BPF-Based Linux Firewall "bpfilter" Shows Impressive Performance Potential
This year the BPF-based firewall code work was taken up by Facebook's Dmitrii Banshchikov and he's trying to push the code along now. Ahead of the next iteration of these patches, Dmitrii presented at this week's Linux Plumbers Conference on the effort.
The bpfilter firewall support so far with these patches allows processing basic rules in INPUT/OUTPUT chains and translating them into XDP/TC programs. Leveraging BPF, the potential is there for security advantages, more robust firewall rule handling, and being more performant than iptables/nftables.
A current look at the bpfilter performance is what gets us really excited:
Moving forward more feature work is planned around new matches and targets, containers integration, in-place upgrades support, privilege separation, and BPF code optimization support.
Learn more about this Linux BPF-based firewall effort via the slide deck and the video presentation embedded below.
The current v2 patch series for bpfilter can be found on the BPF mailing list while the "v3" series is expected soon.