Chapter 45. Using xdp-filter for high-performance traffic filtering to prevent DDoS attacks
Compared to packet filters, such as nftables, Express Data Path (XDP) processes and drops network packets right at the network interface. Therefore, XDP determines the next step for the package before it reaches a firewall or other applications. As a result, XDP filters require less resources and can process network packets at a much higher rate than conventional packet filters to defend against Distributed Denial of Service (DDoS) attacks. For example, during testing, Red Hat dropped 26 million network packets per second on a single core, which is significantly higher than the drop rate of nftables on the same hardware.
The xdp-filter utility allows or drops incoming network packets using XDP. You can create rules to filter traffic to or from specific:
- IP addresses
- MAC addresses
- Ports
Note that, even if xdp-filter has a significantly higher packet-processing rate, it does not have the same capabilities as, for example, nftables. Consider xdp-filter a conceptual utility to demonstrate packet filtering using XDP. Additionally, you can use the code of the utility for a better understanding of how to write your own XDP applications.
Red Hat provides the xdp-filter utility as an unsupported Technology Preview.
45.1. Dropping network packets that match an xdp-filter rule
This section describes how to use xdp-filter to drop network packets:
- To a specific destination port
- From a specific IP address
- From a specific MAC address
The allow policy of xdp-filter defines that all traffic is allowed and the filter drops only network packets that match a particular rule. For example, use this method if you know the source IP addresses of packets you want to drop.
Prerequisites
-
The
xdp-toolspackage is installed. - A network driver that supports XDP programs.
Procedure
Load
xdp-filterto process incoming packets on a certain interface, such asenp1s0:#
xdp-filter load enp1s0By default,
xdp-filteruses theallowpolicy, and the utility drops only traffic that matches any rule.Optionally, use the
-f featureoption to enable only particular features, such astcp,ipv4, orethernet. Loading only the required features instead of all of them increases the speed of package processing. To enable multiple features, separate them with a comma.If the command fails with an error, the network driver does not support XDP programs.
Add rules to drop packets that match them. For example:
To drop incoming packets to port
22, enter:#
xdp-filter port 22This command adds a rule that matches TCP and UDP traffic. To match only a particular protocol, use the
-p protocoloption.To drop incoming packets from
192.0.2.1, enter:#
xdp-filter ip 192.0.2.1 -m srcNote that
xdp-filterdoes not support IP ranges.To drop incoming packets from MAC address
00:53:00:AA:07:BE, enter:#
xdp-filter ether 00:53:00:AA:07:BE -m src
Verification steps
Use the following command to display statistics about dropped and allowed packets:
#
xdp-filter status
Additional resources
-
For further details about
xdp-filter, see thexdp-filter(8)man page. -
If you are a developer and you are interested in the code of
xdp-filter, download and install the corresponding source RPM (SRPM) from the Red Hat Customer Portal.
45.2. Dropping all network packets except the ones that match an xdp-filter rule
This section describes how to use xdp-filter to allow only network pakets:
- From and to a specific destination port
- From and to a specific IP address
- From and to specific MAC address
To do so, use the deny policy of xdp-filter which defines that the filter drops all network packets except the ones that match a particular rule. For example, use this method if you do not know the source IP addresses of packets you want to drop.
If you set the default policy to deny when you load xdp-filter on an interface, the kernel immediately drops all packets from this interface until you create rules that allow certain traffic. To avoid being locked out from the system, enter the commands locally or connect through a different network interface to the host.
Prerequisites
-
The
xdp-toolspackage is installed. - You are logged in to the host either locally or using a network interface for which you do not plan to filter the traffic.
- A network driver that supports XDP programs.
Procedure
Load
xdp-filterto process packets on a certain interface, such asenp1s0:#
xdp-filter load enp1s0 -p denyOptionally, use the
-f featureoption to enable only particular features, such astcp,ipv4, orethernet. Loading only the required features instead of all of them increases the speed of package processing. To enable multiple features, separate them with a comma.If the command fails with an error, the network driver does not support XDP programs.
Add rules to allow packets that match them. For example:
To allow packets from and to port
22, enter:#
xdp-filter port 22This command adds a rule that matches TCP and UDP traffic. To match only a particular protocol, pass the
-p protocoloption to the command.To allow packets from and to
192.0.2.1, enter:#
xdp-filter ip 192.0.2.1Note that
xdp-filterdoes not support IP ranges.To allow packets from and to MAC address
00:53:00:AA:07:BE, enter:#
xdp-filter ether 00:53:00:AA:07:BE
ImportantThe
xdp-filterutility does not support stateful packet inspection. This requires that you either do not set a mode using the-m modeoption or you add explicit rules to allow incoming traffic that the machine receives in reply to outgoing traffic.
Verification steps
Use the following command to display statistics about dropped and allowed packets:
#
xdp-filter status
Additional resources
-
For further details about
xdp-filter, see thexdp-filter(8)man page. -
If you are a developer and you are interested in the code of
xdp-filter, download and install the corresponding source RPM (SRPM) from the Red Hat Customer Portal.