Tuesday March 04, 2008
Tuesday March 04, 2008 Network in a Box (Sun Tech Day in Hyderabad)
Network in a Box (Sun Tech Day in Hyderabad)
I did a session for developers during the Sun Tech Day in Hyderabad and Raju Alluri had printed out 100 copies of the workshop and we were carrying 100 DVDs with Crossbow iso images (they are available on web here. The people just loved it. We had sooo underestimated the demand that printouts and DVDs disappeared in less than a minute. I had a presentation that included 30 odd slides but I couldn't even go past slide 7 since the workshop was so interesting to people. And between the tech day presentation and user group meeting in the evening, people pointed out a lot of interesting uses and why this can be such a powerful thing.
The idea that you can create any arbitrarily complex physical network as a virtual network and run your favorite workload, do performance analysis and debug it is very appealing to people. Remember that we are not simulating the network. This is the real thing i.e. real applications running and real packets flowing. If you application runs on any OS, it will run on this virtual network and will send and receive real packets!!
The concept is pretty useful even to people like us because now we don't need to pester our lab staff to create us a network for us to test or experiment on. And best part is, we can use xVM and run Linux and Windows as hosts as well.
We are thinking of writing a book which reinvents how you learn networking in schools and universities. And oh by the way, do people really care about CCNA now that they can do all this on their laptop :) If someone is interested in contributing real examples for this workshop module and the book, you are more than welcome. Just drop us a line.
networking virtualization crossbow (2008-03-04 18:05:48.0) Permalink Comments [5]
Friday February 29, 2008 Network in a Box (Creating a real Networks on your Laptop)
Network in a Box (Creating a real Network on your Laptop)
Crossbow: Network Virtualization & Resource Control
Objective
Create a real network comprising of Hosts, Switches and Routers as a Virtual Network on a laptop. The Virtual Network is created using OpenSolaris project Crossbow Technology and the hosts etc are created using Solaris Zones (a light weight virtualization technology). All the steps necessary to create the virtual topology are explained.The users can use this hands on demo/workshop and exercises in the end to become an expert in
- Configuring IPv4 and IPv6 networks
- Hands on experience with OpenSolaris
- Configure and manage a real Router
- IP Routing technologies including RIP, OSPF and BGP
- Debugging configuration and connectivity issues
- Network performance and bottleneck Analysis
Introduction
Crossbow (Network Virtualization and Resource Control) allows users to create a Virtual Network with fixed link speeds in a box. Multiple subnet connected via a Virtual Router is pretty easy to configure. This allows the network administrators to do a full network configuration, verify IP address, subnet masks and router ports and addresses. They can test connectivity and link speeds and when fully satisfied, they can instantiate the configuration on the real network.Another great application is to debug problems by simulating a real network in a box. If network administrators are having issues with connectivity or performance, they can create a virtual network and debug their issues using snoop, kernel stats and dtrace. They don't need to use the expensive H/W based network analyzers.
The network developers and researchers working with protocols (like high speed TCP) can use OpenSolaris to write their implementation and then try it out with other production implementations. They can debug and fine tune their protocol quite a bit before sending even a single packet on the real network.
Note1: Users can use Solaris Zones, Xen or ldom guests to create the virtual hosts while Crossbow provides the virtual network building blocks. There is no simulation but real protocol code at work. Users run real applications on the host and clients which generate real packets.
Note2: The Solaris protocol code executed for a virtual network or Solaris acting a real router or host is common all the way to bottom of MAC layer. In case of virtual networks, the device driver code for a physical NIC is the only code that is not needed.
Try it Yourself
Lets do a simple exercise. As part of this exercise, you will learn- How to configure a virtual network having two subnets and connected via a Virtual Router using Crossbow and Zones
- How to set the various link speeds to simulate multiple speed network
- Do some performance runs to verify connectivity
A laptop or machine running Crossbow snapshot from Feb 28, 2008 or later http://www.opensolaris.org/os/project/crossbow/snapshots/
Virtual Network Example
Lets take a physical network. The example in Fig 1a is representing the real network showing how my desktop connects to the Lab servers. The desktop is on 20.0.0.0/24 network while the server machines (host1 and host2) are on 10.0.0.0/24 network. In addition, host1 has got a 10/100 Mbps NIC limiting its connectivity to 100Mbps.
Fig. 1a
We will represent the network shown in Fig 1a on my Crossbow enabled laptop as
a Virtual Network. We use Zones to act as host1, host2 and the Router while
the global zone (gz) acts as the client (as a user exercise, create another
client zone and assign VNIC6 to it to act as a client).
Fig. 1a
Note 3: The Crossbow MAC layer itself does the switching between the VNICs. The Etherstub is craeated as a dummy device to connect the various virtual NICs. User can imagine etherstub as a Virtual Switch to help visualize the virtual network as a replacement for a physical network where each physical switch is replaced by a virtual switch (implemented by a Crossbow etherstub).
Create the Virtual Network
Lets start by creating the 2 etherstubs using the dladm commandgz# dladm create-etherstub 1 gz# dladm create-etherstub 3 gz# dladm show-etherstub LINK etherstub1 etherstub3
Create the necessary Virtual NICs. VNIC1 has a limited speed of 100Mbs while others have no limit
gz# dladm create-vnic -d etherstub1 1 gz# dladm create-vnic -d etherstub1 2 gz# dladm create-vnic -d etherstub1 3 gz# dladm create-vnic -d etherstub3 6 gz# dladm create-vnic -d etherstub3 9 gz# dladm show-vnic LINK OVER SPEED MACADDRESS MACADDRTYPE vnic1 etherstub1 - Mbps 2:8:20:8d:de:b1 random vnic2 etherstub1 - Mbps 2:8:20:4a:b0:f1 random vnic3 etherstub1 - Mbps 2:8:20:46:14:52 random vnic6 etherstub3 - Mbps 2:8:20:bf:13:2f random vnic9 etherstub3 - Mbps 2:8:20:ed:1:45 random
Create the hosts and assign them the VNICs. Also create the Virtual Router and assign it VNIC3 and VNIC9 over etherstub1 and etherstub3 respectively. Both the Virtual Router and Hosts are created using Zones in this example but you can easily use Xen or logical domains.
Create a base Zone which we can clone.
gz# zonecfg -z vnmbase vnmbase: No such zone configured Use 'create' to begin configuring a new zone. zonecfg:vnmbase> create zonecfg:vnmbase> set zonepath=/vnm/vnmbase zonecfg:vnmbase> set ip-type=exclusive zonecfg:vnmbase> add inherit-pkg-dir zonecfg:vnmbase:inherit-pkg-dir> set dir=/opt zonecfg:vnmbase:inherit-pkg-dir> set dir=/etc/crypto zonecfg:vnmbase:inherit-pkg-dir> end zonecfg:vnmbase> verify zonecfg:vnmbase> commit zonecfg:vnmbase> exit
This part takes 15-20 minutes
gz# zoneadm -z vnmbase install
Now lets create the 2 hosts and the Virtual Router as follow
gz# zonecfg -z host1 host1: No such zone configured Use 'create' to begin configuring a new zone. zonecfg:vnmbase> create zonecfg:vnmbase> set zonepath=/vnm/host1 zonecfg:vnmbase> set ip-type=exclusive zonecfg:vnmbase> add inherit-pkg-dir zonecfg:vnmbase:inherit-pkg-dir> set dir=/opt zonecfg:vnmbase:inherit-pkg-dir> set dir=/etc/crypto zonecfg:vnmbase:inherit-pkg-dir> end zonecfg:vnmbase> add net zonecfg:vnmbase:net> set physical=vnic1 zonecfg:vnmbase:net> end zonecfg:vnmbase> verify zonecfg:vnmbase> commit zonecfg:vnmbase> exit gz# zoneadm -z host1 clone vnmbase gz# zoneadm -z host1 boot gz# zlogin -C host1
Connect to the console and go through the sysid config. For this example, we assign 10.0.0.1/24 as IP address for vnic1. You can specify this during sysidcfg. For default route, specify 10.0.0.3 as the default route. You can say 'none' for naming service, IPv6, kerberos etc for the purpose of this example.
Similarly create host2 and configure it with vnic2 i.e.
gz# zonecfg -z host2 host2: No such zone configured Use 'create' to begin configuring a new zone. zonecfg:vnmbase> create zonecfg:vnmbase> set zonepath=/vnm/host2 zonecfg:vnmbase> set ip-type=exclusive zonecfg:vnmbase> add inherit-pkg-dir zonecfg:vnmbase:inherit-pkg-dir> set dir=/opt zonecfg:vnmbase:inherit-pkg-dir> set dir=/etc/crypto zonecfg:vnmbase:inherit-pkg-dir> end zonecfg:vnmbase> add net zonecfg:vnmbase:net> set physical=vnic2 zonecfg:vnmbase:net> end zonecfg:vnmbase> verify zonecfg:vnmbase> commit zonecfg:vnmbase> exit gz# zoneadm -z host2 clone vnmbase gz# zoneadm -z host2 boot gz# zlogin -C host2
Connect to the console and go through the sysid config. For this example, we assign 10.0.0.2/24 as IP address for vnic2. You can specify this during sysidcfg. For default route, specify 10.0.0.3 as the default route. You can say 'none' for naming service, IPv6, kerberos etc for the purpose of this example.
Lets now create the Virtual Router as
gz# zonecfg -z vRouter vRouter: No such zone configured Use 'create' to begin configuring a new zone. zonecfg:vnmbase> create zonecfg:vnmbase> set zonepath=/vnm/vRouter zonecfg:vnmbase> set ip-type=exclusive zonecfg:vnmbase> add inherit-pkg-dir zonecfg:vnmbase:inherit-pkg-dir> set dir=/opt zonecfg:vnmbase:inherit-pkg-dir> set dir=/etc/crypto zonecfg:vnmbase:inherit-pkg-dir> end zonecfg:vnmbase> add net zonecfg:vnmbase:net> set physical=vnic3 zonecfg:vnmbase:net> end zonecfg:vnmbase> add net zonecfg:vnmbase:net> set physical=vnic9 zonecfg:vnmbase:net> end zonecfg:vnmbase> verify zonecfg:vnmbase> commit zonecfg:vnmbase> exit gz# zoneadm -z vRouter clone vnmbase gz# zoneadm -z vRouter boot gz# zlogin -C vRouter
Connect to the console and go through the sysid config. For this example, we assign 10.0.0.3/24 as IP address for vnic3 and 20.0.0.1/24 as the IP address for vnic9. You can specify this during sysidcfg. For default route, specify 'none' as the default route. You can say 'none' for naming service, IPv6, kerberos etc for the purpose of this example. Lets enable forwarding on the Virtual Router to connect the 10.x.x.x and 20.x.x.x networks.
vRouter# svcadm enable network/ipv4-forwarding:default
Note 5: The above is done inside virtual router. Make sure you are in the window where you did the zlogin -C vRouter above
Now lets bringup VNIC6 and configure it including setting up routes in the global zone. You can easily create another host called host3 as the client on 20.x.x.x network by creating a host3 zone and assigning it 20.0.0.1/24 IP address
Lets configure the VNIC6. Open a xterm in the global zone
gz# ifconfig vnic6 plumb 20.0.0.3/24 up gz# route add 10.0.0.0 20.0.0.1 gz# ping 10.0.0.1 10.0.0.1 is alive gz# ping 10.0.0.2 10.0.0.2 is alive
Similarly, login into host1 and/or host2 and verify connectivity
host1# ping 20.0.0.3 20.0.0.3 is alive host1# ping 10.0.0.2 10.0.0.2 is alive
Set up Link Speed
What we configured above are unlimited B/W links. We can configure a link speed on all the links. For this example, lets configure the link speed of 100Mbps on VNIC1gz# dladm set-linkprop -p maxbw=100 vnic1
We could have configured the link speed (or B/W limit) while we were creating the vnic itself by adding the
-p maxbw=100option to create-vnic command.
