bpfire

mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-22 17:02:58 +02:00

Author	SHA1	Message	Date
Vincent Li	dc97ffb40e	lunatik: Unknown symbol in module lunatik requires lunatik_sym.h before build generate the symbols in chroot build. remove lunatik_sym.h in origin lunatik source Makefile root@r210:/home/vincent/go/src/github.com/vincentmli/BPFire/cache/lunatik-5.3.2# git diff diff --git a/Makefile b/Makefile index ec172541..1c72f3e1 100644 --- a/Makefile +++ b/Makefile @@ -3,14 +3,14 @@ MODULES_INSTALL_PATH = /lib/modules/${shell uname -r} SCRIPTS_INSTALL_PATH = /lib/modules/lua -LUNATIK_INSTALL_PATH = /usr/local/sbin -LUA_API = lua/lua.h lua/lauxlib.h lua/lualib.h +LUNATIK_INSTALL_PATH = /usr/sbin +LUNATIK_EBPF_INSTALL_PATH = /usr/lib/bpf KDIR ?= ${MODULES_INSTALL_PATH}/build RM = rm -f MKDIR = mkdir -p -m 0755 INSTALL = install -o root -g root -all: lunatik_sym.h +all: ${MAKE} -C ${KDIR} M=${PWD} CONFIG_LUNATIK=m \ CONFIG_LUNATIK_RUN=m CONFIG_LUNATIK_RUNTIME=y CONFIG_LUNATIK_DEVICE=m \ CONFIG_LUNATIK_LINUX=m CONFIG_LUNATIK_NOTIFIER=m CONFIG_LUNATIK_SOCKET=m \ @@ -46,6 +46,7 @@ examples_install: ${INSTALL} -m 0644 examples/echod/.lua ${SCRIPTS_INSTALL_PATH}/examples/echod ${MKDIR} ${SCRIPTS_INSTALL_PATH}/examples/filter ${INSTALL} -m 0644 examples/filter/.lua ${SCRIPTS_INSTALL_PATH}/examples/filter + ${INSTALL} -m 0644 examples/filter/.o ${LUNATIK_EBPF_INSTALL_PATH} ${MKDIR} ${SCRIPTS_INSTALL_PATH}/examples/dnsblock ${INSTALL} -m 0644 examples/dnsblock/.lua ${SCRIPTS_INSTALL_PATH}/examples/dnsblock ${MKDIR} ${SCRIPTS_INSTALL_PATH}/examples/dnsdoctor @@ -69,7 +70,3 @@ install: scripts_install modules_install uninstall: scripts_uninstall modules_uninstall depmod -a - -lunatik_sym.h: $(LUA_API) - ${shell ./gensymbols.sh $(LUA_API) > lunatik_sym.h} - Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-15 18:48:48 +00:00
Vincent Li	133baf8fc0	lunatik : kernel config change kernel requires module to be signed, disable force signing for now. insmod: ERROR: could not insert module /lib/modules/6.6.15-ipfire/lunatik/lunatik.ko: Key was rejected by service set CONFIG_MODULE_SIG_FORCE=n failed to validate module [lunatik] BTF: -22 set CONFIG_MODULE_ALLOW_BTF_MISMATCH=y Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-15 18:41:35 +00:00
Vincent Li	c690c0c447	lunatik: add lunatik addon lunatik has LuaXDP that supports scripting XDP for TLS SNI parsing and many other scripting featuers for kernel. see lunatik build workaround in detail https://github.com/luainkernel/lunatik/issues/189 https://github.com/vincentmli/BPFire/issues/40 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-14 22:46:06 +00:00
Vincent Li	74cf8a3943	xdp-tools: add XDP DNS domain denylist upgrade xdp-tools and add XDP DNS domain denylist bpf and user space program. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-12 17:12:16 +00:00
Vincent Li	acc96d0726	kernel: enable CONFIG_DEBUG_FS allow syscall tracing with eBPF like bcc libbpf-tools opensnoop to trouble shoot open syscall for UI user nobody unable to run loxicmd save -a -c /var/ipfire/loxilib/ see https://github.com/vincentmli/BPFire/issues/30 mount -t debugfs none /sys/kernel/debug/ Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-07-13 02:14:51 +00:00
Vincent Li	56a1588f96	vim: Disable vim automatic visual mode on mouse select when mouse select, vim automatically turns into visual mode, this is not convienent when copy and paste in vim with mouse select. create this setting for root user. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-07-09 02:41:58 +00:00
Vincent Li	aa7d243558	langs: installer/setup Chinese translation complete the chinese translation referenced below https://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=ca149dc8e2e24f3cfcf7bbc1e2333b2b6d43e0e4 Asked ChatGPT to translate English in msgid to msgstr in Chinese and ChatGPT did the translation automatically with correct format. copied from ChatGPT and pasted in po.zh Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-07-09 01:47:46 +00:00
