Specific embodiments of the invention will now be described in detail with reference to the accompanying figures. Like elements in the various figures are denoted by like reference numerals for consistency.
In the following detailed description of embodiments of the invention, numerous specific details are set forth in order to provide a more thorough understanding of the invention. However, it will be apparent to one of ordinary skill in the art that the invention may be practiced without these specific details. In other instances, well-known features have not been described in detail to avoid unnecessarily complicating the description.
In general, embodiments of the invention relate to a method and system for programming a classifier (hardware or software) to route packets to a virtual machine. In one embodiment of the invention, the aforementioned routing allows the packets to be forwarded to the virtual machine without the host having to determine to which virtual machine to send the packets. Said another way, embodiments of the invention off-load the classification of the packets from an application residing on the host to network interface card (NIC) hardware or a Media Access Control (MAC) level component in the host.
In addition, embodiments of the invention provide a mechanism for discovering NICs and obtaining the hardware information associated with the NICs. In general, the hardware information corresponds to information about various hardware resources (e.g., receive rings, transmit rings, hardware classifier functionality) as well as information about the various control functions that may be used to control the aforementioned hardware resources.
In one embodiment of the invention, the hardware classifier (104) is configured to analyze the incoming network traffic, typically in the form of packets, received from the network (not shown). In one embodiment of the invention, analyzing individual packets includes determining to which of the HRRs (106, 108, 110) each packet is sent. In one embodiment of the invention, analyzing the packets by the hardware classifier (104) includes analyzing one or more fields in each of the packets to determine to which of the HRRs (106, 108, 110) the packets are sent. As an alternative, the hardware classifier (104) may use the contents of one or more fields in each packet as an index into a data structure that includes information necessary to determine to which HRR (106, 108, 110) that packet is sent.
The hardware classifier (104) may be implemented entirely in hardware (i.e., the hardware classifier (104) may be a separate microprocessor embedded on the NIC (102)). Alternatively, the hardware classifier (104) may be implemented in software stored in memory (e.g., firmware, etc.) on the NIC (102) and executed by a microprocessor on the NIC (102).
In one embodiment of the invention, the host (100) may include the following components: a device driver (114), a software ring (152), one or more virtual network interface cards (VNICs) (116, 118, 120, 122), one or more virtual network stacks (VNSs) (124), one or more packet destinations (132), one or more interfaces (126, 128, 130), and one or more virtual machines (140, 142, 144). Each of the aforementioned components is described below.
In one embodiment of the invention, the device driver (114) provides an interface between the HRRs (106, 108, 110) and the host (100). More specifically, the device driver (114) exposes the HRRs (106, 108, 110) to the host (100) such that the host (100) (or, more specifically, a process executing on the host) (100) may obtain packets from the HRRs (106, 108, 110).
In one embodiment of the invention, the software ring (152) includes a software classifier (112) and a number of software receive rings (SRR) (e.g., 148, 150). In one embodiment of the invention, the software classifier (152) has the same functionality as the hardware classifier (104). However, instead of sending the classified packets to a HRR (106, 108, 110), the software classifier (112) forwards classified packets to one of the SRRs (148, 150). The SRRs (148, 150) are configured to temporarily store the received packets after being classified by the software classifier (112). In one embodiment of the invention, the software ring (152) resides in a Media Access Control (MAC) layer (146) of the host (100).
In one embodiment of the invention, each of the VNICs (116, 118, 120, 122) is associated with either a SRR (112A, 112B) or a HRR (106, 108, 110). The VNICs (116, 118, 120, 122) provide an abstraction layer between the NIC (102) and the various packet destinations (132) or virtual machines (134, 136, 136) executing on the host (100). More specifically, each VNIC (116, 118, 120, 122) operates like a NIC (102). For example, in one embodiment of the invention, each VNIC (116, 118, 120, 122) is associated with one or more Internet Protocol (IP) addresses, one or more Media Access Control (MAC) addresses, optionally, one or more ports, and, is optionally configured to handle one or more protocol types. Thus, while the host (100) may be operatively connected to a single NIC (102), packet destinations (132) and virtual machines (140, 142, 144) executing on the host (100)) operate as if the host (100) is bound to multiple NICs. In one embodiment of the invention, the VNICs (116, 118, 120, 122) reside in a Media Access Control (MAC) layer of the host (100).
