Affiliation:
1. Politecnico di Torino, Italy
2. Futurewei Technologies, Inc.
Abstract
The sharp increase in network speed and the massive deployment of containerized applications on Linux servers have led to the awareness that iptables, the current de-facto firewall in Linux, may not be able to cope with current requirements, particularly in terms of scalability in the number of rules. This paper presents an eBPF-based firewall, bpf-iptables, which emulates the iptables filtering semantics while delivering higher throughput. We compare our implementation against the current version of iptables and other Linux firewalls, showing that it achieves a notable performance boost, particularly when a large number of rules is involved. This result is achieved without requiring custom kernels or additional software frameworks (e.g., DPDK) that may not be allowed in some scenarios, such as public data centers.
Publisher
Association for Computing Machinery (ACM)
Subject
Computer Networks and Communications, Software
Cited by
27 articles.
1. iKern: Advanced Intrusion Detection and Prevention at the Kernel Level Using eBPF;Technologies;2024-07-30
2. LinuxFP: Transparently Accelerating Linux Networking;2024 IEEE 44th International Conference on Distributed Computing Systems (ICDCS);2024-07-23
3. Rethinking Cloud Network Stacks with Switch Bypass;2024 IEEE 25th International Conference on High Performance Switching and Routing (HPSR);2024-07-22
4. SPRIGHT: High-Performance eBPF-Based Event-Driven, Shared-Memory Processing for Serverless Computing;IEEE/ACM Transactions on Networking;2024-06
5. Merlin: Multi-tier Optimization of eBPF Code for Performance and Compactness;Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 3;2024-04-27