[PATCH iproute2-next v6] ip-link: add support for nolocalbypass in vxlan

[PATCH iproute2-next v6] ip-link: add support for nolocalbypass in vxlan

[Vladimir Nikishkin]

Add userspace support for the [no]localbypass vxlan netlink
attribute. With localbypass on (default), the vxlan driver processes
the packets destined to the local machine by itself, bypassing the
userspace nework stack. With nolocalbypass the packets are always
forwarded to the userspace network stack, so userspace programs,
such as tcpdump have a chance to process them.

Signed-off-by: Vladimir Nikishkin <vladimir@nikishkin.pw>
---
v5=>v6: 1. ip-link:Print nolocalbypass option like the "learning" one.

This patch is not changing how the other options are printed.

 ip/iplink_vxlan.c     | 17 +++++++++++++++++
 man/man8/ip-link.8.in | 10 ++++++++++
 2 files changed, 27 insertions(+)

diff --git a/ip/iplink_vxlan.c b/ip/iplink_vxlan.c
index c7e0e1c4..cd332555 100644
--- a/ip/iplink_vxlan.c
+++ b/ip/iplink_vxlan.c
@@ -45,6 +45,7 @@ static void print_explain(FILE *f)
 		"		[ [no]remcsumtx ] [ [no]remcsumrx ]\n"
 		"		[ [no]external ] [ gbp ] [ gpe ]\n"
 		"		[ [no]vnifilter ]\n"
+		"		[ [no]localbypass ]\n"
 		"\n"
 		"Where:	VNI	:= 0-16777215\n"
 		"	ADDR	:= { IP_ADDRESS | any }\n"
@@ -276,6 +277,14 @@ static int vxlan_parse_opt(struct link_util *lu, int argc, char **argv,
 		} else if (!matches(*argv, "noudpcsum")) {
 			check_duparg(&attrs, IFLA_VXLAN_UDP_CSUM, *argv, *argv);
 			addattr8(n, 1024, IFLA_VXLAN_UDP_CSUM, 0);
+		} else if (strcmp(*argv, "localbypass") == 0) {
+			check_duparg(&attrs, IFLA_VXLAN_LOCALBYPASS,
+				     *argv, *argv);
+			addattr8(n, 1024, IFLA_VXLAN_LOCALBYPASS, 1);
+		} else if (strcmp(*argv, "nolocalbypass") == 0) {
+			check_duparg(&attrs, IFLA_VXLAN_LOCALBYPASS,
+				     *argv, *argv);
+			addattr8(n, 1024, IFLA_VXLAN_LOCALBYPASS, 0);
 		} else if (!matches(*argv, "udp6zerocsumtx")) {
 			check_duparg(&attrs, IFLA_VXLAN_UDP_ZERO_CSUM6_TX,
 				     *argv, *argv);
@@ -613,6 +622,14 @@ static void vxlan_print_opt(struct link_util *lu, FILE *f, struct rtattr *tb[])
 		}
 	}
 
+	if (tb[IFLA_VXLAN_LOCALBYPASS]) {
+		__u8 localbypass = rta_getattr_u8(tb[IFLA_VXLAN_LOCALBYPASS]);
+
+		print_bool(PRINT_JSON, "localbypass", NULL, localbypass);
+		if (!localbypass)
+			print_bool(PRINT_FP, NULL, "nolocalbypass ", true);
+	}
+
 	if (tb[IFLA_VXLAN_UDP_ZERO_CSUM6_TX]) {
 		__u8 csum6 = rta_getattr_u8(tb[IFLA_VXLAN_UDP_ZERO_CSUM6_TX]);
 
diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in
index bf3605a9..27ebeeac 100644
--- a/man/man8/ip-link.8.in
+++ b/man/man8/ip-link.8.in
@@ -630,6 +630,8 @@ the following additional arguments are supported:
 ] [
 .RB [ no ] udpcsum
 ] [
+.RB [ no ] localbypass
+] [
 .RB [ no ] udp6zerocsumtx
 ] [
 .RB [ no ] udp6zerocsumrx
@@ -734,6 +736,14 @@ are entered into the VXLAN device forwarding database.
 .RB [ no ] udpcsum
 - specifies if UDP checksum is calculated for transmitted packets over IPv4.
 
+.sp
+.RB [ no ] localbypass
+- if FDB destination is local, with nolocalbypass set, forward encapsulated
+packets to the userspace network stack. If there is a userspace process
+listening for these packets, it will have a chance to process them. If
+localbypass is active (default), bypass the kernel network stack and
+inject the packets into the target VXLAN device, assuming one exists.
+
 .sp
 .RB [ no ] udp6zerocsumtx
 - skip UDP checksum calculation for transmitted packets over IPv6.
-- 
2.35.8

--
Fastmail.

Re: [PATCH iproute2-next v6] ip-link: add support for nolocalbypass in vxlan

[Stephen Hemminger]

On Tue, 23 May 2023 12:48:05 +0800
Vladimir Nikishkin <vladimir@nikishkin.pw> wrote:

> +	if (tb[IFLA_VXLAN_LOCALBYPASS]) {
> +		__u8 localbypass = rta_getattr_u8(tb[IFLA_VXLAN_LOCALBYPASS]);
> +
> +		print_bool(PRINT_JSON, "localbypass", NULL, localbypass);
> +		if (!localbypass)
> +			print_bool(PRINT_FP, NULL, "nolocalbypass ", true);
> +	}

This is backwards since nolocalbypass is the default.

