Commit Graph

21657 Commits

Author SHA1 Message Date
Vincent Li
d854559daf initscripts: sync networking functions from IPFire
The following commits made changes to the networking functions:

commit 76ea485d9edb781328e307c68b1f878d933408e5
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Sep 27 17:39:22 2024 +0200

    wireguard: Select the correct source IP address for N2N peers

    This is so that the firewall chooses the correct IP address when trying
    to establish connections to the remote networks.

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit d99826dc71
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Tue Sep 24 10:33:22 2024 +0200

    suricata: Enable scanning IPsec packets

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit db151ad716
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Sun Sep 22 17:08:03 2024 +0200

    suricata: Add support for zones having multiple interfaces

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 1b7d1abdf0
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Tue Sep 10 10:50:15 2024 +0200

    suricata: Add option to scan WireGuard

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 79cce701a9
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Tue Sep 10 10:40:28 2024 +0200

    suricata: Restore the interface selection

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 3f863ee70d
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Sat Mar 23 14:32:30 2024 +0100

    initscripts: Add some basic functions for IP address maths

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit e340d393d3
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Mar 22 17:40:15 2024 +0100

    network: Don't include initscript headers twice

    Everywhere we import the functions, we have already imported the
    standard includes.

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-07-02 16:55:13 +00:00
Vincent Li
dd9a60e720 wireguard-tools: backport IPFire wireguard-tools
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-07-02 16:04:52 +00:00
Vincent Li
d30518a04a README: update the build url link
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-06-30 19:54:22 +00:00
Vincent Li
4e665f6a3c dnsdist: correct xsk sample config
When using /etc/rc.d/init.d/dnsdist to start dnsdist with the sample
xsk config, it results in a startup error [0]. Correct the xsk sample config.

[0]: https://github.com/PowerDNS/pdns/discussions/15713

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-06-25 16:17:36 +00:00
Vincent Li
279f1e8e86 knot: upgrade to 3.4.7 and add kxdpgun
Enable XDP to add the kxdpgun utility for dnsdist AF_XDP performance testing [0].

[0]: https://www.dnsdist.org/advanced/xsk.html

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-06-23 18:41:56 +00:00
Vincent Li
b78ee945cd xdp-tools: add dnsdist XDP program
upgrade xdp-tools to 1.5.5 and add dnsdist_xdp.bpf.o
for dnsdist xsk AF_XDP

xdp-loader load green0 -P 90 -p /sys/fs/bpf/dnsdist \
    -n xdp_dns_filter /usr/lib/bpf/dnsdist_xdp.bpf.o

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-06-21 17:40:40 +00:00
Vincent Li
d81f2b838e dnsdist: add sample xsk AF_XDP config
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-06-21 17:37:01 +00:00
Vincent Li
e51ee79752 dnsdist: move dnsdist to core package
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-06-21 17:32:06 +00:00
Vincent Li
3132f7bc78 dnsdist: enable ebpf xsk AF_XDP
upgrade to 1.9.10 and enable ebpf AF_XDP

    We use xdp-loader to load dnsdist_xdp.bpf.o for dnsdist running
    AF_XDP:

    xdp-loader load green0 -P 90 -p /sys/fs/bpf/dnsdist -n xdp_dns_filter /usr/lib/bpf/dnsdist_xdp.bpf.o

    so the xsk v4/v6 destination map would be:

    /sys/fs/bpf/dnsdist/xskDestinationsV4
    /sys/fs/bpf/dnsdist/xskDestinationsV6

    but dnsdist-xsk.cc has:

    static std::string getDestinationMap(bool isV6)
    {
      return !isV6 ? "/sys/fs/bpf/dnsdist/xsk-destinations-v4" : "/sys/fs/bpf/dnsdist/xsk-destinations-v6";
    }

    We can't use xsk-destinations-v4/v6 in dnsdist_xdp.bpf.o because a BPF map
    name cannot contain '-'; a '-' in the map definition would result in a
    compile error.

