We Put an L7 Firewall in the Kernel
a day ago
- #eBPF
- #firewall
- #JavaScript
- The firewall uses eBPF in the kernel to make HTTP/2 header decisions in nanoseconds, avoiding userspace proxy delays.
- Policy is written as JavaScript apps, allowing updates via git push without rebuilds, redeploys, or restarts.
- Matches on HTTP/2 headers like :authority, User-Agent, and source address using boolean logic rules.
- Uses XDP hook for early packet filtering, dropping packets before kernel socket allocation for minimal cost.
- Compiles banned User-Agent substrings into a single Aho-Corasick automaton for linear-time scanning, scalable to thousands of patterns.
- Handles HPACK compression by tracking the dynamic table live, ensuring header visibility across requests.
- Exposes real-time metrics via Prometheus and Grafana, including evasion attempts like fragmented headers.
- Deploys as a Docker container, currently tested in production with enterprise traffic.