Add XDP offloading
Preliminary notes on XDP offloading
XDP (eXpress Data Path) is an eBPF-based mechanism to run custom packet processing code in the kernel, directly in the device driver's receive path, for maximum performance.
l2tpns could offload packet processing tasks to XDP, including L2TP encapsulation and decapsulation. Control packets and corner cases would still be handled by the l2tpns process.
Tradeoffs of using XDP
It is important to understand that l2tpns will never "see" the offloaded packets. As a result, several features implemented in l2tpns will stop working for offloaded traffic, such as:
- session throttling
- packet interception
- access lists
XDP offload design overview
The XDP offload design is made of several parts:
- an "Internet-side" or "encapsulating" XDP program handling downstream traffic (packets whose destination is a subscriber). It will typically be attached to one or more "Internet-facing" network interfaces. This program will match relevant packets based on their destination IP address, encapsulate them in a PPP/L2TP frame, and forward them directly to the right L2TP tunnel endpoint.
- a "subscriber-side" or "decapsulating" XDP program handling upstream traffic (packets coming from subscribers). It needs to be attached to the network interface facing subscribers. This program will intercept L2TP data packets, verify that they belong to a valid session, decapsulate them, and then forward the resulting IP packets directly to their destination. It will not intercept control packets (e.g. IPCP, DHCPv6), so that they can be handled by l2tpns in the usual way.
- a set of eBPF maps storing the current state of tunnels and sessions. They are updated from userspace by l2tpns and read by the XDP programs. More precisely, the "encapsulating" XDP program needs this data to know which session a packet belongs to and to which tunnel endpoint it must forward the encapsulated packet, while the "decapsulating" XDP program needs it to reject packets for non-existent sessions, and packets whose inner source IP address does not belong to the session (spoofing by a subscriber), before decapsulating and forwarding them.
- an eBPF map storing traffic statistics for each session. It is updated by the XDP programs for each packet they handle and read regularly by l2tpns. It is a per-CPU map, so that each CPU updates its own counters and no synchronisation between CPUs is needed.
- a loader that runs at l2tpns startup and attaches the XDP programs to the relevant network interfaces.
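The checks the "decapsulating" program has to make before it may forward a packet are the security-relevant core of this design, so here is an added example (not l2tpns code, and not an actual XDP program) written as ordinary user-space C that mirrors them: parse the L2TPv2 data header, hand control messages and non-IPv4 PPP protocols back to l2tpns, look the (tunnel, session) pair up in a session table that stands in for the eBPF map, and enforce that the inner source address is the one assigned to the session. The packet is assumed to start at the L2TP header (outer IPv4/UDP already parsed), PPP protocol-field compression is assumed not to be in use, and the policy of passing unknown sessions up to l2tpns while dropping spoofed sources is this example's choice, not something the design above fixes. All packets and the session table are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Verdicts, named after the XDP actions a real program would return. */
enum verdict {
    V_PASS,     /* leave the packet to the kernel stack / l2tpns (XDP_PASS) */
    V_FORWARD,  /* decapsulated and forwarded by XDP (XDP_TX / XDP_REDIRECT) */
    V_DROP      /* discarded (XDP_DROP) */
};

/* Hypothetical session record, standing in for the eBPF map l2tpns would fill. */
struct session {
    uint16_t tunnel;
    uint16_t session;
    uint32_t addr;    /* IPv4 address assigned to the subscriber (host order) */
};

/* Constructed session table for the example. */
static const struct session session_table[] = {
    { 10, 100, 0x0A000001u },   /* tunnel 10, session 100 -> 10.0.0.1 */
    { 10, 101, 0x0A000002u },   /* tunnel 10, session 101 -> 10.0.0.2 */
};

static const struct session *lookup_session(uint16_t tunnel, uint16_t sess)
{
    for (size_t i = 0; i < sizeof session_table / sizeof session_table[0]; i++)
        if (session_table[i].tunnel == tunnel && session_table[i].session == sess)
            return &session_table[i];
    return NULL;
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }

/*
 * Decide what to do with one upstream packet. `pkt` points at the L2TP header.
 * On V_FORWARD, *inner / *inner_len describe the decapsulated IPv4 packet.
 */
enum verdict decap_upstream(const uint8_t *pkt, size_t len,
                            const uint8_t **inner, size_t *inner_len)
{
    if (len < 6) return V_DROP;
    uint16_t flags = rd16(pkt);
    if ((flags & 0x000F) != 2) return V_DROP;      /* not L2TPv2 */
    if (flags & 0x8000) return V_PASS;             /* T bit: control message, l2tpns handles it */

    size_t off = 2;
    if (flags & 0x4000) {                          /* L bit: explicit length field */
        if (len < off + 2) return V_DROP;
        uint16_t l = rd16(pkt + off);
        if (l > len || l < 6) return V_DROP;
        len = l;                                   /* never trust more than the declared length */
        off += 2;
    }
    if (len < off + 4) return V_DROP;
    uint16_t tunnel = rd16(pkt + off), sess = rd16(pkt + off + 2);
    off += 4;
    if (flags & 0x0800) off += 4;                  /* S bit: Ns/Nr present */
    if (flags & 0x0200) {                          /* O bit: offset size + padding */
        if (len < off + 2) return V_DROP;
        off += 2 + rd16(pkt + off);
    }

    /* PPP: optional address/control (FF 03), then a 2-byte protocol field. */
    if (len < off + 2) return V_DROP;
    if (pkt[off] == 0xFF && pkt[off + 1] == 0x03) off += 2;
    if (len < off + 2) return V_DROP;
    uint16_t proto = rd16(pkt + off);
    off += 2;
    if (proto != 0x0021) return V_PASS;            /* LCP/IPCP/IPv6CP/...: not offloaded */

    const struct session *s = lookup_session(tunnel, sess);
    if (!s) return V_PASS;                         /* unknown session: let l2tpns decide */

    /* Inner IPv4 header: sanity checks, then the anti-spoofing rule. */
    if (len < off + 20) return V_DROP;
    const uint8_t *ip = pkt + off;
    size_t ihl = (ip[0] & 0x0F) * 4u;
    size_t tot = rd16(ip + 2);
    if ((ip[0] >> 4) != 4 || ihl < 20 || tot < ihl || tot > len - off) return V_DROP;
    if (rd32(ip + 12) != s->addr) return V_DROP;   /* source is not this session's address */

    *inner = ip;
    *inner_len = tot;
    return V_FORWARD;
}

/* Constructed sample packets (IPv4 header is a minimal 20-byte ICMP header). */
#define IPV4_FROM(a, b, c, d) 0x45,0x00,0x00,0x14, 0,0,0,0, 0x40,0x01,0,0, a,b,c,d, 8,8,8,8
static const uint8_t pkt_good[]    = { 0x00,0x02, 0x00,0x0A, 0x00,0x64, 0xFF,0x03, 0x00,0x21, IPV4_FROM(10,0,0,1) };
static const uint8_t pkt_spoof[]   = { 0x00,0x02, 0x00,0x0A, 0x00,0x64, 0xFF,0x03, 0x00,0x21, IPV4_FROM(10,0,0,9) };
static const uint8_t pkt_lcp[]     = { 0x00,0x02, 0x00,0x0A, 0x00,0x64, 0xFF,0x03, 0xC0,0x21, 0x01,0x01,0x00,0x04 };
static const uint8_t pkt_ctrl[]    = { 0xC8,0x02, 0x00,0x0C, 0x00,0x0A, 0x00,0x00, 0x00,0x00, 0x00,0x00 };
static const uint8_t pkt_unknown[] = { 0x00,0x02, 0x00,0x0A, 0x03,0xE7, 0x00,0x21, IPV4_FROM(10,0,0,3) };
static const uint8_t pkt_trunc[]   = { 0x00,0x02, 0x00,0x0A, 0x00,0x64, 0x00,0x21, 0x45,0x00 };
static const uint8_t pkt_lso[]     = { 0x48,0x02, 0x00,0x22, 0x00,0x0A, 0x00,0x65, 0x00,0x01,0x00,0x02, 0x00,0x21, IPV4_FROM(10,0,0,2) };

static size_t last_inner_len;

/* Convenience wrapper: verdict only, inner length kept in last_inner_len. */
enum verdict run_sample(const uint8_t *pkt, size_t len)
{
    const uint8_t *inner = NULL;
    last_inner_len = 0;
    return decap_upstream(pkt, len, &inner, &last_inner_len);
}

int main(void)
{
    printf("good=%d spoof=%d lcp=%d ctrl=%d\n",
           run_sample(pkt_good, sizeof pkt_good), run_sample(pkt_spoof, sizeof pkt_spoof),
           run_sample(pkt_lcp, sizeof pkt_lcp), run_sample(pkt_ctrl, sizeof pkt_ctrl));
    return 0;
}
```

A real XDP program would express the same bounds checks against `data_end` so the verifier accepts it, and the session lookup would be a `bpf_map_lookup_elem` on the map l2tpns maintains; the important property is the same: no packet is decapsulated and forwarded until the session exists and the inner source address matches it.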