Hi everyone, it's been a while since I've posted but I have a new project that I'd like to share and hopefully get feedback and ideas from the community.

 

Ever since the first 2 x gigabit ethernet devices came out, I've been thinking that there were a lot of potentially interesting networking use cases.

 

I happened to be re-configuring pihole on a new opi zero, and I had some hardware issues that caused my connection to be a bit flaky on a website that I "shouldn't" have been using. This gave me the inspiration to create a gateway that intentionally manipulates traffic in such a way that you train good usage habits of websites that can be addictive.

 

How does it work?

 

Nethadone leverages several eBPF programs to monitor and classify routed traffic as it passes through. Based on the configured policies, packets are slotted into a series of bandwidth classes.

 

For anyone not familiar with eBPF, it's a powerful capability of newer Linux kernels that allows C and Rust code to be compiled and run in a sort of kernel-space sandbox and loaded in realtime. Due to the efficiency of JIT-optimized eBPF code running inside the kernel, features that were possible only with expensive networking equipment are now feasible on something like an Orange Pi R1Plus.

 

The flow of a packet through the moving parts of the system is here:

 

[Image: nethadone overview diagram]

 

There are three eBPF modules at work:

  • A traffic monitor captures (saddr, daddr) pairs from clients on the network to external IPs, counting the bytes used. These counters are exposed by the webapp and collected in a local Prometheus instance.
  • A DNS sniffer captures DNS requests passing through the router, in order to cache the likely domain of a given IP address.
  • A throttler eBPF is dynamically recompiled based on traffic patterns, and classifies traffic based on a policy.

 

Packets classified into one of the slower bandwidth classes end up passing through a netem qdisc, which simulates a slower network connection. As "bad" usage continues, the policy is changed until traffic is passing through the equivalent of a 56k modem. I think most people here would probably get the hint and stop scrolling if they were forced to use a telephone-based modem again :)

 

Deployment Example

 

This diagram shows how I've installed it at home - any device connected to the nethadone AP is subject to throttling:

 

[Image: nethadone secondary network deployment diagram]

 

This setup was mainly to have an easy way to get back online if there were issues, but after a couple of weeks of general usage with both desktop and mobile clients, there have been no major issues, apart from the need to restart after 24h or so.

 

Armbian-related TODOs

 

While there are some things that could be better, the tool is working well enough that it has already had a positive impact on my and my wife's usage of a number of sites. My goal is to now make it as user-friendly to set up as possible.

 

One big issue is that Armbian understandably does not enable BTF in the images that ship. The dae project has been a life-saver, providing BTF-enabled kernel builds for a lot of devices for Armbian 23.08.

 

I tried to create a custom image with a BTF-enabled kernel, but had a lot of difficulty getting something bootable and set it aside. I also ran into some kernel configuration issues when attempting to make an older OPI R1 (not plus) work, even with the dae kernels.

 

My gratitude to everyone who helps maintain Armbian and helps on this forum. In the coming weeks as I try to work on making it easier to use this on other devices, I may seek out some advice from forum members on how to work through these issues.

 

For anyone interested in trying it out, or who wants to find out more about how to use eBPF on an arm-based device, the code and documentation can be found here:

https://github.com/atomic77/nethadone

 

👋

-Alex
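
The pipeline described in the post (DNS sniffer, traffic monitor, throttler), modelled in user space to show how the three parts feed the class decision; this is an added example, not nethadone's code. The class rates, the policy format, the per-step byte budget and all names are assumptions, and the IPs and domains are constructed sample data.

```python
from collections import defaultdict

# Bandwidth classes in kbit/s, fastest first. None = unthrottled. The rates are
# assumed for illustration; only the 56k-modem floor comes from the post.
CLASSES_KBIT = [None, 5000, 1000, 256, 56]
# Hypothetical policy: watched domain suffixes and bytes allowed per class step.
POLICY = {"watched": ("social.example",), "bytes_per_step": 1_000_000}

class Gateway:
    def __init__(self, policy=POLICY):
        self.policy = policy
        self.ip_to_domain = {}          # DNS sniffer cache: IP -> likely domain
        self.bytes = defaultdict(int)   # traffic monitor: (saddr, daddr) -> bytes

    def on_dns_answer(self, domain, ip):
        """DNS sniffer: remember the most recent domain seen for an IP."""
        self.ip_to_domain[ip] = domain.lower().rstrip(".")

    def on_packet(self, saddr, daddr, length):
        """Traffic monitor: count the bytes, then return the packet's class index."""
        self.bytes[(saddr, daddr)] += length
        return self.classify(saddr, daddr)

    def watched(self, daddr):
        domain = self.ip_to_domain.get(daddr)
        if domain is None:              # no DNS answer seen: cannot be attributed
            return False
        return any(domain == w or domain.endswith("." + w)
                   for w in self.policy["watched"])

    def classify(self, saddr, daddr):
        """Throttler: one class slower for every bytes_per_step of watched usage."""
        if not self.watched(daddr):
            return 0
        used = sum(n for (s, d), n in self.bytes.items()
                   if s == saddr and self.watched(d))
        return min(used // self.policy["bytes_per_step"], len(CLASSES_KBIT) - 1)

def demo():
    """Replay constructed events (documentation-range IPs) for one client."""
    gw = Gateway()
    gw.on_dns_answer("cdn.social.example.", "203.0.113.10")
    events = [("203.0.113.10", 600_000), ("203.0.113.10", 600_000),
              ("203.0.113.99", 9_000_000), ("203.0.113.10", 9_000_000)]
    return [gw.on_packet("192.168.1.20", d, n) for d, n in events]

if __name__ == "__main__":
    for cls in demo():
        print(cls, CLASSES_KBIT[cls])
```

The third event in the demo goes to an IP with no cached DNS answer, so it stays in the unthrottled class however many bytes it carries: in this model the classification is only as good as the DNS cache behind it.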

 
