Extensible virtual switch datapath

US 10,530,711 B2
Filed: 11/09/2017
Issued: 01/07/2020
Est. Priority Date: 11/09/2017
Status: Active Grant

First Claim

Patent Images

1. A method for processing data packets at a generic packet filtering subsystem on a host machine, the method comprising:

receiving a packet;

generating a flow key by parsing at least one of header information and metadata of the packet;

looking up a flow table to determine whether there is a match for the flow key;

identifying a fixed length array returned by the flow table based on the flow key, the fixed-length array including a plurality of elements, wherein each of the plurality of elements provides an indication of a type of action to execute on the packet; and

executing one or more actions corresponding to one or more types of actions indicated by the plurality of elements of the fixed-length array using one or more action programs.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Certain embodiments described herein are generally directed to configuring an extended Berkeley Packet Filter (eBPF) fast path. In some embodiments, a fixed-length array of actions is generated and loaded into the eBPF fast path, where each element of the array indicates a type of action for execution on a packet received by the eBPF fast path. In some embodiments, the eBPF fast path is loaded with a number of eBPF programs, each configured to execute a different type of action.

29 Citations

View as Search Results

24 Claims

1. A method for processing data packets at a generic packet filtering subsystem on a host machine, the method comprising:
- receiving a packet;
  
  generating a flow key by parsing at least one of header information and metadata of the packet;
  
  looking up a flow table to determine whether there is a match for the flow key;
  
  identifying a fixed length array returned by the flow table based on the flow key, the fixed-length array including a plurality of elements, wherein each of the plurality of elements provides an indication of a type of action to execute on the packet; and
  
  executing one or more actions corresponding to one or more types of actions indicated by the plurality of elements of the fixed-length array using one or more action programs.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the generic packet filtering subsystem comprises an extended Berkeley Packet Filter (eBPF) subsystem.
  - 3. The method of claim 1, wherein the generic packet filtering subsystem is configured to at least one of:
    - disallow loading an action program that exceeds a certain fixed number of bytecode instructions into a kernel space of a host operating system running on the host machine;
      
      ordisallow loading an action program having bytecode instructions that comprise dynamic looping into the kernel space of the host operating system running on the host machine.
  - 4. The method of claim 1, wherein each of the plurality of elements further includes action-specific metadata relating to the packet.
  - 5. The method of claim 1, wherein the executing the one or more actions further comprises:
    - examining, using a program, a first element of the plurality of elements of the fixed-length array to determine a type of action indicated by the first element to execute on the packet;
      
      identifying, using the program, a first action program from the one or more action programs to execute a first action corresponding to the type of action indicated by the first element, based on the examining; and
      
      tail calling, using the program, to the first action program; and
      
      executing, using the first action program, the first action utilizing action-specific metadata from the first element.
  - 6. The method of claim 5, wherein the tail calling further comprises transferring a state from the program to the first action program.
  - 7. The method of claim 6, wherein the state comprises the key and an array index number of the first element.
  - 8. The method of claim 5, wherein the executing the one or more actions further comprises:
    - examining, using the first action program, a second element of the plurality of elements of the fixed-length array to determine a type of action indicated by the second element to execute on the packet;
      
      identifying, using the first action program, a second action program from the one or more action programs to execute a second action corresponding to the type of action indicated by the second element based on the examining;
      
      tail calling, using the first action program, to the second action program; and
      
      executing, using the second action program, the second action utilizing action-specific metadata from the second element.

9. A non-transitory computer readable medium comprising instructions to be executed in a computer system, wherein the instructions when executed in the computer system perform a method for processing data packets at a generic packet filtering subsystem on a host machine, the method comprising:
- receive a packet;
  
  generate a flow key by parsing at least one of header information and metadata of the packet;
  
  look up a flow table to determine whether there is a match for the flow key;
  
  identify a fixed length array returned by the flow table based on the flow key, the fixed-length array including a plurality of elements, wherein each of the plurality of elements provides an indication of a type of action to execute on the packet;
  
  execute one or more actions corresponding to one or more types of actions indicated by the plurality of elements of the fixed-length array using one or more action programs.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The non-transitory computer readable medium of claim 9, wherein the generic packet filtering subsystem comprises an extended Berkeley Packet Filter (eBPF) subsystem.
  - 11. The non-transitory computer readable medium of claim 10, wherein the generic packet filtering subsystem is configured to at least one of:
    - disallow loading an action program that exceeds a certain fixed number of bytecode instructions into a kernel space of a host operating system running on the host machine;
      
