{"id":13576550,"url":"https://github.com/AltraMayor/gatekeeper","last_synced_at":"2025-04-05T08:32:18.050Z","repository":{"id":38707997,"uuid":"62745741","full_name":"AltraMayor/gatekeeper","owner":"AltraMayor","description":"The first open-source DDoS protection system","archived":false,"fork":false,"pushed_at":"2024-12-31T00:18:15.000Z","size":2843,"stargazers_count":1436,"open_issues_count":94,"forks_count":229,"subscribers_count":53,"default_branch":"master","last_synced_at":"2025-03-29T10:04:12.735Z","etag":null,"topics":["anti-ddos","ddos","ddos-mitigation","ddos-protection","dpdk"],"latest_commit_sha":null,"homepage":"https://github.com/AltraMayor/gatekeeper/wiki","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/AltraMayor.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-07-06T18:53:45.000Z","updated_at":"2025-03-28T21:58:29.000Z","dependencies_parsed_at":"2024-01-03T04:13:19.470Z","dependency_job_id":"2bd454ce-c03b-4b6f-bb23-edb1b0ae17be","html_url":"https://github.com/AltraMayor/gatekeeper","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AltraMayor%2Fgatekeeper","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AltraMayor%2Fgatekeeper/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AltraMayor%2Fgatekeeper/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AltraMayor%2Fgatekeeper/manifests"
,"owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/AltraMayor","download_url":"https://codeload.github.com/AltraMayor/gatekeeper/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247311772,"owners_count":20918337,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anti-ddos","ddos","ddos-mitigation","ddos-protection","dpdk"],"created_at":"2024-08-01T15:01:11.303Z","updated_at":"2025-04-05T08:32:18.032Z","avatar_url":"https://github.com/AltraMayor.png","language":"C","readme":"# Gatekeeper\n\n\u003ca href=\"https://github.com/AltraMayor/gatekeeper/actions?query=workflow%3compile\"\u003e\n  \u003cimg alt=\"Gatekeeper compilation status\"\n       src=\"https://github.com/AltraMayor/gatekeeper/workflows/compile/badge.svg\"\u003e\n\u003c/a\u003e\n\n## What is Gatekeeper?\n\nGatekeeper is the first open source DDoS protection system. It is designed to\nscale to any peak bandwidth, so it can withstand DDoS attacks both of today\nand of tomorrow. In spite of the geographically distributed architecture of\nGatekeeper, the network policy that describes all decisions that have to be\nenforced on the incoming traffic is centralized. This centralized policy\nenables network operators to leverage distributed algorithms that would not\nbe viable under very high latency (e.g. distributed databases) and to fight\nmultiple multi-vector DDoS attacks at once.\n\nThe intended users of Gatekeeper are network operators of institutions,\nservice and content providers, enterprise networks, etc. 
It is not intended\nto be used by individual Internet users.\n\nFor more information, see the [Gatekeeper wiki](https://github.com/AltraMayor/gatekeeper/wiki).\n\n## How to Set Up\n\n### Configure Hugepages\n\nDPDK requires the use of hugepages; instructions for mounting hugepages are\navailable in the [requirements documentation](http://doc.dpdk.org/guides/linux_gsg/sys_reqs.html#use-of-hugepages-in-the-linux-environment).\nOn many systems, the following hugepages setup is sufficient:\n\n```console\n$ echo 256 | sudo tee /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages\n```\n\n### Enable the kernel module `vfio-pci`\n\nThe Linux kernel module `vfio-pci` is needed to bind NICs to DPDK/Gatekeeper.\nIn order for `vfio-pci` to work, both the BIOS and the kernel must support it.\nBIOSes must have VT-d enabled.\nBIOSes may identify VT-d as \"Intel (R) VT for Directed I/O\",\n\"Intel (R) VT-d Feature\", \"Intel VT-d\", \"VT-d\", or similar variations;\nfor more examples, search \"BIOS VT-d\" on\n[Google Images](https://images.google.com/).\nSome BIOSes may require that an option called\n\"Intel (R) Virtualization Technology\" (or variations of this string) be\nenabled before VT-d can be enabled.\n\nTo check that VT-d is enabled at the BIOS, run the following command after\nLinux boots up:\n\n```console\n$ dmesg | grep -e DMAR\n```\n\nIf the command above returns some lines, VT-d should be enabled.\nOtherwise, one has to go back to the BIOS to enable it.\nMore information on how to check that VT-d is enabled at the BIOS is\navailable on [this page](https://stackoverflow.com/questions/51261999/check-if-vt-d-iommu-has-been-enabled-in-the-bios-uefi).\n\nOnce VT-d is enabled at the BIOS, one must ensure that the kernel supports\nIOMMU.\nNotice that one needs a kernel version greater than 3.6 to support IOMMU.\nOne can verify if the running kernel has IOMMU enabled by default with\nthe following command:\n\n```console\n$ grep CONFIG_INTEL_IOMMU_DEFAULT_ON 
