Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

agent: add tcp connection disruptor #357

Merged
merged 5 commits into from
Nov 7, 2023
Merged

agent: add tcp connection disruptor #357

merged 5 commits into from
Nov 7, 2023

Conversation

roobre
Copy link
Collaborator

@roobre roobre commented Oct 20, 2023
edited

Description

This PR implements the TCP connection disruptor as proposed in #154.

In its current state, includes a working disruptor with its associated command, which has been tested manually.

The following things remain to be addressed:

  • The current NFQueue library sometimes hangs when closing, for which a workaround has been added Replaced.
  • Unit test for the new iptables helper
  • Integration tests for the command using testcontainers
  • Kill connections in both directions, instead of only for ingress packets
  • Rebase the ungodly amount of commits

Checklist:

  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works.
  • I have run linter locally (make lint) and all checks pass.
  • I have run tests locally (make test) and all tests pass.
  • I have run relevant integration test locally (make integration-xxx for affected packages)
  • I have run relevant e2e test locally (make e2e-xxx for disruptors, or cluster related changes)
  • Any dependent changes have been merged and published in downstream modules

@roobre roobre force-pushed the conndisruptor branch 20 times, most recently from 71f4272 to cf7e29d Compare October 27, 2023 08:12
@roobre roobre force-pushed the conndisruptor branch 4 times, most recently from 32b4110 to f7c9e26 Compare October 30, 2023 11:46
@roobre roobre marked this pull request as ready for review October 30, 2023 11:50
@roobre roobre changed the title WIP: add tcp connection disruptor agent: add tcp connection disruptor Oct 30, 2023
@roobre roobre force-pushed the conndisruptor branch 4 times, most recently from 522f2a4 to 8ee5904 Compare October 30, 2023 19:30
pablochacin
pablochacin requested changes Oct 31, 2023
View reviewed changes
Copy link
Collaborator

@pablochacin pablochacin left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@roobre I'm liking the PR. I have some comments in the structure of the code but I think overall we have a very solid base. I haven't had time to run the tests, I'll do it later but I wanted to give you some feedback as soon as possible.

Also, I remember you commented you were concerned regarding the performance. I think there are two relatively easy changes we could try, if not in this PR, in a follow-up PR but I want to take note here so we don't forget:

  1. Copy only the metadata of the packages, instead of the whole package. I haven't checked how this would actually work, but I think it is worth researching
  2. Change the way we calculate the hash for each connection. This is in the critical path for processing packages We are using CRC32. After some research, I found xxHash which is optimized for small inputs, as in our case. Moreover, given our input is of a fixed size, I was wondering if we could use a block cipher instead.

pkg/agent/tcpconn/disruptor.go Outdated Show resolved Hide resolved
cmd/agent/commands/tcpdrop.go Outdated Show resolved Hide resolved
pkg/agent/tcpconn/disruptor.go Outdated Show resolved Hide resolved
pkg/agent/tcpconn/disruptor.go Outdated Show resolved Hide resolved
pkg/agent/tcpconn/queue.go Outdated Show resolved Hide resolved
pkg/iptables/ruler.go Outdated Show resolved Hide resolved
pkg/iptables/ruler_test.go Outdated Show resolved Hide resolved
pkg/agent/tcpconn/queue.go Outdated Show resolved Hide resolved
testcontainers/echoserver/echoserver.go Outdated Show resolved Hide resolved
pkg/agent/tcpconn/queue.go Outdated Show resolved Hide resolved
@roobre roobre force-pushed the conndisruptor branch 3 times, most recently from 38c1e34 to 7e9cf08 Compare November 1, 2023 17:21
@roobre roobre force-pushed the conndisruptor branch 2 times, most recently from 3339b17 to 621666e Compare November 6, 2023 11:17
@roobre
iptables: add helper to add and remove rules
f721f09 
iptables: remove unused methods, add unit tests
pablochacin
pablochacin approved these changes Nov 7, 2023
View reviewed changes
Copy link
Collaborator

@pablochacin pablochacin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only to minor non blocking comments

cmd/agent/commands/tcpdrop.go Outdated Show resolved Hide resolved
cmd/agent/commands/tcpdrop.go Outdated Show resolved Hide resolved
@roobre roobre force-pushed the conndisruptor branch 2 times, most recently from 365245b to ddf89d1 Compare November 7, 2023 16:33
@roobre roobre merged commit 181cdd7 into main Nov 7, 2023
8 checks passed
@roobre roobre deleted the conndisruptor branch November 7, 2023 16:41
@roobre roobre mentioned this pull request Nov 8, 2023
Merged
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pablochacin pablochacin pablochacin approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@roobre @pablochacin