2013-08-20 02:23:07 +08:00
|
|
|
#ifndef __NET_VXLAN_H
|
|
|
|
#define __NET_VXLAN_H 1
|
|
|
|
|
2014-12-24 14:37:26 +08:00
|
|
|
#include <linux/ip.h>
|
|
|
|
#include <linux/ipv6.h>
|
|
|
|
#include <linux/if_vlan.h>
|
2013-08-20 02:23:07 +08:00
|
|
|
#include <linux/skbuff.h>
|
|
|
|
#include <linux/netdevice.h>
|
|
|
|
#include <linux/udp.h>
|
2015-07-21 16:43:58 +08:00
|
|
|
#include <net/dst_metadata.h>
|
2013-08-20 02:23:07 +08:00
|
|
|
|
2016-02-03 01:09:13 +08:00
|
|
|
/* VXLAN protocol (RFC 7348) header:
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* |R|R|R|R|I|R|R|R| Reserved |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | VXLAN Network Identifier (VNI) | Reserved |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
*
|
|
|
|
* I = VXLAN Network Identifier (VNI) present.
|
|
|
|
*/
|
|
|
|
struct vxlanhdr {
|
|
|
|
__be32 vx_flags;
|
|
|
|
__be32 vx_vni;
|
|
|
|
};
|
|
|
|
|
|
|
|
/* VXLAN header flags. */
|
|
|
|
#define VXLAN_HF_VNI BIT(27)
|
|
|
|
|
|
|
|
#define VXLAN_N_VID (1u << 24)
|
|
|
|
#define VXLAN_VID_MASK (VXLAN_N_VID - 1)
|
|
|
|
#define VXLAN_VNI_MASK (VXLAN_VID_MASK << 8)
|
|
|
|
#define VXLAN_HLEN (sizeof(struct udphdr) + sizeof(struct vxlanhdr))
|
|
|
|
|
|
|
|
#define VNI_HASH_BITS 10
|
|
|
|
#define VNI_HASH_SIZE (1<<VNI_HASH_BITS)
|
|
|
|
#define FDB_HASH_BITS 8
|
|
|
|
#define FDB_HASH_SIZE (1<<FDB_HASH_BITS)
|
|
|
|
|
|
|
|
/* Remote checksum offload for VXLAN (VXLAN_F_REMCSUM_[RT]X):
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* |R|R|R|R|I|R|R|R|R|R|C| Reserved |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | VXLAN Network Identifier (VNI) |O| Csum start |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
*
|
|
|
|
* C = Remote checksum offload bit. When set indicates that the
|
|
|
|
* remote checksum offload data is present.
|
|
|
|
*
|
|
|
|
* O = Offset bit. Indicates the checksum offset relative to
|
|
|
|
* checksum start.
|
|
|
|
*
|
|
|
|
* Csum start = Checksum start divided by two.
|
|
|
|
*
|
|
|
|
* http://tools.ietf.org/html/draft-herbert-vxlan-rco
|
|
|
|
*/
|
|
|
|
|
|
|
|
/* VXLAN-RCO header flags. */
|
|
|
|
#define VXLAN_HF_RCO BIT(21)
|
|
|
|
|
|
|
|
/* Remote checksum offload header option */
|
|
|
|
#define VXLAN_RCO_MASK 0x7f /* Last byte of vni field */
|
|
|
|
#define VXLAN_RCO_UDP 0x80 /* Indicate UDP RCO (TCP when not set *) */
|
|
|
|
#define VXLAN_RCO_SHIFT 1 /* Left shift of start */
|
|
|
|
#define VXLAN_RCO_SHIFT_MASK ((1 << VXLAN_RCO_SHIFT) - 1)
|
|
|
|
#define VXLAN_MAX_REMCSUM_START (VXLAN_RCO_MASK << VXLAN_RCO_SHIFT)
|
|
|
|
|
vxlan: Group Policy extension
Implements supports for the Group Policy VXLAN extension [0] to provide
a lightweight and simple security label mechanism across network peers
based on VXLAN. The security context and associated metadata is mapped
to/from skb->mark. This allows further mapping to a SELinux context
using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
tc, etc.
The group membership is defined by the lower 16 bits of skb->mark, the
upper 16 bits are used for flags.
