├── .github └── workflows │ ├── ci.yml │ ├── pr.yml │ └── release.yml ├── BUILD.md ├── CHANGELOG.md ├── LICENSE ├── README.md ├── files ├── bin │ └── .gitkeep ├── json │ └── ebpf_config.json.sample ├── scripts │ ├── revert_ebpf_controller.py │ ├── revert_ebpf_router.py │ ├── set_xdp_redirect.py │ ├── start_ebpf_controller.py │ ├── start_ebpf_router.py │ ├── start_ebpf_tunnel.py │ ├── user_rules.sh.sample │ ├── zfw_refresh │ └── zfwlogs └── services │ ├── fw-init.service │ ├── zfw-logging.service │ ├── ziti-fw-init.service │ └── ziti-wrapper.service └── src ├── Makefile ├── install.sh ├── zfw.c ├── zfw_monitor.c ├── zfw_tc_ingress.c ├── zfw_tc_outbound_track.c ├── zfw_tunnel_wrapper.c └── zfw_xdp_tun_ingress.c /.github/workflows/ci.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: ci 3 | 4 | on: 5 | push: 6 | branches: 7 | - '*' 8 | - '!main' 9 | 10 | env: 11 | APP_NAME: 'zfw' 12 | MAINTAINER: 'Robert Caamano' 13 | DESC: 'An ebpf based statefull fw for openziti edge-routers and tunnelers' 14 | 15 | jobs: 16 | build_amd64_release: 17 | runs-on: ubuntu-22.04 18 | outputs: 19 | version: ${{ steps.version.outputs.version }} 20 | strategy: 21 | matrix: 22 | goos: [linux] 23 | ziti_type: [tunnel, router] 24 | goarch: [amd64] 25 | steps: 26 | - name: Check out code 27 | uses: actions/checkout@v4 28 | 29 | - name: Install EBPF Packages 30 | run: | 31 | sudo apt-get update -qq 32 | sudo apt-get upgrade -yqq 33 | sudo apt-get install -y jq gcc clang libc6-dev-i386 libbpfcc-dev libbpf-dev libjson-c-dev alien 34 | 35 | - name: Compile Object file from Source 36 | run: | 37 | git clone https://github.com/libbpf/libbpf.git 38 | cd libbpf/src 39 | mkdir build root 40 | BUILD_STATIC_ONLY=y OBJDIR=build DESTDIR=root make install 41 | cd ../../ 42 | clang -D BPF_MAX_ENTRIES=100000 -g -O2 -Wall -Wextra -target bpf -c -o files/bin/zfw_tc_ingress.o src/zfw_tc_ingress.c 43 | clang -g -O2 -Wall -Wextra -target bpf -c -o files/bin/zfw_xdp_tun_ingress.o src/zfw_xdp_tun_ingress.c 44 | clang -D BPF_MAX_ENTRIES=100000 -g -O2 -Wall -Wextra -target bpf -c -o files/bin/zfw_tc_outbound_track.o src/zfw_tc_outbound_track.c 45 | clang -g -O2 -Wall -D BPF_MAX_ENTRIES=100000 -O1 src/zfw.c -L ../../libbpf/src/root/usr/lib64/ -lbpf -lelf -lz -o files/bin/zfw -static 46 | clang -g -O2 -Wall -O1 src/zfw_monitor.c -L ../../libbpf/src/root/usr/lib64/ -lbpf -lelf -lz -o files/bin/zfw_monitor -static 47 | gcc -o files/bin/zfw_tunnwrapper src/zfw_tunnel_wrapper.c -l json-c 48 | 49 | - name: Get version 50 | run: echo "version=`files/bin/zfw -V`" >> $GITHUB_OUTPUT 51 | id: version 52 | 53 | - name: Deb directory 54 | run: echo "deb_dir=${{ env.APP_NAME }}-${{ matrix.ziti_type }}_${{ steps.version.outputs.version }}_${{ matrix.goarch }}" >> $GITHUB_OUTPUT 55 | id: deb_dir 56 | 57 | - name: Deb Object File 58 | run: | 59 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN 60 | touch ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 61 | echo Package: ${{ env.APP_NAME }}-${{ matrix.ziti_type }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 62 | echo Version: ${{ steps.version.outputs.version }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 63 | echo Architecture: ${{ matrix.goarch }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 64 | echo Maintainer: ${{ env.MAINTAINER }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 65 | echo Description: ${{ env.DESC }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 66 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user 67 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc 68 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system 69 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin 70 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d 71 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d 72 | cp -p CHANGELOG.md ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 73 | cp -p README.md ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 74 | cp -p LICENSE ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 75 | cp -p files/bin/zfw_tc_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 76 | cp -p files/bin/zfw_tc_outbound_track.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 77 | cp -p files/bin/zfw_xdp_tun_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 78 | cp -p files/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 79 | cp -p files/bin/zfw_monitor ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 80 | cp -p files/scripts/start_ebpf_${{ matrix.ziti_type }}.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 81 | cp -p files/scripts/user_rules.sh.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/ 82 | cp -p files/scripts/zfwlogs ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d/ 83 | cp -p files/scripts/zfw_refresh ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d/ 84 | cp -p files/json/ebpf_config.json.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc/ 85 | cp -p files/services/zfw-logging.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ 86 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw 87 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_monitor 88 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py 89 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/user_rules.sh.sample 90 | chmod 644 ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d/zfw_refresh 91 | ln -s /opt/openziti/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw 92 | ln -s /opt/openziti/bin/zfw_monitor ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw_monitor 93 | 94 | - name: Set Deb Predepends 95 | if: ${{ matrix.ziti_type == 'tunnel' }} 96 | run: | 97 | echo 'Pre-Depends: ziti-edge-tunnel (>= 0.22.5)' >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 98 | cp -p files/services/ziti-fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ 99 | cp -p files/services/ziti-wrapper.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ 100 | cp -p files/bin/zfw_tunnwrapper ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 101 | cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 102 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_tunnwrapper 103 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py 104 | 105 | - name: Standalone FW service and router revert 106 | if: ${{ matrix.ziti_type == 'router' }} 107 | run: | 108 | cp -p files/services/fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ 109 | cp -p files/scripts/revert_ebpf_router.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 110 | cp -p files/scripts/start_ebpf_controller.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 111 | cp -p files/scripts/revert_ebpf_controller.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 112 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/revert_ebpf_router.py 113 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_controller.py 114 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/revert_ebpf_controller.py 115 | 116 | - name: Build Deb package 117 | run: | 118 | dpkg-deb --build -Z gzip --root-owner-group ${{ steps.deb_dir.outputs.deb_dir }} 119 | 120 | - name: Build rpm package 121 | run: | 122 | sudo alien -r ${{ steps.deb_dir.outputs.deb_dir }}.deb 123 | mv ${{ env.APP_NAME }}-${{ matrix.ziti_type }}-${{ steps.version.outputs.version }}-2.x86_64.rpm ${{ env.APP_NAME }}-${{ matrix.ziti_type }}-${{ steps.version.outputs.version }}.x86_64.rpm 124 | 125 | - uses: actions/upload-artifact@v4 126 | with: 127 | name: artifact-${{ matrix.ziti_type }}-${{ matrix.goarch }}-deb 128 | path: | 129 | ./*.deb 130 | 131 | - uses: actions/upload-artifact@v4 132 | with: 133 | name: artifact-${{ matrix.ziti_type }}-${{ matrix.goarch }}-rpm 134 | path: | 135 | ./*.rpm 136 | 137 | 138 | build_arm64_release: 139 | runs-on: [self-hosted, linux, ARM64] 140 | outputs: 141 | version: ${{ steps.version.outputs.version }} 142 | strategy: 143 | matrix: 144 | goos: [linux] 145 | ziti_type: [tunnel, router] 146 | goarch: [arm64] 147 | steps: 148 | - name: Check out code 149 | uses: actions/checkout@v4 150 | 151 | - name: Install EBPF Packages 152 | run: | 153 | sudo apt-get update -qq 154 | sudo apt-get upgrade -yqq 155 | sudo apt-get install -y jq gcc clang libbpfcc-dev libbpf-dev libjson-c-dev 156 | sudo apt-get install -y linux-headers-$(uname -r) 157 | 158 | - name: Compile Object file from Source 159 | run: | 160 | git clone https://github.com/libbpf/libbpf.git 161 | cd libbpf/src 162 | mkdir build root 163 | BUILD_STATIC_ONLY=y OBJDIR=build DESTDIR=root make install 164 | cd ../../ 165 | clang -D BPF_MAX_ENTRIES=100000 -g -O2 -Wall -I /usr/include/aarch64-linux-gnu/ -Wextra -target bpf -c -o files/bin/zfw_tc_ingress.o src/zfw_tc_ingress.c 166 | clang -g -O2 -Wall -I /usr/include/aarch64-linux-gnu/ -Wextra -target bpf -c -o files/bin/zfw_xdp_tun_ingress.o src/zfw_xdp_tun_ingress.c 167 | clang -D BPF_MAX_ENTRIES=100000 -g -O2 -Wall -I /usr/include/aarch64-linux-gnu/ -Wextra -target bpf -c -o files/bin/zfw_tc_outbound_track.o src/zfw_tc_outbound_track.c 168 | clang -g -O2 -Wall -I /usr/include/aarch64-linux-gnu/ -D BPF_MAX_ENTRIES=100000 -O1 src/zfw.c -L ../../libbpf/src/root/usr/lib64/ -lbpf -lelf -lz -o files/bin/zfw -static 169 | clang -g -O2 -Wall -I /usr/include/aarch64-linux-gnu/ -O1 src/zfw_monitor.c -L ../../libbpf/src/root/usr/lib64/ -lbpf -lelf -lz -o files/bin/zfw_monitor -static 170 | gcc -o files/bin/zfw_tunnwrapper src/zfw_tunnel_wrapper.c -l json-c 171 | 172 | - name: Get version 173 | run: echo "version=`files/bin/zfw -V`" >> $GITHUB_OUTPUT 174 | id: version 175 | 176 | - name: Deb directory 177 | run: echo "deb_dir=${{ env.APP_NAME }}-${{ matrix.ziti_type }}_${{ steps.version.outputs.version }}_${{ matrix.goarch }}" >> $GITHUB_OUTPUT 178 | id: deb_dir 179 | 180 | - name: Deb artifact directory setup 181 | run: | 182 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN 183 | touch ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 184 | echo Package: ${{ env.APP_NAME }}-${{ matrix.ziti_type }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 185 | echo Version: ${{ steps.version.outputs.version }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 186 | echo Architecture: ${{ matrix.goarch }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 187 | echo Maintainer: ${{ env.MAINTAINER }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 188 | echo Description: ${{ env.DESC }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 189 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user 190 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc 191 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system 192 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin 193 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d 194 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d 195 | cp -p CHANGELOG.md ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 196 | cp -p README.md ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 197 | cp -p LICENSE ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 198 | cp -p files/bin/zfw_tc_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 199 | cp -p files/bin/zfw_tc_outbound_track.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 200 | cp -p files/bin/zfw_xdp_tun_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 201 | cp -p files/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 202 | cp -p files/bin/zfw_monitor ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 203 | cp -p files/scripts/start_ebpf_${{ matrix.ziti_type }}.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 204 | cp -p files/scripts/user_rules.sh.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/ 205 | cp -p files/scripts/zfwlogs ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d/ 206 | cp -p files/scripts/zfw_refresh ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d/ 207 | cp -p files/json/ebpf_config.json.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc/ 208 | cp -p files/services/zfw-logging.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ 209 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw 210 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_monitor 211 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py 212 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/user_rules.sh.sample 213 | chmod 644 ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d/zfw_refresh 214 | ln -s /opt/openziti/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw 215 | ln -s /opt/openziti/bin/zfw_monitor ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw_monitor 216 | 217 | - name: Set Deb Predepends 218 | if: ${{ matrix.ziti_type == 'tunnel' }} 219 | run: | 220 | echo 'Pre-Depends: ziti-edge-tunnel (>= 0.22.5)' >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 221 | cp -p files/services/ziti-fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ 222 | cp -p files/services/ziti-wrapper.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ 223 | cp -p files/bin/zfw_tunnwrapper ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 224 | cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 225 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_tunnwrapper 226 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py 227 | 228 | - name: Standalone FW service and router revert 229 | if: ${{ matrix.ziti_type == 'router' }} 230 | run: | 231 | cp -p files/services/fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ 232 | cp -p files/scripts/revert_ebpf_router.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 233 | cp -p files/scripts/start_ebpf_controller.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 234 | cp -p files/scripts/revert_ebpf_controller.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 235 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/revert_ebpf_router.py 236 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_controller.py 237 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/revert_ebpf_controller.py 238 | 239 | - name: Build deb package 240 | run: | 241 | dpkg-deb --build -Z gzip --root-owner-group ${{ steps.deb_dir.outputs.deb_dir }} 242 | 243 | - uses: actions/upload-artifact@v4 244 | with: 245 | name: artifact-${{ matrix.ziti_type }}-${{ matrix.goarch }}-deb 246 | path: | 247 | ./*.deb 248 | -------------------------------------------------------------------------------- /.github/workflows/pr.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: pr 3 | 4 | on: 5 | pull_request: 6 | types: [opened, synchronize] 7 | 8 | env: 9 | APP_NAME: 'zfw' 10 | MAINTAINER: 'Robert Caamano' 11 | DESC: 'An ebpf based statefull fw for openziti edge-routers and tunnelers' 12 | ROUTER_PREFIX: 'zfw-er' 13 | NF_NETWORK_NAME: 'dariuszdev02' 14 | TF_VAR_test_iterate_count: ${{ fromJSON(vars.TEST_ITERATE_COUNT) }} 15 | TF_VAR_github_pt: ${{ secrets.PAT }} 16 | NF_API_CLIENT_ID: "${{ secrets.NF_API_CLIENT_ID }}" 17 | NF_API_CLIENT_SECRET: "${{ secrets.NF_API_CLIENT_SECRET }}" 18 | 19 | jobs: 20 | build_amd64_release: 21 | runs-on: ubuntu-22.04 22 | outputs: 23 | version: ${{ steps.version.outputs.version }} 24 | strategy: 25 | matrix: 26 | goos: [linux] 27 | ziti_type: [tunnel, router] 28 | goarch: [amd64] 29 | steps: 30 | - name: Check out code 31 | uses: actions/checkout@v4 32 | 33 | - name: Install EBPF Packages 34 | run: | 35 | sudo apt-get update -qq 36 | sudo apt-get upgrade -yqq 37 | sudo apt-get install -y jq gcc clang libc6-dev-i386 libbpfcc-dev libbpf-dev libjson-c-dev alien 38 | 39 | - name: Compile Object file from Source 40 | run: | 41 | git clone https://github.com/libbpf/libbpf.git 42 | cd libbpf/src 43 | mkdir build root 44 | BUILD_STATIC_ONLY=y OBJDIR=build DESTDIR=root make install 45 | cd ../../ 46 | clang -D BPF_MAX_ENTRIES=100000 -g -O2 -Wall -Wextra -target bpf -c -o files/bin/zfw_tc_ingress.o src/zfw_tc_ingress.c 47 | clang -g -O2 -Wall -Wextra -target bpf -c -o files/bin/zfw_xdp_tun_ingress.o src/zfw_xdp_tun_ingress.c 48 | clang -D BPF_MAX_ENTRIES=100000 -g -O2 -Wall -Wextra -target bpf -c -o files/bin/zfw_tc_outbound_track.o src/zfw_tc_outbound_track.c 49 | clang -g -O2 -Wall -D BPF_MAX_ENTRIES=100000 -O1 src/zfw.c -L ../../libbpf/src/root/usr/lib64/ -lbpf -lelf -lz -o files/bin/zfw -static 50 | clang -g -O2 -Wall -O1 src/zfw_monitor.c -L ../../libbpf/src/root/usr/lib64/ -lbpf -lelf -lz -o files/bin/zfw_monitor -static 51 | gcc -o files/bin/zfw_tunnwrapper src/zfw_tunnel_wrapper.c -l json-c 52 | 53 | - name: Get version 54 | run: echo "version=`files/bin/zfw -V`" >> $GITHUB_OUTPUT 55 | id: version 56 | 57 | - name: Deb directory 58 | run: echo "deb_dir=${{ env.APP_NAME }}-${{ matrix.ziti_type }}_${{ steps.version.outputs.version }}_${{ matrix.goarch }}" >> $GITHUB_OUTPUT 59 | id: deb_dir 60 | 61 | - name: Deb Object File 62 | run: | 63 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN 64 | touch ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 65 | echo Package: ${{ env.APP_NAME }}-${{ matrix.ziti_type }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 66 | echo Version: ${{ steps.version.outputs.version }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 67 | echo Architecture: ${{ matrix.goarch }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 68 | echo Maintainer: ${{ env.MAINTAINER }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 69 | echo Description: ${{ env.DESC }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 70 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user 71 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc 72 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system 73 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin 74 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d 75 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d 76 | cp -p CHANGELOG.md ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 77 | cp -p README.md ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 78 | cp -p LICENSE ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 79 | cp -p files/bin/zfw_tc_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 80 | cp -p files/bin/zfw_tc_outbound_track.