Netronome, profile picture
Uploaded byNetronome
578 views

Offloading TC Rules on OVS Internal Ports

This document discusses two approaches to allowing traffic control (TC) rules to offload rules on internal ports in Open vSwitch (OVS). The first approach is to add a TC ingress hook to OVS internal port modules so the rules can be applied. The second approach is to offload rules as egress hooks, which achieves the same outcome as ingress hooks on internal ports by generating an OVS ingress action when egressing an internal port. Currently, TC rules outputting to an internal port are not offloaded, so this bypasses the OVS kernel datapath. The proposed approaches aim to address this by allowing hardware offload of rules on internal ports.

Embed presentation

Downloaded 20 times
© 2019 NETRONOME SYSTEMS, INC. John Hurley presented by Simon Horman Offloading TC rules on OVS Internal Ports
© 2019 NETRONOME SYSTEMS, INC. 2CONFIDENTIAL Internal Ports in OVS ● Registered in kernel by OVS and treated as standard netdevs ● Main differences with standard bridge devs: ○ If an OVS rule egresses to an internal port, the packet is passed to the network stack (ingress) rather than dev_queue_xmit ○ ndo_start_xmit() injects packet into OVS kernel datapath ● Rules applied to internal ports are not hit — TC ingress is bypassed ● Wish to address this to allow hardware offload of these rules ● TC rules outputting to an internal port should use Ingress redirect ● Two approaches to allowing TC to offload rules on internal ports: ○ Add TC ingress hook to OVS internal port modules ■ Required as it bypasses hook in the network stack ○ Offload rules as egress hooks ■ [RFC OVS 0/2] ovs-tc: support OVS internal port offload
© 2019 NETRONOME SYSTEMS, INC. 3CONFIDENTIAL OVS Kernel (Encap with Tunnel IP on Bridge) Network RX stack OVS Kernel datapath eth0 Ingress hooks Rx handler Network TX stack Internal Port (br0) vxlan0 eth1 1. In_port: eth0 -> actions: output vxlan0 2. In_port: br0, src/dst mac -> actions: output eth1 Egress hooks 1 2 3 - xmit 4 5 1. Packet enters OVS datapath and matches rule 1 2. Action is to egress port vxlan0 3. Passes ip_tun stack and finds br0 as next hop (neigh_output) and calls dev_queue_xmit on this 4. ndo_start_xmit on internal port pushes packet into OVS kernel datapath with br0 as ingress port 5. Matches rule 2 and egresses port eth1
© 2019 NETRONOME SYSTEMS, INC. 4CONFIDENTIAL OVS-TC — Current Network RX stack OVS Kernel datapath eth0 Ingress hooks Rx handler Network TX stack Internal Port (br0) vxlan0 eth1 1. In_port: eth0 -> actions: output vxlan0 2. In_port: br0, src/dst mac -> actions: output eth1 Egress hooks 1 2 3 - xmit 4 5 1. Rule 1 is offloaded as a TC flower ingress filter on eth0 so packet is directed straight to vxlan0 without entering the OVS datapath 2. Rule 2 is not offloaded to TC so path (2-5) through OVS kernel is taken
© 2019 NETRONOME SYSTEMS, INC. 5CONFIDENTIAL OVS-TC — Modified to Use TC Egress Hook Network RX stack OVS Kernel datapath eth0 Ingress hooks Rx handler Network TX stack Internal Port (br0) vxlan0 eth1 1. In_port: eth0 -> actions: output vxlan0 2. In_port: br0, src/dst mac -> actions: output eth1 Egress hooks 1 2 3 - xmit 1. Packet matches ingress hook on eth0 and is directed to egress vxlan0 2. Next hop is determined as br0 so it is directed to egress that internal port 3. Rule 2 is installed on egress hook and packet is directed to eth1, bypassing OVS kernel datapath — egressing an internal port generates an OVS ingress action, so applying rule that match internal ports as egress hooks, achieves the same outcome as having an ingress hook in the internal port handlers
© 2019 NETRONOME SYSTEMS, INC. 6CONFIDENTIAL OVS-TC — Modified to Use TC Ingress Hook Network RX stack OVS Kernel datapath eth0 Ingress hooks Rx handler Network TX stack Internal Port (br0) vxlan0 eth1 1. In_port: eth0 -> actions: output vxlan0 2. In_port: br0, src/dst mac -> actions: output eth1 Egress hooks 1 2 3 - xmit 1. Packet matches ingress hook on eth0 and is directed to egress vxlan0 2. Next hop is determined as br0 so it is directed to egress that internal port 3. When received by the internal port packet is passed to TC ingress hooks 4. Rule 2 is installed on ingress hook 5. Packet egresses via eth1 4 5
© 2019 NETRONOME SYSTEMS, INC. Thank You

