Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Building a Lightning Fast Firewall with Java & ...
Search
Johannes Bechberger
September 02, 2024
0
280
Building a Lightning Fast Firewall with Java & eBPF (JavaZone 2024)
Johannes Bechberger
September 02, 2024
Tweet
Share
More Decks by Johannes Bechberger
See All by Johannes Bechberger
Sound of Scheduling: Writing Linux Schedulers in Java with eBPF
parttimenerd
0
11
hello-ebpf: Writing eBPF programs directly in Java
parttimenerd
0
12
Writing a Linux scheduler in Java with eBPF
parttimenerd
0
39
Instrument to remove (JavaForum Stuttgart 2024)
parttimenerd
0
37
Python 3.12's new monitoring and debugging API (PyConDE 2024)
parttimenerd
0
54
Instrument to remove (VoxxedDays Zürich 2024)
parttimenerd
0
44
Let’s create a Python Debugger together (PyConLt 2024)
parttimenerd
0
47
Python 3.12's new monitoring and debugging API
parttimenerd
0
110
Inner Workings of Safepoints
parttimenerd
0
83
Featured
See All Featured
Building a Scalable Design System with Sketch
lauravandoore
461
33k
Producing Creativity
orderedlist
PRO
344
39k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
33
2.8k
[RailsConf 2023] Rails as a piece of cake
palkan
53
5.2k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
4 Signs Your Business is Dying
shpigford
182
22k
For a Future-Friendly Web
brad_frost
176
9.5k
Six Lessons from altMBA
skipperchong
27
3.6k
Automating Front-end Workflow
addyosmani
1368
200k
Building Adaptive Systems
keathley
40
2.4k
Building Applications with DynamoDB
mza
93
6.2k
What's in a price? How to price your products and services
michaelherold
244
12k
Transcript
Building a Lightning Fast Firewall in Java & eBPF Mohammed
Aboullaite @laytoun Sr Backend Engineer, Spotify Java Champion Google Developer Expert Johannes Bechberger mostlynerdless.de OpenJDK Developer, SAP Creator of hello-ebpf
We have a simple web application
We have a simple web application DDoS Attack
The naïve way?
None
Drop packets in your application
Any Problems?
Sockets https://mostlynerdless.de/blog/2024/08/13/hello-ebpf-a-packet-logger-in-pure-java-using-tc-and-xdp-hooks-13/
Alternative: Use a Firewall
How to improve it?
https://blog.cloudflare.com/how-to-drop-10-million-packets/
Become a 10x Firewall
vs https://blog.cloudflare.com/how-to-drop-10-million-packets/
Sockets Allocations XDP
https://blog.cloudflare.com/how-to-drop-10-million-packets/ vs even faster with offloading
Option 1: Change Kernel Traditional ways Option 2: Kernel Module
Greg Kroah-Hartman “ https://www.kernel.org/doc/html/latest/process/stable-api-nonsense.html https://www.youtube.com/watch?v=agC5N9I6jRE You think you want a
stable kernel interface, but you really do not, and you don’t even know it.
Option 1: Change Kernel Traditional ways Option 2: Kernel Module
Can we do better?
None
eBPF is a crazy technology, it’s like putting JavaScript into
the Linux kernel Brendan Gregg “ https://www.youtube.com/watch?v=tDacjrSCeq4
https://www.facesofopensource.com/brendan-gregg/ eBPF is a crazy technology, it’s like putting JavaScript
into the Linux kernel “ Brendan Gregg
eBPF is making the Linux Kernel programmable at native execution
speed!
eBPF runtime
None
None
eBPF runtime Safety and Security Efficiency Continuous delivery Standard
How to share data? https://mostlynerdless.de/blog/2024/01/12/hello-ebpf-recording-data-in-basic-ebpf-maps-2/
How to share data? Any Problems?
How to share data? https://mostlynerdless.de/blog/2024/01/12/hello-ebpf-recording-data-in-basic-ebpf-maps-2/
eBPF Maps
eBPF Maps Map Types • (LRU) Hash Maps • Arrays
• Ring Buffers • … https://mostlynerdless.de/blog/2024/03/12/hello-ebpf-ring-buffers-in-libbpf-6/
eBPF hooks https://ebpf.io/what-is-ebpf/
Tracing & Profiling
Observability and Monitoring https://coralogix.com/blog/what-ebpf-why-important-for-observability/
Security Control https://coralogix.com/blog/what-ebpf-why-important-for-observability/ https://ubuntu.com/wp-content/uploads/1e80/AppArmour.png
https://commons.wikimedia.org/wiki/File:CrowdStrike_BSOD_at_LGA.jpg
eBPF has bugs too (and kernel level access) https://nvd.nist.gov/vuln/
eBPF Ecosystem https://ebpf.io
https://github.com/parttimenerd/hello-ebpf eBPF Ecosystem
eBPF is a crazy technology, it’s like putting JavaScript into
the Linux kernel https://www.youtube.com/watch?v=tDacjrSCeq4 “ Brendan Gregg
eBPF is a crazy technology, it’s like putting JavaScript into
the Linux kernel https://www.youtube.com/watch?v=tDacjrSCeq4 “ Brendan Gregg
https://www.youtube.com/watch?v=X3AWV5lJ6RY
https://www.youtube.com/watch?v=X3AWV5lJ6RY user land
None
Work in Progress
Live Coding
Live Coding Having fun with eBPF
Firewall Demo
XDP https://mostlynerdless.de/blog/2024/04/22/hello-ebpf-xdp-based-packet-filter-9
Sockets XDP
XDP https://mostlynerdless.de/blog/2024/04/22/hello-ebpf-xdp-based-packet-filter-9
The only way of disco- vering the limits of the
possible is to venture a little way past them into the impossible. Clarke’s second law “ https://www.flickr.com/photos/itupictures/16636142906
Project Panama
None
And for the compiler nerds https://godbolt.org/z/9xoMzsc4b
Blog Posts A post every other week since January
A glimpse into the future Java as a first class
language for eBPF
A glimpse into the future https://www.infoq.com/presentations/facebook-google-bpf-linux-kernel/ https://en.wikipedia.org/wiki/File:Pistachio_macro_whitebackground_NS.jpg Towards a Micro-Kernel
A glimpse into the future Kernel Fixes Reimagined https://www.infoq.com/presentations/facebook-google-bpf-linux-kernel/
A glimpse into the future Kernel Recipes 2023 - sched_ext:
pluggable scheduling in the Linux kernel
None
Final thoughts!
Thank you Mohammed Aboullaite @laytoun
[email protected]
Thanks to Dylan Reimerink
Resources Johannes Bechberger mostlynerdless.de @parttimen3rd @
[email protected]