lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <87lgcryizi.fsf@toke.dk>
Date:   Thu, 10 May 2018 11:09:53 +0200
From:   Toke Høiland-Jørgensen <toke@...e.dk>
To:     Jesper Dangaard Brouer <brouer@...hat.com>,
        David Ahern <dsahern@...il.com>
Cc:     netdev@...r.kernel.org, borkmann@...earbox.net, ast@...nel.org,
        davem@...emloft.net, shm@...ulusnetworks.com,
        roopa@...ulusnetworks.com, john.fastabend@...il.com,
        brouer@...hat.com
Subject: Re: [bpf-next v3 8/9] bpf: Provide helper to do forwarding lookups in kernel FIB table

Jesper Dangaard Brouer <brouer@...hat.com> writes:

> On Wed,  9 May 2018 20:34:26 -0700
> David Ahern <dsahern@...il.com> wrote:
>
>> Provide a helper for doing a FIB and neighbor lookup in the kernel
>> tables from an XDP program. The helper provides a fastpath for forwarding
>> packets. If the packet is a local delivery or for any reason is not a
>> simple lookup and forward, the packet continues up the stack.
>> 
>> If it is to be forwarded, the forwarding can be done directly if the
>> neighbor is already known. If the neighbor does not exist, the first
>> few packets go up the stack for neighbor resolution. Once resolved, the
>> xdp program provides the fast path.
>> 
>> On successful lookup the nexthop dmac, current device smac and egress
>> device index are returned.
>> 
>> The API supports IPv4, IPv6 and MPLS protocols, but only IPv4 and IPv6
>> are implemented in this patch. The API includes layer 4 parameters if
>> the XDP program chooses to do deep packet inspection to allow compare
>> against ACLs implemented as FIB rules.
>> 
>> Header rewrite is left to the XDP program.
>> 
>> The lookup takes 2 flags:
>> - BPF_FIB_LOOKUP_DIRECT to do a lookup that bypasses FIB rules and goes
>>   straight to the table associated with the device (expert setting for
>>   those looking to maximize throughput)
>> 
>> - BPF_FIB_LOOKUP_OUTPUT to do a lookup from the egress perspective.
>>   Default is an ingress lookup.
>> 
>> Initial performance numbers collected by Jesper, forwarded packets/sec:
>> 
>>        Full stack    XDP FIB lookup    XDP Direct lookup
>> IPv4   1,947,969       7,074,156          7,415,333
>> IPv6   1,728,000       6,165,504          7,262,720
>> 
>
> The "Full stack" tests were with netfilter modules unloaded.  Default
> setting with netfilter conntrack loaded and default Fedora firewall
> rules, show around 700Kpps.
>
>> These number are single CPU core forwarding on a Broadwell
>> E5-1650 v4 @ 3.60GHz.
>> 
>> Signed-off-by: David Ahern <dsahern@...il.com>
>
> Acked-by: Jesper Dangaard Brouer <brouer@...hat.com>
>
> This helper is awesome, as it really shows how XDP is meant to work in
> concert and cooperate with the existing network stack.

+1!

-Toke

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