On Thu, Dec 15, 2022 at 3:09 AM Toke Høiland-Jørgensen <toke@xxxxxxxxxx> wrote:
>
> Vincent Li <vincent.mc.li@xxxxxxxxx> writes:
>
> > On Wed, Dec 14, 2022 at 2:53 PM Toke Høiland-Jørgensen <toke@xxxxxxxxxx> wrote:
> >>
> >> Vincent Li <vincent.mc.li@xxxxxxxxx> writes:
> >>
> >> > Hi,
> >> >
> >> > If I have a user space stack like mTCP working on top of AF_XDP as a TCP
> >> > stateful packet filter to drop TCP packets like TCP SYN/RST/ACK floods
> >> > or other TCP attacks, and redirect good TCP packets back to the Linux host
> >> > stack after mTCP filtering, is that possible?
> >>
> >> Not really, no. You can inject it using regular userspace methods (say,
> >> a TUN device), or using AF_XDP on a veth device. But in both cases the
> >> packet will come in on a different interface, so it's not really
> >> transparent. And performance is not great either.
> >>
> > I see
> >
> >> In general, if you want to filter traffic before passing it on to the
> >> kernel, the best bet is to implement your filtering in BPF and run it as
> >> an XDP program.
> >>
> > I read about this
> > https://eric-keller.github.io/papers/2020/HybridNetworkStack_ieee_nfvsdn2020_slides.pdf,
> > thought that is a good idea to run mTCP on top of AF_XDP as an anti-DDoS
> > tool
>
> Right, that slide deck seems awfully hand-wavy about how they're getting
> packets back into the kernel, though... I guess you could ask the author
> how they're doing it? :)

I will try :), thanks again!

>
> -Toke
>
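An added example, not code from the thread, from mTCP, or from any XDP project: the shape of the "filter in BPF, run it as XDP" approach Toke recommends, applied to the SYN/RST/ACK-flood case Vincent asks about. It is written as plain C so the verdict logic can be compiled and run on the host. Assumptions not taken from the thread: the per-source token buckets and the flow table are plain arrays here (in a real XDP program they would be BPF maps such as BPF_MAP_TYPE_LRU_HASH, and now_ns would come from bpf_ktime_get_ns()); headers are parsed by offset rather than through <linux/ip.h> and friends; checksums are not validated, since the kernel stack still does that for whatever is passed up. The function names (xdp_tcp_filter, syn_allowed, build_tcp), the budget constants and the test addresses are all made up for the example.

```c
/* Added example: XDP-style stateful TCP pre-filter, host-runnable plain C.
 * Assumptions (not from the thread): arrays stand in for BPF maps, the
 * caller supplies the timestamp, header layout is parsed by hand, no checksums. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { XDP_DROP = 1, XDP_PASS = 2 };      /* same values as in <linux/bpf.h> */
#define ETH_P_IP    0x0800
#define IPPROTO_TCP 6
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10
#define SYN_BURST   3        /* token-bucket capacity per source IP (assumed) */
#define SYN_PER_SEC 2        /* refill rate per source IP (assumed) */
#define NSLOTS      256      /* direct-mapped tables; a collision evicts the old entry */

struct bucket { uint32_t ip; uint64_t millitokens, last_ns; };
struct flow   { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t used; };
static struct bucket buckets[NSLOTS];
static struct flow   flows[NSLOTS];

void filter_reset(void) { memset(buckets, 0, sizeof buckets); memset(flows, 0, sizeof flows); }

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static uint32_t slot(uint32_t a, uint32_t b, uint32_t c) {
    uint32_t h = a * 2654435761u ^ b * 40503u ^ c;
    return (h ^ (h >> 16)) % NSLOTS;
}

/* Token bucket per source IP: returns 1 if this SYN is within budget. */
static int syn_allowed(uint32_t saddr, uint64_t now_ns) {
    struct bucket *b = &buckets[slot(saddr, 0, 0)];
    if (b->ip != saddr) {                          /* new (or evicted) source: full bucket */
        b->ip = saddr; b->millitokens = SYN_BURST * 1000; b->last_ns = now_ns;
    } else if (now_ns > b->last_ns) {
        /* elapsed ns * tokens/s / 1e9 * 1000 = millitokens to add */
        uint64_t refill = (now_ns - b->last_ns) * SYN_PER_SEC / 1000000ULL;
        uint64_t t = b->millitokens + refill;
        b->millitokens = t > SYN_BURST * 1000 ? SYN_BURST * 1000 : t;
        b->last_ns = now_ns;
    }
    if (b->millitokens < 1000) return 0;
    b->millitokens -= 1000;
    return 1;
}

/* Verdict for one frame. Every field is bounds-checked against len before it
 * is read, which is what the BPF verifier enforces against data_end in XDP. */
int xdp_tcp_filter(const uint8_t *data, size_t len, uint64_t now_ns) {
    if (len < 14) return XDP_DROP;
    if (be16(data + 12) != ETH_P_IP) return XDP_PASS;     /* not IPv4: leave to the stack */
    const uint8_t *ip = data + 14;
    size_t iplen = len - 14;
    if (iplen < 20 || (ip[0] >> 4) != 4) return XDP_DROP;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > iplen) return XDP_DROP;
    if (ip[9] != IPPROTO_TCP) return XDP_PASS;            /* not TCP: leave to the stack */
    if (be16(ip + 6) & 0x1fff) return XDP_DROP;           /* non-first fragment: no TCP header */
    if (iplen - ihl < 20) return XDP_DROP;
    const uint8_t *tcp = ip + ihl;
    uint32_t saddr = be32(ip + 12), daddr = be32(ip + 16);
    uint16_t sport = be16(tcp), dport = be16(tcp + 2);
    uint8_t flags = tcp[13];

    struct flow *f = &flows[slot(saddr, daddr, (uint32_t)sport << 16 | dport)];
    int known = f->used && f->saddr == saddr && f->daddr == daddr &&
                f->sport == sport && f->dport == dport;

    if ((flags & (TH_SYN | TH_ACK)) == TH_SYN) {          /* connection attempt */
        if (!syn_allowed(saddr, now_ns)) return XDP_DROP; /* SYN flood: over budget */
        *f = (struct flow){ saddr, daddr, sport, dport, 1 };
        return XDP_PASS;
    }
    if (!known) return XDP_DROP;       /* ACK/RST/etc. with no prior SYN: flood or scan */
    if (flags & TH_RST) f->used = 0;   /* teardown frees the slot */
    return XDP_PASS;
}

/* Constructed test input: minimal Ethernet/IPv4/TCP frame, no options, no payload. */
size_t build_tcp(uint8_t *buf, uint32_t saddr, uint32_t daddr,
                 uint16_t sport, uint16_t dport, uint8_t flags) {
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;                       /* EtherType IPv4 */
    uint8_t *ip = buf + 14, *tcp = ip + 20;
    ip[0] = 0x45; ip[3] = 40; ip[8] = 64; ip[9] = IPPROTO_TCP;
    for (int i = 0; i < 4; i++) {
        ip[12 + i] = (uint8_t)(saddr >> (24 - 8 * i));
        ip[16 + i] = (uint8_t)(daddr >> (24 - 8 * i));
    }
    tcp[0] = (uint8_t)(sport >> 8); tcp[1] = (uint8_t)sport;
    tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
    tcp[12] = 0x50; tcp[13] = flags;                      /* data offset 5, flags */
    return 54;
}
```

In a real deployment the body of xdp_tcp_filter would sit inside a SEC("xdp") program and the two tables would be maps, which is what lets the state survive across packets and be inspected from user space; the stateful part (remembering which SYNs were let through so that bare ACKs and RSTs can be matched against them) is exactly the role mTCP was going to play in Vincent's design, and it fits in BPF without the packet ever leaving the kernel path, so the "how do we get it back into the stack" problem from the slide deck does not arise. Whether a direct-mapped table and a per-source bucket are enough depends on the attack; a spoofed-source flood defeats per-source limiting and needs SYN cookies or a global budget on top.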