By moving network functionality from dedicated hardware to software running on end-hosts, Network Functions Virtualization (NFV) pledges the benefits of cloud computing to packet processing. While most of the NFV frameworks today rely on kernel-bypass approaches, no attention has been given to kernel packet processing, which has always proved hard to evolve and to program. In this article, we present Polycube, a software framework whose main goal is to bring the power of NFV to in-kernel packet processing applications, enabling a level of flexibility and customization that was unthinkable before. Polycube enables the creation of arbitrary and complex network function chains, where each function can include an efficient in-kernel data plane and a flexible user-space control plane with strong characteristics of isolation, persistence, and composability. Polycube network functions, called Cubes, can be dynamically generated and injected into the kernel networking stack, without requiring custom kernels or specific kernel modules, simplifying the debugging and introspection, which are two fundamental properties in recent cloud environments. We validate the framework by showing significant improvements over existing applications, and we prove the generality of the Polycube programming model through the implementation of complex use cases such as a network provider for Kubernetes.

中文翻译：

---

微服务时代基于eBPF的网络功能框架

通过将网络功能从专用硬件转移到在最终主机上运行的软件，网络功能虚拟化（NFV）保证了云计算在数据包处理方面的优势。尽管当今大多数NFV框架都依赖于内核绕过方法，但并未关注内核数据包处理，事实证明，这种处理很难发展和编程。在本文中，我们介绍了Polycube，这是一个软件框架，其主要目标是将NFV的功能引入内核数据包处理应用程序，从而实现前所未有的灵活性和自定义级别。Polycube支持创建任意和复杂的网络功能链，其中每个功能可以包括高效的内核数据平面和灵活的用户空间控制平面，并具有强大的隔离，持久性，和可组合性。Polycube网络功能（称为Cubes）可以动态生成并注入到内核网络堆栈中，而无需自定义内核或特定的内核模块，从而简化了调试和自省，这是最近云环境中的两个基本属性。我们通过显示对现有应用程序的重大改进来验证框架，并通过实现复杂的用例（例如Kubernetes的网络提供商）来证明Polycube编程模型的普遍性。