[nft,v2,00/16] vxlan, geneve, gre, gretap matching support

Message ID	20221017110408.742223-1-pablo@netfilter.org
Headers	show Return-Path: <netfilter-devel-owner@vger.kernel.org> From: Pablo Neira Ayuso <pablo@netfilter.org> To: netfilter-devel@vger.kernel.org Subject: [PATCH nft,v2 00/16] vxlan, geneve, gre, gretap matching support Date: Mon, 17 Oct 2022 13:03:52 +0200 Message-Id: <20221017110408.742223-1-pablo@netfilter.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	vxlan, geneve, gre, gretap matching support \| expand [nft,v2,00/16] vxlan, geneve, gre, gretap matching support [nft,v2,01/16] src: add eval_proto_ctx() [nft,v2,02/16] src: add dl_proto_ctx() [nft,v2,03/16] src: add vxlan matching support [nft,v2,04/16] tests: py: add vxlan tests [nft,v2,05/16] tests: shell: add vxlan set tests [nft,v2,06/16] doc: add vxlan matching expression [nft,v2,07/16] src: display (inner) tag in --debug=proto-ctx [nft,v2,08/16] src: add gre support [nft,v2,09/16] tests: py: add gre tests [nft,v2,10/16] doc: add gre matching expression [nft,v2,11/16] src: add geneve matching support [nft,v2,12/16] tests: py: add geneve tests [nft,v2,13/16] doc: add geneve matching expression [nft,v2,14/16] src: add gretap support [nft,v2,15/16] tests: py: add gretap tests [nft,v2,16/16] doc: add gretap matching expression

Message ID

20221017110408.742223-1-pablo@netfilter.org

Headers

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH nft,v2 00/16] vxlan, geneve, gre, gretap matching support
Date: Mon, 17 Oct 2022 13:03:52 +0200
Message-Id: <20221017110408.742223-1-pablo@netfilter.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

vxlan, geneve, gre, gretap matching support | expand

Message

Pablo Neira Ayuso Oct. 17, 2022, 11:03 a.m. UTC

Hi,

The following patchset adds support for vxlan, geneve, gre and gretap.
This patchset includes tests and documentation update.

1) Add eval_proto_ctx() to prepare for multiple protocol context to
   track inner and outer headers for the evaluation path.

2) Add dl_proto_ctx() to deal with multiple protocol context to track
   inner and outer header for the delinearize path.

3) Add vxlan support. This includes initial infrastructure for the
   new in-kernel inner expression. A protocol description is added to payload
   and meta expressions.

4) Add tests/py for vxlan.

5) Add tests/shell for vxlan.

6) Update vxlan documentation in nft(8) manpage.

7) Annotate --debug=proto-ctx for easier debugging of inner and outer
   protocol tracking.

8) Add gre support.

9) Add gre tests.

10) Update gre documentation in nft(8) manpage.

11) Add geneve support.

12) Add tests/py for geneve.

13) Update geneve documentation in nft(8) manpage.

14) Add gretap support

15) Add tests/py for gretap.

16) Update gretap documentation in nft(8) manpage.

Pablo Neira Ayuso (16):
  src: add eval_proto_ctx()
  src: add dl_proto_ctx()
  src: add vxlan matching support
  tests: py: add vxlan tests
  tests: shell: add vxlan set tests
  doc: add vxlan matching expression
  src: display (inner) tag in --debug=proto-ctx
  src: add gre support
  tests: py: add gre tests
  doc: add gre matching expression
  src: add geneve matching support
  tests: py: add geneve tests
  doc: add geneve matching expression
  src: add gretap support
  tests: py: add gretap tests
  doc: add gretap matching expression

 doc/payload-expression.txt                   | 154 ++++++++++
 include/expression.h                         |   2 +
 include/linux/netfilter/nf_tables.h          |  27 ++
 include/netlink.h                            |  11 +-
 include/parser.h                             |   1 +
 include/payload.h                            |   4 +
 include/proto.h                              |  58 +++-
 include/rule.h                               |   3 +-
 src/evaluate.c                               | 286 ++++++++++++-----
 src/expression.c                             |   1 +
 src/meta.c                                   |  21 +-
 src/netlink.c                                |   2 +-
 src/netlink_delinearize.c                    | 308 ++++++++++++++++---
 src/netlink_linearize.c                      |  80 ++++-
 src/parser_bison.y                           | 115 +++++++
 src/payload.c                                | 142 +++++++--
 src/proto.c                                  | 133 +++++++-
 src/rule.c                                   |   3 +-
 src/scanner.l                                |  13 +-
 src/xt.c                                     |   8 +-
 tests/py/inet/geneve.t                       |  23 ++
 tests/py/inet/geneve.t.payload               | 114 +++++++
 tests/py/inet/gre.t                          |  22 ++
 tests/py/inet/gre.t.payload                  |  78 +++++
 tests/py/inet/gretap.t                       |  21 ++
 tests/py/inet/gretap.t.payload               |  87 ++++++
 tests/py/inet/vxlan.t                        |  23 ++
 tests/py/inet/vxlan.t.payload                | 114 +++++++
 tests/shell/testcases/sets/dumps/inner_0.nft |  18 ++
 tests/shell/testcases/sets/inner_0           |  25 ++
 30 files changed, 1721 insertions(+), 176 deletions(-)
 create mode 100644 tests/py/inet/geneve.t
 create mode 100644 tests/py/inet/geneve.t.payload
 create mode 100644 tests/py/inet/gre.t
 create mode 100644 tests/py/inet/gre.t.payload
 create mode 100644 tests/py/inet/gretap.t
 create mode 100644 tests/py/inet/gretap.t.payload
 create mode 100644 tests/py/inet/vxlan.t
 create mode 100644 tests/py/inet/vxlan.t.payload
 create mode 100644 tests/shell/testcases/sets/dumps/inner_0.nft
 create mode 100755 tests/shell/testcases/sets/inner_0

--
2.30.2

Comments

Pablo Neira Ayuso Jan. 2, 2023, 3:04 p.m. UTC | #1

On Mon, Oct 17, 2022 at 01:03:52PM +0200, Pablo Neira Ayuso wrote:
> Hi,
> 
> The following patchset adds support for vxlan, geneve, gre and gretap.
> This patchset includes tests and documentation update.

This is now applied to nftables.git repository now that 6.2-rc is out.

This batch is missing support for:

-j/--json
-o/--optimize

At least -o should be easy to add.

-j requires a bit more work, I am considering two possibilities with
this: either add "tunnel" field to "payload" or use "vxlan ip" in the
existing "protocol" field. I have not yet evaluated the up/down sides
of any these options for the json support.