Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Building a Lightning Fast Firewall with Java & ...
Search
Johannes Bechberger
September 02, 2024
0
280
Building a Lightning Fast Firewall with Java & eBPF (JavaZone 2024)
Johannes Bechberger
September 02, 2024
Tweet
Share
More Decks by Johannes Bechberger
See All by Johannes Bechberger
Sound of Scheduling: Writing Linux Schedulers in Java with eBPF
parttimenerd
0
11
hello-ebpf: Writing eBPF programs directly in Java
parttimenerd
0
12
Writing a Linux scheduler in Java with eBPF
parttimenerd
0
40
Instrument to remove (JavaForum Stuttgart 2024)
parttimenerd
0
37
Python 3.12's new monitoring and debugging API (PyConDE 2024)
parttimenerd
0
54
Instrument to remove (VoxxedDays Zürich 2024)
parttimenerd
0
46
Let’s create a Python Debugger together (PyConLt 2024)
parttimenerd
0
48
Python 3.12's new monitoring and debugging API
parttimenerd
0
110
Inner Workings of Safepoints
parttimenerd
0
83
Featured
See All Featured
Large-scale JavaScript Application Architecture
addyosmani
511
110k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
10
1.3k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
53k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
366
25k
Building an army of robots
kneath
303
45k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
114
50k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.3k
The Language of Interfaces
destraynor
156
24k
Building Applications with DynamoDB
mza
93
6.2k
Raft: Consensus for Rubyists
vanstee
137
6.8k
Code Review Best Practice
trishagee
67
18k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
Transcript
Building a Lightning Fast Firewall in Java & eBPF Mohammed
Aboullaite @laytoun Sr Backend Engineer, Spotify Java Champion Google Developer Expert Johannes Bechberger mostlynerdless.de OpenJDK Developer, SAP Creator of hello-ebpf
We have a simple web application
We have a simple web application DDoS Attack
The naïve way?
None
Drop packets in your application
Any Problems?
Sockets https://mostlynerdless.de/blog/2024/08/13/hello-ebpf-a-packet-logger-in-pure-java-using-tc-and-xdp-hooks-13/
Alternative: Use a Firewall
How to improve it?
https://blog.cloudflare.com/how-to-drop-10-million-packets/
Become a 10x Firewall
vs https://blog.cloudflare.com/how-to-drop-10-million-packets/
Sockets Allocations XDP
https://blog.cloudflare.com/how-to-drop-10-million-packets/ vs even faster with offloading
Option 1: Change Kernel Traditional ways Option 2: Kernel Module
Greg Kroah-Hartman “ https://www.kernel.org/doc/html/latest/process/stable-api-nonsense.html https://www.youtube.com/watch?v=agC5N9I6jRE You think you want a
stable kernel interface, but you really do not, and you don’t even know it.
Option 1: Change Kernel Traditional ways Option 2: Kernel Module
Can we do better?
None
eBPF is a crazy technology, it’s like putting JavaScript into
the Linux kernel Brendan Gregg “ https://www.youtube.com/watch?v=tDacjrSCeq4
https://www.facesofopensource.com/brendan-gregg/ eBPF is a crazy technology, it’s like putting JavaScript
into the Linux kernel “ Brendan Gregg
eBPF is making the Linux Kernel programmable at native execution
speed!
eBPF runtime
None
None
eBPF runtime Safety and Security Efficiency Continuous delivery Standard
How to share data? https://mostlynerdless.de/blog/2024/01/12/hello-ebpf-recording-data-in-basic-ebpf-maps-2/
How to share data? Any Problems?
How to share data? https://mostlynerdless.de/blog/2024/01/12/hello-ebpf-recording-data-in-basic-ebpf-maps-2/
eBPF Maps
eBPF Maps Map Types • (LRU) Hash Maps • Arrays
• Ring Buffers • … https://mostlynerdless.de/blog/2024/03/12/hello-ebpf-ring-buffers-in-libbpf-6/
eBPF hooks https://ebpf.io/what-is-ebpf/
Tracing & Profiling
Observability and Monitoring https://coralogix.com/blog/what-ebpf-why-important-for-observability/
Security Control https://coralogix.com/blog/what-ebpf-why-important-for-observability/ https://ubuntu.com/wp-content/uploads/1e80/AppArmour.png
https://commons.wikimedia.org/wiki/File:CrowdStrike_BSOD_at_LGA.jpg
eBPF has bugs too (and kernel level access) https://nvd.nist.gov/vuln/
eBPF Ecosystem https://ebpf.io
https://github.com/parttimenerd/hello-ebpf eBPF Ecosystem
eBPF is a crazy technology, it’s like putting JavaScript into
the Linux kernel https://www.youtube.com/watch?v=tDacjrSCeq4 “ Brendan Gregg
eBPF is a crazy technology, it’s like putting JavaScript into
the Linux kernel https://www.youtube.com/watch?v=tDacjrSCeq4 “ Brendan Gregg
https://www.youtube.com/watch?v=X3AWV5lJ6RY
https://www.youtube.com/watch?v=X3AWV5lJ6RY user land
None
Work in Progress
Live Coding
Live Coding Having fun with eBPF
Firewall Demo
XDP https://mostlynerdless.de/blog/2024/04/22/hello-ebpf-xdp-based-packet-filter-9
Sockets XDP
XDP https://mostlynerdless.de/blog/2024/04/22/hello-ebpf-xdp-based-packet-filter-9
The only way of disco- vering the limits of the
possible is to venture a little way past them into the impossible. Clarke’s second law “ https://www.flickr.com/photos/itupictures/16636142906
Project Panama
None
And for the compiler nerds https://godbolt.org/z/9xoMzsc4b
Blog Posts A post every other week since January
A glimpse into the future Java as a first class
language for eBPF
A glimpse into the future https://www.infoq.com/presentations/facebook-google-bpf-linux-kernel/ https://en.wikipedia.org/wiki/File:Pistachio_macro_whitebackground_NS.jpg Towards a Micro-Kernel
A glimpse into the future Kernel Fixes Reimagined https://www.infoq.com/presentations/facebook-google-bpf-linux-kernel/
A glimpse into the future Kernel Recipes 2023 - sched_ext:
pluggable scheduling in the Linux kernel
None
Final thoughts!
Thank you Mohammed Aboullaite @laytoun
[email protected]
Thanks to Dylan Reimerink
Resources Johannes Bechberger mostlynerdless.de @parttimen3rd @
[email protected]