ProHoster > Блог > Gudanarwa > Muna rubuta kariya daga harin DDoS akan XDP. Bangaren nukiliya
Muna rubuta kariya daga harin DDoS akan XDP. Bangaren nukiliya
Fasahar eXpress Data Path (XDP) tana ba da damar sarrafa zirga-zirgar ababen hawa a kan mu'amalar Linux kafin fakitin su shiga tarin cibiyar sadarwar kwaya. Aikace-aikacen XDP - kariya daga hare-haren DDoS (CloudFlare), matattara masu rikitarwa, tarin ƙididdiga (Netflix). Ana aiwatar da shirye-shiryen XDP ta na'urar kama-da-wane ta eBPF, don haka suna da hani akan duka lambar su da ayyukan kernel da ke akwai dangane da nau'in tacewa.
An yi nufin labarin don cika gazawar abubuwa da yawa akan XDP. Da fari dai, suna ba da lambar da aka shirya wanda nan da nan ke ƙetare sifofin XDP: an shirya shi don tabbatarwa ko kuma yana da sauƙin haifar da matsala. Lokacin da kuke ƙoƙarin rubuta lambar ku daga karce, ba ku da masaniyar abin da za ku yi da kurakurai na yau da kullun. Na biyu, hanyoyin da za a gwada XDP a cikin gida ba tare da VM da hardware ba ba a rufe su ba, duk da cewa suna da nasu ramukan. An yi nufin rubutun ga masu shirye-shirye da suka saba da hanyar sadarwa da Linux waɗanda ke sha'awar XDP da eBPF.
A cikin wannan ɓangaren, za mu fahimci dalla-dalla yadda ake haɗa matatun XDP da yadda za a gwada shi, sannan za mu rubuta sassauƙan sigar sanannen kukis na SYN a matakin sarrafa fakiti. Ba za mu ƙirƙiri "jerin farar fata" ba tukuna
ingantattun abokan ciniki, kiyaye ƙididdiga da sarrafa tacewa - isassun rajistan ayyukan.
Za mu rubuta a C - ba gaye ba ne, amma yana da amfani. Ana samun duk lambar akan GitHub ta hanyar haɗin gwiwa a ƙarshen kuma an raba shi zuwa aikatawa bisa ga matakan da aka bayyana a cikin labarin.
Bayarwa. A tsawon wannan labarin, zan samar da ƙaramin bayani don kawar da hare-haren DDoS, saboda wannan aiki ne na gaske ga XDP da yanki na gwaninta. Koyaya, babban burin shine fahimtar fasaha; wannan ba jagora bane don ƙirƙirar kariyar da aka shirya. Ba a inganta lambar koyawa ba kuma ta tsallake wasu nuances.
Takaitaccen Bayani na XDP
Zan zayyana mahimman mahimman bayanai ne kawai don kada in kwafin takardu da labaran da ke akwai.
Don haka, ana loda lambar tacewa a cikin kwaya. Ana wuce fakiti masu shigowa zuwa tace. A sakamakon haka, tace dole ne ya yanke shawara: shigar da fakitin cikin kwaya (XDP_PASS), fakitin sauke (XDP_DROP) ko kuma mayar da shi (XDP_TX). Tace na iya canza kunshin, wannan gaskiya ne musamman ga XDP_TX. Hakanan zaka iya soke shirin (XDP_ABORTED) kuma sake saita kunshin, amma wannan kwatankwacin ne assert(0) - don gyara kuskure.
EBPF (Extended Berkley Packet Filter) na'ura mai kama da gaskiya an yi shi da gangan don kernel zai iya bincika cewa lambar ba ta madauki kuma baya lalata ƙwaƙwalwar wasu mutane. Tarin hani da dubawa:
An haramta madaukai (na baya).
Akwai tarin bayanai, amma babu ayyuka (duk ayyukan C dole ne a sanya su cikin layi).
An hana samun damar ƙwaƙwalwar ajiya a waje da tari da buffer.
Girman lambar yana da iyaka, amma a aikace wannan ba shi da mahimmanci.
Kira zuwa ayyukan kwaya na musamman (mataimakan eBPF) ne kawai aka yarda.
