{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,19]],"date-time":"2026-02-19T05:25:52Z","timestamp":1771478752593,"version":"3.50.1"},"reference-count":40,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2019,11,8]],"date-time":"2019-11-08T00:00:00Z","timestamp":1573171200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["SIGCOMM Comput. Commun. Rev."],"published-print":{"date-parts":[[2019,11,8]]},"abstract":"<jats:p>The sheer increase in network speed and the massive deployment of containerized applications in a Linux server has led to the consciousness that iptables, the current de-facto firewall in Linux, may not be able to cope with the current requirements particularly in terms of scalability in the number of rules. This paper presents an eBPF-based firewall, bpf-iptables, which emulates the iptables filtering semantic while guaranteeing higher throughput. We compare our implementation against the current version of iptables and other Linux firewalls, showing how it achieves a notable boost in terms of performance particularly when a high number of rules is involved. This result is achieved without requiring custom kernels or additional software frameworks (e.g., DPDK) that could not be allowed in some scenarios such as public data-centers.<\/jats:p>","DOI":"10.1145\/3371927.3371929","type":"journal-article","created":{"date-parts":[[2019,11,8]],"date-time":"2019-11-08T20:27:58Z","timestamp":1573244878000},"page":"2-17","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":44,"title":["Securing Linux with a faster and scalable iptables"],"prefix":"10.1145","volume":"49","author":[{"given":"Sebastiano","family":"Miano","sequence":"first","affiliation":[{"name":"Politecnico di Torino, Italy"}]},{"given":"Matteo","family":"Bertrone","sequence":"additional","affiliation":[{"name":"Politecnico di Torino, Italy"}]},{"given":"Fulvio","family":"Risso","sequence":"additional","affiliation":[{"name":"Politecnico di Torino, Italy"}]},{"given":"Mauricio V\u00e1squez","family":"Bernal","sequence":"additional","affiliation":[{"name":"Politecnico di Torino, Italy"}]},{"given":"Yunsong","family":"Lu","sequence":"additional","affiliation":[{"name":"Futurewei Technologies, Inc."}]},{"given":"Jianwen","family":"Pi","sequence":"additional","affiliation":[]}],"member":"320","published-online":{"date-parts":[[2019,11,8]]},"reference":[{"key":"e_1_2_1_1_1","volume-title":"HTTP Filter. https:\/\/github.com\/iovisor\/bcc\/tree\/master\/examples\/networking\/http_filter [Online","author":"Authors BCC","year":"2018","unstructured":"BCC Authors . 2016. HTTP Filter. https:\/\/github.com\/iovisor\/bcc\/tree\/master\/examples\/networking\/http_filter [Online ; last-retrieved 15- November - 2018 ]. BCC Authors. 2016. HTTP Filter. https:\/\/github.com\/iovisor\/bcc\/tree\/master\/examples\/networking\/http_filter [Online; last-retrieved 15-November-2018]."},{"key":"e_1_2_1_2_1","volume-title":"BPF and XDP Reference Guide. https:\/\/cilium.readthedocs.io\/en\/latest\/bpf\/ [Online","author":"Authors Cilium","year":"2019","unstructured":"Cilium Authors . 2018. BPF and XDP Reference Guide. https:\/\/cilium.readthedocs.io\/en\/latest\/bpf\/ [Online ; last-retrieved 29- March - 2019 ]. Cilium Authors. 2018. BPF and XDP Reference Guide. https:\/\/cilium.readthedocs.io\/en\/latest\/bpf\/ [Online; last-retrieved 29-March-2019]."},{"key":"e_1_2_1_3_1","volume-title":"weighttp: a lightweight and simple webserver benchmarking tool. https:\/\/redmine.lighttpd.net\/projects\/weighttp\/wiki [Online","author":"Lighttpd","year":"2018","unstructured":"Lighttpd authors. 