Skip to content

Commit

Permalink
Merge pull request #69 from netfoundry/v0.8.13-release-candidate
Browse files Browse the repository at this point in the history 
V0.8.13 release candidate
  • Loading branch information
@r-caamano
r-caamano committed Aug 16, 2024
2 parents 3b4018d + 182bdf9 commit 3c269dc
Show file tree
Hide file tree
Showing 9 changed files with 866 additions and 33 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/ci.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ jobs:
cd ../../
clang -D BPF_MAX_ENTRIES=100000 -g -O2 -Wall -Wextra -target bpf -c -o files/bin/zfw_tc_ingress.o src/zfw_tc_ingress.c
clang -g -O2 -Wall -Wextra -target bpf -c -o files/bin/zfw_xdp_tun_ingress.o src/zfw_xdp_tun_ingress.c
clang -g -O2 -Wall -Wextra -target bpf -c -o files/bin/zfw_tc_outbound_track.o src/zfw_tc_outbound_track.c
clang -D BPF_MAX_ENTRIES=100000 -g -O2 -Wall -Wextra -target bpf -c -o files/bin/zfw_tc_outbound_track.o src/zfw_tc_outbound_track.c
clang -g -O2 -Wall -D BPF_MAX_ENTRIES=100000 -O1 src/zfw.c -L ../../libbpf/src/root/usr/lib64/ -lbpf -lelf -lz -o files/bin/zfw -static
clang -g -O2 -Wall -O1 src/zfw_monitor.c -L ../../libbpf/src/root/usr/lib64/ -lbpf -lelf -lz -o files/bin/zfw_monitor -static
gcc -o files/bin/zfw_tunnwrapper src/zfw_tunnel_wrapper.c -l json-c
Expand Down Expand Up @@ -164,7 +164,7 @@ jobs:
cd ../../
clang -D BPF_MAX_ENTRIES=100000 -g -O2 -Wall -I /usr/include/aarch64-linux-gnu/ -Wextra -target bpf -c -o files/bin/zfw_tc_ingress.o src/zfw_tc_ingress.c
clang -g -O2 -Wall -I /usr/include/aarch64-linux-gnu/ -Wextra -target bpf -c -o files/bin/zfw_xdp_tun_ingress.o src/zfw_xdp_tun_ingress.c
clang -g -O2 -Wall -I /usr/include/aarch64-linux-gnu/ -Wextra -target bpf -c -o files/bin/zfw_tc_outbound_track.o src/zfw_tc_outbound_track.c
clang -D BPF_MAX_ENTRIES=100000 -g -O2 -Wall -I /usr/include/aarch64-linux-gnu/ -Wextra -target bpf -c -o files/bin/zfw_tc_outbound_track.o src/zfw_tc_outbound_track.c
clang -g -O2 -Wall -I /usr/include/aarch64-linux-gnu/ -D BPF_MAX_ENTRIES=100000 -O1 src/zfw.c -L ../../libbpf/src/root/usr/lib64/ -lbpf -lelf -lz -o files/bin/zfw -static
clang -g -O2 -Wall -I /usr/include/aarch64-linux-gnu/ -O1 src/zfw_monitor.c -L ../../libbpf/src/root/usr/lib64/ -lbpf -lelf -lz -o files/bin/zfw_monitor -static
gcc -o files/bin/zfw_tunnwrapper src/zfw_tunnel_wrapper.c -l json-c
Expand Down
343 changes: 343 additions & 0 deletions .github/workflows/pr.yml
View file

Large diffs are not rendered by default.

