if interface does not support native mode
re-run xdp-loader with skb mode, got error
Attaching XDP program in native mode not supported - try SKB mode.
TCP Native mode not supported, try SKB
Replacing allowed ports
Added port 80
Added port 8090
libxdp: Retried more than 11 times, giving up
Couldn't attach XDP program on iface 'lo': Device or resource busy(-16)
UDP Native mode not supported, try SKB
Replacing allowed udp ports
Added port 10408
but it looks loaded ok
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
write to /var/ipfire/ddos/settings file before
enable ddos to allow /etc/rc.d/init.d/ddos script
start up ddos according to the setting from
/var/ipfire/ddos/settings
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
We need to disable BPF trace capability and disallow
unprivileged BPF so
This reverts commit d0bd3cc033.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
XDP dns rate limit program has static tail call
which requires revert xdp-tool commit:
(039bdea "xdp-loader: Only load the BPF program we need from object files")
XDP dns rate limit program also uses bpf_printk helper which is not
supported on FireBeeOS since kernel CONFIG_BPF_EVENTS which allows user
to do kprobe, uprobe, tracepoint is not enabled, so bpf_printk helper is
not available, so removed bpf_printk
see discussion in [0] xdp-loader load xdp program with bpf tail call result in Bad file descriptor(-9)
[0] https://github.com/xdp-project/xdp-tools/issues/377
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
xdp-loader will only load the XDP program without
xdp dispatcher if bpffs is not mounted, flash image
has bpffs mounted already, add bpffs mount for ISO image
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
This reverts commit 0864b3a5ba.
User might be concerned firewall admin user capture SSL clear
text, so remove ecapture.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
This reverts commit 7773f82726.
After ISO installation in real hardware and reboot,
the boot process appears to be "stucking" in
"dracut: Switching root".
see https://github.com/vincentmli/FireBeeOS/issues/1
revert the commit resolves the issue, I suspect maybe
the output after "dractu: Switching root" is directed
to serial console? anyway revert this change temporarily.
flash image build still need to have serial console access
for better user experience when trying flash image in KVM/Libvirt
virtual environment.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
add ddosctrl to start/stop/status XDP
program from ddos.cgi safely.
permission of ddosctrl
chown root.nobody /usr/local/bin/ddosctrl
chmod u+s /usr/local/bin/ddosctrl
result:
-rwsr-x--- 1 root nobody 14672 Mar 19 09:58 /usr/local/bin/ddosctrl
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
XDP SYNPROXY requires setting up iptables rule
in raw table PREROUTING chain and filter table
INPUT chain.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
XDP SYNPROXY rules needs to be first in filter table
INPUT user defined chain and raw table PREROUTING
user defined chain.
To list the custom chain evaluation order for example:
iptables -L INPUT --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 INSYNPROXY all -- anywhere anywhere
2 IPSBYPASS all -- anywhere anywhere mark match 0xc0000000/0xc0000000
3 BADTCP tcp -- anywhere anywhere
4 CUSTOMINPUT all -- anywhere anywhere
5 HOSTILE all -- anywhere anywhere
6 BLOCKLISTIN !icmp -- anywhere anywhere
7 GUARDIAN all -- anywhere anywhere
8 OVPNBLOCK all -- anywhere anywhere
9 IPS_INPUT all -- anywhere anywhere mark match 0x0/0xc0000000
10 IPTVINPUT all -- anywhere anywhere
11 ICMPINPUT all -- anywhere anywhere
12 LOOPBACK all -- anywhere anywhere
13 CAPTIVE_PORTAL all -- anywhere anywhere
14 CONNTRACK all -- anywhere anywhere
15 DHCPGREENINPUT all -- anywhere anywhere
16 TOR_INPUT all -- anywhere anywhere
17 LOCATIONBLOCK all -- anywhere anywhere
18 IPSECINPUT all -- anywhere anywhere
19 GUIINPUT all -- anywhere anywhere
20 WIRELESSINPUT all -- anywhere anywhere ctstate NEW
21 OVPNINPUT all -- anywhere anywhere
22 INPUTFW all -- anywhere anywhere
23 REDINPUT all -- anywhere anywhere
24 POLICYIN all -- anywhere anywhere
iptables -t raw -L PREROUTING --line-numbers
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 RAWSYNPROXY all -- anywhere anywhere
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
when mouse select, vim automatically turns into
visual mode, this is not convienent when copy
and paste in vim with mouse select.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
