xref: /openbmc/linux/net/core/flow_dissector.c (revision 68f436a80fc89faa474134edfe442d95528be17a)
1 // SPDX-License-Identifier: GPL-2.0-only
2 #include <linux/kernel.h>
3 #include <linux/skbuff.h>
4 #include <linux/export.h>
5 #include <linux/ip.h>
6 #include <linux/ipv6.h>
7 #include <linux/if_vlan.h>
8 #include <linux/filter.h>
9 #include <net/dsa.h>
10 #include <net/dst_metadata.h>
11 #include <net/ip.h>
12 #include <net/ipv6.h>
13 #include <net/gre.h>
14 #include <net/pptp.h>
15 #include <net/tipc.h>
16 #include <linux/igmp.h>
17 #include <linux/icmp.h>
18 #include <linux/sctp.h>
19 #include <linux/dccp.h>
20 #include <linux/if_tunnel.h>
21 #include <linux/if_pppox.h>
22 #include <linux/ppp_defs.h>
23 #include <linux/stddef.h>
24 #include <linux/if_ether.h>
25 #include <linux/if_hsr.h>
26 #include <linux/mpls.h>
27 #include <linux/tcp.h>
28 #include <linux/ptp_classify.h>
29 #include <net/flow_dissector.h>
30 #include <net/pkt_cls.h>
31 #include <scsi/fc/fc_fcoe.h>
32 #include <uapi/linux/batadv_packet.h>
33 #include <linux/bpf.h>
34 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
35 #include <net/netfilter/nf_conntrack_core.h>
36 #include <net/netfilter/nf_conntrack_labels.h>
37 #endif
38 #include <linux/bpf-netns.h>
39 
40 static void dissector_set_key(struct flow_dissector *flow_dissector,
41 			      enum flow_dissector_key_id key_id)
42 {
43 	flow_dissector->used_keys |= (1 << key_id);
44 }
45 
46 void skb_flow_dissector_init(struct flow_dissector *flow_dissector,
47 			     const struct flow_dissector_key *key,
48 			     unsigned int key_count)
49 {
50 	unsigned int i;
51 
52 	memset(flow_dissector, 0, sizeof(*flow_dissector));
53 
54 	for (i = 0; i < key_count; i++, key++) {
55 		/* User should make sure that every key target offset is within
56 		 * boundaries of unsigned short.
57 		 */
58 		BUG_ON(key->offset > USHRT_MAX);
59 		BUG_ON(dissector_uses_key(flow_dissector,
60 					  key->key_id));
61 
62 		dissector_set_key(flow_dissector, key->key_id);
63 		flow_dissector->offset[key->key_id] = key->offset;
64 	}
65 
66 	/* Ensure that the dissector always includes control and basic key.
67 	 * That way we are able to avoid handling lack of these in fast path.
68 	 */
69 	BUG_ON(!dissector_uses_key(flow_dissector,
70 				   FLOW_DISSECTOR_KEY_CONTROL));
71 	BUG_ON(!dissector_uses_key(flow_dissector,
72 				   FLOW_DISSECTOR_KEY_BASIC));
73 }
74 EXPORT_SYMBOL(skb_flow_dissector_init);
75 
76 #ifdef CONFIG_BPF_SYSCALL
77 int flow_dissector_bpf_prog_attach_check(struct net *net,
78 					 struct bpf_prog *prog)
79 {
80 	enum netns_bpf_attach_type type = NETNS_BPF_FLOW_DISSECTOR;
81 
82 	if (net == &init_net) {
83 		/* BPF flow dissector in the root namespace overrides
84 		 * any per-net-namespace one. When attaching to root,
85 		 * make sure we don't have any BPF program attached
86 		 * to the non-root namespaces.
87 		 */
88 		struct net *ns;
89 
90 		for_each_net(ns) {
91 			if (ns == &init_net)
92 				continue;
93 			if (rcu_access_pointer(ns->bpf.run_array[type]))
94 				return -EEXIST;
95 		}
96 	} else {
97 		/* Make sure root flow dissector is not attached
98 		 * when attaching to the non-root namespace.
99 		 */
100 		if (rcu_access_pointer(init_net.bpf.run_array[type]))
101 			return -EEXIST;
102 	}
103 
104 	return 0;
105 }
106 #endif /* CONFIG_BPF_SYSCALL */
107 
108 /**
109  * __skb_flow_get_ports - extract the upper layer ports and return them
110  * @skb: sk_buff to extract the ports from
111  * @thoff: transport header offset
112  * @ip_proto: protocol for which to get port offset
113  * @data: raw buffer pointer to the packet, if NULL use skb->data
114  * @hlen: packet header length, if @data is NULL use skb_headlen(skb)
115  *
116  * The function will try to retrieve the ports at offset thoff + poff where poff
117  * is the protocol port offset returned from proto_ports_offset
118  */
119 __be32 __skb_flow_get_ports(const struct sk_buff *skb, int thoff, u8 ip_proto,
120 			    const void *data, int hlen)
121 {
122 	int poff = proto_ports_offset(ip_proto);
123 
124 	if (!data) {
125 		data = skb->data;
126 		hlen = skb_headlen(skb);
127 	}
128 
129 	if (poff >= 0) {
130 		__be32 *ports, _ports;
131 
132 		ports = __skb_header_pointer(skb, thoff + poff,
133 					     sizeof(_ports), data, hlen, &_ports);
134 		if (ports)
135 			return *ports;
136 	}
137 
138 	return 0;
139 }
140 EXPORT_SYMBOL(__skb_flow_get_ports);
141 
142 static bool icmp_has_id(u8 type)
143 {
144 	switch (type) {
145 	case ICMP_ECHO:
146 	case ICMP_ECHOREPLY:
147 	case ICMP_TIMESTAMP:
148 	case ICMP_TIMESTAMPREPLY:
149 	case ICMPV6_ECHO_REQUEST:
150 	case ICMPV6_ECHO_REPLY:
151 		return true;
152 	}
153 
154 	return false;
155 }
156 
157 /**
158  * skb_flow_get_icmp_tci - extract ICMP(6) Type, Code and Identifier fields
159  * @skb: sk_buff to extract from
160  * @key_icmp: struct flow_dissector_key_icmp to fill
161  * @data: raw buffer pointer to the packet
162  * @thoff: offset to extract at
163  * @hlen: packet header length
164  */
165 void skb_flow_get_icmp_tci(const struct sk_buff *skb,
166 			   struct flow_dissector_key_icmp *key_icmp,
167 			   const void *data, int thoff, int hlen)
168 {
169 	struct icmphdr *ih, _ih;
170 
171 	ih = __skb_header_pointer(skb, thoff, sizeof(_ih), data, hlen, &_ih);
172 	if (!ih)
173 		return;
174 
175 	key_icmp->type = ih->type;
176 	key_icmp->code = ih->code;
177 
178 	/* As we use 0 to signal that the Id field is not present,
179 	 * avoid confusion with packets without such field
180 	 */
181 	if (icmp_has_id(ih->type))
182 		key_icmp->id = ih->un.echo.id ? ntohs(ih->un.echo.id) : 1;
183 	else
184 		key_icmp->id = 0;
185 }
186 EXPORT_SYMBOL(skb_flow_get_icmp_tci);
187 
188 /* If FLOW_DISSECTOR_KEY_ICMP is set, dissect an ICMP packet
189  * using skb_flow_get_icmp_tci().
190  */
191 static void __skb_flow_dissect_icmp(const struct sk_buff *skb,
192 				    struct flow_dissector *flow_dissector,
193 				    void *target_container, const void *data,
194 				    int thoff, int hlen)
195 {
196 	struct flow_dissector_key_icmp *key_icmp;
197 
198 	if (!dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_ICMP))
199 		return;
200 
201 	key_icmp = skb_flow_dissector_target(flow_dissector,
202 					     FLOW_DISSECTOR_KEY_ICMP,
203 					     target_container);
204 
205 	skb_flow_get_icmp_tci(skb, key_icmp, data, thoff, hlen);
206 }
207 
208 static void __skb_flow_dissect_l2tpv3(const struct sk_buff *skb,
209 				      struct flow_dissector *flow_dissector,
210 				      void *target_container, const void *data,
211 				      int nhoff, int hlen)
212 {
213 	struct flow_dissector_key_l2tpv3 *key_l2tpv3;
214 	struct {
215 		__be32 session_id;
216 	} *hdr, _hdr;
217 
218 	if (!dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_L2TPV3))
219 		return;
220 
221 	hdr = __skb_header_pointer(skb, nhoff, sizeof(_hdr), data, hlen, &_hdr);
222 	if (!hdr)
223 		return;
224 
225 	key_l2tpv3 = skb_flow_dissector_target(flow_dissector,
226 					       FLOW_DISSECTOR_KEY_L2TPV3,
227 					       target_container);
228 
229 	key_l2tpv3->session_id = hdr->session_id;
230 }
231 
232 void skb_flow_dissect_meta(const struct sk_buff *skb,
233 			   struct flow_dissector *flow_dissector,
234 			   void *target_container)
235 {
236 	struct flow_dissector_key_meta *meta;
237 
238 	if (!dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_META))
239 		return;
240 
241 	meta = skb_flow_dissector_target(flow_dissector,
242 					 FLOW_DISSECTOR_KEY_META,
243 					 target_container);
244 	meta->ingress_ifindex = skb->skb_iif;
245 #if IS_ENABLED(CONFIG_NET_TC_SKB_EXT)
246 	if (tc_skb_ext_tc_enabled()) {
247 		struct tc_skb_ext *ext;
248 
249 		ext = skb_ext_find(skb, TC_SKB_EXT);
250 		if (ext)
251 			meta->l2_miss = ext->l2_miss;
252 	}
253 #endif
254 }
255 EXPORT_SYMBOL(skb_flow_dissect_meta);
256 
257 static void
258 skb_flow_dissect_set_enc_addr_type(enum flow_dissector_key_id type,
259 				   struct flow_dissector *flow_dissector,
260 				   void *target_container)
261 {
262 	struct flow_dissector_key_control *ctrl;
263 
264 	if (!dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_ENC_CONTROL))
265 		return;
266 
267 	ctrl = skb_flow_dissector_target(flow_dissector,
268 					 FLOW_DISSECTOR_KEY_ENC_CONTROL,
269 					 target_container);
270 	ctrl->addr_type = type;
271 }
272 
273 void
274 skb_flow_dissect_ct(const struct sk_buff *skb,
275 		    struct flow_dissector *flow_dissector,
276 		    void *target_container, u16 *ctinfo_map,
277 		    size_t mapsize, bool post_ct, u16 zone)
278 {
279 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
280 	struct flow_dissector_key_ct *key;
281 	enum ip_conntrack_info ctinfo;
282 	struct nf_conn_labels *cl;
283 	struct nf_conn *ct;
284 
285 	if (!dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_CT))
