BPF-Based Linux Firewall "bpfilter" Shows Impressive Performance Potential


  • BPF-Based Linux Firewall "bpfilter" Shows Impressive Performance Potential

    Phoronix: BPF-Based Linux Firewall "bpfilter" Shows Impressive Performance Potential

    Generating much excitement back in 2018 was bpfilter for the potential to better Linux's firewall and packet filtering by making it more robust and performant. Recently, work on this BPF-based firewall solution was renewed and the performance potential over iptables and nftables is looking very good for the future...

    https://www.phoronix.com/scan.php?pa...=BPFILTER-2021

  • #2
    Nft performs worse than Iptables?? WTF???

    Comment


    • #3
      Originally posted by q2dg:
      Nft performs worse than Iptables?? WTF???
      Yeah, what happened here.
      I guess I will stick to iptables now that there is really no point in learning something that is slower...

      Comment


      • #4
        I wouldn't use the slower one cause my rules are most likely to be simple (I wouldn't know yet, I haven't configured one by hand), but wasn't the point of nftables to win on flexibility rather than performance?

        Comment


        • #5
          .....what year is it? Wasn't this the whole reason BPF was invented years ago?

          Comment


          • #6
            Originally posted by Developer12:
            .....what year is it? Wasn't this the whole reason BPF was invented years ago?
            No? AFAIR it was invented for more efficient packet sniffing. Not dropping packets from the system, but before copying them to a raw packet buffer in userspace. The packets would still go through the usual channels, just not to that particular socket.

            Comment
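The model #6 describes, a per-socket filter deciding whether a packet is copied to that socket while it still flows through the stack, as an added Python example (not code from the thread, from tcpdump or from the kernel): a small interpreter for classic BPF socket-filter programs run over constructed Ethernet/IPv4 frames. The filter is equivalent to what `tcpdump -dd "ip and tcp"` generates; the frame builder and all names are mine.

```python
import struct

# Opcodes from the classic BPF encoding (the one SO_ATTACH_FILTER accepts)
LD_W_ABS, LD_H_ABS, LD_B_ABS = 0x20, 0x28, 0x30  # A = packet[k], 4/2/1 bytes
JEQ_K = 0x15                                     # pc += jt if A == k else jf
RET_K = 0x06                                     # return k
RET_A = 0x16                                     # return A

# Filter program as (code, jt, jf, k), equivalent to `tcpdump -dd "ip and tcp"`
IP_AND_TCP = [
    (LD_H_ABS, 0, 0, 12),      # A = Ethernet type field
    (JEQ_K,    0, 3, 0x0800),  # IPv4? otherwise skip to "ret #0"
    (LD_B_ABS, 0, 0, 23),      # A = IPv4 protocol byte
    (JEQ_K,    0, 1, 6),       # TCP? otherwise skip to "ret #0"
    (RET_K,    0, 0, 262144),  # deliver: copy up to 262144 bytes to the socket
    (RET_K,    0, 0, 0),       # do not deliver to this socket
]

def run_cbpf(prog, pkt):
    """Run a classic BPF program over pkt; return bytes to deliver (0 = none)."""
    a, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        if code in (LD_W_ABS, LD_H_ABS, LD_B_ABS):
            size = {LD_W_ABS: 4, LD_H_ABS: 2, LD_B_ABS: 1}[code]
            if k + size > len(pkt):  # load past the end: kernel rejects the packet
                return 0
            a = int.from_bytes(pkt[k:k + size], "big")
        elif code == JEQ_K:
            pc += jt if a == k else jf
        elif code == RET_K:
            return k
        elif code == RET_A:
            return a
        else:
            raise ValueError(f"unsupported opcode {code:#x}")
    raise ValueError("program ran off the end without a ret")

def make_frame(ethertype, ip_proto):
    """Constructed Ethernet + minimal IPv4 header; only fields the filter reads are set."""
    eth = b"\x00" * 12 + struct.pack("!H", ethertype)  # dst MAC, src MAC, ethertype
    ipv4 = bytes([0x45, 0]) + b"\x00" * 7 + bytes([ip_proto]) + b"\x00" * 10
    return eth + ipv4

if __name__ == "__main__":
    print(run_cbpf(IP_AND_TCP, make_frame(0x0800, 6)))   # 262144 (TCP: delivered)
    print(run_cbpf(IP_AND_TCP, make_frame(0x0800, 17)))  # 0 (UDP: not delivered)
```

A filter that returns 0 only keeps the packet away from the socket it is attached to; it is not a drop in the firewall sense, which is the gap bpfilter is meant to fill.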


            • #7
              Can this be helpful for application firewalls like OpenSnitch, which uses eBPF?
              https://github.com/evilsocket/opensnitch/releases
              Or is it completely unrelated?
              I really don't want to go back from OpenSnitch to any port-based firewall.

              Comment


              • #8
                The Linux firewalls iptables and nftables are very good, but also very server-oriented. For the Linux desktop these are rather poor since they only filter IP addresses, protocols and ports, while on the desktop you would like to allow/deny applications access to the network.

                For example, I don't want my PDF reader or image viewer applications to have access to the network. On Windows you get a prompt that asks if you want to grant the application rights to the network the first time it tries to bind a port to listen on or tries to establish a connection.

                Comment


                • #9
                  What you describe as an application firewall can be achieved by cgroups. Flatpak is doing it. You can set the rights for every application. AFAIK it has no dynamic rights management where the user is asked for permissions but maybe they will add it.

                  Comment


                  • #10
                    Originally posted by uid313:
                    The Linux firewalls iptables and nftables are very good, but also very server-oriented. For the Linux desktop these are rather poor since they only filter IP addresses, protocols and ports, while on the desktop you would like to allow/deny applications access to the network.

                    For example, I don't want my PDF reader or image viewer applications to have access to the network. On Windows you get a prompt that asks if you want to grant the application rights to the network the first time it tries to bind a port to listen on or tries to establish a connection.
                    For somebody used to simplewall and GlassWire on Windows and AFWall+ on Android, seeing the available firewalls for Linux is surely a big disappointment and frustration.

                    Great that at least somebody tries to fix this with OpenSnitch.
                    Too bad that the Linux Foundation or EFF doesn't want to help out this user-friendly firewall project.

                    Comment
