10 Gbit Hardware Packet Filtering Using Commodity Network Adapters

The promise of filtering packets in hardware is not new. Unfortunately, filtering network adapters are pretty expensive, all the more so if they run at 10 Gbit. Furthermore, many commercial FPGA-based NICs feature hardware packet filtering, but they often require card reconfiguration whenever flow rules are added or removed, and they support only a limited set of configurable rules.

The release of the Intel X520, the first NIC based on the 82599 controller, has triggered my interest, as this controller is much more powerful than what Linux can do with it. Thanks to support from Intel, and in particular Joseph Gasparakis of Intel Shannon, I have jointly developed an extension to the ixgbe driver (used to drive 82599-based NICs) that adds hardware packet filtering support. Thanks to this work, users can specify up to 32K (yes, thirty-two thousand) filters that can be added on the fly without any hardware reconfiguration. And if you want the cherry on top, the cost per port of the X520 is well below $1000. So you now have no reason not to jump on the 10 Gbit wagon.

The enhanced driver is released free of charge as part of the PF_RING distribution (inside PF_RING/drivers/intel). If you also want packet capture acceleration in addition to hardware filtering, you can use TNAPI, which now supports hardware packet filtering too.

You can find more information about this work at this page.