This repo contains source code implementing basic layer 3 filtering using the Linux fast-path XDP design. This code is an experiment to extend the current Keepalived/VRRP framework to support high-performance filtering.
This code operates in stand-alone mode with no extra library dependencies. To get it working properly you need a recent toolchain. This code has been implemented and tested on Ubuntu bionic with the Ubuntu-provided kernel 4.20.3. It implements BPF object pinning in order to manipulate filtering rules and keep them persistent.
Experiments were run in a KVM/QEMU environment. To get it working, the following configuration was applied to the QEMU conf:
```
$ cd xdp_fw
$ make
  CLANG-bpf xdp_fw.bpf
$ ls
Makefile  xdp_fw.bpf  xdp_fw.c  xdp_fw.ll
```

Try loading with iproute2:

```
$ ip link set dev ens3 xdp object xdp_fw.bpf section xdp_fw
$ ip link show dev ens3
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 xdp qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 52:50:00:40:30:37 brd ff:ff:ff:ff:ff:ff
    prog/xdp id 46 tag 128273917ea96a84 jited
$ ip link set dev ens3 xdp off
```
Userspace XDP/eBPF handling code
```
$ cd xdpfwadm
$ make
  CC main.o
  CC bpf_standalone.o
  Linking xdpfwadm
$ ./xdpfwadm --help
Usage: ./xdpfwadm [OPTION...]
  -l, --load-bpf      Load a BPF prog
  -u, --unload-bpf    Unload a BPF prog
  -i, --ifindex       Net device ifindex to bind BPF prog to
  -a, --rule-add      Add a filtering rule
  -d, --rule-del      Delete a filtering rule
  -L, --rule-list     Display Rules list
  -A, --vrid-add      Add a VRRP VRID
  -D, --vrid-del      Delete a VRRP VRID
  -V, --vrid-list     Display VRRP VRID bitmaps
  -h, --help          Display this help message
```
Having fun
```
$ ./xdpfwadm --load-bpf xdp_fw.bpf --ifindex 2
 - Loaded bpf-map:l3_filter from file:/sys/fs/bpf/xdpfw_l3_filter
$ ip link show dev ens3
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 xdp qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 52:50:00:40:30:37 brd ff:ff:ff:ff:ff:ff
    prog/xdp id 47 tag 128273917ea96a84 jited
$ ./xdpfwadm --rule-add 10.1.1.11
$ ./xdpfwadm --rule-list
 * [IPv4] 10.1.1.11
$ ./xdpfwadm --rule-del 10.1.1.11
...
```
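To show what a layer 3 rule such as `10.1.1.11` decides per packet, here is a userspace C model of the filter verdict. It is an added example, not code from this repo's `xdp_fw.c`. It assumes rules match the IPv4 source address and replaces the pinned `l3_filter` map with a plain array; all function and constant names are hypothetical, and the frames are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { V_DROP = 1, V_PASS = 2 };      /* same numeric values as XDP_DROP / XDP_PASS */
#define ETH_HLEN 14
#define IP4_HLEN 20
#define MAX_RULES 16

/* Hypothetical stand-in for the pinned l3_filter map: addresses in wire byte order. */
static uint8_t rules[MAX_RULES][4];
static size_t nrules;
static const uint8_t SAMPLE_BLOCKED[4] = {10, 1, 1, 11};  /* address used on this page */
static const uint8_t SAMPLE_OTHER[4]   = {10, 1, 1, 12};  /* constructed, not in rules */

int rule_add(const uint8_t ip[4]) {
    if (nrules == MAX_RULES) return -1;
    memcpy(rules[nrules++], ip, 4);
    return 0;
}

/* Like an XDP program, check the remaining length before every header read. */
int l3_filter(const uint8_t *data, size_t len) {
    if (len < ETH_HLEN) return V_PASS;                /* truncated frame */
    if (data[12] != 0x08 || data[13] != 0x00)         /* EtherType is not IPv4: */
        return V_PASS;                                /* 802.1Q-tagged IPv4 also lands here */
    if (len < ETH_HLEN + IP4_HLEN) return V_PASS;     /* short IPv4 header */
    const uint8_t *src = data + ETH_HLEN + 12;        /* source address, header bytes 12..15 */
    for (size_t i = 0; i < nrules; i++)
        if (memcmp(rules[i], src, 4) == 0) return V_DROP;
    return V_PASS;
}

/* Build a constructed frame (zeroed except EtherType and source IP) and filter it. */
int verdict_for(uint16_t ethertype, const uint8_t src[4], size_t len) {
    uint8_t frame[64] = {0};
    if (len > sizeof frame) len = sizeof frame;
    frame[12] = (uint8_t)(ethertype >> 8);
    frame[13] = (uint8_t)ethertype;
    memcpy(frame + ETH_HLEN + 12, src, 4);
    return l3_filter(frame, len);
}

int main(void) {
    rule_add(SAMPLE_BLOCKED);
    printf("blocked=%d other=%d vlan=%d short=%d\n",
           verdict_for(0x0800, SAMPLE_BLOCKED, 34), verdict_for(0x0800, SAMPLE_OTHER, 34),
           verdict_for(0x8100, SAMPLE_BLOCKED, 38), verdict_for(0x0800, SAMPLE_BLOCKED, 20));
    return 0;
}
```

In this model anything that does not parse as untagged IPv4 is passed up the stack, so a VLAN-tagged frame from a listed address is not dropped; a filter that must cover tagged traffic has to parse the 802.1Q header as well.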