diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a8b99f3..a52f1aa 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -146,7 +146,7 @@ jobs: run: | sudo apt-get update -qq sudo apt-get upgrade -yqq - sudo apt-get install -y jq gcc clang libbpfcc-dev libbpf-dev libjson-c-dev alien + sudo apt-get install -y jq gcc clang libbpfcc-dev libbpf-dev libjson-c-dev sudo apt-get install -y linux-headers-$(uname -r) - name: Compile Object file from Source @@ -230,20 +230,9 @@ jobs: - name: Build deb package run: | dpkg-deb --build -Z gzip --root-owner-group ${{ steps.deb_dir.outputs.deb_dir }} - - - name: Build rpm package - run: | - sudo alien -r ${{ steps.deb_dir.outputs.deb_dir }}.deb - mv ${{ env.APP_NAME }}-${{ matrix.ziti_type }}-${{ steps.version.outputs.version }}-2.${{ matrix.goarch }}.rpm ${{ env.APP_NAME }}-${{ matrix.ziti_type }}-${{ steps.version.outputs.version }}.${{ matrix.goarch }}.rpm - uses: actions/upload-artifact@v4 with: name: artifact-${{ matrix.ziti_type }}-${{ matrix.goarch }}-deb path: | ./*.deb - - - uses: actions/upload-artifact@v4 - with: - name: artifact-${{ matrix.ziti_type }}-${{ matrix.goarch }}-rpm - path: | - ./*.rpm diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 82e3ec5..2fb7798 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -147,7 +147,7 @@ jobs: run: | sudo apt-get update -qq sudo apt-get upgrade -yqq - sudo apt-get install -y jq gcc clang libbpfcc-dev libbpf-dev libjson-c-dev alien + sudo apt-get install -y jq gcc clang libbpfcc-dev libbpf-dev libjson-c-dev sudo apt-get install -y linux-headers-$(uname -r) - name: Compile Object file from Source 
@@ -231,23 +231,12 @@ jobs: - name: Build deb package run: | dpkg-deb --build -Z gzip --root-owner-group ${{ steps.deb_dir.outputs.deb_dir }} - - - name: Build rpm package - run: | - sudo alien -r ${{ steps.deb_dir.outputs.deb_dir }}.deb - mv ${{ env.APP_NAME }}-${{ matrix.ziti_type }}-${{ steps.version.outputs.version }}-2.${{ matrix.goarch }}.rpm ${{ env.APP_NAME }}-${{ matrix.ziti_type }}-${{ steps.version.outputs.version }}.${{ matrix.goarch }}.rpm - uses: actions/upload-artifact@v4 with: name: artifact-${{ matrix.ziti_type }}-${{ matrix.goarch }}-deb path: | ./*.deb - - - uses: actions/upload-artifact@v4 - with: - name: artifact-${{ matrix.ziti_type }}-${{ matrix.goarch }}-rpm - path: | - ./*.rpm deploy_release: runs-on: ubuntu-22.04 @@ -281,7 +270,14 @@ jobs: goarch: [amd64, arm64] pkg_type: [deb, rpm] steps: - - uses: actions/download-artifact@v4 + - name: download x86 artifacts + if: ${{ (matrix.goarch == 'amd64') && ((matrix.pkg_type != 'deb') || (matrix.pkg_type != 'rpm')) }} + uses: actions/download-artifact@v4 + with: + name: artifact-${{ matrix.ziti_type }}-${{ matrix.goarch }}-${{ matrix.pkg_type }} + - name: download arm64 artifacts + if: ${{ (matrix.goarch == 'arm64') && (matrix.pkg_type == 'deb') }} + uses: actions/download-artifact@v4 with: name: artifact-${{ matrix.ziti_type }}-${{ matrix.goarch }}-${{ matrix.pkg_type }} - name: Upload built deb artifacts 
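Review bot: The `if:` on the new `download x86 artifacts` step is a tautology — `(matrix.pkg_type != 'deb') || (matrix.pkg_type != 'rpm')` holds for every value of `pkg_type`, so the guard reduces to `matrix.goarch == 'amd64'`; if the intent is "both deb and rpm for amd64", write `if: ${{ matrix.goarch == 'amd64' }}` so the condition says what it means. Because the arm64 step only downloads `deb`, the matrix still spawns an `arm64`/`rpm` job that downloads nothing and, with the arm64 rpm upload step removed in the following hunk, has no remaining work; an `exclude:` entry under the matrix (`- goarch: arm64` with `pkg_type: rpm`) would drop it instead of leaving a silently empty job. The `steps:` list continues past the end of this hunk.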
@@ -302,12 +298,3 @@ jobs: file: ./${{ env.APP_NAME }}-${{ matrix.ziti_type }}-${{ needs.build_amd64_release.outputs.version }}.x86_64.${{ matrix.pkg_type }} release_name: ${{ needs.build_amd64_release.outputs.version }} tag: v${{ needs.build_amd64_release.outputs.version }} - - name: Upload built arm64 rpm artifacts - if: ${{ (matrix.pkg_type == 'rpm') && (matrix.goarch == 'arm64') }} - uses: svenstaro/upload-release-action@2.9.0 - env: - GITHUB_TOKEN: ${{ github.token }} - with: - file: ./${{ env.APP_NAME }}-${{ matrix.ziti_type }}-${{ needs.build_amd64_release.outputs.version }}.${{ matrix.goarch }}.${{ matrix.pkg_type }} - release_name: ${{ needs.build_amd64_release.outputs.version }} - tag: v${{ needs.build_amd64_release.outputs.version }} diff --git a/BUILD.md b/BUILD.md index 1dbd217..5121085 100644 --- a/BUILD.md +++ b/BUILD.md @@ -1,6 +1,6 @@ ## Build from source --- -- OS/Platform: Ubuntu 22.04 / amd64 +- OS/Platform: Ubuntu 22.04+ / amd64 1. install libraries **Ubuntu 22.04 server / amd64** (kernel 5.15 or higher) @@ -12,18 +12,8 @@ sudo apt install -y gcc clang libc6-dev-i386 libbpfcc-dev libbpf-dev libjson-c-dev make ``` - 1. Compile: - ```bash - mkdir ~/repos - cd repos - git clone https://github.com/netfoundry/zfw.git - cd zfw/src - make all - sudo make install ARGS= - ``` - -- OS/Platform: Ubuntu 22.04 / arm64 +- OS/Platform: Ubuntu 22.04+ / arm64 1. install libraries **Ubuntu 22.04 server / arm** (kernel 5.15 or higher) 
@@ -35,16 +25,23 @@ sudo apt-get install -y gcc clang libbpfcc-dev libbpf-dev libjson-c-dev make ``` - 1. Compile: +- OS/Platform: RH 9.4 / x86_64 + 1. install libraries + ```bash + sudo yum update + sudo subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms + sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm + sudo yum install -y clang bcc-devel libbpf-devel iproute-devel iproute-tc glibc-devel.i686 git json-c-devel + ``` + +- Build + 1. compile binaries ```bash mkdir ~/repos cd repos - git clone https://github.com/netfoundry/zfw.git + git clone https://github.com/netfoundry/zfw.git cd zfw/src make all sudo make install ARGS= - ``` - - - + ``` diff --git a/CHANGELOG.md b/CHANGELOG.md index 837a0d3..b5aecc3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,14 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). --- +### +# [0.8.9] - 2024-07-28 + +- Removed arm64 rpm package build for RH from workflows +- updated BUILD.md with info on x86_64 RH build prerequisites +- Fixed issue with -F, --flush introduced when adding flush for all, ingress and egress +- Updated start_ebpf_router.py and start_ebpf_tunnel.py to only clear ingress filters on restart. + ### # [0.8.8] - 2024-07-24 diff --git a/README.md b/README.md index 7be64e6..82aacdb 100644 --- a/README.md +++ b/README.md @@ -252,7 +252,7 @@ The program is designed to integrated into an existing Openziti ziti-router inst ``` sudo dpkg -i zfw-router__.deb ``` -Install from source ubuntu 22.04+ / Debian 12 +Install from source ubuntu 22.04+ / Debian 12 / Redhat 9.4 [build / install zfw from source](./BUILD.md) **The following instructions pertain to both zfw-tunnel and zfw-router. Platform specific functions will be noted explicitly** 
diff --git a/files/scripts/start_ebpf_router.py b/files/scripts/start_ebpf_router.py
index c8c87a2..5d89a12 100755
--- a/files/scripts/start_ebpf_router.py
+++ b/files/scripts/start_ebpf_router.py
@@ -370,7 +370,7 @@ def set_local_rules(resolver):
 os.system("/opt/openziti/bin/user/user_rules.sh")
 else:
 print("ebpf already running!");
- os.system("/usr/sbin/zfw -F -r")
+ os.system("/usr/sbin/zfw -F -z ingress -r")
 print("Flushed Table")
 for i in internal_list:
 if(not tc_status(i, "ingress")):
diff --git a/files/scripts/start_ebpf_tunnel.py b/files/scripts/start_ebpf_tunnel.py
index c252759..29f0e9d 100755
--- a/files/scripts/start_ebpf_tunnel.py
+++ b/files/scripts/start_ebpf_tunnel.py
@@ -135,7 +135,7 @@ def tc_status(interface, direction):
 os.system("/opt/openziti/bin/user/user_rules.sh")
 else:
 print("ebpf already running!");
- os.system("/usr/sbin/zfw -F")
+ os.system("/usr/sbin/zfw -F -z ingress")
 print("Flushed Table")
 for i in internal_list:
 if(not tc_status(i, "ingress")):
diff --git a/src/zfw.c b/src/zfw.c
index 67b93e1..dcfabe3 100644
--- a/src/zfw.c
+++ b/src/zfw.c
@@ -234,7 +234,7 @@ char *object_file;
 char *direction_string;
 char check_alt[IF_NAMESIZE];
-const char *argp_program_version = "0.8.8";
+const char *argp_program_version = "0.8.9";
 struct ring_buffer *ring_buffer;
 __u32 if_list[MAX_IF_LIST_ENTRIES];
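Review bot: The exit status of `os.system("/usr/sbin/zfw -F -z ingress -r")` is discarded, so a failed flush (binary missing, non-zero exit) still prints `Flushed Table` and the restart appears to carry on re-attaching filters over whatever was left in the maps; the same applies to the `-F -z ingress` call in start_ebpf_tunnel.py in the next hunk. Keep the status and act on it — `rc = os.system("/usr/sbin/zfw -F -z ingress -r")` followed by `if rc != 0: print("zfw flush failed: " + str(rc))` ahead of the success message — or switch to `subprocess.run([...], check=True)` if `subprocess` is already imported in these scripts. The enclosing function starts above the hunk in both files.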
@@ -4674,6 +4674,114 @@ int flush6()
 }
 }
 close(count_fd);
+ union bpf_attr tp_map;
+ struct tproxy_extension_key tp_init_key = {0};
+ struct tproxy_extension_key *tp_key = &tp_init_key;
+ struct tproxy_extension_key tp_current_key;
+ struct tproxy_extension_mapping tp_orule;
+ // Open BPF zt_tproxy_map map
+ memset(&tp_map, 0, sizeof(tp_map));
+ if(egress){
+ tp_map.pathname = (uint64_t)egress_ext_map_path;
+ }else{
+ tp_map.pathname = (uint64_t)tp_ext_map_path;
+ }
+ tp_map.bpf_fd = 0;
+ tp_map.file_flags = 0;
+ int tp_fd = syscall(__NR_bpf, BPF_OBJ_GET, &tp_map, sizeof(tp_map));
+ if (tp_fd == -1)
+ {
+ printf("BPF_OBJ_GET: %s \n", strerror(errno));
+ close_maps(1);
+ }
+ tp_map.map_fd = tp_fd;
+ tp_map.key = (uint64_t)tp_key;
+ tp_map.value = (uint64_t)&tp_orule;
+ int tp_ret = 0;
+ while (true)
+ {
+ tp_ret = syscall(__NR_bpf, BPF_MAP_GET_NEXT_KEY, &tp_map, sizeof(tp_map));
+ if (tp_ret == -1)
+ {
+ break;
+ }
+ tp_map.key = tp_map.next_key;
+ tp_current_key = *(struct tproxy_extension_key *)tp_map.key;
+ tp_ext_delete_key(tp_current_key);
+ }
+ close(tp_fd);
+ union bpf_attr ra_map;
+ struct port_extension_key ra_init_key = {0};
+ struct port_extension_key *ra_key = &ra_init_key;
+ struct port_extension_key ra_current_key;
+ struct range_mapping ra_orule;
+ // Open BPF zt_tproxy_map map
+ memset(&ra_map, 0, sizeof(ra_map));
+ if(egress){
+ ra_map.pathname = (uint64_t)egress_range_map_path;
+ }else{
+ ra_map.pathname = (uint64_t)range_map_path;
+ }
+ ra_map.bpf_fd = 0;
+ ra_map.file_flags = 0;
+ int ra_fd = syscall(__NR_bpf, BPF_OBJ_GET, &ra_map, sizeof(ra_map));
+ if (ra_fd == -1)
+ {
+ printf("BPF_OBJ_GET: %s \n", strerror(errno));
+ close_maps(1);
+ }
+ ra_map.map_fd = ra_fd;
+ ra_map.key = (uint64_t)ra_key;
+ ra_map.value = (uint64_t)&ra_orule;
+ int ra_ret = 0;
+ while (true)
+ {
+ ra_ret = syscall(__NR_bpf, BPF_MAP_GET_NEXT_KEY, &ra_map, sizeof(ra_map));
+ if (ra_ret == -1)
+ {
+ break;
+ }
+ ra_map.key = ra_map.next_key;
+ ra_current_key = *(struct port_extension_key *)ra_map.key;
+ range_delete_key(ra_current_key);
+ }
+ close(ra_fd);
+ union bpf_attr ix_map;
+ struct port_extension_key ix_init_key = {0};
+ struct port_extension_key *ix_key = &ix_init_key;
+ struct port_extension_key ix_current_key;
+ struct if_list_extension_mapping ix_orule;
+ // Open BPF zt_tproxy_map map
+ memset(&ix_map, 0, sizeof(ix_map));
+ if(egress){
+ ix_map.pathname = (uint64_t)egress_if_list_ext_map_path;
+ }else{
+ ix_map.pathname = (uint64_t)if_list_ext_map_path;
+ }
+ ix_map.bpf_fd = 0;
+ ix_map.file_flags = 0;
+ int ix_fd = syscall(__NR_bpf, BPF_OBJ_GET, &ix_map, sizeof(ix_map));
+ if (ix_fd == -1)
+ {
+ printf("BPF_OBJ_GET: %s \n", strerror(errno));
+ close_maps(1);
+ }
+ ix_map.map_fd = ix_fd;
+ ix_map.key = (uint64_t)ix_key;
+ ix_map.value = (uint64_t)&ix_orule;
+ int ix_ret = 0;
+ while (true)
+ {
+ ix_ret = syscall(__NR_bpf, BPF_MAP_GET_NEXT_KEY, &ix_map, sizeof(ix_map));
+ if (ix_ret == -1)
+ {
+ break;
+ }
+ ix_map.key = ix_map.next_key;
+ ix_current_key = *(struct port_extension_key *)ix_map.key;
+ if_list_ext_delete_key(ix_current_key);
+ }
+ close(ix_fd);
 return 0;
 }
@@ -4686,7 +4794,7 @@ int flush4()
 struct tproxy_tuple orule;
 // Open BPF zt_tproxy_map map
 memset(&map, 0, sizeof(map));
- if(!egress){
+ if(!egress){
 map.pathname = (uint64_t)tproxy_map_path;
 }else{
 map.pathname = (uint64_t)egress_map_path;
@@ -4749,26 +4857,6 @@ int flush4()
 }
 }
 close(count_fd);
- return 0;
-}
-
-void map_flush()
-{
- if(ingress && !egress){
- flush4();
- flush6();
- }else if(!ingress && !egress){
- flush4();
- flush6();
- if(!(access(egress6_map_path, F_OK) != 0)){
- egress = true;
- flush4();
- flush6();
- }
- }else{
- flush4();
- flush6();
- }
 union bpf_attr tp_map;
 struct tproxy_extension_key tp_init_key = {0};
 struct tproxy_extension_key *tp_key = &tp_init_key;
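Review bot: The three map walks added to flush6 (tproxy-extension, range and if_list-extension) are copies of one another differing only in pinned path, key type and delete call, and the same three blocks now also sit at the tail of flush4 (the hunks that follow), so map_flush's `flush4(); flush6();` opens and drains each of those maps twice per direction — both functions select the identical `egress_*_path` / `*_path` pair, and nothing in these blocks is address-family specific as far as this diff shows. A static helper taking the pinned path, a key buffer and a delete callback, called once per direction from map_flush, would remove both the quadruplication and the double walk; a sketch follows, with the existing by-value delete functions wrapped in small `static` adapters taking `const void *`. The pasted comment `// Open BPF zt_tproxy_map map` is wrong on the range and if_list blocks and should name the map actually opened. The walk also depends on `value` and `next_key` sharing storage in `union bpf_attr` — `tp_map.value = (uint64_t)&tp_orule` is what gives `BPF_MAP_GET_NEXT_KEY` a place to write — which deserves a one-line comment and a `_Static_assert(sizeof(struct tproxy_extension_mapping) >= sizeof(struct tproxy_extension_key), "next_key buffer too small")` beside it, if that is indeed the uapi layout the code relies on.
```c
/* Drain one pinned map: hand every key to del() until GET_NEXT_KEY fails. */
static void flush_pinned_map(const char *path, void *key, void (*del)(const void *key))
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.pathname = (uint64_t)path;
    int fd = syscall(__NR_bpf, BPF_OBJ_GET, &attr, sizeof(attr));
    if (fd == -1)
    {
        printf("BPF_OBJ_GET: %s \n", strerror(errno));
        close_maps(1);
    }
    memset(&attr, 0, sizeof(attr));
    attr.map_fd = fd;
    attr.key = (uint64_t)key;
    attr.next_key = (uint64_t)key; /* kernel copies the key in before it writes next_key */
    while (syscall(__NR_bpf, BPF_MAP_GET_NEXT_KEY, &attr, sizeof(attr)) == 0)
    {
        del(key);
    }
    close(fd);
}
/* … call sites in map_flush, once per direction, e.g.
   flush_pinned_map(egress ? egress_ext_map_path : tp_ext_map_path, &tp_init_key, tp_ext_delete_adapter); … */
```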
@@ -4776,7 +4864,11 @@ void map_flush()
 struct tproxy_extension_mapping tp_orule;
 // Open BPF zt_tproxy_map map
 memset(&tp_map, 0, sizeof(tp_map));
- tp_map.pathname = (uint64_t)tp_ext_map_path;
+ if(egress){
+ tp_map.pathname = (uint64_t)egress_ext_map_path;
+ }else{
+ tp_map.pathname = (uint64_t)tp_ext_map_path;
+ }
 tp_map.bpf_fd = 0;
 tp_map.file_flags = 0;
 int tp_fd = syscall(__NR_bpf, BPF_OBJ_GET, &tp_map, sizeof(tp_map));
@@ -4808,7 +4900,11 @@ void map_flush()
 struct range_mapping ra_orule;
 // Open BPF zt_tproxy_map map
 memset(&ra_map, 0, sizeof(ra_map));
- ra_map.pathname = (uint64_t)range_map_path;
+ if(egress){
+ ra_map.pathname = (uint64_t)egress_range_map_path;
+ }else{
+ ra_map.pathname = (uint64_t)range_map_path;
+ }
 ra_map.bpf_fd = 0;
 ra_map.file_flags = 0;
 int ra_fd = syscall(__NR_bpf, BPF_OBJ_GET, &ra_map, sizeof(ra_map));
@@ -4840,7 +4936,11 @@ void map_flush()
 struct if_list_extension_mapping ix_orule;
 // Open BPF zt_tproxy_map map
 memset(&ix_map, 0, sizeof(ix_map));
- ix_map.pathname = (uint64_t)if_list_ext_map_path;
+ if(egress){
+ ix_map.pathname = (uint64_t)egress_if_list_ext_map_path;
+ }else{
+ ix_map.pathname = (uint64_t)if_list_ext_map_path;
+ }
 ix_map.bpf_fd = 0;
 ix_map.file_flags = 0;
 int ix_fd = syscall(__NR_bpf, BPF_OBJ_GET, &ix_map, sizeof(ix_map));
@@ -4865,6 +4965,26 @@ void map_flush()
 if_list_ext_delete_key(ix_current_key);
 }
 close(ix_fd);
+ return 0;
+}
+
+void map_flush()
+{
+ if(ingress && !egress){
+ flush4();
+ flush6();
+ }else if(!ingress && !egress){
+ flush4();
+ flush6();
+ if(!(access(egress6_map_path, F_OK) != 0)){
+ egress = true;
+ flush4();
+ flush6();
+ }
+ }else{
+ flush4();
+ flush6();
+ }
 }
 void map_list()
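Review bot: In the re-added `map_flush`, the `!ingress && !egress` branch sets `egress = true` before its second pass and never resets it, so the flag (not declared in the function, so presumably file-scope) stays flipped for anything the caller runs afterwards in the same invocation; restore it after the second `flush6();` with `egress = false;` or keep the direction in a local. The first and last branches are identical (`flush4(); flush6();`) and can be folded into one, and `if(!(access(egress6_map_path, F_OK) != 0))` reads more directly as `if(access(egress6_map_path, F_OK) == 0)`. The three `if(egress){ ... }else{ ... }` path selections in the hunks above are each a single `egress ? egress_..._path : ..._path` assignment, which also makes the three blocks easier to compare.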