V0.8.16 release candidate

CHANGELOG.md

@@ -3,6 +3,13 @@
 All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ---
+###
+# [0.8.16] - 2024-09-02
+- Fixed incorrect waitpid success/failure conditional checks in zfw.c and zfw_tunnel_wrapper.c.  This did not cause an operational issue but would not
+  report correctly in case system call failures.
+- Refactored csum calc for both ipv4 tcp / udp. 
+- Updated README with latest ```zfw -Q``` printout. 
+
 ###
 # [0.8.15] - 2024-08-26
 - Refactored all startup scripts to default InternalInterfaces to have outbound tracking enabled

README.md

@@ -18,7 +18,7 @@ This function requires that both ingress and egress TC filters are enabled on ou
 static PAT.  Note: When running on later kernels i.e. 6+ some older network hardware may not work with ebpf Dynamic PAT.   
 
 ### Explicit Deny Rules
-This feature adds the ability to enter explicit deny rules by appending ```-d, --disable to the -I, --insert rule``` to both ingress and egress rules.  Rule precedence is based on longest match prefix.  If the prefix is the same then the precedence follows the order entry of the rules, which when listed will go from top to bottom for ports with in the same prefix e.g.  
+This feature adds the ability to enter explicit deny rules by appending ```-d, --disable``` to the ```-I, --insert rule``` to either ingress or egress rules.  Rule precedence is based on longest match prefix.  If the prefix is the same then the precedence follows the order entry of the rules, which when listed will go from top to bottom for ports with in the same prefix e.g.  
 
 If you wanted to allow all tcp 443 traffic outbound except to 10.1.0.0/16 you would enter the following egress rules:
 
