eXpress Data Path (XDP) provides high-performance packet processing inside the Linux kernel. In this chapter, we outline XDP layers, packet descriptors, and drop filters.
XDP Driver Execution
XDP code is executed by the kernel inside the network card’s driver layer, before the OS allocates standard socket memory structures (sk_buff). This allows processing packets with absolute minimum cycle counts.
eBPF Program Structure
An eBPF filter inspects packet boundaries and returns a decision code:
XDP_DROP: Discards the packet immediately (ideal for DDOS filtering).XDP_PASS: Passes the packet up to the normal kernel network stack.XDP_TX: Bounces the packet back out of the same interface.
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
SEC("xdp")
int filter_packet(struct xdp_md *ctx) {
// Read packet memory pointers
void *data = (void *)(long)ctx->data;
void *data_end = (void *)(long)ctx->data_end;
// Safety checks required by the kernel verifier before passing
return XDP_PASS;
}