Cilium v1.6 Documentation
…tooling to provide: Event monitoring with metadata: When a packet is dropped, the tool doesn’t just report the source and destination IP of the packet, the tool provides the full label information of both the sender and receiver among a lot of other information. Policy decision tracing: Why is a packet being dropped or a request rejected. The policy tracing framework allows tracing the policy decision … viewing security policies, and configuring network monitoring behavior. Linux Kernel BPF Berkeley Packet Filter (BPF) is a Linux kernel bytecode interpreter originally introduced to filter network packets…
0 码力 | 734 pages | 11.45 MB | 1 year ago
Cilium v1.5 Documentation
…tooling to provide: Event monitoring with metadata: When a packet is dropped, the tool doesn’t just report the source and destination IP of the packet, the tool provides the full label information of both the sender and receiver among a lot of other information. Policy decision tracing: Why is a packet being dropped or a request rejected. The policy tracing framework allows tracing the policy decision process … viewing security policies, and configuring network monitoring behavior. Linux Kernel BPF Berkeley Packet Filter (BPF) is a Linux kernel bytecode interpreter originally introduced to filter network packets…
0 码力 | 740 pages | 12.52 MB | 1 year ago
Cilium v1.7 Documentation
…tooling to provide: Event monitoring with metadata: When a packet is dropped, the tool doesn’t just report the source and destination IP of the packet, the tool provides the full label information of both the sender and receiver among a lot of other information. Policy decision tracing: Why is a packet being dropped or a request rejected. The policy tracing framework allows tracing the policy decision … Cilium in chaining configuration on top of Calico, the L7 policies may not work because of conflicting packet mark usage. This limitation is currently tracked at #12454 [https://github.com/cilium/cilium/issues/12454]…
0 码力 | 885 pages | 12.41 MB | 1 year ago
Cilium v1.10 Documentation
…service-to-backend translation right in the Linux kernel’s socket layer (e.g. at TCP connect time) such that per-packet NAT operations overhead can be avoided in lower layers. Bandwidth Management Cilium implements … tooling to provide: Event monitoring with metadata: When a packet is dropped, the tool doesn’t just report the source and destination IP of the packet, the tool provides the full label information of both the sender and receiver among a lot of other information. Policy decision tracing: Why is a packet being dropped or a request rejected. The policy tracing framework allows tracing the policy decision…
0 码力 | 1307 pages | 19.26 MB | 1 year ago
Cilium v1.8 Documentation
…tooling to provide: Event monitoring with metadata: When a packet is dropped, the tool doesn’t just report the source and destination IP of the packet, the tool provides the full label information of both the sender and receiver among a lot of other information. Policy decision tracing: Why is a packet being dropped or a request rejected. The policy tracing framework allows tracing the policy decision … L7 policies at egress, the source identity context is lost as it is currently not carried in the packet. This means that traffic will look like it is coming from outside of the cluster to the receiving…
0 码力 | 1124 pages | 21.33 MB | 1 year ago
Cilium v1.9 Documentation
…service-to-backend translation right in the Linux kernel’s socket layer (e.g. at TCP connect time) such that per-packet NAT operations overhead can be avoided in lower layers. Bandwidth Management Cilium implements … tooling to provide: Event monitoring with metadata: When a packet is dropped, the tool doesn’t just report the source and destination IP of the packet, the tool provides the full label information of both the sender and receiver among a lot of other information. Policy decision tracing: Why is a packet being dropped or a request rejected. The policy tracing framework allows tracing the policy decision…
0 码力 | 1263 pages | 18.62 MB | 1 year ago
Cilium v1.11 Documentation
…service-to-backend translation right in the Linux kernel’s socket layer (e.g. at TCP connect time) such that per-packet NAT operations overhead can be avoided in lower layers. Bandwidth Management Cilium implements … tooling to provide: Event monitoring with metadata: When a packet is dropped, the tool doesn’t just report the source and destination IP of the packet, the tool provides the full label information of both the … To determine if a packet needs to be encrypted or not, transparent encryption relies on the same mechanisms as policy enforcement to decide if the destination of an outgoing packet belongs to a Cilium-managed…
0 码力 | 1373 pages | 19.37 MB | 1 year ago
eBPF Summit 2020 Lightning Talk
…SocketFilter programs, however… Traffic Control for Real • XDP doesn’t seem like it would work (the full TCP packet hasn’t been constructed yet; I could be wrong) • SocketFilter is not useful: it only duplicates … com/redsift/redbpf/pull/97 Write BPF in Rust • Ethernet frame, IP header, TCP header • Only look at IPv4, TCP packets to the AMQP port • Extract source IP & port as BPF map key Extract AMQP Methods Use BPF Maps Use … consumers per connection • Increase when declare • Decrease when cancel • Drop (Shot) the declare packet if count is 10 See it in Action! Can we protect the Rabbit? Without Limiter Attach `tc` Program…
0 码力 | 22 pages | 1.81 MB | 1 year ago
Steering connections to sockets with BPF socket lookup hook
…Ring Buffer forward Wikipedia - Packet flow in Netfilter and General Networking Receive path for local delivery Service dispatch with BPF socket lookup packet metadata BPF program lookup result SK_DROP : SK_PASS; } is echo service configured on this port? get echo server socket dispatch the packet to echo server Load echo_dispatch program $ make echo_dispatch.bpf.o clang -I…/linux/usr/include…
0 码力 | 23 pages | 441.22 KB | 1 year ago
Buzzing Across Space
…“We wish to help, to innovate, and we’re on your side!” eBPF comes from the original Berkeley Packet Filter (used in tcpdump), but now extends way beyond just networking, enabling users to programmatically … receivers, They installed and rewired a boosted antenna. eBPF enhances networking by enabling efficient packet processing and filtering in the kernel decoupled from hardware-specific details while integrating … instrumentation of the LSM hooks. eBPF combines seeing and understanding all system calls with a packet and socket-level view of all networking. This creates security systems operating with richer context…
0 码力 | 32 pages | 32.98 MB | 1 year ago
13 results in total