From c3c44f1a5478c3c70c95458c06d20642c9bf9328 Mon Sep 17 00:00:00 2001
From: r-caamano
Date: Sat, 3 Aug 2024 20:48:44 +0000
Subject: [PATCH 1/4] Added cron script to refresh zfw interface list to index mapping once per minute
---
 .github/workflows/ci.yml | 6 ++++++
 .github/workflows/release.yml | 6 ++++++
 CHANGELOG.md | 7 +++++++
 README.md | 5 ++++-
 files/scripts/zfw_refresh | 2 ++
 src/install.sh | 6 ++++++
 src/zfw.c | 2 +-
 src/zfw_monitor.c | 2 +-
 8 files changed, 33 insertions(+), 3 deletions(-)
 create mode 100644 files/scripts/zfw_refresh
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a52f1aa..5734d9e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -65,6 +65,7 @@ jobs:
 mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system
 mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin
 mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d
+ mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d
 cp -p CHANGELOG.md ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
 cp -p README.md ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
 cp -p LICENSE ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
@@ -75,12 +76,14 @@ jobs:
 cp -p files/scripts/start_ebpf_${{ matrix.ziti_type }}.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
 cp -p files/scripts/user_rules.sh.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/
 cp -p files/scripts/zfwlogs ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d/
+ cp -p files/scripts/zfw_refresh ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d/
 cp -p files/json/ebpf_config.json.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc/
 cp -p files/services/zfw-logging.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/
 chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw
 chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_monitor
 chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py
 chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/user_rules.sh.sample
+ chmod 644 ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d/zfw_refresh
 ln -s /opt/openziti/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw
 ln -s /opt/openziti/bin/zfw_monitor ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw_monitor
@@ -185,6 +188,7 @@ jobs:
 mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system
 mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin
 mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d
+ mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d
 cp -p CHANGELOG.md ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
 cp -p README.md ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
 cp -p LICENSE ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
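Review bot: The cron entry is staged under `etc/cron.d/` with `cp -p` and `chmod 644`, but nothing in this hunk establishes its ownership, and cron ignores a /etc/cron.d file that is not owned by root. If the dpkg-deb step outside this hunk does not build under fakeroot or with `--root-owner-group`, the file will carry the runner's uid after install and the refresh job will never run; worth confirming there, and the same applies to the mirrored hunks at ci.yml 195 and release.yml 76 and 196. The explicit `chmod 644` is what guarantees the file is not group/other-writable (the other condition cron checks), since `cp -p` only carries whatever mode the repo checkout has. The job also depends on a cron daemon being present, so the package control file (not visible here) should declare that dependency.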
@@ -195,12 +199,14 @@ jobs:
 cp -p files/scripts/start_ebpf_${{ matrix.ziti_type }}.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
 cp -p files/scripts/user_rules.sh.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/
 cp -p files/scripts/zfwlogs ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d/
+ cp -p files/scripts/zfw_refresh ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d/
 cp -p files/json/ebpf_config.json.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc/
 cp -p files/services/zfw-logging.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/
 chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw
 chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_monitor
 chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py
 chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/user_rules.sh.sample
+ chmod 644 ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d/zfw_refresh
 ln -s /opt/openziti/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw
 ln -s /opt/openziti/bin/zfw_monitor ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw_monitor
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2fb7798..2ffaeee 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -66,6 +66,7 @@ jobs:
 mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system
 mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin
 mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d
+ mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d
 cp -p CHANGELOG.md ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
 cp -p README.md ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
 cp -p LICENSE ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
@@ -76,12 +77,14 @@ jobs:
 cp -p files/scripts/start_ebpf_${{ matrix.ziti_type }}.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
 cp -p files/scripts/user_rules.sh.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/
 cp -p files/scripts/zfwlogs ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d/
+ cp -p files/scripts/zfw_refresh ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d/
 cp -p files/json/ebpf_config.json.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc/
 cp -p files/services/zfw-logging.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/
 chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw
 chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_monitor
 chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py
 chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/user_rules.sh.sample
+ chmod 644 ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d/zfw_refresh
 ln -s /opt/openziti/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw
 ln -s /opt/openziti/bin/zfw_monitor ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw_monitor
@@ -186,6 +189,7 @@ jobs:
 mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system
 mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin
 mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d
+ mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d
 cp -p CHANGELOG.md ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
 cp -p README.md ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
 cp -p LICENSE ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
@@ -196,12 +200,14 @@ jobs: cp -p files/scripts/start_ebpf_${{ matrix.ziti_type }}.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/scripts/user_rules.sh.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/ cp -p files/scripts/zfwlogs ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d/ + cp -p files/scripts/zfw_refresh ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d/ cp -p files/json/ebpf_config.json.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc/ cp -p files/services/zfw-logging.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_monitor chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/user_rules.sh.sample + chmod 644 ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d/zfw_refresh ln -s /opt/openziti/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw ln -s /opt/openziti/bin/zfw_monitor ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw_monitor diff --git a/CHANGELOG.md b/CHANGELOG.md index 26a01ef..c8b90be 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,13 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). --- +### +# [0.8.11] - 2024-08-03 + +- Edit Readme updated ```zfw -L -E ``` outputs +- Added cron script ```/etc/crond.d/zfw_refresh``` to run ```/opt/openziti/zfw -L -E``` once per minute to refresh the ifindex to ip mappings. This was done + to enable detection of new interfaces and to refresh ip for any interface that might have changed dynamically or otherwise. + ### # [0.8.10] - 2024-07-29 
diff --git a/README.md b/README.md index 24d8e77..0dc36ba 100644 --- a/README.md +++ b/README.md @@ -542,7 +542,7 @@ By default ssh is enabled to pass through to the ip address of the attached inte If secondary addresses exist on the interface this will only work for the first 10. After that you would need to add manual entries via ```zfw -I```. -NOTE: **For environments where the IP will change it is highly recommended that a manual ssh rule is entered in /opt/openziti/bin/user_rules.sh with an entry for the entire subnet. e.g if subnet is 192.168.1.0/24 or you will lose ssh access to the system till system restart** +NOTE: **For environments where the IP will change zfw should detect the change with in 1 minute. It is highly recommended that a manual ssh rule is entered in /opt/openziti/bin/user_rules.sh with an entry for the entire subnet as backup unless you have either a manual static address or reserved DHCP address. e.g if subnet is 192.168.1.0/24.** ``` #!/bin/bash sudo /opt/openziti/bin/zfw -I -c 192.168.1.0 -m 24 -l 22 -h 22 -t 0 -p tcp @@ -695,6 +695,7 @@ tun mode intercept :0 vrrp enable :0 eapol enable :0 ddos filtering :0 +masquerade :0 ipv6 enable :1 -------------------------- @@ -711,6 +712,7 @@ tun mode intercept :1 vrrp enable :0 eapol enable :0 ddos filtering :0 +masquerade :0 ipv6 enable :1 -------------------------- @@ -727,6 +729,7 @@ tun mode intercept :0 vrrp enable :0 eapol enable :0 ddos filtering :0 +masquerade :0 ipv6 enable :0 -------------------------- diff --git a/files/scripts/zfw_refresh b/files/scripts/zfw_refresh new file mode 100644 index 0000000..5840c8b --- /dev/null +++ b/files/scripts/zfw_refresh @@ -0,0 +1,2 @@ +* * * * * root /opt/openziti/bin/zfw -L -E >> /var/log/syslog 2>&1 + diff --git a/src/install.sh b/src/install.sh index d28091f..d98f530 100755 --- a/src/install.sh +++ b/src/install.sh 
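Review bot: `>> /var/log/syslog 2>&1` in the new zfw_refresh entry writes straight into the syslog file, bypassing the log daemon: the lines carry no timestamp or tag, interleave with rsyslog's own writes, and on journald-only hosts the file may not exist at all; patches 2/4 and 4/4 of this series then drop the redirection and send stdout to /dev/null, so the logging behaviour is still unsettled. Routing through the logger keeps the diagnostics without those problems: `* * * * * root /opt/openziti/bin/zfw -L -E 2>&1 | logger -t zfw_refresh`. The job also runs as root every minute whether or not the firewall is loaded; guarding it on the pinned-map directory, e.g. `[ -d /sys/fs/bpf/tc/globals ] && /opt/openziti/bin/zfw -L -E`, avoids a failing invocation per minute when zfw is not active. A header comment such as `# Refresh zfw ifindex-to-address mappings once per minute (installed by the zfw package)` would tell an operator what the entry is for, and the trailing empty line should stay, since cron ignores a /etc/cron.d file whose last line lacks a newline. The CHANGELOG entry in this same patch names `/etc/crond.d/zfw_refresh` and `/opt/openziti/zfw`, neither of which matches the paths actually installed (`/etc/cron.d/zfw_refresh`, `/opt/openziti/bin/zfw`).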
@@ -20,6 +20,7 @@ then
 cp zfw_tc_ingress.o /opt/openziti/bin
 cp zfw_tc_outbound_track.o /opt/openziti/bin
 cp ../files/scripts/start_ebpf_router.py /opt/openziti/bin
+ cp ../files/scripts/zfw_refresh /etc/cron.d
 cp ../files/scripts/revert_ebpf_router.py /opt/openziti/bin
 cp ../files/scripts/revert_ebpf_router.py /opt/openziti/bin
 cp ../files/scripts/zfwlogs /etc/logrotate.d
@@ -31,6 +32,7 @@ then
 chmod 744 /opt/openziti/bin/revert_ebpf_router.py
 chmod 744 /opt/openziti/bin/user/user_rules.sh.sample
 chmod 744 /opt/openziti/bin/zfw
+ chmod 644 /etc/cron.d/zfw_refresh
 if [ ! -L "/usr/sbin/zfw" ]
 then
 ln -s /opt/openziti/bin/zfw /usr/sbin/zfw
@@ -55,6 +57,7 @@ then
 cp zfw_xdp_tun_ingress.o /opt/openziti/bin
 cp zfw_tunnwrapper /opt/openziti/bin
 cp ../files/scripts/start_ebpf_tunnel.py /opt/openziti/bin
+ cp ../files/scripts/zfw_refresh /etc/cron.d
 cp ../files/scripts/set_xdp_redirect.py /opt/openziti/bin
 cp ../files/scripts/zfwlogs /etc/logrotate.d
 cp ../files/scripts/user_rules.sh.sample /opt/openziti/bin/user
@@ -67,6 +70,7 @@ then
 chmod 744 /opt/openziti/bin/user/user_rules.sh.sample
 chmod 744 /opt/openziti/bin/zfw_tunnwrapper
 chmod 744 /opt/openziti/bin/zfw
+ chmod 644 /etc/cron.d/zfw_refresh
 if [ ! -L "/usr/sbin/zfw" ]
 then
 ln -s /opt/openziti/bin/zfw /usr/sbin/zfw
@@ -95,6 +99,7 @@ then
 cp zfw_tc_ingress.o /opt/openziti/bin
 cp zfw_tc_outbound_track.o /opt/openziti/bin
 cp ../files/scripts/start_ebpf_controller.py /opt/openziti/bin
+ cp ../files/scripts/zfw_refresh /etc/cron.d
 cp ../files/scripts/revert_ebpf_controller.py /opt/openziti/bin
 cp ../files/scripts/zfwlogs /etc/logrotate.d
 cp ../files/scripts/user_rules.sh.sample /opt/openziti/bin/user
@@ -103,6 +108,7 @@ then
 chmod 744 /opt/openziti/bin/start_ebpf_controller.py
 chmod 744 /opt/openziti/bin/user/user_rules.sh.sample
 chmod 744 /opt/openziti/bin/zfw
+ chmod 644 /etc/cron.d/zfw_refresh
 if [ ! -L "/usr/sbin/zfw" ]
 then
 ln -s /opt/openziti/bin/zfw /usr/sbin/zfw
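Review bot: `cp ../files/scripts/zfw_refresh /etc/cron.d` in the @@ -20 hunk assumes the directory exists; the CI packaging in this series creates `etc/cron.d` with `mkdir -p`, but install.sh does not, so on a host with no cron package the copy fails and, its return value being unchecked, the install continues with the refresh job silently absent. The same cp/chmod pair is repeated in the tunnel (@@ -55 and -67) and controller (@@ -95 and -103) branches; in each, `mkdir -p /etc/cron.d` followed by `install -m 644 -o root -g root ../files/scripts/zfw_refresh /etc/cron.d/zfw_refresh` would create the directory, set the mode in one step and pin the root ownership cron requires before it will read the file. I do not see a matching removal of /etc/cron.d/zfw_refresh in any uninstall or revert path on this page; if one exists outside these hunks it should be updated so the job does not outlive the binary it invokes. The enclosing `if … then` blocks start and end outside the hunks.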
diff --git a/src/zfw.c b/src/zfw.c
index f696968..a751e4f 100644
--- a/src/zfw.c
+++ b/src/zfw.c
@@ -236,7 +236,7 @@ char *direction_string;
 char *masq_interface;
 char check_alt[IF_NAMESIZE];
-const char *argp_program_version = "0.8.10";
+const char *argp_program_version = "0.8.11";
 struct ring_buffer *ring_buffer;
 __u32 if_list[MAX_IF_LIST_ENTRIES];
diff --git a/src/zfw_monitor.c b/src/zfw_monitor.c
index ef448f5..627599c 100644
--- a/src/zfw_monitor.c
+++ b/src/zfw_monitor.c
@@ -78,7 +78,7 @@ char check_alt[IF_NAMESIZE];
 char doc[] = "zfw_monitor -- ebpf firewall monitor tool";
 const char *rb_map_path = "/sys/fs/bpf/tc/globals/rb_map";
 const char *tproxy_map_path = "/sys/fs/bpf/tc/globals/zt_tproxy_map";
-const char *argp_program_version = "0.8.10";
+const char *argp_program_version = "0.8.11";
 union bpf_attr rb_map;
 int rb_fd = -1;
From 3cab6a1b40ac5fcec541215b0d8c12f498783fa3 Mon Sep 17 00:00:00 2001
From: r-caamano
Date: Sat, 3 Aug 2024 22:18:15 +0000
Subject: [PATCH 2/4] removed log output redirection for zfw_refresh
---
 files/scripts/zfw_refresh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/files/scripts/zfw_refresh b/files/scripts/zfw_refresh
index 5840c8b..6a4952c 100644
--- a/files/scripts/zfw_refresh
+++ b/files/scripts/zfw_refresh
@@ -1,2 +1,2 @@
-* * * * * root /opt/openziti/bin/zfw -L -E >> /var/log/syslog 2>&1
+* * * * * root /opt/openziti/bin/zfw -L -E
From c59386a125af52dfb052fa9db7e545d88457d93d Mon Sep 17 00:00:00 2001
From: r-caamano
Date: Sun, 4 Aug 2024 00:58:52 +0000
Subject: [PATCH 3/4] Updated README
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 0dc36ba..0866a27 100644
--- a/README.md
+++ b/README.md
@@ -781,6 +781,7 @@ removing /sys/fs/bpf/tc/globals/egress_matched6_map
 removing /sys/fs/bpf/tc//globals/egress_matched_map
 removing /sys/fs/bpf/tc/globals/udp_ingress_map
 removing /sys/fs/bpf/tc/globals/tcp_ingress_map
+removing /sys/fs/bpf/tc/globals/masquerade_map
 ```
From c1f596eed00ef153a88d8a48db817eb133a2cc87 Mon Sep 17 00:00:00 2001
From: r-caamano
Date: Sun, 4 Aug 2024 02:45:04 +0000
Subject: [PATCH 4/4] refactored zfw_refresh to send output to /dev/null
---
 files/scripts/zfw_refresh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/files/scripts/zfw_refresh b/files/scripts/zfw_refresh
index 6a4952c..97d50c1 100644
--- a/files/scripts/zfw_refresh
+++ b/files/scripts/zfw_refresh
@@ -1,2 +1,2 @@
-* * * * * root /opt/openziti/bin/zfw -L -E
+* * * * * root /opt/openziti/bin/zfw -L -E > /dev/null
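Review bot: `> /dev/null` discards only stdout; anything `zfw -L -E` writes to stderr (a failed map open when the firewall is not loaded, for instance) still goes to cron's MAILTO, which on hosts without an MTA produces a per-minute `(CRON) info (No MTA installed, discarding output)` line in syslog and leaves no diagnostics behind — the intermediate state in patch 2/4 sent all output down that path. Keeping stdout quiet while handing stderr to the log daemon covers both: `* * * * * root /opt/openziti/bin/zfw -L -E 2>&1 >/dev/null | logger -t zfw_refresh` (the redirection order matters: stderr is duplicated onto the pipe before stdout is pointed at /dev/null). A one-line header comment, `# Refresh zfw ifindex-to-address mappings once per minute (installed by the zfw package)`, would also record why a root job runs every minute, which is otherwise only explained in the CHANGELOG.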