Contents 1 Developer days presentations 2 Tuesday 8th 2.1 Netfilter updates 2.2 Achievement unlocked: No central conntrack lock 2.3 OVS MPLS 2.4 nftables quick hacking HOWTO 2.5 switch-o-pocalypse 2.6 Challenge: 10Gbit/s wirespeed (and beyond) 2.7 Lessons learned from DPDK 3 Wednesday 8th 3.1 qdisc updates 3.1.1 qdisc lockless FIFO 3.2 Hardware offloads 3.3 nftables kernel 3.4 nft from userspace 3.5 nftables as socket filter / nftables JIT: Some way to merge efforts with BPF JIT? 3.6 Open vSwitch with conntrack 3.7 Use of nftables from OVS 4 Thursday 9th 4.1 ipset 4.2 nft-sync 4.3 nftables automated tests 4.4 XML/JSON support for libnftnl 4.5 ebtables/nft compatibility 4.6 ulogd2 recent work and next challenges

Developer days presentations

• When: From 8th to 9th of July.
• Audience: Linux netdev/netfilter developers

Tuesday 8th

Netfilter updates

• Who: Pablo Neira
• What: A short summary on the Netfilter kernel changes since the last workshop.
• Estimated time: 15 minutes

Achievement unlocked: No central conntrack lock

• Who: Jesper Dangaard Brouer
• What: Achievement unlocked: No central conntrack lock
• Estimated time: 15 minutes

OVS MPLS

• Slides
• Who: Simon Horman
• What: OVS MPLS
• Estimated time: 15 minutes

nftables quick hacking HOWTO

• Who: Pablo
• What: A list of pointers to save time to those that didn't have the time to have a look at nftables.
• Estimated time: 15 minutes

switch-o-pocalypse

• Who: Stephen Hemminger
• What: Bridging started out simple, but the addition of new functionality is growing to VXLAN, NIC's and external switches. Open discussion on how best to handle this
• Estimated time: 15 minutes + 15 minutes discussion

Challenge: 10Gbit/s wirespeed (and beyond)

• Who: Jesper Dangaard Brouer
• What: Understand engineering challenge behind 10Gbit/s wirespeed smallest frame single core, and the main tricks making this possible.
• Estimated time: 45 minutes + 30 minutes flame/discussion.

Lessons learned from DPDK

• Who: Stephen Hemminger
• What: Are any of the performance advantages of DPDK applicable to Linux?
• Estimated time: 10 min Intro + 20 min discussion / flames

Wednesday 8th

qdisc updates

• Who: John Fastabend
• What: Summary of work to port qdisc lock to RCU and discussion on what else should be done.
• Estimated time: 30 minutes + 15 minutes discussion

qdisc lockless FIFO

• Who: Jesper Dangaard Brouer
• What: After John Fastabend's work is complete, we need a lockless qdisc implementation. I've implemented a lockless FIFO, discussing the first results, and possible pitfalls.
• Estimated time: 30 minutes + 30 minutes discussion

Hardware offloads

• Who: John Fastabend
• What: Possibility for hardware offload support?
• Estimated time: 10 minutes + 10 minutes

nftables kernel

• Who: Patrick McHardy / Pablo Neira
• What: What's done, what needs to be fixed/done and future things coming.
• Estimated time: 30 minutes + 30 minutes discussion.

nft from userspace

• Who: Patrick McHardy / Pablo Neira
• What: What's done, what needs to be fixed/done and future things coming.
• Estimated time: 30 minutes + 30 minutes discussion.

nftables as socket filter / nftables JIT: Some way to merge efforts with BPF JIT?

• Who: Pablo / Alexei
• What: nftables as an alternative to BPF
• Estimated time: 30 minutes presentation + 30 minutes discussion

Open vSwitch with conntrack

• Slides
• Who: Jesse Gross
• What: Open vSwitch has mostly focused on stateless flow table entries but integrating other kernel components such as conntracking would improve functionality and performance. Description of prototype work that has been done plus discussion.
• Estimated time: 15 minutes + 15 minutes discussion

Use of nftables from OVS

• Slides
• Who: Thomas Graf
• What: Given the conntrack work done by Jesse, OVS could make use of the existing nftables codebase to provide generic, powerful packet rewrite features to implement stateful NAT at L2-L4 and eventually L4+.
• Estimated time: 10 min Intro + 20 min discussion / flames

Thursday 9th

ipset

• Who: Jozsef Kadlecsik
• What: Updates on ipset.
• Estimated time: 15min

nft-sync

• Who: Arturo Borrero Gonzalez
• What: nft-sync, a new userspace tool to distribute a nftables ruleset across the network.
• Estimated time: 15 minutes + 10 minutes for discussion (estimated)

nftables automated tests

• Who: Ana Rey
• What: Test System in nft
• Estimated time: 10 minutes + 20 minutes discussion (testing packet path)
• Talk: File:Workshop-nft-test.pdf

XML/JSON support for libnftnl

• Who: Álvaro Neira
• What: XML/JSON support for libnftnl
• Estimated time: 15 minutes

ebtables/nft compatibility

• Who: Giussepe Longo
• What: Translate an ebtables ruleset to a nftables one
• Estimated time: 10 minutes

ulogd2 recent work and next challenges

• Who: Eric Leblond
• What: A point of work done since last workshop (JSON, DB ring) and a discussion on next steps
• Estimated time: 15 minutes + 15 minutes discussion