top | item 46663772


metmac | 1 month ago

Just came here to say this is awesome to see more folks do novel stuff with XDP!

After reading Loophole Labs' post [0] a few months ago, I was hoping someone would cook on this for security research.

[0] https://loopholelabs.io/blog/xdp-for-egress-traffic


spliffedr | 1 month ago

I think (not 100% sure) Cilium [0][1] kinda already does this. This loophole is good for packet processing/routing and even introducing XDP-based ACLs to bypass any ip/nf tables and get that almost-wire-speed benefit. I use Cilium with these features for custom-made k8s clusters with Talos OS without any kube-proxy.

[0] https://docs.cilium.io/en/stable/operations/performance/tuni...

[1] https://isovalent.com/blog/post/cilium-netkit-a-new-containe...

shivanshvij | 1 month ago

Founder of Loophole Labs here!

Cilium is definitely the gold standard if you’re working with Kubernetes clusters and need a full CNI, but if you want to extend CNI functionality without replacing it, then this approach is the only option.

It works quite well because Cilium (and all CNIs that I'm aware of) don't use XDP, as the blog post mentions; they use Netkit instead, which is an alternative to veth designed for netfilter-like use cases.

This means XDP can work alongside Cilium (with enough tweaking), which is what we wanted to be able to do.

If you’re using pure containers and no CNI, then of course this provides a significant speed up even beyond netkit devices.