cilium | eBPF-based Networking , Security , and Observability | Networking library

I am learning loopback TCP acceleration technique based on the eBPF sockmap / redirection.

I've found that in all the relevant articles and examples, it seems that we just need to add entries to the sockmap table via the bpf_sock_hash_update method, then look up the table and redirect via the bpf_msg_redirect_hash method. For example: here, here, and here.

I didn't find any code to delete entries from the sockmap table (eg: call bpf_map_delete_elem etc). At the same time, I also haven't found any code in the kernel that automatically deletes entries for the closed tcp connections, for example: here.

So I'm curious, why is there no need to delete sockmap entries for closed connections in these articles and code?

And do we need to detect TCP FIN events in our ebpf code and then explicitly delete the corresponding entry in the sockmap?

Thanks :-)

I am trying to enable DNS for my pods with network policy. I am using https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/

When DNS works:

I am unable to unload a BPF program from code. I am using the Cilium eBPF library to load the program and netlink to add the BPF function to an interface. Here's what I'm doing:

I'm trying to compile kaniko on a raspberry pi.

I don't program in golang, but I was able to compile kaniko successfully a few weeks ago on the same raspberry pi, and even wrote myself a guide of the steps to follow, but now, following the same steps, something is broken.

kaiko requires go, but a more recent version of go then found in the raspberry pi repos, so I download and install go from scratch. go requires go to compile, so I first install it (an older version) from the repos, and then remove it after it's done compiling a more recent version of itself:

Install go:

I am currently trying to move my calico based clusters to the new Dataplane V2, which is basically a managed Cilium offering. For local testing, I am running k3d with open source cilium installed, and created a set of NetworkPolicies (k8s native ones, not CiliumPolicies), which lock down the desired namespaces.

My current issue is, that when porting the same Policies on a GKE cluster (with DataPlane enabled), those same policies don't work.

As an example let's take a look into the connection between some app and a database:

How can egress from a Kubernetes pod be limited to only specific FQDN/DNS with Azure CNI Network Policies?

This is something that can be achieved with:

Istio

As the following, bpf verifier log is truncated at the last. How could I get the full log ?

bpf_xdp_adjust_meta(ctx, -delta); is returning error code -13 (permission denied) when delta > 32.
But BPF and XDP Reference Guide states that there are 256 bytes headroom for metadata.
So did I misunderstand something or how can I use 256 bytes for metadata?

I'm trying to create an internal ingress for inter-cluster communication with gke. The service that I'm trying to expose is headless and points to a kafka-broker on the cluster.

However when I try to load up the ingress, it says it cannot find the service?