Access Rules
Access rules in Moat provide ultra-low latency access control through XDP (eXpress Data Path) packet filtering at the kernel level. Rules are enforced before packets reach the application, providing the fastest possible protection.
Overview
Moat's XDP-based access rules allow you to:
- Block or allow specific IP addresses at kernel level
- Enforce rules before packets reach user space
- Receive dynamic rule updates from Arxignis threat intelligence
- Filter with zero-latency BPF/XDP technology
- Monitor dropped packets with real-time statistics
How It Works
Moat loads access rules into an XDP/BPF program attached to the configured network interfaces. When a packet arrives:
- The XDP program inspects the source IP address at kernel level
- A BPF map lookup checks whether the IP is in the blocklist or allowlist
- The packet is dropped or passed before it reaches user space
- Statistics are collected for monitoring and analysis
Configuration
Network Interface Setup
Configure which network interfaces should have XDP filtering enabled:
```yaml
network:
  # Single interface
  iface: "eth0"
  # Or multiple interfaces
  ifaces: ["eth0", "eth1"]
  # Disable XDP for testing (not recommended for production)
  disable_xdp: false
```
Arxignis Integration
Moat automatically fetches and updates access rules from Arxignis threat intelligence:
```yaml
arxignis:
  api_key: "your-api-key-here"
  base_url: "https://api.arxignis.com/v1"
```
Rules are periodically updated from the Arxignis platform, which provides:
- Real-time threat intelligence from 30+ sources
- Automatically updated IP blocklists
- Country and ASN-based filtering
- Custom rule management through the dashboard
BPF Statistics
Monitor the effectiveness of your access rules with real-time statistics:
```yaml
bpf_stats:
  enabled: true
  log_interval_secs: 60
  enable_dropped_ip_events: true
  dropped_ip_events_interval_secs: 30
```
Statistics Collected
- Total packets processed at XDP level
- Packets dropped by access rules
- Per-IP drop counts for threat analysis
- Processing latency in nanoseconds
- XDP action distribution (PASS, DROP, ABORTED)
Example Statistics Output
```json
{
  "type": "bpf_stats",
  "timestamp": "2024-01-15T10:30:00Z",
  "stats": {
    "total_packets": 1500000,
    "packets_dropped": 15000,
    "drop_rate": 0.01,
    "interfaces": {
      "eth0": {
        "packets": 1500000,
        "dropped": 15000
      }
    }
  }
}
```
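As an added example (not Moat's own code), the following Python reads a stream of these statistics lines, keeps only well-formed `bpf_stats` events, and flags any interface whose drop rate jumps sharply between consecutive samples, which is worth investigating either as an attack wave or as a rule update that is producing false positives. It assumes each event carries the counts for one `log_interval_secs` window, and the sample lines are constructed rather than captured.

```python
import json

# Constructed sample of Moat bpf_stats lines (not captured from a real deployment).
# Assumption: each event carries the counts for one log_interval_secs window.
SAMPLE_LINES = [
    '{"type":"bpf_stats","timestamp":"2024-01-15T10:30:00Z","stats":{"total_packets":1500000,'
    '"packets_dropped":15000,"drop_rate":0.01,"interfaces":{"eth0":{"packets":1500000,"dropped":15000}}}}',
    '{"type":"bpf_stats","timestamp":"2024-01-15T10:31:00Z","stats":{"total_packets":1520000,'
    '"packets_dropped":15200,"drop_rate":0.01,"interfaces":{"eth0":{"packets":1520000,"dropped":15200}}}}',
    '{"type":"dropped_ip_event","timestamp":"2024-01-15T10:31:30Z"}',  # other event type, ignored
    'not json at all',                                                  # malformed line, ignored
    '{"type":"bpf_stats","timestamp":"2024-01-15T10:32:00Z","stats":{"total_packets":1490000,'
    '"packets_dropped":596000,"drop_rate":0.4,"interfaces":{"eth0":{"packets":1490000,"dropped":596000}}}}',
]


def parse_stats(lines):
    """Return [(timestamp, {iface: (packets, dropped)})] for well-formed bpf_stats events."""
    samples = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed log line: skip rather than crash the monitor
        if event.get("type") != "bpf_stats":
            continue  # dropped_ip_event and other types are handled elsewhere
        ifaces = {name: (int(v["packets"]), int(v["dropped"]))
                  for name, v in event["stats"].get("interfaces", {}).items()}
        samples.append((event["timestamp"], ifaces))
    return samples


def drop_rate(packets, dropped):
    """Recompute the rate from raw counters instead of trusting the drop_rate field."""
    return dropped / packets if packets else 0.0


def detect_spikes(samples, factor=5.0, min_rate=0.05):
    """Flag an interface whose drop rate is at least `factor` times the previous
    sample's rate and above `min_rate` (the floor suppresses noise on quiet links)."""
    alerts, previous = [], {}
    for timestamp, interfaces in samples:
        for iface, (pkts, drp) in interfaces.items():
            rate = drop_rate(pkts, drp)
            prev = previous.get(iface)
            if prev is not None and rate >= min_rate and rate >= factor * prev:
                alerts.append((timestamp, iface, round(prev, 4), round(rate, 4)))
            previous[iface] = rate
    return alerts
```

Pipe Moat's log output into `parse_stats` line by line and run `detect_spikes` on the result; an alert should trigger a look at the dropped IP events for that window before deciding whether to keep or roll back the latest rule update.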
Rule Management
Automatic Updates
Moat automatically syncs access rules from Arxignis:
- Initial fetch on startup
- Periodic updates every few minutes
- XDP map updates without service interruption
- Rollback support if updates fail
Manual Configuration
For testing or offline deployments, rules can be managed through the Arxignis dashboard or API.
Performance Characteristics
XDP Benefits
- Sub-microsecond latency - Filtering at kernel level
- CPU-efficient - No context switches to user space
- Scalable - Handles millions of packets per second
- Minimal overhead - ~100ns per packet for map lookup
Resource Usage
- Memory: ~100MB base + ~1KB per blocked IP
- CPU: Less than 1% for typical traffic patterns
- Network: No impact on throughput
Best Practices
Production Deployment
- Enable BPF statistics to monitor filtering effectiveness
- Set appropriate log intervals to avoid log spam
- Monitor dropped IP events for threat intelligence
- Test with `disable_xdp: false` (XDP enabled) first, before deploying to production
Security Considerations
- Requires CAP_SYS_ADMIN, CAP_BPF, CAP_NET_ADMIN capabilities
- Run with minimal privileges using dedicated user/group
- Regular rule updates ensure latest threat intelligence
- Monitor for false positives in dropped IP logs
Troubleshooting
If XDP filtering isn't working:
- Check kernel version - Requires Linux 4.18+
- Verify BPF support - `ls /sys/kernel/btf/vmlinux`
- Check capabilities - Ensure the container has the required caps
- Review logs - Look for XDP program load errors
- Test without XDP - Set `disable_xdp: true` temporarily