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 81 | cp -p files/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 82 | cp -p files/bin/zfw_monitor ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 83 | cp -p files/scripts/start_ebpf_${{ matrix.ziti_type }}.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 84 | cp -p files/scripts/user_rules.sh.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/ 85 | cp -p files/scripts/zfwlogs ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d/ 86 | cp -p files/scripts/zfw_refresh ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d/ 87 | cp -p files/json/ebpf_config.json.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc/ 88 | cp -p files/services/zfw-logging.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ 89 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw 90 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_monitor 91 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py 92 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/user_rules.sh.sample 93 | chmod 644 ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d/zfw_refresh 94 | ln -s /opt/openziti/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw 95 | ln -s /opt/openziti/bin/zfw_monitor ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw_monitor 96 | 97 | - name: Set Deb Predepends 98 | if: ${{ matrix.ziti_type == 'tunnel' }} 99 | run: | 100 | echo 'Pre-Depends: ziti-edge-tunnel (>= 0.22.5)' >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 101 | cp -p files/services/ziti-fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ 102 | cp -p files/services/ziti-wrapper.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ 103 | cp -p files/bin/zfw_tunnwrapper ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 104 | cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 105 | cp -p files/bin/zfw_xdp_tun_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 106 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_tunnwrapper 107 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py 108 | 109 | - name: Standalone FW service and router revert 110 | if: ${{ matrix.ziti_type == 'router' }} 111 | run: | 112 | cp -p files/services/fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ 113 | cp -p files/scripts/revert_ebpf_router.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 114 | cp -p files/scripts/start_ebpf_controller.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 115 | cp -p files/scripts/revert_ebpf_controller.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 116 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/revert_ebpf_router.py 117 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_controller.py 118 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/revert_ebpf_controller.py 119 | 120 | - name: Build Deb package 121 | run: | 122 | dpkg-deb --build -Z gzip --root-owner-group ${{ steps.deb_dir.outputs.deb_dir }} 123 | 124 | - name: Build rpm package 125 | run: | 126 | sudo alien -r ${{ steps.deb_dir.outputs.deb_dir }}.deb 127 | mv ${{ env.APP_NAME }}-${{ matrix.ziti_type }}-${{ steps.version.outputs.version }}-2.x86_64.rpm ${{ env.APP_NAME }}-${{ matrix.ziti_type }}-${{ steps.version.outputs.version }}.x86_64.rpm 128 | 129 | - uses: actions/upload-artifact@v4 130 | with: 131 | name: artifact-${{ matrix.ziti_type }}-${{ matrix.goarch }}-deb 132 | path: | 133 | ./*.deb 134 | 135 | - uses: actions/upload-artifact@v4 136 | with: 137 | name: artifact-${{ matrix.ziti_type }}-${{ matrix.goarch }}-rpm 138 | path: | 139 | ./*.rpm 140 | 141 | 142 | build_arm64_release: 143 | runs-on: [self-hosted, linux, ARM64] 144 | outputs: 145 | version: ${{ steps.version.outputs.version }} 146 | strategy: 147 | matrix: 148 | goos: [linux] 149 | ziti_type: [tunnel, router] 150 | goarch: [arm64] 151 | steps: 152 | - name: Check out code 153 | uses: actions/checkout@v4 154 | 155 | - name: Install EBPF Packages 156 | run: | 157 | sudo apt-get update -qq 158 | sudo apt-get upgrade -yqq 159 | sudo apt-get install -y jq gcc clang libbpfcc-dev libbpf-dev libjson-c-dev 160 | sudo apt-get install -y linux-headers-$(uname -r) 161 | 162 | - name: Compile Object file from Source 163 | run: | 164 | git clone https://github.com/libbpf/libbpf.git 165 | cd libbpf/src 166 | mkdir build root 167 | BUILD_STATIC_ONLY=y OBJDIR=build DESTDIR=root make install 168 | cd ../../ 169 | clang -D BPF_MAX_ENTRIES=100000 -g -O2 -Wall -I /usr/include/aarch64-linux-gnu/ -Wextra -target bpf -c -o files/bin/zfw_tc_ingress.o src/zfw_tc_ingress.c 170 | clang -g -O2 -Wall -I /usr/include/aarch64-linux-gnu/ -Wextra -target bpf -c -o files/bin/zfw_xdp_tun_ingress.o src/zfw_xdp_tun_ingress.c 171 | clang -D BPF_MAX_ENTRIES=100000 -g -O2 -Wall -I /usr/include/aarch64-linux-gnu/ -Wextra -target bpf -c -o files/bin/zfw_tc_outbound_track.o src/zfw_tc_outbound_track.c 172 | clang -g -O2 -Wall -I /usr/include/aarch64-linux-gnu/ -D BPF_MAX_ENTRIES=100000 -O1 src/zfw.c -L ../../libbpf/src/root/usr/lib64/ -lbpf -lelf -lz -o files/bin/zfw -static 173 | clang -g -O2 -Wall -I /usr/include/aarch64-linux-gnu/ -O1 src/zfw_monitor.c -L ../../libbpf/src/root/usr/lib64/ -lbpf -lelf -lz -o files/bin/zfw_monitor -static 174 | gcc -o files/bin/zfw_tunnwrapper src/zfw_tunnel_wrapper.c -l json-c 175 | 176 | - name: Get version 177 | run: echo "version=`files/bin/zfw -V`" >> $GITHUB_OUTPUT 178 | id: version 179 | 180 | - name: Deb directory 181 | run: echo "deb_dir=${{ env.APP_NAME }}-${{ matrix.ziti_type }}_${{ steps.version.outputs.version }}_${{ matrix.goarch }}" >> $GITHUB_OUTPUT 182 | id: deb_dir 183 | 184 | - name: Deb artifact directory setup 185 | run: | 186 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN 187 | touch ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 188 | echo Package: ${{ env.APP_NAME }}-${{ matrix.ziti_type }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 189 | echo Version: ${{ steps.version.outputs.version }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 190 | echo Architecture: ${{ matrix.goarch }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 191 | echo Maintainer: ${{ env.MAINTAINER }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 192 | echo Description: ${{ env.DESC }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 193 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user 194 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc 195 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system 196 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin 197 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d 198 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d 199 | cp -p CHANGELOG.md ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 200 | cp -p README.md ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 201 | cp -p LICENSE ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 202 | cp -p files/bin/zfw_tc_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 203 | cp -p files/bin/zfw_tc_outbound_track.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 204 | cp -p files/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 205 | cp -p files/bin/zfw_monitor ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 206 | cp -p files/scripts/start_ebpf_${{ matrix.ziti_type }}.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 207 | cp -p files/scripts/user_rules.sh.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/ 208 | cp -p files/scripts/zfwlogs ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d/ 209 | cp -p files/scripts/zfw_refresh ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d/ 210 | cp -p files/json/ebpf_config.json.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc/ 211 | cp -p files/services/zfw-logging.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ 212 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw 213 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_monitor 214 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py 215 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/user_rules.sh.sample 216 | chmod 644 ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d/zfw_refresh 217 | ln -s /opt/openziti/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw 218 | ln -s /opt/openziti/bin/zfw_monitor ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw_monitor 219 | 220 | - name: Set Deb Predepends 221 | if: ${{ matrix.ziti_type == 'tunnel' }} 222 | run: | 223 | echo 'Pre-Depends: ziti-edge-tunnel (>= 0.22.5)' >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 224 | cp -p files/services/ziti-fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ 225 | cp -p files/services/ziti-wrapper.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ 226 | cp -p files/bin/zfw_tunnwrapper ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 227 | cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 228 | cp -p files/bin/zfw_xdp_tun_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 229 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_tunnwrapper 230 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py 231 | 232 | - name: Standalone FW service and router revert 233 | if: ${{ matrix.ziti_type == 'router' }} 234 | run: | 235 | cp -p files/services/fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ 236 | cp -p files/scripts/revert_ebpf_router.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 237 | cp -p files/scripts/start_ebpf_controller.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 238 | cp -p files/scripts/revert_ebpf_controller.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 239 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/revert_ebpf_router.py 240 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_controller.py 241 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/revert_ebpf_controller.py 242 | 243 | - name: Build deb package 244 | run: | 245 | dpkg-deb --build -Z gzip --root-owner-group ${{ steps.deb_dir.outputs.deb_dir }} 246 | 247 | - uses: actions/upload-artifact@v4 248 | with: 249 | name: artifact-${{ matrix.ziti_type }}-${{ matrix.goarch }}-deb 250 | path: | 251 | ./*.deb 252 | 253 | 254 | regression_test: 255 | needs: [build_amd64_release, build_arm64_release] 256 | runs-on: ubuntu-22.04 257 | permissions: 258 | contents: read 259 | id-token: write 260 | steps: 261 | - 262 | name: Checkout 263 | uses: actions/checkout@v4 264 | with: 265 | repository: netfoundry/cloud-network-lb-ingress 266 | - 267 | name: Authenticate to AWS Cloud 268 | uses: aws-actions/configure-aws-credentials@v4 269 | with: 270 | aws-region: us-east-1 271 | role-to-assume: ${{ secrets.AWS_ROLE_FOR_GITHUB }} 272 | role-session-name: GitHubActions 273 | audience: sts.amazonaws.com 274 | role-duration-seconds: 14400 275 | - 276 | name: Install terraform jq 277 | run: | 278 | sudo apt-get update 279 | sudo apt-get install -y jq gnupg software-properties-common 280 | wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | \ 281 | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg > /dev/null 282 | echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] \ 283 | https://apt.releases.hashicorp.com $(lsb_release -cs) main" | \ 284 | sudo tee /etc/apt/sources.list.d/hashicorp.list 285 | shell: bash 286 | - 287 | name: Start test 288 | if: success() || failure() 289 | run: | 290 | cd ${{ github.workspace }}/AWS/tf-provider/ 291 | ssh-keygen -t rsa -b 4096 -C "cldeng@netfoundry.io" -f ./zfw_rsa -q -N "" 292 | export TF_VAR_ssh_public_key=`cat ./zfw_rsa.pub` 293 | ./test_cases.sh run 294 | shell: bash 295 | - 296 | name: Check intercept side test result 297 | if: success() || failure() 298 | run: | 299 | set +e 300 | cd ${{ github.workspace }}/AWS/tf-provider/ 301 | zfw0_ver=`/usr/bin/ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ./zfw_rsa ziggy@$(terraform output -json | jq -r .backend_public_ips.value[0]) -tq 'sudo /opt/openziti/bin/zfw -V'` 302 | zfw1_ver=`/usr/bin/ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ./zfw_rsa ziggy@$(terraform output -json | jq -r .backend_public_ips.value[1]) -tq 'sudo /opt/openziti/bin/zfw -V'` 303 | if [ "$zfw0_ver" != "$zfw1_ver" ]; then 304 | /usr/bin/ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ./zfw_rsa ziggy@$(terraform output -json | jq -r .backend_public_ips.value[0]) -tq 'sudo cat /var/log/cloud-init-output.log' 305 | /usr/bin/ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ./zfw_rsa ziggy@$(terraform output -json | jq -r .backend_public_ips.value[1]) -tq 'sudo cat /var/log/cloud-init-output.log' 306 | sleep 60 307 | zfw0_ver=`/usr/bin/ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ./zfw_rsa ziggy@$(terraform output -json | jq -r .backend_public_ips.value[0]) -tq 'sudo /opt/openziti/bin/zfw -V'` 308 | zfw1_ver=`/usr/bin/ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ./zfw_rsa ziggy@$(terraform output -json | jq -r .backend_public_ips.value[1]) -tq 'sudo /opt/openziti/bin/zfw -V'` 309 | fi 310 | echo "*** zfw0: $zfw0_ver ***" 311 | echo "*** zfw1: $zfw1_ver ***" 312 | while : 313 | do 314 | sleep 900 315 | /usr/bin/ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ./zfw_rsa ziggy@$(terraform output -json | jq -r .client_public_ips.value[0]) -tq '/usr/bin/tail -n 1 /var/log/http_test.json' > ${{ github.workspace }}/AWS/tf-provider/result 316 | /usr/bin/ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ./zfw_rsa ziggy@$(terraform output -json | jq -r .client_public_ips.value[1]) -tq '/usr/bin/tail -n 1 /var/log/http_test.json' >> ${{ github.workspace }}/AWS/tf-provider/result 317 | /usr/bin/ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ./zfw_rsa ziggy@$(terraform output -json | jq -r .client_public_ips.value[0]) -tq '/usr/bin/tail -n 30 /var/log/http.log' > ${{ github.workspace }}/AWS/tf-provider/test.log 318 | /usr/bin/ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ./zfw_rsa ziggy@$(terraform output -json | jq -r .client_public_ips.value[1]) -tq '/usr/bin/tail -n 30 /var/log/http.log' >> ${{ github.workspace }}/AWS/tf-provider/test.log 319 | /usr/bin/cat ${{ github.workspace }}/AWS/tf-provider/result 320 | PASS=`/usr/bin/cat ${{ github.workspace }}/AWS/tf-provider/result | grep Passed |wc -l` 321 | FAIL=`/usr/bin/cat ${{ github.workspace }}/AWS/tf-provider/result | grep Failed |wc -l` 322 | echo $PASS 323 | echo $FAIL 324 | if [ $PASS == 2 ]; then 325 | echo -e "\033[32mPASSED\033[m" 326 | cat ./result 327 | exit 0 328 | elif [ $PASS == 1 ]; then 329 | echo -e "\033[33mPARTIALLYPASSED\033[m" 330 | cat ./result 331 | cat ./test.log 332 | exit 1 333 | elif [ $FAIL == 2 ]; then 334 | echo -e "\033[31mFAILED\033[m" 335 | cat ./result 336 | cat ./test.log 337 | exit 1 338 | else 339 | cat ./result 340 | continue 341 | fi 342 | done 343 | shell: bash 344 | timeout-minutes: ${{ fromJSON(vars.STEP_TIMEOUT) }} 345 | - 346 | name: Clean up test 347 | if: success() || failure() 348 | run: | 349 | cd ${{ github.workspace }}/AWS/tf-provider/ 350 | export TF_VAR_ssh_public_key=`cat ./zfw_rsa.pub` 351 | ./test_cases.sh cleanup 352 | rm ./zfw_rsa* 353 | shell: bash 354 | 355 | 356 | 357 | 358 | 359 | 360 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: release 3 | 4 | on: 5 | push: 6 | branches: 7 | - main 8 | env: 9 | APP_NAME: 'zfw' 10 | MAINTAINER: 'Robert Caamano' 11 | DESC: 'An ebpf based statefull fw for openziti edge-routers and tunnelers' 12 | 13 | jobs: 14 | build_amd64_release: 15 | runs-on: ubuntu-22.04 16 | outputs: 17 | version: ${{ steps.version.outputs.version }} 18 | strategy: 19 | matrix: 20 | goos: [linux] 21 | ziti_type: [tunnel, router] 22 | goarch: [amd64] 23 | steps: 24 | - name: Check out code 25 | uses: actions/checkout@v4 26 | 27 | - name: Install EBPF Packages 28 | run: | 29 | sudo apt-get update -qq 30 | sudo apt-get upgrade -yqq 31 | sudo apt-get install -y jq gcc clang libc6-dev-i386 libbpfcc-dev libbpf-dev libjson-c-dev alien 32 | 33 | - name: Compile Object file from Source 34 | run: | 35 | git clone https://github.com/libbpf/libbpf.git 36 | cd libbpf/src 37 | mkdir build root 38 | BUILD_STATIC_ONLY=y OBJDIR=build DESTDIR=root make install 39 | cd ../../ 40 | clang -D BPF_MAX_ENTRIES=100000 -g -O2 -Wall -Wextra -target bpf -c -o files/bin/zfw_tc_ingress.o src/zfw_tc_ingress.c 41 | clang -g -O2 -Wall -Wextra -target bpf -c -o files/bin/zfw_xdp_tun_ingress.o src/zfw_xdp_tun_ingress.c 42 | clang -D BPF_MAX_ENTRIES=100000 -g -O2 -Wall -Wextra -target bpf -c -o files/bin/zfw_tc_outbound_track.o src/zfw_tc_outbound_track.c 43 | clang -g -O2 -Wall -D BPF_MAX_ENTRIES=100000 -O1 src/zfw.c -L ../../libbpf/src/root/usr/lib64/ -lbpf -lelf -lz -o files/bin/zfw -static 44 | clang -g -O2 -Wall -O1 src/zfw_monitor.c -L ../../libbpf/src/root/usr/lib64/ -lbpf -lelf -lz -o files/bin/zfw_monitor -static 45 | gcc -o files/bin/zfw_tunnwrapper src/zfw_tunnel_wrapper.c -l json-c 46 | 47 | - name: Get version 48 | run: echo "version=`files/bin/zfw -V`" >> $GITHUB_OUTPUT 49 | id: version 50 | 51 | - name: Deb directory 52 | run: echo "deb_dir=${{ env.APP_NAME }}-${{ matrix.ziti_type }}_${{ steps.version.outputs.version }}_${{ matrix.goarch }}" >> $GITHUB_OUTPUT 53 | id: deb_dir 54 | 55 | - name: Deb Object File 56 | run: | 57 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN 58 | touch ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 59 | echo Package: ${{ env.APP_NAME }}-${{ matrix.ziti_type }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 60 | echo Version: ${{ steps.version.outputs.version }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 61 | echo Architecture: ${{ matrix.goarch }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 62 | echo Maintainer: ${{ env.MAINTAINER }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 63 | echo Description: ${{ env.DESC }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 64 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user 65 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc 66 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system 67 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin 68 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d 69 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d 70 | cp -p CHANGELOG.md ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 71 | cp -p README.md ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 72 | cp -p LICENSE ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 73 | cp -p files/bin/zfw_tc_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 74 | cp -p files/bin/zfw_tc_outbound_track.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 75 | cp -p files/bin/zfw_xdp_tun_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 76 | cp -p files/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 77 | cp -p files/bin/zfw_monitor ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 78 | cp -p files/scripts/start_ebpf_${{ matrix.ziti_type }}.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 79 | cp -p files/scripts/user_rules.sh.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/ 80 | cp -p files/scripts/zfwlogs ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d/ 81 | cp -p files/scripts/zfw_refresh ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d/ 82 | cp -p files/json/ebpf_config.json.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc/ 83 | cp -p files/services/zfw-logging.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ 84 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw 85 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_monitor 86 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py 87 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/user_rules.sh.sample 88 | chmod 644 ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d/zfw_refresh 89 | ln -s /opt/openziti/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw 90 | ln -s /opt/openziti/bin/zfw_monitor ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw_monitor 91 | 92 | - name: Set Deb Predepends 93 | if: ${{ matrix.ziti_type == 'tunnel' }} 94 | run: | 95 | echo 'Pre-Depends: ziti-edge-tunnel (>= 0.22.5)' >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 96 | cp -p files/services/ziti-fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ 97 | cp -p files/services/ziti-wrapper.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ 98 | cp -p files/bin/zfw_tunnwrapper ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 99 | cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 100 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_tunnwrapper 101 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py 102 | 103 | - name: Standalone FW service, controller and router revert 104 | if: ${{ matrix.ziti_type == 'router' }} 105 | run: | 106 | cp -p files/services/fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ 107 | cp -p files/scripts/revert_ebpf_router.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 108 | cp -p files/scripts/start_ebpf_controller.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 109 | cp -p files/scripts/revert_ebpf_controller.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 110 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/revert_ebpf_router.py 111 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_controller.py 112 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/revert_ebpf_controller.py 113 | 114 | 115 | - name: Build Deb package 116 | run: | 117 | dpkg-deb --build -Z gzip --root-owner-group ${{ steps.deb_dir.outputs.deb_dir }} 118 | 119 | - name: Build rpm package 120 | run: | 121 | sudo alien -r ${{ steps.deb_dir.outputs.deb_dir }}.deb 122 | mv ${{ env.APP_NAME }}-${{ matrix.ziti_type }}-${{ steps.version.outputs.version }}-2.x86_64.rpm ${{ env.APP_NAME }}-${{ matrix.ziti_type }}-${{ steps.version.outputs.version }}.x86_64.rpm 123 | 124 | - uses: actions/upload-artifact@v4 125 | with: 126 | name: artifact-${{ matrix.ziti_type }}-${{ matrix.goarch }}-deb 127 | path: | 128 | ./*.deb 129 | 130 | - uses: actions/upload-artifact@v4 131 | with: 132 | name: artifact-${{ matrix.ziti_type }}-${{ matrix.goarch }}-rpm 133 | path: | 134 | ./*.rpm 135 | 136 | build_arm64_release: 137 | runs-on: [self-hosted, linux, ARM64] 138 | outputs: 139 | version: ${{ steps.version.outputs.version }} 140 | strategy: 141 | matrix: 142 | goos: [linux] 143 | ziti_type: [tunnel, router] 144 | goarch: [arm64] 145 | steps: 146 | - name: Check out code 147 | uses: actions/checkout@v4 148 | 149 | - name: Install EBPF Packages 150 | run: | 151 | sudo apt-get update -qq 152 | sudo apt-get upgrade -yqq 153 | sudo apt-get install -y jq gcc clang libbpfcc-dev libbpf-dev libjson-c-dev 154 | sudo apt-get install -y linux-headers-$(uname -r) 155 | 156 | - name: Compile Object file from Source 157 | run: | 158 | git clone https://github.com/libbpf/libbpf.git 159 | cd libbpf/src 160 | mkdir build root 161 | BUILD_STATIC_ONLY=y OBJDIR=build DESTDIR=root make install 162 | cd ../../ 163 | clang -D BPF_MAX_ENTRIES=100000 -g -O2 -Wall -I /usr/include/aarch64-linux-gnu/ -Wextra -target bpf -c -o files/bin/zfw_tc_ingress.o src/zfw_tc_ingress.c 164 | clang -g -O2 -Wall -I /usr/include/aarch64-linux-gnu/ -Wextra -target bpf -c -o files/bin/zfw_xdp_tun_ingress.o src/zfw_xdp_tun_ingress.c 165 | clang -D BPF_MAX_ENTRIES=100000 -g -O2 -Wall -I /usr/include/aarch64-linux-gnu/ -Wextra -target bpf -c -o files/bin/zfw_tc_outbound_track.o src/zfw_tc_outbound_track.c 166 | clang -g -O2 -Wall -I /usr/include/aarch64-linux-gnu/ -D BPF_MAX_ENTRIES=100000 -O1 src/zfw.c -L ../../libbpf/src/root/usr/lib64/ -lbpf -lelf -lz -o files/bin/zfw -static 167 | clang -g -O2 -Wall -I /usr/include/aarch64-linux-gnu/ -O1 src/zfw_monitor.c -L ../../libbpf/src/root/usr/lib64/ -lbpf -lelf -lz -o files/bin/zfw_monitor -static 168 | gcc -o files/bin/zfw_tunnwrapper src/zfw_tunnel_wrapper.c -l json-c 169 | 170 | - name: Get version 171 | run: echo "version=`files/bin/zfw -V`" >> $GITHUB_OUTPUT 172 | id: version 173 | 174 | - name: Deb directory 175 | run: echo "deb_dir=${{ env.APP_NAME }}-${{ matrix.ziti_type }}_${{ steps.version.outputs.version }}_${{ matrix.goarch }}" >> $GITHUB_OUTPUT 176 | id: deb_dir 177 | 178 | - name: Deb artifact directory setup 179 | run: | 180 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN 181 | touch ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 182 | echo Package: ${{ env.APP_NAME }}-${{ matrix.ziti_type }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 183 | echo Version: ${{ steps.version.outputs.version }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 184 | echo Architecture: ${{ matrix.goarch }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 185 | echo Maintainer: ${{ env.MAINTAINER }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 186 | echo Description: ${{ env.DESC }} >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 187 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user 188 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc 189 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system 190 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin 191 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d 192 | mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d 193 | cp -p CHANGELOG.md ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 194 | cp -p README.md ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 195 | cp -p LICENSE ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 196 | cp -p files/bin/zfw_tc_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 197 | cp -p files/bin/zfw_tc_outbound_track.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 198 | cp -p files/bin/zfw_xdp_tun_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 199 | cp -p files/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 200 | cp -p files/bin/zfw_monitor ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 201 | cp -p files/scripts/start_ebpf_${{ matrix.ziti_type }}.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 202 | cp -p files/scripts/user_rules.sh.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/ 203 | cp -p files/scripts/zfwlogs ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d/ 204 | cp -p files/scripts/zfw_refresh ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d/ 205 | cp -p files/json/ebpf_config.json.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc/ 206 | cp -p files/services/zfw-logging.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ 207 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw 208 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_monitor 209 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py 210 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/user_rules.sh.sample 211 | chmod 644 ${{ steps.deb_dir.outputs.deb_dir }}/etc/cron.d/zfw_refresh 212 | ln -s /opt/openziti/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw 213 | ln -s /opt/openziti/bin/zfw_monitor ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw_monitor 214 | 215 | - name: Set Deb Predepends 216 | if: ${{ matrix.ziti_type == 'tunnel' }} 217 | run: | 218 | echo 'Pre-Depends: ziti-edge-tunnel (>= 0.22.5)' >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control 219 | cp -p files/services/ziti-fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ 220 | cp -p files/services/ziti-wrapper.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ 221 | cp -p files/bin/zfw_tunnwrapper ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 222 | cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 223 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_tunnwrapper 224 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py 225 | 226 | - name: Standalone FW service, controller and router revert 227 | if: ${{ matrix.ziti_type == 'router' }} 228 | run: | 229 | cp -p files/services/fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ 230 | cp -p files/scripts/revert_ebpf_router.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 231 | cp -p files/scripts/start_ebpf_controller.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 232 | cp -p files/scripts/revert_ebpf_controller.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 233 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/revert_ebpf_router.py 234 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_controller.py 235 | chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/revert_ebpf_controller.py 236 | 237 | - name: Build deb package 238 | run: | 239 | dpkg-deb --build -Z gzip --root-owner-group ${{ steps.deb_dir.outputs.deb_dir }} 240 | 241 | - uses: actions/upload-artifact@v4 242 | with: 243 | name: artifact-${{ matrix.ziti_type }}-${{ matrix.goarch }}-deb 244 | path: | 245 | ./*.deb 246 | 247 | deploy_release: 248 | runs-on: ubuntu-22.04 249 | needs: 250 | - build_amd64_release 251 | - build_arm64_release 252 | strategy: 253 | matrix: 254 | goos: [linux] 255 | steps: 256 | - name: Create release 257 | uses: ncipollo/release-action@v1.14.0 258 | id: release 259 | with: 260 | draft: false 261 | prerelease: false 262 | tag: v${{ needs.build_amd64_release.outputs.version }} 263 | env: 264 | GITHUB_TOKEN: ${{ github.token }} 265 | 266 | deploy_packages: 267 | runs-on: ubuntu-22.04 268 | needs: 269 | - build_amd64_release 270 | - build_arm64_release 271 | - deploy_release 272 | strategy: 273 | matrix: 274 | goos: [linux] 275 | ziti_type: [tunnel, router] 276 | goarch: [amd64, arm64] 277 | pkg_type: [deb, rpm] 278 | 279 | steps: 280 | - name: download x86 artifacts 281 | if: ${{ (matrix.goarch == 'amd64') && ((matrix.pkg_type != 'deb') || (matrix.pkg_type != 'rpm')) }} 282 | uses: actions/download-artifact@v4 283 | with: 284 | name: artifact-${{ matrix.ziti_type }}-${{ matrix.goarch }}-${{ matrix.pkg_type }} 285 | - name: download arm64 artifacts 286 | if: ${{ (matrix.goarch == 'arm64') && (matrix.pkg_type == 'deb') }} 287 | uses: actions/download-artifact@v4 288 | with: 289 | name: artifact-${{ matrix.ziti_type }}-${{ matrix.goarch }}-${{ matrix.pkg_type }} 290 | - name: Upload built deb artifacts 291 | if: ${{ matrix.pkg_type == 'deb'}} 292 | uses: svenstaro/upload-release-action@2.9.0 293 | env: 294 | GITHUB_TOKEN: ${{ github.token }} 295 | with: 296 | file: ./${{ env.APP_NAME }}-${{ matrix.ziti_type }}_${{ needs.build_amd64_release.outputs.version }}_${{ matrix.goarch }}.${{ matrix.pkg_type }} 297 | release_name: ${{ needs.build_amd64_release.outputs.version }} 298 | tag: v${{ needs.build_amd64_release.outputs.version }} 299 | - name: Upload built x86_64 rpm artifacts 300 | if: ${{ (matrix.pkg_type == 'rpm') && (matrix.goarch == 'amd64') }} 301 | uses: svenstaro/upload-release-action@2.9.0 302 | env: 303 | GITHUB_TOKEN: ${{ github.token }} 304 | with: 305 | file: ./${{ env.APP_NAME }}-${{ matrix.ziti_type }}-${{ needs.build_amd64_release.outputs.version }}.x86_64.${{ matrix.pkg_type }} 306 | release_name: ${{ needs.build_amd64_release.outputs.version }} 307 | tag: v${{ needs.build_amd64_release.outputs.version }} 308 | 309 | upload_jfrog: 310 | runs-on: ubuntu-22.04 311 | needs: 312 | - build_amd64_release 313 | - build_arm64_release 314 | - deploy_packages 315 | strategy: 316 | matrix: 317 | goos: [linux] 318 | goarch: [amd64, arm64] 319 | pkg_type: [deb] 320 | distro_name: [focal, jammy, noble] 321 | steps: 322 | - name: Configure jFrog CLI 323 | if: ${{ matrix.pkg_type == 'deb'}} 324 | uses: jfrog/setup-jfrog-cli@v4 325 | - name: Upload DEB to Artifactory with jFrog CLI 326 | if: ${{ matrix.pkg_type == 'deb'}} 327 | env: 328 | GH_TOKEN: ${{ github.token }} 329 | JF_USER: ${{ secrets.JF_USER }} 330 | JF_PASSWORD: ${{ secrets.JF_PASSWORD }} 331 | shell: bash 332 | run: | 333 | asset=$(gh api /repos/netfoundry/zfw/releases --jq '( last ((.[].assets | sort_by(.created_at)).[] | select(.name=="${{ env.APP_NAME }}-router_${{ needs.build_amd64_release.outputs.version }}_${{ matrix.goarch }}.${{ matrix.pkg_type }}")))') 334 | curl -Ls "$(jq -r .browser_download_url <<< "$asset")" -H "Accept: application/vnd.github.v3+json" --output ./"$(jq -r .name <<< "$asset")" 335 | jf rt upload \ 336 | ./${{ env.APP_NAME }}-router_${{ needs.build_amd64_release.outputs.version }}_${{ matrix.goarch }}.