Skip to main content

Lab 5: Service Chain Deployment

Final lab: deploy a simple service chain using netkit.

Scenario

We will chain two functions: an XDP firewall and a tc load balancer, on a single node for simplicity.

Steps (Outline)

  1. Build CNF containers: (Pre-built for this lab) Launch one container that loads xdp_firewall.o and another that loads tc_lb.o.
  2. Define chain: Create a netkit chain manifest YAML linking firewall -> load balancer, both on the same node interface.
  3. Apply chain: Use netkit to instantiate the chain (it will attach programs accordingly).
  4. Test traffic: Send test traffic that should be dropped by firewall (e.g., ping from a blocked IP) and traffic that should pass and be load-balanced (simulate with two backend IPs in the LB program map).

Verification

  • Firewall drop counters increase for blocked traffic (check via bpftool map dump for firewall's stats map).
  • Load balancer forwards allowed traffic to one of the backend IPs (you might simulate backend responses or check LB map hits).

This lab will be fleshed out in the next course update, with ready-to-use container images and configuration files.