@@ -745,7 +745,6 @@ Example: Remove all tc-ebpf on router
 sudo zfw --disable-ebpf
 ```
 ```
-tc parent del : ens33
 removing /sys/fs/bpf/tc/globals/zt_tproxy_map
 removing /sys/fs/bpf/tc/globals/diag_map
 removing /sys/fs/bpf/tc/globals/ifindex_ip_map
@@ -780,6 +779,9 @@ removing /sys/fs/bpf/tc//globals/egress_matched_map
 removing /sys/fs/bpf/tc/globals/udp_ingress_map
 removing /sys/fs/bpf/tc/globals/tcp_ingress_map
 removing /sys/fs/bpf/tc/globals/masquerade_map
+removing /sys/fs/bpf/tc/globals/icmp_masquerade_map
+removing /sys/fs/bpf/tc/globals/icmp_echo_map
+removing /sys/fs/bpf/tc/globals/masquerade_reverse_map
 ```
 
 

src/zfw.c

@@ -246,7 +246,7 @@ char *direction_string;
 char *masq_interface;
 char check_alt[IF_NAMESIZE];
 
-const char *argp_program_version = "0.8.15";
+const char *argp_program_version = "0.8.16";
 struct ring_buffer *ring_buffer;
 
 __u32 if_list[MAX_IF_LIST_ENTRIES];
@@ -560,22 +560,11 @@ void set_tc(char *action)
     else
     {
         int status = 0;
-        if (waitpid(pid, &status, 0) > 0)
+        if(!(waitpid(pid, &status, 0) < 0))
         {
-            if (WIFEXITED(status) && !WEXITSTATUS(status))
+            if(!(WIFEXITED(status) && !WEXITSTATUS(status)))
             {
-                printf("tc parent %s : %s\n", action, tc_interface);
-            }
-            else
-            {
-                if (!strcmp("add", action))
-                {
-                    printf("tc parent already exists : %s\n", tc_interface);
-                }
-                else
-                {
-                    printf("tc parent does not exist : %s\n", tc_interface);
-                }
+                printf("could not set tc parent %s : %s\n", action, tc_interface);
             }
         }
     }
@@ -626,18 +615,13 @@ void set_tc_filter(char *action)
             else
             {
                 int status = 0;
-                if (!(waitpid(pid, &status, 0) > 0))
+                if(!(waitpid(pid, &status, 0) < 0))
                 {
-                    if (WIFEXITED(status) && !WEXITSTATUS(status))
+                    if(!(WIFEXITED(status) && !WEXITSTATUS(status)))
                     {
                         printf("tc %s filter not set : %s\n", direction_string, tc_interface);
                     }
                 }
-                if (status)
-                {
-                    printf("tc %s filter action/%d not set : %s\n", direction_string, x, tc_interface);
-                    close_maps(1);
-                }
             }
         }
     }

src/zfw_monitor.c

@@ -85,7 +85,7 @@ char check_alt[IF_NAMESIZE];
 char doc[] = "zfw_monitor -- ebpf firewall monitor tool";
 const char *rb_map_path = "/sys/fs/bpf/tc/globals/rb_map";
 const char *tproxy_map_path = "/sys/fs/bpf/tc/globals/zt_tproxy_map";
-const char *argp_program_version = "0.8.15";
+const char *argp_program_version = "0.8.16";
 union bpf_attr rb_map;
 int rb_fd = -1;
 

src/zfw_tc_ingress.c

@@ -1897,7 +1897,7 @@ int bpf_sk_splice(struct __sk_buff *skb){
                         }
                         /*Calculate l4 Checksum*/
                         int flags = BPF_F_PSEUDO_HDR;
-                        bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct tcphdr, check), local_ip4->ipaddr[0] ,mv->__in46_u_origin.ip, flags | 4);
+                        bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct tcphdr, check), 0, l3_sum, flags);
                         iph = (struct iphdr *)(skb->data + sizeof(*eth));
                         if ((unsigned long)(iph + 1) > (unsigned long)skb->data_end){
                             return TC_ACT_SHOT;
@@ -2121,7 +2121,7 @@ int bpf_sk_splice(struct __sk_buff *skb){
                         /*Calculate l4 Checksum*/
                         if(udph->check != 0){
                             int flags = BPF_F_PSEUDO_HDR;
-                            bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct udphdr, check),local_ip4->ipaddr[0], iph->daddr, flags | 4);
+                            bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct udphdr, check), 0, l3_sum, flags);
                             iph = (struct iphdr *)(skb->data + sizeof(*eth));
                             if ((unsigned long)(iph + 1) > (unsigned long)skb->data_end){
                                 return TC_ACT_SHOT;

src/zfw_tc_outbound_track.c

@@ -2374,7 +2374,7 @@ int bpf_sk_splice6(struct __sk_buff *skb){
                 }
                 /*Calculate l4 Checksum*/
                 int flags = BPF_F_PSEUDO_HDR;
-                bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct tcphdr, check), mv.__in46_u_origin.ip ,local_ip4->ipaddr[0], flags | 4);
+                bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct tcphdr, check), 0, l3_sum, flags);
                 iph = (struct iphdr *)(skb->data + sizeof(*eth));
                 if ((unsigned long)(iph + 1) > (unsigned long)skb->data_end){
                     return TC_ACT_SHOT;
@@ -2630,7 +2630,7 @@ int bpf_sk_splice6(struct __sk_buff *skb){
                     /*Calculate l4 Checksum if checksum not equal to zero*/
                     if(udph->check != 0){
                         int flags = BPF_F_PSEUDO_HDR;
-                        bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct udphdr, check), mv.__in46_u_origin.ip, iph->saddr, flags | 4);
+                        bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct udphdr, check), 0, l3_sum, flags);
                         iph = (struct iphdr *)(skb->data + sizeof(*eth));
                         if ((unsigned long)(iph + 1) > (unsigned long)skb->data_end){
                             return TC_ACT_SHOT;

src/zfw_tunnel_wrapper.c

@@ -843,7 +843,7 @@ void bind_route(struct in_addr *address, unsigned short mask)
         printf("execv error: unknown error binding route");
     }else{
         int status =0;
-        if(!(waitpid(pid, &status, 0) > 0)){
+        if(!(waitpid(pid, &status, 0) < 0)){
             if(WIFEXITED(status) && !WEXITSTATUS(status)){
                 printf("bound %s to dev lo\n", cidr_block);
             }
@@ -870,7 +870,7 @@ void unbind_route_loopback(struct in_addr *address, unsigned short mask)
         printf("execv error: unknown error unbinding route");
     }else{
         int status =0;
-        if(!(waitpid(pid, &status, 0) > 0)){
+        if(!(waitpid(pid, &status, 0) < 0)){
             if(WIFEXITED(status) && !WEXITSTATUS(status)){
                 printf("unbound %s from dev lo\n", cidr_block);
             }
@@ -897,7 +897,7 @@ void unbind_route(struct in_addr *address, unsigned short mask, char *dev)
         printf("execv error: unknown error unbinding route");
     }else{
         int status =0;
-        if(!(waitpid(pid, &status, 0) > 0)){
+        if(!(waitpid(pid, &status, 0) < 0)){
             if(WIFEXITED(status) && !WEXITSTATUS(status)){
                 printf("unbound %s from dev %s\n", cidr_block, dev);
             }
@@ -1025,7 +1025,7 @@ void zfw_update(char *ip, char *mask, char *lowport, char *highport, char *proto
        printf("execv error: unknown error binding\n");
     }else{
         int status =0;
-        if(!(waitpid(pid, &status, 0) > 0)){
+        if(!(waitpid(pid, &status, 0) < 0)){
             if(WIFEXITED(status) && !WEXITSTATUS(status)){
                 printf("zfw %s action for : %s set\n", action,  ip);
             }
@@ -1043,7 +1043,7 @@ bool check_diag(){
        printf("execv error: unknown error binding\n");
     }else{
         int status =0;
-        if(!(waitpid(pid, &status, 0) > 0)){
+        if(!(waitpid(pid, &status, 0) < 0)){
             if(WIFEXITED(status) && !WEXITSTATUS(status)){
                 printf("Diag Interface Listed!\n");
                 return false;