${{ matrix.pkg_type }} \ 337 | netfoundry-deb-stable/pool/${{ env.APP_NAME }}-router/${{ matrix.distro_name }}/${{ matrix.goarch }}/ \ 338 | --url https://netfoundry.jfrog.io/artifactory/ \ 339 | --user ${{ secrets.JF_USER}} \ 340 | --password ${{ secrets.JF_PASSWORD }} \ 341 | --deb=${{ matrix.distro_name }}/main/${{ matrix.goarch }} \ 342 | --recursive=false \ 343 | --flat=true 344 | -------------------------------------------------------------------------------- /BUILD.md: -------------------------------------------------------------------------------- 1 | ## Build from source 2 | --- 3 | - OS/Platform: Ubuntu 22.04+ / amd64 4 | 1. install libraries 5 | 6 | **Ubuntu 22.04 server / amd64** (kernel 5.15 or higher) 7 | 8 | ```bash 9 | sudo apt update 10 | sudo apt upgrade 11 | sudo reboot 12 | sudo apt install -y gcc clang libc6-dev-i386 libbpfcc-dev libbpf-dev libjson-c-dev make 13 | ``` 14 | 15 | 16 | - OS/Platform: Ubuntu 22.04+ / arm64 17 | 1. install libraries 18 | 19 | **Ubuntu 22.04 server / arm** (kernel 5.15 or higher) 20 | 21 | ```bash 22 | sudo apt update 23 | sudo apt upgrade 24 | sudo reboot 25 | sudo apt-get install -y gcc clang libbpfcc-dev libbpf-dev libjson-c-dev make 26 | ``` 27 | 28 | - OS/Platform: RH 9.4 / x86_64 29 | 1. install libraries 30 | 31 | ```bash 32 | sudo yum update 33 | sudo subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms 34 | sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm 35 | sudo yum install -y clang bcc-devel libbpf-devel iproute-devel iproute-tc glibc-devel.i686 git json-c-devel 36 | ``` 37 | 38 | - Build 39 | 1. compile binaries 40 | ```bash 41 | mkdir ~/repos 42 | cd repos 43 | git clone https://github.com/netfoundry/zfw.git 44 | cd zfw/src 45 | make all 46 | sudo make install ARGS= 47 | ``` 48 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU General Public License is a free, copyleft license for 11 | software and other kinds of works. 12 | 13 | The licenses for most software and other practical works are designed 14 | to take away your freedom to share and change the works. By contrast, 15 | the GNU General Public License is intended to guarantee your freedom to 16 | share and change all versions of a program--to make sure it remains free 17 | software for all its users. We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. Conveying Non-Source Forms. 246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | 623 | How to Apply These Terms to Your New Programs 624 | 625 | If you develop a new program, and you want it to be of the greatest 626 | possible use to the public, the best way to achieve this is to make it 627 | free software which everyone can redistribute and change under these terms. 628 | 629 | To do so, attach the following notices to the program. It is safest 630 | to attach them to the start of each source file to most effectively 631 | state the exclusion of warranty; and each file should have at least 632 | the "copyright" line and a pointer to where the full notice is found. 633 | 634 | 635 | Copyright (C) 636 | 637 | This program is free software: you can redistribute it and/or modify 638 | it under the terms of the GNU General Public License as published by 639 | the Free Software Foundation, either version 3 of the License, or 640 | (at your option) any later version. 641 | 642 | This program is distributed in the hope that it will be useful, 643 | but WITHOUT ANY WARRANTY; without even the implied warranty of 644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 645 | GNU General Public License for more details. 646 | 647 | You should have received a copy of the GNU General Public License 648 | along with this program. If not, see . 649 | 650 | Also add information on how to contact you by electronic and paper mail. 651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | Copyright (C) 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | . 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | . 675 | -------------------------------------------------------------------------------- /files/bin/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/netfoundry/zfw/2039cb5ad6062f4ea646910dc51af68aabe5fdf6/files/bin/.gitkeep -------------------------------------------------------------------------------- /files/json/ebpf_config.json.sample: -------------------------------------------------------------------------------- 1 | {"InternalInterfaces":[{"Name":"ens33", "OutboundPassThroughTrack": true, "PerInterfaceRules": false}], 2 | "ExternalInterfaces":[]} 3 | -------------------------------------------------------------------------------- /files/scripts/revert_ebpf_controller.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import os 3 | import subprocess 4 | import sys 5 | import json 6 | import yaml 7 | from signal import signal, SIGPIPE, SIG_DFL 8 | signal(SIGPIPE,SIG_DFL) 9 | 10 | 11 | def set_tproxy_mode(): 12 | if(os.path.exists('/opt/openziti/ziti-router/config.yml')): 13 | try: 14 | with open('/opt/openziti/ziti-router/config.yml') as config_file: 15 | config = yaml.load(config_file, Loader=yaml.FullLoader) 16 | if(config): 17 | if('listeners' in config.keys()): 18 | for key in config['listeners']: 19 | if(('binding' in key.keys()) and (key['binding'] == 'tunnel')): 20 | if('options' in key.keys()): 21 | if('mode' in key['options']): 22 | if(key['options']['mode'] == 'tproxy'): 23 | print("ziti-router config.yml already converted to use tproxy!") 24 | elif(key['options']['mode'] == 'tproxy:/opt/openziti/bin/zfw'): 25 | key['options']['mode'] = 'tproxy' 26 | write_config(config) 27 | return True 28 | else: 29 | print("ziti-router config.yml already converted to use tproxy!") 30 | else: 31 | print('Mandatory key \'options\' missing from binding: tunnel') 32 | sys.exit(1) 33 | else: 34 | print('Mandatory key \'listeners\' missing in config.yml') 35 | sys.exit(1) 36 | except Exception as e: 37 | print(e) 38 | sys.exit(1) 39 | else: 40 | print('ziti-router not installed, skipping ebpf router configuration!') 41 | sys.exit(1) 42 | return False 43 | 44 | def write_config(config): 45 | try: 46 | with open('/opt/openziti/ziti-router/config.yml', 'w') as config_file: 47 | yaml.dump(config, config_file, sort_keys=False) 48 | except Exception as e: 49 | print(e) 50 | sys.exit(1) 51 | 52 | def delete(rule): 53 | os.system('yes | /usr/sbin/ufw delete ' + str(rule) + ' > /dev/null 2>&1') 54 | 55 | def remove_ufw_rule(rule): 56 | process = subprocess.Popen(['ufw', 'status', 'numbered'], stdout=subprocess.PIPE, stderr=subprocess.PIPE) 57 | out, err = process.communicate() 58 | data = out.decode().splitlines() 59 | count = 1 60 | for line in data: 61 | if((line.find(rule) >= 0) and (line.find('ALLOW IN') >= 0)): 62 | print("removing:", line) 63 | delete(count) 64 | if(line.startswith('[')): 65 | count = count + 1 66 | 67 | def iterate_rules(intf): 68 | rules = ['Anywhere on ' + intf, 'Anywhere (v6) on ' + intf] 69 | for rule in rules: 70 | remove_ufw_rule(rule) 71 | 72 | if(os.path.exists('/opt/openziti/etc/ebpf_config.json')): 73 | with open('/opt/openziti/etc/ebpf_config.json','r') as jfile: 74 | try: 75 | config = json.loads(jfile.read()) 76 | if(config): 77 | if("InternalInterfaces" in config.keys()): 78 | i_interfaces = config["InternalInterfaces"] 79 | if len(i_interfaces): 80 | for interface in i_interfaces: 81 | if("Name" in interface.keys()): 82 | if(interface["Name"] != "lo"): 83 | print("Attempting to restore ufw state: ",interface["Name"]) 84 | iterate_rules(interface["Name"]) 85 | else: 86 | print('Mandatory key \"Name\" missing skipping internal interface entry!') 87 | else: 88 | print("No internal interfaces listed in /opt/openziti/etc/ebpf_config.json skipping internal interface ufw reversion interface!") 89 | if("ExternalInterfaces" in config.keys()): 90 | e_interfaces = config["ExternalInterfaces"] 91 | if len(e_interfaces): 92 | for interface in e_interfaces: 93 | if("Name" in interface.keys()): 94 | if(interface["Name"] != "lo"): 95 | print("Attempting to restore ufw state: ",interface["Name"]) 96 | iterate_rules(interface["Name"]) 97 | else: 98 | print('Mandatory key \"Name\" missing skipping external interface ufw reversion!') 99 | except Exception as e: 100 | print("Malformed or missing json object in /opt/openziti/etc/ebpf_config.json can't revert ufw!") 101 | 102 | service = False 103 | if(os.path.exists('/etc/systemd/system/zfw-logging.service')): 104 | unconfigured = os.system("grep -r 'ExecStartPre\=\-\/opt/openziti\/bin\/start_ebpf_controller.py' /etc/systemd/system/zfw-logging.service") 105 | if(not unconfigured): 106 | test1 = os.system("sed -i '/ExecStartPre\=\-\/opt\/openziti\/bin\/start_ebpf_controller.py/d' /etc/systemd/system/zfw-logging.service") 107 | if(not test1): 108 | test1 = os.system("systemctl daemon-reload") 109 | if(not test1): 110 | service = True 111 | test1 = os.system("systemctl disable zfw-logging.service") 112 | test1 = os.system("systemctl disable fw-init.service") 113 | os.system("/opt/openziti/bin/zfw -Q") 114 | if(os.path.exists("/opt/openziti/etc/ebpf_config.json")): 115 | os.remove("/opt/openziti/etc/ebpf_config.json") 116 | if(os.path.exists("/opt/openziti/bin/user/user_rules.sh")): 117 | os.remove("/opt/openziti/bin/user/user_rules.sh") 118 | print("Successfully reverted ziti-logging.service!") 119 | else: 120 | print("Failed to revert zfw-logging.service!") 121 | else: 122 | print("zfw-logging.service already reverted. Nothing to do!") 123 | else: 124 | print("Skipping zfw-logging.service reversal. File does not exist!") 125 | 126 | if service: 127 | print("config.yml successfully reverted. restarting ziti-controller.service") 128 | os.system('systemctl restart ziti-controller.service') 129 | if(not os.system('systemctl is-active --quiet ziti-controller.service')): 130 | print("ziti-controller.service successfully restarted") 131 | if(os.path.exists('/opt/netfoundry/ziti/ziti-controller/conf/controller01.config.yml')): 132 | print("Detected Netfoundry controller install!") 133 | if(os.path.exists('/opt/openziti/ziti-controller/controller01.config.yml')): 134 | print("Removing symlink from /opt/openziti/ziti-controller to /opt/netfoundry/ziti/ziti-controller/conf") 135 | os.unlink('/opt/openziti/ziti-controller') 136 | else: 137 | print("No symlink found nothing to do!") 138 | if(os.path.exists('/opt/netfoundry/ziti/ziti-router/config.yml')): 139 | print("Detected Netfoundry install/registration!") 140 | if(os.path.exists('/opt/openziti/ziti-router/config.yml')): 141 | print("Removing symlink from /opt/openziti/ziti-router to /opt/netfoundry/ziti/ziti-router") 142 | os.unlink('/opt/openziti/ziti-router') 143 | else: 144 | print("No symlink found nothing to do!") 145 | else: 146 | print('ziti-router.service unable to start check router logs') 147 | else: 148 | print("ziti-router config already not set to use ebpf!") 149 | -------------------------------------------------------------------------------- /files/scripts/revert_ebpf_router.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import os 3 | import subprocess 4 | import sys 5 | import json 6 | import yaml 7 | from signal import signal, SIGPIPE, SIG_DFL 8 | signal(SIGPIPE,SIG_DFL) 9 | 10 | 11 | def set_tproxy_mode(): 12 | if(os.path.exists('/opt/openziti/ziti-router/config.yml')): 13 | try: 14 | with open('/opt/openziti/ziti-router/config.yml') as config_file: 15 | config = yaml.load(config_file, Loader=yaml.FullLoader) 16 | if(config): 17 | if('listeners' in config.keys()): 18 | for key in config['listeners']: 19 | if(('binding' in key.keys()) and (key['binding'] == 'tunnel')): 20 | if('options' in key.keys()): 21 | if('mode' in key['options']): 22 | if(key['options']['mode'] == 'tproxy'): 23 | print("ziti-router config.yml already converted to use tproxy!") 24 | elif(key['options']['mode'] == 'tproxy:/opt/openziti/bin/zfw'): 25 | key['options']['mode'] = 'tproxy' 26 | write_config(config) 27 | return True 28 | else: 29 | print("ziti-router config.yml already converted to use tproxy!") 30 | else: 31 | print('Mandatory key \'options\' missing from binding: tunnel') 32 | sys.exit(1) 33 | else: 34 | print('Mandatory key \'listeners\' missing in config.yml') 35 | sys.exit(1) 36 | except Exception as e: 37 | print(e) 38 | sys.exit(1) 39 | else: 40 | print('ziti-router not installed, skipping ebpf router configuration!') 41 | sys.exit(1) 42 | return False 43 | 44 | def write_config(config): 45 | try: 46 | with open('/opt/openziti/ziti-router/config.yml', 'w') as config_file: 47 | yaml.dump(config, config_file, sort_keys=False) 48 | except Exception as e: 49 | print(e) 50 | sys.exit(1) 51 | 52 | def delete(rule): 53 | os.system('yes | /usr/sbin/ufw delete ' + str(rule) + ' > /dev/null 2>&1') 54 | 55 | def remove_ufw_rule(rule): 56 | process = subprocess.Popen(['ufw', 'status', 'numbered'], stdout=subprocess.PIPE, stderr=subprocess.PIPE) 57 | out, err = process.communicate() 58 | data = out.decode().splitlines() 59 | count = 1 60 | for line in data: 61 | if((line.find(rule) >= 0) and (line.find('ALLOW IN') >= 0)): 62 | print("removing:", line) 63 | delete(count) 64 | if(line.startswith('[')): 65 | count = count + 1 66 | 67 | def iterate_rules(intf): 68 | rules = ['Anywhere on ' + intf, 'Anywhere (v6) on ' + intf] 69 | for rule in rules: 70 | remove_ufw_rule(rule) 71 | 72 | if(os.path.exists('/opt/openziti/etc/ebpf_config.json')): 73 | with open('/opt/openziti/etc/ebpf_config.json','r') as jfile: 74 | try: 75 | config = json.loads(jfile.read()) 76 | if(config): 77 | if("InternalInterfaces" in config.keys()): 78 | i_interfaces = config["InternalInterfaces"] 79 | if len(i_interfaces): 80 | for interface in i_interfaces: 81 | if("Name" in interface.keys()): 82 | if(interface["Name"] != "lo"): 83 | print("Attempting to restore ufw state: ",interface["Name"]) 84 | iterate_rules(interface["Name"]) 85 | else: 86 | print('Mandatory key \"Name\" missing skipping internal interface entry!') 87 | else: 88 | print("No internal interfaces listed in /opt/openziti/etc/ebpf_config.json skipping internal interface ufw reversion interface!") 89 | if("ExternalInterfaces" in config.keys()): 90 | e_interfaces = config["ExternalInterfaces"] 91 | if len(e_interfaces): 92 | for interface in e_interfaces: 93 | if("Name" in interface.keys()): 94 | if(interface["Name"] != "lo"): 95 | print("Attempting to restore ufw state: ",interface["Name"]) 96 | iterate_rules(interface["Name"]) 97 | else: 98 | print('Mandatory key \"Name\" missing skipping external interface ufw reversion!') 99 | except Exception as e: 100 | print("Malformed or missing json object in /opt/openziti/etc/ebpf_config.json can't revert ufw!") 101 | 102 | service = False 103 | if(os.path.exists('/etc/systemd/system/ziti-router.service')): 104 | unconfigured = os.system("grep -r 'ExecStartPre\=\-\/opt/openziti\/bin\/start_ebpf_router.py' /etc/systemd/system/ziti-router.service") 105 | if(not unconfigured): 106 | os.system("sed -i 's/#ExecStartPre\=\-\/opt\/netfoundry\/ebpf\/objects\/etables \-F \-r/ExecStartPre\=-\/opt\/netfoundry\/ebpf\/objects\/etables \-F \-r/g' /etc/systemd/system/ziti-router.service") 107 | os.system("sed -i 's/#ExecStartPre\=\-\/opt\/netfoundry\/ebpf\/scripts\/tproxy_splicer_startup.sh/ExecStartPre\=\-\/opt\/netfoundry\/ebpf\/scripts\/tproxy_splicer_startup.sh/g' /etc/systemd/system/ziti-router.service") 108 | test1 = os.system("sed -i '/ExecStartPre\=\-\/opt\/openziti\/bin\/start_ebpf_router.py/d' /etc/systemd/system/ziti-router.service") 109 | if(not test1): 110 | test1 = os.system("systemctl daemon-reload") 111 | if(not test1): 112 | service = True 113 | os.system("/opt/openziti/bin/zfw -Q") 114 | if(os.path.exists("/opt/openziti/etc/ebpf_config.json")): 115 | os.remove("/opt/openziti/etc/ebpf_config.json") 116 | if(os.path.exists("/opt/openziti/bin/user/user_rules.sh")): 117 | os.remove("/opt/openziti/bin/user/user_rules.sh") 118 | print("Successfully reverted ziti-router.service!") 119 | else: 120 | print("Failed to revert ziti-router.service!") 121 | else: 122 | print("ziti-router.service already reverted. Nothing to do!") 123 | else: 124 | print("Skipping ziti-router.service reversal. File does not exist!") 125 | 126 | if(set_tproxy_mode()): 127 | if service: 128 | print("config.yml successfully reverted. restarting ziti-router.service") 129 | os.system('systemctl restart ziti-router.service') 130 | if(not os.system('systemctl is-active --quiet ziti-router.service')): 131 | print("ziti-router.service successfully restarted") 132 | if(os.path.exists('/opt/netfoundry/ziti/ziti-router/config.yml')): 133 | print("Detected Netfoundry install/registration!") 134 | if(os.path.exists('/opt/openziti/ziti-router/config.yml')): 135 | print("Removing symlink from /opt/openziti/ziti-router to /opt/netfoundry/ziti/ziti-router") 136 | os.unlink('/opt/openziti/ziti-router') 137 | else: 138 | print("No symlink found nothing to do!") 139 | else: 140 | print('ziti-router.service unable to start check router logs') 141 | else: 142 | print("ziti-router config already not set to use ebpf!") 143 | -------------------------------------------------------------------------------- /files/scripts/set_xdp_redirect.