Each of the VNICs (116, 118, 120, 122) is operatively connected to a corresponding VNS (124). In one embodiment of the invention, each VNS (124) includes functionality to process packets in accordance with various protocols used to send and receive packets (e.g., Transmission Communication Protocol (TCP), Internet Protocol (IP), User Datagram Protocol (UDP), etc.). Further, each VNS (124) may also include functionality, as needed, to perform additional processing on the incoming and outgoing packets. This additional processing may include, but is not limited to, cryptographic processing, firewall routing, etc.
In one embodiment of the invention, each VNS (124) includes network layer and transport layer functionality. In one embodiment of the invention, network layer functionality corresponds to functionality to manage packet addressing and delivery on a network (e.g., functionality to support IP, Address Resolution Protocol (ARP), Internet Control Message Protocol, etc.). In one embodiment of the invention, transport layer functionality corresponds to functionality to manage the transfer of packets on the network (e.g., functionality to support TCP, UDP, Stream Control Transmission Protocol (SCTP), etc.). The structure and functionality of the VNSs (124) is discussed in
As discussed above, the host (100) includes one or more packet destinations (132). In one embodiment of the invention, the packet destination(s) (132) corresponds to any process (or group of processes) executing on the host that is configured to send and/or receive network traffic. Further, the packet destination(s) (132) does not include an internal network stack (i.e., there is no network stack within the packet destination); rather, the packet destination (132) is associated with a VNS (124).
Examples of packet destinations (132) include, but are not limited to containers, services (e.g., web server), etc. As shown in
In one embodiment of the invention, each VNS (124) is associated with a bandwidth allocation. Those skilled in the art will appreciate that if there is only one VNS (124) bound to the packet destination (132), then the bandwidth allocation of the VNS (124) corresponds to the bandwidth allocated to the packet destination (132). In one embodiment of the invention, the bandwidth allocation corresponds to the number of packets the packet destination may receive in a given time interval (e.g., megabytes per seconds). The bandwidth allocation for a given packet destination is enforced by the VNS operating in polling mode (discussed in
In one embodiment of the invention, the VNIC (116, 118, 120, 122) may be bound to a virtual machine (140, 142, 144) (e.g., Xen Domain) instead of a packet destination (124). In such cases, the VNIC is bound to an interface (126, 128, 130) (e.g., a Xen interface), where the interface enables the VNIC to communicate to with the virtual machine. In one embodiment of the invention, each of the aforementioned virtual machines includes its own network stack (e.g., 134, 136, 138) and includes its own operating system (OS) instance, which may be different than the OS executing on the host. In one embodiment of the invention, each virtual machine (140, 142, 144) is associated with its own MAC address and IP address (which may be static or obtained using Dynamic Host Configuration Protocol (DHCP)). Further, the VNIC associated with the virtual machine (e.g., VNIC 2 (118) is associated with VM 1 (140) in
In one embodiment, the IP layer (202) is configured to receive packets from the VNIC associated with the VNS (204) (e.g., VNS (124) receives packets from VNIC 1 (116) in
Continuing with the discussion of
In one embodiment of the invention, the transport layer (206) is configured to process inbound and outbound packets in accordance with Transmission Control Protocol (TCP), User Datagram Protocol (UDP), or both UDP and TCP. Other protocols may be supported by the transport layer (206).
In one embodiment of the invention, the outbound VSQ (208) is a queue data structure configured to receive packets from the packet destination (e.g.,
132) with which the VNS (204) is associated. Further, the outbound VSQ (208) is configured to store packets prior to sending the received packets to the transport layer (206). In one embodiment of the invention, the outbound VSQ (208) is also configured to control the flow of packets from the packet destination (e.g., 132) associated with the VNS (204) to the VNS (200). In one embodiment of the invention, the outbound VSQ (208) (or a related process) is configured to block an application for sending packets to the outbound VSQ (208), if the packet destination (e.g., 132) is attempting to issue packets at a higher rate than the outbound bandwidth allocated to the packet destination (e.g., 132). Further, the outbound VSQ (208) (or a related process) is configured to notify the packet destination (e.g., 132) when it is no longer blocked from issuing packets to the VNS (200).