286 		return;
287 
288 	ct = nf_ct_get(skb, &ctinfo);
289 	if (!ct && !post_ct)
290 		return;
291 
292 	key = skb_flow_dissector_target(flow_dissector,
293 					FLOW_DISSECTOR_KEY_CT,
294 					target_container);
295 
296 	if (!ct) {
297 		key->ct_state = TCA_FLOWER_KEY_CT_FLAGS_TRACKED |
298 				TCA_FLOWER_KEY_CT_FLAGS_INVALID;
299 		key->ct_zone = zone;
300 		return;
301 	}
302 
303 	if (ctinfo < mapsize)
304 		key->ct_state = ctinfo_map[ctinfo];
305 #if IS_ENABLED(CONFIG_NF_CONNTRACK_ZONES)
306 	key->ct_zone = ct->zone.id;
307 #endif
308 #if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK)
309 	key->ct_mark = READ_ONCE(ct->mark);
310 #endif
311 
312 	cl = nf_ct_labels_find(ct);
313 	if (cl)
314 		memcpy(key->ct_labels, cl->bits, sizeof(key->ct_labels));
315 #endif /* CONFIG_NF_CONNTRACK */
316 }
317 EXPORT_SYMBOL(skb_flow_dissect_ct);
318 
319 void
320 skb_flow_dissect_tunnel_info(const struct sk_buff *skb,
321 			     struct flow_dissector *flow_dissector,
322 			     void *target_container)
323 {
324 	struct ip_tunnel_info *info;
325 	struct ip_tunnel_key *key;
326 
327 	/* A quick check to see if there might be something to do. */
328 	if (!dissector_uses_key(flow_dissector,
329 				FLOW_DISSECTOR_KEY_ENC_KEYID) &&
330 	    !dissector_uses_key(flow_dissector,
331 				FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS) &&
332 	    !dissector_uses_key(flow_dissector,
333 				FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS) &&
334 	    !dissector_uses_key(flow_dissector,
335 				FLOW_DISSECTOR_KEY_ENC_CONTROL) &&
336 	    !dissector_uses_key(flow_dissector,
337 				FLOW_DISSECTOR_KEY_ENC_PORTS) &&
338 	    !dissector_uses_key(flow_dissector,
339 				FLOW_DISSECTOR_KEY_ENC_IP) &&
340 	    !dissector_uses_key(flow_dissector,
341 				FLOW_DISSECTOR_KEY_ENC_OPTS))
342 		return;
343 
344 	info = skb_tunnel_info(skb);
345 	if (!info)
346 		return;
347 
348 	key = &info->key;
349 
350 	switch (ip_tunnel_info_af(info)) {
351 	case AF_INET:
352 		skb_flow_dissect_set_enc_addr_type(FLOW_DISSECTOR_KEY_IPV4_ADDRS,
353 						   flow_dissector,
354 						   target_container);
355 		if (dissector_uses_key(flow_dissector,
356 				       FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS)) {
357 			struct flow_dissector_key_ipv4_addrs *ipv4;
358 
359 			ipv4 = skb_flow_dissector_target(flow_dissector,
360 							 FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS,
361 							 target_container);
362 			ipv4->src = key->u.ipv4.src;
363 			ipv4->dst = key->u.ipv4.dst;
364 		}
365 		break;
366 	case AF_INET6:
367 		skb_flow_dissect_set_enc_addr_type(FLOW_DISSECTOR_KEY_IPV6_ADDRS,
368 						   flow_dissector,
369 						   target_container);
370 		if (dissector_uses_key(flow_dissector,
371 				       FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS)) {
372 			struct flow_dissector_key_ipv6_addrs *ipv6;
373 
374 			ipv6 = skb_flow_dissector_target(flow_dissector,
375 							 FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS,
376 							 target_container);
377 			ipv6->src = key->u.ipv6.src;
378 			ipv6->dst = key->u.ipv6.dst;
379 		}
380 		break;
381 	}
382 
383 	if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_ENC_KEYID)) {
384 		struct flow_dissector_key_keyid *keyid;
385 
386 		keyid = skb_flow_dissector_target(flow_dissector,
387 						  FLOW_DISSECTOR_KEY_ENC_KEYID,
388 						  target_container);
389 		keyid->keyid = tunnel_id_to_key32(key->tun_id);
390 	}
391 
392 	if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_ENC_PORTS)) {
393 		struct flow_dissector_key_ports *tp;
394 
395 		tp = skb_flow_dissector_target(flow_dissector,
396 					       FLOW_DISSECTOR_KEY_ENC_PORTS,
397 					       target_container);
398 		tp->src = key->tp_src;
399 		tp->dst = key->tp_dst;
400 	}
401 
402 	if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_ENC_IP)) {
403 		struct flow_dissector_key_ip *ip;
404 
405 		ip = skb_flow_dissector_target(flow_dissector,
406 					       FLOW_DISSECTOR_KEY_ENC_IP,
407 					       target_container);
408 		ip->tos = key->tos;
409 		ip->ttl = key->ttl;
410 	}
411 
412 	if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_ENC_OPTS)) {
413 		struct flow_dissector_key_enc_opts *enc_opt;
414 
415 		enc_opt = skb_flow_dissector_target(flow_dissector,
416 						    FLOW_DISSECTOR_KEY_ENC_OPTS,
417 						    target_container);
418 
419 		if (info->options_len) {
420 			enc_opt->len = info->options_len;
421 			ip_tunnel_info_opts_get(enc_opt->data, info);
422 			enc_opt->dst_opt_type = info->key.tun_flags &
423 						TUNNEL_OPTIONS_PRESENT;
424 		}
425 	}
426 }
427 EXPORT_SYMBOL(skb_flow_dissect_tunnel_info);
428 
429 void skb_flow_dissect_hash(const struct sk_buff *skb,
430 			   struct flow_dissector *flow_dissector,
431 			   void *target_container)
432 {
433 	struct flow_dissector_key_hash *key;
434 
435 	if (!dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_HASH))
436 		return;
437 
438 	key = skb_flow_dissector_target(flow_dissector,
439 					FLOW_DISSECTOR_KEY_HASH,
440 					target_container);
441 
442 	key->hash = skb_get_hash_raw(skb);
443 }
444 EXPORT_SYMBOL(skb_flow_dissect_hash);
445 
446 static enum flow_dissect_ret
447 __skb_flow_dissect_mpls(const struct sk_buff *skb,
448 			struct flow_dissector *flow_dissector,
449 			void *target_container, const void *data, int nhoff,
450 			int hlen, int lse_index, bool *entropy_label)
451 {
452 	struct mpls_label *hdr, _hdr;
453 	u32 entry, label, bos;
454 
455 	if (!dissector_uses_key(flow_dissector,
456 				FLOW_DISSECTOR_KEY_MPLS_ENTROPY) &&
457 	    !dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_MPLS))
458 		return FLOW_DISSECT_RET_OUT_GOOD;
459 
460 	if (lse_index >= FLOW_DIS_MPLS_MAX)
461 		return FLOW_DISSECT_RET_OUT_GOOD;
462 
463 	hdr = __skb_header_pointer(skb, nhoff, sizeof(_hdr), data,
464 				   hlen, &_hdr);
465 	if (!hdr)
466 		return FLOW_DISSECT_RET_OUT_BAD;
467 
468 	entry = ntohl(hdr->entry);
469 	label = (entry & MPLS_LS_LABEL_MASK) >> MPLS_LS_LABEL_SHIFT;
470 	bos = (entry & MPLS_LS_S_MASK) >> MPLS_LS_S_SHIFT;
471 
472 	if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_MPLS)) {
473 		struct flow_dissector_key_mpls *key_mpls;
474 		struct flow_dissector_mpls_lse *lse;
475 
476 		key_mpls = skb_flow_dissector_target(flow_dissector,
477 						     FLOW_DISSECTOR_KEY_MPLS,
478 						     target_container);
479 		lse = &key_mpls->ls[lse_index];
480 
481 		lse->mpls_ttl = (entry & MPLS_LS_TTL_MASK) >> MPLS_LS_TTL_SHIFT;
482 		lse->mpls_bos = bos;
483 		lse->mpls_tc = (entry & MPLS_LS_TC_MASK) >> MPLS_LS_TC_SHIFT;
484 		lse->mpls_label = label;
485 		dissector_set_mpls_lse(key_mpls, lse_index);
486 	}
487 
488 	if (*entropy_label &&
489 	    dissector_uses_key(flow_dissector,
490 			       FLOW_DISSECTOR_KEY_MPLS_ENTROPY)) {
491 		struct flow_dissector_key_keyid *key_keyid;
492 
493 		key_keyid = skb_flow_dissector_target(flow_dissector,
494 						      FLOW_DISSECTOR_KEY_MPLS_ENTROPY,
495 						      target_container);
496 		key_keyid->keyid = cpu_to_be32(label);
497 	}
498 
499 	*entropy_label = label == MPLS_LABEL_ENTROPY;
500 
501 	return bos ? FLOW_DISSECT_RET_OUT_GOOD : FLOW_DISSECT_RET_PROTO_AGAIN;
502 }
503 
504 static enum flow_dissect_ret
505 __skb_flow_dissect_arp(const struct sk_buff *skb,
506 		       struct flow_dissector *flow_dissector,
507 		       void *target_container, const void *data,
508 		       int nhoff, int hlen)
509 {
510 	struct flow_dissector_key_arp *key_arp;
511 	struct {
512 		unsigned char ar_sha[ETH_ALEN];
513 		unsigned char ar_sip[4];
514 		unsigned char ar_tha[ETH_ALEN];
515 		unsigned char ar_tip[4];
516 	} *arp_eth, _arp_eth;
517 	const struct arphdr *arp;
518 	struct arphdr _arp;
519 
520 	if (!dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_ARP))
521 		return FLOW_DISSECT_RET_OUT_GOOD;
522 
523 	arp = __skb_header_pointer(skb, nhoff, sizeof(_arp), data,
524 				   hlen, &_arp);
525 	if (!arp)
526 		return FLOW_DISSECT_RET_OUT_BAD;
527 
528 	if (arp->ar_hrd != htons(ARPHRD_ETHER) ||
529 	    arp->ar_pro != htons(ETH_P_IP) ||
530 	    arp->ar_hln != ETH_ALEN ||
531 	    arp->ar_pln != 4 ||
532 	    (arp->ar_op != htons(ARPOP_REPLY) &&
533 	     arp->ar_op != htons(ARPOP_REQUEST)))
534 		return FLOW_DISSECT_RET_OUT_BAD;
535 
536 	arp_eth = __skb_header_pointer(skb, nhoff + sizeof(_arp),
537 				       sizeof(_arp_eth), data,
538 				       hlen, &_arp_eth);
539 	if (!arp_eth)
540 		return FLOW_DISSECT_RET_OUT_BAD;
541 
542 	key_arp = skb_flow_dissector_target(flow_dissector,
543 					    FLOW_DISSECTOR_KEY_ARP,
544 					    target_container);
545 
546 	memcpy(&key_arp->sip, arp_eth->ar_sip, sizeof(key_arp->sip));
547 	memcpy(&key_arp->tip, arp_eth->ar_tip, sizeof(key_arp->tip));
548 
549 	/* Only store the lower byte of the opcode;
550 	 * this covers ARPOP_REPLY and ARPOP_REQUEST.
