BPF-Based Linux Firewall "bpfilter" Shows Impressive Performance Potential

Written by Michael Larabel in Linux Networking on 23 September 2021 at 04:00 PM EDT. 19 Comments
LINUX NETWORKING
Generating much excitement back in 2018 was bpfilter for the potential to better Linux's firewall and packet filtering by making it more robust and performance. Recently work on this BPF-based firewall solution was renewed and the performance potential over iptables and nftables is looking very good for the future.

This year the BPF-based firewall code work was taken up by Facebook's Dmitrii Banshchikov and he's trying to push the code along now. Ahead of the next iteration of these patches, Dmitrii presented at this week's Linux Plumbers Conference on the effort.

The bpfilter firewall support so far with these patches allows processing basic rules in INPUT/OUTPUT chains and translating them into XDP/TC programs. Leveraging BPF, the potential is there for security advantages, more robust firewall rule handling, and being more performant than iptables/nftables.

A current look at the bpfilter performance is what gets us really excited:


Moving forward more feature work is planned around new matches and targets, containers integration, in-place upgrades support, privilege separation, and BPF code optimization support.

Learn more about this Linux BPF-based firewall effort via the slide deck and the video presentation embedded below.


The current v2 patch series for bpfilter can be found on the BPF mailing list while the "v3" series is expected soon.
19 Comments
Related News
OpenVPN DCO Looks Like It Might Be Ready For Linux 6.14 To Speed-Up VPN Performance
Many Networking Changes In Linux 6.13 - One Line Of Code Helping WireGuard Performance
Intel IWD 3.0 Wireless Daemon Released For Linux Systems
Linux 6.12-rc3 Released With Some Late NTFS Driver Enhancements
NetworkManager 1.50 Released - Now Ensures Offensive Terms Don't Appear In Settings
OpenVPN Kernel Driver Patches Updated For Improving VPN Performance
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
OpenWrt Affected By Security Issue That Could Have Led To Compromised Build Artifacts
How AMD Is Taking Standard C/C++ Code To Run Directly On GPUs
Linux EFI Zboot Abandoning "Compression Library Museum", Focusing On Gzip & Zstd
Ptyxis Becomes Ubuntu's Recommended Replacement To GNOME Terminal
GNU Shepherd 1.0 Service Manager Released As "Solid Tool" Alternative To systemd
KDE Starts December By Landing A Number Of New Features
NTSYNC Linux Patches Revived To Help Boost Steam Play Gaming Performance
Rust-Based, Memory-Safe PNG Decoders "Vastly Outperform" C-Based PNG Libraries