Affiliation:
1. Politecnico di Torino, Italy
2. Futurewei Technologies, Inc.
Abstract
The sheer increase in network speed and the massive deployment of containerized applications on Linux servers has led to the realization that iptables, the current de facto firewall in Linux, may not be able to cope with current requirements, particularly in terms of scalability in the number of rules. This paper presents an eBPF-based firewall, bpf-iptables, which emulates the iptables filtering semantics while guaranteeing higher throughput. We compare our implementation against the current version of iptables and other Linux firewalls, showing how it achieves a notable performance boost, particularly when a high number of rules is involved. This result is achieved without requiring custom kernels or additional software frameworks (e.g., DPDK) that might not be allowed in some scenarios, such as public data centers.
Publisher
Association for Computing Machinery (ACM)
Subject
Computer Networks and Communications, Software
Cited by
21 articles.
1. Accelerating network analytics with an on-NIC streaming engine;Computer Networks;2024-02
2. Disaggregate Applications Along End-Host Data-Path;Proceedings of the on CoNEXT Student Workshop 2023;2023-12-05
3. Supercharge WebRTC: Accelerate TURN Services with eBPF/XDP;Proceedings of the 1st Workshop on eBPF and Kernel Extensions;2023-09-10
4. TENSOR: Lightweight BGP Non-Stop Routing;Proceedings of the ACM SIGCOMM 2023 Conference;2023-09
5. Building a High-Performance Data Channel for the Federal Cyber Range;2023 8th International Conference on Data Science in Cyberspace (DSC);2023-08-18