cloudflare / Rakelimit

Licence: bsd-3-clause
A fair-share ratelimiter implemented in BPF

Rakelimit

A multi-dimensional fair-share rate limiter in BPF, designed for UDP. The algorithm is based on Hierarchical Heavy Hitters, and ensures that no party can exceed a certain rate of packets. For more information please take a look at our blog post.

Usage

First, we need to increase the optmem memory limit:

sudo sysctl -w net.core.optmem_max=65536

To activate rakelimit, create a new instance and provide a file descriptor and a rate limit. Choose the limit as the packet rate beyond which you think the service in question can no longer cope:


conn, err := net.ListenPacket("udp4", "127.0.0.1:0")
if err != nil {
    tb.Fatal("Can't listen:", err)
}
udpConn := conn.(*net.UDPConn)

// We don't want to allow anyone to use more than 128 packets per second
ppsPerSecond := 128
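rake, err := New(udpConn, ppsPerSecond)
if err != nil {
    // Check the error before deferring Close: rake is not usable if New failed
    tb.Fatal("Can't create rate limiter:", err)
}
defer rake.Close()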
// rate limiter stays active even after closing

That's all! The library now enforces rate limits on incoming packets, and it happens within the kernel.

Requirements

The library should be go-gettable, and has been tested on Linux 5.4.

You will need a clang-9 binary if you want to recompile the filter. Simply run go generate in the root of the project.

Limitations

  • no IPv6 (we're working on adding it)
  • requires tweaking of optmem
  • not tested in production