All notable changes to this project will be documented in this file. The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Added ip protocol to matched map key and fixed typo in comment
- Fixed a possible issue where in high performance compute environments there could be more than one packet being processed by the TC filters there could be a mismatched rule where if a new packet matches a rule it could cause other packets in flight to be processed by the same rule.
- Fixed an issue where if tc filter is applied to the loopback interface traffic is dropped if it does not match a filter. The correct action is to pass all traffic to the loopback unless there is a rule explicitly redirecting the traffic to either a tproxy port or ziti(tun) interface.
-- Modified the "zfw -F" system call in start_ebpf_py.py to "zfw -F -r" to ensure that any ziti created loopback routes are also
cleared when restarting ziti-router.
-- Removed deprecated sed entries in start_ebpf_router.py that are no longer required
-- Fixed inaccurate string parse check in start_ebpf_router.py set_local_rules()
-- Fixed issue in outbound tracking for passthrough tcp connections where packets with rst set from server were only accepted if connection was already in established state. Changed to allow rst during tcp handshake which occurs when server refuses a connection.
-- Changed ICMP Unreachable logging to default level -- Added -L, --write-log option to -M, --monitor output to a specified log file -- Removed redundant check on ifname in process_events -- Refactored ring_buffer to report only errors and ICMP Unreachables by default and require verbose for all valid traffic monitoring. -- Added new error code ICMP_INNER_IP_HEADER_TOO_BIG -- Code consolidation in zfw_tc_ingress.c
-- Added support for stateful stateful icmp unreachable inbound support in order to support pmtud and unreachable metric collection. -- Fixed added ring_buffer__free() to INThandler in zfw.c to properly de-allocate memory allocated by ring_buffer__new in main() if -M argument was supplied and SIGINT or SIGTERM is received.
- Fixed issue causing valgrind memory error due to non-initialized struct in add_if_index() in zfw.c.
- Changed ifindex_ip_map to a hashmap and added code to prune stale keys due to index changes for dynamic interfaces.
- cleanup removed redefinitions of global count_map_path in multiple functions
- Fixed outbound tracking broken due to missed addition of eapol to diag_map values.
- Added make to pre-compile binary package installs listed in BUILD.md
- Changed bind service lookup from dumpfile to event channel. 0.5.0 will only work with ZET 0.22.4 or above
- Added passthrough support for eapol (802.1X) frames
- Fixed potential race condition if upstream DHCP server is not functioning when FW inits ebpf. Changed address family match to ethernet when applying TC Filters/Diag settings.
- Fixed ring buffer events for tunnel interface not sending correct source/destination ports. Also changed default xdp RB events to only send if verbose mode is enabled for the tun/ziti interface.
-
Added Makefile and install.sh in src folder to allow build via make.
-
Fixed issue where start_ebpf_router.py was not
properly updating the ziti-router.service file.
-- Refactored monitoring to use ring buffer and removed all bpf_printk() helper calls -- Added ring buffer monitoring to zfw via -M, --monitor <interface | all> flags -- General Code cleanup in zfw.c
- Added support for secondary ip addresses with the auto ssh inbound support function on the incoming interface. Number of total addresses if defined in by MACRO MAX_ADDRESSES. In package deployments this will be set to 10.
- Added support for inbound vrrp on a per port basis.
- Added support for upcoming ziti-edge-tunnel interface name change from tunX to zitiX.
- Added checks to catch exceptions in config.yml
- Refactored start_ebpf_router.py and revert_ebpf_router.py to read / update config.yml using pyyaml python module.
- Fixed missing terminating bold in README.md.
- Refactored start_ebpf_router.py to suppress some output messages.
- Fixed CHANGELOG Duplicate 0.3.5 entry and set to 0.3.6
- Added check to make sure each ebpf program loads into tc filter before proceeding and if failure occurs exit(1) and print the filter# where the failure ocurred.
- Removed unknown import shutil from start_ebpf_router.py
- Refactored auto-load of ziti-router config.yml port rules to dynamically enter rules when ziti-router.service is restarted or the start_ebpf_router.py is executed. Also refactored deb packages to install all scripts, zfw and zfw_tunnwrapper as only root executable.
- Changed zfw-router auto ziti-router config.yml port/rule insertion to limit destination IP to config.yml lanIf
- Fixed bug in start_ebpf_router.py where lan IP mask was set to /24 instead of /32
- Refactored to start_ebpf_router.py to add ziti-router listen ports as passthrough zfw rules on in /user/openziti/bin/user/user_rules.sh for both CloudZiti and OpenZiti deployed ziti-routers.
- Refactored start_ebpf_router.py and revert_ebpf_router.py scripts ziti-router.service auto-edits to key on only the router service for entry for both start and revert respectfully.
- initial integration of ziti-router. Changed package name for ziti-tunnel to zfw-tunnel. Added new package zfw-router. Previous installs with zfw package should remove package first then install new package i.e. sudo dpkg -P zfw && sudo dpkg -i zfw-tunnel__.deb
- Refactored zfw.c to include <linux/if.h> vs <net/if.h> for consistency.
- Refactored zfw_tc_ingress.c and zfw_tc_ingress.c added final seq/ack tracking to more accurately determine tcp session termination.
