commit 468e9831d5c7b99a2dc20b66d881f43ecb0a424b
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Apr 22 17:41:12 2025 +0200
firewall.cgi: Add dropdown to add WireGuard peers to a firewall rule
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 06dbc836a47160d51ab10f8b9d4ca356beaa7cdb
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Apr 16 18:06:47 2024 +0200
wireguard.cgi: Add a basic CGI to configure the global settings
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 8fa1831bff7e1d76eb83b145976211aa703062e1
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon Mar 31 16:31:43 2025 +0200
firewall: Collect all networks that should not be NATed in an array
No functional changes.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
firewall: Explicitely don't NAT any aliases
It seems that there is a problem with local connections that have
preselected an outgoing interface. That will work just fine, but
ultimately the packet will be NATed back to the primary RED IP address.
To prevent this, we are adding some extra rules that skip the MASQUERADE
target.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit fc32e7b9147d2eeeb6e2bc1497859fb050001eb5
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Apr 16 16:20:55 2024 +0200
firewall: Automatically open ports for WireGuard
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 459bb750298c09990c0c8d4677f0f442887304d0
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat Apr 26 14:30:44 2025 +0200
wireguard: Automatically apply MASQUERADE for peers with local address
In this case we are the client and we cannot leak any local subnets.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 43867c1e070fc96420a666b0bb21182eff16787b
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sun Apr 27 18:30:59 2025 +0200
wireguard: Add a custom routing table for peers
This is a dirty hack to make connections to VPN providers actually work.
We mark all WG packets after encryption and use a secondary routing
table to look up any routes to the peers. That way, we can replace the
default route in the main routing table without having to care about the
special routes there.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 76ea485d9edb781328e307c68b1f878d933408e5
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Sep 27 17:39:22 2024 +0200
wireguard: Select the correct source IP address for N2N peers
This is so that the firewall chooses the correct IP address when trying
to establish connections to the remote networks.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
We use xdp-loader to load dnsdist_xdp.bpf.o for dnsdist running
AF_XDP:
xdp-loader load green0 -P 90 -p /sys/fs/bpf/dnsdist -n xdp_dns_filter /usr/lib/bpf/dnsdist_xdp.bpf.o
so the xsk v4/v6 destination map would be:
/sys/fs/bpf/dnsdist/xskDestinationsV4
/sys/fs/bpf/dnsdist/xskDestinationsV6
but dnsdist-xsk.cc has:
static std::string getDestinationMap(bool isV6)
{
return !isV6 ? "/sys/fs/bpf/dnsdist/xsk-destinations-v4" : "/sys/fs/bpf/dnsdist/xsk-destinations-v6";
}
we can't use xsk-destinations-v4/v6 in dnsdist_xdp.bpf.o because bpf map
could not use '-' in map definition, '-' would result in compiling
error.
so we patch dnsdist-xsk.cc to use xskDestinationsV4/V6 that matches the
map name in dnsdist_xdp.bpf.o
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
We are going to add pwru for packet drop related
trouble shooting, pwru by default requires kernel
with kprobe multi attachment, enable kernel config
for that.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Similar to xdp-tools to add ebpf network program.
we can use libbpf-bootstrap as facility to add ebpf
tracing program.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
bpftrace depends on libbcc, so add bcc in build.
bcc build depends on zip, but loongfire does not
have zip
workaround:
copy loongson host Fedora zip command to chroot build
cp /usr/bin/zip to build_loongarch64/usr/bin
Fedora zip depends on libbz2.so.1, libbz2 is from bzip2
addon that loongfire already has, so make symbolic link
cd build_loongarch64/lib64; ln -s libbz2.so.1.0.8 libbz2.so.1
we should build zip addon for loongfire but zip has build error
need to resolve zip build error as long term solution
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
rebase xdp-tools from upstream xdp-tools 1.5.4. there is
Makefile conflict when rebase because 1.5.4 added xdp-forward.
manually resolve the rebase conflict by put loongfire xdp program
at the end:
for example instruction from deepseek:
Open the Makefile in a text editor and locate the conflict:
makefile
ifneq ($(BPFTOOL),)
<<<<<<< HEAD
UTILS += xdp-bench xdp-forward xdp-monitor xdp-trafficgen
=======
UTILS += xdp-bench xdp-monitor xdp-trafficgen xdp-synproxy
>>>>>>> d8ebb16 (Add xdp-synproxy)
endif
Understand the conflict:
The HEAD (upstream/main) version includes xdp-forward.
Your commit (d8ebb16) adds xdp-synproxy but removes xdp-forward.
Resolve the conflict by including both changes:
Keep xdp-forward from HEAD.
Add xdp-synproxy from your commit.
The merged line should look like this:
makefile
UTILS += xdp-bench xdp-forward xdp-monitor xdp-trafficgen xdp-synproxy
Remove the conflict markers (<<<<<<<, =======, >>>>>>>).
edit result:
ifneq ($(BPFTOOL),)
UTILS += xdp-bench xdp-forward xdp-monitor xdp-trafficgen xdp-synproxy
endif
Save the file after making these changes.
Stage the resolved Makefile and continue the rebase:
git add Makefile
git rebase --continue
repeat editing Makefile and git rebase --continue for below program
xdp-dnsrrl
xdp-udp
xdp-dns
xdp-sni
xdp-geoip
xdp-udpddos
xdp-tailcall
xdp-synproxy-tailcall
xdp-ddos
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
CC [M] fuxi-efuse.o
fuxi-gmac-phy.c: In function 'fxgmac_phy_timer_destroy':
fuxi-gmac-phy.c:493:5: error: implicit declaration of function
'del_timer_sync'; did you mean 'dev_mc_sync'?
[-Wimplicit-function-declaration]
493 | del_timer_sync(&pdata->expansion.phy_poll_tm);
| ^~~~~~~~~~~~~~
| dev_mc_sync
make[4]: *** [/lib/modules/6.15.0-rc1-ipfire/build/scripts/Makefile.build:203:
fuxi-gmac-phy.o] Error 1
replace del_timer_sync with timer_delete_sync
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
when firewall switched to bridge mode, we want to
have WebUI access to manage the firewall, allow user
setup IP address on the firewall bridge interface through
the UI.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
