At scale, Cilium users often face mysterious TCP connection failures from unexpected RST packets. This session explores a critical bug where Cilium's BPF-based SNAT and its LRU eviction policy prematurely terminate active sessions. We will dissect the root cause in the eBPF datapath and reveal the elegant fix, now merged upstream in Pull Request #37747: proactively restoring the original NAT entry on the reverse traffic path. This solution, born from a real-world production issue, reduced connection failures from up to 10% to nearly zero.

This talk is a must for operators debugging network instability and developers tackling real-world eBPF challenges. You will leave with a clear diagnosis for this "silent killer" and key insights into building robust, high-performance cloud networking.