ebpf-ratelimiter.db
executable file · 1 lines (1 loc) · 10.8 KB
{"gitRepoUrl": "https://github.com/ebpf-networking/ebpf-ratelimiter.git", "commitId": "ba0d5996651b74b0e995f4f535583db3b050b4c7", "humanFuncDescription": [{"filePath": "./ratelimiting_kern.c", "funcName": "_xdp_ratelimit", "startLine": 100, "endLine": 276, "description": "This function implements a TCP connection rate limiter. Takes in input a packet in struct xdp_mp * ctx form. It first checks if input is a valid ethernet packet. It ignores other than ethernet packets, other than ip packets, other than tcp packets. If the packet is a valid tcp packet, it check if the packet is a TCP syn packet as it performs connection rate limiting it ignores packets other than tcp syn packets and even tcp syn ack packets. If the packet is a TCP SYN hence connection establishment packet, the code reads a map rl_config_map with key set to number 0 and receives the allowed rate of connections configured from the userspace if the map read fails, the function returns XDP_PASS else it continues execution. Next it checks which time window the packet corresponds to, a window is essentially a 1 second sliding window calculated by calling bpf_ktime_get_ns and getting the current time. Current time is used to calculate current window cw_key and previous window(current - 1 s) is used to calculate previous window pw_key. The function then performs a bunch of map reads, 1) rl_window_map twice with keys cw_key and pw_key which gives the cw_count and pw_count essentially current window packet count and previous window packet count. 2) rl_recv_count_map with key set to number 0 which tracks number of incommming connections 3) rl_drop_count_map with key set to number 0 which tracks number of dropped connections. If this is the first packet in this window then the function updates the map rl_window_map with key cw_key and value 0 and sets the cw_count to 0. 
If this is a new connection and no previous connection were present then the rate limiter allows connection if cw_count < rate and returns XDP_PASS else it drops the connection and returns XDP_DROP. If there had been previous connections then it calculates the number of connections accepted in last 1 sec from current time, if the total connections are higher than allowed rate, it drops the connection and returns XDP_DROP else it allows the connection and returns XDP_PASS. The function also updates the current window count and drop count before returning.", "author": "Theophilus A. Benson", "authorEmail": "[email protected]", "date": "2023-02-20"}, {"filePath": "transformed/ratelimiting_kern-TC.c", "funcName": "_xdp_ratelimit", "startLine": 64, "endLine": 128, "description": "This function implements a TCP connection rate limiter. Takes in input a packet in struct xdp_mp * ctx form. It first checks if input is a valid ethernet packet. It ignores other than ethernet packets, other than ip packets, other than tcp packets. If the packet is a valid tcp packet, it check if the packet is a TCP syn packet as it performs connection rate limiting it ignores packets other than tcp syn packets and even tcp syn ack packets. If the packet is a TCP SYN hence connection establishment packet, the code reads a map rl_config_map with key set to number 0 and receives the allowed rate of connections configured from the userspace if the map read fails, the function returns TC_ACT_OK else it continues execution. Next it checks which time window the packet corresponds to, a window is essentially a 1 second sliding window calculated by calling bpf_ktime_get_ns and getting the current time. Current time is used to calculate current window cw_key and previous window(current - 1 s) is used to calculate previous window pw_key. 
The function then performs a bunch of map reads, 1) rl_window_map twice with keys cw_key and pw_key which gives the cw_count and pw_count essentially current window packet count and previous window packet count. 2) rl_recv_count_map with key set to number 0 which tracks number of incommming connections 3) rl_drop_count_map with key set to number 0 which tracks number of dropped connections. If this is the first packet in this window then the function updates the map rl_window_map with key cw_key and value 0 and sets the cw_count to 0. If this is a new connection and no previous connection were present then the rate limiter allows connection if cw_count < rate and returns TC_ACT_OK else it drops the connection and returns TC_ACT_SHOT. If there had been previous connections then it calculates the number of connections accepted in last 1 sec from current time, if the total connections are higher than allowed rate, it drops the connection and returns TC_ACT_SHOT else it allows the connection and returns TC_ACT_OK. The function also updates the current window count and drop count before returning.", "author": "Theophilus A. Benson", "authorEmail": "[email protected]", "date": "2023-02-20"}, {"filePath": "./ratelimiting_kern.c", "funcName": "_xdp_ratelimiting", "startLine": 279, "endLine": 289, "description": "This is a wrapper function which calls the base function _xdp_ratelimit with the same arument passed to it and returns its value", "author": "Theophilus A. Benson", "authorEmail": "[email protected]", "date": "2023-02-20"}, {"filePath": "transformed/ratelimiting_kern-TC.c", "funcName": "_xdp_ratelimiting", "startLine": 131, "endLine": 138, "description": "This is a wrapper function which calls the base function _xdp_ratelimit with the same arument passed to it and returns its value", "author": "Theophilus A. 
