Skip to content

alloc33/xdp-fire

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

22 Commits
.cargo
.cargo
Β 
Β 
scripts
scripts
Β 
Β 
xdp-fire-common
xdp-fire-common
Β 
Β 
xdp-fire-ebpf
xdp-fire-ebpf
Β 
Β 
xdp-fire
xdp-fire
Β 
Β 
.DS_Store
.DS_Store
Β 
Β 
.gitignore
.gitignore
Β 
Β 
Cargo.lock
Cargo.lock
Β 
Β 
Cargo.toml
Cargo.toml
Β 
Β 
LICENSE-APACHE
LICENSE-APACHE
Β 
Β 
LICENSE-GPL2
LICENSE-GPL2
Β 
Β 
LICENSE-MIT
LICENSE-MIT
Β 
Β 
README.md
README.md
Β 
Β 
rustfmt.toml
rustfmt.toml
Β 
Β 

Repository files navigation

xdp-fire

πŸ”₯ XDP-based firewall written in pure Rust πŸ¦€. Filters packets at kernel level before they hit your network stack.

Why

Block unwanted traffic at the XDP layer - the earliest point in Linux networking. Malicious packets get dropped at the NIC, not in userspace.

NIC β†’ XDP (filter here) β†’ Network Stack β†’ Your App

Fast. Efficient. Zero CPU waste on attack traffic.

Features

  • IPv4/IPv6 filtering (allowlist/blocklist)
  • Port-based rules (drop/pass/log)
  • Per-IP rate limiting
  • Real-time statistics
  • Pure Rust (no C)

Usage

# Start filtering
sudo xdp-fire --iface eth0

# Block port
xdp-fire add-rule -p 8080 -a Drop

# Rate limit (1000 pps per IP)
xdp-fire set-rate-limit -e true -l 1000 -w 1000

# Allowlist mode
xdp-fire set-ip-mode -m allowlist
xdp-fire add-ipv4 -i 192.168.1.100

# Stats
xdp-fire show-stats

Project Structure

Standard Aya workspace β€” three crates, one build.

xdp-fire/
β”œβ”€β”€ xdp-fire-common/        # Shared types (kernel ↔ userspace)
β”‚   └── src/lib.rs           #   Action, LogLevel, IpFilterMode, RateLimitState
β”‚                            #   #![no_std] β€” must compile for both BPF and host targets
β”‚
β”œβ”€β”€ xdp-fire-ebpf/           # eBPF program (runs inside the Linux kernel)
β”‚   └── src/main.rs          #   Packet parsing, map lookups, XDP_PASS/XDP_DROP verdicts
β”‚                            #   #![no_std], #![no_main] β€” compiled to BPF bytecode
β”‚
β”œβ”€β”€ xdp-fire/                # Userspace binary (loads eBPF, CLI, map management)
β”‚   β”œβ”€β”€ build.rs             #   Invokes aya_build to compile the eBPF crate
β”‚   β”œβ”€β”€ src/main.rs          #   CLI (clap), map pinning, stats display, XDP attach
β”‚   └── tests/               #   Integration tests β€” load eBPF, poke maps from userspace
β”‚
└── scripts/
    └── benchmark.sh         # iperf3-based throughput comparison (baseline vs XDP)

How they connect: cargo build triggers xdp-fire/build.rs, which compiles xdp-fire-ebpf into BPF bytecode and embeds it into the final binary. At runtime, the userspace binary loads that bytecode into the kernel and communicates with it through eBPF maps pinned at /sys/fs/bpf/xdp-fire/.

Build

# Requirements
rustup toolchain install stable
rustup toolchain install nightly --component rust-src
cargo install bpf-linker

# Build
cargo build --release

# Run (requires root)
sudo ./target/release/xdp-fire --iface <interface>

Testing

25 tests covering eBPF loading, maps, and filtering logic.

cargo test --release

Limitations

Stateless filtering only. No connection tracking, no config persistence, no GeoIP. Add them if you need them.

Stack

Built with Aya - pure Rust eBPF framework.

Kernel and userspace code both in Rust. No C required.

License

Userspace: MIT or Apache-2.0 eBPF: GPL-2 or MIT

About

πŸ”₯ XDP-based firewall written in pure Rust. Filters packets at kernel level before they hit your network stack.

Resources

Readme

License

Apache-2.0 and 2 other licenses found

Licenses found

Apache-2.0
LICENSE-APACHE
GPL-2.0
LICENSE-GPL2
MIT
LICENSE-MIT
Activity

Stars

3 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages