License cleanup: add SPDX GPL-2.0 license identifier to files with no license
Many source files in the tree are missing licensing information, which
makes it harder for compliance tools to determine the correct license.
By default all files without license information are under the default
license of the kernel, which is GPL version 2.
Update the files which contain no license information with the 'GPL-2.0'
SPDX license identifier. The SPDX identifier is a legally binding
shorthand, which can be used instead of the full boiler plate text.
This patch is based on work done by Thomas Gleixner and Kate Stewart and
Philippe Ombredanne.
How this work was done:
Patches were generated and checked against linux-4.14-rc6 for a subset of
the use cases:
- file had no licensing information it it.
- file was a */uapi/* one with no licensing information in it,
- file was a */uapi/* one with existing licensing information,
Further patches will be generated in subsequent months to fix up cases
where non-standard license headers were used, and references to license
had to be inferred by heuristics based on keywords.
The analysis to determine which SPDX License Identifier to be applied to
a file was done in a spreadsheet of side by side results from of the
output of two independent scanners (ScanCode & Windriver) producing SPDX
tag:value files created by Philippe Ombredanne. Philippe prepared the
base worksheet, and did an initial spot review of a few 1000 files.
The 4.13 kernel was the starting point of the analysis with 60,537 files
assessed. Kate Stewart did a file by file comparison of the scanner
results in the spreadsheet to determine which SPDX license identifier(s)
to be applied to the file. She confirmed any determination that was not
immediately clear with lawyers working with the Linux Foundation.
Criteria used to select files for SPDX license identifier tagging was:
- Files considered eligible had to be source code files.
- Make and config files were included as candidates if they contained >5
lines of source
- File already had some variant of a license header in it (even if <5
lines).
All documentation files were explicitly excluded.
The following heuristics were used to determine which SPDX license
identifiers to apply.
- when both scanners couldn't find any license traces, file was
considered to have no license information in it, and the top level
COPYING file license applied.
For non */uapi/* files that summary was:
SPDX license identifier # files
---------------------------------------------------|-------
GPL-2.0 11139
and resulted in the first patch in this series.
If that file was a */uapi/* path one, it was "GPL-2.0 WITH
Linux-syscall-note" otherwise it was "GPL-2.0". Results of that was:
SPDX license identifier # files
---------------------------------------------------|-------
GPL-2.0 WITH Linux-syscall-note 930
and resulted in the second patch in this series.
- if a file had some form of licensing information in it, and was one
of the */uapi/* ones, it was denoted with the Linux-syscall-note if
any GPL family license was found in the file or had no licensing in
it (per prior point). Results summary:
SPDX license identifier # files
---------------------------------------------------|------
GPL-2.0 WITH Linux-syscall-note 270
GPL-2.0+ WITH Linux-syscall-note 169
((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause) 21
((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) 17
LGPL-2.1+ WITH Linux-syscall-note 15
GPL-1.0+ WITH Linux-syscall-note 14
((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause) 5
LGPL-2.0+ WITH Linux-syscall-note 4
LGPL-2.1 WITH Linux-syscall-note 3
((GPL-2.0 WITH Linux-syscall-note) OR MIT) 3
((GPL-2.0 WITH Linux-syscall-note) AND MIT) 1
and that resulted in the third patch in this series.
- when the two scanners agreed on the detected license(s), that became
the concluded license(s).
- when there was disagreement between the two scanners (one detected a
license but the other didn't, or they both detected different
licenses) a manual inspection of the file occurred.
- In most cases a manual inspection of the information in the file
resulted in a clear resolution of the license that should apply (and
which scanner probably needed to revisit its heuristics).
- When it was not immediately clear, the license identifier was
confirmed with lawyers working with the Linux Foundation.
- If there was any question as to the appropriate license identifier,
the file was flagged for further research and to be revisited later
in time.
In total, over 70 hours of logged manual review was done on the
spreadsheet to determine the SPDX license identifiers to apply to the
source files by Kate, Philippe, Thomas and, in some cases, confirmation
by lawyers working with the Linux Foundation.
Kate also obtained a third independent scan of the 4.13 code base from
FOSSology, and compared selected files where the other two scanners
disagreed against that SPDX file, to see if there was new insights. The
Windriver scanner is based on an older version of FOSSology in part, so
they are related.
Thomas did random spot checks in about 500 files from the spreadsheets
for the uapi headers and agreed with SPDX license identifier in the
files he inspected. For the non-uapi files Thomas did random spot checks
in about 15000 files.
In initial set of patches against 4.14-rc6, 3 files were found to have
copy/paste license identifier errors, and have been fixed to reflect the
correct identifier.
Additionally Philippe spent 10 hours this week doing a detailed manual
inspection and review of the 12,461 patched files from the initial patch
version early this week with:
- a full scancode scan run, collecting the matched texts, detected
license ids and scores
- reviewing anything where there was a license detected (about 500+
files) to ensure that the applied SPDX license was correct
- reviewing anything where there was no detection but the patch license
was not GPL-2.0 WITH Linux-syscall-note to ensure that the applied
SPDX license was correct
This produced a worksheet with 20 files needing minor correction. This
worksheet was then exported into 3 different .csv files for the
different types of files to be modified.
These .csv files were then reviewed by Greg. Thomas wrote a script to
parse the csv files and add the proper SPDX tag to the file, in the
format that the file expected. This script was further refined by Greg
based on the output to detect more types of files automatically and to
distinguish between header and source .c files (which need different
comment types.) Finally Greg ran the script using the .csv files to
generate the patches.
Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org>
Reviewed-by: Philippe Ombredanne <pombredanne@nexb.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-01 21:07:57 +07:00
|
|
|
/* SPDX-License-Identifier: GPL-2.0 */
|
2013-08-20 01:23:07 +07:00
|
|
|
#ifndef __NET_VXLAN_H
|
|
|
|
#define __NET_VXLAN_H 1
|
|
|
|
|
2014-12-24 13:37:26 +07:00
|
|
|
#include <linux/if_vlan.h>
|
2016-06-17 02:20:44 +07:00
|
|
|
#include <net/udp_tunnel.h>
|
2015-07-21 15:43:58 +07:00
|
|
|
#include <net/dst_metadata.h>
|
2018-10-17 15:53:20 +07:00
|
|
|
#include <net/rtnetlink.h>
|
2018-10-17 15:53:22 +07:00
|
|
|
#include <net/switchdev.h>
|
2013-08-20 01:23:07 +07:00
|
|
|
|
2016-02-03 00:09:13 +07:00
|
|
|
/* VXLAN protocol (RFC 7348) header:
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* |R|R|R|R|I|R|R|R| Reserved |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | VXLAN Network Identifier (VNI) | Reserved |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
*
|
|
|
|
* I = VXLAN Network Identifier (VNI) present.
