Add a setTCPQueryRate Dynblock to allow IP to fall back to UDP #12731
Comments
I like the idea, we need to find a generic way to implement that. We can already interact with the BPF maps from Lua, so I'm wondering if it would be possible to implement that in pure Lua, from the |
I tried to implement an ersatz mechanism using excludeRange to whitelist IPs, but it does not seem to do what I expected.
Then I try to remove the whitelisting using
Is it the expected behaviour, and if so, is there a way to simply remove the exclusion? |
Also, if I exclude the same IP with an incorrect network mask, I will have a duplicated entry:
|
Yes, it is the expected behaviour. I agree it might be a bit strange but the idea is that when we insert a new entry it might be more specific than an existing subnet with a different policy (like, we are including
This does really look like a bug, I'm looking into it. |
This should be fixed by #13340 |
|
Short description
We would like to be able to remove an IP from the BPF maps if it is retrying in TCP after getting a TC response.
Usecase
When a legitimate IP is inserted into the BPF maps and is retrying with TCP, we can see a great burst of TCP requests that takes a lot of computing resources and time when the client is a big DNS resolver. We would like to allow IPs to fall back to UDP when flagged as legitimate.
Description
The idea would be to add a setTCPQueryRate DynBlock that matches a TCP request rate and adds the corresponding IP to a BPF whitelist map, or excludes it from the actual BPF maps for a given time, allowing it to fall back to UDP.