Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Building a Lightning Fast Firewall with Java & ...
Search
Johannes Bechberger
September 02, 2024
0
28
Building a Lightning Fast Firewall with Java & eBPF (JavaZone 2024)
Johannes Bechberger
September 02, 2024
Tweet
Share
More Decks by Johannes Bechberger
See All by Johannes Bechberger
Writing a Linux scheduler in Java with eBPF
parttimenerd
0
16
Instrument to remove (JavaForum Stuttgart 2024)
parttimenerd
0
20
Python 3.12's new monitoring and debugging API (PyConDE 2024)
parttimenerd
0
36
Instrument to remove (VoxxedDays Zürich 2024)
parttimenerd
0
21
Let’s create a Python Debugger together (PyConLt 2024)
parttimenerd
0
31
Python 3.12's new monitoring and debugging API
parttimenerd
0
88
Inner Workings of Safepoints
parttimenerd
0
61
Do you trust profilers? I once did too
parttimenerd
0
53
DIY Python Debugger
parttimenerd
0
5k
Featured
See All Featured
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
93
16k
Into the Great Unknown - MozCon
thekraken
32
1.5k
The Cult of Friendly URLs
andyhume
78
6k
Making Projects Easy
brettharned
115
5.9k
Git: the NoSQL Database
bkeepers
PRO
427
64k
Happy Clients
brianwarren
98
6.7k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
We Have a Design System, Now What?
morganepeng
50
7.2k
Building Your Own Lightsaber
phodgson
103
6.1k
Embracing the Ebb and Flow
colly
84
4.5k
A designer walks into a library…
pauljervisheath
203
24k
Transcript
Building a Lightning Fast Firewall in Java & eBPF Mohammed
Aboullaite @laytoun Sr Backend Engineer, Spotify Java Champion Google Developer Expert Johannes Bechberger mostlynerdless.de OpenJDK Developer, SAP Creator of hello-ebpf
We have a simple web application
We have a simple web application DDoS Attack
The naïve way?
None
Drop packets in your application
Any Problems?
Sockets https://mostlynerdless.de/blog/2024/08/13/hello-ebpf-a-packet-logger-in-pure-java-using-tc-and-xdp-hooks-13/
Alternative: Use a Firewall
How to improve it?
https://blog.cloudflare.com/how-to-drop-10-million-packets/
Become a 10x Firewall
vs https://blog.cloudflare.com/how-to-drop-10-million-packets/
Sockets Allocations XDP
https://blog.cloudflare.com/how-to-drop-10-million-packets/ vs even faster with offloading
Option 1: Change Kernel Traditional ways Option 2: Kernel Module
Greg Kroah-Hartman “ https://www.kernel.org/doc/html/latest/process/stable-api-nonsense.html https://www.youtube.com/watch?v=agC5N9I6jRE You think you want a
stable kernel interface, but you really do not, and you don’t even know it.
Option 1: Change Kernel Traditional ways Option 2: Kernel Module
Can we do better?
None
eBPF is a crazy technology, it’s like putting JavaScript into
the Linux kernel Brendan Gregg “ https://www.youtube.com/watch?v=tDacjrSCeq4
https://www.facesofopensource.com/brendan-gregg/ eBPF is a crazy technology, it’s like putting JavaScript
into the Linux kernel “ Brendan Gregg
eBPF is making the Linux Kernel programmable at native execution
speed!
eBPF runtime
None
None
eBPF runtime Safety and Security Efficiency Continuous delivery Standard
How to share data? https://mostlynerdless.de/blog/2024/01/12/hello-ebpf-recording-data-in-basic-ebpf-maps-2/
How to share data? Any Problems?
How to share data? https://mostlynerdless.de/blog/2024/01/12/hello-ebpf-recording-data-in-basic-ebpf-maps-2/
eBPF Maps
eBPF Maps Map Types • (LRU) Hash Maps • Arrays
• Ring Buffers • … https://mostlynerdless.de/blog/2024/03/12/hello-ebpf-ring-buffers-in-libbpf-6/
eBPF hooks https://ebpf.io/what-is-ebpf/
Tracing & Profiling
Observability and Monitoring https://coralogix.com/blog/what-ebpf-why-important-for-observability/
Security Control https://coralogix.com/blog/what-ebpf-why-important-for-observability/ https://ubuntu.com/wp-content/uploads/1e80/AppArmour.png
https://commons.wikimedia.org/wiki/File:CrowdStrike_BSOD_at_LGA.jpg
eBPF has bugs too (and kernel level access) https://nvd.nist.gov/vuln/
eBPF Ecosystem https://ebpf.io
https://github.com/parttimenerd/hello-ebpf eBPF Ecosystem
eBPF is a crazy technology, it’s like putting JavaScript into
the Linux kernel https://www.youtube.com/watch?v=tDacjrSCeq4 “ Brendan Gregg
eBPF is a crazy technology, it’s like putting JavaScript into
the Linux kernel https://www.youtube.com/watch?v=tDacjrSCeq4 “ Brendan Gregg
https://www.youtube.com/watch?v=X3AWV5lJ6RY
https://www.youtube.com/watch?v=X3AWV5lJ6RY user land
None
Work in Progress
Live Coding
Live Coding Having fun with eBPF
Firewall Demo
XDP https://mostlynerdless.de/blog/2024/04/22/hello-ebpf-xdp-based-packet-filter-9
Sockets XDP
XDP https://mostlynerdless.de/blog/2024/04/22/hello-ebpf-xdp-based-packet-filter-9
The only way of disco- vering the limits of the
possible is to venture a little way past them into the impossible. Clarke’s second law “ https://www.flickr.com/photos/itupictures/16636142906
Project Panama
None
And for the compiler nerds https://godbolt.org/z/9xoMzsc4b
Blog Posts A post every other week since January
A glimpse into the future Java as a first class
language for eBPF
A glimpse into the future https://www.infoq.com/presentations/facebook-google-bpf-linux-kernel/ https://en.wikipedia.org/wiki/File:Pistachio_macro_whitebackground_NS.jpg Towards a Micro-Kernel
A glimpse into the future Kernel Fixes Reimagined https://www.infoq.com/presentations/facebook-google-bpf-linux-kernel/
A glimpse into the future Kernel Recipes 2023 - sched_ext:
pluggable scheduling in the Linux kernel
None
Final thoughts!
Thank you Mohammed Aboullaite @laytoun
[email protected]
Thanks to Dylan Reimerink
Resources Johannes Bechberger mostlynerdless.de @parttimen3rd @
[email protected]