1.. SPDX-License-Identifier: GPL-2.0 2 3====== 4AF_XDP 5====== 6 7Overview 8======== 9 10AF_XDP is an address family that is optimized for high performance 11packet processing. 12 13This document assumes that the reader is familiar with BPF and XDP. If 14not, the Cilium project has an excellent reference guide at 15http://cilium.readthedocs.io/en/latest/bpf/. 16 17Using the XDP_REDIRECT action from an XDP program, the program can 18redirect ingress frames to other XDP enabled netdevs, using the 19bpf_redirect_map() function. AF_XDP sockets enable the possibility for 20XDP programs to redirect frames to a memory buffer in a user-space 21application. 22 23An AF_XDP socket (XSK) is created with the normal socket() 24syscall. Associated with each XSK are two rings: the RX ring and the 25TX ring. A socket can receive packets on the RX ring and it can send 26packets on the TX ring. These rings are registered and sized with the 27setsockopts XDP_RX_RING and XDP_TX_RING, respectively. It is mandatory 28to have at least one of these rings for each socket. An RX or TX 29descriptor ring points to a data buffer in a memory area called a 30UMEM. RX and TX can share the same UMEM so that a packet does not have 31to be copied between RX and TX. Moreover, if a packet needs to be kept 32for a while due to a possible retransmit, the descriptor that points 33to that packet can be changed to point to another and reused right 34away. This again avoids copying data. 35 36The UMEM consists of a number of equally sized chunks. A descriptor in 37one of the rings references a frame by referencing its addr. The addr 38is simply an offset within the entire UMEM region. The user space 39allocates memory for this UMEM using whatever means it feels is most 40appropriate (malloc, mmap, huge pages, etc). This memory area is then 41registered with the kernel using the new setsockopt XDP_UMEM_REG. The 42UMEM also has two rings: the FILL ring and the COMPLETION ring. The 43FILL ring is used by the application to send down addr for the kernel 44to fill in with RX packet data. References to these frames will then 45appear in the RX ring once each packet has been received. The 46COMPLETION ring, on the other hand, contains frame addr that the 47kernel has transmitted completely and can now be used again by user 48space, for either TX or RX. Thus, the frame addrs appearing in the 49COMPLETION ring are addrs that were previously transmitted using the 50TX ring. In summary, the RX and FILL rings are used for the RX path 51and the TX and COMPLETION rings are used for the TX path. 52 53The socket is then finally bound with a bind() call to a device and a 54specific queue id on that device, and it is not until bind is 55completed that traffic starts to flow. 56 57The UMEM can be shared between processes, if desired. If a process 58wants to do this, it simply skips the registration of the UMEM and its 59corresponding two rings, sets the XDP_SHARED_UMEM flag in the bind 60call and submits the XSK of the process it would like to share UMEM 61with as well as its own newly created XSK socket. The new process will 62then receive frame addr references in its own RX ring that point to 63this shared UMEM. Note that since the ring structures are 64single-consumer / single-producer (for performance reasons), the new 65process has to create its own socket with associated RX and TX rings, 66since it cannot share this with the other process. This is also the 67reason that there is only one set of FILL and COMPLETION rings per 68UMEM. It is the responsibility of a single process to handle the UMEM. 69 70How is then packets distributed from an XDP program to the XSKs? There 71is a BPF map called XSKMAP (or BPF_MAP_TYPE_XSKMAP in full). The 72user-space application can place an XSK at an arbitrary place in this 73map. The XDP program can then redirect a packet to a specific index in 74this map and at this point XDP validates that the XSK in that map was 75indeed bound to that device and ring number. If not, the packet is 