Add xdp-synproxy Dockerfile and Kubernetes DaemonSet manifest

User could build xdp-synproxy container and runs in kubernetes
as daemonset to protect kubernetes node from SYN flood attack

Signed-off-by: Vincent Li <[email protected]>

Author: vincentmli

xdp-synproxy/Dockerfile

@@ -0,0 +1,18 @@
+#docker build . -t xdp-synproxy:0.1
+#docker run -it -h xdp-synproxy --network=host --privileged xdp-synproxy:0.1
+
+FROM ubuntu:latest
+
+RUN apt-get update && \
+    apt-get install -y libelf1 \
+                       iptables \
+                       iproute2
+
+COPY bpftool /usr/local/bin
+COPY install-rules.sh /
+COPY uninstall-rules.sh /
+COPY xdp_synproxy /usr/local/bin
+
+#ENTRYPOINT ["/usr/local/bin/xdp_synproxy", "--iface", "ens192", "--file", "/usr/local/bin/xdp_synproxy_kern.o", "--mss4", "1460", "--mss6", "1440", "--wscale", "7", "--ttl", "254", "--ports", "80,8080"]
+
+

xdp-synproxy/README.org

@@ -8,6 +8,8 @@ a real practical example for user to use. For an overview of accelerating
 SYNPROXY WITH XDP, Please refer to this paper
 (https://netdevconf.info/0x15/slides/30/Netdev%200x15%20Accelerating%20synproxy%20with%20XDP.pdf)
 
+This sample application is tested with Ubuntu 22.04 with 6.2 kernel.
+
 Note XDP SYNPROXY requires netfilter connection tracking and here are the
 sysctl knobs and iptables rules preparation for XDP SYNPROXY:
 #+BEGIN_SRC sh
@@ -21,9 +23,39 @@ sysctl knobs and iptables rules preparation for XDP SYNPROXY:
 
 Here is how to start the XDP SYNPROXY application:
 #+BEGIN_SRC sh
-  sudo xdp_synproxy --iface <interface> --file <path-to-xdp_synproxy_kern.o> --mss4 1460 --mss6 1440 --wscale 7 --ttl 254 --ports <port1>,<port2>
+  sudo xdp_synproxy --iface <interface> --mss4 1460 --mss6 1440 --wscale 7 --ttl 64 --ports <port1>,<port2>
+#+END_SRC
+
+XDP SYNPROXY could be built in in container and run by docker
+#+BEGIN_SRC sh
+  sudo docker build . -t xdp-synproxy:0.1
+  sudo docker run -it -h xdp-synproxy --network=host --privileged xdp-synproxy:0.1
+#+END_SRC
+
+XDP SYNPROXY could be deployed in Kubernetes cluster as DaemonSet, Please see
+(https://youtu.be/nIrp0Lv-e0g?si=g-pXl4agVQM6_FYW)
+#+BEGIN_SRC sh
+  sudo kubectl apply -f xdp-synproxy-daemonset.yaml
+  sudo kubectl get po  -o wide -l app=xdp-synproxy
+
+  NAME                 READY   STATUS    RESTARTS   AGE    IP              NODE                     NOMINATED NODE   READINESS GATES
+  xdp-synproxy-6x29j   1/1     Running   0          5d2h   10.169.72.239   cilium-dev               <none>           <none>
+  xdp-synproxy-xj98j   1/1     Running   0          5d2h   10.169.72.233   centos-dev.localdomain   <none>           <none>
 #+END_SRC
 
 XDP SYNPROXY can coexist with other XDP programs since we use libxdp
 to attach the XDP SYNPROXY program, meaning you could build chain of
-XDP programs and attach them to same network interface.
+XDP programs and attach them to same network interface. Note xdp-loader
+could be built statically and shipped with xdp-synproxy container.
+
+#+BEGIN_SRC sh
+  sudo kubectl exec -it xdp-synproxy-6x29j  -- xdp-loader status
+
+  CURRENT XDP PROGRAM STATUS:
+
+  Interface        Prio  Program name      Mode     ID   Tag               Chain actions
+  --------------------------------------------------------------------------------------
+  ens192                 xdp_dispatcher    native   899  90f686eb86991928
+  =>               50    syncookie_xdp              908  6c6615566a2e0419  XDP_PASS
+#+END_SRC
+