SELinux allows to manage label to secure local resources. However,
distributed applications require ACLs to implemented across hosts. This
is typically achieved by matching on L2-L4 fields to identify the
original sending host and process on the receiver. On top of that,
netlabel and specifically CIPSO [1] allow to map security contexts to
universal labels. However, netlabel and CIPSO are relatively complex.
This patch provides a lightweight alternative for overlay network
environments with a trusted underlay. No additional control protocol
is required.
Host 1: Host 2:
Group A Group B Group B Group A
+-----+ +-------------+ +-------+ +-----+
| lxc | | SELinux CTX | | httpd | | VM |
+--+--+ +--+----------+ +---+---+ +--+--+
\---+---/ \----+---/
| |
+---+---+ +---+---+
| vxlan | | vxlan |
+---+---+ +---+---+
+------------------------------+
Backwards compatibility:
A VXLAN-GBP socket can receive standard VXLAN frames and will assign
the default group 0x0000 to such frames. A Linux VXLAN socket will
drop VXLAN-GBP frames. The extension is therefore disabled by default
and needs to be specifically enabled:
ip link add [...] type vxlan [...] gbp
In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
must run on a separate port number.
Examples:
iptables:
host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
OVS:
# ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
# ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'
[0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
[1] http://lwn.net/Articles/204905/
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-15 10:53:55 +08:00
|
|
|
/*
|
2016-02-03 01:09:13 +08:00
|
|
|
* VXLAN Group Based Policy Extension (VXLAN_F_GBP):
|
vxlan: Group Policy extension
Implements supports for the Group Policy VXLAN extension [0] to provide
a lightweight and simple security label mechanism across network peers
based on VXLAN. The security context and associated metadata is mapped
to/from skb->mark. This allows further mapping to a SELinux context
using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
tc, etc.
The group membership is defined by the lower 16 bits of skb->mark, the
upper 16 bits are used for flags.
SELinux allows to manage label to secure local resources. However,
distributed applications require ACLs to implemented across hosts. This
is typically achieved by matching on L2-L4 fields to identify the
original sending host and process on the receiver. On top of that,
netlabel and specifically CIPSO [1] allow to map security contexts to
universal labels. However, netlabel and CIPSO are relatively complex.
This patch provides a lightweight alternative for overlay network
environments with a trusted underlay. No additional control protocol
is required.
Host 1: Host 2:
Group A Group B Group B Group A
+-----+ +-------------+ +-------+ +-----+
| lxc | | SELinux CTX | | httpd | | VM |
+--+--+ +--+----------+ +---+---+ +--+--+
\---+---/ \----+---/
| |
+---+---+ +---+---+
| vxlan | | vxlan |
+---+---+ +---+---+
+------------------------------+
Backwards compatibility:
A VXLAN-GBP socket can receive standard VXLAN frames and will assign
the default group 0x0000 to such frames. A Linux VXLAN socket will
drop VXLAN-GBP frames. The extension is therefore disabled by default
and needs to be specifically enabled:
ip link add [...] type vxlan [...] gbp
In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
must run on a separate port number.
Examples:
iptables:
host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
OVS:
# ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
# ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'
[0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
[1] http://lwn.net/Articles/204905/
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-15 10:53:55 +08:00
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
2016-02-03 01:09:13 +08:00
|
|
|
* |G|R|R|R|I|R|R|R|R|D|R|R|A|R|R|R| Group Policy ID |
|
vxlan: Group Policy extension
Implements supports for the Group Policy VXLAN extension [0] to provide
a lightweight and simple security label mechanism across network peers
based on VXLAN. The security context and associated metadata is mapped
to/from skb->mark. This allows further mapping to a SELinux context
using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
tc, etc.
The group membership is defined by the lower 16 bits of skb->mark, the
upper 16 bits are used for flags.
SELinux allows to manage label to secure local resources. However,
distributed applications require ACLs to implemented across hosts. This
is typically achieved by matching on L2-L4 fields to identify the
original sending host and process on the receiver. On top of that,
netlabel and specifically CIPSO [1] allow to map security contexts to
universal labels. However, netlabel and CIPSO are relatively complex.
This patch provides a lightweight alternative for overlay network
environments with a trusted underlay. No additional control protocol
is required.