/boot/config-`uname -r`\n```\n\nMost likely, the command above will output\n`# CONFIG_INTEL_IOMMU_DEFAULT_ON is not set`, that is,\nthe running kernel does not have IOMMU enabled by default.\nAlternative ways to check for kernel build options\n(i.e. `CONFIG_INTEL_IOMMU_DEFAULT_ON`) are available on\n[this page](https://unix.stackexchange.com/questions/83319/where-are-the-current-kernel-build-options-stored).\n\nIf the kernel does not have IOMMU enabled by default,\none has to pass the kernel boot parameter `intel_iommu=on` via GRUB.\nFor information on why the boot parameter `intel_iommu=on` is needed,\nsee [this page](https://unix.stackexchange.com/questions/595353/vt-d-support-enabled-but-iommu-groups-are-missing).\nOne can check if the running kernel received this parameter with\nthe command below:\n\n```console\n$ cat /proc/cmdline | grep intel_iommu=on\n```\n\nIf the running kernel has not received the parameter `intel_iommu=on`,\nadd it to GRUB, and reboot the machine.\nInformation on how to add a boot parameter to GRUB is found\n[here](https://askubuntu.com/questions/19486/how-do-i-add-a-kernel-boot-parameter).\n\nOnce VT-d is enabled at the BIOS and the kernel supports IOMMU,\none can verify that everything is all set with one of the following commands:\n\n```console\n$ ls /sys/kernel/iommu_groups\n```\n\nOR\n\n```console\n$ dmesg | grep -ie 'IOMMU\\s\\+enabled'\n```\n\nEverything is all set if the outputs of the commands above are not empty.\n\n### Option 1: Obtain Packages\n\nGatekeeper Debian packages are available for Ubuntu 24.04 LTS at the project's\n[Releases](https://github.com/AltraMayor/gatekeeper/releases)\npage.\n\n#### Install\n\nOnce the packages are downloaded, they can be installed with the commands below:\n\n```console\n$ tar -zxvf gatekeeper-ubuntu-24.04-packages.tar.gz\n$ cd gatekeeper-ubuntu-24.04-packages\n$ sudo dpkg -i gatekeeper-bird_*_amd64.deb gatekeeper_*_amd64.deb\n```\n\n#### Configure Gatekeeper\n\nWhen installed via Debian 
packages, Gatekeeper configuration files are located\nin `/etc/gatekeeper`. You should edit at least the `net.lua` file, and set the\n`front_ports`, `front_ips`, `back_ports` and `back_ips` variables according to\nyour environment.\n\nThe other Lua files configure different Gatekeeper functional blocks. Please\nrefer to the project's [wiki](https://github.com/AltraMayor/gatekeeper/wiki)\nfor further information on whether these need to be changed in your setup.\n\nYou also need to edit the `/etc/gatekeeper/envvars` file and set the\n`GATEKEEPER_INTERFACES` variable to the PCI addresses of the network adapters\nto be bound to DPDK. These can be found using the `lshw` command. For example:\n\n```console\n# lshw -c network -businfo\nBus info          Device     Class          Description\n=======================================================\npci@0000:08:00.0  eth0       network        I350 Gigabit Network Connection\npci@0000:08:00.1  eth1       network        I350 Gigabit Network Connection\n...\n```\n\nGiven this output, set `GATEKEEPER_INTERFACES` as below:\n\n```sh\nGATEKEEPER_INTERFACES=\"08:00.0 08:00.1\"\n```\n\nIn the same file, you can optionally specify\n[Environmental Abstraction Layer options](https://doc.dpdk.org/guides/linux_gsg/linux_eal_parameters.html)\nin the `DPDK_ARGS` variable and\n[Gatekeeper-specific options](https://github.com/AltraMayor/gatekeeper/wiki/Configuration#application-configuration)\nin `GATEKEEPER_ARGS`.\n\n#### How to run\n\nRun the commands below to start Gatekeeper and to ensure it is started\nautomatically on reboots.\n\n```console\n$ sudo systemctl start gatekeeper\n$ sudo systemctl enable gatekeeper\n```\n\n### Option 2: Build from Source\n\n#### Install Dependencies\n\nInstall the following software dependencies:\n\n```console\n$ sudo apt-get update\n$ sudo apt-get -y -q install git clang devscripts doxygen libhugetlbfs-bin \\\n    build-essential gcc-multilib linux-headers-`uname -r` libmnl0 libmnl-dev \\\n    libkmod2 
libkmod-dev libnuma-dev libelf1 libelf-dev libc6-dev-i386 \\\n    autoconf flex bison libncurses5-dev libreadline-dev python3 \\\n    python3-pyelftools libcap-dev libcap2 meson ninja-build pkg-config\n```\n\nNote: Both `libmnl0` and `libmnl-dev` are needed to compile and run\n`gatekeeper`, but only `libmnl0` is needed for simply running `gatekeeper`.\nBoth `libkmod2` and `libkmod-dev` are needed to compile and run `gatekeeper`,\nbut only `libkmod2` is needed for simply running `gatekeeper`.\n`libnuma-dev` is needed to compile the latest DPDK and to support NUMA systems.\nThe package `libelf-dev` is needed to compile DPDK with support for reading\nBPF programs from ELF files, but only `libelf1` is needed to run it.\nThe package `libc6-dev-i386` is needed to compile the BPF programs in\nthe folder `bpf/`.\nThe `autoconf`, `flex`, `bison`, `libncurses5-dev`, and\n`libreadline-dev` packages are for BIRD. The `devscripts` package is used to\nbuild Gatekeeper Debian packages.\nThe packages `python3` and `python3-pyelftools` are needed to build DPDK and to\nrun Python scripts such as `dpdk-devbind.py`.\n`libcap-dev` is needed to compile Gatekeeper, but only `libcap2` is needed\nto run Gatekeeper.\n`meson` and `ninja-build` are needed for building DPDK.\n`pkg-config` is needed to compile Gatekeeper.\n\nTo use DPDK, make sure you have all of the [environmental requirements](http://dpdk.org/doc/guides/linux_gsg/sys_reqs.html#running-dpdk-application).\n\n#### Clone Repository\n\nClone the Gatekeeper repository, including the submodules that\ncontain Gatekeeper dependencies:\n\n```console\n$ git clone --recursive http://github.com/AltraMayor/gatekeeper.git\n```\n\nIf you do not use the `--recursive` clone option, you need to obtain the\nsubmodules that contain the dependencies from within the `gatekeeper`\ndirectory:\n\n```console\n$ git submodule init\n$ git submodule update\n```\n\n#### Compile\n\nThis section explains how to build Gatekeeper manually. 
If you want to build\nDebian packages, refer to the section\n[How to build packages](#how-to-build-packages).\n\nWhile in the `gatekeeper` directory, run the setup script:\n\n```console\n$ . setup.sh\n```\n\nThis script compiles DPDK, LuaJIT, and BIRD, and loads the needed\nkernel modules. Additionally, it saves the interface names and their\nrespective PCI addresses in the file `lua/if_map.lua` so that interface\nnames can be used in the Gatekeeper configuration files.\n\nOnce DPDK and LuaJIT are compiled, `gatekeeper` can be compiled:\n\n```console\n$ make\n```\n\n#### Configure Network Adapters\n\nBefore `gatekeeper` can be used, the network adapters must be bound to DPDK.\nFor this, you can use the script `dependencies/dpdk/usertools/dpdk-devbind.py`.\nFor example:\n\n```console\n$ sudo dependencies/dpdk/usertools/dpdk-devbind.py --bind=vfio-pci enp131s0f0\n```\n\nThis command binds the interface `enp131s0f0` to the `vfio-pci` driver\nso that frames can be passed directly to DPDK instead of the kernel. Note\nthat this binding must take place after Gatekeeper is set up in the steps\nabove so that the bound interface appears in the list of interfaces in\n`lua/if_map.lua`.\n\n#### How to Run\n\nOnce `gatekeeper` is compiled and the environment is configured correctly, run:\n\n```console\n$ sudo build/gatekeeper [EAL OPTIONS] -- [GATEKEEPER OPTIONS]\n```\n\nWhere `[EAL OPTIONS]` are specified before a double dash and represent the\nparameters for DPDK's [Environmental Abstraction Layer](https://doc.dpdk.org/guides/linux_gsg/linux_eal_parameters.html)\nand `[GATEKEEPER OPTIONS]` are specified after the double dash and\nrepresent [Gatekeeper-specific options](https://github.com/AltraMayor/gatekeeper/wiki/Configuration#application-configuration).\n\nThe early configuration of the system, including device and memory\nconfiguration in DPDK, will be logged to stdout. 
Once Gatekeeper is booted,\nall information is output to the Gatekeeper log.\n\n#### How to build packages\n\nGatekeeper Debian packages can be built with the commands below. They are meant\nto be run from the repository root and assume the git submodules have been\npulled, and that the build dependencies have been installed, as instructed\nabove. Gatekeeper and the submodules will be automatically compiled during the\npackage build process.\n\n```console\n$ tar --exclude-vcs -Jcvf ../gatekeeper_1.2.0.orig.tar.xz -C .. gatekeeper\n$ debuild -uc -us\n```\n\nThe Gatekeeper package will be available in the parent directory.\n","funding_links":[],"categories":["C","C (286)","网络外围防御","Network perimeter defenses","Tools"],"sub_categories":["事件证据搜集（取证）","Evidence collection","Satellite"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FAltraMayor%2Fgatekeeper","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FAltraMayor%2Fgatekeeper","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FAltraMayor%2Fgatekeeper/lists"}