rust-xdp-firewall
High-performance eBPF XDP firewall written in pure Rust using Aya. Processes packets at NIC level before they reach the kernel network stack.
A high-performance packet filtering firewall leveraging eBPF XDP (eXpress Data Path) for NIC-level packet processing.
Features
- Wire-speed filtering: Processes packets before they reach the kernel network stack
- Pure Rust: Both userspace and eBPF components written in Rust using Aya
- Dynamic rules: Update filtering rules at runtime without reloading
- Minimal overhead: <0.1% CPU overhead under typical workloads
Technical Highlights
- Uses
ayafor eBPF program loading and map management - Implements efficient LPM (Longest Prefix Match) for IP filtering
- Supports IPv4/IPv6, TCP/UDP port filtering
- Integrates with
nftablesfor complex rule chains
Why XDP?
Traditional firewalls (iptables, nftables) process packets after they’ve been parsed by the kernel. XDP hooks into the network driver, allowing packet decisions before memory allocation — resulting in significant performance gains for high-throughput scenarios.