Hi all,

I was just wondering, is there an ethtool equivalent in OpenBSD? In particular I'm interested in trying to harness some of the features in the XL710 and more advanced Intel Ethernet chipsets, where they allow a (limited) number of filter rules to be applied to a given network interface, for example to drop high packet rate UDP floods / amplification attacks:

# drop NTP responses (good and bad) inbound on interface enp134s0f0
ethtool --config-ntuple enp134s0f0 flow-type udp4 src-port 123 action -1

# drop DNS responses (good and bad) inbound on interface enp134s0f0
ethtool --config-ntuple enp134s0f0 flow-type udp4 src-port 53 action -1

The benefit of using the NIC's ability to filter would be to reduce the effects of a high packet rate attack against the OpenBSD router.

What way would the OpenBSD devs think this should be done? Extending ifconfig, or a separate tool? It would be nice if the tool's commands were more like pf and less like ethtool (because the syntax of ethtool sucks a little here).

Some downside risks of the hardware filtering offload are that it is not immediately obvious to someone analysing the firewall rules that there is a hardware filter in place... Perhaps this could be mitigated somehow; it might be an idea to prepend a line comment to /etc/pf.conf to give the sysadmin a hint that there is a hardware filter in play before the firewall gets to see the packets...

Any interest? Ideas? Alternative viewpoints on it...

Thanks for your time,
Tom Smyth
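An added example, not code from the original post: a small POSIX sh wrapper that applies the two ethtool ntuple drop rules quoted above and prepends the suggested hint comment to pf.conf, once per rule, so whoever reads the firewall rules can see that the NIC drops those packets before pf does. It assumes a Linux host with ethtool and an ntuple-capable NIC; ETHTOOL and PF_CONF are variable names chosen for this script, not ethtool or OpenBSD options.

```shell
#!/bin/sh
# Added example: apply NIC hardware drop rules via ethtool and record a hint
# line in pf.conf. ETHTOOL and PF_CONF are this script's own knobs (assumed
# names), e.g. ETHTOOL=true for a dry run, PF_CONF=/tmp/pf.conf for testing.

ETHTOOL="${ETHTOOL:-ethtool}"
PF_CONF="${PF_CONF:-/etc/pf.conf}"

# ethtool arguments that drop inbound UDP/IPv4 with the given source port
# on the given interface ("action -1" is ethtool's drop target).
ntuple_drop_args() {
    printf '%s' "--config-ntuple $1 flow-type udp4 src-port $2 action -1"
}

# One-line comment that records the hardware filter next to the pf rules.
pf_hint_line() {
    printf '%s' "# NOTE: NIC filter on $1 drops inbound udp4 src-port $2 before pf sees it"
}

# Prepend the hint to pf.conf, but only if it is not already there (idempotent).
record_hint() {
    hint="$(pf_hint_line "$1" "$2")"
    grep -qxF "$hint" "$PF_CONF" && return 0
    tmp="$(mktemp)" || return 1
    { printf '%s\n' "$hint"; cat "$PF_CONF"; } > "$tmp" && mv "$tmp" "$PF_CONF"
}

# Install one hardware drop rule and, only if that succeeds, record it.
apply_hw_drop() {
    # Unquoted expansion is intended: the argument string has no spaces
    # inside any single argument, so word splitting yields the ethtool args.
    "$ETHTOOL" $(ntuple_drop_args "$1" "$2") || return 1
    record_hint "$1" "$2"
}

# The two rules from the post: drop NTP and DNS responses arriving on enp134s0f0.
if [ "${1:-}" = "apply" ]; then
    apply_hw_drop enp134s0f0 123
    apply_hw_drop enp134s0f0 53
fi
```

Run as root with `sh hwdrop.sh apply` to install the rules; with `ETHTOOL=true PF_CONF=/tmp/pf.conf sh hwdrop.sh apply` it only exercises the pf.conf bookkeeping.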