XDP Packet Processing

Rate Limiting and IP Blocklist

Rate limiting and IP blocklist with XDP - the fundamental building blocks of your DDoS engine.

Rate Limiting

Lab: eBPF Rate Limiting

What you will learn in this lab:

  • Keeping per-client state (BPF_MAP_TYPE_HASH or BPF_MAP_TYPE_LRU_HASH)
  • Time measurement with bpf_ktime_get_ns()
  • Token bucket style logic
  • Dropping packets with XDP_DROP

Token Bucket Pattern

struct rate_state {
    __u64 last_seen;   // timestamp (ns) from bpf_ktime_get_ns() at the last refill
    __u64 tokens;      // packets this client may still send before being dropped
};

// For each incoming packet (state looked up in a per-client hash map keyed by source IP):
// 1. Calculate elapsed time since last_seen
// 2. Replenish tokens in proportion to the elapsed time, capped at the burst size
// 3. If a token is available, consume it and pass (XDP_PASS); otherwise drop (XDP_DROP)
// The map value is updated in place through the pointer returned by bpf_map_lookup_elem().

Note: This lab implements ICMPv6 rate limiting. You will adapt it for DNS (UDP port 53).
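The refill and consume step above, worked through as an added example (not the lab's own code): a host-side model of the per-packet token-bucket logic that an XDP program would run, written as a plain function so the arithmetic can be exercised without a kernel. `rate_state` matches the pattern; `rate_policy`, `send_burst` and the `now` argument (standing in for `bpf_ktime_get_ns()`) are this example's own assumptions, as is the handling of the two edge cases a real limiter hits: sub-token intervals that must carry over rather than be lost, and long-idle clients where `elapsed * rate` would overflow.

```c
/* Added example (not the lab's code): host-side model of the XDP token-bucket
 * refill/consume step. rate_policy, send_burst and the 'now' parameter (which
 * stands in for bpf_ktime_get_ns()) are this example's own assumptions. */
#include <stdint.h>
#include <stdio.h>

#define NS_PER_SEC 1000000000ULL

/* Per-client state, the value stored in a BPF_MAP_TYPE_LRU_HASH keyed by source address. */
struct rate_state {
    uint64_t last_seen;   /* ns timestamp up to which tokens have been credited */
    uint64_t tokens;      /* packets this client may still send */
};

/* Policy: 'rate' packets per second sustained, at most 'burst' packets at once. */
struct rate_policy {
    uint64_t rate;
    uint64_t burst;
};

/* Mirrors the relevant enum xdp_action values. */
#define XDP_DROP 1
#define XDP_PASS 2

/* One packet from one client at time 'now' (ns, monotonic). Updates *st in place,
 * just as an XDP program updates the map value returned by bpf_map_lookup_elem(). */
static int rate_limit_packet(struct rate_state *st, const struct rate_policy *p, uint64_t now)
{
    if (p->rate == 0)
        return XDP_DROP;                      /* a zero rate means "nothing gets through" */

    if (st->last_seen == 0) {
        /* First packet from this client: start with a full bucket. */
        st->last_seen = now;
        st->tokens = p->burst;
    } else if (now > st->last_seen) {
        uint64_t elapsed = now - st->last_seen;
        if (elapsed / NS_PER_SEC > p->burst / p->rate) {
            /* Idle long enough to fill the bucket anyway; also keeps elapsed*rate
             * below 2^64 for clients not seen in days. */
            st->tokens = p->burst;
            st->last_seen = now;
        } else {
            /* Credit whole tokens only, and advance last_seen by the time those tokens
             * cost so that sub-token intervals carry over instead of being lost. */
            uint64_t refill = elapsed * p->rate / NS_PER_SEC;
            if (refill > 0) {
                st->tokens += refill;
                if (st->tokens > p->burst)
                    st->tokens = p->burst;    /* cap the burst */
                st->last_seen += refill * NS_PER_SEC / p->rate;
            }
        }
    }
    /* now <= last_seen (same timestamp, or clock anomaly): no credit this round. */

    if (st->tokens > 0) {
        st->tokens--;
        return XDP_PASS;
    }
    return XDP_DROP;
}

/* Deliver n packets from one client at the same instant; returns how many passed. */
static unsigned int send_burst(struct rate_state *st, const struct rate_policy *p,
                               uint64_t now, unsigned int n)
{
    unsigned int passed = 0;
    for (unsigned int i = 0; i < n; i++)
        if (rate_limit_packet(st, p, now) == XDP_PASS)
            passed++;
    return passed;
}

int main(void)
{
    struct rate_policy pol = { .rate = 10, .burst = 5 };   /* constructed sample policy */
    struct rate_state st = { 0, 0 };
    printf("t=1.0s  burst of 8: %u passed\n", send_burst(&st, &pol, 1 * NS_PER_SEC, 8));
    printf("t=1.15s 1 packet:   %u passed\n", send_burst(&st, &pol, 1150000000ULL, 1));
    printf("t=1.2s  1 packet:   %u passed\n", send_burst(&st, &pol, 1200000000ULL, 1));
    printf("t=1.2s  1 packet:   %u passed\n", send_burst(&st, &pol, 1200000000ULL, 1));
    printf("t=100s  burst of 8: %u passed\n", send_burst(&st, &pol, 100 * NS_PER_SEC, 8));
    return 0;
}
```

With a policy of 10 packets/s and a burst of 5, an 8-packet burst at t=1.0s passes 5; a single packet 150 ms later finds 1.5 tokens' worth of time, receives one token and carries the remaining 50 ms forward, so the next packet 50 ms after that is also passed. In the XDP version the same arithmetic runs on the map value, and the per-client key would be the source address parsed from the IPv6 (ICMPv6 lab) or IPv4 (DNS adaptation) header.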


IP Blocklist and LPM_TRIE

Lab: eBPF Firewall

What you will learn in this lab:

  • BPF_MAP_TYPE_LPM_TRIE (CIDR block support)
  • Longest prefix matching
  • struct bpf_lpm_trie_key
  • Firewall logic: whitelist vs blacklist

LPM_TRIE Usage

struct lpm_key {
    __u32 prefixlen;  // CIDR prefix length on insert (32 on lookup); must be the first field, mirroring struct bpf_lpm_trie_key
    __u32 addr;       // IPv4 address in network byte order, exactly as read from the IP header
};

struct {
    __uint(type, BPF_MAP_TYPE_LPM_TRIE);
    __uint(max_entries, 1024);
    __type(key, struct lpm_key);
    __type(value, __u32);
    __uint(map_flags, BPF_F_NO_PREALLOC);
} blocklist SEC(".maps");

Critical for DDoS Engine: IP-range-based blocklist/allowlist.
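How a lookup against the `blocklist` map resolves, as an added example (not the lab's or the Facebook firewall's code): a host-side model of longest-prefix matching over `lpm_key` entries, so the key-construction rules (prefixlen first, address in network byte order, lookups with prefixlen = 32) and the allowlist-inside-blocklist case can be checked without loading a BPF program. The kernel performs this search in a trie; the linear scan here reproduces its result. `lpm_table`, `lpm_insert`, `lpm_lookup`, `xdp_verdict` and the sample prefixes (RFC 5737 documentation ranges) are this example's own assumptions.

```c
/* Added example (not the lab's code): host-side model of what the XDP program's
 * bpf_map_lookup_elem() against a BPF_MAP_TYPE_LPM_TRIE returns. lpm_table,
 * lpm_insert, lpm_lookup, xdp_verdict and the sample prefixes are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* inet_pton(), ntohl() */

/* Same layout as the lab's lpm_key, which mirrors struct bpf_lpm_trie_key:
 * a 32-bit prefixlen followed by the raw key bytes. */
struct lpm_key {
    uint32_t prefixlen;   /* CIDR prefix length on insert; 32 on lookup */
    uint32_t addr;        /* IPv4 address as it sits in the IP header (network byte order) */
};

enum { ACTION_ALLOW = 0, ACTION_BLOCK = 1 };   /* map value */
#define XDP_DROP 1   /* from enum xdp_action */
#define XDP_PASS 2

#define MAX_ENTRIES 16
struct lpm_entry { struct lpm_key key; uint32_t value; };
struct lpm_table { struct lpm_entry e[MAX_ENTRIES]; size_t n; };

/* Insert one CIDR, as a userspace loader would with bpf_map_update_elem(). */
static int lpm_insert(struct lpm_table *t, const char *addr, uint32_t prefixlen, uint32_t value)
{
    struct in_addr a;
    if (t->n >= MAX_ENTRIES || prefixlen > 32 || inet_pton(AF_INET, addr, &a) != 1)
        return -1;
    t->e[t->n].key.prefixlen = prefixlen;
    t->e[t->n].key.addr = a.s_addr;   /* inet_pton already yields network byte order */
    t->e[t->n].value = value;
    t->n++;
    return 0;
}

/* True if the top prefixlen bits of addr_nbo equal those of the entry. */
static int prefix_matches(const struct lpm_key *k, uint32_t addr_nbo)
{
    if (k->prefixlen == 0)
        return 1;                         /* 0.0.0.0/0 matches everything */
    uint32_t mask = (k->prefixlen == 32) ? 0xFFFFFFFFu : ~(0xFFFFFFFFu >> k->prefixlen);
    return (ntohl(k->addr) & mask) == (ntohl(addr_nbo) & mask);
}

/* Longest-prefix lookup for a full address (probe prefixlen = 32).
 * Returns the matching entry's value, or -1 when no prefix covers the address. */
static int lpm_lookup(const struct lpm_table *t, uint32_t addr_nbo)
{
    int best_len = -1, best_val = -1;
    for (size_t i = 0; i < t->n; i++) {
        const struct lpm_key *k = &t->e[i].key;
        if (prefix_matches(k, addr_nbo) && (int)k->prefixlen > best_len) {
            best_len = (int)k->prefixlen;
            best_val = (int)t->e[i].value;
        }
    }
    return best_val;
}

/* Blocklist semantics: drop only when the most specific covering prefix says BLOCK.
 * A longer ALLOW prefix inside a blocked range therefore punches a hole in it.
 * Returns -1 for an unparsable address (constructed input only; XDP sees raw bytes). */
static int xdp_verdict(const struct lpm_table *t, const char *src)
{
    struct in_addr a;
    if (inet_pton(AF_INET, src, &a) != 1)
        return -1;
    return lpm_lookup(t, a.s_addr) == ACTION_BLOCK ? XDP_DROP : XDP_PASS;
}

/* Constructed sample policy using RFC 5737 documentation ranges. */
static void build_sample_blocklist(struct lpm_table *t)
{
    memset(t, 0, sizeof(*t));
    lpm_insert(t, "203.0.113.0", 24, ACTION_BLOCK);   /* whole /24 blocked ... */
    lpm_insert(t, "203.0.113.42", 32, ACTION_ALLOW);  /* ... except this one host */
    lpm_insert(t, "198.51.100.0", 25, ACTION_BLOCK);  /* lower half of a /24 */
}

int main(void)
{
    struct lpm_table t;
    build_sample_blocklist(&t);
    const char *samples[] = { "203.0.113.7", "203.0.113.42", "198.51.100.5",
                              "198.51.100.200", "192.0.2.1" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-16s -> %s\n", samples[i],
               xdp_verdict(&t, samples[i]) == XDP_DROP ? "XDP_DROP" : "XDP_PASS");
    return 0;
}
```

Two details carry over directly to the BPF map: the lookup key's `prefixlen` must be the full address length (32 for IPv4, 128 for IPv6), because the trie only returns entries whose prefix is no longer than the probe's; and the address is copied raw from the header, since the trie compares key bytes most-significant first, which is exactly network byte order. Switching the same table to allowlist semantics means inverting the final decision (pass only on an ALLOW match); the trie and keys are unchanged.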

Reading: Facebook BPF Firewall - production XDP firewall usage.