author | Steven Luong <sluong@cisco.com> | 2024-11-18 12:08:57 -0800 |
---|---|---|
committer | Florin Coras <florin.coras@gmail.com> | 2024-12-23 21:28:08 +0000 |
commit | 6d4dbd4f29d6789cf4ea799d0b2eb9d489fa339d (patch) | |
tree | 3c1b6b1d56bd86a1d6a99e36c020a81f54a43f8b /src/vnet/tcp | |
parent | 755690c6c31671bdce4771db04199e151c32c5d0 (diff) |
session: add auto sdl
New CLI to enable/disable auto-sdl (requires session enable rt-backend sdl)
auto-sdl <enable|disable> [threshold <n>] [remove-timeout <t>]
threshold is defined as the number of packets before the SDL entry is created to deny the source.
remove-timeout is defined as the time after which the SDL entry created earlier is removed.
Type: feature
Change-Id: I513094a59663970beae33257006c652674643764
Signed-off-by: Steven Luong <sluong@cisco.com>
Diffstat (limited to 'src/vnet/tcp')
-rw-r--r-- | src/vnet/tcp/tcp.c | 8 | ||||
-rw-r--r-- | src/vnet/tcp/tcp.h | 3 | ||||
-rw-r--r-- | src/vnet/tcp/tcp_output.c | 28 | ||||
-rw-r--r-- | src/vnet/tcp/tcp_sdl.h | 27 |
4 files changed, 66 insertions, 0 deletions
diff --git a/src/vnet/tcp/tcp.c b/src/vnet/tcp/tcp.c
index 1afc07918b7..aea49558882 100644
--- a/src/vnet/tcp/tcp.c
+++ b/src/vnet/tcp/tcp.c
@@ -1616,6 +1616,14 @@ tcp_punt_unknown (vlib_main_t * vm, u8 is_ip4, u8 is_add)
 tm->punt_unknown6 = is_add;
 }
 
+void
+tcp_sdl_enable_disable (tcp_sdl_cb_fn_t fp)
+{
+ tcp_main_t *tm = &tcp_main;
+
+ tm->sdl_cb = fp;
+}
+
 /**
 * Initialize default values for tcp parameters
 */
diff --git a/src/vnet/tcp/tcp.h b/src/vnet/tcp/tcp.h
index 8676db413a0..8feac807d59 100644
--- a/src/vnet/tcp/tcp.h
+++ b/src/vnet/tcp/tcp.h
@@ -25,6 +25,7 @@
 #include <vnet/tcp/tcp_sack.h>
 #include <vnet/tcp/tcp_bt.h>
 #include <vnet/tcp/tcp_cc.h>
+#include <vnet/tcp/tcp_sdl.h>
 
 typedef void (timer_expiration_handler) (tcp_connection_t * tc);
 
@@ -265,6 +266,8 @@ typedef struct _tcp_main
 
 /** message ID base for API */
 u16 msg_id_base;
+
+ tcp_sdl_cb_fn_t sdl_cb;
 } tcp_main_t;
 
 extern tcp_main_t tcp_main;
diff --git a/src/vnet/tcp/tcp_output.c b/src/vnet/tcp/tcp_output.c
index dd1ec555902..2fd20acf241 100644
--- a/src/vnet/tcp/tcp_output.c
+++ b/src/vnet/tcp/tcp_output.c
@@ -1282,6 +1282,32 @@ tcp_cc_init_rxt_timeout (tcp_connection_t * tc)
 tcp_recovery_on (tc);
 }
 
+static void
+tcp_check_syn_flood (tcp_connection_t *tc)
+{
+ tcp_main_t *tm = &tcp_main;
+ auto_sdl_track_prefix_args_t args = {};
+
+ if (tm->sdl_cb == 0)
+ return;
+
+ args.prefix.fp_addr = tc->c_rmt_ip;
+ if (tc->c_is_ip4)
+ {
+ args.prefix.fp_proto = FIB_PROTOCOL_IP4;
+ args.prefix.fp_len = 32;
+ }
+ else
+ {
+ args.prefix.fp_proto = FIB_PROTOCOL_IP6;
+ args.prefix.fp_len = 128;
+ }
+ args.fib_index = tc->c_fib_index;
+ args.action_index = 0;
+ args.tag = 0;
+ tm->sdl_cb (&args);
+}
+
 void
 tcp_timer_retransmit_handler (tcp_connection_t * tc)
 {
@@ -1397,6 +1423,8 @@ tcp_timer_retransmit_handler (tcp_connection_t * tc)
 tcp_connection_timers_reset (tc);
 tcp_program_cleanup (wrk, tc);
 tcp_worker_stats_inc (wrk, tr_abort, 1);
+
+ tcp_check_syn_flood (tc);
 return;
 }
 
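Review bot: tcp_sdl_enable_disable has no comment saying that the "disable" half of its name is expressed by passing a null fp, which is the only way a reader of tcp.h can tell how the hook is switched off; I would put `/** Install the auto-SDL callback, or clear it with fp == NULL; tm->sdl_cb is read on the data-path side by tcp_check_syn_flood */` above the definition. The assignment to tm->sdl_cb is a plain store with no barrier around it, while the reader in tcp_output.c runs from a TCP timer handler; presumably the CLI that calls this runs under the usual main-thread/worker synchronization, but that assumption is worth stating in the same comment so a future caller from another context does not rely on it by accident.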
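Review bot: tcp_check_syn_flood passes tc->c_rmt_ip to the SDL callback from the abort path of tcp_timer_retransmit_handler, i.e. for a peer whose handshake never completed, so the address it asks the session layer to deny has not been confirmed by a returned ACK and a flood with forged sources would cause deny entries for addresses that never sent anything; that caveat belongs on the function, e.g. `/* Remote address is unauthenticated here (no completed handshake): the resulting SDL entry is a time-limited heuristic deny, not proof of origin */`. The callback's int return is dropped at `tm->sdl_cb (&args);`; either document that the result is intentionally ignored or count the failure with the other worker stats. `args.action_index = 0; args.tag = 0;` repeats the zero-initialization already done by `= {}` and can be removed. The branch containing the new call starts outside the second hunk, so whether it is reached only from the SYN_RCVD retry path cannot be confirmed from here.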
diff --git a/src/vnet/tcp/tcp_sdl.h b/src/vnet/tcp/tcp_sdl.h
new file mode 100644
index 00000000000..482881b5b43
--- /dev/null
+++ b/src/vnet/tcp/tcp_sdl.h
@@ -0,0 +1,27 @@
+/* SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) 2024 Cisco Systems, Inc.
+ */
+
+#ifndef _vnet_tcp_sdl_h_
+#define _vnet_tcp_sdl_h_
+
+typedef struct _auto_sdl_track_prefix_args
+{
+ fib_prefix_t prefix;
+ u8 *tag;
+ u32 action_index;
+ u32 fib_index;
+} auto_sdl_track_prefix_args_t;
+
+typedef int (*tcp_sdl_cb_fn_t) (auto_sdl_track_prefix_args_t *args);
+extern void tcp_sdl_enable_disable (tcp_sdl_cb_fn_t fp);
+
+#endif /* _vnet_tcp_sdl_h_ */
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
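Review bot: tcp_sdl.h uses fib_prefix_t, u8 and u32 without including anything, so it compiles only when the includer has already pulled in the FIB and base types, as tcp.h happens to; adding `#include <vnet/fib/fib_types.h>` after the guard would make the header self-contained. Neither the struct nor the callback typedef carries a comment, and the commit message does not explain what tag, action_index or fib_index mean to the receiver, so I would document each field, e.g. `/** source to deny, /32 or /128 */` on prefix and `/** SDL action index; 0 in the TCP caller */` on action_index, and state on tcp_sdl_cb_fn_t what its int return signifies, since the caller added in tcp_output.c discards it.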