More Related Content

PDF
Quality of Service Ingress Rate Limiting and OVS Hardware Offloads
byNetronome
 
PDF
OVS Hardware Offload with TC Flower
byNetronome
 
PDF
TC Flower Offload
byNetronome
 
PDF
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
byLF_OpenvSwitch
 
PDF
LF_OVS_17_Ingress Scheduling
byLF_OpenvSwitch
 
PDF
LF_OVS_17_OVS Performance on Steroids - Hardware Acceleration Methodologies
byLF_OpenvSwitch
 
PDF
LF_OVS_17_OVN and Containers - An update.
byLF_OpenvSwitch
 
PDF
LF_OVS_17_OVS-DPDK Installation and Gotchas
byLF_OpenvSwitch
 
Quality of Service Ingress Rate Limiting and OVS Hardware Offloads
byNetronome
 
OVS Hardware Offload with TC Flower
byNetronome
 
TC Flower Offload
byNetronome
 
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
byLF_OpenvSwitch
 
LF_OVS_17_Ingress Scheduling
byLF_OpenvSwitch
 
LF_OVS_17_OVS Performance on Steroids - Hardware Acceleration Methodologies
byLF_OpenvSwitch
 
LF_OVS_17_OVN and Containers - An update.
byLF_OpenvSwitch
 
LF_OVS_17_OVS-DPDK Installation and Gotchas
byLF_OpenvSwitch
 

What's hot

PPTX
OpenvSwitch Deep Dive
byrajdeep
 
PDF
Open vSwitch - Stateful Connection Tracking & Stateful NAT
byThomas Graf
 
PDF
A new Internet? Intro to HTTP/2, QUIC, DoH and DNS over QUIC
byAPNIC
 
PPTX
TRex Realistic Traffic Generator - Stateless support
byHanoch Haim
 
PDF
Quic illustrated
byAlexander Krizhanovsky
 
PDF
Understanding Open vSwitch
byYongKi Kim
 
PDF
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
byThomas Graf
 
PDF
Software Networking and Interfaces on Linux
byMatt Turner
 
PDF
Cilium - BPF & XDP for containers
byThomas Graf
 
PDF
DPDK Support for New HW Offloads
byNetronome
 
PDF
LF_OVS_17_State of the OVN
byLF_OpenvSwitch
 
PDF
LF_OVS_17_LXC Linux Containers over Open vSwitch
byLF_OpenvSwitch
 
PDF
LF_OVS_17_Open vSwitch Offload: Conntrack and the Upstream Kernel
byLF_OpenvSwitch
 
PDF
2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 Sho...
byShuichi Ohkubo
 
PDF
QUIC
byApache Traffic Server
 
PDF
Introduction to QUIC
byShuya Osaki
 
PDF
Primer to Browser Netwroking
byShuya Osaki
 
PDF
Open vSwitch Implementation Options
byNetronome
 
PDF
Blackholing from a_providers_perspektive_theo_voss
byPavel Odintsov
 
PDF
Sdnds tw-meetup-2
byFei Ji Siao
 
OpenvSwitch Deep Dive
byrajdeep
 
Open vSwitch - Stateful Connection Tracking & Stateful NAT
byThomas Graf
 
A new Internet? Intro to HTTP/2, QUIC, DoH and DNS over QUIC
byAPNIC
 
TRex Realistic Traffic Generator - Stateless support
byHanoch Haim
 
Quic illustrated
byAlexander Krizhanovsky
 
Understanding Open vSwitch
byYongKi Kim
 
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
byThomas Graf
 
Software Networking and Interfaces on Linux
byMatt Turner
 
Cilium - BPF & XDP for containers
byThomas Graf
 
DPDK Support for New HW Offloads
byNetronome
 
LF_OVS_17_State of the OVN
byLF_OpenvSwitch
 
LF_OVS_17_LXC Linux Containers over Open vSwitch
byLF_OpenvSwitch
 
LF_OVS_17_Open vSwitch Offload: Conntrack and the Upstream Kernel
byLF_OpenvSwitch
 
