Abstract: Some embodiments provide a method for a first smart NIC of multiple smart NICs of a host computer. Each of the smart NICs executes a smart NIC operating system that performs virtual networking operations for a set of data compute machines executing on the host computer. The method receives a data message sent by one of the data compute machines executing on the host computer. The method performs virtual networking operations on the data message to determine that the data message is to be transmitted from a port of a second smart NIC of the multiple smart NICs. The method passes the data message to the second smart NIC via a private communication channel connecting the plurality of smart NICs.

Abstract: Some embodiments provide a method for a first smart NIC of multiple smart NICs of a host computer. Each of the smart NICs executes a smart NIC operating system that performs networking operations for a set of data compute machines executing on the host computer. When the first smart NIC identifies itself as an active smart NIC for the host computer, the first smart NIC sends a first message through a datapath to a second smart NIC to verify whether the second smart NIC identifies as an active smart NIC or a standby smart NIC. If the second smart NIC sends a reply second message to the first smart NIC through the datapath, the first smart NIC (i) determines that the second smart NIC identifies as a standby smart NIC and (ii) operates to process data traffic sent to and from the host computer as the active smart NIC.

Abstract: Some embodiments provide a novel method for forwarding data messages between first and second host computers. To send, to a first machine of the first host, a second flow from a second machine of the second host in response to a first flow from the first machine, the method identifies from a set of tunnel endpoints (TEPs) of the first host a TEP that is a source TEP of the first flow. The method uses the identified TEP to identify one non-uniform memory access (NUMA) node of a set of NUMA nodes of the first host as the NUMA node associated with the first flow. The method selects, from a subset of TEPs of the first host that is associated with the identified NUMA node, one TEP as a destination TEP of the second flow. The method sends the second flow to the selected TEP of the first host.

Abstract: Some embodiments of the invention provide a method for configuring a physical network card or physical network controller (pNIC) to provide flow processing offload (FPO) for a host computer connected to the pNIC. The host computers host a set of compute nodes in a virtual network. The set of compute nodes are each associated with a set of interfaces that are each assigned a locally-unique virtual port identifier (VPID) by a flow processing and action generator. The pNIC includes a set of interfaces that are assigned physical port identifiers (PPIDs) by the pNIC. The method includes providing the pNIC with a set of mappings between VPIDs and PPIDs. The method also includes sending updates to the mappings as compute nodes migrate, connect to different interfaces of the pNIC, are assigned different VPIDs, etc.

Abstract: Example methods and systems for receive side scaling (RSS) are described. In one example, a computer system may generate and send instruction(s) to the programmable physical network interface controller (PNIC) to configure a first flow entry that associates a first packet flow with a first queue and a second flow entry that associates a second packet flow with a second queue. In response to receiving a first packet that is associated with the first packet flow, the programmable PNIC may match the first packet with the first flow entry and steer the first packet towards the first queue for processing by a first processing thread. In response to receiving a second packet that is associated with the second packet flow, the programmable PNIC may match the second packet with the second flow entry and steer the second packet towards the second queue for processing by a second processing thread.

Abstract: Some embodiments provide a method for a first smart NIC of multiple smart NICs of a host computer. Each of the smart NICs executes a smart NIC operating system that performs virtual networking operations for a set of data compute machines executing on the host computer. The method receives a data message sent by one of the data compute machines executing on the host computer. The method performs virtual networking operations on the data message to determine that the data message is to be transmitted from a port of a second smart NIC of the multiple smart NICs. The method passes the data message to the second smart NIC via a private communication channel connecting the plurality of smart NICs.

Abstract: A first host receives a packet from a first compute node for a second compute node of a second host. The payload is larger than a maximum transmission unit size. The first packet is encapsulated with an outer header. The first host analyzes a length of at least a portion of the outer header in determining a size of an encrypted segment of the payload. Then, the first host forms a plurality of packets where each packet in the packets includes an encrypted segment of the payload, a respective encryption header, and a respective authentication value. The payload of the first packet is segmented to form a plurality of encrypted segments based on the size. The first host sends the packets to the second host and receives an indication that a packet was not received. A second packet including the encrypted segment is sent to the second compute node.

