Remove ebpf, add tun write implementation

.github/workflows/test_and_deploy.yml

@@ -19,10 +19,7 @@ jobs:
         run: sudo apt update && sudo apt upgrade
 
       - name: Install build tools
-        run: sudo apt install -y make wget llvm clang gcc git npm gulp libbpf-dev libpam0g-dev
-
-      - name: Link correct asm headers
-        run: sudo ln -s /usr/include/$(uname -m)-linux-gnu/asm /usr/include/asm
+        run: sudo apt install -y make git npm gulp libpam0g-dev
 
       - name: build
         run: make release

Makefile

@@ -9,17 +9,14 @@ GID=$(shell id -g)
 goonly:
 	go build -ldflags="$(LDFLAGS)"
 
-debug: .generate_ebpf  .build_ui
+debug:  .build_ui
 	go build -ldflags="$(LDFLAGS)"
 
-release: .generate_ebpf .build_ui
+release: .build_ui
 	go build -ldflags="$(LDFLAGS_RELEASE)"
 
 docker:
 	sudo docker run -u "$(ID):$(GID)" --rm -t -v `pwd`:/wag wag_builder
 
-.generate_ebpf:
-	BPF_CLANG=clang BPF_CFLAGS='-O2 -g -Wall -Werror' go generate ./internal/...
-
 .build_ui:
 	cd ui/src; npm install; gulp build

README.md

@@ -50,7 +50,7 @@ sudo ./wag gen-config
 sudo ./wag start -config <generated_config_name>
 ```
 
-From source (will require `go1.19`, `npm`, `gulp`, `clang`, `llvm-strip`, `libbpf`):  
+From source (will require `go1.19`, `npm`, `gulp`):  
 ```
 git clone git@github.com:NHAS/wag.git
 cd wag
@@ -549,9 +549,7 @@ Example:
 
 # Limitations
 - Only supports clients with one `AllowedIP`, which is perfect for site to site, or client -> server based architecture.  
-- IPv4 only.
-- Linux only
-- Very Modern kernel 5.9+ at least (>5.9 allows loops in ebpf and `bpf_link`)
+- Primarily Linux only but windows may work with some effort
 
 
 # Development 
@@ -579,8 +577,6 @@ cd internal/router
 sudo go test -v .
 ```
 
-Sudo is required to load the eBPF program into the kernel.
-
 ## Building a release
 
 

adminui/src/vendor/bootstrap/scss/_reboot.scss

@@ -30,7 +30,6 @@ html {
 }
 
 // Shim for "new" HTML5 structural elements to display correctly (IE10, older browsers)
-// TODO: remove in v5
 // stylelint-disable-next-line selector-list-comma-newline-after
 article, aside, figcaption, figure, footer, header, hgroup, main, nav, section {
   display: block;

commands/start.go

@@ -18,7 +18,6 @@ import (
 
 	"github.com/NHAS/wag/internal/router"
 	"github.com/NHAS/wag/pkg/control/server"
-	"golang.org/x/sys/unix"
 )
 
 type start struct {
@@ -64,33 +63,14 @@ func (g *start) Check() error {
 		}
 	})
 
-	// Taken from: https://github.com/cilium/ebpf/blob/9444f0c545e0bda2f3db40bdaf69381df9f51af4/internal/version.go
-	var uname unix.Utsname
-	err := unix.Uname(&uname)
-	if err != nil {
-		return errors.New("could not get kernel version: " + err.Error())
-	}
-
-	kernelVersion := unix.ByteSliceToString(uname.Release[:])
-
-	var major, minor, patch uint16
-	n, _ := fmt.Sscanf(kernelVersion, "%d.%d.%d", &major, &minor, &patch)
-	if n < 2 {
-		return errors.New("this kernel version did not conform to kernel version format: " + kernelVersion)
-	}
-
-	if major < 5 || major == 5 && minor < 9 {
-		return errors.New("kernel is too old(" + kernelVersion + "), wag requires kernel version > 5.9")
-	}
-
 	if g.clusterJoinToken == "" {
-		err = config.Load(g.config)
+		err := config.Load(g.config)
 		if err != nil {
 			return err
 		}
 	}
 
-	err = data.Load(config.Values.DatabaseLocation, g.clusterJoinToken, false)
+	err := data.Load(config.Values.DatabaseLocation, g.clusterJoinToken, false)
 	if err != nil {
 		return fmt.Errorf("cannot load database: %v", err)
 	}

commands/version.go

@@ -73,14 +73,8 @@ func (g *version) Run() error {
 			return err
 		}
 
-		hash, err := ctl.GetBPFVersion()
-		if err != nil {
-			return err
-		}
-
 		fmt.Println("remote")
 		fmt.Println("Version:", ver)
-		fmt.Println("Hash:", hash)
 		return nil
 	}
 

internal/router/wireguard.go

@@ -36,16 +36,19 @@ type Wrapper struct {
 	// closed signals poll (by closing) when the device is closed.
 	closed chan struct{}
 
+	fw *Firewall
+
 	closeOnce sync.Once
 }
 
-func NewWrap(tdev tun.Device) *Wrapper {
+func NewWrap(tdev tun.Device, fw *Firewall) *Wrapper {
 	w := &Wrapper{
 		Device: tdev,
 		closed: make(chan struct{}),
 
 		eventsUpDown: make(chan tun.Event),
 		eventsOther:  make(chan tun.Event),
+		fw:           fw,
 	}
 
 	go w.pumpEvents()
@@ -104,6 +107,7 @@ func (t *Wrapper) Close() error {
 	return err
 }
 
+// Read from the OS tun device
 func (t *Wrapper) Read(buffs [][]byte, sizes []int, offset int) (int, error) {
 
 	p := parsedPacketPool.Get().(*packet.Parsed)
@@ -126,6 +130,7 @@ func (t *Wrapper) Read(buffs [][]byte, sizes []int, offset int) (int, error) {
 	return n, err
 }
 
+// Write to the OS tun device i.e going from wireguard peer -> real world
 func (t *Wrapper) Write(buffs [][]byte, offset int) (int, error) {
 
 	p := parsedPacketPool.Get().(*packet.Parsed)
@@ -135,10 +140,10 @@ func (t *Wrapper) Write(buffs [][]byte, offset int) (int, error) {
 	for _, buff := range buffs {
 		p.Decode(buff[offset:])
 
-		// if globalFirewall.Evaluate(p.Src, p.Dst, uint16(p.IPProto)) {
-		// 	buffs[i] = buff
-		// 	i++
-		// }
+		if t.fw.Evaluate(p.Src, p.Dst, uint16(p.IPProto)) {
+			buffs[i] = buff
+			i++
+		}
 	}
 
 	buffs = buffs[:i]
@@ -220,7 +225,7 @@ func (f *Firewall) setupWireguard() error {
 		return fmt.Errorf("UAPI listen error: %v", err)
 	}
 
-	tdev = NewWrap(tdev)
+	tdev = NewWrap(tdev, f)
 	device := device.NewDevice(tdev, conn.NewDefaultBind(), logger)
 	device.SetEventHandler(f.endpointChange)