Integration of filtering policy and traffic loop analysis #111
base: traffic_filtering
Changes from all commits
772d281
abd3dad
5bee3e4
203ae98
b610905
1e55242
2967fb0
65eca24
8283bfb
c50b312
c770dce
601ae03
ea99a79
5017313
4c76460
b4ee8e8
2a8a6fb
cd0ecf6
cac500e
b970eda
74a2853
abf0ff9
aa52eb6
997f0aa
10248e9
da6b922
a06f32d
5e04ff8
| @@ -1,17 +1,50 @@ | ||
| FROM alpine:3.21.3 AS builder | ||
|
|
||
| RUN apk update && apk add --no-cache g++ openssl-dev cmake make curl-dev protobuf-dev | ||
| RUN apk add bazel --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing/ | ||
| FROM ubuntu:22.04 AS builder | ||
|
|
||
| RUN apt-get update && apt-get install -y \ | ||
| build-essential=12.9* \ | ||
| cmake=3.22* \ | ||
| curl=7.81* \ | ||
| git=1:2.34* \ | ||
| wget=1.21* \ | ||
| meson=0.61* \ | ||
| ninja-build=1.10* \ | ||
| libssl-dev=3.0* \ | ||
| protobuf-compiler=3.12* \ | ||
| libprotobuf-dev=3.12* \ | ||
| python3=3.10* \ | ||
| python3-pip=22.0* \ | ||
| libnuma-dev=2.0* \ | ||
| pkg-config=0.29* \ | ||
| libcurl4-openssl-dev=7.81* \ | ||
| libbpf-dev=1:0.5* \ | ||
| gcc=4:11* \ | ||
| g++=4:11* \ | ||
| m4=1.4* \ | ||
| libpcap-dev=1.10* \ | ||
| libsqlite3-dev=3.37* \ | ||
| && rm -rf /var/lib/apt/lists/* | ||
|
|
||
| RUN pip3 install pyelftools | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. аналогично про версии
|
||
|
|
||
| RUN wget https://github.com/bazelbuild/bazel/releases/download/8.2.1/bazel-8.2.1-linux-x86_64 \ | ||
| && chmod +x bazel-8.2.1-linux-x86_64 \ | ||
| && mv bazel-8.2.1-linux-x86_64 /usr/local/bin/bazel | ||
|
|
||
| RUN wget https://fast.dpdk.org/rel/dpdk-23.11.tar.xz && \ | ||
| tar -xf dpdk-23.11.tar.xz && \ | ||
| cd dpdk-23.11 && \ | ||
| meson setup build --libdir=lib && \ | ||
| ninja -C build && \ | ||
| ninja -C build install && \ | ||
| cd .. && \ | ||
| rm -rf dpdk-23.11 dpdk-23.11.tar.xz | ||
|
|
||
| ENV PKG_CONFIG_PATH=/usr/local/lib/pkgconfig | ||
|
|
||
| WORKDIR /app | ||
|
|
||
| COPY scripts/get_prometheus_cpp.sh scripts/ | ||
| RUN sh scripts/get_prometheus_cpp.sh | ||
| RUN apk add --no-cache llvm18 clang18 | ||
| RUN ln -s /usr/lib/llvm18/bin/llvm-ar /bin/llvm-ar-18 | ||
| RUN ln -s /usr/bin/clang++-18 /usr/bin/clang++ | ||
| RUN ln -s /usr/bin/clang-18 /usr/bin/clang | ||
|
|
||
|
|
||
| COPY ./src/ ./src/ | ||
| COPY ./include/ ./include/ | ||
|
|
@@ -21,17 +54,10 @@ COPY ./communication.proto ./ | |
| COPY ./toolchains ./toolchains | ||
| COPY ./platforms ./platforms | ||
|
|
||
|
|
||
| RUN bazel build //:worker --extra_toolchains=//toolchains/x86_64:cc_toolchain_for_linux_x86_64 --platforms=//platforms:x86_64_linux | ||
|
|
||
| FROM alpine:3.21.3 | ||
|
|
||
| RUN apk update && apk add --no-cache libstdc++ libgcc libssl3 libcurl protobuf-dev | ||
|
|
||
| COPY --from=builder /app/bazel-bin/worker /usr/local/bin/worker | ||
| COPY --from=builder /app/prometheus-cpp-with-submodules/build/lib/ /usr/lib | ||
|
|
||
| RUN bazel build //:worker | ||
|
|
||
| WORKDIR /data | ||
|
|
||
| ENTRYPOINT ["/usr/local/bin/worker", "/data/test.txt", "sha256"] | ||
| RUN ldconfig | ||
|
|
||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. наверное стоит какой-то мюльтистейдж прикрутить в перспективе |
||
| ENTRYPOINT ["/app/bazel-bin/worker"] | ||
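Review bot: The bazel binary fetched on the `RUN wget https://github.com/bazelbuild/bazel/releases/download/8.2.1/bazel-8.2.1-linux-x86_64` line is made executable and moved into /usr/local/bin with no integrity check, so whatever the download returns is executed on every build; the same applies to the dpdk-23.11.tar.xz fetched from fast.dpdk.org a few lines later. Pin the expected digest and let the build fail on mismatch, e.g. right after the first wget: `&& echo "<BAZEL_8_2_1_SHA256>  bazel-8.2.1-linux-x86_64" | sha256sum -c - \` (Bazel releases publish a matching .sha256 file next to each binary), and likewise run `sha256sum -c` on the DPDK tarball before `tar -xf`. The versions are already pinned, so adding the digests is what makes those two downloads reproducible rather than merely named.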
| @@ -1,6 +1,6 @@ | ||
| CC = gcc | ||
| CFLAGS_BASE = -Iinclude -O2 -msse4.2 -mpclmul -maes | ||
| LDFLAGS = -lrte_eal -lrte_ethdev -lrte_mempool -lrte_mbuf -lrte_bus_vdev -lpthread -lnuma -ldl -lrte_net -lrte_hash -lsqlite3 | ||
| LDFLAGS = -lrte_eal -lrte_ethdev -lrte_mempool -lrte_mbuf -lrte_bus_vdev -lpthread -lnuma -ldl -lrte_net -lrte_hash -lsqlite3 -lrte_timer | ||
|
|
||
| SRCS = src/dpdk_filter/main.c src/dpdk_filter/net_port.c src/dpdk_filter/filtr_packets.c src/dpdk_filter/pars_packets.c src/dpdk_filter/proc_packets.c src/dpdk_filter/dns_cache.c | ||
|
|
||
|
|
@@ -20,4 +20,4 @@ $(TARGET_VIRT): $(SRCS) | |
| clean: | ||
| rm -f $(TARGET_REAL) $(TARGET_VIRT) | ||
|
|
||
| .PHONY: all clean virt | ||
| .PHONY: all clean virt | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. new line лучше оставлять |
||
| @@ -0,0 +1,80 @@ | ||
| # Драйвера dpdk | ||
| DPDK должен быть собран с драйверами net/af_xdp net/tap | ||
|
|
||
|
|
||
| # Кросс-компиляция | ||
|
|
||
| ## Окружение | ||
| Скрипт `scripts/setup-riscv-env.sh` автоматически скачивает (при необходимости) и собирает DPDK 23.11 для архитектуры RISC-V. | ||
|
|
||
| ```bash | ||
| ./scripts/setup-riscv-env.sh | ||
| ``` | ||
|
|
||
| ## SQLite | ||
| Если целевая архитектура — RISC-V, SQLite необходимо собрать кросс-компилятором. | ||
|
|
||
| ```bash | ||
| wget https://www.sqlite.org/2024/sqlite-autoconf-3460100.tar.gz | ||
| tar -xzf sqlite-autoconf-3460100.tar.gz | ||
| cd sqlite-autoconf-3460100 | ||
|
|
||
| ./configure --host=riscv64-linux-gnu --prefix=/path/to/sqlite3-riscv-install | ||
| make -j$(nproc) | ||
| make install | ||
| ``` | ||
|
|
||
| После установки в указанном prefix появятся подкаталоги include/ и lib/ с необходимыми файлами. | ||
|
|
||
|
|
||
|
|
||
| # Создание пары veth и TAP-устройства | ||
|
|
||
| ```bash | ||
| sudo ./scripts/set_virt_dev_for_test_xdp.sh | ||
| ``` | ||
| Скрипт создаёт пару veth0 - veth1 | ||
|
|
||
|
|
||
| ```bash | ||
| sudo ./scripts/set_tap_dev.sh | ||
| ``` | ||
| Скрипт создаёт TAP-устройство tap0 | ||
|
|
||
|
|
||
|
|
||
| # Сборка проекта | ||
| Для реальных портов (eth0/eth1): | ||
| ```bash | ||
| make -f Makefile.main_riscv all | ||
| ``` | ||
|
|
||
| Для виртуальных портов (veth0/veth1 + tap0): | ||
| ```bash | ||
| make -f Makefile.main_riscv virt | ||
| ``` | ||
| Определение макроса -DVIRT_PORTS переключает программу на использование виртуальных интерфейсов. | ||
|
|
||
|
|
||
| Перед запуском рекомендуется выполнить скрипт настройки виртуальных устройств: | ||
| ```bash | ||
| sudo ./scripts/set_virt_dev_for_test_xdp.sh | ||
| ``` | ||
|
|
||
|
|
||
| # Очистка | ||
| ```bash | ||
| make -f Makefile.main_riscv clean | ||
| ``` | ||
|
|
||
| # Запуск | ||
| Программа требует прав суперпользователя (для работы с DPDK и XDP): | ||
| ```bash | ||
| sudo ./main-riscv-virt | ||
| ``` | ||
|
|
||
|
|
||
| # Примечания | ||
| Кэш DNS автоматически сохраняется в cache.db (SQLite) и восстанавливается при перезапуске. | ||
|
|
||
| Периодическое сохранение кэша происходит каждый час с помощью таймеров DPDK. |
| @@ -1,26 +1,33 @@ | ||
| REQUESTED_CLASSIFICATION структура для передачи от контроллера к воркеру: | ||
| REQUESTED_CLASSIFICATION - структура для передачи от контроллера к воркеру: | ||
|
|
||
| ```code | ||
| struct requested_classification { | ||
| char get_categories[MAX_CATEGORIES][CATEGORY_MAX_LEN] - политика | ||
| int get_trust_level - уровень доверия к сайту | ||
| char get_categories[MAX_CATEGORIES][CATEGORY_MAX_LEN] | ||
| int get_trust_level | ||
| } | ||
| ``` | ||
|
|
||
| Структура для хранения категории с минимальным уровнем доверия для этой категории: | ||
|
|
||
| Структура для хранения категории с минимальным уровнем доверия для этой категории | ||
| ```code | ||
| struct trust_categories_with_lvl { | ||
| char locked_by_trust_category[CATEGORY_MAX_LEN]; | ||
| int trust_lvl; | ||
| } | ||
| ``` | ||
|
|
||
| у нас есть переменные, которые получаем при инициализации воркера и заносим в структуру (периодически обновляем): | ||
|
|
||
| у нас есть переменные, которые получаем при инициализации воркера и заносим в структуру (периодически обновляем) | ||
| ```code | ||
| struct BASE_POLICY { | ||
| char locked_categories[MAX_CATEGORIES][CATEGORY_MAX_LEN]; | ||
| struct trust_categories_with_lvl categories_with_lvl[MAX_CATEGORIES_BY_TRUST_LVL]; | ||
| char block_domains[MAX_DOMAINS][MAX_LEN_DOMEIN]; | ||
| char allow_domains[MAX_DOMAINS][MAX_LEN_DOMEIN]; | ||
| int min_trust_level; | ||
| } | ||
| ``` | ||
|
|
||
|
|
||
| Добавлен tap порт, по которому проходят пакеты исключений в ядро, обрабатываются и ответ отсылается на входящий порт (port_in) | ||
|
|
||
| Добавлен tap порт, по которому проходят пакеты исключений в ядро, обрабатываются и ответ отсылается на входящий порт (port_in) |
версии нужно фиксировать