1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright (c) 2007-2017 Nicira, Inc.
4  */
5 
6 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
7 
8 #include "flow.h"
9 #include "datapath.h"
10 #include <linux/uaccess.h>
11 #include <linux/netdevice.h>
12 #include <linux/etherdevice.h>
13 #include <linux/if_ether.h>
14 #include <linux/if_vlan.h>
15 #include <net/llc_pdu.h>
16 #include <linux/kernel.h>
17 #include <linux/jhash.h>
18 #include <linux/jiffies.h>
19 #include <linux/llc.h>
20 #include <linux/module.h>
21 #include <linux/in.h>
22 #include <linux/rcupdate.h>
23 #include <linux/if_arp.h>
24 #include <linux/ip.h>
25 #include <linux/ipv6.h>
26 #include <linux/sctp.h>
27 #include <linux/tcp.h>
28 #include <linux/udp.h>
29 #include <linux/icmp.h>
30 #include <linux/icmpv6.h>
31 #include <linux/rculist.h>
32 #include <net/geneve.h>
33 #include <net/ip.h>
34 #include <net/ipv6.h>
35 #include <net/ndisc.h>
36 #include <net/mpls.h>
37 #include <net/vxlan.h>
38 #include <net/tun_proto.h>
39 #include <net/erspan.h>
40 
41 #include "flow_netlink.h"
42 
43 struct ovs_len_tbl {
44 	int len;
45 	const struct ovs_len_tbl *next;
46 };
47 
48 #define OVS_ATTR_NESTED -1
49 #define OVS_ATTR_VARIABLE -2
50 
51 static bool actions_may_change_flow(const struct nlattr *actions)
52 {
53 	struct nlattr *nla;
54 	int rem;
55 
56 	nla_for_each_nested(nla, actions, rem) {
57 		u16 action = nla_type(nla);
58 
59 		switch (action) {
60 		case OVS_ACTION_ATTR_OUTPUT:
61 		case OVS_ACTION_ATTR_RECIRC:
62 		case OVS_ACTION_ATTR_TRUNC:
63 		case OVS_ACTION_ATTR_USERSPACE:
64 			break;
65 
66 		case OVS_ACTION_ATTR_CT:
67 		case OVS_ACTION_ATTR_CT_CLEAR:
68 		case OVS_ACTION_ATTR_HASH:
69 		case OVS_ACTION_ATTR_POP_ETH:
70 		case OVS_ACTION_ATTR_POP_MPLS:
71 		case OVS_ACTION_ATTR_POP_NSH:
72 		case OVS_ACTION_ATTR_POP_VLAN:
73 		case OVS_ACTION_ATTR_PUSH_ETH:
74 		case OVS_ACTION_ATTR_PUSH_MPLS:
75 		case OVS_ACTION_ATTR_PUSH_NSH:
76 		case OVS_ACTION_ATTR_PUSH_VLAN:
77 		case OVS_ACTION_ATTR_SAMPLE:
78 		case OVS_ACTION_ATTR_SET:
79 		case OVS_ACTION_ATTR_SET_MASKED:
80 		case OVS_ACTION_ATTR_METER:
81 		case OVS_ACTION_ATTR_CHECK_PKT_LEN:
82 		case OVS_ACTION_ATTR_ADD_MPLS:
83 		case OVS_ACTION_ATTR_DEC_TTL:
84 		default:
85 			return true;
86 		}
87 	}
88 	return false;
89 }
90 
91 static void update_range(struct sw_flow_match *match,
92 			 size_t offset, size_t size, bool is_mask)
93 {
94 	struct sw_flow_key_range *range;
95 	size_t start = rounddown(offset, sizeof(long));
96 	size_t end = roundup(offset + size, sizeof(long));
97 
98 	if (!is_mask)
99 		range = &match->range;
100 	else
101 		range = &match->mask->range;
102 
103 	if (range->start == range->end) {
104 		range->start = start;
105 		range->end = end;
106 		return;
107 	}
108 
109 	if (range->start > start)
110 		range->start = start;
111 
112 	if (range->end < end)
113 		range->end = end;
114 }
115 
116 #define SW_FLOW_KEY_PUT(match, field, value, is_mask) \
117 	do { \
118 		update_range(match, offsetof(struct sw_flow_key, field),    \
119 			     sizeof((match)->key->field), is_mask);	    \
120 		if (is_mask)						    \
121 			(match)->mask->key.field = value;		    \
122 		else							    \
123 			(match)->key->field = value;		            \
124 	} while (0)
125 
126 #define SW_FLOW_KEY_MEMCPY_OFFSET(match, offset, value_p, len, is_mask)	    \
127 	do {								    \
128 		update_range(match, offset, len, is_mask);		    \
129 		if (is_mask)						    \
130 			memcpy((u8 *)&(match)->mask->key + offset, value_p, \
131 			       len);					   \
132 		else							    \
133 			memcpy((u8 *)(match)->key + offset, value_p, len);  \
134 	} while (0)
135 
136 #define SW_FLOW_KEY_MEMCPY(match, field, value_p, len, is_mask)		      \
137 	SW_FLOW_KEY_MEMCPY_OFFSET(match, offsetof(struct sw_flow_key, field), \
138 				  value_p, len, is_mask)
139 
140 #define SW_FLOW_KEY_MEMSET_FIELD(match, field, value, is_mask)		    \
141 	do {								    \
142 		update_range(match, offsetof(struct sw_flow_key, field),    \
143 			     sizeof((match)->key->field), is_mask);	    \
144 		if (is_mask)						    \
145 			memset((u8 *)&(match)->mask->key.field, value,      \
146 			       sizeof((match)->mask->key.field));	    \
147 		else							    \
148 			memset((u8 *)&(match)->key->field, value,           \
149 			       sizeof((match)->key->field));                \
150 	} while (0)
151 
152 static bool match_validate(const struct sw_flow_match *match,
153 			   u64 key_attrs, u64 mask_attrs, bool log)
154 {
155 	u64 key_expected = 0;
156 	u64 mask_allowed = key_attrs;  /* At most allow all key attributes */
157 
158 	/* The following mask attributes allowed only if they
159 	 * pass the validation tests. */
160 	mask_allowed &= ~((1 << OVS_KEY_ATTR_IPV4)
161 			| (1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4)
162 			| (1 << OVS_KEY_ATTR_IPV6)
163 			| (1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6)
164 			| (1 << OVS_KEY_ATTR_TCP)
165 			| (1 << OVS_KEY_ATTR_TCP_FLAGS)
166 			| (1 << OVS_KEY_ATTR_UDP)
167 			| (1 << OVS_KEY_ATTR_SCTP)
168 			| (1 << OVS_KEY_ATTR_ICMP)
169 			| (1 << OVS_KEY_ATTR_ICMPV6)
170 			| (1 << OVS_KEY_ATTR_ARP)
171 			| (1 << OVS_KEY_ATTR_ND)
172 			| (1 << OVS_KEY_ATTR_MPLS)
173 			| (1 << OVS_KEY_ATTR_NSH));
174 
175 	/* Always allowed mask fields. */
176 	mask_allowed |= ((1 << OVS_KEY_ATTR_TUNNEL)
177 		       | (1 << OVS_KEY_ATTR_IN_PORT)
178 		       | (1 << OVS_KEY_ATTR_ETHERTYPE));
179 
180 	/* Check key attributes. */
181 	if (match->key->eth.type == htons(ETH_P_ARP)
182 			|| match->key->eth.type == htons(ETH_P_RARP)) {
183 		key_expected |= 1 << OVS_KEY_ATTR_ARP;
184 		if (match->mask && (match->mask->key.eth.type == htons(0xffff)))
185 			mask_allowed |= 1 << OVS_KEY_ATTR_ARP;
186 	}
187 
188 	if (eth_p_mpls(match->key->eth.type)) {
189 		key_expected |= 1 << OVS_KEY_ATTR_MPLS;
190 		if (match->mask && (match->mask->key.eth.type == htons(0xffff)))
191 			mask_allowed |= 1 << OVS_KEY_ATTR_MPLS;
192 	}
193 
194 	if (match->key->eth.type == htons(ETH_P_IP)) {
195 		key_expected |= 1 << OVS_KEY_ATTR_IPV4;
196 		if (match->mask && match->mask->key.eth.type == htons(0xffff)) {
197 			mask_allowed |= 1 << OVS_KEY_ATTR_IPV4;
198 			mask_allowed |= 1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4;
199 		}
200 
201 		if (match->key->ip.frag != OVS_FRAG_TYPE_LATER) {
202 			if (match->key->ip.proto == IPPROTO_UDP) {
203 				key_expected |= 1 << OVS_KEY_ATTR_UDP;
204 				if (match->mask && (match->mask->key.ip.proto == 0xff))
205 					mask_allowed |= 1 << OVS_KEY_ATTR_UDP;
206 			}
207 
208 			if (match->key->ip.proto == IPPROTO_SCTP) {
209 				key_expected |= 1 << OVS_KEY_ATTR_SCTP;
210 				if (match->mask && (match->mask->key.ip.proto == 0xff))
211 					mask_allowed |= 1 << OVS_KEY_ATTR_SCTP;
212 			}
213 
214 			if (match->key->ip.proto == IPPROTO_TCP) {
215 				key_expected |= 1 << OVS_KEY_ATTR_TCP;
216 				key_expected |= 1 << OVS_KEY_ATTR_TCP_FLAGS;
217 				if (match->mask && (match->mask->key.ip.proto == 0xff)) {
218 					mask_allowed |= 1 << OVS_KEY_ATTR_TCP;
219 					mask_allowed |= 1 << OVS_KEY_ATTR_TCP_FLAGS;
220 				}
221 			}
222 
223 			if (match->key->ip.proto == IPPROTO_ICMP) {
224 				key_expected |= 1 << OVS_KEY_ATTR_ICMP;
225 				if (match->mask && (match->mask->key.ip.proto == 0xff))
226 					mask_allowed |= 1 << OVS_KEY_ATTR_ICMP;
227 			}
228 		}
229 	}
230 
231 	if (match->key->eth.type == htons(ETH_P_IPV6)) {
232 		key_expected |= 1 << OVS_KEY_ATTR_IPV6;
233 		if (match->mask && match->mask->key.eth.type == htons(0xffff)) {
234 			mask_allowed |= 1 << OVS_KEY_ATTR_IPV6;
235 			mask_allowed |= 1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6;
236 		}
237 
238 		if (match->key->ip.frag != OVS_FRAG_TYPE_LATER) {
239 			if (match->key->ip.proto == IPPROTO_UDP) {
240 				key_expected |= 1 << OVS_KEY_ATTR_UDP;
241 				if (match->mask && (match->mask->key.ip.proto == 0xff))
242 					mask_allowed |= 1 << OVS_KEY_ATTR_UDP;
243 			}
244 
245 			if (match->key->ip.proto == IPPROTO_SCTP) {
246 				key_expected |= 1 << OVS_KEY_ATTR_SCTP;
247 				if (match->mask && (match->mask->key.ip.proto == 0xff))
248 					mask_allowed |= 1 << OVS_KEY_ATTR_SCTP;
249 			}
250 
251 			if (match->key->ip.proto == IPPROTO_TCP) {
252 				key_expected |= 1 << OVS_KEY_ATTR_TCP;
253 				key_expected |= 1 << OVS_KEY_ATTR_TCP_FLAGS;
254 				if (match->mask && (match->mask->key.ip.proto == 0xff)) {
255 					mask_allowed |= 1 << OVS_KEY_ATTR_TCP;
256 					mask_allowed |= 1 << OVS_KEY_ATTR_TCP_FLAGS;
257 				}
258 			}
259 
260 			if (match->key->ip.proto == IPPROTO_ICMPV6) {
261 				key_expected |= 1 << OVS_KEY_ATTR_ICMPV6;
262 				if (match->mask && (match->mask->key.ip.proto == 0xff))
263 					mask_allowed |= 1 << OVS_KEY_ATTR_ICMPV6;
264 
265 				if (match->key->tp.src ==
266 						htons(NDISC_NEIGHBOUR_SOLICITATION) ||
267 				    match->key->tp.src == htons(NDISC_NEIGHBOUR_ADVERTISEMENT)) {
268 					key_expected |= 1 << OVS_KEY_ATTR_ND;
269 					/* Original direction conntrack tuple
270 					 * uses the same space as the ND fields
271 					 * in the key, so both are not allowed
272 					 * at the same time.
273 					 */
274 					mask_allowed &= ~(1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6);
275 					if (match->mask && (match->mask->key.tp.src == htons(0xff)))
276 						mask_allowed |= 1 << OVS_KEY_ATTR_ND;
277 				}
278 			}
279 		}
280 	}
281 
282 	if (match->key->eth.type == htons(ETH_P_NSH)) {
283 		key_expected |= 1 << OVS_KEY_ATTR_NSH;
284 		if (match->mask &&
285 		    match->mask->key.eth.type == htons(0xffff)) {
286 			mask_allowed |= 1 << OVS_KEY_ATTR_NSH;
287 		}
288 	}
289 
290 	if ((key_attrs & key_expected) != key_expected) {
291 		/* Key attributes check failed. */
292 		OVS_NLERR(log, "Missing key (keys=%llx, expected=%llx)",
293 			  (unsigned long long)key_attrs,
294 			  (unsigned long long)key_expected);
295 		return false;
296 	}
297 
298 	if ((mask_attrs & mask_allowed) != mask_attrs) {
299 		/* Mask attributes check failed. */
300 		OVS_NLERR(log, "Unexpected mask (mask=%llx, allowed=%llx)",
301 			  (unsigned long long)mask_attrs,
302 			  (unsigned long long)mask_allowed);
303 		return false;
304 	}
305 
306 	return true;
307 }
308 
309 size_t ovs_tun_key_attr_size(void)
310 {
311 	/* Whenever adding new OVS_TUNNEL_KEY_ FIELDS, we should consider
312 	 * updating this function.
313 	 */
314 	return    nla_total_size_64bit(8) /* OVS_TUNNEL_KEY_ATTR_ID */
315 		+ nla_total_size(16)   /* OVS_TUNNEL_KEY_ATTR_IPV[46]_SRC */
316 		+ nla_total_size(16)   /* OVS_TUNNEL_KEY_ATTR_IPV[46]_DST */
317 		+ nla_total_size(1)    /* OVS_TUNNEL_KEY_ATTR_TOS */
318 		+ nla_total_size(1)    /* OVS_TUNNEL_KEY_ATTR_TTL */
319 		+ nla_total_size(0)    /* OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT */
320 		+ nla_total_size(0)    /* OVS_TUNNEL_KEY_ATTR_CSUM */
321 		+ nla_total_size(0)    /* OVS_TUNNEL_KEY_ATTR_OAM */
322 		+ nla_total_size(256)  /* OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS */
323 		/* OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS and
324 		 * OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS is mutually exclusive with
325 		 * OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS and covered by it.
326 		 */
327 		+ nla_total_size(2)    /* OVS_TUNNEL_KEY_ATTR_TP_SRC */
328 		+ nla_total_size(2);   /* OVS_TUNNEL_KEY_ATTR_TP_DST */
329 }
330 
331 static size_t ovs_nsh_key_attr_size(void)
332 {
333 	/* Whenever adding new OVS_NSH_KEY_ FIELDS, we should consider
334 	 * updating this function.
