git.bitcoin.ninja Git - flowspec-xdp/log
flowspec-xdp
5 months ago: Use common per-source lookup between v4 and v6/64
Matt Corallo [Mon, 17 Jun 2024 06:27:11 +0000 (06:27 +0000)]
Use common per-source lookup between v4 and v6/64

Since v4 has 32 bits of slack in the struct anyway, we might as
well just make it a u64 and unify the codepaths.

5 months ago: Correct daddr gt handling in RuleNode::__lt__
Matt Corallo [Mon, 17 Jun 2024 05:34:43 +0000 (05:34 +0000)]
Correct daddr gt handling in RuleNode::__lt__

5 months ago: Use -Oz rather than -O3, which seems more robust
Matt Corallo [Sun, 16 Jun 2024 02:49:16 +0000 (02:49 +0000)]
Use -Oz rather than -O3, which seems more robust

5 months ago: Avoid incomparable assertion when using mixed src/no-src rules
Matt Corallo [Sun, 16 Jun 2024 02:42:27 +0000 (02:42 +0000)]
Avoid incomparable assertion when using mixed src/no-src rules

5 months ago: Remove extra shift in per_pkt_ns for readability
Matt Corallo [Sun, 16 Jun 2024 00:52:58 +0000 (00:52 +0000)]
Remove extra shift in per_pkt_ns for readability

Having a shift in one place and unshift in a totally different file
is confusing.

5 months ago: Correct three bugs in the rate limiter.
Matt Corallo [Sun, 16 Jun 2024 00:52:37 +0000 (00:52 +0000)]
Correct three bugs in the rate limiter.

 * We should be dividing by the packet size, not multiplying, as we
   should be crediting fewer packets for larger packets, not more.
 * We should handle the packet count underflowing as it may have
   been some time since the last packet.
 * The bucket limit needs to be `<= 0xd00`, not `< 0xf00`, as
   `0xf00` + `0x100` overflows our counter and resets the bucket.

5 months ago: Add additional comments explaining how the rate limiter works
Matt Corallo [Sat, 15 Jun 2024 22:31:14 +0000 (22:31 +0000)]
Add additional comments explaining how the rate limiter works

5 months ago: Prefer existing src buckets even if others timed out
Matt Corallo [Sat, 15 Jun 2024 21:32:45 +0000 (21:32 +0000)]
Prefer existing src buckets even if others timed out

If we have some timed-out buckets in a source-based ratelimit,
we'll use those even if a later bucket is already storing the
counter for the source of the current packet. This is obviously
busted, so don't do that.

5 months ago: Clarify what collision_prob is calculating for users
Matt Corallo [Sat, 15 Jun 2024 15:31:48 +0000 (15:31 +0000)]
Clarify what collision_prob is calculating for users

2 years ago: Stop dumping match count before update, users can get it if they want
Matt Corallo [Fri, 10 Dec 2021 01:39:12 +0000 (01:39 +0000)]
Stop dumping match count before update, users can get it if they want

2 years ago: Partially implement sorting
Matt Corallo [Thu, 9 Dec 2021 22:51:51 +0000 (22:51 +0000)]
Partially implement sorting

2 years ago: Combine redundant rule conditions to work around LLVM bug 52455 fully
Matt Corallo [Thu, 9 Dec 2021 21:14:52 +0000 (21:14 +0000)]
Combine redundant rule conditions to work around LLVM bug 52455 fully

This adds a trivial optimization pass to combine redundant rule
conditions in back-to-back rules before printing them.

