From: Johannes Kimmel Date: Fri, 1 Jan 2021 09:55:25 +0100 Subject: netifd: backport vxlan patches Signed-off-by: Johannes Kimmel [refresh patches] Signed-off-by: Adrian Schmutzler diff --git a/package/network/config/netifd/patches/0001-netifd-vxlan-handle-srcport-range.patch b/package/network/config/netifd/patches/0001-netifd-vxlan-handle-srcport-range.patch new file mode 100644 index 0000000000000000000000000000000000000000..0b803aca8bebe33ad47f7e441bc9aa36d42b0aea --- /dev/null +++ b/package/network/config/netifd/patches/0001-netifd-vxlan-handle-srcport-range.patch @@ -0,0 +1,89 @@ +From a3c033e2afc289672e0ed4b8d8a835d509715af8 Mon Sep 17 00:00:00 2001 +From: Johannes Kimmel +Date: Fri, 4 Sep 2020 04:59:40 +0200 +Subject: [PATCH 1/4] netifd: vxlan: handle srcport range + +This adds adds the ability to set the source port range for vxlan +interfaces. + +By default vxlans will use a random port within the ephermal range as +source ports for packets. This is done to aid scaleability within a +datacenter. + +But with these defaults it's impossible to punch through NATs or +traverese most stateful firewalls easily. One solution is to fix the +srcport to the same as dstport. + +If only srcportmin is specified, then srcportmax is set in a way that +outgoing packets will only use srcportmin. + +If a range is to be specified, srcportmin and srcportmax have to be +specified. srcportmax is exclusive. + +If only srcportmax is specified, the value is ignored and defaults are +used. + +Signed-off-by: Johannes Kimmel +--- + system-linux.c | 26 ++++++++++++++++++++++++++ + system.c | 2 ++ + system.h | 2 ++ + 3 files changed, 30 insertions(+) + +--- a/system-linux.c ++++ b/system-linux.c +@@ -3062,6 +3062,32 @@ static int system_add_vxlan(const char * + } + nla_put_u16(msg, IFLA_VXLAN_PORT, htons(port)); + ++ if ((cur = tb_data[VXLAN_DATA_ATTR_SRCPORTMIN])) { ++ struct ifla_vxlan_port_range srcports = {0,0}; ++ ++ uint32_t low = blobmsg_get_u32(cur); ++ if (low < 1 || low > 65535 - 1) { ++ ret = -EINVAL; ++ goto failure; ++ } ++ ++ srcports.low = htons((uint16_t) low); ++ srcports.high = htons((uint16_t) (low+1)); ++ ++ if ((cur = tb_data[VXLAN_DATA_ATTR_SRCPORTMAX])) { ++ uint32_t high = blobmsg_get_u32(cur); ++ if (high < 1 || high > 65535) { ++ ret = -EINVAL; ++ goto failure; ++ } ++ ++ if (high > low) ++ srcports.high = htons((uint16_t) high); ++ } ++ ++ nla_put(msg, IFLA_VXLAN_PORT_RANGE, sizeof(srcports), &srcports); ++ } ++ + if ((cur = tb_data[VXLAN_DATA_ATTR_RXCSUM])) { + bool rxcsum = blobmsg_get_bool(cur); + nla_put_u8(msg, IFLA_VXLAN_UDP_ZERO_CSUM6_RX, !rxcsum); +--- a/system.c ++++ b/system.c +@@ -38,6 +38,8 @@ static const struct blobmsg_policy vxlan + [VXLAN_DATA_ATTR_MACADDR] = { .name = "macaddr", .type = BLOBMSG_TYPE_STRING }, + [VXLAN_DATA_ATTR_RXCSUM] = { .name = "rxcsum", .type = BLOBMSG_TYPE_BOOL }, + [VXLAN_DATA_ATTR_TXCSUM] = { .name = "txcsum", .type = BLOBMSG_TYPE_BOOL }, ++ [VXLAN_DATA_ATTR_SRCPORTMIN] = { .name = "srcportmin", .type = BLOBMSG_TYPE_INT32 }, ++ [VXLAN_DATA_ATTR_SRCPORTMAX] = { .name = "srcportmax", .type = BLOBMSG_TYPE_INT32 }, + }; + + const struct uci_blob_param_list vxlan_data_attr_list = { +--- a/system.h ++++ b/system.h +@@ -43,6 +43,8 @@ enum vxlan_data { + VXLAN_DATA_ATTR_MACADDR, + VXLAN_DATA_ATTR_RXCSUM, + VXLAN_DATA_ATTR_TXCSUM, ++ VXLAN_DATA_ATTR_SRCPORTMIN, ++ VXLAN_DATA_ATTR_SRCPORTMAX, + __VXLAN_DATA_ATTR_MAX + }; + diff --git a/package/network/config/netifd/patches/0002-netifd-vxlan-refactor-mapping-of-boolean-attrs.patch b/package/network/config/netifd/patches/0002-netifd-vxlan-refactor-mapping-of-boolean-attrs.patch new file mode 100644 index 0000000000000000000000000000000000000000..3c60665354a52159566826bbedf59964077205d5 --- /dev/null +++ b/package/network/config/netifd/patches/0002-netifd-vxlan-refactor-mapping-of-boolean-attrs.patch @@ -0,0 +1,54 @@ +From 226566b967dc4ef4d83ed7844b8ad746f4306f8d Mon Sep 17 00:00:00 2001 +From: Johannes Kimmel +Date: Fri, 4 Sep 2020 04:59:41 +0200 +Subject: [PATCH 2/4] netifd: vxlan: refactor mapping of boolean attrs + +Add a small function to handle boolean options and make use of it to handle: + - rxcsum + - txcsum + +Signed-off-by: Johannes Kimmel +--- + system-linux.c | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +--- a/system-linux.c ++++ b/system-linux.c +@@ -2951,6 +2951,17 @@ failure: + #endif + + #ifdef IFLA_VXLAN_MAX ++static void system_vxlan_map_bool_attr(struct nl_msg *msg, struct blob_attr **tb_data, int attrtype, int vxlandatatype, bool invert) { ++ struct blob_attr *cur; ++ if ((cur = tb_data[vxlandatatype])) { ++ bool val = blobmsg_get_bool(cur); ++ if (invert) { ++ val = !val; ++ } ++ nla_put_u8(msg, attrtype, val); ++ } ++} ++ + static int system_add_vxlan(const char *name, const unsigned int link, struct blob_attr **tb, bool v6) + { + struct blob_attr *tb_data[__VXLAN_DATA_ATTR_MAX]; +@@ -3088,16 +3099,9 @@ static int system_add_vxlan(const char * + nla_put(msg, IFLA_VXLAN_PORT_RANGE, sizeof(srcports), &srcports); + } + +- if ((cur = tb_data[VXLAN_DATA_ATTR_RXCSUM])) { +- bool rxcsum = blobmsg_get_bool(cur); +- nla_put_u8(msg, IFLA_VXLAN_UDP_ZERO_CSUM6_RX, !rxcsum); +- } +- +- if ((cur = tb_data[VXLAN_DATA_ATTR_TXCSUM])) { +- bool txcsum = blobmsg_get_bool(cur); +- nla_put_u8(msg, IFLA_VXLAN_UDP_CSUM, txcsum); +- nla_put_u8(msg, IFLA_VXLAN_UDP_ZERO_CSUM6_TX, !txcsum); +- } ++ system_vxlan_map_bool_attr(msg, tb_data, IFLA_VXLAN_UDP_CSUM, VXLAN_DATA_ATTR_TXCSUM, false); ++ system_vxlan_map_bool_attr(msg, tb_data, IFLA_VXLAN_UDP_ZERO_CSUM6_RX, VXLAN_DATA_ATTR_RXCSUM, true); ++ system_vxlan_map_bool_attr(msg, tb_data, IFLA_VXLAN_UDP_ZERO_CSUM6_TX, VXLAN_DATA_ATTR_TXCSUM, true); + + if ((cur = tb[TUNNEL_ATTR_TOS])) { + char *str = blobmsg_get_string(cur); diff --git a/package/network/config/netifd/patches/0003-netifd-vxlan-add-most-missing-boolean-options.patch b/package/network/config/netifd/patches/0003-netifd-vxlan-add-most-missing-boolean-options.patch new file mode 100644 index 0000000000000000000000000000000000000000..693e92b9f6b50f20d8fd220c196440d7bf894eb9 --- /dev/null +++ b/package/network/config/netifd/patches/0003-netifd-vxlan-add-most-missing-boolean-options.patch @@ -0,0 +1,93 @@ +From 11223f5550f7dd8faefb85441065b682be16e61f Mon Sep 17 00:00:00 2001 +From: Johannes Kimmel +Date: Fri, 4 Sep 2020 04:59:42 +0200 +Subject: [PATCH 3/4] netifd: vxlan: add most missing boolean options + +adds the folloing missing options: + - learning + - rsc + - proxy + - l2miss + - l3miss + - gbp + +See ip-link(3) for their meaning. + +still missing: + - external + - gpe + +I'm not sure how to handle them at the moment. It's unclear to me what +IFLA_VXLAN_* value corresponds to the 'external' option and according to +the manpage, gpe depends on it. + +Signed-off-by: Johannes Kimmel +--- + system-linux.c | 16 +++++++++++++--- + system.c | 6 ++++++ + system.h | 6 ++++++ + 3 files changed, 25 insertions(+), 3 deletions(-) + +--- a/system-linux.c ++++ b/system-linux.c +@@ -2955,10 +2955,14 @@ static void system_vxlan_map_bool_attr(s + struct blob_attr *cur; + if ((cur = tb_data[vxlandatatype])) { + bool val = blobmsg_get_bool(cur); +- if (invert) { ++ if (invert) + val = !val; +- } +- nla_put_u8(msg, attrtype, val); ++ ++ if ((attrtype == IFLA_VXLAN_GBP) && val) ++ nla_put_flag(msg, attrtype); ++ else ++ nla_put_u8(msg, attrtype, val); ++ + } + } + +@@ -3102,6 +3106,12 @@ static int system_add_vxlan(const char * + system_vxlan_map_bool_attr(msg, tb_data, IFLA_VXLAN_UDP_CSUM, VXLAN_DATA_ATTR_TXCSUM, false); + system_vxlan_map_bool_attr(msg, tb_data, IFLA_VXLAN_UDP_ZERO_CSUM6_RX, VXLAN_DATA_ATTR_RXCSUM, true); + system_vxlan_map_bool_attr(msg, tb_data, IFLA_VXLAN_UDP_ZERO_CSUM6_TX, VXLAN_DATA_ATTR_TXCSUM, true); ++ system_vxlan_map_bool_attr(msg, tb_data, IFLA_VXLAN_LEARNING, VXLAN_DATA_ATTR_LEARNING, false); ++ system_vxlan_map_bool_attr(msg, tb_data, IFLA_VXLAN_RSC , VXLAN_DATA_ATTR_RSC, false); ++ system_vxlan_map_bool_attr(msg, tb_data, IFLA_VXLAN_PROXY , VXLAN_DATA_ATTR_PROXY, false); ++ system_vxlan_map_bool_attr(msg, tb_data, IFLA_VXLAN_L2MISS , VXLAN_DATA_ATTR_L2MISS, false); ++ system_vxlan_map_bool_attr(msg, tb_data, IFLA_VXLAN_L3MISS , VXLAN_DATA_ATTR_L3MISS, false); ++ system_vxlan_map_bool_attr(msg, tb_data, IFLA_VXLAN_GBP , VXLAN_DATA_ATTR_GBP, false); + + if ((cur = tb[TUNNEL_ATTR_TOS])) { + char *str = blobmsg_get_string(cur); +--- a/system.c ++++ b/system.c +@@ -40,6 +40,12 @@ static const struct blobmsg_policy vxlan + [VXLAN_DATA_ATTR_TXCSUM] = { .name = "txcsum", .type = BLOBMSG_TYPE_BOOL }, + [VXLAN_DATA_ATTR_SRCPORTMIN] = { .name = "srcportmin", .type = BLOBMSG_TYPE_INT32 }, + [VXLAN_DATA_ATTR_SRCPORTMAX] = { .name = "srcportmax", .type = BLOBMSG_TYPE_INT32 }, ++ [VXLAN_DATA_ATTR_LEARNING] = { .name = "learning", .type = BLOBMSG_TYPE_BOOL }, ++ [VXLAN_DATA_ATTR_RSC] = { .name = "rsc", .type = BLOBMSG_TYPE_BOOL }, ++ [VXLAN_DATA_ATTR_PROXY] = { .name = "proxy", .type = BLOBMSG_TYPE_BOOL }, ++ [VXLAN_DATA_ATTR_L2MISS] = { .name = "l2miss", .type = BLOBMSG_TYPE_BOOL }, ++ [VXLAN_DATA_ATTR_L3MISS] = { .name = "l3miss", .type = BLOBMSG_TYPE_BOOL }, ++ [VXLAN_DATA_ATTR_GBP] = { .name = "gbp", .type = BLOBMSG_TYPE_BOOL }, + }; + + const struct uci_blob_param_list vxlan_data_attr_list = { +--- a/system.h ++++ b/system.h +@@ -45,6 +45,12 @@ enum vxlan_data { + VXLAN_DATA_ATTR_TXCSUM, + VXLAN_DATA_ATTR_SRCPORTMIN, + VXLAN_DATA_ATTR_SRCPORTMAX, ++ VXLAN_DATA_ATTR_LEARNING, ++ VXLAN_DATA_ATTR_RSC, ++ VXLAN_DATA_ATTR_PROXY, ++ VXLAN_DATA_ATTR_L2MISS, ++ VXLAN_DATA_ATTR_L3MISS, ++ VXLAN_DATA_ATTR_GBP, + __VXLAN_DATA_ATTR_MAX + }; + diff --git a/package/network/config/netifd/patches/0004-netifd-vxlan-add-aging-and-maxaddress-options.patch b/package/network/config/netifd/patches/0004-netifd-vxlan-add-aging-and-maxaddress-options.patch new file mode 100644 index 0000000000000000000000000000000000000000..8a2b4424fe282492ecf64522ecf3d1b3ba106bbb --- /dev/null +++ b/package/network/config/netifd/patches/0004-netifd-vxlan-add-aging-and-maxaddress-options.patch @@ -0,0 +1,56 @@ +From 55a7b6b7f2f773c06a79cb7359ffdab54ba32450 Mon Sep 17 00:00:00 2001 +From: Johannes Kimmel +Date: Fri, 4 Sep 2020 04:59:43 +0200 +Subject: [PATCH 4/4] netifd: vxlan: add aging and maxaddress options + +For both options the values can just be passed to the kernel. All +unsigned values are accepted, thus no range checking required. + +Signed-off-by: Johannes Kimmel +--- + system-linux.c | 10 ++++++++++ + system.c | 2 ++ + system.h | 2 ++ + 3 files changed, 14 insertions(+) + +--- a/system-linux.c ++++ b/system-linux.c +@@ -3113,6 +3113,16 @@ static int system_add_vxlan(const char * + system_vxlan_map_bool_attr(msg, tb_data, IFLA_VXLAN_L3MISS , VXLAN_DATA_ATTR_L3MISS, false); + system_vxlan_map_bool_attr(msg, tb_data, IFLA_VXLAN_GBP , VXLAN_DATA_ATTR_GBP, false); + ++ if ((cur = tb_data[VXLAN_DATA_ATTR_AGEING])) { ++ uint32_t ageing = blobmsg_get_u32(cur); ++ nla_put_u32(msg, IFLA_VXLAN_AGEING, ageing); ++ } ++ ++ if ((cur = tb_data[VXLAN_DATA_ATTR_LIMIT])) { ++ uint32_t maxaddress = blobmsg_get_u32(cur); ++ nla_put_u32(msg, IFLA_VXLAN_LIMIT, maxaddress); ++ } ++ + if ((cur = tb[TUNNEL_ATTR_TOS])) { + char *str = blobmsg_get_string(cur); + unsigned tos = 1; +--- a/system.c ++++ b/system.c +@@ -46,6 +46,8 @@ static const struct blobmsg_policy vxlan + [VXLAN_DATA_ATTR_L2MISS] = { .name = "l2miss", .type = BLOBMSG_TYPE_BOOL }, + [VXLAN_DATA_ATTR_L3MISS] = { .name = "l3miss", .type = BLOBMSG_TYPE_BOOL }, + [VXLAN_DATA_ATTR_GBP] = { .name = "gbp", .type = BLOBMSG_TYPE_BOOL }, ++ [VXLAN_DATA_ATTR_AGEING] = { .name = "ageing", .type = BLOBMSG_TYPE_INT32 }, ++ [VXLAN_DATA_ATTR_LIMIT] = { .name = "maxaddress", .type = BLOBMSG_TYPE_INT32 }, + }; + + const struct uci_blob_param_list vxlan_data_attr_list = { +--- a/system.h ++++ b/system.h +@@ -51,6 +51,8 @@ enum vxlan_data { + VXLAN_DATA_ATTR_L2MISS, + VXLAN_DATA_ATTR_L3MISS, + VXLAN_DATA_ATTR_GBP, ++ VXLAN_DATA_ATTR_AGEING, ++ VXLAN_DATA_ATTR_LIMIT, + __VXLAN_DATA_ATTR_MAX + }; +