|
|
|
|
*/
|
|
|
|
struct vxlanhdr {
|
|
|
|
__be32 vx_flags;
|
|
|
|
__be32 vx_vni;
|
|
|
|
};
|
|
|
|
|
|
|
|
/* VXLAN header flags. */
|
2016-02-17 03:58:58 +07:00
|
|
|
#define VXLAN_HF_VNI cpu_to_be32(BIT(27))
|
2016-02-03 00:09:13 +07:00
|
|
|
|
|
|
|
#define VXLAN_N_VID (1u << 24)
|
|
|
|
#define VXLAN_VID_MASK (VXLAN_N_VID - 1)
|
2016-02-17 03:58:58 +07:00
|
|
|
#define VXLAN_VNI_MASK cpu_to_be32(VXLAN_VID_MASK << 8)
|
2016-02-03 00:09:13 +07:00
|
|
|
#define VXLAN_HLEN (sizeof(struct udphdr) + sizeof(struct vxlanhdr))
|
|
|
|
|
|
|
|
#define VNI_HASH_BITS 10
|
|
|
|
#define VNI_HASH_SIZE (1<<VNI_HASH_BITS)
|
|
|
|
#define FDB_HASH_BITS 8
|
|
|
|
#define FDB_HASH_SIZE (1<<FDB_HASH_BITS)
|
|
|
|
|
|
|
|
/* Remote checksum offload for VXLAN (VXLAN_F_REMCSUM_[RT]X):
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* |R|R|R|R|I|R|R|R|R|R|C| Reserved |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | VXLAN Network Identifier (VNI) |O| Csum start |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
*
|
|
|
|
* C = Remote checksum offload bit. When set indicates that the
|
|
|
|
* remote checksum offload data is present.
|
|
|
|
*
|
|
|
|
* O = Offset bit. Indicates the checksum offset relative to
|
|
|
|
* checksum start.
|
|
|
|
*
|
|
|
|
* Csum start = Checksum start divided by two.
|
|
|
|
*
|
|
|
|
* http://tools.ietf.org/html/draft-herbert-vxlan-rco
|
|
|
|
*/
|
|
|
|
|
|
|
|
/* VXLAN-RCO header flags. */
|
2016-02-17 03:58:58 +07:00
|
|
|
#define VXLAN_HF_RCO cpu_to_be32(BIT(21))
|
2016-02-03 00:09:13 +07:00
|
|
|
|
|
|
|
/* Remote checksum offload header option */
|
2016-02-17 03:58:58 +07:00
|
|
|
#define VXLAN_RCO_MASK cpu_to_be32(0x7f) /* Last byte of vni field */
|
|
|
|
#define VXLAN_RCO_UDP cpu_to_be32(0x80) /* Indicate UDP RCO (TCP when not set *) */
|
|
|
|
#define VXLAN_RCO_SHIFT 1 /* Left shift of start */
|
2016-02-03 00:09:13 +07:00
|
|
|
#define VXLAN_RCO_SHIFT_MASK ((1 << VXLAN_RCO_SHIFT) - 1)
|
2016-02-17 03:58:58 +07:00
|
|
|
#define VXLAN_MAX_REMCSUM_START (0x7f << VXLAN_RCO_SHIFT)
|
2016-02-03 00:09:13 +07:00
|
|
|
|
vxlan: Group Policy extension
Implements supports for the Group Policy VXLAN extension [0] to provide
a lightweight and simple security label mechanism across network peers
based on VXLAN. The security context and associated metadata is mapped
to/from skb->mark. This allows further mapping to a SELinux context
using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
tc, etc.
The group membership is defined by the lower 16 bits of skb->mark, the
upper 16 bits are used for flags.
SELinux allows to manage label to secure local resources. However,
distributed applications require ACLs to implemented across hosts. This
is typically achieved by matching on L2-L4 fields to identify the
original sending host and process on the receiver. On top of that,
netlabel and specifically CIPSO [1] allow to map security contexts to
universal labels. However, netlabel and CIPSO are relatively complex.
This patch provides a lightweight alternative for overlay network
environments with a trusted underlay. No additional control protocol
is required.
Host 1: Host 2:
Group A Group B Group B Group A
+-----+ +-------------+ +-------+ +-----+
| lxc | | SELinux CTX | | httpd | | VM |
+--+--+ +--+----------+ +---+---+ +--+--+
\---+---/ \----+---/
| |
+---+---+ +---+---+
| vxlan | | vxlan |
+---+---+ +---+---+
+------------------------------+
Backwards compatibility:
A VXLAN-GBP socket can receive standard VXLAN frames and will assign
the default group 0x0000 to such frames. A Linux VXLAN socket will
drop VXLAN-GBP frames. The extension is therefore disabled by default
and needs to be specifically enabled:
ip link add [...] type vxlan [...] gbp
In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
must run on a separate port number.
Examples:
iptables:
host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
OVS:
# ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
# ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'
[0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
[1] http://lwn.net/Articles/204905/
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-15 09:53:55 +07:00
|
|
|
/*
|
2016-02-03 00:09:13 +07:00
|
|
|
* VXLAN Group Based Policy Extension (VXLAN_F_GBP):
|
vxlan: Group Policy extension
Implements supports for the Group Policy VXLAN extension [0] to provide
a lightweight and simple security label mechanism across network peers
based on VXLAN. The security context and associated metadata is mapped
to/from skb->mark. This allows further mapping to a SELinux context
using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
tc, etc.
The group membership is defined by the lower 16 bits of skb->mark, the
upper 16 bits are used for flags.
SELinux allows to manage label to secure local resources. However,
distributed applications require ACLs to implemented across hosts. This
is typically achieved by matching on L2-L4 fields to identify the
original sending host and process on the receiver. On top of that,
netlabel and specifically CIPSO [1] allow to map security contexts to
universal labels. However, netlabel and CIPSO are relatively complex.
This patch provides a lightweight alternative for overlay network
environments with a trusted underlay. No additional control protocol
is required.
Host 1: Host 2:
Group A Group B Group B Group A
+-----+ +-------------+ +-------+ +-----+
| lxc | | SELinux CTX | | httpd | | VM |
+--+--+ +--+----------+ +---+---+ +--+--+
\---+---/ \----+---/
| |
+---+---+ +---+---+
| vxlan | | vxlan |
+---+---+ +---+---+
+------------------------------+
Backwards compatibility:
A VXLAN-GBP socket can receive standard VXLAN frames and will assign
the default group 0x0000 to such frames. A Linux VXLAN socket will
drop VXLAN-GBP frames. The extension is therefore disabled by default
and needs to be specifically enabled:
ip link add [...] type vxlan [...] gbp
In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
must run on a separate port number.
Examples:
iptables:
host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
OVS:
# ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
# ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'
[0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
[1] http://lwn.net/Articles/204905/
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-15 09:53:55 +07:00
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
2016-02-03 00:09:13 +07:00
|
|
|
* |G|R|R|R|I|R|R|R|R|D|R|R|A|R|R|R| Group Policy ID |
|
vxlan: Group Policy extension
Implements supports for the Group Policy VXLAN extension [0] to provide
a lightweight and simple security label mechanism across network peers
based on VXLAN. The security context and associated metadata is mapped
to/from skb->mark. This allows further mapping to a SELinux context
using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
tc, etc.
The group membership is defined by the lower 16 bits of skb->mark, the
upper 16 bits are used for flags.
SELinux allows to manage label to secure local resources. However,
distributed applications require ACLs to implemented across hosts. This
is typically achieved by matching on L2-L4 fields to identify the
original sending host and process on the receiver. On top of that,
netlabel and specifically CIPSO [1] allow to map security contexts to
universal labels. However, netlabel and CIPSO are relatively complex.
This patch provides a lightweight alternative for overlay network
environments with a trusted underlay. No additional control protocol
is required.
Host 1: Host 2:
Group A Group B Group B Group A
+-----+ +-------------+ +-------+ +-----+
| lxc | | SELinux CTX | | httpd | | VM |
+--+--+ +--+----------+ +---+---+ +--+--+
\---+---/ \----+---/
| |
+---+---+ +---+---+
| vxlan | | vxlan |
+---+---+ +---+---+
+------------------------------+
Backwards compatibility:
A VXLAN-GBP socket can receive standard VXLAN frames and will assign
the default group 0x0000 to such frames. A Linux VXLAN socket will
drop VXLAN-GBP frames. The extension is therefore disabled by default
and needs to be specifically enabled:
ip link add [...] type vxlan [...] gbp
In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
must run on a separate port number.
