gamemann / XDP-Firewall

A firewall that utilizes the Linux kernel's XDP hook. The XDP hook allows for very fast network processing on Linux systems. This is great for dropping malicious traffic from a (D)DoS attack. IPv6 is supported with this firewall! I hope this helps network engineers/programmers interested in utilizing XDP!
https://deaconn.net/
MIT License

[Feature Request] New settings/things #26

Closed axl303 closed 1 year ago

axl303 commented 1 year ago

Hello, great project!!

I'm currently new to eBPF/XDP, so I have some questions:

  1. Can you add a feature like iptables' `-m string --algo kmp --hex-string` to match a string/hex string?
  2. I see this is something like a standalone XDP firewall. Can you give some advice to guys like me on how we can use it with iptables, or what we have to do to match some specific rules like the one above? I am currently new to this eBPF/XDP.
  3. I'm currently using it for game servers, and if I set port 27015 UDP with a PPS limit of 10-15/s, it will drop the whole connection.

Sorry if this is not the place for this. I am really a newbie in XDP...

gamemann commented 1 year ago

Hey and sorry for the long delay with this! Unfortunately, my time is very limited now with working on new game and modding projects. I'll try to answer these the best I can though.

  1. There is no functionality built into the firewall to use iptables at the moment. This project may be what you're looking for, though, but I haven't used it in the past.
  2. Sadly there isn't payload support implemented due to how complex eBPF is and my time restraints. I had partial payload matching that I worked on here. However, I'm not sure when I will re-implement this feature properly into this firewall.
  3. What type of game servers are you running? Port 27015 usually refers to SRCDS and HLDS game servers such as Counter-Strike (Source, my favorite, and Global Offensive), Garry's Mod, Team Fortress 2, etc. I have a lot of experience running servers in these games. I really believe your 10-15 PPS limitation is far too low. I remember doing tcpdumps for CS:S and I was receiving at least 66 packets per second IIRC, because the standard update rate is 66 (since the default tick rate is also 66).

I hope these help!
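Added example (not code from XDP-Firewall or its author): a userspace C model of what a payload/hex-string match looks like when written the way an XDP program has to be written. In a real XDP program `data` and `data_end` come from `struct xdp_md`, and the eBPF verifier rejects any header or payload access that is not preceded by a check against `data_end` and any loop whose bound is not a constant; those are the two things that make payload matching in eBPF harder than an iptables `--hex-string` rule. The rule struct, the `xdp_payload_filter` and `build_udp_frame` functions, the port (27015 from the thread) and the pattern bytes are all assumptions constructed for this example. IPv6 is not handled in this model even though the firewall supports it.

```c
/* Added example, not part of XDP-Firewall: userspace model of a bounds-checked
 * UDP payload prefix match in the style the eBPF verifier requires. Every pointer
 * dereference is preceded by a check against data_end, and the compare loop has a
 * compile-time bound. Compiles and runs with a plain C compiler (no BPF toolchain). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Verdicts, mirroring the XDP return codes of the same name. */
enum { XDP_DROP = 1, XDP_PASS = 2 };

/* Minimal header layouts (fields in network byte order), same sizes as the Linux headers. */
struct eth_hdr  { uint8_t dst[6], src[6]; uint16_t proto; } __attribute__((packed));
struct ipv4_hdr { uint8_t ver_ihl, tos; uint16_t tot_len, id, frag_off; uint8_t ttl, proto;
                  uint16_t csum; uint32_t saddr, daddr; } __attribute__((packed));
struct udp_hdr  { uint16_t sport, dport, len, csum; } __attribute__((packed));

#define ETH_P_IP     0x0800
#define IPPROTO_UDP  17
#define MAX_PATTERN  16   /* constant upper bound so the match loop is provably finite */

/* 16-bit byte swap: converts between network order and host order on a little-endian host. */
static inline uint16_t bswap16(uint16_t v) { return (uint16_t)((v >> 8) | (v << 8)); }

/* Hypothetical rule: drop UDP packets to dport whose payload starts with pattern. */
struct payload_rule {
    uint16_t dport;
    uint8_t  pattern[MAX_PATTERN];
    uint8_t  pattern_len;   /* must be <= MAX_PATTERN */
};

/* Returns XDP_DROP if the frame matches the rule, XDP_PASS otherwise. Anything too short,
 * not IPv4, not UDP, or to another port passes, exactly as a fail-open XDP filter would. */
int xdp_payload_filter(const uint8_t *data, const uint8_t *data_end, const struct payload_rule *rule)
{
    const struct eth_hdr *eth = (const struct eth_hdr *)data;
    if ((const uint8_t *)(eth + 1) > data_end) return XDP_PASS;
    if (bswap16(eth->proto) != ETH_P_IP) return XDP_PASS;

    const struct ipv4_hdr *ip = (const struct ipv4_hdr *)(eth + 1);
    if ((const uint8_t *)(ip + 1) > data_end) return XDP_PASS;
    if (ip->proto != IPPROTO_UDP) return XDP_PASS;

    /* IHL is the real header length in 32-bit words; options make it larger than 20. */
    size_t ihl = (size_t)(ip->ver_ihl & 0x0f) * 4;
    if (ihl < sizeof *ip) return XDP_PASS;
    const struct udp_hdr *udp = (const struct udp_hdr *)((const uint8_t *)ip + ihl);
    if ((const uint8_t *)(udp + 1) > data_end) return XDP_PASS;
    if (bswap16(udp->dport) != rule->dport) return XDP_PASS;

    const uint8_t *payload = (const uint8_t *)(udp + 1);
    if (rule->pattern_len > MAX_PATTERN) return XDP_PASS;
    if (payload + rule->pattern_len > data_end) return XDP_PASS;  /* payload shorter than pattern */

    /* Constant-bound loop with an early exit: this shape is what the verifier accepts. */
    for (int i = 0; i < MAX_PATTERN; i++) {
        if (i >= rule->pattern_len) break;
        if (payload[i] != rule->pattern[i]) return XDP_PASS;
    }
    return XDP_DROP;
}

/* Builds a constructed Ethernet/IPv4/UDP frame (no checksums) for testing the filter. */
size_t build_udp_frame(uint8_t *buf, size_t cap, uint16_t dport, const uint8_t *payload, size_t plen)
{
    size_t need = sizeof(struct eth_hdr) + sizeof(struct ipv4_hdr) + sizeof(struct udp_hdr) + plen;
    if (need > cap) return 0;
    memset(buf, 0, need);
    struct eth_hdr *eth = (struct eth_hdr *)buf;
    eth->proto = bswap16(ETH_P_IP);
    struct ipv4_hdr *ip = (struct ipv4_hdr *)(eth + 1);
    ip->ver_ihl = 0x45;                 /* IPv4, 20-byte header */
    ip->proto = IPPROTO_UDP;
    ip->tot_len = bswap16((uint16_t)(need - sizeof *eth));
    struct udp_hdr *udp = (struct udp_hdr *)(ip + 1);
    udp->dport = bswap16(dport);
    udp->len = bswap16((uint16_t)(sizeof *udp + plen));
    memcpy(udp + 1, payload, plen);
    return need;
}

/* Runs four constructed frames through the filter; returns 1 if all verdicts are as expected. */
int demo_payload_filter(void)
{
    static const struct payload_rule rule = { .dport = 27015,
        .pattern = {0xde, 0xad, 0xbe, 0xef}, .pattern_len = 4 };  /* constructed pattern */
    static const uint8_t bad[]  = {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02};
    static const uint8_t good[] = {0x11, 0x22, 0x33, 0x44, 0x55};
    uint8_t buf[128];
    size_t n;
    n = build_udp_frame(buf, sizeof buf, 27015, bad, sizeof bad);
    int v_match = xdp_payload_filter(buf, buf + n, &rule);      /* matching prefix: drop */
    n = build_udp_frame(buf, sizeof buf, 27015, good, sizeof good);
    int v_other = xdp_payload_filter(buf, buf + n, &rule);      /* different payload: pass */
    n = build_udp_frame(buf, sizeof buf, 27016, bad, sizeof bad);
    int v_port = xdp_payload_filter(buf, buf + n, &rule);       /* other port: pass */
    n = build_udp_frame(buf, sizeof buf, 27015, bad, 2);
    int v_short = xdp_payload_filter(buf, buf + n, &rule);      /* payload shorter than pattern: pass */
    return v_match == XDP_DROP && v_other == XDP_PASS && v_port == XDP_PASS && v_short == XDP_PASS;
}

int main(void)
{
    printf("payload filter model %s\n", demo_payload_filter() ? "behaves as expected" : "FAILED");
    return 0;
}
```

The same bounds-check-before-access discipline applies to every header field a real XDP program reads; what this model leaves out is that an actual program would also need the IPv6 path and that the pattern would normally come from a BPF map so it can be changed without reloading the program.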

axl303 commented 1 year ago

Hello, thanks for the answer. Can I contact you somewhere by email or something else? I need a bit of help (just 2-3 questions about XDP & game servers). I tried sending an email to the one in your GitHub profile, but it gives an SMTP timeout on your side.

gamemann commented 1 year ago

Hey! I have a new public email since my TMC email is going to be down for a bit.

Feel free to reach out to me there, but note I have been very busy recently. Therefore, it may take time for me to respond.