Cilium Series Part 8: Bypass IPTables Connection Tracking

This article was last updated on: May 17, 2026 am

Series Articles

Introduction

Switching the Kubernetes CNI from other components to Cilium can already effectively improve network performance. However, by toggling different Cilium modes and enabling various features, you can further enhance Cilium’s network performance. Tuning options include but are not limited to:

  • Enable Native Routing
  • Fully replace KubeProxy
  • Switch IP Address Masquerading to eBPF-based mode
  • Run Kubernetes NodePort implementation in DSR (Direct Server Return) mode
  • Bypass iptables Connection Tracking
  • Switch Host Routing to BPF-based mode (requires Linux Kernel >= 5.10)
  • Enable IPv6 BIG TCP (requires Linux Kernel >= 5.19)
  • Disable Hubble (not recommended — observability is more important than a marginal performance gain)
  • Change MTU to jumbo frames (requires network conditions to allow it)
  • Enable Bandwidth Manager (requires Kernel >= 5.1)
  • Enable BBR congestion control for Pods (requires Kernel >= 5.18)
  • Enable XDP acceleration (requires native XDP driver support)
  • (Optional for advanced users) Adjust eBPF Map Size
  • Linux Kernel optimization and upgrade
    • CONFIG_PREEMPT_NONE=y
  • Other:
    • tuned network-* profiles, e.g.: tuned-adm profile network-latency or network-throughput
    • Set CPU to performance mode
    • Stop irqbalance and pin NIC interrupts to specific CPUs

When network/NIC/OS conditions permit, we enable as many of these tuning options as possible. Related optimizations will be covered one by one in subsequent articles. Stay tuned.

Today we will tune Cilium by configuring bypass of IPTables connection tracking to improve network performance.

Test Environment

  • Cilium 1.13.4
  • K3s v1.26.6+k3s1
  • OS
    • 3 Ubuntu 23.04 VMs, Kernel 6.2, x86

Bypass IPTables Connection Tracking

When eBPF Host Routing is not available, network packets still need to traverse the regular network stack in the host namespace, and iptables adds significant overhead. By disabling the connection tracking requirement for all Pod traffic, thereby bypassing the iptables connection tracker, this traversal cost can be minimized.

Requirements

  • Kernel >= 4.19.57, >= 5.1.16, >= 5.2
  • Direct-routing configuration
  • eBPF-based kube-proxy replacement
  • eBPF-based masquerading or no masquerading

Implementation Steps

1
2
3
4
helm upgrade cilium cilium/cilium --version 1.13.4 \
  --namespace kube-system \
  --reuse-values \
  --set installNoConntrackIptablesRules=true

Summary

In this article, we tuned Cilium by configuring bypass of IPTables connection tracking to improve network performance.

At this point, the following performance tuning items have been completed:

  • ✔️ Enable Native Routing
  • ✔️ Fully replace KubeProxy
  • ✔️ Switch IP Address Masquerading to eBPF-based mode
  • ✔️ Run Kubernetes NodePort implementation in DSR (Direct Server Return) mode
  • ✔️ Bypass iptables Connection Tracking
  • Switch Host Routing to BPF-based mode (requires Linux Kernel >= 5.10)
  • Enable IPv6 BIG TCP (requires Linux Kernel >= 5.19)
  • Change MTU to jumbo frames (requires network conditions to allow it)
  • Enable Bandwidth Manager (requires Kernel >= 5.1)
  • Enable BBR congestion control for Pods (requires Kernel >= 5.18)
  • Enable XDP acceleration (requires native XDP driver support)

📚️ References