  • Stars: 154
  • Rank 240,658 (Top 5 %)
  • Language: C
  • License: MIT License
  • Created almost 4 years ago
  • Updated almost 2 years ago

Repository Details

Layer 3/4 packet forwarding software that utilizes the Linux kernel's XDP hook. The XDP hook allows for very fast network processing on Linux systems. Uses source port mapping similar to IPTables and NFTables.

XDP Forwarding

Description

A program that attaches to the Linux kernel's XDP hook through (e)BPF for fast packet processing and performs basic layer 3/4 forwarding. It does source port mapping, similar to IPTables and NFTables, to keep track of connections: each forwarded connection is mapped to a source port from a configured range on the bind address. Existing connections are prioritized based on their packets per nanosecond, so on port exhaustion the connection with the fewest packets per nanosecond is the one that gets replaced. I believe this is best since connections with a higher packet rate will be more sensitive to being dropped.
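
The header rewrite that such a forward implies, as an added example that is not XDP-Forwarding's own code: a packet from a client to the bind address and port is rewritten so that it leaves from the bind address on a mapped source port towards the configured destination, and both the IPv4 and the TCP checksum are fixed up incrementally (RFC 1624) instead of being recomputed over the whole packet. It is plain userspace C so it can be compiled and checked on its own; inside an XDP program the same arithmetic is normally done with bpf_csum_diff(). The client 10.50.0.9:40000, the mapped source port 500 and the payload are constructed test values; the bind 10.50.0.3:80 and dest 10.50.0.4:8080 are taken from the example config further down this page.

```c
/* Added example, not XDP-Forwarding's code: IPv4/TCP rewrite for a layer 3/4
 * forward with RFC 1624 incremental checksum updates. Test values are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IPV4_HDR_LEN 20
#define TCP_HDR_LEN  20

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* Ones' complement running sum of big-endian 16-bit words; an odd trailing byte is zero-padded. */
static uint32_t csum_add(uint32_t sum, const uint8_t *buf, size_t len)
{
    for (; len > 1; buf += 2, len -= 2) sum += rd16(buf);
    if (len) sum += (uint32_t)buf[0] << 8;
    return sum;
}
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* TCP pseudo-header (addresses, zero, protocol, TCP length) followed by the segment. */
static uint32_t tcp_sum(const uint8_t *ip, const uint8_t *tcp, size_t tcp_len)
{
    uint8_t pseudo[12];
    memcpy(pseudo, ip + 12, 8);
    pseudo[8] = 0; pseudo[9] = ip[9];
    wr16(pseudo + 10, (uint16_t)tcp_len);
    return csum_add(csum_add(0, pseudo, sizeof pseudo), tcp, tcp_len);
}

/* Full computation, used only once when the constructed packet is built. */
static void ipv4_set_checksum(uint8_t *ip) { wr16(ip + 10, 0); wr16(ip + 10, (uint16_t)~csum_fold(csum_add(0, ip, IPV4_HDR_LEN))); }
static void tcp_set_checksum(const uint8_t *ip, uint8_t *tcp, size_t tcp_len) { wr16(tcp + 16, 0); wr16(tcp + 16, (uint16_t)~csum_fold(tcp_sum(ip, tcp, tcp_len))); }

/* Receiver-side validation: the sum over everything, checksum field included, folds to 0xffff. */
static int ipv4_valid(const uint8_t *ip) { return csum_fold(csum_add(0, ip, IPV4_HDR_LEN)) == 0xffff; }
static int tcp_valid(const uint8_t *ip, const uint8_t *tcp, size_t tcp_len) { return csum_fold(tcp_sum(ip, tcp, tcp_len)) == 0xffff; }

/* RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), applied one 16-bit word at a time. */
static uint16_t csum_replace16(uint16_t check, uint16_t from, uint16_t to)
{
    uint32_t sum = (uint32_t)(uint16_t)~check + (uint16_t)~from + to;
    return (uint16_t)~csum_fold(sum);
}
static uint16_t csum_replace32(uint16_t check, uint32_t from, uint32_t to)
{
    check = csum_replace16(check, (uint16_t)(from >> 16), (uint16_t)(to >> 16));
    return csum_replace16(check, (uint16_t)from, (uint16_t)to);
}

/* Inbound rewrite on a rule match: client -> bind:bindport becomes bind:<mapped source
 * port> -> dest:destport. The IPv4 checksum covers only the IP header; the TCP checksum
 * covers the pseudo-header addresses and the ports, so address changes go to both. */
void forward_rewrite_ipv4_tcp(uint8_t *ip, uint8_t *tcp, uint32_t new_saddr, uint16_t new_sport,
                              uint32_t new_daddr, uint16_t new_dport)
{
    uint32_t old_saddr = rd32(ip + 12), old_daddr = rd32(ip + 16);
    uint16_t old_sport = rd16(tcp), old_dport = rd16(tcp + 2);
    uint16_t ipc = rd16(ip + 10), tcpc = rd16(tcp + 16);

    ipc  = csum_replace32(ipc, old_saddr, new_saddr);
    ipc  = csum_replace32(ipc, old_daddr, new_daddr);
    tcpc = csum_replace32(tcpc, old_saddr, new_saddr);
    tcpc = csum_replace32(tcpc, old_daddr, new_daddr);
    tcpc = csum_replace16(tcpc, old_sport, new_sport);
    tcpc = csum_replace16(tcpc, old_dport, new_dport);

    wr32(ip + 12, new_saddr); wr32(ip + 16, new_daddr); wr16(ip + 10, ipc);
    wr16(tcp, new_sport);     wr16(tcp + 2, new_dport); wr16(tcp + 16, tcpc);
}

/* Constructed SYN from an assumed client 10.50.0.9:40000 to bind 10.50.0.3:80, forwarded to
 * dest 10.50.0.4:8080 from mapped source port 500. Returns 1 when the new 4-tuple is in
 * place and both checksums still verify after the incremental update. */
int demo_forward_rewrite(void)
{
    uint8_t pkt[IPV4_HDR_LEN + TCP_HDR_LEN + 5] = {0};
    uint8_t *ip = pkt, *tcp = pkt + IPV4_HDR_LEN;
    size_t tcp_len = sizeof pkt - IPV4_HDR_LEN;

    ip[0] = 0x45; wr16(ip + 2, (uint16_t)sizeof pkt); wr16(ip + 4, 0x1234);
    wr16(ip + 6, 0x4000); ip[8] = 64; ip[9] = 6;              /* DF, TTL 64, protocol TCP */
    wr32(ip + 12, 0x0a320009); wr32(ip + 16, 0x0a320003);     /* 10.50.0.9 -> 10.50.0.3 */
    wr16(tcp, 40000); wr16(tcp + 2, 80); wr32(tcp + 4, 0x1000);
    tcp[12] = 0x50; tcp[13] = 0x02; wr16(tcp + 14, 65535);    /* data offset 5, SYN, window */
    memcpy(tcp + TCP_HDR_LEN, "hello", 5);
    ipv4_set_checksum(ip);
    tcp_set_checksum(ip, tcp, tcp_len);

    forward_rewrite_ipv4_tcp(ip, tcp, 0x0a320003, 500, 0x0a320004, 8080);

    return ipv4_valid(ip) && tcp_valid(ip, tcp, tcp_len)
        && rd32(ip + 12) == 0x0a320003 && rd16(tcp) == 500
        && rd32(ip + 16) == 0x0a320004 && rd16(tcp + 2) == 8080;
}
```

The demo validates the result the way a receiving host does, by summing each header with its checksum field included and expecting 0xffff, rather than comparing two checksum values byte for byte; that sidesteps the 0x0000/0xffff ambiguity of ones' complement zero, which is the one place where an incremental update and a full recomputation can legitimately differ.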

Additionally, if the host's network configuration or network interface card (NIC) doesn't support the XDP DRV hook (also called native mode; it runs in the driver before an SKB is allocated), the program will attempt to attach to the XDP SKB hook instead (also called generic mode; it runs after the SKB has been allocated, still ahead of the netfilter hooks where IPTables and NFTables rules are processed, but without most of the performance advantage of native mode). You may use command-line overrides to force SKB or offload mode.

With that said, a host's network configuration may not support XDP's DRV hook for the following reasons.

  • Running an outdated kernel whose version of your NIC's driver doesn't have XDP support yet.
  • Your NIC's driver not being supported at all. Here's a NIC driver XDP support list. With enough Linux kernel development knowledge, you could try implementing XDP DRV support in your unsupported NIC's driver (I'd highly recommend giving this video a watch!).
  • You don't have enough RX/TX queues (e.g. multi-queue not enabled) or your RX and TX queue counts don't match. Several drivers need a TX queue per CPU for XDP_TX to work, and from the information I gathered it's recommended to have one RX and one TX queue per CPU core/thread. You could try learning how to use ethtool and alter the NIC's RX/TX queue (channel) settings (this article may be helpful!).

I hope this project helps network engineers/programmers interested in utilizing XDP, or anybody interested in getting into those fields! High-performance routing/packet forwarding and (D)DoS mitigation/prevention are important parts of cyber security, and understanding networking and packet flow at a low-to-medium level will certainly help those pursuing a career in the field 🙂

WARNING - There are still many things that need to be done in this project, and as of right now it only supports IPv4. IPv6 support will be added before the official release. As of right now, the program may include bugs, and some forwarding features aren't yet available.

Limitations

The default maximum number of source ports that can be used per bind address is 21 and is set here (you may adjust this if you'd like). We use the port range 500 - 520 (21 ports) by default, but this can be configured.

At first, I was trying to use most available ports (1 - 65534). However, due to BPF verifier limitations, I had to raise a couple of constants inside the Linux kernel and recompile the kernel. I made patches for these and have everything documented here. I am able to run the program with 65534 max ports per bind address without any issues on the custom kernel I built with those patches. Keep in mind, though, that the more source ports are available, the more work the XDP program has to do when it checks for an available port, because that check is a scan over the whole range for every new connection.

If you plan to use this in production, I'd highly suggest compiling your own kernel with the constants raised as described above. 21 maximum source ports per bind address is not much, but the default BPF verifier restrictions don't allow us to go any further currently. Exactly how many ports the verifier accepts depends on the kernel version and on how the loop gets compiled (the complexity budget is one million instructions from Linux 5.2, and bounded loops no longer have to be unrolled from 5.3), so test the range you need on your own kernel before resorting to patching it.

The main code that causes these limitations is located here; it runs when we're trying to find the best source port to use for a new connection. To my understanding there is no other way to find the best available source port with the flexibility we have: BPF maps are looked up by key, so there is no way to ask a map for the entry with the lowest packets-per-nanosecond value, and we must loop over every source port and compare them ourselves. The loop's trip count is therefore the number of ports in the range, and that is the bound the verifier has to be able to follow.
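
The selection policy described in the Description section and again here, modelled as an added example in plain userspace C (this is not the project's BPF code): the table is an array with one slot per mapped source port, the first free slot wins, and otherwise the in-use slot with the lowest packets per nanosecond is chosen for eviction. The rate comparison cross-multiplies instead of dividing, since BPF has neither floating point nor cheap division, and a mapping created in the current nanosecond is never picked as the victim. The 500 - 520 range is the page's default; the slot layout, the nanosecond timestamps and the scenario in the demo functions are assumptions made for the example.

```c
/* Added example, not XDP-Forwarding's code: the source-port selection policy
 * modelled in userspace C. In the real program the table is a BPF map and this
 * loop runs inside the XDP program. Slot layout and timestamps are assumptions. */
#include <stdint.h>
#include <string.h>

#define PORT_MIN   500
#define PORT_MAX   520
#define PORT_COUNT (PORT_MAX - PORT_MIN + 1)   /* 21, the page's default */

struct port_slot {
    uint8_t  in_use;
    uint64_t first_seen_ns;   /* when this mapping was installed */
    uint64_t last_seen_ns;
    uint64_t packets;
};

struct port_table {
    struct port_slot slots[PORT_COUNT];       /* slots[i] is port PORT_MIN + i */
};

/* a.packets / a.age < b.packets / b.age, evaluated by cross-multiplication so
 * there is no division and no floating point (BPF has neither; 128-bit here
 * only guards the userspace model against overflow). A mapping created in the
 * current nanosecond has no defined rate; treat it as maximal so that a
 * brand-new connection is never the eviction victim. */
static int lower_rate(const struct port_slot *a, const struct port_slot *b, uint64_t now)
{
    uint64_t age_a = now - a->first_seen_ns, age_b = now - b->first_seen_ns;
    if (age_a == 0) return 0;
    if (age_b == 0) return 1;
    return (unsigned __int128)a->packets * age_b < (unsigned __int128)b->packets * age_a;
}

/* Source port for a new connection: the first free slot, otherwise the in-use
 * slot with the lowest packets per nanosecond (which the caller then replaces).
 * Exactly PORT_COUNT iterations at most; this bound is what the verifier sees. */
uint16_t pick_source_port(const struct port_table *t, uint64_t now)
{
    int victim = 0;
    for (int i = 0; i < PORT_COUNT; i++) {
        const struct port_slot *s = &t->slots[i];
        if (!s->in_use)
            return (uint16_t)(PORT_MIN + i);
        if (lower_rate(s, &t->slots[victim], now))
            victim = i;
    }
    return (uint16_t)(PORT_MIN + victim);
}

/* Install a new mapping on the chosen port, evicting whatever was there. */
void assign_port(struct port_table *t, uint16_t port, uint64_t now)
{
    struct port_slot *s = &t->slots[port - PORT_MIN];
    s->in_use = 1; s->first_seen_ns = s->last_seen_ns = now; s->packets = 1;
}

/* Per-packet bookkeeping on an existing mapping. */
void record_packet(struct port_table *t, uint16_t port, uint64_t now)
{
    struct port_slot *s = &t->slots[port - PORT_MIN];
    s->packets++; s->last_seen_ns = now;
}

/* Constructed scenario (assumed, for the demo): every port busy since t=0 with
 * 1000 packets, except 507 which has seen only 10, and 510 which was installed
 * this very nanosecond. With the table full, 507 is the victim. */
static const uint64_t NOW_NS = 1000000000ULL;

static void seed_table(struct port_table *t)
{
    memset(t, 0, sizeof *t);
    for (int i = 0; i < PORT_COUNT; i++) {
        t->slots[i].in_use = 1;
        t->slots[i].last_seen_ns = NOW_NS;
        t->slots[i].packets = 1000;
    }
    t->slots[507 - PORT_MIN].packets = 10;
    assign_port(t, 510, NOW_NS);
}

uint16_t demo_full_table(void)          /* -> 507, the lowest-rate mapping */
{
    struct port_table t; seed_table(&t);
    return pick_source_port(&t, NOW_NS);
}

uint16_t demo_free_slot(void)           /* -> 503, a free port beats any eviction */
{
    struct port_table t; seed_table(&t);
    t.slots[503 - PORT_MIN].in_use = 0;
    return pick_source_port(&t, NOW_NS);
}
```

Because the table is walked from the first to the last port on every new connection, widening the range raises both the per-connection cost in the fast path and the amount of code the verifier has to follow, which is the trade-off the paragraphs above describe.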

Requirements

Packages

You will need make, clang, libelf, and llvm, since we use these packages to build the project. Additionally, you will need libconfig (libconfig-dev is the package on Ubuntu/Debian systems) for parsing the config file.

For Ubuntu/Debian, the following should work.

apt install build-essential make clang libelf-dev llvm libconfig-dev

I'd assume package names are similar on other Linux distros.

Mounting The BPF File System

In order to use xdpfwd-add and xdpfwd-del, the BPF file system must be mounted, since the XDP program pins its BPF maps under /sys/fs/bpf/xdpfwd. There's a high chance this is already done for you by systemd or iproute2, but if it isn't, you may use the following command. Keep in mind that those pinned maps are the live forwarding table: whoever can open them for writing can change the rules at runtime, so keep the mount point and /sys/fs/bpf/xdpfwd restricted to root.

mount -t bpf bpf /sys/fs/bpf/

Command Line Usage

Basic

Basic command line usage includes the following.

-o --offload => Attempt to load the XDP program in HW/offload mode. If that fails, DRV and then SKB mode are tried, in that order.
-s --skb => Force program to load in SKB/generic mode.
-t --time => The amount of time in seconds to run the program for. Unset or 0 = infinite.
-c --config => Location of the XDP Forwarding config (default is /etc/xdpfwd/xdpfwd.conf).
-l --list => List all forwarding rules.
-h --help => Print out command line usage.

Offload Information

Offloading your XDP/BPF program to the NIC allows for the fastest packet processing you can achieve, since the NIC itself processes/forwards the packets in hardware. However, few NIC manufacturers support this feature, and you're limited to the NIC's memory/processing (e.g. your BPF map sizes will be extremely limited). Additionally, there are usually stricter BPF verifier limitations for offloaded BPF programs, but you may try reaching out to the NIC's manufacturer to see if they will give you a special version of their NIC driver raising these limitations (this is what I did with one manufacturer I used).

As of this time, I am not aware of any NIC manufacturers that will be able to offload this tool completely to the NIC, due to its BPF complexity and loop requirements. To be honest, in the current networking age, I believe it's best to limit offloaded programs to BPF map lookups and minimal packet inspection, for example a simple BPF layer 2 route table map lookup followed by TX of the packets back out of the NIC. However, XDP is still very new and I would imagine we're going to see these limitations loosened or lifted in the coming years. This is why I added support for offload mode to this program.

XDP Add Program

The xdpfwd-add executable, which is installed to /usr/bin (and so is on your $PATH), accepts the following arguments.

-b --baddr => The address to bind/look for.
-B --bport => The port to bind/look for.
-d --daddr => The destination address.
-D --dport => The destination port.
-p --protocol => The protocol (either "tcp", "udp", "icmp", or unset for all).
-a --save => Save rule to config file.

This adds a forwarding rule while the XDP program is running.

XDP Delete Program

The xdpfwd-del executable, which is installed to /usr/bin (and so is on your $PATH), accepts the following arguments.

-b --baddr => The address to bind/look for.
-B --bport => The port to bind/look for.
-p --protocol => The protocol (either "tcp", "udp", "icmp", or unset for all).
-a --save => Remove rule from config file.

This deletes a forwarding rule while the XDP program is running.

Configuration

The default config file is located at /etc/xdpfwd/xdpfwd.conf and uses the libconfig syntax. Here's an example config using all of its current features.

interface = "ens18"; // The interface the XDP program attaches to.

// Forwarding rules array.
forwarding = (
    {
        bind = "10.50.0.3",     // The bind address which incoming packets must match.
        bindport = 80,          // The bind port which incoming packets must match.

        protocol = "tcp",       // The protocol (as of right now "udp", "tcp", and "icmp" are supported). Right now, you must specify a protocol. However, in the future I will be implementing functionality so you don't have to and it'll do full layer-3 forwarding.

        dest = "10.50.0.4",     // The address we're forwarding to.
        destport = 8080         // The port we're forwarding to (if not set, will use the bind port).
    },
    ...
);

Building & Installing

Assuming you've installed all the required packages, building this project should be straightforward. You may use the following shell/Bash commands!

# Clone the repository and its sub-modules such as libbpf.
git clone --recursive https://github.com/gamemann/XDP-Forwarding

# Change directory.
cd XDP-Forwarding

# Make project using all cores.
make -j $(nproc)

# Install binaries to PATH as root so you may use 'xdpfwd', 'xdpfwd-add', 'xdpfwd-del'.
sudo make install

Credits
