A firewall that utilizes the Linux kernel's XDP hook. The XDP hook allows for very fast network processing on Linux systems. This is great for dropping malicious traffic from a (D)DoS attack. IPv6 is supported with this firewall! I hope this helps network engineers/programmers interested in utilizing XDP!
Working on a project using AF_XDP for both monitoring and filtering purposes.
I have below code on eBPF side. And also has userspace written by GoLang. With the userspace programming, I want to manipulate or modify a packet at the Ethernet/IPv4/TCP layers and then send it to the kernel. This way, for example, I can block it. I actually found that when I segmented the packet into Ethernet, IPv4, and TCP layers in the user space, setting TCP.rst = true, recalculating the checksum, modifying the packet, it worked, but not stable actually. I could send a TCP Connection Reset this way. However, this approach only applies to TCP.eBPF Packet Analysis and Blocking Implementation
I want to experiment with the scenario where TCP.rst = false, then block it. So with that way, I can block all the protocols included for example UDP in user space writing packet to socket.
SEC("xdp_sock")
int xdp_sock_prog(struct xdp_md *ctx) {
int index = ctx->rx_queue_index;
// L2
__u32 *pkt_count;
pkt_count = bpf_map_lookup_elem(&xdp_stats_map, &index);
if (pkt_count) {
/* We pass every other packet */
if ((*pkt_count)++ & 1)
return XDP_PASS;
}
/* A set entry here means that the correspnding queue_id
* has an active AF_XDP socket bound to it. */
if (bpf_map_lookup_elem(&xsks_map, &index)){
return bpf_redirect_map(&xsks_map, index, 0);
}
return XDP_PASS;
}
Working on a project using AF_XDP for both monitoring and filtering purposes.
I have below code on eBPF side. And also has userspace written by GoLang. With the userspace programming, I want to manipulate or modify a packet at the Ethernet/IPv4/TCP layers and then send it to the kernel. This way, for example, I can block it. I actually found that when I segmented the packet into Ethernet, IPv4, and TCP layers in the user space, setting TCP.rst = true, recalculating the checksum, modifying the packet, it worked, but not stable actually. I could send a TCP Connection Reset this way. However, this approach only applies to TCP.eBPF Packet Analysis and Blocking Implementation
I want to experiment with the scenario where TCP.rst = false, then block it. So with that way, I can block all the protocols included for example UDP in user space writing packet to socket.