Cilium v1.5 Documentation
443/TCP service/memcached-server ClusterIP None 11211/TC NAME READY STATUS RESTARTS AGE pod/a-wing-67db8d5fcc-dpwl4 protection mechanisms. Traffic Control Ingress/Egress: BPF programs attached to the traffic control (tc) ingress hook are attached to a networking interface, same as XDP, but will run after the networking applying L3/L4 endpoint policy and redirecting traffic to endpoints. For networking facing devices the tc ingress hook can be coupled with above XDP hook. When this is done it is reasonable to assume that
0 credits | 740 pages | 12.52 MB | 1 year ago
Cilium v1.6 Documentation
protection mechanisms. Traffic Control Ingress/Egress: BPF programs attached to the traffic control (tc) ingress hook are attached to a networking interface, same as XDP, but will run after the networking applying L3/L4 endpoint policy and redirecting traffic to endpoints. For networking facing devices the tc ingress hook can be coupled with above XDP hook. When this is done it is reasonable to assume that a veth pair which acts as a virtual wire connecting the container to the host. By attaching to the TC ingress hook of the host side of this veth pair Cilium can monitor and enforce policy on all traffic
0 credits | 734 pages | 11.45 MB | 1 year ago
Cilium v1.7 Documentation
BPF sysctls Kernel Testing JIT Debugging Introspection Tracing pipe Miscellaneous Program Types XDP tc (traffic control) Further Reading Kernel Developer FAQ Projects using BPF XDP Newbies BPF Newsletter protection mechanisms. Traffic Control Ingress/Egress: BPF programs attached to the traffic control (tc) ingress hook are attached to a networking interface, same as XDP, but will run after the networking applying L3/L4 endpoint policy and redirecting traffic to endpoints. For networking facing devices the tc ingress hook can be coupled with above XDP hook. When this is done it is reasonable to assume that
0 credits | 885 pages | 12.41 MB | 1 year ago
Cilium v1.8 Documentation
BPF sysctls Kernel Testing JIT Debugging Introspection Tracing pipe Miscellaneous Program Types XDP tc (traffic control) Further Reading Kernel Developer FAQ Projects using BPF XDP Newbies BPF Newsletter protection mechanisms. Traffic Control Ingress/Egress: BPF programs attached to the traffic control (tc) ingress hook are attached to a networking interface, same as XDP, but will run after the networking applying L3/L4 endpoint policy and redirecting traffic to endpoints. For networking facing devices the tc ingress hook can be coupled with above XDP hook. When this is done it is reasonable to assume that
0 credits | 1124 pages | 21.33 MB | 1 year ago
Cilium v1.10 Documentation
BPF sysctls Kernel Testing JIT Debugging Introspection Tracing pipe Miscellaneous Program Types XDP tc (traffic control) Further Reading Kernel Developer FAQ Projects using BPF XDP Newbies BPF Newsletter level=warning msg="+ bpftool cgroup attach /var/run/cilium/cgroupv2 connect6 pinned /sys/fs/bpf/tc/globals/cilium_cgroups_connect6" subsys=datapath-loader level=warning msg="Error: failed to attach network facing interfaces, or matching the configuration of --encrypt-interface (if specified). $ tc filter show dev eth0 ingress filter protocol all pref 1 bpf chain 0 filter protocol all pref 1 bpf
0 credits | 1307 pages | 19.26 MB | 1 year ago
Cilium v1.9 Documentation
BPF sysctls Kernel Testing JIT Debugging Introspection Tracing pipe Miscellaneous Program Types XDP tc (traffic control) Further Reading Kernel Developer FAQ Projects using BPF XDP Newbies BPF Newsletter level=warning msg="+ bpftool cgroup attach /var/run/cilium/cgroupv2 connect6 pinned /sys/fs/bpf/tc/globals/cilium_cgroups_connect6" subsys=datapath-loader level=warning msg="Error: failed to attach protection mechanisms. Traffic Control Ingress/Egress: BPF programs attached to the traffic control (tc) ingress hook are attached to a networking interface, same as XDP, but will run after the networking
0 credits | 1263 pages | 18.62 MB | 1 year ago
Cilium v1.11 Documentation
BPF sysctls Kernel Testing JIT Debugging Introspection Tracing pipe Miscellaneous Program Types XDP tc (traffic control) Further Reading Kernel Developer FAQ Projects using BPF XDP Newbies BPF Newsletter level=warning msg="+ bpftool cgroup attach /var/run/cilium/cgroupv2 connect6 pinned /sys/fs/bpf/tc/globals/cilium_cgroups_connect6" subsys=datapath-loader level=warning msg="Error: failed to attach Namespace Cilium has built-in support for bypassing the socket-level loadbalancer and falling back to the tc loadbalancer at the veth interface when a custom redirection/operation relies on the original ClusterIP
0 credits | 1373 pages | 19.37 MB | 1 year ago
Cilium's Network Acceleration Secrets
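the result of handling the request, or change the flow by which the kernel handles the request. This greatly improves the efficiency with which the kernel handles events. As of Linux 5.14, eBPF has 32 program types. Cilium mainly uses the following program types: • sched_cls: Cilium implements packet forwarding, load balancing, and filtering at the kernel TC hook • xdp: Cilium implements packet forwarding, load balancing, and filtering at the kernel XDP hook • cgroup_sock_addr: Cilium implements service resolution in cgroups stack raw PREROUTING mangle PREROUTING nat PREROUTING tc ingress conntrack filter FORWARD mangle POSTROUING nat POSTROUING tc egress veth pod 2 veth woker node1 pod1 process kernel network stack tc ingress kernel network stack netfilter tc egress veth veth eth0 tc ingress tc egress redirect_peer redirect_neigh kernel network
0 credits | 14 pages | 11.97 MB | 1 year ago
eBPF Summit 2020 Lightning Talk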
for analyzing), does not affect original packets • `tc` can actually control packets! And use BPF! • Let’s add support for it in RedBPF `tc` Support in RedBPF • BPF programs are all the “same” • “Type” really depends on the input and how the kernel interprets the output • `tc` programs also take `sk_buff` - steal from SocketFilter • Use Enum to wrap potential return codes • Done Can we protect the Rabbit? Without Limiter Attach `tc` Program $ cargo make release $ sudo tc qdisc add dev [device name] clsact $ sudo tc filter add dev [device name] ingress \ bpf da obj
0 credits | 22 pages | 1.81 MB | 1 year ago
openEuler 21.09 Technical White Paper
Technical Committee The openEuler Technical Committee (TC) is the technical leader of the openEuler community. The main responsibilities of the TC are as follows: 1. Makes the final decision on technical technical influence of the community. Conference Organization Official conference (public): The TC holds a public online discussion at 10:00 a.m. (GMT+8) on alternating Wednesdays. Details on how to To report explicit or inappropriate behaviors, you can contact the openEuler Technical Committee at: tc@openeuler.org. Commitment of Contributors To maintain an open and professional environment, the openEuler
0 credits | 36 pages | 3.40 MB | 1 year ago