An eBPF Loophole: Using XDP for Egress Traffic

XDP (eXpress Data Path) is the fastest packet processing framework in Linux - but it only works for incoming (ingress) traffic. We discovered how to use it for outgoing (egress) traffic by exploiting a loophole in how the Linux kernel determines packet direction. Our technique delivers 10x better performance than current solutions, works with existing Docker/Kubernetes containers, and requires zero kernel modifications.

This post not only expands on the overall implementation but also outlines how existing container and VM workloads can immediately take advantage with minimal effort and zero infrastructure changes.

At Loophole Labs, we live migrate everything - containers, VMs, and even network connections.

During a migration every single packet for a workload needs to be intercepted, modified, encapsulated, encrypted, and rerouted to its new destination - all without the application noticing. Our scale requires us to be able to move workloads across clouds at hundreds of gigabits per second - and with that sort of performance requirement, every single CPU cycle matters.

All of this is to say, we need to be able to process packets at line-rate (however much the underlying network can support, whether that's 20Gbps or 200Gbps), and there's really only one approach that lets us do that:

Linux Packet Processing Performance Comparison

In Linux, the gold standard for high-performance packet processing is XDP (eXpress Data Path). By intercepting packets as soon as they arrive at the network driver (before the kernel allocates an sk_buff for them and hands them to the networking stack)...
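What a program at that driver hook actually does, as an added example that is not code from the Loophole Labs post: it receives a raw frame as a pair of `data`/`data_end` pointers, parses the Ethernet and IPv4 headers with a bounds check before every dereference (the eBPF verifier rejects the program otherwise), and returns an `xdp_action` verdict. The classification policy (drop ICMP to 10.0.0.1) and the constructed frames are hypothetical; the verdict constants mirror `enum xdp_action` in `<linux/bpf.h>`. The program is compiled and run here as plain userspace C so it needs no kernel headers, and the parse function is the part that would sit inside a `SEC("xdp")` program.

```c
/* Added example, not from the post: XDP-style bounds-checked parsing
 * run as ordinary userspace C over a constructed Ethernet+IPv4 frame. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>   /* htons/htonl/ntohs and IPPROTO_* */

/* Verdict values mirror enum xdp_action in <linux/bpf.h>. */
enum xdp_action { XDP_ABORTED = 0, XDP_DROP = 1, XDP_PASS = 2, XDP_TX = 3, XDP_REDIRECT = 4 };

#define ETH_TYPE_IPV4 0x0800

/* On-wire header layouts; all multi-byte fields are big-endian. */
struct eth_hdr  { uint8_t dst[6]; uint8_t src[6]; uint16_t type; } __attribute__((packed));
struct ipv4_hdr { uint8_t ver_ihl; uint8_t tos; uint16_t tot_len; uint16_t id;
                  uint16_t frag_off; uint8_t ttl; uint8_t protocol; uint16_t check;
                  uint32_t saddr; uint32_t daddr; } __attribute__((packed));

/* Stand-in for struct xdp_md: only data/data_end matter for parsing. */
struct xdp_ctx { void *data; void *data_end; };

/* Hypothetical policy: drop ICMP addressed to 10.0.0.1, pass everything else.
 * Every pointer advance is compared against data_end BEFORE the dereference;
 * that is the shape the eBPF verifier insists on, and in userspace it is what
 * keeps the parse from reading past the end of the frame. */
static int xdp_classify(struct xdp_ctx *ctx)
{
    void *data = ctx->data, *data_end = ctx->data_end;

    struct eth_hdr *eth = data;
    if ((void *)(eth + 1) > data_end)           /* frame shorter than an Ethernet header */
        return XDP_ABORTED;
    if (ntohs(eth->type) != ETH_TYPE_IPV4)
        return XDP_PASS;

    struct ipv4_hdr *ip = (void *)(eth + 1);
    if ((void *)(ip + 1) > data_end)            /* no room for a minimal IPv4 header */
        return XDP_ABORTED;
    uint8_t ihl = ip->ver_ihl & 0x0f;           /* header length in 32-bit words */
    if (ihl < 5 || (void *)((uint8_t *)ip + ihl * 4) > data_end)
        return XDP_ABORTED;                     /* malformed or truncated options */

    if (ip->protocol == IPPROTO_ICMP && ip->daddr == htonl(0x0A000001u)) /* 10.0.0.1 */
        return XDP_DROP;
    return XDP_PASS;
}

/* Builds a constructed frame: Ethernet + 20-byte IPv4 header + 8 bytes of payload. */
static size_t build_frame(uint8_t *buf, uint8_t proto, uint32_t daddr_host)
{
    struct eth_hdr eth = { .type = htons(ETH_TYPE_IPV4) };
    struct ipv4_hdr ip = { .ver_ihl = 0x45, .tot_len = htons(20 + 8), .ttl = 64,
                           .protocol = proto, .saddr = htonl(0x0A000002u),
                           .daddr = htonl(daddr_host) };
    memcpy(buf, &eth, sizeof eth);
    memcpy(buf + sizeof eth, &ip, sizeof ip);
    memset(buf + sizeof eth + sizeof ip, 0, 8);
    return sizeof eth + sizeof ip + 8;          /* 42 bytes */
}

/* Runs one constructed frame through the classifier; truncate_to != 0 cuts
 * the frame short to exercise the bounds checks. Returns the xdp_action. */
static int run_frame(uint8_t proto, uint32_t daddr_host, size_t truncate_to)
{
    uint8_t buf[64];
    size_t len = build_frame(buf, proto, daddr_host);
    if (truncate_to && truncate_to < len)
        len = truncate_to;
    struct xdp_ctx ctx = { .data = buf, .data_end = buf + len };
    return xdp_classify(&ctx);
}

int main(void)
{
    printf("ICMP to 10.0.0.1      -> %d (XDP_DROP = 1)\n",    run_frame(IPPROTO_ICMP, 0x0A000001u, 0));
    printf("TCP to 10.0.0.1       -> %d (XDP_PASS = 2)\n",    run_frame(IPPROTO_TCP,  0x0A000001u, 0));
    printf("ICMP to 10.0.0.2      -> %d (XDP_PASS = 2)\n",    run_frame(IPPROTO_ICMP, 0x0A000002u, 0));
    printf("frame cut at 20 bytes -> %d (XDP_ABORTED = 0)\n", run_frame(IPPROTO_ICMP, 0x0A000001u, 20));
    return 0;
}
```

Build with `cc -Wall -o xdp_demo xdp_demo.c && ./xdp_demo`. In a real XDP object the same `xdp_classify` body is what you would ship, with `ctx->data`/`ctx->data_end` read from the `__u32` fields of `struct xdp_md` and `ntohs`/`htonl` replaced by `bpf_ntohs`/`bpf_htonl` from `<bpf/bpf_endian.h>`; the bounds checks are not optional there, because the verifier refuses to load a program whose loads are not provably inside `[data, data_end)`.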
