mule-proxy: hybrid Go + eBPF L4 proxy

Mule attempts to provide the best of both worlds:

  • full expressivity of Go for connection establishment (and rejection decisions)
  • pure kernel-space proxying for established connections using the eBPF sockhash infrastructure


These benchmarks establish a TLS connection over the loopback interface and performs HTTP requests over the established connection:

cpu: Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz
BenchmarkNewConnBaseline-8       	  102624	     58409 ns/op	    4861 B/op	      60 allocs/op
BenchmarkNewConnMule-8           	   86451	     69386 ns/op	    4861 B/op	      60 allocs/op
BenchmarkNewConnGo-8             	   72558	     85488 ns/op	    4860 B/op	      60 allocs/op

On Intel systems (with a kernel patch applied to reduce the added latency of eBPF redirects from ~15 microseconds to ~10 microseconds), proxying a TLS connection with a naive Go L4 Proxy incurs a 40% overhead – mule reduces this overhead to 16%. Cilium has a blog post describing a (more complicated and full featured) similar L4 proxy suggesting an eBPF-based approach has the potential for significant CPU reduction over a userspace (like haproxy) or IPVS-based implementation.


View Github