High-Performance XDP/TC Firewall & Traffic Analyzer written in Rust. Zero-overhead packet filtering, stateful connection tracking, and heuristic intrusion detection.
Aegis is a next-generation firewall built on eBPF (Extended Berkeley Packet Filter), XDP (eXpress Data Path), and TC (Traffic Control). It operates at the earliest possible point in the networking stack, filtering both ingress and egress traffic before the OS kernel processes it.
| Feature | iptables/nftables | Aegis |
|---|---|---|
| Packet processing | Kernel netfilter | XDP (driver level) |
| Performance | ~1M pps | 10M+ pps ¹ |
| Egress filtering | Yes | Yes (TC) |
| Connection tracking | Conntrack module | Native eBPF |
| Real-time TUI | No | Yes |
| Memory safety | C | Rust |
| Deployment | Multiple packages | Single binary |
¹ Theoretical throughput for XDP in NIC driver mode with minimal rule set. Actual performance depends on NIC driver, kernel version, rule complexity, and hardware. Independent benchmarks pending.
- XDP Ingress Filtering — Drop packets at NIC driver level
- TC Egress Filtering — Block outbound connections to malicious destinations
- Stateful Connection Tracking — Native eBPF conntrack (no kernel module)
- CIDR Blocklists — LPM Trie for efficient prefix matching
- IPv4 + IPv6 Support — Dual-stack filtering with extension header security
- IP Allowlist — Trusted IPs bypass all checks (config-driven)
- Port Scan Detection — Bitmap-based unique port tracking with auto-ban
- SYN Flood Protection — Token bucket rate limiting (XDP layer)
- TCP Anomaly Detection — Xmas, Null, SYN+FIN scans
- TLS ClientHello Fingerprinting — Native eBPF TLS payload extraction for JA3 scoring
- Dynamic Auto-Ban (OODA Loop) — O(1) lock-free userspace threat mitigation
- ConnTrack Garbage Collection — Clock-synced map cleanup preventing state exhaustion
- Interactive TUI (fd-isolated — zero stdout pollution):
- Connections view with offline GeoIP lookup (MaxMind GeoLite2)
- Live statistics with sparklines (packets/sec, drops/sec)
- Security event log
- ISP/Geo/Country display per connection
- Module Hotkeys — Toggle PortScan, RateLimit, Threats, ConnTrack, ScanDetect, Verbose on-the-fly
- Space-to-Ban — One-key IP blocking from connections list
- Daemon Mode — Background operation with stdout log printer
- JSON Logging — Machine-readable output for SIEM integration
- Shell Completions — bash, zsh, fish, PowerShell, elvish
- TOML Config File —
/etc/aegis/config.tomlfor persistent settings - Threat Feeds — Download and load CIDR blocklists from public sources
- Save/Restore — Persist and reload block rules
- Status Command — Query running daemon state via pinned BPF maps
- Single Binary — eBPF bytecode embedded, no external files
- Multi-Distro Installer — Fedora, Ubuntu, Debian, Arch, Alpine
- Auto XDP Mode — Automatic fallback from driver to SKB mode
- Systemd Integration — Hardened service file with
CAP_BPF+CAP_NET_ADMIN
- Linux Kernel >= 5.4 (5.8+ recommended for CAP_BPF)
- Root privileges (for eBPF loading)
curl -sSfL https://raw.githubusercontent.com/m4rba4s/Aegis-eBPF/main/install.sh | sudo bash# Clone and install
git clone https://github.com/m4rba4s/Aegis-eBPF.git
cd Aegis-eBPF
sudo ./install.shThe installer will:
- Detect your distro and install dependencies
- Build from source (or use pre-built if available)
- Install systemd service
- Create config directories
# Build
cargo run -p xtask -- build-all --profile release
cargo build --release -p aegis-cli
# Run (eBPF is embedded in binary)
sudo ./target/release/aegis-cli -i eth0 tui# Build release binaries in Docker
docker build --output=dist .
