SOCKMAP - TCP splicing of the future
Cloudflare's blog explains how SOCKMAP enables high-performance TCP splicing in the Linux kernel, allowing data to be forwarded between connections without copying to userspace, reducing CPU overhead and improving throughput for reverse proxies and tunneling services.
Background
- Cloudflare is a major CDN and internet security company. To serve traffic at massive scale, it needs to move data between two TCP connections (e.g., a visitor's and the origin server's) as fast as possible — this is called "TCP splicing."
- The Linux kernel's extended Berkeley Packet Filter (eBPF) allows running sandboxed, verifier-checked programs inside the kernel to observe or redirect network traffic without modifying kernel source.
- SOCKMAP is a special eBPF map (a key/value store in kernel memory) that can hold socket references. By attaching eBPF programs to it, Cloudflare can redirect data from one socket directly into another inside the kernel — avoiding userspace copies and context switches.
- The post explains Cloudflare's implementation: using SOCKMAP + BPF "sock_ops" and "sk_skb" programs to splice connections in kernel space, then handling TLS termination and HTTP routing in userspace only when needed. This cuts latency and CPU usage compared to older splice() or userspace proxy approaches.
- Prior art includes the Linux `splice()` syscall and classic `ktcp` splicing, but SOCKMAP offers finer-grained control and works with modern encrypted flows.
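As an added example (not code from the Cloudflare post), this is the kernel side of the SOCKMAP splice described above: a `stream_parser` that treats the TCP stream as opaque and a `stream_verdict` that hands each segment to its peer socket with `bpf_sk_redirect_map`, so the bytes never reach userspace. The slot-pairing convention (a spliced pair occupies sockmap slots 2n and 2n+1, so the peer of slot k is k^1) and the `slot_index` map keyed by the socket's ports are assumptions; userspace fills both maps when it sets up a splice and attaches the two programs to the sockmap.

```c
/* sockmap_splice_kern.c: sk_skb programs that splice two TCP sockets inside
 * the kernel. Built in practice with: clang -O2 -target bpf -c. The helper
 * declarations follow the legacy libbpf bpf_helpers.h style, where each helper
 * is addressed by its BPF_FUNC_* id and resolved by the kernel at load time. */
#include <linux/bpf.h>
#include <linux/types.h>

#define SEC(name) __attribute__((section(name), used))
#define __uint(name, val) int (*name)[val]
#define __type(name, val) __typeof__(val) *name

static long (*bpf_sk_redirect_map)(struct __sk_buff *skb, void *map, __u32 key,
                                   __u64 flags) = (void *)(long)BPF_FUNC_sk_redirect_map;
static void *(*bpf_map_lookup_elem)(void *map, const void *key) =
        (void *)(long)BPF_FUNC_map_lookup_elem;

/* Assumed lookup key: the fields exactly as __sk_buff exposes them to sk_skb
 * programs (local_port in host order, remote_port in network order). */
struct conn_key { __u32 local_port; __u32 remote_port; };

/* Spliced sockets; userspace inserts a pair at slots 2n and 2n+1 (assumption). */
struct { __uint(type, BPF_MAP_TYPE_SOCKMAP); __uint(max_entries, 1024);
         __type(key, __u32); __type(value, __u32); } sock_map SEC(".maps");

/* (local_port, remote_port) of a socket -> its own slot in sock_map (assumption). */
struct { __uint(type, BPF_MAP_TYPE_HASH); __uint(max_entries, 1024);
         __type(key, struct conn_key); __type(value, __u32); } slot_index SEC(".maps");

/* Peer of sockmap slot `slot` under the 2n/2n+1 pairing convention. */
static __u32 peer_key(__u32 slot) { return slot ^ 1; }

SEC("sk_skb/stream_parser")
int splice_parser(struct __sk_buff *skb)
{
    /* The proxy does not parse the spliced stream: every segment is a message. */
    return skb->len;
}

SEC("sk_skb/stream_verdict")
int splice_verdict(struct __sk_buff *skb)
{
    struct conn_key k = { .local_port = skb->local_port, .remote_port = skb->remote_port };
    __u32 *slot = bpf_map_lookup_elem(&slot_index, &k);
    if (!slot)
        return SK_PASS;  /* not a spliced socket: leave the data for userspace */
    /* Queue the segment on the peer socket's receive path; SK_DROP on failure. */
    return bpf_sk_redirect_map(skb, &sock_map, peer_key(*slot), 0);
}

char _license[] SEC("license") = "GPL";
```

Once loaded, userspace attaches `splice_parser` as `BPF_SK_SKB_STREAM_PARSER` and `splice_verdict` as `BPF_SK_SKB_STREAM_VERDICT` to `sock_map` and then only has to insert each accepted/connected socket pair; removing a socket from the map (or closing it) ends the splice and returns the connection to ordinary userspace handling.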