Accelerating Linux Security with eBPF iptables
Authors/Creators
- 1. Politecnico di Torino
Description
Nowadays, the traditional security features of a Linux system are centered on iptables, which has been the most widely used packet filtering mechanism in the Linux kernel for almost 20+ years. However, the increase in network speed and the transformation of the type of applications running on a Linux server have led to the awareness that the current implementation may not be able to cope with modern requirements, particularly in terms of scalability, as the number of rules is dramatically increasing.
In recent years, the extended BPF (eBPF) subsystem has been added to the Linux kernel, offering the possibility to execute (almost) arbitrary code when a packet is received or sent, including stateful processing. Notably, this does not require any additional kernel module and offers the possibility to compile and inject this code dynamically, hence facilitating over-the-air updates.
The above characteristics make eBPF a perfect candidate to build an iptables clone, which can be considered more an initial proof-of-concept that filters traffic based on IP addresses than a full iptables replacement. This paper starts from the above activities and presents a first eBPF-based prototype, bpf-iptables, which emulates the iptables filtering semantics and exploits a more efficient matching algorithm. Finally, we evaluate our prototype by comparing it with the current implementation of iptables, showing how this allows obtaining a notable advantage in terms of performance, particularly when a high number of rules is involved, without requiring custom kernels or invasive software frameworks that could not be allowed in some scenarios.
Files
- p108-Bertrone (1).pdf (1.0 MB, md5:bb848e18828d74243e9592853a06f296)