// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (c) 2007-2017 Nicira, Inc.
 */

#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

#include "flow.h"
#include "datapath.h"
#include <linux/uaccess.h>
#include <linux/netdevice.h>
#include <linux/etherdevice.h>
#include <linux/if_ether.h>
#include <linux/if_vlan.h>
#include <net/llc_pdu.h>
#include <linux/kernel.h>
#include <linux/jhash.h>
#include <linux/jiffies.h>
#include <linux/llc.h>
#include <linux/module.h>
#include <linux/in.h>
#include <linux/rcupdate.h>
#include <linux/if_arp.h>
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <linux/sctp.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/icmp.h>
#include <linux/icmpv6.h>
#include <linux/rculist.h>
#include <net/geneve.h>
#include <net/ip.h>
#include <net/ipv6.h>
#include <net/ndisc.h>
#include <net/mpls.h>
#include <net/vxlan.h>
#include <net/tun_proto.h>
#include <net/erspan.h>

#include "flow_netlink.h"

/* One entry of an attribute-length table.
 *
 * @len:  payload length expected for the attribute type that indexes the
 *        table, or one of the OVS_ATTR_NESTED / OVS_ATTR_VARIABLE sentinels.
 * @next: for a nested attribute, the length table of the attributes it
 *        contains; left unset by entries that do not need one.
 */
struct ovs_len_tbl {
	int len;
	const struct ovs_len_tbl *next;
};

/* Sentinel values for ovs_len_tbl.len. Both are negative, so they can never
 * collide with a real payload length.
 */
#define OVS_ATTR_NESTED -1
#define OVS_ATTR_VARIABLE -2

/* Report whether a nested list of actions may modify the flow key.
 *
 * Returns false only when every action is one of OUTPUT, RECIRC, TRUNC or
 * USERSPACE. Any other action type returns true, and so does a type this
 * switch does not list at all (the 'default' label), so an unrecognised
 * action is treated as flow-changing rather than as harmless.
 */
static bool actions_may_change_flow(const struct nlattr *actions)
{
	struct nlattr *nla;
	int rem;

	nla_for_each_nested(nla, actions, rem) {
		u16 action = nla_type(nla);

		switch (action) {
		case OVS_ACTION_ATTR_OUTPUT:
		case OVS_ACTION_ATTR_RECIRC:
		case OVS_ACTION_ATTR_TRUNC:
		case OVS_ACTION_ATTR_USERSPACE:
			break;

		case OVS_ACTION_ATTR_CT:
		case OVS_ACTION_ATTR_CT_CLEAR:
		case OVS_ACTION_ATTR_HASH:
		case OVS_ACTION_ATTR_POP_ETH:
		case OVS_ACTION_ATTR_POP_MPLS:
		case OVS_ACTION_ATTR_POP_NSH:
		case OVS_ACTION_ATTR_POP_VLAN:
		case OVS_ACTION_ATTR_PUSH_ETH:
		case OVS_ACTION_ATTR_PUSH_MPLS:
		case OVS_ACTION_ATTR_PUSH_NSH:
		case OVS_ACTION_ATTR_PUSH_VLAN:
		case OVS_ACTION_ATTR_SAMPLE:
		case OVS_ACTION_ATTR_SET:
		case OVS_ACTION_ATTR_SET_MASKED:
		case OVS_ACTION_ATTR_METER:
		case OVS_ACTION_ATTR_CHECK_PKT_LEN:
		case OVS_ACTION_ATTR_ADD_MPLS:
		case OVS_ACTION_ATTR_DEC_TTL:
		default:
			return true;
		}
	}
	return false;
}

/* Grow the byte range recorded for the key (or for the mask when @is_mask is
 * set) so that it covers [offset, offset + size).
 *
 * The new bounds are rounded outwards to multiples of sizeof(long). A range
 * whose start equals its end is treated as empty and is simply replaced;
 * otherwise the range only ever widens.
 */
static void update_range(struct sw_flow_match *match,
			 size_t offset, size_t size, bool is_mask)
{
	struct sw_flow_key_range *range;
	size_t start = rounddown(offset, sizeof(long));
	size_t end = roundup(offset + size, sizeof(long));

	if (!is_mask)
		range = &match->range;
	else
		range = &match->mask->range;

	if (range->start == range->end) {
		range->start = start;
		range->end = end;
		return;
	}

	if (range->start > start)
		range->start = start;

	if (range->end < end)
		range->end = end;
}

/* Store @value in @field of the flow key, or of the mask's key when @is_mask
 * is set, and extend the matching range to cover the field. The dereference
 * of (match)->mask happens only on the mask path.
 */
#define SW_FLOW_KEY_PUT(match, field, value, is_mask) \
	do { \
		update_range(match, offsetof(struct sw_flow_key, field), \
			     sizeof((match)->key->field), is_mask); \
		if (is_mask) \
			(match)->mask->key.field = value; \
		else \
			(match)->key->field = value; \
	} while (0)

/* Copy @len bytes from @value_p to byte @offset inside the key (or the mask's
 * key) and extend the matching range. The macro performs no bounds check of
 * its own: @offset + @len must already be known to lie inside
 * struct sw_flow_key when it is used.
 */
#define SW_FLOW_KEY_MEMCPY_OFFSET(match, offset, value_p, len, is_mask) \
	do { \
		update_range(match, offset, len, is_mask); \
		if (is_mask) \
			memcpy((u8 *)&(match)->mask->key + offset, value_p, \
			       len); \
		else \
			memcpy((u8 *)(match)->key + offset, value_p, len); \
	} while (0)

/* Field-name form of SW_FLOW_KEY_MEMCPY_OFFSET: the offset is taken from
 * offsetof(struct sw_flow_key, field), while @len is still supplied by the
 * user of the macro.
 */
#define SW_FLOW_KEY_MEMCPY(match, field, value_p, len, is_mask) \
	SW_FLOW_KEY_MEMCPY_OFFSET(match, offsetof(struct sw_flow_key, field), \
				  value_p, len, is_mask)

/* Fill every byte of @field in the key (or the mask's key) with @value and
 * extend the matching range. The length comes from sizeof() on the field, so
 * the write cannot run past it.
 */
#define SW_FLOW_KEY_MEMSET_FIELD(match, field, value, is_mask) \
	do { \
		update_range(match, offsetof(struct sw_flow_key, field), \
			     sizeof((match)->key->field), is_mask); \
		if (is_mask) \
			memset((u8 *)&(match)->mask->key.field, value, \
			       sizeof((match)->mask->key.field)); \
		else \
			memset((u8 *)&(match)->key->field, value, \
			       sizeof((match)->key->field)); \
	} while \
(0)

/* Check that the attributes present in a flow key and in its mask are
 * consistent with the protocols the key itself selects.
 *
 * @match:      parsed key, and optionally mask, to check.
 * @key_attrs:  bitmap of OVS_KEY_ATTR_* types present in the key.
 * @mask_attrs: bitmap of OVS_KEY_ATTR_* types present in the mask.
 * @log:        passed to OVS_NLERR() for the failure messages.
 *
 * Two bitmaps are derived from the key: key_expected (attributes that must be
 * present given the EtherType / IP protocol) and mask_allowed (attributes the
 * mask may carry). A protocol-specific attribute is admitted into the mask
 * only when the field that selects the protocol is matched exactly (0xffff
 * for eth.type, 0xff for ip.proto).
 *
 * Returns true when the key holds every expected attribute and the mask holds
 * only allowed ones, false otherwise.
 *
 * NOTE(review): most bits here are built with an int shift (1 << ...), while
 * the bitmaps are u64 and one line below already uses 1ULL. The int form is
 * only correct while every attribute number used in this function stays
 * below 31 - confirm against the OVS_KEY_ATTR_* enum.
 */
static bool match_validate(const struct sw_flow_match *match,
			   u64 key_attrs, u64 mask_attrs, bool log)
{
	u64 key_expected = 0;
	u64 mask_allowed = key_attrs;  /* At most allow all key attributes */

	/* The following mask attributes are allowed only if they
	 * pass the validation tests.
	 */
	mask_allowed &= ~((1 << OVS_KEY_ATTR_IPV4)
			| (1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4)
			| (1 << OVS_KEY_ATTR_IPV6)
			| (1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6)
			| (1 << OVS_KEY_ATTR_TCP)
			| (1 << OVS_KEY_ATTR_TCP_FLAGS)
			| (1 << OVS_KEY_ATTR_UDP)
			| (1 << OVS_KEY_ATTR_SCTP)
			| (1 << OVS_KEY_ATTR_ICMP)
			| (1 << OVS_KEY_ATTR_ICMPV6)
			| (1 << OVS_KEY_ATTR_ARP)
			| (1 << OVS_KEY_ATTR_ND)
			| (1 << OVS_KEY_ATTR_MPLS)
			| (1 << OVS_KEY_ATTR_NSH));

	/* Always allowed mask fields. */
	mask_allowed |= ((1 << OVS_KEY_ATTR_TUNNEL)
		       | (1 << OVS_KEY_ATTR_IN_PORT)
		       | (1 << OVS_KEY_ATTR_ETHERTYPE));

	/* Check key attributes. */
	if (match->key->eth.type == htons(ETH_P_ARP)
			|| match->key->eth.type == htons(ETH_P_RARP)) {
		key_expected |= 1 << OVS_KEY_ATTR_ARP;
		if (match->mask && (match->mask->key.eth.type == htons(0xffff)))
			mask_allowed |= 1 << OVS_KEY_ATTR_ARP;
	}

	if (eth_p_mpls(match->key->eth.type)) {
		key_expected |= 1 << OVS_KEY_ATTR_MPLS;
		if (match->mask && (match->mask->key.eth.type == htons(0xffff)))
			mask_allowed |= 1 << OVS_KEY_ATTR_MPLS;
	}

	if (match->key->eth.type == htons(ETH_P_IP)) {
		key_expected |= 1 << OVS_KEY_ATTR_IPV4;
		if (match->mask && match->mask->key.eth.type == htons(0xffff)) {
			mask_allowed |= 1 << OVS_KEY_ATTR_IPV4;
			mask_allowed |= 1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4;
		}

		/* No L4 attribute is expected or allowed for a key marked
		 * OVS_FRAG_TYPE_LATER.
		 */
		if (match->key->ip.frag != OVS_FRAG_TYPE_LATER) {
			if (match->key->ip.proto == IPPROTO_UDP) {
				key_expected |= 1 << OVS_KEY_ATTR_UDP;
				if (match->mask && (match->mask->key.ip.proto == 0xff))
					mask_allowed |= 1 << OVS_KEY_ATTR_UDP;
			}

			if (match->key->ip.proto == IPPROTO_SCTP) {
				key_expected |= 1 << OVS_KEY_ATTR_SCTP;
				if (match->mask && (match->mask->key.ip.proto == 0xff))
					mask_allowed |= 1 << OVS_KEY_ATTR_SCTP;
			}

			if (match->key->ip.proto == IPPROTO_TCP) {
				key_expected |= 1 << OVS_KEY_ATTR_TCP;
				key_expected |= 1 << OVS_KEY_ATTR_TCP_FLAGS;
				if (match->mask && (match->mask->key.ip.proto == 0xff)) {
					mask_allowed |= 1 << OVS_KEY_ATTR_TCP;
					mask_allowed |= 1 << OVS_KEY_ATTR_TCP_FLAGS;
				}
			}

			if (match->key->ip.proto == IPPROTO_ICMP) {
				key_expected |= 1 << OVS_KEY_ATTR_ICMP;
				if (match->mask && (match->mask->key.ip.proto == 0xff))
					mask_allowed |= 1 << OVS_KEY_ATTR_ICMP;
			}
		}
	}

	if (match->key->eth.type == htons(ETH_P_IPV6)) {
		key_expected |= 1 << OVS_KEY_ATTR_IPV6;
		if (match->mask && match->mask->key.eth.type == htons(0xffff)) {
			mask_allowed |= 1 << OVS_KEY_ATTR_IPV6;
			mask_allowed |= 1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6;
		}

		if (match->key->ip.frag != OVS_FRAG_TYPE_LATER) {
			if (match->key->ip.proto == IPPROTO_UDP) {
				key_expected |= 1 << OVS_KEY_ATTR_UDP;
				if (match->mask && (match->mask->key.ip.proto == 0xff))
					mask_allowed |= 1 << OVS_KEY_ATTR_UDP;
			}

			if (match->key->ip.proto == IPPROTO_SCTP) {
				key_expected |= 1 << OVS_KEY_ATTR_SCTP;
				if (match->mask && (match->mask->key.ip.proto == 0xff))
					mask_allowed |= 1 << OVS_KEY_ATTR_SCTP;
			}

			if (match->key->ip.proto == IPPROTO_TCP) {
				key_expected |= 1 << OVS_KEY_ATTR_TCP;
				key_expected |= 1 << OVS_KEY_ATTR_TCP_FLAGS;
				if (match->mask && (match->mask->key.ip.proto == 0xff)) {
					mask_allowed |= 1 << OVS_KEY_ATTR_TCP;
					mask_allowed |= 1 << OVS_KEY_ATTR_TCP_FLAGS;
				}
			}

			if (match->key->ip.proto == IPPROTO_ICMPV6) {
				key_expected |= 1 << OVS_KEY_ATTR_ICMPV6;
				if (match->mask && (match->mask->key.ip.proto == 0xff))
					mask_allowed |= 1 << OVS_KEY_ATTR_ICMPV6;

				/* tp.src is compared against the ND message
				 * types here, i.e. for ICMPv6 it carries the
				 * ICMPv6 type.
				 */
				if (match->key->tp.src ==
						htons(NDISC_NEIGHBOUR_SOLICITATION) ||
				    match->key->tp.src == htons(NDISC_NEIGHBOUR_ADVERTISEMENT)) {
					key_expected |= 1 << OVS_KEY_ATTR_ND;
					/* Original direction conntrack tuple
					 * uses the same space as the ND fields
					 * in the key, so both are not allowed
					 * at the same time.
					 */
					mask_allowed &= ~(1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6);
					if (match->mask && (match->mask->key.tp.src == htons(0xff)))
						mask_allowed |= 1 << OVS_KEY_ATTR_ND;
				}
			}
		}
	}

	if (match->key->eth.type == htons(ETH_P_NSH)) {
		key_expected |= 1 << OVS_KEY_ATTR_NSH;
		if (match->mask &&
		    match->mask->key.eth.type == htons(0xffff)) {
			mask_allowed |= 1 << OVS_KEY_ATTR_NSH;
		}
	}

	if ((key_attrs & key_expected) != key_expected) {
		/* Key attributes check failed. */
		OVS_NLERR(log, "Missing key (keys=%llx, expected=%llx)",
			  (unsigned long long)key_attrs,
			  (unsigned long long)key_expected);
		return false;
	}

	if ((mask_attrs & mask_allowed) != mask_attrs) {
		/* Mask attributes check failed. */
		OVS_NLERR(log, "Unexpected mask (mask=%llx, allowed=%llx)",
			  (unsigned long long)mask_attrs,
			  (unsigned long long)mask_allowed);
		return false;
	}

	return true;
}

/* Netlink space reserved for the attributes of one tunnel key. The value is
 * a sum of nla_total_size() terms, one per OVS_TUNNEL_KEY_ATTR_* attribute.
 */
size_t ovs_tun_key_attr_size(void)
{
	/* Whenever adding new OVS_TUNNEL_KEY_ FIELDS, we should consider
	 * updating this function.
*/
	/* Each term reserves room for one attribute with the given payload
	 * size. A message built from a buffer sized by this sum will not fit
	 * if an attribute is emitted that has no term here, which is why the
	 * list has to track the attribute enum.
	 */
	return    nla_total_size_64bit(8) /* OVS_TUNNEL_KEY_ATTR_ID */
		+ nla_total_size(16)   /* OVS_TUNNEL_KEY_ATTR_IPV[46]_SRC */
		+ nla_total_size(16)   /* OVS_TUNNEL_KEY_ATTR_IPV[46]_DST */
		+ nla_total_size(1)    /* OVS_TUNNEL_KEY_ATTR_TOS */
		+ nla_total_size(1)    /* OVS_TUNNEL_KEY_ATTR_TTL */
		+ nla_total_size(0)    /* OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT */
		+ nla_total_size(0)    /* OVS_TUNNEL_KEY_ATTR_CSUM */
		+ nla_total_size(0)    /* OVS_TUNNEL_KEY_ATTR_OAM */
		+ nla_total_size(256)  /* OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS */
		/* OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS and
		 * OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS are mutually exclusive with
		 * OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS and covered by it.
		 */
		+ nla_total_size(2)    /* OVS_TUNNEL_KEY_ATTR_TP_SRC */
		+ nla_total_size(2);   /* OVS_TUNNEL_KEY_ATTR_TP_DST */
}

/* Netlink space reserved for the attributes nested inside an NSH key: the
 * base header plus the larger of the two metadata variants.
 */
static size_t ovs_nsh_key_attr_size(void)
{
	/* Whenever adding new OVS_NSH_KEY_ FIELDS, we should consider
	 * updating this function.
	 */
	return  nla_total_size(NSH_BASE_HDR_LEN) /* OVS_NSH_KEY_ATTR_BASE */
		/* OVS_NSH_KEY_ATTR_MD1 and OVS_NSH_KEY_ATTR_MD2 are
		 * mutually exclusive, so the bigger one can cover
		 * the small one.
		 */
		+ nla_total_size(NSH_CTX_HDRS_MAX_LEN);
}

/* Netlink space reserved for a complete flow key: one nla_total_size() term
 * per OVS_KEY_ATTR_* attribute, plus the tunnel and NSH sub-totals.
 */
size_t ovs_key_attr_size(void)
{
	/* Whenever adding new OVS_KEY_ FIELDS, we should consider
	 * updating this function.
*/
	/* Compile-time tripwire: the build fails when the attribute enum
	 * moves OVS_KEY_ATTR_TUNNEL_INFO away from 30, which forces whoever
	 * changed the enum to look at the sum below.
	 */
	BUILD_BUG_ON(OVS_KEY_ATTR_TUNNEL_INFO != 30);

	/* OVS_KEY_ATTR_ETHERTYPE is counted twice on purpose: once before
	 * and once after OVS_KEY_ATTR_ENCAP in the list below.
	 */
	return    nla_total_size(4)   /* OVS_KEY_ATTR_PRIORITY */
		+ nla_total_size(0)   /* OVS_KEY_ATTR_TUNNEL */
		  + ovs_tun_key_attr_size()
		+ nla_total_size(4)   /* OVS_KEY_ATTR_IN_PORT */
		+ nla_total_size(4)   /* OVS_KEY_ATTR_SKB_MARK */
		+ nla_total_size(4)   /* OVS_KEY_ATTR_DP_HASH */
		+ nla_total_size(4)   /* OVS_KEY_ATTR_RECIRC_ID */
		+ nla_total_size(4)   /* OVS_KEY_ATTR_CT_STATE */
		+ nla_total_size(2)   /* OVS_KEY_ATTR_CT_ZONE */
		+ nla_total_size(4)   /* OVS_KEY_ATTR_CT_MARK */
		+ nla_total_size(16)  /* OVS_KEY_ATTR_CT_LABELS */
		+ nla_total_size(40)  /* OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6 */
		+ nla_total_size(0)   /* OVS_KEY_ATTR_NSH */
		  + ovs_nsh_key_attr_size()
		+ nla_total_size(12)  /* OVS_KEY_ATTR_ETHERNET */
		+ nla_total_size(2)   /* OVS_KEY_ATTR_ETHERTYPE */
		+ nla_total_size(4)   /* OVS_KEY_ATTR_VLAN */
		+ nla_total_size(0)   /* OVS_KEY_ATTR_ENCAP */
		+ nla_total_size(2)   /* OVS_KEY_ATTR_ETHERTYPE */
		+ nla_total_size(40)  /* OVS_KEY_ATTR_IPV6 */
		+ nla_total_size(2)   /* OVS_KEY_ATTR_ICMPV6 */
		+ nla_total_size(28)  /* OVS_KEY_ATTR_ND */
		+ nla_total_size(2);  /* OVS_KEY_ATTR_IPV6_EXTHDRS */
}

/* Expected payload length of each OVS_VXLAN_EXT_* attribute. */
static const struct ovs_len_tbl ovs_vxlan_ext_key_lens[OVS_VXLAN_EXT_MAX + 1] = {
	[OVS_VXLAN_EXT_GBP]	    = { .len = sizeof(u32) },
};

/* Expected payload length of each OVS_TUNNEL_KEY_ATTR_* attribute. A type
 * without an initializer keeps the zero value of static storage, so it is
 * accepted only with an empty payload.
 */
static const struct ovs_len_tbl ovs_tunnel_key_lens[OVS_TUNNEL_KEY_ATTR_MAX + 1] = {
	[OVS_TUNNEL_KEY_ATTR_ID]	    = { .len = sizeof(u64) },
	[OVS_TUNNEL_KEY_ATTR_IPV4_SRC]	    = { .len = sizeof(u32) },
	[OVS_TUNNEL_KEY_ATTR_IPV4_DST]	    = { .len = sizeof(u32) },
	[OVS_TUNNEL_KEY_ATTR_TOS]	    = { .len = 1 },
	[OVS_TUNNEL_KEY_ATTR_TTL]	    = { .len = 1 },
	[OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT] = { .len = 0 },
	[OVS_TUNNEL_KEY_ATTR_CSUM]	    = { .len = 0 },
	[OVS_TUNNEL_KEY_ATTR_TP_SRC]	    = { .len = sizeof(u16) },
	[OVS_TUNNEL_KEY_ATTR_TP_DST]	    = { .len = sizeof(u16) },
	[OVS_TUNNEL_KEY_ATTR_OAM]	    = { .len = 0 },
[OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS]   = { .len = OVS_ATTR_VARIABLE },
	/* Nested attribute: its members are described by their own table. */
	[OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS]    = { .len = OVS_ATTR_NESTED,
						.next = ovs_vxlan_ext_key_lens },
	[OVS_TUNNEL_KEY_ATTR_IPV6_SRC]      = { .len = sizeof(struct in6_addr) },
	[OVS_TUNNEL_KEY_ATTR_IPV6_DST]      = { .len = sizeof(struct in6_addr) },
	/* Variable length: the table imposes no size, so the code that
	 * consumes the attribute has to bound it itself.
	 */
	[OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS]   = { .len = OVS_ATTR_VARIABLE },
	[OVS_TUNNEL_KEY_ATTR_IPV4_INFO_BRIDGE]   = { .len = 0 },
};

/* Expected payload length of each OVS_NSH_KEY_ATTR_* attribute. */
static const struct ovs_len_tbl
ovs_nsh_key_attr_lens[OVS_NSH_KEY_ATTR_MAX + 1] = {
	[OVS_NSH_KEY_ATTR_BASE] = { .len = sizeof(struct ovs_nsh_key_base) },
	[OVS_NSH_KEY_ATTR_MD1]  = { .len = sizeof(struct ovs_nsh_key_md1) },
	[OVS_NSH_KEY_ATTR_MD2]  = { .len = OVS_ATTR_VARIABLE },
};

/* The size of the argument for each %OVS_KEY_ATTR_* Netlink attribute.
 * Fixed-size attributes must match the listed size exactly; entries marked
 * OVS_ATTR_NESTED or OVS_ATTR_VARIABLE are not length-checked through this
 * table.
 */
static const struct ovs_len_tbl ovs_key_lens[OVS_KEY_ATTR_MAX + 1] = {
	[OVS_KEY_ATTR_ENCAP]	 = { .len = OVS_ATTR_NESTED },
	[OVS_KEY_ATTR_PRIORITY]	 = { .len = sizeof(u32) },
	[OVS_KEY_ATTR_IN_PORT]	 = { .len = sizeof(u32) },
	[OVS_KEY_ATTR_SKB_MARK]	 = { .len = sizeof(u32) },
	[OVS_KEY_ATTR_ETHERNET]	 = { .len = sizeof(struct ovs_key_ethernet) },
	[OVS_KEY_ATTR_VLAN]	 = { .len = sizeof(__be16) },
	[OVS_KEY_ATTR_ETHERTYPE] = { .len = sizeof(__be16) },
	[OVS_KEY_ATTR_IPV4]	 = { .len = sizeof(struct ovs_key_ipv4) },
	[OVS_KEY_ATTR_IPV6]	 = { .len = sizeof(struct ovs_key_ipv6) },
	[OVS_KEY_ATTR_TCP]	 = { .len = sizeof(struct ovs_key_tcp) },
	[OVS_KEY_ATTR_TCP_FLAGS] = { .len = sizeof(__be16) },
	[OVS_KEY_ATTR_UDP]	 = { .len = sizeof(struct ovs_key_udp) },
	[OVS_KEY_ATTR_SCTP]	 = { .len = sizeof(struct ovs_key_sctp) },
	[OVS_KEY_ATTR_ICMP]	 = { .len = sizeof(struct ovs_key_icmp) },
	[OVS_KEY_ATTR_ICMPV6]	 = { .len = sizeof(struct ovs_key_icmpv6) },
	[OVS_KEY_ATTR_ARP]	 = { .len = sizeof(struct ovs_key_arp) },
	[OVS_KEY_ATTR_ND]	 = { .len = sizeof(struct ovs_key_nd) },
	[OVS_KEY_ATTR_RECIRC_ID] = {
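.len = sizeof(u32) },
	[OVS_KEY_ATTR_DP_HASH]	 = { .len = sizeof(u32) },
	[OVS_KEY_ATTR_TUNNEL]	 = { .len = OVS_ATTR_NESTED,
				     .next = ovs_tunnel_key_lens, },
	[OVS_KEY_ATTR_MPLS]	 = { .len = OVS_ATTR_VARIABLE },
	[OVS_KEY_ATTR_CT_STATE]	 = { .len = sizeof(u32) },
	[OVS_KEY_ATTR_CT_ZONE]	 = { .len = sizeof(u16) },
	[OVS_KEY_ATTR_CT_MARK]	 = { .len = sizeof(u32) },
	[OVS_KEY_ATTR_CT_LABELS] = { .len = sizeof(struct ovs_key_ct_labels) },
	[OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4] = {
		.len = sizeof(struct ovs_key_ct_tuple_ipv4) },
	[OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6] = {
		.len = sizeof(struct ovs_key_ct_tuple_ipv6) },
	[OVS_KEY_ATTR_NSH]       = { .len = OVS_ATTR_NESTED,
				     .next = ovs_nsh_key_attr_lens, },
	[OVS_KEY_ATTR_IPV6_EXTHDRS] = {
		.len = sizeof(struct ovs_key_ipv6_exthdrs) },
};

/* Decide whether an attribute's payload length is acceptable.
 *
 * @attr_len:     length carried by the attribute.
 * @expected_len: value from a length table; callers pass the table's int
 *                'len', so the negative sentinels arrive here converted to
 *                unsigned and still compare equal to the macros below.
 *
 * Returns true on an exact match, and also for every length when the table
 * marks the type as nested or variable. For those two kinds this function
 * gives no bound at all; the consumer of the attribute must check the size.
 */
static bool check_attr_len(unsigned int attr_len, unsigned int expected_len)
{
	return expected_len == attr_len ||
	       expected_len == OVS_ATTR_NESTED ||
	       expected_len == OVS_ATTR_VARIABLE;
}

/* Return true when all @size bytes at @fp are zero. A NULL @fp yields false;
 * a zero @size with a non-NULL pointer yields true.
 */
static bool is_all_zero(const u8 *fp, size_t size)
{
	size_t i;	/* same type as @size: no signed/unsigned comparison */

	if (!fp)
		return false;

	for (i = 0; i < size; i++)
		if (fp[i])
			return false;

	return true;
}

/* Walk the attributes nested in @attr, validate each one and index it by type.
 *
 * @attr:   container attribute whose payload is the list to parse.
 * @a:      table indexed by attribute type; receives a pointer to each
 *          accepted attribute. Must have room for OVS_KEY_ATTR_MAX + 1 slots.
 * @attrsp: in/out bitmap of the attribute types seen so far.
 * @log:    passed to OVS_NLERR() for the failure messages.
 * @nz:     when true, an attribute whose payload is all zero is validated
 *          but neither recorded in the bitmap nor stored in @a.
 *
 * Every attribute is rejected with -EINVAL if its type is above
 * OVS_KEY_ATTR_MAX, if the type was already recorded, or if its length does
 * not satisfy ovs_key_lens[]. Trailing bytes that do not form an attribute
 * are rejected as well. *attrsp is written only on success.
 *
 * Returns 0 on success or -EINVAL.
 */
static int __parse_flow_nlattrs(const struct nlattr *attr,
				const struct nlattr *a[],
				u64 *attrsp, bool log, bool nz)
{
	const struct nlattr *nla;
	u64 attrs;
	int rem;

	attrs = *attrsp;
	nla_for_each_nested(nla, attr, rem) {
		u16 type = nla_type(nla);
		int expected_len;

		/* Bound the type before it indexes ovs_key_lens[] and a[]. */
		if (type > OVS_KEY_ATTR_MAX) {
			OVS_NLERR(log, "Key type %d is out of range max %d",
				  type, OVS_KEY_ATTR_MAX);
			return -EINVAL;
		}

		/* The bitmap is 64 bits wide, so the bit has to be built as
		 * a 64-bit value. An int shift (1 << type) is undefined once
		 * type reaches 31, and this file's attribute numbers already
		 * go to at least 30 (see the BUILD_BUG_ON() in
		 * ovs_key_attr_size()). With a wrong bit the duplicate check
		 * below would stop protecting a[type].
		 */
		if (attrs & (1ULL << type)) {
			OVS_NLERR(log, "Duplicate key (type %d).", type);
			return -EINVAL;
		}

		expected_len = ovs_key_lens[type].len;
		if (!check_attr_len(nla_len(nla), expected_len)) {
			OVS_NLERR(log, "Key %d has unexpected len %d expected %d",
				  type, nla_len(nla), expected_len);
			return -EINVAL;
		}

		if (!nz || !is_all_zero(nla_data(nla), nla_len(nla))) {
			attrs |= 1ULL << type;
			a[type] = nla;
		}
	}
	if (rem) {
		OVS_NLERR(log, "Message has %d unknown bytes.", rem);
		return -EINVAL;
	}

	*attrsp = attrs;
	return 0;
}

/* Mask variant of the attribute parser: all-zero attributes are skipped
 * (nz = true), so a mask attribute that matches nothing is not recorded.
 */
static int parse_flow_mask_nlattrs(const struct nlattr *attr,
				   const struct nlattr *a[], u64 *attrsp,
				   bool log)
{
	return __parse_flow_nlattrs(attr, a, attrsp, log, true);
}

/* Key variant of the attribute parser: every valid attribute is recorded,
 * including all-zero ones (nz = false).
 */
int parse_flow_nlattrs(const struct nlattr *attr, const struct nlattr *a[],
		       u64 *attrsp, bool log)
{
	return __parse_flow_nlattrs(attr, a, attrsp, log, false);
}

/* Copy a Geneve options attribute into the tunnel-options area of the key or
 * of the mask.
 *
 * The payload length is supplied by the sender of the netlink message, so it
 * is checked against the size of tun_opts and required to be a multiple of 4
 * before anything is copied. Returns 0 on success or -EINVAL.
 */
static int genev_tun_opt_from_nlattr(const struct nlattr *a,
				     struct sw_flow_match *match, bool is_mask,
				     bool log)
{
	unsigned long opt_key_offset;

	if (nla_len(a) > sizeof(match->key->tun_opts)) {
		OVS_NLERR(log, "Geneve option length err (len %d, max %zu).",
			  nla_len(a), sizeof(match->key->tun_opts));
		return -EINVAL;
	}

	if (nla_len(a) % 4 != 0) {
		OVS_NLERR(log, "Geneve opt len %d is not a multiple of 4.",
			  nla_len(a));
		return -EINVAL;
	}

	/* We need to record the length of the options passed
	 * down, otherwise packets with the same format but
	 * additional options will be silently matched.
	 */
	if (!is_mask) {
		SW_FLOW_KEY_PUT(match, tun_opts_len, nla_len(a),
				false);
	} else {
		/* This is somewhat unusual because it looks at
		 * both the key and mask while parsing the
		 * attributes (and by extension assumes the key
		 * is parsed first). Normally, we would verify
		 * that each is the correct length and that the
		 * attributes line up in the validate function.
		 * However, that is difficult because this is
		 * variable length and we won't have the
		 * information later.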
*/
		/* The mask must describe exactly as many option bytes as the
		 * key recorded; a shorter or longer mask is refused instead
		 * of being padded or truncated.
		 */
		if (match->key->tun_opts_len != nla_len(a)) {
			OVS_NLERR(log, "Geneve option len %d != mask len %d",
				  match->key->tun_opts_len, nla_len(a));
			return -EINVAL;
		}

		SW_FLOW_KEY_PUT(match, tun_opts_len, 0xff, true);
	}

	/* The length was bounded by sizeof(tun_opts) earlier in this function,
	 * before this copy. NOTE(review): TUN_METADATA_OFFSET() is defined
	 * outside this file; it presumably places the options so that they
	 * end at the end of tun_opts - confirm.
	 */
	opt_key_offset = TUN_METADATA_OFFSET(nla_len(a));
	SW_FLOW_KEY_MEMCPY_OFFSET(match, opt_key_offset, nla_data(a),
				  nla_len(a), is_mask);
	return 0;
}

/* Parse the nested VXLAN extension attributes into a struct vxlan_metadata
 * and store it in the tunnel-options area of the key or of the mask.
 *
 * Each nested attribute is range-checked, length-checked against
 * ovs_vxlan_ext_key_lens[] and then dispatched; only OVS_VXLAN_EXT_GBP is
 * accepted. Returns 0 on success or -EINVAL.
 */
static int vxlan_tun_opt_from_nlattr(const struct nlattr *attr,
				     struct sw_flow_match *match, bool is_mask,
				     bool log)
{
	struct nlattr *a;
	int rem;
	unsigned long opt_key_offset;
	struct vxlan_metadata opts;

	/* The copy below uses sizeof(opts), so it is enough to prove at
	 * compile time that the structure fits into tun_opts.
	 */
	BUILD_BUG_ON(sizeof(opts) > sizeof(match->key->tun_opts));

	/* Zero first: opts is copied out whole, including any member or
	 * padding the loop does not set.
	 */
	memset(&opts, 0, sizeof(opts));
	nla_for_each_nested(a, attr, rem) {
		int type = nla_type(a);

		/* Bound the type before it indexes the length table. */
		if (type > OVS_VXLAN_EXT_MAX) {
			OVS_NLERR(log, "VXLAN extension %d out of range max %d",
				  type, OVS_VXLAN_EXT_MAX);
			return -EINVAL;
		}

		if (!check_attr_len(nla_len(a),
				    ovs_vxlan_ext_key_lens[type].len)) {
			OVS_NLERR(log, "VXLAN extension %d has unexpected len %d expected %d",
				  type, nla_len(a),
				  ovs_vxlan_ext_key_lens[type].len);
			return -EINVAL;
		}

		switch (type) {
		case OVS_VXLAN_EXT_GBP:
			opts.gbp = nla_get_u32(a);
			break;
		default:
			OVS_NLERR(log, "Unknown VXLAN extension attribute %d",
				  type);
			return -EINVAL;
		}
	}
	if (rem) {
		OVS_NLERR(log, "VXLAN extension message has %d unknown bytes.",
			  rem);
		return -EINVAL;
	}

	if (!is_mask)
		SW_FLOW_KEY_PUT(match, tun_opts_len, sizeof(opts), false);
	else
		SW_FLOW_KEY_PUT(match, tun_opts_len, 0xff, true);

	opt_key_offset = TUN_METADATA_OFFSET(sizeof(opts));
	SW_FLOW_KEY_MEMCPY_OFFSET(match, opt_key_offset, &opts, sizeof(opts),
				  is_mask);
	return 0;
}

/* Copy an ERSPAN options attribute into the tunnel-options area of the key
 * or of the mask. Returns 0 on success or -EINVAL when the payload is larger
 * than tun_opts.
 *
 * NOTE(review): the key records tun_opts_len as
 * sizeof(struct erspan_metadata), while the number of bytes copied and the
 * offset they are copied to both come from nla_len(a). The attribute is
 * OVS_ATTR_VARIABLE in ovs_tunnel_key_lens[], so the only length check is
 * the upper bound in this function; a payload of a different size than the
 * structure is stored at an offset that does not agree with the recorded
 * length. Confirm whether an exact-length check is intended.
 */
static int erspan_tun_opt_from_nlattr(const struct nlattr *a,
				      struct sw_flow_match *match, bool is_mask,
bool log)
{
	unsigned long opt_key_offset;

	BUILD_BUG_ON(sizeof(struct erspan_metadata) >
		     sizeof(match->key->tun_opts));

	/* Upper bound only: this keeps the memcpy below inside tun_opts but
	 * does not require the payload to be exactly one
	 * struct erspan_metadata.
	 */
	if (nla_len(a) > sizeof(match->key->tun_opts)) {
		OVS_NLERR(log, "ERSPAN option length err (len %d, max %zu).",
			  nla_len(a), sizeof(match->key->tun_opts));
		return -EINVAL;
	}

	if (!is_mask)
		SW_FLOW_KEY_PUT(match, tun_opts_len,
				sizeof(struct erspan_metadata), false);
	else
		SW_FLOW_KEY_PUT(match, tun_opts_len, 0xff, true);

	opt_key_offset = TUN_METADATA_OFFSET(nla_len(a));
	SW_FLOW_KEY_MEMCPY_OFFSET(match, opt_key_offset, nla_data(a),
				  nla_len(a), is_mask);
	return 0;
}

/* Parse the attributes nested in a tunnel key attribute into the tunnel part
 * of the flow key, or of the mask when @is_mask is set.
 *
 * Each nested attribute is range-checked against OVS_TUNNEL_KEY_ATTR_MAX and
 * length-checked against ovs_tunnel_key_lens[] before it is read. At most one
 * options block (Geneve, VXLAN or ERSPAN) is accepted. For a key (not a mask)
 * the function additionally requires an address family, a non-zero
 * destination address and a TTL, unless the IPV4_INFO_BRIDGE attribute is
 * present, in which case every IPv4 field must be zero and no flag other
 * than TUNNEL_KEY may be set.
 *
 * Returns the attribute type of the options block that was parsed (0 when
 * there was none) on success, or a negative errno. Fields may already have
 * been written to @match when an error is returned.
 */
static int ip_tun_from_nlattr(const struct nlattr *attr,
			      struct sw_flow_match *match, bool is_mask,
			      bool log)
{
	bool ttl = false, ipv4 = false, ipv6 = false;
	bool info_bridge_mode = false;
	__be16 tun_flags = 0;
	int opts_type = 0;
	struct nlattr *a;
	int rem;

	nla_for_each_nested(a, attr, rem) {
		int type = nla_type(a);
		int err;

		/* Bound the type before it indexes ovs_tunnel_key_lens[]. */
		if (type > OVS_TUNNEL_KEY_ATTR_MAX) {
			OVS_NLERR(log, "Tunnel attr %d out of range max %d",
				  type, OVS_TUNNEL_KEY_ATTR_MAX);
			return -EINVAL;
		}

		/* Fixed-size attributes are length-checked here, which is
		 * what makes the nla_get_*() reads in the switch safe. The
		 * variable and nested option attributes are bounded by their
		 * own helpers instead.
		 */
		if (!check_attr_len(nla_len(a),
				    ovs_tunnel_key_lens[type].len)) {
			OVS_NLERR(log, "Tunnel attr %d has unexpected len %d expected %d",
				  type, nla_len(a), ovs_tunnel_key_lens[type].len);
			return -EINVAL;
		}

		switch (type) {
		case OVS_TUNNEL_KEY_ATTR_ID:
			SW_FLOW_KEY_PUT(match, tun_key.tun_id,
					nla_get_be64(a), is_mask);
			tun_flags |= TUNNEL_KEY;
			break;
		case OVS_TUNNEL_KEY_ATTR_IPV4_SRC:
			SW_FLOW_KEY_PUT(match, tun_key.u.ipv4.src,
					nla_get_in_addr(a), is_mask);
			ipv4 = true;
			break;
		case OVS_TUNNEL_KEY_ATTR_IPV4_DST:
			SW_FLOW_KEY_PUT(match, tun_key.u.ipv4.dst,
					nla_get_in_addr(a), is_mask);
			ipv4 = true;
			break;
		case OVS_TUNNEL_KEY_ATTR_IPV6_SRC:
			SW_FLOW_KEY_PUT(match, tun_key.u.ipv6.src,
					nla_get_in6_addr(a), is_mask);
			ipv6 = true;
			break;
		case OVS_TUNNEL_KEY_ATTR_IPV6_DST:
			SW_FLOW_KEY_PUT(match, tun_key.u.ipv6.dst,
					nla_get_in6_addr(a), is_mask);
			ipv6 = true;
			break;
		case OVS_TUNNEL_KEY_ATTR_TOS:
			SW_FLOW_KEY_PUT(match, tun_key.tos,
					nla_get_u8(a), is_mask);
			break;
		case OVS_TUNNEL_KEY_ATTR_TTL:
			SW_FLOW_KEY_PUT(match, tun_key.ttl,
					nla_get_u8(a), is_mask);
			ttl = true;
			break;
		case OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT:
			tun_flags |= TUNNEL_DONT_FRAGMENT;
			break;
		case OVS_TUNNEL_KEY_ATTR_CSUM:
			tun_flags |= TUNNEL_CSUM;
			break;
		case OVS_TUNNEL_KEY_ATTR_TP_SRC:
			SW_FLOW_KEY_PUT(match, tun_key.tp_src,
					nla_get_be16(a), is_mask);
			break;
		case OVS_TUNNEL_KEY_ATTR_TP_DST:
			SW_FLOW_KEY_PUT(match, tun_key.tp_dst,
					nla_get_be16(a), is_mask);
			break;
		case OVS_TUNNEL_KEY_ATTR_OAM:
			tun_flags |= TUNNEL_OAM;
			break;
		case OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS:
			/* The three option kinds share the tun_opts area, so
			 * a second options block of any kind is refused.
			 */
			if (opts_type) {
				OVS_NLERR(log, "Multiple metadata blocks provided");
				return -EINVAL;
			}

			err = genev_tun_opt_from_nlattr(a, match, is_mask, log);
			if (err)
				return err;

			tun_flags |= TUNNEL_GENEVE_OPT;
			opts_type = type;
			break;
		case OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS:
			if (opts_type) {
				OVS_NLERR(log, "Multiple metadata blocks provided");
				return -EINVAL;
			}

			err = vxlan_tun_opt_from_nlattr(a, match, is_mask, log);
			if (err)
				return err;

			tun_flags |= TUNNEL_VXLAN_OPT;
			opts_type = type;
			break;
		case OVS_TUNNEL_KEY_ATTR_PAD:
			/* Accepted and ignored. */
			break;
		case OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS:
			if (opts_type) {
				OVS_NLERR(log, "Multiple metadata blocks provided");
				return -EINVAL;
			}

			err = erspan_tun_opt_from_nlattr(a, match, is_mask,
							 log);
			if (err)
				return err;

			tun_flags |= TUNNEL_ERSPAN_OPT;
			opts_type = type;
			break;
		case OVS_TUNNEL_KEY_ATTR_IPV4_INFO_BRIDGE:
			info_bridge_mode = true;
			ipv4 = true;
			break;
		default:
			OVS_NLERR(log, "Unknown IP tunnel attribute %d",
				  type);
			return -EINVAL;
		}
	}

	SW_FLOW_KEY_PUT(match, tun_key.tun_flags, tun_flags, is_mask);
	if (is_mask)
		SW_FLOW_KEY_MEMSET_FIELD(match, tun_proto, 0xff, true);
	else
		SW_FLOW_KEY_PUT(match, tun_proto, ipv6 ? AF_INET6 : AF_INET,
				false);

	if (rem > 0) {
		OVS_NLERR(log, "IP tunnel attribute has %d unknown bytes.",
			  rem);
		return -EINVAL;
	}

	if (ipv4 && ipv6) {
		OVS_NLERR(log, "Mixed IPv4 and IPv6 tunnel attributes");
		return -EINVAL;
	}

	/* The remaining checks apply to keys only; a mask may leave any of
	 * these fields out.
	 */
	if (!is_mask) {
		if (!ipv4 && !ipv6) {
			OVS_NLERR(log, "IP tunnel dst address not specified");
			return -EINVAL;
		}
		if (ipv4) {
			if (info_bridge_mode) {
				if (match->key->tun_key.u.ipv4.src ||
				    match->key->tun_key.u.ipv4.dst ||
				    match->key->tun_key.tp_src ||
				    match->key->tun_key.tp_dst ||
				    match->key->tun_key.ttl ||
				    match->key->tun_key.tos ||
				    tun_flags & ~TUNNEL_KEY) {
					OVS_NLERR(log, "IPv4 tun info is not correct");
					return -EINVAL;
				}
			} else if (!match->key->tun_key.u.ipv4.dst) {
				OVS_NLERR(log, "IPv4 tunnel dst address is zero");
				return -EINVAL;
			}
		}
		if (ipv6 && ipv6_addr_any(&match->key->tun_key.u.ipv6.dst)) {
			OVS_NLERR(log, "IPv6 tunnel dst address is zero");
			return -EINVAL;
		}

		if (!ttl && !info_bridge_mode) {
			OVS_NLERR(log, "IP tunnel TTL not specified.");
			return -EINVAL;
		}
	}

	return opts_type;
}

/* Emit VXLAN metadata as a nested OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS attribute
 * holding a single OVS_VXLAN_EXT_GBP value.
 *
 * @tun_opts is read as a struct vxlan_metadata; @swkey_tun_opts_len is not
 * used by the body. Returns 0 on success or -EMSGSIZE. On the -EMSGSIZE path
 * after the nest was opened, the nest is left open in @skb - presumably the
 * caller discards or trims the message; verify against the callers.
 */
static int vxlan_opt_to_nlattr(struct sk_buff *skb,
			       const void *tun_opts, int swkey_tun_opts_len)
{
	const struct vxlan_metadata *opts = tun_opts;
	struct nlattr *nla;

	nla = nla_nest_start_noflag(skb, OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS);
	if (!nla)
		return -EMSGSIZE;

	if (nla_put_u32(skb, OVS_VXLAN_EXT_GBP, opts->gbp) < 0)
		return -EMSGSIZE;

	nla_nest_end(skb, nla);
return 0;
}

/* Serialise a tunnel key into OVS_TUNNEL_KEY_ATTR_* attributes appended to
 * @skb, without opening a container attribute around them.
 *
 * @output:             tunnel key to dump.
 * @tun_opts:           tunnel options bytes; read only when
 *                      @swkey_tun_opts_len is non-zero.
 * @swkey_tun_opts_len: number of option bytes.
 * @tun_proto:          AF_INET or AF_INET6; any other value emits no
 *                      address attributes.
 * @mode:               when IP_TUNNEL_INFO_BRIDGE is set, only the tunnel id
 *                      (if flagged) and the IPV4_INFO_BRIDGE flag are emitted.
 *
 * Zero-valued addresses, TOS and ports are omitted; TTL is always emitted.
 * Returns 0 on success or -EMSGSIZE when an attribute does not fit.
 */
static int __ip_tun_to_nlattr(struct sk_buff *skb,
			      const struct ip_tunnel_key *output,
			      const void *tun_opts, int swkey_tun_opts_len,
			      unsigned short tun_proto, u8 mode)
{
	if (output->tun_flags & TUNNEL_KEY &&
	    nla_put_be64(skb, OVS_TUNNEL_KEY_ATTR_ID, output->tun_id,
			 OVS_TUNNEL_KEY_ATTR_PAD))
		return -EMSGSIZE;

	if (mode & IP_TUNNEL_INFO_BRIDGE)
		return nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_IPV4_INFO_BRIDGE)
		       ? -EMSGSIZE : 0;

	switch (tun_proto) {
	case AF_INET:
		if (output->u.ipv4.src &&
		    nla_put_in_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV4_SRC,
				    output->u.ipv4.src))
			return -EMSGSIZE;
		if (output->u.ipv4.dst &&
		    nla_put_in_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV4_DST,
				    output->u.ipv4.dst))
			return -EMSGSIZE;
		break;
	case AF_INET6:
		if (!ipv6_addr_any(&output->u.ipv6.src) &&
		    nla_put_in6_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV6_SRC,
				     &output->u.ipv6.src))
			return -EMSGSIZE;
		if (!ipv6_addr_any(&output->u.ipv6.dst) &&
		    nla_put_in6_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV6_DST,
				     &output->u.ipv6.dst))
			return -EMSGSIZE;
		break;
	}
	if (output->tos &&
	    nla_put_u8(skb, OVS_TUNNEL_KEY_ATTR_TOS, output->tos))
		return -EMSGSIZE;
	if (nla_put_u8(skb, OVS_TUNNEL_KEY_ATTR_TTL, output->ttl))
		return -EMSGSIZE;
	if ((output->tun_flags & TUNNEL_DONT_FRAGMENT) &&
	    nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT))
		return -EMSGSIZE;
	if ((output->tun_flags & TUNNEL_CSUM) &&
	    nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_CSUM))
		return -EMSGSIZE;
	if (output->tp_src &&
	    nla_put_be16(skb, OVS_TUNNEL_KEY_ATTR_TP_SRC, output->tp_src))
		return -EMSGSIZE;
	if (output->tp_dst &&
	    nla_put_be16(skb, OVS_TUNNEL_KEY_ATTR_TP_DST, output->tp_dst))
		return -EMSGSIZE;
	if ((output->tun_flags & TUNNEL_OAM) &&
	    nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_OAM))
		return -EMSGSIZE;
	if (swkey_tun_opts_len) {
		/* Each branch is "flag set AND the put failed". A flag whose
		 * put succeeded makes its condition false, so control falls
		 * through to the next 'else if'; the chain therefore emits
		 * every option kind whose flag is set, not just the first.
		 */
		if (output->tun_flags & TUNNEL_GENEVE_OPT &&
		    nla_put(skb, OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS,
			    swkey_tun_opts_len, tun_opts))
			return -EMSGSIZE;
		else if (output->tun_flags & TUNNEL_VXLAN_OPT &&
			 vxlan_opt_to_nlattr(skb, tun_opts, swkey_tun_opts_len))
			return -EMSGSIZE;
		else if (output->tun_flags & TUNNEL_ERSPAN_OPT &&
			 nla_put(skb, OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS,
				 swkey_tun_opts_len, tun_opts))
			return -EMSGSIZE;
	}

	return 0;
}

/* Serialise a tunnel key as one nested OVS_KEY_ATTR_TUNNEL attribute.
 *
 * Returns 0 on success, -EMSGSIZE when the nest cannot be opened, or the
 * error from __ip_tun_to_nlattr(). On that last path the nest is returned
 * still open - presumably the caller discards or trims @skb; verify against
 * the callers.
 */
static int ip_tun_to_nlattr(struct sk_buff *skb,
			    const struct ip_tunnel_key *output,
			    const void *tun_opts, int swkey_tun_opts_len,
			    unsigned short tun_proto, u8 mode)
{
	struct nlattr *nla;
	int err;

	nla = nla_nest_start_noflag(skb, OVS_KEY_ATTR_TUNNEL);
	if (!nla)
		return -EMSGSIZE;

	err = __ip_tun_to_nlattr(skb, output, tun_opts, swkey_tun_opts_len,
				 tun_proto, mode);
	if (err)
		return err;

	nla_nest_end(skb, nla);
	return 0;
}

/* Dump the key, options, address family and mode of @tun_info as tunnel key
 * attributes appended directly to @skb (no container attribute). Returns 0 on
 * success or -EMSGSIZE.
 */
int ovs_nla_put_tunnel_info(struct sk_buff *skb,
			    struct ip_tunnel_info *tun_info)
{
	return __ip_tun_to_nlattr(skb, &tun_info->key,
				  ip_tunnel_info_opts(tun_info),
				  tun_info->options_len,
				  ip_tunnel_info_af(tun_info), tun_info->mode);
}

/* Store the VLAN TCI and TPID found in @a into the key or the mask.
 *
 * The outer VLAN fields (eth.vlan) are written when @inner is false, the
 * inner ones (eth.cvlan) otherwise. A missing attribute is stored as 0.
 * Always returns 0.
 */
static int encode_vlan_from_nlattrs(struct sw_flow_match *match,
				    const struct nlattr *a[],
				    bool is_mask, bool inner)
{
	__be16 tci = 0;
	__be16 tpid = 0;

	if (a[OVS_KEY_ATTR_VLAN])
		tci = nla_get_be16(a[OVS_KEY_ATTR_VLAN]);

	if (a[OVS_KEY_ATTR_ETHERTYPE])
		tpid = nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE]);

	if (likely(!inner)) {
		SW_FLOW_KEY_PUT(match, eth.vlan.tpid, tpid, is_mask);
		SW_FLOW_KEY_PUT(match, eth.vlan.tci, tci, is_mask);
	} else {
		SW_FLOW_KEY_PUT(match, eth.cvlan.tpid, tpid, is_mask);
		SW_FLOW_KEY_PUT(match, eth.cvlan.tci, tci, is_mask);
	}
	return 0;
}

/* Decide whether the key attributes describe a VLAN (or, with @inner, a
 * C-VLAN) frame and, if they do, whether the description is well formed.
 *
 * Returns 0 when the attributes do not describe a VLAN frame, 1 when they
 * describe a valid one, and -EINVAL when a VLAN EtherType is present but the
 * VLAN / ENCAP attributes are missing or inconsistent.
 */
static int validate_vlan_from_nlattrs(const struct sw_flow_match *match,
				      u64 key_attrs, bool inner,
const struct nlattr **a, bool log) 991 { 992 __be16 tci = 0; 993 994 if (!((key_attrs & (1 << OVS_KEY_ATTR_ETHERNET)) && 995 (key_attrs & (1 << OVS_KEY_ATTR_ETHERTYPE)) && 996 eth_type_vlan(nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE])))) { 997 /* Not a VLAN. */ 998 return 0; 999 } 1000 1001 if (!((key_attrs & (1 << OVS_KEY_ATTR_VLAN)) && 1002 (key_attrs & (1 << OVS_KEY_ATTR_ENCAP)))) { 1003 OVS_NLERR(log, "Invalid %s frame", (inner) ? "C-VLAN" : "VLAN"); 1004 return -EINVAL; 1005 } 1006 1007 if (a[OVS_KEY_ATTR_VLAN]) 1008 tci = nla_get_be16(a[OVS_KEY_ATTR_VLAN]); 1009 1010 if (!(tci & htons(VLAN_CFI_MASK))) { 1011 if (tci) { 1012 OVS_NLERR(log, "%s TCI does not have VLAN_CFI_MASK bit set.", 1013 (inner) ? "C-VLAN" : "VLAN"); 1014 return -EINVAL; 1015 } else if (nla_len(a[OVS_KEY_ATTR_ENCAP])) { 1016 /* Corner case for truncated VLAN header. */ 1017 OVS_NLERR(log, "Truncated %s header has non-zero encap attribute.", 1018 (inner) ? "C-VLAN" : "VLAN"); 1019 return -EINVAL; 1020 } 1021 } 1022 1023 return 1; 1024 } 1025 1026 static int validate_vlan_mask_from_nlattrs(const struct sw_flow_match *match, 1027 u64 key_attrs, bool inner, 1028 const struct nlattr **a, bool log) 1029 { 1030 __be16 tci = 0; 1031 __be16 tpid = 0; 1032 bool encap_valid = !!(match->key->eth.vlan.tci & 1033 htons(VLAN_CFI_MASK)); 1034 bool i_encap_valid = !!(match->key->eth.cvlan.tci & 1035 htons(VLAN_CFI_MASK)); 1036 1037 if (!(key_attrs & (1 << OVS_KEY_ATTR_ENCAP))) { 1038 /* Not a VLAN. */ 1039 return 0; 1040 } 1041 1042 if ((!inner && !encap_valid) || (inner && !i_encap_valid)) { 1043 OVS_NLERR(log, "Encap mask attribute is set for non-%s frame.", 1044 (inner) ? 
"C-VLAN" : "VLAN"); 1045 return -EINVAL; 1046 } 1047 1048 if (a[OVS_KEY_ATTR_VLAN]) 1049 tci = nla_get_be16(a[OVS_KEY_ATTR_VLAN]); 1050 1051 if (a[OVS_KEY_ATTR_ETHERTYPE]) 1052 tpid = nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE]); 1053 1054 if (tpid != htons(0xffff)) { 1055 OVS_NLERR(log, "Must have an exact match on %s TPID (mask=%x).", 1056 (inner) ? "C-VLAN" : "VLAN", ntohs(tpid)); 1057 return -EINVAL; 1058 } 1059 if (!(tci & htons(VLAN_CFI_MASK))) { 1060 OVS_NLERR(log, "%s TCI mask does not have exact match for VLAN_CFI_MASK bit.", 1061 (inner) ? "C-VLAN" : "VLAN"); 1062 return -EINVAL; 1063 } 1064 1065 return 1; 1066 } 1067 1068 static int __parse_vlan_from_nlattrs(struct sw_flow_match *match, 1069 u64 *key_attrs, bool inner, 1070 const struct nlattr **a, bool is_mask, 1071 bool log) 1072 { 1073 int err; 1074 const struct nlattr *encap; 1075 1076 if (!is_mask) 1077 err = validate_vlan_from_nlattrs(match, *key_attrs, inner, 1078 a, log); 1079 else 1080 err = validate_vlan_mask_from_nlattrs(match, *key_attrs, inner, 1081 a, log); 1082 if (err <= 0) 1083 return err; 1084 1085 err = encode_vlan_from_nlattrs(match, a, is_mask, inner); 1086 if (err) 1087 return err; 1088 1089 *key_attrs &= ~(1 << OVS_KEY_ATTR_ENCAP); 1090 *key_attrs &= ~(1 << OVS_KEY_ATTR_VLAN); 1091 *key_attrs &= ~(1 << OVS_KEY_ATTR_ETHERTYPE); 1092 1093 encap = a[OVS_KEY_ATTR_ENCAP]; 1094 1095 if (!is_mask) 1096 err = parse_flow_nlattrs(encap, a, key_attrs, log); 1097 else 1098 err = parse_flow_mask_nlattrs(encap, a, key_attrs, log); 1099 1100 return err; 1101 } 1102 1103 static int parse_vlan_from_nlattrs(struct sw_flow_match *match, 1104 u64 *key_attrs, const struct nlattr **a, 1105 bool is_mask, bool log) 1106 { 1107 int err; 1108 bool encap_valid = false; 1109 1110 err = __parse_vlan_from_nlattrs(match, key_attrs, false, a, 1111 is_mask, log); 1112 if (err) 1113 return err; 1114 1115 encap_valid = !!(match->key->eth.vlan.tci & htons(VLAN_CFI_MASK)); 1116 if (encap_valid) { 1117 err = 
__parse_vlan_from_nlattrs(match, key_attrs, true, a, 1118 is_mask, log); 1119 if (err) 1120 return err; 1121 } 1122 1123 return 0; 1124 } 1125 1126 static int parse_eth_type_from_nlattrs(struct sw_flow_match *match, 1127 u64 *attrs, const struct nlattr **a, 1128 bool is_mask, bool log) 1129 { 1130 __be16 eth_type; 1131 1132 eth_type = nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE]); 1133 if (is_mask) { 1134 /* Always exact match EtherType. */ 1135 eth_type = htons(0xffff); 1136 } else if (!eth_proto_is_802_3(eth_type)) { 1137 OVS_NLERR(log, "EtherType %x is less than min %x", 1138 ntohs(eth_type), ETH_P_802_3_MIN); 1139 return -EINVAL; 1140 } 1141 1142 SW_FLOW_KEY_PUT(match, eth.type, eth_type, is_mask); 1143 *attrs &= ~(1 << OVS_KEY_ATTR_ETHERTYPE); 1144 return 0; 1145 } 1146 1147 static int metadata_from_nlattrs(struct net *net, struct sw_flow_match *match, 1148 u64 *attrs, const struct nlattr **a, 1149 bool is_mask, bool log) 1150 { 1151 u8 mac_proto = MAC_PROTO_ETHERNET; 1152 1153 if (*attrs & (1 << OVS_KEY_ATTR_DP_HASH)) { 1154 u32 hash_val = nla_get_u32(a[OVS_KEY_ATTR_DP_HASH]); 1155 1156 SW_FLOW_KEY_PUT(match, ovs_flow_hash, hash_val, is_mask); 1157 *attrs &= ~(1 << OVS_KEY_ATTR_DP_HASH); 1158 } 1159 1160 if (*attrs & (1 << OVS_KEY_ATTR_RECIRC_ID)) { 1161 u32 recirc_id = nla_get_u32(a[OVS_KEY_ATTR_RECIRC_ID]); 1162 1163 SW_FLOW_KEY_PUT(match, recirc_id, recirc_id, is_mask); 1164 *attrs &= ~(1 << OVS_KEY_ATTR_RECIRC_ID); 1165 } 1166 1167 if (*attrs & (1 << OVS_KEY_ATTR_PRIORITY)) { 1168 SW_FLOW_KEY_PUT(match, phy.priority, 1169 nla_get_u32(a[OVS_KEY_ATTR_PRIORITY]), is_mask); 1170 *attrs &= ~(1 << OVS_KEY_ATTR_PRIORITY); 1171 } 1172 1173 if (*attrs & (1 << OVS_KEY_ATTR_IN_PORT)) { 1174 u32 in_port = nla_get_u32(a[OVS_KEY_ATTR_IN_PORT]); 1175 1176 if (is_mask) { 1177 in_port = 0xffffffff; /* Always exact match in_port. 
*/ 1178 } else if (in_port >= DP_MAX_PORTS) { 1179 OVS_NLERR(log, "Port %d exceeds max allowable %d", 1180 in_port, DP_MAX_PORTS); 1181 return -EINVAL; 1182 } 1183 1184 SW_FLOW_KEY_PUT(match, phy.in_port, in_port, is_mask); 1185 *attrs &= ~(1 << OVS_KEY_ATTR_IN_PORT); 1186 } else if (!is_mask) { 1187 SW_FLOW_KEY_PUT(match, phy.in_port, DP_MAX_PORTS, is_mask); 1188 } 1189 1190 if (*attrs & (1 << OVS_KEY_ATTR_SKB_MARK)) { 1191 uint32_t mark = nla_get_u32(a[OVS_KEY_ATTR_SKB_MARK]); 1192 1193 SW_FLOW_KEY_PUT(match, phy.skb_mark, mark, is_mask); 1194 *attrs &= ~(1 << OVS_KEY_ATTR_SKB_MARK); 1195 } 1196 if (*attrs & (1 << OVS_KEY_ATTR_TUNNEL)) { 1197 if (ip_tun_from_nlattr(a[OVS_KEY_ATTR_TUNNEL], match, 1198 is_mask, log) < 0) 1199 return -EINVAL; 1200 *attrs &= ~(1 << OVS_KEY_ATTR_TUNNEL); 1201 } 1202 1203 if (*attrs & (1 << OVS_KEY_ATTR_CT_STATE) && 1204 ovs_ct_verify(net, OVS_KEY_ATTR_CT_STATE)) { 1205 u32 ct_state = nla_get_u32(a[OVS_KEY_ATTR_CT_STATE]); 1206 1207 if (ct_state & ~CT_SUPPORTED_MASK) { 1208 OVS_NLERR(log, "ct_state flags %08x unsupported", 1209 ct_state); 1210 return -EINVAL; 1211 } 1212 1213 SW_FLOW_KEY_PUT(match, ct_state, ct_state, is_mask); 1214 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_STATE); 1215 } 1216 if (*attrs & (1 << OVS_KEY_ATTR_CT_ZONE) && 1217 ovs_ct_verify(net, OVS_KEY_ATTR_CT_ZONE)) { 1218 u16 ct_zone = nla_get_u16(a[OVS_KEY_ATTR_CT_ZONE]); 1219 1220 SW_FLOW_KEY_PUT(match, ct_zone, ct_zone, is_mask); 1221 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_ZONE); 1222 } 1223 if (*attrs & (1 << OVS_KEY_ATTR_CT_MARK) && 1224 ovs_ct_verify(net, OVS_KEY_ATTR_CT_MARK)) { 1225 u32 mark = nla_get_u32(a[OVS_KEY_ATTR_CT_MARK]); 1226 1227 SW_FLOW_KEY_PUT(match, ct.mark, mark, is_mask); 1228 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_MARK); 1229 } 1230 if (*attrs & (1 << OVS_KEY_ATTR_CT_LABELS) && 1231 ovs_ct_verify(net, OVS_KEY_ATTR_CT_LABELS)) { 1232 const struct ovs_key_ct_labels *cl; 1233 1234 cl = nla_data(a[OVS_KEY_ATTR_CT_LABELS]); 1235 SW_FLOW_KEY_MEMCPY(match, 
ct.labels, cl->ct_labels, 1236 sizeof(*cl), is_mask); 1237 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_LABELS); 1238 } 1239 if (*attrs & (1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4)) { 1240 const struct ovs_key_ct_tuple_ipv4 *ct; 1241 1242 ct = nla_data(a[OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4]); 1243 1244 SW_FLOW_KEY_PUT(match, ipv4.ct_orig.src, ct->ipv4_src, is_mask); 1245 SW_FLOW_KEY_PUT(match, ipv4.ct_orig.dst, ct->ipv4_dst, is_mask); 1246 SW_FLOW_KEY_PUT(match, ct.orig_tp.src, ct->src_port, is_mask); 1247 SW_FLOW_KEY_PUT(match, ct.orig_tp.dst, ct->dst_port, is_mask); 1248 SW_FLOW_KEY_PUT(match, ct_orig_proto, ct->ipv4_proto, is_mask); 1249 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4); 1250 } 1251 if (*attrs & (1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6)) { 1252 const struct ovs_key_ct_tuple_ipv6 *ct; 1253 1254 ct = nla_data(a[OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6]); 1255 1256 SW_FLOW_KEY_MEMCPY(match, ipv6.ct_orig.src, &ct->ipv6_src, 1257 sizeof(match->key->ipv6.ct_orig.src), 1258 is_mask); 1259 SW_FLOW_KEY_MEMCPY(match, ipv6.ct_orig.dst, &ct->ipv6_dst, 1260 sizeof(match->key->ipv6.ct_orig.dst), 1261 is_mask); 1262 SW_FLOW_KEY_PUT(match, ct.orig_tp.src, ct->src_port, is_mask); 1263 SW_FLOW_KEY_PUT(match, ct.orig_tp.dst, ct->dst_port, is_mask); 1264 SW_FLOW_KEY_PUT(match, ct_orig_proto, ct->ipv6_proto, is_mask); 1265 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6); 1266 } 1267 1268 /* For layer 3 packets the Ethernet type is provided 1269 * and treated as metadata but no MAC addresses are provided. 1270 */ 1271 if (!(*attrs & (1ULL << OVS_KEY_ATTR_ETHERNET)) && 1272 (*attrs & (1ULL << OVS_KEY_ATTR_ETHERTYPE))) 1273 mac_proto = MAC_PROTO_NONE; 1274 1275 /* Always exact match mac_proto */ 1276 SW_FLOW_KEY_PUT(match, mac_proto, is_mask ? 
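0xff : mac_proto, is_mask);

	if (mac_proto == MAC_PROTO_NONE)
		return parse_eth_type_from_nlattrs(match, attrs, a, is_mask,
						   log);

	return 0;
}

/**
 * nsh_hdr_from_nlattr - build an NSH header from nested OVS_NSH_KEY_ATTR_*.
 * @attr: nested attribute holding the NSH key attributes.
 * @nh: header to fill in.
 * @size: number of bytes available at @nh.
 *
 * The original author's note says validate_nsh() has already checked the
 * attribute stream, so only the destination size is enforced here.
 *
 * Return: 0 on success, -ENOBUFS when @size cannot hold the base header or
 * the metadata, -EINVAL on an attribute type this function does not handle.
 */
int nsh_hdr_from_nlattr(const struct nlattr *attr,
			struct nshhdr *nh, size_t size)
{
	struct nlattr *a;
	int rem;
	u8 flags = 0;
	u8 ttl = 0;
	int mdlen = 0;

	/* Must hold before the "size - NSH_BASE_HDR_LEN" subtractions below,
	 * otherwise the unsigned result would wrap.
	 */
	if (size < NSH_BASE_HDR_LEN)
		return -ENOBUFS;

	nla_for_each_nested(a, attr, rem) {
		int type = nla_type(a);

		switch (type) {
		case OVS_NSH_KEY_ATTR_BASE: {
			const struct ovs_nsh_key_base *base = nla_data(a);

			/* flags and ttl are packed into the header word
			 * after the loop.
			 */
			flags = base->flags;
			ttl = base->ttl;
			nh->np = base->np;
			nh->mdtype = base->mdtype;
			nh->path_hdr = base->path_hdr;
			break;
		}
		case OVS_NSH_KEY_ATTR_MD1:
			mdlen = nla_len(a);
			/* mdlen is int and size is size_t, so this compare is
			 * unsigned: a negative mdlen would convert to a huge
			 * value and be rejected as well.
			 */
			if (mdlen > size - NSH_BASE_HDR_LEN)
				return -ENOBUFS;
			memcpy(&nh->md1, nla_data(a), mdlen);
			break;

		case OVS_NSH_KEY_ATTR_MD2:
			mdlen = nla_len(a);
			/* Same bound as MD1: metadata must fit behind the
			 * base header inside the caller's buffer.
			 */
			if (mdlen > size - NSH_BASE_HDR_LEN)
				return -ENOBUFS;
			memcpy(&nh->md2, nla_data(a), mdlen);
			break;

		default:
			return -EINVAL;
		}
	}

	/* nsh header length  = NSH_BASE_HDR_LEN + mdlen.
	 * NOTE(review): mdlen is that of the last metadata attribute seen;
	 * this presumably relies on MD1 and MD2 having been rejected as a
	 * pair during validation - confirm against the caller.
	 */
	nh->ver_flags_ttl_len = 0;
	nsh_set_flags_ttl_len(nh, flags, ttl, NSH_BASE_HDR_LEN + mdlen);

	return 0;
}

/**
 * nsh_key_from_nlattr - extract an NSH key and its mask.
 * @attr: nested attribute holding OVS_NSH_KEY_ATTR_* attributes.
 * @nsh: receives the key.
 * @nsh_mask: receives the mask.
 *
 * Each attribute payload is read as two back-to-back structures: the key
 * followed immediately by the mask ("base + 1", "md1 + 1").
 *
 * NOTE(review): nothing in this function checks nla_len() before reading
 * the second structure. The original note says validate_nsh() has already
 * checked the stream; every caller must keep that ordering, otherwise the
 * mask read runs past the attribute payload.
 *
 * Return: 0 on success, -ENOTSUPP for MD type 2, -EINVAL for any other
 * attribute type.
 */
int nsh_key_from_nlattr(const struct nlattr *attr,
			struct ovs_key_nsh *nsh, struct ovs_key_nsh *nsh_mask)
{
	struct nlattr *a;
	int rem;

	nla_for_each_nested(a, attr, rem) {
		int type = nla_type(a);

		switch (type) {
		case OVS_NSH_KEY_ATTR_BASE: {
			const struct ovs_nsh_key_base *base = nla_data(a);
			const struct ovs_nsh_key_base *base_mask = base + 1;

			nsh->base = *base;
			nsh_mask->base = *base_mask;
			break;
		}
		case OVS_NSH_KEY_ATTR_MD1: {
			const struct ovs_nsh_key_md1 *md1 = nla_data(a);
			const struct ovs_nsh_key_md1 *md1_mask = md1 + 1;

			memcpy(nsh->context, md1->context, sizeof(*md1));
			memcpy(nsh_mask->context, md1_mask->context,
			       sizeof(*md1_mask));
			break;
		}
		case OVS_NSH_KEY_ATTR_MD2:
			/* Not supported yet */
			return -ENOTSUPP;
		default:
			return -EINVAL;
		}
	}

	return 0;
}

/*
 * Validate nested OVS_NSH_KEY_ATTR_* attributes and store the base header
 * and MD1 context into the flow key, or into the mask when @is_mask is set.
 *
 * @attr:        nested attribute holding the NSH key attributes.
 * @match:       flow match being filled in.
 * @is_mask:     write to the mask instead of the key; must not be combined
 *               with @is_push_nsh.
 * @is_push_nsh: the attributes describe a push_nsh action; only then is MD
 *               type 2 accepted, and base plus one metadata attribute become
 *               mandatory.
 * @log:         allow error logging. Every message in this function honours
 *               it, so a probing caller that passes false stays silent.
 *
 * Returns 0 on success, -ENOTSUPP for MD type 2 outside push_nsh, -EINVAL
 * for every other rejected input.
 */
static int nsh_key_put_from_nlattr(const struct nlattr *attr,
				   struct sw_flow_match *match, bool is_mask,
				   bool is_push_nsh, bool log)
{
	struct nlattr *a;
	int rem;
	bool has_base = false;
	bool has_md1 = false;
	bool has_md2 = false;
	u8 mdtype = 0;
	int mdlen = 0;

	if (WARN_ON(is_push_nsh && is_mask))
		return -EINVAL;

	nla_for_each_nested(a, attr, rem) {
		int type = nla_type(a);
		int i;

		/* Bound the type before it indexes ovs_nsh_key_attr_lens[]. */
		if (type > OVS_NSH_KEY_ATTR_MAX) {
			OVS_NLERR(log, "nsh attr %d is out of range max %d",
				  type, OVS_NSH_KEY_ATTR_MAX);
			return -EINVAL;
		}

		/* Length must match the table before the payload is cast to
		 * a fixed-size structure below.
		 */
		if (!check_attr_len(nla_len(a),
				    ovs_nsh_key_attr_lens[type].len)) {
			OVS_NLERR(log,
				  "nsh attr %d has unexpected len %d expected %d",
				  type, nla_len(a),
				  ovs_nsh_key_attr_lens[type].len);
			return -EINVAL;
		}

		switch (type) {
		case OVS_NSH_KEY_ATTR_BASE: {
			const struct ovs_nsh_key_base *base = nla_data(a);

			has_base = true;
			/* Remembered for the MD-type consistency check. */
			mdtype = base->mdtype;
			SW_FLOW_KEY_PUT(match, nsh.base.flags,
					base->flags, is_mask);
			SW_FLOW_KEY_PUT(match, nsh.base.ttl,
					base->ttl, is_mask);
			SW_FLOW_KEY_PUT(match, nsh.base.mdtype,
					base->mdtype, is_mask);
			SW_FLOW_KEY_PUT(match, nsh.base.np,
					base->np, is_mask);
			SW_FLOW_KEY_PUT(match, nsh.base.path_hdr,
					base->path_hdr, is_mask);
			break;
		}
		case OVS_NSH_KEY_ATTR_MD1: {
			const struct ovs_nsh_key_md1 *md1 = nla_data(a);

			has_md1 = true;
			for (i = 0; i < NSH_MD1_CONTEXT_SIZE; i++)
				SW_FLOW_KEY_PUT(match, nsh.context[i],
						md1->context[i], is_mask);
			break;
		}
		case OVS_NSH_KEY_ATTR_MD2:
			if (!is_push_nsh) /* Not supported MD type 2 yet */
				return -ENOTSUPP;

			has_md2 = true;
			mdlen = nla_len(a);
			/* Variable-length metadata: only the length is
			 * checked here, nothing is copied into the key.
			 */
			if (mdlen > NSH_CTX_HDRS_MAX_LEN || mdlen <= 0) {
				OVS_NLERR(log,
					  "Invalid MD length %d for MD type %d",
					  mdlen, mdtype);
				return -EINVAL;
			}
			break;
		default:
			OVS_NLERR(log, "Unknown nsh attribute %d",
				  type);
			return -EINVAL;
		}
	}

	/* Trailing bytes that do not form a complete attribute. */
	if (rem > 0) {
		OVS_NLERR(log, "nsh attribute has %d unknown bytes.", rem);
		return -EINVAL;
	}

	if (has_md1 && has_md2) {
		OVS_NLERR(log,
			  "invalid nsh attribute: md1 and md2 are exclusive.");
		return -EINVAL;
	}

	if (!is_mask) {
		/* The metadata attribute supplied must agree with the MD
		 * type announced in the base header.
		 */
		if ((has_md1 && mdtype != NSH_M_TYPE1) ||
		    (has_md2 && mdtype != NSH_M_TYPE2)) {
			OVS_NLERR(log, "nsh attribute has unmatched MD type %d.",
				  mdtype);
			return -EINVAL;
		}

		if (is_push_nsh &&
		    (!has_base || (!has_md1 && !has_md2))) {
			OVS_NLERR(log,
				  "push_nsh: missing base or metadata attributes");
			return -EINVAL;
		}
	}

	return 0;
}

static int ovs_key_from_nlattrs(struct net *net, struct sw_flow_match *match,
				u64 attrs, const struct nlattr **a,
				bool is_mask, bool log)
{
	int err;

	err = metadata_from_nlattrs(net, match, &attrs, a, is_mask, log);
	if (err)
		return err;

	if (attrs & (1 << OVS_KEY_ATTR_ETHERNET)) {
		const struct ovs_key_ethernet *eth_key;

		eth_key = nla_data(a[OVS_KEY_ATTR_ETHERNET]);
		SW_FLOW_KEY_MEMCPY(match, eth.src,
				eth_key->eth_src, ETH_ALEN, is_mask);
		SW_FLOW_KEY_MEMCPY(match, eth.dst,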
eth_key->eth_dst, ETH_ALEN, is_mask); 1518 attrs &= ~(1 << OVS_KEY_ATTR_ETHERNET); 1519 1520 if (attrs & (1 << OVS_KEY_ATTR_VLAN)) { 1521 /* VLAN attribute is always parsed before getting here since it 1522 * may occur multiple times. 1523 */ 1524 OVS_NLERR(log, "VLAN attribute unexpected."); 1525 return -EINVAL; 1526 } 1527 1528 if (attrs & (1 << OVS_KEY_ATTR_ETHERTYPE)) { 1529 err = parse_eth_type_from_nlattrs(match, &attrs, a, is_mask, 1530 log); 1531 if (err) 1532 return err; 1533 } else if (!is_mask) { 1534 SW_FLOW_KEY_PUT(match, eth.type, htons(ETH_P_802_2), is_mask); 1535 } 1536 } else if (!match->key->eth.type) { 1537 OVS_NLERR(log, "Either Ethernet header or EtherType is required."); 1538 return -EINVAL; 1539 } 1540 1541 if (attrs & (1 << OVS_KEY_ATTR_IPV4)) { 1542 const struct ovs_key_ipv4 *ipv4_key; 1543 1544 ipv4_key = nla_data(a[OVS_KEY_ATTR_IPV4]); 1545 if (!is_mask && ipv4_key->ipv4_frag > OVS_FRAG_TYPE_MAX) { 1546 OVS_NLERR(log, "IPv4 frag type %d is out of range max %d", 1547 ipv4_key->ipv4_frag, OVS_FRAG_TYPE_MAX); 1548 return -EINVAL; 1549 } 1550 SW_FLOW_KEY_PUT(match, ip.proto, 1551 ipv4_key->ipv4_proto, is_mask); 1552 SW_FLOW_KEY_PUT(match, ip.tos, 1553 ipv4_key->ipv4_tos, is_mask); 1554 SW_FLOW_KEY_PUT(match, ip.ttl, 1555 ipv4_key->ipv4_ttl, is_mask); 1556 SW_FLOW_KEY_PUT(match, ip.frag, 1557 ipv4_key->ipv4_frag, is_mask); 1558 SW_FLOW_KEY_PUT(match, ipv4.addr.src, 1559 ipv4_key->ipv4_src, is_mask); 1560 SW_FLOW_KEY_PUT(match, ipv4.addr.dst, 1561 ipv4_key->ipv4_dst, is_mask); 1562 attrs &= ~(1 << OVS_KEY_ATTR_IPV4); 1563 } 1564 1565 if (attrs & (1 << OVS_KEY_ATTR_IPV6)) { 1566 const struct ovs_key_ipv6 *ipv6_key; 1567 1568 ipv6_key = nla_data(a[OVS_KEY_ATTR_IPV6]); 1569 if (!is_mask && ipv6_key->ipv6_frag > OVS_FRAG_TYPE_MAX) { 1570 OVS_NLERR(log, "IPv6 frag type %d is out of range max %d", 1571 ipv6_key->ipv6_frag, OVS_FRAG_TYPE_MAX); 1572 return -EINVAL; 1573 } 1574 1575 if (!is_mask && ipv6_key->ipv6_label & htonl(0xFFF00000)) { 1576 
OVS_NLERR(log, "IPv6 flow label %x is out of range (max=%x)", 1577 ntohl(ipv6_key->ipv6_label), (1 << 20) - 1); 1578 return -EINVAL; 1579 } 1580 1581 SW_FLOW_KEY_PUT(match, ipv6.label, 1582 ipv6_key->ipv6_label, is_mask); 1583 SW_FLOW_KEY_PUT(match, ip.proto, 1584 ipv6_key->ipv6_proto, is_mask); 1585 SW_FLOW_KEY_PUT(match, ip.tos, 1586 ipv6_key->ipv6_tclass, is_mask); 1587 SW_FLOW_KEY_PUT(match, ip.ttl, 1588 ipv6_key->ipv6_hlimit, is_mask); 1589 SW_FLOW_KEY_PUT(match, ip.frag, 1590 ipv6_key->ipv6_frag, is_mask); 1591 SW_FLOW_KEY_MEMCPY(match, ipv6.addr.src, 1592 ipv6_key->ipv6_src, 1593 sizeof(match->key->ipv6.addr.src), 1594 is_mask); 1595 SW_FLOW_KEY_MEMCPY(match, ipv6.addr.dst, 1596 ipv6_key->ipv6_dst, 1597 sizeof(match->key->ipv6.addr.dst), 1598 is_mask); 1599 1600 attrs &= ~(1 << OVS_KEY_ATTR_IPV6); 1601 } 1602 1603 if (attrs & (1ULL << OVS_KEY_ATTR_IPV6_EXTHDRS)) { 1604 const struct ovs_key_ipv6_exthdrs *ipv6_exthdrs_key; 1605 1606 ipv6_exthdrs_key = nla_data(a[OVS_KEY_ATTR_IPV6_EXTHDRS]); 1607 1608 SW_FLOW_KEY_PUT(match, ipv6.exthdrs, 1609 ipv6_exthdrs_key->hdrs, is_mask); 1610 1611 attrs &= ~(1ULL << OVS_KEY_ATTR_IPV6_EXTHDRS); 1612 } 1613 1614 if (attrs & (1 << OVS_KEY_ATTR_ARP)) { 1615 const struct ovs_key_arp *arp_key; 1616 1617 arp_key = nla_data(a[OVS_KEY_ATTR_ARP]); 1618 if (!is_mask && (arp_key->arp_op & htons(0xff00))) { 1619 OVS_NLERR(log, "Unknown ARP opcode (opcode=%d).", 1620 arp_key->arp_op); 1621 return -EINVAL; 1622 } 1623 1624 SW_FLOW_KEY_PUT(match, ipv4.addr.src, 1625 arp_key->arp_sip, is_mask); 1626 SW_FLOW_KEY_PUT(match, ipv4.addr.dst, 1627 arp_key->arp_tip, is_mask); 1628 SW_FLOW_KEY_PUT(match, ip.proto, 1629 ntohs(arp_key->arp_op), is_mask); 1630 SW_FLOW_KEY_MEMCPY(match, ipv4.arp.sha, 1631 arp_key->arp_sha, ETH_ALEN, is_mask); 1632 SW_FLOW_KEY_MEMCPY(match, ipv4.arp.tha, 1633 arp_key->arp_tha, ETH_ALEN, is_mask); 1634 1635 attrs &= ~(1 << OVS_KEY_ATTR_ARP); 1636 } 1637 1638 if (attrs & (1 << OVS_KEY_ATTR_NSH)) { 1639 if 
(nsh_key_put_from_nlattr(a[OVS_KEY_ATTR_NSH], match, 1640 is_mask, false, log) < 0) 1641 return -EINVAL; 1642 attrs &= ~(1 << OVS_KEY_ATTR_NSH); 1643 } 1644 1645 if (attrs & (1 << OVS_KEY_ATTR_MPLS)) { 1646 const struct ovs_key_mpls *mpls_key; 1647 u32 hdr_len; 1648 u32 label_count, label_count_mask, i; 1649 1650 mpls_key = nla_data(a[OVS_KEY_ATTR_MPLS]); 1651 hdr_len = nla_len(a[OVS_KEY_ATTR_MPLS]); 1652 label_count = hdr_len / sizeof(struct ovs_key_mpls); 1653 1654 if (label_count == 0 || label_count > MPLS_LABEL_DEPTH || 1655 hdr_len % sizeof(struct ovs_key_mpls)) 1656 return -EINVAL; 1657 1658 label_count_mask = GENMASK(label_count - 1, 0); 1659 1660 for (i = 0 ; i < label_count; i++) 1661 SW_FLOW_KEY_PUT(match, mpls.lse[i], 1662 mpls_key[i].mpls_lse, is_mask); 1663 1664 SW_FLOW_KEY_PUT(match, mpls.num_labels_mask, 1665 label_count_mask, is_mask); 1666 1667 attrs &= ~(1 << OVS_KEY_ATTR_MPLS); 1668 } 1669 1670 if (attrs & (1 << OVS_KEY_ATTR_TCP)) { 1671 const struct ovs_key_tcp *tcp_key; 1672 1673 tcp_key = nla_data(a[OVS_KEY_ATTR_TCP]); 1674 SW_FLOW_KEY_PUT(match, tp.src, tcp_key->tcp_src, is_mask); 1675 SW_FLOW_KEY_PUT(match, tp.dst, tcp_key->tcp_dst, is_mask); 1676 attrs &= ~(1 << OVS_KEY_ATTR_TCP); 1677 } 1678 1679 if (attrs & (1 << OVS_KEY_ATTR_TCP_FLAGS)) { 1680 SW_FLOW_KEY_PUT(match, tp.flags, 1681 nla_get_be16(a[OVS_KEY_ATTR_TCP_FLAGS]), 1682 is_mask); 1683 attrs &= ~(1 << OVS_KEY_ATTR_TCP_FLAGS); 1684 } 1685 1686 if (attrs & (1 << OVS_KEY_ATTR_UDP)) { 1687 const struct ovs_key_udp *udp_key; 1688 1689 udp_key = nla_data(a[OVS_KEY_ATTR_UDP]); 1690 SW_FLOW_KEY_PUT(match, tp.src, udp_key->udp_src, is_mask); 1691 SW_FLOW_KEY_PUT(match, tp.dst, udp_key->udp_dst, is_mask); 1692 attrs &= ~(1 << OVS_KEY_ATTR_UDP); 1693 } 1694 1695 if (attrs & (1 << OVS_KEY_ATTR_SCTP)) { 1696 const struct ovs_key_sctp *sctp_key; 1697 1698 sctp_key = nla_data(a[OVS_KEY_ATTR_SCTP]); 1699 SW_FLOW_KEY_PUT(match, tp.src, sctp_key->sctp_src, is_mask); 1700 SW_FLOW_KEY_PUT(match, 
tp.dst, sctp_key->sctp_dst, is_mask); 1701 attrs &= ~(1 << OVS_KEY_ATTR_SCTP); 1702 } 1703 1704 if (attrs & (1 << OVS_KEY_ATTR_ICMP)) { 1705 const struct ovs_key_icmp *icmp_key; 1706 1707 icmp_key = nla_data(a[OVS_KEY_ATTR_ICMP]); 1708 SW_FLOW_KEY_PUT(match, tp.src, 1709 htons(icmp_key->icmp_type), is_mask); 1710 SW_FLOW_KEY_PUT(match, tp.dst, 1711 htons(icmp_key->icmp_code), is_mask); 1712 attrs &= ~(1 << OVS_KEY_ATTR_ICMP); 1713 } 1714 1715 if (attrs & (1 << OVS_KEY_ATTR_ICMPV6)) { 1716 const struct ovs_key_icmpv6 *icmpv6_key; 1717 1718 icmpv6_key = nla_data(a[OVS_KEY_ATTR_ICMPV6]); 1719 SW_FLOW_KEY_PUT(match, tp.src, 1720 htons(icmpv6_key->icmpv6_type), is_mask); 1721 SW_FLOW_KEY_PUT(match, tp.dst, 1722 htons(icmpv6_key->icmpv6_code), is_mask); 1723 attrs &= ~(1 << OVS_KEY_ATTR_ICMPV6); 1724 } 1725 1726 if (attrs & (1 << OVS_KEY_ATTR_ND)) { 1727 const struct ovs_key_nd *nd_key; 1728 1729 nd_key = nla_data(a[OVS_KEY_ATTR_ND]); 1730 SW_FLOW_KEY_MEMCPY(match, ipv6.nd.target, 1731 nd_key->nd_target, 1732 sizeof(match->key->ipv6.nd.target), 1733 is_mask); 1734 SW_FLOW_KEY_MEMCPY(match, ipv6.nd.sll, 1735 nd_key->nd_sll, ETH_ALEN, is_mask); 1736 SW_FLOW_KEY_MEMCPY(match, ipv6.nd.tll, 1737 nd_key->nd_tll, ETH_ALEN, is_mask); 1738 attrs &= ~(1 << OVS_KEY_ATTR_ND); 1739 } 1740 1741 if (attrs != 0) { 1742 OVS_NLERR(log, "Unknown key attributes %llx", 1743 (unsigned long long)attrs); 1744 return -EINVAL; 1745 } 1746 1747 return 0; 1748 } 1749 1750 static void nlattr_set(struct nlattr *attr, u8 val, 1751 const struct ovs_len_tbl *tbl) 1752 { 1753 struct nlattr *nla; 1754 int rem; 1755 1756 /* The nlattr stream should already have been validated */ 1757 nla_for_each_nested(nla, attr, rem) { 1758 if (tbl[nla_type(nla)].len == OVS_ATTR_NESTED) 1759 nlattr_set(nla, val, tbl[nla_type(nla)].next ? 
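: tbl);
		else
			memset(nla_data(nla), val, nla_len(nla));

		if (nla_type(nla) == OVS_KEY_ATTR_CT_STATE)
			*(u32 *)nla_data(nla) &= CT_SUPPORTED_MASK;
	}
}

/*
 * Overwrite the payload of every attribute nested in @attr with @val, using
 * ovs_key_lens as the top-level length table.
 */
static void mask_set_nlattr(struct nlattr *attr, u8 val)
{
	nlattr_set(attr, val, ovs_key_lens);
}

/**
 * ovs_nla_get_match - parses Netlink attributes into a flow key and
 * mask. In case the 'mask' is NULL, the flow is treated as exact match
 * flow. Otherwise, it is treated as a wildcarded flow, except the mask
 * does not include any don't care bit.
 * @net: Used to determine per-namespace field support.
 * @match: receives the extracted flow match information.
 * @nla_key: Netlink attribute holding nested %OVS_KEY_ATTR_* Netlink attribute
 * sequence. The fields should be those of the packet that triggered the
 * creation of this flow.
 * @nla_mask: Optional. Netlink attribute holding nested %OVS_KEY_ATTR_*
 * Netlink attribute specifies the mask field of the wildcarded flow.
 * @log: Boolean to allow kernel error logging.  Normally true, but when
 * probing for feature compatibility this should be passed in as false to
 * suppress unnecessary error logging.
 *
 * Return: 0 on success, -ENOMEM if the synthesized exact-match mask cannot
 * be allocated, -EINVAL if match_validate() rejects the result, or the
 * error reported by one of the parsing helpers.
 */
int ovs_nla_get_match(struct net *net, struct sw_flow_match *match,
		      const struct nlattr *nla_key,
		      const struct nlattr *nla_mask,
		      bool log)
{
	const struct nlattr *a[OVS_KEY_ATTR_MAX + 1];
	struct nlattr *newmask = NULL;
	u64 key_attrs = 0;
	u64 mask_attrs = 0;
	int err;

	/* Nothing is allocated yet, so the early exits can return directly. */
	err = parse_flow_nlattrs(nla_key, a, &key_attrs, log);
	if (err)
		return err;

	err = parse_vlan_from_nlattrs(match, &key_attrs, a, false, log);
	if (err)
		return err;

	err = ovs_key_from_nlattrs(net, match, key_attrs, a, false, log);
	if (err)
		return err;

	if (match->mask) {
		if (!nla_mask) {
			/* Create an exact match mask. We need to set to 0xff
			 * all the 'match->mask' fields that have been touched
			 * in 'match->key'. We cannot simply memset
			 * 'match->mask', because padding bytes and fields not
			 * specified in 'match->key' should be left to 0.
			 * Instead, we use a stream of netlink attributes,
			 * copied from 'key' and set to 0xff.
			 * ovs_key_from_nlattrs() will take care of filling
			 * 'match->mask' appropriately.
			 */
			newmask = kmemdup(nla_key,
					  nla_total_size(nla_len(nla_key)),
					  GFP_KERNEL);
			if (!newmask)
				return -ENOMEM;

			mask_set_nlattr(newmask, 0xff);

			/* The userspace does not send tunnel attributes that
			 * are 0, but we should not wildcard them nonetheless.
			 */
			if (match->key->tun_proto)
				SW_FLOW_KEY_MEMSET_FIELD(match, tun_key,
							 0xff, true);

			nla_mask = newmask;
		}

		/* 'a' is reused: from here on it indexes the mask attributes,
		 * not the key attributes.
		 */
		err = parse_flow_mask_nlattrs(nla_mask, a, &mask_attrs, log);
		if (err)
			goto free_newmask;

		/* Always match on tci. */
		SW_FLOW_KEY_PUT(match, eth.vlan.tci, htons(0xffff), true);
		SW_FLOW_KEY_PUT(match, eth.cvlan.tci, htons(0xffff), true);

		err = parse_vlan_from_nlattrs(match, &mask_attrs, a, true, log);
		if (err)
			goto free_newmask;

		err = ovs_key_from_nlattrs(net, match, mask_attrs, a, true,
					   log);
		if (err)
			goto free_newmask;
	}

	if (!match_validate(match, key_attrs, mask_attrs, log))
		err = -EINVAL;

free_newmask:
	/* newmask stays NULL when the caller supplied a mask. */
	kfree(newmask);
	return err;
}

/*
 * Return the UFID length carried by @attr, or 0 when @attr is absent or its
 * length falls outside 1..MAX_UFID_LENGTH.
 *
 * This is the only length check in front of the memcpy() in
 * ovs_nla_get_ufid(). A negative nla_len() converts to a very large size_t
 * and is rejected by the upper bound.
 */
static size_t get_ufid_len(const struct nlattr *attr, bool log)
{
	size_t len;

	if (!attr)
		return 0;

	len = nla_len(attr);
	if (len < 1 || len > MAX_UFID_LENGTH) {
		OVS_NLERR(log, "ufid size %u bytes exceeds the range (1, %d)",
			  nla_len(attr), MAX_UFID_LENGTH);
		return 0;
	}

	return len;
}

/* Initializes 'sfid->ufid' and 'sfid->ufid_len', returning true if 'attr'
 * contains a valid UFID, or false otherwise.
 *
 * The copy is bounded by get_ufid_len(), i.e. by MAX_UFID_LENGTH;
 * presumably 'sfid->ufid' is at least that large - confirm against the
 * struct sw_flow_id definition.
 */
bool ovs_nla_get_ufid(struct sw_flow_id *sfid, const struct nlattr *attr,
		      bool log)
{
	sfid->ufid_len = get_ufid_len(attr, log);
	if (sfid->ufid_len)
		memcpy(sfid->ufid, nla_data(attr), sfid->ufid_len);

	return sfid->ufid_len;
}

/*
 * Fill in the flow identifier: the UFID from @ufid when it is valid,
 * otherwise a heap copy of the unmasked @key.
 *
 * Returns 0 on success or -ENOMEM if the key copy cannot be allocated.
 * On the fallback path 'sfid->unmasked_key' points to memory allocated
 * here; presumably whoever releases the flow id frees it - confirm.
 */
int ovs_nla_get_identifier(struct sw_flow_id *sfid, const struct nlattr *ufid,
			   const struct sw_flow_key *key, bool log)
{
	struct sw_flow_key *new_key;

	if (ovs_nla_get_ufid(sfid, ufid, log))
		return 0;

	/* If UFID was not provided, use unmasked key. */
	new_key = kmemdup(key, sizeof(*key), GFP_KERNEL);
	if (!new_key)
		return -ENOMEM;
	sfid->unmasked_key = new_key;

	return 0;
}

/* Return the u32 UFID flags carried by @attr, or 0 when @attr is NULL. */
u32 ovs_nla_get_ufid_flags(const struct nlattr *attr)
{
	return attr ? nla_get_u32(attr) : 0;
}

/**
 * ovs_nla_get_flow_metadata - parses Netlink attributes into a flow key.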
1923 * @net: Network namespace. 1924 * @key: Receives extracted in_port, priority, tun_key, skb_mark and conntrack 1925 * metadata. 1926 * @a: Array of netlink attributes holding parsed %OVS_KEY_ATTR_* Netlink 1927 * attributes. 1928 * @attrs: Bit mask for the netlink attributes included in @a. 1929 * @log: Boolean to allow kernel error logging. Normally true, but when 1930 * probing for feature compatibility this should be passed in as false to 1931 * suppress unnecessary error logging. 1932 * 1933 * This parses a series of Netlink attributes that form a flow key, which must 1934 * take the same form accepted by flow_from_nlattrs(), but only enough of it to 1935 * get the metadata, that is, the parts of the flow key that cannot be 1936 * extracted from the packet itself. 1937 * 1938 * This must be called before the packet key fields are filled in 'key'. 1939 */ 1940 1941 int ovs_nla_get_flow_metadata(struct net *net, 1942 const struct nlattr *a[OVS_KEY_ATTR_MAX + 1], 1943 u64 attrs, struct sw_flow_key *key, bool log) 1944 { 1945 struct sw_flow_match match; 1946 1947 memset(&match, 0, sizeof(match)); 1948 match.key = key; 1949 1950 key->ct_state = 0; 1951 key->ct_zone = 0; 1952 key->ct_orig_proto = 0; 1953 memset(&key->ct, 0, sizeof(key->ct)); 1954 memset(&key->ipv4.ct_orig, 0, sizeof(key->ipv4.ct_orig)); 1955 memset(&key->ipv6.ct_orig, 0, sizeof(key->ipv6.ct_orig)); 1956 1957 key->phy.in_port = DP_MAX_PORTS; 1958 1959 return metadata_from_nlattrs(net, &match, &attrs, a, false, log); 1960 } 1961 1962 static int ovs_nla_put_vlan(struct sk_buff *skb, const struct vlan_head *vh, 1963 bool is_mask) 1964 { 1965 __be16 eth_type = !is_mask ? 
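vh->tpid : htons(0xffff);

	if (nla_put_be16(skb, OVS_KEY_ATTR_ETHERTYPE, eth_type) ||
	    nla_put_be16(skb, OVS_KEY_ATTR_VLAN, vh->tci))
		return -EMSGSIZE;
	return 0;
}

/* Serialises an NSH key (or mask) into a nested OVS_KEY_ATTR_NSH attribute.
 *
 * The base header is always emitted. The MD type 1 context is emitted for
 * masks and for keys whose base.mdtype is NSH_M_TYPE1.
 *
 * Returns 0 on success or -EMSGSIZE when 'skb' has no room. On failure the
 * nest that was opened is not cancelled here, so the caller is expected to
 * discard or trim the message.
 */
static int nsh_key_to_nlattr(const struct ovs_key_nsh *nsh, bool is_mask,
			     struct sk_buff *skb)
{
	struct nlattr *start;

	start = nla_nest_start_noflag(skb, OVS_KEY_ATTR_NSH);
	if (!start)
		return -EMSGSIZE;

	if (nla_put(skb, OVS_NSH_KEY_ATTR_BASE, sizeof(nsh->base), &nsh->base))
		goto nla_put_failure;

	if (is_mask || nsh->base.mdtype == NSH_M_TYPE1) {
		if (nla_put(skb, OVS_NSH_KEY_ATTR_MD1,
			    sizeof(nsh->context), nsh->context))
			goto nla_put_failure;
	}

	/* Don't support MD type 2 yet */

	nla_nest_end(skb, start);

	return 0;

nla_put_failure:
	return -EMSGSIZE;
}

/* Writes a flow key or a flow mask into 'skb' as OVS_KEY_ATTR_* attributes.
 *
 * 'swkey' decides WHICH attributes are emitted (protocol, VLAN presence,
 * fragment type, ...); 'output' supplies the VALUES that are written. For a
 * key dump both point at the same key; for a mask dump 'output' is the mask
 * and 'is_mask' is true.
 *
 * Returns 0 on success or -EMSGSIZE when the message buffer is too small.
 *
 * NOTE(review): payloads obtained with nla_reserve() are filled member by
 * member below (only the ARP payload is zeroed first). Any padding or member
 * not assigned here would go to user space with whatever the skb data held;
 * confirm against the uapi struct layouts.
 */
static int __ovs_nla_put_key(const struct sw_flow_key *swkey,
			     const struct sw_flow_key *output, bool is_mask,
			     struct sk_buff *skb)
{
	struct ovs_key_ethernet *eth_key;
	struct nlattr *nla;
	struct nlattr *encap = NULL;
	struct nlattr *in_encap = NULL;

	if (nla_put_u32(skb, OVS_KEY_ATTR_RECIRC_ID, output->recirc_id))
		goto nla_put_failure;

	if (nla_put_u32(skb, OVS_KEY_ATTR_DP_HASH, output->ovs_flow_hash))
		goto nla_put_failure;

	if (nla_put_u32(skb, OVS_KEY_ATTR_PRIORITY, output->phy.priority))
		goto nla_put_failure;

	if ((swkey->tun_proto || is_mask)) {
		const void *opts = NULL;

		if (output->tun_key.tun_flags & TUNNEL_OPTIONS_PRESENT)
			opts = TUN_METADATA_OPTS(output, swkey->tun_opts_len);

		if (ip_tun_to_nlattr(skb, &output->tun_key, opts,
				     swkey->tun_opts_len, swkey->tun_proto, 0))
			goto nla_put_failure;
	}

	if (swkey->phy.in_port == DP_MAX_PORTS) {
		if (is_mask && (output->phy.in_port == 0xffff))
			if (nla_put_u32(skb, OVS_KEY_ATTR_IN_PORT, 0xffffffff))
				goto nla_put_failure;
	} else {
		u16 upper_u16;
		upper_u16 = !is_mask ? 0 : 0xffff;

		/* Widen before shifting so 0xffff << 16 is computed as an
		 * unsigned value instead of shifting into the sign bit of a
		 * promoted int.
		 */
		if (nla_put_u32(skb, OVS_KEY_ATTR_IN_PORT,
				((u32)upper_u16 << 16) | output->phy.in_port))
			goto nla_put_failure;
	}

	if (nla_put_u32(skb, OVS_KEY_ATTR_SKB_MARK, output->phy.skb_mark))
		goto nla_put_failure;

	if (ovs_ct_put_key(swkey, output, skb))
		goto nla_put_failure;

	if (ovs_key_mac_proto(swkey) == MAC_PROTO_ETHERNET) {
		nla = nla_reserve(skb, OVS_KEY_ATTR_ETHERNET, sizeof(*eth_key));
		if (!nla)
			goto nla_put_failure;

		eth_key = nla_data(nla);
		ether_addr_copy(eth_key->eth_src, output->eth.src);
		ether_addr_copy(eth_key->eth_dst, output->eth.dst);

		if (swkey->eth.vlan.tci || eth_type_vlan(swkey->eth.type)) {
			if (ovs_nla_put_vlan(skb, &output->eth.vlan, is_mask))
				goto nla_put_failure;
			encap = nla_nest_start_noflag(skb, OVS_KEY_ATTR_ENCAP);
			/* A failed nest start means the buffer is full.
			 * Report it like every other put in this function
			 * rather than returning 0 through 'unencap' with the
			 * ENCAP attribute silently missing.
			 */
			if (!encap)
				goto nla_put_failure;
			if (!swkey->eth.vlan.tci)
				goto unencap;

			if (swkey->eth.cvlan.tci || eth_type_vlan(swkey->eth.type)) {
				if (ovs_nla_put_vlan(skb, &output->eth.cvlan, is_mask))
					goto nla_put_failure;
				in_encap = nla_nest_start_noflag(skb,
								 OVS_KEY_ATTR_ENCAP);
				/* Same reasoning as for the outer nest. */
				if (!in_encap)
					goto nla_put_failure;
				if (!swkey->eth.cvlan.tci)
					goto unencap;
			}
		}

		if (swkey->eth.type == htons(ETH_P_802_2)) {
			/*
			 * Ethertype 802.2 is represented in the netlink with omitted
			 * OVS_KEY_ATTR_ETHERTYPE in the flow key attribute, and
			 * 0xffff in the mask attribute.  Ethertype can also
			 * be wildcarded.
			 */
			if (is_mask && output->eth.type)
				if (nla_put_be16(skb, OVS_KEY_ATTR_ETHERTYPE,
						 output->eth.type))
					goto nla_put_failure;
			goto unencap;
		}
	}

	if (nla_put_be16(skb, OVS_KEY_ATTR_ETHERTYPE, output->eth.type))
		goto nla_put_failure;

	if (eth_type_vlan(swkey->eth.type)) {
		/* There are 3 VLAN tags, we don't know anything about the rest
		 * of the packet, so truncate here.
		 */
		WARN_ON_ONCE(!(encap && in_encap));
		goto unencap;
	}

	if (swkey->eth.type == htons(ETH_P_IP)) {
		struct ovs_key_ipv4 *ipv4_key;

		nla = nla_reserve(skb, OVS_KEY_ATTR_IPV4, sizeof(*ipv4_key));
		if (!nla)
			goto nla_put_failure;
		ipv4_key = nla_data(nla);
		ipv4_key->ipv4_src = output->ipv4.addr.src;
		ipv4_key->ipv4_dst = output->ipv4.addr.dst;
		ipv4_key->ipv4_proto = output->ip.proto;
		ipv4_key->ipv4_tos = output->ip.tos;
		ipv4_key->ipv4_ttl = output->ip.ttl;
		ipv4_key->ipv4_frag = output->ip.frag;
	} else if (swkey->eth.type == htons(ETH_P_IPV6)) {
		struct ovs_key_ipv6 *ipv6_key;
		struct ovs_key_ipv6_exthdrs *ipv6_exthdrs_key;

		nla = nla_reserve(skb, OVS_KEY_ATTR_IPV6, sizeof(*ipv6_key));
		if (!nla)
			goto nla_put_failure;
		ipv6_key = nla_data(nla);
		memcpy(ipv6_key->ipv6_src, &output->ipv6.addr.src,
				sizeof(ipv6_key->ipv6_src));
		memcpy(ipv6_key->ipv6_dst, &output->ipv6.addr.dst,
				sizeof(ipv6_key->ipv6_dst));
		ipv6_key->ipv6_label = output->ipv6.label;
		ipv6_key->ipv6_proto = output->ip.proto;
		ipv6_key->ipv6_tclass = output->ip.tos;
		ipv6_key->ipv6_hlimit = output->ip.ttl;
		ipv6_key->ipv6_frag = output->ip.frag;

		nla = nla_reserve(skb, OVS_KEY_ATTR_IPV6_EXTHDRS,
				  sizeof(*ipv6_exthdrs_key));
		if (!nla)
			goto nla_put_failure;
		ipv6_exthdrs_key = nla_data(nla);
		ipv6_exthdrs_key->hdrs = output->ipv6.exthdrs;
	} else if (swkey->eth.type == htons(ETH_P_NSH)) {
		if (nsh_key_to_nlattr(&output->nsh, is_mask, skb))
			goto nla_put_failure;
	} else if (swkey->eth.type == htons(ETH_P_ARP) ||
		   swkey->eth.type == htons(ETH_P_RARP)) {
		struct ovs_key_arp *arp_key;

		nla = nla_reserve(skb, OVS_KEY_ATTR_ARP, sizeof(*arp_key));
		if (!nla)
			goto nla_put_failure;
		arp_key = nla_data(nla);
		/* Zero the whole payload before filling it in, so bytes not
		 * assigned below are not sent as stale skb contents.
		 */
		memset(arp_key, 0, sizeof(struct ovs_key_arp));
		arp_key->arp_sip = output->ipv4.addr.src;
		arp_key->arp_tip = output->ipv4.addr.dst;
		arp_key->arp_op = htons(output->ip.proto);
		ether_addr_copy(arp_key->arp_sha, output->ipv4.arp.sha);
		ether_addr_copy(arp_key->arp_tha, output->ipv4.arp.tha);
	} else if (eth_p_mpls(swkey->eth.type)) {
		u8 i, num_labels;
		struct ovs_key_mpls *mpls_key;

		num_labels = hweight_long(output->mpls.num_labels_mask);
		nla = nla_reserve(skb, OVS_KEY_ATTR_MPLS,
				  num_labels * sizeof(*mpls_key));
		if (!nla)
			goto nla_put_failure;

		mpls_key = nla_data(nla);
		for (i = 0; i < num_labels; i++)
			mpls_key[i].mpls_lse = output->mpls.lse[i];
	}

	/* L4 attributes are only emitted for IP packets that are not later
	 * fragments.
	 */
	if ((swkey->eth.type == htons(ETH_P_IP) ||
	     swkey->eth.type == htons(ETH_P_IPV6)) &&
	     swkey->ip.frag != OVS_FRAG_TYPE_LATER) {

		if (swkey->ip.proto == IPPROTO_TCP) {
			struct ovs_key_tcp *tcp_key;

			nla = nla_reserve(skb, OVS_KEY_ATTR_TCP, sizeof(*tcp_key));
			if (!nla)
				goto nla_put_failure;
			tcp_key = nla_data(nla);
			tcp_key->tcp_src = output->tp.src;
			tcp_key->tcp_dst = output->tp.dst;
			if (nla_put_be16(skb, OVS_KEY_ATTR_TCP_FLAGS,
					 output->tp.flags))
				goto nla_put_failure;
		} else if (swkey->ip.proto == IPPROTO_UDP) {
			struct ovs_key_udp *udp_key;

			nla = nla_reserve(skb, OVS_KEY_ATTR_UDP, sizeof(*udp_key));
			if (!nla)
				goto nla_put_failure;
			udp_key = nla_data(nla);
			udp_key->udp_src = output->tp.src;
			udp_key->udp_dst = output->tp.dst;
		} else if (swkey->ip.proto == IPPROTO_SCTP) {
			struct ovs_key_sctp *sctp_key;

			nla = nla_reserve(skb, OVS_KEY_ATTR_SCTP, sizeof(*sctp_key));
			if (!nla)
				goto nla_put_failure;
			sctp_key = nla_data(nla);
			sctp_key->sctp_src = output->tp.src;
			sctp_key->sctp_dst = output->tp.dst;
		} else if (swkey->eth.type == htons(ETH_P_IP) &&
			   swkey->ip.proto == IPPROTO_ICMP) {
			struct ovs_key_icmp *icmp_key;

			nla = nla_reserve(skb, OVS_KEY_ATTR_ICMP, sizeof(*icmp_key));
			if (!nla)
				goto nla_put_failure;
			icmp_key = nla_data(nla);
			icmp_key->icmp_type = ntohs(output->tp.src);
			icmp_key->icmp_code = ntohs(output->tp.dst);
		} else if (swkey->eth.type == htons(ETH_P_IPV6) &&
			   swkey->ip.proto == IPPROTO_ICMPV6) {
			struct ovs_key_icmpv6 *icmpv6_key;

			nla = nla_reserve(skb, OVS_KEY_ATTR_ICMPV6,
						sizeof(*icmpv6_key));
			if (!nla)
				goto nla_put_failure;
			icmpv6_key = nla_data(nla);
			icmpv6_key->icmpv6_type = ntohs(output->tp.src);
			icmpv6_key->icmpv6_code = ntohs(output->tp.dst);

			if (icmpv6_key->icmpv6_type == NDISC_NEIGHBOUR_SOLICITATION ||
			    icmpv6_key->icmpv6_type == NDISC_NEIGHBOUR_ADVERTISEMENT) {
				struct ovs_key_nd *nd_key;

				nla = nla_reserve(skb, OVS_KEY_ATTR_ND, sizeof(*nd_key));
				if (!nla)
					goto nla_put_failure;
				nd_key = nla_data(nla);
				memcpy(nd_key->nd_target, &output->ipv6.nd.target,
							sizeof(nd_key->nd_target));
				ether_addr_copy(nd_key->nd_sll, output->ipv6.nd.sll);
				ether_addr_copy(nd_key->nd_tll, output->ipv6.nd.tll);
			}
		}
	}

unencap:
	/* Close the VLAN encapsulation nests, innermost first. */
	if (in_encap)
		nla_nest_end(skb, in_encap);
	if (encap)
		nla_nest_end(skb, encap);

	return 0;

nla_put_failure:
	return -EMSGSIZE;
}

int ovs_nla_put_key(const struct sw_flow_key *swkey,
		    const struct sw_flow_key *output, int attr, bool is_mask,
		    struct sk_buff *skb)
{
	int err;
	struct nlattr *nla;
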
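nla = nla_nest_start_noflag(skb, attr);
	if (!nla)
		return -EMSGSIZE;
	err = __ovs_nla_put_key(swkey, output, is_mask, skb);
	if (err)
		return err;
	nla_nest_end(skb, nla);

	return 0;
}

/* Emits the flow identifier: the UFID when the flow has one, otherwise the
 * unmasked key nested in OVS_FLOW_ATTR_KEY.
 *
 * Called with ovs_mutex or RCU read lock.
 */
int ovs_nla_put_identifier(const struct sw_flow *flow, struct sk_buff *skb)
{
	if (ovs_identifier_is_ufid(&flow->id))
		return nla_put(skb, OVS_FLOW_ATTR_UFID, flow->id.ufid_len,
			       flow->id.ufid);

	return ovs_nla_put_key(flow->id.unmasked_key, flow->id.unmasked_key,
			       OVS_FLOW_ATTR_KEY, false, skb);
}

/* Emits the flow's key (flow->key) nested in OVS_FLOW_ATTR_KEY.
 *
 * Called with ovs_mutex or RCU read lock.
 */
int ovs_nla_put_masked_key(const struct sw_flow *flow, struct sk_buff *skb)
{
	return ovs_nla_put_key(&flow->key, &flow->key,
				OVS_FLOW_ATTR_KEY, false, skb);
}

/* Emits the flow's mask nested in OVS_FLOW_ATTR_MASK. The flow key selects
 * which attributes appear and the mask supplies their values.
 *
 * Called with ovs_mutex or RCU read lock.
 */
int ovs_nla_put_mask(const struct sw_flow *flow, struct sk_buff *skb)
{
	return ovs_nla_put_key(&flow->key, &flow->mask->key,
				OVS_FLOW_ATTR_MASK, true, skb);
}

/* Upper bound, in bytes, on the action buffer handled by reserve_sfa_size(). */
#define MAX_ACTIONS_BUFSIZE	(32 * 1024)

/* Allocates an empty action list with room for 'size' bytes of actions after
 * the sw_flow_actions header.
 *
 * Returns the new list, or ERR_PTR(-ENOMEM). A 'size' above
 * MAX_ACTIONS_BUFSIZE only triggers a one-time warning; it is not rejected
 * here, so callers must enforce the limit themselves.
 */
static struct sw_flow_actions *nla_alloc_flow_actions(int size)
{
	struct sw_flow_actions *sfa;

	WARN_ON_ONCE(size > MAX_ACTIONS_BUFSIZE);

	sfa = kmalloc(sizeof(*sfa) + size, GFP_KERNEL);
	if (!sfa)
		return ERR_PTR(-ENOMEM);

	sfa->actions_len = 0;
	return sfa;
}

/* Releases the resources held by one stored SET action. Only the internal
 * OVS_KEY_ATTR_TUNNEL_INFO form owns anything: a reference on its tunnel dst.
 */
static void ovs_nla_free_set_action(const struct nlattr *a)
{
	const struct nlattr *ovs_key = nla_data(a);
	struct ovs_tunnel_info *ovs_tun;

	switch (nla_type(ovs_key)) {
	case OVS_KEY_ATTR_TUNNEL_INFO:
		ovs_tun = nla_data(ovs_key);
		dst_release((struct dst_entry *)ovs_tun->tun_dst);
		break;
	}
}

/* Frees an action list together with the resources its actions hold.
 * Accepts NULL.
 *
 * NOTE(review): only top-level SET and CT actions are visited. Actions copied
 * into nested containers (sample, clone, check_pkt_len, dec_ttl) are not
 * walked by this loop, so a tunnel dst or conntrack reference held by a
 * nested action would not be dropped here. Confirm that it is released
 * elsewhere, or recurse into those containers.
 */
void ovs_nla_free_flow_actions(struct sw_flow_actions *sf_acts)
{
	const struct nlattr *a;
	int rem;

	if (!sf_acts)
		return;

	nla_for_each_attr(a, sf_acts->actions, sf_acts->actions_len, rem) {
		switch (nla_type(a)) {
		case OVS_ACTION_ATTR_SET:
			ovs_nla_free_set_action(a);
			break;
		case OVS_ACTION_ATTR_CT:
			ovs_ct_free_action(a);
			break;
		}
	}

	kfree(sf_acts);
}

/* RCU callback: recovers the action list from its rcu_head and frees it. */
static void __ovs_nla_free_flow_actions(struct rcu_head *head)
{
	ovs_nla_free_flow_actions(container_of(head, struct sw_flow_actions, rcu));
}

/* Schedules 'sf_acts' to be freed after the next RCU grace period.
 * The caller must hold rcu_read_lock for this to be sensible. */
void ovs_nla_free_flow_actions_rcu(struct sw_flow_actions *sf_acts)
{
	call_rcu(&sf_acts->rcu, __ovs_nla_free_flow_actions);
}

/* Reserves room for one attribute of 'attr_len' bytes at the end of '*sfa'
 * and returns a pointer to it.
 *
 * When the current allocation is too small, a larger list is allocated, the
 * existing actions are copied over, the old list is freed and '*sfa' is
 * updated. Pointers into the old list are therefore invalid after this call;
 * callers that need a stable reference should keep an offset instead.
 *
 * Returns the reserved attribute, ERR_PTR(-EMSGSIZE) when the list would
 * exceed MAX_ACTIONS_BUFSIZE, or ERR_PTR(-ENOMEM).
 */
static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa,
				       int attr_len, bool log)
{
	struct sw_flow_actions *acts;
	int new_acts_size;
	size_t req_size = NLA_ALIGN(attr_len);
	int next_offset = offsetof(struct sw_flow_actions, actions) +
					(*sfa)->actions_len;

	if (req_size <= (ksize(*sfa) - next_offset))
		goto out;

	new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2);

	if (new_acts_size > MAX_ACTIONS_BUFSIZE) {
		/* Compare the sum against the limit instead of subtracting.
		 * next_offset is a signed int that can exceed
		 * MAX_ACTIONS_BUFSIZE, because the allocation is the header
		 * plus up to MAX_ACTIONS_BUFSIZE bytes. A negative
		 * "MAX - next_offset" compared with the size_t req_size
		 * would be converted to a huge unsigned value, pass the
		 * check, and let actions_len grow past the buffer.
		 */
		if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE) {
			OVS_NLERR(log, "Flow action size exceeds max %u",
				  MAX_ACTIONS_BUFSIZE);
			return ERR_PTR(-EMSGSIZE);
		}
		new_acts_size = MAX_ACTIONS_BUFSIZE;
	}

	acts = nla_alloc_flow_actions(new_acts_size);
	if (IS_ERR(acts))
		return (void *)acts;

	memcpy(acts->actions, (*sfa)->actions, (*sfa)->actions_len);
	acts->actions_len = (*sfa)->actions_len;
	acts->orig_len = (*sfa)->orig_len;
	kfree(*sfa);
	*sfa = acts;

out:
	(*sfa)->actions_len += req_size;
	return  (struct nlattr *) ((unsigned char *)(*sfa) + next_offset);
}

/* Appends one attribute of type 'attrtype' with a 'len'-byte payload.
 *
 * The payload is copied from 'data' when it is non-NULL; with a NULL 'data'
 * the payload bytes are left for the caller to fill. Trailing netlink padding
 * is always zeroed.
 *
 * Returns the new attribute or an ERR_PTR from reserve_sfa_size(). The
 * pointer is valid only until the next append, which may reallocate '*sfa'.
 */
static struct nlattr *__add_action(struct sw_flow_actions **sfa,
				   int attrtype, void *data, int len, bool log)
{
	struct nlattr *a;

	a = reserve_sfa_size(sfa, nla_attr_size(len), log);
	if (IS_ERR(a))
		return a;

	a->nla_type = attrtype;
	a->nla_len = nla_attr_size(len);

	if (data)
		memcpy(nla_data(a), data, len);
	memset((unsigned char *) a + a->nla_len, 0, nla_padlen(len));

	return a;
}

/* Appends one action attribute; returns 0 or a negative errno. */
int ovs_nla_add_action(struct sw_flow_actions **sfa, int attrtype, void *data,
		       int len, bool log)
{
	struct nlattr *a;

	a = __add_action(sfa, attrtype, data, len, log);

	return PTR_ERR_OR_ZERO(a);
}

/* Opens a nested action by appending an empty attribute header.
 *
 * Returns the offset of that header within the action list (the value of
 * actions_len before the append), or a negative errno. An offset is returned
 * rather than a pointer because later appends may reallocate '*sfa'.
 */
static inline int add_nested_action_start(struct sw_flow_actions **sfa,
					  int attrtype, bool log)
{
	int used = (*sfa)->actions_len;
	int err;

	err = ovs_nla_add_action(sfa, attrtype, NULL, 0, log);
	if (err)
		return err;

	return used;
}

/* Closes a nested action opened at 'st_offset' by setting its length to
 * cover everything appended since.
 */
static inline void add_nested_action_end(struct sw_flow_actions *sfa,
					 int st_offset)
{
	struct nlattr *a = (struct nlattr *) ((unsigned char *)sfa->actions +
							       st_offset);

	a->nla_len = sfa->actions_len - st_offset;
}

static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
				  const struct sw_flow_key *key,
				  struct sw_flow_actions **sfa,
				  __be16 eth_type, __be16 vlan_tci,
				  u32 mpls_label_count, bool log);

static int validate_and_copy_sample(struct net *net, const struct nlattr *attr,
				    const struct sw_flow_key *key,
				    struct sw_flow_actions **sfa,
				    __be16 eth_type, __be16 vlan_tci,
				    u32 mpls_label_count, bool log, bool last)
{
	const struct nlattr *attrs[OVS_SAMPLE_ATTR_MAX + 1];
	const struct nlattr *probability, *actions;
	const struct nlattr *a;
	int rem, start, err;
	struct sample_arg arg;

	memset(attrs, 0, sizeof(attrs));
	nla_for_each_nested(a, attr, rem) {
		int type = nla_type(a);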
if (!type || type > OVS_SAMPLE_ATTR_MAX || attrs[type])
			return -EINVAL;
		attrs[type] = a;
	}
	if (rem)
		return -EINVAL;

	probability = attrs[OVS_SAMPLE_ATTR_PROBABILITY];
	if (!probability || nla_len(probability) != sizeof(u32))
		return -EINVAL;

	actions = attrs[OVS_SAMPLE_ATTR_ACTIONS];
	if (!actions || (nla_len(actions) && nla_len(actions) < NLA_HDRLEN))
		return -EINVAL;

	/* validation done, copy sample action. */
	start = add_nested_action_start(sfa, OVS_ACTION_ATTR_SAMPLE, log);
	if (start < 0)
		return start;

	/* When both skb and flow may be changed, put the sample
	 * into a deferred fifo. On the other hand, if only skb
	 * may be modified, the actions can be executed in place.
	 *
	 * Do this analysis at the flow installation time.
	 * Set 'arg.exec' to true if the actions can be
	 * executed without being deferred.
	 *
	 * If the sample is the last action, it can always be executed
	 * rather than deferred.
	 *
	 * NOTE(review): only 'exec' and 'probability' are assigned before
	 * sizeof(arg) bytes are copied into the action list; confirm that
	 * struct sample_arg has no other members or padding.
	 */
	arg.exec = last || !actions_may_change_flow(actions);
	arg.probability = nla_get_u32(probability);

	err = ovs_nla_add_action(sfa, OVS_SAMPLE_ATTR_ARG, &arg, sizeof(arg),
				 log);
	if (err)
		return err;

	err = __ovs_nla_copy_actions(net, actions, key, sfa,
				     eth_type, vlan_tci, mpls_label_count, log);

	if (err)
		return err;

	add_nested_action_end(*sfa, start);

	return 0;
}

/* Validates a dec_ttl action and copies it into '*sfa' as
 * OVS_ACTION_ATTR_DEC_TTL { OVS_DEC_TTL_ATTR_ACTION { actions... } }.
 *
 * Attribute types above OVS_DEC_TTL_ATTR_MAX are skipped; type 0, a repeated
 * type, trailing bytes, or a missing or too-short action list are rejected
 * with -EINVAL.
 */
static int validate_and_copy_dec_ttl(struct net *net,
				     const struct nlattr *attr,
				     const struct sw_flow_key *key,
				     struct sw_flow_actions **sfa,
				     __be16 eth_type, __be16 vlan_tci,
				     u32 mpls_label_count, bool log)
{
	const struct nlattr *tb[OVS_DEC_TTL_ATTR_MAX + 1];
	const struct nlattr *cur, *nested;
	int outer, inner, left, err;

	memset(tb, 0, sizeof(tb));
	nla_for_each_nested(cur, attr, left) {
		int type = nla_type(cur);

		/* Unknown (newer) attribute types are tolerated. */
		if (type > OVS_DEC_TTL_ATTR_MAX)
			continue;

		if (type && !tb[type]) {
			tb[type] = cur;
			continue;
		}

		OVS_NLERR(log, "Duplicate or invalid key (type %d).",
			  type);
		return -EINVAL;
	}

	if (left) {
		OVS_NLERR(log, "Message has %d unknown bytes.", left);
		return -EINVAL;
	}

	nested = tb[OVS_DEC_TTL_ATTR_ACTION];
	if (!nested || (nla_len(nested) && nla_len(nested) < NLA_HDRLEN)) {
		OVS_NLERR(log, "Missing valid actions attribute.");
		return -EINVAL;
	}

	outer = add_nested_action_start(sfa, OVS_ACTION_ATTR_DEC_TTL, log);
	if (outer < 0)
		return outer;

	inner = add_nested_action_start(sfa, OVS_DEC_TTL_ATTR_ACTION, log);
	if (inner < 0)
		return inner;

	err = __ovs_nla_copy_actions(net, nested, key, sfa, eth_type,
				     vlan_tci, mpls_label_count, log);
	if (err)
		return err;

	/* Close innermost first so each length covers its own contents. */
	add_nested_action_end(*sfa, inner);
	add_nested_action_end(*sfa, outer);
	return 0;
}

/* Validates a clone action and copies it into '*sfa' as
 * OVS_ACTION_ATTR_CLONE { OVS_CLONE_ATTR_EXEC, actions... }.
 *
 * The exec flag is set when the clone is the last action or when its actions
 * cannot change the flow.
 */
static int validate_and_copy_clone(struct net *net,
				   const struct nlattr *attr,
				   const struct sw_flow_key *key,
				   struct sw_flow_actions **sfa,
				   __be16 eth_type, __be16 vlan_tci,
				   u32 mpls_label_count, bool log, bool last)
{
	int nest_off, rc;
	u32 exec_now;

	/* A non-empty payload must hold at least one attribute header. */
	if (nla_len(attr) && nla_len(attr) < NLA_HDRLEN)
		return -EINVAL;

	nest_off = add_nested_action_start(sfa, OVS_ACTION_ATTR_CLONE, log);
	if (nest_off < 0)
		return nest_off;

	exec_now = last || !actions_may_change_flow(attr);

	rc = ovs_nla_add_action(sfa, OVS_CLONE_ATTR_EXEC, &exec_now,
				sizeof(exec_now), log);
	if (rc)
		return rc;

	rc = __ovs_nla_copy_actions(net, attr, key, sfa,
				    eth_type, vlan_tci, mpls_label_count, log);
	if (rc)
		return rc;

	add_nested_action_end(*sfa, nest_off);

	return 0;
}

/* Prepares 'match' for parsing: clears it and attaches 'key' and 'mask'.
 *
 * 'key' is zeroed only when 'reset_key' is true. When 'mask' is non-NULL its
 * key is zeroed and its range is reset to empty.
 */
void ovs_match_init(struct sw_flow_match *match,
		    struct sw_flow_key *key,
		    bool reset_key,
		    struct sw_flow_mask *mask)
{
	memset(match, 0, sizeof(*match));
	match->key = key;
	match->mask = mask;

	if (reset_key)
		memset(key, 0, sizeof(*key));

	if (!mask)
		return;

	memset(&mask->key, 0, sizeof(mask->key));
	mask->range.end = 0;
	mask->range.start = 0;
}

/* Walks the Geneve options stored in 'key' and checks that each option header
 * and its declared length fit inside the remaining option bytes.
 *
 * Sets TUNNEL_CRIT_OPT in the tunnel flags when any option carries
 * GENEVE_CRIT_OPT_TYPE. Returns 0, or -EINVAL on a truncated option.
 */
static int validate_geneve_opts(struct sw_flow_key *key)
{
	struct geneve_opt *opt;
	int remaining = key->tun_opts_len;
	bool has_critical = false;

	opt = (struct geneve_opt *)TUN_METADATA_OPTS(key, key->tun_opts_len);
	while (remaining > 0) {
		int opt_len;

		/* The fixed header must fit before 'length' is read. */
		if (remaining < sizeof(*opt))
			return -EINVAL;

		/* 'length' counts 4-byte words of option data. */
		opt_len = sizeof(*opt) + opt->length * 4;
		if (opt_len > remaining)
			return -EINVAL;

		if (opt->type & GENEVE_CRIT_OPT_TYPE)
			has_critical = true;

		opt = (struct geneve_opt *)((u8 *)opt + opt_len);
		remaining -= opt_len;
	}

	if (has_critical)
		key->tun_key.tun_flags |= TUNNEL_CRIT_OPT;

	return 0;
}

/* Validates a set-tunnel action and stores it in '*sfa' as
 * OVS_ACTION_ATTR_SET { OVS_KEY_ATTR_TUNNEL_INFO }.
 *
 * The stored action holds a pointer to a freshly allocated metadata dst that
 * carries the tunnel key and options; ovs_nla_free_set_action() drops that
 * reference. Returns 0 or a negative errno.
 */
static int validate_and_copy_set_tun(const struct nlattr *attr,
				     struct sw_flow_actions **sfa, bool log)
{
	struct sw_flow_match match;
	struct sw_flow_key key;
	struct metadata_dst *md_dst;
	struct ip_tunnel_info *info;
	struct ovs_tunnel_info *stored;
	struct nlattr *slot;
	int err = 0, nest_off, opts_type;
	__be16 dst_opt_type = 0;

	ovs_match_init(&match, &key, true, NULL);
	opts_type = ip_tun_from_nlattr(nla_data(attr), &match, false, log);
	if (opts_type < 0)
		return opts_type;

	if (key.tun_opts_len) {
		switch (opts_type) {
		case OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS:
			/* Only Geneve options get a structural check here. */
			err = validate_geneve_opts(&key);
			if (err < 0)
				return err;
			dst_opt_type = TUNNEL_GENEVE_OPT;
			break;
		case OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS:
			dst_opt_type = TUNNEL_VXLAN_OPT;
			break;
		case OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS:
			dst_opt_type = TUNNEL_ERSPAN_OPT;
			break;
		}
	}

	nest_off = add_nested_action_start(sfa, OVS_ACTION_ATTR_SET, log);
	if (nest_off < 0)
		return nest_off;

	md_dst = metadata_dst_alloc(key.tun_opts_len, METADATA_IP_TUNNEL,
				    GFP_KERNEL);
	if (!md_dst)
		return -ENOMEM;

	err = dst_cache_init(&md_dst->u.tun_info.dst_cache, GFP_KERNEL);
	if (err)
		goto release_dst;

	slot = __add_action(sfa, OVS_KEY_ATTR_TUNNEL_INFO, NULL,
			    sizeof(*stored), log);
	if (IS_ERR(slot)) {
		err = PTR_ERR(slot);
		goto release_dst;
	}

	/* From here on the action list owns the dst reference. */
	stored = nla_data(slot);
	stored->tun_dst = md_dst;

	info = &md_dst->u.tun_info;
	info->mode = IP_TUNNEL_INFO_TX;
	if (key.tun_proto == AF_INET6)
		info->mode |= IP_TUNNEL_INFO_IPV6;
	else if (key.tun_proto == AF_INET && key.tun_key.u.ipv4.dst == 0)
		info->mode |= IP_TUNNEL_INFO_BRIDGE;
	info->key = key.tun_key;

	/* 'key' lives on this stack frame, so the options are copied into
	 * the tunnel info, where they stay valid after flow setup.
	 */
	ip_tunnel_info_opts_set(info,
				TUN_METADATA_OPTS(&key, key.tun_opts_len),
				key.tun_opts_len, dst_opt_type);
	add_nested_action_end(*sfa, nest_off);

	return err;

release_dst:
	dst_release((struct dst_entry *)md_dst);
	return err;
}

/* Returns true when 'attr' parses as a valid NSH key (or mask) for the given
 * mode. The parse goes into a scratch key that is then discarded.
 */
static bool validate_nsh(const struct nlattr *attr, bool is_mask,
			 bool is_push_nsh, bool log)
{
	struct sw_flow_match match;
	struct sw_flow_key key;

	ovs_match_init(&match, &key, true, NULL);
	return nsh_key_put_from_nlattr(attr, &match, is_mask,
				       is_push_nsh, log) == 0;
}

/* Returns false if any value bit is set outside the mask.
 * The mask follows the 'len' bytes of data immediately, before any netlink
 * padding, so 'data' must point at 2 * len readable bytes.
 */
static bool validate_masked(u8 *data, int len)
{
	u8 *value = data;
	u8 *mask = data + len;

	while (len--) {
		if (*value & ~*mask)
			return false;
		value++;
		mask++;
	}

	return true;
}

static int validate_set(const struct nlattr *a,
			const struct sw_flow_key *flow_key,
			struct sw_flow_actions **sfa, bool *skip_copy,
			u8 mac_proto, __be16 eth_type, bool masked, bool log)
{
	/* NOTE(review): the nested attribute header is read here before
	 * nla_len(a) is known to hold one. Confirm the caller guarantees at
	 * least NLA_HDRLEN bytes of payload for SET and SET_MASKED.
	 */
	const struct nlattr *ovs_key = nla_data(a);
	int key_type = nla_type(ovs_key);
	size_t key_len;

	/* There can be only one key in a action */
	if (nla_total_size(nla_len(ovs_key)) != nla_len(a))
		return -EINVAL;

	key_len = nla_len(ovs_key);
	if (masked)
		key_len /= 2;

	if (key_type > OVS_KEY_ATTR_MAX ||
	    !check_attr_len(key_len, ovs_key_lens[key_type].len))
		return -EINVAL;

	if (masked && !validate_masked(nla_data(ovs_key), key_len))
		return -EINVAL;

	switch (key_type) {
	case OVS_KEY_ATTR_PRIORITY:
	case OVS_KEY_ATTR_SKB_MARK:
	case OVS_KEY_ATTR_CT_MARK:
case OVS_KEY_ATTR_CT_LABELS:
		break;

	case OVS_KEY_ATTR_ETHERNET:
		if (mac_proto != MAC_PROTO_ETHERNET)
			return -EINVAL;
		break;

	case OVS_KEY_ATTR_TUNNEL: {
		int err;

		if (masked)
			return -EINVAL; /* Masked tunnel set not supported. */

		*skip_copy = true;
		err = validate_and_copy_set_tun(a, sfa, log);
		if (err)
			return err;
		break;
	}
	case OVS_KEY_ATTR_IPV4: {
		const struct ovs_key_ipv4 *ipv4_key;

		if (eth_type != htons(ETH_P_IP))
			return -EINVAL;

		ipv4_key = nla_data(ovs_key);

		if (masked) {
			const struct ovs_key_ipv4 *mask = ipv4_key + 1;

			/* Non-writeable fields. */
			if (mask->ipv4_proto || mask->ipv4_frag)
				return -EINVAL;
		} else {
			if (ipv4_key->ipv4_proto != flow_key->ip.proto)
				return -EINVAL;

			if (ipv4_key->ipv4_frag != flow_key->ip.frag)
				return -EINVAL;
		}
		break;
	}
	case OVS_KEY_ATTR_IPV6: {
		const struct ovs_key_ipv6 *ipv6_key;

		if (eth_type != htons(ETH_P_IPV6))
			return -EINVAL;

		ipv6_key = nla_data(ovs_key);

		if (masked) {
			const struct ovs_key_ipv6 *mask = ipv6_key + 1;

			/* Non-writeable fields. */
			if (mask->ipv6_proto || mask->ipv6_frag)
				return -EINVAL;

			/* Invalid bits in the flow label mask? */
			if (ntohl(mask->ipv6_label) & 0xFFF00000)
				return -EINVAL;
		} else {
			if (ipv6_key->ipv6_proto != flow_key->ip.proto)
				return -EINVAL;

			if (ipv6_key->ipv6_frag != flow_key->ip.frag)
				return -EINVAL;
		}
		if (ntohl(ipv6_key->ipv6_label) & 0xFFF00000)
			return -EINVAL;

		break;
	}
	case OVS_KEY_ATTR_TCP:
		if ((eth_type != htons(ETH_P_IP) &&
		     eth_type != htons(ETH_P_IPV6)) ||
		    flow_key->ip.proto != IPPROTO_TCP)
			return -EINVAL;

		break;

	case OVS_KEY_ATTR_UDP:
		if ((eth_type != htons(ETH_P_IP) &&
		     eth_type != htons(ETH_P_IPV6)) ||
		    flow_key->ip.proto != IPPROTO_UDP)
			return -EINVAL;

		break;

	case OVS_KEY_ATTR_MPLS:
		if (!eth_p_mpls(eth_type))
			return -EINVAL;
		break;

	case OVS_KEY_ATTR_SCTP:
		if ((eth_type != htons(ETH_P_IP) &&
		     eth_type != htons(ETH_P_IPV6)) ||
		    flow_key->ip.proto != IPPROTO_SCTP)
			return -EINVAL;

		break;

	case OVS_KEY_ATTR_NSH:
		if (eth_type != htons(ETH_P_NSH))
			return -EINVAL;
		if (!validate_nsh(nla_data(a), masked, false, log))
			return -EINVAL;
		break;

	default:
		return -EINVAL;
	}

	/* Convert non-masked non-tunnel set actions to masked set actions. */
	if (!masked && key_type != OVS_KEY_ATTR_TUNNEL) {
		int start, len = key_len * 2;
		struct nlattr *at;

		*skip_copy = true;

		start = add_nested_action_start(sfa,
						OVS_ACTION_ATTR_SET_TO_MASKED,
						log);
		if (start < 0)
			return start;

		at = __add_action(sfa, key_type, NULL, len, log);
		if (IS_ERR(at))
			return PTR_ERR(at);

		memcpy(nla_data(at), nla_data(ovs_key), key_len); /* Key. */
		memset(nla_data(at) + key_len, 0xff, key_len);    /* Mask. */
		/* Clear non-writeable bits from otherwise writeable fields. */
		if (key_type == OVS_KEY_ATTR_IPV6) {
			struct ovs_key_ipv6 *mask = nla_data(at) + key_len;

			mask->ipv6_label &= htonl(0x000FFFFF);
		}
		add_nested_action_end(*sfa, start);
	}

	return 0;
}

/* Validates a userspace action: the nested attributes must satisfy the
 * policy below and carry a non-zero OVS_USERSPACE_ATTR_PID.
 */
static int validate_userspace(const struct nlattr *attr)
{
	static const struct nla_policy userspace_policy[OVS_USERSPACE_ATTR_MAX + 1] = {
		[OVS_USERSPACE_ATTR_PID] = {.type = NLA_U32 },
		[OVS_USERSPACE_ATTR_USERDATA] = {.type = NLA_UNSPEC },
		[OVS_USERSPACE_ATTR_EGRESS_TUN_PORT] = {.type = NLA_U32 },
	};
	struct nlattr *tb[OVS_USERSPACE_ATTR_MAX + 1];
	const struct nlattr *pid;
	int rc;

	rc = nla_parse_nested_deprecated(tb, OVS_USERSPACE_ATTR_MAX, attr,
					 userspace_policy, NULL);
	if (rc)
		return rc;

	pid = tb[OVS_USERSPACE_ATTR_PID];
	if (!pid || !nla_get_u32(pid))
		return -EINVAL;

	return 0;
}

/* Parse policy for the attributes nested in a check_pkt_len action. */
static const struct nla_policy cpl_policy[OVS_CHECK_PKT_LEN_ATTR_MAX + 1] = {
	[OVS_CHECK_PKT_LEN_ATTR_PKT_LEN] = {.type = NLA_U16 },
	[OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER] = {.type = NLA_NESTED },
	[OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL] = {.type = NLA_NESTED },
};

/* Validates a check_pkt_len action and copies it into '*sfa' as
 * OVS_ACTION_ATTR_CHECK_PKT_LEN { ARG, ACTIONS_IF_LESS_EQUAL { ... },
 * ACTIONS_IF_GREATER { ... } }.
 *
 * A non-zero packet length and both nested action lists are required. Each
 * branch may execute in place when this is the last action or when its
 * actions cannot change the flow.
 */
static int validate_and_copy_check_pkt_len(struct net *net,
					   const struct nlattr *attr,
					   const struct sw_flow_key *key,
					   struct sw_flow_actions **sfa,
					   __be16 eth_type, __be16 vlan_tci,
					   u32 mpls_label_count,
					   bool log, bool last)
{
	struct nlattr *tb[OVS_CHECK_PKT_LEN_ATTR_MAX + 1];
	const struct nlattr *le_acts, *gt_acts;
	struct check_pkt_len_arg arg;
	int outer, inner, rc;

	rc = nla_parse_deprecated_strict(tb, OVS_CHECK_PKT_LEN_ATTR_MAX,
					 nla_data(attr), nla_len(attr),
					 cpl_policy, NULL);
	if (rc)
		return rc;

	if (!tb[OVS_CHECK_PKT_LEN_ATTR_PKT_LEN] ||
	    !nla_get_u16(tb[OVS_CHECK_PKT_LEN_ATTR_PKT_LEN]))
		return -EINVAL;

	le_acts = tb[OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL];
	gt_acts = tb[OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER];

	/* Both nested action lists must be present. */
	if (!gt_acts || !le_acts)
		return -EINVAL;

	/* Validation done, copy the nested actions. */
	outer = add_nested_action_start(sfa, OVS_ACTION_ATTR_CHECK_PKT_LEN,
					log);
	if (outer < 0)
		return outer;

	/* NOTE(review): three members are assigned before sizeof(arg) bytes
	 * are copied into the action list; confirm that struct
	 * check_pkt_len_arg has no other members or padding.
	 */
	arg.pkt_len = nla_get_u16(tb[OVS_CHECK_PKT_LEN_ATTR_PKT_LEN]);
	arg.exec_for_lesser_equal =
		last || !actions_may_change_flow(le_acts);
	arg.exec_for_greater =
		last || !actions_may_change_flow(gt_acts);

	rc = ovs_nla_add_action(sfa, OVS_CHECK_PKT_LEN_ATTR_ARG, &arg,
				sizeof(arg), log);
	if (rc)
		return rc;

	/* "Less or equal" branch. */
	inner = add_nested_action_start(sfa,
		OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL, log);
	if (inner < 0)
		return inner;

	rc = __ovs_nla_copy_actions(net, le_acts, key, sfa,
				    eth_type, vlan_tci, mpls_label_count, log);
	if (rc)
		return rc;

	add_nested_action_end(*sfa, inner);

	/* "Greater" branch. */
	inner = add_nested_action_start(sfa,
		OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER, log);
	if (inner < 0)
		return inner;

	rc = __ovs_nla_copy_actions(net, gt_acts, key, sfa,
				    eth_type, vlan_tci, mpls_label_count, log);
	if (rc)
		return rc;

	add_nested_action_end(*sfa, inner);
	add_nested_action_end(*sfa, outer);
	return 0;
}

/* Copies one already-validated attribute, including its trailing netlink
 * padding, to the end of '*sfa'. Returns 0 or a negative errno.
 */
static int copy_action(const struct nlattr *from,
		       struct sw_flow_actions **sfa, bool log)
{
	int aligned_len = NLA_ALIGN(from->nla_len);
	struct nlattr *dst;

	dst = reserve_sfa_size(sfa, from->nla_len, log);
	if (IS_ERR(dst))
		return PTR_ERR(dst);

	memcpy(dst, from, aligned_len);
	return 0;
}

static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
				  const struct sw_flow_key *key,
				  struct sw_flow_actions **sfa,
				  __be16 eth_type, __be16 vlan_tci,
				  u32 mpls_label_count, bool log)
{
	u8 mac_proto = ovs_key_mac_proto(key);
	const struct nlattr *a;
	int rem, err;

	nla_for_each_nested(a, attr, rem) {
		/* Expected argument lengths, (u32)-1 for variable length. */
		static const u32 action_lens[OVS_ACTION_ATTR_MAX + 1] = {
			[OVS_ACTION_ATTR_OUTPUT] = sizeof(u32),
			[OVS_ACTION_ATTR_RECIRC] = sizeof(u32),
			[OVS_ACTION_ATTR_USERSPACE] = (u32)-1,
			[OVS_ACTION_ATTR_PUSH_MPLS] = sizeof(struct ovs_action_push_mpls),
			[OVS_ACTION_ATTR_POP_MPLS] = sizeof(__be16),
			[OVS_ACTION_ATTR_PUSH_VLAN] = sizeof(struct ovs_action_push_vlan),
			[OVS_ACTION_ATTR_POP_VLAN] = 0,
			[OVS_ACTION_ATTR_SET] = (u32)-1,
			[OVS_ACTION_ATTR_SET_MASKED] = (u32)-1,
			[OVS_ACTION_ATTR_SAMPLE] = (u32)-1,
			[OVS_ACTION_ATTR_HASH] = sizeof(struct ovs_action_hash),
			[OVS_ACTION_ATTR_CT] = (u32)-1,
			[OVS_ACTION_ATTR_CT_CLEAR] = 0,
			[OVS_ACTION_ATTR_TRUNC] = sizeof(struct ovs_action_trunc),
			[OVS_ACTION_ATTR_PUSH_ETH] = sizeof(struct ovs_action_push_eth),
			[OVS_ACTION_ATTR_POP_ETH] = 0,
			[OVS_ACTION_ATTR_PUSH_NSH] = (u32)-1,
			[OVS_ACTION_ATTR_POP_NSH] = 0,
			[OVS_ACTION_ATTR_METER] = sizeof(u32),
			[OVS_ACTION_ATTR_CLONE] = (u32)-1,
			[OVS_ACTION_ATTR_CHECK_PKT_LEN] = (u32)-1,
			[OVS_ACTION_ATTR_ADD_MPLS] = sizeof(struct ovs_action_add_mpls),
			[OVS_ACTION_ATTR_DEC_TTL] = (u32)-1,
		};
		const struct ovs_action_push_vlan *vlan;
		int type = nla_type(a);
		bool skip_copy;

		if (type > OVS_ACTION_ATTR_MAX ||
		    (action_lens[type] != nla_len(a) &&
		     action_lens[type] != (u32)-1))
			return -EINVAL;

		skip_copy = false;
		switch (type) {
		case OVS_ACTION_ATTR_UNSPEC:
return -EINVAL; 3107 3108 case OVS_ACTION_ATTR_USERSPACE: 3109 err = validate_userspace(a); 3110 if (err) 3111 return err; 3112 break; 3113 3114 case OVS_ACTION_ATTR_OUTPUT: 3115 if (nla_get_u32(a) >= DP_MAX_PORTS) 3116 return -EINVAL; 3117 break; 3118 3119 case OVS_ACTION_ATTR_TRUNC: { 3120 const struct ovs_action_trunc *trunc = nla_data(a); 3121 3122 if (trunc->max_len < ETH_HLEN) 3123 return -EINVAL; 3124 break; 3125 } 3126 3127 case OVS_ACTION_ATTR_HASH: { 3128 const struct ovs_action_hash *act_hash = nla_data(a); 3129 3130 switch (act_hash->hash_alg) { 3131 case OVS_HASH_ALG_L4: 3132 break; 3133 default: 3134 return -EINVAL; 3135 } 3136 3137 break; 3138 } 3139 3140 case OVS_ACTION_ATTR_POP_VLAN: 3141 if (mac_proto != MAC_PROTO_ETHERNET) 3142 return -EINVAL; 3143 vlan_tci = htons(0); 3144 break; 3145 3146 case OVS_ACTION_ATTR_PUSH_VLAN: 3147 if (mac_proto != MAC_PROTO_ETHERNET) 3148 return -EINVAL; 3149 vlan = nla_data(a); 3150 if (!eth_type_vlan(vlan->vlan_tpid)) 3151 return -EINVAL; 3152 if (!(vlan->vlan_tci & htons(VLAN_CFI_MASK))) 3153 return -EINVAL; 3154 vlan_tci = vlan->vlan_tci; 3155 break; 3156 3157 case OVS_ACTION_ATTR_RECIRC: 3158 break; 3159 3160 case OVS_ACTION_ATTR_ADD_MPLS: { 3161 const struct ovs_action_add_mpls *mpls = nla_data(a); 3162 3163 if (!eth_p_mpls(mpls->mpls_ethertype)) 3164 return -EINVAL; 3165 3166 if (mpls->tun_flags & OVS_MPLS_L3_TUNNEL_FLAG_MASK) { 3167 if (vlan_tci & htons(VLAN_CFI_MASK) || 3168 (eth_type != htons(ETH_P_IP) && 3169 eth_type != htons(ETH_P_IPV6) && 3170 eth_type != htons(ETH_P_ARP) && 3171 eth_type != htons(ETH_P_RARP) && 3172 !eth_p_mpls(eth_type))) 3173 return -EINVAL; 3174 mpls_label_count++; 3175 } else { 3176 if (mac_proto == MAC_PROTO_ETHERNET) { 3177 mpls_label_count = 1; 3178 mac_proto = MAC_PROTO_NONE; 3179 } else { 3180 mpls_label_count++; 3181 } 3182 } 3183 eth_type = mpls->mpls_ethertype; 3184 break; 3185 } 3186 3187 case OVS_ACTION_ATTR_PUSH_MPLS: { 3188 const struct ovs_action_push_mpls *mpls = 
nla_data(a); 3189 3190 if (!eth_p_mpls(mpls->mpls_ethertype)) 3191 return -EINVAL; 3192 /* Prohibit push MPLS other than to a white list 3193 * for packets that have a known tag order. 3194 */ 3195 if (vlan_tci & htons(VLAN_CFI_MASK) || 3196 (eth_type != htons(ETH_P_IP) && 3197 eth_type != htons(ETH_P_IPV6) && 3198 eth_type != htons(ETH_P_ARP) && 3199 eth_type != htons(ETH_P_RARP) && 3200 !eth_p_mpls(eth_type))) 3201 return -EINVAL; 3202 eth_type = mpls->mpls_ethertype; 3203 mpls_label_count++; 3204 break; 3205 } 3206 3207 case OVS_ACTION_ATTR_POP_MPLS: { 3208 __be16 proto; 3209 if (vlan_tci & htons(VLAN_CFI_MASK) || 3210 !eth_p_mpls(eth_type)) 3211 return -EINVAL; 3212 3213 /* Disallow subsequent L2.5+ set actions and mpls_pop 3214 * actions once the last MPLS label in the packet is 3215 * is popped as there is no check here to ensure that 3216 * the new eth type is valid and thus set actions could 3217 * write off the end of the packet or otherwise corrupt 3218 * it. 3219 * 3220 * Support for these actions is planned using packet 3221 * recirculation. 
3222 */ 3223 proto = nla_get_be16(a); 3224 3225 if (proto == htons(ETH_P_TEB) && 3226 mac_proto != MAC_PROTO_NONE) 3227 return -EINVAL; 3228 3229 mpls_label_count--; 3230 3231 if (!eth_p_mpls(proto) || !mpls_label_count) 3232 eth_type = htons(0); 3233 else 3234 eth_type = proto; 3235 3236 break; 3237 } 3238 3239 case OVS_ACTION_ATTR_SET: 3240 err = validate_set(a, key, sfa, 3241 &skip_copy, mac_proto, eth_type, 3242 false, log); 3243 if (err) 3244 return err; 3245 break; 3246 3247 case OVS_ACTION_ATTR_SET_MASKED: 3248 err = validate_set(a, key, sfa, 3249 &skip_copy, mac_proto, eth_type, 3250 true, log); 3251 if (err) 3252 return err; 3253 break; 3254 3255 case OVS_ACTION_ATTR_SAMPLE: { 3256 bool last = nla_is_last(a, rem); 3257 3258 err = validate_and_copy_sample(net, a, key, sfa, 3259 eth_type, vlan_tci, 3260 mpls_label_count, 3261 log, last); 3262 if (err) 3263 return err; 3264 skip_copy = true; 3265 break; 3266 } 3267 3268 case OVS_ACTION_ATTR_CT: 3269 err = ovs_ct_copy_action(net, a, key, sfa, log); 3270 if (err) 3271 return err; 3272 skip_copy = true; 3273 break; 3274 3275 case OVS_ACTION_ATTR_CT_CLEAR: 3276 break; 3277 3278 case OVS_ACTION_ATTR_PUSH_ETH: 3279 /* Disallow pushing an Ethernet header if one 3280 * is already present */ 3281 if (mac_proto != MAC_PROTO_NONE) 3282 return -EINVAL; 3283 mac_proto = MAC_PROTO_ETHERNET; 3284 break; 3285 3286 case OVS_ACTION_ATTR_POP_ETH: 3287 if (mac_proto != MAC_PROTO_ETHERNET) 3288 return -EINVAL; 3289 if (vlan_tci & htons(VLAN_CFI_MASK)) 3290 return -EINVAL; 3291 mac_proto = MAC_PROTO_NONE; 3292 break; 3293 3294 case OVS_ACTION_ATTR_PUSH_NSH: 3295 if (mac_proto != MAC_PROTO_ETHERNET) { 3296 u8 next_proto; 3297 3298 next_proto = tun_p_from_eth_p(eth_type); 3299 if (!next_proto) 3300 return -EINVAL; 3301 } 3302 mac_proto = MAC_PROTO_NONE; 3303 if (!validate_nsh(nla_data(a), false, true, true)) 3304 return -EINVAL; 3305 break; 3306 3307 case OVS_ACTION_ATTR_POP_NSH: { 3308 __be16 inner_proto; 3309 3310 if (eth_type != 
htons(ETH_P_NSH)) 3311 return -EINVAL; 3312 inner_proto = tun_p_to_eth_p(key->nsh.base.np); 3313 if (!inner_proto) 3314 return -EINVAL; 3315 if (key->nsh.base.np == TUN_P_ETHERNET) 3316 mac_proto = MAC_PROTO_ETHERNET; 3317 else 3318 mac_proto = MAC_PROTO_NONE; 3319 break; 3320 } 3321 3322 case OVS_ACTION_ATTR_METER: 3323 /* Non-existent meters are simply ignored. */ 3324 break; 3325 3326 case OVS_ACTION_ATTR_CLONE: { 3327 bool last = nla_is_last(a, rem); 3328 3329 err = validate_and_copy_clone(net, a, key, sfa, 3330 eth_type, vlan_tci, 3331 mpls_label_count, 3332 log, last); 3333 if (err) 3334 return err; 3335 skip_copy = true; 3336 break; 3337 } 3338 3339 case OVS_ACTION_ATTR_CHECK_PKT_LEN: { 3340 bool last = nla_is_last(a, rem); 3341 3342 err = validate_and_copy_check_pkt_len(net, a, key, sfa, 3343 eth_type, 3344 vlan_tci, 3345 mpls_label_count, 3346 log, last); 3347 if (err) 3348 return err; 3349 skip_copy = true; 3350 break; 3351 } 3352 3353 case OVS_ACTION_ATTR_DEC_TTL: 3354 err = validate_and_copy_dec_ttl(net, a, key, sfa, 3355 eth_type, vlan_tci, 3356 mpls_label_count, log); 3357 if (err) 3358 return err; 3359 skip_copy = true; 3360 break; 3361 3362 default: 3363 OVS_NLERR(log, "Unknown Action type %d", type); 3364 return -EINVAL; 3365 } 3366 if (!skip_copy) { 3367 err = copy_action(a, sfa, log); 3368 if (err) 3369 return err; 3370 } 3371 } 3372 3373 if (rem > 0) 3374 return -EINVAL; 3375 3376 return 0; 3377 } 3378 3379 /* 'key' must be the masked key. 
*/ 3380 int ovs_nla_copy_actions(struct net *net, const struct nlattr *attr, 3381 const struct sw_flow_key *key, 3382 struct sw_flow_actions **sfa, bool log) 3383 { 3384 int err; 3385 u32 mpls_label_count = 0; 3386 3387 *sfa = nla_alloc_flow_actions(min(nla_len(attr), MAX_ACTIONS_BUFSIZE)); 3388 if (IS_ERR(*sfa)) 3389 return PTR_ERR(*sfa); 3390 3391 if (eth_p_mpls(key->eth.type)) 3392 mpls_label_count = hweight_long(key->mpls.num_labels_mask); 3393 3394 (*sfa)->orig_len = nla_len(attr); 3395 err = __ovs_nla_copy_actions(net, attr, key, sfa, key->eth.type, 3396 key->eth.vlan.tci, mpls_label_count, log); 3397 if (err) 3398 ovs_nla_free_flow_actions(*sfa); 3399 3400 return err; 3401 } 3402 3403 static int sample_action_to_attr(const struct nlattr *attr, 3404 struct sk_buff *skb) 3405 { 3406 struct nlattr *start, *ac_start = NULL, *sample_arg; 3407 int err = 0, rem = nla_len(attr); 3408 const struct sample_arg *arg; 3409 struct nlattr *actions; 3410 3411 start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_SAMPLE); 3412 if (!start) 3413 return -EMSGSIZE; 3414 3415 sample_arg = nla_data(attr); 3416 arg = nla_data(sample_arg); 3417 actions = nla_next(sample_arg, &rem); 3418 3419 if (nla_put_u32(skb, OVS_SAMPLE_ATTR_PROBABILITY, arg->probability)) { 3420 err = -EMSGSIZE; 3421 goto out; 3422 } 3423 3424 ac_start = nla_nest_start_noflag(skb, OVS_SAMPLE_ATTR_ACTIONS); 3425 if (!ac_start) { 3426 err = -EMSGSIZE; 3427 goto out; 3428 } 3429 3430 err = ovs_nla_put_actions(actions, rem, skb); 3431 3432 out: 3433 if (err) { 3434 nla_nest_cancel(skb, ac_start); 3435 nla_nest_cancel(skb, start); 3436 } else { 3437 nla_nest_end(skb, ac_start); 3438 nla_nest_end(skb, start); 3439 } 3440 3441 return err; 3442 } 3443 3444 static int clone_action_to_attr(const struct nlattr *attr, 3445 struct sk_buff *skb) 3446 { 3447 struct nlattr *start; 3448 int err = 0, rem = nla_len(attr); 3449 3450 start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_CLONE); 3451 if (!start) 3452 return -EMSGSIZE; 3453 
3454 err = ovs_nla_put_actions(nla_data(attr), rem, skb); 3455 3456 if (err) 3457 nla_nest_cancel(skb, start); 3458 else 3459 nla_nest_end(skb, start); 3460 3461 return err; 3462 } 3463 3464 static int check_pkt_len_action_to_attr(const struct nlattr *attr, 3465 struct sk_buff *skb) 3466 { 3467 struct nlattr *start, *ac_start = NULL; 3468 const struct check_pkt_len_arg *arg; 3469 const struct nlattr *a, *cpl_arg; 3470 int err = 0, rem = nla_len(attr); 3471 3472 start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_CHECK_PKT_LEN); 3473 if (!start) 3474 return -EMSGSIZE; 3475 3476 /* The first nested attribute in 'attr' is always 3477 * 'OVS_CHECK_PKT_LEN_ATTR_ARG'. 3478 */ 3479 cpl_arg = nla_data(attr); 3480 arg = nla_data(cpl_arg); 3481 3482 if (nla_put_u16(skb, OVS_CHECK_PKT_LEN_ATTR_PKT_LEN, arg->pkt_len)) { 3483 err = -EMSGSIZE; 3484 goto out; 3485 } 3486 3487 /* Second nested attribute in 'attr' is always 3488 * 'OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL'. 3489 */ 3490 a = nla_next(cpl_arg, &rem); 3491 ac_start = nla_nest_start_noflag(skb, 3492 OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL); 3493 if (!ac_start) { 3494 err = -EMSGSIZE; 3495 goto out; 3496 } 3497 3498 err = ovs_nla_put_actions(nla_data(a), nla_len(a), skb); 3499 if (err) { 3500 nla_nest_cancel(skb, ac_start); 3501 goto out; 3502 } else { 3503 nla_nest_end(skb, ac_start); 3504 } 3505 3506 /* Third nested attribute in 'attr' is always 3507 * OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER. 
3508 */ 3509 a = nla_next(a, &rem); 3510 ac_start = nla_nest_start_noflag(skb, 3511 OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER); 3512 if (!ac_start) { 3513 err = -EMSGSIZE; 3514 goto out; 3515 } 3516 3517 err = ovs_nla_put_actions(nla_data(a), nla_len(a), skb); 3518 if (err) { 3519 nla_nest_cancel(skb, ac_start); 3520 goto out; 3521 } else { 3522 nla_nest_end(skb, ac_start); 3523 } 3524 3525 nla_nest_end(skb, start); 3526 return 0; 3527 3528 out: 3529 nla_nest_cancel(skb, start); 3530 return err; 3531 } 3532 3533 static int dec_ttl_action_to_attr(const struct nlattr *attr, 3534 struct sk_buff *skb) 3535 { 3536 struct nlattr *start, *action_start; 3537 const struct nlattr *a; 3538 int err = 0, rem; 3539 3540 start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_DEC_TTL); 3541 if (!start) 3542 return -EMSGSIZE; 3543 3544 nla_for_each_attr(a, nla_data(attr), nla_len(attr), rem) { 3545 switch (nla_type(a)) { 3546 case OVS_DEC_TTL_ATTR_ACTION: 3547 3548 action_start = nla_nest_start_noflag(skb, OVS_DEC_TTL_ATTR_ACTION); 3549 if (!action_start) { 3550 err = -EMSGSIZE; 3551 goto out; 3552 } 3553 3554 err = ovs_nla_put_actions(nla_data(a), nla_len(a), skb); 3555 if (err) 3556 goto out; 3557 3558 nla_nest_end(skb, action_start); 3559 break; 3560 3561 default: 3562 /* Ignore all other option to be future compatible */ 3563 break; 3564 } 3565 } 3566 3567 nla_nest_end(skb, start); 3568 return 0; 3569 3570 out: 3571 nla_nest_cancel(skb, start); 3572 return err; 3573 } 3574 3575 static int set_action_to_attr(const struct nlattr *a, struct sk_buff *skb) 3576 { 3577 const struct nlattr *ovs_key = nla_data(a); 3578 int key_type = nla_type(ovs_key); 3579 struct nlattr *start; 3580 int err; 3581 3582 switch (key_type) { 3583 case OVS_KEY_ATTR_TUNNEL_INFO: { 3584 struct ovs_tunnel_info *ovs_tun = nla_data(ovs_key); 3585 struct ip_tunnel_info *tun_info = &ovs_tun->tun_dst->u.tun_info; 3586 3587 start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_SET); 3588 if (!start) 3589 return -EMSGSIZE; 
3590 3591 err = ip_tun_to_nlattr(skb, &tun_info->key, 3592 ip_tunnel_info_opts(tun_info), 3593 tun_info->options_len, 3594 ip_tunnel_info_af(tun_info), tun_info->mode); 3595 if (err) 3596 return err; 3597 nla_nest_end(skb, start); 3598 break; 3599 } 3600 default: 3601 if (nla_put(skb, OVS_ACTION_ATTR_SET, nla_len(a), ovs_key)) 3602 return -EMSGSIZE; 3603 break; 3604 } 3605 3606 return 0; 3607 } 3608 3609 static int masked_set_action_to_set_action_attr(const struct nlattr *a, 3610 struct sk_buff *skb) 3611 { 3612 const struct nlattr *ovs_key = nla_data(a); 3613 struct nlattr *nla; 3614 size_t key_len = nla_len(ovs_key) / 2; 3615 3616 /* Revert the conversion we did from a non-masked set action to 3617 * masked set action. 3618 */ 3619 nla = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_SET); 3620 if (!nla) 3621 return -EMSGSIZE; 3622 3623 if (nla_put(skb, nla_type(ovs_key), key_len, nla_data(ovs_key))) 3624 return -EMSGSIZE; 3625 3626 nla_nest_end(skb, nla); 3627 return 0; 3628 } 3629 3630 int ovs_nla_put_actions(const struct nlattr *attr, int len, struct sk_buff *skb) 3631 { 3632 const struct nlattr *a; 3633 int rem, err; 3634 3635 nla_for_each_attr(a, attr, len, rem) { 3636 int type = nla_type(a); 3637 3638 switch (type) { 3639 case OVS_ACTION_ATTR_SET: 3640 err = set_action_to_attr(a, skb); 3641 if (err) 3642 return err; 3643 break; 3644 3645 case OVS_ACTION_ATTR_SET_TO_MASKED: 3646 err = masked_set_action_to_set_action_attr(a, skb); 3647 if (err) 3648 return err; 3649 break; 3650 3651 case OVS_ACTION_ATTR_SAMPLE: 3652 err = sample_action_to_attr(a, skb); 3653 if (err) 3654 return err; 3655 break; 3656 3657 case OVS_ACTION_ATTR_CT: 3658 err = ovs_ct_action_to_attr(nla_data(a), skb); 3659 if (err) 3660 return err; 3661 break; 3662 3663 case OVS_ACTION_ATTR_CLONE: 3664 err = clone_action_to_attr(a, skb); 3665 if (err) 3666 return err; 3667 break; 3668 3669 case OVS_ACTION_ATTR_CHECK_PKT_LEN: 3670 err = check_pkt_len_action_to_attr(a, skb); 3671 if (err) 3672 return 
err; 3673 break; 3674 3675 case OVS_ACTION_ATTR_DEC_TTL: 3676 err = dec_ttl_action_to_attr(a, skb); 3677 if (err) 3678 return err; 3679 break; 3680 3681 default: 3682 if (nla_put(skb, type, nla_len(a), nla_data(a))) 3683 return -EMSGSIZE; 3684 break; 3685 } 3686 } 3687 3688 return 0; 3689 } 3690