Services currently have to be VRF-aware if they are using an unbound socket. One cannot have multiple service instances running in the default and other VRFs for services that are not VRF-aware and listen on an unbound socket. This is because there is no way of isolating packets received in the default VRF from those arriving in other VRFs.
This series provides this isolation subject to the existing kernel parameter net.ipv4.tcp_l3mdev_accept not being set, given that this is documented as allowing a single service instance to work across all VRF domains. The functionality applies to UDP & TCP services, for IPv4 and IPv6, in particular adding VRF table handling for IPv6 multicast.

Example of running ssh instances in default and blue VRF:

$ /usr/sbin/sshd -D
$ ip vrf exec vrf-blue /usr/sbin/sshd
$ ss -ta | egrep 'State|ssh'
State   Recv-Q   Send-Q   Local Address:Port           Peer Address:Port
LISTEN  0        128      0.0.0.0%vrf-blue:ssh         0.0.0.0:*
LISTEN  0        128      0.0.0.0:ssh                  0.0.0.0:*
ESTAB   0        0        192.168.122.220:ssh          192.168.122.1:50282
LISTEN  0        128      [::]%vrf-blue:ssh            [::]:*
LISTEN  0        128      [::]:ssh                     [::]:*
ESTAB   0        0        [3000::2]%vrf-blue:ssh       [3000::9]:45896
ESTAB   0        0        [2000::2]:ssh                [2000::9]:46398

v1:
 - Address Paolo Abeni's comments (patch 4/5)
 - Fix build when CONFIG_NET_L3_MASTER_DEV not defined (patch 1/5)

Dewi Morgan (1):
  ipv6: do not drop vrf udp multicast packets

Mike Manning (1):
  ipv6: allow link-local and multicast packets inside vrf

Patrick Ruddy (1):
  ipv6: add vrf table handling code for ipv6 mcast

Robert Shearman (2):
  net: allow binding socket in a VRF when there's an unbound socket
  ipv4: Allow sending multicast packets on specific i/f using VRF socket

 Documentation/networking/vrf.txt |  9 ++++----
 drivers/net/vrf.c                | 30 ++++++++++++++++--------
 include/net/inet6_hashtables.h   |  5 ++--
 include/net/inet_hashtables.h    | 31 +++++++++++++++++++------
 include/net/inet_sock.h          | 13 +++++++++++
 net/core/sock.c                  |  2 ++
 net/ipv4/datagram.c              |  2 +-
 net/ipv4/inet_connection_sock.c  | 13 ++++++++---
 net/ipv4/inet_hashtables.c       | 34 +++++++++++++++++----------
 net/ipv4/ip_sockglue.c           |  3 +++
 net/ipv4/ping.c                  |  2 +-
 net/ipv4/raw.c                   |  6 ++---
 net/ipv4/udp.c                   | 17 ++++++-------
 net/ipv6/datagram.c              |  5 +++-
 net/ipv6/inet6_hashtables.c      | 14 +++++------
 net/ipv6/ip6_input.c             | 43 +++++++++++++++++++++++++++++++----
 net/ipv6/ip6mr.c                 | 49 ++++++++++++++++++++++++++++++++++++----------
 net/ipv6/ipv6_sockglue.c         |  5 +++-
 net/ipv6/raw.c                   |  6 ++---
 net/ipv6/udp.c                   | 22 ++++++++----------
 20 files changed, 214 insertions(+), 97 deletions(-)

-- 
2.11.0
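A Python model of the listener-selection rule the cover letter describes, added here as an example and not code from the series: it mirrors the inet_bound_dev_eq() device-match helper the series adds to include/net/inet_sock.h (an unbound socket sees VRF traffic only when net.ipv4.tcp_l3mdev_accept is set), and models the lookup scoring that prefers a socket bound to the VRF device. The ifindexes and socket names are constructed for the demo.

```python
# Model (added example, not code from the patch series) of which listening
# socket an incoming SYN reaches once this series is applied.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ListenSock:
    name: str
    bound_dev_if: int  # 0 for an unbound socket, else the VRF (or NIC) ifindex


def bound_dev_eq(l3mdev_accept: bool, bound_dev_if: int, dif: int, sdif: int) -> bool:
    """dif: ingress ifindex; sdif: ifindex of its VRF master device (0 if none)."""
    if not bound_dev_if:
        # Unbound socket: always matches default-VRF traffic, and matches
        # traffic arriving inside a VRF only when tcp_l3mdev_accept is set.
        return not sdif or l3mdev_accept
    return bound_dev_if in (dif, sdif)


def lookup_listener(socks: List[ListenSock], dif: int, sdif: int,
                    l3mdev_accept: bool = False) -> Optional[ListenSock]:
    """Pick the best-matching listener; a device-bound socket outscores an unbound one."""
    best, best_score = None, -1
    for sk in socks:
        if not bound_dev_eq(l3mdev_accept, sk.bound_dev_if, dif, sdif):
            continue
        score = 1 + (4 if sk.bound_dev_if else 0)
        if score > best_score:
            best, best_score = sk, score
    return best


# Constructed topology: eth0 (ifindex 2) in the default VRF,
# vrf-blue (ifindex 10) enslaving eth1 (ifindex 3).
ETH0, ETH1, VRF_BLUE = 2, 3, 10
SSHD_DEFAULT = ListenSock("sshd (default VRF)", 0)
SSHD_BLUE = ListenSock("sshd (vrf-blue)", VRF_BLUE)


def demo() -> dict:
    both = [SSHD_DEFAULT, SSHD_BLUE]
    return {
        "default_vrf_pkt": lookup_listener(both, ETH0, 0),
        "blue_vrf_pkt": lookup_listener(both, ETH1, VRF_BLUE),
        "blue_pkt_only_default_instance": lookup_listener([SSHD_DEFAULT], ETH1, VRF_BLUE),
        "blue_pkt_l3mdev_accept": lookup_listener([SSHD_DEFAULT], ETH1, VRF_BLUE, True),
    }


if __name__ == "__main__":
    for case, sk in demo().items():
        print(f"{case}: {sk.name if sk else 'no listener (isolated)'}")
```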