- Updated README with link to build openziti network and install ziti-edge-tunnel
- Fixed fd leak in zfw.c get_index()
- Interface function refactor / clean
- Fixed missing verbose check for bpf_printk statement in action/5.
- Fixed logic in action/5 for tproxy based forwarding decision (Needed for ziti-router integration).
- Minor README formatting change.
- Changed in operation of transparency route unbinding. In order to allow internal tunneler connections over ziti the default operation has been set to not delete any tunX link routes. This will disable the ability to support transparency on some architectures. There is now an environmental variable TRANSPARENT_MODE='true' that can be set in the /opt/openziti/etc/ziti-edge-tunnel.env file to enable deletion of tun routes if bi-directional transparency is required at the expense of disabling internal tunneler interception.
- Changed ebpf program chaining method from tail calls to tc filter chaining. This change should allow for installation on newer linux releases that do not support legacy ELF maps.
- Fixed issue where if the loopback was set to disable ssh via zfw -x, --disable-ssh the diag setting incorrectly set it to disabled and would not allow the disable to be removed without clearing the ebpf diag map manually.
- Removed unused/unsupported 'id' field from all BTF Maps
- Switched deb compression algorithm to gzip
- Fixed BUILD.md pointing to deprecated repo.
- Increased event buffer size / max line size to support single services with large #s of prefixes.
- Added local route cleanup on SIGTERM/SIGINT.
-
Major operational change. Fixed issue where ziti-edge-tunnel would not bind to egress allows source ip unless there was an exact /32 match. Now binding is possible with a subnet level match. This is a significant improvement as now allowed sources do not have to be host level entries. In order to achieve this the link scoped route to tuX created by ZET for interception is deleted by the wrapper and a local ip route is added to lo in its place. This is made possible by the tc-ebpf-redirect which negates the need for the link scoped route. After update a system reboot should be performed
-
General code cleanup
- Fixed incorrect spelling of privileges in ebpf not enabled output messages.
-
Changed interface ebpf settings assignment which may require alteration of existing config if setup for exteral outbound tracking.
Added keys to /opt/openziti/etc/ebpf_config.json
- PerInterfaceRules - sets state of per interface rules awareness.
- InternalInterfaces default: false
- ExternalInterfaces default: true
- OutboundPassThroughTrack
- InternalInterfaces default: false
- ExternalInterfaces default: true
- PerInterfaceRules - sets state of per interface rules awareness.
-
Added empty ExternalInterfaces key to ebpf_config.json.sample and new keys described above with default values in the InternalInterfaces object. These can be excluded since they are default and provided only for example purposes.
-
/opt/openziti/start_ebpf.py updated to parse new keys and implement new interface deployment logic.
-
Edited debug output in ingress/egress tc to better reflect data captured
- Fixed Usage: output inconsistencies
- Added hyperlink to https://docs.openziti.io/
- Added debug output in both ingress and egress for traffic that matches host initiated connections
- standardized on debug output messaging and corrected spelling errors.
- Reverted ci/release.yml to include 'Pre-Depends: linux-image-generic (>= 5.15.0)'
- Fixed README Missing comma in json sample
- Changed ci/release.yml to include 'Pre-Depends: linux-image-generic (>= 5.15.0)'
- Fixed ci/release.yml
${{ env.MAINTAINER }} missing prepended $ - Added additional src/dest debug info in outbound tracking for udp
- Fixed inconsistency in usage:
- Fixed --help output changed "ssh echo" to ssh
- Added input validation to all interface related commands. If non existent name is given "Interface not found: will be output.
- Fixed output of zfw -L -i
- Added README.md section for containers, fixed some inconsistencies
- Fixed input validation to reject any tc filter commands with out -z, --direction specified
- Added enhanced output for outbound tracking
- Modified tcp state map to have separate fin state for client and server to more accurately identify tcp session close.
- Edits to readme removed ./ and repeated sudo
-Fixed start_ebpf.py syntax error printf() and should have been print() and removed sys.exit(1) on zfw -Q fail. -Fixed README.md inconsistencies/errors. -Fixed zfw -Q not displaying sudo permissions requirement when operated as a non privileged user. -Modified Maximums entries for multiple maps, this included a changed for MAX_BPF_ENTRIES which is settable at compile time and reflected in release.yml/ci.yml workload.
- Fixed some README.md inconsistencies and reduced some instructions to list only the most optimal methods.
- Changed Depends: ziti-edge-tunnel to Pre-Depends: ziti-edge-tunnel '(>= 0.21.0)' in release.yml key to .deb control to prevent installation if ziti-edge-tunnel is not already installed.
- Refactored release.yml to replace deprecated actions.
- Added ability to override automated settings in start_ebpf.sh by moving user_rules.sh read to last item in script
- Refactored release.yml deploy_packages_(arch) jobs to a single deploy_packages job with iteration through ${{ matrix.goarch }}
- Added initial code.
- Added README.md
- Added BUILD.md
- Modified json object in files/json/ebpf_config.json and modified files/scripts/start_ebpf.py to parse it for new key "ExternalInterfaces" which gives the ability to assign an outbound tracking object and set per interface rules on a wan interface as described in README.md
- Fixed memory leak caused b y not calling json_object_put() on the root json objects created by calls to json _token_parse().
- Added initial code.