Endpoint to Endpoint Userspace Proxy PREROUTING INPUT OUTPUT POSTROUTING L7 Egress Policy CILIUM_POST_* Userspace Proxy PREROUTING INPUT OUTPUT POSTROUTING L7 Ingress Policy bpf_netdev Cluster/World Overlay Mode (VXLAN, Geneve configured for intra-cluster traffic) Userspace Proxy INPUT PREROUTING OUTPUT POSTROUTING L7 Policy Key Direction of traffic CILIUM_FORWARD bpf_netdev TC @ cilium_host Userspace Proxy bpf_lxc TC @ Endpoint PREROUTING INPUT OUTPUT POSTROUTING CILIUM_POST_* L7 Policy bpf_netdev TC@cilium_host Key

Endpoint to Endpoint Userspace Proxy PREROUTING INPUT OUTPUT POSTROUTING L7 Egress Policy CILIUM_POST_* Userspace Proxy PREROUTING INPUT OUTPUT POSTROUTING L7 Ingress Policy bpf_netdev PREROUTING FORWARD CILIUM_FORWARD bpf_netdev TC @ cilium_host Userspace Proxy bpf_lxc PREROUTING INPUT L7 Policy Key Direction of traffic Optional feature KUBE-SEP-1 -s 10.233.67.32/32 -j KUBE-MARK-MASQ -p tcp -m tcp -j DNAT --to-destination 10.233.67.32:53 INPUT KUBE-SERVICES KUBE-FIREWALL FORWARD (filter) KUBE-FORWARD CILIUM_FORWARD KUBE-FIREWALL -m mark

147 direct1 Direct --- down 10:53:40.147 Channel ipv4 State: DOWN Input filter: ACCEPT Output filter: REJECT ... Basic configuration It’s hard to discuss bird configurations Endpoint to Endpoint Userspace Proxy PREROUTING INPUT OUTPUT POSTROUTING L7 Egress Policy CILIUM_POST_* Userspace Proxy PREROUTING INPUT OUTPUT POSTROUTING L7 Ingress Policy bpf_netdev PREROUTING FORWARD CILIUM_FORWARD bpf_netdev TC @ cilium_host Userspace Proxy bpf_lxc PREROUTING INPUT L7 Policy Key Direction of traffic Optional feature

147 direct1 Direct --- down 10:53:40.147 Channel ipv4 State: DOWN Input filter: ACCEPT Output filter: REJECT ... Basic configuration It’s hard to discuss bird configurations KUBE-SEP-1 -s 10.233.67.32/32 -j KUBE-MARK-MASQ -p tcp -m tcp -j DNAT --to-destination 10.233.67.32:53 INPUT KUBE-SERVICES KUBE-FIREWALL FORWARD (filter) KUBE-FORWARD CILIUM_FORWARD KUBE-FIREWALL -m mark Endpoint to Endpoint Userspace Proxy PREROUTING INPUT OUTPUT POSTROUTING L7 Egress Policy CILIUM_POST_* Userspace Proxy PREROUTING INPUT OUTPUT POSTROUTING L7 Ingress Policy bpf_host TC

147 direct1 Direct --- down 10:53:40.147 Channel ipv4 State: DOWN Input filter: ACCEPT Output filter: REJECT ... Basic configuration It’s hard to discuss bird configurations Endpoint to Endpoint Userspace Proxy PREROUTING INPUT OUTPUT POSTROUTING L7 Egress Policy CILIUM_POST_* Userspace Proxy PREROUTING INPUT OUTPUT POSTROUTING L7 Ingress Policy bpf_host TC PREROUTING FORWARD CILIUM_FORWARD bpf_host TC @ cilium_host Userspace Proxy bpf_lxc PREROUTING INPUT L7 Policy Key Direction of traffic Optional feature

147 direct1 Direct --- down 10:53:40.147 Channel ipv4 State: DOWN Input filter: ACCEPT Output filter: REJECT ... Basic configuration It’s hard to discuss bird configurations Endpoint to Endpoint Userspace Proxy PREROUTING INPUT OUTPUT POSTROUTING L7 Egress Policy CILIUM_POST_* Userspace Proxy PREROUTING INPUT OUTPUT POSTROUTING L7 Ingress Policy bpf_host TC PREROUTING FORWARD CILIUM_FORWARD bpf_host TC @ cilium_host Userspace Proxy bpf_lxc PREROUTING INPUT L7 Policy Key Direction of traffic Optional feature

147 direct1 Direct --- down 10:53:40.147 Channel ipv4 State: DOWN Input filter: ACCEPT Output filter: REJECT ... Basic configuration It’s hard to discuss bird configurations Endpoint to Endpoint Userspace Proxy PREROUTING INPUT OUTPUT POSTROUTING L7 Egress Policy CILIUM_POST_* Userspace Proxy PREROUTING INPUT OUTPUT POSTROUTING L7 Ingress Policy bpf_host TC PREROUTING FORWARD CILIUM_FORWARD bpf_host TC @ cilium_host Userspace Proxy bpf_lxc PREROUTING INPUT L7 Policy Key Direction of traffic Optional feature

的解析和转发，其转发性能能比肩 DPDK 技术，且能节省大量CPU资源 当 PPS 压力越大，提升效果越发显 著，相比 kube-proxy，测量得出以下 效果： 1. TC 转发方式，在10Mpps input压 力下提升 1 倍的吞吐量，在2Mpps 压力下，节省了30%的CPU利用率 2. XDP的性能上限极高，可能是 TC 的 10 倍左右 raw PREROUTING mangle PREROUTING