{"id":20446963,"url":"https://github.com/r-caamano/zfw","last_synced_at":"2025-05-08T19:36:34.521Z","repository":{"id":164473603,"uuid":"639215911","full_name":"r-caamano/zfw","owner":"r-caamano","description":"An ebpf based firewall for openziti edge-routers/tunnelers","archived":false,"fork":false,"pushed_at":"2024-02-27T17:37:33.000Z","size":373,"stargazers_count":19,"open_issues_count":1,"forks_count":2,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-02-27T18:47:40.912Z","etag":null,"topics":["ebpf","firewall","linux-kernel","openziti","packet-filtering","packet-redirect","tc","tc-ebpf","traffic-control","xdp"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/r-caamano.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2023-05-11T02:27:55.000Z","updated_at":"2024-02-20T13:48:25.000Z","dependencies_parsed_at":null,"dependency_job_id":"fe9d1698-fc6f-4faa-8dc7-3b5c1b068c59","html_url":"https://github.com/r-caamano/zfw","commit_stats":null,"previous_names":[],"tags_count":48,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/r-caamano%2Fzfw","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/r-caamano%2Fzfw/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/r-caamano%2Fzfw/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/r-caamano%2Fzfw/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/r-caamano","down
load_url":"https://codeload.github.com/r-caamano/zfw/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224764250,"owners_count":17365885,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ebpf","firewall","linux-kernel","openziti","packet-filtering","packet-redirect","tc","tc-ebpf","traffic-control","xdp"],"created_at":"2024-11-15T10:23:55.431Z","updated_at":"2024-11-15T10:23:56.053Z","avatar_url":"https://github.com/r-caamano.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ARCHIVED\n## All further development moved to https://github.com/netfoundry/zfw\n\n\n# Introduction\n\n--- \nThis firewall application utilizes both tc-ebpf and xdp to provide stateful firewalling\nfor an [OpenZiti](https://docs.openziti.io/) ziti-edge-tunnel installation and is meant as a replacement for packet\nfiltering.  It can be used in conjunction with ufw's masquerade feature on a Wan facing interface if\nthe zfw_outbound_track.o is activated in the egress direction. It can also be used in conjunction with OpenZiti\nedge-routers.\n\n\n## Build\n\n[To build / install zfw from source. Click here!](./BUILD.md)\n\n## Ziti-Edge-Tunnel Deployment \n\nThe program is designed to be deployed as systemd services if deployed via .deb package with\nan existing ziti-edge-tunnel(v22.5 +) installation on Ubuntu 22.04(amd64/arm64)service installation. 
If you don't currently\nhave ziti-edge-tunnel installed and an operational OpenZiti network built, follow these \n[instructions](https://docs.openziti.io/docs/guides/Local_Gateway/EdgeTunnel).\n\n\n- Install\n  ubuntu 22.04 only (binary deb package)\n```\nsudo dpkg -i zfw-tunnel_\u003cver\u003e_\u003carch\u003e.deb\n```\nInstall from source ubuntu 22.04+ / Debian 12\n[build / install zfw from source](./BUILD.md)\n\n## Ziti-Router Deployment\n\nThe program is designed to be integrated into an existing OpenZiti ziti-router installation if ziti router has been deployed via ziti_auto_enroll\n [instructions](https://docs.openziti.io/docs/guides/Local_Gateway/EdgeRouter). \n\n- Install\n  ubuntu 22.04 only (binary deb package)\n```\nsudo dpkg -i zfw-router_\u003cver\u003e_\u003carch\u003e.deb\n```\nInstall from source ubuntu 22.04+ / Debian 12\n[build / install zfw from source](./BUILD.md)\n\n**The following instructions pertain to both zfw-tunnel and zfw-router. Platform specific functions will be noted explicitly**\n\nPackage files will be installed in the following directories.