更新sapp_v4.2.50, tcpdump_mesa_v1.0.8, wangw_v.1.3.5, wire_graft_v1.3.6,

TSG-7544 - sapp inline模式icmp保活应答包seq=0错误; TSG-7563 - 自建GRE测试环境sapp反向发送RST失败; TSG-7440 - sapp设置流BYPASS以抵御flood攻击的影响; TSG-7621 - sapp不支持Vxlan内层HDLC, PPP封装格式; TSG-7542 - 在GRE协议上测试ftp协议时，sub action为rst时，ftp没有阻断; TSG-7561 - sapp和tcpdump_mesa支持捕获bypass的包;
2021-09-09 18:31:11 +08:00
parent d1acec6788
commit 7e5d40653e
4 changed files with 30 additions and 5 deletions
--- a/ansible/install_config/group_vars/rpm_version.yml
+++ b/ansible/install_config/group_vars/rpm_version.yml
@@ -51,8 +51,8 @@ mrzcpd_rpm_version:
  mrzcpd: mrzcpd-4.4.8.566081c

 sapp_rpm_version:
-  sapp: sapp-4.2.49.1c4b0a6
-  tcpdump_mesa: tcpdump_mesa-1.0.6.faa4eba
+  sapp: sapp-4.2.50.dbc910b
+  tcpdump_mesa: tcpdump_mesa-1.0.8.da3eeea

 tfe_rpm_version:
  tfe: tfe-4.5.13.acc67e3
@@ -70,8 +70,8 @@ http_healthcheck_rpm_version:
  http_healthcheck: http_healthcheck-21.06.01.d0685bb

 wannat_wangw_rpm_version:
-  libwangw: libwangw-1.3.4.893165a
+  libwangw: libwangw-1.3.5.5e6c78d

 wire_graft_rpm_version:  
-  wire_graft: wire_graft_plug-1.3.5.9de921b
-  libwire_graft: libwire_graft-1.3.5.9de921b
+  wire_graft: wire_graft_plug-1.3.6.2832a3c
+  libwire_graft: libwire_graft-1.3.6.2832a3c
--- a/ansible/roles/sapp/templates/sapp.toml.j2.j2
+++ b/ansible/roles/sapp/templates/sapp.toml.j2.j2
@@ -75,12 +75,31 @@ dictator_enable=1
 ### note, polling_priority = call sapp_recv_pkt every call polling_entry times,     
    polling_priority=1

+    [packet_io.under_ddos]
+### note, to reduce impact of ddos attack,set some stream bypass, all plugins will not process these streams   
+{% raw %}stream_bypass_enabled={{ sapp_stream_bypass_under_ddos.enable }}
+{% endraw %}
+	
+### note, cpu usage value is percent, for example, config value is 85, means 85%, valid range: [1,100]    
+### sapp change to bypass state immediately when realtime cpu usage > bypass_trigger_cpu_usage
+    bypass_trigger_cpu_usage=90    
+### note, unit of get_cpu_usage_interval is milliseconds(ms)     
+    get_cpu_usage_interval=500
+### note, use the average of the last $smooth_avg_window times as current realtime value 
+    smooth_avg_window=2
+
+    decrease_ratio="0.95"
+    increase_ratio="1.005"
+### note, unit of bypass_observe_time is second(s)     
+    recovery_observe_time=30
+	
 [PROTOCOL_FEATURE]
    ipv6_decapsulation_enabled=1
    ipv6_send_packet_enabled=1
    tcp_drop_pure_ack_pkt=0
    tcp_syn_option_parse_enabled=1 
    skip_not_ip_layer_over_eth=0
+	skip_gtp_seq_field_for_inject=1

 [DUPLICATE_PKT]
 [dup_pkt.traffic.original]
--- a/ansible/roles/tsg-os-provision/files/config_sample/provision.yml.sample.7400MCN0P01R01
+++ b/ansible/roles/tsg-os-provision/files/config_sample/provision.yml.sample.7400MCN0P01R01
@@ -21,6 +21,9 @@ wannat:
 ddossketch:
  enable: 0/1

+sapp_stream_bypass_under_ddos
+  enable: 0/1  
+
 app:
  identify_by:
    user_defined_signature: 0/1
--- a/ansible/roles/tsg-os-provision/files/config_sample/provision.yml.sample.9000NPBP01R01
+++ b/ansible/roles/tsg-os-provision/files/config_sample/provision.yml.sample.9000NPBP01R01
@@ -17,6 +17,9 @@ wannat:

 ddossketch:
  enable: 0/1
+ 
+sapp_stream_bypass_under_ddos
+  enable: 0/1   

 data_center:
  name: City instance