Field
Embodiments of the present invention generally relate to the field of computer networking. In particular, various embodiments relate to dynamically limiting the rate at which a network interface controller (NIC) transmits data packets to a host central processing unit (CPU) of a network appliance.
Description of the Related Art
In a network system, a network appliance, such as a firewall, may control network traffic at the border of a network. The network appliance may include one or more host CPUs and one or more NICs. The NICs are typically coupled to the host CPUs through a bus system. The NICs receive data packets from the network through network links, such as optical fiber cables, and transmit the data packets to the host CPUs through the bus system. The host CPUs may scan the data packets based on policies configured by an administrator of the network. The network appliance forwards a data packet to its destination only if the data packet complies with the configured policies.
The data packet scanning may be performed within a kernel of an operating system, such as Linux, where it typically runs at a higher priority than user space applications. When the network appliance is experiencing heavy network traffic, a large number of data packets are transmitted from a NIC to a host CPU in a short time. The host CPU may be kept busy handling the data packets in the kernel, thereby leaving few, if any, CPU cycles for user space applications or other tasks.
Some user space applications are critical and must be guaranteed a share of CPU cycles at regular intervals. Failure by the network appliance to spare CPU cycles for user space applications and other tasks may cause critical issues. For example, a user of the network appliance may receive a delayed response, or no response at all, from an application when the operating system is overwhelmed by processing of data packets from the network. In a multi-core system, the problem may still exist because modern NICs support Message Signaled Interrupts Extended (MSI-X) and can distribute their receive queues and interrupts across multiple CPUs. As such, during high-traffic periods, even the multiple CPUs of a multi-core system may become weighed down handling data packets in kernel space, again potentially starving user space applications and/or other lower priority tasks.
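On a Linux host, the condition described above (kernel packet processing consuming most of every CPU, including all CPUs of a multi-core system once MSI-X spreads the NIC's interrupts) is visible in /proc/softirqs: the NET_RX counter for each CPU climbs quickly while user space stalls. The following script is an added diagnostic, not part of the patent text; it parses two /proc/softirqs snapshots and reports the per-CPU NET_RX softirq rate. The two snapshots, the 4-CPU layout and the alert threshold are constructed for illustration; on a real appliance the script reads the live file twice.

```python
"""Per-CPU NET_RX softirq rate from two /proc/softirqs snapshots.

Added diagnostic (not from the patent). NET_RX counts softirq invocations,
not packets; each invocation may process many packets, so the rate is a
proxy for how busy the kernel receive path keeps each CPU.
"""
import time

# Constructed snapshots imitating /proc/softirqs on a 4-CPU host, 1 s apart.
SNAPSHOT_T0 = """\
                    CPU0       CPU1       CPU2       CPU3
          HI:          0          0          0          0
       TIMER:     100000     100000     100000     100000
      NET_TX:        500        500        500        500
      NET_RX:    5000000    4800000    5100000    4900000
       BLOCK:       1000       1000       1000       1000
"""
SNAPSHOT_T1 = """\
                    CPU0       CPU1       CPU2       CPU3
          HI:          0          0          0          0
       TIMER:     100250     100250     100250     100250
      NET_TX:        600        600        600        600
      NET_RX:    5900000    5650000    6000000    5800000
       BLOCK:       1100       1100       1100       1100
"""


def parse_softirqs(text):
    """Return {softirq_name: [count per CPU]} from /proc/softirqs content."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    ncpu = len(lines[0].split())  # header row lists one CPUn label per CPU
    table = {}
    for line in lines[1:]:
        name, _, rest = line.partition(":")
        counts = [int(c) for c in rest.split()]
        if len(counts) != ncpu:
            raise ValueError("malformed softirq row: %r" % line)
        table[name.strip()] = counts
    return table


def net_rx_rate(before, after, interval):
    """Per-CPU NET_RX softirq invocations per second between two snapshots."""
    old = parse_softirqs(before)["NET_RX"]
    new = parse_softirqs(after)["NET_RX"]
    if len(old) != len(new):
        raise ValueError("CPU count changed between snapshots")
    return [(n - o) / interval for o, n in zip(old, new)]


def saturated_cpus(before, after, interval, threshold):
    """Indices of CPUs whose NET_RX rate exceeds threshold (per second).

    With MSI-X spreading receive queues over all CPUs, a flood shows up on
    every CPU at once, which is the multi-core case the text describes.
    """
    rates = net_rx_rate(before, after, interval)
    return [cpu for cpu, r in enumerate(rates) if r > threshold]


def sample_live(interval=1.0):
    """Read /proc/softirqs twice, `interval` seconds apart (Linux only)."""
    with open("/proc/softirqs") as fh:
        before = fh.read()
    time.sleep(interval)
    with open("/proc/softirqs") as fh:
        after = fh.read()
    return before, after


if __name__ == "__main__":
    # 500000 NET_RX invocations/s per CPU is an assumed alert threshold.
    rates = net_rx_rate(SNAPSHOT_T0, SNAPSHOT_T1, 1.0)
    for cpu, r in enumerate(rates):
        print("CPU%d: %.0f NET_RX/s" % (cpu, r))
    print("saturated:", saturated_cpus(SNAPSHOT_T0, SNAPSHOT_T1, 1.0, 500000))
```

Run it as-is to see the constructed case; replace the two constants with the pair returned by sample_live() to measure a real host. If every CPU appears in the saturated list while user space is unresponsive, the appliance is in the state that motivates rate-limiting NIC delivery to the host CPUs.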
Therefore, there is a need to limit the rate at which a NIC transmits data packets to a host CPU so that the host CPU can spare cycles for user space applications and other tasks.