Merge pull request #103 from vincentmli/vli-dev

Add xdp-synproxy to bpf-examples

Author: tohojo

Makefile

@@ -25,6 +25,7 @@ SUBDIRS += tc-policy
 SUBDIRS += traffic-pacing-edt
 SUBDIRS += AF_XDP-forwarding
 SUBDIRS += AF_XDP-example
+SUBDIRS += xdp-synproxy
 
 .PHONY: check_submodule help clobber distclean clean $(SUBDIRS)
 

headers/vmlinux/vmlinux_common.h

@@ -1,6 +1,13 @@
 #ifndef __VMLINUX_COMMON_H__
 #define __VMLINUX_COMMON_H__
 
+enum {
+	false = 0,
+	true = 1,
+};
+
+typedef _Bool bool;
+
 struct list_head {
 	struct list_head *next;
 	struct list_head *prev;

headers/vmlinux/vmlinux_net.h

@@ -135,4 +135,13 @@ struct sk_buff {
 	struct skb_ext *extensions;
 };
 
+struct nf_conn {
+	unsigned long status;
+};
+
+enum ip_conntrack_status {
+	/* Connection is confirmed: originating packet has left box */
+	IPS_CONFIRMED_BIT = 3,
+};
+
 #endif /* __VMLINUX_NET_H__ */

xdp-synproxy/Dockerfile

@@ -0,0 +1,18 @@
+#docker build . -t xdp-synproxy:0.1
+#docker run -it -h xdp-synproxy --network=host --privileged xdp-synproxy:0.1
+
+FROM ubuntu:latest
+
+RUN apt-get update && \
+    apt-get install -y libelf1 \
+                       iptables \
+                       iproute2
+
+COPY bpftool /usr/local/bin
+COPY install-rules.sh /
+COPY uninstall-rules.sh /
+COPY xdp_synproxy /usr/local/bin
+
+#ENTRYPOINT ["/usr/local/bin/xdp_synproxy", "--iface", "ens192", "--file", "/usr/local/bin/xdp_synproxy_kern.o", "--mss4", "1460", "--mss6", "1440", "--wscale", "7", "--ttl", "254", "--ports", "80,8080"]
+
+

xdp-synproxy/Makefile

@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: (GPL-2.0 OR BSD-2-Clause)
+
+USER_TARGETS := xdp_synproxy
+BPF_TARGETS := xdp_synproxy_kern
+BPF_SKEL_OBJ := xdp_synproxy_kern.o
+
+LIB_DIR = ../lib
+
+include $(LIB_DIR)/common.mk

xdp-synproxy/README.org

@@ -0,0 +1,61 @@
+#+Title: XDP SYNPROXY sample application
+
+This is a sample application for XDP SYNPROXY. It was cloned from
+the Linux source code tree under tools/testing/selftests/bpf and called
+xdp_synproxy. main purpose of it is to demonstrate capabilities of
+XDP accelerating SYN Proxying for SYN flood DDOS protection. It is
+a real practical example for user to use. For an overview of accelerating
+SYNPROXY WITH XDP, Please refer to this paper
+(https://netdevconf.info/0x15/slides/30/Netdev%200x15%20Accelerating%20synproxy%20with%20XDP.pdf)
+
+This sample application is tested with Ubuntu 22.04 with 6.2 kernel.
+
+Note XDP SYNPROXY requires netfilter connection tracking and here are the
+sysctl knobs and iptables rules preparation for XDP SYNPROXY:
+#+BEGIN_SRC sh
+  sudo sysctl -w net.ipv4.tcp_syncookies=2
+  sudo sysctl -w net.ipv4.tcp_timestamps=1
+  sudo sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
+  sudo iptables -t raw -I PREROUTING  -i <interface> -p tcp -m tcp --syn --dport <port> -j CT --notrack
+  sudo iptables -t filter -A INPUT -i <interface> -p tcp -m tcp --dport <port> -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
+  sudo iptables -t filter -A INPUT -i <interface> -m state --state INVALID -j DROP
+#+END_SRC
+
+Here is how to start the XDP SYNPROXY application:
+#+BEGIN_SRC sh
+  sudo xdp_synproxy --iface <interface> --mss4 1460 --mss6 1440 --wscale 7 --ttl 64 --ports <port1>,<port2>
+#+END_SRC
+
+XDP SYNPROXY could be built in in container and run by docker
+#+BEGIN_SRC sh
+  sudo docker build . -t xdp-synproxy:0.1
+  sudo docker run -it -h xdp-synproxy --network=host --privileged xdp-synproxy:0.1
+#+END_SRC
+
+XDP SYNPROXY could be deployed in Kubernetes cluster as DaemonSet, Please see
+(https://youtu.be/nIrp0Lv-e0g?si=g-pXl4agVQM6_FYW)
+#+BEGIN_SRC sh
+  sudo kubectl apply -f xdp-synproxy-daemonset.yaml
+  sudo kubectl get po  -o wide -l app=xdp-synproxy
+
+  NAME                 READY   STATUS    RESTARTS   AGE    IP              NODE                     NOMINATED NODE   READINESS GATES
+  xdp-synproxy-6x29j   1/1     Running   0          5d2h   10.169.72.239   cilium-dev               <none>           <none>
+  xdp-synproxy-xj98j   1/1     Running   0          5d2h   10.169.72.233   centos-dev.localdomain   <none>           <none>
+#+END_SRC
+
+XDP SYNPROXY can coexist with other XDP programs since we use libxdp
+to attach the XDP SYNPROXY program, meaning you could build chain of
+XDP programs and attach them to same network interface. Note xdp-loader
+could be built statically and shipped with xdp-synproxy container.
+
+#+BEGIN_SRC sh
+  sudo kubectl exec -it xdp-synproxy-6x29j  -- xdp-loader status
+
+  CURRENT XDP PROGRAM STATUS:
+
+  Interface        Prio  Program name      Mode     ID   Tag               Chain actions
+  --------------------------------------------------------------------------------------
+  ens192                 xdp_dispatcher    native   899  90f686eb86991928
+  =>               50    syncookie_xdp              908  6c6615566a2e0419  XDP_PASS
+#+END_SRC
+

