Page MenuHomeFreeBSD
Differential D48646

Virtualise if_vxlan
Needs ReviewPublic
Actions

Authored by zlei on Thu, Jan 23, 7:31 PM.

Details

Reviewers
bryanv
np
kib
hrs
Group Reviewers
network
Summary

This is the last driver which lacks VNET support. With this change it will be practical to do tests via test framework. This should also fix the long standing PR 255882.

Test Plan
    1. stress test with iperf3, with different vxlan interface in different jails which connected with epair(4).
  2. test vmove, aka ifconfig vxlan0 vnet foo, ifconfig vxlan0 -vnet foo.
  3. test vxlan hardware offload ( no hardware available right now )
  4. create and config vxlan in vnet jail. Destroy the jail ( jail -R foo ).

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

zlei created this revision.Thu, Jan 23, 7:31 PM
Herald added subscribers: olce, glebius, melifaro and 2 others. · View Herald TranscriptThu, Jan 23, 7:31 PM
zlei requested review of this revision.Thu, Jan 23, 7:31 PM
zlei added a comment.Thu, Jan 23, 7:37 PM

Current know problem, the fourth test,

create and config vxlan in vnet jail. Destroy the jail ( jail -R foo ).

may panic, or block the jail from destroying, or the jail keep in dying state ( jls -d ).

zlei added a parent revision: D48621: if_vxlan(4): Prefer SYSCTL_INT over TUNABLE_INT.Thu, Jan 23, 7:38 PM
afedorov added a subscriber: afedorov.Thu, Jan 23, 8:11 PM
afedorov added a comment.Thu, Jan 23, 8:24 PM

It won't work becaus, if_vxlan(4) exports various statistics and tables via sysctl. But for VNET we can only change the values, and not the tree itself.

The problem is somewhat broader.

afedorov added inline comments.Thu, Jan 23, 9:09 PM
sys/net/if_vxlan.c
3582

We can’t move vxlan to the jail., because vxl_unit is the same.

zlei added a comment.Fri, Jan 24, 1:58 AM
In D48646#1109329, @afedorov wrote:

It won't work becaus, if_vxlan(4) exports various statistics and tables via sysctl. But for VNET we can only change the values, and not the tree itself.

The problem is somewhat broader.

Yeah, this is another known issue, I forgot to mention this. I'm proposing to have a global unique number for those dynamically added sysctl nodes, but that apparently may leak sensitive info , such as forwarding table entries. Or we should apply restrictions for that, but I have no idea how to restrict that.

zlei added inline comments.Fri, Jan 24, 2:07 AM
sys/net/if_vxlan.c
3582

ifnet vmove is another known problem. For vxlan(4), it appears less useful to move an interface to another vnet, given the cloner has been already virtualized and you can attache to that jail / vnet to clone create a new one.

I once have the idea to introduce a cloner flag, say IFC_F_NO_VMOVE to forbid some clone create interfaces to be moved. Known good candidates are if_pflog, if_pfsync, and if_lo. Tunnel drivers such as if_gif / if_gre / if_vxlan may also have this restriction, so we no longer need if_reassign handler.

zlei added inline comments.Fri, Jan 24, 2:11 AM
sys/net/if_vxlan.c
3582

We can’t move vxlan to the jail., because vxl_unit is the same.

See vxlan_reassign(), the interface to be vmoved was reset to factory default status, aka no vni, vxlan local or vxlan remote .

Revision Contents
Changeset List

PathSize
sys/
kern/
1 line
net/
111 lines

Diff 149823

View Options

sys/kern/kern_jail.c

Loading...
View Options

sys/net/if_vxlan.c

Loading...