@@ -15,7 +15,7 @@ leading to CPU overload and excessive memory usage.
1515eBPF-based flow filtering solves this challenge by selecting only important flows,
1616reducing system strain while maintaining visibility.
1717
18- ## Why Flow Filtering?
18+ ## Why Flow Filtering
1919
2020The primary goal of flow filtering is resource efficiency.
2121Instead of capturing and analyzing every flow, filtering mechanisms allow us to:
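Review bot: Dropping the "?" at new line 18 leaves "## Why Flow Filtering" reading as a sentence fragment, while the section body still answers a question. If the aim is to satisfy a trailing-punctuation lint rule, consider rewording the heading (for example "## Benefits of Flow Filtering") or allowing "?" in that rule, and check that no in-page links depend on the old heading text.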
@@ -29,9 +29,10 @@ Instead of capturing and analyzing every flow, filtering mechanisms allow us to:
2929✅ Focus on Critical Traffic – Prioritize important flows for security, compliance, and performance monitoring.
3030
3131## How Flow Filtering Works in eBPF
32+
3233eBPF allows filtering flows at the source, avoiding costly user-space processing. This typically involves:
3334
34- 1- Defining Filtering Rules – Specify criteria such as source/destination IP, port, protocol,
35+ 1- Defining Filtering Rules – Specify criteria such as source/destination IP, port, protocol,
3536or application metadata.
3637The following table shows all possible filtering options and their default setting:
3738
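Review bot: The list marker on new line 35, `1- Defining Filtering Rules`, is still not a Markdown ordered-list marker, so the step renders as plain paragraph text run together with "or application metadata." Since this line is already being touched for whitespace, change it to `1. Defining Filtering Rules` and indent the continuation line so it stays inside the list item.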
@@ -45,15 +46,15 @@ The following table shows all possible filtering options and their default setti
4546| destPorts | Possible options for destination port settings | | |
4647| | Single port to match on the flow | for example 80 or 443 or 49051 | |
4748| | Range of ports to match on the flow or | for example 80-100 | |
48- | | Two ports to match on | for example 80,100 | |
49+ | | Two ports to match on | for example 80,100 | |
4950| sourcePorts | Possible options for source port settings | | |
5051| | Single port to match on the flow | for example 80 or 443 or 49051 | |
5152| | Range of ports to match on the flow or | for example 80-100 | |
52- | | Two ports to match on | for example 80,100 | |
53+ | | Two ports to match on | for example 80,100 | |
5354| ports | Possible options for destination or source port settings | | |
5455| | Single port to match on the flow | for example 80 or 443 or 49051 | |
5556| | Range of ports to match on the flow or | for example 80-100 | |
56- | | Two ports to match on | for example 80,100 | |
57+ | | Two ports to match on | for example 80,100 | |
5758| icmpType | ICMP type to match on the flow | for example 8 or 13 | |
5859| icmpCode | ICMP code to match on the flow | for example 0 or 1 | |
5960| peerIP | Peer IP to match on the flow | for example 1.1.1.1 or 1::1 | |
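Review bot: The rows touched at new lines 49, 53 and 57 read "Two ports to match on", which is cut short compared with the sibling rows ("... to match on the flow"), and the range rows just above them end in a dangling "or". While cleaning whitespace here, complete the descriptions and state how `80,100` is evaluated (a match on either port, or on both) so that readers writing filter rules do not have to guess.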
@@ -134,7 +135,7 @@ The dual matching approach ensures bidirectional flow tracking, enabling users t
134135directions of a given flow.
135136
136137In cases where no matching rules exist, the default behavior is to reject the flow.
137- However, users can customize the handling of unmatched flows by adding a catch-all entry
138+ However, users can customize the handling of unmatched flows by adding a catch-all entry
138139`(cidr : 0.0.0.0/0)` and specifying a global action to enforce their preferred policy.
139140
140141# # Key Use Cases
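Review bot: The catch-all example on new line 139, `(cidr : 0.0.0.0/0)`, only covers IPv4, yet the options table gives an IPv6 peer (`1::1`) as valid input. Because unmatched flows are rejected by default, say whether an additional `::/0` entry is needed for IPv6 traffic, and drop the space before the colon so the snippet matches the `peerCIDR: 10.128.0.0/14` style used in the YAML examples.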
@@ -176,7 +177,7 @@ agent:
176177 peerCIDR: 10.128.0.0/14
177178 protocol: ICMP
178179 icmpType: 8
179- ` ` `
180+ ` ` `
180181
181182<img src="{page.image('ebpf-flows-filtering/ebpf-svc-and-pods-flows.png')}" alt="eBPF Flows Filtering Kubernetes NorthSouth and EastWest Flows">
182183<p style="text-align : center">Figure 2: eBPF Flows Filtering Kubernetes NorthSouth and EastWest Flows</p>
@@ -211,7 +212,7 @@ agent:
211212
212213Filtering based on TCP flags is an effective method to detect and mitigate TCP SYN flood attacks in a cluster.
213214A SYN flood is a Denial-of-Service (DoS) attack where an attacker overwhelms a target system by sending a large
214- number of SYN packets without completing the three-way handshake,
215+ number of SYN packets without completing the three-way handshake,
215216depleting system resources and disrupting legitimate connections.
216217
217218` ` ` yaml
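Review bot: "detect and mitigate" on new line 213 promises more than the rest of the page describes: filtering is introduced as selecting which flows are captured, not as dropping packets. Unless the filter action actually blocks traffic, reword this to "detect" and point readers to the control that performs the mitigation.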