\n```\n/etc/systemd/system \u003csystemd service files\u003e  \n/usr/sbin \u003csymbolic link to zfw executable\u003e\n/opt/openziti/etc : \u003cconfig files\u003e \n/opt/openziti/bin : \u003cbinary executables, executable scripts, binary object files\u003e\n/opt/openziti/bin/user/: \u003cuser configured rules\u003e\n```\nConfigure:\n- Edit interfaces (zfw-tunnel) note: ziti-router will automatically add lanIf: from config.yml\n```\nsudo cp /opt/openziti/etc/ebpf_config.json.sample /opt/openziti/etc/ebpf_config.json\nsudo vi /opt/openziti/etc/ebpf_config.json\n```\n- Adding interfaces\n  Replace ens33 in line with:{\"InternalInterfaces\":[{\"Name\":\"ens33\" ,\"OutboundPassThroughTrack\": false, \"PerInterfaceRules\": false}], \"ExternalInterfaces\":[]}\n  Replace with the interface that you want to enable for ingress firewalling / openziti interception and \n  optionally ExternalInterfaces if running 
containers or other subtending devices (Described in more detail\n  later in this README.md).\n```\ni.e. ens33\n    {\"InternalInterfaces\":[{\"Name\":\"ens33\"}], \"ExternalInterfaces\":[]}\nNote if you want to add more than one add to list\n    {\"InternalInterfaces\":[{\"Name\":\"ens33\"}, {\"Name\":\"ens37\"}], \"ExternalInterfaces\":[]}\n```\n\n- Add user configured rules:\n```\nsudo cp /opt/openziti/bin/user/user_rules.sh.sample /opt/openziti/bin/user/user_rules.sh\nsudo vi /opt/openziti/bin/user/user_rules.sh\n```   \n\n- Enable services:(zfw-tunnel)\n```  \nsudo systemctl enable ziti-fw-init.service\nsudo systemctl enable ziti-wrapper.service \nsudo systemctl restart ziti-edge-tunnel.service \n```\n\n- Enable services:(zfw-router)\n```  \nsudo /opt/openziti/bin/start_ebpf_router.py \n```\n\nThe Service/Scripts will automatically configure ufw (if enabled) to hand off to ebpf on configured interface(s).  Exception is icmp\nwhich must be manually enabled if it's been disabled in ufw.  \n\n/etc/ufw/before.rules:\n```\n-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT\n```\n\nAlso to allow icmp echos to reach the ip of attached interface you would need to\nset icmp to enabled in the /opt/openziti/bin/user/user_rules.sh file i.e. 
\n```\nsudo zfw -e ens33 \nsudo systemctl restart ziti-wrapper.service \n```\n\n\nVerify running: (zfw-tunnel)\n```\nsudo zfw -L\n```\nIf running:\n```\nAssuming you are using the default address range for ziti-edge-tunnel should see output like:\n\ntarget  \tproto\torigin              destination             mapping:                \t\t\t\t                interface list                 \n--------\t-----\t-----------------\t------------------\t\t-------------------------------------------------------\t-----------------\nTUNMODE    \ttcp\t    0.0.0.0/0           100.64.0.0/10           dpts=1:65535     \tTUNMODE redirect:tun0               []\nTUNMODE    \tudp\t    0.0.0.0/0           100.64.0.0/10           dpts=1:65535     \tTUNMODE redirect:tun0               []\n```\n\nVerify running: (zfw-router)\n```\nsudo zfw -L\n```\nIf running:\n```\nAssuming no services configured yet:\n\ntarget  \tproto\torigin              \tdestination                     mapping:                \t\t\t\t interface list                 \n--------\t-----\t-----------------\t------------------\t\t-------------------------------------------------------\t-----------------\nRule Count: 0\nprefix_tuple_count: 0 / 100000\n\n```\n\nIf not running:\n```\nNot enough privileges or ebpf not enabled!\nRun as \"sudo\" with ingress tc filter [filter -X, --set-tc-filter] set on at least one interface\n\n```\nVerify running on the configured interface i.e.\n```\nsudo tc filter show dev ens33 ingress\n```   \nIf running on interface:\n```\nfilter protocol all pref 1 bpf chain 0 \nfilter protocol all pref 1 bpf chain 0 handle 0x1 zfw_tc_ingress.o:[action] direct-action not_in_hw id 26 tag e8986d00fc5c5f5a \nfilter protocol all pref 2 bpf chain 0 \nfilter protocol all pref 2 bpf chain 0 handle 0x1 zfw_tc_ingress.o:[action/1] direct-action not_in_hw id 31 tag ae5f218d80f4f200 \nfilter protocol all pref 3 bpf chain 0 \nfilter protocol all pref 3 bpf chain 0 handle 0x1 zfw_tc_ingress.o:[action/2] direct-action 