    So we patch dnsdist-xsk.cc to use xskDestinationsV4/V6, which matches the
    map names in dnsdist_xdp.bpf.o.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-06-21 17:27:52 +00:00
Vincent Li
2e3ea0ae64 pwru: ebpf pwru addon for network diagnosis
preparation for pwru:

mount -t debugfs none /sys/kernel/debug
echo 0 > /proc/sys/kernel/kptr_restrict

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-06-11 23:00:56 +00:00
Vincent Li
9d50babeb9 golang: upgrade to 1.24.4
pwru requires golang > 1.24.1

Delete the existing build/usr/lib/go directory before upgrading Go:

rm -rf build/usr/lib/go

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-06-11 22:31:03 +00:00
Vincent Li
bdee533f04 libbpf-bootstrap: base for importing libbpf-tools
Add libbpf-bootstrap as a base to import bcc libbpf-tools.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-05-23 20:05:48 +00:00
Vincent Li
465f1e2328 Perl: add Net-ISP-Balance addon
Perl Net-ISP-Balance can be used for ISP Internet connection
load balancing [0]; it depends on the Net-Netmask module.

[0]: https://lstein.github.io/Net-ISP-Balance/

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-05-21 15:53:12 +00:00
Vincent Li
3b672339ef keepalived: remove keepalived.conf.sample
keepalived configuration is moved to /var/ipfire/keepalived

fix: https://github.com/vincentmli/BPFire/issues/92
Reported-by: Harvey Li <lhw365@gmail.com>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-05-21 15:53:12 +00:00
Vincent Li
33f4a2b1b1 haproxy: remove /etc/haproxy/haproxy.cfg
Remove /etc/haproxy/haproxy.cfg since lfs/haproxy
installs haproxy.cfg to /var/ipfire/haproxy.

fix: https://github.com/vincentmli/BPFire/issues/92
Reported-by: Harvey Li <lhw365@gmail.com>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-05-21 15:53:12 +00:00
Vincent Li
0879d828a7 README: use TLS url for bpfire.net
2025-05-21 15:53:12 +00:00
Vincent Li
1726f3bd3b strace: sync strace 6.12 upgrade from ipfire
sync strace upgrade from ipfire strace 6.12

fix: https://github.com/vincentmli/BPFire/issues/90
Reported-by: Harvey Li <lhw365@gmail.com>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-05-21 15:53:12 +00:00
Vincent Li
18ec4f2b87 udev: sync update from ipfire
commit d19b71301d08db94341eae1d62500a928a8f6712
Author: Arne Fitzenreiter <arne_f@ipfire.org>
Date:   Thu Dec 26 10:19:20 2024 +0100

    udev: patch to handle pidfs and bcachefs

    this is needed to build udev with kernel 6.12 headers

    Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

fix: https://github.com/vincentmli/BPFire/issues/89
Reported-by: Harvey Li <lhw365@gmail.com>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-05-21 15:53:03 +00:00
Vincent Li
93a5a7af7b xdp-tools: rebased on upstream 1.5.4
Included recent changes:

1. fix for xdp-dns for [0]
2. tc-loader to load tc eBPF programs

[0]: https://github.com/vincentmli/BPFire/issues/87

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-05-14 20:35:57 +00:00
Vincent Li
25421aed06 logo: add missing bpfire logo
commit f89feeb19 "kernel: use BPFire logo in kernel" replaced the
ipfire logo with the bpfire logo, but forgot to add the bpfire logo
file and remove the ipfire logo file.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-05-10 03:38:17 +00:00
Vincent Li
c25bc27049 dnsdist: upgrade to 1.9.9
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-05-09 20:19:42 +00:00
Vincent Li
58e92cbb36 loxilb: upgrade to 0.9.8.3
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-05-09 20:19:42 +00:00
Vincent Li
8af09f38e0 README: update README
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-05-09 20:19:35 +00:00
Vincent Li
e2856c1c7e loxilb-tc: remove loxilb-tc
loxilb 0.9.8 loads the tc BPF program through libbpf,
so the iproute tc utility is not needed.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-03-03 17:19:15 +00:00
Vincent Li
83cf08dfa0 loxilb: upgrade loxilb to 0.9.8.1
The 0.9.8.1 release works around a Linux kernel 6.12 BPF
verifier issue.

