lunatik addon for BPFire #40

vincentmli · 2024-09-14T22:35:45Z

following diff to lunatik Makefile to build lunatik addon in BPFire

root@r210:/home/vincent/go/src/github.com/vincentmli/BPFire/cache/lunatik-5.3.2# git diff
diff --git a/Makefile b/Makefile
index ec172541..06c0fdb8 100644
--- a/Makefile
+++ b/Makefile
@@ -3,14 +3,14 @@
 
 MODULES_INSTALL_PATH = /lib/modules/${shell uname -r}
 SCRIPTS_INSTALL_PATH = /lib/modules/lua
-LUNATIK_INSTALL_PATH = /usr/local/sbin
-LUA_API = lua/lua.h lua/lauxlib.h lua/lualib.h
+LUNATIK_INSTALL_PATH = /usr/sbin
+LUA_API = $(PWD)/lua/lua.h $(PWD)/lua/lauxlib.h $(PWD)/lua/lualib.h
 KDIR ?= ${MODULES_INSTALL_PATH}/build
 RM = rm -f
 MKDIR = mkdir -p -m 0755
 INSTALL = install -o root -g root
 
-all: lunatik_sym.h
+all: $(LUA_API)/lunatik_sym.h
        ${MAKE} -C ${KDIR} M=${PWD} CONFIG_LUNATIK=m    \
        CONFIG_LUNATIK_RUN=m CONFIG_LUNATIK_RUNTIME=y CONFIG_LUNATIK_DEVICE=m   \
        CONFIG_LUNATIK_LINUX=m CONFIG_LUNATIK_NOTIFIER=m CONFIG_LUNATIK_SOCKET=m \
@@ -70,6 +70,6 @@ install: scripts_install modules_install
 uninstall: scripts_uninstall modules_uninstall
        depmod -a
 
-lunatik_sym.h: $(LUA_API)
+$(LUA_API)/lunatik_sym.h: $(LUA_API)
        ${shell ./gensymbols.sh $(LUA_API) > lunatik_sym.h}

see luainkernel/lunatik#189

The text was updated successfully, but these errors were encountered:

lunatik has LuaXDP that supports scripting XDP for TLS SNI parsing and many other scripting featuers for kernel. see lunatik build workaround in detail luainkernel/lunatik#189 #40 Signed-off-by: Vincent Li <[email protected]>

vincentmli · 2024-09-17T17:19:09Z

lunatik change:

    BPFire lunatik build change
    
    adjust lunatik kernel module and https.o build
    for BPFire chroot environment
    
    see https://github.com/luainkernel/lunatik/issues/189
    
    Signed-off-by: Vincent Li <[email protected]>

diff --git a/Makefile b/Makefile
index ec172541..1c72f3e1 100644
--- a/Makefile
+++ b/Makefile
@@ -3,14 +3,14 @@
 
 MODULES_INSTALL_PATH = /lib/modules/${shell uname -r}
 SCRIPTS_INSTALL_PATH = /lib/modules/lua
-LUNATIK_INSTALL_PATH = /usr/local/sbin
-LUA_API = lua/lua.h lua/lauxlib.h lua/lualib.h
+LUNATIK_INSTALL_PATH = /usr/sbin
+LUNATIK_EBPF_INSTALL_PATH = /usr/lib/bpf
 KDIR ?= ${MODULES_INSTALL_PATH}/build
 RM = rm -f
 MKDIR = mkdir -p -m 0755
 INSTALL = install -o root -g root
 
