fe94cc290f
The BPF seg6local hook should be powerful enough to enable users to implement most of the use-cases one could think of. After some thinking, we figured out that the following actions should be possible on a SRv6 packet, requiring 3 specific helpers : - bpf_lwt_seg6_store_bytes: Modify non-sensitive fields of the SRH - bpf_lwt_seg6_adjust_srh: Allow to grow or shrink a SRH (to add/delete TLVs) - bpf_lwt_seg6_action: Apply some SRv6 network programming actions (specifically End.X, End.T, End.B6 and End.B6.Encap) The specifications of these helpers are provided in the patch (see include/uapi/linux/bpf.h). The non-sensitive fields of the SRH are the following : flags, tag and TLVs. The other fields can not be modified, to maintain the SRH integrity. Flags, tag and TLVs can easily be modified as their validity can be checked afterwards via seg6_validate_srh. It is not allowed to modify the segments directly. If one wants to add segments on the path, he should stack a new SRH using the End.B6 action via bpf_lwt_seg6_action. Growing, shrinking or editing TLVs via the helpers will flag the SRH as invalid, and it will have to be re-validated before re-entering the IPv6 layer. This flag is stored in a per-CPU buffer, along with the current header length in bytes. Storing the SRH len in bytes in the control block is mandatory when using bpf_lwt_seg6_adjust_srh. The Header Ext. Length field contains the SRH len rounded to 8 bytes (a padding TLV can be inserted to ensure the 8-bytes boundary). When adding/deleting TLVs within the BPF program, the SRH may temporary be in an invalid state where its length cannot be rounded to 8 bytes without remainder, hence the need to store the length in bytes separately. The caller of the BPF program can then ensure that the SRH's final length is valid using this value. Again, a final SRH modified by a BPF program which doesn’t respect the 8-bytes boundary will be discarded as it will be considered as invalid. Finally, a fourth helper is provided, bpf_lwt_push_encap, which is available from the LWT BPF IN hook, but not from the seg6local BPF one. This helper allows to encapsulate a Segment Routing Header (either with a new outer IPv6 header, or by inlining it directly in the existing IPv6 header) into a non-SRv6 packet. This helper is required if we want to offer the possibility to dynamically encapsulate a SRH for non-SRv6 packet, as the BPF seg6local hook only works on traffic already containing a SRH. This is the BPF equivalent of the seg6 LWT infrastructure, which achieves the same purpose but with a static SRH per route. These helpers require CONFIG_IPV6=y (and not =m). Signed-off-by: Mathieu Xhonneux <m.xhonneux@gmail.com> Acked-by: David Lebrun <dlebrun@google.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
337 lines
9 KiB
Text
337 lines
9 KiB
Text
#
|
|
# IPv6 configuration
|
|
#
|
|
|
|
# IPv6 as module will cause a CRASH if you try to unload it
|
|
menuconfig IPV6
|
|
tristate "The IPv6 protocol"
|
|
default y
|
|
---help---
|
|
Support for IP version 6 (IPv6).
|
|
|
|
For general information about IPv6, see
|
|
<https://en.wikipedia.org/wiki/IPv6>.
|
|
For specific information about IPv6 under Linux, see
|
|
Documentation/networking/ipv6.txt and read the HOWTO at
|
|
<http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/>
|
|
|
|
To compile this protocol support as a module, choose M here: the
|
|
module will be called ipv6.
|
|
|
|
if IPV6
|
|
|
|
config IPV6_ROUTER_PREF
|
|
bool "IPv6: Router Preference (RFC 4191) support"
|
|
---help---
|
|
Router Preference is an optional extension to the Router
|
|
Advertisement message which improves the ability of hosts
|
|
to pick an appropriate router, especially when the hosts
|
|
are placed in a multi-homed network.
|
|
|
|
If unsure, say N.
|
|
|
|
config IPV6_ROUTE_INFO
|
|
bool "IPv6: Route Information (RFC 4191) support"
|
|
depends on IPV6_ROUTER_PREF
|
|
---help---
|
|
Support of Route Information.
