Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

V0.8.3 release candidate #56

Merged
merged 22 commits into from
Jul 10, 2024
Merged

V0.8.3 release candidate #56

merged 22 commits into from
Jul 10, 2024

Conversation

r-caamano
Copy link
Member

This pr was mainly created to introduce single interface ingress/egress filtering. While ingress filtering has always been supported, egress filtering has not. Prior to this PR if you wanted to filter outbound traffic it required two interfaces and only subtending client traffic could be filtered the WAN. This PR allows stateful filtering of both host and subtending client traffic with EBPF enabled only on the WAN facing interface.

@r-caamano
Initial foundation for egress filtering
e330335
@r-caamano
Added initial support for displaying egress filters
85db973
@r-caamano
completed preliminary kernel infrastructure for outbound tracking. St…
8e93276 
…ill need to add outbound icmp and rule matching
@r-caamano
Created an additonal ingress bpf program to reduce the instruction se…
5568892 
…t in bpf_sk_splice5 which was limiting the number of allowed key matches to 1
@r-caamano
added tcp ingress tracking logic to bpf_sk_splice6
4f66e5a
@r-caamano
completed initial outbound filter tcp tracking framework
0168415
@r-caamano
added icmp / vrrp outbound clauses and restricted all other non defin…
7a806b5 
…ed protocols
@r-caamano
Modified icmpv6 filter
ca53e7c
@r-caamano
Initial fully functional outbound filtering commit for ipv4/ipv6
e6f512e
@r-caamano
Updated README set example config for outbound filtering with "PerInt…
cd75e1b 
…erfaceRules": false to match the non interface specific rules used in the example /opt/openziti/bin/user/user_rules.sh
@r-caamano
Fixed issue in icmpv6 in zfw_tc_outbound_track.c
acecfee
@r-caamano
Refactored conditional in zfw_tc_ingress.c and fixed conditional in z…
a64c5b6 
…fw_tc_outbound_track.c that was preventing ipv6 support on loopback when appplied.
@r-caamano
zfw_tunnel_wrapper.c hardening
3bfc605
@r-caamano
Added conditional blocking -L, --list and -F, --flush combination call
42c89ea
@r-caamano
Added usage for egress maps not found and updated README
a9cd9c5
@r-caamano
Added path to tcp_ingress_map in zfw.c so that it is cleared when iss…
2c31e48 
…uing sudo zfw -Q
@r-caamano
Fixed incorrect egress_usage conditional
7e7d5e0
@r-caamano r-caamano requested a review from jlin-nf July 9, 2024 00:00
@r-caamano r-caamano merged commit 350de25 into main Jul 10, 2024
4 checks passed
@r-caamano r-caamano deleted the v0.8.3-release-candidate branch August 8, 2024 13:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jlin-nf jlin-nf jlin-nf approved these changes

Assignees

@jlin-nf jlin-nf

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@r-caamano @jlin-nf