feat(ids/bypass): kernel packet-depth elephant cap (Route A bytes-OR-packets)#393
Open
pigri wants to merge 2 commits into
Conversation
…packets)

Route A previously bypassed an IDS flow only on cumulative bytes (depth_bytes). Add a companion packet cap so a flow is bypassed once it crosses depth_bytes OR depth_packets, sharing the dendrite flow_is_elephant() primitive instead of open-coding the comparison:

- ids_export.h: include flow/elephant.h; ids_flow_bypass_check takes depth_packets and decides via flow_is_elephant(packets, bytes, depth_packets, depth_bytes); track unknown flows when either dimension is set.
- xdp_maps.h: ids_export_config gains bypass_depth_packets.
- cli.rs: IdsBypassConfig.depth_packets (default 0 = disabled; behaviour unchanged unless configured).
- thalamus_ids.rs: push the 16-byte config incl bypass_depth_packets; log it.

Requires dendrite providing flow/elephant.h (already on the BPF include path via the ja4/ headers). Default 0 keeps byte-depth as the sole cap unless set.
bpf_stats read index 3 (IDS_EXPORT_STAT_BYPASSED) of ids_export_stats and add ids_bypassed to BpfAccessStats + the summary line, so the bypass feature's suppression count is observable (exported/ringbuf_dropped/invalid/bypassed). Previously the kernel counted bypassed packets but userspace never surfaced it.
Summary

Route A (kernel byte-depth IDS auto-bypass) previously capped a flow only on cumulative bytes (ids.bypass.depth_bytes). This adds a companion packet cap so a flow stops being exported to the IDS once it crosses depth_bytes OR depth_packets, using the shared flow_is_elephant() primitive instead of open-coding the comparison.

Changes

- bpf/lib/ids_export.h — #include "flow/elephant.h"; ids_flow_bypass_check() takes depth_packets and decides via flow_is_elephant(packets, bytes, depth_packets, depth_bytes); unknown flows are tracked when either dimension is set.
- bpf/xdp_maps.h — struct ids_export_config gains bypass_depth_packets.
- synapse-core/cli.rs — IdsBypassConfig.depth_packets, #[serde(default)], default 0 (disabled) → behaviour unchanged unless configured; byte-depth stays the default cap.
- synapse-idp/thalamus_ids.rs — push the 16-byte config incl bypass_depth_packets; debug-log it. (Config read path is length-defensive, so the size bump is backward-compatible.)

Dependency

Uses flow/elephant.h from dendrite (gen0sec/dendrite#88). It's on the BPF include path already (same dir as the ja4/ headers xdp.bpf.c includes). This merges after a dendrite version that ships the header.

Verification

- xdp.bpf.c compiles to object under clang -target bpf with the header on the include path.
- ids.bypass.depth_packets is set. Full workspace build / clippy / kernel-verifier load to run in CI.
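The bypass decision described above, as an added userspace C model that is not the project's bpf/lib/ids_export.h nor dendrite's flow/elephant.h: it exercises the bytes-OR-packets rule with 0 meaning "cap disabled", the unknown-flow tracking condition, and the IDS_EXPORT_STAT_BYPASSED counter the second commit surfaces. The >= comparison, the config struct layout, the linear flow table and every stat name except IDS_EXPORT_STAT_BYPASSED are assumptions.

```c
/* Added example: a userspace C model of the Route A decision this PR describes.
 * Not the project's bpf/lib/ids_export.h nor dendrite's flow/elephant.h: the
 * >= comparison, the config layout and the stat names other than
 * IDS_EXPORT_STAT_BYPASSED are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* A cap of 0 disables that dimension; elephant once EITHER configured cap is reached. */
static bool flow_is_elephant(uint64_t packets, uint64_t bytes,
                             uint64_t depth_packets, uint64_t depth_bytes)
{
    bool over_packets = depth_packets != 0 && packets >= depth_packets;
    bool over_bytes   = depth_bytes   != 0 && bytes   >= depth_bytes;
    return over_packets || over_bytes;
}

/* Assumed 16-byte config pushed from userspace; bypass_depth_packets is the new field. */
struct ids_export_config { uint64_t bypass_depth_bytes; uint64_t bypass_depth_packets; };
/* Stat slots; the PR reads index 3 (IDS_EXPORT_STAT_BYPASSED), other names assumed. */
enum { IDS_EXPORT_STAT_EXPORTED, IDS_EXPORT_STAT_RINGBUF_DROPPED,
       IDS_EXPORT_STAT_INVALID, IDS_EXPORT_STAT_BYPASSED, IDS_EXPORT_STAT_MAX };
#define MAX_FLOWS 8
struct flow_stat  { uint64_t packets, bytes; };
struct flow_table { uint32_t keys[MAX_FLOWS]; struct flow_stat stats[MAX_FLOWS]; size_t n; };

/* True when this packet is suppressed from IDS export. Unknown flows are tracked
 * only when some cap is set; a full table fails open (keeps exporting). */
static bool ids_flow_bypass_check(struct flow_table *t, uint32_t key, uint64_t pkt_len,
                                  const struct ids_export_config *cfg, uint64_t *stats)
{
    if (cfg->bypass_depth_bytes == 0 && cfg->bypass_depth_packets == 0) {
        stats[IDS_EXPORT_STAT_EXPORTED]++; return false;   /* feature off: never track */
    }
    struct flow_stat *fs = NULL;
    for (size_t i = 0; i < t->n; i++)
        if (t->keys[i] == key) { fs = &t->stats[i]; break; }
    if (fs == NULL) {
        if (t->n == MAX_FLOWS) { stats[IDS_EXPORT_STAT_EXPORTED]++; return false; }
        t->keys[t->n] = key; fs = &t->stats[t->n++];
        memset(fs, 0, sizeof *fs);
    }
    fs->packets++; fs->bytes += pkt_len;
    if (flow_is_elephant(fs->packets, fs->bytes, cfg->bypass_depth_packets, cfg->bypass_depth_bytes)) {
        stats[IDS_EXPORT_STAT_BYPASSED]++;  /* kernel count now surfaced as ids_bypassed */
        return true;
    }
    stats[IDS_EXPORT_STAT_EXPORTED]++;
    return false;
}
```

With depth_packets = 3 and depth_bytes = 1000 the third 100-byte packet of a flow is the first one suppressed, so the packet cap can fire long before the byte cap on small-packet flows.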