newsence

Show HN: Netfence – An eBPF Filter Solution Inspired by Envoy xDS

Hacker News

About 1 month ago

AI-generated summary

Netfence is a new project presented on Hacker News' Show HN, offering a way to apply eBPF filters to network traffic. It works like Envoy's xDS, but for eBPF: a central control plane manages allowlists/denylists and synchronizes them with daemons running on the hosts.

GitHub - danthegoodman1/netfence


Netfence

Like Envoy xDS, but for eBPF filters.

Netfence runs as a daemon on your VM/container hosts and automatically attaches eBPF filter programs to cgroups and network interfaces. A built-in DNS server resolves allowed domains and populates the IP allowlist.

Netfence daemons connect to a central control plane that you implement via gRPC to synchronize allowlists/denylists with your backend.

Your control plane pushes network rules like ALLOW *.pypi.org or ALLOW 10.0.0.0/16 to attached interfaces/cgroups. When a VM/container queries DNS, Netfence resolves the name, adds the returned IPs to the eBPF filter's allowlist, and drops traffic to any other IP in the kernel, before it leaves the host, without a performance penalty. Because the allowlist is populated from DNS answers, the effective trust boundary is the set of addresses that allowed names resolve to: a name served from a shared CDN address admits every other service behind that address, while a workload that bypasses the assigned resolver (hardcoded IPs, DNS over HTTPS to an unlisted resolver) simply has its traffic dropped.

Features

Design

Architecture

Each attachment gets a unique DNS address (port) provisioned by the daemon. Containers/VMs should be configured to use their assigned DNS address.

Per host

Run the daemon, which:

Start the daemon:

Check daemon status:

Per attachment

Your orchestration system calls the daemon's local API.

RPC:

CLI:

RPC:

CLI:

List attachments:

On the control plane (you implement this)

Implement ControlPlane.Connect RPC - a bidirectional stream:

Receive from daemon:

Send to daemon:

Once the daemon has sent Subscribed for a new attachment, it blocks waiting for SubscribedAck before returning success to the caller of its local API. This ensures the attachment has its initial configuration before traffic flows. Use the metadata carried in Subscribed to identify which VM/tenant/container the attachment belongs to and respond with the appropriate initial rules.
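A worked example of the two pieces the README describes but does not show: the rule syntax (ALLOW *.pypi.org, ALLOW 10.0.0.0/16) and the Subscribed/SubscribedAck handshake between daemon and control plane. This is added example code in Go, not netfence's own code and not its gRPC schema: the Message fields, the Stream interface, the function names and the in-memory chanStream pipe are all this example's assumptions, and the wildcard matching and bare-IP handling are choices made here, not documented behaviour of the project.

```go
package main

import (
	"context"
	"fmt"
	"net/netip"
	"strings"
)

// Message stands in for the netfence stream messages; these field names are this example's assumption.
type Message struct {
	Kind     string            // "Subscribed" or "SubscribedAck"
	Attach   string            // attachment identifier
	Metadata map[string]string // tenant/vm/container labels sent by the daemon
	Rules    []string          // "ALLOW *.pypi.org", "ALLOW 10.0.0.0/16", ...
}

// Stream is one end of a bidirectional gRPC-style stream (Send errors omitted for brevity).
type Stream interface {
	Recv(ctx context.Context) (Message, error)
	Send(m Message)
}

// Rule is one parsed "ALLOW|DENY <target>": Suffix for domains, Prefix for IP/CIDR.
type Rule struct{ Allow bool; Suffix string; Prefix netip.Prefix }

// ParseRules accepts the README's rule syntax (a bare IP becomes a host prefix) and
// rejects the whole set on the first bad rule, so a typo never yields a partial list.
func ParseRules(ss []string) ([]Rule, error) {
	out := make([]Rule, 0, len(ss))
	for _, s := range ss {
		f := strings.Fields(s)
		if len(f) != 2 || (f[0] != "ALLOW" && f[0] != "DENY") {
			return nil, fmt.Errorf("rule %q: want \"ALLOW|DENY target\"", s)
		}
		r := Rule{Allow: f[0] == "ALLOW"}
		if p, err := netip.ParsePrefix(f[1]); err == nil {
			r.Prefix = p.Masked()
		} else if a, err := netip.ParseAddr(f[1]); err == nil {
			r.Prefix = netip.PrefixFrom(a, a.BitLen())
		} else {
			r.Suffix = strings.ToLower(strings.TrimSuffix(f[1], "."))
		}
		out = append(out, r)
	}
	return out, nil
}

// MatchDomain: a "*." rule covers subdomains only, not the apex (this example's choice).
func (r Rule) MatchDomain(name string) bool {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if base, ok := strings.CutPrefix(r.Suffix, "*."); ok {
		return strings.HasSuffix(name, "."+base)
	}
	return r.Suffix != "" && name == r.Suffix
}

// ServeConnect is the control-plane side of ControlPlane.Connect: every Subscribed is
// answered with a SubscribedAck carrying the initial rules rulesFor picks from metadata.
func ServeConnect(ctx context.Context, st Stream, rulesFor func(md map[string]string) []string) error {
	for {
		m, err := st.Recv(ctx)
		if err != nil {
			return err
		}
		if m.Kind == "Subscribed" { // other daemon messages are outside this example
			st.Send(Message{Kind: "SubscribedAck", Attach: m.Attach, Rules: rulesFor(m.Metadata)})
		}
	}
}

// AwaitAck is the daemon side: send Subscribed and block until the matching SubscribedAck.
// Pass a context with a deadline: no ack, or a malformed rule set, fails the attach closed.
func AwaitAck(ctx context.Context, st Stream, attach string, md map[string]string) ([]Rule, error) {
	st.Send(Message{Kind: "Subscribed", Attach: attach, Metadata: md})
	for {
		m, err := st.Recv(ctx)
		if err != nil {
			return nil, fmt.Errorf("attachment %s: no SubscribedAck: %w", attach, err)
		}
		if m.Kind == "SubscribedAck" && m.Attach == attach {
			return ParseRules(m.Rules)
		}
	}
}

// chanStream is an in-memory pipe standing in for gRPC; wire two back to back (a.in == b.out) for both ends.
type chanStream struct{ in, out chan Message }

func (c chanStream) Recv(ctx context.Context) (Message, error) {
	select {
	case m := <-c.in:
		return m, nil
	case <-ctx.Done():
		return Message{}, ctx.Err()
	}
}

func (c chanStream) Send(m Message) { c.out <- m }
```

ServeConnect runs once per daemon connection; AwaitAck is what the daemon's attach call would do before reporting success to its caller. To exercise it offline, wire two chanStreams back to back, run ServeConnect in a goroutine with a rulesFor that keys on a metadata label such as the tenant, and call AwaitAck with a deadline context: with nothing answering on the other end, or with a malformed rule in the ack, the attach returns an error rather than letting the caller proceed without its initial configuration.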