4 changes: 2 additions & 2 deletions .github/workflows/release.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ jobs:
cd ../../
clang -D BPF_MAX_ENTRIES=100000 -g -O2 -Wall -Wextra -target bpf -c -o files/bin/zfw_tc_ingress.o src/zfw_tc_ingress.c
clang -g -O2 -Wall -Wextra -target bpf -c -o files/bin/zfw_xdp_tun_ingress.o src/zfw_xdp_tun_ingress.c
clang -g -O2 -Wall -Wextra -target bpf -c -o files/bin/zfw_tc_outbound_track.o src/zfw_tc_outbound_track.c
clang -D BPF_MAX_ENTRIES=100000 -g -O2 -Wall -Wextra -target bpf -c -o files/bin/zfw_tc_outbound_track.o src/zfw_tc_outbound_track.c
clang -g -O2 -Wall -D BPF_MAX_ENTRIES=100000 -O1 src/zfw.c -L ../../libbpf/src/root/usr/lib64/ -lbpf -lelf -lz -o files/bin/zfw -static
clang -g -O2 -Wall -O1 src/zfw_monitor.c -L ../../libbpf/src/root/usr/lib64/ -lbpf -lelf -lz -o files/bin/zfw_monitor -static
gcc -o files/bin/zfw_tunnwrapper src/zfw_tunnel_wrapper.c -l json-c
Expand Down Expand Up @@ -162,7 +162,7 @@ jobs:
cd ../../
clang -D BPF_MAX_ENTRIES=100000 -g -O2 -Wall -I /usr/include/aarch64-linux-gnu/ -Wextra -target bpf -c -o files/bin/zfw_tc_ingress.o src/zfw_tc_ingress.c
clang -g -O2 -Wall -I /usr/include/aarch64-linux-gnu/ -Wextra -target bpf -c -o files/bin/zfw_xdp_tun_ingress.o src/zfw_xdp_tun_ingress.c
clang -g -O2 -Wall -I /usr/include/aarch64-linux-gnu/ -Wextra -target bpf -c -o files/bin/zfw_tc_outbound_track.o src/zfw_tc_outbound_track.c
clang -D BPF_MAX_ENTRIES=100000 -g -O2 -Wall -I /usr/include/aarch64-linux-gnu/ -Wextra -target bpf -c -o files/bin/zfw_tc_outbound_track.o src/zfw_tc_outbound_track.c
clang -g -O2 -Wall -I /usr/include/aarch64-linux-gnu/ -D BPF_MAX_ENTRIES=100000 -O1 src/zfw.c -L ../../libbpf/src/root/usr/lib64/ -lbpf -lelf -lz -o files/bin/zfw -static
clang -g -O2 -Wall -I /usr/include/aarch64-linux-gnu/ -O1 src/zfw_monitor.c -L ../../libbpf/src/root/usr/lib64/ -lbpf -lelf -lz -o files/bin/zfw_monitor -static
gcc -o files/bin/zfw_tunnwrapper src/zfw_tunnel_wrapper.c -l json-c
Expand Down
8 changes: 8 additions & 0 deletions CHANGELOG.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,14 @@
All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

---
###
# [0.8.13] - 2024-08-12
- Added Outbound tracking for IPv4 and IPv6 ICMP Echo
- Added Masquerade for passthrough icmp echos.
- Fixed an issue where both the packages and Makefile were limiting egress rule entries to 100 instead of 100000.
- Fixed issue where incorrect count check was being performed on insert for ipv6 rules to verify if they had reached
BPF_MAX_ENTRIES.

###
# [0.8.12] - 2024-08-07
- Change ci workflow display name and to trigger on push to branches other than main.
Expand Down
4 changes: 2 additions & 2 deletions src/Makefile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -30,9 +30,9 @@ else
endif
zfw_tc_outbound_track.o: zfw_tc_outbound_track.c
ifeq ($(uname_m),aarch64)
$(CC) -g -O2 -Wall -Wextra -target bpf -c -o zfw_tc_outbound_track.o zfw_tc_outbound_track.c $(CFLAGS)
$(CC) -D BPF_MAX_ENTRIES=100000 -g -O2 -Wall -Wextra -target bpf -c -o zfw_tc_outbound_track.o zfw_tc_outbound_track.c $(CFLAGS)
else
$(CC) -g -O2 -Wall -Wextra -target bpf -c -o zfw_tc_outbound_track.o zfw_tc_outbound_track.c
$(CC) -D BPF_MAX_ENTRIES=100000 -g -O2 -Wall -Wextra -target bpf -c -o zfw_tc_outbound_track.o zfw_tc_outbound_track.c
endif
zfw_tunnwrapper: zfw_tunnel_wrapper.c
$(CC) -o zfw_tunnwrapper zfw_tunnel_wrapper.c -l json-c
Expand Down
79 changes: 72 additions & 7 deletions src/zfw.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,9 @@
#define INGRESS_SERVER_RST_RCVD 24
#define INGRESS_SERVER_FINAL_ACK_RCVD 25
#define MATCHED_DROP_FILTER 26
#define ICMP_MATCHED_EXPIRED_STATE 27
#define ICMP_MATCHED_ACTIVE_STATE 28
#define CLIENT_INITIATED_ICMP_ECHO 29
#define IP6_HEADER_TOO_BIG 30
#define IPV6_TUPLE_TOO_BIG 31

Expand Down Expand Up @@ -215,6 +218,8 @@ const char *egress6_map_path = "/sys/fs/bpf/tc/globals/zt_egress6_map";
const char *egress_count_map_path = "/sys/fs/bpf/tc/globals/egress_count_map";
const char *egress_count6_map_path = "/sys/fs/bpf/tc/globals/egress6_count_map";
const char *masquerade_map_path = "/sys/fs/bpf/tc/globals/masquerade_map";
const char *icmp_masquerade_map_path = "/sys/fs/bpf/tc/globals/icmp_masquerade_map";
const char *icmp_echo_map_path = "/sys/fs/bpf/tc/globals/icmp_echo_map";
char doc[] = "zfw -- ebpf firewall configuration tool";
const char *if_map_path;
char *diag_interface;
Expand All @@ -236,7 +241,7 @@ char *direction_string;
char *masq_interface;
char check_alt[IF_NAMESIZE];

const char *argp_program_version = "0.8.12";
const char *argp_program_version = "0.8.13";
struct ring_buffer *ring_buffer;

