Netfence
Like Envoy xDS, but for eBPF filters.
Netfence runs as a daemon on your VM/container hosts. It injects eBPF filter programs into cgroups and network interfaces, and it ships a built-in DNS server that resolves allowed domains and populates the IP allowlist with the answers.
Netfence daemons connect to a central control plane, which you implement against the daemon's gRPC interface, to synchronize allowlists/denylists with your backend.
Your control plane pushes network rules such as ALLOW *.pypi.org or ALLOW 10.0.0.0/16 to attached interfaces/cgroups. When a VM/container queries DNS, Netfence resolves the name, adds the returned IPs to the eBPF filter, and drops traffic to unknown IPs in the kernel before it leaves the host, with negligible overhead and no proxy hop. Because the allowlist is populated only by answers from Netfence's own resolver, a workload in allowlist mode that bypasses it (hard-coded IPs, DNS over HTTPS to a public resolver) gets its traffic dropped.
Features
Attach eBPF filters to network interfaces (TC) or cgroups
Policy modes: disabled, allowlist, denylist, block-all
IPv4 and IPv6 CIDR support with optional TTLs
Per-attachment DNS server with domain allowlist/denylist
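The following is an added illustration of the DNS-driven allowlist described above (the resolve, learn, then filter flow, the four policy modes, and TTL expiry of learned IPs); it is not Netfence's own code and says nothing about its real gRPC API or eBPF maps. The `Attachment`, `Rule`, `OnDNSAnswer` and `Decide` names, the first-match-wins rule order, and the choice that a `*.x` wildcard does not cover the apex `x` are all assumptions made for the example; the sample addresses are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
	"time"
)

// Mode is the per-attachment policy mode (the four modes listed above).
type Mode int

const (
	ModeDisabled Mode = iota
	ModeAllowlist
	ModeDenylist
	ModeBlockAll
)

// Rule is one pushed rule: either a CIDR (Prefix valid, e.g. "ALLOW 10.0.0.0/16")
// or a domain pattern ("ALLOW *.pypi.org"); "*.x" matches subdomains of x only.
type Rule struct {
	Allow  bool
	Prefix netip.Prefix
	Domain string
}

// Attachment is one interface/cgroup: its mode, static rules, and the IPs learned
// from DNS answers with their expiry (allowed IPs in allowlist mode, denied in denylist).
type Attachment struct {
	Mode    Mode
	Rules   []Rule
	learned map[netip.Addr]time.Time
}

// matchesDomain expects a lowercased name without trailing dot. A wildcard rule
// does not cover the apex itself (assumption; give the apex its own rule).
func (r Rule) matchesDomain(name string) bool {
	wild := strings.HasPrefix(r.Domain, "*.") && len(name) > len(r.Domain)-1 && strings.HasSuffix(name, r.Domain[1:])
	return r.Domain != "" && (name == r.Domain || wild)
}

// OnDNSAnswer models the attachment's DNS server after it resolved name upstream:
// it reports whether the answer may go back to the client and records addrs for
// ttl so that the packet filter agrees with the DNS decision.
func (a *Attachment) OnDNSAnswer(name string, addrs []netip.Addr, ttl time.Duration, now time.Time) bool {
	if a.Mode == ModeDisabled || a.Mode == ModeBlockAll {
		return a.Mode == ModeDisabled
	}
	name = strings.ToLower(strings.TrimSuffix(name, ".")) // DNS names are case-insensitive
	matched, allow := false, false
	for _, r := range a.Rules {
		if r.matchesDomain(name) {
			matched, allow = true, r.Allow // first matching domain rule wins
			break
		}
	}
	// Only an allowlist ALLOW hit or a denylist DENY hit changes the filter; an
	// unlisted name is refused in allowlist mode and passed through in denylist mode.
	if !matched || allow != (a.Mode == ModeAllowlist) {
		return a.Mode == ModeDenylist
	}
	if a.learned == nil {
		a.learned = map[netip.Addr]time.Time{}
	}
	for _, ip := range addrs {
		a.learned[ip] = now.Add(ttl)
	}
	return allow
}

// Decide is the filter verdict for one outbound destination: the first CIDR rule
// containing it wins, then an unexpired DNS-learned IP, then the mode's default.
func (a *Attachment) Decide(dst netip.Addr, now time.Time) bool {
	if a.Mode == ModeDisabled || a.Mode == ModeBlockAll {
		return a.Mode == ModeDisabled
	}
	for _, r := range a.Rules {
		if r.Prefix.IsValid() && r.Prefix.Contains(dst) {
			return r.Allow
		}
	}
	if exp, ok := a.learned[dst]; ok && now.Before(exp) {
		return a.Mode == ModeAllowlist
	}
	delete(a.learned, dst) // expired (or never learned): the entry leaves the filter
	return a.Mode == ModeDenylist
}

func main() {
	att := &Attachment{Mode: ModeAllowlist, Rules: []Rule{ // narrower DENY first: first match wins
		{Allow: true, Domain: "*.pypi.org"},
		{Allow: false, Prefix: netip.MustParsePrefix("10.0.99.0/24")},
		{Allow: true, Prefix: netip.MustParsePrefix("10.0.0.0/16")},
	}}
	pypi, now := netip.MustParseAddr("192.0.2.10"), time.Now() // constructed answer, not a real PyPI address
	fmt.Println(att.OnDNSAnswer("files.pypi.org", []netip.Addr{pypi}, 5*time.Minute, now), att.Decide(pypi, now), att.Decide(pypi, now.Add(6*time.Minute)))
	fmt.Println(att.OnDNSAnswer("evil.example", nil, time.Minute, now), att.Decide(netip.MustParseAddr("10.0.1.5"), now), att.Decide(netip.MustParseAddr("10.0.99.7"), now))
}
```

Two details worth carrying into a real deployment: the learned entry expires with the DNS record's TTL, so a client that caches the answer longer than the TTL starts getting dropped until it re-resolves, and the name is lowercased before matching, since a mixed-case query (or 0x20-style case randomization) must not slip past a domain rule.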