r one for the overlay, if your application cannot run
in a netns / requires access to all vnis.
Alexis Bauvin
(re-send for netdev as somehow the first one contained html)
> On 7 Oct 2019, at 13:39, Ondřej Flídr wrote:
>
> Hello,
>
> it seems that ip doesn't handle combina
if I set the
> policy to ACCEPT and flush all the rules, the behaviour remains the same.
>
> Is it possible that the TCP stack isn't aware of the session (as is mapped to
> wrong VRF internally or something to that effect) and is therefore sending
> the RST?
>
> Gareth
Hi,
There have been some changes regarding VRF isolation in Linux 5 IIRC, namely
proper isolation of the default VRF.
Some things you may try:
- looking at the l3mdev_accept sysctls (e.g. `net.ipv4.tcp_l3mdev_accept`)
- querying stuff from the management vrf through `ip vrf exec vrf-mgmt `
e.g
ires the host to support virtio
tso for the guest to offload segmentation).
All this leads to inconsistent behaviour in the kernel, especially in
netfilter modules that use sk->socket (e.g. xt_owner).
Signed-off-by: Alexis Bauvin
Fixes: 66ccbc9c87c2 ("tap: use build_skb() for small packe
> On 23 Jul 2019, at 15:53, Jason Wang wrote:
> On 2019/7/23 9:01 PM, Alexis Bauvin wrote:
>> Small packets going out of a tap device go through an optimized code
>> path that uses build_skb() rather than sock_alloc_send_pskb(). The
>> latter calls skb_set_owner_w(), b
.
All this leads to inconsistent behaviour in the kernel, especially in
netfilter modules that use sk->socket (e.g. xt_owner).
Signed-off-by: Alexis Bauvin
Fixes: 66ccbc9c87c2 ("tap: use build_skb() for small packet")
---
drivers/net/tun.c | 71 -
VRF to another works when
down/up the VXLAN interface.
Signed-off-by: Alexis Bauvin
Reviewed-by: Amine Kherbouche
Reviewed-by: David Ahern
Tested-by: Amine Kherbouche
---
tools/testing/selftests/net/Makefile | 1 +
.../selftests/net/test_vxlan_under_vrf.sh | 129
to be
bound to a specific VRF device therefore looking up in the correct table.
Alexis Bauvin (4):
udp_tunnel: add config option to bind to a device
l3mdev: add function to retreive upper master
vxlan: add support for underlay in non-default VRF
test/net: Add script for
[ASCII diagram, truncated: eth0 <- - - vxlan-red, tap-red (... more taps)]
Signed-off-by: Alexis Bauvin
Reviewed-by: Am
[ASCII diagram, truncated: a vertical chain of devices ending in br-blue and eth0]
This will properly resolve the l3mdev of eth0 to vrf-blue.
Signed-off-by: Alexis Bauvin
Reviewed-by: Amine Kherbouche
Reviewed-by: David Ahern
Tested-by: Amine Kherbouche
UDP tunnel sockets are always opened unbound to a specific device. This
patch allows the socket to be bound on a custom device, which
incidentally makes UDP tunnels VRF-aware if binding to an l3mdev.
Signed-off-by: Alexis Bauvin
Reviewed-by: Amine Kherbouche
Tested-by: Amine Kherbouche
On 30 Nov 2018, at 15:31, Sabrina Dubroca wrote:
> 2018-11-27, 14:05:42 +0100, Alexis Bauvin wrote:
>> diff --git a/net/ipv4/udp_tunnel.c b/net/ipv4/udp_tunnel.c
>> index 6539ff15e9a3..dc68e15a4f72 100644
>> --- a/net/ipv4/udp_tunnel.c
>> +++ b/net/ipv4/udp_tunnel.
UDP tunnel sockets are always opened unbound to a specific device. This
patch allows the socket to be bound on a custom device, which
incidentally makes UDP tunnels VRF-aware if binding to an l3mdev.
Signed-off-by: Alexis Bauvin
Reviewed-by: Amine Kherbouche
Reviewed-by: David Ahern
Tested-by
nt from
blue or red by e.g. a guest VM will be accepted by the socket, allowing
injection of VXLAN packets from the overlay.
This patch series fixes the issues described above by allowing the VXLAN socket to be
bound to a specific VRF device, therefore looking up in the correct table.
Alexis Bauvin (4):
On 27 Nov 2018, at 06:58, Roopa Prabhu wrote:
> On Mon, Nov 26, 2018 at 5:04 PM Alexis Bauvin wrote:
>>
>> When underlay VRF changes, either because the lower device itself changed,
>> or its VRF changed, this patch releases the current socket of the VXLAN
>> devic
tion of VXLAN packets from the overlay.
