On Wed, Jun 8, 2022 at 6:34 AM 刘梦馨 <[email protected]> wrote:
>
> Just giving some input about eBPF/XDP support.
>
> We used to use the OVN L2 LB to replace kube-proxy in Kubernetes, but found
> that the L2 LB uses conntrack and OVS clone, which hurts performance badly.
> The latency for a 1-byte UDP packet jumps from 18.5us to 25.7us and the
> bandwidth drops from 6Mb/s to 2.8Mb/s.
>
> Even traffic that does not target the LB VIPs has the same performance
> drop, and it also means the whole datapath cannot be offloaded to
> hardware.
>
> And finally we turned to using Cilium's chaining mode to replace the OVN L2
> LB to implement kube-proxy, to resolve the above issues. We hope to see LB
> optimization by eBPF/XDP on the OVN side.
>

Thanks for your comments and inputs. I think we should definitely
explore optimizing this use case and see if it's possible to leverage
eBPF/XDP for this.

> On Wed, 8 Jun 2022 at 14:43, Han Zhou <[email protected]> wrote:
>
> > On Mon, May 30, 2022 at 5:46 PM <[email protected]> wrote:
> > >
> > > From: Numan Siddique <[email protected]>
> > >
> > > The XDP program ovn_xdp.c added in this RFC patch series implements basic
> > > port security and drops any packet if the port security check fails.
> > > There are still a few TODOs in the port security checks, like:
> > >       - Make ovn xdp configurable.
> > >       - Removing the ingress OpenFlow rules from tables 73 and 74 if ovn
> > >         xdp is enabled.
> > >       - Add IPv6 support.
> > >       - Enhance the port security xdp program for ARP/IPv6 ND checks.
> > >
> > > This patch adds basic XDP support in OVN, and in future we can
> > > leverage eBPF/XDP features.
> > >
> > > I'm not sure how much value this RFC patch adds to make use of eBPF/XDP
> > > just for port security.  Submitting as RFC to get some feedback and
> > > start some conversation on eBPF/XDP in OVN.
> > >
> > Hi Numan,
> >
> > This is really cool. It demonstrates how OVN could leverage eBPF/XDP.
> >
> > On the other hand, for the port-security feature in XDP, I keep thinking
> > about the scenarios and it is still not very clear to me. One advantage I
> > can think of is to prevent DOS attacks from VM/Pod when invalid IP/MAC are
> > used, XDP may perform better and drop packets with lower CPU cost
> > (comparing with OVS kernel datapath). However, I am also wondering why
> > would an attacker use invalid IP/MAC for DOS attacks? Do you have some more
> > thoughts about the use cases?

My idea was to demonstrate the use of eBPF/XDP, and port security
checks were easy to do before the packet hits the OVS pipeline.

If we were to move the port security check to XDP, then the only
advantage we would be getting, in my opinion, is to remove the
corresponding ingress port security check related OF rules from
ovs-vswitchd, thereby decreasing some lookups during flow translation.

I'm not sure why an attacker would use invalid IP/MAC for DOS attacks.
But from what I know, ovn-kubernetes does want to restrict each pod to
its assigned IP/MAC.

> > And do you have any performance results
> > comparing with the current OVS implementation?

I didn't do any scale/performance related tests.

If we were to move the port security feature to XDP in OVN, then I think we need to
   - Complete the TODOs like adding IPv6 and ARP/ND related checks
   - Do some scale testing and see whether it's reducing the memory
     footprint of ovs-vswitchd and ovn-controller because of the reduction
     in OF rules

> >
> > Another question is, would it work with smart NIC HW-offload, where VF
> > representer ports are added to OVS on the smart NIC? I guess XDP doesn't
> > support representer port, right?

I think so. I don't have much experience/knowledge on this. From what
I understand, if datapath flows are offloaded and since XDP is not
offloaded, the XDP checks will be totally missed.
So if XDP is to be used, then offloading should be disabled.

Thanks
Numan

> >
> > Thanks,
> > Han
> >
> > > In order to attach and detach xdp programs, libxdp [1] and libbpf are
> > > used.
> > >
> > > To test it out locally, please install libxdp-devel and libbpf-devel,
> > > then compile OVN first and then compile ovn_xdp by running "make
> > > bpf".  Copy ovn_xdp.o to either /usr/share/ovn/ or /usr/local/share/ovn/
> > >
> > >
> > > Numan Siddique (2):
> > >   RFC: Add basic xdp/eBPF support in OVN.
> > >   RFC: ovn-controller: Attach XDP progs to the VIFs of the logical
> > >     ports.
> > >
> > >  Makefile.am                 |   6 +-
> > >  bpf/.gitignore              |   5 +
> > >  bpf/automake.mk             |  23 +++
> > >  bpf/ovn_xdp.c               | 156 +++++++++++++++
> > >  configure.ac                |   2 +
> > >  controller/automake.mk      |   4 +-
> > >  controller/binding.c        |  45 +++--
> > >  controller/binding.h        |   7 +
> > >  controller/ovn-controller.c |  79 +++++++-
> > >  controller/xdp.c            | 389 ++++++++++++++++++++++++++++++++++++
> > >  controller/xdp.h            |  41 ++++
> > >  m4/ovn.m4                   |  20 ++
> > >  tests/automake.mk           |   1 +
> > >  13 files changed, 753 insertions(+), 25 deletions(-)
> > >  create mode 100644 bpf/.gitignore
> > >  create mode 100644 bpf/automake.mk
> > >  create mode 100644 bpf/ovn_xdp.c
> > >  create mode 100644 controller/xdp.c
> > >  create mode 100644 controller/xdp.h
> > >
> > > --
> > > 2.35.3
> > >
> > > _______________________________________________
> > > dev mailing list
> > > [email protected]
> > > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
> >
>
>
> --
> 刘梦馨
> Blog: http://oilbeater.com
> Weibo: @oilbeater <http://weibo.com/oilbeater>
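The port-security check the RFC describes (drop any frame whose source addresses do not match the logical port's assigned MAC/IP before it reaches the OVS pipeline), as an added user-space model written for this thread; it is not the RFC's ovn_xdp.c and not OVN code. The struct and function names (ps_policy, port_security_verdict, build_ipv4_frame, build_arp_frame, check_ipv4, check_arp) and the demo addresses are all constructed for the example. It goes one step past the RFC's current state by also checking the ARP sender hardware/protocol fields, which the cover letter lists as a TODO, and it treats ethertypes it does not parse (IPv6 is another TODO) as a fail-closed drop, an assumption made here. The verdict values match enum xdp_action, and every header access is preceded by a length check, the same discipline the BPF verifier enforces on data/data_end in a real XDP program.

```c
/* Added example: user-space model of an XDP port-security check (not ovn_xdp.c).
 * All names and addresses below are constructed for the example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_ALEN   6
#define ETH_P_IP   0x0800
#define ETH_P_ARP  0x0806

enum { XDP_DROP = 1, XDP_PASS = 2 };   /* same numeric values as enum xdp_action */

/* The MAC/IPv4 pair a logical port is allowed to send with. */
struct ps_policy {
    uint8_t  mac[ETH_ALEN];
    uint32_t ipv4;                     /* host byte order */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Returns XDP_PASS only if the frame's source addresses match the policy.
 * Each header is length-checked before it is read; anything the check does
 * not understand is dropped (fail-closed; IPv6 is a TODO in the RFC). */
int port_security_verdict(const uint8_t *data, size_t len, const struct ps_policy *pol)
{
    if (len < 14)                                       /* truncated Ethernet header */
        return XDP_DROP;
    if (memcmp(data + 6, pol->mac, ETH_ALEN) != 0)      /* Ethernet source MAC */
        return XDP_DROP;

    uint16_t ethertype = rd16(data + 12);
    const uint8_t *l3 = data + 14;
    size_t l3_len = len - 14;

    if (ethertype == ETH_P_IP) {
        if (l3_len < 20 || (l3[0] >> 4) != 4)
            return XDP_DROP;
        return rd32(l3 + 12) == pol->ipv4 ? XDP_PASS : XDP_DROP;   /* IPv4 saddr */
    }
    if (ethertype == ETH_P_ARP) {
        /* Ethernet/IPv4 ARP: hlen=6, plen=4, sender MAC at +8, sender IP at +14 */
        if (l3_len < 28 || l3[4] != ETH_ALEN || l3[5] != 4)
            return XDP_DROP;
        if (memcmp(l3 + 8, pol->mac, ETH_ALEN) != 0 || rd32(l3 + 14) != pol->ipv4)
            return XDP_DROP;                            /* spoofed ARP sender fields */
        return XDP_PASS;
    }
    return XDP_DROP;
}

/* Constructed frames for testing; no real traffic is involved. */
size_t build_ipv4_frame(uint8_t *buf, const uint8_t *src_mac, uint32_t src_ip)
{
    memset(buf, 0, 34);
    memset(buf, 0xff, ETH_ALEN);                        /* dst MAC, not checked */
    memcpy(buf + 6, src_mac, ETH_ALEN);
    buf[12] = 0x08; buf[13] = 0x00;                     /* ETH_P_IP */
    buf[14] = 0x45; buf[17] = 20; buf[22] = 64; buf[23] = 17;   /* v4/IHL5, len, TTL, UDP */
    wr32(buf + 26, src_ip);                             /* IPv4 source address */
    return 34;
}

size_t build_arp_frame(uint8_t *buf, const uint8_t *eth_src, const uint8_t *sha, uint32_t spa)
{
    memset(buf, 0, 42);
    memset(buf, 0xff, ETH_ALEN);
    memcpy(buf + 6, eth_src, ETH_ALEN);
    buf[12] = 0x08; buf[13] = 0x06;                     /* ETH_P_ARP */
    uint8_t *arp = buf + 14;
    arp[1] = 1; arp[2] = 0x08; arp[4] = 6; arp[5] = 4; arp[7] = 1;   /* Ethernet/IPv4 request */
    memcpy(arp + 8, sha, ETH_ALEN);
    wr32(arp + 14, spa);
    return 42;
}

/* Demo policy (constructed): MAC 0a:58:0a:f4:00:05, IP 10.244.0.5. */
const struct ps_policy demo_policy = { {0x0a,0x58,0x0a,0xf4,0x00,0x05}, 0x0af40005u };
const uint8_t spoof_mac[ETH_ALEN] = {0xde,0xad,0xbe,0xef,0x00,0x01};

/* Build a frame with the given source fields and return its verdict. */
int check_ipv4(const uint8_t *src_mac, uint32_t src_ip)
{
    uint8_t buf[64];
    return port_security_verdict(buf, build_ipv4_frame(buf, src_mac, src_ip), &demo_policy);
}
int check_arp(const uint8_t *eth_src, const uint8_t *sha, uint32_t spa)
{
    uint8_t buf[64];
    return port_security_verdict(buf, build_arp_frame(buf, eth_src, sha, spa), &demo_policy);
}

int main(void)
{
    printf("legit ipv4      : %s\n", check_ipv4(demo_policy.mac, demo_policy.ipv4) == XDP_PASS ? "PASS" : "DROP");
    printf("spoofed src ip  : %s\n", check_ipv4(demo_policy.mac, 0x0af40009u) == XDP_PASS ? "PASS" : "DROP");
    printf("spoofed arp sha : %s\n", check_arp(demo_policy.mac, spoof_mac, demo_policy.ipv4) == XDP_PASS ? "PASS" : "DROP");
    return 0;
}
```

The separate ARP branch matters because a frame can carry the port's own Ethernet source MAC while advertising a different sender MAC/IP inside the ARP payload; checking only the Ethernet header would let that through, which is why the RFC lists ARP/ND checks as a needed enhancement.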
