Technology

How Neurowall works.

This page is for engineers who want to understand the technology before deploying it. Business buyers don't need to read this — but engineers usually want to.

Foundation

Why eBPF.

eBPF (extended Berkeley Packet Filter) lets programs run safely inside the Linux kernel without modifying kernel source code or loading kernel modules. It is the foundation of Neurowall's fast-path packet filtering.

Performance

eBPF programs run in kernel space, eliminating the overhead of copying packets between kernel and userspace. They are JIT-compiled to native machine code at load time.

Safety

The eBPF verifier checks every program before it runs — it cannot crash the kernel, access unauthorized memory, or loop indefinitely. Kernel performance, userspace safety.

Programmability

Programs can be loaded, updated, and replaced at runtime without rebooting. Firewall rules change without service interruption.

Approach          Performance   Flexibility   Kernel modification
Kernel module     Excellent     Low           Yes — risky
Userspace proxy   Moderate      High          No
nftables          Good          High          No
eBPF              Excellent     High          No — verified safe

eBPF is used in production by Google, Meta, Netflix, Cloudflare, and Cilium. Neurowall builds on this proven foundation.

Fast Path

Why XDP.

XDP (eXpress Data Path) processes packets at the network driver level — the earliest possible point in the Linux networking stack, before the kernel allocates socket buffers. Neurowall uses XDP as its primary fast-path data plane.

Packet decision path

Packet arrives at NIC
  -> XDP program (eBPF): check allowlist · check blocklist · check rate limit
       -> XDP_DROP: blocked immediately
       -> XDP_PASS: handed to the kernel stack
            -> nftables (NAT, stateful)
            -> Application

XDP attach modes

Mode      Where it runs          Performance
Native    NIC driver             Best
Generic   Kernel network layer   Good — all drivers
Offload   NIC hardware           Maximum

Neurowall automatically selects the best available mode for each network interface.

DDoS resilience

During a DDoS attack, packets are dropped at the driver level before the kernel allocates memory for them. Attack traffic consumes minimal CPU. The system stays responsive for legitimate traffic even under sustained load.

Architecture

How Neurowall is built.

Neurowall is a layered gateway firewall platform. Four layers — management, business logic, data access, and kernel data plane — each with a clear job.

API & Management Layer
  REST · gRPC · Web UI · CLI
  JWT · API Keys · RBAC

Business Logic Layer
  Rule Management · Threat Intelligence
  HA · Audit Logging · Backup

Data Access Layer
  PostgreSQL / SQLite · Redis Cache
  Schema Migration

Data Plane — Kernel Space
  eBPF/XDP (fast path) · nftables (flexible path)
  Auto rule sync

Fast Path — eBPF/XDP

Processes packets at the network driver level. Handles allow/block decisions, rate limiting, and DDoS filtering. Rules are stored in eBPF maps for O(1) lookup. Malicious packets are dropped before they enter the kernel network stack.

Flexible Path — nftables

Operates within the kernel's netfilter framework. Handles NAT, port forwarding, and stateful inspection. Supports complex rule matching — protocol, port ranges, connection state. Atomic rule updates for consistent policy application.

High Availability

Active-passive HA with etcd.

Leader Election

etcd Raft consensus determines the active node. The standby node monitors the leader lease and assumes the active role on failure.

State Sync

Rules, configuration, and threat intelligence data synchronize continuously via etcd watches. The standby node stays ready to take over.

Graceful Degradation

Neurowall operates as a standalone node if etcd is unavailable. Security policy remains enforced.

Threat Intelligence

Multi-source, kernel-enforced.

Component              Role
Threat feeds           AbuseIPDB, OTX, MISP, custom sources
Intelligence service   Fetch, normalize, deduplicate across sources
Redis cache            Fast lookup before eBPF map update
eBPF maps              Kernel-space enforcement — O(1) lookup per packet

Deployment Requirements

Runs on standard Linux.

Requirement        Minimum
Operating System   Linux kernel 5.4+
CPU                2 cores
Memory             512 MB
Storage            1 GB
Network            One or more Ethernet interfaces
Database           PostgreSQL (production) · SQLite (single-node)

NICs with native XDP driver support are recommended for high-throughput production deployments.

Performance

Built to avoid becoming your bottleneck.

Security should not slow your network. Neurowall processes packets at the XDP layer — before the kernel allocates memory — keeping throughput high and latency low.

10–24 Gbps   Software line-rate throughput
< 50 µs      Per-packet filtering latency
250k+        IP rules with no measurable throughput drop

Metric                  Behavior
Throughput with rules   Maintained full ISP line rate with 250,000+ IP rules loaded
Rule count impact       eBPF map lookups are O(1) — adding rules does not reduce throughput
CPU usage               Scales with packet rate, not rule count
Memory                  Lightweight runtime — eBPF maps scale proportionally with rule count
HA failover             Sub-3-second failover with etcd leader election

Factor        Impact on performance
NIC driver    Native XDP support delivers best results; generic mode works on all drivers
XDP mode      Native > Generic; Offload pushes filtering to NIC hardware
Packet size   Small packets (DDoS) are CPU-bound; large packets are bandwidth-bound
Rule type     IP rules use hash maps O(1); CIDR rules use LPM trie
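The fast-path decision order from the packet decision path above, together with the two rule-type lookups in this table (exact IPs in a hash map, CIDRs in an LPM trie), as an added userspace model in plain C. This is not Neurowall's XDP program: the rule tables, the token-bucket limits and the addresses are constructed, and the XDP verdict constants and LPM key layout are reproduced locally so the model builds with an ordinary C compiler.

```c
#include <stdint.h>
#include <stddef.h>
/* XDP verdicts as numbered in <linux/bpf.h>, redefined so this model builds without BPF headers. */
#define XDP_DROP 1
#define XDP_PASS 2
/* IPv4 LPM trie key as in struct bpf_lpm_trie_key: prefix length in bits, then the address (host order here). */
struct lpm_key { uint32_t prefixlen; uint32_t addr; };
#define N(a) (sizeof (a) / sizeof *(a))
/* Constructed rule tables standing in for the eBPF maps (RFC 5737 ranges); the allowlisted host sits inside a blocked /24. */
static const uint32_t allow_exact[] = { 0xC0000201u };            /* 192.0.2.1 */
static const struct lpm_key block_cidr[] = { { 24, 0xC0000200u },   /* 192.0.2.0/24 */
                                             { 16, 0xC6330000u } }; /* 198.51.0.0/16 */
/* Longest-prefix match over the CIDR table: the matching prefix length, or -1 when nothing covers ip (LPM trie lookup semantics). */
int lpm_match(const struct lpm_key *t, size_t n, uint32_t ip) {
    int best = -1;
    for (size_t i = 0; i < n; i++) {
        uint32_t mask = t[i].prefixlen ? ~0u << (32 - t[i].prefixlen) : 0;
        if ((ip & mask) == (t[i].addr & mask) && (int)t[i].prefixlen > best)
            best = (int)t[i].prefixlen;
    }
    return best;
}
/* Per-source token bucket, as a hash map keyed by source IP would hold it; RATE_PPS and BURST are constructed limits, the 64-slot table is a toy hash. */
#define RATE_PPS 1000u
#define BURST    100u
struct bucket { uint32_t ip; uint32_t tokens; uint64_t last_ns; };
static struct bucket buckets[64];
static int rate_limited(uint32_t ip, uint64_t now_ns) {
    struct bucket *b = &buckets[ip % N(buckets)];
    if (b->ip != ip) { b->ip = ip; b->tokens = BURST; b->last_ns = now_ns; }
    uint64_t refill = (now_ns - b->last_ns) * RATE_PPS / 1000000000ull;
    if (refill) { b->tokens = (uint32_t)(b->tokens + refill > BURST ? BURST : b->tokens + refill); b->last_ns = now_ns; }
    if (b->tokens == 0) return 1;
    b->tokens--;
    return 0;
}
/* Decision order from the packet decision path: allowlist, blocklist, rate limit; whatever survives is passed to the kernel stack. */
int xdp_decide(uint32_t src_ip, uint64_t now_ns) {
    for (size_t i = 0; i < N(allow_exact); i++)
        if (allow_exact[i] == src_ip) return XDP_PASS;
    if (lpm_match(block_cidr, N(block_cidr), src_ip) >= 0) return XDP_DROP;
    if (rate_limited(src_ip, now_ns)) return XDP_DROP;
    return XDP_PASS;
}
/* Sends n packets from ip at one instant and returns how many were passed. */
int count_passed(uint32_t ip, int n, uint64_t now_ns) {
    int passed = 0;
    for (int i = 0; i < n; i++) passed += xdp_decide(ip, now_ns) == XDP_PASS;
    return passed;
}
```

Because the allowlist is consulted first, 192.0.2.1 is passed even though 192.0.2.0/24 is blocked; a source that matches neither table is admitted only while its bucket has tokens, which is the per-source limit the rate-limiting benchmark scenario exercises.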
Benchmarks

Test it yourself. We mean it.

Performance claims should be verifiable. We provide testing methodology so you can benchmark Neurowall in your own environment with your own traffic profiles — not vendor-controlled lab results.

Recommended test scenarios

Test                  What it measures
Baseline throughput   Maximum system throughput with no rules
Rule scaling          1k, 10k, 100k, 250k rules — impact on throughput
Rate limiting         DDoS filtering performance under per-source limits
Mixed traffic         Legitimate + attack traffic — filtering accuracy under load
HA failover           Kill active node — failover time and traffic loss

Recommended tools

Tool         Purpose
iperf3       TCP/UDP throughput testing
TRex         Stateful and stateless traffic generation
pktgen       Linux kernel packet generator for high packet rates
Prometheus   Metrics collection during tests
Grafana      Real-time visualization of results

Fair comparison methodology

When comparing Neurowall against other solutions, ensure a level playing field:

✓  Same hardware for all solutions
✓  Same traffic generator and profiles
✓  Equivalent firewall rule sets
✓  Same metrics collection tools
✓  Include DDoS and mixed traffic scenarios
✓  Test under sustained load, not just peak

Ready to evaluate?

Our team can walk you through a guided benchmark.

We will help you set up the test environment, generate representative traffic, and interpret results against your specific hardware and deployment requirements.