bpfire

mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-09 18:45:54 +02:00

Author	SHA1	Message	Date
Vincent Li	fe2ad5da66	loxilb: upgrade to loxilb dev main branch test out the new loxilb with fix for kernel 6.12 issue git clone --recurse-submodules https://github.com/loxilb-io/loxilb.git mv loxilb loxilb-0.9.9 tar czvf loxilb-0.9.9.tar.gz loxilb-0.9.9 mv loxilb-0.9.9.tar.gz <BPFire source>/cache Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-02-11 23:40:53 +00:00
Vincent Li	f3881747be	loxilb: change default loxilb firewall setting loxilb 0.9.8 requires --egress flag for firewall rule to masquerade/SNAT GREEN network source IP for Internet access. to access host in RED network another firewall rule is required. see [0]. [0]: https://github.com/loxilb-io/loxilb/issues/957 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-02-10 16:44:58 +00:00
Vincent Li	2daee785d4	lunatik: remove lunatik Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-02-04 17:07:13 +00:00
Vincent Li	064136634c	linux: downgrade kernel to 6.10.11 workaround https://github.com/vincentmli/BPFire/issues/75 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-02-04 16:56:51 +00:00
Vincent Li	b040fb1c8a	llvm-project: upgrade to 19.1.7 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-02-04 16:47:07 +00:00
Vincent Li	4e9bff5b57	loxicmd: upgrade loxicmd to 0.9.8 git clone --branch v0.9.8 https://github.com/loxilb-io/loxicmd.git cd loxicmd go mod vendor cd .. mv loxicmd loxicmd-0.9.8 tar czvf loxicmd-0.9.8.tar.gz loxicmd-0.9.8 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-01-29 16:27:08 +00:00
Vincent Li	017a03c86b	loxilb: upgrade loxilb to 0.9.8 when upgrading loxilb to 0.9.7, running into issue https://github.com/loxilb-io/loxilb/issues/948 following method to prepare the loxilb source tar ball resolves the issue git clone --recurse-submodules --branch v0.9.8 https://github.com/loxilb-io/loxilb.git cd loxilb go mod vendor cd .. mv loxilb loxilb-0.9.8 tar zcvf loxilb-0.9.8.tar.gz loxilb-0.9.8 mv loxilb-0.9.8.tar.gz <BPFire source>/cache/ fix: https://github.com/vincentmli/BPFire/issues/74 also backported libbpf 1.2.3 lonngarch64 to libbpf 0.8 for loxilb Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-01-29 01:19:21 +00:00
Vincent Li	bad31e01b9	xdp-tools: xdpsni/xdpdns init bpf path argument now x86 and loongarch64 share same user space xdp_sni xdp_dns program with path argument to bpf map, change xdpsni and xdpdns init script with bpf path argument. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-01-12 03:42:49 +00:00
Vincent Li	17d49c9d64	linux: upgrade kernel to 6.12.5 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-01-02 18:11:19 +00:00
Vincent Li	0ba17ebe5d	lfs/linux: perf tool install missed perf tool is built alone with Linux, but missed to install the perf tool in image fix: https://github.com/vincentmli/BPFire/issues/65 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-12-03 03:46:09 +00:00
Vincent Li	1bfeb4b322	lfs/linux: enable CONFIG_FPROBE for multi kprobe pwru is an utility to trouble shoot network issue, and to speed up pwru kprobe attachement, kernel needs to have CONFIG_FPROBE. running pwru also result in: Opening kprobe-multi: invalid argument \ (missing kernel symbol or prog's AttachType not AttachTraceKprobeMulti?) need following to avoid above invalid argument echo -1 > /proc/sys/kernel/perf_event_paranoid echo 0 > /proc/sys/kernel/kptr_restrict see https://github.com/cilium/pwru/issues/460 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-12-03 02:44:14 +00:00
Vincent Li	09c182c75a	xdp-tools: XDP UDP DDoS for online game protection UDP DDoS has pattern of flooding game server with random source IP and UDP with random payload. game server UDP traffic requires certain payload pattern, so this XDP program can serve as example to stop UDP DDoS attack with UDP payload that does not match game UDP traffic payload pattern. without UDP DDoS protection, under DDoS attack: BPFire UI RED Traffic: in 9xx Mbit/s. with UDP DDoS protection, under DDoS attack: BPFire UI RED Traffic: in 1xx Mbit/s. Tested-by: Muhammad Haikal <eykalpirates@gmail.com> Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-11-27 18:32:10 +00:00
Vincent Li	db7b863fa4	README: add image download link and discord Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-11-27 18:32:04 +00:00
Vincent Li	92324f8cbd	ddos: set net.ipv4.tcp_syncookies to 1 set tcp_syncookies to 1 alone with iptables SYNPROXY module reduce latency, this improves situation when XDP acceleration is not enabled and just let iptables SYNPROXY handles SYN flood attack, see [0] [0]: https://bugzilla.kernel.org/show_bug.cgi?id=219500 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-11-14 18:30:29 +00:00
