Migrating from iptables to eBPF for Ingress Filtering
Published on OCT 1, 2025 by Infrastructure Team
The Linux kernel's networking stack is incredibly versatile, but it wasn't designed to handle the line-rate packet drops required during a massive DDoS attack. As our edge network scaled, we hit a wall with iptables performance.
eBPF represents a paradigm shift. By injecting sandboxed programs directly into the Linux kernel, we can manipulate network traffic before it ever hits the standard networking stack. In this article, we explore our journey of migrating from iptables to eBPF for our edge ingress layer.
The Shift to Kernel Space
By pushing filtering rules into the eBPF layer, a packet that is going to be dropped is discarded before the kernel ever allocates a socket buffer (sk_buff) for it, so rejected traffic costs almost nothing.
This allows our mitigation engines to run at wire speed, ensuring legitimate traffic isn't delayed by CPU bottlenecks.
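As an added example (not from the original post or our team's code), here is the core of an XDP-style ingress filter in C: it parses the Ethernet and IPv4 headers with the explicit bounds checks the eBPF verifier demands and returns XDP_DROP for sources on a denylist, XDP_PASS otherwise. The denylist array and the frame builder are constructed stand-ins for the BPF hash map and real driver frames, so the function can be compiled and exercised in user space; in the kernel the same body sits in an SEC("xdp") function that receives struct xdp_md.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Verdict values as defined by the kernel's enum xdp_action. */
enum { XDP_ABORTED = 0, XDP_DROP = 1, XDP_PASS = 2 };
#define ETH_P_IP 0x0800
#define ETH_HLEN 14
#define IP_HLEN  20

struct eth_min { uint8_t dst[6], src[6]; uint16_t proto; } __attribute__((packed));
struct ip_min  { uint8_t ver_ihl, tos; uint16_t tot_len, id, frag_off; uint8_t ttl, proto;
                 uint16_t check; uint32_t saddr, daddr; } __attribute__((packed));

/* Constructed denylist of source addresses (host byte order). In a deployed
 * filter this would be a BPF hash map populated from user space. */
static const uint32_t denylist[] = { 0x0a000001u /* 10.0.0.1 */, 0xc0a80164u /* 192.168.1.100 */ };

/* Verdict for one frame in [data, data_end). Each header access is preceded
 * by a bounds check against data_end, as the eBPF verifier requires in-kernel;
 * in the real program this body lives in an SEC("xdp") function fed by xdp_md. */
int ingress_verdict(const uint8_t *data, const uint8_t *data_end)
{
    const struct eth_min *eth = (const struct eth_min *)data;
    if ((const uint8_t *)(eth + 1) > data_end)
        return XDP_PASS;                        /* runt frame: leave it to the stack */
    if (ntohs(eth->proto) != ETH_P_IP)
        return XDP_PASS;                        /* only IPv4 is filtered here */
    const struct ip_min *ip = (const struct ip_min *)(eth + 1);
    if ((const uint8_t *)(ip + 1) > data_end)
        return XDP_PASS;                        /* truncated IP header */
    uint32_t saddr = ntohl(ip->saddr);
    for (size_t i = 0; i < sizeof denylist / sizeof denylist[0]; i++)
        if (saddr == denylist[i])
            return XDP_DROP;                    /* dropped before any sk_buff exists */
    return XDP_PASS;
}

/* Build a constructed Ethernet+IPv4 frame from src_ip, truncated to len bytes,
 * and return the verdict; used to exercise the filter in user space. */
int verdict_for(uint32_t src_ip, size_t len)
{
    uint8_t buf[ETH_HLEN + IP_HLEN] = {0};
    buf[12] = 0x08; buf[13] = 0x00;             /* EtherType IPv4 */
    buf[14] = 0x45;                             /* version 4, IHL 5 */
    uint32_t s = htonl(src_ip);
    memcpy(buf + ETH_HLEN + 12, &s, sizeof s);  /* saddr at IP header offset 12 */
    if (len > sizeof buf) len = sizeof buf;
    return ingress_verdict(buf, buf + len);
}
```

The truncated-frame paths return XDP_PASS rather than XDP_DROP so that a malformed or short frame is handed to the regular stack for its usual handling instead of being silently swallowed by the filter.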
Conclusion
eBPF has completely transformed our edge architecture. We are now exploring ways to use it for L7 inspection at our global PoPs.