335 	 */
336 	return  nla_total_size(NSH_BASE_HDR_LEN) /* OVS_NSH_KEY_ATTR_BASE */
337 		/* OVS_NSH_KEY_ATTR_MD1 and OVS_NSH_KEY_ATTR_MD2 are
338 		 * mutually exclusive, so the bigger one can cover
339 		 * the small one.
340 		 */
341 		+ nla_total_size(NSH_CTX_HDRS_MAX_LEN);
342 }
343 
344 size_t ovs_key_attr_size(void)
345 {
346 	/* Whenever adding new OVS_KEY_ FIELDS, we should consider
347 	 * updating this function.
348 	 */
349 	BUILD_BUG_ON(OVS_KEY_ATTR_TUNNEL_INFO != 29);
350 
351 	return    nla_total_size(4)   /* OVS_KEY_ATTR_PRIORITY */
352 		+ nla_total_size(0)   /* OVS_KEY_ATTR_TUNNEL */
353 		  + ovs_tun_key_attr_size()
354 		+ nla_total_size(4)   /* OVS_KEY_ATTR_IN_PORT */
355 		+ nla_total_size(4)   /* OVS_KEY_ATTR_SKB_MARK */
356 		+ nla_total_size(4)   /* OVS_KEY_ATTR_DP_HASH */
357 		+ nla_total_size(4)   /* OVS_KEY_ATTR_RECIRC_ID */
358 		+ nla_total_size(4)   /* OVS_KEY_ATTR_CT_STATE */
359 		+ nla_total_size(2)   /* OVS_KEY_ATTR_CT_ZONE */
360 		+ nla_total_size(4)   /* OVS_KEY_ATTR_CT_MARK */
361 		+ nla_total_size(16)  /* OVS_KEY_ATTR_CT_LABELS */
362 		+ nla_total_size(40)  /* OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6 */
363 		+ nla_total_size(0)   /* OVS_KEY_ATTR_NSH */
364 		  + ovs_nsh_key_attr_size()
365 		+ nla_total_size(12)  /* OVS_KEY_ATTR_ETHERNET */
366 		+ nla_total_size(2)   /* OVS_KEY_ATTR_ETHERTYPE */
367 		+ nla_total_size(4)   /* OVS_KEY_ATTR_VLAN */
368 		+ nla_total_size(0)   /* OVS_KEY_ATTR_ENCAP */
369 		+ nla_total_size(2)   /* OVS_KEY_ATTR_ETHERTYPE */
370 		+ nla_total_size(40)  /* OVS_KEY_ATTR_IPV6 */
371 		+ nla_total_size(2)   /* OVS_KEY_ATTR_ICMPV6 */
372 		+ nla_total_size(28); /* OVS_KEY_ATTR_ND */
373 }
374 
375 static const struct ovs_len_tbl ovs_vxlan_ext_key_lens[OVS_VXLAN_EXT_MAX + 1] = {
376 	[OVS_VXLAN_EXT_GBP]	    = { .len = sizeof(u32) },
377 };
378 
379 static const struct ovs_len_tbl ovs_tunnel_key_lens[OVS_TUNNEL_KEY_ATTR_MAX + 1] = {
380 	[OVS_TUNNEL_KEY_ATTR_ID]	    = { .len = sizeof(u64) },
381 	[OVS_TUNNEL_KEY_ATTR_IPV4_SRC]	    = { .len = sizeof(u32) },
382 	[OVS_TUNNEL_KEY_ATTR_IPV4_DST]	    = { .len = sizeof(u32) },
383 	[OVS_TUNNEL_KEY_ATTR_TOS]	    = { .len = 1 },
384 	[OVS_TUNNEL_KEY_ATTR_TTL]	    = { .len = 1 },
385 	[OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT] = { .len = 0 },
386 	[OVS_TUNNEL_KEY_ATTR_CSUM]	    = { .len = 0 },
387 	[OVS_TUNNEL_KEY_ATTR_TP_SRC]	    = { .len = sizeof(u16) },
388 	[OVS_TUNNEL_KEY_ATTR_TP_DST]	    = { .len = sizeof(u16) },
389 	[OVS_TUNNEL_KEY_ATTR_OAM]	    = { .len = 0 },
390 	[OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS]   = { .len = OVS_ATTR_VARIABLE },
391 	[OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS]    = { .len = OVS_ATTR_NESTED,
392 						.next = ovs_vxlan_ext_key_lens },
393 	[OVS_TUNNEL_KEY_ATTR_IPV6_SRC]      = { .len = sizeof(struct in6_addr) },
394 	[OVS_TUNNEL_KEY_ATTR_IPV6_DST]      = { .len = sizeof(struct in6_addr) },
395 	[OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS]   = { .len = OVS_ATTR_VARIABLE },
396 	[OVS_TUNNEL_KEY_ATTR_IPV4_INFO_BRIDGE]   = { .len = 0 },
397 };
398 
399 static const struct ovs_len_tbl
400 ovs_nsh_key_attr_lens[OVS_NSH_KEY_ATTR_MAX + 1] = {
401 	[OVS_NSH_KEY_ATTR_BASE] = { .len = sizeof(struct ovs_nsh_key_base) },
402 	[OVS_NSH_KEY_ATTR_MD1]  = { .len = sizeof(struct ovs_nsh_key_md1) },
403 	[OVS_NSH_KEY_ATTR_MD2]  = { .len = OVS_ATTR_VARIABLE },
404 };
405 
406 /* The size of the argument for each %OVS_KEY_ATTR_* Netlink attribute.  */
407 static const struct ovs_len_tbl ovs_key_lens[OVS_KEY_ATTR_MAX + 1] = {
408 	[OVS_KEY_ATTR_ENCAP]	 = { .len = OVS_ATTR_NESTED },
409 	[OVS_KEY_ATTR_PRIORITY]	 = { .len = sizeof(u32) },
410 	[OVS_KEY_ATTR_IN_PORT]	 = { .len = sizeof(u32) },
411 	[OVS_KEY_ATTR_SKB_MARK]	 = { .len = sizeof(u32) },
412 	[OVS_KEY_ATTR_ETHERNET]	 = { .len = sizeof(struct ovs_key_ethernet) },
413 	[OVS_KEY_ATTR_VLAN]	 = { .len = sizeof(__be16) },
414 	[OVS_KEY_ATTR_ETHERTYPE] = { .len = sizeof(__be16) },
415 	[OVS_KEY_ATTR_IPV4]	 = { .len = sizeof(struct ovs_key_ipv4) },
416 	[OVS_KEY_ATTR_IPV6]	 = { .len = sizeof(struct ovs_key_ipv6) },
417 	[OVS_KEY_ATTR_TCP]	 = { .len = sizeof(struct ovs_key_tcp) },
418 	[OVS_KEY_ATTR_TCP_FLAGS] = { .len = sizeof(__be16) },
419 	[OVS_KEY_ATTR_UDP]	 = { .len = sizeof(struct ovs_key_udp) },
420 	[OVS_KEY_ATTR_SCTP]	 = { .len = sizeof(struct ovs_key_sctp) },
421 	[OVS_KEY_ATTR_ICMP]	 = { .len = sizeof(struct ovs_key_icmp) },
422 	[OVS_KEY_ATTR_ICMPV6]	 = { .len = sizeof(struct ovs_key_icmpv6) },
423 	[OVS_KEY_ATTR_ARP]	 = { .len = sizeof(struct ovs_key_arp) },
424 	[OVS_KEY_ATTR_ND]	 = { .len = sizeof(struct ovs_key_nd) },
425 	[OVS_KEY_ATTR_RECIRC_ID] = { .len = sizeof(u32) },
426 	[OVS_KEY_ATTR_DP_HASH]	 = { .len = sizeof(u32) },
427 	[OVS_KEY_ATTR_TUNNEL]	 = { .len = OVS_ATTR_NESTED,
428 				     .next = ovs_tunnel_key_lens, },
429 	[OVS_KEY_ATTR_MPLS]	 = { .len = OVS_ATTR_VARIABLE },
430 	[OVS_KEY_ATTR_CT_STATE]	 = { .len = sizeof(u32) },
431 	[OVS_KEY_ATTR_CT_ZONE]	 = { .len = sizeof(u16) },
432 	[OVS_KEY_ATTR_CT_MARK]	 = { .len = sizeof(u32) },
433 	[OVS_KEY_ATTR_CT_LABELS] = { .len = sizeof(struct ovs_key_ct_labels) },
434 	[OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4] = {
435 		.len = sizeof(struct ovs_key_ct_tuple_ipv4) },
436 	[OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6] = {
437 		.len = sizeof(struct ovs_key_ct_tuple_ipv6) },
438 	[OVS_KEY_ATTR_NSH]       = { .len = OVS_ATTR_NESTED,
439 				     .next = ovs_nsh_key_attr_lens, },
440 };
441 
442 static bool check_attr_len(unsigned int attr_len, unsigned int expected_len)
443 {
444 	return expected_len == attr_len ||
445 	       expected_len == OVS_ATTR_NESTED ||
446 	       expected_len == OVS_ATTR_VARIABLE;
447 }
448 
449 static bool is_all_zero(const u8 *fp, size_t size)
450 {
451 	int i;
452 
453 	if (!fp)
454 		return false;
455 
456 	for (i = 0; i < size; i++)
457 		if (fp[i])
458 			return false;
459 
460 	return true;
461 }
462 
463 static int __parse_flow_nlattrs(const struct nlattr *attr,
464 				const struct nlattr *a[],
465 				u64 *attrsp, bool log, bool nz)
466 {
467 	const struct nlattr *nla;
468 	u64 attrs;
469 	int rem;
470 
471 	attrs = *attrsp;
472 	nla_for_each_nested(nla, attr, rem) {
473 		u16 type = nla_type(nla);
474 		int expected_len;
475 
476 		if (type > OVS_KEY_ATTR_MAX) {
477 			OVS_NLERR(log, "Key type %d is out of range max %d",
478 				  type, OVS_KEY_ATTR_MAX);
479 			return -EINVAL;
480 		}
481 
482 		if (attrs & (1 << type)) {
483 			OVS_NLERR(log, "Duplicate key (type %d).", type);
484 			return -EINVAL;
485 		}
486 
487 		expected_len = ovs_key_lens[type].len;
488 		if (!check_attr_len(nla_len(nla), expected_len)) {
489 			OVS_NLERR(log, "Key %d has unexpected len %d expected %d",
490 				  type, nla_len(nla), expected_len);
491 			return -EINVAL;
492 		}
493 
494 		if (!nz || !is_all_zero(nla_data(nla), nla_len(nla))) {
495 			attrs |= 1 << type;
496 			a[type] = nla;
497 		}
498 	}
499 	if (rem) {
500 		OVS_NLERR(log, "Message has %d unknown bytes.", rem);
501 		return -EINVAL;
502 	}
503 
504 	*attrsp = attrs;
505 	return 0;
506 }
507 
508 static int parse_flow_mask_nlattrs(const struct nlattr *attr,
509 				   const struct nlattr *a[], u64 *attrsp,
510 				   bool log)
511 {
512 	return __parse_flow_nlattrs(attr, a, attrsp, log, true);
513 }
514 
515 int parse_flow_nlattrs(const struct nlattr *attr, const struct nlattr *a[],
516 		       u64 *attrsp, bool log)
517 {
518 	return __parse_flow_nlattrs(attr, a, attrsp, log, false);
519 }
520 
521 static int genev_tun_opt_from_nlattr(const struct nlattr *a,
522 				     struct sw_flow_match *match, bool is_mask,
523 				     bool log)
524 {
525 	unsigned long opt_key_offset;
526 
527 	if (nla_len(a) > sizeof(match->key->tun_opts)) {
528 		OVS_NLERR(log, "Geneve option length err (len %d, max %zu).",
529 			  nla_len(a), sizeof(match->key->tun_opts));
530 		return -EINVAL;
531 	}
532 
533 	if (nla_len(a) % 4 != 0) {
534 		OVS_NLERR(log, "Geneve opt len %d is not a multiple of 4.",
535 			  nla_len(a));
536 		return -EINVAL;
537 	}
538 
539 	/* We need to record the length of the options passed
540 	 * down, otherwise packets with the same format but
541 	 * additional options will be silently matched.
542 	 */
543 	if (!is_mask) {
544 		SW_FLOW_KEY_PUT(match, tun_opts_len, nla_len(a),
545 				false);
546 	} else {
547 		/* This is somewhat unusual because it looks at
548 		 * both the key and mask while parsing the
549 		 * attributes (and by extension assumes the key
550 		 * is parsed first). Normally, we would verify
551 		 * that each is the correct length and that the
552 		 * attributes line up in the validate function.
553 		 * However, that is difficult because this is
554 		 * variable length and we won't have the
555 		 * information later.
