From: David Ahern <dsahern@gmail.com>
To: Mike Manning <mmanning@vyatta.att-mail.com>,
	netdev@vger.kernel.org, David Miller <davem@davemloft.net>
Subject: Re: [PATCH net-next 0/5] vrf: allow simultaneous service instances in default and other VRFs
Date: Thu, 20 Sep 2018 21:28:43 -0700
Message-ID: <fa020045-d2ca-2c44-eb47-e5c051b3fab5@gmail.com>
In-Reply-To: <20180920085848.17721-1-mmanning@vyatta.att-mail.com>

On 9/20/18 1:58 AM, Mike Manning wrote:
> Services currently have to be VRF-aware if they are using an unbound
> socket. One cannot have multiple service instances running in the
> default and other VRFs for services that are not VRF-aware and listen
> on an unbound socket. This is because there is no way of isolating
> packets received in the default VRF from those arriving in other VRFs.
> 
> This series provides this isolation subject to the existing kernel
> parameter net.ipv4.tcp_l3mdev_accept not being set, given that this is
> documented as allowing a single service instance to work across all
> VRF domains. The functionality applies to UDP & TCP services, for IPv4
> and IPv6, in particular adding VRF table handling for IPv6 multicast.
> 
> Example of running ssh instances in default and blue VRF:
> 
> $ /usr/sbin/sshd -D
> $ ip vrf exec vrf-blue /usr/sbin/sshd
> $ ss -ta | egrep 'State|ssh'
> State   Recv-Q   Send-Q           Local Address:Port       Peer Address:Port
> LISTEN  0        128           0.0.0.0%vrf-blue:ssh             0.0.0.0:*
> LISTEN  0        128                    0.0.0.0:ssh             0.0.0.0:*
> ESTAB   0        0              192.168.122.220:ssh       192.168.122.1:50282
> LISTEN  0        128              [::]%vrf-blue:ssh                [::]:*
> LISTEN  0        128                       [::]:ssh                [::]:*
> ESTAB   0        0           [3000::2]%vrf-blue:ssh           [3000::9]:45896
> ESTAB   0        0                    [2000::2]:ssh           [2000::9]:46398
> 

Hi Dave:

I need some time to review and more importantly test this patch set
before it is committed. I am traveling tomorrow afternoon through Sunday
evening, so I need a few days into next week to get to this.

Thanks,
David
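
An added example, not part of the thread or of the patch series: a small audit over the `ss -ta` output quoted in the cover letter, grouping listeners by their `%device` scope to show which L3 domain each service instance serves. The function names and verdict wording are assumptions; the verdicts follow the cover letter's description of `net.ipv4.tcp_l3mdev_accept` and assume the series is applied.

```python
import re
from collections import defaultdict

# Sample input: the `ss -ta` lines quoted in the cover letter above.
SS_OUTPUT = """\
State   Recv-Q   Send-Q           Local Address:Port       Peer Address:Port
LISTEN  0        128           0.0.0.0%vrf-blue:ssh             0.0.0.0:*
LISTEN  0        128                    0.0.0.0:ssh             0.0.0.0:*
ESTAB   0        0              192.168.122.220:ssh       192.168.122.1:50282
LISTEN  0        128              [::]%vrf-blue:ssh                [::]:*
LISTEN  0        128                       [::]:ssh                [::]:*
ESTAB   0        0           [3000::2]%vrf-blue:ssh           [3000::9]:45896
ESTAB   0        0                    [2000::2]:ssh           [2000::9]:46398
"""

# addr[%device]:port, where addr may be a bracketed IPv6 literal
LOCAL = re.compile(r"^(?P<addr>\[[^\]]*\]|[^%:]+)(?:%(?P<dev>[^:]+))?:(?P<port>[^:]+)$")

def parse_ss(text):
    """Yield (state, addr, domain, port); domain is 'default' without a %device."""
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        m = LOCAL.match(cols[3]) if len(cols) >= 5 else None
        if m:
            yield cols[0], m["addr"], m["dev"] or "default", m["port"]

def listeners_by_port(text):
    """Map each listening port to the set of L3 domains that have a listener."""
    by_port = defaultdict(set)
    for state, _addr, domain, port in parse_ss(text):
        if state == "LISTEN":
            by_port[port].add(domain)
    return dict(by_port)

def audit(text, l3mdev_accept):
    """Describe each port's VRF scope (assumes the series' isolation is in effect)."""
    report = {}
    for port, domains in listeners_by_port(text).items():
        vrfs = sorted(domains - {"default"})
        if "default" in domains and l3mdev_accept:
            report[port] = "unbound listener spans all VRFs"
        elif "default" in domains and vrfs:
            report[port] = "isolated instances: default + " + ", ".join(vrfs)
        elif vrfs:
            report[port] = "VRF-only: " + ", ".join(vrfs)
        else:
            report[port] = "default VRF only"
    return report
```

Pass the value read from `sysctl -n net.ipv4.tcp_l3mdev_accept` as `l3mdev_accept` when running this against live `ss -ta` output.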

Thread overview: 12+ messages
2018-09-20  8:58 [PATCH net-next 0/5] vrf: allow simultaneous service instances in default and other VRFs Mike Manning
2018-09-20  8:58 ` [PATCH net-next 1/5] net: allow binding socket in a VRF when there's an unbound socket Mike Manning
2018-09-23  8:47   ` kbuild test robot
2018-09-23  9:58   ` kbuild test robot
2018-09-20  8:58 ` [PATCH net-next 2/5] ipv6: allow link-local and multicast packets inside vrf Mike Manning
2018-09-20  8:58 ` [PATCH net-next 3/5] ipv4: Allow sending multicast packets on specific i/f using VRF socket Mike Manning
2018-09-20  8:58 ` [PATCH net-next 4/5] ipv6: do not drop vrf udp multicast packets Mike Manning
2018-09-20 13:02   ` Paolo Abeni
2018-09-20 16:50     ` Mike Manning
2018-09-20  8:58 ` [PATCH net-next 5/5] ipv6: add vrf table handling code for ipv6 mcast Mike Manning
2018-09-21  4:28 ` David Ahern [this message]
2018-09-21 14:41   ` [PATCH net-next 0/5] vrf: allow simultaneous service instances in default and other VRFs David Miller
