October 14, 2021 at 1:44 pm #11804
Are there any examples of storing a state table / map or otherwise in memory?
I’m looking at building a list of trusted IPs in memory then only allowing connections from those IPs for example.
Not sure how it would work here, in XDP I would obviously use a map.
October 14, 2021 at 2:11 pm #11805
If you are looking for a simple filter table then you could use built-in filters. Please check the filter sample.
October 14, 2021 at 3:22 pm #11806
That’s a table of filters, I want to store source IPs I’ve validated somewhere in shared memory that can be checked against. And if the IP isn’t in the array drop the packet basically.
October 14, 2021 at 7:53 pm #11811
Well, you could create the filter table using your IP list and load it into the driver.
Alternatively you can implement any kind of filtering logic in user space using one of the packet filtering samples as a base.
October 15, 2021 at 2:58 am #11812
Are there any examples at all about storing data in a filtering function then referring back to it? I’m not even entirely sure how this is implemented; is mutex locking required, etc.?
October 15, 2021 at 10:04 am #11813
I’m afraid there is no ready-to-use sample like this… But it is quite easy to do. And sure, if your IP address table is accessed from two or more concurrent threads then some kind of synchronization is required. For example, you could use std::shared_mutex for this. The packet filtering routine could lock it in shared mode (read lock) and the “update table” routine could lock it exclusively.
October 15, 2021 at 1:05 pm #11814
I see, are filters created under the simple_packet_filter type single threaded then? For starters I modified the dnstrace example to do some drops, which works fine.
But if I wanted to add the state table to that example I’d have to declare a vector and mutex outside the main class then pass it into the creation function of simple_packet_filter, correct?
October 15, 2021 at 1:20 pm #11815
Yes, simple_packet_filter is single threaded. And yes, you can declare the table and mutex outside and pass references into the simple_packet_filter inbound packet processing lambda function.
October 15, 2021 at 1:25 pm #11816
I didn’t realize it was single threaded, I guess I don’t need the mutex then since the simple_packet_filter will be doing all the logic itself.
October 15, 2021 at 1:29 pm #11817
Yes, lambdas passed to simple_packet_filter are executed in the context of the single thread (created inside simple_packet_filter). However, please note that if your external code (in the main application thread) can modify the IP table then synchronization is needed.
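
The shared-table pattern discussed in this thread, as an added example that is not part of the original posts and is not Windows Packet Filter code: a default-deny IPv4 allow-list guarded by std::shared_mutex, read by the filtering thread and updated from another thread. The names `trusted_ip_table`, `filter_inbound`, `verdict` and `ipv4` are hypothetical, and the addresses are constructed sample values.

```cpp
// Added example: default-deny IPv4 source allow-list shared by a filter thread
// (reader) and a control thread (writer). Hypothetical names, no driver API used.
#include <cstdint>
#include <cstdio>
#include <mutex>
#include <shared_mutex>
#include <thread>
#include <unordered_set>

class trusted_ip_table {
public:
    // Control path: exclusive lock, readers wait only while the set changes.
    void trust(uint32_t ip) {
        std::unique_lock<std::shared_mutex> lock(mutex_);
        ips_.insert(ip);
    }
    void revoke(uint32_t ip) {
        std::unique_lock<std::shared_mutex> lock(mutex_);
        ips_.erase(ip);
    }
    // Packet path: shared lock, concurrent lookups do not block each other.
    bool is_trusted(uint32_t ip) const {
        std::shared_lock<std::shared_mutex> lock(mutex_);
        return ips_.count(ip) != 0;
    }
private:
    mutable std::shared_mutex mutex_;
    std::unordered_set<uint32_t> ips_;  // IPv4 addresses in host byte order
};

enum class verdict { pass, drop };

// What an inbound-packet callback would do with the source address it parsed
// from the IP header: any address not in the table is dropped.
verdict filter_inbound(const trusted_ip_table& table, uint32_t src_ip) {
    return table.is_trusted(src_ip) ? verdict::pass : verdict::drop;
}
constexpr uint32_t ipv4(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
    return (uint32_t{a} << 24) | (uint32_t{b} << 16) | (uint32_t{c} << 8) | d;
}

int main() {
    trusted_ip_table table;
    std::thread control([&] { table.trust(ipv4(192, 0, 2, 10)); });  // constructed
    control.join();
    bool ok = filter_inbound(table, ipv4(192, 0, 2, 10)) == verdict::pass;
    bool blocked = filter_inbound(table, ipv4(198, 51, 100, 7)) == verdict::drop;
    std::printf("trusted passes: %d, unknown dropped: %d\n", ok, blocked);
}
```

The table would be declared outside the filter and captured by reference in the packet-processing lambda, with the source address converted to host byte order before the lookup.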