[nf-next v2 3/3] netfilter: using ip6tables as L2/L3/L4 classifier for SRv6

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



In Linux, SRv6 policies can be pushed based on the destination
address of packets.

However for many use-cases, it is needed to push SRv6 policies
based on information from L2/L3/L4.

Consider a use-case where you want to push SRv6 policies based
on the application layer protocol (HTTP/DNS), which requires
being able to match the destination port of a packet.

In this patch, we use iptables a classifier for SRv6, hence we
benefit from all of its matching capabilities.

We added a new action to the SEG6 target, named "bind-sid",
that takes the BSID and the SID table as arguments.

Each packet that matches an iptables rule with SEG6 target that
has the bind-sid action, will go through the SRv6 policies
configured for that BSID.

Example:
We have an SRv6 policy configured in Linux as follows:
ip -6 route add A99::1 encap seg6 mode encap segs F1::,F2:: dev eth1

We can steer traffic through this SRv6 policy using the matching
power of iptables firewall as follows:

ip6atbles -t raw -I PREROUTING -s <saddr> -d <daddr> \
-p <proto> --sport <src_port> --dport <dst_port> \
-j SEG6 --seg6-action bind-sid --bsid A99::1 --bsid-tbl 0

This new SEG6 action should perfectly address all use-cases that
require pushing SRv6 policies based information from Layer3/Layer4.

Signed-off-by: Ahmed Abdelsalam <amsalam20@xxxxxxxxx>
---
 net/ipv6/netfilter/ip6t_SEG6.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/net/ipv6/netfilter/ip6t_SEG6.c b/net/ipv6/netfilter/ip6t_SEG6.c
index 0adfb98ccaf2..283786cf4126 100644
--- a/net/ipv6/netfilter/ip6t_SEG6.c
+++ b/net/ipv6/netfilter/ip6t_SEG6.c
@@ -25,6 +25,14 @@
 #include <net/seg6.h>
 #include <net/ip6_route.h>
 
+static int seg6_bsid(struct sk_buff *skb, struct in6_addr bsid,
+		     u32 tbl)
+{
+	seg6_lookup_nexthop(skb, &bsid, tbl);
+	dst_input(skb);
+	return NF_STOLEN;
+}
+
 static int seg6_go_next(struct sk_buff *skb, struct ipv6_sr_hdr *srh)
 {
 	if (srh->segments_left == 0)
@@ -63,6 +71,10 @@ seg6_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 	struct ipv6_sr_hdr *srh;
 	const struct ip6t_seg6_info *seg6 = par->targinfo;
 
+	/* bind-sid action doesn't require packets with SRH */
+	if (seg6->action == IP6T_SEG6_BSID)
+		return seg6_bsid(skb, seg6->bsid, seg6->tbl);
+
 	srh = seg6_get_srh(skb);
 	if (!srh)
 		return NF_DROP;
@@ -87,6 +99,7 @@ static int seg6_check(const struct xt_tgchk_param *par)
 	case IP6T_SEG6_GO_NEXT:
 	case IP6T_SEG6_SKIP_NEXT:
 	case IP6T_SEG6_GO_LAST:
+	case IP6T_SEG6_BSID:
 		return 0;
 	default:
 	return -EOPNOTSUPP;
-- 
2.11.0




[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux