Skip to main content

L3AF

L3AF is an open-source framework and control plane for managing, orchestrating, and sharing eBPF-based network and security functions on Linux systems (network observability / network security / infrastructure management).

  • Centralized management and orchestration of eBPF programs across hosts (infrastructure management).
  • Packaging, distribution, and reuse of eBPF-based network and security functions via a policy-driven model (network security / network services).
  • Runtime lifecycle control for loading, attaching, updating, and unloading eBPF programs on Linux nodes (systems operations).
  • Support for multi-tenant and multi-function deployment of eBPF programs on shared infrastructure (platform engineering).
  • Integration with LF Networking governance and ecosystem for collaborative development of eBPF-based capabilities (open networking ecosystem).

More About L3AF

L3AF is an open-source project under LF Networking focused on providing a framework and control plane to manage eBPF-based network and security functions on Linux systems (network observability / network security / infrastructure management). eBPF allows sandboxed programs to run in the Linux kernel, and L3AF builds on this to let operators deploy, coordinate, and reuse multiple eBPF functions across distributed environments. The project targets enterprises and service providers that need programmable data-plane capabilities without custom kernel changes.

The core purpose of L3AF is to offer a common control mechanism and packaging model for eBPF programs so they can be maintained as shareable functions rather than one-off, host-specific artifacts (infrastructure automation). Through its control plane, L3AF manages which eBPF programs run on which hosts, how they are attached to kernel hooks, and how they are updated or removed. This enables standardized deployment of network analytics, Traffic Engineering (TE), security filtering, and other eBPF-based logic.

L3AF provides functionality for distributing, loading, attaching, and chaining eBPF programs on Linux nodes (systems operations). It supports configuration and policy constructs that define which eBPF packages should be deployed in various environments, allowing operations teams to treat eBPF functions as reusable building blocks. The framework is designed to coexist with multiple eBPF-based tools or services on the same host, coordinating their lifecycle so they do not conflict at attach points.

In enterprise or carrier environments, L3AF can be used to host network functions such as telemetry collection, observability probes, access controls, and packet processing policies (network observability / network security). Operators can roll out eBPF-based capabilities to fleets of servers and network edge nodes while keeping configuration and versioning under central control. This supports scenarios like per-tenant traffic policies, enhanced flow logging, or programmable mitigation logic, with eBPF programs distributed as standardized packages.

From an architectural perspective, L3AF operates as a control plane that interacts with the underlying Linux kernel’s eBPF subsystem and associated attach points in the networking stack (Linux networking / kernel integration). It treats individual eBPF programs as functions and manages their dependencies, ordering, and chaining so multiple programs can run on the same hook. The project aligns with the broader LF Networking ecosystem, which promotes open, modular building blocks for network automation and cloud-native networking.

For enterprise technical teams, L3AF fits into categories such as network observability, network security, and infrastructure automation. It provides a mechanism to operationalize eBPF at scale, enabling consistent deployment and lifecycle management of programmable data-plane functions. By standardizing how eBPF programs are described, packaged, and controlled, L3AF supports integration into existing Continuous Integration and Continuous Deployment (CI/CD) pipelines, configuration management systems, and network operations workflows.