Merge pull request #70 from netfoundry/v0.8.14-release-candidate
V0.8.14 release candidate
r-caamano authored Aug 18, 2024
2 parents 3c269dc + 78a3c5a commit 72f5ff2
Showing 6 changed files with 256 additions and 33 deletions.
12 changes: 10 additions & 2 deletions .github/workflows/pr.yml
@@ -10,7 +10,9 @@ env:
MAINTAINER: 'Robert Caamano'
DESC: 'An ebpf based statefull fw for openziti edge-routers and tunnelers'
ROUTER_PREFIX: 'zfw-er'
TF_VAR_test_iterate_count: ${{ vars.TEST_ITERATE_COUNT }}
NF_NETWORK_NAME: 'dariuszdev02'
TF_VAR_test_iterate_count: ${{ fromJSON(vars.TEST_ITERATE_COUNT) }}
TF_VAR_github_pt: ${{ secrets.PAT }}
NF_API_CLIENT_ID: "${{ secrets.NF_API_CLIENT_ID }}"
NF_API_CLIENT_SECRET: "${{ secrets.NF_API_CLIENT_SECRET }}"
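Review bot: `NF_NETWORK_NAME: 'dariuszdev02'` hard-codes what looks like an individual developer's network name into the shared workflow env, while every other environment-specific value in this block comes from `vars.*` or `secrets.*`; it should probably be `${{ vars.NF_NETWORK_NAME }}` as well. Wrapping `TF_VAR_test_iterate_count` in `fromJSON(...)` is the right way to hand Terraform a number rather than a string, but `fromJSON` on an unset or empty variable fails the whole workflow at env evaluation instead of at the step that uses it, so `TEST_ITERATE_COUNT` must be defined in every repository or environment this workflow runs in.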

@@ -296,11 +298,15 @@ jobs:
run: |
set +e
cd ${{ github.workspace }}/AWS/tf-provider/
/usr/bin/ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ./zfw_rsa ziggy@$(terraform output -json | jq -r .backend_public_ips.value[0]) -tq 'sudo /opt/openziti/bin/zfw -V'
/usr/bin/ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ./zfw_rsa ziggy@$(terraform output -json | jq -r .backend_public_ips.value[1]) -tq 'sudo /opt/openziti/bin/zfw -V'
while :
do
sleep 900
/usr/bin/ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ./zfw_rsa ziggy@$(terraform output -json | jq -r .client_public_ips.value[0]) -tq '/usr/bin/tail -n 1 /var/log/http_test.json' > ${{ github.workspace }}/AWS/tf-provider/result
/usr/bin/ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ./zfw_rsa ziggy@$(terraform output -json | jq -r .client_public_ips.value[1]) -tq '/usr/bin/tail -n 1 /var/log/http_test.json' >> ${{ github.workspace }}/AWS/tf-provider/result
/usr/bin/ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ./zfw_rsa ziggy@$(terraform output -json | jq -r .client_public_ips.value[0]) -tq '/usr/bin/tail -n 30 /var/log/http.log' > ${{ github.workspace }}/AWS/tf-provider/test.log
/usr/bin/ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ./zfw_rsa ziggy@$(terraform output -json | jq -r .client_public_ips.value[1]) -tq '/usr/bin/tail -n 30 /var/log/http.log' >> ${{ github.workspace }}/AWS/tf-provider/test.log
/usr/bin/cat ${{ github.workspace }}/AWS/tf-provider/result
PASS=`/usr/bin/cat ${{ github.workspace }}/AWS/tf-provider/result | grep Passed |wc -l`
FAIL=`/usr/bin/cat ${{ github.workspace }}/AWS/tf-provider/result | grep Failed |wc -l`
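Review bot: the two new `tail -n 30 /var/log/http.log` lines are the fifth and sixth copies of the same ssh invocation with `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`; factoring it into a small bash function (e.g. `zssh() { /usr/bin/ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ./zfw_rsa ziggy@"$1" -tq "$2"; }`) would keep the options in one place and make it practical to replace the host-key bypass with a known_hosts file populated from the freshly built instances later. Also, because the step starts with `set +e`, a failed ssh leaves `test.log` empty or half-written with no indication; checking `$?` after each call, or collecting the log only inside the failure branches that print it, would make the captured output trustworthy.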
@@ -313,18 +319,20 @@ jobs:
elif [ $PASS == 1 ]; then
echo -e "\033[33mPARTIALLYPASSED\033[m"
cat ./result
cat ./test.log
exit 1
elif [ $FAIL == 2 ]; then
echo -e "\033[31mFAILED\033[m"
cat ./result
cat ./test.log
exit 1
else
cat ./result
continue
fi
done
shell: bash
timeout-minutes: 180
timeout-minutes: ${{ fromJSON(vars.STEP_TIMEOUT) }}
-
name: Clean up test
if: success() || failure()
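Review bot: `timeout-minutes: ${{ fromJSON(vars.STEP_TIMEOUT) }}` drops the previous fixed 180-minute ceiling, and an unset `STEP_TIMEOUT` now fails workflow parsing rather than falling back; consider `${{ fromJSON(vars.STEP_TIMEOUT || '180') }}` so forks and fresh environments keep the old default. The added `cat ./test.log` in the PARTIALLYPASSED and FAILED branches is useful, but the file is written to `${{ github.workspace }}/AWS/tf-provider/test.log` and read via a relative path; both only line up because of the earlier `cd`, so using the same path (or a variable) in both places avoids a silent mismatch if the step is restructured.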
6 changes: 6 additions & 0 deletions CHANGELOG.md
@@ -3,6 +3,12 @@
All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

---
###
# [0.8.14] - 2024-08-16
- Fixed issue where icmp type 3 tcp only accepting inbound for ports associated with local listening ports
- Added support for stateful IPv4 icmp unreachable support both in the case of masquerade and non masquerade, for udp
and tcp outgoing initiated connections only.

###
# [0.8.13] - 2024-08-12
- Added Outbound tracking for IPv4 and IPv6 ICMP Echo
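Review bot: the first 0.8.14 bullet reads as a fragment ("icmp type 3 tcp only accepting inbound for ports associated with local listening ports"); state what was wrong and what changed, e.g. "Fixed issue where ICMP type 3 (destination unreachable) for TCP was only accepted inbound when the port matched a local listening port". If the `###` / `# [0.8.14] - 2024-08-16` split is really in the file and not a display artefact, it renders as an empty h3 followed by an h1; a single `### [0.8.14] - 2024-08-16` heading is what the Keep a Changelog format referenced above expects (the 0.8.13 entry has the same issue).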
2 changes: 1 addition & 1 deletion README.md
@@ -17,7 +17,7 @@ zfw can now provide native IPv4/IPv6 masquerade operation for outbound pass thro
This function requires that both ingress and egress TC filters are enabled on outbound interface.

### Explicit Deny Rules
This feature adds the ability to enter explicit deny rules by appending ```-d, --disable to the -I, --insert rule`` to both ingress and egress rules. Rule precedence is based on longest match prefix. If the prefix is the same then the precedence follows the order entry of the rules, which when listed will go from top to bottom for ports with in the same prefix e.g.
This feature adds the ability to enter explicit deny rules by appending ```-d, --disable to the -I, --insert rule``` to both ingress and egress rules. Rule precedence is based on longest match prefix. If the prefix is the same then the precedence follows the order entry of the rules, which when listed will go from top to bottom for ports with in the same prefix e.g.

If you wanted to allow all tcp 443 traffic outbound except to 10.1.0.0/16 you would enter the following egress rules:
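Review bot: balancing the backticks fixes the broken code span, but the conventional form is single backticks around each flag (`-d, --disable` and `-I, --insert`) rather than a triple-backtick span around the whole phrase. The same line still contains "ports with in the same prefix" (should be "within"), and "the order entry of the rules" reads awkwardly; "the order in which the rules were entered" is clearer.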

2 changes: 1 addition & 1 deletion src/zfw.c
@@ -241,7 +241,7 @@ char *direction_string;
char *masq_interface;
char check_alt[IF_NAMESIZE];

const char *argp_program_version = "0.8.13";
const char *argp_program_version = "0.8.14";
struct ring_buffer *ring_buffer;

__u32 if_list[MAX_IF_LIST_ENTRIES];
2 changes: 1 addition & 1 deletion src/zfw_monitor.c
@@ -81,7 +81,7 @@ char check_alt[IF_NAMESIZE];
char doc[] = "zfw_monitor -- ebpf firewall monitor tool";
const char *rb_map_path = "/sys/fs/bpf/tc/globals/rb_map";
const char *tproxy_map_path = "/sys/fs/bpf/tc/globals/zt_tproxy_map";
const char *argp_program_version = "0.8.13";
const char *argp_program_version = "0.8.14";
union bpf_attr rb_map;
int rb_fd = -1;
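Review bot: `argp_program_version` is bumped by hand in two places (here in src/zfw_monitor.c and the identical definition in src/zfw.c); defining the string once, in a shared header or via a build-time `-D` flag fed from the package version, removes the chance that the two binaries report different versions after a future bump, and a release check that the value matches the new CHANGELOG heading would catch the same drift.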
