Chapter 48. Using xdp-filter for high-performance traffic filtering to prevent DDoS attacks
Compared to packet filters such as nftables, Express Data Path (XDP) processes and drops network packets directly at the network interface. Therefore, XDP determines the next step for a packet before it reaches a firewall or other applications. As a result, XDP filters require fewer resources and can process network packets at a much higher rate than conventional packet filters to defend against distributed denial of service (DDoS) attacks. For example, during testing, Red Hat dropped 26 million network packets per second on a single core, which is significantly higher than the drop rate of nftables on the same hardware.
The xdp-filter utility allows or drops incoming network packets using XDP. You can create rules to filter traffic to or from specific:
- IP addresses
- MAC addresses
- Ports
Note that, even though xdp-filter has a significantly higher packet-processing rate, it does not have the same capabilities as, for example, nftables. Consider xdp-filter a conceptual utility that demonstrates packet filtering using XDP. Additionally, you can study the code of the utility to better understand how to write your own XDP applications.
On architectures other than AMD and Intel 64-bit, the xdp-filter utility is provided as a Technology Preview only. Technology Preview features are not supported with Red Hat production Service Level Agreements (SLAs), might not be functionally complete, and Red Hat does not recommend using them for production. These previews provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
See Technology Preview Features Support Scope on the Red Hat Customer Portal for information about the support scope for Technology Preview features.
48.1. Dropping network packets that match an xdp-filter rule
You can use xdp-filter to drop network packets:
- To a specific destination port
- From a specific IP address
- From a specific MAC address
The allow policy of xdp-filter defines that all traffic is allowed and the filter drops only network packets that match a particular rule. For example, use this method if you know the source IP addresses of packets you want to drop.
Prerequisites
- The xdp-tools package is installed.
- A network driver that supports XDP programs.
Procedure
1. Load xdp-filter to process incoming packets on a certain interface, such as enp1s0:
# xdp-filter load enp1s0
By default, xdp-filter uses the allow policy, and the utility drops only traffic that matches any rule.
Optionally, use the -f feature option to enable only particular features, such as tcp, ipv4, or ethernet. Loading only the required features instead of all of them increases the speed of packet processing. To enable multiple features, separate them with a comma.
If the command fails with an error, the network driver does not support XDP programs.
2. Add rules to drop packets that match them. For example:
- To drop incoming packets to port 22, enter:
# xdp-filter port 22
This command adds a rule that matches TCP and UDP traffic. To match only a particular protocol, use the -p protocol option.
- To drop incoming packets from 192.0.2.1, enter:
# xdp-filter ip 192.0.2.1 -m src
Note that xdp-filter does not support IP ranges.
- To drop incoming packets from MAC address 00:53:00:AA:07:BE, enter:
# xdp-filter ether 00:53:00:AA:07:BE -m src
Verification
Use the following command to display statistics about dropped and allowed packets:
# xdp-filter status
Additional resources
- xdp-filter(8) man page
- If you are a developer and are interested in the code of xdp-filter, download and install the corresponding source RPM (SRPM) from the Red Hat Customer Portal.
48.2. Dropping all network packets except the ones that match an xdp-filter rule
You can use xdp-filter to allow only network packets:
- To or from a specific port
- To or from a specific IP address
- To or from a specific MAC address
To do so, use the deny policy of xdp-filter, which defines that the filter drops all network packets except the ones that match a particular rule. For example, use this method if you do not know the source IP addresses of packets you want to drop.
If you set the default policy to deny when you load xdp-filter on an interface, the kernel immediately drops all packets from this interface until you create rules that allow certain traffic. To avoid being locked out from the system, enter the commands locally or connect through a different network interface to the host.
Prerequisites
- The xdp-tools package is installed.
- You are logged in to the host either locally or using a network interface for which you do not plan to filter the traffic.
- A network driver that supports XDP programs.
Procedure
1. Load xdp-filter to process packets on a certain interface, such as enp1s0:
# xdp-filter load enp1s0 -p deny
Optionally, use the -f feature option to enable only particular features, such as tcp, ipv4, or ethernet. Loading only the required features instead of all of them increases the speed of packet processing. To enable multiple features, separate them with a comma.
If the command fails with an error, the network driver does not support XDP programs.
2. Add rules to allow packets that match them. For example:
- To allow packets to port 22, enter:
# xdp-filter port 22
This command adds a rule that matches TCP and UDP traffic. To match only a particular protocol, pass the -p protocol option to the command.
- To allow packets to 192.0.2.1, enter:
# xdp-filter ip 192.0.2.1
Note that xdp-filter does not support IP ranges.
- To allow packets to MAC address 00:53:00:AA:07:BE, enter:
# xdp-filter ether 00:53:00:AA:07:BE
Important
The xdp-filter utility does not support stateful packet inspection. This requires that you either do not set a mode using the -m mode option or you add explicit rules to allow incoming traffic that the machine receives in reply to outgoing traffic.
Verification
Use the following command to display statistics about dropped and allowed packets:
# xdp-filter status
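The procedures in sections 48.1 and 48.2 share one ordering (load the program with a policy, add rules, check status) and one risk (a deny policy applied to the interface you are connected through). The wrapper below is an added example, not code from the Red Hat documentation or from the xdp-tools project. It assumes an XDPF_DRY_RUN environment variable that prints each command instead of running it, and that the caller names the interface carrying its own session; the wrapper does not try to discover that interface. The interface names, port and addresses in the usage comments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the Red Hat page or the xdp-tools project): apply an
# xdp-filter ruleset in the order the procedures require (load, then rules,
# then status) with a guard against locking yourself out under the deny policy.
#
# Assumptions not found on the page:
#   - XDPF_DRY_RUN=1 prints each command instead of executing it.
#   - MGMT_IFACE is supplied by the caller; nothing here auto-detects it.

# run_cmd: execute a command, or print it when XDPF_DRY_RUN=1.
run_cmd() {
    if [ "${XDPF_DRY_RUN:-0}" = "1" ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# xdpf_apply IFACE MGMT_IFACE POLICY FEATURES RULE...
#   IFACE       interface to attach the XDP program to (for example enp1s0)
#   MGMT_IFACE  interface carrying your own session (must differ for deny)
#   POLICY      allow | deny, passed to "xdp-filter load -p"
#   FEATURES    comma-separated list for "-f", for example tcp,ipv4
#   RULE...     one rule per argument, for example "port 22" or "ip 192.0.2.1 -m src"
# Return codes: 0 ok, 2 bad arguments, 3 lockout risk, 4 deny without rules, 5 bad rule.
xdpf_apply() {
    [ $# -ge 4 ] || { echo "usage: xdpf_apply IFACE MGMT_IFACE POLICY FEATURES RULE..." >&2; return 2; }
    iface=$1; mgmt_iface=$2; policy=$3; features=$4
    shift 4

    case $policy in
        allow|deny) ;;
        *) echo "policy must be allow or deny" >&2; return 2 ;;
    esac

    # Under deny the kernel drops everything on IFACE until a rule allows it,
    # so refuse to filter the interface that carries this session.
    if [ "$policy" = deny ] && [ "$iface" = "$mgmt_iface" ]; then
        echo "refusing: deny policy on management interface $iface" >&2
        return 3
    fi
    # Deny with no allow rules would black-hole the interface; require at least one.
    if [ "$policy" = deny ] && [ $# -eq 0 ]; then
        echo "refusing: deny policy needs at least one allow rule" >&2
        return 4
    fi

    # Accept only the rule types documented for xdp-filter: port, ip, ether.
    for rule in "$@"; do
        case $rule in
            "port "*|"ip "*|"ether "*) ;;
            *) echo "unknown rule: $rule" >&2; return 5 ;;
        esac
    done

    # Load first (rules are added to the loaded program), then the rules, then report.
    run_cmd xdp-filter load "$iface" -p "$policy" -f "$features" || return $?
    for rule in "$@"; do
        # Word-split the rule string into xdp-filter's own arguments.
        set -- $rule
        run_cmd xdp-filter "$@" || return $?
    done
    run_cmd xdp-filter status
}

# Usage (as root; enp1s0/enp2s0, port 22 and 192.0.2.1 are constructed samples):
#   section 48.2, deny policy:  xdpf_apply enp1s0 enp2s0 deny  tcp,ipv4 "port 22" "ip 192.0.2.1"
#   section 48.1, allow policy: xdpf_apply enp1s0 enp2s0 allow tcp,ipv4 "port 22" "ip 192.0.2.1 -m src"
```

Setting XDPF_DRY_RUN=1 first lets you review the exact command sequence before it touches the interface; the guard only applies to the deny policy because an allow policy drops nothing until a rule is added.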
Additional resources
- xdp-filter(8) man page
- If you are a developer and are interested in the code of xdp-filter, download and install the corresponding source RPM (SRPM) from the Red Hat Customer Portal.