Test the performance
Start 'netserver' (or tool of your choice) in host1 and host2. You wil have to install the tools in the relevant placeshost1# /opt/tools/netserver & host2# /opt/tools/netserver & gz# /opt/tools/netperf -H 10.0.0.2 TCP STREAM TEST to 10.0.0.2 : histogram Recv Send Send Socket Socket Message Elapsed Size Size Size Time Throughput bytes bytes bytes secs. 10^6bits/sec 49152 49152 49152 10.00 2089.87 gz# /opt/tools/netperf -H 10.0.0.1 TCP STREAM TEST to 10.0.0.1 : histogram Recv Send Send Socket Socket Message Elapsed Size Size Size Time Throughput bytes bytes bytes secs. 10^6bits/sec 49152 49152 49152 10.00 98.78
Note6: Since 10.0.0.2 is assigned to VNIC2 which has no limit, we get the max speed possible. 10.0.0.1 is configured over VNIC1 which is assigned to host1 and we just set the link speed to 100Mbps and thats why we get only 98.78Mbps.
Cleanup
gz# zoneadm -z host1 halt gz# zoneadm -z host1 uninstall
delete the zone
gz# zonecfg -z host1 zonecfg:host1> delete Are you sure you want to delete zone host1 (y/[n])? y zonecfg:host1> exit
In this way, delete host2 and vRouter zones. Make sure you don't delete vnmbase since re creating it takes time.
gz# ifconfig vnic6 unplumb
After you have deleted the zone, you can delete vnics and etherstubs as follows
# dladm delete-vnic 1 /* Delete VNIC */ # dladm delete-vnic 2 # dladm delete-vnic 3 # dladm delete-vnic 6 # dladm delete-vnic 9 # dladm delete-etherstub 3 /* Delete etherstub */ # dladm delete-etherstub 1
Make sure that VNICs are unplumbed (ifconfig vnic6 unplumb) and not assigned to a zone (delete the zone first) before you can delete them. You need to delete all the vnics on the etherstub before you can delete the etherstub.
User Exercises
Now that you are familiar with the concepts and technology, you are ready to do some experiments of your own. Cleanup the machine as mentioned above. The exercises below will help you master IP routing, configuring networks, and debugging for performance bottlenecks.- Recreate the Virtual Networkwork as show in Fig 1b but this time create
an additional zone called client and assigned vnic6 to that client zone.
client Zone vRouter host1 host2 | | | | | ---- etherstub3 --- -------- etherstub 1----------
Run all your connectivity tests from zloging into the client. Now change all IPv4 addresses to be IPv6 addresses and verify that client and hosts still have connectivity - Leave the Virtual Network as in 1, but configure OSPF in vRouter instead of RIP by default. Verify that you can still get the connectivity. Note the steps needed to configure OSPF
- Configure 20.0.0.0 and 10.0.0.0 networks as two separate autonomous networks, assign them unique ASN numbers and configure unique BGP domains. Verify that connectivity still works. Note the steps needed to configure BGP domains.
- Cleanup everything and recreate the virtual network in 1 above but instead of statically assigning the IP addresses to hosts and clients, configure NAT on the vRouter to give out address on subnet 10.0.0.0/24 on vnic3 and address on 20.0.0.0/24 for vnic9. While creating the hosts and clients, configure them to get their IP address through DHCP.
- Cleanup everything and recreate the virtual network in 1 above. Add
additional router vRouter2 which has a vnic each on the 2 etherstubs.
vRouter1 / \ 20.0.0.0/24 10.0.0.0/24 \ / vRouter2
This provides a redundant path from client to the hosts. Experiment with running different routing protocols and assign different weight to each path and see what path you take from client to host (use traceroute to detect). Now configure the routing protocol on two vRouters to be OSPF and play with link speeds and see how the path changes. Note the configuration and observations. - Cleanup. Lets now introduce another Virtual Router between two
subnets i.e.
client Zone vRouter1 vRouter2 host1 host2 | | | | | | | ---- etherstub3 --- -etherstub 2- -----etherstub 3---------- 20.0.0.0/24 30.0.0.0/24 10.0.0.0/24
Now set the link (VNIC) between vRouter1 and etherstub2 to be 75 Mbps. Use snmp from client to retrive the stats from the vRouter1 and check where the packets are getting dropped when you run netperf from client to host2.
Remove the limit set earlier and instead set the link speed of 75 Mbps on link between etherstub2 and vRouter2. Again use snmp to get the stats out on vRouter1. Do you see similar results as vRouter1? If not, can you explain why?
Conclusion and More resources
Use the real example and configure the virtual network to get familiar with the techniques used. At this point, have a look at your network and try to create a virtual network.Get more details on the OpenSolaris Crossbow page http://www.opensolaris.org/os/project/crossbow
You can find high level presentations, architectural documents, man pages etc at http://www.opensolaris.org/os/project/crossbow/Docs
Join the crossbow-discuss@opensolaris.org mailing list at http://www.opensolaris.org/os/project/crossbow/discussions
Send in your questions or your configuration samples and we will put it in the use cases examples.
A similar Virtual Network example using global zone as a NAT can be found on Nicolas's blog at http://blogs.sun.com/droux
Kais has a a example of dynamic bandwidth paritioning at http://blogs.sun.com/kais
Venu talks about some of the cool crossbow features at http://blogs.sun.com/iyer which allows virtualizing services with Crossbow technology using flowadm.
networking virtualization crossbow (2008-02-29 02:59:01.0) Permalink Comments [2]
Thursday August 24, 2006 CrossBow: Solaris Network Virtualization & Resource Control
CrossBow: Solaris Network Virtualization & Resource Control
1. CrossBow (the name):
It makes some sense to explain the relatonship between the technology (Network Virtualization and Resource Control) and the project name (CrossBow). It is believed that Crossbow was invented in 341B.C. in China but the use became prevalent in middle ages specially when steel was used to make the weapon. More powerful Crossbows could penetrate the armour at 200 yards and gave the typical horse mounted knights real nightmares. But the biggest differentiator was the simplicity in their use. Crossbow could be used effectively after a week of training, while a comparable single-shot skill with a longbow could take years of practice.Similary, if you take a look at the existing QOS mechanisms on a end host, they are very difficult to use and normally take a very skilled administrator to use effectively. Even then, the existing QOS mechanism come with heavy performance penalties which is also pretty common with any kind of virtualization as well. In Solaris land, we have invented a new way of imposing bandwidth resource control as attribute to a real or a virtual NIC such that it is built in as part of the Solaris network stack and comes without any performance penalties. Since the virtualization aspects and/or resource control aspects are just the attributes of the NIC/VNIC (specified when a NIC or Virtual NIC is created), a normal user and configure them without needing a docterate in QOS or virtualization. "CrossBow" was the most suitable name for this project since we are trying to achieve similar results in the field of virtualization and resource control as the weapon did in medivial times in the battlefield.
2. CrossBow (the background):
Crossbow provides the building blocks for network virtualization and resource control by creating virtual stacks around any service (HTTP, HTTPS, FTP, NFS, etc.), protocol (TCP, UDP, SCTP, etc.), or Virtual machines like Containers, Xen and ldoms.The project allows the system administrator to carve out any physical NIC into multiple virtual NICs which are pretty similar to real NICs and are administered just like real NICs. Each Virtual NIC can be assigned its own priority and band-width on a shared NIC without causing any performance degradation. The virtual NICs can have their own NIC hardware resources (Rx/Tx rings, DMA channels), MAC addresses, kernel threads and queues which are private to the VNIC and are not shared accross all traffic. In case of Solaris Containers, the Container can be assigned a virtual Stack Instance as well along with one or more virtual NICs. As such traffic for one VNIC can be totally isolated from other traffic and assigned any kind of limits or guarantees on amount of bandwidth it can use.
3. Overview:
Project Crossbow extends Solaris reach in several markets.3a. OS/Network/Server Consolidation:
The application, network and server consolidation environments where both OS and network virtualization play a big role. This market is typically driven by the cost of owning and managing physical machines and physical networks. The sweet spot for these horizontally scaled environment are the 2-4 socket machines which appear as 4-8 CPU machines in case of x86/x64 systems and 32-64 CPU machines in case of SUN's new Niagara based servers. From total cost of ownership perspective, these blades have only one physical NIC (1Gb or 10Gb) but are trying to run multiple virtual machines (Xen, Containers, ldoms) which have to share the NIC resources and the available bandwidth.
The problem gets worse because for 3 decades we have been designing application to go as fast as possible and any congestion control is the job of the transport layer (if at all). So if one virtual machine is using UDP based traffic, then other virtual machines on the same system using TCP traffic will suffer badly. Even within same transport (TCP for instance), bulk througput applications like ftp/http etc will have a very negetive impact on interactive traffic and latency sensitive applications.
The goal of the project Crossbow is to different virtual machines share the common NIC in a fair manner and allow system administrators to set preferential policies where necessary (e.g. the ISP selling limited B/W on a common pipe) without any performance impact.
