Merge pull request #43 from netfoundry/v0.7.0-release-candidate
V0.7.0 release candidate
r-caamano authored May 28, 2024
2 parents 60b2849 + 91c8f5c commit 8f6acc2
Showing 5 changed files with 550 additions and 66 deletions.
34 changes: 34 additions & 0 deletions CHANGELOG.md
Expand Up @@ -3,6 +3,40 @@
All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

---
# [0.7.0] - 2024-05-26

###

- Fixed issue found with Ubuntu 24.04 on Raspberry Pi where the ebpf interface was not
discovering its IP address due to some timing issue at boot. Added diag check when adding a service for
the first time via zfw_tunnel_wrapper.c to ensure IP is up when ebpf enumerates the interface.
- Fixed potential memory leak in zfw.c ringbuff monitoring
- Refactored to support add and removal of individual url based services.
Summary rules below will no longer be inserted and will be replaced with explicit host rules:
```
(removed)
0000000000000000000000 tcp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:ziti0 []
0000000000000000000000 tcp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:ziti0 []
(example new dynamic rule)
5XzC8mf1RrFO2vmfHGG5GL tcp 0.0.0.0/0 100.64.0.5/32 dpts=5201:5201 TUNMODE redirect:ziti0 []
```
A rule will also be entered for the ziti resolver ip upon the first configured hostname based service i.e.
```
0000000000000000000000 udp 0.0.0.0/0 100.64.0.2/32 dpts=53:53 TUNMODE redirect:ziti0 []
This entry will remain unless ziti-edge-tunnel is stopped and will again be reentered upon reading the first hostname based service entry
```

If wild card hostnames are used i.e. *.test.ziti then zfw will enter summary rules for the entire ziti DNS range for the specific ports defined for the service i.e.
```
0000000000000000000000 tcp 0.0.0.0/0 100.64.0.0/10 dpts=5201:5201 TUNMODE redirect:ziti0 []
0000000000000000000000 udp 0.0.0.0/0 100.64.0.0/10 dpts=5201:5201 TUNMODE redirect:ziti0 []
IMPORTANT: These entries will remain until as long as there is at least one wildcard in a service using the port/port range via cli and will not be removed by ziti service deletion. It is recommended to use single ports with wild card since the low port acts as a key and thus the first service that gets entered will dictate the range for the ports and there is only one prefix.
```


# [0.6.5] - 2024-05-24

###
44 changes: 27 additions & 17 deletions README.md
Expand Up @@ -102,21 +102,6 @@ sudo zfw -e ens33
sudo systemctl restart ziti-wrapper.service
```


Verify running: (zfw-tunnel)
```
sudo zfw -L
```
If running:
```
Assuming you are using the default address range for ziti-edge-tunnel should see output like:
service id proto origin destination mapping: interface list
---------------------- ----- --------------- ------------------ --------------------------------------------------------- ----------------
0000000000000000000000 tcp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:tun0 []
0000000000000000000000 udp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:tun0 []
```

Verify running: (zfw-router)
```
sudo zfw -L
Expand All @@ -127,7 +112,7 @@ Assuming no services configured yet:
service id proto origin destination mapping: interface list
---------------------- ----- --------------- ------------------ --------------------------------------------------------- ----------------
Rule Count: 0
Rule Count: 0 / 250000
prefix_tuple_count: 0 / 100000
```
Expand Down Expand Up @@ -275,6 +260,30 @@ After updating reboot the system
sudo reboot
```

### URL based services
Summary rules below will no longer be inserted and will be replaced with explicit host rules:
```
(removed)
0000000000000000000000 tcp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:ziti0 []
0000000000000000000000 tcp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:ziti0 []
(example new dynamic rule)
5XzC8mf1RrFO2vmfHGG5GL tcp 0.0.0.0/0 100.64.0.5/32 dpts=5201:5201 TUNMODE redirect:ziti0 []
```
A rule will also be entered for the ziti resolver ip upon the first configured hostname based service i.e.
```
0000000000000000000000 udp 0.0.0.0/0 100.64.0.2/32 dpts=53:53 TUNMODE redirect:ziti0 []
This entry will remain unless ziti-edge-tunnel is stopped and will again be reentered upon reading the first hostname based service entry
```

If wild card hostnames are used i.e. *.test.ziti then zfw will enter summary rules for the entire ziti DNS range for the specific ports defined for the service i.e.
```
0000000000000000000000 tcp 0.0.0.0/0 100.64.0.0/10 dpts=5201:5201 TUNMODE redirect:ziti0 []
0000000000000000000000 udp 0.0.0.0/0 100.64.0.0/10 dpts=5201:5201 TUNMODE redirect:ziti0 []
IMPORTANT: These entries will remain until as long as there is at least one wildcard in a service using the port/port range via cli and will not be removed by ziti service deletion. It is recommended to use single ports with wild card since the low port acts as a key and thus the first service that gets entered will dictate the range for the ports and there is only one prefix.
## Ebpf Map User Space Management
---
### User space manual configuration
Expand Down Expand Up @@ -380,7 +389,8 @@ service id proto origin destination m
0000000000000000000000 tcp 10.230.40.1/32 192.168.100.100/32 dpts=60000:65535 PASSTHRU to 192.168.100.100/32 []
FO2vmfHGG5GLvmfHGG5GLU udp 0.0.0.0/0 192.168.0.3/32 dpts=5000:10000 TPROXY redirect 127.0.0.1:59394 []
0000000000000000000000 tcp 0.0.0.0/0 192.168.100.100/32 dpts=60000:65535 PASSTHRU to 192.168.100.100/32 []
FO2vmfHGG5GLvmfHGG5GLU udp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:tun0 []
FO2vmfHGG5GLvmfHGG5GLU udp 0.0.0.0/0 100.64.0.5/10 dpts=5000:10000 TUNMODE redirect:tun0 []
0000000000000000000000 udp 0.0.0.0/0 100.64.0.2/32 dpts=53:53 TUNMODE redirect:ziti0 []
```
- Example: List rules in firewall for a given prefix and protocol. If source specific you must include the o
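--- a/src/zfw.c
+++ b/src/zfw.c
@@ -163,6 +163,7 @@ const char *ddos_dport_map_path = "/sys/fs/bpf/tc/globals/ddos_dport_map";
 const char *syn_count_map_path = "/sys/fs/bpf/tc/globals/syn_count_map";
 const char *tp_ext_map_path = "/sys/fs/bpf/tc/globals/tproxy_extension_map";
 const char *if_list_ext_map_path = "/sys/fs/bpf/tc/globals/if_list_extension_map";
+const char *wildcard_port_map_path = "/sys/fs/bpf/tc/globals/wildcard_port_map";
 const char *range_map_path = "/sys/fs/bpf/tc/globals/range_map";
 char doc[] = "zfw -- ebpf firewall configuration tool";
 const char *if_map_path;
@@ -181,7 +182,7 @@ char *log_file_name;
 char *object_file;
 char *direction_string;
 
-const char *argp_program_version = "0.6.5";
+const char *argp_program_version = "0.7.0";
 struct ring_buffer *ring_buffer;
 
 __u32 if_list[MAX_IF_LIST_ENTRIES];
@@ -496,10 +497,11 @@ void disable_ebpf()
 disable = true;
 tc = true;
 interface_tc();
-const char *maps[17] = {tproxy_map_path, diag_map_path, if_map_path, count_map_path,
+const char *maps[18] = {tproxy_map_path, diag_map_path, if_map_path, count_map_path,
 udp_map_path, matched_map_path, tcp_map_path, tun_map_path, if_tun_map_path,
-transp_map_path, rb_map_path, ddos_saddr_map_path, ddos_dport_map_path, syn_count_map_path, tp_ext_map_path, if_list_ext_map_path, range_map_path};
-for (int map_count = 0; map_count < 17; map_count++)
+transp_map_path, rb_map_path, ddos_saddr_map_path, ddos_dport_map_path, syn_count_map_path,
+tp_ext_map_path, if_list_ext_map_path, range_map_path, wildcard_port_map_path};
+for (int map_count = 0; map_count < 18; map_count++)
 {
 
 int stat = remove(maps[map_count]);
@@ -2308,7 +2310,7 @@ static int process_events(void *ctx, void *data, size_t len)
 {
 free(saddr);
 }
-if (saddr)
+if (daddr)
 {
 free(daddr);
 }
@@ -2630,10 +2632,18 @@ void range_delete_key(struct port_extension_key key)
 {
 char *saddr = nitoa(ntohl(key.src_ip));
 char *daddr = nitoa(ntohl(key.dst_ip));
-printf("cleared range_map entry: Range dest=%s/%u, source=%s/%u, protocol=%s, low_port=%u\n", daddr, key.dprefix_len, saddr,
-key.sprefix_len, key.protocol == 6 ? "tcp" : "udp" , htons(key.low_port));
-free(saddr);
-free(daddr);
+if (saddr && daddr){
+printf("cleared range_map entry: Range dest=%s/%u, source=%s/%u, protocol=%s, low_port=%u\n", daddr, key.dprefix_len, saddr,
+key.sprefix_len, key.protocol == 6 ? "tcp" : "udp" , htons(key.low_port));
+}
+if (saddr)
+{
+free(saddr);
+}
+if (daddr)
+{
+free(daddr);
+}
 }
 close(fd);
 }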
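Review bot: The pinned-map count in disable_ebpf is still hard-coded in two places (`maps[18]` and `map_count < 18`), so every new map must be counted by hand and the two numbers can drift apart, leaving the newest pin file behind after a disable; derive the bound from the array instead: `const char *maps[] = { ... };` and `for (size_t map_count = 0; map_count < sizeof maps / sizeof maps[0]; map_count++)`. In range_delete_key the new `if (saddr)` / `if (daddr)` guards around `free()` are redundant because `free(NULL)` is a no-op; only the guard in front of `printf` is needed, so `free(saddr); free(daddr);` can stay as two plain calls. Both disable_ebpf and range_delete_key begin outside their hunks, and disable_ebpf also ends outside it.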
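--- a/src/zfw_tc_ingress.c
+++ b/src/zfw_tc_ingress.c
@@ -92,6 +92,14 @@ struct port_extension_key {
 __u8 pad;
 };
 
+struct wildcard_port_key {
+__u16 low_port;
+__u8 protocol;
+__u8 pad;
+};
+
+
+
 struct range_mapping {
 __u16 high_port;
 __u16 tproxy_port;
@@ -302,6 +310,15 @@ struct {
 __uint(map_flags, BPF_F_NO_PREALLOC);
 } ifindex_ip_map SEC(".maps");
 
+struct {
+__uint(type, BPF_MAP_TYPE_HASH);
+__uint(key_size, sizeof(struct wildcard_port_key));
+__uint(value_size, sizeof(uint32_t));
+__uint(max_entries, MAX_TABLE_SIZE * 2);
+__uint(pinning, LIBBPF_PIN_BY_NAME);
+__uint(map_flags, BPF_F_NO_PREALLOC);
+} wildcard_port_map SEC(".maps");
+
 /*tun ifindex map*/
 struct {
 __uint(type, BPF_MAP_TYPE_ARRAY);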
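Review bot: `struct wildcard_port_key` is the key of a BPF_MAP_TYPE_HASH, so all four bytes, including `pad`, take part in every lookup and insert, and nothing on the new struct says so; a user-space caller that builds the key without zero-initialising it will see lookup misses or duplicate entries that are hard to diagnose. Add a comment on the struct such as `/* hash key for wildcard_port_map: zero-initialise, pad must be 0 */`, and state the byte order expected in `low_port` once confirmed against the user-space insert path (it is not visible in this hunk). The `uint32_t` value stored in `wildcard_port_map` is also undocumented; a one-line comment above the map definition naming what the value holds, in the style of the `/*tun ifindex map*/` comment just below it, would make the map self-describing. The three blank lines after the struct can collapse to one.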