Examples:
iptables:
host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
OVS:
# ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
# ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'
[0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
[1] http://lwn.net/Articles/204905/
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-15 09:53:55 +07:00
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | VXLAN Network Identifier (VNI) | Reserved |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
*
|
2016-02-03 00:09:13 +07:00
|
|
|
* G = Group Policy ID present.
|
|
|
|
*
|
vxlan: Group Policy extension
Implements supports for the Group Policy VXLAN extension [0] to provide
a lightweight and simple security label mechanism across network peers
based on VXLAN. The security context and associated metadata is mapped
to/from skb->mark. This allows further mapping to a SELinux context
using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
tc, etc.
The group membership is defined by the lower 16 bits of skb->mark, the
upper 16 bits are used for flags.
SELinux allows to manage label to secure local resources. However,
distributed applications require ACLs to implemented across hosts. This
is typically achieved by matching on L2-L4 fields to identify the
original sending host and process on the receiver. On top of that,
netlabel and specifically CIPSO [1] allow to map security contexts to
universal labels. However, netlabel and CIPSO are relatively complex.
This patch provides a lightweight alternative for overlay network
environments with a trusted underlay. No additional control protocol
is required.
Host 1: Host 2:
Group A Group B Group B Group A
+-----+ +-------------+ +-------+ +-----+
| lxc | | SELinux CTX | | httpd | | VM |
+--+--+ +--+----------+ +---+---+ +--+--+
\---+---/ \----+---/
| |
+---+---+ +---+---+
| vxlan | | vxlan |
+---+---+ +---+---+
+------------------------------+
Backwards compatibility:
A VXLAN-GBP socket can receive standard VXLAN frames and will assign
the default group 0x0000 to such frames. A Linux VXLAN socket will
drop VXLAN-GBP frames. The extension is therefore disabled by default
and needs to be specifically enabled:
ip link add [...] type vxlan [...] gbp
In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
must run on a separate port number.
Examples:
iptables:
host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
OVS:
# ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
# ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'
[0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
[1] http://lwn.net/Articles/204905/
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-15 09:53:55 +07:00
|
|
|
* D = Don't Learn bit. When set, this bit indicates that the egress
|
|
|
|
* VTEP MUST NOT learn the source address of the encapsulated frame.
|
|
|
|
*
|
|
|
|
* A = Indicates that the group policy has already been applied to
|
|
|
|
* this packet. Policies MUST NOT be applied by devices when the
|
|
|
|
* A bit is set.
|
|
|
|
*
|
2016-02-03 00:09:13 +07:00
|
|
|
* https://tools.ietf.org/html/draft-smith-vxlan-group-policy
|
vxlan: Group Policy extension
Implements supports for the Group Policy VXLAN extension [0] to provide
a lightweight and simple security label mechanism across network peers
based on VXLAN. The security context and associated metadata is mapped
to/from skb->mark. This allows further mapping to a SELinux context
using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
tc, etc.
The group membership is defined by the lower 16 bits of skb->mark, the
upper 16 bits are used for flags.
SELinux allows to manage label to secure local resources. However,
distributed applications require ACLs to implemented across hosts. This
is typically achieved by matching on L2-L4 fields to identify the
original sending host and process on the receiver. On top of that,
netlabel and specifically CIPSO [1] allow to map security contexts to
universal labels. However, netlabel and CIPSO are relatively complex.
This patch provides a lightweight alternative for overlay network
environments with a trusted underlay. No additional control protocol
is required.
Host 1: Host 2:
Group A Group B Group B Group A
+-----+ +-------------+ +-------+ +-----+
| lxc | | SELinux CTX | | httpd | | VM |
+--+--+ +--+----------+ +---+---+ +--+--+
\---+---/ \----+---/
| |
+---+---+ +---+---+
| vxlan | | vxlan |
+---+---+ +---+---+
+------------------------------+
Backwards compatibility:
A VXLAN-GBP socket can receive standard VXLAN frames and will assign
the default group 0x0000 to such frames. A Linux VXLAN socket will
drop VXLAN-GBP frames. The extension is therefore disabled by default
and needs to be specifically enabled:
ip link add [...] type vxlan [...] gbp
In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
must run on a separate port number.
Examples:
iptables:
host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
OVS:
# ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
# ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'
[0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
[1] http://lwn.net/Articles/204905/
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-15 09:53:55 +07:00
|
|
|
*/
|
|
|
|
struct vxlanhdr_gbp {
|
2016-02-03 00:09:11 +07:00
|
|
|
u8 vx_flags;
|
vxlan: Group Policy extension
Implements supports for the Group Policy VXLAN extension [0] to provide
a lightweight and simple security label mechanism across network peers
based on VXLAN. The security context and associated metadata is mapped
to/from skb->mark. This allows further mapping to a SELinux context
using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
tc, etc.
The group membership is defined by the lower 16 bits of skb->mark, the
upper 16 bits are used for flags.
SELinux allows to manage label to secure local resources. However,
distributed applications require ACLs to implemented across hosts. This
is typically achieved by matching on L2-L4 fields to identify the
original sending host and process on the receiver. On top of that,
netlabel and specifically CIPSO [1] allow to map security contexts to
universal labels. However, netlabel and CIPSO are relatively complex.
This patch provides a lightweight alternative for overlay network
environments with a trusted underlay. No additional control protocol
is required.
Host 1: Host 2:
Group A Group B Group B Group A
+-----+ +-------------+ +-------+ +-----+
| lxc | | SELinux CTX | | httpd | | VM |
+--+--+ +--+----------+ +---+---+ +--+--+
\---+---/ \----+---/
| |
+---+---+ +---+---+
| vxlan | | vxlan |
+---+---+ +---+---+
+------------------------------+
Backwards compatibility:
A VXLAN-GBP socket can receive standard VXLAN frames and will assign
the default group 0x0000 to such frames. A Linux VXLAN socket will
drop VXLAN-GBP frames. The extension is therefore disabled by default
and needs to be specifically enabled:
ip link add [...] type vxlan [...] gbp
In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
must run on a separate port number.
Examples:
iptables:
host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
OVS:
# ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
# ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'
[0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
[1] http://lwn.net/Articles/204905/
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-15 09:53:55 +07:00
|
|
|
#ifdef __LITTLE_ENDIAN_BITFIELD
|
2016-02-03 00:09:11 +07:00
|
|
|
u8 reserved_flags1:3,
|
vxlan: Group Policy extension
Implements supports for the Group Policy VXLAN extension [0] to provide
a lightweight and simple security label mechanism across network peers
based on VXLAN. The security context and associated metadata is mapped
to/from skb->mark. This allows further mapping to a SELinux context
using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
tc, etc.
The group membership is defined by the lower 16 bits of skb->mark, the
upper 16 bits are used for flags.
SELinux allows to manage label to secure local resources. However,
distributed applications require ACLs to implemented across hosts. This
is typically achieved by matching on L2-L4 fields to identify the
original sending host and process on the receiver. On top of that,
netlabel and specifically CIPSO [1] allow to map security contexts to
universal labels. However, netlabel and CIPSO are relatively complex.
This patch provides a lightweight alternative for overlay network
environments with a trusted underlay. No additional control protocol
is required.
