From: subashab@codeaurora.org
To: David Ahern <dsa@cumulusnetworks.com>
Cc: steffen.klassert@secunet.com, netdev@vger.kernel.org,
herbert@gondor.apana.org.au, netdev-owner@vger.kernel.org
Subject: Re: [RFC PATCH] xfrm: Add option to reset oif in xfrm lookup
Date: Wed, 03 Aug 2016 17:02:57 -0600 [thread overview]
Message-ID: <3e4bb514a6fc5316c093f5f39cc07762@codeaurora.org> (raw)
In-Reply-To: <7c3836e2-adf0-8e04-8c2f-6ee714a38f70@cumulusnetworks.com>
> I can't explain the iptables output but from a FIB lookup perspective
> it is using table 8 per the FIB rules, the xfrm is hit and packets
> shift to 192.168.77.1 and go out what you have as eth0.
>
> Take a look at:
> perf record -e fib:* -a -g
> perf script
>
> And then run tcpdump on both eth0 and eth1. For me on "eth0" (which is
> really eth11 for my VM setup) I see this on the ping:
>
You can try running these commands as is on UML.
We tried these out on 3.18 as well as on 4.4.
> 20:50:11.389837 ARP, Request who-has 192.168.77.2 tell 192.168.77.1,
> length 28
> 20:50:11.390079 ARP, Reply 192.168.77.2 is-at 02:00:12:34:02:0a, length
> 28
> 20:50:11.390101 IP 192.168.77.1 > 192.168.77.2: ICMP 192.168.77.1 udp
> port 4500 unreachable, length 168
>
> So the packets are going out "eth0" as expected.
>
> That said, the commands you have given do not totally transfer to
> another setup. In my case I have 2 VMs with eth11 and eth12 directly
> connected (VM1 eth11 <--> VM2 eth11 and ditto for eth12). You have
> given one side of the commands and I have configured the other side
> with the .1 addresses but not bothered to translate the xfrm commands.
>
> That said, this seems like a contrived example -- you pin ping to
> device eth1 (-I eth1), you are pinging a host on the network for eth1
> but want packets to go out eth0 via the xfrm. Can you elaborate on the
> real use case and problem here?
Applications may be bound to a specific interface but would try to send
data over multiple types of networks.
Our use case here is wifi calling. In this case, we try to force packets
to go over wifi after encryption.
The rules which we were using worked on 3.18 but we ran into issues on
4.4.
Debugging narrowed us down to this oif preservation through xfrm.
next prev parent reply other threads:[~2016-08-03 23:03 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-26 0:34 [RFC PATCH] xfrm: Add option to reset oif in xfrm lookup Subash Abhinov Kasiviswanathan
2016-07-26 2:34 ` David Ahern
2016-07-29 18:21 ` subashab
2016-08-03 4:06 ` David Ahern
2016-08-03 23:02 ` subashab [this message]
2016-08-04 4:52 ` David Ahern
2016-08-05 21:57 ` subashab
2016-07-28 5:08 ` Steffen Klassert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3e4bb514a6fc5316c093f5f39cc07762@codeaurora.org \
--to=subashab@codeaurora.org \
--cc=dsa@cumulusnetworks.com \
--cc=herbert@gondor.apana.org.au \
--cc=netdev-owner@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).