From mboxrd@z Thu Jan 1 00:00:00 1970
From: Mike Manning
Subject: [PATCH net-next v3 0/9] vrf: allow simultaneous service instances in default and other VRFs
Date: Thu, 4 Oct 2018 16:12:05 +0100
Message-ID: <20181004151214.8522-1-mmanning@vyatta.att-mail.com>
To: netdev@vger.kernel.org
Sender: netdev-owner@vger.kernel.org

Services currently have to be VRF-aware if they are using an unbound
socket. One cannot have multiple service instances running in the default
and other VRFs for services that are not VRF-aware and listen on an unbound
socket. This is because there is no way of isolating packets received in
the default VRF from those arriving in other VRFs.

This series provides this isolation subject to the existing kernel
parameter net.ipv4.tcp_l3mdev_accept not being set, given that this is
documented as allowing a single service instance to work across all VRF
domains. The functionality applies to UDP & TCP services, for IPv4 and
IPv6, in particular adding VRF table handling for IPv6 multicast.

Example of running ssh instances in default and blue VRF:

$ /usr/sbin/sshd -D
$ ip vrf exec vrf-blue /usr/sbin/sshd
$ ss -ta | egrep 'State|ssh'
State   Recv-Q  Send-Q  Local Address:Port       Peer Address:Port
LISTEN  0       128     0.0.0.0%vrf-blue:ssh     0.0.0.0:*
LISTEN  0       128     0.0.0.0:ssh              0.0.0.0:*
ESTAB   0       0       192.168.122.220:ssh      192.168.122.1:50282
LISTEN  0       128     [::]%vrf-blue:ssh        [::]:*
LISTEN  0       128     [::]:ssh                 [::]:*
ESTAB   0       0       [3000::2]%vrf-blue:ssh   [3000::9]:45896
ESTAB   0       0       [2000::2]:ssh            [2000::9]:46398

v1:
- Address Paolo Abeni's comments (patch 4/5)
- Fix build when CONFIG_NET_L3_MASTER_DEV not defined (patch 1/5)

v2:
- Address David Ahern's comments (patches 4/5 and 5/5)
- Remove patches 3/5 and 5/5 from series for individual submissions
- Include a sysctl for raw sockets as recommended by David Ahern
- Expand series into 10 patches and provide improved descriptions

v3:
- Update description for patch 1/10 and remove patch 6/10

Dewi Morgan (1):
  ipv6: do not drop vrf udp multicast packets

Duncan Eastoe (1):
  net: fix raw socket lookup device bind matching with VRFs

Mike Manning (6):
  net: ensure unbound stream socket to be chosen when not in a VRF
  net: ensure unbound datagram socket to be chosen when not in a VRF
  net: provide a sysctl raw_l3mdev_accept for raw socket lookup with VRFs
  vrf: mark skb for multicast or link-local as enslaved to VRF
  ipv6: allow ping to link-local address in VRF
  ipv6: handling of multicast packets received in VRF

Robert Shearman (1):
  net: allow binding socket in a VRF when there's an unbound socket

 Documentation/networking/ip-sysctl.txt |  9 +++++++++
 Documentation/networking/vrf.txt       | 17 ++++++++++-------
 drivers/net/vrf.c                      | 19 +++++++++---------
 include/net/inet6_hashtables.h         |  5 ++---
 include/net/inet_hashtables.h          | 24 ++++++++++++++++-------
 include/net/inet_sock.h                | 21 ++++++++++++++++++++
 include/net/netns/ipv4.h               |  3 +++
 include/net/raw.h                      | 12 ++++++++++++
 include/net/udp.h                      | 11 +++++++++++
 net/core/sock.c                        |  2 ++
 net/ipv4/inet_connection_sock.c        | 13 ++++++++++---
 net/ipv4/inet_hashtables.c             | 34 ++++++++++++++++++++------------
 net/ipv4/raw.c                         |  3 +--
 net/ipv4/sysctl_net_ipv4.c             | 11 +++++++++++
 net/ipv4/udp.c                         | 15 ++++++---------
 net/ipv6/datagram.c                    |  5 ++++-
 net/ipv6/inet6_hashtables.c            | 14 ++++++--------
 net/ipv6/ip6_input.c                   | 35 +++++++++++++++++++++++++++++++---
 net/ipv6/ipv6_sockglue.c               |  2 +-
 net/ipv6/raw.c                         |  5 ++---
 net/ipv6/udp.c                         | 22 ++++++++++-----------
 21 files changed, 200 insertions(+), 82 deletions(-)

-- 
2.11.0
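The cover letter's `ss -ta` listing makes the isolation visible: a listener started under `ip vrf exec` is shown as `ADDR%vrf-blue:PORT` (device-bound), while the default-VRF instance has no `%` suffix. The operational question on a box with management and customer VRFs is which of those unbound listeners can be reached from every VRF. That depends on `net.ipv4.tcp_l3mdev_accept`: with it unset, an unbound socket only sees default-VRF traffic (the behaviour this series provides); with it set, a "global" listener accepts from all L3 domains. The audit script below, an added example that is not part of the patch series or the kernel tree, parses that `ss` output format, reads the sysctl from `/proc/sys`, and reports the reach of each TCP listener. The embedded sample listing is constructed from the cover letter's own output; `audit`, `classify` and `cross_vrf_listeners` are the example's own names.

```python
"""Audit which VRF domains each listening TCP socket can accept from.

Added example; not part of the patch series or the kernel tree. It parses
the `ss -ta` listing format used in the cover letter, where a socket bound
to a device (the SO_BINDTODEVICE state that `ip vrf exec` arranges for a
process) is printed as ADDR%DEV:PORT, and combines that with the value of
net.ipv4.tcp_l3mdev_accept (Documentation/networking/ip-sysctl.txt) to
report the reach of each listener.
"""
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

SYSCTL_PATH = "/proc/sys/net/ipv4/tcp_l3mdev_accept"

# Constructed sample input: the `ss -ta | egrep 'State|ssh'` listing quoted
# in the cover letter (one sshd in the default VRF, one in vrf-blue).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port      Peer Address:Port
LISTEN 0      128    0.0.0.0%vrf-blue:ssh    0.0.0.0:*
LISTEN 0      128    0.0.0.0:ssh             0.0.0.0:*
ESTAB  0      0      192.168.122.220:ssh     192.168.122.1:50282
LISTEN 0      128    [::]%vrf-blue:ssh       [::]:*
LISTEN 0      128    [::]:ssh                [::]:*
ESTAB  0      0      [3000::2]%vrf-blue:ssh  [3000::9]:45896
ESTAB  0      0      [2000::2]:ssh           [2000::9]:46398
"""


@dataclass
class Listener:
    addr: str                  # local address exactly as ss prints it
    port: str                  # port number or service name
    bound_dev: Optional[str]   # device the socket is bound to, None if unbound


def parse_local(field: str) -> Listener:
    """Split an ss local endpoint such as '[::]%vrf-blue:ssh' into parts."""
    addr, _, port = field.rpartition(":")   # the last ':' separates the port
    dev = None
    if "%" in addr:                          # '%dev' marks a device-bound socket
        addr, dev = addr.split("%", 1)
    return Listener(addr, port, dev)


def parse_listeners(ss_text: str) -> List[Listener]:
    """Return every LISTEN socket in `ss -ta` output; header and ESTAB skipped."""
    out = []
    for line in ss_text.splitlines():
        cols = line.split()
        if len(cols) >= 5 and cols[0] == "LISTEN":
            out.append(parse_local(cols[3]))
    return out


def classify(l: Listener, tcp_l3mdev_accept: bool) -> str:
    """Describe which L3 domains can reach a listener.

    A device-bound socket only receives packets arriving via that device
    (for a VRF device, that VRF). An unbound socket receives default-VRF
    traffic only, unless tcp_l3mdev_accept=1, in which case it accepts
    connections from every VRF; that is the cross-domain exposure to flag.
    """
    if l.bound_dev is not None:
        return f"bound to {l.bound_dev} only"
    if tcp_l3mdev_accept:
        return "all VRFs (tcp_l3mdev_accept=1)"
    return "default VRF only (tcp_l3mdev_accept=0)"


def audit(ss_text: str, tcp_l3mdev_accept: bool) -> List[Tuple[Listener, str]]:
    """Pair every listener with its reach description."""
    return [(l, classify(l, tcp_l3mdev_accept)) for l in parse_listeners(ss_text)]


def cross_vrf_listeners(ss_text: str, tcp_l3mdev_accept: bool) -> List[Listener]:
    """Unbound listeners reachable from every VRF: the finding worth reporting."""
    if not tcp_l3mdev_accept:
        return []
    return [l for l in parse_listeners(ss_text) if l.bound_dev is None]


def read_tcp_l3mdev_accept() -> Optional[bool]:
    """Read the sysctl; None when the kernel lacks CONFIG_NET_L3_MASTER_DEV."""
    try:
        with open(SYSCTL_PATH) as f:
            return f.read().strip() != "0"
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    accept = read_tcp_l3mdev_accept()
    if accept is None:
        # No VRF support on this kernel: demonstrate on the constructed sample.
        text, accept = SAMPLE_SS_OUTPUT, True
    else:
        text = subprocess.run(["ss", "-tan"], capture_output=True,
                              text=True, check=True).stdout
    for l, scope in audit(text, accept):
        print(f"{l.addr}:{l.port:<6} {scope}")
```

The `%dev` suffix is reported as printed; ss does not say whether the device is a VRF or an ordinary interface, so a listener bound to `eth0` is described the same way (reachable only via that device), which is the correct reading in either case. UDP has its own `net.ipv4.udp_l3mdev_accept` knob, and this series adds `raw_l3mdev_accept` for raw sockets; the same classification applies to `ss -uan` output with the corresponding sysctl substituted.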