Faster Firewalls with Bpfilter
a year ago
- #performance
- #BPF
- #network-security
- Bpfilter is a project that improves network traffic filtering performance by compiling firewall rules into BPF (Berkeley Packet Filter) programs that run in the kernel.
- It was first proposed in 2018 as a way to speed up iptables by translating its filtering rules into BPF programs instead of evaluating them in netfilter.
- Bpfilter consists of three components: the bpfilter daemon, libbpfilter library, and bfcli command-line tool.
- The project accepts rules from both the iptables and nftables front ends, though nftables support is currently broken and a refactoring is planned for 2025.
- Bpfilter translates rules into BPF bytecode, which is then loaded into the kernel so that each packet is classified by the generated program rather than by walking a rule table.
- Performance benchmarks show that bpfilter sustains its throughput across larger rulesets than iptables and nftables before performance starts to drop.
- Future plans include better nftables support, integration of user-provided BPF programs, and generic sets.
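To make the rule-to-bytecode step concrete, here is an added example that is not bpfilter's code: a miniature compiler that turns a chain of iptables-style rules (protocol, destination port, target, plus a chain policy) into classic BPF instructions, and a small user-space interpreter for the five opcodes it emits so the result can be exercised against constructed IPv4 packets. bpfilter itself generates eBPF and loads it through bpf(2); classic BPF is used here only because its encoding is compact and stable. The `rule` struct, the `OP_*` names, the example chain and the sample packets are this example's own assumptions.

```c
/* Added illustration, not bpfilter's code: a miniature rule-to-BPF compiler plus a
 * user-space interpreter for the five classic BPF opcodes it emits. Rules are tried
 * top to bottom, first match wins, and the chain policy applies when none match. */
#include <stdint.h>
#include <stdio.h>

/* Classic BPF instruction; same layout as struct sock_filter in <linux/filter.h>. */
struct cbpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Opcode values as defined in <linux/bpf_common.h>; k is an offset or an immediate. */
#define OP_LD_B_ABS  0x30 /* A = pkt[k]                 BPF_LD|BPF_B|BPF_ABS  */
#define OP_LDX_MSH_B 0xb1 /* X = 4 * (pkt[k] & 0x0f)    BPF_LDX|BPF_MSH|BPF_B */
#define OP_LD_H_IND  0x48 /* A = be16 at pkt[X + k]     BPF_LD|BPF_H|BPF_IND  */
#define OP_JEQ_K     0x15 /* pc += (A == k) ? jt : jf   BPF_JMP|BPF_JEQ|BPF_K */
#define OP_RET_K     0x06 /* return k                   BPF_RET|BPF_K         */

enum verdict { DROP = 0, ACCEPT = 0xffff };

/* Hypothetical rule in the spirit of "-p <proto> --dport <port> -j <target>"; dport 0 = any. */
struct rule { uint8_t proto; uint16_t dport; uint32_t target; };

/* Emit bytecode for a chain over raw IPv4 packets (no link-layer header). */
static size_t compile_rules(const struct rule *rules, size_t nrules, uint32_t policy,
                            struct cbpf_insn *out, size_t cap)
{
    size_t n = 0;
    for (size_t r = 0; r < nrules; r++) {
        size_t need = rules[r].dport ? 6 : 3;            /* instructions for this rule */
        if (n + need + 1 > cap) return 0;
        out[n++] = (struct cbpf_insn){OP_LD_B_ABS, 0, 0, 9};          /* A = ip.proto */
        /* On mismatch jump over the rest of this rule (need - 2 instructions). */
        out[n++] = (struct cbpf_insn){OP_JEQ_K, 0, (uint8_t)(need - 2), rules[r].proto};
        if (rules[r].dport) {
            out[n++] = (struct cbpf_insn){OP_LDX_MSH_B, 0, 0, 0};     /* X = IHL * 4, so IP options are skipped */
            out[n++] = (struct cbpf_insn){OP_LD_H_IND, 0, 0, 2};      /* A = L4 destination port */
            out[n++] = (struct cbpf_insn){OP_JEQ_K, 0, 1, rules[r].dport};
        }
        out[n++] = (struct cbpf_insn){OP_RET_K, 0, 0, rules[r].target};
    }
    out[n++] = (struct cbpf_insn){OP_RET_K, 0, 0, policy};            /* chain policy */
    return n;
}

/* Interpreter for the subset above. As in the kernel's classic BPF engine, a load
 * past the end of the packet aborts the program with return value 0, i.e. DROP. */
static uint32_t run_cbpf(const struct cbpf_insn *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t A = 0, X = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct cbpf_insn *in = &prog[pc];
        switch (in->code) {
        case OP_LD_B_ABS:  if (in->k + 1 > len) return 0; A = pkt[in->k]; break;
        case OP_LDX_MSH_B: if (in->k + 1 > len) return 0; X = (uint32_t)(pkt[in->k] & 0x0f) * 4; break;
        case OP_LD_H_IND:  if (X + in->k + 2 > len) return 0;
                           A = ((uint32_t)pkt[X + in->k] << 8) | pkt[X + in->k + 1]; break;
        case OP_JEQ_K:     pc += (A == in->k) ? in->jt : in->jf; break;
        case OP_RET_K:     return in->k;
        default:           return 0; /* unknown opcode; the kernel verifier would reject it */
        }
    }
    return 0;
}

/* Constructed sample packet: IPv4 header of ihl 32-bit words (ihl > 5 simulates IP
 * options), followed by the first four bytes of a TCP/UDP header (src port, dst port). */
static size_t make_packet(uint8_t *buf, uint8_t ihl, uint8_t proto, uint16_t dport)
{
    size_t hl = (size_t)ihl * 4;
    for (size_t i = 0; i < hl + 4; i++) buf[i] = 0;
    buf[0] = (uint8_t)(0x40 | ihl);                   /* version 4, header length */
    buf[9] = proto;
    buf[hl] = 0xc0; buf[hl + 1] = 0x00;                /* src port 49152 */
    buf[hl + 2] = (uint8_t)(dport >> 8); buf[hl + 3] = (uint8_t)dport;
    return hl + 4;
}

/* Example chain (constructed): accept SSH and DNS, policy DROP. */
static const struct rule example_chain[] = { { 6, 22, ACCEPT }, { 17, 53, ACCEPT } };

/* Compile the chain and run one constructed packet through it; truncate_to > 0
 * shortens the packet to exercise the out-of-bounds path. */
static uint32_t verdict_for(uint8_t ihl, uint8_t proto, uint16_t dport, size_t truncate_to)
{
    struct cbpf_insn prog[32];
    uint8_t pkt[128];
    size_t n = compile_rules(example_chain, 2, DROP, prog, 32);
    size_t len = make_packet(pkt, ihl, proto, dport);
    if (truncate_to && truncate_to < len) len = truncate_to;
    return run_cbpf(prog, n, pkt, len);
}

int main(void)
{
    struct cbpf_insn prog[32];
    size_t n = compile_rules(example_chain, 2, DROP, prog, 32);
    for (size_t i = 0; i < n; i++)          /* dump the generated bytecode */
        printf("%2zu: code=0x%02x jt=%u jf=%u k=0x%08x\n", i, (unsigned)prog[i].code,
               (unsigned)prog[i].jt, (unsigned)prog[i].jf, (unsigned)prog[i].k);
    printf("tcp/22 -> %s, tcp/80 -> %s\n",
           verdict_for(5, 6, 22, 0) == ACCEPT ? "ACCEPT" : "DROP",
           verdict_for(5, 6, 80, 0) == ACCEPT ? "ACCEPT" : "DROP");
    return 0;
}
```

Two details carry the security weight of a translator like this. The forward jump offsets in `jf` are what turn a rule list into a decision tree; an off-by-one there silently applies the wrong verdict to a matching packet, which is why a generated program should be tested against packets for every rule and for the policy, not just loaded. The `LDX_MSH` load makes the port match relative to the real header length, so a packet carrying IP options cannot slip a port check that assumes a 20-byte header, and a packet too short to evaluate the match is dropped, mirroring how the kernel treats an out-of-range load.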