Merge branch 'igornovg/icbn-nft' into 'master'

feat(BOUN-1135): ic-boundary firewall bouncer Ban clients by IP based on the request rate. * Disabled by default, enabled by `--bouncer-enable` CLI arg * A lot of configuration knobs (see `cli.rs`) * Nftables sets manipulation using JSON API * Separate sets for v4 and v6 * Metrics See merge request dfinity-lab/public/ic!19160
dfinity · May 8, 2024 · 0b21f36 · 0b21f36
2 parents 153f512 + 14a6fbe
commit 0b21f36
Show file tree

Hide file tree

Showing 18 changed files with 1,293 additions and 106 deletions.
diff --git a/Cargo.Bazel.Fuzzing.json.lock b/Cargo.Bazel.Fuzzing.json.lock
@@ -1,5 +1,5 @@
 {
-  "checksum": "0d9fc574a89c8e83f40566d9aefec80b074dfd1a6764c61ed96ff290ab1e5d22",
+  "checksum": "cef35cb67751e139908bdd90e61d18887e63d2ad0ac230dc6c2dc63360421644",
   "crates": {
     "abnf 0.12.0": {
       "name": "abnf",
@@ -11766,14 +11766,14 @@
       ],
       "license_file": "LICENSE-APACHE"
     },
-    "clocksource 0.6.0": {
+    "clocksource 0.8.1": {
       "name": "clocksource",
-      "version": "0.6.0",
+      "version": "0.8.1",
       "package_url": "https://github.com/pelikan-io/rustcommon",
       "repository": {
         "Http": {
-          "url": "https://static.crates.io/crates/clocksource/0.6.0/download",
-          "sha256": "b90cc4cec392a6d97223f008b5da7a3c2c71aa6d5ffdf0e3e14d8b2432738387"
+          "url": "https://static.crates.io/crates/clocksource/0.8.1/download",
+          "sha256": "129026dd5a8a9592d96916258f3a5379589e513ea5e86aeb0bd2530286e44e9e"
         }
       },
       "targets": [
@@ -11807,23 +11807,7 @@
             }
           ],
           "selects": {
-            "cfg(all(not(windows), not(unix), not(target_os = \"macos\"), not(target_os = \"ios\")))": [
-              {
-                "id": "lazy_static 1.4.0",
-                "target": "lazy_static"
-              }
-            ],
-            "cfg(any(target_os = \"macos\", target_os = \"ios\"))": [
-              {
-                "id": "mach 0.3.2",
-                "target": "mach"
-              }
-            ],
             "cfg(windows)": [
-              {
-                "id": "lazy_static 1.4.0",
-                "target": "lazy_static"
-              },
               {
                 "id": "winapi 0.3.9",
                 "target": "winapi"
@@ -11832,13 +11816,14 @@
           }
         },
         "edition": "2021",
-        "version": "0.6.0"
+        "version": "0.8.1"
       },
-      "license": "Apache-2.0",
+      "license": "MIT OR Apache-2.0",
       "license_ids": [
-        "Apache-2.0"
+        "Apache-2.0",
+        "MIT"
       ],
-      "license_file": null
+      "license_file": "LICENSE-APACHE"
     },
     "cloudabi 0.0.3": {
       "name": "cloudabi",
@@ -17655,6 +17640,10 @@
               "id": "more-asserts 0.3.1",
               "target": "more_asserts"
             },
+            {
+              "id": "nftables 0.4.0",
+              "target": "nftables"
+            },
             {
               "id": "nix 0.24.3",
               "target": "nix"
@@ -17836,7 +17825,7 @@
               "target": "randomkit"
             },
             {
-              "id": "ratelimit 0.7.1",
+              "id": "ratelimit 0.9.1",
               "target": "ratelimit"
             },
             {
@@ -38366,7 +38355,8 @@
             "default",
             "future",
             "futures-util",
-            "quanta"
+            "quanta",
+            "sync"
           ],
           "selects": {}
         },
@@ -38906,6 +38896,79 @@
       ],
       "license_file": "LICENSE-MIT"
     },
+    "nftables 0.4.0": {
+      "name": "nftables",
+      "version": "0.4.0",
+      "package_url": "https://github.com/namib-project/nftables-rs",
+      "repository": {
+        "Http": {
+          "url": "https://static.crates.io/crates/nftables/0.4.0/download",
+          "sha256": "e689b44b33fc8c2894b6f609701f785a0c1816b7fcf43d05797bd25a513028d1"
+        }
+      },
+      "targets": [
+        {
+          "Library": {
+            "crate_name": "nftables",
+            "crate_root": "src/lib.rs",
+            "srcs": {
+              "allow_empty": false,
+              "include": [
+                "**/*.rs"
+              ]
+            }
+          }
+        }
+      ],
+      "library_target_name": "nftables",
+      "common_attrs": {
+        "compile_data_glob": [
+          "**"
+        ],
+        "deps": {
+          "common": [
+            {
+              "id": "serde 1.0.195",
+              "target": "serde"
+            },
+            {
+              "id": "serde_json 1.0.107",
+              "target": "serde_json"
+            },
+            {
+              "id": "serde_path_to_error 0.1.14",
+              "target": "serde_path_to_error"
+            },
+            {
+              "id": "strum 0.26.2",
+              "target": "strum"
+            },
+            {
+              "id": "thiserror 1.0.57",
+              "target": "thiserror"
+            }
+          ],
+          "selects": {}
+        },
+        "edition": "2021",
+        "proc_macro_deps": {
+          "common": [
+            {
+              "id": "strum_macros 0.26.2",
+              "target": "strum_macros"
+            }
+          ],
+          "selects": {}
+        },
+        "version": "0.4.0"
+      },
+      "license": "MIT OR Apache-2.0",
+      "license_ids": [
+        "Apache-2.0",
+        "MIT"
+      ],
+      "license_file": "LICENSE-APACHE"
+    },
     "nix 0.24.3": {
       "name": "nix",
       "version": "0.24.3",
@@ -50312,14 +50375,14 @@
       ],
       "license_file": "LICENSE-APACHE"
     },
-    "ratelimit 0.7.1": {
+    "ratelimit 0.9.1": {
       "name": "ratelimit",
-      "version": "0.7.1",
+      "version": "0.9.1",
       "package_url": "https://github.com/pelikan-io/rustcommon",
       "repository": {
         "Http": {
-          "url": "https://static.crates.io/crates/ratelimit/0.7.1/download",
-          "sha256": "bf5bcfab8fa35f78da44c3ebb3437381c0ae11e9fab355b7a27f581d8d2028a2"
+          "url": "https://static.crates.io/crates/ratelimit/0.9.1/download",
+          "sha256": "6c1bb13e2dcfa2232ac6887157aad8d9b3fe4ca57f7c8d4938ff5ea9be742300"
         }
       },
       "targets": [
@@ -50344,7 +50407,7 @@
         "deps": {
           "common": [
             {
-              "id": "clocksource 0.6.0",
+              "id": "clocksource 0.8.1",
               "target": "clocksource"
             },
             {
@@ -50359,7 +50422,7 @@
           "selects": {}
         },
         "edition": "2021",
-        "version": "0.7.1"
+        "version": "0.9.1"
       },
       "license": "MIT OR Apache-2.0",
       "license_ids": [
@@ -75825,15 +75888,6 @@
       "x86_64-unknown-freebsd",
       "x86_64-unknown-none"
     ],
-    "cfg(all(not(windows), not(unix), not(target_os = \"macos\"), not(target_os = \"ios\")))": [
-      "riscv32imc-unknown-none-elf",
-      "riscv64gc-unknown-none-elf",
-      "thumbv7em-none-eabi",
-      "thumbv8m.main-none-eabi",
-      "wasm32-unknown-unknown",
-      "wasm32-wasi",
-      "x86_64-unknown-none"
-    ],
     "cfg(all(target_arch = \"aarch64\", target_env = \"msvc\", not(windows_raw_dylib)))": [
       "aarch64-pc-windows-msvc"
     ],
@@ -76996,6 +77050,7 @@
     "mockito 1.2.0",
     "moka 0.12.1",
     "more-asserts 0.3.1",
+    "nftables 0.4.0",
     "nix 0.24.3",
     "notify 4.0.17",
     "num 0.4.1",
@@ -77044,7 +77099,7 @@
     "rand_distr 0.4.3",
     "rand_pcg 0.3.1",
     "randomkit 0.1.1",
-    "ratelimit 0.7.1",
+    "ratelimit 0.9.1",
     "rayon 1.8.0",
     "rcgen 0.11.3",
     "regex 1.10.2",