# Outputs:
# dist/aegis-cli - Main binary (eBPF embedded)
# dist/aegis - Standalone XDP object (optional)
# dist/aegis-tc - Standalone TC object (optional)sudo aegis-cli -i eth0 tui
sudo aegis-cli -i wg0 tui # VPN interface
sudo aegis-cli -i eth0 --no-tc tui # XDP only, no egress filteringControls:
| Key | Action |
|---|---|
Tab |
Switch tabs (Connections / Stats / Logs) |
↑/↓ or j/k |
Navigate list |
Space |
Block/Unblock selected IP |
1-5 |
Toggle modules (PortScan, RateLimit, Threats, ConnTrack, ScanDetect) |
6 |
Toggle verbose logging |
0 |
Toggle ALL modules |
q |
Quit |
# Start as background service
sudo systemctl start aegis@eth0
# Or run directly
sudo aegis-cli -i eth0 daemonsudo aegis-cli -i eth0 load
# Interactive commands:
# block 1.2.3.4
# unblock 1.2.3.4
# list
# save / restoreaegis.yaml supports ingress source blocks and TC egress destination blocks:
rules:
- ip: 198.51.100.10
port: 443
proto: tcp
egress_rules:
- ip: 203.0.113.20
- ip: 2001:db8::20
egress_cidrs:
- cidr: 203.0.113.0/24
- cidr: 2001:db8:bad::/48# Use custom eBPF objects instead of embedded
sudo aegis-cli \
--ebpf-path /custom/path/aegis.o \
--tc-path /custom/path/aegis-tc.o \
-i eth0 tui┌─────────────────────────────────────────────────────────────┐
│ KERNEL SPACE │
├─────────────────────────────────────────────────────────────┤
│ ┌─────────────┐ ┌─────────────┐ │
│ │ aegis-ebpf │ │ aegis-tc │ │
│ │ (XDP) │ │ (TC Egress) │ │
│ │ INGRESS │ │ EGRESS │ │
│ └──────┬──────┘ └──────┬──────┘ │
│ │ │ │
│ └──────────┬──────────────┘ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ BPF MAPS / RING BUFFERS │ │
│ │ BLOCKLIST | CONFIG | STATS | FEEDS | TC CONN_TRACK │ │
│ └─────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
│
▼ BPF RingBuf
┌─────────────────────────────────────────────────────────────┐
│ USER SPACE │
├─────────────────────────────────────────────────────────────┤
│ ┌─────────────────────────────────────────────────────┐ │
│ │ aegis-cli (Rust/Tokio) │ │
│ │ ┌──────────────────────────────────────────────┐ │ │
│ │ │ EMBEDDED eBPF BYTECODE (XDP + TC objects) │ │ │
│ │ └──────────────────────────────────────────────┘ │ │
│ │ ┌─────────┐ ┌─────────┐ ┌─────────────────┐ │ │
│ │ │ TUI │ │ Event │ │ Map Management │ │ │
│ │ │(ratatui)│ │ Loop │ │ (aya) │ │ │
│ │ └─────────┘ └─────────┘ └─────────────────┘ │ │
│ └─────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
Aegis-eBPF/
├── aegis-common/ # Shared types (Single Source of Truth)
│ └── src/lib.rs # PacketLog, Stats, FlowKey, threat/reason constants
├── aegis-ebpf/ # XDP ingress program (no_std, eBPF target)
│ └── src/main.rs # Packet filtering, rate limiting, scan detection, TLS parsing
├── aegis-tc/ # TC egress program
│ └── src/main.rs # Outbound connection blocking
├── aegis-cli/ # Userspace controller
│ ├── build.rs # Embeds eBPF bytecode at compile time
│ ├── src/main.rs # Application bootstrapper
│ ├── src/event_loop.rs # MPSC Lock-Free Perf Event consumers
│ ├── src/loader.rs # eBPF/TC program lifecycles
│ ├── src/map_manager.rs # Map pinning, sizing, and threat feeds
│ ├── src/conntrack_gc.rs # Ktime-synced map garbage collection
│ ├── src/tui/ # Terminal UI (ratatui, fd-isolated)
│ ├── src/config.rs # TOML config parser
│ ├── src/geo.rs # Offline GeoIP (MaxMind GeoLite2)
│ ├── src/compat.rs # Kernel capability detection
│ └── src/feeds/ # Threat feed parser/downloader
├── guide/ # Operational & Architectural Engineering Guides
├── deploy/ # Systemd service files
├── Dockerfile # Reproducible builds
└── install.sh # Multi-distro installer
PRs welcome! Please ensure:
cargo fmtpassescargo clippyhas no warnings- eBPF programs compile with
cargo run -p xtask -- build-all
This tool is intended for defensive security research and system hardening. The author is not responsible for any misuse.
MIT
Crafted with Rust & eBPF