
Week 15 - XDP and AF_XDP

15.1 Conceptual Core

  • XDP (eXpress Data Path) is an eBPF hookpoint in the NIC driver's receive path, run before the kernel allocates an sk_buff (in native mode). It is the earliest point at which the kernel can drop, redirect, or pass a packet, which is why it is used for DDoS scrubbers, layer-4 load balancers (Katran), and eBPF-based networking and service meshes (Cilium).
  • AF_XDP is a userspace fast path: a NIC queue is bound to an AF_XDP socket and frames are exchanged through shared-memory rings (a UMEM buffer area with Fill, Completion, RX and TX rings), with an XDP program steering packets into the socket via XDP_REDIRECT and an XSKMAP. Throughput approaches DPDK without taking the driver away from the kernel; zero-copy mode needs driver support, otherwise the kernel falls back to copy mode.
  • There are five return codes, not four: XDP_ABORTED (drop, plus the xdp:xdp_exception tracepoint; what you return on an internal error), XDP_DROP, XDP_PASS (continue into the kernel stack), XDP_TX (bounce the packet back out the same NIC, typically after rewriting headers), XDP_REDIRECT (to another NIC via a DEVMAP, to an AF_XDP socket via an XSKMAP, or to another CPU via a CPUMAP).

15.2 Mechanical Detail

  • Drivers vary in XDP support level: native (the driver runs the program on its own RX buffers; best), generic (a software fallback in the core stack that runs after the sk_buff has already been allocated, so most of the performance benefit is lost), offloaded (the program runs on the NIC itself; some smartNICs, e.g. Netronome).
  • Verify with ip link show <iface>: the output shows xdp (native), xdpgeneric or xdpoffload next to the program id. bpftool net list shows the same.
  • Attach: bpftool prog load my_xdp.o /sys/fs/bpf/my_xdp; bpftool net attach xdp pinned /sys/fs/bpf/my_xdp dev eth0. The iproute2 equivalent is ip link set dev eth0 xdp obj my_xdp.o sec xdp; detach with ip link set dev eth0 xdp off. Plain xdp lets the kernel fall back to generic mode silently, so request xdpdrv when you need native mode and check the mode afterwards.
  • XDP programs are constrained by the verifier: every packet access must be bounds-checked against data_end before the load, loops must be provably bounded, the stack is limited to 512 bytes, there is no dynamic memory allocation, and the only kernel code a program can call is the helper set allowed for the XDP program type (plus kfuncs on recent kernels). A program that violates any of this is rejected at load time, not at runtime.

15.3 Lab: "An XDP DDoS Scrubber"

Write an XDP program that:

  • Drops UDP packets with source port < 1024 (a coarse heuristic for reflection/amplification traffic, which arrives from well-known ports such as 53 and 123). Note that it also drops legitimate replies to this host's own DNS and NTP queries, so a real scrubber exempts expected flows.
  • Counts dropped packets per source IP in an LRU-hash map (1M entries). LRU matters: a spoofed-source flood fills any fixed-size map, and with a plain hash map inserts then start failing, while an LRU map evicts the oldest sources instead.
  • Has a userspace tool that reads the map every second and emits Prometheus metrics.
  • Is tested with pktgen or trafgen. Measure throughput and CPU overhead with and without the program attached.
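As an added example for this lab (not code from the original page), here is a C implementation of the first two bullets: the classifier and the per-source LRU map. It is written so that the same classify() function compiles both as the XDP program (clang -target bpf) and on the host, where the build_frame() helper constructs Ethernet/IPv4/UDP frames (made up, not captured) to exercise it. The names xdp_scrub, drop_by_src, classify and build_frame are this example's own.

```c
/* xdp_scrub.c: UDP source-port heuristic for the scrubber lab (added example).
 * Kernel: clang -O2 -g -target bpf -c xdp_scrub.c -o xdp_scrub.o
 * Host:   cc -c xdp_scrub.c, then call classify() on frames from build_frame(). */
#include <stdint.h>
#include <stddef.h>
#ifdef __BPF__
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#else
#include <string.h>
#endif
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
#define be16(x) __builtin_bswap16(x)                /* network <-> host byte order */
#define be32(x) __builtin_bswap32(x)
#else
#define be16(x) (x)
#define be32(x) (x)
#endif

/* Minimal header layouts, equivalent to the kernel's ethhdr/iphdr/udphdr. */
struct eth_hdr  { uint8_t dst[6], src[6]; uint16_t proto; } __attribute__((packed));
struct ipv4_hdr { uint8_t vihl, tos; uint16_t tot_len, id, frag_off; uint8_t ttl, proto;
                  uint16_t csum; uint32_t saddr, daddr; } __attribute__((packed));
struct udp_hdr  { uint16_t sport, dport, len, csum; } __attribute__((packed));
enum { SCRUB_PASS = 0, SCRUB_DROP = 1 };

/* Shared by the XDP entry point and the host build. Every header pointer is
 * compared with data_end before it is dereferenced (the verifier rejects the
 * program otherwise); on a drop the IPv4 source (network order) is returned in *saddr_out. */
static inline __attribute__((always_inline))
int classify(const void *data, const void *data_end, uint32_t *saddr_out)
{
    const struct eth_hdr *eth = data;
    if ((const void *)(eth + 1) > data_end || be16(eth->proto) != 0x0800)
        return SCRUB_PASS;                              /* truncated, or not IPv4 */
    const struct ipv4_hdr *ip = (const void *)(eth + 1);
    if ((const void *)(ip + 1) > data_end || (ip->vihl >> 4) != 4 || ip->proto != 17)
        return SCRUB_PASS;                              /* not UDP: leave it to the stack */
    if (be16(ip->frag_off) & 0x1fff)
        return SCRUB_PASS;                              /* later fragment: no UDP header here */
    uint32_t ihl = (ip->vihl & 0x0f) * 4u;              /* IP options make the header > 20 bytes */
    if (ihl < sizeof(*ip))
        return SCRUB_PASS;                              /* malformed IHL; the stack discards it */
    const struct udp_hdr *udp = (const void *)((const uint8_t *)ip + ihl);
    if ((const void *)(udp + 1) > data_end || be16(udp->sport) >= 1024)
        return SCRUB_PASS;
    *saddr_out = ip->saddr;
    return SCRUB_DROP;
}

#ifdef __BPF__
struct {
    __uint(type, BPF_MAP_TYPE_LRU_HASH);
    __uint(max_entries, 1 << 20);                       /* 1M sources, as the lab asks */
    __type(key, uint32_t);                              /* IPv4 source address, network order */
    __type(value, uint64_t);                            /* packets dropped from that source */
} drop_by_src SEC(".maps");

SEC("xdp")
int xdp_scrub(struct xdp_md *ctx)
{
    uint32_t saddr = 0;
    if (classify((void *)(long)ctx->data, (void *)(long)ctx->data_end, &saddr) != SCRUB_DROP)
        return XDP_PASS;
    uint64_t *cnt = bpf_map_lookup_elem(&drop_by_src, &saddr);
    if (cnt) {
        __sync_fetch_and_add(cnt, 1);                   /* atomic: other RX queues share the key */
    } else {
        uint64_t one = 1;
        bpf_map_update_elem(&drop_by_src, &saddr, &one, BPF_ANY);
    }
    return XDP_DROP;
}
char _license[] SEC("license") = "GPL";
#else
/* Host only: a constructed Ethernet/IPv4/UDP frame (not a capture) so classify()
 * runs offline. Checksums stay zero; the classifier never reads them. Returns
 * the frame length, or 0 if ihl_words < 5 or the buffer is too small. */
static size_t build_frame(uint8_t *buf, size_t cap, uint32_t saddr_be, uint16_t sport,
                          uint8_t ihl_words, uint8_t proto, uint16_t frag_off)
{
    size_t ihl = ihl_words * 4u;
    size_t len = sizeof(struct eth_hdr) + ihl + sizeof(struct udp_hdr) + 8;   /* 8-byte payload */
    if (ihl_words < 5 || len > cap)
        return 0;
    memset(buf, 0, len);
    struct eth_hdr *eth = (struct eth_hdr *)buf;
    eth->proto = be16(0x0800);
    struct ipv4_hdr *ip = (struct ipv4_hdr *)(eth + 1);
    ip->vihl = (uint8_t)(0x40 | ihl_words);
    ip->tot_len = be16((uint16_t)(len - sizeof(struct eth_hdr)));
    ip->frag_off = be16(frag_off);
    ip->proto = proto;
    ip->saddr = saddr_be;
    ip->daddr = be32(0x0a000001u);                     /* 10.0.0.1, constructed */
    struct udp_hdr *udp = (struct udp_hdr *)((uint8_t *)ip + ihl);
    udp->sport = be16(sport);
    udp->len = be16((uint16_t)(sizeof(struct udp_hdr) + 8));
    return len;
}
#endif
```

Attach the object with bpftool as in 15.2 and read the counters with bpftool map dump id <id> (find the id with bpftool map list); the lab's Prometheus exporter is a loop doing the same lookup through libbpf. Two details matter more than they look: the IP header length comes from the IHL field, not a constant 20, or packets carrying IP options are parsed at the wrong offset; and each pointer comparison against data_end is what the verifier uses to prove the load is safe, so deleting one produces a load-time rejection rather than a runtime crash.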

15.4 Hardening Drill

  • Loading a BPF program needs CAP_BPF (or CAP_SYS_ADMIN on kernels before 5.8); attaching it to a netdev needs CAP_NET_ADMIN, and unprivileged BPF is typically disabled via kernel.unprivileged_bpf_disabled. Document the operational privilege required, run the loader as a dedicated user holding only those capabilities, and pin the program and maps to a bpffs directory with restrictive permissions so that only the metrics exporter can read them. Remember that a wrong XDP_DROP blackholes the host's own management traffic, so keep an out-of-band path while testing.

15.5 Performance Tuning Slice

  • Measure pps capacity with vs without XDP on the same NIC; returning XDP_DROP for every packet is the usual ceiling test. Modern 25/40 Gbps NICs drop tens of Mpps with native XDP, spread across RX queues, while generic mode is several times slower because the sk_buff allocation is not avoided. Read per-queue counters with ethtool -S, check the CPU split with perf or mpstat, and keep the traffic generator on cores other than those handling the NIC's IRQs.
