我想终止来自镜像流量的 AWS 网关负载均衡器的 GENEVE UDP 隧道。这个想法是将数据包开盖成其原始形式。
sudo tc qdisc add dev eth0 handle ffff: ingress
sudo tc filter add dev eth0 protocol ip parent ffff: \
flower \
ip_proto udp dst_port 6081 \
geneve_opts 0108:01:020000000000000000/FFFF:FF:FF0000000000000000,0108:02:020000000000000000/FFFF:FF:FF0000000000000000,0108:03:0100000000/FFFF:FF:FF00000000 \
action tunnel_key unset
我遇到的问题是,开盖似乎没有发生。下面的 tcpdump 捕获 GENEVE 标头(UDP 端口 6081)。
% sudo tcpdump -i any "udp port 6081 or udp port 4789" -nn
15:11:34.548567 IP 10.0.109.255.60202 > 10.0.40.230.6081: Geneve, Flags [none], vni 0x0, options [32 bytes]: IP 10.0.96.239.65428 > 10.0.102.143.4789: VXLAN, flags [I] (0x08), vni 14692826
IP 34.232.225.122.12321 > 10.0.96.239.8888: UDP, length 200
但我期望的是端口 4789 上的内部 VXLAN 标头:
IP 10.0.96.239.65428 > 10.0.102.143.4789: VXLAN, flags [I] (0x08), vni 14692826
IP 34.232.225.122.12321 > 10.0.96.239.8888: UDP, length 200
我使用的是 4.14 内核:
% uname -a
Linux ip-10-0-40-230.ec2.internal 4.14.311-233.529.amzn2.x86_64 #1 SMP Thu Mar 23 09:54:12 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux