On 04/27/2018 03:41 PM, Bobby Powers wrote: > On Fri, Apr 27, 2018 at 9:36 AM, Edward Cree <ecree@xxxxxxxxxxxxxx> wrote: >> The higher performance of XDP is because the processing, being done in >> the driver, happens earlier in the RX path (thus avoiding the bulk of >> network stack processing for packets that e.g. are only going to be >> dropped anyway). >> But on TX, the analogous driver code would be the _last_ thing in the >> path, rather than the first, so in such a case the `tc` approach >> should probably perform better than an XDP analogue. > > Thanks, that is super useful for my mental model! > > Does that mean it is possible (if slow) to use an XDP filter for TX? > I attached a simple one based on the DDOS filter from here: > > https://github.com/netoptimizer/prototype-kernel/tree/master/kernel/samples/bpf > > that just debug logged IPs + ports, and I only seemed to see incoming > (and not outgoing) packets in the logs. Is there a different/extra > flag to pass to have an XDP filter run on TX? Check out the extensive doc at http://cilium.readthedocs.io/en/latest/bpf/ there are XDP and tc program types described besides many other things. What you propose to attach BPF to tc's clsact egress hook would be most suitable for what you describe. Thanks, Daniel
|