Host 1: Host 2:
Group A Group B Group B Group A
+-----+ +-------------+ +-------+ +-----+
| lxc | | SELinux CTX | | httpd | | VM |
+--+--+ +--+----------+ +---+---+ +--+--+
\---+---/ \----+---/
| |
+---+---+ +---+---+
| vxlan | | vxlan |
+---+---+ +---+---+
+------------------------------+
Backwards compatibility:
A VXLAN-GBP socket can receive standard VXLAN frames and will assign
the default group 0x0000 to such frames. A Linux VXLAN socket will
drop VXLAN-GBP frames. The extension is therefore disabled by default
and needs to be specifically enabled:
ip link add [...] type vxlan [...] gbp
In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
must run on a separate port number.
Examples:
iptables:
host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
OVS:
# ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
# ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'
[0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
[1] http://lwn.net/Articles/204905/
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-15 09:53:55 +07:00
|
|
|
policy_applied:1,
|
|
|
|
reserved_flags2:2,
|
|
|
|
dont_learn:1,
|
|
|
|
reserved_flags3:1;
|
|
|
|
#elif defined(__BIG_ENDIAN_BITFIELD)
|
2016-02-03 00:09:11 +07:00
|
|
|
u8 reserved_flags1:1,
|
vxlan: Group Policy extension
Implements supports for the Group Policy VXLAN extension [0] to provide
a lightweight and simple security label mechanism across network peers
based on VXLAN. The security context and associated metadata is mapped
to/from skb->mark. This allows further mapping to a SELinux context
using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
tc, etc.
The group membership is defined by the lower 16 bits of skb->mark, the
upper 16 bits are used for flags.
SELinux allows to manage label to secure local resources. However,
distributed applications require ACLs to implemented across hosts. This
is typically achieved by matching on L2-L4 fields to identify the
original sending host and process on the receiver. On top of that,
netlabel and specifically CIPSO [1] allow to map security contexts to
universal labels. However, netlabel and CIPSO are relatively complex.
This patch provides a lightweight alternative for overlay network
environments with a trusted underlay. No additional control protocol
is required.
Host 1: Host 2:
Group A Group B Group B Group A
+-----+ +-------------+ +-------+ +-----+
| lxc | | SELinux CTX | | httpd | | VM |
+--+--+ +--+----------+ +---+---+ +--+--+
\---+---/ \----+---/
| |
+---+---+ +---+---+
| vxlan | | vxlan |
+---+---+ +---+---+
+------------------------------+
Backwards compatibility:
A VXLAN-GBP socket can receive standard VXLAN frames and will assign
the default group 0x0000 to such frames. A Linux VXLAN socket will
drop VXLAN-GBP frames. The extension is therefore disabled by default
and needs to be specifically enabled:
ip link add [...] type vxlan [...] gbp
In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
must run on a separate port number.
Examples:
iptables:
host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
OVS:
# ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
# ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'
[0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
[1] http://lwn.net/Articles/204905/
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-15 09:53:55 +07:00
|
|
|
dont_learn:1,
|
|
|
|
reserved_flags2:2,
|
|
|
|
policy_applied:1,
|
|
|
|
reserved_flags3:3;
|
|
|
|
#else
|
|
|
|
#error "Please fix <asm/byteorder.h>"
|
|
|
|
#endif
|
|
|
|
__be16 policy_id;
|
|
|
|
__be32 vx_vni;
|
|
|
|
};
|
|
|
|
|
2016-02-03 00:09:13 +07:00
|
|
|
/* VXLAN-GBP header flags. */
|
2016-02-17 03:58:58 +07:00
|
|
|
#define VXLAN_HF_GBP cpu_to_be32(BIT(31))
|
2016-02-03 00:09:13 +07:00
|
|
|
|
2016-02-17 03:58:58 +07:00
|
|
|
#define VXLAN_GBP_USED_BITS (VXLAN_HF_GBP | cpu_to_be32(0xFFFFFF))
|
vxlan: Group Policy extension
Implements supports for the Group Policy VXLAN extension [0] to provide
a lightweight and simple security label mechanism across network peers
based on VXLAN. The security context and associated metadata is mapped
to/from skb->mark. This allows further mapping to a SELinux context
using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
tc, etc.
The group membership is defined by the lower 16 bits of skb->mark, the
upper 16 bits are used for flags.
SELinux allows to manage label to secure local resources. However,
distributed applications require ACLs to implemented across hosts. This
is typically achieved by matching on L2-L4 fields to identify the
original sending host and process on the receiver. On top of that,
netlabel and specifically CIPSO [1] allow to map security contexts to
universal labels. However, netlabel and CIPSO are relatively complex.
This patch provides a lightweight alternative for overlay network
environments with a trusted underlay. No additional control protocol
is required.
Host 1: Host 2:
Group A Group B Group B Group A
+-----+ +-------------+ +-------+ +-----+
| lxc | | SELinux CTX | | httpd | | VM |
+--+--+ +--+----------+ +---+---+ +--+--+
\---+---/ \----+---/
| |
+---+---+ +---+---+
| vxlan | | vxlan |
+---+---+ +---+---+
+------------------------------+
Backwards compatibility:
A VXLAN-GBP socket can receive standard VXLAN frames and will assign
the default group 0x0000 to such frames. A Linux VXLAN socket will
drop VXLAN-GBP frames. The extension is therefore disabled by default
and needs to be specifically enabled:
ip link add [...] type vxlan [...] gbp
In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
must run on a separate port number.
Examples:
iptables:
host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
OVS:
# ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
# ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'
[0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
[1] http://lwn.net/Articles/204905/
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-15 09:53:55 +07:00
|
|
|
|
|
|
|
/* skb->mark mapping
|
|
|
|
*
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* |R|R|R|R|R|R|R|R|R|D|R|R|A|R|R|R| Group Policy ID |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
*/
|
|
|
|
#define VXLAN_GBP_DONT_LEARN (BIT(6) << 16)
|
|
|
|
#define VXLAN_GBP_POLICY_APPLIED (BIT(3) << 16)
|
|
|
|
#define VXLAN_GBP_ID_MASK (0xFFFF)
|
|
|
|
|
vxlan: implement GPE
Implement VXLAN-GPE. Only COLLECT_METADATA is supported for now (it is
possible to support static configuration, too, if there is demand for it).
The GPE header parsing has to be moved before iptunnel_pull_header, as we
need to know the protocol.
v2: Removed what was called "L2 mode" in v1 of the patchset. Only "L3 mode"
(now called "raw mode") is added by this patch. This mode does not allow
Ethernet header to be encapsulated in VXLAN-GPE when using ip route to
specify the encapsulation, IP header is encapsulated instead. The patch
does support Ethernet to be encapsulated, though, using ETH_P_TEB in
skb->protocol. This will be utilized by other COLLECT_METADATA users
(openvswitch in particular).
If there is ever demand for Ethernet encapsulation with VXLAN-GPE using
ip route, it's easy to add a new flag switching the interface to
"Ethernet mode" (called "L2 mode" in v1 of this patchset). For now,
leave this out, it seems we don't need it.
Disallowed more flag combinations, especially RCO with GPE.
Added comment explaining that GBP and GPE cannot be set together.