556 		 */
557 		if (match->key->tun_opts_len != nla_len(a)) {
558 			OVS_NLERR(log, "Geneve option len %d != mask len %d",
559 				  match->key->tun_opts_len, nla_len(a));
560 			return -EINVAL;
561 		}
562 
563 		SW_FLOW_KEY_PUT(match, tun_opts_len, 0xff, true);
564 	}
565 
566 	opt_key_offset = TUN_METADATA_OFFSET(nla_len(a));
567 	SW_FLOW_KEY_MEMCPY_OFFSET(match, opt_key_offset, nla_data(a),
568 				  nla_len(a), is_mask);
569 	return 0;
570 }
571 
572 static int vxlan_tun_opt_from_nlattr(const struct nlattr *attr,
573 				     struct sw_flow_match *match, bool is_mask,
574 				     bool log)
575 {
576 	struct nlattr *a;
577 	int rem;
578 	unsigned long opt_key_offset;
579 	struct vxlan_metadata opts;
580 
581 	BUILD_BUG_ON(sizeof(opts) > sizeof(match->key->tun_opts));
582 
583 	memset(&opts, 0, sizeof(opts));
584 	nla_for_each_nested(a, attr, rem) {
585 		int type = nla_type(a);
586 
587 		if (type > OVS_VXLAN_EXT_MAX) {
588 			OVS_NLERR(log, "VXLAN extension %d out of range max %d",
589 				  type, OVS_VXLAN_EXT_MAX);
590 			return -EINVAL;
591 		}
592 
593 		if (!check_attr_len(nla_len(a),
594 				    ovs_vxlan_ext_key_lens[type].len)) {
595 			OVS_NLERR(log, "VXLAN extension %d has unexpected len %d expected %d",
596 				  type, nla_len(a),
597 				  ovs_vxlan_ext_key_lens[type].len);
598 			return -EINVAL;
599 		}
600 
601 		switch (type) {
602 		case OVS_VXLAN_EXT_GBP:
603 			opts.gbp = nla_get_u32(a);
604 			break;
605 		default:
606 			OVS_NLERR(log, "Unknown VXLAN extension attribute %d",
607 				  type);
608 			return -EINVAL;
609 		}
610 	}
611 	if (rem) {
612 		OVS_NLERR(log, "VXLAN extension message has %d unknown bytes.",
613 			  rem);
614 		return -EINVAL;
615 	}
616 
617 	if (!is_mask)
618 		SW_FLOW_KEY_PUT(match, tun_opts_len, sizeof(opts), false);
619 	else
620 		SW_FLOW_KEY_PUT(match, tun_opts_len, 0xff, true);
621 
622 	opt_key_offset = TUN_METADATA_OFFSET(sizeof(opts));
623 	SW_FLOW_KEY_MEMCPY_OFFSET(match, opt_key_offset, &opts, sizeof(opts),
624 				  is_mask);
625 	return 0;
626 }
627 
628 static int erspan_tun_opt_from_nlattr(const struct nlattr *a,
629 				      struct sw_flow_match *match, bool is_mask,
630 				      bool log)
631 {
632 	unsigned long opt_key_offset;
633 
634 	BUILD_BUG_ON(sizeof(struct erspan_metadata) >
635 		     sizeof(match->key->tun_opts));
636 
637 	if (nla_len(a) > sizeof(match->key->tun_opts)) {
638 		OVS_NLERR(log, "ERSPAN option length err (len %d, max %zu).",
639 			  nla_len(a), sizeof(match->key->tun_opts));
640 		return -EINVAL;
641 	}
642 
643 	if (!is_mask)
644 		SW_FLOW_KEY_PUT(match, tun_opts_len,
645 				sizeof(struct erspan_metadata), false);
646 	else
647 		SW_FLOW_KEY_PUT(match, tun_opts_len, 0xff, true);
648 
649 	opt_key_offset = TUN_METADATA_OFFSET(nla_len(a));
650 	SW_FLOW_KEY_MEMCPY_OFFSET(match, opt_key_offset, nla_data(a),
651 				  nla_len(a), is_mask);
652 	return 0;
653 }
654 
655 static int ip_tun_from_nlattr(const struct nlattr *attr,
656 			      struct sw_flow_match *match, bool is_mask,
657 			      bool log)
658 {
659 	bool ttl = false, ipv4 = false, ipv6 = false;
660 	bool info_bridge_mode = false;
661 	__be16 tun_flags = 0;
662 	int opts_type = 0;
663 	struct nlattr *a;
664 	int rem;
665 
666 	nla_for_each_nested(a, attr, rem) {
667 		int type = nla_type(a);
668 		int err;
669 
670 		if (type > OVS_TUNNEL_KEY_ATTR_MAX) {
671 			OVS_NLERR(log, "Tunnel attr %d out of range max %d",
672 				  type, OVS_TUNNEL_KEY_ATTR_MAX);
673 			return -EINVAL;
674 		}
675 
676 		if (!check_attr_len(nla_len(a),
677 				    ovs_tunnel_key_lens[type].len)) {
678 			OVS_NLERR(log, "Tunnel attr %d has unexpected len %d expected %d",
679 				  type, nla_len(a), ovs_tunnel_key_lens[type].len);
680 			return -EINVAL;
681 		}
682 
683 		switch (type) {
684 		case OVS_TUNNEL_KEY_ATTR_ID:
685 			SW_FLOW_KEY_PUT(match, tun_key.tun_id,
686 					nla_get_be64(a), is_mask);
687 			tun_flags |= TUNNEL_KEY;
688 			break;
689 		case OVS_TUNNEL_KEY_ATTR_IPV4_SRC:
690 			SW_FLOW_KEY_PUT(match, tun_key.u.ipv4.src,
691 					nla_get_in_addr(a), is_mask);
692 			ipv4 = true;
693 			break;
694 		case OVS_TUNNEL_KEY_ATTR_IPV4_DST:
695 			SW_FLOW_KEY_PUT(match, tun_key.u.ipv4.dst,
696 					nla_get_in_addr(a), is_mask);
697 			ipv4 = true;
698 			break;
699 		case OVS_TUNNEL_KEY_ATTR_IPV6_SRC:
700 			SW_FLOW_KEY_PUT(match, tun_key.u.ipv6.src,
701 					nla_get_in6_addr(a), is_mask);
702 			ipv6 = true;
703 			break;
704 		case OVS_TUNNEL_KEY_ATTR_IPV6_DST:
705 			SW_FLOW_KEY_PUT(match, tun_key.u.ipv6.dst,
706 					nla_get_in6_addr(a), is_mask);
707 			ipv6 = true;
708 			break;
709 		case OVS_TUNNEL_KEY_ATTR_TOS:
710 			SW_FLOW_KEY_PUT(match, tun_key.tos,
711 					nla_get_u8(a), is_mask);
712 			break;
713 		case OVS_TUNNEL_KEY_ATTR_TTL:
714 			SW_FLOW_KEY_PUT(match, tun_key.ttl,
715 					nla_get_u8(a), is_mask);
716 			ttl = true;
717 			break;
718 		case OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT:
719 			tun_flags |= TUNNEL_DONT_FRAGMENT;
720 			break;
721 		case OVS_TUNNEL_KEY_ATTR_CSUM:
722 			tun_flags |= TUNNEL_CSUM;
723 			break;
724 		case OVS_TUNNEL_KEY_ATTR_TP_SRC:
725 			SW_FLOW_KEY_PUT(match, tun_key.tp_src,
726 					nla_get_be16(a), is_mask);
727 			break;
728 		case OVS_TUNNEL_KEY_ATTR_TP_DST:
729 			SW_FLOW_KEY_PUT(match, tun_key.tp_dst,
730 					nla_get_be16(a), is_mask);
731 			break;
732 		case OVS_TUNNEL_KEY_ATTR_OAM:
733 			tun_flags |= TUNNEL_OAM;
734 			break;
735 		case OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS:
736 			if (opts_type) {
737 				OVS_NLERR(log, "Multiple metadata blocks provided");
738 				return -EINVAL;
739 			}
740 
741 			err = genev_tun_opt_from_nlattr(a, match, is_mask, log);
742 			if (err)
743 				return err;
744 
745 			tun_flags |= TUNNEL_GENEVE_OPT;
746 			opts_type = type;
747 			break;
748 		case OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS:
749 			if (opts_type) {
750 				OVS_NLERR(log, "Multiple metadata blocks provided");
751 				return -EINVAL;
752 			}
753 
754 			err = vxlan_tun_opt_from_nlattr(a, match, is_mask, log);
755 			if (err)
756 				return err;
757 
758 			tun_flags |= TUNNEL_VXLAN_OPT;
759 			opts_type = type;
760 			break;
761 		case OVS_TUNNEL_KEY_ATTR_PAD:
762 			break;
763 		case OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS:
764 			if (opts_type) {
765 				OVS_NLERR(log, "Multiple metadata blocks provided");
766 				return -EINVAL;
767 			}
768 
769 			err = erspan_tun_opt_from_nlattr(a, match, is_mask,
770 							 log);
771 			if (err)
772 				return err;
773 
774 			tun_flags |= TUNNEL_ERSPAN_OPT;
775 			opts_type = type;
776 			break;
777 		case OVS_TUNNEL_KEY_ATTR_IPV4_INFO_BRIDGE:
778 			info_bridge_mode = true;
779 			ipv4 = true;
780 			break;
781 		default:
782 			OVS_NLERR(log, "Unknown IP tunnel attribute %d",
783 				  type);
784 			return -EINVAL;
785 		}
786 	}
787 
788 	SW_FLOW_KEY_PUT(match, tun_key.tun_flags, tun_flags, is_mask);
789 	if (is_mask)
790 		SW_FLOW_KEY_MEMSET_FIELD(match, tun_proto, 0xff, true);
791 	else
792 		SW_FLOW_KEY_PUT(match, tun_proto, ipv6 ? AF_INET6 : AF_INET,
793 				false);
794 
795 	if (rem > 0) {
796 		OVS_NLERR(log, "IP tunnel attribute has %d unknown bytes.",
797 			  rem);
798 		return -EINVAL;
799 	}
800 
801 	if (ipv4 && ipv6) {
802 		OVS_NLERR(log, "Mixed IPv4 and IPv6 tunnel attributes");
803 		return -EINVAL;
804 	}
805 
806 	if (!is_mask) {
807 		if (!ipv4 && !ipv6) {
808 			OVS_NLERR(log, "IP tunnel dst address not specified");
809 			return -EINVAL;
810 		}
811 		if (ipv4) {
812 			if (info_bridge_mode) {
813 				if (match->key->tun_key.u.ipv4.src ||
814 				    match->key->tun_key.u.ipv4.dst ||
815 				    match->key->tun_key.tp_src ||
816 				    match->key->tun_key.tp_dst ||
817 				    match->key->tun_key.ttl ||
818 				    match->key->tun_key.tos ||
819 				    tun_flags & ~TUNNEL_KEY) {
820 					OVS_NLERR(log, "IPv4 tun info is not correct");
821 					return -EINVAL;
822 				}
823 			} else if (!match->key->tun_key.u.ipv4.dst) {
824 				OVS_NLERR(log, "IPv4 tunnel dst address is zero");
825 				return -EINVAL;
826 			}
827 		}
828 		if (ipv6 && ipv6_addr_any(&match->key->tun_key.u.ipv6.dst)) {
829 			OVS_NLERR(log, "IPv6 tunnel dst address is zero");
830 			return -EINVAL;
831 		}
832 
833 		if (!ttl && !info_bridge_mode) {
834 			OVS_NLERR(log, "IP tunnel TTL not specified.");
835 			return -EINVAL;
836 		}
837 	}
838 
839 	return opts_type;
840 }
841 
842 static int vxlan_opt_to_nlattr(struct sk_buff *skb,
843 			       const void *tun_opts, int swkey_tun_opts_len)
844 {
845 	const struct vxlan_metadata *opts = tun_opts;
846 	struct nlattr *nla;
847 
848 	nla = nla_nest_start_noflag(skb, OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS);
849 	if (!nla)
850 		return -EMSGSIZE;
851 
852 	if (nla_put_u32(skb, OVS_VXLAN_EXT_GBP, opts->gbp) < 0)
853 		return -EMSGSIZE;
854 
855 	nla_nest_end(skb, nla);
856 	return 0;
857 }
858 
859 static int __ip_tun_to_nlattr(struct sk_buff *skb,
860 			      const struct ip_tunnel_key *output,
861 			      const void *tun_opts, int swkey_tun_opts_len,
862 			      unsigned short tun_proto, u8 mode)
863 {
864 	if (output->tun_flags & TUNNEL_KEY &&
865 	    nla_put_be64(skb, OVS_TUNNEL_KEY_ATTR_ID, output->tun_id,
866 			 OVS_TUNNEL_KEY_ATTR_PAD))
867 		return -EMSGSIZE;
868 
869 	if (mode & IP_TUNNEL_INFO_BRIDGE)
870 		return nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_IPV4_INFO_BRIDGE)
871 		       ? -EMSGSIZE : 0;
872 
873 	switch (tun_proto) {
874 	case AF_INET:
875 		if (output->u.ipv4.src &&
876 		    nla_put_in_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV4_SRC,
877 				    output->u.ipv4.src))
878 			return -EMSGSIZE;
879 		if (output->u.ipv4.dst &&
880 		    nla_put_in_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV4_DST,
881 				    output->u.ipv4.dst))
882 			return -EMSGSIZE;
883 		break;
884 	case AF_INET6:
885 		if (!ipv6_addr_any(&output->u.ipv6.src) &&
886 		    nla_put_in6_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV6_SRC,
887 				     &output->u.ipv6.src))
888 			return -EMSGSIZE;
889 		if (!ipv6_addr_any(&output->u.ipv6.dst) &&
890 		    nla_put_in6_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV6_DST,
891 				     &output->u.ipv6.dst))
892 			return -EMSGSIZE;
893 		break;
894 	}
895 	if (output->tos &&
896 	    nla_put_u8(skb, OVS_TUNNEL_KEY_ATTR_TOS, output->tos))
897 		return -EMSGSIZE;
898 	if (nla_put_u8(skb, OVS_TUNNEL_KEY_ATTR_TTL, output->ttl))
899 		return -EMSGSIZE;
900 	if ((output->tun_flags & TUNNEL_DONT_FRAGMENT) &&
901 	    nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT))
902 		return -EMSGSIZE;
903 	if ((output->tun_flags & TUNNEL_CSUM) &&
904 	    nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_CSUM))
905 		return -EMSGSIZE;
906 	if (output->tp_src &&
907 	    nla_put_be16(skb, OVS_TUNNEL_KEY_ATTR_TP_SRC, output->tp_src))
908 		return -EMSGSIZE;
909 	if (output->tp_dst &&
910 	    nla_put_be16(skb, OVS_TUNNEL_KEY_ATTR_TP_DST, output->tp_dst))
911 		return -EMSGSIZE;
912 	if ((output->tun_flags & TUNNEL_OAM) &&
913 	    nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_OAM))
914 		return -EMSGSIZE;
915 	if (swkey_tun_opts_len) {
916 		if (output->tun_flags & TUNNEL_GENEVE_OPT &&
917 		    nla_put(skb, OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS,
918 			    swkey_tun_opts_len, tun_opts))
919 			return -EMSGSIZE;
920 		else if (output->tun_flags & TUNNEL_VXLAN_OPT &&
921 			 vxlan_opt_to_nlattr(skb, tun_opts, swkey_tun_opts_len))
922 			return -EMSGSIZE;
923 		else if (output->tun_flags & TUNNEL_ERSPAN_OPT &&
