Hi Vincent,
I am not very familiar at all with this type of stuff but one thing that I noticed is that in the image you provided a link to, the XDP section has a line labelled XDP_TX which completely bypasses the whole Netfilter section which doesn't seem to be a good idea to me.
I don't understand what the difference is between XDP_PASS and XDP_TX but I would expect that nothing should be allowed to bypass the netfilter section unless it is being dropped or rejected already by the XDP process.
Regards,
Adolf.
On 09/04/2024 19:36, Vincent Li wrote:
Hi,
I have been working on enabling eBPF XDP/TC kernel feature for IPFire, please refer to https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.sv... for where XDP fit in Linux network datapath, XDP will not interfere with existing IPFire firewall rules. XDP is especially good at DDoS packet filtering at high speed, see https://netdevconf.info/0x15/slides/30/Netdev%200x15%20Accelerating%20synpro...
I think we only need to enable XDP/TC network filtering capability without eBPF tracing capability which some users are concerned about potential host security information leaks.
Please let me know what you think, thanks!
Vincent