moevm · KonstantinKondratenko · May 15, 2026 · May 14, 2026 · May 14, 2026 · May 14, 2026
diff --git a/admin/config.toml b/admin/config.toml
@@ -2,6 +2,9 @@
 block_categories = ["MALWARE", "SOCIAL"]
 block_domains = ["youtube.com", "tiktok.com"]
 allow_domains = ["github.com", "stackoverflow.com"]
+# 7 * 24 * 60 * 60 = 604800
+ttl_ip = 604800
+ttl_domain = 604800
 min_trust_level = 5
 
 [global.rules.block_by_trust]

diff --git a/controller/internal/manager/policy_manager.go b/controller/internal/manager/policy_manager.go
@@ -17,6 +17,8 @@ type TOMLRules struct {
 	BlockIps        []string               `toml:"block_ips"`
 	AllowIps        []string               `toml:"allow_ips"`
 	MinTrustLevel   *int32                 `toml:"min_trust_level"`
+	TtlIp           *int32                 `toml:"ttl_ip"`
+	TtlDomain       *int32                 `toml:"ttl_domain"`
 	Extra           map[string]interface{} `toml:",remain"`
 }
 
@@ -70,6 +72,14 @@ func (pm *PolicyManager) GetWorkerPolicyProto(workerID uint64) *pb.WorkerPolicy
 		policy.MinTrustLevel = *pm.config.Global.Rules.MinTrustLevel
 	}
 
+	if pm.config.Global.Rules.TtlIp != nil {
+		policy.TtlIp = *pm.config.Global.Rules.TtlIp
+	}
+
+	if pm.config.Global.Rules.TtlDomain != nil {
+		policy.TtlDomain = *pm.config.Global.Rules.TtlDomain
+	}
+
 	filterName := fmt.Sprintf("filter_%d", workerID)
 	if filter, ok := pm.config.Filters[filterName]; ok {
 		if len(filter.BlockCategories) > 0 {
@@ -135,10 +145,19 @@ func (pm *PolicyManager) GetWorkerPolicyProto(workerID uint64) *pb.WorkerPolicy
 				}
 			}
 		}
+
 		if filter.MinTrustLevel != nil {
 			policy.MinTrustLevel = *filter.MinTrustLevel
 		}
 
+		if filter.TtlIp != nil {
+			policy.TtlIp = *filter.TtlIp
+		}
+
+		if filter.TtlDomain != nil {
+			policy.TtlDomain = *filter.TtlDomain
+		}
+
 		if len(filter.Extra) > 0 {
 			if extraStruct, err := structpb.NewStruct(filter.Extra); err == nil {
 				policy.Extra = extraStruct

diff --git a/controller/pkg/proto/communication/communication.proto b/controller/pkg/proto/communication/communication.proto
@@ -32,8 +32,10 @@ message WorkerPolicy {
     repeated string block_ips = 5;
     repeated string allow_ips = 6;
     int32 min_trust_level = 7;
-    uint64 config_version = 8;
-    google.protobuf.Struct extra = 9;
+    int32 ttl_ip = 8;
+    int32 ttl_domain = 9;
+    uint64 config_version = 10;
+    google.protobuf.Struct extra = 11;
 }
 
 message ClassifyRequest {

diff --git a/worker/communication.proto b/worker/communication.proto
@@ -32,8 +32,10 @@ message WorkerPolicy {
     repeated string block_ips = 5;
     repeated string allow_ips = 6;
     int32 min_trust_level = 7;
-    uint64 config_version = 8;
-    google.protobuf.Struct extra = 9;
+    int32 ttl_ip = 8;
+    int32 ttl_domain = 9;
+    uint64 config_version = 10;
+    google.protobuf.Struct extra = 11;
 }
 
 message ClassifyRequest {

diff --git a/worker/include/dpdk_filter/constants.h b/worker/include/dpdk_filter/constants.h
@@ -14,8 +14,6 @@
 #define DOMAIN_MAX_LEN 260
 #define MAX_CATEGORIES 100
 #define CATEGORY_MAX_LEN 64
-#define DNS_CACHE_DEFAULT_TTL (7 * 24 * 60 * 60)
-#define IP_CACHE_DEFAULT_TTL (7 * 24 * 60 * 60)
 #define LEN_LIST_EXCEPTION_PORTS 1
 extern const uint16_t LIST_EXCEPTION_PORTS[LEN_LIST_EXCEPTION_PORTS];
 

diff --git a/worker/include/dpdk_filter/domain_cache.h b/worker/include/dpdk_filter/domain_cache.h
@@ -20,7 +20,8 @@ void clear_dns_cache(void);
 
 int lookup_dns_cache(const char *domain,
                      struct node_cache_domain **return_node);
-void add_to_dns_cache(const char *domain, struct node_cache_domain *node);
+void add_to_dns_cache(const char *domain, struct node_cache_domain *node,
+                      int ttl_dns);
 
 void init_tables_sqlite_dns_cache(void);
 void load_cache_from_sqlite(void);

