Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Building a Lightning Fast Firewall with Java & ...
Search
Johannes Bechberger
September 02, 2024
0
320
Building a Lightning Fast Firewall with Java & eBPF (JavaZone 2024)
Johannes Bechberger
September 02, 2024
Tweet
Share
More Decks by Johannes Bechberger
See All by Johannes Bechberger
Who instruments the instrumenters?
parttimenerd
0
4
hello-ebpf: Writing eBPF programs directly in Java
parttimenerd
0
4
Writing a Minimal Scheduler with eBPF, sched_ext, and C
parttimenerd
0
23
Sound of Scheduling: Writing Linux Schedulers in Java with eBPF
parttimenerd
0
18
hello-ebpf: Writing eBPF programs directly in Java
parttimenerd
0
33
Writing a Linux scheduler in Java with eBPF
parttimenerd
0
63
Instrument to remove (JavaForum Stuttgart 2024)
parttimenerd
0
62
Python 3.12's new monitoring and debugging API (PyConDE 2024)
parttimenerd
0
69
Instrument to remove (VoxxedDays Zürich 2024)
parttimenerd
0
62
Featured
See All Featured
Typedesign – Prime Four
hannesfritz
42
2.7k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
44
2.4k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
50
5.5k
Adopting Sorbet at Scale
ufuk
77
9.5k
Docker and Python
trallard
45
3.5k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
138
34k
Optimizing for Happiness
mojombo
379
70k
We Have a Design System, Now What?
morganepeng
53
7.7k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
10
970
Fireside Chat
paigeccino
37
3.5k
A Modern Web Designer's Workflow
chriscoyier
695
190k
Producing Creativity
orderedlist
PRO
346
40k
Transcript
Building a Lightning Fast Firewall in Java & eBPF Mohammed
Aboullaite @laytoun Sr Backend Engineer, Spotify Java Champion Google Developer Expert Johannes Bechberger mostlynerdless.de OpenJDK Developer, SAP Creator of hello-ebpf
We have a simple web application
We have a simple web application DDoS Attack
The naïve way?
None
Drop packets in your application
Any Problems?
Sockets https://mostlynerdless.de/blog/2024/08/13/hello-ebpf-a-packet-logger-in-pure-java-using-tc-and-xdp-hooks-13/
Alternative: Use a Firewall
How to improve it?
https://blog.cloudflare.com/how-to-drop-10-million-packets/
Become a 10x Firewall
vs https://blog.cloudflare.com/how-to-drop-10-million-packets/
Sockets Allocations XDP
https://blog.cloudflare.com/how-to-drop-10-million-packets/ vs even faster with offloading
Option 1: Change Kernel Traditional ways Option 2: Kernel Module
Greg Kroah-Hartman “ https://www.kernel.org/doc/html/latest/process/stable-api-nonsense.html https://www.youtube.com/watch?v=agC5N9I6jRE You think you want a
stable kernel interface, but you really do not, and you don’t even know it.
Option 1: Change Kernel Traditional ways Option 2: Kernel Module
Can we do better?
None
eBPF is a crazy technology, it’s like putting JavaScript into
the Linux kernel Brendan Gregg “ https://www.youtube.com/watch?v=tDacjrSCeq4
https://www.facesofopensource.com/brendan-gregg/ eBPF is a crazy technology, it’s like putting JavaScript
into the Linux kernel “ Brendan Gregg
eBPF is making the Linux Kernel programmable at native execution
speed!
eBPF runtime
None
None
eBPF runtime Safety and Security Efficiency Continuous delivery Standard
How to share data? https://mostlynerdless.de/blog/2024/01/12/hello-ebpf-recording-data-in-basic-ebpf-maps-2/
How to share data? Any Problems?
How to share data? https://mostlynerdless.de/blog/2024/01/12/hello-ebpf-recording-data-in-basic-ebpf-maps-2/
eBPF Maps
eBPF Maps Map Types • (LRU) Hash Maps • Arrays
• Ring Buffers • … https://mostlynerdless.de/blog/2024/03/12/hello-ebpf-ring-buffers-in-libbpf-6/
eBPF hooks https://ebpf.io/what-is-ebpf/
Tracing & Profiling
Observability and Monitoring https://coralogix.com/blog/what-ebpf-why-important-for-observability/
Security Control https://coralogix.com/blog/what-ebpf-why-important-for-observability/ https://ubuntu.com/wp-content/uploads/1e80/AppArmour.png
https://commons.wikimedia.org/wiki/File:CrowdStrike_BSOD_at_LGA.jpg
eBPF has bugs too (and kernel level access) https://nvd.nist.gov/vuln/
eBPF Ecosystem https://ebpf.io
https://github.com/parttimenerd/hello-ebpf eBPF Ecosystem
eBPF is a crazy technology, it’s like putting JavaScript into
the Linux kernel https://www.youtube.com/watch?v=tDacjrSCeq4 “ Brendan Gregg
eBPF is a crazy technology, it’s like putting JavaScript into
the Linux kernel https://www.youtube.com/watch?v=tDacjrSCeq4 “ Brendan Gregg
https://www.youtube.com/watch?v=X3AWV5lJ6RY
https://www.youtube.com/watch?v=X3AWV5lJ6RY user land
None
Work in Progress
Live Coding
Live Coding Having fun with eBPF
Firewall Demo
XDP https://mostlynerdless.de/blog/2024/04/22/hello-ebpf-xdp-based-packet-filter-9
Sockets XDP
XDP https://mostlynerdless.de/blog/2024/04/22/hello-ebpf-xdp-based-packet-filter-9
The only way of disco- vering the limits of the
possible is to venture a little way past them into the impossible. Clarke’s second law “ https://www.flickr.com/photos/itupictures/16636142906
Project Panama
None
And for the compiler nerds https://godbolt.org/z/9xoMzsc4b
Blog Posts A post every other week since January
A glimpse into the future Java as a first class
language for eBPF
A glimpse into the future https://www.infoq.com/presentations/facebook-google-bpf-linux-kernel/ https://en.wikipedia.org/wiki/File:Pistachio_macro_whitebackground_NS.jpg Towards a Micro-Kernel
A glimpse into the future Kernel Fixes Reimagined https://www.infoq.com/presentations/facebook-google-bpf-linux-kernel/
A glimpse into the future Kernel Recipes 2023 - sched_ext:
pluggable scheduling in the Linux kernel
None
Final thoughts!
Thank you Mohammed Aboullaite @laytoun
[email protected]
Thanks to Dylan Reimerink
Resources Johannes Bechberger mostlynerdless.de @parttimen3rd @
[email protected]