3b. Traditional QOS and application consolidation:
Exisiting host based QOS mechanism are very complex to setup and typically come with a sizable performance penalty and increase in latency. The big part of the problem is the interrupt based delivery mechanism for inbound packets and the QOS being implemented by a separate layer (typically between NIC driver and IP). The network and transport layer of the host stack is unware about the QOS layer. The packets are already delivered to the host memory by means of interrupts and the QOS layer needs to classify the packets to various queues before it can apply the policies. In case the packet can not be processed because the bandwidth usage for that class is exceeded, it sits in a queue while still consuming system memory.Project Crossbow integrates stack virtualization and QOS as part of the stack architecture itself to offer a large subset of QOS type functionality at zero performance penalty and simple administrative interfaces. It also integrates diffserv with the stack where a virtual NIC can set and read the diffserv based labels. Since Crossbow architecture is limited in differentiating the traffic based on layer 2, 3, and 4 headers only i.e. the VLAN tag, local mac address, local IP address, protocol, and ports; the functionality offered is a subset of exisiting QOS mechanism although it covers 90% of the use cases without any performance penalty. This is the prime reason why project Crossbow refers to the bandwidth related policies as 'Bandwidth resource control' instead of QOS.
3c. Horizontally scaled markets:
This is the market segment made up of low priced volume servers (typically 2-4 socket machines) which offer services which require little or no sharing of data between them. The small servers can be standalone machines in a rack or blades in a chasis. Grids are another way to use volume servers to achieve the output of the traditional large SMP machines or main frames.In case of blades which share a common 10Gb NIC to the chasis, Crossbow again provides the sharing of bandwidth in a fair manner. In addition, the Crossbow provided APIs for network management, virtualization and bandwidth resource control can be use by 3rd party management softwares to propogate the common policy throughout the server farm or all the blades in the chasis. In a Solaris based homogenous environments, its very easy to mark an application or a virtual machine (based on port or IP address) as critical and propogate the same policy through all the machines. The diffserv labels can be added appropriately such that the policy is honoured by all machines and network element in the center.
4. Technical problems in exisiting architectures:
As mentioned earlier, the host based QOS systems work as a layer between the network stack and as such are pretty inefficient in providing the QOS services required of them. But that is not all.The exisiting interrupt driven packet delivery model pecludes any kind of policy enforcement and fair sharing. When a NIC interrupt is raise, it is at a highest priority and the CPU has to context switch whatever processing to deal with the interrupt. Most of the time, the processing of a critical packet is interrupted to deal with the arrival of a non critical packet.
The anonymous packet processing in the kernel is another major problem in virtualizing the stack and enforcing any kind of bandwidth resource control (including fairness). 80% of the work is already done for an incoming packet when the stack determines that no one is actually interested in the packet and it needs to drop it. In other words, the cost of dropping unwanted packets is too high.
Everything in the host flows through common queues and is processed by common threads which make enforcing policies based on traffic type very difficult. Recv or xmit of each packet impacts processing on any other packet on that particular CPU.
In most of the virtualized environments, the pseudo NIC in the virtual machines has no way of knowing about the hardware capabilities of the real hardware (even simple things like hardware checksum) because of the presense of the bridge in between and ends up making negetive performance impact. In addition, there is no mechanism to share the NIC in a fair manner. The transition of typical packet from the dom0 to domU also causes severe performance problems.
5. CrossBow Architecture:
The Crossbow architecture starts out by integrating network virtualization and resource control as part of the stack architecture. The Solaris 10 network stack has already been designed for the next decade where the connection to CPU affinity is maintained and the upper stack has tight control over the NIC resources.Crossbow builds on top of that by pushing the classification of packets based on services, protocols or virtual machines as far below as possible. If the NIC hardware itself has ability to divide onboard memory into segements/queues (know as Rx and Tx rings) which can preferably haev their own DMA channels and MSI-X interrupts, the stack programs the NIC classifier to classify packets based on configured policies to different Rx rings. Each Rx/Tx ring is owned by a CPU and a separate kernel queue know as serialization queue which controls the rate of packet arrival into the system based on configured bandwidth.
The Rx/Tx ring, the associated DMA channel, MSI-X interrupt, the serialization queue, the CPU, and processing threads are all unique for the service, protocol or virtual machine in question and can be assigned a unique MAC address and a Virtual NIC which becomes the administration entity that can be administered like a normal NIC. The NIC classifier drives the incoming packets to the correct RX ring from where the Squeue owning the Rx ring (and VNIC) will pull the packets via polling mode based on fair sharing of resources or configured bandwidth. The interrupt mode is used only when the Squeue has no packets to process and the Rx ring is empty. Each individual Rx ring is dynamically switched between interrupt and polling mode. Incoming packets that exceed the configured bandwidth limit remain in the NIC itself in their corresponding Rx ring and are pulled in the system only when they are ready to be processed.
The creation of an administrative entity (VNIC) is optional and typically associated with a virtual machine like Solaris containers, Xen or ldoms. For application or protocol based resource control, a separate data path is created to provide the isolation and resource control but a VNIC is not configured.
As mentioned above the VNIC is just an administrative entity. If the classification has already been done by the NIC to a particular Rx ring, the packets as delivered directly to IP layer by means of function calls when Rx ring is interrupt mode or the squeue residing in IP layer pulls the packet chain directly from the Rx ring when in the polling mode. In essence, the entire data link layer is bypassed resulting in improved performance and lower latencies. If the VNIC is placed in promiscous mode, the data link bypass is abandoned and the Rx ring delivers packets via the VNIC layer which creates a copy of the packet for promiscous stream. Similarly, in polling mode, the squeues poll entry point are changed to point at VNIC which is turns pulls the packets from Rx rings, makes a copy and then gives the chain to the Squeue poll thread.
The entire layered architecture is built on function pointers know as 'upcall_func' and 'downcall_func' with corresponding 'upcall_arg' and 'downcall_arg' for context. Every layer provides a pointer of its recv function as 'upcall_func' and a context as 'upcall_arg' to the layer below. Similarly, every layer provides pointer to its transmit function as 'downcall_func' and a context cookie as 'downcall_arg' to layer above. This is how the packet path is constructed. Any layer can short circuit itself out by providing the 'upcall_func' and 'upcall_arg' of the layer above to layer below (and same for transmit side if needed). All context cookies for a layer work on reference based system when each layer pointed to it gets a reference and ensure that data structures don't get freed till all references are dropped.
In case, the NIC hardware does not have classification capability (unlikely since most of intel, broadcom and SUN 1Gb NICs and pretty much all 10Gb NICs shipping for past several years have this capability) or have run out of the classification capability, the architecture provides a classification capability in the mac layer and employs soft rings which are similar to functionality as NIC hardware classifier and RX rings. The NIC hardware layer coupled with lower MAC layer and soft rings are termed as 'Pseudo Hardware layer'. A request by administartor to create a new VNIC or flow will always return successful from the pseudo hardware layer. The pseudo hardware layer manages the hardware and software classification capability and Rx rings and soft rings transparently from upper layers.
6. Crossbow layers, data structures and packet flow:
Its easier to illustrate this with 2 flows. The first one is for IP_addr = a.b.c.d && TCP and it goes through normal path via Upper dls etc. This is under the assumption that either snoop (or someone else in DLS) is interested in this flow and we can't bypass data link processing. The squeue poll function in this case is dls_poll_ring and argument is dls_impl_t.The 2nd flow is for IP_addr = m.n.o.p && port = 80 && TCP which is unique and no one is interested in snooping it. In this case, the dls layer allows itself to be pypassed by setting the upcall_func and upcall_arg for soft_ring/Rx_rings to directly call into IP. The squeue is directly polling the H/W Rx ring in this case.
7. The administrative model:
Crossbow introduces a new command called 'netrcm' and further augments 'dladm' which was introduced as part of the new high performance device driver framework (GLDv3) in Solaris 10.'dladm (1M)' - This is primarily used to create, modify and destroy VNIC based on mac or IP addresses. The created VNIC is visible and managed by ifconfig just like any otehr NIC and can get its IP address assigned via DHCP if necessary.
The examples below can illustrate this better:
Example 1: Configuring VNICs
To create two VNICs interfaces with vinc-ids 1 and 2
over a single physical device bge0, enter the following com-
mands:
# dladm create-vnic -d bge0 1
# dladm create-vnic -d bge0 2
The new links will be called vnic1 and vnic2.
Example 2: Configuring VNICs and allocating bandwidth & priority
To create two VNIC interfaces with vinc-ids 1 and 2
over a single physical device bge0 and make vnic1 a higher
priority VNIC using factory assigned MAC address with guarantee
to use upto 90% of the bandwidth and vnic2 having a lower priority
with a random MAC address and a hard limit of 100Mbps:
# dladm create-vnic -d bge0 -m factory -b 90% -G -p high 1
# dladm create-vnic -d bge0 -m random -b 100M -L -p low 2
Example 3: Configure a VNIC by choosing a factory MAC address
To create a VNIC interface with vinc-id 1 by first
listing the factory available MAC address and then using one
of them:
# dladm show-dev -d bge0 -m
bge0
link: up speed: 1000 Mbps duplex: full
MAC addresses:
slot-ident Address In Use
1 0:e0:81:27:d4:47 Yes
2 8:0:20:fe:4e:a5 No
# dladm create-vnic -d bge0 -m factory -n 2 1
# dladm show-dev -d bge0
bge0
link: up speed: 1000 Mbps duplex: full
MAC addresses:
slot-ident Address In Use
1 0:e0:81:27:d4:47 Yes
2 8:0:20:fe:4e:a5 Yes
Example 4: Configuring VNICs sharing a MAC address
To create two VNICs with vnic-id 1 and 2 by first listing the
available factory assigned MAC addresses and then picking one
that will be shared by the newly created VNICs
# dladm show-dev -d bge0 -m
bge0
link: up speed: 1000 Mbps duplex: full
MAC addresses:
slot-ident Address In Use
1 0:e0:81:27:d4:47 Yes
2 8:0:20:fe:4e:a5 No
# dladm create-vnic -d bge0 -m shared -n 2 1
# dladm create-vnic -d bge0 -m shared -n 2 2
Example 5: Creating a VNIC with user specified MAC address
To create a VNIC with vnic-id 1 by providing a user specified
mac address
# dladm create-vnic -d bge0 -m 8:0:20:fe:4e:b8
'netrcm (1M)' - This command is primarily used to provide isolation and private resources to an application traffic or protocol. In addition, we can also configure bandwidth limits and guarantees for the flows. Again some example can illustrate the usage better:
Example 1: Create a policy around mission critical port 443 traffic
which is https service.
To create a policy around inbound https traffic on a https server
so that https gets it dedicated NIC hardware and kernel TCP/IP
resources. The policy-id specified is https-1 which is used to
later modify of delete the policy.
# netrcm add-policy -d bge0 -H transport = TCP local port = 443 https-1
Example 2: Modify an existing policy to add bandwidth resource control
To modify https-1 policy to add bandwidth control and give it a
high priority
# netrcm modify-policy -d bge0 -b 90% -G -p high https-1
Example 3: Limit the bandwidth usage of UDP protocol
To create a policy for UDP protocol so that it can not consume more
than 10% of available bandwidth. The policy-id is called limit-udp-1.
