xdp-filter(8)          A simple XDP-powered packet filter         xdp-filter(8)

NAME
xdp-filter - a simple XDP-powered packet filter

SYNOPSIS
XDP-filter is a packet filtering utility powered by XDP. It is deliberately
simple and so does not have the same matching capabilities as, e.g.,
netfilter. Instead, thanks to XDP, it can achieve very high drop rates: tens
of millions of packets per second on a single CPU core.


Running xdp-filter
The syntax for running xdp-filter is:

xdp-filter COMMAND [options]

Where COMMAND can be one of:
load - load xdp-filter on an interface
unload - unload xdp-filter from an interface
port - add a port to the filter list
ip - add an IP address to the filter list
ether - add an Ethernet MAC address to the filter list
status - show current xdp-filter status
poll - poll statistics output
help - show the list of available commands


Each command and its options are explained below. Alternatively, use
xdp-filter COMMAND --help to see the options for a given command.


The LOAD command
To use xdp-filter, it must first be loaded onto an interface. This is
accomplished with the load command, which takes the name of the interface as
a parameter, and optionally allows specifying the features that should be
included. By default all features are loaded, but de-selecting some features
can speed up packet matching and increase performance by a substantial
amount.


The syntax for the load command is:


xdp-filter load [options] <ifname>


Where <ifname> is the name of the interface to load xdp-filter onto, and
must be specified. The supported options are:


-m, --mode <mode>
Specifies the mode in which the XDP program is loaded. The valid values are
'native', which is the default in-driver XDP mode, 'skb', which causes the
so-called skb mode (also known as generic XDP) to be used, or 'hw', which
causes the program to be offloaded to the hardware.


-p, --policy <policy>
This sets the policy xdp-filter applies to packets not matched by any of the
filter rules. The default is allow, in which packets not matching any rules
are allowed to pass. The other option is deny, in which all packets are
dropped except those matched by the filter options.


xdp-filter cannot be loaded simultaneously in deny and allow policy modes on
the system. Note that loading xdp-filter in deny mode will drop all traffic
on the interface until suitable allow rules are installed, so some care is
needed to avoid being locked out of a remote system.


-f, --features <feats>
Use this option to select which features to include when loading
xdp-filter. The default is to load all available features. To select
individual features, specify one or more of these:


• tcp: Support filtering on TCP port number

• udp: Support filtering on UDP port number

• ipv6: Support filtering on IPv6 addresses

• ipv4: Support filtering on IPv4 addresses

• ethernet: Support filtering on Ethernet MAC addresses


Specify multiple features by separating them with a comma. E.g.:
tcp,udp,ipv6.

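As an added example (not part of xdp-tools), the following POSIX shell function derives the narrowest -f list from the rules an operator intends to install, so the loaded program carries only the matchers those rules need. The rule-line format it reads, and the assumption that a port rule without -p means both tcp and udp, are this example's own.

```shell
#!/bin/sh
# Added example (not part of xdp-tools): compute the minimal `-f` feature list
# for `xdp-filter load` from the rules that will be installed afterwards.
#
# Rule lines are constructed for this example in the shape the xdp-filter
# sub-commands take, one per line on stdin:
#   port <num> [-p tcp|udp|tcp,udp]    ip <addr>    ether <mac>
# Blank lines and lines starting with '#' are ignored.

# Print the comma-separated feature list needed by the rules read from stdin.
features_for_rules() {
    need_tcp=0 need_udp=0 need_v4=0 need_v6=0 need_eth=0
    while read -r kind arg rest; do
        case "$kind" in
            port)
                # Assumption: a port rule without -p matches both protocols.
                proto=$(printf '%s' "$rest" | sed -n 's/.*-p *\([a-z,]*\).*/\1/p')
                [ -z "$proto" ] && proto="tcp,udp"
                case "$proto" in *tcp*) need_tcp=1 ;; esac
                case "$proto" in *udp*) need_udp=1 ;; esac ;;
            ip)
                # A colon can only appear in an IPv6 literal.
                case "$arg" in *:*) need_v6=1 ;; *) need_v4=1 ;; esac ;;
            ether) need_eth=1 ;;
            ''|'#'*) ;;
            *) echo "unknown rule kind: $kind" >&2; return 1 ;;
        esac
    done
    feats=""
    [ "$need_tcp" -eq 1 ] && feats="${feats}tcp,"
    [ "$need_udp" -eq 1 ] && feats="${feats}udp,"
    [ "$need_v4"  -eq 1 ] && feats="${feats}ipv4,"
    [ "$need_v6"  -eq 1 ] && feats="${feats}ipv6,"
    [ "$need_eth" -eq 1 ] && feats="${feats}ethernet,"
    printf '%s\n' "${feats%,}"
}
```

The output is the value to pass as `-f` to `xdp-filter load`; a ruleset of `port 22 -p tcp` and an IPv6 source address yields `tcp,ipv6`.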

-v, --verbose
Enable debug logging. Specify twice for even more verbosity.


-h, --help
Display a summary of the available options


The UNLOAD command
The unload command unloads xdp-filter from one (or all) interfaces, and
cleans up the program state.


The syntax for the unload command is:


xdp-filter unload [options] <ifname>


Where <ifname> is the name of the interface to unload xdp-filter from, and
must be specified unless the --all option is used. The supported options
are:


-a, --all
Specify this option to remove xdp-filter from all interfaces it was loaded
onto. If this option is specified, no <ifname> is needed.


This option can also be used to clean up all xdp-filter state if the XDP
program(s) were unloaded by other means.


-k, --keep-maps
Specify this option to prevent xdp-filter from clearing its map state. By
default, all BPF maps no longer needed by any loaded program are removed.
However, this will also remove the contents of the maps (the filtering
rules), so this option can be used to keep the maps around so the rules
persist until xdp-filter is loaded again.


-v, --verbose
Enable debug logging. Specify twice for even more verbosity.


-h, --help
Display a summary of the available options


The PORT command
Use the port command to add a TCP or UDP port to the xdp-filter match list.
For this to work, xdp-filter must be loaded with either the udp or the tcp
feature (or both) on at least one interface.


The syntax for the port command is:


xdp-filter port [options] <port>


Where <port> is the port number to add (or remove, if --remove is
specified). The supported options are:


-r, --remove
Remove the port instead of adding it.


-m, --mode <mode>
Select filtering mode. Valid options are src and dst, both of which may be
specified as src,dst. If src is specified, the port number will be added as
a source port match, while if dst is specified, the port number will be
added as a destination port match. If both are specified, a packet will be
matched if either its source or destination port is the specified port
number.


-p, --proto <proto>
Specify one (or both) of udp and/or tcp to match UDP or TCP ports,
respectively.


-s, --status
If this option is specified, the current list of matched ports will be
printed after inserting the port number. Otherwise, nothing will be
printed.


-v, --verbose
Enable debug logging. Specify twice for even more verbosity.


-h, --help
Display a summary of the available options



The IP command
Use the ip command to add an IPv6 or an IPv4 address to the xdp-filter match
list.


The syntax for the ip command is:


xdp-filter ip [options] <ip>


Where <ip> is the IP address to add (or remove, if --remove is specified).
Either IPv4 or IPv6 addresses can be specified, but xdp-filter must be
loaded with the corresponding features (ipv4 and ipv6, respectively). The
supported options are:


-r, --remove
Remove the IP address instead of adding it.


-m, --mode <mode>
Select filtering mode. Valid options are src and dst, both of which may be
specified as src,dst. If src is specified, the IP address will be added as a
source IP match, while if dst is specified, the IP address will be added as
a destination IP match. If both are specified, a packet will be matched if
either its source or destination IP is the specified IP address.


-s, --status
If this option is specified, the current list of matched IPs will be printed
after inserting the IP address. Otherwise, nothing will be printed.


-v, --verbose
Enable debug logging. Specify twice for even more verbosity.


-h, --help
Display a summary of the available options


The ETHER command
Use the ether command to add an Ethernet MAC address to the xdp-filter match
list. For this to work, xdp-filter must be loaded with the ethernet feature
on at least one interface.


The syntax for the ether command is:


xdp-filter ether [options] <addr>


Where <addr> is the MAC address to add (or remove, if --remove is
specified). The supported options are:


-r, --remove
Remove the MAC address instead of adding it.


-m, --mode <mode>
Select filtering mode. Valid options are src and dst, both of which may be
specified as src,dst. If src is specified, the MAC address will be added as
a source MAC match, while if dst is specified, the MAC address will be added
as a destination MAC match. If both are specified, a packet will be matched
if either its source or destination MAC is the specified MAC address.


-s, --status
If this option is specified, the current list of matched MAC addresses will
be printed after inserting the MAC address. Otherwise, nothing will be
printed.


-v, --verbose
Enable debug logging. Specify twice for even more verbosity.


-h, --help
Display a summary of the available options


The STATUS command
The status command prints the current status of xdp-filter: which
interfaces it is loaded on, the current list of rules, and some statistics
for how many packets have been processed in total, and how many times each
rule has been hit.


The syntax for the status command is:


xdp-filter status [options]


Where the supported options are:


-v, --verbose
Enable debug logging. Specify twice for even more verbosity.


-h, --help
Display a summary of the available options


The POLL command
The poll command periodically polls the xdp-filter statistics map and prints
out the total number of packets and bytes processed by xdp-filter, as well
as the number in the last polling interval, converted to packets (and bytes)
per second. This can be used to inspect the performance of xdp-filter, and
to compare the performance of the different feature sets selectable by the
load parameter.


The syntax for the poll command is:


xdp-filter poll [options]


Where the supported options are:


-i, --interval <interval>
The polling interval, in milliseconds. Defaults to 1000 (1 second).


-v, --verbose
Enable debug logging. Specify twice for even more verbosity.


-h, --help
Display a summary of the available options


Examples
To filter all packets arriving on port 80 on eth0, issue the following
commands:

# xdp-filter load eth0 -f tcp,udp
# xdp-filter port 80


To filter all packets except those from IP address fc00:dead:cafe::1, issue
the following commands (careful, this can lock you out of remote access!):

# xdp-filter load eth0 -f ipv6 -p deny
# xdp-filter ip fc00:dead:cafe::1 -m src


To allow packets from either IP fc00:dead:cafe::1 or arriving on port 22,
issue the following (careful, this can lock you out of remote access!):

# xdp-filter load eth0 -f ipv6,tcp -p deny
# xdp-filter port 22
# xdp-filter ip fc00:dead:cafe::1 -m src

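The lock-out warning attached to the deny-policy examples can be turned into a procedure. The added example below (not from xdp-tools) plans a deny-policy load that admits SSH and one management source address and, when actually run, first arms a timer that unloads the filter again unless the operator cancels it from a still-working session. The interface, address and grace period are constructed values; XDP_FILTER names the binary and defaults to xdp-filter.

```shell
#!/bin/sh
# Added example (not part of xdp-tools): load xdp-filter with -p deny on a
# remote host without locking yourself out. Allow rules for inbound TCP/22
# and for the management source address are installed, and a background
# timer unloads the filter unless the operator kills it in time.
# Interface, address and grace period are constructed sample values.

XDP_FILTER=${XDP_FILTER:-xdp-filter}

# Emit the ordered command plan, one command per line, for a deny-policy
# load that still admits inbound SSH and packets from mgmt_ip.
deny_plan() {
    ifname=$1 mgmt_ip=$2
    # A colon can only appear in an IPv6 literal; pick the matching feature.
    case "$mgmt_ip" in *:*) ipfeat=ipv6 ;; *) ipfeat=ipv4 ;; esac
    # Features are narrowed to what the two allow rules need: tcp + one family.
    printf '%s load %s -f %s,tcp -p deny\n' "$XDP_FILTER" "$ifname" "$ipfeat"
    # Destination-port match only: admit packets *to* the local SSH server.
    printf '%s port 22 -p tcp -m dst\n' "$XDP_FILTER"
    printf '%s ip %s -m src\n' "$XDP_FILTER" "$mgmt_ip"
}

# Print the plan (default), or with RUN=1 arm a rollback timer and run it.
apply_with_rollback() {
    ifname=$1 mgmt_ip=$2 grace=${3:-60}
    if [ "${RUN:-0}" != 1 ]; then
        deny_plan "$ifname" "$mgmt_ip"
        return 0
    fi
    # Arm the rollback *before* the deny-policy load, ignoring SIGHUP, so a
    # lost session still leads to an unload after $grace seconds.
    ( trap '' HUP; sleep "$grace"; "$XDP_FILTER" unload "$ifname" ) &
    rollback_pid=$!
    # Run the plan in order; stop at the first failing command.
    deny_plan "$ifname" "$mgmt_ip" | while read -r cmd; do
        $cmd || exit 1
    done || return 1
    echo "Loaded. Run 'kill $rollback_pid' within ${grace}s to keep the filter." >&2
}
```

Without RUN=1 the functions only print the commands they would run, which is the form worth reviewing before executing the plan on a remote host.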

BUGS
Please report any bugs on Github:
https://github.com/xdp-project/xdp-tools/issues


AUTHOR
xdp-filter was written by Toke Høiland-Jørgensen and Jesper Dangaard Brouer.
This man page was written by Toke Høiland-Jørgensen.



V1.4.1                         OCTOBER 20, 2023                  xdp-filter(8)