Table of contents
Architecture
New to Kernloom? Start with Core Concepts for a plain-language overview. To install and run, see Getting started.
Kernel requirement: 5.10 LTS or newer. Kernloom relies on BPF ring buffer (available from 5.8) and stable XDP driver support. 5.10 LTS is the minimum tested and recommended baseline. On Synology NAS systems this requires a newer nk-platform (DSM 7.2+ on supported models).
The model: PDP and PEP
Kernloom is structured around the standard Zero Trust pattern of separating policy decisions from policy enforcement:
- Policy Decision Point (PDP) β Kernloom IQ (
kliq). Reads telemetry, computes per-source severity, decides what action to take. - Policy Enforcement Point (PEP) β Kernloom Shield (
klshield). Applies decisions at line rate in the kernel. First PEP adapter in the Kernloom ecosystem.
This split matters: IQ’s policy logic is PEP-agnostic. Future adapters (nginx, nftables, OpenZiti) can plug in without changing how IQ reasons about traffic. Configuration files β PolicyPack and PDPConfig YAML β are written once and work across all adapters.
Data flow
Packets arrive at NIC
β
βΌ
[ Shield / XDP β kernel space ]
1. Check allowlist (CIDR, LPM trie)
2. Check denylist (exact IP, hash map)
3. Apply rate-limit (token bucket, per-source override)
4. Update per-source telemetry counters
5. PASS or DROP
β
βΌ (kernel eBPF maps, pinned to /sys/fs/bpf/)
β
[ IQ β userspace, every tick (default 1s) ]
1. Read per-source deltas (PPS, SYN/s, scan/s, DropRL/s)
2. Compute per-source severity score
3. Run per-source FSM: OBSERVE β RATE_SOFT β RATE_HARD β BLOCK
4. Write enforcement decisions back to Shield's maps
5. (if graph enabled) Record sourceβdestination edges
Enforcement levels
For each source IP (IPv4 and IPv6), IQ manages one of four states:
| Level | Shield action | When IQ applies it |
|---|---|---|
| OBSERVE | None β traffic passes | Below severity thresholds |
| RATE_SOFT | Per-source token bucket (gentle) | Strike count reaches --soft-at |
| RATE_HARD | Per-source token bucket (strict) | Strike count reaches --hard-at |
| BLOCK | Deny entry in hash map | Strike count reaches --block-at, block gate passes |
Escalation is gradual. IQ requires sustained signals across multiple ticks before escalating, and requires a streak of clean ticks before stepping down. See IQ reference for the full engine description.
Pinned maps (reference)
Shield and IQ communicate exclusively through eBPF maps pinned at /sys/fs/bpf/:
| Map | Path | Used by |
|---|---|---|
| XDP link | kernloom_shield_xdp_link | klshield attach/detach |
| Totals (per-CPU) | kernloom_totals | klshield stats; IQ learn gating |
| IPv4 telemetry | kernloom_src4_stats | IQ reads every tick |
| IPv6 telemetry | kernloom_src6_stats | IQ reads every tick |
| Allow LPM v4 | kernloom_allow4_lpm | klshield add-allow-cidr |
| Allow LPM v6 | kernloom_allow6_lpm | klshield add-allow-cidr |
| Deny hash v4 | kernloom_deny4_hash | IQ writes on BLOCK |
| Deny hash v6 | kernloom_deny6_hash | IQ writes on BLOCK |
| Runtime config | kernloom_cfg | allow enforcement mode, sampling mask |
| Global RL config | kernloom_rl_cfg | token bucket defaults |
| RL overrides v4 | kernloom_rl_policy4 | IQ writes on RATE_SOFT / RATE_HARD |
| RL overrides v6 | kernloom_rl_policy6 | IQ writes on RATE_SOFT / RATE_HARD |
| Events ring buffer | kernloom_events | klshield events |
| Flow telemetry | kernloom_flow4_stats | XDP writes always; IQ reads in graph-learning mode |
| Edge deny | kernloom_edge4_deny | Tuple blacklist; IQ writes on freeze violation |
| Edge allow | kernloom_edge4_allow | Tuple whitelist; IQ populates from frozen graph |
| Edge RL policy | kernloom_edge4_rl_policy | Per-(src,port,proto) rate limit |
| Edge enforce config | kernloom_edge4_cfg | Tuple enforcement mode (off/deny/allow) |
Graph Learner
The Graph Learner is an optional IQ module that builds a baseline of observed sourceβdestination communication edges.
