On 01.12.2016 17:19, David Miller wrote:
> Saying that ntuple filters can handle the early drop use case doesn't
> take into consideration the nature of the tables (hundreds of
> thousands of "evil" IP addresses), whether hardware can actually
> handle that (it can't), and whether simple IP address matching is the
> full extent of it (it isn't).
Yes, that is why you certainly use ntuple filters in combination with some kind of high level business logic in user space. I have to check but am pretty sure you can't even do the simplest thing in XDP, parsing the apexes of DNS packets and checking them against a hash table, because the program won't pass the verifier.
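The check the reply describes, written out as an added example in plain C that is not code from the thread: a DNS QNAME walk with the explicit bounds checks and bounded loop an XDP program would need, feeding a constructed two-entry list that stands in for the hash map. Reducing the apex to the last two labels is an assumption made to keep the example short.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Copy the apex (simplified here to the last two labels, e.g. "example.com")
 * of the first question's QNAME into out. pkt points at the 12-byte DNS header.
 * Every read is checked against end before it happens, the shape XDP needs for
 * data_end checks; the label walk is bounded by the 127-label limit of a
 * 255-byte name. Returns the apex length, or -1 on any malformed input. */
int dns_qname_apex(const uint8_t *pkt, size_t len, char *out, size_t out_len)
{
    const uint8_t *p, *end = pkt + len, *lab[128];
    uint8_t labl[128];
    int n = 0, terminated = 0, first;
    size_t need = 0;
    char *o = out;
    if (len < 12)
        return -1;
    p = pkt + 12;
    for (int i = 0; i < 128; i++) {
        if (p >= end)
            return -1;
        uint8_t l = *p++;
        if (l == 0) { terminated = 1; break; }
        if ((l & 0xC0) || l > end - p)  /* compression pointer, or label past end */
            return -1;
        lab[n] = p; labl[n] = l; n++;
        p += l;
    }
    if (!terminated || n == 0)
        return -1;
    first = n >= 2 ? n - 2 : 0;         /* a single-label name is its own apex */
    for (int i = first; i < n; i++)
        need += labl[i] + (i > first);  /* label bytes plus a dot between labels */
    if (need + 1 > out_len)
        return -1;
    for (int i = first; i < n; i++) {
        if (i > first) *o++ = '.';
        memcpy(o, lab[i], labl[i]); o += labl[i];
    }
    *o = '\0';
    return (int)need;
}
/* Constructed two-entry list standing in for the BPF hash map a real program would use. */
static const char *const blocked_apexes[] = { "bad.example", "evil.test" };
int apex_is_blocked(const char *apex)
{
    for (size_t i = 0; i < sizeof blocked_apexes / sizeof *blocked_apexes; i++)
        if (strcmp(apex, blocked_apexes[i]) == 0)
            return 1;
    return 0;
}
```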