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import subprocess 3 | import os 4 | 5 | def xdp_status(interface): 6 | process = subprocess.Popen(['/usr/sbin/ip', 'link', 'show', interface], stdout=subprocess.PIPE, stderr=subprocess.PIPE) 7 | out, err = process.communicate() 8 | data = out.decode().splitlines() 9 | if(len(data)): 10 | for line in data: 11 | if(line.find('prog/xdp') >= 0): 12 | return True 13 | else: 14 | return False 15 | 16 | process = subprocess.Popen(['ip', 'add'], stdout=subprocess.PIPE, stderr=subprocess.PIPE) 17 | out, err = process.communicate() 18 | data = out.decode().splitlines() 19 | interfaceName = None 20 | ip = '100.64.0.1' 21 | iprange = os.environ.get('ZITI_DNS_IP_RANGE') 22 | if(iprange): 23 | print('Reading ip from ZITI_DNS_IP_RANGE: ' + iprange) 24 | ip = iprange.split('/')[0] 25 | else: 26 | print('Using default tun ip: ' + ip) 27 | for line in data: 28 | if (line.find(ip) != -1): 29 | interfaceName = line.split(" ")[-1] 30 | if interfaceName: 31 | if(not xdp_status(interfaceName)): 32 | os.system('/usr/sbin/ip link set ' + interfaceName + ' xdpgeneric obj /opt/openziti/bin/zfw_xdp_tun_ingress.o sec xdp_redirect') 33 | 34 | -------------------------------------------------------------------------------- /files/scripts/start_ebpf_controller.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import os 3 | import sys 4 | import json 5 | import subprocess 6 | import time 7 | import yaml 8 | import argparse 9 | 10 | controller = False 11 | router = False 12 | 13 | def tc_status(interface, direction): 14 | process = subprocess.Popen(['tc', 'filter', 'show', 'dev', interface, direction], stdout=subprocess.PIPE, stderr=subprocess.PIPE) 15 | out, err = process.communicate() 16 | data = out.decode().splitlines() 17 | if(len(data)): 18 | return True 19 | else: 20 | return False 21 | 22 | def add_health_check_rules(lan_ip, lan_mask): 23 | if(os.path.exists('/opt/openziti/ziti-router/config.yml')): 24 | try: 25 | with open('/opt/openziti/ziti-router/config.yml') as config_file: 26 | config = yaml.load(config_file, Loader=yaml.FullLoader) 27 | if(config): 28 | if('web' in config.keys()): 29 | for key in config['web']: 30 | if(('name' in key.keys()) and (key['name'] == 'health-check')): 31 | if('bindPoints' in key.keys()): 32 | for point in key['bindPoints']: 33 | address = point['address'] 34 | addr_array = address.split(':') 35 | if(len(addr_array)): 36 | try: 37 | port = addr_array[-1].strip() 38 | if(int(port) > 0): 39 | os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp') 40 | except Exception as e: 41 | print(e) 42 | pass 43 | except Exception as e: 44 | print(e) 45 | 46 | 47 | def add_link_listener_rules(lan_ip, lan_mask): 48 | if(os.path.exists('/opt/openziti/ziti-router/config.yml')): 49 | try: 50 | with open('/opt/openziti/ziti-router/config.yml') as config_file: 51 | config = yaml.load(config_file, Loader=yaml.FullLoader) 52 | if(config): 53 | if('link' in config.keys()): 54 | if('listeners' in config['link'].keys()): 55 | for key in config['link']['listeners']: 56 | if(('binding' in key.keys()) and (key['binding'] == 'transport')): 57 | if('bind' in key.keys()): 58 | address = key['bind'] 59 | addr_array = address.split(':') 60 | if(len(addr_array) == 3): 61 | try: 62 | port = addr_array[-1].strip() 63 | if((int(port) > 0) and (addr_array[0] == 'tls')): 64 | os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp') 65 | os.system('/opt/openziti/bin/zfw --ddos-dport-add ' + port) 66 | except Exception as e: 67 | print(e) 68 | pass 69 | except Exception as e: 70 | print(e) 71 | 72 | def add_controller_edge_listener_rules(lan_ip, lan_mask): 73 | if(os.path.exists('/opt/openziti/ziti-router/config.yml')): 74 | try: 75 | with open('/opt/openziti/ziti-controller/controller01.config.yml') as config_file: 76 | config = yaml.load(config_file, Loader=yaml.FullLoader) 77 | if(config): 78 | if('edge' in config.keys()): 79 | if 'api' in config['edge'].keys(): 80 | if("address" in config['edge']['api'].keys()): 81 | address = config['edge']['api']['address'] 82 | addr_array = address.split(':') 83 | if(len(addr_array) == 2): 84 | port = addr_array[-1].strip() 85 | try: 86 | port = addr_array[-1].strip() 87 | if((int(port) > 0)): 88 | os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp') 89 | os.system('/opt/openziti/bin/zfw --ddos-dport-add ' + port) 90 | except Exception as e: 91 | print(e) 92 | pass 93 | except Exception as e: 94 | print(e) 95 | 96 | def add_controller_ctrl_listener_rules(lan_ip, lan_mask): 97 | if(os.path.exists('/opt/openziti/ziti-router/config.yml')): 98 | try: 99 | with open('/opt/openziti/ziti-controller/controller01.config.yml') as config_file: 100 | config = yaml.load(config_file, Loader=yaml.FullLoader) 101 | if(config): 102 | if('ctrl' in config.keys()): 103 | if 'listener' in config['ctrl'].keys(): 104 | address = config['ctrl']['listener'] 105 | addr_array = address.split(':') 106 | if(len(addr_array) == 3): 107 | port = addr_array[-1].strip() 108 | try: 109 | port = addr_array[-1].strip() 110 | if((int(port) > 0) and (addr_array[0] == 'tls')): 111 | os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp') 112 | os.system('/opt/openziti/bin/zfw --ddos-dport-add ' + port) 113 | except Exception as e: 114 | print(e) 115 | pass 116 | except Exception as e: 117 | print(e) 118 | 119 | def add_controller_web_listener_rules(lan_ip, lan_mask): 120 | if(os.path.exists('/opt/openziti/ziti-router/config.yml')): 121 | try: 122 | with open('/opt/openziti/ziti-controller/controller01.config.yml') as config_file: 123 | config = yaml.load(config_file, Loader=yaml.FullLoader) 124 | if(config): 125 | if('web' in config.keys()): 126 | for key in config['web']: 127 | if('bindPoints' in key.keys()): 128 | for bind in key['bindPoints']: 129 | address = bind['interface'] 130 | addr_array = address.split(':') 131 | if(len(addr_array) == 2): 132 | port = addr_array[-1].strip() 133 | try: 134 | port = addr_array[-1].strip() 135 | if((int(port) > 0)): 136 | os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp') 137 | except Exception as e: 138 | print(e) 139 | pass 140 | except Exception as e: 141 | print(e) 142 | 143 | def add_controller_salt_api_listener_rules(lan_ip, lan_mask): 144 | if(os.path.exists('/etc/salt/master.d/nf_master.conf')): 145 | try: 146 | with open('/etc/salt/master.d/nf_master.conf') as config_file: 147 | config = yaml.load(config_file, Loader=yaml.FullLoader) 148 | if(config): 149 | if('rest_cherrypy' in config.keys()): 150 | if('port' in config['rest_cherrypy'].keys()): 151 | try: 152 | port = config['rest_cherrypy']['port'] 153 | if(port > 0): 154 | os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + str(port) + ' -h ' + str(port) + ' -t 0 -p tcp') 155 | except Exception as e: 156 | print(e) 157 | pass 158 | except Exception as e: 159 | print(e) 160 | 161 | 162 | def add_controller_port_forwarding_rule(lan_ip, lan_mask): 163 | test = os.system("grep -rnw \'A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 443\' /etc/ufw/before.rules") 164 | if(not test): 165 | port = "80" 166 | os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp') 167 | os.system('/opt/openziti/bin/zfw --ddos-dport-add ' + port) 168 | else: 169 | print("Port forwarding rul not found") 170 | 171 | def add_edge_listener_rules(lan_ip, lan_mask): 172 | if(os.path.exists('/opt/openziti/ziti-router/config.yml')): 173 | try: 174 | with open('/opt/openziti/ziti-router/config.yml') as config_file: 175 | config = yaml.load(config_file, Loader=yaml.FullLoader) 176 | if(config): 177 | if('listeners' in config.keys()): 178 | for key in config['listeners']: 179 | if(('binding' in key.keys()) and (key['binding'] == 'edge')): 180 | if('address' in key.keys()): 181 | address = key['address'] 182 | addr_array = address.split(':') 183 | if(len(addr_array) == 3): 184 | port = addr_array[-1].strip() 185 | try: 186 | port = addr_array[-1].strip() 187 | if((int(port) > 0) and (addr_array[0] == 'tls')): 188 | os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp') 189 | except Exception as e: 190 | print(e) 191 | pass 192 | except Exception as e: 193 | print(e) 194 | 195 | def add_resolver_rules(): 196 | if(os.path.exists('/opt/openziti/ziti-router/config.yml')): 197 | try: 198 | with open('/opt/openziti/ziti-router/config.yml') as config_file: 199 | config = yaml.load(config_file, Loader=yaml.FullLoader) 200 | if(config): 201 | if('listeners' in config.keys()): 202 | for key in config['listeners']: 203 | if(('binding' in key.keys()) and (key['binding'] == 'tunnel')): 204 | if('options' in key.keys()): 205 | if('resolver' in key['options']): 206 | address = key['options']['resolver'] 207 | addr_array = address.split(':') 208 | if(len(addr_array) == 3): 209 | port = addr_array[-1].strip() 210 | lan_ip = addr_array[1].split('//') 211 | lan_mask = '32' 212 | try: 213 | port = addr_array[-1].strip() 214 | lan_ip = addr_array[1].split('//')[1] 215 | if((int(port) > 0)): 216 | os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp') 217 | if(lan_ip == '100.127.255.254'): 218 | #special case for NF AWS Gateway loadbalance via DNS over GENEVE using 100.127.255.254 on loopback so add route on loopback 219 | os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p udp -r') 220 | else: 221 | os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p udp') 222 | except Exception as e: 223 | print(e) 224 | pass 225 | except Exception as e: 226 | print(e) 227 | 228 | def write_config(config): 229 | try: 230 | with open('/opt/openziti/ziti-router/config.yml', 'w') as config_file: 231 | yaml.dump(config, config_file, sort_keys=False) 232 | except Exception as e: 233 | print(e) 234 | 235 | def get_if_ip(intf): 236 | process = subprocess.Popen(['ip', 'add'], stdout=subprocess.PIPE, stderr=subprocess.PIPE) 237 | out, err = process.communicate() 238 | data = out.decode().splitlines() 239 | for line in data: 240 | if((line.find(intf) >= 0) and (line.find('inet') >= 0)): 241 | search_list = line.strip().split(" ") 242 | if search_list[-1].strip() == intf: 243 | return search_list[1] 244 | return "" 245 | 246 | def set_local_rules(ip): 247 | default_ip = '0.0.0.0' 248 | default_mask = '0' 249 | if len(ip.split('/')) == 2: 250 | lan_ip = ip.split('/')[0] 251 | lan_mask = '32' 252 | else: 253 | lan_ip = default_ip 254 | lan_mask = default_mask 255 | if controller: 256 | add_controller_edge_listener_rules(lan_ip, lan_mask) 257 | add_controller_web_listener_rules(lan_ip, lan_mask) 258 | add_controller_port_forwarding_rule(lan_ip, lan_mask) 259 | add_controller_salt_api_listener_rules(lan_ip, lan_mask) 260 | if router: 261 | add_link_listener_rules(lan_ip, lan_mask) 262 | 263 | 264 | parser = argparse.ArgumentParser(description="Network build script") 265 | parser.add_argument("--lanIf", required=True, help='') 266 | args = parser.parse_args() 267 | lanIf = args.lanIf 268 | if(os.path.exists('/opt/netfoundry/ziti/ziti-controller/conf/controller01.config.yml')): 269 | controller = True 270 | print("Detected Netfoundry install") 271 | if(not os.path.exists('/opt/openziti/ziti-controller/controller01.config.yml')): 272 | print("Installing symlink from /opt/openziti/ziti-controller to /opt/netfoundry/ziti/ziti-controller/conf") 273 | os.symlink('/opt/netfoundry/ziti/ziti-controller/conf', '/opt/openziti/ziti-controller') 274 | else: 275 | print("Symlink found nothing to do!") 276 | if(os.path.exists('/opt/netfoundry/ziti/ziti-router/config.yml')): 277 | router = True 278 | print("Detected Netfoundry install/registration!") 279 | if(not os.path.exists('/opt/openziti/ziti-router/config.yml')): 280 | print("Installing symlink from /opt/openziti/ziti-router to /opt/netfoundry/ziti/ziti-router!") 281 | os.symlink('/opt/netfoundry/ziti/ziti-router', '/opt/openziti/ziti-router') 282 | else: 283 | print("Symlink found nothing to do!") 284 | 285 | if(not os.path.exists('/opt/openziti/etc/ebpf_config.json')): 286 | if(os.path.exists('/opt/openziti/etc/ebpf_config.json.sample')): 287 | with open('/opt/openziti/etc/ebpf_config.json.sample','r') as jfile: 288 | try: 289 | config = json.loads(jfile.read()) 290 | if(config): 291 | if("InternalInterfaces" in config.keys()): 292 | interfaces = config["InternalInterfaces"] 293 | if len(interfaces): 294 | interface = interfaces[0] 295 | if("Name" in interface.keys()): 296 | interface['Name'] = lanIf 297 | else: 298 | print('Missing mandatory key: Name') 299 | sys.exit(1) 300 | else: 301 | print('Invalid config no interfaces found!') 302 | sys.exit(1) 303 | with open('/opt/openziti/etc/ebpf_config.json', 'w') as ofile: 304 | json.dump(config, ofile) 305 | except Exception as e: 306 | print('Malformed or missing json object in /opt/openziti/etc/ebpf_config.json.sample') 307 | sys.exit(1) 308 | else: 309 | print('File does not exist: /opt/openziti/etc/ebpf_config.json.sample') 310 | else: 311 | print('File already exist: /opt/openziti/etc/ebpf_config.json') 312 | 313 | internal_list = [] 314 | external_list = [] 315 | per_interface_rules = dict() 316 | outbound_passthrough_track = dict() 317 | if(os.path.exists('/opt/openziti/etc/ebpf_config.json')): 318 | with open('/opt/openziti/etc/ebpf_config.json','r') as jfile: 319 | try: 320 | config = json.loads(jfile.read()) 321 | if(config): 322 | if "InternalInterfaces" in config.keys(): 323 | i_interfaces = config["InternalInterfaces"] 324 | if len(i_interfaces): 325 | for interface in i_interfaces: 326 | if("Name" in interface.keys()): 327 | print("Attempting to add ebpf ingress to: ",interface["Name"]) 328 | internal_list.append(interface["Name"]) 329 | if("OutboundPassThroughTrack") in interface.keys(): 330 | if(interface["OutboundPassThroughTrack"]): 331 | outbound_passthrough_track[interface["Name"]] = True; 332 | else: 333 | outbound_passthrough_track[interface["Name"]] = False; 334 | else: 335 | outbound_passthrough_track[interface["Name"]] = True; 336 | if("PerInterfaceRules") in interface.keys(): 337 | if(interface["PerInterfaceRules"]): 338 | per_interface_rules[interface["Name"]] = True; 339 | else: 340 | per_interface_rules[interface["Name"]] = False; 341 | else: 342 | per_interface_rules[interface["Name"]] = False; 343 | else: 344 | print('Mandatory key \"Name\" missing skipping internal interface entry!') 345 | 346 | else: 347 | print("No internal interfaces listed in /opt/openziti/etc/ebpf_config.json add at least one interface") 348 | sys.exit(1) 349 | if("ExternalInterfaces" in config.keys()): 350 | e_interfaces = config["ExternalInterfaces"] 351 | if len(e_interfaces): 352 | for interface in e_interfaces: 353 | if("Name" in interface.keys()): 354 | print("Attempting to add ebpf egress to: ",interface["Name"]) 355 | external_list.append(interface["Name"]) 356 | if("OutboundPassThroughTrack") in interface.keys(): 357 | if(interface["OutboundPassThroughTrack"]): 358 | outbound_passthrough_track[interface["Name"]] = True; 359 | else: 360 | outbound_passthrough_track[interface["Name"]] = False; 361 | else: 362 | outbound_passthrough_track[interface["Name"]] = True; 363 | if("PerInterfaceRules") in interface.keys(): 364 | if(interface["PerInterfaceRules"]): 365 | per_interface_rules[interface["Name"]] = True; 366 | else: 367 | per_interface_rules[interface["Name"]] = False; 368 | else: 369 | per_interface_rules[interface["Name"]] = True; 370 | else: 371 | print('Mandatory key \"Name\" missing skipping external interface entry!') 