From mboxrd@z Thu Jan 1 00:00:00 1970
From: Rusty Russell
Subject: Re: copyless virtio net thoughts?
Date: Thu, 19 Feb 2009 21:26:42 +1030
Message-ID: <200902192126.43174.rusty@rustcorp.com.au>
References: <20090205020732.GA27684@sequoia.sous-sol.org> <200902182208.00843.rusty@rustcorp.com.au> <200902181724.07655.arnd@arndb.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Cc: Chris Wright, Herbert Xu, kvm@vger.kernel.org
To: Arnd Bergmann
Return-path:
Received: from ozlabs.org ([203.10.76.45]:52224 "EHLO ozlabs.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751180AbZBSK4s (ORCPT ); Thu, 19 Feb 2009 05:56:48 -0500
In-Reply-To: <200902181724.07655.arnd@arndb.de>
Content-Disposition: inline
Sender: kvm-owner@vger.kernel.org
List-ID:

On Thursday 19 February 2009 02:54:06 Arnd Bergmann wrote:
> On Wednesday 18 February 2009, Rusty Russell wrote:
>
> > 2) Direct NIC attachment
> > This is particularly interesting with SR-IOV or other multiqueue nics,
> > but for boutique cases or benchmarks, could be for normal NICs. So
> > far I have some very sketched-out patches: for the attached nic
> > dev_alloc_skb() gets an skb from the guest (which supplies them via
> > some kind of AIO interface), and a branch in netif_receive_skb()
> > which returned it to the guest. This bypasses all firewalling in
> > the host though; we're basically having the guest process drive
> > the NIC directly.
>
> If this is not passing the PCI device directly to the guest, but
> uses your concept, wouldn't it still be possible to use the firewalling
> in the host? You can always inspect the headers, drop the frame, etc
> without copying the whole frame at any point.

It's possible, but you don't want routing or parsing, etc: the NIC is just "directly" attached to the guest. You could do it in qemu or whatever, but it would not be the kernel scheme (netfilter/iptables).

> > 3) Direct interguest networking
> > Anthony has been thinking here: vmsplice has already been mentioned.
> > The idea of passing directly from one guest to another is an
> > interesting one: using dma engines might be possible too. Again,
> > host can't firewall this traffic. Simplest as a dedicated "internal
> > lan" NIC, but we could theoretically do a fast-path for certain MAC
> > addresses on a general guest NIC.
>
> Another option would be to use an SR-IOV adapter from multiple guests,
> with a virtual ethernet bridge in the adapter. This moves the overhead
> from the CPU to the bus and/or adapter, so it may or may not be a real
> benefit depending on the workload.

Yes, I guess this should work. Even different SR-IOV adapters will simply send to one another. I'm not sure this obviates the desire to have direct inter-guest which is more generic though.

Thanks!
Rusty.