|
|
|
|
If unsure, say N.
|
|
|
|
config IPV6_OPTIMISTIC_DAD
|
|
bool "IPv6: Enable RFC 4429 Optimistic DAD"
|
|
---help---
|
|
Support for optimistic Duplicate Address Detection. It allows for
|
|
autoconfigured addresses to be used more quickly.
|
|
|
|
If unsure, say N.
|
|
|
|
config INET6_AH
|
|
tristate "IPv6: AH transformation"
|
|
select XFRM_ALGO
|
|
select CRYPTO
|
|
select CRYPTO_HMAC
|
|
select CRYPTO_MD5
|
|
select CRYPTO_SHA1
|
|
---help---
|
|
Support for IPsec AH.
|
|
|
|
If unsure, say Y.
|
|
|
|
config INET6_ESP
|
|
tristate "IPv6: ESP transformation"
|
|
select XFRM_ALGO
|
|
select CRYPTO
|
|
select CRYPTO_AUTHENC
|
|
select CRYPTO_HMAC
|
|
select CRYPTO_MD5
|
|
select CRYPTO_CBC
|
|
select CRYPTO_SHA1
|
|
select CRYPTO_DES
|
|
select CRYPTO_ECHAINIV
|
|
---help---
|
|
Support for IPsec ESP.
|
|
|
|
If unsure, say Y.
|
|
|
|
config INET6_ESP_OFFLOAD
|
|
tristate "IPv6: ESP transformation offload"
|
|
depends on INET6_ESP
|
|
select XFRM_OFFLOAD
|
|
default n
|
|
---help---
|
|
Support for ESP transformation offload. This makes sense
|
|
only if this system really does IPsec and want to do it
|
|
with high throughput. A typical desktop system does not
|
|
need it, even if it does IPsec.
|
|
|
|
If unsure, say N.
|
|
|
|
config INET6_IPCOMP
|
|
tristate "IPv6: IPComp transformation"
|
|
select INET6_XFRM_TUNNEL
|
|
select XFRM_IPCOMP
|
|
---help---
|
|
Support for IP Payload Compression Protocol (IPComp) (RFC3173),
|
|
typically needed for IPsec.
|
|
|
|
If unsure, say Y.
|
|
|
|
config IPV6_MIP6
|
|
tristate "IPv6: Mobility"
|
|
select XFRM
|
|
---help---
|
|
Support for IPv6 Mobility described in RFC 3775.
|
|
|
|
If unsure, say N.
|
|
|
|
config IPV6_ILA
|
|
tristate "IPv6: Identifier Locator Addressing (ILA)"
|
|
depends on NETFILTER
|
|
select LWTUNNEL
|
|
---help---
|
|
Support for IPv6 Identifier Locator Addressing (ILA).
|
|
|
|
ILA is a mechanism to do network virtualization without
|
|
encapsulation. The basic concept of ILA is that we split an
|
|
IPv6 address into a 64 bit locator and 64 bit identifier. The
|
|
identifier is the identity of an entity in communication
|
|
("who") and the locator expresses the location of the
|
|
entity ("where").
|
|
|
|
ILA can be configured using the "encap ila" option with
|
|
"ip -6 route" command. ILA is described in
|
|
https://tools.ietf.org/html/draft-herbert-nvo3-ila-00.
|
|
|
|
If unsure, say N.
|
|
|
|
config INET6_XFRM_TUNNEL
|
|
tristate
|
|
select INET6_TUNNEL
|
|
default n
|
|
|
|
config INET6_TUNNEL
|
|
tristate
|
|
default n
|
|
|
|
config INET6_XFRM_MODE_TRANSPORT
|
|
tristate "IPv6: IPsec transport mode"
|
|
default IPV6
|
|
select XFRM
|
|
---help---
|
|
Support for IPsec transport mode.
|
|
|
|
If unsure, say Y.
|
|
|
|
config INET6_XFRM_MODE_TUNNEL
|
|
tristate "IPv6: IPsec tunnel mode"
|
|
default IPV6
|
|
select XFRM
|
|
---help---
|
|
Support for IPsec tunnel mode.
