From: David Ahern
Subject: Re: v6/sit tunnels and VRFs
Date: Thu, 26 Oct 2017 11:24:01 -0600
Message-ID: <9cade21c-5d92-d435-386f-6d854e6b6d55@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
To: Jeff Barnhill <0xeffeff@gmail.com>
Cc: netdev@vger.kernel.org
Content-Language: en-US
Sender: netdev-owner@vger.kernel.org

On 10/25/17 9:28 PM, Jeff Barnhill wrote:
> Thanks, David.
>
> VM1:
> sudo ip addr add 192.168.200.1/24 dev enp0s8 broadcast 192.168.200.255
> sudo ip link set enp0s8 up
> sudo ip route add 192.168.210.0/24 nexthop via 192.168.200.3 dev enp0s8
> sudo ip tunnel add jtun mode sit remote 192.168.210.2 local 192.168.200.1
> sudo ip -6 addr add 2001::1/64 dev jtun
> sudo ip link set jtun up
>
> VM2:
> sudo ip addr add 192.168.210.2/24 dev enp0s8 broadcast 192.168.210.255
> sudo ip link set enp0s8 up
> sudo ip route add 192.168.200.0/24 nexthop via 192.168.210.3 dev enp0s8
> sudo ip link add dev myvrf type vrf table 256
> sudo ip link set myvrf up
> sudo ip link set enp0s8 vrf myvrf

You lost the static route by doing the enslaving here. When the device is
added to or removed from a VRF it is cycled specifically to dump routes and
neighbor entries associated with the prior vrf.
Always create the vrf and enslave first, then add routes:

sudo ip link add dev myvrf type vrf table 256
sudo ip link set myvrf up
sudo ip link set enp0s8 vrf myvrf
sudo ip addr add 192.168.210.2/24 dev enp0s8 broadcast 192.168.210.255
sudo ip link set enp0s8 up
sudo ip route add 192.168.200.0/24 nexthop via 192.168.210.3 dev enp0s8

That said, the above works for the wrong reason -- it is not really doing
VRF based routing. For that to happen, the static route should be added to
the vrf table:

sudo ip route add vrf myvrf 192.168.200.0/24 nexthop via 192.168.210.3 dev enp0s8

And ...

> sudo ip tunnel add jtun mode sit remote 192.168.200.1 local 192.168.210.2

you need to specify the link on the tunnel create:

sudo ip tunnel add jtun mode sit remote 192.168.200.1 local 192.168.210.2 dev enp0s8

And ... The tunnel lookup needs to account for the VRF device switch:

(whitespace damaged on paste)

diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c index a799f5258614..cf0512054fa7 100644 --- a/net/ipv6/sit.c +++ b/net/ipv6/sit.c @@ -632,11 +632,18 @@ static bool packet_is_spoofed(struct sk_buff *skb, static int ipip6_rcv(struct sk_buff *skb) { const struct iphdr *iph = ip_hdr(skb); + struct net_device *dev = skb->dev; + struct net *net = dev_net(dev); struct ip_tunnel *tunnel; int err; - tunnel = ipip6_tunnel_lookup(dev_net(skb->dev), skb->dev, - iph->saddr, iph->daddr); + if (netif_is_l3_master(dev)) { + dev = dev_get_by_index_rcu(net, IPCB(skb)->iif); + if (!dev) + goto out; + } + + tunnel = ipip6_tunnel_lookup(net, dev, iph->saddr, iph->daddr); if (tunnel) { struct pcpu_sw_netstats *tstats;
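Review bot: the `goto out;` taken when `dev_get_by_index_rcu(net, IPCB(skb)->iif)` returns NULL jumps to a label outside this hunk's context; confirm that `out:` in ipip6_rcv() frees the skb so that a packet delivered via an l3mdev whose recorded ingress ifindex no longer resolves is dropped rather than leaked. A short comment above the `if (netif_is_l3_master(dev))` branch would also help future readers: the tunnel was created with `dev enp0s8`, so ipip6_tunnel_lookup() has to be given the enslaved ingress device recovered from `IPCB(skb)->iif`, not the VRF master that `skb->dev` now points at, otherwise the lookup silently misses and the tunnel never receives.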