Benson", "authorEmail": "[email protected]", "date": "2023-02-20"}, {"filePath": "./ratelimiting_kern.c", "funcName": "_xdp_ratelimit", "startLine": 100, "endLine": 276, "description": "This function implements a TCP connection rate limiter. Takes in input a packet in struct xdp_mp * ctx form. It first checks if input is a valid ethernet packet. It ignores other than ethernet packets, other than ip packets, other than tcp packets. If the packet is a valid tcp packet, it check if the packet is a TCP syn packet as it performs connection rate limiting it ignores packets other than tcp syn packets and even tcp syn ack packets. If the packet is a TCP SYN hence connection establishment packet, the code reads a map rl_config_map with key set to number 0 and receives the allowed rate of connections configured from the userspace if the map read fails, the function returns XDP_PASS else it continues execution. Next it checks which time window the packet corresponds to, a window is essentially a 1 second sliding window calculated by calling bpf_ktime_get_ns and getting the current time. Current time is used to calculate current window cw_key and previous window(current - 1 s) is used to calculate previous window pw_key. The function then performs a bunch of map reads, 1) rl_window_map twice with keys cw_key and pw_key which gives the cw_count and pw_count essentially current window packet count and previous window packet count. 2) rl_recv_count_map with key set to number 0 which tracks number of incommming connections 3) rl_drop_count_map with key set to number 0 which tracks number of dropped connections. If this is the first packet in this window then the function updates the map rl_window_map with key cw_key and value 0 and sets the cw_count to 0. If this is a new connection and no previous connection were present then the rate limiter allows connection if cw_count < rate and returns XDP_PASS else it drops the connection and returns XDP_DROP. 
If there had been previous connections then it calculates the number of connections accepted in last 1 sec from current time, if the total connections are higher than allowed rate, it drops the connection and returns XDP_DROP else it allows the connection and returns XDP_PASS. The function also updates the current window count and drop count before returning.", "author": "Theophilus A. Benson", "authorEmail": "[email protected]", "date": "2023-02-20"}, {"filePath": "transformed/ratelimiting_kern-TC.c", "funcName": "_xdp_ratelimit", "startLine": 64, "endLine": 128, "description": "This function implements a TCP connection rate limiter. Takes in input a packet in struct xdp_mp * ctx form. It first checks if input is a valid ethernet packet. It ignores other than ethernet packets, other than ip packets, other than tcp packets. If the packet is a valid tcp packet, it check if the packet is a TCP syn packet as it performs connection rate limiting it ignores packets other than tcp syn packets and even tcp syn ack packets. If the packet is a TCP SYN hence connection establishment packet, the code reads a map rl_config_map with key set to number 0 and receives the allowed rate of connections configured from the userspace if the map read fails, the function returns TC_ACT_OK else it continues execution. Next it checks which time window the packet corresponds to, a window is essentially a 1 second sliding window calculated by calling bpf_ktime_get_ns and getting the current time. Current time is used to calculate current window cw_key and previous window(current - 1 s) is used to calculate previous window pw_key. The function then performs a bunch of map reads, 1) rl_window_map twice with keys cw_key and pw_key which gives the cw_count and pw_count essentially current window packet count and previous window packet count. 
2) rl_recv_count_map with key set to number 0 which tracks number of incommming connections 3) rl_drop_count_map with key set to number 0 which tracks number of dropped connections. If this is the first packet in this window then the function updates the map rl_window_map with key cw_key and value 0 and sets the cw_count to 0. If this is a new connection and no previous connection were present then the rate limiter allows connection if cw_count < rate and returns TC_ACT_OK else it drops the connection and returns TC_ACT_SHOT. If there had been previous connections then it calculates the number of connections accepted in last 1 sec from current time, if the total connections are higher than allowed rate, it drops the connection and returns TC_ACT_SHOT else it allows the connection and returns TC_ACT_OK. The function also updates the current window count and drop count before returning.", "author": "Theophilus A. Benson", "authorEmail": "[email protected]", "date": "2023-02-20"}, {"filePath": "./ratelimiting_kern.c", "funcName": "_xdp_ratelimiting", "startLine": 279, "endLine": 289, "description": "This is a wrapper function which calls the base function _xdp_ratelimit with the same arument passed to it and returns its value", "author": "Theophilus A. Benson", "authorEmail": "[email protected]", "date": "2023-02-20"}, {"filePath": "transformed/ratelimiting_kern-TC.c", "funcName": "_xdp_ratelimiting", "startLine": 131, "endLine": 138, "description": "This is a wrapper function which calls the base function _xdp_ratelimit with the same arument passed to it and returns its value", "author": "Theophilus A. Benson", "authorEmail": "[email protected]", "date": "2023-02-20"}]}