Hi Vincent,

I am not very familiar at all with this type of stuff, but one thing that I noticed is that in the image you provided a link to, the XDP section has a line labelled XDP_TX which completely bypasses the whole Netfilter section, which doesn't seem to be a good idea to me. I don't understand what the difference is between XDP_PASS and XDP_TX, but I would expect that nothing should be allowed to bypass the Netfilter section unless it is being dropped or rejected already by the XDP process.

Regards,
Adolf.

On 09/04/2024 19:36, Vincent Li wrote:
> Hi,
>
> I have been working on enabling the eBPF XDP/TC kernel feature for IPFire.
> Please refer to
> https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
> for where XDP fits in the Linux network datapath; XDP will not interfere
> with existing IPFire firewall rules. XDP is especially good at DDoS
> packet filtering at high speed, see
> https://netdevconf.info/0x15/slides/30/Netdev%200x15%20Accelerating%20synproxy%20with%20XDP.pdf
>
> I think we only need to enable the XDP/TC network filtering capability
> without the eBPF tracing capability, which some users are concerned about
> because of potential host security information leaks.
>
> Please let me know what you think, thanks!
>
> Vincent
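To make the XDP_PASS / XDP_TX distinction raised above concrete, here is an added example (not from this thread or from IPFire): a user-space C model of an XDP DDoS filter that only ever returns XDP_DROP or XDP_PASS, so every packet it does not drop still traverses Netfilter. The return-code values match enum xdp_action in linux/bpf.h; the packet bytes and the blocklisted source address are constructed for the demo, and the code is a plain C program, not a loadable eBPF object.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* XDP verdicts, same numeric values as enum xdp_action in <linux/bpf.h>. */
enum { XDP_ABORTED = 0, XDP_DROP = 1, XDP_PASS = 2, XDP_TX = 3, XDP_REDIRECT = 4 };

/* Only XDP_PASS hands the frame to the kernel stack (and therefore to Netfilter).
 * XDP_TX sends it back out the ingress NIC and XDP_REDIRECT hands it to another
 * NIC/CPU/socket from the driver, so neither verdict runs the local firewall rules. */
int xdp_verdict_reaches_netfilter(int action) { return action == XDP_PASS; }

/* Minimal Ethernet + IPv4 parse (no VLAN tag), bounds-checked the way the
 * eBPF verifier would require before every header access. Returns 0 on success. */
static int parse_ipv4(const uint8_t *data, size_t len, uint8_t *proto, uint8_t src[4])
{
    if (len < 14 + 20) return -1;                       /* too short for eth + ip */
    if (data[12] != 0x08 || data[13] != 0x00) return -1; /* EtherType != IPv4 */
    const uint8_t *ip = data + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4u;
    if ((ip[0] >> 4) != 4 || ihl < 20 || 14 + ihl > len) return -1;
    *proto = ip[9];
    memcpy(src, ip + 12, 4);                            /* source address, wire order */
    return 0;
}

/* Filter policy: drop TCP from a blocklisted source (constructed value, TEST-NET-3),
 * pass everything else. Deliberately never returns XDP_TX or XDP_REDIRECT, so
 * anything not dropped here is still subject to the IPFire Netfilter rules. */
int ddos_filter(const uint8_t *data, size_t len)
{
    uint8_t proto, src[4];
    const uint8_t blocked[4] = {203, 0, 113, 7};       /* constructed blocklist entry */
    if (parse_ipv4(data, len, &proto, src) < 0)
        return XDP_PASS;                                /* not IPv4: let the stack decide */
    if (proto == 6 && memcmp(src, blocked, 4) == 0)     /* 6 = TCP */
        return XDP_DROP;
    return XDP_PASS;
}

/* Build a constructed 54-byte Ethernet/IPv4/TCP frame (zeroed TCP header) for testing. */
size_t build_ipv4_tcp_frame(uint8_t *buf, const uint8_t src[4])
{
    const uint8_t dst[4] = {192, 0, 2, 1};             /* constructed, TEST-NET-1 */
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;                     /* EtherType IPv4 */
    uint8_t *ip = buf + 14;
    ip[0] = 0x45;                                       /* version 4, IHL 5 */
    ip[3] = 40;                                         /* total length 20 + 20 */
    ip[8] = 64;                                         /* TTL */
    ip[9] = 6;                                          /* protocol TCP */
    memcpy(ip + 12, src, 4);
    memcpy(ip + 16, dst, 4);
    return 54;
}
```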