git clone --recurse-submodules --branch v0.9.8.1 https://github.com/loxilb-io/loxilb.git
cd loxilb
go mod vendor
cd ..
mv loxilb loxilb-0.9.8.1
tar czvf loxilb-0.9.8.1.tar.gz loxilb-0.9.8.1

see https://github.com/loxilb-io/loxilb/issues/953

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-03-03 17:14:47 +00:00
Vincent Li
0e2047f080 linux: enable bootparam hardlockup/softlockup
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-02-23 04:36:14 +00:00
Vincent Li
1cbd76f718 linux: upgrade kernel to 6.12.5
The loxilb dev branch has a fix for kernel 6.12. Now
we can upgrade the kernel to 6.12.5.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-02-11 23:44:14 +00:00
Vincent Li
fe2ad5da66 loxilb: upgrade to loxilb dev main branch
Test out the new loxilb with the fix for the kernel 6.12 issue:

git clone --recurse-submodules https://github.com/loxilb-io/loxilb.git
mv loxilb loxilb-0.9.9
tar czvf loxilb-0.9.9.tar.gz loxilb-0.9.9
mv loxilb-0.9.9.tar.gz <BPFire source>/cache

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-02-11 23:40:53 +00:00
Vincent Li
f3881747be loxilb: change default loxilb firewall setting
loxilb 0.9.8 requires the --egress flag on the firewall
rule to masquerade/SNAT the GREEN network source IP
for Internet access. To access a host in the RED network,
another firewall rule is required; see [0].

[0]: https://github.com/loxilb-io/loxilb/issues/957

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-02-10 16:44:58 +00:00
Vincent Li
2daee785d4 lunatik: remove lunatik
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-02-04 17:07:13 +00:00
Vincent Li
064136634c linux: downgrade kernel to 6.10.11
workaround https://github.com/vincentmli/BPFire/issues/75

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-02-04 16:56:51 +00:00
Vincent Li
b040fb1c8a llvm-project: upgrade to 19.1.7
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-02-04 16:47:07 +00:00
Vincent Li
4e9bff5b57 loxicmd: upgrade loxicmd to 0.9.8
git clone --branch v0.9.8 https://github.com/loxilb-io/loxicmd.git
cd loxicmd
go mod vendor
cd ..
mv loxicmd loxicmd-0.9.8
tar czvf loxicmd-0.9.8.tar.gz loxicmd-0.9.8

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-01-29 16:27:08 +00:00
Vincent Li
017a03c86b loxilb: upgrade loxilb to 0.9.8
When upgrading loxilb to 0.9.7, we ran
into issue https://github.com/loxilb-io/loxilb/issues/948

The following method of preparing the loxilb source tarball
resolves the issue:

git clone --recurse-submodules --branch v0.9.8 https://github.com/loxilb-io/loxilb.git
cd loxilb
go mod vendor
cd ..
mv loxilb loxilb-0.9.8
tar zcvf loxilb-0.9.8.tar.gz loxilb-0.9.8
mv loxilb-0.9.8.tar.gz <BPFire source>/cache/

fix: https://github.com/vincentmli/BPFire/issues/74

Also backported libbpf 1.2.3 loongarch64 to libbpf 0.8
for loxilb.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-01-29 01:19:21 +00:00
Vincent Li
bad31e01b9 xdp-tools: xdpsni/xdpdns init bpf path argument
Now x86 and loongarch64 share the same user-space
xdp_sni and xdp_dns programs with a path argument to the
BPF map; change the xdpsni and xdpdns init scripts
to pass the BPF path argument.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-01-12 03:42:49 +00:00
Vincent Li
17d49c9d64 linux: upgrade kernel to 6.12.5
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2025-01-02 18:11:19 +00:00
Vincent Li
0ba17ebe5d lfs/linux: perf tool install missed
The perf tool is built along with Linux, but we
missed installing the perf tool in the image.

fix: https://github.com/vincentmli/BPFire/issues/65

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-12-03 03:46:09 +00:00
Vincent Li
1bfeb4b322 lfs/linux: enable CONFIG_FPROBE for multi kprobe
pwru is a utility to troubleshoot network issues,
and to speed up pwru kprobe attachment, the kernel needs
to have CONFIG_FPROBE.

