.. SPDX-License-Identifier: GPL-2.0

===================
IPVLAN Driver HOWTO
===================

Initial Release:
    Mahesh Bandewar <maheshb AT google.com>

1. Introduction:
================
This is conceptually very similar to the macvlan driver, with one major
exception: it uses L3 for mux-ing/demux-ing among slaves. This property makes
the master device share its L2 with its slave devices. I have developed this
driver in conjunction with network namespaces and am not sure if there is a use
case outside of it.


2. Building and Installation:
=============================

In order to build the driver, please select the config item CONFIG_IPVLAN.
The driver can be built into the kernel (CONFIG_IPVLAN=y) or as a module
(CONFIG_IPVLAN=m).


3. Configuration:
=================

There are no module parameters for this driver and it can be configured
using the IProute2 ip utility.
::

        ip link add link <master> name <slave> type ipvlan [ mode MODE ] [ FLAGS ]
           where
             MODE: l3 (default) | l3s | l2
             FLAGS: bridge (default) | private | vepa

e.g.

    (a) The following will create an IPvlan link with eth0 as master in
        L3 bridge mode::

          bash# ip link add link eth0 name ipvl0 type ipvlan

    (b) This command will create an IPvlan link in L2 bridge mode::

          bash# ip link add link eth0 name ipvl0 type ipvlan mode l2 bridge

    (c) This command will create an IPvlan device in L2 private mode::

          bash# ip link add link eth0 name ipvlan type ipvlan mode l2 private

    (d) This command will create an IPvlan device in L2 vepa mode::

          bash# ip link add link eth0 name ipvlan type ipvlan mode l2 vepa


4. Operating modes:
===================

IPvlan has two modes of operation - L2 and L3. For a given master device,
you can select one of these two modes and all slaves on that master will
operate in the same (selected) mode. The RX mode is almost identical except
that in L3 mode the slaves won't receive any multicast / broadcast traffic.
L3 mode is more restrictive since routing is controlled from the other (mostly
the default) namespace.

4.1 L2 mode:
------------

In this mode TX processing happens on the stack instance attached to the
slave device and packets are switched and queued to the master device to send
out. In this mode the slaves will RX/TX multicast and broadcast (if applicable)
as well.

4.2 L3 mode:
------------

In this mode TX processing up to L3 happens on the stack instance attached
to the slave device and packets are switched to the stack instance of the
master device for the L2 processing, and routing from that instance is
used before packets are queued on the outbound device. In this mode the slaves
can neither receive nor send multicast / broadcast traffic.

4.3 L3S mode:
-------------

This is very similar to the L3 mode except that iptables (conn-tracking)
works in this mode and hence it is L3-symmetric (L3s). This will have slightly
less performance, but that shouldn't matter since you are choosing this mode
over plain-L3 mode to make conn-tracking work.


5. Mode flags:
==============

At this time the following mode flags are available:

5.1 bridge:
-----------
This is the default option. To configure the IPvlan port in this mode, the
user can either add this option on the command line or not specify anything.
This is the traditional mode where slaves can cross-talk among themselves
apart from talking through the master device.

5.2 private:
------------
If this option is added to the command line, the port is set in private
mode, i.e. the port won't allow cross communication between slaves.

5.3 vepa:
---------
If this is added to the command line, the port is set in VEPA mode, i.e. the
port will offload switching functionality to the external entity as described
in 802.1Qbg.

Note: VEPA mode in IPvlan has limitations. IPvlan uses the MAC address of the
master device, so the packets which are emitted in this mode for the adjacent
neighbor will have the same source and destination MAC. This will make the
switch / router send a redirect message.


6. What to choose (macvlan vs. ipvlan)?
=======================================

These two devices are very similar in many regards and the specific use
case could very well define which device to choose. If one of the following
situations defines your use case then you can choose to use ipvlan:

    (a) The Linux host that is connected to the external switch / router has
        a policy configured that allows only one MAC per port.
    (b) The number of virtual devices created on a master exceeds the MAC
        capacity and puts the NIC in promiscuous mode, and degraded
        performance is a concern.
    (c) The slave device is to be put into a hostile / untrusted network
        namespace where L2 on the slave could be changed / misused.


7. Example configuration:
=========================

::

  +=============================================================+
  |  Host: host1                                                |
  |                                                             |
  |   +----------------------+      +----------------------+    |
  |   |   NS:ns0             |      |  NS:ns1              |    |
  |   |                      |      |                      |    |
  |   |                      |      |                      |    |
  |   |        ipvl0         |      |         ipvl1        |    |
  |   +----------#-----------+      +-----------#----------+    |
  |              #                              #               |
  |              ################################               |
  |                              # eth0                         |
  +==============================#==============================+


    (a) Create two network namespaces - ns0, ns1::

          ip netns add ns0
          ip netns add ns1

    (b) Create two ipvlan slaves on eth0 (master device)::

          ip link add link eth0 ipvl0 type ipvlan mode l2
          ip link add link eth0 ipvl1 type ipvlan mode l2

    (c) Assign slaves to the respective network namespaces::

          ip link set dev ipvl0 netns ns0
          ip link set dev ipvl1 netns ns1

    (d) Now switch to the namespace (ns0 or ns1) to configure the slave devices

        - For ns0::

            (1) ip netns exec ns0 bash
            (2) ip link set dev ipvl0 up
            (3) ip link set dev lo up
            (4) ip -4 addr add 127.0.0.1 dev lo
            (5) ip -4 addr add $IPADDR dev ipvl0
            (6) ip -4 route add default via $ROUTER dev ipvl0

        - For ns1::

            (1) ip netns exec ns1 bash
            (2) ip link set dev ipvl1 up
            (3) ip link set dev lo up
            (4) ip -4 addr add 127.0.0.1 dev lo
            (5) ip -4 addr add $IPADDR dev ipvl1
            (6) ip -4 route add default via $ROUTER dev ipvl1
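
The slaves created in step (b) above use the default bridge flag, so ns0 and ns1
can cross-talk; when a slave is handed to an untrusted namespace (case (c) in
section 6) the private flag is usually what you want. As an added example that is
not part of this HOWTO or of iproute2, the POSIX sh functions below read the
output of ``ip -d link show`` and report any named slave whose port flag is not
private. The sample output is constructed to resemble iproute2's detail format,
and the assumption is that the ipvlan detail line carries the flag word
(bridge, private or vepa) after the mode, as recent iproute2 prints it.

```shell
#!/bin/sh
# Added example, not part of the kernel HOWTO: audit ipvlan slaves from the
# output of `ip -d link show` and flag any slave whose port flag is not
# "private" (slaves in bridge or vepa mode can still reach each other).

# Constructed sample resembling iproute2's detail output for two slaves
# created as in the example configuration (layout may vary by version).
SAMPLE_IP_D_LINK='3: ipvl0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535
    ipvlan  mode l2 private addrgenmode eui64 numtxqueues 1 numrxqueues 1
4: ipvl1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535
    ipvlan  mode l2 bridge addrgenmode eui64 numtxqueues 1 numrxqueues 1'

# ipvlan_flag <ifname> <ip -d link show output>
# Prints the port flag (bridge|private|vepa) of the named ipvlan slave, or
# nothing if the device is absent, is not an ipvlan slave, or carries no flag.
ipvlan_flag() {
    printf '%s\n' "$2" | awk -v dev="$1" '
        # A new device record starts with "<index>: <name>@<master>: ..."
        /^[0-9]+: / { cur = $2; sub(/@.*/, "", cur) }
        # The detail line of an ipvlan slave starts with the word "ipvlan"
        cur == dev && $1 == "ipvlan" {
            for (i = 2; i <= NF; i++)
                if ($i == "bridge" || $i == "private" || $i == "vepa") { print $i; exit }
        }'
}

# ipvlan_audit <ip -d link show output> <ifname>...
# Returns 0 when every named slave is in private mode, 1 otherwise.
ipvlan_audit() {
    out=$1; shift
    rc=0
    for dev in "$@"; do
        flag=$(ipvlan_flag "$dev" "$out")
        if [ "$flag" != "private" ]; then
            echo "WARN: $dev has port flag '${flag:-unknown}'; slaves may cross-talk" >&2
            rc=1
        fi
    done
    return $rc
}

# Live use: run after step (b), while the slaves are still visible on the
# host, e.g.  ipvlan_audit "$(ip -d link show)" ipvl0 ipvl1
# or per namespace after step (c):  ipvlan_audit "$(ip -n ns0 -d link show)" ipvl0
```

Reading link details needs no privileges, but once a slave has been moved into
a namespace it only shows up in that namespace's listing.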