XDP - eXpress Data Path: erinevus redaktsioonide vahel
Allikas: Imre kasutab arvutit
Mine navigeerimisribaleMine otsikasti
Resümee puudub |
Resümee puudub |
||
| 52. rida: | 52. rida: | ||
====Jõudlus==== |
====Jõudlus==== |
||
| + | syn flood koormuse tekitamiseks sobib öelda |
||
| + | <pre> |
||
| + | klient-generaator# cat run-hping3-to-66.sh |
||
| + | timeout 260 hping3 -S -c 400000000 --flood -p 80 10.40.135.66 -m 200 & |
||
| + | timeout 260 hping3 -S -c 400000000 --flood -p 80 10.40.135.66 -m 200 & |
||
| + | timeout 260 hping3 -S -c 400000000 --flood -p 80 10.40.135.66 -m 200 & |
||
| + | timeout 260 hping3 -S -c 400000000 --flood -p 80 10.40.135.66 -m 200 & |
||
| + | timeout 260 hping3 -S -c 400000000 --flood -p 80 10.40.135.66 -m 200 & |
||
| + | timeout 260 hping3 -S -c 400000000 --flood -p 80 10.40.135.66 -m 200 & |
||
| + | timeout 260 hping3 -S -c 400000000 --flood -p 80 10.40.135.66 -m 200 & |
||
| + | timeout 260 hping3 -S -c 400000000 --flood -p 80 10.40.135.66 -m 200 & |
||
| + | |||
| + | klient-generaator# sh run-hping3-to-66.sh |
||
| + | </pre> |
||
| + | |||
| + | Tulemusena tekib sihtpunkti võrguliidesele mõni miljon paketti sekundis võrguliiklust (syn paketid ja syn-ack vastuspaketid) |
||
| + | |||
| + | TODO |
||
| + | |||
| + | ning operatsioonisüsteemile nö arvestatav interrupt load |
||
| + | |||
| + | TODO |
||
| + | |||
| + | Seejärel rakendatakse paketifilter server osakonnas. |
||
| + | |||
| + | Tulemusena on eraldi kontroll-klient arvutist rakendadatud http päringute teenindamise juures näha selge muudatus |
||
| + | |||
| + | <pre> |
||
| + | klient-kontroll# httping -G http://10.40.135.66/ |
||
| + | PING 10.40.135.66:80 (/): |
||
| + | connected to 10.40.135.66:80 (242 bytes), seq=0 time=262.70 ms |
||
| + | connected to 10.40.135.66:80 (242 bytes), seq=1 time=1063.66 ms |
||
| + | connected to 10.40.135.66:80 (242 bytes), seq=2 time= 54.99 ms |
||
| + | connected to 10.40.135.66:80 (242 bytes), seq=3 time= 53.62 ms |
||
| + | connected to 10.40.135.66:80 (242 bytes), seq=4 time= 54.85 ms |
||
| + | connected to 10.40.135.66:80 (242 bytes), seq=5 time=239.43 ms |
||
| + | connected to 10.40.135.66:80 (242 bytes), seq=6 time=1005.36 ms |
||
| + | connected to 10.40.135.66:80 (242 bytes), seq=7 time= 0.89 ms |
||
| + | connected to 10.40.135.66:80 (242 bytes), seq=8 time= 1.00 ms |
||
| + | connected to 10.40.135.66:80 (242 bytes), seq=9 time= 1.01 ms |
||
| + | connected to 10.40.135.66:80 (242 bytes), seq=10 time= 0.94 ms |
||
| + | connected to 10.40.135.66:80 (242 bytes), seq=11 time= 1.00 ms |
||
| + | connected to 10.40.135.66:80 (242 bytes), seq=12 time= 0.97 ms |
||
| + | connected to 10.40.135.66:80 (242 bytes), seq=13 time= 1.02 ms |
||
| + | connected to 10.40.135.66:80 (242 bytes), seq=14 time= 0.89 ms |
||
| + | connected to 10.40.135.66:80 (242 bytes), seq=15 time= 0.85 ms |
||
| + | </pre> |
||
| + | |||
| + | Lisaks server arvutis kaob interrupt load. Seejuures on server arvutis näha ethtool statistikas, et xdp osakonnas nö unustatakse pakette |
||
| + | |||
| + | <pre> |
||
| + | # ethtool -S enp6s18 | grep xdp | grep drops |
||
| + | rx_queue_0_xdp_drops: 82764866 |
||
| + | rx_queue_1_xdp_drops: 83376792 |
||
| + | rx_queue_2_xdp_drops: 85489797 |
||
| + | rx_queue_3_xdp_drops: 83264354 |
||
| + | rx_queue_4_xdp_drops: 82815276 |
||
| + | rx_queue_5_xdp_drops: 84101472 |
||
| + | rx_queue_6_xdp_drops: 82785532 |
||
| + | rx_queue_7_xdp_drops: 84213379 |
||
| + | </pre> |
||
===Kasulikud lisamaterjalid=== |
===Kasulikud lisamaterjalid=== |
||
Redaktsioon: 23. juuli 2024, kell 10:43
Sissejuhatus
Tööpõhimõte
TODO
Rakendus - stateless paketifilter
Tööpõhimõte
TODO
Kasutuskoha ettevalmistamine
Nt Debian v. 12 ja Ubuntu v. 24.04 sisaldavad vajalikku kerneli poolset tuge ning user-space utiliitide komplekti, paigaldamiseks sobib öelda
