Merge pull request #67 from netfoundry/v0.8.11-release-candidate

V0.8.11 release candidate
netfoundry · Aug 6, 2024 · 4b78c2c · 4b78c2c
2 parents 52951f0 + c1f596e
commit 4b78c2c
Show file tree

Hide file tree

Showing 8 changed files with 34 additions and 3 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -65,6 +65,7 @@ jobs:
           mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system
           mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin
           mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d
+          mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d
           cp -p CHANGELOG.md ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
           cp -p README.md ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
           cp -p LICENSE ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
@@ -75,12 +76,14 @@ jobs:
           cp -p files/scripts/start_ebpf_${{ matrix.ziti_type }}.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
           cp -p files/scripts/user_rules.sh.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/
           cp -p files/scripts/zfwlogs ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d/
+          cp -p files/scripts/zfw_refresh ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d/
           cp -p files/json/ebpf_config.json.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc/
           cp -p files/services/zfw-logging.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/
           chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw
           chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_monitor
           chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py
           chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/user_rules.sh.sample
+          chmod 644 ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d/zfw_refresh
           ln -s /opt/openziti/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw
           ln -s /opt/openziti/bin/zfw_monitor ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw_monitor
 
@@ -185,6 +188,7 @@ jobs:
           mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system
           mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin
           mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d
+          mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d
           cp -p CHANGELOG.md ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
           cp -p README.md ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
           cp -p LICENSE ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
@@ -195,12 +199,14 @@ jobs:
           cp -p files/scripts/start_ebpf_${{ matrix.ziti_type }}.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
           cp -p files/scripts/user_rules.sh.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/
           cp -p files/scripts/zfwlogs ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d/
+          cp -p files/scripts/zfw_refresh ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d/
           cp -p files/json/ebpf_config.json.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc/
           cp -p files/services/zfw-logging.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/
           chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw
           chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_monitor
           chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py
           chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/user_rules.sh.sample
+          chmod 644 ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d/zfw_refresh
           ln -s /opt/openziti/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw
           ln -s /opt/openziti/bin/zfw_monitor ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw_monitor
      

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -66,6 +66,7 @@ jobs:
           mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system
           mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin
           mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d
+          mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d
           cp -p CHANGELOG.md ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
           cp -p README.md ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
           cp -p LICENSE ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
@@ -76,12 +77,14 @@ jobs:
           cp -p files/scripts/start_ebpf_${{ matrix.ziti_type }}.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
           cp -p files/scripts/user_rules.sh.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/
           cp -p files/scripts/zfwlogs ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d/
+          cp -p files/scripts/zfw_refresh ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d/
           cp -p files/json/ebpf_config.json.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc/
           cp -p files/services/zfw-logging.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/
           chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw
           chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_monitor
           chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py
           chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/user_rules.sh.sample
+          chmod 644 ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d/zfw_refresh
           ln -s /opt/openziti/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw
           ln -s /opt/openziti/bin/zfw_monitor ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw_monitor
 
@@ -186,6 +189,7 @@ jobs:
           mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system
           mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin
           mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d
+          mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d
           cp -p CHANGELOG.md ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
           cp -p README.md ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
           cp -p LICENSE ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
@@ -196,12 +200,14 @@ jobs:
           cp -p files/scripts/start_ebpf_${{ matrix.ziti_type }}.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
           cp -p files/scripts/user_rules.sh.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/
           cp -p files/scripts/zfwlogs ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d/
+          cp -p files/scripts/zfw_refresh ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d/
           cp -p files/json/ebpf_config.json.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc/
           cp -p files/services/zfw-logging.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/
           chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw
           chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_monitor
           chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py
           chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/user_rules.sh.sample
+          chmod 644 ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d/zfw_refresh
           ln -s /opt/openziti/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw
           ln -s /opt/openziti/bin/zfw_monitor ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw_monitor
 

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,13 @@
 All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ---
+###
+# [0.8.11] - 2024-08-03
+
+- Edit Readme updated ```zfw -L -E ``` outputs
+- Added cron script ```/etc/crond.d/zfw_refresh``` to run ```/opt/openziti/zfw -L -E``` once per minute to refresh the ifindex to ip mappings. This was done
+  to enable detection of new interfaces and to refresh ip for any interface that might have changed dynamically or otherwise. 
+
 ###
 # [0.8.10] - 2024-07-29
 

diff --git a/README.md b/README.md
@@ -542,7 +542,7 @@ By default ssh is enabled to pass through to the ip address of the attached inte
 If secondary addresses exist on the interface this will only work for the first 10.  After that you would need
 to add manual entries via ```zfw -I```.  
 
