to 0.9.7, running
into issue https://github.com/loxilb-io/loxilb/issues/948

following method to prepare the loxilb source tar ball
resolves the issue

git clone --recurse-submodules --branch v0.9.8 https://github.com/loxilb-io/loxilb.git
cd loxilb
go mod vendor
cd ..
mv loxilb loxilb-0.9.8
tar zcvf loxilb-0.9.8.tar.gz loxilb-0.9.8
mv loxilb-0.9.8.tar.gz <BPFire source>/cache/

fix: https://github.com/vincentmli/BPFire/issues/74

also backported libbpf 1.2.3 lonngarch64 to libbpf 0.8
for loxilb

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-01-29 01:19:21 +00:00
Vincent Li
bad31e01b9 xdp-tools: xdpsni/xdpdns init bpf path argument 
now x86 and loongarch64 share same user space
xdp_sni xdp_dns program with path argument to
bpf map, change xdpsni and xdpdns init script
with bpf path argument.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-01-12 03:42:49 +00:00
Vincent Li
17d49c9d64 linux: upgrade kernel to 6.12.5 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-01-02 18:11:19 +00:00
Vincent Li
0ba17ebe5d lfs/linux: perf tool install missed 
perf tool is built alone with Linux, but
missed to install the perf tool in image

fix: https://github.com/vincentmli/BPFire/issues/65

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-12-03 03:46:09 +00:00
Vincent Li
1bfeb4b322 lfs/linux: enable CONFIG_FPROBE for multi kprobe 
pwru is an utility to trouble shoot network issue,
and to speed up pwru kprobe attachement, kernel needs
to have CONFIG_FPROBE.

running pwru also result in:

Opening kprobe-multi: invalid argument \
(missing kernel symbol or prog's AttachType not AttachTraceKprobeMulti?)

need following to avoid above invalid argument

    echo -1 > /proc/sys/kernel/perf_event_paranoid
    echo 0 > /proc/sys/kernel/kptr_restrict

see https://github.com/cilium/pwru/issues/460

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-12-03 02:44:14 +00:00
Vincent Li
09c182c75a xdp-tools: XDP UDP DDoS for online game protection 
UDP DDoS has pattern of flooding game server with
random source IP and UDP with random payload. game
server UDP traffic requires certain payload
pattern, so this XDP program can serve as example
to stop UDP DDoS attack with UDP payload that does not
match game UDP traffic payload pattern.

without UDP DDoS protection, under DDoS attack:

BPFire UI RED Traffic: in 9xx Mbit/s.

with UDP DDoS protection, under DDoS attack:

BPFire UI RED Traffic: in 1xx Mbit/s.

Tested-by: Muhammad Haikal <eykalpirates@gmail.com>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-11-27 18:32:10 +00:00
Vincent Li
db7b863fa4 README: add image download link and discord 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-11-27 18:32:04 +00:00
Vincent Li
92324f8cbd ddos: set net.ipv4.tcp_syncookies to 1 
set tcp_syncookies to 1 alone with iptables
SYNPROXY module reduce latency, this improves
situation when XDP acceleration is not enabled
and just let iptables SYNPROXY handles SYN flood
attack, see [0]

[0]: https://bugzilla.kernel.org/show_bug.cgi?id=219500

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-11-14 18:30:29 +00:00
Vincent Li
eac34c4210 ddos: disable XDP SYNACK window scale option 
disable window scaling for XDP generated
SYNACK in ddos script by default

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-11-12 02:12:35 +00:00
Vincent Li
5de3f44cc7 xdp-synproxy: enable or disable window scaling 
XDP generated SYNACK tcp options with window
scaling and timestamp could intermittently cause
small packet transmission on DDoS protected server.
allow user to disable window scaling when such
problem occurs. see [0]

[0]: https://github.com/vincentmli/xdp-tools/issues/7

Reported-by: DNSPROXY.ORG LLC <dnsproxyorg@gmail.com>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-11-12 01:22:27 +00:00
Vincent Li
20c65fa4ec kernel: enable signature force config 
Kernel module signature force is disabled
for lunatik kernel module build, enable it
for now.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-11-06 20:28:40 +00:00
Vincent Li
30d6e75af1 haproxy: add HAProxy UI draft patch 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-11-06 19:09:21 +00:00
Vincent Li
d94f83d1bf haproxy: add safe call to haproxy init script 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-10-30 16:52:28 +00:00
Vincent Li
0a726a99ac haproxy: move haproxy to core package 
move haproxy to core package

prepare /var/ipfire/haproxy for haproxy UI, use
/var/ipfire/haproxy/haproxy.cfg

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-10-28 02:44:48 +00:00
Vincent Li
a600787c67 xdp-synproxy: drop IP don't fragment check 
When XDP DDoS syncookie program is attached
to red0 interface, green network client internet
connection to website like gmail/youtube... failed.
it is because these sites does not have IP DF flag
set for each tcp packet, and syncookie_xdp program
would drop these packets when they arrived at red0
interface.

see https://github.com/vincentmli/BPFire/issues/59

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-10-25 20:35:33 +00:00
Vincent Li
b935dd5b1d xdp-sni UI: allow UI to enable/disable XDP SNI 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-10-22 18:48:33 +00:00
Vincent Li
25da9eb467 ddos: Load/Attach XDP DDoS when reboot 
fix: https://github.com/vincentmli/BPFire/issues/58

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-10-22 18:48:11 +00:00
Vincent Li
eadd074122 README: add Suricata multi XDP attachment support 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-10-18 20:04:35 +00:00
Vincent Li
8b29912521 suricata-xdp: resolve memlock and stack smashing 
suricata XDP support requires xdp-tools with
libbpf 1.4 to resolve stack smash issue.

also workaround memlock operation not permitted
by running suricata as root since load/attach
XDP program requires root privilige anyway.

see: https://github.com/vincentmli/BPFire/issues/54

Usage scenario:

since suricata IPS XDP capture mode works as
layer 2 bridge, BPFire netfilter firewall, NAT
IP route  will be bypassed. no IP address should
be assigned to red0 and green0 interface.

172.16.1.0/24          inline              172.16.1.0/24
red network<-->red0(xdp)<-->green0(xdp)<-->green network

we can run setup command to assign IP/Mask 0.0.0.0/0.0.0.0
to red0 and green0, then reboot BPFire, BPFire DHCP
will stops working after reboot. green network client
can get DHCP IP from upstream dhcp server.

start suricata manually

suricata -c /etc/suricata/suricata-xdp.yaml --af-packet
xdp_filter.bpf program will be attached to red0 and gree0
interface

not sure if we should add GUI for suricata XDP capture mode
since this is not common use case.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-10-18 19:47:59 +00:00
Vincent Li
3e17c7b30b xdp-tools: build xdp-tools with libbpf 1.4.6 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-10-18 17:16:17 +00:00