Host 1: Host 2:
Group A Group B Group B Group A
+-----+ +-------------+ +-------+ +-----+
| lxc | | SELinux CTX | | httpd | | VM |
+--+--+ +--+----------+ +---+---+ +--+--+
\---+---/ \----+---/
| |
+---+---+ +---+---+
| vxlan | | vxlan |
+---+---+ +---+---+
+------------------------------+
Backwards compatibility:
A VXLAN-GBP socket can receive standard VXLAN frames and will assign
the default group 0x0000 to such frames. A Linux VXLAN socket will
drop VXLAN-GBP frames. The extension is therefore disabled by default
and needs to be specifically enabled:
ip link add [...] type vxlan [...] gbp
In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
must run on a separate port number.
Examples:
iptables:
host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
OVS:
# ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
# ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'
[0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
[1] http://lwn.net/Articles/204905/
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-15 10:53:55 +08:00
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | VXLAN Network Identifier (VNI) | Reserved |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
*
|
2016-02-03 01:09:13 +08:00
|
|
|
* G = Group Policy ID present.
|
|
|
|
*
|
vxlan: Group Policy extension
Implements supports for the Group Policy VXLAN extension [0] to provide
a lightweight and simple security label mechanism across network peers
based on VXLAN. The security context and associated metadata is mapped
to/from skb->mark. This allows further mapping to a SELinux context
using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
tc, etc.
The group membership is defined by the lower 16 bits of skb->mark, the
upper 16 bits are used for flags.
SELinux allows to manage label to secure local resources. However,
distributed applications require ACLs to implemented across hosts. This
is typically achieved by matching on L2-L4 fields to identify the
original sending host and process on the receiver. On top of that,
netlabel and specifically CIPSO [1] allow to map security contexts to
universal labels. However, netlabel and CIPSO are relatively complex.
This patch provides a lightweight alternative for overlay network
environments with a trusted underlay. No additional control protocol
is required.
Host 1: Host 2:
Group A Group B Group B Group A
+-----+ +-------------+ +-------+ +-----+
| lxc | | SELinux CTX | | httpd | | VM |
+--+--+ +--+----------+ +---+---+ +--+--+
\---+---/ \----+---/
| |
+---+---+ +---+---+
| vxlan | | vxlan |
+---+---+ +---+---+
+------------------------------+
Backwards compatibility:
A VXLAN-GBP socket can receive standard VXLAN frames and will assign
the default group 0x0000 to such frames. A Linux VXLAN socket will
drop VXLAN-GBP frames. The extension is therefore disabled by default
and needs to be specifically enabled:
ip link add [...] type vxlan [...] gbp
In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
must run on a separate port number.
Examples:
iptables:
host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
OVS:
# ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
# ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'
[0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
[1] http://lwn.net/Articles/204905/
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-15 10:53:55 +08:00
|
|
|
* D = Don't Learn bit. When set, this bit indicates that the egress
|
|
|
|
* VTEP MUST NOT learn the source address of the encapsulated frame.
|
|
|
|
*
|
|
|
|
* A = Indicates that the group policy has already been applied to
|
|
|
|
* this packet. Policies MUST NOT be applied by devices when the
|
|
|
|
* A bit is set.
|
|
|
|
*
|
2016-02-03 01:09:13 +08:00
|
|
|
* https://tools.ietf.org/html/draft-smith-vxlan-group-policy
|
vxlan: Group Policy extension
Implements supports for the Group Policy VXLAN extension [0] to provide
a lightweight and simple security label mechanism across network peers
based on VXLAN. The security context and associated metadata is mapped
to/from skb->mark. This allows further mapping to a SELinux context
using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
tc, etc.
The group membership is defined by the lower 16 bits of skb->mark, the
upper 16 bits are used for flags.
SELinux allows to manage label to secure local resources. However,
distributed applications require ACLs to implemented across hosts. This
is typically achieved by matching on L2-L4 fields to identify the
original sending host and process on the receiver. On top of that,
netlabel and specifically CIPSO [1] allow to map security contexts to
universal labels. However, netlabel and CIPSO are relatively complex.
This patch provides a lightweight alternative for overlay network
environments with a trusted underlay. No additional control protocol
is required.