76dropped. If the map is empty at that index, the packet is also 77dropped. This also means that it is currently mandatory to have an XDP 78program loaded (and one XSK in the XSKMAP) to be able to get any 79traffic to user space through the XSK. 80 81AF_XDP can operate in two different modes: XDP_SKB and XDP_DRV. If the 82driver does not have support for XDP, or XDP_SKB is explicitly chosen 83when loading the XDP program, XDP_SKB mode is employed that uses SKBs 84together with the generic XDP support and copies out the data to user 85space. A fallback mode that works for any network device. On the other 86hand, if the driver has support for XDP, it will be used by the AF_XDP 87code to provide better performance, but there is still a copy of the 88data into user space. 89 90Concepts 91======== 92 93In order to use an AF_XDP socket, a number of associated objects need 94to be setup. These objects and their options are explained in the 95following sections. 96 97For an overview on how AF_XDP works, you can also take a look at the 98Linux Plumbers paper from 2018 on the subject: 99http://vger.kernel.org/lpc_net2018_talks/lpc18_paper_af_xdp_perf-v2.pdf. Do 100NOT consult the paper from 2017 on "AF_PACKET v4", the first attempt 101at AF_XDP. Nearly everything changed since then. Jonathan Corbet has 102also written an excellent article on LWN, "Accelerating networking 103with AF_XDP". It can be found at https://lwn.net/Articles/750845/. 104 105UMEM 106---- 107 108UMEM is a region of virtual contiguous memory, divided into 109equal-sized frames. An UMEM is associated to a netdev and a specific 110queue id of that netdev. It is created and configured (chunk size, 111headroom, start address and size) by using the XDP_UMEM_REG setsockopt 112system call. A UMEM is bound to a netdev and queue id, via the bind() 113system call. 114 115An AF_XDP is socket linked to a single UMEM, but one UMEM can have 116multiple AF_XDP sockets. To share an UMEM created via one socket A, 117the next socket B can do this by setting the XDP_SHARED_UMEM flag in 118struct sockaddr_xdp member sxdp_flags, and passing the file descriptor 119of A to struct sockaddr_xdp member sxdp_shared_umem_fd. 120 121The UMEM has two single-producer/single-consumer rings that are used 122to transfer ownership of UMEM frames between the kernel and the 123user-space application. 124 125Rings 126----- 127 128There are a four different kind of rings: FILL, COMPLETION, RX and 129TX. All rings are single-producer/single-consumer, so the user-space 130application need explicit synchronization of multiple 131processes/threads are reading/writing to them. 132 133The UMEM uses two rings: FILL and COMPLETION. Each socket associated 134with the UMEM must have an RX queue, TX queue or both. Say, that there 135is a setup with four sockets (all doing TX and RX). Then there will be 136one FILL ring, one COMPLETION ring, four TX rings and four RX rings. 137 138The rings are head(producer)/tail(consumer) based rings. A producer 139writes the data ring at the index pointed out by struct xdp_ring 140producer member, and increasing the producer index. A consumer reads 141the data ring at the index pointed out by struct xdp_ring consumer 142member, and increasing the consumer index. 143 144The rings are configured and created via the _RING setsockopt system 145calls and mmapped to user-space using the appropriate offset to mmap() 146(XDP_PGOFF_RX_RING, XDP_PGOFF_TX_RING, XDP_UMEM_PGOFF_FILL_RING and 147XDP_UMEM_PGOFF_COMPLETION_RING). 148 149The size of the rings need to be of size power of two. 150 151UMEM Fill Ring 152~~~~~~~~~~~~~~ 153 154The FILL ring is used to transfer ownership of UMEM frames from 155user-space to kernel-space. The UMEM addrs are passed in the ring. As 156an example, if the UMEM is 64k and each chunk is 4k, then the UMEM has 15716 chunks and can pass addrs between 0 and 64k. 158 159Frames passed to the kernel are used for the ingress path (RX rings). 