2 years ago: Make dropcount not stupid slow
Matt Corallo [Thu, 9 Dec 2021 00:44:57 +0000 (00:44 +0000)]
Make dropcount not stupid slow

2 years ago: Use best instruction set that the local kernel supports
Matt Corallo [Wed, 8 Dec 2021 20:14:50 +0000 (20:14 +0000)]
Use best instruction set that the local kernel supports

2 years ago: Place source-address checks last to work around LLVM bug 52455
Matt Corallo [Wed, 8 Dec 2021 19:29:09 +0000 (19:29 +0000)]
Place source-address checks last to work around LLVM bug 52455

3 years ago: Move ratelimits into map lookup fn to reduce BPF verifier instructions
Matt Corallo [Wed, 27 Oct 2021 23:58:21 +0000 (23:58 +0000)]
Move ratelimits into map lookup fn to reduce BPF verifier instructions

3 years ago: Use a single command to install xdp instead of remove+add
Matt Corallo [Sat, 23 Oct 2021 19:53:46 +0000 (19:53 +0000)]
Use a single command to install xdp instead of remove+add

3 years ago: Avoid inlining siphash globally to avoid hitting BPF instruction limits
Matt Corallo [Sat, 23 Oct 2021 17:34:00 +0000 (17:34 +0000)]
Avoid inlining siphash globally to avoid hitting BPF instruction limits

3 years ago: Fix/better handling of no-stats-tracking rules
Matt Corallo [Sat, 23 Oct 2021 16:10:20 +0000 (16:10 +0000)]
Fix/better handling of no-stats-tracking rules

3 years ago: Reduce bash CPU time for high-core-count machines in dropcount.sh
Matt Corallo [Sun, 10 Oct 2021 17:16:50 +0000 (17:16 +0000)]
Reduce bash CPU time for high-core-count machines in dropcount.sh

3 years ago: Double hashtable bucket size, halve parallelism.
Matt Corallo [Tue, 14 Sep 2021 19:04:04 +0000 (19:04 +0000)]
Double hashtable bucket size, halve parallelism.

256-way parallelism should suffice for most use-cases, but 16-entry
buckets should allow for much lower collisions than 8-entry buckets.

This also adds calculation for hash table collision.

3 years ago: Reuse hash table bucket entries if they're stale 32+ seconds
Matt Corallo [Tue, 14 Sep 2021 18:02:47 +0000 (18:02 +0000)]
Reuse hash table bucket entries if they're stale 32+ seconds

3 years ago: Rate limit by hard-coded 16-packet leaky bucket with less storage
Matt Corallo [Thu, 10 Jun 2021 22:47:53 +0000 (22:47 +0000)]
Rate limit by hard-coded 16-packet leaky bucket with less storage

3 years ago: Optimize per-src v6 matching on <= /64s to avoid always storing 4 0-bytes
Matt Corallo [Thu, 10 Jun 2021 15:35:31 +0000 (15:35 +0000)]
Optimize per-src v6 matching on <= /64s to avoid always storing 4 0-bytes

3 years ago: Now that mem is more compact, bump max tracked src IPs to 1M
Matt Corallo [Thu, 10 Jun 2021 14:43:09 +0000 (14:43 +0000)]
Now that mem is more compact, bump max tracked src IPs to 1M

Also bump parallelism on maps to 512

3 years ago: Rewrite per-source ratelimiting rules to use a custom hashtable
Matt Corallo [Thu, 10 Jun 2021 03:43:02 +0000 (03:43 +0000)]
Rewrite per-source ratelimiting rules to use a custom hashtable

The in-kernel hashtable isn't at all fancy, and we can just use a
custom one to get basically the same outcomes, with much less
overhead due to the per-CPU stuff we have to do to get sensible
multicore access rules.

3 years ago: Use a common function in test and test building in XDP mode as well
Matt Corallo [Thu, 10 Jun 2021 03:29:45 +0000 (03:29 +0000)]
Use a common function in test and test building in XDP mode as well

3 years ago: Check in siphash
Matt Corallo [Sat, 29 May 2021 23:01:01 +0000 (23:01 +0000)]
Check in siphash

3 years ago: Drop union in rate limiting struct that is just confusing
Matt Corallo [Tue, 25 May 2021 19:19:54 +0000 (19:19 +0000)]
Drop union in rate limiting struct that is just confusing

