* [PATCH net-next 00/10] VRF-lite - v4
@ 2015-08-05 17:14 David Ahern
2015-08-05 17:14 ` [PATCH 01/10] net: Introduce VRF related flags and helpers David Ahern
` (10 more replies)
0 siblings, 11 replies; 17+ messages in thread
From: David Ahern @ 2015-08-05 17:14 UTC (permalink / raw)
To: netdev
Cc: shm, roopa, gospo, jtoppins, nikolay, ddutt, hannes,
nicolas.dichtel, stephen, hadi, ebiederm, davem, svaidya,
David Ahern
In the context of internet scale routing a requirement that always comes
up is the need to partition the available routing tables into disjoint
routing planes. A specific use case is the multi-tenancy problem where
each tenant has their own unique routing tables and in the very least
need different default gateways.
This patch allows the ability to create virtual router domains (aka VRFs
(VRF-lite to be specific) in the linux packet forwarding stack. The main
observation is that through the use of rules and socket binding to interfaces,
all the facilities that we need are already present in the infrastructure. What
is missing is a handle that identifies a routing domain and can be used to
gather applicable rules/tables and uniqify neighbor selection. The scheme used
needs to preserves the notions of ECMP, and general routing principles.
This driver is a cross between functionality that the IPVLAN driver
and the Team drivers provide where a device is created and packets
into/out of the routing domain are shuttled through this device. The
device is then used as a handle to identify the applicable rules. The
VRF device is thus the layer3 equivalent of a vlan device.
The very important point to note is that this is only a Layer3 concept
so L2 tools (e.g., LLDP) do not need to be run in each VRF, processes can
run in unaware mode or select a VRF to be talking through. Also the
behavioral model is a generalized application of the familiar VRF-Lite
model with some performance paths that need optimization. (Specifically
the output route selector that Roopa, Robert, Thomas and EricB are
currently discussing on the MPLS thread)
High Level points
=================
1. Simple overlay driver (minimal changes to current stack)
* uses the existing fib tables and fib rules infrastructure
2. Modelled closely after the ipvlan driver
3. Uses current API and infrastructure.
* Applications can use SO_BINDTODEVICE or cmsg device indentifiers
to pick VRF (ping, traceroute just work)
* Standard IP Rules work, and since they are aggregated against the
device, scale is manageable
4. Completely orthogonal to Namespaces and only provides separation in
the routing plane (and ARP)
N2
N1 (all configs here) +---------------+
+--------------+ | |
|swp1 :10.0.1.1+----------------------+swp1 :10.0.1.2 |
| | | |
|swp2 :10.0.2.1+----------------------+swp2 :10.0.2.2 |
| | +---------------+
| VRF 1 |
| table 5 |
| |
+---------------+
| |
| VRF 2 | N3
| table 6 | +---------------+
| | | |
|swp3 :10.0.2.1+----------------------+swp1 :10.0.2.2 |
| | | |
|swp4 :10.0.3.1+----------------------+swp2 :10.0.3.2 |
+--------------+ +---------------+
Given the topology above, the setup needed to get the basic VRF
functions working would be
Create the VRF devices and associate with a table
ip link add vrf1 type vrf table 5
ip link add vrf2 type vrf table 6
Install the lookup rules that map table to VRF domain
ip rule add pref 200 oif vrf1 lookup 5
ip rule add pref 200 iif vrf1 lookup 5
ip rule add pref 200 oif vrf2 lookup 6
ip rule add pref 200 iif vrf2 lookup 6
ip link set vrf1 up
ip link set vrf2 up
Enslave the routing member interfaces
ip link set swp1 master vrf1
ip link set swp2 master vrf1
ip link set swp3 master vrf2
ip link set swp4 master vrf2
Connected and local routes are automatically moved from main and local
tables to the VRF table.
ping using VRF0 is simply
ping -I vrf0 10.0.1.2
Design Highlights
=================
If a device is enslaved to a VRF device (ie., associated with a VRF)
then:
1. Rx path
The master device index is used as the iif for all lookups.
2. Tx path
Similarly, for Tx the VRF device oif is used in the flow to direct
lookups to the table associated with the VRF via its rule. From there
the FLOWI_FLAG_VRFSRC flag is used to indicate that the oif should
not be used for FIB table lookups.
3. Connected and local routes
On link up for a device, connected and local routes are added to the
table associated with the VRF device, rather than the local and main
tables.
4. Socket lookups
Socket lookups use the VRF device for comparison with sk_bound_dev_if.
If a socket is not bound to a device a socket match can happen based
on destination address, port and protocol in which case a VRF global
or agnostic process handles the connection (ie., this allows 1 listener
socket to handle connections across VRFs). The child socket becomes
bound to the VRF (sk_bound_dev_if is set to the VRF device).
5. Neighbor entries
Neighbor entries are not impacted by the VRF device. Entries are
associated with a particular interface; the VRF association is indirect
via the interface-to-VRF device enslavement.
Version 4
- builds are clean with and without VRF device enabled (no, yes and module)
- tightened the driver implementation
+ device add/delete, slave add/remove, and module unload are all clean
- fixed RCU references
+ with RCU and lock debugging enabled changes are clean through the
suite of tests
- TX path uses custom dst, so patch refactoring rtable allocation is
dropped along with the patch adding rt_nexthop helper
- dropped the task patch that adds default bind to interface for sockets
and the associated chvrf example command
+ the patches are a convenience for running unmodified code. They
are not needed for the core functionality. Any application with
support for SO_BINDTODEVICE works properly with this patch set.
Version 3
- addressed comments from first 2 RFCs with the exception of the name
Nicolas: We will do the name conversion once we agree on what the
correct name should be (vrf, mrf or something else)
- packets flow through the VRF device in both directions allowing the
following:
- tcpdump -i vrf<n>
- tc rules on vrf device
- netfilter rules on vrf device
TO-DO
=====
1. IPv6
2. ip fragments
3. ipsec, xfrms
4. listen filter to restrict VRF connections
- i.e., bind to VRF's a, b, c only or NOT VRFs e, f, g
Eric B:
I think I understand your points regarding ip fragments and ipsec now.
I will release additional patches for both, but it takes time. For
example, I have ipsec working with VRFs implemented using the VRF
driver but more changes are needed. Once I have multiple tunnels with
overlapping network spaces working I will be sending out patches for
review.
Thanks to Nikolay for his many, many code reviews whipping the device
driver into shape, and bug-Fixes and ideas from Hannes, Roopa Prabhu,
Jon Toppins, Jamal.
Patches can also be pulled from:
https://github.com/dsahern/linux.git, vrf-dev-v4 branch
https://github.com/dsahern/iproute2, vrf-dev-v4 branch
David Ahern (10):
net: Introduce VRF related flags and helpers
net: Use VRF device index for lookups on RX
net: Use VRF device index for lookups on TX
udp: Handle VRF device
net: Add inet_addr lookup by table
net: Fix up inet_addr_type checks
net: Add routes to the table associated with the device
net: Use passed in table for nexthop lookups
net: Use VRF device index for socket lookups
net: Introduce VRF device driver
drivers/net/Kconfig | 7 +
drivers/net/Makefile | 1 +
drivers/net/vrf.c | 715 +++++++++++++++++++++++++++++++++++++++++++
include/linux/netdevice.h | 20 ++
include/net/flow.h | 1 +
include/net/route.h | 7 +
include/net/vrf.h | 176 +++++++++++
include/uapi/linux/if_link.h | 9 +
net/ipv4/af_inet.c | 13 +-
net/ipv4/arp.c | 15 +-
net/ipv4/fib_frontend.c | 66 +++-
net/ipv4/fib_semantics.c | 44 ++-
net/ipv4/fib_trie.c | 7 +-
net/ipv4/icmp.c | 9 +-
net/ipv4/route.c | 8 +-
net/ipv4/syncookies.c | 5 +-
net/ipv4/tcp_input.c | 6 +-
net/ipv4/tcp_ipv4.c | 11 +-
net/ipv4/udp.c | 25 +-
19 files changed, 1102 insertions(+), 43 deletions(-)
create mode 100644 drivers/net/vrf.c
create mode 100644 include/net/vrf.h
--
2.3.2 (Apple Git-55)
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH 01/10] net: Introduce VRF related flags and helpers
2015-08-05 17:14 [PATCH net-next 00/10] VRF-lite - v4 David Ahern
@ 2015-08-05 17:14 ` David Ahern
2015-08-05 17:14 ` [PATCH 02/10] net: Use VRF device index for lookups on RX David Ahern
` (9 subsequent siblings)
10 siblings, 0 replies; 17+ messages in thread
From: David Ahern @ 2015-08-05 17:14 UTC (permalink / raw)
To: netdev
Cc: shm, roopa, gospo, jtoppins, nikolay, ddutt, hannes,
nicolas.dichtel, stephen, hadi, ebiederm, davem, svaidya,
David Ahern
Add a VRF_MASTER flag for interfaces and helper functions for determining
if a device is a VRF_MASTER.
Add link attribute for passing VRF_TABLE id.
Add vrf_ptr to netdevice.
Add various macros for determining if a device is a VRF device, the index
of the master VRF device and table associated with VRF device.
Signed-off-by: Shrijeet Mukherjee <shm@cumulusnetworks.com>
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
---
include/linux/netdevice.h | 20 +++++
include/net/vrf.h | 177 +++++++++++++++++++++++++++++++++++++++++++
include/uapi/linux/if_link.h | 9 +++
3 files changed, 206 insertions(+)
create mode 100644 include/net/vrf.h
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 607b5f41f46f..f7a6ef2fae3a 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -1289,6 +1289,7 @@ enum netdev_priv_flags {
IFF_XMIT_DST_RELEASE_PERM = 1<<22,
IFF_IPVLAN_MASTER = 1<<23,
IFF_IPVLAN_SLAVE = 1<<24,
+ IFF_VRF_MASTER = 1<<25,
};
#define IFF_802_1Q_VLAN IFF_802_1Q_VLAN
@@ -1316,6 +1317,7 @@ enum netdev_priv_flags {
#define IFF_XMIT_DST_RELEASE_PERM IFF_XMIT_DST_RELEASE_PERM
#define IFF_IPVLAN_MASTER IFF_IPVLAN_MASTER
#define IFF_IPVLAN_SLAVE IFF_IPVLAN_SLAVE
+#define IFF_VRF_MASTER IFF_VRF_MASTER
/**
* struct net_device - The DEVICE structure.
@@ -1432,6 +1434,7 @@ enum netdev_priv_flags {
* @dn_ptr: DECnet specific data
* @ip6_ptr: IPv6 specific data
* @ax25_ptr: AX.25 specific data
+ * @vrf_ptr: VRF specific data
* @ieee80211_ptr: IEEE 802.11 specific data, assign before registering
*
* @last_rx: Time of last Rx
@@ -1650,6 +1653,7 @@ struct net_device {
struct dn_dev __rcu *dn_ptr;
struct inet6_dev __rcu *ip6_ptr;
void *ax25_ptr;
+ struct net_vrf_dev __rcu *vrf_ptr;
struct wireless_dev *ieee80211_ptr;
struct wpan_dev *ieee802154_ptr;
#if IS_ENABLED(CONFIG_MPLS_ROUTING)
@@ -3808,6 +3812,22 @@ static inline bool netif_supports_nofcs(struct net_device *dev)
return dev->priv_flags & IFF_SUPP_NOFCS;
}
+static inline bool netif_is_vrf(const struct net_device *dev)
+{
+ return dev->priv_flags & IFF_VRF_MASTER;
+}
+
+static inline bool netif_index_is_vrf(struct net *net, int ifindex)
+{
+ struct net_device *dev = dev_get_by_index_rcu(net, ifindex);
+ bool rc = false;
+
+ if (dev)
+ rc = netif_is_vrf(dev);
+
+ return rc;
+}
+
/* This device needs to keep skb dst for qdisc enqueue or ndo_start_xmit() */
static inline void netif_keep_dst(struct net_device *dev)
{
diff --git a/include/net/vrf.h b/include/net/vrf.h
new file mode 100644
index 000000000000..5d4bd67a4902
--- /dev/null
+++ b/include/net/vrf.h
@@ -0,0 +1,177 @@
+/*
+ * include/net/net_vrf.h - adds vrf dev structure definitions
+ * Copyright (c) 2015 Cumulus Networks
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+#ifndef __LINUX_NET_VRF_H
+#define __LINUX_NET_VRF_H
+
+struct net_vrf_dev {
+ struct rcu_head rcu;
+ int ifindex; /* ifindex of master dev */
+ u32 tb_id; /* table id for VRF */
+};
+
+struct slave {
+ struct list_head list;
+ struct net_device *dev;
+};
+
+struct slave_queue {
+ struct list_head all_slaves;
+ int num_slaves;
+};
+
+struct net_vrf {
+ struct slave_queue queue;
+ struct fib_table *tb;
+ struct rtable *rth;
+ u32 tb_id;
+};
+
+
+#if IS_ENABLED(CONFIG_NET_VRF)
+/* called with rcu_read_lock() */
+static inline int vrf_master_ifindex_rcu(const struct net_device *dev)
+{
+ struct net_vrf_dev *vrf_ptr;
+ int ifindex = 0;
+
+ if (!dev)
+ return 0;
+
+ if (netif_is_vrf(dev))
+ ifindex = dev->ifindex;
+ else {
+ vrf_ptr = rcu_dereference(dev->vrf_ptr);
+ if (vrf_ptr)
+ ifindex = vrf_ptr->ifindex;
+ }
+
+ return ifindex;
+}
+
+static inline int vrf_master_ifindex(const struct net_device *dev)
+{
+ int ifindex;
+
+ rcu_read_lock();
+ ifindex = vrf_master_ifindex_rcu(dev);
+ rcu_read_unlock();
+
+ return ifindex;
+}
+
+static inline int vrf_master_ifindex_by_index(struct net *net, int ifindex)
+{
+ int rc = 0;
+
+ if (ifindex) {
+ struct net_device *dev = dev_get_by_index(net, ifindex);
+
+ if (dev) {
+ rc = vrf_master_ifindex(dev);
+ dev_put(dev);
+ }
+ }
+
+ return rc;
+}
+
+/* called with rcu_read_lock */
+static inline int vrf_dev_table_rcu(const struct net_device *dev)
+{
+ int tb_id = 0;
+
+ if (dev) {
+ struct net_vrf_dev *vrf_ptr;
+
+ vrf_ptr = rcu_dereference(dev->vrf_ptr);
+ if (vrf_ptr)
+ tb_id = vrf_ptr->tb_id;
+ }
+ return tb_id;
+}
+
+static inline int vrf_dev_table(const struct net_device *dev)
+{
+ int tb_id = 0;
+
+ rcu_read_lock();
+ tb_id = vrf_dev_table_rcu(dev);
+ rcu_read_unlock();
+
+ return tb_id;
+}
+
+/* called with rtnl */
+static inline int vrf_dev_table_rtnl(const struct net_device *dev)
+{
+ int tb_id = 0;
+
+ if (dev) {
+ struct net_vrf_dev *vrf_ptr;
+
+ vrf_ptr = rtnl_dereference(dev->vrf_ptr);
+ if (vrf_ptr)
+ tb_id = vrf_ptr->tb_id;
+ }
+ return tb_id;
+}
+
+/* caller has already checked netif_is_vrf(dev) */
+static inline struct rtable *vrf_dev_get_rth(const struct net_device *dev)
+{
+ struct rtable *rth = ERR_PTR(-ENETUNREACH);
+ struct net_vrf *vrf = netdev_priv(dev);
+
+ if (vrf) {
+ rth = vrf->rth;
+ atomic_inc(&rth->dst.__refcnt);
+ }
+ return rth;
+}
+
+#else
+static inline int vrf_master_ifindex_rcu(const struct net_device *dev)
+{
+ return 0;
+}
+
+static inline int vrf_master_ifindex(const struct net_device *dev)
+{
+ return 0;
+}
+
+static inline int vrf_master_ifindex_by_index(struct net *net, int ifindex)
+{
+ return 0;
+}
+
+static inline int vrf_dev_table_rcu(const struct net_device *dev)
+{
+ return 0;
+}
+
+static inline int vrf_dev_table(const struct net_device *dev)
+{
+ return 0;
+}
+
+static inline int vrf_dev_table_rtnl(const struct net_device *dev)
+{
+ return 0;
+}
+
+static inline struct rtable *vrf_dev_get_rth(const struct net_device *dev)
+{
+ return ERR_PTR(-ENETUNREACH);
+}
+#endif
+
+#endif /* __LINUX_NET_VRF_H */
diff --git a/include/uapi/linux/if_link.h b/include/uapi/linux/if_link.h
index ea047480a1f0..023908ef754d 100644
--- a/include/uapi/linux/if_link.h
+++ b/include/uapi/linux/if_link.h
@@ -340,6 +340,15 @@ enum macvlan_macaddr_mode {
#define MACVLAN_FLAG_NOPROMISC 1
+/* VRF section */
+enum {
+ IFLA_VRF_UNSPEC,
+ IFLA_VRF_TABLE,
+ __IFLA_VRF_MAX
+};
+
+#define IFLA_VRF_MAX (__IFLA_VRF_MAX - 1)
+
/* IPVLAN section */
enum {
IFLA_IPVLAN_UNSPEC,
--
2.3.2 (Apple Git-55)
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH 02/10] net: Use VRF device index for lookups on RX
2015-08-05 17:14 [PATCH net-next 00/10] VRF-lite - v4 David Ahern
2015-08-05 17:14 ` [PATCH 01/10] net: Introduce VRF related flags and helpers David Ahern
@ 2015-08-05 17:14 ` David Ahern
2015-08-05 17:14 ` [PATCH 03/10] net: Use VRF device index for lookups on TX David Ahern
` (8 subsequent siblings)
10 siblings, 0 replies; 17+ messages in thread
From: David Ahern @ 2015-08-05 17:14 UTC (permalink / raw)
To: netdev
Cc: shm, roopa, gospo, jtoppins, nikolay, ddutt, hannes,
nicolas.dichtel, stephen, hadi, ebiederm, davem, svaidya,
David Ahern
On ingress use index of VRF master device for route lookups if real device
is enslaved. Rules are expected to be installed for the VRF device to
direct lookups to a specific table.
