Day 2 / Track 1 / Talk 4 Talk – Nuts-n-Bolts: XDP offload with virtio-net Speakers: Jason Wang Report by: Michael S. Tsirkin
The talk started by summarizing the status quo: there are several points at which XDP is already helpful for virtual machines: XDP programs can be attached to and run on tap/macvtap on the host or on the virtio device on the guest. Comparing performance with running on the bare metal, virtualization incurs overhead including need for extra data copies when crossing security boundaries.
By changing all of guest kernel, qemu emulator and host kernel Jason was able to take an XDP program from the guest and run it on the host instead. Fundamentally, XDP is moved out of the hardware-based VM with the assumption that a software VM is secure enough. This brings clear performance advantages for XDP_DROP and XDP_REDIRECT (VM does not need to be woken up to process packets at all). Performance was better for macvtap passthrough mode than for tap, but in both cases very close to processing packets on the bare metal host. Chaining multiple VMs with XDP_REDIRECT is possible - without need to wake up the VMs for data path processing.
Main challenges appear to be around compatibility: as verifier in guest is bypassed, VM guests need ability to be started e.g. on a newer kernel and be migrated to an older one without restarts. Thus probing is not sufficient for capability discovery: ability to supply a list of allowed capabilities and have verifier reject all the rest seems to be needed.
Access to maps from guest would be slow, the hope is that these are uncommon. Detecting whether this access happens a lot and disabling host offloading could be one option that was mentioned during Q&A. Another question that came up was whether AF_XDP is relevant for this work. This is still being looked into.
Site: https://www.netdevconf.info/0x13/session.html?xdp-offload-with-virtio-net