commit 977bc146d4eb7070118d8a974919b33bb52732b4 Author: Eduard Zingerman <eddyz87@gmail.com> Date: Tue Nov 21 04:06:51 2023 +0200 selftests/bpf: track tcp payload offset as scalar in xdp_synproxy This change prepares syncookie_{tc,xdp} for update in callbakcs verification logic. To allow bpf_loop() verification converge when multiple callback itreations are considered: - track offset inside TCP payload explicitly, not as a part of the pointer; - make sure that offset does not exceed MAX_PACKET_OFF enforced by verifier; - make sure that offset is tracked as unbound scalar between iterations, otherwise verifier won't be able infer that bpf_loop callback reaches identical states. Acked-by: Andrii Nakryiko <andrii@kernel.org> Signed-off-by: Eduard Zingerman <eddyz87@gmail.com> Link: https://lore.kernel.org/r/20231121020701.26440-2-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> without above commit, syncookie_xdp program failed on kernel 6.7 with verifier error: "BPF program is too large. Processed 1000001 insn" Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
XDP SYNPROXY sample application
This is a sample application for XDP SYNPROXY. It was cloned from the Linux source code tree under tools/testing/selftests/bpf and called xdp_synproxy. main purpose of it is to demonstrate capabilities of XDP accelerating SYN Proxying for SYN flood DDOS protection. It is a real practical example for user to use. For an overview of accelerating SYNPROXY WITH XDP, Please refer to this paper (https://netdevconf.info/0x15/slides/30/Netdev%200x15%20Accelerating%20synproxy%20with%20XDP.pdf)
This sample application is tested with Ubuntu 22.04 with 6.2 kernel.
Note XDP SYNPROXY requires netfilter connection tracking and here are the sysctl knobs and iptables rules preparation for XDP SYNPROXY:
sudo sysctl -w net.ipv4.tcp_syncookies=2
sudo sysctl -w net.ipv4.tcp_timestamps=1
sudo sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
sudo iptables -t raw -I PREROUTING -i <interface> -p tcp -m tcp --syn --dport <port> -j CT --notrack
sudo iptables -t filter -A INPUT -i <interface> -p tcp -m tcp --dport <port> -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
sudo iptables -t filter -A INPUT -i <interface> -m state --state INVALID -j DROP
Here is how to start the XDP SYNPROXY application:
sudo xdp_synproxy --iface <interface> --mss4 1460 --mss6 1440 --wscale 7 --ttl 64 --ports <port1>,<port2>
XDP SYNPROXY could be built in in container and run by docker
sudo docker build . -t xdp-synproxy:0.1
sudo docker run -it -h xdp-synproxy --network=host --privileged xdp-synproxy:0.1
XDP SYNPROXY could be deployed in Kubernetes cluster as DaemonSet, Please see (https://youtu.be/nIrp0Lv-e0g?si=g-pXl4agVQM6_FYW)
sudo kubectl apply -f xdp-synproxy-daemonset.yaml
sudo kubectl get po -o wide -l app=xdp-synproxy
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
xdp-synproxy-6x29j 1/1 Running 0 5d2h 10.169.72.239 cilium-dev <none> <none>
xdp-synproxy-xj98j 1/1 Running 0 5d2h 10.169.72.233 centos-dev.localdomain <none> <none>
XDP SYNPROXY can coexist with other XDP programs since we use libxdp to attach the XDP SYNPROXY program, meaning you could build chain of XDP programs and attach them to same network interface. Note xdp-loader could be built statically and shipped with xdp-synproxy container.
sudo kubectl exec -it xdp-synproxy-6x29j -- xdp-loader status
CURRENT XDP PROGRAM STATUS:
Interface Prio Program name Mode ID Tag Chain actions
--------------------------------------------------------------------------------------
ens192 xdp_dispatcher native 899 90f686eb86991928
=> 50 syncookie_xdp 908 6c6615566a2e0419 XDP_PASS
XDP SYNPROXY can also be deployed in Linux router/Firewall, it requires iptables SYNPROXY to be added in filter table FORWARD chain. see https://youtu.be/Cj7SeviTXrw?si=adZ0FrGq84Ygmmy0 for example.
sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -w net.ipv4.tcp_syncookies=2
sudo sysctl -w net.ipv4.tcp_timestamps=1
sudo sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
sudo iptables -t raw -I PREROUTING -i ens7 -p tcp -m tcp --syn --dport 80 -j CT --notrack
sudo iptables -t filter -A FORWARD -i ens7 -p tcp -m tcp --dport 80 -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
sudo iptables -t filter -A FORWARD -i ens7 -m state --state INVALID -j DROP
sudo ./xdp_synproxy --iface ens7 --ports 80 --mss4 1460 --mss6 1440 --wscale 7 --ttl 64
Simple test diagram
client: server:
ip r add 10.6.6.0/24 ip r add 10.3.3.0/24
via 10.3.3.8 via 10.6.6.8
+---------------+ +----------------------------+ +--------------+
| | | | | |
| client | | Firewall/router | | server |
| 10.3.3.9 eno2---ens7 10.3.3.8 10.6.6.8 ens9----ens9 10.6.6.6 |
| | | | | |
| | | | | |
+---------------+ +----------------------------+ +--------------+