A story about AF_XDP, network namespaces and a cookie
A crash in a development version of flowtrackd highlighted an issue with libxdp: the AF_XDP part was not aware of Linux network namespaces. The blog post describes the debugging journey that led to the bug and its fix. Flowtrackd is a volumetric denial-of-service defense mechanism that sits in the Magic Transit customer's data path and protects the network from complex randomized TCP floods. It uses the Linux kernel's AF_XDP feature to transfer packets from a network device in kernel space to a memory buffer in user space without going through the network stack. The issue was resolved by retrieving the netns_cookie associated with the socket at its creation and including it in the comparison operation. The fix has been submitted, merged, and backported in libbpf, and the Rust crate has been updated accordingly.
Company: Cloudflare
Date published: July 18, 2022
Author(s): Bastien Dhiver
Word count: 3319
Language: English
Hacker News points: 3