bpfilter¶
links: SPA TOC - Linux Firewall - Index
eBPF¶
- Extended Berkeley Packet Filter is a Linux kernel technology that allows running custom programs inside the kernel in a sandboxed environment without changing kernel source code or loading kernel modules
- Use cases: Security, Networking, Tracing and Profiling, Observability & Monitoring (Kubernetes)
- Security: eBPF can see and intercept all system calls and filter them, has also a packet and socket-level view for network-level filtering or process context tracing
- Networking: eBPF enables to implement protocol parsers or any kind of forwarding logic without leaving the packet processing context of the Linux kernel
bpfilter¶
- uses eBPF
- filtering capabilities are implemented as an interpreter program for the BPF virtual machine
- the BPF program can be attached to points in the network packet path like:
- the eXpress Data Path (XDP) layer, where they are run from the network-interface drivers
- the BPF virtual machine can run in user space or in kernel space
Measurements¶
- Some PoC applications show performance improvements of up to 3 to 6 times over iptables or nftables.
links: SPA TOC - Linux Firewall - Index