BPF-Based Linux Firewall "bpfilter" Shows Impressive Performance Potential
bpfilter generated much excitement back in 2018 for its potential to improve Linux's firewall and packet filtering by making it more robust and more performant. Work on this BPF-based firewall has recently been renewed, and its performance potential over iptables and nftables is looking very good for the future, with more feature work planned around new matches and targets, container integration, in-place upgrade support, privilege separation, and BPF code optimization support.
This year the BPF-based firewall code work was taken up by Facebook's Dmitrii Banshchikov, who is now trying to push the code along. Ahead of the next iteration of these patches, Dmitrii presented on the effort at this week's Linux Plumbers Conference.
With these patches so far, bpfilter can process basic rules in the INPUT/OUTPUT chains and translate them into XDP/TC programs. By leveraging BPF, the potential is there for security advantages, more robust firewall rule handling, and better performance than iptables/nftables.
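To make concrete what "basic rules in the INPUT chain" means in practice, here is an added example that is not bpfilter, kernel, or XDP code: a user-space C model of the first-match rule evaluation that such a chain performs, run against constructed IPv4/TCP packet headers. The rule struct, the sample policy (allow TCP/22 and TCP/443, drop other TCP, default accept) and the packets are all assumptions made for this illustration; the point is the semantics a compiler like bpfilter has to preserve when it turns the rule list into a BPF program, including the bounds checks an XDP program must perform before touching each header field.

```c
/* Added example (not bpfilter or kernel code): a user-space model of how an
 * INPUT chain of basic rules (protocol, destination port, verdict) is
 * evaluated against a packet's IPv4 and TCP/UDP headers with first-match
 * semantics. Rule format, structs and sample packets are constructed here. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum verdict { VERDICT_ACCEPT = 1, VERDICT_DROP = 2 };

/* The subset of an iptables rule modelled here: protocol, destination
 * port (for TCP/UDP) and a target. A zero field means "match any". */
struct rule {
    uint8_t  proto;   /* 0 = any; otherwise IPPROTO_* number (6 TCP, 17 UDP) */
    uint16_t dport;   /* 0 = any; otherwise exact destination port */
    enum verdict target;
};

struct chain {
    const struct rule *rules;
    size_t nrules;
    enum verdict policy;   /* default verdict when no rule matches */
};

struct pkt_info {
    uint8_t  proto;
    uint16_t dport;
    int      valid;        /* 0 if the headers could not be parsed */
};

/* Parse the IPv4 header and, for TCP/UDP, the destination port. Every
 * access is bounds-checked first, as the BPF verifier would require. */
static struct pkt_info parse_ipv4(const uint8_t *buf, size_t len)
{
    struct pkt_info info = {0};
    if (len < 20 || (buf[0] >> 4) != 4)
        return info;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4u;
    if (ihl < 20 || len < ihl)
        return info;
    info.proto = buf[9];
    info.valid = 1;
    if ((info.proto == 6 || info.proto == 17) && len >= ihl + 4)
        /* Destination port: bytes 2-3 of the transport header, big endian. */
        info.dport = (uint16_t)((buf[ihl + 2] << 8) | buf[ihl + 3]);
    return info;
}

/* First-match evaluation in rule order, falling back to the chain policy. */
static enum verdict evaluate(const struct chain *c, const uint8_t *buf, size_t len)
{
    struct pkt_info p = parse_ipv4(buf, len);
    if (!p.valid)
        return VERDICT_DROP;   /* malformed packet: fail closed */
    for (size_t i = 0; i < c->nrules; i++) {
        const struct rule *r = &c->rules[i];
        if (r->proto && r->proto != p.proto)
            continue;
        if (r->dport && r->dport != p.dport)
            continue;
        return r->target;
    }
    return c->policy;
}

/* Build a minimal 40-byte IPv4 + transport header (constructed sample). */
static size_t make_packet(uint8_t *buf, uint8_t proto, uint16_t dport)
{
    memset(buf, 0, 40);
    buf[0]  = 0x45;                      /* IPv4, IHL = 5 (20 bytes) */
    buf[9]  = proto;
    buf[22] = (uint8_t)(dport >> 8);     /* dst port at IP header + 2 */
    buf[23] = (uint8_t)(dport & 0xff);
    return 40;
}

/* Sample INPUT policy: allow SSH and HTTPS, drop other TCP, accept the rest. */
static const struct rule input_rules[] = {
    { 6, 22,  VERDICT_ACCEPT },
    { 6, 443, VERDICT_ACCEPT },
    { 6, 0,   VERDICT_DROP },
};
static const struct chain input_chain = {
    input_rules, sizeof input_rules / sizeof input_rules[0], VERDICT_ACCEPT
};

/* Convenience: build a packet for (proto, dport), then evaluate only the
 * first `len` bytes of it so truncation can be exercised too. */
enum verdict verdict_for(uint8_t proto, uint16_t dport, size_t len)
{
    uint8_t pkt[40];
    size_t n = make_packet(pkt, proto, dport);
    return evaluate(&input_chain, pkt, len < n ? len : n);
}

int main(void)
{
    printf("tcp/22   -> %s\n", verdict_for(6, 22, 40) == VERDICT_ACCEPT ? "ACCEPT" : "DROP");
    printf("tcp/8080 -> %s\n", verdict_for(6, 8080, 40) == VERDICT_ACCEPT ? "ACCEPT" : "DROP");
    printf("udp/8080 -> %s\n", verdict_for(17, 8080, 40) == VERDICT_ACCEPT ? "ACCEPT" : "DROP");
    return 0;
}
```

The ordering matters: the two ACCEPT rules must stay ahead of the catch-all TCP DROP, and a translator that reorders or merges rules has to prove it preserves exactly this first-match result for every packet, which is the correctness burden bpfilter takes on when it emits XDP/TC programs.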