We Put an L7 Firewall in the Kernel for Nanosecond Decisions
We Put an L7 Firewall in the Kernel

We built a Layer 7 firewall that runs directly in the Linux kernel using eBPF, allowing policies written in JavaScript to execute in nanoseconds. By moving decision-making from userspace proxies to the NIC driver, we eliminate costly data copying and context switches. This approach enables blocking malicious traffic like specific User-Agents before it ever touches the network stack, offering massive performance gains without requiring rebuilds or restarts.
"It's the cheapest drop Linux has: the kernel spends nothing on traffic we were going to reject anyway."