Re: [PATCH v7 0/2] netfilter: add netfilter hooks to track SRv6-encapsulated flows

[Pablo Neira Ayuso <pablo@netfilter.org>]

On Tue, Aug 17, 2021 at 08:39:36AM +0000, Ryoga Saito wrote:
> Tunneling protocols such as VXLAN or IPIP are implemented using virtual
> network devices (vxlan0 or ipip0). Therefore, conntrack can record both
> inner flows and outer flows correctly. In contrast, SRv6 is implemented
> using lightweight tunnel infrastructure. Therefore, SRv6 packets are
> encapsulated and decapsulated without passing through virtual network
> device. Due to the following problems caused by this, conntrack can't
> record both inner flows and outer flows correctly.
> 
> First problem is caused when SRv6 packets are encapsulated. In VXLAN, at
> first, packets received are passed to nf_conntrack_in called from
> ip_rcv/ipv6_rcv. These packets are sent to virtual network device and these
> flows are confirmed in ip_output/ip6_output. However, in SRv6, at first,
> packets are passed to nf_conntrack_in, encapsulated and flows are confirmed
> in ipv6_output even if inner packets are IPv4. Therefore, IPv6 conntrack
> needs to be enabled to track IPv4 inner flow.
> 
> Second problem is caused when SRv6 packets are decapsulated. If IPv6
> conntrack is enabled, SRv6 packets are passed to nf_conntrack_in called
> from ipv6_rcv. Even if inner packets are passed to nf_conntrack_in after
> packets are decapsulated, flow aren't tracked because skb->_nfct is already
> set. Therefore, IPv6 conntrack needs to be disabled to track IPv4 flow
> when packets are decapsulated.
> 
> This patch series solves these problems and allows conntrack to record 
> inner flows correctly. It introduces netfilter hooks to srv6 lwtunnel
> and srv6local lwtunnel. It also introduces new sysctl toggle to turn on
> lightweight tunnel netfilter hooks. You can enable lwtunnel netfilter as
> following:
> 
>   sysctl net.netfilter.nf_hooks_lwtunnel=1

Applied to nf-next with a few edits. I'll post it to net-next in the
next pull request.