| .TH "Tunnel metadata manipulation action in tc" 8 "10 Nov 2016" "iproute2" "Linux" |
| |
| .SH NAME |
| tunnel_key - Tunnel metadata manipulation |
| .SH SYNOPSIS |
| .in +8 |
| .ti -8 |
| .BR tc " ... " "action tunnel_key" " { " unset " | " |
| .IR SET " }" |
| |
| .ti -8 |
| .IR SET " := " |
| .BR set " " src_ip |
| .IR ADDRESS |
| .BR dst_ip |
| .IR ADDRESS |
| .BI id " KEY_ID" |
| .BI dst_port " UDP_PORT" |
| .BI tos " TOS" |
| .BI ttl " TTL" |
| .RB "[ " csum " | " nocsum " ]" |
| |
| .SH DESCRIPTION |
| The |
| .B tunnel_key |
| action combined with a shared IP tunnel device, allows to perform IP tunnel en- |
| or decapsulation on a packet, reflected by |
| the operation modes |
| .IR UNSET " and " SET . |
| The |
| .I UNSET |
| mode is optional - even without using it, the metadata information will be |
| released automatically when packet processing will be finished. |
| .IR UNSET |
| function could be used in cases when traffic is forwarded between two tunnels, |
| where the metadata from the first tunnel will be used for encapsulation done by |
| the second tunnel. |
| .IR SET |
| mode requires the source and destination ip |
| .I ADDRESS |
| and the tunnel key id |
| .I KEY_ID |
| which will be used by the ip tunnel shared device to create the tunnel header. The |
| .B tunnel_key |
| action is useful only in combination with a |
| .B mirred redirect |
| action to a shared IP tunnel device which will use the metadata (for |
| .I SET |
| ) and unset the metadata created by it (for |
| .I UNSET |
| ). |
| |
| .SH OPTIONS |
| .TP |
| .B unset |
| Unset the tunnel metadata created by the IP tunnel device. This function is |
| not mandatory and might be used only in some specific use cases (as explained |
| above). |
| .TP |
| .B set |
| Set tunnel metadata to be used by the IP tunnel device. Requires |
| .B src_ip |
| and |
| .B dst_ip |
| options. |
| .B id |
| , |
| .B dst_port |
| and |
| .B geneve_opts |
| are optional. |
| .RS |
| .TP |
| .B id |
| Tunnel ID (for example VNI in VXLAN tunnel) |
| .TP |
| .B src_ip |
| Outer header source IP address (IPv4 or IPv6) |
| .TP |
| .B dst_ip |
| Outer header destination IP address (IPv4 or IPv6) |
| .TP |
| .B dst_port |
| Outer header destination UDP port |
| .TP |
| .B geneve_opts |
| Geneve variable length options. |
| .B geneve_opts |
| is specified in the form CLASS:TYPE:DATA, where CLASS is represented as a |
| 16bit hexadecimal value, TYPE as an 8bit hexadecimal value and DATA as a |
| variable length hexadecimal value. Additionally multiple options may be |
| listed using a comma delimiter. |
| .TP |
| .B tos |
| Outer header TOS |
| .TP |
| .B ttl |
| Outer header TTL |
| .TP |
| .RB [ no ] csum |
| Controls outer UDP checksum. When set to |
| .B csum |
| (which is default), the outer UDP checksum is calculated and included in the |
| packets. When set to |
| .BR nocsum , |
| outer UDP checksum is zero. Note that when using zero UDP checksums with |
| IPv6, the other tunnel endpoint must be configured to accept such packets. |
| In Linux, this would be the |
| .B udp6zerocsumrx |
| option for the VXLAN tunnel interface. |
| .IP |
| If using |
| .B nocsum |
| with IPv6, be sure you know what you are doing. Zero UDP checksums provide |
| weaker protection against corrupted packets. See RFC6935 for details. |
| .RE |
| .SH EXAMPLES |
| The following example encapsulates incoming ICMP packets on eth0 into a vxlan |
| tunnel, by setting metadata to VNI 11, source IP 11.11.0.1 and destination IP |
| 11.11.0.2, and by redirecting the packet with the metadata to device vxlan0, |
| which will do the actual encapsulation using the metadata: |
| |
| .RS |
| .EX |
| #tc qdisc add dev eth0 handle ffff: ingress |
| #tc filter add dev eth0 protocol ip parent ffff: \\ |
| flower \\ |
| ip_proto icmp \\ |
| action tunnel_key set \\ |
| src_ip 11.11.0.1 \\ |
| dst_ip 11.11.0.2 \\ |
| id 11 \\ |
| action mirred egress redirect dev vxlan0 |
| .EE |
| .RE |
| |
| Here is an example of the |
| .B unset |
| function: Incoming VXLAN traffic with outer IP's and VNI 11 is decapsulated by |
| vxlan0 and metadata is unset before redirecting to tunl1 device: |
| |
| .RS |
| .EX |
| #tc qdisc add dev eth0 handle ffff: ingress |
| #tc filter add dev vxlan0 protocol ip parent ffff: \ |
| flower \\ |
| enc_src_ip 11.11.0.2 enc_dst_ip 11.11.0.1 enc_key_id 11 \ |
| action tunnel_key unset \ |
| action mirred egress redirect dev tunl1 |
| .EE |
| .RE |
| |
| .SH SEE ALSO |
| .BR tc (8) |