gamemann / XDP-Firewall

A firewall that utilizes the Linux kernel's XDP hook. The XDP hook allows for very fast network processing on Linux systems. This is great for dropping malicious traffic from a (D)DoS attack. IPv6 is supported with this firewall! I hope this helps network engineers/programmers interested in utilizing XDP!
https://deaconn.net/
MIT License

LibBPF fails to load xdp_prog #39

Closed g00g1 closed 1 year ago

g00g1 commented 1 year ago

I am sorry to bother you once again, but since my previous issue (#38) I have tried to change the environment where I am trying to evaluate and hack on this project.

The new host is:

- CPU: 2x Intel(R) Xeon(R) Silver 4208
- NIC: Intel Corporation Ethernet Controller XL710 for 40GbE QSFP+ (i40e)
- Kernel: 5.14.0-70.13.1.el9_0.x86_64

I have successfully built xdpfw, but when running `xdpfw -t 5` I encountered a LibBPF error; the full log is attached below.

xdpfw.txt

UPD: exactly the same behavior was reproduced on another machine (as in issue #38)

g00g1 commented 1 year ago

I have increased BPF_COMPLEXITY_LIMIT_INSNS from 1000000 (1M) to 10000000 (10M) in include/linux/bpf.h, and after a kernel rebuild the eBPF verifier allowed the XDP program to load.

I think this should be mentioned in the README, as it is an important clarification: currently it is not possible to use XDP-Firewall without applying a Linux kernel patch.

gamemann commented 1 year ago

Hey, thank you for reporting this and no need to be sorry!

It appears that in newer Linux kernels the BPF limitations are more strict. However, the complexity limit has always been 1 million, which makes this issue strange to me. The firewall has worked for years until this issue arose.

I've decreased the maximum filters from 100 to 90 in commit 8fbab9b which resolves the issue without needing to apply a patch to the kernel. I'll update the README soon and add information from my XDP Forwarding project here that goes over how to increase the limits along with including a patch if anybody needs more than 90 filtering rules.
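Both the kernel patch g00g1 describes and the reduction from 100 to 90 filters come down to the same number: how many instructions the verifier processes for the unrolled filter loop versus BPF_COMPLEXITY_LIMIT_INSNS. Before raising the kernel limit or cutting rules, it helps to read that number straight out of the verifier log that libbpf prints on a failed load. The script below is an added example, not code from XDP-Firewall or its author: it parses the verifier's summary line (`processed N insns (limit M) ...`) or its rejection line (`BPF program is too large. Processed N insn`), reports the headroom, and gives a rough linear estimate of how many filter rules fit under a given limit. The sample log lines and their numbers are constructed for the demo, and the linear per-rule cost model is an assumption of this example, not something the project states.

```python
import re

# Kernel default in include/linux/bpf.h (the value g00g1 raised to 10M via a patch).
BPF_COMPLEXITY_LIMIT_INSNS = 1_000_000

# Constructed verifier-log tails for the demo; the counts are made up.
SAMPLE_LOG_OK = (
    "...\n"
    "processed 812345 insns (limit 1000000) max_states_per_insn 4 "
    "total_states 1234 peak_states 1234 mark_read 56\n"
)
SAMPLE_LOG_TOO_LARGE = (
    "...\n"
    "BPF program is too large. Processed 1000001 insn\n"
)

_PROCESSED_RE = re.compile(r"processed (\d+) insns \(limit (\d+)\)")
_TOO_LARGE_RE = re.compile(r"BPF program is too large\. Processed (\d+) insn")


def verifier_budget(log: str, limit: int = BPF_COMPLEXITY_LIMIT_INSNS) -> dict:
    """Extract how many instructions the verifier processed and the headroom left.

    On a rejected load the log carries no limit, so the caller-supplied
    (or default) BPF_COMPLEXITY_LIMIT_INSNS is used for the headroom figure.
    """
    m = _TOO_LARGE_RE.search(log)
    if m:
        processed = int(m.group(1))
        return {"processed": processed, "limit": limit,
                "headroom": limit - processed, "rejected": True}
    m = _PROCESSED_RE.search(log)
    if not m:
        raise ValueError("no verifier summary line found in log")
    processed, lim = int(m.group(1)), int(m.group(2))
    return {"processed": processed, "limit": lim,
            "headroom": lim - processed, "rejected": False}


def max_rules_within_limit(processed: int, rules: int, limit: int,
                           margin_pct: int = 100) -> int:
    """Rough estimate (assumption: cost grows linearly with the unrolled rule count).

    Scales the observed instruction count per configured rule up to the limit,
    optionally keeping margin_pct percent of the limit as safety headroom for
    verifier changes across kernel versions.
    """
    if processed <= 0 or rules <= 0:
        raise ValueError("processed and rules must be positive")
    budget = limit * rules * margin_pct // 100
    return budget // processed


if __name__ == "__main__":
    for name, log in (("ok", SAMPLE_LOG_OK), ("too large", SAMPLE_LOG_TOO_LARGE)):
        b = verifier_budget(log)
        print(f"{name}: processed={b['processed']} limit={b['limit']} "
              f"headroom={b['headroom']} rejected={b['rejected']}")
    # With the constructed 812345-insn load for 100 rules, estimate the rule
    # count that still fits under the default limit with 10% headroom kept.
    print("rules fitting under 1M with 10% margin:",
          max_rules_within_limit(812345, 100, BPF_COMPLEXITY_LIMIT_INSNS, 90))
```

To use it against a real load, run the loader with libbpf's verifier log enabled (for example by raising libbpf's log level so the verifier output is printed) and feed that text to `verifier_budget`; a negative headroom is the same condition that produced the error in this issue, and the estimate from `max_rules_within_limit` is only a starting point for choosing a filter count, since the per-rule cost is not exactly linear across kernel versions.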

gamemann commented 1 year ago

I'm going to close this for now since the firewall builds successfully. Thank you again for the report!