372 | else: 373 | print("No External interfaces listed in /opt/openziti/etc/ebpf_config.json") 374 | except Exception as e: 375 | print("Malformed or missing json object in /opt/openziti/etc/ebpf_config.json") 376 | sys.exit(1) 377 | else: 378 | print("Missing /opt/openziti/etc/ebpf_config.json can't set ebpf interface config") 379 | sys.exit(1) 380 | lanIp = get_if_ip(lanIf) 381 | ingress_object_file = '/opt/openziti/bin/zfw_tc_ingress.o' 382 | egress_object_file = '/opt/openziti/bin/zfw_tc_outbound_track.o' 383 | status = subprocess.run(['/opt/openziti/bin/zfw', '-L', '-E'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) 384 | if(status.returncode): 385 | test1 = subprocess.run(['/opt/openziti/bin/zfw', '-Q'],stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) 386 | if(test1.returncode): 387 | print("Ebpf not running no maps to clear") 388 | for i in internal_list: 389 | if(not tc_status(i, "ingress")): 390 | test1 = os.system("/opt/openziti/bin/zfw -X " + i + " -O " + ingress_object_file + " -z ingress") 391 | time.sleep(1) 392 | if(test1): 393 | print("Cant attach " + i + " to tc ingress with " + ingress_object_file) 394 | continue 395 | else: 396 | print("Attached " + ingress_object_file + " to " + i) 397 | os.system("sudo ufw allow in on " + i + " to any") 398 | if(per_interface_rules[i]): 399 | os.system("/opt/openziti/bin/zfw -P " + i) 400 | if(not tc_status(i, "egress")): 401 | if(outbound_passthrough_track[i]): 402 | test1 = os.system("/opt/openziti/bin/zfw -X " + i + " -O " + egress_object_file + " -z egress") 403 | if(test1): 404 | print("Cant attach " + i + " to tc egress with " + egress_object_file) 405 | continue 406 | else: 407 | print("Attached " + egress_object_file + " to " + i) 408 | for e in external_list: 409 | if(not tc_status(e, "ingress")): 410 | test1 = os.system("/opt/openziti/bin/zfw -X " + e + " -O " + ingress_object_file + " -z ingress") 411 | if(test1): 412 | os.system("/opt/openziti/bin/zfw -Q") 413 | print("Cant attach " + e + " to tc ingress with " + ingress_object_file) 414 | continue 415 | else: 416 | print("Attached " + ingress_object_file + " to " + e) 417 | os.system("sudo ufw allow in on " +e + " to any") 418 | time.sleep(1) 419 | if(per_interface_rules[e]): 420 | os.system("/opt/openziti/bin/zfw -P " + e) 421 | if(not tc_status(e, "egress")): 422 | if(outbound_passthrough_track[e]): 423 | test1 = os.system("/opt/openziti/bin/zfw -X " + e + " -O " + egress_object_file + " -z egress") 424 | if(test1): 425 | print("Cant attach " + e + " to tc egress with " + egress_object_file) 426 | os.system("/opt/openziti/bin/zfw -Q") 427 | continue 428 | else: 429 | print("Attached " + egress_object_file + " to " + e) 430 | 431 | if(len(lanIp)): 432 | set_local_rules(lanIp) 433 | if(os.path.exists("/opt/openziti/bin/user/user_rules.sh")): 434 | print("Adding user defined rules") 435 | os.system("/opt/openziti/bin/user/user_rules.sh") 436 | else: 437 | print("ebpf already running!"); 438 | os.system("/usr/sbin/zfw -F -z ingress") 439 | print("Flushed Table") 440 | for i in internal_list: 441 | if(not tc_status(i, "ingress")): 442 | test1 = os.system("/opt/openziti/bin/zfw -X " + i + " -O " + ingress_object_file + " -z ingress") 443 | time.sleep(1) 444 | if(test1): 445 | print("Cant attach " + i + " to tc ingress with " + ingress_object_file) 446 | else: 447 | print("Attached " + ingress_object_file + " to " + i) 448 | os.system("sudo ufw allow in on " + i + " to any") 449 | if(per_interface_rules[i]): 450 | os.system("/opt/openziti/bin/zfw -P " + i) 451 | if(not tc_status(i, "egress")): 452 | if(outbound_passthrough_track[i]): 453 | test1 = os.system("/opt/openziti/bin/zfw -X " + i + " -O " + egress_object_file + " -z egress") 454 | if(test1): 455 | print("Cant attach " + i + " to tc egress with " + egress_object_file) 456 | else: 457 | print("Attached " + egress_object_file + " to " + i) 458 | for e in external_list: 459 | if(not tc_status(e, "ingress")): 460 | test1 = os.system("/opt/openziti/bin/zfw -X " + e + " -O " + ingress_object_file + " -z ingress") 461 | if(test1): 462 | print("Cant attach " + e + " to tc ingress with " + ingress_object_file) 463 | else: 464 | print("Attached " + ingress_object_file + " to " + e) 465 | os.system("sudo ufw allow in on " +e + " to any") 466 | time.sleep(1) 467 | if(per_interface_rules[e]): 468 | os.system("/opt/openziti/bin/zfw -P " + e) 469 | if(not tc_status(e, "egress")): 470 | if(outbound_passthrough_track[e]): 471 | test1 = os.system("/opt/openziti/bin/zfw -X " + e + " -O " + egress_object_file + " -z egress") 472 | if(test1): 473 | print("Cant attach " + e + " to tc egress with " + egress_object_file) 474 | else: 475 | print("Attached " + egress_object_file + " to " + e) 476 | if(len(lanIp)): 477 | set_local_rules(lanIp) 478 | if(os.path.exists("/opt/openziti/bin/user/user_rules.sh")): 479 | print("Adding user defined rules!") 480 | os.system("/opt/openziti/bin/user/user_rules.sh") 481 | 482 | lanIp = get_if_ip(lanIf) 483 | if(len(lanIp)): 484 | set_local_rules(lanIp) 485 | if(os.path.exists('/etc/systemd/system/zfw-logging.service') and controller): 486 | unconfigured = os.system("grep -r 'ExecStartPre\=\-\/opt/openziti\/bin\/start_ebpf_controller.py' /etc/systemd/system/zfw-logging.service") 487 | if(unconfigured): 488 | test1 = 1 489 | test1 = os.system("sed -i '/ExecStart=/i ExecStartPre\=\-\/opt\/openziti\/bin\/start_ebpf_controller.py --lanIf " + lanIf + "' /etc/systemd/system/zfw-logging.service") 490 | test1 = os.system("sed -i 's/ziti-router/ziti-controller/g' /etc/systemd/system/zfw-logging.service") 491 | test1 = os.system("sed -i 's/_router.py/_controller.py --lanIf " + lanIf + "/g' /etc/systemd/system/fw-init.service") 492 | test1 = os.system("sed -i 's/ddos-monitor enp0s5/ddos-monitor " + lanIf + "/g' /etc/systemd/system/ddos-monitor.service") 493 | if(not test1): 494 | test1 = os.system("systemctl daemon-reload") 495 | if(not test1): 496 | print("Successfully converted services. Enabling/Starting now!") 497 | os.system('systemctl enable --now zfw-logging.service') 498 | os.system('systemctl enable --now fw-init.service') 499 | os.system('systemctl enable --now ddos-monitor.service') 500 | os.system('systemctl enable --now api-session-monitor.service') 501 | else: 502 | print("Failed to init services!") 503 | else: 504 | print("zfw-logging.service already converted. Nothing to do!") 505 | else: 506 | print("Skipping zfw-logging.service conversion. File does not exist or is already converted to run ebpf!") 507 | sys.exit(0) 508 | -------------------------------------------------------------------------------- /files/scripts/start_ebpf_router.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import os 3 | import sys 4 | import json 5 | import subprocess 6 | import time 7 | import yaml 8 | 9 | def tc_status(interface, direction): 10 | process = subprocess.Popen(['tc', 'filter', 'show', 'dev', interface, direction], stdout=subprocess.PIPE, stderr=subprocess.PIPE) 11 | out, err = process.communicate() 12 | data = out.decode().splitlines() 13 | if(len(data)): 14 | return True 15 | else: 16 | return False 17 | 18 | def add_health_check_rules(lan_ip, lan_mask): 19 | if(os.path.exists('/opt/openziti/ziti-router/config.yml')): 20 | try: 21 | with open('/opt/openziti/ziti-router/config.yml') as config_file: 22 | config = yaml.load(config_file, Loader=yaml.FullLoader) 23 | if(config): 24 | if('web' in config.keys()): 25 | for key in config['web']: 26 | if(('name' in key.keys()) and (key['name'] == 'health-check')): 27 | if('bindPoints' in key.keys()): 28 | for point in key['bindPoints']: 29 | address = point['address'] 30 | addr_array = address.split(':') 31 | if(len(addr_array)): 32 | try: 33 | port = addr_array[-1].strip() 34 | if(int(port) > 0): 35 | os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp') 36 | except Exception as e: 37 | print(e) 38 | pass 39 | except Exception as e: 40 | print(e) 41 | 42 | 43 | def add_link_listener_rules(lan_ip, lan_mask): 44 | if(os.path.exists('/opt/openziti/ziti-router/config.yml')): 45 | try: 46 | with open('/opt/openziti/ziti-router/config.yml') as config_file: 47 | config = yaml.load(config_file, Loader=yaml.FullLoader) 48 | if(config): 49 | if('link' in config.keys()): 50 | if('listeners' in config['link'].keys()): 51 | for key in config['link']['listeners']: 52 | if(('binding' in key.keys()) and (key['binding'] == 'transport')): 53 | if('bind' in key.keys()): 54 | address = key['bind'] 55 | addr_array = address.split(':') 56 | if(len(addr_array) == 3): 57 | try: 58 | port = addr_array[-1].strip() 59 | if((int(port) > 0) and (addr_array[0] == 'tls')): 60 | os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp') 61 | except Exception as e: 62 | print(e) 63 | pass 64 | except Exception as e: 65 | print(e) 66 | 67 | def add_edge_listener_rules(lan_ip, lan_mask): 68 | if(os.path.exists('/opt/openziti/ziti-router/config.yml')): 69 | try: 70 | with open('/opt/openziti/ziti-router/config.yml') as config_file: 71 | config = yaml.load(config_file, Loader=yaml.FullLoader) 72 | if(config): 73 | if('listeners' in config.keys()): 74 | for key in config['listeners']: 75 | if(('binding' in key.keys()) and (key['binding'] == 'edge')): 76 | if('address' in key.keys()): 77 | address = key['address'] 78 | addr_array = address.split(':') 79 | if(len(addr_array) == 3): 80 | port = addr_array[-1].strip() 81 | try: 82 | port = addr_array[-1].strip() 83 | if((int(port) > 0) and (addr_array[0] == 'tls')): 84 | os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp') 85 | except Exception as e: 86 | print(e) 87 | pass 88 | except Exception as e: 89 | print(e) 90 | 91 | def add_resolver_rules(): 92 | if(os.path.exists('/opt/openziti/ziti-router/config.yml')): 93 | try: 94 | with open('/opt/openziti/ziti-router/config.yml') as config_file: 95 | config = yaml.load(config_file, Loader=yaml.FullLoader) 96 | if(config): 97 | if('listeners' in config.keys()): 98 | for key in config['listeners']: 99 | if(('binding' in key.keys()) and (key['binding'] == 'tunnel')): 100 | if('options' in key.keys()): 101 | if('resolver' in key['options']): 102 | address = key['options']['resolver'] 103 | addr_array = address.split(':') 104 | if(len(addr_array) == 3): 105 | port = addr_array[-1].strip() 106 | lan_ip = addr_array[1].split('//') 107 | lan_mask = '32' 108 | try: 109 | port = addr_array[-1].strip() 110 | lan_ip = addr_array[1].split('//')[1] 111 | if((int(port) > 0)): 112 | os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp') 113 | if(lan_ip == '100.127.255.254'): 114 | #special case for NF AWS Gateway loadbalance via DNS over GENEVE using 100.127.255.254 on loopback so add route on loopback 115 | os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p udp -r') 116 | else: 117 | os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p udp') 118 | except Exception as e: 119 | print(e) 120 | pass 121 | except Exception as e: 122 | print(e) 123 | 124 | def set_zfw_mode(): 125 | if(os.path.exists('/opt/openziti/ziti-router/config.yml')): 126 | try: 127 | with open('/opt/openziti/ziti-router/config.yml') as config_file: 128 | config = yaml.load(config_file, Loader=yaml.FullLoader) 129 | if(config): 130 | if('listeners' in config.keys()): 131 | for key in config['listeners']: 132 | if(('binding' in key.keys()) and (key['binding'] == 'tunnel')): 133 | if('options' in key.keys()): 134 | if('mode' in key['options']): 135 | if(key['options']['mode'] == 'tproxy:/opt/openziti/bin/zfw'): 136 | print("ziti-router config already converted to use ebpf diverter!") 137 | else: 138 | key['options']['mode'] = 'tproxy:/opt/openziti/bin/zfw' 139 | write_config(config) 140 | return True 141 | else: 142 | key['options']['mode'] = 'tproxy:/opt/openziti/bin/zfw' 143 | write_config(config) 144 | return True 145 | else: 146 | print('Mandatory key \'options\' missing from binding: tunnel') 147 | else: 148 | print('Mandatory key \'listeners\' missing in config.yml') 149 | except Exception as e: 150 | print(e) 151 | else: 152 | print('ziti-router not installed, skipping ebpf router configuration!') 153 | return False 154 | 155 | def write_config(config): 156 | try: 157 | with open('/opt/openziti/ziti-router/config.yml', 'w') as config_file: 158 | yaml.dump(config, config_file, sort_keys=False) 159 | except Exception as e: 160 | print(e) 161 | 162 | def get_lanIf(): 163 | if(os.path.exists('/opt/openziti/ziti-router/config.yml')): 164 | try: 165 | with open('/opt/openziti/ziti-router/config.yml') as config_file: 166 | config = yaml.load(config_file, Loader=yaml.FullLoader) 167 | if(config): 168 | if('listeners' in config.keys()): 169 | for key in config['listeners']: 170 | if(('binding' in key.keys()) and (key['binding'] == 'tunnel')): 171 | if('options' in key.keys()): 172 | if('lanIf' in key['options']): 173 | return key['options']['lanIf'] 174 | else: 175 | print('Mandatory key \'options\' missing from binding: tunnel') 176 | else: 177 | print('Mandatory key \'listeners\' missing in config.yml') 178 | except Exception as e: 179 | print(e) 180 | else: 181 | print('ziti-router not installed, skipping ebpf router configuration!') 182 | return '' 183 | 184 | def get_if_ip(intf): 185 | process = subprocess.Popen(['ip', 'add'], stdout=subprocess.PIPE, stderr=subprocess.PIPE) 186 | out, err = process.communicate() 187 | data = out.decode().splitlines() 188 | for line in data: 189 | if((line.find(intf) >= 0) and (line.find('inet') >= 0)): 190 | search_list = line.strip().split(" ") 191 | if(search_list[-1].strip() == intf): 192 | return search_list[1] 193 | else: 194 | return "" 195 | 196 | def set_local_rules(resolver): 197 | default_ip = '0.0.0.0' 198 | default_mask = '0' 199 | if(len(resolver.split('/')) == 2): 200 | lan_ip = resolver.split('/')[0] 201 | lan_mask = '32' 202 | else: 203 | lan_ip = default_ip 204 | lan_mask = default_mask 205 | add_edge_listener_rules(lan_ip, lan_mask) 206 | add_link_listener_rules(lan_ip, lan_mask) 207 | add_health_check_rules(lan_ip, lan_mask) 208 | add_resolver_rules() 209 | 210 | netfoundry = False 211 | if(os.path.exists('/opt/netfoundry/ziti/ziti-router/config.yml')): 212 | netfoundry = True 213 | print("Detected Netfoundry install/registration!") 214 | if(not os.path.exists('/opt/openziti/ziti-router/config.yml')): 215 | print("Installing symlink from /opt/openziti/ziti-router to /opt/netfoundry/ziti/ziti-router!") 216 | os.symlink('/opt/netfoundry/ziti/ziti-router', '/opt/openziti/ziti-router') 217 | else: 218 | print("Symlink found nothing to do!") 219 | 220 | lanIf = get_lanIf() 221 | if(not len(lanIf)): 222 | print("Unable to retrieve LanIf!") 223 | else: 224 | if(not os.path.exists('/opt/openziti/etc/ebpf_config.json')): 225 | if(os.path.exists('/opt/openziti/etc/ebpf_config.json.sample')): 226 | with open('/opt/openziti/etc/ebpf_config.json.sample','r') as jfile: 227 | try: 228 | config = json.loads(jfile.read()) 229 | if(config): 230 | if("InternalInterfaces" in config.keys()): 231 | interfaces = config["InternalInterfaces"] 232 | if len(interfaces): 233 | interface = interfaces[0] 234 | if("Name" in interface.keys()): 235 | interface['Name'] = lanIf 236 | else: 237 | print('Missing mandatory key: Name') 238 | sys.exit(1) 239 | else: 240 | print('Invalid config no interfaces found!') 241 | sys.exit(1) 242 | with open('/opt/openziti/etc/ebpf_config.json', 'w') as ofile: 243 | json.dump(config, ofile) 244 | except Exception as e: 245 | print('Malformed or missing json object in /opt/openziti/etc/ebpf_config.json.sample') 246 | sys.exit(1) 247 | else: 248 | print('File does not exist: /opt/openziti/etc/ebpf_config.json.sample') 249 | else: 250 | print('File already exist: /opt/openziti/etc/ebpf_config.json') 251 | 252 | router_config = set_zfw_mode() 253 | internal_list = [] 254 | external_list = [] 255 | per_interface_rules = dict() 256 | outbound_passthrough_track = dict() 257 | if(os.path.exists('/opt/openziti/etc/ebpf_config.json')): 258 | with open('/opt/openziti/etc/ebpf_config.json','r') as jfile: 259 | try: 260 | config = json.loads(jfile.read()) 261 | if(config): 262 | if("InternalInterfaces" in config.keys()): 263 | i_interfaces = config["InternalInterfaces"] 264 | if len(i_interfaces): 265 | for interface in i_interfaces: 266 | if("Name" in interface.keys()): 267 | print("Attempting to add ebpf ingress to: ",interface["Name"]) 268 | internal_list.append(interface["Name"]) 269 | if("OutboundPassThroughTrack") in interface.keys(): 270 | if(interface["OutboundPassThroughTrack"]): 271 | outbound_passthrough_track[interface["Name"]] = True; 272 | else: 273 | outbound_passthrough_track[interface["Name"]] = False; 274 | else: 275 | outbound_passthrough_track[interface["Name"]] = True; 276 | if("PerInterfaceRules") in interface.keys(): 277 | if(interface["PerInterfaceRules"]): 278 | per_interface_rules[interface["Name"]] = True; 279 | else: 280 | per_interface_rules[interface["Name"]] = False; 281 | else: 282 | per_interface_rules[interface["Name"]] = False; 283 | else: 284 | print('Mandatory key \"Name\" missing skipping internal interface entry!') 285 | 286 | else: 287 | print("No internal interfaces listed in /opt/openziti/etc/ebpf_config.json add at least one interface") 288 | sys.exit(1) 289 | if("ExternalInterfaces" in config.keys()): 290 | e_interfaces = config["ExternalInterfaces"] 291 | if len(e_interfaces): 292 | for interface in e_interfaces: 293 | if("Name" in interface.keys()): 294 | print("Attempting to add ebpf egress to: ",interface["Name"]) 295 | external_list.append(interface["Name"]) 296 | if("OutboundPassThroughTrack") in interface.keys(): 297 | if(interface["OutboundPassThroughTrack"]): 298 | outbound_passthrough_track[interface["Name"]] = True; 299 | else: 300 | outbound_passthrough_track[interface["Name"]] = False; 301 | else: 302 | outbound_passthrough_track[interface["Name"]] = True; 303 | if("PerInterfaceRules") in interface.keys(): 304 | if(interface["PerInterfaceRules"]): 305 | per_interface_rules[interface["Name"]] = True; 306 | else: 307 | per_interface_rules[interface["Name"]] = False; 308 | else: 309 | per_interface_rules[interface["Name"]] = True; 310 | else: 311 | print('Mandatory key \"Name\" missing skipping external interface entry!') 