Host 1: Host 2:
Group A Group B Group B Group A
+-----+ +-------------+ +-------+ +-----+
| lxc | | SELinux CTX | | httpd | | VM |
+--+--+ +--+----------+ +---+---+ +--+--+
\---+---/ \----+---/
| |
+---+---+ +---+---+
| vxlan | | vxlan |
+---+---+ +---+---+
+------------------------------+
Backwards compatibility:
A VXLAN-GBP socket can receive standard VXLAN frames and will assign
the default group 0x0000 to such frames. A Linux VXLAN socket will
drop VXLAN-GBP frames. The extension is therefore disabled by default
and needs to be specifically enabled:
ip link add [...] type vxlan [...] gbp
In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
must run on a separate port number.
Examples:
iptables:
host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
OVS:
# ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
# ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'
[0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
[1] http://lwn.net/Articles/204905/
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-15 10:53:55 +08:00
|
|
|
*/
|
|
|
|
struct vxlanhdr_gbp {
|
2016-02-03 01:09:11 +08:00
|
|
|
u8 vx_flags;
|
vxlan: Group Policy extension
Implements supports for the Group Policy VXLAN extension [0] to provide
a lightweight and simple security label mechanism across network peers
based on VXLAN. The security context and associated metadata is mapped
to/from skb->mark. This allows further mapping to a SELinux context
using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
tc, etc.
The group membership is defined by the lower 16 bits of skb->mark, the
upper 16 bits are used for flags.
SELinux allows to manage label to secure local resources. However,
distributed applications require ACLs to implemented across hosts. This
is typically achieved by matching on L2-L4 fields to identify the
original sending host and process on the receiver. On top of that,
netlabel and specifically CIPSO [1] allow to map security contexts to
universal labels. However, netlabel and CIPSO are relatively complex.
This patch provides a lightweight alternative for overlay network
environments with a trusted underlay. No additional control protocol
is required.
Host 1: Host 2:
Group A Group B Group B Group A
+-----+ +-------------+ +-------+ +-----+
| lxc | | SELinux CTX | | httpd | | VM |
+--+--+ +--+----------+ +---+---+ +--+--+
\---+---/ \----+---/
| |
+---+---+ +---+---+
| vxlan | | vxlan |
+---+---+ +---+---+
+------------------------------+
Backwards compatibility:
A VXLAN-GBP socket can receive standard VXLAN frames and will assign
the default group 0x0000 to such frames. A Linux VXLAN socket will
drop VXLAN-GBP frames. The extension is therefore disabled by default
and needs to be specifically enabled:
ip link add [...] type vxlan [...] gbp
In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
must run on a separate port number.
Examples:
iptables:
host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
OVS:
# ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
# ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'
[0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
[1] http://lwn.net/Articles/204905/
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-15 10:53:55 +08:00
|
|
|
#ifdef __LITTLE_ENDIAN_BITFIELD
|
2016-02-03 01:09:11 +08:00
|
|
|
u8 reserved_flags1:3,
|
vxlan: Group Policy extension
Implements supports for the Group Policy VXLAN extension [0] to provide
a lightweight and simple security label mechanism across network peers
based on VXLAN. The security context and associated metadata is mapped
to/from skb->mark. This allows further mapping to a SELinux context
using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
tc, etc.
The group membership is defined by the lower 16 bits of skb->mark, the
upper 16 bits are used for flags.
SELinux allows to manage label to secure local resources. However,
distributed applications require ACLs to implemented across hosts. This
is typically achieved by matching on L2-L4 fields to identify the
original sending host and process on the receiver. On top of that,
netlabel and specifically CIPSO [1] allow to map security contexts to
universal labels. However, netlabel and CIPSO are relatively complex.
This patch provides a lightweight alternative for overlay network
environments with a trusted underlay. No additional control protocol
is required.
Host 1: Host 2:
Group A Group B Group B Group A
+-----+ +-------------+ +-------+ +-----+
| lxc | | SELinux CTX | | httpd | | VM |
+--+--+ +--+----------+ +---+---+ +--+--+
\---+---/ \----+---/
| |
+---+---+ +---+---+
| vxlan | | vxlan |
+---+---+ +---+---+
+------------------------------+
Backwards compatibility:
A VXLAN-GBP socket can receive standard VXLAN frames and will assign
the default group 0x0000 to such frames. A Linux VXLAN socket will
drop VXLAN-GBP frames. The extension is therefore disabled by default
and needs to be specifically enabled:
ip link add [...] type vxlan [...] gbp
In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
must run on a separate port number.
