From 83830c1d7fa9cd8c24d44e70e88ab910550f83da Mon Sep 17 00:00:00 2001
From: superCharge-xsy
Date: Mon, 30 Sep 2024 10:38:47 +0800
Subject: [PATCH] add xdp authz proposlal
Signed-off-by: superCharge-xsy
---
 docs/proposal/layer4_authorization.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/docs/proposal/layer4_authorization.md b/docs/proposal/layer4_authorization.md
index a56ad03f4..cb7b5485f 100644
--- a/docs/proposal/layer4_authorization.md
+++ b/docs/proposal/layer4_authorization.md
@@ -15,7 +15,7 @@ creation-date: 2024-05-28
 ### Summary
-This article aims to explain how Kmesh achieves layer 4 authorization functionality in workload mode. For an introduction to the authentication features, please refer to:[Kmesh TCP Authorization](https://kmesh.net/en/docs/userguide/tcp_authorization/). Currently, kmesh supports two authentication architectures, packet first go through XDP authentication processing, if the type is not supported, the quintuple information is passed to Userspace authentication via a ring buffer, the ultimate goal is to completely handle authentication within XDP.[Userspace authentication](#Userspace-authentication)
+This article aims to explain how Kmesh achieves layer 4 authorization functionality in workload mode. For an introduction to the authentication features, please refer to:[Kmesh TCP Authorization](https://kmesh.net/en/docs/userguide/tcp_authorization/). Currently, kmesh supports two authentication architectures, packet first go through XDP authentication processing, if the type is not supported, the quintuple information is passed to Userspace authentication via a ring buffer, the ultimate goal is to completely handle authentication within XDP.
 ### Userspace authentication
@@ -54,9 +54,9 @@ struct {
 - 3.2: If the matched record shows `value=deny`, it alters the message flag, sends an RST message to the server, clears the corresponding `auth_map` record. If no record is matched, implying authorization is allowed, the message is passed through.
 4. **client retry**: The client attempts to send another message, but because the server has closed the connection, the client receives a "reset by peer" signal and subsequently closes its own channel.
-### Xdp-authentication
+### Xdp authentication
-#### Desing detail
+#### Design detail
 ![l4_authz](pics/kmesh_l4_authorization_xdp.svg#pic_center)
@@ -64,7 +64,7 @@ struct {
 map_of_wl_policy: records the policies that are configured for the workload.
-map_of_authz: records the authz rules of policys
+map_of_authz: records the authz rules of policies.
 ```.c
 struct {
@@ -73,7 +73,7 @@ struct {
 __uint(value_size, sizeof(wl_policies_v));
 __uint(map_flags, BPF_F_NO_PREALLOC);
 __uint(max_entries, MAP_SIZE_OF_AUTH_POLICY);
-} map_of_wl_policy SEC(".maps");
+} SEC(".maps");
 struct {
 __uint(type, BPF_MAP_TYPE_HASH);