From: Thomas Graf <tg...@suug.ch>
Date: Thu, 1 Dec 2016 15:58:34 +0100

> The benefits of XDP for this use case are extremely obvious in combination
> with local applications which need to be protected. ntuple filters won't
> cut it. They are limited and subject to a certain rate at which they
> can be configured. Any serious mitigation will require stateful filtering
> with at least minimal L7 matching abilities and this is exactly where XDP
> will excel.

+1

Saying that ntuple filters can handle the early drop use case doesn't take into consideration the nature of the tables (hundreds of thousands of "evil" IP addresses), whether hardware can actually handle that (it can't), and whether simple IP address matching is the full extent of it (it isn't).

Most of the time when I hear anti-XDP rhetoric, it usually comes from a crowd who for some reason feels threatened by the technology and what it might replace and make useless.

That to me says that we are _exactly_ going down the right path.