Securing Linux with a Faster and Scalable Iptables / Miano, Sebastiano; Bertrone, Matteo; Risso, Fulvio Giovanni Ottavio; Vasquez Bernal, Mauricio; Lu, Junsong; Pi, Jianwen. - In: COMPUTER COMMUNICATION REVIEW. - ISSN 0146-4833. - Electronic. - 49:3 (2019), pp. 3-17. [10.1145/3371927.3371929]
Securing Linux with a Faster and Scalable Iptables
Sebastiano Miano; Matteo Bertrone; Fulvio Risso; Mauricio Vásquez Bernal
2019
Abstract
The sheer increase in network speed and the massive deployment of containerized applications on Linux servers have led to the awareness that iptables, the current de-facto firewall in Linux, may not be able to cope with current requirements, particularly in terms of scalability in the number of rules. This paper presents an eBPF-based firewall, bpf-iptables, which emulates the iptables filtering semantics while guaranteeing higher throughput. We compare our implementation against the current version of iptables and other Linux firewalls, showing how it achieves a notable boost in performance, particularly when a high number of rules is involved. This result is achieved without requiring custom kernels or additional software frameworks (e.g., DPDK) that may not be permitted in some scenarios, such as public data centers.

| File | Access | Type | License | Size | Format |
|---|---|---|---|---|---|
| 2019-Iptables-preprint.pdf | Open access | 2. Post-print / Author's Accepted Manuscript | Public - All rights reserved | 1.89 MB | Adobe PDF |
| 19CCR-Iptables-published.pdf | Not available | 2a. Post-print, publisher's version / Version of Record | Non-public - Private/restricted access | 2.27 MB | Adobe PDF |
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/11583/2751684