eBPF in IPFire for DDoS attacks

I just saw a fork of IPFire, BPFire; it has implemented eBPF for the following features.

  1. XDP DDoS protection, See XDP SYNPROXY stops 10G DDoS SYN flood
  2. eBPF based LoxiLB load balancer, overall load balancer features located.

DDoS attacks have no effect on CPU with this implementation.

Can we have similar features in IPFire?

Have you read the recent blog post?
Not sure how to implement this?
https://www.ipfire.org/blog/ipfire-against-the-bad-guys-denial-of-service-protection-of-up-to-hundreds-of-gigabit-s

Two extra checkboxes have been implemented in the rule creation page.
If you select them then you can specify number of concurrent connections and/or the number per second.

The SYN Flood Protection has also been added to the firewall rules documentation.

https://www.ipfire.org/docs/configuration/firewall/rules#syn-flood-protection

2 Likes

Did not realize it was enabled there.
That feature has been there for a long time.
Has it not?
Or has the underpinning just been improved?

eBPF system is not mentioned anywhere; it is like a VM running inside the Linux kernel.

Sorry, I got it wrong. The code was put into Core Update 187. The checkboxes are in my CU186 production system, but in the git repo those checkboxes and the code for the SYN Flood protection were put into CU187.

2 Likes

No, eBPF is not used for the SYN Flood Protection and it is not a VM running in the kernel.

It is using the firewall rules but with the addition of a SYN cookie as mentioned in the blog post.
You can go and look at the code if you want to.

https://git.ipfire.org/?p=ipfire-2.x.git;a=shortlog;h=refs/heads/core187

1 Like

Yes, eBPF is not used in IPFire, but in this fork he is using it, which is what I meant. Facebook also uses this eBPF & XDP technology.

eBPF when I’ve looked at it a little.
The first thing it talks about is
analytics grabbing at the kernel level.

Yes, BPF & XDP is a revolutionary technology for Linux; its applications are networking, observability, tracing & profiling, and security.

Sorry, my misunderstanding.

Vincent Li has had communications with the IPFire devs on this topic earlier in the year but he has not come back to the Dev Mailing list since his last post in April.

https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/thread/S4GPL3OBFZ6LMA52JNLHIOPMNA5C3V6R/

2 Likes

While eBPF is a great opportunity for us, for the DDoS protection it comes with a couple of disadvantages that were too severe for us.

We also ran benchmarks and reached very good results using plain iptables. So we went that way, as it allows us more flexibility.

4 Likes

Hello @ms Michael, thanks again for the awesome project. Yes, I was going through your conversations with Li and I understand your views. My 2 cents: no open source firewall program out there has an eBPF feature, so we could be the first. OK, I understand that for DDoS it may not be worthwhile (since you are the expert), but maybe in future we can use a combination of both traditional methods and innovative approaches like eBPF, each playing a role in defending against increasingly sophisticated threats.

On the Linux side we are the only open source project with a web GUI (maybe Sophos Home, but its RAM usage is limited for free versions). The reason OPNsense is famous is because of their GUI, but they have a slow-development operating system, FreeBSD, so their users also know its limitations.

DDoS protection is worthwhile, but I don’t quite understand why it has to involve eBPF? We run this in native code and that is usually faster.

I don’t believe that we have a large user-base that has network interfaces that can run the eBPF code as demonstrated by Li.

3 Likes

@himurae thanks for raising eBPF interest in the IPFire community; I had the same thought as you. I think IPFire is the open source firewall distribution that could innovate with eBPF, since IPFire ships a modern Linux kernel that other open source firewall distributions lack. I cloned IPFire to BPFire with eBPF networking features including load balancing, eBPF firewall, etc. I am willing to contribute to IPFire if the IPFire community is interested in some eBPF features in the future.

1 Like