Zanewa da sanya tacewa yayi kama da haka:
Lambar tushe (misali kernel.c) an haɗa shi cikin abu (kernel.o) don tsarin gine-ginen injina na eBPF. Tun daga Oktoba 2019, Clang yana samun goyan bayan haɗawa zuwa eBPF kuma an yi alkawarinsa a cikin GCC 10.1.
Idan wannan lambar abu ta ƙunshi kira zuwa tsarin kernel (misali, teburi da ƙididdiga), ana maye gurbin ID ɗin su da sifili, wanda ke nufin ba za a iya aiwatar da irin wannan lambar ba. Kafin lodawa cikin kwaya, kuna buƙatar maye gurbin waɗannan sifilai tare da ID na takamaiman abubuwan da aka ƙirƙira ta hanyar kiran kernel (haɗa lambar). Kuna iya yin wannan tare da abubuwan amfani na waje, ko kuma kuna iya rubuta shirin da zai haɗa da loda takamaiman tacewa.
Kwayar tana tabbatar da shirin da aka ɗora. Ana duba rashin hawan keke da gazawar wuce fakiti da iyakoki. Idan mai tabbatarwa ba zai iya tabbatar da cewa lambar daidai ba ne, an ƙi shirin - kuna buƙatar samun damar faranta masa rai.
Bayan ingantaccen tabbaci, kernel ɗin yana tattara lambar abu na eBPF cikin lambar injin don tsarin gine-gine (daidai-lokaci).
Shirin yana haɗawa da ke dubawa kuma ya fara sarrafa fakiti.
Tun da XDP ke gudana a cikin kwaya, ana aiwatar da gyara kuskure ta amfani da rajistan ayyukan ganowa kuma, a zahiri, fakiti waɗanda shirin ke tacewa ko samarwa. Koyaya, eBPF yana tabbatar da cewa lambar da aka zazzage tana da tsaro ga tsarin, saboda haka zaku iya gwaji tare da XDP kai tsaye akan Linux na gida.
Shirya Muhalli
Majalisar
Clang ba zai iya samar da lambar abu kai tsaye don gine-ginen eBPF ba, don haka tsarin ya ƙunshi matakai biyu:
Haɗa lambar C zuwa bytecode LLVM (clang -emit-llvm).
Maida bytecode zuwa lambar abu na eBPF (llc -march=bpf -filetype=obj).
Lokacin rubuta tacewa, fayiloli guda biyu tare da ayyukan taimako da macros zasu yi amfani daga gwajin kwaya. Yana da mahimmanci cewa sun dace da sigar kernel (KVER). Zazzage su zuwa helpers/:
KDIR ya ƙunshi hanyar zuwa kanun kernel, ARCH - tsarin gine-gine. Hanyoyi da kayan aikin na iya bambanta dan kadan tsakanin rarrabawa.
Misali na bambance-bambance na Debian 10 (kernel 4.19.67)
# другая команда
CLANG ?= clang
LLC ?= llc-7
# другой каталог
KDIR ?= /usr/src/linux-headers-$(shell uname -r)
ARCH ?= $(subst x86_64,x86,$(shell uname -m))
# два дополнительных каталога -I
CFLAGS =
-Ihelpers
-I/usr/src/linux-headers-4.19.0-6-common/include
-I/usr/src/linux-headers-4.19.0-6-common/arch/$(ARCH)/include
# далее без изменений
CFLAGS haɗa kundin adireshi tare da masu kai taimako da kundayen adireshi da yawa tare da kanun kernel. Alama __KERNEL__ yana nufin cewa UAPI (userspace API) an ayyana masu kai don lambar kwaya, tunda ana aiwatar da tacewa a cikin kernel.
Ana iya kashe kariyar tari (-fno-stack-protector), saboda mai tabbatar da lambar eBPF har yanzu yana bincikar rashin iyakoki. Yana da daraja kunna ingantawa nan da nan, saboda girman eBPF bytecode yana iyakance.
Bari mu fara da tacewa wanda ya wuce duk fakiti kuma bai yi komai ba:
tawagar make yana tarawa xdp_filter.o. A ina zan gwada shi yanzu?
