hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linux-sg2042/drivers
History
Thomas Graf 3511494ce2 vxlan: Group Policy extension 
Implements supports for the Group Policy VXLAN extension [0] to provide
a lightweight and simple security label mechanism across network peers
based on VXLAN. The security context and associated metadata is mapped
to/from skb->mark. This allows further mapping to a SELinux context
using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
tc, etc.

The group membership is defined by the lower 16 bits of skb->mark, the
upper 16 bits are used for flags.

SELinux allows to manage label to secure local resources. However,
distributed applications require ACLs to implemented across hosts. This
is typically achieved by matching on L2-L4 fields to identify the
original sending host and process on the receiver. On top of that,
netlabel and specifically CIPSO [1] allow to map security contexts to
universal labels.  However, netlabel and CIPSO are relatively complex.
This patch provides a lightweight alternative for overlay network
environments with a trusted underlay. No additional control protocol
is required.

           Host 1:                       Host 2:

      Group A        Group B        Group B     Group A
      +-----+   +-------------+    +-------+   +-----+
      | lxc |   | SELinux CTX |    | httpd |   | VM  |
      +--+--+   +--+----------+    +---+---+   +--+--+
	  \---+---/                     \----+---/
	      |                              |
	  +---+---+                      +---+---+
	  | vxlan |                      | vxlan |
	  +---+---+                      +---+---+
	      +------------------------------+

Backwards compatibility:
A VXLAN-GBP socket can receive standard VXLAN frames and will assign
the default group 0x0000 to such frames. A Linux VXLAN socket will
drop VXLAN-GBP  frames. The extension is therefore disabled by default
and needs to be specifically enabled:

   ip link add [...] type vxlan [...] gbp

In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
must run on a separate port number.

Examples:
 iptables:
  host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
  host2# iptables -I INPUT -m mark --mark 0x200 -j DROP

 OVS:
  # ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
  # ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'

[0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
[1] http://lwn.net/Articles/204905/

