Vincent Li 90a4a51a0e initscripts: sync functions from ipfire
readhash is added in functions, but it appears not to be used
in initscripts except for testing; assume no impact on
bpfire initscripts.

commit 1c1ff05cdc37fe9ccabda9413c270935c3a45478
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Mar 31 16:35:26 2025 +0200

    firewall: Explicitly don't NAT any aliases

    It seems that there is a problem with local connections that have
    preselected an outgoing interface. That will work just fine, but
    ultimately the packet will be NATed back to the primary RED IP address.
    To prevent this, we are adding some extra rules that skip the MASQUERADE
    target.

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit ff4ff2cfe0c8565a431bf499708dcb6e5c2fb3dc
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Dec 6 16:42:17 2024 +0000

    initscripts: readhash: Fix handling = signs

    The function expected that a line only contains exactly one equals sign
    (=) which is not fit for purpose. In the WireGuard code we hold key
    material that is encoded in base64 and therefore contains padding that
    uses =.

    This patch fixes that we expect exactly one equals sign immediately
    after the key and we will then accept more = in the value - which was
    already permitted.

    Furthermore, this patch fixes the splitting of the key and value at the
    first =.

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

commit 73661e5ee1acc30e40e41493c8dfca10aa1097d0
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Dec 6 16:42:16 2024 +0000

    initscripts: readhash: Only strip quotes if they exist

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

commit 80c1cb5a0a
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date:   Sun Jun 16 18:02:44 2024 +0200

    initscripts fkt: Fix shebang

    We use features only available in bash. So we should state correctly
    that the script should be executed in bash. As sh is a symlink to bash
    this makes no difference on an IPFire system. But my linter is less
    chatty with this change.

    Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 14ecdd86f1
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date:   Sun Jun 16 18:02:43 2024 +0200

    initscripts fkt: keep readhash compatible with older implementation

    With the use of eval BLUE_DEV='blue0 net0' stored "blue0 net0" in the
    variable BLUE_DEV not "'blue0 net0'"

    Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit f1d94e7457
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date:   Sun Jun 16 18:02:42 2024 +0200

    initscripts fkt: readhash should only parse lines with a =

    A line without a = is clearly invalid.

    Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 9f72b7bc5f
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date:   Sun Jun 16 18:02:41 2024 +0200

    initscripts fkt: Check for invalid values in readhash

    Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 02254f5543
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date:   Sun Jun 16 18:02:40 2024 +0200

    initscripts fkt: ignore invalid keys in readhash

    Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit d289bc28be
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date:   Sun Jun 16 18:02:39 2024 +0200

    initscripts fkt: Ignore comments in readhash

    As '#Another Comment' is a valid key we test this change by checking if
    the comments do not end up as keys in our array.

    Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 59e3c2a217
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date:   Sun Jun 16 18:02:38 2024 +0200

    initscript fkt: ignore blank lines in readhash

    Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 96bb3ba8b8
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date:   Sun Jun 16 18:02:37 2024 +0200

    initscript functions: add readhash

    To avoid the usage of eval and to store the config in a key-value
    array, we introduce a new function. The tests only check if we
    read the correct value to the correct variable.

    One comment on the implementation as this has created some headache:

    From https://www.gnu.org/software/bash/manual/bash.html#Bourne-Shell-Builtins

            "When used in a function, declare makes each name local, as with the local command, unless the -g option is used."

    So we need to use -g here

    Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit db09ea9e5c
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Sat Mar 23 14:35:39 2024 +0100

    initscripts: Don't overwrite the PID file

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 5900a95059
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Sat Mar 23 14:31:49 2024 +0100

    initscripts: Fix reading PIDs

    An incorrect variable has been used.

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 6e47a143c9
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Sat Mar 23 14:30:33 2024 +0100

    initscripts: Handle command arguments as array

    For some reason, the function is refusing to launch a command that has
    extra arguments.

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit ed91103e22
Author: Stefan Schantl <stefan.schantl@ipfire.org>
Date:   Wed Mar 27 20:39:17 2024 +0100

    initscripts: Add generic function to get the filesystem type of a volume

    Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
    Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

commit c3019331df
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Thu Jan 11 15:59:34 2024 +0100

    initscripts: Implement storing PIDs in loadproc

    Some programs do not write their own PID files any more, but since our
    initscripts heavily rely on those, this extension allows us to store it
    easily.

    Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>

commit dd8ef8cc10
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Thu Jan 11 15:57:50 2024 +0100

    initscripts: Fix wrong variable check for $PIDFILE in getpids

    getpids() checked whether it needed to pass a pid file to pidofproc, but
    the check was inverted.

    Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
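
The readhash commits listed above describe reading KEY=VALUE settings into an associative array without eval: skip blank lines, comments and malformed lines, split at the first =, and strip quotes only when they are present. The following bash sketch shows those behaviours as an added example; it is not the IPFire or BPFire code, and the function name readhash_demo, the key and value validation rules and the sample file are assumptions.

```shell
#!/bin/bash
# Added example, not the IPFire/BPFire code: eval-free KEY=VALUE parsing.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"  # associative arrays need bash

# readhash_demo ARRAY FILE (hypothetical name; validation rules are assumptions)
readhash_demo() {
    local array="$1" file="$2" line key val
    local re_skip='^[[:space:]]*(#.*)?$'           # blank line or comment
    local re_kv='^([A-Za-z_][A-Za-z0-9_]*)=(.*)$'  # key directly followed by "="
    local re_sq="^'(.*)'\$" re_dq='^"(.*)"$'       # value in a matching quote pair

    [[ "${array}" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || return 2
    declare -A -g "${array}"   # without -g the array would be local to the function
    [ -r "${file}" ] || return 1

    while IFS= read -r line || [ -n "${line}" ]; do
        [[ "${line}" =~ ${re_skip} ]] && continue
        # The key class excludes "=", so the split is at the first "=" and any
        # later "=" (base64 padding) stays in the value.
        [[ "${line}" =~ ${re_kv} ]] || continue
        key="${BASH_REMATCH[1]}" val="${BASH_REMATCH[2]}"
        # Strip quotes only when both the opening and closing quote exist.
        if [[ "${val}" =~ ${re_sq} || "${val}" =~ ${re_dq} ]]; then
            val="${BASH_REMATCH[1]}"
        fi
        # Assumed rule: skip values that contain control characters.
        [[ "${val}" == *[[:cntrl:]]* ]] && continue
        # Stored as data; the value never reaches the shell parser.
        printf -v "${array}[${key}]" '%s' "${val}"
    done < "${file}"
    return 0
}

# Constructed sample settings file.
demo_file="$(mktemp)"
cat > "${demo_file}" <<'EOF'
# Comment
#Another Comment

GREEN_DEV=green0
BLUE_DEV='blue0 net0'
PRIVATE_KEY=QUJDREVGRw==
HALF_QUOTED='abc
NOTE=$(hostname)
BAD KEY=1
NOEQUALS
EOF
readhash_demo CFG "${demo_file}"; rm -f "${demo_file}"
for k in "${!CFG[@]}"; do printf '%s -> %s\n' "${k}" "${CFG[$k]}"; done
```

The NOTE entry is kept as the literal text `$(hostname)`, whereas sourcing or eval-ing the same file would run the command.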

BPFire - eBPF Network Firewall OS

What is BPFire?

BPFire is a fork of IPFire 2.x, a hardened, versatile, state-of-the-art open-source firewall based on Linux. BPFire aims to bring revolutionary eBPF technology to non-technical users, making it usable by home users and organizations of any size to secure their network environments. Currently supported eBPF network application features:

  1. XDP DDoS protection; see "XDP SYNPROXY stops 10G DDoS SYN flood"
  2. XDP UDP DDoS online game protection
  3. XDP DNS domain blocklist and rate-limit protection
  4. XDP SSL/TLS Server Name Indication (SNI) blocklist
  5. XDP GeoIP/country blocklist
  6. XDP multi-attachment and capture mode for the Suricata intrusion detection system in IPS mode
  7. eBPF-based LoxiLB load balancer, firewall and proxy; see LoxiLB for the full feature list

Where can I get support?

Open a GitHub issue or ask on Discord.

Where can I get the BPFire installation ISO or the LoongFire flash image?

Download site for users in mainland China:

bpfire

loongfire

Other download site:

bpfire.net

What computer hardware does BPFire support?

BPFire supports commodity computer hardware, small or large, old or new, cheap or expensive.

For example:

X86 mini PC

LoongArch mini PC

How do I install BPFire?

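Flash the ISO to a USB drive on a Linux machine; /dev/sdc is your USB thumb drive. dd overwrites the target device without asking for confirmation, so check the device name before running it.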

dd if=bpfire-2.29-core184-x86_64.iso of=/dev/sdc status=progress

BPFire installation on mini industrial PC:


BPFire SYNPROXY throughput with and without XDP acceleration under 10Gbit DDoS SYN flood:

Throughput performance

BPFire WebUI screenshot:

English:

Chinese:

Does BPFire run in a hypervisor virtual environment?

Yes. We have tested it on the Linux KVM hypervisor, Proxmox and Microsoft Hyper-V; it should support VirtualBox and VMware as well.

Microsoft Hyper-V screenshot:

How to build BPFire?

Build environment setup: https://www.ipfire.org/docs/devel/ipfire-2-x/build-initial

(The first build of the image takes a few hours, depending on the power of the build machine.)

For example, on Ubuntu 22.04 LTS:

apt install git-core g++ manpages-pl patch byacc make autoconf automake libltdl-dev

git clone https://github.com/vincentmli/bpfire.git

cd bpfire

wget --mirror --convert-links --adjust-extension --page-requisites --no-parent --cut-dirs=2 -nH --reject "index.html*" --reject "*.gif" https://www.bpfire.net/download/bpfire/cache/

./make.sh build

How do I support BPFire development?

Join, or donate to BPFire via PayPal.
