A. VT AIR XDP Offloader – What is XDP?

Think of your computer network as a house with many rooms. Your network has doors and windows (called ports) that allow traffic to pass. Some of this traffic is good (like emails and websites) while some is bad (like viruses and hacking). Our offloader helps keep the bad traffic out and lets the good traffic in fast. The offloader works by examining every packet that enters your network. It checks whether the packet belongs to a connection that the firewall has already established and allowed. If the packet is allowed, it is forwarded to the appropriate room (called the server).

The VT AIR XDP/eBPF Offloader differs from other firewalls because it is very fast and efficient. It can process traffic extremely quickly. This means your network runs faster and smoother, even when traffic is high. Additionally, VT AIR XDP Offloader can handle many different types of traffic including websites, emails, videos and more. This makes it a versatile solution to protect your network from all types of threats. Overall, the VT AIR XDP Offloader is a powerful tool that helps keep your network running securely and smoothly while also providing fast and efficient packet processing capabilities.

B. VT AIR XDP Offloader – 5x faster than iptables/nftables

By using XDP and eBPF you can achieve significant performance improvements over iptables/nftables. VT AIR XDP Offloader offers 5x faster throughput than iptables/nftables, making it a compelling addition for high-speed network environments.

XDP Kernel Explained

The VT AIR XDP Offloader is an attachment to nftables: it accelerates connections by a factor of 5 after they have been confirmed and allowed by the firewall rules. This combines the traditional, extensive protection of nftables with the speed of XDP, the best of both worlds. The VT AIR XDP Offloader can handle a variety of network traffic scenarios. It supports both TCP and UDP traffic, the two most common protocols on the Internet, so the offloader covers a wide range of applications such as web browsing, file transfers and video streaming.

In addition, the VT AIR XDP Offloader can handle SNAT (Source Network Address Translation), DNAT (Destination Network Address Translation) and routing. SNAT and DNAT are techniques to modify the source and destination addresses of network packets, respectively, while routing is the function that directs the packets between different networks. By supporting these functions, our offloader provides flexible and powerful network filtering capabilities.

Explanation:

  1. iptables is a commonly used firewall program in Linux that uses a set of rules to filter traffic based on criteria such as source and destination IP addresses, ports, and protocols. Although iptables is a mature and reliable technology, it can become a bottleneck for high-speed networks due to the overhead of processing rules in software.
  2. nftables is a network packet filtering framework (firewall) in Linux that replaces the old iptables system. It was designed to provide a more flexible and efficient way to filter and process network traffic.

C. VT AIR XDP Offloader – Background

XDP (eXpress Data Path) was developed to work very efficiently and without unnecessary overhead. This makes XDP particularly suitable for applications that require fast processing of network data, such as network filtering and firewalling. In other words, XDP is a technology that allows network data to be processed efficiently and performantly to improve network security and performance. In addition, compared to the regular kernel network stack, XDP offers the ability to access and manipulate network data at a very low level, directly in the network driver, which enables even faster processing and greater flexibility in network data processing.

Intelligent combination of XDP and eBPF

By combining XDP (eXpress Data Path) and eBPF (extended Berkeley Packet Filter), a program can be written that offloads network traffic filtering to the NIC (Network Interface Card) driver for faster processing and better performance. The offloader attaches the eBPF program directly to the NIC driver to handle network data at a very low level; eBPF is used to implement the network traffic logic. In this way, processing of network data can be done directly in the NIC driver without the data having to traverse the entire Linux kernel, resulting in faster processing and better performance. Advantage: by combining XDP and eBPF, flexible and powerful network programs can be created.

D. VT AIR XDP Offloader – Features/Functions

XDP Stacked Interfaces

Background: VLANs are a way to divide a physical network into multiple logical networks, while QinQ allows for nested VLANs. PPPoE is a protocol used to connect network devices over a broadband connection. By supporting these technologies, the VT AIR XDP Offloader can handle complex network topologies and configurations, making it a versatile solution for different network environments.

E. Summary

In summary, the VT AIR XDP Offloader is a smart technology that offers significant advantages over traditional firewall solutions. By offloading network processing to the NIC driver using XDP and eBPF, our offloader can handle a variety of network traffic scenarios while maintaining high performance and low overhead. The VT AIR XDP Offloader supports both TCP and UDP traffic, SNAT, DNAT and routing as well as VLAN, QinQ and PPPoE connections. This makes it a versatile solution for different network environments. In addition, the VT AIR XDP Offloader is five times faster than iptables/nftables, allowing for a significant increase in network performance and throughput.

VT AIR uses nftables as a firewall backend. nftables is a network packet filtering (firewall) framework in Linux that replaces the old iptables system. It was designed to provide a more flexible and efficient way to filter and process network traffic.

After a flow (conntrack state) has been created in nftables, our VT AIR XDP offloader steps in. It fetches the flow data for the packet from the kernel and then applies the required changes: rewriting the source IP (SNAT) and destination IP (DNAT), determining the routing destination and sending the packet out of the correct network interface. All of these steps are performed very efficiently immediately after the network packet has reached the network driver, and therefore enable very fast packet forwarding with firewall protection.
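The offload step described above, modelled as an added example in user-space C (not the VT AIR offloader's code): a small flow table stands in for the BPF map fed from conntrack, and the table layout, struct names and the sample packet are constructed for illustration.

```c
/* Added example, not VT AIR's code: a user-space model of the offload step the text
 * describes. A packet's 5-tuple is looked up in a table of flows nftables already
 * accepted (standing in for the BPF map filled from conntrack); a hit gets SNAT/DNAT,
 * an incremental IPv4 checksum fix (RFC 1624) and an egress interface; a miss goes
 * up to the normal stack. Table layout, names and the packet are constructed. */
#include <stdint.h>
enum action { ACT_PASS = 0, ACT_REDIRECT = 1 };   /* like XDP_PASS / XDP_REDIRECT */
/* IPv4 header as ten host-order 16-bit words: [5]=checksum, [6..7]=src, [8..9]=dst. */
struct pkt { uint16_t ip[10]; uint16_t sport, dport; int ifindex; };
struct flow_key { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };
struct flow_val { uint32_t saddr, daddr; int ifindex; };   /* post-NAT addrs, egress */
static struct { struct flow_key k; struct flow_val v; } flows[8]; static int nflows;
struct pkt demo_pkt;   /* scratch packet for driving the model */
int flow_add(struct flow_key k, struct flow_val v) {   /* conntrack -> map, after nftables accepted */
    if (nflows == 8) return -1;
    flows[nflows].k = k; flows[nflows++].v = v; return 0;
}
static uint16_t fold(uint32_t s) { while (s >> 16) s = (s & 0xffff) + (s >> 16); return (uint16_t)s; }
uint16_t ip_checksum(const uint16_t ip[10]) {   /* full one's-complement sum, word 5 taken as zero */
    uint32_t sum = 0; for (int i = 0; i < 10; i++) if (i != 5) sum += ip[i];
    return (uint16_t)~fold(sum);
}
/* RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'): patch one changed 32-bit field without re-summing
 * the whole header, which is what an XDP program does after rewriting an address. */
static uint16_t csum_replace4(uint16_t check, uint32_t from, uint32_t to) {
    uint32_t sum = (uint16_t)~check + (uint16_t)~(from >> 16) + (uint16_t)~(from & 0xffff);
    return (uint16_t)~fold(sum + (to >> 16) + (to & 0xffff));
}

int offload(struct pkt *p) {
    uint32_t src = ((uint32_t)p->ip[6] << 16) | p->ip[7], dst = ((uint32_t)p->ip[8] << 16) | p->ip[9];
    for (int i = 0; i < nflows; i++) {
        const struct flow_key *f = &flows[i].k; const struct flow_val *v = &flows[i].v;
        if (f->saddr != src || f->daddr != dst || f->sport != p->sport ||
            f->dport != p->dport || f->proto != (p->ip[4] & 0xff)) continue;
        p->ip[5] = csum_replace4(p->ip[5], src, v->saddr);              /* SNAT */
        p->ip[5] = csum_replace4(p->ip[5], dst, v->daddr);              /* DNAT */
        p->ip[6] = v->saddr >> 16; p->ip[7] = v->saddr & 0xffff;
        p->ip[8] = v->daddr >> 16; p->ip[9] = v->daddr & 0xffff;
        p->ifindex = v->ifindex;                                         /* routing */
        return ACT_REDIRECT;
    }
    return ACT_PASS;   /* no conntrack flow yet: nftables must see this packet */
}
/* Constructed TCP packet 192.168.1.10:40000 -> 203.0.113.5:443, TTL 64, DF set. */
struct pkt sample_packet(void) {
    struct pkt p = { { 0x4500, 0x003c, 0x1c46, 0x4000, 0x4006, 0, 0xc0a8, 0x010a, 0xcb00, 0x7105 }, 40000, 443, 0 };
    p.ip[5] = ip_checksum(p.ip); return p;
}
```

Installing a flow (SNAT to 198.51.100.1, DNAT to 10.0.0.20, egress ifindex 3) and running the sample packet through offload() rewrites both addresses and leaves a header whose full checksum still matches the incrementally patched one; a packet to another port has no flow entry and falls through to nftables.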

F. VT AIR Technology

The VT AIR XDP Offloader is an integral part of the VT AIR Firewall solution. VT AIR is the powerful Next Generation Firewall for business. The smart technology from Germany perfectly combines the advantages of the proven enterprise world with the undisputed advantages of the Linux world.

G. RSS Scalability

RSS, or Receive Side Scaling, is a technique used in network processing to distribute incoming network traffic across multiple CPUs in a system. By distributing the work of processing network packets across multiple CPU cores, RSS enables a significant increase in network throughput and reduces the risk of network congestion. This is because RSS can handle a much larger number of packets than a single CPU, resulting in a linear speed increase as the number of CPUs increases.

In addition, RSS reduces the load on a single CPU and avoids overload that can lead to packet loss and network slowdowns. Overall, RSS is an important tool for high-speed networks that enables efficient and effective distribution of network traffic across multiple CPUs, resulting in faster and more reliable network performance. Without RSS, we could only process network packets on a single CPU.

VT AIR relies heavily on the NIC’s ability to distribute incoming network traffic across all available CPUs in the hardware before it hits the network driver. This allows our XDP program to run in parallel on all available CPUs to fully utilize the device’s full computing power and get the best packet processing speed.
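How the NIC decides which queue, and so which CPU, a packet lands on before the driver and the XDP program see it, as an added example (not VT AIR's or any vendor's code): the Toeplitz hash of Microsoft's RSS specification with its published verification key and test vector. The indirection-table rule and the queue count are assumptions.

```c
/* Added example, not VT AIR's code: the Toeplitz hash NICs use for Receive Side
 * Scaling. It is computed in hardware from the packet's addresses and ports and
 * selects the RX queue, and so the CPU, on which the driver and the XDP program
 * then run. Key and test vector are the public Microsoft RSS verification values;
 * the indirection-table rule and queue count are assumptions. */
#include <stdint.h>
#include <stddef.h>

static const uint8_t rss_key[40] = {   /* Microsoft's verification key */
    0x6d,0x5a,0x56,0xda,0x25,0x5b,0x0e,0xc2,0x41,0x67,0x25,0x3d,0x43,0xa3,0x8f,0xb0,
    0xd0,0xca,0x2b,0xcb,0xae,0x7b,0x30,0xb4,0x77,0xcb,0x2d,0xa3,0x80,0x30,0xf2,0x0c,
    0x6a,0x42,0xb7,0x3b,0xbe,0xac,0x01,0xfa };

/* For every set input bit at position n, XOR in the 32 key bits starting at bit n. */
uint32_t toeplitz_hash(const uint8_t *in, size_t len) {
    uint32_t hash = 0, win = ((uint32_t)rss_key[0] << 24) | ((uint32_t)rss_key[1] << 16) |
                             ((uint32_t)rss_key[2] << 8) | rss_key[3];
    for (size_t n = 0; n < len * 8; n++) {
        if (in[n / 8] & (0x80 >> (n % 8))) hash ^= win;
        size_t next = n + 32;                       /* slide the key window one bit */
        uint32_t bit = next / 8 < sizeof rss_key ? (rss_key[next / 8] >> (7 - next % 8)) & 1 : 0;
        win = (win << 1) | bit;
    }
    return hash;
}

/* TCP/IPv4 input: source address, destination address, source port, destination
 * port, concatenated in network byte order (the order the RSS spec defines). */
uint32_t rss_hash_tcp4(uint32_t saddr, uint32_t daddr, uint16_t sport, uint16_t dport) {
    uint8_t in[12];
    for (int i = 0; i < 4; i++) { in[i] = saddr >> (24 - 8 * i); in[4 + i] = daddr >> (24 - 8 * i); }
    in[8] = sport >> 8; in[9] = sport; in[10] = dport >> 8; in[11] = dport;
    return toeplitz_hash(in, sizeof in);
}

/* Drivers typically index their indirection table with the low hash bits; a
 * 128-entry table filled round-robin over nqueues reduces to this (assumption). */
unsigned rss_queue(uint32_t hash, unsigned nqueues) { return (hash & 0x7f) % nqueues; }
```

Every packet of one flow produces the same hash and therefore stays on one queue, which is what lets the XDP program on each CPU work on its share of flows without coordination.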

H. Speedups

Firewalling is a critical aspect of network security, and a firewall's effectiveness depends largely on its packet-handling capabilities. The rate at which a firewall can process packets is usually measured in packets per second (pps), and this metric is often used as an indicator of its performance. When it comes to network speeds, there are several important factors to consider, including maximum and minimum packet size and IMIX (Internet Mix) packet size.

Maximum packet size refers to the largest packet that can be transmitted over the network, while minimum packet size is the smallest packet that can be transmitted. IMIX packet size, on the other hand, is a weighted average of packet sizes based on real network traffic. Maximum and minimum packet sizes can have a significant impact on network speed, as larger packets can transfer more data per unit of time, but also take longer to process. On the other hand, smaller packets can be processed faster, but may not transfer as much data per unit of time.

IMIX packet size is typically used to provide a more accurate representation of real-world network traffic, which can help ensure a firewall is able to handle a variety of network traffic scenarios. Overall, it is important to understand the maximum, minimum and IMIX packet sizes to accurately measure network speeds and determine firewall performance.

We tested our VT AIR XDP Offloader against a normal nftables firewall. For the test we used three different devices on three different architectures.


| Device | CPUs | NFTables pps | VT AIR XDP pps | Speedup |
|---|---|---|---|---|
| VT AIR 100 (armhf) | 2x Cortex v7 | 146 Kpps | 775 Kpps | ~5.3 |
| VT AIR 600 (arm64) | 4x A72 | 594 Kpps | 2840 Kpps | ~4.8 |
| VT AIR 500 (x86) | 4x Intel Atom C3558 | 659 Kpps | 3192 Kpps | ~4.8 |

VT AIR XDP Speedup PPS

At the same time, the CPU power used to achieve these speeds was far less:

| Device | CPUs | NFTables CPU | VT AIR XDP CPU | Speedup |
|---|---|---|---|---|
| VT AIR 100 (armhf) | 2x Cortex v7 | 100% | 100% | ~5.3 |
| VT AIR 600 (arm64) | 4x A72 | 100% | 65% | ~4.8 |
| VT AIR 500 (x86) | 4x Intel Atom C3558 | 90% | 65% | ~4.8 |

I. DDoS-Protection

The VT AIR XDP Offloader can not only speed up network traffic, but also block DDoS attacks with very high efficiency, dropping attack traffic at very high packet rates. This is an important capability for networks at high risk of DDoS attacks, for example those hosting critical infrastructure, popular websites or other high-value destinations. By using our offloader to block DDoS attacks, network operators can keep their networks running smoothly and avoid costly downtime.

J. Why VT AIR XDP Offloader?

XDP is important in firewalls because it is a high-performance data path technology that processes network traffic directly in the network driver. This results in a significant reduction in latency and increases the throughput rate.

That was exactly our goal when we started developing the VT AIR XDP Offloader: to enable faster and more efficient processing of network traffic while reinforcing the security of the network. In times of increasing cybercrime, security is the key element. VT AIR XDP network acceleration enables the firewall to achieve five times more data throughput while maintaining a high level of protection. We are consistently following our mission: we protect your company value!