In computing environments, virtual switches may be used that comprise software modules capable of providing a communication platform for one or more virtual nodes in the computing environment. These virtual switches may provide switching operations, routing operations, distributed firewall operations, and the like, and may be used to intelligently direct communication on the network by inspecting packets before passing them to other computing nodes (both real and virtual). For example, packets may be inspected to determine the source and destination internet protocol (IP) addresses to determine if the communication is permitted to be delivered to the destination computing node. In some implementations, software defined networks may be designed with packet forwarding configurations that indicate actions to be taken against each communicated packet. The packet forwarding configurations may identify specific attributes, such as IP addresses, media access control (MAC) addresses, and the like within the data packet and, when identified, provide a set of actions to be asserted against the data packet. These actions may include modifications to the data packet, and forwarding rules for the data packet, amongst other possible operations.
In some implementations, to provide the virtual switching operations, the virtual switch may be required to transmit and receive packets for the virtual nodes over one or more physical network interfaces of the host computing system. To support the communication of these packets over the physical network interfaces, the host may be capable of configuring the physical network interfaces to maintain a quality of service for packets destined for the virtual nodes by implementing filters for received packets. However, difficulties can arise in classifying data packets destined for nested virtual nodes, such as a container operating within a virtual machine, or a virtual machine operating within a virtual machine. Further, the memory allocated to the physical network interfaces may limit the number of filters that can be implemented at the interfaces. Consequently, given these memory constraints, difficulties arise in determining which of the virtual nodes operating on the host system should receive a packet filter.
Overview
The technology disclosed herein enhances the management of data packet communications for virtual nodes over a physical network interface. In one implementation, a method of managing packet filters for physical network interfaces of a host computing system includes obtaining dispatch statistics for media access control (MAC) addresses associated with virtual nodes communicating over physical network interfaces via a virtual switch. The method further provides, for each MAC address in the MAC addresses, identifying a priority value based on the virtual network interface port and the physical network interface on which the virtual switch identified the MAC address, and identifying a subset of the MAC addresses that meet filter criteria based on the priority values. The method also includes identifying a filter configuration for the subset of the MAC addresses based on the dispatch statistics for the subset of the MAC addresses, and applying the filter configuration at the physical network interfaces.
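The following is an added worked illustration of the method in the overview, not code from the patent: MAC addresses seen by the virtual switch are given a priority from their port/NIC pair, those meeting a priority criterion are ranked using the dispatch statistics, and the ranking is truncated to a per-NIC filter budget that stands in for the interface memory constraint. The priority table, NIC weights, budget and traffic sample are all constructed assumptions, since the text does not specify how priority values are derived.

```python
"""Added illustration of the overview: rank MAC addresses seen by the virtual
switch and fit them into a per-NIC filter budget. Not the patent's code; the
priority table, weights, budget and traffic sample are constructed assumptions."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Dispatch:
    mac: str    # destination MAC of a packet the virtual switch dispatched
    vport: str  # virtual network interface port it was dispatched to
    pnic: str   # physical network interface it was received on


# Assumption: the patent does not state how priority is derived from the
# port/NIC pair; here a per-port rank is scaled by a per-NIC weight.
PORT_PRIORITY = {"vport1": 3, "vport2": 1, "vport3": 2}
PNIC_WEIGHT = {"vmnic0": 1.0, "vmnic1": 0.5}
# Constructed filter budget: how many MAC filters each NIC's memory can hold.
BUDGET = {"vmnic0": 2, "vmnic1": 1}

# Constructed traffic sample (locally administered MACs). vport2 receives the
# most packets but has the lowest priority, so it loses out under the budget.
SAMPLE = ([Dispatch("02:00:00:00:00:01", "vport1", "vmnic0")] * 40
          + [Dispatch("02:00:00:00:00:02", "vport2", "vmnic0")] * 500
          + [Dispatch("02:00:00:00:00:03", "vport3", "vmnic0")] * 120
          + [Dispatch("02:00:00:00:00:04", "vport3", "vmnic1")] * 300)


def dispatch_statistics(dispatches):
    """Packet counts per (mac, vport, pnic): the 'dispatch statistics'."""
    return Counter((d.mac, d.vport, d.pnic) for d in dispatches)


def priority(vport, pnic):
    """Priority value for a MAC identified on this port/NIC pair."""
    return PORT_PRIORITY.get(vport, 0) * PNIC_WEIGHT.get(pnic, 0.0)


def select_filters(stats, budget, min_priority=1.0):
    """Return {pnic: [mac, ...]}: the subset of MACs meeting the filter
    criterion (priority >= min_priority), ordered by priority and then by
    dispatched packet count, truncated to each NIC's filter budget."""
    ranked = {pnic: [] for pnic in budget}
    for (mac, vport, pnic), count in stats.items():
        p = priority(vport, pnic)
        if p >= min_priority and pnic in ranked:
            ranked[pnic].append((-p, -count, mac))
    return {pnic: [mac for _, _, mac in sorted(rows)[:budget[pnic]]]
            for pnic, rows in ranked.items()}
```

Running `select_filters(dispatch_statistics(SAMPLE), BUDGET)` gives vmnic0 filters for the vport1 and vport3 MACs only: the high-volume vport2 MAC is dropped because the budget is exhausted by higher-priority ports, which is the trade-off the memory constraint forces.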