-all: lunatik_sym.h
+all:
        ${MAKE} -C ${KDIR} M=${PWD} CONFIG_LUNATIK=m    \
        CONFIG_LUNATIK_RUN=m CONFIG_LUNATIK_RUNTIME=y CONFIG_LUNATIK_DEVICE=m   \
        CONFIG_LUNATIK_LINUX=m CONFIG_LUNATIK_NOTIFIER=m CONFIG_LUNATIK_SOCKET=m \
@@ -46,6 +46,7 @@ examples_install:
        ${INSTALL} -m 0644 examples/echod/*.lua ${SCRIPTS_INSTALL_PATH}/examples/echod
        ${MKDIR} ${SCRIPTS_INSTALL_PATH}/examples/filter
        ${INSTALL} -m 0644 examples/filter/*.lua ${SCRIPTS_INSTALL_PATH}/examples/filter
+       ${INSTALL} -m 0644 examples/filter/*.o ${LUNATIK_EBPF_INSTALL_PATH}
        ${MKDIR} ${SCRIPTS_INSTALL_PATH}/examples/dnsblock
        ${INSTALL} -m 0644 examples/dnsblock/*.lua ${SCRIPTS_INSTALL_PATH}/examples/dnsblock
        ${MKDIR} ${SCRIPTS_INSTALL_PATH}/examples/dnsdoctor
@@ -69,7 +70,3 @@ install: scripts_install modules_install
 
 uninstall: scripts_uninstall modules_uninstall
        depmod -a
-
-lunatik_sym.h: $(LUA_API)
-       ${shell ./gensymbols.sh $(LUA_API) > lunatik_sym.h}
-
diff --git a/examples/filter/Makefile b/examples/filter/Makefile
index f7eb0f6d..4d2fd3b9 100644
--- a/examples/filter/Makefile
+++ b/examples/filter/Makefile
@@ -1,10 +1,12 @@
 # SPDX-FileCopyrightText: (c) 2023-2024 Ring Zero Desenvolvimento de Software LTDA
 # SPDX-License-Identifier: MIT OR GPL-2.0-only
 
+VMLINUX_BTF_PATH = /lib/modules/6.6.15-ipfire/build
+
 all: vmlinux https.o
 
 vmlinux:
-       bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h
+       bpftool btf dump file $(VMLINUX_BTF_PATH)/vmlinux format c > vmlinux.h
 
 https.o: https.c
        clang -target bpf -Wall -O2 -c -g $<

error when run lunatik which loads lunatik kernel modules root@bpfire-2 lua]# lunatik run examples/filter/sni false [root@bpfire-2 lua]# dmesg [ 330.411665] lunatik: loading out-of-tree module taints kernel. [ 330.411680] lunatik: module verification failed: signature and/or required key missing - tainting kernel [ 330.433955] Kernel module BTF mismatch detected, BTF debug info may be unavailable for some modules [ 330.767701] missing module BTF, cannot register kfuncs BPFire chroot build mount /sys/kernel/btf/vmlinux which is the host binary vmlinux BTF to build against lunatik kernel module, which result in above error. adjust BPFire kernel build to save the binary vmlinux BTF to chroot /lib/modules/6.6.15-ipfire/build/vmlinux for lunatik kernel module. create the vmlinux.h from the same binary vmlinux BTF for the ebpf https.o lunatik kernel module is depending on kernel build, adjust the lunatik build accordingly when kerne upgrade in future. See #40 see luainkernel/lunatik#189 Signed-off-by: Vincent Li <[email protected]>

vincentmli · 2024-10-01T00:35:35Z

lunatik filter sni for BPFire has limitation for chrome browser in luainkernel/lunatik#193 and chrome browser is very popular

Lunatik sni filter currently does not work for BPFire when chrome browser is used due to clienthello > 1500 bytes, XDP TLS/SSL has the same issue, to block domain access, it appears XDP DNS domain blocking works more reliable than SNI, so if there is need to block chrome browser for some domain, use XDP DNS domain blocking as mitigation. see #40 Signed-off-by: Vincent Li <[email protected]>

vincentmli closed this as completed Oct 3, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

lunatik addon for BPFire #40

lunatik addon for BPFire #40

vincentmli commented Sep 14, 2024

vincentmli commented Sep 17, 2024

vincentmli commented Oct 1, 2024

lunatik addon for BPFire #40

lunatik addon for BPFire #40

Comments

vincentmli commented Sep 14, 2024

vincentmli commented Sep 17, 2024

vincentmli commented Oct 1, 2024