It's crowded in here!
Cloudflare recently presented a solution for programming socket lookup with BPF at the Linux Plumbers Conference 2019 in Lisbon, Portugal. The company's edge servers are crowded with numerous public-facing services as well as internal ones that operate behind the scenes. To manage these efficiently, every Cloudflare edge server runs all services and responds to each Anycast address. The challenge is setting up network services to listen on hundreds of IP addresses without overwhelming the network stack. The solution proposed by Cloudflare engineers is BPF inet_lookup, a mechanism that uses BPF (Berkeley Packet Filter) to program the socket lookup. It lets users tweak how incoming packets are matched with listening sockets, ignoring the address the socket is bound to. This approach is flexible and covers scenarios such as binding a service to a single port, to all ports, or to a network prefix. It also enables services to bind to all addresses and all ports without needing extra capabilities. The implementation of BPF inet_lookup was a team effort, with contributions from Lorenz Bauer, Marek Majkowski, and Gilberto Bertin.
Company: Cloudflare
Date published: Oct. 12, 2019
Author(s): Jakub Sitnicki
Word count: 2783
Language: English
Hacker News points: None found.