I've just read in these answers about two options for developing packet filters in linux.
The first is using iptables and netfilter, probably with NFQUEUE and the libnetfilter_queue library.
The second is using BPF (Berkeley Packet Filter), which on a quick reading seems to have similar capabilities for filtering purposes.
So, which of these alternatives is a better way to create a packet filter? What are the differences? My software is going to run as a gateway proxy, or "man-in-the-middle" that should receive a packet from one computer (with destination address to another one, not the filter's local address), and send it out after some filtering.
Thanks a lot!
Though my understanding is limited to the theoretical, I've done some reading while debugging the Kubernetes networking implementation and can thus take a stab at answering this.
Broadly, both netfilter and eBPF (the successor to BPF) implement a virtual machine that executes some logic while processing packets. netfilter's implementation appears to strive for compatibility with iptables' previous implementation, being essentially a more performant successor to iptables. However, there are still performance problems when using iptables -- particularly when there are large sets of iptables rules. The way eBPF is structured can alleviate some of these performance problems; specifically:

Though it was initially used for network processing, eBPF is also being used for kernel instrumentation (sysdig, iovisor). It has a far larger set of use cases, but because of this, likely has a much tougher learning curve.
So, in summary:
Relevant:
Notes:
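As an added example (not code from the question, the answer, or the libnetfilter_queue project), here is the verdict logic a userspace NFQUEUE filter would apply to each packet a gateway forwards, the design the question describes. In a real libnetfilter_queue program, packets reach userspace through a rule such as iptables -A FORWARD -j NFQUEUE --queue-num 0 (with net.ipv4.ip_forward=1), the callback given to nfq_create_queue() fetches the bytes with nfq_get_payload(), calls a function like decide() below, and hands NF_ACCEPT or NF_DROP to nfq_set_verdict(). That wiring is left out so the file compiles without the library; the 10.0.0.0/24 "protected side", the telnet rule and the packets are constructed for the demo. One point worth keeping in mind when weighing the two options: a classic BPF filter on a packet socket only selects what userspace gets to see and cannot drop a packet the kernel is forwarding, so an inline accept/drop decision needs netfilter (NFQUEUE, as here) or eBPF hooked at tc/XDP.

```c
/* Added example: NFQUEUE-style verdict logic for a forwarding gateway.
 * The netfilter/libnetfilter_queue wiring is omitted (see lead-in);
 * policy, addresses and packets below are constructed for the demo. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

enum verdict { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };

struct flow {
    uint32_t src, dst;      /* IPv4 addresses, host byte order */
    uint8_t  proto;         /* IP protocol number */
    uint16_t sport, dport;  /* host byte order; 0 when no L4 header is visible */
};

/* Parse the IPv4 header and, for TCP/UDP first fragments, the port pair.
 * Returns 0 on success, -1 if the packet is truncated or not IPv4. */
int parse_ipv4(const uint8_t *pkt, size_t len, struct flow *f)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    uint16_t total = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (ihl < 20 || total < ihl || total > len) return -1;  /* header lies about its size */
    memset(f, 0, sizeof *f);
    f->proto = pkt[9];
    uint32_t a;
    memcpy(&a, pkt + 12, 4); f->src = ntohl(a);
    memcpy(&a, pkt + 16, 4); f->dst = ntohl(a);
    uint16_t frag_off = (uint16_t)(((pkt[6] & 0x1f) << 8) | pkt[7]);
    if (frag_off != 0) return 0;          /* non-first fragment: no L4 header to read */
    if ((f->proto == 6 || f->proto == 17) && total >= ihl + 4) {
        f->sport = (uint16_t)((pkt[ihl] << 8) | pkt[ihl + 1]);
        f->dport = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);
    }
    return 0;
}

/* Constructed gateway policy: the protected side is 10.0.0.0/24.
 * Anything that fails to parse is dropped (default deny), inbound
 * TCP/23 (telnet) toward the protected side is dropped, the rest passes. */
enum verdict decide(const uint8_t *pkt, size_t len)
{
    struct flow f;
    if (parse_ipv4(pkt, len, &f) != 0) return VERDICT_DROP;
    int to_protected = (f.dst & 0xffffff00u) == 0x0a000000u;
    if (to_protected && f.proto == 6 && f.dport == 23) return VERDICT_DROP;
    return VERDICT_ACCEPT;
}

/* Build a minimal 40-byte IPv4+TCP packet (no options, zero checksums)
 * so the verdict logic can be exercised offline. Returns bytes written. */
size_t build_ipv4_tcp(uint8_t *buf, uint32_t src, uint32_t dst,
                      uint16_t sport, uint16_t dport)
{
    memset(buf, 0, 40);
    buf[0] = 0x45;                 /* version 4, IHL 5 */
    buf[2] = 0; buf[3] = 40;       /* total length */
    buf[8] = 64;                   /* TTL */
    buf[9] = 6;                    /* TCP */
    uint32_t n = htonl(src); memcpy(buf + 12, &n, 4);
    n = htonl(dst);          memcpy(buf + 16, &n, 4);
    buf[20] = (uint8_t)(sport >> 8); buf[21] = (uint8_t)sport;
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    buf[32] = 5 << 4;              /* TCP data offset 5 */
    return 40;
}

/* Convenience: build a TCP packet and run it through decide(), delivering
 * only the first deliver_len bytes (0 = whole packet) to mimic truncation. */
enum verdict verdict_for(uint32_t src, uint32_t dst, uint16_t dport, size_t deliver_len)
{
    uint8_t pkt[64];
    size_t n = build_ipv4_tcp(pkt, src, dst, 40000, dport);
    if (deliver_len != 0 && deliver_len < n) n = deliver_len;
    return decide(pkt, n);
}

static const char *name(enum verdict v) { return v == VERDICT_ACCEPT ? "ACCEPT" : "DROP"; }

int main(void)
{
    printf("192.168.1.5 -> 10.0.0.7:23   %s\n", name(verdict_for(0xc0a80105u, 0x0a000007u, 23, 0)));
    printf("192.168.1.5 -> 10.0.0.7:443  %s\n", name(verdict_for(0xc0a80105u, 0x0a000007u, 443, 0)));
    printf("10.0.0.7 -> 192.168.1.5:23   %s\n", name(verdict_for(0x0a000007u, 0xc0a80105u, 23, 0)));
    printf("truncated 12-byte packet     %s\n", name(verdict_for(0xc0a80105u, 0x0a000007u, 443, 12)));
    return 0;
}
```

The parse step is where most of the care goes: the kernel has already validated the packet for forwarding, but a userspace filter that trusts IHL or total length blindly can read past the buffer it was handed, so every field is bounds-checked against the length nfq_get_payload() would report, and a packet that cannot be parsed is dropped rather than waved through.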