.. SPDX-License-Identifier: GPL-2.0

===================
IPVLAN Driver HOWTO
===================

Initial Release:
        Mahesh Bandewar <maheshb AT google.com>

1. Introduction:
================
This is conceptually very similar to the macvlan driver, with one major
exception: it uses L3 for mux-ing / demux-ing among slaves. This property makes
the master device share the L2 with its slave devices. I have developed this
driver in conjunction with network namespaces and am not sure if there is a use
case outside of it.


2. Building and Installation:
=============================

In order to build the driver, please select the config item CONFIG_IPVLAN.
The driver can be built into the kernel (CONFIG_IPVLAN=y) or as a module
(CONFIG_IPVLAN=m).


3. Configuration:
=================

There are no module parameters for this driver and it can be configured
using the IProute2/ip utility.
::

    ip link add link <master> name <slave> type ipvlan [ mode MODE ] [ FLAGS ]
       where
         MODE: l3 (default) | l3s | l2
         FLAGS: bridge (default) | private | vepa

e.g.

    (a) The following will create an IPvlan link with eth0 as master in
        L3 bridge mode::

          bash# ip link add link eth0 name ipvl0 type ipvlan

    (b) This command will create an IPvlan link in L2 bridge mode::

          bash# ip link add link eth0 name ipvl0 type ipvlan mode l2 bridge

    (c) This command will create an IPvlan device in L2 private mode::

          bash# ip link add link eth0 name ipvlan type ipvlan mode l2 private

    (d) This command will create an IPvlan device in L2 vepa mode::

          bash# ip link add link eth0 name ipvlan type ipvlan mode l2 vepa


4. Operating modes:
===================

IPvlan has two modes of operation - L2 and L3. For a given master device,
you can select one of these two modes and all slaves on that master will
operate in the same (selected) mode. The RX mode is almost identical except
that in L3 mode the slaves won't receive any multicast / broadcast traffic.
L3 mode is more restrictive since routing is controlled from the other (mostly)
default namespace.

4.1 L2 mode:
------------

In this mode TX processing happens on the stack instance attached to the
slave device and packets are switched and queued to the master device to send
out. In this mode the slaves will RX/TX multicast and broadcast (if applicable)
as well.

4.2 L3 mode:
------------

In this mode TX processing up to L3 happens on the stack instance attached
to the slave device and packets are switched to the stack instance of the
master device for the L2 processing and routing from that instance will be
used before packets are queued on the outbound device. In this mode the slaves
can neither receive nor send multicast / broadcast traffic.

4.3 L3S mode:
-------------

This is very similar to the L3 mode except that iptables (conn-tracking)
works in this mode and hence it is L3-symmetric (L3s). This will have slightly
lower performance but that shouldn't matter since you are choosing this mode
over plain-L3 mode to make conn-tracking work.

5. Mode flags:
==============

At this time the following mode flags are available:

5.1 bridge:
-----------
This is the default option. To configure the IPvlan port in this mode,
the user can either add this option on the command line or not specify
anything. This is the traditional mode where slaves can cross-talk among
themselves apart from talking through the master device.

5.2 private:
------------
If this option is added to the command line, the port is set in private
mode, i.e. the port won't allow cross communication between slaves.

5.3 vepa:
---------
If this is added to the command line, the port is set in VEPA mode,
i.e. the port will offload switching functionality to the external entity as
described in 802.1Qbg.

Note: VEPA mode in IPvlan has limitations. IPvlan uses the mac-address of the
master-device, so the packets which are emitted in this mode for the adjacent
neighbor will have the same source and destination mac. This will make the
switch / router send the redirect message.
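
The flags above decide whether slaves on one master can reach each other, so it is worth checking what a host actually runs. The following added example (not part of the original HOWTO) parses ``ip -d -o link show type ipvlan`` output and reports the mode and flag of each slave; the ``ipvlan mode <MODE> <FLAG>`` token layout is an assumption about iproute2's detail output, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: report mode and flag of each IPvlan slave.
# Assumption: input is `ip -d -o link show type ipvlan` output, one link per
# line, whose detail part contains the tokens "ipvlan mode <MODE> <FLAG>".

# Prints "<slave> <master> <mode> <flag> crosstalk=<yes|no|external|unknown>".
audit_ipvlan() {
    awk '
    {
        dev = $2; sub(/:$/, "", dev)            # "ipvl0@eth0:" -> "ipvl0@eth0"
        n = split(dev, p, "@")
        master = (n > 1) ? p[2] : "-"
        mode = ""; flag = ""
        # Every link line also has an unrelated "mode DEFAULT" (link mode),
        # so accept "mode" only when it directly follows the "ipvlan" token.
        for (i = 1; i < NF; i++)
            if ($i == "ipvlan" && $(i + 1) == "mode") {
                mode = $(i + 2); flag = $(i + 3)
            }
        if (mode == "") next                    # not an IPvlan link
        if (flag == "bridge")       talk = "yes"       # slaves reach each other
        else if (flag == "private") talk = "no"        # no slave-to-slave traffic
        else if (flag == "vepa")    talk = "external"  # switched outside the host
        else { flag = "?"; talk = "unknown" }          # flag not printed
        print p[1], master, mode, flag, "crosstalk=" talk
    }'
}

# Number of slaves whose flag permits slave-to-slave traffic on the host.
count_crosstalk() {
    audit_ipvlan | awk '/crosstalk=yes$/ { c++ } END { print c + 0 }'
}

# Constructed, abbreviated sample lines (not captured from a real host).
SAMPLE='2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 state UP mode DEFAULT group default \    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
7: ipvl0@eth0: <BROADCAST,MULTICAST,UP> mtu 1500 state UNKNOWN mode DEFAULT group default \    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff \    ipvlan  mode l2 bridge addrgenmode eui64
8: ipvl1@eth1: <BROADCAST,MULTICAST,UP> mtu 1500 state UNKNOWN mode DEFAULT group default \    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff \    ipvlan  mode l3 private addrgenmode eui64
9: ipvl2@eth2: <BROADCAST,MULTICAST,UP> mtu 1500 state UNKNOWN mode DEFAULT group default \    link/ether 02:00:00:00:00:03 brd ff:ff:ff:ff:ff:ff \    ipvlan  mode l3s vepa addrgenmode eui64'

printf '%s\n' "$SAMPLE" | audit_ipvlan
# On a live host: ip -d -o link show type ipvlan | audit_ipvlan
```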

6. What to choose (macvlan vs. ipvlan)?
=======================================

These two devices are very similar in many regards and the specific use
case could very well define which device to choose. If one of the following
situations defines your use case then you can choose to use ipvlan:


(a) The Linux host that is connected to the external switch / router has
    policy configured that allows only one mac per port.
(b) The number of virtual devices created on a master exceeds the mac
    capacity and puts the NIC in promiscuous mode, and degraded performance
    is a concern.
(c) The slave device is to be put into a hostile / untrusted network
    namespace where L2 on the slave could be changed / misused.


7. Example configuration:
=========================

::

  +=============================================================+
  |  Host: host1                                                |
  |                                                             |
  |   +----------------------+      +----------------------+    |
  |   |   NS:ns0             |      |  NS:ns1              |    |
  |   |                      |      |                      |    |
  |   |                      |      |                      |    |
  |   |        ipvl0         |      |         ipvl1        |    |
  |   +----------#-----------+      +-----------#----------+    |
  |              #                              #               |
  |              ################################               |
  |                              # eth0                         |
  +==============================#==============================+


(a) Create two network namespaces - ns0, ns1::

        ip netns add ns0
        ip netns add ns1

(b) Create two ipvlan slaves on eth0 (master device)::

        ip link add link eth0 ipvl0 type ipvlan mode l2
        ip link add link eth0 ipvl1 type ipvlan mode l2

(c) Assign slaves to the respective network namespaces::

        ip link set dev ipvl0 netns ns0
        ip link set dev ipvl1 netns ns1

(d) Now switch to the namespace (ns0 or ns1) to configure the slave devices:

        - For ns0::

                (1) ip netns exec ns0 bash
                (2) ip link set dev ipvl0 up
                (3) ip link set dev lo up
                (4) ip -4 addr add 127.0.0.1 dev lo
                (5) ip -4 addr add $IPADDR dev ipvl0
                (6) ip -4 route add default via $ROUTER dev ipvl0

        - For ns1::

                (1) ip netns exec ns1 bash
                (2) ip link set dev ipvl1 up
                (3) ip link set dev lo up
                (4) ip -4 addr add 127.0.0.1 dev lo
                (5) ip -4 addr add $IPADDR dev ipvl1
                (6) ip -4 route add default via $ROUTER dev ipvl1
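
Steps (a) to (d) as a non-interactive plan, added here as an example that is not part of the original HOWTO: the hypothetical helper ``ipvlan_plan`` validates MODE and FLAG against the values from section 3 and prints the commands instead of running them. The addresses are constructed values from a documentation range.

```shell
#!/bin/sh
# Added example (not from the HOWTO): print the commands of steps (a)-(d)
# in non-interactive form. ipvlan_plan and its argument layout are hypothetical.

# Character-set checks only, so the printed plan is safe to pipe into a shell.
safe_name() { case $1 in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac; }
safe_addr() { case $1 in ''|*[!0-9./]*) return 1 ;; esac; }

# usage: ipvlan_plan MASTER MODE FLAG ROUTER NS=ADDR[/PLEN]...
ipvlan_plan() {
    [ "$#" -ge 5 ] || { echo "usage: ipvlan_plan MASTER MODE FLAG ROUTER NS=ADDR..." >&2; return 2; }
    master=$1 mode=$2 flag=$3 router=$4
    shift 4
    # MODE and FLAG are limited to the values listed in section 3.
    case $mode in l2|l3|l3s) ;; *) echo "bad mode: $mode" >&2; return 2 ;; esac
    case $flag in bridge|private|vepa) ;; *) echo "bad flag: $flag" >&2; return 2 ;; esac
    safe_name "$master" && safe_addr "$router" ||
        { echo "bad master or router" >&2; return 2; }
    # Validate every NS=ADDR pair before printing anything.
    for spec in "$@"; do
        case $spec in *=*) ;; *) echo "bad spec: $spec" >&2; return 2 ;; esac
        safe_name "${spec%%=*}" && safe_addr "${spec#*=}" ||
            { echo "bad spec: $spec" >&2; return 2; }
    done
    i=0
    for spec in "$@"; do
        ns=${spec%%=*} addr=${spec#*=} dev=ipvl$i
        # One mode and flag for all slaves of this master (section 4).
        echo "ip netns add $ns"
        echo "ip link add link $master name $dev type ipvlan mode $mode $flag"
        echo "ip link set dev $dev netns $ns"
        # Steps (2)-(6), run inside the namespace without an interactive shell.
        echo "ip netns exec $ns ip link set dev $dev up"
        echo "ip netns exec $ns ip link set dev lo up"
        echo "ip netns exec $ns ip -4 addr add 127.0.0.1 dev lo"
        echo "ip netns exec $ns ip -4 addr add $addr dev $dev"
        echo "ip netns exec $ns ip -4 route add default via $router dev $dev"
        i=$((i + 1))
    done
}

# Constructed values: 192.0.2.0/24 is a documentation range.
ipvlan_plan eth0 l2 private 192.0.2.1 ns0=192.0.2.10/24 ns1=192.0.2.11/24
```

Review the printed plan, then run it as root, for example by piping it to ``sh -e``.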