Re: DoS/DDoS protection for end nodes

On Thu, 18 Apr 2024, at 4:32 PM, William N. wrote:
> On Thu, 18 Apr 2024 16:11:13 +0200 Florian Kauer wrote:
>
>> So the basic idea is to maintain the iptables and/or nftables
>> interface and "just" translate them to BPFs in the back. So no need
>> to write C if you don't want to.
>
> Then nftables can be used against DDoS with the BPF performance, right?
>
> Has this made it to the mainline kernel or it is still something
> experimental?

See:

http://vger.kernel.org/bpfconf2023_material/bpfilter.pdf
https://www.socallinuxexpo.org/sites/default/files/presentations/Scale21x.pdf

Also:

https://facebook.github.io/bpfilter/index.html
https://github.com/qdeslandes/iptables
https://github.com/qdeslandes/nftables/tree/bpfilter_support

The latter two links are for Deslandes' forks of iptables and nftables. I don't know what Meta are using behind the scenes but both appear to be highly experimental.

-- 
Kerin Millar