diff --git a/Cargo.Bazel.Fuzzing.toml.lock b/Cargo.Bazel.Fuzzing.toml.lock
@@ -1993,13 +1993,11 @@ checksum = "cd7cc57abe963c6d3b9d8be5b06ba7c8957a930305ca90304f24ef040aa6f961"
 
 [[package]]
 name = "clocksource"
-version = "0.6.0"
+version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b90cc4cec392a6d97223f008b5da7a3c2c71aa6d5ffdf0e3e14d8b2432738387"
+checksum = "129026dd5a8a9592d96916258f3a5379589e513ea5e86aeb0bd2530286e44e9e"
 dependencies = [
- "lazy_static",
  "libc",
- "mach",
  "time",
  "winapi 0.3.9",
 ]
@@ -3059,6 +3057,7 @@ dependencies = [
  "mockito",
  "moka",
  "more-asserts",
+ "nftables",
  "nix 0.24.3",
  "notify",
  "num",
@@ -6712,6 +6711,20 @@ version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e4a24736216ec316047a1fc4252e27dabb04218aa4a3f37c6e7ddbf1f9782b54"
 
+[[package]]
+name = "nftables"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e689b44b33fc8c2894b6f609701f785a0c1816b7fcf43d05797bd25a513028d1"
+dependencies = [
+ "serde",
+ "serde_json",
+ "serde_path_to_error",
+ "strum 0.26.2",
+ "strum_macros 0.26.2",
+ "thiserror",
+]
+
 [[package]]
 name = "nix"
 version = "0.24.3"
@@ -8553,9 +8566,9 @@ checksum = "977b1e897f9d764566891689e642653e5ed90c6895106acd005eb4c1d0203991"
 
 [[package]]
 name = "ratelimit"
-version = "0.7.1"
+version = "0.9.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bf5bcfab8fa35f78da44c3ebb3437381c0ae11e9fab355b7a27f581d8d2028a2"
+checksum = "6c1bb13e2dcfa2232ac6887157aad8d9b3fe4ca57f7c8d4938ff5ea9be742300"
 dependencies = [
  "clocksource",
  "parking_lot 0.12.1",