Message-ID: <cover.1749499963.git.petrm@nvidia.com>
Date: Mon, 9 Jun 2025 22:50:16 +0200
From: Petr Machata <petrm@...dia.com>
To: "David S. Miller" <davem@...emloft.net>, Eric Dumazet
	<edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni
	<pabeni@...hat.com>, David Ahern <dsahern@...il.com>,
	<netdev@...r.kernel.org>
CC: Simon Horman <horms@...nel.org>, Nikolay Aleksandrov
	<razor@...ckwall.org>, Ido Schimmel <idosch@...dia.com>, Petr Machata
	<petrm@...dia.com>, <mlxsw@...dia.com>
Subject: [PATCH net-next 00/14] ipmr, ip6mr: Allow MC-routing locally-generated MC packets

Multicast routing is today handled in the input path. Locally generated MC
packets don't hit the IPMR code. Thus if a VXLAN remote address is
multicast, the driver needs to set an OIF during route lookup. In practice
that means that MC routing configuration needs to be kept in sync with the
VXLAN FDB and MDB. Ideally, the VXLAN packets would be routed by the MC
routing code instead.

To that end, this patchset adds support to route locally generated
multicast packets.

However, an installation that uses a VXLAN underlay netdevice for which it
also has matching MC routes, would get a different routing with this patch.
Previously, the MC packets would be delivered directly to the underlay
port, whereas now they would be MC-routed. In order to avoid this change in
behavior, introduce an IPCB/IP6CB flag. Unless the flag is set, the new
MC-routing code is skipped.

All this is keyed to a new VXLAN attribute, IFLA_VXLAN_MC_ROUTE. Only when
it is set does any of the above engage.

In addition to that, and as is the case today with MC forwarding,
IPV4_DEVCONF_MC_FORWARDING must be enabled for the netdevice that acts as a
source of MC traffic (i.e. the VXLAN PHYS_DEV), so an MC daemon must be
attached to the netdevice.

When a VXLAN netdevice with an MC remote is brought up, the physical
netdevice joins the indicated MC group. This is important for local
delivery of MC packets, so it is still necessary to configure a physical
netdevice -- the parameter cannot go away. The netdevice would however
typically not be a front panel port, but a dummy. An MC daemon would then
sit on top of that netdevice as well as any front panel ports that it needs
to service, and have routes set up between the two.

A way to configure the VXLAN netdevice to take advantage of the new MC
routing would be:

 # ip link add name d up type dummy
 # ip link add name vx10 up type vxlan id 1000 dstport 4789 \
	local 192.0.2.1 group 225.0.0.1 ttl 16 dev d mcroute
 # ip link set dev vx10 master br # plus vlans etc.

With the following MC routes:

 (192.0.2.1, 225.0.0.1) iif=d oil=swp1,swp2 # TX route
 (*, 225.0.0.1) iif=swp1 oil=d,swp2         # RX route
 (*, 225.0.0.1) iif=swp2 oil=d,swp1         # RX route

The RX path has not changed, with the exception of an extra MC hop. Packets
are delivered to the front panel port and MC-forwarded to the VXLAN
physical port, here "d". Since the port has joined the multicast group, the
packets are locally delivered, and end up being processed by the VXLAN
netdevice.

This patchset is based on earlier patches from Nikolay Aleksandrov and
Roopa Prabhu, though it underwent significant changes. Roopa broadly
presented the topic at LPC 2019 [0].

Patchset progression:

- Patches #1 to #4 add ip_mr_output()
- Patches #5 to #9 add ip6_mr_output()
- Patch #10 adds the VXLAN bits to enable MR engagement
- Patches #11 to #13 prepare selftest libraries
- Patch #14 includes a new test suite

[0] https://www.youtube.com/watch?v=xlReECfi-uo

Petr Machata (14):
  net: ipv4: Add a flags argument to iptunnel_xmit(),
    udp_tunnel_xmit_skb()
  net: ipv4: ipmr: ipmr_queue_xmit(): Drop local variable `dev'
  net: ipv4: ipmr: Split ipmr_queue_xmit() in two
  net: ipv4: Add ip_mr_output()
  net: ipv6: Make udp_tunnel6_xmit_skb() void
  net: ipv6: Add a flags argument to ip6tunnel_xmit(),
    udp_tunnel6_xmit_skb()
  net: ipv6: ip6mr: Fix in/out netdev to pass to the FORWARD chain
  net: ipv6: ip6mr: Extract a helper out of ip6mr_forward2()
  net: ipv6: Add ip6_mr_output()
  vxlan: Support MC routing in the underlay
  selftests: forwarding: lib: Move smcrouted helpers here
  selftests: net: lib: Add ip_link_has_flag()
  selftests: forwarding: adf_mcd_start(): Allow configuring custom
    interfaces
  selftests: forwarding: Add a test for verifying VXLAN MC underlay

 drivers/net/amt.c                             |   9 +-
 drivers/net/bareudp.c                         |   7 +-
 drivers/net/geneve.c                          |   7 +-
 drivers/net/gtp.c                             |  12 +-
 drivers/net/ovpn/udp.c                        |   4 +-
 drivers/net/vxlan/vxlan_core.c                |  23 +-
 drivers/net/wireguard/socket.c                |   4 +-
 include/linux/ipv6.h                          |   1 +
 include/linux/mroute6.h                       |   7 +
 include/net/ip.h                              |   2 +
 include/net/ip6_tunnel.h                      |   3 +-
 include/net/ip_tunnels.h                      |   2 +-
 include/net/udp_tunnel.h                      |  17 +-
 include/net/vxlan.h                           |   5 +-
 include/uapi/linux/if_link.h                  |   1 +
 net/ipv4/ip_tunnel.c                          |   4 +-
 net/ipv4/ip_tunnel_core.c                     |   4 +-
 net/ipv4/ipmr.c                               | 169 +++-
 net/ipv4/route.c                              |   2 +-
 net/ipv4/udp_tunnel_core.c                    |   5 +-
 net/ipv6/ip6_tunnel.c                         |   2 +-
 net/ipv6/ip6_udp_tunnel.c                     |  18 +-
 net/ipv6/ip6mr.c                              | 137 +++-
 net/ipv6/route.c                              |   1 +
 net/ipv6/sit.c                                |   2 +-
 net/sctp/ipv6.c                               |   7 +-
 net/sctp/protocol.c                           |   3 +-
 net/tipc/udp_media.c                          |  12 +-
 .../testing/selftests/net/forwarding/Makefile |   1 +
 tools/testing/selftests/net/forwarding/lib.sh |  43 +
 .../net/forwarding/router_multicast.sh        |  31 +-
 .../net/forwarding/vxlan_bridge_1q_mc_ul.sh   | 757 ++++++++++++++++++
 tools/testing/selftests/net/lib.sh            |  12 +-
 33 files changed, 1199 insertions(+), 115 deletions(-)
 create mode 100755 tools/testing/selftests/net/forwarding/vxlan_bridge_1q_mc_ul.sh

-- 
2.49.0
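
Added example (not part of the patchset or of the original message): a Python sketch that parses the three MC routes in the notation used in the cover letter and checks them against the VXLAN parameters from the `ip link` command. The function names, the simplified (S,G)-before-(*,G) lookup and the assumption that remote VTEPs are reached through the same ports used for transmit are assumptions of this example, not the kernel's lookup code.

```python
import re

# The three routes from the cover letter, in its own informal notation.
PAGE_ROUTES = """\
(192.0.2.1, 225.0.0.1) iif=d oil=swp1,swp2 # TX route
(*, 225.0.0.1) iif=swp1 oil=d,swp2         # RX route
(*, 225.0.0.1) iif=swp2 oil=d,swp1         # RX route
"""

LINE = re.compile(r"\((\S+),\s*(\S+)\)\s+iif=(\S+)\s+oil=(\S+)")


def parse_routes(text):
    """Return a list of (source, group, iif, [oifs]) tuples."""
    routes = []
    for line in text.splitlines():
        m = LINE.match(line.split("#")[0].strip())  # drop trailing comment
        if m:
            src, grp, iif, oil = m.groups()
            routes.append((src, grp, iif, oil.split(",")))
    return routes


def lookup(routes, src, grp, iif):
    """Simplified model: an (S,G) match wins over (*,G); group and iif must match."""
    star = None
    for route in routes:
        if route[1] == grp and route[2] == iif:
            if route[0] == src:
                return route
            if route[0] == "*":
                star = route
    return star


def check_underlay(routes, local, group, phys_dev):
    """List problems for a VXLAN with the given local address, group and PHYS_DEV."""
    tx = lookup(routes, local, group, phys_dev)
    if tx is None:
        return [f"no TX route for ({local}, {group}) iif={phys_dev}"]
    problems = []
    for port in tx[3]:
        # Assumption: traffic from remote VTEPs arrives on the ports we transmit on,
        # so each needs an RX route that forwards the group to phys_dev, which has
        # joined the group and delivers locally to the VXLAN netdevice.
        rx = lookup(routes, "*", group, port)
        if rx is None or phys_dev not in rx[3]:
            problems.append(f"{port}: no RX route delivering {group} to {phys_dev}")
    return problems
```
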