Vincent Li	02724e7427	LoxiLB: enable firewall SNAT for green network when loxilb is enabled and started, enable the firewall SNAT for green network so green network could have initiate outgoing traffic like internet access. we can achieve this by restoring firewall SNAT setting from default /var/ipfire/loxilb/FWconfig.txt when loxilb start up with --config-path=/var/ipfire/loxilb thanks to the enhancement addressed in issue: https://github.com/loxilb-io/loxilb/issues/706 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-07-09 01:47:46 +00:00
Vincent Li	0f54cfef92	keepalived/ipvs: move ipvsadm to core package prepare keepalived with ipvs for layer 4 load balancer Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-07-02 20:52:49 +00:00
Vincent Li	fa69bf1da3	openssh: update openssh due to CVE-2024-6387 Update from version 9.7p1 to 9.8p1 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-07-02 19:36:16 +00:00
Vincent Li	e7e1e67fc7	initscripts: start loxilb keepalived after reboot When loxilb and keepalived are enabled, after BPFire rebooted, loxilb and keepalived failed to start and shows as "STOPPED" from UI, this is not expected since we want to loxilb and keepalived to continue to be enabled after reboot based on the enabled state of loxilb and keepalived before reboot. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-07-01 17:30:54 +00:00
Vincent Li	6f8ab2d9ec	menu: remove pakfire menu pakfire addon install may cause conflict with BPFire, remove it for now. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-06-30 15:05:49 +00:00
Vincent Li	2cddcb14f6	keepalived: add keepalivedctrl program Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-06-29 20:57:01 +00:00
Vincent Li	ed89f965bf	keepalived UI: add keepalived UI BPFire red0 does not support multicast, need to have unicast peer configured, then the virtual ipaddress can be added to red0 interface. the UI requires /var/ipfire/keepalived/runsettings /var/ipfire/keepalived/settings to be created, so add them lfs/configroot Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-06-29 20:55:28 +00:00
Vincent Li	5955087887	keepalived: move keepalived to core package change keepalived default config to /var/ipfire/keepalived/keepalived.conf so keepalived WebUI could read/write the configuration file. also add /var/ipfire/keepalived directory Signed-off-by: Vincent Li <vincent.mc.li@gmail.com> keepalived: create /var/ipfire/keepalived	2024-06-29 19:13:10 +00:00
Vincent Li	61d054216d	LoxiLB UI: select virtual ip from red0 interface since we added loxilb ip management to add ip on red0 interface, we can select the virtual ip from red0 interface. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-06-20 02:49:02 +00:00
Vincent Li	3f1e411f95	move tcpdump and strace to core package tcpdump and strace are essential for trouble shooting ship it as core package Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-06-18 03:14:29 +00:00
Vincent Li	0003dd9c8c	Loxilb UI: add loxilb firewall UI Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-06-13 04:22:02 +00:00
Vincent Li	8608700ba9	menu: adjust menu titles Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-06-01 14:15:48 +00:00
Vincent Li	6994edf40b	Add loxilb lb config UI Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-06-01 14:15:41 +00:00
Vincent Li	f60a419e84	BPFire menu re-arrange Re-arrange the menu to have BPF centric main menu, this also easy the developing of loxilb load balancer GUI since loxilb will have multiple functions like enable loxilb, create loxilb lb, create loxilb ip ...etc, so each loxilb function has their own CGI UI. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-05-29 18:18:31 +00:00