Signed-off-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-04-05 19:47:13 +07:00
|
|
|
/*
|
|
|
|
* VXLAN Generic Protocol Extension (VXLAN_F_GPE):
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* |R|R|Ver|I|P|R|O| Reserved |Next Protocol |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | VXLAN Network Identifier (VNI) | Reserved |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
*
|
|
|
|
* Ver = Version. Indicates VXLAN GPE protocol version.
|
|
|
|
*
|
|
|
|
* P = Next Protocol Bit. The P bit is set to indicate that the
|
|
|
|
* Next Protocol field is present.
|
|
|
|
*
|
|
|
|
* O = OAM Flag Bit. The O bit is set to indicate that the packet
|
|
|
|
* is an OAM packet.
|
|
|
|
*
|
|
|
|
* Next Protocol = This 8 bit field indicates the protocol header
|
|
|
|
* immediately following the VXLAN GPE header.
|
|
|
|
*
|
|
|
|
* https://tools.ietf.org/html/draft-ietf-nvo3-vxlan-gpe-01
|
|
|
|
*/
|
|
|
|
|
|
|
|
struct vxlanhdr_gpe {
|
|
|
|
#if defined(__LITTLE_ENDIAN_BITFIELD)
|
|
|
|
u8 oam_flag:1,
|
|
|
|
reserved_flags1:1,
|
|
|
|
np_applied:1,
|
|
|
|
instance_applied:1,
|
|
|
|
version:2,
|
2018-01-03 05:05:19 +07:00
|
|
|
reserved_flags2:2;
|
vxlan: implement GPE
Implement VXLAN-GPE. Only COLLECT_METADATA is supported for now (it is
possible to support static configuration, too, if there is demand for it).
The GPE header parsing has to be moved before iptunnel_pull_header, as we
need to know the protocol.
v2: Removed what was called "L2 mode" in v1 of the patchset. Only "L3 mode"
(now called "raw mode") is added by this patch. This mode does not allow
Ethernet header to be encapsulated in VXLAN-GPE when using ip route to
specify the encapsulation, IP header is encapsulated instead. The patch
does support Ethernet to be encapsulated, though, using ETH_P_TEB in
skb->protocol. This will be utilized by other COLLECT_METADATA users
(openvswitch in particular).
If there is ever demand for Ethernet encapsulation with VXLAN-GPE using
ip route, it's easy to add a new flag switching the interface to
"Ethernet mode" (called "L2 mode" in v1 of this patchset). For now,
leave this out, it seems we don't need it.
Disallowed more flag combinations, especially RCO with GPE.
Added comment explaining that GBP and GPE cannot be set together.
Signed-off-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-04-05 19:47:13 +07:00
|
|
|
#elif defined(__BIG_ENDIAN_BITFIELD)
|
|
|
|
u8 reserved_flags2:2,
|
|
|
|
version:2,
|
|
|
|
instance_applied:1,
|
|
|
|
np_applied:1,
|
|
|
|
reserved_flags1:1,
|
|
|
|
oam_flag:1;
|
|
|
|
#endif
|
|
|
|
u8 reserved_flags3;
|
|
|
|
u8 reserved_flags4;
|
|
|
|
u8 next_protocol;
|
|
|
|
__be32 vx_vni;
|
|
|
|
};
|
|
|
|
|
|
|
|
/* VXLAN-GPE header flags. */
|
|
|
|
#define VXLAN_HF_VER cpu_to_be32(BIT(29) | BIT(28))
|
|
|
|
#define VXLAN_HF_NP cpu_to_be32(BIT(26))
|
|
|
|
#define VXLAN_HF_OAM cpu_to_be32(BIT(24))
|
|
|
|
|
|
|
|
#define VXLAN_GPE_USED_BITS (VXLAN_HF_VER | VXLAN_HF_NP | VXLAN_HF_OAM | \
|
|
|
|
cpu_to_be32(0xff))
|
|
|
|
|
vxlan: Group Policy extension
Implements supports for the Group Policy VXLAN extension [0] to provide
a lightweight and simple security label mechanism across network peers
based on VXLAN. The security context and associated metadata is mapped
to/from skb->mark. This allows further mapping to a SELinux context
using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
tc, etc.
The group membership is defined by the lower 16 bits of skb->mark, the
upper 16 bits are used for flags.
SELinux allows to manage label to secure local resources. However,
distributed applications require ACLs to implemented across hosts. This
is typically achieved by matching on L2-L4 fields to identify the
original sending host and process on the receiver. On top of that,
netlabel and specifically CIPSO [1] allow to map security contexts to
universal labels. However, netlabel and CIPSO are relatively complex.
This patch provides a lightweight alternative for overlay network
environments with a trusted underlay. No additional control protocol
is required.
Host 1: Host 2:
Group A Group B Group B Group A
+-----+ +-------------+ +-------+ +-----+
| lxc | | SELinux CTX | | httpd | | VM |
+--+--+ +--+----------+ +---+---+ +--+--+
\---+---/ \----+---/
| |
+---+---+ +---+---+
| vxlan | | vxlan |
+---+---+ +---+---+
+------------------------------+
Backwards compatibility:
A VXLAN-GBP socket can receive standard VXLAN frames and will assign
the default group 0x0000 to such frames. A Linux VXLAN socket will
drop VXLAN-GBP frames. The extension is therefore disabled by default
and needs to be specifically enabled:
ip link add [...] type vxlan [...] gbp
In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
must run on a separate port number.
Examples:
iptables:
host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
OVS:
# ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
# ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'
[0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
[1] http://lwn.net/Articles/204905/
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-15 09:53:55 +07:00
|
|
|
struct vxlan_metadata {
|
|
|
|
u32 gbp;
|
|
|
|
};
|
|
|
|
|
2013-08-20 01:23:07 +07:00
|
|
|
/* per UDP socket information */
|
|
|
|
struct vxlan_sock {
|
|
|
|
struct hlist_node hlist;
|
|
|
|
struct socket *sock;
|
|
|
|
struct hlist_head vni_list[VNI_HASH_SIZE];
|
2017-07-04 19:52:59 +07:00
|
|
|
refcount_t refcnt;
|
2015-01-13 08:00:38 +07:00
|
|
|
u32 flags;
|
2013-08-20 01:23:07 +07:00
|
|
|
};
|
|
|
|
|
2015-07-21 15:44:02 +07:00
|
|
|
union vxlan_addr {
|
|
|
|
struct sockaddr_in sin;
|
|
|
|
struct sockaddr_in6 sin6;
|
|
|
|
struct sockaddr sa;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct vxlan_rdst {
|
|
|
|
union vxlan_addr remote_ip;
|
|
|
|
__be16 remote_port;
|
2018-10-17 15:53:26 +07:00
|
|
|
u8 offloaded:1;
|
2016-02-17 03:58:58 +07:00
|
|
|
__be32 remote_vni;
|
2015-07-21 15:44:02 +07:00
|
|
|
u32 remote_ifindex;
|
|
|
|
struct list_head list;
|
|
|
|
struct rcu_head rcu;
|
2016-02-12 21:43:56 +07:00
|
|
|
struct dst_cache dst_cache;
|
2015-07-21 15:44:02 +07:00
|
|
|
};
|
|
|
|
|
|
|
|
struct vxlan_config {
|
|
|
|
union vxlan_addr remote_ip;
|
|
|
|
union vxlan_addr saddr;
|
2016-02-17 03:58:58 +07:00
|
|
|
__be32 vni;
|
2015-07-21 15:44:02 +07:00
|
|
|
int remote_ifindex;
|
|
|
|
int mtu;
|
|
|
|
__be16 dst_port;
|
2016-02-03 00:09:11 +07:00
|
|
|
u16 port_min;
|
|
|
|
u16 port_max;
|
|
|
|
u8 tos;
|
|
|
|
u8 ttl;
|
2016-03-09 09:00:03 +07:00
|
|
|
__be32 label;
|
2015-07-21 15:44:02 +07:00
|
|
|
u32 flags;
|
|
|
|
unsigned long age_interval;
|
|
|
|
unsigned int addrmax;
|
|
|
|
bool no_share;
|
vxlan: Allow configuration of DF behaviour
Allow users to set the IPv4 DF bit in outgoing packets, or to inherit its
value from the IPv4 inner header. If the encapsulated protocol is IPv6 and
DF is configured to be inherited, always set it.
