14
What if any role did "AI" play in this project?
You mean, you don’t use “init” for all your commits?
caught me! still learning the 'professional' way to do things. at least it's better than 'fix1', 'fix2', 'asdfgh'..
“Be sure to commit with a descriptive message after each change”
Assuming you didn’t one-and-done this. Please tell me you didn’t.
I got in the zone :)
I used AI to help with the eBPF parts since it's a new and complex topic for me. It also helped me translate the README and polish this post because English isn't my first language
How have tests gone so far?
also cool concept, you can actually get eBPF XDP to compile to FPGA on some smart NICs even further pushing it away from the core system if it works!
Sorry, I'm failing to understand what this does, mostly because your description is mixing tcpip, socket, and xdp terminology.
It's an implementation of Single Packet Authorization that works at the XDP level.
Sure, but to do what, exactly? Is this meant to run on Linux routers as a prefilter? Or on hosts themselves? In the second case, why not just use 802.11x?
I don't get the use case, or what this has to do with DDOS.
Thanks for the feedback! You’re right, my description was a bit messy. Let me clarify the goal and the use case
The goal to make a VPS on the public internet completely invisible to unauthorized scans while allowing access to services (like SSH) only after a valid SPA packet is received
Traditional SPA tools (like fwknop) often use libpcap to sniff packets or iptables to block them. In both cases, unauthorized packets still hit the kernel network stack. If an attacker floods the port with junk, the kernel still spends CPU cycles processing them before they get dropped
By using XDP, I move the "drop-all" logic to the earliest possible stage. This is where the DDoS resilience comes from we drop unauthorized traffic before sk_buff allocation, making it significantly cheaper in terms of CPU resources
It’s designed to run on the host itself, acting as a "stealth" firewall
A major advantage here is that xSpa doesn't touch the netfilter/iptables stack. Unlike fwknop, which has to dynamically manage firewall rules (often leading to conflicts with Docker, UFW, or complex rulesets), xSpa operates at a lower level. It’s completely independent of whatever you have going on in your iptables configuration
And you can’t use 802.1X to protect an SSH port on a public cloud VPS
How does it route an xdp packet across an IP network of unknown hops? I thought xdp required the same broadcast domain for hosts to be able to use it.
this post was submitted on 19 Mar 2026
14 points (88.9% liked)
Linux
65428 readers
431 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 7 years ago
MODERATORS