From 444a95131a81d6b9f0ab3a3349115268e61d7372 Mon Sep 17 00:00:00 2001 From: r-caamano Date: Tue, 26 Mar 2024 15:42:44 +0000 Subject: [PATCH 01/10] Adding logging service and controller make install --- .github/workflows/ci.yml | 6 + .github/workflows/release.yml | 6 + CHANGELOG.md | 9 + files/scripts/start_ebpf_controller.py | 479 +++++++++++++++++++++++++ files/scripts/zfwlogs | 15 + files/services/zfw-logging.service | 13 + src/install.sh | 64 +++- src/zfw.c | 2 +- src/zfw_tc_ingress.c | 3 +- 9 files changed, 575 insertions(+), 22 deletions(-) create mode 100755 files/scripts/start_ebpf_controller.py create mode 100644 files/scripts/zfwlogs create mode 100644 files/services/zfw-logging.service diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 225a7df..1d0f541 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -58,6 +58,7 @@ jobs: mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin + mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d cp -p files/bin/zfw_xdp_tun_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/bin/zfw_tc_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/bin/zfw_tc_outbound_track.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 
@@ -65,7 +66,9 @@ jobs: cp -p files/scripts/start_ebpf_${{ matrix.ziti_type }}.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/scripts/user_rules.sh.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/ + cp -p files/scripts/zfwlogs ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d/ cp -p files/json/ebpf_config.json.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc/ + cp -p files/services/zfw-logging.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py @@ -147,6 +150,7 @@ jobs: mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin + mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d cp -p files/bin/zfw_xdp_tun_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/bin/zfw_tc_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/bin/zfw_tc_outbound_track.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 
@@ -154,7 +158,9 @@ jobs: cp -p files/scripts/start_ebpf_${{ matrix.ziti_type }}.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/scripts/user_rules.sh.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/ + cp -p files/scripts/zfwlogs ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d/ cp -p files/json/ebpf_config.json.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc/ + cp -p files/services/zfw-logging.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c378a55..e300cde 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -59,6 +59,7 @@ jobs: mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin + mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d cp -p files/bin/zfw_xdp_tun_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/bin/zfw_tc_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/bin/zfw_tc_outbound_track.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 
@@ -66,7 +67,9 @@ jobs: cp -p files/scripts/start_ebpf_${{ matrix.ziti_type }}.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/scripts/user_rules.sh.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/ + cp -p files/scripts/zfwlogs ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d/ cp -p files/json/ebpf_config.json.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc/ + cp -p files/services/zfw-logging.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py @@ -148,6 +151,7 @@ jobs: mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin + mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d cp -p files/bin/zfw_xdp_tun_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/bin/zfw_tc_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/bin/zfw_tc_outbound_track.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 
@@ -155,7 +159,9 @@ jobs: cp -p files/scripts/start_ebpf_${{ matrix.ziti_type }}.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/scripts/user_rules.sh.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/ + cp -p files/scripts/zfwlogs ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d/ cp -p files/json/ebpf_config.json.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc/ + cp -p files/services/zfw-logging.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py diff --git a/CHANGELOG.md b/CHANGELOG.md index fae0ded..7e50e40 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,15 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). --- +# [0.5.13] - 2024-03-16 + +### + +- Changed ddos_protect_map to typr BPF_MAP_TYPE_LRU_HASH to allow cycling of entries +- Added controller startup script +- Added optional logging systemd service with log rotation support +- Updated make install.sh for controller install and logging service files +- Removed -p from cp commands in make install.sh so files are installed as owned by root user # [0.5.12] - 2024-03-14 ### diff --git a/files/scripts/start_ebpf_controller.py b/files/scripts/start_ebpf_controller.py new file mode 100755 index 0000000..2369866 --- /dev/null +++ b/files/scripts/start_ebpf_controller.py 
@@ -0,0 +1,479 @@ +#!/usr/bin/env python3 +import os +import sys +import json +import subprocess +import time +import yaml +import argparse + +controller = False +router = False + +def tc_status(interface, direction): + process = subprocess.Popen(['tc', 'filter', 'show', 'dev', interface, direction], stdout=subprocess.PIPE, stderr=subprocess.PIPE) + out, err = process.communicate() + data = out.decode().splitlines() + if(len(data)): + return True + else: + return False + +def add_health_check_rules(lan_ip, lan_mask): + if(os.path.exists('/opt/openziti/ziti-router/config.yml')): + try: + with open('/opt/openziti/ziti-router/config.yml') as config_file: + config = yaml.load(config_file, Loader=yaml.FullLoader) + if(config): + if('web' in config.keys()): + for key in config['web']: + if(('name' in key.keys()) and (key['name'] == 'health-check')): + if('bindPoints' in key.keys()): + for point in key['bindPoints']: + address = point['address'] + addr_array = address.split(':') + if(len(addr_array)): + try: + port = addr_array[-1].strip() + if(int(port) > 0): + os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp') + except Exception as e: + print(e) + pass + except Exception as e: + print(e) + + +def add_link_listener_rules(lan_ip, lan_mask): + if(os.path.exists('/opt/openziti/ziti-router/config.yml')): + try: + with open('/opt/openziti/ziti-router/config.yml') as config_file: + config = yaml.load(config_file, Loader=yaml.FullLoader) + if(config): + if('link' in config.keys()): + if('listeners' in config['link'].keys()): + for key in config['link']['listeners']: + if(('binding' in key.keys()) and (key['binding'] == 'transport')): + if('bind' in key.keys()): + address = key['bind'] + addr_array = address.split(':') + if(len(addr_array) == 3): + try: + port = addr_array[-1].strip() + if((int(port) > 0) and (addr_array[0] == 'tls')): + os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' 
-l ' + port + ' -h ' + port + ' -t 0 -p tcp') + except Exception as e: + print(e) + pass + except Exception as e: + print(e) + +def add_controller_edge_listener_rules(lan_ip, lan_mask): + if(os.path.exists('/opt/openziti/ziti-router/config.yml')): + try: + with open('/opt/openziti/ziti-controller/controller01.config.yml') as config_file: + config = yaml.load(config_file, Loader=yaml.FullLoader) + if(config): + if('edge' in config.keys()): + if 'api' in config['edge'].keys(): + if("address" in config['edge']['api'].keys()): + address = config['edge']['api']['address'] + addr_array = address.split(':') + if(len(addr_array) == 2): + port = addr_array[-1].strip() + try: + port = addr_array[-1].strip() + if((int(port) > 0)): + os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp') + except Exception as e: + print(e) + pass + except Exception as e: + print(e) + +def add_controller_ctrl_listener_rules(lan_ip, lan_mask): + if(os.path.exists('/opt/openziti/ziti-router/config.yml')): + try: + with open('/opt/openziti/ziti-controller/controller01.config.yml') as config_file: + config = yaml.load(config_file, Loader=yaml.FullLoader) + if(config): + if('ctrl' in config.keys()): + if 'listener' in config['ctrl'].keys(): + address = config['ctrl']['listener'] + addr_array = address.split(':') + if(len(addr_array) == 3): + port = addr_array[-1].strip() + try: + port = addr_array[-1].strip() + if((int(port) > 0) and (addr_array[0] == 'tls')): + os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp') + except Exception as e: + print(e) + pass + except Exception as e: + print(e) + +def add_controller_web_listener_rules(lan_ip, lan_mask): + if(os.path.exists('/opt/openziti/ziti-router/config.yml')): + try: + with open('/opt/openziti/ziti-controller/controller01.config.yml') as config_file: + config = yaml.load(config_file, Loader=yaml.FullLoader) + 
if(config): + if('web' in config.keys()): + for key in config['web']: + if('bindPoints' in key.keys()): + for bind in key['bindPoints']: + address = bind['interface'] + addr_array = address.split(':') + if(len(addr_array) == 2): + port = addr_array[-1].strip() + try: + port = addr_array[-1].strip() + if((int(port) > 0)): + os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp') + except Exception as e: + print(e) + pass + except Exception as e: + print(e) + + +def add_controller_port_forwarding_rule(lan_ip, lan_mask): + test = os.system("grep -rnw \'A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 443\' /etc/ufw/before.rules") + if(not test): + port = "80" + os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp') + else: + print("Port forwarding rul not found") + +def add_edge_listener_rules(lan_ip, lan_mask): + if(os.path.exists('/opt/openziti/ziti-router/config.yml')): + try: + with open('/opt/openziti/ziti-router/config.yml') as config_file: + config = yaml.load(config_file, Loader=yaml.FullLoader) + if(config): + if('listeners' in config.keys()): + for key in config['listeners']: + if(('binding' in key.keys()) and (key['binding'] == 'edge')): + if('address' in key.keys()): + address = key['address'] + addr_array = address.split(':') + if(len(addr_array) == 3): + port = addr_array[-1].strip() + try: + port = addr_array[-1].strip() + if((int(port) > 0) and (addr_array[0] == 'tls')): + os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp') + except Exception as e: + print(e) + pass + except Exception as e: + print(e) + +def add_resolver_rules(): + if(os.path.exists('/opt/openziti/ziti-router/config.yml')): + try: + with open('/opt/openziti/ziti-router/config.yml') as config_file: + config = yaml.load(config_file, Loader=yaml.FullLoader) + if(config): + if('listeners' in 
config.keys()): + for key in config['listeners']: + if(('binding' in key.keys()) and (key['binding'] == 'tunnel')): + if('options' in key.keys()): + if('resolver' in key['options']): + address = key['options']['resolver'] + addr_array = address.split(':') + if(len(addr_array) == 3): + port = addr_array[-1].strip() + lan_ip = addr_array[1].split('//') + lan_mask = '32' + try: + port = addr_array[-1].strip() + lan_ip = addr_array[1].split('//')[1] + if((int(port) > 0)): + os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p tcp') + if(lan_ip == '100.127.255.254'): + #special case for NF AWS Gateway loadbalance via DNS over GENEVE using 100.127.255.254 on loopback so add route on loopback + os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p udp -r') + else: + os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + port + ' -h ' + port + ' -t 0 -p udp') + except Exception as e: + print(e) + pass + except Exception as e: + print(e) + +def write_config(config): + try: + with open('/opt/openziti/ziti-router/config.yml', 'w') as config_file: + yaml.dump(config, config_file, sort_keys=False) + except Exception as e: + print(e) + +def get_if_ip(intf): + process = subprocess.Popen(['ip', 'add'], stdout=subprocess.PIPE, stderr=subprocess.PIPE) + out, err = process.communicate() + data = out.decode().splitlines() + for line in data: + if((line.find(intf) >= 0) and (line.find('inet') >= 0)): + search_list = line.strip().split(" ") + if search_list[-1].strip() == intf: + return search_list[1] + return "" + +def set_local_rules(ip): + default_ip = '0.0.0.0' + default_mask = '0' + if len(ip.split('/')) == 2: + lan_ip = ip.split('/')[0] + lan_mask = '32' + else: + lan_ip = default_ip + lan_mask = default_mask + if controller: + add_controller_edge_listener_rules(lan_ip, lan_mask) + add_controller_web_listener_rules(lan_ip, lan_mask) + 
add_controller_port_forwarding_rule(lan_ip, lan_mask) + if router: + add_link_listener_rules(lan_ip, lan_mask) + + +parser = argparse.ArgumentParser(description="Network build script") +parser.add_argument("--lanIf", required=True, help='') +args = parser.parse_args() +lanIf = args.lanIf +if(os.path.exists('/opt/netfoundry/ziti/ziti-controller/conf/controller01.config.yml')): + controller = True + print("Detected Netfoundry install") + if(not os.path.exists('/opt/openziti/ziti-controller/controller01.config.yml')): + print("Installing symlink from /opt/openziti/ziti-controller to /opt/netfoundry/ziti/ziti-controller/conf") + os.symlink('/opt/netfoundry/ziti/ziti-controller/conf', '/opt/openziti/ziti-controller') + else: + print("Symlink found nothing to do!") + if(os.path.exists('/opt/netfoundry/ziti/ziti-router/config.yml')): + router = True + print("Detected Netfoundry install/registration!") + if(not os.path.exists('/opt/openziti/ziti-router/config.yml')): + print("Installing symlink from /opt/openziti/ziti-router to /opt/netfoundry/ziti/ziti-router!") + os.symlink('/opt/netfoundry/ziti/ziti-router', '/opt/openziti/ziti-router') + else: + print("Symlink found nothing to do!") + +if(not os.path.exists('/opt/openziti/etc/ebpf_config.json')): + if(os.path.exists('/opt/openziti/etc/ebpf_config.json.sample')): + with open('/opt/openziti/etc/ebpf_config.json.sample','r') as jfile: + try: + config = json.loads(jfile.read()) + if(config): + if("InternalInterfaces" in config.keys()): + interfaces = config["InternalInterfaces"] + if len(interfaces): + interface = interfaces[0] + if("Name" in interface.keys()): + interface['Name'] = lanIf + else: + print('Missing mandatory key: Name') + sys.exit(1) + else: + print('Invalid config no interfaces found!') + sys.exit(1) + with open('/opt/openziti/etc/ebpf_config.json', 'w') as ofile: + json.dump(config, ofile) + except Exception as e: + print('Malformed or missing json object in /opt/openziti/etc/ebpf_config.json.sample') + 
sys.exit(1) + else: + print('File does not exist: /opt/openziti/etc/ebpf_config.json.sample') +else: + print('File already exist: /opt/openziti/etc/ebpf_config.json') + +internal_list = [] +external_list = [] +per_interface_rules = dict() +outbound_passthrough_track = dict() +if(os.path.exists('/opt/openziti/etc/ebpf_config.json')): + with open('/opt/openziti/etc/ebpf_config.json','r') as jfile: + try: + config = json.loads(jfile.read()) + if(config): + if "InternalInterfaces" in config.keys(): + i_interfaces = config["InternalInterfaces"] + if len(i_interfaces): + for interface in i_interfaces: + if("Name" in interface.keys()): + print("Attempting to add ebpf ingress to: ",interface["Name"]) + internal_list.append(interface["Name"]) + if("OutboundPassThroughTrack") in interface.keys(): + if(interface["OutboundPassThroughTrack"]): + outbound_passthrough_track[interface["Name"]] = True; + else: + outbound_passthrough_track[interface["Name"]] = False; + else: + outbound_passthrough_track[interface["Name"]] = False; + if("PerInterfaceRules") in interface.keys(): + if(interface["PerInterfaceRules"]): + per_interface_rules[interface["Name"]] = True; + else: + per_interface_rules[interface["Name"]] = False; + else: + per_interface_rules[interface["Name"]] = False; + else: + print('Mandatory key \"Name\" missing skipping internal interface entry!') + + else: + print("No internal interfaces listed in /opt/openziti/etc/ebpf_config.json add at least one interface") + sys.exit(1) + if("ExternalInterfaces" in config.keys()): + e_interfaces = config["ExternalInterfaces"] + if len(e_interfaces): + for interface in e_interfaces: + if("Name" in interface.keys()): + print("Attempting to add ebpf egress to: ",interface["Name"]) + external_list.append(interface["Name"]) + if("OutboundPassThroughTrack") in interface.keys(): + if(interface["OutboundPassThroughTrack"]): + outbound_passthrough_track[interface["Name"]] = True; + else: + outbound_passthrough_track[interface["Name"]] = 
False; + else: + outbound_passthrough_track[interface["Name"]] = True; + if("PerInterfaceRules") in interface.keys(): + if(interface["PerInterfaceRules"]): + per_interface_rules[interface["Name"]] = True; + else: + per_interface_rules[interface["Name"]] = False; + else: + per_interface_rules[interface["Name"]] = True; + else: + print('Mandatory key \"Name\" missing skipping external interface entry!') + else: + print("No External interfaces listed in /opt/openziti/etc/ebpf_config.json") + except Exception as e: + print("Malformed or missing json object in /opt/openziti/etc/ebpf_config.json") + sys.exit(1) +else: + print("Missing /opt/openziti/etc/ebpf_config.json can't set ebpf interface config") + sys.exit(1) + +ingress_object_file = '/opt/openziti/bin/zfw_tc_ingress.o' +egress_object_file = '/opt/openziti/bin/zfw_tc_outbound_track.o' +status = subprocess.run(['/opt/openziti/bin/zfw', '-L', '-E'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) +if(status.returncode): + test1 = subprocess.run(['/opt/openziti/bin/zfw', '-Q'],stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) + if(test1.returncode): + print("Ebpf not running no maps to clear") + for i in internal_list: + if(not tc_status(i, "ingress")): + test1 = os.system("/opt/openziti/bin/zfw -X " + i + " -O " + ingress_object_file + " -z ingress") + time.sleep(1) + if(test1): + print("Cant attach " + i + " to tc ingress with " + ingress_object_file) + continue + else: + print("Attached " + ingress_object_file + " to " + i) + os.system("sudo ufw allow in on " + i + " to any") + if(per_interface_rules[i]): + os.system("/opt/openziti/bin/zfw -P " + i) + if(not tc_status(i, "egress")): + if(outbound_passthrough_track[i]): + test1 = os.system("/opt/openziti/bin/zfw -X " + i + " -O " + egress_object_file + " -z egress") + if(test1): + print("Cant attach " + i + " to tc egress with " + egress_object_file) + continue + else: + print("Attached " + egress_object_file + " to " + i) + for e in external_list: + 
if(not tc_status(e, "ingress")): + test1 = os.system("/opt/openziti/bin/zfw -X " + e + " -O " + ingress_object_file + " -z ingress") + if(test1): + os.system("/opt/openziti/bin/zfw -Q") + print("Cant attach " + e + " to tc ingress with " + ingress_object_file) + continue + else: + print("Attached " + ingress_object_file + " to " + e) + os.system("sudo ufw allow in on " +e + " to any") + time.sleep(1) + if(per_interface_rules[e]): + os.system("/opt/openziti/bin/zfw -P " + e) + if(not tc_status(e, "egress")): + if(outbound_passthrough_track[e]): + test1 = os.system("/opt/openziti/bin/zfw -X " + e + " -O " + egress_object_file + " -z egress") + if(test1): + print("Cant attach " + e + " to tc egress with " + egress_object_file) + os.system("/opt/openziti/bin/zfw -Q") + continue + else: + print("Attached " + egress_object_file + " to " + e) + if(os.path.exists("/opt/openziti/bin/user/user_rules.sh")): + print("Adding user defined rules") + os.system("/opt/openziti/bin/user/user_rules.sh") +else: + print("ebpf already running!"); + os.system("/usr/sbin/zfw -F -r") + print("Flushed Table") + for i in internal_list: + if(not tc_status(i, "ingress")): + test1 = os.system("/opt/openziti/bin/zfw -X " + i + " -O " + ingress_object_file + " -z ingress") + time.sleep(1) + if(test1): + print("Cant attach " + i + " to tc ingress with " + ingress_object_file) + else: + print("Attached " + ingress_object_file + " to " + i) + os.system("sudo ufw allow in on " + i + " to any") + if(per_interface_rules[i]): + os.system("/opt/openziti/bin/zfw -P " + i) + if(not tc_status(i, "egress")): + if(outbound_passthrough_track[i]): + test1 = os.system("/opt/openziti/bin/zfw -X " + i + " -O " + egress_object_file + " -z egress") + if(test1): + print("Cant attach " + i + " to tc egress with " + egress_object_file) + else: + print("Attached " + egress_object_file + " to " + i) + for e in external_list: + if(not tc_status(e, "ingress")): + test1 = os.system("/opt/openziti/bin/zfw -X " + e + " -O " + 
ingress_object_file + " -z ingress") + if(test1): + print("Cant attach " + e + " to tc ingress with " + ingress_object_file) + else: + print("Attached " + ingress_object_file + " to " + e) + os.system("sudo ufw allow in on " +e + " to any") + time.sleep(1) + if(per_interface_rules[e]): + os.system("/opt/openziti/bin/zfw -P " + e) + if(not tc_status(e, "egress")): + if(outbound_passthrough_track[e]): + test1 = os.system("/opt/openziti/bin/zfw -X " + e + " -O " + egress_object_file + " -z egress") + if(test1): + print("Cant attach " + e + " to tc egress with " + egress_object_file) + else: + print("Attached " + egress_object_file + " to " + e) + if(os.path.exists("/opt/openziti/bin/user/user_rules.sh")): + print("Adding user defined rules!") + os.system("/opt/openziti/bin/user/user_rules.sh") + +lanIp = get_if_ip(lanIf) +if(len(lanIp)): + set_local_rules(lanIp) +if(os.path.exists('/etc/systemd/system/ziti-controller.service') and controller): + unconfigured = os.system("grep -r 'ExecStartPre\=\-\/opt/openziti\/bin\/start_ebpf_controller.py' /etc/systemd/system/ziti-controller.service") + if(unconfigured): + test0 = 1 + test0 = os.system("sed -i 's/User\=ziti/User\=root/g' /etc/systemd/system/ziti-controller.service") + test1 = 1 + test1 = os.system("sed -i '/ExecStart=/i ExecStartPre\=\-\/opt\/openziti\/bin\/start_ebpf_controller.py --lanIf " + lanIf + "' /etc/systemd/system/ziti-controller.service") + if((not test0) and (not test1)): + test1 = os.system("systemctl daemon-reload") + if(not test1): + print("Successfully converted ziti-controller.service. Restarting!") + os.system('systemctl restart ziti-controller.service') + if(not os.system('systemctl is-active --quiet ziti-controller.service')): + print("ziti-controller.service successfully restarted!") + else: + print('ziti-controller.service unable to start check router logs!') + else: + print("Failed to convert ziti-controller.service!") + else: + print("ziti-controller.service already converted. 
Nothing to do!") +else: + print("Skipping ziti-controller.service conversion. File does not exist or is already converted to run ebpf!") +sys.exit(0) diff --git a/files/scripts/zfwlogs b/files/scripts/zfwlogs new file mode 100644 index 0000000..59dc7ca --- /dev/null +++ b/files/scripts/zfwlogs @@ -0,0 +1,15 @@ +/var/log/zfw.log { + weekly + maxsize 1G + minsize 500M + rotate 7 + compress + delaycompress + missingok + notifempty + dateext + create 644 root root + postrotate + /usr/bin/killall -HUP rsyslogd + endscript +} diff --git a/files/services/zfw-logging.service b/files/services/zfw-logging.service new file mode 100644 index 0000000..f3fb5e3 --- /dev/null +++ b/files/services/zfw-logging.service @@ -0,0 +1,13 @@ +[Unit] +Description=zfw-logging +BindsTo=ziti-router.service +After=ziti-router.service + +[Service] +User=root +ExecStart=/opt/openziti/bin/zfw -M all -W /var/log/zfw.log +Restart=always +RestartSec=3 + +[Install] +WantedBy=ziti-router.service diff --git a/src/install.sh b/src/install.sh index 167561d..b82d08a 100755 --- a/src/install.sh +++ b/src/install.sh 
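Review bot: add_controller_edge_listener_rules, add_controller_ctrl_listener_rules and add_controller_web_listener_rules gate on `os.path.exists('/opt/openziti/ziti-router/config.yml')` but then open `/opt/openziti/ziti-controller/controller01.config.yml`, so on a controller host with no router config every controller listener rule is silently skipped; the guard should test the file that is actually opened, `if(os.path.exists('/opt/openziti/ziti-controller/controller01.config.yml')):`. The sed near the end rewrites `User=ziti` to `User=root`, which runs the whole controller as root only so the pre-start hook can load eBPF; systemd's `+` executable prefix runs one Exec line with full privileges while the service keeps its own user, e.g. `ExecStartPre=-+/opt/openziti/bin/start_ebpf_controller.py --lanIf <IF>` (IF is a placeholder), so the User= rewrite can be dropped. Every `zfw -I ...` call is an os.system shell string assembled from values read out of the YAML files (port, and in add_resolver_rules an unvalidated lan_ip); this same hunk already uses `subprocess.run([...])` for `zfw -L -E`, and that list form here removes shell parsing and yields a return code that can be checked instead of the current print-and-continue. `yaml.load(config_file, Loader=yaml.FullLoader)` can be `yaml.safe_load(config_file)` for these plain-mapping configs, and the `'s/User\=ziti/...'` and `'/ExecStart=/i ExecStartPre\=\-\/opt...'` literals contain invalid escape sequences that Python 3.12 reports as SyntaxWarning, so they should be raw strings.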
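Review bot: The postrotate action `/usr/bin/killall -HUP rsyslogd` signals rsyslog, but /var/log/zfw.log is written directly by `zfw -M all -W /var/log/zfw.log` from the new zfw-logging.service rather than by rsyslog, so after the rename zfw keeps writing to the rotated file through its open descriptor and the fresh zfw.log stays empty, unless zfw reopens the file on its own, which nothing in this patch shows. Either use `copytruncate` in place of the postrotate block, or have postrotate restart or signal zfw-logging.service if zfw is known to reopen its log on that signal. `create 644 root root` makes the connection log world-readable; `create 640 root adm` matches the usual /var/log convention.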
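Review bot: The unit is tied to the router only (`BindsTo=ziti-router.service`, `After=ziti-router.service`, `WantedBy=ziti-router.service`), yet install.sh in this same commit copies it into /etc/systemd/system for the router, tunnel and controller cases and ci.yml/release.yml package it for every matrix.ziti_type, so on a controller or tunnel host it will never start and `systemctl enable` will create a wants link under a unit that does not exist there. Either ship a variant per install type or drop the BindsTo/WantedBy coupling and let the operator enable it with `WantedBy=multi-user.target`. The unit also says nothing about what it produces; a `Description=zfw eBPF event logging to /var/log/zfw.log` plus a comment noting that the file is rotated by /etc/logrotate.d/zfwlogs would help the next maintainer.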
@@ -15,14 +15,16 @@ then then mkdir -p /opt/openziti/etc fi - cp -p zfw /opt/openziti/bin - cp -p zfw_tc_ingress.o /opt/openziti/bin - cp -p zfw_tc_outbound_track.o /opt/openziti/bin - cp -p ../files/scripts/start_ebpf_router.py /opt/openziti/bin - cp -p ../files/scripts/revert_ebpf_router.py /opt/openziti/bin - cp -p ../files/scripts/revert_ebpf_router.py /opt/openziti/bin - cp -p ../files/scripts/user_rules.sh.sample /opt/openziti/bin/user - cp -p ../files/json/ebpf_config.json.sample /opt/openziti/etc + cp zfw /opt/openziti/bin + cp zfw_tc_ingress.o /opt/openziti/bin + cp zfw_tc_outbound_track.o /opt/openziti/bin + cp ../files/scripts/start_ebpf_router.py /opt/openziti/bin + cp ../files/scripts/revert_ebpf_router.py /opt/openziti/bin + cp ../files/scripts/revert_ebpf_router.py /opt/openziti/bin + cp ../files/scripts/zfwlogs /etc/logrotate.d + cp ../files/scripts/user_rules.sh.sample /opt/openziti/bin/user + cp ../files/json/ebpf_config.json.sample /opt/openziti/etc + cp ../files/services/zfw-logging.service /etc/systemd/system chmod 744 /opt/openziti/bin/start_ebpf_router.py chmod 744 /opt/openziti/bin/revert_ebpf_router.py chmod 744 /opt/openziti/bin/user/user_rules.sh.sample 
@@ -39,17 +41,19 @@ then then mkdir -p /opt/openziti/bin/user fi - cp -p zfw /opt/openziti/bin - cp -p zfw_tc_ingress.o /opt/openziti/bin - cp -p zfw_tc_outbound_track.o /opt/openziti/bin - cp -p zfw_xdp_tun_ingress.o /opt/openziti/bin - cp -p zfw_tunnwrapper /opt/openziti/bin - cp -p ../files/scripts/start_ebpf_tunnel.py /opt/openziti/bin - cp -p ../files/scripts/set_xdp_redirect.py /opt/openziti/bin - cp -p ../files/scripts/user_rules.sh.sample /opt/openziti/bin/user - cp -p ../files/json/ebpf_config.json.sample /opt/openziti/etc - cp -p ../files/services/ziti-wrapper.service /etc/systemd/system - cp -p ../files/services/ziti-fw-init.service /etc/systemd/system + cp zfw /opt/openziti/bin + cp zfw_tc_ingress.o /opt/openziti/bin + cp zfw_tc_outbound_track.o /opt/openziti/bin + cp zfw_xdp_tun_ingress.o /opt/openziti/bin + cp zfw_tunnwrapper /opt/openziti/bin + cp ../files/scripts/start_ebpf_tunnel.py /opt/openziti/bin + cp ../files/scripts/set_xdp_redirect.py /opt/openziti/bin + cp ../files/scripts/zfwlogs /etc/logrotate.d + cp ../files/scripts/user_rules.sh.sample /opt/openziti/bin/user + cp ../files/json/ebpf_config.json.sample /opt/openziti/etc + cp ../files/services/ziti-wrapper.service /etc/systemd/system + cp ../files/services/ziti-fw-init.service /etc/systemd/system + cp ../files/services/zfw-logging.service /etc/systemd/system chmod 744 /opt/openziti/bin/start_ebpf_tunnel.py chmod 744 /opt/openziti/bin/set_xdp_redirect.py chmod 744 /opt/openziti/bin/user/user_rules.sh.sample 
@@ -64,5 +68,27 @@ then echo "ziti-edge-tunnel not installed!" exit 1 fi +elif [ $1 == "controller" ] +then + if [ ! -d "/opt/openziti/bin/user" ] + then + mkdir -p /opt/openziti/bin/user + fi + cp zfw /opt/openziti/bin + cp zfw_tc_ingress.o /opt/openziti/bin + cp zfw_tc_outbound_track.o /opt/openziti/bin + cp ../files/scripts/start_ebpf_controller.py /opt/openziti/bin + cp ../files/scripts/zfwlogs /etc/logrotate.d + cp ../files/scripts/user_rules.sh.sample /opt/openziti/bin/user + cp ../files/json/ebpf_config.json.sample /opt/openziti/etc + cp ../files/services/zfw-logging.service /etc/systemd/system + chmod 744 /opt/openziti/bin/start_ebpf_controller.py + chmod 744 /opt/openziti/bin/user/user_rules.sh.sample + chmod 744 /opt/openziti/bin/zfw + + if [ ! -L "/usr/sbin/zfw" ] + then + ln -s /opt/openziti/bin/zfw /usr/sbin/zfw + fi fi exit 0 diff --git a/src/zfw.c b/src/zfw.c index 1ab3c4f..3fa185a 100644 --- a/src/zfw.c +++ b/src/zfw.c @@ -155,7 +155,7 @@ char *tc_interface; char *log_file_name; char *object_file; char *direction_string; -const char *argp_program_version = "0.5.12"; +const char *argp_program_version = "0.5.13"; struct ring_buffer *ring_buffer; __u8 if_list[MAX_IF_LIST_ENTRIES]; diff --git a/src/zfw_tc_ingress.c b/src/zfw_tc_ingress.c index 1cd0670..ebb9a7c 100644 --- a/src/zfw_tc_ingress.c +++ b/src/zfw_tc_ingress.c @@ -238,12 +238,11 @@ struct { } zet_transp_map SEC(".maps"); struct { - __uint(type, BPF_MAP_TYPE_HASH); + __uint(type, BPF_MAP_TYPE_LRU_HASH); __uint(key_size, sizeof(uint32_t)); __uint(value_size,sizeof(bool)); __uint(max_entries, BPF_MAX_ENTRIES); __uint(pinning, LIBBPF_PIN_BY_NAME); - __uint(map_flags, BPF_F_NO_PREALLOC); } ddos_protect_map SEC(".maps"); /*map to track up to 3 key matches per incoming packet search. Map is From 3e258022d76b5f44b5b7aa4d15e25f156c6a6579 Mon Sep 17 00:00:00 2001 
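Review bot: The new branch `elif [ $1 == "controller" ]` leaves `$1` unquoted, so running install.sh with no argument turns it into `[ == "controller" ]` and a test syntax error rather than a usage message, and `==` is a bash extension to `[`; `elif [ "$1" = "controller" ]` is the portable form (the earlier router and tunnel branches outside this hunk presumably use the same pattern and would benefit from the same change). The branch copies zfw-logging.service and zfwlogs into /etc but never runs `systemctl daemon-reload`, so the unit is not visible to systemd until the operator does that by hand; an explicit `systemctl daemon-reload` after the copies, or a comment stating that follow-up, would make the expectation clear. The enclosing if/elif chain starts before this hunk.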
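Review bot: The switch of ddos_protect_map to BPF_MAP_TYPE_LRU_HASH is undocumented in the map definition, and the dropped `__uint(map_flags, BPF_F_NO_PREALLOC)` is a kernel constraint (LRU hash maps reject BPF_F_NO_PREALLOC and are always preallocated) rather than an optional tidy-up, so the next maintainer may put it back; a comment such as `/* LRU so entries cycle out under load instead of the map filling; BPF_F_NO_PREALLOC is not accepted for LRU maps, so the full BPF_MAX_ENTRIES table is preallocated. */` above the struct would capture both. With LRU semantics a sustained burst of new keys evicts older entries, so any decision the ingress path takes from a lookup in this map (the lookup is outside this hunk) becomes best-effort under exactly the load the map is named for; that appears to be the intent per the CHANGELOG entry, and it is worth stating in the same comment.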
From: r-caamano Date: Tue, 26 Mar 2024 16:15:59 +0000 Subject: [PATCH 02/10] added mkdir /opt/openziti/etc for controller case --- src/install.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/install.sh b/src/install.sh index b82d08a..f7a7dad 100755 --- a/src/install.sh +++ b/src/install.sh @@ -74,6 +74,10 @@ then then mkdir -p /opt/openziti/bin/user fi + if [ ! -d "/opt/openziti/etc" ] + then + mkdir -p /opt/openziti/etc + fi cp zfw /opt/openziti/bin cp zfw_tc_ingress.o /opt/openziti/bin cp zfw_tc_outbound_track.o /opt/openziti/bin From 1310ce122d728765f90bb19e7d70c835aef5e8eb Mon Sep 17 00:00:00 2001 From: r-caamano Date: Wed, 27 Mar 2024 15:50:11 +0000 Subject: [PATCH 03/10] added revert script for controller install --- files/scripts/revert_ebpf_controller.py | 148 ++++++++++++++++++++++++ src/install.sh | 1 + 2 files changed, 149 insertions(+) create mode 100755 files/scripts/revert_ebpf_controller.py diff --git a/files/scripts/revert_ebpf_controller.py b/files/scripts/revert_ebpf_controller.py new file mode 100755 index 0000000..a3696dd --- /dev/null +++ b/files/scripts/revert_ebpf_controller.py 
@@ -0,0 +1,148 @@ +#!/usr/bin/env python3 +import os +import subprocess +import sys +import json +import yaml +from signal import signal, SIGPIPE, SIG_DFL +signal(SIGPIPE,SIG_DFL) + + +def set_tproxy_mode(): + if(os.path.exists('/opt/openziti/ziti-router/config.yml')): + try: + with open('/opt/openziti/ziti-router/config.yml') as config_file: + config = yaml.load(config_file, Loader=yaml.FullLoader) + if(config): + if('listeners' in config.keys()): + for key in config['listeners']: + if(('binding' in key.keys()) and (key['binding'] == 'tunnel')): + if('options' in key.keys()): + if('mode' in key['options']): + if(key['options']['mode'] == 'tproxy'): + print("ziti-router config.yml already converted to use tproxy!") + elif(key['options']['mode'] == 'tproxy:/opt/openziti/bin/zfw'): + key['options']['mode'] = 'tproxy' + write_config(config) + return True + else: + print("ziti-router config.yml already converted to use tproxy!") + else: + print('Mandatory key \'options\' missing from binding: tunnel') + sys.exit(1) + else: + print('Mandatory key \'listeners\' missing in config.yml') + sys.exit(1) + except Exception as e: + print(e) + sys.exit(1) + else: + print('ziti-router not installed, skipping ebpf router configuration!') + sys.exit(1) + return False + +def write_config(config): + try: + with open('/opt/openziti/ziti-router/config.yml', 'w') as config_file: + yaml.dump(config, config_file, sort_keys=False) + except Exception as e: + print(e) + sys.exit(1) + +def delete(rule): + os.system('yes | /usr/sbin/ufw delete ' + str(rule) + ' > /dev/null 2>&1') + +def remove_ufw_rule(rule): + process = subprocess.Popen(['ufw', 'status', 'numbered'], stdout=subprocess.PIPE, stderr=subprocess.PIPE) + out, err = process.communicate() + data = out.decode().splitlines() + count = 1 + for line in data: + if((line.find(rule) >= 0) and (line.find('ALLOW IN') >= 0)): + print("removing:", line) + delete(count) + if(line.startswith('[')): + count = count + 1 + +def iterate_rules(intf): 
+ rules = ['Anywhere on ' + intf, 'Anywhere (v6) on ' + intf] + for rule in rules: + remove_ufw_rule(rule) + +if(os.path.exists('/opt/openziti/etc/ebpf_config.json')): + with open('/opt/openziti/etc/ebpf_config.json','r') as jfile: + try: + config = json.loads(jfile.read()) + if(config): + if("InternalInterfaces" in config.keys()): + i_interfaces = config["InternalInterfaces"] + if len(i_interfaces): + for interface in i_interfaces: + if("Name" in interface.keys()): + if(interface["Name"] != "lo"): + print("Attempting to restore ufw state: ",interface["Name"]) + iterate_rules(interface["Name"]) + else: + print('Mandatory key \"Name\" missing skipping internal interface entry!') + else: + print("No internal interfaces listed in /opt/openziti/etc/ebpf_config.json skipping internal interface ufw reversion interface!") + if("ExternalInterfaces" in config.keys()): + e_interfaces = config["ExternalInterfaces"] + if len(e_interfaces): + for interface in e_interfaces: + if("Name" in interface.keys()): + if(interface["Name"] != "lo"): + print("Attempting to restore ufw state: ",interface["Name"]) + iterate_rules(interface["Name"]) + else: + print('Mandatory key \"Name\" missing skipping external interface ufw reversion!') + except Exception as e: + print("Malformed or missing json object in /opt/openziti/etc/ebpf_config.json can't revert ufw!") + +service = False +if(os.path.exists('/etc/systemd/system/ziti-router.service')): + unconfigured = os.system("grep -r 'ExecStartPre\=\-\/opt/openziti\/bin\/start_ebpf_router.py' /etc/systemd/system/ziti-router.service") + if(not unconfigured): + os.system("sed -i 's/#ExecStartPre\=\-\/opt\/netfoundry\/ebpf\/objects\/etables \-F \-r/ExecStartPre\=-\/opt\/netfoundry\/ebpf\/objects\/etables \-F \-r/g' /etc/systemd/system/ziti-router.service") + os.system("sed -i 's/#ExecStartPre\=\-\/opt\/netfoundry\/ebpf\/scripts\/tproxy_splicer_startup.sh/ExecStartPre\=\-\/opt\/netfoundry\/ebpf\/scripts\/tproxy_splicer_startup.sh/g' 
/etc/systemd/system/ziti-router.service") + test1 = os.system("sed -i '/ExecStartPre\=\-\/opt\/openziti\/bin\/start_ebpf_router.py/d' /etc/systemd/system/ziti-router.service") + if(not test1): + test1 = os.system("systemctl daemon-reload") + if(not test1): + service = True + os.system("/opt/openziti/bin/zfw -Q") + if(os.path.exists("/opt/openziti/etc/ebpf_config.json")): + os.remove("/opt/openziti/etc/ebpf_config.json") + if(os.path.exists("/opt/openziti/bin/user/user_rules.sh")): + os.remove("/opt/openziti/bin/user/user_rules.sh") + print("Successfully reverted ziti-router.service!") + else: + print("Failed to revert ziti-router.service!") + else: + print("ziti-router.service already reverted. Nothing to do!") +else: + print("Skipping ziti-router.service reversal. File does not exist!") + +if service: + print("config.yml successfully reverted. restarting ziti-controller.service") + os.system('systemctl restart ziti-controller.service') + if(not os.system('systemctl is-active --quiet ziti-controller.service')): + print("ziti-controller.service successfully restarted") + if(os.path.exists('/opt/netfoundry/ziti/ziti-controller/conf/controller01.config.yml')): + print("Detected Netfoundry controller install!") + if(os.path.exists('/opt/openziti/ziti-controller/controller01.config.yml')): + print("Removing symlink from /opt/openziti/ziti-controller to /opt/netfoundry/ziti/ziti-controller/conf") + os.unlink('/opt/openziti/ziti-controller/conf') + else: + print("No symlink found nothing to do!") + if(os.path.exists('/opt/netfoundry/ziti/ziti-router/config.yml')): + print("Detected Netfoundry install/registration!") + if(os.path.exists('/opt/openziti/ziti-router/config.yml')): + print("Removing symlink from /opt/openziti/ziti-router to /opt/netfoundry/ziti/ziti-router") + os.unlink('/opt/openziti/ziti-router') + else: + print("No symlink found nothing to do!") + else: + print('ziti-router.service unable to start check router logs') +else: + print("ziti-router config 
already not set to use ebpf!") diff --git a/src/install.sh b/src/install.sh index f7a7dad..9fcc834 100755 --- a/src/install.sh +++ b/src/install.sh @@ -82,6 +82,7 @@ then cp zfw_tc_ingress.o /opt/openziti/bin cp zfw_tc_outbound_track.o /opt/openziti/bin cp ../files/scripts/start_ebpf_controller.py /opt/openziti/bin + cp ../files/scripts/revert_ebpf_controller.py /opt/openziti/bin cp ../files/scripts/zfwlogs /etc/logrotate.d cp ../files/scripts/user_rules.sh.sample /opt/openziti/bin/user cp ../files/json/ebpf_config.json.sample /opt/openziti/etc From e0d12a2203cacc96fbd7339b6100539e4043c4b0 Mon Sep 17 00:00:00 2001 From: r-caamano Date: Wed, 27 Mar 2024 20:11:51 +0000 Subject: [PATCH 04/10] edits to revert_ebpf_controller.sh after test --- files/scripts/revert_ebpf_controller.py | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/files/scripts/revert_ebpf_controller.py b/files/scripts/revert_ebpf_controller.py index a3696dd..ce96b41 100755 --- a/files/scripts/revert_ebpf_controller.py +++ b/files/scripts/revert_ebpf_controller.py 
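Review bot: `remove_ufw_rule` deletes by rule number while walking the `ufw status numbered` listing, but `ufw delete N` renumbers every rule after N, so after the first deletion `count` is one ahead of the live numbering and each later match removes the wrong rule, which on a firewall host means dropping an unrelated rule. Collect the matching numbers first and delete them highest-first so earlier numbers stay valid. Separately, `set_tproxy_mode` is defined but never called in this file, and `yaml.load(..., Loader=yaml.FullLoader)` can be `yaml.safe_load` for a plain config file.
```python
def remove_ufw_rule(rule):
    process = subprocess.Popen(['ufw', 'status', 'numbered'], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, err = process.communicate()
    data = out.decode().splitlines()
    # Gather rule numbers first: deleting renumbers the rules that follow.
    matches = []
    count = 1
    for line in data:
        if((line.find(rule) >= 0) and (line.find('ALLOW IN') >= 0)):
            print("removing:", line)
            matches.append(count)
        if(line.startswith('[')):
            count = count + 1
    # Delete highest-first so the remaining numbers are still correct.
    for number in reversed(matches):
        delete(number)
```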
@@ -100,12 +100,12 @@ def iterate_rules(intf): print("Malformed or missing json object in /opt/openziti/etc/ebpf_config.json can't revert ufw!") service = False -if(os.path.exists('/etc/systemd/system/ziti-router.service')): - unconfigured = os.system("grep -r 'ExecStartPre\=\-\/opt/openziti\/bin\/start_ebpf_router.py' /etc/systemd/system/ziti-router.service") +if(os.path.exists('/etc/systemd/system/ziti-controller.service')): + unconfigured = os.system("grep -r 'ExecStartPre\=\-\/opt/openziti\/bin\/start_ebpf_controller.py' /etc/systemd/system/ziti-controller.service") if(not unconfigured): - os.system("sed -i 's/#ExecStartPre\=\-\/opt\/netfoundry\/ebpf\/objects\/etables \-F \-r/ExecStartPre\=-\/opt\/netfoundry\/ebpf\/objects\/etables \-F \-r/g' /etc/systemd/system/ziti-router.service") - os.system("sed -i 's/#ExecStartPre\=\-\/opt\/netfoundry\/ebpf\/scripts\/tproxy_splicer_startup.sh/ExecStartPre\=\-\/opt\/netfoundry\/ebpf\/scripts\/tproxy_splicer_startup.sh/g' /etc/systemd/system/ziti-router.service") - test1 = os.system("sed -i '/ExecStartPre\=\-\/opt\/openziti\/bin\/start_ebpf_router.py/d' /etc/systemd/system/ziti-router.service") + os.system("sed -i 's/#ExecStartPre\=\-\/opt\/netfoundry\/ebpf\/objects\/etables \-F \-r/ExecStartPre\=-\/opt\/netfoundry\/ebpf\/objects\/etables \-F \-r/g' /etc/systemd/system/ziti-controller.service") + os.system("sed -i 's/#ExecStartPre\=\-\/opt\/netfoundry\/ebpf\/scripts\/tproxy_splicer_startup.sh/ExecStartPre\=\-\/opt\/netfoundry\/ebpf\/scripts\/tproxy_splicer_startup.sh/g' /etc/systemd/system/ziti-controller.service") + test1 = os.system("sed -i '/ExecStartPre\=\-\/opt\/openziti\/bin\/start_ebpf_controller.py/d' /etc/systemd/system/ziti-controller.service") if(not test1): test1 = os.system("systemctl daemon-reload") if(not test1): 
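Review bot: The two `sed -i` calls at the top of the hunk re-enable commented `ExecStartPre` entries for `/opt/netfoundry/ebpf/objects/etables` and `tproxy_splicer_startup.sh` in `ziti-controller.service`; they appear to be carried over from the router revert script, and their exit status is discarded while the third `sed` is checked through `test1`. If the controller unit never carries those entries, drop the two lines; otherwise capture their status the same way so a failed edit of the unit file is reported. `grep -r` on a single file also does not need `-r`.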
@@ -115,13 +115,13 @@ def iterate_rules(intf): os.remove("/opt/openziti/etc/ebpf_config.json") if(os.path.exists("/opt/openziti/bin/user/user_rules.sh")): os.remove("/opt/openziti/bin/user/user_rules.sh") - print("Successfully reverted ziti-router.service!") + print("Successfully reverted ziti-controller.service!") else: - print("Failed to revert ziti-router.service!") + print("Failed to revert ziti-controller.service!") else: - print("ziti-router.service already reverted. Nothing to do!") + print("ziti-controller.service already reverted. Nothing to do!") else: - print("Skipping ziti-router.service reversal. File does not exist!") + print("Skipping ziti-controller.service reversal. File does not exist!") if service: print("config.yml successfully reverted. restarting ziti-controller.service") @@ -132,7 +132,7 @@ def iterate_rules(intf): print("Detected Netfoundry controller install!") if(os.path.exists('/opt/openziti/ziti-controller/controller01.config.yml')): print("Removing symlink from /opt/openziti/ziti-controller to /opt/netfoundry/ziti/ziti-controller/conf") - os.unlink('/opt/openziti/ziti-controller/conf') + os.unlink('/opt/openziti/ziti-controller') else: print("No symlink found nothing to do!") if(os.path.exists('/opt/netfoundry/ziti/ziti-router/config.yml')): From eacd170bf23e34a2dba18609fc047b4a315a3c71 Mon Sep 17 00:00:00 2001 From: r-caamano Date: Thu, 28 Mar 2024 20:07:37 +0000 Subject: [PATCH 05/10] Modified workflows to add controller scripts to router package, added fw-init.service to make install.sh router option --- .github/workflows/ci.yml | 8 ++++++++ .github/workflows/release.yml | 13 +++++++++++-- CHANGELOG.md | 5 ++++- src/install.sh | 2 +- 4 files changed, 24 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1d0f541..ea119df 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
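Review bot: In the last hunk `os.unlink('/opt/openziti/ziti-controller')` is guarded only by `os.path.exists('/opt/openziti/ziti-controller/controller01.config.yml')`, which is equally true when that path is a real directory rather than a symlink; on a directory `os.unlink` raises and the script aborts after the service has already been restarted. Guard the unlink with `if os.path.islink('/opt/openziti/ziti-controller'):`, which also makes the `"No symlink found nothing to do!"` branch accurate. The parallel `/opt/openziti/ziti-router` unlink that follows, outside the hunk, has the same shape.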
@@ -89,7 +89,11 @@ jobs: run: | cp -p files/services/fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ cp -p files/scripts/revert_ebpf_router.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/scripts/start_ebpf_controller.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/scripts/revert_ebpf_controller.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/revert_ebpf_router.py + chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_controller.py + chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/revert_ebpf_controller.py - name: Build Deb package run: | @@ -181,7 +185,11 @@ jobs: run: | cp -p files/services/fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ cp -p files/scripts/revert_ebpf_router.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/scripts/start_ebpf_controller.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/scripts/revert_ebpf_controller.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/revert_ebpf_router.py + chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_controller.py + chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/revert_ebpf_controller.py - name: Build Deb package run: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e300cde..2a12f66 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -85,12 +85,17 @@ jobs: cp -p files/bin/zfw_tunnwrapper ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_tunnwrapper - - name: Standalone FW service and router revert + - name: Standalone FW service, controller and router revert if: ${{ matrix.ziti_type == 'router' }} run: | cp -p files/services/fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ cp -p files/scripts/revert_ebpf_router.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/scripts/start_ebpf_controller.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/scripts/revert_ebpf_controller.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/revert_ebpf_router.py + chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_controller.py + chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/revert_ebpf_controller.py + - name: Build Deb package run: | 
@@ -177,12 +182,16 @@ jobs: cp -p files/bin/zfw_tunnwrapper ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_tunnwrapper - - name: Standalone FW service and router revert + - name: Standalone FW service, controller and router revert if: ${{ matrix.ziti_type == 'router' }} run: | cp -p files/services/fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ cp -p files/scripts/revert_ebpf_router.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/scripts/start_ebpf_controller.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/scripts/revert_ebpf_controller.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/revert_ebpf_router.py + chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_controller.py + chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/revert_ebpf_controller.py - name: Build Deb package run: | diff --git a/CHANGELOG.md b/CHANGELOG.md index 7e50e40..eca13a4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,7 +3,7 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). --- -# [0.5.13] - 2024-03-16 +# [0.5.13] - 2024-03-28 ### @@ -12,6 +12,9 @@ All notable changes to this project will be documented in this file. The format - Added optional logging systemd service with log rotation support - Updated make install.sh for controller install and logging service files - Removed -p from cp commands in make install.sh so files are installed as owned by root user +- Added fw-init-router.service for standalone firewall deployment in make install.sh +- Updated workflows to add new / updated files + # [0.5.12] - 2024-03-14 ### 
diff --git a/src/install.sh b/src/install.sh index 9fcc834..21cbcb9 100755 --- a/src/install.sh +++ b/src/install.sh @@ -52,7 +52,7 @@ then cp ../files/scripts/user_rules.sh.sample /opt/openziti/bin/user cp ../files/json/ebpf_config.json.sample /opt/openziti/etc cp ../files/services/ziti-wrapper.service /etc/systemd/system - cp ../files/services/ziti-fw-init.service /etc/systemd/system + cp ../files/services/fw-init.service /etc/systemd/system cp ../files/services/zfw-logging.service /etc/systemd/system chmod 744 /opt/openziti/bin/start_ebpf_tunnel.py chmod 744 /opt/openziti/bin/set_xdp_redirect.py From 904189d278697c041a86988f309239ca1c5a2901 Mon Sep 17 00:00:00 2001 From: r-caamano Date: Thu, 28 Mar 2024 20:25:48 +0000 Subject: [PATCH 06/10] Fixed install.sh fw-init.service entry --- src/install.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/install.sh b/src/install.sh index 21cbcb9..b07f5d5 100755 --- a/src/install.sh +++ b/src/install.sh @@ -25,6 +25,7 @@ then cp ../files/scripts/user_rules.sh.sample /opt/openziti/bin/user cp ../files/json/ebpf_config.json.sample /opt/openziti/etc cp ../files/services/zfw-logging.service /etc/systemd/system + cp ../files/services/fw-init.service /etc/systemd/system chmod 744 /opt/openziti/bin/start_ebpf_router.py chmod 744 /opt/openziti/bin/revert_ebpf_router.py chmod 744 /opt/openziti/bin/user/user_rules.sh.sample @@ -52,7 +53,7 @@ then cp ../files/scripts/user_rules.sh.sample /opt/openziti/bin/user cp ../files/json/ebpf_config.json.sample /opt/openziti/etc cp ../files/services/ziti-wrapper.service /etc/systemd/system - cp ../files/services/fw-init.service /etc/systemd/system + cp ../files/services/ziti-fw-init.service /etc/systemd/system cp ../files/services/zfw-logging.service /etc/systemd/system chmod 744 /opt/openziti/bin/start_ebpf_tunnel.py chmod 744 /opt/openziti/bin/set_xdp_redirect.py From 6bc1e7edf207f30b99f7ad7dfba1cf7ebf17e3ec Mon Sep 17 00:00:00 2001 
From: r-caamano Date: Mon, 1 Apr 2024 14:30:00 +0000 Subject: [PATCH 07/10] Removed set_xdp_redirect.py from the base deb package and now will only deploy with the zfw-tunnel package --- .github/workflows/ci.yml | 8 ++++---- .github/workflows/release.yml | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ea119df..967cdfd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -64,13 +64,11 @@ jobs: cp -p files/bin/zfw_tc_outbound_track.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/scripts/start_ebpf_${{ matrix.ziti_type }}.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ - cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/scripts/user_rules.sh.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/ cp -p files/scripts/zfwlogs ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d/ cp -p files/json/ebpf_config.json.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc/ cp -p files/services/zfw-logging.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw - chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/user_rules.sh.sample ln -s /opt/openziti/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw 
@@ -82,7 +80,9 @@ jobs: cp -p files/services/ziti-fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ cp -p files/services/ziti-wrapper.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ cp -p files/bin/zfw_tunnwrapper ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_tunnwrapper + chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py - name: Standalone FW service and router revert if: ${{ matrix.ziti_type == 'router' }} @@ -160,13 +160,11 @@ jobs: cp -p files/bin/zfw_tc_outbound_track.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/scripts/start_ebpf_${{ matrix.ziti_type }}.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ - cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/scripts/user_rules.sh.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/ cp -p files/scripts/zfwlogs ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d/ cp -p files/json/ebpf_config.json.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc/ cp -p files/services/zfw-logging.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw - chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/user_rules.sh.sample ln -s /opt/openziti/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw 
@@ -178,7 +176,9 @@ jobs: cp -p files/services/ziti-fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ cp -p files/services/ziti-wrapper.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ cp -p files/bin/zfw_tunnwrapper ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_tunnwrapper + chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py - name: Standalone FW service and router revert if: ${{ matrix.ziti_type == 'router' }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2a12f66..4cfb5a7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -65,13 +65,11 @@ jobs: cp -p files/bin/zfw_tc_outbound_track.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/scripts/start_ebpf_${{ matrix.ziti_type }}.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ - cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/scripts/user_rules.sh.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/ cp -p files/scripts/zfwlogs ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d/ cp -p files/json/ebpf_config.json.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc/ cp -p files/services/zfw-logging.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw - chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/user_rules.sh.sample ln -s /opt/openziti/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw @@ -83,7 +81,9 @@ jobs: cp -p files/services/ziti-fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ cp -p files/services/ziti-wrapper.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ cp -p files/bin/zfw_tunnwrapper ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_tunnwrapper + chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py - name: Standalone FW service, controller and router revert if: ${{ matrix.ziti_type == 'router' }} 
@@ -162,13 +162,11 @@ jobs: cp -p files/bin/zfw_tc_outbound_track.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/scripts/start_ebpf_${{ matrix.ziti_type }}.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ - cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/scripts/user_rules.sh.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/ cp -p files/scripts/zfwlogs ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d/ cp -p files/json/ebpf_config.json.sample ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/etc/ cp -p files/services/zfw-logging.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw - chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/user_rules.sh.sample ln -s /opt/openziti/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw @@ -180,7 +178,9 @@ jobs: cp -p files/services/ziti-fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ cp -p files/services/ziti-wrapper.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ cp -p files/bin/zfw_tunnwrapper ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_tunnwrapper + chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py - name: Standalone FW service, controller and router revert if: ${{ matrix.ziti_type == 'router' }} From 8b277ca068a382bf0d3710769b72f76187bd72e4 Mon Sep 17 00:00:00 2001 
From: r-caamano Date: Mon, 1 Apr 2024 16:05:00 +0000 Subject: [PATCH 08/10] Removed zfw_xdp_tun_ingress.o from the base deb package and now will only deploy with the zfw-tunnel package --- .github/workflows/ci.yml | 4 ++-- .github/workflows/release.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 967cdfd..21ed948 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -59,7 +59,6 @@ jobs: mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d - cp -p files/bin/zfw_xdp_tun_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/bin/zfw_tc_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/bin/zfw_tc_outbound_track.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ @@ -81,6 +80,7 @@ jobs: cp -p files/services/ziti-wrapper.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ cp -p files/bin/zfw_tunnwrapper ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/bin/zfw_xdp_tun_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_tunnwrapper chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py 
@@ -155,7 +155,6 @@ jobs: mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d - cp -p files/bin/zfw_xdp_tun_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/bin/zfw_tc_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/bin/zfw_tc_outbound_track.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ @@ -177,6 +176,7 @@ jobs: cp -p files/services/ziti-wrapper.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ cp -p files/bin/zfw_tunnwrapper ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/bin/zfw_xdp_tun_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_tunnwrapper chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4cfb5a7..56fc63d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -60,7 +60,6 @@ jobs: mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d - cp -p files/bin/zfw_xdp_tun_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/bin/zfw_tc_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/bin/zfw_tc_outbound_track.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ 
@@ -82,6 +81,7 @@ jobs: cp -p files/services/ziti-wrapper.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ cp -p files/bin/zfw_tunnwrapper ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/bin/zfw_xdp_tun_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_tunnwrapper chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py @@ -157,7 +157,6 @@ jobs: mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin mkdir -p ${{ steps.deb_dir.outputs.deb_dir }}/etc/logrotate.d - cp -p files/bin/zfw_xdp_tun_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/bin/zfw_tc_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/bin/zfw_tc_outbound_track.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ @@ -179,6 +178,7 @@ jobs: cp -p files/services/ziti-wrapper.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/ cp -p files/bin/zfw_tunnwrapper ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ cp -p files/scripts/set_xdp_redirect.py ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ + cp -p files/bin/zfw_xdp_tun_ingress.o ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/ chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/zfw_tunnwrapper chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/set_xdp_redirect.py From e0a9d8b2fa6a8ee676527f0acb2b1f58e159ad34 Mon Sep 17 00:00:00 2001 From: r-caamano Date: Mon, 1 Apr 2024 18:43:18 +0000 Subject: [PATCH 09/10] Fixed typo in CHANGELOG --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index eca13a4..e0bb617 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,7 +7,7 @@ All notable changes to this project will be documented in this file. The format ### -- Changed ddos_protect_map to typr BPF_MAP_TYPE_LRU_HASH to allow cycling of entries +- Changed ddos_protect_map to type BPF_MAP_TYPE_LRU_HASH to allow cycling of entries - Added controller startup script - Added optional logging systemd service with log rotation support - Updated make install.sh for controller install and logging service files From b91c69c7f1b775d97afdac7b00b413d3e024ed8a Mon Sep 17 00:00:00 2001 From: r-caamano Date: Tue, 2 Apr 2024 00:47:12 +0000 Subject: [PATCH 10/10] Added salt api port discovery in start_ebpf_controller.py --- files/scripts/start_ebpf_controller.py | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/files/scripts/start_ebpf_controller.py b/files/scripts/start_ebpf_controller.py index 2369866..01282b7 100755 --- a/files/scripts/start_ebpf_controller.py +++ b/files/scripts/start_ebpf_controller.py @@ -137,6 +137,24 @@ def add_controller_web_listener_rules(lan_ip, lan_mask): except Exception as e: print(e) +def add_controller_salt_api_listener_rules(lan_ip, lan_mask): + if(os.path.exists('/etc/salt/master.d/nf_master.conf')): + try: + with open('/etc/salt/master.d/nf_master.conf') as config_file: + config = yaml.load(config_file, Loader=yaml.FullLoader) + if(config): + if('rest_cherrypy' in config.keys()): + if('port' in config['rest_cherrypy'].keys()): + try: + port = config['rest_cherrypy']['port'] + if(port > 0): + os.system('/opt/openziti/bin/zfw -I -c ' + lan_ip + ' -m ' + lan_mask + ' -l ' + str(port) + ' -h ' + str(port) + ' -t 0 -p tcp') + except Exception as e: + print(e) + pass + except Exception as e: + print(e) + def add_controller_port_forwarding_rule(lan_ip, lan_mask): test = os.system("grep -rnw \'A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 443\' /etc/ufw/before.rules") 
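Review bot: The `zfw -I ...` command in `add_controller_salt_api_listener_rules` is built by string concatenation and run through `os.system`, so `lan_ip`, `lan_mask` and the YAML `port` value are interpolated into a shell line; only the `port > 0` comparison incidentally rejects a non-integer value (a `str` raises `TypeError` and lands in the inner `except`, which then prints and continues silently). Check the type explicitly and pass an argument list, e.g. `if isinstance(port, int) and port > 0:` followed by `subprocess.run(['/opt/openziti/bin/zfw', '-I', '-c', lan_ip, '-m', lan_mask, '-l', str(port), '-h', str(port), '-t', '0', '-p', 'tcp'])` (adding `import subprocess` if the file lacks it). `yaml.safe_load` is sufficient for this config file and avoids `FullLoader`, and the inner `print(e); pass` should say which file and key were rejected. `add_controller_port_forwarding_rule` starts in the hunk and continues below it.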
@@ -234,6 +252,7 @@ def set_local_rules(ip):
 add_controller_edge_listener_rules(lan_ip, lan_mask)
 add_controller_web_listener_rules(lan_ip, lan_mask)
 add_controller_port_forwarding_rule(lan_ip, lan_mask)
+ add_controller_salt_api_listener_rules(lan_ip, lan_mask)
 if router:
 add_link_listener_rules(lan_ip, lan_mask)