.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    https://docs.cilium.io

################
Life of a Packet
################

This page gives an overview of the life of a packet from the perspective of
the eBPF datapath by walking through three scenarios.

.. admonition:: Video
  :class: attention

  You can also watch a video explanation of this topic, which explores the tools available within Cilium to help
  you understand the life of a packet, in `eCHO Episode 51: Life of a Packet with Cilium <https://www.youtube.com/watch?v=0BKU6avwS98&t=494s>`__.

Endpoint to Endpoint
====================

First we show the local endpoint-to-endpoint flow with optional L7 Policy on
egress and ingress, followed by the same endpoint-to-endpoint flow with
socket layer enforcement enabled. With socket layer enforcement enabled for TCP
traffic, the handshake initiating the connection traverses the endpoint policy
object until the TCP state is ESTABLISHED. After the connection is ESTABLISHED,
only the L7 Policy object is still required.

.. image:: _static/cilium_bpf_endpoint.svg

Egress from Endpoint
====================

Next we show the flow from a local endpoint to egress with an optional overlay
network. With the overlay network, traffic is forwarded out of the Linux network
interface corresponding to the overlay. In the default case the overlay
interface is named ``cilium_vxlan``. As in the previous scenario, when socket
layer enforcement is enabled and an L7 proxy is in use, we can avoid running the
endpoint policy block between the endpoint and the L7 Policy for TCP traffic.
An optional L3 encryption block encrypts the packet if enabled.

.. image:: _static/cilium_bpf_egress.svg

Ingress to Endpoint
===================

Finally we show ingress to a local endpoint, also with an optional overlay
network. As in the previous scenarios, socket layer enforcement can be used to
avoid a set of policy traversals between the proxy and the endpoint socket. If
the packet is encrypted when it is received, it is first decrypted and then
handled through the normal flow.

.. image:: _static/cilium_bpf_ingress.svg

This completes the datapath overview. More BPF specifics can be found in the
:ref:`bpf_guide`. Additional details on how to extend the L7 Policy
exist in the :ref:`envoy` section.