# netrcm add-policy -d bge0 -b 90% -L -p low limit-udp-1
8. Crossbow Observability - Stats, history and APIs:
Apart from the functionality related to network virtualization and bandwidth resource control, Crossbow offers a whole range of news tools and mechanism to understand the bandwidth usage. Administrators can see real time bandwidth usage for various VNICs or configured flows (via 'netrcm') without causing any performance penalties.The Rx rings and squeues dealing with a particular flow keep track of normal stats which are pulled by a userland daemon from time to time. The daemon also logs the information in special log files which allows users to see history at any given time. A user can request usage for a time period in past to understand the system behaviour.
Crossbow will provide more tools to help capacity planning by allowing the system to be put under capacity planning mode where bandwdith usage for top traffic is monitored and displayed.
All the observability and administrative interfaces can be accessed by APIs which allow other applications to use and manage the system.
9. Resources:
Crossbow project page on OpenSolaris is a good source of information http://www.opensolaris.org/os/project/crossbowThe Crossbow mailing list is where all the day to day business for the project is conducted. Anyone can join the mailing list crossbow-discuss@opensolaris.org.
Crossbow slide presentation can be found here Crossbow Team members are:
* Kais Belgaied
* Stephanie Brucker
* Eric Cheng
* Nicolas Droux
* Markus Flierl
* Carol Gayo
* Mohan Iyer
* Darrin Johnson
* Michael Lim
* Rajagopal Kunhappan
* Erik Nordmark
* Ethan Solomita
* Thirumalai Srinivasan
* Sunay Tripathi
* Nicky Veitch
* Bill Watson
* Roamer Lu
Email: first.last@sun.com
networking virtualization crossbow (2006-08-24 02:26:02.0) Permalink Comments [1]
Sunday April 02, 2006 Project Crossbow: Network Virtualization and Resource Control going live
Project Crossbow going live on OpenSolaris
Hello and Welcome to project Crossbow!! We are going to add Network Virtualization and Resource Control to Solaris without degrading performance.At this time, we are seeking members from open solaris community to become part of Crossbow i-team. Its the charter of i-team to gather requirements and deliver the project including design, docs and testing. We would love to have members of the community get involved from day one. The participation opportunities include (but are not limited to):
- helping define the project
- gathering requirements
- designing the project
- writing code
- creating demos
- doing talks and evangalizing the project
Apart from active participation, you can also participate via the mailing lists and discussion groups where we will be posting various documents for review and comments apart from day to day discussion.
The project Crossbow page is visible here
You can sign up for the discussion group here (2006-04-02 20:41:15.0) Permalink Comments [1]
Wednesday December 07, 2005 (2005-12-07 21:09:58.0) Permalink Comments [2]
Tuesday December 06, 2005 Niagara - Designed for Network Throughput
Niagara - Designed for Network throughput
We finally announce Niagara based servers to the public! Billed as the low cost, energy efficient, huge network throughput processors - marketing mumbo jumbo you think?? Well, try it and you will see. I was priviledged enough that one of the earliest prototype landed on my desk (or in my lab to be precise) so Solaris networking could be tailored to take advantage of the chip. And boy, together with Solaris, this thing rocks!!
So you know that Niagara is multi core, multi threaded chip and Solaris takes advantage in multiple way. Let me highlight some of them.
Network performance
The load from the NIC is fanned out to multiple soft rings in the GLDv3 layer based on the src IP address and port information. Each soft ring in turn is tied to a Niagara thread and a Vertical Perimeter such that packets from a connection have locality to specific H/W thread on a core and the NIC has locality to specific core. Think of this model as 4 H/W threads per core processing the NIC such that if one thread stalls for resource, the CPU cycles are not wasted. The result is amazing network performance for this beast. Performs 5-6 times the performance of your typical x86 based CPU.Virtualization
Imagine you are a ISP or someone wanting to consolidate multiple machines on one physical machine. Well, Niagara based platforms lends themselves beautifully to this concept because there are so many H/W threads around which appear as individual CPUs to Solaris. We have a project underway called Crossbow (details available on Network Community page on OpenSolaris) which will allow you to carve the machine (create virtual network stacks) into multiple virtual machines and tied specific CPUs to them and control the B/W utilization for each virtual machine on a shared NIC.Real Time Networking/Offload
With GLDv3 based drivers and FireEngine architecture in Solaris 10, the stack controls the rate of interrupts and can dynamically switch the NIC between interrupt and polling mode. Couple with Niagara platform, Solaris can run the entire networking stack on one core and provide real time capabilities to the application. Meanwhile, the application them selves run on different core without worrying about networking interrupts pinning them down. You can get pretty bounded latencies provided application can do some admission control. We are also planning to hide the core running networking from the application effectively getting TOE for free without suffering from the drawbacks of offloading networking to a spearate piece of hardware.[ T: NiagaraCMT ]
(2005-12-06 17:31:01.0) Permalink Comments [1]
Monday November 14, 2005 Solaris Networking - The Magic Revealed (Part I)
Solaris Networking - The Magic Revealed
(Part I)
- Background
- Solaris 10 stack
- TCP
- UDP
- IP
- Solaris 10 Device Driver framework
- Tuning for performance:
- Future
- Acknowledgments
1 Background
The networking stack of Solaris 1.x was a BSD variant and was pretty similar to the BSD Reno implementation. The BSD stack worked fine for low end machines but Solaris wanted to satisfy the needs of low end customers as well as enterprise customers and such migrated to AT&T SVR4 architecture which became Solaris 2.x.With Solaris 2.x, the networking stack went through a make over and transitioned from a BSD style stack to STREAMs based stack. The STREAMs framework provided an easy message passing interface which allowed the flexibility of one STREAMs module interacting with other STREAM module. Using the STREAMs inner and outer perimeter, the module writer could provide mutual exclusion without making the implementation complex. The cost of setting up a STREAM was high but number of connection setup per second was not an important criterion and connections were usually long lived. When the connections were more long lived (NFS, ftp, etc.), the cost of setting up a new stream was amortized over the life of the connection.
During late 90s, the servers became heavily SMP running large number of CPUs. The cost of switching processing from one CPU to another became high as the mid to high end machines became more NUMA centric. Since STREAMs by design did not have any CPU affinity, packets for a particular connections moved around to different CPU. It was apparent that Solaris needed to move away from STREAMs architecture.
Late 90s also saw the explosion of web and increase in processing power meant a large number of short lived connections making connection setup time equally important. With Solaris 10, the networking stack went through one more transition where the core pieces (i.e. socket layer, TCP, UPD, IP, and device driver) used an IP Classifier and serialization queue to improve the connection setup time, scalability, and packet processing cost. STREAMs are still used to provide the flexibility that ISVs need to implement additional functionality.
2 Solaris 10 stack
Lets have a look at how the new framework and its key components.Overview
The pre SOlaris 10 stack uses STREAMS perimeter and kernel adaptive
mutexes for multi-threading. TCP uses a STREAMS QPAIR perimeter, UDP
uses a STREAMS QPAIR with PUTSHARED, and IP a PERMOD perimeter with
PUTSHARED and various TCP, UDP, and IP global data structures protected
by mutexes. The stack was executed by both user-land threads executing
various system-calls, the network device driver read-side interrupt or
device driver worker thread, and by STREAMS framework worker threads.
As the current perimeter provides per module, per protocol stack layer,
or horizontal perimeter. This can, and often does, lead to a packet
being processed on more than one CPU and by more than one thread
leading to excessive context switching and poor CPU data locality. The
problem gets even more compounded by the various places packet can get
queued under load and various threads that finally process the packet.The "FireEngine" approach is to merge all protocol layers into one STREAMs module which is fully multi threaded. Inside the merged module, instead of using per data structure locks, use a per CPU synchronization mechanism called "vertical perimeter". The "vertical perimeter" is implemented using a serialization queue abstraction called "squeue". Each squeue is bound to a CPU and each connection is in turn bound to a squeue which provides any synchronization and mutual exclusion needed for the connection specific data structures.
The connection (or context) lookup for inbound packets is done outside the perimeter, using an IP connection classifier, as soon as the packet reaches IP. Based on the classification, the connection structure is identified. Since the lookup happens outside the perimeter, we can bind a connection to an instance of the vertical perimeter or "squeue" when the connection is initialized and process all packets for that connection on the squeue it is bound to maintaining better cache locality. More details about the vertical perimeter and classifier are given later sections. The classifier also becomes the database for storing a sequence of function calls necessary for all inbound and outbound packets. This allows to change the Solaris networking stacks from the current message passing interface to a BSD style function call interface. The string of functions created on the fly (event-list) for processing a packet for a connection is the basis for an eventual new framework where other modules and 3rd party high performance modules can participate in this framework.
Vertical
perimeter
Squeue guarantees that only a single thread can process a given
connection at any given time thus serializing access to the TCP
connection structure by multiple threads (both from read and write
side) in the merged TCP/IP module. It is similar to the STREAMS QPAIR
perimeter but instead of just protecting a module instance, it protects
the whole connection state from IP to sockfs. Vertical perimeter or squeue by themselves just provide packet serialization and mutual exclusion for the data structures, but by creating per CPU perimeter and binding a connection to the instance attached to the CPU processing interrupts, we can guarantee much better data locality.
We could have chosen between creating a per connection perimeter or a per CPU perimeter i.e. a instance per connection or per CPU. The overheads involved with a per connection perimeter and thread contention gives lower performance and made us choose a per CPU instance. For a per CPU instance, we had the choice of queuing a connection structure for processing or instead just queue the packet itself and store the connection structure pointer in the packet itself. The former approach leads to some interesting starvation scenarios where packets for a connection keep arriving and to prevent such a situation, the overheads caused a lowered performance. Queuing the packet themselves allows us to protect the ordering and is much simpler and thus the approach we have taken for FireEngine.
