Ship your firewall rules with your application using eBPF

silav delalĂȘ,

this week’s paper is a classic again: How to use eBPF to enhance network package filtering in Linux. The authors discuss two use cases for eBPF and also provide example code, so you can check out what exactly they did and how.

Quite a nice idea to ship your firewall rules with your application, e.g. directly do DoS prevention against your home-backed network protocol (and we all love building them from time to time) and still keep high performance by running the code in the Kernel (that is where eBPF differs, you can run your code directly in the kernel, no loops and only ~4kb program size though)

The paper gave an overall nice intro into eBPF and use cases, so definitely check it out!


Firewall capabilities of operating systems are traditionally provided by inflexible filter routines or hooks in the kernel. These require privileged access to be configured and are
not easily extensible for custom low-level actions. Since Linux 3.0, the Berkeley Packet Filter (BPF) allows user-written extensions in the kernel processing path. The successor, extended BPF (eBPF), improves flexibility and is realized via a virtual machine featuring
both a just-in-time (JIT) compiler and an interpreter running in the kernel. It executes custom eBPF programs supplied by the user, effectively moving kernel functionality into user space. We present two case studies on the usage of Linux eBPF. First, we analyze the performance of the eXpress Data Path (XDP). XDP uses eBPF to process ingress traffic before the allocation of kernel data structures, which comes along with performance benefits. In the second case study, eBPF is used to install application-specific packet filtering configurations acting on the socket level. Our case studies focus on performance aspects and discuss benefits and drawbacks.

Download Link:

Additional Links:

Weekly in-depth computer science knowledge to become a better programmer. For free!
Over 2000 subcribers. One click unsubscribe.