Examples:
iptables:
host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
OVS:
# ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
# ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'
[0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
[1] http://lwn.net/Articles/204905/
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-15 10:53:55 +08:00
|
|
|
policy_applied:1,
|
|
|
|
reserved_flags2:2,
|
|
|
|
dont_learn:1,
|
|
|
|
reserved_flags3:1;
|
|
|
|
#elif defined(__BIG_ENDIAN_BITFIELD)
|
2016-02-03 01:09:11 +08:00
|
|
|
u8 reserved_flags1:1,
|
vxlan: Group Policy extension
Implements supports for the Group Policy VXLAN extension [0] to provide
a lightweight and simple security label mechanism across network peers
based on VXLAN. The security context and associated metadata is mapped
to/from skb->mark. This allows further mapping to a SELinux context
using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
tc, etc.
The group membership is defined by the lower 16 bits of skb->mark, the
upper 16 bits are used for flags.
SELinux allows to manage label to secure local resources. However,
distributed applications require ACLs to implemented across hosts. This
is typically achieved by matching on L2-L4 fields to identify the
original sending host and process on the receiver. On top of that,
netlabel and specifically CIPSO [1] allow to map security contexts to
universal labels. However, netlabel and CIPSO are relatively complex.
This patch provides a lightweight alternative for overlay network
environments with a trusted underlay. No additional control protocol
is required.
Host 1: Host 2:
Group A Group B Group B Group A
+-----+ +-------------+ +-------+ +-----+
| lxc | | SELinux CTX | | httpd | | VM |
+--+--+ +--+----------+ +---+---+ +--+--+
\---+---/ \----+---/
| |
+---+---+ +---+---+
| vxlan | | vxlan |
+---+---+ +---+---+
+------------------------------+
Backwards compatibility:
A VXLAN-GBP socket can receive standard VXLAN frames and will assign
the default group 0x0000 to such frames. A Linux VXLAN socket will
drop VXLAN-GBP frames. The extension is therefore disabled by default
and needs to be specifically enabled:
ip link add [...] type vxlan [...] gbp
In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
must run on a separate port number.
Examples:
iptables:
host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
OVS:
# ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
# ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'
[0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
[1] http://lwn.net/Articles/204905/
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-15 10:53:55 +08:00
|
|
|
dont_learn:1,
|
|
|
|
reserved_flags2:2,
|
|
|
|
policy_applied:1,
|
|
|
|
reserved_flags3:3;
|
|
|
|
#else
|
|
|
|
#error "Please fix <asm/byteorder.h>"
|
|
|
|
#endif
|
|
|
|
__be16 policy_id;
|
|
|
|
__be32 vx_vni;
|
|
|
|
};
|
|
|
|
|
2016-02-03 01:09:13 +08:00
|
|
|
/* VXLAN-GBP header flags. */
|
|
|
|
#define VXLAN_HF_GBP BIT(31)
|
|
|
|
|
vxlan: Group Policy extension
Implements supports for the Group Policy VXLAN extension [0] to provide
a lightweight and simple security label mechanism across network peers
based on VXLAN. The security context and associated metadata is mapped
to/from skb->mark. This allows further mapping to a SELinux context
using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
tc, etc.
The group membership is defined by the lower 16 bits of skb->mark, the
upper 16 bits are used for flags.
SELinux allows to manage label to secure local resources. However,
distributed applications require ACLs to implemented across hosts. This
is typically achieved by matching on L2-L4 fields to identify the
original sending host and process on the receiver. On top of that,
netlabel and specifically CIPSO [1] allow to map security contexts to
universal labels. However, netlabel and CIPSO are relatively complex.
This patch provides a lightweight alternative for overlay network
environments with a trusted underlay. No additional control protocol
is required.
Host 1: Host 2:
Group A Group B Group B Group A
+-----+ +-------------+ +-------+ +-----+
| lxc | | SELinux CTX | | httpd | | VM |
+--+--+ +--+----------+ +---+---+ +--+--+
\---+---/ \----+---/
| |
+---+---+ +---+---+
| vxlan | | vxlan |
+---+---+ +---+---+
+------------------------------+
Backwards compatibility:
A VXLAN-GBP socket can receive standard VXLAN frames and will assign
the default group 0x0000 to such frames. A Linux VXLAN socket will
drop VXLAN-GBP frames. The extension is therefore disabled by default
and needs to be specifically enabled:
ip link add [...] type vxlan [...] gbp
In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
must run on a separate port number.