In one embodiment of the invention, the inbound VSQ (204) and outbound VSQ (208) are each configured to enforce the manner in which packets are processed. Specifically, the inbound VSQ (204) and outbound VSQ (208) may be configured to enforce the packet processing requirements imposed by the transport layer (206). For example, TCP requires serial processing of packets. Thus, the inbound VSQ (204) and outbound VSQ (208) may require all threads accessing the inbound VSQ (204) and outbound VSQ (208) to conform to a mutual exclusion policy. In one embodiment of the invention, the mutual exclusion policy requires that only one thread may access the VSQ (inbound or outbound) at a time. Thus, if two threads are attempting to access a given VSQ (inbound or outbound), one thread must wait until the other thread has finished accessing the VSQ (inbound or outbound).
Alternatively, if the transport layer (206) only supports UDP, then the inbound VSQ (204) and outbound VSQ (208) may be configured to allow concurrent access. Said another way, two or more threads may concurrently access the VSQ (inbound or outbound). In one embodiment of the invention, if the transport layer (206) is configured to process both TCP and UDP packets, then the inbound VSQ (204) and outbound VSQ (208) are configured to conform to the more stringent standard (e.g., TCP if the transport layer supports both TCP and UDP).
In one embodiment of the invention, the inbound VSQ (204) and the outbound VSQ (208) are implemented as a single bi-directional VSQ. In such cases, the bi-directional VSQ includes a single set of configuration parameters (discussed above) to enforce the manner in which packets are processed. Further, the enforcement of the configuration parameters is performed on a VSQ-basis (as opposed to a per-direction basis). For example, if the bi-directional VSQ enforces a mutual exclusion policy, then only one thread may access the bi-directional VSQ at a time.
Continuing with the discussion of
The device driver subsequently obtains hardware information from the NIC (Step 305). In one embodiment of the invention, hardware information corresponds to information about the hardware resources on the NIC. The hardware resources may include, but are not limited to, hardware receive rings (HRRs) (e.g., 106 in
In one embodiment of the invention, the hardware information may also include information about various control functions (and related information) used to control the aforementioned hardware resources on the NIC. The following is a non-exhaustive list of control functions (and related information) which may be obtained from the NIC: (i) a listing of the properties of each of the HRRs and TRRs on the NIC (the properties may includes information about the maximum number of packets each of the HRRs and TRRs may store); (ii) a function entry point for each of the HRRs, where the function entry point is used to individually poll (discussed below) each of the HRRs; (iii) an interrupt control function for each of the HRRs, where the interrupt control functions allow Interrupt Mode (discussed below) to be enabled or disabled on a per-HRR basis; (iv) a message signaled interrupt (MSI) control function for each of the HRRs, where the MSI control function provides information about the level of MSI available for each HRR as well as functionality to assign an HRR to a specific MSI; and (v) a control function to program the hardware classifier.
In one embodiment of the invention, the control function to program the hardware classifier corresponds to one or more application programming interfaces (APIs) used to program the hardware classifier to forward packets for specific virtual machines and/or packet destinations to specific HRRs. The aforementioned API is typically used by the host to program the classifier.
In one embodiment of the invention, the hardware information is advertised by the device driver to the host. Further, the hardware information is supplied to the device driver in a standardized format. Thus, the hardware information for two distinct NICs is advertised to the host in the same format (though the content is different). Further, in one embodiment of the invention, the host expects the hardware information in the standardized format.
In one embodiment of the invention, the standardized format specifies the order in which hardware resources within the hardware information are advertised to the host. For example, the standardized format may require that the hardware information is advertised in the following order: (i) HRRs; (ii) TRRs; and (iii) hardware classifier. Further, for each of the aforementioned hardware resources, the standardized format may require certain pieces of information provided in a specific format. For example, the standardized format may require the following information for each HRR: (i) a function entry point; (ii) an interrupt control function to enable or disable interrupt mode for the HRR; and (iii) level of MSI available.
In one embodiment of the invention, the host maintains a copy of the hardware information obtained from each NIC operatively connected to the host.
