\end{array} $$ echo_ports BPF HASH map Ncat socket lookup result Ncat socket echo_socket BPF SOCKMAP #### echo_dispatch.bpf.c - BPF sk_lookup program /* Declare BPF maps */ struct bpf_map_def SEC("maps") sizeof(__u8), }; struct bpf_map_def SEC("maps") echo_socket = { .type = BPF_MAP_TYPE_SOCKMAP, .max_entries = 1, .key_size = sizeof(__u32), .value_size = sizeof(__u64), }; #### echo_dispatch 1024 memlock 86016B # bpftool map pin id 28 ~vagrant/bpffs/echo_ports # bpftool map show id 29 29: sockmap name echo_socket flags 0x0 key 4B value 8B max_entries 1 memlock 4096B # bpftool map pin id 29 ~

connections will then have all messages handled by the socket send/recv hook and will be accelerated using sockmap fast redirects. The fast redirect ensures all policies implemented in Cilium are valid for the associated and assuming they are sends the message directly to the peer socket. This is allowed because the sockmap send/recv hooks ensures the message will not need to be processed by any of the objects above. L7 Policy Endpoint bpf_redir.c Sockmap @ Pod bpf_sockops.c Sockops @ Pod Pod Level Enforcement bpf_redir.c Sockmap @ Pod bpf_redir.c Sockmap @ Pod bpf_redir.c Sockmap @ Pod bpf_sockops.c Sockops

负载均衡：支持轮询等负载均衡策略。 - 路由：支持 L4、L7 路由规则。 - 灰度：支持百分比灰度方式选择后端服务策略。 sockamp 网格加速能力：以典型的 service mesh 场景为例，使能 sockmap 网格加速能力之后，业务容器和 envoy 容器之间的通信将被 ebpf 程序短接，通过缩短通信路径从而达到加速效果，对于同节点上 Pod 间通信也能通过 ebpf 程序进行加速。 ## Node Node  注： 1. 使能 sockmap 网格加速能力后创建的数据连接才会被加速，已经建立的连接不会被加速。 2. 当前仅支持同节点上 ipv4 tcp 连接的通信加速，对于跨节点的 ipv4 tcp 连接通信，会存在 10%~20%

connections will then have all messages handled by the socket send/recv hook and will be accelerated using sockmap fast redirects. The fast redirect ensures all policies implemented in Cilium are valid for the associated and assuming they are sends the message directly to the peer socket. This is allowed because the sockmap send/recv hooks ensures the message will not need to be processed by any of the objects above. L7 Policy Endpoint bpf_redir.c Sockmap @ Pod bpf_sockops.c Sockops @ Pod Pod Level Enforcement bpf_redir.c Sockmap @ Pod bpf_redir.c Sockmap @ Pod bpf_redir.c Sockmap @ Pod bpf_sockops.c Sockops

connections will then have all messages handled by the socket send/recv hook and will be accelerated using sockmap fast redirects. The fast redirect ensures all policies implemented in Cilium are valid for the associated and assuming they are sends the message directly to the peer socket. This is allowed because the sockmap send/recv hooks ensures the message will not need to be processed by any of the objects above. L7 Policy Endpoint bpf_redir.c Sockmap @ Pod bpf_sockops.c Sockops @ Pod Pod Level Enforcement bpf_redir.c Sockmap @ Pod bpf_redir.c Sockmap @ Pod bpf_redir.c Sockmap @ Pod bpf_sockops.c Sockops

to hashmap • Attach sk_skb program to hashmap - When socket send a msg, lookup peer socket in sockmap • Redirect  ## I

connections will then have all messages handled by the socket send/recv hook and will be accelerated using sockmap fast redirects. The fast redirect ensures all policies implemented in Cilium are valid for the associated and assuming they are sends the message directly to the peer socket. This is allowed because the sockmap send/recv hooks ensures the message will not need to be processed by any of the objects above. L7 Policy Endpoint bpf_redir.c Sockmap @ Pod bpf_sockops.c Sockops @ Pod Pod Level Enforcement bpf_redir.c Sockmap @ Pod bpf_redir.c Sockmap @ Pod bpf_redir.c Sockmap @ Pod bpf_sockops.c Sockops

done: • Integration with various CNI plugins • Interact with Network Policies • Acceleration with sockmap Contributions to improve the ease of use would be greatly welcomed. Join us in #ambient on the

connections will then have all messages handled by the socket send/recv hook and will be accelerated using sockmap fast redirects. The fast redirect ensures all policies implemented in Cilium are valid for the associated and assuming they are sends the message directly to the peer socket. This is allowed because the sockmap send/recv hooks ensures the message will not need to be processed by any of the objects above. L7

connections will then have all messages handled by the socket send/recv hook and will be accelerated using sockmap fast redirects. The fast redirect ensures all policies implemented in Cilium are valid for the associated and assuming they are sends the message directly to the peer socket. This is allowed because the sockmap send/recv hooks ensures the message will not need to be processed by any of the objects above. •