Native driver mode

I moved the XDP program from generic SKB mode to native driver mode on supported network interfaces. Native mode executes the program earlier in the receive path and avoids work that the generic path has already performed.

Simpler hot paths

Loops and repeated parsing can become expensive when the same code runs for every packet. I simplified the hot path, removed unnecessary loops and kept the first decisions inexpensive so clearly invalid traffic exited quickly.

Payload inspection

I added a deep-packet-inspection routine for dynamic payload matching. Combined with the earlier XDP decision point, this improved detection of attacks whose payload changed while retaining a recognizable structure.
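The two stages described above (cheap, bounds-checked header checks that reject clearly invalid traffic first, then structural payload matching only for packets that survive) modelled as a userspace C program, added here as an example. It is not the confidential production code and not a loadable BPF object; the service port and the payload "shape" it matches are constructed for illustration, and the `data`/`data_end` bounds-check style mirrors what the BPF verifier requires of a real XDP program.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
enum { XDP_DROP = 1, XDP_PASS = 2 };   /* verdict values as in linux/bpf.h */
enum { ETH_HLEN = 14, ETH_P_IP = 0x0800, IPPROTO_UDP = 17,
       SERVICE_PORT = 5353,            /* assumed protected UDP service (constructed) */
       MAX_SCAN = 32 };                /* constant bound: the verifier rejects unbounded loops */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Constructed toy "shape", not a real signature: 2-byte tag followed by a run of
 * one repeated byte. Filler byte and run length vary; the structure does not. */
static int matches_shape(const uint8_t *p, const uint8_t *end) {
    if (p + 4 > end || p[0] != 0xAB || p[1] != 0xCD) return 0;
    for (int i = 3; i < MAX_SCAN && p + i < end; i++)
        if (p[i] != p[2]) return 0;
    return 1;
}

/* Cheapest checks first, each read guarded by a data_end bounds check as the BPF
 * verifier requires; payload inspection runs only for packets that survive. */
int xdp_decision(const uint8_t *data, const uint8_t *data_end) {
    if (data + ETH_HLEN > data_end) return XDP_DROP;          /* runt frame */
    if (rd16(data + 12) != ETH_P_IP) return XDP_PASS;         /* not IPv4: leave to the stack */
    const uint8_t *ip = data + ETH_HLEN;
    if (ip + 20 > data_end) return XDP_DROP;
    uint8_t ihl = (ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip + ihl > data_end) return XDP_DROP;
    uint16_t tot = rd16(ip + 2);
    if (tot < ihl || ip + tot > data_end) return XDP_DROP;    /* IP length claims more than we hold */
    if (ip[9] != IPPROTO_UDP) return XDP_PASS;
    const uint8_t *udp = ip + ihl;
    if (udp + 8 > data_end) return XDP_DROP;
    if (rd16(udp + 2) != SERVICE_PORT) return XDP_PASS;
    uint16_t ulen = rd16(udp + 4);
    if (ulen < 8 || udp + ulen > data_end) return XDP_DROP;   /* UDP length claims more than we hold */
    return matches_shape(udp + 8, udp + ulen) ? XDP_DROP : XDP_PASS;
}

/* Harness: wrap a payload in a constructed Ethernet/IPv4/UDP frame and return the
 * verdict; cut > 0 hands the program a buffer shorter than the headers claim. */
int verdict_for(uint16_t dport, const uint8_t *payload, size_t plen, size_t cut) {
    uint8_t f[256] = {0};
    size_t ip_len = 20 + 8 + plen, len = ETH_HLEN + ip_len;
    if (len > sizeof f) return XDP_DROP;
    f[12] = 0x08; f[13] = 0x00; f[14] = 0x45;                 /* EtherType IPv4, version/IHL */
    f[16] = (uint8_t)(ip_len >> 8); f[17] = (uint8_t)ip_len;  /* IP total length */
    f[22] = 64; f[23] = IPPROTO_UDP;                          /* TTL, protocol */
    f[36] = (uint8_t)(dport >> 8); f[37] = (uint8_t)dport;    /* UDP destination port */
    f[38] = (uint8_t)((8 + plen) >> 8); f[39] = (uint8_t)(8 + plen); /* UDP length */
    memcpy(f + 42, payload, plen);
    return xdp_decision(f, f + (cut ? cut : len));
}
```

The order of the checks is the point: a truncated frame or a header whose length field exceeds the buffer is dropped before any payload byte is read, and the bounded scan only runs for traffic to the protected port.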

Layered detection

Host-level filtering was used alongside Suricata for intrusion detection and prevention. The XDP layer handled fast packet decisions; Suricata supplied broader protocol awareness and a second source of security telemetry.

The production code is confidential, but implementation evidence can be discussed privately where appropriate.

Original references