[ovs-dev] [PATCH 03/11] datapath: Account for "vxlan: Group Policy extension"
Pravin Shelar
pshelar at nicira.com
Fri Jan 30 03:45:33 UTC 2015
On Tue, Jan 27, 2015 at 7:35 AM, Thomas Graf <tgraf at noironetworks.com> wrote:
> Upstream commit:
> vxlan: Group Policy extension
>
> Implements support for the Group Policy VXLAN extension [0] to provide
> a lightweight and simple security label mechanism across network peers
> based on VXLAN. The security context and associated metadata is mapped
> to/from skb->mark. This allows further mapping to a SELinux context
> using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
> tc, etc.
>
> The group membership is defined by the lower 16 bits of skb->mark, the
> upper 16 bits are used for flags.
>
> SELinux allows managing labels to secure local resources. However,
> distributed applications require ACLs to be implemented across hosts. This
> is typically achieved by matching on L2-L4 fields to identify the
> original sending host and process on the receiver. On top of that,
> netlabel and specifically CIPSO [1] allow mapping security contexts to
> universal labels. However, netlabel and CIPSO are relatively complex.
> This patch provides a lightweight alternative for overlay network
> environments with a trusted underlay. No additional control protocol
> is required.
>
>  Host 1:                                   Host 2:
>
>   Group A        Group B        Group B     Group A
>  +-----+   +-------------+    +-------+   +-----+
>  | lxc |   | SELinux CTX |    | httpd |   | VM  |
>  +--+--+   +--+----------+    +---+---+   +--+--+
>      \---+---/                   \----+---/
>          |                            |
>      +---+---+                    +---+---+
>      | vxlan |                    | vxlan |
>      +---+---+                    +---+---+
>          +------------------------------+
>
> Backwards compatibility:
> A VXLAN-GBP socket can receive standard VXLAN frames and will assign
> the default group 0x0000 to such frames. A Linux VXLAN socket will
> drop VXLAN-GBP frames. The extension is therefore disabled by default
> and needs to be specifically enabled:
>
> ip link add [...] type vxlan [...] gbp
>
> In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
> must run on a separate port number.
>
> Examples:
> iptables:
> host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
> host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
>
> OVS:
> # ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
> # ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'
>
> [0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
> [1] http://lwn.net/Articles/204905/
>
> Signed-off-by: Thomas Graf <tgraf at suug.ch>
> Signed-off-by: David S. Miller <davem at davemloft.net>
>
> Upstream: 351149 ("vxlan: Group Policy extension")
> Signed-off-by: Thomas Graf <tgraf at noironetworks.com>
> ---
> acinclude.m4 | 2 +
> datapath/linux/compat/include/net/vxlan.h | 99 +++++++++++++++++++++++++------
> datapath/linux/compat/vxlan.c | 52 ++++++++++++++--
> datapath/vport-vxlan.c | 10 ++--
> 4 files changed, 135 insertions(+), 28 deletions(-)
>
> diff --git a/acinclude.m4 b/acinclude.m4
> index 7db7737..8f10b98 100644
> --- a/acinclude.m4
> +++ b/acinclude.m4
> @@ -392,6 +392,8 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [
> OVS_GREP_IFELSE([$KSRC/include/net/vxlan.h], [vxlan_xmit_skb])
> OVS_GREP_IFELSE([$KSRC/include/net/vxlan.h], [bool xnet],
> [OVS_DEFINE([HAVE_VXLAN_XMIT_SKB_XNET_ARG])])
> + OVS_GREP_IFELSE([$KSRC/include/net/vxlan.h], [struct vxlan_metadata],
> + [OVS_DEFINE([HAVE_VXLAN_METADATA])])
> OVS_GREP_IFELSE([$KSRC/include/net/udp.h], [udp_flow_src_port],
> [OVS_DEFINE([HAVE_UDP_FLOW_SRC_PORT])])
> OVS_GREP_IFELSE([$KSRC/include/linux/skbuff.h], [ignore_df:1],
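Review bot: the `bool xnet` grep two lines above the inserted `struct vxlan_metadata` check still defines HAVE_VXLAN_XMIT_SKB_XNET_ARG, yet the only consumer of that define visible in this patch, the `#ifdef HAVE_VXLAN_XMIT_SKB_XNET_ARG` branch in rpl_vxlan_xmit_skb(), is removed below. Drop the xnet grep from acinclude.m4 in this same hunk so the build system does not carry a dead define, and consider whether a grep for the full rpl_vxlan_xmit_skb() parameter list is the right gate, since the presence of `struct vxlan_metadata` alone does not fix the prototype of vxlan_xmit_skb().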
> diff --git a/datapath/linux/compat/include/net/vxlan.h b/datapath/linux/compat/include/net/vxlan.h
> index f3d93c0..52ce233 100644
> --- a/datapath/linux/compat/include/net/vxlan.h
> +++ b/datapath/linux/compat/include/net/vxlan.h
> @@ -15,43 +15,98 @@
> #ifndef VXLAN_HLEN
> /* VXLAN header flags. */
> #define VXLAN_HF_VNI 0x08000000
> +#ifndef VXLAN_HF_GBP
> +#define VXLAN_HF_GBP 0x80000000
> +#endif
>
> #define VXLAN_N_VID (1u << 24)
> #define VXLAN_VID_MASK (VXLAN_N_VID - 1)
> #define VXLAN_HLEN (sizeof(struct udphdr) + sizeof(struct vxlanhdr))
> #endif
>
> -#ifdef USE_KERNEL_TUNNEL_API
> +#ifndef VXLAN_GBP_USED_BITS
> +/*
> + * VXLAN Group Based Policy Extension:
> + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> + * |1|-|-|-|1|-|-|-|R|D|R|R|A|R|R|R| Group Policy ID |
> + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> + * | VXLAN Network Identifier (VNI) | Reserved |
> + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> + *
> + * D = Don't Learn bit. When set, this bit indicates that the egress
> + * VTEP MUST NOT learn the source address of the encapsulated frame.
> + *
> + * A = Indicates that the group policy has already been applied to
> + * this packet. Policies MUST NOT be applied by devices when the
> + * A bit is set.
> + *
> + * [0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
> + */
> +struct vxlanhdr_gbp {
> + __u8 vx_flags;
> +#ifdef __LITTLE_ENDIAN_BITFIELD
> + __u8 reserved_flags1:3,
> + policy_applied:1,
> + reserved_flags2:2,
> + dont_learn:1,
> + reserved_flags3:1;
> +#elif defined(__BIG_ENDIAN_BITFIELD)
> + __u8 reserved_flags1:1,
> + dont_learn:1,
> + reserved_flags2:2,
> + policy_applied:1,
> + reserved_flags3:3;
> +#else
> +#error "Please fix <asm/byteorder.h>"
> +#endif
> + __be16 policy_id;
> + __be32 vx_vni;
> +};
> +#define VXLAN_GBP_USED_BITS (VXLAN_HF_GBP | 0xFFFFFF)
> +
> +/* skb->mark mapping
> + *
> + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> + * |R|R|R|R|R|R|R|R|R|D|R|R|A|R|R|R| Group Policy ID |
> + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> + */
> +#define VXLAN_GBP_DONT_LEARN (BIT(6) << 16)
> +#define VXLAN_GBP_POLICY_APPLIED (BIT(3) << 16)
> +#define VXLAN_GBP_ID_MASK (0xFFFF)
> +
> +#define VXLAN_F_GBP 0x800
> +#endif
> +
> +#ifdef HAVE_VXLAN_METADATA
> static inline int rpl_vxlan_xmit_skb(struct vxlan_sock *vs,
> struct rtable *rt, struct sk_buff *skb,
> __be32 src, __be32 dst, __u8 tos, __u8 ttl, __be16 df,
> - __be16 src_port, __be16 dst_port, __be32 vni)
> + __be16 src_port, __be16 dst_port,
> + struct vxlan_metadata *md)
> {
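Review bot: VXLAN_HF_GBP is only defined inside the `#ifndef VXLAN_HLEN` block (the `#ifndef VXLAN_HF_GBP` / `#define VXLAN_HF_GBP 0x80000000` lines), but it is used outside that block by `#define VXLAN_GBP_USED_BITS (VXLAN_HF_GBP | 0xFFFFFF)` under the separate `#ifndef VXLAN_GBP_USED_BITS` guard. A kernel header that already provides VXLAN_HLEN but not VXLAN_HF_GBP therefore skips the first guard and fails to compile at the VXLAN_GBP_USED_BITS line. Move the `#ifndef VXLAN_HF_GBP` fallback out of the VXLAN_HLEN block, or repeat it immediately before VXLAN_GBP_USED_BITS, so each compat definition is guarded on its own.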
Can you keep vxlan_xmit_skb() in sync with the upstream kernel? I see
a couple of parameters are missing. If there is any difference in the
function prototype, we cannot make use of vxlan_xmit_skb() from the new
kernel.
> if (skb_is_gso(skb) && skb_is_encapsulated(skb)) {
> kfree_skb(skb);
> return -ENOSYS;
> }
>
> -#ifdef HAVE_VXLAN_XMIT_SKB_XNET_ARG
HAVE_VXLAN_XMIT_SKB_XNET_ARG can be removed from acinclude.m4.
> - return vxlan_xmit_skb(vs, rt, skb, src, dst, tos, ttl, df,
> - src_port, dst_port, vni, false);
> -#else
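Worked example, added here and not part of the patch, of OVS or of the kernel: a user-space C encoder and decoder for the 8-byte VXLAN-GBP header that follows the bit layout and the skb->mark mapping documented in the vxlan.h hunk above (VXLAN_HF_GBP, VXLAN_GBP_DONT_LEARN, VXLAN_GBP_POLICY_APPLIED, VXLAN_GBP_ID_MASK, VXLAN_GBP_USED_BITS), including the backwards-compatibility rule from the commit message. The function names vxlan_gbp_pack(), vxlan_gbp_unpack() and gbp_ingress_accept(), the uint32_t standing in for skb->mark, and the sample VNI and mark values are invented for this example.

```c
/* Added example, not code from the patch, OVS or the kernel: VXLAN-GBP
 * header encode/decode and the skb->mark mapping from the hunk above.
 * A plain uint32_t stands in for skb->mark; the function names are
 * invented for this example. */
#include <stdint.h>
#include <stdio.h>

/* Constants as defined in the patch (BIT(n) written out as 1u << n). */
#define VXLAN_HF_VNI             0x08000000u
#define VXLAN_HF_GBP             0x80000000u
#define VXLAN_VID_MASK           0x00FFFFFFu
#define VXLAN_GBP_DONT_LEARN     (1u << (6 + 16))
#define VXLAN_GBP_POLICY_APPLIED (1u << (3 + 16))
#define VXLAN_GBP_ID_MASK        0xFFFFu
#define VXLAN_GBP_USED_BITS      (VXLAN_HF_GBP | 0xFFFFFFu)
/* Bits of the first header word that are copied verbatim into the mark. */
#define VXLAN_GBP_MARK_BITS \
    (VXLAN_GBP_DONT_LEARN | VXLAN_GBP_POLICY_APPLIED | VXLAN_GBP_ID_MASK)

/* The header is two big-endian 32-bit words. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
           (uint32_t)p[2] << 8 | (uint32_t)p[3];
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Transmit side: build the header for vni.  With gbp set, the G flag is
 * added and D, A and the 16-bit policy id are taken straight from mark:
 * the mark layout places D, A and the id at the same bit offsets as the
 * first header word, so a single mask does the copy.
 * Returns 0, or -1 if vni does not fit in 24 bits. */
int vxlan_gbp_pack(uint8_t hdr[8], uint32_t vni, uint32_t mark, int gbp)
{
    uint32_t w0 = VXLAN_HF_VNI;

    if (vni & ~VXLAN_VID_MASK)
        return -1;
    if (gbp)
        w0 |= VXLAN_HF_GBP | (mark & VXLAN_GBP_MARK_BITS);
    wr32(hdr, w0);
    wr32(hdr + 4, vni << 8);   /* VNI in the top 24 bits, reserved byte 0 */
    return 0;
}

/* Receive side: gbp_enabled models the per-socket "gbp" option.  A GBP
 * socket accepts a plain VXLAN frame and assigns group 0; a plain socket
 * treats the G bit as an unknown flag and drops the frame.
 * Returns 0 and fills vni/mark, or -1 if the frame must be dropped. */
int vxlan_gbp_unpack(const uint8_t hdr[8], int gbp_enabled,
                     uint32_t *vni, uint32_t *mark)
{
    uint32_t w0 = rd32(hdr), w1 = rd32(hdr + 4);
    uint32_t known = VXLAN_HF_VNI | (gbp_enabled ? VXLAN_GBP_USED_BITS : 0);

    if (!(w0 & VXLAN_HF_VNI))  /* I flag must be set */
        return -1;
    if (w0 & ~known)           /* flag bits this socket does not understand */
        return -1;
    if (w1 & 0xFFu)            /* reserved byte after the VNI must be zero */
        return -1;
    *vni = w1 >> 8;
    *mark = (w0 & VXLAN_HF_GBP) ? (w0 & VXLAN_GBP_MARK_BITS) : 0;
    return 0;
}

/* Ingress check modelled on the flow "tun_gbp_id=0x200,actions=drop" plus
 * the draft's A-bit rule quoted in the header comment: a frame marked as
 * already policed is accepted without re-checking.  Returns 1 to accept,
 * 0 to drop.  Any peer able to set A on the wire skips this check, which
 * is why the extension assumes a trusted underlay. */
int gbp_ingress_accept(uint32_t mark, uint16_t denied_group)
{
    if (mark & VXLAN_GBP_POLICY_APPLIED)
        return 1;
    return (mark & VXLAN_GBP_ID_MASK) != denied_group;
}

int main(void)
{
    uint8_t hdr[8];
    uint32_t vni = 0, mark = 0;

    /* Constructed input: host1 marked uid 101 traffic with 0x200. */
    vxlan_gbp_pack(hdr, 0x123456, 0x200 | VXLAN_GBP_DONT_LEARN, 1);
    printf("wire: %02x %02x %02x %02x %02x %02x %02x %02x\n", hdr[0], hdr[1],
           hdr[2], hdr[3], hdr[4], hdr[5], hdr[6], hdr[7]);
    printf("gbp socket: %d, plain socket: %d\n",
           vxlan_gbp_unpack(hdr, 1, &vni, &mark),
           vxlan_gbp_unpack(hdr, 0, &vni, &mark));
    printf("host2 verdict for group 0x%x: %s\n", mark & VXLAN_GBP_ID_MASK,
           gbp_ingress_accept(mark, 0x200) ? "accept" : "drop");
    return 0;
}
```

The mark constants in the patch are BIT(6) << 16 and BIT(3) << 16 rather than arbitrary values because the D and A bits sit in the second header byte, which is bits 23..16 of the first 32-bit word; with the policy id in bits 15..0, the lower 24 bits of skb->mark and of the wire word line up and no shifting is needed in either direction. The decoder also shows the two halves of the compatibility rule: a GBP socket accepts legacy frames as group 0, while a legacy socket rejects the G bit, so mixed deployments need the separate UDP port the commit message calls for.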