924 			 nla_put(skb, OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS,
925 				 swkey_tun_opts_len, tun_opts))
926 			return -EMSGSIZE;
927 	}
928 
929 	return 0;
930 }
931 
932 static int ip_tun_to_nlattr(struct sk_buff *skb,
933 			    const struct ip_tunnel_key *output,
934 			    const void *tun_opts, int swkey_tun_opts_len,
935 			    unsigned short tun_proto, u8 mode)
936 {
937 	struct nlattr *nla;
938 	int err;
939 
940 	nla = nla_nest_start_noflag(skb, OVS_KEY_ATTR_TUNNEL);
941 	if (!nla)
942 		return -EMSGSIZE;
943 
944 	err = __ip_tun_to_nlattr(skb, output, tun_opts, swkey_tun_opts_len,
945 				 tun_proto, mode);
946 	if (err)
947 		return err;
948 
949 	nla_nest_end(skb, nla);
950 	return 0;
951 }
952 
953 int ovs_nla_put_tunnel_info(struct sk_buff *skb,
954 			    struct ip_tunnel_info *tun_info)
955 {
956 	return __ip_tun_to_nlattr(skb, &tun_info->key,
957 				  ip_tunnel_info_opts(tun_info),
958 				  tun_info->options_len,
959 				  ip_tunnel_info_af(tun_info), tun_info->mode);
960 }
961 
962 static int encode_vlan_from_nlattrs(struct sw_flow_match *match,
963 				    const struct nlattr *a[],
964 				    bool is_mask, bool inner)
965 {
966 	__be16 tci = 0;
967 	__be16 tpid = 0;
968 
969 	if (a[OVS_KEY_ATTR_VLAN])
970 		tci = nla_get_be16(a[OVS_KEY_ATTR_VLAN]);
971 
972 	if (a[OVS_KEY_ATTR_ETHERTYPE])
973 		tpid = nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE]);
974 
975 	if (likely(!inner)) {
976 		SW_FLOW_KEY_PUT(match, eth.vlan.tpid, tpid, is_mask);
977 		SW_FLOW_KEY_PUT(match, eth.vlan.tci, tci, is_mask);
978 	} else {
979 		SW_FLOW_KEY_PUT(match, eth.cvlan.tpid, tpid, is_mask);
980 		SW_FLOW_KEY_PUT(match, eth.cvlan.tci, tci, is_mask);
981 	}
982 	return 0;
983 }
984 
985 static int validate_vlan_from_nlattrs(const struct sw_flow_match *match,
986 				      u64 key_attrs, bool inner,
987 				      const struct nlattr **a, bool log)
988 {
989 	__be16 tci = 0;
990 
991 	if (!((key_attrs & (1 << OVS_KEY_ATTR_ETHERNET)) &&
992 	      (key_attrs & (1 << OVS_KEY_ATTR_ETHERTYPE)) &&
993 	       eth_type_vlan(nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE])))) {
994 		/* Not a VLAN. */
995 		return 0;
996 	}
997 
998 	if (!((key_attrs & (1 << OVS_KEY_ATTR_VLAN)) &&
999 	      (key_attrs & (1 << OVS_KEY_ATTR_ENCAP)))) {
1000 		OVS_NLERR(log, "Invalid %s frame", (inner) ? "C-VLAN" : "VLAN");
1001 		return -EINVAL;
1002 	}
1003 
1004 	if (a[OVS_KEY_ATTR_VLAN])
1005 		tci = nla_get_be16(a[OVS_KEY_ATTR_VLAN]);
1006 
1007 	if (!(tci & htons(VLAN_CFI_MASK))) {
1008 		if (tci) {
1009 			OVS_NLERR(log, "%s TCI does not have VLAN_CFI_MASK bit set.",
1010 				  (inner) ? "C-VLAN" : "VLAN");
1011 			return -EINVAL;
1012 		} else if (nla_len(a[OVS_KEY_ATTR_ENCAP])) {
1013 			/* Corner case for truncated VLAN header. */
1014 			OVS_NLERR(log, "Truncated %s header has non-zero encap attribute.",
1015 				  (inner) ? "C-VLAN" : "VLAN");
1016 			return -EINVAL;
1017 		}
1018 	}
1019 
1020 	return 1;
1021 }
1022 
1023 static int validate_vlan_mask_from_nlattrs(const struct sw_flow_match *match,
1024 					   u64 key_attrs, bool inner,
1025 					   const struct nlattr **a, bool log)
1026 {
1027 	__be16 tci = 0;
1028 	__be16 tpid = 0;
1029 	bool encap_valid = !!(match->key->eth.vlan.tci &
1030 			      htons(VLAN_CFI_MASK));
1031 	bool i_encap_valid = !!(match->key->eth.cvlan.tci &
1032 				htons(VLAN_CFI_MASK));
1033 
1034 	if (!(key_attrs & (1 << OVS_KEY_ATTR_ENCAP))) {
1035 		/* Not a VLAN. */
1036 		return 0;
1037 	}
1038 
1039 	if ((!inner && !encap_valid) || (inner && !i_encap_valid)) {
1040 		OVS_NLERR(log, "Encap mask attribute is set for non-%s frame.",
1041 			  (inner) ? "C-VLAN" : "VLAN");
1042 		return -EINVAL;
1043 	}
1044 
1045 	if (a[OVS_KEY_ATTR_VLAN])
1046 		tci = nla_get_be16(a[OVS_KEY_ATTR_VLAN]);
1047 
1048 	if (a[OVS_KEY_ATTR_ETHERTYPE])
1049 		tpid = nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE]);
1050 
1051 	if (tpid != htons(0xffff)) {
1052 		OVS_NLERR(log, "Must have an exact match on %s TPID (mask=%x).",
1053 			  (inner) ? "C-VLAN" : "VLAN", ntohs(tpid));
1054 		return -EINVAL;
1055 	}
1056 	if (!(tci & htons(VLAN_CFI_MASK))) {
1057 		OVS_NLERR(log, "%s TCI mask does not have exact match for VLAN_CFI_MASK bit.",
1058 			  (inner) ? "C-VLAN" : "VLAN");
1059 		return -EINVAL;
1060 	}
1061 
1062 	return 1;
1063 }
1064 
1065 static int __parse_vlan_from_nlattrs(struct sw_flow_match *match,
1066 				     u64 *key_attrs, bool inner,
1067 				     const struct nlattr **a, bool is_mask,
1068 				     bool log)
1069 {
1070 	int err;
1071 	const struct nlattr *encap;
1072 
1073 	if (!is_mask)
1074 		err = validate_vlan_from_nlattrs(match, *key_attrs, inner,
1075 						 a, log);
1076 	else
1077 		err = validate_vlan_mask_from_nlattrs(match, *key_attrs, inner,
1078 						      a, log);
1079 	if (err <= 0)
1080 		return err;
1081 
1082 	err = encode_vlan_from_nlattrs(match, a, is_mask, inner);
1083 	if (err)
1084 		return err;
1085 
1086 	*key_attrs &= ~(1 << OVS_KEY_ATTR_ENCAP);
1087 	*key_attrs &= ~(1 << OVS_KEY_ATTR_VLAN);
1088 	*key_attrs &= ~(1 << OVS_KEY_ATTR_ETHERTYPE);
1089 
1090 	encap = a[OVS_KEY_ATTR_ENCAP];
1091 
1092 	if (!is_mask)
1093 		err = parse_flow_nlattrs(encap, a, key_attrs, log);
1094 	else
1095 		err = parse_flow_mask_nlattrs(encap, a, key_attrs, log);
1096 
1097 	return err;
1098 }
1099 
1100 static int parse_vlan_from_nlattrs(struct sw_flow_match *match,
1101 				   u64 *key_attrs, const struct nlattr **a,
1102 				   bool is_mask, bool log)
1103 {
1104 	int err;
1105 	bool encap_valid = false;
1106 
1107 	err = __parse_vlan_from_nlattrs(match, key_attrs, false, a,
1108 					is_mask, log);
1109 	if (err)
1110 		return err;
1111 
1112 	encap_valid = !!(match->key->eth.vlan.tci & htons(VLAN_CFI_MASK));
1113 	if (encap_valid) {
1114 		err = __parse_vlan_from_nlattrs(match, key_attrs, true, a,
1115 						is_mask, log);
1116 		if (err)
1117 			return err;
1118 	}
1119 
1120 	return 0;
1121 }
1122 
1123 static int parse_eth_type_from_nlattrs(struct sw_flow_match *match,
1124 				       u64 *attrs, const struct nlattr **a,
1125 				       bool is_mask, bool log)
1126 {
1127 	__be16 eth_type;
1128 
1129 	eth_type = nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE]);
1130 	if (is_mask) {
1131 		/* Always exact match EtherType. */
1132 		eth_type = htons(0xffff);
1133 	} else if (!eth_proto_is_802_3(eth_type)) {
1134 		OVS_NLERR(log, "EtherType %x is less than min %x",
1135 				ntohs(eth_type), ETH_P_802_3_MIN);
1136 		return -EINVAL;
1137 	}
1138 
1139 	SW_FLOW_KEY_PUT(match, eth.type, eth_type, is_mask);
1140 	*attrs &= ~(1 << OVS_KEY_ATTR_ETHERTYPE);
1141 	return 0;
1142 }
1143 
1144 static int metadata_from_nlattrs(struct net *net, struct sw_flow_match *match,
1145 				 u64 *attrs, const struct nlattr **a,
1146 				 bool is_mask, bool log)
1147 {
1148 	u8 mac_proto = MAC_PROTO_ETHERNET;
1149 
1150 	if (*attrs & (1 << OVS_KEY_ATTR_DP_HASH)) {
1151 		u32 hash_val = nla_get_u32(a[OVS_KEY_ATTR_DP_HASH]);
1152 
1153 		SW_FLOW_KEY_PUT(match, ovs_flow_hash, hash_val, is_mask);
1154 		*attrs &= ~(1 << OVS_KEY_ATTR_DP_HASH);
1155 	}
1156 
1157 	if (*attrs & (1 << OVS_KEY_ATTR_RECIRC_ID)) {
1158 		u32 recirc_id = nla_get_u32(a[OVS_KEY_ATTR_RECIRC_ID]);
1159 
1160 		SW_FLOW_KEY_PUT(match, recirc_id, recirc_id, is_mask);
1161 		*attrs &= ~(1 << OVS_KEY_ATTR_RECIRC_ID);
1162 	}
1163 
1164 	if (*attrs & (1 << OVS_KEY_ATTR_PRIORITY)) {
1165 		SW_FLOW_KEY_PUT(match, phy.priority,
1166 			  nla_get_u32(a[OVS_KEY_ATTR_PRIORITY]), is_mask);
1167 		*attrs &= ~(1 << OVS_KEY_ATTR_PRIORITY);
1168 	}
1169 
1170 	if (*attrs & (1 << OVS_KEY_ATTR_IN_PORT)) {
1171 		u32 in_port = nla_get_u32(a[OVS_KEY_ATTR_IN_PORT]);
1172 
1173 		if (is_mask) {
1174 			in_port = 0xffffffff; /* Always exact match in_port. */
1175 		} else if (in_port >= DP_MAX_PORTS) {
1176 			OVS_NLERR(log, "Port %d exceeds max allowable %d",
1177 				  in_port, DP_MAX_PORTS);
1178 			return -EINVAL;
1179 		}
1180 
1181 		SW_FLOW_KEY_PUT(match, phy.in_port, in_port, is_mask);
1182 		*attrs &= ~(1 << OVS_KEY_ATTR_IN_PORT);
1183 	} else if (!is_mask) {
1184 		SW_FLOW_KEY_PUT(match, phy.in_port, DP_MAX_PORTS, is_mask);
1185 	}
1186 
1187 	if (*attrs & (1 << OVS_KEY_ATTR_SKB_MARK)) {
1188 		uint32_t mark = nla_get_u32(a[OVS_KEY_ATTR_SKB_MARK]);
1189 
1190 		SW_FLOW_KEY_PUT(match, phy.skb_mark, mark, is_mask);
1191 		*attrs &= ~(1 << OVS_KEY_ATTR_SKB_MARK);
1192 	}
1193 	if (*attrs & (1 << OVS_KEY_ATTR_TUNNEL)) {
1194 		if (ip_tun_from_nlattr(a[OVS_KEY_ATTR_TUNNEL], match,
1195 				       is_mask, log) < 0)
1196 			return -EINVAL;
1197 		*attrs &= ~(1 << OVS_KEY_ATTR_TUNNEL);
1198 	}
1199 
1200 	if (*attrs & (1 << OVS_KEY_ATTR_CT_STATE) &&
1201 	    ovs_ct_verify(net, OVS_KEY_ATTR_CT_STATE)) {
1202 		u32 ct_state = nla_get_u32(a[OVS_KEY_ATTR_CT_STATE]);
1203 
1204 		if (ct_state & ~CT_SUPPORTED_MASK) {
1205 			OVS_NLERR(log, "ct_state flags %08x unsupported",
1206 				  ct_state);
1207 			return -EINVAL;
1208 		}
1209 
1210 		SW_FLOW_KEY_PUT(match, ct_state, ct_state, is_mask);
1211 		*attrs &= ~(1ULL << OVS_KEY_ATTR_CT_STATE);
1212 	}
1213 	if (*attrs & (1 << OVS_KEY_ATTR_CT_ZONE) &&
1214 	    ovs_ct_verify(net, OVS_KEY_ATTR_CT_ZONE)) {
1215 		u16 ct_zone = nla_get_u16(a[OVS_KEY_ATTR_CT_ZONE]);
1216 
1217 		SW_FLOW_KEY_PUT(match, ct_zone, ct_zone, is_mask);
1218 		*attrs &= ~(1ULL << OVS_KEY_ATTR_CT_ZONE);
1219 	}
1220 	if (*attrs & (1 << OVS_KEY_ATTR_CT_MARK) &&
1221 	    ovs_ct_verify(net, OVS_KEY_ATTR_CT_MARK)) {
1222 		u32 mark = nla_get_u32(a[OVS_KEY_ATTR_CT_MARK]);
1223 
1224 		SW_FLOW_KEY_PUT(match, ct.mark, mark, is_mask);
1225 		*attrs &= ~(1ULL << OVS_KEY_ATTR_CT_MARK);
1226 	}
1227 	if (*attrs & (1 << OVS_KEY_ATTR_CT_LABELS) &&
1228 	    ovs_ct_verify(net, OVS_KEY_ATTR_CT_LABELS)) {
1229 		const struct ovs_key_ct_labels *cl;
1230 
1231 		cl = nla_data(a[OVS_KEY_ATTR_CT_LABELS]);
1232 		SW_FLOW_KEY_MEMCPY(match, ct.labels, cl->ct_labels,
1233 				   sizeof(*cl), is_mask);
1234 		*attrs &= ~(1ULL << OVS_KEY_ATTR_CT_LABELS);
1235 	}
1236 	if (*attrs & (1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4)) {
1237 		const struct ovs_key_ct_tuple_ipv4 *ct;
1238 
1239 		ct = nla_data(a[OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4]);
1240 
1241 		SW_FLOW_KEY_PUT(match, ipv4.ct_orig.src, ct->ipv4_src, is_mask);
1242 		SW_FLOW_KEY_PUT(match, ipv4.ct_orig.dst, ct->ipv4_dst, is_mask);
1243 		SW_FLOW_KEY_PUT(match, ct.orig_tp.src, ct->src_port, is_mask);
1244 		SW_FLOW_KEY_PUT(match, ct.orig_tp.dst, ct->dst_port, is_mask);
1245 		SW_FLOW_KEY_PUT(match, ct_orig_proto, ct->ipv4_proto, is_mask);
1246 		*attrs &= ~(1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4);
1247 	}
1248 	if (*attrs & (1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6)) {
1249 		const struct ovs_key_ct_tuple_ipv6 *ct;
1250 
1251 		ct = nla_data(a[OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6]);
1252 
1253 		SW_FLOW_KEY_MEMCPY(match, ipv6.ct_orig.src, &ct->ipv6_src,
1254 				   sizeof(match->key->ipv6.ct_orig.src),
1255 				   is_mask);
1256 		SW_FLOW_KEY_MEMCPY(match, ipv6.ct_orig.dst, &ct->ipv6_dst,
1257 				   sizeof(match->key->ipv6.ct_orig.dst),
1258 				   is_mask);
1259 		SW_FLOW_KEY_PUT(match, ct.orig_tp.src, ct->src_port, is_mask);
1260 		SW_FLOW_KEY_PUT(match, ct.orig_tp.dst, ct->dst_port, is_mask);
1261 		SW_FLOW_KEY_PUT(match, ct_orig_proto, ct->ipv6_proto, is_mask);
1262 		*attrs &= ~(1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6);
1263 	}
1264 
1265 	/* For layer 3 packets the Ethernet type is provided
1266 	 * and treated as metadata but no MAC addresses are provided.
