
Troubleshooting eBPF XDP Packet Drop Not Working | HookProbe Guide

Solving the Mystery: Troubleshooting eBPF XDP Packet Drops That Are Not Working

In the world of high-performance networking, eXpress Data Path (XDP) is the gold standard for packet processing. However, security engineers often find that their attempts to troubleshoot an eBPF XDP packet drop that is not working lead to dead ends. Whether the packets are bypassing the XDP program entirely or the kernel is ignoring the XDP_DROP action, identifying the root cause requires a systematic approach. HookProbe, an AI-native edge IDS, leverages XDP for lightning-fast threat mitigation, and ensuring this layer functions correctly is critical for your perimeter defense.

Before diving into the technical steps, it is essential to understand that XDP processes packets at the earliest possible point in the network stack—before the kernel allocates a sk_buff (socket buffer). If your drops aren't working, the breakdown usually occurs in the driver handoff, the BPF program loading sequence, or a conflict with existing software-defined networking (SDN) layers like Open vSwitch (OVS). For further details on our platform architecture, visit our docs or explore our blog for more deep dives.

Understanding the XDP Packet Processing Pipeline

To troubleshoot effectively, you must visualize where XDP sits. The packet processing flow follows this hierarchy:

┌─────────────────────────────────────────────────────────────────┐
│                     PACKET PROCESSING                           │
├─────────────────────────────────────────────────────────────────┤
│  1. NIC Hardware (DMA)                                          │
│  2. XDP Hook (Native/Driver Mode) <-- Your Drops Happen Here    │
│  3. Generic XDP (SKB Mode)                                      │
│  4. Linux Kernel Network Stack (IP, TCP/UDP)                    │
│  5. User Space Application                                      │
└─────────────────────────────────────────────────────────────────┘

If your XDP program returns XDP_DROP but the packet still reaches the application, the program might be attached in the wrong mode, or the NIC driver might not support native XDP, forcing a fallback to a less effective layer.

Step 1: Verify Hardware and Kernel Compatibility

The first step in any troubleshooting workflow is ensuring your environment supports eBPF and XDP. XDP requires a modern kernel (5.4 or higher is recommended) and a compatible network interface card (NIC) driver.

Check Your Kernel Version

Run the following command to ensure your kernel is capable of running advanced eBPF features:

uname -r

If your kernel is older than 5.4, you may experience inconsistent behavior with XDP maps and packet redirection.

Identify the NIC Driver

Not all drivers support "Native XDP" (running directly in the driver's RX path). Check your driver with:

ethtool -i eth0 | grep driver

Common drivers like ixgbe, i40e, mlx5_core, and virtio_net have excellent XDP support. If you are using a legacy or niche driver, you may be limited to "Generic XDP" (SKB mode), which is slower and sometimes bypasses certain drop logic under heavy load.

Step 2: Inspect XDP Loading and Program Status

If your XDP program is supposed to be dropping packets but isn't, verify that it is actually loaded and attached to the correct interface.

Check Attachment with ip link

Use the ip command to see the current status of your interfaces:

ip link show | grep xdp

You should see an output indicating xdp/id:[ID]. If you see xdpgeneric, your system is using the emulated mode. If you see nothing, the program failed to attach.

List BPF Programs

Use bpftool to get a detailed view of all BPF programs currently residing in the kernel memory:

sudo bpftool prog list

Look for programs of type xdp. Note the ID and verify it matches the ID shown in the ip link output. If the program is loaded but not attached, your drops will never execute.
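As an added check that ties the ip link and bpftool steps together (example shell written for this guide, not HookProbe's own tooling): the functions below parse the two outputs, confirm that the program id attached to the interface is actually loaded as an xdp program, and flag generic mode. The interface name, program id and tag are constructed sample values.

```shell
# Read `ip link show dev <iface>` text on stdin; print "<mode> <prog-id>".
# mode is native (prog/xdp), generic (prog/xdpgeneric), offload, or none.
xdp_attach_mode() {
    awk '
        $1 == "prog/xdp"        { print "native "  $3; found = 1 }
        $1 == "prog/xdpgeneric" { print "generic " $3; found = 1 }
        $1 == "prog/xdpoffload" { print "offload " $3; found = 1 }
        END { if (!found) print "none 0" }
    '
}

# Read `bpftool prog list` text on stdin; succeed if an xdp program with id $1 is loaded.
bpf_xdp_prog_loaded() {
    grep -q -E "^$1: xdp[[:space:]]"
}

# $1 = ip link text, $2 = bpftool text. Prints a verdict; returns 0 ok, 1 fail, 2 warn.
xdp_diagnose() {
    attach=$(printf '%s\n' "$1" | xdp_attach_mode)
    mode=${attach%% *}
    id=${attach##* }
    if [ "$mode" = none ]; then
        echo "FAIL: no XDP program attached to the interface"; return 1
    fi
    if ! printf '%s\n' "$2" | bpf_xdp_prog_loaded "$id"; then
        echo "FAIL: prog id $id is attached but bpftool lists no xdp program with that id"; return 1
    fi
    if [ "$mode" = generic ]; then
        echo "WARN: generic (SKB) mode, prog id $id; drops happen after skb allocation"; return 2
    fi
    echo "OK: $mode mode, prog id $id"
}

# Constructed sample output (not captured from a real host; the tag is a placeholder).
IP_LINK_NATIVE='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 xdp qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    prog/xdp id 42 tag 0000000000000000 jited'
# Derive the generic-mode and no-program variants from the native sample.
IP_LINK_GENERIC=$(printf '%s\n' "$IP_LINK_NATIVE" | sed 's/ xdp / xdpgeneric /; s#prog/xdp #prog/xdpgeneric #')
IP_LINK_NONE=$(printf '%s\n' "$IP_LINK_NATIVE" | sed 's/ xdp / /; /prog\/xdp/d')
BPFTOOL_LIST='42: xdp  name xdp_drop  tag 0000000000000000  gpl
        loaded_at 2024-01-01T00:00:00+0000  uid 0
        xlated 64B  jited 48B  memlock 4096B'

xdp_diagnose "$IP_LINK_NATIVE" "$BPFTOOL_LIST"
```

On a live host, feed the functions with `ip link show dev eth0` and `sudo bpftool prog list` instead of the constructed strings.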

Step 3: Configure HookProbe XDP Settings

HookProbe simplifies XDP management, but it must be explicitly enabled in the agent configuration. If you are using the HookProbe agent to manage your edge IDS, ensure the environment variables are correctly set.

Enable XDP in HookProbe Service

To force HookProbe to utilize XDP for packet dropping and inspection, edit the systemd service:

sudo systemctl edit hookprobe-agent.service

Add the following environment configuration:

[Service]
Environment="XDP_ENABLED=true"
Environment="XDP_MODE=drv"

Restart the service to apply changes:

sudo systemctl daemon-reload
sudo systemctl restart hookprobe-agent

Understanding XDP Modes

Choosing the right mode is vital for effective packet dropping:

  • drv (Native): Fastest. Packets are dropped at the driver level. Requires driver support.
  • skb (Generic): Works on any NIC. Packets are dropped after the kernel allocates a buffer. Slower, but useful for testing.
  • auto: HookProbe will attempt to select drv and fall back to skb if necessary.

Step 4: Troubleshoot Open vSwitch (OVS) Conflicts

In many cloud and edge environments, Open vSwitch (OVS) manages the networking. OVS can sometimes conflict with XDP programs because both attempt to hook into the packet ingress path. If the environment in which your XDP drops are not working is virtualized, check OVS.

Check OVS Status

systemctl status openvswitch-switch
journalctl -u openvswitch-switch

If OVS is overriding the interface hooks, you may need to reset the OVS configuration or ensure that HookProbe is initialized after OVS has claimed the interfaces.

ovs-vsctl emer-reset

Additionally, if you are using DPDK with OVS, XDP may not be able to bind to the same physical interface. Ensure other_config:dpdk-init=true is only set if you are not relying on standard kernel XDP hooks.

Step 5: Optimize NIC Performance for Packet Dropping

Sometimes "not working" actually means "not keeping up." If packets are leaking through under high load, your NIC might be dropping packets due to buffer overflows before XDP can even process them, or the CPU might be saturated.

Adjust Ring Buffers

Increase the descriptor ring size to handle bursts of traffic without dropping packets before they reach your eBPF program:

ethtool -G eth0 rx 4096 tx 4096

Interrupt Coalescing

Tune how the NIC handles interrupts to reduce CPU overhead:

ethtool -C eth0 rx-usecs 50

IRQ Affinity

Ensure that the network interrupts are distributed across your CPU cores so that a single core does not become a bottleneck during a DDoS attack. The value written is a hexadecimal CPU bitmask (2 selects CPU 1):

echo 2 > /proc/irq/<irq_number>/smp_affinity

Step 6: Implement Rate Limits for Mitigation

If your XDP program is working but the system is still overwhelmed, you may need to configure specific rate limits within HookProbe to manage the flow of traffic. This prevents the eBPF maps from being flooded.

# HookProbe DDoS mitigation settings
XDP_RATE_LIMIT_PPS=10000
XDP_SYN_RATE_LIMIT=1000
XDP_UDP_RATE_LIMIT=5000

These settings allow HookProbe to drop excessive traffic at the edge, preserving system resources for legitimate packets.

Step 7: Final Verification and Health Checks

Once you have applied the fixes, use the HookProbe control utility to verify the health of the agent and the XDP hooks.

# Check general status
hookprobe-ctl status

# Check health of the eBPF hooks
hookprobe-ctl health

# Tail logs for XDP-related errors
hookprobe-ctl logs -f

If the health check returns green and the logs show XDP program attached successfully, your packet dropping should now be functional. For enterprise-grade support and advanced features, check our pricing page.

Conclusion

Troubleshooting eBPF XDP packet drops requires a deep dive into the interaction between the NIC, the kernel, and your BPF bytecode. By following this guide—checking driver compatibility, verifying attachment modes, and tuning NIC parameters—you can ensure that HookProbe provides maximum protection at the edge. Remember that XDP is a powerful tool, but it relies on a correctly configured underlying environment to perform its best.

Frequently Asked Questions

  • Why does my XDP program work in SKB mode but not DRV mode? This is usually due to driver limitations. Not all NIC drivers support the XDP metadata area or multi-buffer XDP. Ensure your driver is up to date and supports native XDP.
  • Can I use XDP and OVS together? Yes, but it requires careful coordination. OVS can manage the data plane while XDP acts as a fast-path filter. However, ensure they aren't both trying to manage the same hardware offload features.
  • How do I know if XDP is actually dropping packets? Use hookprobe-ctl logs or look at the BPF map statistics. You can also use tcpdump on the interface; if XDP is dropping packets in native mode, tcpdump will usually not see them because they are dropped before reaching the tap point.
  • Does HookProbe support auto-updates for BPF programs? Yes, you can enable this feature using sudo hookprobe-ctl enable-autoupdate to ensure you always have the latest security logic.

Ready to secure your network?

HookProbe delivers AI-native intrusion detection on affordable hardware.