Signed-off-by: Shrijeet Mukherjee <shm@cumulusnetworks.com>
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
---
net/ipv4/fib_frontend.c | 8 +++++++-
net/ipv4/route.c | 3 ++-
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 6b98de0d7949..d8ced1d89f1b 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -45,6 +45,7 @@
#include <net/ip_fib.h>
#include <net/rtnetlink.h>
#include <net/xfrm.h>
+#include <net/vrf.h>
#ifndef CONFIG_IP_MULTIPLE_TABLES
@@ -309,7 +310,9 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
bool dev_match;
fl4.flowi4_oif = 0;
- fl4.flowi4_iif = oif ? : LOOPBACK_IFINDEX;
+ fl4.flowi4_iif = vrf_master_ifindex_rcu(dev);
+ if (!fl4.flowi4_iif)
+ fl4.flowi4_iif = oif ? : LOOPBACK_IFINDEX;
fl4.daddr = src;
fl4.saddr = dst;
fl4.flowi4_tos = tos;
@@ -339,6 +342,9 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
if (nh->nh_dev == dev) {
dev_match = true;
break;
+ } else if (vrf_master_ifindex_rcu(nh->nh_dev) == dev->ifindex) {
+ dev_match = true;
+ break;
}
}
#else
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 18fd7c9095c7..c26ff1f7067d 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -112,6 +112,7 @@
#endif
#include <net/secure_seq.h>
#include <net/ip_tunnels.h>
+#include <net/vrf.h>
#define RT_FL_TOS(oldflp4) \
((oldflp4)->flowi4_tos & (IPTOS_RT_MASK | RTO_ONLINK))
@@ -1726,7 +1727,7 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
* Now we are ready to route packet.
*/
fl4.flowi4_oif = 0;
- fl4.flowi4_iif = dev->ifindex;
+ fl4.flowi4_iif = vrf_master_ifindex_rcu(dev) ? : dev->ifindex;
fl4.flowi4_mark = skb->mark;
fl4.flowi4_tos = tos;
fl4.flowi4_scope = RT_SCOPE_UNIVERSE;
--
2.3.2 (Apple Git-55)
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH 03/10] net: Use VRF device index for lookups on TX
2015-08-05 17:14 [PATCH net-next 00/10] VRF-lite - v4 David Ahern
2015-08-05 17:14 ` [PATCH 01/10] net: Introduce VRF related flags and helpers David Ahern
2015-08-05 17:14 ` [PATCH 02/10] net: Use VRF device index for lookups on RX David Ahern
@ 2015-08-05 17:14 ` David Ahern
2015-08-05 17:14 ` [PATCH 04/10] udp: Handle VRF device David Ahern
` (7 subsequent siblings)
10 siblings, 0 replies; 17+ messages in thread
From: David Ahern @ 2015-08-05 17:14 UTC (permalink / raw)
To: netdev
Cc: shm, roopa, gospo, jtoppins, nikolay, ddutt, hannes,
nicolas.dichtel, stephen, hadi, ebiederm, davem, svaidya,
David Ahern
As with ingress use the index of VRF master device for route lookups on
egress. However, the oif should only be used to direct the lookups to a
specific table. Routes in the table are not based on the VRF device but
rather interfaces that are part of the VRF so do not consider the oif for
lookups within the table. The FLOWI_FLAG_VRFSRC is used to control this
latter part.
Signed-off-by: Shrijeet Mukherjee <shm@cumulusnetworks.com>
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
---
include/net/flow.h | 1 +
include/net/route.h | 3 +++
net/ipv4/fib_trie.c | 7 +++++--
net/ipv4/icmp.c | 4 ++++
net/ipv4/route.c | 5 +++++
5 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/include/net/flow.h b/include/net/flow.h
index 3098ae33a178..f305588fc162 100644
--- a/include/net/flow.h
+++ b/include/net/flow.h
@@ -33,6 +33,7 @@ struct flowi_common {
__u8 flowic_flags;
#define FLOWI_FLAG_ANYSRC 0x01
#define FLOWI_FLAG_KNOWN_NH 0x02
+#define FLOWI_FLAG_VRFSRC 0x04
__u32 flowic_secid;
struct flowi_tunnel flowic_tun_key;
};
diff --git a/include/net/route.h b/include/net/route.h
index 2d45f419477f..94189d4bd899 100644
--- a/include/net/route.h
+++ b/include/net/route.h
@@ -251,6 +251,9 @@ static inline void ip_route_connect_init(struct flowi4 *fl4, __be32 dst, __be32
if (inet_sk(sk)->transparent)
flow_flags |= FLOWI_FLAG_ANYSRC;
+ if (netif_index_is_vrf(sock_net(sk), oif))
+ flow_flags |= FLOWI_FLAG_VRFSRC;
+
flowi4_init_output(fl4, oif, sk->sk_mark, tos, RT_SCOPE_UNIVERSE,
protocol, flow_flags, dst, src, dport, sport);
}
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index 37c4bb89a708..1243c79cb5b0 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -1423,8 +1423,11 @@ int fib_table_lookup(struct fib_table *tb, const struct flowi4 *flp,
nh->nh_flags & RTNH_F_LINKDOWN &&
!(fib_flags & FIB_LOOKUP_IGNORE_LINKSTATE))
continue;
- if (flp->flowi4_oif && flp->flowi4_oif != nh->nh_oif)
- continue;
+ if (!(flp->flowi4_flags & FLOWI_FLAG_VRFSRC)) {
+ if (flp->flowi4_oif &&
+ flp->flowi4_oif != nh->nh_oif)
+ continue;
+ }
if (!(fib_flags & FIB_LOOKUP_NOREF))
atomic_inc(&fi->fib_clntref);
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index c0556f1e4bf0..1164fc4ce3bc 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -96,6 +96,7 @@
#include <net/xfrm.h>
#include <net/inet_common.h>
#include <net/ip_fib.h>
+#include <net/vrf.h>
/*
* Build xmit assembly blocks
@@ -425,6 +426,7 @@ static void icmp_reply(struct icmp_bxm *icmp_param, struct sk_buff *skb)
fl4.flowi4_mark = mark;
fl4.flowi4_tos = RT_TOS(ip_hdr(skb)->tos);
fl4.flowi4_proto = IPPROTO_ICMP;
+ fl4.flowi4_oif = vrf_master_ifindex_rcu(skb->dev) ? : skb->dev->ifindex;
security_skb_classify_flow(skb, flowi4_to_flowi(&fl4));
rt = ip_route_output_key(net, &fl4);
if (IS_ERR(rt))
@@ -458,6 +460,8 @@ static struct rtable *icmp_route_lookup(struct net *net,
fl4->flowi4_proto = IPPROTO_ICMP;
fl4->fl4_icmp_type = type;
fl4->fl4_icmp_code = code;
+ fl4->flowi4_oif = vrf_master_ifindex_rcu(skb_in->dev) ? : skb_in->dev->ifindex;
+
security_skb_classify_flow(skb_in, flowi4_to_flowi(fl4));
rt = __ip_route_output_key(net, fl4);
if (IS_ERR(rt))
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index c26ff1f7067d..2c89d294b669 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -2131,6 +2131,11 @@ struct rtable *__ip_route_output_key(struct net *net, struct flowi4 *fl4)
fl4->saddr = inet_select_addr(dev_out, 0,
RT_SCOPE_HOST);
}
+ if (netif_is_vrf(dev_out) &&
+ !(fl4->flowi4_flags & FLOWI_FLAG_VRFSRC)) {
+ rth = vrf_dev_get_rth(dev_out);
+ goto out;
+ }
}
if (!fl4->daddr) {
--
2.3.2 (Apple Git-55)
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH 04/10] udp: Handle VRF device
2015-08-05 17:14 [PATCH net-next 00/10] VRF-lite - v4 David Ahern
` (2 preceding siblings ...)
2015-08-05 17:14 ` [PATCH 03/10] net: Use VRF device index for lookups on TX David Ahern
@ 2015-08-05 17:14 ` David Ahern
2015-08-05 17:14 ` [PATCH 05/10] net: Add inet_addr lookup by table David Ahern
` (6 subsequent siblings)
10 siblings, 0 replies; 17+ messages in thread
From: David Ahern @ 2015-08-05 17:14 UTC (permalink / raw)
To: netdev
Cc: shm, roopa, gospo, jtoppins, nikolay, ddutt, hannes,
nicolas.dichtel, stephen, hadi, ebiederm, davem, svaidya,
David Ahern
For unconnected UDP sockets using a VRF device lookup source address
based on VRF table. This allows the UDP header to be properly setup
before showing up at the VRF device via the dst.
Signed-off-by: Shrijeet Mukherjee <shm@cumulusnetworks.com>
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
---
net/ipv4/udp.c | 25 +++++++++++++++++++++++--
1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 83aa604f9273..b513d72a21b3 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -884,7 +884,7 @@ int udp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
struct rtable *rt = NULL;
int free = 0;
int connected = 0;
- __be32 daddr, faddr, saddr;
+ __be32 daddr, faddr, saddr, vsaddr = 0;
__be16 dport;
u8 tos;
int err, is_udplite = IS_UDPLITE(sk);
@@ -1013,11 +1013,30 @@ int udp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
if (!rt) {
struct net *net = sock_net(sk);
+ __u8 flow_flags = inet_sk_flowi_flags(sk);
fl4 = &fl4_stack;
+
+ /* unconnected socket. If output device is enslaved to a VRF
+ * device lookup source address from VRF table. This mimics
+ * behavior of ip_route_connect{_init}.
+ */
+ if (netif_index_is_vrf(net, ipc.oif)) {
+ flowi4_init_output(fl4, ipc.oif, sk->sk_mark, tos,
+ RT_SCOPE_UNIVERSE, sk->sk_protocol,
+ (flow_flags | FLOWI_FLAG_VRFSRC),
+ faddr, saddr, dport, inet->inet_sport);
+
+ rt = ip_route_output_flow(net, fl4, sk);
+ if (!IS_ERR(rt)) {
+ vsaddr = fl4->saddr;
+ ip_rt_put(rt);
+ }
+ }
+
flowi4_init_output(fl4, ipc.oif, sk->sk_mark, tos,
RT_SCOPE_UNIVERSE, sk->sk_protocol,
- inet_sk_flowi_flags(sk),
+ flow_flags,
faddr, saddr, dport, inet->inet_sport);
security_sk_classify_flow(sk, flowi4_to_flowi(fl4));
@@ -1042,6 +1061,8 @@ int udp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
goto do_confirm;
back_from_confirm:
+ if (vsaddr)
+ fl4->saddr = vsaddr;
saddr = fl4->saddr;
if (!ipc.addr)
daddr = ipc.addr = fl4->daddr;
--
2.3.2 (Apple Git-55)
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH 05/10] net: Add inet_addr lookup by table
2015-08-05 17:14 [PATCH net-next 00/10] VRF-lite - v4 David Ahern
` (3 preceding siblings ...)
