Switched egress allowedSourceAddress discovery to event channel due t…

…o new feature in ZET 0.22.5, also added support for eapol frames and added "make" to compile prerequisites in BUILD.md

.github/workflows/ci.yml

@@ -71,12 +71,11 @@ jobs:
           chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py
           chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/user_rules.sh.sample
           ln -s /opt/openziti/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw
-          dpkg-deb --build -Z gzip --root-owner-group ${{ steps.deb_dir.outputs.deb_dir }}
 
       - name: Set Deb Predepends
         if: ${{ matrix.ziti_type == 'tunnel' }}
         run: |
-          echo 'Pre-Depends: ziti-edge-tunnel (>= 0.21.0)' >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control
+          echo 'Pre-Depends: ziti-edge-tunnel (>= 0.22.5)' >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control
           cp -p files/services/ziti-fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/
           cp -p files/services/ziti-wrapper.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/
           cp -p files/bin/zfw_tunnwrapper ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
@@ -165,7 +164,7 @@ jobs:
       - name: Set Deb Predepends
         if: ${{ matrix.ziti_type == 'tunnel' }}
         run: |
-          echo 'Pre-Depends: ziti-edge-tunnel (>= 0.21.0)' >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control
+          echo 'Pre-Depends: ziti-edge-tunnel (>= 0.22.5)' >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control
           cp -p files/services/ziti-fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/
           cp -p files/services/ziti-wrapper.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/
           cp -p files/bin/zfw_tunnwrapper ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/

.github/workflows/release.yml

@@ -72,12 +72,11 @@ jobs:
           chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py
           chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/user_rules.sh.sample
           ln -s /opt/openziti/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw
-          dpkg-deb --build -Z gzip --root-owner-group ${{ steps.deb_dir.outputs.deb_dir }}
 
       - name: Set Deb Predepends
         if: ${{ matrix.ziti_type == 'tunnel' }}
         run: |
-         echo 'Pre-Depends: ziti-edge-tunnel (>= 0.21.0)' >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control
+          echo 'Pre-Depends: ziti-edge-tunnel (>= 0.22.5)' >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control
           cp -p files/services/ziti-fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/
           cp -p files/services/ziti-wrapper.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/
           cp -p files/bin/zfw_tunnwrapper ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
@@ -166,7 +165,7 @@ jobs:
       - name: Set Deb Predepends
         if: ${{ matrix.ziti_type == 'tunnel' }}
         run: |
-          echo 'Pre-Depends: ziti-edge-tunnel (>= 0.21.0)' >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control
+          echo 'Pre-Depends: ziti-edge-tunnel (>= 0.22.5)' >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control
           cp -p files/services/ziti-fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/
           cp -p files/services/ziti-wrapper.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/
           cp -p files/bin/zfw_tunnwrapper ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/

BUILD.md

@@ -9,7 +9,7 @@
         sudo apt update
         sudo apt upgrade
         sudo reboot
-        sudo apt install -y gcc clang libc6-dev-i386 libbpfcc-dev libbpf-dev libjson-c-dev
+        sudo apt install -y gcc clang libc6-dev-i386 libbpfcc-dev libbpf-dev libjson-c-dev make
         ```          
 
     1. Compile:
@@ -32,7 +32,7 @@
         sudo apt update
         sudo apt upgrade
         sudo reboot
-        sudo apt-get install -y gcc clang libbpfcc-dev libbpf-dev libjson-c-dev
+        sudo apt-get install -y gcc clang libbpfcc-dev libbpf-dev libjson-c-dev make
         ```          
 
     1. Compile:

CHANGELOG.md

@@ -3,6 +3,16 @@
 All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ---
+
+# [0.5.0] - 2023-08-18
+
+###
+
+- Added make to pre-compile binary package installs listed in BUILD.md
+- Changed bind service lookup from dumpfile to event channel.  0.5.0 will only work with
+  ZET 0.22.4 or above
+- Added passthrough support for eapol (802.1X) frames
+
 # [0.4.6] - 2023-08-13
 
 ###
@@ -28,7 +38,7 @@ All notable changes to this project will be documented in this file. The format
   properly updating the ziti-router.service file.
 
