Merge pull request #32 from netfoundry/v0.5.15-release-candidate

V0.5.15 release candidate
netfoundry · Apr 24, 2024 · 778074e · 778074e
2 parents bce37bb + 823a6e4
commit 778074e
Show file tree

Hide file tree

Showing 4 changed files with 1,098 additions and 387 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,17 @@
 All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ---
+# [0.5.15] - 2024-04-12
+
+###
+
+- Added map to track tcp syn count for packets sent to the firewall ip address on port 443.
+- Ddos protection is meant for the FW host accept/deny logic was moved to first bpf program. 
+- ddos dport map was created to specify ports to be protected when an interface is in 
+  ddos_protect mode.
+- ddos saddr map was created to specify whitelisted IP addresses to be allowed to reach protected ports
+  when an interface is in ddos_protect mode.
+
 # [0.5.14] - 2024-04-02
 
 ###

diff --git a/files/scripts/start_ebpf_controller.py b/files/scripts/start_ebpf_controller.py
@@ -62,6 +62,7 @@ def add_link_listener_rules(lan_ip, lan_mask):
                                                 port = addr_array[-1].strip()
                                                 if((int(port) > 0) and (addr_array[0] == 'tls')):
                                                     os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0  -p tcp') 
+                                                    os.system('/opt/openziti/bin/zfw --ddos-dport-add ' + port)
                                             except Exception as e:
                                                 print(e) 
                                                 pass
@@ -85,6 +86,7 @@ def add_controller_edge_listener_rules(lan_ip, lan_mask):
                                         port = addr_array[-1].strip()
                                         if((int(port) > 0)):
                                             os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0  -p tcp')
+                                            os.system('/opt/openziti/bin/zfw --ddos-dport-add ' + port)
                                     except Exception as e:
                                         print(e)
                                         pass
@@ -107,6 +109,7 @@ def add_controller_ctrl_listener_rules(lan_ip, lan_mask):
                                     port = addr_array[-1].strip()
                                     if((int(port) > 0) and (addr_array[0] == 'tls')):
                                         os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0  -p tcp')
+                                        os.system('/opt/openziti/bin/zfw --ddos-dport-add ' + port)
                                 except Exception as e:
                                     print(e)
                                     pass
@@ -161,6 +164,7 @@ def add_controller_port_forwarding_rule(lan_ip, lan_mask):
     if(not test):
         port = "80"
         os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0  -p tcp')
+        os.system('/opt/openziti/bin/zfw --ddos-dport-add ' + port)
     else:
         print("Port forwarding rul not found")