2015-08-05 17:14 ` [PATCH 04/10] udp: Handle VRF device David Ahern
@ 2015-08-05 17:14 ` David Ahern
2015-08-05 17:14 ` [PATCH 06/10] net: Fix up inet_addr_type checks David Ahern
` (5 subsequent siblings)
10 siblings, 0 replies; 17+ messages in thread
From: David Ahern @ 2015-08-05 17:14 UTC (permalink / raw)
To: netdev
Cc: shm, roopa, gospo, jtoppins, nikolay, ddutt, hannes,
nicolas.dichtel, stephen, hadi, ebiederm, davem, svaidya,
David Ahern
Currently inet_addr_type and inet_dev_addr_type expect local addresses
to be in the local table. With the VRF device local routes for devices
associated with a VRF will be in the table associated with the VRF.
Provide an alternate inet_addr lookup to use a specific table rather
than defaulting to the local table.
Signed-off-by: Shrijeet Mukherjee <shm@cumulusnetworks.com>
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
---
include/net/route.h | 1 +
net/ipv4/fib_frontend.c | 22 +++++++++++++++-------
2 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/include/net/route.h b/include/net/route.h
index 94189d4bd899..6ba681f0b98d 100644
--- a/include/net/route.h
+++ b/include/net/route.h
@@ -189,6 +189,7 @@ void ipv4_sk_redirect(struct sk_buff *skb, struct sock *sk);
void ip_rt_send_redirect(struct sk_buff *skb);
unsigned int inet_addr_type(struct net *net, __be32 addr);
+unsigned int inet_addr_type_table(struct net *net, __be32 addr, int tb_id);
unsigned int inet_dev_addr_type(struct net *net, const struct net_device *dev,
__be32 addr);
void ip_rt_multicast_event(struct in_device *);
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index d8ced1d89f1b..b11321a8e58d 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -212,12 +212,12 @@ void fib_flush_external(struct net *net)
*/
static inline unsigned int __inet_dev_addr_type(struct net *net,
const struct net_device *dev,
- __be32 addr)
+ __be32 addr, int tb_id)
{
struct flowi4 fl4 = { .daddr = addr };
struct fib_result res;
unsigned int ret = RTN_BROADCAST;
- struct fib_table *local_table;
+ struct fib_table *table;
if (ipv4_is_zeronet(addr) || ipv4_is_lbcast(addr))
return RTN_BROADCAST;
@@ -226,10 +226,10 @@ static inline unsigned int __inet_dev_addr_type(struct net *net,
rcu_read_lock();
- local_table = fib_get_table(net, RT_TABLE_LOCAL);
- if (local_table) {
+ table = fib_get_table(net, tb_id);
+ if (table) {
ret = RTN_UNICAST;
- if (!fib_table_lookup(local_table, &fl4, &res, FIB_LOOKUP_NOREF)) {
+ if (!fib_table_lookup(table, &fl4, &res, FIB_LOOKUP_NOREF)) {
if (!dev || dev == res.fi->fib_dev)
ret = res.type;
}
@@ -239,16 +239,24 @@ static inline unsigned int __inet_dev_addr_type(struct net *net,
return ret;
}
+unsigned int inet_addr_type_table(struct net *net, __be32 addr, int tb_id)
+{
+ return __inet_dev_addr_type(net, NULL, addr, tb_id);
+}
+EXPORT_SYMBOL(inet_addr_type_table);
+
unsigned int inet_addr_type(struct net *net, __be32 addr)
{
- return __inet_dev_addr_type(net, NULL, addr);
+ return __inet_dev_addr_type(net, NULL, addr, RT_TABLE_LOCAL);
}
EXPORT_SYMBOL(inet_addr_type);
unsigned int inet_dev_addr_type(struct net *net, const struct net_device *dev,
__be32 addr)
{
- return __inet_dev_addr_type(net, dev, addr);
+ int rt_table = vrf_dev_table(dev) ? : RT_TABLE_LOCAL;
+
+ return __inet_dev_addr_type(net, dev, addr, rt_table);
}
EXPORT_SYMBOL(inet_dev_addr_type);
--
2.3.2 (Apple Git-55)
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH 06/10] net: Fix up inet_addr_type checks
2015-08-05 17:14 [PATCH net-next 00/10] VRF-lite - v4 David Ahern
` (4 preceding siblings ...)
2015-08-05 17:14 ` [PATCH 05/10] net: Add inet_addr lookup by table David Ahern
@ 2015-08-05 17:14 ` David Ahern
2015-08-05 17:14 ` [PATCH 07/10] net: Add routes to the table associated with the device David Ahern
` (4 subsequent siblings)
10 siblings, 0 replies; 17+ messages in thread
From: David Ahern @ 2015-08-05 17:14 UTC (permalink / raw)
To: netdev
Cc: shm, roopa, gospo, jtoppins, nikolay, ddutt, hannes,
nicolas.dichtel, stephen, hadi, ebiederm, davem, svaidya,
David Ahern
Currently inet_addr_type and inet_dev_addr_type expect local addresses
to be in the local table. With the VRF device local routes for devices
associated with a VRF will be in the table associated with the VRF.
Provide an alternate inet_addr lookup to use a specific table rather
than defaulting to the local table.
inet_addr_type_dev_table keeps the same semantics as inet_addr_type but
if the passed in device is enslaved to a VRF then the table for that VRF
is used for the lookup.
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
---
include/net/route.h | 3 +++
net/ipv4/af_inet.c | 13 ++++++++++++-
net/ipv4/arp.c | 15 +++++++++------
net/ipv4/fib_frontend.c | 28 +++++++++++++++++++++++++---
net/ipv4/fib_semantics.c | 6 ++++--
net/ipv4/icmp.c | 5 +++--
6 files changed, 56 insertions(+), 14 deletions(-)
diff --git a/include/net/route.h b/include/net/route.h
index 6ba681f0b98d..6dda2c1bf8c6 100644
--- a/include/net/route.h
+++ b/include/net/route.h
@@ -192,6 +192,9 @@ unsigned int inet_addr_type(struct net *net, __be32 addr);
unsigned int inet_addr_type_table(struct net *net, __be32 addr, int tb_id);
unsigned int inet_dev_addr_type(struct net *net, const struct net_device *dev,
__be32 addr);
+unsigned int inet_addr_type_dev_table(struct net *net,
+ const struct net_device *dev,
+ __be32 addr);
void ip_rt_multicast_event(struct in_device *);
int ip_rt_ioctl(struct net *, unsigned int cmd, void __user *arg);
void ip_rt_get_source(u8 *src, struct sk_buff *skb, struct rtable *rt);
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index cc4e498a0ccf..96fba4f63454 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -119,6 +119,7 @@
#ifdef CONFIG_IP_MROUTE
#include <linux/mroute.h>
#endif
+#include <net/vrf.h>
/* The inetsw table contains everything that inet_create needs to
@@ -427,6 +428,7 @@ int inet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
struct net *net = sock_net(sk);
unsigned short snum;
int chk_addr_ret;
+ int tb_id = 0;
int err;
/* If the socket has its own bind function then use it. (RAW) */
@@ -448,7 +450,16 @@ int inet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
goto out;
}
- chk_addr_ret = inet_addr_type(net, addr->sin_addr.s_addr);
+ if (sk->sk_bound_dev_if) {
+ struct net_device *dev;
+
+ rcu_read_lock();
+ dev = dev_get_by_index_rcu(net, sk->sk_bound_dev_if);
+ if (dev)
+ tb_id = vrf_dev_table_rcu(dev);
+ rcu_read_unlock();
+ }
+ chk_addr_ret = inet_addr_type_table(net, addr->sin_addr.s_addr, tb_id);
/* Not specified by any standard per-se, however it breaks too
* many applications when removed. It is unfortunate since
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index 34a308573f4b..30409b75e925 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -233,7 +233,7 @@ static int arp_constructor(struct neighbour *neigh)
return -EINVAL;
}
- neigh->type = inet_addr_type(dev_net(dev), addr);
+ neigh->type = inet_addr_type_dev_table(dev_net(dev), dev, addr);
parms = in_dev->arp_parms;
__neigh_parms_put(neigh->parms);
@@ -343,7 +343,7 @@ static void arp_solicit(struct neighbour *neigh, struct sk_buff *skb)
switch (IN_DEV_ARP_ANNOUNCE(in_dev)) {
default:
case 0: /* By default announce any local IP */
- if (skb && inet_addr_type(dev_net(dev),
+ if (skb && inet_addr_type_dev_table(dev_net(dev), dev,
ip_hdr(skb)->saddr) == RTN_LOCAL)
saddr = ip_hdr(skb)->saddr;
break;
@@ -351,7 +351,8 @@ static void arp_solicit(struct neighbour *neigh, struct sk_buff *skb)
if (!skb)
break;
saddr = ip_hdr(skb)->saddr;
- if (inet_addr_type(dev_net(dev), saddr) == RTN_LOCAL) {
+ if (inet_addr_type_dev_table(dev_net(dev), dev,
+ saddr) == RTN_LOCAL) {
/* saddr should be known to target */
if (inet_addr_onlink(in_dev, target, saddr))
break;
@@ -751,7 +752,7 @@ static int arp_process(struct sock *sk, struct sk_buff *skb)
/* Special case: IPv4 duplicate address detection packet (RFC2131) */
if (sip == 0) {
if (arp->ar_op == htons(ARPOP_REQUEST) &&
- inet_addr_type(net, tip) == RTN_LOCAL &&
+ inet_addr_type_dev_table(net, dev, tip) == RTN_LOCAL &&
!arp_ignore(in_dev, sip, tip))
arp_send(ARPOP_REPLY, ETH_P_ARP, sip, dev, tip, sha,
dev->dev_addr, sha);
@@ -811,16 +812,18 @@ static int arp_process(struct sock *sk, struct sk_buff *skb)
n = __neigh_lookup(&arp_tbl, &sip, dev, 0);
if (IN_DEV_ARP_ACCEPT(in_dev)) {
+ unsigned int addr_type = inet_addr_type_dev_table(net, dev, sip);
+
/* Unsolicited ARP is not accepted by default.
It is possible, that this option should be enabled for some
devices (strip is candidate)
*/
is_garp = arp->ar_op == htons(ARPOP_REQUEST) && tip == sip &&
- inet_addr_type(net, sip) == RTN_UNICAST;
+ addr_type == RTN_UNICAST;
if (!n &&
((arp->ar_op == htons(ARPOP_REPLY) &&
- inet_addr_type(net, sip) == RTN_UNICAST) || is_garp))
+ addr_type == RTN_UNICAST) || is_garp))
n = __neigh_lookup(&arp_tbl, &sip, dev, 1);
}
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index b11321a8e58d..d84ae0e30369 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -226,6 +226,9 @@ static inline unsigned int __inet_dev_addr_type(struct net *net,
rcu_read_lock();
+ if (!tb_id)
+ tb_id = RT_TABLE_LOCAL;
+
table = fib_get_table(net, tb_id);
if (table) {
ret = RTN_UNICAST;
@@ -260,6 +263,19 @@ unsigned int inet_dev_addr_type(struct net *net, const struct net_device *dev,
}
EXPORT_SYMBOL(inet_dev_addr_type);
+/* inet_addr_type with dev == NULL but using the table from a dev
+ * if one is associated
+ */
+unsigned int inet_addr_type_dev_table(struct net *net,
+ const struct net_device *dev,
+ __be32 addr)
+{
+ int rt_table = vrf_dev_table(dev) ? : RT_TABLE_LOCAL;
+
+ return __inet_dev_addr_type(net, NULL, addr, rt_table);
+}
+EXPORT_SYMBOL(inet_addr_type_dev_table);
+
__be32 fib_compute_spec_dst(struct sk_buff *skb)
{
struct net_device *dev = skb->dev;
@@ -510,9 +526,12 @@ static int rtentry_to_fib_config(struct net *net, int cmd, struct rtentry *rt,
addr = sk_extract_addr(&rt->rt_gateway);
if (rt->rt_gateway.sa_family == AF_INET && addr) {
+ unsigned int addr_type;
+
cfg->fc_gw = addr;
+ addr_type = inet_addr_type_table(net, cfg->fc_table, addr);
if (rt->rt_flags & RTF_GATEWAY &&
- inet_addr_type(net, addr) == RTN_UNICAST)
+ addr_type == RTN_UNICAST)
cfg->fc_scope = RT_SCOPE_UNIVERSE;
}
@@ -984,11 +1003,14 @@ void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim)
fib_magic(RTM_DELROUTE, RTN_BROADCAST, any, 32, prim);
}
if (!(ok & LOCAL_OK)) {
+ unsigned int addr_type;
+
fib_magic(RTM_DELROUTE, RTN_LOCAL, ifa->ifa_local, 32, prim);
/* Check, that this local address finally disappeared. */
- if (gone &&
- inet_addr_type(dev_net(dev), ifa->ifa_local) != RTN_LOCAL) {
+ addr_type = inet_addr_type_dev_table(dev_net(dev), dev,
+ ifa->ifa_local);
+ if (gone && addr_type != RTN_LOCAL) {
/* And the last, but not the least thing.
* We must flush stray FIB entries.
*
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index 558e196bae0f..410ddb67221e 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -670,16 +670,18 @@ static int fib_check_nh(struct fib_config *cfg, struct fib_info *fi,
struct fib_result res;
if (nh->nh_flags & RTNH_F_ONLINK) {
+ unsigned int addr_type;
if (cfg->fc_scope >= RT_SCOPE_LINK)
return -EINVAL;
- if (inet_addr_type(net, nh->nh_gw) != RTN_UNICAST)
- return -EINVAL;
dev = __dev_get_by_index(net, nh->nh_oif);
if (!dev)
return -ENODEV;
if (!(dev->flags & IFF_UP))
return -ENETDOWN;
+ addr_type = inet_addr_type_dev_table(net, dev, nh->nh_gw);
+ if (addr_type != RTN_UNICAST)
+ return -EINVAL;
if (!netif_carrier_ok(dev))
nh->nh_flags |= RTNH_F_LINKDOWN;
nh->nh_dev = dev;
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index 1164fc4ce3bc..c6f1ce149ffb 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -484,7 +484,8 @@ static struct rtable *icmp_route_lookup(struct net *net,
if (err)
goto relookup_failed;
- if (inet_addr_type(net, fl4_dec.saddr) == RTN_LOCAL) {
+ if (inet_addr_type_dev_table(net, skb_in->dev,
+ fl4_dec.saddr) == RTN_LOCAL) {
rt2 = __ip_route_output_key(net, &fl4_dec);
if (IS_ERR(rt2))
err = PTR_ERR(rt2);
@@ -833,7 +834,7 @@ static bool icmp_unreach(struct sk_buff *skb)
*/
if (!net->ipv4.sysctl_icmp_ignore_bogus_error_responses &&
- inet_addr_type(net, iph->daddr) == RTN_BROADCAST) {
+ inet_addr_type_dev_table(net, skb->dev, iph->daddr) == RTN_BROADCAST) {
net_warn_ratelimited("%pI4 sent an invalid ICMP type %u, code %u error to a broadcast: %pI4 on %s\n",
&ip_hdr(skb)->saddr,
icmph->type, icmph->code,
--
2.3.2 (Apple Git-55)
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH 07/10] net: Add routes to the table associated with the device
2015-08-05 17:14 [PATCH net-next 00/10] VRF-lite - v4 David Ahern
` (5 preceding siblings ...)
