mirror_iproute2/man/man8/tc-tunnel_key.8

.TH "Tunnel metadata manipulation action in tc" 8 "10 Nov 2016" "iproute2" "Linux"

.SH NAME
tunnel_key - Tunnel metadata manipulation
.SH SYNOPSIS
.in +8
.ti -8
.BR tc " ... " "action tunnel_key" " { " unset " | "
.IR SET " }"

.ti -8
.IR SET " := "
.BR set " " src_ip
.IR ADDRESS
.BR dst_ip
.IR ADDRESS
.BI id " KEY_ID"
.BI dst_port " UDP_PORT"
.BI tos " TOS"
.BI ttl " TTL"
.RB "[ " csum " | " nocsum " ]"

.SH DESCRIPTION
The
.B tunnel_key
action combined with a shared IP tunnel device, allows to perform IP tunnel en-
or decapsulation on a packet, reflected by
the operation modes
.IR UNSET " and " SET .
The
.I UNSET
mode is optional - even without using it, the metadata information will be
released automatically when packet processing will be finished.
.IR UNSET
function could be used in cases when traffic is forwarded between two tunnels,
where the metadata from the first tunnel will be used for encapsulation done by
the second tunnel.
.IR SET
mode requires the source and destination ip
.I ADDRESS
and the tunnel key id
.I KEY_ID
which will be used by the ip tunnel shared device to create the tunnel header. The
.B tunnel_key
action is useful only in combination with a
.B mirred redirect
action to a shared IP tunnel device which will use the metadata (for
.I SET
) and unset the metadata created by it (for
.I UNSET
).

.SH OPTIONS
.TP
.B unset
Unset the tunnel metadata created by the IP tunnel device.  This function is
not mandatory and might be used only in some specific use cases (as explained
above).
.TP
.B set
Set tunnel metadata to be used by the IP tunnel device. Requires
.B id
,
.B src_ip
and
.B dst_ip
options.
.B dst_port
and
.B geneve_opts
are optional.
.RS
.TP
.B id
Tunnel ID (for example VNI in VXLAN tunnel)
.TP
.B src_ip
Outer header source IP address (IPv4 or IPv6)
.TP
.B dst_ip
Outer header destination IP address (IPv4 or IPv6)
.TP
.B dst_port
Outer header destination UDP port
.TP
.B geneve_opts
Geneve variable length options.
.B geneve_opts
is specified in the form CLASS:TYPE:DATA, where CLASS is represented as a
16bit hexadecimal value, TYPE as an 8bit hexadecimal value and DATA as a
variable length hexadecimal value. Additionally multiple options may be
listed using a comma delimiter.
.TP
.B tos
Outer header TOS
.TP
.B ttl
Outer header TTL
.TP
.RB [ no ] csum
Controlls outer UDP checksum. When set to
.B csum
(which is default), the outer UDP checksum is calculated and included in the
packets. When set to
.BR nocsum ,
outer UDP checksum is zero. Note that when using zero UDP checksums with
IPv6, the other tunnel endpoint must be configured to accept such packets.
In Linux, this would be the
.B udp6zerocsumrx
option for the VXLAN tunnel interface.
.IP
If using
.B nocsum
with IPv6, be sure you know what you are doing. Zero UDP checksums provide
weaker protection against corrupted packets. See RFC6935 for details.
.RE
.SH EXAMPLES
The following example encapsulates incoming ICMP packets on eth0 into a vxlan
tunnel, by setting metadata to VNI 11, source IP 11.11.0.1 and destination IP
11.11.0.2, and by redirecting the packet with the metadata to device vxlan0,
which will do the actual encapsulation using the metadata:

.RS
.EX
#tc qdisc add dev eth0 handle ffff: ingress
#tc filter add dev eth0 protocol ip parent ffff: \\
  flower \\
    ip_proto icmp \\
  action tunnel_key set \\
    src_ip 11.11.0.1 \\
    dst_ip 11.11.0.2 \\
    id 11 \\
  action mirred egress redirect dev vxlan0
.EE
.RE

Here is an example of the
.B unset
function: Incoming VXLAN traffic with outer IP's and VNI 11 is decapsulated by
vxlan0 and metadata is unset before redirecting to tunl1 device:

.RS
.EX
#tc qdisc add dev eth0 handle ffff: ingress
#tc filter add dev vxlan0 protocol ip parent ffff: \
  flower \\
	  enc_src_ip 11.11.0.2 enc_dst_ip 11.11.0.1 enc_key_id 11 \
	action tunnel_key unset \
	action mirred egress redirect dev tunl1
.EE
.RE

.SH SEE ALSO
.BR tc (8)