PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0

eBPF dynamic rules: incomplete log messages #13307

Closed pettai closed 1 year ago

pettai commented 1 year ago

Short description

When using dynamic rules, a log message typically looks like: bygg-u2204 dnsdist[778485]: Inserting dynamic block for 10.100.10.10 for 10 seconds: Exceeded query rate

But with eBPF dynamic rules, the log message doesn't contain the reason for blocking: bygg-u2204 dnsdist[776321]: Inserting eBPF dynamic block for 10.100.10.10 for 60 seconds: <empty, no explanation>

Environment

Steps to reproduce

Configure dnsdist with similar examples from here: https://dnsdist.org/advanced/ebpf.html and here: https://dnsdist.org/guides/dynblocks.html

Expected behaviour

Same log format as non-eBPF DynBlocks gets

Actual behaviour

See above

Other information

rgacogne commented 1 year ago

Have you considered trying DynBlockRulesGroup instead of addBPFFilterDynBlocks? We should really update the ebpf guide to stop suggesting the addBPFFilterDynBlocks syntax for new setups.

pettai commented 1 year ago

If I do that, like:

bpf = newBPFFilter({ipv4MaxItems=1024, ipv6MaxItems=1024, qnamesMaxItems=1024})
setDefaultBPFFilter(bpf)
bpf = dynBlockRulesGroup()
bpf:setQueryRate(300, 3, "Exceeded query rate", 10, DNSAction.Drop)
bpf:setResponseByteRate(50000, 5, "Exceeded resp BW rate", 10, DNSAction.Drop)

function maintenance()
        bpf:apply()
end

The log says:

Sep 28 15:21:25 bygg-u2204 dnsdist[778907]: Inserting dynamic block for X.X.X.X/32 for 10 seconds: Exceeded query rate

and the stats imply that it's a non-eBPF rule that gets inserted.

rgacogne commented 1 year ago

> and the stats imply that it's a non-eBPF rule that gets inserted.

Would you mind sharing exactly the stats you are getting? When I test with your configuration (except I'm not overriding the bpf variable, and using dbpf for the dynBlockRulesGroup instead), I get:

Inserting dynamic block for 127.0.0.1/32 for 10 seconds: Exceeded query rate

The message is unfortunately unclear, I'll fix that in a minute, but this is indeed an eBPF block, as we can see when looking at the BPF filter metrics:

> bpf:getStats()
127.0.0.1: 3

Unfortunately we do not get the information that it is an eBPF block from showDynBlocks, I'll see if I can fix that as well:

> showDynBlocks()
What                      Seconds   Blocks Warning    Action               Reason
127.0.0.1/32                    3        3 false      Drop                 Exceeded resp BW rate

rgacogne commented 1 year ago

By the way, regarding the initial issue with addBPFFilterDynBlocks not logging the reason, would you mind sharing your exact configuration?

If I do:

addBPFFilterDynBlocks(exceedQRate(20, 10), dbpf, 60, "Exceeded query rate")

I do get a reason in my logs.

pettai commented 1 year ago

I missed that addBPFFilterDynBlocks() accepted an optional msg at the end, but also used the old eBPF configuration way. But with the updated code + docs via #13310, I trust this won't be an issue anymore, so I'll close this one.