.TH "xdp-filter" "8" "SEPTEMBER 5, 2022" "V1.4.3" "A simple XDP-powered packet filter"
.SH "NAME"
xdp-filter \- a simple XDP-powered packet filter
.SH "SYNOPSIS"
.PP
XDP-filter is a packet filtering utility powered by XDP. It is deliberately
simple and so does not have the same matching capabilities as, e.g., netfilter.
Instead, thanks to XDP, it can achieve very high drop rates: tens of millions of
packets per second on a single CPU core.
.SS "Running xdp-filter"
.PP
The syntax for running xdp-filter is:
.RS
.nf
\fCxdp-filter COMMAND [options]
Where COMMAND can be one of:
load - load xdp-filter on an interface
unload - unload xdp-filter from an interface
port - add a port to the filter list
ip - add an IP address to the filter list
ether - add an Ethernet MAC address to the filter list
status - show current xdp-filter status
poll - poll statistics output
help - show the list of available commands
\fP
.fi
.RE
.PP
Each command and its options are explained below, or use \fIxdp\-filter COMMAND
\-\-help\fP to see the options for each command.
.SH "The LOAD command"
.PP
To use \fIxdp\-filter\fP, it must first be loaded onto an interface. This is
accomplished with the \fIload\fP command, which takes the name of the interface as a
parameter, and optionally allows specifying the features that should be
included. By default all features are loaded, but de-selecting some features can
speed up the packet matching, and increase performance by a substantial amount.
.PP
The syntax for the \fIload\fP command is:
.PP
\fIxdp\-filter load [options] <ifname>\fP
.PP
Where \fI<ifname>\fP is the name of the interface to load \fIxdp\-filter\fP onto, and
must be specified. The supported options are:
.SS "-m, --mode <mode>"
.PP
Specifies which mode the XDP program should be loaded in. The valid values
are 'native', which is the default in-driver XDP mode, 'skb', which causes the
so-called \fIskb mode\fP (also known as \fIgeneric XDP\fP) to be used, or 'hw' which
causes the program to be offloaded to the hardware. Skb mode works with drivers
that lack native XDP support, but because the packet has already been turned
into an skb before the program runs, it does not reach the drop rates of native
mode.
.SS "-p, --policy <policy>"
.PP
This sets the policy \fIxdp\-filter\fP applies to packets \fBnot\fP matched by any of the
filter rules. The default is \fIallow\fP, in which packets not matching any rules
are allowed to pass and matched packets are dropped. The other option is \fIdeny\fP,
in which \fBall\fP packets are dropped \fBexcept\fP those matched by the filter rules.
In other words, the rules are match rules, and a match always results in the
opposite of the policy.
.PP
\fIxdp\-filter\fP cannot be loaded simultaneously in \fIdeny\fP and \fIallow\fP policy modes
on the system. Note that loading \fIxdp\-filter\fP in \fIdeny\fP mode will drop all
traffic on the interface until suitable allow rules are installed, so some care
is needed to avoid being locked out of a remote system.
.SS "-f, --features <feats>"
.PP
Use this option to select which features to include when loading \fIxdp\-filter\fP.
The default is to load all available features. To select individual features,
specify one or more of these:
.IP \(bu 4
\fBtcp\fP: Support filtering on TCP port number
.IP \(bu 4
\fBudp\fP: Support filtering on UDP port number
.IP \(bu 4
\fBipv6\fP: Support filtering on IPv6 addresses
.IP \(bu 4
\fBipv4\fP: Support filtering on IPv4 addresses
.IP \(bu 4
\fBethernet\fP: Support filtering on Ethernet MAC addresses
.PP
Specify multiple features by separating them with a comma. E.g.: \fItcp,udp,ipv6\fP.
.SS "-v, --verbose"
.PP
Enable debug logging. Specify twice for even more verbosity.
.SS "-h, --help"
.PP
Display a summary of the available options
.SH "The UNLOAD command"
.PP
The \fIunload\fP command unloads \fIxdp\-filter\fP from one (or all) interfaces, and
cleans up the program state.
.PP
The syntax for the \fIunload\fP command is:
.PP
\fIxdp\-filter unload [options] <ifname>\fP
.PP
Where \fI<ifname>\fP is the name of the interface to unload \fIxdp\-filter\fP from, and
must be specified unless the \fB--all\fP option is used. The supported options are:
.SS "-a, --all"
.PP
Specify this option to remove \fIxdp\-filter\fP from all interfaces it was loaded
onto. If this option is specified, no \fI<ifname>\fP is needed.
.PP
This option can also be used to clean up all \fIxdp\-filter\fP state if the XDP
program(s) were unloaded by other means.
.SS "-k, --keep-maps"
.PP
Specify this option to prevent \fIxdp\-filter\fP from clearing its map state. By
default, all BPF maps no longer needed by any loaded program are removed.
However, this will also remove the contents of the maps (the filtering rules),
so this option can be used to keep the maps around so the rules persist until
\fIxdp\-filter\fP is loaded again.
.SS "-v, --verbose"
.PP
Enable debug logging. Specify twice for even more verbosity.
.SS "-h, --help"
.PP
Display a summary of the available options
.SH "The PORT command"
.PP
Use the \fIport\fP command to add a TCP or UDP port to the \fIxdp\-filter\fP match list.
For this to work, \fIxdp\-filter\fP must be loaded with either the \fBudp\fP or the \fBtcp\fP
feature (or both) on at least one interface.
.PP
The syntax for the \fIport\fP command is:
.PP
\fIxdp\-filter port [options] <port>\fP
.PP
Where \fI<port>\fP is the port number to add (or remove, if \fB--remove\fP is
specified). The supported options are:
.SS "-r, --remove"
.PP
Remove the port instead of adding it.
.SS "-m, --mode <mode>"
.PP
Select filtering mode. Valid options are \fBsrc\fP and \fBdst\fP, both of which may be
specified as \fIsrc,dst\fP. If \fBsrc\fP is specified, the port number will be added as a
\fIsource port\fP match, while if \fBdst\fP is specified, the port number will be added
as a \fIdestination port\fP match. If both are specified, a packet will be matched
if \fBeither\fP its source or destination port is the specified port number.
.SS "-p, --proto <proto>"
.PP
Specify one (or both) of \fBudp\fP and/or \fBtcp\fP to match UDP or TCP ports,
respectively.
.SS "-s, --status"
.PP
If this option is specified, the current list of matched ports will be printed
after inserting the port number. Otherwise, nothing will be printed.
.SS "-v, --verbose"
.PP
Enable debug logging. Specify twice for even more verbosity.
.SS "-h, --help"
.PP
Display a summary of the available options
.SH "The IP command"
.PP
Use the \fIip\fP command to add an IPv6 or an IPv4 address to the \fIxdp\-filter\fP match
list.
.PP
The syntax for the \fIip\fP command is:
.PP
\fIxdp\-filter ip [options] <ip>\fP
.PP
Where \fI<ip>\fP is the IP address to add (or remove, if \fB--remove\fP is
specified). Either IPv4 or IPv6 addresses can be specified, but \fIxdp\-filter\fP
must be loaded with the corresponding features (\fBipv4\fP and \fBipv6\fP,
respectively). The supported options are:
.SS "-r, --remove"
.PP
Remove the IP address instead of adding it.
.SS "-m, --mode <mode>"
.PP
Select filtering mode. Valid options are \fBsrc\fP and \fBdst\fP, both of which may be
specified as \fIsrc,dst\fP. If \fBsrc\fP is specified, the IP address will be added as a
\fIsource IP\fP match, while if \fBdst\fP is specified, the IP address will be added
as a \fIdestination IP\fP match. If both are specified, a packet will be matched
if \fBeither\fP its source or destination IP is the specified IP address.
.SS "-s, --status"
.PP
If this option is specified, the current list of matched IP addresses will be printed
after inserting the IP address. Otherwise, nothing will be printed.
.SS "-v, --verbose"
.PP
Enable debug logging. Specify twice for even more verbosity.
.SS "-h, --help"
.PP
Display a summary of the available options
.SH "The ETHER command"
.PP
Use the \fIether\fP command to add an Ethernet MAC address to the \fIxdp\-filter\fP match
list. For this to work, \fIxdp\-filter\fP must be loaded with the \fBethernet\fP
feature on at least one interface.
.PP
The syntax for the \fIether\fP command is:
.PP
\fIxdp\-filter ether [options] <addr>\fP
.PP
Where \fI<addr>\fP is the MAC address to add (or remove, if \fB--remove\fP is
specified). The supported options are:
.SS "-r, --remove"
.PP
Remove the MAC address instead of adding it.
.SS "-m, --mode <mode>"
.PP
Select filtering mode. Valid options are \fBsrc\fP and \fBdst\fP, both of which may be
specified as \fIsrc,dst\fP. If \fBsrc\fP is specified, the MAC address will be added as a
\fIsource MAC\fP match, while if \fBdst\fP is specified, the MAC address will be added
as a \fIdestination MAC\fP match. If both are specified, a packet will be matched
if \fBeither\fP its source or destination MAC is the specified MAC address.
.SS "-s, --status"
.PP
If this option is specified, the current list of matched MAC addresses will be printed
after inserting the MAC address. Otherwise, nothing will be printed.
.SS "-v, --verbose"
.PP
Enable debug logging. Specify twice for even more verbosity.
.SS "-h, --help"
.PP
Display a summary of the available options
.SH "The STATUS command"
.PP
The \fIstatus\fP command prints the current status of \fIxdp\-filter\fP: which interfaces
it is loaded on, the current list of rules, and some statistics for how many
packets have been processed in total, and how many times each rule has been hit.
.PP
The syntax for the \fIstatus\fP command is:
.PP
\fIxdp\-filter status [options]\fP
.PP
Where the supported options are:
.SS "-v, --verbose"
.PP
Enable debug logging. Specify twice for even more verbosity.
.SS "-h, --help"
.PP
Display a summary of the available options
.SH "The POLL command"
.PP
The \fIpoll\fP command periodically polls the \fIxdp\-filter\fP statistics map and prints
out the total number of packets and bytes processed by \fIxdp\-filter\fP, as well as
the number in the last polling interval, converted to packets (and bytes) per
second. This can be used to inspect the performance of \fIxdp\-filter\fP, and to
compare the performance of the different feature sets selectable by the \fIload\fP
parameter.
.PP
The syntax for the \fIpoll\fP command is:
.PP
\fIxdp\-filter poll [options]\fP
.PP
Where the supported options are:
.SS "-i, --interval <interval>"
.PP
The polling interval, in milliseconds. Defaults to 1000 (1 second).
.SS "-v, --verbose"
.PP
Enable debug logging. Specify twice for even more verbosity.
.SS "-h, --help"
.PP
Display a summary of the available options
.SH "Examples"
.PP
To drop all packets arriving on port 80 on eth0 (with the default \fIallow\fP
policy, packets matching a rule are dropped), issue the following commands:
.RS
.nf
\fC# xdp-filter load eth0 -f tcp,udp
# xdp-filter port 80
\fP
.fi
.RE
.PP
To drop all packets \fBexcept\fP those from IP address fc00:dead:cafe::1, issue the
following commands (careful, this can lock you out of remote access: with the
\fIdeny\fP policy, eth0 drops everything from the moment \fIxdp\-filter\fP is loaded
until the \fIip\fP rule is installed):
.RS
.nf
\fC# xdp-filter load eth0 -f ipv6 -p deny
# xdp-filter ip fc00:dead:cafe::1 -m src
\fP
.fi
.RE
.PP
To allow packets from \fBeither\fP IP fc00:dead:cafe::1 \fBor\fP arriving on port 22,
and drop everything else, issue the following (careful, this can lock you out of
remote access!):
.RS
.nf
\fC# xdp-filter load eth0 -f ipv6,tcp -p deny
# xdp-filter port 22
# xdp-filter ip fc00:dead:cafe::1 -m src
\fP
.fi
.RE
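.PP
The lock-out warning in the two \fIdeny\fP examples above is the practical hazard
of that policy: the interface drops everything from the \fIload\fP until the first
allow rule is installed, and if the rule set is wrong there is no way back in.
The script below is an added example, not part of xdp-tools, that applies an
SSH allow-list with a commit-confirm timer: the rollback timer is armed first,
the rules are applied, and unless the operator runs \fIconfirm\fP within
CONFIRM_SECS seconds the timer runs \fIxdp\-filter unload \-\-all\fP. It assumes
\fIxdp\-filter\fP is on PATH (override with the XDP_FILTER environment variable),
loads only the features the rules need, and the admin address used in the
usage note is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of xdp-tools: commit-confirm wrapper for loading
# xdp-filter in deny policy on a remote host. Assumes xdp-filter is on PATH
# (override with XDP_FILTER); CONFIRM_SECS is the window for running "confirm"
# before the rules are rolled back with "xdp-filter unload --all".
set -eu

XDP_FILTER="${XDP_FILTER:-xdp-filter}"
CONFIRM_SECS="${CONFIRM_SECS:-60}"
ROLLBACK_PID_FILE="${ROLLBACK_PID_FILE:-/run/xdp-filter-rollback.pid}"

# Smallest feature set the rules need: tcp for the management port, plus ipv4
# and/or ipv6 depending on which address families appear in the admin list.
features_for() {
    v4=0; v6=0
    for ip in "$@"; do
        case $ip in
            *:*) v6=1 ;;
            *)   v4=1 ;;
        esac
    done
    feats=tcp
    [ "$v4" -eq 1 ] && feats="$feats,ipv4"
    [ "$v6" -eq 1 ] && feats="$feats,ipv6"
    echo "$feats"
}

# Emit, one argument list per line, the xdp-filter invocations for an
# allow-list on IFACE: deny-policy load, TCP destination PORT, then each admin
# IP as a source match. Deny policy means IFACE drops everything between the
# load and the first rule, so the rules follow the load immediately.
allowlist_cmds() {
    [ "$#" -ge 3 ] || { echo "usage: allowlist_cmds IFACE PORT IP..." >&2; return 1; }
    iface=$1; port=$2; shift 2
    echo "load $iface -f $(features_for "$@") -p deny"
    echo "port $port -m dst -p tcp"
    for ip in "$@"; do
        echo "ip $ip -m src"
    done
}

# Arm the rollback timer, then apply the rules. The timer is armed before the
# interface is touched, so a failure half-way through (or a lost session)
# still ends with xdp-filter unloaded unless confirm_apply runs first.
apply_with_rollback() {
    cmds=$(allowlist_cmds "$@")
    ( sleep "$CONFIRM_SECS" && "$XDP_FILTER" unload --all ) &
    echo $! > "$ROLLBACK_PID_FILE"
    printf '%s\n' "$cmds" | while read -r args; do
        # word-splitting $args into separate arguments is intended
        "$XDP_FILTER" $args
    done
    echo "rules applied; run '$0 confirm' within ${CONFIRM_SECS}s or they are rolled back"
}

# Cancel the pending rollback: the timer subshell dies before reaching unload.
confirm_apply() {
    kill "$(cat "$ROLLBACK_PID_FILE")"
    rm -f "$ROLLBACK_PID_FILE"
}

case "${1:-}" in
    apply)   shift; apply_with_rollback "$@" ;;
    confirm) confirm_apply ;;
    *)       ;;   # no subcommand: only define the functions (e.g. when sourced)
esac
```

Run it as root from the existing session, e.g. \fI./xdp-allowlist.sh apply eth0 22
fc00:dead:cafe::1\fP, then open a \fBnew\fP SSH session and run
\fI./xdp-allowlist.sh confirm\fP from there; if the new session cannot connect, do
nothing and the timer unloads the filter. The timer only bounds how long a bad
rule set can lock you out; the brief window between the deny-policy load and the
first rule is inherent to the tool as documented above.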
.SH "BUGS"
.PP
Please report any bugs on Github: \fIhttps://github.com/xdp-project/xdp-tools/issues\fP
.SH "AUTHOR"
.PP
xdp-filter was written by Toke Høiland-Jørgensen and Jesper Dangaard Brouer.
This man page was written by Toke Høiland-Jørgensen.