xdp-synproxy/install-rules.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+set -e
+
+sysctl -w net.ipv4.tcp_syncookies=2
+sysctl -w net.ipv4.tcp_timestamps=1
+sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
+
+SYNPROXY="-m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460"
+CT="-j CT --notrack"
+
+while test $# -gt 0; do
+  case "$1" in
+    --interface*)
+      # shellcheck disable=SC2001
+      # the below sed is to support both formats "--flag value" and "--flag=value"
+      INTERFACE=$(echo "$1" | sed -e 's/^[^=]*=//g')
+      shift
+      ;;
+    --ports*)
+      # shellcheck disable=SC2001
+      # the below sed is to support both formats "--flag value" and "--flag=value"
+      PORTS=$(echo "$1" | sed -e 's/^[^=]*=//g')
+      shift
+      ;;
+    *)
+      break
+      ;;
+  esac
+done
+
+
+
+COMMA=','
+if [[ "$PORTS" == *"$COMMA"* ]]; then
+
+   IFS=',' read -ra PORT <<< "$PORTS"
+   for p in "${PORT[@]}"; do
+     echo $p
+     /usr/sbin/iptables -t raw -I PREROUTING -i $INTERFACE -p tcp -m tcp --syn --dport $p $CT
+     /usr/sbin/iptables -t filter -A INPUT -i $INTERFACE -p tcp -m tcp --dport $p $SYNPROXY
+   done
+else 
+     /usr/sbin/iptables -t raw -I PREROUTING -i $INTERFACE -p tcp -m tcp --syn --dport $PORTS $CT
+     /usr/sbin/iptables -t filter -A INPUT -i $INTERFACE -p tcp -m tcp --dport $PORTS $SYNPROXY
+fi
+
+/usr/sbin/iptables -t filter -A INPUT -i $INTERFACE -m state --state INVALID -j DROP

xdp-synproxy/uninstall-rules.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+set -e
+
+SYNPROXY="-m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460"
+CT="-j CT --notrack"
+
+while test $# -gt 0; do
+  case "$1" in
+    --interface*)
+      # shellcheck disable=SC2001
+      # the below sed is to support both formats "--flag value" and "--flag=value"
+      INTERFACE=$(echo "$1" | sed -e 's/^[^=]*=//g')
+      shift
+      ;;
+    --ports*)
+      # shellcheck disable=SC2001
+      # the below sed is to support both formats "--flag value" and "--flag=value"
+      PORTS=$(echo "$1" | sed -e 's/^[^=]*=//g')
+      shift
+      ;;
+    *)
+      break
+      ;;
+  esac
+done
+
+
+
+COMMA=','
+if [[ "$PORTS" == *"$COMMA"* ]]; then
+
+   IFS=',' read -ra PORT <<< "$PORTS"
+   for p in "${PORT[@]}"; do
+     echo $p
+     /usr/sbin/iptables -t raw -D PREROUTING -i $INTERFACE -p tcp -m tcp --syn --dport $p $CT
+     /usr/sbin/iptables -t filter -D INPUT -i $INTERFACE -p tcp -m tcp --dport $p $SYNPROXY
+   done
+else 
+     /usr/sbin/iptables -t raw -D PREROUTING -i $INTERFACE -p tcp -m tcp --syn --dport $PORTS $CT
+     /usr/sbin/iptables -t filter -D INPUT -i $INTERFACE -p tcp -m tcp --dport $PORTS $SYNPROXY
+fi
+
+/usr/sbin/iptables -t filter -D INPUT -i $INTERFACE -m state --state INVALID -j DROP

xdp-synproxy/xdp-synproxy-daemonset.yaml

@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: xdp-synproxy
+  labels:
+    app: xdp-synproxy
+spec:
+  selector:
+    matchLabels:
+      app: xdp-synproxy
+  template:
+    metadata:
+      labels:
+        app: xdp-synproxy
+    spec:
+      hostNetwork: true
+      containers:
+      - args:
+        - "--iface=ens192"
+        - "--mss4=1460"
+        - "--mss6=1440"
+        - "--wscale=7"
+        - "--ttl=254"
+        - "--ports=80,8080"
+        command:
+        - /usr/local/bin/xdp_synproxy
+        image: vli39/xdp-synproxy:0.1
+        imagePullPolicy: Always
+        lifecycle:
+          postStart:
+            exec:
+              command:
+              - "/install-rules.sh"
+              - "--interface=ens192"
+              - "--ports=80,8080"
+          preStop:
+            exec:
+              command:
+              - "/uninstall-rules.sh"
+              - "--interface=ens192"
+              - "--ports=80,8080"
+        name: xdp-synproxy
+        securityContext:
+          capabilities:
+            add:
+              - NET_ADMIN
+          privileged: true
+        volumeMounts:
+        - mountPath: /sys/fs/bpf
+          name: xdp-synproxy 
+      volumes:
+      - hostPath:
+          path: /sys/fs/bpf
+          type: DirectoryOrCreate
+        name: xdp-synproxy