__u32 if_list[MAX_IF_LIST_ENTRIES];
Expand Down Expand Up @@ -306,6 +311,7 @@ void open_range_map();
void if_list_ext_delete_key(struct port_extension_key key);
bool interface_map();
void interface_map6();
int get_key_count6();
void close_maps(int code);
void if_delete_key(uint32_t key);
void if6_delete_key(uint32_t key);
Expand Down Expand Up @@ -651,14 +657,15 @@ void disable_ebpf()
disable = true;
tc = true;
interface_tc();
const char *maps[34] = {tproxy_map_path, diag_map_path, if_map_path, count_map_path,
const char *maps[36] = {tproxy_map_path, diag_map_path, if_map_path, count_map_path,
udp_map_path, matched_map_path, tcp_map_path, tun_map_path, if_tun_map_path,
transp_map_path, rb_map_path, ddos_saddr_map_path, ddos_dport_map_path, syn_count_map_path,
tp_ext_map_path, if_list_ext_map_path, range_map_path, wildcard_port_map_path, tproxy6_map_path,
if6_map_path, count6_map_path, matched6_map_path, egress_range_map_path, egress_if_list_ext_map_path,
egress_ext_map_path, egress_map_path, egress6_map_path, egress_count_map_path, egress_count6_map_path,
egress_matched6_map_path, egress_matched_map_path, udp_ingress_map_path, tcp_ingress_map_path, masquerade_map_path};
for (int map_count = 0; map_count < 34; map_count++)
egress_matched6_map_path, egress_matched_map_path, udp_ingress_map_path, tcp_ingress_map_path,
masquerade_map_path, icmp_masquerade_map_path, icmp_echo_map_path};
for (int map_count = 0; map_count < 36; map_count++)
{

int stat = remove(maps[map_count]);
Expand Down Expand Up @@ -3098,7 +3105,10 @@ static int process_events(void *ctx, void *data, size_t len)
{
state = "MATCHED_DROP_FILTER";
}
printf("code=%d\n", code);
else if (code == MATCHED_DROP_FILTER)
{
state = "MATCHED_DROP_FILTER";
}

if (state)
{
Expand All @@ -3116,10 +3126,36 @@ static int process_events(void *ctx, void *data, size_t len)
}
else if (evt->proto == IPPROTO_ICMP && ifname)
{
char *state = NULL;
__u16 code = evt->tracking_code;
__u8 inner_ttl = evt->dest[0];
__u8 outer_ttl = evt->source[0];
if (code == 4)
if (code == ICMP_MATCHED_ACTIVE_STATE)
{
state = "ICMP_MATCHED_ACTIVE_STATE";
}
else if (code == ICMP_MATCHED_EXPIRED_STATE)
{
state = "ICMP_MATCHED_EXPIRED_STATE";
}
else if (code == CLIENT_INITIATED_ICMP_ECHO)
{
state = "CLIENT_INITIATED_ICMP_ECHO";
}
if(state)
{
sprintf(message, "%s : %s : %s : %s : %s > %s outbound_tracking ICMP %s ---> %s\n", ts, ifname,
(evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol, saddr, daddr,(evt->direction == INGRESS) ? "ECHO-REPLY" : "ECHO" ,state);
if (logging)
{
res = write_log(log_file_name, message);
}
else
{
printf("%s", message);
}
}
else if (code == 4)
{
/*evt->sport is use repurposed store next hop mtu*/
sprintf(message, "%s : %s : %s : %s :%s --> reported next hop mtu:%d > FRAGMENTATION NEEDED IN PATH TO:%s:%d\n", ts, ifname,
Expand Down Expand Up @@ -3426,6 +3462,35 @@ static int process_events(void *ctx, void *data, size_t len)
printf("%s", message);
}
}
}else if (evt->proto == IPPROTO_ICMPV6 && ifname)
{
char *state = NULL;
__u16 code = evt->tracking_code;
if (code == ICMP_MATCHED_ACTIVE_STATE)
{
state = "ICMP_MATCHED_ACTIVE_STATE";
}
else if (code == ICMP_MATCHED_EXPIRED_STATE)
{
state = "ICMP_MATCHED_EXPIRED_STATE";
}
else if (code == CLIENT_INITIATED_ICMP_ECHO)
{
state = "CLIENT_INITIATED_ICMP_ECHO";
}
if(state)
{
sprintf(message, "%s : %s : %s : %s : %s > %s outbound_tracking ICMP %s ---> %s\n", ts, ifname,
(evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol, saddr6, daddr6,(evt->direction == INGRESS) ? "ECHO-REPLY" : "ECHO" ,state);
if (logging)
{
res = write_log(log_file_name, message);
}
else
{
printf("%s", message);
}
}
}
else if (ifname)
{
Expand Down Expand Up @@ -3577,7 +3642,7 @@ void map_insert6()
printf("INSERT FAILURE -- INVALID PORT RANGE: low_port(%u) > high_port(%u)\n", low_port, high_port);
close_maps(1);
}
if (get_key_count() == BPF_MAX_ENTRIES)
if (get_key_count6() == BPF_MAX_ENTRIES)
{
printf("INSERT FAILURE -- MAX PREFIX TUPLES REACHED\n");
close_maps(1);
Expand Down
63 changes: 60 additions & 3 deletions src/zfw_monitor.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,9 @@
#define INGRESS_SERVER_RST_RCVD 24
#define INGRESS_SERVER_FINAL_ACK_RCVD 25
#define MATCHED_DROP_FILTER 26
#define ICMP_MATCHED_EXPIRED_STATE 27
#define ICMP_MATCHED_ACTIVE_STATE 28
#define CLIENT_INITIATED_ICMP_ECHO 29
#define IP6_HEADER_TOO_BIG 30
#define IPV6_TUPLE_TOO_BIG 31

