Pcn-iptables is an alternative to Linux iptables built on eBPF. It emulates the semantics of iptables and is compatible with the iptables command line, but it uses a more efficient matching algorithm and can run its data path at the XDP hook, so its performance is far better than that of iptables, especially when a user has a large number of firewall rules. All of this works on a standard Linux kernel without a custom build, and adding customized firewall features is easier with pcn-iptables than with iptables.
Pcn-iptables consists of 3 parts:
1. Pcn-iptables-library: a library that interprets the iptables command line and converts it into pcn-iptables semantics. Because pcn-iptables accepts the same command line as iptables, configuring the firewall is transparent to an iptables user.
2. Pcn-iptables-service: a process that emulates iptables in managing the INPUT/FORWARD/OUTPUT chains and their rule sets, builds the packet-processing pipeline that implements the pcn-iptables matching algorithm, and manages the chain of eBPF programs in that pipeline.
3. Pcn-iptables-eBPF: the chain of eBPF programs in the kernel that implements the pcn-iptables rule-matching algorithm and decides whether each packet is passed or dropped. Pcn-iptables-eBPF is the data path of pcn-iptables, as Netfilter is for iptables.
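The parts above describe a rule-matching algorithm whose cost does not grow with the number of rules the way a linear iptables scan does. The page does not name the algorithm, so the following is an added illustration, not pcn-iptables's or Polycube's code: a per-field bit-vector search, one standard way to get that property while keeping iptables' first-match semantics (each header field is looked up independently, the per-field rule masks are ANDed, and the lowest set bit is the first matching rule). The rule set, packet tuples, and the `Rule`/`BitVectorChain` names are constructed for the example; a linear scan is kept alongside as the reference the bit-vector answer must equal.

```python
"""Bit-vector first-match classifier: an added illustration, not pcn-iptables code.
The page does not name pcn-iptables's algorithm; this per-field bit-vector search is
one standard way to make lookup cost grow with header fields, not rule count, while
keeping iptables' first-match semantics. Rules and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None = any protocol
    dport: Optional[int] = None   # None = any destination port
    target: str = "ACCEPT"        # ACCEPT or DROP


class BitVectorChain:  # bit i of every mask means "rule i matches this field value"
    def __init__(self, rules, policy="DROP"):
        self.rules, self.policy = list(rules), policy
        self.src_tbl = self._prefix_table(lambda r: r.src)
        self.dst_tbl = self._prefix_table(lambda r: r.dst)
        self.proto_tbl, self.proto_wild = self._exact_table(lambda r: r.proto)
        self.dport_tbl, self.dport_wild = self._exact_table(lambda r: r.dport)

    def _prefix_table(self, get):
        tbl = {}
        for i, r in enumerate(self.rules):
            net = ip_network(get(r), strict=False)
            tbl[net] = tbl.get(net, 0) | (1 << i)
        return tbl

    def _exact_table(self, get):
        tbl, wild = {}, 0
        for i, r in enumerate(self.rules):
            v = get(r)
            if v is None:
                wild |= 1 << i                 # rule leaves this field unconstrained
            else:
                tbl[v] = tbl.get(v, 0) | (1 << i)
        return tbl, wild

    @staticmethod
    def _prefix_lookup(tbl, addr):
        # Union of the masks of every prefix containing addr. A real data path
        # would keep these masks in an LPM trie; scanning distinct prefixes shows the idea.
        a = ip_address(addr)
        mask = 0
        for net, bits in tbl.items():
            if a in net:
                mask |= bits
        return mask

    def classify(self, src, dst, proto, dport):
        """Return (target, rule index) of the first matching rule, else (policy, None)."""
        m = self._prefix_lookup(self.src_tbl, src)
        m &= self._prefix_lookup(self.dst_tbl, dst)
        m &= self.proto_tbl.get(proto, 0) | self.proto_wild
        m &= self.dport_tbl.get(dport, 0) | self.dport_wild
        if m == 0:
            return self.policy, None
        first = (m & -m).bit_length() - 1     # lowest set bit = earliest rule
        return self.rules[first].target, first


def linear_classify(rules, policy, src, dst, proto, dport):
    """Plain iptables-style scan, the reference the bit-vector result must equal."""
    for i, r in enumerate(rules):
        if (ip_address(src) in ip_network(r.src, strict=False)
                and ip_address(dst) in ip_network(r.dst, strict=False)
                and r.proto in (None, proto) and r.dport in (None, dport)):
            return r.target, i
    return policy, None


RULES = [  # constructed; order matters, as in iptables
    Rule(src="10.0.0.0/8", proto="tcp", dport=22, target="ACCEPT"),       # 0
    Rule(proto="tcp", dport=22, target="DROP"),                           # 1
    Rule(src="192.168.1.0/24", target="ACCEPT"),                          # 2
    Rule(dst="192.168.1.10/32", proto="udp", dport=53, target="ACCEPT"),  # 3
    Rule(proto="icmp", target="DROP"),                                    # 4
]
CHAIN = BitVectorChain(RULES, policy="DROP")
PACKETS = [  # constructed (src, dst, proto, dport); ICMP carries no port
    ("10.1.2.3", "192.168.1.10", "tcp", 22),      # rule 0 ACCEPT
    ("172.16.0.5", "192.168.1.10", "tcp", 22),    # rule 1 DROP
    ("192.168.1.7", "8.8.8.8", "tcp", 22),        # rule 1 DROP wins over rule 2
    ("192.168.1.7", "8.8.8.8", "tcp", 443),       # rule 2 ACCEPT
    ("172.16.0.5", "192.168.1.10", "udp", 53),    # rule 3 ACCEPT
    ("172.16.0.5", "192.168.1.10", "icmp", None), # rule 4 DROP
    ("172.16.0.5", "8.8.8.8", "udp", 9999),       # no match: chain policy DROP
]


def classify_all(chain=CHAIN, packets=PACKETS):
    """Classify each packet, checking the bit-vector answer against the linear scan."""
    out = []
    for pkt in packets:
        bv = chain.classify(*pkt)
        assert bv == linear_classify(chain.rules, chain.policy, *pkt), pkt
        out.append(bv)
    return out
```

The third packet is the case worth noticing: rule 2 would accept traffic from 192.168.1.0/24, but rule 1 drops TCP/22 first, and the lowest-set-bit step reproduces that ordering without walking the rule list. With this layout, adding rules widens the masks but does not add lookup steps; the number of lookups stays equal to the number of fields.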
Limitations:
1. The current version supports only a subset of iptables commands; support for more features is on our roadmap.
2. The output format of pcn-iptables differs from that of iptables, so scripts that parse iptables output should not assume the same format.