
dnsdist: Optionally skip userspace blocking of eBPF-backed dynblocks #12061

@rgacogne

Description

  • Program: dnsdist
  • Issue type: Feature request

Short description

Our dynamic blocking mechanism can intercept queries in either kernel-space (eBPF/XDP) or user-space. When we insert a rule that is using eBPF (bpf field set to true, see ) the lookup is still done in userspace as well:
`if (auto got = holders.dynNMGBlock->lookup(AddressAndPortRange(*dq.remote, dq.remote->isIPv4() ? 32 : 128, 16))) {`
Historically this was needed because some distributions shipped a combination of userspace includes and kernel that made it very hard to detect if eBPF was actually supported, so falling back to userspace blocking made sense.
Today this is mostly useful to keep the pruning and reporting parts unified between the two ways of blocking queries.
Still in some cases this leads to issues, as when some addresses are allow-listed in an eBPF/XDP program but not in userspace. One option would be to keep the allow-list synchronized with 1 but that might prove difficult if the list is dynamic.
I see two possible ways of fixing that:

  • separate the rules that are enforced in kernel-space from the user-space ones. This will make the management of dynamic blocks more complicated, as we will have to look into two lists when determining if a block is a new one, when computing metrics and pruning expired entries, but will avoid having to do a double-lookup (kernel-space then user-space) for each query
  • keep the rules in the same place but stop enforcing rules whose bpf field is set to true in user-space. This is a lot easier, but the useless double lookup remains.
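The double lookup described above, modeled as an added example (not dnsdist's own code): one list of dynamic blocks carrying a `bpf` flag, a kernel-side decision that honours the XDP allow-list, and a user-space lookup that can skip bpf-backed entries (the second option) while expiry pruning remains a single pass over the one list. The type and function names, the `/24` block and the client address are assumptions.

```cpp
// Added example, not dnsdist code; names, fields and addresses are assumptions.
#include <algorithm>
#include <cstdint>
#include <vector>
struct DynBlock {
    uint32_t prefix;  // IPv4 network address, host byte order
    int bits;         // prefix length
    int64_t until;    // expiry (seconds)
    bool bpf;         // true: enforced by the eBPF/XDP program
    uint64_t blocks;  // user-space hit counter for reporting
};
static bool matches(const DynBlock& r, uint32_t addr) {
    uint32_t mask = r.bits == 0 ? 0 : ~uint32_t(0) << (32 - r.bits);
    return (addr & mask) == (r.prefix & mask);
}
struct DynBlockTable {
    std::vector<DynBlock> rules;
    std::vector<uint32_t> xdpAllowList;  // addresses the XDP program lets through
    bool kernelBlocks(uint32_t addr, int64_t now) const {  // XDP side: allow-list first, then bpf rules only
        if (std::count(xdpAllowList.begin(), xdpAllowList.end(), addr)) return false;
        for (const auto& r : rules)
            if (r.bpf && r.until > now && matches(r, addr)) return true;
        return false;
    }
    bool userspaceBlocks(uint32_t addr, int64_t now, bool skipBpfRules) {  // for queries past the kernel
        for (auto& r : rules) {
            if (r.until <= now || !matches(r, addr)) continue;
            if (r.bpf && skipBpfRules) continue;  // the kernel already had its say
            ++r.blocks;
            return true;
        }
        return false;
    }
    size_t prune(int64_t now) {  // one pass over one list, however an entry is enforced
        auto it = std::remove_if(rules.begin(), rules.end(),
                                 [&](const DynBlock& r) { return r.until <= now; });
        size_t removed = rules.end() - it;
        rules.erase(it, rules.end());
        return removed;
    }
};
// Issue scenario: 192.0.2.0/24 blocked via eBPF, client 192.0.2.7 allow-listed in XDP only.
// Returns true when that client is dropped anyway by the user-space lookup.
bool allowListedClientDropped(bool skipBpfRules) {
    DynBlockTable t;
    t.rules.push_back({0xC0000200u, 24, 1000, true, 0});
    t.xdpAllowList.push_back(0xC0000207u);
    if (t.kernelBlocks(0xC0000207u, 500)) return true;
    return t.userspaceBlocks(0xC0000207u, 500, skipBpfRules);
}
```

With `skipBpfRules` false the allow-listed client is still dropped by the second lookup; with it true the kernel decision stands, and pruning and the hit counters keep working off the same list.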
