Top-level XDP project management

Some drivers are not updating the "ifconfig" stats counters, when in XDP mode. This makes receive or send via XDP invisible to sysadm/management tools. This for-sure is going to cause confusion.

Closer look at other drivers.

• ixgbe driver is doing the right thing.
• i40e had a bug, where RX/TX stats are swapped (fixed in commit cdec2141c24e(v4.20-rc1) ("i40e: report correct statistics when XDP is enabled")).
• mlx5 driver is not updating the regular RX/TX counters, but A LOT of other ethtool stats counters (which are the ones I usually monitor when testing).

Need to have an upstream discussion, on what is the semantic. IHMO the regular RX/TX counters must be updated even for XDP frames.

Accounting per XDP-action is also inconsistent across drivers. Some driver account nothing, while others have elaborate counters exposed as ethtool stats.

The common pattern is that XDP programs do their own accounting of action as they see fit, and export this as BPF maps to their associated userspace application, which a very per application specific approach.

David Ahern (@dsahern) argues that sysadm's need something more generic and consistent, as they need a way to diagnose the system, regardless of the XDP program that some developer asked to get installed. This argument that a 3rd person should be able to diagnose a running XDP program was generally accepted upstream.

There were a lot of performance concerns around introducing XDP-action counters. Generally upstream voices wanted this to be opt-in, e.g. something that the sysadm explicitly enable when needed, and not default on.

To be able to tie resource allocation to the interface maps (devmap), we first need to change the non-map redirect variant so it uses a map under the hood. Since xdp_redirect_map() is also significantly faster than the non-map variant, this change should be a win in itself.

v1 comments and discussion: Patch 1 Patch 2

v3 patchwork link

Turns out the initial idea of using insertion into devmap as a trigger for resource allocation doesn't work because of generic XDP. So we'll need an ethtool interface; look into the existing channel configuration interface on the kernel side and figure out how to express XDP resource allocation in a good way.

Because we can't tie resource allocation to map insertion on the kernel side, we need to solve the UI interface in userspace. So add a hook/wrapper to libbpf that will automatically allocate TX resources when inserting into a map.

CLOSED: [2019-07-31 Wed 17:10]

Title:

• Improving the XDP User eXperience: via feature detection

Abstract:

The most common asked question is: Does my NIC support XDP, and our current answer is read the source code. We really need to come up with a better answer.

The real issue is that users can attach an XDP bpf_prog to a drivers that use features the driver doesn't implement, which cause silent drops. Or user doesn't notice, that NIC loading fallback to generic-XDP, which is first discovered when observing lower performance, or worse not all features are supported with generic-XDP, resulting in unexpected packet drops.

BPF feature detection, recently added to bpftool, is based on probing the BPF-core by loading BPF-programs using individual features (notice BPF load time, not attaching it).

Even if your BPF loader doesn't use feature probing, it will notice if loaded on a incompatible kernel. As an BPF-prog using something the kernel BPF-core doesn't support will get rejected at load-time, before you attach the BPF-prog.

This doesn't work for XDP, as features vary on a per driver basis. Currently an XDP BPF-prog isn't aware of that driver it will get used on, until driver attach-time. Unfortunately, due to BPF tail-calls, we cannot use the driver attach-time hook to check for compatibility (given new XDP BPF-progs can be indirectly "attached" via tail-call map inserts).

In this talk, we will investigate the possibilities of doing XDP feature check at BPF load-time, by assigning an ifindex to the BPF-prog. The ground work have already been laid by XDP hardware offload, which already need ifindex at BPF load-time (to perform BPF byte-code translation into NIC compatible code).

The open question are:

• Can the verifier detect/deduce XDP feature in use, for us?
• How does drivers express/expose XDP features?
• Are features more than XDP return codes, like meta-data support?
• How does this interact with generic-XDP?
• How to expose this to userspace? (to answer does NIC support XDP)
• How to handle tail-call map inserts?

• Daniel: Needs to go through driver BPF ndo

Needs to be an API that queries support. We cannot validate on program load time because of tail call. Not even with cooperation from the tail-calling program, because that may not know what features are used by the programs it is tail-calling into.

Netlink? Ethtool?

CLOSED: [2020-06-02 Tue 18:45]

This is implemented as part of libxdp in the XDP tools repo. The current implementation works for loading a dispatcher with multiple programs, but only if they are all attached at the same time (until kernel support for re-attaching freplace programs land).

CLOSED: [2020-12-15 Tue 13:17]

To support seamlessly attaching additional XDP programs onto an interface, we need the kernel to support re-attaching an existing freplace program in multiple places, so the programs can be attached to a new dispatcher which can then be atomically swapped onto the interface XDP hook.

This is now supported in the 5.10 kernel, with the userspace support available in libxdp and xdp-tools.

CLOSED: [2019-06-25 Tue 13:32]

Fixed by https://patchwork.ozlabs.org/patch/1121683/

Simply include/sample the net_device TX stats.

CLOSED: [2020-01-24 Fri 10:50]

The XDP sample programs unconditionally unload the current running XDP program (via -1) on exit. If users are not careful with the order in-which they start and stop XDP programs, then they get confused.

