[PATCH nf-next 0/7] netfilter: nft_tunnel: reinforce key opts support

Xin Long <lucien.xin@xxxxxxxxx> · Sun, 8 Dec 2019 12:41:30 +0800

This patchset improves quite a few places to make vxlan/erspan
opts in nft_tunnel work with userspace nftables/libnftnl, and
also keep consistent with the support for vxlan/erspan opts in
act_tunnel_key, cls_flower and ip_tunnel_core.

Meanwhile, add support for geneve opts in nft_tunnel. One patch
for nftables and one for libnftnl will be posted here for the
testing. With them, nft_tunnel can be set and used by:

  # nft add table ip filter
  # nft add chain ip filter input { type filter hook input priority 0 \; }
  # nft add tunnel filter vxlan_01 { type vxlan\; id 2\; \
    ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \
    sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \
    opts \"ffff\"\; }
  # nft add tunnel filter erspan_01 { type erspan\; id 2\; \
    ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \
    sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \
    opts \"1:1:0:0\"\; }
  # nft add tunnel filter erspan_02 { type erspan\; id 2\; \
    ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \
    sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \
    opts \"2:0:1:1\"\; }
  # nft add tunnel filter geneve_01 { type geneve\; id 2\; \
    ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \
    sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \
    opts \"1:1:1212121234567890\"\; }
  # nft add tunnel filter geneve_02 { type geneve\; id 2\; \
    ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \
    sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \
    opts \"1:1:34567890,2:2:12121212,3:3:1212121234567890\"\; }
  # nft list tunnels table filter
  # nft add rule filter input ip protocol udp tunnel name geneve_02
  # nft add rule filter input meta l4proto udp tunnel id 2 drop
  # nft add rule filter input meta l4proto udp tunnel path 0 drop
  # nft list chain filter input -a

Xin Long (7):
  netfilter: nft_tunnel: parse ERSPAN_VERSION attr as u8
  netfilter: nft_tunnel: parse VXLAN_GBP attr as u32 in nft_tunnel
  netfilter: nft_tunnel: no need to call htons() when dumping ports
  netfilter: nft_tunnel: also dump ERSPAN_VERSION
  netfilter: nft_tunnel: also dump OPTS_ERSPAN/VXLAN
  netfilter: nft_tunnel: add the missing nla_nest_cancel()
  netfilter: nft_tunnel: add support for geneve opts

 include/uapi/linux/netfilter/nf_tables.h |  10 ++
 net/netfilter/nft_tunnel.c               | 170 +++++++++++++++++++++++++------
 2 files changed, 151 insertions(+), 29 deletions(-)

-- 
2.1.0