This patch series fixes the issues described above by allowing the VXLAN socket to be
bound to a specific VRF device, therefore looking up in the correct table.
Alexis Bauvin (6):
udp_tunnel: add config option to bind to a device
l3mdev: add function to retr
VRF to another works when
down/up the VXLAN interface.
Signed-off-by: Alexis Bauvin
Reviewed-by: Amine Kherbouche
Tested-by: Amine Kherbouche
---
tools/testing/selftests/net/Makefile | 1 +
.../selftests/net/test_vxlan_under_vrf.sh | 129 ++
2 files changed, 130
When underlay VRF changes, either because the lower device itself changed,
or its VRF changed, this patch releases the current socket of the VXLAN
device and recreates another one in the right VRF. This allows for
on-the-fly change of the underlay VRF of a VXLAN device.
Signed-off-by: Alexis
[ASCII diagram, truncated: ...-blue above br-blue, br-blue above bond0, bond0 above eth0 and eth1]
Signed-off-by: Alexis Bauvin
Reviewed-by: Amine Kherbouche
Tested-by: Amine
On 27 Nov 2018, at 01:46, David Ahern wrote:
> On 11/26/18 5:41 PM, Alexis Bauvin wrote:
>> On 26 Nov 2018, at 18:54, David Ahern wrote:
>>> On 11/26/18 9:32 AM, Alexis Bauvin wrote:
>>>> Thanks for the review. I’ll send a v5 if you have no other comment on
>
On 26 Nov 2018, at 18:54, David Ahern wrote:
> On 11/26/18 9:32 AM, Alexis Bauvin wrote:
>> Thanks for the review. I’ll send a v5 if you have no other comment on
>> this version!
>
> A few comments on the test script; see attached which has the changes.
>
> Mainly t
On 26 Nov 2018, at 19:26, Roopa Prabhu wrote:
>
> On Mon, Nov 26, 2018 at 9:54 AM David Ahern wrote:
>>
>> On 11/26/18 9:32 AM, Alexis Bauvin wrote:
>>> Thanks for the review. I’ll send a v5 if you have no other comment on
>>> this version!
>>
On 22 Nov 2018, at 18:19, David Ahern wrote:
> On 11/21/18 6:07 PM, Alexis Bauvin wrote:
>> Creating a VXLAN device with its underlay in the non-default VRF makes
>> egress route lookup fail or incorrect since it will resolve in the
>> default VRF, and ingress fail because
On 22 Nov 2018, at 18:14, David Ahern wrote:
> On 11/21/18 6:07 PM, Alexis Bauvin wrote:
>> diff --git a/net/core/dev.c b/net/core/dev.c
>> index 93243479085f..12459036d0da 100644
>> --- a/net/core/dev.c
>> +++ b/net/core/dev.c
>> @@ -7225,6 +7225,23 @@ void
[ASCII diagram, truncated: a vertical chain of devices ending in br-blue and eth0]
This will properly resolve the l3mdev of eth0 to vrf-blue.
Signed-off-by: Alexis Bauvin
Reviewed-by: Amine Kherbouche
Tested-by: Amine Kherbouche
---
include/net/l3mdev.h
ecific VRF device therefore looking up in the correct table.
