{"id":18630,"date":"2025-10-24T19:26:30","date_gmt":"2025-10-24T19:26:30","guid":{"rendered":"https:\/\/pokecon.jp\/job\/?p=18630"},"modified":"2025-10-24T19:26:30","modified_gmt":"2025-10-24T19:26:30","slug":"cilium-connection-tracking-deep-dive-cybozu-inside-out","status":"publish","type":"post","link":"https:\/\/pokecon.jp\/job\/18630\/","title":{"rendered":"Cilium Connection Tracking Deep Dive &#8211; Cybozu Inside Out"},"content":{"rendered":"\n<div>\n<p>This article is part of <a target=\"_blank\" href=\"https:\/\/cybozu.github.io\/summer-blog-fes-2025\/\">CYBOZU SUMMER BLOG FES &#8217;25<\/a>.<\/p>\n<p>Hello.<br \/>I am Terashima (<a target=\"_blank\" href=\"https:\/\/github.com\/terassyi\">terassyi<\/a>), in charge of networking for our Kubernetes platform (Neco) in the Cloud Platform department of the Cloud Infrastructure division.<\/p>\n<p>Neco uses Cilium for its Kubernetes networking.<br \/>A case study of how we use Cilium was recently published on the CNCF site, so please have a look at that as well.<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/www.cncf.io\/case-studies\/cybozu\/\">Cybozu case study (www.cncf.io)<\/a><\/p>\n<p>This article explains the behaviour and implementation of Cilium's Connection Tracking, the core of how Cilium controls traffic.<\/p>\n<h2 id=\"\u524d\u66f8\u304d\">Preface<\/h2>\n<p>Cilium is software that manages container networking, using eBPF for packet processing and more. To provide a fast Kubernetes network it ships its own eBPF-based implementations of a kube-proxy replacement, Connection Tracking and other features.<\/p>\n<p>This article has three main parts.<\/p>\n<ul>\n<li>An introduction to Cilium<\/li>\n<li>The background needed to understand Cilium's conntrack\n<ul>\n<li>A general explanation of conntrack<\/li>\n<li>An overview of the Kubernetes network that Cilium manages<\/li>\n<li>An overview of Cilium's BPF programs and BPF maps<\/li>\n<\/ul>\n<\/li>\n<li>The behaviour and implementation of Cilium's conntrack<\/li>\n<\/ul>\n<p>Note: this article is based on the code of Cilium 1.16.12. Cilium is a very fast-moving project, so be aware that the behaviour described here may have changed in newer versions.<br \/>The Cilium behaviour and implementation described here assume the configuration we use in Neco.<\/p>\n<h2 id=\"Cilium-\u3068\u306f\">What is Cilium<\/h2>\n<p>Cilium is software that provides better performance, security and observability for networking in cloud-native environments, Kubernetes first among them.<br \/>It provides the CNI plugin functionality described below, Network Policy, an L4 load balancer, traffic visibility and more.<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/cilium.io\/\">Cilium - Cloud Native, eBPF-based Networking, Observability, and Security (cilium.io)<\/a><\/p>\n<p>Cilium uses eBPF for its data plane, which makes that data plane both fast and safe: packets are handled in the kernel at the hook point, and the kernel's verifier checks every BPF program before it is loaded.<\/p>\n<h3 id=\"CNI-\u30d7\u30e9\u30b0\u30a4\u30f3\">CNI plugin<\/h3>\n<p>Cilium is implemented as a CNI plugin. A CNI plugin (<a target=\"_blank\" href=\"https:\/\/www.cni.dev\/\">CNI<\/a>) is the component that configures a container's network. The <a target=\"_blank\" href=\"https:\/\/github.com\/containernetworking\/cni\/blob\/main\/SPEC.md\">CNI Spec<\/a> is published as a specification, and the implementation is left to each plugin.<br \/>There are many CNI plugin implementations; widely used ones include <a target=\"_blank\" href=\"https:\/\/docs.tigera.io\/calico\/latest\/about\/\">Calico<\/a> and <a target=\"_blank\" href=\"https:\/\/github.com\/flannel-io\/flannel\">flannel<\/a>. In Neco we have also developed and use our own plugin, <a target=\"_blank\" href=\"https:\/\/github.com\/cybozu-go\/coil\">Coil<\/a>.<\/p>\n<h3 id=\"eBPF\">eBPF<\/h3>\n<p>Cilium's packet processing is implemented in eBPF.<br \/>For the basics of eBPF, see the following resources.<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/ebpf.io\/ja\/what-is-ebpf\/\">What is eBPF? An introduction and deep dive (ebpf.io)<\/a><\/p>\n<p><a target=\"_blank\" href=\"https:\/\/www.oreilly.co.jp\/books\/9784814400560\/\">\u5165\u9580 eBPF (the Japanese edition of Learning eBPF, www.oreilly.co.jp)<\/a><\/p>\n<h3 id=\"Neco-\u3067\u306e-Cilium-\u306e\u6d3b\u7528\u4f8b\">How Neco uses Cilium<\/h3>\n<p>Cilium has a very large feature set. In Neco we use only the features we need. The ones we mainly rely on are:<\/p>\n<ul>\n<li>kube-proxy replacement (KPR)<\/li>\n<li>Network Policy<\/li>\n<li>Layer 4 Load Balancer<\/li>\n<\/ul>\n<p>A blog post on how we build our Kubernetes network with Cilium has already been published; please read it here.<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/blog.cybozu.io\/entry\/2025\/05\/13\/080000\">[Series] The full picture of the Cybozu.com cloud infrastructure, part 3: Neco's network (blog.cybozu.io)<\/a><\/p>\n<p>kube-proxy replacement, the foundation of all of Cilium's features, was developed to overcome the scalability problems of the iptables-based kube-proxy.<br \/>If you are interested, watch the following talk.<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/youtu.be\/bIRwSIwNHC0\">Liberating Kubernetes From Kube-proxy and Iptables - Martynas Pumputis, Cilium (youtu.be)<\/a><\/p>\n<h2 id=\"Deep-Dive-\u306e\u6e96\u5099\">Preparing for the deep dive<\/h2>\n<p>This part introduces some prerequisite knowledge as preparation for looking closely at Cilium's conntrack.<\/p>\n<p>First, it gives a general overview of conntrack. Conntrack is not a technique specific to Cilium, so familiar uses of conntrack are introduced to sharpen the picture of what it does.<\/p>\n<p>Next, it gives an overview of the Kubernetes network that Cilium manages.<br \/>In this article, \"the Kubernetes network that Cilium manages\" means a Kubernetes network in which Cilium's kube-proxy replacement (KPR below) is enabled.<br \/>Cilium's conntrack is implemented and optimised for the Kubernetes network, so understanding it requires understanding how traffic flows under KPR.<\/p>\n<p>Finally, it describes the concrete BPF programs and BPF maps of Cilium that you need to know to understand the conntrack implementation.<\/p>\n<p>Note: feel free to skip any item in this part whose content you already know.<\/p>\n<h3 id=\"Connection-Tracking-\u3068\u306f\">What is Connection Tracking<\/h3>\n<p>Connection Tracking (conntrack below) is, roughly speaking, a facility that records and follows the state of connections.<br \/>It records information such as the source and destination addresses, ports and protocol, and that state is then used for stateful traffic control, load balancing and so on.<br \/>Concrete examples include NAT, load balancers, firewalls and defences against SYN flooding attacks.<\/p>\n<h4 id=\"Linux-\u306e-Conntrack\">Conntrack in Linux<\/h4>\n<p>In Linux, conntrack is implemented as a module of the <code>netfilter<\/code> framework.<br \/><code>netfilter<\/code> is configured with the <code>iptables<\/code> or <code>nftables<\/code> commands and is used for IP masquerade (Network Address Port Translation, NAPT), packet filtering and more.<br \/>conntrack is the core on which those features are built.<\/p>
\n<p>Here we use IP masquerade as an example to briefly illustrate how conntrack works.<br \/>The figure shows a scenario in which a <code>Client<\/code> with the address <code>local-b<\/code> on the Local Network connects to a <code>Server<\/code> with the address <code>global-b<\/code> on the External Network through a <code>Proxy<\/code> (a NAT gateway) that has the addresses <code>local-a<\/code> and <code>global-a<\/code> and on which IP masquerade is configured.<\/p>\n<figure class=\"figure-image figure-image-fotolife\" title=\"IP masquerade \u306e conntrack \u306e\u52d5\u4f5c\u4f8b\"><span itemscope=\"\" itemtype=\"http:\/\/schema.org\/Photograph\"><img decoding=\"async\" src=\"https:\/\/cdn-ak.f.st-hatena.com\/images\/fotolife\/c\/cybozuinsideout\/20251024\/20251024150007.png\" width=\"800\" height=\"496\" loading=\"lazy\" title=\"\" class=\"hatena-fotolife\" itemprop=\"image\"\/><\/span><figcaption>How conntrack behaves under IP masquerade<\/figcaption><\/figure>\n<ol>\n<li>To reach the service the Server exposes on port y on the external network, the Client sends a packet (<code>SYN<\/code>) <code>local-b:x -&gt; global-b:y<\/code> towards the Proxy.<\/li>\n<li>Following its masquerade configuration, the Proxy translates the packet's source to its own address <code>global-a<\/code>, choosing a free source port z. At this point it stores the original and translated addresses and ports together with the connection state (<code>SYN_SENT<\/code>) in the conntrack table.<\/li>\n<li>With the rewritten address and port, the packet is forwarded to the Server as <code>global-a:z -&gt; global-b:y<\/code>.<\/li>\n<li>The Server replies (<code>SYN\/ACK<\/code>) with <code>global-b:y -&gt; global-a:z<\/code>.<\/li>\n<li>The Proxy observes the <code>SYN\/ACK<\/code> from the Server and updates the conntrack entry's state to <code>SYN_RECV<\/code>.<\/li>\n<li>Using the conntrack entry, the Proxy rewrites the destination back to <code>local-b:x<\/code> and returns the Server's response to the Client.<\/li>\n<li>The TCP connection between Client and Server is then established and application traffic begins. conntrack observes the completed handshake and updates the entry's state to <code>ESTABLISHED<\/code>.<\/li>\n<\/ol>\n<p>When the connection is closed, similar processing follows the TCP teardown sequence and the stored conntrack entry is removed.<\/p>
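\n<p>The seven steps above as a runnable example, added for this article and not code from the original post or from the Linux kernel: a small masquerading NAPT conntrack table in Go. It allocates the translated port z, indexes each entry by the tuple seen in both directions so that the reply finds it, walks SYN_SENT, SYN_RECV and ESTABLISHED, drops any packet that matches no entry unless it is a fresh SYN, and removes the entry after the FIN exchange. The addresses, the first translated port 40000 and the single CLOSING state for teardown are assumptions of the example.<\/p>

```go
package main

import (
	"fmt"
	"net/netip"
)

// TCPState: the conntrack TCP states used here. Linux has more (FIN_WAIT, CLOSE_WAIT,
// LAST_ACK, TIME_WAIT); this example collapses the whole teardown into CLOSING.
type TCPState int

const (
	SynSent TCPState = iota
	SynRecv
	Established
	Closing
)

// Tuple identifies one direction of a TCP flow; Packet is a constructed, minimal segment
// carrying only the addresses and flags conntrack inspects.
type Tuple struct{ Src, Dst netip.AddrPort }
type Packet struct {
	Tuple
	SYN, ACK, FIN bool
}

// Entry is one conntrack row: the tuple as the client sent it (local-b:x -> global-b:y),
// the tuple the server's reply arrives with (global-b:y -> global-a:z), and the state.
type Entry struct {
	Orig, Reply Tuple
	State       TCPState
}

// Conntrack is a masquerading NAPT table indexed by the tuple seen in each direction, so
// outbound and returning packets each find their entry with a single lookup.
type Conntrack struct {
	external netip.Addr // global-a, the address we masquerade behind
	nextPort uint16     // next translated source port (z) to hand out
	byOrig   map[Tuple]*Entry
	byReply  map[Tuple]*Entry
}

func NewConntrack(ext netip.Addr) *Conntrack {
	return &Conntrack{external: ext, nextPort: 40000, byOrig: map[Tuple]*Entry{}, byReply: map[Tuple]*Entry{}}
}

// Lookup returns the entry for a client-side tuple, or nil if the flow is not tracked.
func (c *Conntrack) Lookup(t Tuple) *Entry { return c.byOrig[t] }

// Outbound handles a packet from the local network (steps 1-3 and 7). A SYN with no entry
// creates one in SYN_SENT and allocates port z; anything else without an entry is dropped,
// because there is no state to translate it with. The source becomes global-a:z.
func (c *Conntrack) Outbound(p Packet) (Packet, error) {
	e, ok := c.byOrig[p.Tuple]
	switch {
	case !ok && p.SYN && !p.ACK:
		e = &Entry{Orig: p.Tuple, State: SynSent,
			Reply: Tuple{Src: p.Dst, Dst: netip.AddrPortFrom(c.external, c.nextPort)}}
		c.nextPort++
		c.byOrig[p.Tuple], c.byReply[e.Reply] = e, e
	case !ok:
		return Packet{}, fmt.Errorf("%v: no entry and not a SYN, dropped", p.Tuple)
	case e.State == SynRecv && p.ACK && !p.SYN:
		e.State = Established // final ACK of the handshake observed
	}
	c.observeFIN(e, p)
	p.Src = e.Reply.Dst
	return p, nil
}

// Inbound handles a packet from the external network (steps 4-6). Only packets matching an
// existing reply tuple are accepted; the destination is rewritten back to local-b:x.
func (c *Conntrack) Inbound(p Packet) (Packet, error) {
	e, ok := c.byReply[p.Tuple]
	if !ok {
		return Packet{}, fmt.Errorf("%v: unsolicited, dropped", p.Tuple)
	}
	if e.State == SynSent && p.SYN && p.ACK {
		e.State = SynRecv // the server answered our SYN
	}
	c.observeFIN(e, p)
	p.Dst = e.Orig.Src
	return p, nil
}

// observeFIN models teardown: the first FIN moves the entry to CLOSING, the second removes it.
func (c *Conntrack) observeFIN(e *Entry, p Packet) {
	switch {
	case !p.FIN:
	case e.State == Closing:
		delete(c.byOrig, e.Orig)
		delete(c.byReply, e.Reply)
	default:
		e.State = Closing
	}
}

func main() {
	ct := NewConntrack(netip.MustParseAddr("203.0.113.10")) // global-a (constructed)
	syn := Packet{Tuple: Tuple{Src: netip.MustParseAddrPort("192.168.1.20:50000"),
		Dst: netip.MustParseAddrPort("198.51.100.7:443")}, SYN: true} // local-b:x -> global-b:y
	fwd, _ := ct.Outbound(syn)
	ct.Inbound(Packet{Tuple: Tuple{Src: syn.Dst, Dst: fwd.Src}, SYN: true, ACK: true})
	ct.Outbound(Packet{Tuple: syn.Tuple, ACK: true})
	fmt.Println(fwd.Src, ct.Lookup(syn.Tuple).State == Established) // 203.0.113.10:40000 true
}
```

<p>The refusal to translate a packet that has no entry and is not a SYN is what makes the table a stateful filter as well as a translator: a segment arriving from the outside is only admitted if the table saw the connection being opened from the inside, which is exactly the property a masquerading gateway relies on.<\/p>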
\n<p>Cilium implements conntrack with the same kind of mechanism, but in a form that is more specifically optimised for the Kubernetes network.<\/p>\n<p>Readers interested in the details of conntrack in the Linux kernel may want to read the following material.<\/p>\n<h4 id=\"Cilium-\u304c\u7ba1\u7406\u3059\u308b-Kubernetes-\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\">The Kubernetes network that Cilium manages<\/h4>\n<p>Cilium handles all traffic inside a Kubernetes cluster, and its conntrack manages that traffic in different ways depending on which of the Kubernetes communication patterns described below is in use.<br \/>This section gives an overview of the Kubernetes network in a cluster that runs Cilium.<\/p>\n<p>Note: as stated at the beginning, the network described here assumes Cilium's kube-proxy replacement (KPR).<\/p>\n<p>The standard kube-proxy implements traffic control with iptables or nftables; Cilium's KPR disables kube-proxy and implements its own traffic control in eBPF.<\/p>\n<h5 id=\"Pod-\u9593\u901a\u4fe1\">Pod-to-Pod traffic<\/h5>\n<p>This is the most basic kind of traffic. Nothing special happens beyond Cilium's BPF programs processing the packets.<\/p>\n<h5 id=\"ClusterIP-Service-\u306e\u901a\u4fe1\">ClusterIP Service traffic<\/h5>\n<p>In Cilium, the <a target=\"_blank\" href=\"https:\/\/kubernetes.io\/docs\/concepts\/services-networking\/service\/#type-clusterip\">ClusterIP type<\/a> of the Service resource differs very little from Pod-to-Pod traffic.<\/p>\n<p>When a Pod sends traffic to a ClusterIP service, Cilium's BPF programs on the sending Pod's node translate the destination to the address of one of that ClusterIP's backend Pods. From there on it is processed exactly like Pod-to-Pod traffic.<\/p>\n<p>Note: Cilium provides two implementations of ClusterIP Services, <a target=\"_blank\" href=\"https:\/\/docs.cilium.io\/en\/stable\/network\/kubernetes\/kubeproxy-free\/#socket-loadbalancer-bypass-in-pod-namespace\">SocketLB<\/a> and per-packet LB. SocketLB is the default, but this article describes per-packet LB.<\/p>\n<h5 id=\"LoadBalancer-Service-\u306e\u901a\u4fe1\">LoadBalancer Service traffic<\/h5>\n<p>The <a target=\"_blank\" href=\"https:\/\/kubernetes.io\/docs\/concepts\/services-networking\/service\/#loadbalancer\">LoadBalancer type<\/a> of the Service resource is used to expose endpoints inside the cluster to the outside. It is a Layer 4 load balancer that publishes an address (<code>EXTERNAL-IP<\/code>) outside the cluster, accepts traffic from outside and spreads it across the backends.<\/p>\n<p>How a LoadBalancer service is handled depends on the value of <code>.spec.externalTrafficPolicy<\/code> (<code>Cluster<\/code> or <code>Local<\/code>).<\/p>\n<h6 id=\"externalTrafficPolicyCluster\">externalTrafficPolicy=Cluster<\/h6>\n<p>With <code>externalTrafficPolicy=Cluster<\/code> (eTP=Cluster) the traffic path becomes fairly complex.<br \/>The benefit is that load is spread evenly across the LoadBalancer service's backend Pods.<\/p>\n<p>Cilium offers several implementations; we run our L4LB with the combination <code>Maglev hashing + DSR (Direct Server Return) with Geneve encap<\/code>.<\/p>\n<p>Note: this article covers only <code>DSR with Geneve encap<\/code>.<\/p>\n<p>We presented the details of <code>DSR with Geneve encap<\/code> at Cloud Native Days; please refer to that talk.<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/cloudnativedays.jp\/cndt2023\/talks\/2012\">Implementing and deploying DSR with the Geneve protocol in Cilium (cloudnativedays.jp)<\/a><\/p>\n<p><a target=\"_blank\" href=\"https:\/\/speakerdeck.com\/cybozuinsideout\/cndt2023-cybozu\">Slides of the talk (speakerdeck.com)<\/a><\/p>\n<p><code>Maglev hashing<\/code> is a consistent hashing algorithm that provides fault-tolerant, highly available load balancing: a flow's backend is chosen by hashing its 5-tuple into a lookup table that every intermediate node computes identically from the same backend list, so every node picks the same backend for the same flow, and adding or removing a backend remaps only a small fraction of flows.<br \/>The following public material summarises it well.<\/p>
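\n<p>How a Maglev lookup table is built and used, as an added Go example (not code from the original post or from Cilium): each backend owns a permutation of the table slots, the backends take turns claiming free slots, and a flow is mapped by hashing its 5-tuple into the table. The table size 251, the FNV-1a hash and the backend addresses are assumptions for the illustration; Cilium's default table size is 16381 and it uses a different hash.<\/p>

```go
package main

import (
	"fmt"
	"hash/fnv"
)

// tableSize (M in the Maglev paper) must be prime and much larger than the backend count;
// Cilium's default is 16381, 251 is an assumption that keeps this example small.
const tableSize = 251

// Maglev is a populated lookup table: entry[i] is the index into backends for slot i.
type Maglev struct {
	backends []string
	entry    []int
}

// hash64 is FNV-1a over seed||s; the seeds stand in for the independent hash functions
// h1 (offset), h2 (skip) and the flow hash. FNV is an illustration, not Cilium's hash.
func hash64(seed byte, s string) uint64 {
	h := fnv.New64a()
	h.Write([]byte{seed})
	h.Write([]byte(s))
	return h.Sum64()
}

// NewMaglev populates the table as in Section 3.4 of the Maglev paper. Each backend owns a
// permutation of the slots (offset + j*skip mod M, a full cycle because M is prime); the
// backends take turns claiming the next still-free slot of their permutation until the table
// is full, so each ends up with floor(M/N) or ceil(M/N) slots, and every node that knows the
// same backend list computes the identical table.
func NewMaglev(backends []string) *Maglev {
	n := len(backends)
	m := &Maglev{backends: backends, entry: make([]int, tableSize)}
	for i := range m.entry {
		m.entry[i] = -1
	}
	if n == 0 {
		return m
	}
	offset, skip, next := make([]uint64, n), make([]uint64, n), make([]uint64, n)
	for i, b := range backends {
		offset[i] = hash64(1, b) % tableSize
		skip[i] = hash64(2, b)%(tableSize-1) + 1
	}
	for filled := 0; ; {
		for i := 0; i < n; i++ {
			c := (offset[i] + next[i]*skip[i]) % tableSize
			for m.entry[c] >= 0 { // slot already taken: advance in our permutation
				next[i]++
				c = (offset[i] + next[i]*skip[i]) % tableSize
			}
			m.entry[c] = i
			next[i]++
			if filled++; filled == tableSize {
				return m
			}
		}
	}
}

// Lookup maps a flow key (e.g. the 5-tuple) to a backend; same key, same backend.
func (m *Maglev) Lookup(flowKey string) string {
	return m.backends[m.entry[hash64(3, flowKey)%tableSize]]
}

// Counts returns the number of slots each backend owns.
func (m *Maglev) Counts() map[string]int {
	c := map[string]int{}
	for _, i := range m.entry {
		if i >= 0 {
			c[m.backends[i]]++
		}
	}
	return c
}

// Churn compares two tables over a set of flow keys: mustMove counts flows whose old backend
// is gone, moved counts flows that changed backend although their old backend still exists.
func Churn(old, cur *Maglev, keys []string) (moved, mustMove int) {
	present := map[string]bool{}
	for _, b := range cur.backends {
		present[b] = true
	}
	for _, k := range keys {
		switch was := old.Lookup(k); {
		case !present[was]:
			mustMove++
		case cur.Lookup(k) != was:
			moved++
		}
	}
	return moved, mustMove
}

func main() {
	before := NewMaglev([]string{"10.244.1.12", "10.244.2.7", "10.244.3.3"}) // Pod IPs (constructed)
	after := NewMaglev([]string{"10.244.1.12", "10.244.2.7"})                // one backend removed
	var keys []string
	for i := 0; i < 1000; i++ {
		keys = append(keys, fmt.Sprintf("198.51.100.%d:%d->203.0.113.5:443", i%200, 40000+i))
	}
	moved, mustMove := Churn(before, after, keys)
	fmt.Println(before.Counts(), after.Counts(), "moved:", moved, "mustMove:", mustMove)
}
```

<p><code>Churn<\/code> in <code>main<\/code> shows what the table buys: flows whose backend disappeared have to move, but most flows to surviving backends keep their backend, so one backend failing does not reshuffle connections across the whole service. And because every intermediate node computes the same table from the same backend list, the upstream router's ECMP can hand a flow to any of them.<\/p>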
\n<p>Here is a brief explanation of how L4LB traffic flows with <code>DSR with Geneve encap<\/code>.<\/p>\n<p>Two kinds of node play important roles in L4LB traffic.<\/p>\n<ul>\n<li>Intermediate node (load balancing node)\n<ul>\n<li>Sometimes called the \"LB node\"; this article uses \"intermediate node\"<\/li>\n<li>The node that first receives packets from external clients<\/li>\n<li>Responsible for load balancing<\/li>\n<\/ul>\n<\/li>\n<li>Backend node\n<ul>\n<li>The node on which the backend Pod to forward to is running<\/li>\n<li>Replies to the client directly from this node (DSR)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Every node running cilium-agent can act as an intermediate node. A node acting as an intermediate node advertises the LB Service's <code>EXTERNAL-IP<\/code> to the cluster's upstream router by some means (BGP is the most common).<br \/>The figure below shows <code>NodeA<\/code>, selected as the intermediate node, and <code>NodeB<\/code>, where the backend <code>Pod1<\/code> runs, handling traffic for an LB Service.<\/p>\n<figure class=\"figure-image figure-image-fotolife\" title=\"LoadBalancer Service eTP=Cluster \u306e\u901a\u4fe1\u306e\u6d41\u308c\"><span itemscope=\"\" itemtype=\"http:\/\/schema.org\/Photograph\"><img decoding=\"async\" src=\"https:\/\/cdn-ak.f.st-hatena.com\/images\/fotolife\/c\/cybozuinsideout\/20251024\/20251024150011.png\" width=\"661\" height=\"581\" loading=\"lazy\" title=\"\" class=\"hatena-fotolife\" itemprop=\"image\"\/><\/span><figcaption>Traffic flow for a LoadBalancer Service with eTP=Cluster<\/figcaption><\/figure>\n<ol>\n<li>Using ECMP (Equal Cost Multi Path), the upstream router forwards the external client's traffic for the <code>EXTERNAL-IP<\/code> to one of the intermediate nodes (here we assume <code>NodeA<\/code> was chosen).<\/li>\n<li><code>NodeA<\/code> selects an appropriate backend (here <code>Pod1<\/code> on <code>NodeB<\/code>) and forwards the packet on.<\/li>\n<li>When forwarding, the Cilium BPF datapath on <code>NodeA<\/code> (loaded by cilium-agent) encapsulates the packet with the <a target=\"_blank\" href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc8926\">Geneve protocol<\/a> and hands the LB's <code>EXTERNAL-IP<\/code> and port to <code>NodeB<\/code> inside the encapsulation.<\/li>\n<li>The datapath on <code>NodeB<\/code> decapsulates the packet and does the other necessary processing, after which the packet reaches the backend Pod.<br \/>\nBecause <code>NodeB<\/code> now holds the <code>EXTERNAL-IP<\/code> and port the client connected to, it can rewrite the reply's source to them and send the reply packet directly to the client, without passing back through <code>NodeA<\/code>.<\/li>\n<\/ol>
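\n<p>Steps 3 and 4 above as an added Go example (not code from the original post or from Cilium): NodeA encapsulates the packet, already DNATed to the Pod, in a Geneve header whose option carries the <code>EXTERNAL-IP<\/code> and port; NodeB parses the header with bounds checks, rejects unknown critical options, stores the LB address for the flow, and uses it to rewrite the source of the Pod's reply so the reply can go straight to the client. The option class 0xFFFE and type 0x81, the VNI and the addresses are placeholders chosen for this example rather than Cilium's values, and the inner frame is an opaque byte string standing in for the real Ethernet, IP and TCP headers.<\/p>

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

// Geneve (RFC 8926) constants; the option class/type are placeholders, not Cilium's values.
const (
	geneveHdrLen  = 8
	protoEthernet = 0x6558 // the inner payload is an Ethernet frame
	dsrOptClass   = 0xFFFE
	dsrOptType    = 0x81 // high bit set: critical, the receiver must understand it
	dsrOptDataLen = 8    // IPv4 address (4) + port (2) + padding (2): two 4-byte words
)

// Encapsulate wraps inner (already DNATed to the backend Pod) in a Geneve header with one
// option carrying the LoadBalancer address and port the client connected to (step 3).
func Encapsulate(vni uint32, lb netip.AddrPort, inner []byte) ([]byte, error) {
	if !lb.Addr().Is4() || vni >= 1<<24 {
		return nil, errors.New("IPv4 address and 24-bit VNI required")
	}
	hdr := make([]byte, geneveHdrLen+4+dsrOptDataLen)
	hdr[0] = byte((4 + dsrOptDataLen) / 4) // Ver=0, Opt Len in 4-byte words
	hdr[1] = 0x40                          // C bit: critical options present
	binary.BigEndian.PutUint16(hdr[2:], protoEthernet)
	binary.BigEndian.PutUint32(hdr[4:], vni<<8) // 24-bit VNI, low byte reserved
	opt := hdr[geneveHdrLen:]
	binary.BigEndian.PutUint16(opt[0:], dsrOptClass)
	opt[2], opt[3] = dsrOptType, byte(dsrOptDataLen/4) // type; R bits zero, Length in words
	a := lb.Addr().As4()
	copy(opt[4:8], a[:])
	binary.BigEndian.PutUint16(opt[8:], lb.Port())
	return append(hdr, inner...), nil
}

// Decapsulate parses the header and walks the options with bounds checks (step 4). Unknown
// critical options are rejected as RFC 8926 requires, and so is a packet lacking the DSR option.
func Decapsulate(pkt []byte) (vni uint32, lb netip.AddrPort, inner []byte, err error) {
	if len(pkt) < geneveHdrLen || pkt[0]>>6 != 0 {
		return 0, lb, nil, errors.New("short header or unsupported geneve version")
	}
	optsLen := int(pkt[0]&0x3f) * 4
	if len(pkt) < geneveHdrLen+optsLen {
		return 0, lb, nil, errors.New("option length exceeds packet")
	}
	vni = binary.BigEndian.Uint32(pkt[4:8]) >> 8
	for opts := pkt[geneveHdrLen : geneveHdrLen+optsLen]; len(opts) > 0; {
		if len(opts) < 4 {
			return 0, lb, nil, errors.New("truncated option header")
		}
		class, typ, dlen := binary.BigEndian.Uint16(opts[0:2]), opts[2], int(opts[3]&0x1f)*4
		if len(opts) < 4+dlen {
			return 0, lb, nil, errors.New("truncated option data")
		}
		switch {
		case class == dsrOptClass && typ == dsrOptType && dlen == dsrOptDataLen:
			var a [4]byte
			copy(a[:], opts[4:8])
			lb = netip.AddrPortFrom(netip.AddrFrom4(a), binary.BigEndian.Uint16(opts[8:10]))
		case typ&0x80 != 0:
			return 0, lb, nil, fmt.Errorf("unknown critical option %#x/%#x", class, typ)
		}
		opts = opts[4+dlen:]
	}
	if !lb.IsValid() {
		return 0, lb, nil, errors.New("DSR option missing")
	}
	return vni, lb, pkt[geneveHdrLen+optsLen:], nil
}

// Flow stands in for the inner IPv4/TCP addressing; BackendNode remembers, per client->Pod
// flow, the EXTERNAL-IP:port the client connected to (both constructed for this example).
type Flow struct{ Src, Dst netip.AddrPort }
type BackendNode struct{ dsr map[Flow]netip.AddrPort }

func NewBackendNode() *BackendNode { return &BackendNode{dsr: map[Flow]netip.AddrPort{}} }

// Ingress records the LB address carried in the tunnel for this flow (step 4).
func (b *BackendNode) Ingress(lb netip.AddrPort, f Flow) { b.dsr[f] = lb }

// Reply rewrites a Pod->client reply so the client sees it coming from EXTERNAL-IP:port and it
// can be sent straight to the client (DSR); replies for unknown flows are left alone.
func (b *BackendNode) Reply(r Flow) (Flow, bool) {
	lb, ok := b.dsr[Flow{Src: r.Dst, Dst: r.Src}]
	if ok {
		r.Src = lb
	}
	return r, ok
}

func main() {
	lb, client, pod := netip.MustParseAddrPort("203.0.113.5:443"), netip.MustParseAddrPort("198.51.100.9:40000"), netip.MustParseAddrPort("10.244.1.12:8443") // EXTERNAL-IP:port, client, Pod1 (constructed)
	tunnel, _ := Encapsulate(2, lb, []byte("inner frame client->pod (constructed)")) // NodeA, step 3
	_, gotLB, _, _ := Decapsulate(tunnel)                                            // NodeB, step 4
	b := NewBackendNode()
	b.Ingress(gotLB, Flow{Src: client, Dst: pod})
	reply, _ := b.Reply(Flow{Src: pod, Dst: client})
	fmt.Println(reply.Src, "->", reply.Dst) // 203.0.113.5:443 -> 198.51.100.9:40000
}
```

<p>Two checks in <code>Decapsulate<\/code> matter on a node that accepts tunnel traffic: every option length is validated against the remaining bytes before it is read, and a packet that lacks the DSR option is dropped rather than delivered, because without the LB address the reply would leave with the Pod's own address as its source and the client would discard it.<\/p>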
\u3082\u30af\u30e9\u30b9\u30bf\u5185\u306e\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u3092\u30af\u30e9\u30b9\u30bf\u5916\u306b\u516c\u958b\u3059\u308b\u305f\u3081\u306b\u5229\u7528\u3057\u307e\u3059\u3002LoadBalancer service \u3068\u7570\u306a\u308b\u306e\u306f\u3001\u30b5\u30fc\u30d3\u30b9\u306e\u516c\u958b\u306e\u305f\u3081\u306b\u3001<code>EXTERNAL-IP<\/code> \u306e\u4ee3\u308f\u308a\u306b\u30dd\u30fc\u30c8\u3092\u5229\u7528\u3059\u308b\u3053\u3068\u3067\u3059\u3002\u4efb\u610f\u306e Kubernetes \u30ce\u30fc\u30c9\u306e\u305d\u306e\u30dd\u30fc\u30c8\u5b9b\u306e\u901a\u4fe1\u3092\u3001NodePort service \u306b\u7d10\u3065\u3044\u305f\u30d0\u30c3\u30af\u30a8\u30f3\u30c9\u306b\u8ee2\u9001\u3057\u307e\u3059\u3002<\/p>\n<p>\u203b Cilium \u306e BPF \u30d7\u30ed\u30b0\u30e9\u30e0\u306e\u5b9f\u88c5\u3068\u3057\u3066\u306f\u3001<code>NodePort<\/code> \u3068 <code>LoadBalancer<\/code> \u306f\u540c\u4e00\u3067\u3059\u3002<\/p>\n<h4 id=\"Cilium-\u306e-BPF-\u30d7\u30ed\u30b0\u30e9\u30e0\u3068\u30de\u30c3\u30d7\u306e\u6982\u8981\">Cilium \u306e BPF \u30d7\u30ed\u30b0\u30e9\u30e0\u3068\u30de\u30c3\u30d7\u306e\u6982\u8981<\/h4>\n<p>Cilium \u306f eBPF \u3067\u30d1\u30b1\u30c3\u30c8\u51e6\u7406\u3092\u884c\u3044\u307e\u3059\u3002<br \/>eBPF \u306f\u30d1\u30b1\u30c3\u30c8\u51e6\u7406\u306e\u305f\u3081\u306b\u3055\u307e\u3056\u307e\u306a\u30d5\u30c3\u30af\u30dd\u30a4\u30f3\u30c8\u3092\u63d0\u4f9b\u3057\u3066\u304a\u308a\u3001Cilium \u3067\u306f\u4e3b\u306b <code>TC<\/code> \u306b\u30a2\u30bf\u30c3\u30c1\u3059\u308b BPF \u30d7\u30ed\u30b0\u30e9\u30e0\u3067\u30d1\u30b1\u30c3\u30c8\u3092\u51e6\u7406\u3057\u307e\u3059\u3002<\/p>\n<p>\u203b Linux \u30ab\u30fc\u30cd\u30eb 6.6 \u4ee5\u964d\u304b\u3089 <code>TC<\/code> \u306e\u5f37\u5316\u7248\u306e <code>TCX<\/code> \u304c\u5b9f\u88c5\u3055\u308c\u307e\u3057\u305f\u3002<br \/>\n<code>TCX<\/code> \u306f\u5f93\u6765\u306e <code>TC Classifier<\/code> 
\u306e\u5f37\u5316\u7248\u3068\u601d\u3063\u3066\u3044\u305f\u3060\u3051\u308c\u3070\u5341\u5206\u3067\u3059\u3002<br \/>\nCilium \u306f\u3053\u308c\u3092 v1.16 \u304b\u3089\u30b5\u30dd\u30fc\u30c8\u3057\u3066\u3044\u3066\u3001\u30c7\u30d5\u30a9\u30eb\u30c8\u3067\u5229\u7528\u3055\u308c\u308b\u306e\u306f <code>TCX<\/code> \u3067\u3059\u3002<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/lore.kernel.org\/all\/20230719140858.13224-1-daniel@iogearbox.net\/\">[PATCH bpf-next v6 0\/8] BPF link support for tc BPF programs &#8211; Daniel Borkmann<\/a><\/p>\n<p>\u203b BPF \u30d7\u30ed\u30b0\u30e9\u30e0\u4e0a\u306f <code>TC<\/code> \u3068 <code>TCX<\/code> \u3067\u5909\u5316\u306f\u307b\u3068\u3093\u3069\u306a\u304f\u3001\u57fa\u672c\u7684\u306a\u6319\u52d5\u3082\u5909\u308f\u3089\u306a\u3044\u306e\u3067\u3001\u672c\u8a18\u4e8b\u3067\u306f\u99b4\u67d3\u307f\u306e\u3042\u308b <code>TC<\/code> \u3067\u4ee5\u964d\u306e\u89e3\u8aac\u3092\u884c\u3044\u307e\u3059\u3002<\/p>\n<p>\u203b \u8a2d\u5b9a\u6b21\u7b2c\u3067\u306f <code>XDP<\/code> \u30e2\u30fc\u30c9\u3092\u5229\u7528\u3059\u308b\u3053\u3068\u3082\u3067\u304d\u307e\u3059\u3057\u3001\u4e00\u90e8\u3067 <code>cgroup<\/code> \u3082\u5229\u7528\u3057\u307e\u3059\u3002<\/p>\n<p><code>TC<\/code> \u306f Ingress\/Egress \u305d\u308c\u305e\u308c\u306b\u30d7\u30ed\u30b0\u30e9\u30e0\u3092\u30a2\u30bf\u30c3\u30c1\u3067\u304d\u307e\u3059\u3002<br \/>Cilium \u304c\u30ab\u30fc\u30cd\u30eb\u306b\u30a2\u30bf\u30c3\u30c1\u3059\u308b BPF \u30d7\u30ed\u30b0\u30e9\u30e0\u306e\u6982\u8981\u306f\u4ee5\u4e0b\u306e\u56f3\u306e\u3088\u3046\u306b\u306a\u3063\u3066\u3044\u307e\u3059\u3002<\/p>\n<figure class=\"figure-image figure-image-fotolife\" title=\"Cilium \u306e BPF \u30d7\u30ed\u30b0\u30e9\u30e0\u306e\u69cb\u6210\"><span itemscope=\"\" itemtype=\"http:\/\/schema.org\/Photograph\"><img decoding=\"async\" src=\"https:\/\/cdn-ak.f.st-hatena.com\/images\/fotolife\/c\/cybozuinsideout\/20251024\/20251024150014.png\" width=\"600\" height=\"451\" 
loading=\"lazy\" title=\"\" class=\"hatena-fotolife\" itemprop=\"image\"\/><\/span><figcaption>Cilium \u306e BPF \u30d7\u30ed\u30b0\u30e9\u30e0\u306e\u69cb\u6210<\/figcaption><\/figure>\n<\/p>\n<p>\u30ce\u30fc\u30c9\u4e0a\u306e Pod \u306f <code>veth(Virtual Ethernet Device)<\/code> \u306e\u30da\u30a2\u304c\u30b3\u30f3\u30c6\u30ca\u5074\u3068\u30db\u30b9\u30c8\u5074\u3067\u4e00\u5bfe\u4e00\u5bfe\u5fdc\u3067\u4f5c\u6210\u3055\u308c\u3066\u3001\u901a\u4fe1\u3092\u884c\u3044\u307e\u3059\u3002<br \/>Cilium \u306f\u4e0a\u306e\u56f3\u306e\u3088\u3046\u306b\u3001\u30ce\u30fc\u30c9\u306e\u30d7\u30e9\u30a4\u30de\u30ea\u306a\u30c7\u30d0\u30a4\u30b9\uff08\u3053\u3053\u3067\u306f <code>eth0<\/code>\uff09\u3068\u5fc5\u8981\u306b\u5fdc\u3058\u3066\u30c8\u30f3\u30cd\u30eb\u30c7\u30d0\u30a4\u30b9\uff08<code>cilium_geneve<\/code>\uff09\u3001\u30db\u30b9\u30c8\u5074\u306e veth \u306b\u305d\u308c\u305e\u308c\u7570\u306a\u308b BPF \u30d7\u30ed\u30b0\u30e9\u30e0\u3092 Ingress\/Egress \u305d\u308c\u305e\u308c\u306b\u30a2\u30bf\u30c3\u30c1\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u203b <code>cilium_geneve<\/code> \u30c7\u30d0\u30a4\u30b9\u306f\u8a2d\u5b9a\u5024\u306b\u5fdc\u3058\u3066 cilium-agent \u304c\u4f5c\u6210\u3059\u308b\u30c7\u30d0\u30a4\u30b9\u3067\u3059\u3002<br \/>\n\u672c\u8a18\u4e8b\u4e2d\u3067\u306f LB \u306e\u30d1\u30b1\u30c3\u30c8\u3092 DSR \u3059\u308b\u305f\u3081\u306b\u5229\u7528\u3055\u308c\u307e\u3059\u3002<\/p>\n<p><a target=\"_blank\" href=\"#externalTrafficPolicyCluster\">externalTrafficPolicy=Cluster<\/a><\/p>\n<p>\u4ee5\u524d\u4f3c\u305f\u5185\u5bb9\u3067 LT \u3092\u3057\u305f\u969b\u306e\u8cc7\u6599\u3067\u3059\u3002\u8208\u5473\u306e\u3042\u308b\u65b9\u306f\u8997\u3044\u3066\u307f\u3066\u304f\u3060\u3055\u3044\u3002<\/p>\n<p><iframe loading=\"lazy\" id=\"talk_frame_1147606\" class=\"speakerdeck-iframe\" src=\"https:\/\/speakerdeck.com\/player\/4fc0c40201da411f983681065f083b45\" width=\"710\" height=\"399\" style=\"aspect-ratio:710\/399; border:0; 
padding:0; margin:0; background:transparent;\" frameborder=\"0\" allowtransparency=\"true\" allowfullscreen=\"allowfullscreen\"><\/iframe> <cite class=\"hatena-citation\"><a target=\"_blank\" href=\"https:\/\/speakerdeck.com\/terassyi\/shao-siwakaruciliumnoebpfpuroguramu?slide=9\">speakerdeck.com<\/a><\/cite><\/p>\n<p>Cilium \u306f BPF \u30d7\u30ed\u30b0\u30e9\u30e0\u3068\u540c\u69d8\u306b\u8907\u6570\u306e BPF \u30de\u30c3\u30d7\u3082\u4f5c\u6210\u3057\u307e\u3059\u3002\u305d\u306e\u7528\u9014\u306f\u591a\u5c90\u306b\u6e21\u308a\u307e\u3059\u304c\u3001\u672c\u8a18\u4e8b\u3067\u767b\u5834\u3059\u308b\u306e\u306f CT map(\u6b63\u5f0f\u540d\u79f0\uff1a<code>cilium_ct4_global<\/code>\/<code>cilium_ct_any4_global<\/code>) \u3068 Service map(\u6b63\u5f0f\u540d\u79f0\uff1a<code>cilium_lb4_services_v2<\/code>) \u3001RevNAT map(\u6b63\u5f0f\u540d\u79f0\uff1a<code>cilium_lb4_reverse_nat<\/code>) \u306a\u3069\u3067\u3059\u3002\u305d\u308c\u305e\u308c\u4ee5\u4e0b\u306e\u7528\u9014\u3067\u5229\u7528\u3055\u308c\u307e\u3059\u3002<\/p>\n<ul>\n<li>CT map\n<ul>\n<li><code>cilium_ct4_global<\/code>\uff08TCP \u7528\uff09<\/li>\n<li><code>cilium_ct_any4_global<\/code>\uff08TCP \u4ee5\u5916\u306e\u30d7\u30ed\u30c8\u30b3\u30eb\u7528\uff09<\/li>\n<li>Conntrack \u30c6\u30fc\u30d6\u30eb\u3002\u672c\u8a18\u4e8b\u306e\u4e3b\u5f79<\/li>\n<li>\u8a73\u7d30\u306f <a target=\"_blank\" href=\"#CT-map\">CT map<\/a> \u3067\u89e3\u8aac\u3057\u307e\u3059<\/li>\n<\/ul>\n<\/li>\n<li>Service map\n<ul>\n<li><code>cilium_lb4_services_v2<\/code><\/li>\n<li>Kubernetes \u306e Service \u306e\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u306a\u3069\u306e\u60c5\u5831\u3092\u4fdd\u5b58\u3057\u3066\u304a\u304d\u307e\u3059<\/li>\n<li>\u5404 Service \u306e\u30a2\u30c9\u30ec\u30b9\u3068\u30dd\u30fc\u30c8\u306a\u3069\u3092\u30ad\u30fc\u3001\u4e0a\u8a18\u306e\u3088\u3046\u306a\u60c5\u5831\u3092\u30d0\u30ea\u30e5\u30fc\u306b\u4fdd\u6301\u3057\u307e\u3059<\/li>\n<\/ul>\n<\/li>\n<li>RevNAT 
map\n<ul>\n<li><code>cilium_lb4_reverse_nat<\/code><\/li>\n<li>Service \u306e\u901a\u4fe1\u306e reverse NAT \u306b\u5229\u7528\u3057\u307e\u3059<\/li>\n<li>Service \u306b\u5bfe\u3057\u3066\u4e00\u610f\u306a ID \u3092\u30ad\u30fc\u3001Service \u306e\u30a2\u30c9\u30ec\u30b9\u3068\u30dd\u30fc\u30c8\u3092\u30d0\u30ea\u30e5\u30fc\u306b\u4fdd\u6301\u3057\u307e\u3059<\/li>\n<\/ul>\n<\/li>\n<li>NAT map\n<ul>\n<li><code>cilium_snat_v4_external<\/code><\/li>\n<li>Pod \u304b\u3089\u30d1\u30b1\u30c3\u30c8\u3092\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u306b DSR \u3059\u308b\u3068\u304d\u306b SNAT \u3059\u308b\u305f\u3081\u306e\u60c5\u5831\u3092\u4fdd\u5b58\u3057\u307e\u3059<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2 id=\"Cilium-Connection-Tracking-Deep-Dive\">Cilium Connection Tracking Deep Dive<\/h2>\n<p>\u3053\u3053\u307e\u3067 Cilium \u306e conntrack \u306e\u524d\u63d0\u77e5\u8b58\u3092\u7d39\u4ecb\u3057\u307e\u3057\u305f\u3002<br \/>\u3053\u3053\u304b\u3089\u306f\u672c\u984c\u306e Cilium \u306e conntrack \u304c\u3069\u306e\u3088\u3046\u306b\u5b9f\u88c5\u3055\u308c\u3001\u52d5\u4f5c\u3057\u3066\u3044\u308b\u304b\u3092\u89e3\u8aac\u3057\u307e\u3059\u3002<\/p>\n<p>\u203b Cilium v1.16.12 \u5b9f\u88c5\u3092\u30d9\u30fc\u30b9\u306b\u7d39\u4ecb\u3057\u307e\u3059\u3002\u6700\u65b0\u7248\u3067\u306f\u7570\u306a\u308b\u5b9f\u88c5\u3068\u306a\u3063\u3066\u3044\u308b\u53ef\u80fd\u6027\u306f\u5341\u5206\u3042\u308b\u306e\u3067\u6ce8\u610f\u3057\u3066\u304f\u3060\u3055\u3044\u3002<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/tree\/v1.16.12\">GitHub &#8211; cilium\/cilium at v1.16.12<\/a><\/p>\n<p>\u203b IPv4 \u306e\u5b9f\u88c5\u306e\u307f\u3092\u89e3\u8aac\u3057\u307e\u3059\u3002<\/p>\n<p>\u203b \u4eca\u5f8c CT map \u3068\u66f8\u304f\u3068\u304d\u3001\u57fa\u672c\u7684\u306b\u306f <code>cilium_ct4_global<\/code> \u3092\u6307\u3057\u307e\u3059\u3002<code>cilium_ct_any4_global<\/code> 
\u306b\u3064\u3044\u3066\u8a00\u53ca\u3059\u308b\u969b\u306f\u660e\u306b\u8a18\u8ff0\u3057\u307e\u3059\u3002<\/p>\n<p>Cilium \u306e conntrack \u306f eBPF \u306b\u3088\u308b  \u30d1\u30b1\u30c3\u30c8\u51e6\u7406\u306e\u5b9f\u88c5\u3068 Go \u3067\u66f8\u304b\u308c\u305f control plane (cilium-agent) \u306e\u4e8c\u3064\u306e\u90e8\u5206\u306b\u5206\u3051\u3089\u308c\u307e\u3059\u3002<br \/>Conntrack \u306b\u3064\u3044\u3066\u306f\u30b3\u30a2\u3068\u306a\u308b\u306e\u306f\u5b9f\u969b\u306b\u30d1\u30b1\u30c3\u30c8\u3092\u51e6\u7406\u3059\u308b BPF \u30d7\u30ed\u30b0\u30e9\u30e0\u3067\u3059\u3002\u307b\u3068\u3093\u3069\u306e\u51e6\u7406\u306f BPF \u30d7\u30ed\u30b0\u30e9\u30e0\u5185\u3067\u5b8c\u7d50\u3057\u307e\u3059\u304c\u3001CT map \u306e GC(Garbage Collection) \u3092 control plane \u3067\u5b9f\u65bd\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<h3 id=\"\u6982\u8981\">\u6982\u8981<\/h3>\n<p>\u307e\u305a\u306f\u6982\u8981\u3092\u63b4\u307f\u307e\u3057\u3087\u3046\u3002<br \/>\n\u4e0b\u56f3\u306f Cilium \u306e conntrack \u306e\u6982\u8981\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<figure class=\"figure-image figure-image-fotolife\" title=\"Cilium \u306e conntrack \u306e\u6982\u8981\"><span itemscope=\"\" itemtype=\"http:\/\/schema.org\/Photograph\"><img decoding=\"async\" src=\"https:\/\/cdn-ak.f.st-hatena.com\/images\/fotolife\/c\/cybozuinsideout\/20251024\/20251024150018.png\" width=\"464\" height=\"491\" loading=\"lazy\" title=\"\" class=\"hatena-fotolife\" itemprop=\"image\"\/><\/span><figcaption>Cilium \u306e conntrack \u306e\u6982\u8981<\/figcaption><\/figure>\n<\/p>\n<p>CT map \u306f\u30ce\u30fc\u30c9\u3054\u3068\u306b\u4f5c\u6210\u3055\u308c\u3001\u30ce\u30fc\u30c9\u4e0a\u306e\u5404\u30c7\u30d0\u30a4\u30b9\u306b\u30a2\u30bf\u30c3\u30c1\u3055\u308c\u305f BPF 
\u30d7\u30ed\u30b0\u30e9\u30e0\u304b\u3089\u64cd\u4f5c\u3055\u308c\u3001\u30d1\u30b1\u30c3\u30c8\u3054\u3068\u306b\u5bfe\u5fdc\u3059\u308b\u30a8\u30f3\u30c8\u30ea\u304c\u6700\u65b0\u306e\u72b6\u614b\u306b\u66f4\u65b0\u3055\u308c\u307e\u3059\u3002<br \/>\u307e\u305f\u3001cilium-agent \u306f\u5b9a\u671f\u7684\u306b\u30e6\u30fc\u30b6\u30fc\u7a7a\u9593\u304b\u3089 CT map \u3092 GC \u3057\u3066\u4e0d\u8981\u306a\u30a8\u30f3\u30c8\u30ea\u3092\u524a\u9664\u3057\u307e\u3059\u3002<\/p>\n<h3 id=\"CT-map\">CT map<\/h3>\n<p>\u672c\u683c\u7684\u306b\u901a\u4fe1\u306e\u89e3\u8aac\u306b\u5165\u308b\u524d\u306b\u3001CT map \u306b\u3064\u3044\u3066\u8aac\u660e\u3057\u307e\u3059\u3002<br \/>\n<a target=\"_blank\" href=\"#Cilium-%E3%81%AE-BPF-%E3%83%97%E3%83%AD%E3%82%B0%E3%83%A9%E3%83%A0%E3%81%A8%E3%83%9E%E3%83%83%E3%83%97%E3%81%AE%E6%A6%82%E8%A6%81\">Cilium-\u306e-BPF-\u30d7\u30ed\u30b0\u30e9\u30e0\u3068\u30de\u30c3\u30d7\u306e\u6982\u8981<\/a> \u3067\u8ff0\u3079\u305f\u901a\u308a\u3001CT map \u306b\u306f TCP \u7528\u306e <code>cilium_ct4_global<\/code> \u3068\u305d\u308c\u4ee5\u5916\u306e\u30d7\u30ed\u30c8\u30b3\u30eb\u7528\u306e <code>cilium_ct_any4_global<\/code> \u3068\u3044\u3046\u4e8c\u3064\u304c\u5b58\u5728\u3057\u307e\u3059\u3002<\/p>\n<p>BPF \u30de\u30c3\u30d7\u306f\u57fa\u672c\u7684\u306b\u306f\u30ad\u30fc\u30d0\u30ea\u30e5\u30fc\u30b9\u30c8\u30a2\u3067\u3059\u3002\u30de\u30c3\u30d7\u306e\u30c7\u30fc\u30bf\u69cb\u9020\u306f\u3055\u307e\u3056\u307e\u306a\u3082\u306e\u304c\u9078\u3079\u307e\u3059\u304c\u3001CT map \u306f <code>LRU(Least Recently Used) Hash<\/code> \u3092\u5229\u7528\u3057\u3066\u3044\u307e\u3059\u3002<br \/>LRU Hash \u306b\u3064\u3044\u3066\u306f\u4ee5\u4e0b\u3092\u53c2\u7167\u3057\u3066\u304f\u3060\u3055\u3044\u3002<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/docs.ebpf.io\/linux\/map-type\/BPF_MAP_TYPE_LRU_HASH\/\">Map Type &#8216;BPF_MAP_TYPE_LRU_HASH&#8217; &#8211; eBPF 
Docs<\/a><\/p>\n<p><code>cilium_ct4_global<\/code>\u3001<code>cilium_ct_any4_global<\/code> \u3069\u3061\u3089\u3082\u5171\u901a\u306e\u30ad\u30fc\u3068\u30d0\u30ea\u30e5\u30fc\u3092\u6301\u3061\u3001\u30de\u30c3\u30d7\u306e\u30b5\u30a4\u30ba\u306f\u4e0a\u9650\u5024\u306f\u3042\u308a\u307e\u3059\u304c\u3001\u8a2d\u5b9a\u306b\u3088\u3063\u3066\u5909\u66f4\u53ef\u80fd\u3067\u3059\u3002<\/p>\n<h4 id=\"BPF-\u30de\u30c3\u30d7\u306e\u5b9a\u7fa9\">BPF \u30de\u30c3\u30d7\u306e\u5b9a\u7fa9<\/h4>\n<p>\u5b9f\u969b\u306e\u5b9a\u7fa9\u306f\u4ee5\u4e0b\u306e\u3088\u3046\u306b\u306a\u3063\u3066\u3044\u307e\u3059\u3002<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/conntrack_map.h#L106-L112\">cilium\/bpf\/lib\/conntrack_map.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/p>\n<pre class=\"code lang-c\" data-lang=\"c\" data-unlink=\"\"><span class=\"synType\">struct<\/span> {\n    <span class=\"synIdentifier\">__uint<\/span>(type, BPF_MAP_TYPE_LRU_HASH);\n    <span class=\"synIdentifier\">__type<\/span>(key, <span class=\"synType\">struct<\/span> ipv4_ct_tuple);\n    <span class=\"synIdentifier\">__type<\/span>(value, <span class=\"synType\">struct<\/span> ct_entry);\n    <span class=\"synIdentifier\">__uint<\/span>(pinning, LIBBPF_PIN_BY_NAME);\n    <span class=\"synIdentifier\">__uint<\/span>(max_entries, CT_MAP_SIZE_TCP);\n} CT_MAP_TCP4 __section_maps_btf;\n<\/pre>\n<h4 id=\"\u30ad\u30fc\u69cb\u9020\u4f53ipv4_ct_tuple\">\u30ad\u30fc\u69cb\u9020\u4f53\uff08ipv4_ct_tuple\uff09<\/h4>\n<p>\u30ad\u30fc\u3068\u306a\u308b <code>ipv4_ct_tuple<\/code> \u306f 5-tuple \u3068 <code>flag<\/code> \u3092\u30d5\u30a3\u30fc\u30eb\u30c9\u3068\u3057\u3066\u6301\u3061\u307e\u3059\u3002<br \/>CT \u30a8\u30f3\u30c8\u30ea\u306f\u5185\u90e8\u7684\u306b\u4ee5\u4e0b\u306e\u4e09\u3064\u306e\u30bf\u30a4\u30d7\u306b\u5206\u985e\u3055\u308c\u3001<code>flag<\/code> 
\u306b\u57cb\u3081\u8fbc\u307e\u308c\u307e\u3059\u3002<\/p>\n<ul>\n<li><code>CT_SERVICE<\/code>\n<ul>\n<li>Service \u306e\u901a\u4fe1\u7528<\/li>\n<li>Service \u5b9b\u306e\u901a\u4fe1\u306e\u72b6\u614b\u3092\u4fdd\u5b58\u3057\u3066\u3001\u8ee2\u9001\u3059\u3079\u304d\u30d0\u30c3\u30af\u30a8\u30f3\u30c9 Pod \u306a\u3069\u3092\u5224\u65ad\u3067\u304d\u308b\u3088\u3046\u306b\u3057\u307e\u3059<\/li>\n<\/ul>\n<\/li>\n<li><code>CT_EGRESS<\/code>\n<ul>\n<li>Pod \u304b\u3089\u5916\u306b\u51fa\u3066\u3044\u304f\uff08Egress\uff09\u901a\u4fe1\u7528<\/li>\n<\/ul>\n<\/li>\n<li><code>CT_INGRESS<\/code>\n<ul>\n<li>Pod \u306b\u5165\u3063\u3066\u3044\u304f\uff08Ingress\uff09\u901a\u4fe1\u7528<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/common.h#L941-L954\">cilium\/bpf\/lib\/common.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/p>\n<pre class=\"code lang-c\" data-lang=\"c\" data-unlink=\"\"><span class=\"synType\">struct<\/span> ipv4_ct_tuple {\n    \n\n\n    __be32      daddr;\n    __be32      saddr;\n    \n\n\n    __be16      dport;\n    __be16      sport;\n    __u8        nexthdr;\n    __u8        flags;\n} __packed;\n<\/pre>\n<h4 id=\"\u30d0\u30ea\u30e5\u30fc\u69cb\u9020\u4f53ct_entry\">\u30d0\u30ea\u30e5\u30fc\u69cb\u9020\u4f53\uff08ct_entry\uff09<\/h4>\n<p>\u30d0\u30ea\u30e5\u30fc\u3068\u306a\u308b <code>ct_entry<\/code> \u306f\u591a\u304f\u306e\u30d5\u30a3\u30fc\u30eb\u30c9\u3092\u6301\u3061\u307e\u3059\u3002\u3053\u3053\u3067\u5168\u3066\u3092\u7d39\u4ecb\u306f\u3067\u304d\u306a\u3044\u306e\u3067\u3001\u9069\u5b9c\u8aac\u660e\u3059\u308b\u3053\u3068\u3068\u3057\u307e\u3059\u3002<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/common.h#L956-L994\">cilium\/bpf\/lib\/common.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/p>\n<pre class=\"code lang-c\" data-lang=\"c\" data-unlink=\"\"><span class=\"synType\">struct<\/span> 
ct_entry {\n    __u64 reserved0;    \n    __u64 backend_id;\n    __u64 packets;\n    __u64 bytes;\n    __u32 lifetime;\n    __u16 rx_closing:<span class=\"synConstant\">1<\/span>,\n          tx_closing:<span class=\"synConstant\">1<\/span>,\n          reserved1:<span class=\"synConstant\">1<\/span>, \n          lb_loopback:<span class=\"synConstant\">1<\/span>,\n          seen_non_syn:<span class=\"synConstant\">1<\/span>,\n          node_port:<span class=\"synConstant\">1<\/span>,\n          proxy_redirect:<span class=\"synConstant\">1<\/span>,    \n          dsr_internal:<span class=\"synConstant\">1<\/span>,  \n          from_l7lb:<span class=\"synConstant\">1<\/span>, \n          reserved2:<span class=\"synConstant\">1<\/span>, \n          from_tunnel:<span class=\"synConstant\">1<\/span>,   \n          reserved3:<span class=\"synConstant\">5<\/span>;\n    __u16 rev_nat_index;\n    \n<\/pre>\n<p>\u4ee5\u964d\u306f <a target=\"_blank\" href=\"#Cilium-%E3%81%8C%E7%AE%A1%E7%90%86%E3%81%99%E3%82%8B-Kubernetes-%E3%83%8D%E3%83%83%E3%83%88%E3%83%AF%E3%83%BC%E3%82%AF\">Kubernetes \u306e\u5404\u901a\u4fe1\u65b9\u5f0f<\/a>\u3054\u3068\u306b Cilium \u306e conntrack \u304c\u3069\u306e\u3088\u3046\u306b\u52d5\u4f5c\u3059\u308b\u304b\u8aac\u660e\u3057\u307e\u3059\u3002<\/p>\n<p>\u203b \u4ee5\u964d\u306e\u89e3\u8aac\u3067\u306f <code>NodePort<\/code> \u3068 <code>LoadBalancer<\/code> \u3092\u540c\u4e00\u8996\u3057\u3001\u4fbf\u5b9c\u4e0a <code>LoadBalancer<\/code> \u3068\u3057\u3066\u89e3\u8aac\u3057\u307e\u3059\u3002<br \/>\n\u307e\u305f\u3001<code>LoadBalancer<\/code> \u306b\u3064\u3044\u3066\u306f <code>externalTrafficPolicy=Cluster<\/code> \u306e\u307f\u3092\u89e3\u8aac\u3057\u307e\u3059\u3002<\/p>\n<p>\u203b Neco \u3067\u73fe\u5728\u5229\u7528\u3057\u3066\u3044\u308b\u8a2d\u5b9a <code>Maglev hashing + DSR with Geneve encap<\/code> \u306b\u9650\u3063\u3066\u89e3\u8aac\u3057\u307e\u3059\u3002<\/p>\n<p>\u203b \u4ee5\u964d\u306e\u89e3\u8aac\u3067\u306f Cilium \u306e eBPF 
\u306e\u30b3\u30fc\u30c9\u3092 GitHub \u3078\u306e\u30ea\u30f3\u30af\u3092\u30dd\u30a4\u30f3\u30c8\u3057\u306a\u304c\u3089\u89e3\u8aac\u3057\u307e\u3059\u3002Cilium \u306e BPF \u30d7\u30ed\u30b0\u30e9\u30e0\u306f tail call \u3084\u30de\u30af\u30ed\u3092\u591a\u7528\u3057\u305f\u975e\u5e38\u306b\u8907\u96d1\u306a\u30b3\u30fc\u30c9\u306b\u306a\u3063\u3066\u3044\u307e\u3059\u3002<br \/>\n\u30a8\u30c7\u30a3\u30bf\u306e\u5b9a\u7fa9\u30b8\u30e3\u30f3\u30d7\u304c\u6a5f\u80fd\u3057\u306a\u3044\u305f\u3081\u3001\u30b3\u30fc\u30c9\u3092\u8aad\u3080\u969b\u306f tail call \u3092\u610f\u8b58\u3057\u3066\u6587\u5b57\u5217\u691c\u7d22\u3092\u99c6\u4f7f\u3057\u3066\u9811\u5f35\u3063\u3066\u304f\u3060\u3055\u3044\u3002<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/docs.ebpf.io\/linux\/concepts\/tail-calls\/\">Tail calls &#8211; eBPF Docs<\/a><\/p>\n<h3 id=\"Pod-\u9593\u901a\u4fe1-1\">Pod \u9593\u901a\u4fe1<\/h3>\n<p>\u6700\u3082\u57fa\u672c\u7684\u306a\u901a\u4fe1\u3067\u3059\u3002\u305d\u306e\u305f\u3081 conntrack \u306e\u64cd\u4f5c\u3082\u6700\u3082\u30b7\u30f3\u30d7\u30eb\u3067\u3059\u3002<br \/>\u3057\u304b\u3057\u3001\u3053\u308c\u4ee5\u964d\u306b\u7d39\u4ecb\u3059\u308b Service \u95a2\u9023\u306e\u901a\u4fe1\u306e\u57fa\u790e\u3068\u306a\u308b\u306e\u3067\u975e\u5e38\u306b\u91cd\u8981\u3067\u3082\u3042\u308a\u307e\u3059\u3002<\/p>\n<p><code>NodeA<\/code> \u4e0a\u306e <code>Pod1(10.64.0.36)<\/code> \u304b\u3089 <code>NodeB<\/code> \u4e0a\u306e <code>Pod2(10.64.0.64)<\/code> \u3078\u306e\u901a\u4fe1\u3092\u4f8b\u306b\u52d5\u4f5c\u3092\u4e0b\u56f3\u3092\u7528\u3044\u3066\u89e3\u8aac\u3057\u307e\u3059\u3002<\/p>\n<figure class=\"figure-image figure-image-fotolife\" title=\"Pod \u9593\u901a\u4fe1\u306e conntrack \u64cd\u4f5c\u3068\u30d1\u30b1\u30c3\u30c8\u306e\u6d41\u308c\"><span itemscope=\"\" itemtype=\"http:\/\/schema.org\/Photograph\"><img decoding=\"async\" src=\"https:\/\/cdn-ak.f.st-hatena.com\/images\/fotolife\/c\/cybozuinsideout\/20251024\/20251024150022.png\" 
width=\"800\" height=\"466\" loading=\"lazy\" title=\"\" class=\"hatena-fotolife\" itemprop=\"image\"\/><\/span><figcaption>Pod \u9593\u901a\u4fe1\u306e conntrack \u64cd\u4f5c\u3068\u30d1\u30b1\u30c3\u30c8\u306e\u6d41\u308c<\/figcaption><\/figure>\n<\/p>\n<p>Pod \u9593\u901a\u4fe1\u3092\u884c\u3046\u6642\u3001\u9001\u4fe1\u5074\uff08Egress\uff09\u3068\u53d7\u4fe1\u5074\uff08Ingress\uff09\u53cc\u65b9\u3067 conntrack \u306e\u51e6\u7406\u304c\u5b9f\u884c\u3055\u308c\u307e\u3059\u3002\u305d\u306e\u305f\u3081\u3001\u3053\u3053\u3067\u306f Egress\/Ingress \u306b\u5206\u3051\u3066\u8aac\u660e\u3057\u307e\u3059\u3002<\/p>\n<h4 id=\"Pod1-\u304b\u3089\u306e-Egress\">Pod1 \u304b\u3089\u306e Egress<\/h4>\n<p><code>Pod1<\/code> \u304b\u3089 <code>Pod2<\/code> \u306b\u901a\u4fe1\u3092\u3059\u308b\u6642\u3001\u30b3\u30f3\u30c6\u30ca\u5185\u90e8\u3067\u306f\u4e00\u822c\u7684\u306a\u30b3\u30f3\u30c6\u30ca\u3068\u540c\u69d8\u306b Linux \u30ab\u30fc\u30cd\u30eb\u306e\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u30bf\u30c3\u30af\u3092\u901a\u3063\u3066\u30db\u30b9\u30c8\u5074\u306e veth \u30c7\u30d0\u30a4\u30b9\u306b\u30d1\u30b1\u30c3\u30c8\u304c\u5f15\u304d\u6e21\u3055\u308c\u307e\u3059\u3002<br \/>\u305d\u306e\u5f8c\u3001<code>cil_from_container<\/code> \u30d7\u30ed\u30b0\u30e9\u30e0\u304c\u5b9f\u884c\u3055\u308c\u3001\u4ee5\u4e0b\u306e\u3088\u3046\u306a conntrack \u306e\u51e6\u7406\u304c\u5b9f\u884c\u3055\u308c\u3066 <code>Pod2<\/code> \u306b\u30d1\u30b1\u30c3\u30c8\u304c\u9001\u51fa\u3055\u308c\u307e\u3059\u3002<\/p>\n<p>\u203b \u7b87\u6761\u66f8\u304d\u306e\u756a\u53f7\u306f\u4e0a\u56f3\u306e <code>NodeA<\/code> \u4e0a\u306e\u9ed2\u306e\u756a\u53f7\u3068\u5bfe\u5fdc\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<ol>\n<li>CT map \u3092 lookup\uff08\u691c\u7d22\uff09\u3057\u3066\u65e2\u5b58\u306e\u30a8\u30f3\u30c8\u30ea\u304c\u306a\u3044\u304b\u8abf\u3079\u307e\u3059\n<ol type=\"a\">\n<li><a target=\"_blank\" 
href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/bpf_lxc.c#L1346\">cilium\/bpf\/bpf_lxc.c at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<li>\u65b0\u898f\u901a\u4fe1\u306e\u5834\u5408\u3001<code>CT_NEW<\/code> \u3068\u3044\u3046\u30a2\u30af\u30b7\u30e7\u30f3\u304c\u9078\u629e\u3055\u308c\u307e\u3059<\/li>\n<\/ol>\n<\/li>\n<li>CT map \u306b <code>CT_EGRESS<\/code> \u306e\u30a8\u30f3\u30c8\u30ea\u3092\u4f5c\u6210\u3057\u307e\u3059\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/bpf_lxc.c#L998-L999\">cilium\/bpf\/bpf_lxc.c at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<li>\u4e0a\u56f3\u306e <code>NodeA CT map<\/code> \u306b\u793a\u3057\u305f <code>CT_EGRESS<\/code> \u30a8\u30f3\u30c8\u30ea\u3092\u4f5c\u6210\u3057\u307e\u3059<\/li>\n<li>ICMP \u3092\u6271\u3046\u305f\u3081\u306b\u3001<code>cilium_ct_any4_global<\/code> CT map \u306b\u3082\u30a8\u30f3\u30c8\u30ea\u304c\u4f5c\u6210\u3055\u308c\u307e\u3059\n<ol type=\"a\">\n<li>\u3053\u306e\u30b3\u30cd\u30af\u30b7\u30e7\u30f3\u306b\u5bfe\u3057\u3066 ICMP \u30d1\u30b1\u30c3\u30c8\u304c\u8fd4\u3063\u3066\u304d\u305f\u5834\u5408\u306b Network Policy \u306e\u5224\u5b9a\u3092\u30b9\u30ad\u30c3\u30d7\u3059\u308b\u305f\u3081\u306b\u4f5c\u6210\u3055\u308c\u307e\u3059<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n<li>\u30db\u30b9\u30c8\u4e0a\u306e <code>eth0<\/code> \u306b\u30a2\u30bf\u30c3\u30c1\u3055\u308c\u305f <code>cil_to_netdev<\/code> \u3092\u901a\u3063\u305f\u5f8c\u3001Pod2 \u306b\u5411\u3051\u3066\u9001\u51fa\u3055\u308c\u307e\u3059<\/li>\n<\/ol>\n<p>\u4ee5\u4e0b\u304c\u5b9f\u969b\u306e conntrack \u30a8\u30f3\u30c8\u30ea\u3067\u3059\u3002<\/p>\n<pre class=\"code\" data-lang=\"\" data-unlink=\"\">node-a# cilium bpf ct list global | grep 10.64.0.64\nTCP OUT 10.64.0.36:54260 -&gt; 10.64.0.64:8000 expires=3026362 Packets=0 Bytes=0 RxFlagsSeen=0x1b LastRxReport=3026352 TxFlagsSeen=0x1b LastTxReport=3026352 Flags=0x0013 [ RxClosing 
TxClosing SeenNonSyn ] RevNAT=0 SourceSecurityID=3096 IfIndex=0 BackendID=0\nICMP OUT 10.64.0.36:0 -&gt; 10.64.0.64:0 related expires=3026412 Packets=0 Bytes=0 RxFlagsSeen=0x00 LastRxReport=0 TxFlagsSeen=0x02 LastTxReport=3026352 Flags=0x0000 [ ] RevNAT=0 SourceSecurityID=3096 IfIndex=0 BackendID=0<\/pre>\n<h4 id=\"Pod2-\u3078\u306e-Ingress\">Pod2 \u3078\u306e Ingress<\/h4>\n<p><code>Pod1<\/code> \u304b\u3089\u306e\u30d1\u30b1\u30c3\u30c8\u3092 <code>NodeB<\/code> \u304c\u53d7\u4fe1\u3059\u308b\u3068\u3001\u307e\u305a\u306f\u30db\u30b9\u30c8\u30c7\u30d0\u30a4\u30b9\u306e <code>cil_from_netdev<\/code> \u3067\u5fc5\u8981\u306a\u51e6\u7406\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002<br \/>\u305d\u306e\u5f8c\u3001\u30b3\u30f3\u30c6\u30ca\u306e\u30db\u30b9\u30c8\u5074 veth \u306b\u8ee2\u9001\u3055\u308c\u3001<code>cil_to_container<\/code> \u30d7\u30ed\u30b0\u30e9\u30e0\u3067\u4ee5\u4e0b\u306e\u3088\u3046\u306b conntrack \u306b\u95a2\u9023\u3059\u308b\u51e6\u7406\u304c\u5b9f\u65bd\u3055\u308c\u307e\u3059\u3002<\/p>\n<p>\u203b \u7b87\u6761\u66f8\u304d\u306e\u756a\u53f7\u306f\u4e0a\u56f3\u306e <code>NodeB<\/code> \u4e0a\u306e<span style=\"color: #ff0000\">\u8d64<\/span>\u306e\u756a\u53f7\u3068\u5bfe\u5fdc\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<ol>\n<li>\u53d7\u4fe1\u3057\u305f\u30d1\u30b1\u30c3\u30c8\u306b\u7d10\u3065\u304f\u30a8\u30f3\u30c8\u30ea\u3092 lookup \u3057\u307e\u3059\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/bpf_lxc.c#L2171-L2172\">cilium\/bpf\/bpf_lxc.c at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<li>\u65b0\u898f\u901a\u4fe1\u306e\u5834\u5408\u3001<code>CT_NEW<\/code> \u30a2\u30af\u30b7\u30e7\u30f3\u304c\u9078\u629e\u3055\u308c\u307e\u3059<\/li>\n<\/ol>\n<\/li>\n<li>CT map \u306b <code>CT_INGRESS<\/code> \u306e\u30a8\u30f3\u30c8\u30ea\u3092\u4f5c\u6210\u3057\u307e\u3059\n<ol type=\"a\">\n<li><a target=\"_blank\" 
href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/bpf_lxc.c#L1973-L1974\">cilium\/bpf\/bpf_lxc.c at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<li>\u4e0a\u56f3\u306e <code>NodeB CT map<\/code> \u306b <code>CT_INGRESS<\/code> \u30a8\u30f3\u30c8\u30ea\u3092\u4f5c\u6210\u3057\u307e\u3059<\/li>\n<li>ICMP \u3092\u6271\u3046\u305f\u3081\u306b\u3001<code>cilium_ct_any4_global<\/code> CT map \u306b\u3082\u30a8\u30f3\u30c8\u30ea\u304c\u4f5c\u6210\u3055\u308c\u307e\u3059<\/li>\n<\/ol>\n<\/li>\n<li><code>Pod1<\/code> \u3078\u306e\u8fd4\u4fe1\u30d1\u30b1\u30c3\u30c8\u306f\u3001\u3059\u3067\u306b (5) \u3067 <code>CT_INGRESS<\/code> \u30a8\u30f3\u30c8\u30ea\u3092\u4f5c\u6210\u3057\u3066\u3044\u308b\u305f\u3081\u3001\u3053\u306e\u30a8\u30f3\u30c8\u30ea\u3092\u5229\u7528\u3057\u3066\u7ba1\u7406\u3055\u308c\u3001\u9001\u51fa\u3055\u308c\u307e\u3059<\/li>\n<\/ol>\n<p>\u4ee5\u4e0b\u304c\u5b9f\u969b\u306e conntrack \u30a8\u30f3\u30c8\u30ea\u3067\u3059\u3002<\/p>\n<pre class=\"code\" data-lang=\"\" data-unlink=\"\">node-b$ cilium bpf ct list global | grep 10.64.0.64\nTCP IN 10.64.0.36:54260 -&gt; 10.64.0.64:8000 expires=3026362 Packets=0 Bytes=0 RxFlagsSeen=0x1b LastRxReport=3026352 TxFlagsSeen=0x1b LastTxReport=3026352 Flags=0x0013 [ RxClosing TxClosing SeenNonSyn ] RevNAT=0 SourceSecurityID=3096 IfIndex=0 BackendID=0\nICMP IN 10.64.0.36:0 -&gt; 10.64.0.64:0 related expires=3026412 Packets=0 Bytes=0 RxFlagsSeen=0x02 LastRxReport=3026352 TxFlagsSeen=0x00 LastTxReport=0 Flags=0x0000 [ ] RevNAT=0 SourceSecurityID=3096 IfIndex=0 BackendID=0<\/pre>\n<h3 id=\"ClusterIP-Service-\u306e\u901a\u4fe1-1\">ClusterIP Service \u306e\u901a\u4fe1<\/h3>\n<p><a target=\"_blank\" href=\"#ClusterIP-Service-%E3%81%AE%E9%80%9A%E4%BF%A1\">Cilium \u304c\u7ba1\u7406\u3059\u308b Kubernetes \u30cd\u30c3\u30c8\u30ef\u30fc\u30af &#8211; ClusterIP Service \u306e\u901a\u4fe1<\/a> 
covers this: as described there, from a packet-flow perspective ClusterIP traffic differs little from Pod-to-Pod traffic, but from the conntrack perspective it is somewhat more complex.<\/p>\n<p>This section uses as its example <code>Pod1(10.64.0.36)<\/code> on <code>NodeA<\/code> communicating with the backend <code>Pod2(10.64.0.98)<\/code> through the ClusterIP Service <code>Svc1(10.68.174.146:80)<\/code>.<\/p>\n<p>The explanation here is limited to the Egress\/Ingress processing for <code>Pod1<\/code>.<\/p>\n<p>Note: the conntrack processing on the <code>Pod2<\/code> side of ClusterIP traffic is the same as for Pod-to-Pod traffic and is omitted. For why it is the same, see <a target=\"_blank\" href=\"#ClusterIP-Service-%E3%81%AE%E9%80%9A%E4%BF%A1\">Kubernetes networking managed by Cilium &#8211; ClusterIP Service traffic<\/a>.<\/p>\n<h4 id=\"Pod1-\u304b\u3089\u306e-Egress-1\">Egress from Pod1<\/h4>\n<p>What makes ClusterIP traffic different from Pod-to-Pod traffic is that <code>Pod1<\/code> sends to the ClusterIP's VIP (Virtual IP).<br \/>In reality, however, Cilium on <code>NodeA<\/code> rewrites the destination to a backend Pod bound to that ClusterIP (here <code>Pod2<\/code>) and forwards the packet.<br \/>In the process, conntrack handling that differs from Pod-to-Pod traffic is executed.<\/p>\n<p>The figure below shows the conntrack-related processing from <code>Pod1(10.64.0.36)<\/code> sending to ClusterIP <code>Svc1(10.68.174.146)<\/code> until the packet is forwarded to <code>Pod2(10.64.0.98)<\/code>.<\/p>\n<p><figure class=\"figure-image figure-image-fotolife\" title=\"conntrack operations and packet flow for Egress traffic from Pod1\"><span itemscope=\"\" itemtype=\"http:\/\/schema.org\/Photograph\"><img decoding=\"async\" src=\"https:\/\/cdn-ak.f.st-hatena.com\/images\/fotolife\/c\/cybozuinsideout\/20251024\/20251024150027.png\" width=\"800\" height=\"459\" loading=\"lazy\" title=\"\" class=\"hatena-fotolife\" itemprop=\"image\"\/><\/span><figcaption>conntrack operations and packet flow for Egress traffic from Pod1<\/figcaption><\/figure>\n<\/p>\n<p>As with Pod-to-Pod traffic, the entry point for Cilium's processing is <code>cil_from_container<\/code>.<\/p>\n<ol>\n<li>When <code>Pod1<\/code> starts a connection, the Service map is searched to check whether the destination is an address bound to a Service\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/bpf_lxc.c#L100-L101\">cilium\/bpf\/bpf_lxc.c at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<li>Since this traffic is destined for a ClusterIP, the information for that ClusterIP is retrieved<\/li>\n<\/ol>\n<\/li>\n<li>The <code>CT_SERVICE<\/code> entry associated with the packet is looked up\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/lb.h#L1620-L1621\">cilium\/bpf\/lib\/lb.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<li>For a new connection, the <code>CT_NEW<\/code> action is selected<\/li>\n<li>Based on the ClusterIP information obtained in (1), the backend to actually forward to is decided\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/lb.h#L1630-L1648\">cilium\/bpf\/lib\/lb.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<li>As an aside, session affinity is also handled here<\/li>\n<\/ol>\n<\/li>\n<li>A <code>CT_SERVICE<\/code> entry is created in the CT map\n<ol type=\"a\">\n<li>The ID of the selected backend is stored in <code>ct_entry.backend_id<\/code><\/li>\n<li><code>ct_entry.rev_nat_index<\/code>, needed for the reverse NAT described later under Ingress to Pod1, is stored as well\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/lb.h#L1618\">cilium\/bpf\/lib\/lb.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n<li>DNAT (Destination NAT) is applied from the ClusterIP's VIP to the IP of the selected backend\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/lb.h#L1393-L1440\">cilium\/bpf\/lib\/lb.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<\/ol>\n<\/li>\n<li>From here the path merges with the one taken by Pod-to-Pod traffic, and a <code>CT_EGRESS<\/code> entry is created in the CT map\n<ol type=\"a\">\n<li>Note that because this <code>CT_EGRESS<\/code> entry is used when processing reply packets, it is created carrying over the information from the <code>CT_SERVICE<\/code> entry created in (2)\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/bpf_lxc.c#L875\">cilium\/bpf\/bpf_lxc.c at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p>The CT map on <code>NodeA<\/code> looks like this.<\/p>\n<pre class=\"code\" data-lang=\"\" data-unlink=\"\">node-a# cilium bpf ct list global | grep 10.64.0.36\nTCP SVC 10.64.0.36:59530 -&gt; 10.68.174.146:80 expires=3034283 Packets=0 Bytes=0 RxFlagsSeen=0x00 LastRxReport=0 TxFlagsSeen=0x1b LastTxReport=3034273 Flags=0x0013 [ RxClosing TxClosing SeenNonSyn ] RevNAT=15 SourceSecurityID=0 IfIndex=0 BackendID=19\nTCP OUT 10.64.0.36:59530 -&gt; 10.64.0.98:8000 expires=3034283 Packets=0 Bytes=0 RxFlagsSeen=0x1b LastRxReport=3034273 TxFlagsSeen=0x1b LastTxReport=3034273 Flags=0x0013 [ RxClosing TxClosing SeenNonSyn ] RevNAT=15 SourceSecurityID=3096 IfIndex=0 BackendID=0\nICMP OUT 10.64.0.36:0 -&gt; 10.64.0.98:0 related expires=3034333 Packets=0 Bytes=0 RxFlagsSeen=0x00 LastRxReport=0 TxFlagsSeen=0x02 LastTxReport=3034273 Flags=0x0000 [ ] RevNAT=15 SourceSecurityID=3096 IfIndex=0 BackendID=0<\/pre>\n<h4 id=\"Pod1-\u3078\u306e-Ingress\">Ingress to Pod1<\/h4>\n<p>Next, we look at the processing from the moment the reply packet leaves <code>Pod2<\/code> until it arrives at <code>Pod1<\/code>.<br \/>As shown in <a target=\"_blank\" href=\"#Pod1-%E3%81%8B%E3%82%89%E3%81%AE-Egress\">Egress from Pod1<\/a>, the traffic to <code>Pod2<\/code> is ultimately plain Pod-to-Pod traffic. <code>Pod2<\/code> therefore has no awareness that this traffic was addressed to a ClusterIP and simply emits the packet as a reply to <code>Pod1<\/code>.<\/p>\n<p>Note: the following are the conntrack entries on <code>NodeB<\/code>. As shown here, no <code>CT_SERVICE<\/code> entry is created on <code>NodeB<\/code>.<\/p>\n<pre class=\"code\" data-lang=\"\" data-unlink=\"\">node-b# cilium bpf ct list global | grep 10.64.0.36\nTCP IN 10.64.0.36:59530 -&gt; 10.64.0.98:8000 expires=3034283 Packets=0 Bytes=0 RxFlagsSeen=0x1b LastRxReport=3034273 TxFlagsSeen=0x1b LastTxReport=3034273 Flags=0x0013 [ RxClosing TxClosing SeenNonSyn ] RevNAT=0 SourceSecurityID=3096 IfIndex=0 BackendID=0\nICMP IN 10.64.0.36:0 -&gt; 10.64.0.98:0 related expires=3034333 Packets=0 Bytes=0 RxFlagsSeen=0x02 LastRxReport=3034273 TxFlagsSeen=0x00 LastTxReport=0 Flags=0x0000 [ ] RevNAT=0 SourceSecurityID=3096 IfIndex=0 BackendID=0<\/pre>\n<p>The figure below shows the reply packet from <code>Pod2(10.64.0.98)<\/code> arriving at <code>Pod1(10.64.0.36)<\/code>, up to the point where <code>Pod1<\/code> receives it as a reply from <code>Svc1(10.68.174.146:80)<\/code>.<\/p>\n<p><figure class=\"figure-image figure-image-fotolife\" title=\"conntrack operations and packet flow for Ingress from Pod2\"><span itemscope=\"\" itemtype=\"http:\/\/schema.org\/Photograph\"><img decoding=\"async\" src=\"https:\/\/cdn-ak.f.st-hatena.com\/images\/fotolife\/c\/cybozuinsideout\/20251024\/20251024150031.png\" width=\"800\" height=\"453\" loading=\"lazy\" title=\"\" class=\"hatena-fotolife\" itemprop=\"image\"\/><\/span><figcaption>conntrack operations and packet flow for Ingress from Pod2<\/figcaption><\/figure>\n<\/p>\n<p>The entry point of the BPF program is <code>cil_to_container<\/code>.<\/p>\n<ol>\n<li>The reply packet from <code>Pod2<\/code> reaches <code>NodeA<\/code> and is processed by the <code>cil_to_container<\/code> of <code>Pod1<\/code><\/li>\n<li>The CT map is searched and the existing entry (<code>CT_EGRESS<\/code>) created in step (4) of <a target=\"_blank\" href=\"#Pod1-%E3%81%8B%E3%82%89%E3%81%AE-Egress\">Egress from Pod1<\/a> is retrieved\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/bpf_lxc.c#L298-L299\">cilium\/bpf\/bpf_lxc.c at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<li>This is the code inside the <code>TAIL_CT_LOOKUP4<\/code> macro<\/li>\n<\/ol>\n<\/li>\n<li>Using the <code>rev_nat_index<\/code> in the retrieved entry, the ClusterIP information is fetched from the RevNAT map and reverse NAT is applied\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/bpf_lxc.c#L1884-L1897\">cilium\/bpf\/bpf_lxc.c at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<li>The reverse NAT here makes the packet look like a reply from the ClusterIP\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/lb.h#L1107\">cilium\/bpf\/lib\/lb.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n<li>The container-side veth device receives it as a packet from <code>Svc1<\/code><\/li>\n<\/ol>\n<h3 id=\"LoadBalancer-Service-\u306e\u901a\u4fe1-1\">LoadBalancer Service traffic<\/h3>\n<p>As described in <a target=\"_blank\" href=\"#LoadBalancer-Service-%E3%81%AE%E9%80%9A%E4%BF%A1\">Kubernetes networking managed by Cilium &#8211; LoadBalancer Service traffic<\/a>, LoadBalancer traffic is more complex still: conntrack processing takes place in the Ingress\/Egress BPF programs of both the intermediate node and the backend node.<\/p>\n<p>The explanation is split into the following sections.<\/p>\n<ul>\n<li>Ingress to the intermediate node\n<ul>\n<li>When the intermediate node that first receives the client's packet gets it, it encapsulates the packet in Geneve and forwards it<\/li>\n<\/ul>\n<\/li>\n<li>Ingress to the backend node\n<ul>\n<li>The backend node receives the Geneve packet and forwards it to the Pod<\/li>\n<\/ul>\n<\/li>\n<li>Egress from the backend node\n<ul>\n<li>The Pod replies to the client using DSR<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>This section takes the following LoadBalancer flow as its example and explains the Ingress\/Egress of the intermediate node and of the backend node separately.<\/p>\n<ol>\n<li>A client outside the cluster (<code>172.191.0.1<\/code>) sends to the LoadBalancer Service <code>LB1(172.190.0.17:80)<\/code><\/li>\n<li><code>NodeA<\/code> acts as the intermediate node, selects <code>Pod1(10.64.0.39)<\/code> on <code>NodeB<\/code> as the backend Pod, and forwards the packet<\/li>\n<li><code>Pod1<\/code> replies to the client using DSR<\/li>\n<\/ol>\n<h4 id=\"\u4e2d\u9593\u30ce\u30fc\u30c9\u3078\u306e-Ingress\">Ingress to the intermediate node<\/h4>\n<p>The figure below shows a client outside the cluster (<code>172.191.0.1<\/code>) sending to the LoadBalancer Service <code>LB1(172.190.0.17:80)<\/code>, <code>NodeA<\/code> acting as the intermediate node, and the packet reaching <code>Pod1(10.64.0.39)<\/code> on <code>NodeB<\/code>.<\/p>\n<p><figure class=\"figure-image figure-image-fotolife\" title=\"conntrack operations and packet flow for Ingress to the intermediate node\"><span itemscope=\"\" itemtype=\"http:\/\/schema.org\/Photograph\"><img decoding=\"async\" src=\"https:\/\/cdn-ak.f.st-hatena.com\/images\/fotolife\/c\/cybozuinsideout\/20251024\/20251024150036.png\" width=\"800\" height=\"487\" loading=\"lazy\" title=\"\" class=\"hatena-fotolife\" itemprop=\"image\"\/><\/span><figcaption>conntrack operations and packet flow for Ingress to the intermediate node<\/figcaption><\/figure>\n<\/p>\n<p>On the intermediate node, the packet is first handled by <code>cil_from_netdev<\/code>, which is attached to the Ingress of <code>eth0<\/code> in the figure.<br \/>LoadBalancer (hereafter LB) and NodePort handling is performed by the function <code>nodeport_lb4<\/code>.<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/bpf_host.c#L615\">cilium\/bpf\/bpf_host.c at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/p>\n<ol>\n<li>The Service map is searched by destination address and port; if the packet is destined for an LB, the LB information is retrieved\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/nodeport.h#L3002\">cilium\/bpf\/lib\/nodeport.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<\/ol>\n<\/li>\n<li>The <code>CT_SERVICE<\/code> entry is looked up using the retrieved LB information and the packet\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/lb.h#L1620\">cilium\/bpf\/lib\/lb.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<li>This part is handled in <code>lb4_local<\/code> and is identical to the ClusterIP case<\/li>\n<li>For a new connection, the <code>CT_NEW<\/code> action is selected<\/li>\n<li>Based on the LB information obtained in (1), the backend to actually forward to is decided\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/lb.h#L1642-L1643\">cilium\/bpf\/lib\/lb.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<li>The backend Pod is selected based on <code>Maglev hashing<\/code><\/li>\n<\/ol>\n<\/li>\n<li>A CT_SERVICE entry is created in the CT map<\/li>\n<li>The packet's destination is DNATed to the backend Pod<\/li>\n<\/ol>\n<\/li>\n<li>It is checked whether the selected backend Pod exists on the intermediate node\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/nodeport.h#L2873\">cilium\/bpf\/lib\/nodeport.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<li>If the backend Pod is on the intermediate node, a <code>CT_EGRESS<\/code> entry is created in the CT map and the packet is forwarded to the Pod\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/nodeport.h#L2879-L2943\">cilium\/bpf\/lib\/nodeport.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<li>This article omits the case where the selected backend Pod is on the intermediate node<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n<li>The LB information is packed into the option area of the Geneve packet and the packet is forwarded to the <code>cilium_geneve<\/code> device\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/nodeport.h#L2295-L2300\">cilium\/bpf\/lib\/nodeport.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<li>The LB's <code>EXTERNAL-IP<\/code> and port are stored in the Geneve custom option structure\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/nodeport.h#L1975\">cilium\/bpf\/lib\/nodeport.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<\/ol>\n<\/li>\n<li>The stored information is registered so that it is handed over at redirect time\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/nodeport.h#L2041\">cilium\/bpf\/lib\/nodeport.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<\/ol>\n<\/li>\n<li>The packet is redirected to <code>cilium_geneve<\/code>\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/nodeport.h#L2300\">cilium\/bpf\/lib\/nodeport.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n<li>The packet is encapsulated by <code>cilium_geneve<\/code> and the Geneve packet is sent toward <code>NodeB<\/code>\n<ol type=\"a\">\n<li>In reality it is forwarded to <code>NodeB<\/code> via <code>eth0<\/code>, but for simplicity the arrow in the figure starts at <code>cilium_geneve<\/code><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p>Below is the actual CT map on the intermediate node.<\/p>\n<pre class=\"code\" data-lang=\"\" data-unlink=\"\">node-a# cilium bpf ct list global --time-diff | grep 172.191.0.1\nTCP SVC 172.191.0.1:53438 -&gt; 172.190.0.17:80 expires=3619996 (remaining: -305 sec(s)) Packets=0 Bytes=0 RxFlagsSeen=0x00 LastRxReport=0 TxFlagsSeen=0x1b LastTxReport=3619986 Flags=0x0013 [ RxClosing TxClosing SeenNonSyn ] RevNAT=24 SourceSecurityID=0 IfIndex=0 BackendID=24<\/pre>\n<h4 id=\"\u30d0\u30c3\u30af\u30a8\u30f3\u30c9\u30ce\u30fc\u30c9\u3078\u306e-Ingress\">Ingress to the backend node<\/h4>\n<p>The figure below shows <code>NodeB<\/code> receiving the Geneve packet, decapsulating it, and forwarding the packet to <code>Pod1(10.64.0.39)<\/code>.<br \/>On the backend node, a BPF map called the NAT map is used.<\/p>\n<p><figure class=\"figure-image figure-image-fotolife\" title=\"conntrack operations and packet flow for Ingress to the backend node\"><span itemscope=\"\" itemtype=\"http:\/\/schema.org\/Photograph\"><img decoding=\"async\" src=\"https:\/\/cdn-ak.f.st-hatena.com\/images\/fotolife\/c\/cybozuinsideout\/20251024\/20251024150041.png\" width=\"800\" height=\"593\" loading=\"lazy\" title=\"\" class=\"hatena-fotolife\" itemprop=\"image\"\/><\/span><figcaption>conntrack operations and packet flow for Ingress to the backend node<\/figcaption><\/figure>\n<\/p>\n<p>The Geneve packet that reaches the backend node is first received on <code>eth0<\/code> and forwarded inside the kernel to <code>cilium_geneve<\/code>. For simplicity, the figure draws it as being received directly on <code>cilium_geneve<\/code>. The main processing is performed by <code>cil_from_overlay<\/code>, attached to <code>cilium_geneve<\/code>.<\/p>\n<ol>\n<li>\n<p>The Geneve-encapsulated LB packet arrives at <code>cilium_geneve<\/code><\/p>\n<ol type=\"a\">\n<li>By the time it is processed by the Ingress TC hook of <code>cilium_geneve<\/code>, the kernel has already decapsulated it<\/li>\n<\/ol>\n<\/li>\n<li>\n<p>As in <a target=\"_blank\" href=\"#%E4%B8%AD%E9%96%93%E3%83%8E%E3%83%BC%E3%83%89%E3%81%B8%E3%81%AE-Ingress\">Ingress to the intermediate node<\/a>, <code>nodeport_lb4<\/code> is executed<\/p>\n<ol type=\"a\">\n<li>Because it is called from <code>cil_from_overlay<\/code>, the following runs with <code>IS_BPF_OVERLAY=1<\/code>\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/nodeport.h#L3019-L3039\">cilium\/bpf\/lib\/nodeport.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<\/ol>\n<\/li>\n<li>If the packet requires DSR, the LB address and port information are extracted from the Geneve option\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/nodeport.h#L3026\">cilium\/bpf\/lib\/nodeport.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n<li>The CT map is searched for a <code>CT_EGRESS<\/code> entry with the DSR flag (<code>ct_entry.dsr_internal<\/code>) set\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/nodeport.h#L2337\">cilium\/bpf\/lib\/nodeport.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<li>For a new connection, the <code>CT_NEW<\/code> action is selected<\/li>\n<li>Because the entry created here is for Egress, it is created with its direction reversed relative to the incoming packet\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/nodeport.h#L2335\">cilium\/bpf\/lib\/nodeport.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<\/ol>\n<\/li>\n<li>A <code>CT_EGRESS<\/code> entry with <code>dsr_internal=true<\/code> is created in the CT map\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/nodeport.h#L2354-L2357\">cilium\/bpf\/lib\/nodeport.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n<li>For DSR, the key of the CT entry created in (3) and the LB information are stored in the NAT map\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/nodeport.h#L2359\">cilium\/bpf\/lib\/nodeport.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<\/ol>\n<\/li>\n<li>The packet is forwarded to the veth device of <code>Pod1<\/code>\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/bpf_overlay.c#L451\">cilium\/bpf\/bpf_overlay.c at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<li><code>from_tunnel=true<\/code> (a flag marking the packet as coming from a tunnel device) is stored in the metadata area of the packet's data structure (<code>sk_buff<\/code>)\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/l3.h#L117\">cilium\/bpf\/lib\/l3.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<\/ol>\n<\/li>\n<li>The packet is forwarded\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/bpf_overlay.c#L451\">cilium\/bpf\/bpf_overlay.c at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n<li>The packet is processed by <code>cil_to_container<\/code>, attached to the host-side veth device of <code>Pod1<\/code>\n<ol type=\"a\">\n<li>The same processing as in <a target=\"_blank\" href=\"#Pod2-%E3%81%B8%E3%81%AE-Ingress\">Ingress for Pod-to-Pod traffic<\/a> is executed\n<ol type=\"a\">\n<li>The difference is that the <code>from_tunnel=true<\/code> stored in the <code>sk_buff<\/code> metadata in (4-b) is handled here<\/li>\n<\/ol>\n<\/li>\n<li>A <code>CT_INGRESS<\/code> entry with <code>ct_entry.from_tunnel=true<\/code> is created in the CT map<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p>Below is the actual CT map on the backend node.<\/p>\n<pre class=\"code\" data-lang=\"\" data-unlink=\"\">node-b# cilium bpf ct list global | grep 10.64.0.39\nTCP IN 172.191.0.1:53438 -&gt; 10.64.0.39:8000 expires=3619996 Packets=0 Bytes=0 RxFlagsSeen=0x1b LastRxReport=3619986 TxFlagsSeen=0x1b LastTxReport=3619986 Flags=0x0413 [ RxClosing TxClosing SeenNonSyn FromTunnel ] RevNAT=0 SourceSecurityID=2 IfIndex=0 BackendID=0\nTCP OUT 172.191.0.1:53438 -&gt; 10.64.0.39:8000 expires=3619996 Packets=0 Bytes=0 RxFlagsSeen=0x1b LastRxReport=3619986 TxFlagsSeen=0x1b LastTxReport=3619986 Flags=0x0093 [ RxClosing TxClosing SeenNonSyn DSRInternal ] RevNAT=0 SourceSecurityID=2 IfIndex=0 BackendID=0\nICMP IN 172.191.0.1:0 -&gt; 10.64.0.39:0 related expires=3620046 Packets=0 Bytes=0 RxFlagsSeen=0x02 LastRxReport=3619986 TxFlagsSeen=0x00 LastTxReport=0 Flags=0x0400 [ FromTunnel ] RevNAT=0 SourceSecurityID=2 IfIndex=0 BackendID=0<\/pre>\n<h4 id=\"\u30d0\u30c3\u30af\u30a8\u30f3\u30c9\u30ce\u30fc\u30c9\u304b\u3089\u306e-Egress\">Egress from the backend node<\/h4>\n<p>The figure below shows <code>Pod1(10.64.0.39)<\/code> processing the packet from the client and sending the reply packet directly to the client using DSR.<\/p>\n<p><figure class=\"figure-image figure-image-fotolife\" title=\"conntrack operations and packet flow for Egress from the backend node\"><span itemscope=\"\" itemtype=\"http:\/\/schema.org\/Photograph\"><img decoding=\"async\" src=\"https:\/\/cdn-ak.f.st-hatena.com\/images\/fotolife\/c\/cybozuinsideout\/20251024\/20251024150047.png\" width=\"800\" height=\"481\" loading=\"lazy\" title=\"\" class=\"hatena-fotolife\" itemprop=\"image\"\/><\/span><figcaption>conntrack operations and packet flow for Egress from the backend node<\/figcaption><\/figure>\n<\/p>\n<p>The entry point is <code>cil_from_container<\/code>, after which the packet is handed to <code>cil_to_netdev<\/code> for further processing.<\/p>\n<ol>\n<li>The CT map is searched with <code>CT_EGRESS<\/code>\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/bpf_lxc.c#L133\">cilium\/bpf\/bpf_lxc.c at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<li>Since the entry exists, the required processing is done according to it<\/li>\n<\/ol>\n<\/li>\n<li>\n<p>The packet is forwarded to <code>eth0<\/code><\/p>\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/nodeport.h#L2539\">cilium\/bpf\/lib\/nodeport.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<\/ol>\n<\/li>\n<li>\n<p><code>cil_to_netdev<\/code> on <code>eth0<\/code> determines whether this is a DSR packet and searches the NAT map<\/p>\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/bpf_host.c#L1602\">cilium\/bpf\/bpf_host.c at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<li>Using the information retrieved from the NAT map, the packet's source address and port are SNATed to those of the LB\n<ol type=\"a\">\n<li><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/main\/bpf\/lib\/nodeport.h#L2215\">cilium\/bpf\/lib\/nodeport.h at main \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n<li>The packet is forwarded to the external client<\/li>\n<\/ol>\n<h3 id=\"Cilium-\u306e-conntrack-\u306e\u72b6\u614b\u7ba1\u7406\">State management in Cilium's conntrack<\/h3>\n<p>Conntrack does not end with creating an entry in the CT map. For TCP in particular, the state of the end-to-end connection must be tracked and managed.<br \/>Cilium manages that state by setting flags on the conntrack entry according to the TCP flags observed in the BPF programs.<\/p>\n<p>For details of CT entries, see <a target=\"_blank\" href=\"#%E3%83%90%E3%83%AA%E3%83%A5%E3%83%BC%E6%A7%8B%E9%80%A0%E4%BD%93ct_entry\">CT map &#8211; value structure (ct_entry)<\/a>.<\/p>\n<p>The fields that matter most for TCP state management are the following.<\/p>\n<ul>\n<li>lifetime\n<ul>\n<li>The timestamp at which the entry expires (referred to below as the lifetime)<\/li>\n<li>If the lifetime has expired, the entry is removed by the GC described later<\/li>\n<\/ul>\n<\/li>\n<li>tx_closing\n<ul>\n<li>Set when a TCP FIN is observed on the sending side<\/li>\n<\/ul>\n<\/li>\n<li>rx_closing\n<ul>\n<li>Set when a TCP FIN is observed on the receiving side<\/li>\n<\/ul>\n<\/li>\n<li>seen_no_syn\n<ul>\n<li>Set when a TCP packet carrying flags other than SYN is observed<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h4 id=\"tx_closingrx_closing\">tx_closing\/rx_closing<\/h4>\n<p><code>tx_closing<\/code> and <code>rx_closing<\/code> are flags related to TCP connection teardown; they are set to <code>1<\/code> when a TCP FIN flag is observed on the sending side and on the receiving side respectively.<br \/>The <code>ct_tcp_select_action<\/code> function parses the TCP packet's flags and decides what operation to perform on the corresponding CT entry. When <code>FIN<\/code> or <code>RST<\/code> is observed, <code>ACTION_CLOSE<\/code> is returned.<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/conntrack.h#L56-L65\">cilium\/bpf\/lib\/conntrack.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/p>\n<p>When <code>ACTION_CLOSE<\/code> is selected, the <code>tx_closing<\/code> and <code>rx_closing<\/code> flags are set according to the CT type (the <code>dir<\/code> variable here) at the point where the CT entry is retrieved in the <code>__ct_lookup<\/code> function.<\/p>\n<p>For <code>CT_SERVICE<\/code> entries, the packet direction differs between the ClusterIP case and the LoadBalancer(NodePort) + DSR case, but in both cases TCP flags can only be observed from one direction.<br \/>For that reason, both <code>tx_closing<\/code> and <code>rx_closing<\/code> are set when a <code>FIN<\/code> from one side is observed.<\/p>\n<ul>\n<li>ClusterIP\n<\/li>\n<li>LoadBalancer(NodePort) + DSR\n<\/li>\n<\/ul>\n<p>Whether a CT entry is still valid is determined by the <code>ct_entry_alive<\/code> function.<br \/>Conversely, when it returns <code>false<\/code>, the connection for that entry is considered closed.<\/p>\n<p><a target=\"_blank\" 
href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/conntrack.h#L225-L228\">cilium\/bpf\/lib\/conntrack.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/p>\n<h4 id=\"lifetime\">lifetime<\/h4>\n<p>\u524d\u8ff0\u306e\u901a\u308a\u3001<code>lifetime<\/code> \u306f\u305d\u306e\u30a8\u30f3\u30c8\u30ea\u306e\u751f\u5b58\u671f\u9593\u3067\u3059\u3002TCP \u3084 UDP \u306e\u30d7\u30ed\u30c8\u30b3\u30eb\u3001\u8ffd\u8de1\u3057\u3066\u3044\u308b TCP \u306e\u72b6\u614b\u306a\u3069\u306b\u3088\u308a\u7d30\u304b\u304f\u751f\u5b58\u671f\u9593\u304c\u5b9a\u3081\u3089\u308c\u3066\u3044\u307e\u3059\u3002<br \/>\u305d\u306e\u5024\u306f cilium-agent \u306e\u30d5\u30e9\u30b0\u3067\u6307\u5b9a\u3067\u304d\u307e\u3059\u3002v1.16.12 \u73fe\u5728\u306f\u4ee5\u4e0b\u306e\u3088\u3046\u306b\u306a\u3063\u3066\u3044\u307e\u3059\u3002<\/p>\n<pre class=\"code\" data-lang=\"\" data-unlink=\"\">--bpf-ct-timeout-regular-any duration                       Timeout for entries in non-TCP CT table (default 1m0s)\n--bpf-ct-timeout-regular-tcp duration                       Timeout for established entries in TCP CT table (default 2h13m20s)\n--bpf-ct-timeout-regular-tcp-fin duration                   Teardown timeout for entries in TCP CT table (default 10s)\n--bpf-ct-timeout-regular-tcp-syn duration                   Establishment timeout for entries in TCP CT table (default 1m0s)\n--bpf-ct-timeout-service-any duration                       Timeout for service entries in non-TCP CT table (default 1m0s)\n--bpf-ct-timeout-service-tcp duration                       Timeout for established service entries in TCP CT table (default 2h13m20s)\n--bpf-ct-timeout-service-tcp-grace duration                 Timeout for graceful shutdown of service entries in TCP CT table (default 1m0s)<\/pre>\n<p><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/Documentation\/cmdref\/cilium-agent.md?plain=1#L32-L38\">cilium\/Documentation\/cmdref\/cilium-agent.md at v1.16.12 
\u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/p>\n<p>\u3053\u308c\u3089\u306e\u30d5\u30e9\u30b0\u306e\u5024\u306f\u6700\u7d42\u7684\u306b\u3001\u4ee5\u4e0b\u306e\u5b9a\u6570\u306b\u57cb\u3081\u8fbc\u307e\u308c\u3066 BPF \u30d7\u30ed\u30b0\u30e9\u30e0\u4e0a\u3067\u5229\u7528\u3055\u308c\u307e\u3059\u3002<\/p>\n<pre class=\"code lang-c\" data-lang=\"c\" data-unlink=\"\"><span class=\"synPreProc\">#define CT_CONNECTION_LIFETIME_TCP  <\/span><span class=\"synConstant\">21600<\/span>\n<span class=\"synPreProc\">#define CT_CONNECTION_LIFETIME_NONTCP  <\/span><span class=\"synConstant\">60<\/span>\n<span class=\"synPreProc\">#define CT_SERVICE_LIFETIME_TCP        <\/span><span class=\"synConstant\">21600<\/span>\n<span class=\"synPreProc\">#define CT_SERVICE_LIFETIME_NONTCP <\/span><span class=\"synConstant\">60<\/span>\n<span class=\"synPreProc\">#define CT_SERVICE_CLOSE_REBALANCE <\/span><span class=\"synConstant\">30<\/span>\n<span class=\"synPreProc\">#define CT_SYN_TIMEOUT         <\/span><span class=\"synConstant\">60<\/span>\n<span class=\"synPreProc\">#define CT_CLOSE_TIMEOUT       <\/span><span class=\"synConstant\">10<\/span>\n<\/pre>\n<p><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/node_config.h#L77-L83\">cilium\/bpf\/node_config.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/p>\n<p><code>lifetime<\/code> \u3082\u69d8\u3005\u306a\u7b87\u6240\u3067\u66f4\u65b0\u3055\u308c\u307e\u3059\u304c\u3001\u4e3b\u306b\u66f4\u65b0\u3059\u308b\u306e\u306f <code>ct_update_timeout<\/code> \u95a2\u6570\u3067\u3059\u3002<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/conntrack.h#L166-L188\">cilium\/bpf\/lib\/conntrack.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/p>\n<p>\u3053\u306e\u95a2\u6570\u304b\u3089\u547c\u3073\u51fa\u3055\u308c\u308b <code>__ct_update_timeout<\/code> \u95a2\u6570\u3067 <code>lifetime<\/code> \u306e\u5024\u3092 <code>\u73fe\u5728\u6642\u523b + 
\u305d\u306e\u72b6\u614b\u306e\u30bf\u30a4\u30e0\u30a2\u30a6\u30c8\u5024<\/code> \u3067\u4e0a\u66f8\u304d\u3057\u307e\u3059\u3002<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/bpf\/lib\/conntrack.h#L104\">cilium\/bpf\/lib\/conntrack.h at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/p>\n<p><code>ct_update_timeout<\/code> \u306f\u4e0a\u8ff0\u306e <code>__ct_lookup<\/code> \u95a2\u6570\u306e\u4e2d\u3067\u547c\u3073\u51fa\u3055\u308c\u308b\u305f\u3081\u3001\u30d1\u30b1\u30c3\u30c8\u6bce\u306b\u751f\u5b58\u671f\u9593\u306f\u66f4\u65b0\u3055\u308c\u307e\u3059\u3002<\/p>\n<p>\u3053\u306e\u3088\u3046\u306b\u3057\u3066\u3001BPF \u30d7\u30ed\u30b0\u30e9\u30e0\u4e0a\u3067\u306f\u30a8\u30f3\u30c8\u30ea\u306e\u751f\u5b58\u671f\u9593\u3092\u7ba1\u7406\u3057\u3066\u3044\u3066\u3001\u671f\u9650\u5207\u308c\u306e\u30a8\u30f3\u30c8\u30ea\u306e\u524a\u9664\u306f\u5f8c\u8ff0\u306e GC \u306b\u3088\u308a\u5b9f\u65bd\u3055\u308c\u307e\u3059\u3002<\/p>\n<h3 id=\"\u30ac\u30fc\u30d9\u30b8\u30b3\u30ec\u30af\u30b7\u30e7\u30f3GC\">\u30ac\u30fc\u30d9\u30b8\u30b3\u30ec\u30af\u30b7\u30e7\u30f3\uff08GC\uff09<\/h3>\n<p>\u3053\u308c\u307e\u3067\u306f\u3001BPF \u30d7\u30ed\u30b0\u30e9\u30e0\u4e0a\u3067 Cilium \u306e conntrack \u304c\u3069\u306e\u3088\u3046\u306b\u5b9f\u88c5\u3055\u308c\u3066\u3044\u308b\u304b\u3092\u898b\u3066\u304d\u307e\u3057\u305f\u3002<\/p>\n<p>Cilium \u306f conntrack \u306e GC \u3092 cilium-agent \u5185\u306e\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u3068\u3057\u3066\u5b9f\u88c5\u3057\u3066\u304a\u308a\u3001CT map \u306e\u30a8\u30f3\u30c8\u30ea\u524a\u9664\u3092\u5168\u3066 GC \u3067\u5b9f\u65bd\u3057\u3066\u3044\u307e\u3059\u3002<br \/>GC \u304c\u30c8\u30ea\u30ac\u30fc\u3055\u308c\u308b\u8981\u56e0\u306f\u4ee5\u4e0b\u306e 2 
\u3064\u3067\u3059\u3002<\/p>\n<ul>\n<li>\u30a4\u30f3\u30bf\u30fc\u30d0\u30eb\n<ul>\n<li>\u751f\u5b58\u671f\u9593\uff08<code>lifetime<\/code>\uff09\u304c\u5207\u308c\u305f\u30a8\u30f3\u30c8\u30ea\u3092\u5168\u3066\u524a\u9664\u3057\u307e\u3059<\/li>\n<\/ul>\n<\/li>\n<li>endpoint regeneration \uff08\u672c\u8a18\u4e8b\u3067\u306f\u30b9\u30b3\u30fc\u30d7\u5916\u3067\u3059\uff09\n<ul>\n<li>Pod \u304c\u524a\u9664\u3055\u308c\u308b\u306a\u3069\u3001\u69d8\u3005\u306a\u30a4\u30d9\u30f3\u30c8\u306b\u3088\u308a\u30c8\u30ea\u30ac\u30fc\u3055\u308c\u307e\u3059<\/li>\n<li>\u5bfe\u8c61\u306e Pod \u306b\u95a2\u9023\u3059\u308b\u30a8\u30f3\u30c8\u30ea\u3092\u5168\u3066\u524a\u9664\u3057\u307e\u3059<\/li>\n<li>\u3053\u306e\u6642\u3001\u5bfe\u8c61 Pod \u3068\u7121\u95a2\u4fc2\u306a\u751f\u5b58\u671f\u9593\u5207\u308c\u306e\u30a8\u30f3\u30c8\u30ea\u306f\u524a\u9664\u3055\u308c\u307e\u305b\u3093<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>\u3053\u3053\u3067\u306f\u30a4\u30f3\u30bf\u30fc\u30d0\u30eb\u306b\u3088\u308a\u30c8\u30ea\u30ac\u30fc\u3055\u308c\u308b GC \u3092\u89e3\u8aac\u3057\u307e\u3059\u3002<\/p>\n<h4 id=\"GC-\u30a4\u30f3\u30bf\u30fc\u30d0\u30eb\u8a08\u7b97\">GC \u30a4\u30f3\u30bf\u30fc\u30d0\u30eb\u8a08\u7b97<\/h4>\n<p>\u4ee5\u4e0b\u306b\u793a\u3059 goroutine \u304c cilium-agent \u8d77\u52d5\u6642\u306b\u8d77\u52d5\u3057\u3066\u3001GC \u30a4\u30f3\u30bf\u30fc\u30d0\u30eb\u6bce\u306b GC \u304c\u5b9f\u884c\u3055\u308c\u307e\u3059\u3002<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/pkg\/maps\/ctmap\/gc\/gc.go#L105\">cilium\/pkg\/maps\/ctmap\/gc\/gc.go at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/p>\n<p>Cilium \u306f\u30c7\u30d5\u30a9\u30eb\u30c8\u3067\u306f GC \u30a4\u30f3\u30bf\u30fc\u30d0\u30eb\u306f\u3042\u3089\u304b\u3058\u3081\u8a2d\u5b9a\u3055\u308c\u305f\u6700\u5927\u3001\u6700\u5c0f\u5024\u306e\u7bc4\u56f2\u5185\u3067\u81ea\u52d5\u8a08\u7b97\u3055\u308c\u305f\u5024\u3092\u5229\u7528\u3057\u307e\u3059\u3002<\/p>\n<p><a 
target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/pkg\/maps\/ctmap\/ctmap.go#L887\">cilium\/pkg\/maps\/ctmap\/ctmap.go at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/p>\n<pre class=\"code lang-go\" data-lang=\"go\" data-unlink=\"\"><span class=\"synStatement\">func<\/span> calculateInterval(prevInterval time.Duration, maxDeleteRatio <span class=\"synType\">float64<\/span>) (interval time.Duration) {\n    interval = prevInterval\n\n    <span class=\"synStatement\">if<\/span> maxDeleteRatio == <span class=\"synConstant\">0.0<\/span> {\n        <span class=\"synStatement\">return<\/span>\n    }\n\n    <span class=\"synStatement\">switch<\/span> {\n    <span class=\"synStatement\">case<\/span> maxDeleteRatio &gt; <span class=\"synConstant\">0.25<\/span>:\n        <span class=\"synStatement\">if<\/span> maxDeleteRatio &gt; <span class=\"synConstant\">0.9<\/span> {\n            maxDeleteRatio = <span class=\"synConstant\">0.9<\/span>\n        }\n        \n        interval = time.Duration(<span class=\"synType\">float64<\/span>(interval) * (<span class=\"synConstant\">1.0<\/span> - maxDeleteRatio)).Round(time.Second)\n\n        <span class=\"synStatement\">if<\/span> interval case maxDeleteRatio 0.05:\n        \n        \n        \n        \n        interval = time.Duration(<span class=\"synType\">float64<\/span>(interval) * <span class=\"synConstant\">1.5<\/span>).Round(time.Second)\n        <span class=\"synStatement\">if<\/span> interval &gt; defaults.ConntrackGCMaxLRUInterval {\n            interval = defaults.ConntrackGCMaxLRUInterval\n        }\n    }\n\n    cachedGCInterval = interval\n\n    <span class=\"synStatement\">return<\/span>\n}\n<\/pre>\n<p>\u524d\u56de\u306e GC \u306e\u30a8\u30f3\u30c8\u30ea\u524a\u9664\u7387 <code>maxDeleteRatio<\/code> \u3068\u3001\u524d\u56de\u306e GC \u30a4\u30f3\u30bf\u30fc\u30d0\u30eb <code>prevInterval<\/code> \u304b\u3089\u6b21\u306e GC \u30a4\u30f3\u30bf\u30fc\u30d0\u30eb interval 
\u3092\u7b97\u51fa\u3057\u307e\u3059\u3002<\/p>\n<p><code>maxDeleteRatio<\/code> \u304c 25% \u3088\u308a\u5927\u304d\u3044\u6642\u306f\u4ee5\u4e0b\u306e\u5f0f\u306b\u5f93\u3063\u3066 <code>interval<\/code> \u3092\u8a08\u7b97\u3057\u307e\u3059\u3002<\/p>\n<blockquote>\n<p><code>interval<\/code> = <code>prevInterval<\/code> * (1.0 &#8211; <code>maxDeleteRatio<\/code>)<\/p>\n<\/blockquote>\n<p>\u3064\u307e\u308a\u3001\u6b21\u306e GC \u306f\u524d\u56de\u306e GC \u3088\u308a\u3082\u77ed\u3044\u9593\u9694\u3067\u5b9f\u884c\u3055\u308c\u307e\u3059\u3002<\/p>\n<p>\u4e00\u65b9\u3001<code>maxDeleteRatio<\/code> \u304c 5% \u3088\u308a\u5c0f\u3055\u3044\u6642\u306f\u4ee5\u4e0b\u306e\u5f0f\u306b\u5f93\u3044\u307e\u3059\u3002<\/p>\n<blockquote>\n<p><code>interval<\/code> = <code>prevInterval<\/code> * 1.5<\/p>\n<\/blockquote>\n<p>\u3064\u307e\u308a\u3001\u6b21\u306e GC \u306f\u524d\u56de\u306e GC \u3088\u308a\u3082 1.5 \u500d\u9577\u3044\u9593\u9694\u3067\u5b9f\u884c\u3055\u308c\u307e\u3059\u3002<br \/>\u6700\u5f8c\u306b\u3001\u8a08\u7b97\u3057\u305f\u5024\u304c\u8a2d\u5b9a\u3057\u305f\u6700\u5927\u3001\u6700\u5c0f\u5024\u306e\u7bc4\u56f2\u5185\u306b\u3042\u308b\u304b\u3069\u3046\u304b\u3092\u78ba\u304b\u3081\u3066\u3001\u6b21\u56de\u306e GC \u30a4\u30f3\u30bf\u30fc\u30d0\u30eb\u304c\u6c7a\u5b9a\u3057\u307e\u3059\u3002<\/p>\n<h4 id=\"GC-\u306e\u5185\u90e8\u51e6\u7406\">GC \u306e\u5185\u90e8\u51e6\u7406<\/h4>\n<p>GC \u306e\u30a8\u30f3\u30c8\u30ea\u30fc\u30dd\u30a4\u30f3\u30c8\u306f <code>runGC<\/code> \u95a2\u6570\u3067\u3059\u3002<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/pkg\/maps\/ctmap\/gc\/gc.go#L243\">cilium\/pkg\/maps\/ctmap\/gc\/gc.go at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/p>\n<p><code>cilium_ct4_global<\/code> \u3068 <code>cilium_ct_any4_global<\/code> 
\u305d\u308c\u305e\u308c\u306b\u5bfe\u3057\u3066\u751f\u5b58\u671f\u9593\u5207\u308c\u306e\u30a8\u30f3\u30c8\u30ea\u306e\u524a\u9664\u304c\u5b9f\u884c\u3055\u308c\u307e\u3059\u3002<br \/>\u5404\u30de\u30c3\u30d7\u306e\u30a8\u30f3\u30c8\u30ea\u306e\u524a\u9664\u306f <code>doGC4<\/code> \u95a2\u6570\u5185\u3067\u51e6\u7406\u3055\u308c\u307e\u3059\u3002<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/pkg\/maps\/ctmap\/ctmap.go#L473\">cilium\/pkg\/maps\/ctmap\/ctmap.go at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/p>\n<p>\u6700\u7d42\u7684\u306b\u3001<code>Map.DumpReliablyWithCallback(cb DumpCallback, stats *DumpStats)<\/code> \u3068\u3044\u3046\u95a2\u6570\u304c\u5b9f\u884c\u3055\u308c\u3066\u3001\u30de\u30c3\u30d7\u5185\u306e\u5168\u3066\u306e\u30a8\u30f3\u30c8\u30ea\u3092 <strong>Lookup<\/strong> \u3057\u3066\u3001\u305d\u308c\u3089\u306b\u5bfe\u3057\u3066\u5f15\u6570\u306b\u6e21\u3057\u3066\u3044\u308b <code>DumpCallback<\/code> \u578b\u306e\u30b3\u30fc\u30eb\u30d0\u30c3\u30af\u95a2\u6570 <code>cb<\/code> \u304c\u305d\u308c\u305e\u308c\u306e\u30a8\u30f3\u30c8\u30ea\u306b\u5bfe\u3057\u3066\u547c\u3073\u51fa\u3055\u308c\u307e\u3059\u3002<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/pkg\/bpf\/map_linux.go#L656\">cilium\/pkg\/bpf\/map_linux.go at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/p>\n<p>\u3053\u3053\u306b\u6e21\u3059\u30b3\u30fc\u30eb\u30d0\u30c3\u30af\u95a2\u6570\u306f <code>doGC4<\/code> \u5185\u3067\u5b9a\u7fa9\u3055\u308c\u3066\u3044\u3066\u3001\u3053\u306e\u30b3\u30fc\u30eb\u30d0\u30c3\u30af\u95a2\u6570\u306e\u4e2d\u3067\u3001\u524a\u9664\u5bfe\u8c61\u3067\u3042\u308c\u3070\u30a8\u30f3\u30c8\u30ea\u3092 <strong>Remove<\/strong> \u3057\u307e\u3059\u3002<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/pkg\/maps\/ctmap\/ctmap.go#L505-L552\">cilium\/pkg\/maps\/ctmap\/ctmap.go at v1.16.12 \u00b7 cilium\/cilium 
\u00b7 GitHub<\/a><\/p>\n<p>\u751f\u5b58\u671f\u9593\u5207\u308c\u304b\u3069\u3046\u304b\u306f\u4ee5\u4e0b\u3067\u691c\u67fb\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/github.com\/cilium\/cilium\/blob\/v1.16.12\/pkg\/maps\/ctmap\/ctmap.go#L563-L565\">cilium\/pkg\/maps\/ctmap\/ctmap.go at v1.16.12 \u00b7 cilium\/cilium \u00b7 GitHub<\/a><\/p>\n<p>\u3053\u3053\u3067\u3001Lookup\u3001Remove \u3092\u5f37\u8abf\u3057\u305f\u306e\u306f\u3001\u3053\u308c\u3089\u304c\u500b\u5225\u306e\u30b7\u30b9\u30c6\u30e0\u30b3\u30fc\u30eb\u3068\u3057\u3066\u547c\u3073\u51fa\u3055\u308c\u308b\u305f\u3081\u3067\u3059\u3002<\/p>\n<p>\u3064\u307e\u308a\u3001GC \u3067\u306f <code>\u5404\u30de\u30c3\u30d7\u306e\u7dcf\u30a8\u30f3\u30c8\u30ea\u6570 + \u524a\u9664\u5bfe\u8c61\u30a8\u30f3\u30c8\u30ea\u6570<\/code> \u5206\u306e bpf \u30b7\u30b9\u30c6\u30e0\u30b3\u30fc\u30eb\u304c\u767a\u884c\u3055\u308c\u307e\u3059\u3002\u6570\u767e\u4e07\u30a8\u30f3\u30c8\u30ea\u5b58\u5728\u3059\u308b\u3088\u3046\u306a CT map \u306e GC \u306b\u306f\u304b\u306a\u308a\u306e\u6642\u9593\u3068 CPU \u8ca0\u8377\u304c\u304b\u304b\u308a\u307e\u3059\u3002<\/p>\n<p>\u203b Cilium 1.18 \u304b\u3089\u3001CT map \u306e Lookup \u304c Batch Lookup \u306b\u5909\u66f4\u3055\u308c\u307e\u3057\u305f\u3002<br \/>\n\u3053\u308c\u306f bpf_map_lookup_batch \u3092\u5229\u7528\u3057\u305f\u3082\u306e\u3067\u30011 \u56de\u306e\u30b7\u30b9\u30c6\u30e0\u30b3\u30fc\u30eb\u3067\u6307\u5b9a\u3057\u305f\u6570\u306e\u30a8\u30f3\u30c8\u30ea\u3092\u4e00\u6c17\u306b Lookup \u3067\u304d\u307e\u3059\u3002<br \/>\n\u3053\u308c\u306b\u3088\u308a\u3001GC \u306e\u8ca0\u8377\u4f4e\u6e1b\u304c\u671f\u5f85\u3055\u308c\u307e\u3059\u3002<\/p>\n<p>Neco \u3067\u306f\u904e\u53bb\u306b CT map \u4f7f\u7528\u7387\u304c 80% \u307e\u3067\u5897\u5927\u3057\u305f\u3053\u3068\u304c\u3042\u308a\u307e\u3059\u3002<br 
\/>\u305d\u306e\u6642\u306e\u72b6\u6cc1\u3084\u5bfe\u51e6\u306b\u3064\u3044\u3066\u3001\u904e\u53bb\u306b\u30d6\u30ed\u30b0\u3092\u66f8\u3044\u3066\u3044\u308b\u306e\u3067\u8208\u5473\u306e\u3042\u308b\u65b9\u306f\u8aad\u3093\u3067\u307f\u3066\u304f\u3060\u3055\u3044\u3002<\/p>\n<p><iframe src=\"https:\/\/hatenablog-parts.com\/embed?url=https%3A%2F%2Fblog.cybozu.io%2Fentry%2F2024%2F08%2F21%2F170000\" title=\"Cilium \u904b\u7528\u3067\u906d\u9047\u3057\u305f\u554f\u984c\u3068\u305d\u306e\u5bfe\u5fdc - Cybozu Inside Out | \u30b5\u30a4\u30dc\u30a6\u30ba\u30a8\u30f3\u30b8\u30cb\u30a2\u306e\u30d6\u30ed\u30b0\" class=\"embed-card embed-blogcard\" scrolling=\"no\" frameborder=\"0\" style=\"display: block; width: 100%; height: 190px; max-width: 500px; margin: 10px 0px;\" loading=\"lazy\"><\/iframe><cite class=\"hatena-citation\"><a target=\"_blank\" href=\"https:\/\/blog.cybozu.io\/entry\/2024\/08\/21\/170000\">blog.cybozu.io<\/a><\/cite><\/p>\n<h3 id=\"\u307e\u3068\u3081\">\u307e\u3068\u3081<\/h3>\n<p>\u4ee5\u4e0a\u3001Kubernetes \u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u306b\u304a\u3051\u308b Cilium \u306e conntrack \u306e\u6319\u52d5\u3068\u5b9f\u88c5\u3092\u89e3\u8aac\u3057\u307e\u3057\u305f\u3002<\/p>\n<p>eBPF \u306b\u3088\u308b\u30d1\u30b1\u30c3\u30c8\u51e6\u7406\u306e\u5b9f\u88c5\u3067\u306f\u3001\u57fa\u672c\u7684\u306b\u306f Egress\/Ingress \u305d\u308c\u305e\u308c\u306e Pod \u304c\u5b58\u5728\u3059\u308b\u30ce\u30fc\u30c9\u4e0a\u306b\u3001\u305d\u308c\u305e\u308c\u306e\u65b9\u5411\u306e CT \u30a8\u30f3\u30c8\u30ea\u304c\u4f5c\u6210\u3055\u308c\u307e\u3059\u3002\u307e\u305f\u3001\u305d\u308c\u306b\u5fdc\u3058\u3066 ICMP \u7528\u306e\u30a8\u30f3\u30c8\u30ea\u3082\u4f5c\u6210\u3055\u308c\u307e\u3059\u3002<br \/>\u305d\u308c\u306b\u52a0\u3048\u3066\u3001Service \u7d4c\u7531\u306e\u901a\u4fe1\u306f\u3001\u305d\u306e\u901a\u4fe1\u304c Service \u306e\u3082\u306e\u3067\u3042\u308b\u3053\u3068\u3092\u793a\u3059\u305f\u3081\u306b\u7279\u5225\u306a CT 
\u30a8\u30f3\u30c8\u30ea\u304c\u5225\u9014\u4f5c\u6210\u3055\u308c\u308b\u3053\u3068\u306b\u306a\u308a\u307e\u3059\u3002<br \/>\u305d\u308c\u3089\u306e CT \u30a8\u30f3\u30c8\u30ea\u3092\u901a\u4fe1\u306e\u72b6\u614b\u306b\u5fdc\u3058\u3066\u66f4\u65b0\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u307e\u305f\u3001cilium-agent \u304c\u5b9a\u671f\u7684\u306b GC \u3057\u3066\u3001CT map \u3092\u5065\u5168\u306a\u72b6\u614b\u306b\u4fdd\u3063\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u3053\u306e\u3088\u3046\u306b\u3001Cilium \u306f eBPF \u3092\u7528\u3044\u3066 conntrack \u3092\u5b9f\u88c5\u3057\u3066\u304a\u308a\u3001\u3053\u308c\u3092\u57fa\u790e\u3068\u3057\u3066\u9ad8\u5ea6\u306a\u901a\u4fe1\u5236\u5fa1\u3092\u5b9f\u73fe\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<\/div>\n<p><script>(function(d, s, id) {\n  var js, fjs = d.getElementsByTagName(s)[0];\n  if (d.getElementById(id)) return;\n  js = d.createElement(s); js.id = id;\n  js.src = \"\/\/connect.facebook.net\/ja_JP\/sdk.js#xfbml=1&version=v2.3\";\n  fjs.parentNode.insertBefore(js, fjs);\n}(document, 'script', 'facebook-jssdk'));<\/script><br \/>\n<br \/>\n<br \/><a href=\"https:\/\/blog.cybozu.io\/entry\/2025\/10\/24\/150000\">\u5143\u306e\u8a18\u4e8b\u3092\u78ba\u8a8d\u3059\u308b <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"\u3053\u306e\u8a18\u4e8b\u306f\u3001CYBOZU SUMMER BLOG FES &#8217;25\u306e\u8a18\u4e8b\u3067\u3059\u3002 \u3053\u3093\u306b\u3061\u306f\u3002\u30af\u30e9\u30a6\u30c9\u57fa\u76e4\u672c\u90e8 Cloud Platform \u90e8\u3067 Kubernetes \u57fa\u76e4\uff08Neco\uff09\u306e\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u3092\u62c5\u5f53\u3057\u3066\u3044 
[&hellip;]","protected":false},"author":1,"featured_media":18631,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[4],"tags":[],"class_list":["post-18630","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-company-tec"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Cilium Connection Tracking Deep Dive - Cybozu Inside Out - \u30dd\u30b1\u30b3\u30f3<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.cybozu.io\/entry\/2025\/10\/24\/150000\" \/>\n<meta property=\"og:locale\" content=\"ja_JP\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cilium Connection Tracking Deep Dive - Cybozu Inside Out - \u30dd\u30b1\u30b3\u30f3\" \/>\n<meta property=\"og:description\" content=\"\u3053\u306e\u8a18\u4e8b\u306f\u3001CYBOZU SUMMER BLOG FES &#8217;25\u306e\u8a18\u4e8b\u3067\u3059\u3002 \u3053\u3093\u306b\u3061\u306f\u3002\u30af\u30e9\u30a6\u30c9\u57fa\u76e4\u672c\u90e8 Cloud Platform \u90e8\u3067 Kubernetes \u57fa\u76e4\uff08Neco\uff09\u306e\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u3092\u62c5\u5f53\u3057\u3066\u3044 [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.cybozu.io\/entry\/2025\/10\/24\/150000\" \/>\n<meta property=\"og:site_name\" content=\"\u30dd\u30b1\u30b3\u30f3\" \/>\n<meta property=\"article:published_time\" content=\"2025-10-24T19:26:30+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/pokecon.jp\/job\/wp-content\/uploads\/2025\/10\/1761333990_https3A2F2Fcdn-ak.f.st-hatena.com2Fimages2Ffotolife2Fc2Fcybozuinsideout2F202510242F20251024.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1300\" \/>\n\t<meta 
property=\"og:image:height\" content=\"683\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"info@pokecon.jp\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u57f7\u7b46\u8005\" \/>\n\t<meta name=\"twitter:data1\" content=\"info@pokecon.jp\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u63a8\u5b9a\u8aad\u307f\u53d6\u308a\u6642\u9593\" \/>\n\t<meta name=\"twitter:data2\" content=\"13\u5206\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/blog.cybozu.io\\\/entry\\\/2025\\\/10\\\/24\\\/150000#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/18630\\\/\"},\"author\":{\"name\":\"info@pokecon.jp\",\"@id\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/#\\\/schema\\\/person\\\/16c9f07b1ba984d165d9aee259bda997\"},\"headline\":\"Cilium Connection Tracking Deep Dive &#8211; Cybozu Inside Out\",\"datePublished\":\"2025-10-24T19:26:30+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/18630\\\/\"},\"wordCount\":1446,\"image\":{\"@id\":\"https:\\\/\\\/blog.cybozu.io\\\/entry\\\/2025\\\/10\\\/24\\\/150000#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/wp-content\\\/uploads\\\/2025\\\/10\\\/1761333990_https3A2F2Fcdn-ak.f.st-hatena.com2Fimages2Ffotolife2Fc2Fcybozuinsideout2F202510242F20251024.png\",\"articleSection\":[\"\u4f01\u696d\u30c6\u30c3\u30af\"],\"inLanguage\":\"ja\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/18630\\\/\",\"url\":\"https:\\\/\\\/blog.cybozu.io\\\/entry\\\/2025\\\/10\\\/24\\\/150000\",\"name\":\"Cilium Connection Tracking Deep Dive - Cybozu Inside Out - 
\u30dd\u30b1\u30b3\u30f3\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/blog.cybozu.io\\\/entry\\\/2025\\\/10\\\/24\\\/150000#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/blog.cybozu.io\\\/entry\\\/2025\\\/10\\\/24\\\/150000#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/wp-content\\\/uploads\\\/2025\\\/10\\\/1761333990_https3A2F2Fcdn-ak.f.st-hatena.com2Fimages2Ffotolife2Fc2Fcybozuinsideout2F202510242F20251024.png\",\"datePublished\":\"2025-10-24T19:26:30+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/#\\\/schema\\\/person\\\/16c9f07b1ba984d165d9aee259bda997\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/blog.cybozu.io\\\/entry\\\/2025\\\/10\\\/24\\\/150000#breadcrumb\"},\"inLanguage\":\"ja\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/blog.cybozu.io\\\/entry\\\/2025\\\/10\\\/24\\\/150000\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"ja\",\"@id\":\"https:\\\/\\\/blog.cybozu.io\\\/entry\\\/2025\\\/10\\\/24\\\/150000#primaryimage\",\"url\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/wp-content\\\/uploads\\\/2025\\\/10\\\/1761333990_https3A2F2Fcdn-ak.f.st-hatena.com2Fimages2Ffotolife2Fc2Fcybozuinsideout2F202510242F20251024.png\",\"contentUrl\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/wp-content\\\/uploads\\\/2025\\\/10\\\/1761333990_https3A2F2Fcdn-ak.f.st-hatena.com2Fimages2Ffotolife2Fc2Fcybozuinsideout2F202510242F20251024.png\",\"width\":1300,\"height\":683},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/blog.cybozu.io\\\/entry\\\/2025\\\/10\\\/24\\\/150000#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\u30db\u30fc\u30e0\",\"item\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cilium Connection Tracking Deep Dive &#8211; Cybozu Inside 
Out\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/#website\",\"url\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/\",\"name\":\"\u30dd\u30b1\u30b3\u30f3\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"ja\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/#\\\/schema\\\/person\\\/16c9f07b1ba984d165d9aee259bda997\",\"name\":\"info@pokecon.jp\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"ja\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2b0549cd9f7907c092ca5fbb283baf72337f235726e4b46fa39ec0b701ac2fe2?s=96&d=wavatar&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2b0549cd9f7907c092ca5fbb283baf72337f235726e4b46fa39ec0b701ac2fe2?s=96&d=wavatar&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2b0549cd9f7907c092ca5fbb283baf72337f235726e4b46fa39ec0b701ac2fe2?s=96&d=wavatar&r=g\",\"caption\":\"info@pokecon.jp\"},\"url\":\"https:\\\/\\\/pokecon.jp\\\/job\\\/author\\\/infopokecon-jp\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Cilium Connection Tracking Deep Dive - Cybozu Inside Out - \u30dd\u30b1\u30b3\u30f3","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.cybozu.io\/entry\/2025\/10\/24\/150000","og_locale":"ja_JP","og_type":"article","og_title":"Cilium Connection Tracking Deep Dive - Cybozu Inside Out - \u30dd\u30b1\u30b3\u30f3","og_description":"\u3053\u306e\u8a18\u4e8b\u306f\u3001CYBOZU SUMMER BLOG FES &#8217;25\u306e\u8a18\u4e8b\u3067\u3059\u3002 \u3053\u3093\u306b\u3061\u306f\u3002\u30af\u30e9\u30a6\u30c9\u57fa\u76e4\u672c\u90e8 Cloud Platform \u90e8\u3067 Kubernetes \u57fa\u76e4\uff08Neco\uff09\u306e\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u3092\u62c5\u5f53\u3057\u3066\u3044 [&hellip;]","og_url":"https:\/\/blog.cybozu.io\/entry\/2025\/10\/24\/150000","og_site_name":"\u30dd\u30b1\u30b3\u30f3","article_published_time":"2025-10-24T19:26:30+00:00","og_image":[{"width":1300,"height":683,"url":"https:\/\/pokecon.jp\/job\/wp-content\/uploads\/2025\/10\/1761333990_https3A2F2Fcdn-ak.f.st-hatena.com2Fimages2Ffotolife2Fc2Fcybozuinsideout2F202510242F20251024.png","type":"image\/png"}],"author":"info@pokecon.jp","twitter_card":"summary_large_image","twitter_misc":{"\u57f7\u7b46\u8005":"info@pokecon.jp","\u63a8\u5b9a\u8aad\u307f\u53d6\u308a\u6642\u9593":"13\u5206"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.cybozu.io\/entry\/2025\/10\/24\/150000#article","isPartOf":{"@id":"https:\/\/pokecon.jp\/job\/18630\/"},"author":{"name":"info@pokecon.jp","@id":"https:\/\/pokecon.jp\/job\/#\/schema\/person\/16c9f07b1ba984d165d9aee259bda997"},"headline":"Cilium Connection Tracking Deep Dive &#8211; Cybozu Inside 
Out","datePublished":"2025-10-24T19:26:30+00:00","mainEntityOfPage":{"@id":"https:\/\/pokecon.jp\/job\/18630\/"},"wordCount":1446,"inLanguage":"ja"},{"@type":"WebPage","@id":"https:\/\/pokecon.jp\/job\/18630\/","url":"https:\/\/blog.cybozu.io\/entry\/2025\/10\/24\/150000","name":"Cilium Connection Tracking Deep Dive - Cybozu Inside Out","datePublished":"2025-10-24T19:26:30+00:00","inLanguage":"ja"}]}}}