How Merbridge Uses eBPF to Accelerate Istio Traffic: A Deep Dive

Merbridge Open Source Launch: Network Acceleration Takes a Step Forward

Merbridge is an open‑source project that, with a single command in an Istio cluster, uses eBPF to replace iptables, achieving network acceleration.

Why Replace iptables?

Istio relies on a sidecar proxy and iptables to intercept inbound and outbound traffic. This double interception forces packets to traverse the kernel four times instead of two, causing noticeable performance loss in latency‑sensitive scenarios.

eBPF Emergence and Merbridge Creation

With the rise of eBPF, projects such as Cilium have demonstrated its power for observability and packet processing. DaoCloud engineers leveraged eBPF’s sockops and redir capabilities to replace iptables in Istio, creating the Merbridge project.

One‑Line Installation

kubectl apply -f https://raw.githubusercontent.com/merbridge/merbridge/main/deploy/all-in-one.yaml

Note: Requires Linux kernel 5.7 or newer.

Performance Optimization with eBPF Sockops

eBPF provides the bpf_msg_redirect_hash helper to forward packets directly to the destination socket, bypassing iptables and greatly speeding up kernel processing.

The sock_map stores socket rules; during connection establishment, the original destination address is saved, and a rule (typically a 4‑tuple) is used to look up the appropriate socket.

Implementation Principles

Merbridge mimics iptables’s DNAT behavior using eBPF:

Modify the destination address at connection time (using an eBPF connect program) while preserving the original address in a cookie.

Ensure Envoy can retrieve the original destination via the ORIGINAL_DST mechanism.

For outbound traffic, the eBPF connect program changes the target to 127.x.y.z:15001 and stores the original address in cookie_original_dst. The sockops program records the socket and its 4‑tuple in sock_pair_map and maps the original destination in pair_original_dst. Envoy then calls getsockopt to retrieve the original address, establishing the connection.

During data transmission, the redir program reads the socket from sock_pair_map and uses bpf_msg_redirect_hash to forward packets directly.

Ingress Traffic Handling

Ingress processing mirrors outbound handling, changing the destination to port 15006. Because eBPF operates cluster‑wide, a lightweight control plane (deployed as a DaemonSet) watches all Pods, records the IPs of Pods with injected sidecars in local_pod_ips, and skips processing for non‑Istio Pods to avoid unintended interference.

Same‑Node Acceleration and Feedback Mechanism

When both source and destination Pods reside on the same node, Envoy may mistakenly route traffic to the sidecar port, causing recursion. Merbridge detects this by comparing source and destination IPs in the sockops stage; if they match, the connection is dropped and the process‑IP mapping is recorded in process_ip for subsequent fast‑path checks.

Performance Results

Benchmarks (using wrk) show that replacing iptables with eBPF reduces overall latency and increases QPS significantly.

Project Invitation

Merbridge is an independent early‑stage open‑source project. Contributors are welcome to help improve its components and advance service‑mesh technology.

Project repository: https://github.com/merbridge/merbridge

Community Slack: https://join.slack.com/t/merbridge/shared_invite/...

Illustrative Diagrams