Userspace netmap-powered JIT-compiled firewall

Project description

The objective of this project is to develop a netmap-powered firewall with JIT compilation and Capsicum support. This makes it possible to change the firewall rules while the firewall is running, and gives userspace a very efficient and secure firewall.

Benchmarking the result is also a very important part of this project.

Approach to solve the problem


The final deliverable will be a JIT-compiled firewall that uses IPFW rules and runs on top of netmap. This allows a variable set of rules that changes the behavior of the firewall dynamically.

Test Plan

The test plan for this project is to first test individual rules, and how each of them works inside the JIT compiler, separately; once that is done, run tests with real sets of rules.
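The following is an added illustration of the approach and test plan described above; it is not the project's code. It models the compile-rules-into-one-function idea with a small constructed IPFW-like grammar (`<action> <proto> from <src> to <dst> [<dport>]`, with `ip` meaning any protocol) and uses Python's `compile()`/`exec` as a stand-in for the LLVM JIT: every rule's constants are baked into the generated function, a new rule set can be compiled and swapped in at runtime, and `check_rule()` shows the first test-plan step (one rule in isolation) before a whole rule set is exercised. The `Packet`, `Firewall` and helper names are assumptions for this example.

```python
# Toy model (added illustration, not the project's code): a rule set in a small
# IPFW-like syntax is translated to Python source and compiled into a single
# match() function, standing in for the project's LLVM JIT.
# Constructed grammar (a subset of ipfw):
#     <action> <proto> from <src> to <dst> [<dport>]
# <proto> is tcp/udp/icmp or "ip" (any); <src>/<dst> are "any" or an IPv4 CIDR.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str            # IPv4 source address
    dst: str            # IPv4 destination address
    dport: int = 0      # destination port (0 when the protocol has none)


def parse_rule(text):
    """Split one rule into (action, proto, src, dst, dport); dport may be None."""
    t = text.split()
    if len(t) < 6 or t[2] != "from" or t[4] != "to":
        raise ValueError(f"malformed rule: {text!r}")
    if t[0] not in ("allow", "deny"):
        raise ValueError(f"unknown action in rule: {text!r}")
    dport = int(t[6]) if len(t) > 6 else None
    return t[0], t[1], t[3], t[5], dport


def generate_source(rules, default):
    """Emit Python source for match(pkt) with every rule's constants baked in."""
    lines = ["def match(pkt):",
             "    s = int(ip_address(pkt.src))",
             "    d = int(ip_address(pkt.dst))"]
    for n, text in enumerate(rules, 1):
        action, proto, src, dst, dport = parse_rule(text)
        conds = []
        if proto not in ("ip", "any"):
            conds.append(f"pkt.proto == {proto!r}")
        for var, spec in (("s", src), ("d", dst)):
            if spec != "any":
                net = ipaddress.ip_network(spec, strict=False)
                lo, hi = int(net.network_address), int(net.broadcast_address)
                conds.append(f"{lo} <= {var} <= {hi}")   # CIDR test as an integer range
        if dport is not None:
            conds.append(f"pkt.dport == {dport}")
        lines.append(f"    if {' and '.join(conds) or 'True'}:")
        lines.append(f"        return ({n}, {action!r})")   # first match wins, as in ipfw
    lines.append(f"    return (0, {default!r})")            # implicit default rule
    return "\n".join(lines)


def compile_ruleset(rules, default="deny"):
    """Compile the rule list into a callable returning (rule_number, action)."""
    namespace = {"ip_address": ipaddress.ip_address}
    exec(compile(generate_source(rules, default), "<ruleset>", "exec"), namespace)
    return namespace["match"]


class Firewall:
    """Holds the currently compiled rule set; reload() swaps it at runtime."""

    def __init__(self, rules, default="deny"):
        self.default = default
        self.reload(rules)

    def reload(self, rules):
        # Compile first, then publish: a bad rule leaves the old set in place.
        self.match = compile_ruleset(rules, self.default)

    def filter(self, pkt):
        return self.match(pkt)


def check_rule(rule, pkt, expected_action):
    """Test-plan step 1: verify a single rule in isolation against one packet."""
    number, action = compile_ruleset([rule], default="deny")(pkt)
    return number == 1 and action == expected_action


if __name__ == "__main__":
    # Constructed rule set standing in for a real one (test-plan step 2).
    fw = Firewall(["allow tcp from 10.0.0.0/8 to any 22",
                   "deny udp from any to 192.0.2.0/24",
                   "allow ip from 192.0.2.0/24 to any"])
    print(fw.filter(Packet("tcp", "10.1.2.3", "192.0.2.1", 22)))   # (1, 'allow')
    fw.reload(["deny ip from any to any"])
    print(fw.filter(Packet("tcp", "10.1.2.3", "192.0.2.1", 22)))   # (1, 'deny')
```

The generated function is the analogue of the JIT output: the rule constants are literals in the code rather than data walked at match time, and replacing the rule set means compiling a new function and publishing it, so a rule set that fails to compile never disturbs the one currently filtering traffic.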

The Code

My code can be found here (svn) and here (github).


For now, I encountered a bug in netmap that prevented the filtration of any more than 1000 packets. I benchmarked that in the worst-case scenario (just one rule), and I got a 7x faster firewall.

The firewall is not complete yet (there are still some rules to implement, but that is easy). Before finishing it, I'll port it to the LLVM C API.

SummerOfCode2014/ConvertingIPFWRulesets (last edited 2014-09-25T08:45:38+0000 by DanielPeyrolon)