| 1 | +# Lesson 14: Getting Started with XDP Packet Filtering |
| 2 | + |
| 3 | +## What is XDP |
| 4 | + |
| 5 | +XDP (eXpress Data Path) is the earliest packet processing point in the Linux kernel. When a packet is just received by the NIC driver, before entering the kernel network stack, XDP can already process it. |
| 6 | + |
| 7 | +``` |
| 8 | +NIC → [XDP Processing Point] → Kernel Network Stack → Application |
| 9 | + ↑ |
| 10 | + This lesson processes here |
| 11 | +``` |
| 12 | + |
| 13 | +**Core Advantage**: Packets can be dropped before entering the kernel network stack, providing extremely high performance, ideal for DDoS protection scenarios. |
| 14 | + |
| 15 | +## Example Functionality |
| 16 | + |
| 17 | +This example implements: |
| 18 | +- Drop all ICMP packets at the XDP layer |
| 19 | +- Count TCP/UDP packet statistics |
| 20 | + |
| 21 | +## XDP Return Values |
| 22 | + |
| 23 | +XDP programs tell the kernel how to handle packets through return values: |
| 24 | + |
| 25 | +| Return Value | Meaning | |
| 26 | +|--------------|---------| |
| 27 | +| `XDP_DROP` | Drop the packet | |
| 28 | +| `XDP_PASS` | Pass normally to kernel network stack | |
| 29 | +| `XDP_TX` | Send back through the receiving NIC | |
| 30 | +| `XDP_REDIRECT` | Redirect to another NIC | |
| 31 | +| `XDP_ABORTED` | Error, drop and log | |
| 32 | + |
| 33 | +## Core Code Analysis |
| 34 | + |
| 35 | +### Kernel-space Program (xdp_filter.bpf.c) |
| 36 | + |
| 37 | +```c |
| 38 | +SEC("xdp") |
| 39 | +int xdp_filter_icmp(struct xdp_md *ctx) |
| 40 | +{ |
| 41 | + // 1. Get packet start and end pointers |
| 42 | + void *data = (void *)(long)ctx->data; |
| 43 | + void *data_end = (void *)(long)ctx->data_end; |
| 44 | + |
| 45 | + // 2. Parse Ethernet header |
| 46 | + struct ethhdr *eth = data; |
| 47 | + if ((void *)(eth + 1) > data_end) // Bounds check, required |
| 48 | + return XDP_PASS; |
| 49 | + |
| 50 | + // 3. Only handle IPv4 |
| 51 | + if (eth->h_proto != bpf_htons(ETH_P_IP)) |
| 52 | + return XDP_PASS; |
| 53 | + |
| 54 | + // 4. Parse IP header |
| 55 | + struct iphdr *ip = (void *)(eth + 1); |
| 56 | + if ((void *)(ip + 1) > data_end) // Bounds check |
| 57 | + return XDP_PASS; |
| 58 | + |
| 59 | + // 5. If ICMP, drop it |
| 60 | + if (ip->protocol == IPPROTO_ICMP) { |
| 61 | + return XDP_DROP; // Drop directly, doesn't enter kernel network stack |
| 62 | + } |
| 63 | + |
| 64 | + // 6. Other protocols pass normally |
| 65 | + return XDP_PASS; |
| 66 | +} |
| 67 | +``` |
| 68 | +
|
| 69 | +**Key Points**: |
| 70 | +- `SEC("xdp")` marks this as an XDP program |
| 71 | +- `struct xdp_md *ctx` contains packet metadata |
| 72 | +- `ctx->data` and `ctx->data_end` are the packet's memory boundaries |
| 73 | +- **Bounds checks are required**, otherwise the BPF verifier will reject loading |
| 74 | +
|
| 75 | +### User-space Program (xdp_filter.c) |
| 76 | +
|
| 77 | +```c |
| 78 | +// Get NIC index |
| 79 | +int ifindex = if_nametoindex(ifname); |
| 80 | +
|
| 81 | +// Attach XDP program to NIC |
| 82 | +int err = bpf_xdp_attach(ifindex, prog_fd, XDP_FLAGS_SKB_MODE, NULL); |
| 83 | +
|
| 84 | +// Detach when program exits |
| 85 | +bpf_xdp_detach(ifindex, XDP_FLAGS_SKB_MODE, NULL); |
| 86 | +``` |
| 87 | + |
| 88 | +**XDP Modes**: |
| 89 | +- `XDP_FLAGS_SKB_MODE`: Generic mode, supported by all NICs, moderate performance |
| 90 | +- `XDP_FLAGS_DRV_MODE`: Driver mode, requires NIC support, high performance |
| 91 | +- `XDP_FLAGS_HW_MODE`: Hardware offload, requires specific NICs, highest performance |
| 92 | + |
| 93 | +This example uses SKB mode for compatibility. |
| 94 | + |
| 95 | +## Build and Run |
| 96 | + |
| 97 | +```bash |
| 98 | +# Build |
| 99 | +cd src/xdp_filter |
| 100 | +make |
| 101 | + |
| 102 | +# Run (requires root privileges) |
| 103 | +sudo ./xdp_filter eth0 # Replace with your NIC name |
| 104 | + |
| 105 | +# Check NIC name |
| 106 | +ip addr show |
| 107 | +``` |
| 108 | + |
| 109 | +## Testing |
| 110 | + |
| 111 | +```bash |
| 112 | +# Terminal 1: Run XDP program |
| 113 | +sudo ./xdp_filter eth0 |
| 114 | + |
| 115 | +# Terminal 2: Test ICMP (will be dropped) |
| 116 | +ping 8.8.8.8 # No response, ICMP is dropped by XDP |
| 117 | + |
| 118 | +# Terminal 2: Test TCP (passes normally) |
| 119 | +curl https://baidu.com # Works normally |
| 120 | +``` |
| 121 | + |
| 122 | +## Common Commands |
| 123 | + |
| 124 | +```bash |
| 125 | +# View XDP program on NIC |
| 126 | +ip link show eth0 |
| 127 | + |
| 128 | +# Manually detach XDP program |
| 129 | +sudo ip link set dev eth0 xdp off |
| 130 | + |
| 131 | +# View loaded BPF programs |
| 132 | +sudo bpftool prog list |
| 133 | +sudo bpftool net list |
| 134 | +``` |
| 135 | + |
| 136 | +## Difference from TC |
| 137 | + |
| 138 | +| | XDP | TC | |
| 139 | +|--|-----|-----| |
| 140 | +| Processing Location | NIC driver layer | Kernel network stack | |
| 141 | +| Direction | Ingress only | Ingress + Egress | |
| 142 | +| Performance | Extremely high | High | |
| 143 | +| Use Cases | DDoS protection, load balancing | Traffic shaping, policy control | |
| 144 | + |
| 145 | +## Exercises |
| 146 | + |
| 147 | +1. **Drop Specific IP**: Modify the code to drop packets from a specific IP address |
| 148 | +2. **Port Filtering**: Only allow specific TCP ports through |
| 149 | +3. **Statistics Optimization**: Use Per-CPU Map to improve statistics performance |
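Review bot: the feature list under "Example Functionality" promises `- Count TCP/UDP packet statistics`, but the kernel excerpt in xdp_filter.bpf.c defines no map and updates no counter; step 6 returns `XDP_PASS` for every non-ICMP packet, and the user-space excerpt never reads a map either. Either add the statistics map and the increment to the kernel excerpt (that code is also the prerequisite for exercise 3, "Use Per-CPU Map to improve statistics performance"), or drop the bullet so the lesson matches the code shown. Two smaller points on the same hunk: the test comment `ping 8.8.8.8 # No response, ICMP is dropped by XDP` deserves one sentence stating that XDP is ingress-only (as the TC comparison table already says), so the echo request still leaves the host and it is the echo reply that gets dropped; and because the check `ip->protocol == IPPROTO_ICMP` matches every ICMP type, not just echo, the lesson should mention that incoming ICMP errors such as Fragmentation Needed are lost as well, which can break path MTU discovery on the test host. For exercise 2, the text should point out that the IPv4 header length is `ip->ihl * 4`, so locating the TCP header needs that offset plus a second bounds check rather than assuming `ip + 1`.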