2015-08-05 17:14 ` [PATCH 06/10] net: Fix up inet_addr_type checks David Ahern
@ 2015-08-05 17:14 ` David Ahern
2015-08-05 17:14 ` [PATCH 08/10] net: Use passed in table for nexthop lookups David Ahern
` (3 subsequent siblings)
10 siblings, 0 replies; 17+ messages in thread
From: David Ahern @ 2015-08-05 17:14 UTC (permalink / raw)
To: netdev
Cc: shm, roopa, gospo, jtoppins, nikolay, ddutt, hannes,
nicolas.dichtel, stephen, hadi, ebiederm, davem, svaidya,
David Ahern
When a device associated with a VRF is brought up or down routes
should be added to/removed from the table associated with the VRF.
fib_magic defaults to using the main or local tables. Have it use
the table with the device if there is one.
A part of this is directing prefsrc validations to the correct
table as well.
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
---
net/ipv4/fib_frontend.c | 8 ++++----
net/ipv4/fib_semantics.c | 25 +++++++++++++++++++------
2 files changed, 23 insertions(+), 10 deletions(-)
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index d84ae0e30369..0a50a08ab844 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -803,6 +803,7 @@ static int inet_dump_fib(struct sk_buff *skb, struct netlink_callback *cb)
static void fib_magic(int cmd, int type, __be32 dst, int dst_len, struct in_ifaddr *ifa)
{
struct net *net = dev_net(ifa->ifa_dev->dev);
+ int tb_id = vrf_dev_table_rtnl(ifa->ifa_dev->dev);
struct fib_table *tb;
struct fib_config cfg = {
.fc_protocol = RTPROT_KERNEL,
@@ -817,11 +818,10 @@ static void fib_magic(int cmd, int type, __be32 dst, int dst_len, struct in_ifad
},
};
- if (type == RTN_UNICAST)
- tb = fib_new_table(net, RT_TABLE_MAIN);
- else
- tb = fib_new_table(net, RT_TABLE_LOCAL);
+ if (!tb_id)
+ tb_id = (type == RTN_UNICAST) ? RT_TABLE_MAIN : RT_TABLE_LOCAL;
+ tb = fib_new_table(net, tb_id);
if (!tb)
return;
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index 410ddb67221e..85e9a8abf15c 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -838,6 +838,23 @@ __be32 fib_info_update_nh_saddr(struct net *net, struct fib_nh *nh)
return nh->nh_saddr;
}
+static bool fib_valid_prefsrc(struct fib_config *cfg, __be32 fib_prefsrc)
+{
+ if (cfg->fc_type != RTN_LOCAL || !cfg->fc_dst ||
+ fib_prefsrc != cfg->fc_dst) {
+ int tb_id = cfg->fc_table;
+
+ if (tb_id == RT_TABLE_MAIN)
+ tb_id = RT_TABLE_LOCAL;
+
+ if (inet_addr_type_table(cfg->fc_nlinfo.nl_net,
+ fib_prefsrc, tb_id) != RTN_LOCAL) {
+ return false;
+ }
+ }
+ return true;
+}
+
struct fib_info *fib_create_info(struct fib_config *cfg)
{
int err;
@@ -1033,12 +1050,8 @@ struct fib_info *fib_create_info(struct fib_config *cfg)
fi->fib_flags |= RTNH_F_LINKDOWN;
}
- if (fi->fib_prefsrc) {
- if (cfg->fc_type != RTN_LOCAL || !cfg->fc_dst ||
- fi->fib_prefsrc != cfg->fc_dst)
- if (inet_addr_type(net, fi->fib_prefsrc) != RTN_LOCAL)
- goto err_inval;
- }
+ if (fi->fib_prefsrc && !fib_valid_prefsrc(cfg, fi->fib_prefsrc))
+ goto err_inval;
change_nexthops(fi) {
fib_info_update_nh_saddr(net, nexthop_nh);
--
2.3.2 (Apple Git-55)
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH 08/10] net: Use passed in table for nexthop lookups
2015-08-05 17:14 [PATCH net-next 00/10] VRF-lite - v4 David Ahern
` (6 preceding siblings ...)
2015-08-05 17:14 ` [PATCH 07/10] net: Add routes to the table associated with the device David Ahern
@ 2015-08-05 17:14 ` David Ahern
2015-08-05 17:14 ` [PATCH 09/10] net: Use VRF device index for socket lookups David Ahern
` (2 subsequent siblings)
10 siblings, 0 replies; 17+ messages in thread
From: David Ahern @ 2015-08-05 17:14 UTC (permalink / raw)
To: netdev
Cc: shm, roopa, gospo, jtoppins, nikolay, ddutt, hannes,
nicolas.dichtel, stephen, hadi, ebiederm, davem, svaidya,
David Ahern
If a user passes in a table for new routes use that table for nexthop
lookups. Specifically, this solves the case where a connected route does
not exist in the main table, but only another table and then a subsequent
route is added with a next hop using the connected route. ie.,
$ ip route ls
default via 10.0.2.2 dev eth0
10.0.2.0/24 dev eth0 proto kernel scope link src 10.0.2.15
169.254.0.0/16 dev eth0 scope link metric 1003
192.168.56.0/24 dev eth1 proto kernel scope link src 192.168.56.51
$ ip route ls table 10
1.1.1.0/24 dev eth2 scope link
Without this patch adding a nexthop route fails:
$ ip route add table 10 2.2.2.0/24 via 1.1.1.10
RTNETLINK answers: Network is unreachable
With this patch the route is added successfully.
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
---
net/ipv4/fib_semantics.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index 85e9a8abf15c..b7f1d20a9615 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -691,6 +691,7 @@ static int fib_check_nh(struct fib_config *cfg, struct fib_info *fi,
}
rcu_read_lock();
{
+ struct fib_table *tbl = NULL;
struct flowi4 fl4 = {
.daddr = nh->nh_gw,
.flowi4_scope = cfg->fc_scope + 1,
@@ -701,8 +702,16 @@ static int fib_check_nh(struct fib_config *cfg, struct fib_info *fi,
/* It is not necessary, but requires a bit of thinking */
if (fl4.flowi4_scope < RT_SCOPE_LINK)
fl4.flowi4_scope = RT_SCOPE_LINK;
- err = fib_lookup(net, &fl4, &res,
- FIB_LOOKUP_IGNORE_LINKSTATE);
+
+ if (cfg->fc_table)
+ tbl = fib_get_table(net, cfg->fc_table);
+
+ if (tbl)
+ err = fib_table_lookup(tbl, &fl4, &res,
+ FIB_LOOKUP_IGNORE_LINKSTATE);
+ else
+ err = fib_lookup(net, &fl4, &res,
+ FIB_LOOKUP_IGNORE_LINKSTATE);
if (err) {
rcu_read_unlock();
return err;
--
2.3.2 (Apple Git-55)
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH 09/10] net: Use VRF device index for socket lookups
2015-08-05 17:14 [PATCH net-next 00/10] VRF-lite - v4 David Ahern
` (7 preceding siblings ...)
2015-08-05 17:14 ` [PATCH 08/10] net: Use passed in table for nexthop lookups David Ahern
@ 2015-08-05 17:14 ` David Ahern
2015-08-05 18:32 ` Tom Herbert
2015-08-05 17:14 ` [PATCH 10/10] net: Introduce VRF device driver David Ahern
2015-08-05 17:14 ` [PATCH] iproute2: Add support for VRF device David Ahern
10 siblings, 1 reply; 17+ messages in thread
From: David Ahern @ 2015-08-05 17:14 UTC (permalink / raw)
To: netdev
Cc: shm, roopa, gospo, jtoppins, nikolay, ddutt, hannes,
nicolas.dichtel, stephen, hadi, ebiederm, davem, svaidya,
David Ahern
The intent of the VRF device is to leverage the existing SO_BINDTODEVICE
as a means of creating L3 domains. Since sockets are expected to be bound
to the VRF device the index of the master device needs to be used for
socket lookups.
Signed-off-by: Shrijeet Mukherjee <shm@cumulusnetworks.com>
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
---
net/ipv4/syncookies.c | 5 ++++-
net/ipv4/tcp_input.c | 6 +++++-
net/ipv4/tcp_ipv4.c | 11 +++++++++--
3 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index d70b1f603692..e5c8b1240278 100644
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -18,6 +18,7 @@
#include <linux/export.h>
#include <net/tcp.h>
#include <net/route.h>
+#include <net/vrf.h>
extern int sysctl_tcp_syncookies;
@@ -348,7 +349,9 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
treq->snt_synack = tcp_opt.saw_tstamp ? tcp_opt.rcv_tsecr : 0;
treq->tfo_listener = false;
- ireq->ir_iif = sk->sk_bound_dev_if;
+ ireq->ir_iif = vrf_master_ifindex_by_index(sock_net(sk), skb->skb_iif);
+ if (!ireq->ir_iif)
+ ireq->ir_iif = sk->sk_bound_dev_if;
/* We throwed the options of the initial SYN away, so we hope
* the ACK carries the same options again (see RFC1122 4.2.3.8)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 4e4d6bcd0ca9..6b96240a4055 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -72,6 +72,7 @@
#include <net/dst.h>
#include <net/tcp.h>
#include <net/inet_common.h>
+#include <net/vrf.h>
#include <linux/ipsec.h>
#include <asm/unaligned.h>
#include <linux/errqueue.h>
@@ -6141,7 +6142,10 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops,
tcp_openreq_init(req, &tmp_opt, skb, sk);
/* Note: tcp_v6_init_req() might override ir_iif for link locals */
- inet_rsk(req)->ir_iif = sk->sk_bound_dev_if;
+ inet_rsk(req)->ir_iif = vrf_master_ifindex_by_index(sock_net(sk),
+ skb->skb_iif);
+ if (!inet_rsk(req)->ir_iif)
+ inet_rsk(req)->ir_iif = sk->sk_bound_dev_if;
af_ops->init_req(req, sk, skb);
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index d27eb549ced6..0f8ed98a2e64 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -75,6 +75,7 @@
#include <net/secure_seq.h>
#include <net/tcp_memcontrol.h>
#include <net/busy_poll.h>
+#include <net/vrf.h>
#include <linux/inet.h>
#include <linux/ipv6.h>
@@ -682,6 +683,8 @@ static void tcp_v4_send_reset(struct sock *sk, struct sk_buff *skb)
*/
if (sk)
arg.bound_dev_if = sk->sk_bound_dev_if;
+ if (!arg.bound_dev_if && skb->dev)
+ arg.bound_dev_if = vrf_master_ifindex_rcu(skb->dev);
arg.tos = ip_hdr(skb)->tos;
ip_send_unicast_reply(*this_cpu_ptr(net->ipv4.tcp_sk),
@@ -766,8 +769,10 @@ static void tcp_v4_send_ack(struct sk_buff *skb, u32 seq, u32 ack,
ip_hdr(skb)->saddr, /* XXX */
arg.iov[0].iov_len, IPPROTO_TCP, 0);
arg.csumoffset = offsetof(struct tcphdr, check) / 2;
- if (oif)
- arg.bound_dev_if = oif;
+ arg.bound_dev_if = oif ? : vrf_master_ifindex_rcu(skb_dst(skb)->dev);
+ if (!arg.bound_dev_if)
+ arg.bound_dev_if = vrf_master_ifindex_rcu(skb->dev);
+
arg.tos = tos;
ip_send_unicast_reply(*this_cpu_ptr(net->ipv4.tcp_sk),
skb, &TCP_SKB_CB(skb)->header.h4.opt,
@@ -1269,6 +1274,8 @@ struct sock *tcp_v4_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
ireq = inet_rsk(req);
sk_daddr_set(newsk, ireq->ir_rmt_addr);
sk_rcv_saddr_set(newsk, ireq->ir_loc_addr);
+ if (netif_index_is_vrf(sock_net(newsk), ireq->ir_iif))
+ newsk->sk_bound_dev_if = ireq->ir_iif;
newinet->inet_saddr = ireq->ir_loc_addr;
inet_opt = ireq->opt;
rcu_assign_pointer(newinet->inet_opt, inet_opt);
--
2.3.2 (Apple Git-55)
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH 10/10] net: Introduce VRF device driver
2015-08-05 17:14 [PATCH net-next 00/10] VRF-lite - v4 David Ahern
` (8 preceding siblings ...)
2015-08-05 17:14 ` [PATCH 09/10] net: Use VRF device index for socket lookups David Ahern
@ 2015-08-05 17:14 ` David Ahern
2015-08-05 17:14 ` [PATCH] iproute2: Add support for VRF device David Ahern
10 siblings, 0 replies; 17+ messages in thread
From: David Ahern @ 2015-08-05 17:14 UTC (permalink / raw)
To: netdev
Cc: shm, roopa, gospo, jtoppins, nikolay, ddutt, hannes,
nicolas.dichtel, stephen, hadi, ebiederm, davem, svaidya,
David Ahern
This driver borrows heavily from IPvlan and teaming drivers.
Routing domains (VRF-lite) are created by instantiating a VRF master
device with an associated table and enslaving all routed interfaces that
participate in the domain. As part of the enslavement, all connected
routes for the enslaved devices are moved to the table associated with
the VRF device. Outgoing sockets must bind to the VRF device to function.
Standard FIB rules bind the VRF device to tables and regular fib rule
processing is followed. Routed traffic through the box, is forwarded by
using the VRF device as the IIF and following the IIF rule to a table
that is mated with the VRF.