551 	 */
552 	key_arp->op = ntohs(arp->ar_op) & 0xff;
553 
554 	ether_addr_copy(key_arp->sha, arp_eth->ar_sha);
555 	ether_addr_copy(key_arp->tha, arp_eth->ar_tha);
556 
557 	return FLOW_DISSECT_RET_OUT_GOOD;
558 }
559 
560 static enum flow_dissect_ret
561 __skb_flow_dissect_cfm(const struct sk_buff *skb,
562 		       struct flow_dissector *flow_dissector,
563 		       void *target_container, const void *data,
564 		       int nhoff, int hlen)
565 {
566 	struct flow_dissector_key_cfm *key, *hdr, _hdr;
567 
568 	if (!dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_CFM))
569 		return FLOW_DISSECT_RET_OUT_GOOD;
570 
571 	hdr = __skb_header_pointer(skb, nhoff, sizeof(*key), data, hlen, &_hdr);
572 	if (!hdr)
573 		return FLOW_DISSECT_RET_OUT_BAD;
574 
575 	key = skb_flow_dissector_target(flow_dissector, FLOW_DISSECTOR_KEY_CFM,
576 					target_container);
577 
578 	key->mdl_ver = hdr->mdl_ver;
579 	key->opcode = hdr->opcode;
580 
581 	return FLOW_DISSECT_RET_OUT_GOOD;
582 }
583 
584 static enum flow_dissect_ret
585 __skb_flow_dissect_gre(const struct sk_buff *skb,
586 		       struct flow_dissector_key_control *key_control,
587 		       struct flow_dissector *flow_dissector,
588 		       void *target_container, const void *data,
589 		       __be16 *p_proto, int *p_nhoff, int *p_hlen,
590 		       unsigned int flags)
591 {
592 	struct flow_dissector_key_keyid *key_keyid;
593 	struct gre_base_hdr *hdr, _hdr;
594 	int offset = 0;
595 	u16 gre_ver;
596 
597 	hdr = __skb_header_pointer(skb, *p_nhoff, sizeof(_hdr),
598 				   data, *p_hlen, &_hdr);
599 	if (!hdr)
600 		return FLOW_DISSECT_RET_OUT_BAD;
601 
602 	/* Only look inside GRE without routing */
603 	if (hdr->flags & GRE_ROUTING)
604 		return FLOW_DISSECT_RET_OUT_GOOD;
605 
606 	/* Only look inside GRE for version 0 and 1 */
607 	gre_ver = ntohs(hdr->flags & GRE_VERSION);
608 	if (gre_ver > 1)
609 		return FLOW_DISSECT_RET_OUT_GOOD;
610 
611 	*p_proto = hdr->protocol;
612 	if (gre_ver) {
613 		/* Version1 must be PPTP, and check the flags */
614 		if (!(*p_proto == GRE_PROTO_PPP && (hdr->flags & GRE_KEY)))
615 			return FLOW_DISSECT_RET_OUT_GOOD;
616 	}
617 
618 	offset += sizeof(struct gre_base_hdr);
619 
620 	if (hdr->flags & GRE_CSUM)
621 		offset += sizeof_field(struct gre_full_hdr, csum) +
622 			  sizeof_field(struct gre_full_hdr, reserved1);
623 
624 	if (hdr->flags & GRE_KEY) {
625 		const __be32 *keyid;
626 		__be32 _keyid;
627 
628 		keyid = __skb_header_pointer(skb, *p_nhoff + offset,
629 					     sizeof(_keyid),
630 					     data, *p_hlen, &_keyid);
631 		if (!keyid)
632 			return FLOW_DISSECT_RET_OUT_BAD;
633 
634 		if (dissector_uses_key(flow_dissector,
635 				       FLOW_DISSECTOR_KEY_GRE_KEYID)) {
636 			key_keyid = skb_flow_dissector_target(flow_dissector,
637 							      FLOW_DISSECTOR_KEY_GRE_KEYID,
638 							      target_container);
639 			if (gre_ver == 0)
640 				key_keyid->keyid = *keyid;
641 			else
642 				key_keyid->keyid = *keyid & GRE_PPTP_KEY_MASK;
643 		}
644 		offset += sizeof_field(struct gre_full_hdr, key);
645 	}
646 
647 	if (hdr->flags & GRE_SEQ)
648 		offset += sizeof_field(struct pptp_gre_header, seq);
649 
650 	if (gre_ver == 0) {
651 		if (*p_proto == htons(ETH_P_TEB)) {
652 			const struct ethhdr *eth;
653 			struct ethhdr _eth;
654 
655 			eth = __skb_header_pointer(skb, *p_nhoff + offset,
656 						   sizeof(_eth),
657 						   data, *p_hlen, &_eth);
658 			if (!eth)
659 				return FLOW_DISSECT_RET_OUT_BAD;
660 			*p_proto = eth->h_proto;
661 			offset += sizeof(*eth);
662 
663 			/* Cap headers that we access via pointers at the
664 			 * end of the Ethernet header as our maximum alignment
665 			 * at that point is only 2 bytes.
666 			 */
667 			if (NET_IP_ALIGN)
668 				*p_hlen = *p_nhoff + offset;
669 		}
670 	} else { /* version 1, must be PPTP */
671 		u8 _ppp_hdr[PPP_HDRLEN];
672 		u8 *ppp_hdr;
673 
674 		if (hdr->flags & GRE_ACK)
675 			offset += sizeof_field(struct pptp_gre_header, ack);
676 
677 		ppp_hdr = __skb_header_pointer(skb, *p_nhoff + offset,
678 					       sizeof(_ppp_hdr),
679 					       data, *p_hlen, _ppp_hdr);
680 		if (!ppp_hdr)
681 			return FLOW_DISSECT_RET_OUT_BAD;
682 
683 		switch (PPP_PROTOCOL(ppp_hdr)) {
684 		case PPP_IP:
685 			*p_proto = htons(ETH_P_IP);
686 			break;
687 		case PPP_IPV6:
688 			*p_proto = htons(ETH_P_IPV6);
689 			break;
690 		default:
691 			/* Could probably catch some more like MPLS */
692 			break;
693 		}
694 
695 		offset += PPP_HDRLEN;
696 	}
697 
698 	*p_nhoff += offset;
699 	key_control->flags |= FLOW_DIS_ENCAPSULATION;
700 	if (flags & FLOW_DISSECTOR_F_STOP_AT_ENCAP)
701 		return FLOW_DISSECT_RET_OUT_GOOD;
702 
703 	return FLOW_DISSECT_RET_PROTO_AGAIN;
704 }
705 
706 /**
707  * __skb_flow_dissect_batadv() - dissect batman-adv header
708  * @skb: sk_buff to with the batman-adv header
709  * @key_control: flow dissectors control key
710  * @data: raw buffer pointer to the packet, if NULL use skb->data
711  * @p_proto: pointer used to update the protocol to process next
712  * @p_nhoff: pointer used to update inner network header offset
713  * @hlen: packet header length
714  * @flags: any combination of FLOW_DISSECTOR_F_*
715  *
716  * ETH_P_BATMAN packets are tried to be dissected. Only
717  * &struct batadv_unicast packets are actually processed because they contain an
718  * inner ethernet header and are usually followed by actual network header. This
719  * allows the flow dissector to continue processing the packet.