Examples:
iptables:
host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
OVS:
# ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
# ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'
[0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
[1] http://lwn.net/Articles/204905/
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-15 10:53:55 +08:00
|
|
|
#define VXLAN_GBP_USED_BITS (VXLAN_HF_GBP | 0xFFFFFF)
|
|
|
|
|
|
|
|
/* skb->mark mapping
|
|
|
|
*
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* |R|R|R|R|R|R|R|R|R|D|R|R|A|R|R|R| Group Policy ID |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
*/
|
|
|
|
#define VXLAN_GBP_DONT_LEARN (BIT(6) << 16)
|
|
|
|
#define VXLAN_GBP_POLICY_APPLIED (BIT(3) << 16)
|
|
|
|
#define VXLAN_GBP_ID_MASK (0xFFFF)
|
|
|
|
|
|
|
|
struct vxlan_metadata {
|
|
|
|
u32 gbp;
|
|
|
|
};
|
|
|
|
|
2013-08-20 02:23:07 +08:00
|
|
|
/* per UDP socket information */
|
|
|
|
struct vxlan_sock {
|
|
|
|
struct hlist_node hlist;
|
|
|
|
struct work_struct del_work;
|
|
|
|
struct socket *sock;
|
|
|
|
struct rcu_head rcu;
|
|
|
|
struct hlist_head vni_list[VNI_HASH_SIZE];
|
|
|
|
atomic_t refcnt;
|
2014-01-20 19:59:21 +08:00
|
|
|
struct udp_offload udp_offloads;
|
2015-01-13 09:00:38 +08:00
|
|
|
u32 flags;
|
2013-08-20 02:23:07 +08:00
|
|
|
};
|
|
|
|
|
2015-07-21 16:44:02 +08:00
|
|
|
union vxlan_addr {
|
|
|
|
struct sockaddr_in sin;
|
|
|
|
struct sockaddr_in6 sin6;
|
|
|
|
struct sockaddr sa;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct vxlan_rdst {
|
|
|
|
union vxlan_addr remote_ip;
|
|
|
|
__be16 remote_port;
|
|
|
|
u32 remote_vni;
|
|
|
|
u32 remote_ifindex;
|
|
|
|
struct list_head list;
|
|
|
|
struct rcu_head rcu;
|
2016-02-12 22:43:56 +08:00
|
|
|
struct dst_cache dst_cache;
|
2015-07-21 16:44:02 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
struct vxlan_config {
|
|
|
|
union vxlan_addr remote_ip;
|
|
|
|
union vxlan_addr saddr;
|
|
|
|
u32 vni;
|
|
|
|
int remote_ifindex;
|
|
|
|
int mtu;
|
|
|
|
__be16 dst_port;
|
2016-02-03 01:09:11 +08:00
|
|
|
u16 port_min;
|
|
|
|
u16 port_max;
|
|
|
|
u8 tos;
|
|
|
|
u8 ttl;
|
2015-07-21 16:44:02 +08:00
|
|
|
u32 flags;
|
|
|
|
unsigned long age_interval;
|
|
|
|
unsigned int addrmax;
|
|
|
|
bool no_share;
|
|
|
|
};
|
|
|
|
|
|
|
|
/* Pseudo network device */
|
|
|
|
struct vxlan_dev {
|
|
|
|
struct hlist_node hlist; /* vni hash table */
|
|
|
|
struct list_head next; /* vxlan's per namespace list */
|
2015-09-24 19:50:02 +08:00
|
|
|
struct vxlan_sock *vn4_sock; /* listening socket for IPv4 */
|
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
|
|
|
struct vxlan_sock *vn6_sock; /* listening socket for IPv6 */
|
|
|
|
#endif
|
2015-07-21 16:44:02 +08:00
|
|
|
struct net_device *dev;
|
|
|
|
struct net *net; /* netns for packet i/o */
|
|
|
|
struct vxlan_rdst default_dst; /* default destination */
|
|
|
|
u32 flags; /* VXLAN_F_* in vxlan.h */
|
|
|
|
|
|
|
|
struct timer_list age_timer;
|
|
|
|
spinlock_t hash_lock;
|
|
|
|
unsigned int addrcnt;
|
2015-08-20 08:07:33 +08:00
|
|
|
struct gro_cells gro_cells;
|
