gamemann / XDP-Firewall

A firewall that utilizes the Linux kernel's XDP hook. The XDP hook allows for very fast network processing on Linux systems. This is great for dropping malicious traffic from a (D)DoS attack. IPv6 is supported with this firewall! I hope this helps network engineers/programmers interested in utilizing XDP!
https://deaconn.net/
MIT License

VLAN mode? Several interfaces possible? #5

Closed laxxie closed 3 years ago

laxxie commented 3 years ago

Hi, I'm looking for an XDP solution to drop unwanted traffic when needed (like a DDoS) which is easy to handle. So I came to your firewall solution. We will have several VLAN interfaces on a single bond (with 4 interfaces). If I load the filter for a VLAN interface everything is working as expected, except XDP is running in skb and not in native mode, but I think that is an issue which cannot get handled because it's not a physical interface, am I right? And two more questions:

Thank you for your work :) Andi

gamemann commented 3 years ago

Hey @laxxie,

When you load the XDP program on these VLAN interfaces, you should receive a specific error in stderr indicating why it can't be loaded with DRV mode. I did not see the vlan interface type listed under drivers supported with XDP DRV here:

https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md#xdp

However, I'd like to confirm that by seeing what error it provides when you try to do that. With that said, what Linux kernel are you running on?

In regards to support for loading the XDP Firewall program on more than one interface. Unfortunately, you won't be able to do this with a single XDP Firewall process. However, you could run more than one process, create another config file, and set the -c flag by pointing it to the other config file. The disadvantage to this is you won't be able to sync firewall rules, etc. regularly since more than one config file will be used.

As for the statistics, you should be able to see how many packets were passed and dropped as a total. I haven't added support for per second statistics, but I will look into that in the future!
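Two things from the reply above that a practitioner would want to script: confirming which XDP mode actually got attached to a VLAN interface, and running one process per interface with its own config file via `-c`. The following is an added shell example, not code from the XDP-Firewall project or from either participant. It assumes the daemon binary is called `xdpfw`, that each config file names the interface it binds to, and a `/etc/xdpfw/<iface>.conf` naming scheme; the `ip link` sample text is constructed.

```shell
#!/bin/sh
# Added example for the discussion above; not part of the XDP-Firewall project.
# Assumptions: binary named `xdpfw`, one config per interface under /etc/xdpfw/,
# and each config file sets its own interface name.

# `ip link show <dev>` prints "xdp" for driver (native) mode, "xdpgeneric" for
# skb/generic mode and "xdpoffload" for hardware offload. Classify from that text.
# Order matters: the bare "*xdp*" glob would also match "xdpgeneric".
xdp_mode_from_ip_link() {
    case "$1" in
        *xdpgeneric*) echo generic ;;
        *xdpoffload*) echo offload ;;
        *xdp*)        echo native ;;
        *)            echo none ;;
    esac
}

# Query the live interface (needs iproute2; returns "none" if the device is absent).
check_iface_mode() {
    xdp_mode_from_ip_link "$(ip link show "$1" 2>/dev/null)"
}

# Per-interface config path (assumed layout; change to taste).
cfg_for_iface() {
    printf '/etc/xdpfw/%s.conf\n' "$1"
}

# Start one xdpfw process per interface, each pointed at its own config with -c.
# Rules are not shared between processes, so keep the config files in sync yourself.
launch_all() {
    for iface in "$@"; do
        cfg=$(cfg_for_iface "$iface")
        [ -r "$cfg" ] || { echo "missing config $cfg for $iface" >&2; return 1; }
        "${XDPFW_BIN:-xdpfw}" -c "$cfg" &
    done
    wait
}

# After launching, verify which mode was attached on each VLAN interface:
#   for i in bond0.100 bond0.200; do echo "$i: $(check_iface_mode "$i")"; done
# A "generic" result is the skb-mode fallback described in the thread.

# Constructed sample of `ip link show` output for a VLAN on a bond in skb mode.
SAMPLE_GENERIC='5: bond0.100@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 xdpgeneric/id:23 qdisc noqueue state UP mode DEFAULT group default qlen 1000'
SAMPLE_NATIVE='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 xdp/id:7 qdisc mq state UP mode DEFAULT group default qlen 1000'
SAMPLE_NONE='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000'
```

Run `launch_all bond0.100 bond0.200` as root once the two config files exist; `check_iface_mode` is the quick way to confirm the attach mode gamemann asks about, without digging through stderr.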