not_in_hw id 36 tag 751abd4726b3131a \nfilter protocol all pref 4 bpf chain 0 \nfilter protocol all pref 4 bpf chain 0 handle 0x1 zfw_tc_ingress.o:[action/3] direct-action not_in_hw id 41 tag 63aad9fa64a9e4d2 \nfilter protocol all pref 5 bpf chain 0 \nfilter protocol all pref 5 bpf chain 0 handle 0x1 zfw_tc_ingress.o:[action/4] direct-action not_in_hw id 46 tag 6c63760ceaa339b7 \nfilter protocol all pref 6 bpf chain 0 \nfilter protocol all pref 6 bpf chain 0 handle 0x1 zfw_tc_ingress.o:[action/5] direct-action not_in_hw id 51 tag b7573c4cb901a5da\n```    \n\nServices configured via the openziti controller for ingress on the running ziti-edge-tunnel/ziti-router identity will auto populate into\nthe firewall's inbound rule list.\n\nAlso note for zfw-tunnel xdp is enabled on the tunX interface that ziti-edge tunnel is attached to support functions like bi-directional \nip transparency which would otherwise not be possible without this firewall/wrapper.\n\nYou can verify this as follows:\n```\nsudo ip link show tun0\n```\nexpected output:\n```\n9: tun0: \u003cPOINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP\u003e mtu 1500 xdpgeneric qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 500\n    link/none \n    prog/xdp id 249 tag 06c4719358c6de42 jited  \u003cThis line will be there if exp forwarder is running\u003e\n```\n\n### Outbound External passthrough traffic\n\nThe firewall can support subtending devices for two interface scenarios i.e.\nexternal and trusted.\n\nexternal inet \u003c----\u003e (ens33)[ebpf-router](ens37) \u003c----\u003e trusted client(s)\n\nwith zfw_tc_ingress.o applied ingress on ens33 and zfw_tc_oubound_track.o applied egress on ens33 the router will\nstatefully track outbound udp and tcp connections on ens33 and allow the associated inbound traffic.  
While\nrunning in this mode it does not make sense to add ziti tproxy rules and is meant for running as a traditional fw.\nAs before, you can also create passthrough FW rules (set -t --tproxy-port to 0), which would also make sense in this mode for\nspecific internet-initiated traffic you might want to allow in.\n\nTCP:\n    If the tcp connections close gracefully then the entries will be removed upon connection closure. \n    If not, then there is a 60-minute timeout that will remove the inactive state if no traffic is seen\n    in either direction.\n\nUDP:\n    State will remain active as long as packet tuples matching SRCIP/SPORT/DSTIP/DPORT are seen in\n    either direction within 30 seconds.  If no packets are seen in either direction the state will expire.\n    If an external packet enters the interface after expiring the entry will be deleted.  If an egress\n    packet finds a matching expired state it will return the state to active.\n\nIn order to support this, per interface rule awareness was added which allows each port range within a prefix\nto match a list of connected interfaces.  On a per interface basis you can decide to honor that list or not via\na per-prefix-rules setting in the following manner via the zfw utility\n\n\n#### Two Interface config with ens33 facing internet and ens37 facing local lan\n\n```\nsudo vi /opt/openziti/etc/ebpf_config.json\n```\n```\n{\"InternalInterfaces\":[{\"Name\":\"ens37\",\"OutboundPassThroughTrack\": false, \"PerInterfaceRules\": false}],\n \"ExternalInterfaces\":[{\"Name\":\"ens33\", \"OutboundPassThroughTrack\": true, \"PerInterfaceRules\": true}]}\n```\nThe above JSON sets up ens37 to be an internal interface (No outbound tracking) and ens33 as an external interface\nwith outbound tracking (Default for External Interface).  