2015-07-21 16:44:02 +08:00
|
|
|
|
|
|
|
struct vxlan_config cfg;
|
|
|
|
|
|
|
|
struct hlist_head fdb_head[FDB_HASH_SIZE];
|
|
|
|
};
|
|
|
|
|
2014-06-05 08:20:29 +08:00
|
|
|
#define VXLAN_F_LEARN 0x01
|
|
|
|
#define VXLAN_F_PROXY 0x02
|
|
|
|
#define VXLAN_F_RSC 0x04
|
|
|
|
#define VXLAN_F_L2MISS 0x08
|
|
|
|
#define VXLAN_F_L3MISS 0x10
|
|
|
|
#define VXLAN_F_IPV6 0x20
|
|
|
|
#define VXLAN_F_UDP_CSUM 0x40
|
|
|
|
#define VXLAN_F_UDP_ZERO_CSUM6_TX 0x80
|
|
|
|
#define VXLAN_F_UDP_ZERO_CSUM6_RX 0x100
|
2015-01-13 09:00:38 +08:00
|
|
|
#define VXLAN_F_REMCSUM_TX 0x200
|
|
|
|
#define VXLAN_F_REMCSUM_RX 0x400
|
vxlan: Group Policy extension
Implements supports for the Group Policy VXLAN extension [0] to provide
a lightweight and simple security label mechanism across network peers
based on VXLAN. The security context and associated metadata is mapped
to/from skb->mark. This allows further mapping to a SELinux context
using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
tc, etc.
The group membership is defined by the lower 16 bits of skb->mark, the
upper 16 bits are used for flags.
SELinux allows to manage label to secure local resources. However,
distributed applications require ACLs to implemented across hosts. This
is typically achieved by matching on L2-L4 fields to identify the
original sending host and process on the receiver. On top of that,
netlabel and specifically CIPSO [1] allow to map security contexts to
universal labels. However, netlabel and CIPSO are relatively complex.
This patch provides a lightweight alternative for overlay network
environments with a trusted underlay. No additional control protocol
is required.
Host 1: Host 2:
Group A Group B Group B Group A
+-----+ +-------------+ +-------+ +-----+
| lxc | | SELinux CTX | | httpd | | VM |
+--+--+ +--+----------+ +---+---+ +--+--+
\---+---/ \----+---/
| |
+---+---+ +---+---+
| vxlan | | vxlan |
+---+---+ +---+---+
+------------------------------+
Backwards compatibility:
A VXLAN-GBP socket can receive standard VXLAN frames and will assign
the default group 0x0000 to such frames. A Linux VXLAN socket will
drop VXLAN-GBP frames. The extension is therefore disabled by default
and needs to be specifically enabled:
ip link add [...] type vxlan [...] gbp
In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
must run on a separate port number.
Examples:
iptables:
host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
OVS:
# ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
# ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'
[0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
[1] http://lwn.net/Articles/204905/
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-15 10:53:55 +08:00
|
|
|
#define VXLAN_F_GBP 0x800
|
2015-02-11 08:30:32 +08:00
|
|
|
#define VXLAN_F_REMCSUM_NOPARTIAL 0x1000
|
2015-07-21 16:43:58 +08:00
|
|
|
#define VXLAN_F_COLLECT_METADATA 0x2000
|
2014-06-05 08:20:29 +08:00
|
|
|
|
2015-03-12 10:00:10 +08:00
|
|
|
/* Flags that are used in the receive path. These flags must match in
|
2015-01-21 03:23:05 +08:00
|
|
|
* order for a socket to be shareable
