From 9985416197e02a7094aa9b457564a2fede721a24 Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Wed, 4 Mar 2015 17:22:52 +0100
Subject: [PATCH 1/2] macvlan: add 'passthru' mode

In setup where we want to sniff with an IDS from inside a container we can use the 'passthru' mode of macvlan. This was not accessible from the config and this patch fixes the issue.

Signed-off-by: Eric Leblond
---
 src/lxc/conf.h | 2 +-
 src/lxc/confile.c | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 48f7fa253..aca882c3c 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -100,7 +100,7 @@ struct ifla_vlan {
 };
 struct ifla_macvlan {
- int mode; /* private, vepa, bridge */
+ int mode; /* private, vepa, bridge, passthru */
 };
 union netdev_p {
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 7e8b6a2d7..57347351e 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -517,6 +517,10 @@ static int network_ifname(char **valuep, const char *value)
 # define MACVLAN_MODE_BRIDGE 4
 #endif
+#ifndef MACVLAN_MODE_PASSTHRU
+# define MACVLAN_MODE_PASSTHRU 8
+#endif
+
 static int macvlan_mode(int *valuep, const char *value)
 {
 struct mc_mode {
@@ -526,6 +530,7 @@ static int macvlan_mode(int *valuep, const char *value)
 { "private", MACVLAN_MODE_PRIVATE },
 { "vepa", MACVLAN_MODE_VEPA },
 { "bridge", MACVLAN_MODE_BRIDGE },
+ { "passthru", MACVLAN_MODE_PASSTHRU },
 };
 int i;
@@ -2286,6 +2291,7 @@ static int lxc_get_item_nic(struct lxc_conf *c, char *retv, int inlen,
 case MACVLAN_MODE_PRIVATE: mode = "private"; break;
 case MACVLAN_MODE_VEPA: mode = "vepa"; break;
 case MACVLAN_MODE_BRIDGE: mode = "bridge"; break;
+ case MACVLAN_MODE_PASSTHRU: mode = "passthru"; break;
 default: mode = "(invalid)"; break;
 }
 strprint(retv, inlen, "%s", mode);
From c15ea60706591a97d5c66137b74587549ef4d7e3 Mon Sep 17 00:00:00 2001
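Review bot: The fallback `# define MACVLAN_MODE_PASSTHRU 8` in the first confile.c hunk hard-codes a kernel UAPI enum value with no comment on its origin, and a wrong value here would not fail loudly — the container would simply be attached in a different macvlan mode; the existing fallbacks (only `MACVLAN_MODE_BRIDGE 4` is visible in the hunk) may already carry such a comment above the hunk, but if not I would add `/* mirrors enum macvlan_mode in linux/if_link.h; keep in sync */` above the new `#ifndef` block. Passthru is also not just "one more mode": as I understand the kernel semantics it hands the underlying device over to the single macvlan on it (the lower device's MAC and promiscuous state follow the container's interface), which is exactly what the IDS use case in the commit message wants but is a larger grant than private/vepa/bridge, so the `mc_mode` table entry or the conf.h mode comment should say so for anyone reviewing a container config, e.g. `{ "passthru", MACVLAN_MODE_PASSTHRU }, /* container takes over the lower device */`. The body of macvlan_mode continues past the end of the hunk.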
From: Eric Leblond
Date: Sat, 23 May 2015 17:50:31 +0200
Subject: [PATCH 2/2] doc: add 'macvlan' 'passthru' mode

This patch also reword the macvlan section which was hard to read.

Signed-off-by: Eric Leblond
---
 doc/lxc.container.conf.sgml.in | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index aceeb1e12..cc6fcc44d 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -325,16 +325,18 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA specifies the mode the macvlan will use to communicate between different macvlan on the same upper device. The accepted - modes are , the device never - communicates with any other device on the same upper_dev (default), - , the new Virtual Ethernet Port + modes are , , + and . + In mode, the device never + communicates with any other device on the same upper_dev (default). + In mode, the new Virtual Ethernet Port Aggregator (VEPA) mode, it assumes that the adjacent bridge returns all frames where both source and destination are local to the macvlan port, i.e. the bridge is set up as a reflective relay. Broadcast frames coming in from the upper_dev get flooded to all macvlan interfaces in VEPA mode, local frames are not - delivered locally, or , it + delivered locally. In mode, it provides the behavior of a simple bridge between different macvlan interfaces on the same port. Frames from one interface to another one get delivered directly 
@@ -343,7 +345,11 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA interface, but when they come back from a reflective relay, we don't deliver them again. Since we know all the MAC addresses, the macvlan bridge mode does not - require learning or STP like the bridge module does. + require learning or STP like the bridge module does. In + mode, all frames received by + the physical interface are forwarded to the macvlan + interface. Only one macvlan interface in + mode is possible for one physical interface.