3 years ago: Use BPF_F_NO_COMMON_LRU on BPF_MAP_TYPE_LRU_PERCPU_HASH maps
Matt Corallo [Tue, 25 May 2021 03:07:17 +0000 (03:07 +0000)]
Use BPF_F_NO_COMMON_LRU on BPF_MAP_TYPE_LRU_PERCPU_HASH maps

3 years ago: Drop ports_valid flag, it just wastes a register
Matt Corallo [Tue, 25 May 2021 03:06:53 +0000 (03:06 +0000)]
Drop ports_valid flag, it just wastes a register

3 years ago: Satisfy BPF verifier with ports which it can't prove are init'd values
Matt Corallo [Thu, 20 May 2021 14:26:41 +0000 (14:26 +0000)]
Satisfy BPF verifier with ports which it can't prove are init'd values

3 years ago: Fix fragment parsing due to further `,` overload confusion.
Matt Corallo [Tue, 18 May 2021 15:13:00 +0000 (15:13 +0000)]
Fix fragment parsing due to further `,` overload confusion.

Ondrej said "No, fragmentation-type is just a variant of bitmask."

3 years ago: Pull hash table size limit from extended community byte, up to 256k
Matt Corallo [Tue, 18 May 2021 00:37:14 +0000 (00:37 +0000)]
Pull hash table size limit from extended community byte, up to 256k

3 years ago: Properly parse bitmask-match `,`s, which are AND, though it is not documented
Matt Corallo [Mon, 17 May 2021 17:24:13 +0000 (17:24 +0000)]
Properly parse bitmask-match `,`s, which are AND, though it is not documented

3 years ago: Only increment match on ratelimits when we reach the limit
Matt Corallo [Mon, 17 May 2021 17:09:17 +0000 (17:09 +0000)]
Only increment match on ratelimits when we reach the limit

3 years ago: Add per-source ratelimit support
Matt Corallo [Mon, 17 May 2021 16:38:55 +0000 (16:38 +0000)]
Add per-source ratelimit support

3 years ago: Fix some casting required in mask/endian calculation
Matt Corallo [Mon, 17 May 2021 16:38:33 +0000 (16:38 +0000)]
Fix some casting required in mask/endian calculation

3 years ago: Fix checksum offset calculation
Matt Corallo [Tue, 11 May 2021 23:36:00 +0000 (23:36 +0000)]
Fix checksum offset calculation

3 years ago: Support a wrapper XDP prog which can call the defined xdp_drop meth
Matt Corallo [Tue, 11 May 2021 21:00:12 +0000 (21:00 +0000)]
Support a wrapper XDP prog which can call the defined xdp_drop meth

3 years ago: Handle packet rate limits, too
Matt Corallo [Fri, 9 Apr 2021 17:29:11 +0000 (13:29 -0400)]
Handle packet rate limits, too

3 years ago: Default to parse-options because some people like `ping -R`
Matt Corallo [Fri, 9 Apr 2021 16:48:59 +0000 (12:48 -0400)]
Default to parse-options because some people like `ping -R`

3 years ago: Track both packet count and packet sizes in drop counts.
Matt Corallo [Wed, 7 Apr 2021 19:36:40 +0000 (15:36 -0400)]
Track both packet count and packet sizes in drop counts.

3 years ago: Update README to note lack of sorting.
Matt Corallo [Wed, 7 Apr 2021 19:27:25 +0000 (15:27 -0400)]
Update README to note lack of sorting.

3 years ago: Update README
Matt Corallo [Tue, 6 Apr 2021 03:59:52 +0000 (23:59 -0400)]
Update README

3 years ago: Less efficient, but much, much less naive rate-limiter
Matt Corallo [Tue, 6 Apr 2021 14:05:07 +0000 (10:05 -0400)]
Less efficient, but much, much less naive rate-limiter

3 years ago: Support ratelimiting communities
Matt Corallo [Tue, 6 Apr 2021 02:40:24 +0000 (22:40 -0400)]
Support ratelimiting communities

3 years ago: Implement (only manually-tested) flowspec community detection except ratelimit
Matt Corallo [Mon, 5 Apr 2021 23:30:55 +0000 (19:30 -0400)]
Implement (only manually-tested) flowspec community detection except ratelimit