Running pwru also results in:

Opening kprobe-multi: invalid argument \
(missing kernel symbol or prog's AttachType not AttachTraceKprobeMulti?)

The following is needed to avoid the above invalid argument:

    echo -1 > /proc/sys/kernel/perf_event_paranoid
    echo 0 > /proc/sys/kernel/kptr_restrict

see https://github.com/cilium/pwru/issues/460

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-12-03 02:44:14 +00:00
Vincent Li
09c182c75a xdp-tools: XDP UDP DDoS for online game protection
UDP DDoS has a pattern of flooding the game server with
random source IPs and UDP packets with random payloads. Game
server UDP traffic requires a certain payload
pattern, so this XDP program can serve as an example
of stopping UDP DDoS attacks whose UDP payload does not
match the game UDP traffic payload pattern.

without UDP DDoS protection, under DDoS attack:

BPFire UI RED Traffic: in 9xx Mbit/s.

with UDP DDoS protection, under DDoS attack:

BPFire UI RED Traffic: in 1xx Mbit/s.

Tested-by: Muhammad Haikal <eykalpirates@gmail.com>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-11-27 18:32:10 +00:00
Vincent Li
db7b863fa4 README: add image download link and discord
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-11-27 18:32:04 +00:00
Vincent Li
92324f8cbd ddos: set net.ipv4.tcp_syncookies to 1
Setting tcp_syncookies to 1 along with the iptables
SYNPROXY module reduces latency; this improves the
situation when XDP acceleration is not enabled
and iptables SYNPROXY alone handles the SYN flood
attack, see [0].

[0]: https://bugzilla.kernel.org/show_bug.cgi?id=219500

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-11-14 18:30:29 +00:00
Vincent Li
eac34c4210 ddos: disable XDP SYNACK window scale option
Disable window scaling for the XDP-generated
SYNACK in the ddos script by default.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-11-12 02:12:35 +00:00
Vincent Li
5de3f44cc7 xdp-synproxy: enable or disable window scaling
XDP-generated SYNACK TCP options with window
scaling and timestamp could intermittently cause
small packet transmission on the DDoS-protected server.
Allow the user to disable window scaling when such a
problem occurs; see [0].

[0]: https://github.com/vincentmli/xdp-tools/issues/7

Reported-by: DNSPROXY.ORG LLC <dnsproxyorg@gmail.com>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-11-12 01:22:27 +00:00
Vincent Li
20c65fa4ec kernel: enable signature force config
Kernel module signature force was disabled
for the lunatik kernel module build; enable it
for now.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-11-06 20:28:40 +00:00
Vincent Li
30d6e75af1 haproxy: add HAProxy UI draft patch
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-11-06 19:09:21 +00:00
Vincent Li
d94f83d1bf haproxy: add safe call to haproxy init script
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-30 16:52:28 +00:00
Vincent Li
0a726a99ac haproxy: move haproxy to core package
move haproxy to core package

prepare /var/ipfire/haproxy for haproxy UI, use
/var/ipfire/haproxy/haproxy.cfg

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-28 02:44:48 +00:00
Vincent Li
a600787c67 xdp-synproxy: drop IP don't fragment check
When the XDP DDoS syncookie program is attached
to the red0 interface, green network clients' Internet
connections to websites like gmail/youtube... failed.
This is because these sites do not have the IP DF flag
set on each TCP packet, and the syncookie_xdp program
would drop these packets when they arrived at the red0
interface.

see https://github.com/vincentmli/BPFire/issues/59

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-25 20:35:33 +00:00
Vincent Li
b935dd5b1d xdp-sni UI: allow UI to enable/disable XDP SNI
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-22 18:48:33 +00:00
Vincent Li
25da9eb467 ddos: Load/Attach XDP DDoS when reboot
fix: https://github.com/vincentmli/BPFire/issues/58

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-22 18:48:11 +00:00