git.bitcoin.ninja Git - flowspec-xdp/log
Matt Corallo [Mon, 17 Jun 2024 18:10:21 +0000 (18:10 +0000)]
Simplify siphash as we always have a round number of 64-bit words
Matt Corallo [Mon, 17 Jun 2024 06:34:35 +0000 (06:34 +0000)]
Allow environment variables to override clang/LLVM paths
Matt Corallo [Mon, 17 Jun 2024 06:27:11 +0000 (06:27 +0000)]
Use common per-source lookup between v4 and v6/64
Since v4 has 32 bits of slack in the struct anyway, we might as
well just make it a u64 and unify the codepaths.
Matt Corallo [Mon, 17 Jun 2024 05:34:43 +0000 (05:34 +0000)]
Correct daddr gt handling in RuleNode::__lt__
Matt Corallo [Sun, 16 Jun 2024 02:49:16 +0000 (02:49 +0000)]
Use -Oz rather than -O3, which seems more robust
Matt Corallo [Sun, 16 Jun 2024 02:42:27 +0000 (02:42 +0000)]
Avoid incomparable assertion when using mixed src/no-src rules
Matt Corallo [Sun, 16 Jun 2024 00:52:58 +0000 (00:52 +0000)]
Remove extra shift in per_pkt_ns for readability
Having a shift in one place and unshift in a totally different file
is confusing.
Matt Corallo [Sun, 16 Jun 2024 00:52:37 +0000 (00:52 +0000)]
Correct three bugs in the rate limiter.
* We should be dividing by the packet size, not multiplying, as we
should be crediting fewer packets for larger packets, not more.
* We should handle the packet count underflowing as it may have
been some time since the last packet.
* The bucket limit needs to be `<= 0xd00`, not `< 0xf00`, as
`0xf00` + `0x100` overflows our counter and resets the bucket.
Matt Corallo [Sat, 15 Jun 2024 22:31:14 +0000 (22:31 +0000)]
Add additional comments explaining how the rate limiter works
Matt Corallo [Sat, 15 Jun 2024 21:32:45 +0000 (21:32 +0000)]
Prefer existing src buckets even if others timed out
If we have some timed-out buckets in a source-based ratelimit,
we'll use those even if a later bucket is already storing the
counter for the source of the current packet. This is obviously
busted, so don't do that.
Matt Corallo [Sat, 15 Jun 2024 15:31:48 +0000 (15:31 +0000)]
Clarify what collision_prob is calculating for users
Matt Corallo [Fri, 10 Dec 2021 01:39:12 +0000 (01:39 +0000)]
Stop dumping match count before update, users can get it if they want
Matt Corallo [Thu, 9 Dec 2021 22:51:51 +0000 (22:51 +0000)]
Partially implement sorting
Matt Corallo [Thu, 9 Dec 2021 21:14:52 +0000 (21:14 +0000)]
Combine redundant rule conditions to work around LLVM bug 52455 fully
This adds a trivial optimization pass to combine redundant rule
conditions in back-to-back rules before printing them.
Matt Corallo [Thu, 9 Dec 2021 00:44:57 +0000 (00:44 +0000)]
Make dropcount not stupid slow
Matt Corallo [Wed, 8 Dec 2021 20:14:50 +0000 (20:14 +0000)]
Use best instruction set that the local kernel supports
Matt Corallo [Wed, 8 Dec 2021 19:29:09 +0000 (19:29 +0000)]
Place source-address checks last to work around LLVM bug 52455
Matt Corallo [Wed, 27 Oct 2021 23:58:21 +0000 (23:58 +0000)]
Move ratelimits into map lookup fn to reduce BPF verifier instructions
Matt Corallo [Sat, 23 Oct 2021 19:53:46 +0000 (19:53 +0000)]
Use a single command to install xdp instead of remove+add
Matt Corallo [Sat, 23 Oct 2021 17:34:00 +0000 (17:34 +0000)]
Avoid inlining siphash globally to avoid hitting BPF instruction limits
Matt Corallo [Sat, 23 Oct 2021 16:10:20 +0000 (16:10 +0000)]
Fix/better handling of no-stats-tracking rules
Matt Corallo [Sun, 10 Oct 2021 17:16:50 +0000 (17:16 +0000)]
Reduce bash CPU time for high-core-count machines in dropcount.sh
Matt Corallo [Tue, 14 Sep 2021 19:04:04 +0000 (19:04 +0000)]
Double hashtable bucket size, halve parallelism.