 # [0.4.3] - 2023-07-25
-
+ 
 ###
 
 -- Refactored monitoring to use ring buffer and removed all bpf_printk() helper calls

README.md

@@ -15,7 +15,7 @@ edge-routers deb package.
 ## Ziti-Edge-Tunnel Deployment 
 
 The program is designed to be deployed as systemd services if deployed via .deb package with
-an existing ziti-edge-tunnel(v21.0 +) installation on Ubuntu 22.04(amd64/arm64)service installation. If you don't currently
+an existing ziti-edge-tunnel(v22.5 +) installation on Ubuntu 22.04(amd64/arm64)service installation. If you don't currently
 have ziti-edge-tunnel installed and an operational OpenZiti network built, follow these 
 [instructions](https://docs.openziti.io/docs/guides/Local_Gateway/EdgeTunnel).
 

src/zfw.c

@@ -90,6 +90,7 @@ bool route = false;
 bool passthru = false;
 bool intercept = false;
 bool echo = false;
+bool eapol = false;
 bool verbose = false;
 bool vrrp = false;
 bool per_interface = false;
@@ -138,6 +139,7 @@ char doc[] = "zfw -- ebpf firewall configuration tool";
 const char *if_map_path;
 char *diag_interface;
 char *echo_interface;
+char *eapol_interface;
 char *verbose_interface;
 char *ssh_interface;
 char *prefix_interface;
@@ -147,7 +149,7 @@ char *monitor_interface;
 char *tc_interface;
 char *object_file;
 char *direction_string;
-const char *argp_program_version = "0.4.6";
+const char *argp_program_version = "0.5.0";
 struct ring_buffer *ring_buffer;
 
 __u8 if_list[MAX_IF_LIST_ENTRIES];
@@ -206,6 +208,7 @@ struct diag_ip4
     bool tc_egress;
     bool tun_mode;
     bool vrrp;
+    bool eapol;
 };
 
 struct tproxy_port_mapping
@@ -886,6 +889,18 @@ bool set_diag(uint32_t *idx)
                 }
                 printf("Set verbose to %d for %s\n", !disable, verbose_interface);
             }
+            if (eapol)
+            {
+                if (!disable)
+                {
+                    o_diag.eapol = true;
+                }
+                else
+                {
+                    o_diag.eapol = false;
+                }
+                printf("Set eapol to %d for %s\n", !disable, eapol_interface);
+            }
             if (per_interface)
             {
                 if (!disable)
@@ -992,6 +1007,7 @@ bool set_diag(uint32_t *idx)
             printf("%-24s:%d\n", "tc egress filter", o_diag.tc_egress);
             printf("%-24s:%d\n", "tun mode intercept", o_diag.tun_mode);
             printf("%-24s:%d\n", "vrrp enable", o_diag.vrrp);
+            printf("%-24s:%d\n", "eapol enable", o_diag.eapol);
             printf("--------------------------\n\n");
         }
     }
@@ -1150,8 +1166,9 @@ void interface_diag()
                 diag_interface = address->ifa_name;
                 tun_interface = address->ifa_name;
                 vrrp_interface = address->ifa_name;
+                eapol_interface = address->ifa_name;
             }
-            if(!strncmp(address->ifa_name, "tun", 3) && (tun || per_interface || ssh_disable || echo || vrrp)){
+            if(!strncmp(address->ifa_name, "tun", 3) && (tun || per_interface || ssh_disable || echo || vrrp || eapol)){
                 if(per_interface && !strncmp(prefix_interface, "tun", 3)){
                     printf("%s:zfw does not allow setting on tun interfaces!\n", address->ifa_name);
                 }
@@ -1167,10 +1184,13 @@ void interface_diag()
                 if(vrrp && !strncmp(vrrp_interface, "tun", 3)){
                     printf("%s:zfw does not allow setting on tun interfaces!\n", address->ifa_name);
                 }
+                if(eapol && !strncmp(eapol_interface, "tun", 3)){
+                    printf("%s:zfw does not allow setting on tun interfaces!\n", address->ifa_name);
+                }
                 address = address->ifa_next;
                 continue;
             }
-            if(!strncmp(address->ifa_name, "ziti", 4) && (tun || per_interface || ssh_disable || echo || vrrp)){
+            if(!strncmp(address->ifa_name, "ziti", 4) && (tun || per_interface || ssh_disable || echo || vrrp || eapol)){
                 if(per_interface && !strncmp(prefix_interface, "ziti", 4)){
                     printf("%s:zfw does not allow setting on tun interfaces!\n", address->ifa_name);
                 }
@@ -1186,6 +1206,9 @@ void interface_diag()
                 if(vrrp && !strncmp(vrrp_interface, "ziti", 4)){
                     printf("%s:zfw does not allow setting on tun interfaces!\n", address->ifa_name);
                 }
+                if(eapol && !strncmp(eapol_interface, "ziti", 4)){
+                    printf("%s:zfw does not allow setting on tun interfaces!\n", address->ifa_name);
+                }
                 address = address->ifa_next;
                 continue;
             }
@@ -1205,6 +1228,14 @@ void interface_diag()
                 }
             }
 
