Re: [PATCH nf-next,RFC 0/2] nf_tables encapsulation/decapsulation support

wenxu <wenxu@xxxxxxxxx> · Wed, 23 Oct 2019 11:49:57 +0800

On 10/22/2019 11:47 PM, Pablo Neira Ayuso wrote:
> Hi,
>
> This is a RFC patchset, untested, to introduce new infrastructure to
> specify protocol decapsulation and encapsulation actions. This patchset
> comes with initial support for VLAN, eg.
>
> 1) VLAN decapsulation:
>
> 	... meta iif . vlan id { eth0 . 10, eth1 . 11} decap vlan
>
> The decapsulation is a single statement with no extra options.

Currently there is no vlan meta match expr.  So it is better to extend the meta expr or add new

ntf_vlan_get_expr?

>
> 2) VLAN encapsulation:
>
> 	add vlan "network0" { type push; id 100; proto 0x8100; }
>         add vlan "network1" { type update; id 101; }
> 	... encap vlan set ip daddr map { 192.168.0.0/24 : "network0",
> 					  192.168.1.0/24 : "network1" }
>
> The idea is that the user specifies the vlan policy through object
> definition, eg. "network0" and "network1", then it applies this policy
> via the "encap vlan set" statement.
>
> This infrastructure should allow for more encapsulation protocols
> with little work, eg. MPLS.

So the tunnel already exist in nft_tunnel also can add in this encapsulation protocols

as ip.

like ip-route

encap ip id 100 dst 10.0.0.1?

>
> I have places the encap object and the decap expression in the same
> nft_encap module.
>
> I'm still considering to extend the object infrastructure to specify
> the operation type through the rule, ie.
>
> 	add vlan "network0" { id 100; proto 0x8100; }
>         add vlan "network1" { id 101; }
> 	... encap vlan push ip daddr map { 192.168.0.0/24 : "network0",
> 					   192.168.1.0/24 : "network1" }
>
> So the VLAN object does not come with the operation type, instead this
> is specified through the encap statement, that would require a bit more
> work on the object infrastructure which is probably a good idea.
>
> This is work-in-progress, syntax is tentative, comments welcome.
>
> Thanks.
>
> Pablo Neira Ayuso (2):
>   netfilter: nf_tables: add decapsulation support
>   netfilter: nf_tables: add encapsulation support
>
>  include/uapi/linux/netfilter/nf_tables.h |  56 ++++-
>  net/netfilter/Kconfig                    |   6 +
>  net/netfilter/Makefile                   |   1 +
>  net/netfilter/nft_encap.c                | 341 +++++++++++++++++++++++++++++++
>  4 files changed, 403 insertions(+), 1 deletion(-)
>  create mode 100644 net/netfilter/nft_encap.c
>
> --
> 2.11.0
>
>