Edge lifecycle:
candidate β learned β frozen
ββββββββββββββββββββ denied (explicit)
approved (explicit override)
| State | Meaning |
|---|---|
candidate | Seen, evidence accumulating |
learned | Promoted: meets count + time-window + age criteria |
frozen | Locked into baseline β violations are acted on |
denied | Explicitly blocked, never overwritten by learning |
Modes:
| Mode | Behaviour |
|---|---|
learn | Record edges, accumulate evidence. No enforcement on unknown paths. |
frozen-observe | Baseline is frozen. Unknown edges emit signals and add FSM strikes, but full blocking is still gradual. |
frozen-enforce | Unknown edges force the source immediately to BLOCK, bypassing normal accumulation gates. |
Baseline is stored in a unified SQLite database (kliq.db, at /var/lib/kernloom/iq/kliq.db). Since v0.2.0 this database contains graph edges, edge baselines, and source baseline data in separate tables. Suspicious sources (already being rate-limited or blocked) are automatically excluded from the learning corpus.
Two deployment scenarios
Kernloom serves two fundamentally different use cases with different feature profile choices:
Scenario A β DoS prevention (public-facing nodes)
Used when the node faces the internet or a large number of unknown clients: Ziti controller, Ziti router, public web server, reverse proxy.
Graph learning is not useful here β new internet client IPs appear constantly and xdp_flow4_stats (32k entries) fills instantly. The maximum useful feature profile on a public-facing node is iq-learning: per-source EWMA baseline and progressive enforcement, but no flow telemetry and no graph.
Focus: early source-level rate limiting and autotune-based progressive enforcement. Protects WAF, proxy, and application from absorbing connection noise.
Scenario B β Microsegmentation (internal nodes)
Used when the node communicates with a small, stable set of internal services: identity provider, database, internal API, NAS. These are the nodes behind the public-facing layer β they never see raw internet clients directly.
Graph learning maps all communication edges over 7β14 days; freeze creates a Zero Trust boundary enforced at XDP level. Use feature profile graph-learning β graph-enforce.
Focus: learn normal service-to-service communication, freeze the baseline, block any unrecognised path immediately. Catches lateral movement and unintended communication.
The two scenarios are complementary, not competing. A typical deployment has public-facing nodes (Scenario A) absorbing internet noise and passing clean traffic inward, while internal nodes (Scenario B) enforce microsegmentation between services. Scenario A protects the perimeter; Scenario B limits blast radius if something gets through.
Configuration files
From v0.1.2, IQ can be driven by two structured YAML files instead of CLI flags:
- PDPConfig β how IQ operates (thresholds, autotune settings, graph mode, intervals). Scoped to the IQ instance.
- PolicyPack β what to enforce (profiles, block gates, rate-limit levels). PEP-agnostic β the same PolicyPack works with Shield today and future adapters.
Both formats are forward-compatible with Kernloom Forge. See IQ reference for YAML schema details.
Coming: Kernloom Forge
In standalone mode (current), IQ is configured and managed per node. Kernloom Forge is the upcoming Policy Management System:
Kernloom Forge (PMS)
βββ compile PolicyPacks
βββ sign + version bundles
βββ distribute to registered IQ nodes
kliq node-01 kliq node-02
βββ enforces βββ enforces
βββ receipts βββ receipts
Every enforcement decision IQ makes produces a signed receipt. Forge will aggregate these for fleet-wide audit and anomaly detection.
PolicyPack and PDPConfig files you write today will work with Forge without migration.
Build from source
If you prefer to build manually:
# BPF object (requires clang + llvm + bpftool)
make -C shield/bpf
# Go binaries
go build -o bin/klshield ./shield/cmd/klshield
go build -o bin/kliq ./iq/cmd/kliq
See Getting started for the one-liner installer.
See also
| Getting started | Install, bootstrap, and go from dry-run to enforcement |
| IQ reference | Full PDPConfig reference, graph learner workflow, all flags |
| Shield reference | XDP commands, tuple enforcement, map capacity limits |
| Integration Patterns | How the two-scenario model maps to real deployments |
Answer a few questions to estimate your exposure level, control gaps, and where Kernloom can reduce risk β without installing anything.