2018. weighttp: a lightweight and simple webserver benchmarking tool. https:\/\/redmine.lighttpd.net\/projects\/weighttp\/wiki [Online ; last-retrieved 10- November - 2018 ]. Lighttpd authors. 2018. weighttp: a lightweight and simple webserver benchmarking tool. https:\/\/redmine.lighttpd.net\/projects\/weighttp\/wiki [Online; last-retrieved 10-November-2018]."},{"key":"e_1_2_1_4_1","volume-title":"Moving from iptables to nftables. https:\/\/wiki.nftables.org\/wiki-nftables\/index.php\/Moving_from_iptables_to_nftables [Online","author":"Authors Netfilter","year":"2018","unstructured":"Netfilter Authors . 2018. Moving from iptables to nftables. https:\/\/wiki.nftables.org\/wiki-nftables\/index.php\/Moving_from_iptables_to_nftables [Online ; last-retrieved 10- October - 2018 ]. Netfilter Authors. 2018. Moving from iptables to nftables. https:\/\/wiki.nftables.org\/wiki-nftables\/index.php\/Moving_from_iptables_to_nftables [Online; last-retrieved 10-October-2018]."},{"key":"e_1_2_1_5_1","volume-title":"https:\/\/www.mail-archive.com\/netdev@vger.kernel.org\/msg217425.html [Online","author":"Ayuso Pablo Neira","year":"2019","unstructured":"Pablo Neira Ayuso . 2018. [ PATCH RFC PoC 0\/3] nftables meets bpf. https:\/\/www.mail-archive.com\/netdev@vger.kernel.org\/msg217425.html [Online ; last-retrieved 29- March - 2019 ]. Pablo Neira Ayuso. 2018. [PATCH RFC PoC 0\/3] nftables meets bpf. https:\/\/www.mail-archive.com\/netdev@vger.kernel.org\/msg217425.html [Online; last-retrieved 29-March-2019]."},{"key":"e_1_2_1_6_1","volume-title":"https:\/\/www.netronome.com\/blog\/hello-xdp_drop\/ [Online","author":"Beckett David","year":"2018","unstructured":"David Beckett . 2018. Hello XDP_DROP. https:\/\/www.netronome.com\/blog\/hello-xdp_drop\/ [Online ; last-retrieved 15- November - 2018 ]. David Beckett. 2018. Hello XDP_DROP. https:\/\/www.netronome.com\/blog\/hello-xdp_drop\/ [Online; last-retrieved 15-November-2018]."},{"key":"e_1_2_1_7_1","volume-title":"net: add bpfilter. https:\/\/lwn.net\/Articles\/747504\/ [Online","author":"Borkmann D.","year":"2018","unstructured":"D. Borkmann . 2018. net: add bpfilter. https:\/\/lwn.net\/Articles\/747504\/ [Online ; last-retrieved 30- June - 2018 ]. D. Borkmann. 2018. net: add bpfilter. https:\/\/lwn.net\/Articles\/747504\/ [Online; last-retrieved 30-June-2018]."},{"key":"e_1_2_1_8_1","volume-title":"https:\/\/prototype-kernel.readthedocs.io\/en\/latest\/networking\/XDP\/implementation\/drivers.html [Online","author":"Brouer Jesper Dangaard","year":"2018","unstructured":"Jesper Dangaard Brouer . 2018. XDP Drivers . https:\/\/prototype-kernel.readthedocs.io\/en\/latest\/networking\/XDP\/implementation\/drivers.html [Online ; last-retrieved 18- September - 2018 ]. Jesper Dangaard Brouer. 2018. XDP Drivers. https:\/\/prototype-kernel.readthedocs.io\/en\/latest\/networking\/XDP\/implementation\/drivers.html [Online; last-retrieved 18-September-2018]."},{"key":"e_1_2_1_9_1","volume-title":"LPC'18 Networking Track. Linux Plumbers Conference.","author":"Brouer Jesper Dangaard","year":"2018","unstructured":"Jesper Dangaard Brouer and Toke H\u00f8iland-J\u00f8rgensen . 2018 . XDP: challenges and future work . In LPC'18 Networking Track. Linux Plumbers Conference. Jesper Dangaard Brouer and Toke H\u00f8iland-J\u00f8rgensen. 2018. XDP: challenges and future work. In LPC'18 Networking Track. Linux Plumbers Conference."},{"key":"e_1_2_1_10_1","volume-title":"Nftables: a new packet filtering engine. https:\/\/lwn.net\/Articles\/324989 [Online","author":"Corbet J.","year":"2018","unstructured":"J. Corbet . 2009. Nftables: a new packet filtering engine. https:\/\/lwn.net\/Articles\/324989 [Online ; last-retrieved 30- June - 2018 ]. J. Corbet. 