From: David Ahern <dsa@cumulusnetworks.com>
To: Mahesh Bandewar <mahesh@bandewar.net>, netdev <netdev@vger.kernel.org>
Cc: Eric Dumazet <edumazet@google.com>,
David Miller <davem@davemloft.net>,
Mahesh Bandewar <maheshb@google.com>
Subject: Re: [PATCHv4 next 3/3] ipvlan: Introduce l3s mode
Date: Sun, 18 Sep 2016 10:57:35 -0600
Message-ID: <b8002d08-ff4a-b53e-6dff-2cf969db3189@cumulusnetworks.com>
In-Reply-To: <1474055959-12565-1-git-send-email-mahesh@bandewar.net>
On 9/16/16 1:59 PM, Mahesh Bandewar wrote:
> From: Mahesh Bandewar <maheshb@google.com>
>
> In a typical IPvlan L3 setup, the master is in the default-ns and
> each slave is in a different (slave) ns. In this setup, egress
> packet processing for traffic originating from the slave-ns will
> hit all NF_HOOKs in the slave-ns as well as the default-ns. However,
> the same is not true for ingress processing: all these NF_HOOKs are
> hit only in the slave-ns, skipping them in the default-ns.
> IPvlan in L3 mode is restrictive, and if admins want to deploy
> iptables rules in the default-ns, this asymmetric data path makes it
> impossible to do so.
>
> This patch makes use of l3_rcv() (added as part of the l3mdev
> enhancements) to perform an input route lookup on RX packets without
> changing skb->dev, and then uses an nf_hook at NF_INET_LOCAL_IN
> to change skb->dev just before handing the skb over to L4.
Today's l3 mode only allows netfilter Rx rules on ipvlan devices in the slave-ns, since skb->dev is changed to the ipvlan device and the namespace crossing happens in the rx-handler.
This new l3s mode only allows Rx rules on the parent devices (e.g., eth1) in the default-ns, since skb->dev stays as the parent device until the NF_HOOK is run. Specifically, you can't put rules on both eth1 and ipvl0, since the packet never goes through L3 with the ipvlan device set?
So the 'symmetric' is with respect to the parent device in the default-ns.
Also, there is no longer an explicit namespace crossing; that happens via the route lookup and setting dst on the skb. I guess for this use case it is ok.
>
> Signed-off-by: Mahesh Bandewar <maheshb@google.com>
> CC: David Ahern <dsa@cumulusnetworks.com>
> ---
> Documentation/networking/ipvlan.txt | 7 ++-
> drivers/net/Kconfig | 1 +
> drivers/net/ipvlan/ipvlan.h | 6 +++
> drivers/net/ipvlan/ipvlan_core.c | 94 +++++++++++++++++++++++++++++++++++++
> drivers/net/ipvlan/ipvlan_main.c | 87 +++++++++++++++++++++++++++++++---
> include/uapi/linux/if_link.h | 1 +
> 6 files changed, 188 insertions(+), 8 deletions(-)
Reviewed-by: David Ahern <dsa@cumulusnetworks.com>