| Message ID | cover.1575779993.git.lucien.xin@gmail.com |
|---|---|
| Headers | show |
| Series | netfilter: nft_tunnel: reinforce key opts support | expand |
The 1st patch file for libnftnl is
Based on:
git://git.netfilter.org/libnftnl
The 2nd patch file for nftables is:
Based on:
git://git.netfilter.org/nftables: d42e9a1 (tag: v0.9.2) build:
Bump version to v0.9.2
plusing:
https://patchwork.ozlabs.org/patch/1136755/
https://patchwork.ozlabs.org/patch/1136756/
Dependencies:
Some fixes in libnftnl, which are in another patch.
On Sun, Dec 8, 2019 at 12:41 PM Xin Long <lucien.xin@gmail.com> wrote:
>
> This patchset improves quite a few places to make vxlan/erspan
> opts in nft_tunnel work with userspace nftables/libnftnl, and
> also keep consistent with the support for vxlan/erspan opts in
> act_tunnel_key, cls_flower and ip_tunnel_core.
>
> Meanwhile, add support for geneve opts in nft_tunnel. One patch
> for nftables and one for libnftnl will be posted here for the
> testing. With them, nft_tunnel can be set and used by:
>
> # nft add table ip filter
> # nft add chain ip filter input { type filter hook input priority 0 \; }
> # nft add tunnel filter vxlan_01 { type vxlan\; id 2\; \
> ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \
> sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \
> opts \"ffff\"\; }
> # nft add tunnel filter erspan_01 { type erspan\; id 2\; \
> ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \
> sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \
> opts \"1:1:0:0\"\; }
> # nft add tunnel filter erspan_02 { type erspan\; id 2\; \
> ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \
> sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \
> opts \"2:0:1:1\"\; }
> # nft add tunnel filter geneve_01 { type geneve\; id 2\; \
> ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \
> sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \
> opts \"1:1:1212121234567890\"\; }
> # nft add tunnel filter geneve_02 { type geneve\; id 2\; \
> ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \
> sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \
> opts \"1:1:34567890,2:2:12121212,3:3:1212121234567890\"\; }
> # nft list tunnels table filter
> # nft add rule filter input ip protocol udp tunnel name geneve_02
> # nft add rule filter input meta l4proto udp tunnel id 2 drop
> # nft add rule filter input meta l4proto udp tunnel path 0 drop
> # nft list chain filter input -a
>
> Xin Long (7):
> netfilter: nft_tunnel: parse ERSPAN_VERSION attr as u8
> netfilter: nft_tunnel: parse VXLAN_GBP attr as u32 in nft_tunnel
> netfilter: nft_tunnel: no need to call htons() when dumping ports
> netfilter: nft_tunnel: also dump ERSPAN_VERSION
> netfilter: nft_tunnel: also dump OPTS_ERSPAN/VXLAN
> netfilter: nft_tunnel: add the missing nla_nest_cancel()
> netfilter: nft_tunnel: add support for geneve opts
>
> include/uapi/linux/netfilter/nf_tables.h | 10 ++
> net/netfilter/nft_tunnel.c | 170 +++++++++++++++++++++++++------
> 2 files changed, 151 insertions(+), 29 deletions(-)
>
> --
> 2.1.0
>
On Sun, Dec 8, 2019 at 12:41 PM Xin Long <lucien.xin@gmail.com> wrote: > > This patchset improves quite a few places to make vxlan/erspan > opts in nft_tunnel work with userspace nftables/libnftnl, and > also keep consistent with the support for vxlan/erspan opts in > act_tunnel_key, cls_flower and ip_tunnel_core. > > Meanwhile, add support for geneve opts in nft_tunnel. One patch > for nftables and one for libnftnl will be posted here for the > testing. With them, nft_tunnel can be set and used by: > > # nft add table ip filter > # nft add chain ip filter input { type filter hook input priority 0 \; } > # nft add tunnel filter vxlan_01 { type vxlan\; id 2\; \ > ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \ > sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \ > opts \"ffff\"\; } > # nft add tunnel filter erspan_01 { type erspan\; id 2\; \ > ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \ > sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \ > opts \"1:1:0:0\"\; } > # nft add tunnel filter erspan_02 { type erspan\; id 2\; \ > ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \ > sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \ > opts \"2:0:1:1\"\; } > # nft add tunnel filter geneve_01 { type geneve\; id 2\; \ > ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \ > sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \ > opts \"1:1:1212121234567890\"\; } > # nft add tunnel filter geneve_02 { type geneve\; id 2\; \ > ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \ > sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \ > opts \"1:1:34567890,2:2:12121212,3:3:1212121234567890\"\; } > # nft list tunnels table filter > # nft add rule filter input ip protocol udp tunnel name geneve_02 > # nft add rule filter input meta l4proto udp tunnel id 2 drop > # nft add rule filter input meta l4proto udp tunnel path 0 drop > # nft list chain filter input -a Hi, Pablo as you commented on other patches, I will post v2 and > > Xin Long (7): > netfilter: nft_tunnel: parse ERSPAN_VERSION attr as u8 > netfilter: nft_tunnel: parse VXLAN_GBP attr as u32 in nft_tunnel drop these two patches > netfilter: nft_tunnel: no need to call htons() when dumping ports move this one to nf.git > netfilter: nft_tunnel: also dump ERSPAN_VERSION > netfilter: nft_tunnel: also dump OPTS_ERSPAN/VXLAN > netfilter: nft_tunnel: add the missing nla_nest_cancel() adjust these three for nf-next.git > netfilter: nft_tunnel: add support for geneve opts will you also check this one before my posting v2? Thanks.
On Thu, Dec 12, 2019 at 11:02:19AM +0800, Xin Long wrote: [...] > Hi, Pablo > as you commented on other patches, I will post v2 and > > > > Xin Long (7): > > netfilter: nft_tunnel: parse ERSPAN_VERSION attr as u8 > > netfilter: nft_tunnel: parse VXLAN_GBP attr as u32 in nft_tunnel > drop these two patches Yes, you will still need the netlink policy validation for ERSPAN_VERSION which is missing, so at least one patch will be needed for this one. > > netfilter: nft_tunnel: no need to call htons() when dumping ports > move this one to nf.git Given that nft_tunnel really needs care and that there is no upstream userspace code using this extension, I think using nf-next.git in this case is fine. Thanks.
This patchset improves quite a few places to make vxlan/erspan opts in nft_tunnel work with userspace nftables/libnftnl, and also keep consistent with the support for vxlan/erspan opts in act_tunnel_key, cls_flower and ip_tunnel_core. Meanwhile, add support for geneve opts in nft_tunnel. One patch for nftables and one for libnftnl will be posted here for the testing. With them, nft_tunnel can be set and used by: # nft add table ip filter # nft add chain ip filter input { type filter hook input priority 0 \; } # nft add tunnel filter vxlan_01 { type vxlan\; id 2\; \ ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \ sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \ opts \"ffff\"\; } # nft add tunnel filter erspan_01 { type erspan\; id 2\; \ ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \ sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \ opts \"1:1:0:0\"\; } # nft add tunnel filter erspan_02 { type erspan\; id 2\; \ ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \ sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \ opts \"2:0:1:1\"\; } # nft add tunnel filter geneve_01 { type geneve\; id 2\; \ ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \ sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \ opts \"1:1:1212121234567890\"\; } # nft add tunnel filter geneve_02 { type geneve\; id 2\; \ ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \ sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \ opts \"1:1:34567890,2:2:12121212,3:3:1212121234567890\"\; } # nft list tunnels table filter # nft add rule filter input ip protocol udp tunnel name geneve_02 # nft add rule filter input meta l4proto udp tunnel id 2 drop # nft add rule filter input meta l4proto udp tunnel path 0 drop # nft list chain filter input -a Xin Long (7): netfilter: nft_tunnel: parse ERSPAN_VERSION attr as u8 netfilter: nft_tunnel: parse VXLAN_GBP attr as u32 in nft_tunnel netfilter: nft_tunnel: no need to call htons() when dumping ports netfilter: nft_tunnel: also dump ERSPAN_VERSION netfilter: nft_tunnel: also dump OPTS_ERSPAN/VXLAN netfilter: nft_tunnel: add the missing nla_nest_cancel() netfilter: nft_tunnel: add support for geneve opts include/uapi/linux/netfilter/nf_tables.h | 10 ++ net/netfilter/nft_tunnel.c | 170 +++++++++++++++++++++++++------ 2 files changed, 151 insertions(+), 29 deletions(-)