160 161The user application produces UMEM addrs to this ring. Note that, if 162running the application with aligned chunk mode, the kernel will mask 163the incoming addr. E.g. for a chunk size of 2k, the log2(2048) LSB of 164the addr will be masked off, meaning that 2048, 2050 and 3000 refers 165to the same chunk. If the user application is run in the unaligned 166chunks mode, then the incoming addr will be left untouched. 167 168 169UMEM Completion Ring 170~~~~~~~~~~~~~~~~~~~~ 171 172The COMPLETION Ring is used transfer ownership of UMEM frames from 173kernel-space to user-space. Just like the FILL ring, UMEM indices are 174used. 175 176Frames passed from the kernel to user-space are frames that has been 177sent (TX ring) and can be used by user-space again. 178 179The user application consumes UMEM addrs from this ring. 180 181 182RX Ring 183~~~~~~~ 184 185The RX ring is the receiving side of a socket. Each entry in the ring 186is a struct xdp_desc descriptor. The descriptor contains UMEM offset 187(addr) and the length of the data (len). 188 189If no frames have been passed to kernel via the FILL ring, no 190descriptors will (or can) appear on the RX ring. 191 192The user application consumes struct xdp_desc descriptors from this 193ring. 194 195TX Ring 196~~~~~~~ 197 198The TX ring is used to send frames. The struct xdp_desc descriptor is 199filled (index, length and offset) and passed into the ring. 200 201To start the transfer a sendmsg() system call is required. This might 202be relaxed in the future. 203 204The user application produces struct xdp_desc descriptors to this 205ring. 206 207Libbpf 208====== 209 210Libbpf is a helper library for eBPF and XDP that makes using these 211technologies a lot simpler. It also contains specific helper functions 212in tools/lib/bpf/xsk.h for facilitating the use of AF_XDP. It 213contains two types of functions: those that can be used to make the 214setup of AF_XDP socket easier and ones that can be used in the data 215plane to access the rings safely and quickly. To see an example on how 216to use this API, please take a look at the sample application in 217samples/bpf/xdpsock_usr.c which uses libbpf for both setup and data 218plane operations. 219 220We recommend that you use this library unless you have become a power 221user. It will make your program a lot simpler. 222 223XSKMAP / BPF_MAP_TYPE_XSKMAP 224============================ 225 226On XDP side there is a BPF map type BPF_MAP_TYPE_XSKMAP (XSKMAP) that 227is used in conjunction with bpf_redirect_map() to pass the ingress 228frame to a socket. 229 230The user application inserts the socket into the map, via the bpf() 231system call. 232 233Note that if an XDP program tries to redirect to a socket that does 234not match the queue configuration and netdev, the frame will be 235dropped. E.g. an AF_XDP socket is bound to netdev eth0 and 236queue 17. Only the XDP program executing for eth0 and queue 17 will 237successfully pass data to the socket. Please refer to the sample 238application (samples/bpf/) in for an example. 239 240Configuration Flags and Socket Options 241====================================== 242 243These are the various configuration flags that can be used to control 244and monitor the behavior of AF_XDP sockets. 245 246XDP_COPY and XDP_ZERO_COPY bind flags 247------------------------------------- 248 249When you bind to a socket, the kernel will first try to use zero-copy 250copy. If zero-copy is not supported, it will fall back on using copy 251mode, i.e. copying all packets out to user space. But if you would 252like to force a certain mode, you can use the following flags. If you 253pass the XDP_COPY flag to the bind call, the kernel will force the 254socket into copy mode. If it cannot use copy mode, the bind call will 255fail with an error. Conversely, the XDP_ZERO_COPY flag will force the 256socket into zero-copy mode or fail. 257 258XDP_SHARED_UMEM bind flag 259------------------------- 260 261This flag enables you to bind multiple sockets to the same UMEM, but 262only if they share the same queue id. In this