
A crash in a development version of flowtrackd (the daemon that powers our Advanced TCP Protection) highlighted the fact that libxdp (and specifically the AF_XDP part) was not Linux network namespace aware. This blog post describes the debugging journey to find the bug, as well as a fix.

flowtrackd is a volumetric denial of service defense mechanism that sits in the Magic Transit customer's data path and protects the network from complex randomized TCP floods. It does so by challenging TCP connection establishments and by verifying that TCP packets make sense in an ongoing flow. It uses the Linux kernel AF_XDP feature to transfer packets from a network device in kernel space to a memory buffer in user space without going through the network stack. We use most of the helper functions of the C libbpf with the Rust bindings to interact with AF_XDP.

In our setup, the ingress and the egress network interfaces are in different network namespaces. When a packet is determined to be valid (after a challenge or under some thresholds), it is forwarded to the second network interface.

For the rest of this post the network setup will be the following:

[Figure: flowtrackd network setup]

For example, eyeball packets arrive at the outer device in the root network namespace, they are picked up by flowtrackd and then forwarded to the inner device in the inner-ns namespace.

AF_XDP

The kernel and the userspace share a memory buffer called the UMEM. This is where packet bytes are written to and read from. The UMEM is split into contiguous, equal-sized "frames" that are referenced by "descriptors", which are just offsets from the start address of the UMEM.
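To make the frame/descriptor relationship concrete, here is an added example (not code from the post or from flowtrackd) that models a UMEM as a contiguous region of equal-sized frames and validates a descriptor before any packet bytes are read from it. It assumes the default aligned chunk mode, where every frame starts at a multiple of the frame size, and simplifies the real kernel descriptor down to an offset and a length; the frame size and count are constructed values. The check it performs is the one a defensive user-space consumer wants: the offset must fall inside the UMEM, and the packet must not extend past the end of the frame it starts in, since the neighbouring frame may be owned by the kernel at that moment.

```rust
// Added example, not the blog's or flowtrackd's code. Models a UMEM split
// into contiguous equal-sized frames and validates descriptors (offset +
// length) before touching packet bytes. Assumes aligned chunk mode; the
// descriptor is a simplified version of the kernel's (no options field).

/// Layout of a UMEM: `frame_count` contiguous frames of `frame_size` bytes.
#[derive(Debug, Clone, Copy)]
pub struct UmemLayout {
    pub frame_size: u64,
    pub frame_count: u64,
}

/// A descriptor as exchanged on the AF_XDP rings: an offset from the start
/// of the UMEM plus the number of packet bytes that start there.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Desc {
    pub addr: u64,
    pub len: u32,
}

#[derive(Debug, PartialEq, Eq)]
pub enum DescError {
    /// The offset lies beyond the end of the UMEM.
    OutOfBounds,
    /// The packet bytes would run past the end of the frame they start in.
    CrossesFrame,
}

impl UmemLayout {
    /// Total number of bytes covered by the UMEM.
    pub fn total_size(&self) -> u64 {
        self.frame_size * self.frame_count
    }

    /// Offset of the first byte of frame `i`, if such a frame exists.
    pub fn frame_addr(&self, i: u64) -> Option<u64> {
        if i < self.frame_count {
            Some(i * self.frame_size)
        } else {
            None
        }
    }

    /// Index of the frame containing `addr`, if `addr` is inside the UMEM.
    pub fn frame_index(&self, addr: u64) -> Option<u64> {
        if addr < self.total_size() {
            Some(addr / self.frame_size)
        } else {
            None
        }
    }

    /// Validate a descriptor before reading `len` bytes at `addr`.
    pub fn validate(&self, d: Desc) -> Result<(), DescError> {
        let idx = self.frame_index(d.addr).ok_or(DescError::OutOfBounds)?;
        let frame_end = (idx + 1) * self.frame_size;
        // addr is already bounded by total_size, so this cannot overflow.
        if d.addr + u64::from(d.len) > frame_end {
            return Err(DescError::CrossesFrame);
        }
        Ok(())
    }
}

fn main() {
    // Constructed layout: four 4 KiB frames, i.e. a 16 KiB UMEM.
    let umem = UmemLayout { frame_size: 4096, frame_count: 4 };
    for i in 0..umem.frame_count {
        println!("frame {} starts at offset {}", i, umem.frame_addr(i).unwrap());
    }
    // A 1500-byte packet 64 bytes into frame 1: fits.
    println!("{:?}", umem.validate(Desc { addr: 4096 + 64, len: 1500 }));
    // 200 bytes starting 4000 bytes into the last frame: spills past its end.
    println!("{:?}", umem.validate(Desc { addr: 3 * 4096 + 4000, len: 200 }));
}
```

The same arithmetic, in the opposite direction, is how a producer turns a frame index back into the offset it places on the fill or TX ring.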
