All of lore.kernel.org
 help / color / mirror / Atom feed
From: Ryoga Saito <contact@proelbtn.com>
To: netfilter-devel@vger.kernel.org
Cc: pablo@netfilter.org, stefano.salsano@uniroma2.it,
	andrea.mayer@uniroma2.it, davem@davemloft.net, kuba@kernel.org,
	yoshfuji@linux-ipv6.org, dsahern@kernel.org,
	Ryoga Saito <contact@proelbtn.com>
Subject: [PATCH v2 0/2] net: add netfilter hooks to track SRv6-encapsulated flows
Date: Thu, 29 Jul 2021 08:37:11 +0000	[thread overview]
Message-ID: <cover.1627546390.git.contact@proelbtn.com> (raw)

Tunneling protocols such as VXLAN or IPIP are implemented using virtual
network devices (vxlan0 or ipip0). Therefore, conntrack can record both
inner flows and outer flows correctly. In contrast, SRv6 is implemented
using lightweight tunnel infrastructure. Therefore, SRv6 packets are
encapsulated and decapsulated without passing through virtual network
device. Due to the following problems caused by this, conntrack can't
record both inner flows and outer flows correctly.

First problem is caused when SRv6 packets are encapsulated. In VXLAN, at
first, packets received are passed to nf_conntrack_in called from
ip_rcv/ipv6_rcv. These packets are sent to virtual network device and these
flows are confirmed in ip_output/ip6_output. However, in SRv6, at first,
packets are passed to nf_conntrack_in, encapsulated and flows are confirmed
in ipv6_output even if inner packets are IPv4. Therefore, IPv6 conntrack
needs to be enabled to track IPv4 inner flow.

Second problem is caused when SRv6 packets are decapsulated. If IPv6
conntrack is enabled, SRv6 packets are passed to nf_conntrack_in called
from ipv6_rcv. Even if inner packets are passed to nf_conntrack_in after
packets are decapsulated, flow aren't tracked because skb->_nfct is already
set. Therefore, IPv6 conntrack needs to be disabled to track IPv4 flow
when packets are decapsulated.

This patch series solves these problems and allows conntrack to record 
inner flows correctly. It introduces netfilter hooks to srv6 lwtunnel
and srv6local lwtunnel. It also introduces new sysctl toggle to turn on
lightweight tunnel netfilter hooks.

v2: introduce nf_ct_lwtunnel_enabled static_key and sysctl toggle to turn
    on lightweight tunnel netfilter hooks

Ryoga Saito (2):
  netfilter: add new sysctl toggle for lightweight tunnel netfilter
    hooks
  netfilter: add netfilter hooks to SRv6 data plane

 .../networking/nf_conntrack-sysctl.rst        |   7 ++
 include/net/lwtunnel.h                        |   2 +
 include/net/netfilter/nf_conntrack.h          |   4 +
 net/core/lwtunnel.c                           |   3 +
 net/ipv6/seg6_iptunnel.c                      |  68 ++++++++++-
 net/ipv6/seg6_local.c                         | 115 ++++++++++++------
 net/netfilter/Makefile                        |   2 +-
 net/netfilter/nf_conntrack_lwtunnel.c         |  51 ++++++++
 net/netfilter/nf_conntrack_standalone.c       |   8 ++
 9 files changed, 217 insertions(+), 43 deletions(-)
 create mode 100644 net/netfilter/nf_conntrack_lwtunnel.c

-- 
2.25.1


             reply	other threads:[~2021-07-29  8:53 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-29  8:37 Ryoga Saito [this message]
2021-07-29  8:37 ` [PATCH v2 1/2] netfilter: add new sysctl toggle for lightweight tunnel netfilter hooks Ryoga Saito
2021-07-29 12:41   ` kernel test robot
2021-07-29 12:41     ` kernel test robot
2021-07-29  8:37 ` [PATCH v2 2/2] netfilter: add netfilter hooks to SRv6 data plane Ryoga Saito

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=cover.1627546390.git.contact@proelbtn.com \
    --to=contact@proelbtn.com \
    --cc=andrea.mayer@uniroma2.it \
    --cc=davem@davemloft.net \
    --cc=dsahern@kernel.org \
    --cc=kuba@kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    --cc=stefano.salsano@uniroma2.it \
    --cc=yoshfuji@linux-ipv6.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.