Gwajin tsayawa
Dole ne wurin tsayawa ya haɗa da musaya guda biyu: waɗanda za a sami tacewa kuma daga waɗanne fakiti za a aika. Waɗannan dole ne su zama cikakkun na'urorin Linux tare da nasu IPs don bincika yadda aikace-aikacen yau da kullun ke aiki tare da tacewa.
Nau'in na'urar veth (virtual Ethernet) sun dace da mu: waɗannan nau'ikan mu'amalar hanyar sadarwa ce ta “haɗa” kai tsaye da juna. Kuna iya ƙirƙirar su kamar haka (a cikin wannan sashe duk umarni ip ana gudanar da su daga root):
ip link add xdp-remote type veth peer name xdp-local
Yana da xdp-remote и xdp-local - sunayen na'ura. Kunna xdp-local (192.0.2.1/24) za a haɗa tace, tare da xdp-remote (192.0.2.2/24) za a aika zirga-zirga mai shigowa. Duk da haka, akwai matsala: musaya suna kan na'ura ɗaya, kuma Linux ba zai aika da zirga-zirga zuwa ɗayansu ta ɗayan ba. Kuna iya magance wannan tare da ƙa'idodi masu banƙyama iptables, amma dole ne su canza fakiti, wanda bai dace ba don cirewa. Yana da kyau a yi amfani da wuraren sunaye na cibiyar sadarwa (netns daga baya).
Wurin sunan cibiyar sadarwa yana ƙunshe da saitin musaya, teburi, da ka'idojin NetFilter waɗanda ke ware daga abubuwa iri ɗaya a cikin sauran gidajen yanar sadarwa. Kowane tsari yana gudana a cikin sararin suna kuma yana da damar yin amfani da abubuwan wannan hanyar sadarwa kawai. Ta hanyar tsoho, tsarin yana da sararin sunan cibiyar sadarwa guda ɗaya don duk abubuwa, don haka zaku iya aiki a cikin Linux kuma ba ku sani ba game da netns.
Bari mu ƙirƙiri sabon filin suna xdp-test kuma motsa shi zuwa can xdp-remote.
ip netns add xdp-test
ip link set dev xdp-remote netns xdp-test
Sa'an nan kuma tsari yana gudana xdp-test, ba zai "gani ba" xdp-local (zai kasance a cikin netns ta tsohuwa) kuma lokacin aika fakiti zuwa 192.0.2.1 zai wuce ta. xdp-remotesaboda ita ce kawai ke dubawa akan 192.0.2.0/24 m ga wannan tsari. Wannan kuma yana aiki a kishiyar shugabanci.
Lokacin matsawa tsakanin netns, mahaɗin yana sauka kuma ya rasa adireshinsa. Don saita dubawa a cikin netns, kuna buƙatar gudu ip ... a cikin wannan umarnin sunaye ip netns exec:
ip netns exec xdp-test
ip address add 192.0.2.2/24 dev xdp-remote
ip netns exec xdp-test
ip link set xdp-remote up
Kamar yadda kuke gani, wannan bai bambanta da saitin ba xdp-local a cikin tsohowar sunaye:
ip address add 192.0.2.1/24 dev xdp-local
ip link set xdp-local up
Idan ka gudu tcpdump -tnevi xdp-local, kuna iya ganin fakitin da aka aiko daga xdp-test, ana isar da su zuwa wannan keɓancewa:
ip netns exec xdp-test ping 192.0.2.1
Ya dace don ƙaddamar da harsashi a ciki xdp-test. Wurin ajiya yana da rubutun da ke sarrafa aiki tare da tsayawar; misali, zaku iya saita tsayawar tare da umarni sudo ./stand up kuma share shi sudo ./stand down.
Bibiya
Ana haɗa tacewa da na'urar kamar haka:
ip -force link set dev xdp-local xdp object xdp_filter.o verbose
Key -force ana buƙatar haɗa sabon shirin idan an riga an haɗa wani. "Babu labari mai kyau" ba game da wannan umarni ba ne, ƙarshe yana da yawa a kowane hali. nuna verbose na zaɓi, amma tare da shi rahoto yana bayyana akan aikin mai tabbatar da lambar tare da lissafin taro:
Verifier analysis:
0: (b7) r0 = 2
1: (95) exit
Cire haɗin shirin daga mahaɗin:
ip link set dev xdp-local xdp off
A cikin rubutun waɗannan umarni ne sudo ./stand attach и sudo ./stand detach.
