oracular (8) xdp-filter.8.gz

Provided by: xdp-tools_1.4.2-1ubuntu4_amd64

NAME

       xdp-filter - a simple XDP-powered packet filter

SYNOPSIS

       XDP-filter  is a packet filtering utility powered by XDP. It is deliberately simple and so
       does not have the same matching capabilities as, e.g., netfilter.  Instead, thanks to XDP,
       it  can  achieve  very high drop rates: tens of millions of packets per second on a single
       CPU core.

   Running xdp-filter
       The syntax for running xdp-filter is:

              xdp-filter COMMAND [options]

              Where COMMAND can be one of:
                     load        - load xdp-filter on an interface
                     unload      - unload xdp-filter from an interface
                     port        - add a port to the filter list
                     ip          - add an IP address to the filter list
                     ether       - add an Ethernet MAC address to the filter list
                     status      - show current xdp-filter status
                     poll        - poll statistics output
                     help        - show the list of available commands

       Each command, and its options, is explained below. Alternatively, use xdp-filter COMMAND
       --help to see the options for each command.

The LOAD command

       To  use  xdp-filter,  it must first be loaded onto an interface. This is accomplished with
       the load command, which takes the name of the interface as  a  parameter,  and  optionally
       allows  specifying  the  features  that  should  be  included. By default all features are
       loaded, but de-selecting some features can speed up  the  packet  matching,  and  increase
       performance by a substantial amount.

       The syntax for the load command is:

       xdp-filter load [options] <ifname>

       Where  <ifname>  is  the  name  of  the  interface  to  load  xdp-filter onto, and must be
       specified. The supported options are:

   -m, --mode <mode>
       Specifies the mode in which the XDP program is loaded. The valid values are 'native', which
       is the default in-driver XDP mode; 'skb', which uses the so-called skb mode (also known as
       generic XDP); or 'hw', which offloads the program to the hardware.

   -p, --policy <policy>
       This sets the policy xdp-filter applies to packets not matched by any of the filter rules.
       The default is allow, in which packets not matching any rules are  allowed  to  pass.  The
       other  option is deny, in which all packets are dropped except those matched by the filter
       options.

       xdp-filter cannot be loaded simultaneously in deny and allow policy modes on  the  system.
       Note  that  loading  xdp-filter  in deny mode will drop all traffic on the interface until
       suitable allow rules are installed, so some care is needed to avoid being locked out of  a
       remote system.

   -f, --features <feats>
       Use this option to select which features to include when loading xdp-filter. The default
       is to load all available features. To select individual features, specify one or more of
       these:

       •   tcp: Support filtering on TCP port number

       •   udp: Support filtering on UDP port number

       •   ipv6: Support filtering on IPv6 addresses

       •   ipv4: Support filtering on IPv4 addresses

       •   ethernet: Support filtering on Ethernet MAC addresses

       Specify multiple features by separating them with a comma. E.g.: tcp,udp,ipv6.

   -v, --verbose
       Enable debug logging. Specify twice for even more verbosity.

   -h, --help
       Display a summary of the available options

The UNLOAD command

       The  unload  command  unloads  xdp-filter  from one (or all) interfaces, and cleans up the
       program state.

       The syntax for the unload command is:

       xdp-filter unload [options] <ifname>

       Where <ifname> is the name of the  interface  to  unload  xdp-filter  from,  and  must  be
       specified unless the --all option is used. The supported options are:

   -a, --all
       Specify  this  option to remove xdp-filter from all interfaces it was loaded onto. If this
       option is specified, no <ifname> is needed.

       This option can also be used to clean up all xdp-filter state if the XDP  program(s)  were
       unloaded by other means.

   -k, --keep-maps
       Specify this option to prevent xdp-filter from clearing its map state. By default, all BPF
       maps no longer needed by any loaded program are removed.  However, this will  also  remove
       the  contents  of  the  maps (the filtering rules), so this option can be used to keep the
       maps around so the rules persist until xdp-filter is loaded again.

   -v, --verbose
       Enable debug logging. Specify twice for even more verbosity.

   -h, --help
       Display a summary of the available options

The PORT command

       Use the port command to add a TCP or UDP port to the xdp-filter match list.  For  this  to
       work,  xdp-filter  must  be  loaded with either the udp or the tcp feature (or both) on at
       least one interface.

       The syntax for the port command is:

       xdp-filter port [options] <port>

       Where <port> is the port number to add (or remove if --remove is specified). The supported
       options are:

   -r, --remove
       Remove the port instead of adding it.

   -m, --mode <mode>
       Select filtering mode. Valid options are src and dst, both of which may be specified as
       src,dst. If src is specified, the port number will be added as a source port match, while
       if dst is specified, the port number will be added as a destination port match. If both
       are specified, a packet will be matched if either its source or destination port is the
       specified port number.

   -p, --proto <proto>
       Specify one (or both) of udp and/or tcp to match UDP or TCP ports, respectively.

   -s, --status
       If  this  option  is  specified,  the  current list of matched ports will be printed after
       inserting the port number. Otherwise, nothing will be printed.

   -v, --verbose
       Enable debug logging. Specify twice for even more verbosity.

   -h, --help
       Display a summary of the available options

The IP command

       Use the ip command to add an IPv6 or an IPv4 address to the xdp-filter match list.

       The syntax for the ip command is:

       xdp-filter ip [options] <ip>

       Where <ip> is the IP address to add (or remove if --remove is specified). Either IPv4 or
       IPv6 addresses can be specified, but xdp-filter must be loaded with the corresponding
       feature (ipv4 or ipv6, respectively). The supported options are:

   -r, --remove
       Remove the IP address instead of adding it.

   -m, --mode <mode>
       Select filtering mode. Valid options are src and dst, both of which may be specified as
       src,dst. If src is specified, the IP address will be added as a source IP match, while if
       dst is specified, the IP address will be added as a destination IP match. If both are
       specified, a packet will be matched if either its source or destination IP is the
       specified IP address.

   -s, --status
       If this option is specified, the current list of matched IPs will be printed after
       inserting the IP address. Otherwise, nothing will be printed.

   -v, --verbose
       Enable debug logging. Specify twice for even more verbosity.

   -h, --help
       Display a summary of the available options

The ETHER command

       Use the ether command to add an Ethernet MAC address to the xdp-filter match list. For
       this to work, xdp-filter must be loaded with the ethernet feature on at least one
       interface.

       The syntax for the ether command is:

       xdp-filter ether [options] <addr>

       Where <addr> is the MAC address to add (or remove if --remove is specified). The
       supported options are:

   -r, --remove
       Remove the MAC address instead of adding it.

   -m, --mode <mode>
       Select filtering mode. Valid options are src and dst, both of which may be specified as
       src,dst. If src is specified, the MAC address will be added as a source MAC match, while
       if dst is specified, the MAC address will be added as a destination MAC match. If both
       are specified, a packet will be matched if either its source or destination MAC is the
       specified MAC address.

   -s, --status
       If this option is specified, the current list of matched MAC addresses will be printed
       after inserting the MAC address. Otherwise, nothing will be printed.

   -v, --verbose
       Enable debug logging. Specify twice for even more verbosity.

   -h, --help
       Display a summary of the available options

The STATUS command

       The status command prints the current status of xdp-filter: which interfaces it is loaded
       on, the current list of rules, and some statistics for how many packets have been
       processed in total, and how many times each rule has been hit.

       The syntax for the status command is:

       xdp-filter status [options]

       Where the supported options are:

   -v, --verbose
       Enable debug logging. Specify twice for even more verbosity.

   -h, --help
       Display a summary of the available options

The POLL command

       The poll command periodically polls the xdp-filter statistics map and prints out the total
       number of packets and bytes processed by xdp-filter, as well as the  number  in  the  last
       polling interval, converted to packets (and bytes) per second. This can be used to inspect
       the performance of xdp-filter, and to compare the performance  of  the  different  feature
       sets selectable by the load parameter.

       The syntax for the poll command is:

       xdp-filter poll [options]

       Where the supported options are:

   -i, --interval <interval>
       The polling interval, in milliseconds. Defaults to 1000 (1 second).

   -v, --verbose
       Enable debug logging. Specify twice for even more verbosity.

   -h, --help
       Display a summary of the available options

Examples

       To filter all packets arriving on port 80 on eth0, issue the following commands:

              # xdp-filter load eth0 -f tcp,udp
              # xdp-filter port 80

       To  filter  all packets except those from IP address fc00:dead:cafe::1 issue the following
       commands (careful, this can lock you out of remote access!):

              # xdp-filter load eth0 -f ipv6 -p deny
              # xdp-filter ip fc00:dead:cafe::1 -m src

       To allow packets from either IP fc00:dead:cafe::1  or  arriving  on  port  22,  issue  the
       following (careful, this can lock you out of remote access!):

              # xdp-filter load eth0 -f ipv6,tcp -p deny
              # xdp-filter port 22
              # xdp-filter ip fc00:dead:cafe::1 -m src
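       The --policy option and the two deny-mode examples above both warn that loading with -p deny
       drops everything until allow rules are installed. The following script is an added example,
       not part of xdp-tools or this manual: it wraps the same command sequence (load with -p deny,
       then the port and ip allow rules) so that the rules go in immediately, and arms a watchdog
       that unloads the filter unless the operator confirms that remote access still works. The
       variables XDP_FILTER and ROLLBACK_SECS and the function names are this example's own
       inventions; it assumes xdp-filter is in PATH and that it runs as root.

```shell
#!/bin/sh
# Lock-out-safe deny-mode load for xdp-filter. Added example, not part of xdp-tools.
# Assumes xdp-filter in PATH and root privileges; XDP_FILTER and ROLLBACK_SECS
# are knobs invented for this example (XDP_FILTER=echo gives a dry run).
: "${XDP_FILTER:=xdp-filter}"
: "${ROLLBACK_SECS:=60}"   # 0 disables the automatic unload

# Minimal feature list the load command needs for the allow rules we will add:
# the port command needs tcp/udp, the ip command needs ipv4 or ipv6. "-" = none.
# Usage: needed_features <port|-> <ip|->
needed_features() {
    port=$1; ip=$2; feats=""
    [ "$port" != "-" ] && feats="tcp,udp"
    if [ "$ip" != "-" ]; then
        case "$ip" in
            *:*) af=ipv6 ;;    # a colon means an IPv6 address
            *)   af=ipv4 ;;
        esac
        feats="${feats:+$feats,}$af"
    fi
    printf '%s\n' "$feats"
}

# Load with -p deny, install the allow rules immediately, then arm a watchdog
# that unloads the filter after ROLLBACK_SECS unless confirm_filter is called.
# Usage: safe_deny_load <ifname> <port|-> <src-ip|->   (prints watchdog PID)
safe_deny_load() {
    ifn=$1; port=$2; ip=$3
    feats=$(needed_features "$port" "$ip")
    if [ -z "$feats" ]; then
        echo "refusing: deny policy with no allow rule drops all traffic on $ifn" >&2
        return 1
    fi
    # Between load and the first rule every packet on $ifn is dropped, so the
    # rules go in right away and from the same script.
    $XDP_FILTER load "$ifn" -f "$feats" -p deny || return 1
    [ "$port" = "-" ] || $XDP_FILTER port "$port"
    [ "$ip" = "-" ]   || $XDP_FILTER ip "$ip" -m src
    if [ "$ROLLBACK_SECS" -gt 0 ]; then
        # If the remote session is lost, the filter removes itself.
        ( sleep "$ROLLBACK_SECS"; $XDP_FILTER unload "$ifn" ) &
        printf '%s\n' "$!"
    fi
    return 0
}

# Cancel the watchdog once remote access is verified to still work.
# Usage: confirm_filter <watchdog-pid>
confirm_filter() { kill "$1" 2>/dev/null; }
```

       A typical session is `pid=$(safe_deny_load eth0 22 fc00:dead:cafe::1)`, a test that a new
       SSH connection still succeeds, then `confirm_filter "$pid"`.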

BUGS

       Please report any bugs on Github: https://github.com/xdp-project/xdp-tools/issues

AUTHOR

       xdp-filter  was  written  by  Toke Høiland-Jørgensen and Jesper Dangaard Brouer.  This man
       page was written by Toke Høiland-Jørgensen.