Skip to content

feat: merge socket tracker into redirector #102

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ctrox merged 2 commits into from
Oct 25, 2025
Merged

feat: merge socket tracker into redirector #102

ctrox merged 2 commits into from
Oct 25, 2025

Conversation

@ctrox
Copy link
Owner

@ctrox ctrox commented Oct 15, 2025

This merges the two bpf programs into one. This has several advantages:

  • we don't need to match container traffic via PIDs anymore as the activator already runs once per container. So we can just track activity in there.
  • we no longer need to have a special PID resolver for running in kind.
  • should be more reliable in general as long-running TCP connections will be tracked more accurately.

One disadvantage is that we now do more processing in the hot-path of ingress traffic as we track activity on every packet, not just on every TCP accept. Looking at bpftop the ingress path takes ~1700ns and egress (which is unchanged) ~700ns. But the ingress path was already more expensive before this change as it needs to do the disabled check. There might still be room for optimization here.

@ctrox ctrox force-pushed the socket-tracker-activator branch 16 times, most recently from 961a7e6 to 55e77e7 Compare October 18, 2025 14:42
ctrox added 2 commits October 20, 2025 15:48
@ctrox
feat: merge socket tracker into redirector
eb94a2e 
This merges the two bpf programs into one. This has several advantages:

* we don't need to match container traffic via PIDs anymore as the
  activator already runs once per container. So we can just track
  activity in there.
* we no longer need to have a special PID resolver for running in kind.
* should be more reliable in general as long-running TCP connections
  will be tracked more accurately.

One disadvantage is that we now do more processing in the hot-path of
ingress traffic as we track activity on every packet, not just on every
TCP accept. Looking at bpftop the ingress path takes ~1700ns and egress
(which is unchanged) ~700ns. But the ingress path was already more
expensive before this change as it needs to do the disabled check. There
might still be room for optimization here.
@ctrox
test: improve error feedback
7e6af71
@ctrox ctrox force-pushed the socket-tracker-activator branch from 8467820 to 7e6af71 Compare October 21, 2025 15:36
@ctrox ctrox merged commit 8e2bfb1 into main Oct 25, 2025
7 checks passed
@ctrox ctrox deleted the socket-tracker-activator branch October 25, 2025 08:42
@ctrox ctrox mentioned this pull request Oct 25, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ctrox