How Merbridge Uses eBPF to Accelerate Istio Traffic: A Deep Dive
Merbridge, an open‑source project, replaces Istio’s iptables‑based traffic handling with eBPF sockops and redir, dramatically reducing kernel processing steps, improving latency and QPS, and providing seamless integration without modifying existing Istio configurations.
Merbridge Open Source Launch: Network Acceleration Takes a Step Forward
Merbridge is an open‑source project that, with a single command in an Istio cluster, uses eBPF to replace iptables, achieving network acceleration.
Why Replace iptables?
Istio relies on a sidecar proxy and iptables to intercept inbound and outbound traffic. This double interception forces packets to traverse the kernel four times instead of two, causing noticeable performance loss in latency‑sensitive scenarios.
eBPF Emergence and Merbridge Creation
With the rise of eBPF, projects such as Cilium have demonstrated its power for observability and packet processing. DaoCloud engineers leveraged eBPF’s sockops and redir capabilities to replace iptables in Istio, creating the Merbridge project.
One‑Line Installation
<code>kubectl apply -f https://raw.githubusercontent.com/merbridge/merbridge/main/deploy/all-in-one.yaml</code>
Note: Requires Linux kernel 5.7 or newer.
Performance Optimization with eBPF Sockops
eBPF provides the <code>bpf_msg_redirect_hash</code> helper to forward packets directly to the destination socket, bypassing iptables and greatly speeding up kernel processing.
The sock_map stores socket rules; during connection establishment, the original destination address is saved, and a rule (typically a 4‑tuple) is used to look up the appropriate socket.
Implementation Principles
Merbridge mimics iptables's DNAT behavior using eBPF:
1. Modify the destination address at connection time (using an eBPF <code>connect</code> program) while preserving the original address in a cookie.
2. Ensure Envoy can retrieve the original destination via the <code>ORIGINAL_DST</code> mechanism.
For outbound traffic, the eBPF <code>connect</code> program changes the target to <code>127.x.y.z:15001</code> and stores the original address in <code>cookie_original_dst</code>. The <code>sockops</code> program records the socket and its 4‑tuple in <code>sock_pair_map</code> and maps the original destination in <code>pair_original_dst</code>. Envoy then calls <code>getsockopt</code> to retrieve the original address, establishing the connection.
During data transmission, the <code>redir</code> program reads the socket from <code>sock_pair_map</code> and uses <code>bpf_msg_redirect_hash</code> to forward packets directly.
Ingress Traffic Handling
Ingress processing mirrors outbound handling, changing the destination to port <code>15006</code>. Because eBPF operates cluster‑wide, a lightweight control plane (deployed as a DaemonSet) watches all Pods, records the IPs of Pods with injected sidecars in <code>local_pod_ips</code>, and skips processing for non‑Istio Pods to avoid unintended interference.
Same‑Node Acceleration and Feedback Mechanism
When both source and destination Pods reside on the same node, Envoy may mistakenly route traffic to the sidecar port, causing recursion. Merbridge detects this by comparing source and destination IPs in the <code>sockops</code> stage; if they match, the connection is dropped and the process‑IP mapping is recorded in <code>process_ip</code> for subsequent fast‑path checks.
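To make the sequence of maps and programs concrete, the following is an added user-space C model of the outbound flow described under Implementation Principles (connect rewrite, sockops bookkeeping, the ORIGINAL_DST lookup and the redir fast path) together with the local_pod_ips skip and the same-node loop check from this section. It is not Merbridge's eBPF source: the map and program names and the 15001 port come from the article, while the key and value layouts, the integer socket ids, host-order addresses and the use of 127.0.0.1 for the rewritten address are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration: a user-space model of the hook sequence the article
 * describes, not Merbridge's eBPF source. Map and program names follow the
 * article; the key/value layouts, integer socket ids, host-order addresses
 * and the choice of 127.0.0.1 for the rewritten address are assumptions. */

#define OUTBOUND_PORT 15001          /* Envoy outbound listener (from the article) */
#define REWRITE_IP    0x7f000001u    /* 127.0.0.1, standing in for 127.x.y.z */
#define MAP_SIZE      64
#define SOCKOPS_DROP  (-1)
#define SOCKOPS_PASS  0

struct addr4    { uint32_t ip; uint16_t port; };                 /* host byte order */
struct pair_key { uint32_t sip, dip; uint16_t sport, dport; };   /* the 4-tuple */

/* cookie_original_dst: socket cookie -> destination the application asked for */
static struct { uint64_t cookie; struct addr4 dst; int used; } cookie_original_dst[MAP_SIZE];
/* sock_pair_map: 4-tuple -> socket id (stand-in for the eBPF sockhash entry) */
static struct { struct pair_key key; int sock; int used; } sock_pair_map[MAP_SIZE];
/* pair_original_dst: 4-tuple -> original destination, what ORIGINAL_DST returns */
static struct { struct pair_key key; struct addr4 dst; int used; } pair_original_dst[MAP_SIZE];
/* local_pod_ips: pods on this node with an injected sidecar (filled by the control plane) */
static uint32_t local_pod_ips[MAP_SIZE]; static int n_local_pods;
/* process_ip: source IPs seen connecting to themselves (same-node loop) */
static uint32_t process_ip[MAP_SIZE];  static int n_process_ip;

static int same_key(const struct pair_key *a, const struct pair_key *b) {
    return a->sip == b->sip && a->dip == b->dip && a->sport == b->sport && a->dport == b->dport;
}

void add_local_pod(uint32_t ip) { if (n_local_pods < MAP_SIZE) local_pod_ips[n_local_pods++] = ip; }

static int is_local_pod(uint32_t ip) {
    for (int i = 0; i < n_local_pods; i++) if (local_pod_ips[i] == ip) return 1;
    return 0;
}

/* connect program: for an outbound connect() from a sidecar pod, point the
 * socket at loopback:15001 and keep the real destination under the socket
 * cookie. Returns 1 when rewritten, 0 when the connect is left untouched. */
int connect_hook(uint64_t cookie, uint32_t src_ip, struct addr4 *dst) {
    if (!is_local_pod(src_ip)) return 0;            /* no sidecar: do not interfere */
    for (int i = 0; i < MAP_SIZE; i++) {
        if (cookie_original_dst[i].used) continue;
        cookie_original_dst[i].cookie = cookie;
        cookie_original_dst[i].dst = *dst;
        cookie_original_dst[i].used = 1;
        dst->ip = REWRITE_IP;
        dst->port = OUTBOUND_PORT;
        return 1;
    }
    return 0;                                       /* map full: leave the normal path */
}

/* sockops program: runs once the connection is established. Matching source
 * and destination IPs are the same-node loop from the article: the connection
 * is dropped and the IP noted in process_ip. Otherwise the socket and its
 * 4-tuple are recorded and the original destination is carried over from the
 * cookie map so Envoy can read it later. */
int sockops_hook(uint64_t cookie, int sock, const struct pair_key *key) {
    if (key->sip == key->dip) {
        if (n_process_ip < MAP_SIZE) process_ip[n_process_ip++] = key->sip;
        return SOCKOPS_DROP;
    }
    int c = -1;
    for (int i = 0; i < MAP_SIZE; i++)
        if (cookie_original_dst[i].used && cookie_original_dst[i].cookie == cookie) { c = i; break; }
    if (c < 0) return SOCKOPS_PASS;                 /* not a connection we rewrote */
    for (int i = 0; i < MAP_SIZE; i++) {
        if (sock_pair_map[i].used) continue;
        sock_pair_map[i].key = *key;  sock_pair_map[i].sock = sock;  sock_pair_map[i].used = 1;
        pair_original_dst[i].key = *key;  pair_original_dst[i].dst = cookie_original_dst[c].dst;
        pair_original_dst[i].used = 1;
        cookie_original_dst[c].used = 0;            /* cookie entry no longer needed */
        break;
    }
    return SOCKOPS_PASS;
}

/* What Envoy's getsockopt(ORIGINAL_DST) resolves to in this model: the
 * destination the application really wanted. Returns 1 if found, else 0. */
int original_dst_lookup(const struct pair_key *key, struct addr4 *out) {
    for (int i = 0; i < MAP_SIZE; i++)
        if (pair_original_dst[i].used && same_key(&pair_original_dst[i].key, key)) {
            *out = pair_original_dst[i].dst; return 1;
        }
    return 0;
}

/* redir program: the socket bpf_msg_redirect_hash would hand the message to;
 * -1 means no fast-path entry, so the message takes the ordinary kernel path. */
int redir_lookup(const struct pair_key *key) {
    for (int i = 0; i < MAP_SIZE; i++)
        if (sock_pair_map[i].used && same_key(&sock_pair_map[i].key, key)) return sock_pair_map[i].sock;
    return -1;
}

int main(void) {
    add_local_pod(0x0a000001u);                     /* constructed: pod 10.0.0.1 has a sidecar */
    struct addr4 dst = { 0x0a000002u, 80 };         /* constructed: app connects to 10.0.0.2:80 */
    int rewritten = connect_hook(42, 0x0a000001u, &dst);
    struct pair_key key = { 0x0a000001u, dst.ip, 40000, dst.port };
    sockops_hook(42, 7, &key);
    struct addr4 orig = { 0, 0 };
    original_dst_lookup(&key, &orig);
    printf("rewritten=%d dst=0x%08x:%u original=0x%08x:%u redir_sock=%d\n",
           rewritten, dst.ip, dst.port, orig.ip, orig.port, redir_lookup(&key));
    return 0;
}
```

Compile with any C99 compiler and run. The non-sidecar pod is the edge case the control plane's local_pod_ips map exists for: connect_hook leaves its connect untouched, so nothing downstream sees it. The same-node case is checked in sockops_hook, matching where the article places that check, and a dropped connection never gets a sock_pair_map entry, so redir_lookup returns -1 for it.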
Performance Results
Benchmarks (using <code>wrk</code>) show that replacing iptables with eBPF reduces overall latency and increases QPS significantly.
Project Invitation
Merbridge is an independent early‑stage open‑source project. Contributors are welcome to help improve its components and advance service‑mesh technology.
Project repository: https://github.com/merbridge/merbridge
Community Slack: https://join.slack.com/t/merbridge/shared_invite/...
Illustrative Diagrams