cmd/xdpderper,derp/xdp: implement mode that drops STUN packets (#12527)

This is useful during maintenance as a method for shedding home client load. Updates tailscale/corp#20689 Signed-off-by: Jordan Whited <jordan@tailscale.com>
2025-12-06 12:52:00 +00:00 · 2024-06-18 14:06:00 -07:00
parent d55b105dae
commit a93173b56a
9 changed files with 128 additions and 10 deletions
--- a/derp/xdp/bpf_bpfel.go
+++ b/derp/xdp/bpf_bpfel.go
@@ -12,7 +12,10 @@ import (
 	"github.com/cilium/ebpf"
 )

-type bpfConfig struct{ DstPort uint16 }
+type bpfConfig struct {
+	DstPort  uint16
+	DropStun uint16
+}

 type bpfCounterKeyAf uint32

@@ -46,7 +49,8 @@ const (
 	bpfCounterKeyProgEndCOUNTER_KEY_END_INVALID_IP_CSUM            bpfCounterKeyProgEnd = 3
 	bpfCounterKeyProgEndCOUNTER_KEY_END_NOT_STUN_PORT              bpfCounterKeyProgEnd = 4
 	bpfCounterKeyProgEndCOUNTER_KEY_END_INVALID_SW_ATTR_VAL        bpfCounterKeyProgEnd = 5
-	bpfCounterKeyProgEndCOUNTER_KEY_END_LEN                        bpfCounterKeyProgEnd = 6
+	bpfCounterKeyProgEndCOUNTER_KEY_END_DROP_STUN                  bpfCounterKeyProgEnd = 6
+	bpfCounterKeyProgEndCOUNTER_KEY_END_LEN                        bpfCounterKeyProgEnd = 7
 )

 type bpfCountersKey struct {