From: Adolf Belka
To: development@lists.ipfire.org
Subject: Re: Enable eBPF XDP/TC kernel feature for IPFire
Date: Wed, 10 Apr 2024 11:04:09 +0200
Message-ID: <96b4035d-8ae5-418d-98df-08cecbb58e9d@ipfire.org>

Hi Vincent,

I am not very familiar at all with this type of stuff, but one thing that I noticed is that in the image you provided a link to, the XDP section has a line labelled XDP_TX which completely bypasses the whole Netfilter section, which doesn't seem to be a good idea to me.

I don't understand what the difference is between XDP_PASS and XDP_TX, but I would expect that nothing should be allowed to bypass the netfilter section unless it is being dropped or rejected already by the XDP process.

Regards,
Adolf.

On 09/04/2024 19:36, Vincent Li wrote:
> Hi,
>
> I have been working on enabling the eBPF XDP/TC kernel feature for IPFire. Please refer to
> https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
> for where XDP fits in the Linux network datapath; XDP will not interfere with existing IPFire firewall rules. XDP is especially good at DDoS packet filtering at high speed, see
> https://netdevconf.info/0x15/slides/30/Netdev%200x15%20Accelerating%20synproxy%20with%20XDP.pdf
>
> I think we only need to enable the XDP/TC network filtering capability without the eBPF tracing capability, which some users are concerned about because of potential host security information leaks.
>
> Please let me know what you think, thanks!
>
> Vincent
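As an added illustration of the XDP_PASS versus XDP_TX point raised in this thread (example code written for this page, not from the thread or from IPFire), the following plain-C model of an XDP verdict function only ever returns XDP_DROP or XDP_PASS, so every packet it does not drop continues into the kernel stack and is still seen by netfilter. It is a user-space model rather than a loadable BPF program; the only assumption is that the action numbers match the kernel's enum xdp_action, and the test frames are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same numeric values as enum xdp_action in <linux/bpf.h>, redefined here
 * so the model compiles without kernel headers (assumption stated above). */
enum { XDP_ABORTED = 0, XDP_DROP = 1, XDP_PASS = 2, XDP_TX = 3, XDP_REDIRECT = 4 };

#define ETH_HLEN    14
#define ETH_P_IP    0x0800
#define IP_MIN_HLEN 20

static uint16_t be16(const uint8_t *p) { return (uint16_t)(((unsigned)p[0] << 8) | p[1]); }

/* Verdict for one frame. Only XDP_DROP or XDP_PASS is returned: anything not
 * dropped here continues into the stack and therefore reaches netfilter.
 * XDP_TX (bounce out of the same NIC) is never used, since it skips netfilter.
 * Every header field is bounds-checked before it is read, as the BPF verifier
 * would require of a real XDP program. */
int xdp_verdict(const uint8_t *data, size_t len)
{
    if (len < ETH_HLEN)                          /* truncated Ethernet header */
        return XDP_DROP;
    if (be16(data + 12) != ETH_P_IP)             /* not IPv4 (ARP, IPv6, ...): stack decides */
        return XDP_PASS;
    if (len < ETH_HLEN + IP_MIN_HLEN)            /* IPv4 header does not fit */
        return XDP_DROP;
    const uint8_t *ip = data + ETH_HLEN;
    unsigned ihl = (ip[0] & 0x0fu) * 4u;         /* header length in bytes */
    unsigned tot = be16(ip + 2);                 /* claimed total length */
    if ((ip[0] >> 4) != 4 || ihl < IP_MIN_HLEN)  /* bad version or impossible IHL */
        return XDP_DROP;
    if (tot < ihl || tot > len - ETH_HLEN)       /* length field disagrees with what arrived */
        return XDP_DROP;
    return XDP_PASS;                             /* well-formed: netfilter gets to see it */
}

/* Constructed test frame: Ethernet + minimal IPv4 header, no payload. */
size_t make_ipv4_frame(uint8_t *buf, unsigned ihl_words, uint16_t tot_len)
{
    memset(buf, 0, ETH_HLEN + IP_MIN_HLEN);
    buf[12] = 0x08; buf[13] = 0x00;                    /* EtherType IPv4 */
    buf[14] = (uint8_t)(0x40 | (ihl_words & 0x0fu));   /* version 4, IHL */
    buf[16] = (uint8_t)(tot_len >> 8); buf[17] = (uint8_t)tot_len;
    return ETH_HLEN + IP_MIN_HLEN;
}

int main(void)
{
    uint8_t f[64];
    size_t n = make_ipv4_frame(f, 5, 20);
    printf("well-formed IPv4: %s\n", xdp_verdict(f, n) == XDP_PASS ? "XDP_PASS" : "XDP_DROP");
    n = make_ipv4_frame(f, 2, 20);
    printf("IHL=2 (malformed): %s\n", xdp_verdict(f, n) == XDP_PASS ? "XDP_PASS" : "XDP_DROP");
    return 0;
}
```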