mode, each socket has 263their own RX and TX rings, but the UMEM (tied to the fist socket 264created) only has a single FILL ring and a single COMPLETION 265ring. To use this mode, create the first socket and bind it in the normal 266way. Create a second socket and create an RX and a TX ring, or at 267least one of them, but no FILL or COMPLETION rings as the ones from 268the first socket will be used. In the bind call, set he 269XDP_SHARED_UMEM option and provide the initial socket's fd in the 270sxdp_shared_umem_fd field. You can attach an arbitrary number of extra 271sockets this way. 272 273What socket will then a packet arrive on? This is decided by the XDP 274program. Put all the sockets in the XSK_MAP and just indicate which 275index in the array you would like to send each packet to. A simple 276round-robin example of distributing packets is shown below: 277 278.. code-block:: c 279 280 #include <linux/bpf.h> 281 #include "bpf_helpers.h" 282 283 #define MAX_SOCKS 16 284 285 struct { 286 __uint(type, BPF_MAP_TYPE_XSKMAP); 287 __uint(max_entries, MAX_SOCKS); 288 __uint(key_size, sizeof(int)); 289 __uint(value_size, sizeof(int)); 290 } xsks_map SEC(".maps"); 291 292 static unsigned int rr; 293 294 SEC("xdp_sock") int xdp_sock_prog(struct xdp_md *ctx) 295 { 296 rr = (rr + 1) & (MAX_SOCKS - 1); 297 298 return bpf_redirect_map(&xsks_map, rr, 0); 299 } 300 301Note, that since there is only a single set of FILL and COMPLETION 302rings, and they are single producer, single consumer rings, you need 303to make sure that multiple processes or threads do not use these rings 304concurrently. There are no synchronization primitives in the 305libbpf code that protects multiple users at this point in time. 306 307XDP_USE_NEED_WAKEUP bind flag 308----------------------------- 309 310This option adds support for a new flag called need_wakeup that is 311present in the FILL ring and the TX ring, the rings for which user 312space is a producer. When this option is set in the bind call, the 313need_wakeup flag will be set if the kernel needs to be explicitly 314woken up by a syscall to continue processing packets. If the flag is 315zero, no syscall is needed. 316 317If the flag is set on the FILL ring, the application needs to call 318poll() to be able to continue to receive packets on the RX ring. This 319can happen, for example, when the kernel has detected that there are no 320more buffers on the FILL ring and no buffers left on the RX HW ring of 321the NIC. In this case, interrupts are turned off as the NIC cannot 322receive any packets (as there are no buffers to put them in), and the 323need_wakeup flag is set so that user space can put buffers on the 324FILL ring and then call poll() so that the kernel driver can put these 325buffers on the HW ring and start to receive packets. 326 327If the flag is set for the TX ring, it means that the application 328needs to explicitly notify the kernel to send any packets put on the 329TX ring. This can be accomplished either by a poll() call, as in the 330RX path, or by calling sendto(). 331 332An example of how to use this flag can be found in 333samples/bpf/xdpsock_user.c. An example with the use of libbpf helpers 334would look like this for the TX path: 335 336.. code-block:: c 337 338 if (xsk_ring_prod__needs_wakeup(&my_tx_ring)) 339 sendto(xsk_socket__fd(xsk_handle), NULL, 0, MSG_DONTWAIT, NULL, 0); 340 341I.e., only use the syscall if the flag is set. 342 343We recommend that you always enable this mode as it usually leads to 344better performance especially if you run the application and the 345driver on the same core, but also if you use different cores for the 346application and the kernel driver, as it reduces the number of 347syscalls needed for the TX path. 348 349XDP_{RX|TX|UMEM_FILL|UMEM_COMPLETION}_RING setsockopts 350------------------------------------------------------ 351 352These setsockopts sets the number of descriptors that the RX, TX, 353FILL, and COMPLETION rings respectively should have. It is mandatory 354to set the size of at least one of the RX and TX rings. If you set 355both, you will be able to both receive and send traffic from your 356application, but if you only want to do one of them, you can save 357resources by only setting up one of them. Both the FILL ring and the 358COMPLETION ring are mandatory if you have a UMEM tied to your socket, 359which is the normal case. But if the XDP_SHARED_UMEM flag is used, any 360socket after the first one does not have a UMEM and should in that 361case not have any FILL or COMPLETION rings created. 362 363XDP_UMEM_REG setsockopt 364----------------------- 365 366This setsockopt registers a UMEM to a socket. This is the area that 367contain all the buffers that packet can recide in. The call takes a 368pointer to the beginning of this area and the size of it. Moreover, it 369also has parameter called chunk_size that is the size that the UMEM is 370divided into. It can only be 2K or 4K at the moment. If you have an 371UMEM area that is 128K and a chunk size of 2K, this means that you 372will be able to hold a maximum of 128K / 2K = 64 packets in your UMEM 373area and that your largest packet size can be 2K. 374 375There is also an option to set the headroom of each single buffer in 376the UMEM. If you set this to N bytes, it means that the packet will 377start N bytes into the buffer leaving the first N bytes for the 378application to use. The final option is the flags field, but it will 379be dealt with in separate sections for each UMEM flag. 380 381SO_BINDTODEVICE setsockopt 382-------------------------- 383 384This is a generic SOL_SOCKET option that can be used to tie AF_XDP 385socket to a particular network interface. It is useful when a socket 386is created by a privileged process and passed to a non-privileged one. 387Once the option is set, kernel will refuse attempts to bind that socket 388to a different interface. Updating the value requires CAP_NET_RAW. 389 390XDP_STATISTICS getsockopt 391------------------------- 392 393Gets drop statistics of a socket that can be useful for debug 394purposes. The supported statistics are shown below: 395 396.. code-block:: c 397 398 struct xdp_statistics { 399 __u64 rx_dropped; /* Dropped for reasons other than invalid desc */ 400 __u64 rx_invalid_descs; /* Dropped due to invalid descriptor */ 401 __u64 tx_invalid_descs; /* Dropped due to invalid descriptor */ 402 }; 403 404XDP_OPTIONS getsockopt 405---------------------- 406 407Gets options from an XDP socket. The only one supported so far is 408XDP_OPTIONS_ZEROCOPY which tells you if zero-copy is on or not. 409 410Usage 411===== 412 413In order to use AF_XDP sockets two parts are needed. The 414user-space application and the XDP program. For a complete setup and 415usage example, please refer to the sample application. The user-space 416side is xdpsock_user.c and the XDP side is part of libbpf. 417 418The XDP code sample included in tools/lib/bpf/xsk.c is the following: 419 420.. code-block:: c 421 422 SEC("xdp_sock") int xdp_sock_prog(struct xdp_md *ctx) 423 { 424 int index = ctx->rx_queue_index; 425 426 // A set entry here means that the corresponding queue_id 427 // has an active AF_XDP socket bound to it. 428 if (bpf_map_lookup_elem(&xsks_map, &index)) 429 return bpf_redirect_map(&xsks_map, index, 0); 430 431 return XDP_PASS; 432 } 433 434A simple but not so performance ring dequeue and enqueue could look 435like this: 436 437.. code-block:: c 438 439 // struct xdp_rxtx_ring { 440 // __u32 *producer; 441 // __u32 *consumer; 442 // struct xdp_desc *desc; 443 // }; 444 445 // struct xdp_umem_ring { 446 // __u32 *producer; 447 // __u32 *consumer; 448 // __u64 *desc; 449 // }; 450 451 // typedef struct xdp_rxtx_ring RING; 452 // typedef struct xdp_umem_ring RING; 453 454 // typedef struct xdp_desc RING_TYPE; 455 // typedef __u64 RING_TYPE; 456 457 int dequeue_one(RING *ring, RING_TYPE *item) 458 { 459 __u32 entries = *ring->producer - *ring->consumer; 460 461 if (entries == 0) 462 return -1; 463 464 // read-barrier! 