Refactor the eBPF C code and Go code of xdp_acl.

- Use CO-RE to enable XDP logging dynamically with `--debug`.
- Use a specified BTF file with `--kernel-btf`.
- Upgrade to a bitmap whose size is set dynamically by the number of rules.
- Upgrade the BPF map of rule actions to a percpu-array map, replacing the percpu-hash map.
- Update ACL rules without detaching/attaching the XDP program.
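The rule-matching idea behind the "bitmap sized by the number of rules" and "rule action array" items above, as an added userspace illustration in Go; this is not xdp_acl's own code, and `Rule`, `Bitmap`, `Matcher` and the two per-field maps are assumed names (the real program does this in eBPF C over BPF maps). Each field value maps to a bitmap of the rules that accept it, bitmaps are ANDed per packet, and the lowest set bit selects the winning rule whose action is read from an array indexed by rule number:

```go
package main

import "math/bits"

// Rule is a simplified ACL entry (assumed shape, not xdp_acl's own); a zero Proto or DstPort is a wildcard.
type Rule struct{ Proto, DstPort uint16; Drop bool }
// Bitmap is a set of rule indices sized from the rule count: ceil(n/64) words.
type Bitmap []uint64
// at reads word w, treating an absent (nil) bitmap as all zeros.
func (b Bitmap) at(w int) uint64 {
	if b == nil {
		return 0
	}
	return b[w]
}
// Matcher maps each field value to the bitmap of rules accepting it; wildcard rules live under key 0.
type Matcher struct {
	words       int
	proto, port map[uint16]Bitmap
	drop        []bool // per-rule action, the role of the rule-action array map
}
// index records rule i under key k, allocating the bitmap on first use.
func (m *Matcher) index(idx map[uint16]Bitmap, k uint16, i int) {
	if idx[k] == nil {
		idx[k] = make(Bitmap, m.words)
	}
	idx[k][i/64] |= 1 << (uint(i) % 64)
}
// Build sizes every bitmap from len(rules) and indexes each rule by its fields.
func Build(rules []Rule) *Matcher {
	m := &Matcher{words: (len(rules) + 63) / 64, proto: map[uint16]Bitmap{}, port: map[uint16]Bitmap{}}
	for i, r := range rules {
		m.drop = append(m.drop, r.Drop)
		m.index(m.proto, r.Proto, i)
		m.index(m.port, r.DstPort, i)
	}
	return m
}
// Lookup ANDs the per-field bitmaps (wildcards OR-ed in); the lowest set bit is the first matching rule.
func (m *Matcher) Lookup(proto, port uint16) (idx int, drop bool, ok bool) {
	for w := 0; w < m.words; w++ {
		hit := (m.proto[proto].at(w) | m.proto[0].at(w)) & (m.port[port].at(w) | m.port[0].at(w))
		if hit != 0 {
			idx = w*64 + bits.TrailingZeros64(hit)
			return idx, m.drop[idx], true
		}
	}
	return 0, false, false
}
```

Because every bitmap is allocated from the rule count at build time, a changed rule set is handled by building a fresh `Matcher` rather than resizing in place, which is the same reason the project swaps in a new program and maps instead of mutating live ones.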
The original reference is eBPF / XDP based firewall and packet filtering.
From that reference, this advice is essential when deploying an XDP ACL:

> We do not write or update these maps once the program is loaded to avoid any lock
> contentions. Instead, for any change in configuration, we create a new program with
> new maps and modify the XDP program in the program array.
Inspired by this paper.

[Figure: performance comparison test of dropping 64-byte SYN packets]
- Linux kernel required: v4.15 or later
- How to upgrade the kernel quickly?
- Build development environment based on VMs (Recommended)
- Build development environment based on Docker image
- Build development environment based on Host
Download directly from the release tab or compile it yourself.

```shell
# Compile
$ make
# Get help
$ ./xdp_acl -h
# Start (the built-in web server listens on 0.0.0.0:9090 by default).
$ ./xdp_acl -D eth1 -S
```