Netdev Conf is a community-driven conference dedicated to technical Linux networking, where the most relevant contributors, maintainers and companies supporting open source meet to present the new techniques and research carried out on Linux networking since the previous Netdev Conf.
Given the breadth of the topics proposed, this post tries to summarize the most important ones.
The event began with Stephen Hemminger from Microsoft, who presented the current problem with the diversity of network device names in Linux, both in kernel space and in user space. Eric Dumazet from Google talked about improvements to the busy polling technique, which reduces network driver latency by taking advantage of the multicore architectures (~16 CPUs) used in data centers nowadays, instead of the old poll modes that were optimized for few CPUs. Willem de Bruijn, also from Google, presented MSG_ZEROCOPY, which eliminates the user-space copy on the data path and saves up to 79% of CPU performance.
DDoS protection was also a popular topic, given the concern of the big players to build high-performance protections against such severe threats. Gilberto Bertin from Cloudflare presented their current implementation for DDoS mitigation at L3, called GateBot, which uses iptables (not yet tested with nftables from ingress), and their approach based on XDP and BPF. Facebook, for instance, presented their DDoS mitigation and L4 load balancer (L4LB), based on two maps that maintain consistent hashing and session persistence.
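The two-map design is described above only as "consistent hashing plus session persistence". The following is an added example written for this post, not Facebook's code: a user-space C model in which map 1 is a lookup ring filled by rendezvous hashing (an assumed choice; the page does not state which hash or ring construction the real system uses) and map 2 is a session table consulted first, so a flow that has already been pinned stays on its backend even when the ring changes underneath it. All sizes, the FNV-1a hash, the probing policy and the constructed flows are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_BACKENDS  8
#define RING_SIZE     65537   /* prime-sized lookup ring (constructed size) */
#define SESSION_SLOTS 4096    /* session table size (constructed) */
#define PROBES        8       /* linear-probing limit (constructed) */

/* 5-tuple identifying a flow; make_key zeroes the padding so keys can be hashed and compared bytewise. */
struct flow_key { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };
struct session  { struct flow_key key; int backend; int used; };

struct lb {
    int alive[MAX_BACKENDS];                /* which backends are currently healthy */
    int16_t ring[RING_SIZE];                /* map 1: ring slot -> backend index, -1 if none */
    struct session sessions[SESSION_SLOTS]; /* map 2: flow -> pinned backend */
};

void make_key(struct flow_key *k, uint32_t saddr, uint32_t daddr, uint16_t sport, uint16_t dport)
{
    memset(k, 0, sizeof *k);
    k->saddr = saddr; k->daddr = daddr; k->sport = sport; k->dport = dport; k->proto = 6;
}

/* FNV-1a over raw bytes; a stand-in for whatever hash the real system uses. */
static uint32_t fnv1a(const void *p, size_t n, uint32_t seed)
{
    const unsigned char *b = p;
    uint32_t h = 2166136261u ^ seed;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 16777619u; }
    return h;
}

/* Rebuild map 1 with rendezvous hashing: each slot goes to the live backend scoring highest
   for that slot. When a backend disappears only the slots it owned move, so flows on the
   remaining backends keep their ring assignment (the consistency property). */
void lb_rebuild_ring(struct lb *lb)
{
    for (uint32_t s = 0; s < RING_SIZE; s++) {
        uint32_t best = 0; int16_t owner = -1;
        for (int b = 0; b < MAX_BACKENDS; b++) {
            if (!lb->alive[b]) continue;
            uint32_t h = fnv1a(&s, sizeof s, (uint32_t)b + 1);
            if (owner < 0 || h > best) { best = h; owner = (int16_t)b; }
        }
        lb->ring[s] = owner;
    }
}

/* Pick a backend: consult map 2 first (session persistence), then map 1, and pin the result. */
int lb_pick(struct lb *lb, const struct flow_key *k)
{
    uint32_t h = fnv1a(k, sizeof *k, 0);
    struct session *slot = NULL;
    for (uint32_t p = 0; p < PROBES; p++) {
        struct session *s = &lb->sessions[(h + p) % SESSION_SLOTS];
        if (!s->used) { slot = s; break; }
        if (memcmp(&s->key, k, sizeof *k) == 0) {
            if (lb->alive[s->backend]) return s->backend;  /* hit: stay on the pinned backend */
            slot = s; break;                               /* pinned backend died: re-pick below */
        }
    }
    if (!slot) slot = &lb->sessions[h % SESSION_SLOTS];    /* probe region full: evict (constructed policy) */
    int b = lb->ring[h % RING_SIZE];
    if (b < 0) return -1;                                  /* no live backend at all */
    memcpy(&slot->key, k, sizeof *k); slot->backend = b; slot->used = 1;
    return b;
}

#define NFLOWS 200

/* Constructed scenario: pin NFLOWS flows with backends 0..2 live, change the backend set, then
   count flows that moved although their backend stayed alive, plus flows now sent to a dead
   backend. Both counts should be zero thanks to the session map and the consistent ring. */
static int disruption_after(int add_backend, int remove_backend)
{
    static struct lb lb;
    memset(&lb, 0, sizeof lb);
    lb.alive[0] = lb.alive[1] = lb.alive[2] = 1;
    lb_rebuild_ring(&lb);
    int before[NFLOWS];
    struct flow_key k;
    for (int i = 0; i < NFLOWS; i++) {
        make_key(&k, 0x0A000000u + i, 0xC0A80001u, (uint16_t)(40000 + i), 443);
        before[i] = lb_pick(&lb, &k);
    }
    if (add_backend >= 0)    lb.alive[add_backend] = 1;
    if (remove_backend >= 0) lb.alive[remove_backend] = 0;
    lb_rebuild_ring(&lb);
    int disrupted = 0;
    for (int i = 0; i < NFLOWS; i++) {
        make_key(&k, 0x0A000000u + i, 0xC0A80001u, (uint16_t)(40000 + i), 443);
        int after = lb_pick(&lb, &k);
        if (before[i] != remove_backend && after != before[i]) disrupted++;
        if (after < 0 || !lb.alive[after]) disrupted++;
    }
    return disrupted;
}

int disruption_after_add(void)    { return disruption_after(3, -1); }   /* backend 3 joins */
int disruption_after_remove(void) { return disruption_after(-1, 0); }   /* backend 0 dies */

int main(void)
{
    printf("disrupted after add: %d, after remove: %d\n", disruption_after_add(), disruption_after_remove());
    return 0;
}
```

Adding a backend changes the owner of part of the ring, but flows already in the session table never see that; removing one only re-picks the flows that were pinned to it, and the rebuilt ring already excludes the dead backend, so they land on a live one.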
Savoir-Faire Linux presented use cases where the legendary Distributed Switch Architecture project has come back to life to solve them.
Jon from Ericsson presented his research on an algorithm to build a cluster of 1000 nodes based on a gossip protocol and a ring architecture.
Verizon showed benchmarks of different TCP congestion control methods, such as Cubic (on different kernel versions) and BBR, downloading 20MB for 6 hours while driving along a highway. In conclusion, BBR keeps the RTT much lower when coverage is poor and suffers fewer retransmission timeouts (RTOs). On the same topic, Hajime from IIJ presented his work running BBR in user space.
The talk "XDP for the rest of us" presented an example of how to write a simple XDP+BPF program for blacklisting, not free of bugs though, as detected during the live presentation 🙂 Its performance was also compared against iptables, but unfortunately no comparison against the equivalent alternatives, nftables from ingress or tc, was performed.
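The talk's program is not reproduced here, so the following is an added example written for this post, not the speaker's code: a user-space model in plain C of the decision a blocklisting XDP program makes, including the bounds check the BPF verifier requires before every header read (a real XDP program is rejected at load time if a packet access is not guarded by a comparison against data_end). The XDP action values are those of linux/bpf.h; the blocklist entries, the constructed frames and the function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

/* XDP action codes, with the values used by linux/bpf.h. */
#define XDP_DROP 1
#define XDP_PASS 2

#define ETH_HLEN      14
#define ETH_P_IP      0x0800
#define IPV4_MIN_HLEN 20

/* Constructed blocklist of IPv4 sources, host byte order. */
static const uint32_t blocklist[] = {
    0xC0A80001u, /* 192.168.0.1 */
    0x0A000005u  /* 10.0.0.5 */
};

static int is_blocked(uint32_t saddr_host)
{
    for (size_t i = 0; i < sizeof blocklist / sizeof blocklist[0]; i++)
        if (blocklist[i] == saddr_host)
            return 1;
    return 0;
}

/*
 * User-space model of the XDP filter. data/data_end follow the BPF convention
 * (ctx->data, ctx->data_end). Each header field is checked against data_end
 * before it is read, which is exactly what the in-kernel verifier enforces.
 * Frames that cannot be parsed are passed, not dropped: the filter only
 * claims packets it positively matched, and leaves the rest to the stack.
 */
int xdp_blocklist_filter(const unsigned char *data, const unsigned char *data_end)
{
    size_t len = (size_t)(data_end - data);
    if (len < ETH_HLEN)
        return XDP_PASS;                     /* runt frame: cannot even read the EtherType */

    uint16_t eth_proto;
    memcpy(&eth_proto, data + 12, sizeof eth_proto);
    if (ntohs(eth_proto) != ETH_P_IP)
        return XDP_PASS;                     /* only IPv4 is filtered here */

    const unsigned char *ip = data + ETH_HLEN;
    if (len - ETH_HLEN < IPV4_MIN_HLEN)
        return XDP_PASS;                     /* truncated IPv4 header */

    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if (ihl < IPV4_MIN_HLEN || len - ETH_HLEN < ihl)
        return XDP_PASS;                     /* malformed IHL: do not trust the packet's own length field */

    uint32_t saddr;
    memcpy(&saddr, ip + 12, sizeof saddr);
    return is_blocked(ntohl(saddr)) ? XDP_DROP : XDP_PASS;
}

/* Build a constructed Ethernet + IPv4 frame (no payload) from the given source address. */
size_t build_ipv4_frame(unsigned char *buf, uint32_t saddr_host)
{
    memset(buf, 0, ETH_HLEN + IPV4_MIN_HLEN);
    buf[12] = 0x08; buf[13] = 0x00;          /* EtherType IPv4 */
    unsigned char *ip = buf + ETH_HLEN;
    ip[0] = 0x45;                            /* version 4, IHL 5 (20 bytes) */
    ip[9] = 6;                               /* protocol TCP */
    uint32_t s = htonl(saddr_host);
    memcpy(ip + 12, &s, sizeof s);
    uint32_t d = htonl(0x0A0A0A0Au);         /* destination 10.10.10.10, constructed */
    memcpy(ip + 16, &d, sizeof d);
    return ETH_HLEN + IPV4_MIN_HLEN;
}

/* Run the filter over a constructed frame from saddr_host; returns the XDP action. */
int filter_frame_from(uint32_t saddr_host)
{
    unsigned char frame[64];
    size_t n = build_ipv4_frame(frame, saddr_host);
    return xdp_blocklist_filter(frame, frame + n);
}

/* Same, but hand the filter only the first `keep` bytes, as a cut-off frame would arrive. */
int filter_truncated_frame(uint32_t saddr_host, size_t keep)
{
    unsigned char frame[64];
    size_t n = build_ipv4_frame(frame, saddr_host);
    if (keep > n) keep = n;
    return xdp_blocklist_filter(frame, frame + keep);
}

int main(void)
{
    printf("192.168.0.1 -> %s\n", filter_frame_from(0xC0A80001u) == XDP_DROP ? "XDP_DROP" : "XDP_PASS");
    printf("8.8.8.8     -> %s\n", filter_frame_from(0x08080808u) == XDP_DROP ? "XDP_DROP" : "XDP_PASS");
    printf("truncated   -> %s\n", filter_truncated_frame(0xC0A80001u, 20) == XDP_DROP ? "XDP_DROP" : "XDP_PASS");
    return 0;
}
```

The truncated case is the one worth keeping in a test: a blocklisted source whose header does not fit in the frame must not be dereferenced, and in the kernel the corresponding unguarded load is what makes the verifier refuse the program.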
Jamal Hadi Salim chaired a very complete session on TC and the hardware offload challenges, mainly led by Mellanox.
In the "XDP (eXpress Data Path) mythbusters" talk by David Miller, netdev subsystem maintainer, we discussed what XDP is and is not for. The final conclusion is to use XDP where very high performance is needed for a very specific task, since XDP programs have to be fully programmed by the user.
Joe Stringer from VMware presented their work on bringing SDN capabilities to Open vSwitch: centralized stateful information, flow tables, and datapath definition with match + actions. He introduced the megaflow concept, a masked tuple matching, and the shared flow tables, and finally showed how flow tables can be connected to conntrack.
Regarding the conntrack subsystem, Florian Westphal from Red Hat gave a deep description of what it is and how to use the conntrack information, which is not well known to every user: it keeps track of flows and NAT is built on top of it; it is possible to subscribe to conntrack events; it verifies the 3-way handshake, and only non-assured entries are dropped early; helpers should be kept outside the core; and it has received improvements such as overflow handling, freeing extensions (kfree) and removing variable-sized extensions. Improving such a stable and complex piece of code is great work and not an easy task; good job, Florian!
Pablo Neira, maintainer of the netfilter project, presented in the workshop a complete review of what nftables currently provides and the latest updates of the netfilter project, showing that it is not as slow as many people might think. Among the brand new capabilities of nftables we can find: nflog support for logging, quota for limiting resources, nfacct for programmable counters, notrack to avoid conntrack handling, the fib, rt and payload expressions for stateless NAT, integrated helpers, vmaps with wildcard support, bitmap sets that can be millions of packets faster than hashtables, etc. In conclusion, nftables is a very flexible and powerful tool built on top of a virtual machine with only 25 simple instructions. nftables almost doubles the iptables performance!