
Show HN: Netfence – Like Envoy for eBPF Filters

37 points by dangoodmanUT, today at 3:13 PM, 6 comments

To power the firewalling for our agents so that they couldn't contact arbitrary services, I built netfence. It's like Envoy but for eBPF filters.

It allows you to define different DNS-based rules that are resolved in a local daemon to IPs, then pushed to the eBPF filter to allow traffic. By doing it this way, we can still allow DNS-defined rules, but prevent contacting random IPs.

There's also no network performance penalty, since it's just DNS lookups and eBPF filters referencing memory.

It also means you don't have to tamper with the base image, which the agent could potentially manipulate to remove rules (unless you prevent root maybe).

It automatically manages the lifecycle of eBPF filters on cgroups and interfaces, so it works well for both containers and micro VMs (like Firecracker).

You implement a control plane, just like Envoy xDS, through which you can manage the rules of each cgroup/interface. You can even manage DNS through the control plane to dynamically resolve records (which is helpful as a normal DNS server doesn't know which interface/cgroup a request might be coming from).

We specifically use this to allow our agents to only contact S3, pip, apt, and npm.
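A small simulation of the flow the post describes (DNS-based rules resolved by a local daemon into a set of IPs that the per-packet filter consults), added here as an example and not taken from the netfence project. The resolver is a constructed stub so it runs offline, the dict stands in for the eBPF map, and the TTL-plus-grace handling of rotated records is an assumption about how such a daemon could behave, not netfence's documented behaviour.

```python
import ipaddress

GRACE_SECONDS = 30  # assumed grace period after TTL expiry (not from the post)

# Constructed stand-in for DNS: name -> (addresses, ttl_seconds); runs offline.
FAKE_DNS = {
    "s3.example.test": (["192.0.2.10", "192.0.2.11"], 300),
    "pypi.example.test": (["198.51.100.5"], 60),
}


def fake_resolve(name):
    """Return (addresses, ttl) for a name; unknown names raise KeyError."""
    return FAKE_DNS[name]


class Allowlist:
    """Stands in for the eBPF map the filter reads: dst IP -> expiry time."""

    def __init__(self):
        self.entries = {}

    def sync(self, rules, now, resolver=fake_resolve):
        """Daemon side: resolve every DNS rule and push the addresses.
        Each address stays allowed for the record's TTL plus a grace period,
        so a client that cached the old record is not cut off the moment
        the record rotates; expired addresses are garbage-collected."""
        for name in rules:
            addrs, ttl = resolver(name)
            for addr in addrs:
                ip = str(ipaddress.ip_address(addr))  # rejects malformed input
                expiry = now + ttl + GRACE_SECONDS
                # never shorten the lifetime of an entry that is already present
                self.entries[ip] = max(expiry, self.entries.get(ip, 0))
        self.entries = {ip: exp for ip, exp in self.entries.items() if exp > now}

    def allowed(self, dst_ip, now):
        """Filter side: one hash lookup per packet; hostnames never appear here."""
        expiry = self.entries.get(dst_ip)
        return expiry is not None and expiry > now


if __name__ == "__main__":
    acl = Allowlist()
    acl.sync(["s3.example.test", "pypi.example.test"], now=0)
    print(acl.allowed("192.0.2.10", 1), acl.allowed("203.0.113.9", 1))
```

Because the filter only ever compares destination addresses against the map, a name that resolves to a new IP becomes reachable only after the daemon's next sync pushes it, which is the crux of the stale-cache question raised in the comments.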


Comments

fcarraldo, today at 6:24 PM

Neat. One issue I’ve encountered with lookup-based rules is the latency of updating the client’s name caches when records become stale. How do you handle that here, or does it need to be done in L7?

__turbobrew__, today at 7:00 PM

If you are running kubernetes, is there any reason to use this over cilium? What you are doing sounds very similar to what cilium does.

smw, today at 6:05 PM

The first sentence of the README is:

  Like Envoy xDS, but for eBPF filters.
Which would make the title make much more sense!