What is the best way to accomplish "decapsulate any" functionality?

What is the best way to accomplish "decapsulate any" functionality?

[Alex Gartrell]

Short Version:

What's the best way to accomplish "decapsulate any" functionality for
"IPv{4,6} in IPv{4,6}?"  Should I write an xfrm module or is there a
simple, existing method?

Long Version:

We've been using IPVS with ipip tunneling for ages, and it's been great,
but our decapsulation story has always been a little weak.  At some point,
someone figured out that if you create tunnel interfaces for both v4 and v6
and add loopback or link-local unicast addresses to each, the kernel will
magically start decapsulating these packets for you, and you can put your
virtual IPs on any dummy interface you want (or loopback).

So our load balancer's pre-run script basically boils down to:
ip tunnel add mode ipip
ip addr add dev tunl0 127.0.0.101/32
ip link set dev tunl0 up
ip addr add dev lo ${VIP}/32
# And then the equivalent for v6

And all was well and good in the kingdom.  But now we're getting ready to
turn up our IPv6-only internal cluster, and so we're forced to push forward
on things like v4-in-v6 tunneling (currently unsupported by IPVS, but we've
got a patch set that we'll put up when we have a working end-to-end-test).
Predictably, our magic script fell apart and we had to look into how the
sausage was made.

So, before I go off and write some terrible xfrm decapsulate-any module, is
there a "right way" to do this with stock linux?

Thanks,
Alex

Re: What is the best way to accomplish "decapsulate any" functionality?

[Alexey Andriyanov]

28.07.2014 22:26, Alex Gartrell wrote:
> Short Version:
> 
> What's the best way to accomplish "decapsulate any" functionality for
> "IPv{4,6} in IPv{4,6}?"  Should I write an xfrm module or is there a
> simple, existing method?

Hi, Alex.

I also wanted to decapsulate 4in6 packets without configuring the endpoints. The ip6_tunnel module already has the mode parameter (6in6, 4in6, any).

The problem is the fallback device "ip6tnl0" has preconfigured mode 6in6 that you can not change. All other tunnel devices work only with specified endpoints.

I've found two ways for fixing this:
The first is to change mode of the ip6tnl0 to 'any' at compile-time. Very simple, but may cause compatibility issues.
The idea behing the second is to allow changing mode of the ip6tnl0 device as for any other tunnel device

Hereby I'm requesting for comments on these changes. If somebody decides to merge one of these into upstream kernel tree, I will repost the patch with proper formalities.


diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 46ba243..2c43ec9 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1524,7 +1524,7 @@ static int __net_init ip6_fb_tnl_dev_init(struct net_device *dev)
 	if (err)
 		return err;
 
-	t->parms.proto = IPPROTO_IPV6;
+	t->parms.proto = 0;
 	dev_hold(dev);
 
 	ip6_tnl_link_config(t);
--

diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 46ba243..4b03bd9 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1269,6 +1269,14 @@ static int ip6_tnl_update(struct ip6_tnl *t, struct __ip6_tnl_parm *p)
 	return err;
 }
 
+static int ip6_tnl0_update(struct ip6_tnl *t, struct __ip6_tnl_parm *p)
+{
+	/* for default tnl0 device allow changing only proto */
+	t->parms.proto = p->proto;
+	netdev_state_change(t->dev);
+	return 0;
+}
+
 static void
 ip6_tnl_parm_from_user(struct __ip6_tnl_parm *p, const struct ip6_tnl_parm *u)
 {
@@ -1368,7 +1376,7 @@ ip6_tnl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
 			break;
 		ip6_tnl_parm_from_user(&p1, &p);
 		t = ip6_tnl_locate(net, &p1, cmd == SIOCADDTUNNEL);
-		if (dev != ip6n->fb_tnl_dev && cmd == SIOCCHGTUNNEL) {
+		if (cmd == SIOCCHGTUNNEL) {
 			if (t != NULL) {
 				if (t->dev != dev) {
 					err = -EEXIST;
@@ -1376,8 +1384,10 @@ ip6_tnl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
 				}
 			} else
 				t = netdev_priv(dev);