3 years ago: Total across loaded interfaces
Matt Corallo [Mon, 5 Apr 2021 16:29:15 +0000 (12:29 -0400)]
Total across loaded interfaces

3 years ago: Simplify and (correctly) test DSCP matches
Matt Corallo [Mon, 5 Apr 2021 03:18:48 +0000 (23:18 -0400)]
Simplify and (correctly) test DSCP matches

3 years ago: Track and print rule source in drop prints
Matt Corallo [Sun, 4 Apr 2021 20:55:30 +0000 (16:55 -0400)]
Track and print rule source in drop prints

3 years ago: Track ports valid directly - as LLVM will | pointers which BPF won't allow
Matt Corallo [Sun, 4 Apr 2021 20:46:04 +0000 (16:46 -0400)]
Track ports valid directly - as LLVM will | pointers which BPF won't allow

3 years ago: Help the BPF verifier somewhat by splitting v4 and v6 rules
Matt Corallo [Sun, 4 Apr 2021 20:31:34 +0000 (16:31 -0400)]
Help the BPF verifier somewhat by splitting v4 and v6 rules

3 years ago: Clean up length checks with a macro and comment strange semantics
Matt Corallo [Sun, 4 Apr 2021 18:19:06 +0000 (14:19 -0400)]
Clean up length checks with a macro and comment strange semantics

3 years ago: Support multi-if map dump and fix last element print
Matt Corallo [Sun, 4 Apr 2021 17:30:31 +0000 (13:30 -0400)]
Support multi-if map dump and fix last element print

3 years ago: Print diagnostics about install location
Matt Corallo [Sun, 4 Apr 2021 17:15:06 +0000 (13:15 -0400)]
Print diagnostics about install location

3 years ago: Correct second-frag L4 matching
Matt Corallo [Sun, 4 Apr 2021 17:14:08 +0000 (13:14 -0400)]
Correct second-frag L4 matching

3 years ago: Add README
Matt Corallo [Sun, 4 Apr 2021 16:42:55 +0000 (12:42 -0400)]
Add README

3 years ago: Improve drop count printing
Matt Corallo [Sun, 4 Apr 2021 16:46:28 +0000 (12:46 -0400)]
Improve drop count printing

3 years ago: Update (and test) AST grammar based on feedback
Matt Corallo [Sun, 4 Apr 2021 15:54:59 +0000 (11:54 -0400)]
Update (and test) AST grammar based on feedback

3 years ago: Add default installer script
Matt Corallo [Sun, 4 Apr 2021 02:14:43 +0000 (22:14 -0400)]
Add default installer script

3 years ago: Track drops
Matt Corallo [Sun, 4 Apr 2021 01:43:17 +0000 (21:43 -0400)]
Track drops

3 years ago: Make v6 frag parsing optional
Matt Corallo [Sun, 4 Apr 2021 00:00:51 +0000 (20:00 -0400)]
Make v6 frag parsing optional

3 years ago: Only parse v4/v6 if we have relevant rules for them
Matt Corallo [Sat, 3 Apr 2021 22:09:57 +0000 (18:09 -0400)]
Only parse v4/v6 if we have relevant rules for them

3 years ago: Improve arg parsing somewhat and add flexibility/standardness
Matt Corallo [Sat, 3 Apr 2021 22:08:01 +0000 (18:08 -0400)]
Improve arg parsing somewhat and add flexibility/standardness

3 years ago: Tag short packets as unlikely
Matt Corallo [Sat, 3 Apr 2021 21:57:16 +0000 (17:57 -0400)]
Tag short packets as unlikely

3 years ago: Support v6 fragment parsing
Matt Corallo [Sat, 3 Apr 2021 20:41:41 +0000 (16:41 -0400)]
Support v6 fragment parsing

3 years ago: Initial checkin
Matt Corallo [Sat, 3 Apr 2021 04:07:27 +0000 (00:07 -0400)]
Initial checkin