2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 Sho...
byShuichi Ohkubo
 
QUIC
byApache Traffic Server
 
Introduction to QUIC
byShuya Osaki
 
Primer to Browser Netwroking
byShuya Osaki
 
Open vSwitch Implementation Options
byNetronome
 
Blackholing from a_providers_perspektive_theo_voss
byPavel Odintsov
 
Sdnds tw-meetup-2
byFei Ji Siao
 

More from Netronome

PDF
P4 Introduction
byNetronome
 
PDF
Unifying Network Filtering Rules for the Linux Kernel with eBPF
byNetronome
 
PDF
Offloading Linux LAG Devices Via Open vSwitch and TC
byNetronome
 
PPTX
Demystify eBPF JIT Compiler
byNetronome
 
PDF
BPF Hardware Offload Deep Dive
byNetronome
 
PDF
Host Data Plane Acceleration: SmartNIC Deployment Models
byNetronome
 
PDF
eBPF/XDP
byNetronome
 
PDF
Efficient JIT to 32-bit Arches
byNetronome
 
PDF
ODSA Sub-Project Launch
byNetronome
 
PDF
Massively Parallel RISC-V Processing with Transactional Memory
byNetronome
 
PDF
eBPF Tooling and Debugging Infrastructure
byNetronome
 
PPTX
Disaggregation a Primer: Optimizing design for Edge Cloud & Bare Metal applic...
byNetronome
 
PDF
Flexible and Scalable Domain-Specific Architectures
byNetronome
 
PDF
eBPF Debugging Infrastructure - Current Techniques
byNetronome
 
PDF
Comprehensive XDP Off‌load-handling the Edge Cases
byNetronome
 
PDF
The Power of SmartNICs
byNetronome
 
PDF
LFSMM Verifier Optimizations and 1 M Instructions
byNetronome
 
PDF
eBPF & Switch Abstractions
byNetronome
 
PDF
Using Network Acceleration for an Optimized Edge Cloud Server Architecture
byNetronome
 
PDF
LFSMM AF XDP Queue I-DS
byNetronome
 
P4 Introduction
byNetronome
 
Unifying Network Filtering Rules for the Linux Kernel with eBPF
byNetronome
 
Offloading Linux LAG Devices Via Open vSwitch and TC
byNetronome
 
Demystify eBPF JIT Compiler
byNetronome
 
BPF Hardware Offload Deep Dive
byNetronome
 
Host Data Plane Acceleration: SmartNIC Deployment Models
byNetronome
 
eBPF/XDP
byNetronome
 
Efficient JIT to 32-bit Arches
byNetronome
 
ODSA Sub-Project Launch
byNetronome
 
Massively Parallel RISC-V Processing with Transactional Memory
byNetronome
 
eBPF Tooling and Debugging Infrastructure
byNetronome
 
Disaggregation a Primer: Optimizing design for Edge Cloud & Bare Metal applic...
byNetronome
 
Flexible and Scalable Domain-Specific Architectures
byNetronome
 
eBPF Debugging Infrastructure - Current Techniques
byNetronome
 
Comprehensive XDP Off‌load-handling the Edge Cases
byNetronome
 
The Power of SmartNICs
byNetronome
 
LFSMM Verifier Optimizations and 1 M Instructions
byNetronome
 
eBPF & Switch Abstractions
byNetronome
 
Using Network Acceleration for an Optimized Edge Cloud Server Architecture
byNetronome
 
LFSMM AF XDP Queue I-DS
byNetronome
 

Recently uploaded

PDF
Best Bank Statement Converter Software - A Documentation-Based Meta-Analysis ...
bylewisconrada
 
