Message-Id: <20160814140652.15985-1-amir@vadai.me>
Date:	Sun, 14 Aug 2016 17:06:50 +0300
From:	Amir Vadai <amir@...ai.me>
To:	Jamal Hadi Salim <jhs@...atatu.com>, Jiri Pirko <jiri@...lanox.com>
Cc:	netdev@...r.kernel.org, Or Gerlitz <ogerlitz@...lanox.com>,
	Hadar Har-Zion <hadarh@...lanox.com>,
	Oded Shanoon <odeds@...lanox.com>,
	Amir Vadai <amirva@...lanox.com>
Subject: [RFC net-next 0/2] net/sched: cls_flower, act_mirred: VXLAN redirect using TC

From: Amir Vadai <amirva@...lanox.com>

Hi,

I would like to make it possible to manage VXLAN encap/decap using the flower
classifier, mirred action and vxlan device.
In order to make the solution scalable, I'm using a shared vxlan device, with
encapsulation information packed in the metadata - by the mirred action in the
encap flow, and used in the decap flow by the flower classifier.

For example, for the virt use case:
# [uplink NIC] --{cls_flower & mirred}--> [vxlan dev] --{udp/ip stack}--> [tap]
# [tap dev] --{udp/ip stack}--> [vxlan dev] --{cls_flower & mirred}--> [uplink NIC]
# In the example, the vxlan tunnel IPs are 11.11.11.* and the real devices' IPs
# are 11.11.0.*

ip link add $VXLAN type vxlan dstport 4789 external

ifconfig $VXLAN up

tc qdisc add dev $ETH ingress

# ENCAP rule for ARP
tc filter add dev $ETH protocol 0x806 parent ffff: prio 11 \
		flower \
		action mirred egress redirect dev $VXLAN enc_src_ip 11.11.0.1 enc_dst_ip 11.11.0.2 enc_key_id 11 enc_dst_port 4789

# ENCAP rule for ICMP
tc filter add dev $ETH protocol ip parent ffff: prio 10 \
		flower ip_proto 1 \
		action mirred egress redirect dev $VXLAN enc_src_ip 11.11.0.1 enc_dst_ip 11.11.0.2 enc_key_id 11 enc_dst_port 4789

tc qdisc add dev $VXLAN ingress

# DECAP rule for ARP
tc filter add dev $VXLAN protocol 0x806 parent ffff: prio 11 \
		flower enc_src_ip 11.11.0.2 enc_dst_ip 11.11.0.1 enc_key_id 11 \
		action mirred egress redirect dev $ETH

# DECAP rule for ICMP
tc filter add dev $VXLAN protocol ip parent ffff: prio 10 \
		flower enc_src_ip 11.11.0.2 enc_dst_ip 11.11.0.1 enc_key_id 11 \
		action mirred egress redirect dev $ETH

The next step will be to enable offloading of those rules.

The following two patches to cls_flower and act_mirred were used to validate and
test this approach, and are supplied to make things clearer; they will be modified
before the actual submission.

Thanks,
Amir

Amir Vadai (2):
  net/sched: cls_flower: Introduce classify by vxlan outer headers
  net/sched: act_mirred: Introduce vxlan support

 include/net/tc_act/tc_mirred.h        |  5 +++
 include/uapi/linux/pkt_cls.h          | 11 +++++
 include/uapi/linux/tc_act/tc_mirred.h |  7 ++++
 net/sched/act_mirred.c                | 79 +++++++++++++++++++++++++++++++++++
 net/sched/cls_flower.c                | 53 +++++++++++++++++++++++
 5 files changed, 155 insertions(+)

-- 
2.9.0
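
As an added example (not code from this RFC, the kernel or iproute2), the C program below models what the two patches hand each other through the tunnel metadata: it builds the outer IPv4/UDP/VXLAN headers from enc_src_ip/enc_dst_ip/enc_key_id/enc_dst_port around an inner frame (the encap direction), validates and strips them back into that metadata (the decap direction), and applies a decap rule with the same values as the cover letter's DECAP rules (11.11.0.2 -> 11.11.0.1, key 11). Header layouts follow RFC 791, RFC 768 and RFC 7348; the struct and function names, the 64-byte zero inner frame and the UDP source port are this example's own assumptions.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

enum { IP_HDR_LEN = 20, UDP_HDR_LEN = 8, VXLAN_HDR_LEN = 8, OUTER_LEN = 36,
       VXLAN_PORT = 4789, VXLAN_FLAG_I = 0x08 /* "VNI present" flag byte, RFC 7348 */ };

/* Tunnel metadata (enc_src_ip/enc_dst_ip/enc_key_id/enc_dst_port), host byte order;
 * this example's own layout, not the kernel's ip_tunnel_key. */
struct enc_md {
    uint32_t src_ip, dst_ip;
    uint32_t key_id;     /* VNI, 24 bits */
    uint16_t dst_port;   /* 0 in a rule means "not matched" */
};

static uint32_t ip4(const char *s) { struct in_addr a; return inet_pton(AF_INET, s, &a) == 1 ? ntohl(a.s_addr) : 0; }
static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v >> 16); put16(p + 2, v & 0xffff); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t get32(const uint8_t *p) { return (uint32_t)get16(p) << 16 | get16(p + 2); }

/* RFC 1071 checksum (even byte count); 0 when the header's checksum field is already valid. */
static uint16_t ip_csum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += get16(p + i);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Encap side (mirred's job in the RFC): prepend outer IPv4/UDP/VXLAN headers built
 * from md to an inner L2 frame. Returns the total length, or 0 if out is too small. */
size_t vxlan_encap(const struct enc_md *md, const uint8_t *inner, size_t inner_len,
                   uint8_t *out, size_t out_cap)
{
    if (out_cap < OUTER_LEN + inner_len || md->key_id > 0xffffff) return 0;
    uint8_t *ip = out, *udp = out + IP_HDR_LEN, *vx = udp + UDP_HDR_LEN;
    memset(out, 0, OUTER_LEN);
    ip[0] = 0x45;                                   /* IPv4, no options */
    put16(ip + 2, (uint16_t)(OUTER_LEN + inner_len));
    ip[8] = 64;                                     /* TTL */
    ip[9] = 17;                                     /* UDP */
    put32(ip + 12, md->src_ip);
    put32(ip + 16, md->dst_ip);
    put16(ip + 10, ip_csum(ip, IP_HDR_LEN));
    put16(udp, 49152);                              /* source port: constructed value */
    put16(udp + 2, md->dst_port);
    put16(udp + 4, (uint16_t)(UDP_HDR_LEN + VXLAN_HDR_LEN + inner_len));
    vx[0] = VXLAN_FLAG_I;                           /* UDP checksum stays 0 (RFC 7348, IPv4) */
    vx[4] = (uint8_t)(md->key_id >> 16);
    vx[5] = (uint8_t)(md->key_id >> 8);
    vx[6] = (uint8_t)md->key_id;
    memcpy(vx + VXLAN_HDR_LEN, inner, inner_len);
    return OUTER_LEN + inner_len;
}

/* Decap side: validate the outer headers, recover the metadata that flower's enc_*
 * keys are matched against and locate the inner frame. Returns -1 if malformed. */
int vxlan_decap(const uint8_t *pkt, size_t len, struct enc_md *md,
                const uint8_t **inner, size_t *inner_len)
{
    const uint8_t *ip = pkt, *udp = pkt + IP_HDR_LEN, *vx = udp + UDP_HDR_LEN;
    if (len < OUTER_LEN || ip[0] != 0x45 || ip[9] != 17) return -1;
    if (get16(ip + 2) != len || ip_csum(ip, IP_HDR_LEN) != 0 ||
        get16(udp + 4) != len - IP_HDR_LEN) return -1;
    /* I flag set and reserved bytes zero (stricter than RFC 7348's ignore-on-receipt) */
    if (vx[0] != VXLAN_FLAG_I || vx[1] || vx[2] || vx[3] || vx[7]) return -1;
    md->src_ip = get32(ip + 12);
    md->dst_ip = get32(ip + 16);
    md->key_id = (uint32_t)vx[4] << 16 | (uint32_t)vx[5] << 8 | vx[6];
    md->dst_port = get16(udp + 2);
    *inner = vx + VXLAN_HDR_LEN;
    *inner_len = len - OUTER_LEN;
    return 0;
}

/* flower semantics: every enc_* key set in the rule must equal the packet's. */
int flower_enc_match(const struct enc_md *rule, const struct enc_md *md)
{
    return rule->src_ip == md->src_ip && rule->dst_ip == md->dst_ip &&
           rule->key_id == md->key_id &&
           (rule->dst_port == 0 || rule->dst_port == md->dst_port);
}

static const uint8_t inner_frame[64];   /* constructed stand-in for an inner Ethernet frame */

/* Constructed packet from the remote VTEP, 11.11.0.2 -> 11.11.0.1, on the given VNI,
 * run through the cover letter's DECAP rule (enc_key_id 11):
 * 1 = classified, 0 = falls through unmatched, -1 = dropped before classification. */
int example_decap_rule(uint32_t vni, int clear_flags)
{
    struct enc_md remote = { ip4("11.11.0.2"), ip4("11.11.0.1"), vni, VXLAN_PORT };
    struct enc_md rule = { ip4("11.11.0.2"), ip4("11.11.0.1"), 11, 0 }, got;
    const uint8_t *in; size_t in_len; uint8_t pkt[256];
    size_t n = vxlan_encap(&remote, inner_frame, sizeof inner_frame, pkt, sizeof pkt);
    if (clear_flags) pkt[IP_HDR_LEN + UDP_HDR_LEN] = 0;   /* corrupt the VXLAN flags byte */
    if (n == 0 || vxlan_decap(pkt, n, &got, &in, &in_len) != 0 || in_len != sizeof inner_frame)
        return -1;
    return flower_enc_match(&rule, &got);
}
```

example_decap_rule(11, 0) returns 1 (the packet is classified by the decap rule), example_decap_rule(12, 0) returns 0 (a foreign VNI falls through that rule) and example_decap_rule(11, 1) returns -1 (a malformed VXLAN header is dropped before any classifier sees it). Two things this makes visible about the rules in the cover letter: the enc_src_ip/enc_dst_ip/enc_key_id values a decap rule keys on are plaintext, unauthenticated fields of the outer packet, so the match is only as strong as the underlay's own source-address filtering; and a packet on a VNI that matches no filter is not dropped by the ingress qdisc but continues into the vxlan device's normal receive path, so anything that must not be delivered needs an explicit filter of its own.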