xdp-synproxy/install-rules.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+set -e
+
+sysctl -w net.ipv4.tcp_syncookies=2
+sysctl -w net.ipv4.tcp_timestamps=1
+sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
+
+SYNPROXY="-m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460"
+CT="-j CT --notrack"
+
+while test $# -gt 0; do
+  case "$1" in
+    --interface*)
+      # shellcheck disable=SC2001
+      # the below sed is to support both formats "--flag value" and "--flag=value"
+      INTERFACE=$(echo "$1" | sed -e 's/^[^=]*=//g')
+      shift
+      ;;
+    --ports*)
+      # shellcheck disable=SC2001
+      # the below sed is to support both formats "--flag value" and "--flag=value"
+      PORTS=$(echo "$1" | sed -e 's/^[^=]*=//g')
+      shift
+      ;;
+    *)
+      break
+      ;;
+  esac
+done
+
+
+
+COMMA=','
+if [[ "$PORTS" == *"$COMMA"* ]]; then
+
+   IFS=',' read -ra PORT <<< "$PORTS"
+   for p in "${PORT[@]}"; do
+     echo $p
+     /usr/sbin/iptables -t raw -I PREROUTING -i $INTERFACE -p tcp -m tcp --syn --dport $p $CT
+     /usr/sbin/iptables -t filter -A INPUT -i $INTERFACE -p tcp -m tcp --dport $p $SYNPROXY
+   done
+else 
+     /usr/sbin/iptables -t raw -I PREROUTING -i $INTERFACE -p tcp -m tcp --syn --dport $PORTS $CT
+     /usr/sbin/iptables -t filter -A INPUT -i $INTERFACE -p tcp -m tcp --dport $PORTS $SYNPROXY
+fi
+
+/usr/sbin/iptables -t filter -A INPUT -i $INTERFACE -m state --state INVALID -j DROP

xdp-synproxy/uninstall-rules.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+set -e
+
+SYNPROXY="-m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460"
+CT="-j CT --notrack"
+
+while test $# -gt 0; do
+  case "$1" in
+    --interface*)
+      # shellcheck disable=SC2001
+      # the below sed is to support both formats "--flag value" and "--flag=value"
+      INTERFACE=$(echo "$1" | sed -e 's/^[^=]*=//g')
+      shift
+      ;;
+    --ports*)
+      # shellcheck disable=SC2001
+      # the below sed is to support both formats "--flag value" and "--flag=value"
+      PORTS=$(echo "$1" | sed -e 's/^[^=]*=//g')
+      shift
+      ;;
+    *)
+      break
+      ;;
+  esac
+done
+
+
+
+COMMA=','
+if [[ "$PORTS" == *"$COMMA"* ]]; then
+
+   IFS=',' read -ra PORT <<< "$PORTS"
+   for p in "${PORT[@]}"; do
+     echo $p
+     /usr/sbin/iptables -t raw -D PREROUTING -i $INTERFACE -p tcp -m tcp --syn --dport $p $CT
+     /usr/sbin/iptables -t filter -D INPUT -i $INTERFACE -p tcp -m tcp --dport $p $SYNPROXY
+   done
+else 
+     /usr/sbin/iptables -t raw -D PREROUTING -i $INTERFACE -p tcp -m tcp --syn --dport $PORTS $CT
+     /usr/sbin/iptables -t filter -D INPUT -i $INTERFACE -p tcp -m tcp --dport $PORTS $SYNPROXY
+fi
+
+/usr/sbin/iptables -t filter -D INPUT -i $INTERFACE -m state --state INVALID -j DROP

xdp-synproxy/xdp-synproxy-daemonset.yaml

@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: xdp-synproxy
+  labels:
+    app: xdp-synproxy
+spec:
+  selector:
+    matchLabels:
+      app: xdp-synproxy
+  template:
+    metadata:
+      labels:
+        app: xdp-synproxy
+    spec:
+      hostNetwork: true
+      containers:
+      - args:
+        - "--iface=ens192"
+        - "--mss4=1460"
+        - "--mss6=1440"
+        - "--wscale=7"
+        - "--ttl=254"
+        - "--ports=80,8080"
+        command:
+        - /usr/local/bin/xdp_synproxy
+        image: vli39/xdp-synproxy:0.1
+        imagePullPolicy: Always
+        lifecycle:
+          postStart:
+            exec:
+              command:
+              - "/install-rules.sh"
+              - "--interface=ens192"
+              - "--ports=80,8080"
+          preStop:
+            exec:
+              command:
+              - "/uninstall-rules.sh"
+              - "--interface=ens192"
+              - "--ports=80,8080"
+        name: xdp-synproxy
+        securityContext:
+          capabilities:
+            add:
+              - NET_ADMIN
+          privileged: true
+        volumeMounts:
+        - mountPath: /sys/fs/bpf
+          name: xdp-synproxy 
+      volumes:
+      - hostPath:
+          path: /sys/fs/bpf
+          type: DirectoryOrCreate
+        name: xdp-synproxy