Example:
Create vrf 1:
ip link add vrf1 type vrf table 5
ip rule add iif vrf1 table 5
ip rule add oif vrf1 table 5
ip route add table 5 prohibit default
ip link set vrf1 up
Add interface to vrf 1:
ip link set eth1 master vrf1
Signed-off-by: Shrijeet Mukherjee <shm@cumulusnetworks.com>
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
---
drivers/net/Kconfig | 7 +
drivers/net/Makefile | 1 +
drivers/net/vrf.c | 715 +++++++++++++++++++++++++++++++++++++++++++++++++++
include/net/vrf.h | 1 -
4 files changed, 723 insertions(+), 1 deletion(-)
create mode 100644 drivers/net/vrf.c
diff --git a/drivers/net/Kconfig b/drivers/net/Kconfig
index c18f9e62a9fa..e58468b02987 100644
--- a/drivers/net/Kconfig
+++ b/drivers/net/Kconfig
@@ -297,6 +297,13 @@ config NLMON
diagnostics, etc. This is mostly intended for developers or support
to debug netlink issues. If unsure, say N.
+config NET_VRF
+ tristate "Virtual Routing and Forwarding (Lite)"
+ depends on IP_MULTIPLE_TABLES && IPV6_MULTIPLE_TABLES
+ ---help---
+ This option enables the support for mapping interfaces into VRF's. The
+ support enables VRF devices.
+
endif # NET_CORE
config SUNGEM_PHY
diff --git a/drivers/net/Makefile b/drivers/net/Makefile
index c12cb22478a7..ca16dd689b36 100644
--- a/drivers/net/Makefile
+++ b/drivers/net/Makefile
@@ -25,6 +25,7 @@ obj-$(CONFIG_VIRTIO_NET) += virtio_net.o
obj-$(CONFIG_VXLAN) += vxlan.o
obj-$(CONFIG_GENEVE) += geneve.o
obj-$(CONFIG_NLMON) += nlmon.o
+obj-$(CONFIG_NET_VRF) += vrf.o
#
# Networking Drivers
diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
new file mode 100644
index 000000000000..75c06ee2efa3
--- /dev/null
+++ b/drivers/net/vrf.c
@@ -0,0 +1,715 @@
+/*
+ * vrf.c: device driver to encapsulate a VRF space
+ *
+ * Copyright (c) 2015 Cumulus Networks. All rights reserved.
+ * Copyright (c) 2015 Shrijeet Mukherjee <shm@cumulusnetworks.com>
+ * Copyright (c) 2015 David Ahern <dsa@cumulusnetworks.com>
+ *
+ * Based on dummy, team and ipvlan drivers
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/netdevice.h>
+#include <linux/etherdevice.h>
+#include <linux/ip.h>
+#include <linux/init.h>
+#include <linux/moduleparam.h>
+#include <linux/netfilter.h>
+#include <linux/rtnetlink.h>
+#include <net/rtnetlink.h>
+#include <linux/u64_stats_sync.h>
+#include <linux/hashtable.h>
+
+#include <linux/inetdevice.h>
+#include <net/ip.h>
+#include <net/ip_fib.h>
+#include <net/ip6_route.h>
+#include <net/rtnetlink.h>
+#include <net/route.h>
+#include <net/addrconf.h>
+#include <net/vrf.h>
+
+#define DRV_NAME "vrf"
+#define DRV_VERSION "1.0"
+
+#define vrf_is_slave(dev) ((dev)->flags & IFF_SLAVE)
+
+#define vrf_master_get_rcu(dev) \
+ ((struct net_device *)rcu_dereference(dev->rx_handler_data))
+
+struct pcpu_dstats {
+ u64 tx_pkts;
+ u64 tx_bytes;
+ u64 tx_drps;
+ u64 rx_pkts;
+ u64 rx_bytes;
+ struct u64_stats_sync syncp;
+};
+
+static struct dst_entry *vrf_ip_check(struct dst_entry *dst, u32 cookie)
+{
+ return dst;
+}
+
+static int vrf_ip_local_out(struct sk_buff *skb)
+{
+ return ip_local_out(skb);
+}
+
+static unsigned int vrf_v4_mtu(const struct dst_entry *dst)
+{
+ /* TO-DO: return max ethernet size? */
+ return dst->dev->mtu;
+}
+
+static void vrf_dst_destroy(struct dst_entry *dst)
+{
+ /* our dst lives forever - or until the device is closed */
+}
+
+static unsigned int vrf_default_advmss(const struct dst_entry *dst)
+{
+ return 65535 - 40;
+}
+
+static struct dst_ops vrf_dst_ops = {
+ .family = AF_INET,
+ .local_out = vrf_ip_local_out,
+ .check = vrf_ip_check,
+ .mtu = vrf_v4_mtu,
+ .destroy = vrf_dst_destroy,
+ .default_advmss = vrf_default_advmss,
+};
+
+static bool is_ip_rx_frame(struct sk_buff *skb)
+{
+ switch (skb->protocol) {
+ case htons(ETH_P_IP):
+ case htons(ETH_P_IPV6):
+ return true;
+ }
+ return false;
+}
+
+/* note: already called with rcu_read_lock */
+static rx_handler_result_t vrf_handle_frame(struct sk_buff **pskb)
+{
+ struct sk_buff *skb = *pskb;
+
+ if (is_ip_rx_frame(skb)) {
+ struct net_device *dev = vrf_master_get_rcu(skb->dev);
+ struct pcpu_dstats *dstats = this_cpu_ptr(dev->dstats);
+
+ u64_stats_update_begin(&dstats->syncp);
+ dstats->rx_pkts++;
+ dstats->rx_bytes += skb->len;
+ u64_stats_update_end(&dstats->syncp);
+
+ skb->dev = dev;
+
+ return RX_HANDLER_ANOTHER;
+ }
+ return RX_HANDLER_PASS;
+}
+
+static struct rtnl_link_stats64 *vrf_get_stats64(struct net_device *dev,
+ struct rtnl_link_stats64 *stats)
+{
+ int i;
+
+ for_each_possible_cpu(i) {
+ const struct pcpu_dstats *dstats;
+ u64 tbytes, tpkts, tdrops, rbytes, rpkts;
+ unsigned int start;
+
+ dstats = per_cpu_ptr(dev->dstats, i);
+ do {
+ start = u64_stats_fetch_begin_irq(&dstats->syncp);
+ tbytes = dstats->tx_bytes;
+ tpkts = dstats->tx_pkts;
+ tdrops = dstats->tx_drps;
+ rbytes = dstats->rx_bytes;
+ rpkts = dstats->rx_pkts;
+ } while (u64_stats_fetch_retry_irq(&dstats->syncp, start));
+ stats->tx_bytes += tbytes;
+ stats->tx_packets += tpkts;
+ stats->tx_dropped += tdrops;
+ stats->rx_bytes += rbytes;
+ stats->rx_packets += rpkts;
+ }
+ return stats;
+}
+
+static netdev_tx_t vrf_process_v6_outbound(struct sk_buff *skb,
+ struct net_device *dev)
+{
+ return 0;
+}
+
+static int vrf_send_v4_prep(struct sk_buff *skb, struct flowi4 *fl4,
+ struct net_device *vrf_dev)
+{
+ struct rtable *rt;
+ int err = 1;
+
+ rt = ip_route_output_flow(dev_net(vrf_dev), fl4, NULL);
+ if (IS_ERR(rt))
+ goto out;
+
+ /* TO-DO: what about broadcast ? */
+ if (rt->rt_type != RTN_UNICAST && rt->rt_type != RTN_LOCAL) {
+ ip_rt_put(rt);
+ goto out;
+ }
+
+ skb_dst_drop(skb);
+ skb_dst_set(skb, &rt->dst);
+ err = 0;
+out:
+ return err;
+}
+
+static netdev_tx_t vrf_process_v4_outbound(struct sk_buff *skb,
+ struct net_device *vrf_dev)
+{
+ struct iphdr *ip4h = ip_hdr(skb);
+ int ret = NET_XMIT_DROP;
+ struct flowi4 fl4 = {
+ /* needed to match OIF rule */
+ .flowi4_oif = vrf_dev->ifindex,
+ .flowi4_iif = LOOPBACK_IFINDEX,
+ .flowi4_tos = RT_TOS(ip4h->tos),
+ .flowi4_flags = FLOWI_FLAG_ANYSRC | FLOWI_FLAG_VRFSRC,
+ .daddr = ip4h->daddr,
+ };
+
+ if (vrf_send_v4_prep(skb, &fl4, vrf_dev))
+ goto err;
+
+ if (!ip4h->saddr) {
+ ip4h->saddr = inet_select_addr(skb_dst(skb)->dev, 0,
+ RT_SCOPE_LINK);
+ }
+
+ ret = ip_local_out(skb);
+ if (unlikely(net_xmit_eval(ret)))
+ vrf_dev->stats.tx_errors++;
+ else
+ ret = NET_XMIT_SUCCESS;
+
+out:
+ return ret;
+err:
+ vrf_dev->stats.tx_errors++;
+ kfree_skb(skb);
+ goto out;
+}
+
+static netdev_tx_t is_ip_tx_frame(struct sk_buff *skb, struct net_device *dev)
+{
+ switch (skb->protocol) {
+ case htons(ETH_P_IP):
+ return vrf_process_v4_outbound(skb, dev);
+ case htons(ETH_P_IPV6):
+ return vrf_process_v6_outbound(skb, dev);
+ default:
+ return NET_XMIT_DROP;
+ }
+}
+
+static netdev_tx_t vrf_xmit(struct sk_buff *skb, struct net_device *dev)
+{
+ netdev_tx_t ret = is_ip_tx_frame(skb, dev);
+
+ if (likely(ret == NET_XMIT_SUCCESS || ret == NET_XMIT_CN)) {
+ struct pcpu_dstats *dstats = this_cpu_ptr(dev->dstats);
+
+ u64_stats_update_begin(&dstats->syncp);
+ dstats->tx_pkts++;
+ dstats->tx_bytes += skb->len;
+ u64_stats_update_end(&dstats->syncp);
+ } else {
+ this_cpu_inc(dev->dstats->tx_drps);
+ }
+
+ return ret;
+}
+
+static netdev_tx_t vrf_finish(struct sock *sk, struct sk_buff *skb)
+{
+ return dev_queue_xmit(skb);
+}
+
+static int vrf_output(struct sock *sk, struct sk_buff *skb)
+{
+ struct net_device *dev = skb_dst(skb)->dev;
+
+ IP_UPD_PO_STATS(dev_net(dev), IPSTATS_MIB_OUT, skb->len);
+
+ skb->dev = dev;
+ skb->protocol = htons(ETH_P_IP);
+
+ return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, sk, skb,
+ NULL, dev,
+ vrf_finish,
+ !(IPCB(skb)->flags & IPSKB_REROUTED));
+}
+
+static void vrf_rtable_destroy(struct net_vrf *vrf)
+{
+ struct dst_entry *dst = (struct dst_entry *)vrf->rth;
+
+ if (dst)
+ dst_destroy(dst);
+ vrf->rth = NULL;
+}
+
+static struct rtable *vrf_rtable_create(struct net_device *dev)
+{
+ struct rtable *rth;
+
+ rth = dst_alloc(&vrf_dst_ops, dev, 2,
+ DST_OBSOLETE_NONE,
+ (DST_HOST | DST_NOPOLICY | DST_NOXFRM));
+ if (rth) {
+ rth->dst.output = vrf_output;
+ rth->rt_genid = rt_genid_ipv4(dev_net(dev));
+ rth->rt_flags = 0;
+ rth->rt_type = RTN_UNICAST;
+ rth->rt_is_input = 0;
+ rth->rt_iif = 0;
+ rth->rt_pmtu = 0;
+ rth->rt_gateway = 0;
+ rth->rt_uses_gateway = 0;
+ INIT_LIST_HEAD(&rth->rt_uncached);
+ rth->rt_uncached_list = NULL;
+ rth->rt_lwtstate = NULL;
+ }
+
+ return rth;
+}
+
+/**************************** device handling ********************/
+
+/* cycle interface to flush neighbor cache and move routes across tables */
+static void cycle_netdev(struct net_device *dev)
+{
+ unsigned int flags = dev->flags;
+ int ret;
+
+ if (!netif_running(dev))
+ return;
+
+ ret = dev_change_flags(dev, flags & ~IFF_UP);
+ if (ret >= 0)
+ ret = dev_change_flags(dev, flags);
+
+ if (ret < 0) {
+ netdev_err(dev,
+ "Failed to cycle device %s; route tables might be wrong!\n",
+ dev->name);
+ }
+}
+
+static struct slave *__vrf_find_slave_dev(struct slave_queue *queue,
+ struct net_device *dev)
+{
+ struct list_head *head = &queue->all_slaves;
+ struct slave *slave;
+
+ list_for_each_entry(slave, head, list) {
+ if (slave->dev == dev)
+ return slave;
+ }
+
+ return NULL;
+}
+
+/* inverse of __vrf_insert_slave */
+static void __vrf_remove_slave(struct slave_queue *queue, struct slave *slave)
+{
+ dev_put(slave->dev);
+ list_del(&slave->list);
+ queue->num_slaves--;
+}
+
+static void __vrf_insert_slave(struct slave_queue *queue, struct slave *slave)
+{
+ dev_hold(slave->dev);
+ list_add(&slave->list, &queue->all_slaves);
+ queue->num_slaves++;
+}
+
+static int do_vrf_add_slave(struct net_device *dev, struct net_device *port_dev)
+{
+ struct net_vrf_dev *vrf_ptr = kmalloc(sizeof(*vrf_ptr), GFP_KERNEL);
