[dnsdist] eBPF filtering
Aleš Rygl
ales at rygl.net
Thu Oct 31 09:11:17 UTC 2024
Hello,
Let me ask a question related to eBPF filtering. I have the following eBPF
setup:
addCapabilitiesToRetain("CAP_SYS_ADMIN")
bpf = newBPFFilter({ipv4MaxItems=4096, ipv6MaxItems=2048, qnamesMaxItems=1024})
setDefaultBPFFilter(bpf)
setDynBlocksAction(DNSAction.Drop)
And dynamic rules like this:
local dbr = dynBlockRulesGroup()
-- a query type needs setQTypeRate; setRCodeRate expects a DNSRCode value
dbr:setQTypeRate(DNSQType.TXT, 5, 30, "Exceeded TXT rate", 120)
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 20, 30, "Exceeded NXD rate", 120)
dbr:setRCodeRate(DNSRCode.SERVFAIL, 5, 30, "Exceeded ServFail rate", 120)
dbr:setQTypeRate(DNSQType.ANY, 3, 30, "Exceeded ANY rate", 120)
dbr:setResponseByteRate(40000, 10, "Exceeded resp BW rate", 300)
It works fine. But I have noticed a situation where a client that is
allowed to send queries was blocked: his queries were dropped without
any apparent reason. His IP was not present in the output of
showDynBlocks(). This happened on both dnsdist instances he receives
from the network. Moving the VIP of dnsdist to a backup box with a freshly
restarted (rebooted) dnsdist solved the problem. When troubleshooting
this I noticed that this client had been blocked with eBPF many times in the
past.
Would it be possible that the entry for the eBPF block somehow persisted in
the kernel and was not deleted for some reason?
Is it possible to list the eBPF objects manually somehow?
What happens if there are active eBPF blocks and dnsdist is restarted
(or dies)? Are all of them cleared from kernel space?
Thanks
Ales
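The kernel-side view the poster is asking about can be inspected without dnsdist: a BPF map that is not pinned is released by the kernel as soon as the last file descriptor referring to it is closed, so it disappears when dnsdist exits, whereas a map pinned under /sys/fs/bpf outlives the process and can be listed with `bpftool map list` and dumped with `bpftool map dump -j pinned <path>`. dnsdist itself also exposes `bpf:getStats()` on the filter object. The script below is an added example, not code from the original post or from dnsdist: it decodes a `bpftool map dump -j` listing of an address map and reports entries the kernel still blocks that are missing from a copied showDynBlocks() list. It assumes (labelled in the code) that map keys are raw IPv4 or IPv6 addresses in network byte order and that each value starts with a little-endian 64-bit hit counter; the sample dumps are constructed, not captured.

```python
"""Inspect dnsdist eBPF block-map contents from a `bpftool map dump -j` listing.

Added example; not code from the original post or from dnsdist. Assumptions:
keys are raw IPv4 (4-byte) or IPv6 (16-byte) addresses in network byte order,
and each value begins with a little-endian 64-bit hit counter (the rest of the
value, an action field in dnsdist's layout, is ignored here). The sample dumps
below are constructed, not captured from a real box.
"""
import ipaddress
import json
import struct
import sys

# Constructed sample in the shape `bpftool map dump -j` uses for non-BTF maps:
# every entry is {"key": [hex bytes], "value": [hex bytes]}.
SAMPLE_V4_DUMP = json.dumps([
    {"key": ["0xc0", "0x00", "0x02", "0x19"],      # 192.0.2.25
     "value": ["0x2a"] + ["0x00"] * 15},           # counter 42
    {"key": ["0xc6", "0x33", "0x64", "0x0a"],      # 198.51.100.10
     "value": ["0x01"] + ["0x00"] * 15},           # counter 1
])
SAMPLE_V6_DUMP = json.dumps([
    {"key": ["0x20", "0x01", "0x0d", "0xb8"] + ["0x00"] * 11 + ["0x01"],  # 2001:db8::1
     "value": ["0x07"] + ["0x00"] * 15},                                 # counter 7
])


def _hex_list_to_bytes(cells):
    """Turn bpftool's ["0xc0", "0x00", ...] cell list into bytes."""
    return bytes(int(cell, 16) for cell in cells)


def decode_entries(dump_json):
    """Map each blocked address in the dump to its hit counter.

    Raises ValueError on a key that is neither 4 nor 16 bytes, so a dump of
    the wrong map (for instance the qname map) is rejected instead of misread.
    """
    entries = {}
    for item in json.loads(dump_json):
        key = _hex_list_to_bytes(item["key"])
        if len(key) not in (4, 16):
            raise ValueError(f"unexpected key length {len(key)}; not an address map")
        value = _hex_list_to_bytes(item["value"])
        if len(value) < 8:
            raise ValueError("value too short to hold a 64-bit counter")
        (counter,) = struct.unpack_from("<Q", value, 0)  # assumed layout: counter first
        entries[str(ipaddress.ip_address(key))] = counter
    return entries


def find_stale(bpf_entries, dynblock_addresses):
    """Addresses present in the kernel map but absent from showDynBlocks().

    `dynblock_addresses` is whatever the operator copied out of showDynBlocks();
    anything the kernel still blocks that dnsdist no longer lists is a
    candidate leftover entry. Returned sorted for stable output.
    """
    listed = set(dynblock_addresses)
    return sorted(addr for addr in bpf_entries if addr not in listed)


if __name__ == "__main__":
    # Usage: bpftool map dump -j pinned /sys/fs/bpf/<map> | python3 this.py [ip ...]
    # Addresses given on the command line are treated as the current
    # showDynBlocks() output; with none, every map entry is reported as stale.
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_V4_DUMP
    entries = decode_entries(dump)
    for addr, hits in sorted(entries.items()):
        print(f"{addr:<40} hits={hits}")
    for addr in find_stale(entries, sys.argv[1:]):
        print(f"not in showDynBlocks(): {addr}")
```

Run it against a pinned map only after confirming, with `bpftool map list`, which map id belongs to the dnsdist v4 or v6 address map; feeding it the qname map trips the key-length check on purpose rather than printing nonsense addresses.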