Red Hat SummitEste conteúdo não está disponível no idioma selecionado.
Chapter 42. Using xdp-filter for high-performance traffic filtering to prevent DDoS attacks
The xdp-filter utility uses XDP to drop packets directly at the network interface, making it faster than filters, such as nftables. It helps block traffic quickly during DDoS attacks and you can filter by IP, MAC address, or port.
For example, during testing, Red Hat dropped 26 million network packets per second on a single core, which is significantly higher than the drop rate of nftables on the same hardware.
The xdp-filter utility allows or drops incoming network packets using XDP. You can create rules to filter traffic to or from specific:
- IP addresses
- MAC addresses
- Ports
Note that, even if xdp-filter has a significantly higher packet-processing rate, it does not have the same capabilities as, for example, nftables. Consider xdp-filter a conceptual utility to demonstrate packet filtering using XDP. Additionally, you can use the code of the utility for a better understanding of how to write your own XDP applications.
On other architectures than AMD and Intel 64-bit, the xdp-filter utility is provided as a Technology Preview only. Technology Preview features are not supported with Red Hat production Service Level Agreements (SLAs), might not be functionally complete, and Red Hat does not recommend using them for production. These previews provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
See Technology Preview Features Support Scope on the Red Hat Customer Portal for information about the support scope for Technology Preview features.
42.1. Dropping network packets that match an xdp-filter rule
The xdp-filter utility can use an allow policy that allows all traffic except packets that match specific rules, such as those from a particular source IP address, source MAC address, or to a specific destination port.
If you are a developer and interested in the code of xdp-filter, download and install the corresponding source RPM (SRPM) from the Red Hat Customer Portal.
Prerequisites
-
The
xdp-toolspackage is installed. - A network driver that supports XDP programs.
Procedure
Load
xdp-filterto process incoming packets on a certain interface, such asenp1s0:xdp-filter load enp1s0
# xdp-filter load enp1s0Copy to Clipboard Copied! Toggle word wrap Toggle overflow By default,
xdp-filteruses theallowpolicy, and the utility drops only traffic that matches any rule.Optionally, use the
-f featureoption to enable only particular features, such astcp,ipv4, orethernet. Loading only the required features instead of all of them increases the speed of packet processing. To enable multiple features, separate them with a comma.If the command fails with an error, the network driver does not support XDP programs.
Add rules to drop packets that match them. For example:
To drop incoming packets to port
22, enter:xdp-filter port 22
# xdp-filter port 22Copy to Clipboard Copied! Toggle word wrap Toggle overflow This command adds a rule that matches TCP and UDP traffic. To match only a particular protocol, use the
-p protocoloption.To drop incoming packets from
192.0.2.1, enter:xdp-filter ip 192.0.2.1 -m src
# xdp-filter ip 192.0.2.1 -m srcCopy to Clipboard Copied! Toggle word wrap Toggle overflow Note that
xdp-filterdoes not support IP ranges.To drop incoming packets from MAC address
00:53:00:AA:07:BE, enter:xdp-filter ether 00:53:00:AA:07:BE -m src
# xdp-filter ether 00:53:00:AA:07:BE -m srcCopy to Clipboard Copied! Toggle word wrap Toggle overflow
Verification
Use the following command to display statistics about dropped and allowed packets:
xdp-filter status
# xdp-filter statusCopy to Clipboard Copied! Toggle word wrap Toggle overflow
42.2. Dropping all network packets except the ones that match an xdp-filter rule
The xdp-filter utility can use a deny policy that drops all traffic except packets that match specific rules, such as those from a particular source IP address, source MAC address, or to a specific destination port.
If you set the default policy to deny when you load xdp-filter on an interface, the kernel immediately drops all packets from this interface until you create rules that allow certain traffic. To avoid being locked out from the system, enter the commands locally or connect through a different network interface to the host.
If you are a developer and you are interested in the code of xdp-filter, download and install the corresponding source RPM (SRPM) from the Red Hat Customer Portal.
Prerequisites
-
The
xdp-toolspackage is installed. - You are logged in to the host either locally or using a network interface for which you do not plan to filter the traffic.
- A network driver that supports XDP programs.
Procedure
Load
xdp-filterto process packets on a certain interface, such asenp1s0:xdp-filter load enp1s0 -p deny
# xdp-filter load enp1s0 -p denyCopy to Clipboard Copied! Toggle word wrap Toggle overflow Optionally, use the
-f featureoption to enable only particular features, such astcp,ipv4, orethernet. Loading only the required features instead of all of them increases the speed of packet processing. To enable multiple features, separate them with a comma.If the command fails with an error, the network driver does not support XDP programs.
Add rules to allow packets that match them. For example:
To allow packets to port
22, enter:xdp-filter port 22
# xdp-filter port 22Copy to Clipboard Copied! Toggle word wrap Toggle overflow This command adds a rule that matches TCP and UDP traffic. To match only a particular protocol, pass the
-p protocoloption to the command.To allow packets to
192.0.2.1, enter:xdp-filter ip 192.0.2.1
# xdp-filter ip 192.0.2.1Copy to Clipboard Copied! Toggle word wrap Toggle overflow Note that
xdp-filterdoes not support IP ranges.To allow packets to MAC address
00:53:00:AA:07:BE, enter:xdp-filter ether 00:53:00:AA:07:BE
# xdp-filter ether 00:53:00:AA:07:BECopy to Clipboard Copied! Toggle word wrap Toggle overflow
ImportantThe
xdp-filterutility does not support stateful packet inspection. This requires that you either do not set a mode using the-m modeoption or you add explicit rules to allow incoming traffic that the machine receives in reply to outgoing traffic.
Verification
Use the following command to display statistics about dropped and allowed packets:
xdp-filter status
# xdp-filter statusCopy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}