https://github.com/acassen/xdp-fw


ebpf firewall xdp

XDP FW: eXpress Data Path FireWall module
=========================================

This repo contains source code implementing basic layer-3 filtering
using the Linux fast-path XDP design. The code is an experiment aimed
at extending the current Keepalived/VRRP framework to support
high-performance filtering.

The code operates in stand-alone mode with no extra library dependencies.
To get it working properly you need a recent toolchain.
It has been implemented and tested on Ubuntu bionic with the
Ubuntu-provided kernel 4.20.3. It implements BPF object pinning in order
to manipulate filtering rules and keep them persistent.
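
To make the filtering idea concrete, here is a user-space C model of a layer-3 XDP verdict function. It is an added example, not code from this repository: matching on the source address, dropping on a match, dropping truncated IPv4 headers, and the names `rule_add`, `l3_filter` and `verdict_for` are all assumptions, and the array stands in for the pinned `l3_filter` map.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Verdict values mirror enum xdp_action in <linux/bpf.h>. */
enum { XDP_DROP = 1, XDP_PASS = 2 };
#define ETH_HDR 14   /* Ethernet header length */
#define IP4_HDR 20   /* minimum IPv4 header length */
/* Stand-in for the pinned map: IPv4 addresses in network byte order. */
static uint32_t rules[16];
static size_t nrules;

int rule_add(const char *ip)
{
    struct in_addr a;
    if (nrules == 16 || inet_pton(AF_INET, ip, &a) != 1)
        return -1;                       /* table full or not an IPv4 address */
    rules[nrules++] = a.s_addr;
    return 0;
}

/* Same shape as an XDP program: no byte is read before its offset has been
 * checked against data_end, which is what the in-kernel verifier enforces. */
int l3_filter(const uint8_t *data, const uint8_t *data_end)
{
    size_t len = (size_t)(data_end - data);
    uint32_t saddr;
    if (len < ETH_HDR || data[12] != 0x08 || data[13] != 0x00)
        return XDP_PASS;                 /* assumed: non-IPv4 is left alone */
    if (len < ETH_HDR + IP4_HDR)
        return XDP_DROP;                 /* assumed: truncated IPv4 is dropped */
    memcpy(&saddr, data + ETH_HDR + 12, sizeof(saddr));
    for (size_t i = 0; i < nrules; i++)
        if (rules[i] == saddr)
            return XDP_DROP;             /* assumed: a rule blocks that source */
    return XDP_PASS;
}

/* Build a constructed Ethernet+IPv4 frame with source `src` and filter it. */
int verdict_for(const char *src)
{
    uint8_t f[ETH_HDR + IP4_HDR] = {0};
    f[12] = 0x08; f[13] = 0x00;          /* EtherType: IPv4 */
    f[ETH_HDR] = 0x45;                   /* version 4, IHL 5 */
    inet_pton(AF_INET, src, f + ETH_HDR + 12);
    return l3_filter(f, f + sizeof(f));
}

int main(void) { rule_add("10.1.1.11"); return verdict_for("10.1.1.11") == XDP_DROP ? 0 : 1; }
```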

Experiments were made using a KVM/Qemu environment. To get it
working, the following configuration was applied to the Qemu conf:

    $ tail -2 /etc/libvirt/qemu.conf
    rx_queue_size = 1024
    tx_queue_size = 1024

    $ virsh edit node1
    ...
    ...

# Content

Two directories are available:

* xdp_fw : 'Kernel' eBPF code
* xdpfwadm : Userspace XDP/eBPF handling code

# 'Kernel' eBPF code

    $ cd xdp_fw
    $ make
    CLANG-bpf xdp_fw.bpf
    $ ls
    Makefile xdp_fw.bpf xdp_fw.c xdp_fw.ll

Try loading with iproute2:

    $ ip link set dev ens3 xdp object xdp_fw.bpf section xdp_fw
    $ ip link show dev ens3
    2: ens3: mtu 1500 xdp qdisc mq state UP mode DEFAULT group default qlen 1000
        link/ether 52:50:00:40:30:37 brd ff:ff:ff:ff:ff:ff
        prog/xdp id 46 tag 128273917ea96a84 jited
    $ ip link set dev ens3 xdp off

# Userspace XDP/eBPF handling code

    $ cd xdpfwadm
    $ make
    CC main.o
    CC bpf_standalone.o

    Linking xdpfwadm
    $ ./xdpfwadm --help
    Usage: ./xdpfwadm [OPTION...]
      -l, --load-bpf      Load a BPF prog
      -u, --unload-bpf    Unload a BPF prog
      -i, --ifindex       Net device ifindex to bind BPF prog to
      -a, --rule-add      Add a filtering rule
      -d, --rule-del      Delete a filtering rule
      -L, --rule-list     Display Rules list
      -A, --vrid-add      Add a VRRP VRID
      -D, --vrid-del      Delete a VRRP VRID
      -V, --vrid-list     Display VRRP VRID bitmaps
      -h, --help          Display this help message

# Having fun

    $ ./xdpfwadm --load-bpf xdp_fw.bpf --ifindex 2
    - Loaded bpf-map:l3_filter from file:/sys/fs/bpf/xdpfw_l3_filter
    $ ip link show dev ens3
    2: ens3: mtu 1500 xdp qdisc mq state UP mode DEFAULT group default qlen 1000
        link/ether 52:50:00:40:30:37 brd ff:ff:ff:ff:ff:ff
        prog/xdp id 47 tag 128273917ea96a84 jited
    $ ./xdpfwadm --rule-add 10.1.1.11
    $ ./xdpfwadm --rule-list
    * [IPv4] 10.1.1.11
    $ ./xdpfwadm --rule-del 10.1.1.11
    ...

Enjoy,
Alexandre