256-way parallelism should suffice for most use-cases, but 16-entry
buckets should allow for much lower collisions than 8-entry buckets.
This also adds calculation for hash table collision.
Matt Corallo [Tue, 14 Sep 2021 18:02:47 +0000 (18:02 +0000)]
Reuse hash table bucket entries if they're stale 32+ seconds
Matt Corallo [Thu, 10 Jun 2021 22:47:53 +0000 (22:47 +0000)]
Rate limit by hard-coded 16-packet leaky bucket with less storage
Matt Corallo [Thu, 10 Jun 2021 15:35:31 +0000 (15:35 +0000)]
Optimize per-src v6 matching on <= /64s to avoid always storing 4 0-bytes
Matt Corallo [Thu, 10 Jun 2021 14:43:09 +0000 (14:43 +0000)]
Now that mem is more compact, bump max tracked src IPs to 1M
Also bump parallelism on maps to 512
Matt Corallo [Thu, 10 Jun 2021 03:43:02 +0000 (03:43 +0000)]
Rewrite per-source ratelimiting rules to use a custom hashtable
The in-kernel hashtable isn't at all fancy, and we can just use a
custom one to get basically the same outcomes, with much less
overhead due to the per-CPU stuff we have to do to get sensible
multicore access rules.
Matt Corallo [Thu, 10 Jun 2021 03:29:45 +0000 (03:29 +0000)]
Use a common function in test and test building in XDP mode as well
Matt Corallo [Sat, 29 May 2021 23:01:01 +0000 (23:01 +0000)]
Check in siphash
Matt Corallo [Tue, 25 May 2021 19:19:54 +0000 (19:19 +0000)]
Drop union in rate limiting struct that is just confusing
Matt Corallo [Tue, 25 May 2021 03:07:17 +0000 (03:07 +0000)]
Use BPF_F_NO_COMMON_LRU on BPF_MAP_TYPE_LRU_PERCPU_HASH maps
Matt Corallo [Tue, 25 May 2021 03:06:53 +0000 (03:06 +0000)]
Drop ports_valid flag, it just wastes a register
Matt Corallo [Thu, 20 May 2021 14:26:41 +0000 (14:26 +0000)]
Satisfy BPF verifier with ports which it can't prove are init'd values
Matt Corallo [Tue, 18 May 2021 15:13:00 +0000 (15:13 +0000)]
Fix fragment parsing due to further `,` overload confusion.
Ondrej said "No, fragmentation-type is just a variant of bitmask."
Matt Corallo [Tue, 18 May 2021 00:37:14 +0000 (00:37 +0000)]
Pull hash table size limit from extended community byte, up to 256k
Matt Corallo [Mon, 17 May 2021 17:24:13 +0000 (17:24 +0000)]
Properly parse bitmask-match `,`s, which are AND, though it is not documented
Matt Corallo [Mon, 17 May 2021 17:09:17 +0000 (17:09 +0000)]
Only increment match on ratelimits when we reach the limit
Matt Corallo [Mon, 17 May 2021 16:38:55 +0000 (16:38 +0000)]
Add per-source ratelimit support
Matt Corallo [Mon, 17 May 2021 16:38:33 +0000 (16:38 +0000)]
Fix some casting required in mask/endian calculation
Matt Corallo [Tue, 11 May 2021 23:36:00 +0000 (23:36 +0000)]
Fix checksum offset calculation
Matt Corallo [Tue, 11 May 2021 21:00:12 +0000 (21:00 +0000)]
Support a wrapper XDP prog which can call the defined xdp_drop meth
Matt Corallo [Fri, 9 Apr 2021 17:29:11 +0000 (13:29 -0400)]
Handle packet rate limits, too
Matt Corallo [Fri, 9 Apr 2021 16:48:59 +0000 (12:48 -0400)]
Default to parse-options because some people like `ping -R`
Matt Corallo [Wed, 7 Apr 2021 19:36:40 +0000 (15:36 -0400)]
Track both packet count and packet sizes in drop counts.
