netdev.vger.kernel.org archive mirror
From: David Ahern <dsahern@gmail.com>
To: Stephen Suryaputra <ssuryaextr@gmail.com>
Cc: netdev@vger.kernel.org
Subject: Re: ip rule iif oif and vrf
Date: Wed, 23 Sep 2020 19:47:16 -0600
Message-ID: <ccba2d59-58ad-40ca-0a09-b55c90e9145e@gmail.com>
In-Reply-To: <20200923235002.GA25818@ICIPI.localdomain>

On 9/23/20 5:50 PM, Stephen Suryaputra wrote:
> 
> I have a reproducer using namespaces attached in this email (gre_setup.sh).

Thanks for the script. Very helpful.

Interesting setup.


# +-------+     +----------+   +----------+   +-------+
# | h0    |     |    r0    |   |    r1    |   |    h1 |
# |    v00+-----+v00    v01+---+v10    v11+---+v11    |
# |       |     |          |   |          |   |       |
# +-------+     +----------+   +----------+   +-------+
#                  |    <===gre===>    |
#                  | gre01       gre10 |
#                  |                   |
#          vrf_r0t | vrf_r0c   vrf_r1c | vrf_r1t
#         (tenant)        (core)         (tenant)
# h0_v00 10.0.0.2/24     r0_v00 10.0.0.1/24
# r0_v01 1.1.1.1/24      r1_v10 1.1.1.2/24
# h1_v11 11.0.0.2/24     r1_v11 11.0.0.1/24
# gre01 2.2.2.1/30       gre10 2.2.2.2/30


You have route leaking for the jump from tenant to core and the gre
devices in the core VRF. For the jump from core to tenant, you are
trying to use fib rules based on gre device index.

Yea, that is not going to work since the skb->dev is set to the VRF
device and it is not a simple change to remove that swap.

If I remove the fib rules and add VRF route leaking from core to tenant
it works. Why is that not an option? Overlapping tenant addresses?

One thought to get around it is adding support for a new FIB rule type
-- say l3mdev_port. That rule can look at the real ingress device which
is saved in the skb->cb as IPCB(skb)->iif.