720  *
721  * Return: FLOW_DISSECT_RET_PROTO_AGAIN when &struct batadv_unicast was found,
722  *  FLOW_DISSECT_RET_OUT_GOOD when dissector should stop after encapsulation,
723  *  otherwise FLOW_DISSECT_RET_OUT_BAD
724  */
725 static enum flow_dissect_ret
726 __skb_flow_dissect_batadv(const struct sk_buff *skb,
727 			  struct flow_dissector_key_control *key_control,
728 			  const void *data, __be16 *p_proto, int *p_nhoff,
729 			  int hlen, unsigned int flags)
730 {
731 	struct {
732 		struct batadv_unicast_packet batadv_unicast;
733 		struct ethhdr eth;
734 	} *hdr, _hdr;
735 
736 	hdr = __skb_header_pointer(skb, *p_nhoff, sizeof(_hdr), data, hlen,
737 				   &_hdr);
738 	if (!hdr)
739 		return FLOW_DISSECT_RET_OUT_BAD;
740 
741 	if (hdr->batadv_unicast.version != BATADV_COMPAT_VERSION)
742 		return FLOW_DISSECT_RET_OUT_BAD;
743 
744 	if (hdr->batadv_unicast.packet_type != BATADV_UNICAST)
745 		return FLOW_DISSECT_RET_OUT_BAD;
746 
747 	*p_proto = hdr->eth.h_proto;
748 	*p_nhoff += sizeof(*hdr);
749 
750 	key_control->flags |= FLOW_DIS_ENCAPSULATION;
751 	if (flags & FLOW_DISSECTOR_F_STOP_AT_ENCAP)
752 		return FLOW_DISSECT_RET_OUT_GOOD;
753 
754 	return FLOW_DISSECT_RET_PROTO_AGAIN;
755 }
756 
757 static void
758 __skb_flow_dissect_tcp(const struct sk_buff *skb,
759 		       struct flow_dissector *flow_dissector,
760 		       void *target_container, const void *data,
761 		       int thoff, int hlen)
762 {
763 	struct flow_dissector_key_tcp *key_tcp;
764 	struct tcphdr *th, _th;
765 
766 	if (!dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_TCP))
767 		return;
768 
769 	th = __skb_header_pointer(skb, thoff, sizeof(_th), data, hlen, &_th);
770 	if (!th)
771 		return;
772 
773 	if (unlikely(__tcp_hdrlen(th) < sizeof(_th)))
774 		return;
775 
776 	key_tcp = skb_flow_dissector_target(flow_dissector,
777 					    FLOW_DISSECTOR_KEY_TCP,
778 					    target_container);
779 	key_tcp->flags = (*(__be16 *) &tcp_flag_word(th) & htons(0x0FFF));
780 }
781 
782 static void
783 __skb_flow_dissect_ports(const struct sk_buff *skb,
784 			 struct flow_dissector *flow_dissector,
785 			 void *target_container, const void *data,
786 			 int nhoff, u8 ip_proto, int hlen)
787 {
788 	enum flow_dissector_key_id dissector_ports = FLOW_DISSECTOR_KEY_MAX;
789 	struct flow_dissector_key_ports *key_ports;
790 
791 	if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_PORTS))
792 		dissector_ports = FLOW_DISSECTOR_KEY_PORTS;
793 	else if (dissector_uses_key(flow_dissector,
794 				    FLOW_DISSECTOR_KEY_PORTS_RANGE))
795 		dissector_ports = FLOW_DISSECTOR_KEY_PORTS_RANGE;
796 
797 	if (dissector_ports == FLOW_DISSECTOR_KEY_MAX)
798 		return;
799 
800 	key_ports = skb_flow_dissector_target(flow_dissector,
801 					      dissector_ports,
802 					      target_container);
803 	key_ports->ports = __skb_flow_get_ports(skb, nhoff, ip_proto,
804 						data, hlen);
805 }
806 
807 static void
808 __skb_flow_dissect_ipv4(const struct sk_buff *skb,
809 			struct flow_dissector *flow_dissector,
810 			void *target_container, const void *data,
811 			const struct iphdr *iph)
812 {
813 	struct flow_dissector_key_ip *key_ip;
814 
815 	if (!dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_IP))
816 		return;
817 
818 	key_ip = skb_flow_dissector_target(flow_dissector,
819 					   FLOW_DISSECTOR_KEY_IP,
820 					   target_container);
821 	key_ip->tos = iph->tos;
822 	key_ip->ttl = iph->ttl;
823 }
824 
825 static void
826 __skb_flow_dissect_ipv6(const struct sk_buff *skb,
827 			struct flow_dissector *flow_dissector,
828 			void *target_container, const void *data,
829 			const struct ipv6hdr *iph)
830 {
831 	struct flow_dissector_key_ip *key_ip;
832 
833 	if (!dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_IP))
834 		return;
835 
836 	key_ip = skb_flow_dissector_target(flow_dissector,
837 					   FLOW_DISSECTOR_KEY_IP,
838 					   target_container);
839 	key_ip->tos = ipv6_get_dsfield(iph);
840 	key_ip->ttl = iph->hop_limit;
841 }
842 
843 /* Maximum number of protocol headers that can be parsed in
844  * __skb_flow_dissect
845  */
846 #define MAX_FLOW_DISSECT_HDRS	15
847 
848 static bool skb_flow_dissect_allowed(int *num_hdrs)
849 {
850 	++*num_hdrs;
851 
852 	return (*num_hdrs <= MAX_FLOW_DISSECT_HDRS);
853 }
854 
855 static void __skb_flow_bpf_to_target(const struct bpf_flow_keys *flow_keys,
856 				     struct flow_dissector *flow_dissector,
857 				     void *target_container)
858 {
859 	struct flow_dissector_key_ports *key_ports = NULL;
860 	struct flow_dissector_key_control *key_control;
861 	struct flow_dissector_key_basic *key_basic;
862 	struct flow_dissector_key_addrs *key_addrs;
863 	struct flow_dissector_key_tags *key_tags;
864 
865 	key_control = skb_flow_dissector_target(flow_dissector,
866 						FLOW_DISSECTOR_KEY_CONTROL,
867 						target_container);
868 	key_control->thoff = flow_keys->thoff;
869 	if (flow_keys->is_frag)
870 		key_control->flags |= FLOW_DIS_IS_FRAGMENT;
871 	if (flow_keys->is_first_frag)
872 		key_control->flags |= FLOW_DIS_FIRST_FRAG;
873 	if (flow_keys->is_encap)
874 		key_control->flags |= FLOW_DIS_ENCAPSULATION;
875 
876 	key_basic = skb_flow_dissector_target(flow_dissector,
877 					      FLOW_DISSECTOR_KEY_BASIC,
878 					      target_container);
879 	key_basic->n_proto = flow_keys->n_proto;
880 	key_basic->ip_proto = flow_keys->ip_proto;
881 
882 	if (flow_keys->addr_proto == ETH_P_IP &&
883 	    dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_IPV4_ADDRS)) {
884 		key_addrs = skb_flow_dissector_target(flow_dissector,
885 						      FLOW_DISSECTOR_KEY_IPV4_ADDRS,
886 						      target_container);
887 		key_addrs->v4addrs.src = flow_keys->ipv4_src;
888 		key_addrs->v4addrs.dst = flow_keys->ipv4_dst;
889 		key_control->addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS;
890 	} else if (flow_keys->addr_proto == ETH_P_IPV6 &&
891 		   dissector_uses_key(flow_dissector,
892 				      FLOW_DISSECTOR_KEY_IPV6_ADDRS)) {
893 		key_addrs = skb_flow_dissector_target(flow_dissector,
894 						      FLOW_DISSECTOR_KEY_IPV6_ADDRS,
895 						      target_container);
896 		memcpy(&key_addrs->v6addrs.src, &flow_keys->ipv6_src,
897 		       sizeof(key_addrs->v6addrs.src));
898 		memcpy(&key_addrs->v6addrs.dst, &flow_keys->ipv6_dst,
899 		       sizeof(key_addrs->v6addrs.dst));
900 		key_control->addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS;
901 	}
902 
903 	if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_PORTS))
904 		key_ports = skb_flow_dissector_target(flow_dissector,
905 						      FLOW_DISSECTOR_KEY_PORTS,
906 						      target_container);
907 	else if (dissector_uses_key(flow_dissector,
908 				    FLOW_DISSECTOR_KEY_PORTS_RANGE))
909 		key_ports = skb_flow_dissector_target(flow_dissector,
910 						      FLOW_DISSECTOR_KEY_PORTS_RANGE,
911 						      target_container);
912 
913 	if (key_ports) {
914 		key_ports->src = flow_keys->sport;
915 		key_ports->dst = flow_keys->dport;
916 	}
917 
918 	if (dissector_uses_key(flow_dissector,
919 			       FLOW_DISSECTOR_KEY_FLOW_LABEL)) {
920 		key_tags = skb_flow_dissector_target(flow_dissector,
921 						     FLOW_DISSECTOR_KEY_FLOW_LABEL,
922 						     target_container);
923 		key_tags->flow_label = ntohl(flow_keys->flow_label);
924 	}
925 }
926 
927 u32 bpf_flow_dissect(struct bpf_prog *prog, struct bpf_flow_dissector *ctx,
928 		     __be16 proto, int nhoff, int hlen, unsigned int flags)
929 {
930 	struct bpf_flow_keys *flow_keys = ctx->flow_keys;
931 	u32 result;
932 
933 	/* Pass parameters to the BPF program */
934 	memset(flow_keys, 0, sizeof(*flow_keys));
935 	flow_keys->n_proto = proto;
936 	flow_keys->nhoff = nhoff;
937 	flow_keys->thoff = flow_keys->nhoff;
938 
939 	BUILD_BUG_ON((int)BPF_FLOW_DISSECTOR_F_PARSE_1ST_FRAG !=
940 		     (int)FLOW_DISSECTOR_F_PARSE_1ST_FRAG);
941 	BUILD_BUG_ON((int)BPF_FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL !=
942 		     (int)FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL);
943 	BUILD_BUG_ON((int)BPF_FLOW_DISSECTOR_F_STOP_AT_ENCAP !=
944 		     (int)FLOW_DISSECTOR_F_STOP_AT_ENCAP);
945 	flow_keys->flags = flags;
946 
947 	result = bpf_prog_run_pin_on_cpu(prog, ctx);
948 
949 	flow_keys->nhoff = clamp_t(u16, flow_keys->nhoff, nhoff, hlen);
950 	flow_keys->thoff = clamp_t(u16, flow_keys->thoff,
951 				   flow_keys->nhoff, hlen);
952 
953 	return result;
954 }
955 
956 static bool is_pppoe_ses_hdr_valid(const struct pppoe_hdr *hdr)
957 {
958 	return hdr->ver == 1 && hdr->type == 1 && hdr->code == 0;
959 }
960 
961 /**
962  * __skb_flow_dissect - extract the flow_keys struct and return it
963  * @net: associated network namespace, derived from @skb if NULL
964  * @skb: sk_buff to extract the flow from, can be NULL if the rest are specified
965  * @flow_dissector: list of keys to dissect
966  * @target_container: target structure to put dissected values into
967  * @data: raw buffer pointer to the packet, if NULL use skb->data
968  * @proto: protocol for which to get the flow, if @data is NULL use skb->protocol
969  * @nhoff: network header offset, if @data is NULL use skb_network_offset(skb)
970  * @hlen: packet header length, if @data is NULL use skb_headlen(skb)
971  * @flags: flags that control the dissection process, e.g.
972  *         FLOW_DISSECTOR_F_STOP_AT_ENCAP.
973  *
974  * The function will try to retrieve individual keys into target specified
975  * by flow_dissector from either the skbuff or a raw buffer specified by the
976  * rest parameters.
977  *
978  * Caller must take care of zeroing target container memory.
979  */
980 bool __skb_flow_dissect(const struct net *net,
981 			const struct sk_buff *skb,
982 			struct flow_dissector *flow_dissector,
983 			void *target_container, const void *data,
984 			__be16 proto, int nhoff, int hlen, unsigned int flags)
985 {
986 	struct flow_dissector_key_control *key_control;
987 	struct flow_dissector_key_basic *key_basic;
988 	struct flow_dissector_key_addrs *key_addrs;
989 	struct flow_dissector_key_tags *key_tags;
990 	struct flow_dissector_key_vlan *key_vlan;
991 	enum flow_dissect_ret fdret;
992 	enum flow_dissector_key_id dissector_vlan = FLOW_DISSECTOR_KEY_MAX;
993 	bool mpls_el = false;
994 	int mpls_lse = 0;
995 	int num_hdrs = 0;
996 	u8 ip_proto = 0;
997 	bool ret;
998 
999 	if (!data) {
1000 		data = skb->data;
1001 		proto = skb_vlan_tag_present(skb) ?
