
Unlocking High‑Performance Linux Networking: A Deep Dive into XDP and eBPF

XDP (eXpress Data Path) is a Linux kernel eBPF hook that enables ultra‑fast packet processing at the driver level, offering multiple action codes, three deployment modes, and advantages over DPDK such as lower CPU usage, security, and seamless integration with existing networking tools.

Open Source Linux

Traditional Linux kernel network stacks prioritize generality, leading to performance bottlenecks that become critical with high‑speed NICs (10G, 25G, 40G, 100G). To overcome these limits, DPDK introduced kernel‑bypass acceleration in 2010, but it remains separate from the kernel.

In 2016, Linux integrated its own high‑performance data path, XDP (eXpress Data Path), built on eBPF, allowing packet processing directly at the NIC driver layer.

What is XDP?

XDP is an eBPF hook in the Linux networking stack that can attach eBPF programs to process packets as soon as they arrive at the driver, providing exceptional data‑plane performance.

XDP Action Codes

XDP_ABORTED : Indicates a program error; the packet is dropped and the error is logged via trace_xdp_exception.

XDP_DROP : Drops the packet at the driver without further processing, conserving CPU resources—useful for mitigating DDoS attacks.

XDP_PASS : Passes the packet to the traditional kernel network stack.

XDP_TX : Sends the packet back out the same NIC.

XDP_REDIRECT : Redirects the packet to another NIC or CPU; combined with AF_XDP it can be sent to user space.

XDP Execution Modes

Native mode : Runs in the early driver path and requires driver support; most 10G+ NICs support it.

Offload mode : Offloads the XDP program onto the NIC itself, freeing the host CPU entirely; currently supported by select smart NICs such as Netronome.

Generic mode : Executes after the driver, needing no driver support but offering lower performance; useful for testing.

Background of eBPF

eBPF originated as BPF in 1992 for packet filtering (e.g., tcpdump). It evolved into eBPF in 2013 and was merged into the Linux kernel in 2014, providing a programmable interface for various kernel and application events, including networking, monitoring, and tracing.

AF_XDP

Introduced in Linux 4.18 (2018), AF_XDP is a socket family that allows user‑space programs to receive packets directly from a memory queue (UMEM) populated by XDP redirects, enabling ultra‑low‑latency packet handling.

Advantages of XDP

Part of the Linux kernel, offering a stable, long‑term API maintained by the community.

Works with existing Linux networking tools and drivers, unlike DPDK which requires dedicated frameworks.

Built‑in security via the eBPF verifier.

Does not monopolize CPU cores; runs only when needed and can scale across multiple CPUs.

Supports dynamic injection and updates of eBPF programs.

No need for huge pages or proprietary hardware.

Supported by kernels ≥ 4.8 and most high‑speed NICs.

Real‑World Usage

Projects such as OVS, Cilium, and PolyCube adopt XDP for fast‑path networking. Cloudflare’s L4Drop DDoS protection leverages XDP to drop malicious traffic with minimal CPU overhead. Research demonstrates XDP‑based firewalls and even in‑kernel Memcached achieving performance surpassing DPDK.

Conclusion

XDP, together with AF_XDP, has rapidly matured within a few years, offering performance comparable to DPDK while retaining the benefits of native kernel integration. Ongoing optimizations will likely make XDP a cornerstone of high‑performance network processing.
