Видео

could you report your ipv6 checksum issue here github.com/xdp-project/bpf-examples/issues since xdp-synproxy is hosted there. I am not expert on ipv6, but if you can report the issue there with details, either me or others could help

Okk sir thank you

Plz check I reported

@@thekalamart_ I see your report, based on your report, no context about XDP SYNPROXY, but just ipv6 checksum and load balancer, this is more generic ebpf programing, I suggest you to ask such question ini stackoverflow website, or cilium eBPF slack channel

or you can join loxilb slack channel, loxilb is a load balancer project, they are expert on this

you can compile the program here github.com/xdp-project/bpf-examples/tree/master/xdp-synproxy, or even try out github.com/vincentmli/BPFire if possible :)

it supports ipv6

@@BPFireOSthank you for reply

You mean run ipfire under windows hyper v?

yes, it can, just need program XDP to do UDP DDoS

IPFire is Linux based open source operating system, unlike centos though, every IPFire package is built from source and can be installed/removed with pakfire package system

client is from your local network or from public network? and what type of client activities you want to monitor?

or use Ubuntu KVM/qemu hypervisor with flash image that is known to work as this demo has shown

ipfire requires patches to support XDP which is not easy for ipfire user, I have built custom ipfire images with all the required patches and software addon, you can download the ISO or image here www.99os.org/download/, I will publish a video on how to enable DDoS from the Web UI, just a few mouse clicks to enable the feature :)

the iptable-trace.sh is basically borrowed from www.opensourcerers.org/2016/05/27/how-to-trace-iptables-in-rhel7-centos7/, also check the video at about 10:02

I used drawit plugin for vim editor github.com/vim-scripts/DrawIt

I don't recall cilium has ddos feature as standalone XDP layer 4 load balancer on baremetal, I think cloudflare has XDP based ddos but I don't think cloudflare has open sourced it.

@@BPFireOS I meant how to use cilium firewall on baremetal servers like how to install it, how to use it and so on

@@moshonkin I have not played with cilium host firewall, maybe I will try when I get time

here is a link on cilium firewall medium.com/@charled.breteche/kubernetes-security-explore-cilium-host-firewall-and-host-policies-de93ea9da38c, kind of tedious to setup :(

from kernel.googlesource.com/pub/scm/linux/kernel/git/bpf/bpf-next source that I compiled, follow the bpf self test build instruction. you can also clone github.com/vincentmli/go-syncookie and run the build.sh to generate the syncookie object file, but can't load it with cilium ebpf-go yet since ebpf-go does not support kernel module function call yet.

ok, it started making sense after I dug a little deeper, would love to see the final outcome.. 20G sending and 20G receiving from 2 different server. One thing, you did set target mac address of receiving server in the sending server, how to do this using IP?

you don't need anything extra with flannel, if you run standard kubernetes cluster or k3s cluster, flannel is the default CNI and VXLAN is the default see clouddocs.f5.com/containers/latest/userguide/kubernetes/

@@BPFireOS thanks for the reply. :) ill look into the manifests

I have script k3s-cilium.sh to setup k3s with cilium and manifest files here github.com/vincentmli/docs/tree/master/oid-talk-demo

and BIG-IP tunnel/selfip configuration github.com/f5devcentral/f5-ci-docs/blob/master/docs/cilium/cilium-bigip-info.rst

@@BPFireOS tyvm :)

it is manually drawed diagram :-)

i believe it does, but too long and I can't remember anymore, maybe asking in F-Stack github ?

@@BPFireOS Ok. Thank you. I will ask F-Stack github

I have not done it myself, here is an example maybe you can take a look github.com/gamemann/XDP-Dynamic-Payload-Matching