As mentioned before, each connection instance is assigned to a single squeue and is thus only processed within the vertical perimeter. As a squeue is processed by a single thread at a time all data structures used to process a given connection from within the perimeter can be accessed without additional locking. This improves both the CPU and thread context data locality of access of both the connection meta data, the packet meta data, and the packet payload data. In addition this will allow the removal of per device driver worker thread schemes which are problematic in solving a system wide resource issue and allow additional strategic algorithms to be implemented to best handle a given network interface based on throughput of the network interface and the system throughput (e.g. fanning out per connection packet processing to a group of CPUs). The thread, entering squeue may either process the packet right away or queue it for later processing by another thread or worker thread. The choice depends on the squeue entry point and on the state of the squeue. The immediate processing is only possible when no other thread has entered the same squeue. The squeue is represented by the following abstraction:
typedef struct squeue_s {
int_t sq_flag; /* Flags tells squeue status */
kmutex_t sq_lock; /* Lock to protect the flag etc */
mblk_t *sq_first; /* First Packet */
mblk_t *sq_last; /* Last Packet */
thread_t sq_worker; /* the worker thread for squeue */
} squeue_t;
Its important to note that the squeues are created on the basic of per
H/W execution pipeline i.e. cores, hyper threads, etc. The stack
processing of the serialization queue (and the H/W execution pipeline)
is limited to one thread at a time but this actually improves
performance because the new stack ensure that there are no waits for
any resources such as memory or locks inside the vertical perimeter and
allowing more than one kernel thread to time share the H/W execution
pipelines has more overheads vs allowing only one thread to run
uninterrupted. - Queuing Model - The queue is strictly FIFO (first in first out) for both read and write side which ensures that any particular connection doesn't suffer or is starved. A read side or a write side thread enqueues packet at the end of the chain. It can then be allowed to process the packet or signal the worker thread based on the processing model below.
- Processing Model - After enqueueing its packet, if another thread is already processing the squeue, the enqueuing thread returns and the packet is drained later based on the drain model. If the squeue is not being processed and there are no packets queued, the thread can mark the squeue as being processed (represented by 'sq_flag'), and processes the packet. Once it completes processing the packet, it removes the 'processing in progress' flag and makes the squeue free for future processing.
- Drain Model - A thread, which was successfully able to process its own packet, can also drain any packets that were enqueued while it was processing the request. In addition, if the squeue is not being processed but there are packets already queued, then instead of queuing its packet and leaving, the thread can drain the queue and then process its own packets.
The worker thread is always allowed to drain the entire queue. Choosing the correct Drain model is quite complicated. Choices are
between,
- "always queue",
- "process your own packet if you can",
- "time bounded process and drain".
Typically, the draining by an interrupt thread should always be time-bounded "drain and process" while the write thread can choose between "processes your own" and time bounded "process and drain". For Solaris 10, the write thread behavior is a tunable with default being "process your own" while the read side is fixed to "time bounded process and drain".
The signaling of worker thread is another option worth exploring. If the packet arrival rate is low and a thread is forced to queue its packet, then the worker thread should be allowed to run as soon as the entering thread finished processing the squeue when there is work to be done.
On the other hand, if the packet arrival rate is high, it may be desirable to delay waking up the worker thread hoping for an interrupt to arrive shortly after to complete the drain. Waking up the worker thread immediately when the packet arrival rate is high creates unnecessary contention between the worker and interrupt threads.
The default for Solaris 10 is delayed wakeup of the worker thread. Initial experiments on available servers showed that the best results are obtained by waking up the worker thread after a 10ms delay.
Placing a request on the squeue requires a per-squeue lock to protect the state of the queue, but this doesn't introduce scalability problems because it is distributed between CPU's and is only held for a short period of time. We also utilize optimizations, which allow avoiding context switches while still preserving the single-threaded semantics of squeue processing. We create an instance of an squeue per CPU in the system and bind the worker thread to that CPU. Each connection is then bound to a specific squeue and thus to a specific CPU as well.
The binding of an squeue to a CPU can be changed but binding of a connection to an squeue never changes because of the squeue protection semantics. In the merged TCP/IP case, the vertical perimeter protects the TCP state for each connection. The squeue instance used by each connection is chosen either at the "open", "bind" or "connect" time for outbound connections or at "eager connection creation time" for inbound ones.
The choice of the squeue instance depends on the relative speeds of the CPUs and the NICs in the system. There are two cases:
- CPU is faster than the NIC: the incoming connections are assigned to the "squeue instance" of the interrupted CPU. For the outbound case, connections are assigned to the squeue instance of the CPU the application is running on.
- NIC is faster than the CPU: A single CPU is not capable of handling the NIC. The connections are bounded in random manner on all available squeue.
The squeue APIs look like:
squeue_t *squeue_create(squeue_t *, uint32_t, processorid_t, void (*)(), void *, clock_t, pri_t);Squeue_create instantiates a new squeue and uses squeue_bind()/squeue_unbind() to bind or unbind itself from a particular CPU. The squeue once created are never destroyed. The squeue_enter() is used to try and access the squeue and the thread entering is allowed to process and drain the squeue based on models discussed before. squeue_fill() is used just to queue a packet on the squeue to be processed by worker thread or other threads.
void squeue_bind(squeue_t *, processorid_t);
void squeue_unbind(squeue_t *);
void squeue_enter(squeue_t *, mblk_t *, void (*)(), void *);
void squeue_fill(squeue_t *, mblk_t *, void (*)(), void *);
IP classifier
The IP connection fanout mechanism consists of 3 hash tables. A 5-tuple hash table {protocol, remote and local IP addresses, remote and local ports} to keep fully qualified TCP (ESTABLISHED) connections, A 3-tuple lookup consisting of protocol, local address and local port to keep the listeners and a single-tuple lookup for protocol listeners. As part of the lookup, a connection structure (a superset of all connection information) is returned. This connection structure is called 'conn_t' and is abstracted below.The interesting member to note is the pointer to the squeue or vertical perimeter. The lookup is done outside the perimeter and the packet is processed/queued on the squeue connection is attached to. Also, conn_recv and conn_send point to the read side and write side functions. The read side function can be 'tcp_input' if the packet is meant for TCP.
typedef struct conn_s {
kmutex_t conn_lock; /* Lock for conn_ref */
uint32_t conn_ref; /* Reference counter */
uint32_t conn_flags; /* Flags */
struct ill_s *conn_ill; /* The ill packets are coming on */
struct ire_s *conn_ire; /* ire cache for outbound packets */
tcp_t *conn_tcp; /* Pointer to tcp struct */
void *conn_ulp /* Pointer for upper layer*/
edesc_pf conn_send; /* Function to call on read side */
edesc_pf conn_recv; /* Function to call on write side */
squeue_t *conn_sqp; /* Squeue for processing */
/* Address and Ports */
struct {
in6_addr_t connua_laddr; /* Local address */
in6_addr_t connua_faddr; /* Remote address. */
} connua_v6addr;
#define conn_src V4_PART_OF_V6(connua_v6addr.connua_laddr)
#define conn_rem V4_PART_OF_V6(connua_v6addr.connua_faddr)
#define conn_srcv6 connua_v6addr.connua_laddr
#define conn_remv6 connua_v6addr.connua_faddr
union {
/* Used for classifier match performance */
uint32_t conn_ports2;
struct {
in_port_t tcpu_fport; /* Remote port */
in_port_t tcpu_lport; /* Local port */
} tcpu_ports;
} u_port;
#define conn_fport u_port.tcpu_ports.tcpu_fport
#define conn_lport u_port.tcpu_ports.tcpu_lport
#define conn_ports u_port.conn_ports2
uint8_t conn_protocol; /* protocol type */
kcondvar_t conn_cv;
} conn_t;
Also, the connection fan-out mechanism has provisions for supporting wildcard listener's i.e. INADDR ANY. Currently, the connected and bind tables are primarily for TCP and UDP only. A listener entry is made during a listen() call. The entry is made into the connected table after the three-way handshake is complete for TCP.
The IPCLassifier APIs look like:
The names of the functions are pretty self explanatory.
conn_t *ipcl_conn_create(uint32_t type, int sleep);
void ipcl_conn_destroy(conn_t *connp);
int ipcl_proto_insert(conn_t *connp, uint8_t protocol);
int ipcl_proto_insert_v6(conn_t *connp, uint8_t protocol);
conn_t *ipcl_proto_classify(uint8_t protocol);
int *ipcl_bind_insert(conn_t *connp, uint8_t protocol, ipaddr_t src,
uint16_t lport);
int *ipcl_bind_insert_v6(conn_t *connp, uint8_t protocol,
const in6_addr_t * src, uint16_t lport);
int *ipcl_conn_insert(conn_t *connp, uint8_t protocol, ipaddr_t src,
ipaddr_t dst, uint32_t ports);
int *ipcl_conn_insert_v6(conn_t *connp, uint8_t protocol,
in6_addr_t *src, in6_addr_t *dst, uint32_t ports);
void ipcl_hash_remove(conn_t *connp);
conn_t *ipcl_classify_v4(mblk_t *mp);
conn_t *ipcl_classify_v6(mblk_t *mp);
conn_t *ipcl_classify(mblk_t *mp);
Synchronization mechanism
Since the stack is fully multi-threaded (barring the per CPU serialization enforced by the vertical perimeter), it uses a reference based scheme to ensure that connection instance are available when needed. The reference count is implemented by 'conn_t' member 'conn_ref' and protected by 'conn_lock'. The prime purpose of the lock in not to protect bulk of 'conn_t' but just the reference count. Each time some entity takes reference to the data structure (stores a pointer to the data structure for later processing), it increments the reference count by calling the CONN_INC_REF macro which basically acquires the 'conn_lock', increments the 'conn_ref' and drops the 'conn_lock'. Each time the entity drops the reference to the connection instance, it drops its reference using the CONN_DEC_REF macro.For an established TCP connection, There are guaranteed to be 3 references on it. Each protocol layer has a reference on the instance (one each for TCP and IP) and the classifier itself has a reference since its a established connection. Each time a packet arrive for the connection and classifier looks up the connection instance, an extra reference is place which is dropped when the protocol layer finishes processing that packet. Similarly, any timers running on the connection instance have a reference to ensure that the instance is around whenever timer fires. The memory associated with the connection instance is freed once the last reference is dropped.
3 TCP
Solaris 10 provides the same view for TCP as previous releases i.e. TCP
appears as a clone device but it is actually a composite, with the TCP
and IP code merged into a single D_MP STREAMS module. The merged TCP/IP
module's STREAMS entry points for open and close are the same as IP's
entry points viz ip_open and ip_close. Based on the major number passed
during open, IP decides whether the open corresponds to a TCP open or
an IP open. The put and service STREAMS entry points for TCP are
tcp_wput, tcp_wsrv and tcp_rsrv. The tcp_wput entry point simply serves
as a wrapper routine and enable sockfs and other modules from the top
to talk to TCP using STREAMs. Note that tcp_rput is missing since IP
calls TCP functions directly. IP's STREAMS entry points remain
unchanged. The operational part of TCP is fully protected by the vertical perimeter which entered through the squeue_* primitives as illustrated in Fig 4. Packets flowing from the top enter into TCP through the wrapper function tcp_wput, which then tries to execute the real TCP output processing function tcp_output after entering the corresponding vertical perimeter. Similarly packets coming from the bottom try to execute the real TCP input processing function tcp_input after entering the vertical perimeter. There are multiple entry points into TCP through the vertical perimeter.