312 | else: 313 | print("No External interfaces listed in /opt/openziti/etc/ebpf_config.json") 314 | except Exception as e: 315 | print("Malformed or missing json object in /opt/openziti/etc/ebpf_config.json") 316 | sys.exit(1) 317 | else: 318 | print("Missing /opt/openziti/etc/ebpf_config.json can't set ebpf interface config") 319 | sys.exit(1) 320 | resolver = get_if_ip(lanIf) 321 | ingress_object_file = '/opt/openziti/bin/zfw_tc_ingress.o' 322 | egress_object_file = '/opt/openziti/bin/zfw_tc_outbound_track.o' 323 | status = subprocess.run(['/opt/openziti/bin/zfw', '-L', '-E'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) 324 | if(status.returncode): 325 | test1 = subprocess.run(['/opt/openziti/bin/zfw', '-Q'],stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) 326 | if(test1.returncode): 327 | print("Ebpf not running no maps to clear") 328 | for i in internal_list: 329 | if(not tc_status(i, "ingress")): 330 | test1 = os.system("/opt/openziti/bin/zfw -X " + i + " -O " + ingress_object_file + " -z ingress") 331 | time.sleep(1) 332 | if(test1): 333 | print("Cant attach " + i + " to tc ingress with " + ingress_object_file) 334 | continue 335 | else: 336 | print("Attached " + ingress_object_file + " to " + i) 337 | os.system("sudo ufw allow in on " + i + " to any") 338 | if(per_interface_rules[i]): 339 | os.system("/opt/openziti/bin/zfw -P " + i) 340 | if(not tc_status(i, "egress")): 341 | if(outbound_passthrough_track[i]): 342 | test1 = os.system("/opt/openziti/bin/zfw -X " + i + " -O " + egress_object_file + " -z egress") 343 | if(test1): 344 | print("Cant attach " + i + " to tc egress with " + egress_object_file) 345 | continue 346 | else: 347 | print("Attached " + egress_object_file + " to " + i) 348 | for e in external_list: 349 | if(not tc_status(e, "ingress")): 350 | test1 = os.system("/opt/openziti/bin/zfw -X " + e + " -O " + ingress_object_file + " -z ingress") 351 | if(test1): 352 | print("Cant attach " + e + " to tc ingress with " + ingress_object_file) 353 | continue 354 | else: 355 | print("Attached " + ingress_object_file + " to " + e) 356 | os.system("sudo ufw allow in on " +e + " to any") 357 | time.sleep(1) 358 | if(per_interface_rules[e]): 359 | os.system("/opt/openziti/bin/zfw -P " + e) 360 | if(not tc_status(e, "egress")): 361 | if(outbound_passthrough_track[e]): 362 | test1 = os.system("/opt/openziti/bin/zfw -X " + e + " -O " + egress_object_file + " -z egress") 363 | if(test1): 364 | print("Cant attach " + e + " to tc egress with " + egress_object_file) 365 | continue 366 | else: 367 | print("Attached " + egress_object_file + " to " + e) 368 | if(len(resolver)): 369 | set_local_rules(resolver) 370 | if(os.path.exists("/opt/openziti/bin/user/user_rules.sh")): 371 | print("Adding user defined rules") 372 | os.system("/opt/openziti/bin/user/user_rules.sh") 373 | else: 374 | print("ebpf already running!"); 375 | os.system("/usr/sbin/zfw -F -z ingress -r") 376 | print("Flushed Table") 377 | for i in internal_list: 378 | if(not tc_status(i, "ingress")): 379 | test1 = os.system("/opt/openziti/bin/zfw -X " + i + " -O " + ingress_object_file + " -z ingress") 380 | time.sleep(1) 381 | if(test1): 382 | print("Cant attach " + i + " to tc ingress with " + ingress_object_file) 383 | else: 384 | print("Attached " + ingress_object_file + " to " + i) 385 | os.system("sudo ufw allow in on " + i + " to any") 386 | if(per_interface_rules[i]): 387 | os.system("/opt/openziti/bin/zfw -P " + i) 388 | if(not tc_status(i, "egress")): 389 | if(outbound_passthrough_track[i]): 390 | test1 = os.system("/opt/openziti/bin/zfw -X " + i + " -O " + egress_object_file + " -z egress") 391 | if(test1): 392 | print("Cant attach " + i + " to tc egress with " + egress_object_file) 393 | else: 394 | print("Attached " + egress_object_file + " to " + i) 395 | for e in external_list: 396 | if(not tc_status(e, "ingress")): 397 | test1 = os.system("/opt/openziti/bin/zfw -X " + e + " -O " + ingress_object_file + " -z ingress") 398 | if(test1): 399 | print("Cant attach " + e + " to tc ingress with " + ingress_object_file) 400 | else: 401 | print("Attached " + ingress_object_file + " to " + e) 402 | os.system("sudo ufw allow in on " +e + " to any") 403 | time.sleep(1) 404 | if(per_interface_rules[e]): 405 | os.system("/opt/openziti/bin/zfw -P " + e) 406 | if(not tc_status(e, "egress")): 407 | if(outbound_passthrough_track[e]): 408 | test1 = os.system("/opt/openziti/bin/zfw -X " + e + " -O " + egress_object_file + " -z egress") 409 | if(test1): 410 | print("Cant attach " + e + " to tc egress with " + egress_object_file) 411 | else: 412 | print("Attached " + egress_object_file + " to " + e) 413 | if(len(resolver)): 414 | set_local_rules(resolver) 415 | if(os.path.exists("/opt/openziti/bin/user/user_rules.sh")): 416 | print("Adding user defined rules!") 417 | os.system("/opt/openziti/bin/user/user_rules.sh") 418 | 419 | if(os.path.exists('/etc/systemd/system/ziti-router.service') and router_config): 420 | unconfigured = os.system("grep -r 'ExecStartPre\=\-\/opt/openziti\/bin\/start_ebpf_router.py' /etc/systemd/system/ziti-router.service") 421 | if(unconfigured): 422 | test1 = 1 423 | test1 = os.system("sed -i '/ExecStart=/i ExecStartPre\=\-\/opt\/openziti\/bin\/start_ebpf_router.py' /etc/systemd/system/ziti-router.service") 424 | if(not test1): 425 | test1 = os.system("systemctl daemon-reload") 426 | if(not test1): 427 | print("Successfully converted ziti-router.service. Restarting!") 428 | os.system('systemctl restart ziti-router.service') 429 | if(not os.system('systemctl is-active --quiet ziti-router.service')): 430 | print("ziti-router.service successfully restarted!") 431 | else: 432 | print('ziti-router.service unable to start check router logs!') 433 | else: 434 | print("Failed to convert ziti-router.service!") 435 | else: 436 | print("ziti-router.service already converted. Nothing to do!") 437 | else: 438 | print("Skipping ziti-router.service conversion. File does not exist or is already converted to run ebpf!") 439 | sys.exit(0) 440 | -------------------------------------------------------------------------------- /files/scripts/start_ebpf_tunnel.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import os 3 | import sys 4 | import json 5 | import subprocess 6 | import time 7 | 8 | def tc_status(interface, direction): 9 | process = subprocess.Popen(['tc', 'filter', 'show', 'dev', interface, direction], stdout=subprocess.PIPE, stderr=subprocess.PIPE) 10 | out, err = process.communicate() 11 | data = out.decode().splitlines() 12 | if(len(data)): 13 | return True 14 | else: 15 | return False 16 | 17 | internal_list = [] 18 | external_list = [] 19 | per_interface_rules = dict() 20 | outbound_passthrough_track = dict() 21 | if(os.path.exists('/opt/openziti/etc/ebpf_config.json')): 22 | with open('/opt/openziti/etc/ebpf_config.json','r') as jfile: 23 | try: 24 | config = json.loads(jfile.read()) 25 | if(config): 26 | if("InternalInterfaces" in config.keys()): 27 | i_interfaces = config["InternalInterfaces"] 28 | if len(i_interfaces): 29 | for interface in i_interfaces: 30 | if("Name" in interface.keys()): 31 | print("Attempting to add ebpf ingress to: ",interface["Name"]) 32 | internal_list.append(interface["Name"]) 33 | if("OutboundPassThroughTrack") in interface.keys(): 34 | if(interface["OutboundPassThroughTrack"]): 35 | outbound_passthrough_track[interface["Name"]] = True; 36 | else: 37 | outbound_passthrough_track[interface["Name"]] = False; 38 | else: 39 | outbound_passthrough_track[interface["Name"]] = True; 40 | if("PerInterfaceRules") in interface.keys(): 41 | if(interface["PerInterfaceRules"]): 42 | per_interface_rules[interface["Name"]] = True; 43 | else: 44 | per_interface_rules[interface["Name"]] = False; 45 | else: 46 | per_interface_rules[interface["Name"]] = False; 47 | else: 48 | print('Mandatory key \"Name\" missing skipping internal interface entry!') 49 | 50 | else: 51 | print("No internal interfaces listed in /opt/openziti/etc/ebpf_config.json add at least one interface") 52 | sys.exit(1) 53 | if("ExternalInterfaces" in config.keys()): 54 | e_interfaces = config["ExternalInterfaces"] 55 | if len(e_interfaces): 56 | for interface in e_interfaces: 57 | if("Name" in interface.keys()): 58 | print("Attempting to add ebpf egress to: ",interface["Name"]) 59 | external_list.append(interface["Name"]) 60 | if("OutboundPassThroughTrack") in interface.keys(): 61 | if(interface["OutboundPassThroughTrack"]): 62 | outbound_passthrough_track[interface["Name"]] = True; 63 | else: 64 | outbound_passthrough_track[interface["Name"]] = False; 65 | else: 66 | outbound_passthrough_track[interface["Name"]] = True; 67 | if("PerInterfaceRules") in interface.keys(): 68 | if(interface["PerInterfaceRules"]): 69 | per_interface_rules[interface["Name"]] = True; 70 | else: 71 | per_interface_rules[interface["Name"]] = False; 72 | else: 73 | per_interface_rules[interface["Name"]] = True; 74 | else: 75 | print('Mandatory key \"Name\" missing skipping external interface entry!') 76 | else: 77 | print("No External interfaces listed in /opt/openziti/etc/ebpf_config.json") 78 | except Exception as e: 79 | print("Malformed or missing json object in /opt/openziti/etc/ebpf_config.json") 80 | sys.exit(1) 81 | else: 82 | print("Missing /opt/openziti/etc/ebpf_config.json can't set ebpf interface config") 83 | sys.exit(1) 84 | 85 | ingress_object_file = '/opt/openziti/bin/zfw_tc_ingress.o' 86 | egress_object_file = '/opt/openziti/bin/zfw_tc_outbound_track.o' 87 | if os.system("/opt/openziti/bin/zfw -L -E"): 88 | test1 = os.system("/opt/openziti/bin/zfw -Q") 89 | if test1: 90 | print("failed to clear ebpf maps") 91 | for i in internal_list: 92 | if(not tc_status(i, "ingress")): 93 | test1 = os.system("/opt/openziti/bin/zfw -X " + i + " -O " + ingress_object_file + " -z ingress") 94 | time.sleep(1) 95 | if(test1): 96 | print("Cant attach " + i + " to tc ingress with " + ingress_object_file) 97 | continue 98 | else: 99 | print("Attached " + ingress_object_file + " to " + i) 100 | os.system("sudo ufw allow in on " + i + " to any") 101 | os.system("/opt/openziti/bin/zfw -T " + i) 102 | if(per_interface_rules[i]): 103 | os.system("/opt/openziti/bin/zfw -P " + i) 104 | if(not tc_status(i, "egress")): 105 | if(outbound_passthrough_track[i]): 106 | test1 = os.system("/opt/openziti/bin/zfw -X " + i + " -O " + egress_object_file + " -z egress") 107 | if(test1): 108 | print("Cant attach " + i + " to tc egress with " + egress_object_file) 109 | continue 110 | else: 111 | print("Attached " + egress_object_file + " to " + i) 112 | for e in external_list: 113 | if(not tc_status(e, "ingress")): 114 | test1 = os.system("/opt/openziti/bin/zfw -X " + e + " -O " + ingress_object_file + " -z ingress") 115 | if(test1): 116 | print("Cant attach " + e + " to tc ingress with " + ingress_object_file) 117 | continue 118 | else: 119 | print("Attached " + ingress_object_file + " to " + e) 120 | os.system("sudo ufw allow in on " +e + " to any") 121 | time.sleep(1) 122 | os.system("/opt/openziti/bin/zfw -T " + e) 123 | if(per_interface_rules[e]): 124 | os.system("/opt/openziti/bin/zfw -P " + e) 125 | if(not tc_status(e, "egress")): 126 | if(outbound_passthrough_track[e]): 127 | test1 = os.system("/opt/openziti/bin/zfw -X " + e + " -O " + egress_object_file + " -z egress") 128 | if(test1): 129 | print("Cant attach " + e + " to tc egress with " + egress_object_file) 130 | continue 131 | else: 132 | print("Attached " + egress_object_file + " to " + e) 133 | if(os.path.exists("/opt/openziti/bin/user/user_rules.sh")): 134 | print("Adding user defined rules") 135 | os.system("/opt/openziti/bin/user/user_rules.sh") 136 | else: 137 | print("ebpf already running!"); 138 | os.system("/usr/sbin/zfw -F -z ingress") 139 | print("Flushed Table") 140 | for i in internal_list: 141 | if(not tc_status(i, "ingress")): 142 | test1 = os.system("/opt/openziti/bin/zfw -X " + i + " -O " + ingress_object_file + " -z ingress") 143 | time.sleep(1) 144 | if(test1): 145 | print("Cant attach " + i + " to tc ingress with " + ingress_object_file) 146 | else: 147 | print("Attached " + ingress_object_file + " to " + i) 148 | os.system("sudo ufw allow in on " + i + " to any") 149 | os.system("/opt/openziti/bin/zfw -T " + i) 150 | if(per_interface_rules[i]): 151 | os.system("/opt/openziti/bin/zfw -P " + i) 152 | if(not tc_status(i, "egress")): 153 | if(outbound_passthrough_track[i]): 154 | test1 = os.system("/opt/openziti/bin/zfw -X " + i + " -O " + egress_object_file + " -z egress") 155 | if(test1): 156 | print("Cant attach " + i + " to tc egress with " + egress_object_file) 157 | else: 158 | print("Attached " + egress_object_file + " to " + i) 159 | for e in external_list: 160 | if(not tc_status(e, "ingress")): 161 | test1 = os.system("/opt/openziti/bin/zfw -X " + e + " -O " + ingress_object_file + " -z ingress") 162 | if(test1): 163 | print("Cant attach " + e + " to tc ingress with " + ingress_object_file) 164 | else: 165 | print("Attached " + ingress_object_file + " to " + e) 166 | os.system("sudo ufw allow in on " +e + " to any") 167 | time.sleep(1) 168 | os.system("/opt/openziti/bin/zfw -T " + e) 169 | if(per_interface_rules[e]): 170 | os.system("/opt/openziti/bin/zfw -P " + e) 171 | if(not tc_status(e, "egress")): 172 | if(outbound_passthrough_track[e]): 173 | test1 = os.system("/opt/openziti/bin/zfw -X " + e + " -O " + egress_object_file + " -z egress") 174 | if(test1): 175 | print("Cant attach " + e + " to tc egress with " + egress_object_file) 176 | else: 177 | print("Attached " + egress_object_file + " to " + e) 178 | if(os.path.exists("/opt/openziti/bin/user/user_rules.sh")): 179 | print("Adding user defined rules") 180 | os.system("/opt/openziti/bin/user/user_rules.sh") 181 | sys.exit(0) 182 | -------------------------------------------------------------------------------- /files/scripts/user_rules.sh.sample: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #sudo /usr/sbin/zfw -I -c 192.168.1.108 -m 32 -l 8000 -h 8000 -t 0 -p tcp 3 | -------------------------------------------------------------------------------- /files/scripts/zfw_refresh: -------------------------------------------------------------------------------- 1 | * * * * * root /opt/openziti/bin/zfw -L -E > /dev/null 2 | * * * * * root /opt/openziti/bin/zfw -L -G > /dev/null 3 | 4 | -------------------------------------------------------------------------------- /files/scripts/zfwlogs: -------------------------------------------------------------------------------- 1 | /var/log/zfw.log { 2 | su root root 3 | weekly 4 | maxsize 1G 5 | minsize 500M 6 | rotate 7 7 | compress 8 | delaycompress 9 | missingok 10 | notifempty 11 | dateext 12 | create 644 root root 13 | postrotate 14 | /usr/bin/killall -HUP rsyslogd 15 | endscript 16 | } 17 | -------------------------------------------------------------------------------- /files/services/fw-init.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Ziti-FW-Init 3 | Requires=network.target 4 | After=network.target 5 | 6 | [Service] 7 | User=root 8 | WorkingDirectory=/opt/openziti/bin 9 | ExecStart=/opt/openziti/bin/start_ebpf_router.py 10 | RestartSec=5 11 | Restart=on-failure 12 | TimeoutStartSec=60 13 | 14 | [Install] 15 | WantedBy=multi-user.target 16 | -------------------------------------------------------------------------------- /files/services/zfw-logging.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=zfw-logging 3 | BindsTo=ziti-router.service 4 | After=ziti-router.service 5 | 6 | [Service] 7 | User=root 8 | ExecStart=/opt/openziti/bin/zfw_monitor -i all -W /var/log/zfw.log 9 | Restart=always 10 | RestartSec=3 11 | 12 | [Install] 13 | WantedBy=ziti-router.service 14 | -------------------------------------------------------------------------------- /files/services/ziti-fw-init.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Ziti-FW-Init 3 | Requires=network.target 4 | After=network.target 5 | 6 | [Service] 7 | User=root 8 | WorkingDirectory=/opt/openziti/bin 9 | ExecStart=/opt/openziti/bin/start_ebpf_tunnel.py 10 | RestartSec=5 11 | Restart=on-failure 12 | TimeoutStartSec=60 13 | 14 | [Install] 15 | WantedBy=multi-user.target 16 | -------------------------------------------------------------------------------- /files/services/ziti-wrapper.