It also automatically runs sudo zfw -P ens33 (default for ExternalInterfaces), so ens33\nrequires -N to add inbound rules to it and will ignore rules where it is not in the interface list.\nKeys \"OutboundPassThroughTrack\" and \"PerInterfaceRules\" are shown with their default values; you only need to add them if you\nwant to change the default operation for the interface type.\n\n#### Single Interface config with ens33 facing local lan\n```\nsudo vi /opt/openziti/etc/ebpf_config.json\n```\n```\n{\"InternalInterfaces\":[{\"Name\":\"ens37\",\"OutboundPassThroughTrack\": true, \"PerInterfaceRules\": false}],\n \"ExternalInterfaces\":[]}\n```\n**Double check that your json formatting is correct since mistakes could render the firewall inoperable.**\n\nAfter editing, disable zfw and restart the ziti-edge-wrapper service\n \n(zfw-tunnel)\n```\nsudo zfw -Q\nsudo /opt/openziti/bin/start_ebpf_tunnel.py\nsudo systemctl restart ziti-edge-wrapper.service \n\n```\n\n(zfw-router)\n```\nsudo zfw -Q\nsudo systemctl restart ziti-router.service\n\n```\n\n### Ziti Edge Tunnel Bidirectional Transparency (zfw-tunnel only)\n\nIn order to allow internal tunneler connections over ziti the default operation has been set to not delete any tunX link routes. This will disable the ability to support transparency.  
There is an environmental variable ```TRANSPARENT_MODE='true'``` that can be set in the ```/opt/openziti/etc/ziti-edge-tunnel.env``` file to enable deletion of tunX routes if bi-directional transparency is required at the expense of disabling internal tunneler interception.\n\n### Supporting Internal Containers / VMs\n\nTraffic from containers like docker appears just like passthrough traffic to ZFW so you configure it the same as described above for \nnormal external pass-through traffic.\n\n### Upgrading zfw-tunnel\n```\nsudo systemctl stop ziti-wrapper.service\nsudo dpkg -i zfw-tunnel_\u003cver\u003e_\u003carch\u003e.deb\n```\nAfter updating reboot the system \n```\nsudo reboot\n```\n\n### Upgrading zfw-router\n```\nsudo dpkg -i zfw-router_\u003cver\u003e_\u003carch\u003e.deb\n```\nAfter updating reboot the system \n```\nsudo reboot\n```\n\n## Ebpf Map User Space Management\n---\n### User space manual configuration\nziti-edge-tunnel/ziti-router will automatically populate rules for configured ziti services, so the following applies only if\nyou want to configure additional rules outside of the automated ones. zfw-tunnel will also auto-populate /opt/openziti/bin/user/user_rules.sh\nwith listening ports in the config.yml.\n\n**Note the ```zfw-router_\u003cversion\u003e_\u003carch\u003e.deb``` will install an un-enabled service ```fw-init.service```. If you install the zfw-router package without an OpenZiti ziti-router installation and enable this service it will start the ebpf fw after reboot and load the commands from /opt/openziti/bin/user/user_rules.sh.  
If you later decide to install ziti-router, this service should be disabled and you should run ```/opt/openziti/bin/start_ebpf_router.py```. You will also need to manually copy /opt/openziti/etc/ebpf_config.json.sample to ebpf_config.json and edit the interface name.**\n\n**(All commands listed in this section need to be put in /opt/openziti/bin/user/user_rules.sh in order to survive reboot)**\n\n### ssh default operation\nBy default ssh is enabled to pass through to the ip address of the attached interface from any source.\nIf secondary addresses exist on the interface this will only work for the first 10.  After that you would need\nto add manual entries via ```zfw -I```. \n\nThe following command will disable the default ssh action to pass to the IP addresses of the local interface and will\nfall through to rule check instead where a more specific rule could be applied.  This is a per\ninterface setting and can be set for all interfaces except loopback.  This would need to be put in\n /opt/openziti/bin/user/user_rules.sh to survive reboot.\n\n- Disable\n```\nsudo zfw -x \u003cens33 | all\u003e\n```\n\n- Enable\n```\nsudo zfw -x \u003cens33 | all\u003e -d\n```\n\n### vrrp passthrough\n- Enable\n```\nsudo zfw --vrrp-enable \u003cens33 | all\u003e\n```\n\n- Disable\n``` \nsudo zfw --vrrp-enable \u003cens33 | all\u003e -d\n```\n\n\n### Inserting / Deleting rules\n    \nThe -t, --tproxy-port option has a dual purpose: one is to signify the tproxy port used by openziti routers in tproxy mode, and the other is to identify either local passthrough with a value of 0 or tunnel redirect mode with a value of 65535.\n\n- Example Insert\nIf you disable default ssh handling with a device interface ip of 172.16.240.1 and you want to insert a user rule with source \nfiltering that only allows source ip 10.1.1.1/32 to reach 172.16.240.1:22. 