Once the number of VNICs to be created has been determined, the number of hardware receive rings on the NIC is assessed (Step 405). VNICs are subsequently created in the host, where the number of VNICs created corresponds to the number of VNICs determined in Step 403 (Step 407). Next, a determination is made about whether there are fewer HRRs than VNICs on the host (Step 409). If there are fewer HRRs than VNICs on the host, then a software ring is created in the host and subsequently associated with one of the HRRs (Step 411).
A set of software receive rings (SRRs) is then created within the software ring (Step 413). The VNICs are then bound to the SRRs (Step 415). More specifically, the VNICs that cannot be bound to the HRRs are bound to the SRRs. Then, the remaining VNICs are bound to the HRRs (Step 417). The hardware classifier (in the NIC) and the software classifier (if host includes a software ring) are programmed (Step 419). In one embodiment of the invention, programming the hardware classifier and software classifier includes specifying to which HRR or SRR to send the received packets. The hardware classifier may be programmed using an API advertised by the device driver (see
In one embodiment of the invention, programming the hardware classifier includes specifying that all packets for a specific packet destination or virtual machine are sent to a specific HRR. In one embodiment of the invention, the hardware classifier is programmed using the MAC address and, optionally, the IP address associated with the virtual machines. Thus, all packets with a specific MAC address (and optionally an IP address) are sent to a specific HRR. As discussed, the HRRs are bound to VNICs or software rings. Thus, packets sent to specific HRRs are subsequently sent to the appropriate VNIC or software ring.
In the case where the packets are sent to the software ring, the software classifier in the software ring performs additional classification. In one embodiment of the invention, the software classifier includes the same functionality as the hardware classifier and is programmed using the same criteria (e.g., MAC addresses, IP addresses, etc.) as the hardware classifier.
In one embodiment of the invention, VNICs are preferably bound to an HRR if an HRR is available and the hardware classifier in the NIC is configured to perform the level of classification required by the host. In such cases, one HRR is bound to a software ring and the other HRRs are bound to VNICs. In one embodiment of the invention, each of the aforementioned VNICs is associated with a virtual network stack (VNS). Further, each VNS is associated with a bandwidth allocation.
As stated above, software rings can be arbitrarily created on top of HRR or SRRs. As a result, different structures involving software rings can be created to handle the same number of VNICs using the method shown in
A determination is then made about whether the receive ring is associated with a software ring (Step 506). In one embodiment of the invention, the receive ring is associated with the software ring if packets from the receive ring are sent from the receive ring to the software ring. If the receive ring is associated with a software ring, then the packets are forwarded to a software classifier in the software ring (Step 508). The process then proceeds to Step 502. If Step 502 is entered from Step 508, then classifier in Step 502 now corresponds to a software classifier and all references to receive rings in Steps 502-520 correspond to SRRs. Said another way, when Steps 502-506 are initially performed, the classifier corresponds a hardware classifier and the receive rings correspond to HRRs. However, if the HRR is bound to a software ring (see Step 506), then in all subsequent executions of Steps 502-520, the classifier corresponds to a software classifier and all references to receive rings in Steps 502-520 correspond to SRRs.
If the receive ring is not associated with a software ring, then a determination is made about whether the receive ring (HRR or SRR) is associated with a virtual machine or a packet destination (Step 510). The receive ring is associated with the virtual machine if the receive ring sends (via a VNIC) received packets to an interface, which in turn sends packets to a virtual machine. Similarly, the receive ring is associated with a packet destination if the receive ring (via a VNIC) sends packets to a VNS, which in turn sends packets to a packet destination.
If the receive ring is associated with a packet destination, the process proceeds to Step 512. Alternatively, if the receive ring is associated with a virtual machine, then the process proceeds to Step 516. With respect to Step 512, a determination is made about whether the VSQ associated with the VNS is operating in polling mode or interrupt mode.
If the VSQ is operating in polling mode, then the packets remain in the receive ring (HRR or SRR) until the VSQ requests a specified number of packets from the receive ring (Step 514). In one embodiment of the invention, the VSQ does not request any packets when there are packets already queued on the VSQ. In one or more embodiments of the invention, the VSQ retrieves all packets from the receive ring when a request is made for packets.