1002 			 skb->vlan_proto : skb->protocol;
1003 		nhoff = skb_network_offset(skb);
1004 		hlen = skb_headlen(skb);
1005 #if IS_ENABLED(CONFIG_NET_DSA)
1006 		if (unlikely(skb->dev && netdev_uses_dsa(skb->dev) &&
1007 			     proto == htons(ETH_P_XDSA))) {
1008 			struct metadata_dst *md_dst = skb_metadata_dst(skb);
1009 			const struct dsa_device_ops *ops;
1010 			int offset = 0;
1011 
1012 			ops = skb->dev->dsa_ptr->tag_ops;
1013 			/* Only DSA header taggers break flow dissection */
1014 			if (ops->needed_headroom &&
1015 			    (!md_dst || md_dst->type != METADATA_HW_PORT_MUX)) {
1016 				if (ops->flow_dissect)
1017 					ops->flow_dissect(skb, &proto, &offset);
1018 				else
1019 					dsa_tag_generic_flow_dissect(skb,
1020 								     &proto,
1021 								     &offset);
1022 				hlen -= offset;
1023 				nhoff += offset;
1024 			}
1025 		}
1026 #endif
1027 	}
1028 
1029 	/* It is ensured by skb_flow_dissector_init() that control key will
1030 	 * be always present.
1031 	 */
1032 	key_control = skb_flow_dissector_target(flow_dissector,
1033 						FLOW_DISSECTOR_KEY_CONTROL,
1034 						target_container);
1035 
1036 	/* It is ensured by skb_flow_dissector_init() that basic key will
1037 	 * be always present.
1038 	 */
1039 	key_basic = skb_flow_dissector_target(flow_dissector,
1040 					      FLOW_DISSECTOR_KEY_BASIC,
1041 					      target_container);
1042 
1043 	if (skb) {
1044 		if (!net) {
1045 			if (skb->dev)
1046 				net = dev_net(skb->dev);
1047 			else if (skb->sk)
1048 				net = sock_net(skb->sk);
1049 		}
1050 	}
1051 
1052 	WARN_ON_ONCE(!net);
1053 	if (net) {
1054 		enum netns_bpf_attach_type type = NETNS_BPF_FLOW_DISSECTOR;
1055 		struct bpf_prog_array *run_array;
1056 
1057 		rcu_read_lock();
1058 		run_array = rcu_dereference(init_net.bpf.run_array[type]);
1059 		if (!run_array)
1060 			run_array = rcu_dereference(net->bpf.run_array[type]);
1061 
1062 		if (run_array) {
1063 			struct bpf_flow_keys flow_keys;
1064 			struct bpf_flow_dissector ctx = {
1065 				.flow_keys = &flow_keys,
1066 				.data = data,
1067 				.data_end = data + hlen,
1068 			};
1069 			__be16 n_proto = proto;
1070 			struct bpf_prog *prog;
1071 			u32 result;
1072 
1073 			if (skb) {
1074 				ctx.skb = skb;
1075 				/* we can't use 'proto' in the skb case
1076 				 * because it might be set to skb->vlan_proto
1077 				 * which has been pulled from the data
1078 				 */
1079 				n_proto = skb->protocol;
1080 			}
1081 
1082 			prog = READ_ONCE(run_array->items[0].prog);
1083 			result = bpf_flow_dissect(prog, &ctx, n_proto, nhoff,
1084 						  hlen, flags);
1085 			if (result == BPF_FLOW_DISSECTOR_CONTINUE)
1086 				goto dissect_continue;
1087 			__skb_flow_bpf_to_target(&flow_keys, flow_dissector,
1088 						 target_container);
1089 			rcu_read_unlock();
1090 			return result == BPF_OK;
1091 		}
1092 dissect_continue:
1093 		rcu_read_unlock();
1094 	}
1095 
1096 	if (dissector_uses_key(flow_dissector,
1097 			       FLOW_DISSECTOR_KEY_ETH_ADDRS)) {
1098 		struct ethhdr *eth = eth_hdr(skb);
1099 		struct flow_dissector_key_eth_addrs *key_eth_addrs;
1100 
1101 		key_eth_addrs = skb_flow_dissector_target(flow_dissector,
1102 							  FLOW_DISSECTOR_KEY_ETH_ADDRS,
1103 							  target_container);
1104 		memcpy(key_eth_addrs, eth, sizeof(*key_eth_addrs));
1105 	}
1106 
1107 	if (dissector_uses_key(flow_dissector,
1108 			       FLOW_DISSECTOR_KEY_NUM_OF_VLANS)) {
1109 		struct flow_dissector_key_num_of_vlans *key_num_of_vlans;
1110 
1111 		key_num_of_vlans = skb_flow_dissector_target(flow_dissector,
1112 							     FLOW_DISSECTOR_KEY_NUM_OF_VLANS,
1113 							     target_container);
1114 		key_num_of_vlans->num_of_vlans = 0;
1115 	}
1116 
1117 proto_again:
1118 	fdret = FLOW_DISSECT_RET_CONTINUE;
1119 
1120 	switch (proto) {
1121 	case htons(ETH_P_IP): {
1122 		const struct iphdr *iph;
1123 		struct iphdr _iph;
1124 
1125 		iph = __skb_header_pointer(skb, nhoff, sizeof(_iph), data, hlen, &_iph);
1126 		if (!iph || iph->ihl < 5) {
1127 			fdret = FLOW_DISSECT_RET_OUT_BAD;
1128 			break;
1129 		}
1130 
1131 		nhoff += iph->ihl * 4;
1132 
1133 		ip_proto = iph->protocol;
1134 
1135 		if (dissector_uses_key(flow_dissector,
1136 				       FLOW_DISSECTOR_KEY_IPV4_ADDRS)) {
1137 			key_addrs = skb_flow_dissector_target(flow_dissector,
1138 							      FLOW_DISSECTOR_KEY_IPV4_ADDRS,
1139 							      target_container);
1140 
1141 			memcpy(&key_addrs->v4addrs.src, &iph->saddr,
1142 			       sizeof(key_addrs->v4addrs.src));
1143 			memcpy(&key_addrs->v4addrs.dst, &iph->daddr,
1144 			       sizeof(key_addrs->v4addrs.dst));
1145 			key_control->addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS;
1146 		}
1147 
1148 		__skb_flow_dissect_ipv4(skb, flow_dissector,
1149 					target_container, data, iph);
1150 
1151 		if (ip_is_fragment(iph)) {
1152 			key_control->flags |= FLOW_DIS_IS_FRAGMENT;
1153 
1154 			if (iph->frag_off & htons(IP_OFFSET)) {
1155 				fdret = FLOW_DISSECT_RET_OUT_GOOD;
1156 				break;
1157 			} else {
1158 				key_control->flags |= FLOW_DIS_FIRST_FRAG;
1159 				if (!(flags &
1160 				      FLOW_DISSECTOR_F_PARSE_1ST_FRAG)) {
1161 					fdret = FLOW_DISSECT_RET_OUT_GOOD;
1162 					break;
1163 				}
1164 			}
1165 		}
1166 
1167 		break;
1168 	}
1169 	case htons(ETH_P_IPV6): {
1170 		const struct ipv6hdr *iph;
1171 		struct ipv6hdr _iph;
1172 
1173 		iph = __skb_header_pointer(skb, nhoff, sizeof(_iph), data, hlen, &_iph);
1174 		if (!iph) {
1175 			fdret = FLOW_DISSECT_RET_OUT_BAD;
1176 			break;
1177 		}
1178 
1179 		ip_proto = iph->nexthdr;
1180 		nhoff += sizeof(struct ipv6hdr);
1181 
1182 		if (dissector_uses_key(flow_dissector,
1183 				       FLOW_DISSECTOR_KEY_IPV6_ADDRS)) {
1184 			key_addrs = skb_flow_dissector_target(flow_dissector,
1185 							      FLOW_DISSECTOR_KEY_IPV6_ADDRS,
1186 							      target_container);
1187 
1188 			memcpy(&key_addrs->v6addrs.src, &iph->saddr,
1189 			       sizeof(key_addrs->v6addrs.src));
1190 			memcpy(&key_addrs->v6addrs.dst, &iph->daddr,
1191 			       sizeof(key_addrs->v6addrs.dst));
1192 			key_control->addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS;
1193 		}
1194 
1195 		if ((dissector_uses_key(flow_dissector,
1196 					FLOW_DISSECTOR_KEY_FLOW_LABEL) ||
1197 		     (flags & FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL)) &&
1198 		    ip6_flowlabel(iph)) {
1199 			__be32 flow_label = ip6_flowlabel(iph);
1200 
1201 			if (dissector_uses_key(flow_dissector,
1202 					       FLOW_DISSECTOR_KEY_FLOW_LABEL)) {
1203 				key_tags = skb_flow_dissector_target(flow_dissector,
1204 								     FLOW_DISSECTOR_KEY_FLOW_LABEL,
1205 								     target_container);
1206 				key_tags->flow_label = ntohl(flow_label);
1207 			}
1208 			if (flags & FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL) {
1209 				fdret = FLOW_DISSECT_RET_OUT_GOOD;
1210 				break;
1211 			}
1212 		}
1213 
1214 		__skb_flow_dissect_ipv6(skb, flow_dissector,
1215 					target_container, data, iph);
1216 
1217 		break;
1218 	}
1219 	case htons(ETH_P_8021AD):
1220 	case htons(ETH_P_8021Q): {
1221 		const struct vlan_hdr *vlan = NULL;
1222 		struct vlan_hdr _vlan;
1223 		__be16 saved_vlan_tpid = proto;
1224 
1225 		if (dissector_vlan == FLOW_DISSECTOR_KEY_MAX &&
1226 		    skb && skb_vlan_tag_present(skb)) {
1227 			proto = skb->protocol;
1228 		} else {
1229 			vlan = __skb_header_pointer(skb, nhoff, sizeof(_vlan),
1230 						    data, hlen, &_vlan);
1231 			if (!vlan) {
1232 				fdret = FLOW_DISSECT_RET_OUT_BAD;
1233 				break;
1234 			}
1235 
1236 			proto = vlan->h_vlan_encapsulated_proto;
1237 			nhoff += sizeof(*vlan);
1238 		}
1239 
1240 		if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_NUM_OF_VLANS) &&
1241 		    !(key_control->flags & FLOW_DIS_ENCAPSULATION)) {
1242 			struct flow_dissector_key_num_of_vlans *key_nvs;
1243 
1244 			key_nvs = skb_flow_dissector_target(flow_dissector,
1245 							    FLOW_DISSECTOR_KEY_NUM_OF_VLANS,
1246 							    target_container);
1247 			key_nvs->num_of_vlans++;
