Update#7
Merged
Modified Makefile and main.c to integrate rate limiting logic. Added rate_limit.c and rate_limit.h to implement interface-based ARP packet rate limiting. Also included two test scripts to simulate packet traffic above and below the rate threshold. Signed-off-by: Korel <Korelucpinar@gmail.com>
DAI Feature: Add ARP Rate Limiting and Related Test Scripts
Updated the README to clarify kdai's features, including ARP packet inspection, DHCP snooping-based validation, and ARP ACLs, trusted and untrusted interfaces, and rate limiting. Signed-off-by: Korel <Korelucpinar@gmail.com>
Update README.md
Added a clean up for the rate limit entries. This addition ensures memory that is allocated for the entries is freed when the module exits. Signed-off-by: Korel <Korelucpinar@gmail.com>
Ensure entries are freed when exiting Signed-off-by: Korel <Korelucpinar@gmail.com>
Make the clean up function publicly visible Signed-off-by: Korel <Korelucpinar@gmail.com>
Add DAI Rate Limit Cleanup for Each Entry
…th spinlock protection Each rate limit entry is now created at runtime using kmalloc and inserted into a global list. This change is meant to enhance scalability and decrease the configuration dependency requirements. Signed-off-by: Korel <Korelucpinar@gmail.com>
Switch Rate Limiting from Static Maximum Interfaces to Dynamic Memory Allocation
Refactored existing test cases to align with the changes made in the kernel module. This commit also adds new tests to cover additional functionality introduced in the recent update. Test cases cover ARP poisoning, kernel module insertion, communication from acknowledged and unacknowledged sources, malformed ARP requests, and rate limiting. Signed-off-by: Korel <Korelucpinar@gmail.com>
Workflow is now incorporated into test cases Signed-off-by: Korel <Korelucpinar@gmail.com>
Modified the GitHub Actions workflow to check out the code, set executable permissions for all test scripts, and run the 'Test_Build_Kernel_Module' script. This update ensures that the new test scripts can be integrated into the CI/CD process. Signed-off-by: Korel <Korelucpinar@gmail.com>
Set working-directory to ./tests in workflow and updated script to use 'make -C ..' so it correctly locates the Makefile in the root directory. This ensures the kernel module builds properly during CI. Signed-off-by: Korel <Korelucpinar@gmail.com>
Add the Test Insert Kernel Module, that tests if the module can be inserted successfully Signed-off-by: Korel <Korelucpinar@gmail.com>
Dmesg now uses sudo in the test cases Signed-off-by: Korel <Korelucpinar@gmail.com>
Update to DAI Test Cases for DAI per VLAN Testing.
Created a hash table to store the VLANs to be inspected. Support functions to add, check, and remove VLANs from the inspection list are included. Signed-off-by: Korel <Korelucpinar@gmail.com>
This commit refactors the existing DAI logic to support per-VLAN inspection. The previous implementation applied DAI globally, which lacked the ability to distinguish between different VLANs, making the enforcement of DAI rules less flexible and secure. The packet processing now checks for VLAN tags, and if a VLAN is present, the system verifies if DAI should be enabled for that specific VLAN. Signed-off-by: Korel <Korelucpinar@gmail.com>
Each DHCP snooping entry now includes the VLAN ID associated with the lease. When validating ARP packets, the VLAN from the packet (skb) is compared with the VLAN stored in the matching DHCP snooping entry. A match is required for the entry to be considered valid. This ensures that DHCP lease information is only used for validation within the correct VLAN, preventing cross-VLAN spoofing. Signed-off-by: Korel <Korelucpinar@gmail.com>
Trusted and untrusted interfaces must now be associated with a specific VLAN when added. The function find_trusted_interface() now takes a VLAN ID as a parameter. It only returns true if the given interface name exists and matches the specified VLAN ID. This ensures trust decisions are scoped correctly to the VLAN. For example, a trusted interface on VLAN 100 is not automatically trusted on VLAN 200. As a result, callers (e.g. in main.c) must now extract the VLAN ID from the packet and pass it into find_trusted_interface(). Signed-off-by: Korel <Korelucpinar@gmail.com>
Rate limit entries are now associated with a specific VLAN. The create_rate_limit_entry() function has been modified to take the VLAN ID as a parameter, alongside the interface name. This ensures that rate limiting is applied correctly for each VLAN, rather than being global for the interface. The get_rate_limit_entry() function is updated to extract both the interface name and VLAN ID from the packet (skb), and then retrieve or create a rate limit entry accordingly. As a result, rate limit entries are now VLAN-specific, ensuring better control over rate limiting on a per-VLAN basis. Signed-off-by: Korel <Korelucpinar@gmail.com>
Add Feature: Dynamic ARP inspection per VLAN
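The VLAN scoping described in the commits above, as an added example that is not code from this pull request: a userspace C model in which trust is keyed on (interface, VLAN) and a DHCP snooping binding only validates an ARP sender on the VLAN where the lease was learned. The names `inspect_arp` and `is_trusted`, the table layouts, and all interface names and addresses are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample tables; names and layout are hypothetical, not kdai's. */
struct binding { uint32_t ip; uint8_t mac[6]; uint16_t vlan; };
struct trusted { const char *ifname; uint16_t vlan; };

static const uint8_t mac_a[6] = {0x02, 0, 0, 0, 0, 0x01};

static const struct binding snoop_tbl[] = {
    { 0x0A000064u, {0x02, 0, 0, 0, 0, 0x01}, 100 }, /* 10.0.0.100, VLAN 100 */
    { 0x0A000065u, {0x02, 0, 0, 0, 0, 0x02}, 200 }, /* 10.0.0.101, VLAN 200 */
};
static const struct trusted trust_tbl[] = { { "eth0", 100 } };

enum verdict { ARP_ACCEPT, ARP_DROP };

/* Trust is scoped to (interface, VLAN): eth0/100 says nothing about eth0/200. */
static int is_trusted(const char *ifname, uint16_t vlan)
{
    for (size_t i = 0; i < sizeof trust_tbl / sizeof trust_tbl[0]; i++)
        if (trust_tbl[i].vlan == vlan &&
            strcmp(trust_tbl[i].ifname, ifname) == 0)
            return 1;
    return 0;
}

/* A snooping entry validates a sender only when IP, MAC and VLAN all match. */
static enum verdict inspect_arp(const char *ifname, uint16_t vlan,
                                uint32_t sender_ip, const uint8_t sender_mac[6])
{
    if (is_trusted(ifname, vlan))
        return ARP_ACCEPT;
    for (size_t i = 0; i < sizeof snoop_tbl / sizeof snoop_tbl[0]; i++) {
        const struct binding *b = &snoop_tbl[i];
        if (b->ip == sender_ip && b->vlan == vlan &&
            memcmp(b->mac, sender_mac, 6) == 0)
            return ARP_ACCEPT;
    }
    return ARP_DROP;
}

int main(void)
{
    /* Same IP/MAC pair: valid on VLAN 100, rejected when replayed on VLAN 200. */
    printf("vlan100=%d vlan200=%d\n",
           inspect_arp("eth1", 100, 0x0A000064u, mac_a),
           inspect_arp("eth1", 200, 0x0A000064u, mac_a));
    return 0;
}
```
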
Add the Test Communication From Unacknowledged Sources Signed-off-by: Korel <Korelucpinar@gmail.com>
Add the Test Communication From Acknowledged Sources Signed-off-by: Korel <Korelucpinar@gmail.com>
Add the Test ARP Poisoning is prevented by DAI Signed-off-by: Korel <Korelucpinar@gmail.com>
Add the Test Malformed ARP request is dropped by DAI Signed-off-by: Korel <Korelucpinar@gmail.com>
Add the Test Static Entry in the ARP Table is accepted by DAI Signed-off-by: Korel <Korelucpinar@gmail.com>
Add the Test Rate Limiting to ensure that entries are dropped by DAI if they go over the default 15 packets per second Signed-off-by: Korel <Korelucpinar@gmail.com>
Add new edge case tests for malformed user input to the GitHub Actions workflow. Signed-off-by: Korel <Korelucpinar@gmail.com>
…tCases Add Setting Dynamic Parameter Test Cases
Add existing Test for Edge Cases to the github workflows Signed-off-by: Korel <Korelucpinar@gmail.com>
Fix: Add Edge Case Tests
Update the trusted interfaces naming to match c style convention Signed-off-by: Korel <Korelucpinar@gmail.com>
Module Initialization test case naming was changed to conform to C standards Signed-off-by: Korel <Korelucpinar@gmail.com>
Setting Dynamic Parameters test case naming was changed to conform to C standards Signed-off-by: Korel <Korelucpinar@gmail.com>
Using Dynamic Parameters test case naming was changed to conform to C standards Signed-off-by: Korel <Korelucpinar@gmail.com>
Core Dai Features test case naming was changed to conform to C standards Signed-off-by: Korel <Korelucpinar@gmail.com>
Edge Case test case naming was changed to conform to C standards Signed-off-by: Korel <Korelucpinar@gmail.com>
Remove the name of the file repeated at the top of the file in order to adhere to existing implementation of other test cases. Signed-off-by: Korel <Korelucpinar@gmail.com>
Chore: Organize Tests with Consistent Naming and Directory structure
Consolidate System headers to common.h Signed-off-by: Korel <Korelucpinar@gmail.com>
Python Helper Tests naming was changed to conform to C standards Signed-off-by: Korel <Korelucpinar@gmail.com>
…onHelpers Chore: Organize Python Scripts for Tests to Contain Consistent Naming and Directory structure
Reorganize the project directories into separate sections. Headers are now in 'include/' and source files are now in 'src/'. Makefiles have been updated to correctly reference these new paths. Build output has also been organized by adding a 'build/' directory upon making the module which will contain the final module. Signed-off-by: Korel <Korelucpinar@gmail.com>
Change the compare_u16 function to be static given that it is only used internally. Without doing so the build will fail as this function has no corresponding declaration in a .h file Signed-off-by: Korel <Korelucpinar@gmail.com>
Refactor: Reorganize Project Directory
Refactor comments and add comments for each function in vlan.c file such that they adhere to the Linux Kernel style comment block Signed-off-by: Korel <Korelucpinar@gmail.com>
Refactor comments and add comments for each function in trusted_interfaces.c file such that they adhere to the Linux Kernel style comment block Signed-off-by: Korel <Korelucpinar@gmail.com>
Refactor comments and add comments for each function in rate_limit.c file such that they adhere to the Linux Kernel style comment block Signed-off-by: Korel <Korelucpinar@gmail.com>
Refactor comments and add comments for each function in dhcp.c file such that they adhere to the Linux Kernel style comment block Signed-off-by: Korel <Korelucpinar@gmail.com>
Separate the module parameters into a separate file to help with readability. Comments have also been added to each module parameter function to help with understanding its functionality Signed-off-by: Korel <Korelucpinar@gmail.com>
Update the hook and associated function name to more accurately represent their function. Signed-off-by: Korel <Korelucpinar@gmail.com>
Refactor comments and add comments for each function in main.c file such that they adhere to the Linux Kernel style comment block Signed-off-by: Korel <Korelucpinar@gmail.com>
…ureForReadability Refactor Code Comments and Structure for Readability
Update README to include more information on the key features of KDAI, and any prerequisites for building and installing. More information regarding configuration set up is coming soon Signed-off-by: Korel <Korelucpinar@gmail.com>
Simplify the current README to make it more accessible to newcomers. Those interested in learning more about KDAI and how to configure it can use the associated docs.dent.dev page. Since it has not yet been released the README will again be updated when the page is released. Signed-off-by: Korel <Korelucpinar@gmail.com>
Update README
No description provided.