Expand All @@ -78,7 +81,7 @@ char check_alt[IF_NAMESIZE];
char doc[] = "zfw_monitor -- ebpf firewall monitor tool";
const char *rb_map_path = "/sys/fs/bpf/tc/globals/rb_map";
const char *tproxy_map_path = "/sys/fs/bpf/tc/globals/zt_tproxy_map";
const char *argp_program_version = "0.8.12";
const char *argp_program_version = "0.8.13";
union bpf_attr rb_map;
int rb_fd = -1;

Expand Down Expand Up @@ -507,7 +510,6 @@ static int process_events(void *ctx, void *data, size_t len)
{
state = "MATCHED_DROP_FILTER";
}
printf("code=%d\n", code);

if (state)
{
Expand All @@ -525,10 +527,36 @@ static int process_events(void *ctx, void *data, size_t len)
}
else if (evt->proto == IPPROTO_ICMP && ifname)
{
char *state = NULL;
__u16 code = evt->tracking_code;
__u8 inner_ttl = evt->dest[0];
__u8 outer_ttl = evt->source[0];
if (code == 4)
if (code == ICMP_MATCHED_ACTIVE_STATE)
{
state = "ICMP_MATCHED_ACTIVE_STATE";
}
else if (code == ICMP_MATCHED_EXPIRED_STATE)
{
state = "ICMP_MATCHED_EXPIRED_STATE";
}
else if (code == CLIENT_INITIATED_ICMP_ECHO)
{
state = "CLIENT_INITIATED_ICMP_ECHO";
}
if(state)
{
sprintf(message, "%s : %s : %s : %s : %s > %s outbound_tracking ICMP %s ---> %s\n", ts, ifname,
(evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol, saddr, daddr,(evt->direction == INGRESS) ? "ECHO-REPLY" : "ECHO" ,state);
if (logging)
{
res = write_log(log_file_name, message);
}
else
{
printf("%s", message);
}
}
else if (code == 4)
{
/*evt->sport is use repurposed store next hop mtu*/
sprintf(message, "%s : %s : %s : %s :%s --> reported next hop mtu:%d > FRAGMENTATION NEEDED IN PATH TO:%s:%d\n", ts, ifname,
Expand Down Expand Up @@ -835,6 +863,35 @@ static int process_events(void *ctx, void *data, size_t len)
printf("%s", message);
}
}
}else if (evt->proto == IPPROTO_ICMPV6 && ifname)
{
char *state = NULL;
__u16 code = evt->tracking_code;
if (code == ICMP_MATCHED_ACTIVE_STATE)
{
state = "ICMP_MATCHED_ACTIVE_STATE";
}
else if (code == ICMP_MATCHED_EXPIRED_STATE)
{
state = "ICMP_MATCHED_EXPIRED_STATE";
}
else if (code == CLIENT_INITIATED_ICMP_ECHO)
{
state = "CLIENT_INITIATED_ICMP_ECHO";
}
if(state)
{
sprintf(message, "%s : %s : %s : %s : %s > %s outbound_tracking ICMP %s ---> %s\n", ts, ifname,
(evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol, saddr6, daddr6,(evt->direction == INGRESS) ? "ECHO-REPLY" : "ECHO" ,state);
if (logging)
{
res = write_log(log_file_name, message);
}
else
{
printf("%s", message);
}
}
}
else if (ifname)
{
Expand Down
Loading

0 comments on commit 3c269dc

Please sign in to comment.