Alexis Bauvin (5):
udp_tunnel: add config option to bind to a device
l3mdev: add function to retreive upper master
vxlan: add support for underlay in non-default VRF
netdev: add netdev_is_upper_master
vxlan: handle underlay VRF ch
On 21 Nov 2018, at 20:28, David Ahern wrote:
> On 11/21/18 7:05 AM, Alexis Bauvin wrote:
>> On 20 Nov 2018, at 18:09, David Ahern wrote:
>>> On 11/20/18 9:58 AM, Alexis Bauvin wrote:
>>>> A socket bound to vrf-blue listens on *:4789, thus owning the port. If
On 21 Nov 2018, at 20:26, David Ahern wrote:
>
> On 11/21/18 6:30 AM, Alexis Bauvin wrote:
>> On 20 Nov 2018, at 22:45, David Ahern wrote:
>>>
>>> On 11/20/18 7:23 AM, Alexis Bauvin wrote:
>>>> We are trying to isolate the VXLAN traffic from dif
On 20 Nov 2018, at 18:09, David Ahern wrote:
> On 11/20/18 9:58 AM, Alexis Bauvin wrote:
>> A socket bound to vrf-blue listens on *:4789, thus owning the port. If
>> moving an
>> underlay to the default vrf (ip link set dummy-b nomaster), a new socket
>> will be
On 20 Nov 2018, at 22:45, David Ahern wrote:
>
> On 11/20/18 7:23 AM, Alexis Bauvin wrote:
>> We are trying to isolate the VXLAN traffic from different VMs with VRF as
>> shown
>
On 20 Nov 2018, at 17:13, David Ahern wrote:
> On 11/20/18 8:48 AM, David Ahern wrote:
>> On 11/20/18 8:35 AM, Roopa Prabhu wrote:
>>> On Tue, Nov 20, 2018 at 7:04 AM David Ahern
>>> wrote:
>>>>
>>>> On 11/20/18 7:23 AM, Alexis Bauvin wro
On 20 Nov 2018, at 16:35, Roopa Prabhu wrote:
>
> On Tue, Nov 20, 2018 at 7:04 AM David Ahern wrote:
>>
>> On 11/20/18 7:23 AM, Alexis Bauvin wrote:
>>> When underlay VRF changes, either because the lower device itself changed,
>>> or its VRF changed, th
On 20 Nov 2018, at 16:04, David Ahern wrote:
>
> On 11/20/18 7:23 AM, Alexis Bauvin wrote:
>> When underlay VRF changes, either because the lower device itself changed,
>> or its VRF changed, this patch releases the current socket of the VXLAN
>> device and recreates
On 20 Nov 2018, at 16:25, Roopa Prabhu wrote:
>
> On Tue, Nov 20, 2018 at 6:23 AM Alexis Bauvin wrote:
>>
>> Creating a VXLAN device with its underlay in the non-default VRF makes
>> egress route lookup fail or incorrect since it will resolve in the
>> default
On 20 Nov 2018, at 15:57, David Ahern wrote:
>
> On 11/20/18 7:23 AM, Alexis Bauvin wrote:
>> Creating a VXLAN device with its underlay in the non-default VRF makes
>> egress route lookup fail or incorrect since it will resolve in the
>> default VRF, and ingress fail be
ixes the issues described above by allowing the VXLAN socket to be
bound to a specific VRF device, therefore looking up in the correct table.
Alexis Bauvin (3):
udp_tunnel: add config option to bind to a device
vxlan: add support for underlay in non-default VRF
vxlan: handle underlay VRF chang
[ASCII diagram, truncated: eth0 <- - - vxlan-red, tap-red (... more taps)]
Signed-off-by: Alexis Bauvin
Reviewed-by: Amine Kherbouche
Tested-by: Amine Kherbou
t from
blue or red by e.g. a guest VM will be accepted by the socket, allowing
injection of VXLAN packets from the overlay.
This patch series fixes the issues described above by allowing the VXLAN socket to be
bound to a specific VRF device, therefore looking up in the correct table.
Alexis Bauvin (3):
On 19 Nov 2018, at 17:18, David Ahern wrote:
>
> On 11/19/18 7:21 AM, Alexis Bauvin wrote:
>> UDP tunnel sockets are always opened unbound to a specific device. This
>> patch allows the socket to be bound on a custom device, which
>> incidentally makes UDP tunnels VR
On 16 Nov 2018, at 08:37, David Ahern wrote:
> On 11/15/18 2:05 AM, Alexis Bauvin wrote:
>> On 14 Nov 2018, at 20:58, David Ahern wrote:
>>>
>>> you are making this more specific than it needs to be
>>>
>>> On 11/14/18 1:31 AM, Alexi
On 14 Nov 2018, at 21:04, David Ahern wrote:
>
> On 11/14/18 1:31 AM, Alexis Bauvin wrote:
>> diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
>> index 7477b5510a04..188c0cdb8838 100644
>> --- a/drivers/net/vxlan.c
>> +++ b/drivers/net/vxlan.c
>> @@ -2
On 14 Nov 2018, at 20:58, David Ahern wrote:
>
> you are making this more specific than it needs to be
>
> On 11/14/18 1:31 AM, Alexis Bauvin wrote:
>> diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
>> index 27bd586b94b0..7477b5510a04 100644
>> ---
On 14 Nov 2018, at 17:07, Nicolas Dichtel wrote:
> On 14/11/2018 at 10:31, Alexis Bauvin wrote:
>> UDP tunnel sockets are always opened unbound to a specific device. This
>> patch allows the socket to be bound on a custom device, which
>> incidentally makes UDP tunnels VR