diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5ed7296..12f9b54 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,13 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ---
+###
+# [0.8.16] - 2024-09-02
+- Fixed incorrect waitpid success/failure conditional checks in zfw.c and zfw_tunnel_wrapper.c. This did not cause an operational issue but would not
+ report correctly in case system call failures.
+- Refactored csum calc for both ipv4 tcp / udp.
+- Updated README with latest ```zfw -Q``` printout.
+
 ###
 # [0.8.15] - 2024-08-26
 - Refactored all startup scripts to default InternalInterfaces to have outbound tracking enabled
diff --git a/README.md b/README.md
index fe63b9a..b23436b 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,7 @@ This function requires that both ingress and egress TC filters are enabled on ou
 static PAT. Note: When running on later kernels i.e. 6+ some older network hardware may not work with ebpf Dynamic PAT.
 ### Explicit Deny Rules
-This feature adds the ability to enter explicit deny rules by appending ```-d, --disable to the -I, --insert rule``` to both ingress and egress rules. Rule precedence is based on longest match prefix. If the prefix is the same then the precedence follows the order entry of the rules, which when listed will go from top to bottom for ports with in the same prefix e.g.
+This feature adds the ability to enter explicit deny rules by appending ```-d, --disable``` to the ```-I, --insert rule``` to either ingress or egress rules. Rule precedence is based on longest match prefix. If the prefix is the same then the precedence follows the order entry of the rules, which when listed will go from top to bottom for ports with in the same prefix e.g.
 If you wanted to allow all tcp 443 traffic outbound except to 10.1.0.0/16 you would enter the following egress rules:
@@ -745,7 +745,6 @@ Example: Remove all tc-ebpf on router
 sudo zfw --disable-ebpf
 ```
 ```
-tc parent del : ens33
 removing /sys/fs/bpf/tc/globals/zt_tproxy_map
 removing /sys/fs/bpf/tc/globals/diag_map
 removing /sys/fs/bpf/tc/globals/ifindex_ip_map
@@ -780,6 +779,9 @@ removing /sys/fs/bpf/tc//globals/egress_matched_map
 removing /sys/fs/bpf/tc/globals/udp_ingress_map
 removing /sys/fs/bpf/tc/globals/tcp_ingress_map
 removing /sys/fs/bpf/tc/globals/masquerade_map
+removing /sys/fs/bpf/tc/globals/icmp_masquerade_map
+removing /sys/fs/bpf/tc/globals/icmp_echo_map
+removing /sys/fs/bpf/tc/globals/masquerade_reverse_map
 ```
diff --git a/src/zfw.c b/src/zfw.c
index ded555a..32deec3 100644
--- a/src/zfw.c
+++ b/src/zfw.c
@@ -246,7 +246,7 @@ char *direction_string;
 char *masq_interface;
 char check_alt[IF_NAMESIZE];
-const char *argp_program_version = "0.8.15";
+const char *argp_program_version = "0.8.16";
 struct ring_buffer *ring_buffer;
 __u32 if_list[MAX_IF_LIST_ENTRIES];
@@ -560,22 +560,11 @@ void set_tc(char *action)
 else
 {
 int status = 0;
- if (waitpid(pid, &status, 0) > 0)
+ if(!(waitpid(pid, &status, 0) < 0))
 {
- if (WIFEXITED(status) && !WEXITSTATUS(status))
+ if(!(WIFEXITED(status) && !WEXITSTATUS(status)))
 {
- printf("tc parent %s : %s\n", action, tc_interface);
- }
- else
- {
- if (!strcmp("add", action))
- {
- printf("tc parent already exists : %s\n", tc_interface);
- }
- else
- {
- printf("tc parent does not exist : %s\n", tc_interface);
- }
+ printf("could not set tc parent %s : %s\n", action, tc_interface);
 }
 }
 }
@@ -626,18 +615,13 @@ void set_tc_filter(char *action)
 else
 {
 int status = 0;
- if (!(waitpid(pid, &status, 0) > 0))
+ if(!(waitpid(pid, &status, 0) < 0))
 {
- if (WIFEXITED(status) && !WEXITSTATUS(status))
+ if(!(WIFEXITED(status) && !WEXITSTATUS(status)))
 {
 printf("tc %s filter not set : %s\n", direction_string, tc_interface);
 }
 }
- if (status)
- {
- printf("tc %s filter action/%d not set : %s\n", direction_string, x, tc_interface);
- close_maps(1);
- }
 }
 }
 }
diff --git a/src/zfw_monitor.c b/src/zfw_monitor.c
index 9d9806d..3f3b629 100644
--- a/src/zfw_monitor.c
+++ b/src/zfw_monitor.c
@@ -85,7 +85,7 @@ char check_alt[IF_NAMESIZE];
 char doc[] = "zfw_monitor -- ebpf firewall monitor tool";
 const char *rb_map_path = "/sys/fs/bpf/tc/globals/rb_map";
 const char *tproxy_map_path = "/sys/fs/bpf/tc/globals/zt_tproxy_map";
-const char *argp_program_version = "0.8.15";
+const char *argp_program_version = "0.8.16";
 union bpf_attr rb_map;
 int rb_fd = -1;
diff --git a/src/zfw_tc_ingress.c b/src/zfw_tc_ingress.c
index 97af5a4..87a5307 100644
--- a/src/zfw_tc_ingress.c
+++ b/src/zfw_tc_ingress.c
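Review bot: The new `if(!(waitpid(pid, &status, 0) < 0))` guard in set_tc has no else branch, so a failing waitpid() — the very case the changelog says this commit is meant to report — still produces no output at all; add `else { perror("waitpid"); }` after the closing brace of that block. With options 0, waitpid() returns either the child pid or -1, so replacing `> 0` with `!(< 0)` is behaviour-neutral here; the visible functional change in this hunk is that the failure message now also covers a child killed by a signal (WIFEXITED false) and the success / "already exists" messages are gone. The same silent waitpid-failure shape is in set_tc_filter (@@ -626) and in every zfw_tunnel_wrapper.c hunk (@@ -843, -870, -897, -1025, -1043). set_tc begins and ends outside the hunk.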
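Review bot: Dropping the `if (status) { ...; close_maps(1); }` block at the end of set_tc_filter turns a failed `tc filter` attach from a fatal error into a single log line, so the program now carries on with an interface that has no filter attached; if that was not intended, the new failure branch should keep the hard stop, e.g. `printf("tc %s filter not set : %s\n", direction_string, tc_interface);` followed by `close_maps(1);`. If continuing on failure is intended, a comment on that branch saying so would stop the next reader from restoring the exit. Printing `WEXITSTATUS(status)` in the message would also make the tc failure diagnosable from the log alone. set_tc_filter begins and ends outside the hunk.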
@@ -1897,7 +1897,7 @@ int bpf_sk_splice(struct __sk_buff *skb){
 }
 /*Calculate l4 Checksum*/
 int flags = BPF_F_PSEUDO_HDR;
- bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct tcphdr, check), local_ip4->ipaddr[0] ,mv->__in46_u_origin.ip, flags | 4);
+ bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct tcphdr, check), 0, l3_sum, flags);
 iph = (struct iphdr *)(skb->data + sizeof(*eth));
 if ((unsigned long)(iph + 1) > (unsigned long)skb->data_end){
 return TC_ACT_SHOT;
@@ -2121,7 +2121,7 @@ int bpf_sk_splice(struct __sk_buff *skb){
 /*Calculate l4 Checksum*/
 if(udph->check != 0){
 int flags = BPF_F_PSEUDO_HDR;
- bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct udphdr, check),local_ip4->ipaddr[0], iph->daddr, flags | 4);
+ bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct udphdr, check), 0, l3_sum, flags);
 iph = (struct iphdr *)(skb->data + sizeof(*eth));
 if ((unsigned long)(iph + 1) > (unsigned long)skb->data_end){
 return TC_ACT_SHOT;
diff --git a/src/zfw_tc_outbound_track.c b/src/zfw_tc_outbound_track.c
index 226e6ff..8c58084 100644
--- a/src/zfw_tc_outbound_track.c
+++ b/src/zfw_tc_outbound_track.c
@@ -2374,7 +2374,7 @@ int bpf_sk_splice6(struct __sk_buff *skb){
 }
 /*Calculate l4 Checksum*/
 int flags = BPF_F_PSEUDO_HDR;
- bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct tcphdr, check), mv.__in46_u_origin.ip ,local_ip4->ipaddr[0], flags | 4);
+ bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct tcphdr, check), 0, l3_sum, flags);
 iph = (struct iphdr *)(skb->data + sizeof(*eth));
 if ((unsigned long)(iph + 1) > (unsigned long)skb->data_end){
 return TC_ACT_SHOT;
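Review bot: The rewritten bpf_l4_csum_replace() call passes `0` as from, `l3_sum` as to, and `flags` with no size bits set, which the helper interprets as folding a precomputed checksum difference into the field rather than replacing a 4-byte value; nothing in the hunk says so, and `l3_sum` is assigned outside it (presumably from bpf_csum_diff over the old and new L3 addresses — worth confirming at its definition). Add a comment above the call: `/* size bits of flags are 0: l3_sum is a csum diff over the pseudo-header, not a replacement value */`. The helper's return value is still ignored, and a failed replace leaves the packet with a wrong L4 checksum, so `if (bpf_l4_csum_replace(...) < 0) return TC_ACT_SHOT;` would be the safer shape. The same applies to @@ -2374 in zfw_tc_outbound_track.c; bpf_sk_splice begins and ends outside the hunk.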
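Review bot: For the UDP case the `udph->check != 0` guard handles a datagram that arrived without a checksum, but the new diff-based bpf_l4_csum_replace() call can still produce a checksum that folds to zero and store it as 0, which a receiver treats as "no checksum" for UDP over IPv4; the kernel's `BPF_F_MARK_MANGLED_0` flag makes the helper store 0xffff in that case. Proposed: `int flags = BPF_F_PSEUDO_HDR | BPF_F_MARK_MANGLED_0;` (the enclosing `!= 0` check already keeps the flag's skip-when-zero behaviour from mattering). This shape predates the commit — the old `flags | 4` call had the same gap — but the call is rewritten here, and the same applies to @@ -2630 in zfw_tc_outbound_track.c. bpf_sk_splice begins and ends outside the hunk.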
@@ -2630,7 +2630,7 @@ int bpf_sk_splice6(struct __sk_buff *skb){
 /*Calculate l4 Checksum if checksum not equal to zero*/
 if(udph->check != 0){
 int flags = BPF_F_PSEUDO_HDR;
- bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct udphdr, check), mv.__in46_u_origin.ip, iph->saddr, flags | 4);
+ bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct udphdr, check), 0, l3_sum, flags);
 iph = (struct iphdr *)(skb->data + sizeof(*eth));
 if ((unsigned long)(iph + 1) > (unsigned long)skb->data_end){
 return TC_ACT_SHOT;
diff --git a/src/zfw_tunnel_wrapper.c b/src/zfw_tunnel_wrapper.c
index e8c89bb..4355a8d 100644
--- a/src/zfw_tunnel_wrapper.c
+++ b/src/zfw_tunnel_wrapper.c
@@ -843,7 +843,7 @@ void bind_route(struct in_addr *address, unsigned short mask)
 printf("execv error: unknown error binding route");
 }else{
 int status =0;
- if(!(waitpid(pid, &status, 0) > 0)){
+ if(!(waitpid(pid, &status, 0) < 0)){
 if(WIFEXITED(status) && !WEXITSTATUS(status)){
 printf("bound %s to dev lo\n", cidr_block);
 }
@@ -870,7 +870,7 @@ void unbind_route_loopback(struct in_addr *address, unsigned short mask)
 printf("execv error: unknown error unbinding route");
 }else{
 int status =0;
- if(!(waitpid(pid, &status, 0) > 0)){
+ if(!(waitpid(pid, &status, 0) < 0)){
 if(WIFEXITED(status) && !WEXITSTATUS(status)){
 printf("unbound %s from dev lo\n", cidr_block);
 }
@@ -897,7 +897,7 @@ void unbind_route(struct in_addr *address, unsigned short mask, char *dev)
 printf("execv error: unknown error unbinding route");
 }else{
 int status =0;
- if(!(waitpid(pid, &status, 0) > 0)){
+ if(!(waitpid(pid, &status, 0) < 0)){
 if(WIFEXITED(status) && !WEXITSTATUS(status)){
 printf("unbound %s from dev %s\n", cidr_block, dev);
 }
@@ -1025,7 +1025,7 @@ void zfw_update(char *ip, char *mask, char *lowport, char *highport, char *proto
 printf("execv error: unknown error binding\n");
 }else{
 int status =0;
- if(!(waitpid(pid, &status, 0) > 0)){
+ if(!(waitpid(pid, &status, 0) < 0)){
 if(WIFEXITED(status) && !WEXITSTATUS(status)){
 printf("zfw %s action for : %s set\n", action, ip);
 }
@@ -1043,7 +1043,7 @@ bool check_diag(){
 printf("execv error: unknown error binding\n");
 }else{
 int status =0;
- if(!(waitpid(pid, &status, 0) > 0)){
+ if(!(waitpid(pid, &status, 0) < 0)){
 if(WIFEXITED(status) && !WEXITSTATUS(status)){
 printf("Diag Interface Listed!\n");
 return false;