Matt Corallo [Wed, 7 Apr 2021 19:27:25 +0000 (15:27 -0400)]
Update README to note lack of sorting.
Matt Corallo [Tue, 6 Apr 2021 03:59:52 +0000 (23:59 -0400)]
Update README
Matt Corallo [Tue, 6 Apr 2021 14:05:07 +0000 (10:05 -0400)]
Less efficient, but much, much less naive rate-limiter
Matt Corallo [Tue, 6 Apr 2021 02:40:24 +0000 (22:40 -0400)]
Support ratelimiting communities
Matt Corallo [Mon, 5 Apr 2021 23:30:55 +0000 (19:30 -0400)]
Implement (only manually-tested) flowspec community detection except ratelimit
Matt Corallo [Mon, 5 Apr 2021 16:29:15 +0000 (12:29 -0400)]
Total across loaded interfaces
Matt Corallo [Mon, 5 Apr 2021 03:18:48 +0000 (23:18 -0400)]
Simplify and (correctly) test DSCP matches
Matt Corallo [Sun, 4 Apr 2021 20:55:30 +0000 (16:55 -0400)]
Track and print rule source in drop prints
Matt Corallo [Sun, 4 Apr 2021 20:46:04 +0000 (16:46 -0400)]
Track ports valid directly - as LLVM will | pointers which BPF won't allow
Matt Corallo [Sun, 4 Apr 2021 20:31:34 +0000 (16:31 -0400)]
Help the BPF verifier somewhat by splitting v4 and v6 rules
Matt Corallo [Sun, 4 Apr 2021 18:19:06 +0000 (14:19 -0400)]
Clean up length checks with a macro and comment strange semantics
Matt Corallo [Sun, 4 Apr 2021 17:30:31 +0000 (13:30 -0400)]
Support multi-if map dump and fix last element print
Matt Corallo [Sun, 4 Apr 2021 17:15:06 +0000 (13:15 -0400)]
Print diagnostics about install location
Matt Corallo [Sun, 4 Apr 2021 17:14:08 +0000 (13:14 -0400)]
Correct second-frag L4 matching
Matt Corallo [Sun, 4 Apr 2021 16:42:55 +0000 (12:42 -0400)]
Add README
Matt Corallo [Sun, 4 Apr 2021 16:46:28 +0000 (12:46 -0400)]
Improve drop count printing
Matt Corallo [Sun, 4 Apr 2021 15:54:59 +0000 (11:54 -0400)]
Update (and test) AST grammar based on feedback
Matt Corallo [Sun, 4 Apr 2021 02:14:43 +0000 (22:14 -0400)]
Add default installer script
Matt Corallo [Sun, 4 Apr 2021 01:43:17 +0000 (21:43 -0400)]
Track drops
Matt Corallo [Sun, 4 Apr 2021 00:00:51 +0000 (20:00 -0400)]
Make v6 frag parsing optional
Matt Corallo [Sat, 3 Apr 2021 22:09:57 +0000 (18:09 -0400)]
Only parse v4/v6 if we have relevant rules for them
Matt Corallo [Sat, 3 Apr 2021 22:08:01 +0000 (18:08 -0400)]
Improve arg parsing somewhat and add flexibility/standardness
Matt Corallo [Sat, 3 Apr 2021 21:57:16 +0000 (17:57 -0400)]
Tag short packets as unlikely
Matt Corallo [Sat, 3 Apr 2021 20:41:41 +0000 (16:41 -0400)]
Support v6 fragment parsing
Matt Corallo [Sat, 3 Apr 2021 04:07:27 +0000 (00:07 -0400)]
Initial checkin