Packet Filtering & Network Queuing at Line Rate
Deep-dive resources, practical guides, and expert knowledge for Linux-based packet filtering, network queuing, and high-throughput network programming.
What We Cover
From kernel internals to production-grade network stacks
Packet Filtering
In-depth coverage of BPF, eBPF, iptables, nftables, and XDP for high-performance packet classification and filtering.
Network Queuing
Understand Linux Traffic Control (tc), queueing disciplines (qdiscs), and how to shape traffic at multi-gigabit speeds.
Kernel Networking
Explore the Linux networking stack, NAPI, RSS, RPS, and kernel bypass techniques like DPDK and AF_XDP.
Tools & Utilities
Practical guides for tcpdump, Wireshark, iproute2, ethtool, perf, and specialized packet capture tools.
Understanding Packet Filtering & Queuing in Linux
Linux has one of the most sophisticated networking stacks in the world. At its core, packet filtering is the mechanism by which the kernel decides what to do with each incoming or outgoing network packet — accept it, drop it, redirect it, or modify it. Technologies like iptables and the newer nftables sit in the netfilter layer of the kernel, providing stateful and stateless packet inspection. More recently, eBPF (extended Berkeley Packet Filter) has revolutionized the space by allowing safe, sandboxed programs to run directly in the kernel at near-hardware speeds, enabling use cases from DDoS mitigation to application-aware load balancing.
Network queuing, managed by Linux's Traffic Control (tc) subsystem, governs how packets are scheduled, shaped, and prioritized before they leave or after they enter a network interface. Queueing disciplines (qdiscs) like fq_codel, HTB (Hierarchical Token Bucket), and CAKE allow operators to implement sophisticated Quality of Service (QoS) policies. Whether you're running a datacenter, an ISP, or an embedded router, understanding qdiscs is essential for managing latency and throughput under load. The combination of tc with BPF classifiers brings unprecedented programmability to traffic shaping pipelines.
For workloads demanding the absolute highest throughput — think 100Gbps+ packet processing — kernel bypass frameworks like DPDK (Data Plane Development Kit) and the kernel-native AF_XDP socket interface allow user-space applications to send and receive packets without the overhead of the traditional kernel network stack. AF_XDP in particular integrates tightly with XDP (eXpress Data Path) programs written in eBPF, giving developers a zero-copy, low-latency path from NIC hardware directly to user space. These technologies power modern firewalls, intrusion detection systems, 5G core networks, and cloud-native load balancers.
Profiling and observing network performance is equally critical. Tools like perf, bpftrace, ss, and netstat provide visibility into queue depths, socket buffers, interrupt coalescing, and CPU affinity. Tuning parameters such as net.core.rmem_max, net.ipv4.tcp_rmem, RSS (Receive Side Scaling), and IRQ affinity can dramatically improve throughput and reduce jitter on multi-core systems. Mastering these parameters separates a well-tuned production network from one that struggles under load.
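The tuning knobs named above (socket buffer ceilings, RSS queue count, IRQ affinity) are easiest to understand as a script. The following is an added example, not code from this site: it prints the sysctl and ethtool commands for a host and computes the hex bitmasks that /proc/irq/N/smp_affinity expects. The interface name eth0, the IRQ numbers 24-27, the buffer size and the CPU count are constructed placeholders; the sysctl keys and ethtool options are the standard Linux ones.

```bash
#!/usr/bin/env bash
# Added example (not from the site): socket buffer sysctls, RSS queue
# count and IRQ pinning on a multi-core host. Interface name, IRQ numbers
# and buffer sizes are constructed placeholders.
set -eu

# Print sysctl -w lines raising the socket buffer ceilings so that
# net.ipv4.tcp_rmem/tcp_wmem autotuning (min default max) can actually
# grow a high bandwidth-delay-product connection up to MAX bytes.
buffer_sysctls() {
  local max="$1"
  echo "sysctl -w net.core.rmem_max=$max"
  echo "sysctl -w net.core.wmem_max=$max"
  echo "sysctl -w net.ipv4.tcp_rmem=\"4096 131072 $max\""
  echo "sysctl -w net.ipv4.tcp_wmem=\"4096 16384 $max\""
}

# RSS: show the current channel counts, then set N combined queues so the
# NIC hashes flows across N receive queues (each with its own IRQ), and
# list those IRQs so they can be pinned.
rss_commands() {
  local ifc="$1" n="$2"
  echo "ethtool -l $ifc"
  echo "ethtool -L $ifc combined $n"
  echo "grep $ifc /proc/interrupts"
}

# Hex bitmask for /proc/irq/<n>/smp_affinity that pins an IRQ to one CPU.
# The kernel writes and reads masks as comma-separated 32-bit words, most
# significant word first, lower words zero-padded to 8 hex digits.
cpu_affinity_mask() {
  local cpu="$1"
  local word=$((cpu / 32)) bit=$((cpu % 32)) mask i=0
  mask=$(printf '%x' $((1 << bit)))
  while [ "$i" -lt "$word" ]; do
    mask="$mask,00000000"
    i=$((i + 1))
  done
  echo "$mask"
}

# Assign IRQs round-robin over CPUs 0..NCPU-1. Prints "irq cpu mask" lines.
pin_plan() {
  local irqs="$1" ncpu="$2" i=0 irq cpu
  for irq in $irqs; do
    cpu=$((i % ncpu))
    echo "$irq $cpu $(cpu_affinity_mask "$cpu")"
    i=$((i + 1))
  done
}

# Emit the shell lines that apply a plan. irqbalance rewrites affinity
# periodically, so stop it or ban these IRQs (irqbalance --banirq) first.
pin_commands() {
  pin_plan "$1" "$2" | while read -r irq cpu mask; do
    echo "echo $mask > /proc/irq/$irq/smp_affinity   # cpu $cpu"
  done
}

# Constructed example: 16 MiB buffers, 4 receive queues spread over 2 cores
buffer_sysctls 16777216
rss_commands eth0 4
pin_commands "24 25 26 27" 2
```

Run it as root through `bash script.sh | bash -e` once the printed commands have been reviewed; keeping the queue IRQs on the cores that run the receiving application (and the RSS queue count at or below the core count) is what actually reduces cross-core cache traffic and jitter.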
Why Master Linux Networking?
Skills that power modern infrastructure at every scale
Industry Demand
Network engineers with eBPF and DPDK expertise are among the highest-paid in cloud, telecom, and cybersecurity sectors.
Security Foundation
Packet filtering is the bedrock of firewalls, IDS/IPS systems, and DDoS mitigation — critical for every organization.
Performance at Scale
Understanding queueing disciplines and kernel bypass lets you design systems that handle millions of packets per second.
Cloud-Native Relevance
Kubernetes CNI plugins, service meshes, and cloud load balancers all rely on Linux networking primitives under the hood.
Open Source Ecosystem
Contribute to or leverage projects like Cilium, Suricata, VPP, and Open vSwitch — all built on these fundamentals.
Deep Transferable Knowledge
Networking concepts learned at the Linux kernel level transfer directly to understanding any modern OS or network stack.
Frequently Asked Questions
Common questions about packet filtering and Linux networking
What is the difference between iptables and nftables?
iptables is the legacy Linux packet filtering framework using separate tables for IPv4, IPv6, ARP, and bridging. nftables is its modern replacement, introduced in kernel 3.13, offering a unified framework with a more expressive rule language, better performance through atomic rule updates, and a single tool for all protocol families. New deployments should prefer nftables, though iptables compatibility layers exist for legacy tools.
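To make the two differences concrete (one table for both IP families, and atomic replacement of the whole ruleset), here is an added example that is not part of this site: a small stateful host firewall written once as an nftables ruleset and once as the equivalent legacy iptables/ip6tables commands. The management network 10.0.0.0/24 and the open ports are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the site): the same stateful host policy
# expressed once in nftables versus twice in legacy iptables.
# Address ranges and ports are constructed placeholders.
set -eu

# Print an nftables ruleset. One "inet" table covers IPv4 and IPv6, and the
# leading "flush ruleset" inside the same file makes the load atomic: either
# the whole new ruleset replaces the old one, or nothing changes.
gen_nft_ruleset() {
  cat <<'EOF'
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    # keep ICMP/ICMPv6 so path MTU discovery and NDP work
    meta l4proto { icmp, ipv6-icmp } accept
    # SSH only from the management network (constructed range, IPv4 only)
    tcp dport 22 ip saddr 10.0.0.0/24 accept
    tcp dport { 80, 443 } accept
    counter drop
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# The legacy equivalent needs separate iptables and ip6tables invocations,
# applied one rule at a time, so a half-applied ruleset is possible if a
# later command fails.
gen_iptables_legacy() {
  local tool
  for tool in iptables ip6tables; do
    echo "$tool -P INPUT DROP"
    echo "$tool -P FORWARD DROP"
    echo "$tool -A INPUT -i lo -j ACCEPT"
    echo "$tool -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$tool -A INPUT -m conntrack --ctstate INVALID -j DROP"
    echo "$tool -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT"
  done
  # the family-specific rules differ between the two tools
  echo "iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j ACCEPT"
  echo "iptables -A INPUT -p icmp -j ACCEPT"
  echo "ip6tables -A INPUT -p icmpv6 -j ACCEPT"
}

# Syntax-check the ruleset without installing it (nft -c), then load it.
# Needs nft and root; returns non-zero if nft is missing or the check fails.
apply_nft_ruleset() {
  command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 1; }
  gen_nft_ruleset | nft -c -f - || return 1
  gen_nft_ruleset | nft -f -
}

case "${1:-print}" in
  apply)  apply_nft_ruleset ;;
  legacy) gen_iptables_legacy ;;
  *)      gen_nft_ruleset ;;
esac
```

`nft -c -f -` is the check a practitioner wants before every deploy: it parses and validates the whole file without touching the live ruleset, and because the flush and the new rules are loaded in one transaction there is no window where the host is unprotected or half-configured. Verify the result afterwards with `nft list ruleset`.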
What is eBPF and why is it important for networking?
eBPF (extended Berkeley Packet Filter) is a technology that allows sandboxed programs to run in the Linux kernel without changing kernel source code or loading kernel modules. In networking, eBPF programs can be attached to XDP hooks (before the kernel allocates a socket buffer for the packet), tc hooks, and socket hooks to perform packet filtering, load balancing, telemetry collection, and protocol parsing at wire speed — making it the foundation of modern observability and security tools.
What is XDP and how does it differ from DPDK?
XDP (eXpress Data Path) is a kernel-integrated framework that runs eBPF programs at the earliest point in the network receive path — often in the NIC driver itself — without allocating full socket buffers. DPDK (Data Plane Development Kit) is a user-space framework that bypasses the kernel entirely by mapping NIC memory directly into user space. XDP's latency gains are smaller than DPDK's, but it keeps kernel integration and the verifier's safety guarantees; DPDK achieves maximum throughput but requires dedicated CPU cores and application redesign.
How do Linux queueing disciplines (qdiscs) work?
When a packet is ready to leave a network interface, it passes through a queueing discipline (qdisc) attached to that interface. The qdisc determines the order packets are dequeued and transmitted, enabling traffic shaping, policing, and scheduling. Simple qdiscs like pfifo are pure FIFO queues; advanced ones like HTB enable hierarchical bandwidth allocation, while fq_codel uses fair queuing and CoDel AQM to minimize bufferbloat. Qdiscs can be chained into trees for complex QoS policies.
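The tree described above (a classful HTB root with fq_codel leaves and filters that steer traffic into classes) looks like this in practice. This is an added example and not code from this site: it prints the iproute2 `tc` commands for a shaping tree and can apply them or show the resulting counters. The interface eth0, the 100 mbit link rate, the 30/70 split and the ports steered into the priority class are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the site): build an HTB class tree with fq_codel
# leaves on an egress interface. Interface name, link rate and the ports
# steered into the priority class are constructed placeholders.
set -eu

# Split a link rate (in mbit) into guaranteed rates for the two classes:
# 30% for the interactive class, the remainder for bulk. Prints "prio bulk".
class_rates() {
  local rate_mbit="$1"
  local prio=$((rate_mbit * 3 / 10))
  echo "$prio $((rate_mbit - prio))"
}

# Print the tc commands for IFACE with a total ceiling of RATE_MBIT.
# The leading delete makes the script rerunnable: the tree is rebuilt
# from scratch instead of failing on an existing root qdisc.
shape_commands() {
  local ifc="$1" rate_mbit="$2"
  local prio bulk
  read -r prio bulk <<<"$(class_rates "$rate_mbit")"
  echo "tc qdisc del dev $ifc root 2>/dev/null || true"
  # root HTB; unclassified traffic falls into class 1:20 (default 20)
  echo "tc qdisc add dev $ifc root handle 1: htb default 20"
  echo "tc class add dev $ifc parent 1: classid 1:1 htb rate ${rate_mbit}mbit ceil ${rate_mbit}mbit"
  # children get a guaranteed rate and may borrow up to the link ceiling
  echo "tc class add dev $ifc parent 1:1 classid 1:10 htb rate ${prio}mbit ceil ${rate_mbit}mbit prio 0"
  echo "tc class add dev $ifc parent 1:1 classid 1:20 htb rate ${bulk}mbit ceil ${rate_mbit}mbit prio 1"
  # fq_codel leaves: per-flow fairness plus CoDel AQM so queues stay short
  echo "tc qdisc add dev $ifc parent 1:10 handle 10: fq_codel"
  echo "tc qdisc add dev $ifc parent 1:20 handle 20: fq_codel"
  # u32 filters steer SSH and DNS into the priority class by destination port
  echo "tc filter add dev $ifc parent 1: protocol ip prio 1 u32 match ip dport 22 0xffff flowid 1:10"
  echo "tc filter add dev $ifc parent 1: protocol ip prio 1 u32 match ip dport 53 0xffff flowid 1:10"
}

# Execute the generated commands (needs iproute2 and root).
apply_shaping() {
  command -v tc >/dev/null 2>&1 || { echo "tc (iproute2) not installed" >&2; return 1; }
  shape_commands "$1" "$2" | bash -e
}

# Per-qdisc and per-class counters: "overlimits" on a class shows HTB
# holding it to its rate, "drops" on an fq_codel leaf shows CoDel acting.
show_shaping() {
  tc -s qdisc show dev "$1"
  tc -s class show dev "$1"
}

case "${1:-print}" in
  apply) apply_shaping "${2:-eth0}" "${3:-100}" ;;
  stats) show_shaping "${2:-eth0}" ;;
  *)     shape_commands "${2:-eth0}" "${3:-100}" ;;
esac
```

Two design points worth noticing: the children's guaranteed rates sum to the parent's rate (HTB cannot honour guarantees that exceed the parent), and the ceilings equal the link rate so either class can borrow idle capacity from the other. Set the root `rate` slightly below the physical link speed so the queue forms in this qdisc, where fq_codel can manage it, rather than in the NIC or upstream modem.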
How do I start learning Linux packet filtering and networking?
Begin with the fundamentals: understand the OSI model, then study the Linux network stack flow (NIC → driver → netdev → netfilter → sockets). Practice with tcpdump and Wireshark to observe real traffic. Learn nftables for firewall rules, then explore tc for traffic shaping. Once comfortable, dive into eBPF with the BCC toolkit or libbpf. Resources include the Linux kernel documentation, the Linux Networking Cookbook, and the eBPF.io learning portal.