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Ziti-Wrapper 3 | BindsTo=ziti-edge-tunnel.service 4 | After=ziti-edge-tunnel.service 5 | 6 | [Service] 7 | User=root 8 | MemoryAccounting=yes 9 | MemoryHigh=80% 10 | EnvironmentFile=/opt/openziti/etc/ziti-edge-tunnel.env 11 | ExecStartPre=/bin/bash -c '! /usr/bin/systemctl is-active --quiet ziti-fw-init.service' 12 | ExecStartPre=/opt/openziti/bin/start_ebpf_tunnel.py 13 | ExecStart=/opt/openziti/bin/zfw_tunnwrapper 14 | ExecStartPost=-/opt/openziti/bin/set_xdp_redirect.py 15 | Restart=always 16 | RestartSec=3 17 | 18 | [Install] 19 | WantedBy=ziti-edge-tunnel.service 20 | -------------------------------------------------------------------------------- /src/Makefile: -------------------------------------------------------------------------------- 1 | SHELL=/bin/bash 2 | IDIR = /usr/include/aarch64-linux-gnu/ 3 | CFLAGS=-I$(IDIR) 4 | CC=clang 5 | uname_m := $(shell uname -m) 6 | all: zfw zfw_monitor zfw_tc_ingress.o zfw_tc_ingress.o zfw_xdp_tun_ingress.o zfw_tc_outbound_track.o zfw_tunnwrapper 7 | zfw: zfw.c 8 | ifeq ($(uname_m),aarch64) 9 | $(CC) -D BPF_MAX_ENTRIES=100000 -O1 -lbpf -o zfw zfw.c $(CFLAGS) 10 | else 11 | $(CC) -D BPF_MAX_ENTRIES=100000 -O1 -lbpf -o zfw zfw.c 12 | endif 13 | zfw_monitor: zfw_monitor.c 14 | ifeq ($(uname_m),aarch64) 15 | $(CC) -O1 -lbpf -o zfw_monitor zfw_monitor.c $(CFLAGS) 16 | else 17 | $(CC) -O1 -lbpf -o zfw_monitor zfw_monitor.c 18 | endif 19 | zfw_tc_ingress.o: zfw_tc_ingress.c 20 | ifeq ($(uname_m),aarch64) 21 | $(CC) -D BPF_MAX_ENTRIES=100000 -g -O2 -Wall -Wextra -target bpf -c zfw_tc_ingress.c -o zfw_tc_ingress.o $(CFLAGS) 22 | else 23 | $(CC) -D BPF_MAX_ENTRIES=100000 -g -O2 -Wall -Wextra -target bpf -c zfw_tc_ingress.c -o zfw_tc_ingress.o 24 | endif 25 | zfw_xdp_tun_ingress.o: zfw_xdp_tun_ingress.c 26 | ifeq ($(uname_m),aarch64) 27 | $(CC) -O2 -g -Wall -target bpf -c zfw_xdp_tun_ingress.c -o zfw_xdp_tun_ingress.o $(CFLAGS) 28 | else 29 | $(CC) -O2 -g -Wall -target bpf -c zfw_xdp_tun_ingress.c -o zfw_xdp_tun_ingress.o 30 | endif 31 | zfw_tc_outbound_track.o: zfw_tc_outbound_track.c 32 | ifeq ($(uname_m),aarch64) 33 | $(CC) -D BPF_MAX_ENTRIES=100000 -g -O2 -Wall -Wextra -target bpf -c -o zfw_tc_outbound_track.o zfw_tc_outbound_track.c $(CFLAGS) 34 | else 35 | $(CC) -D BPF_MAX_ENTRIES=100000 -g -O2 -Wall -Wextra -target bpf -c -o zfw_tc_outbound_track.o zfw_tc_outbound_track.c 36 | endif 37 | zfw_tunnwrapper: zfw_tunnel_wrapper.c 38 | $(CC) -o zfw_tunnwrapper zfw_tunnel_wrapper.c -l json-c 39 | clean: 40 | rm -fr zfw zfw_monitor zfw_tc_ingress.o zfw_tunnwrapper zfw_tc_ingress.o zfw_xdp_tun_ingress.o zfw_tc_outbound_track.o 41 | install: 42 | ./install.sh $(ARGS) 43 | -------------------------------------------------------------------------------- /src/install.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | if [ $# -lt 1 ]; then 3 | echo "" 4 | echo "Usage:" 5 | echo " $0 " 6 | exit 7 | fi 8 | if [ $1 == "router" ] 9 | then 10 | if [ ! -d "/opt/openziti/bin/user" ] 11 | then 12 | mkdir -p /opt/openziti/bin/user 13 | fi 14 | if [ ! -d "/opt/openziti/etc" ] 15 | then 16 | mkdir -p /opt/openziti/etc 17 | fi 18 | cp zfw /opt/openziti/bin 19 | cp zfw_monitor /opt/openziti/bin 20 | cp zfw_tc_ingress.o /opt/openziti/bin 21 | cp zfw_tc_outbound_track.o /opt/openziti/bin 22 | cp ../files/scripts/start_ebpf_router.py /opt/openziti/bin 23 | cp ../files/scripts/zfw_refresh /etc/cron.d 24 | cp ../files/scripts/revert_ebpf_router.py /opt/openziti/bin 25 | cp ../files/scripts/revert_ebpf_router.py /opt/openziti/bin 26 | cp ../files/scripts/zfwlogs /etc/logrotate.d 27 | cp ../files/scripts/user_rules.sh.sample /opt/openziti/bin/user 28 | cp ../files/json/ebpf_config.json.sample /opt/openziti/etc 29 | cp ../files/services/zfw-logging.service /etc/systemd/system 30 | cp ../files/services/fw-init.service /etc/systemd/system 31 | chmod 744 /opt/openziti/bin/start_ebpf_router.py 32 | chmod 744 /opt/openziti/bin/revert_ebpf_router.py 33 | chmod 744 /opt/openziti/bin/user/user_rules.sh.sample 34 | chmod 744 /opt/openziti/bin/zfw 35 | chmod 644 /etc/cron.d/zfw_refresh 36 | if [ ! -L "/usr/sbin/zfw" ] 37 | then 38 | ln -s /opt/openziti/bin/zfw /usr/sbin/zfw 39 | fi 40 | chmod 744 /opt/openziti/bin/zfw_monitor 41 | if [ ! -L "/usr/sbin/zfw_monitor" ] 42 | then 43 | ln -s /opt/openziti/bin/zfw_monitor /usr/sbin/zfw_monitor 44 | fi 45 | elif [ $1 == "tunnel" ] 46 | then 47 | if [ -d "/opt/openziti/bin" ] && [ -d "/opt/openziti/etc" ] 48 | then 49 | if [ ! -d "/opt/openziti/bin/user" ] 50 | then 51 | mkdir -p /opt/openziti/bin/user 52 | fi 53 | cp zfw /opt/openziti/bin 54 | cp zfw_monitor /opt/openziti/bin 55 | cp zfw_tc_ingress.o /opt/openziti/bin 56 | cp zfw_tc_outbound_track.o /opt/openziti/bin 57 | cp zfw_xdp_tun_ingress.o /opt/openziti/bin 58 | cp zfw_tunnwrapper /opt/openziti/bin 59 | cp ../files/scripts/start_ebpf_tunnel.py /opt/openziti/bin 60 | cp ../files/scripts/zfw_refresh /etc/cron.d 61 | cp ../files/scripts/set_xdp_redirect.py /opt/openziti/bin 62 | cp ../files/scripts/zfwlogs /etc/logrotate.d 63 | cp ../files/scripts/user_rules.sh.sample /opt/openziti/bin/user 64 | cp ../files/json/ebpf_config.json.sample /opt/openziti/etc 65 | cp ../files/services/ziti-wrapper.service /etc/systemd/system 66 | cp ../files/services/ziti-fw-init.service /etc/systemd/system 67 | cp ../files/services/zfw-logging.service /etc/systemd/system 68 | chmod 744 /opt/openziti/bin/start_ebpf_tunnel.py 69 | chmod 744 /opt/openziti/bin/set_xdp_redirect.py 70 | chmod 744 /opt/openziti/bin/user/user_rules.sh.sample 71 | chmod 744 /opt/openziti/bin/zfw_tunnwrapper 72 | chmod 744 /opt/openziti/bin/zfw 73 | chmod 644 /etc/cron.d/zfw_refresh 74 | if [ ! -L "/usr/sbin/zfw" ] 75 | then 76 | ln -s /opt/openziti/bin/zfw /usr/sbin/zfw 77 | fi 78 | chmod 744 /opt/openziti/bin/zfw_monitor 79 | if [ ! -L "/usr/sbin/zfw_monitor" ] 80 | then 81 | ln -s /opt/openziti/bin/zfw_monitor /usr/sbin/zfw_monitor 82 | fi 83 | else 84 | echo "ziti-edge-tunnel not installed!" 85 | exit 1 86 | fi 87 | elif [ $1 == "controller" ] 88 | then 89 | if [ ! -d "/opt/openziti/bin/user" ] 90 | then 91 | mkdir -p /opt/openziti/bin/user 92 | fi 93 | if [ ! -d "/opt/openziti/etc" ] 94 | then 95 | mkdir -p /opt/openziti/etc 96 | fi 97 | cp zfw /opt/openziti/bin 98 | cp zfw_monitor /opt/openziti/bin 99 | cp zfw_tc_ingress.o /opt/openziti/bin 100 | cp zfw_tc_outbound_track.o /opt/openziti/bin 101 | cp ../files/scripts/start_ebpf_controller.py /opt/openziti/bin 102 | cp ../files/scripts/zfw_refresh /etc/cron.d 103 | cp ../files/scripts/revert_ebpf_controller.py /opt/openziti/bin 104 | cp ../files/scripts/zfwlogs /etc/logrotate.d 105 | cp ../files/scripts/user_rules.sh.sample /opt/openziti/bin/user 106 | cp ../files/json/ebpf_config.json.sample /opt/openziti/etc 107 | cp ../files/services/zfw-logging.service /etc/systemd/system 108 | cp ../files/services/fw-init.service /etc/systemd/system 109 | chmod 744 /opt/openziti/bin/start_ebpf_controller.py 110 | chmod 744 /opt/openziti/bin/user/user_rules.sh.sample 111 | chmod 744 /opt/openziti/bin/zfw 112 | chmod 644 /etc/cron.d/zfw_refresh 113 | if [ ! -L "/usr/sbin/zfw" ] 114 | then 115 | ln -s /opt/openziti/bin/zfw /usr/sbin/zfw 116 | fi 117 | chmod 744 /opt/openziti/bin/zfw_monitor 118 | if [ ! -L "/usr/sbin/zfw_monitor" ] 119 | then 120 | ln -s /opt/openziti/bin/zfw_monitor /usr/sbin/zfw_monitor 121 | fi 122 | fi 123 | exit 0 124 | -------------------------------------------------------------------------------- /src/zfw_xdp_tun_ingress.c: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2022 Robert Caamano */ 2 | /* SPDIX-License-Identifier: SPDX-License-Identifier: LGPL-2.1+ 3 | * This program is free software: you can redistribute it and/or modify 4 | * it under the terms of the GNU General Public License as published by 5 | * the Free Software Foundation, either version 3 of the License, or 6 | * (at your option) any later version. 7 | 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * GNU General Public License for more details. 12 | * see . 13 | */ 14 | 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | 28 | #ifndef memcpy 29 | #define memcpy(dest, src, n) __builtin_memcpy((dest), (src), (n)) 30 | #endif 31 | #define MAX_IF_ENTRIES 30 32 | #define BPF_MAX_TUN_SESSIONS 10000 33 | #define INGRESS 0 34 | #define NO_REDIRECT_STATE_FOUND 10 35 | 36 | struct bpf_event{ 37 | __u8 version; 38 | unsigned long long tstamp; 39 | __u32 ifindex; 40 | __u32 tun_ifindex; 41 | __u32 daddr[4]; 42 | __u32 saddr[4]; 43 | __u16 sport; 44 | __u16 dport; 45 | __u16 tport; 46 | __u8 proto; 47 | __u8 direction; 48 | __u8 error_code; 49 | __u8 tracking_code; 50 | unsigned char source[6]; 51 | unsigned char dest[6]; 52 | }; 53 | 54 | /*Key to tun_map*/ 55 | struct tun_key { 56 | union { 57 | __u32 ip; 58 | __u32 ip6[4]; 59 | }__in46_u_dst; 60 | union { 61 | __u32 ip; 62 | __u32 ip6[4]; 63 | }__in46_u_src; 64 | __u16 sport; 65 | __u16 dport; 66 | __u8 protocol; 67 | __u8 type; 68 | }; 69 | 70 | /*Value to tun_map*/ 71 | struct tun_state { 72 | unsigned long long tstamp; 73 | unsigned int ifindex; 74 | unsigned char source[6]; 75 | unsigned char dest[6]; 76 | }; 77 | 78 | /*value to ifindex_tun_map*/ 79 | struct ifindex_tun { 80 | uint32_t index; 81 | char ifname[IFNAMSIZ]; 82 | char cidr[16]; 83 | uint32_t resolver; 84 | char mask[3]; 85 | bool verbose; 86 | }; 87 | 88 | /*tun ifindex map*/ 89 | struct { 90 | __uint(type, BPF_MAP_TYPE_ARRAY); 91 | __uint(key_size, sizeof(uint32_t)); 92 | __uint(value_size, sizeof(struct ifindex_tun)); 93 | __uint(max_entries, 1); 94 | __uint(pinning, LIBBPF_PIN_BY_NAME); 95 | } ifindex_tun_map SEC(".maps"); 96 | 97 | /*Ringbuf map*/ 98 | struct { 99 | __uint(type, BPF_MAP_TYPE_RINGBUF); 100 | __uint(max_entries, 256 * 1024); 101 | __uint(pinning, LIBBPF_PIN_BY_NAME); 102 | } rb_map SEC(".maps"); 103 | 104 | /*Hashmap to track tun interface inbound passthrough connections*/ 105 | struct { 106 | __uint(type, BPF_MAP_TYPE_LRU_HASH); 107 | __uint(key_size, sizeof(struct tun_key)); 108 | __uint(value_size,sizeof(struct tun_state)); 109 | __uint(max_entries, BPF_MAX_TUN_SESSIONS); 110 | __uint(pinning, LIBBPF_PIN_BY_NAME); 111 | } tun_map SEC(".maps"); 112 | 113 | static inline struct tun_state *get_tun(struct tun_key key){ 114 | struct tun_state *ts; 115 | ts = bpf_map_lookup_elem(&tun_map, &key); 116 | return ts; 117 | } 118 | 119 | /*get entry from tun ifindex map*/ 120 | static inline struct ifindex_tun *get_tun_index(uint32_t key){ 121 | struct ifindex_tun *iftun; 122 | iftun = bpf_map_lookup_elem(&ifindex_tun_map, &key); 123 | return iftun; 124 | } 125 | 126 | static inline void send_event(struct bpf_event *new_event){ 127 | struct bpf_event *rb_event; 128 | rb_event = bpf_ringbuf_reserve(&rb_map, sizeof(*rb_event), 0); 129 | if(rb_event){ 130 | rb_event->version = new_event->version; 131 | rb_event->ifindex = new_event->ifindex; 132 | rb_event->tun_ifindex = new_event->tun_ifindex; 133 | rb_event->tstamp = new_event->tstamp; 134 | memcpy(rb_event->daddr, new_event->daddr, sizeof(rb_event->daddr)); 135 | memcpy(rb_event->saddr, new_event->saddr, sizeof(rb_event->saddr)); 136 | rb_event->dport = new_event->dport; 137 | rb_event->sport = new_event->sport; 138 | rb_event->tport = new_event->tport; 139 | rb_event->proto = new_event->proto; 140 | rb_event->direction = new_event->direction; 141 | rb_event->tracking_code = new_event->tracking_code; 142 | rb_event->error_code = new_event->error_code; 143 | for(int x =0; x < 6; x++){ 144 | rb_event->source[x] = new_event->source[x]; 145 | rb_event->dest[x] = new_event->dest[x]; 146 | } 147 | bpf_ringbuf_submit(rb_event, 0); 148 | } 149 | } 150 | 151 | SEC("xdp_redirect") 152 | int xdp_redirect_prog(struct xdp_md *ctx) 153 | { 154 | /*look up attached interface inbound diag status*/ 155 | struct ifindex_tun *tun_diag = get_tun_index(0); 156 | if (!tun_diag) 157 | { 158 | return XDP_PASS; 159 | } 160 | struct iphdr *iph = (struct iphdr *)(unsigned long)(ctx->data); 161 | /* ensure ip header is in packet bounds */ 162 | if ((unsigned long)(iph + 1) > (unsigned long)ctx->data_end){ 163 | return XDP_PASS; 164 | } 165 | /* ip options not allowed */ 166 | if (iph->ihl != 5){ 167 | 168 | return XDP_PASS; 169 | } 170 | unsigned long long tstamp = bpf_ktime_get_ns(); 171 | struct bpf_event event = { 172 | 0, 173 | tstamp, 174 | ctx->ingress_ifindex, 175 | 0, 176 | {0,0,0,0}, 177 | {0,0,0,0}, 178 | 0, 179 | 0, 180 | 0, 181 | 0, 182 | INGRESS, 183 | 0, 184 | 0, 185 | {0}, 186 | {0} 187 | }; 188 | struct tun_key tun_state_key = {0}; 189 | if(iph->version == 4){ 190 | event.version = iph->version; 191 | __u8 protocol = iph->protocol; 192 | tun_state_key.__in46_u_dst.ip = iph->saddr; 193 | tun_state_key.__in46_u_src.ip = iph->daddr; 194 | tun_state_key.protocol = protocol; 195 | event.proto = protocol; 196 | if(protocol == IPPROTO_TCP){ 197 | struct tcphdr *tcph = (struct tcphdr *)((unsigned long)iph + sizeof(*iph)); 198 | if ((unsigned long)(tcph + 1) > (unsigned long)ctx->data_end){ 199 | return XDP_PASS; 200 | } 201 | event.dport = tcph->dest; 202 | event.sport = tcph->source; 203 | tun_state_key.sport = tcph->dest; 204 | tun_state_key.dport = tcph->source; 205 | }else if (protocol == IPPROTO_UDP){ 206 | struct udphdr *udph = (struct udphdr *)((unsigned long)iph + sizeof(*iph)); 207 | if ((unsigned long)(udph + 1) > (unsigned long)ctx->data_end){ 208 | return XDP_PASS; 209 | } 210 | event.dport = udph->dest; 211 | event.sport = udph->source; 212 | tun_state_key.sport = udph->dest; 213 | tun_state_key.dport = udph->source; 214 | } 215 | tun_state_key.type = 4; 216 | struct tun_state *tus = get_tun(tun_state_key); 217 | if(tus){ 218 | bpf_xdp_adjust_head(ctx, -14); 219 | struct ethhdr *eth = (struct ethhdr *)(unsigned long)(ctx->data); 220 | /* verify its a valid eth header within the packet bounds */ 221 | if ((unsigned long)(eth + 1) > (unsigned long)ctx->data_end){ 222 | return XDP_PASS; 223 | } 224 | if(tun_diag->verbose){ 225 | event.tun_ifindex = tus->ifindex; 226 | __u32 saddr_array[4] = {tun_state_key.__in46_u_dst.ip,0,0,0}; 227 | __u32 daddr_array[4] = {tun_state_key.__in46_u_src.ip,0,0,0}; 228 | memcpy(event.saddr,saddr_array, sizeof(event.saddr)); 229 | memcpy(event.daddr,daddr_array, sizeof(event.daddr)); 230 | memcpy(&event.source, &tus->dest, 6); 231 | memcpy(&event.dest, &tus->source, 6); 232 | send_event(&event); 233 | } 234 | memcpy(ð->h_dest, &tus->source,6); 235 | memcpy(ð->h_source, &tus->dest,6); 236 | unsigned short proto = bpf_htons(ETH_P_IP); 237 | memcpy(ð->h_proto, &proto, sizeof(proto)); 238 | return bpf_redirect(tus->ifindex,0); 239 | } 240 | }else 241 | { 242 | struct ipv6hdr *ip6h = (struct ipv6hdr *)(unsigned long)(ctx->data); 243 | /* ensure ip header is in packet bounds */ 244 | if ((unsigned long)(ip6h + 1) > (unsigned long)ctx->data_end){ 245 | return XDP_PASS; 246 | } 247 | __u8 protocol = ip6h->nexthdr; 248 | memcpy(tun_state_key.__in46_u_dst.ip6, ip6h->saddr.in6_u.u6_addr32, sizeof(ip6h->saddr.in6_u.u6_addr32)); 249 | memcpy(tun_state_key.__in46_u_src.ip6, ip6h->daddr.in6_u.u6_addr32, sizeof(ip6h->daddr.in6_u.u6_addr32)); 250 | tun_state_key.protocol = protocol; 251 | event.proto = protocol; 252 | if(protocol == IPPROTO_TCP){ 253 | struct tcphdr *tcph = (struct tcphdr *)((unsigned long)ip6h + sizeof(*ip6h)); 254 | if ((unsigned long)(tcph + 1) > (unsigned long)ctx->data_end){ 255 | return XDP_PASS; 256 | } 257 | event.dport = tcph->dest; 258 | event.sport = tcph->source; 259 | tun_state_key.sport = tcph->dest; 260 | tun_state_key.dport = tcph->source; 261 | }else if (protocol == IPPROTO_UDP){ 262 | struct udphdr *udph = (struct udphdr *)((unsigned long)ip6h + sizeof(*ip6h)); 263 | if ((unsigned long)(udph + 1) > (unsigned long)ctx->data_end){ 264 | return XDP_PASS; 265 | } 266 | event.dport = udph->dest; 267 | event.sport = udph->source; 268 | tun_state_key.sport = udph->dest; 269 | tun_state_key.dport = udph->source; 270 | } 271 | struct tun_state *tus = get_tun(tun_state_key); 272 | if(tus){ 273 | bpf_xdp_adjust_head(ctx, -14); 274 | struct ethhdr *eth = (struct ethhdr *)(unsigned long)(ctx->data); 275 | /* verify its a valid eth header within the packet bounds */ 276 | if ((unsigned long)(eth + 1) > (unsigned long)ctx->data_end){ 277 | return XDP_PASS; 278 | } 279 | if(tun_diag->verbose){ 280 | event.tun_ifindex = tus->ifindex; 281 | memcpy(event.saddr, tun_state_key.__in46_u_dst.ip6, sizeof(event.saddr)); 282 | memcpy(event.daddr, tun_state_key.__in46_u_src.ip6, sizeof(event.daddr)); 283 | memcpy(&event.source, &tus->dest, 6); 284 | memcpy(&event.dest, &tus->source, 6); 285 | send_event(&event); 286 | } 287 | memcpy(ð->h_dest, &tus->source,6); 288 | memcpy(ð->h_source, &tus->dest,6); 289 | unsigned short proto = bpf_htons(ETH_P_IPV6); 290 | memcpy(ð->h_proto, &proto, sizeof(proto)); 291 | return bpf_redirect(tus->ifindex,0); 292 | } 293 | } 294 | if(tun_diag->verbose){ 295 | event.error_code = NO_REDIRECT_STATE_FOUND; 296 | send_event(&event); 297 | } 298 | return XDP_PASS; 299 | } 300 | 301 | char _license[] SEC("license") = "GPL"; 302 | --------------------------------------------------------------------------------