cmd/xdpderper,derp/xdp: implement mode that drops STUN packets (#12527)

This is useful during maintenance as a method for shedding home client load. Updates tailscale/corp#20689 Signed-off-by: Jordan Whited <jordan@tailscale.com>
2024-06-18 14:06:00 -07:00
parent d55b105dae
commit a93173b56a
9 changed files with 128 additions and 10 deletions
@@ -14,6 +14,10 @@ struct config {
 	// the context of the data. cilium/ebpf uses native endian encoding for map
 	// encoding even if we use big endian types here, e.g. __be16.
 	__u16 dst_port;
+	// If drop_stun is set to a nonzero value all UDP packets destined to
+	// dst_port will be dropped. This is useful for shedding home client load
+	// during maintenance.
+	__u16 drop_stun;
 };
 struct config *unused_config __attribute__((unused)); // required by bpf2go -type

@@ -60,6 +64,7 @@ enum counter_key_prog_end {
 	COUNTER_KEY_END_INVALID_IP_CSUM,
 	COUNTER_KEY_END_NOT_STUN_PORT,
 	COUNTER_KEY_END_INVALID_SW_ATTR_VAL,
+	COUNTER_KEY_END_DROP_STUN,
 	COUNTER_KEY_END_LEN
 };
 enum counter_key_prog_end *unused_counter_key_prog_end __attribute__((unused)); // required by bpf2go -type
@@ -334,6 +339,11 @@ static __always_inline int handle_packet(struct xdp_md *ctx, struct packet_conte
 		return XDP_PASS;
 	}

+	if (c->drop_stun) {
+		pctx->prog_end = COUNTER_KEY_END_DROP_STUN;
+		return XDP_DROP;
+	}
+
 	if (validate_udp_csum) {
 		__u16 cs;
 		__u32 pseudo_sum;