-NOTE: **For environments where the IP will change it is highly recommended that a manual ssh rule is entered in /opt/openziti/bin/user_rules.sh with an entry for the entire subnet. e.g if subnet is 192.168.1.0/24 or you will lose ssh access to the system till system restart**
+NOTE: **For environments where the IP will change zfw should detect the change with in 1 minute. It is highly recommended that a manual ssh rule is entered in /opt/openziti/bin/user_rules.sh with an entry for the entire subnet as backup unless you have either a manual static address or reserved DHCP address. e.g if subnet is 192.168.1.0/24.** 
 ```
 #!/bin/bash
 sudo /opt/openziti/bin/zfw -I -c 192.168.1.0 -m 24 -l 22 -h 22 -t 0 -p tcp
@@ -695,6 +695,7 @@ tun mode intercept      :0
 vrrp enable             :0
 eapol enable            :0
 ddos filtering          :0
+masquerade              :0
 ipv6 enable             :1
 --------------------------
 
@@ -711,6 +712,7 @@ tun mode intercept      :1
 vrrp enable             :0
 eapol enable            :0
 ddos filtering          :0
+masquerade              :0
 ipv6 enable             :1
 --------------------------
 
@@ -727,6 +729,7 @@ tun mode intercept      :0
 vrrp enable             :0
 eapol enable            :0
 ddos filtering          :0
+masquerade              :0
 ipv6 enable             :0
 --------------------------
 
@@ -778,6 +781,7 @@ removing /sys/fs/bpf/tc/globals/egress_matched6_map
 removing /sys/fs/bpf/tc//globals/egress_matched_map
 removing /sys/fs/bpf/tc/globals/udp_ingress_map
 removing /sys/fs/bpf/tc/globals/tcp_ingress_map
+removing /sys/fs/bpf/tc/globals/masquerade_map
 ```
 
 
diff --git a/files/scripts/zfw_refresh b/files/scripts/zfw_refresh
@@ -0,0 +1,2 @@
+* * * * * root /opt/openziti/bin/zfw -L -E > /dev/null
+
diff --git a/src/install.sh b/src/install.sh
@@ -20,6 +20,7 @@ then
    cp zfw_tc_ingress.o /opt/openziti/bin
    cp zfw_tc_outbound_track.o /opt/openziti/bin
    cp ../files/scripts/start_ebpf_router.py /opt/openziti/bin
+   cp ../files/scripts/zfw_refresh /etc/cron.d
    cp ../files/scripts/revert_ebpf_router.py /opt/openziti/bin
    cp ../files/scripts/revert_ebpf_router.py /opt/openziti/bin
    cp ../files/scripts/zfwlogs /etc/logrotate.d
@@ -31,6 +32,7 @@ then
    chmod 744 /opt/openziti/bin/revert_ebpf_router.py
    chmod 744 /opt/openziti/bin/user/user_rules.sh.sample
    chmod 744 /opt/openziti/bin/zfw
+   chmod 644 /etc/cron.d/zfw_refresh
    if [ ! -L "/usr/sbin/zfw" ]
       then
           ln -s /opt/openziti/bin/zfw /usr/sbin/zfw
@@ -55,6 +57,7 @@ then
       cp zfw_xdp_tun_ingress.o /opt/openziti/bin
       cp zfw_tunnwrapper /opt/openziti/bin
       cp ../files/scripts/start_ebpf_tunnel.py /opt/openziti/bin
+      cp ../files/scripts/zfw_refresh /etc/cron.d
       cp ../files/scripts/set_xdp_redirect.py /opt/openziti/bin
       cp ../files/scripts/zfwlogs /etc/logrotate.d
       cp ../files/scripts/user_rules.sh.sample /opt/openziti/bin/user
@@ -67,6 +70,7 @@ then
       chmod 744 /opt/openziti/bin/user/user_rules.sh.sample
       chmod 744 /opt/openziti/bin/zfw_tunnwrapper
       chmod 744 /opt/openziti/bin/zfw
+      chmod 644 /etc/cron.d/zfw_refresh
       if [ ! -L "/usr/sbin/zfw" ]
       then
           ln -s /opt/openziti/bin/zfw /usr/sbin/zfw
@@ -95,6 +99,7 @@ then
    cp  zfw_tc_ingress.o /opt/openziti/bin
    cp  zfw_tc_outbound_track.o /opt/openziti/bin
    cp  ../files/scripts/start_ebpf_controller.py /opt/openziti/bin
+   cp ../files/scripts/zfw_refresh /etc/cron.d
    cp  ../files/scripts/revert_ebpf_controller.py /opt/openziti/bin
    cp  ../files/scripts/zfwlogs /etc/logrotate.d
    cp  ../files/scripts/user_rules.sh.sample /opt/openziti/bin/user
@@ -103,6 +108,7 @@ then
    chmod 744 /opt/openziti/bin/start_ebpf_controller.py
    chmod 744 /opt/openziti/bin/user/user_rules.sh.sample
    chmod 744 /opt/openziti/bin/zfw
+   chmod 644 /etc/cron.d/zfw_refresh
    if [ ! -L "/usr/sbin/zfw" ]
    then
          ln -s /opt/openziti/bin/zfw /usr/sbin/zfw

diff --git a/src/zfw.c b/src/zfw.c
@@ -236,7 +236,7 @@ char *direction_string;
 char *masq_interface;
 char check_alt[IF_NAMESIZE];
 
-const char *argp_program_version = "0.8.10";
+const char *argp_program_version = "0.8.11";
 struct ring_buffer *ring_buffer;
 
 __u32 if_list[MAX_IF_LIST_ENTRIES];

diff --git a/src/zfw_monitor.c b/src/zfw_monitor.c
@@ -78,7 +78,7 @@ char check_alt[IF_NAMESIZE];
 char doc[] = "zfw_monitor -- ebpf firewall monitor tool";
 const char *rb_map_path = "/sys/fs/bpf/tc/globals/rb_map";
 const char *tproxy_map_path = "/sys/fs/bpf/tc/globals/zt_tproxy_map";
-const char *argp_program_version = "0.8.10";
+const char *argp_program_version = "0.8.11";
 union bpf_attr rb_map;
 int rb_fd = -1;