Those skilled in the art will appreciate that the receive rings store a finite number of packets. Thus, if the receive rings receive packets at a faster rate than the rate at which the corresponding VSQ requests the packets, the receive rings will eventually fill completely with packets and packets received after this point are dropped until packets on the receive rings are requested and processed. In one embodiment of the invention, the rate at which packets are requested from the receive ring (SRR or HRR) and the number of packets requested are determined by the bandwidth allocation of the VNS bound to the receive ring. In one embodiment of the invention, a function entry point associated with the receive ring is used to poll the specific receive ring (HRR or SRR).
Alternatively, if the VSQ is operating in interrupt mode or the VNIC is associated with a virtual machine, then an interrupt is issued to a processor (i.e., a processor bound to the VSQ that is bound to the VNS associated with the receive ring or to a processor bound to a virtual machine) (Step 516). In one embodiment of the invention, if the receive ring is an SRR and it is bound to a VNIC, then the interrupt (as recited in Step 516) is a software interrupt as opposed to a hardware interrupt (as recited in Step 516), which is generated when the HRR is bound to a VNIC. The packets are then sent to the VNIC (Step 518). In one embodiment of the invention, if the VSQ is operating polling mode, then the VSQ, which includes the function entry point, uses the function entry point to obtain the packet from the receive ring and place it in the appropriate VNIC. Alternatively, if the VSQ is operating in interrupt mode, then the device driver (or NIC) executes the function entry point to send the packet from the receive ring to the appropriate VNIC.
The VNIC subsequently forwards the packets to the appropriate VNS or Interface (Step 520), where the packets are processed and then sent to the packet destination or virtual machine (Step 522). In one embodiment of the invention, processing the packet by the interface includes flipping the content of the packet such that the most significant bit becomes the least significant bit. Once the packet has been processed by the interface, it is placed in the address space associated with the virtual machine. In one embodiment of the invention, processing the packet by the VNS is described in
In one embodiment of the invention, the method shown in
As discussed above, in some cases, there may not be a sufficient number of HRRs to allow each virtual machine to be mapped to a unique HRR. In such cases, the packets for a number of virtual machines are sent to a specific HRR. Packets from the specific HRR are then sent to a software ring, where the software ring performs additional classification and sends the packets to the appropriate SRR. The SRRs subsequently send packets (using interrupt or polling mode) to the appropriate VNICs, which in turn forward packets towards the appropriate packet destination or virtual machine.
An embodiment of the invention may be implemented on virtually any type of computer regardless of the platform being used. For example, as shown in
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of this disclosure, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as disclosed herein. Accordingly, the scope of the invention should be limited only by the attached claims.
The present application contains subject matter that may be related to the subject matter in the following U.S. applications filed on Apr. 22, 2005, and assigned to the assignee of the present application: “Method and Apparatus for Managing and Accounting for Bandwidth Utilization Within A Computing System” with U.S. application Ser. No. 11/112,367 (Attorney Docket No. 03226/643001; SUN050681); “Method and Apparatus for Consolidating Available Computing Resources on Different Computing Devices” with U.S. application Ser. No. 11/112,368 (Attorney Docket No. 03226/644001; SUN050682); “Assigning Higher Priority to Transactions Based on Subscription Level” with U.S. application Ser. No. 11/112,947 (Attorney Docket No. 03226/645001; SUN050589); “Method and Apparatus for Dynamically Isolating Affected Services Under Denial of Service Attack” with U.S. application Ser. No. 11/112,158 (Attorney Docket No. 03226/646001; SUN050587); “Method and Apparatus for Improving User Experience for Legitimate Traffic of a Service Impacted by Denial of Service Attack” with U.S. application Ser. No. 11/112,629 (Attorney Docket No. 03226/647001; SUN050590); “Method and Apparatus for Limiting Denial of Service Attack by Limiting Traffic for Hosts” with U.S. application Ser. No. 11/112,328 (Attorney Docket No. 03226/648001; SUN050591); “Hardware-Based Network Interface Per-Ring Resource Accounting” with U.S. application Ser. No. 11/112,222 (Attorney Docket No. 03226/649001; SUN050593); “Dynamic Hardware Classification Engine Updating for a Network Interface” with U.S. application Ser. No. 11/112,934 (Attorney Docket No. 03226/650001; SUN050592); “Network Interface Card Resource Mapping to Virtual Network Interface Cards” with U.S. application