Abstract: Some embodiments provide a novel method for processing flows at an embedded hardware switch of a physical network interface card (PNIC) connected to a host computer. A firewall of the PNIC detects an end of a particular data message flow associated with a particular VM of the host computer. Processing of the particular data message flow was offloaded from the firewall to an embedded hardware switch of the PNIC. After detecting the end of the particular data message flow, the firewall ends offloading of the particular data message flow by deleting a first flow record stored at the embedded hardware switch for the particular data message flow. The firewall deletes a second flow record stored at the first firewall for the particular data message flow.

Abstract: Examples described herein include efficient data packet transmission between virtual machines (“VMs”) on different hosts. An example method includes generating a large data packet at a source VM and determining a modified maximum segment size for efficient transmission. This modified size replaces the default maximum segment size through a TSO MSS override. Segmentation occurs based on the modified size, and the data segments are transmitted to the destination VM, even if on a different host. Dynamic determination of the modified size optimizes data transmission efficiency and network performance. It accounts for network headers and enables efficient transmission with or without large receiving offload (“LRO”) support. Additionally, non-transitory computer-readable media and servers implementing the method are disclosed. These systems and methods achieve streamlined data transmission, improving network performance and reducing processing overhead.

Abstract: Some embodiments provide a novel method for migrating virtual machines (VMs) from a first host computer to a second host computer. The first host computer is connected to a physical network interface card (PNIC) that performs middlebox service operations for flows associated with the VMs. At the PNIC, the method receives a notification that a VM is to be migrated from the first to the second host computer. The method configures an embedded hardware switch of the PNIC to forward a set of flows associated with the VM to a firewall of the PNIC. The embedded hardware switch was initially programmed to process the set of flows instead of the firewall. The method synchronizes flow cache information regarding the set of flows from the embedded hardware switch to the firewall. The method processes the set of flows at the firewall until the VM is migrated to the second host computer.

Abstract: Some embodiments provide a novel method for using connection tracking records to process data messages at a physical network interface card (PNIC) connected to a host computer. A first software firewall of the PNIC determines whether processing of a flow is passable to a second software firewall of the PNIC and to a third hardware firewall of the PNIC. The first software firewall creates a connection tracking record for the flow and data specifying whether processing of the flow is passable to the second software firewall and independently whether processing of the flow is passable to the third hardware firewall. The first software firewall provides the connection tracking record and said data to the second software firewall of the PNIC so that the second software firewall processes the flow or passes the connection tracking record and the data to the third hardware firewall if determination was that the flow is passable to the third hardware firewall.

Abstract: Some embodiments provide a novel method for updating firewall rules for data message flows processed at a physical network interface card (PNIC) connected to a host computer. A firewall of the PNIC receives an update to a particular firewall rule. The firewall identifies a particular data message flow that is processed at an embedded hardware switch of the PNIC using the particular firewall rule. The firewall updates a flow record associated with the particular data message flow to reflect the received update to the particular firewall rule. The firewall provides the updated flow record to the embedded hardware switch for the embedded hardware switch to process the particular flow according to the received update.

Abstract: Some embodiments provide a novel method for offloading firewall operations from a host computer executing a set of one or more virtual machines (VMs) to a physical network interface card (PNIC) connected to the host computer. The method configures, on the PNIC, a first firewall to determine actions to perform on flows associated with the set of VMs, and to offload processing of the flows to a flow-cache second firewall of the PNIC. The method configures, on the PNIC, the flow-cache second firewall to process a first set of flows based on a first set of actions determined by the first firewall, and to offload processing of a second set of flows to an embedded hardware switch of the PNIC. The method configures, on the PNIC, the embedded hardware switch to process the second set of flows based on a second set of actions determined by the first firewall.

