From: Numan Siddique <[email protected]>

XDP program - ovn_xdp.c added in this RFC patch series implements basic port
security and drops any packet if the port security check fails.

There are still a few TODOs in the port security checks, like:
- Make ovn xdp configurable.
- Removing the ingress OpenFlow rules from table 73 and 74 if ovn xdp
  is enabled.
- Add IPv6 support.
- Enhance the port security xdp program for ARP/IPv6 ND checks.

This patch adds basic XDP support in OVN, and in the future we can
leverage eBPF/XDP features.

I'm not sure how much value this RFC patch adds to make use of eBPF/XDP
just for port security. Submitting as RFC to get some feedback and
start some conversation on eBPF/XDP in OVN.

In order to attach and detach xdp programs, libxdp [1] and libbpf are used.

To test it out locally, please install libxdp-devel and libbpf-devel,
compile OVN first, and then compile ovn_xdp by running "make
bpf". Copy ovn_xdp.o to either /usr/share/ovn/ or /usr/local/share/ovn/.

Numan Siddique (2):
  RFC: Add basic xdp/eBPF support in OVN.
  RFC: ovn-controller: Attach XDP progs to the VIFs of the logical ports.

 Makefile.am                 |   6 +-
 bpf/.gitignore              |   5 +
 bpf/automake.mk             |  23 +++
 bpf/ovn_xdp.c               | 156 +++++++++++++++
 configure.ac                |   2 +
 controller/automake.mk      |   4 +-
 controller/binding.c        |  45 +++--
 controller/binding.h        |   7 +
 controller/ovn-controller.c |  79 +++++++-
 controller/xdp.c            | 389 ++++++++++++++++++++++++++++++++++++
 controller/xdp.h            |  41 ++++
 m4/ovn.m4                   |  20 ++
 tests/automake.mk           |   1 +
 13 files changed, 753 insertions(+), 25 deletions(-)
 create mode 100644 bpf/.gitignore
 create mode 100644 bpf/automake.mk
 create mode 100644 bpf/ovn_xdp.c
 create mode 100644 controller/xdp.c
 create mode 100644 controller/xdp.h

--
2.35.3
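
The kind of source MAC/IPv4 port security check the cover letter describes, written as plain user-space C with the data/data_end bounds discipline an XDP program needs. This is an added example, not part of the original message and not the code in ovn_xdp.c; struct port_sec, port_sec_check and make_frame are hypothetical names, and passing non-IPv4 frames on a MAC match alone is an assumption (the message lists IPv6 and ARP/ND checks as TODOs).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum verdict { VERDICT_DROP = 1, VERDICT_PASS = 2 }; /* same values as XDP_DROP / XDP_PASS */

/* Hypothetical per-port policy: the one MAC/IPv4 pair the VIF may send from. */
struct port_sec { uint8_t mac[6]; uint8_t ip4[4]; /* network byte order */ };

#define ETH_HLEN      14
#define ETHERTYPE_IP4 0x0800

/* Every read is preceded by a bounds check against data_end, and anything
 * that cannot be parsed is dropped (fail closed). */
enum verdict port_sec_check(const uint8_t *data, const uint8_t *data_end,
                            const struct port_sec *ps)
{
    if (data + ETH_HLEN > data_end)
        return VERDICT_DROP;                  /* truncated Ethernet header */
    if (memcmp(data + 6, ps->mac, 6) != 0)
        return VERDICT_DROP;                  /* source MAC not bound to this port */

    uint16_t ethertype = (uint16_t)(data[12] << 8 | data[13]);
    if (ethertype != ETHERTYPE_IP4)
        return VERDICT_PASS;                  /* assumption: MAC-only for ARP/IPv6 */

    const uint8_t *ip = data + ETH_HLEN;
    if (ip + 20 > data_end)
        return VERDICT_DROP;                  /* truncated IPv4 header */
    if ((ip[0] >> 4) != 4 || (ip[0] & 0x0f) < 5)
        return VERDICT_DROP;                  /* malformed version/IHL */
    if (memcmp(ip + 12, ps->ip4, 4) != 0)
        return VERDICT_DROP;                  /* source IPv4 not bound to this port */
    return VERDICT_PASS;
}

/* Constructed sample input: minimal Ethernet + IPv4 header, no payload. */
size_t make_frame(uint8_t *buf, const uint8_t smac[6], const uint8_t sip[4])
{
    memset(buf, 0, 34);
    memset(buf, 0xff, 6);                     /* destination MAC: broadcast */
    memcpy(buf + 6, smac, 6);                 /* source MAC */
    buf[12] = 0x08; buf[13] = 0x00;           /* EtherType: IPv4 */
    buf[14] = 0x45;                           /* version 4, IHL 5 */
    memcpy(buf + 26, sip, 4);                 /* source address (IPv4 offset 12) */
    return 34;
}
```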