Lead Image © alphaspirit, 123RF.com

Bpfilter offers a new approach to packet filtering in Linux

New Filter

Article from ADMIN 50/2019

By Martin Loschwitz

The netfilter layer is not getting any younger, and the iptables interface doesn't exactly impress with user friendliness. Bpfilter is the latest chance for Linux to adopt a state-of-art packet filter.

Netfilter [1], the most important tool on Linux for inspecting packets from the network, does not have a very good reputation. It is regarded as old-fashioned and inefficient, and the associated userspace tool iptables is considered clumsy and difficult to use. Many users have come to rely on third-party solutions that embellish iptables with an appealing GUI and hide the most egregious complications of netfilter from the admin's eyes, but the Linux world has long hoped for a better solution.

For many year, nftables has been considered the heir-apparent for netfilter/iptables, but nftables has some issues of its own and hasn't really caught on (see the "What about nftables?" box).

What about nftables?

Another alternative to netfilter/iptables appeared a few years ago. Nftables introduced a kind of virtual machine in the kernel to check network traffic. The VM is the actual filter, based on rules defined by the admin. The rules for nftables use a different format from those for iptables, which led to significant resistance among many admins to even consider nftables. Anyone who has painstakingly built a complicated set of rules for iptables will not simply want to discard it and start over with another tool. However, nftables lacked a compatibility layer for iptables for a long time, as well as any functional GUIs that could generate nftables rules.

Nftables can now interpret and adequately implement iptables rules, but it still hasn't caught on. At the same time, nftables is seeing competition from an unexpected direction as BPF and bpfilter enter the scene.

Now another contender has appeared on the scene: The bpfilter project launched in 2018, and it isn't really ready for production use yet, but it represents an exciting development in the

...

Use Express-Checkout link below to read the full article (PDF).