Re: Using VRF to limit 'ip monitor' and 'iw event' messages

[David Ahern <dsahern@kernel.org>]

On 5/18/26 3:51 PM, Ben Greear wrote:
> Hello David,
> 
> We are interested in filtering out iw and ip netlink events for
> processes bound
> to VRFs.

are you trying to filter out the events kernel side or in `ip monitor`?


> 
> For instance, Chromium starts spewing errors when we try to run it on a
> system with many
> network interfaces, we guess because it is being confused by all of the
> other network devices
> going up and down.
> 
> I think the crux of the problem is to know if a netlink listener socket
> is bound
> to a VRF or not, and also to know if the generator of the message is
> bound to
> a particular VRF.

so you are running `ip vrf exec` on ip monitor? ie., how is the netlink
socket getting bound to a device?

VRF is only a Layer 3 construct, and a netlink socket is not AF_INET or
AF_INET6.

> 
> Do you have any suggestions for how we might go about this?  We'll be
> happy to post
> the resulting patches for consideration to be included upstream.

You could add try a filter in `ip monitor` that looks at the device
index and only emit a message if "sk_bound_dev_if == N" where N is 0 for
default VRF or the VRF device ifindex. From there, you would have to
parse the message, identify the dump type, find the netdevice attribute
and then figure out if it is a VRF device or a port of a VRF device.
Going to be complicated.

Kernel side, netlink layer has no knowledge of the attributes, so I
don't see how a filter could work at that layer.

This reminds of the kind of filtering (ie., fine details) that Jamal
wanted to do for tc. Kind of hard to do given the various layers.