Hi,

This patchset adds lightweight tunneling support for nf_tables:

1) Set tunnel configuration via the iproute2 external flag from the
   ingress hook.

   Example 1: ERSPAN for packet dissection at collector.

   # ip link add gre100 type erspan external
   # ip link set up dev gre100
   # cat ruleset.nft
   table netdev x {
           tunnel w {
                   id 5
                   ip daddr 192.168.2.1
                   erspan {
                           version 1
                           index 10
                   }
           }

           chain y {
                   type filter hook ingress device eth0 priority 0; policy accept;
                   tunnel set "w" dup to "gre100"
           }
   }
   # nft -f ruleset.nft

   Example 2: simple VXLAN tunneling for VM behind tap0

   (vm)# ip a a 10.141.10.2/24 dev eth0
   (vm)# ip ro a default via 10.141.10.1

   (host-a)# ip link add vxlan100 type vxlan dstport 4789 external
   (host-a)# brctl addbr br0
   (host-a)# brctl addif tap0 vxlan100
   (host-a)# ip link set up dev vxlan100
   (host-a)# ip link set up dev tap0
   (host-a)# ip link set up dev br0
   (host-a)# cat ruleset.nft
   table netdev x {
           tunnel w {
                   id 5
                   ip daddr 192.168.2.1
           }

           chain y {
                   type filter hook ingress device tap0 priority 0; policy accept;
                   tunnel set "w"
           }
   }
   (host-a)# nft -f ruleset.nft

   At (host-b), there's a vxlan100 interface that owns 10.141.10.1 that
   performs IPv4 forwarding and masquerading.

   You can combine tunnels with maps, eg.

   tunnel set ip saddr map { 10.141.10.2 : "w1", \
                             10.141.9.45 : "w2", \
                             10.141.8.32 : "w3" }

   for fast tunnel policy lookups, assuming you have different tunnel
   policy definitions, eg. "w1", "w2" and "w3".

2) Match on tunneling information available through tunnel metadata
   template, eg. accept only traffic coming from the VXLAN tunnel VNI 5
   in the previous example.

   (host-a)# nft add rule filter bridge filter prerouting tunnel id 5 counter accept

Pablo Neira Ayuso (2):
  netfilter: nf_tables: add tunnel support
  netfilter: nf_tables: match on tunnel metadata

 include/uapi/linux/netfilter/nf_tables.h |  84 ++++-
 net/core/dst.c                           |   1 +
 net/netfilter/Kconfig                    |   7 +
 net/netfilter/Makefile                   |   1 +
 net/netfilter/nft_tunnel.c               | 568 +++++++++++++++++++++++++++++++
 5 files changed, 660 insertions(+), 1 deletion(-)
 create mode 100644 net/netfilter/nft_tunnel.c

--
2.11.0
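The map-based tunnel selection from point 1 and the VNI match from point 2, put together into one ruleset as an added illustration (not part of the patchset). It follows the syntax shown in the cover letter; the tunnel names w1..w3, VNIs 6 and 7, the second collector address 192.168.2.2 and the final drop rule on the receiving bridge are constructed assumptions.

```nft
# Host-a, ingress side: three tunnel policies, chosen per VM source address.
# w1 reuses the VNI 5 / 192.168.2.1 definition from the cover letter; the
# other two policies and their addresses are constructed for this example.
table netdev x {
        tunnel w1 {
                id 5
                ip daddr 192.168.2.1
        }
        tunnel w2 {
                id 6
                ip daddr 192.168.2.1
        }
        tunnel w3 {
                id 7
                ip daddr 192.168.2.2
        }

        chain y {
                type filter hook ingress device tap0 priority 0; policy accept;
                # one map lookup picks the tunnel policy for each VM
                tunnel set ip saddr map { 10.141.10.2 : "w1",
                                          10.141.9.45 : "w2",
                                          10.141.8.32 : "w3" }
        }
}

# Host-b, receiving side: only decapsulated traffic that carried VNI 5 is
# accepted; anything else arriving through vxlan100 is counted and dropped,
# so a stray or spoofed VNI shows up in the counter instead of being forwarded.
table bridge filter {
        chain prerouting {
                type filter hook prerouting priority 0; policy accept;
                iif "vxlan100" tunnel id 5 counter accept
                iif "vxlan100" counter drop
        }
}
```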