465 466 *item = ring->desc[*ring->consumer & (RING_SIZE - 1)]; 467 (*ring->consumer)++; 468 return 0; 469 } 470 471 int enqueue_one(RING *ring, const RING_TYPE *item) 472 { 473 u32 free_entries = RING_SIZE - (*ring->producer - *ring->consumer); 474 475 if (free_entries == 0) 476 return -1; 477 478 ring->desc[*ring->producer & (RING_SIZE - 1)] = *item; 479 480 // write-barrier! 481 482 (*ring->producer)++; 483 return 0; 484 } 485 486But please use the libbpf functions as they are optimized and ready to 487use. Will make your life easier. 488 489Sample application 490================== 491 492There is a xdpsock benchmarking/test application included that 493demonstrates how to use AF_XDP sockets with private UMEMs. Say that 494you would like your UDP traffic from port 4242 to end up in queue 16, 495that we will enable AF_XDP on. Here, we use ethtool for this:: 496 497 ethtool -N p3p2 rx-flow-hash udp4 fn 498 ethtool -N p3p2 flow-type udp4 src-port 4242 dst-port 4242 \ 499 action 16 500 501Running the rxdrop benchmark in XDP_DRV mode can then be done 502using:: 503 504 samples/bpf/xdpsock -i p3p2 -q 16 -r -N 505 506For XDP_SKB mode, use the switch "-S" instead of "-N" and all options 507can be displayed with "-h", as usual. 508 509This sample application uses libbpf to make the setup and usage of 510AF_XDP simpler. If you want to know how the raw uapi of AF_XDP is 511really used to make something more advanced, take a look at the libbpf 512code in tools/lib/bpf/xsk.[ch]. 513 514FAQ 515======= 516 517Q: I am not seeing any traffic on the socket. What am I doing wrong? 518 519A: When a netdev of a physical NIC is initialized, Linux usually 520 allocates one RX and TX queue pair per core. So on a 8 core system, 521 queue ids 0 to 7 will be allocated, one per core. In the AF_XDP 522 bind call or the xsk_socket__create libbpf function call, you 523 specify a specific queue id to bind to and it is only the traffic 524 towards that queue you are going to get on you socket. So in the 525 example above, if you bind to queue 0, you are NOT going to get any 526 traffic that is distributed to queues 1 through 7. If you are 527 lucky, you will see the traffic, but usually it will end up on one 528 of the queues you have not bound to. 529 530 There are a number of ways to solve the problem of getting the 531 traffic you want to the queue id you bound to. If you want to see 532 all the traffic, you can force the netdev to only have 1 queue, queue 533 id 0, and then bind to queue 0. You can use ethtool to do this:: 534 535 sudo ethtool -L <interface> combined 1 536 537 If you want to only see part of the traffic, you can program the 538 NIC through ethtool to filter out your traffic to a single queue id 539 that you can bind your XDP socket to. Here is one example in which 540 UDP traffic to and from port 4242 are sent to queue 2:: 541 542 sudo ethtool -N <interface> rx-flow-hash udp4 fn 543 sudo ethtool -N <interface> flow-type udp4 src-port 4242 dst-port \ 544 4242 action 2 545 546 A number of other ways are possible all up to the capabilities of 547 the NIC you have. 548 549Q: Can I use the XSKMAP to implement a switch betwen different umems 550 in copy mode? 551 552A: The short answer is no, that is not supported at the moment. The 553 XSKMAP can only be used to switch traffic coming in on queue id X 554 to sockets bound to the same queue id X. The XSKMAP can contain 555 sockets bound to different queue ids, for example X and Y, but only 556 traffic goming in from queue id Y can be directed to sockets bound 557 to the same queue id Y. In zero-copy mode, you should use the 558 switch, or other distribution mechanism, in your NIC to direct 559 traffic to the correct queue id and socket. 560 561Credits 562======= 563 564- Björn Töpel (AF_XDP core) 565- Magnus Karlsson (AF_XDP core) 566- Alexander Duyck 567- Alexei Starovoitov 568- Daniel Borkmann 569- Jesper Dangaard Brouer 570- John Fastabend 571- Jonathan Corbet (LWN coverage) 572- Michael S. Tsirkin 573- Qi Z Zhang 574- Willem de Bruijn 575