Vincent Li	9c58dcd145	Add WebUI loxilb.cgi for ebpf load balancer Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-05-27 18:23:17 +00:00
Vincent Li	a9c944483b	Add loxilb load balancer menu run command below when update language menu perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang" Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-05-27 18:23:17 +00:00
Vincent Li	61caf1c5eb	Add loxilb safe call program when rebuild image: do rm log/misc-progs Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-05-27 18:23:17 +00:00
Vincent Li	0c2b510130	add loxilb start/stop init script and settings when rebuid the image, do: rm log/configroot rm log/initscripts Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-05-27 18:23:09 +00:00
Vincent Li	fb763397b4	loxilb: add loxilb load balancer addon build loxilb in BPFire requires golang 1.22.0, but then had issue [0], run go mod vendor to prepare the loxilb to download golang dependencies package beforehand to avoid issue [0] loxilb-ebpf build also requires gnu/stubs-32.h use [1] as workaround [0]: https://github.com/vincentmli/BPFire/issues/18 [1]: https://github.com/vincentmli/BPFire/issues/16 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-05-13 18:00:30 +00:00
Vincent Li	927b3dfe54	loxicmd addon Avoid downloading golang dependency packages during build time due to issue [0], run go mod vendor so loxicmd source include vendor directory to include golang dependency packages [0]: https://github.com/vincentmli/BPFire/issues/18 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-05-13 14:33:10 +00:00
Vincent Li	0000eed295	Add Loxilb ntc and libmd libbsd addon Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-05-11 17:41:01 +00:00
Vincent Li	49df562431	ebpf: Enable kernel BPF_EVENTS loxilb or other ebpf program could use bpf_printk for debugging, bpf_printk requires BPF_EVENTS to be enabled, see [0] [0] https://github.com/loxilb-io/loxilb/issues/666#issuecomment-2097850413 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-05-08 03:26:51 +00:00
Vincent Li	d544247a53	linux: change kernel NR_CPUS to 512 loxilb MAX_CPUS for cpu_map set to 128, BPFire original NR_CPUS 64 result in error: libbpf: map 'cpu_map': failed to create: Argument list too long see https://github.com/loxilb-io/loxilb/issues/661 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-05-03 16:56:06 +00:00
Vincent Li	04cb6cc6ff	libbpf: switch to libbpf 0.8.3 use libbpf 0.8.3 for loxilb Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-05-03 16:52:40 +00:00
Vincent Li	be1fc5ce77	xdp-tools: add xdp-udp Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-04-24 00:48:04 +00:00
Vincent Li	fcdc42ea40	ddos.cgi add DNS DDoS UI Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-04-18 02:29:27 +00:00
Vincent Li	9a53289a23	ddos.cgi add UDP DDoS WebUI Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-04-17 00:17:41 +00:00
Vincent Li	d7544e6192	Enable kernel BPF without tracing capability enable kernel BPF XDP/TC capability, no tracing Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-04-09 01:50:14 +00:00
Vincent Li	d9a8ed29e8	Revert "Enable kernel BPF/BTF" We need to disable BPF trace capability and disallow unprivileged BPF so This reverts commit `d0bd3cc033`. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-04-08 19:32:11 +00:00
Vincent Li	9f86b661cb	Add xdp dns rate limit program with bpf_printk deleted XDP dns rate limit program has static tail call which requires revert xdp-tool commit: (039bdea "xdp-loader: Only load the BPF program we need from object files") XDP dns rate limit program also uses bpf_printk helper which is not supported on FireBeeOS since kernel CONFIG_BPF_EVENTS which allows user to do kprobe, uprobe, tracepoint is not enabled, so bpf_printk helper is not available, so removed bpf_printk see discussion in [0] xdp-loader load xdp program with bpf tail call result in Bad file descriptor(-9) [0] https://github.com/xdp-project/xdp-tools/issues/377 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-04-08 19:15:32 +00:00