+ struct slave *slave = kzalloc(sizeof(*slave), GFP_KERNEL);
+ struct slave *duplicate_slave;
+ struct net_vrf *vrf = netdev_priv(dev);
+ struct slave_queue *queue = &vrf->queue;
+ int ret = -ENOMEM;
+
+ if (!slave || !vrf_ptr)
+ goto out_fail;
+
+ slave->dev = port_dev;
+
+ vrf_ptr->ifindex = dev->ifindex;
+ vrf_ptr->tb_id = vrf->tb_id;
+
+ duplicate_slave = __vrf_find_slave_dev(queue, port_dev);
+ if (duplicate_slave) {
+ ret = -EBUSY;
+ goto out_fail;
+ }
+
+ __vrf_insert_slave(queue, slave);
+
+ /* register the packet handler for slave ports */
+ ret = netdev_rx_handler_register(port_dev, vrf_handle_frame, dev);
+ if (ret) {
+ netdev_err(port_dev,
+ "Device %s failed to register rx_handler\n",
+ port_dev->name);
+ goto out_remove;
+ }
+
+ ret = netdev_master_upper_dev_link(port_dev, dev);
+ if (ret < 0)
+ goto out_unregister;
+
+ port_dev->flags |= IFF_SLAVE;
+
+ rcu_assign_pointer(port_dev->vrf_ptr, vrf_ptr);
+ cycle_netdev(port_dev);
+
+ return 0;
+
+out_unregister:
+ netdev_rx_handler_unregister(port_dev);
+out_remove:
+ __vrf_remove_slave(queue, slave);
+out_fail:
+ kfree(vrf_ptr);
+ kfree(slave);
+ return ret;
+}
+
+static int vrf_add_slave(struct net_device *dev, struct net_device *port_dev)
+{
+ if (!netif_is_vrf(dev) || netif_is_vrf(port_dev) ||
+ vrf_is_slave(port_dev))
+ return -EINVAL;
+
+ return do_vrf_add_slave(dev, port_dev);
+}
+
+/* inverse of do_vrf_add_slave */
+static int do_vrf_del_slave(struct net_device *dev, struct net_device *port_dev)
+{
+ struct net_vrf_dev *vrf_ptr = rtnl_dereference(port_dev->vrf_ptr);
+ struct net_vrf *vrf = netdev_priv(dev);
+ struct slave_queue *queue = &vrf->queue;
+ struct slave *slave;
+
+ RCU_INIT_POINTER(port_dev->vrf_ptr, NULL);
+
+ netdev_upper_dev_unlink(port_dev, dev);
+ port_dev->flags &= ~IFF_SLAVE;
+
+ netdev_rx_handler_unregister(port_dev);
+
+ /* after netdev_rx_handler_unregister for synchronize_rcu */
+ kfree(vrf_ptr);
+
+ cycle_netdev(port_dev);
+
+ slave = __vrf_find_slave_dev(queue, port_dev);
+ if (slave)
+ __vrf_remove_slave(queue, slave);
+
+ kfree(slave);
+
+ return 0;
+}
+
+static int vrf_del_slave(struct net_device *dev, struct net_device *port_dev)
+{
+ if (!netif_is_vrf(dev))
+ return -EINVAL;
+
+ return do_vrf_del_slave(dev, port_dev);
+}
+
+static void vrf_dev_uninit(struct net_device *dev)
+{
+ struct net_vrf *vrf = netdev_priv(dev);
+ struct slave_queue *queue = &vrf->queue;
+ struct list_head *head = &queue->all_slaves;
+ struct slave *slave, *next;
+
+ vrf_rtable_destroy(vrf);
+
+ list_for_each_entry_safe(slave, next, head, list)
+ vrf_del_slave(dev, slave->dev);
+
+ if (dev->dstats)
+ free_percpu(dev->dstats);
+ dev->dstats = NULL;
+}
+
+static int vrf_dev_init(struct net_device *dev)
+{
+ struct net_vrf *vrf = netdev_priv(dev);
+
+ INIT_LIST_HEAD(&vrf->queue.all_slaves);
+
+ dev->dstats = netdev_alloc_pcpu_stats(struct pcpu_dstats);
+ if (!dev->dstats)
+ goto out_nomem;
+
+ /* create the default dst which points back to us */
+ vrf->rth = vrf_rtable_create(dev);
+ if (!vrf->rth)
+ goto out_stats;
+
+ dev->flags = IFF_MASTER | IFF_NOARP;
+
+ return 0;
+
+out_stats:
+ free_percpu(dev->dstats);
+ dev->dstats = NULL;
+out_nomem:
+ return -ENOMEM;
+}
+
+static int vrf_dev_close(struct net_device *dev)
+{
+ struct net_vrf *vrf = netdev_priv(dev);
+ struct slave_queue *queue = &vrf->queue;
+ struct list_head *head = &queue->all_slaves;
+ struct slave *slave;
+
+ list_for_each_entry(slave, head, list) {
+ slave->dev->vrf_ptr->ifindex = 0;
+ slave->dev->vrf_ptr->tb_id = 0;
+ }
+
+ return 0;
+}
+
+static int vrf_dev_open(struct net_device *dev)
+{
+ struct net_vrf *vrf = netdev_priv(dev);
+ struct slave_queue *queue = &vrf->queue;
+ struct list_head *head = &queue->all_slaves;
+ struct slave *slave;
+
+ list_for_each_entry(slave, head, list) {
+ slave->dev->vrf_ptr->ifindex = dev->ifindex;
+ slave->dev->vrf_ptr->tb_id = vrf->tb_id;
+ }
+
+ return 0;
+}
+
+static const struct net_device_ops vrf_netdev_ops = {
+ .ndo_init = vrf_dev_init,
+ .ndo_uninit = vrf_dev_uninit,
+ .ndo_open = vrf_dev_open,
+ .ndo_stop = vrf_dev_close,
+ .ndo_start_xmit = vrf_xmit,
+ .ndo_get_stats64 = vrf_get_stats64,
+ .ndo_add_slave = vrf_add_slave,
+ .ndo_del_slave = vrf_del_slave,
+};
+
+static void vrf_get_drvinfo(struct net_device *dev,
+ struct ethtool_drvinfo *info)
+{
+ strlcpy(info->driver, DRV_NAME, sizeof(info->driver));
+ strlcpy(info->version, DRV_VERSION, sizeof(info->version));
+}
+
+static const struct ethtool_ops vrf_ethtool_ops = {
+ .get_drvinfo = vrf_get_drvinfo,
+};
+
+static void vrf_setup(struct net_device *dev)
+{
+ ether_setup(dev);
+
+ /* Initialize the device structure. */
+ dev->netdev_ops = &vrf_netdev_ops;
+ dev->ethtool_ops = &vrf_ethtool_ops;
+ dev->destructor = free_netdev;
+
+ /* Fill in device structure with ethernet-generic values. */
+ eth_hw_addr_random(dev);
+
+ /* don't acquire vrf device's netif_tx_lock when transmitting */
+ dev->features |= NETIF_F_LLTX;
+
+ /* don't allow vrf devices to change network namespaces. */
+ dev->features |= NETIF_F_NETNS_LOCAL;
+}
+
+static int vrf_validate(struct nlattr *tb[], struct nlattr *data[])
+{
+ if (tb[IFLA_ADDRESS]) {
+ if (nla_len(tb[IFLA_ADDRESS]) != ETH_ALEN)
+ return -EINVAL;
+ if (!is_valid_ether_addr(nla_data(tb[IFLA_ADDRESS])))
+ return -EADDRNOTAVAIL;
+ }
+ return 0;
+}
+
+static void vrf_dellink(struct net_device *dev, struct list_head *head)
+{
+ struct net_vrf_dev *vrf_ptr = dev->vrf_ptr;
+
+ RCU_INIT_POINTER(dev->vrf_ptr, NULL);
+ kfree_rcu(vrf_ptr, rcu);
+ unregister_netdevice_queue(dev, head);
+}
+
+static int vrf_newlink(struct net *src_net, struct net_device *dev,
+ struct nlattr *tb[], struct nlattr *data[])
+{
+ struct net_vrf *vrf = netdev_priv(dev);
+ int err;
+
+ if (!data || !data[IFLA_VRF_TABLE])
+ return -EINVAL;
+
+ vrf->tb_id = nla_get_u32(data[IFLA_VRF_TABLE]);
+
+ dev->priv_flags |= IFF_VRF_MASTER;
+
+ err = -ENOMEM;
+ dev->vrf_ptr = kmalloc(sizeof(*dev->vrf_ptr), GFP_KERNEL);
+ if (!dev->vrf_ptr)
+ goto out_fail;
+
+ dev->vrf_ptr->ifindex = dev->ifindex;
+ dev->vrf_ptr->tb_id = vrf->tb_id;
+
+ err = register_netdevice(dev);
+ if (err < 0)
+ goto out_fail;
+
+ return 0;
+
+out_fail:
+ kfree(dev->vrf_ptr);
+ free_netdev(dev);
+ return err;
+}
+
+static size_t vrf_nl_getsize(const struct net_device *dev)
+{
+ return nla_total_size(sizeof(u32)); /* IFLA_VRF_TABLE */
+}
+
+static int vrf_fillinfo(struct sk_buff *skb,
+ const struct net_device *dev)
+{
+ struct net_vrf *vrf = netdev_priv(dev);
+
+ return nla_put_u32(skb, IFLA_VRF_TABLE, vrf->tb_id);
+}
+
+static const struct nla_policy vrf_nl_policy[IFLA_VRF_MAX + 1] = {
+ [IFLA_VRF_TABLE] = { .type = NLA_U32 },
+};
+
+static struct rtnl_link_ops vrf_link_ops __read_mostly = {
+ .kind = DRV_NAME,
+ .priv_size = sizeof(struct net_vrf),
+
+ .get_size = vrf_nl_getsize,
+ .policy = vrf_nl_policy,
+ .validate = vrf_validate,
+ .fill_info = vrf_fillinfo,
+
+ .newlink = vrf_newlink,
+ .dellink = vrf_dellink,
+ .setup = vrf_setup,
+ .maxtype = IFLA_VRF_MAX,
+};
+
+static int vrf_device_event(struct notifier_block *unused,
+ unsigned long event, void *ptr)
+{
+ struct net_device *dev = netdev_notifier_info_to_dev(ptr);
+
+ /* only care about unregister events to drop slave references */
+ if (event == NETDEV_UNREGISTER &&
+ dev->reg_state == NETREG_UNREGISTERING) {
+ struct net_vrf_dev *vrf_ptr = rtnl_dereference(dev->vrf_ptr);
+ struct net_device *vrf_dev;
+
+ if (!vrf_ptr || netif_is_vrf(dev))
+ goto out;
+
+ vrf_dev = __dev_get_by_index(dev_net(dev), vrf_ptr->ifindex);
+ if (vrf_dev)
+ vrf_del_slave(vrf_dev, dev);
+ }
+out:
+ return NOTIFY_DONE;
+}
+
+static struct notifier_block vrf_notifier_block __read_mostly = {
+ .notifier_call = vrf_device_event,
+};
+
+static int __init vrf_init_module(void)
+{
+ int rc;
+
+ vrf_dst_ops.kmem_cachep =
+ kmem_cache_create("vrf_ip_dst_cache",
+ sizeof(struct rtable), 0,
+ SLAB_HWCACHE_ALIGN | SLAB_PANIC,
+ NULL);
+
+ if (!vrf_dst_ops.kmem_cachep)
+ return -ENOMEM;
+
+ register_netdevice_notifier(&vrf_notifier_block);
+
+ rc = rtnl_link_register(&vrf_link_ops);
+ if (rc < 0)
+ goto error;
+
+ return 0;
+
+error:
+ unregister_netdevice_notifier(&vrf_notifier_block);
+ kmem_cache_destroy(vrf_dst_ops.kmem_cachep);
+ return rc;
+}
+
+static void __exit vrf_cleanup_module(void)
+{
+ rtnl_link_unregister(&vrf_link_ops);
+ unregister_netdevice_notifier(&vrf_notifier_block);
+ kmem_cache_destroy(vrf_dst_ops.kmem_cachep);
+}
+
+module_init(vrf_init_module);
+module_exit(vrf_cleanup_module);
+MODULE_AUTHOR("Shrijeet Mukherjee, David Ahern");
+MODULE_DESCRIPTION("Device driver to instantiate VRF domains");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS_RTNL_LINK(DRV_NAME);
+MODULE_VERSION(DRV_VERSION);
diff --git a/include/net/vrf.h b/include/net/vrf.h
index 5d4bd67a4902..b0e5c37d94fd 100644
--- a/include/net/vrf.h
+++ b/include/net/vrf.h
@@ -29,7 +29,6 @@ struct slave_queue {
struct net_vrf {
struct slave_queue queue;
- struct fib_table *tb;
struct rtable *rth;
u32 tb_id;
};
--
2.3.2 (Apple Git-55)
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH] iproute2: Add support for VRF device
2015-08-05 17:14 [PATCH net-next 00/10] VRF-lite - v4 David Ahern
` (9 preceding siblings ...)
2015-08-05 17:14 ` [PATCH 10/10] net: Introduce VRF device driver David Ahern
@ 2015-08-05 17:14 ` David Ahern
10 siblings, 0 replies; 17+ messages in thread
From: David Ahern @ 2015-08-05 17:14 UTC (permalink / raw)
To: netdev
Cc: shm, roopa, gospo, jtoppins, nikolay, ddutt, hannes,
nicolas.dichtel, stephen, hadi, ebiederm, davem, svaidya,
David Ahern
Allow user to create a vrf device and specify its table binding.
Based on the iplink_vlan implementation.
