Repository files navigation

The original Open vSwitch README is available atREADME-original.md.

Oko is an extension of Open vSwitch-DPDK that provides runtime extension withBPF programs. BPF programs act as filters over packets: they are referenced asan additional match field in the OpenFlow tables and cannot write to packets.They can however read and write to persistent maps (array or hash table) toretain information on flows.

Oko was based on Open vSwitch v2.5 (commitb63bf24) and relies on amodified version ofthe ubpf project to execute BPF programs.

This version of Oko is aresearch prototype: it almost certainly containsserious bugs and should only be used for experimentation and research purposes.

To install Oko, you can follow the usualguidelines to install OpenvSwitch-DPDK. No additional dependencies are required.

$ ovs-vsctl add-port br0 dpdk0 --set Interface dpdk0 type=dpdk ofport_request=1$ ovs-vsctl add-port br0 dpdk1 --set Interface dpdk1 type=dpdk ofport_request=2$ ovs-vsctl show509b64f2-a893-490a-9fd5-7582c29e8b89    Bridge"br0"        Port"dpdk0"            Interface"dpdk0"                type: dpdk        Port"dpdk1"            Interface"dpdk1"                type: dpdk$ clang -O2 -target bpf -c examples/bpf/stateless-firewall.c -o /tmp/stateless-firewall.o$ ovs-ofctl load-filter-prog br0 1 /tmp/stateless-firewall.o$ ovs-ofctl add-flow br0 priority=1,in_port=1,filter_prog=1,actions=output:2$ ovs-ofctl add-flow br0 priority=1,in_port=2,actions=output:1$ ovs-ofctl dump-flows br0NXST_FLOW reply (xid=0x4): cookie=0x0, duration=103.730s, table=0, n_packets=0, n_bytes=0, idle_age=103, priority=1,in_port=1,filter_prog=1 actions=output:2 cookie=0x0, duration=103.842s, table=0, n_packets=0, n_bytes=0, idle_age=103, in_port=2,actions=output:1# Drop (value=1) packets destined to IP 172.16.0.14 through map 0 of filter_prog 1.$ ovs-ofctl update-map br0 1 0 key 14 0 16 172 value 1 0 0 0# Show the content of map 0 of filter_prog 1. Use 'hex' flag to print in hexadecimal format.$ ovs-ofctl dump-map br0 1 0 hexNXT_DUMP_MAP_REPLY (xid=0x4):The map contains 1 element(s)Key: 0e 00 10 acValue: 01 00 00 00

Except for thelib/bpf/lookup3.c file in the public domain, all new filesintroduced by Oko compared to Open vSwitch are licensed under Apache 2.0.Modified files from both Open vSwitch and ubpf are also licensed under theiroriginal license, Apache 2.0.

For compliance with the Apache 2.0 license, the following lists ourmodifications to the source codes of ubpf and Open vSwitch.

• Support for maps allocation (ELF parsing, memory allocation, and maprelocation).
• Support for Array, Hash table, Bloom filter, and Count-Min sketch maps.
• Increase the stack size of the virtual machine to 512.
• Fix warnings related to pointer arithmetic.
• Support for LDIND* and LDABS* bytecode instructions.
• BPF helpers to compute a hash value and retrieve the current time.
• BPF verifier for register types and variable-sized loops.

• Newfilter_prog match field in OpenFlow table.
• NewLOAD_FILTER_PROG OpenFlow message to send a BPF program to load to theswitch, as an ELF file.
• NewUPDATE_MAP OpenFlow message to write entry (key-value pair) to the BPFmap of the given BPF program.
• NewDUMP_MAP OpenFlow message to dump the BPF map of the given BPF program.
• NewSEND_MAPS action and message to send the content of maps to thecontroller.
• New filter program chain structure in the datapath to cache a succession ofBPF programs.

Paul Chaignon <paul.chaignon@orange.com>

Tomasz Osiński <tomasz.osinski2@orange.com>

Mateusz Kossakowski <mateusz.kossakowski@orange.com>