[ovs-dev] [PATCH 03/11] datapath: Account for "vxlan: Group Policy extension"

Pravin Shelar pshelar at nicira.com
Fri Jan 30 03:45:33 UTC 2015


On Tue, Jan 27, 2015 at 7:35 AM, Thomas Graf <tgraf at noironetworks.com> wrote:
> Upstream commit:
>     vxlan: Group Policy extension
>
>     Implements supports for the Group Policy VXLAN extension [0] to provide
>     a lightweight and simple security label mechanism across network peers
>     based on VXLAN. The security context and associated metadata is mapped
>     to/from skb->mark. This allows further mapping to a SELinux context
>     using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
>     tc, etc.
>
>     The group membership is defined by the lower 16 bits of skb->mark, the
>     upper 16 bits are used for flags.
>
>     SELinux allows managing labels to secure local resources. However,
>     distributed applications require ACLs to be implemented across hosts. This
>     is typically achieved by matching on L2-L4 fields to identify the
>     original sending host and process on the receiver. On top of that,
>     netlabel and specifically CIPSO [1] allow to map security contexts to
>     universal labels.  However, netlabel and CIPSO are relatively complex.
>     This patch provides a lightweight alternative for overlay network
>     environments with a trusted underlay. No additional control protocol
>     is required.
>
>                Host 1:                       Host 2:
>
>           Group A        Group B        Group B     Group A
>           +-----+   +-------------+    +-------+   +-----+
>           | lxc |   | SELinux CTX |    | httpd |   | VM  |
>           +--+--+   +--+----------+    +---+---+   +--+--+
>           \---+---/                     \----+---/
>               |                              |
>           +---+---+                      +---+---+
>           | vxlan |                      | vxlan |
>           +---+---+                      +---+---+
>               +------------------------------+
>
>     Backwards compatibility:
>     A VXLAN-GBP socket can receive standard VXLAN frames and will assign
>     the default group 0x0000 to such frames. A Linux VXLAN socket will
>     drop VXLAN-GBP  frames. The extension is therefore disabled by default
>     and needs to be specifically enabled:
>
>        ip link add [...] type vxlan [...] gbp
>
>     In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
>     must run on a separate port number.
>
>     Examples:
>      iptables:
>       host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
>       host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
>
>      OVS:
>       # ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
>       # ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'
>
>     [0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
>     [1] http://lwn.net/Articles/204905/
>
>     Signed-off-by: Thomas Graf <tgraf at suug.ch>
>     Signed-off-by: David S. Miller <davem at davemloft.net>
>
> Upstream: 351149 ("vxlan: Group Policy extension")
> Signed-off-by: Thomas Graf <tgraf at noironetworks.com>
> ---
>  acinclude.m4                              |  2 +
>  datapath/linux/compat/include/net/vxlan.h | 99 +++++++++++++++++++++++++------
>  datapath/linux/compat/vxlan.c             | 52 ++++++++++++++--
>  datapath/vport-vxlan.c                    | 10 ++--
>  4 files changed, 135 insertions(+), 28 deletions(-)
>
> diff --git a/acinclude.m4 b/acinclude.m4
> index 7db7737..8f10b98 100644
> --- a/acinclude.m4
> +++ b/acinclude.m4
> @@ -392,6 +392,8 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [
>    OVS_GREP_IFELSE([$KSRC/include/net/vxlan.h], [vxlan_xmit_skb])
>    OVS_GREP_IFELSE([$KSRC/include/net/vxlan.h], [bool xnet],
>                    [OVS_DEFINE([HAVE_VXLAN_XMIT_SKB_XNET_ARG])])
> +  OVS_GREP_IFELSE([$KSRC/include/net/vxlan.h], [struct vxlan_metadata],
> +                  [OVS_DEFINE([HAVE_VXLAN_METADATA])])
>    OVS_GREP_IFELSE([$KSRC/include/net/udp.h], [udp_flow_src_port],
>                    [OVS_DEFINE([HAVE_UDP_FLOW_SRC_PORT])])
>    OVS_GREP_IFELSE([$KSRC/include/linux/skbuff.h], [ignore_df:1],
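Review bot: The added OVS_GREP_IFELSE ties HAVE_VXLAN_METADATA to the mere presence of the token `struct vxlan_metadata` in the kernel's vxlan.h, while the compat header in this same series gates its replacement vxlan_xmit_skb() prototype on that define and so really depends on the xmit signature taking the struct. If a kernel declares the struct but passes it through vxlan_xmit_skb() differently, the wrong prototype would be selected silently at build time rather than failing. A narrower pattern that matches the parameter as it appears in the prototype, along the lines of `[struct vxlan_metadata \*md]`, would bind the define to what the compat code actually assumes, provided the upstream prototype uses that parameter name (the patch's own replacement prototype does). A one-line `dnl` comment above the check naming which upstream interface change it detects would also help whoever removes it later once older kernels are dropped.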
> diff --git a/datapath/linux/compat/include/net/vxlan.h b/datapath/linux/compat/include/net/vxlan.h
> index f3d93c0..52ce233 100644
> --- a/datapath/linux/compat/include/net/vxlan.h
> +++ b/datapath/linux/compat/include/net/vxlan.h
> @@ -15,43 +15,98 @@
>  #ifndef VXLAN_HLEN
>  /* VXLAN header flags. */
>  #define VXLAN_HF_VNI 0x08000000
> +#ifndef VXLAN_HF_GBP
> +#define VXLAN_HF_GBP 0x80000000
> +#endif
>
>  #define VXLAN_N_VID     (1u << 24)
>  #define VXLAN_VID_MASK  (VXLAN_N_VID - 1)
>  #define VXLAN_HLEN (sizeof(struct udphdr) + sizeof(struct vxlanhdr))
>  #endif
>
> -#ifdef USE_KERNEL_TUNNEL_API
> +#ifndef VXLAN_GBP_USED_BITS
> +/*
> + * VXLAN Group Based Policy Extension:
> + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> + * |1|-|-|-|1|-|-|-|R|D|R|R|A|R|R|R|        Group Policy ID        |
> + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> + * |                VXLAN Network Identifier (VNI) |   Reserved    |
> + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> + *
> + * D = Don't Learn bit. When set, this bit indicates that the egress
> + *     VTEP MUST NOT learn the source address of the encapsulated frame.
> + *
> + * A = Indicates that the group policy has already been applied to
> + *     this packet. Policies MUST NOT be applied by devices when the
> + *     A bit is set.
> + *
> + * [0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
> + */
> +struct vxlanhdr_gbp {
> +       __u8    vx_flags;
> +#ifdef __LITTLE_ENDIAN_BITFIELD
> +       __u8    reserved_flags1:3,
> +               policy_applied:1,
> +               reserved_flags2:2,
> +               dont_learn:1,
> +               reserved_flags3:1;
> +#elif defined(__BIG_ENDIAN_BITFIELD)
> +       __u8    reserved_flags1:1,
> +               dont_learn:1,
> +               reserved_flags2:2,
> +               policy_applied:1,
> +               reserved_flags3:3;
> +#else
> +#error "Please fix <asm/byteorder.h>"
> +#endif
> +       __be16  policy_id;
> +       __be32  vx_vni;
> +};
> +#define VXLAN_GBP_USED_BITS (VXLAN_HF_GBP | 0xFFFFFF)
> +
> +/* skb->mark mapping
> + *
> + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> + * |R|R|R|R|R|R|R|R|R|D|R|R|A|R|R|R|        Group Policy ID        |
> + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> + */
> +#define VXLAN_GBP_DONT_LEARN           (BIT(6) << 16)
> +#define VXLAN_GBP_POLICY_APPLIED       (BIT(3) << 16)
> +#define VXLAN_GBP_ID_MASK              (0xFFFF)
> +
> +#define VXLAN_F_GBP                    0x800
> +#endif
> +
> +#ifdef HAVE_VXLAN_METADATA
>  static inline int rpl_vxlan_xmit_skb(struct vxlan_sock *vs,
>                     struct rtable *rt, struct sk_buff *skb,
>                     __be32 src, __be32 dst, __u8 tos, __u8 ttl, __be16 df,
> -                   __be16 src_port, __be16 dst_port, __be32 vni)
> +                   __be16 src_port, __be16 dst_port,
> +                  struct vxlan_metadata *md)
>  {
Can you keep vxlan_xmit_skb() in sync with the upstream kernel? I see
a couple of parameters are missing. If there is any difference in the
function prototype, we cannot make use of vxlan_xmit_skb() from the new
kernel.

>         if (skb_is_gso(skb) && skb_is_encapsulated(skb)) {
>                 kfree_skb(skb);
>                 return -ENOSYS;
>         }
>
> -#ifdef HAVE_VXLAN_XMIT_SKB_XNET_ARG

HAVE_VXLAN_XMIT_SKB_XNET_ARG can be removed from acinclude.m4.

> -       return vxlan_xmit_skb(vs, rt, skb, src, dst, tos, ttl, df,
> -                             src_port, dst_port, vni, false);
> -#else


