Session
Scripting Netfilter with Lua: A Cooperative Kernel-Userspace Pipeline
Speakers
Lourival Vieira Neto
Md. Shehar Yaar Tausif
Firas Shaari
Marcel S. A. de Moura
Arif Alam
Label
Moonshot
Session Type
Talk
Description
Secure Web Gateways protect outbound HTTPS traffic, but their deep packet inspection intercepts TLS by terminating each connection through a CA installed on every client, an approach that the commodity hardware of Wi-Fi access points typically cannot sustain. This paper presents a cooperative kernel-userspace pipeline that filters L7 traffic by inspecting DNS queries, HTTP requests, and TLS handshake metadata rather than intercepting the connection. Both halves run in Lua: a userspace agent generates an nftables bridge ruleset that dispatches each new flow to a Netfilter hook for classification; nftables then caches the verdict in a set, so subsequent packets of that flow bypass Lua entirely. The pipeline builds on Lunatik, our Linux kernel-scripting framework presented at Netdev 0x14 and 0x17, and contributes three new bindings: luanetfilter for direct Netfilter hooks, luaskb for socket-buffer access and reply synthesis, and luanftables, a userspace libnftables wrapper. On a Wi-Fi 6 access point under a combined Ethernet and Wi-Fi HTTPS workload, the pipeline sustains 1.4 Gbps, at parity with a plain Linux bridge in throughput and tail latency. The pipeline ships in production as Ring Zero Dome, the in-kernel engine of the NetExperience Secure Wireless Gateway on OpenWiFi access points.
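The abstract describes two cooperating halves: a classification hook that sees only the first packets of a flow and reads handshake metadata (TLS SNI, HTTP Host) without decrypting anything, and an nftables set that caches the per-flow verdict so later packets never reach Lua. The following is an added userspace model of that split, written here for illustration; it is not Lunatik, luanetfilter or Ring Zero Dome code, and the `Pipeline` class, the blocklist, the flow tuples and the packet bytes are all constructed for the example. It models the TLS and HTTP metadata paths only; the DNS path the paper also mentions is left out. The `verdict_set` dictionary stands in for the nftables set, and `hook_calls` counts how often the classifier actually ran, which is the property the cache is meant to minimise.

```python
import struct


def parse_client_hello_sni(data: bytes):
    """Return the server_name from a TLS ClientHello record, or None.

    Only the unencrypted handshake framing is parsed: record header,
    handshake header, then the extension list up to the SNI entry.
    """
    if len(data) < 5 or data[0] != 0x16:                 # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:                  # not a ClientHello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    try:
        pos = 2 + 32                                      # client_version + random
        pos += 1 + hs[pos]                                # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hs[pos]                                # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:                                # server_name extension
                # ServerNameList: list_len(2) name_type(1) name_len(2) host_name
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    except (struct.error, IndexError, UnicodeDecodeError):
        return None                                       # truncated or malformed
    return None


def parse_http_host(data: bytes):
    """Return the Host header of a plaintext HTTP/1.x request, or None."""
    head = data.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if not lines or len(lines[0].split(b" ")) != 3 or b"HTTP/" not in lines[0]:
        return None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0]
    return None


def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS 1.2-style ClientHello carrying one SNI entry."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sn_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sn_list)) + sn_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"            # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"          # one cipher suite
            + b"\x01\x00"                                 # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


class Pipeline:
    """Model of the two halves: a verdict cache (the nft set) and a classification hook."""

    def __init__(self, blocked_domains):
        self.blocked = {d.lower() for d in blocked_domains}
        self.verdict_set = {}     # flow tuple -> "accept"/"drop"; stands in for the nft set
        self.hook_calls = 0       # how many times the classifier actually ran

    def _is_blocked(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in self.blocked)

    def hook(self, payload: bytes) -> str:
        """Classification hook: reads metadata only, never decrypts."""
        self.hook_calls += 1
        host = parse_client_hello_sni(payload) or parse_http_host(payload)
        return "drop" if host and self._is_blocked(host) else "accept"

    def packet(self, flow, payload: bytes) -> str:
        """Per-packet path: a cached verdict wins; only uncached flows reach the hook."""
        verdict = self.verdict_set.get(flow)
        if verdict is not None:
            return verdict
        if not payload:           # SYN/ACK segments carry nothing to classify yet
            return "accept"
        verdict = self.hook(payload)
        self.verdict_set[flow] = verdict
        return verdict


def run_demo():
    """Three constructed flows: blocked SNI, allowed SNI, blocked plaintext Host."""
    pipe = Pipeline(["ads.example", "tracker.example"])
    flows = [
        (("10.0.0.5", 51000, "203.0.113.10", 443),
         [b"", build_client_hello("cdn.ads.example"), b"\x17\x03\x03\x00\x01\x00"]),
        (("10.0.0.5", 51001, "203.0.113.20", 443),
         [b"", build_client_hello("www.example.org"), b"\x17\x03\x03\x00\x01\x00"]),
        (("10.0.0.6", 51002, "203.0.113.30", 80),
         [b"", b"GET / HTTP/1.1\r\nHost: tracker.example\r\n\r\n"]),
    ]
    results = {flow[1]: [pipe.packet(flow, p) for p in packets] for flow, packets in flows}
    return results, pipe.hook_calls


if __name__ == "__main__":
    print(run_demo())
```

Each flow reaches `hook` exactly once, on its first payload-bearing packet; everything after that is answered from `verdict_set`, which is the bypass the abstract attributes to the nftables set. Malformed or truncated handshakes fall through to `None` and are accepted rather than crashing the classifier, which is the failure mode a kernel-side hook most needs to avoid.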
Important Dates
| Closing of CFS | June 1st |
| Notification by | June 10th |
| Conference dates | July 13th-16th |