Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP]ruleset: make synflood lighter using ct state #31

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

[WIP]ruleset: make synflood lighter using ct state #31

wants to merge 3 commits into from

Conversation

brada4
Copy link

@brada4 brada4 commented May 29, 2024

Make synflood inteject as found in default setup quicker by using ct state attribute and avoiding packet data examination.

Bytecode before:

// block A implicit
  [ meta load l4proto => reg 1 ]
  [ cmp eq reg 1 0x00000006 ]
// block B V1
  [ payload load 1b @ transport header + 13 => reg 1 ]
  [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ]
  [ cmp eq reg 1 0x00000002 ]
// verdict
  [ immediate reg 0 jump -> syn_flood ]

After:

// block B V2
  [ ct load state => reg 1 ]
  [ bitwise reg 1 = ( reg 1 & 0x00000008 ) ^ 0x00000000 ]
  [ cmp neq reg 1 0x00000000 ]
// block A explicit
  [ meta load l4proto => reg 1 ]
  [ cmp eq reg 1 0x00000006 ]
// verdict
  [ immediate reg 0 jump -> syn_flood ]

Signed-Off-By: Andris PE [email protected]

ruleset: make synflood lighter using ct meta
38a6069 
Make synflood inteject as found in default setup quicker by using ct state attribute and avoiding packet data examination.

Bytecode before:
```
// block A implicit
  [ meta load l4proto => reg 1 ]
  [ cmp eq reg 1 0x00000006 ]
// block B V1
  [ payload load 1b @ transport header + 13 => reg 1 ]
  [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ]
  [ cmp eq reg 1 0x00000002 ]
// verdict
  [ immediate reg 0 jump -> syn_flood ]
```
After:
```
// block B V2
  [ ct load state => reg 1 ]
  [ bitwise reg 1 = ( reg 1 & 0x00000008 ) ^ 0x00000000 ]
  [ cmp neq reg 1 0x00000000 ]
// block A explicit
  [ meta load l4proto => reg 1 ]
  [ cmp eq reg 1 0x00000006 ]
// verdict
  [ immediate reg 0 jump -> syn_flood ]
```
@brada4
Copy link
Author

brada4 commented May 29, 2024
edited
Loading

Reordering conditions presumes ct state is cache-hot at the point, can be vice-versa. Either way falls under measurable timer resolution compared to payload loading.

EDIT: hi @jow-

Andris PE added 2 commits June 1, 2024 18:49
Relocate rule to drop unneeded packets asap
aeb6cac 
Somewhat similar to PR22 to discard packets as soon as it is known they
need to be discarded.
Proto first not viable in this place
Revert "Relocate rule to drop unneeded packets asap"
c3f104f 
quite dumb to add extra checks before mainstream state plays

This reverts commit aeb6cac.
@brada4 brada4 changed the title ruleset: make synflood lighter using ct state [WIP]ruleset: make synflood lighter using ct state Aug 30, 2024
@brada4
Copy link
Author

brada4 commented Aug 30, 2024
edited
Loading

Got hint in forums another (starting empty) chain of similar power is useful in forward chain.
Will work that out incl adding to nftabled.d/README example on prepending something to existing chains.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@brada4