\n\nParticularly notice -t 0 which means that matched packets will pass to the local OS stack and are not redirected to tproxy ports or tunnel interface.\n```\nsudo zfw -I -c 172.16.240.1 -m 32 -o 10.1.1.1 -n 32  -p tcp -l 22 -h 22 -t 0\n```\n    \n- Example Delete\n    \n```\nsudo zfw -D -c 172.16.240.1 -m 32 -o 10.1.1.1 -n 32  -p tcp -l 22\n```\n\n- Example: Remove all rule entries from FW\n\n```\nsudo zfw -F\n```\n\n### Debugging\n\nExample: Monitor ebpf trace messages\n\n```\nsudo zfw -M \u003cifname\u003e|all\n\n```\n  \n```\nJul 26 2023 01:42:24.108913490 : ens33 : TCP :172.16.240.139:51166[0:c:29:6a:d1:61] \u003e 192.168.1.1:5201[0:c:29:bb:24:a1] redirect ---\u003e ziti0\nJul 26 2023 01:42:24.108964534 : ziti0 : TCP :192.168.1.1:0[0:c:29:bb:24:a1] \u003e 172.16.240.139:0[0:c:29:6a:d1:61] redirect ---\u003e ens33\nJul 26 2023 01:42:24.109011595 : ziti0 : TCP :192.168.1.1:0[0:c:29:bb:24:a1] \u003e 172.16.240.139:0[0:c:29:6a:d1:61] redirect ---\u003e ens33\nJul 26 2023 01:42:24.109036999 : ziti0 : TCP :192.168.1.1:0[0:c:29:bb:24:a1] \u003e 172.16.240.139:0[0:c:29:6a:d1:61] redirect ---\u003e ens33\nJul 26 2023 01:42:24.108913490 : ens33 : TCP :172.16.240.139:51166[0:c:29:6a:d1:61] \u003e 192.168.1.1:5201[0:c:29:bb:24:a1] redirect ---\u003e ziti0\nJul 26 2023 01:42:24.108964534 : ziti0 : TCP :192.168.1.1:0[0:c:29:bb:24:a1] \u003e 172.16.240.139:0[0:c:29:6a:d1:61] redirect ---\u003e ens33\nJul 26 2023 01:42:24.109011595 : ziti0 : TCP :192.168.1.1:0[0:c:29:bb:24:a1] \u003e 172.16.240.139:0[0:c:29:6a:d1:61] redirect ---\u003e ens33\n```\n\nExample: List all rules in Firewall\n\n```\nsudo zfw -L\n```\n```\ntarget     proto    origin              destination               mapping:                                                   interface list\n------     -----    ---------------     ------------------        --------------------------------------------------------- ----------------\nTPROXY     tcp      0.0.0.0/0           10.0.0.16/28              dpts=22:22        
        TPROXY redirect 127.0.0.1:33381  [ens33,lo]\nTPROXY     tcp      0.0.0.0/0           10.0.0.16/28              dpts=30000:40000          TPROXY redirect 127.0.0.1:33381  []\nTPROXY     udp      0.0.0.0/0           172.20.1.0/24             dpts=5000:10000           TPROXY redirect 127.0.0.1:59394  []\nTPROXY     tcp      0.0.0.0/0           172.16.1.0/24             dpts=22:22                TPROXY redirect 127.0.0.1:33381  []\nTPROXY     tcp      0.0.0.0/0           172.16.1.0/24             dpts=30000:40000          TPROXY redirect 127.0.0.1:33381  []\nPASSTHRU   udp      0.0.0.0/0           192.168.3.0/24            dpts=5:7                  PASSTHRU to 192.168.3.0/24       []\nPASSTHRU   udp      10.1.1.1/32         192.168.100.100/32        dpts=50000:60000          PASSTHRU to 192.168.100.100/32   []\nPASSTHRU   tcp      10.230.40.1/32      192.168.100.100/32        dpts=60000:65535          PASSTHRU to 192.168.100.100/32   []\nTPROXY     udp      0.0.0.0/0           192.168.0.3/32            dpts=5000:10000           TPROXY redirect 127.0.0.1:59394  []\nPASSTHRU   tcp      0.0.0.0/0           192.168.100.100/32        dpts=60000:65535          PASSTHRU to 192.168.100.100/32   []\nTUNMODE    udp\t    0.0.0.0/0           100.64.0.0/10             dpts=1:65535     \t        TUNMODE redirect:tun0            []\n```\n    \n- Example: List rules in firewall for a given prefix and protocol.  