1267 	 */
1268 	if (!(*attrs & (1ULL << OVS_KEY_ATTR_ETHERNET)) &&
1269 	    (*attrs & (1ULL << OVS_KEY_ATTR_ETHERTYPE)))
1270 		mac_proto = MAC_PROTO_NONE;
1271 
1272 	/* Always exact match mac_proto */
1273 	SW_FLOW_KEY_PUT(match, mac_proto, is_mask ? 0xff : mac_proto, is_mask);
1274 
1275 	if (mac_proto == MAC_PROTO_NONE)
1276 		return parse_eth_type_from_nlattrs(match, attrs, a, is_mask,
1277 						   log);
1278 
1279 	return 0;
1280 }
1281 
1282 int nsh_hdr_from_nlattr(const struct nlattr *attr,
1283 			struct nshhdr *nh, size_t size)
1284 {
1285 	struct nlattr *a;
1286 	int rem;
1287 	u8 flags = 0;
1288 	u8 ttl = 0;
1289 	int mdlen = 0;
1290 
1291 	/* validate_nsh has check this, so we needn't do duplicate check here
1292 	 */
1293 	if (size < NSH_BASE_HDR_LEN)
1294 		return -ENOBUFS;
1295 
1296 	nla_for_each_nested(a, attr, rem) {
1297 		int type = nla_type(a);
1298 
1299 		switch (type) {
1300 		case OVS_NSH_KEY_ATTR_BASE: {
1301 			const struct ovs_nsh_key_base *base = nla_data(a);
1302 
1303 			flags = base->flags;
1304 			ttl = base->ttl;
1305 			nh->np = base->np;
1306 			nh->mdtype = base->mdtype;
1307 			nh->path_hdr = base->path_hdr;
1308 			break;
1309 		}
1310 		case OVS_NSH_KEY_ATTR_MD1:
1311 			mdlen = nla_len(a);
1312 			if (mdlen > size - NSH_BASE_HDR_LEN)
1313 				return -ENOBUFS;
1314 			memcpy(&nh->md1, nla_data(a), mdlen);
1315 			break;
1316 
1317 		case OVS_NSH_KEY_ATTR_MD2:
1318 			mdlen = nla_len(a);
1319 			if (mdlen > size - NSH_BASE_HDR_LEN)
1320 				return -ENOBUFS;
1321 			memcpy(&nh->md2, nla_data(a), mdlen);
1322 			break;
1323 
1324 		default:
1325 			return -EINVAL;
1326 		}
1327 	}
1328 
1329 	/* nsh header length  = NSH_BASE_HDR_LEN + mdlen */
1330 	nh->ver_flags_ttl_len = 0;
1331 	nsh_set_flags_ttl_len(nh, flags, ttl, NSH_BASE_HDR_LEN + mdlen);
1332 
1333 	return 0;
1334 }
1335 
1336 int nsh_key_from_nlattr(const struct nlattr *attr,
1337 			struct ovs_key_nsh *nsh, struct ovs_key_nsh *nsh_mask)
1338 {
1339 	struct nlattr *a;
1340 	int rem;
1341 
1342 	/* validate_nsh has check this, so we needn't do duplicate check here
1343 	 */
1344 	nla_for_each_nested(a, attr, rem) {
1345 		int type = nla_type(a);
1346 
1347 		switch (type) {
1348 		case OVS_NSH_KEY_ATTR_BASE: {
1349 			const struct ovs_nsh_key_base *base = nla_data(a);
1350 			const struct ovs_nsh_key_base *base_mask = base + 1;
1351 
1352 			nsh->base = *base;
1353 			nsh_mask->base = *base_mask;
1354 			break;
1355 		}
1356 		case OVS_NSH_KEY_ATTR_MD1: {
1357 			const struct ovs_nsh_key_md1 *md1 = nla_data(a);
1358 			const struct ovs_nsh_key_md1 *md1_mask = md1 + 1;
1359 
1360 			memcpy(nsh->context, md1->context, sizeof(*md1));
1361 			memcpy(nsh_mask->context, md1_mask->context,
1362 			       sizeof(*md1_mask));
1363 			break;
1364 		}
1365 		case OVS_NSH_KEY_ATTR_MD2:
1366 			/* Not supported yet */
1367 			return -ENOTSUPP;
1368 		default:
1369 			return -EINVAL;
1370 		}
1371 	}
1372 
1373 	return 0;
1374 }
1375 
1376 static int nsh_key_put_from_nlattr(const struct nlattr *attr,
1377 				   struct sw_flow_match *match, bool is_mask,
1378 				   bool is_push_nsh, bool log)
1379 {
1380 	struct nlattr *a;
1381 	int rem;
1382 	bool has_base = false;
1383 	bool has_md1 = false;
1384 	bool has_md2 = false;
1385 	u8 mdtype = 0;
1386 	int mdlen = 0;
1387 
1388 	if (WARN_ON(is_push_nsh && is_mask))
1389 		return -EINVAL;
1390 
1391 	nla_for_each_nested(a, attr, rem) {
1392 		int type = nla_type(a);
1393 		int i;
1394 
1395 		if (type > OVS_NSH_KEY_ATTR_MAX) {
1396 			OVS_NLERR(log, "nsh attr %d is out of range max %d",
1397 				  type, OVS_NSH_KEY_ATTR_MAX);
1398 			return -EINVAL;
1399 		}
1400 
1401 		if (!check_attr_len(nla_len(a),
1402 				    ovs_nsh_key_attr_lens[type].len)) {
1403 			OVS_NLERR(
1404 			    log,
1405 			    "nsh attr %d has unexpected len %d expected %d",
1406 			    type,
1407 			    nla_len(a),
1408 			    ovs_nsh_key_attr_lens[type].len
1409 			);
1410 			return -EINVAL;
1411 		}
1412 
1413 		switch (type) {
1414 		case OVS_NSH_KEY_ATTR_BASE: {
1415 			const struct ovs_nsh_key_base *base = nla_data(a);
1416 
1417 			has_base = true;
1418 			mdtype = base->mdtype;
1419 			SW_FLOW_KEY_PUT(match, nsh.base.flags,
1420 					base->flags, is_mask);
1421 			SW_FLOW_KEY_PUT(match, nsh.base.ttl,
1422 					base->ttl, is_mask);
1423 			SW_FLOW_KEY_PUT(match, nsh.base.mdtype,
1424 					base->mdtype, is_mask);
1425 			SW_FLOW_KEY_PUT(match, nsh.base.np,
1426 					base->np, is_mask);
1427 			SW_FLOW_KEY_PUT(match, nsh.base.path_hdr,
1428 					base->path_hdr, is_mask);
1429 			break;
1430 		}
1431 		case OVS_NSH_KEY_ATTR_MD1: {
1432 			const struct ovs_nsh_key_md1 *md1 = nla_data(a);
1433 
1434 			has_md1 = true;
1435 			for (i = 0; i < NSH_MD1_CONTEXT_SIZE; i++)
1436 				SW_FLOW_KEY_PUT(match, nsh.context[i],
1437 						md1->context[i], is_mask);
1438 			break;
1439 		}
1440 		case OVS_NSH_KEY_ATTR_MD2:
1441 			if (!is_push_nsh) /* Not supported MD type 2 yet */
1442 				return -ENOTSUPP;
1443 
1444 			has_md2 = true;
1445 			mdlen = nla_len(a);
1446 			if (mdlen > NSH_CTX_HDRS_MAX_LEN || mdlen <= 0) {
1447 				OVS_NLERR(
1448 				    log,
1449 				    "Invalid MD length %d for MD type %d",
1450 				    mdlen,
1451 				    mdtype
1452 				);
1453 				return -EINVAL;
1454 			}
1455 			break;
1456 		default:
1457 			OVS_NLERR(log, "Unknown nsh attribute %d",
1458 				  type);
1459 			return -EINVAL;
1460 		}
1461 	}
1462 
1463 	if (rem > 0) {
1464 		OVS_NLERR(log, "nsh attribute has %d unknown bytes.", rem);
1465 		return -EINVAL;
1466 	}
1467 
1468 	if (has_md1 && has_md2) {
1469 		OVS_NLERR(
1470 		    1,
1471 		    "invalid nsh attribute: md1 and md2 are exclusive."
1472 		);
1473 		return -EINVAL;
1474 	}
1475 
1476 	if (!is_mask) {
1477 		if ((has_md1 && mdtype != NSH_M_TYPE1) ||
1478 		    (has_md2 && mdtype != NSH_M_TYPE2)) {
1479 			OVS_NLERR(1, "nsh attribute has unmatched MD type %d.",
1480 				  mdtype);
1481 			return -EINVAL;
1482 		}
1483 
1484 		if (is_push_nsh &&
1485 		    (!has_base || (!has_md1 && !has_md2))) {
1486 			OVS_NLERR(
1487 			    1,
1488 			    "push_nsh: missing base or metadata attributes"
1489 			);
1490 			return -EINVAL;
1491 		}
1492 	}
1493 
1494 	return 0;
1495 }
1496 
1497 static int ovs_key_from_nlattrs(struct net *net, struct sw_flow_match *match,
1498 				u64 attrs, const struct nlattr **a,
1499 				bool is_mask, bool log)
1500 {
1501 	int err;
1502 
1503 	err = metadata_from_nlattrs(net, match, &attrs, a, is_mask, log);
1504 	if (err)
1505 		return err;
1506 
1507 	if (attrs & (1 << OVS_KEY_ATTR_ETHERNET)) {
1508 		const struct ovs_key_ethernet *eth_key;
1509 
1510 		eth_key = nla_data(a[OVS_KEY_ATTR_ETHERNET]);
1511 		SW_FLOW_KEY_MEMCPY(match, eth.src,
1512 				eth_key->eth_src, ETH_ALEN, is_mask);
1513 		SW_FLOW_KEY_MEMCPY(match, eth.dst,
1514 				eth_key->eth_dst, ETH_ALEN, is_mask);
1515 		attrs &= ~(1 << OVS_KEY_ATTR_ETHERNET);
1516 
1517 		if (attrs & (1 << OVS_KEY_ATTR_VLAN)) {
1518 			/* VLAN attribute is always parsed before getting here since it
1519 			 * may occur multiple times.
1520 			 */
1521 			OVS_NLERR(log, "VLAN attribute unexpected.");
1522 			return -EINVAL;
1523 		}
1524 
1525 		if (attrs & (1 << OVS_KEY_ATTR_ETHERTYPE)) {
1526 			err = parse_eth_type_from_nlattrs(match, &attrs, a, is_mask,
1527 							  log);
1528 			if (err)
1529 				return err;
1530 		} else if (!is_mask) {
1531 			SW_FLOW_KEY_PUT(match, eth.type, htons(ETH_P_802_2), is_mask);
1532 		}
1533 	} else if (!match->key->eth.type) {
1534 		OVS_NLERR(log, "Either Ethernet header or EtherType is required.");
1535 		return -EINVAL;
1536 	}
1537 
1538 	if (attrs & (1 << OVS_KEY_ATTR_IPV4)) {
1539 		const struct ovs_key_ipv4 *ipv4_key;
1540 
1541 		ipv4_key = nla_data(a[OVS_KEY_ATTR_IPV4]);
1542 		if (!is_mask && ipv4_key->ipv4_frag > OVS_FRAG_TYPE_MAX) {
1543 			OVS_NLERR(log, "IPv4 frag type %d is out of range max %d",
1544 				  ipv4_key->ipv4_frag, OVS_FRAG_TYPE_MAX);
1545 			return -EINVAL;
1546 		}
1547 		SW_FLOW_KEY_PUT(match, ip.proto,
1548 				ipv4_key->ipv4_proto, is_mask);
1549 		SW_FLOW_KEY_PUT(match, ip.tos,
1550 				ipv4_key->ipv4_tos, is_mask);
1551 		SW_FLOW_KEY_PUT(match, ip.ttl,
1552 				ipv4_key->ipv4_ttl, is_mask);
1553 		SW_FLOW_KEY_PUT(match, ip.frag,
1554 				ipv4_key->ipv4_frag, is_mask);
1555 		SW_FLOW_KEY_PUT(match, ipv4.addr.src,
1556 				ipv4_key->ipv4_src, is_mask);
1557 		SW_FLOW_KEY_PUT(match, ipv4.addr.dst,
1558 				ipv4_key->ipv4_dst, is_mask);
1559 		attrs &= ~(1 << OVS_KEY_ATTR_IPV4);
1560 	}
1561 
1562 	if (attrs & (1 << OVS_KEY_ATTR_IPV6)) {
1563 		const struct ovs_key_ipv6 *ipv6_key;
1564 
1565 		ipv6_key = nla_data(a[OVS_KEY_ATTR_IPV6]);
1566 		if (!is_mask && ipv6_key->ipv6_frag > OVS_FRAG_TYPE_MAX) {
1567 			OVS_NLERR(log, "IPv6 frag type %d is out of range max %d",
1568 				  ipv6_key->ipv6_frag, OVS_FRAG_TYPE_MAX);
1569 			return -EINVAL;
1570 		}
1571 
1572 		if (!is_mask && ipv6_key->ipv6_label & htonl(0xFFF00000)) {
1573 			OVS_NLERR(log, "IPv6 flow label %x is out of range (max=%x)",
1574 				  ntohl(ipv6_key->ipv6_label), (1 << 20) - 1);
1575 			return -EINVAL;
1576 		}
1577 
1578 		SW_FLOW_KEY_PUT(match, ipv6.label,
1579 				ipv6_key->ipv6_label, is_mask);
1580 		SW_FLOW_KEY_PUT(match, ip.proto,
1581 				ipv6_key->ipv6_proto, is_mask);
1582 		SW_FLOW_KEY_PUT(match, ip.tos,
1583 				ipv6_key->ipv6_tclass, is_mask);
1584 		SW_FLOW_KEY_PUT(match, ip.ttl,
1585 				ipv6_key->ipv6_hlimit, is_mask);
1586 		SW_FLOW_KEY_PUT(match, ip.frag,
1587 				ipv6_key->ipv6_frag, is_mask);
1588 		SW_FLOW_KEY_MEMCPY(match, ipv6.addr.src,
1589 				ipv6_key->ipv6_src,
1590 				sizeof(match->key->ipv6.addr.src),
1591 				is_mask);
1592 		SW_FLOW_KEY_MEMCPY(match, ipv6.addr.dst,
1593 				ipv6_key->ipv6_dst,
1594 				sizeof(match->key->ipv6.addr.dst),
1595 				is_mask);
1596 
1597 		attrs &= ~(1 << OVS_KEY_ATTR_IPV6);
1598 	}
1599 
1600 	if (attrs & (1 << OVS_KEY_ATTR_ARP)) {
1601 		const struct ovs_key_arp *arp_key;
1602 
1603 		arp_key = nla_data(a[OVS_KEY_ATTR_ARP]);
1604 		if (!is_mask && (arp_key->arp_op & htons(0xff00))) {
1605 			OVS_NLERR(log, "Unknown ARP opcode (opcode=%d).",
1606 				  arp_key->arp_op);
1607 			return -EINVAL;
1608 		}
1609 
1610 		SW_FLOW_KEY_PUT(match, ipv4.addr.src,
1611 				arp_key->arp_sip, is_mask);
1612 		SW_FLOW_KEY_PUT(match, ipv4.addr.dst,
1613 			arp_key->arp_tip, is_mask);
1614 		SW_FLOW_KEY_PUT(match, ip.proto,
1615 				ntohs(arp_key->arp_op), is_mask);
1616 		SW_FLOW_KEY_MEMCPY(match, ipv4.arp.sha,