+            if (eapol)
+            {
+                if (!strcmp(eapol_interface, address->ifa_name))
+                {
+                    set_diag(&idx);
+                }
+            }
+
             if (verbose)
             {
                 if(!strncmp(address->ifa_name, "tun", 3) && !strncmp(verbose_interface,"tun", 3)){
@@ -2159,6 +2190,7 @@ static struct argp_option options[] = {
     {"set-tc-filter", 'X', "", 0, "Add/remove TC filter to/from interface", 0},
     {"object-file", 'O', "", 0, "Set object file", 0},
     {"direction", 'z', "", 0, "Set direction", 0},
+    {"enable-eapol", 'w', "", 0, "enable 802.1X eapol packets inbound on interface", 0},
     {0}};
 
 static error_t parse_opt(int key, char *arg, struct argp_state *state)
@@ -2445,6 +2477,28 @@ static error_t parse_opt(int key, char *arg, struct argp_state *state)
             verbose_interface = arg;
         }
         break;
+    case 'w':
+        if (!strlen(arg) || (strchr(arg, '-') != NULL))
+        {
+            fprintf(stderr, "Interface name or all required as arg to -w, --enable-eapol: %s\n", arg);
+            fprintf(stderr, "%s --help for more info\n", program_name);
+            exit(1);
+        }
+        idx = if_nametoindex(arg);
+        if(strcmp("all", arg) && idx == 0){
+            printf("Interface not found: %s\n", arg);
+            exit(1);
+        }
+        eapol = true;
+        if (!strcmp("all", arg))
+        {
+            all_interface = true;
+        }
+        else
+        {
+           eapol_interface = arg;
+        }
+        break;
     case 'x':
         if (!strlen(arg) || (strchr(arg, '-') != NULL))
         {
@@ -2606,7 +2660,7 @@ int main(int argc, char **argv)
 
     if (ebpf_disable)
     {
-        if (tcfilter || echo || ssh_disable || verbose || per_interface || add || delete || list || flush)
+        if (tcfilter || echo || ssh_disable || verbose || per_interface || add || delete || list || flush || monitor || eapol)
         {
             usage("Q, --disable-ebpf cannot be used in combination call");
         }
@@ -2633,6 +2687,11 @@ int main(int argc, char **argv)
         usage("-T, --set-tun-mode cannot be set as a part of combination call to zfw");
     }
 
+    if ((eapol && (monitor || tun || echo || ssh_disable || verbose || per_interface || add || delete || list || flush || tcfilter || vrrp)))
+    {
+        usage("-M, --enable-eapol cannot be set as a part of combination call to zfw");
+    }
+
     if (( monitor && (tun || echo || ssh_disable || verbose || per_interface || add || delete || list || flush || tcfilter || vrrp)))
     {
         usage("-M, --monitor cannot be set as a part of combination call to zfw");
@@ -2678,9 +2737,9 @@ int main(int argc, char **argv)
         usage("Missing argument -r, --route requires -I --insert, -D --delete or -F --flush");
     }
 
-    if (disable && (!ssh_disable && !echo && !verbose && !per_interface && !tcfilter && !tun && !vrrp))
+    if (disable && (!ssh_disable && !echo && !verbose && !per_interface && !tcfilter && !tun && !vrrp && !eapol))
     {
-        usage("Missing argument at least one of -e, -v, -x, or -E, -P, -R, -T, -X");
+        usage("Missing argument at least one of -e, -v, -x, w, or -E, -P, -R, -T, -X");
     }
 
     if (direction && !tcfilter)
@@ -2831,7 +2890,7 @@ int main(int argc, char **argv)
             map_list();
         }
     }
-    else if (vrrp || verbose || ssh_disable || echo || per_interface || tun)
+    else if (vrrp || verbose || ssh_disable || echo || per_interface || tun || eapol)
     {
         interface_diag();
         exit(0);

src/zfw_tc_ingress.c

@@ -191,6 +191,7 @@ struct diag_ip4 {
     bool tc_egress;
     bool tun_mode;
     bool vrrp;
+    bool eapol;
 };
 
 /*Value to tun_map*/
@@ -678,6 +679,11 @@ int bpf_sk_splice(struct __sk_buff *skb){
     if ((unsigned long)(eth + 1) > (unsigned long)skb->data_end){
         return TC_ACT_SHOT;
 	}
+
+    /*check if 802.1X and passthrough is enabled*/
+    if((bpf_ntohs(eth->h_proto) == 0x888e) && local_diag->eapol){
+        return TC_ACT_OK;
+    }
 
     /* check if incoming packet is a UDP or TCP tuple */
     tuple = get_tuple(skb, sizeof(*eth), eth->h_proto, &ipv4,&ipv6, &udp, &tcp, &arp, &icmp, &vrrp, &event, local_diag);