eBPF firewall that cuts fast!
A lightweight XDP-powered network filtering solution controllable through a REST API.
XDP-based Packet Processing
Express Data Path (XDP) integration enables line-rate packet filtering at the network driver level, processing millions of packets per second before they reach the kernel network stack.
RESTful JSON API
Programmable interface for dynamic rule management with atomic operations. Features role-based access control (RBAC), Unix domain socket transport, and a comprehensive OpenAPI specification.
Static Configuration with Sets
Define persistent filtering rules using .couic set files. Supports hot reloading with differential updates, suited to scheduled tasks and infrastructure-as-code workflows.
Dual-stack CIDR Support
Native IPv4 and IPv6 prefix handling with automatic network address canonicalization. An eBPF LPM (Longest Prefix Match) trie implementation ensures efficient lookups.
Automatic Entry Expiration
Configurable TTL (Time-To-Live) for dynamically added entries with automatic expiration. Enables temporary mitigation strategies during active incidents without manual cleanup.
Rule Taxonomy System
Tagging mechanism for rule organization and lifecycle management. Supports filtering and statistical aggregation.
Command-line Interface
The couicctl binary provides administrative operations for both local and remote management modes. Features include rule manipulation, policy control, statistics retrieval, and client authentication management.
Prometheus Metrics Export
Native metrics endpoint exposing XDP counters, CIDR statistics, and per-tag packet/byte accounting. Enables integration with standard observability stacks for monitoring and alerting.
Multi-instance Synchronization
Peering protocol for distributed rule propagation across infrastructure. Batched transmission with conflict resolution ensures eventual consistency in multi-node deployments.