From: Mike Manning <mmanning@vyatta.att-mail.com>
Subject: [PATCH net-next 0/5] vrf: allow simultaneous service instances in default and other VRFs
Date: Thu, 20 Sep 2018 09:58:43 +0100
Message-ID: <20180920085848.17721-1-mmanning@vyatta.att-mail.com>
To: netdev@vger.kernel.org
Services currently have to be VRF-aware if they are using an unbound
socket. One cannot have multiple service instances running in the
default and other VRFs for services that are not VRF-aware and listen
on an unbound socket. This is because there is no way of isolating
packets received in the default VRF from those arriving in other VRFs.

This series provides this isolation subject to the existing kernel
parameter net.ipv4.tcp_l3mdev_accept not being set, given that this is
documented as allowing a single service instance to work across all
VRF domains. The functionality applies to UDP & TCP services, for IPv4
and IPv6, in particular adding VRF table handling for IPv6 multicast.

Example of running ssh instances in default and blue VRF:

$ /usr/sbin/sshd -D
$ ip vrf exec vrf-blue /usr/sbin/sshd
$ ss -ta | egrep 'State|ssh'
State   Recv-Q  Send-Q  Local Address:Port       Peer Address:Port
LISTEN  0       128     0.0.0.0%vrf-blue:ssh     0.0.0.0:*
LISTEN  0       128     0.0.0.0:ssh              0.0.0.0:*
ESTAB   0       0       192.168.122.220:ssh      192.168.122.1:50282
LISTEN  0       128     [::]%vrf-blue:ssh        [::]:*
LISTEN  0       128     [::]:ssh                 [::]:*
ESTAB   0       0       [3000::2]%vrf-blue:ssh   [3000::9]:45896
ESTAB   0       0       [2000::2]:ssh            [2000::9]:46398

Dewi Morgan (1):
  ipv6: do not drop vrf udp multicast packets

Mike Manning (1):
  ipv6: allow link-local and multicast packets inside vrf

Patrick Ruddy (1):
  ipv6: add vrf table handling code for ipv6 mcast

Robert Shearman (2):
  net: allow binding socket in a VRF when there's an unbound socket
  ipv4: Allow sending multicast packets on specific i/f using VRF socket

 Documentation/networking/vrf.txt |  9 ++++----
 drivers/net/vrf.c                | 30 ++++++++++++++++--------
 include/net/inet6_hashtables.h   |  5 ++--
 include/net/inet_hashtables.h    | 21 +++++++++++------
 include/net/inet_sock.h          | 13 +++++++++++
 net/core/sock.c                  |  2 ++
 net/ipv4/datagram.c              |  2 +-
 net/ipv4/inet_connection_sock.c  | 13 ++++++++---
 net/ipv4/inet_hashtables.c       | 34 +++++++++++++++++-----------
 net/ipv4/ip_sockglue.c           |  3 +++
 net/ipv4/ping.c                  |  2 +-
 net/ipv4/raw.c                   |  6 ++---
 net/ipv4/udp.c                   | 17 ++++++--------
 net/ipv6/datagram.c              |  5 +++-
 net/ipv6/inet6_hashtables.c      | 14 +++++-------
 net/ipv6/ip6_input.c             | 46 +++++++++++++++++++++++++++++++++----
 net/ipv6/ip6mr.c                 | 49 ++++++++++++++++++++++++++++++----------
 net/ipv6/ipv6_sockglue.c         |  5 +++-
 net/ipv6/raw.c                   |  6 ++---
 net/ipv6/udp.c                   | 22 ++++++++---------
 20 files changed, 208 insertions(+), 96 deletions(-)

-- 
2.11.0
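The cover letter's `ss -ta` output is the evidence an operator has for which sshd instance will answer a connection arriving in a given VRF. The script below is an added example, not part of this series or of the kernel tree; it parses `ss`-style LISTEN rows (the `%vrf-blue` suffix marks a socket bound to a VRF device), reads net.ipv4.tcp_l3mdev_accept, and applies the lookup rule the letter and Documentation/networking/vrf.txt describe: a VRF-bound listener serves only its VRF and is preferred there, while an unbound listener serves the default VRF and serves other VRFs only when tcp_l3mdev_accept is set. The sample `ss` lines are constructed to mirror the letter's example, with an extra unbound-only `http` listener added to show a service that is unreachable from vrf-blue. The sysctl path is the standard procfs one; the rule is simplified to the TCP case (UDP has its own udp_l3mdev_accept knob, not modelled here).

```python
"""Audit which VRFs each TCP listener will serve, from `ss -ta` output.

Added example (not kernel code). Models the lookup rule from the cover
letter and Documentation/networking/vrf.txt for TCP listeners only.
"""
from collections import namedtuple

# vrf is None for an unbound socket, otherwise the VRF device name.
Listener = namedtuple("Listener", "family addr port vrf")

DEFAULT_VRF = "default"          # sentinel for traffic in the default VRF
SYSCTL_PATH = "/proc/sys/net/ipv4/tcp_l3mdev_accept"

# Constructed sample: the cover letter's example plus an unbound-only http
# listener. Not real output from any host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port       Peer Address:Port
LISTEN  0       128     0.0.0.0%vrf-blue:ssh     0.0.0.0:*
LISTEN  0       128     0.0.0.0:ssh              0.0.0.0:*
ESTAB   0       0       192.168.122.220:ssh      192.168.122.1:50282
LISTEN  0       128     [::]%vrf-blue:ssh        [::]:*
LISTEN  0       128     [::]:ssh                 [::]:*
LISTEN  0       128     0.0.0.0:http             0.0.0.0:*
""".splitlines()


def parse_ss_listeners(lines):
    """Return Listener records for the LISTEN rows of `ss -ta` output."""
    listeners = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                      # header, ESTAB rows, blanks
        local = fields[3]                 # e.g. "[::]%vrf-blue:ssh"
        addr_part, _, port = local.rpartition(":")
        addr, _, vrf = addr_part.partition("%")
        family = "inet6" if addr.startswith("[") else "inet"
        listeners.append(Listener(family, addr, port, vrf or None))
    return listeners


def read_tcp_l3mdev_accept(path=SYSCTL_PATH):
    """Read the sysctl; treat a missing file (no VRF support) as 0."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 0


def serving_socket(listeners, family, port, vrf, tcp_l3mdev_accept):
    """Listener that accepts a SYN for `port` arriving in `vrf`, or None.

    A socket bound to that VRF wins; an unbound socket is used for the
    default VRF always, and for other VRFs only if tcp_l3mdev_accept=1.
    """
    candidates = [l for l in listeners if l.family == family and l.port == port]
    bound = [l for l in candidates if l.vrf == vrf]
    if bound:
        return bound[0]
    unbound = [l for l in candidates if l.vrf is None]
    if unbound and (vrf == DEFAULT_VRF or tcp_l3mdev_accept):
        return unbound[0]
    return None


def reachability(listeners, vrfs, tcp_l3mdev_accept):
    """Map (family, port) -> {vrf: 'vrf-bound' | 'unbound' | 'unreachable'}."""
    matrix = {}
    for key in sorted({(l.family, l.port) for l in listeners}):
        row = {}
        for vrf in vrfs:
            sock = serving_socket(listeners, key[0], key[1], vrf, tcp_l3mdev_accept)
            if sock is None:
                row[vrf] = "unreachable"
            elif sock.vrf is None:
                row[vrf] = "unbound"
            else:
                row[vrf] = "vrf-bound"
        matrix[key] = row
    return matrix


if __name__ == "__main__":
    accept = read_tcp_l3mdev_accept()
    lst = parse_ss_listeners(SAMPLE_SS_OUTPUT)
    print("net.ipv4.tcp_l3mdev_accept =", accept)
    for (family, port), row in reachability(lst, [DEFAULT_VRF, "vrf-blue", "vrf-red"], accept).items():
        print(family, port, row)
```

Run it on a live box as `ss -ta | python3 vrf_audit.py` after swapping SAMPLE_SS_OUTPUT for `sys.stdin`; a row showing "unbound" for a non-default VRF means the sysctl is set and that single instance is serving every VRF, which is exactly the configuration the series leaves untouched.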