Comment by leath
4 years ago
We already have a token in the protocol and this is indeed a viable way to help drop invalid traffic. However, none of us are really experienced enough with the networking stack of the Linux kernel (nor are these things very well documented) to craft a conntrack module or an XDP program to parse the header and keep track of the assigned tokens. Dropping these any later than the nftables stage is just not enough, as we already do that.
We have a small team who work on this project in our free time and most of us just don’t currently have the time to dig into conntrack/nftables/xdp.
I found this tutorial [0] and example [1] on how to read/update BPF hashtable data from the Python bcc module. If the UDP packet structure is not too complex, it might not be too hard to implement, I guess.
[0] https://duo.com/labs/tech-notes/writing-an-xdp-network-filte...
[1] https://lwn.net/Articles/747640/
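As an added illustration of the XDP approach discussed above (example code written for this page, not from the thread or the project): a userspace C model of the filter's parsing logic, with the explicit bounds check the BPF verifier requires before each header is read, and a fixed table standing in for the bcc-managed BPF hash map of issued tokens. It assumes an 8-byte token at the start of the UDP payload on port 4242, since the real header layout is not given.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum { VERDICT_DROP = 1, VERDICT_PASS = 2 };  /* stand-ins for XDP_DROP / XDP_PASS */
#define SERVICE_PORT 4242                     /* assumed UDP port of the protocol */
#define TOKEN_LEN 8                           /* assumed token size; real layout unknown */

/* Stand-in for a BPF hash map of issued tokens that userspace (e.g. bcc) keeps updated. */
static const uint8_t valid_tokens[][TOKEN_LEN] = {
    {0xde, 0xad, 0xbe, 0xef, 0x00, 0x11, 0x22, 0x33},   /* constructed sample token */
};

static int token_known(const uint8_t *t) {
    for (size_t i = 0; i < sizeof valid_tokens / TOKEN_LEN; i++)
        if (memcmp(valid_tokens[i], t, TOKEN_LEN) == 0) return 1;
    return 0;
}

/* Parse Ethernet/IPv4/UDP; each header is bounds-checked against the end of the
 * buffer before it is read, as the BPF verifier would insist on in real XDP code. */
int filter_packet(const uint8_t *data, size_t len) {
    const uint8_t *p = data, *end = data + len;
    if ((size_t)(end - p) < 14) return VERDICT_PASS;
    if (p[12] != 0x08 || p[13] != 0x00) return VERDICT_PASS;   /* not IPv4: leave alone */
    p += 14;
    if ((size_t)(end - p) < 20) return VERDICT_PASS;
    if (p[9] != 17) return VERDICT_PASS;                       /* not UDP */
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;
    if (ihl < 20 || (size_t)(end - p) < ihl) return VERDICT_DROP;   /* malformed IHL */
    p += ihl;
    if ((size_t)(end - p) < 8) return VERDICT_PASS;
    uint16_t dport = (uint16_t)((p[2] << 8) | p[3]);
    if (dport != SERVICE_PORT) return VERDICT_PASS;            /* other services untouched */
    p += 8;
    if ((size_t)(end - p) < TOKEN_LEN) return VERDICT_DROP;    /* too short to carry a token */
    return token_known(p) ? VERDICT_PASS : VERDICT_DROP;
}

/* Builds a constructed 50-byte frame (Ethernet + IPv4 + UDP + token) and filters
 * the first `len` bytes of it, so truncated packets can be exercised too. */
int check_frame(uint16_t dport, const uint8_t *token, size_t len) {
    uint8_t buf[50] = {0};
    buf[12] = 0x08; buf[13] = 0x00;                 /* EtherType IPv4 */
    buf[14] = 0x45; buf[23] = 17;                   /* version 4, IHL 5; protocol UDP */
    buf[36] = (uint8_t)(dport >> 8); buf[37] = (uint8_t)dport;   /* UDP destination port */
    memcpy(buf + 42, token, TOKEN_LEN);             /* token at start of UDP payload */
    return filter_packet(buf, len < sizeof buf ? len : sizeof buf);
}
```

In a real XDP program the same checks are written against `data_end` from `struct xdp_md`, and `token_known` becomes a `bpf_map_lookup_elem` on the hash map that the bcc script populates.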