From: Vincent Li
To: development@lists.ipfire.org
Subject: Enable eBPF XDP/TC kernel feature for IPFire
Date: Tue, 09 Apr 2024 10:36:41 -0700

Hi,

I have been working on enabling the eBPF XDP/TC kernel feature for IPFire. Please refer to
https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
for where XDP fits in the Linux network datapath. XDP will not interfere with existing IPFire firewall rules. XDP is especially good at DDoS packet filtering at high speed; see
https://netdevconf.info/0x15/slides/30/Netdev%200x15%20Accelerating%20synproxy%20with%20XDP.pdf

I think we only need to enable XDP/TC network filtering capability, without the eBPF tracing capability that some users are concerned about because of potential host security information leaks.

Please let me know what you think, thanks!

Vincent