diff --git a/worker/include/dpdk_filter/ip_cache.h b/worker/include/dpdk_filter/ip_cache.h
@@ -20,7 +20,8 @@ void clear_ip_cache(void);
 
 int lookup_ip_cache(const struct ip_key *key,
                     struct node_cache_ip **return_node);
-void add_to_ip_cache(const struct ip_key *key, struct node_cache_ip *node);
+void add_to_ip_cache(const struct ip_key *key, struct node_cache_ip *node,
+                     int ttl_ip);
 
 void init_tables_sqlite_ip_cache(void);
 void load_cache_ip_from_sqlite(void);

diff --git a/worker/include/dpdk_filter/types.h b/worker/include/dpdk_filter/types.h
@@ -64,6 +64,8 @@ struct BASE_POLICY {
   char locked_categories[MAX_CATEGORIES][CATEGORY_MAX_LEN];
   struct trust_categories_with_lvl
       categories_with_lvl[MAX_CATEGORIES_BY_TRUST_LVL];
+  int ttl_ip;
+  int ttl_domain;
   char block_domains[MAX_DOMAINS][DOMAIN_MAX_LEN];
   char allow_domains[MAX_DOMAINS][DOMAIN_MAX_LEN];
   uint32_t block_ip4[MAX_IP4];

diff --git a/worker/src/dpdk_filter/domain_cache.c b/worker/src/dpdk_filter/domain_cache.c
@@ -432,7 +432,8 @@ int lookup_dns_cache(const char *domain,
   return ret;
 }
 
-void add_to_dns_cache(const char *domain, struct node_cache_domain *node) {
+void add_to_dns_cache(const char *domain, struct node_cache_domain *node,
+                      int ttl_dns) {
   char *key_copy = rte_malloc("dns_key(domain)", DOMAIN_MAX_LEN, 0);
   if (!key_copy) {
     LOG_ERROR("Failed to allocate memory for key cache");
@@ -442,7 +443,7 @@ void add_to_dns_cache(const char *domain, struct node_cache_domain *node) {
   strncpy(key_copy, domain, DOMAIN_MAX_LEN);
   key_copy[DOMAIN_MAX_LEN - 1] = '\0';
   node->timestamp = rte_get_timer_cycles();
-  node->ttl_seconds = DNS_CACHE_DEFAULT_TTL;
+  node->ttl_seconds = ttl_dns;
   node->key_domain = key_copy;
 
   rte_spinlock_lock(&cache_spinlock_domain);

diff --git a/worker/src/dpdk_filter/ip_cache.c b/worker/src/dpdk_filter/ip_cache.c
@@ -475,7 +475,8 @@ int lookup_ip_cache(const struct ip_key *key,
   return ret;
 }
 
-void add_to_ip_cache(const struct ip_key *key, struct node_cache_ip *node) {
+void add_to_ip_cache(const struct ip_key *key, struct node_cache_ip *node,
+                     int ttl_ip) {
 
   struct ip_key *key_copy = rte_malloc("ip_key(ip)", IP_MAX_LEN, 0);
   if (!key_copy) {
@@ -486,7 +487,7 @@ void add_to_ip_cache(const struct ip_key *key, struct node_cache_ip *node) {
 
   memcpy(key_copy, key, IP_MAX_LEN);
   node->timestamp = rte_get_timer_cycles();
-  node->ttl_seconds = IP_CACHE_DEFAULT_TTL;
+  node->ttl_seconds = ttl_ip;
   node->key = key_copy;
 
   rte_spinlock_lock(&cache_spinlock_ip);

diff --git a/worker/src/dpdk_filter/proc_packets.c b/worker/src/dpdk_filter/proc_packets.c
@@ -96,11 +96,11 @@ void pakage_processing(struct net_port *port_in, struct net_port *port_out,
         if (info_pac.ip_version == IP_4) {
           key.version = 4;
           key.addr.ip4 = info_pac.ip4_dist;
-          add_to_ip_cache(&key, new_node);
+          add_to_ip_cache(&key, new_node, policy->ttl_ip);
         } else {
           key.version = 6;
           memcpy(key.addr.ip6, info_pac.ip6_dist, 16);
-          add_to_ip_cache(&key, new_node);
+          add_to_ip_cache(&key, new_node, policy->ttl_ip);
         }
 
       } else {
@@ -148,7 +148,7 @@ void pakage_processing(struct net_port *port_in, struct net_port *port_out,
 
         new_node->solution_is_send = solution_is_send;
 
-        add_to_dns_cache(info_pac.domain, new_node);
+        add_to_dns_cache(info_pac.domain, new_node, policy->ttl_domain);
       } else {
         LOG_ERROR("Failed to search a key-value pair in the hash table: %s",
                   strerror(-ret));

diff --git a/worker/src/worker.cpp b/worker/src/worker.cpp
@@ -167,6 +167,8 @@ void Worker::requestPolicyFromController() {
       }
 
       current_policy.min_trust_level = pol.min_trust_level();
+      current_policy.ttl_ip = pol.ttl_ip();
+      current_policy.ttl_domain = pol.ttl_domain();
 
       current_config_version = pol.config_version();
       clear_cache();