Closed Xulua1499 closed 4 years ago
Hey @Xulua1499, this should be resolved in the latest commit here. I compiled it from scratch on one of my Ubuntu 18.04 VMs and it ran without any issues. I apologize for that. I missed updating the payload matching length when setting the config defaults.
I hope this project works for you :) I'm planning to implement payload matching in the near future. Sadly, it's very difficult to match packet data with XDP + BPF at the moment. Afterwards, I plan to make a web back-end where you can specify filtering rules and have them deployed to multiple servers running the program (would be very helpful in an Anycast setup for example).
Thanks!
Thanks for the quick response! That seems to have sorted that problem.
Now when running, I'm running into the following error:
root@hgr:~/xdpfilter/XDP-Firewall# ./xdpfw -c /etc/xdpfw/xdpfw.conf
libbpf: load bpf program failed: Invalid argument
libbpf: -- BEGIN DUMP LOG ---
libbpf:
back-edge from insn 113 to 100
libbpf: -- END LOG --
libbpf: failed to load program 'xdp_prog'
libbpf: failed to load object '/etc/xdpfw/xdpfw_kern.o'
Error loading XDP program. File => /etc/xdpfw/xdpfw_kern.o. Error => Unknown error 4007. Error Num => -4007
Error loading eBPF object file. File name => /etc/xdpfw/xdpfw_kern.o.
I'm going to boot up a virtual server and see if I can get it working on there. This main machine is running Ubuntu 18.04.4, so unsure what's going on here.
Cheers
Interesting. Are you using the default config file? Would you also be able to execute make clean and afterwards execute make, and provide me the outputs of this?
Also, what kernel are you running on? You can provide the output from uname -r. If you're running an older kernel, there's a chance BPF doesn't support for/while loops within it, which are needed. I'm running kernel 5.6.2-050602-generic on the VM I tested this on.
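The verifier message above ("back-edge from insn 113 to 100") is the pre-5.3 BPF verifier refusing any loop whose body jumps backwards; 5.3 added support for bounded loops. The usual way to run loop-style payload matching on an older kernel is to give the loop a compile-time bound and let clang fully unroll it, so the emitted object has no back-edge at all. The function below is an added example written for this thread, not code from XDP-Firewall, and it assumes a pattern limit of 32 bytes (the project's own limit is not stated here). It is plain C so it can be compiled and exercised in userspace; the same body, with bpf_helpers included, is the shape an XDP program needs. Note the range check on `len` before the loop: a length left uninitialised by a userspace config loader (the cause of the earlier segfault) then cannot drive an out-of-bounds walk.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed compile-time upper bound on a payload match pattern. */
#define MAX_PAYLOAD_MATCH 32

/*
 * Compare up to `len` pattern bytes against the packet bytes starting at
 * `payload`, never reading at or past `data_end`.
 * Returns 1 on a full match; 0 on mismatch, truncated packet, or bad `len`.
 *
 * Written the way it has to be inside an XDP program:
 *  - the loop bound is a constant, so clang fully unrolls it under
 *    `#pragma unroll` and the object contains no back-edge, which is what a
 *    pre-5.3 verifier rejects. Kernels >= 5.3 accept the bounded loop as is.
 *  - every packet byte read is preceded by a check against data_end, which
 *    the verifier requires on every kernel version.
 *  - `len` is range-checked first, so garbage from an uninitialised config
 *    field is rejected rather than used as a loop bound.
 */
static __attribute__((always_inline)) inline int
payload_matches(const uint8_t *payload, const uint8_t *data_end,
                const uint8_t *pattern, uint16_t len)
{
    if (len == 0 || len > MAX_PAYLOAD_MATCH)
        return 0;

#ifdef __clang__
#pragma unroll
#endif
    for (int i = 0; i < MAX_PAYLOAD_MATCH; i++) {
        if (i >= len)
            break;
        /* XDP-style bounds check: byte i must lie inside the packet. */
        if (payload + i + 1 > data_end)
            return 0;
        if (payload[i] != pattern[i])
            return 0;
    }
    return 1;
}

/* Wrapper over a plain buffer, for exercising the check in userspace. */
static inline int buffer_matches(const uint8_t *buf, size_t buflen,
                                 const uint8_t *pattern, uint16_t len)
{
    return payload_matches(buf, buf + buflen, pattern, len);
}

/* Constructed sample input (not captured traffic): an HTTP request line
 * checked against a 4-byte "GET " pattern. */
static const uint8_t sample_http[]    = "GET / HTTP/1.1\r\n";
static const uint8_t sample_pattern[] = "GET ";

static inline int sample_match(void)
{
    return buffer_matches(sample_http, sizeof(sample_http) - 1,
                          sample_pattern, 4);
}
```

When compiled for the bpf target with clang, `llvm-objdump -d` on the object should show straight-line code for the match; if a `ja` back to an earlier instruction remains, the loop was not unrolled and a 4.x verifier will reject it exactly as in the log above.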
Looks like I'm on an older kernel, VM is on 4.15.0-96-generic (which also fails) then my main machine is 4.15.0-88-generic
I believe that is the issue. I don't think for/while loops are supported in that kernel. I'll spin up a VM real quick running that kernel to confirm.
Also, the config files and directories that are created by the program don't actually get created by the looks (they did before the original issue)
When building the project via make? I haven't experienced that issue and also haven't made any changes to the Makefile.
Probably doing something wrong, I'll take a look at that after upgrading my kernel
Working on my VM now after a kernel upgrade, so will do the same on my main machine
I can confirm I receive the same error on kernel 4.15.0-96-generic and 4.18.0-13-generic. After installing the latest mainline kernel (5.6.14-050614-generic), it started working. I use the following commands to install the latest mainline kernel if interested:
wget https://raw.githubusercontent.com/pimlie/ubuntu-mainline-kernel.sh/master/ubuntu-mainline-kernel.sh
sudo install ubuntu-mainline-kernel.sh /usr/local/bin/
ubuntu-mainline-kernel.sh -i
I'm glad it's working! When you have the time, can you try reproducing the other issue regarding the config file and directory not being created when using make? I haven't been able to reproduce this yet.
The make issue was my fault, I had edited it earlier whilst doing another clone and it didn't get overwritten, my bad.
Seems to be running now :)
root@hgr:~/xdpfilter/XDP-Firewall# ./xdpfw
libbpf: Kernel error message: underlying driver does not support XDP in native mode
XDP-Native may not be supported with this NIC. Using SKB instead.
Packets Allowed: 0 | Packets Blocked: 0
Going to look at getting a Smart-NIC and offloading it onto there, allowing a theoretical 10Gbps filtering
Thanks for your help by the way and the quick responses!
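The loader above silently fell back from native (driver) XDP to SKB/generic mode, which keeps the program working but gives up most of the performance benefit. A quick way to confirm which mode is actually attached is to read the flag iproute2 prints in `ip link` output: `xdp` for native, `xdpgeneric` for SKB mode, `xdpoffload` for hardware offload (the SmartNIC case mentioned above), `xdpmulti` for more than one. The script below is an added example for this thread, not part of XDP-Firewall; the `ip` output it parses is constructed to match that format and is not real output from this issue.

```shell
#!/bin/sh
# Classify the XDP attach mode of an interface from `ip -d link show` output.

xdp_mode_of_text() {
    # $1: text of `ip -d link show dev <ifname>`; prints one word.
    # The mode flag sits between "mtu N" and "qdisc"; "prog/xdp id ..." on a
    # later line is not a standalone " xdp " token, so it does not match here.
    case " $(printf '%s' "$1" | tr '\n' ' ') " in
        *" xdpoffload "*) echo offload ;;
        *" xdpgeneric "*) echo generic ;;
        *" xdpmulti "*)   echo multi ;;
        *" xdp "*)        echo native ;;
        *)                echo none ;;
    esac
}

xdp_mode_of_dev() {
    # $1: interface name. Needs iproute2; reading link state does not need root.
    xdp_mode_of_text "$(ip -d link show dev "$1" 2>/dev/null)"
}

# Constructed sample: what `ip -d link show dev eth0` looks like after the
# loader fell back to SKB mode (hypothetical MACs, ids and tags).
SAMPLE_GENERIC='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 xdpgeneric qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff promiscuity 0
    prog/xdp id 23 tag 3b185187f1855c4c jited'

# Constructed sample: the same program attached in native mode on a NIC whose
# driver supports it.
SAMPLE_NATIVE='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 xdp qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:ab:cd:ef brd ff:ff:ff:ff:ff:ff promiscuity 0
    prog/xdp id 24 tag 3b185187f1855c4c jited'

# Usage on a live box:  xdp_mode_of_dev eth0
```

If this prints `generic` on a machine that should be doing native XDP, check the NIC driver rather than the firewall: the "underlying driver does not support XDP in native mode" message comes from the kernel, and only a driver with XDP support (or an offload-capable SmartNIC) will change it.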
Understood and I'm glad it's running without any issues!
That also sounds good regarding the Smart-NIC. Please let me know how it goes! I plan to build a couple home servers here with NICs supporting up to 40 Gbps and XDP-native. I plan to do pen-testing with them using this firewall to drop packets.
No problem as well! If you need anything else, please let me know! I will go ahead and close this issue for now.
https://github.com/gamemann/XDP-Firewall/blob/57da5c8bdb5dcd4e99eac2c532b20a4a2107b94e/src/xdpfw_loader.c#L300
Compiling went fine etc., however attempting to run this after building will segmentation fault at the line specified, which I gather is caused by
struct config_map *conf = malloc(sizeof(struct config_map));
Any ideas on the cause? This is an awesome project so far; we are currently very limited with iptables filters in terms of speed and complexity.