Test out the new loxilb with the fix for the kernel 6.12 issue
git clone --recurse-submodules https://github.com/loxilb-io/loxilb.git
mv loxilb loxilb-0.9.9
tar czvf loxilb-0.9.9.tar.gz loxilb-0.9.9
mv loxilb-0.9.9.tar.gz <BPFire source>/cache
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
A UDP DDoS has the pattern of flooding a game server from
random source IPs with UDP packets carrying random payloads. Game
server UDP traffic requires a certain payload
pattern, so this XDP program can serve as an example
of stopping a UDP DDoS attack whose UDP payload does not
match the game UDP traffic payload pattern.
Without UDP DDoS protection, under DDoS attack:
BPFire UI RED Traffic: in 9xx Mbit/s.
With UDP DDoS protection, under DDoS attack:
BPFire UI RED Traffic: in 1xx Mbit/s.
Tested-by: Muhammad Haikal <eykalpirates@gmail.com>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
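The payload-pattern filter the commit above describes, as an added example that is not BPFire's own XDP program: a user-space C model of the parse-and-verdict walk such a filter performs, so the bounds checks and the decision points can be read and run without a kernel. The game port (27015/udp), the 4-byte payload magic "GAME", the addresses in the constructed frames and the function names are assumptions for illustration, not values from the project; the model also handles non-first IP fragments and runt frames, which the commit text does not discuss.

```c
/* Added example (not BPFire's xdp_udp_ddos program): a user-space model of the
 * parse-and-decide walk an XDP UDP flood filter performs. Assumptions not taken
 * from the page: the protected game port is 27015/udp and legitimate game
 * traffic always begins with the 4-byte magic "GAME". */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum verdict { V_PASS = 0, V_DROP = 1 };     /* stand-ins for XDP_PASS / XDP_DROP */

#define ETH_HLEN   14
#define ETH_P_IP   0x0800
#define PROTO_UDP  17
#define GAME_PORT  27015                      /* assumption */
static const uint8_t GAME_MAGIC[4] = { 'G', 'A', 'M', 'E' };   /* assumption */

/* Every header read is bounds-checked first, as the BPF verifier would insist. */
static int have(const uint8_t *p, const uint8_t *end, size_t need)
{
    return (size_t)(end - p) >= need;
}

/* Classify one frame. Anything we cannot parse, or that is not UDP to the game
 * port, is left to the kernel stack (PASS); only game-port UDP whose payload
 * fails the pattern is dropped, so the filter never touches unrelated traffic. */
int udp_flood_verdict(const uint8_t *pkt, size_t len)
{
    const uint8_t *p = pkt, *end = pkt + len;

    if (!have(p, end, ETH_HLEN)) return V_PASS;
    uint16_t ethertype = (uint16_t)(p[12] << 8 | p[13]);
    if (ethertype != ETH_P_IP) return V_PASS;
    p += ETH_HLEN;

    if (!have(p, end, 20)) return V_PASS;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;            /* IP options enlarge the header */
    if (ihl < 20 || !have(p, end, ihl)) return V_PASS;
    if (p[9] != PROTO_UDP) return V_PASS;
    uint16_t frag = (uint16_t)(p[6] << 8 | p[7]);
    if (frag & 0x1fff) return V_PASS;                   /* non-first fragment: no UDP header */
    p += ihl;

    if (!have(p, end, 8)) return V_PASS;
    uint16_t dport   = (uint16_t)(p[2] << 8 | p[3]);
    uint16_t udp_len = (uint16_t)(p[4] << 8 | p[5]);
    if (dport != GAME_PORT) return V_PASS;
    p += 8;

    /* Game-port UDP: payload must be long enough and start with the magic. */
    if (udp_len < 8 + sizeof GAME_MAGIC) return V_DROP;
    if (!have(p, end, sizeof GAME_MAGIC)) return V_DROP;
    if (memcmp(p, GAME_MAGIC, sizeof GAME_MAGIC) != 0) return V_DROP;
    return V_PASS;
}

/* Build a constructed Ethernet/IPv4/UDP frame (checksums left zero: UDP permits
 * that, and this model does not verify the IP checksum). Returns frame length. */
size_t build_udp_frame(uint8_t *buf, size_t cap, uint32_t saddr, uint16_t dport,
                       const uint8_t *payload, size_t plen)
{
    size_t total = ETH_HLEN + 20 + 8 + plen;
    if (total > cap || plen > 1400) return 0;
    memset(buf, 0, total);
    buf[12] = 0x08; buf[13] = 0x00;                     /* EtherType IPv4 */
    uint8_t *ip = buf + ETH_HLEN;
    ip[0] = 0x45;                                       /* version 4, IHL 5 */
    ip[2] = (uint8_t)((20 + 8 + plen) >> 8); ip[3] = (uint8_t)(20 + 8 + plen);
    ip[8] = 64; ip[9] = PROTO_UDP;
    ip[12] = (uint8_t)(saddr >> 24); ip[13] = (uint8_t)(saddr >> 16);
    ip[14] = (uint8_t)(saddr >> 8);  ip[15] = (uint8_t)saddr;
    ip[16] = 10; ip[17] = 0; ip[18] = 0; ip[19] = 2;    /* dst 10.0.0.2, constructed */
    uint8_t *udp = ip + 20;
    udp[0] = 0xc0; udp[1] = 0x00;                       /* sport 49152 */
    udp[2] = (uint8_t)(dport >> 8); udp[3] = (uint8_t)dport;
    udp[4] = (uint8_t)((8 + plen) >> 8); udp[5] = (uint8_t)(8 + plen);
    memcpy(udp + 8, payload, plen);
    return total;
}

int main(void)
{
    uint8_t f[256];
    const uint8_t game[]  = { 'G', 'A', 'M', 'E', 0x01, 0x02 };     /* constructed */
    const uint8_t noise[] = { 0x9f, 0x3a, 0x77, 0x00, 0xde, 0xad }; /* constructed flood bytes */
    size_t n;

    n = build_udp_frame(f, sizeof f, 0xc0a80101u, GAME_PORT, game, sizeof game);
    printf("game packet:  %s\n", udp_flood_verdict(f, n) == V_DROP ? "DROP" : "PASS");
    n = build_udp_frame(f, sizeof f, 0x2a1b3c4du, GAME_PORT, noise, sizeof noise);
    printf("flood packet: %s\n", udp_flood_verdict(f, n) == V_DROP ? "DROP" : "PASS");
    n = build_udp_frame(f, sizeof f, 0x2a1b3c4du, 53, noise, sizeof noise);
    printf("DNS packet:   %s\n", udp_flood_verdict(f, n) == V_DROP ? "DROP" : "PASS");
    return 0;
}
```

In a real XDP program the same walk is done against the `data`/`data_end` pointers of `struct xdp_md` and returns `XDP_PASS`/`XDP_DROP`; the order of checks matters for safety, since a filter that dropped on "cannot parse" would also drop every fragment, runt or non-IPv4 frame that reaches the interface.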
XDP-generated SYN-ACK TCP options with window
scaling and timestamp could intermittently cause
small-packet transmission on the DDoS-protected server.
Allow the user to disable window scaling when such a
problem occurs. See [0].
[0]: https://github.com/vincentmli/xdp-tools/issues/7
Reported-by: DNSPROXY.ORG LLC <dnsproxyorg@gmail.com>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Move haproxy to the core package.
Prepare /var/ipfire/haproxy for the haproxy UI; use
/var/ipfire/haproxy/haproxy.cfg.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
When the XDP DDoS syncookie program is attached
to the red0 interface, green network clients' internet
connections to websites like gmail/youtube... failed.
It is because these sites do not have the IP DF flag
set for each TCP packet, and the syncookie_xdp program
would drop these packets when they arrived at the red0
interface.
See https://github.com/vincentmli/BPFire/issues/59
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Suricata XDP support requires xdp-tools with
libbpf 1.4 to resolve a stack smash issue.
Also work around "memlock operation not permitted"
by running suricata as root, since loading/attaching
an XDP program requires root privilege anyway.
See: https://github.com/vincentmli/BPFire/issues/54
Usage scenario:
Since suricata IPS XDP capture mode works as a
layer 2 bridge, the BPFire netfilter firewall, NAT and
IP routing will be bypassed. No IP address should
be assigned to the red0 and green0 interfaces.
172.16.1.0/24 inline 172.16.1.0/24
red network<-->red0(xdp)<-->green0(xdp)<-->green network
We can run the setup command to assign IP/Mask 0.0.0.0/0.0.0.0
to red0 and green0, then reboot BPFire; BPFire DHCP
will stop working after reboot. Green network clients
can get a DHCP IP from the upstream DHCP server.
Start suricata manually:
suricata -c /etc/suricata/suricata-xdp.yaml --af-packet
The xdp_filter.bpf program will be attached to the red0 and green0
interfaces.
Not sure if we should add a GUI for suricata XDP capture mode
since this is not a common use case.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Switch the xdp_sni.bpf.o LPM trie map to a hash map
to reduce code complexity and avoid a verifier error.
Now each domain and its subdomains need to be added to the hash
map to block each domain and its subdomain sites.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Add XDP TLS SNI logging with a BPF ringbuf.
Drop reverse_string from xdp_sni.bpf.o due to
the BPF verifier complaining that the program is too large.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Add the missing config/cfgroot/xdpdns-settings file
and use ENABLE_DNSBLOCK=on by default, so the XDP DNS
Blocklist is enabled by default.
Also add the domainfile so that when BPFire reboots for the first time
and xdpdns init starts up, it will not complain about a
missing domainfile.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
The domain name in xdp_dns.bpf.o is not reversed properly,
resulting in a domain name mismatch with the domain inserted
from user space by xdp_dns.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
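The class of mismatch the commit above fixes, as an added example that is neither xdp_dns.bpf.o nor the user-space xdp_dns code: the key the kernel side builds from a wire-format DNS qname and the key user space builds from a dotted domain string must come out byte-for-byte identical, or every lookup in the map misses silently, and, as with the hash map the earlier xdp_sni commit switched to, matching is exact, so each subdomain to block needs its own entry. The key convention (labels in reverse order, lowercased, joined by '.'), the 64-byte key size, the 16-label bound, the constructed query bytes and the function names are assumptions for illustration, not the project's.

```c
/* Added example (not BPFire's xdp_dns.bpf.o or xdp_dns): the map key the kernel
 * builds from a wire-format DNS qname and the key user space builds from a
 * dotted domain string must agree byte for byte, or every hash-map lookup
 * misses. Key convention is an assumption: labels reversed, lowercased, joined
 * by '.', so "www.example.com" -> "com.example.www". */
#include <stdint.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

#define DNS_HDR_LEN 12
#define MAX_NAME    64   /* fixed key size, as a BPF map key must have (assumption) */
#define MAX_LABELS  16   /* loop bound the verifier can see (assumption) */

/* Labels of the first question's qname; compression pointers are rejected (a
 * query qname never needs them). Returns label count, or -1 on malformed input. */
static int parse_qname(const uint8_t *msg, size_t len, const uint8_t *labels[], uint8_t lens[])
{
    if (len < DNS_HDR_LEN || (msg[2] & 0x80)) return -1;   /* short, or a response (QR=1) */
    if (((msg[4] << 8) | msg[5]) == 0) return -1;           /* QDCOUNT == 0 */
    size_t off = DNS_HDR_LEN;
    for (int n = 0; n < MAX_LABELS; n++) {
        if (off >= len) return -1;
        uint8_t l = msg[off];
        if (l == 0) return n;                               /* root label ends the name */
        if ((l & 0xC0) || off + 1 + l > len) return -1;     /* pointer, or truncated label */
        labels[n] = msg + off + 1;
        lens[n] = l;
        off += 1 + l;
    }
    return -1;                                              /* more labels than the bound */
}

/* Kernel-side key from the wire qname. Returns key length or -1. */
int key_from_wire(const uint8_t *msg, size_t len, char key[MAX_NAME])
{
    const uint8_t *labels[MAX_LABELS];
    uint8_t lens[MAX_LABELS];
    int n = parse_qname(msg, len, labels, lens);
    if (n <= 0) return -1;
    size_t pos = 0;
    for (int i = n - 1; i >= 0; i--) {                      /* last label first */
        if (pos + (pos ? 1 : 0) + lens[i] >= MAX_NAME) return -1;  /* keep room for NUL */
        if (pos) key[pos++] = '.';
        for (uint8_t j = 0; j < lens[i]; j++) key[pos++] = (char)tolower(labels[i][j]);
    }
    key[pos] = '\0';
    return (int)pos;
}

/* User-space key from a dotted name, walking labels from the right. Returns key length or -1. */
int key_from_string(const char *name, char key[MAX_NAME])
{
    size_t len = strlen(name);
    if (len && name[len - 1] == '.') len--;                 /* tolerate a trailing dot */
    if (len == 0 || len >= MAX_NAME) return -1;
    size_t pos = 0, end = len;
    for (;;) {
        size_t start = end;
        while (start > 0 && name[start - 1] != '.') start--;
        if (start == end) return -1;                        /* empty label, e.g. "a..b" */
        if (pos) key[pos++] = '.';
        for (size_t j = start; j < end; j++) key[pos++] = (char)tolower((unsigned char)name[j]);
        if (start == 0) break;
        end = start - 1;
    }
    key[pos] = '\0';
    return (int)pos;
}

/* Constructed DNS query (header, qname, QTYPE A, QCLASS IN) for testing. Returns length or 0. */
size_t build_query(uint8_t *buf, size_t cap, const char *name)
{
    size_t len = strlen(name), off = DNS_HDR_LEN, start = 0;
    if (len == 0 || cap < DNS_HDR_LEN + len + 6) return 0;
    memset(buf, 0, DNS_HDR_LEN);
    buf[0] = 0x12; buf[1] = 0x34; buf[2] = 0x01; buf[5] = 1;   /* ID, RD, QDCOUNT=1 */
    for (size_t i = 0; i <= len; i++) {
        if (i == len || name[i] == '.') {
            size_t l = i - start;
            if (l == 0 || l > 63) return 0;
            buf[off++] = (uint8_t)l;
            memcpy(buf + off, name + start, l);
            off += l;
            start = i + 1;
        }
    }
    buf[off++] = 0;                                         /* root label */
    buf[off++] = 0; buf[off++] = 1; buf[off++] = 0; buf[off++] = 1;
    return off;
}

int main(void)
{
    uint8_t q[128];
    char kw[MAX_NAME], ks[MAX_NAME];
    size_t n = build_query(q, sizeof q, "WWW.Example.COM");   /* constructed query */
    if (key_from_wire(q, n, kw) > 0 && key_from_string("www.example.com", ks) > 0)
        printf("wire key=%s  user key=%s  match=%d\n", kw, ks, strcmp(kw, ks) == 0);
    return 0;
}
```

The two key builders are deliberately separate routines, because that is the situation in an XDP deployment: the kernel side is restricted C with fixed bounds, the user side is ordinary code, and a change to one (case folding, label order, trailing dot) that is not mirrored in the other produces exactly the silent mismatch described in the commit, which is why the pair deserves a shared test.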
If XDP DNS is enabled and BPFire reboots, the XDP
DNS program should be attached and DNS queries
monitored after the reboot.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Add the xdpdns init script to load/unload the xdp_dns_denylist
program and run xdp_dns_log to log DNS queries to the system log.
rm log/configroot log/initscripts to build the image.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Compile and install the perf tool from the Linux
source for performance monitoring.
Change these settings before running perf:
echo -1 > /proc/sys/kernel/perf_event_paranoid
echo 0 > /proc/sys/kernel/kptr_restrict
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Add the missing serial Linux command so the
flash image can be converted to qcow2; the
bpfire qcow2 image can be deployed in a KVM
virtual environment through serial console
installation.
For example:
virsh define BPFire-VM.xml
virsh start BPFire-VM
virsh console BPFire-VM
We will have serial console access to the BPFire
VM and the installation will start.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
How to generate the logo format:
apt-get install netpbm
1. Convert PNG format to PPM format
pngtopnm bpfire-logo.png > bpfire-logo.ppm
2. Reduce the color count to 224
ppmquant 224 bpfire-logo.ppm > bpfire-logo-224.ppm
3. Convert PPM raw format to ASCII format
pnmnoraw bpfire-logo-224.ppm > bpfire-logo-ascii.ppm
cp bpfire-logo-ascii.ppm config/kernel/
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Whenever the kernel is compiled due to a kernel change,
lunatik needs to be recompiled too since
lunatik depends on the kernel.
Change the filter example Makefile to depend on the
current kernel build version.
diff --git a/examples/filter/Makefile b/examples/filter/Makefile
index f7eb0f6d..e30566a2 100644
--- a/examples/filter/Makefile
+++ b/examples/filter/Makefile
@@ -1,10 +1,12 @@
# SPDX-FileCopyrightText: (c) 2023-2024 Ring Zero Desenvolvimento de Software LTDA
# SPDX-License-Identifier: MIT OR GPL-2.0-only
+VMLINUX_BTF_PATH = /lib/modules/${shell uname -r}/build
+
all: vmlinux https.o
vmlinux:
- bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h
+ bpftool btf dump file $(VMLINUX_BTF_PATH)/vmlinux format c > vmlinux.h
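Review bot: `${shell uname -r}` pins the BTF path to the kernel running on the build host, not to the kernel the module is being built for, which is the same host-versus-target mismatch the chroot build described elsewhere on this page hits (host BTF against a 6.6.15-ipfire module); make the default overridable so the outer build can pass the target version, e.g. `VMLINUX_BTF_PATH ?= /lib/modules/$(shell uname -r)/build` and invoke with `make VMLINUX_BTF_PATH=/lib/modules/<target>/build`. Two smaller points in the same hunk: the next line already uses `$(VMLINUX_BTF_PATH)`, so `$(shell uname -r)` would keep one expansion style, and the `vmlinux` target writes `vmlinux.h`, so make never sees an up-to-date `vmlinux` and re-dumps BTF on every run; either name the target `vmlinux.h` or list it under `.PHONY`.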
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
upgrade kernel to recent stable release 6.10.11
1, scripts/kconfig/merge_config.sh does not work for 6.10.11
2, vmlinux BTF binary name changed in 6.10.11
3, remove rtl8812au for now since it has compiling error
4, remove 5.15 nfqueue patch since it does not apply cleanly
also see [0]
[0]: https://github.com/vincentmli/BPFire/issues/41
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Error when running lunatik, which loads the lunatik kernel modules:
[root@bpfire-2 lua]# lunatik run examples/filter/sni false
[root@bpfire-2 lua]# dmesg
[ 330.411665] lunatik: loading out-of-tree module taints kernel.
[ 330.411680] lunatik: module verification failed: signature and/or required key missing - tainting kernel
[ 330.433955] Kernel module BTF mismatch detected, BTF debug info may be unavailable for some modules
[ 330.767701] missing module BTF, cannot register kfuncs
The BPFire chroot build mounts /sys/kernel/btf/vmlinux, which is
the host binary vmlinux BTF, to build the lunatik kernel module against,
which results in the above error. Adjust the BPFire kernel build to save
the binary vmlinux BTF to the chroot at
/lib/modules/6.6.15-ipfire/build/vmlinux for the lunatik kernel module.
Create vmlinux.h from the same binary vmlinux BTF for the eBPF https.o.
The lunatik kernel module depends on the kernel build; adjust the lunatik
build accordingly when the kernel is upgraded in future.
See https://github.com/vincentmli/BPFire/issues/40
see https://github.com/luainkernel/lunatik/issues/189
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Using xdp-loader to load https.o results in the error below:
libbpf: loading kernel BTF '/sys/kernel/btf/vmlinux': 0
libbpf: extern (func ksym) 'bpf_luaxdp_run': not found in kernel or module BTFs
libbpf: failed to load object '/usr/lib/bpf/https.o'
libxdp: Failed to load program filter_https: Invalid argument
Couldn't attach XDP program on iface 'green0': Invalid argument(-22)
xdp-tools/xdp-loader is built statically with libbpf 1.2;
it should not be an xdp-loader libbpf issue.
Still, try upgrading the BPFire libbpf to 1.3.0 for testing.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
The lunatik kernel modules require the kernel to be built first
so /lib/modules is available for lunatik.
lunatik also requires resolve_btfids under:
/lib/modules/$(VER)-$(VERSUFIX)/build/tools/bpf/resolve_btfids/
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
When adding the loxilb development tree, loxilb requires go >= 1.23.0:
ranlib libloxilbdp.a
make[3]: Leaving directory '/usr/src/loxilb-0.9.x/loxilb-ebpf/kernel'
make[2]: Leaving directory '/usr/src/loxilb-0.9.x/loxilb-ebpf'
go: go.mod requires go >= 1.23.0 (running go 1.22.0)
make[1]: *** [Makefile:14: build] Error 1
make[1]: Leaving directory '/usr/src/loxilb-0.9.x'
make: *** [loxilb:76: /usr/src/log/loxilb-0.9.x] Error 2
After upgrading golang to 1.23.0, the loxilb development tree results in the error:
make[2]: Leaving directory '/usr/src/loxilb-0.9.x/loxilb-ebpf'
# runtime
/usr/lib/go/src/runtime/mbitmap_noallocheaders.go:53:2: mallocHeaderSize redeclared in this block
/usr/lib/go/src/runtime/mbitmap.go:71:2: other declaration of mallocHeaderSize
/usr/lib/go/src/runtime/mbitmap_noallocheaders.go:54:2: minSizeForMallocHeader redeclared in this block
The workaround is to remove the build/usr/lib/go directory, then
rm log/go-1.23.0 and ./make.sh build to re-add go 1.23.0.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>