1617 				arp_key->arp_sha, ETH_ALEN, is_mask);
1618 		SW_FLOW_KEY_MEMCPY(match, ipv4.arp.tha,
1619 				arp_key->arp_tha, ETH_ALEN, is_mask);
1620 
1621 		attrs &= ~(1 << OVS_KEY_ATTR_ARP);
1622 	}
1623 
1624 	if (attrs & (1 << OVS_KEY_ATTR_NSH)) {
1625 		if (nsh_key_put_from_nlattr(a[OVS_KEY_ATTR_NSH], match,
1626 					    is_mask, false, log) < 0)
1627 			return -EINVAL;
1628 		attrs &= ~(1 << OVS_KEY_ATTR_NSH);
1629 	}
1630 
1631 	if (attrs & (1 << OVS_KEY_ATTR_MPLS)) {
1632 		const struct ovs_key_mpls *mpls_key;
1633 		u32 hdr_len;
1634 		u32 label_count, label_count_mask, i;
1635 
1636 		mpls_key = nla_data(a[OVS_KEY_ATTR_MPLS]);
1637 		hdr_len = nla_len(a[OVS_KEY_ATTR_MPLS]);
1638 		label_count = hdr_len / sizeof(struct ovs_key_mpls);
1639 
1640 		if (label_count == 0 || label_count > MPLS_LABEL_DEPTH ||
1641 		    hdr_len % sizeof(struct ovs_key_mpls))
1642 			return -EINVAL;
1643 
1644 		label_count_mask =  GENMASK(label_count - 1, 0);
1645 
1646 		for (i = 0 ; i < label_count; i++)
1647 			SW_FLOW_KEY_PUT(match, mpls.lse[i],
1648 					mpls_key[i].mpls_lse, is_mask);
1649 
1650 		SW_FLOW_KEY_PUT(match, mpls.num_labels_mask,
1651 				label_count_mask, is_mask);
1652 
1653 		attrs &= ~(1 << OVS_KEY_ATTR_MPLS);
1654 	 }
1655 
1656 	if (attrs & (1 << OVS_KEY_ATTR_TCP)) {
1657 		const struct ovs_key_tcp *tcp_key;
1658 
1659 		tcp_key = nla_data(a[OVS_KEY_ATTR_TCP]);
1660 		SW_FLOW_KEY_PUT(match, tp.src, tcp_key->tcp_src, is_mask);
1661 		SW_FLOW_KEY_PUT(match, tp.dst, tcp_key->tcp_dst, is_mask);
1662 		attrs &= ~(1 << OVS_KEY_ATTR_TCP);
1663 	}
1664 
1665 	if (attrs & (1 << OVS_KEY_ATTR_TCP_FLAGS)) {
1666 		SW_FLOW_KEY_PUT(match, tp.flags,
1667 				nla_get_be16(a[OVS_KEY_ATTR_TCP_FLAGS]),
1668 				is_mask);
1669 		attrs &= ~(1 << OVS_KEY_ATTR_TCP_FLAGS);
1670 	}
1671 
1672 	if (attrs & (1 << OVS_KEY_ATTR_UDP)) {
1673 		const struct ovs_key_udp *udp_key;
1674 
1675 		udp_key = nla_data(a[OVS_KEY_ATTR_UDP]);
1676 		SW_FLOW_KEY_PUT(match, tp.src, udp_key->udp_src, is_mask);
1677 		SW_FLOW_KEY_PUT(match, tp.dst, udp_key->udp_dst, is_mask);
1678 		attrs &= ~(1 << OVS_KEY_ATTR_UDP);
1679 	}
1680 
1681 	if (attrs & (1 << OVS_KEY_ATTR_SCTP)) {
1682 		const struct ovs_key_sctp *sctp_key;
1683 
1684 		sctp_key = nla_data(a[OVS_KEY_ATTR_SCTP]);
1685 		SW_FLOW_KEY_PUT(match, tp.src, sctp_key->sctp_src, is_mask);
1686 		SW_FLOW_KEY_PUT(match, tp.dst, sctp_key->sctp_dst, is_mask);
1687 		attrs &= ~(1 << OVS_KEY_ATTR_SCTP);
1688 	}
1689 
1690 	if (attrs & (1 << OVS_KEY_ATTR_ICMP)) {
1691 		const struct ovs_key_icmp *icmp_key;
1692 
1693 		icmp_key = nla_data(a[OVS_KEY_ATTR_ICMP]);
1694 		SW_FLOW_KEY_PUT(match, tp.src,
1695 				htons(icmp_key->icmp_type), is_mask);
1696 		SW_FLOW_KEY_PUT(match, tp.dst,
1697 				htons(icmp_key->icmp_code), is_mask);
1698 		attrs &= ~(1 << OVS_KEY_ATTR_ICMP);
1699 	}
1700 
1701 	if (attrs & (1 << OVS_KEY_ATTR_ICMPV6)) {
1702 		const struct ovs_key_icmpv6 *icmpv6_key;
1703 
1704 		icmpv6_key = nla_data(a[OVS_KEY_ATTR_ICMPV6]);
1705 		SW_FLOW_KEY_PUT(match, tp.src,
1706 				htons(icmpv6_key->icmpv6_type), is_mask);
1707 		SW_FLOW_KEY_PUT(match, tp.dst,
1708 				htons(icmpv6_key->icmpv6_code), is_mask);
1709 		attrs &= ~(1 << OVS_KEY_ATTR_ICMPV6);
1710 	}
1711 
1712 	if (attrs & (1 << OVS_KEY_ATTR_ND)) {
1713 		const struct ovs_key_nd *nd_key;
1714 
1715 		nd_key = nla_data(a[OVS_KEY_ATTR_ND]);
1716 		SW_FLOW_KEY_MEMCPY(match, ipv6.nd.target,
1717 			nd_key->nd_target,
1718 			sizeof(match->key->ipv6.nd.target),
1719 			is_mask);
1720 		SW_FLOW_KEY_MEMCPY(match, ipv6.nd.sll,
1721 			nd_key->nd_sll, ETH_ALEN, is_mask);
1722 		SW_FLOW_KEY_MEMCPY(match, ipv6.nd.tll,
1723 				nd_key->nd_tll, ETH_ALEN, is_mask);
1724 		attrs &= ~(1 << OVS_KEY_ATTR_ND);
1725 	}
1726 
1727 	if (attrs != 0) {
1728 		OVS_NLERR(log, "Unknown key attributes %llx",
1729 			  (unsigned long long)attrs);
1730 		return -EINVAL;
1731 	}
1732 
1733 	return 0;
1734 }
1735 
1736 static void nlattr_set(struct nlattr *attr, u8 val,
1737 		       const struct ovs_len_tbl *tbl)
1738 {
1739 	struct nlattr *nla;
1740 	int rem;
1741 
1742 	/* The nlattr stream should already have been validated */
1743 	nla_for_each_nested(nla, attr, rem) {
1744 		if (tbl[nla_type(nla)].len == OVS_ATTR_NESTED)
1745 			nlattr_set(nla, val, tbl[nla_type(nla)].next ? : tbl);
1746 		else
1747 			memset(nla_data(nla), val, nla_len(nla));
1748 
1749 		if (nla_type(nla) == OVS_KEY_ATTR_CT_STATE)
1750 			*(u32 *)nla_data(nla) &= CT_SUPPORTED_MASK;
1751 	}
1752 }
1753 
1754 static void mask_set_nlattr(struct nlattr *attr, u8 val)
1755 {
1756 	nlattr_set(attr, val, ovs_key_lens);
1757 }
1758 
1759 /**
1760  * ovs_nla_get_match - parses Netlink attributes into a flow key and
1761  * mask. In case the 'mask' is NULL, the flow is treated as exact match
1762  * flow. Otherwise, it is treated as a wildcarded flow, except the mask
1763  * does not include any don't care bit.
1764  * @net: Used to determine per-namespace field support.
1765  * @match: receives the extracted flow match information.
1766  * @nla_key: Netlink attribute holding nested %OVS_KEY_ATTR_* Netlink attribute
1767  * sequence. The fields should of the packet that triggered the creation
1768  * of this flow.
1769  * @nla_mask: Optional. Netlink attribute holding nested %OVS_KEY_ATTR_*
1770  * Netlink attribute specifies the mask field of the wildcarded flow.
1771  * @log: Boolean to allow kernel error logging.  Normally true, but when
1772  * probing for feature compatibility this should be passed in as false to
1773  * suppress unnecessary error logging.
1774  */
1775 int ovs_nla_get_match(struct net *net, struct sw_flow_match *match,
1776 		      const struct nlattr *nla_key,
1777 		      const struct nlattr *nla_mask,
1778 		      bool log)
1779 {
1780 	const struct nlattr *a[OVS_KEY_ATTR_MAX + 1];
1781 	struct nlattr *newmask = NULL;
1782 	u64 key_attrs = 0;
1783 	u64 mask_attrs = 0;
1784 	int err;
1785 
1786 	err = parse_flow_nlattrs(nla_key, a, &key_attrs, log);
1787 	if (err)
1788 		return err;
1789 
1790 	err = parse_vlan_from_nlattrs(match, &key_attrs, a, false, log);
1791 	if (err)
1792 		return err;
1793 
1794 	err = ovs_key_from_nlattrs(net, match, key_attrs, a, false, log);
1795 	if (err)
1796 		return err;
1797 
1798 	if (match->mask) {
1799 		if (!nla_mask) {
1800 			/* Create an exact match mask. We need to set to 0xff
1801 			 * all the 'match->mask' fields that have been touched
1802 			 * in 'match->key'. We cannot simply memset
1803 			 * 'match->mask', because padding bytes and fields not
1804 			 * specified in 'match->key' should be left to 0.
1805 			 * Instead, we use a stream of netlink attributes,
1806 			 * copied from 'key' and set to 0xff.
1807 			 * ovs_key_from_nlattrs() will take care of filling
1808 			 * 'match->mask' appropriately.
1809 			 */
1810 			newmask = kmemdup(nla_key,
1811 					  nla_total_size(nla_len(nla_key)),
1812 					  GFP_KERNEL);
1813 			if (!newmask)
1814 				return -ENOMEM;
1815 
1816 			mask_set_nlattr(newmask, 0xff);
1817 
1818 			/* The userspace does not send tunnel attributes that
1819 			 * are 0, but we should not wildcard them nonetheless.
1820 			 */
1821 			if (match->key->tun_proto)
1822 				SW_FLOW_KEY_MEMSET_FIELD(match, tun_key,
1823 							 0xff, true);
1824 
1825 			nla_mask = newmask;
1826 		}
1827 
1828 		err = parse_flow_mask_nlattrs(nla_mask, a, &mask_attrs, log);
1829 		if (err)
1830 			goto free_newmask;
1831 
1832 		/* Always match on tci. */
1833 		SW_FLOW_KEY_PUT(match, eth.vlan.tci, htons(0xffff), true);
1834 		SW_FLOW_KEY_PUT(match, eth.cvlan.tci, htons(0xffff), true);
1835 
1836 		err = parse_vlan_from_nlattrs(match, &mask_attrs, a, true, log);
1837 		if (err)
1838 			goto free_newmask;
1839 
1840 		err = ovs_key_from_nlattrs(net, match, mask_attrs, a, true,
1841 					   log);
1842 		if (err)
1843 			goto free_newmask;
1844 	}
1845 
1846 	if (!match_validate(match, key_attrs, mask_attrs, log))
1847 		err = -EINVAL;
1848 
1849 free_newmask:
1850 	kfree(newmask);
1851 	return err;
1852 }
1853 
1854 static size_t get_ufid_len(const struct nlattr *attr, bool log)
1855 {
1856 	size_t len;
1857 
1858 	if (!attr)
1859 		return 0;
1860 
1861 	len = nla_len(attr);
1862 	if (len < 1 || len > MAX_UFID_LENGTH) {
1863 		OVS_NLERR(log, "ufid size %u bytes exceeds the range (1, %d)",
1864 			  nla_len(attr), MAX_UFID_LENGTH);
1865 		return 0;
1866 	}
1867 
1868 	return len;
1869 }
1870 
1871 /* Initializes 'flow->ufid', returning true if 'attr' contains a valid UFID,
1872  * or false otherwise.
1873  */
1874 bool ovs_nla_get_ufid(struct sw_flow_id *sfid, const struct nlattr *attr,
1875 		      bool log)
1876 {
1877 	sfid->ufid_len = get_ufid_len(attr, log);
1878 	if (sfid->ufid_len)
1879 		memcpy(sfid->ufid, nla_data(attr), sfid->ufid_len);
1880 
1881 	return sfid->ufid_len;
1882 }
1883 
1884 int ovs_nla_get_identifier(struct sw_flow_id *sfid, const struct nlattr *ufid,
1885 			   const struct sw_flow_key *key, bool log)
1886 {
1887 	struct sw_flow_key *new_key;
1888 
1889 	if (ovs_nla_get_ufid(sfid, ufid, log))
1890 		return 0;
1891 
1892 	/* If UFID was not provided, use unmasked key. */
1893 	new_key = kmalloc(sizeof(*new_key), GFP_KERNEL);
1894 	if (!new_key)
1895 		return -ENOMEM;
1896 	memcpy(new_key, key, sizeof(*key));
1897 	sfid->unmasked_key = new_key;
1898 
1899 	return 0;
1900 }
1901 
1902 u32 ovs_nla_get_ufid_flags(const struct nlattr *attr)
1903 {
1904 	return attr ? nla_get_u32(attr) : 0;
1905 }
1906 
1907 /**
1908  * ovs_nla_get_flow_metadata - parses Netlink attributes into a flow key.
1909  * @net: Network namespace.
1910  * @key: Receives extracted in_port, priority, tun_key, skb_mark and conntrack
1911  * metadata.
1912  * @a: Array of netlink attributes holding parsed %OVS_KEY_ATTR_* Netlink
1913  * attributes.
1914  * @attrs: Bit mask for the netlink attributes included in @a.
1915  * @log: Boolean to allow kernel error logging.  Normally true, but when
1916  * probing for feature compatibility this should be passed in as false to
1917  * suppress unnecessary error logging.
1918  *
1919  * This parses a series of Netlink attributes that form a flow key, which must
1920  * take the same form accepted by flow_from_nlattrs(), but only enough of it to
1921  * get the metadata, that is, the parts of the flow key that cannot be
1922  * extracted from the packet itself.
1923  *
1924  * This must be called before the packet key fields are filled in 'key'.
