Releases: AltraMayor/gatekeeper
v1.2.0 RC2
Starting with this release candidate, the target operating system is Ubuntu 24.04 LTS. Deployers are advised to only test and deploy this release candidate on the target operating system to leverage the shared experiences toward a rock-solid final release.
This version improves over v1.2.0 RC1 by:
- Merging `MAIN_LOG()` into `G_LOG()` (see pull request #689);
- Working on Ubuntu 24.04 LTS (see pull requests #690, #693, #701, and #702);
- Correcting RSS hash of i40e NICs (see pull request #691);
- Giving an informative error when a NIC does not support enough queues (see pull request #692 and issue #620).
v1.2.0 RC1
This release (1) upgrades Gatekeeper's custom DPDK to version 23.11; (2) brings a new data structure for the flow table, the most important data structure in Gatekeeper; (3) replaces DPDK's deprecated KNI library with Virtio-user; (4) adds valuable information to the log (e.g. flow table occupancy, log level, date and time); among other improvements.
This version improves over v1.1.0 by:
- Adopting `rte_pktmbuf_free_bulk()` (see pull request #631 and issue #435);
- Adjusting code style by renaming `lua_State` from `l` to `L` (see pull request #638);
- Adding more information to log entries such as DPDK's error strings, log level, date, and time (see pull requests #639 and #663, and issues #574, #616, and #615);
- Improving code (see pull request #645 and issue #288);
- Fixing the ICE driver (see pull request #648);
- Enabling booting Gatekeeper with either IPv4 or IPv6 only (see pull request #649);
- Introducing the QID library (see pull request #655);
- Adding flow table occupancy to GK statistics (see pull request #659);
- Rewriting the flow table to use Hopscotch hashing (see pull requests #664, #669, and #671, and issues #375 and #660);
- Updating GitHub workflow (see pull requests #667 and #668);
- Fixing LACP disconnect bug (see pull request #666);
- Dropping packets of flows not backed by a flow entry (see pull request #670);
- Replacing DPDK's deprecated KNI library with Virtio-user (see pull request #678, and issues #481, #570, #585, and #674);
- Upgrading Gatekeeper's custom DPDK to version 23.11 (see pull request #680, issues #621, #672, and #677, and commit dd6a89f);
- Rewriting the initialization of network interfaces (see pull request #688).
The biggest goal for version 1.2 of Gatekeeper was to eliminate the need for a custom DPDK. Unfortunately, this is not possible due to the limitations of DPDK's memory allocation library. More related information is available on issue #455.
This release candidate was developed, tested, and deployed in production using Ubuntu 20.04 LTS. This will make it easier for deployers to start integrating v1.2 into their deployments. Having said that, deployers must be aware that the next release candidate will target Ubuntu 24.04 LTS.
v1.1.0
This newer version of Gatekeeper updates Gatekeeper's custom versions of DPDK and LuaJIT, enhances the log subsystem, adds the handy BPF program `tcp-services.c`, loads large routing tables much faster, allows default routes, supports more NICs, and includes several other improvements.
This version improves over v1.1.0 RC2 by:
- Implementing our own FIB library (see pull requests #628 and #633 and issues #91 and #632);
- Loosening verifications of the routing table to enable default routes (see pull request #630);
- Releasing memory pressure on Lua policies (see pull request #635 and issue #212).
This version has been extensively tested in production.
v1.1.0 RC2
This version improves over v1.1.0 RC1 by:
- Bringing back our GitHub action (see commit e52bbf2);
- Fixing issues related to bonding interfaces (see pull requests #566 and #576);
- Avoiding deadlock when a routing daemon lists the IPv6 routing table (see pull request #569);
- Adjusting log entries to the new format (see pull requests #573, #605, #609, and #614);
- Correcting the header file for `struct rte_mbuf` in BPF programs (see pull request #582);
- Tuning up the Debian packages (see pull request #583);
- Replacing "DoS" with "DDoS" in headers (see pull request #584);
- Polishing BPF programs (see pull requests #587 and #589);
- Compiling gatekeeper and BPF programs with stricter static verification (see pull request #588);
- Adding the handy BPF program `tcp-services.c` (see pull request #590);
- Logging filters that NICs support to help with diagnosis and debugging (see pull request #592);
- Dropping `rte_panic()` while dumping the routing table (see pull request #593);
- Adding a Routing Information Base to GK blocks (see pull request #594);
- Adopting `rte_hash_lookup_with_hash_bulk()` (see issue #597);
- Enhancing the healing of corrupted flow tables (see pull request #601);
- Having a conservative lock strategy around the routing table (see pull request #606);
- Speeding up the loading of large routing tables (see pull request #608);
- Fixing bugs on Grantor servers (see pull request #610);
- Supporting variable sizes of RSS hash keys (see pull request #622);
- Reviewing the KNI operations (see pull request #623);
- Adding support for the i40e PMD (see pull request #625).
Known issue. Large (production) IPv6 routing tables may not load and/or misbehave for some network prefixes. Fixing this issue should be the last item for the release of the stable version 1.1.0.
