@ndev2
Last active August 29, 2017 04:51
Summary of the work done during Google Summer of Code 2017 - by Nishanth Devarajan

During GSoC 2017, I worked with mentors Cody Doucette and Sachin Paryani, with my mentor organisation being the Boston University/Linux XIA group. My main responsibility was to add a security-oriented software queuing discipline to the Linux kernel and, in order to access this queuing discipline, to write enabling code in tc(8) userspace, part of the iproute2 codebase (mirrored repo found here). Secondarily, I was also required to modify the tc(8) code to allow bandwidth limits to be specified as percentages of the interface capacity, to make tc commands more user friendly.

The queueing discipline is called Gatekeeper Priority Queue (standalone codebase maintained here). Gatekeeper is an open source defence against denial-of-service (DoS) attacks. To protect server resources from an attack, it services requests based on priority: the higher a request's priority, the closer to the exit of the egress queue it is placed. Additionally, it limits the requests' maximum link bandwidth occupancy to 5%. These countermeasures are implemented through a priority queue data structure that holds all requests in a single priority queue and drops low-priority requests when resources are low, so that as many resources as possible are allocated to high-priority requests while low-priority requests are serviced only when resources are idle. The detailed project description can be seen here. It is worth noting that Gatekeeper has been merged into DPDK, and merging it into the kernel would further promote both Gatekeeper and open source security.
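The following is an added toy model of the two behaviours described above (a single priority queue that evicts the lowest-priority request when it is full, and a per-tick byte budget capped at 5% of link capacity); it is not the kernel module or the tc(8) code, and the class, method and parameter names are my own.

```python
import heapq
from itertools import count


class GatekeeperModel:
    """Toy model (not the kernel qdisc) of Gatekeeper Priority Queue behaviour."""

    def __init__(self, max_len, link_bps, share_pct=5.0):
        self.max_len = max_len
        # Bandwidth share expressed as a percentage of link capacity, as the
        # tc(8) change allows; converted to a byte budget per one-second tick.
        self.bytes_per_tick = link_bps * share_pct / 100 / 8
        self._heap = []          # min-heap on (-priority, seq): highest priority pops first
        self._seq = count()      # FIFO tie-break among equal priorities
        self.dropped = []        # labels of requests dropped under pressure

    def enqueue(self, priority, pkt_len, label):
        """Admit a request; when the queue is full, drop the lowest-priority one."""
        heapq.heappush(self._heap, (-priority, next(self._seq), pkt_len, label))
        if len(self._heap) > self.max_len:
            # max() of the tuples is the lowest priority (newest among ties)
            victim = max(self._heap)
            self._heap.remove(victim)
            heapq.heapify(self._heap)
            self.dropped.append(victim[3])
            return victim[3] != label
        return True

    def dequeue_tick(self):
        """Drain highest-priority requests first, within one tick's bandwidth share."""
        budget = self.bytes_per_tick
        sent = []
        while self._heap and self._heap[0][2] <= budget:
            _, _, pkt_len, label = heapq.heappop(self._heap)
            budget -= pkt_len
            sent.append(label)
        return sent


def demo():
    # Constructed scenario: 8 kbit/s link, 5% share = 50 bytes per tick, 3-slot queue.
    q = GatekeeperModel(max_len=3, link_bps=8000)
    q.enqueue(1, 20, "low-a")
    q.enqueue(5, 20, "high-a")
    q.enqueue(1, 20, "low-b")
    q.enqueue(3, 20, "mid-a")      # queue full: lowest-priority "low-b" is dropped
    first = q.dequeue_tick()       # 50-byte budget fits high-a and mid-a only
    second = q.dequeue_tick()      # low-a is served once resources are idle
    return q.dropped, first, second
```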

Gatekeeper (GK) was added as a kernel module in the net/sched directory of the kernel; the pull request containing the GK code is here (branch name: Gatekeeper_2). Currently, the GK module tests well and behaves according to the required functionality. We plan to upstream this code (to the latest net-next repo, maintained by David Miller) after GSoC, following a final code review.

The enabling code in tc(8) userspace, along with the percentage bandwidth specification functionality, can be seen here (branch name: gk). In addition to the GK module in the kernel, after GSoC we would upstream this code as well, since it is required to enable and access Gatekeeper.
