Re: Redirect packet back to host stack after AF_XDP?

Vincent Li <vincent.mc.li@xxxxxxxxx> writes:

> Hi,
>
> If I have a user space stack like mTCP works on top of AF_XDP as tcp
> stateful packet filter to drop tcp packet like tcp syn/rst/ack flood
> or other tcp attack, and redirect good tcp packet back to linux host
> stack after mTCP filtering, is that possible?

Not really, no. You can inject it using regular userspace methods (say,
a TUN device), or using AF_XDP on a veth device. But in both cases the
packet will come in on a different interface, so it's not really
transparent. And performance is not great either.

In general, if you want to filter traffic before passing it on to the
kernel, the best bet is to implement your filtering in BPF and run it as
an XDP program.

-Toke
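
What "filtering in BPF, run as an XDP program" can look like for the TCP case asked about, as an added example (not from this thread and not any project's own code): a stateless check that drops segments whose flag combinations a normal TCP endpoint does not send and passes everything else on to the host stack. The names `tcp_flag_verdict` and `xdp_tcp_flag_filter` and the choice of combinations are assumptions made for illustration; tracking flood rates per source would additionally need BPF maps.

```c
#ifdef __bpf__                   /* built with: clang -O2 -target bpf -c */
#include <linux/bpf.h>           /* struct xdp_md, XDP_DROP, XDP_PASS */
#include <bpf/bpf_helpers.h>     /* SEC() */
#else                            /* host build: values of enum xdp_action */
enum { XDP_DROP = 1, XDP_PASS = 2 };
#endif
#define F_FIN 0x01
#define F_SYN 0x02
#define F_RST 0x04

/* Verdict for one Ethernet frame in [data, data_end). Each read is preceded
 * by a bounds check against data_end, which the BPF verifier insists on.
 * Anything that cannot be parsed is passed on to the kernel's own checks. */
static inline int tcp_flag_verdict(const void *data, const void *data_end)
{
    const unsigned char *eth = data, *end = data_end;
    if (eth + 14 > end)
        return XDP_PASS;                    /* runt frame */
    if (eth[12] != 0x08 || eth[13] != 0x00)
        return XDP_PASS;                    /* not IPv4 (VLAN tags not handled) */

    const unsigned char *ip = eth + 14;
    if (ip + 20 > end)
        return XDP_PASS;
    unsigned int ihl = (ip[0] & 0x0f) * 4;  /* IPv4 header length in bytes */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6 /* IPPROTO_TCP */)
        return XDP_PASS;
    if ((((ip[6] & 0x1f) << 8) | ip[7]) != 0)
        return XDP_PASS;                    /* later fragment: no TCP header */

    const unsigned char *tcp = ip + ihl;
    if (tcp + 20 > end)
        return XDP_PASS;                    /* truncated TCP header */
    unsigned char flags = tcp[13];
    if ((flags & 0x3f) == 0)                /* no flags set at all */
        return XDP_DROP;
    if ((flags & F_SYN) && (flags & (F_FIN | F_RST)))
        return XDP_DROP;                    /* SYN+FIN or SYN+RST */
    return XDP_PASS;
}

#ifdef __bpf__
SEC("xdp")
int xdp_tcp_flag_filter(struct xdp_md *ctx)
{
    return tcp_flag_verdict((void *)(long)ctx->data, (void *)(long)ctx->data_end);
}
char _license[] SEC("license") = "GPL";
#endif
```

Packets that get `XDP_PASS` continue into the kernel on the interface they arrived on, which is the transparency the TUN and veth routes above do not give.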



