On Fri, Jan 30, 2015 at 6:36 AM, Thomas Graf <tg...@noironetworks.com> wrote:
> Upstream commit:
> vxlan: Group Policy extension
>
> Implements supports for the Group Policy VXLAN extension [0] to provide
> a lightweight and simple security label mechanism across network peers
> based on VXLAN. The security context and associated metadata is mapped
> to/from skb->mark. This allows further mapping to a SELinux context
> using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
> tc, etc.
>
> The group membership is defined by the lower 16 bits of skb->mark, the
> upper 16 bits are used for flags.
>
> SELinux allows to manage label to secure local resources. However,
> distributed applications require ACLs to implemented across hosts. This
> is typically achieved by matching on L2-L4 fields to identify the
> original sending host and process on the receiver. On top of that,
> netlabel and specifically CIPSO [1] allow to map security contexts to
> universal labels. However, netlabel and CIPSO are relatively complex.
> This patch provides a lightweight alternative for overlay network
> environments with a trusted underlay. No additional control protocol
> is required.
>
>       Host 1:                                        Host 2:
>
>    Group A        Group B        Group B        Group A
>    +-----+   +-------------+   +-------+   +-----+
>    | lxc |   | SELinux CTX |   | httpd |   | VM  |
>    +--+--+   +--+----------+   +---+---+   +--+--+
>        \---+---/                   \----+---/
>            |                            |
>        +---+---+                    +---+---+
>        | vxlan |                    | vxlan |
>        +---+---+                    +---+---+
>            +------------------------------+
>
> Backwards compatibility:
> A VXLAN-GBP socket can receive standard VXLAN frames and will assign
> the default group 0x0000 to such frames. A Linux VXLAN socket will
> drop VXLAN-GBP frames. The extension is therefore disabled by default
> and needs to be specifically enabled:
>
>   ip link add [...] type vxlan [...] gbp
>
> In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
> must run on a separate port number.
>
> Examples:
>   iptables:
>   host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
>   host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
>
>   OVS:
>   # ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
>   # ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'
>
> [0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
> [1] http://lwn.net/Articles/204905/
>
> Signed-off-by: Thomas Graf <tg...@suug.ch>
> Signed-off-by: David S. Miller <da...@davemloft.net>
>
> Upstream: 351149 ("vxlan: Group Policy extension")
> Signed-off-by: Thomas Graf <tg...@noironetworks.com>
Acked-by: Pravin B Shelar <pshe...@nicira.com>

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
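The header layout and the backwards-compatibility rules the quoted commit message describes, as an added example that is not part of the patch or the thread: the bit positions (G, I, D, A bits and the 16-bit Group Policy ID) follow draft-smith-vxlan-group-policy [0]; the split of skb->mark into a low-16-bit group and high-16-bit flags follows the commit text; the frames, the group value 0x200 and the host2 verdict function are constructed for illustration.

```python
import struct

# Flag word bit positions from draft-smith-vxlan-group-policy (network order, 32-bit word 1).
VXLAN_HF_GBP = 0x80000000       # G bit: Group Policy extension present
VXLAN_HF_VNI = 0x08000000       # I bit: VNI field valid (standard VXLAN)
GBP_DONT_LEARN = 0x40 << 16     # D bit: "Don't Learn"
GBP_POLICY_APPLIED = 0x08 << 16 # A bit: policy already applied
GBP_ID_MASK = 0xFFFF            # Group Policy ID occupies the low 16 bits
GBP_FLAGS_MASK = GBP_DONT_LEARN | GBP_POLICY_APPLIED


def build_vxlan_hdr(vni, mark=None):
    """Build an 8-byte VXLAN header. With mark set, act like a GBP-enabled
    sender: the low 16 bits of the mark become the Group Policy ID and the
    recognised flag bits in the upper 16 bits are copied; without a mark a
    plain (non-GBP) VXLAN header is produced."""
    flags = VXLAN_HF_VNI
    if mark is not None:
        flags |= VXLAN_HF_GBP | (mark & GBP_FLAGS_MASK) | (mark & GBP_ID_MASK)
    return struct.pack("!II", flags, (vni & 0xFFFFFF) << 8)


def parse_vxlan_hdr(hdr, gbp_enabled):
    """Receive-side view of the commit's compatibility rules.
    Returns (vni, mark) for an accepted frame, or None when the socket drops it:
    a GBP socket accepts plain VXLAN frames with the default group 0x0000,
    while a plain VXLAN socket drops any frame carrying the G bit."""
    flags, word2 = struct.unpack("!II", hdr[:8])
    if not flags & VXLAN_HF_VNI:
        return None                          # no valid VNI: not a usable frame
    vni = word2 >> 8
    if flags & VXLAN_HF_GBP:
        if not gbp_enabled:
            return None                      # "A Linux VXLAN socket will drop VXLAN-GBP frames"
        return vni, (flags & GBP_FLAGS_MASK) | (flags & GBP_ID_MASK)
    return vni, 0                            # default group 0x0000 for standard frames


def host2_input_verdict(mark, dropped_group=0x200):
    """Hypothetical stand-in for the commit's host2 rule
    'iptables -I INPUT -m mark --mark 0x200 -j DROP': match on the group
    (low 16 bits), so flag bits in the upper half do not change the result."""
    return "DROP" if (mark & GBP_ID_MASK) == dropped_group else "ACCEPT"


if __name__ == "__main__":
    frame = build_vxlan_hdr(42, 0x200)       # host1 set-mark 0x200 on uid 101 traffic
    print(parse_vxlan_hdr(frame, gbp_enabled=True), parse_vxlan_hdr(frame, gbp_enabled=False))
```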