On Wed, Jul 31, 2019 at 11:48:24PM +0100, Tom Smyth wrote:
> Hi all,
> I was just wondering, is there an ethtool equivalent in OpenBSD?
> In particular I'm interested in trying to harness some of the features
> in the xl710 and more advanced Intel Ethernet chipsets where they
> allow a (limited) number of filter rules to be applied to a given network
> interface,
> for example to drop high packet rate UDP floods / amplification attacks:
>
> # drop NTP responses (good and bad) inbound on interface enp134s0f0
> ethtool --config-ntuple enp134s0f0 flow-type udp4 src-port 123 action -1
> # drop DNS responses (good and bad) inbound on interface enp134s0f0
> ethtool --config-ntuple enp134s0f0 flow-type udp4 src-port 53 action -1
>

Not hardware filter features, no. But you may be interested in the bpf(4)
"filter drop" feature extended recently by dlg@ and added to tcpdump(8); it
can be useful in cases where pf(4) cannot.

https://marc.info/?l=openbsd-cvs&m=155286777331151&w=2
https://man.openbsd.org/tcpdump#B

> The benefit of using the NIC's ability to filter would be to reduce the
> effects of a high packet rate attack against the OpenBSD router.
> What way would the OpenBSD devs think this should be done?
> Extending ifconfig? Or a separate tool?
>
> It would be nice if the tool's commands were more like pf and less
> like ethtool (because the syntax of ethtool sucks a little here).
> Some downside risks of the hardware filtering offload are that it is not
> immediately obvious to someone analysing the firewall rules that there is
> a hardware filter in place... perhaps this could be mitigated by some sort
> of
>
> So it might be an idea to prepend a line comment to /etc/pf.conf to give
> the sysadmin a hint that there is a hardware filter in play before the
> firewall gets to see the packets...
>
> Any interest? Ideas? Alternative viewpoints on it...
> Thanks for your time
>
> Tom Smyth.