In the previous article I briefly introduced XDP (eXpress Data Path) and eBPF, the multipurpose in-kernel virtual machine. On the XDP side, I focused only on the motivations behind this new technology: the reasons for rearchitecting the Linux kernel networking layer to enable faster packet processing. However, I didn't get much into the details of how XDP works. In this new blog post I try to go deeper into XDP.

The design of XDP has its roots in a DDoS attack mitigation solution presented by Cloudflare at Netdev 1.1. Cloudflare relies heavily on iptables, which according to their own metrics is able to handle 1 Mpps on a decent server (Source: Why we use the Linux kernel's TCP stack). In the event of a DDoS attack, the amount of spoofed traffic can be up to 3 Mpps. Under those circumstances, a Linux box starts to be flooded with IRQ interrupts until it becomes unusable.

Because Cloudflare wanted to keep the convenience of using iptables (and the rest of the kernel's network stack), they couldn't go with a solution that takes full control of the hardware, such as DPDK. Their solution consisted of implementing what they called a "partial kernel bypass". Some queues of the NIC are still attached to the kernel, while others are attached to a user-space program that decides whether a packet should be dropped or not.

Cloudflare's solution used the Netmap toolkit to implement its partial kernel bypass (Source: Single Rx queue kernel bypass with Netmap).

By dropping packets at the lowest point of the stack, the amount of traffic that reaches the kernel's networking subsystem gets significantly reduced. However, this idea could be generalized by adding a checkpoint in the Linux kernel network stack, preferably as soon as a packet is received in the NIC. This checkpoint should pass a packet to a user-space program that will decide what to do with it: drop it or let it continue through the normal path. Luckily, Linux already features a mechanism that allows user-space code execution within the kernel: the eBPF VM.

Linux network stack with XDP

Every network function, no matter how complex it is, consists of a series of basic operations:

- Firewall: read incoming packets, compare them to a table of rules and execute an action: forward or drop.
- NAT: read incoming packets, modify headers and forward the packet.
- Tunnelling: read incoming packets, create a new packet, embed the packet into the new one and forward it.

XDP passes packets to our eBPF program, which decides what to do with them. We can read them or modify them if we need to. We can also call helper functions to parse packets, compute checksums and perform other operations, at no extra cost (avoiding system call penalties). And thanks to eBPF maps we have access to complex data structures for persistent data storage, like tables. We are also able to decide what to do with a packet. Are we going to drop it? Forward it? To control a packet's processing logic, XDP provides a set of predefined actions:
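The firewall case from the list above, as an added example that is not code from the original post: a user-space C model of the decision an XDP program makes, shaped like an XDP entry point (a `data`/`data_end` pair delimiting the frame) and applying a source-address rule table. The action values mirror the kernel's `enum xdp_action` (XDP_ABORTED, XDP_DROP, XDP_PASS, XDP_TX, XDP_REDIRECT); the rule table, the sample frame and the function names `xdp_firewall`, `build_ipv4_frame` and `classify_source` are my own constructions, not part of the post or of any kernel API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same numeric values as enum xdp_action in <linux/bpf.h>, redefined here
 * so the model compiles without kernel headers. */
enum xdp_action {
    XDP_ABORTED = 0,  /* program error: packet dropped, event traceable */
    XDP_DROP = 1,     /* drop at the driver, before any skb is allocated */
    XDP_PASS = 2,     /* hand the packet to the normal kernel stack */
    XDP_TX = 3,       /* bounce it back out of the arrival interface */
    XDP_REDIRECT = 4  /* send it to another interface or CPU */
};

#define ETH_HDR_LEN 14
#define IPV4_HDR_MIN 20
#define ETHERTYPE_IPV4 0x0800

/* One rule. In a real XDP program this table would live in an eBPF map
 * (an LPM trie, for instance) that user space fills and updates. */
struct rule {
    uint32_t prefix;      /* IPv4 prefix as a host-order integer */
    uint32_t mask;
    enum xdp_action action;
};

/* Constructed rule table using documentation addresses (assumption). */
static const struct rule rules[] = {
    { 0xCB007105u, 0xFFFFFFFFu, XDP_DROP },   /* 203.0.113.5/32 */
    { 0xC6336400u, 0xFFFFFF00u, XDP_DROP },   /* 198.51.100.0/24 */
};

static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static uint16_t load_be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Decision function. Every read is bounds-checked against data_end before
 * it happens, which is exactly what the eBPF verifier demands of a real
 * XDP program before it will load it. */
enum xdp_action xdp_firewall(const uint8_t *data, const uint8_t *data_end)
{
    if (data_end < data || (size_t)(data_end - data) < ETH_HDR_LEN)
        return XDP_ABORTED;               /* shorter than an Ethernet header */
    if (load_be16(data + 12) != ETHERTYPE_IPV4)
        return XDP_PASS;                  /* not IPv4: let the stack handle it */

    const uint8_t *ip = data + ETH_HDR_LEN;
    if ((size_t)(data_end - ip) < IPV4_HDR_MIN)
        return XDP_DROP;                  /* truncated IPv4 header */
    if ((ip[0] >> 4) != 4)
        return XDP_DROP;                  /* version field is not 4 */
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if (ihl < IPV4_HDR_MIN || (size_t)(data_end - ip) < ihl)
        return XDP_DROP;                  /* bogus header length */

    uint32_t src = load_be32(ip + 12);    /* source address at offset 12 */
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if ((src & rules[i].mask) == rules[i].prefix)
            return rules[i].action;
    return XDP_PASS;                      /* no rule matched: normal path */
}

/* Build a minimal Ethernet + IPv4 frame (constructed test input, empty
 * payload). Returns the frame length, or 0 if the buffer is too small. */
size_t build_ipv4_frame(uint8_t *buf, size_t cap, uint32_t src, uint32_t dst)
{
    const size_t len = ETH_HDR_LEN + IPV4_HDR_MIN;
    if (cap < len)
        return 0;
    memset(buf, 0, len);
    buf[12] = 0x08; buf[13] = 0x00;       /* EtherType IPv4 */
    uint8_t *ip = buf + ETH_HDR_LEN;
    ip[0] = 0x45;                         /* version 4, IHL 5 (20 bytes) */
    ip[3] = IPV4_HDR_MIN;                 /* total length (high byte is 0) */
    ip[8] = 64;                           /* TTL */
    ip[9] = 17;                           /* protocol: UDP */
    for (int i = 0; i < 4; i++) {
        ip[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        ip[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    return len;
}

/* Convenience wrapper: classify a frame arriving from a given source. */
enum xdp_action classify_source(uint32_t src)
{
    uint8_t frame[64];
    size_t len = build_ipv4_frame(frame, sizeof frame, src, 0xC0000201u);
    return xdp_firewall(frame, frame + len);
}

int main(void)
{
    static const char *names[] = { "XDP_ABORTED", "XDP_DROP", "XDP_PASS",
                                   "XDP_TX", "XDP_REDIRECT" };
    uint32_t sources[] = { 0xCB007105u, 0xC6336407u, 0xC0000201u };
    for (size_t i = 0; i < sizeof sources / sizeof sources[0]; i++)
        printf("src 0x%08x -> %s\n", sources[i], names[classify_source(sources[i])]);
    return 0;
}
```

Compile with `cc -Wall -o xdp_model xdp_model.c` and run it. The two things worth carrying over to a real XDP program are the check-before-read discipline (the verifier rejects any load that is not guarded against `data_end`) and the fact that XDP_DROP is returned before the kernel allocates an skb, which is why dropping spoofed traffic here scales in a way an iptables rule cannot.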
Create memif

```
pkgs]$ sudo vppctl -s /run/vpp/cli-vpp1.sock create interface memif id 0
pkgs]$ sudo vppctl -s /run/vpp/cli-vpp2.sock create interface memif id 0
pkgs]$ sudo vppctl -s /run/vpp/cli-vpp1.sock set int state memif0/0
pkgs]$ sudo vppctl -s /run/vpp/cli-vpp1.sock set int ip address memif0/0
pkgs]$ sudo vppctl -s /run/vpp/cli-vpp1.sock show int
Name Idx State MTU (L3/IP4/IP6/MPLS) Counter Count
Memif0/0 2 up
pkgs]$ sudo vppctl -s /run/vpp/cli-vpp1.sock show int address
pkgs]$ sudo vppctl -s /run/vpp/cli-vpp2.sock set int state memif0/0
pkgs]$ sudo vppctl -s /run/vpp/cli-vpp2.sock set int ip address memif0/0
pkgs]$ sudo vppctl -s /run/vpp/cli-vpp2.sock show int
Memif0/0 1 up
pkgs]$ sudo vppctl -s /run/vpp/cli-vpp2.sock show int addr
```

Add routes

To reach the 66.6.2.0/24 network, traffic has to go through the 66.6.6.7 gateway (vpp1):

```
pkgs]$ sudo ip route add 66.6.2.0/24 via 66.6.6.7
```

Add the vpp2 route:

```
pkgs]$ sudo vppctl -s /run/vpp/cli-vpp2.sock ip route add 66.6.6.0/24 via 66.6.2.1
```

Trace Ping

```
pkgs]$ sudo vppctl -s /run/vpp/cli-vpp1.sock clear
pkgs]$ sudo vppctl -s /run/vpp/cli-vpp2.sock clear
pkgs]$ sudo vppctl -s /run/vpp/cli-vpp1.sock trace add af-packet-input
pkgs]$ sudo vppctl -s /run/vpp/cli-vpp1.sock trace add memif-input
pkgs]$ sudo vppctl -s /run/vpp/cli-vpp2.sock trace add memif-input
```