
I was wondering if there's a difference between eBPF XDP and eBPF socket filter mode when parsing packet header information.

Say I want to retrieve a destination IP address and a source IP address from a packet header using eBPF.

If there's no difference in doing so between XDP and socket filter mode, maybe it's better to implement packet monitoring functionality in XDP instead of implementing it in a socket filter program?

If so, wouldn't it be always better to monitor every incoming packet using XDP instead of using a socket buffer since XDP can offload its operations to a NIC when used with hardware offload mode?

Thanks!

Rosè

2 Answers


If your kernel supports direct packet access for socket filter programs, there is indeed little difference between parsing them with socket filter or XDP programs.

There are however other reasons to prefer tc or socket filter programs to XDP programs. The main reason is likely that XDP has relatively few helpers available, especially compared to tc programs. Then, different program types have access to different information; for example, tc programs have partial access to the skb and socket filter programs can access socket uids and cookies.

pchaigno

As a complement to pchaigno's answer: Hardware offload has little to do here. It is supported for both XDP and TC programs, and will bring you the same performance in both cases.

Parsing packets in XDP and socket filters/TC is the same, so if you want performance go for XDP, period. Reasons NOT TO use XDP are the ones stated by pchaigno: more helpers for TC, access to socket buffer. Or lack of XDP support by your driver (in which case generic XDP should bring you performance equivalent to TC). Note that these additional helpers and socket buffer access may not be available to programs offloaded to the hardware (on Netronome NFPs, programs offloaded from XDP and TC all behave the same and have access to the same subset of helpers).

Not relevant to monitoring incoming packets, but another big advantage of TC at the moment is the ability to add filters on the egress side. As of this writing, there is work in progress to support that for XDP, but nothing merged to the kernel.

Qeole
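
An added example, not code from either answer: the bounds-checked header walk that both answers describe as identical across program types, written as plain userspace C so it runs on a constructed frame. The names `parse_ipv4_addrs`, `ip_pair` and `sample_frame` are assumptions of this example; in an eBPF program the `data` and `data_end` pointers would come from the program's context (`struct xdp_md` for XDP, `struct __sk_buff` for tc and socket filters where direct packet access is available).

```c
#include <stdint.h>
#include <stdio.h>

#define ETH_HLEN    14      /* dst MAC + src MAC + EtherType */
#define ETH_P_IPV4  0x0800
#define IPV4_MIN    20      /* IPv4 header without options */

struct ip_pair { uint32_t saddr, daddr; };   /* host byte order */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Returns 0 and fills *out for a well-formed IPv4 frame, -1 otherwise.
 * Every read is preceded by a check against data_end, the same shape of
 * check the eBPF verifier requires before direct packet access. */
int parse_ipv4_addrs(const uint8_t *data, const uint8_t *data_end, struct ip_pair *out)
{
    const uint8_t *ip = data + ETH_HLEN;

    if (data + ETH_HLEN > data_end) return -1;            /* truncated Ethernet */
    if (rd16(data + 12) != ETH_P_IPV4) return -1;         /* not IPv4 */
    if (ip + IPV4_MIN > data_end) return -1;              /* truncated IPv4 */
    if ((ip[0] >> 4) != 4 || (ip[0] & 0x0f) < 5) return -1; /* version / IHL */

    out->saddr = rd32(ip + 12);
    out->daddr = rd32(ip + 16);
    return 0;
}

/* Constructed sample frame: 192.0.2.10 -> 198.51.100.7 (checksum not set). */
static const uint8_t sample_frame[34] = {
    0x02,0,0,0,0,0x01,  0x02,0,0,0,0,0x02,  0x08,0x00,
    0x45,0x00,0x00,0x14, 0,0,0,0, 0x40,0x06,0,0,
    0xc0,0x00,0x02,0x0a, 0xc6,0x33,0x64,0x07,
};

int main(void)
{
    struct ip_pair a;
    if (parse_ipv4_addrs(sample_frame, sample_frame + sizeof(sample_frame), &a) == 0)
        printf("src=%08x dst=%08x\n", (unsigned)a.saddr, (unsigned)a.daddr);
    return 0;
}
```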