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
 		2015-01-15 01:11:41 -05:00
..
accessibility
acpi Merge branch 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux 2015-01-14 07:53:51 +13:00
amba Char/Misc driver patches for 3.19-rc1 2014-12-14 16:43:47 -08:00
android
ata More ACPI and power management updates for 3.19-rc1 2014-12-18 20:28:33 -08:00
atm atm: horizon: Remove some unused functions 2015-01-13 17:28:19 -05:00
auxdisplay
base Merge branches 'pm-domains', 'powercap' and 'pm-tools' 2014-12-29 21:24:00 +01:00
bcma Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2014-12-11 17:56:37 -08:00
block NVMe: Fix locking on abort handling 2015-01-08 09:02:23 -07:00
bluetooth Bluetooth: btusb: Set the HCI_QUIRK_BROKEN_LOCAL_COMMANDS quirk 2014-12-26 20:16:13 +02:00
bus Driver core patches for 3.19-rc1 2014-12-14 16:10:09 -08:00
cdrom
char ipmi: Fix compile warning with tv_usec 2014-12-30 13:34:36 -06:00
clk GMAC: modify CRU config for Rockchip RK3288 SoCs integrated GMAC 2014-12-31 19:14:18 -05:00
clocksource Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-01-06 22:29:20 -05:00
connector
coresight
cpufreq Merge branches 'pm-cpufreq' and 'pm-cpuidle' 2014-12-29 21:23:41 +01:00
cpuidle Merge branches 'pm-cpufreq' and 'pm-cpuidle' 2014-12-29 21:23:41 +01:00
crypto Driver core patches for 3.19-rc1 2014-12-14 16:10:09 -08:00
dca
devfreq
dio
dma Driver core patches for 3.19-rc1 2014-12-14 16:10:09 -08:00
dma-buf
edac Driver core patches for 3.19-rc1 2014-12-14 16:10:09 -08:00
eisa
extcon Char/Misc driver patches for 3.19-rc1 2014-12-14 16:43:47 -08:00
firewire firewire: sbp2: replace card lock by target lock 2014-12-10 20:53:21 +01:00
firmware Driver core patches for 3.19-rc1 2014-12-14 16:10:09 -08:00
fmc
gpio gpio: dln2: use bus_sync_unlock instead of scheduling work 2015-01-09 07:57:35 +01:00
gpu Merge tag 'amdkfd-fixes-2015-01-06' of git://people.freedesktop.org/~gabbayo/linux into drm-fixes 2015-01-08 10:36:37 +10:00
hid HID: roccat: potential out of bounds in pyra_sysfs_write_settings() 2015-01-09 14:41:01 +01:00
hsi * misc. fixes in omap-ssi and nokia-modem drivers 2014-12-15 17:33:47 -08:00
hv Char/Misc driver patches for 3.19-rc1 2014-12-14 16:43:47 -08:00
hwmon Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux 2014-12-17 10:16:27 -08:00
hwspinlock
i2c Merge branch 'i2c/for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2014-12-20 13:52:52 -08:00
ide Driver core patches for 3.19-rc1 2014-12-14 16:10:09 -08:00
idle
iio Staging patches for 3.19-rc1 2014-12-15 18:06:13 -08:00
infiniband net: rename vlan_tx_* helpers since "tx" is misleading there 2015-01-13 17:51:08 -05:00
input Revert "Input: atmel_mxt_ts - use deep sleep mode when stopped" 2014-12-31 12:59:34 -08:00
iommu iommu/rockchip: Drop owner assignment from platform_drivers 2015-01-05 12:40:06 +01:00
ipack
irqchip Merge branch 'irq-irqdomain-arm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2014-12-15 17:30:09 -08:00
isdn Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-01-15 00:53:17 -05:00
leds leds: netxbig: fix oops at probe time 2015-01-13 13:49:01 -08:00
lguest virtio: allow finalize_features to fail 2014-12-09 16:32:32 +02:00
macintosh macintosh: therm_pm72: delete deprecated driver 2014-12-19 19:32:47 +01:00
mailbox Driver core patches for 3.19-rc1 2014-12-14 16:10:09 -08:00
mcb
md dm: fix missed error code if .end_io isn't implemented by target_type 2014-12-17 12:31:13 -05:00
media More ACPI and power management updates for 3.19-rc1 2014-12-18 20:28:33 -08:00
memory MTD updates for 3.19: 2014-12-17 09:59:26 -08:00
memstick
message
mfd Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2014-12-30 16:59:59 -08:00
misc powerpc updates for 3.19 batch 2 2014-12-19 12:57:45 -08:00
mmc mmc: sdhci-pci: Add support for Intel SPT 2015-01-12 10:14:58 +01:00
mtd MTD updates for 3.19: 2014-12-17 09:59:26 -08:00
net vxlan: Group Policy extension 2015-01-15 01:11:41 -05:00
nfc More ACPI and power management updates for 3.19-rc1 2014-12-18 20:28:33 -08:00
ntb
nubus
of ARM: SoC/iommu configuration for 3.19 2014-12-16 14:53:01 -08:00
oprofile
parisc
parport Char/Misc driver patches for 3.19-rc1 2014-12-14 16:43:47 -08:00
pci Merge branch 'x86-apic-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2014-12-19 14:02:02 -08:00
pcmcia Char/Misc driver patches for 3.19-rc1 2014-12-14 16:43:47 -08:00
phy phy: miphy365x: Pass sysconfig register offsets via syscfg dt property. 2015-01-11 18:53:34 -05:00
pinctrl pinctrl: st: Add irq_disable hook to st_gpio_irqchip 2015-01-07 10:44:39 +01:00
platform platform-drivers-x86 for 3.19 2014-12-18 20:24:55 -08:00
pnp
power More ACPI and power management updates for 3.19-rc1 2014-12-18 20:28:33 -08:00
powercap powercap / RAPL: add IDs for future Xeon CPUs 2014-12-17 02:35:42 +01:00
pps
ps3
ptp
pwm pwm: Changes for v3.19-rc1 2014-12-17 10:10:51 -08:00
rapidio
ras
regulator regulator: Fix for v3.19 2014-12-29 13:24:38 -08:00
remoteproc Driver core patches for 3.19-rc1 2014-12-14 16:10:09 -08:00
reset Driver core patches for 3.19-rc1 2014-12-14 16:10:09 -08:00
rpmsg
rtc Driver core patches for 3.19-rc1 2014-12-14 16:10:09 -08:00
s390 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-01-15 00:53:17 -05:00
sbus
scsi Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-01-15 00:53:17 -05:00
sfi
sh drivers: sh / PM: Replace CONFIG_PM_RUNTIME with CONFIG_PM 2014-12-05 03:08:24 +01:00
sn
soc Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux 2014-12-15 15:52:01 -08:00
spi Merge remote-tracking branches 'spi/fix/img-spfi' and 'spi/fix/msiof' into spi-linus 2014-12-24 12:57:54 +00:00
spmi
ssb Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2014-12-11 17:56:37 -08:00
staging [regression] braino in "lustre: use is_root_inode()" 2014-12-26 22:43:19 -05:00
target iscsi-target: Fix typos in enum cmd_flags_table 2015-01-09 15:25:58 -08:00
tc
thermal int340x_thermal/processor_thermal_device: return failure when 2015-01-06 08:18:21 +08:00
thunderbolt
tty tty: 8250_omap: Replace CONFIG_PM_RUNTIME with CONFIG_PM 2014-12-19 15:27:58 +01:00
uio Char/Misc driver patches for 3.19-rc1 2014-12-14 16:43:47 -08:00
usb SCSI for-linus on 20141220 2014-12-20 13:42:57 -08:00
uwb
vfio vfio-pci: Fix the check on pci device type in vfio_pci_probe() 2015-01-07 10:29:11 -07:00
vhost Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-01-15 00:53:17 -05:00
video OMAPDSS: SDI: fix output port_num 2014-12-30 11:18:30 +02:00
virt
virtio virtio_pci: document why we defer kfree 2015-01-06 16:35:36 +02:00
vlynq
vme
w1 Char/Misc driver patches for 3.19-rc1 2014-12-14 16:43:47 -08:00
watchdog watchdog: imx2_wdt: Fix the argument of watchdog_active() 2014-12-18 16:01:20 +01:00
xen Merge remote-tracking branch 'scsi-queue/drivers-for-3.19' into for-linus 2014-12-18 05:56:29 -08:00
zorro
Kconfig Staging patches for 3.19-rc1 2014-12-15 18:06:13 -08:00
Makefile drivers: Move iommu/ before gpu/ in Makefile 2014-12-22 11:47:37 +02:00