Red Hat Training

A Red Hat training course is available for RHEL 8

Chapter 49. Using xdp-filter for high-performance traffic filtering to prevent DDoS attacks

Compared to packet filters, such as nftables, Express Data Path (XDP) processes and drops network packets right at the network interface. Therefore, XDP determines the next step for the package before it reaches a firewall or other applications. As a result, XDP filters require less resources and can process network packets at a much higher rate than conventional packet filters to defend against distributed denial of service (DDoS) attacks. For example, during testing, Red Hat dropped 26 million network packets per second on a single core, which is significantly higher than the drop rate of nftables on the same hardware.

The xdp-filter utility allows or drops incoming network packets using XDP. You can create rules to filter traffic to or from specific:

  • IP addresses
  • MAC addresses
  • Ports

Note that, even if xdp-filter has a significantly higher packet-processing rate, it does not have the same capabilities as, for example, nftables. Consider xdp-filter a conceptual utility to demonstrate packet filtering using XDP. Additionally, you can use the code of the utility for a better understanding of how to write your own XDP applications.

Important

On other architectures than AMD and Intel 64-bit, the xdp-filter utility is provided as a Technology Preview only. Technology Preview features are not supported with Red Hat production Service Level Agreements (SLAs), might not be functionally complete, and Red Hat does not recommend using them for production. These previews provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

See Technology Preview Features Support Scope on the Red Hat Customer Portal for information about the support scope for Technology Preview features.

49.1. Dropping network packets that match an xdp-filter rule

This section describes how to use xdp-filter to drop network packets:

  • To a specific destination port
  • From a specific IP address
  • From a specific MAC address

The allow policy of xdp-filter defines that all traffic is allowed and the filter drops only network packets that match a particular rule. For example, use this method if you know the source IP addresses of packets you want to drop.

Prerequisites

  • The xdp-tools package is installed.
  • A network driver that supports XDP programs.

Procedure

  1. Load xdp-filter to process incoming packets on a certain interface, such as enp1s0: 

    # xdp-filter load enp1s0

    By default, xdp-filter uses the allow policy, and the utility drops only traffic that matches any rule.

    Optionally, use the -f feature option to enable only particular features, such as tcp, ipv4, or ethernet. Loading only the required features instead of all of them increases the speed of package processing. To enable multiple features, separate them with a comma.

    If the command fails with an error, the network driver does not support XDP programs.

  2. Add rules to drop packets that match them. For example:

    • To drop incoming packets to port 22, enter: 

      # xdp-filter port 22

      This command adds a rule that matches TCP and UDP traffic. To match only a particular protocol, use the -p protocol option.

    • To drop incoming packets from 192.0.2.1, enter: 

      # xdp-filter ip 192.0.2.1 -m src

      Note that xdp-filter does not support IP ranges.

    • To drop incoming packets from MAC address 00:53:00:AA:07:BE, enter: 

      # xdp-filter ether 00:53:00:AA:07:BE -m src

Verification steps

  • Use the following command to display statistics about dropped and allowed packets: 

    # xdp-filter status

Additional resources

  • For further details about xdp-filter, see the xdp-filter(8) man page.
  • If you are a developer and interested in the code of xdp-filter, download and install the corresponding source RPM (SRPM) from the Red Hat Customer Portal.

49.2. Dropping all network packets except the ones that match an xdp-filter rule

This section describes how to use xdp-filter to allow only network pakets:

  • From and to a specific destination port
  • From and to a specific IP address
  • From and to specific MAC address

To do so, use the deny policy of xdp-filter which defines that the filter drops all network packets except the ones that match a particular rule. For example, use this method if you do not know the source IP addresses of packets you want to drop.

Warning

If you set the default policy to deny when you load xdp-filter on an interface, the kernel immediately drops all packets from this interface until you create rules that allow certain traffic. To avoid being locked out from the system, enter the commands locally or connect through a different network interface to the host.

Prerequisites

  • The xdp-tools package is installed.
  • You are logged in to the host either locally or using a network interface for which you do not plan to filter the traffic.
  • A network driver that supports XDP programs.

Procedure

  1. Load xdp-filter to process packets on a certain interface, such as enp1s0: 

    # xdp-filter load enp1s0 -p deny

    Optionally, use the -f feature option to enable only particular features, such as tcp, ipv4, or ethernet. Loading only the required features instead of all of them increases the speed of package processing. To enable multiple features, separate them with a comma.

    If the command fails with an error, the network driver does not support XDP programs.

  2. Add rules to allow packets that match them. For example:

    • To allow packets from and to port 22, enter: 

      # xdp-filter port 22

      This command adds a rule that matches TCP and UDP traffic. To match only a particular protocol, pass the -p protocol option to the command.

    • To allow packets from and to 192.0.2.1, enter: 

      # xdp-filter ip 192.0.2.1

      Note that xdp-filter does not support IP ranges.

    • To allow packets from and to MAC address 00:53:00:AA:07:BE, enter: 

      # xdp-filter ether 00:53:00:AA:07:BE
    Important

    The xdp-filter utility does not support stateful packet inspection. This requires that you either do not set a mode using the -m mode option or you add explicit rules to allow incoming traffic that the machine receives in reply to outgoing traffic.

Verification steps

  • Use the following command to display statistics about dropped and allowed packets: 

    # xdp-filter status

Additional resources

  • For further details about xdp-filter, see the xdp-filter(8) man page.
  • If you are a developer and you are interested in the code of xdp-filter, download and install the corresponding source RPM (SRPM) from the Red Hat Customer Portal.