PPTX
SRWE_Module_14_SRWE_ccna_basics_routing_concepts.pptx
byahmedmahmoudece
 
PPTX
Unit 1 Introduction of Computer Networks
bySuvarnaSharma5
 
PDF
Louisville User Group: Transforming Technical Debt into Technical Wealth
byLynda Kane
 
PDF
Using Change Data Capture (CDC) to Ingest Data into Apache Kafka
byGiovanni Marigi
 
PDF
Scott M. Graffius' Phases of Team Development - Applied to Human Teams and Hu...
byScott M. Graffius
 
PPTX
KTU-PEMET413 -MODULE 2-POLYMER MATRIX COMPOSITES - LECTURE 1.pptx
byVINAY B
 
PPTX
DVCON24-IBM ai/ml driven hardware verification
byArun Joseph
 
PPTX
Visual Foxpro-VFP9-Access-Report-Variable-Outside-the-report.pptx
bymanojbkalla
 
PPTX
On-Device AI with Gemma 3n and PaliGemma 2 Session Slides - GDG VESIT
bygdgcodecellcmpn
 
PDF
Azure Identity, Governance, and Monitoring solutions
byVICTOR MAESTRE RAMIREZ
 
PDF
Generating Structured Outputs from Unstructured Content Using LLMs
byEnterprise Knowledge
 
PPTX
Sensors-and-Actuators-in-IoT-Systems.pptx
byMuhammedNihal54
 
PDF
The Rise of AI Fashion Tools and Innovations in 2026
bymockitseo
 
PDF
threat-hunters-cookbook for cybersecurity
bylobster6719
 
PDF
oracle_apex_tamil_export_an_application.pdf
byUthamaselvan M
 
PDF
Chapter 1 Introduction to Computer Security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
splunk-peak-threat-hunting-framework.pdf
bylobster6719
 
PDF
Digital Transformation Services The Key to Futureproofing Your Business
byQuadrafort Technolgies
 
PDF
Strengthening cybern resilience for a leading indian Financial Services group
bypandeydevika621
 
Best Bank Statement Converter Software - A Documentation-Based Meta-Analysis ...
bylewisconrada
 
SRWE_Module_14_SRWE_ccna_basics_routing_concepts.pptx
byahmedmahmoudece
 
Unit 1 Introduction of Computer Networks
bySuvarnaSharma5
 
Louisville User Group: Transforming Technical Debt into Technical Wealth
byLynda Kane
 
Using Change Data Capture (CDC) to Ingest Data into Apache Kafka
byGiovanni Marigi
 
Scott M. Graffius' Phases of Team Development - Applied to Human Teams and Hu...
byScott M. Graffius
 
KTU-PEMET413 -MODULE 2-POLYMER MATRIX COMPOSITES - LECTURE 1.pptx
byVINAY B
 
DVCON24-IBM ai/ml driven hardware verification
byArun Joseph
 
Visual Foxpro-VFP9-Access-Report-Variable-Outside-the-report.pptx
bymanojbkalla
 
On-Device AI with Gemma 3n and PaliGemma 2 Session Slides - GDG VESIT
bygdgcodecellcmpn
 
Azure Identity, Governance, and Monitoring solutions
byVICTOR MAESTRE RAMIREZ
 
Generating Structured Outputs from Unstructured Content Using LLMs
byEnterprise Knowledge
 
Sensors-and-Actuators-in-IoT-Systems.pptx
byMuhammedNihal54
 
The Rise of AI Fashion Tools and Innovations in 2026
bymockitseo
 
threat-hunters-cookbook for cybersecurity
bylobster6719
 
oracle_apex_tamil_export_an_application.pdf
byUthamaselvan M
 
Chapter 1 Introduction to Computer Security.pdf
byGetnet Tigabie Askale -(GM)
 
splunk-peak-threat-hunting-framework.pdf
bylobster6719
 
Digital Transformation Services The Key to Futureproofing Your Business
byQuadrafort Technolgies
 
Strengthening cybern resilience for a leading indian Financial Services group
bypandeydevika621
 

