[RFE] Advance configuration of SR-IOV ports- api extension

Bug #1662650 reported by Trevor McCasland
Affects | Status | Importance | Assigned to | Milestone
neutron | Invalid | Wishlist | Trevor McCasland |

Bug Description

The need to configure and manage virtual functions (VFs) on a NIC in order to apply policy has grown to the point that we have implemented a small, DPDK-based tool to do so. The tool, VFd (Virtual Function daemon), allows users to configure VFs using a per-VF description provided by an external source (e.g. a virtualization manager such as OpenStack).

We would like to exercise the use case described here [1]:
“Software Defined Network (SDN) trends are demanding fast host-based packet handling. In a virtualization environment, the DPDK VF PMD driver performs the same throughput result as a non-VT native environment.
With such host instance fast packet processing, lots of services such as filtering, QoS, DPI can be offloaded on the host fast path.”

The following has been identified to be offloaded into the host fast path:
VLAN_FILTER – Filters traffic based on a list of VLAN ID(s); this filter is applied on the SR-IOV VF before passing the traffic to the VM.
VLAN_STRIP – Enable to strip outer VLAN tag per VF
INSERT_STAG – Enable to Insert outer VLAN tag per VF
BROADCAST_ALLOW – Enable to allow broadcast per VF
UNKNOWN_UNICAST_ALLOW – Enable to allow unicast per VF
UNKNOWN_MULTICAST_ALLOW – Enable to allow multicast per VF
MAC_FILTER – Directs outbound traffic based on a list of MAC addresses. This will allow a VM to transmit packets with a specified source MAC address in addition to the MAC which belongs to the VM.
VLAN_ANTI_SPOOF_CHECK – Enable to ensure anti MAC spoof checks are done at the SR-IOV VF level to comply with security.

Some API extension is needed for the user to pass the VF configuration.
The extensions for per VF configuration are suggested to go into any of the following:
1. The port’s profile:binding field
2. The port’s profile:vif_details
3. A new vf_policy object to manage vf_policies, where vf_policy_id is an attached synthetic field on port, see [2]
4. Distribute properties across neutron
     a. VLAN_STRIP and INSERT_STAG are added as network attributes
     b. BROADCAST, UNICAST, MULTICAST are added into security groups [3]
     c. VLAN_FILTER, MAC_FILTER, and VLAN_ANTI_SPOOF_CHECK are TBD perhaps added as an extension of port-security (if it doesn’t exist already)

Using the existing SR-IOV agent we can configure virtual functions to use a tool called IPLEX[4] to interface with VFd[5] to complete the requested operations.

VFd was added as experimental in DPDK Release 17.02 [6].

[1] http://dpdk.readthedocs.io/en/latest/nics/intel_vf.html#dpdk-sr-iov-pmd-pf-vf-driver-usage-model
[2] https://review.openstack.org/#/c/453904/
[3] https://review.openstack.org/#/c/455445/
[4] https://github.com/att/vfd/blob/master/src/system/iplex
[5] https://github.com/att/vfd/wiki
[6] http://dpdk.org/doc/guides/rel_notes/release_17_02.html
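
A per-VF configuration such as the one proposed in the description could be validated before it is handed to an agent. The following is an added example, not part of the bug report and not Neutron or VFd code: the dict schema keyed by the feature names above, the function name `validate_vf_policy` and the sample values are all hypothetical.

```python
import re

# Hypothetical per-VF policy keyed by the feature names in the bug description;
# neither Neutron nor VFd defines this exact structure.
BOOL_KEYS = {"VLAN_STRIP", "INSERT_STAG", "BROADCAST_ALLOW", "UNKNOWN_UNICAST_ALLOW",
             "UNKNOWN_MULTICAST_ALLOW", "VLAN_ANTI_SPOOF_CHECK"}
LIST_KEYS = {"VLAN_FILTER", "MAC_FILTER"}
MAC_RE = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}")


def validate_vf_policy(policy):
    """Return (errors, warnings) for one VF policy dict."""
    errors, warnings = [], []
    for key in sorted(set(policy) - BOOL_KEYS - LIST_KEYS):
        errors.append(f"{key}: unknown key")
    for key in sorted(BOOL_KEYS & set(policy)):
        if not isinstance(policy[key], bool):
            errors.append(f"{key}: must be true or false")
    for key in sorted(LIST_KEYS & set(policy)):
        if not isinstance(policy[key], list):
            errors.append(f"{key}: must be a list")
    if errors:
        return errors, warnings
    for vid in policy.get("VLAN_FILTER", []):
        # 802.1Q reserves VLAN IDs 0 and 4095; bool is rejected because it is an int.
        if isinstance(vid, bool) or not isinstance(vid, int) or not 1 <= vid <= 4094:
            errors.append(f"VLAN_FILTER: invalid VLAN ID {vid!r}")
    for mac in policy.get("MAC_FILTER", []):
        if not isinstance(mac, str) or not MAC_RE.fullmatch(mac.lower()):
            errors.append(f"MAC_FILTER: malformed MAC {mac!r}")
        elif int(mac[:2], 16) & 1:
            # The low bit of the first octet marks a group address, never a valid source.
            errors.append(f"MAC_FILTER: {mac} is a multicast/broadcast address")
    # Review hints: settings that widen what the VF may send or receive.
    if not policy.get("VLAN_ANTI_SPOOF_CHECK", False):
        warnings.append("VLAN_ANTI_SPOOF_CHECK is not enabled")
    if policy.get("MAC_FILTER"):
        warnings.append(f"MAC_FILTER permits {len(policy['MAC_FILTER'])} extra source MAC(s)")
    for key in ("UNKNOWN_UNICAST_ALLOW", "UNKNOWN_MULTICAST_ALLOW"):
        if policy.get(key):
            warnings.append(f"{key} is enabled")
    return errors, warnings


# Constructed sample input, not taken from a real deployment.
SAMPLE = {"VLAN_FILTER": [100, 4095], "MAC_FILTER": ["fa:16:3e:00:00:01", "01:00:5e:00:00:fb"],
          "VLAN_STRIP": True, "UNKNOWN_UNICAST_ALLOW": True}

if __name__ == "__main__":
    errs, warns = validate_vf_policy(SAMPLE)
    print("errors:", errs)
    print("warnings:", warns)
```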

description: updated
tags: added: sriov-pci-pt
summary: - [RFE] Accelerating SR-IOV with DPDK
+ [RFE] Advance configuration of SR-IOV ports- api extension
description: updated
Munish (mm6021)
description: updated
Munish (mm6021)
description: updated
Changed in neutron:
importance: Undecided → Wishlist
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/453904

Changed in neutron:
assignee: nobody → Trevor McCasland (twm2016)
status: New → In Progress
Changed in neutron:
status: In Progress → New
Changed in neutron:
status: New → Triaged
Munish (mm6021)
description: updated
Trevor McCasland (twm2016) wrote :

Here is what I put together for what I think best fits what is being asked here.

I was not able to confirm if all of the following are compatible with SR-IOV and DPDK combined, kernel space vs user space issues (because that is what VFd solves (I think)). We are trying to activate the hardware (currently works on the Intel Niantic NIC) to do these operations for us, rather than relying on the software below.

VF Agent Feature | Neutron Equivalent Functionality
==================================================
VLAN_FILTER | OVS Firewall [1]
VLAN_STRIP | vlan transparency [2]
INSERT_STAG | OVS does this already. [3]
BROADCAST_ALLOW | traffic protection [4]
UNKNOWN_UNICAST_ALLOW | traffic protection [4]
UNKNOWN_MULTICAST_ALLOW | traffic protection [4]
MAC_FILTER | allowed address pairs [5]
VLAN_ANTI_SPOOF_CHECK | port security [6]

[1] https://docs.openstack.org/developer/neutron/devref/openvswitch_firewall.html
[2] http://specs.openstack.org/openstack/neutron-specs/specs/kilo/nfv-vlan-trunks.html
[3] https://docs.openstack.org/developer/neutron/devref/openvswitch_agent.html#implementation-trunk-bridge-option-c
[4] https://wiki.openstack.org/wiki/Neutron/TrafficProtection
[5] http://specs.openstack.org/openstack/neutron-specs/specs/api/allowed_address_pairs.html
[6] http://specs.openstack.org/openstack/neutron-specs/specs/kilo/ml2-ovs-portsecurity.html

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/455445

Trevor McCasland (twm2016) wrote :

The related fix proposed above is for adding the broadcast, multicast, unicast fields to secgroups.

description: updated
Kevin Benton (kevinbenton) wrote :

Split into other RFEs:

https://bugs.launchpad.net/neutron/+bug/1690937
Launchpad bug 1690937 in neutron "[RFE] Support allowed address pairs without ip address" [Wishlist,Triaged]
https://bugs.launchpad.net/neutron/+bug/1690921
Launchpad bug 1690921 in neutron "[RFE] Manage Broadcast, Unicast, and Multicast traffic" [Wishlist,Triaged]

Changed in neutron:
status: Triaged → Invalid
tags: removed: rfe sriov-pci-pt
Trevor McCasland (twm2016) wrote :

Split into two more:

https://bugs.launchpad.net/tap-as-a-service/+bug/1693248
[RFE] Mirror VF Ports
and
https://bugs.launchpad.net/neutron/+bug/1693240
[RFE] Support SRIOV VF VLAN Filtering

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Trevor McCasland (<email address hidden>) on branch: master
Review: https://review.openstack.org/455445

OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Trevor McCasland (<email address hidden>) on branch: master
Review: https://review.openstack.org/453904
