2. XDP Accelerator

By combining XDP (eXpress Data Path) and eBPF (extended Berkeley Packet Filter), a program can be written that offloads the filtering of network traffic to the NIC (Network Interface Card) driver for lightning-fast packet processing. The eBPF program is attached directly to the NIC driver to process network data at a very low level, and eBPF is used to implement the network traffic logic.

This allows network data processing to be performed directly in the NIC driver without the data having to traverse the entire Linux kernel, resulting in faster processing and better performance.

XDP Stack

VT AIR XDP is an add-on to nftables: once a connection has been confirmed and allowed by the firewall rules, it is accelerated by a factor of 5. This combines the traditional, comprehensive protection of nftables with the speed of XDP, the best of both worlds.

Our VT AIR XDP/eBPF offloader is a powerful tool that can handle a variety of network traffic scenarios. It supports both TCP and UDP traffic, the two most common protocols on the Internet. This means that the offloader can handle a wide range of applications such as web browsing, file transfers, and video streaming.

In addition, VT AIR XDP can handle SNAT (Source Network Address Translation), DNAT (Destination Network Address Translation) and routing. SNAT and DNAT are techniques to modify the source and destination addresses of network packets, respectively, while routing is the function that directs the packets between different networks. By supporting these features, our offloader provides flexible and powerful network filtering capabilities.

VT AIR XDP also supports VLAN (Virtual LAN), QinQ (Dual Tagged VLAN) and PPPoE (Point-to-Point Protocol over Ethernet) connections.

XDP Interface Stacking
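The division of work described above (nftables confirms a connection, after which its packets take a fast path, including VLAN and QinQ frames), as an added userspace C model; it is not VT AIR code and not an eBPF program. The flow table, `offload`, `classify` and the sample frame are assumptions made for illustration, and the model covers IPv4 TCP/UDP over Ethernet with up to two VLAN tags only.

```c
/* Added example: userspace model of a fast-path lookup, not VT AIR code. */
#include <stddef.h>
#include <stdint.h>
enum verdict { SLOW_PATH, FAST_PATH };   /* hand to nftables vs. forward in driver */
struct flow { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };
static struct flow offloaded[16];        /* hypothetical table of confirmed flows */
static size_t n_offloaded;

int offload(const struct flow *f) {      /* model: the firewall accepted this flow */
    if (n_offloaded == 16) return -1;
    offloaded[n_offloaded++] = *f;
    return 0;
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }

/* Ethernet (+ up to two VLAN tags) / IPv4 / TCP or UDP -> 5-tuple; -1 if unsupported. */
static int parse(const uint8_t *pkt, size_t len, struct flow *f) {
    if (len < 14) return -1;
    size_t off = 14;                                   /* past MACs and outer EtherType */
    uint16_t type = be16(pkt + 12);
    for (int n = 0; n < 2 && (type == 0x8100 || type == 0x88A8); n++) {
        if (len < off + 4) return -1;                  /* bounds check before each read */
        type = be16(pkt + off + 2); off += 4;          /* skip TCI, read inner type */
    }
    if (type != 0x0800 || len < off + 20) return -1;   /* IPv4 only in this model */
    const uint8_t *ip = pkt + off;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < off + ihl + 4) return -1;
    if ((be16(ip + 6) & 0x3FFF) || (ip[9] != 6 && ip[9] != 17)) return -1; /* no fragments; TCP/UDP */
    *f = (struct flow){ be32(ip + 12), be32(ip + 16), be16(ip + ihl), be16(ip + ihl + 2), ip[9] };
    return 0;
}

enum verdict classify(const uint8_t *pkt, size_t len) {
    struct flow f;
    if (parse(pkt, len, &f) != 0) return SLOW_PATH;    /* unparsed traffic: firewall decides */
    for (size_t i = 0; i < n_offloaded; i++) {
        const struct flow *o = &offloaded[i];
        if (o->saddr == f.saddr && o->daddr == f.daddr && o->sport == f.sport &&
            o->dport == f.dport && o->proto == f.proto) return FAST_PATH;
    }
    return SLOW_PATH;                                  /* unknown flow: firewall decides */
}

/* Constructed sample: QinQ IPv4/UDP frame, 192.0.2.1:5000 -> 198.51.100.2:53, checksums zero. */
uint8_t sample_frame[] = { 2,0,0,0,0,1, 2,0,0,0,0,2, 0x88,0xA8,0,100, 0x81,0x00,0,10, 0x08,0x00,
    0x45,0,0,28, 0,0,0x40,0, 64,17,0,0, 192,0,2,1, 198,51,100,2,
    0x13,0x88, 0,53, 0,8, 0,0 };
```

Every packet the model cannot parse or match falls back to `SLOW_PATH`, so the firewall rules remain the only place where a new connection can be admitted.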

2.1. VT AIR XDP Speedups

We tested our VT AIR XDP against a normal nftables firewall. For the test we used three different devices on three different architectures.

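| Device             | CPUs                | NFTables pps | VT AIR XDP pps | Speedup |
|--------------------|---------------------|--------------|----------------|---------|
| VT AIR 100 (armhf) | 2x Cortex v7        | 146 Kpps     | 775 Kpps       | 5,3     |
| VT AIR 600 (arm64) | 4x A72              | 594 Kpps     | 2840 Kpps      | 4,8     |
| VT AIR 500 (x86)   | 4x Intel Atom C3558 | 659 Kpps     | 3192 Kpps      | 4,8     |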

XDP Speedup

2.2. VT AIR XDP DDoS Protection

VT AIR XDP is also capable of blocking DDoS traffic at very high rates. This is an important capability for networks at high risk of DDoS attacks, such as hosting environments, critical infrastructure, popular websites, or other high-value targets. By using our offloader to block DDoS attacks, network operators can help keep their networks running smoothly and avoid costly downtime.