For IPv4, inheriting DF from the inner header was probably intended from
the very beginning judging by the comment to vxlan_xmit(), but it wasn't
actually implemented -- also because it would have done more harm than
good, without handling for ICMP Fragmentation Needed messages.
According to RFC 7348, "Path MTU discovery MAY be used". An expired RFC
draft, draft-saum-nvo3-pmtud-over-vxlan-05, whose purpose was to describe
PMTUD implementation, says that "is a MUST that Vxlan gateways [...]
SHOULD set the DF-bit [...]", whatever that means.
Given this background, the only sane option is probably to let the user
decide, and keep the current behaviour as default.
This only applies to non-lwt tunnels: if an external control plane is
used, tunnel key will still control the DF flag.
v2:
- DF behaviour configuration only applies for non-lwt tunnels, move DF
setting to if (!info) block in vxlan_xmit_one() (Stephen Hemminger)
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-11-08 18:19:16 +07:00
|
|
|
enum ifla_vxlan_df df;
|
2015-07-21 15:44:02 +07:00
|
|
|
};
|
|
|
|
|
2017-07-03 00:00:57 +07:00
|
|
|
struct vxlan_dev_node {
|
|
|
|
struct hlist_node hlist;
|
|
|
|
struct vxlan_dev *vxlan;
|
|
|
|
};
|
|
|
|
|
2015-07-21 15:44:02 +07:00
|
|
|
/* Pseudo network device */
|
|
|
|
struct vxlan_dev {
|
2017-07-03 00:00:57 +07:00
|
|
|
struct vxlan_dev_node hlist4; /* vni hash table for IPv4 socket */
|
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
|
|
|
struct vxlan_dev_node hlist6; /* vni hash table for IPv6 socket */
|
|
|
|
#endif
|
2015-07-21 15:44:02 +07:00
|
|
|
struct list_head next; /* vxlan's per namespace list */
|
2016-10-28 23:59:15 +07:00
|
|
|
struct vxlan_sock __rcu *vn4_sock; /* listening socket for IPv4 */
|
2015-09-24 18:50:02 +07:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
2016-10-28 23:59:15 +07:00
|
|
|
struct vxlan_sock __rcu *vn6_sock; /* listening socket for IPv6 */
|
2015-09-24 18:50:02 +07:00
|
|
|
#endif
|
2015-07-21 15:44:02 +07:00
|
|
|
struct net_device *dev;
|
|
|
|
struct net *net; /* netns for packet i/o */
|
|
|
|
struct vxlan_rdst default_dst; /* default destination */
|
|
|
|
|
|
|
|
struct timer_list age_timer;
|
|
|
|
spinlock_t hash_lock;
|
|
|
|
unsigned int addrcnt;
|
2015-08-20 07:07:33 +07:00
|
|
|
struct gro_cells gro_cells;
|
2015-07-21 15:44:02 +07:00
|
|
|
|
|
|
|
struct vxlan_config cfg;
|
|
|
|
|
|
|
|
struct hlist_head fdb_head[FDB_HASH_SIZE];
|
|
|
|
};
|
|
|
|
|
2014-06-05 07:20:29 +07:00
|
|
|
#define VXLAN_F_LEARN 0x01
|
|
|
|
#define VXLAN_F_PROXY 0x02
|
|
|
|
#define VXLAN_F_RSC 0x04
|
|
|
|
#define VXLAN_F_L2MISS 0x08
|
|
|
|
#define VXLAN_F_L3MISS 0x10
|
|
|
|
#define VXLAN_F_IPV6 0x20
|
2016-02-20 02:26:31 +07:00
|
|
|
#define VXLAN_F_UDP_ZERO_CSUM_TX 0x40
|
2014-06-05 07:20:29 +07:00
|
|
|
#define VXLAN_F_UDP_ZERO_CSUM6_TX 0x80
|
|
|
|
#define VXLAN_F_UDP_ZERO_CSUM6_RX 0x100
|
2015-01-13 08:00:38 +07:00
|
|
|
#define VXLAN_F_REMCSUM_TX 0x200
|
|
|
|
#define VXLAN_F_REMCSUM_RX 0x400
|
vxlan: Group Policy extension
Implements supports for the Group Policy VXLAN extension [0] to provide
a lightweight and simple security label mechanism across network peers
based on VXLAN. The security context and associated metadata is mapped
to/from skb->mark. This allows further mapping to a SELinux context
using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
tc, etc.
The group membership is defined by the lower 16 bits of skb->mark, the
upper 16 bits are used for flags.
SELinux allows to manage label to secure local resources. However,
distributed applications require ACLs to implemented across hosts. This
is typically achieved by matching on L2-L4 fields to identify the
original sending host and process on the receiver. On top of that,
netlabel and specifically CIPSO [1] allow to map security contexts to
universal labels. However, netlabel and CIPSO are relatively complex.
This patch provides a lightweight alternative for overlay network
environments with a trusted underlay. No additional control protocol
is required.
Host 1: Host 2:
Group A Group B Group B Group A
+-----+ +-------------+ +-------+ +-----+
| lxc | | SELinux CTX | | httpd | | VM |
+--+--+ +--+----------+ +---+---+ +--+--+
\---+---/ \----+---/
| |
+---+---+ +---+---+
| vxlan | | vxlan |
+---+---+ +---+---+
+------------------------------+
Backwards compatibility:
A VXLAN-GBP socket can receive standard VXLAN frames and will assign
the default group 0x0000 to such frames. A Linux VXLAN socket will
drop VXLAN-GBP frames. The extension is therefore disabled by default
and needs to be specifically enabled:
ip link add [...] type vxlan [...] gbp
In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
must run on a separate port number.
Examples:
iptables:
host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
OVS:
# ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
# ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'
[0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
[1] http://lwn.net/Articles/204905/
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-15 09:53:55 +07:00
|
|
|
#define VXLAN_F_GBP 0x800
|
2015-02-11 07:30:32 +07:00
|
|
|
#define VXLAN_F_REMCSUM_NOPARTIAL 0x1000
|
2015-07-21 15:43:58 +07:00
|
|
|
#define VXLAN_F_COLLECT_METADATA 0x2000
|
vxlan: implement GPE
Implement VXLAN-GPE. Only COLLECT_METADATA is supported for now (it is
possible to support static configuration, too, if there is demand for it).
The GPE header parsing has to be moved before iptunnel_pull_header, as we
need to know the protocol.
v2: Removed what was called "L2 mode" in v1 of the patchset. Only "L3 mode"
(now called "raw mode") is added by this patch. This mode does not allow
Ethernet header to be encapsulated in VXLAN-GPE when using ip route to
specify the encapsulation, IP header is encapsulated instead. The patch
does support Ethernet to be encapsulated, though, using ETH_P_TEB in
skb->protocol. This will be utilized by other COLLECT_METADATA users
(openvswitch in particular).
If there is ever demand for Ethernet encapsulation with VXLAN-GPE using
ip route, it's easy to add a new flag switching the interface to
"Ethernet mode" (called "L2 mode" in v1 of this patchset). For now,
leave this out, it seems we don't need it.
Disallowed more flag combinations, especially RCO with GPE.
Added comment explaining that GBP and GPE cannot be set together.
