rtnetlink: add new rtm tunnel api for tunnel id filtering

This patch adds new rtm tunnel msg and api for tunnel id
filtering in dst_metadata devices. First dst_metadata
device to use the api is vxlan driver with AF_BRIDGE
family.

This and later changes add ability in vxlan driver to do
tunnel id filtering (or vni filtering) on dst_metadata
devices. This is similar to vlan api in the vlan filtering bridge.

this patch includes selinux nlmsg_route_perms support for RTM_*TUNNEL
api from Benjamin Poirier.

Signed-off-by: Roopa Prabhu <roopa@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/include/uapi/linux/if_link.h b/include/uapi/linux/if_link.h
index be09d2a..3dfc9ff 100644 (file)
--- a/include/uapi/linux/if_link.h
+++ b/include/uapi/linux/if_link.h
@@ -713,7 +713,32 @@ enum ipvlan_mode {
 #define IPVLAN_F_PRIVATE       0x01
 #define IPVLAN_F_VEPA          0x02
 
+/* Tunnel RTM header */
+struct tunnel_msg {
+       __u8 family;
+       __u8 reserved1;
+       __u16 reserved2;
+       __u32 ifindex;
+};
+
 /* VXLAN section */
+enum {
+       VXLAN_VNIFILTER_ENTRY_UNSPEC,
+       VXLAN_VNIFILTER_ENTRY_START,
+       VXLAN_VNIFILTER_ENTRY_END,
+       VXLAN_VNIFILTER_ENTRY_GROUP,
+       VXLAN_VNIFILTER_ENTRY_GROUP6,
+       __VXLAN_VNIFILTER_ENTRY_MAX
+};
+#define VXLAN_VNIFILTER_ENTRY_MAX      (__VXLAN_VNIFILTER_ENTRY_MAX - 1)
+
+enum {
+       VXLAN_VNIFILTER_UNSPEC,
+       VXLAN_VNIFILTER_ENTRY,
+       __VXLAN_VNIFILTER_MAX
+};
+#define VXLAN_VNIFILTER_MAX    (__VXLAN_VNIFILTER_MAX - 1)
+
 enum {
        IFLA_VXLAN_UNSPEC,
        IFLA_VXLAN_ID,
@@ -745,6 +770,7 @@ enum {
        IFLA_VXLAN_GPE,
        IFLA_VXLAN_TTL_INHERIT,
        IFLA_VXLAN_DF,
+       IFLA_VXLAN_VNIFILTER, /* only applicable with COLLECT_METADATA mode */
        __IFLA_VXLAN_MAX
 };
 #define IFLA_VXLAN_MAX (__IFLA_VXLAN_MAX - 1)

diff --git a/include/uapi/linux/rtnetlink.h b/include/uapi/linux/rtnetlink.h
index 93d934c..0970cb4 100644 (file)
--- a/include/uapi/linux/rtnetlink.h
+++ b/include/uapi/linux/rtnetlink.h
@@ -185,6 +185,13 @@ enum {
        RTM_GETNEXTHOPBUCKET,
 #define RTM_GETNEXTHOPBUCKET   RTM_GETNEXTHOPBUCKET
 
+       RTM_NEWTUNNEL = 120,
+#define RTM_NEWTUNNEL  RTM_NEWTUNNEL
+       RTM_DELTUNNEL,
+#define RTM_DELTUNNEL  RTM_DELTUNNEL
+       RTM_GETTUNNEL,
+#define RTM_GETTUNNEL  RTM_GETTUNNEL
+
        __RTM_MAX,
 #define RTM_MAX                (((__RTM_MAX + 3) & ~3) - 1)
 };
@@ -756,6 +763,8 @@ enum rtnetlink_groups {
 #define RTNLGRP_BRVLAN         RTNLGRP_BRVLAN
        RTNLGRP_MCTP_IFADDR,
 #define RTNLGRP_MCTP_IFADDR    RTNLGRP_MCTP_IFADDR
+       RTNLGRP_TUNNEL,
+#define RTNLGRP_TUNNEL         RTNLGRP_TUNNEL
        __RTNLGRP_MAX
 };
 #define RTNLGRP_MAX    (__RTNLGRP_MAX - 1)

diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index 94ea2a8..6ad3ee0 100644 (file)
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -91,6 +91,9 @@ static const struct nlmsg_perm nlmsg_route_perms[] =
        { RTM_NEWNEXTHOPBUCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
        { RTM_DELNEXTHOPBUCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
        { RTM_GETNEXTHOPBUCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ  },
+       { RTM_NEWTUNNEL,        NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
+       { RTM_DELTUNNEL,        NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
+       { RTM_GETTUNNEL,        NETLINK_ROUTE_SOCKET__NLMSG_READ  },
 };
 
 static const struct nlmsg_perm nlmsg_tcpdiag_perms[] =
@@ -176,7 +179,7 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
                 * structures at the top of this file with the new mappings
                 * before updating the BUILD_BUG_ON() macro!
                 */
-               BUILD_BUG_ON(RTM_MAX != (RTM_NEWNEXTHOPBUCKET + 3));
+               BUILD_BUG_ON(RTM_MAX != (RTM_NEWTUNNEL + 3));
                err = nlmsg_perm(nlmsg_type, perm, nlmsg_route_perms,
                                 sizeof(nlmsg_route_perms));
                break;