How to build your own VPN, or: the history of WARP
2025-10-29
WARP’s initial implementation resembled a VPN that allows Internet access through it. Here’s how we built it – and how you can, too. ...
2025-10-29
Many products at Cloudflare aren’t possible without pushing the limits of network hardware and software to deliver improved performance, increased efficiency, or novel capabilities such as soft-unicast, our method for sharing IP subnets across data centers. Happily, most people do not need to know the intricacies of how your operating system handles network and Internet access in general. Yes, even most people within Cloudflare. But sometimes we try to push well beyond the design intentions of Linux’s networking stack. This is a story about one of those attempts....
2025-10-21
This post explores the performance of BPF LPM tries, a critical data structure used for IP matching. ...
2025-09-25
We are further hardening Cloudflare Workers with the latest software and hardware features. We use defense-in-depth, including V8 sandboxes and the CPU's memory protection keys to keep your data safe....
2025-05-07
udpgrm is a lightweight daemon for graceful restarts of UDP servers. It leverages SO_REUSEPORT and eBPF to route new and existing flows to the correct server instance....
April 02, 2025 1:00 PM
Yarn tests fail consistently at the 27-second mark. The usual suspects are swiftly eliminated. A deep dive is taken to comb through traces, only to be derailed into an unexpected crash investigation....
February 14, 2025 2:00 PM
The Linux kernel can produce a hung task warning. Searching the Internet and the kernel docs, you can find a brief explanation that the process is stuck in the uninterruptible state....
January 03, 2025 2:00 PM
Multi-Path TCP (MPTCP) leverages multiple network interfaces, like Wi-Fi and cellular, to provide seamless mobility for more reliable connectivity. While promising, MPTCP is still in its early stages,...
March 06, 2024 2:00 PM
This post illustrates some of the Linux kernel features that help us keep our production systems more secure. We will dive deep into how they work and why you may consider enabling them as well...
February 08, 2024 2:00 PM
This is our story of what we learned about the connect() implementation for TCP in Linux: its strong and weak points, how connect() latency changes under pressure, and how to open a connection so that the syscall latency is deterministic and time-bound...
November 17, 2023 2:00 PM
The initial posts are dedicated to the x86 architecture. Since then, the fleet of our working machines has expanded to include a large and growing number of ARM CPUs. This time we’ll repeat this exercise for the aarch64 architecture....
May 11, 2023 1:00 PM
If you run your software on Linux, the Linux kernel itself can satisfy all your cryptographic needs! In this post we will explore the Linux Crypto API for user applications and try to understand its pros and cons...
March 20, 2023 1:00 PM
If I navigate to https://blog.cloudflare.com/, my browser will connect to a remote TCP address from the local IP address assigned to my machine, and a randomly chosen local TCP port. What happens if I then decide to head to another site?...
January 31, 2023 2:00 PM
In the Linux kernel before 6.1.6, a NULL pointer dereference bug in the traffic control subsystem allows an unprivileged user to trigger a denial of service (system crash) via a crafted traffic control configuration that is set up with "tc qdisc" and "tc class" commands....
January 16, 2023 1:46 PM
A race condition in the virtual ethernet driver of the Linux kernel led to occasional packet content corruptions, which resulted in unwanted packet drops by one of our DDoS mitigation systems. This blogpost describes the thought process and technique we used to debug this complex...
November 28, 2022 2:57 PM
Many leaks happen because of software bugs and security vulnerabilities. In this post we will learn how the Linux kernel can help protect cryptographic keys from a whole class of potential security vulnerabilities: memory access violations....
July 26, 2022 1:00 PM
In this blog post I'll share my journey deep into the Linux networking stack, trying to understand the memory and window management of the receiving side of a TCP connection...
July 18, 2022 12:56 PM
A crash in a development version of flowtrackd (the daemon that powers our Advanced TCP Protection) highlighted that libxdp (and specifically the AF_XDP part) was not Linux network namespace aware. ...
July 04, 2022 12:55 PM
Here’s a short list of recent technical blog posts to give you something to read today...
June 29, 2022 11:45 AM
Learn how to patch Linux security vulnerabilities without rebooting the hardware and how to tighten the security of your Linux operating system with eBPF Linux Security Module...