Signed-off-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-04-05 19:47:13 +07:00
|
|
|
#define VXLAN_F_GPE 0x4000
|
2017-06-19 15:03:58 +07:00
|
|
|
#define VXLAN_F_IPV6_LINKLOCAL 0x8000
|
2018-04-17 13:11:28 +07:00
|
|
|
#define VXLAN_F_TTL_INHERIT 0x10000
|
2014-06-05 07:20:29 +07:00
|
|
|
|
2015-03-12 09:00:10 +07:00
|
|
|
/* Flags that are used in the receive path. These flags must match in
|
2015-01-21 02:23:05 +07:00
|
|
|
* order for a socket to be shareable
|
|
|
|
*/
|
|
|
|
#define VXLAN_F_RCV_FLAGS (VXLAN_F_GBP | \
|
vxlan: implement GPE
Implement VXLAN-GPE. Only COLLECT_METADATA is supported for now (it is
possible to support static configuration, too, if there is demand for it).
The GPE header parsing has to be moved before iptunnel_pull_header, as we
need to know the protocol.
v2: Removed what was called "L2 mode" in v1 of the patchset. Only "L3 mode"
(now called "raw mode") is added by this patch. This mode does not allow
Ethernet header to be encapsulated in VXLAN-GPE when using ip route to
specify the encapsulation, IP header is encapsulated instead. The patch
does support Ethernet to be encapsulated, though, using ETH_P_TEB in
skb->protocol. This will be utilized by other COLLECT_METADATA users
(openvswitch in particular).
If there is ever demand for Ethernet encapsulation with VXLAN-GPE using
ip route, it's easy to add a new flag switching the interface to
"Ethernet mode" (called "L2 mode" in v1 of this patchset). For now,
leave this out, it seems we don't need it.
Disallowed more flag combinations, especially RCO with GPE.
Added comment explaining that GBP and GPE cannot be set together.
Signed-off-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-04-05 19:47:13 +07:00
|
|
|
VXLAN_F_GPE | \
|
2015-01-21 02:23:05 +07:00
|
|
|
VXLAN_F_UDP_ZERO_CSUM6_RX | \
|
2015-02-11 07:30:32 +07:00
|
|
|
VXLAN_F_REMCSUM_RX | \
|
2015-07-21 15:43:58 +07:00
|
|
|
VXLAN_F_REMCSUM_NOPARTIAL | \
|
2015-08-05 12:51:07 +07:00
|
|
|
VXLAN_F_COLLECT_METADATA)
|
2015-01-15 09:53:56 +07:00
|
|
|
|
vxlan: implement GPE
Implement VXLAN-GPE. Only COLLECT_METADATA is supported for now (it is
possible to support static configuration, too, if there is demand for it).
The GPE header parsing has to be moved before iptunnel_pull_header, as we
need to know the protocol.
v2: Removed what was called "L2 mode" in v1 of the patchset. Only "L3 mode"
(now called "raw mode") is added by this patch. This mode does not allow
Ethernet header to be encapsulated in VXLAN-GPE when using ip route to
specify the encapsulation, IP header is encapsulated instead. The patch
does support Ethernet to be encapsulated, though, using ETH_P_TEB in
skb->protocol. This will be utilized by other COLLECT_METADATA users
(openvswitch in particular).
If there is ever demand for Ethernet encapsulation with VXLAN-GPE using
ip route, it's easy to add a new flag switching the interface to
"Ethernet mode" (called "L2 mode" in v1 of this patchset). For now,
leave this out, it seems we don't need it.
Disallowed more flag combinations, especially RCO with GPE.
Added comment explaining that GBP and GPE cannot be set together.
Signed-off-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-04-05 19:47:13 +07:00
|
|
|
/* Flags that can be set together with VXLAN_F_GPE. */
|
|
|
|
#define VXLAN_F_ALLOWED_GPE (VXLAN_F_GPE | \
|
|
|
|
VXLAN_F_IPV6 | \
|
2017-06-19 15:03:58 +07:00
|
|
|
VXLAN_F_IPV6_LINKLOCAL | \
|
vxlan: implement GPE
Implement VXLAN-GPE. Only COLLECT_METADATA is supported for now (it is
possible to support static configuration, too, if there is demand for it).
The GPE header parsing has to be moved before iptunnel_pull_header, as we
need to know the protocol.
v2: Removed what was called "L2 mode" in v1 of the patchset. Only "L3 mode"
(now called "raw mode") is added by this patch. This mode does not allow
Ethernet header to be encapsulated in VXLAN-GPE when using ip route to
specify the encapsulation, IP header is encapsulated instead. The patch
does support Ethernet to be encapsulated, though, using ETH_P_TEB in
skb->protocol. This will be utilized by other COLLECT_METADATA users
(openvswitch in particular).
If there is ever demand for Ethernet encapsulation with VXLAN-GPE using
ip route, it's easy to add a new flag switching the interface to
"Ethernet mode" (called "L2 mode" in v1 of this patchset). For now,
leave this out, it seems we don't need it.
Disallowed more flag combinations, especially RCO with GPE.
Added comment explaining that GBP and GPE cannot be set together.
Signed-off-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-04-05 19:47:13 +07:00
|
|
|
VXLAN_F_UDP_ZERO_CSUM_TX | \
|
|
|
|
VXLAN_F_UDP_ZERO_CSUM6_TX | \
|
|
|
|
VXLAN_F_UDP_ZERO_CSUM6_RX | \
|
|
|
|
VXLAN_F_COLLECT_METADATA)
|
|
|
|
|
2015-07-21 15:44:02 +07:00
|
|
|
struct net_device *vxlan_dev_create(struct net *net, const char *name,
|
|
|
|
u8 name_assign_type, struct vxlan_config *conf);
|
|
|
|
|
2014-12-24 13:37:26 +07:00
|
|
|
static inline netdev_features_t vxlan_features_check(struct sk_buff *skb,
|
|
|
|
netdev_features_t features)
|
2014-11-18 07:24:54 +07:00
|
|
|
{
|
2014-12-24 13:37:26 +07:00
|
|
|
u8 l4_hdr = 0;
|
|
|
|
|
|
|
|
if (!skb->encapsulation)
|
|
|
|
return features;
|
|
|
|
|
|
|
|
switch (vlan_get_protocol(skb)) {
|
|
|
|
case htons(ETH_P_IP):
|
|
|
|
l4_hdr = ip_hdr(skb)->protocol;
|
|
|
|
break;
|
|
|
|
case htons(ETH_P_IPV6):
|
|
|
|
l4_hdr = ipv6_hdr(skb)->nexthdr;
|
|
|
|
break;
|
|
|
|
default:
|
2018-01-16 22:03:32 +07:00
|
|
|
return features;
|
2014-12-24 13:37:26 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
if ((l4_hdr == IPPROTO_UDP) &&
|
2014-11-18 07:24:54 +07:00
|
|
|
(skb->inner_protocol_type != ENCAP_TYPE_ETHER ||
|
|
|
|
skb->inner_protocol != htons(ETH_P_TEB) ||
|
|
|
|
(skb_inner_mac_header(skb) - skb_transport_header(skb) !=
|
2016-05-02 23:25:16 +07:00
|
|
|
sizeof(struct udphdr) + sizeof(struct vxlanhdr)) ||
|
|
|
|
(skb->ip_summed != CHECKSUM_NONE &&
|
|
|
|
!can_checksum_protocol(features, inner_eth_hdr(skb)->h_proto))))
|
2015-12-15 02:19:43 +07:00
|
|
|
return features & ~(NETIF_F_CSUM_MASK | NETIF_F_GSO_MASK);
|
2014-11-18 07:24:54 +07:00
|
|
|
|
2014-12-24 13:37:26 +07:00
|
|
|
return features;
|
2014-11-18 07:24:54 +07:00
|
|
|
}
|
2014-11-14 07:38:12 +07:00
|
|
|
|
2013-10-24 13:27:10 +07:00
|
|
|
/* IP header + UDP + VXLAN + Ethernet header */
|
|
|
|
#define VXLAN_HEADROOM (20 + 8 + 8 + 14)
|
|
|
|
/* IPv6 header + UDP + VXLAN + Ethernet header */
|
|
|
|
#define VXLAN6_HEADROOM (40 + 8 + 8 + 14)
|
|
|
|
|
2016-02-17 03:58:57 +07:00
|
|
|
static inline struct vxlanhdr *vxlan_hdr(struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
return (struct vxlanhdr *)(udp_hdr(skb) + 1);
|
|
|
|
}
|
|
|
|
|
2016-02-17 03:58:58 +07:00
|
|
|
static inline __be32 vxlan_vni(__be32 vni_field)
|
|
|
|
{
|
|
|
|
#if defined(__BIG_ENDIAN)
|
2016-03-21 23:39:18 +07:00
|
|
|
return (__force __be32)((__force u32)vni_field >> 8);
|
2016-02-17 03:58:58 +07:00
|
|
|
#else
|
2016-03-21 23:39:18 +07:00
|
|
|
return (__force __be32)((__force u32)(vni_field & VXLAN_VNI_MASK) << 8);
|
2016-02-17 03:58:58 +07:00
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline __be32 vxlan_vni_field(__be32 vni)
|
|
|
|
{
|
|
|
|
#if defined(__BIG_ENDIAN)
|
2016-03-21 23:39:18 +07:00
|
|
|
return (__force __be32)((__force u32)vni << 8);
|
2016-02-17 03:58:58 +07:00
|
|
|
#else
|
2016-03-21 23:39:18 +07:00
|
|
|
return (__force __be32)((__force u32)vni >> 8);
|
2016-02-17 03:58:58 +07:00
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline size_t vxlan_rco_start(__be32 vni_field)
|
|
|
|
{
|
|
|
|
return be32_to_cpu(vni_field & VXLAN_RCO_MASK) << VXLAN_RCO_SHIFT;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline size_t vxlan_rco_offset(__be32 vni_field)
|
|
|
|
{
|
|
|
|
return (vni_field & VXLAN_RCO_UDP) ?