2009. Nftables: a new packet filtering engine. https:\/\/lwn.net\/Articles\/324989 [Online; last-retrieved 30-June-2018]."},{"key":"e_1_2_1_11_1","volume-title":"Bounded loops in BPF programs. https:\/\/lwn.net\/Articles\/773605\/ [Online","author":"Corbet Jonathan","year":"2019","unstructured":"Jonathan Corbet . 2018. Bounded loops in BPF programs. https:\/\/lwn.net\/Articles\/773605\/ [Online ; last-retrieved 29- March - 2019 ]. Jonathan Corbet. 2018. Bounded loops in BPF programs. https:\/\/lwn.net\/Articles\/773605\/ [Online; last-retrieved 29-March-2019]."},{"key":"e_1_2_1_12_1","volume-title":"BPF comes to firewalls. https:\/\/lwn.net\/Articles\/747551\/ [Online","author":"Corbet Jonathan","year":"2019","unstructured":"Jonathan Corbet . 2018. BPF comes to firewalls. https:\/\/lwn.net\/Articles\/747551\/ [Online ; last-retrieved 29- March - 2019 ]. Jonathan Corbet. 2018. BPF comes to firewalls. https:\/\/lwn.net\/Articles\/747551\/ [Online; last-retrieved 29-March-2019]."},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCCN.2017.8038399"},{"key":"e_1_2_1_14_1","unstructured":"DPDK. 2018. Pktgen Traffic Generator Using DPDK. http:\/\/dpdk.org\/git\/apps\/pktgen-dpdk  DPDK. 2018. Pktgen Traffic Generator Using DPDK. http:\/\/dpdk.org\/git\/apps\/pktgen-dpdk"},{"key":"e_1_2_1_15_1","volume-title":"bounded loop support work in progress. https:\/\/lwn.net\/Articles\/756284\/ [Online","author":"Fastabend John","year":"2019","unstructured":"John Fastabend . 2018. Bpf , bounded loop support work in progress. https:\/\/lwn.net\/Articles\/756284\/ [Online ; last-retrieved 29- March - 2019 ]. John Fastabend. 2018. Bpf, bounded loop support work in progress. https:\/\/lwn.net\/Articles\/756284\/ [Online; last-retrieved 29-March-2019]."},{"key":"e_1_2_1_16_1","unstructured":"Matt Fleming. 2017. A thorough introduction to eBPF. https:\/\/lwn.net\/Articles\/740157\/  Matt Fleming. 2017. A thorough introduction to eBPF. https:\/\/lwn.net\/Articles\/740157\/"},{"key":"e_1_2_1_17_1","volume-title":"Why is the kernel community replacing iptables with BPF? https:\/\/cilium.io\/blog\/2018\/04\/17\/why-is-the-kernel-community-replacing-iptables [Online","author":"Graf T.","year":"2018","unstructured":"T. Graf . 2018. Why is the kernel community replacing iptables with BPF? https:\/\/cilium.io\/blog\/2018\/04\/17\/why-is-the-kernel-community-replacing-iptables [Online ; last-retrieved 30- June - 2018 ]. T. Graf. 2018. Why is the kernel community replacing iptables with BPF? https:\/\/cilium.io\/blog\/2018\/04\/17\/why-is-the-kernel-community-replacing-iptables [Online; last-retrieved 30-June-2018]."},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/3281411.3281443"},{"key":"e_1_2_1_19_1","volume-title":"https:\/\/www.docker.com\/ [Online","author":"Docker Inc. 2018. Docker.","year":"2018","unstructured":"Docker Inc. 2018. Docker. https:\/\/www.docker.com\/ [Online ; last-retrieved 30- June - 2018 ]. Docker Inc. 2018. Docker. https:\/\/www.docker.com\/ [Online; last-retrieved 30-June-2018]."},{"key":"e_1_2_1_20_1","volume-title":"Kubernetes: Production-Grade Container Orchestration. https:\/\/kubernetes.io\/ [Online","author":"Facebook Inc.","year":"2018","unstructured":"Facebook Inc. 2018 . Kubernetes: Production-Grade Container Orchestration. https:\/\/kubernetes.io\/ [Online ; last-retrieved 30-June-2018]. Facebook Inc. 2018. Kubernetes: Production-Grade Container Orchestration. https:\/\/kubernetes.io\/ [Online; last-retrieved 30-June-2018]."},{"key":"e_1_2_1_21_1","volume-title":"Intel\u00ae Data Direct I\/O Technology. https:\/\/www.intel.it\/content\/www\/it\/it\/io\/data-direct-i-o-technology.html [Online","year":"2018","unstructured":"Intel(R). 