iptables, and more recently nftables, have been the de facto standard for Linux packet filtering for decades: they are well documented and understood by many developers and sysadmins. But as network bandwidth grows, the kernel's netfilter path can become a bottleneck.

BPF offers a way out: attach compiled programs directly to the network stack, where they run as fast as kernel code. However, you are now writing and maintaining your firewall ruleset as a C program, and fighting the BPF verifier.

What if you could get the best of both worlds: the ease of use of iptables and the efficiency of BPF?

That's the premise behind bpfilter. It provides a familiar, iptables-like DSL and compiles your rules into BPF bytecode under the hood.
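
To make the "rules in, bytecode out" idea concrete, here is an added toy example. It is not bpfilter's code, not its DSL, and not the eBPF it actually emits: bpfilter generates eBPF programs for netfilter and XDP hooks, while this script targets classic BPF (cBPF, the encoding used by seccomp and tcpdump) only because it is small enough to show the whole pipeline, rule to bytecode to verdict, in one file. The rule list, addresses, and sample frames are constructed for the demo.

```python
"""Toy illustration of compiling iptables-like rules into BPF (classic BPF here,
not the eBPF bpfilter produces) and running the result against raw frames."""
import ipaddress
import struct

# cBPF opcode bits, as in linux/filter.h.
BPF_LD, BPF_JMP, BPF_RET = 0x00, 0x05, 0x06
BPF_W, BPF_H, BPF_ABS = 0x00, 0x08, 0x20
BPF_JEQ, BPF_K = 0x10, 0x00

LD_H_ABS = BPF_LD | BPF_H | BPF_ABS   # ldh [k]: A = 16-bit big-endian at offset k
LD_W_ABS = BPF_LD | BPF_W | BPF_ABS   # ld  [k]: A = 32-bit big-endian at offset k
JEQ_K = BPF_JMP | BPF_JEQ | BPF_K     # jeq #k, jt, jf: relative conditional jump
RET_K = BPF_RET | BPF_K               # ret #k: return k (bytes to accept)

ETH_P_IP = 0x0800
ACCEPT = 0xFFFF   # accept (whole packet)
DROP = 0          # drop (zero bytes)


def compile_rules(rules, policy="ACCEPT"):
    """Compile first-match rules into a list of (code, jt, jf, k) cBPF instructions.

    rules: [(verdict, field, ipv4)] with verdict in {"ACCEPT", "DROP"} and
           field in {"saddr", "daddr"}.  policy: verdict when nothing matches.
    """
    verdict_k = {"ACCEPT": ACCEPT, "DROP": DROP}
    prog = [(LD_H_ABS, 0, 0, 12)]                 # A = EtherType
    prog.append((JEQ_K, 0, 0, ETH_P_IP))          # jf patched below: non-IPv4 -> policy
    ethertype_jeq = len(prog) - 1
    for verdict, field, ip in rules:
        offset = 14 + (12 if field == "saddr" else 16)   # Ethernet + IPv4 field offset
        prog.append((LD_W_ABS, 0, 0, offset))
        prog.append((JEQ_K, 0, 1, int(ipaddress.IPv4Address(ip))))  # miss: skip the ret
        prog.append((RET_K, 0, 0, verdict_k[verdict]))
    policy_idx = len(prog)
    prog.append((RET_K, 0, 0, verdict_k[policy]))
    code, jt, _, k = prog[ethertype_jeq]
    prog[ethertype_jeq] = (code, jt, policy_idx - ethertype_jeq - 1, k)
    return prog


def run(prog, pkt):
    """Minimal interpreter for the four opcodes emitted above.

    Like the kernel, a load past the end of the packet yields a drop (return 0),
    so a truncated frame can never slip past a rule that needs a missing field.
    """
    pc, acc = 0, 0
    while True:
        code, jt, jf, k = prog[pc]
        pc += 1
        if code == LD_H_ABS:
            if k + 2 > len(pkt):
                return DROP
            acc = struct.unpack_from("!H", pkt, k)[0]
        elif code == LD_W_ABS:
            if k + 4 > len(pkt):
                return DROP
            acc = struct.unpack_from("!I", pkt, k)[0]
        elif code == JEQ_K:
            pc += jt if acc == k else jf
        elif code == RET_K:
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")


def disassemble(prog):
    """Human-readable listing, the 'inspect the ruleset' step of the pipeline."""
    fmt = {LD_H_ABS: "ldh [{k}]", LD_W_ABS: "ld [{k}]",
           JEQ_K: "jeq #{k:#x}, +{jt}, +{jf}", RET_K: "ret #{k}"}
    return [f"{i:02d}: " + fmt[c].format(k=k, jt=jt, jf=jf)
            for i, (c, jt, jf, k) in enumerate(prog)]


def ipv4_frame(src, dst):
    """Constructed sample frame: zeroed Ethernet header + minimal IPv4 header."""
    eth = bytes(12) + struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return eth + ip


# Constructed ruleset, in the spirit of:
#   iptables -A INPUT -s 10.0.0.5 -j DROP
#   iptables -A INPUT -d 192.0.2.1 -j ACCEPT
#   iptables -P INPUT DROP
RULES = [("DROP", "saddr", "10.0.0.5"), ("ACCEPT", "daddr", "192.0.2.1")]
PROG = compile_rules(RULES, policy="DROP")


def verdict(pkt, prog=PROG):
    """Return 'ACCEPT' or 'DROP' for a raw frame under the compiled program."""
    return "ACCEPT" if run(prog, pkt) else "DROP"


if __name__ == "__main__":
    print("\n".join(disassemble(PROG)))
    for s, d in [("10.0.0.5", "192.0.2.1"), ("10.0.0.9", "192.0.2.1"), ("10.0.0.9", "192.0.2.2")]:
        print(f"{s} -> {d}: {verdict(ipv4_frame(s, d))}")
```

Two things carry over to the real thing. First, rule order is encoded as jump targets, so "first match wins" is a property of the generated program, not of a runtime table walk; that is where the speed comes from. Second, the bounds checks in `run` are what the BPF verifier enforces statically for eBPF: a generator like bpfilter has to emit loads the verifier can prove safe, which is exactly the part of hand-written BPF that the abstract calls "fighting the verifier".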

This talk walks through it hands-on:

- A quick look at the current solutions on Linux and their tradeoffs
- Introduction to bpfilter
- Live demos: filtering packets, inspecting the ruleset, debugging network issues

You'll leave knowing whether bpfilter fits your stack, and how to try it tomorrow.