import ipaddress
from enum import Enum
import argparse
+import math
IP_PROTO_ICMP = 1
rules4 = ""
use_v6_frags = False
rulecnt = 0
+ ratelimitcnt = 0
lastrule = None
for line in sys.stdin.readlines():
continue
ty = blocks[1].strip()[:6]
low_bytes = int(blocks[2].strip(") \n"), 16)
- if ty == "0x8006":
+ if ty == "0x8006" or ty == "0x800c":
+ if first_action is not None:
+ # Two ratelimit actions, just drop the old one. RFC 8955 says we can.
+ first_action = None
+ exp = (low_bytes & (0xff << 23)) >> 23
if low_bytes == 0:
first_action = "return XDP_DROP;"
+ elif low_bytes & (1 << 31) != 0:
+ # Negative limit, just drop
+ first_action = "return XDP_DROP;"
+ elif exp == 0xff:
+ # NaN/INF. Just treat as INF and accept
+ first_action = None
+ elif exp <= 127: # < 1
+ first_action = "return XDP_DROP;"
+ elif exp >= 127 + 63: # The count won't even fit in 64-bits, just accept
+ first_action = None
else:
- assert False # Not yet supported
+ mantissa = low_bytes & ((1 << 23) - 1)
+ value = 1.0 + mantissa / (2**23)
+ value *= 2**(exp-127)
+ if ty == "0x8006":
+ accessor = "rate->rate.sent_bytes"
+ else:
+ accessor = "rate->rate.sent_packets"
+ # Note that int64_t will overflow after 292 years of uptime
+ first_action = "int64_t time = bpf_ktime_get_ns();\n"
+ first_action += f"const uint32_t ratelimitidx = {ratelimitcnt};\n"
+ first_action += "uint64_t allowed_since_last = 0;\n"
+ first_action += "struct ratelimit *rate = bpf_map_lookup_elem(&rate_map, &ratelimitidx);\n"
+ first_action += "if (rate) {\n"
+ first_action += "\tbpf_spin_lock(&rate->lock);\n"
+ first_action += f"\tif (likely({accessor} > 0))" + " {\n"
+ first_action += "\t\tint64_t diff = time - rate->sent_time;\n"
+ # Unlikely or not, if the flow is slow, take a perf hit (though with the else if branch it doesn't matter)
+ first_action += "\t\tif (unlikely(diff > 1000000000))\n"
+ first_action += f"\t\t\t{accessor} = 0;\n"
+ first_action += "\t\telse if (likely(diff > 0))\n"
+ first_action += f"\t\t\tallowed_since_last = ((uint64_t)diff) * {math.floor(value)} / 1000000000;\n"
+ first_action += "\t}\n"
+ first_action += f"\tif ({accessor} - ((int64_t)allowed_since_last) <= 0)" + " {\n"
+ if ty == "0x8006":
+ first_action += f"\t\t{accessor} = data_end - pktdata;\n"
+ else:
+ first_action += f"\t\t{accessor} = 1;\n"
+ first_action += "\t\trate->sent_time = time;\n"
+ first_action += "\t\tbpf_spin_unlock(&rate->lock);\n"
+ first_action += "\t} else {\n"
+ first_action += "\t\tbpf_spin_unlock(&rate->lock);\n"
+ first_action += "\t\treturn XDP_DROP;\n"
+ first_action += "\t}\n"
+ first_action += "}\n"
+ ratelimitcnt += 1
elif ty == "0x8007":
if low_bytes & 1 == 0:
last_action = "return XDP_PASS;"
write_rule("uint8_t orig_tos = ip->tos;")
write_rule("ip->tos = (ip->tos & 3) | " + str(low_bytes << 2) + ";")
write_rule("chk = (chk - orig_tos + ip->tos);")
- write_rule("if (unlikely(chk < 0)) { chk += 65534; }")
+ write_rule("if (unlikely(chk > 0xffff)) { chk -= 65535; }")
+ write_rule("else if (unlikely(chk < 0)) { chk += 65535; }")
write_rule("ip->check = ~BE16(chk);")
else:
write_rule("ip6->priority = " + str(low_bytes >> 2) + ";")
out.write("\n")
out.write(f"#define RULECNT {rulecnt}\n")
+ if ratelimitcnt != 0:
+ out.write(f"#define RATE_CNT {ratelimitcnt}\n")
if rules4 != "":
out.write("#define NEED_V4_PARSE\n")
out.write("#define RULES4 {\\\n" + rules4 + "}\n")
projects / flowspec-xdp / blobdiff