From: Remi Gacogne Date: Thu, 22 Apr 2021 08:15:54 +0000 (+0200) Subject: dnsdist: Document that eBPF is only used for "drop" actions X-Git-Tag: dnsdist-1.6.0-rc2~2^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c416cfe4a120e4da1fd654f3eb39a0fccc450c47;p=thirdparty%2Fpdns.git dnsdist: Document that eBPF is only used for "drop" actions --- diff --git a/pdns/dnsdistdist/docs/advanced/ebpf.rst b/pdns/dnsdistdist/docs/advanced/ebpf.rst index ba3b50f2cd..2d82845016 100644 --- a/pdns/dnsdistdist/docs/advanced/ebpf.rst +++ b/pdns/dnsdistdist/docs/advanced/ebpf.rst @@ -63,7 +63,7 @@ The dynamic eBPF blocks and the number of queries they blocked can be seen in th They can be unregistered at a later point using the :func:`unregisterDynBPFFilter` function. -Since 1.6.0, the default BPF filter set via :func:`setDefaultBPFFilter` will automatically get used when a dynamic block is inserted via a :ref:`DynBlockRulesGroup`. +Since 1.6.0, the default BPF filter set via :func:`setDefaultBPFFilter` will automatically get used when a "drop" dynamic block is inserted via a :ref:`DynBlockRulesGroup`. That feature might require an increase of the memory limit associated to a socket, via the sysctl setting ``net.core.optmem_max``. When attaching an eBPF program to a socket, the size of the program is checked against this limit, and the default value might not be enough. diff --git a/pdns/dnsdistdist/docs/guides/dynblocks.rst b/pdns/dnsdistdist/docs/guides/dynblocks.rst index 4936cdc465..10e52d3777 100644 --- a/pdns/dnsdistdist/docs/guides/dynblocks.rst +++ b/pdns/dnsdistdist/docs/guides/dynblocks.rst 
@@ -85,4 +85,4 @@ action is applied. -- If the query rate raises above 300 qps for 10 seconds, we'll block the client for 60s. dbr:setQueryRate(300, 10, "Exceeded query rate", 60, DNSAction.Drop, 100) -Since 1.6.0, if a default eBPF filter has been set via :func:`setDefaultBPFFilter` dnsdist will automatically try to use it when a dynamic block is inserted via a :ref:`DynBlockRulesGroup`. eBPF blocks are applied in kernel space and are much more efficient than user space ones. Note that a regular block is also inserted so that any failure will result in a regular block being used instead of the eBPF one. +Since 1.6.0, if a default eBPF filter has been set via :func:`setDefaultBPFFilter` dnsdist will automatically try to use it when a "drop" dynamic block is inserted via a :ref:`DynBlockRulesGroup`. eBPF blocks are applied in kernel space and are much more efficient than user space ones. Note that a regular block is also inserted so that any failure will result in a regular block being used instead of the eBPF one.
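Review bot: In the ebpf.rst hunk (@@ -63,7 +63,7 @@), the added sentence names the action as a quoted word, "drop", while the configuration example in dynblocks.rst spells the same thing as DNSAction.Drop. I would write it as ``DNSAction.Drop`` here so the reader can match it to the value they pass to the rule. The sentence also only states the positive case: it would help to add that dynamic blocks with any other action do not use the default BPF filter, which is what the commit subject says but the paragraph itself leaves implicit.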
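Review bot: In the dynblocks.rst hunk (@@ -85,4 +85,4 @@), the added line restricts eBPF to "drop" blocks, but the sentence that follows still reads "eBPF blocks are applied in kernel space and are much more efficient than user space ones" without saying that a rule configured with a different action gets none of that benefit. This guide is where an operator picks the action (the setQueryRate example just above passes DNSAction.Drop), so I would add one sentence stating that blocks with other actions are only inserted as regular blocks. Minor style point on the same line: a comma after :func:`setDefaultBPFFilter` would make the long sentence easier to parse, and since the wording is nearly identical to the ebpf.rst paragraph, a :doc: cross-reference to that page would keep the two from drifting apart.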