+++ /dev/null
-#!/bin/bash
-
-sudo apt-get update
-
-sudo apt-get -y install build-essential make autoconf automake
-
-sudo apt-get -y install libgmp-dev libsystemd-dev libcurl4-openssl-dev libldap-dev libtss2-dev libgcrypt20-dev libpam0g-dev libip4tc-dev pkg-config init libtss2-tcti-tabrmd0
-
-
-pushd ~
-
-curl -L https://github.com/strongswan/strongswan/releases/download/6.0.1/strongswan-6.0.1.tar.gz -o strongswan-6.0.1.tar.gz
-
-tar -xzf strongswan-6.0.1.tar.gz
-
-pushd strongswan-6.0.1
-
-./configure --prefix=/usr --sysconfdir=/etc --enable-charon --enable-systemd \
---disable-defaults \
---enable-static \
---enable-test-vectors \
---enable-pki --enable-ikev2 --enable-vici --enable-swanctl \
---enable-ldap \
---enable-pkcs11 \
---enable-tpm \
---enable-aesni \
---enable-aes \
---enable-rc2 \
---enable-sha2 \
---enable-sha1 \
---enable-md5 \
---enable-mgf1 \
---enable-rdrand \
---enable-random \
---enable-nonce \
---enable-x509 \
---enable-revocation \
---enable-constraints \
---enable-pubkey \
---enable-pkcs1 \
---enable-pkcs7 \
---enable-pkcs8 \
---enable-pkcs12 \
---enable-pgp \
---enable-dnskey \
---enable-sshkey \
---enable-pem \
---enable-openssl \
---enable-gcrypt \
---enable-af-alg \
---enable-fips-prf \
---enable-gmp \
---enable-curve25519 \
---enable-agent \
---enable-chapoly \
---enable-xcbc \
---enable-cmac \
---enable-hmac \
---enable-ctr \
---enable-ccm \
---enable-gcm \
---enable-ntru \
---enable-drbg \
---enable-curl \
---enable-attr \
---enable-kernel-netlink \
---enable-resolve \
---enable-socket-default \
---enable-connmark \
---enable-forecast \
---enable-farp \
---enable-stroke \
---enable-vici \
---enable-updown \
---enable-eap-identity \
---enable-eap-aka \
---enable-eap-md5 \
---enable-eap-gtc \
---enable-eap-mschapv2 \
---enable-eap-dynamic \
---enable-eap-radius \
---enable-eap-tls \
---enable-eap-ttls \
---enable-eap-peap \
---enable-eap-tnc \
---enable-xauth-generic \
---enable-xauth-eap \
---enable-xauth-pam \
---enable-tnc-tnccs \
---enable-dhcp \
---enable-lookip \
---enable-error-notify \
---enable-certexpire \
---enable-led \
---enable-addrblock \
---enable-unity \
---enable-counters \
---enable-whitelist
-
-make
-
-sudo make install
-
-popd
-
-popd
-
-
-sudo systemctl enable strongswan
-
-sudo systemctl start strongswan
-
-pushd ~
-
-git clone https://github.com/xdp-project/xdp-tools
-
-sudo apt update
-
-sudo apt install -y clang llvm libelf-dev libpcap-dev libc6-dev-i386 m4
-
-sudo apt install -y linux-tools-$(uname -r)
-
-sudo apt install -y linux-headers-$(uname -r)
-
-pushd xdp-tools
-
-./configure
-
-popd
-
-pushd xdp-tools
-
-make
-
-sudo make install
-
-popd
-
-
-pushd xdp-tools/lib/libbpf/src
-
-sudo make install
-
-popd
-
-popd
+++ /dev/null
-#!/bin/bash
-
-set -exo pipefail
-
-sudo ip netns del net1
-sudo ip netns del net2
-sudo ip link del br0
+++ /dev/null
-#!/bin/bash
-
-set -exo pipefail
-
-sudo ip netns add net1
-sudo ip netns add net2
-sudo ip link add dev veth1 type veth peer name veth2 netns net1
-sudo ip netns exec net1 ip link add dev veth3 type veth peer name veth4 netns net2
-
-sudo ip link add br0 type bridge stp_state 0
-sudo ip link set ens3 master br0
-sudo ip link set veth1 master br0
-sudo ip addr add 192.168.101.25/24 dev br0
-sudo ip addr add 10.168.0.254/24 dev br0
-
-sudo ip netns exec net1 ip link add br1 type bridge stp_state 1
-sudo ip netns exec net1 ip link set veth2 master br1
-sudo ip netns exec net1 ip link set veth3 master br1
-sudo ip netns exec net1 ip addr add 10.168.0.1/24 dev br1
-
-sudo ip netns exec net2 ip addr add 10.168.0.2/24 dev veth4
-
-sudo ip link set up ens3
-sudo ip link set up veth1
-sudo ip link set up br0
-sudo ip route add default via 192.168.101.1 dev br0
-sudo sysctl -w net.ipv4.ip_forward=1
-
-sudo ip netns exec net1 ip link set up lo
-sudo ip netns exec net1 ip link set up veth2
-sudo ip netns exec net1 ip link set up veth3
-sudo ip netns exec net1 ip link set up br1
-sudo ip netns exec net1 ip route add default via 10.168.0.254 dev br1
-sudo ip netns exec net1 sysctl -w net.ipv4.ip_forward=1
-
-sudo ip netns exec net2 ip link set up lo
-sudo ip netns exec net2 ip link set up veth4
-sudo ip netns exec net2 ip route add default via 10.168.0.1 dev veth4
-sudo ip netns exec net2 sysctl -w net.ipv4.ip_forward=1
--- /dev/null
+all:
+ clang -O2 -g -Wall -c -target bpf -o bpf_ctl.o bpf_ctl.c
+clean:
+ rm -rf *.o
\ No newline at end of file
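Review bot: `all` and `clean` are not declared phony, so a file named `all` or `clean` appearing in the directory would silently satisfy the target; add `.PHONY: all clean` at the top. `rm -rf *.o` only ever sees regular object files, so `rm -f *.o` is sufficient and keeps a recursive delete out of the clean target. Recipe lines must begin with a tab; if the leading space shown in this hunk is literal rather than a rendering artifact, make will reject the file.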
--- /dev/null
+
+#define AF_INET 2 /* Internet IP Protocol */
+#define ETH_ALEN 6
+#define PROTO_IP 0x0800
+
+#include <linux/bpf.h>
+
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_endian.h>
+
+#include <linux/if_ether.h>
+#include <linux/if_vlan.h>
+#include <linux/ip.h>
+#include <linux/tcp.h>
+#include <linux/udp.h>
+#include <linux/in.h>
+#include <linux/string.h>
+
+#include "xsk_def_xdp_prog.h"
+
+struct hwaddr {
+ __u8 data[6];
+ __u8 rsvd[2];
+};
+
+struct {
+ __uint(type, BPF_MAP_TYPE_HASH);
+ __type(key, __u32);
+ __type(value, struct hwaddr);
+ __uint(map_flags, BPF_F_NO_PREALLOC);
+ __uint(max_entries, 64);
+} inline_hw SEC(".maps");
+
+
+SEC("xdp_pass")
+int xdp_pass_prog(struct xdp_md *ctx){
+
+ unsigned char *data_end = (unsigned char *)(long)ctx->data_end;
+ unsigned char *data = (unsigned char *)(long)ctx->data;
+
+
+ struct ethhdr *ether = (struct ethhdr *)data;
+ if (data + sizeof(*ether) > data_end) {
+
+ return XDP_DROP;
+ }
+
+// bpf_printk("h proto: %d\n", bpf_ntohs(ether->h_proto));
+ __u16 h_proto = ether->h_proto;
+
+ //bpf_printk("h_proto orig: %02x\n", h_proto);
+ //bpf_printk("h_proto hton: %02x\n", bpf_htons(h_proto));
+
+ if (bpf_htons(h_proto) != PROTO_IP) {
+ // bpf_printk("proto not ip\n");
+ return XDP_PASS;
+ }
+
+ //broadcast & multicast
+ if(ether->h_dest[0] & 0x01){
+ return XDP_PASS;
+ }
+
+ __u32 key = 0;
+ struct hwaddr *value = NULL;
+
+ value = bpf_map_lookup_elem(&inline_hw, &key);
+
+ if(!value){
+ bpf_printk("inline hw addr not found\n");
+ return XDP_DROP;
+ }
+
+ //bpf_printk("inline hwaddr: %02x:%02x:%02x:%02x:%02x:%02x\n", value->data[0], value->data[1], value->data[2], value->data[3], value->data[4], value->data[5]);
+
+ memcpy(ether->h_dest, value->data, 6);
+
+ return XDP_PASS;
+}
+
+char _license[] SEC("license") = "GPL";
\ No newline at end of file
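Review bot: When the lookup on `value = bpf_map_lookup_elem(&inline_hw, &key);` fails the program returns XDP_DROP for every unicast IPv4 frame, so attaching it before user space has populated the map blackholes the interface, and the `bpf_printk` on that path fires once per dropped packet into the trace pipe. If fail-open is the intent change that branch to `return XDP_PASS;`; if fail-closed is deliberate, say so in a comment above the `if(!value)` and drop the per-packet printk. `PROTO_IP 0x0800` duplicates `ETH_P_IP` already provided by `<linux/if_ether.h>`, and `bpf_htons(h_proto) != PROTO_IP` reads more naturally as `bpf_ntohs(h_proto) != ETH_P_IP` (same result). The fixed `key = 0` means only one of the 64 `inline_hw` slots is ever read, so a comment stating that user space is expected to write the rewrite MAC into slot 0 would help the next reader. `SEC("xdp_pass")` may also be rejected by libbpf 1.x strict section-name matching, which expects `SEC("xdp")`; worth confirming against the libbpf version vendored by xdp-tools.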
--- /dev/null
+// SPDX-License-Identifier: (GPL-2.0 OR BSD-2-Clause)
+
+#ifndef __LIBXDP_XSK_DEF_XDP_PROG_H
+#define __LIBXDP_XSK_DEF_XDP_PROG_H
+
+#define XDP_METADATA_SECTION "xdp_metadata"
+#define XSK_PROG_VERSION 1
+
+#endif /* __LIBXDP_XSK_DEF_XDP_PROG_H */
\ No newline at end of file
--- /dev/null
+#!/bin/bash
+
+sudo apt-get update
+
+sudo apt-get -y install build-essential make autoconf automake
+
+sudo apt-get -y install libgmp-dev libsystemd-dev libcurl4-openssl-dev libldap-dev libtss2-dev libgcrypt20-dev libpam0g-dev libip4tc-dev pkg-config init libtss2-tcti-tabrmd0
+
+
+pushd ~
+
+curl -L https://github.com/strongswan/strongswan/releases/download/6.0.1/strongswan-6.0.1.tar.gz -o strongswan-6.0.1.tar.gz
+
+tar -xzf strongswan-6.0.1.tar.gz
+
+pushd strongswan-6.0.1
+
+./configure --prefix=/usr --sysconfdir=/etc --enable-charon --enable-systemd \
+--disable-defaults \
+--enable-static \
+--enable-test-vectors \
+--enable-pki --enable-ikev2 --enable-vici --enable-swanctl \
+--enable-ldap \
+--enable-pkcs11 \
+--enable-tpm \
+--enable-aesni \
+--enable-aes \
+--enable-rc2 \
+--enable-sha2 \
+--enable-sha1 \
+--enable-md5 \
+--enable-mgf1 \
+--enable-rdrand \
+--enable-random \
+--enable-nonce \
+--enable-x509 \
+--enable-revocation \
+--enable-constraints \
+--enable-pubkey \
+--enable-pkcs1 \
+--enable-pkcs7 \
+--enable-pkcs8 \
+--enable-pkcs12 \
+--enable-pgp \
+--enable-dnskey \
+--enable-sshkey \
+--enable-pem \
+--enable-openssl \
+--enable-gcrypt \
+--enable-af-alg \
+--enable-fips-prf \
+--enable-gmp \
+--enable-curve25519 \
+--enable-agent \
+--enable-chapoly \
+--enable-xcbc \
+--enable-cmac \
+--enable-hmac \
+--enable-ctr \
+--enable-ccm \
+--enable-gcm \
+--enable-ntru \
+--enable-drbg \
+--enable-curl \
+--enable-attr \
+--enable-kernel-netlink \
+--enable-resolve \
+--enable-socket-default \
+--enable-connmark \
+--enable-forecast \
+--enable-farp \
+--enable-stroke \
+--enable-vici \
+--enable-updown \
+--enable-eap-identity \
+--enable-eap-aka \
+--enable-eap-md5 \
+--enable-eap-gtc \
+--enable-eap-mschapv2 \
+--enable-eap-dynamic \
+--enable-eap-radius \
+--enable-eap-tls \
+--enable-eap-ttls \
+--enable-eap-peap \
+--enable-eap-tnc \
+--enable-xauth-generic \
+--enable-xauth-eap \
+--enable-xauth-pam \
+--enable-tnc-tnccs \
+--enable-dhcp \
+--enable-lookip \
+--enable-error-notify \
+--enable-certexpire \
+--enable-led \
+--enable-addrblock \
+--enable-unity \
+--enable-counters \
+--enable-whitelist
+
+make
+
+sudo make install
+
+popd
+
+popd
+
+
+sudo systemctl enable strongswan
+
+sudo systemctl start strongswan
+
+pushd ~
+
+git clone https://github.com/xdp-project/xdp-tools
+
+sudo apt update
+
+sudo apt install -y clang llvm libelf-dev libpcap-dev libc6-dev-i386 m4
+
+sudo apt install -y linux-tools-$(uname -r)
+
+sudo apt install -y linux-headers-$(uname -r)
+
+pushd xdp-tools
+
+./configure
+
+popd
+
+pushd xdp-tools
+
+make
+
+sudo make install
+
+popd
+
+
+pushd xdp-tools/lib/libbpf/src
+
+sudo make install
+
+popd
+
+popd
+
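Review bot: The strongSwan tarball fetched on the `curl -L https://github.com/strongswan/...` line is extracted, built and installed as root without any integrity check, and the script has no `set -e`, so a truncated or failed download still proceeds through `tar -xzf`, `make` and `sudo make install`. Add `set -euo pipefail` after the shebang and verify the archive before extracting, e.g. `echo "<EXPECTED_SHA256>  strongswan-6.0.1.tar.gz" | sha256sum -c -` with the digest taken from the upstream release (or `gpg --verify` against the detached signature strongSwan publishes). The same applies to the near-identical install script for dev2 later in this diff, and to the `git clone https://github.com/xdp-project/xdp-tools` line, which builds and installs an unpinned HEAD plus its vendored libbpf over the system copy; pinning a tag or commit (`git -C xdp-tools checkout <TAG_OR_COMMIT>`) makes the build reproducible. The two `pushd ~` / `popd` pairs and the repeated `pushd xdp-tools` are also unchecked, so a failed `pushd` runs the following `make` in the wrong directory.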
--- /dev/null
+#!/bin/bash
+
+set -exo pipefail
+
+sudo ip netns del net1
+sudo ip netns del net2
+sudo ip link del br0
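Review bot: Under `set -exo pipefail`, a failing `sudo ip netns del net1` (after a partially applied setup, or on a second run) aborts the script before `net2` and `br0` are removed, so the cleanup is not idempotent. Append `|| true` to each of the three deletions, or check for the object first, so a missing namespace or bridge is not treated as an error. The address and default route that the setup script placed on `br0` disappear with it and nothing here re-addresses `ens3` afterwards; if the host is expected to be re-configured by hand at that point, a comment saying so would help.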
--- /dev/null
+#!/bin/bash
+
+set -exo pipefail
+
+sudo modprobe br_netfilter
+
+sudo ip netns add net1
+sudo ip netns add net2
+sudo ip link add dev veth1 type veth peer name veth2 netns net1
+sudo ip netns exec net1 ip link add dev veth3 type veth peer name veth4 netns net2
+
+sudo ip link add br0 type bridge stp_state 0
+sudo ip link set ens3 master br0
+sudo ip link set veth1 master br0
+sudo ip addr add 192.168.101.25/24 dev br0
+sudo ip addr add 10.168.0.254/24 dev br0
+
+sudo ip netns exec net1 ip link add br1 type bridge stp_state 1
+sudo ip netns exec net1 ip link set veth2 master br1
+sudo ip netns exec net1 ip link set veth3 master br1
+sudo ip netns exec net1 ip addr add 10.168.0.1/24 dev br1
+
+sudo ip netns exec net2 ip addr add 10.168.0.2/24 dev veth4
+
+sudo ip link set up ens3
+sudo ip link set up veth1
+sudo ip link set up br0
+sudo ip route add default via 192.168.101.1 dev br0
+sudo sysctl -w net.ipv4.ip_forward=1
+
+sudo ip netns exec net1 ip link set up lo
+sudo ip netns exec net1 ip link set up veth2
+sudo ip netns exec net1 ip link set up veth3
+sudo ip netns exec net1 ip link set up br1
+sudo ip netns exec net1 ip route add default via 10.168.0.254 dev br1
+sudo ip netns exec net1 sysctl -w net.ipv4.ip_forward=1
+
+sudo ip netns exec net2 ip link set up lo
+sudo ip netns exec net2 ip link set up veth4
+sudo ip netns exec net2 ip route add default via 10.168.0.1 dev veth4
+sudo ip netns exec net2 sysctl -w net.ipv4.ip_forward=1
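Review bot: `sudo sysctl -w net.ipv4.ip_forward=1` makes the host route between the 192.168.101.0/24 segment on ens3 and the 10.168.0.0/24 namespaces, and the newly added `sudo modprobe br_netfilter` additionally passes bridged frames through the netfilter forward path, yet the script installs no filtering policy, so traffic is forwarded unrestricted unless something outside this diff configures it. Either add a minimal policy next to the sysctl (default-drop on FORWARD with accept rules for the two subnets) or state the assumption in a comment, e.g. `# ip_forward + br_netfilter: host forwards freely between ens3 and the namespaces; filtering is expected from <EXTERNAL_FIREWALL>`. `sudo ip link set ens3 master br0` enslaves the host's uplink before `br0` receives its address and default route several lines later, so a failure in between under `set -e` leaves the host without connectivity; a comment pointing at clean.sh for recovery would be useful. None of the `sysctl -w` settings persist across a reboot, which is probably intended for a lab but should be stated.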
--- /dev/null
+*.pem
+*.srl
+*.csr
+*.tar.gz
\ No newline at end of file
--- /dev/null
+#!/bin/bash
+
+
+SCONFIG="authorityKeyIdentifier = keyid,issuer:always\n" && \
+SCONFIG="${SCONFIG}basicConstraints = CA:FALSE\n" && \
+SCONFIG="${SCONFIG}keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment\n" && \
+SCONFIG="${SCONFIG}extendedKeyUsage = serverAuth\n"
+
+CCONFIG="authorityKeyIdentifier = keyid,issuer:always\n" && \
+CCONFIG="${CCONFIG}basicConstraints = CA:FALSE\n" && \
+CCONFIG="${CCONFIG}keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment\n" && \
+CCONFIG="${CCONFIG}extendedKeyUsage = clientAuth\n"
+
+
+openssl genrsa -out ca_priv.pem 4096
+openssl rsa -in ca_priv.pem -outform PEM -pubout -out ca_pub.pem
+openssl req -x509 -new -key ca_priv.pem -days 365 -out ca.cert.pem -subj "/CN=dev1ca"
+
+openssl genrsa -out server.key.pem 4096
+openssl rsa -in server.key.pem -outform PEM -pubout -out ser_pub.pem
+openssl req -key server.key.pem -new -sha256 -out server.csr -subj "/CN=dev1server"
+openssl x509 -req -days 180 -in server.csr -extfile <(printf "${SCONFIG}") -CA ca.cert.pem -CAkey ca_priv.pem -CAcreateserial -sha256 -out server.cert.pem
+
+openssl genrsa -out client.key.pem 4096
+openssl rsa -in client.key.pem -outform PEM -pubout -out cli_pub.pem
+openssl req -key client.key.pem -new -sha256 -out client.csr -subj "/CN=dev1client"
+openssl x509 -req -days 180 -in client.csr -extfile <(printf "${CCONFIG}") -CA ca.cert.pem -CAkey ca_priv.pem -CAcreateserial -sha256 -out client.cert.pem
+
+sudo /bin/cp -Rf swanctl.conf /etc/swanctl/swanctl.conf
+sudo /bin/cp -Rf ca.cert.pem /etc/swanctl/x509ca/
+sudo /bin/cp -Rf server.cert.pem /etc/swanctl/x509
+sudo /bin/cp -Rf server.key.pem /etc/swanctl/private
+
+tar czf dev2.vpn.tar.gz ca.cert.pem client.cert.pem client.key.pem
+
+sudo cp dev2.vpn.tar.gz /tmp/
+sudo chmod 777 /tmp/dev2.vpn.tar.gz
+
+sudo systemctl restart strongswan
\ No newline at end of file
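Review bot: `sudo chmod 777 /tmp/dev2.vpn.tar.gz` makes an archive containing `client.key.pem` world-readable and world-writable in a shared directory, and the keys themselves are written by `openssl genrsa` with umask-default permissions, so `ca_priv.pem`, `server.key.pem` and `client.key.pem` are typically 0644 in the working directory and `sudo /bin/cp -Rf server.key.pem /etc/swanctl/private` carries that mode into the daemon's key store. Put `umask 077` right after the shebang, give the archive to the account that fetches it instead of opening it to everyone (`sudo chown seantywork /tmp/dev2.vpn.tar.gz && sudo chmod 600 /tmp/dev2.vpn.tar.gz`, matching the user on the dev2 `scp` line), and install the key with `sudo install -m 600 -o root -g root server.key.pem /etc/swanctl/private/` — the same applies to the `client.key.pem` copy in the dev2 setup script later in this diff. The script has no `set -e`, so if any `openssl` step fails the stale files from a previous run are copied and `strongswan` restarted anyway; `set -euo pipefail` at the top closes that. `-R` on the `cp` lines has no effect on regular files and can be dropped.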
--- /dev/null
+connections {
+
+ dev1 {
+ local_addrs = 192.168.101.25
+ pools = dev1_pool
+ version = 2
+ proposals = aes256gcm16-sha256-modp2048
+ unique = never
+ encap = yes
+
+ local {
+ auth = pubkey
+ certs = server.cert.pem
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.168.0.0/24
+ mode = tunnel
+ esp_proposals = aes256gcm16-sha256
+ dpd_action = restart
+ rekey_time = 0
+ }
+ }
+ }
+}
+
+pools{
+ dev1_pool {
+ addrs = 10.9.0.0/24
+ }
+}
\ No newline at end of file
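Review bot: `rekey_time = 0` in the `net` child disables CHILD_SA rekeying, and with the byte and packet limits left at their defaults the ESP keys negotiated at tunnel start are used for the life of the connection regardless of traffic volume. Unless the peer cannot handle rekeying, drop the line to get strongSwan's default or set an explicit value, and leave a comment on why if it must stay. `remote { auth = pubkey }` without an `id` constraint accepts any certificate chaining to a CA in `/etc/swanctl/x509ca`; with a single private CA that is workable, but `id = "CN=dev1client"` (the CN issued in setup.sh) would pin the expected peer. `unique = never` allows several concurrent IKE_SAs for the same identity, which is fine for a lab but worth stating next to the line.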
--- /dev/null
+#!/bin/bash
+
+sudo apt-get update
+
+sudo apt-get -y install build-essential make autoconf automake
+
+sudo apt-get -y install libgmp-dev libsystemd-dev libcurl4-openssl-dev libldap-dev libtss2-dev libgcrypt20-dev libpam0g-dev libip4tc-dev pkg-config init libtss2-tcti-tabrmd0
+
+
+pushd ~
+
+curl -L https://github.com/strongswan/strongswan/releases/download/6.0.1/strongswan-6.0.1.tar.gz -o strongswan-6.0.1.tar.gz
+
+tar -xzf strongswan-6.0.1.tar.gz
+
+pushd strongswan-6.0.1
+
+./configure --prefix=/usr --sysconfdir=/etc --enable-charon --enable-systemd \
+--disable-defaults \
+--enable-static \
+--enable-test-vectors \
+--enable-pki --enable-ikev2 --enable-vici --enable-swanctl \
+--enable-ldap \
+--enable-pkcs11 \
+--enable-tpm \
+--enable-aesni \
+--enable-aes \
+--enable-rc2 \
+--enable-sha2 \
+--enable-sha1 \
+--enable-md5 \
+--enable-mgf1 \
+--enable-rdrand \
+--enable-random \
+--enable-nonce \
+--enable-x509 \
+--enable-revocation \
+--enable-constraints \
+--enable-pubkey \
+--enable-pkcs1 \
+--enable-pkcs7 \
+--enable-pkcs8 \
+--enable-pkcs12 \
+--enable-pgp \
+--enable-dnskey \
+--enable-sshkey \
+--enable-pem \
+--enable-openssl \
+--enable-gcrypt \
+--enable-af-alg \
+--enable-fips-prf \
+--enable-gmp \
+--enable-curve25519 \
+--enable-agent \
+--enable-chapoly \
+--enable-xcbc \
+--enable-cmac \
+--enable-hmac \
+--enable-ctr \
+--enable-ccm \
+--enable-gcm \
+--enable-ntru \
+--enable-drbg \
+--enable-curl \
+--enable-attr \
+--enable-kernel-netlink \
+--enable-resolve \
+--enable-socket-default \
+--enable-connmark \
+--enable-forecast \
+--enable-farp \
+--enable-stroke \
+--enable-vici \
+--enable-updown \
+--enable-eap-identity \
+--enable-eap-aka \
+--enable-eap-md5 \
+--enable-eap-gtc \
+--enable-eap-mschapv2 \
+--enable-eap-dynamic \
+--enable-eap-radius \
+--enable-eap-tls \
+--enable-eap-ttls \
+--enable-eap-peap \
+--enable-eap-tnc \
+--enable-xauth-generic \
+--enable-xauth-eap \
+--enable-xauth-pam \
+--enable-tnc-tnccs \
+--enable-dhcp \
+--enable-lookip \
+--enable-error-notify \
+--enable-certexpire \
+--enable-led \
+--enable-addrblock \
+--enable-unity \
+--enable-counters \
+--enable-whitelist
+
+make
+
+sudo make install
+
+popd
+
+popd
+
+
+sudo systemctl enable strongswan
+
+sudo systemctl start strongswan
+
+
--- /dev/null
+#!/bin/bash
+
+set -exo pipefail
+
+sudo ip netns del net1
--- /dev/null
+#!/bin/bash
+
+set -exo pipefail
+
+sudo ip netns add net1
+sudo ip link set dev enp7s3 netns net1
+sudo ip addr add 192.168.101.21/24 dev ens3
+sudo ip link set dev ens3 up
--- /dev/null
+#!/bin/bash
+
+set -exo pipefail
+
+scp seantywork@192.168.101.25:/tmp/dev2.vpn.tar.gz .
+
+tar xzf dev2.vpn.tar.gz
+
+sudo /bin/cp -Rf swanctl.conf /etc/swanctl/swanctl.conf
+sudo /bin/cp -Rf ca.cert.pem /etc/swanctl/x509ca/
+sudo /bin/cp -Rf client.cert.pem /etc/swanctl/x509
+sudo /bin/cp -Rf client.key.pem /etc/swanctl/private
+
+sudo systemctl restart strongswan
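Review bot: After `tar xzf dev2.vpn.tar.gz` and the `sudo /bin/cp` lines, `client.key.pem`, `client.cert.pem`, `ca.cert.pem` and the archive remain in the working directory with their extracted permissions, so the private key lives in two places once `strongswan` restarts. Remove the working copies after installing them (`rm -f -- client.key.pem dev2.vpn.tar.gz`), and drop the `-R` flag on the `cp` lines, which does nothing for regular files. The `scp` line pulls the archive from the gateway's `/tmp`, a directory shared with every local account there; a location readable only by `seantywork`, such as that user's home directory, is a safer handoff point. The cleanup script for this host only deletes `net1`, so re-running setup after a failed run is fine, but nothing here checks that `/etc/swanctl/x509ca` and `/etc/swanctl/private` exist before copying.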
--- /dev/null
+connections {
+ home {
+ remote_addrs = 192.168.101.25
+ vips = 0.0.0.0
+ version = 2
+ proposals = aes256gcm16-sha256-modp2048
+
+ local {
+ auth = pubkey
+ certs = client.cert.pem
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ home {
+ remote_ts = 10.168.0.0/24
+ start_action = start
+ esp_proposals = aes256gcm16-sha256
+ }
+ }
+ }
+}
\ No newline at end of file
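Review bot: `remote { auth = pubkey }` with no `id` means this client accepts any certificate chaining to a CA in its `x509ca` directory as the gateway at `remote_addrs = 192.168.101.25`, and setup.sh issues both the server and client certificates from that same CA, so any of them would satisfy this block. Add `id = "CN=dev1server"` (the CN given to the server certificate in setup.sh) under `remote` so only the gateway's identity is accepted. `vips = 0.0.0.0` requests a virtual address from the gateway's `dev1_pool` and `start_action = start` brings the tunnel up when the daemon loads the config; a one-line comment on each would make the client profile self-explanatory.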