AltraMayor Gatekeeper Versions

First open-source DDoS protection system

v1.0.0

2 years ago

This very first stable version of Gatekeeper is a long-coming dream of our group. The dream of an Internet whose stakeholders do not fear DDoS attacks.

When bad men combine, the good must associate; else they will fall, one by one, an unpitied sacrifice in a contemptible struggle. -- Edmund Burke (1770).

As in a college commencement, this release is not the end, but the beginning of the transition from dreamland to reality. Thank you very much to all of those that have made any contribution to help us to get to this moment. On behalf of these contributors, we welcome all the future members of our community.

This version adds the following items to the RC2:

  1. Improved sanity checks to Gatekeeper servers' FIB entries (see pull requests #439, #443, #523 and #526, and commits 69e68957804da6131adae2d464799ad52b9cbdad and 04f3a429f97f0bc41ca19c428e3859e42ea32e30);
  2. Added support for load balancing Grantor servers directly on Gatekeeper servers (see pull request #438);
  3. Eliminated parameters max_num_ipv4_fib_entries and max_num_ipv6_fib_entries of GK blocks (see issue #440);
  4. Improved support for VLANs (see issue #437 and pull request #518);
  5. Added support for /31 (IPv4) and /127 (IPv6) subnet masks (see issue #444);
  6. Fixed bugs (see pull requests #448, #449, #452, #505 and #522, and commits bd3bd6a1eeb4e01c4c24b25db57b31eb8734bcff and 0691ff29a724330a74e138c56ff4dac9f267a404);
  7. Added the Lua function dylib.c.gk_unload_bpf_flow_handler() to unload BPF programs in runtime (see pull request #454);
  8. Properly dropped privileges while running under systemd (see pull request #458);
  9. Fixed ping replies (see pull request #460);
  10. Supported ping and traceroute from the KNI interfaces to help with network diagnoses (see pull requests #461 and #511);
  11. Better integrated with NICs that support ntuple filters (see pull requests #465, #513, and #515);
  12. Enabled gkctl to wait for Gatekeeper during boot (see pull request #467);
  13. Tuned up the Debian packages (see pull requests #459, #468, #471, #476, #478, and #487);
  14. Improved generated log in production (see pull requests #469, #479, #520, and #527, and commit 11af1e8b4950b360561785d54ce2ebae5be5039b);
  15. Made Gatekeeper fully functional when running with a non-root user (see pull requests #475, #500, and #501);
  16. Reviewed the initialization of the KNI interfaces (see pull requests #482 and #483);
  17. Improved support for routing daemons (see pull requests #463, #484, #494, #495, and #496, and commit 538665fefe81fa991eb3779faa72ea43b9a6e655);
  18. Speeded up the scripts of gkctl (see pull requests #489 and #493);
  19. Updated our patched Bird to the stable version 2.0.8 (see pull request #498);
  20. Corrected NUMA node of LPM tables created in Lua policies (see pull request #504);
  21. Reviewed Lua lpmlib (see pull request #506);
  22. Supported multiple TCP daemons on the KNI interfaces (see pull request #514);
  23. Tightened code (see pull request #517);
  24. Validated that front and back addresses are not in the same subnet (see pull request #521);
  25. Fixed a bug at the IPv6 LPM table of DPDK (see pull requests #524 and #525).

This release is dedicated to all of those that had their lives, projects, and businesses, in any way, disrupted by DDoS.

v1.0.0-rc2

3 years ago

This release candidate addresses a number of small issues, bugs, and needs identified during tests of the RC1 in production. We expect that the final version will be this release candidate or a small variation of it. The following list summarizes the changes since the RC1:

  1. Fix dependencies of Debian packages;
  2. Improve installation instructions;
  3. Add functions to help to dynamically update LPM tables of policies;
  4. Support /30 prefixes for IPv4 on front and back interfaces;
  5. Enable GT blocks to reply to routers when packets are not destined to neighbors;
  6. Fix initialization bug on servers with multiple NUMA nodes;
  7. Add example scripts gkctl/scripts/*.lua for command gkctl;
  8. Protect Dynamic Configuration block from Lua scripts that return nothing;
  9. Improve log messages to help to diagnose issues;
  10. Fix IPv4 checksum when packets are sent directly from Gatekeeper servers to destinations;
  11. Fix flow entry creation when flow tables are saturated.

v1.0.0-rc1

4 years ago

This is the version that we are going to use for the first deployment: a single 10Gbps Gatekeeper server and two Grantor servers. This version has been thoroughly tested in test environments. We expect that the final release will be this RC1 with small changes (if needed) due to production demands.