|
|
|
|
offsetof(struct udphdr, check) :
|
|
|
|
offsetof(struct tcphdr, check);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline __be32 vxlan_compute_rco(unsigned int start, unsigned int offset)
|
|
|
|
{
|
|
|
|
__be32 vni_field = cpu_to_be32(start >> VXLAN_RCO_SHIFT);
|
|
|
|
|
|
|
|
if (offset == offsetof(struct udphdr, check))
|
|
|
|
vni_field |= VXLAN_RCO_UDP;
|
|
|
|
return vni_field;
|
|
|
|
}
|
|
|
|
|
2015-08-20 18:56:28 +07:00
|
|
|
static inline unsigned short vxlan_get_sk_family(struct vxlan_sock *vs)
|
|
|
|
{
|
|
|
|
return vs->sock->sk->sk_family;
|
|
|
|
}
|
2015-08-25 23:36:50 +07:00
|
|
|
|
2018-10-17 15:53:10 +07:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
|
|
|
|
|
|
|
static inline bool vxlan_addr_any(const union vxlan_addr *ipa)
|
|
|
|
{
|
|
|
|
if (ipa->sa.sa_family == AF_INET6)
|
|
|
|
return ipv6_addr_any(&ipa->sin6.sin6_addr);
|
|
|
|
else
|
|
|
|
return ipa->sin.sin_addr.s_addr == htonl(INADDR_ANY);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline bool vxlan_addr_multicast(const union vxlan_addr *ipa)
|
|
|
|
{
|
|
|
|
if (ipa->sa.sa_family == AF_INET6)
|
|
|
|
return ipv6_addr_is_multicast(&ipa->sin6.sin6_addr);
|
|
|
|
else
|
|
|
|
return IN_MULTICAST(ntohl(ipa->sin.sin_addr.s_addr));
|
|
|
|
}
|
|
|
|
|
|
|
|
#else /* !IS_ENABLED(CONFIG_IPV6) */
|
|
|
|
|
|
|
|
static inline bool vxlan_addr_any(const union vxlan_addr *ipa)
|
|
|
|
{
|
|
|
|
return ipa->sin.sin_addr.s_addr == htonl(INADDR_ANY);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline bool vxlan_addr_multicast(const union vxlan_addr *ipa)
|
|
|
|
{
|
|
|
|
return IN_MULTICAST(ntohl(ipa->sin.sin_addr.s_addr));
|
|
|
|
}
|
|
|
|
|
|
|
|
#endif /* IS_ENABLED(CONFIG_IPV6) */
|
|
|
|
|
2018-10-17 15:53:20 +07:00
|
|
|
static inline bool netif_is_vxlan(const struct net_device *dev)
|
|
|
|
{
|
|
|
|
return dev->rtnl_link_ops &&
|
|
|
|
!strcmp(dev->rtnl_link_ops->kind, "vxlan");
|
|
|
|
}
|
|
|
|
|
2018-10-17 15:53:22 +07:00
|
|
|
struct switchdev_notifier_vxlan_fdb_info {
|
|
|
|
struct switchdev_notifier_info info; /* must be first */
|
|
|
|
union vxlan_addr remote_ip;
|
|
|
|
__be16 remote_port;
|
|
|
|
__be32 remote_vni;
|
|
|
|
u32 remote_ifindex;
|
|
|
|
u8 eth_addr[ETH_ALEN];
|
|
|
|
__be32 vni;
|
2018-10-17 15:53:26 +07:00
|
|
|
bool offloaded;
|
2018-11-21 15:02:36 +07:00
|
|
|
bool added_by_user;
|
2018-10-17 15:53:22 +07:00
|
|
|
};
|
|
|
|
|
2018-10-17 15:53:24 +07:00
|
|
|
#if IS_ENABLED(CONFIG_VXLAN)
|
|
|
|
int vxlan_fdb_find_uc(struct net_device *dev, const u8 *mac, __be32 vni,
|
|
|
|
struct switchdev_notifier_vxlan_fdb_info *fdb_info);
|
2018-12-08 02:55:04 +07:00
|
|
|
int vxlan_fdb_replay(const struct net_device *dev, __be32 vni,
|
|
|
|
struct notifier_block *nb);
|
2018-12-08 02:55:06 +07:00
|
|
|
void vxlan_fdb_clear_offload(const struct net_device *dev, __be32 vni);
|
2018-12-08 02:55:04 +07:00
|
|
|
|
2018-10-17 15:53:24 +07:00
|
|
|
#else
|
|
|
|
static inline int
|
|
|
|
vxlan_fdb_find_uc(struct net_device *dev, const u8 *mac, __be32 vni,
|
|
|
|
struct switchdev_notifier_vxlan_fdb_info *fdb_info)
|
|
|
|
{
|
|
|
|
return -ENOENT;
|
|
|
|
}
|
2018-12-08 02:55:04 +07:00
|
|
|
|
|
|
|
static inline int vxlan_fdb_replay(const struct net_device *dev, __be32 vni,
|
|
|
|
struct notifier_block *nb)
|
|
|
|
{
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
}
|
2018-12-08 02:55:06 +07:00
|
|
|
|
|
|
|
static inline void
|
|
|
|
vxlan_fdb_clear_offload(const struct net_device *dev, __be32 vni)
|
|
|
|
{
|
|
|
|
}
|
2018-10-17 15:53:24 +07:00
|
|
|
#endif
|
|
|
|
|
2015-08-25 23:36:50 +07:00
|
|
|
#endif
|