Chaining
Filters, both ingress (XDP) and egress (TC), are organized into a chain. A filter may consume a packet, meaning that it either drops it or hands it to the Linux TCP/IP stack; once a packet is consumed, no subsequent filter sees it. Otherwise the packet is processed by the filters sequentially until one of them consumes it or it reaches the default policy.
If no rules are loaded, all packets are allowed (no filtering is applied).
Filtering rules are applied in the following order:
IP Filter for IP anomalies and next-level protocols
ICMP messages:
- ICMP filter by message type
- source filter by source IP address or network
TCP segments:
- TCP anomaly filter
- source filter by source IP address or network
- source filter by source port
- TCP authentication filter
- TCP RST rate limit
- TCP SYN cookies or TCP SYN rate limit
- ingress destination filter by <IP address, port, protocol> tuple
- egress destination filter by <IP address, port, protocol> tuple
UDP datagrams:
- UDP anomaly filter
- DNS filter
- source filter by source IP address or network
- source filter by port
- ingress destination filter by <IP address, port, protocol> tuple
- egress destination filter by <IP address, port, protocol> tuple
A whitelist policy for specific source IP addresses can be implemented by using the allow action in the source filter (see details below).
The source filter by IP address or network, the source filter by port, the destination filter and the ICMP filter each apply the defaults from the defaults section as part of their own evaluation: traffic that matches no explicit rule in that filter gets the default action configured for its protocol. There is no separate default-rule evaluation stage after all filters have run.
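To make the consume-versus-continue behaviour and the in-filter defaults concrete, here is a small Python model of the chain. It is an added illustration for this page, not xfw's own code: it follows the UDP ordering listed above (anomaly check, source filter, destination filter) with rule tables loosely based on the configuration example, and it assumes that allow passes the packet to the next filter, that block consumes it, and that a packet reaching the end of the chain is delivered to the stack. The zero-source-port anomaly check, the class and function names, and the sample packets are all constructed for the example.

```python
"""Model of a first-consume-wins filter chain (added example, not xfw code)."""
import ipaddress
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    CONTINUE = "continue"  # not consumed: hand the packet to the next filter
    ACCEPT = "accept"      # consumed: deliver to the TCP/IP stack, stop here
    DROP = "drop"          # consumed: discard, stop here


@dataclass
class Packet:
    proto: str    # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    ts: float = 0.0  # simulated clock in seconds; drives the rate limiter

    @property
    def key(self):
        """Protocol key in the config's spelling, e.g. "ip4.udp"."""
        return f"ip{ipaddress.ip_address(self.src).version}.{self.proto}"


# Actions: each takes a packet and returns a Verdict.
def allow(_pkt):
    return Verdict.CONTINUE  # assumption: allow means "pass to the next filter"


def block(_pkt):
    return Verdict.DROP


class RateLimit:
    """Token bucket allowing `pps` packets per second, refilled from pkt.ts."""
    def __init__(self, pps):
        self.pps, self.tokens, self.last = pps, float(pps), 0.0

    def __call__(self, pkt):
        elapsed = max(0.0, pkt.ts - self.last)
        self.tokens = min(self.pps, self.tokens + elapsed * self.pps)
        self.last = pkt.ts
        if self.tokens >= 1:
            self.tokens -= 1
            return Verdict.CONTINUE
        return Verdict.DROP


# Filters, in the order the text gives for UDP datagrams.
def udp_anomaly_filter(pkt):
    # Constructed check for this example: a zero source port counts as anomalous.
    return Verdict.DROP if pkt.proto == "udp" and pkt.sport == 0 else Verdict.CONTINUE


class SourceFilter:
    """Match (protocol key, source network); unmatched traffic gets the
    per-protocol default, evaluated inside this filter, not afterwards."""
    def __init__(self, rules, defaults):
        self.rules = [(k, ipaddress.ip_network(n), act) for k, n, act in rules]
        self.defaults = defaults

    def __call__(self, pkt):
        addr = ipaddress.ip_address(pkt.src)
        for key, net, act in self.rules:
            if key == pkt.key and addr.version == net.version and addr in net:
                return act(pkt)
        return self.defaults.get(pkt.key, allow)(pkt)


class DestinationFilter:
    """Match the <IP address, port, protocol> tuple, default otherwise."""
    def __init__(self, rules, default):
        self.rules = {(k, ip, port): act for k, ip, port, act in rules}
        self.default = default

    def __call__(self, pkt):
        return self.rules.get((pkt.key, pkt.dst, pkt.dport), self.default)(pkt)


def evaluate(chain, pkt):
    """Run the chain in order; the first consuming verdict wins.
    Returns (verdict, trace), where trace lists every filter that ran."""
    trace = []
    for name, flt in chain:
        verdict = flt(pkt)
        trace.append((name, verdict))
        if verdict is not Verdict.CONTINUE:
            return verdict, trace
    return Verdict.ACCEPT, trace  # assumption: end of chain delivers to the stack


def build_chain():
    """Constructed rule set loosely following the page's configuration example."""
    src = SourceFilter(
        rules=[("ip4.udp", "10.0.0.0/9", allow),
               ("ip4.udp", "172.16.0.0/12", RateLimit(pps=2))],
        defaults={"ip4.udp": block, "ip4.tcp": allow},
    )
    dst = DestinationFilter(rules=[("ip4.udp", "192.168.1.10", 443, allow)],
                            default=block)
    return [("udp_anomaly", udp_anomaly_filter), ("src", src), ("dst", dst)]


if __name__ == "__main__":
    chain = build_chain()
    for p in [Packet("udp", "10.1.2.3", 5353, "192.168.1.10", 443),
              Packet("udp", "8.8.8.8", 5353, "192.168.1.10", 443)]:
        verdict, trace = evaluate(chain, p)
        print(f"{p.src} -> {p.dst}:{p.dport}: {verdict.value}",
              "via", [f"{n}={v.value}" for n, v in trace])
```

The trace returned by evaluate shows which filter consumed a packet: a source that matches no src rule is dropped by the ip4.udp default inside the source filter and never reaches the destination filter, while a packet from a rate-limited source is only dropped once its bucket is empty, and a burst that exhausts the bucket recovers as the simulated clock advances.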
A configuration example
xfw {
    evaluation_mode;
    net ip4 {
        127.0.0.1,
        127.0.0.0/8
    }
    net ip6 {
        3001:db8:85a3::8a2e:370:7334/120
    }
    tcp_anomaly_filter;
    tcp_auth_filter;
    tcp_syncookies passive_timer=1 flood_timer=1;
    ratelimit=whitelist_ratelimit bps=30000 pps=1000;
    ratelimit=ms_ratelimit bps=40000 pps=2000;
    ratelimit=default_ratelimit pps=5 bps=30000;
    src=my_white_list1 ip6.udp : ratelimit=whitelist_ratelimit {
        1001:0db8:85a3:0000:0000:8a2e:0370:7334/100,
        2001:0db8:85a3:0000:0000:8a2e:0370:7334/110,
    }
    src=my_ratelimited2 ip4.udp : allow {
        10.0.0.0/9,
        1.1.1.1,
        :443,
        :80-88,
    }
    src ip4.tcp { uk, au }
    src ip6.tcp { uk, au }
    dst=microservice1 ip4.udp : ratelimit=whitelist_ratelimit {
        1.1.1.1:8001,
        127.0.0.1:50
    }
    dst=microservice2 ip4.udp : ratelimit=ms_ratelimit {
        192.168.1.10:443,
        192.168.1.10:80
    }
    icmp ip6 : allow {10, 12}
    tcp_flags syn : ratelimit=default_ratelimit;
    defaults {
        src_ip ip4.tcp: allow;
        src_ip ip4.udp: block;
        src_ip ip6: ratelimit = default_ratelimit;
        src_port ip4.udp: block;
        src_port ip4.tcp: allow;
        src_port ip6: allow;
        dst: block;
        icmp ip4: allow;
        icmp ip6: block;
    }
}