mirror of https://github.com/torvalds/linux.git
ab427db178
Introduce sw acceleration for rx path of IPIP tunnels relying on the
netfilter flowtable infrastructure. Subsequent patches will add sw
acceleration for IPIP tunnels tx path.
This series introduces basic infrastructure to accelerate other tunnel
types (e.g. IP6IP6).
IPIP rx sw acceleration can be tested running the following scenario where
the traffic is forwarded between two NICs (eth0 and eth1) and an IPIP
tunnel is used to access a remote site (using eth1 as the underlay device):
ETH0 -- TUN0 <==> ETH1 -- [IP network] -- TUN1 (192.168.100.2)
$ip addr show
6: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:00:22:33:11:55 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.2/24 scope global eth0
valid_lft forever preferred_lft forever
7: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:11:22:33:11:55 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 scope global eth1
valid_lft forever preferred_lft forever
8: tun0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN group default qlen 1000
link/ipip 192.168.1.1 peer 192.168.1.2
inet 192.168.100.1/24 scope global tun0
valid_lft forever preferred_lft forever
$ip route show
default via 192.168.100.2 dev tun0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
192.168.100.0/24 dev tun0 proto kernel scope link src 192.168.100.1
$nft list ruleset
table inet filter {
flowtable ft {
hook ingress priority filter
devices = { eth0, eth1 }
}
chain forward {
type filter hook forward priority filter; policy accept;
meta l4proto { tcp, udp } flow add @ft
}
}
Reproducing the scenario described above using veths I got the following
results:
- TCP stream received from the IPIP tunnel:
- net-next: (baseline) ~ 71Gbps
- net-next + IPIP flowtbale support: ~101Gbps
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||
|---|---|---|
| .. | ||
| ipv4 | ||
| ipv6 | ||
| br_netfilter.h | ||
| nf_bpf_link.h | ||
| nf_conntrack.h | ||
| nf_conntrack_acct.h | ||
| nf_conntrack_act_ct.h | ||
| nf_conntrack_bpf.h | ||
| nf_conntrack_bridge.h | ||
| nf_conntrack_core.h | ||
| nf_conntrack_count.h | ||
| nf_conntrack_ecache.h | ||
| nf_conntrack_expect.h | ||
| nf_conntrack_extend.h | ||
| nf_conntrack_helper.h | ||
| nf_conntrack_l4proto.h | ||
| nf_conntrack_labels.h | ||
| nf_conntrack_seqadj.h | ||
| nf_conntrack_synproxy.h | ||
| nf_conntrack_timeout.h | ||
| nf_conntrack_timestamp.h | ||
| nf_conntrack_tuple.h | ||
| nf_conntrack_zones.h | ||
| nf_dup_netdev.h | ||
| nf_flow_table.h | ||
| nf_hooks_lwtunnel.h | ||
| nf_log.h | ||
| nf_nat.h | ||
| nf_nat_helper.h | ||
| nf_nat_masquerade.h | ||
| nf_nat_redirect.h | ||
| nf_queue.h | ||
| nf_reject.h | ||
| nf_socket.h | ||
| nf_synproxy.h | ||
| nf_tables.h | ||
| nf_tables_core.h | ||
| nf_tables_ipv4.h | ||
| nf_tables_ipv6.h | ||
| nf_tables_offload.h | ||
| nf_tproxy.h | ||
| nft_fib.h | ||
| nft_meta.h | ||
| nft_reject.h | ||
| xt_rateest.h | ||