      ordisallow loading an action program having bytecode instructions that comprise dynamic looping into the kernel space of the host operating system running on the host machine.
  - 12. The non-transitory computer readable medium of claim 9, wherein each of the plurality of elements further includes action-specific metadata relating to the packet.
  - 13. The non-transitory computer readable medium of claim 9, wherein the executing the one or more actions further comprises:
    - examining, using a program, a first element of the plurality of elements of the fixed-length array to determine a type of action indicated by the first element to execute on the packet;
      
      identifying, using the program, a first action program from the one or more action programs to execute a first action corresponding to the type of action indicated by the first element, based on the examining; and
      
      tail calling, using the program, to the first action program; and
      
      executing, using the first action program, the first action utilizing action-specific metadata from the first element.
  - 14. The non-transitory computer readable medium of claim 13, wherein the tail calling further comprises transferring a state from the program to the first action program.
  - 15. The non-transitory computer readable medium of claim 14, wherein the state comprises the key and an array index number of the first element.
  - 16. The non-transitory computer readable medium of claim 13, wherein the executing the one or more actions further comprises:
    - examining, using the first action program, a second element of the plurality of elements of the fixed-length array to determine a type of action indicated by the second element to execute on the packet;
      
      identifying, using the first action program, a second action program from the one or more action programs to execute a second action corresponding to the type of action indicated by the second element based on the examining;
      
      tail calling, using the first action program, to the second action program; and
      
      executing, using the second action program, the second action utilizing action-specific metadata from the second element.

17. A computer system comprising:
- one or more virtual machines; and
  
  a hypervisor serving as an interface between the one or more virtual machines and hardware resources of the computer system, the hypervisor comprising a virtual switch that comprises;
  
  a slow path subsystem used for configuring a fast path subsystem with a fixed-length array; and
  
  the fast path subsystem configured to;
  
  receive a packet for a virtual machine of the one or more virtual machines;
  
  generate a flow key by parsing at least one of header information and metadata of the packet;
  
  look up a flow table to determine whether there is a match for the flow key;
  
  identify a fixed length array returned by the flow table based on the flow key, the fixed-length array including a plurality of elements, wherein each of the plurality of elements provides an indication of a type of action to execute on the packet;
  
  execute one or more actions corresponding to one or more types of actions indicated by the plurality of elements of the fixed-length array using one or more action programs.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The computer system of claim 17, wherein the fast path comprises an extended Berkeley Packet Filter (eBPF) subsystem.
  - 19. The computer system of claim 18, wherein the fast path is configured to at least one of:
    - disallow loading an action program that exceeds a certain fixed number of bytecode instructions into a kernel space of a host operating system running on the host machine;
      
      ordisallow loading an action program having bytecode instructions that comprise dynamic looping into the kernel space of the host operating system running on the host machine.
  - 20. The computer system of claim 17, wherein each of the plurality of elements further includes action-specific metadata relating to the packet.
  - 21. The computer system of claim 17, wherein the executing the one or more actions further comprises:
    - examining, using a program, a first element of the plurality of elements of the fixed-length array to determine a type of action indicated by the first element to execute on the packet;
      
      identifying, using the program, a first action program from the one or more action programs to execute a first action corresponding to the type of action indicated by the first element, based on the examining; and
      
      tail calling, using the program, to the first action program; and
      
      executing, using the first action program, the first action utilizing action-specific metadata from the first element.
  - 22. The computer system of claim 21, wherein the tail calling further comprises transferring a state from the program to the first action program.
  - 23. The computer system of claim 22, wherein the state comprises the key and an array index number of the first element.
  - 24. The computer system of claim 21, wherein the executing the one or more actions further comprises:
    - examining, using the first action program, a second element of the plurality of elements of the fixed-length array to determine a type of action indicated by the second element to execute on the packet;
      
      identifying, using the first action program, a second action program from the one or more action programs to execute a second action corresponding to the type of action indicated by the second element based on the examining;
      
      tail calling, using the first action program, to the second action program; and
      
      executing, using the second action program, the second action utilizing action-specific metadata from the second element.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Yu, Cheng-Chun, Stringer, Jonathan, Pettit, Justin
Primary Examiner(s)
Hsu, Alpus

Application Number

US15/808,161
Publication Number

US 20190140983A1
Time in Patent Office

789 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45595   Network integration; Enabli...

G06F 9/45558   Hypervisor-specific managem...

H04L 43/028   by filtering

H04L 49/65   Re-configuration of fast pa...

H04L 49/70   Virtual switches

H04L 63/0227   Filtering policies mail mes...

H04L 69/22   Parsing or analysis of headers

Extensible virtual switch datapath

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

29 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Extensible virtual switch datapath

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others