On Wed, Dec 14, 2022 at 2:53 PM Toke Høiland-Jørgensen <toke@xxxxxxxxxx> wrote:
>
> Vincent Li <vincent.mc.li@xxxxxxxxx> writes:
>
> > Hi,
> >
> > If I have a user space stack like mTCP working on top of AF_XDP as a TCP
> > stateful packet filter to drop TCP packets like TCP SYN/RST/ACK floods
> > or other TCP attacks, and redirect good TCP packets back to the Linux host
> > stack after mTCP filtering, is that possible?
>
> Not really, no. You can inject it using regular userspace methods (say,
> a TUN device), or using AF_XDP on a veth device. But in both cases the
> packet will come in on a different interface, so it's not really
> transparent. And performance is not great either.
>

I see

> In general, if you want to filter traffic before passing it on to the
> kernel, the best bet is to implement your filtering in BPF and run it as
> an XDP program.
>

I read about this https://eric-keller.github.io/papers/2020/HybridNetworkStack_ieee_nfvsdn2020_slides.pdf, and thought that it was a good idea to run mTCP on top of AF_XDP as an anti-DDoS tool.

> -Toke
>
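Toke's suggestion above, doing the TCP filtering in BPF as an XDP program so that legitimate packets continue into the host stack on the same interface, as an added example that is not part of the thread or of any project mentioned in it. It is written as plain, userspace-testable C: `data`/`data_end` delimit the frame the way `xdp_md->data`/`data_end` do, every header read is bounds-checked first (the discipline the BPF verifier enforces), and the verdict constants mirror `XDP_DROP`/`XDP_PASS` from the kernel's `enum xdp_action`. The per-source SYN table is a plain array standing in for a BPF hash map, and `SYN_BUDGET`, `build_tcp_frame` and the 10.0.0.x addresses are assumptions made for the example.

```c
/* Added example: a userspace model of the parse-and-verdict logic an XDP
 * program would run to drop abusive TCP frames before the host stack sees
 * them. Not code from the thread; the table is a stand-in for a BPF map. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define XDP_DROP 1          /* mirrors enum xdp_action in linux/bpf.h */
#define XDP_PASS 2

#define ETH_HLEN   14
#define ETH_P_IP   0x0800
#define PROTO_TCP  6
#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_ACK 0x10

#define SYN_BUDGET 3        /* assumed policy: SYNs allowed per source per window */
#define TABLE_SIZE 256      /* stand-in for BPF_MAP_TYPE_HASH keyed by source IPv4 */
static struct { uint32_t saddr; uint32_t syns; } syn_table[TABLE_SIZE];

void reset_syn_table(void) { memset(syn_table, 0, sizeof syn_table); }

/* Open-addressed lookup/insert; saddr 0 marks an empty slot (0.0.0.0 is
 * never a valid unicast source on the wire, so the collision is harmless). */
static uint32_t *syn_counter(uint32_t saddr)
{
    uint32_t idx = (saddr ^ (saddr >> 16)) % TABLE_SIZE;
    for (uint32_t i = 0; i < TABLE_SIZE; i++) {
        uint32_t slot = (idx + i) % TABLE_SIZE;
        if (syn_table[slot].saddr == saddr || syn_table[slot].saddr == 0) {
            syn_table[slot].saddr = saddr;
            return &syn_table[slot].syns;
        }
    }
    return NULL;            /* table full: fail open rather than stall traffic */
}

/* Verdict for one frame. Every read is preceded by a data_end check, exactly
 * as the BPF verifier requires of a real XDP program. */
int tcp_filter_verdict(const uint8_t *data, const uint8_t *data_end)
{
    if (data + ETH_HLEN > data_end)
        return XDP_PASS;    /* runt frame: nothing to judge, let the stack decide */
    uint16_t ethertype = (uint16_t)(data[12] << 8 | data[13]);
    if (ethertype != ETH_P_IP)
        return XDP_PASS;    /* only IPv4 is inspected here */

    const uint8_t *ip = data + ETH_HLEN;
    if (ip + 20 > data_end || (ip[0] >> 4) != 4)
        return XDP_DROP;    /* truncated header or non-v4 payload under v4 ethertype */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || ip + ihl > data_end)
        return XDP_DROP;
    if (ip[9] != PROTO_TCP)
        return XDP_PASS;
    uint32_t saddr;
    memcpy(&saddr, ip + 12, 4);

    const uint8_t *tcp = ip + ihl;
    if (tcp + 20 > data_end)
        return XDP_DROP;    /* truncated TCP header */
    uint8_t flags = tcp[13];

    /* Stateless checks: flag combinations no conforming stack emits. */
    if ((flags & (TCP_SYN | TCP_FIN)) == (TCP_SYN | TCP_FIN)) return XDP_DROP;
    if ((flags & (TCP_SYN | TCP_RST)) == (TCP_SYN | TCP_RST)) return XDP_DROP;
    if ((flags & 0x3f) == 0) return XDP_DROP;   /* null flags */

    /* Per-source SYN budget as a crude SYN-flood brake. A deployment would
     * age the counters (LRU map or timer); this model only counts. */
    if ((flags & (TCP_SYN | TCP_ACK)) == TCP_SYN) {
        uint32_t *c = syn_counter(saddr);
        if (c && ++(*c) > SYN_BUDGET)
            return XDP_DROP;
    }
    return XDP_PASS;
}

/* Constructed test input: minimal Ethernet/IPv4/TCP frame with no options
 * and no payload. saddr_bytes is copied as-is into the source address field. */
size_t build_tcp_frame(uint8_t *buf, uint32_t saddr_bytes, uint8_t flags)
{
    memset(buf, 0, ETH_HLEN + 40);
    buf[12] = 0x08; buf[13] = 0x00;     /* ethertype IPv4 */
    uint8_t *ip = buf + ETH_HLEN;
    ip[0] = 0x45;                       /* version 4, IHL 5 */
    ip[3] = 40;                         /* total length: 20 IP + 20 TCP */
    ip[8] = 64;                         /* TTL */
    ip[9] = PROTO_TCP;
    memcpy(ip + 12, &saddr_bytes, 4);
    uint8_t *tcp = ip + 20;
    tcp[12] = 0x50;                     /* data offset 5 */
    tcp[13] = flags;
    return ETH_HLEN + 40;
}
```

The structure is deliberately the one that ports to a real XDP program: replace the array with a `BPF_MAP_TYPE_LRU_HASH` so stale sources age out, take `data`/`data_end` from `struct xdp_md`, and return the same verdicts. Because the filter runs in the driver's receive path and returns `XDP_PASS` for clean frames, the packets that survive reach the host stack on the original interface, which is the transparency the AF_XDP-plus-reinjection design in the thread cannot give.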