Signed-off-by: Shrijeet Mukherjee <shm@cumulusnetworks.com>
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
---
include/linux/if_link.h | 8 +++++
ip/Makefile | 2 +-
ip/iplink.c | 2 +-
ip/iplink_vrf.c | 85 +++++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 95 insertions(+), 2 deletions(-)
create mode 100644 ip/iplink_vrf.c
diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index b905cf7f4948..74dedf4320b8 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -338,6 +338,14 @@ enum macvlan_macaddr_mode {
#define MACVLAN_FLAG_NOPROMISC 1
+/* VRF section */
+enum {
+ IFLA_VRF_UNSPEC,
+ IFLA_VRF_TABLE,
+ __IFLA_VRF_MAX
+};
+
+#define IFLA_VRF_MAX (__IFLA_VRF_MAX - 1)
/* IPVLAN section */
enum {
IFLA_IPVLAN_UNSPEC,
diff --git a/ip/Makefile b/ip/Makefile
index 77653ecc5785..d8b38ac2e44b 100644
--- a/ip/Makefile
+++ b/ip/Makefile
@@ -7,7 +7,7 @@ IPOBJ=ip.o ipaddress.o ipaddrlabel.o iproute.o iprule.o ipnetns.o \
iplink_vxlan.o tcp_metrics.o iplink_ipoib.o ipnetconf.o link_ip6tnl.o \
link_iptnl.o link_gre6.o iplink_bond.o iplink_bond_slave.o iplink_hsr.o \
iplink_bridge.o iplink_bridge_slave.o ipfou.o iplink_ipvlan.o \
- iplink_geneve.o
+ iplink_geneve.o iplink_vrf.o
RTMONOBJ=rtmon.o
diff --git a/ip/iplink.c b/ip/iplink.c
index 369d50eab94e..14bf7211a447 100644
--- a/ip/iplink.c
+++ b/ip/iplink.c
@@ -94,7 +94,7 @@ void iplink_usage(void)
fprintf(stderr, "TYPE := { vlan | veth | vcan | dummy | ifb | macvlan | macvtap |\n");
fprintf(stderr, " bridge | bond | ipoib | ip6tnl | ipip | sit | vxlan |\n");
fprintf(stderr, " gre | gretap | ip6gre | ip6gretap | vti | nlmon |\n");
- fprintf(stderr, " bond_slave | ipvlan | geneve }\n");
+ fprintf(stderr, " bond_slave | ipvlan | geneve | vrf }\n");
}
exit(-1);
}
diff --git a/ip/iplink_vrf.c b/ip/iplink_vrf.c
new file mode 100644
index 000000000000..0d7e21c7c152
--- /dev/null
+++ b/ip/iplink_vrf.c
@@ -0,0 +1,85 @@
+/* iplink_vrf.c VRF device support
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ *
+ * Authors: Shrijeet Mukherjee <shm@cumulusnetworks.com>
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <linux/if_link.h>
+
+#include "rt_names.h"
+#include "utils.h"
+#include "ip_common.h"
+
+static void vrf_explain(FILE *f)
+{
+ fprintf(f, "Usage: ... vrf table TABLEID \n");
+}
+
+static void explain(void)
+{
+ vrf_explain(stderr);
+}
+
+static int table_arg(void)
+{
+ fprintf(stderr,"Error: argument of \"table\" must be 0-32767 and currently unused\n");
+ return -1;
+}
+
+static int vrf_parse_opt(struct link_util *lu, int argc, char **argv,
+ struct nlmsghdr *n)
+{
+ while (argc > 0) {
+ if (matches(*argv, "table") == 0) {
+ __u32 table = 0;
+ NEXT_ARG();
+
+ table = atoi(*argv);
+ if (table < 0 || table > 32767)
+ return table_arg();
+ addattr32(n, 1024, IFLA_VRF_TABLE, table);
+ } else if (matches(*argv, "help") == 0) {
+ explain();
+ return -1;
+ } else {
+ fprintf(stderr, "vrf: unknown option \"%s\"?\n",
+ *argv);
+ explain();
+ return -1;
+ }
+ argc--, argv++;
+ }
+
+ return 0;
+}
+
+static void vrf_print_opt(struct link_util *lu, FILE *f, struct rtattr *tb[])
+{
+ if (!tb)
+ return;
+
+ if (tb[IFLA_VRF_TABLE])
+ fprintf(f, "table %u ", rta_getattr_u32(tb[IFLA_VRF_TABLE]));
+}
+
+static void vrf_print_help(struct link_util *lu, int argc, char **argv,
+ FILE *f)
+{
+ vrf_explain(f);
+}
+
+struct link_util vrf_link_util = {
+ .id = "vrf",
+ .maxattr = IFLA_VRF_MAX,
+ .parse_opt = vrf_parse_opt,
+ .print_opt = vrf_print_opt,
+ .print_help = vrf_print_help,
+};
--
2.3.2 (Apple Git-55)
^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [PATCH 09/10] net: Use VRF device index for socket lookups
2015-08-05 17:14 ` [PATCH 09/10] net: Use VRF device index for socket lookups David Ahern
@ 2015-08-05 18:32 ` Tom Herbert
2015-08-05 19:39 ` David Ahern
0 siblings, 1 reply; 17+ messages in thread
From: Tom Herbert @ 2015-08-05 18:32 UTC (permalink / raw)
To: David Ahern
Cc: Linux Kernel Network Developers, Shrijeet Mukherjee,
Roopa Prabhu, gospo, jtoppins, nikolay, ddutt,
Hannes Frederic Sowa, Nicolas Dichtel, Stephen Hemminger, hadi,
Eric W. Biederman, David S. Miller, svaidya
On Wed, Aug 5, 2015 at 10:14 AM, David Ahern <dsa@cumulusnetworks.com> wrote:
> The intent of the VRF device is to leverage the existing SO_BINDTODEVICE
> as a means of creating L3 domains. Since sockets are expected to be bound
> to the VRF device the index of the master device needs to be used for
> socket lookups.
>
This patch set seems awfully invasive at the socket layer. Isn't there
anyway this functionality be contained in the routing layer and
sockets use existing API?
Thanks,
Tom
> Signed-off-by: Shrijeet Mukherjee <shm@cumulusnetworks.com>
> Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
> ---
> net/ipv4/syncookies.c | 5 ++++-
> net/ipv4/tcp_input.c | 6 +++++-
> net/ipv4/tcp_ipv4.c | 11 +++++++++--
> 3 files changed, 18 insertions(+), 4 deletions(-)
>
> diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
> index d70b1f603692..e5c8b1240278 100644
> --- a/net/ipv4/syncookies.c
> +++ b/net/ipv4/syncookies.c
> @@ -18,6 +18,7 @@
> #include <linux/export.h>
> #include <net/tcp.h>
> #include <net/route.h>
> +#include <net/vrf.h>
>
> extern int sysctl_tcp_syncookies;
>
> @@ -348,7 +349,9 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
> treq->snt_synack = tcp_opt.saw_tstamp ? tcp_opt.rcv_tsecr : 0;
> treq->tfo_listener = false;
>
> - ireq->ir_iif = sk->sk_bound_dev_if;
> + ireq->ir_iif = vrf_master_ifindex_by_index(sock_net(sk), skb->skb_iif);
> + if (!ireq->ir_iif)
> + ireq->ir_iif = sk->sk_bound_dev_if;
>
> /* We throwed the options of the initial SYN away, so we hope
> * the ACK carries the same options again (see RFC1122 4.2.3.8)
> diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
> index 4e4d6bcd0ca9..6b96240a4055 100644
> --- a/net/ipv4/tcp_input.c
> +++ b/net/ipv4/tcp_input.c
> @@ -72,6 +72,7 @@
> #include <net/dst.h>
> #include <net/tcp.h>
> #include <net/inet_common.h>
> +#include <net/vrf.h>
> #include <linux/ipsec.h>
> #include <asm/unaligned.h>
> #include <linux/errqueue.h>
> @@ -6141,7 +6142,10 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops,
> tcp_openreq_init(req, &tmp_opt, skb, sk);
>
> /* Note: tcp_v6_init_req() might override ir_iif for link locals */
> - inet_rsk(req)->ir_iif = sk->sk_bound_dev_if;
> + inet_rsk(req)->ir_iif = vrf_master_ifindex_by_index(sock_net(sk),
> + skb->skb_iif);
> + if (!inet_rsk(req)->ir_iif)
> + inet_rsk(req)->ir_iif = sk->sk_bound_dev_if;
>
> af_ops->init_req(req, sk, skb);
>
> diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
> index d27eb549ced6..0f8ed98a2e64 100644
> --- a/net/ipv4/tcp_ipv4.c
> +++ b/net/ipv4/tcp_ipv4.c
> @@ -75,6 +75,7 @@
> #include <net/secure_seq.h>
> #include <net/tcp_memcontrol.h>
> #include <net/busy_poll.h>
> +#include <net/vrf.h>
>
> #include <linux/inet.h>
> #include <linux/ipv6.h>
> @@ -682,6 +683,8 @@ static void tcp_v4_send_reset(struct sock *sk, struct sk_buff *skb)
> */
> if (sk)
> arg.bound_dev_if = sk->sk_bound_dev_if;
> + if (!arg.bound_dev_if && skb->dev)
> + arg.bound_dev_if = vrf_master_ifindex_rcu(skb->dev);
>
> arg.tos = ip_hdr(skb)->tos;
> ip_send_unicast_reply(*this_cpu_ptr(net->ipv4.tcp_sk),
> @@ -766,8 +769,10 @@ static void tcp_v4_send_ack(struct sk_buff *skb, u32 seq, u32 ack,
> ip_hdr(skb)->saddr, /* XXX */
> arg.iov[0].iov_len, IPPROTO_TCP, 0);
> arg.csumoffset = offsetof(struct tcphdr, check) / 2;
> - if (oif)
> - arg.bound_dev_if = oif;
> + arg.bound_dev_if = oif ? : vrf_master_ifindex_rcu(skb_dst(skb)->dev);
> + if (!arg.bound_dev_if)
> + arg.bound_dev_if = vrf_master_ifindex_rcu(skb->dev);
> +
> arg.tos = tos;
> ip_send_unicast_reply(*this_cpu_ptr(net->ipv4.tcp_sk),
> skb, &TCP_SKB_CB(skb)->header.h4.opt,
> @@ -1269,6 +1274,8 @@ struct sock *tcp_v4_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
> ireq = inet_rsk(req);
> sk_daddr_set(newsk, ireq->ir_rmt_addr);
> sk_rcv_saddr_set(newsk, ireq->ir_loc_addr);
> + if (netif_index_is_vrf(sock_net(newsk), ireq->ir_iif))
> + newsk->sk_bound_dev_if = ireq->ir_iif;
> newinet->inet_saddr = ireq->ir_loc_addr;
> inet_opt = ireq->opt;
> rcu_assign_pointer(newinet->inet_opt, inet_opt);
> --
> 2.3.2 (Apple Git-55)
>
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH 09/10] net: Use VRF device index for socket lookups
2015-08-05 18:32 ` Tom Herbert
@ 2015-08-05 19:39 ` David Ahern
0 siblings, 0 replies; 17+ messages in thread
From: David Ahern @ 2015-08-05 19:39 UTC (permalink / raw)
To: Tom Herbert
Cc: Linux Kernel Network Developers, Shrijeet Mukherjee,
Roopa Prabhu, gospo, jtoppins, nikolay, ddutt,
Hannes Frederic Sowa, Nicolas Dichtel, Stephen Hemminger, hadi,
Eric W. Biederman, David S. Miller, svaidya
Hi Tom:
On 8/5/15 12:32 PM, Tom Herbert wrote:
> On Wed, Aug 5, 2015 at 10:14 AM, David Ahern<dsa@cumulusnetworks.com> wrote:
>> >The intent of the VRF device is to leverage the existing SO_BINDTODEVICE
>> >as a means of creating L3 domains. Since sockets are expected to be bound
>> >to the VRF device the index of the master device needs to be used for
>> >socket lookups.
>> >
> This patch set seems awfully invasive at the socket layer. Isn't there
> anyway this functionality be contained in the routing layer and
> sockets use existing API?
This patch is a leftover from earlier versions. It is no longer needed.
Will drop for v5.
David
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH] iproute2: Add support for VRF device
2015-08-10 17:50 ` [PATCH] iproute2: Add support for VRF device David Ahern
@ 2015-08-11 19:17 ` Nikolay Aleksandrov
0 siblings, 0 replies; 17+ messages in thread
From: Nikolay Aleksandrov @ 2015-08-11 19:17 UTC (permalink / raw)
To: David Ahern
Cc: netdev, shm, roopa, gospo, jtoppins, ddutt, hannes,
nicolas.dichtel, stephen, hadi, ebiederm, davem, svaidya
Hi,
Since there will be another version a few minor nits below,
> On Aug 10, 2015, at 8:50 PM, David Ahern <dsa@cumulusnetworks.com> wrote:
>
> Allow user to create a vrf device and specify its table binding.
> Based on the iplink_vlan implementation.
>
> Signed-off-by: Shrijeet Mukherjee <shm@cumulusnetworks.com>
> Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
> ---
> include/linux/if_link.h | 8 +++++
> ip/Makefile | 2 +-
> ip/iplink.c | 2 +-
> ip/iplink_vrf.c | 85 +++++++++++++++++++++++++++++++++++++++++++++++++
> 4 files changed, 95 insertions(+), 2 deletions(-)
> create mode 100644 ip/iplink_vrf.c
>
> diff --git a/include/linux/if_link.h b/include/linux/if_link.h
> index b905cf7f4948..74dedf4320b8 100644
> --- a/include/linux/if_link.h
> +++ b/include/linux/if_link.h
> @@ -338,6 +338,14 @@ enum macvlan_macaddr_mode {
>
> #define MACVLAN_FLAG_NOPROMISC 1
>
> +/* VRF section */
> +enum {
> + IFLA_VRF_UNSPEC,
> + IFLA_VRF_TABLE,
> + __IFLA_VRF_MAX
> +};
> +
> +#define IFLA_VRF_MAX (__IFLA_VRF_MAX - 1)
> /* IPVLAN section */
> enum {
> IFLA_IPVLAN_UNSPEC,
> diff --git a/ip/Makefile b/ip/Makefile
> index 77653ecc5785..d8b38ac2e44b 100644
> --- a/ip/Makefile
> +++ b/ip/Makefile
> @@ -7,7 +7,7 @@ IPOBJ=ip.o ipaddress.o ipaddrlabel.o iproute.o iprule.o ipnetns.o \
> iplink_vxlan.o tcp_metrics.o iplink_ipoib.o ipnetconf.o link_ip6tnl.o \
> link_iptnl.o link_gre6.o iplink_bond.o iplink_bond_slave.o iplink_hsr.o \
> iplink_bridge.o iplink_bridge_slave.o ipfou.o iplink_ipvlan.o \
> - iplink_geneve.o
> + iplink_geneve.o iplink_vrf.o
>
> RTMONOBJ=rtmon.o
>
> diff --git a/ip/iplink.c b/ip/iplink.c
> index 369d50eab94e..14bf7211a447 100644
> --- a/ip/iplink.c
> +++ b/ip/iplink.c
> @@ -94,7 +94,7 @@ void iplink_usage(void)
> fprintf(stderr, "TYPE := { vlan | veth | vcan | dummy | ifb | macvlan | macvtap |\n");
> fprintf(stderr, " bridge | bond | ipoib | ip6tnl | ipip | sit | vxlan |\n");
> fprintf(stderr, " gre | gretap | ip6gre | ip6gretap | vti | nlmon |\n");
> - fprintf(stderr, " bond_slave | ipvlan | geneve }\n");
> + fprintf(stderr, " bond_slave | ipvlan | geneve | vrf }\n");
> }
> exit(-1);
> }
> diff --git a/ip/iplink_vrf.c b/ip/iplink_vrf.c
> new file mode 100644
> index 000000000000..0d7e21c7c152
> --- /dev/null
> +++ b/ip/iplink_vrf.c
> @@ -0,0 +1,85 @@
> +/* iplink_vrf.c VRF device support
> + *
> + * This program is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU General Public License
> + * as published by the Free Software Foundation; either version
> + * 2 of the License, or (at your option) any later version.
> + *
> + * Authors: Shrijeet Mukherjee <shm@cumulusnetworks.com>
> + */
> +
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <string.h>
> +#include <sys/socket.h>
> +#include <linux/if_link.h>
> +
> +#include "rt_names.h"
> +#include "utils.h"
> +#include "ip_common.h"
> +
> +static void vrf_explain(FILE *f)
> +{
> + fprintf(f, "Usage: ... vrf table TABLEID \n");
> +}
> +
> +static void explain(void)
> +{
> + vrf_explain(stderr);
> +}
> +
> +static int table_arg(void)
> +{
> + fprintf(stderr,"Error: argument of \"table\" must be 0-32767 and currently unused\n");
> + return -1;
> +}
> +
> +static int vrf_parse_opt(struct link_util *lu, int argc, char **argv,
> + struct nlmsghdr *n)
> +{
> + while (argc > 0) {
> + if (matches(*argv, "table") == 0) {
> + __u32 table = 0;
> + NEXT_ARG();
^^^
Please leave a line between local variable definitions and code. Also no need
to initialize table to 0.
