VMware NSX – IOChain and how packets are processed within the kernel

During a meeting with a client when I was going over how packets are processed within the IOChain between a VM and a vSwitch, I was asked a question that stumped me…. what happens at Slot 3?

It’s common knowledge that the first 4 and last 3 slots in the IOchain are reserved for VMware and slots 4-12 are reserved for 3rd parties where services are inserted (or traffic redirected).

During my discussions I’ve only ever spoken about Slots 0-2 and 4-12…..

After much digging around and questioning the NSBU SEs, I was told that there was no real answer apart from it’s probably a VMware reserved slot for future use. =)

It’s also worth noting that Slot 15 used to be classed as a “reserved slot for future use” but is now intended to be used for Distributed Network Encryption when it becomes available (makes sense that encryption is the last thing that happens on the IOChain for packets leaving a VM, and decryption being the first for packets entering the VM).

Anyways, decided it’s probably worth blogging about IOChain slots. =)


So when a VM connects to a Logical switch there are several security services that each packet transverses which are implemented as IOChains processed within the vSphere kernel.

Slot 0: DVFilter – the Distibuted Virtual Filter monitors ingress/egress traffic on the protected vNIC and performs stateless filtering and ACL.

Slot 1: vmware-swsec – the Switch Security module learns the VMs IP/MAC address and captures any DHCP Ack or ARP broadcasts from the VM, redirecting the request to the NSX Controller – this is the ARP suppression feature. This slot is also where NSX IP Spoofguard is implemented.

Slot 2: vmware-sfw – this is where the NSX Distributed Firewall resides and where DFW rules are stored and enforced (so firewall rule and connection tables).

Slot 3: reserved for future use by VMware

Slot 4-12: 3rd party services – this is where traffic is redirected to 3rd party service appliances

Slot 13-14: reserved for future use by VMware

Slot 15: Distributed Network Encryption (when it becomes available)

2 thoughts on “VMware NSX – IOChain and how packets are processed within the kernel

  1. Hi,
    Thank you for your very interessting article.
    2 things I still don’t understand is:
    1) Order of the process. I understand that a outgoing packet is first processed in slot1 then slot2 etc. What about incoming traffic? Is an incoming packet first handled by slot1 or the highest slot?
    2) Slot 4-12: 3rd party services : Is this redirect aware of a the direction from where the connection starts? I was failing to only redirect incoming traffic and leave all outgoing flows bypass. The result was kind of asymetric result as only outgoing request packets bypass but the incoming response packet is redirects to network inspection and blocked because of the missing request packet.
    To me it seems that the network introspection desicion is made stateless ignoring the direction. What is your experience?
    BR, mario


    1. Hi Mario, so the order of process is reversed for incoming traffic from the vSwitch to the VM. Basically traffic from the vSwitch is redirected to whatever services are in place (3rd party firewall/AV) – that way any actions are performed on network traffic before it hits the VM (say blocking malicious traffic).
      As with most firewalls, you need to have the correct policies setup to action on incoming/outgoing traffic.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s