.TH "Tunnel metadata manipulation action in tc" 8 "10 Nov 2016" "iproute2" "Linux"

.SH NAME
tunnel_key - Tunnel metadata manipulation
.SH SYNOPSIS
.in +8
.ti -8
.BR tc " ... " "action tunnel_key" " { " unset " | "
.IR SET " }"

.ti -8
.IR SET " := "
.BR set " " src_ip
.IR ADDRESS
.BR dst_ip
.IR ADDRESS
.BI id " KEY_ID"
.BI dst_port " UDP_PORT"
.BI tos " TOS"
.BI ttl " TTL"
.RB "[ " csum " | " nocsum " ]"

.SH DESCRIPTION
The
.B tunnel_key
action, combined with a shared IP tunnel device, performs IP tunnel
encapsulation or decapsulation on a packet, reflected by
the operation modes
.IR UNSET " and " SET .
The
.I UNSET
mode is optional - even without using it, the metadata information will be
released automatically when packet processing is finished.
The
.I UNSET
function can be used when traffic is forwarded between two tunnels,
where the metadata from the first tunnel would otherwise be used for the
encapsulation done by the second tunnel.
.I SET
mode requires the source and destination IP
.I ADDRESS
and the tunnel key id
.I KEY_ID
which will be used by the shared IP tunnel device to create the tunnel header. The
.B tunnel_key
action is useful only in combination with a
.B mirred redirect
action to a shared IP tunnel device which will use the metadata (for
.IR SET )
and unset the metadata created by it (for
.IR UNSET ).

.SH OPTIONS
.TP
.B unset
Unset the tunnel metadata created by the IP tunnel device. This function is
not mandatory and might be used only in some specific use cases (as explained
above).
.TP
.B set
Set tunnel metadata to be used by the IP tunnel device. Requires
.B src_ip
and
.B dst_ip
options.
.BR id ,
.BR dst_port ,
.BR geneve_opts ,
.B vxlan_opts
and
.B erspan_opts
are optional.
.RS
.TP
.B id
Tunnel ID (for example VNI in VXLAN tunnel)
.TP
.B src_ip
Outer header source IP address (IPv4 or IPv6)
.TP
.B dst_ip
Outer header destination IP address (IPv4 or IPv6)
.TP
.B dst_port
Outer header destination UDP port
.TP
.B geneve_opts
Geneve variable length options.
.B geneve_opts
is specified in the form CLASS:TYPE:DATA, where CLASS is represented as a
16-bit hexadecimal value, TYPE as an 8-bit hexadecimal value and DATA as a
variable length hexadecimal value. Additionally, multiple options may be
listed using a comma delimiter.
.TP
.B vxlan_opts
VXLAN metadata options.
.B vxlan_opts
is specified in the form GBP, as a 32-bit number. Multiple options are not
supported.
.TP
.B erspan_opts
ERSPAN metadata options.
.B erspan_opts
is specified in the form VERSION:INDEX:DIR:HWID, where VERSION is represented
as an 8-bit number, INDEX as a 32-bit number, and DIR and HWID as 8-bit numbers.
Multiple options are not supported. Note that INDEX is used when VERSION is 1,
and DIR and HWID are used when VERSION is 2.
.TP
.B tos
Outer header TOS
.TP
.B ttl
Outer header TTL
.TP
.RB [ no ] csum
Controls outer UDP checksum. When set to
.B csum
(which is the default), the outer UDP checksum is calculated and included in the
packets. When set to
.BR nocsum ,
the outer UDP checksum is zero. Note that when using zero UDP checksums with
IPv6, the other tunnel endpoint must be configured to accept such packets.
In Linux, this would be the
.B udp6zerocsumrx
option for the VXLAN tunnel interface.
.IP
If using
.B nocsum
with IPv6, be sure you know what you are doing. Zero UDP checksums provide
weaker protection against corrupted packets. See RFC 6935 for details.
.RE
.SH EXAMPLES
The following example encapsulates incoming ICMP packets on eth0 into a VXLAN
tunnel, by setting metadata to VNI 11, source IP 11.11.0.1 and destination IP
11.11.0.2, and by redirecting the packet with the metadata to device vxlan0,
which will do the actual encapsulation using the metadata:

.RS
.EX
#tc qdisc add dev eth0 handle ffff: ingress
#tc filter add dev eth0 protocol ip parent ffff: \\
  flower \\
    ip_proto icmp \\
  action tunnel_key set \\
    src_ip 11.11.0.1 \\
    dst_ip 11.11.0.2 \\
    id 11 \\
  action mirred egress redirect dev vxlan0
.EE
.RE

Here is an example of the
.B unset
function: Incoming VXLAN traffic with outer IPs and VNI 11 is decapsulated by
vxlan0 and metadata is unset before redirecting to tunl1 device:

.RS
.\" The ingress qdisc is created on vxlan0, the device the filter attaches to.
.EX
#tc qdisc add dev vxlan0 handle ffff: ingress
#tc filter add dev vxlan0 protocol ip parent ffff: \\
  flower \\
    enc_src_ip 11.11.0.2 enc_dst_ip 11.11.0.1 enc_key_id 11 \\
  action tunnel_key unset \\
  action mirred egress redirect dev tunl1
.EE
.RE
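
Added example (not part of the iproute2 manual or code): a POSIX shell pre-check for geneve_opts and erspan_opts strings in the forms described under OPTIONS, for scripts that build tc command lines from external input. The function names are hypothetical, the sample values are constructed, and rejecting ERSPAN versions other than 1 and 2 and non-zero unused fields is a policy assumed here.

```shell
#!/bin/sh
# Added example, not iproute2 code. Sample values below are constructed.

# is_hex VALUE [MAXDIGITS]: only hex digits, optionally at most MAXDIGITS.
is_hex() {
    case "$1" in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    [ -z "$2" ] || [ "${#1}" -le "$2" ]
}

# is_uint VALUE MAX: decimal integer in 0..MAX.
is_uint() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 10 ] && [ "$1" -le "$2" ]
}

# geneve_opts: comma-separated CLASS:TYPE:DATA, CLASS 16-bit hex,
# TYPE 8-bit hex, DATA variable-length hex.
valid_geneve_opts() {
    rest=$1
    while :; do
        opt=${rest%%,*}
        class=${opt%%:*}; tail=${opt#*:}
        [ "$tail" != "$opt" ] || return 1      # no ':' in this option
        typ=${tail%%:*}; data=${tail#*:}
        [ "$data" != "$tail" ] || return 1     # only one ':'
        is_hex "$class" 4 && is_hex "$typ" 2 && is_hex "$data" || return 1
        [ "$rest" != "$opt" ] || return 0      # last option checked
        rest=${rest#*,}
    done
}

# erspan_opts: exactly VERSION:INDEX:DIR:HWID. Policy assumed here: only
# versions 1 and 2, and fields the version does not use must be 0.
valid_erspan_opts() {
    case "$1" in *:*:*:*:*) return 1 ;; *:*:*:*) ;; *) return 1 ;; esac
    ver=${1%%:*}; r=${1#*:}; idx=${r%%:*}; r=${r#*:}
    dir=${r%%:*}; hwid=${r#*:}
    is_uint "$ver" 255 && is_uint "$idx" 4294967295 &&
        is_uint "$dir" 255 && is_uint "$hwid" 255 || return 1
    case "$ver" in
        1) [ "$dir" -eq 0 ] && [ "$hwid" -eq 0 ] ;;
        2) [ "$idx" -eq 0 ] ;;
        *) return 1 ;;
    esac
}

for s in 0102:80:00112233,0103:01:deadbeef 10102:80:00 0102:80; do
    valid_geneve_opts "$s" && echo "geneve_opts $s: ok" || echo "geneve_opts $s: rejected"
done
```
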
.SH SEE ALSO
.BR tc (8)