Fig. 4
tcp_input - All inbound data packets and control messages
tcp_output - All outbound data packets and control messages
tcp_close_output - On user close
tcp_timewait_output - timewait expiry
tcp_rsrv_input - Flowcontrol relief on read side.
tcp_timer - All tcp timers
The Interface between TCP and IP
FireEngine changes the interface between TCP and IP from the existing STREAMS based message passing interface to a functional call based interface, both in the control and data paths. On the outbound side TCP passes a fully prepared packet directly to IP by calling ip_output, while being inside the vertical perimeter.Similarly control messages are also passed directly as function arguments. ip_bind_v{4, 6} receives a bind message as an argument, performs the required action and returns a result mp to the caller. TCP directly calls ip_bind_v{4, 6} in the connect(), bind() and listen() paths. IP still retains all its STREAMs entry point but TCP (/dev/tcp) becomes a real device driver i.e. It can't be pushed over other device drivers.
The basic protocol processing code was unchanged. Lets have a look at common socket calls and see how they interact with the framework.
Socket
A socket open of TCP or open of /dev/tcp eventually calls into ip_open. The open then calls into the IP connection classifier and allocates the per-TCP endpoint control block already integrated with the conn_t. It chooses the squeue for this connection. In the case of an internal open i.e by sockfs for an acceptor stream, almost nothing is done, and we delay doing useful work till accept time.Bind
tcp_bind eventually needs to talk to IP to figure out whether the address passed in is valid. FireEngine TCP prepares this request as usual in the form of a TPI message. However this messages is directly passed as a function argument to ip_bind_v{4, 6}, which returns the result as another message. The use of messages as parameters is helpful in leveraging the existing code with minimal change. The port hash table used by TCP to validate binds still remains in TCP, since the classifier has no use for it.Connect
The changes in tcp_connect are similar to tcp_bind. The full bind() request is prepared as a TPI message and passed as a function argument to ip_bind_v{4, 6}. IP calls into the classifier and inserts the connection in the connected hash table. The conn_ hash table in TCP is no longer used.Listen
This path is part of tcp_bind. The tcp_bind prepares a local bind TPI message and passes it as a function argument to ip_bind_v{4, 6}. IP calls the classifier and inserts the connection in the bind hash table. The listen hash table of TCP does not exist any more.Accept
The pre Solaris 10 accept implementation did the bulk of the connection setup processing in the listener context. The three way handshake was completed in listener's perimeter and the connection indication was sent up the listener's STREAM. The messages necessary to perform the accept were sent down on the listener STREAM and the listener was single threaded from the point of sending the T_CONN_RES message to TCP till sockfs received the acknowledgment. If the connection arrival rate was high, the ability of pre Solaris 10 stack to accept new connections deteriorated significantly.Furthermore, there were some additional TCP overhead involved, which contribute to slower accept rate. When sockfs opened an acceptor STREAM to TCP to accept a new connection, TCP was not aware that the data structures necessary for the new connection have already been allocated. So it allocated new structures and initializes them but later as part of the accept processing these are freed. Another major problem with the pre Solaris 10 design was that packets for a newly created connection arrived on the listener's perimeter. This requires a check for every incoming packet and packets landing on the wrong perimeter need to be sent to their correct perimeter causing additional delay.
The FireEngine model establishes an eager connection (a incoming connection is called eager till accept completes) in its own perimeter as soon as a SYN packet arrives thus making sure that packets always land on the correct connection. As a result it is possible to completely eliminate the TCP global queues. The connection indication is still sent to the listener on the listener's STREAM but the accept happens on the newly created acceptor STREAM (thus, there is no need to allocate data structures for this STREAM) and the acknowledgment can be sent on the acceptor STREAM. As a result, sockfs doesn't need to become single threaded at any time during the accept processing.
The new model was carefully implemented because the new incoming connection (eager) exists only because there is a listener for it and both eager and listener can disappear at any time during accept processing as a result of eager receiving a reset or listener closing.
The eager starts out by placing a reference on the listener so that the eager reference to the listener is always valid even though the listener might close. When a connection indication needs to be sent after the three way handshake is completed, the eager places a reference on itself so that it can close on receiving a reset but any reference to it is still valid. The eager sends a pointer to itself as part of the connection indication message, which is sent via the listener's STREAM after checking that the listener has not closed. When the T_CONN_RES message comes down the newly created acceptor STREAM, we again enter the eager's perimeter and check that the eager has not closed because of receiving a reset before completing the accept processing. For TLI/XTI based applications, the T_CONN_RES message is still handled on the listener's STREAM and the acknowledgment is sent back on listener's STREAMs so there is no change in behavior.
Close
Close processing in tcp now does not have to wait till the reference count drops to zero since references to the closing queue and references to the TCP are now decoupled. Close can return as soon as all references to the closing queue are gone. The TCP data structures themself may continue to stay around as a detached TCP in most cases. The release of the last reference to the TCP frees up the TCP data structure.A user initiated close only closes the stream. The underlying TCP structures may continue to stay around. The TCP then goes through the FIN/ACK exchange with the peer after all user data is transferred and enters the TIME_WAIT state where it stays around for a certain duration of time. This is called a detached TCP. These detached TCPs also need protection to prevent outbound and inbound processing from happening at the same time on a given detached TCP.
Data path
TCP does not even need to call IP to transmit the outbound packet in the most common case, if it can access the IRE. With a merged TCP/IP we have the advantage of being able to access the cached ire for a connection, and TCP can putnext the data directly to the link layer driver based on the information in the IRE. FireEngine does exactly the above.TCP Loopback
TCP Fusion is a protocol-less data path for loopback TCP connections in Solaris 10. The fusion of two local TCP endpoints occurs at connection establishment time. By default, all loopback TCP connections are fused. This behavior may be changed by setting the system wide tunable do tcp fusion to 0. Various conditions on both endpoints need to be met for fusion to be successful:- They must share a common squeue.
- They must be TCP and not "raw socket".
- They must not require protocol-level processing, i.e. IPsec or IPQoS policy is not present
for the connection.
Locking in TCP Fusion is handled by squeue and the mutex tcp fuse lock. One of the requirements for fusion to succeed is that both endpoints need to be using the same squeue. This ensures that neither side can disappear while the other side is still sending data. By itself, squeue is not sufficient for guaranteeing safe access when synchronous STREAMS is enabled. The reason is that tcp fuse rrw() doesn't enter the squeue, and its access to tcp rcv list and other fusion-related fields needs to be synchronized with the sender. tcp fuse lock is used for this purpose.
Rate Limit for Small Writes Flow control for TCP Fusion in synchronous stream mode is achieved by checking the size of receive buffer and the number of data blocks, both set to different limits. This is different than regular STREAMS flow control where cumulative size check dominates data block count check (STREAMS queue high water mark typically represents bytes). Each enqueue triggers notifications sent to the receiving process; a build up of data blocks indicates a slow receiver and the sender should be blocked or informed at the earliest moment instead of further wasting system resources. In effect, this is equivalent to limiting the number of outstanding segments in flight.
The minimum number of allowable enqueued data blocks defaults to 8 and is changeable via the system wide tunable tcp_fusion_burst_min to either a higher value or to 0 (the latter disables the burst check).
4 UDP
Apart from the framework improvements, Solaris 10 made additional changes in the UDP packets move through the stack. The internal code name for the project was "Yosemite". Pre Solaris 10, the UDP processing cost was evenly divided between per packet processing cost and per byte processing cost. The packet processing cost was generally due to STREAMS; the stream head processing; and packet drops in the stack and driver. The per byte processing cost was due to lack of H/W cksum and unoptimized code branches throughout the network stack.UDP packet drop within the stack
Although UDP is supposed to be unreliable, the local area networks have become pretty reliable and applications tend to assume that there will be no packet loss in a LAN environment. This assumption was largely true but pre Solaris 10 stack was not very effective in dealing with UDP overload and tended to drop packets within the stack itself.On Inbound, packets were dropped at more than one layers throughout the receive path. For UDP, the most common and obvious place is at the IP layer due to the lack of resources needed to queue the packets. Another important yet in-apparent place of packet drops is at the network adapter layer. This type of drop is fairly common to occur when the machine is dealing with a high rate of incoming packets.
UDP sockfs The UDP sockfs extension (sockudp) is an alternative path to socktpi used for handling sockets-based UDP applications. It provides for a more direct channel between the application and the network stack by eliminating the stream head and TPI message-passing interface. This allows for a direct data and function access throughout the socket and transport layers. This allows the stack to become more efficient and coupled with UDP H/W checksum offload (even for fragmented UDP), ensures that UDP packets are rarely dropped within the stack.
UDP Module
A fully multi-threaded UDP module running under the same protection domain as IP. It allows for a tighter integration of the transport (UDP) with the layers above and below it. This allows socktpi to make direct calls to UDP. Similarly UDP may also make direct calls to the data link layer. In the post GLDv3 world, the data link layer may also make direct calls to the transport. In addition, utility functions can be called directly instead of using message-based interface.UDP needs exclusive operation on a per-endpoint basis, when executing functions that modify the endpoint state. udp rput other() deals with packets with IP options, and processing these packets end up having to update the endpoint's option related state. udp wput other() deals with control operations from the top, e.g. connect(3SOCKET) that needs to update the endpoint state. In the STREAMS world this synchronization was achieved by using shared inner perimeter entry points, and by using qwriter inner() to get exclusive access to the endpoint.
The Solaris 10 model uses an internal, STREAMS-independent perimeter to achieve the above synchronization and is described below:
- udp enter() - Enter the UDP endpoint perimeter. udp become writer() i.e.become exclusive on the UDP endpoint. Specifies a function that will be called exclusively either immediately or later when the perimeter is available exclusively.
- udp exit() - Exit the UDP endpoint perimeter.
To support this, the new UDP model employs two modes of operation namely UDP MT HOT mode and UDP SQUEUE mode. In the UDP MT HOT mode, multiple threads may enter a UDP endpoint concurrently. This is used for sending or receiving normal data and is similar to the putshared STREAMS entry points. Control operations and other special cases call udp become writer() to become exclusive on a per-endpoint basis and this results in transitioning to the UDP SQUEUE mode. squeue by definition serializes access to the conn t. When there are no more pending messages on the squeue for the UDP connection, the endpoint reverts to MT HOT mode. In between when not all MT threads of an endpoint have finished, messages are queued in the endpoint and the UDP is in one of two transient modes, i.e. UDP MT QUEUED or UDP QUEUED SQUEUE mode.
While in stable modes, UDP keeps track of the number of threads operating on the endpoint. The udp reader count variable represents the number of threads entering the endpoint as readers while it is in UDP MT HOT mode. Transitioning to UDP SQUEUE happens when there is only a single reader, i.e. when this counter drops to 1. Likewise, udp squeue count represents the number of threads operating on the endpoint's squeue while it is in UDP SQUEUE mode. The mode transition to UDP MT HOT happens after the last thread exits the endpoint.