1925  */
1926 
1927 int ovs_nla_get_flow_metadata(struct net *net,
1928 			      const struct nlattr *a[OVS_KEY_ATTR_MAX + 1],
1929 			      u64 attrs, struct sw_flow_key *key, bool log)
1930 {
1931 	struct sw_flow_match match;
1932 
1933 	memset(&match, 0, sizeof(match));
1934 	match.key = key;
1935 
1936 	key->ct_state = 0;
1937 	key->ct_zone = 0;
1938 	key->ct_orig_proto = 0;
1939 	memset(&key->ct, 0, sizeof(key->ct));
1940 	memset(&key->ipv4.ct_orig, 0, sizeof(key->ipv4.ct_orig));
1941 	memset(&key->ipv6.ct_orig, 0, sizeof(key->ipv6.ct_orig));
1942 
1943 	key->phy.in_port = DP_MAX_PORTS;
1944 
1945 	return metadata_from_nlattrs(net, &match, &attrs, a, false, log);
1946 }
1947 
1948 static int ovs_nla_put_vlan(struct sk_buff *skb, const struct vlan_head *vh,
1949 			    bool is_mask)
1950 {
1951 	__be16 eth_type = !is_mask ? vh->tpid : htons(0xffff);
1952 
1953 	if (nla_put_be16(skb, OVS_KEY_ATTR_ETHERTYPE, eth_type) ||
1954 	    nla_put_be16(skb, OVS_KEY_ATTR_VLAN, vh->tci))
1955 		return -EMSGSIZE;
1956 	return 0;
1957 }
1958 
1959 static int nsh_key_to_nlattr(const struct ovs_key_nsh *nsh, bool is_mask,
1960 			     struct sk_buff *skb)
1961 {
1962 	struct nlattr *start;
1963 
1964 	start = nla_nest_start_noflag(skb, OVS_KEY_ATTR_NSH);
1965 	if (!start)
1966 		return -EMSGSIZE;
1967 
1968 	if (nla_put(skb, OVS_NSH_KEY_ATTR_BASE, sizeof(nsh->base), &nsh->base))
1969 		goto nla_put_failure;
1970 
1971 	if (is_mask || nsh->base.mdtype == NSH_M_TYPE1) {
1972 		if (nla_put(skb, OVS_NSH_KEY_ATTR_MD1,
1973 			    sizeof(nsh->context), nsh->context))
1974 			goto nla_put_failure;
1975 	}
1976 
1977 	/* Don't support MD type 2 yet */
1978 
1979 	nla_nest_end(skb, start);
1980 
1981 	return 0;
1982 
1983 nla_put_failure:
1984 	return -EMSGSIZE;
1985 }
1986 
1987 static int __ovs_nla_put_key(const struct sw_flow_key *swkey,
1988 			     const struct sw_flow_key *output, bool is_mask,
1989 			     struct sk_buff *skb)
1990 {
1991 	struct ovs_key_ethernet *eth_key;
1992 	struct nlattr *nla;
1993 	struct nlattr *encap = NULL;
1994 	struct nlattr *in_encap = NULL;
1995 
1996 	if (nla_put_u32(skb, OVS_KEY_ATTR_RECIRC_ID, output->recirc_id))
1997 		goto nla_put_failure;
1998 
1999 	if (nla_put_u32(skb, OVS_KEY_ATTR_DP_HASH, output->ovs_flow_hash))
2000 		goto nla_put_failure;
2001 
2002 	if (nla_put_u32(skb, OVS_KEY_ATTR_PRIORITY, output->phy.priority))
2003 		goto nla_put_failure;
2004 
2005 	if ((swkey->tun_proto || is_mask)) {
2006 		const void *opts = NULL;
2007 
2008 		if (output->tun_key.tun_flags & TUNNEL_OPTIONS_PRESENT)
2009 			opts = TUN_METADATA_OPTS(output, swkey->tun_opts_len);
2010 
2011 		if (ip_tun_to_nlattr(skb, &output->tun_key, opts,
2012 				     swkey->tun_opts_len, swkey->tun_proto, 0))
2013 			goto nla_put_failure;
2014 	}
2015 
2016 	if (swkey->phy.in_port == DP_MAX_PORTS) {
2017 		if (is_mask && (output->phy.in_port == 0xffff))
2018 			if (nla_put_u32(skb, OVS_KEY_ATTR_IN_PORT, 0xffffffff))
2019 				goto nla_put_failure;
2020 	} else {
2021 		u16 upper_u16;
2022 		upper_u16 = !is_mask ? 0 : 0xffff;
2023 
2024 		if (nla_put_u32(skb, OVS_KEY_ATTR_IN_PORT,
2025 				(upper_u16 << 16) | output->phy.in_port))
2026 			goto nla_put_failure;
2027 	}
2028 
2029 	if (nla_put_u32(skb, OVS_KEY_ATTR_SKB_MARK, output->phy.skb_mark))
2030 		goto nla_put_failure;
2031 
2032 	if (ovs_ct_put_key(swkey, output, skb))
2033 		goto nla_put_failure;
2034 
2035 	if (ovs_key_mac_proto(swkey) == MAC_PROTO_ETHERNET) {
2036 		nla = nla_reserve(skb, OVS_KEY_ATTR_ETHERNET, sizeof(*eth_key));
2037 		if (!nla)
2038 			goto nla_put_failure;
2039 
2040 		eth_key = nla_data(nla);
2041 		ether_addr_copy(eth_key->eth_src, output->eth.src);
2042 		ether_addr_copy(eth_key->eth_dst, output->eth.dst);
2043 
2044 		if (swkey->eth.vlan.tci || eth_type_vlan(swkey->eth.type)) {
2045 			if (ovs_nla_put_vlan(skb, &output->eth.vlan, is_mask))
2046 				goto nla_put_failure;
2047 			encap = nla_nest_start_noflag(skb, OVS_KEY_ATTR_ENCAP);
2048 			if (!swkey->eth.vlan.tci)
2049 				goto unencap;
2050 
2051 			if (swkey->eth.cvlan.tci || eth_type_vlan(swkey->eth.type)) {
2052 				if (ovs_nla_put_vlan(skb, &output->eth.cvlan, is_mask))
2053 					goto nla_put_failure;
2054 				in_encap = nla_nest_start_noflag(skb,
2055 								 OVS_KEY_ATTR_ENCAP);
2056 				if (!swkey->eth.cvlan.tci)
2057 					goto unencap;
2058 			}
2059 		}
2060 
2061 		if (swkey->eth.type == htons(ETH_P_802_2)) {
2062 			/*
2063 			* Ethertype 802.2 is represented in the netlink with omitted
2064 			* OVS_KEY_ATTR_ETHERTYPE in the flow key attribute, and
2065 			* 0xffff in the mask attribute.  Ethertype can also
2066 			* be wildcarded.
2067 			*/
2068 			if (is_mask && output->eth.type)
2069 				if (nla_put_be16(skb, OVS_KEY_ATTR_ETHERTYPE,
2070 							output->eth.type))
2071 					goto nla_put_failure;
2072 			goto unencap;
2073 		}
2074 	}
2075 
2076 	if (nla_put_be16(skb, OVS_KEY_ATTR_ETHERTYPE, output->eth.type))
2077 		goto nla_put_failure;
2078 
2079 	if (eth_type_vlan(swkey->eth.type)) {
2080 		/* There are 3 VLAN tags, we don't know anything about the rest
2081 		 * of the packet, so truncate here.
2082 		 */
2083 		WARN_ON_ONCE(!(encap && in_encap));
2084 		goto unencap;
2085 	}
2086 
2087 	if (swkey->eth.type == htons(ETH_P_IP)) {
2088 		struct ovs_key_ipv4 *ipv4_key;
2089 
2090 		nla = nla_reserve(skb, OVS_KEY_ATTR_IPV4, sizeof(*ipv4_key));
2091 		if (!nla)
2092 			goto nla_put_failure;
2093 		ipv4_key = nla_data(nla);
2094 		ipv4_key->ipv4_src = output->ipv4.addr.src;
2095 		ipv4_key->ipv4_dst = output->ipv4.addr.dst;
2096 		ipv4_key->ipv4_proto = output->ip.proto;
2097 		ipv4_key->ipv4_tos = output->ip.tos;
2098 		ipv4_key->ipv4_ttl = output->ip.ttl;
2099 		ipv4_key->ipv4_frag = output->ip.frag;
2100 	} else if (swkey->eth.type == htons(ETH_P_IPV6)) {
2101 		struct ovs_key_ipv6 *ipv6_key;
2102 
2103 		nla = nla_reserve(skb, OVS_KEY_ATTR_IPV6, sizeof(*ipv6_key));
2104 		if (!nla)
2105 			goto nla_put_failure;
2106 		ipv6_key = nla_data(nla);
2107 		memcpy(ipv6_key->ipv6_src, &output->ipv6.addr.src,
2108 				sizeof(ipv6_key->ipv6_src));
2109 		memcpy(ipv6_key->ipv6_dst, &output->ipv6.addr.dst,
2110 				sizeof(ipv6_key->ipv6_dst));
2111 		ipv6_key->ipv6_label = output->ipv6.label;
2112 		ipv6_key->ipv6_proto = output->ip.proto;
2113 		ipv6_key->ipv6_tclass = output->ip.tos;
2114 		ipv6_key->ipv6_hlimit = output->ip.ttl;
2115 		ipv6_key->ipv6_frag = output->ip.frag;
2116 	} else if (swkey->eth.type == htons(ETH_P_NSH)) {
2117 		if (nsh_key_to_nlattr(&output->nsh, is_mask, skb))
2118 			goto nla_put_failure;
2119 	} else if (swkey->eth.type == htons(ETH_P_ARP) ||
2120 		   swkey->eth.type == htons(ETH_P_RARP)) {
2121 		struct ovs_key_arp *arp_key;
2122 
2123 		nla = nla_reserve(skb, OVS_KEY_ATTR_ARP, sizeof(*arp_key));
2124 		if (!nla)
2125 			goto nla_put_failure;
2126 		arp_key = nla_data(nla);
2127 		memset(arp_key, 0, sizeof(struct ovs_key_arp));
2128 		arp_key->arp_sip = output->ipv4.addr.src;
2129 		arp_key->arp_tip = output->ipv4.addr.dst;
2130 		arp_key->arp_op = htons(output->ip.proto);
2131 		ether_addr_copy(arp_key->arp_sha, output->ipv4.arp.sha);
2132 		ether_addr_copy(arp_key->arp_tha, output->ipv4.arp.tha);
2133 	} else if (eth_p_mpls(swkey->eth.type)) {
2134 		u8 i, num_labels;
2135 		struct ovs_key_mpls *mpls_key;
2136 
2137 		num_labels = hweight_long(output->mpls.num_labels_mask);
2138 		nla = nla_reserve(skb, OVS_KEY_ATTR_MPLS,
2139 				  num_labels * sizeof(*mpls_key));
2140 		if (!nla)
2141 			goto nla_put_failure;
2142 
2143 		mpls_key = nla_data(nla);
2144 		for (i = 0; i < num_labels; i++)
2145 			mpls_key[i].mpls_lse = output->mpls.lse[i];
2146 	}
2147 
2148 	if ((swkey->eth.type == htons(ETH_P_IP) ||
2149 	     swkey->eth.type == htons(ETH_P_IPV6)) &&
2150 	     swkey->ip.frag != OVS_FRAG_TYPE_LATER) {
2151 
2152 		if (swkey->ip.proto == IPPROTO_TCP) {
2153 			struct ovs_key_tcp *tcp_key;
2154 
2155 			nla = nla_reserve(skb, OVS_KEY_ATTR_TCP, sizeof(*tcp_key));
2156 			if (!nla)
2157 				goto nla_put_failure;
2158 			tcp_key = nla_data(nla);
2159 			tcp_key->tcp_src = output->tp.src;
2160 			tcp_key->tcp_dst = output->tp.dst;
2161 			if (nla_put_be16(skb, OVS_KEY_ATTR_TCP_FLAGS,
2162 					 output->tp.flags))
2163 				goto nla_put_failure;
2164 		} else if (swkey->ip.proto == IPPROTO_UDP) {
2165 			struct ovs_key_udp *udp_key;
2166 
2167 			nla = nla_reserve(skb, OVS_KEY_ATTR_UDP, sizeof(*udp_key));
2168 			if (!nla)
2169 				goto nla_put_failure;
2170 			udp_key = nla_data(nla);
2171 			udp_key->udp_src = output->tp.src;
2172 			udp_key->udp_dst = output->tp.dst;
2173 		} else if (swkey->ip.proto == IPPROTO_SCTP) {
2174 			struct ovs_key_sctp *sctp_key;
2175 
2176 			nla = nla_reserve(skb, OVS_KEY_ATTR_SCTP, sizeof(*sctp_key));
2177 			if (!nla)
2178 				goto nla_put_failure;
2179 			sctp_key = nla_data(nla);
2180 			sctp_key->sctp_src = output->tp.src;
2181 			sctp_key->sctp_dst = output->tp.dst;
2182 		} else if (swkey->eth.type == htons(ETH_P_IP) &&
2183 			   swkey->ip.proto == IPPROTO_ICMP) {
2184 			struct ovs_key_icmp *icmp_key;
2185 
2186 			nla = nla_reserve(skb, OVS_KEY_ATTR_ICMP, sizeof(*icmp_key));
2187 			if (!nla)
2188 				goto nla_put_failure;
2189 			icmp_key = nla_data(nla);
2190 			icmp_key->icmp_type = ntohs(output->tp.src);
2191 			icmp_key->icmp_code = ntohs(output->tp.dst);
2192 		} else if (swkey->eth.type == htons(ETH_P_IPV6) &&
2193 			   swkey->ip.proto == IPPROTO_ICMPV6) {
2194 			struct ovs_key_icmpv6 *icmpv6_key;
2195 
2196 			nla = nla_reserve(skb, OVS_KEY_ATTR_ICMPV6,
2197 						sizeof(*icmpv6_key));
2198 			if (!nla)
2199 				goto nla_put_failure;
2200 			icmpv6_key = nla_data(nla);
2201 			icmpv6_key->icmpv6_type = ntohs(output->tp.src);
2202 			icmpv6_key->icmpv6_code = ntohs(output->tp.dst);
2203 
2204 			if (icmpv6_key->icmpv6_type == NDISC_NEIGHBOUR_SOLICITATION ||
2205 			    icmpv6_key->icmpv6_type == NDISC_NEIGHBOUR_ADVERTISEMENT) {
2206 				struct ovs_key_nd *nd_key;
2207 
2208 				nla = nla_reserve(skb, OVS_KEY_ATTR_ND, sizeof(*nd_key));
2209 				if (!nla)
2210 					goto nla_put_failure;
2211 				nd_key = nla_data(nla);
2212 				memcpy(nd_key->nd_target, &output->ipv6.nd.target,
2213 							sizeof(nd_key->nd_target));
2214 				ether_addr_copy(nd_key->nd_sll, output->ipv6.nd.sll);
2215 				ether_addr_copy(nd_key->nd_tll, output->ipv6.nd.tll);
2216 			}
2217 		}
2218 	}
2219 
2220 unencap:
2221 	if (in_encap)
2222 		nla_nest_end(skb, in_encap);
2223 	if (encap)
2224 		nla_nest_end(skb, encap);
2225 
2226 	return 0;
2227 
2228 nla_put_failure:
2229 	return -EMSGSIZE;
2230 }
2231 
2232 int ovs_nla_put_key(const struct sw_flow_key *swkey,
2233 		    const struct sw_flow_key *output, int attr, bool is_mask,
2234 		    struct sk_buff *skb)
2235 {
2236 	int err;
2237 	struct nlattr *nla;
2238 
2239 	nla = nla_nest_start_noflag(skb, attr);
2240 	if (!nla)
2241 		return -EMSGSIZE;
2242 	err = __ovs_nla_put_key(swkey, output, is_mask, skb);
2243 	if (err)
2244 		return err;
2245 	nla_nest_end(skb, nla);
2246 
2247 	return 0;
2248 }
2249 
2250 /* Called with ovs_mutex or RCU read lock. */
2251 int ovs_nla_put_identifier(const struct sw_flow *flow, struct sk_buff *skb)
2252 {
2253 	if (ovs_identifier_is_ufid(&flow->id))
2254 		return nla_put(skb, OVS_FLOW_ATTR_UFID, flow->id.ufid_len,
2255 			       flow->id.ufid);
2256 
2257 	return ovs_nla_put_key(flow->id.unmasked_key, flow->id.unmasked_key,
2258 			       OVS_FLOW_ATTR_KEY, false, skb);
2259 }
2260 
2261 /* Called with ovs_mutex or RCU read lock. */
2262 int ovs_nla_put_masked_key(const struct sw_flow *flow, struct sk_buff *skb)
2263 {
2264 	return ovs_nla_put_key(&flow->key, &flow->key,
2265 				OVS_FLOW_ATTR_KEY, false, skb);
2266 }
2267 
2268 /* Called with ovs_mutex or RCU read lock. */
2269 int ovs_nla_put_mask(const struct sw_flow *flow, struct sk_buff *skb)
2270 {
2271 	return ovs_nla_put_key(&flow->key, &flow->mask->key,
2272 				OVS_FLOW_ATTR_MASK, true, skb);
2273 }
2274 
2275 #define MAX_ACTIONS_BUFSIZE	(32 * 1024)
2276 
2277 static struct sw_flow_actions *nla_alloc_flow_actions(int size)
2278 {
2279 	struct sw_flow_actions *sfa;
2280 
2281 	WARN_ON_ONCE(size > MAX_ACTIONS_BUFSIZE);
2282 
2283 	sfa = kmalloc(sizeof(*sfa) + size, GFP_KERNEL);
2284 	if (!sfa)
2285 		return ERR_PTR(-ENOMEM);
2286 
2287 	sfa->actions_len = 0;
2288 	return sfa;
2289 }
2290 
2291 static void ovs_nla_free_set_action(const struct nlattr *a)
2292 {
2293 	const struct nlattr *ovs_key = nla_data(a);
2294 	struct ovs_tunnel_info *ovs_tun;
2295 
2296 	switch (nla_type(ovs_key)) {
2297 	case OVS_KEY_ATTR_TUNNEL_INFO:
2298 		ovs_tun = nla_data(ovs_key);
2299 		dst_release((struct dst_entry *)ovs_tun->tun_dst);
2300 		break;
2301 	}
2302 }
2303 
2304 void ovs_nla_free_flow_actions(struct sw_flow_actions *sf_acts)
2305 {
2306 	const struct nlattr *a;
2307 	int rem;
2308 
2309 	if (!sf_acts)
2310 		return;
2311 
2312 	nla_for_each_attr(a, sf_acts->actions, sf_acts->actions_len, rem) {
2313 		switch (nla_type(a)) {
2314 		case OVS_ACTION_ATTR_SET:
2315 			ovs_nla_free_set_action(a);
2316 			break;
2317 		case OVS_ACTION_ATTR_CT:
2318 			ovs_ct_free_action(a);
2319 			break;
2320 		}
2321 	}
2322 
2323 	kfree(sf_acts);
2324 }
2325 
2326 static void __ovs_nla_free_flow_actions(struct rcu_head *head)
2327 {
2328 	ovs_nla_free_flow_actions(container_of(head, struct sw_flow_actions, rcu));
2329 }
2330 
2331 /* Schedules 'sf_acts' to be freed after the next RCU grace period.
