
I am trying to add a tc flower filter for the geneve protocol and I am getting this error:

```
% sudo tc filter add dev gnv0 protocol ip parent ffff: \
    flower geneve_opts 0108:01:020000000000000000/FFFF:FF:FF0000000000000000,0108:02:020000000000000000/FFFF:FF:FF0000000000000000,0108:03:0100000000/FFFF:FF:FF00000000 \
    action tunnel_key unset
RTNETLINK answers: No such file or directory
We have an error talking to the kernel
```

I am using Amazon Linux:

```
% uname -a
Linux ip-10-0-40-230.ec2.internal 4.14.311-233.529.amzn2.x86_64 #1 SMP Thu Mar 23 09:54:12 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
```

I want to terminate a GENEVE UDP tunnel coming from an AWS Gateway Load Balancer which is mirroring traffic. The idea is to decap the packet into its original form. Note that I have also tried vxlan_opts with no luck either, so the issue is more specific to tc than to the filter, IMO.

I have loaded some kernel modules that were suggested online (not sure whether they are necessary or sufficient):

```
% lsmod | grep sch
sch_htb                24576  0
sch_netem              20480  0
sch_ingress            16384  1
```

Full example:

```
sudo yum install tc
sudo modprobe sch_netem
sudo modprobe sch_htb

sudo ip link add name gnv0 type geneve dstport 6081 external
sudo ip link set gnv0 up
sudo tc qdisc add dev gnv0 ingress

sudo tc filter add dev gnv0 protocol ip parent ffff: \
    flower geneve_opts 0108:01:020000000000000000/FFFF:FF:FF0000000000000000,0108:02:020000000000000000/FFFF:FF:FF0000000000000000,0108:03:0100000000/FFFF:FF:FF00000000 \
    action tunnel_key unset
```

I tried it on AL2023 and got a similar error:

```
sudo ip link add name gnv0 type geneve dstport 6081 external
sudo ip link set gnv0 up
sudo tc qdisc add dev gnv0 ingress
sudo tc filter add dev gnv0 protocol ip parent ffff: \
    flower geneve_opts 0108:01:020000000000000000/FFFF:FF:FF0000000000000000,0108:02:020000000000000000/FFFF:FF:FF0000000000000000,0108:03:0100000000/FFFF:FF:FF00000000 \
    action tunnel_key unset
Error: Failed to load TC action module.
We have an error talking to the kernel
```
  • Here (kernel 6.1.x / iproute2 6.1.x) trying your example I get a more meaningful error: `Error: Tunnel key geneve option data is not a multiple of 4 bytes long.` Hope this helps. (geneve, act_tunnel_key and a few others got loaded automatically) Commented May 15, 2023 at 17:24
  • `modprobe act_tunnel_key`? Commented May 15, 2023 at 17:24
  • @A.B maybe that is an issue also but I don't think that is what is causing the error just yet... @frostschutz that seems to be it - other actions seem to work but not this one...

    ```
    % sudo modprobe act_tunnel_key
    modprobe: FATAL: Module act_tunnel_key not found in directory /lib/modules/4.14.311-233.529.amzn2.x86_64
    ```

    Not sure why it is missing... I can see it in the kernel source on github: github.com/amazonlinux/linux/blob/amazon-4.14.y/master/net/… Commented May 16, 2023 at 11:03
  • @frostschutz you are right! I recompiled the kernel with CONFIG_NET_ACT_TUNNEL_KEY=m and now it works :) Thank you! Commented May 16, 2023 at 13:06
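
Added example (not code from the question or its comments): a preflight script for the two failures seen in this thread, the kernel built without `act_tunnel_key` and the 4-byte alignment error quoted in the first comment. The function names, the `--run` switch and the `/boot/config-$(uname -r)` path are assumptions; the check covers only the DATA field of each option, not its mask.

```shell
#!/bin/sh
# Added example: preflight checks before `tc filter add ... flower geneve_opts`.
# Usage (assumed): sh preflight.sh --run 'CLASS:TYPE:DATA/MASK,...'

# Print each kernel option from "$@" that is not =y or =m in config file $1.
# Returns 0 when nothing is missing.
missing_kconfig() {
    cfg=$1; shift; rc=0
    for opt in "$@"; do
        grep -Eq "^${opt}=(y|m)\$" "$cfg" || { echo "$opt"; rc=1; }
    done
    return $rc
}

# Print each geneve option (CLASS:TYPE:DATA[/mask]) whose DATA is not hex
# or not a whole number of 4-byte words. Returns 0 when all are fine.
bad_geneve_opts() {
    rc=0; old_ifs=$IFS; IFS=,
    for opt in $1; do
        key=${opt%%/*}      # drop the /CLASS_MASK:TYPE_MASK:DATA_MASK part
        data=${key##*:}     # DATA is the last colon-separated field
        case $data in
            ''|*[!0-9A-Fa-f]*) echo "$key"; rc=1; continue ;;
        esac
        # Geneve option data comes in 4-byte units: 8 hex digits each
        [ $(( ${#data} % 8 )) -eq 0 ] || { echo "$key"; rc=1; }
    done
    IFS=$old_ifs
    return $rc
}

# Stand-alone run against the live system (config path is an assumption).
if [ "${1:-}" = "--run" ]; then
    missing_kconfig "/boot/config-$(uname -r)" \
        CONFIG_GENEVE CONFIG_NET_CLS_FLOWER CONFIG_NET_ACT_TUNNEL_KEY
    bad_geneve_opts "${2:-}"
fi
```

Any option name printed by `missing_kconfig` means the running kernel was built without that feature, which matches the `modprobe: FATAL: Module act_tunnel_key not found` result above.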
