gamemann / XDP-Firewall

A firewall that utilizes the Linux kernel's XDP hook. The XDP hook allows for very fast network processing on Linux systems. This is great for dropping malicious traffic from a (D)DoS attack. IPv6 is supported with this firewall! I hope this helps network engineers/programmers interested in utilizing XDP!

Home Page: https://deaconn.net/

Minimum kernel version?

mrbluecoat opened this issue · comments

This project requires for/while loop support with BPF. Older kernels will not support this.

What is the minimum kernel version that supports this?

It looks like BPF while/for loop support was added in kernel 5.3 according to the following article:

https://lwn.net/Articles/794934/

Therefore, the minimum version would be 5.3 for this program.

Edit: I've added these notes to the README.

Thanks!

Hmm... My SBC has

# uname -r
5.4.43-sunxi64

but I still get that error. Perhaps it's because XDP-Firewall doesn't support ARM64?

Interesting. I haven't tested ARM64 with this program yet, but I will look into testing this later today.

Can you provide the full error you're getting?

Sure, here's my process (all run as root):

uname -r

5.4.43-sunxi64

cat /etc/issue

Armbian 20.05.2 Buster

apt -t buster-backports install -yq llvm clang libelf-dev libconfig-dev git build-essential  
git clone --recursive https://github.com/gamemann/XDP-Firewall.git
cd XDP-Firewall
make && make install
service xdpfw start

service xdpfw status

● xdpfw.service - XDP Firewall tool.
Loaded: loaded (/etc/systemd/system/xdpfw.service; disabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2020-07-24 18:45:18 BST; 20ms ago
Process: 794 ExecStart=/usr/bin/xdpfw (code=exited, status=1/FAILURE)
Main PID: 794 (code=exited, status=1/FAILURE)

Jul 24 18:45:18 DietPi systemd[1]: xdpfw.service: Failed with result 'exit-code'.
Jul 24 18:45:18 DietPi systemd[1]: xdpfw.service: Service RestartSec=100ms expired, scheduling restart.
Jul 24 18:45:18 DietPi systemd[1]: xdpfw.service: Scheduled restart job, restart counter is at 5.
Jul 24 18:45:18 DietPi systemd[1]: Stopped XDP Firewall tool..
Jul 24 18:45:18 DietPi systemd[1]: xdpfw.service: Start request repeated too quickly.
Jul 24 18:45:18 DietPi systemd[1]: xdpfw.service: Failed with result 'exit-code'.
Jul 24 18:45:18 DietPi systemd[1]: Failed to start XDP Firewall tool..

Relevant entries in journalctl -xe

Jul 24 18:44:03 DietPi systemd[1]: Detected architecture arm64.
Jul 24 18:44:03 DietPi systemd[1]: File /lib/systemd/system/systemd-journald.service:12 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
Jul 24 18:44:03 DietPi systemd[1]: Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)

...

Jul 24 18:45:17 DietPi systemd[1]: Started XDP Firewall tool..
-- Subject: A start job for unit xdpfw.service has finished successfully
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- A start job for unit xdpfw.service has finished successfully.
-- 
-- The job identifier is 152.
Jul 24 18:45:17 DietPi xdpfw[782]: libbpf: Error in bpf_object__probe_name():Function not implemented(38). Couldn't load basic 'r0 = 0' BPF program.
Jul 24 18:45:17 DietPi xdpfw[782]: libbpf: Error in bpf_object__probe_global_data():Function not implemented(38). Couldn't create simple array map.
Jul 24 18:45:17 DietPi xdpfw[782]: libbpf: map 'filters_map': failed to create: Function not implemented(-38)
Jul 24 18:45:17 DietPi xdpfw[782]: libbpf: failed to load object '/etc/xdpfw/xdpfw_kern.o'
Jul 24 18:45:17 DietPi xdpfw[782]: Error loading XDP program. File => /etc/xdpfw/xdpfw_kern.o. Error => Function not implemented. Error Num => -38
Jul 24 18:45:17 DietPi xdpfw[782]: Error loading eBPF object file. File name => /etc/xdpfw/xdpfw_kern.o.
Jul 24 18:45:17 DietPi systemd[1]: xdpfw.service: Main process exited, code=exited, status=1/FAILURE
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- An ExecStart= process belonging to unit xdpfw.service has exited.
-- 
-- The process' exit code is 'exited' and its exit status is 1.
Jul 24 18:45:17 DietPi systemd[1]: xdpfw.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- The unit xdpfw.service has entered the 'failed' state with result 'exit-code'.

...

Jul 24 18:45:18 DietPi systemd[1]: xdpfw.service: Start request repeated too quickly.
Jul 24 18:45:18 DietPi systemd[1]: xdpfw.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- The unit xdpfw.service has entered the 'failed' state with result 'exit-code'.
Jul 24 18:45:18 DietPi systemd[1]: Failed to start XDP Firewall tool..
-- Subject: A start job for unit xdpfw.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- A start job for unit xdpfw.service has finished with a failure.
-- 
-- The job identifier is 417 and the job result is failed.

https://unix.stackexchange.com/questions/467362/how-to-fix-file-service-configures-an-ip-firewall-ipaddressdeny-any-but suggests I need a custom kernel config. Here are my current settings:

# grep BPF /boot/config-5.4.43-sunxi64 
CONFIG_BPF=y
# CONFIG_BPF_SYSCALL is not set
CONFIG_IPV6_SEG6_BPF=y
CONFIG_NETFILTER_XT_MATCH_BPF=m
CONFIG_BPFILTER=y
CONFIG_BPFILTER_UMH=m
CONFIG_NET_CLS_BPF=m
CONFIG_NET_ACT_BPF=m
CONFIG_BPF_JIT=y
CONFIG_LWTUNNEL_BPF=y
CONFIG_HAVE_EBPF_JIT=y
CONFIG_TEST_BPF=m

I'll try some testing with

CONFIG_BPF_SYSCALL=y
CONFIG_CGROUP_BPF=y
CONFIG_BPF_EVENTS=y

Looks like Armbian fixed in June: https://armbian.atlassian.net/browse/AR-309

But they only release quarterly at the end of February, May, August and November, so I either need to compile myself or wait until September 1.
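The two requirements worked out in this thread are a kernel of 5.3 or newer (bounded BPF loops) and CONFIG_BPF_SYSCALL=y (without it the bpf() syscall fails with ENOSYS, errno 38, which is the "Function not implemented" libbpf reports in the journal above). The script below is an added preflight check for both; it is not part of the XDP-Firewall project. The function names, the `--live` flag and the constructed sample config files are my own, and the live mode assumes the kernel config is readable at /boot/config-$(uname -r) or /proc/config.gz.

```shell
#!/bin/sh
# Added example, not XDP-Firewall project code: preflight check for loading an
# XDP/eBPF program on a given kernel. Run with --live to inspect the running host.

# kernel_at_least VERSION MIN
# Succeeds when VERSION (e.g. "5.4.43-sunxi64") is at least MIN (e.g. "5.3").
# Only major.minor are compared; the distro suffix after '-' is ignored.
kernel_at_least() {
    ver=${1%%-*}                 # "5.4.43-sunxi64" -> "5.4.43"
    major=${ver%%.*}             # "5"
    rest=${ver#*.}               # "4.43"
    minor=${rest%%.*}            # "4"
    min_major=${2%%.*}
    min_minor=${2#*.}
    min_minor=${min_minor%%.*}   # tolerate "5.3.0" as MIN
    [ "$major" -gt "$min_major" ] ||
        { [ "$major" -eq "$min_major" ] && [ "$minor" -ge "$min_minor" ]; }
}

# config_has_bpf_syscall CONFIG_FILE
# Succeeds when the kernel config enables the bpf() syscall. A line reading
# "# CONFIG_BPF_SYSCALL is not set" (as in the 5.4.43 config above) fails.
config_has_bpf_syscall() {
    grep -qx 'CONFIG_BPF_SYSCALL=y' "$1"
}

# check_bpf_support VERSION CONFIG_FILE
# Prints one line per requirement; returns 0 only when both are satisfied.
check_bpf_support() {
    ok=0
    if kernel_at_least "$1" 5.3; then
        echo "ok:   kernel $1 >= 5.3 (bounded BPF loops available)"
    else
        echo "fail: kernel $1 < 5.3, bounded BPF loops unsupported"
        ok=1
    fi
    if config_has_bpf_syscall "$2"; then
        echo "ok:   CONFIG_BPF_SYSCALL=y"
    else
        echo "fail: CONFIG_BPF_SYSCALL not set; bpf() will return ENOSYS (errno 38)"
        ok=1
    fi
    return "$ok"
}

# make_sample_config FILE yes|no
# Writes a constructed config fragment mirroring the two states seen in this
# thread (syscall disabled on the 5.4.43 build, enabled on the 5.7.8 build).
make_sample_config() {
    if [ "$2" = yes ]; then
        printf 'CONFIG_BPF=y\nCONFIG_BPF_SYSCALL=y\nCONFIG_BPF_JIT=y\n' > "$1"
    else
        printf 'CONFIG_BPF=y\n# CONFIG_BPF_SYSCALL is not set\nCONFIG_BPF_JIT=y\n' > "$1"
    fi
}

# Live mode: check the running kernel, falling back to /proc/config.gz.
if [ "${1:-}" = "--live" ]; then
    cfg=/boot/config-$(uname -r)
    if [ ! -r "$cfg" ] && [ -r /proc/config.gz ]; then
        cfg=$(mktemp)
        zcat /proc/config.gz > "$cfg"
    fi
    check_bpf_support "$(uname -r)" "$cfg"
fi
```

Run it as `sh check_bpf.sh --live` before installing; a "fail" line on CONFIG_BPF_SYSCALL means a rebuilt kernel is needed, exactly the situation the 5.4.43-sunxi64 build above was in, while a new enough kernel with the syscall enabled (the 5.7.8-sunxi64 config) passes both checks.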

Woot! After installing Armbian from trunk (which is a wicked cool experience thanks to their awesome compile script - props!), I was able to get XDP-Firewall running:

# uname -r

5.7.8-sunxi64

# cat /etc/issue

Armbian 20.08.0-trunk Buster

# grep BPF /boot/config-5.7.8-sunxi64

CONFIG_CGROUP_BPF=y
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
# CONFIG_BPF_JIT_ALWAYS_ON is not set
CONFIG_BPF_JIT_DEFAULT_ON=y
CONFIG_IPV6_SEG6_BPF=y
CONFIG_NETFILTER_XT_MATCH_BPF=m
# CONFIG_BPFILTER is not set
# CONFIG_NET_CLS_BPF is not set
CONFIG_BPF_JIT=y
# CONFIG_BPF_STREAM_PARSER is not set
# CONFIG_LWTUNNEL_BPF is not set
CONFIG_HAVE_EBPF_JIT=y
CONFIG_TEST_BPF=m

# service xdpfw status

● xdpfw.service - XDP Firewall tool.
   Loaded: loaded (/etc/systemd/system/xdpfw.service; disabled; vendor preset: enabled)
   Active: active (running) since Fri 2020-07-24 17:53:24 MST; 3s ago
 Main PID: 3110 (xdpfw)
    Tasks: 1 (limit: 1018)
   Memory: 472.0K
   CGroup: /system.slice/xdpfw.service
           └─3110 /usr/bin/xdpfw

Jul 24 17:53:24 orangepioneplus systemd[1]: Started XDP Firewall tool..

I'm glad you got it working and thank you for all the information as well! I still plan to set up something similar just so I can gain experience, etc.