If source specific you must include -o \n  \u003corigin address or prefix\u003e -n \u003corigin prefix len\u003e\n\n```  \nsudo zfw -L -c 192.168.100.100 -m 32 -p udp\n```\n```  \ntarget     proto    origin           destination              mapping:                                                  interface list\n------     -----    --------         ------------------       --------------------------------------------------------- ------------------    \nPASSTHRU   udp      0.0.0.0/0        192.168.100.100/32       dpts=50000:60000 \t      PASSTHRU to 192.168.100.100/32     []\n```\n\n- Example: List rules in firewall for a given prefix\nUsage: zfw -L -c \u003cip dest address or prefix\u003e -m \u003cprefix len\u003e -p \u003cprotocol\u003e\n```\nsudo zfw -L -c 192.168.100.100 -m 32\n```\n```\ntarget     proto    origin           destination              mapping:                                                  interface list\n------     -----    --------         ------------------       --------------------------------------------------------- -------------------\nPASSTHRU   udp      0.0.0.0/0        192.168.100.100/32       dpts=50000:60000 \t      PASSTHRU to 192.168.100.100/32     []\nPASSTHRU   tcp      0.0.0.0/0        192.168.100.100/32       dpts=60000:65535\t      PASSTHRU to 192.168.100.100/32     []\n```\n- Example: List all interface settings\n\n```\nsudo zfw -L -E\n```\n```\nlo: 1\n--------------------------\nicmp echo               :1\nverbose                 :0\nssh disable             :0\nper interface           :0\ntc ingress filter       :0\ntc egress filter        :0\ntun mode intercept      :0\nvrrp enable             :0\n--------------------------\n\nens33: 2\n--------------------------\nicmp echo               :0\nverbose                 :0\nssh disable             :0\nper interface           :0\ntc ingress filter       :1\ntc egress filter        :1\ntun mode intercept      :1\nvrrp enable             
:1\n--------------------------\n\nens37: 3\n--------------------------\nicmp echo               :0\nverbose                 :0\nssh disable             :0\nper interface           :0\ntc ingress filter       :0\ntc egress filter        :0\ntun mode intercept      :0\nvrrp enable             :0\n--------------------------\n\ntun0: 18\n--------------------------\nverbose                 :0\ncidr                    :100.64.0.0\nmask                    :10\n--------------------------\n```\n\n- Example Detaching bpf from interface:\n\n```\nsudo zfw --set-tc-filter \u003cinterface name\u003e  --direction \u003cingress | egress\u003e --disable\n```\n\nExample: Remove all tc-ebpf on router\n\n```\nsudo zfw --disable-ebpf\n```\n```\ntc parent del : lo\ntc parent del : ens33\ntc parent del : ens37\nremoving /sys/fs/bpf/tc/globals/zt_tproxy_map\nremoving /sys/fs/bpf/tc/globals/diag_map\nremoving /sys/fs/bpf/tc/globals/ifindex_ip_map\nremoving /sys/fs/bpf/tc/globals/tuple_count_map\nremoving /sys/fs/bpf/tc/globals/prog_map\nremoving /sys/fs/bpf/tc/globals/udp_map\nremoving /sys/fs/bpf/tc//globals/matched_map\nremoving /sys/fs/bpf/tc/globals/tcp_map\n```\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fr-caamano%2Fzfw","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fr-caamano%2Fzfw","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fr-caamano%2Fzfw/lists"}