Ser. No. 11/112,063 (Attorney Docket No. 03226/651001; SUN050588); “Network Interface Decryption and Classification Technique” with U.S. application Ser. No. 11/112,436 (Attorney Docket No. 03226/652001; SUN050596); “Method and Apparatus for Enforcing Resource Utilization of a Container” with U.S. application Ser. No. 11/112,910 (Attorney Docket No. 03226/653001; SUN050595); “Method and Apparatus for Enforcing Packet Destination Specific Priority Using Threads” with U.S. application Ser. No. 11/112,584 (Attorney Docket No. 03226/654001; SUN050597); “Method and Apparatus for Processing Network Traffic Associated with Specific Protocols” with U.S. application Ser. No. 11/112,228 (Attorney Docket No. 03226/655001; SUN050598). The present application contains subject matter that may be related to the subject matter in the following U.S. applications filed on Oct. 21, 2005, and assigned to the assignee of the present application: “Method and Apparatus for Defending Against Denial of Service Attacks” with U.S. application Ser. No. 11/255,366 (Attorney Docket No. 03226/688001; SUN050966); “Router Based Defense Against Denial of Service Attacks Using Dynamic Feedback from Attacked Host” with U.S. application Ser. No. 11/256,254 (Attorney Docket No. 03226/689001; SUN050969); and “Method and Apparatus for Monitoring Packets at High Data Rates” with U.S. application Ser. No. 11/226,790 (Attorney Docket No. 03226/690001; SUN050972). The present application contains subject matter that may be related to the subject matter in the following U.S. applications filed on Jun. 30, 2006, and assigned to the assignee of the present application: “Network Interface Card Virtualization Based On Hardware Resources and Software Rings” with U.S. Application Serial No. TBD (Attorney Docket No. 03226/870001; SUN061020); “Method and System for Controlling Virtual Machine Bandwidth” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/871001; SUN061021); “Virtual Switch” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/873001; SUN061023); “System and Method for Virtual Network Interface Cards Based on Internet Protocol Addresses” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/874001; SUN061024); “Virtual Network Interface Card Loopback Fastpath” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/876001; SUN061027); “Bridging Network Components” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/877001; SUN061028); “Reflecting the Bandwidth Assigned to a Virtual Network Interface Card Through Its Link Speed” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/878001; SUN061029); “Method and Apparatus for Containing a Denial of Service Attack Using Hardware Resources on a Virtual Network Interface Card” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/879001; SUN061033); “Virtual Network Interface Cards with VLAN Functionality” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/882001; SUN061037); “Method and Apparatus for Dynamic Assignment of Network Interface Card Resources” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/883001; SUN061038); “Generalized Serialization Queue Framework for Protocol Processing” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/884001; SUN061039); “Serialization Queue Framework for Transmitting Packets” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/885001; SUN061040). The present application contains subject matter that may be related to the subject matter in the following U.S. applications filed on Jul. 20, 2006, and assigned to the assignee of the present application: “Low Impact Network Debugging” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/829001; SUN060545); “Reflecting Bandwidth and Priority in Network Attached Storage I/O” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/830001; SUN060587); “Priority and Bandwidth Specification at Mount Time of NAS Device Volume” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/831001; SUN060588); “Notifying Network Applications of Receive Overflow Conditions” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/869001; SUN060913); “Multi-Level Packet Classification” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/875001; SUN061026); “Method and System for Automatically Reflecting Hardware Resource Allocation Modifications” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/881001; SUN061036); “Multiple Virtual Network Stack Instances Using Virtual Network Interface Cards” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/888001; SUN061041); “Method and System for Network Configuration for Containers” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/889001; SUN061044); “Network Memory Pools for Packet Destinations and Virtual Machines” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/890001; SUN061062); “Method and System for Network Configuration for Virtual Machines” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/893001; SUN061171); “Multiple Virtual Network Stack Instances” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/896001; SUN061198); and “Shared and Separate Network Stack Instances” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/898001; SUN061200).