Ta hanyar haɗa tacewa, zaku iya tabbatar da hakan ping ya ci gaba da gudana, amma shirin yana aiki? Bari mu ƙara rajistan ayyukan. Aiki bpf_trace_printk() kama da printf(), amma kawai yana goyan bayan har zuwa gardama guda uku ban da ƙirar, da taƙaitaccen jerin ƙididdiga. Macro bpf_printk() sauƙaƙa kiran.
Gaskiyar ita ce, shirye-shiryen eBPF ba su da sashin bayanai, don haka kawai hanyar da za a ɓoye kirtani mai ƙira ita ce gardama nan da nan na umarnin VM:
Saboda wannan dalili, fitar da gyara kuskure yana lalata lambar da aka samu sosai.
Aika Fakitin XDP
Bari mu canza tace: bari ya mayar da duk fakiti masu shigowa. Wannan ba daidai ba ne daga ra'ayi na cibiyar sadarwa, tun da zai zama dole don canza adiresoshin a cikin masu kai, amma yanzu aikin a cikin mahimmanci yana da mahimmanci.
Kaddamarwa tcpdump a kan xdp-remote. Ya kamata ya nuna irin mai fita da mai shigowa ICMP Echo Request kuma a daina nuna ICMP Echo Reply. Amma bai nuna ba. Sai dai itace don aiki XDP_TX a cikin shirin a kan xdp-localya zama dolezuwa biyu dubawa xdp-remote an kuma sanya wani shiri ko da babu komai sai aka tashe shi.
Ta yaya na san wannan?
Bincika hanyar kunshin a cikin kwaya Tsarin abubuwan da suka faru na perf yana ba da damar, ta hanya, ta amfani da injin kama-da-wane, wato, ana amfani da eBPF don rarrabuwa tare da eBPF.
Dole ne ku yi alheri daga mugunta, domin ba abin da za ku iya yi.
Idan kawai aka nuna ARPs maimakon, kuna buƙatar cire masu tacewa (wannan yana yi sudo ./stand detach), bari mu tafi ping, sannan saita tacewa kuma a sake gwadawa. Matsalar tace XDP_TX inganci duka akan ARP kuma idan tari
wuraren suna xdp-test gudanar da "manta" da MAC address 192.0.2.1, shi ba zai iya warware wannan IP.
Tsara matsalar
Bari mu matsa zuwa aikin da aka bayyana: rubuta tsarin kukis na SYN akan XDP.
Ambaliyar SYN ta kasance sanannen harin DDoS, wanda asalinsa shine kamar haka. Lokacin da aka kafa haɗi (musafaha TCP), uwar garken yana karɓar SYN, ya ware albarkatu don haɗin gaba, amsa tare da fakitin SYNACK kuma yana jiran ACK. Maharin yana aika dubunnan fakitin SYN a sakan daya daga adiresoshin da ba su da tushe daga kowane mai masaukin baki a cikin botnet mai ƙarfi-dubu-dubu. Ana tilasta uwar garken don ware albarkatu nan da nan bayan isowar fakitin, amma ta sake su bayan babban lokacin ƙarewa; sakamakon haka, ƙwaƙwalwar ajiya ko iyakoki sun ƙare, ba a karɓi sabbin hanyoyin sadarwa ba, kuma babu sabis ɗin.
Idan baku ware albarkatu bisa fakitin SYN ba, amma kawai amsa da fakitin SYNACK, ta yaya uwar garken zata iya fahimtar cewa fakitin ACK da ya zo daga baya yana nufin fakitin SYN da ba a ajiye ba? Bayan haka, maharin kuma yana iya ƙirƙirar ACKs na karya. Manufar kuki ɗin SYN shine a ɓoye shi a ciki seqnum sigogin haɗin kai azaman hash na adireshi, tashar jiragen ruwa da canza gishiri. Idan ACK yayi nasarar isowa kafin a canza gishiri, zaku iya sake lissafin zanta kuma ku kwatanta shi da acknum. Ƙirƙira acknum maharin ba zai iya ba, tunda gishiri ya haɗa da sirrin, kuma ba zai sami lokaci don warware shi ba saboda ƙayyadaddun tashoshi.
