Project 10: XDP Packet Firewall (DDoS Protection)

A high-performance packet filtering firewall using XDP that can block malicious traffic, rate-limit connections, and protect against DDoS attacks—all at line rate.

Quick Reference

Attribute          Value
─────────────────  ─────────────────────────────────────────────
Primary Language   C (libbpf)
Alternative Langs  Rust (aya)
Difficulty         Level 4: Expert
Time Estimate      3-4 weeks
Knowledge Area     Networking / Security / XDP
Tooling            libbpf, XDP
Prerequisites      Projects 1-9 completed (especially Project 5)

What You Will Build

A high-performance packet filtering firewall using XDP that can block malicious traffic, rate-limit connections, and protect against DDoS attacks—all at line rate.

Why It Matters

This combines XDP packet processing with dynamic rule management. You’ll build a system that can drop millions of packets per second while maintaining manageable rules from userspace.

Core Challenges

  • Rule storage and lookup → maps to LPM trie maps for CIDR, hash maps for IPs
  • Rate limiting → maps to token bucket algorithm in BPF
  • Dynamic rule updates → maps to map updates from userspace
  • Statistics and logging → maps to counters, ring buffers
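
The token-bucket rate limiter named in the second bullet, written out as an added example (not code from this project or the main guide). The decision function is kept integer-only and loop-free, which is the shape that carries over into an XDP program; there, `struct rl_state` would be a BPF map value and `now_ns` would come from `bpf_ktime_get_ns()`. The struct and function names, and the `rl_simulate` driver that replays a synthetic packet train, are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NS_PER_SEC 1000000000ULL

/* Rule parameters as the CLI would write them into a map (names assumed). */
struct rl_config {
    uint64_t pps;   /* sustained rate in packets per second */
    uint64_t burst; /* bucket depth: packets that may pass back-to-back */
};

/* Per-rule (or per-source) bucket state. In the XDP program this is a map
 * value; here it is a plain struct so the logic runs in userspace. */
struct rl_state {
    uint64_t tokens_ns; /* fixed point: one packet token == NS_PER_SEC units */
    uint64_t last_ns;   /* time of last refill; XDP would use bpf_ktime_get_ns() */
};

void rl_init(struct rl_state *st, const struct rl_config *cfg, uint64_t now_ns)
{
    st->tokens_ns = cfg->burst * NS_PER_SEC; /* a fresh bucket starts full */
    st->last_ns = now_ns;
}

/* One decision per packet: refill by elapsed time, then try to spend a token.
 * Returns true for PASS, false for DROP. A rule with pps == 0 drops everything. */
bool rl_allow(struct rl_state *st, const struct rl_config *cfg, uint64_t now_ns)
{
    if (cfg->pps == 0)
        return false;

    uint64_t cap     = cfg->burst * NS_PER_SEC;
    uint64_t elapsed = now_ns - st->last_ns;
    uint64_t fill_ns = cap / cfg->pps; /* idle time that refills an empty bucket */

    if (elapsed >= fill_ns) {
        st->tokens_ns = cap;                 /* long idle: bucket is simply full */
    } else {
        st->tokens_ns += elapsed * cfg->pps; /* product is < cap here, so no overflow */
        if (st->tokens_ns > cap)
            st->tokens_ns = cap;
    }
    st->last_ns = now_ns;

    if (st->tokens_ns >= NS_PER_SEC) {
        st->tokens_ns -= NS_PER_SEC;
        return true;
    }
    return false;
}

/* Offline driver (constructed input): n packets spaced gap_ns apart against a
 * fresh bucket; returns how many the rule would let through. */
uint64_t rl_simulate(uint64_t pps, uint64_t burst, uint64_t n, uint64_t gap_ns)
{
    struct rl_config cfg = { .pps = pps, .burst = burst };
    struct rl_state st;
    uint64_t t = NS_PER_SEC, passed = 0;

    rl_init(&st, &cfg, t);
    for (uint64_t i = 0; i < n; i++, t += gap_ns)
        if (rl_allow(&st, &cfg, t))
            passed++;
    return passed;
}

int main(void)
{
    /* the 10000 pps rule from the session below, with a burst of 100 packets */
    printf("flood, 1 ns apart:     %llu of 1000 pass\n",
           (unsigned long long)rl_simulate(10000, 100, 1000, 1));
    printf("at rate, 100 us apart: %llu of 1000 pass\n",
           (unsigned long long)rl_simulate(10000, 100, 1000, 100000));
    printf("2x rate, 50 us apart:  %llu of 1000 pass\n",
           (unsigned long long)rl_simulate(10000, 100, 1000, 50000));
    return 0;
}
```

The flood case passes exactly the burst (100 packets) and drops the rest, the at-rate train passes every packet, and the 2x-rate train settles to roughly every second packet once the burst is spent. When the state is keyed per source in a hash map and updated from several CPUs, the refill-then-spend sequence is no longer atomic; guard the value with a `bpf_spin_lock` or keep per-CPU accounting.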

Key Concepts

Real-World Outcome

$ sudo ./xdp-firewall eth0

XDP Firewall loaded on eth0 (native mode)

# Add rules via CLI
$ sudo ./xdp-fw add block 192.168.1.100
Rule added: BLOCK 192.168.1.100/32

$ sudo ./xdp-fw add block 10.0.0.0/8
Rule added: BLOCK 10.0.0.0/8

$ sudo ./xdp-fw add ratelimit 0.0.0.0/0 --pps 10000
Rule added: RATE_LIMIT 0.0.0.0/0 @ 10000 pps

# Show statistics
$ sudo ./xdp-fw stats
RULE                        MATCHED     DROPPED     PASSED
────────────────────────────────────────────────────────────
BLOCK 192.168.1.100/32     12,345,678  12,345,678         0
BLOCK 10.0.0.0/8               45,678      45,678         0
RATE_LIMIT 0.0.0.0/0       98,765,432   1,234,567  97,530,865

Total: 98.7M packets, 1.3M dropped (1.3%), 14.2 Mpps
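
What `xdp-fw add` has to do before it can call `bpf_map_update_elem()` on the rule trie, shown as an added example rather than the project's own code: turn `10.0.0.0/8` (or a bare address, treated as /32) into an LPM trie key with host bits cleared, and reject anything malformed. It also models in userspace what the kernel's longest-prefix lookup returns for the three rules in the session above, which is why a packet from 10.x.x.x is counted under BLOCK 10.0.0.0/8 and never reaches the RATE_LIMIT 0.0.0.0/0 rule. The key layout follows `struct bpf_lpm_trie_key` (host-order prefix length, then address bytes in network order); the `lpm_key_v4`, `rule`, `action` and helper names are assumptions for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Key layout of an IPv4 BPF_MAP_TYPE_LPM_TRIE (struct bpf_lpm_trie_key): a
 * host-order __u32 prefixlen followed by the address in network byte order.
 * Assumption: this standalone mirror uses a fixed 4-byte address field. */
struct lpm_key_v4 { uint32_t prefixlen; uint8_t addr[4]; };

enum action { ACT_BLOCK = 1, ACT_RATE_LIMIT = 2 };
struct rule { const char *cidr; enum action act; struct lpm_key_v4 key; };

static uint32_t mask_for(uint32_t plen) { return plen == 0 ? 0 : 0xFFFFFFFFu << (32 - plen); }

static uint32_t key_addr(const struct lpm_key_v4 *k)
{
    return (uint32_t)k->addr[0] << 24 | (uint32_t)k->addr[1] << 16 |
           (uint32_t)k->addr[2] << 8  | (uint32_t)k->addr[3];
}

/* Parse "A.B.C.D" or "A.B.C.D/N" into an LPM key with host bits cleared, so
 * "10.1.2.3/8" and "10.0.0.0/8" yield the same key. Returns 0, or -1 on input
 * the CLI must reject before touching the map. */
int parse_cidr_v4(const char *text, struct lpm_key_v4 *key)
{
    char buf[32], tail, *slash, *end;
    unsigned long plen = 32;
    unsigned oct[4];

    if (strlen(text) >= sizeof buf) return -1;
    strcpy(buf, text);
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash = '\0';
        if (slash[1] == '\0') return -1;                 /* "10.0.0.0/" */
        plen = strtoul(slash + 1, &end, 10);
        if (*end != '\0' || plen > 32) return -1;        /* "/8x", "/33" */
    }
    if (sscanf(buf, "%u.%u.%u.%u%c", &oct[0], &oct[1], &oct[2], &oct[3], &tail) != 4)
        return -1;                                       /* too few/many parts */
    for (int i = 0; i < 4; i++)
        if (oct[i] > 255) return -1;

    uint32_t host = (oct[0] << 24 | oct[1] << 16 | oct[2] << 8 | oct[3]) & mask_for((uint32_t)plen);
    key->prefixlen = (uint32_t)plen;
    for (int i = 0; i < 4; i++)
        key->addr[i] = (uint8_t)(host >> (24 - 8 * i)); /* network byte order */
    return 0;
}

/* Small accessors that return plain ints so results are easy to check. */
int cidr_octet(const char *text, int i)   /* octet i of the masked key, or -1 */
{
    struct lpm_key_v4 k;
    if (i < 0 || i > 3 || parse_cidr_v4(text, &k) != 0) return -1;
    return k.addr[i];
}
int cidr_prefixlen(const char *text)      /* prefix length, or -1 if malformed */
{
    struct lpm_key_v4 k;
    return parse_cidr_v4(text, &k) == 0 ? (int)k.prefixlen : -1;
}

/* Userspace model of bpf_map_lookup_elem() on the trie: of all rules whose
 * prefix contains the address, the longest prefix wins. Returns that rule's
 * action, 0 when nothing matches, -1 on a malformed address. The real CLI
 * derives each key once at "add" time; keys are re-derived here for brevity. */
int lookup_action(struct rule *rules, int n, const char *addr_text)
{
    struct lpm_key_v4 probe;
    int best = -1;
    if (parse_cidr_v4(addr_text, &probe) != 0) return -1;
    uint32_t addr = key_addr(&probe);
    for (int i = 0; i < n; i++) {
        if (parse_cidr_v4(rules[i].cidr, &rules[i].key) != 0) return -1;
        uint32_t plen = rules[i].key.prefixlen;
        if ((addr & mask_for(plen)) == key_addr(&rules[i].key) &&
            (best < 0 || plen > rules[best].key.prefixlen))
            best = i;
    }
    return best < 0 ? 0 : (int)rules[best].act;
}

/* The three rules from the session above, in the order they were added. */
struct rule page_rules[] = {
    { "192.168.1.100", ACT_BLOCK,      {0} },
    { "10.0.0.0/8",    ACT_BLOCK,      {0} },
    { "0.0.0.0/0",     ACT_RATE_LIMIT, {0} },
};

int classify(const char *addr_text) { return lookup_action(page_rules, 3, addr_text); }

int main(void)
{
    const char *samples[] = { "10.1.2.3", "192.168.1.100", "192.168.1.101", "8.8.8.8" };
    for (int i = 0; i < 4; i++)
        printf("%-15s -> action %d (1=BLOCK, 2=RATE_LIMIT)\n", samples[i], classify(samples[i]));
    return 0;
}
```

Two points worth checking in your own CLI: a key whose host bits are not cleared is a different trie entry from the intended network (a later `del` may then fail to find it), and because the most specific prefix always wins, a narrow rule silently overrides every wider one that covers the same address.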

Implementation Guide

  1. Reproduce the simplest happy-path scenario.
  2. Build the smallest working version of the core feature.
  3. Add input validation and error handling.
  4. Add instrumentation/logging to confirm behavior.
  5. Refactor into clean modules with tests.

Milestones

  • Milestone 1: Minimal working program that runs end-to-end.
  • Milestone 2: Correct outputs for typical inputs.
  • Milestone 3: Robust handling of edge cases.
  • Milestone 4: Clean structure and documented usage.

Validation Checklist

  • Output matches the real-world outcome example
  • Handles invalid inputs safely
  • Provides clear errors and exit codes
  • Repeatable results across runs

References

  • Main guide: LEARN_BPF_EBPF_LINUX.md
  • “Learning eBPF” by Liz Rice