BPFILTER: Your next Firewall Engine

Since the dawn of human civilization, attacking the civic infrastructure to create mayhem was a well documented history. So, when the Internet was getting popular as a tool of business and collaboration, attacks on the network infrastructure that make’s Internet possible was inevitable. Right from state sponsored hacking efforts to vigilantes that want to punish corporate’s for their capitalist views.

Some of the most popular ways to attack the network infrastructure were to hack into a server via applications that sit on top of the networking layer a.k.a stack smashing or send huge amounts of unwanted traffic on a specific port to create a Denial of Service(DoS) attack. DoS or DDoS (Distriburted DoS) attacks have been successfully used on servers, desktops or networks in the past with varied success that has brought businesses and organizations to their knees, causing security and privacy concerns among customers and end users. Businesses had to bare huge financial losses.

To thwart such attacks, FIREWALL’s were introduced.

Firewall’s to the Rescue

Roughly USD $ 3 billion has been spent on Firewall and Threat Management systems in 2017 alone, which is a whooping number and talks about the shear size of the networks that are getting deployed these days. One of the most popular firewall tool used to protect networks and servers is based on Linux Firewall Engine.

Evolution of Linux Firewall Engines

The current generation of Linux firewall engine is based on IPTABLE and runs in the Linux Kernel.

Before we go into BPFILTER a short background about eBPF and XDP are essential to understand BPFILTER.

About eBPF

Berkeley Packet Filter (BPF) was original designed for packet filtering/tracing, with a custom instruction set and a JIT compiler. The JIT compiler generates byte code that is safea and runs with-in the kernel like mini VMs. Each BPF program can be attached to kprobe, uprobe, sockets and tracepoints to perform the required functionality. This frame work is called eBPF (extended BPF). BPF programs are written in C language and compiled with a JIT compiler called BCC.

The BCC compiler is collection of libraries and python/lua modules for compiling, loading and executing BPF programs. Now you will ask me … Well BPF helps in tracing and performance optimization but how can it accelerate packet processing. Well….. hold your horses, that is where XDP comes in.

About XDP

From a software stack point of view, XDP sits between Device Driver Layer and TCP/IP Stack BPF programs to parse packets are injected to this layer using the eBPF infrastructure.

Once the BPF programs parse the packet they have the option of dropping this packet or forwarding or send to it normal path i.e the TCP/IP stack.

BPF programs can perform packet processing such as packet parsing, table look ups, creating/managing stateful filters, encap/decap packets, etc.


BPFILTER converts iptable commands into BPF programs and attaches them to the XDP layer or layers which support BPF filters. The iptable rule translation happens in the user space and the corresponding BPF program can be injected to XDP layer. Advanced SmartNICs from networking vendors support XDP program offloading and all firewall rule processing can be moved to the NIC itself which is closer to the edge. Security is also improved since the rule processing and parsing is moved to user-space.

By moving firewall rule processing from kernel space to XDP layer, we can achieve higher performance.

Sample IPTABLEs rule:

Sample BPF byte code for the above IPTABLEs rule.

The Linux Kernel community is still yet to select the next firewall engine that is going to replace IPCHAINs that commands major market share currently. But my inclination is towards BPFILTER for its clean and containerized implementation.


  1. [Figure 1]: http://ipwithease.com/network-based-firewall-vs-host-based-firewall/153-network-based-firewall-vs-host-based-firewall-01/
  2. https://www.idc.com/getdoc.jsp?containerId=prUS43066017
  3. https://lwn.net/Articles/747504/