Use flowtables to accelerate IP forwarding #6062
Labels: C: core; P: default (default priority for new issues, to be replaced given sufficient information); pr submitted (a pull request has been submitted for this issue); release notes (this issue should be mentioned in the release notes).
The problem you're addressing (if any)
At high rates of network traffic, VMs doing IP forwarding can consume significant amounts of CPU time. I have noticed 10-20% of a single core when forwarding traffic at 200Mb/s. This isn’t enormous, but it is noticeable.
Describe the solution you'd like
By using netfilter flowtables, we can bypass most of the kernel’s network stack in the forwarding path. Flowtables are bound to interfaces and handle NAT properly. Flowtables bypass firewall rules, but only for connections that have already been added to them, so they don’t create security issues in QubesOS. They may bypass IPsec policies, however; such users will need to migrate to route-based IPsec instead.
Flowtables use a static list of interfaces, which must be set at creation. This list cannot be modified afterwards. Therefore, they will need to be destroyed and recreated each time an interface is added or removed. Since we are using them purely for performance, this is fine. We should include all interfaces, not just ones provided by QubesOS, so that NetVMs and route-based VPNs benefit.
Where is the value to a user, and who might that user be?
Users who have fast network connections will notice significantly reduced CPU consumption when forwarding large volumes of IP traffic.
Describe alternatives you've considered
We can optimize our existing firewall rules. This is probably a good idea anyway, but it has a higher risk of security-related regressions, and it still will not provide anywhere near as much benefit as flowtables will.
Additional context
Flowtables were developed to optimize NAT in consumer routers. They are extremely fast ― several times faster than the normal forwarding path, IIRC. They operate purely in software, by offloading established connections specified by the administrator to a fast path. The fast path grabs matching packets as they come in and directly sends them out the destination interface.
Flowtables require that flows be explicitly added to them, but this can be done with only minor changes to our existing firewall setup.
Relevant documentation you've consulted
man 8 nft, https://wiki.nftables.org/wiki-nftables/index.php/Flowtable
Related, non-duplicate issues
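An nftables ruleset of the shape the issue describes, added here as an illustration (it is not the issue author's pull request or Qubes' own firewall code): the flowtable's static device list is rebuilt from the interfaces present, the whole table is replaced in one transaction so the list can change when an interface appears or disappears, and only established connections that the forward chain has already accepted are handed to the fast path. The table name `qubes`, flowtable name `fastpath`, chain layout and the `apply` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Qubes code: (re)generate an nftables flowtable whose
# device list matches the interfaces currently present, and hand
# established forwarded connections to it.
set -eu

# Interfaces never offloaded; loopback does not forward.
EXCLUDE='^lo$'

# Read interface names on stdin (one per line), drop excluded ones,
# dedupe. Fed by `ls /sys/class/net` below, or by a constructed list.
filter_ifaces() {
    grep -Ev "$EXCLUDE" | sort -u
}

# Emit a complete nft ruleset. Args: table name, flowtable name, then the
# interface names. The table is declared and then deleted inside the same
# file so `nft -f` replaces it atomically: a flowtable's `devices` list
# cannot be edited in place, so the table is rebuilt on every change.
render_ruleset() {
    table="$1"; ft="$2"; shift 2
    [ $# -gt 0 ] || { echo "render_ruleset: no interfaces" >&2; return 1; }
    devs=$(printf '%s, ' "$@"); devs="${devs%, }"
    cat <<EOF
table inet $table
delete table inet $table
table inet $table {
    flowtable $ft {
        hook ingress priority 0; devices = { $devs };
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        # Only packets of connections the firewall already accepted (the
        # first packets of a connection went through the rules below) are
        # added to the fast path; later packets of that connection are
        # then picked up at ingress and never traverse this chain again.
        ct state established meta l4proto { tcp, udp } flow add @$ft
        ct state established,related accept
        # Policy for new connections goes here (assumed rule for the example).
        ct state new tcp dport { 80, 443 } accept
    }
}
EOF
}

# `./flowtable.sh apply` loads the ruleset for the live interface list;
# with no argument the functions are only defined.
if [ "${1:-}" = "apply" ]; then
    # shellcheck disable=SC2046  # word splitting of interface names intended
    render_ruleset qubes fastpath $(ls /sys/class/net | filter_ifaces) | nft -f -
fi
```

Running `render_ruleset qubes fastpath eth0 vif1.0` prints the ruleset with `devices = { eth0, vif1.0 };`; re-running the script after a vif is added or removed regenerates the table with the new list. The `flow add` rule is placed before the `accept` for established traffic so that nothing reaches the fast path unless the normal forward chain accepted the connection when it was new.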