From 0cd0d5a65e29f992dd132b9e98de6f16cd551a8f Mon Sep 17 00:00:00 2001 From: r-caamano Date: Wed, 7 Aug 2024 19:58:13 +0000 Subject: [PATCH 1/7] modified ci workflow to only trigger on push to branches other than main --- .github/workflows/ci.yml | 7 +++++-- CHANGELOG.md | 4 ++++ src/zfw.c | 2 +- src/zfw_monitor.c | 2 +- 4 files changed, 11 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5734d9e..f280b70 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,8 +1,11 @@ --- name: release -on: [push] - +on: + push: + branches: + - '*' + - '!main' env: APP_NAME: 'zfw' diff --git a/CHANGELOG.md b/CHANGELOG.md index c8b90be..159bf00 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file. The format --- ### +# [0.8.12] - 2024-08-07 +- Change ci workflow display name and to trigger on puch to branches other than main. +- +### # [0.8.11] - 2024-08-03 - Edit Readme updated ```zfw -L -E ``` outputs diff --git a/src/zfw.c b/src/zfw.c index a751e4f..7d371cb 100644 --- a/src/zfw.c +++ b/src/zfw.c @@ -236,7 +236,7 @@ char *direction_string; char *masq_interface; char check_alt[IF_NAMESIZE]; -const char *argp_program_version = "0.8.11"; +const char *argp_program_version = "0.8.12"; struct ring_buffer *ring_buffer; __u32 if_list[MAX_IF_LIST_ENTRIES]; diff --git a/src/zfw_monitor.c b/src/zfw_monitor.c index 627599c..4ce59e7 100644 --- a/src/zfw_monitor.c +++ b/src/zfw_monitor.c @@ -78,7 +78,7 @@ char check_alt[IF_NAMESIZE]; char doc[] = "zfw_monitor -- ebpf firewall monitor tool"; const char *rb_map_path = "/sys/fs/bpf/tc/globals/rb_map"; const char *tproxy_map_path = "/sys/fs/bpf/tc/globals/zt_tproxy_map"; -const char *argp_program_version = "0.8.11"; +const char *argp_program_version = "0.8.12"; union bpf_attr rb_map; int rb_fd = -1; From ef0587f60fe979fc674124cf6d899c43735c6bba Mon Sep 17 00:00:00 2001 
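Review bot: The `branches` filter added to the `push` trigger uses `'*'`, which in GitHub Actions filter glob syntax does not match `/`, so pushes to branches such as `feature/x` or `release/0.8` will not start this workflow at all; the pattern that means "every branch except main" is `- '**'` followed by `- '!main'`. The hunk also widens a workflow still named `release` to every non-main branch push (it is renamed later in this series) — if jobs further down this file publish artifacts or use repository secrets, that now happens for any pushed branch, which is worth confirming since the rest of the workflow is outside this hunk.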
From: r-caamano Date: Fri, 9 Aug 2024 14:41:29 +0000 Subject: [PATCH 2/7] Changed display name of ci.yml to ci from release --- .github/workflows/ci.yml | 2 +- CHANGELOG.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f280b70..e829cb6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,5 +1,5 @@ --- -name: release +name: ci on: push: diff --git a/CHANGELOG.md b/CHANGELOG.md index 159bf00..0e60bb3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,7 @@ All notable changes to this project will be documented in this file. The format ### # [0.8.12] - 2024-08-07 - Change ci workflow display name and to trigger on puch to branches other than main. -- + ### # [0.8.11] - 2024-08-03 From 25e15a0107d11128a542007f677bb6338cc5c8e7 Mon Sep 17 00:00:00 2001 From: r-caamano Date: Fri, 9 Aug 2024 21:12:20 +0000 Subject: [PATCH 3/7] Refactored for ziti-controller running as ziti --- CHANGELOG.md | 1 + files/scripts/revert_ebpf_controller.py | 18 +++++++++--------- files/scripts/start_ebpf_controller.py | 23 +++++++++++++---------- src/install.sh | 1 + 4 files changed, 24 insertions(+), 19 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0e60bb3..e3065e2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ All notable changes to this project will be documented in this file. The format ### # [0.8.12] - 2024-08-07 - Change ci workflow display name and to trigger on puch to branches other than main. +- Refactored install.sh, start_ebpf_controller.py and revert_ebpf_controller.py to work with controller not running as root. ### # [0.8.11] - 2024-08-03 diff --git a/files/scripts/revert_ebpf_controller.py b/files/scripts/revert_ebpf_controller.py index ce96b41..82e38f9 100755 --- a/files/scripts/revert_ebpf_controller.py +++ b/files/scripts/revert_ebpf_controller.py 
@@ -100,28 +100,28 @@ def iterate_rules(intf): print("Malformed or missing json object in /opt/openziti/etc/ebpf_config.json can't revert ufw!") service = False -if(os.path.exists('/etc/systemd/system/ziti-controller.service')): - unconfigured = os.system("grep -r 'ExecStartPre\=\-\/opt/openziti\/bin\/start_ebpf_controller.py' /etc/systemd/system/ziti-controller.service") +if(os.path.exists('/etc/systemd/system/zfw-logging.service')): + unconfigured = os.system("grep -r 'ExecStartPre\=\-\/opt/openziti\/bin\/start_ebpf_controller.py' /etc/systemd/system/zfw-logging.service") if(not unconfigured): - os.system("sed -i 's/#ExecStartPre\=\-\/opt\/netfoundry\/ebpf\/objects\/etables \-F \-r/ExecStartPre\=-\/opt\/netfoundry\/ebpf\/objects\/etables \-F \-r/g' /etc/systemd/system/ziti-controller.service") - os.system("sed -i 's/#ExecStartPre\=\-\/opt\/netfoundry\/ebpf\/scripts\/tproxy_splicer_startup.sh/ExecStartPre\=\-\/opt\/netfoundry\/ebpf\/scripts\/tproxy_splicer_startup.sh/g' /etc/systemd/system/ziti-controller.service") - test1 = os.system("sed -i '/ExecStartPre\=\-\/opt\/openziti\/bin\/start_ebpf_controller.py/d' /etc/systemd/system/ziti-controller.service") + test1 = os.system("sed -i '/ExecStartPre\=\-\/opt\/openziti\/bin\/start_ebpf_controller.py/d' /etc/systemd/system/zfw-logging.service") if(not test1): test1 = os.system("systemctl daemon-reload") if(not test1): service = True + test1 = os.system("systemctl disable zfw-logging.service") + test1 = os.system("systemctl disable fw-init.service") os.system("/opt/openziti/bin/zfw -Q") if(os.path.exists("/opt/openziti/etc/ebpf_config.json")): os.remove("/opt/openziti/etc/ebpf_config.json") if(os.path.exists("/opt/openziti/bin/user/user_rules.sh")): os.remove("/opt/openziti/bin/user/user_rules.sh") - print("Successfully reverted ziti-controller.service!") + print("Successfully reverted ziti-logging.service!") else: - print("Failed to revert ziti-controller.service!") + print("Failed to revert zfw-logging.service!") 
else: - print("ziti-controller.service already reverted. Nothing to do!") + print("zfw-logging.service already reverted. Nothing to do!") else: - print("Skipping ziti-controller.service reversal. File does not exist!") + print("Skipping zfw-logging.service reversal. File does not exist!") if service: print("config.yml successfully reverted. restarting ziti-controller.service") diff --git a/files/scripts/start_ebpf_controller.py b/files/scripts/start_ebpf_controller.py index 9dd7235..c66ae08 100755 --- a/files/scripts/start_ebpf_controller.py +++ b/files/scripts/start_ebpf_controller.py @@ -432,7 +432,7 @@ def set_local_rules(ip): os.system("/opt/openziti/bin/user/user_rules.sh") else: print("ebpf already running!"); - os.system("/usr/sbin/zfw -F -z ingress") + os.system("/usr/sbin/zfw -F -r") print("Flushed Table") for i in internal_list: if(not tc_status(i, "ingress")): 
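Review bot: The success message on the new side of this hunk names the wrong unit — `print("Successfully reverted ziti-logging.service!")` should read `print("Successfully reverted zfw-logging.service!")`, matching the file the script actually edits and the failure/skip messages beside it. The two added `systemctl disable` calls each overwrite `test1` without the result ever being read, so a failed disable is silently ignored; `test1 = os.system("systemctl disable zfw-logging.service") or os.system("systemctl disable fw-init.service")` keeps the existing `if(not test1)` convention meaningful. The indentation of the context lines is not recoverable here, so whether the disables sit inside the `service = True` branch is inferred, and this run of top-level statements continues past the hunk (`if service:` is its last visible line).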
@@ -477,17 +477,20 @@ def set_local_rules(ip): lanIp = get_if_ip(lanIf) if(len(lanIp)): set_local_rules(lanIp) -if(os.path.exists('/etc/systemd/system/ziti-controller.service') and controller): - unconfigured = os.system("grep -r 'ExecStartPre\=\-\/opt/openziti\/bin\/start_ebpf_controller.py' /etc/systemd/system/ziti-controller.service") +if(os.path.exists('/etc/systemd/system/zfw-logging.service') and controller): + unconfigured = os.system("grep -r 'ExecStartPre\=\-\/opt/openziti\/bin\/start_ebpf_controller.py' /etc/systemd/system/zfw-logging.service") if(unconfigured): - test0 = 1 - test0 = os.system("sed -i 's/User\=ziti/User\=root/g' /etc/systemd/system/ziti-controller.service") test1 = 1 - test1 = os.system("sed -i '/ExecStart=/i ExecStartPre\=\-\/opt\/openziti\/bin\/start_ebpf_controller.py --lanIf " + lanIf + "' /etc/systemd/system/ziti-controller.service") - if((not test0) and (not test1)): + test1 = os.system("sed -i '/ExecStart=/i ExecStartPre\=\-\/opt\/openziti\/bin\/start_ebpf_controller.py --lanIf " + lanIf + "' /etc/systemd/system/zfw-logging.service") + test1 = os.system("sed -i 's/ziti-router/ziti-controller/g' /etc/systemd/system/zfw-logging.service") + test1 = os.system("sed -i 's/ziti-router/ziti-controller/g' /etc/systemd/system/fw-init.service") + + if(not test1): test1 = os.system("systemctl daemon-reload") if(not test1): - print("Successfully converted ziti-controller.service. Restarting!") + print("Successfully converted zfw-logging.service. Restarting!") + os.system('systemctl enable zfw-logging.service') + os.system('systemctl enable fw-init.service') os.system('systemctl restart ziti-controller.service') if(not os.system('systemctl is-active --quiet ziti-controller.service')): print("ziti-controller.service successfully restarted!") 
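Review bot: The return codes of the first two `sed -i` calls in the new block are discarded, because `test1` is reassigned by each `os.system` and only the final edit of fw-init.service is checked before `systemctl daemon-reload`, so a failure to insert the `ExecStartPre=` line into zfw-logging.service (the very line the idempotency `grep` above keys on) would still be followed by enable and restart; the `test1 = 1` initializer is dead for the same reason. Chaining in the file's own style fixes it: `test1 = test1 or os.system("sed -i 's/ziti-router/ziti-controller/g' /etc/systemd/system/zfw-logging.service")` and `test1 = test1 or os.system("sed -i 's/ziti-router/ziti-controller/g' /etc/systemd/system/fw-init.service")`, so a non-zero status from any of the three blocks the reload. `lanIf` is spliced unquoted into a shell command line and into a sed script that rewrites a systemd unit file; it appears to come from the `--lanIf` argument, and unless it is validated against the interfaces in `/sys/class/net` before this point, a value containing `/`, `&` or shell metacharacters would corrupt the unit or the command — worth confirming. The `if(...)` block this hunk changes continues in the following hunk.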
@@ -496,7 +499,7 @@ def set_local_rules(ip): else: print("Failed to convert ziti-controller.service!") else: - print("ziti-controller.service already converted. Nothing to do!") + print("zfw-logging.service already converted. Nothing to do!") else: - print("Skipping ziti-controller.service conversion. File does not exist or is already converted to run ebpf!") + print("Skipping zfw-logging.service conversion. File does not exist or is already converted to run ebpf!") sys.exit(0) diff --git a/src/install.sh b/src/install.sh index d98f530..d7b6c1f 100755 --- a/src/install.sh +++ b/src/install.sh @@ -105,6 +105,7 @@ then cp ../files/scripts/user_rules.sh.sample /opt/openziti/bin/user cp ../files/json/ebpf_config.json.sample /opt/openziti/etc cp ../files/services/zfw-logging.service /etc/systemd/system + cp ../files/services/fw-init.service /etc/systemd/system chmod 744 /opt/openziti/bin/start_ebpf_controller.py chmod 744 /opt/openziti/bin/user/user_rules.sh.sample chmod 744 /opt/openziti/bin/zfw From 8e09b77e21193044c346e97bf21d60b61bb33dde Mon Sep 17 00:00:00 2001 From: r-caamano Date: Fri, 9 Aug 2024 21:44:19 +0000 Subject: [PATCH 4/7] changed sed statement for controller fw-init.service --- files/scripts/start_ebpf_controller.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/scripts/start_ebpf_controller.py b/files/scripts/start_ebpf_controller.py index c66ae08..d26795d 100755 --- a/files/scripts/start_ebpf_controller.py +++ b/files/scripts/start_ebpf_controller.py 
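Review bot: The new `cp ../files/services/fw-init.service /etc/systemd/system` line sets no explicit mode or owner, unlike the `chmod 744` lines that follow for the other installed files, so the unit keeps whatever mode the checkout gives it (masked by umask). Because systemd runs the `ExecStart`/`ExecStartPre` commands of that unit, a unit file left group- or world-writable is a local privilege-escalation path; `install -m 0644 -o root -g root ../files/services/fw-init.service /etc/systemd/system/fw-init.service` pins both, and the zfw-logging.service copy on the context line above has the same gap. The enclosing `if ... then` block starts before this hunk.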
@@ -483,7 +483,7 @@ def set_local_rules(ip): test1 = 1 test1 = os.system("sed -i '/ExecStart=/i ExecStartPre\=\-\/opt\/openziti\/bin\/start_ebpf_controller.py --lanIf " + lanIf + "' /etc/systemd/system/zfw-logging.service") test1 = os.system("sed -i 's/ziti-router/ziti-controller/g' /etc/systemd/system/zfw-logging.service") - test1 = os.system("sed -i 's/ziti-router/ziti-controller/g' /etc/systemd/system/fw-init.service") + test1 = os.system("sed -i 's/_router/_controller/g' /etc/systemd/system/fw-init.service") if(not test1): test1 = os.system("systemctl daemon-reload") From a07f381377178aaa0b87479115c29279c5881b70 Mon Sep 17 00:00:00 2001 From: r-caamano Date: Sat, 10 Aug 2024 01:33:27 +0000 Subject: [PATCH 5/7] removed change to zfw -F sys call in start_ebpf_controller.py --- files/scripts/start_ebpf_controller.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/scripts/start_ebpf_controller.py b/files/scripts/start_ebpf_controller.py index d26795d..ae8c124 100755 --- a/files/scripts/start_ebpf_controller.py +++ b/files/scripts/start_ebpf_controller.py @@ -432,7 +432,7 @@ def set_local_rules(ip): os.system("/opt/openziti/bin/user/user_rules.sh") else: print("ebpf already running!"); - os.system("/usr/sbin/zfw -F -r") + os.system("/usr/sbin/zfw -F -z ingress") print("Flushed Table") for i in internal_list: if(not tc_status(i, "ingress")): From 5308ff270bd86b72d5dbb4b9faf0728e50f4805f Mon Sep 17 00:00:00 2001 From: r-caamano Date: Sat, 10 Aug 2024 12:47:20 +0000 Subject: [PATCH 6/7] Fixed syntax in CHANGELOG --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e3065e2..d8583ef 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -5,7 +5,7 @@ All notable changes to this project will be documented in this file. The format --- ### # [0.8.12] - 2024-08-07 -- Change ci workflow display name and to trigger on puch to branches other than main. +- Change ci workflow display name and to trigger on push to branches other than main. - Refactored install.sh, start_ebpf_controller.py and revert_ebpf_controller.py to work with controller not running as root. ### From 934e0d61e7541992dc4eba7ce3db86bcefd8231e Mon Sep 17 00:00:00 2001 From: r-caamano Date: Sat, 10 Aug 2024 13:16:49 +0000 Subject: [PATCH 7/7] Fixed issue where fw-init.service was not properly converted to work with start_ebpf_controller.py --- files/scripts/start_ebpf_controller.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/scripts/start_ebpf_controller.py b/files/scripts/start_ebpf_controller.py index ae8c124..55a67e1 100755 --- a/files/scripts/start_ebpf_controller.py +++ b/files/scripts/start_ebpf_controller.py @@ -483,7 +483,7 @@ def set_local_rules(ip): test1 = 1 test1 = os.system("sed -i '/ExecStart=/i ExecStartPre\=\-\/opt\/openziti\/bin\/start_ebpf_controller.py --lanIf " + lanIf + "' /etc/systemd/system/zfw-logging.service") test1 = os.system("sed -i 's/ziti-router/ziti-controller/g' /etc/systemd/system/zfw-logging.service") - test1 = os.system("sed -i 's/_router/_controller/g' /etc/systemd/system/fw-init.service") + test1 = os.system("sed -i 's/_router.py/_controller.py --lanIf " + lanIf + "/g' /etc/systemd/system/fw-init.service") if(not test1): test1 = os.system("systemctl daemon-reload")
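Review bot: `if(not test1)` cannot tell whether the `_router.py` → `_controller.py --lanIf ...` rewrite of fw-init.service actually happened, because `sed -i` exits 0 when the pattern is absent exactly as it does after a successful substitution, so a unit that was already converted or ships a different ExecStart line passes silently and the script proceeds to daemon-reload, enable and restart. A follow-up check such as `test1 = os.system("grep -q 'start_ebpf_controller.py --lanIf' /etc/systemd/system/fw-init.service")` makes the guard real. Note also that `lanIf` now lands inside the sed replacement text, where `/`, `&` and `\` are special, on top of being unquoted on the shell command line, so validating it as an existing interface name (or escaping it) before this point is advisable if that is not already done earlier in the script. The surrounding if-block starts before and ends after this hunk.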