Abstract: Some embodiments of the invention provide a method of migrating a VM from a first host computer to a second host computer, the first host computer having a first PNIC that performs at least one of network forwarding operations and middlebox service operations for the VM. At an RDMA client executing on a set of one or more processors of the first host computer, the method directs an RDMA server executing on the first PNIC to provide networking state data associated with at least one of network forwarding operations and middlebox service operations that the first PNIC performs for the VM. The provided networking state data resides in a memory of the first PNIC that is accessible to the RDMA server. At the RDMA client, the method provides the obtained networking state data to the second host computer as part of a data migration that is performed to migrate the VM from the first host computer to the second host computer.

Abstract: Some embodiments of the invention provide a method of migrating a virtual machine (VM) from a first host computer to a second host computer, the first host computer having a first PNIC, the second host computer having a second PNIC, the first and second PNICs for performing at least one of network forwarding operations and middlebox service operations for the VM. At an RDMA client executing on a set of one or more processors of the second PNIC, the method receives a notification from the second host computer indicating a data migration that is performed to migrate the particular VM from the first host computer to the second host computer has started. Based on the notification, at the RDMA client, the method directs an RDMA server executing on the first PNIC to provide networking state data associated with at least one of network forwarding operations and middlebox service operations that the first PNIC performs for the VM.

Abstract: In some embodiments, a method fragments a first packet into a plurality of fragments when a length of an encapsulated first packet is larger than a maximum transmission unit size. For each fragment in the plurality of fragments, fragmentation information is generated. The method encapsulates each fragment in the plurality of fragments with an outer header to form a plurality of encapsulated packets. The respective fragmentation information for each fragment is inserted in a portion of the outer header that is processed by endpoints of an overlay tunnel and not processed by a device along a path of the overlay tunnel. The plurality of encapsulated packets are sent via the overlay tunnel.

Abstract: Some embodiments of the invention provide a method for configuring a physical network card or physical network controller (pNIC) to provide flow processing offload (FPO) for a host computer connected to the pNIC. The host computers host a set of compute nodes in a virtual network. The set of compute nodes are each associated with a set of interfaces that are each assigned a locally-unique virtual port identifier (VPID) by a flow processing and action generator. The pNIC includes a set of interfaces that are assigned physical port identifiers (PPIDs) by the pNIC. The method includes providing the pNIC with a set of mappings between VPIDs and PPIDs. The method also includes sending updates to the mappings as compute nodes migrate, connect to different interfaces of the pNIC, are assigned different VPIDs, etc.

Abstract: Some embodiments of the invention provide a method for configuring multiple hardware offload units of a host computer to perform operations on packets associated with machines (e.g., virtual machines or containers) executing on the host computer and to pass the packets between each other efficiently. For instance, in some embodiments, the method configures a program executing on the host computer to identify a first hardware offload unit that has to perform a first operation on a packet associated with a particular machine and to provide the packet to the first hardware offload unit. The packet in some embodiments is a packet that the particular machine has sent to a destination machine on the network, or is a packet received from a source machine through a network and destined to the particular machine.

Abstract: In some embodiments, a method fragments a first packet into a plurality of fragments when a length of an encapsulated first packet is larger than a maximum transmission unit size. For each fragment in the plurality of fragments, fragmentation information is generated. The method encapsulates each fragment in the plurality of fragments with an outer header to form a plurality of encapsulated packets. The respective fragmentation information for each fragment is inserted in a portion of the outer header that is processed by endpoints of an overlay tunnel and not processed by a device along a path of the overlay tunnel. The plurality of encapsulated packets are sent via the overlay tunnel.

Abstract: Some embodiments of the invention provide a method for configuring multiple hardware offload units of a host computer to perform operations on packets associated with machines (e.g., virtual machines or containers) executing on the host computer and to pass the packets between each other efficiently. For instance, in some embodiments, the method configures a program executing on the host computer to identify a first hardware offload unit that has to perform a first operation on a packet associated with a particular machine and to provide the packet to the first hardware offload unit. The packet in some embodiments is a packet that the particular machine has sent to a destination machine on the network, or is a packet received from a source machine through a network and destined to the particular machine.