I tested hardware filters on my Ubuntu+82599 development environment and everything seemed to work great. I've further read Intel and ethtool documentation, but I've been unable to find a solution to my next question. I've got a DNS analysis tool and I would like to only accept UDP packets sent to/from 53 port (DNS request/responses) and drop everything else. In your opinion, is by any means possible to implement a hardware filter like this one (drop all non-UDP packets and not sent to 53 port) below:
ethtool --config-ntuple eth4 flow-type !udp4 dst-port !53 action -1
Thanks in advance and best regards,
Good day. Please try to use the following command :
Iptables –A INPUT –p UDP –i eth4 –destination-port 53 –j ALLOW
Or iptables –A INPUT –p UDP –i eth4 –destination-port !53 –j DROP
Hope this helps.
thank you for your answer. That's how we do it currently, but we are developing a very cpu-intensive system and want to release the linux kernel from this processing. Hardware filters or Perfect filters running on the NIC are going to be used, but we would prefer one single negative ( ! ) filter to drop all packets not intended to be analyzed, rather than multiple filters to drop, for instance:
* udp and dst port 161 or 162...
* and so on
I'm starting to think that the filter we are searching for is not feasible at all (running on the NIC).
Thanks and best regards,
Since it seems to be impossible to be accomplished with one single filter rule, I'm trying to add as many filter rules as required. My first rule is for DNS requests (analyzed traffic is mainly DNS and this filter is supposed to filter out 40 to 50% from original traffic) and it runs fine. When I try to add a rule to filter out TCP traffic it fails as shown below:sudo ethtool --config-ntuple em50 flow-type udp4 dst-port 53 action -1
Added rule with ID 8189
sudo ethtool --config-ntuple em50 flow-type tcp4 action -1
rmgr: Cannot insert RX class rule: Invalid argument
If I change the order of the rules the same error is returned, but both rules work fine when applied alone. It's the same when I try to filter out any of the other protocols supported for flow-type.
I would greatly appreciate any suggestion on how to solve this issue.
Thank you very much and best regards,
Thanks for the update.
The filters you are trying to configure cannot be done on the network card. That's why you are getting those errors. You will have to do it on the firewall.
Hope this helps.