into eBPF assembly code • Inject to kernel • Attach to network tc hooks • Triggered by ingress/egress packets IPVS bypass conntrack • Why IPVS depends on conntrack? • Iptables/conntrack SNAT • NULL during PREROUTING • No de-fragment is done during PREROUTING IPVS bypass conntrack (con.) • Egress • Original way • Nf local-out -> ip_output nf post-route -> ip_finish_output • The new way • • eBPF program is easy to deploy • How to do SNAT in eBPF • Do SNAT in TC egress • Do reverse SNAT in TC ingress Tc egress Hit eBPF map? Does SNAT nic nic Y N • How IPVS talks with eBPF program