An dade ana aiwatar da kuki na SYN a cikin kwaya ta Linux kuma ana iya kunna ta ta atomatik idan SYNs sun zo da sauri da yawa.
Shirin ilimi akan musafaha TCP
TCP yana ba da watsa bayanai azaman rafi na bytes, misali, buƙatun HTTP ana watsa su akan TCP. Ana watsa rafi a guntu a cikin fakiti. Duk fakitin TCP suna da tutoci masu ma'ana da lambobi masu 32-bit:
Haɗin tutoci yana ƙayyade rawar wani kunshin. Tutar SYN tana nuna cewa wannan shine fakitin farko na mai aikawa akan haɗin. Tutar ACK tana nufin cewa mai aikawa ya karɓi duk bayanan haɗin kai har zuwa byte acknum. Fakiti na iya samun tutoci da yawa kuma ana kiran su ta hanyar haɗin gwiwa, misali, fakitin SYNACK.
Lambar jeri (seqnum) tana ƙayyadad da kashewa a cikin rafin bayanai don byte na farko da aka watsa a cikin wannan fakiti. Misali, idan a cikin fakitin farko mai x bytes na bayanai wannan lambar N, a fakiti na gaba mai sabbin bayanai zai zama N+X. A farkon haɗin, kowane gefe yana zaɓar wannan lambar ba da gangan ba.
Lambar girmamawa (acknum) - daidaitaccen daidai yake da seqnum, amma bai ƙayyade adadin byte ɗin da ake watsawa ba, amma lambar farkon byte daga mai karɓa, wanda mai aikawa bai gani ba.
A farkon haɗin gwiwar, dole ne ƙungiyoyi su amince seqnum и acknum. Abokin ciniki yana aika fakitin SYN tare da shi seqnum = X. Sabar tana amsawa da fakitin SYNACK, inda yake yin rikodin sa seqnum = Y da fallasa acknum = X + 1. Abokin ciniki yana amsa SYNACK tare da fakitin ACK, inda seqnum = X + 1, acknum = Y + 1. Bayan wannan, ainihin canja wurin bayanai yana farawa.
Idan takwarorinsu bai amince da karɓar fakitin ba, TCP yana sake aika shi bayan an ƙare.
Me yasa ba koyaushe ake amfani da kukis na SYN ba?
Da farko, idan SYNACK ko ACK ya ɓace, dole ne ku jira don sake aika shi - saitin haɗin zai ragu. Abu na biyu, a cikin kunshin SYN - kuma kawai a ciki! - da dama zažužžukan da ake aikatãwa da cewa rinjayar da ƙarin aiki na dangane. Ba tare da tunawa da fakitin SYN masu shigowa ba, uwar garken ta yi watsi da waɗannan zaɓuɓɓukan; abokin ciniki ba zai aika su cikin fakiti na gaba ba. TCP na iya aiki a wannan yanayin, amma aƙalla a matakin farko ingancin haɗin zai ragu.
Ta fuskar fakiti, shirin XDP dole ne ya yi abubuwan da ke biyowa:
amsa SYN tare da SYNACK tare da kuki;
amsa ga ACK tare da RST (cire haɗin gwiwa);
jefar da sauran fakitin.
Pseudocode na algorithm tare da fakitin fakiti:
Если это не Ethernet,
пропустить пакет.
Если это не IPv4,
пропустить пакет.
Если адрес в таблице проверенных, (*)
уменьшить счетчик оставшихся проверок,
пропустить пакет.
Если это не TCP,
сбросить пакет. (**)
Если это SYN,
ответить SYN-ACK с cookie.
Если это ACK,
если в acknum лежит не cookie,
сбросить пакет.
Занести в таблицу адрес с N оставшихся проверок. (*)
Ответить RST. (**)
В остальных случаях сбросить пакет.