# apt-get install xdp-tools
Muu hulgas paigaldatakse failisüsteemi
- /usr/bin/xdp-filter
Kasutamine
Tuumas XDP osakonna aktiveerimiseks võrgukaardi jaoks sobib öelda
# xdp-filter load ens6s18
Paketifiltri keelava reegli kehtestamiseks
# xdp-filter ip 10.40.13.242 -m src
XDP paketifiltri olukorra hindamiseks sobib öelda
# xdp-filter status ...
Reegli eemaldamiseks
# xdp-filter ip 10.40.13.242 -m src -r
Jõudlus
syn flood koormuse tekitamiseks sobib öelda
klient-generaator# cat run-hping3-to-66.sh timeout 260 hping3 -S -c 400000000 --flood -p 80 10.40.135.66 -m 200 & timeout 260 hping3 -S -c 400000000 --flood -p 80 10.40.135.66 -m 200 & timeout 260 hping3 -S -c 400000000 --flood -p 80 10.40.135.66 -m 200 & timeout 260 hping3 -S -c 400000000 --flood -p 80 10.40.135.66 -m 200 & timeout 260 hping3 -S -c 400000000 --flood -p 80 10.40.135.66 -m 200 & timeout 260 hping3 -S -c 400000000 --flood -p 80 10.40.135.66 -m 200 & timeout 260 hping3 -S -c 400000000 --flood -p 80 10.40.135.66 -m 200 & timeout 260 hping3 -S -c 400000000 --flood -p 80 10.40.135.66 -m 200 & klient-generaator# sh run-hping3-to-66.sh
Tulemusena tekib sihtpunkti võrguliidesele mõni miljon paketti sekundis võrguliiklust (syn paketid ja syn-ack vastuspaketid)
TODO
ning operatsioonisüsteemile nö arvestatav interrupt load
TODO
Seejärel rakendatakse paketifilter server osakonnas.
Tulemusena on eraldi kontroll-klient arvutist rakendadatud http päringute teenindamise juures näha selge muudatus
klient-kontroll# httping -G http://10.40.135.66/ PING 10.40.135.66:80 (/): connected to 10.40.135.66:80 (242 bytes), seq=0 time=262.70 ms connected to 10.40.135.66:80 (242 bytes), seq=1 time=1063.66 ms connected to 10.40.135.66:80 (242 bytes), seq=2 time= 54.99 ms connected to 10.40.135.66:80 (242 bytes), seq=3 time= 53.62 ms connected to 10.40.135.66:80 (242 bytes), seq=4 time= 54.85 ms connected to 10.40.135.66:80 (242 bytes), seq=5 time=239.43 ms connected to 10.40.135.66:80 (242 bytes), seq=6 time=1005.36 ms connected to 10.40.135.66:80 (242 bytes), seq=7 time= 0.89 ms connected to 10.40.135.66:80 (242 bytes), seq=8 time= 1.00 ms connected to 10.40.135.66:80 (242 bytes), seq=9 time= 1.01 ms connected to 10.40.135.66:80 (242 bytes), seq=10 time= 0.94 ms connected to 10.40.135.66:80 (242 bytes), seq=11 time= 1.00 ms connected to 10.40.135.66:80 (242 bytes), seq=12 time= 0.97 ms connected to 10.40.135.66:80 (242 bytes), seq=13 time= 1.02 ms connected to 10.40.135.66:80 (242 bytes), seq=14 time= 0.89 ms connected to 10.40.135.66:80 (242 bytes), seq=15 time= 0.85 ms
Lisaks server arvutis kaob interrupt load. Seejuures on server arvutis näha ethtool statistikas, et xdp osakonnas nö unustatakse pakette
# ethtool -S enp6s18 | grep xdp | grep drops
rx_queue_0_xdp_drops: 82764866
rx_queue_1_xdp_drops: 83376792
rx_queue_2_xdp_drops: 85489797
rx_queue_3_xdp_drops: 83264354
rx_queue_4_xdp_drops: 82815276
rx_queue_5_xdp_drops: 84101472
rx_queue_6_xdp_drops: 82785532
rx_queue_7_xdp_drops: 84213379
Kasulikud lisamaterjalid
- https://www.iovisor.org/technology/xdp
- https://github.com/Xilinx-CNS/onload
- 'Migrating from DPDK to AF_XDP for High-Performance Networking in... - Maryam Tahhan & Dave Tucker' - https://www.youtube.com/watch?v=yGZhzXN31SA
- https://www.electronicdesign.com/markets/automation/article/21136402/xilinx-smartnic-architectures-a-shift-to-accelerators-and-why-fpgas-are-poised-to-dominate
- https://github.com/aterlo/afxdp-rs
- https://www.bizety.com/2020/06/24/open-source-load-balancers-neutrino-katran-maglev-seesaw-traefix-and-haproxy/
- https://github.com/facebookincubator/katran
- https://fedepaol.github.io/blog/2023/09/06/ebpf-journey-by-examples-l4-load-balancing-with-xdp-and-katran/
- https://blog.cloudflare.com/how-to-receive-a-million-packets/
- https://blog.cloudflare.com/l4drop-xdp-ebpf-based-ddos-mitigations/
- https://events19.linuxfoundation.cn/wp-content/uploads/2017/11/Accelerating-VM-Networking-through-XDP_Jason-Wang.pdf
- https://www.knot-dns.cz/docs/latest/html/man_kxdpgun.html
- https://github.com/yeze
- https://cilium.io/blog/2021/05/20/cilium-110/#standalonelb
- https://developer.nvidia.com/blog/accelerating-with-xdp-over-mellanox-connectx-nics/
- https://blog.path.net/application-filters/
- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/using-xdp-filter-for-high-performance-traffic-filtering-to-prevent-ddos-attacks_configuring-and-managing-networking#dropping-network-packets-that-match-an-xdp-filter-rule_using-xdp-filter-for-high-performance-traffic-filtering-to-prevent-ddos-attacks
