I’ve been working on Shibuya, a next-generation Web Application Firewall (WAF) built from the ground up in Rust.

I wanted to build a WAF that didn't just rely on legacy regex signatures but could understand intent and perform at line-rate using modern kernel features.

What makes Shibuya different:

Multi-Layer Pipeline: It integrates a high-performance proxy (built on Pingora) with rate limiting, bot detection, and threat intelligence.

eBPF Kernel Filtering: For volumetric attacks, Shibuya can drop malicious packets at the kernel level using XDP before they consume userspace resources.

Dual ML Engine: It uses an ONNX-based engine for anomaly detection and a Random Forest classifier to identify specific attack classes like SQLi, XSS, and RCE.

API & GraphQL Protection: Includes deep inspection for GraphQL (depth and complexity analysis) and OpenAPI schema validation.

WASM Extensibility: You can write and hot-load custom security logic using WebAssembly plugins.

Ashigaru Lab: The project includes a deliberately vulnerable lab environment with 6 different services and a "Red Team Bot" to test the WAF against 100+ simulated payloads.

The Dashboard: The dashboard is built with SvelteKit and offers real-time monitoring (ECharts), a "Panic Mode" for instant hardening, and a visual editor for the YAML configuration.

I'm looking for feedback on the architecture and the performance of the Rust-eBPF integration.