Netfence

Like Envoy xDS, but for eBPF filters.

Netfence runs as a daemon on your VM/container hosts and automatically injects eBPF filter programs into cgroups and network interfaces, with a built-in DNS server that resolves allowed domains and populates the IP allowlist.

Netfence daemons connect to a central control plane that you implement via gRPC to synchronize allowlists/denylists with your backend.

Your control plane pushes network rules like ALLOW *.pypi.org or ALLOW 10.0.0.0/16 to attached interfaces/cgroups. When a VM/container queries DNS, Netfence resolves it, adds the IPs to the eBPF filter, and drops traffic to unknown IPs before it leaves the host without any performance penalty.

Features

- Attach eBPF filters to network interfaces (TC) or cgroups
- Policy modes: disabled, allowlist, denylist, block-all
- IPv4 and IPv6 CIDR support with optional TTLs
- Per-attachment DNS server with domain allowlist/denylist
- Domain rules support subdomains with specificity-based matching (more specific rules win)
- Resolved domains auto-populate IP filter
- Metadata on daemons and attachments for associating with VM ID, tenant, etc.
- Support for proxying DNS queries to the control plane to make DNS decisions per-attachment

Design

Architecture

    +------------------+         +-------------------------+
    |  Your Control    |<------->|  Daemon (per host)      |
    |  Plane (gRPC)    |  stream |                         |
    +------------------+         |  +-------------------+  |
                                 |  | DNS Server        |  |
                                 |  | (per-attachment)  |  |
                                 |  +-------------------+  |
                                 +-------------------------+
                                              |
                                       +------+------+
                                       |             |
                                  TC Filter    Cgroup Filter
                                  (veth, eth)  (containers)

Each attachment gets a unique DNS address (port) provisioned by the daemon. Containers/VMs should be configured to use their assigned DNS address.
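The specificity-based domain matching and DNS-driven IP allowlist described above can be modelled as follows; this is an added example, not Netfence's own code, and the `Attachment` class, its method names and the rule tuples are hypothetical. It assumes a wildcard matches subdomains but not the apex, that resolved IPs expire with the DNS TTL, and that denylist mode treats CIDR rules as denied ranges.

```python
import ipaddress

# Constructed model, not Netfence code. Assumptions: "*.pypi.org" matches
# subdomains but not the apex; more labels = more specific; an exact name beats
# a wildcard; resolved IPs expire with the DNS TTL; DENY wins an exact tie.

def specificity(pattern):
    labels = pattern.lower().rstrip(".").split(".")
    wildcard = labels[0] == "*"
    return (len(labels) - wildcard, not wildcard)

def matches(pattern, name):
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern.startswith("*."):
        # Compare against ".pypi.org" so "evilpypi.org" cannot match.
        return name.endswith(pattern[1:])
    return name == pattern

class Attachment:
    def __init__(self, mode, domain_rules, cidr_rules=()):
        self.mode = mode                  # disabled|allowlist|denylist|block-all
        self.domain_rules = domain_rules  # [(action, pattern), ...]
        self.cidrs = [ipaddress.ip_network(c) for c in cidr_rules]
        self.resolved = {}                # ip -> expiry timestamp

    def dns_allowed(self, name):
        if self.mode in ("disabled", "block-all"):
            return self.mode == "disabled"
        hits = [(specificity(p), a) for a, p in self.domain_rules if matches(p, name)]
        if hits:
            return max(hits)[1] == "ALLOW"   # most specific rule decides
        return self.mode == "denylist"       # no rule: the mode's default

    def on_dns_answer(self, name, ips, ttl, now):
        """Allowed answers populate the IP filter; refused ones add nothing."""
        if not self.dns_allowed(name):
            return False
        for ip in ips:
            self.resolved[ipaddress.ip_address(ip)] = now + ttl
        return True

    def egress_allowed(self, dst, now):
        if self.mode in ("disabled", "block-all"):
            return self.mode == "disabled"
        ip = ipaddress.ip_address(dst)
        in_cidr = any(ip in net for net in self.cidrs)
        if self.mode == "denylist":
            return not in_cidr
        return in_cidr or self.resolved.get(ip, 0) > now
```

When reviewing a real policy, the cases worth testing are the same ones this model exercises: look-alike suffixes, the apex of a wildcarded domain, and traffic to an IP after its DNS entry has expired.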
Per host

Run the daemon, which:

- Exposes a local gRPC API (DaemonService) for attaching/detaching filters
- Connects to your control plane via bidirectional stream (ControlPlane.Connect)
- Loads and manages eBPF programs

Start the ...
First seen: 2026-01-25 16:54
Last seen: 2026-01-26 02:56