During GSoC 2017, I worked with mentors Cody Doucette and Sachin Paryani, with my mentor organisation: Boston University/Linux XIA group. My main responsibility was to add security software queuing discipline functionality to the Linux kernel and, in order to access this queuing discipline, to write enabling code in tc(8) userspace, a part of the iproute2 codebase (mirrored repo found here). Secondarily, I was also required to modify tc(8) code to allow bandwidth limits to be specified in percentages of the interface capacity, to make tc commands more user friendly.

The queueing discipline is called Gatekeeper Priority Queue (standalone codebase maintained here).
Gatekeeper is an open source defence against denial-of-service (DoS) attacks. To protect server resources from an attack, it services requests based on priority: the higher a request's priority, the closer to the exit of the egress queue it is placed. Additionally, it limits the requests' maximum link bandwidth occupancy to 5%. These countermeasures are implemented through the priority queue data structure, which holds all requests in a single priority queue and drops low-priority requests when resources are low, allowing it to allocate as many resources as possible to high-priority requests while servicing low-priority requests only when resources are idle. The detailed project description can be seen here. It is worth mentioning that Gatekeeper has already been merged into DPDK; merging it into the kernel would further promote both Gatekeeper and open source security.
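To make the queueing policy described above concrete, here is a small userspace model of it, written as an added example for this post; it is not Gatekeeper's kernel qdisc code, and every name, the 4-slot queue length, the per-interval link capacity and the packet sizes are assumptions. It keeps all requests in one queue, evicts the lowest-priority request when the queue is full and a higher-priority one arrives, dequeues the highest-priority request first, and caps the bytes sent per interval at 5% of the link capacity so low-priority requests only get through when the high-priority ones have left budget idle.

```c
/* Userspace model of a single priority queue with lowest-priority drop and a
 * 5% link-share budget. Added illustration, not the Gatekeeper kernel module;
 * all constants below are assumed values chosen for the demo. */
#include <stdio.h>
#include <string.h>

#define GK_QLEN        4        /* assumed queue capacity, in packets */
#define GK_LINK_BYTES  100000   /* assumed link capacity: bytes per interval */
#define GK_CAP_PERCENT 5        /* share of the link the queue may occupy */

struct gk_pkt {
    unsigned prio;  /* higher value = higher priority */
    unsigned len;   /* packet length in bytes */
};

struct gk_queue {
    struct gk_pkt pkts[GK_QLEN];
    unsigned n;              /* packets currently queued */
    unsigned long dropped;   /* packets dropped because the queue was full */
    unsigned budget;         /* bytes still allowed in the current interval */
};

/* Refill the per-interval byte budget to 5% of link capacity. */
static void gk_tick(struct gk_queue *q) {
    q->budget = GK_LINK_BYTES * GK_CAP_PERCENT / 100;
}

static void gk_init(struct gk_queue *q) {
    memset(q, 0, sizeof *q);
    gk_tick(q);
}

/* Index of the lowest-priority queued packet, or -1 if the queue is empty. */
static int gk_lowest(const struct gk_queue *q) {
    int idx = -1;
    for (unsigned i = 0; i < q->n; i++)
        if (idx < 0 || q->pkts[i].prio < q->pkts[idx].prio) idx = (int)i;
    return idx;
}

/* Enqueue a packet. When the queue is full, the lower-priority of the new
 * packet and the lowest queued packet is dropped. Returns 1 if the new
 * packet was queued, 0 if it was the one dropped. */
static int gk_enqueue(struct gk_queue *q, unsigned prio, unsigned len) {
    if (q->n == GK_QLEN) {
        int low = gk_lowest(q);
        if (q->pkts[low].prio >= prio) { q->dropped++; return 0; }
        q->pkts[low] = q->pkts[q->n - 1];   /* evict the lowest: swap in last */
        q->n--;
        q->dropped++;
    }
    q->pkts[q->n].prio = prio;
    q->pkts[q->n].len = len;
    q->n++;
    return 1;
}

/* Dequeue the highest-priority packet if the interval's byte budget allows.
 * Returns 1 and fills *out on success, 0 if empty or the link share is used up. */
static int gk_dequeue(struct gk_queue *q, struct gk_pkt *out) {
    if (q->n == 0) return 0;
    unsigned hi = 0;
    for (unsigned i = 1; i < q->n; i++)
        if (q->pkts[i].prio > q->pkts[hi].prio) hi = i;
    if (q->pkts[hi].len > q->budget) return 0;   /* 5% share exhausted */
    *out = q->pkts[hi];
    q->budget -= out->len;
    q->pkts[hi] = q->pkts[q->n - 1];
    q->n--;
    return 1;
}

/* Constructed scenario: five 1500-byte arrivals into a 4-slot queue, then
 * drain one interval. Fills sent_prio[] with the priorities sent, in order,
 * and returns how many packets got out before the budget ran dry. */
static unsigned gk_demo(struct gk_queue *q, unsigned sent_prio[], unsigned max) {
    static const unsigned prios[] = {1, 3, 2, 5, 4};
    gk_init(q);
    for (unsigned i = 0; i < 5; i++) gk_enqueue(q, prios[i], 1500);
    struct gk_pkt p;
    unsigned cnt = 0;
    while (cnt < max && gk_dequeue(q, &p)) sent_prio[cnt++] = p.prio;
    return cnt;
}

int main(void) {
    struct gk_queue q;
    unsigned sent[GK_QLEN];
    unsigned cnt = gk_demo(&q, sent, GK_QLEN);
    printf("sent %u packets this interval, dropped %lu, %u still queued\n",
           cnt, q.dropped, q.n);
    for (unsigned i = 0; i < cnt; i++) printf("  prio %u\n", sent[i]);
    return 0;
}
```

With a 5000-byte budget per interval, the three highest priorities (5, 4, 3) go out, the priority-1 request is dropped when the fifth arrival finds the queue full, and the priority-2 request waits until the next interval refills the budget. The linear scans keep the model short; a real qdisc would use a heap or per-priority lists so enqueue and dequeue are not O(n).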
Gatekeeper (GK) was added as a kernel module in the net/sched directory of the kernel; the pull request containing the GK code is here (branch name: Gatekeeper_2). Currently, the GK module tests well and behaves according to the required functionality. We plan to upstream this code (to the latest net-next repo, maintained by David Miller) after GSoC, following a final code review.

The enabling code in tc(8) userspace, along with the percentage bandwidth specification functionality, can be seen here (branch name: gk). In addition to the GK module in the kernel, after GSoC we would upstream this code as well (which is required to enable and access Gatekeeper).