Hey Toke,

Thank you for your response!

Regarding the ETA rule, I will keep that noted in the future.

Thank you for the information regarding Bpfilter as well. It appears the
development towards this has stopped at least temporarily. We will be
looking into using XDP-native in this case! I will also take a look at
the XDP-filter project you linked to see how everything is done, etc.

Thanks again!

On 4/21/2020 6:09 AM, Toke Høiland-Jørgensen wrote:
> Christian Deacon <gamemann@xxxxxxxxxxx> writes:
>
>> Hey everyone,
>>
>> I apologize if this is the incorrect place to address this. I couldn't
>> find any mailing list for Bpfilter specifically. If there is a better
>> place to address this, suggestions are welcomed and appreciated!
>>
>> I was wondering if Bpfilter is still under development or if the project
>> development is at a halt. I am planning out my next major project that
>> will be responsible for forwarding traffic and blocking (D)DoS attacks
>> based off of filtering rules. As of right now, I'm trying to decide
>> whether to use Bpfilter or XDP-native for blocking malicious traffic.
>> With the project's current layout, I feel it would be easier using
>> something like Bpfilter for this. However, I'm not sure when this will
>> be completely developed to the point it'd be usable with my application.
>>
>> If this project is under development, is there any ETA on when it will
>> be officially supported and in a usable state for most applications
>> (specifically for dropping malicious traffic)?
>
> As a general rule I think you will find that there are very few upstream
> developers who will commit to any ETA other than "when it's done". As
> for bpfilter specifically, I am not aware of anyone actively working on
> it at all...
>
>> One last question I had is if there were any estimates on how fast
>> Bpfilter would be compared to XDP-native when dropping malicious
>> packets. I'd assume they would see similar performance, but I'm not
>> entirely sure.
>
> I would expect that XDP would be significantly faster (as long as you
> are using hardware with native XDP support in the driver). For DDOS
> filtering specifically, I think it would be a no-brainer to just go with
> XDP.
>
> Feel free to use xdp-filter as a starting point:
> https://github.com/xdp-project/xdp-tools/tree/master/xdp-filter
>
> It's pretty dumb as far as expressing the filtering rules themselves are
> concerned, but it does demonstrate how you might structure such a
> program, including how to only load the BPF code needed to support the
> active filtering rules. Pull requests always welcome to improve it as
> well, of course :)
>
> -Toke