Performance-tune the blocklist

Previously we blocked by CIDRs, not IPs, but that was flawed: of the 746
CIDRs, 744 of them were /32 — in other words, IP addresses. And matching
CIDRs is computationally expensive: consuming 4.8% of the CPU for each
query.

We switched to a string-indexed map instead to accelerate matching.

- Fivefold increase in blocklist lookup speed, dropping from consuming
  4.8% of the CPU to 0.96%
- Added a new member, `xip.BlocklistIPs`
- All blocked sites are IPv4. I have never gotten a takedown for an IPv6
  site
- I wanted to maintain backwards-compatibility with my blocklist file; I
  didn't want to be forced to coordinate updating that simultaneously
  with a deploy of this code, hence the automated "/32" conversion from
  a CIDR to an IP address
- I cleaned up the test blocklist file (`blocklist-test.txt`); it's
  easier to read & understand
- I added profiling from before, `profile/cpu-cidr.prof`, and after,
  `profile/cpu-ip.prof`, the change.

This commit is contained in:
Brian Cunnie
2025-08-24 14:11:58 -07:00
parent 3fec19f6fc
commit ca19f02369
7 changed files with 114 additions and 53 deletions
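
The data-structure change the commit message describes, as an added illustration written for this page rather than code taken from sslip.io: single-host entries (bare IPs and the legacy `/32` spelling) are folded into a string-keyed map that answers most lookups in O(1), and only genuinely ranged CIDRs are kept for a linear scan. The type and function names (`Blocklist`, `ParseBlocklist`, `Blocked`), the file format details and the sample blocklist are assumptions; the project's real member is `xip.BlocklistIPs`. The example goes one step beyond the commit, which only converts `/32`, by folding IPv6 `/128` entries the same way.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"strings"
)

// Blocklist keeps single-host entries in a map keyed by the address's
// canonical string form (an O(1) probe) and only genuinely ranged CIDRs in a
// slice that is scanned when the probe misses.
type Blocklist struct {
	IPs   map[string]struct{}
	CIDRs []net.IPNet
}

// ParseBlocklist reads one entry per line; blank lines and "#" comments are
// skipped. A bare IP, a /32 (IPv4) or a /128 (IPv6) CIDR becomes a map key;
// anything wider is kept as a CIDR. The first malformed line is an error.
func ParseBlocklist(r io.Reader) (*Blocklist, error) {
	bl := &Blocklist{IPs: map[string]struct{}{}}
	sc := bufio.NewScanner(r)
	for lineNo := 1; sc.Scan(); lineNo++ {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		if !strings.Contains(line, "/") {
			ip := net.ParseIP(line)
			if ip == nil {
				return nil, fmt.Errorf("line %d: %q is not an IP address", lineNo, line)
			}
			bl.IPs[ip.String()] = struct{}{}
			continue
		}
		_, ipnet, err := net.ParseCIDR(line)
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", lineNo, err)
		}
		if ones, bits := ipnet.Mask.Size(); ones == bits {
			// Single-host CIDR (/32 or /128): store it as an IP so the map,
			// not the CIDR scan, answers queries for it.
			bl.IPs[ipnet.IP.String()] = struct{}{}
			continue
		}
		bl.CIDRs = append(bl.CIDRs, *ipnet)
	}
	return bl, sc.Err()
}

// Blocked reports whether ip is on the list. Normalising through String()
// means "::ffff:1.2.3.4" and "1.2.3.4" hit the same map key.
func (bl *Blocklist) Blocked(ip net.IP) bool {
	if ip == nil {
		return false
	}
	if _, ok := bl.IPs[ip.String()]; ok {
		return true
	}
	for i := range bl.CIDRs {
		if bl.CIDRs[i].Contains(ip) {
			return true
		}
	}
	return false
}

// sampleBlocklist is a constructed stand-in for blocklist-test.txt (not the
// project's file), mixing the legacy "/32" spelling with bare IPs and one
// real range.
const sampleBlocklist = `# constructed sample
43.134.66.67/32      # legacy /32: folded into the IP map
23.45.67.89          # bare IP
12.34.56.0/24        # real range: stays a CIDR
2601:646:100:69f7:cafe:bebe:cafe:baba/128
`

func main() {
	bl, err := ParseBlocklist(strings.NewReader(sampleBlocklist))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d map entries, %d CIDRs\n", len(bl.IPs), len(bl.CIDRs))
	queries := []string{"43.134.66.67", "12.34.56.200", "12.34.57.1",
		"2601:646:100:69f7:cafe:bebe:cafe:baba"}
	for _, q := range queries {
		fmt.Printf("%-40s blocked=%v\n", q, bl.Blocked(net.ParseIP(q)))
	}
}
```

Keeping the CIDR slice alongside the map preserves the old file format: an operator can keep writing `/32` lines and gets the fast path anyway, while a real range such as `12.34.56.0/24` still matches every host inside it rather than only the network address.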


@@ -452,13 +452,21 @@ var _ = Describe("sslip.io-dns-server", func() {
`\Ans-[a-z-]+.sslip.io.\nns-[a-z-]+.sslip.io.\nns-[a-z-]+.sslip.io.\nns-[a-z-]+.sslip.io.\n\z`,
`TypeNS _acme-challenge.raiffeisen.fe80--.sslip.io. \? ns-do-sg.sslip.io., ns-gce.sslip.io., ns-hetzner.sslip.io., ns-ovh.sslip.io.\n$`),
Entry("an A record with a forbidden CIDR is redirected",
"@localhost nf.43.134.66.67.sslip.io +short",
"@localhost nf.12.34.56.0.sslip.io +short",
`\A52.0.56.137\n\z`,
`TypeA nf.43.134.66.67.sslip.io. \? 52.0.56.137\n$`),
`TypeA nf.12.34.56.0.sslip.io. \? 52.0.56.137\n$`),
Entry("an A record with a forbidden IP is redirected",
"@localhost nf.23.45.67.89.sslip.io +short",
`\A52.0.56.137\n\z`,
`TypeA nf.23.45.67.89.sslip.io. \? 52.0.56.137\n$`),
Entry("an A record with a forbidden IP with dashes is redirected",
"@localhost nf.23-45-67-89.sslip.io +short",
`\A52.0.56.137\n\z`,
`TypeA nf.23-45-67-89.sslip.io. \? 52.0.56.137\n$`),
Entry("an AAAA record with a forbidden CIDR is redirected",
"@localhost 2601-646-100-69f7-cafe-bebe-cafe-baba.sslip.io aaaa +short",
"@localhost 1234--1.sslip.io aaaa +short",
`\A2600:1f18:aaf:6900::a\n\z`,
`TypeAAAA 2601-646-100-69f7-cafe-bebe-cafe-baba.sslip.io. \? 2600:1f18:aaf:6900::a\n$`),
`TypeAAAA 1234--1.sslip.io. \? 2600:1f18:aaf:6900::a\n$`),
)
})
When("it can't bind to any UDP port", func() {
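Review bot: the redirect probes for the "forbidden CIDR" entries query only what looks like the range's network address (nf.12.34.56.0 and 1234--1), so after /32 entries are folded into the IP map nothing here proves the remaining CIDR path still matches hosts inside a range; consider adding an Entry for an address inside the blocked range (for example a host other than .0 in 12.34.56.0) and a negative Entry for a neighbouring address just outside it that must not be redirected. The new "forbidden IP" and "forbidden IP with dashes" entries cover the map path well, including the dashed spelling normalising to the same key.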