ip-fou
Manage Foo-over-UDP tunnels
SYNOPSIS
ip fou { add | del | show }
ip fou add port PORT [ ipproto IPPROTO ] [ encap_type TYPE ] [ encap_sport SPORT ] [ encap_dport DPORT ] [ encap_csum ] [ encap_csum_zero_csum6_tx ] [ encap_zero_csum6_rx ]
ip fou del port PORT
ip fou show
PARAMETERS
add
Adds a Foo Over UDP (FOU) encapsulation port definition to the kernel.
del
Deletes a FOU encapsulation port definition from the kernel.
show
Displays all currently configured FOU encapsulation port definitions.
port PORT
Specifies the UDP port number for FOU encapsulation. This is the port the kernel listens on for incoming FOU packets. It is a mandatory parameter for 'add' and 'del' operations.
ipproto IPPROTO
Defines the inner IP protocol number (e.g., 4 for IPIP, 47 for GRE, 50 for ESP) that follows the UDP header. The kernel uses it to hand the decapsulated payload to the matching protocol handler. If omitted, the port carries no fixed inner protocol and the kernel takes it from the GUE header instead, which is why omitting it is only meaningful with the 'gue' type.
encap_type TYPE
Sets the specific encapsulation type. Valid types are 'fou' (the default, a simpler generic UDP encapsulation) or 'gue' for Generic UDP Encapsulation. GUE includes its own header with an inner protocol field and flags, offering more flexibility.
encap_sport SPORT
Specifies the UDP source port that will be used for the outer FOU encapsulation when sending packets. This can be useful for symmetric firewall rules or load balancing.
encap_dport DPORT
Specifies the UDP destination port that will be used for the outer FOU encapsulation when sending packets. This is distinct from the 'port' parameter which defines the listening port.
encap_csum
Enables UDP checksum calculation for encapsulated packets being transmitted. This provides integrity checking but adds a small CPU overhead.
encap_csum_zero_csum6_tx
Enables UDP checksum but explicitly forces a zero checksum value for IPv6 transmit packets. This is often used for specific hardware offloading or compatibility with certain network devices that expect zero checksums for IPv6.
encap_zero_csum6_rx
Allows the system to accept incoming IPv6 packets with a zero UDP checksum. This can be necessary for compatibility with devices that do not generate or send UDP checksums for IPv6 traffic. Note that a zero checksum removes the UDP-level integrity check, so corrupted or misdirected datagrams are no longer caught before decapsulation.
DESCRIPTION
The ip-fou command, a part of the iproute2 utility suite, is used to manage Foo Over UDP (FOU) encapsulation ports on a Linux system.
FOU is a generic encapsulation protocol that allows arbitrary IP protocols (like GRE, IPIP, or even raw IP) to be encapsulated directly within a UDP header. This approach provides several key benefits:
1. NAT/Firewall Traversal: NAT devices and firewalls generally pass UDP more readily than other IP protocols (such as GRE, which is IP protocol 47 and carries no port numbers for a NAT to track). FOU lets tunnels cross such devices.
2. ECMP Hashing: By encapsulating traffic in UDP, network devices can leverage UDP port numbers for Equal-Cost Multi-Path (ECMP) hashing, allowing for more granular load balancing across multiple paths.
3. Generic Encapsulation: It provides a flexible way to tunnel various protocols without needing specific kernel modules for each. For instance, an `ipproto 47` (GRE) packet can be wrapped in UDP via FOU, even if the underlying network doesn't natively support GRE.
ip-fou allows administrators to define FOU 'ports' which are essentially mappings between a specific UDP port and an inner IP protocol. When packets arrive on that UDP port, the kernel automatically decapsulates them, treating the inner payload as the specified IP protocol. This configuration is crucial for setting up advanced overlay networks and VPN solutions.
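As an added example, not taken from the iproute2 man page or from the project, the following POSIX sh script walks through the procedure described above: it builds the receive-side 'ip fou add' definition that maps a UDP port to inner protocol 47 (GRE), the matching GRE link whose packets are sent inside UDP, and a firewall rule limiting the port to the peer, validating the port and protocol numbers first. The commands are only printed by default; set IP and NFT to the real binaries to apply them, which needs root and the fou kernel module. The 'encap fou', 'encap-sport', 'encap-dport' and 'encap-csum' keywords are those of ip-link(8); the nftables table and chain names, the device name, the addresses and the port are assumed placeholders.

```shell
#!/bin/sh
# Added example, not part of the iproute2 man page: bring up a GRE tunnel
# carried inside UDP via a FOU port (DESCRIPTION, ROLE OF IPPROTO).
# Commands are only printed unless IP and NFT are overridden with the real
# binaries, since applying them needs root and a kernel with the fou module.
# The "ip link ... encap fou" keywords are from ip-link(8); the nftables
# table/chain, addresses, port and device name below are constructed.
IP="${IP:-echo ip}"
NFT="${NFT:-echo nft}"

# Accept only a decimal integer in [$2, $3]; used so a mistyped port or
# protocol number fails loudly instead of producing a half-built tunnel.
in_range() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Receive side: bind UDP port $1 to inner IP protocol $2 (47 = GRE).
# Every datagram arriving on that port is decapsulated as that protocol.
fou_add_args() {
    in_range "$1" 1 65535 || { echo "bad port: $1" >&2; return 1; }
    in_range "$2" 0 255   || { echo "bad ipproto: $2" >&2; return 1; }
    echo "fou add port $1 ipproto $2"
}

# Send side: a GRE link whose packets are wrapped in UDP. encap-sport auto
# lets the kernel vary the source port per flow for ECMP hashing; encap-dport
# must equal the FOU port the peer listens on; encap-csum keeps the UDP
# checksum so corrupted datagrams are dropped before decapsulation.
gre_over_fou_args() {
    dev=$1 laddr=$2 raddr=$3 dport=$4
    in_range "$dport" 1 65535 || { echo "bad dport: $dport" >&2; return 1; }
    echo "link add name $dev type gre local $laddr remote $raddr ttl 64 encap fou encap-sport auto encap-dport $dport encap-csum"
}

# Firewall: FOU has no authentication, so only the known peer should reach
# the port. Assumes an existing nftables table "inet filter" with an
# "input" chain (placeholder names); adjust to the local ruleset.
fou_nft_args() {
    echo "add rule inet filter input ip saddr $1 udp dport $2 accept"
}

# Full procedure; the peer runs the same steps with local/remote swapped.
setup_gre_over_fou() {
    dev=$1 laddr=$2 raddr=$3 port=$4
    a=$(fou_add_args "$port" 47) || return 1
    b=$(gre_over_fou_args "$dev" "$laddr" "$raddr" "$port") || return 1
    $IP $a && $IP $b && $NFT $(fou_nft_args "$raddr" "$port") && \
        $IP link set dev "$dev" up
}

# Constructed sample values; the dry run prints the four commands.
setup_gre_over_fou gre1 192.0.2.1 192.0.2.2 5555
```

The validation is deliberately strict: a port outside 1-65535 or a protocol number outside 0-255 aborts before any command is issued, so a typo cannot leave a FOU port bound to the wrong protocol while the link setup silently continues.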
CAVEATS
Using ip-fou requires a Linux kernel with FOU support compiled in (typically available in modern kernels, version 3.10+).
Proper network configuration, including routing tables and firewall rules (e.g., with iptables or nftables), is essential for FOU traffic to flow correctly. Misconfiguration can lead to dropped packets or unexpected routing. Because FOU itself authenticates nothing, the firewall should also restrict the FOU port to the expected peer addresses: any host that can reach the port can hand packets to the inner protocol stack.
MTU (Maximum Transmission Unit) considerations are important. Encapsulation adds overhead, potentially requiring adjustments to interface MTU or enabling Path MTU Discovery (PMTUD) to avoid fragmentation issues.
Debugging encapsulated traffic can be more complex, often requiring tools like tcpdump with appropriate decapsulation support.
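As an added example for the MTU caveat above, not code from the man page or the project, this POSIX sh function works out the MTU the tunnel device should carry so that encapsulated packets fit the underlying path, and emits the ip-link command that applies it. The header sizes are the fixed base headers: outer IPv4 20 or IPv6 40 bytes, UDP 8, the GUE base header 4 (plain FOU adds none), and an inner GRE header of 4 (without the key or checksum options) or 0 for IPIP; the device name and MTU in the sample call are constructed.

```shell
#!/bin/sh
# Added example, not from the man page: compute the tunnel device MTU for a
# FOU or GUE encapsulated GRE/IPIP tunnel (CAVEATS, MTU). Base header sizes:
# outer IPv4 20 / IPv6 40, UDP 8, GUE base header 4 (FOU has no header),
# inner GRE 4 (add 4 more if the GRE key option is used) or IPIP 0.
# Usage: fou_tunnel_mtu OUTER_MTU FAMILY(4|6) ENCAP(fou|gue) INNER(gre|ipip)
fou_tunnel_mtu() {
    outer=$1 family=$2 encap=$3 inner=$4
    case "$outer" in
        ''|*[!0-9]*) echo "bad MTU: $outer" >&2; return 1 ;;
    esac
    case "$family" in
        4) ip_hdr=20 ;;
        6) ip_hdr=40 ;;
        *) echo "family must be 4 or 6" >&2; return 1 ;;
    esac
    case "$encap" in
        fou) encap_hdr=0 ;;
        gue) encap_hdr=4 ;;
        *) echo "encap must be fou or gue" >&2; return 1 ;;
    esac
    case "$inner" in
        gre)  inner_hdr=4 ;;
        ipip) inner_hdr=0 ;;
        *) echo "inner must be gre or ipip" >&2; return 1 ;;
    esac
    udp_hdr=8
    mtu=$((outer - ip_hdr - udp_hdr - encap_hdr - inner_hdr))
    # Refuse results below the IPv4 minimum MTU of 68: a value that small
    # means the outer path cannot usefully carry the tunnel at all.
    [ "$mtu" -ge 68 ] || { echo "outer MTU $outer too small" >&2; return 1; }
    echo "$mtu"
}

# Emit the ip-link command that applies the computed value to the device
# named in $1; remaining arguments are passed to fou_tunnel_mtu.
fou_link_mtu_cmd() {
    dev=$1; shift
    mtu=$(fou_tunnel_mtu "$@") || return 1
    echo "ip link set dev $dev mtu $mtu"
}

# Constructed sample: GRE over plain FOU on an IPv4 path with a 1500-byte MTU.
fou_link_mtu_cmd gre1 1500 4 fou gre
```

Lowering the tunnel MTU this way avoids relying on PMTUD for the outer path; if the path MTU is unknown, the outer MTU argument should be the smallest value measured along the route rather than the local interface MTU.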
FOU VS. GUE
While ip-fou manages both, there's a distinction between FOU (Foo Over UDP) and GUE (Generic UDP Encapsulation). FOU is a simpler, header-less encapsulation where only the UDP port specifies the inner protocol. GUE, however, introduces a small header after the UDP header that includes an inner IP protocol field, flags, and an optional checksum. This makes GUE more self-describing and flexible, especially for supporting multiple inner protocols on a single UDP port. The encap_type parameter allows choosing between these two modes.
ROLE OF IPPROTO
The ipproto parameter is crucial for FOU decapsulation. It tells the Linux kernel which IP protocol to expect as the payload after the UDP header. For example, if you set ipproto 47 for UDP port X, any packet arriving on port X will have its UDP header removed, and the remaining payload will be treated as a GRE packet. This allows standard network stack processing for the inner protocol. Without it, the kernel wouldn't know how to correctly process the decapsulated data.
HISTORY
Foo Over UDP (FOU) and Generic UDP Encapsulation (GUE) were introduced into the Linux kernel around version 3.10-3.11. Their development was primarily driven by the need for more flexible tunneling mechanisms in cloud and data center environments, specifically to address limitations of traditional tunnels like GRE in scenarios involving NAT, firewalls, and the desire for better load balancing via ECMP hashing of UDP traffic. ip-fou, as part of the iproute2 utility, became the standard command-line tool for managing these kernel features, evolving alongside their development to support features like GUE and checksum options.