Though UDP and IP are running in the same protection domain, they are still separate STREAMS modules. Therefore, STREAMS plumbing is kept unchanged and a UDP module instance is always pushed above IP. Although this causes an extra open and close for every UDP endpoint, it provides backwards compatibility for some applications that rely on such plumbing geometry to do certain things, e.g. issuing I POP on the stream to obtain direct access to IP9.
The actual UDP processing is done within the IP instance. The UDP module instance does not possess any state about the endpoint and merely acts as a dummy module, whose presence is to keep the STREAMS plumbing appearance unchanged.
Solaris 10 allows for the following plumbing modes:
- Normal - IP is first opened and later UDP is pushed directly on top. This is the default action that happens when a UDP socket or device is opened.
- SNMP - UDP is pushed on top of a module other than IP. When this happens it will support only SNMP semantics.
UDP and Socket interaction
A significant event that takes place during socket(3SOCKET) system call is the plumbing of the modules associated with the socket's address family and protocol type. A TCP or UDP socket will most likely result in sockfs residing directly atop the corresponding transport module. Pre Solaris 10, Socket layer used STREAMs primitives to communicate with UDP module. Solaris 10 allowed for a functionally callable interface which eliminated the need to use T UNITDATA REQ message for metadata during each transmit from sockfs to UDP. Instead, data and its ancillary information (i.e. remote socket address) could be provided directly to an alternative UDP entry point, therefore avoiding the extra allocation cost.For transport modules, being directly beneath sockfs allows for synchronous STREAMS to be used. This enables the transport layer to buffer incoming data to be later retrieved by the application (via synchronous STREAMS) when a read operation is issued, therefore shortening the receive processing time.
Synchronous STREAMS
Synchronous STREAMS is an extension to the traditional STREAMS interface for message passing and processing. It was originally added as part of the combined copy and checksum effort. It offers a way for the entry point of the module or driver to be called in synchronous manner with respect to user I/O request. In traditional STREAMS, the stream head is the synchronous barrier for such request. Synchronous STREAMS provides a mechanism to move this barrier from the stream head down to a module below.The TCP implementation of synchronous STREAMS in pre Solaris 10 was complicated, due to several factors. A major factor was the combined checksum and copyin/copyout operations. In Solaris 10, TCP wasn't dependent on checksum during copyin/copyout, so the mechanism was greatly simplified for use with loopback TCP and UDP on the read side. The synchronous STREAMS entry points are called during requests such as read(2) or recv(3SOCKET). Instead of sending the data upstream using putnext(9F), these modules enqueue the data in their internal receive queues and allow the send thread to return sooner. This avoids calling strrput() to enqueue the data at the stream head from within the send thread context, therefore allowing for better dynamics - reducing the amount of time taken to enqueue and signal/poll-notify the receiving application allows the send thread to return faster to do further work, i.e. things are less serialized than before.
Each time data arrives, the transport module schedules for the application to retrieve it. If the application is currently blocked (sleeping) during a read operation, it will be unblocked to allow it to resume execution. This is achieved by calling STR WAKEUP SET() on the stream. Likewise, when there is no more data available for the application, the transport module will allow it to be blocked again during the next read attempt, by calling STR WAKEUP CLEAR(). Any new data that arrives before then will override this state and cause subsequent read operation to proceed.
An application may also be blocked in poll(2) until a read event takes place, or it may be waiting for a SIGPOLL or SIGIO signal if the socket used is non-blocking. Because of this, the transport module delivers the event notification and/or signals the application each time it receives data. This is achieved by calling STR SENDSIG() on the corresponding stream.
As part of the read operation, the transport module delivers data to the application by returning it from its read side synchronous STREAMS entry point. In the case of loopback TCP, the synchronous STREAM read entry point returns the entire content (byte stream) of its receive queue to the stream head; any remaining data will be re-enqueued at the stream head awaiting the next read. For UDP, the read entry point returns only one message (datagram) at a time.
STREAMs fallback
By default, direct transmission and read side synchronous STREAMS optimizations are enabled for all UDP and loopback TCP sockets when sockfs is directly above the corresponding transport module. There are several cases which require these features to be disabled; when this happens, message exchange between sockfs and the transport module must then be done through putnext(9F). The cases are described as follows -- Intermediate Module - A module is configured to be autopushed at open time on top of the transport module via autopush(1M), or is I PUSH'd on a socket via ioctl(2).
- Stream Conversion - The imaginary sockmod module is I POP'd from a socket causing it to be converted from a socket endpoint into a device stream.
If a fallback is required, sockfs will notify the transport module that direct mode is disabled. The notification is sent down by the sockfs module in the form of an ioctl message, which indicates to the transport module that putnext(9F) must now be used to deliver data upstream. This allows for data to flow through the intermediate module and it provides for compatibility with device stream semantics.
5 IP
As mentioned before, all the transport layers have been merged in IP module which is fully multithreaded and acts as a pseudo device driver as well a STREAMs module. The key change in IP was the removal IP client functionality and multiplexing the inbound packet stream. The new IP Classifier (which is still part of IP module) is responsible for classifying the inbound packets to the correct connection instance. IP module is still responsible for network layer protocol processing and plumbing and managing the network interfaces.Lets have a quick look at how plumbing of network interfaces, multi pathing, and multicast works in the new stack.
Plumbing NICs
Plumbing is a long sequence of operations involving message exchanges between IP, ARP and device drivers. Most set ioctls are typically involved in plumbing operations. A natural model is to serialize these ioctls one per ill. For example plumbing of hme0 and qfe0 can go on in parallel without any interference. But various set ioctls on hme0 will all be serialized.Another possibility is to fine-grain even further and serialize operations per ipif rather than per ill. This will be beneficial only if many ipifs are hosted on an ill, and if the operations on different ipifs don't have any mutual interference. Another possibility is to completely multithread all ioctls using standard Solaris MT techniques. But this is needlessly complex and does not have much added value. It is hard to hold locks across the entire plumbing sequence, which involves waits, and message exchanges with drivers or other modules. Not much is gained in performance or functionality by simultaneously allowing multiple set ioctls on an ipif at the same time since these are purely non-repetitive control operations. Broadcast ires are created on a per ill basis rather than per ipif basis. Hence trying to bring up more than 1 ipif simultaneously on an ill involves extra complexity in the broadcast ire creation logic. On the other hand serializing plumbing operations per ill lends itself easily to the existing IP code base. During the course of plumbing IP exchanges messages with the device driver and ARP. The messages received from the underlying device driver are also handled exclusively in IP. This is convenient since we can't hold standard mutex locks across the putnext in trying to provide mutual exclusion between the write side and read side activities. Instead of the all exclusive PERMOD syncq, this effect can be easily achieved by using a per ill serialization queue.
IP Network MultiPathing (IPMP)
IPMP operations are all driven around the notion of an IPMP group. Failover and Failback operations operate between 2 ills, usually part of the same IPMP group. The ipifs and ilms are moved between the ills. This involves bringing down the source ill and could involve bringing up the destination ill. Bringing down or bringing up ills affect broadcast ires. Broadcast ires need to be grouped per IPMP group to suppress duplicate broadcast packets that are received. Thus broadcast ire manipulation affects all members of the IPMP group. Setting IFF_FAILED or IFF_STANDBY causes evaluation of all ills in the IPMP group and causes regrouping of broadcast ires. Thus serializing IPMP operations per IPMP group lends itself easily to the existing code base. An IPMP group includes both the IPv4 and IPv6 ills.Multicast
Multicast joins operate on both the ilg and ilm structures. Multiple threads operating on an ipc (socket) trying to do multicast joins need to synchronize when operating on the ilg. Multiple threads potentially operating on different ipcs (socket endpoints) trying to do multicast joins could eventually end up trying to manipulate the ilm simultaneously and need to synchronize on the access to the ilm. Both are amenable to standard Solaris MT techniques. Considering all the above, i.e. plumbing, IPMP and multicast, the common denominator is to serialize all the exclusive operations on a per IPMP group basis. If IPMP is not enabled, then on a phyint basis. E.g. hme0 v4 and hme0 v6 ills taken together share a phyint. In the above multicast has a potential higher degree of multithreading. But it has to coexist with other exclusive operations. For example we don't want a thread to create or delete an ilm when a failover operation is already in progress trying to move ilms between 2 ills. So the lowest common denominator is to serialize multicast joins per physical interface or IPMP group.(2005-11-14 23:39:37.0) Permalink Comments [2]
Solaris Networking - The Magic Revealed (Part II)
Solaris Networking - The Magic Revealed
(Part II)
6. Solaris 10 Device Driver framework
Lets have a quick look at how Network device drivers were implemented pre Solaris 10 and why they need to change with the new Solaris 10 stack.GLDv2 and
Monolithic DLPI drivers (Solaris 9 and before)
Pre Solaris 10, network stack relays on DLPI1 providers, which are
normally implemented in one of two ways. The following illustrations
(Fig 5) show a stack based on a so-called monolithic DLPI driver and a
stack based on a driver utilizing the Generic LAN Driver (GLDv2)
module. Fig. 5
The GLDv2 module essentially behaves as a library. The client still talks to the driver instance bound to the device but the DLPI protocol processing is handled by calling into the GLDv2 module, which will then call back into the driver to access the hardware. Using the GLD module has a clear advantage in that the driver writer need not re-implement large amounts of mostly generic DLPI protocol processing. Layer two (Data-Link) features such as 802.1q Virtual LANs (VLANs) can also be implemented centrally in the GLD module allowing them to be leveraged by all drivers. The architecture still poses a problem though when considering how to implement a feature such as 802.3ad link aggregation (a.k.a. trunking) where the one-to-one correspondence between network interface and device is broken.Both GLDv2 and monolithic driver depend on DLPI messages and communicated with upper layers via STREAMs framework. This mechanism was not very effective for link aggregation or 10Gb NICs. With the new stack, a better mechanism was needed which could ensure data locality and allow the stack to control the device drivers at much finer granularity to deal with interrupts.
GLDv3 - A New
Architecture
Solaris 10 introduced a new device driver framework called GLDv3
(internal name "project Nemo") along with the new stack. Most of the
major device drivers were ported to this framework and all future and
10Gb device drivers will be based on this framework. This framework
also provided a STREAMs based DLPI layer for backword compatibility (to
allow external, non-IP modules to continue to work). GLDv3 architecture virtualizes layer two of the network stack. There is no longer a one-to-one correspondence between network interfaces and devices. The illustration below (Fig. 6) shows multiple devices registered with a MAC Services Module (MAC). It also shows two clients: one traditional client that communicates via DLPI to a Data-Link Driver (DLD) and one that is kernel based and simply makes direct function calls into the Data-Link Services Module (DLS).
