Implement both IP and flow-based rate limiting.
@@ -15,10 +15,6 @@
|
||||
// Decrease this value if you receive errors related to the BPF program being too large.
|
||||
#define MAX_FILTERS 60
|
||||
|
||||
// The maximum amount of IPs/flows to track stats for.
|
||||
// The higher this value is, the more memory that'll be used.
|
||||
#define MAX_TRACK_IPS 100000
|
||||
|
||||
// Feel free to comment this out if you don't want the `blocked` entry on the stats map to be incremented every single time a packet is dropped from the source IP being on the blocked map.
|
||||
// Commenting this line out should increase performance when blocking malicious traffic.
|
||||
#define DO_STATS_ON_BLOCK_MAP
|
||||
@@ -31,14 +27,26 @@
|
||||
// The same goes for IPv4, if there is no IPv4 source/destination IP addresses set, if an IPv6 address is set, it will ignore the filter.
|
||||
#define ALLOW_SINGLE_IP_V4_V6
|
||||
|
||||
// If uncommented, rate limits for clients are determined using the source IP, port, and protocol instead of just the source IP.
|
||||
// This allows for more precise rate limits (connection-specific instead of a single source IP).
|
||||
// I decided not to include the destination IP/port because the source IP, port, and protocol should be represent a unique connection.
|
||||
#define USE_FLOW_RL
|
||||
|
||||
// Enables filter logging through XDP.
|
||||
// If performance is a concern, it is best to disable this feature by commenting out the below line with //.
|
||||
#define ENABLE_FILTER_LOGGING
|
||||
|
||||
// Maximum interfaces the firewall can attach to.
|
||||
#define MAX_INTERFACES 6
|
||||
#define MAX_INTERFACES 6
|
||||
|
||||
// NOTE - If you're receiving a high volume of spoofed packets, it is recommended you disable rate limiting below.
|
||||
// This is because the PPS/BPS counters are updated for every packet and with a spoofed attack, the LRU map will recycle a lot of entries resulting in additional load on the CPU.
|
||||
// Enable source IP rate limiting.
|
||||
#define ENABLE_RL_IP
|
||||
|
||||
// Enable source flow rate limiting.
|
||||
#define ENABLE_RL_FLOW
|
||||
|
||||
// Maximum entries in source IP rate limit map.
|
||||
#define MAX_RL_IP 100000
|
||||
|
||||
// Maximum entries in source flow rate limit map.
|
||||
#define MAX_RL_FLOW 100000
|
||||
|
||||
// Maximum entries in block map.
|
||||
#define MAX_BLOCK 100000
|
||||
@@ -108,11 +108,21 @@ struct filter
|
||||
u8 action;
|
||||
u16 block_time;
|
||||
|
||||
unsigned int do_pps : 1;
|
||||
u64 pps;
|
||||
#ifdef ENABLE_RL_IP
|
||||
unsigned int do_ip_pps : 1;
|
||||
u64 ip_pps;
|
||||
|
||||
unsigned int do_bps : 1;
|
||||
u64 bps;
|
||||
unsigned int do_ip_bps : 1;
|
||||
u64 ip_bps;
|
||||
#endif
|
||||
|
||||
#ifdef ENABLE_RL_FLOW
|
||||
unsigned int do_flow_pps : 1;
|
||||
u64 flow_pps;
|
||||
|
||||
unsigned int do_flow_bps : 1;
|
||||
u64 flow_bps;
|
||||
#endif
|
||||
|
||||
filter_ip_t ip;
|
||||
|
||||
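Review bot: In struct filter the per-filter `do_bps`/`bps` fields now sit between `ip_pps` and `do_ip_bps`, i.e. inside the `#ifdef ENABLE_RL_IP` … `#endif` block this hunk introduces, while `do_pps`/`pps` stay unconditional, so commenting out ENABLE_RL_IP in config removes the filter-wide BPS limit fields together with the per-IP ones. The rendered diff has lost its +/- markers, so if `do_bps`/`bps` are really context lines that were moved, the fix is to place `#ifdef ENABLE_RL_IP` after `u64 bps;` (or close and reopen the conditional around `do_ip_bps`/`ip_bps`) so the generic fields are always present like `do_pps`/`pps`. This struct presumably also serves as a BPF map value shared with the user-space loader; every field made conditional on an ENABLE_RL_* define changes the value size and field offsets, so both sides must be built from the same config or map updates will fail or misread fields — worth stating above the first `#ifdef`, e.g. `// NOTE: the BPF program and the loader must be compiled with identical ENABLE_RL_* settings; these fields change the map value layout.` The struct's opening brace and closing `typedef` are outside the hunk.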
@@ -128,12 +138,12 @@ struct stats
|
||||
u64 passed;
|
||||
} typedef stats_t;
|
||||
|
||||
struct ip_stats
|
||||
struct cl_stats
|
||||
{
|
||||
u64 pps;
|
||||
u64 bps;
|
||||
u64 next_update;
|
||||
} typedef ip_stats_t ;
|
||||
} typedef cl_stats_t;
|
||||
|
||||
struct flow
|
||||
{
|
||||
@@ -168,8 +178,11 @@ struct filter_log_event
|
||||
|
||||
u8 protocol;
|
||||
|
||||
u64 pps;
|
||||
u64 bps;
|
||||
u64 ip_pps;
|
||||
u64 ip_bps;
|
||||
|
||||
u64 flow_pps;
|
||||
u64 flow_bps;
|
||||
} typedef filter_log_event_t;
|
||||
|
||||
struct lpm_trie_key
|
||||
|
||||