BPF, XDP, Packet Filters and UDP

188 points, posted by dochtman, over 4 years ago

13 comments

ignoramous, over 4 years ago

So... this post casually outlines how one could go about building a Global Network Load Balancer at Google-scale. Amazing!

A few naïve questions:

> You can make any protocol work with a custom proxy. Take DNS: your edge servers listen for UDP packets, slap PROXY headers on them, relay the packets to worker servers, unwrap them, and deliver them to containers.

Curious: Wouldn't SOCKS5 here be a like-for-like replacement for PROXY? Why would one choose one over the other?

> WireGuard doesn't have link-layer headers, and XDP wants it to

Is the gist here that WireGuard doesn't because it is Layer 3? And that XDP sits one layer below it?

> Jason Donenfeld even wrote a patch, but the XDP developers were not enthused, just about the concept of XDP running on WireGuard at all

Could someone please explain this? Is it that XDP here didn't want to add support to delegate routing onto WireGuard?

> It's a little hard to articulate how weird it is writing eBPF code. You're in a little wrestling match with the verifier

Would NetMap or Intel's dpdk instead make for a non-enterprising choice here? Don't they have a similar profile in terms of throughput? I guess one has to use a userspace TCP/IP stack like gVisor's NetStack or LwIP to go with NetMap/dpdk?

> Those configurations are fed into distributed service discovery; our servers listen on changes and, when they occur, they update a routing map

How is this system implemented? Curious because uptime, availability, durability, and latency must be of prime importance for such a service. Is there a blog about this detailing the challenges inherent here? Or, does it use consul/etcd or some such out-of-the-box solution?

> a simple map of addresses to actions and next-hops; the Linux bpf(2) system call lets you update these maps on the fly.

Clarification: does this mean the maps are already in a format the bpf(2) command understands, or is something else going on here?

Thanks.

Comment #24854163 not loaded
Comment #24852579 not loaded
Comment #24853894 not loaded
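The last two quotes in the comment above (the routing map of addresses to actions and next-hops, and the wrestling match with the verifier) can be made concrete. What follows is an added example, not code from the post or from Fly: a user-space model in C of the decision an XDP program makes for one UDP frame. The real program is compiled with clang -target bpf, receives its packet as a struct xdp_md and reads the table from a BPF map that user space fills through bpf(2) with BPF_MAP_UPDATE_ELEM; here the map is a plain array, the frame is a byte buffer, and the route_entry layout, the sample addresses and the frame builder are this example's own assumptions. What carries over is the shape of the code: each header is bounds-checked against the end of the packet before it is read, which is exactly what the verifier insists on, and a frame with no map entry falls through to the normal kernel stack.

```c
/* Added example, not the post's or Fly's code: user-space model of an XDP
 * route-map decision. In a real XDP program the table is a BPF map that
 * user space updates through bpf(2); here it is a plain array (assumption). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

enum action { ACT_PASS = 0, ACT_DROP = 1, ACT_REDIRECT = 2 };

/* Hypothetical map value: for UDP traffic to (dst_addr, dst_port), what to
 * do with it and which worker (next hop) to send it to. */
struct route_entry {
    uint32_t dst_addr;   /* IPv4 destination, network byte order */
    uint16_t dst_port;   /* UDP destination port, network byte order */
    uint8_t  action;     /* enum action */
    uint32_t next_hop;   /* worker IPv4 for ACT_REDIRECT, network byte order */
};

struct decision { enum action act; uint32_t next_hop; };

/* Wire-format headers (only the fields this example reads). */
struct eth_w { uint8_t dst[6], src[6]; uint16_t proto; } __attribute__((packed));
struct ip_w  { uint8_t vhl, tos; uint16_t tot_len, id, frag; uint8_t ttl, proto;
               uint16_t csum; uint32_t saddr, daddr; } __attribute__((packed));
struct udp_w { uint16_t sport, dport, len, csum; } __attribute__((packed));

/* Decide what to do with one frame. Every header is checked to fit inside
 * [data, data + len) before it is read; in XDP the same check is written
 * against data_end and the verifier rejects the program without it. A frame
 * too short to classify is passed to the stack rather than guessed at. */
struct decision xdp_decide(const uint8_t *data, size_t len,
                           const struct route_entry *map, size_t map_len)
{
    struct decision d = { ACT_PASS, 0 };
    size_t off = 0;

    if (len < off + sizeof(struct eth_w)) return d;
    const struct eth_w *eth = (const struct eth_w *)(data + off);
    if (eth->proto != htons(0x0800)) return d;              /* not IPv4 */
    off += sizeof(struct eth_w);

    if (len < off + sizeof(struct ip_w)) return d;
    const struct ip_w *ip = (const struct ip_w *)(data + off);
    size_t ihl = (size_t)(ip->vhl & 0x0f) * 4;
    if ((ip->vhl >> 4) != 4 || ihl < sizeof(struct ip_w)) return d; /* malformed */
    if (ip->proto != 17) return d;                          /* not UDP */
    off += ihl;                                             /* skip IP options */

    if (len < off + sizeof(struct udp_w)) return d;
    const struct udp_w *udp = (const struct udp_w *)(data + off);

    /* Map lookup; in XDP this is bpf_map_lookup_elem(&routes, &key). */
    for (size_t i = 0; i < map_len; i++) {
        if (map[i].dst_addr == ip->daddr && map[i].dst_port == udp->dport) {
            d.act = (enum action)map[i].action;
            d.next_hop = map[i].next_hop;
            return d;
        }
    }
    return d;   /* no entry: hand the frame to the normal kernel stack */
}

/* Constructed sample frame (checksums left zero): Ethernet/IPv4/UDP + 4 bytes. */
size_t build_udp_frame(uint8_t *buf, size_t cap, uint32_t daddr_be, uint16_t dport_be)
{
    struct eth_w eth; struct ip_w ip; struct udp_w udp;
    const uint8_t payload[4] = { 0x12, 0x34, 0x01, 0x00 };
    size_t total = sizeof eth + sizeof ip + sizeof udp + sizeof payload;
    if (cap < total) return 0;

    memset(&eth, 0, sizeof eth); eth.proto = htons(0x0800);
    memset(&ip, 0, sizeof ip);
    ip.vhl = 0x45; ip.ttl = 64; ip.proto = 17;
    ip.tot_len = htons((uint16_t)(sizeof ip + sizeof udp + sizeof payload));
    ip.saddr = htonl(0x0a000001);                           /* 10.0.0.1 */
    ip.daddr = daddr_be;
    memset(&udp, 0, sizeof udp);
    udp.sport = htons(40000); udp.dport = dport_be;
    udp.len = htons((uint16_t)(sizeof udp + sizeof payload));

    memcpy(buf, &eth, sizeof eth);
    memcpy(buf + sizeof eth, &ip, sizeof ip);
    memcpy(buf + sizeof eth + sizeof ip, &udp, sizeof udp);
    memcpy(buf + sizeof eth + sizeof ip + sizeof udp, payload, sizeof payload);
    return total;
}

int main(void)
{
    struct route_entry routes[1];
    memset(routes, 0, sizeof routes);
    routes[0].dst_addr = htonl(0xc6336401);                 /* 198.51.100.1 */
    routes[0].dst_port = htons(53);
    routes[0].action = ACT_REDIRECT;
    routes[0].next_hop = htonl(0x0a000102);                 /* worker 10.0.1.2 */

    uint8_t buf[128];
    size_t n = build_udp_frame(buf, sizeof buf, htonl(0xc6336401), htons(53));
    struct decision d = xdp_decide(buf, n, routes, 1);
    printf("action=%d next_hop=%08x\n", d.act, ntohl(d.next_hop));
    return 0;
}
```

On the comment's last question: the map is not "in a format bpf(2) understands" in any special sense. It is a fixed-size key/value table whose layout the XDP program and the control-plane process agree on; bpf(2) copies a new value into it while the program keeps running, which is why a route change never requires reloading the program.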
otoburb, over 4 years ago

>> Linux kernel developers quickly come to the same conclusion the DTrace people came to 15 years ago: if you're going to have a compiler and a kernel-resident VM, you might as well use it for everything. So, the seccomp system call filter gets eBPF. Kprobes get eBPF. Kernel tracepoints gets eBPF. Userland tracing gets eBPF. If it's in the Linux kernel and it's going to be programmable (even if it shouldn't be), it's going to be programmed with eBPF soon.

Feels like Oprah Winfrey's September 13th, 2004 show: "YOU get a car! YOU get a car! And YOU get a car! Everybody gets a car!"[1]

[1] https://www.youtube.com/watch?v=pviYWzu0dzk
keithalewis, over 4 years ago
This article is remarkably well written. The first paragraph lays out why you would want to read it, or not. It then presents a well documented history of the problems it is solving to illustrate the whys and wherefores of the product. Well done! Thanks.
Aaronstotle, over 4 years ago

I really enjoyed this post. As someone who doesn't possess much programming prowess, I am fascinated with eBPF/kernel sub-systems and I am always eager to learn more. I might have to take the author's advice and build an emulator soon.

Comment #24853351 not loaded
bogomipz, over 4 years ago

The post states:

> "You can make any protocol work with a custom proxy. Take DNS: your edge servers listen for UDP packets, slap PROXY headers on them, relay the packets to worker servers, unwrap them, and deliver them to containers. You can intercept all of UDP with AF_PACKET sockets, and write the last hop packet that way too to fake addresses out. And at first, that's how I implemented this for Fly."

This is really interesting. I looked at the linked blog post and was hoping there were more implementation details. Does your Fly pi-hole use HAProxy and the PROXY headers then? Is the config for that available anywhere I could see?

Comment #24851575 not loaded
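Two comments in this thread (ignoramous asking how PROXY compares with SOCKS5, and the one above asking how the PROXY headers on UDP are actually done) quote the same passage, so one added example serves both. It is not code from the post, from Fly or from HAProxy: it wraps and unwraps a single datagram with the PROXY protocol v2 binary header, whose byte layout (12-byte signature, version/command byte, family/transport byte, big-endian address-block length, then IPv4 source and destination addresses and ports) follows the published v2 specification. Putting a header on every datagram rather than once per connection is how the post's description is read here, and the sample addresses and payload bytes are constructed. PROXY is header-only framing with no handshake, which is what makes it usable on a per-datagram relay; the unwrap side's checks are the part worth copying, because a worker that believed an unchecked header would let any peer that can reach it spoof client addresses.

```c
/* Added example, not Fly's or HAProxy's code: PROXY protocol v2 header on a
 * relayed UDP datagram. Layout per the published v2 spec; using it per
 * datagram is this example's reading of the post (assumption). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

#define PP2_HDR_LEN 28   /* 16-byte fixed part + 12-byte IPv4 address block */
static const uint8_t PP2_SIG[12] = "\r\n\r\n\0\r\nQUIT\n";

/* Real client tuple as seen by the edge; all fields in network byte order. */
struct pp2_addr { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; };

/* Edge side: prefix one datagram with a v2 PROXY header for AF_INET/DGRAM.
 * Returns the total length written, or 0 if the output buffer is too small. */
size_t pp2_wrap(uint8_t *out, size_t cap, const struct pp2_addr *a,
                const uint8_t *payload, size_t plen)
{
    if (cap < PP2_HDR_LEN + plen) return 0;
    memcpy(out, PP2_SIG, sizeof PP2_SIG);
    out[12] = 0x21;                 /* high nibble: version 2; low nibble: PROXY command */
    out[13] = 0x12;                 /* high nibble: AF_INET; low nibble: DGRAM (UDP) */
    out[14] = 0; out[15] = 12;      /* address block length, big-endian */
    memcpy(out + 16, &a->src_ip, 4);
    memcpy(out + 20, &a->dst_ip, 4);
    memcpy(out + 24, &a->src_port, 2);
    memcpy(out + 26, &a->dst_port, 2);
    memcpy(out + PP2_HDR_LEN, payload, plen);
    return PP2_HDR_LEN + plen;
}

/* Worker side: validate and strip the header. Returns 0 and points *payload
 * at the inner datagram, or -1 for anything that is not a well-formed
 * v2 PROXY / IPv4 / UDP header (wrong signature, LOCAL command, other
 * family, length that overruns the datagram). Because the header is plain
 * data, the worker must also only accept these datagrams from its edges. */
int pp2_unwrap(const uint8_t *in, size_t len, struct pp2_addr *a,
               const uint8_t **payload, size_t *plen)
{
    if (len < PP2_HDR_LEN) return -1;
    if (memcmp(in, PP2_SIG, sizeof PP2_SIG) != 0) return -1;
    if (in[12] != 0x21) return -1;  /* only version 2 with the PROXY command */
    if (in[13] != 0x12) return -1;  /* only IPv4 over UDP */
    size_t alen = ((size_t)in[14] << 8) | in[15];
    if (alen < 12 || 16 + alen > len) return -1;  /* block may carry TLVs after the addresses */
    memcpy(&a->src_ip, in + 16, 4);
    memcpy(&a->dst_ip, in + 20, 4);
    memcpy(&a->src_port, in + 24, 2);
    memcpy(&a->dst_port, in + 26, 2);
    *payload = in + 16 + alen;
    *plen = len - 16 - alen;
    return 0;
}

int main(void)
{
    /* Constructed sample: client 203.0.113.1:51234 -> 198.51.100.1:53, 4 payload bytes. */
    struct pp2_addr a, b;
    a.src_ip = htonl(0xcb007101); a.dst_ip = htonl(0xc6336401);
    a.src_port = htons(51234);    a.dst_port = htons(53);
    const uint8_t dns[4] = { 0x12, 0x34, 0x01, 0x00 };
    uint8_t wire[64];
    const uint8_t *inner; size_t ilen;

    size_t n = pp2_wrap(wire, sizeof wire, &a, dns, sizeof dns);
    if (pp2_unwrap(wire, n, &b, &inner, &ilen) == 0)
        printf("client %08x:%u, %zu payload bytes\n", ntohl(b.src_ip), ntohs(b.src_port), ilen);
    return 0;
}
```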
austinpena, over 4 years ago
I’ve had nothing but good experiences using Fly
DSingularity, over 4 years ago

"If you're just looking to play around with this stuff, by the way, I can give you a Dockerfile that will get you a janky build environment, which is how I did my BPF development before I started using perf, which I couldn't get working under macOS Docker"

Anyone find this?

Comment #24850924 not loaded
ncmncm, over 4 years ago

You don't have to write your eBPF code in C: You can write it in C++! Or Rust! Or Fortran? About anything that can be translated to LLVM IR. Zig! Nim! Zim!

So, that is the way we will get to run C++ code in the Linux kernel. And, soon enough, in the BSDs.

It is hard to get a sense of how janky all this is, or how amazing it is that all this Rube Goldberg gimcrackery can be made to work the wonders it is seen to do all day, every day. It's not just a dancing bear, it's a bear on the Bolshoi stage!

(Donenfeld had better get his act together and get wireguard fitting better with how eBPF wants things to be, because that is where the world is headed.)

If your program isn't spending most of its time inside the kernel running code sorta JITted from eBPF, you're just not serious about performance.

Unless, of course, you have gone full-on kernel bypass, and the kernel never gets your packets at all. Then you can just run straight-up, optimized native machine code translated directly from C++, or Rust, or even, with masochism enough, C!

Comment #24864710 not loaded
Comment #24855545 not loaded
dochtman, over 4 years ago

So presumably this will also open up avenues for doing QUIC and thus HTTP/3 on Fly?

Comment #24848828 not loaded
edf13, over 4 years ago

Could this be opened up to other (non-HTTP) protocols and also over UDP?

Comment #24851826 not loaded
Comment #24850929 not loaded
bogomipz, over 4 years ago

I was curious about what the fly.io container orchestrator that runs this edge architecture is, and were there any challenges implementing this on that? Cheers.

Comment #24853342 not loaded
bonfire, over 4 years ago

Really liked this blog post. Thank you. I've always found eBPF to be "magic".
iammarco11, over 4 years ago

Is there any forward proxy I can use which supports HTTP/3 so I can monitor the traffic?