On Wed, Dec 14, 2022 at 2:53 PM Toke Høiland-Jørgensen <toke@xxxxxxxxxx> wrote:
>
> Vincent Li <vincent.mc.li@xxxxxxxxx> writes:
>
> > Hi,
> >
> > If I have a user space stack like mTCP that works on top of AF_XDP as a tcp
> > stateful packet filter to drop tcp packets like a tcp syn/rst/ack flood
> > or other tcp attack, and redirect the good tcp packets back to the linux host
> > stack after mTCP filtering, is that possible?
>
> Not really, no. You can inject it using regular userspace methods (say,
> a TUN device), or using AF_XDP on a veth device. But in both cases the
> packet will come in on a different interface, so it's not really
> transparent. And performance is not great either.

I have thought about it more :) What about this scenario:

good tcp rst/ack or bad flooding rst/ack -> NIC1 -> mTCP+AF_XDP -> NIC2

NIC1 and NIC2 are on the same host; the flooding rst/ack is dropped by mTCP, and the good tcp rst/ack is redirected to NIC2. Is that possible? Any performance impact?

>
> In general, if you want to filter traffic before passing it on to the
> kernel, the best bet is to implement your filtering in BPF and run it as
> an XDP program.

I am thinking of a scenario like a tcp rst/ack flood DDOS attack on NIC1 above: I can't simply drop every rst/ack because there could be legitimate rst/ack; in this case, since mTCP can validate legitimate stateful tcp connections, it can drop the flooding rst/ack packets and redirect the good rst/ack to NIC2. I am not sure a BPF XDP program attached to NIC1 is able to do stateful TCP packet filtering. Does that make sense to you?

>
> -Toke
>
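The stateful rst/ack check the thread is asking about, as an added user-space model that is not code from this thread, from mTCP or from the kernel: it parses an Ethernet/IPv4/TCP frame with the same data/data_end bounds checks the BPF verifier requires of an XDP program, keeps inbound flows in a small table that stands in for a BPF hash map, lets bare SYNs open a flow, passes segments that belong to a known flow and drops RST/ACK/FIN segments for flows that were never opened. The header structs, the table layout, the `xdp_filter`/`build_tcp_frame` names and the addresses in `main` are all constructed for this example; it tracks only the inbound direction and has no SYN-flood protection or entry aging, which a production filter on NIC1 would need.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts with the same values as the kernel's enum xdp_action. */
#define XDP_DROP 1
#define XDP_PASS 2

/* Header layouts mirroring struct ethhdr / iphdr / tcphdr (constructed for this
 * model); multi-byte fields stay byte arrays so reads are endian/alignment safe. */
struct eth_hdr { uint8_t dst[6], src[6], proto[2]; } __attribute__((packed));
struct ip4_hdr { uint8_t vhl, tos, tot_len[2], id[2], frag_off[2], ttl, protocol,
                 check[2], saddr[4], daddr[4]; } __attribute__((packed));
struct tcp_hdr { uint8_t sport[2], dport[2], seq[4], ack[4], doff, flags,
                 window[2], check[2], urg[2]; } __attribute__((packed));

enum { TCP_FIN = 0x01, TCP_SYN = 0x02, TCP_RST = 0x04, TCP_ACK = 0x10 };
#define ETH_P_IP 0x0800
#define IPPROTO_TCP_NUM 6

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Flow table keyed by the inbound 4-tuple: stands in for the BPF hash map an
 * XDP program would look up once per packet. */
struct flow_key { uint32_t saddr, daddr; uint16_t sport, dport; };
#define FLOW_SLOTS 256
static struct flow_key flow_tab[FLOW_SLOTS];
static uint8_t flow_used[FLOW_SLOTS];

void flow_reset(void) { memset(flow_used, 0, sizeof flow_used); }
int flow_count(void) { int n = 0; for (int i = 0; i < FLOW_SLOTS; i++) n += flow_used[i]; return n; }
static int flow_find(const struct flow_key *k) {
    for (int i = 0; i < FLOW_SLOTS; i++)
        if (flow_used[i] && memcmp(&flow_tab[i], k, sizeof *k) == 0) return i;
    return -1;
}
static int flow_add(const struct flow_key *k) {
    if (flow_find(k) >= 0) return 0;
    for (int i = 0; i < FLOW_SLOTS; i++)
        if (!flow_used[i]) { flow_tab[i] = *k; flow_used[i] = 1; return 0; }
    return -1; /* table full: a real filter would age out or evict entries */
}

/* Verdict for one inbound frame on NIC1. Each header access is preceded by the
 * bounds check against data_end that the BPF verifier would insist on. */
int xdp_filter(const uint8_t *data, size_t len) {
    const uint8_t *data_end = data + len;
    const struct eth_hdr *eth = (const void *)data;
    if ((const uint8_t *)(eth + 1) > data_end) return XDP_DROP;   /* truncated frame */
    if (rd16(eth->proto) != ETH_P_IP) return XDP_PASS;           /* not IPv4: leave it alone */

    const struct ip4_hdr *ip = (const void *)(eth + 1);
    if ((const uint8_t *)(ip + 1) > data_end) return XDP_DROP;
    size_t ihl = (size_t)(ip->vhl & 0x0f) * 4;
    if ((ip->vhl >> 4) != 4 || ihl < sizeof *ip) return XDP_DROP; /* malformed IP header */
    if (ip->protocol != IPPROTO_TCP_NUM) return XDP_PASS;

    const struct tcp_hdr *tcp = (const void *)((const uint8_t *)ip + ihl);
    if ((const uint8_t *)(tcp + 1) > data_end) return XDP_DROP;

    struct flow_key key;
    memset(&key, 0, sizeof key);
    key.saddr = rd32(ip->saddr); key.daddr = rd32(ip->daddr);
    key.sport = rd16(tcp->sport); key.dport = rd16(tcp->dport);
    uint8_t fl = tcp->flags;

    /* A bare SYN opens a flow (a production filter would SYN-cookie or rate-limit
     * here so a SYN flood cannot fill the table). */
    if ((fl & TCP_SYN) && !(fl & TCP_ACK)) return flow_add(&key) == 0 ? XDP_PASS : XDP_DROP;

    int slot = flow_find(&key);
    if (slot < 0) return XDP_DROP;                   /* RST/ACK/FIN for a flow never opened */
    if (fl & (TCP_RST | TCP_FIN)) flow_used[slot] = 0; /* legitimate teardown closes the entry */
    return XDP_PASS;
}

/* Builds a minimal Ethernet/IPv4/TCP frame (constructed input for the model). */
size_t build_tcp_frame(uint8_t *buf, size_t cap, uint32_t saddr, uint32_t daddr,
                       uint16_t sport, uint16_t dport, uint8_t flags) {
    size_t n = sizeof(struct eth_hdr) + sizeof(struct ip4_hdr) + sizeof(struct tcp_hdr);
    if (cap < n) return 0;
    memset(buf, 0, n);
    struct eth_hdr *eth = (void *)buf;          wr16(eth->proto, ETH_P_IP);
    struct ip4_hdr *ip = (void *)(eth + 1);     ip->vhl = 0x45; ip->ttl = 64;
    ip->protocol = IPPROTO_TCP_NUM;             wr16(ip->tot_len, (uint16_t)(n - sizeof *eth));
    wr32(ip->saddr, saddr);                     wr32(ip->daddr, daddr);
    struct tcp_hdr *tcp = (void *)(ip + 1);     wr16(tcp->sport, sport);
    wr16(tcp->dport, dport);                    tcp->doff = 5 << 4; tcp->flags = flags;
    return n;
}

int main(void) {
    uint8_t buf[64]; size_t n; flow_reset();
    n = build_tcp_frame(buf, sizeof buf, 0x0a000001, 0x0a000002, 40000, 80, TCP_SYN);
    printf("SYN from new client:     %s\n", xdp_filter(buf, n) == XDP_PASS ? "PASS" : "DROP");
    n = build_tcp_frame(buf, sizeof buf, 0x0a000001, 0x0a000002, 40000, 80, TCP_ACK);
    printf("ACK on known flow:       %s\n", xdp_filter(buf, n) == XDP_PASS ? "PASS" : "DROP");
    n = build_tcp_frame(buf, sizeof buf, 0xc0a80163, 0x0a000002, 5555, 80, TCP_RST | TCP_ACK);
    printf("RST/ACK on unknown flow: %s\n", xdp_filter(buf, n) == XDP_PASS ? "PASS" : "DROP");
    return 0;
}
```

The verdict logic is the part that would move into the XDP program; the flow table becomes a BPF map that the same program (or mTCP, via the map's file descriptor) can update, which is what lets the stateless per-packet hook make a stateful decision.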