Re: Bpfilter Development

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Christian Deacon <gamemann@xxxxxxxxxxx> writes:

> Hey everyone,
>
>
> I apologize if this is the incorrect place to address this. I couldn't 
> find any mailing list for Bpfilter specifically. If there is a better 
> place to address this, suggestions are welcomed and appreciated!
>
>
> I was wondering if Bpfilter is still under development or if the project 
> development is at a halt. I am planning out my next major project that 
> will be responsible for forwarding traffic and blocking (D)DoS attacks 
> based off of filtering rules. As of right now, I'm trying to decide 
> whether to use Bpfilter or XDP-native for blocking malicious traffic. 
> With the project's current layout, I feel it would be easier using 
> something like Bpfilter for this. However, I'm not sure when this will 
> be completely developed to the point it'd be usable with my application. 
> If this project is under development, is there any ETA on when it will 
> be officially supported and in a usable state for most applications 
> (specifically for dropping malicious traffic)?

As a general rule I think you will find that there are very few upstream
developers who will commit to any ETA other than "when it's done". As
for bpfilter specifically, I am not aware of anyone actively working on
it at all...

> One last question I had is if there were any estimates on how fast 
> Bpfilter would be compared to XDP-native when dropping malicious 
> packets. I'd assume they would see similar performance, but I'm not 
> entirely sure.

I would expect that XDP would be significantly faster (as long as you
are using hardware with native XDP support in the driver). For DDOS
filtering specifically, I think it would be a no-brainer to just go with
XDP.

Feel free to use xdp-filter as a starting point:

https://github.com/xdp-project/xdp-tools/tree/master/xdp-filter

It's pretty dumb as far as expressing the filtering rules themselves are
concerned, but it does demonstrate how you might structure such a
program, including how to only load the BPF code needed to support the
active filtering rules. Pull requests always welcome to improve it as
well, of course :)

-Toke
[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux