Excellent post on why BPF is replacing iptables in the Linux kernel. Note that Thomas Graf founded Cilium to be a networking policy engine for Kubernetes and having a better packet munging function is a good thing.
From humble roots as the packet filtering capability underlying popular tools like tcpdump and Wireshark, BPF has grown into a rich framework to extend the capabilities of Linux in a highly flexible manner without sacrificing key properties like performance and safety. This powerful combination has led forward-leaning users of Linux kernel technology like Google, Facebook, and Netflix to choose BPF for use cases ranging from network security and load-balancing to performance monitoring and troubleshooting. Brendan Gregg of Netflix first called BPF "Superpowers for Linux". This post will cover how these "superpowers" render long-standing kernel sub-systems like iptables redundant while simultaneously enabling new in-kernel use cases that few would have previously imagined were possible.
Why is the kernel community replacing iptables with BPF? — Cilium : https://cilium.io/blog/2018/04/17/why-is-the-kernel-community-replacing-iptables/