Segmentation Fault

[Xulua1499]

https://github.com/gamemann/XDP-Firewall/blob/57da5c8bdb5dcd4e99eac2c532b20a4a2107b94e/src/xdpfw_loader.c#L300

Compiling went fine etc, however attempting to run this after building will segmentation fault at the line specified which I gather is caused by struct config_map *conf = malloc(sizeof(struct config_map));

Any ideas on the cause? This is an awesome project so far, we are currently very limited with IPTable filters in terms of speed and complexity

[gamemann]

Hey @Xulua1499, this should be resolved in the latest commit here. I compiled it from scratch on one of my Ubuntu 18.04 VMs and it ran without any issues. I apologize for that. I missed updating the payload matching length when setting the config defaults.

I hope this project works for you :) I'm planning to implement payload matching in the near future. Sadly, it's very difficult to match packet data with XDP + BPF at the moment. Afterwards, I plan to make a web back-end where you can specify filtering rules and have them deployed to multiple servers running the program (would be very helpful in an Anycast setup for example).

Thanks!

[Xulua1499]

Thanks for the quick response! That seems to have sorted that problem.

Now when running, I'm running into the following error:

root@hgr:~/xdpfilter/XDP-Firewall# ./xdpfw -c /etc/xdpfw/xdpfw.conf
libbpf: load bpf program failed: Invalid argument
libbpf: -- BEGIN DUMP LOG ---
libbpf:
back-edge from insn 113 to 100

libbpf: -- END LOG --
libbpf: failed to load program 'xdp_prog'
libbpf: failed to load object '/etc/xdpfw/xdpfw_kern.o'
Error loading XDP program. File => /etc/xdpfw/xdpfw_kern.o. Error => Unknown error 4007. Error Num => -4007
Error loading eBPF object file. File name => /etc/xdpfw/xdpfw_kern.o.

I'm going to boot up a virtual server and see if I can get it working on there. This main machine is running Ubuntu 18.04.4 so unsure what's going on here

Cheers

[gamemann]

Interesting. Are you using the default config file? Would you also be able to execute make clean and afterwards, execute make and provide me the outputs of this?

[gamemann]

Also, what kernel are you running on? You can provide the outputs from uname -r. If you're running an older kernel, there's a chance BPF doesn't support for/while loops within it which is needed. I'm running kernel 5.6.2-050602-generic on the VM I tested this on.

[Xulua1499]

Looks like I'm on an older kernel, VM is on 4.15.0-96-generic (which also fails) then my main machine is 4.15.0-88-generic

[gamemann]

I believe that is the issue. I don't think for/while loops are supported in that kernel. I'll spin up a VM real quick running that kernel to confirm.

[Xulua1499]

Also, the config files and directories that are created by the program don't actually get created by the looks (they did before the original issue)

[gamemann]

When building the project via make? I haven't experienced that issue and also haven't made any changes to the Makefile.

[Xulua1499]

Probably doing something wrong, I'll take a look at that after upgrading my kernel

[Xulua1499]

Working on my VM now after a kernel upgrade, so will do the same on my main machine

[gamemann]

I can confirm I receive the same error on kernel 4.15.0-96-generic and 4.18.0-13-generic. After installing the latest mainline kernel (5.6.14-050614-generic), it started working. I use the following commands to install the latest mainline kernel if interested:

wget https://raw.githubusercontent.com/pimlie/ubuntu-mainline-kernel.sh/master/ubuntu-mainline-kernel.sh
sudo install ubuntu-mainline-kernel.sh /usr/local/bin/
ubuntu-mainline-kernel.sh -i

[gamemann]

I'm glad it's working! When you have the time, can you try reproducing the other issue regarding the config file and directory not being created when using make? I haven't been able to reproduce this yet.

[Xulua1499]

The make issue was my fault, I had edited it earlier whilst doing another clone and it didn't get overwritten, my bad.

Seems to be running now :)

root@hgr:~/xdpfilter/XDP-Firewall# ./xdpfw
libbpf: Kernel error message: underlying driver does not support XDP in native mode
XDP-Native may not be supported with this NIC. Using SKB instead.
Packets Allowed: 0 | Packets Blocked: 0

Going to look at getting a Smart-NIC and offloading it onto there, allowing a theoretical 10Gbps filtering

Thanks for your help by the way and the quick responses!

[gamemann]

Understood and I'm glad it's running without any issues!

That also sounds good regarding the Smart-NIC. Please let me know how it goes! I plan to build a couple home servers here with NICs supporting up to 40 gbps and XDP-native. I plan to do pen-testing with them using this firewall to drop packets.

No problem as well! If you need anything else, please let me know! I will go ahead and close this issue for now.