Merge pull request #39 from netfoundry/v0.6.2-release-candidate
V0.6.2 release candidate
r-caamano authored May 17, 2024
2 parents 9a4e45a + 6504ba6 commit 8476993
Showing 5 changed files with 60 additions and 95 deletions.
8 changes: 8 additions & 0 deletions CHANGELOG.md
Expand Up @@ -3,6 +3,14 @@
All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

---
# [0.6.2] - 2024-05-16

###

- Reverted to only support per-interface rules if an interface ifindex is < 255. This was done to
reduce per rule memory load which can greatly increase memory requirements when dealing with 1000s or rules.
- Reverted addition of service_id as well since it also greatly increased memory requirements

# [0.6.1] - 2024-05-14

###
52 changes: 26 additions & 26 deletions README.md
Expand Up @@ -111,10 +111,10 @@ If running:
```
Assuming you are using the default address range for ziti-edge-tunnel should see output like:
service id proto origin destination mapping: interface list
---------------------- ----- --------------- ------------------ --------------------------------------------------------- ----------------
0000000000000000000000 tcp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:tun0 []
0000000000000000000000 udp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:tun0 []
target proto origin destination mapping: interface list
-------- ----- ----------------- ------------------ ------------------------------------------------------- -----------------
TUNMODE tcp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:tun0 []
TUNMODE udp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:tun0 []
```

Verify running: (zfw-router)
Expand All @@ -125,8 +125,8 @@ If running:
```
Assuming no services configured yet:
service id proto origin destination mapping: interface list
---------------------- ----- --------------- ------------------ --------------------------------------------------------- ----------------
target proto origin destination mapping: interface list
-------- ----- ----------------- ------------------ ------------------------------------------------------- -----------------
Rule Count: 0
prefix_tuple_count: 0 / 100000
Expand Down Expand Up @@ -367,19 +367,19 @@ Example: List all rules in Firewall
sudo zfw -L
```
```
service id proto origin destination mapping: interface list
---------------------- ----- --------------- ------------------ --------------------------------------------------------- ----------------
5XzC8mf1RrFO2vmfHGG5GL tcp 0.0.0.0/0 10.0.0.16/28 dpts=22:22 TPROXY redirect 127.0.0.1:33381 [ens33,lo]
5XzC8mf1RrFO2vmfHGG5GL tcp 0.0.0.0/0 10.0.0.16/28 dpts=30000:40000 TPROXY redirect 127.0.0.1:33381 []
0000000000000000000000 udp 0.0.0.0/0 172.20.1.0/24 dpts=5000:10000 TPROXY redirect 127.0.0.1:59394 []
5XzC8mf1RrFO2vmfHGG5GL tcp 0.0.0.0/0 172.16.1.0/24 dpts=22:22 TPROXY redirect 127.0.0.1:33381 []
5XzC8mf1RrFO2vmfHGG5GL tcp 0.0.0.0/0 172.16.1.0/24 dpts=30000:40000 TPROXY redirect 127.0.0.1:33381 []
0000000000000000000000 udp 0.0.0.0/0 192.168.3.0/24 dpts=5:7 PASSTHRU to 192.168.3.0/24 []
0000000000000000000000 udp 10.1.1.1/32 192.168.100.100/32 dpts=50000:60000 PASSTHRU to 192.168.100.100/32 []
0000000000000000000000 tcp 10.230.40.1/32 192.168.100.100/32 dpts=60000:65535 PASSTHRU to 192.168.100.100/32 []
FO2vmfHGG5GLvmfHGG5GLU udp 0.0.0.0/0 192.168.0.3/32 dpts=5000:10000 TPROXY redirect 127.0.0.1:59394 []
0000000000000000000000 tcp 0.0.0.0/0 192.168.100.100/32 dpts=60000:65535 PASSTHRU to 192.168.100.100/32 []
FO2vmfHGG5GLvmfHGG5GLU udp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:tun0 []
target proto origin destination mapping: interface list
------ ----- --------------- ------------------ --------------------------------------------------------- ----------------
TPROXY tcp 0.0.0.0/0 10.0.0.16/28 dpts=22:22 TPROXY redirect 127.0.0.1:33381 [ens33,lo]
TPROXY tcp 0.0.0.0/0 10.0.0.16/28 dpts=30000:40000 TPROXY redirect 127.0.0.1:33381 []
TPROXY udp 0.0.0.0/0 172.20.1.0/24 dpts=5000:10000 TPROXY redirect 127.0.0.1:59394 []
TPROXY tcp 0.0.0.0/0 172.16.1.0/24 dpts=22:22 TPROXY redirect 127.0.0.1:33381 []
TPROXY tcp 0.0.0.0/0 172.16.1.0/24 dpts=30000:40000 TPROXY redirect 127.0.0.1:33381 []
PASSTHRU udp 0.0.0.0/0 192.168.3.0/24 dpts=5:7 PASSTHRU to 192.168.3.0/24 []
PASSTHRU udp 10.1.1.1/32 192.168.100.100/32 dpts=50000:60000 PASSTHRU to 192.168.100.100/32 []
PASSTHRU tcp 10.230.40.1/32 192.168.100.100/32 dpts=60000:65535 PASSTHRU to 192.168.100.100/32 []
TPROXY udp 0.0.0.0/0 192.168.0.3/32 dpts=5000:10000 TPROXY redirect 127.0.0.1:59394 []
PASSTHRU tcp 0.0.0.0/0 192.168.100.100/32 dpts=60000:65535 PASSTHRU to 192.168.100.100/32 []
TUNMODE udp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:tun0 []
```

- Example: List rules in firewall for a given prefix and protocol. If source specific you must include the o
Expand All @@ -389,9 +389,9 @@ FO2vmfHGG5GLvmfHGG5GLU udp 0.0.0.0/0 100.64.0.0/10 d
sudo zfw -L -c 192.168.100.100 -m 32 -p udp
```
```
service id proto origin destination mapping: interface list
---------- ----- -------- ------------------ --------------------------------------------------------- ------------------
0000000000000000000000 udp 0.0.0.0/0 192.168.100.100/32 dpts=50000:60000 PASSTHRU to 192.168.100.100/32 []
target proto origin destination mapping: interface list
------ ----- -------- ------------------ --------------------------------------------------------- ------------------
PASSTHRU udp 0.0.0.0/0 192.168.100.100/32 dpts=50000:60000 PASSTHRU to 192.168.100.100/32 []
```

- Example: List rules in firewall for a given prefix
Expand All @@ -400,10 +400,10 @@ Usage: zfw -L -c <ip dest address or prefix> -m <prefix len> -p <protocol>
sudo zfw -L -c 192.168.100.100 -m 32
```
```
service id proto origin destination mapping: interface list
---------- ----- -------- ------------------ --------------------------------------------------------- ------------------
0000000000000000000000 udp 0.0.0.0/0 192.168.100.100/32 dpts=50000:60000 PASSTHRU to 192.168.100.100/32 []
0000000000000000000000 tcp 0.0.0.0/0 192.168.100.100/32 dpts=60000:65535 PASSTHRU to 192.168.100.100/32 []
target proto origin destination mapping: interface list
------ ----- -------- ------------------ --------------------------------------------------------- -------------------
PASSTHRU udp 0.0.0.0/0 192.168.100.100/32 dpts=50000:60000 PASSTHRU to 192.168.100.100/32 []
PASSTHRU tcp 0.0.0.0/0 192.168.100.100/32 dpts=60000:65535 PASSTHRU to 192.168.100.100/32 []
```
- Example: List all interface settings

67 changes: 18 additions & 49 deletions src/zfw.c
Expand Up @@ -100,7 +100,6 @@ bool interface = false;
bool disable = false;
bool all_interface = false;
bool ssh_disable = false;
bool service = false;
bool tc = false;
bool tcfilter = false;
bool direction = false;
Expand Down Expand Up @@ -166,14 +165,13 @@ char *vrrp_interface;
char *ddos_interface;
char *monitor_interface;
char *tc_interface;
char *service_string;
char *log_file_name;
char *object_file;
char *direction_string;
const char *argp_program_version = "0.6.1";
const char *argp_program_version = "0.6.2";
struct ring_buffer *ring_buffer;

__u32 if_list[MAX_IF_LIST_ENTRIES];
__u8 if_list[MAX_IF_LIST_ENTRIES];
struct interface
{
uint32_t index;
Expand Down Expand Up @@ -251,8 +249,7 @@ struct tproxy_port_mapping
__u16 low_port;
__u16 high_port;
__u16 tproxy_port;
__u32 if_list[MAX_IF_LIST_ENTRIES];
char service_id[23];
__u8 if_list[MAX_IF_LIST_ENTRIES];
};

struct tproxy_tuple
Expand Down Expand Up @@ -671,14 +668,14 @@ void print_rule(struct tproxy_key *key, struct tproxy_tuple *tuple, int *rule_co
bool entry_exists = false;
if (tun_mode && ntohs(tuple->port_mapping[tuple->index_table[x]].tproxy_port) == 65535)
{
printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTUNMODE redirect:%-15s", tuple->port_mapping[tuple->index_table[x]].service_id, proto, scidr_block, dcidr_block,
printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTUNMODE redirect:%-15s", "TUNMODE", proto, scidr_block, dcidr_block,
dpts, o_tunif.ifname);
entry_exists = true;
*rule_count += 1;
}
else if (ntohs(tuple->port_mapping[tuple->index_table[x]].tproxy_port) > 0)
{
printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTPROXY redirect 127.0.0.1:%-6d", tuple->port_mapping[tuple->index_table[x]].service_id, proto, scidr_block, dcidr_block,
printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTPROXY redirect 127.0.0.1:%-6d", "TPROXY", proto, scidr_block, dcidr_block,
dpts, ntohs(tuple->port_mapping[tuple->index_table[x]].tproxy_port));
entry_exists = true;
*rule_count += 1;
Expand Down Expand Up @@ -712,7 +709,7 @@ void print_rule(struct tproxy_key *key, struct tproxy_tuple *tuple, int *rule_co
{
if (ntohs(tuple->port_mapping[tuple->index_table[x]].tproxy_port) == 0)
{
printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\t%s to %-20s", tuple->port_mapping[tuple->index_table[x]].service_id, proto, scidr_block, dcidr_block,
printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\t%s to %-20s", "PASSTHRU", proto, scidr_block, dcidr_block,
dpts, "PASSTHRU", dcidr_block);
char interfaces[IF_NAMESIZE * MAX_IF_LIST_ENTRIES + 8] = "";
for (int i = 0; i < MAX_IF_LIST_ENTRIES; i++)
Expand Down Expand Up @@ -745,17 +742,17 @@ void print_rule(struct tproxy_key *key, struct tproxy_tuple *tuple, int *rule_co
{
if (tun_mode && ntohs(tuple->port_mapping[tuple->index_table[x]].tproxy_port) == 65535)
{
printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTUNMODE redirect:%-15s", tuple->port_mapping[tuple->index_table[x]].service_id, proto, scidr_block, dcidr_block,
printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTUNMODE redirect:%-15s", "TUNMODE", proto, scidr_block, dcidr_block,
dpts, o_tunif.ifname);
}
else if (ntohs(tuple->port_mapping[tuple->index_table[x]].tproxy_port) > 0)
{
printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTPROXY redirect 127.0.0.1:%-6d", tuple->port_mapping[tuple->index_table[x]].service_id, proto, scidr_block, dcidr_block,
printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTPROXY redirect 127.0.0.1:%-6d", "TPROXY", proto, scidr_block, dcidr_block,
dpts, ntohs(tuple->port_mapping[tuple->index_table[x]].tproxy_port));
}
else
{
printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\t%s to %-20s", tuple->port_mapping[tuple->index_table[x]].service_id, proto, scidr_block, dcidr_block,
printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\t%s to %-20s", "PASSTHRU", proto, scidr_block, dcidr_block,
dpts, "PASSTHRU", dcidr_block);
}
char interfaces[IF_NAMESIZE * MAX_IF_LIST_ENTRIES + 8] = "";
Expand Down Expand Up @@ -2308,17 +2305,6 @@ void map_insert()
port_mapping->if_list[x] = if_list[x];
}
}
/*if(service){
sprintf(port_mapping->service_id, "%s", service_string);
}else{
sprintf(port_mapping->service_id, "%s", "0000000000000000000000");
}*/
char *sid = "0000000000000000000000";
if(service){
memcpy(port_mapping->service_id, service_string, strlen(service_string) + 1);
}else{
memcpy(port_mapping->service_id, sid, strlen(sid) + 1);
}
/*
* Check result of lookup if not 0 then create a new entry
* else edit an existing entry
Expand Down Expand Up @@ -2769,8 +2755,8 @@ void map_list()
map.key = (uint64_t)&key;
map.value = (uint64_t)&orule;
int lookup = 0;
printf("%-22s\t%-3s\t%-20s\t%-32s%-24s\t\t\t\t%-32s\n", "service id", "proto", "origin", "destination", "mapping:", " interface list");
printf("----------------------\t-----\t-----------------\t------------------\t\t-------------------------------------------------------\t-----------------\n");
printf("%-8s\t%-3s\t%-20s\t%-32s%-24s\t\t\t\t%-32s\n", "target", "proto", "origin", "destination", "mapping:", " interface list");
printf("--------\t-----\t-----------------\t------------------\t\t-------------------------------------------------------\t-----------------\n");
int rule_count = 0;
if (prot)
{
Expand All @@ -2797,8 +2783,8 @@ void map_list()
printf("Rule Count: %d\n", rule_count);
if (x == 0)
{
printf("%-22s\t%-3s\t%-20s\t%-32s%-24s\t\t\t\t%-32s\n", "service id", "proto", "origin", "destination", "mapping:", " interface list");
printf("----------------------\t-----\t-----------------\t------------------\t\t-------------------------------------------------------\t-----------------\n");
printf("%-8s\t%-3s\t%-20s\t%-32s%-24s\t\t\t\t%-32s\n", "target", "proto", "origin", "destination", "mapping:", " interface list");
printf("--------\t-----\t-----------------\t------------------\t\t-------------------------------------------------------\t-----------------\n");
}
}
}
Expand Down Expand Up @@ -2987,8 +2973,8 @@ void map_list_all()
map.value = (uint64_t)&orule;
int lookup = 0;
int ret = 0;
printf("%-22s\t%-3s\t%-20s\t%-32s%-24s\t\t\t\t%-32s\n", "service id", "proto", "origin", "destination", "mapping:", " interface list");
printf("----------------------\t-----\t-----------------\t------------------\t\t-------------------------------------------------------\t-----------------\n");
printf("%-8s\t%-3s\t%-20s\t%-32s%-24s\t\t\t\t%-32s\n", "target", "proto", "origin", "destination", "mapping:", " interface list");
printf("--------\t-----\t-----------------\t------------------\t\t-------------------------------------------------------\t-----------------\n");
int rule_count = 0;
while (true)
{
Expand Down Expand Up @@ -3044,7 +3030,6 @@ static struct argp_option options[] = {
{"oprefix-len", 'n', "", 0, "Set origin prefix length (1-32) <mandatory for insert/delete/list >", 0},
{"ocidr-block", 'o', "", 0, "Set origin ip prefix i.e. 192.168.1.0 <mandatory for insert/delete/list>", 0},
{"protocol", 'p', "", 0, "Set protocol (tcp or udp) <mandatory insert/delete>", 0},
{"service-id", 's', "", 0, "set ziti service id", 0},
{"route", 'r', NULL, 0, "Add or Delete static ip/prefix for intercept dest to lo interface <optional insert/delete>", 0},
{"tproxy-port", 't', "", 0, "Set high-port value (0-65535)> <mandatory for insert>", 0},
{"verbose", 'v', "", 0, "Enable verbose tracing on interface", 0},
Expand Down Expand Up @@ -3117,9 +3102,11 @@ static error_t parse_opt(int key, char *arg, struct argp_state *state)
}
if (ifcount < MAX_IF_LIST_ENTRIES)
{
if ((idx > 0) && (idx < UINT32_MAX))
if ((idx > 0) && (idx < MAX_IF_ENTRIES))
{
if_list[ifcount] = idx;
}else{
printf("A rule can be assigned to interfaces with ifindex 1 - %d\n", MAX_IF_ENTRIES-1);
}
}
else
Expand Down Expand Up @@ -3360,20 +3347,6 @@ static error_t parse_opt(int key, char *arg, struct argp_state *state)
case 'r':
route = true;
break;
case 's':
if (!strlen(arg))
{
fprintf(stderr, "service id required as arg to -s, --service-id: %s\n", arg);
fprintf(stderr, "%s --help for more info\n", program_name);
exit(1);
}
if(strlen(arg) > 22){
printf("Invalid service ID: ID too long\n");
exit(1);
}
service = true;
service_string = arg;
break;
case 't':
tproxy_port = port2s(arg);
tpt = true;
Expand Down Expand Up @@ -3638,10 +3611,6 @@ int main(int argc, char **argv)
signal(SIGTERM, INThandler);
argp_parse(&argp, argc, argv, 0, 0, 0);

if(service && (!add && !delete)){
usage("-s, --service-id requires -I, --insert or -D, --delete");
}

if (tcfilter && !object && !disable)
{
usage("-X, --set-tc-filter requires -O, --object-file for add operation");
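Review bot: In parse_opt, the new `else` branch for an out-of-range ifindex prints its message to stdout and then lets option processing continue, so the rule appears to go ahead with that `if_list` slot left at whatever it held before; what happens to `ifcount` after the branch is outside the hunk, so confirm it is not advanced past an entry that was never written. Invalid arguments elsewhere in this file are treated as fatal, so this branch should match that convention: `fprintf(stderr, "A rule can be assigned to interfaces with ifindex 1 - %d\n", MAX_IF_ENTRIES-1); exit(1);`. The narrowing of `if_list` to `__u8` (here and in the `struct tproxy_port_mapping` hunk) is only correct while MAX_IF_ENTRIES stays at or below 256, and nothing ties the two together; a `_Static_assert(MAX_IF_ENTRIES <= 256, "if_list entries are __u8");` beside the `if_list` declaration would make that assumption explicit. The CHANGELOG describes the limit as ifindex < 255 while this message advertises 1 - MAX_IF_ENTRIES-1; whichever bound is intended, the two should agree.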
11 changes: 1 addition & 10 deletions src/zfw_tc_ingress.c
Expand Up @@ -71,8 +71,7 @@ struct tproxy_port_mapping {
__u16 low_port;
__u16 high_port;
__u16 tproxy_port;
__u32 if_list[MAX_IF_LIST_ENTRIES];
char service_id[23];
__u8 if_list[MAX_IF_LIST_ENTRIES];
};

struct tproxy_tuple {
Expand Down Expand Up @@ -237,14 +236,6 @@ struct {
__uint(map_flags, BPF_F_NO_PREALLOC);
} zet_transp_map SEC(".maps");

/*struct {
__uint(type, BPF_MAP_TYPE_ARRAY);
__uint(key_size, sizeof(uint32_t));
__uint(value_size,sizeof(uint32_t));
__uint(max_entries, 1);
__uint(pinning, LIBBPF_PIN_BY_NAME);
} syn_count_map SEC(".maps");*/

struct {
__uint(type, BPF_MAP_TYPE_HASH);
__uint(key_size, sizeof(uint32_t));
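Review bot: The `__u8 if_list[MAX_IF_LIST_ENTRIES]` field in `struct tproxy_port_mapping` is the map value layout shared with src/zfw.c, and nothing on the struct records that its entries are ifindex values that only fit in a byte because user space rejects indexes at or above MAX_IF_ENTRIES; a comment such as `/* ifindex per entry, 0 = unused; must stay < MAX_IF_ENTRIES (range-checked at insert time in zfw.c) */` would keep the two sides from drifting. Wherever this program compares `if_list[x]` against `skb->ifindex` (outside the hunk), the comparison must promote the `__u8` rather than narrow the ifindex, otherwise a rule bound to one interface could match an unrelated one; worth confirming now that the width changed. The change also alters the map's value size, so loading the new program against maps pinned by a 0.6.1 build would see an incompatible layout — I can't tell from here whether the loader guards against that.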
