Networking (OVS/XDP)
HookProbe uses OpenVSwitch for software-defined networking and XDP/eBPF for kernel-level packet processing.
Overview
| Technology | Purpose | Layer |
|---|---|---|
| XDP/eBPF | Kernel-level DDoS mitigation | L2-L3 |
| OpenVSwitch | VLAN segmentation, SDN | L2-L3 |
| PSK-VXLAN | Encrypted inter-POD tunnels | L2 overlay |
| Nftables | Host firewall | L3-L4 |
XDP/eBPF
What is XDP?
eXpress Data Path processes packets at the earliest possible point in the network stack: in the NIC driver's receive path, before the kernel allocates an skb for them.
```
NIC Driver
    │
    ▼
┌───────────────────────────────────────────────┐
│ XDP/eBPF                                      │
│   if (is_ddos(packet))       return XDP_DROP; │
│   if (rate_exceeded(src_ip)) return XDP_DROP; │
│   return XDP_PASS;                            │
└───────────────────────┬───────────────────────┘
                        │ XDP_PASS
                        ▼
┌───────────────────────────────────────────────┐
│ Kernel Network Stack                          │
│ (only reached if XDP returns XDP_PASS)        │
└───────────────────────────────────────────────┘

Packets dropped at XDP never consume kernel resources.
```
XDP Modes
| Mode | Driver Support | Performance |
|---|---|---|
| XDP-DRV (Native) | Required | Fastest |
| XDP-SKB (Generic) | Any | Good |
| XDP-HW | Limited NICs | Line rate |
Supported NICs
Native XDP (XDP-DRV):
- Intel igb (I210, I211, I350)
- Intel igc (I225, I226)
- Intel i40e (X710, XL710)
- Intel ice (E810)
- Mellanox mlx5 (ConnectX-5+)
Generic XDP (any driver):
- All other NICs
- Virtual interfaces
- USB network adapters
Enable XDP
```bash
# Edit systemd environment
sudo systemctl edit hookprobe-agent.service

# Add:
[Service]
Environment="XDP_ENABLED=true"

# Restart
sudo systemctl daemon-reload
sudo systemctl restart hookprobe-agent.service
```
Verify XDP
```bash
# Check XDP attachment
ip link show | grep xdp

# View XDP stats
hookprobe-ctl metrics | grep xdp
```
XDP Actions
| Action | Effect |
|---|---|
| XDP_DROP | Silently drop packet |
| XDP_PASS | Continue to kernel |
| XDP_TX | Bounce back to sender |
| XDP_REDIRECT | Forward to another interface |
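As an added example (not HookProbe's code), the following userspace C model shows the verdict logic sketched in the XDP/eBPF diagram above: parse Ethernet and IPv4, keep a per-source token bucket, and return XDP_DROP or XDP_PASS. The rate, burst and table-size constants, the constructed `10.0.0.5` test source and the direct-mapped table standing in for a BPF map are all assumptions of this example; a real XDP program would keep the same logic but use a BPF map and `bpf_ktime_get_ns()`.

```c
#include <stdint.h>
#include <string.h>
enum { XDP_DROP = 1, XDP_PASS = 2 };   /* same numeric values as <linux/bpf.h> */
#define ETH_HLEN     14
#define ETH_P_IP     0x0800
#define RATE_PER_SEC 100                 /* tokens refilled per second per source (assumed) */
#define BURST        200                 /* bucket capacity = tolerated burst (assumed) */
#define BUCKETS      1024

struct bucket { uint32_t saddr; uint64_t last_ns; uint32_t tokens; };
static struct bucket table[BUCKETS];     /* stands in for a BPF_MAP_TYPE_LRU_HASH */
/* Token bucket per source: refill from elapsed time, then spend one token per
 * packet. Direct-mapped table; a new source (or a collision) starts full. */
static int rate_exceeded(uint32_t saddr, uint64_t now_ns) {
    struct bucket *b = &table[saddr % BUCKETS];
    if (b->saddr != saddr) { b->saddr = saddr; b->tokens = BURST; b->last_ns = 0; }
    uint64_t elapsed = b->last_ns ? now_ns - b->last_ns : 0;
    uint64_t refill = elapsed * RATE_PER_SEC / 1000000000ULL;
    b->tokens = (b->tokens + refill > BURST) ? BURST : (uint32_t)(b->tokens + refill);
    b->last_ns = now_ns;
    if (b->tokens == 0) return 1;
    b->tokens--;
    return 0;
}

/* Verdict for one frame. Short frames and non-IPv4 traffic are passed through
 * untouched; only IPv4 sources that exhaust their bucket are dropped. */
int xdp_verdict(const uint8_t *data, size_t len, uint64_t now_ns) {
    if (len < ETH_HLEN + 20) return XDP_PASS;
    uint16_t proto = (uint16_t)((data[12] << 8) | data[13]);
    if (proto != ETH_P_IP) return XDP_PASS;
    const uint8_t *ip = data + ETH_HLEN;
    if ((ip[0] >> 4) != 4) return XDP_PASS;
    uint32_t saddr;                       /* network byte order; used only as a map key */
    memcpy(&saddr, ip + 12, sizeof saddr);
    return rate_exceeded(saddr, now_ns) ? XDP_DROP : XDP_PASS;
}

/* Constructed scenario: n IPv4 frames from 10.0.0.5 all arriving at now_ns.
 * Returns how many the verdict function dropped. */
int count_drops(int n, uint64_t now_ns) {
    uint8_t frame[ETH_HLEN + 20] = {0};
    frame[12] = 0x08; frame[13] = 0x00;   /* EtherType IPv4 */
    frame[ETH_HLEN] = 0x45;               /* version 4, IHL 5 */
    memcpy(frame + ETH_HLEN + 12, (uint8_t[]){10, 0, 0, 5}, 4);
    int drops = 0;
    for (int i = 0; i < n; i++)
        if (xdp_verdict(frame, sizeof frame, now_ns) == XDP_DROP) drops++;
    return drops;
}
```

With a 200-token bucket, a burst of 250 frames from one source inside the same instant yields 50 drops, and one second of silence refills 100 tokens.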
OpenVSwitch
Overview
OpenVSwitch provides:
- VLAN segmentation
- OpenFlow ACL rules
- Traffic engineering
- Port mirroring
Bridge Configuration
```bash
# View bridge
ovs-vsctl show

# List ports
ovs-vsctl list-ports br0

# Add port
ovs-vsctl add-port br0 eth1

# Set VLAN
ovs-vsctl set port eth1 tag=10
```
VLAN Configuration
| VLAN | ID | Purpose | Policy |
|---|---|---|---|
| IoT | 10 | Smart devices | Internet only |
| Cameras | 20 | Security cameras | NVR only |
| Guest | 30 | Visitors | Isolated |
| Trusted | 40 | Work devices | Full access |
| Quarantine | 99 | Compromised | Blocked |
OpenFlow Rules
```bash
# View flows
ovs-ofctl dump-flows br0

# Add flow: Block IoT (VLAN 10) to the trusted subnet
ovs-ofctl add-flow br0 "priority=50,ip,in_port=1,dl_vlan=10,nw_dst=192.168.40.0/24,actions=drop"

# Add flow: Allow trusted outbound
ovs-ofctl add-flow br0 "priority=50,ip,in_port=1,dl_vlan=40,actions=normal"
```
Example Flow Table
```
# Allow established connections
cookie=0x1, priority=100, ip, ct_state=+est, actions=NORMAL

# Block IoT to trusted network
cookie=0x2, priority=50, ip, in_port=1, dl_vlan=10, nw_dst=192.168.40.0/24, actions=DROP

# Allow trusted to all
cookie=0x3, priority=50, ip, in_port=1, dl_vlan=40, actions=NORMAL

# Log and drop unknown
cookie=0xff, priority=1, actions=controller
```
PSK-VXLAN Tunnels
Overview
VXLAN with Pre-Shared Key encryption for inter-POD communication:
```
┌─────────────┐                                   ┌─────────────┐
│   POD-006   │                                   │   POD-005   │
│    (IDS)    │                                   │  (Metrics)  │
└──────┬──────┘                                   └──────┬──────┘
       │        ╔══════════════════════════╗             │
       └────────╢     PSK-VXLAN Tunnel     ╟─────────────┘
                ║  - ChaCha20 encrypted    ║
                ║  - UDP 4789              ║
                ╚══════════════════════════╝
```
Configuration
```bash
# Create VXLAN interface
ip link add vxlan100 type vxlan id 100 \
    dstport 4789 \
    local 10.0.0.1 \
    remote 10.0.0.2

# Attach to bridge
ovs-vsctl add-port br0 vxlan100
```
Note that the kernel vxlan device created here carries frames unencrypted; the ChaCha20 PSK layer shown in the diagram sits outside the vxlan driver and has to be supplied separately.
Nftables
Host Firewall
```bash
# View rules
nft list ruleset

# Flush rules
nft flush ruleset
```
Default Policy
```
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Allow established
        ct state established,related accept

        # Allow loopback
        iif lo accept

        # Allow SSH
        tcp dport 22 accept

        # Allow HookProbe health
        tcp dport 8888 accept

        # Drop everything else
        drop
    }
}
```
Network Topology
Fortress Example
```
FORTRESS NETWORK

Internet
    │
    ▼
┌────────────────────────────────────────────────────────┐
│                    OpenVSwitch br0                     │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐    │
│ │ VLAN 10  │ │ VLAN 20  │ │ VLAN 30  │ │ VLAN 40  │    │
│ │   IoT    │ │ Cameras  │ │  Guest   │ │ Trusted  │    │
│ └────┬─────┘ └────┬─────┘ └────┬─────┘ └────┬─────┘    │
│      ▼            ▼            ▼            ▼          │
│ ┌────────────────────────────────────────────────────┐ │
│ │                OpenFlow ACL Engine                 │ │
│ │   • IoT     → Internet: ALLOW                      │ │
│ │   • IoT     → LAN:      DROP                       │ │
│ │   • Guest   → Internet: ALLOW                      │ │
│ │   • Guest   → LAN:      DROP                       │ │
│ │   • Trusted → All:      ALLOW                      │ │
│ └────────────────────────────────────────────────────┘ │
└────────────────────────────────────────────────────────┘
```
Performance Tuning
XDP Optimization
```bash
# Set NIC ring buffer
ethtool -G eth0 rx 4096 tx 4096

# Enable interrupt coalescing
ethtool -C eth0 rx-usecs 50

# Set IRQ affinity
echo 2 > /proc/irq/<irq>/smp_affinity
```
OVS Optimization
```bash
# Enable DPDK (if available)
ovs-vsctl set Open_vSwitch . other_config:dpdk-init=true

# Set flow limits
ovs-vsctl set Open_vSwitch . other_config:flow-limit=200000
```
Troubleshooting
XDP Not Loading
```bash
# Check NIC driver
ethtool -i eth0 | grep driver

# Check kernel version
uname -r   # Need 5.4+

# Check XDP program
bpftool prog list
```
OVS Issues
```bash
# Check OVS status
systemctl status openvswitch-switch

# View logs
journalctl -u openvswitch-switch

# Reset OVS
ovs-vsctl emer-reset
```
Next Steps
- Security Engines - Detection systems
- 7-POD Stack - Container architecture
- Configuration - Network settings