Merge pull request #42 from netfoundry/v0.6.5-release-candidate

V0.6.5 release candidate
netfoundry · May 25, 2024 · 60b2849 · 60b2849
2 parents 1e4f3d2 + 735d69f
commit 60b2849
Show file tree

Hide file tree

Showing 5 changed files with 366 additions and 20 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,14 @@
 All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ---
+# [0.6.5] - 2024-05-24
+
+###
+
+- For ZET added ziti generated rule removal upon shutdown via zfw_tunnel_wrapper.  Wrapper will also remove any statically entered rules with tproxy_port > 0.
+- Refactored to expressly deny ssh to local interface interface if "diag ssh disable set to true" even if ebpf does not know its ip address yet.  Note this can be overridden 
+  if an explicit ssh rule exists"
+
 # [0.6.4] - 2024-05-21
 
 ###

diff --git a/README.md b/README.md
@@ -217,7 +217,8 @@ The above JSON sets up ens33 to be an internal interface (No outbound tracking)
 with outbound tracking (Default for External Interface).  It also automatically adds runs the sudo zfw -P ens33 so ens33
 (default for ExternalInterfaces) which requires -N to add inbound rules to it and will ignore rules where it is not in the interface list.
 Keys "OutboundPassThroughTrack" and "PerInterfaceRules" are shown with their default values, you only need to add them if you
-want change the default operation for the interface type.
+want change the default operation for the interface type.  Note: if ebpf is enabled on an interface before it has ip address assigned a rule assigned
+with that interface name  and -N it will not show up until at least one diag command is toggled or ebpf is disabled and re-enabled on it via -X, --set-tc-filter.
 
 #### Single Interface config with ens33 facing lan local lan
 ```

diff --git a/src/zfw.c b/src/zfw.c
@@ -181,7 +181,7 @@ char *log_file_name;
 char *object_file;
 char *direction_string;
 
-const char *argp_program_version = "0.6.4";
+const char *argp_program_version = "0.6.5";
 struct ring_buffer *ring_buffer;
 
 __u32 if_list[MAX_IF_LIST_ENTRIES];

diff --git a/src/zfw_tc_ingress.c b/src/zfw_tc_ingress.c
@@ -946,23 +946,25 @@ int bpf_sk_splice(struct __sk_buff *skb){
        return TC_ACT_OK;
     }
     /* allow ssh to local interface ip addresses */
-    if(tcp && (bpf_ntohs(tuple->ipv4.dport) == 22)){
-        if((!local_ip4 || !local_ip4->count)){
-            return TC_ACT_OK;
-        }else{
-            uint8_t addresses = 0; 
-            if(local_ip4->count < MAX_ADDRESSES){
-                addresses = local_ip4->count;
+    if(!local_diag->ssh_disable){
+        if(tcp && (bpf_ntohs(tuple->ipv4.dport) == 22)){
+            if((!local_ip4 || !local_ip4->count)){
+                return TC_ACT_OK;
             }else{
-                addresses = MAX_ADDRESSES;
-            }
-            for(int x = 0; x < addresses; x++){
-                if((tuple->ipv4.daddr == local_ip4->ipaddr[x]) && !local_diag->ssh_disable){
-                    if(local_diag->verbose && ((event.tstamp % 2) == 0)){
-                        event.proto = IPPROTO_TCP;
-                        send_event(&event);
+                uint8_t addresses = 0; 
+                if(local_ip4->count < MAX_ADDRESSES){
+                    addresses = local_ip4->count;
+                }else{
+                    addresses = MAX_ADDRESSES;
+                }
+                for(int x = 0; x < addresses; x++){
+                    if(tuple->ipv4.daddr == local_ip4->ipaddr[x]){
+                        if(local_diag->verbose && ((event.tstamp % 2) == 0)){
+                            event.proto = IPPROTO_TCP;
+                            send_event(&event);
+                        }
+                        return TC_ACT_OK;
                     }
-                    return TC_ACT_OK;
                 }
             }
         }