diff options
| author | Thomas Graf <tgraf@suug.ch> | 2015-01-14 21:53:55 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2015-01-15 01:11:41 -0500 |
| commit | 3511494ce2f3d3b77544c79b87511a4ddb61dc89 (patch) | |
| tree | c9713e3be0f66f344a180de2f78943d18370e97a /net/openvswitch | |
| parent | 3f3558bb512e0762d5a4573a4aaf038d7a616e92 (diff) | |
vxlan: Group Policy extension
Implements supports for the Group Policy VXLAN extension [0] to provide
a lightweight and simple security label mechanism across network peers
based on VXLAN. The security context and associated metadata is mapped
to/from skb->mark. This allows further mapping to a SELinux context
using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
tc, etc.
The group membership is defined by the lower 16 bits of skb->mark, the
upper 16 bits are used for flags.
SELinux allows to manage label to secure local resources. However,
distributed applications require ACLs to implemented across hosts. This
is typically achieved by matching on L2-L4 fields to identify the
original sending host and process on the receiver. On top of that,
netlabel and specifically CIPSO [1] allow to map security contexts to
universal labels. However, netlabel and CIPSO are relatively complex.
This patch provides a lightweight alternative for overlay network
environments with a trusted underlay. No additional control protocol
is required.
Host 1: Host 2:
Group A Group B Group B Group A
+-----+ +-------------+ +-------+ +-----+
| lxc | | SELinux CTX | | httpd | | VM |
+--+--+ +--+----------+ +---+---+ +--+--+
\---+---/ \----+---/
| |
+---+---+ +---+---+
| vxlan | | vxlan |
+---+---+ +---+---+
+------------------------------+
Backwards compatibility:
A VXLAN-GBP socket can receive standard VXLAN frames and will assign
the default group 0x0000 to such frames. A Linux VXLAN socket will
drop VXLAN-GBP frames. The extension is therefore disabled by default
and needs to be specifically enabled:
ip link add [...] type vxlan [...] gbp
In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
must run on a separate port number.
Examples:
iptables:
host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
OVS:
# ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
# ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'
[0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
[1] http://lwn.net/Articles/204905/
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/openvswitch')
| -rw-r--r-- | net/openvswitch/vport-vxlan.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/net/openvswitch/vport-vxlan.c b/net/openvswitch/vport-vxlan.c index 1435a053a870..9919d71c52c3 100644 --- a/net/openvswitch/vport-vxlan.c +++ b/net/openvswitch/vport-vxlan.c | |||
| @@ -59,7 +59,8 @@ static inline struct vxlan_port *vxlan_vport(const struct vport *vport) | |||
| 59 | } | 59 | } |
| 60 | 60 | ||
| 61 | /* Called with rcu_read_lock and BH disabled. */ | 61 | /* Called with rcu_read_lock and BH disabled. */ |
| 62 | static void vxlan_rcv(struct vxlan_sock *vs, struct sk_buff *skb, __be32 vx_vni) | 62 | static void vxlan_rcv(struct vxlan_sock *vs, struct sk_buff *skb, |
| 63 | struct vxlan_metadata *md) | ||
| 63 | { | 64 | { |
| 64 | struct ovs_tunnel_info tun_info; | 65 | struct ovs_tunnel_info tun_info; |
| 65 | struct vport *vport = vs->data; | 66 | struct vport *vport = vs->data; |
| @@ -68,7 +69,7 @@ static void vxlan_rcv(struct vxlan_sock *vs, struct sk_buff *skb, __be32 vx_vni) | |||
| 68 | 69 | ||
| 69 | /* Save outer tunnel values */ | 70 | /* Save outer tunnel values */ |
| 70 | iph = ip_hdr(skb); | 71 | iph = ip_hdr(skb); |
| 71 | key = cpu_to_be64(ntohl(vx_vni) >> 8); | 72 | key = cpu_to_be64(ntohl(md->vni) >> 8); |
| 72 | ovs_flow_tun_info_init(&tun_info, iph, | 73 | ovs_flow_tun_info_init(&tun_info, iph, |
| 73 | udp_hdr(skb)->source, udp_hdr(skb)->dest, | 74 | udp_hdr(skb)->source, udp_hdr(skb)->dest, |
| 74 | key, TUNNEL_KEY, NULL, 0); | 75 | key, TUNNEL_KEY, NULL, 0); |
| @@ -146,6 +147,7 @@ static int vxlan_tnl_send(struct vport *vport, struct sk_buff *skb) | |||
| 146 | struct vxlan_port *vxlan_port = vxlan_vport(vport); | 147 | struct vxlan_port *vxlan_port = vxlan_vport(vport); |
| 147 | __be16 dst_port = inet_sk(vxlan_port->vs->sock->sk)->inet_sport; | 148 | __be16 dst_port = inet_sk(vxlan_port->vs->sock->sk)->inet_sport; |
| 148 | const struct ovs_key_ipv4_tunnel *tun_key; | 149 | const struct ovs_key_ipv4_tunnel *tun_key; |
| 150 | struct vxlan_metadata md = {0}; | ||
| 149 | struct rtable *rt; | 151 | struct rtable *rt; |
| 150 | struct flowi4 fl; | 152 | struct flowi4 fl; |
| 151 | __be16 src_port; | 153 | __be16 src_port; |
| @@ -170,12 +172,13 @@ static int vxlan_tnl_send(struct vport *vport, struct sk_buff *skb) | |||
| 170 | skb->ignore_df = 1; | 172 | skb->ignore_df = 1; |
| 171 | 173 | ||
| 172 | src_port = udp_flow_src_port(net, skb, 0, 0, true); | 174 | src_port = udp_flow_src_port(net, skb, 0, 0, true); |
| 175 | md.vni = htonl(be64_to_cpu(tun_key->tun_id) << 8); | ||
| 173 | 176 | ||
| 174 | err = vxlan_xmit_skb(vxlan_port->vs, rt, skb, | 177 | err = vxlan_xmit_skb(vxlan_port->vs, rt, skb, |
| 175 | fl.saddr, tun_key->ipv4_dst, | 178 | fl.saddr, tun_key->ipv4_dst, |
| 176 | tun_key->ipv4_tos, tun_key->ipv4_ttl, df, | 179 | tun_key->ipv4_tos, tun_key->ipv4_ttl, df, |
| 177 | src_port, dst_port, | 180 | src_port, dst_port, |
| 178 | htonl(be64_to_cpu(tun_key->tun_id) << 8), | 181 | &md, |
| 179 | false); | 182 | false); |
| 180 | if (err < 0) | 183 | if (err < 0) |
| 181 | ip_rt_put(rt); | 184 | ip_rt_put(rt); |