Vincent Li	eac34c4210	ddos: disable XDP SYNACK window scale option disable window scaling for XDP generated SYNACK in ddos script by default Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-11-12 02:12:35 +00:00
Vincent Li	5de3f44cc7	xdp-synproxy: enable or disable window scaling XDP generated SYNACK tcp options with window scaling and timestamp could intermittently cause small packet transmission on DDoS protected server. allow user to disable window scaling when such problem occurs. see [0] [0]: https://github.com/vincentmli/xdp-tools/issues/7 Reported-by: DNSPROXY.ORG LLC <dnsproxyorg@gmail.com> Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-11-12 01:22:27 +00:00
Vincent Li	20c65fa4ec	kernel: enable signature force config Kernel module signature force is disabled for lunatik kernel module build, enable it for now. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-11-06 20:28:40 +00:00
Vincent Li	30d6e75af1	haproxy: add HAProxy UI draft patch Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-11-06 19:09:21 +00:00
Vincent Li	d94f83d1bf	haproxy: add safe call to haproxy init script Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-30 16:52:28 +00:00
Vincent Li	0a726a99ac	haproxy: move haproxy to core package move haproxy to core package prepare /var/ipfire/haproxy for haproxy UI, use /var/ipfire/haproxy/haproxy.cfg Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-28 02:44:48 +00:00
Vincent Li	a600787c67	xdp-synproxy: drop IP don't fragment check When XDP DDoS syncookie program is attached to red0 interface, green network client internet connection to website like gmail/youtube... failed. it is because these sites does not have IP DF flag set for each tcp packet, and syncookie_xdp program would drop these packets when they arrived at red0 interface. see https://github.com/vincentmli/BPFire/issues/59 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-25 20:35:33 +00:00
Vincent Li	b935dd5b1d	xdp-sni UI: allow UI to enable/disable XDP SNI Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-22 18:48:33 +00:00
Vincent Li	25da9eb467	ddos: Load/Attach XDP DDoS when reboot fix: https://github.com/vincentmli/BPFire/issues/58 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-22 18:48:11 +00:00
Vincent Li	eadd074122	README: add Suricata multi XDP attachment support Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-18 20:04:35 +00:00
Vincent Li	8b29912521	suricata-xdp: resolve memlock and stack smashing suricata XDP support requires xdp-tools with libbpf 1.4 to resolve stack smash issue. also workaround memlock operation not permitted by running suricata as root since load/attach XDP program requires root privilige anyway. see: https://github.com/vincentmli/BPFire/issues/54 Usage scenario: since suricata IPS XDP capture mode works as layer 2 bridge, BPFire netfilter firewall, NAT IP route will be bypassed. no IP address should be assigned to red0 and green0 interface. 172.16.1.0/24 inline 172.16.1.0/24 red network<-->red0(xdp)<-->green0(xdp)<-->green network we can run setup command to assign IP/Mask 0.0.0.0/0.0.0.0 to red0 and green0, then reboot BPFire, BPFire DHCP will stops working after reboot. green network client can get DHCP IP from upstream dhcp server. start suricata manually suricata -c /etc/suricata/suricata-xdp.yaml --af-packet xdp_filter.bpf program will be attached to red0 and gree0 interface not sure if we should add GUI for suricata XDP capture mode since this is not common use case. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-18 19:47:59 +00:00
Vincent Li	3e17c7b30b	xdp-tools: build xdp-tools with libbpf 1.4.6 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-18 17:16:17 +00:00
Vincent Li	40c097ff8a	libbpf: upgrade to 1.4.6 xdp-tools libxdb requires libbpf 1.4.0 and above to fix stack smashing issue. see: https://github.com/xdp-project/xdp-tools/issues/446 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-18 17:16:09 +00:00
Vincent Li	1eceb143ed	suricata: add suricata ebpf xdp capture mode Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-17 02:11:19 +00:00
Vincent Li	f689a70b7e	Revert "Revert "lunatik: 'bpf_luaxdp_run': BTF not found in kernel"" This reverts commit `0e29b73703`. switch to libbpf 1.3	2024-10-15 15:25:50 +00:00
Vincent Li	88e5d0aba7	xdp-geoip: move location block sub menu to BPFire Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-14 01:45:39 +00:00
