| Message ID | 20220826114700.2272645-1-eyal.birger@gmail.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | xfrm: support collect metadata mode for xfrm interfaces | expand |
On Fri, Aug 26, 2022 at 02:46:57PM +0300, Eyal Birger wrote: > This series adds support for "collect_md" mode in XFRM interfaces. > > This feature is useful for maintaining a large number of IPsec connections > with the benefits of using a network interface while reducing the overhead > of maintaining a large number of devices. > > Currently this is possible by having multiple connections share a common > interface by sharing the if_id identifier and using some other criteria > to distinguish between them - such as different subnets or skb marks. > This becomes complex in multi-tenant environments where subnets collide > and the mark space is used for other purposes. > > Since the xfrm interface uses the if_id as the differentiator when > looking for policies, setting the if_id in the dst_metadata framework > allows using a single interface for different connections while having > the ability to selectively steer traffic to each one. In addition the > xfrm interface "link" property can also be specified to affect underlying > routing in the context of VRFs. > > The series is composed of the following steps: > > - Introduce a new METADATA_XFRM metadata type to be used for this purpose. > Reuse of the existing "METADATA_IP_TUNNEL" type was rejected in [0] as > XFRM does not necessarily represent an IP tunnel. > > - Add support for collect metadata mode in xfrm interfaces > > - Allow setting the XFRM metadata from the LWT infrastructure > > Future additions could allow setting/getting the XFRM metadata from eBPF > programs, TC, OVS, NF, etc. > > [0] https://patchwork.kernel.org/project/netdevbpf/patch/20201121142823.3629805-1-eyal.birger@gmail.com/#23824575 > > Eyal Birger (3): > net: allow storing xfrm interface metadata in metadata_dst > xfrm: interface: support collect metadata mode > xfrm: lwtunnel: add lwtunnel support for xfrm interfaces in collect_md > mode > > include/net/dst_metadata.h | 31 +++++ > include/net/xfrm.h | 11 +- > include/uapi/linux/if_link.h | 1 + > include/uapi/linux/lwtunnel.h | 10 ++ > net/core/lwtunnel.c | 1 + > net/xfrm/xfrm_input.c | 7 +- > net/xfrm/xfrm_interface.c | 206 ++++++++++++++++++++++++++++++---- > net/xfrm/xfrm_policy.c | 10 +- > 8 files changed, 248 insertions(+), 29 deletions(-) Applied, thanks a lot Eyal!
This series adds support for "collect_md" mode in XFRM interfaces. This feature is useful for maintaining a large number of IPsec connections with the benefits of using a network interface while reducing the overhead of maintaining a large number of devices. Currently this is possible by having multiple connections share a common interface by sharing the if_id identifier and using some other criteria to distinguish between them - such as different subnets or skb marks. This becomes complex in multi-tenant environments where subnets collide and the mark space is used for other purposes. Since the xfrm interface uses the if_id as the differentiator when looking for policies, setting the if_id in the dst_metadata framework allows using a single interface for different connections while having the ability to selectively steer traffic to each one. In addition the xfrm interface "link" property can also be specified to affect underlying routing in the context of VRFs. The series is composed of the following steps: - Introduce a new METADATA_XFRM metadata type to be used for this purpose. Reuse of the existing "METADATA_IP_TUNNEL" type was rejected in [0] as XFRM does not necessarily represent an IP tunnel. - Add support for collect metadata mode in xfrm interfaces - Allow setting the XFRM metadata from the LWT infrastructure Future additions could allow setting/getting the XFRM metadata from eBPF programs, TC, OVS, NF, etc. [0] https://patchwork.kernel.org/project/netdevbpf/patch/20201121142823.3629805-1-eyal.birger@gmail.com/#23824575 Eyal Birger (3): net: allow storing xfrm interface metadata in metadata_dst xfrm: interface: support collect metadata mode xfrm: lwtunnel: add lwtunnel support for xfrm interfaces in collect_md mode include/net/dst_metadata.h | 31 +++++ include/net/xfrm.h | 11 +- include/uapi/linux/if_link.h | 1 + include/uapi/linux/lwtunnel.h | 10 ++ net/core/lwtunnel.c | 1 + net/xfrm/xfrm_input.c | 7 +- net/xfrm/xfrm_interface.c | 206 ++++++++++++++++++++++++++++++---- net/xfrm/xfrm_policy.c | 10 +- 8 files changed, 248 insertions(+), 29 deletions(-) ---- v4: coding change as suggested by Nicolas Dichtel v3: coding changes as suggested by Nikolay Aleksandrov and Nicolas Dichtel v2: add "link" property as suggested by Nicolas Dichtel