2018. Intel\u00ae Data Direct I\/O Technology. https:\/\/www.intel.it\/content\/www\/it\/it\/io\/data-direct-i-o-technology.html [Online ; last-retrieved 09- November - 2018 ]. Intel(R). 2018. Intel\u00ae Data Direct I\/O Technology. https:\/\/www.intel.it\/content\/www\/it\/it\/io\/data-direct-i-o-technology.html [Online; last-retrieved 09-November-2018]."},{"key":"e_1_2_1_22_1","unstructured":"J\u00f3zsef Kadlecsik and Gy\u00f6rgy P\u00e1sztor. 2004. Netfilter performance testing. (2004).  J\u00f3zsef Kadlecsik and Gy\u00f6rgy P\u00e1sztor. 2004. Netfilter performance testing. (2004)."},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/285243.285283"},{"key":"e_1_2_1_24_1","volume-title":"Using de Bruijn sequences to index a 1 in a computer word. Available on the Internet from http:\/\/supertech.csail.mit.edu\/papers.html 3","author":"Leiserson Charles E","year":"1998","unstructured":"Charles E Leiserson , Harald Prokop , and Keith H Randall . 1998. Using de Bruijn sequences to index a 1 in a computer word. Available on the Internet from http:\/\/supertech.csail.mit.edu\/papers.html 3 ( 1998 ), 5. Charles E Leiserson, Harald Prokop, and Keith H Randall. 1998. Using de Bruijn sequences to index a 1 in a computer word. Available on the Internet from http:\/\/supertech.csail.mit.edu\/papers.html 3 (1998), 5."},{"key":"e_1_2_1_25_1","unstructured":"Sebastiano Miano. 2018. Custom Pktgen-DPDK version. https:\/\/github.com\/sebymiano\/pktgen-dpdk  Sebastiano Miano. 2018. Custom Pktgen-DPDK version. https:\/\/github.com\/sebymiano\/pktgen-dpdk"},{"key":"e_1_2_1_26_1","unstructured":"Sebastiano Miano. 2019. eBPF Iptables with Netfilter conntrack. https:\/\/github.com\/sebymiano\/polycube\/tree\/iptables_linux_conntrack  Sebastiano Miano. 2019. eBPF Iptables with Netfilter conntrack. https:\/\/github.com\/sebymiano\/polycube\/tree\/iptables_linux_conntrack"},{"key":"e_1_2_1_27_1","doi-asserted-by":"crossref","unstructured":"S. Miano M. Bertrone F. Risso M. V\u00e1squez Bernal and M. Tumolo. 2018. Creating Complex Network Service with eBPF: Experience and Lessons Learned. In High Performance Switching and Routing (HPSR). IEEE.  S. Miano M. Bertrone F. Risso M. V\u00e1squez Bernal and M. Tumolo. 2018. Creating Complex Network Service with eBPF: Experience and Lessons Learned. In High Performance Switching and Routing (HPSR). IEEE.","DOI":"10.1109\/HPSR.2018.8850758"},{"key":"e_1_2_1_28_1","unstructured":"Thomas Heinz Michael Bellion. 2002. NF-HIPAC: High Performance Packet Classification for Netfilter. https:\/\/lwn.net\/Articles\/10951\/  Thomas Heinz Michael Bellion. 2002. NF-HIPAC: High Performance Packet Classification for Netfilter. https:\/\/lwn.net\/Articles\/10951\/"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/INFCOM.2009.5061972"},{"key":"e_1_2_1_30_1","volume-title":"The netfilter.org project. https:\/\/netfilter.org\/ [Online","author":"Russell P.","year":"2018","unstructured":"P. Russell . 1998. The netfilter.org project. https:\/\/netfilter.org\/ [Online ; last-retrieved 30- June - 2018 ]. P. Russell. 1998. The netfilter.org project. https:\/\/netfilter.org\/ [Online; last-retrieved 30-June-2018]."},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/863955.863980"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/316194.316216"},{"key":"e_1_2_1_33_1","volume-title":"Fast and scalable layer four switching","author":"Srinivasan Venkatachary","unstructured":"Venkatachary Srinivasan , George Varghese , Subhash Suri , and Marcel Waldvogel . 1998. Fast and scalable layer four switching . Vol. 28 . ACM. Venkatachary Srinivasan, George Varghese, Subhash Suri, and Marcel Waldvogel. 