A linux XDP based firewall/loadbalancer with a gui and api
Feature | Current Support | Future Support |
---|---|---|
Address Types | IPv4, IPv6 | MAC |
Address Filtering | Source | Destination |
Protocols | TCP, UDP | ICMP, ARP |
Ports | Single, Range | |
Actions | Allow, Block | Redirect |
Protection | DDOS detection/mitigation | |
Performance | Quality of Service, Rate Limiting |
Feature | Current Support | Future Support |
---|---|---|
Debugging | Packet Path Simulation, Packet Flow Visualization |
|
Authentication | PAM, Basic |
- A web application firewall
Minimum Supported Kernel Version: SpeeXDP requires at least linux kernel version 6.0.8
to run. Run the following to check which version you have.
$ uname --kernel-name --kernel-release
Linux 6.0.8
Optional high performance network driver support. See if your network driver is supported (here)[https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md#xdp].
Download the git repository and build SpeedXDP.
$ git clone --depth=1 https://github.com/FallingSnow/speexdp.git
$ cd speexdp
$ cargo build
# cargo xtask run
You can visit the web UI at http://localhost:6565
.
Explorer API endpoints using the built in documentation viewer at http://localhost:6565/api
.
- bpftool
6.0
- libclang
14.0.6
Arch Linux
# pacman -S bpf
- Install a rust stable toolchain:
rustup install stable
- Install a rust nightly toolchain:
rustup install nightly
- Install bpf-linker:
cargo install bpf-linker
Ensure you have the at least the MSRV
. It should be at least 1.62.0
.
$ rustc --version
rustc 1.62.0
# $ cargo install bpf-linker
$ cargo xtask codegen # Build bpf bindings
$ cargo xtask build-ebpf # Build eBPF
$ cargo build # Build Userspace
$ cargo xtask run # Run
To perform a release build you can use the --release
flag.
You may also change the target architecture with the --target
flag
Running with debug output.
$ RUST_LOG=debug cargo xtask run
- Seeing what you can get out of bpftool's header generation.
bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h
-
Documentation on different bpf map types: https://docs.kernel.org/next/bpf/maps.html
-
XDP command list:
XDP command | Action/Reason |
---|---|
XDP_PASS | Allow |
XDP_DROP | Deny |
XDP_ABORTED | Error |
XDP_REDIRECT | Another Interface |
XDP_TX | Another Host |
TX sends the packet out, REDIRECT redirects to the receive queue of another interface
If you want to redirect to another port on the same NIC, you mutate the packet and return pass
Socketmaps are for redirecting to existing sockets
https://discord.com/channels/855676609003651072/855676609003651075/1049099838781935758
$ cargo test