Vincent Li	8d6014683f	xdp-geoip: safe call to xdpgeoip init script Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-13 20:59:48 +00:00
Vincent Li	9c28bd419d	xdp-geoip: Add XDP GeoIP location init Add XDP GeoIP country/region location block init script Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-13 20:35:44 +00:00
Vincent Li	1bf1cdc190	xdp-geoip UI: location block ipset to XDP change location-block UI from calling ipset to calling xdp_geoip to update geoip_map bpf map. see https://github.com/vincentmli/BPFire/issues/53 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-13 03:05:01 +00:00
Vincent Li	86a9264a25	xdp-geoip: add XDP GeoIP program Add XDP GeoIP program to do location IP block in XDP. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-12 20:33:12 +00:00
Vincent Li	f204528cf4	README: Add XDP GeoIP/Country blocklist Vincent Li <vincent.mc.li@gmail.com>	2024-10-12 18:58:01 +00:00
Vincent Li	b21febe3e1	xdp-sni UI: XDP TLS/SSL SNI UI management XDP TLS/SSL SNI UI to manage the web blocklist Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-09 20:38:13 +00:00
Vincent Li	a118df6060	xdp-sni: switch LPM trie map to hash map switch xdp_sni.bpf.o LPM trie map to hash map to reduce code complexity and avoid verifier error now need to add domain and its sub domain to hash map to block each domain and its sub domain site. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-09 02:48:38 +00:00
Vincent Li	5db52b1717	xdp-sni UI: XDP TLS/SSL SNI log view from UI Signed-off-by: Vincent Li <vincent.mc.li@gmail.com.	2024-10-09 00:34:07 +00:00
Vincent Li	e6ac495dfb	xdp-sni: safe call wrapper program to xdpsni init safe call wrapper program to xdpsni init script for UI to call Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-08 17:41:17 +00:00
Vincent Li	34f9da85dd	xdp-sni: add XDP TLS SNI init script xdpsni add xdpsni init script and enable XDP TLS SNI by default on first boot and reboot. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-08 02:21:17 +00:00
Vincent Li	d334d39e3f	xdp-sni: add XDP TLS SNI logging add XDP TLS SNI logging with bpf ringbuf drop xdp_sni.bpf.o reverse_string due to bpf verifier complaining program is too large. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-08 01:05:01 +00:00
Vincent Li	07c6172576	xdp-dns: missing xdpdns-settings and domainfile add the missing config/cfgroot/xdpdns-settings file and use ENABLE_DNSBLOCK=on by default, so XDP DNS Blocklist is enabled by default. also add domainfile so when BPFire reboot first time and when xdpdns init startup, it will not complain missing domainfile Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-07 03:01:36 +00:00
Vincent Li	4d6f8d68a3	xdp-dns UI: change running state check Status relies on checking if xdp_dns_log is running, but xdp_dns_log could mysteriously disappear at some point, which result in XDP DNS Blocklist shows Stopped, let /etc/rc.d/init.d/xdpdns status relies on if the xdp_dns_denylist XDP program is still attached to green0 interface. two related issues https://github.com/vincentmli/BPFire/issues/50 https://github.com/vincentmli/BPFire/issues/49 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-05 23:17:26 +00:00
Vincent Li	4c2fd11de2	xdp-dns UI: rename deny to blocklist Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-05 21:37:04 +00:00
Vincent Li	8b3cdb2ebe	xdp-tools: fix xdp-dns XDP program byte reverse domain name in xdp_dns.bpf.o not reversed properly result in domain name mismatch with domain inserted from user space xdp_dns Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-04 21:36:09 +00:00
Vincent Li	2c233eac63	xdp-dns log UI: view DNS query log allow user to view DNS query logged by xdp_dns_log from UI Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-04 21:36:03 +00:00
Vincent Li	2f4174b560	xdp-dns: xdpdns init script to populate denylist run xdp_dns in xdpdns init script to populate domain_denylist from domainfile saved from UI. either xdpdns restart or bpfire reboot, the domain_denylist is restored with domain blocklist Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-04 17:31:12 +00:00
Vincent Li	ccf49b1105	xdp-dns: update xdp_dns to correct map change xdp_dns to use /sys/fs/bpf/xdp-dns-denylist/domain_denylist Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-04 04:06:00 +00:00
Vincent Li	a165595116	xdp-dns: allow UI to run xdp_dns to update map Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-04 04:06:00 +00:00
Vincent Li	cdbaa41364	xdp-dns UI: web interface to add XDP DNS blocklist Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-10-04 04:05:53 +00:00

1 2 3 4 5 ...

21630 Commits