Towards a faster Iptables with eBPF

Iptables is the de-facto standard Linux firewall. Features are its strength, but its low scalability and poor performance are becoming the bottleneck of network systems. This thesis describes the challenges encountered and, consequently, the choices made while developing a prototype to replace Iptables back-end, the Netfilter, improving performance but keeping the same syntax and semantic. The prototype is developed using eBPF, a technology recently added to the Linux kernel, that allows fast in-kernel packet processing with no modification to the kernel. The results show a great gain over Iptables, and the architecture leaves space for further improvements.