Daya (*) wuraren da kuke buƙatar sarrafa yanayin tsarin suna alama - a matakin farko za ku iya yin ba tare da su ba ta hanyar aiwatar da musafaha na TCP kawai tare da tsara kuki na SYN azaman seqnum.
A wurin (**), yayin da ba mu da tebur, za mu tsallake fakitin.
Ana aiwatar da musafaha na TCP
Fassara fakitin da tabbatar da lambar
Za mu buƙaci tsarin kan hanyar sadarwa: Ethernet (uapi/linux/if_ether.hIPv4 (uapi/linux/ip.hda TCP (uapi/linux/tcp.h). Na kasa haɗa na ƙarshe saboda kurakuran da suka shafi atomic64_t, Dole ne in kwafi ma'anar da suka dace a cikin lambar.
Duk ayyukan da aka yi wa alama a cikin C don karantawa dole ne a sanya su cikin layi a wurin kira, tunda mai tabbatar da eBPF a cikin kernel ya hana ja da baya, wato, madaukai da kiran aiki.
Shirin mai isar da ayyuka ne. Kowannensu yana karɓar fakiti wanda a cikinsa aka haskaka taken matakin daidai, misali, process_ether() yana sa ran a cika shi ether. Dangane da sakamakon binciken filin, aikin zai iya wuce fakitin zuwa matsayi mafi girma. Sakamakon aikin shine aikin XDP. A yanzu, masu SYN da ACK sun wuce duk fakiti.
Mabuɗin kirtani invalid access to packet, off=13 size=1, R7(id=0,off=0,r=0): Akwai hanyoyin aiwatarwa lokacin da byte na goma sha uku daga farkon buffer yana wajen fakitin. Yana da wuya a fahimta daga jeri ko wane layi muke magana akai, amma akwai lambar umarni (12) da mai rarrabawa da ke nuna layin lambar tushe:
wanda ya bayyana cewa matsalar ita ce ether. Zai kasance haka koyaushe.
Amsa ga SYN
Manufar a wannan mataki shine samar da fakitin SYNACK daidai tare da kafaffen seqnum, wanda za a maye gurbinsa a nan gaba ta hanyar kuki na SYN. Duk canje-canje suna faruwa a cikin process_tcp_syn() da kewaye.
Tabbatar da fakitin
Abin ban mamaki, ga layi mafi ban mamaki, ko kuma, sharhin da aka yi masa:
Lokacin rubuta sigar farko ta lambar, an yi amfani da kernel 5.1, don tabbatarwa wanda akwai bambanci tsakanin data_end и (const void*)ctx->data_end. A lokacin rubutawa, kernel 5.3.1 bai sami wannan matsala ba. Yana yiwuwa mai tarawa yana samun dama ga canjin gida daban da filin. Dabi'ar labarin: Sauƙaƙe lambar na iya taimakawa lokacin da ake yawan gida.
Na gaba akwai duba tsawon lokaci na yau da kullun don ɗaukakar mai tabbatarwa; O MAX_CSUM_BYTES a kasa.
Canza tashar jiragen ruwa na TCP, adireshin IP da adiresoshin MAC. Ba a iya samun daidaitaccen ɗakin karatu daga shirin XDP, don haka memcpy() - macro wanda ke ɓoye abubuwan Clang.
IPV4 da TCP checksum suna buƙatar ƙarin duk kalmomin 16-bit a cikin masu kai, kuma an rubuta girman rubutun a cikin su, wato, ba a sani ba a lokacin tattarawa. Wannan matsala ce saboda mai tabbatarwa ba zai tsallake madaidaicin madaidaicin madaidaicin iyaka ba. Amma girman kai yana iyakance: har zuwa 64 bytes kowanne. Kuna iya yin madauki tare da ƙayyadadden adadin maimaitawa, wanda zai iya ƙare da wuri.
Na lura cewa akwai RFC 1624 game da yadda za a sake ƙididdige juzu'i na checksum idan kawai an canza ƙayyadaddun kalmomin fakitin. Duk da haka, hanyar ba ta duniya ba ce, kuma aiwatarwa zai fi wuya a kiyaye.
