[GUIDE] XDP Program for protecting a FiveM Server

XDP Program for Protecting a FiveM Server

This XDP program protects a FiveM server by filtering out non-FiveM traffic. The program inspects incoming packets and drops any packets that are not UDP packets destined for the FiveM server IP address and port. Additionally, it includes rate-limiting and safety checks to prevent legitimate traffic from being inadvertently dropped.

Download Here (GitHub Repo)

Requirements

  • Linux-based kernel only, with XDP support enabled (Windows is not supported).
  • Clang compiler for compiling the XDP program.
  • Basic knowledge of Linux networking and handling interfaces.

Installation

Step 1: Modify the XDP Program

Before compiling the program, update the FIVEM_SERVER_IP and FIVEM_SERVER_PORT macros in the XDP script to match your FiveM server’s IP address and port.

  1. Open the xdp_program.c file.
  2. Modify the following macros:
#define FIVEM_SERVER_IP  0x7F000001  // Replace with your server's IP in hex format (e.g., 192.168.1.1 -> 0xC0A80101, or 0x7F000001 for 127.0.0.1 (localhost))
#define FIVEM_SERVER_PORT 30120      // Replace with your server's port if different

Note: Changing the default FiveM port (30120) to something else is recommended for better security!

Step 2: Compile the XDP Program

Use the clang compiler to compile the XDP program for your system:

clang -O2 -target bpf -c xdp_program.c -o xdp_program.o

This will produce the xdp_program.o object file that you can load into your network interface.

Step 3: Load the XDP Program

Load the compiled XDP program into the network interface that your FiveM server uses. Replace <interface> with the name of your network interface (e.g., eth0):

ip link set dev <interface> xdp obj xdp_program.o sec xdp_program

Step 4: Verify the XDP Program

Test the XDP program by generating traffic to your FiveM server on the configured port (default: 30120). Ensure that non-FiveM traffic is being dropped and legitimate FiveM traffic is allowed to pass through.

You can use packet-capturing tools like tcpdump to verify traffic behavior:

tcpdump -i <interface>

Step 5: Monitor Packet Counts

The program includes logging for tracking how many packets are dropped or passed. Use bpftool to check the statistics:

bpftool map dump name packet_count_map

Unloading the XDP Program

If you need to unload the XDP program from the interface, run the following command:

ip link set dev <interface> xdp off

License

This XDP program is released under the MIT license. See the LICENSE file for more information.

2 Likes

Thanks for the guide. This is very helpful!

There’s an alternative tool to this called iptables; however, based on this Medium article, it looks like it’s not optimized to handle high load as well as XDP.

Cheers!

IPTables/NFTables is too slow if you’re dealing with millions of DDoS packets.

1 CPU core is able to drop more than 10Mpps with XDP; IPTables/NFTables can’t do that.

And if you’re running XDP, make sure it’s running in native mode rather than the SKB one.

2 Likes

You are correct. XDP drops packets at the kernel without saturating your link, which makes it much faster than iptables. I definitely need testers of this program, let me know if you know anyone who is willing to test this out.

I’m currently trying on my test machine (Dell PowerEdge R630, 64C + 128G) along with some other logic modifications I added.

For millions of packets per second (PPS), I would recommend using DPDK instead, since it is way faster and can handle tens of millions of PPS easily with very few CPU cycles.

I put FxServer inside a VM for easier management, backup, snapshot, restore, etc. The web server for managing the DB is also on a different VM. XDP is loaded on the physical Ethernet interface, though (I can’t use HW offload mode since my NIC doesn’t support it, so it’s running in native mode).