Vincent Li	35f1987b14	Revert "Add ecapture add-on" This reverts commit `0864b3a5ba`. User might be concerned firewall admin user capture SSL clear text, so remove ecapture. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-04-07 15:22:00 +00:00
Vincent Li	7b90358c1e	Add missing xdp-tools utilities Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-04-06 18:43:15 +00:00
Vincent Li	ef347b3a28	Revert "Enable serial console in default grub" This reverts commit `7773f82726`. After ISO installation in real hardware and reboot, the boot process appears to be "stucking" in "dracut: Switching root". see https://github.com/vincentmli/FireBeeOS/issues/1 revert the commit resolves the issue, I suspect maybe the output after "dractu: Switching root" is directed to serial console? anyway revert this change temporarily. flash image build still need to have serial console access for better user experience when trying flash image in KVM/Libvirt virtual environment. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-04-06 18:43:15 +00:00
Vincent Li	9353496864	Add ddosctrl program for safe execution add ddosctrl to start/stop/status XDP program from ddos.cgi safely. permission of ddosctrl chown root.nobody /usr/local/bin/ddosctrl chmod u+s /usr/local/bin/ddosctrl result: -rwsr-x--- 1 root nobody 14672 Mar 19 09:58 /usr/local/bin/ddosctrl Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-03-20 17:42:30 +00:00
Vincent Li	936c1a4fa0	Add XDP program load/unload script Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-03-20 17:42:30 +00:00
Vincent Li	8e4e24a9b9	Add XDP DDoS ddos.cgi Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-03-20 17:42:07 +00:00
Vincent Li	31f89d1813	Add eBPF XDP DDoS menu Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-03-16 15:54:04 +00:00
Vincent Li	e48a29a3f1	Add XDP SYNPROXY rules in raw and filter table XDP SYNPROXY requires setting up iptables rule in raw table PREROUTING chain and filter table INPUT chain. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-03-16 03:26:18 +00:00
Vincent Li	0864b3a5ba	Add ecapture add-on Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-03-01 04:08:02 +00:00
Vincent Li	05ac4be397	add bpftool and re-arrange lfs build order add lfs bpftool from [0] first to meet lfs xdp-tools requirement. also re-arrange BPF related add-on build order to meet lfs knot build since it requires XDP xsk.h [0] https://github.com/libbpf/bpftool/releases/download/v7.3.0/bpftool-libbpf-v7.3.0-sources.tar.gz Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-03-01 04:08:02 +00:00
Vincent Li	45f0a5d543	Add lfs libbpf 1.3.0 add-on follow [0] to add libbpf add-on for bpf user space program to open,load,attach bpf program. to build libbpf add-on, follow [1] first, then follow [0] [0] https://www.ipfire.org/docs/devel/ipfire-2-x/addon-howto [1] https://www.ipfire.org/docs/devel/ipfire-2-x/build-howto Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-03-01 04:08:01 +00:00
Vincent Li	e97d70d152	Add bpftool bpftool comes with Linux kernel source and it is handy to have bpftool on ipfire kernel with BPF/BTF enabled to diagnosis BPF related issue. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-03-01 04:08:01 +00:00
Vincent Li	d0bd3cc033	Enable kernel BPF/BTF enable kernel BPF/BTF build for ebpf/XDP program packet filtering see hack in [1] [1] https://community.ipfire.org/t/how-to-customize-config-kernel-kernel-config-x86-64-ipfire/11100/7 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-03-01 04:08:01 +00:00

1 2 3 4 5 ...

11730 Commits