Commit Graph

21 Commits

Author SHA1 Message Date
Nate Brown 8f44f22c37 In the middle 2024-02-05 10:23:10 -06:00
Nate Brown 5181cb0474
Use generics for CIDRTrees to avoid casting issues (#1004) 2023-11-02 17:05:08 -05:00
Nate Brown 54a8499c7b
Fix go vet (#868) 2023-05-09 11:01:30 -05:00
Ilya Lukyanov 1701087035
Add destination CIDR checking (#507) 2023-05-09 10:37:23 -05:00
Caleb Jasik 5da79e2a4c
Run `make vet` in CI (#693) 2023-03-13 15:35:12 -04:00
Nate Brown c177126ed0
Fix possible panic in the timerwheels (#802) 2023-01-11 19:35:19 -06:00
Nate Brown 4453964e34
Move util to test, contextual errors to util (#575) 2021-11-10 21:47:38 -06:00
Nate Brown bcabcfdaca
Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
Nathan Brown 3ea7e1b75f
Don't use a global logger (#423) 2021-03-26 09:46:30 -05:00
Wade Simmons 2a4beb41b9
Routine-local conntrack cache (#391)
Previously, every packet we see gets a lock on the conntrack table and updates it. When running with multiple routines, this can cause heavy lock contention and limit our ability for the threads to run independently. This change caches reads from the conntrack table for a very short period of time to reduce this lock contention. This cache will currently default to disabled unless you are running with multiple routines, in which case the default cache delay will be 1 second. This means that entries in the conntrack table may be up to 1 second out of date and remain in a routine local cache for up to 1 second longer than the global table.

Instead of calling time.Now() for every packet, this cache system relies on a tick thread that updates the current cache "version" each tick. Every packet we check if the cache version is out of date, and reset the cache if so.
2021-03-01 19:52:17 -05:00
Wade Simmons f3a6d8d990
Preserve conntrack table during firewall rules reload (SIGHUP) (#233)
Currently, we drop the conntrack table when firewall rules change during a SIGHUP reload. This means responses to inflight HTTP requests can be dropped, among other issues. This change copies the conntrack table over to the new firewall (it holds the conntrack mutex lock during this process, to be safe).

This change also records which firewall rules hash each conntrack entry used, so that we can re-verify the rules after the new firewall has been loaded.
2020-07-31 18:53:36 -04:00
Patrick Bogen 363c836422
log the reason for fw drops (#220)
* log the reason for fw drops

* only prepare log if we will end up sending it
2020-04-10 10:57:21 -07:00
Wade Simmons add1b21777
only create a CIDRTree for each host if necessary (#198)
A CIDRTree can be expensive to create, so only do it if we need
it. If the remote host only has one IP address and no subnets, just do
an exact IP match instead.

Fixes: #171
2020-03-02 16:21:33 -05:00
Nate Brown 2d8a8143de Actual fix for the real issue with tests 2019-12-18 21:23:59 -08:00
Nate Brown 4e378fdb5b Add test for current bug in master, reduce log output in test 2019-12-18 11:06:51 -08:00
Nate Brown 99cac0da55 Remove println 2019-12-17 23:48:33 -08:00
Nate Brown 56657065e0 Fix ca* checks 2019-12-17 23:36:12 -08:00
Nate Brown a9c93da8cb Detect group array usage and try to be kind 2019-12-13 13:46:42 -08:00
Ryan Huber 9333a8e3b7 subnet support 2019-12-12 16:34:17 +00:00
Wade Simmons df43f6466e gofmt 2019-12-11 23:15:57 -05:00
Slack Security Team f22b4b584d Public Release 2019-11-19 17:00:20 +00:00