Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add IPv6 support to BPF rate limit #1458

Merged
merged 2 commits into from
Sep 18, 2023
Merged

Conversation

kevsecurity
Copy link
Contributor

See commits.

First commit fixes a couple of (pseudo?) bugs in the in-BPF rate limit code. It worked before, but it wasn't optimal.
Second commit adds support for IPv6 tuples so that rate limiting isn't just limited to IPv4.

The in-BPF message rate limit specified that the maximum number of bytes
per argument included had to be a power of 2 as we used 1 less than that
amount as a mask to limit the size of a parameter. Two problems emerge
from this restriction: first, we might want a max number of bytes per
argument that is not a power of 2 – given we multiply this by 5 and then
use this in a hash key, forcing a power of 2 could have significant
effects on the volume of bytes being hashed - and second, the use of the
mask actually reduced the maximum number of bytes by 1, which is a bit
annoying.

This commit reworks the code slightly to remove these two problems.

Signed-off-by: Kevin Sheldrake <kevin.sheldrake@isovalent.com>
The original in-BPF message rate limit only supported IPv4 as we didn't
have IPv6 support in general. Now we do.

This commit adds extra space to the rate limit key so that it can
support an IPv6 tuple.

Signed-off-by: Kevin Sheldrake <kevin.sheldrake@isovalent.com>
@kevsecurity kevsecurity requested a review from a team as a code owner September 12, 2023 16:14
@kevsecurity kevsecurity added the release-note/minor This PR introduces a minor user-visible change label Sep 12, 2023
__uint(max_entries, 1);
__type(key, __u32);
__type(value, __u8[sizeof(struct ratelimit_key) + 128]);
} ratelimit_ro_heap SEC(".maps");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would be nice to preface with tg_ratelimit_ro_heap and above so that bpftool reports them with tetragon 'tg' map preface. Not sure we have hit all the maps yet with the naming convention but will be nice going forward.

@jrfastab jrfastab merged commit 6e56055 into main Sep 18, 2023
@jrfastab jrfastab deleted the pr/kevsecurity/rate-limit-ipv6 branch September 18, 2023 22:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
release-note/minor This PR introduces a minor user-visible change
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants