From a57469cf3b83efdc8f65681d1dc39a2bbce56e3d Mon Sep 17 00:00:00 2001
From: SinnoLn
Date: Mon, 7 Oct 2024 19:37:14 +0900
Subject: [PATCH 1/6] Enhance firewall logging for API calls and rule actions.

---
 api/restapi/handler/firewall.go | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/api/restapi/handler/firewall.go b/api/restapi/handler/firewall.go
index d090bec0f..7899694b7 100644
--- a/api/restapi/handler/firewall.go
+++ b/api/restapi/handler/firewall.go
@@ -26,7 +26,7 @@ import (
 )
 
 func ConfigPostFW(params operations.PostConfigFirewallParams) middleware.Responder {
- tk.LogIt(tk.LogDebug, "[API] Firewall %s API callded. url : %s\n", params.HTTPRequest.Method, params.HTTPRequest.URL)
+ tk.LogIt(tk.LogDebug, "[API] Firewall %s API called by IP: %s. url : %s\n", params.HTTPRequest.Method, params.HTTPRequest.RemoteAddr, params.HTTPRequest.URL)
 Opts := cmn.FwOptArg{}
 Rules := cmn.FwRuleArg{}
 FW := cmn.FwRuleMod{}
@@ -62,6 +62,15 @@ func ConfigPostFW(params operations.PostConfigFirewallParams) middleware.Respond
 FW.Rule = Rules
 FW.Opts = Opts
 
+
+ if Opts.Allow {
+ tk.LogIt(tk.LogInfo, "[FW] Allowed traffic: SrcIP: %s, DstIP: %s, Protocol: %d, SrcPortMin: %d, SrcPortMax: %d, DstPortMin: %d, DstPortMax: %d, Preference: %d, InPort: %s\n",
+ Rules.SrcIP, Rules.DstIP, Rules.Proto, Rules.SrcPortMin, Rules.SrcPortMax, Rules.DstPortMin, Rules.DstPortMax, Rules.Pref, Rules.InPort)
+ } else if Opts.Drop {
+ tk.LogIt(tk.LogInfo, "[FW] Dropped traffic: SrcIP: %s, DstIP: %s, Protocol: %d, SrcPortMin: %d, SrcPortMax: %d, DstPortMin: %d, DstPortMax: %d, Preference: %d, InPort: %s\n",
+ Rules.SrcIP, Rules.DstIP, Rules.Proto, Rules.SrcPortMin, Rules.SrcPortMax, Rules.DstPortMin, Rules.DstPortMax, Rules.Pref, Rules.InPort)
+ }
+
 fmt.Printf("FW: %v\n", FW)
 _, err := ApiHooks.NetFwRuleAdd(&FW)
 if err != nil {
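Review bot: `params.HTTPRequest.RemoteAddr` on the new `tk.LogIt` line is the TCP peer as seen by the listener (host:port), which is the right field for an audit trail because, unlike `X-Forwarded-For`, a client cannot forge it; be aware that when the API is fronted by a proxy or load balancer it records the proxy, not the client. If that deployment is supported, derive the client from a forwarded header only for connections from an allow-listed proxy, and document the choice above the line, e.g. `// RemoteAddr is the direct peer; X-Forwarded-For is not trusted here`. A firewall configuration call is an audit-relevant event, so if Debug is not enabled in production consider emitting this line at `tk.LogInfo` so the requester is captured where the rule changes are.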
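Review bot: The new `[FW] Allowed traffic` / `[FW] Dropped traffic` Info lines are emitted before `ApiHooks.NetFwRuleAdd(&FW)` runs, so the log asserts that a rule is in effect even when the add fails on the `if err != nil {` that follows (its body is outside the hunk). They also describe a rule being configured rather than traffic being allowed or dropped, which will mislead anyone correlating them with actual packet events. Suggest wording them as intent and carrying the requester, e.g. `tk.LogIt(tk.LogInfo, "[FW] Adding allow rule (from %s): SrcIP: %s, ...", params.HTTPRequest.RemoteAddr, Rules.SrcIP, ...)`, and logging the outcome after the call; a rule that is neither `Allow` nor `Drop` currently logs nothing, which matters if `FwOptArg` carries other actions. The unconditional `fmt.Printf("FW: %v\n", FW)` left above the call now duplicates this on stdout outside any log-level control and could be removed.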
@@ -71,7 +80,7 @@ func ConfigPostFW(params operations.PostConfigFirewallParams) middleware.Respond
 }
 
 func ConfigDeleteFW(params operations.DeleteConfigFirewallParams) middleware.Responder {
- tk.LogIt(tk.LogDebug, "[API] Firewall %s API callded. url : %s\n", params.HTTPRequest.Method, params.HTTPRequest.URL)
+ tk.LogIt(tk.LogDebug, "[API] Firewall %s API called by IP: %s. url : %s\n", params.HTTPRequest.Method, params.HTTPRequest.RemoteAddr, params.HTTPRequest.URL)
 Rules := cmn.FwRuleArg{}
 FW := cmn.FwRuleMod{}
 
@@ -128,11 +137,14 @@ func ConfigDeleteFW(params operations.DeleteConfigFirewallParams) middleware.Res
 return &ResultResponse{Result: "fail"}
 }
 
+ tk.LogIt(tk.LogInfo, "[FW] Deleted traffic rule: SrcIP: %s, DstIP: %s, Protocol: %d, SrcPortMin: %d, SrcPortMax: %d, DstPortMin: %d, DstPortMax: %d, Preference: %d, InPort: %s\n",
+ Rules.SrcIP, Rules.DstIP, Rules.Proto, Rules.SrcPortMin, Rules.SrcPortMax, Rules.DstPortMin, Rules.DstPortMax, Rules.Pref, Rules.InPort)
+
 return &ResultResponse{Result: "Success"}
 }
 
 func ConfigGetFW(params operations.GetConfigFirewallAllParams) middleware.Responder {
- tk.LogIt(tk.LogDebug, "[API] Firewall %s API callded. url : %s\n", params.HTTPRequest.Method, params.HTTPRequest.URL)
+ tk.LogIt(tk.LogDebug, "[API] Firewall %s API called by IP: %s. url : %s\n", params.HTTPRequest.Method, params.HTTPRequest.RemoteAddr, params.HTTPRequest.URL)
 res, _ := ApiHooks.NetFwRuleGet()
 var result []*models.FirewallEntry
 result = make([]*models.FirewallEntry, 0)
From c5c66228a7844fba884ff5c71c0249b21c4ac577 Mon Sep 17 00:00:00 2001
From: SinnoLn
Date: Tue, 8 Oct 2024 23:16:07 +0900
Subject: [PATCH 2/6] Fix typos and grammatical errors in README.md

---
 README.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 9273017bd..c0ce4f64b 100644
--- a/README.md
+++ b/README.md
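Review bot: The new `[FW] Deleted traffic rule` Info line records what was removed but not who removed it; the requester only appears on the earlier `tk.LogDebug` line, so if Debug is not enabled in production the audit trail loses the actor exactly for the event that matters. Put `params.HTTPRequest.RemoteAddr` on the same line, e.g. `tk.LogIt(tk.LogInfo, "[FW] Deleted rule (from %s): SrcIP: %s, ...", params.HTTPRequest.RemoteAddr, Rules.SrcIP, ...)`, which also drops the word `traffic` so the line is not mistaken for a packet event. The `return &ResultResponse{Result: "fail"}` just above emits no Info-level line at all, so a rejected deletion leaves no trace; its error handling starts outside the hunk, so this is worth checking there too.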
@@ -13,7 +13,7 @@ Kubernetes defines many service constructs like cluster-ip, node-port, load-bala ![LoxiLB Cover](https://github.com/loxilb-io/loxilbdocs/blob/main/docs/photos/loxilb-cover.png) -All these services are provided by load-balancers/proxies operating at Layer4/Layer7. Since Kubernetes's is highly modular, these services can be provided by different software modules. For example, kube-proxy is used by default to provide cluster-ip and node-port services. For some services like LB and Ingress, no default is usually provided. +All these services are provided by load-balancers/proxies operating at Layer4/Layer7. Since Kubernetes is highly modular, these services can be provided by different software modules. For example, kube-proxy is used by default to provide cluster-ip and node-port services. For some services like LB and Ingress, no default is usually provided. Service type load-balancer is usually provided by public cloud-provider(s) as a managed entity. But for on-prem and self-managed clusters, there are only a few good options available. Even for provider-managed K8s like EKS, there are many who would want to bring their own LB to clusters running anywhere. Additionally, Telco 5G and edge services introduce unique challenges due to the variety of exotic protocols involved, including GTP, SCTP, SRv6, SEPP, and DTLS, making seamless integration particularly challenging. loxilb provides service type load-balancer as its main use-case. loxilb can be run in-cluster or ext-to-cluster as per user need. 
@@ -46,7 +46,7 @@ Telco-cloud requires load-balancing and communication across various interfaces/ * [Multi-Node Performance](https://loxilb-io.github.io/loxilbdocs/perf-multi/) * [Performance on ARM](https://www.loxilb.io/post/running-loxilb-on-aws-graviton2-based-ec2-instance) * [Short Demo on Performance](https://www.youtube.com/watch?v=MJXcM0x6IeQ) -- Utitlizes ebpf which makes it ```flexible``` as well as ```customizable``` +- Utilizes ebpf which makes it ```flexible``` as well as ```customizable``` - Advanced ```quality of service``` for workloads (per LB, per end-point or per client) - Works with ```any``` Kubernetes distribution/CNI - k8s/k3s/k0s/kind/OpenShift + Calico/Flannel/Cilium/Weave/Multus etc - Kube-proxy replacement with loxilb allows ```simple plug-in``` with any existing/deployed pod-networking software @@ -62,7 +62,7 @@ Telco-cloud requires load-balancing and communication across various interfaces/ - High-availability support with BFD detection for hitless/maglev/cgnat clustering - Extensive and scalable end-point liveness probes for cloud-native environments - Stateful firewalling and IPSEC/Wireguard support -- Optimized implementation for features like [Conntrack](https://thermalcircle.de/doku.php?id=blog:linux:connection_tracking_1_modules_and_hooks), QoS etc +- Optimized implementation for features like [Conntrack](https://thermalcircle.de/doku.php?id=blog:linux:connection_tracking_1_modules_and_hooks), QoS, etc - Full compatibility for ipvs (ipvs policies can be auto inherited) - Policy oriented L7 proxy support - HTTP1.0, 1.1, 2.0, 3.0 
@@ -131,7 +131,7 @@ Telco-cloud requires load-balancing and communication across various interfaces/
 - [Development Roadmap](https://github.com/loxilb-io/loxilbdocs/blob/main/docs/roadmap.md)
 - [Contribute](https://github.com/loxilb-io/loxilbdocs/blob/main/docs/contribute.md)
 - [System Requirements](https://github.com/loxilb-io/loxilbdocs/blob/main/docs/requirements.md)
-- [Frequenctly Asked Questions- FAQs](https://github.com/loxilb-io/loxilbdocs/blob/main/docs/faq.md)
+- [Frequently Asked Questions- FAQs](https://github.com/loxilb-io/loxilbdocs/blob/main/docs/faq.md)
 - [Blogs](https://www.loxilb.io/blog)
 - [Demo Videos](https://www.youtube.com/@loxilb697)
 
From 03ca8944ecaca8548b6a0bd3f6e09c5452f8a7d1 Mon Sep 17 00:00:00 2001
From: Trekkie Coder
Date: Wed, 9 Oct 2024 19:38:50 +0900
Subject: [PATCH 3/6] Improvements to locking in proxy threads

---
 loxilb-ebpf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/loxilb-ebpf b/loxilb-ebpf
index 69240d58a..75e909b7a 160000
--- a/loxilb-ebpf
+++ b/loxilb-ebpf
@@ -1 +1 @@
-Subproject commit 69240d58a1732d4326bee7d0841c083ff5170079
+Subproject commit 75e909b7a32c55f9c9f16db650058c4658c3a993
From beb387b47703abc362f1fbf671bab1a12de56e6a Mon Sep 17 00:00:00 2001
From: Trekkie Coder
Date: Thu, 10 Oct 2024 21:51:26 +0900
Subject: [PATCH 4/6] Improvements to scalability in proxy implementation

---
 loxilb-ebpf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/loxilb-ebpf b/loxilb-ebpf
index 75e909b7a..7bca92d85 160000
--- a/loxilb-ebpf
+++ b/loxilb-ebpf
@@ -1 +1 @@
-Subproject commit 75e909b7a32c55f9c9f16db650058c4658c3a993
+Subproject commit 7bca92d858292dfe82ec45036f135dcda870ca9a
From 27bb05ba737d3832bfa79c38e68cb0e27b0598ef Mon Sep 17 00:00:00 2001
From: Trekkie Coder
Date: Mon, 14 Oct 2024 00:09:51 +0900
Subject: [PATCH 5/6] chore:Updated Dockerfile to include k8s crd manpulation scripts

---
 Dockerfile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 86b5d1b5b..1482bb3d0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -87,8 +87,10 @@ ARG DEBIAN_FRONTEND=noninteractive
 ENV PATH="${PATH}:/usr/local/go/bin"
 ENV LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:/usr/lib64/"
 
-RUN apt-get update && apt-get install -y --no-install-recommends sudo \
+RUN apt-get update && apt-get install -y --no-install-recommends sudo wget \
 libbsd-dev iproute2 tcpdump bridge-utils net-tools libllvm10 ca-certificates && \
+ wget https://raw.githubusercontent.com/loxilb-io/tools/refs/heads/main/k8s/mkllb-url.sh && \
+ chmod +x mkllb-url.sh && mv mkllb-url.sh /usr/local/sbin/mkllb-url && \
 rm -rf /var/lib/apt/lists/* && apt clean
 
 COPY --from=build /usr/lib64/libbpf* /usr/lib64/
From 20da6e1979b23c443cea014f0e858e9429def03f Mon Sep 17 00:00:00 2001
From: Trekkie Coder
Date: Mon, 14 Oct 2024 18:59:11 +0900
Subject: [PATCH 6/6] chore:Updated Dockerfile to include k8s crd manpulation scripts

---
 Dockerfile | 10 +++++----
 tools/k8s/mkllb-url | 54 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+), 4 deletions(-)
 create mode 100755 tools/k8s/mkllb-url

diff --git a/Dockerfile b/Dockerfile
index 1482bb3d0..78b81df5f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,9 +10,11 @@ ARG TAG=main
 ENV PATH="${PATH}:/usr/local/go/bin"
 ENV LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:/usr/lib64/"
 
+RUN mkdir -p /root/loxilb-io/loxilb
+COPY . /root/loxilb-io/loxilb/
+
 # Install loxilb related packages
 RUN mkdir -p /opt/loxilb && \
- mkdir -p /root/loxilb-io/loxilb/ && \
 mkdir -p /usr/lib64/ && \
 mkdir -p /opt/loxilb/cert/ && \
 mkdir -p /etc/loxilb/certs/ && \
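Review bot: The added `wget https://raw.githubusercontent.com/loxilb-io/tools/refs/heads/main/k8s/mkllb-url.sh` pulls an unpinned script from a moving branch at build time and installs it executable into `/usr/local/sbin` with no integrity check, so the image content depends on whatever that branch holds on the day of the build, and a compromise of that repository or branch lands directly in the runtime image. PATCH 6/6 of this series removes the download in favour of a `COPY` from the build context, which is the right fix; if this commit is kept as a separate step in history, pin the URL to a commit SHA and verify the digest before `chmod +x`, e.g. `echo "<expected-sha256>  mkllb-url.sh" | sha256sum -c -`. Squashing the two Dockerfile commits would avoid leaving a known-bad intermediate state that `git bisect` or a revert could land on.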
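Review bot: `COPY . /root/loxilb-io/loxilb/` copies the whole build context into the build stage; unless a `.dockerignore` (not visible here) excludes them, local build artifacts, credentials or certificates lying around in the checkout end up in build-stage layers and the build cache, and any file change invalidates every later layer. Because the later `RUN` in this file still runs `git fetch --all --tags && git checkout $TAG` on the copied tree (outside this hunk), the context must also contain `.git` and an initialized `loxilb-ebpf` submodule or the build fails. Suggest a `.dockerignore` that admits only what the build needs, plus a comment above the line stating the precondition, e.g. `# Build from the local checkout; the context must include .git and the loxilb-ebpf submodule`.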
@@ -45,11 +47,12 @@ RUN mkdir -p /opt/loxilb && \
 make && cp ./loxicmd /usr/local/sbin/loxicmd && cd - && rm -fr loxicmd && \
 /usr/local/sbin/loxicmd completion bash > /etc/bash_completion.d/loxi_completion && \
 # Install loxilb
- git clone --recurse-submodules https://github.com/loxilb-io/loxilb /root/loxilb-io/loxilb/ && \
+ # git clone --recurse-submodules https://github.com/loxilb-io/loxilb /root/loxilb-io/loxilb/ && \
 cd /root/loxilb-io/loxilb/ && git fetch --all --tags && git checkout $TAG && \
 cd loxilb-ebpf && git fetch --all --tags && git checkout $TAG && cd .. \
 go get . && if [ "$arch" = "arm64" ] ; then DOCKER_BUILDX_ARM64=true make; \
 else make ;fi && cp loxilb-ebpf/utils/mkllb_bpffs.sh /usr/local/sbin/mkllb_bpffs && \
+ cp tools/k8s/mkllb-url /usr/local/sbin/mkllb-url && \
 cp loxilb-ebpf/utils/mkllb_cgroup.sh /usr/local/sbin/mkllb_cgroup && \
 cp /root/loxilb-io/loxilb/loxilb-ebpf/kernel/loxilb_dp_debug /usr/local/sbin/loxilb_dp_debug && \
 cp /root/loxilb-io/loxilb/loxilb /usr/local/sbin/loxilb && \
@@ -89,14 +92,13 @@ ENV LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:/usr/lib64/"
 
 RUN apt-get update && apt-get install -y --no-install-recommends sudo wget \
 libbsd-dev iproute2 tcpdump bridge-utils net-tools libllvm10 ca-certificates && \
- wget https://raw.githubusercontent.com/loxilb-io/tools/refs/heads/main/k8s/mkllb-url.sh && \
- chmod +x mkllb-url.sh && mv mkllb-url.sh /usr/local/sbin/mkllb-url && \
 rm -rf /var/lib/apt/lists/* && apt clean
 
 COPY --from=build /usr/lib64/libbpf* /usr/lib64/
 COPY --from=build /usr/local/build/lib/* /usr/lib64
 COPY --from=build /usr/local/go/bin /usr/local/go/bin
 COPY --from=build /usr/local/sbin/mkllb_bpffs /usr/local/sbin/mkllb_bpffs
+COPY --from=build /usr/local/sbin/mkllb-url /usr/local/sbin/mkllb-url
 COPY --from=build /usr/local/sbin/mkllb_cgroup /usr/local/sbin/mkllb_cgroup
 COPY --from=build /usr/local/sbin/loxilb_dp_debug /usr/local/sbin/loxilb_dp_debug
 COPY --from=build /usr/local/sbin/loxicmd /usr/local/sbin/loxicmd
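Review bot: The clone is commented out (`+ # git clone ...`) rather than deleted, leaving dead text in the `RUN`, while the next line still runs `cd /root/loxilb-io/loxilb/ && git fetch --all --tags && git checkout $TAG` on the tree that `COPY .` brought in; so whatever is in the build context is reset to `$TAG`, local modifications are not what gets built, and the step still needs network access to the remote, which is presumably not the intent of switching to a context copy. Either drop the fetch/checkout when building from the context, or keep the clone and drop the `COPY`, and remove the commented line in both cases. Separately, the context line `cd loxilb-ebpf && git fetch --all --tags && git checkout $TAG && cd .. \` has no `&&` before the following `go get .`, so after line joining `go get .` becomes extra arguments to `cd` rather than a command; worth confirming, since the `RUN` starts before this hunk.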
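Review bot: `wget` is still installed in the runtime stage on `RUN apt-get update && apt-get install -y --no-install-recommends sudo wget \` even though its only consumer, the `wget ... mkllb-url.sh` step, is removed by this hunk; an unused download tool in a network-appliance image is avoidable attack surface and size. Revert the package list to `RUN apt-get update && apt-get install -y --no-install-recommends sudo \`. The new `COPY --from=build /usr/local/sbin/mkllb-url /usr/local/sbin/mkllb-url` should carry the executable bit over from the build stage, where it was set by `cp` from a file committed with mode 100755; a quick `ls -l` in the built image would confirm.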
diff --git a/tools/k8s/mkllb-url b/tools/k8s/mkllb-url
new file mode 100755
index 000000000..6e0c0a279
--- /dev/null
+++ b/tools/k8s/mkllb-url
@@ -0,0 +1,54 @@
+#!/bin/bash
+
+usage() {
+ echo "Usage: $0 -a -z -t "
+ echo " $0 -a -z -t -d"
+}
+
+if [[ $# -gt 7 ]] || [[ $# -lt 6 ]]; then
+ usage
+ exit
+fi
+
+if [[ ! -f /usr/local/sbin/kubectl ]]; then
+ apt-get update && apt-get install -y curl
+ curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+ chmod +x kubectl
+ sudo mv kubectl /usr/local/sbin/kubectl
+fi
+
+addr=""
+zone="llb"
+utype="default"
+cmd="apply"
+
+while getopts a:z:t:x opt
+do
+ case "${opt}" in
+ a) addr=${OPTARG};;
+ z) zone=${OPTARG};;
+ t) utype=${OPTARG};;
+ x) cmd="delete";;
+ ?) usage;exit;;
+ esac
+done
+
+echo "============"
+echo "Applying CRD"
+echo "============"
+echo addr $addr
+echo zone $zone
+echo utype $utype
+echo cmd $cmd
+echo "============"
+
+cat <