|
|
|
|
*/
|
|
|
|
#define VXLAN_F_RCV_FLAGS (VXLAN_F_GBP | \
|
|
|
|
VXLAN_F_UDP_ZERO_CSUM6_RX | \
|
2015-02-11 08:30:32 +08:00
|
|
|
VXLAN_F_REMCSUM_RX | \
|
2015-07-21 16:43:58 +08:00
|
|
|
VXLAN_F_REMCSUM_NOPARTIAL | \
|
2015-08-05 13:51:07 +08:00
|
|
|
VXLAN_F_COLLECT_METADATA)
|
2015-01-15 10:53:56 +08:00
|
|
|
|
2015-07-21 16:44:02 +08:00
|
|
|
struct net_device *vxlan_dev_create(struct net *net, const char *name,
|
|
|
|
u8 name_assign_type, struct vxlan_config *conf);
|
|
|
|
|
2015-09-24 19:50:02 +08:00
|
|
|
static inline __be16 vxlan_dev_dst_port(struct vxlan_dev *vxlan,
|
|
|
|
unsigned short family)
|
2015-07-21 16:44:06 +08:00
|
|
|
{
|
2015-09-24 19:50:02 +08:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
|
|
|
if (family == AF_INET6)
|
|
|
|
return inet_sk(vxlan->vn6_sock->sock->sk)->inet_sport;
|
|
|
|
#endif
|
|
|
|
return inet_sk(vxlan->vn4_sock->sock->sk)->inet_sport;
|
2015-07-21 16:44:06 +08:00
|
|
|
}
|
2013-08-20 02:23:17 +08:00
|
|
|
|
2014-12-24 14:37:26 +08:00
|
|
|
static inline netdev_features_t vxlan_features_check(struct sk_buff *skb,
|
|
|
|
netdev_features_t features)
|
2014-11-18 08:24:54 +08:00
|
|
|
{
|
2014-12-24 14:37:26 +08:00
|
|
|
u8 l4_hdr = 0;
|
|
|
|
|
|
|
|
if (!skb->encapsulation)
|
|
|
|
return features;
|
|
|
|
|
|
|
|
switch (vlan_get_protocol(skb)) {
|
|
|
|
case htons(ETH_P_IP):
|
|
|
|
l4_hdr = ip_hdr(skb)->protocol;
|
|
|
|
break;
|
|
|
|
case htons(ETH_P_IPV6):
|
|
|
|
l4_hdr = ipv6_hdr(skb)->nexthdr;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
return features;;
|
|
|
|
}
|
|
|
|
|
|
|
|
if ((l4_hdr == IPPROTO_UDP) &&
|
2014-11-18 08:24:54 +08:00
|
|
|
(skb->inner_protocol_type != ENCAP_TYPE_ETHER ||
|
|
|
|
skb->inner_protocol != htons(ETH_P_TEB) ||
|
|
|
|
(skb_inner_mac_header(skb) - skb_transport_header(skb) !=
|
|
|
|
sizeof(struct udphdr) + sizeof(struct vxlanhdr))))
|
2015-12-15 03:19:43 +08:00
|
|
|
return features & ~(NETIF_F_CSUM_MASK | NETIF_F_GSO_MASK);
|
2014-11-18 08:24:54 +08:00
|
|
|
|
2014-12-24 14:37:26 +08:00
|
|
|
return features;
|
2014-11-18 08:24:54 +08:00
|
|
|
}
|
2014-11-14 08:38:12 +08:00
|
|
|
|
2013-10-24 14:27:10 +08:00
|
|
|
/* IP header + UDP + VXLAN + Ethernet header */
|
|
|
|
#define VXLAN_HEADROOM (20 + 8 + 8 + 14)
|
|
|
|
/* IPv6 header + UDP + VXLAN + Ethernet header */
|
|
|
|
#define VXLAN6_HEADROOM (40 + 8 + 8 + 14)
|
|
|
|
|
2016-02-17 04:58:57 +08:00
|
|
|
static inline struct vxlanhdr *vxlan_hdr(struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
return (struct vxlanhdr *)(udp_hdr(skb) + 1);
|
|
|
|
}
|
|
|
|
|
2013-10-24 14:27:10 +08:00
|
|
|
#if IS_ENABLED(CONFIG_VXLAN)
|
2013-09-04 17:13:38 +08:00
|
|
|
void vxlan_get_rx_port(struct net_device *netdev);
|
2013-10-24 14:27:10 +08:00
|
|
|
#else
|
|
|
|
static inline void vxlan_get_rx_port(struct net_device *netdev)
|
|
|
|
{
|
|
|
|
}
|
|
|
|
#endif
|
2015-08-20 19:56:28 +08:00
|
|
|
|
|
|
|
static inline unsigned short vxlan_get_sk_family(struct vxlan_sock *vs)
|
|
|
|
{
|
|
|
|
return vs->sock->sk->sk_family;
|
|
|
|
}
|
2015-08-26 00:36:50 +08:00
|
|
|
|
|
|
|
#endif
|