Grant
Theme fund: NGI0 Commons Fund
Start: 2025-02

Reduced Feature-set Packet Filter

High throughput software firewall

The RFPF project aims to bridge the performance gap between traditional software firewalls (typically choking at 10 Gbit/s line speeds or less) and the already ubiquitous 100 Gbit/s Ethernet. We are developing a user-space software firewall capable of sustaining 100 Mpps processing rates while doing multiple longest prefix matching (LPM) lookups in large datasets (such as BGP or GeoIP) on each packet. The main focus is on locally dampening large-scale packet-flooding attacks, while remaining flexible enough for many general-purpose firewalling scenarios. RFPF uses a multithreaded, lockless user-space datapath and forwards 60+ Mpps while doing multiple LPM lookups per packet under a randomized traffic load, all at a fraction of the maximum CPU frequency. RFPF works on both Linux and FreeBSD and currently relies on Netmap for fast packet I/O in user space. A more efficient DPDK-based datapath variant is on the near-term roadmap, along with improvements to our LPM lookup engine.


This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI).