A crash in a development version of flowtrackd (the daemon that powers our Advanced TCP Protection) highlighted the fact that libxdp (and specifically the AF_XDP part) was not Linux network namespace aware. This blog post describes the debugging journey to find the bug, as well as a fix.

flowtrackd is a volumetric denial of service defense mechanism that sits in the Magic Transit customer's data path and protects the network from complex randomized TCP floods. It does so by challenging TCP connection

When a packet is determined to be valid (after a challenge or under some thresholds), it is forwarded to the second network interface.

For the rest of this post the network setup will be the following:

[Figure: flowtrackd network setup]

For example, eyeball packets arrive at the outer device in the root network namespace, they are picked up by flowtrackd and then forwarded to the inner device in the inner-ns namespace.

AF_XDP

The kernel and the userspace share a memory buffer called the UMEM. This is where packet bytes are written to and read from. The UMEM is split into contiguous equal-sized "frames" that are referenced by "descriptors", which are just offsets from the start address of the UMEM.
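As an added example (not code from the original post or from libxdp), here is a small C model of that layout: a UMEM carved into equal frames, with descriptor offsets translated back into pointers and checked against the buffer and frame bounds. The struct and function names are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Minimal model of an AF_XDP UMEM: one contiguous buffer split into
 * equal-sized frames. A descriptor's "addr" is an offset from the start of
 * the UMEM, not a pointer. Illustrative model, not libxdp's own structs. */
struct umem_model {
    uint8_t *base;       /* start address of the shared buffer */
    size_t   size;       /* total UMEM size in bytes */
    uint32_t frame_size; /* bytes per frame, e.g. 4096 */
};
#define UMEM_INVALID_FRAME UINT32_MAX

/* Allocate a UMEM of nframes equal-sized frames; returns false on failure. */
bool umem_model_init(struct umem_model *u, uint32_t nframes, uint32_t frame_size)
{
    if (nframes == 0 || frame_size == 0)
        return false;
    u->base = calloc(nframes, frame_size);
    u->size = (size_t)nframes * frame_size;
    u->frame_size = frame_size;
    return u->base != NULL;
}

/* Descriptor offset for the start of frame i (what a ring entry carries). */
uint64_t umem_frame_addr(const struct umem_model *u, uint32_t i)
{
    return (uint64_t)i * u->frame_size;
}

/* Frame a descriptor address falls in, or UMEM_INVALID_FRAME if it lies
 * outside the UMEM. An offset inside a frame is fine (packet start). */
uint32_t umem_frame_index(const struct umem_model *u, uint64_t addr)
{
    if (addr >= u->size)
        return UMEM_INVALID_FRAME;
    return (uint32_t)(addr / u->frame_size);
}

/* Descriptor (addr, len) to pointer; NULL if it leaves the UMEM or its frame. */
uint8_t *umem_desc_to_ptr(const struct umem_model *u, uint64_t addr, uint32_t len)
{
    uint32_t idx = umem_frame_index(u, addr);
    if (idx == UMEM_INVALID_FRAME || len == 0)
        return NULL;
    if (addr + len > ((uint64_t)idx + 1) * u->frame_size)
        return NULL;
    return u->base + addr;
}
```

Both the kernel and the userspace process map the same buffer, so only the offset travels through the rings; each side adds it to its own base address.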