Aikin lissafin Checksum:
#define MAX_CSUM_WORDS 32
#define MAX_CSUM_BYTES (MAX_CSUM_WORDS * 2)
INTERNAL u32
sum16(const void* data, u32 size, const void* data_end) {
u32 s = 0;
#pragma unroll
for (u32 i = 0; i < MAX_CSUM_WORDS; i++) {
if (2*i >= size) {
return s; /* normal exit */
}
if (data + 2*i + 1 + 1 > data_end) {
return 0; /* should be unreachable */
}
s += ((const u16*)data)[i];
}
return s;
}
Ko da yake size tabbatar da lambar kiran, yanayin fita na biyu ya zama dole domin mai tabbatarwa zai iya tabbatar da kammala madauki.
Don kalmomi 32-bit, ana aiwatar da mafi sauƙi:
INTERNAL u32
sum16_32(u32 v) {
return (v >> 16) + (v & 0xffff);
}
A haƙiƙa ana sake ƙididdige ƙididdige ƙididdiga da aika fakitin baya:
aiki carry() yana yin lissafin kuɗi daga jimlar 32-bit na kalmomi 16-bit, bisa ga RFC 791.
Tabbatar da musafaha TCP
Tace daidai yana kafa haɗi tare da netcat, ya ɓace ACK na ƙarshe, wanda Linux ya amsa tare da fakitin RST, tun da tarin cibiyar sadarwa bai karɓi SYN ba - an canza shi zuwa SYNACK kuma an mayar da shi - kuma daga ma'anar OS, fakiti ya zo wanda ba shi da alaƙa da buɗewa. haɗi.
$ sudo ip netns exec xdp-test nc -nv 192.0.2.1 6666
192.0.2.1 6666: Connection reset by peer
Yana da mahimmanci a bincika tare da cikakkun aikace-aikacen aikace-aikacen da lura tcpdump a kan xdp-remote domin misali, hping3 baya mayar da martani ga lissafin da ba daidai ba.
SYN kuki
Daga ra'ayi na XDP, tabbatarwa kanta ba komai bane. Algorithm na ƙididdigewa na farko ne kuma mai yuwuwa yana da rauni ga ƙwararrun mahari. Kernel na Linux, alal misali, yana amfani da SipHash na sirri, amma aiwatar da shi don XDP a sarari ya wuce iyakar wannan labarin.
An gabatar don sababbin TODOs masu alaƙa da sadarwar waje:
Shirin XDP ba zai iya adanawa ba cookie_seed (ɓangaren sirri na gishiri) a cikin canjin duniya, kuna buƙatar ajiya a cikin kwaya, wanda za a sabunta darajarsa lokaci-lokaci daga janareta mai dogara.
Idan kuki SYN yayi daidai a cikin fakitin ACK, ba kwa buƙatar buga saƙo, amma ku tuna IP na abokin ciniki da aka tabbatar don ci gaba da wucewa fakiti daga ciki.
Duk da yake babu jerin ingantattun IPs, ba za a sami kariya daga ambaliyar SYN da kanta ba, amma ga martani ga ambaliya ta ACK da aka ƙaddamar ta hanyar umarni mai zuwa:
sudo ip netns exec xdp-test hping3 --flood -A -s 1111 -p 2222 192.0.2.1
Wani lokaci eBPF gabaɗaya da XDP musamman ana gabatar da su azaman kayan aikin mai ci gaba fiye da azaman dandamali na haɓakawa. Lallai, XDP kayan aiki ne don tsoma baki tare da sarrafa fakiti ta kernel, kuma ba madadin tarin kwaya ba, kamar DPDK da sauran zaɓuɓɓukan kewayar kwaya. A gefe guda, XDP yana ba ku damar aiwatar da dabaru masu rikitarwa, wanda, ƙari kuma, yana da sauƙin sabuntawa ba tare da katsewa ba a cikin sarrafa zirga-zirga. Mai tabbatarwa baya haifar da manyan matsaloli; da kaina, ba zan ƙi wannan don sassan lambar sararin mai amfani ba.
A kashi na biyu, idan batun yana da ban sha'awa, za mu kammala tebur na abokan ciniki da aka tabbatar da kuma cire haɗin, aiwatar da ƙididdiga da rubuta mai amfani da sararin samaniya don sarrafa tacewa.