XDP ACL

Refactor the eBPF C code and Go code of xdp_acl.

Updated

Use CO-RE to enable XDP log with --debug dynamically.
Use specified BTF file with --kernel-btf.
Upgrade to dynamic bitmap size by rules number.
Upgrade bpf map of rule action to percpu-array map by replacing percpu-hash map.
Update ACL rules without detaching/attaching XDP.

P.S.

The original reference is eBPF / XDP based firewall and packet filtering.

From the reference, the advice is really important to deploy XDP ACL.

We do not write or update these maps once the program is loaded to avoid any lock
contentions. Instead, for any change in configuration, we create a new program with
new maps and modify the XDP program in the program array.

Inspired by this paper

Benchmarks

Performance comparison test of dropping 64 byte syn packet

Notice

Linux kernel required: v4.15 or later
How to upgrade kernel quickly ?

Docs

Inner web server RESTful API

Environment

Get Started

Download directly from release tab or compile by yourself.

# Compile
$ make

# Get help
$ ./xdp_acl -h

# Start (Inner web server will default listen on 0.0.0.0:9090).
$ ./xdp_acl -D eth1 -S

Name		Name	Last commit message	Last commit date
Latest commit History 32 Commits
docs		docs
ebpf		ebpf
public		public
script		script
.clang-format		.clang-format
.gitignore		.gitignore
LICENSE		LICENSE
Makefile		Makefile
acl.json		acl.json
acl_big.json		acl_big.json
bitmap.go		bitmap.go
flag.go		flag.go
go.mod		go.mod
go.sum		go.sum
log.go		log.go
main.go		main.go
readme.md		readme.md
rule.go		rule.go
rule_addr.go		rule_addr.go
rule_check.go		rule_check.go
rule_port.go		rule_port.go
web.go		web.go
xdp.go		xdp.go
xdp_rule.go		xdp_rule.go

License

Asphaltt/xdp_acl

Folders and files

Latest commit

History

Repository files navigation

XDP ACL

Updated

P.S.

Inspired by this paper

Benchmarks

Notice

Docs

Environment

Get Started

Web console

About

Topics

Resources

License

Stars

Watchers

Forks

Languages