Bpfilter — next generation Linux Firewall


The Linux community keeps improving the GNU/Linux kernel. For network traffic filtering, we moved from ipchains to iptables, and more recently saw the introduction of nftables. Next is bpfilter, which is under development as part of the Linux 4.18 kernel.

What is bpfilter?

Bpfilter is short for "BPF based packet filtering framework". BPF itself is an acronym for Berkeley Packet Filter, so packet filtering is clearly central to this feature.

To understand bpfilter, we first need to understand BPF. In short, it lets user-space tools such as tcpdump filter traffic inside the kernel. Suppose you want to see the traffic received on port 80 (HTTP). We start tcpdump and give it the port number:

tcpdump port 80

BPF now returns only the packets that match this criterion. Because only a limited subset of the data has to be passed to user space, overhead is reduced and performance is high.

How BPF works

BPF does not give user-space tools direct access to the raw network; instead it uses a pseudo device, which acts as a controlled staging area. If permitted, BPF lets tools such as tcpdump retrieve data from this staging area.

eBPF: the Linux BPF implementation

Since BPF originates on the BSD platform, it is not surprising that Linux has a slightly different implementation: eBPF, which stands for extended BPF. Starting with kernel 3.18, this implementation can also be used for non-network activities, such as performance analysis, which is useful for debugging a process. Kernel 3.19 (2015) added support for attaching eBPF programs to sockets.

The Linux 4.x series adds interesting new features for network traffic filtering. For example, kernel 4.1 (2015) provides ingress and egress filters, which let us act on both incoming and outgoing traffic. Kernel 4.15 (2018) allows eBPF hooks for the Linux Security Module (LSM) framework.

In short, eBPF has many uses and has become a powerful toolkit for Linux developers. No wonder others have built excellent tools around it for performance evaluation and troubleshooting. A good example is the work of Brendan Gregg at Netflix. Brendan has contributed a lot to BCC (BPF Compiler Collection), a toolkit for retrieving data through eBPF. It helps answer many questions, such as:

  • Which TCP connections are active?
  • What is the latency for disk requests?
  • Which MySQL queries are slower than the specified threshold?
  • Which security functions are checked?
  • What is the slowest ext4 call?
  • What NFS calls were made?
  • And much more.

So, with BPF and eBPF in Linux, we can see the potential for network traffic filtering. Let's move on and learn more about bpfilter.

Current progress of bpfilter

Development is at an early stage. Most of the work has been done by Alexei Starovoitov, Daniel Borkmann and David S. Miller, who work on the network layer and maintain eBPF, so it is no surprise that they are closely involved in bpfilter. Some of the latest code can be found in Alexei's bpfilter branch.


Currently, bpfilter works as follows: the Netfilter rules used by iptables are converted into BPF programs. These small sets of instructions can then be attached at various points in the kernel, such as the network stack. The conversion itself is dynamic, also known as JIT (just-in-time) or runtime compilation: it happens in user space and runs when needed, rather than ahead of time.
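To make both ideas concrete, the "port 80" filter from the tcpdump section above and the rule-to-BPF-program conversion described here, the following is an added example that is not part of the original article and not bpfilter's or the kernel's code. It models a classic-BPF-style filter machine (accumulator A, index register X, absolute and indexed loads, conditional jumps, return) in plain Python, "compiles" a constructed iptables-like rule (`-p tcp --dport 80`) into such a program, and runs it over a constructed Ethernet/IPv4/TCP frame. The instruction names, the `compile_rule` helper and the frame builder are assumptions made for illustration; the load offsets (EtherType at 12, IP protocol at 23, IHL at 14, TCP ports at X+14 and X+16) follow the standard header layout.

```python
import struct

# Constructed teaching model of a classic-BPF-style filter machine.
# Not the kernel's BPF implementation and not bpfilter's translator.
ETH_P_IP = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17
ACCEPT = 0xFFFF  # "return snaplen": deliver the packet
DROP = 0         # "return 0": filter rejects the packet


def compile_rule(proto, dport):
    """Translate one constructed rule (think "-p tcp --dport <port>") into a
    filter program: list of (op, k, jt, jf). Jump targets are relative to the
    next instruction, as in classic BPF."""
    if proto != "tcp":
        raise ValueError("this model only handles TCP rules")
    return [
        ("ldh", 12, 0, 0),            # 0: A = EtherType
        ("jeq", ETH_P_IP, 0, 6),      # 1: not IPv4 -> jump to 8 (drop)
        ("ldb", 23, 0, 0),            # 2: A = IP protocol byte
        ("jeq", IPPROTO_TCP, 0, 4),   # 3: not TCP -> jump to 8 (drop)
        ("ldxb_msh", 14, 0, 0),       # 4: X = 4 * IHL (IP header length, handles options)
        ("ldh_ind", 16, 0, 0),        # 5: A = halfword at [X + 16] = TCP destination port
        ("jeq", dport, 0, 1),         # 6: port mismatch -> jump to 8 (drop)
        ("ret", ACCEPT, 0, 0),        # 7: match
        ("ret", DROP, 0, 0),          # 8: no match
    ]


def run_filter(prog, pkt):
    """Execute a filter program over a raw frame. Returns ACCEPT or DROP.
    A load beyond the end of the packet makes the filter return DROP, which
    mirrors how an out-of-bounds load terminates a real BPF filter."""
    a = x = 0
    pc = 0
    try:
        while pc < len(prog):
            op, k, jt, jf = prog[pc]
            pc += 1
            if op == "ldh":            # load 16-bit big-endian word at absolute offset k
                a = struct.unpack_from("!H", pkt, k)[0]
            elif op == "ldb":          # load byte at absolute offset k
                a = pkt[k]
            elif op == "ldxb_msh":     # X = 4 * (low nibble of byte k), i.e. IPv4 IHL in bytes
                x = 4 * (pkt[k] & 0x0F)
            elif op == "ldh_ind":      # load 16-bit word at X + k
                a = struct.unpack_from("!H", pkt, x + k)[0]
            elif op == "jeq":
                pc += jt if a == k else jf
            elif op == "ret":
                return k
            else:
                raise ValueError(f"unknown op {op}")
    except (struct.error, IndexError):
        return DROP
    raise ValueError("program fell off the end without a ret")


def build_frame(dst_port, src_port=40000, ihl=5, proto=IPPROTO_TCP):
    """Construct a minimal Ethernet/IPv4/TCP frame (sample data, checksums zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_P_IP)
    ip_len = ihl * 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ip_len + 20, 0, 0,
                     64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip += b"\x00" * (ip_len - 20)  # padding standing in for IP options when ihl > 5
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return eth + ip + tcp


if __name__ == "__main__":
    prog = compile_rule("tcp", 80)
    for label, frame in [("tcp/80", build_frame(80)),
                         ("tcp/443", build_frame(443)),
                         ("tcp/80 with IP options", build_frame(80, ihl=6)),
                         ("udp", build_frame(80, proto=IPPROTO_UDP)),
                         ("truncated", build_frame(80)[:20])]:
        print(f"{label:24s} -> {'ACCEPT' if run_filter(prog, frame) else 'DROP'}")
```

The point to notice is the shape of the output: a firewall rule becomes a short, branch-heavy program that reads fixed header offsets and returns a verdict, and the `ldxb_msh` / `ldh_ind` pair is how such programs cope with variable-length IP headers. A real JIT would further turn these instructions into native machine code; this model only interprets them.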

Advantages of bpfilter

Because of JIT compilation, most of the conversion work takes place in user space, which simplifies what the kernel has to do and makes the code easier to maintain. Other expected benefits include hardware offloading, easier migration from existing Netfilter rules, and better performance.


Note: since bpfilter converts the Netfilter rules used by iptables into BPF programs, we can imagine the future of the iptables mode of kube-proxy. Personally, I expect it to remain iptables mode on the surface, with bpfilter underneath to achieve higher performance and support for a large number of rules.