1998. Fast and scalable layer four switching. Vol. 28. ACM."},{"key":"e_1_2_1_34_1","unstructured":"Alexei Starovoitov. 2014. net: filter: rework\/optimize internal BPF interpreter's instruction set. In Linux Kernel commit bd4cf0ed331a.  Alexei Starovoitov. 2014. net: filter: rework\/optimize internal BPF interpreter's instruction set. In Linux Kernel commit bd4cf0ed331a."},{"key":"e_1_2_1_35_1","volume-title":"bpf: improve verifier scalability. https:\/\/patchwork.ozlabs.org\/cover\/1073775\/ [Online","author":"Starovoitov Alexei","year":"2019","unstructured":"Alexei Starovoitov . 2019. bpf: improve verifier scalability. https:\/\/patchwork.ozlabs.org\/cover\/1073775\/ [Online ; last-retrieved 02- April - 2019 ]. Alexei Starovoitov. 2019. bpf: improve verifier scalability. https:\/\/patchwork.ozlabs.org\/cover\/1073775\/ [Online; last-retrieved 02-April-2019]."},{"key":"e_1_2_1_36_1","volume-title":"add connection tracking helper functions. https:\/\/lists.linuxfoundation.org\/pipermail\/iovisor-dev\/2017-September\/001023.html [Online","author":"William Tu.","year":"2019","unstructured":"William Tu. 2017. [iovisor-dev] [PATCH RFC] bpf : add connection tracking helper functions. https:\/\/lists.linuxfoundation.org\/pipermail\/iovisor-dev\/2017-September\/001023.html [Online ; last-retrieved 30- March - 2019 ]. William Tu. 2017. [iovisor-dev] [PATCH RFC] bpf: add connection tracking helper functions. https:\/\/lists.linuxfoundation.org\/pipermail\/iovisor-dev\/2017-September\/001023.html [Online; last-retrieved 30-March-2019]."},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/1851275.1851208"},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/1851275.1851208"},{"key":"e_1_2_1_39_1","volume-title":"XDP and Bpfilter...What are These Things and What do They Mean for the Enterprise? https:\/\/goo.gl\/GHaJTz [Online","author":"Viljoen Nic","year":"2018","unstructured":"Nic Viljoen . 2018. BPF , eBPF , XDP and Bpfilter...What are These Things and What do They Mean for the Enterprise? https:\/\/goo.gl\/GHaJTz [Online ; last-retrieved 15- November - 2018 ]. Nic Viljoen. 2018. BPF, eBPF, XDP and Bpfilter...What are These Things and What do They Mean for the Enterprise? https:\/\/goo.gl\/GHaJTz [Online; last-retrieved 15-November-2018]."},{"key":"e_1_2_1_40_1","volume-title":"An Introduction to Uncomplicated Firewall (UFW). https:\/\/www.linux.com\/learn\/introduction-uncomplicated-firewall-ufw [Online","author":"Wallen J.","year":"2018","unstructured":"J. Wallen . 2015. An Introduction to Uncomplicated Firewall (UFW). https:\/\/www.linux.com\/learn\/introduction-uncomplicated-firewall-ufw [Online ; last-retrieved 30- June - 2018 ]. J. Wallen. 2015. An Introduction to Uncomplicated Firewall (UFW). https:\/\/www.linux.com\/learn\/introduction-uncomplicated-firewall-ufw [Online; last-retrieved 30-June-2018]."}],"container-title":["ACM SIGCOMM Computer Communication Review"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3371927.3371929","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3371927.3371929","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T23:44:19Z","timestamp":1750203859000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3371927.3371929"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,11,8]]},"references-count":40,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2019,11,8]]}},"alternative-id":["10.1145\/3371927.3371929"],"URL":"https:\/\/doi.org\/10.1145\/3371927.3371929","relation":{},"ISSN":["0146-4833"],"issn-type":[{"value":"0146-4833","type":"print"}],"subject":[],"published":{"date-parts":[[2019,11,8]]},"assertion":[{"value":"2019-11-08","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}