From: Xin Long <lucien.xin@gmail.com>
To: network dev <netdev@vger.kernel.org>, netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, Pablo Neira Ayuso <pablo@netfilter.org>
Subject: [PATCH nf-next 0/7] netfilter: nft_tunnel: reinforce key opts support
Date: Sun, 8 Dec 2019 12:41:30 +0800 [thread overview]
Message-ID: <cover.1575779993.git.lucien.xin@gmail.com> (raw)
This patchset improves quite a few places to make vxlan/erspan
opts in nft_tunnel work with userspace nftables/libnftnl, and
also keep consistent with the support for vxlan/erspan opts in
act_tunnel_key, cls_flower and ip_tunnel_core.
Meanwhile, add support for geneve opts in nft_tunnel. One patch
for nftables and one for libnftnl will be posted here for the
testing. With them, nft_tunnel can be set and used by:
# nft add table ip filter
# nft add chain ip filter input { type filter hook input priority 0 \; }
# nft add tunnel filter vxlan_01 { type vxlan\; id 2\; \
ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \
sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \
opts \"ffff\"\; }
# nft add tunnel filter erspan_01 { type erspan\; id 2\; \
ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \
sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \
opts \"1:1:0:0\"\; }
# nft add tunnel filter erspan_02 { type erspan\; id 2\; \
ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \
sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \
opts \"2:0:1:1\"\; }
# nft add tunnel filter geneve_01 { type geneve\; id 2\; \
ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \
sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \
opts \"1:1:1212121234567890\"\; }
# nft add tunnel filter geneve_02 { type geneve\; id 2\; \
ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \
sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \
opts \"1:1:34567890,2:2:12121212,3:3:1212121234567890\"\; }
# nft list tunnels table filter
# nft add rule filter input ip protocol udp tunnel name geneve_02
# nft add rule filter input meta l4proto udp tunnel id 2 drop
# nft add rule filter input meta l4proto udp tunnel path 0 drop
# nft list chain filter input -a
Xin Long (7):
netfilter: nft_tunnel: parse ERSPAN_VERSION attr as u8
netfilter: nft_tunnel: parse VXLAN_GBP attr as u32 in nft_tunnel
netfilter: nft_tunnel: no need to call htons() when dumping ports
netfilter: nft_tunnel: also dump ERSPAN_VERSION
netfilter: nft_tunnel: also dump OPTS_ERSPAN/VXLAN
netfilter: nft_tunnel: add the missing nla_nest_cancel()
netfilter: nft_tunnel: add support for geneve opts
include/uapi/linux/netfilter/nf_tables.h | 10 ++
net/netfilter/nft_tunnel.c | 170 +++++++++++++++++++++++++------
2 files changed, 151 insertions(+), 29 deletions(-)
--
2.1.0
next reply other threads:[~2019-12-08 4:42 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-08 4:41 Xin Long [this message]
2019-12-08 4:41 ` [PATCH nf-next 1/7] netfilter: nft_tunnel: parse ERSPAN_VERSION attr as u8 Xin Long
2019-12-09 20:03 ` Simon Horman
2019-12-10 4:05 ` Xin Long
2019-12-13 9:30 ` Simon Horman
2019-12-17 21:39 ` Pablo Neira Ayuso
2019-12-11 21:51 ` Pablo Neira Ayuso
2019-12-12 3:20 ` Xin Long
2019-12-12 12:33 ` Pablo Neira Ayuso
2019-12-08 4:41 ` [PATCH nf-next 2/7] netfilter: nft_tunnel: parse VXLAN_GBP attr as u32 in nft_tunnel Xin Long
2019-12-11 21:52 ` Pablo Neira Ayuso
2019-12-08 4:41 ` [PATCH nf-next 3/7] netfilter: nft_tunnel: no need to call htons() when dumping ports Xin Long
2019-12-11 21:53 ` Pablo Neira Ayuso
2019-12-11 22:06 ` Pablo Neira Ayuso
2019-12-11 22:06 ` Pablo Neira Ayuso
2019-12-11 21:57 ` Pablo Neira Ayuso
2019-12-08 4:41 ` [PATCH nf-next 4/7] netfilter: nft_tunnel: also dump ERSPAN_VERSION Xin Long
2019-12-11 21:53 ` Pablo Neira Ayuso
2019-12-08 4:41 ` [PATCH nf-next 5/7] netfilter: nft_tunnel: also dump OPTS_ERSPAN/VXLAN Xin Long
2019-12-11 21:55 ` Pablo Neira Ayuso
2019-12-08 4:41 ` [PATCH nf-next 6/7] netfilter: nft_tunnel: add the missing nla_nest_cancel() Xin Long
2019-12-11 21:55 ` Pablo Neira Ayuso
2019-12-08 4:41 ` [PATCH nf-next 7/7] netfilter: nft_tunnel: add support for geneve opts Xin Long
2019-12-08 4:51 ` [PATCH nf-next 0/7] netfilter: nft_tunnel: reinforce key opts support Xin Long
2019-12-12 3:02 ` Xin Long
2019-12-12 12:39 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cover.1575779993.git.lucien.xin@gmail.com \
--to=lucien.xin@gmail.com \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).