This was fixed upstream by by Maciej Fijalkowski.

The default behaviour when attaching an XDP program on a driver that doesn't have native-XDP is to fallback to generic-XDP, without notifying the user of the end-state.

This behaviour is also used by xdp-samples, which unfortunately have lead end-users to falsely think a given driver supports native-XDP. (QA are using these xdp-samples and create cases due to this confusion).

Proposal is to change xdp-samples to enforce native-XDP, and report if this was not possible, together with help text that display cmdline option for enabling generic-XDP/SKB-mode.

In AF_XDP zero-copy mode, sending frame to the network stack via XDP_PASS results in an expense code path, e.g new page_alloc for copy of payload and SKB alloc. We need this test how slow this code path is.

Also consider testing XDP-level redirect out another net_device with AF_XDP-ZC enabled. (I think this will just drop the packets due to mem_type).

It would be a big help diagnosing XDP issues if the xdp_monitor program also reported the errno.

The raw-tracepoints are suppose to be much faster, and XDP monitor want to have as little impact on the system as possible. Thus, convert to use raw-tracepoints.

CLOSED: [2020-01-24 Fri 10:55]

Assignment is to improve the selftest shell-script to test both generic-XDP and native-XDP (for veth driver).

In-progress:

• Patchset V1

XDP add/remove VLAN headers have a selftest in tools/testing/selftests/bpf/ in files test_xdp_vlan.c and test_xdp_vlan.sh. This test was developed in conjunction with fixing a bug in generic-XDP (see kernel commit 297249569932 ("net: fix generic XDP to handle if eth header was mangled")).

Since driver veth got native-XDP support, the selftest no-longer tests generic-XDP code path.

The ip utility (from iproute2) already support specifying, that an XDP prog must use generic XDP when loading an XDP prog (option xdpgeneric).

When driver veth got native-XDP support, then the XDP-selftests that were based on veth changed from testing generic-XDP into testing native-XDP.

Assignments:

1. Determine how many and which veth based XDP-selftests are affected
2. Convert these selftests to test both generic-XDP and native-XDP

Tweet by Björn Töpel (@bjorntopel):

Many people aren't aware of the BPF_PROG_TEST_RUN command. It's really neat being able to test your XDP programs "offline". The selftests use this a lot. Docs: https://t.co/GDd7SfNYng and examples in tools/testing/selftests/bpf/.

The obvious next step is a l2 bridging helper that mirrors the l3 routing one. Should be fairly straight forward to implement.

RFC series posted for this.

Exposing either full conntrack, or the more light-weight flow tracking support would make things like stateful firewalls easier to implement. Probably need a concrete use case for this first, though.

CLOSED: [2020-10-19 Mon 12:55]

DONE: Merge commit: https://git.kernel.org/torvalds/c/5cc5924d8315

The length of the XDP frame (as opposed to the data packet) is needed for various things:

• Tail-extend (e.g., DNS); currently packets can only be shrunk at the tail
• Correctly reporting skb true-size when generated from XDP frame
• For moving skb allocation out of drivers (long-term)

There are various hardware metadata items that would be useful for XDP programs to access, to reduce the amount of processing that needs to happen in eBPF. These include:

• Checksum
• Hash value
• Flow designator
• Higher-level protocol header offsets
• Timestamps

We want to be able to REDIRECT a packet to multiple interfaces in order to implement multicast. Relevant for the Layer-2 bridging helper.

From the discussion at netconf2019 (), we probably want to implement it by:

• Using a map-in-map (or map flag) to designate a group of egress interfaces (put multiple ifaces into a map and send to all of them in one operation).
• Just copy the packet rather than try to do clever refcnt stuff for multi-xmit.

As a first pass, we probably want to implement a simple multi-xmit, and leave off the possibility for the eBPF program to modify the packet between destinations.

.

There is currently no queueing in XDP_REDIRECT, apart from the bulking queue used in the devmaps. This means that rate transitions can't be handled properly (e.g., redirect 100Gbps->10Gbps).

To fix this, we would need to allow queueing of some sort. Options:

• Allow user to define a queueing structure as part of the TXQ setup
• Create the low-level hooks necessary for eBPF-programmable queueing
• Have some kind of "intermediate queueing structure" that can be a redirect target, does queueing, and can forward packets on afterwards

Presently, an XDP program cannot know if a call to bpf_redirect_map() is going to fail. This means that programs end up doing things like using duplicate maps for checking if a redirect map entry exists, or to packets being silently dropped.

CLOSED: [2019-07-03 Wed 13:15]

Link to upstream discussion: https://lore.kernel.org/netdev/20190626103829.5360ef2d@carbon/

As Willem points out: As long as we don't arrive at a design that cannot be extended with those features later.

We need some developers that have an actual use-case for this multi-buffer feature, and also buy-in from some driver team, else this sub-project will not see any progress. The Amazon guys seems to have a interest.

CLOSED: [2020-02-24 Mon 17:58]

Fixed with commit: ad1e03b2b3d4 ("core: Don't skip generic XDP program execution for cloned SKBs")

BUG: cpumap not working for generic-XDP