Offloading TC Rules on OVS Internal Ports

  • 1.
    © 2019 NETRONOMESYSTEMS, INC. John Hurley presented by Simon Horman Offloading TC rules on OVS Internal Ports
  • 2.
    © 2019 NETRONOMESYSTEMS, INC. 2CONFIDENTIAL Internal Ports in OVS ● Registered in kernel by OVS and treated as standard netdevs ● Main differences with standard bridge devs: ○ If an OVS rule egresses to an internal port, the packet is passed to the network stack (ingress) rather than dev_queue_xmit ○ ndo_start_xmit() injects packet into OVS kernel datapath ● Rules applied to internal ports are not hit — TC ingress is bypassed ● Wish to address this to allow hardware offload of these rules ● TC rules outputting to an internal port should use Ingress redirect ● Two approaches to allowing TC to offload rules on internal ports: ○ Add TC ingress hook to OVS internal port modules ■ Required as it bypasses hook in the network stack ○ Offload rules as egress hooks ■ [RFC OVS 0/2] ovs-tc: support OVS internal port offload
  • 3.
    © 2019 NETRONOMESYSTEMS, INC. 3CONFIDENTIAL OVS Kernel (Encap with Tunnel IP on Bridge) Network RX stack OVS Kernel datapath eth0 Ingress hooks Rx handler Network TX stack Internal Port (br0) vxlan0 eth1 1. In_port: eth0 -> actions: output vxlan0 2. In_port: br0, src/dst mac -> actions: output eth1 Egress hooks 1 2 3 - xmit 4 5 1. Packet enters OVS datapath and matches rule 1 2. Action is to egress port vxlan0 3. Passes ip_tun stack and finds br0 as next hop (neigh_output) and calls dev_queue_xmit on this 4. ndo_start_xmit on internal port pushes packet into OVS kernel datapath with br0 as ingress port 5. Matches rule 2 and egresses port eth1
  • 4.
    © 2019 NETRONOMESYSTEMS, INC. 4CONFIDENTIAL OVS-TC — Current Network RX stack OVS Kernel datapath eth0 Ingress hooks Rx handler Network TX stack Internal Port (br0) vxlan0 eth1 1. In_port: eth0 -> actions: output vxlan0 2. In_port: br0, src/dst mac -> actions: output eth1 Egress hooks 1 2 3 - xmit 4 5 1. Rule 1 is offloaded as a TC flower ingress filter on eth0 so packet is directed straight to vxlan0 without entering the OVS datapath 2. Rule 2 is not offloaded to TC so path (2-5) through OVS kernel is taken
  • 5.
    © 2019 NETRONOMESYSTEMS, INC. 5CONFIDENTIAL OVS-TC — Modified to Use TC Egress Hook Network RX stack OVS Kernel datapath eth0 Ingress hooks Rx handler Network TX stack Internal Port (br0) vxlan0 eth1 1. In_port: eth0 -> actions: output vxlan0 2. In_port: br0, src/dst mac -> actions: output eth1 Egress hooks 1 2 3 - xmit 1. Packet matches ingress hook on eth0 and is directed to egress vxlan0 2. Next hop is determined as br0 so it is directed to egress that internal port 3. Rule 2 is installed on egress hook and packet is directed to eth1, bypassing OVS kernel datapath — egressing an internal port generates an OVS ingress action, so applying rule that match internal ports as egress hooks, achieves the same outcome as having an ingress hook in the internal port handlers
  • 6.
    © 2019 NETRONOMESYSTEMS, INC. 6CONFIDENTIAL OVS-TC — Modified to Use TC Ingress Hook Network RX stack OVS Kernel datapath eth0 Ingress hooks Rx handler Network TX stack Internal Port (br0) vxlan0 eth1 1. In_port: eth0 -> actions: output vxlan0 2. In_port: br0, src/dst mac -> actions: output eth1 Egress hooks 1 2 3 - xmit 1. Packet matches ingress hook on eth0 and is directed to egress vxlan0 2. Next hop is determined as br0 so it is directed to egress that internal port 3. When received by the internal port packet is passed to TC ingress hooks 4. Rule 2 is installed on ingress hook 5. Packet egresses via eth1 4 5
  • 7.
    © 2019 NETRONOMESYSTEMS, INC. Thank You