|
|
|
|
If unsure, say Y.
|
|
|
|
config INET6_XFRM_MODE_BEET
|
|
tristate "IPv6: IPsec BEET mode"
|
|
default IPV6
|
|
select XFRM
|
|
---help---
|
|
Support for IPsec BEET mode.
|
|
|
|
If unsure, say Y.
|
|
|
|
config INET6_XFRM_MODE_ROUTEOPTIMIZATION
|
|
tristate "IPv6: MIPv6 route optimization mode"
|
|
select XFRM
|
|
---help---
|
|
Support for MIPv6 route optimization mode.
|
|
|
|
config IPV6_VTI
|
|
tristate "Virtual (secure) IPv6: tunneling"
|
|
select IPV6_TUNNEL
|
|
select NET_IP_TUNNEL
|
|
depends on INET6_XFRM_MODE_TUNNEL
|
|
---help---
|
|
Tunneling means encapsulating data of one protocol type within
|
|
another protocol and sending it over a channel that understands the
|
|
encapsulating protocol. This can be used with xfrm mode tunnel to give
|
|
the notion of a secure tunnel for IPSEC and then use routing protocol
|
|
on top.
|
|
|
|
config IPV6_SIT
|
|
tristate "IPv6: IPv6-in-IPv4 tunnel (SIT driver)"
|
|
select INET_TUNNEL
|
|
select NET_IP_TUNNEL
|
|
select IPV6_NDISC_NODETYPE
|
|
default y
|
|
---help---
|
|
Tunneling means encapsulating data of one protocol type within
|
|
another protocol and sending it over a channel that understands the
|
|
encapsulating protocol. This driver implements encapsulation of IPv6
|
|
into IPv4 packets. This is useful if you want to connect two IPv6
|
|
networks over an IPv4-only path.
|
|
|
|
Saying M here will produce a module called sit. If unsure, say Y.
|
|
|
|
config IPV6_SIT_6RD
|
|
bool "IPv6: IPv6 Rapid Deployment (6RD)"
|
|
depends on IPV6_SIT
|
|
default n
|
|
---help---
|
|
IPv6 Rapid Deployment (6rd; draft-ietf-softwire-ipv6-6rd) builds upon
|
|
mechanisms of 6to4 (RFC3056) to enable a service provider to rapidly
|
|
deploy IPv6 unicast service to IPv4 sites to which it provides
|
|
customer premise equipment. Like 6to4, it utilizes stateless IPv6 in
|
|
IPv4 encapsulation in order to transit IPv4-only network
|
|
infrastructure. Unlike 6to4, a 6rd service provider uses an IPv6
|
|
prefix of its own in place of the fixed 6to4 prefix.
|
|
|
|
With this option enabled, the SIT driver offers 6rd functionality by
|
|
providing additional ioctl API to configure the IPv6 Prefix for in
|
|
stead of static 2002::/16 for 6to4.
|
|
|
|
If unsure, say N.
|
|
|
|
config IPV6_NDISC_NODETYPE
|
|
bool
|
|
|
|
config IPV6_TUNNEL
|
|
tristate "IPv6: IP-in-IPv6 tunnel (RFC2473)"
|
|
select INET6_TUNNEL
|
|
select DST_CACHE
|
|
select GRO_CELLS
|
|
---help---
|
|
Support for IPv6-in-IPv6 and IPv4-in-IPv6 tunnels described in
|
|
RFC 2473.
|
|
|
|
If unsure, say N.
|
|
|
|
config IPV6_GRE
|
|
tristate "IPv6: GRE tunnel"
|
|
select IPV6_TUNNEL
|
|
select NET_IP_TUNNEL
|
|
depends on NET_IPGRE_DEMUX
|
|
---help---
|
|
Tunneling means encapsulating data of one protocol type within
|
|
another protocol and sending it over a channel that understands the
|
|
encapsulating protocol. This particular tunneling driver implements
|
|
GRE (Generic Routing Encapsulation) and at this time allows
|
|
encapsulating of IPv4 or IPv6 over existing IPv6 infrastructure.