Re: [PATCH iproute2-next v6] ip-link: add support for nolocalbypass in vxlan

[Vladimir Nikishkin]

On Wed, May 24, 2023, at 00:04, Stephen Hemminger wrote:
> On Tue, 23 May 2023 12:48:05 +0800
> Vladimir Nikishkin <vladimir@nikishkin.pw> wrote:
>
>> +	if (tb[IFLA_VXLAN_LOCALBYPASS]) {
>> +		__u8 localbypass = rta_getattr_u8(tb[IFLA_VXLAN_LOCALBYPASS]);
>> +
>> +		print_bool(PRINT_JSON, "localbypass", NULL, localbypass);
>> +		if (!localbypass)
>> +			print_bool(PRINT_FP, NULL, "nolocalbypass ", true);
>> +	}
>
> This is backwards since nolocalbypass is the default.

localbypass is (or should) be the default, because it is how everything used to work in the past. nolocalbypass is the new feature.

--
Fastmail.

Re: [PATCH iproute2-next v6] ip-link: add support for nolocalbypass in vxlan

[Andrea Claudi]

On Tue, May 23, 2023 at 09:04:41AM -0700, Stephen Hemminger wrote:
> On Tue, 23 May 2023 12:48:05 +0800
> Vladimir Nikishkin <vladimir@nikishkin.pw> wrote:
> 
> > +	if (tb[IFLA_VXLAN_LOCALBYPASS]) {
> > +		__u8 localbypass = rta_getattr_u8(tb[IFLA_VXLAN_LOCALBYPASS]);
> > +
> > +		print_bool(PRINT_JSON, "localbypass", NULL, localbypass);
> > +		if (!localbypass)
> > +			print_bool(PRINT_FP, NULL, "nolocalbypass ", true);
> > +	}
> 
> This is backwards since nolocalbypass is the default.
>

Stephen, I'll try to summarize the discussion we had in v5 here.

- We agree that it's a good idea to have JSON attributes printed both
  when 'true' and 'false'. As Petr said, this makes the code less error
  prone and makes it clear attribute is supported.
- I have some concerns about printing options only when non-default
  values are set. Non-JSON output is mostly consumed by humans, that
  usually expects something to be visible if present/true/enabled. I
  know I'm advocating for a change in the iproute output here, and we
  usually don't do that, but I argue there's value in having a less
  cluttered and confusing output.

  For example, let's take what you see with a default vxlan:
  $ ip link add type vxlan id 12
  $ ip -j link show vxlan0
  [...] udpcsum noudp6zerocsumtx noudp6zerocsumrx [...]

  IMHO printing only "udpcsum" is enough to make the user aware that
  the "udpcsum" feature is enabled and the rest is off.

I'm not against Vladimir's change, of course. But I would be very happy
if we can agree on a direction for the output from now on, and try to
enforce it, maybe deprecating the "old way" to print out stuff step by
step, if we find it useful.

What do you think?
Andrea

Re: [PATCH iproute2-next v6] ip-link: add support for nolocalbypass in vxlan

[Stephen Hemminger]

On Tue, 23 May 2023 20:37:04 +0200
Andrea Claudi <aclaudi@redhat.com> wrote:

> Stephen, I'll try to summarize the discussion we had in v5 here.
> 
> - We agree that it's a good idea to have JSON attributes printed both
>   when 'true' and 'false'. As Petr said, this makes the code less error
>   prone and makes it clear attribute is supported.
> - I have some concerns about printing options only when non-default
>   values are set. Non-JSON output is mostly consumed by humans, that
>   usually expects something to be visible if present/true/enabled. I
>   know I'm advocating for a change in the iproute output here, and we
>   usually don't do that, but I argue there's value in having a less
>   cluttered and confusing output.
> 
>   For example, let's take what you see with a default vxlan:
>   $ ip link add type vxlan id 12
>   $ ip -j link show vxlan0
>   [...] udpcsum noudp6zerocsumtx noudp6zerocsumrx [...]
> 
>   IMHO printing only "udpcsum" is enough to make the user aware that
>   the "udpcsum" feature is enabled and the rest is off.
> 
> I'm not against Vladimir's change, of course. But I would be very happy
> if we can agree on a direction for the output from now on, and try to
> enforce it, maybe deprecating the "old way" to print out stuff step by
> step, if we find it useful.
> 
> What do you think?
> Andrea

If you look at the other RFC patch set. It does change to always
print the state of all options.

Re: [PATCH iproute2-next v6] ip-link: add support for nolocalbypass in vxlan

[Vladimir Nikishkin]

Stephen Hemminger <stephen@networkplumber.org> writes:

> On Tue, 23 May 2023 12:48:05 +0800
> Vladimir Nikishkin <vladimir@nikishkin.pw> wrote:
>
>> +	if (tb[IFLA_VXLAN_LOCALBYPASS]) {
>> +		__u8 localbypass = rta_getattr_u8(tb[IFLA_VXLAN_LOCALBYPASS]);
>> +
>> +		print_bool(PRINT_JSON, "localbypass", NULL, localbypass);
>> +		if (!localbypass)
>> +			print_bool(PRINT_FP, NULL, "nolocalbypass ", true);
>> +	}
>
> This is backwards since nolocalbypass is the default.

Could you, please, look at the proposed changes again? I do not think
that the default is "nolocalbypass". The default is "localbypass", as
this is how the kernel behaved without commit
69474a8a5837be63f13c6f60a7d622b98ed5c539.

-- 
Your sincerely,
Vladimir Nikishkin (MiEr, lockywolf)
(Laptop)
--
Fastmail.