Cilium - Container Networking with BPF & XDP

This proposal has been rejected.


One Line Summary

Fast in-kernel networking and security policy enforcement for containers based on eBPF programs generated on the fly


We present a new open source project which provides IPv6 & IPv4 networking for Linux containers by generating programs for each individual container on the fly and then running them as JITed BPF code in the kernel. Because the code is generated and compiled per container, each program is reduced to the minimally required feature set and then heavily optimised by the compiler as parameters become plain variables. The upcoming addition of the Express Data Plane (XDP) to the kernel will make this approach even more efficient, as the programs will get invoked directly from the network driver.


networking, containers, IPv6, bpf, policy, xdp


  • Biography

    Thomas Graf has been a Linux kernel developer for 10 years, working on a variety of networking subsystems. His current focus is on container networking and security. He contributes to various open source projects, such as the Linux kernel, Cilium and Open vSwitch. Thomas is currently at Noiro Networks, a Cisco project.