|
|
This driver is useful if the other endpoint is a Cisco router: Cisco
|
|
likes GRE much better than the other Linux tunneling driver ("IP
|
|
tunneling" above). In addition, GRE allows multicast redistribution
|
|
through the tunnel.
|
|
|
|
Saying M here will produce a module called ip6_gre. If unsure, say N.
|
|
|
|
config IPV6_FOU
|
|
tristate
|
|
default NET_FOU && IPV6
|
|
|
|
config IPV6_FOU_TUNNEL
|
|
tristate
|
|
default NET_FOU_IP_TUNNELS && IPV6_FOU
|
|
select IPV6_TUNNEL
|
|
|
|
config IPV6_MULTIPLE_TABLES
|
|
bool "IPv6: Multiple Routing Tables"
|
|
select FIB_RULES
|
|
---help---
|
|
Support multiple routing tables.
|
|
|
|
config IPV6_SUBTREES
|
|
bool "IPv6: source address based routing"
|
|
depends on IPV6_MULTIPLE_TABLES
|
|
---help---
|
|
Enable routing by source address or prefix.
|
|
|
|
The destination address is still the primary routing key, so mixing
|
|
normal and source prefix specific routes in the same routing table
|
|
may sometimes lead to unintended routing behavior. This can be
|
|
avoided by defining different routing tables for the normal and
|
|
source prefix specific routes.
|
|
|
|
If unsure, say N.
|
|
|
|
config IPV6_MROUTE
|
|
bool "IPv6: multicast routing"
|
|
depends on IPV6
|
|
select IP_MROUTE_COMMON
|
|
---help---
|
|
Support for IPv6 multicast forwarding.
|
|
If unsure, say N.
|
|
|
|
config IPV6_MROUTE_MULTIPLE_TABLES
|
|
bool "IPv6: multicast policy routing"
|
|
depends on IPV6_MROUTE
|
|
select FIB_RULES
|
|
help
|
|
Normally, a multicast router runs a userspace daemon and decides
|
|
what to do with a multicast packet based on the source and
|
|
destination addresses. If you say Y here, the multicast router
|
|
will also be able to take interfaces and packet marks into
|
|
account and run multiple instances of userspace daemons
|
|
simultaneously, each one handling a single table.
|
|
|
|
If unsure, say N.
|
|
|
|
config IPV6_PIMSM_V2
|
|
bool "IPv6: PIM-SM version 2 support"
|
|
depends on IPV6_MROUTE
|
|
---help---
|
|
Support for IPv6 PIM multicast routing protocol PIM-SMv2.
|
|
If unsure, say N.
|
|
|
|
config IPV6_SEG6_LWTUNNEL
|
|
bool "IPv6: Segment Routing Header encapsulation support"
|
|
depends on IPV6
|
|
select LWTUNNEL
|
|
select DST_CACHE
|
|
select IPV6_MULTIPLE_TABLES
|
|
---help---
|
|
Support for encapsulation of packets within an outer IPv6
|
|
header and a Segment Routing Header using the lightweight
|
|
tunnels mechanism. Also enable support for advanced local
|
|
processing of SRv6 packets based on their active segment.
|
|
|
|
If unsure, say N.
|
|
|
|
config IPV6_SEG6_HMAC
|
|
bool "IPv6: Segment Routing HMAC support"
|
|
depends on IPV6
|
|
select CRYPTO_HMAC
|
|
select CRYPTO_SHA1
|
|
select CRYPTO_SHA256
|
|
---help---
|
|
Support for HMAC signature generation and verification
|
|
of SR-enabled packets.
|
|
|
|
If unsure, say N.
|
|
|
|
config IPV6_SEG6_BPF
|
|
def_bool y
|
|
depends on IPV6_SEG6_LWTUNNEL
|
|
depends on IPV6 = y
|
|
|
|
endif # IPV6
|