On Tue, Aug 17, 2021 at 08:39:36AM +0000, Ryoga Saito wrote:
> Tunneling protocols such as VXLAN or IPIP are implemented using virtual
> network devices (vxlan0 or ipip0). Therefore, conntrack can record both
> inner flows and outer flows correctly. In contrast, SRv6 is implemented
> using the lightweight tunnel infrastructure. Therefore, SRv6 packets are
> encapsulated and decapsulated without passing through a virtual network
> device. Due to the following problems caused by this, conntrack can't
> record both inner flows and outer flows correctly.
>
> The first problem is caused when SRv6 packets are encapsulated. In VXLAN,
> at first, received packets are passed to nf_conntrack_in called from
> ip_rcv/ipv6_rcv. These packets are sent to the virtual network device and
> these flows are confirmed in ip_output/ip6_output. However, in SRv6, at
> first, packets are passed to nf_conntrack_in, encapsulated, and the flows
> are confirmed in ipv6_output even if the inner packets are IPv4. Therefore,
> IPv6 conntrack needs to be enabled to track the IPv4 inner flow.
>
> The second problem is caused when SRv6 packets are decapsulated. If IPv6
> conntrack is enabled, SRv6 packets are passed to nf_conntrack_in called
> from ipv6_rcv. Even if the inner packets are passed to nf_conntrack_in
> after the packets are decapsulated, the flows aren't tracked because
> skb->_nfct is already set. Therefore, IPv6 conntrack needs to be disabled
> to track IPv4 flows when packets are decapsulated.
>
> This patch series solves these problems and allows conntrack to record
> inner flows correctly. It introduces netfilter hooks to the srv6 lwtunnel
> and srv6local lwtunnel. It also introduces a new sysctl toggle to turn on
> the lightweight tunnel netfilter hooks. You can enable lwtunnel netfilter
> as follows:
>
> sysctl net.netfilter.nf_hooks_lwtunnel=1

Applied to nf-next with a few edits. I'll post it to net-next in the next
pull request.
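The cover letter's distinction between the outer flow (what nf_conntrack_in sees on the IPv6 packet arriving at ipv6_rcv) and the inner flow (what the decapsulated IPv4 packet carries) is easier to see on bytes. The following Python dissector is an added illustration, not code from this thread or from the patch series. It builds one constructed packet of the shape produced by seg6 "mode encap" of an IPv4 payload (outer IPv6, a one-segment SRH whose next header is 4, then IPv4/TCP; all addresses and ports are made up), walks the extension-header chain, and reports both tuples.

```python
"""Outer vs. inner flow of an SRv6-encapsulated IPv4 packet (constructed example).

Added illustration, not code from the patch series or this thread. The packet
is made up; it has the layout of `encap seg6 mode encap` applied to IPv4.
"""
import ipaddress
import struct

IPPROTO_HOPOPTS, IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP = 0, 4, 6, 17
IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_DSTOPTS = 43, 44, 60
SRH_ROUTING_TYPE = 4  # RFC 8754 Segment Routing Header


def checksum16(data: bytes) -> int:
    """RFC 1071 ones-complement sum; 0 when run over a header whose checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_sample_packet() -> bytes:
    """Constructed: IPv6 fc00:1::1 -> fc00:2::1 / SRH [fc00:2::1] / IPv4 10.0.0.1 -> 10.0.1.1 / TCP 40000 -> 80 SYN."""
    src4 = ipaddress.ip_address("10.0.0.1").packed
    dst4 = ipaddress.ip_address("10.0.1.1").packed
    # TCP: sport, dport, seq, ack, data offset (5 words), flags=SYN, window, csum, urgent
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    pseudo = src4 + dst4 + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum16(pseudo + tcp)) + tcp[18:]
    # IPv4: ver/ihl, tos, total length, id, DF, ttl, proto, csum, src, dst
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                      IPPROTO_TCP, 0, src4, dst4)
    ip4 = ip4[:10] + struct.pack("!H", checksum16(ip4)) + ip4[12:]
    # SRH: next header 4 (IPv4 inside), Hdr Ext Len 2 (one 16-byte segment),
    # routing type 4, segments left 0, last entry 0, flags 0, tag 0, segment list
    seg = ipaddress.ip_address("fc00:2::1").packed
    srh = struct.pack("!BBBBBBH", IPPROTO_IPIP, 2, SRH_ROUTING_TYPE, 0, 0, 0, 0) + seg
    payload = srh + ip4 + tcp
    # Outer IPv6: version 6, payload length, next header 43 (routing), hop limit 64;
    # the destination address is the active segment
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(payload), IPPROTO_ROUTING, 64,
                      ipaddress.ip_address("fc00:1::1").packed, seg)
    return ip6 + payload


def parse_srh(buf: bytes) -> dict:
    nh, hdr_ext_len, rtype, segs_left, last_entry, _flags, _tag = struct.unpack("!BBBBBBH", buf[:8])
    if rtype != SRH_ROUTING_TYPE:
        raise ValueError("routing header is not an SRH")
    if 16 * (last_entry + 1) > 8 * hdr_ext_len:
        raise ValueError("SRH segment list overruns Hdr Ext Len")
    segs = [str(ipaddress.IPv6Address(buf[8 + 16 * i:24 + 16 * i])) for i in range(last_entry + 1)]
    return {"next_header": nh, "segments_left": segs_left, "segments": segs}


def parse_outer_ipv6(pkt: bytes) -> dict:
    """Outer addresses, the protocol that follows the extension-header chain,
    the SRH (if present) and the offset of the encapsulated payload."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not IPv6")
    payload_len, nh = struct.unpack("!HB", pkt[4:7])
    if 40 + payload_len > len(pkt):
        raise ValueError("truncated IPv6 packet")
    src, dst = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    off, srh = 40, None
    while nh in (IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_DSTOPTS):
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        ext_len = 8 if nh == IPPROTO_FRAGMENT else (pkt[off + 1] + 1) * 8
        if off + ext_len > len(pkt):
            raise ValueError("extension header overruns packet")
        if nh == IPPROTO_ROUTING:
            srh = parse_srh(pkt[off:off + ext_len])
        nh, off = pkt[off], off + ext_len
    return {"src": str(src), "dst": str(dst), "proto": nh, "srh": srh, "payload_off": off}


def parse_inner_ipv4(buf: bytes) -> tuple:
    """5-tuple of the decapsulated packet: (src, dst, proto, sport, dport)."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl or checksum16(buf[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    proto = buf[9]
    src, dst = ipaddress.IPv4Address(buf[12:16]), ipaddress.IPv4Address(buf[16:20])
    sport = dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(buf) >= ihl + 4:
        sport, dport = struct.unpack("!HH", buf[ihl:ihl + 4])
    return (str(src), str(dst), proto, sport, dport)


def dissect(pkt: bytes) -> dict:
    """Outer flow as carried by the IPv6 packet, inner flow as seen after decapsulation."""
    outer = parse_outer_ipv6(pkt)
    inner_flow = None
    if outer["proto"] == IPPROTO_IPIP:
        inner_flow = parse_inner_ipv4(pkt[outer["payload_off"]:])
    return {"outer": (outer["src"], outer["dst"], outer["proto"]),
            "inner": inner_flow, "srh": outer["srh"]}


if __name__ == "__main__":
    result = dissect(build_sample_packet())
    print("outer flow (IPv6 addresses, protocol after the ext headers):", result["outer"])
    print("SRH:", result["srh"])
    print("inner flow (IPv4 5-tuple after decapsulation):", result["inner"])
```

The outer tuple is an IPv6 pair whose "protocol" is 4 (IPv4-in-IPv6), which is why the cover letter needs IPv6 conntrack at ipv6_rcv to see anything at all on the encapsulated packet; the inner tuple is the IPv4/TCP 5-tuple that only becomes visible once the SRH and outer header are stripped, which is the flow the lwtunnel hooks make trackable.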