Fig. 6
GLDv3 Drivers
GLDv3 drivers are similar to GLD drivers. The driver must be linked with a dependency on misc/mac. and misc/dld. It must call mac_register() with a pointer to an instance of the following structure to register with the MAC module:
typedef struct mac {
const char *m_ident;
mac_ext_t *m_extp;
struct mac_impl *m_impl;
void *m_driver;
dev_info_t *m_dip;
uint_t m_port;
mac_info_t m_info;
mac_stat_t m_stat;
mac_start_t m_start;
mac_stop_t m_stop;
mac_promisc_t m_promisc;
mac_multicst_t m_multicst;
mac_unicst_t m_unicst;
mac_resources_t m_resources;
mac_ioctl_t m_ioctl;
mac_tx_t m_tx;
} mac_t;
This structure must persist for the lifetime of the registration, i.e. it cannot be de-allocated until after mac_unregister() is called. A GLDv3 driver _init(9E) entry point is also required to call mac_init_ops() before calling mod_install(9F), and they are required to call mac_fini_ops() after calling mod_remove(9F) from _fini(9E).
The important members of this 'mac_t' structure are:
- 'm_impl' - This is used by the MAC module to point to its private
data. It must not be read or
modified by a driver.
- 'm_driver' - This field should be set by the driver to point at
its private data. This
value will be supplied as the first argument to the driver entry points.
- 'm_dip' - This field must be set to the dev_info_t pointer of the
driver instance calling
mac_register().
- 'm_stat' -
typedef uint64_t (*mac_stat_t)(void *, mac_stat_t);
This entry point is called to retrieve a value for one of the statistics defined in the mac_stat_t enumeration (below). All values should be stored and returned in 64-bit unsigned integers. Values will not be requested for statistics that the driver has not explicitly declared to be supported.
- 'm_start' -
typedef int (*mac_start_t)(void *);
This entry point is called to bring the device out of the reset/quiesced state that it was in when the interface was registered. No packets will be submitted by the MAC module for transmission and no packets should be submitted by the driver for reception before this call is made. If this function succeeds then zero should be returned. If it fails then an appropriate errno value should be returned.
- 'm_stop' -
typedef void (*mac_stop_t)(void *);
This entry point should stop the device and put it in a reset/quiesced state such that the interface can be unregistered. No packets will be submitted by the MAC for transmission once this call has been made and no packets should be submitted by the driver for reception once it has completed.
- 'm_promisc' -
typedef int (*mac_promisc_t)(void *, boolean_t);
This entry point is used to set the promiscuity of the device. If the second argument is B_TRUE then the device should receive all packets on the media. If it is set to B_FALSE then only packets destined for the device's unicast address and the media broadcast address should be received.
- 'm_multicst' -
typedef int (*mac_multicst_t)(void *, boolean_t, const uint8_t *);
This entry point is used to add and remove addresses to and from the set of multicast addresses for which the device will receive packets. If the second argument is B_TRUE then the address pointed to by the third argument should be added to the set. If the second argument is B_FALSE then the address pointed to by the third argument should be removed.
- 'm_unicst' -
typedef int (*mac_unicst_t)(void *, const uint8_t *);
This entry point is used to set a new device unicast address. Once this call is made then only packets with the new address and the media broadcast address should be received unless the device is in
promiscuous mode.
- 'm_resources' -
typedef void (*mac_resources_t)(void *, boolean_t);
This entry point is called to request that the driver register its individual receive resources or Rx rings.
- 'm_tx' -
typedef mblk_t *(*mac_tx_t)(void *, mblk_t *);
This entry point is used to submit packets for transmission by the device. The second argument points to one or more packets contained in mblk_t structures. Fragments of the same packet will be linked together using the b_cont field. Separate packets will be linked by the b_next field in the leading fragment. Packets should be scheduled for transmission in the order in which they appear in the chain. Any remaining chain of packets that cannot be scheduled should be returned. If m_tx() does return packets that cannot be scheduled the driver must call mac_tx_update() when resources become available. If all packets are scheduled for transmission then NULL should be returned.
- 'm_info' - This is an embedded structure defined as follows:
typedef struct mac_info {mi_media is set of be the media type; mi_sdu_min is the minimum payload size; mi_sdu_max is the maximum payload size; mi_cksum details the device cksum capabilities flag; mi_poll details if the driver supports polling; mi_addr_length is set to the length of the addresses used by the media; mi_unicst_addr is set with the unicast address of the device at the point at which mac_register() is called;mi_brdcst_addr is set to the broadcast address of the media; mi_stat is an array of boolean values
uint_t mi_media;
uint_t mi_sdu_min;
uint_t mi_sdu_max;
uint32_t mi_cksum;
uint32_t mi_poll;
boolean_t mi_stat[MAC_NSTAT];
uint_t mi_addr_length;
uint8_t mi_unicst_addr[MAXADDRLEN];
uint8_t mi_brdcst_addr[MAXADDRLEN];
} mac_info_t;
typedef enum {
MAC_STAT_IFSPEED = 0,
MAC_STAT_MULTIRCV,
MAC_STAT_BRDCSTRCV,
MAC_STAT_MULTIXMT,
MAC_STAT_BRDCSTXMT,
MAC_STAT_NORCVBUF,
MAC_STAT_IERRORS,
MAC_STAT_UNKNOWNS,
MAC_STAT_NOXMTBUF,
MAC_STAT_OERRORS,
MAC_STAT_COLLISIONS,
MAC_STAT_RBYTES,
MAC_STAT_IPACKETS,
MAC_STAT_OBYTES,
MAC_STAT_OPACKETS,
MAC_STAT_ALIGN_ERRORS,
MAC_STAT_FCS_ERRORS,
MAC_STAT_FIRST_COLLISIONS,
MAC_STAT_MULTI_COLLISIONS,
MAC_STAT_SQE_ERRORS,
MAC_STAT_DEFER_XMTS,
MAC_STAT_TX_LATE_COLLISIONS,
MAC_STAT_EX_COLLISIONS,
MAC_STAT_MACXMT_ERRORS,
MAC_STAT_CARRIER_ERRORS,
MAC_STAT_TOOLONG_ERRORS,
MAC_STAT_MACRCV_ERRORS,
MAC_STAT_XCVR_ADDR,
MAC_STAT_XCVR_ID,
MAC_STAT_XVCR_INUSE,
MAC_STAT_CAP_1000FDX,
MAC_STAT_CAP_1000HDX,
MAC_STAT_CAP_100FDX,
MAC_STAT_CAP_100HDX,
MAC_STAT_CAP_10FDX,
MAC_STAT_CAP_10HDX,
MAC_STAT_CAP_ASMPAUSE,
MAC_STAT_CAP_PAUSE,
MAC_STAT_CAP_AUTONEG,
MAC_STAT_ADV_CAP_1000FDX,
MAC_STAT_ADV_CAP_1000HDX,
MAC_STAT_ADV_CAP_100FDX,
MAC_STAT_ADV_CAP_100HDX,
MAC_STAT_ADV_CAP_10FDX,
MAC_STAT_ADV_CAP_10HDX,
MAC_STAT_ADV_CAP_ASMPAUSE,
MAC_STAT_ADV_CAP_PAUSE,
MAC_STAT_ADV_CAP_AUTONEG,
MAC_STAT_LP_CAP_1000FDX,
MAC_STAT_LP_CAP_1000HDX,
MAC_STAT_LP_CAP_100FDX,
MAC_STAT_LP_CAP_100HDX,
MAC_STAT_LP_CAP_10FDX,
MAC_STAT_LP_CAP_10HDX,
MAC_STAT_LP_CAP_ASMPAUSE,
MAC_STAT_LP_CAP_PAUSE,
MAC_STAT_LP_CAP_AUTONEG,
MAC_STAT_LINK_ASMPAUSE,
MAC_STAT_LINK_PAUSE,
MAC_STAT_LINK_AUTONEG,
MAC_STAT_LINK_DUPLEX,
MAC_STAT_LINK_STATE,
MAC_NSTAT /* must be the last entry */
} mac_stat_t;
The macros MAC_MIB_SET(), MAC_ETHER_SET() and MAC_MII_SET() are provided to set all the values in each of the three groups respectively to B_TRUE.
MAC
Services (MAC) module
Some key Driver Support Functions:- 'mac_resource_add' -
Various members are defined as
extern mac_resource_handle_t mac_resource_add(mac_t *, mac_resource_t *);
typedef void (*mac_blank_t)(void *, time_t, uint_t);
This function should be called from the m_resources() entry point to register individual receive resources (commonly ring buffers of DMA descriptors) with the MAC module. The returned mac_resource_handle_t value should then be supplied in calls to mac_rx(). The second argument to mac_resource_add() specifies the resource being added. Resources are specified by the mac_resource_t structure. Currently only resources of type MAC_RX_FIFO are supported. MAC_RX_FIFO resources are described by the mac_rx_fifo_t structure.
typedef mblk_t *(*mac_poll_t)(void *, uint_t);
typedef enum {
MAC_RX_FIFO = 1
} mac_resource_type_t;
typedef struct mac_rx_fifo_s {
mac_resource_type_t mrf_type; /* MAC_RX_FIFO */
mac_blank_t mrf_blank;
mac_poll_t mrf_poll;
void *mrf_arg;
time_t mrf_normal_blank_time;
uint_t mrf_normal_pkt_cnt;
} mac_rx_fifo_t;
typedef union mac_resource_u {
mac_resource_type_t mr_type;
mac_rx_fifo_t mr_fifo;
} mac_resource_t;
This mac_blank function is meant to be used by upper layers to control the interrupt rate of the device. The first argument is the device context meant to be used as the first argument to poll_blank.
The other fields mrf_normal_blank_time and mrf_normal_pkt_cnt specify the default interrupt interval and packet count threshold, respectively. These parameters may be used as the second and third arguments to mac_blank when the upper layer wants the driver to revert to the default interrupt rate.
The interrupt rate is controlled by the upper layer by calling poll_blank with different arguments. The interrupt rate can be increased or decreased by the upper layer by passing a multiple of these values to the last two arguments of mac_blank. Setting these avlues to zero disables the interrupts and NIC is deemed to be in polling mode.
The mac_poll is the driver supplied function is used by upper layer to retrieve a chain of packets (upto max count specified by second argument) from the Rx ring corresponding to the earlier supplied mrf_arg during mac_resource_add (supplied as first argument to mac_poll).
- 'mac_resource_update' -
extern void mac_resource_update(mac_t *);
Inv