Contexts
In PacketShield, a context is identified by the destination of an incoming packet.
For each incoming packet, a lookup on the contexts available in the instance is performed:
If a context is found (by matching the packet's destination IP and an optional VLAN tag), the rules of that context are applied to the packet.
If the packet does not match any context, the default context Other applies.
Creating an instance automatically creates the default context named Other, which holds the policy used for packets that do not match any other context.
PacketShield currently supports the following context identifiers:
IPv4 address
IPv4 address suffixed by the "at" character (@) and a VLAN id
Use sysfs entry
You manage contexts through the sysfs entry /sys/packetshield/<instance name>/contexts.
Create a context
The create operation also creates a new sysfs directory named after the context identifier: /sys/packetshield/<instance name>/<context id>.
A newly created context does not inherit the configuration from the default Other context.
sysfs
Write the context identifier, prefixed by the plus sign character (+), to the sysfs entry.
Create a context for the IP address 10.2.3.5:
$ echo "+10.2.3.5" > /sys/packetshield/myinst/contexts
Create a context for the IP address 10.2.3.5 in the tagged VLAN 100:
$ echo "+10.2.3.5@100" > /sys/packetshield/myinst/contexts
GUI
Use the statement <instance name>/contexts followed by the context identifier.
Create a context for the IP address 10.2.3.5:
myinst/contexts 10.2.3.5
Create a context for the IP address 10.2.3.5 in the tagged VLAN 100:
myinst/contexts 10.2.3.5@100
Destroy a context
This operation also deletes the sysfs directory /sys/packetshield/<instance name>/<context id>.
sysfs
Write the context identifier, prefixed by the minus sign character (-), to the sysfs entry.
Destroy the context for the IP address 10.2.3.5:
$ echo "-10.2.3.5" > /sys/packetshield/myinst/contexts
Destroy the context for the IP address 10.2.3.5 in the tagged VLAN 100:
$ echo "-10.2.3.5@100" > /sys/packetshield/myinst/contexts
GUI
Remove the statement <instance name>/contexts <context id> that matches the context you want to remove.
List contexts
Listing is only available through the CLI (sysfs), not through the GUI.
To list existing contexts, read the sysfs entry /sys/packetshield/<instance name>/contexts.
One context identifier is displayed per line.
The context Other always exists even though it is not listed.
$ cat /sys/packetshield/myinst/contexts
10.2.3.5
10.2.3.5@100
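The create, destroy and list operations above are plain writes and reads on one sysfs entry, so the only thing a wrapper can add is input checking before the kernel sees the value. The following is an added example (not PacketShield's own tooling) in C that validates a context identifier against the two forms the page lists, refuses instance names that could escape /sys/packetshield, writes the "+id" / "-id" command, and checks the listing. It assumes the sysfs paths exactly as described above, that the VLAN id is in the usable 802.1Q range 1..4094 (the page only says "a VLAN id"), and that Other is to be treated as always present even though the listing omits it; the root directory is a parameter so the code can be exercised against a scratch directory.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <arpa/inet.h>

#define PS_SYSFS_ROOT "/sys/packetshield"   /* default root, as on the page */

/* Validate a context identifier: dotted-quad IPv4, optionally "@<vlan>".
 * The 1..4094 VLAN range is the 802.1Q usable range (an assumption; the page
 * only says "a VLAN id"). Returns 1 when well-formed, 0 otherwise. */
int ps_ctx_valid(const char *id)
{
    char ip[INET_ADDRSTRLEN];
    struct in_addr a;
    const char *at = strchr(id, '@');
    size_t iplen = at ? (size_t)(at - id) : strlen(id);

    if (iplen == 0 || iplen >= sizeof ip) return 0;
    memcpy(ip, id, iplen);
    ip[iplen] = '\0';
    if (inet_pton(AF_INET, ip, &a) != 1) return 0;     /* rejects 10.2.3.256, 1.2.3, ... */
    if (at) {
        char *end;
        unsigned long vlan;
        if (at[1] < '0' || at[1] > '9') return 0;      /* strtoul would accept "+", "-", spaces */
        vlan = strtoul(at + 1, &end, 10);
        if (*end != '\0' || vlan < 1 || vlan > 4094) return 0;
    }
    return 1;
}

/* Build <root>/<instance>/contexts into buf. An instance name with a '/' or
 * equal to "." / ".." would point outside the instance tree, so refuse it. */
static int ps_ctx_path(const char *root, const char *inst, char *buf, size_t n)
{
    if (strchr(inst, '/') || !strcmp(inst, ".") || !strcmp(inst, "..") ||
        (size_t)snprintf(buf, n, "%s/%s/contexts", root, inst) >= n) {
        errno = EINVAL;
        return -1;
    }
    return 0;
}

/* Create (op '+') or destroy (op '-') a context by writing to the contexts
 * entry. Malformed identifiers are refused before anything reaches sysfs.
 * Returns 0 on success, -1 with errno set otherwise. */
int ps_ctx_write(const char *root, const char *inst, char op, const char *id)
{
    char path[256];
    FILE *f;
    int rc = 0;

    if ((op != '+' && op != '-') || !ps_ctx_valid(id)) { errno = EINVAL; return -1; }
    if (ps_ctx_path(root, inst, path, sizeof path) < 0) return -1;
    if (!(f = fopen(path, "w"))) return -1;
    if (fprintf(f, "%c%s\n", op, id) < 0) rc = -1;
    if (fclose(f) != 0) rc = -1;     /* a sysfs store rejecting the value surfaces here */
    return rc;
}

/* Check whether a context is listed (one identifier per line). Other is never
 * listed but always exists. Returns 1 if present, 0 if absent, -1 on error. */
int ps_ctx_exists(const char *root, const char *inst, const char *id)
{
    char path[256], line[128];
    int found = 0;
    FILE *f;

    if (strcmp(id, "Other") == 0) return 1;
    if (ps_ctx_path(root, inst, path, sizeof path) < 0) return -1;
    if (!(f = fopen(path, "r"))) return -1;
    while (fgets(line, sizeof line, f)) {
        line[strcspn(line, "\n")] = '\0';
        if (strcmp(line, id) == 0) { found = 1; break; }
    }
    fclose(f);
    return found;
}

/* Usage: ctxctl <instance> +<ip>[@vlan] | -<ip>[@vlan] */
int main(int argc, char **argv)
{
    if (argc != 3 || (argv[2][0] != '+' && argv[2][0] != '-')) {
        fprintf(stderr, "usage: %s <instance> +<ip>[@vlan] | -<ip>[@vlan]\n", argv[0]);
        return 2;
    }
    if (ps_ctx_write(PS_SYSFS_ROOT, argv[1], argv[2][0], argv[2] + 1) < 0) {
        perror(argv[2]);
        return 1;
    }
    return 0;
}
```

Note that a buffered write to a sysfs entry is only delivered at fclose, which is why the return value of fclose is checked: that is where an identifier the kernel rejects shows up.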
Set context options
sysfs
Display and set context options using read and write operations, respectively, on the sysfs entries available in the directory /sys/packetshield/<instance name>/<context id>/<option>.
GUI
Set context options using the following statement:
<instance name>/<context id>/<option>
The GUI can only set options, not read them.
Options
Available options. Each option has a sysfs entry and a matching GUI statement; the examples below apply to both unless stated otherwise.
| Default | Example |
| 0, no drop | |
| ff:ff:ff:ff:ff:ff | |
| 0-0, disabled | Start sending SYN cookies when the incoming rate is above 10000 SYN/s and stop sending when the rate goes below 5000. |
| 0-0, protection is disabled | Start blocking unmatched packets when the incoming rate is above 10000/s and stop blocking when the rate goes below 5000. |
| 0-0, protection is disabled | Start blocking packets with an unknown TTL when the incoming rate is above 10000/s and stop blocking when the rate goes below 5000. |
| 0-0, protection is disabled | Enable surge protection when the outgoing rate is above 10000 packets/s and disable it when the rate goes below 5000. |
| 0, disabled | Enable capture of incoming packets for this context. See the Context capture section for details. |
| 0, disabled | Enable ECN support for the context. |
| 1460 | Set the MSS to 1380. |
| 0, disabled | Enable SACK. |
| 0, disabled | Enable timestamp support. |
| none, no window scale support | Set window scaling to 14 for a 1 GB/s network. |
| none | Specify that only the countries specified in |
| none | sysfs: add or remove a country code using the +/- prefix; set policy to. GUI: set policy to. Optional: you can replace country codes with your own IP ranges or define your own non-standard codes; enclose them in braces ( |
| 0, unlimited rate | Set the maximum ICMP rate to 1000/s. |
| 0, classic mode | Enable DSR mode. |
Context protection togglers
A context protection toggler is a list of the contexts that have a specific protection enabled. Use togglers to list, enable, and disable protections for contexts.
Add a context to a toggler using the plus sign prefix (+). Remove a context from a toggler using the minus sign prefix (-).
The togglers are:
| Toggler | Example (sysfs and GUI) |
| Lists contexts protected against SYN floods using SYN cookies. | Enable SYN flood protection for context |
| Lists contexts protected against ACK/RST floods. | Enable ACK/RST flood protection for context |
| Lists contexts protected against unknown TTL values. | Disable unknown TTL protection in context |
| Lists contexts protected against packet surges. | Enable packet surge protection for context |
Context capture
The sysfs entry /sys/packetshield/<instance>/context_capture.map provides the interface to retrieve a context's packet capture. A read operation on this entry returns the size (4 bytes) of the captured packets available in a memory slot. An mmap on the same file descriptor using this size provides direct access (via pointer) to the full slot. The slot is split into chunks; each chunk holds packets captured on the same context.
Chunk header format:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ Reserved | Inet family +
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ +
+- -+
+ +
+- Layer3 address -+
+ +
+- -+
+ +
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ Layer 4 address (port) | VLAN id +
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ Payload length +
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Inet family field is set to 0 to indicate the Other context.
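The page gives the chunk header layout but not a reader, so the following is an added example (not PacketShield's own code) in C that performs the read-then-mmap sequence described above and walks a slot chunk by chunk. Everything beyond the diagram is an assumption and is marked as such in the code: header fields in host byte order (the slot is kernel memory shared by mmap), chunks packed back to back with the payload immediately after its 28-byte header, Inet family values AF_INET/AF_INET6 for non-Other contexts with an IPv4 address left-aligned in the 16-byte field, and VLAN id 0 meaning untagged. The one check that matters from a security standpoint is that the payload length is bounded by what remains in the slot before it is used for anything; the sample slot embedded in the code is constructed for the example, not captured from a PacketShield instance.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <arpa/inet.h>

#define PS_CHUNK_HDR_LEN 28  /* 2+2+16+2+2+4 bytes, as in the header diagram */

struct ps_chunk {
    uint16_t family;        /* 0 = Other context; AF_INET/AF_INET6 otherwise (assumed) */
    uint8_t  l3addr[16];    /* IPv4 assumed left-aligned in the 16-byte field */
    uint16_t port;
    uint16_t vlan;          /* 0 assumed to mean untagged */
    uint32_t payload_len;   /* bytes of captured packet data following the header */
    const uint8_t *payload;
};

/* Parse one chunk from buf[0..len). Returns header+payload size, or 0 when the
 * header is truncated or its length field overruns the slot. Fields are
 * assumed to be in host byte order. */
size_t ps_chunk_parse(const uint8_t *buf, size_t len, struct ps_chunk *out)
{
    if (len < PS_CHUNK_HDR_LEN) return 0;
    memcpy(&out->family, buf + 2, 2);          /* bytes 0-1 are Reserved */
    memcpy(out->l3addr, buf + 4, 16);
    memcpy(&out->port, buf + 20, 2);
    memcpy(&out->vlan, buf + 22, 2);
    memcpy(&out->payload_len, buf + 24, 4);
    /* never trust a length read from shared memory: bound it by what is left */
    if (out->payload_len > len - PS_CHUNK_HDR_LEN) return 0;
    out->payload = buf + PS_CHUNK_HDR_LEN;
    return PS_CHUNK_HDR_LEN + out->payload_len;
}

/* Render the owning context in the page's notation: "Other", "10.2.3.5", "10.2.3.5@100". */
const char *ps_chunk_ctx_name(const struct ps_chunk *c, char *buf, size_t n)
{
    char addr[INET6_ADDRSTRLEN];
    if (c->family == 0) { snprintf(buf, n, "Other"); return buf; }
    if (!inet_ntop(c->family == AF_INET6 ? AF_INET6 : AF_INET, c->l3addr, addr, sizeof addr))
        snprintf(addr, sizeof addr, "?");
    if (c->vlan) snprintf(buf, n, "%s@%u", addr, (unsigned)c->vlan);
    else snprintf(buf, n, "%s", addr);
    return buf;
}

/* Walk chunks packed back to back (assumed layout), calling cb for each; stops
 * at the end of the slot or the first malformed chunk. Returns the count. */
size_t ps_slot_walk(const uint8_t *slot, size_t len,
                    void (*cb)(const struct ps_chunk *, void *), void *arg)
{
    size_t off = 0, count = 0;
    struct ps_chunk c;
    while (off < len) {
        size_t sz = ps_chunk_parse(slot + off, len - off, &c);
        if (sz == 0) break;
        if (cb) cb(&c, arg);
        count++;
        off += sz;
    }
    return count;
}

/* The access sequence the page describes: read() the 4-byte slot size, then
 * mmap() that many bytes from the same descriptor. NULL on failure. */
const uint8_t *ps_capture_map(const char *path, size_t *len)
{
    uint32_t size = 0;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return NULL;
    if (read(fd, &size, sizeof size) != (ssize_t)sizeof size || size == 0) { close(fd); return NULL; }
    void *p = mmap(NULL, size, PROT_READ, MAP_SHARED, fd, 0);
    close(fd);
    if (p == MAP_FAILED) return NULL;
    *len = size;
    return p;
}

/* Constructed sample slot (not a real capture): an Other-context chunk with a
 * 4-byte payload, then a 10.2.3.5@100 / port 80 chunk with a 6-byte payload. */
size_t ps_sample_slot(uint8_t *buf, size_t cap)
{
    static const uint8_t p1[4] = {0x45, 0x00, 0x00, 0x1c};
    static const uint8_t p2[6] = {0x45, 0x00, 0x00, 0x28, 0xab, 0xcd};
    uint16_t fam = AF_INET, port = 80, vlan = 100;
    uint32_t len1 = sizeof p1, len2 = sizeof p2;
    size_t off = PS_CHUNK_HDR_LEN + sizeof p1, need = off + PS_CHUNK_HDR_LEN + sizeof p2;
    if (cap < need) return 0;
    memset(buf, 0, need);                       /* first header stays family 0 = Other */
    memcpy(buf + 24, &len1, 4);
    memcpy(buf + PS_CHUNK_HDR_LEN, p1, sizeof p1);
    memcpy(buf + off + 2, &fam, 2);
    inet_pton(AF_INET, "10.2.3.5", buf + off + 4);
    memcpy(buf + off + 20, &port, 2);
    memcpy(buf + off + 22, &vlan, 2);
    memcpy(buf + off + 24, &len2, 4);
    memcpy(buf + off + PS_CHUNK_HDR_LEN, p2, sizeof p2);
    return need;
}

static void ps_print_chunk(const struct ps_chunk *c, void *arg)
{
    char name[64];
    (void)arg;
    printf("%-20s port %-5u %u payload byte(s)\n",
           ps_chunk_ctx_name(c, name, sizeof name), (unsigned)c->port, (unsigned)c->payload_len);
}

/* No argument: walk the constructed sample. Otherwise map the given entry,
 * e.g. /sys/packetshield/myinst/context_capture.map. */
int main(int argc, char **argv)
{
    uint8_t sample[128];
    size_t len = 0;
    const uint8_t *slot;
    if (argc > 1) slot = ps_capture_map(argv[1], &len);
    else { len = ps_sample_slot(sample, sizeof sample); slot = sample; }
    if (!slot || len == 0) { perror("context_capture.map"); return 1; }
    printf("%zu chunk(s)\n", ps_slot_walk(slot, len, ps_print_chunk, NULL));
    return 0;
}
```

If the real slot turns out to use network byte order or a different terminator, only ps_chunk_parse and the loop condition in ps_slot_walk need to change; the bounds check stays the same either way.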