> +
> + table = atoi(*argv);
> + if (table < 0 || table > 32767)
^^^
table is unsigned, so < 0 will be always false.
> + return table_arg();
> + addattr32(n, 1024, IFLA_VRF_TABLE, table);
> + } else if (matches(*argv, "help") == 0) {
> + explain();
> + return -1;
> + } else {
> + fprintf(stderr, "vrf: unknown option \"%s\"?\n",
> + *argv);
> + explain();
> + return -1;
> + }
> + argc--, argv++;
> + }
> +
> + return 0;
> +}
> +
> +static void vrf_print_opt(struct link_util *lu, FILE *f, struct rtattr *tb[])
> +{
> + if (!tb)
> + return;
> +
> + if (tb[IFLA_VRF_TABLE])
> + fprintf(f, "table %u ", rta_getattr_u32(tb[IFLA_VRF_TABLE]));
> +}
> +
> +static void vrf_print_help(struct link_util *lu, int argc, char **argv,
> + FILE *f)
> +{
> + vrf_explain(f);
> +}
> +
> +struct link_util vrf_link_util = {
> + .id = "vrf",
> + .maxattr = IFLA_VRF_MAX,
> + .parse_opt = vrf_parse_opt,
> + .print_opt = vrf_print_opt,
> + .print_help = vrf_print_help,
> +};
> --
> 2.3.2 (Apple Git-55)
>
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH] iproute2: Add support for VRF device
2015-08-10 17:50 [PATCH net-next 00/10] VRF-lite - v5 David Ahern
@ 2015-08-10 17:50 ` David Ahern
2015-08-11 19:17 ` Nikolay Aleksandrov
0 siblings, 1 reply; 17+ messages in thread
From: David Ahern @ 2015-08-10 17:50 UTC (permalink / raw)
To: netdev
Cc: shm, roopa, gospo, jtoppins, nikolay, ddutt, hannes,
nicolas.dichtel, stephen, hadi, ebiederm, davem, svaidya,
David Ahern
Allow user to create a vrf device and specify its table binding.
Based on the iplink_vlan implementation.
Signed-off-by: Shrijeet Mukherjee <shm@cumulusnetworks.com>
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
---
include/linux/if_link.h | 8 +++++
ip/Makefile | 2 +-
ip/iplink.c | 2 +-
ip/iplink_vrf.c | 85 +++++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 95 insertions(+), 2 deletions(-)
create mode 100644 ip/iplink_vrf.c
diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index b905cf7f4948..74dedf4320b8 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -338,6 +338,14 @@ enum macvlan_macaddr_mode {
#define MACVLAN_FLAG_NOPROMISC 1
+/* VRF section */
+enum {
+ IFLA_VRF_UNSPEC,
+ IFLA_VRF_TABLE,
+ __IFLA_VRF_MAX
+};
+
+#define IFLA_VRF_MAX (__IFLA_VRF_MAX - 1)
/* IPVLAN section */
enum {
IFLA_IPVLAN_UNSPEC,
diff --git a/ip/Makefile b/ip/Makefile
index 77653ecc5785..d8b38ac2e44b 100644
--- a/ip/Makefile
+++ b/ip/Makefile
@@ -7,7 +7,7 @@ IPOBJ=ip.o ipaddress.o ipaddrlabel.o iproute.o iprule.o ipnetns.o \
iplink_vxlan.o tcp_metrics.o iplink_ipoib.o ipnetconf.o link_ip6tnl.o \
link_iptnl.o link_gre6.o iplink_bond.o iplink_bond_slave.o iplink_hsr.o \
iplink_bridge.o iplink_bridge_slave.o ipfou.o iplink_ipvlan.o \
- iplink_geneve.o
+ iplink_geneve.o iplink_vrf.o
RTMONOBJ=rtmon.o
diff --git a/ip/iplink.c b/ip/iplink.c
index 369d50eab94e..14bf7211a447 100644
--- a/ip/iplink.c
+++ b/ip/iplink.c
@@ -94,7 +94,7 @@ void iplink_usage(void)
fprintf(stderr, "TYPE := { vlan | veth | vcan | dummy | ifb | macvlan | macvtap |\n");
fprintf(stderr, " bridge | bond | ipoib | ip6tnl | ipip | sit | vxlan |\n");
fprintf(stderr, " gre | gretap | ip6gre | ip6gretap | vti | nlmon |\n");
- fprintf(stderr, " bond_slave | ipvlan | geneve }\n");
+ fprintf(stderr, " bond_slave | ipvlan | geneve | vrf }\n");
}
exit(-1);
}
diff --git a/ip/iplink_vrf.c b/ip/iplink_vrf.c
new file mode 100644
index 000000000000..0d7e21c7c152
--- /dev/null
+++ b/ip/iplink_vrf.c
@@ -0,0 +1,85 @@
+/* iplink_vrf.c VRF device support
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ *
+ * Authors: Shrijeet Mukherjee <shm@cumulusnetworks.com>
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <linux/if_link.h>
+
+#include "rt_names.h"
+#include "utils.h"
+#include "ip_common.h"
+
+static void vrf_explain(FILE *f)
+{
+ fprintf(f, "Usage: ... vrf table TABLEID \n");
+}
+
+static void explain(void)
+{
+ vrf_explain(stderr);
+}
+
+static int table_arg(void)
+{
+ fprintf(stderr,"Error: argument of \"table\" must be 0-32767 and currently unused\n");
+ return -1;
+}
+
+static int vrf_parse_opt(struct link_util *lu, int argc, char **argv,
+ struct nlmsghdr *n)
+{
+ while (argc > 0) {
+ if (matches(*argv, "table") == 0) {
+ __u32 table = 0;
+ NEXT_ARG();
+
+ table = atoi(*argv);
+ if (table < 0 || table > 32767)
+ return table_arg();
+ addattr32(n, 1024, IFLA_VRF_TABLE, table);
+ } else if (matches(*argv, "help") == 0) {
+ explain();
+ return -1;
+ } else {
+ fprintf(stderr, "vrf: unknown option \"%s\"?\n",
+ *argv);
+ explain();
+ return -1;
+ }
+ argc--, argv++;
+ }
+
+ return 0;
+}
+
+static void vrf_print_opt(struct link_util *lu, FILE *f, struct rtattr *tb[])
+{
+ if (!tb)
+ return;
+
+ if (tb[IFLA_VRF_TABLE])
+ fprintf(f, "table %u ", rta_getattr_u32(tb[IFLA_VRF_TABLE]));
+}
+
+static void vrf_print_help(struct link_util *lu, int argc, char **argv,
+ FILE *f)
+{
+ vrf_explain(f);
+}
+
+struct link_util vrf_link_util = {
+ .id = "vrf",
+ .maxattr = IFLA_VRF_MAX,
+ .parse_opt = vrf_parse_opt,
+ .print_opt = vrf_print_opt,
+ .print_help = vrf_print_help,
+};
--
2.3.2 (Apple Git-55)
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH] iproute2: Add support for VRF device
2015-07-27 18:30 [net-next 0/16] Proposal for VRF-lite - v3 David Ahern
@ 2015-07-27 18:31 ` David Ahern
0 siblings, 0 replies; 17+ messages in thread
From: David Ahern @ 2015-07-27 18:31 UTC (permalink / raw)
To: netdev
Cc: shm, roopa, gospo, jtoppins, nikolay, ddutt, hannes,
nicolas.dichtel, stephen, hadi, ebiederm, davem, svaidya, mingo,
luto, David Ahern
Allow user to create a vrf device and specify its table binding.
Based on the iplink_vlan implementation.
Signed-off-by: Shrijeet Mukherjee <shm@cumulusnetworks.com>
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
---
include/linux/if_link.h | 8 +++++
ip/Makefile | 2 +-
ip/iplink.c | 2 +-
ip/iplink_vrf.c | 87 +++++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 97 insertions(+), 2 deletions(-)
create mode 100644 ip/iplink_vrf.c
diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index 8df6a8466839..28872fbf6814 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -337,6 +337,14 @@ enum macvlan_macaddr_mode {
#define MACVLAN_FLAG_NOPROMISC 1
+/* VRF section */
+enum {
+ IFLA_VRF_UNSPEC,
+ IFLA_VRF_TABLE,
+ __IFLA_VRF_MAX
+};
+
+#define IFLA_VRF_MAX (__IFLA_VRF_MAX - 1)
/* IPVLAN section */
enum {
IFLA_IPVLAN_UNSPEC,
diff --git a/ip/Makefile b/ip/Makefile
index 77653ecc5785..d8b38ac2e44b 100644
--- a/ip/Makefile
+++ b/ip/Makefile
@@ -7,7 +7,7 @@ IPOBJ=ip.o ipaddress.o ipaddrlabel.o iproute.o iprule.o ipnetns.o \
iplink_vxlan.o tcp_metrics.o iplink_ipoib.o ipnetconf.o link_ip6tnl.o \
link_iptnl.o link_gre6.o iplink_bond.o iplink_bond_slave.o iplink_hsr.o \
iplink_bridge.o iplink_bridge_slave.o ipfou.o iplink_ipvlan.o \
- iplink_geneve.o
+ iplink_geneve.o iplink_vrf.o
RTMONOBJ=rtmon.o
diff --git a/ip/iplink.c b/ip/iplink.c
index e296e6f611b8..892e8bc8808b 100644
--- a/ip/iplink.c
+++ b/ip/iplink.c
@@ -93,7 +93,7 @@ void iplink_usage(void)
fprintf(stderr, "TYPE := { vlan | veth | vcan | dummy | ifb | macvlan | macvtap |\n");
fprintf(stderr, " bridge | bond | ipoib | ip6tnl | ipip | sit | vxlan |\n");
fprintf(stderr, " gre | gretap | ip6gre | ip6gretap | vti | nlmon |\n");
- fprintf(stderr, " bond_slave | ipvlan | geneve }\n");
+ fprintf(stderr, " bond_slave | ipvlan | geneve | vrf }\n");
}
exit(-1);
}
diff --git a/ip/iplink_vrf.c b/ip/iplink_vrf.c
new file mode 100644
index 000000000000..bfcb3cdeaf35
--- /dev/null
+++ b/ip/iplink_vrf.c
@@ -0,0 +1,87 @@
+/* iplink_vrf.c VRF device support
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ *
+ * Authors: Shrijeet Mukherjee <shm@cumulusnetworks.com>
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <linux/if_link.h>
+
+#include "rt_names.h"
+#include "utils.h"
+#include "ip_common.h"
+
+static void vrf_explain(FILE *f)
+{
+ fprintf(f, "Usage: ... vrf table TABLEID \n");
+}
+
+static void explain(void)
+{
+ vrf_explain(stderr);
+}
+
+static int table_arg(void)
+{
+ fprintf(stderr,"Error: argument of \"table\" must be 0-32767 and currently unused\n");
+ return -1;
+}
+
+static int vrf_parse_opt(struct link_util *lu, int argc, char **argv,
+ struct nlmsghdr *n)
+{
+ while (argc > 0) {
+ if (matches(*argv, "table") == 0) {
+ __u32 table = 0;
+ NEXT_ARG();
+
+ table = atoi(*argv);
+ if (table < 0 || table > 32767)
+ return table_arg();
+ /* XXX need a table in-use check here */
+ fprintf(stderr, "adding table %d\n", table);
+ addattr32(n, 1024, IFLA_VRF_TABLE, table);
+ } else if (matches(*argv, "help") == 0) {
+ explain();
+ return -1;
+ } else {
+ fprintf(stderr, "vrf: unknown option \"%s\"?\n",
+ *argv);
+ explain();
+ return -1;
+ }
+ argc--, argv++;
+ }
+
+ return 0;
+}
+
+static void vrf_print_opt(struct link_util *lu, FILE *f, struct rtattr *tb[])
+{
+ if (!tb)
+ return;
+
+ if (tb[IFLA_VRF_TABLE])
+ fprintf(f, "table %u ", rta_getattr_u32(tb[IFLA_VRF_TABLE]));
+}
+
+static void vrf_print_help(struct link_util *lu, int argc, char **argv,
+ FILE *f)
+{
+ vrf_explain(f);
+}
+
+struct link_util vrf_link_util = {
+ .id = "vrf",
+ .maxattr = IFLA_VRF_MAX,
+ .parse_opt = vrf_parse_opt,
+ .print_opt = vrf_print_opt,
+ .print_help = vrf_print_help,
+};
--
2.3.2 (Apple Git-55)
^ permalink raw reply related [flat|nested] 17+ messages in thread
end of thread, other threads:[~2015-08-11 19:17 UTC | newest]
Thread overview: 17+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-08-05 17:14 [PATCH net-next 00/10] VRF-lite - v4 David Ahern
2015-08-05 17:14 ` [PATCH 01/10] net: Introduce VRF related flags and helpers David Ahern
2015-08-05 17:14 ` [PATCH 02/10] net: Use VRF device index for lookups on RX David Ahern
2015-08-05 17:14 ` [PATCH 03/10] net: Use VRF device index for lookups on TX David Ahern
2015-08-05 17:14 ` [PATCH 04/10] udp: Handle VRF device David Ahern
2015-08-05 17:14 ` [PATCH 05/10] net: Add inet_addr lookup by table David Ahern
2015-08-05 17:14 ` [PATCH 06/10] net: Fix up inet_addr_type checks David Ahern
2015-08-05 17:14 ` [PATCH 07/10] net: Add routes to the table associated with the device David Ahern
2015-08-05 17:14 ` [PATCH 08/10] net: Use passed in table for nexthop lookups David Ahern
2015-08-05 17:14 ` [PATCH 09/10] net: Use VRF device index for socket lookups David Ahern
2015-08-05 18:32 ` Tom Herbert
2015-08-05 19:39 ` David Ahern
2015-08-05 17:14 ` [PATCH 10/10] net: Introduce VRF device driver David Ahern
2015-08-05 17:14 ` [PATCH] iproute2: Add support for VRF device David Ahern
-- strict thread matches above, loose matches on Subject: below --
2015-08-10 17:50 [PATCH net-next 00/10] VRF-lite - v5 David Ahern
2015-08-10 17:50 ` [PATCH] iproute2: Add support for VRF device David Ahern
2015-08-11 19:17 ` Nikolay Aleksandrov
2015-07-27 18:30 [net-next 0/16] Proposal for VRF-lite - v3 David Ahern
2015-07-27 18:31 ` [PATCH] iproute2: Add support for VRF device David Ahern
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).