dnsdist: DynBlockGroupRules : eBPF block doesn't use eBPF if DNSAction.Drop is not set exactly in each rule #11504
Comments
We can confirm this issue, also on dnsdist 1.7. Specifying the drop action explicitly as mentioned in the issue works.
That code indeed ignores the value of
I just submitted a fix for this issue in #11544. If one of you can test it and confirm that it fixes the issue, that would be great!
Sure, I can test it.
I could build custom packages from my backport branch (#11550) but I don't think it would help you as a Gentoo user :) I can generate a patch that applies cleanly on top of the 1.7.0 tarball, though, just a minute.
Nice! That's gonna work for me )))
This version is a bit better and does not break the unit tests: https://gist.github.com/rgacogne/4bf1d39e5a1ee29b337988e21ab7de2f (I went a bit too far down the "minimal patch" road with the first version).
Hi @rgacogne But also it works by default. Even if "setDynBlocksAction(DNSAction.Drop)" is not set. I guess it's correct because Drop action is pre-defined for all the DynBlockRules by default. Also I can confirm that eBPF will not be used if "setDefaultBPFFilter(bpf)" is not set. And it also looks correct according to the manual.
Thanks a lot for testing and confirming!
Short description
Since 1.6, when dnsdist creates a DynBlock, it should use eBPF as a filter to block IPs if setDefaultBPFFilter() is set properly.
But if the action is not set to 'DNSAction.Drop' for each rule, it does not use eBPF.
Environment
Steps to reproduce
Expected behaviour
If I emulate an NXD rate from loopback, the dynblock has to block it, and bpf should also include it in its list, because eBPF has to be used.
Actual behaviour
It does not show up in the bpf list at all.
Other information
I can get it to work properly only if I set 'DNSAction.Drop' for each rule in the group, like that:
So it looks like 'setDynBlocksAction(DNSAction.Drop)' is ignored and nothing goes to eBPF.
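Added example (not the reporter's configuration and not code from the dnsdist project): a dnsdist configuration sketch for the affected versions discussed in this thread, showing the rule form reported as bypassing eBPF next to the workaround of passing `DNSAction.Drop` on every rule. The listen address, backend address, thresholds, block durations and map sizes are constructed values.

```lua
-- Added example for dnsdist 1.6 / 1.7.0 as discussed in this issue.
-- All addresses, rates and durations below are constructed placeholders.
setLocal("127.0.0.1:5300")
newServer({address="192.0.2.53:53"})  -- documentation-range backend

-- eBPF filter sized for 1024 IPv4, 1024 IPv6 and 1024 qname entries,
-- registered as the default filter so dynamic blocks can be pushed into it.
bpf = newBPFFilter(1024, 1024, 1024)
setDefaultBPFFilter(bpf)

-- Global default action. Per this report, on affected versions it is not
-- taken into account when deciding whether a group rule goes to eBPF.
setDynBlocksAction(DNSAction.Drop)

local dbr = dynBlockRulesGroup()

-- Form reported as NOT reaching eBPF on affected versions (no per-rule action):
-- dbr:setRCodeRate(DNSRCode.NXDOMAIN, 20, 10, "Exceeded NXD rate", 60)

-- Workaround from the report: set the action explicitly on each rule.
-- Arguments: rcode, rate (per second), window (s), reason, block time (s), action
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 20, 10, "Exceeded NXD rate", 60, DNSAction.Drop)
-- Arguments: rate (per second), window (s), reason, block time (s), action
dbr:setQueryRate(100, 10, "Exceeded query rate", 60, DNSAction.Drop)

-- dnsdist calls maintenance() roughly once per second; apply() evaluates
-- the group's rules and inserts or refreshes the resulting blocks.
function maintenance()
  dbr:apply()
end
```

To check where a block landed, compare `showDynBlocks()` with `bpf:getStats()` in the dnsdist console after triggering a rule: a client blocked through eBPF is listed in the filter's statistics.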