Although this release is not a stable version, deployers have been running this version in production side by side with Gatekeeper v1.0.0 for about a month now.
v1.1.0 RC1
This version has the following improvements over v1.0.0:
- Shorter locks while dumping routing tables (see issue #492);
- Healing corrupted flow tables (see pull request #531);
- Updating LuaJIT to version 2.0.5 (see pull request #534);
- Associating log entries to functional blocks (see issue #497);
- Updating Gatekeeper's version of DPDK to LTS 20.11.1 (see issues #294, #431, #450, #502, #510, and pull request #563);
- Code cleanup and small fixes (see pull requests #550 and #561, and commit efb82b7);
- Time stamping GK block's statistics (see issue #552);
- Repackaging Gatekeeper and Gatekeeper's custom DPDK (see pull requests #556, #558, #559, and #564);
- Logging more information on what a NIC does not support (see pull request #560);
- Correcting user, group, and mode of the server socket (see pull request #562).
v1.0.0
This very first stable version of Gatekeeper is a long-coming dream of our group. The dream of an Internet whose stakeholders do not fear DDoS attacks.
When bad men combine, the good must associate; else they will fall,
one by one, an unpitied sacrifice in a contemptible struggle. -- Edmund Burke (1770).
As in a college commencement, this release is not the end, but the beginning of the transition from dreamland to reality. Thank you very much to all of those that have made any contribution to help us to get to this moment. On behalf of these contributors, we welcome all the future members of our community.
This version adds the following items to the RC2:
- Improved sanity checks to Gatekeeper servers' FIB entries (see pull requests #439, #443, #523 and #526, and commits 69e6895 and 04f3a42);
- Added support to load balancing Grantor servers directly on Gatekeeper servers (see pull request #438);
- Eliminated parameters `max_num_ipv4_fib_entries` and `max_num_ipv6_fib_entries` of GK blocks (see issue #440);
- Improved support to VLANs (see issue #437 and pull request #518);
- Added support to /31 (IPv4) and /127 (IPv6) subnet masks (see issue #444);
- Fixed bugs (see pull requests #448, #449, #452, #505 and #522, and commits bd3bd6a and 0691ff2);
- Added the Lua function `dylib.c.gk_unload_bpf_flow_handler()` to unload BPF programs at runtime (see pull request #454);
- Properly dropped privileges while running under `systemd` (see pull request #458);
- Fixed ping replies (see pull request #460);
- Supported ping and traceroute from the KNI interfaces to help with network diagnoses (see pull requests #461 and #511);
- Better integrated with NICs that support ntuple filters (see pull requests #465, #513, and #515);
- Enabled `gkctl` to wait for Gatekeeper during boot (see pull request #467);
- Tuned up the Debian packages (see pull requests #459, #468, #471, #476, #478, and #487);
- Improved generated log in production (see pull requests #469, #479, #520, and #527, and commit 11af1e8);
- Made Gatekeeper fully functional when running with a non-root user (see pull requests #475, #500, and #501);
- Reviewed the initialization of the KNI interfaces (see pull requests #482 and #483);
- Improved support for routing daemons (see pull requests #463, #484, #494, #495, and #496, and commit 538665f);
- Sped up the scripts of gkctl (see pull requests #489 and #493);
- Updated our patched Bird to the stable version 2.0.8 (see pull request #498);
- Corrected NUMA node of LPM tables created in Lua policies (see pull request #504);
- Reviewed Lua `lpmlib` (see pull request #506);
- Supported multiple TCP daemons on the KNI interfaces (see pull request #514);
- Tightened code (see pull request #517);
- Validated that front and back addresses are not in the same subnet (see pull request #521);
- Fixed a bug at the IPv6 LPM table of DPDK (see pull requests #524 and #525).
This release is dedicated to all of those that had their lives, projects, and businesses, in any way, disrupted by DDoS.
v1.0.0 RC2
This release candidate addresses a number of small issues, bugs, and needs identified during tests of the RC1 in production. We expect that the final version will be this release candidate or a small variation of it. The following list summarizes the changes since the RC1:
- Fix dependencies of Debian packages;
- Improve installation instructions;
- Add functions to help to dynamically update LPM tables of policies;
- Support /30 prefixes for IPv4 on front and back interfaces;
- Enable GT blocks to reply to routers when packets are not destined to neighbors;
- Fix initialization bug on servers with multiple NUMA nodes;
- Add example scripts `gkctl/scripts/*.lua` for command `gkctl`;
- Protect Dynamic Configuration block from Lua scripts that return nothing;
- Improve log messages to help to diagnose issues;
- Fix IPv4 checksum when packets are sent directly from Gatekeeper servers to destinations;
- Fix flow entry creation when flow tables are saturated.
First release candidate of the first stable version of Gatekeeper
This is the version that we are going to use for the first deployment: a single 10Gbps Gatekeeper server and two Grantor servers. This version has been thoroughly tested in test environments. We expect that the final release will be this RC1 with small changes (if needed) due to production demands.