1248 		}
1249 
1250 		if (dissector_vlan == FLOW_DISSECTOR_KEY_MAX) {
1251 			dissector_vlan = FLOW_DISSECTOR_KEY_VLAN;
1252 		} else if (dissector_vlan == FLOW_DISSECTOR_KEY_VLAN) {
1253 			dissector_vlan = FLOW_DISSECTOR_KEY_CVLAN;
1254 		} else {
1255 			fdret = FLOW_DISSECT_RET_PROTO_AGAIN;
1256 			break;
1257 		}
1258 
1259 		if (dissector_uses_key(flow_dissector, dissector_vlan)) {
1260 			key_vlan = skb_flow_dissector_target(flow_dissector,
1261 							     dissector_vlan,
1262 							     target_container);
1263 
1264 			if (!vlan) {
1265 				key_vlan->vlan_id = skb_vlan_tag_get_id(skb);
1266 				key_vlan->vlan_priority = skb_vlan_tag_get_prio(skb);
1267 			} else {
1268 				key_vlan->vlan_id = ntohs(vlan->h_vlan_TCI) &
1269 					VLAN_VID_MASK;
1270 				key_vlan->vlan_priority =
1271 					(ntohs(vlan->h_vlan_TCI) &
1272 					 VLAN_PRIO_MASK) >> VLAN_PRIO_SHIFT;
1273 			}
1274 			key_vlan->vlan_tpid = saved_vlan_tpid;
1275 			key_vlan->vlan_eth_type = proto;
1276 		}
1277 
1278 		fdret = FLOW_DISSECT_RET_PROTO_AGAIN;
1279 		break;
1280 	}
1281 	case htons(ETH_P_PPP_SES): {
1282 		struct {
1283 			struct pppoe_hdr hdr;
1284 			__be16 proto;
1285 		} *hdr, _hdr;
1286 		u16 ppp_proto;
1287 
1288 		hdr = __skb_header_pointer(skb, nhoff, sizeof(_hdr), data, hlen, &_hdr);
1289 		if (!hdr) {
1290 			fdret = FLOW_DISSECT_RET_OUT_BAD;
1291 			break;
1292 		}
1293 
1294 		if (!is_pppoe_ses_hdr_valid(&hdr->hdr)) {
1295 			fdret = FLOW_DISSECT_RET_OUT_BAD;
1296 			break;
1297 		}
1298 
1299 		/* least significant bit of the most significant octet
1300 		 * indicates if protocol field was compressed
1301 		 */
1302 		ppp_proto = ntohs(hdr->proto);
1303 		if (ppp_proto & 0x0100) {
1304 			ppp_proto = ppp_proto >> 8;
1305 			nhoff += PPPOE_SES_HLEN - 1;
1306 		} else {
1307 			nhoff += PPPOE_SES_HLEN;
1308 		}
1309 
1310 		if (ppp_proto == PPP_IP) {
1311 			proto = htons(ETH_P_IP);
1312 			fdret = FLOW_DISSECT_RET_PROTO_AGAIN;
1313 		} else if (ppp_proto == PPP_IPV6) {
1314 			proto = htons(ETH_P_IPV6);
1315 			fdret = FLOW_DISSECT_RET_PROTO_AGAIN;
1316 		} else if (ppp_proto == PPP_MPLS_UC) {
1317 			proto = htons(ETH_P_MPLS_UC);
1318 			fdret = FLOW_DISSECT_RET_PROTO_AGAIN;
1319 		} else if (ppp_proto == PPP_MPLS_MC) {
1320 			proto = htons(ETH_P_MPLS_MC);
1321 			fdret = FLOW_DISSECT_RET_PROTO_AGAIN;
1322 		} else if (ppp_proto_is_valid(ppp_proto)) {
1323 			fdret = FLOW_DISSECT_RET_OUT_GOOD;
1324 		} else {
1325 			fdret = FLOW_DISSECT_RET_OUT_BAD;
1326 			break;
1327 		}
1328 
1329 		if (dissector_uses_key(flow_dissector,
1330 				       FLOW_DISSECTOR_KEY_PPPOE)) {
1331 			struct flow_dissector_key_pppoe *key_pppoe;
1332 
1333 			key_pppoe = skb_flow_dissector_target(flow_dissector,
1334 							      FLOW_DISSECTOR_KEY_PPPOE,
1335 							      target_container);
1336 			key_pppoe->session_id = hdr->hdr.sid;
1337 			key_pppoe->ppp_proto = htons(ppp_proto);
1338 			key_pppoe->type = htons(ETH_P_PPP_SES);
1339 		}
1340 		break;
1341 	}
1342 	case htons(ETH_P_TIPC): {
1343 		struct tipc_basic_hdr *hdr, _hdr;
1344 
1345 		hdr = __skb_header_pointer(skb, nhoff, sizeof(_hdr),
1346 					   data, hlen, &_hdr);
1347 		if (!hdr) {
1348 			fdret = FLOW_DISSECT_RET_OUT_BAD;
1349 			break;
1350 		}
1351 
1352 		if (dissector_uses_key(flow_dissector,
1353 				       FLOW_DISSECTOR_KEY_TIPC)) {
1354 			key_addrs = skb_flow_dissector_target(flow_dissector,
1355 							      FLOW_DISSECTOR_KEY_TIPC,
1356 							      target_container);
1357 			key_addrs->tipckey.key = tipc_hdr_rps_key(hdr);
1358 			key_control->addr_type = FLOW_DISSECTOR_KEY_TIPC;
1359 		}
1360 		fdret = FLOW_DISSECT_RET_OUT_GOOD;
1361 		break;
1362 	}
1363 
1364 	case htons(ETH_P_MPLS_UC):
1365 	case htons(ETH_P_MPLS_MC):
1366 		fdret = __skb_flow_dissect_mpls(skb, flow_dissector,
1367 						target_container, data,
1368 						nhoff, hlen, mpls_lse,
1369 						&mpls_el);
1370 		nhoff += sizeof(struct mpls_label);
1371 		mpls_lse++;
1372 		break;
1373 	case htons(ETH_P_FCOE):
1374 		if ((hlen - nhoff) < FCOE_HEADER_LEN) {
1375 			fdret = FLOW_DISSECT_RET_OUT_BAD;
1376 			break;
1377 		}
1378 
1379 		nhoff += FCOE_HEADER_LEN;
1380 		fdret = FLOW_DISSECT_RET_OUT_GOOD;
1381 		break;
1382 
1383 	case htons(ETH_P_ARP):
1384 	case htons(ETH_P_RARP):
1385 		fdret = __skb_flow_dissect_arp(skb, flow_dissector,
1386 					       target_container, data,
1387 					       nhoff, hlen);
1388 		break;
1389 
1390 	case htons(ETH_P_BATMAN):
1391 		fdret = __skb_flow_dissect_batadv(skb, key_control, data,
1392 						  &proto, &nhoff, hlen, flags);
1393 		break;
1394 
1395 	case htons(ETH_P_1588): {
1396 		struct ptp_header *hdr, _hdr;
1397 
1398 		hdr = __skb_header_pointer(skb, nhoff, sizeof(_hdr), data,
1399 					   hlen, &_hdr);
1400 		if (!hdr) {
1401 			fdret = FLOW_DISSECT_RET_OUT_BAD;
1402 			break;
1403 		}
1404 
1405 		nhoff += ntohs(hdr->message_length);
1406 		fdret = FLOW_DISSECT_RET_OUT_GOOD;
1407 		break;
1408 	}
1409 
1410 	case htons(ETH_P_PRP):
1411 	case htons(ETH_P_HSR): {
1412 		struct hsr_tag *hdr, _hdr;
1413 
1414 		hdr = __skb_header_pointer(skb, nhoff, sizeof(_hdr), data, hlen,
1415 					   &_hdr);
1416 		if (!hdr) {
1417 			fdret = FLOW_DISSECT_RET_OUT_BAD;
1418 			break;
1419 		}
1420 
1421 		proto = hdr->encap_proto;
1422 		nhoff += HSR_HLEN;
1423 		fdret = FLOW_DISSECT_RET_PROTO_AGAIN;
1424 		break;
1425 	}
1426 
1427 	case htons(ETH_P_CFM):
1428 		fdret = __skb_flow_dissect_cfm(skb, flow_dissector,
1429 					       target_container, data,
1430 					       nhoff, hlen);
1431 		break;
1432 
1433 	default:
1434 		fdret = FLOW_DISSECT_RET_OUT_BAD;
1435 		break;
1436 	}
1437 
1438 	/* Process result of proto processing */
1439 	switch (fdret) {
1440 	case FLOW_DISSECT_RET_OUT_GOOD:
1441 		goto out_good;
1442 	case FLOW_DISSECT_RET_PROTO_AGAIN:
1443 		if (skb_flow_dissect_allowed(&num_hdrs))
1444 			goto proto_again;
1445 		goto out_good;
1446 	case FLOW_DISSECT_RET_CONTINUE:
1447 	case FLOW_DISSECT_RET_IPPROTO_AGAIN:
1448 		break;
1449 	case FLOW_DISSECT_RET_OUT_BAD:
1450 	default:
1451 		goto out_bad;
1452 	}
1453 
1454 ip_proto_again:
1455 	fdret = FLOW_DISSECT_RET_CONTINUE;
1456 
1457 	switch (ip_proto) {
1458 	case IPPROTO_GRE:
1459 		if (flags & FLOW_DISSECTOR_F_STOP_BEFORE_ENCAP) {
1460 			fdret = FLOW_DISSECT_RET_OUT_GOOD;
1461 			break;
1462 		}
1463 
1464 		fdret = __skb_flow_dissect_gre(skb, key_control, flow_dissector,
1465 					       target_container, data,
1466 					       &proto, &nhoff, &hlen, flags);
1467 		break;
1468 
1469 	case NEXTHDR_HOP:
1470 	case NEXTHDR_ROUTING:
1471 	case NEXTHDR_DEST: {
1472 		u8 _opthdr[2], *opthdr;
1473 
1474 		if (proto != htons(ETH_P_IPV6))
1475 			break;
1476 
1477 		opthdr = __skb_header_pointer(skb, nhoff, sizeof(_opthdr),
1478 					      data, hlen, &_opthdr);
1479 		if (!opthdr) {
1480 			fdret = FLOW_DISSECT_RET_OUT_BAD;
1481 			break;
1482 		}
1483 
1484 		ip_proto = opthdr[0];
1485 		nhoff += (opthdr[1] + 1) << 3;
1486 
1487 		fdret = FLOW_DISSECT_RET_IPPROTO_AGAIN;
1488 		break;
1489 	}
1490 	case NEXTHDR_FRAGMENT: {
1491 		struct frag_hdr _fh, *fh;
1492 
1493 		if (proto != htons(ETH_P_IPV6))
1494 			break;
1495 
1496 		fh = __skb_header_pointer(skb, nhoff, sizeof(_fh),
1497 					  data, hlen, &_fh);
1498 
1499 		if (!fh) {
1500 			fdret = FLOW_DISSECT_RET_OUT_BAD;
1501 			break;
1502 		}
1503 
1504 		key_control->flags |= FLOW_DIS_IS_FRAGMENT;
1505 
1506 		nhoff += sizeof(_fh);
1507 		ip_proto = fh->nexthdr;
1508 
1509 		if (!(fh->frag_off & htons(IP6_OFFSET))) {
1510 			key_control->flags |= FLOW_DIS_FIRST_FRAG;
1511 			if (flags & FLOW_DISSECTOR_F_PARSE_1ST_FRAG) {
1512 				fdret = FLOW_DISSECT_RET_IPPROTO_AGAIN;
1513 				break;
1514 			}
1515 		}
1516 
1517 		fdret = FLOW_DISSECT_RET_OUT_GOOD;
1518 		break;
1519 	}
1520 	case IPPROTO_IPIP:
1521 		if (flags & FLOW_DISSECTOR_F_STOP_BEFORE_ENCAP) {
1522 			fdret = FLOW_DISSECT_RET_OUT_GOOD;
1523 			break;
1524 		}
1525 
1526 		proto = htons(ETH_P_IP);
1527 
