How to implement eBPF on VyOS

I found that eBPF can bring good performance to firewalls. I would like to ask whether it can be implemented on VyOS?
Below is a related test article:
https://www.netronome.com/blog/bpf-ebpf-xdp-and-bpfilter-what-are-these-things-and-what-do-they-mean-enterprise/

Hello, @toadzhou!
We are reviewing ways to make routing and firewalling faster in VyOS, including using hardware offloads and tuned network stacks. So yes, there is a chance that in the future we will offer our users an accelerated version of VyOS or special modes.
We can't say yet exactly which project will be used for these purposes, but thank you for mentioning eBPF; we will see if it can be used in VyOS.

I was curious about the same question, so I figured I'd bump this necrothread rather than create a new one.

Any progress on that front?

VyOS 1.4 has experimental XDP support, which runs on top of eBPF; that is all so far.

Any update about this topic currently?

Work is in progress regarding software and hardware flowtable offloading for nftables in Linux 6.1 LTS (the kernel VyOS currently uses):

https://vyos.dev/T4502

https://vyos.dev/T5419

Currently (but this might change once it's released) it looks like it will be enabled per physical interface with the commands:

set firewall global-options flow-offload software interface xxx, yyy
set firewall global-options flow-offload hardware interface xxx, yyy

Example of the effect enabling flowtables might have:

And some more information about flowtables:

https://wiki.nftables.org/wiki-nftables/index.php/Flowtables

https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks

https://docs.kernel.org/networking/nf_flowtable.html

In parallel with this, there is work in progress regarding VPP (DPDK), which will replace XDP: VyOS Project July 2023 Update

https://vyos.dev/T5286

https://vyos.dev/T1797

VPP (DPDK) will have a much larger impact once finished.

Various benchmarks show (not with VyOS) that regular interrupt-based packet processing can deal with, give or take, 250 kpps/core. Enabling polling brings this up about 4x, to about 1 Mpps/core, while with DPDK you can push around 10 Mpps/core or more.

Of course your mileage may vary, but DPDK technology, when it comes to routing and firewalling, is about as fast as you can go today without having an ASIC or FPGA to offload the heavy lifting (dataplane) to.

What DPDK does is set aside cores to act as the dataplane, so they won't have the overhead of kernel processing. For example, with a 16-core system you can set aside 2 cores for the management plane and 14 cores for the dataplane, aka packet processing.

The 2 cores for the management plane will have the Linux kernel running as today, while the other 14 cores will be handled by DPDK and only deal with packets (well, network-related stuff).

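As an added illustration (not code from the thread or from VyOS), this is the nftables ruleset that a per-interface software flow offload like the one described above corresponds to, with the interface names eth0 and eth1 assumed; the comments point out the caveat that offloaded packets bypass the forward chain, so logging and counting rules there only see the first packets of each flow.

```nft
# Added example, not from the thread or from VyOS. Interface names assumed.
table inet filter {
    # A flowtable bound to the ingress hook of the listed interfaces.
    # Software fast path: established, conntrack-confirmed flows are
    # forwarded from here and skip the regular netfilter hook traversal.
    flowtable ft {
        hook ingress priority filter
        devices = { eth0, eth1 }
        # Hardware offload would add "flags offload"; it needs NIC/driver
        # support, otherwise loading the ruleset fails.
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Only established TCP/UDP flows are added to the flowtable, so the
        # first packets of every connection still traverse the whole chain
        # and policy is decided below before anything is offloaded.
        meta l4proto { tcp, udp } ct state established flow add @ft

        ct state established,related accept
        iifname "eth0" oifname "eth1" tcp dport { 80, 443 } accept

        # Caveat: once a flow is offloaded, its later packets never reach
        # this chain, so this rule logs only non-offloaded traffic.
        log prefix "fwd-drop: " drop
    }
}
```

Load it with `nft -f` and inspect `conntrack -L` for entries marked `[OFFLOAD]` to confirm which flows have actually been moved to the fast path.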