Chapter 46. Using xdp-filter for high-performance traffic filtering to prevent DDoS attacks
Compared to packet filters, such as nftables
, Express Data Path (XDP) processes and drops network packets right at the network interface. Therefore, XDP determines the next step for the package before it reaches a firewall or other applications. As a result, XDP filters require less resources and can process network packets at a much higher rate than conventional packet filters to defend against Distributed Denial of Service (DDoS) attacks. For example, during testing, Red Hat dropped 26 million network packets per second on a single core, which is significantly higher than the drop rate of nftables
on the same hardware.
The xdp-filter
utility allows or drops incoming network packets using XDP. You can create rules to filter traffic to or from specific:
- IP addresses
- MAC addresses
- Ports
Note that, even if xdp-filter
has a significantly higher packet-processing rate, it does not have the same capabilities as, for example, nftables
. Consider xdp-filter
a conceptual utility to demonstrate packet filtering using XDP. Additionally, you can use the code of the utility for a better understanding of how to write your own XDP applications.
Red Hat provides the xdp-filter
utility as an unsupported Technology Preview.
46.1. Dropping network packets that match an xdp-filter rule
This section describes how to use xdp-filter
to drop network packets:
- To a specific destination port
- From a specific IP address
- From a specific MAC address
The allow
policy of xdp-filter
defines that all traffic is allowed and the filter drops only network packets that match a particular rule. For example, use this method if you know the source IP addresses of packets you want to drop.
Prerequisites
-
The
xdp-tools
package is installed. - A network driver that supports XDP programs.
Procedure
Load
xdp-filter
to process incoming packets on a certain interface, such asenp1s0
:#
xdp-filter load enp1s0
By default,
xdp-filter
uses theallow
policy, and the utility drops only traffic that matches any rule.Optionally, use the
-f feature
option to enable only particular features, such astcp
,ipv4
, orethernet
. Loading only the required features instead of all of them increases the speed of package processing. To enable multiple features, separate them with a comma.If the command fails with an error, the network driver does not support XDP programs.
Add rules to drop packets that match them. For example:
To drop incoming packets to port
22
, enter:#
xdp-filter port 22
This command adds a rule that matches TCP and UDP traffic. To match only a particular protocol, use the
-p protocol
option.To drop incoming packets from
192.0.2.1
, enter:#
xdp-filter ip 192.0.2.1 -m src
Note that
xdp-filter
does not support IP ranges.To drop incoming packets from MAC address
00:53:00:AA:07:BE
, enter:#
xdp-filter ether 00:53:00:AA:07:BE -m src
Verification steps
Use the following command to display statistics about dropped and allowed packets:
#
xdp-filter status
Additional resources
-
For further details about
xdp-filter
, see thexdp-filter(8)
man page. -
If you are a developer and you are interested in the code of
xdp-filter
, download and install the corresponding source RPM (SRPM) from the Red Hat Customer Portal.
46.2. Dropping all network packets except the ones that match an xdp-filter rule
This section describes how to use xdp-filter
to allow only network pakets:
- From and to a specific destination port
- From and to a specific IP address
- From and to specific MAC address
To do so, use the deny
policy of xdp-filter
which defines that the filter drops all network packets except the ones that match a particular rule. For example, use this method if you do not know the source IP addresses of packets you want to drop.
If you set the default policy to deny
when you load xdp-filter
on an interface, the kernel immediately drops all packets from this interface until you create rules that allow certain traffic. To avoid being locked out from the system, enter the commands locally or connect through a different network interface to the host.
Prerequisites
-
The
xdp-tools
package is installed. - You are logged in to the host either locally or using a network interface for which you do not plan to filter the traffic.
- A network driver that supports XDP programs.
Procedure
Load
xdp-filter
to process packets on a certain interface, such asenp1s0
:#
xdp-filter load enp1s0 -p deny
Optionally, use the
-f feature
option to enable only particular features, such astcp
,ipv4
, orethernet
. Loading only the required features instead of all of them increases the speed of package processing. To enable multiple features, separate them with a comma.If the command fails with an error, the network driver does not support XDP programs.
Add rules to allow packets that match them. For example:
To allow packets from and to port
22
, enter:#
xdp-filter port 22
This command adds a rule that matches TCP and UDP traffic. To match only a particular protocol, pass the
-p protocol
option to the command.To allow packets from and to
192.0.2.1
, enter:#
xdp-filter ip 192.0.2.1
Note that
xdp-filter
does not support IP ranges.To allow packets from and to MAC address
00:53:00:AA:07:BE
, enter:#
xdp-filter ether 00:53:00:AA:07:BE
ImportantThe
xdp-filter
utility does not support stateful packet inspection. This requires that you either do not set a mode using the-m mode
option or you add explicit rules to allow incoming traffic that the machine receives in reply to outgoing traffic.
Verification steps
Use the following command to display statistics about dropped and allowed packets:
#
xdp-filter status
Additional resources
-
For further details about
xdp-filter
, see thexdp-filter(8)
man page. -
If you are a developer and you are interested in the code of
xdp-filter
, download and install the corresponding source RPM (SRPM) from the Red Hat Customer Portal.