diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 225a7df..21ed948 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -58,16 +58,16 @@ jobs:
 mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc
 mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system
 mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin
- cp -p files/bin/zfw_xdp_tun_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
+ mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d
 cp -p files/bin/zfw_tc_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
 cp -p files/bin/zfw_tc_outbound_track.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
 cp -p files/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
 cp -p files/scripts/start_ebpf_${{ matrix.ziti_type }}.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
- cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
 cp -p files/scripts/user_rules.sh.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/
+ cp -p files/scripts/zfwlogs ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d/
 cp -p files/json/ebpf_config.json.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc/
+ cp -p files/services/zfw-logging.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/
 chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw
- chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py
 chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py
 chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/user_rules.sh.sample
 ln -s /opt/openziti/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw
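Review bot: The new `files/scripts/zfwlogs` is copied into `etc/logrotate.d/` with `cp -p` and, unlike the scripts next to it, gets no `chmod`, so it keeps whatever mode and owner it had in the runner checkout; logrotate ignores a fragment in `/etc/logrotate.d` that is not owned by root or is writable by group or others, so the rotation this commit adds may silently never run. The same `cp -p` concern applies to the `zfw` binary and the `.py` scripts staged under `opt/openziti/bin` and later executed as root by the systemd units: unless the "Build Deb package" step (outside this hunk) forces root ownership, e.g. with dpkg-deb's `--root-owner-group`, the package carries the runner's uid and any local account with that uid could edit root-executed files. Consider adding `chmod 644 ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d/zfwlogs` next to the other chmods. The identical hunk recurs at ci.yml 147 and release.yml 59 and 148, so the fix is needed in all four places.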
@@ -79,14 +79,21 @@ jobs: cp -p files/services/ziti-fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ cp -p files/services/ziti-wrapper.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ cp -p files/bin/zfw_tunnwrapper ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/bin/zfw_xdp_tun_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_tunnwrapper + chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py - name: Standalone FW service and router revert if: ${{ matrix.ziti_type == 'router' }} run: | cp -p files/services/fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ cp -p files/scripts/revert_ebpf_router.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/scripts/start_ebpf_controller.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/scripts/revert_ebpf_controller.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/revert_ebpf_router.py + chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_controller.py + chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/revert_ebpf_controller.py - name: Build Deb package run: | 
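Review bot: The step still named `Standalone FW service and router revert` and gated by `if: ${{ matrix.ziti_type == 'router' }}` now also ships `start_ebpf_controller.py` and `revert_ebpf_controller.py`, so the controller scripts only ever reach the router flavour of the package and the `start_ebpf_${{ matrix.ziti_type }}.py` copy in the earlier hunk never covers them. release.yml's hunks at 80 and 169 rename this step to `Standalone FW service, controller and router revert`, while ci.yml here and at 168 keeps the old name; the two workflows should agree, and the name should state that the router package is the intended carrier for the controller scripts, e.g. `- name: Standalone FW service, controller and router revert`. If that is not the intent, the controller scripts need their own conditional step. The step that owns the `zfw_tunnwrapper` and `set_xdp_redirect.py` copies at the top of this hunk starts outside it, so its `if:` condition cannot be checked here.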
@@ -147,16 +154,16 @@ jobs:
 mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc
 mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system
 mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin
- cp -p files/bin/zfw_xdp_tun_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
+ mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d
 cp -p files/bin/zfw_tc_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
 cp -p files/bin/zfw_tc_outbound_track.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
 cp -p files/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
 cp -p files/scripts/start_ebpf_${{ matrix.ziti_type }}.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
- cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
 cp -p files/scripts/user_rules.sh.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/
+ cp -p files/scripts/zfwlogs ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d/
 cp -p files/json/ebpf_config.json.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc/
+ cp -p files/services/zfw-logging.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/
 chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw
- chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py
 chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py
 chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/user_rules.sh.sample
 ln -s /opt/openziti/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw
@@ -168,14 +175,21 @@ jobs: cp -p files/services/ziti-fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ cp -p files/services/ziti-wrapper.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ cp -p files/bin/zfw_tunnwrapper ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/bin/zfw_xdp_tun_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_tunnwrapper + chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py - name: Standalone FW service and router revert if: ${{ matrix.ziti_type == 'router' }} run: | cp -p files/services/fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ cp -p files/scripts/revert_ebpf_router.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/scripts/start_ebpf_controller.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/scripts/revert_ebpf_controller.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/revert_ebpf_router.py + chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_controller.py + chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/revert_ebpf_controller.py - name: Build Deb package run: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c378a55..56fc63d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -59,16 +59,16 @@ jobs:
 mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc
 mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system
 mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin
- cp -p files/bin/zfw_xdp_tun_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
+ mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d
 cp -p files/bin/zfw_tc_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
 cp -p files/bin/zfw_tc_outbound_track.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
 cp -p files/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
 cp -p files/scripts/start_ebpf_${{ matrix.ziti_type }}.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
- cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
 cp -p files/scripts/user_rules.sh.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/
+ cp -p files/scripts/zfwlogs ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d/
 cp -p files/json/ebpf_config.json.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc/
+ cp -p files/services/zfw-logging.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/
 chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw
- chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py
 chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py
 chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/user_rules.sh.sample
 ln -s /opt/openziti/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw
@@ -80,14 +80,22 @@ jobs: cp -p files/services/ziti-fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ cp -p files/services/ziti-wrapper.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ cp -p files/bin/zfw_tunnwrapper ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/bin/zfw_xdp_tun_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_tunnwrapper + chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py - - name: Standalone FW service and router revert + - name: Standalone FW service, controller and router revert if: ${{ matrix.ziti_type == 'router' }} run: | cp -p files/services/fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ cp -p files/scripts/revert_ebpf_router.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/scripts/start_ebpf_controller.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/scripts/revert_ebpf_controller.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/revert_ebpf_router.py + chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_controller.py + chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/revert_ebpf_controller.py + - name: Build Deb package run: | 
@@ -148,16 +156,16 @@ jobs:
 mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc
 mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system
 mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin
- cp -p files/bin/zfw_xdp_tun_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
+ mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d
 cp -p files/bin/zfw_tc_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
 cp -p files/bin/zfw_tc_outbound_track.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
 cp -p files/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
 cp -p files/scripts/start_ebpf_${{ matrix.ziti_type }}.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
- cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
 cp -p files/scripts/user_rules.sh.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/
+ cp -p files/scripts/zfwlogs ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d/
 cp -p files/json/ebpf_config.json.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc/
+ cp -p files/services/zfw-logging.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/
 chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw
- chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py
 chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py
 chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/user_rules.sh.sample
 ln -s /opt/openziti/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw
@@ -169,14 +177,21 @@ jobs: cp -p files/services/ziti-fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ cp -p files/services/ziti-wrapper.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ cp -p files/bin/zfw_tunnwrapper ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/bin/zfw_xdp_tun_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_tunnwrapper + chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py - - name: Standalone FW service and router revert + - name: Standalone FW service, controller and router revert if: ${{ matrix.ziti_type == 'router' }} run: | cp -p files/services/fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ cp -p files/scripts/revert_ebpf_router.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/scripts/start_ebpf_controller.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/scripts/revert_ebpf_controller.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/revert_ebpf_router.py + chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_controller.py + chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/revert_ebpf_controller.py - name: Build Deb package run: | diff --git a/CHANGELOG.md b/CHANGELOG.md index fae0ded..e0bb617 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,6 +3,18 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). --- +# [0.5.13] - 2024-03-28 + +### + +- Changed ddos_protect_map to type BPF_MAP_TYPE_LRU_HASH to allow cycling of entries +- Added controller startup script +- Added optional logging systemd service with log rotation support +- Updated make install.sh for controller install and logging service files +- Removed -p from cp commands in make install.sh so files are installed as owned by root user +- Added fw-init-router.service for standalone firewall deployment in make install.sh +- Updated workflows to add new / updated files + # [0.5.12] - 2024-03-14 ### diff --git a/files/scripts/revert_ebpf_controller.py b/files/scripts/revert_ebpf_controller.py new file mode 100755 index 0000000..ce96b41 --- /dev/null +++ b/files/scripts/revert_ebpf_controller.py 
@@ -0,0 +1,148 @@ +#!/usr/bin/env python3 +import os +import subprocess +import sys +import json +import yaml +from signal import signal, SIGPIPE, SIG_DFL +signal(SIGPIPE,SIG_DFL) + + +def set_tproxy_mode(): + if(os.path.exists('/opt/openziti/ziti-router/config.yml')): + try: + with open('/opt/openziti/ziti-router/config.yml') as config_file: + config = yaml.load(config_file, Loader=yaml.FullLoader) + if(config): + if('listeners' in config.keys()): + for key in config['listeners']: + if(('binding' in key.keys()) and (key['binding'] == 'tunnel')): + if('options' in key.keys()): + if('mode' in key['options']): + if(key['options']['mode'] == 'tproxy'): + print("ziti-router config.yml already converted to use tproxy!") + elif(key['options']['mode'] == 'tproxy:/opt/openziti/bin/zfw'): + key['options']['mode'] = 'tproxy' + write_config(config) + return True + else: + print("ziti-router config.yml already converted to use tproxy!") + else: + print('Mandatory key \'options\' missing from binding: tunnel') + sys.exit(1) + else: + print('Mandatory key \'listeners\' missing in config.yml') + sys.exit(1) + except Exception as e: + print(e) + sys.exit(1) + else: + print('ziti-router not installed, skipping ebpf router configuration!') + sys.exit(1) + return False + +def write_config(config): + try: + with open('/opt/openziti/ziti-router/config.yml', 'w') as config_file: + yaml.dump(config, config_file, sort_keys=False) + except Exception as e: + print(e) + sys.exit(1) + +def delete(rule): + os.system('yes | /usr/sbin/ufw delete ' + str(rule) + ' > /dev/null 2>&1') + +def remove_ufw_rule(rule): + process = subprocess.Popen(['ufw', 'status', 'numbered'], stdout=subprocess.PIPE, stderr=subprocess.PIPE) + out, err = process.communicate() + data = out.decode().splitlines() + count = 1 + for line in data: + if((line.find(rule) >= 0) and (line.find('ALLOW IN') >= 0)): + print("removing:", line) + delete(count) + if(line.startswith('[')): + count = count + 1 + +def iterate_rules(intf): 
+ rules = ['Anywhere on ' + intf, 'Anywhere (v6) on ' + intf] + for rule in rules: + remove_ufw_rule(rule) + +if(os.path.exists('/opt/openziti/etc/ebpf_config.json')): + with open('/opt/openziti/etc/ebpf_config.json','r') as jfile: + try: + config = json.loads(jfile.read()) + if(config): + if("InternalInterfaces" in config.keys()): + i_interfaces = config["InternalInterfaces"] + if len(i_interfaces): + for interface in i_interfaces: + if("Name" in interface.keys()): + if(interface["Name"] != "lo"): + print("Attempting to restore ufw state: ",interface["Name"]) + iterate_rules(interface["Name"]) + else: + print('Mandatory key \"Name\" missing skipping internal interface entry!') + else: + print("No internal interfaces listed in /opt/openziti/etc/ebpf_config.json skipping internal interface ufw reversion interface!") + if("ExternalInterfaces" in config.keys()): + e_interfaces = config["ExternalInterfaces"] + if len(e_interfaces): + for interface in e_interfaces: + if("Name" in interface.keys()): + if(interface["Name"] != "lo"): + print("Attempting to restore ufw state: ",interface["Name"]) + iterate_rules(interface["Name"]) + else: + print('Mandatory key \"Name\" missing skipping external interface ufw reversion!') + except Exception as e: + print("Malformed or missing json object in /opt/openziti/etc/ebpf_config.json can't revert ufw!") + +service = False +if(os.path.exists('/etc/systemd/system/ziti-controller.service')): + unconfigured = os.system("grep -r 'ExecStartPre\=\-\/opt/openziti\/bin\/start_ebpf_controller.py' /etc/systemd/system/ziti-controller.service") + if(not unconfigured): + os.system("sed -i 's/#ExecStartPre\=\-\/opt\/netfoundry\/ebpf\/objects\/etables \-F \-r/ExecStartPre\=-\/opt\/netfoundry\/ebpf\/objects\/etables \-F \-r/g' /etc/systemd/system/ziti-controller.service") + os.system("sed -i 's/#ExecStartPre\=\-\/opt\/netfoundry\/ebpf\/scripts\/tproxy_splicer_startup.sh/ExecStartPre\=\-\/opt\/netfoundry\/ebpf\/scripts\/tproxy_splicer_startup.sh/g' 
/etc/systemd/system/ziti-controller.service") + test1 = os.system("sed -i '/ExecStartPre\=\-\/opt\/openziti\/bin\/start_ebpf_controller.py/d' /etc/systemd/system/ziti-controller.service") + if(not test1): + test1 = os.system("systemctl daemon-reload") + if(not test1): + service = True + os.system("/opt/openziti/bin/zfw -Q") + if(os.path.exists("/opt/openziti/etc/ebpf_config.json")): + os.remove("/opt/openziti/etc/ebpf_config.json") + if(os.path.exists("/opt/openziti/bin/user/user_rules.sh")): + os.remove("/opt/openziti/bin/user/user_rules.sh") + print("Successfully reverted ziti-controller.service!") + else: + print("Failed to revert ziti-controller.service!") + else: + print("ziti-controller.service already reverted. Nothing to do!") +else: + print("Skipping ziti-controller.service reversal. File does not exist!") + +if service: + print("config.yml successfully reverted. restarting ziti-controller.service") + os.system('systemctl restart ziti-controller.service') + if(not os.system('systemctl is-active --quiet ziti-controller.service')): + print("ziti-controller.service successfully restarted") + if(os.path.exists('/opt/netfoundry/ziti/ziti-controller/conf/controller01.config.yml')): + print("Detected Netfoundry controller install!") + if(os.path.exists('/opt/openziti/ziti-controller/controller01.config.yml')): + print("Removing symlink from /opt/openziti/ziti-controller to /opt/netfoundry/ziti/ziti-controller/conf") + os.unlink('/opt/openziti/ziti-controller') + else: + print("No symlink found nothing to do!") + if(os.path.exists('/opt/netfoundry/ziti/ziti-router/config.yml')): + print("Detected Netfoundry install/registration!") + if(os.path.exists('/opt/openziti/ziti-router/config.yml')): + print("Removing symlink from /opt/openziti/ziti-router to /opt/netfoundry/ziti/ziti-router") + os.unlink('/opt/openziti/ziti-router') + else: + print("No symlink found nothing to do!") + else: + print('ziti-router.service unable to start check router logs') +else: + 
print("ziti-router config already not set to use ebpf!") diff --git a/files/scripts/start_ebpf_controller.py b/files/scripts/start_ebpf_controller.py new file mode 100755 index 0000000..01282b7 --- /dev/null +++ b/files/scripts/start_ebpf_controller.py 
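Review bot: `remove_ufw_rule` deletes rules by number while iterating a snapshot of `ufw status numbered`, but each `delete(count)` renumbers every rule after it, so if more than one line matches within a single call the second deletion removes an unrelated rule — a firewall-state defect, not a cosmetic one. Collect the matching numbers first and delete from highest to lowest so the earlier numbers stay valid (rewrite below). Separately, both `yaml.load(config_file, Loader=yaml.FullLoader)` calls read a plain config file and should be `yaml.safe_load(config_file)`, the loader PyYAML recommends for untrusted or non-object documents. The closing messages (`ziti-router.service unable to start check router logs`, `ziti-router config already not set to use ebpf!`) and the never-called `set_tproxy_mode` appear carried over from the router script and name the wrong service for a controller revert.
```python
def remove_ufw_rule(rule):
    process = subprocess.Popen(['ufw', 'status', 'numbered'], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, err = process.communicate()
    data = out.decode().splitlines()
    count = 1
    matches = []
    for line in data:
        if((line.find(rule) >= 0) and (line.find('ALLOW IN') >= 0)):
            print("removing:", line)
            matches.append(count)
        if(line.startswith('[')):
            count = count + 1
    # delete highest-numbered first: removing a rule renumbers those after it
    for number in reversed(matches):
        delete(number)
```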
@@ -0,0 +1,498 @@ +#!/usr/bin/env python3 +import os +import sys +import json +import subprocess +import time +import yaml +import argparse + +controller = False +router = False + +def tc_status(interface, direction): + process = subprocess.Popen(['tc', 'filter', 'show', 'dev', interface, direction], stdout=subprocess.PIPE, stderr=subprocess.PIPE) + out, err = process.communicate() + data = out.decode().splitlines() + if(len(data)): + return True + else: + return False + +def add_health_check_rules(lan_ip, lan_mask): + if(os.path.exists('/opt/openziti/ziti-router/config.yml')): + try: + with open('/opt/openziti/ziti-router/config.yml') as config_file: + config = yaml.load(config_file, Loader=yaml.FullLoader) + if(config): + if('web' in config.keys()): + for key in config['web']: + if(('name' in key.keys()) and (key['name'] == 'health-check')): + if('bindPoints' in key.keys()): + for point in key['bindPoints']: + address = point['address'] + addr_array = address.split(':') + if(len(addr_array)): + try: + port = addr_array[-1].strip() + if(int(port) > 0): + os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp') + except Exception as e: + print(e) + pass + except Exception as e: + print(e) + + +def add_link_listener_rules(lan_ip, lan_mask): + if(os.path.exists('/opt/openziti/ziti-router/config.yml')): + try: + with open('/opt/openziti/ziti-router/config.yml') as config_file: + config = yaml.load(config_file, Loader=yaml.FullLoader) + if(config): + if('link' in config.keys()): + if('listeners' in config['link'].keys()): + for key in config['link']['listeners']: + if(('binding' in key.keys()) and (key['binding'] == 'transport')): + if('bind' in key.keys()): + address = key['bind'] + addr_array = address.split(':') + if(len(addr_array) == 3): + try: + port = addr_array[-1].strip() + if((int(port) > 0) and (addr_array[0] == 'tls')): + os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' 
-l ' + port + ' -h ' + port + ' -t 0 -p tcp') + except Exception as e: + print(e) + pass + except Exception as e: + print(e) + +def add_controller_edge_listener_rules(lan_ip, lan_mask): + if(os.path.exists('/opt/openziti/ziti-router/config.yml')): + try: + with open('/opt/openziti/ziti-controller/controller01.config.yml') as config_file: + config = yaml.load(config_file, Loader=yaml.FullLoader) + if(config): + if('edge' in config.keys()): + if 'api' in config['edge'].keys(): + if("address" in config['edge']['api'].keys()): + address = config['edge']['api']['address'] + addr_array = address.split(':') + if(len(addr_array) == 2): + port = addr_array[-1].strip() + try: + port = addr_array[-1].strip() + if((int(port) > 0)): + os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp') + except Exception as e: + print(e) + pass + except Exception as e: + print(e) + +def add_controller_ctrl_listener_rules(lan_ip, lan_mask): + if(os.path.exists('/opt/openziti/ziti-router/config.yml')): + try: + with open('/opt/openziti/ziti-controller/controller01.config.yml') as config_file: + config = yaml.load(config_file, Loader=yaml.FullLoader) + if(config): + if('ctrl' in config.keys()): + if 'listener' in config['ctrl'].keys(): + address = config['ctrl']['listener'] + addr_array = address.split(':') + if(len(addr_array) == 3): + port = addr_array[-1].strip() + try: + port = addr_array[-1].strip() + if((int(port) > 0) and (addr_array[0] == 'tls')): + os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp') + except Exception as e: + print(e) + pass + except Exception as e: + print(e) + +def add_controller_web_listener_rules(lan_ip, lan_mask): + if(os.path.exists('/opt/openziti/ziti-router/config.yml')): + try: + with open('/opt/openziti/ziti-controller/controller01.config.yml') as config_file: + config = yaml.load(config_file, Loader=yaml.FullLoader) + 
if(config): + if('web' in config.keys()): + for key in config['web']: + if('bindPoints' in key.keys()): + for bind in key['bindPoints']: + address = bind['interface'] + addr_array = address.split(':') + if(len(addr_array) == 2): + port = addr_array[-1].strip() + try: + port = addr_array[-1].strip() + if((int(port) > 0)): + os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp') + except Exception as e: + print(e) + pass + except Exception as e: + print(e) + +def add_controller_salt_api_listener_rules(lan_ip, lan_mask): + if(os.path.exists('/etc/salt/master.d/nf_master.conf')): + try: + with open('/etc/salt/master.d/nf_master.conf') as config_file: + config = yaml.load(config_file, Loader=yaml.FullLoader) + if(config): + if('rest_cherrypy' in config.keys()): + if('port' in config['rest_cherrypy'].keys()): + try: + port = config['rest_cherrypy']['port'] + if(port > 0): + os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + str(port) + ' -h ' + str(port) + ' -t 0 -p tcp') + except Exception as e: + print(e) + pass + except Exception as e: + print(e) + + +def add_controller_port_forwarding_rule(lan_ip, lan_mask): + test = os.system("grep -rnw \'A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 443\' /etc/ufw/before.rules") + if(not test): + port = "80" + os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp') + else: + print("Port forwarding rul not found") + +def add_edge_listener_rules(lan_ip, lan_mask): + if(os.path.exists('/opt/openziti/ziti-router/config.yml')): + try: + with open('/opt/openziti/ziti-router/config.yml') as config_file: + config = yaml.load(config_file, Loader=yaml.FullLoader) + if(config): + if('listeners' in config.keys()): + for key in config['listeners']: + if(('binding' in key.keys()) and (key['binding'] == 'edge')): + if('address' in key.keys()): + address = key['address'] + addr_array 
= address.split(':') + if(len(addr_array) == 3): + port = addr_array[-1].strip() + try: + port = addr_array[-1].strip() + if((int(port) > 0) and (addr_array[0] == 'tls')): + os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp') + except Exception as e: + print(e) + pass + except Exception as e: + print(e) + +def add_resolver_rules(): + if(os.path.exists('/opt/openziti/ziti-router/config.yml')): + try: + with open('/opt/openziti/ziti-router/config.yml') as config_file: + config = yaml.load(config_file, Loader=yaml.FullLoader) + if(config): + if('listeners' in config.keys()): + for key in config['listeners']: + if(('binding' in key.keys()) and (key['binding'] == 'tunnel')): + if('options' in key.keys()): + if('resolver' in key['options']): + address = key['options']['resolver'] + addr_array = address.split(':') + if(len(addr_array) == 3): + port = addr_array[-1].strip() + lan_ip = addr_array[1].split('//') + lan_mask = '32' + try: + port = addr_array[-1].strip() + lan_ip = addr_array[1].split('//')[1] + if((int(port) > 0)): + os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp') + if(lan_ip == '100.127.255.254'): + #special case for NF AWS Gateway loadbalance via DNS over GENEVE using 100.127.255.254 on loopback so add route on loopback + os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p udp -r') + else: + os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p udp') + except Exception as e: + print(e) + pass + except Exception as e: + print(e) + +def write_config(config): + try: + with open('/opt/openziti/ziti-router/config.yml', 'w') as config_file: + yaml.dump(config, config_file, sort_keys=False) + except Exception as e: + print(e) + +def get_if_ip(intf): + process = subprocess.Popen(['ip', 'add'], 
stdout=subprocess.PIPE, stderr=subprocess.PIPE) + out, err = process.communicate() + data = out.decode().splitlines() + for line in data: + if((line.find(intf) >= 0) and (line.find('inet') >= 0)): + search_list = line.strip().split(" ") + if search_list[-1].strip() == intf: + return search_list[1] + return "" + +def set_local_rules(ip): + default_ip = '0.0.0.0' + default_mask = '0' + if len(ip.split('/')) == 2: + lan_ip = ip.split('/')[0] + lan_mask = '32' + else: + lan_ip = default_ip + lan_mask = default_mask + if controller: + add_controller_edge_listener_rules(lan_ip, lan_mask) + add_controller_web_listener_rules(lan_ip, lan_mask) + add_controller_port_forwarding_rule(lan_ip, lan_mask) + add_controller_salt_api_listener_rules(lan_ip, lan_mask) + if router: + add_link_listener_rules(lan_ip, lan_mask) + + +parser = argparse.ArgumentParser(description="Network build script") +parser.add_argument("--lanIf", required=True, help='') +args = parser.parse_args() +lanIf = args.lanIf +if(os.path.exists('/opt/netfoundry/ziti/ziti-controller/conf/controller01.config.yml')): + controller = True + print("Detected Netfoundry install") + if(not os.path.exists('/opt/openziti/ziti-controller/controller01.config.yml')): + print("Installing symlink from /opt/openziti/ziti-controller to /opt/netfoundry/ziti/ziti-controller/conf") + os.symlink('/opt/netfoundry/ziti/ziti-controller/conf', '/opt/openziti/ziti-controller') + else: + print("Symlink found nothing to do!") + if(os.path.exists('/opt/netfoundry/ziti/ziti-router/config.yml')): + router = True + print("Detected Netfoundry install/registration!") + if(not os.path.exists('/opt/openziti/ziti-router/config.yml')): + print("Installing symlink from /opt/openziti/ziti-router to /opt/netfoundry/ziti/ziti-router!") + os.symlink('/opt/netfoundry/ziti/ziti-router', '/opt/openziti/ziti-router') + else: + print("Symlink found nothing to do!") + +if(not os.path.exists('/opt/openziti/etc/ebpf_config.json')): + 
if(os.path.exists('/opt/openziti/etc/ebpf_config.json.sample')): + with open('/opt/openziti/etc/ebpf_config.json.sample','r') as jfile: + try: + config = json.loads(jfile.read()) + if(config): + if("InternalInterfaces" in config.keys()): + interfaces = config["InternalInterfaces"] + if len(interfaces): + interface = interfaces[0] + if("Name" in interface.keys()): + interface['Name'] = lanIf + else: + print('Missing mandatory key: Name') + sys.exit(1) + else: + print('Invalid config no interfaces found!') + sys.exit(1) + with open('/opt/openziti/etc/ebpf_config.json', 'w') as ofile: + json.dump(config, ofile) + except Exception as e: + print('Malformed or missing json object in /opt/openziti/etc/ebpf_config.json.sample') + sys.exit(1) + else: + print('File does not exist: /opt/openziti/etc/ebpf_config.json.sample') +else: + print('File already exist: /opt/openziti/etc/ebpf_config.json') + +internal_list = [] +external_list = [] +per_interface_rules = dict() +outbound_passthrough_track = dict() +if(os.path.exists('/opt/openziti/etc/ebpf_config.json')): + with open('/opt/openziti/etc/ebpf_config.json','r') as jfile: + try: + config = json.loads(jfile.read()) + if(config): + if "InternalInterfaces" in config.keys(): + i_interfaces = config["InternalInterfaces"] + if len(i_interfaces): + for interface in i_interfaces: + if("Name" in interface.keys()): + print("Attempting to add ebpf ingress to: ",interface["Name"]) + internal_list.append(interface["Name"]) + if("OutboundPassThroughTrack") in interface.keys(): + if(interface["OutboundPassThroughTrack"]): + outbound_passthrough_track[interface["Name"]] = True; + else: + outbound_passthrough_track[interface["Name"]] = False; + else: + outbound_passthrough_track[interface["Name"]] = False; + if("PerInterfaceRules") in interface.keys(): + if(interface["PerInterfaceRules"]): + per_interface_rules[interface["Name"]] = True; + else: + per_interface_rules[interface["Name"]] = False; + else: + 
per_interface_rules[interface["Name"]] = False; + else: + print('Mandatory key \"Name\" missing skipping internal interface entry!') + + else: + print("No internal interfaces listed in /opt/openziti/etc/ebpf_config.json add at least one interface") + sys.exit(1) + if("ExternalInterfaces" in config.keys()): + e_interfaces = config["ExternalInterfaces"] + if len(e_interfaces): + for interface in e_interfaces: + if("Name" in interface.keys()): + print("Attempting to add ebpf egress to: ",interface["Name"]) + external_list.append(interface["Name"]) + if("OutboundPassThroughTrack") in interface.keys(): + if(interface["OutboundPassThroughTrack"]): + outbound_passthrough_track[interface["Name"]] = True; + else: + outbound_passthrough_track[interface["Name"]] = False; + else: + outbound_passthrough_track[interface["Name"]] = True; + if("PerInterfaceRules") in interface.keys(): + if(interface["PerInterfaceRules"]): + per_interface_rules[interface["Name"]] = True; + else: + per_interface_rules[interface["Name"]] = False; + else: + per_interface_rules[interface["Name"]] = True; + else: + print('Mandatory key \"Name\" missing skipping external interface entry!') + else: + print("No External interfaces listed in /opt/openziti/etc/ebpf_config.json") + except Exception as e: + print("Malformed or missing json object in /opt/openziti/etc/ebpf_config.json") + sys.exit(1) +else: + print("Missing /opt/openziti/etc/ebpf_config.json can't set ebpf interface config") + sys.exit(1) + +ingress_object_file = '/opt/openziti/bin/zfw_tc_ingress.o' +egress_object_file = '/opt/openziti/bin/zfw_tc_outbound_track.o' +status = subprocess.run(['/opt/openziti/bin/zfw', '-L', '-E'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) +if(status.returncode): + test1 = subprocess.run(['/opt/openziti/bin/zfw', '-Q'],stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) + if(test1.returncode): + print("Ebpf not running no maps to clear") + for i in internal_list: + if(not tc_status(i, "ingress")): + 
test1 = os.system("/opt/openziti/bin/zfw -X " + i + " -O " + ingress_object_file + " -z ingress") + time.sleep(1) + if(test1): + print("Cant attach " + i + " to tc ingress with " + ingress_object_file) + continue + else: + print("Attached " + ingress_object_file + " to " + i) + os.system("sudo ufw allow in on " + i + " to any") + if(per_interface_rules[i]): + os.system("/opt/openziti/bin/zfw -P " + i) + if(not tc_status(i, "egress")): + if(outbound_passthrough_track[i]): + test1 = os.system("/opt/openziti/bin/zfw -X " + i + " -O " + egress_object_file + " -z egress") + if(test1): + print("Cant attach " + i + " to tc egress with " + egress_object_file) + continue + else: + print("Attached " + egress_object_file + " to " + i) + for e in external_list: + if(not tc_status(e, "ingress")): + test1 = os.system("/opt/openziti/bin/zfw -X " + e + " -O " + ingress_object_file + " -z ingress") + if(test1): + os.system("/opt/openziti/bin/zfw -Q") + print("Cant attach " + e + " to tc ingress with " + ingress_object_file) + continue + else: + print("Attached " + ingress_object_file + " to " + e) + os.system("sudo ufw allow in on " +e + " to any") + time.sleep(1) + if(per_interface_rules[e]): + os.system("/opt/openziti/bin/zfw -P " + e) + if(not tc_status(e, "egress")): + if(outbound_passthrough_track[e]): + test1 = os.system("/opt/openziti/bin/zfw -X " + e + " -O " + egress_object_file + " -z egress") + if(test1): + print("Cant attach " + e + " to tc egress with " + egress_object_file) + os.system("/opt/openziti/bin/zfw -Q") + continue + else: + print("Attached " + egress_object_file + " to " + e) + if(os.path.exists("/opt/openziti/bin/user/user_rules.sh")): + print("Adding user defined rules") + os.system("/opt/openziti/bin/user/user_rules.sh") +else: + print("ebpf already running!"); + os.system("/usr/sbin/zfw -F -r") + print("Flushed Table") + for i in internal_list: + if(not tc_status(i, "ingress")): + test1 = os.system("/opt/openziti/bin/zfw -X " + i + " -O " + 
ingress_object_file + " -z ingress") + time.sleep(1) + if(test1): + print("Cant attach " + i + " to tc ingress with " + ingress_object_file) + else: + print("Attached " + ingress_object_file + " to " + i) + os.system("sudo ufw allow in on " + i + " to any") + if(per_interface_rules[i]): + os.system("/opt/openziti/bin/zfw -P " + i) + if(not tc_status(i, "egress")): + if(outbound_passthrough_track[i]): + test1 = os.system("/opt/openziti/bin/zfw -X " + i + " -O " + egress_object_file + " -z egress") + if(test1): + print("Cant attach " + i + " to tc egress with " + egress_object_file) + else: + print("Attached " + egress_object_file + " to " + i) + for e in external_list: + if(not tc_status(e, "ingress")): + test1 = os.system("/opt/openziti/bin/zfw -X " + e + " -O " + ingress_object_file + " -z ingress") + if(test1): + print("Cant attach " + e + " to tc ingress with " + ingress_object_file) + else: + print("Attached " + ingress_object_file + " to " + e) + os.system("sudo ufw allow in on " +e + " to any") + time.sleep(1) + if(per_interface_rules[e]): + os.system("/opt/openziti/bin/zfw -P " + e) + if(not tc_status(e, "egress")): + if(outbound_passthrough_track[e]): + test1 = os.system("/opt/openziti/bin/zfw -X " + e + " -O " + egress_object_file + " -z egress") + if(test1): + print("Cant attach " + e + " to tc egress with " + egress_object_file) + else: + print("Attached " + egress_object_file + " to " + e) + if(os.path.exists("/opt/openziti/bin/user/user_rules.sh")): + print("Adding user defined rules!") + os.system("/opt/openziti/bin/user/user_rules.sh") + +lanIp = get_if_ip(lanIf) +if(len(lanIp)): + set_local_rules(lanIp) +if(os.path.exists('/etc/systemd/system/ziti-controller.service') and controller): + unconfigured = os.system("grep -r 'ExecStartPre\=\-\/opt/openziti\/bin\/start_ebpf_controller.py' /etc/systemd/system/ziti-controller.service") + if(unconfigured): + test0 = 1 + test0 = os.system("sed -i 's/User\=ziti/User\=root/g' 
/etc/systemd/system/ziti-controller.service")
+ test1 = 1
+ test1 = os.system("sed -i '/ExecStart=/i ExecStartPre\=\-\/opt\/openziti\/bin\/start_ebpf_controller.py --lanIf " + lanIf + "' /etc/systemd/system/ziti-controller.service")
+ if((not test0) and (not test1)):
+ test1 = os.system("systemctl daemon-reload")
+ if(not test1):
+ print("Successfully converted ziti-controller.service. Restarting!")
+ os.system('systemctl restart ziti-controller.service')
+ if(not os.system('systemctl is-active --quiet ziti-controller.service')):
+ print("ziti-controller.service successfully restarted!")
+ else:
+ print('ziti-controller.service unable to start check router logs!')
+ else:
+ print("Failed to convert ziti-controller.service!")
+ else:
+ print("ziti-controller.service already converted. Nothing to do!")
+else:
+ print("Skipping ziti-controller.service conversion. File does not exist or is already converted to run ebpf!")
+sys.exit(0)
diff --git a/files/scripts/zfwlogs b/files/scripts/zfwlogs
new file mode 100644
index 0000000..59dc7ca
--- /dev/null
+++ b/files/scripts/zfwlogs
@@ -0,0 +1,15 @@
+/var/log/zfw.log {
+ weekly
+ maxsize 1G
+ minsize 500M
+ rotate 7
+ compress
+ delaycompress
+ missingok
+ notifempty
+ dateext
+ create 644 root root
+ postrotate
+ /usr/bin/killall -HUP rsyslogd
+ endscript
+}
diff --git a/files/services/zfw-logging.service b/files/services/zfw-logging.service
new file mode 100644
index 0000000..f3fb5e3
--- /dev/null
+++ b/files/services/zfw-logging.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=zfw-logging
+BindsTo=ziti-router.service
+After=ziti-router.service
+
+[Service]
+User=root
+ExecStart=/opt/openziti/bin/zfw -M all -W /var/log/zfw.log
+Restart=always
+RestartSec=3
+
+[Install]
+WantedBy=ziti-router.service
diff --git a/src/install.sh b/src/install.sh
index 167561d..b07f5d5 100755
--- a/src/install.sh
+++ b/src/install.sh
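Review bot: The `postrotate` hook sends HUP to rsyslogd, but /var/log/zfw.log is written directly by `zfw -M all -W /var/log/zfw.log` from zfw-logging.service, not by rsyslog, so after the rename the zfw process keeps its descriptor on the rotated file and the freshly created /var/log/zfw.log stays empty until the service is restarted. Unless zfw reopens its log on SIGHUP (nothing in this change shows that), replace the `postrotate`/`endscript` block with `copytruncate`, accepting that a few lines written during the copy window can be lost. `create 644 root root` also makes a firewall event log readable by every local account; `create 640 root adm` keeps it readable for administrators and matches the usual convention for the other logs under /var/log.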
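Review bot: `BindsTo=ziti-router.service` and `WantedBy=ziti-router.service` tie this unit to the router, yet install.sh now copies it into /etc/systemd/system for the tunnel and controller installs as well (hunks at -39 and -64), where no ziti-router.service is expected to exist; there `systemctl enable zfw-logging` only creates a `ziti-router.service.wants` link that never fires, and a manual start should fail because BindsTo implies Requires on a unit that is not loaded. Either template the dependency per install type or pick a neutral target, e.g. `WantedBy=multi-user.target` with `After=network-online.target`, and drop `BindsTo`. The unit also runs as root with no sandboxing; since this process only reads maps and appends to one file, `ProtectSystem=strict` plus `ReadWritePaths=/var/log` would confine the log writer without affecting access under /sys/fs/bpf — worth confirming against what `zfw -M` actually opens before adding it.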
@@ -15,14 +15,17 @@ then
 then
 mkdir -p /opt/openziti/etc
 fi
- cp -p zfw /opt/openziti/bin
- cp -p zfw_tc_ingress.o /opt/openziti/bin
- cp -p zfw_tc_outbound_track.o /opt/openziti/bin
- cp -p ../files/scripts/start_ebpf_router.py /opt/openziti/bin
- cp -p ../files/scripts/revert_ebpf_router.py /opt/openziti/bin
- cp -p ../files/scripts/revert_ebpf_router.py /opt/openziti/bin
- cp -p ../files/scripts/user_rules.sh.sample /opt/openziti/bin/user
- cp -p ../files/json/ebpf_config.json.sample /opt/openziti/etc
+ cp zfw /opt/openziti/bin
+ cp zfw_tc_ingress.o /opt/openziti/bin
+ cp zfw_tc_outbound_track.o /opt/openziti/bin
+ cp ../files/scripts/start_ebpf_router.py /opt/openziti/bin
+ cp ../files/scripts/revert_ebpf_router.py /opt/openziti/bin
+ cp ../files/scripts/revert_ebpf_router.py /opt/openziti/bin
+ cp ../files/scripts/zfwlogs /etc/logrotate.d
+ cp ../files/scripts/user_rules.sh.sample /opt/openziti/bin/user
+ cp ../files/json/ebpf_config.json.sample /opt/openziti/etc
+ cp ../files/services/zfw-logging.service /etc/systemd/system
+ cp ../files/services/fw-init.service /etc/systemd/system
 chmod 744 /opt/openziti/bin/start_ebpf_router.py
 chmod 744 /opt/openziti/bin/revert_ebpf_router.py
 chmod 744 /opt/openziti/bin/user/user_rules.sh.sample
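Review bot: `cp ../files/scripts/revert_ebpf_router.py /opt/openziti/bin` is still listed twice on the new side; the second copy was carried over from the old block and should be dropped. Dropping `-p` also changes what lands on disk: the installed mode is now the checkout mode masked by the caller's umask, and only the three chmod lines below pin anything, so the `.o` objects, the two unit files and `zfwlogs` inherit whatever permissions the git checkout happened to have. That matters for `zfwlogs` in particular, because logrotate refuses a config under /etc/logrotate.d that is writable by group or others or not owned by root, so rotation would silently never run; `install -m 0644 -o root -g root ../files/scripts/zfwlogs /etc/logrotate.d/zfwlogs` pins it explicitly, and the same applies to the tunnel and controller copies in the hunks at -39 and -64.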
@@ -39,17 +42,19 @@ then
 then
 mkdir -p /opt/openziti/bin/user
 fi
- cp -p zfw /opt/openziti/bin
- cp -p zfw_tc_ingress.o /opt/openziti/bin
- cp -p zfw_tc_outbound_track.o /opt/openziti/bin
- cp -p zfw_xdp_tun_ingress.o /opt/openziti/bin
- cp -p zfw_tunnwrapper /opt/openziti/bin
- cp -p ../files/scripts/start_ebpf_tunnel.py /opt/openziti/bin
- cp -p ../files/scripts/set_xdp_redirect.py /opt/openziti/bin
- cp -p ../files/scripts/user_rules.sh.sample /opt/openziti/bin/user
- cp -p ../files/json/ebpf_config.json.sample /opt/openziti/etc
- cp -p ../files/services/ziti-wrapper.service /etc/systemd/system
- cp -p ../files/services/ziti-fw-init.service /etc/systemd/system
+ cp zfw /opt/openziti/bin
+ cp zfw_tc_ingress.o /opt/openziti/bin
+ cp zfw_tc_outbound_track.o /opt/openziti/bin
+ cp zfw_xdp_tun_ingress.o /opt/openziti/bin
+ cp zfw_tunnwrapper /opt/openziti/bin
+ cp ../files/scripts/start_ebpf_tunnel.py /opt/openziti/bin
+ cp ../files/scripts/set_xdp_redirect.py /opt/openziti/bin
+ cp ../files/scripts/zfwlogs /etc/logrotate.d
+ cp ../files/scripts/user_rules.sh.sample /opt/openziti/bin/user
+ cp ../files/json/ebpf_config.json.sample /opt/openziti/etc
+ cp ../files/services/ziti-wrapper.service /etc/systemd/system
+ cp ../files/services/ziti-fw-init.service /etc/systemd/system
+ cp ../files/services/zfw-logging.service /etc/systemd/system
 chmod 744 /opt/openziti/bin/start_ebpf_tunnel.py
 chmod 744 /opt/openziti/bin/set_xdp_redirect.py
 chmod 744 /opt/openziti/bin/user/user_rules.sh.sample
@@ -64,5 +69,32 @@ then
 echo "ziti-edge-tunnel not installed!"
 exit 1
 fi
+elif [ $1 == "controller" ]
+then
+ if [ ! -d "/opt/openziti/bin/user" ]
+ then
+ mkdir -p /opt/openziti/bin/user
+ fi
+ if [ ! -d "/opt/openziti/etc" ]
+ then
+ mkdir -p /opt/openziti/etc
+ fi
+ cp zfw /opt/openziti/bin
+ cp zfw_tc_ingress.o /opt/openziti/bin
+ cp zfw_tc_outbound_track.o /opt/openziti/bin
+ cp ../files/scripts/start_ebpf_controller.py /opt/openziti/bin
+ cp ../files/scripts/revert_ebpf_controller.py /opt/openziti/bin
+ cp ../files/scripts/zfwlogs /etc/logrotate.d
+ cp ../files/scripts/user_rules.sh.sample /opt/openziti/bin/user
+ cp ../files/json/ebpf_config.json.sample /opt/openziti/etc
+ cp ../files/services/zfw-logging.service /etc/systemd/system
+ chmod 744 /opt/openziti/bin/start_ebpf_controller.py
+ chmod 744 /opt/openziti/bin/user/user_rules.sh.sample
+ chmod 744 /opt/openziti/bin/zfw
+
+ if [ ! -L "/usr/sbin/zfw" ]
+ then
+ ln -s /opt/openziti/bin/zfw /usr/sbin/zfw
+ fi
 fi
 exit 0
diff --git a/src/zfw.c b/src/zfw.c
index 1ab3c4f..3fa185a 100644
--- a/src/zfw.c
+++ b/src/zfw.c
@@ -155,7 +155,7 @@ char *tc_interface;
 char *log_file_name;
 char *object_file;
 char *direction_string;
-const char *argp_program_version = "0.5.12";
+const char *argp_program_version = "0.5.13";
 struct ring_buffer *ring_buffer;
 __u8 if_list[MAX_IF_LIST_ENTRIES];
diff --git a/src/zfw_tc_ingress.c b/src/zfw_tc_ingress.c
index 1cd0670..ebb9a7c 100644
--- a/src/zfw_tc_ingress.c
+++ b/src/zfw_tc_ingress.c
@@ -238,12 +238,11 @@ struct {
 } zet_transp_map SEC(".maps");
 struct {
- __uint(type, BPF_MAP_TYPE_HASH);
+ __uint(type, BPF_MAP_TYPE_LRU_HASH);
 __uint(key_size, sizeof(uint32_t));
 __uint(value_size,sizeof(bool));
 __uint(max_entries, BPF_MAX_ENTRIES);
 __uint(pinning, LIBBPF_PIN_BY_NAME);
- __uint(map_flags, BPF_F_NO_PREALLOC);
 } ddos_protect_map SEC(".maps");
 /*map to track up to 3 key matches per incoming packet search. Map is
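Review bot: `revert_ebpf_controller.py` is copied into /opt/openziti/bin but never made executable, whereas `start_ebpf_controller.py` gets `chmod 744` here and the CI packaging step chmods both; add `chmod 744 /opt/openziti/bin/revert_ebpf_controller.py` next to the existing chmod line. `elif [ $1 == "controller" ]` leaves `$1` unquoted, so a run with no argument turns the test into `[ == "controller" ]` and `[` reports an operator error instead of the branch simply not matching; write `elif [ "$1" == "controller" ]`. This mirrors the earlier router and tunnel tests outside the hunk, which presumably have the same problem and could be fixed in the same pass.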
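Review bot: Switching `ddos_protect_map` to `BPF_MAP_TYPE_LRU_HASH` changes the full-table behaviour from "insert fails with -E2BIG at BPF_MAX_ENTRIES" to "the least recently used key is silently evicted", and nothing in the hunk records that trade-off. If this map is only populated from userspace (the pin-by-name suggests the zfw CLI manages it) an operator's entry can now disappear without any error once the table is full; if the datapath ever inserts into it, a peer with enough distinct source addresses could evict the entries that matter, so the choice deserves a sentence on the struct, e.g. `/* LRU: past BPF_MAX_ENTRIES the least recently used key is evicted instead of the insert failing; BPF_F_NO_PREALLOC is not accepted for LRU maps */`. Removing `BPF_F_NO_PREALLOC` is required for the LRU type, so that part is correct, but it also means the map is now preallocated for BPF_MAX_ENTRIES entries at load time, which is worth checking against the memory budget of the smaller router hosts.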