Currently it uses UDP port 8472 by default, which is not the IANA assigned port and there is no option to configure it.
- Difficulty level
- Unknown (require assessment)
- Why the issue appeared?
- Will be filled on close
cpo@CR1# set interfaces vxlan vxlan1 remote
Possible completions:
  <x.x.x.x>     Remote address of this VXLAN tunnel
This is the current supported CLI.
We could add set interfaces vxlan vxlan1 remote port but this looks ugly. Changing the CLI at all would break existing implementations.
Changing the port to the IANA default port could also break existing implementations. Any ideas @syncer?
Personally I'd prefer
set interfaces vxlan vxlan1 destination address x.x.x.x
set interfaces vxlan vxlan1 destination port x.x.x.x
And drop set interfaces vxlan vxlan1 remote
Same as we have in the firewall rules.
The VXLAN RFC states:
Destination Port: IANA has assigned the value 4789 for the VXLAN UDP port, and this value SHOULD be used by default as the destination UDP port. Some early implementations of VXLAN have used other values for the destination port. To enable interoperability with these implementations, the destination port SHOULD be configurable.
IMO we should move to an RFC-compliant implementation
@syncer: To recap, are you OK with the following changes:
- Change default destination port to the IANA assigned one (will break current setups)
- Remove set interfaces vxlan vxlan1 remote
- Add set interfaces vxlan vxlan1 dst-vtep address and set interfaces vxlan vxlan1 dst-vtep port
If that's ok I'll go for the changes ...
Found inside the Linux Kernel's source code:
/* UDP port for VXLAN traffic.
 * The IANA assigned port is 4789, but the Linux default is 8472
 * for compatibility with early adopters.
 */
static unsigned short vxlan_port __read_mostly = 8472;
module_param_named(udp_port, vxlan_port, ushort, 0444);
MODULE_PARM_DESC(udp_port, "Destination UDP port");
Looks like the initial idea is not possible as the VXLAN destination port can only be set system wide during load time of the Kernel module.
Looking through the sources I see that ./vyatta-conntrack/templates-cfg/system/conntrack/node.def holds a good example. Here a file /etc/modprobe.d/vyatta_nf_conntrack.conf is created that holds the module specific configuration.
We could use /etc/modprobe.d/vyos_vxlan.conf and populate it w/ options vxlan vxlan_port=1337
@syncer let's change the proposal to:
- Keep set interfaces vxlan vxlan1 remote
- Add set interfaces vxlan port <num> as system wide configuration.
Note: Changing vxlan port requires reloading the Kernel Module (better reboot)
Okay, the proof of concept worked on the console
root@LR1:/home/cpo# cat /etc/modprobe.d/vyos_vxlan.conf
options vxlan udp_port=31337
root@LR1:/home/cpo# dmesg | tail -n 1
[  724.283680] VXLAN PORT: 31337
With a patched Kernel to print the VXLAN UDP port number used.
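As an added example that is not part of this issue thread or of the VyOS code base, a small POSIX shell helper that renders the modprobe.d fragment from the PoC above and reports whether the loaded vxlan module actually runs with that port (the function names are my own; the file path and the /sys/module parameters path are the standard kernel locations):

```shell
#!/bin/sh
# Added example (not VyOS code): write the vxlan udp_port modprobe fragment and
# check it against the parameter exposed by the loaded module. Because the
# port is a load-time module parameter, editing the file alone changes nothing
# until the module is reloaded; check_vxlan_port makes that mismatch visible.
set -eu

# Validate a UDP port number; returns 1 on anything outside 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Write "options vxlan udp_port=<port>" to the given modprobe.d file.
# Refuses invalid ports so a typo cannot produce a line the module rejects at load.
write_vxlan_conf() {
    port=$1; conf=${2:-/etc/modprobe.d/vyos_vxlan.conf}
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    printf 'options vxlan udp_port=%s\n' "$port" > "$conf"
}

# Port configured in the file (empty output if no udp_port line is present).
configured_port() {
    sed -n 's/^options vxlan .*udp_port=\([0-9]*\).*/\1/p' \
        "${1:-/etc/modprobe.d/vyos_vxlan.conf}" | tail -n 1
}

# Port the running module uses; module_param mode 0444 exposes it read-only here.
running_port() {
    cat /sys/module/vxlan/parameters/udp_port 2>/dev/null || echo "not loaded"
}

# Exit 0 when file and loaded module agree, 2 when a module reload is still needed.
check_vxlan_port() {
    conf=${1:-/etc/modprobe.d/vyos_vxlan.conf}
    want=$(configured_port "$conf"); have=$(running_port)
    if [ "$want" = "$have" ]; then
        echo "vxlan udp_port $have matches $conf"; return 0
    fi
    echo "vxlan module reports '$have' but $conf sets '$want'; reload vxlan (or reboot)" >&2
    return 2
}
```

Run check_vxlan_port after writing the file to confirm the kernel is really listening on the configured port rather than trusting the file.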
Unfortunately it looks like set interfaces vxlan port <num> can't be used (at least I was not able to PoC it) b/c set interfaces vxlan <vxlanX> is a TAG node, which prevents any other nodes parallel to it, like port. @dmbaturin hopefully I'm wrong. Do you know of any other configuration tree where I can have a look?
Proposal for command:
set system module driver vxlan port <num>
This would enable us to add additional kernel module config params under set system module driver <x> param <y> and not lose the future ability to maybe set hardware-dependent parameters on a modular system via set system module <slot0> foo bar