1528 		key_control->flags |= FLOW_DIS_ENCAPSULATION;
1529 		if (flags & FLOW_DISSECTOR_F_STOP_AT_ENCAP) {
1530 			fdret = FLOW_DISSECT_RET_OUT_GOOD;
1531 			break;
1532 		}
1533 
1534 		fdret = FLOW_DISSECT_RET_PROTO_AGAIN;
1535 		break;
1536 
1537 	case IPPROTO_IPV6:
1538 		if (flags & FLOW_DISSECTOR_F_STOP_BEFORE_ENCAP) {
1539 			fdret = FLOW_DISSECT_RET_OUT_GOOD;
1540 			break;
1541 		}
1542 
1543 		proto = htons(ETH_P_IPV6);
1544 
1545 		key_control->flags |= FLOW_DIS_ENCAPSULATION;
1546 		if (flags & FLOW_DISSECTOR_F_STOP_AT_ENCAP) {
1547 			fdret = FLOW_DISSECT_RET_OUT_GOOD;
1548 			break;
1549 		}
1550 
1551 		fdret = FLOW_DISSECT_RET_PROTO_AGAIN;
1552 		break;
1553 
1554 
1555 	case IPPROTO_MPLS:
1556 		proto = htons(ETH_P_MPLS_UC);
1557 		fdret = FLOW_DISSECT_RET_PROTO_AGAIN;
1558 		break;
1559 
1560 	case IPPROTO_TCP:
1561 		__skb_flow_dissect_tcp(skb, flow_dissector, target_container,
1562 				       data, nhoff, hlen);
1563 		break;
1564 
1565 	case IPPROTO_ICMP:
1566 	case IPPROTO_ICMPV6:
1567 		__skb_flow_dissect_icmp(skb, flow_dissector, target_container,
1568 					data, nhoff, hlen);
1569 		break;
1570 	case IPPROTO_L2TP:
1571 		__skb_flow_dissect_l2tpv3(skb, flow_dissector, target_container,
1572 					  data, nhoff, hlen);
1573 		break;
1574 
1575 	default:
1576 		break;
1577 	}
1578 
1579 	if (!(key_control->flags & FLOW_DIS_IS_FRAGMENT))
1580 		__skb_flow_dissect_ports(skb, flow_dissector, target_container,
1581 					 data, nhoff, ip_proto, hlen);
1582 
1583 	/* Process result of IP proto processing */
1584 	switch (fdret) {
1585 	case FLOW_DISSECT_RET_PROTO_AGAIN:
1586 		if (skb_flow_dissect_allowed(&num_hdrs))
1587 			goto proto_again;
1588 		break;
1589 	case FLOW_DISSECT_RET_IPPROTO_AGAIN:
1590 		if (skb_flow_dissect_allowed(&num_hdrs))
1591 			goto ip_proto_again;
1592 		break;
1593 	case FLOW_DISSECT_RET_OUT_GOOD:
1594 	case FLOW_DISSECT_RET_CONTINUE:
1595 		break;
1596 	case FLOW_DISSECT_RET_OUT_BAD:
1597 	default:
1598 		goto out_bad;
1599 	}
1600 
1601 out_good:
1602 	ret = true;
1603 
1604 out:
1605 	key_control->thoff = min_t(u16, nhoff, skb ? skb->len : hlen);
1606 	key_basic->n_proto = proto;
1607 	key_basic->ip_proto = ip_proto;
1608 
1609 	return ret;
1610 
1611 out_bad:
1612 	ret = false;
1613 	goto out;
1614 }
1615 EXPORT_SYMBOL(__skb_flow_dissect);
1616 
1617 static siphash_aligned_key_t hashrnd;
1618 static __always_inline void __flow_hash_secret_init(void)
1619 {
1620 	net_get_random_once(&hashrnd, sizeof(hashrnd));
1621 }
1622 
1623 static const void *flow_keys_hash_start(const struct flow_keys *flow)
1624 {
1625 	BUILD_BUG_ON(FLOW_KEYS_HASH_OFFSET % SIPHASH_ALIGNMENT);
1626 	return &flow->FLOW_KEYS_HASH_START_FIELD;
1627 }
1628 
1629 static inline size_t flow_keys_hash_length(const struct flow_keys *flow)
1630 {
1631 	size_t diff = FLOW_KEYS_HASH_OFFSET + sizeof(flow->addrs);
1632 
1633 	BUILD_BUG_ON((sizeof(*flow) - FLOW_KEYS_HASH_OFFSET) % sizeof(u32));
1634 
1635 	switch (flow->control.addr_type) {
1636 	case FLOW_DISSECTOR_KEY_IPV4_ADDRS:
1637 		diff -= sizeof(flow->addrs.v4addrs);
1638 		break;
1639 	case FLOW_DISSECTOR_KEY_IPV6_ADDRS:
1640 		diff -= sizeof(flow->addrs.v6addrs);
1641 		break;
1642 	case FLOW_DISSECTOR_KEY_TIPC:
1643 		diff -= sizeof(flow->addrs.tipckey);
1644 		break;
1645 	}
1646 	return sizeof(*flow) - diff;
1647 }
1648 
1649 __be32 flow_get_u32_src(const struct flow_keys *flow)
1650 {
1651 	switch (flow->control.addr_type) {
1652 	case FLOW_DISSECTOR_KEY_IPV4_ADDRS:
1653 		return flow->addrs.v4addrs.src;
1654 	case FLOW_DISSECTOR_KEY_IPV6_ADDRS:
1655 		return (__force __be32)ipv6_addr_hash(
1656 			&flow->addrs.v6addrs.src);
1657 	case FLOW_DISSECTOR_KEY_TIPC:
1658 		return flow->addrs.tipckey.key;
1659 	default:
1660 		return 0;
1661 	}
1662 }
1663 EXPORT_SYMBOL(flow_get_u32_src);
1664 
1665 __be32 flow_get_u32_dst(const struct flow_keys *flow)
1666 {
1667 	switch (flow->control.addr_type) {
1668 	case FLOW_DISSECTOR_KEY_IPV4_ADDRS:
1669 		return flow->addrs.v4addrs.dst;
1670 	case FLOW_DISSECTOR_KEY_IPV6_ADDRS:
1671 		return (__force __be32)ipv6_addr_hash(
1672 			&flow->addrs.v6addrs.dst);
1673 	default:
1674 		return 0;
1675 	}
1676 }
1677 EXPORT_SYMBOL(flow_get_u32_dst);
1678 
1679 /* Sort the source and destination IP and the ports,
1680  * to have consistent hash within the two directions
1681  */
1682 static inline void __flow_hash_consistentify(struct flow_keys *keys)
1683 {
1684 	int addr_diff, i;
1685 
1686 	switch (keys->control.addr_type) {
1687 	case FLOW_DISSECTOR_KEY_IPV4_ADDRS:
1688 		if ((__force u32)keys->addrs.v4addrs.dst <
1689 		    (__force u32)keys->addrs.v4addrs.src)
1690 			swap(keys->addrs.v4addrs.src, keys->addrs.v4addrs.dst);
1691 
1692 		if ((__force u16)keys->ports.dst <
1693 		    (__force u16)keys->ports.src) {
1694 			swap(keys->ports.src, keys->ports.dst);
1695 		}
1696 		break;
1697 	case FLOW_DISSECTOR_KEY_IPV6_ADDRS:
1698 		addr_diff = memcmp(&keys->addrs.v6addrs.dst,
1699 				   &keys->addrs.v6addrs.src,
1700 				   sizeof(keys->addrs.v6addrs.dst));
1701 		if (addr_diff < 0) {
1702 			for (i = 0; i < 4; i++)
1703 				swap(keys->addrs.v6addrs.src.s6_addr32[i],
1704 				     keys->addrs.v6addrs.dst.s6_addr32[i]);
1705 		}
1706 		if ((__force u16)keys->ports.dst <
1707 		    (__force u16)keys->ports.src) {
1708 			swap(keys->ports.src, keys->ports.dst);
1709 		}
1710 		break;
1711 	}
1712 }
1713 
1714 static inline u32 __flow_hash_from_keys(struct flow_keys *keys,
1715 					const siphash_key_t *keyval)
1716 {
1717 	u32 hash;
1718 
1719 	__flow_hash_consistentify(keys);
1720 
1721 	hash = siphash(flow_keys_hash_start(keys),
1722 		       flow_keys_hash_length(keys), keyval);
1723 	if (!hash)
1724 		hash = 1;
1725 
1726 	return hash;
1727 }
1728 
1729 u32 flow_hash_from_keys(struct flow_keys *keys)
1730 {
1731 	__flow_hash_secret_init();
1732 	return __flow_hash_from_keys(keys, &hashrnd);
1733 }
1734 EXPORT_SYMBOL(flow_hash_from_keys);
1735 
1736 static inline u32 ___skb_get_hash(const struct sk_buff *skb,
1737 				  struct flow_keys *keys,
1738 				  const siphash_key_t *keyval)
1739 {
1740 	skb_flow_dissect_flow_keys(skb, keys,
1741 				   FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL);
1742 
1743 	return __flow_hash_from_keys(keys, keyval);
1744 }
1745 
1746 struct _flow_keys_digest_data {
1747 	__be16	n_proto;
1748 	u8	ip_proto;
1749 	u8	padding;
1750 	__be32	ports;
1751 	__be32	src;
1752 	__be32	dst;
1753 };
1754 
1755 void make_flow_keys_digest(struct flow_keys_digest *digest,
1756 			   const struct flow_keys *flow)
1757 {
1758 	struct _flow_keys_digest_data *data =
1759 	    (struct _flow_keys_digest_data *)digest;
1760 
1761 	BUILD_BUG_ON(sizeof(*data) > sizeof(*digest));
1762 
1763 	memset(digest, 0, sizeof(*digest));
1764 
1765 	data->n_proto = flow->basic.n_proto;
1766 	data->ip_proto = flow->basic.ip_proto;
1767 	data->ports = flow->ports.ports;
1768 	data->src = flow->addrs.v4addrs.src;
1769 	data->dst = flow->addrs.v4addrs.dst;
1770 }
1771 EXPORT_SYMBOL(make_flow_keys_digest);
1772 
1773 static struct flow_dissector flow_keys_dissector_symmetric __read_mostly;
1774 
1775 u32 __skb_get_hash_symmetric(const struct sk_buff *skb)
1776 {
1777 	struct flow_keys keys;
1778 
1779 	__flow_hash_secret_init();
1780 
1781 	memset(&keys, 0, sizeof(keys));
1782 	__skb_flow_dissect(NULL, skb, &flow_keys_dissector_symmetric,
1783 			   &keys, NULL, 0, 0, 0,
1784 			   FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL);
1785 
1786 	return __flow_hash_from_keys(&keys, &hashrnd);
1787 }
1788 EXPORT_SYMBOL_GPL(__skb_get_hash_symmetric);
1789 
1790 /**
1791  * __skb_get_hash: calculate a flow hash
1792  * @skb: sk_buff to calculate flow hash from
1793  *
1794  * This function calculates a flow hash based on src/dst addresses
1795  * and src/dst port numbers.  Sets hash in skb to non-zero hash value
1796  * on success, zero indicates no valid hash.  Also, sets l4_hash in skb
1797  * if hash is a canonical 4-tuple hash over transport ports.
1798  */
1799 void __skb_get_hash(struct sk_buff *skb)
1800 {
1801 	struct flow_keys keys;
1802 	u32 hash;
1803 
1804 	__flow_hash_secret_init();
1805 
1806 	hash = ___skb_get_hash(skb, &keys, &hashrnd);
1807 
1808 	__skb_set_sw_hash(skb, hash, flow_keys_have_l4(&keys));
1809 }
1810 EXPORT_SYMBOL(__skb_get_hash);
1811 
1812 __u32 skb_get_hash_perturb(const struct sk_buff *skb,
1813 			   const siphash_key_t *perturb)
1814 {
1815 	struct flow_keys keys;
1816 
1817 	return ___skb_get_hash(skb, &keys, perturb);
1818 }
1819 EXPORT_SYMBOL(skb_get_hash_perturb);
1820 
1821 u32 __skb_get_poff(const struct sk_buff *skb, const void *data,
1822 		   const struct flow_keys_basic *keys, int hlen)
1823 {
1824 	u32 poff = keys->control.thoff;
1825 
1826 	/* skip L4 headers for fragments after the first */
1827 	if ((keys->control.flags & FLOW_DIS_IS_FRAGMENT) &&
1828 	    !(keys->control.flags & FLOW_DIS_FIRST_FRAG))
1829 		return poff;
1830 
1831 	switch (keys->basic.ip_proto) {
1832 	case IPPROTO_TCP: {
1833 		/* access doff as u8 to avoid unaligned access */
1834 		const u8 *doff;
1835 		u8 _doff;
1836 
1837 		doff = __skb_header_pointer(skb, poff + 12, sizeof(_doff),
1838 					    data, hlen, &_doff);
1839 		if (!doff)
1840 			return poff;
1841 
1842 		poff += max_t(u32, sizeof(struct tcphdr), (*doff & 0xF0) >> 2);
1843 		break;
1844 	}
1845 	case IPPROTO_UDP:
1846 	case IPPROTO_UDPLITE:
1847 		poff += sizeof(struct udphdr);
1848 		break;
1849 	/* For the rest, we do not really care about header
1850 	 * extensions at this point for now.
1851 	 */
1852 	case IPPROTO_ICMP:
1853 		poff += sizeof(struct icmphdr);
1854 		break;
1855 	case IPPROTO_ICMPV6:
1856 		poff += sizeof(struct icmp6hdr);
1857 		break;
1858 	case IPPROTO_IGMP:
1859 		poff += sizeof(struct igmphdr);
1860 		break;
1861 	case IPPROTO_DCCP:
1862 		poff += sizeof(struct dccp_hdr);
1863 		break;
1864 	case IPPROTO_SCTP:
1865 		poff += sizeof(struct sctphdr);
1866 		break;
1867 	}
1868 
1869 	return poff;
1870 }
1871 
1872 /**
1873  * skb_get_poff - get the offset to the payload
1874  * @skb: sk_buff to get the payload offset from
1875  *
1876  * The function will get the offset to the payload as far as it could
1877  * be dissected.  The main user is currently BPF, so that we can dynamically
1878  * truncate packets without needing to push actual payload to the user
1879  * space and can analyze headers only, instead.
1880  */
1881 u32 skb_get_poff(const struct sk_buff *skb)
1882 {
1883 	struct flow_keys_basic keys;
1884 
1885 	if (!skb_flow_dissect_flow_keys_basic(NULL, skb, &keys,
1886 					      NULL, 0, 0, 0, 0))
1887 		return 0;
1888 
1889 	return __skb_get_poff(skb, skb->data, &keys, skb_headlen(skb));
1890 }
1891 
1892 __u32 __get_hash_from_flowi6(const struct flowi6 *fl6, struct flow_keys *keys)
1893 {
1894 	memset(keys, 0, sizeof(*keys));
1895 
1896 	memcpy(&keys->addrs.v6addrs.src, &fl6->saddr,
1897 	    sizeof(keys->addrs.v6addrs.src));
1898 	memcpy(&keys->addrs.v6addrs.dst, &fl6->daddr,
1899 	    sizeof(keys->addrs.v6addrs.dst));
1900 	keys->control.addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS;
1901 	keys->ports.src = fl6->fl6_sport;
1902 	keys->ports.dst = fl6->fl6_dport;
1903 	keys->keyid.keyid = fl6->fl6_gre_key;
1904 	keys->tags.flow_label = (__force u32)flowi6_get_flowlabel(fl6);
1905 	keys->basic.ip_proto = fl6->flowi6_proto;
1906 
1907 	return flow_hash_from_keys(keys);
1908 }
1909 EXPORT_SYMBOL(__get_hash_from_flowi6);
1910 
1911 static const struct flow_dissector_key flow_keys_dissector_keys[] = {
1912 	{
1913 		.key_id = FLOW_DISSECTOR_KEY_CONTROL,
1914 		.offset = offsetof(struct flow_keys, control),
1915 	},
1916 	{
1917 		.key_id = FLOW_DISSECTOR_KEY_BASIC,
1918 		.offset = offsetof(struct flow_keys, basic),
1919 	},
1920 	{
1921 		.key_id = FLOW_DISSECTOR_KEY_IPV4_ADDRS,
1922 		.offset = offsetof(struct flow_keys, addrs.v4addrs),
1923 	},
1924 	{
1925 		.key_id = FLOW_DISSECTOR_KEY_IPV6_ADDRS,
1926 		.offset = offsetof(struct flow_keys, addrs.v6addrs),
1927 	},
1928 	{
1929 		.key_id = FLOW_DISSECTOR_KEY_TIPC,
1930 		.offset = offsetof(struct flow_keys, addrs.tipckey),
1931 	},
1932 	{
1933 		.key_id = FLOW_DISSECTOR_KEY_PORTS,
1934 		.offset = offsetof(struct flow_keys, ports),
1935 	},
1936 	{
1937 		.key_id = FLOW_DISSECTOR_KEY_VLAN,
1938 		.offset = offsetof(struct flow_keys, vlan),
1939 	},
1940 	{
1941 		.key_id = FLOW_DISSECTOR_KEY_FLOW_LABEL,
1942 		.offset = offsetof(struct flow_keys, tags),
1943 	},
1944 	{
1945 		.key_id = FLOW_DISSECTOR_KEY_GRE_KEYID,
1946 		.offset = offsetof(struct flow_keys, keyid),
1947 	},
1948 };
1949 
1950 static const struct flow_dissector_key flow_keys_dissector_symmetric_keys[] = {
1951 	{
1952 		.key_id = FLOW_DISSECTOR_KEY_CONTROL,
1953 		.offset = offsetof(struct flow_keys, control),
1954 	},
1955 	{
1956 		.key_id = FLOW_DISSECTOR_KEY_BASIC,
1957 		.offset = offsetof(struct flow_keys, basic),
1958 	},
1959 	{
1960 		.key_id = FLOW_DISSECTOR_KEY_IPV4_ADDRS,
1961 		.offset = offsetof(struct flow_keys, addrs.v4addrs),
1962 	},
1963 	{
1964 		.key_id = FLOW_DISSECTOR_KEY_IPV6_ADDRS,
1965 		.offset = offsetof(struct flow_keys, addrs.v6addrs),
1966 	},
1967 	{
1968 		.key_id = FLOW_DISSECTOR_KEY_PORTS,
1969 		.offset = offsetof(struct flow_keys, ports),
1970 	},
1971 };
1972 
1973 static const struct flow_dissector_key flow_keys_basic_dissector_keys[] = {
1974 	{
1975 		.key_id = FLOW_DISSECTOR_KEY_CONTROL,
1976 		.offset = offsetof(struct flow_keys, control),
1977 	},
1978 	{
1979 		.key_id = FLOW_DISSECTOR_KEY_BASIC,
1980 		.offset = offsetof(struct flow_keys, basic),
1981 	},
1982 };
1983 
1984 struct flow_dissector flow_keys_dissector __read_mostly;
1985 EXPORT_SYMBOL(flow_keys_dissector);
1986 
1987 struct flow_dissector flow_keys_basic_dissector __read_mostly;
1988 EXPORT_SYMBOL(flow_keys_basic_dissector);
1989 
1990 static int __init init_default_flow_dissectors(void)
1991 {
1992 	skb_flow_dissector_init(&flow_keys_dissector,
1993 				flow_keys_dissector_keys,
1994 				ARRAY_SIZE(flow_keys_dissector_keys));
1995 	skb_flow_dissector_init(&flow_keys_dissector_symmetric,
1996 				flow_keys_dissector_symmetric_keys,
1997 				ARRAY_SIZE(flow_keys_dissector_symmetric_keys));
1998 	skb_flow_dissector_init(&flow_keys_basic_dissector,
1999 				flow_keys_basic_dissector_keys,
2000 				ARRAY_SIZE(flow_keys_basic_dissector_keys));
2001 	return 0;
2002 }
2003 core_initcall(init_default_flow_dissectors);
2004