Introducing GoXDP: Utilizing the Power of XDP for Advanced Linux Firewall

Ali Hussein Safar
3 min readMar 23, 2024


GoXDP is a simple and powerful XDP packet filter: the kernel-space program is written in C and the user-space service in Go. It relies on a longest-prefix-match (LPM) lookup to drop packets from specific subnets and single IP addresses, optionally with a predefined timeout after which the block expires. GoXDP can be driven either through its RESTful API or through the CLI client. It offers the following features:

  • A CLI tool for interacting with the GoXDP service, covering operations such as attaching or detaching the XDP program to/from a network interface, blocking an IP address, and showing statistics.
  • A REST API for interacting with GoXDP, to ease automation.
  • Blocking single IP addresses or whole subnets, with an optional timeout.
  • Statistics on the number of packets and bytes dropped per IP address.

Installation

Download the GoXDP binary from the GitHub repository from this link, then start the GoXDP service with the following command:

goxdp server -privateIP=127.0.0.1

Or, using Docker:

docker run -d --network host --name goxdp --privileged --restart always ahsifer/goxdp:2.1 server -privateIP=127.0.0.1

Note: --network host and --privileged are what let the container load BPF code and attach XDP programs to the host's real interfaces; a privileged container is effectively root on the host, so treat this image with the same care as the bare binary.

Note: the -privateIP parameter is the address the GoXDP service listens on for CLI and REST API requests. Keep it on loopback (as above) or on a management network reachable only by trusted hosts: whoever can reach this port can change the firewall's rules.

GoXDP Operations

1- Load XDP code to the interfaces

[root@netfilter1 ~]# goxdp client --action=load --interfaces=ens2f0 --mode=skb
XDP Program loaded successfully
[root@netfilter1 ~]# goxdp client --action=load --interfaces=ens2f1 --mode=skb
XDP Program loaded successfully

Note: --mode=skb attaches the program in generic (SKB) XDP mode, which works with any driver but runs only after the kernel has already allocated an sk_buff, so it forfeits most of XDP's speed advantage. Where the NIC driver supports native XDP, attaching in native (driver) mode is what delivers the performance the conclusion below refers to.

2- Blocking an IP address or subnet, with or without a timeout

The following command blocks the whole 100.2.2.0/24 subnet with no expiry:

[root@netfilter1 ~]# goxdp client --action=block --src=100.2.2.0/24
src is blocked successfully

Note: use a /32 prefix to block a single IP address.

To block an IP address or subnet with a timeout (here 500 seconds), after which the entry expires on its own:

[root@netfilter1 ~]# goxdp client --action=block --src=100.2.2.0/24 --timeout=500
src is blocked successfully

3- Show the status of the blocked IP addresses and subnets:

[root@netfilter1 ~]# goxdp client -action=status
Loaded Interfaces are:
1- ens2f0
2- ens2f1

Blocked IP address are:
1- 100.2.2.0/24

Filtered IP addresses' timeouts:
   IP Address      Timeout               Remaining Time
1- 100.2.2.0/24    2024-03-24 13:57:07   497s

Filtered IP addresses' status:
   IP Address      Rx_count    Bytes_dropped
1- 100.2.2.6       15173232    849700992
2- 100.2.2.5       16808693    941286808

Note that the block list and its timeouts are keyed by prefix, while the drop counters are kept per source address, so the status output also shows which hosts inside a blocked subnet are actually sending traffic.

4- Unblock the IP address or subnet

[root@netfilter1 ~]# goxdp client --action=allow --src=100.2.2.0/24
src is allowed successfully

5- Unload the XDP code from the interfaces

[root@netfilter1 ~]# goxdp client --action=unload --interfaces=ens2f1
XDP Program unloaded successfully to ens2f1
[root@netfilter1 ~]# goxdp client --action=unload --interfaces=ens2f0
XDP Program unloaded successfully to ens2f0

All of the operations above can also be performed through REST API requests; see the GitHub repository for the full documentation.
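To make the "LPM with timeouts" idea behind steps 2 and 3 concrete, here is a user-space Go model of the kernel-side data structure. It is an added example written for this article, not code from GoXDP's own repository: prefixes live in a binary trie keyed by address bits (the same longest-prefix-match semantics the kernel's BPF_MAP_TYPE_LPM_TRIE gives an XDP program), each entry carries an absolute expiry plus the drop counters that the status output reports, and the per-packet decision checks the expiry in the data path. Whether GoXDP enforces timeouts inside the XDP program or by deleting map entries from user space is not shown on this page, so that part is an assumption; the clock, addresses and packet sizes are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/netip"
	"time"
)

// entry is the per-prefix value, modelled on what a BPF_MAP_TYPE_LPM_TRIE value
// could hold: an absolute expiry (zero time = blocked forever) plus drop counters.
type entry struct {
	prefix  netip.Prefix
	expires time.Time
	drops   uint64
	bytes   uint64
}

// node is one level of a binary trie over the 32 bits of an IPv4 address.
type node struct {
	child [2]*node
	entry *entry
}

// blocklist models the kernel LPM map; the clock is injectable for deterministic tests.
type blocklist struct {
	root node
	now  func() time.Time
}

// bit returns bit i (0 = most significant) of an IPv4 address.
func bit(a [4]byte, i int) int { return int(a[i/8]>>(7-uint(i%8))) & 1 }

// block inserts p (masked, so 100.2.2.7/24 is stored as 100.2.2.0/24).
// A zero timeout means permanent, like omitting --timeout on the CLI.
func (b *blocklist) block(p netip.Prefix, timeout time.Duration) error {
	if !p.Addr().Is4() {
		return fmt.Errorf("IPv4 only: %s", p)
	}
	p = p.Masked()
	a, n := p.Addr().As4(), &b.root
	for i := 0; i < p.Bits(); i++ {
		c := bit(a, i)
		if n.child[c] == nil {
			n.child[c] = &node{}
		}
		n = n.child[c]
	}
	n.entry = &entry{prefix: p}
	if timeout > 0 {
		n.entry.expires = b.now().Add(timeout)
	}
	return nil
}

// lookup walks the trie along the address bits and keeps the deepest entry seen:
// longest-prefix-match semantics, which is what the kernel LPM map gives XDP.
func (b *blocklist) lookup(ip netip.Addr) *entry {
	if !ip.Is4() {
		return nil
	}
	a, n := ip.As4(), &b.root
	var best *entry
	for i := 0; n != nil && i <= 32; i++ {
		if n.entry != nil {
			best = n.entry
		}
		if i < 32 {
			n = n.child[bit(a, i)]
		}
	}
	return best
}

// drop is the per-packet decision: true (XDP_DROP) only when the longest matching
// prefix exists and its timeout has not elapsed, so a stale entry stops dropping
// even before anything removes it from the map. Counters feed the status output.
func (b *blocklist) drop(src netip.Addr, pktLen uint64) bool {
	e := b.lookup(src)
	if e == nil || (!e.expires.IsZero() && !b.now().Before(e.expires)) {
		return false
	}
	e.drops++
	e.bytes += pktLen
	return true
}

func main() {
	now := time.Date(2024, 3, 24, 13, 48, 47, 0, time.UTC) // constructed clock
	b := &blocklist{now: func() time.Time { return now }}
	_ = b.block(netip.MustParsePrefix("100.2.2.0/24"), 500*time.Second) // timed, as in step 2
	_ = b.block(netip.MustParsePrefix("100.2.2.5/32"), 0)               // permanent; longer prefix wins
	for _, ip := range []string{"100.2.2.6", "100.2.2.5", "100.2.3.1"} {
		fmt.Println(ip, b.drop(netip.MustParseAddr(ip), 60))
	}
	now = now.Add(501 * time.Second) // the /24 has expired, the /32 has not
	fmt.Println("100.2.2.6", b.drop(netip.MustParseAddr("100.2.2.6"), 60))
	fmt.Println("100.2.2.5", b.drop(netip.MustParseAddr("100.2.2.5"), 60))
}
```

Running it drops 100.2.2.6 and 100.2.2.5 while the /24 is active, passes 100.2.3.1, and after the 500-second timeout has elapsed passes 100.2.2.6 but keeps dropping 100.2.2.5, because the permanent /32 is the longer match. The same two properties are what make the CLI behaviour above safe to reason about: a more specific prefix always wins over a broader one, and an expired entry stops matching on its own without a reload of the XDP program.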

Conclusion

GoXDP provides the capability of blocking IP addresses and subnets, with optional timeouts. Because the eBPF program runs at the XDP hook, ahead of the kernel's regular networking stack and netfilter (and, in native mode, inside the NIC driver's receive path before an sk_buff is even allocated), unwanted packets are discarded at the cheapest possible point, which makes GoXDP a strong building block for DDoS mitigation systems.

Further reading

iptables vs. GoXDP: The Ultimate Packet Filtering Benchmark Setup and Results

Resources

Thank you for reading my article on GoXDP. I hope you find it informative and helpful. If you enjoyed the article and would like to support my work, follow me or buy me a coffee at https://www.buymeacoffee.com/ahsifer. Your support is greatly appreciated.
