I'm wondering about eBPF / XDP support in FreeBSD / OPNsense. Is it possible to load eBPF programs into a NIC capable of XDP running FreeBSD?
This has great potential application for a firewall device, because eBPF loaded into an XDP capable NIC hardware is extremely fast, according to Cloudflare's testing (https://blog.cloudflare.com/how-to-drop-10-million-packets/#summary).
For example, I have a DEC850 v2, which appears to have hardware support for this.
Deciso DEC850 v2 has 4x Intel I225-V 2.5 GbE ports:
sudo pciconf -llcvVBa igc0
Password:
drv selector class rev hdr vendor device subven subdev
igc0@pci0:2:0:0: 020000 03 00 8086 15f3 8086 0000
vendor = 'Intel Corporation'
device = 'Ethernet Controller I225-V'
class = network
subclass = ethernet
cap 01[40] = powerspec 3 supports D0 D3 current D0
cap 05[50] = MSI supports 1 message, 64 bit, vector masks
cap 11[70] = MSI-X supports 5 messages, enabled
Table in map 0x1c[0x0], PBA in map 0x1c[0x2000]
cap 10[a0] = PCI-Express 2 endpoint max data 128(512) FLR RO NS
max read 512
link x1(x1) speed 5.0(5.0) ASPM L1(L1)
ecap 0001[100] = AER 2 0 fatal 0 non-fatal 0 corrected
ecap 0003[140] = Serial 1 f490eaffff010b7a
ecap 0018[1c0] = LTR 1
ecap 001f[1f0] = Precision Time Measurement 1
ecap 001e[1e0] = L1 PM Substates 1
According to Red Hat's eBPF docs (https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10-beta/html/configuring_firewalls_and_packet_filters/understanding-the-ebpf-networking-features-in-rhel-10#overview-of-xdp-features-in-productshortname-productnumber-by-network-cards), this hardware is capable of XDP (eXpress Data Path (https://en.wikipedia.org/wiki/Express_Data_Path)):
| Network card | Driver | Basic | Redirect | Target | HW offload | Zero-copy | Large MTU |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Intel® Ethernet Controller I225-LM/I225-V family | igc | yes | yes | yes [a] | no | yes | yes [c] |
- [a]: Only if an XDP program is loaded on the interface.
- [c]: Transmitting side only. Cannot receive large packets through XDP.
Is it possible to leverage XDP from FreeBSD / OPNsense?
eBPF is Linux only as far as I know.
Quote from: Patrick M. Hausen on March 21, 2025, 04:43:37 PM
eBPF is Linux only as far as I know.
For running kernel-space eBPF sandboxed programs, it seems that might be a limitation with FreeBSD's kernel.
🤔 What about loading a pre-compiled XDP into the Intel hardware from FreeBSD? Theoretically, could this be possible?
[1]: To be clear, I'm talking about hardware mode / XDP_MODE_HW (https://github.com/xdp-project/xdp-tools/blob/main/xdp-dump/xdpdump.c#L69), assuming that the NIC supports offloading the eBPF program onto the NIC hardware itself.
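For readers unfamiliar with what the opening post and footnote [1] are asking to load into the NIC, the following is an added example, not code from this thread, from OPNsense or from FreeBSD: a minimal XDP program in C that drops IPv4 frames whose source address is on a small blocklist and passes everything else to the normal stack. It is Linux-only, since it depends on the kernel's BPF verifier and an XDP-capable driver such as igc, which is exactly the limitation the replies point at. The blocklist addresses are constructed (192.0.2.0/24 documentation range), and the host-side helpers (`build_ipv4_frame`, `verdict_for_src`, `verdict_for_runt`, `verdict_for_non_ipv4`) are assumptions for unit testing the parsing logic on an ordinary machine, not part of any XDP API. For the kernel it is built with `clang -O2 -g -target bpf -c xdp_blocklist.c -o xdp_blocklist.o` and attached with `ip link set dev <if> xdpdrv obj xdp_blocklist.o sec xdp` (driver mode) or `xdpoffload` in place of `xdpdrv` for the hardware mode the footnote refers to.

```c
#include <stddef.h>
#include <stdint.h>

#ifdef __BPF__
/* Kernel build (clang -target bpf): real XDP definitions. */
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#else
/* Host build (unit test only): mirror the two XDP verdicts this program returns. */
enum { XDP_DROP = 1, XDP_PASS = 2 };
#endif

#define ETH_HLEN 14
#define ETH_P_IP 0x0800
#define IPV4_HLEN_MIN 20

/* Constructed blocklist of IPv4 /32 sources. A production program would keep this
 * in a BPF map (e.g. BPF_MAP_TYPE_LPM_TRIE) so userspace can update it without
 * reloading the program; a constant array keeps the example self-contained. */
static const uint8_t BLOCKED_SRC[][4] = {
    {192, 0, 2, 10},
    {192, 0, 2, 11},
};
#define N_BLOCKED (sizeof(BLOCKED_SRC) / sizeof(BLOCKED_SRC[0]))

/* Read a big-endian 32-bit value from unaligned bytes. */
static inline __attribute__((always_inline)) uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Verdict for one frame. Every access is preceded by a bounds check against
 * data_end: the BPF verifier rejects the program otherwise, and the same checks
 * keep the host build memory-safe on short frames. */
static inline __attribute__((always_inline)) int filter_frame(const uint8_t *data,
                                                              const uint8_t *data_end)
{
    if (data + ETH_HLEN + IPV4_HLEN_MIN > data_end)
        return XDP_PASS;                               /* too short: leave it to the stack */
    if ((((uint16_t)data[12] << 8) | data[13]) != ETH_P_IP)
        return XDP_PASS;                               /* EtherType at offset 12..13 */
    const uint8_t *ip = data + ETH_HLEN;
    if ((ip[0] >> 4) != 4)
        return XDP_PASS;                               /* version nibble must be 4 */
    uint32_t src = be32(ip + 12);                      /* source address at IPv4 offset 12 */
    for (size_t i = 0; i < N_BLOCKED; i++)
        if (src == be32(BLOCKED_SRC[i]))
            return XDP_DROP;
    return XDP_PASS;
}

#ifdef __BPF__
SEC("xdp")
int xdp_blocklist(struct xdp_md *ctx)
{
    /* ctx->data / data_end are 32-bit fields the verifier rewrites into pointers. */
    return filter_frame((const uint8_t *)(long)ctx->data,
                        (const uint8_t *)(long)ctx->data_end);
}
char _license[] SEC("license") = "GPL";
#else
/* Host-only test helpers (assumed, not an XDP API). build_ipv4_frame writes a
 * minimal Ethernet + IPv4 header with the given source address and returns its
 * length; the verdict_* functions feed constructed frames through filter_frame. */
size_t build_ipv4_frame(uint8_t *buf, const uint8_t src[4])
{
    size_t i;
    for (i = 0; i < ETH_HLEN + IPV4_HLEN_MIN; i++) buf[i] = 0;
    buf[12] = 0x08; buf[13] = 0x00;                    /* EtherType IPv4 */
    buf[ETH_HLEN] = 0x45;                              /* version 4, IHL 5 */
    for (i = 0; i < 4; i++) buf[ETH_HLEN + 12 + i] = src[i];
    return ETH_HLEN + IPV4_HLEN_MIN;
}

int verdict_for_src(const uint8_t src[4])
{
    uint8_t frame[64];
    size_t len = build_ipv4_frame(frame, src);
    return filter_frame(frame, frame + len);
}

/* A 14-byte frame: Ethernet header only, no room for an IPv4 header. */
int verdict_for_runt(void)
{
    uint8_t frame[ETH_HLEN] = {0};
    frame[12] = 0x08;
    return filter_frame(frame, frame + ETH_HLEN);
}

/* Blocked bytes at the IPv4 source offset, but EtherType says IPv6 (0x86DD):
 * the EtherType check must win, otherwise unrelated traffic would be dropped. */
int verdict_for_non_ipv4(void)
{
    uint8_t frame[64];
    const uint8_t blocked[4] = {192, 0, 2, 10};
    size_t len = build_ipv4_frame(frame, blocked);
    frame[12] = 0x86; frame[13] = 0xDD;
    return filter_frame(frame, frame + len);
}
#endif
```

The decision logic lives in `filter_frame`, which compiles identically for the BPF target and for the host, so the bounds checks the verifier insists on can be exercised with ordinary unit tests before the object is ever loaded; the host build is what makes the `#else` branch exist.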
Quote from: trinitronx on March 21, 2025, 04:30:26 PM
[...]
This has great potential application for a firewall device, because eBPF loaded into an XDP capable NIC hardware is extremely fast, according to Cloudflare's testing (https://blog.cloudflare.com/how-to-drop-10-million-packets/#summary).
[...]
I'd have to read that more closely, but offhand it appears as though it can silently (no logs, possibly no sampling or other accounting) selectively discard packets at a high rate. Lots of devices can do that (many switches, a few NICs), at (pick your) line rate. I considered either using a Chelsio NIC or running my Internet link through one of my switches (for line-rate stateless filters), but I'm not exactly Cloudflare - DoS is pretty low on my list of concerns, and I really like having all of my filters in one place.
The deeper you get, the more expensive. You start with the NIC or switch filters, and pretty soon you're trying to shoehorn a hardware-assisted statekeeping plugin into VPP/DPDK running on FreeBSD. Be careful out there.