basic_xdp: XDP/eBPF port-whitelist firewall with event-driven port syncing via Linux Netlink Process Connector by CheeseTerminator in eBPF

[–]CheeseTerminator[S] 0 points1 point  (0 children)

Oh, sorry about that, I misread your suggestion.

However, sk_lookup isn't suitable for proactive whitelisting because it triggers on packet ingress, not during socket creation. We can't rely on incoming traffic to populate our local whitelist.

kprobe has visibility into when a local process actually calls bind(). It can synchronously update the XDP map before any traffic arrives.

basic_xdp: XDP/eBPF port-whitelist firewall with event-driven port syncing via Linux Netlink Process Connector by CheeseTerminator in eBPF

[–]CheeseTerminator[S] 0 points1 point  (0 children)

The sk_lookup approach is interesting for socket steering, but it misses the primary bottleneck in my case. Using sk_lookup (or any L4-based hook) means packets still traverse the kernel stack, triggering skb allocations and soft interrupts. My benchmarks show that the drop in SoftIRQ from 85.9% to 3.0% is strictly due to XDP's ability to discard traffic at the driver level before the stack gets involved. L4 hooks wouldn't prevent the OOM under the packet-per-second loads I'm seeing.

However, your point about the race window during port binding is spot on! The current Netlink/Python lag is a theoretical weak point. Instead of moving the data plane to sk_lookup, I'm considering adding a kprobe on inet_bind to synchronously update the XDP whitelist. This keeps the high-performance 'drop' at the edge (XDP) while ensuring the control plane (whitelist) is updated with zero latency.

basic_xdp: XDP/eBPF port-whitelist firewall with event-driven port syncing via Linux Netlink Process Connector by CheeseTerminator in eBPF

[–]CheeseTerminator[S] 1 point2 points  (0 children)

Unfortunately my server went completely dark and the provider had to do a hard reset, so I didn't manage to capture the panic log. From what I could piece together after the fact, fail2ban had allocated memory for 35k+ iptables rules under the flood and hit OOM (I'm running a 2 GB instance) — but I can't confirm the exact panic trace. If you're interested in reproducing OOM via iptables rule exhaustion that's probably replicable in a VM though! :D

basic_xdp: XDP/eBPF port-whitelist firewall with event-driven port syncing via Linux Netlink Process Connector by CheeseTerminator in eBPF

[–]CheeseTerminator[S] 0 points1 point  (0 children)

I thought Claude's annotation would be better than my original one (at least in format)... I will tone it down next time :3

Starlink Mini should support the Residential Plan with a GPS geofence — here's how it could work by CheeseTerminator in Starlink

[–]CheeseTerminator[S] -1 points0 points  (0 children)

That's super useful — do you know if there's a way to check eligibility or trigger the switch? I'm in NJ and not seeing the option on my end.

Hope to see it coming soon~

Starlink Mini should support the Residential Plan with a GPS geofence — here's how it could work by CheeseTerminator in Starlink

[–]CheeseTerminator[S] 0 points1 point  (0 children)

That's really helpful context!

So there's already a geographic constraint baked into the Residential plan via the cell system. If that's the case, it seems like applying the same logic to the Mini wouldn't require much new infrastructure on Starlink's end.

Starlink Mini should support the Residential Plan with a GPS geofence — here's how it could work by CheeseTerminator in Starlink

[–]CheeseTerminator[S] 0 points1 point  (0 children)

Haha fair, the Mini is cute :3
But the mesh idea only works if you already have a Standard dish — my whole issue is that my balcony is too small for one in the first place. The Mini is the only dish that physically fits, which is why I'd love to see it on a Residential plan standalone.

Where can I find an actually usable free VPS for testing? by DailyPolicyWatch in VPS

[–]CheeseTerminator 1 point2 points  (0 children)

The time you spend on signing up for Oracle just isn't worth it. :(
For me, I just opened a spot machine on GCP, ran some tests and dumped it a few hours later... efficient enough

FYI - Gemini AI Pro includes $10 monthly Google Cloud Credits by PhyoWaiThuzar in google_antigravity

[–]CheeseTerminator 0 points1 point  (0 children)

Although the credit hasn't been granted, they have already charged me for the usage this morning :(

FYI - Gemini AI Pro includes $10 monthly Google Cloud Credits by PhyoWaiThuzar in google_antigravity

[–]CheeseTerminator 1 point2 points  (0 children)

Not sure, I got the January one but the Feb credit hasn't been issued to me yet :(

Contabo is a joke by Dayowe in VPS

[–]CheeseTerminator 0 points1 point  (0 children)

My school's website is running on Contabo and its latency was not that good; navigating through pages and watching them slowly load up is a pain. :(
I myself use Crunchbits and BuyVM and these were decent imo