2332  * The caller must hold rcu_read_lock for this to be sensible. */
2333 void ovs_nla_free_flow_actions_rcu(struct sw_flow_actions *sf_acts)
2334 {
2335 	call_rcu(&sf_acts->rcu, __ovs_nla_free_flow_actions);
2336 }
2337 
2338 static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa,
2339 				       int attr_len, bool log)
2340 {
2341 
2342 	struct sw_flow_actions *acts;
2343 	int new_acts_size;
2344 	size_t req_size = NLA_ALIGN(attr_len);
2345 	int next_offset = offsetof(struct sw_flow_actions, actions) +
2346 					(*sfa)->actions_len;
2347 
2348 	if (req_size <= (ksize(*sfa) - next_offset))
2349 		goto out;
2350 
2351 	new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2);
2352 
2353 	if (new_acts_size > MAX_ACTIONS_BUFSIZE) {
2354 		if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) {
2355 			OVS_NLERR(log, "Flow action size exceeds max %u",
2356 				  MAX_ACTIONS_BUFSIZE);
2357 			return ERR_PTR(-EMSGSIZE);
2358 		}
2359 		new_acts_size = MAX_ACTIONS_BUFSIZE;
2360 	}
2361 
2362 	acts = nla_alloc_flow_actions(new_acts_size);
2363 	if (IS_ERR(acts))
2364 		return (void *)acts;
2365 
2366 	memcpy(acts->actions, (*sfa)->actions, (*sfa)->actions_len);
2367 	acts->actions_len = (*sfa)->actions_len;
2368 	acts->orig_len = (*sfa)->orig_len;
2369 	kfree(*sfa);
2370 	*sfa = acts;
2371 
2372 out:
2373 	(*sfa)->actions_len += req_size;
2374 	return  (struct nlattr *) ((unsigned char *)(*sfa) + next_offset);
2375 }
2376 
2377 static struct nlattr *__add_action(struct sw_flow_actions **sfa,
2378 				   int attrtype, void *data, int len, bool log)
2379 {
2380 	struct nlattr *a;
2381 
2382 	a = reserve_sfa_size(sfa, nla_attr_size(len), log);
2383 	if (IS_ERR(a))
2384 		return a;
2385 
2386 	a->nla_type = attrtype;
2387 	a->nla_len = nla_attr_size(len);
2388 
2389 	if (data)
2390 		memcpy(nla_data(a), data, len);
2391 	memset((unsigned char *) a + a->nla_len, 0, nla_padlen(len));
2392 
2393 	return a;
2394 }
2395 
2396 int ovs_nla_add_action(struct sw_flow_actions **sfa, int attrtype, void *data,
2397 		       int len, bool log)
2398 {
2399 	struct nlattr *a;
2400 
2401 	a = __add_action(sfa, attrtype, data, len, log);
2402 
2403 	return PTR_ERR_OR_ZERO(a);
2404 }
2405 
2406 static inline int add_nested_action_start(struct sw_flow_actions **sfa,
2407 					  int attrtype, bool log)
2408 {
2409 	int used = (*sfa)->actions_len;
2410 	int err;
2411 
2412 	err = ovs_nla_add_action(sfa, attrtype, NULL, 0, log);
2413 	if (err)
2414 		return err;
2415 
2416 	return used;
2417 }
2418 
2419 static inline void add_nested_action_end(struct sw_flow_actions *sfa,
2420 					 int st_offset)
2421 {
2422 	struct nlattr *a = (struct nlattr *) ((unsigned char *)sfa->actions +
2423 							       st_offset);
2424 
2425 	a->nla_len = sfa->actions_len - st_offset;
2426 }
2427 
2428 static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
2429 				  const struct sw_flow_key *key,
2430 				  struct sw_flow_actions **sfa,
2431 				  __be16 eth_type, __be16 vlan_tci,
2432 				  u32 mpls_label_count, bool log);
2433 
2434 static int validate_and_copy_sample(struct net *net, const struct nlattr *attr,
2435 				    const struct sw_flow_key *key,
2436 				    struct sw_flow_actions **sfa,
2437 				    __be16 eth_type, __be16 vlan_tci,
2438 				    u32 mpls_label_count, bool log, bool last)
2439 {
2440 	const struct nlattr *attrs[OVS_SAMPLE_ATTR_MAX + 1];
2441 	const struct nlattr *probability, *actions;
2442 	const struct nlattr *a;
2443 	int rem, start, err;
2444 	struct sample_arg arg;
2445 
2446 	memset(attrs, 0, sizeof(attrs));
2447 	nla_for_each_nested(a, attr, rem) {
2448 		int type = nla_type(a);
2449 		if (!type || type > OVS_SAMPLE_ATTR_MAX || attrs[type])
2450 			return -EINVAL;
2451 		attrs[type] = a;
2452 	}
2453 	if (rem)
2454 		return -EINVAL;
2455 
2456 	probability = attrs[OVS_SAMPLE_ATTR_PROBABILITY];
2457 	if (!probability || nla_len(probability) != sizeof(u32))
2458 		return -EINVAL;
2459 
2460 	actions = attrs[OVS_SAMPLE_ATTR_ACTIONS];
2461 	if (!actions || (nla_len(actions) && nla_len(actions) < NLA_HDRLEN))
2462 		return -EINVAL;
2463 
2464 	/* validation done, copy sample action. */
2465 	start = add_nested_action_start(sfa, OVS_ACTION_ATTR_SAMPLE, log);
2466 	if (start < 0)
2467 		return start;
2468 
2469 	/* When both skb and flow may be changed, put the sample
2470 	 * into a deferred fifo. On the other hand, if only skb
2471 	 * may be modified, the actions can be executed in place.
2472 	 *
2473 	 * Do this analysis at the flow installation time.
2474 	 * Set 'clone_action->exec' to true if the actions can be
2475 	 * executed without being deferred.
2476 	 *
2477 	 * If the sample is the last action, it can always be excuted
2478 	 * rather than deferred.
2479 	 */
2480 	arg.exec = last || !actions_may_change_flow(actions);
2481 	arg.probability = nla_get_u32(probability);
2482 
2483 	err = ovs_nla_add_action(sfa, OVS_SAMPLE_ATTR_ARG, &arg, sizeof(arg),
2484 				 log);
2485 	if (err)
2486 		return err;
2487 
2488 	err = __ovs_nla_copy_actions(net, actions, key, sfa,
2489 				     eth_type, vlan_tci, mpls_label_count, log);
2490 
2491 	if (err)
2492 		return err;
2493 
2494 	add_nested_action_end(*sfa, start);
2495 
2496 	return 0;
2497 }
2498 
2499 static int validate_and_copy_dec_ttl(struct net *net,
2500 				     const struct nlattr *attr,
2501 				     const struct sw_flow_key *key,
2502 				     struct sw_flow_actions **sfa,
2503 				     __be16 eth_type, __be16 vlan_tci,
2504 				     u32 mpls_label_count, bool log)
2505 {
2506 	const struct nlattr *attrs[OVS_DEC_TTL_ATTR_MAX + 1];
2507 	int start, action_start, err, rem;
2508 	const struct nlattr *a, *actions;
2509 
2510 	memset(attrs, 0, sizeof(attrs));
2511 	nla_for_each_nested(a, attr, rem) {
2512 		int type = nla_type(a);
2513 
2514 		/* Ignore unknown attributes to be future proof. */
2515 		if (type > OVS_DEC_TTL_ATTR_MAX)
2516 			continue;
2517 
2518 		if (!type || attrs[type])
2519 			return -EINVAL;
2520 
2521 		attrs[type] = a;
2522 	}
2523 
2524 	actions = attrs[OVS_DEC_TTL_ATTR_ACTION];
2525 	if (rem || !actions || (nla_len(actions) && nla_len(actions) < NLA_HDRLEN))
2526 		return -EINVAL;
2527 
2528 	start = add_nested_action_start(sfa, OVS_ACTION_ATTR_DEC_TTL, log);
2529 	if (start < 0)
2530 		return start;
2531 
2532 	action_start = add_nested_action_start(sfa, OVS_DEC_TTL_ATTR_ACTION, log);
2533 	if (action_start < 0)
2534 		return start;
2535 
2536 	err = __ovs_nla_copy_actions(net, actions, key, sfa, eth_type,
2537 				     vlan_tci, mpls_label_count, log);
2538 	if (err)
2539 		return err;
2540 
2541 	add_nested_action_end(*sfa, action_start);
2542 	add_nested_action_end(*sfa, start);
2543 	return 0;
2544 }
2545 
2546 static int validate_and_copy_clone(struct net *net,
2547 				   const struct nlattr *attr,
2548 				   const struct sw_flow_key *key,
2549 				   struct sw_flow_actions **sfa,
2550 				   __be16 eth_type, __be16 vlan_tci,
2551 				   u32 mpls_label_count, bool log, bool last)
2552 {
2553 	int start, err;
2554 	u32 exec;
2555 
2556 	if (nla_len(attr) && nla_len(attr) < NLA_HDRLEN)
2557 		return -EINVAL;
2558 
2559 	start = add_nested_action_start(sfa, OVS_ACTION_ATTR_CLONE, log);
2560 	if (start < 0)
2561 		return start;
2562 
2563 	exec = last || !actions_may_change_flow(attr);
2564 
2565 	err = ovs_nla_add_action(sfa, OVS_CLONE_ATTR_EXEC, &exec,
2566 				 sizeof(exec), log);
2567 	if (err)
2568 		return err;
2569 
2570 	err = __ovs_nla_copy_actions(net, attr, key, sfa,
2571 				     eth_type, vlan_tci, mpls_label_count, log);
2572 	if (err)
2573 		return err;
2574 
2575 	add_nested_action_end(*sfa, start);
2576 
2577 	return 0;
2578 }
2579 
2580 void ovs_match_init(struct sw_flow_match *match,
2581 		    struct sw_flow_key *key,
2582 		    bool reset_key,
2583 		    struct sw_flow_mask *mask)
2584 {
2585 	memset(match, 0, sizeof(*match));
2586 	match->key = key;
2587 	match->mask = mask;
2588 
2589 	if (reset_key)
2590 		memset(key, 0, sizeof(*key));
2591 
2592 	if (mask) {
2593 		memset(&mask->key, 0, sizeof(mask->key));
2594 		mask->range.start = mask->range.end = 0;
2595 	}
2596 }
2597 
2598 static int validate_geneve_opts(struct sw_flow_key *key)
2599 {
2600 	struct geneve_opt *option;
2601 	int opts_len = key->tun_opts_len;
2602 	bool crit_opt = false;
2603 
2604 	option = (struct geneve_opt *)TUN_METADATA_OPTS(key, key->tun_opts_len);
2605 	while (opts_len > 0) {
2606 		int len;
2607 
2608 		if (opts_len < sizeof(*option))
2609 			return -EINVAL;
2610 
2611 		len = sizeof(*option) + option->length * 4;
2612 		if (len > opts_len)
2613 			return -EINVAL;
2614 
2615 		crit_opt |= !!(option->type & GENEVE_CRIT_OPT_TYPE);
2616 
2617 		option = (struct geneve_opt *)((u8 *)option + len);
2618 		opts_len -= len;
2619 	}
2620 
2621 	key->tun_key.tun_flags |= crit_opt ? TUNNEL_CRIT_OPT : 0;
2622 
2623 	return 0;
2624 }
2625 
2626 static int validate_and_copy_set_tun(const struct nlattr *attr,
2627 				     struct sw_flow_actions **sfa, bool log)
2628 {
2629 	struct sw_flow_match match;
2630 	struct sw_flow_key key;
2631 	struct metadata_dst *tun_dst;
2632 	struct ip_tunnel_info *tun_info;
2633 	struct ovs_tunnel_info *ovs_tun;
2634 	struct nlattr *a;
2635 	int err = 0, start, opts_type;
2636 	__be16 dst_opt_type;
2637 
2638 	dst_opt_type = 0;
2639 	ovs_match_init(&match, &key, true, NULL);
2640 	opts_type = ip_tun_from_nlattr(nla_data(attr), &match, false, log);
2641 	if (opts_type < 0)
2642 		return opts_type;
2643 
2644 	if (key.tun_opts_len) {
2645 		switch (opts_type) {
2646 		case OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS:
2647 			err = validate_geneve_opts(&key);
2648 			if (err < 0)
2649 				return err;
2650 			dst_opt_type = TUNNEL_GENEVE_OPT;
2651 			break;
2652 		case OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS:
2653 			dst_opt_type = TUNNEL_VXLAN_OPT;
2654 			break;
2655 		case OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS:
2656 			dst_opt_type = TUNNEL_ERSPAN_OPT;
2657 			break;
2658 		}
2659 	}
2660 
2661 	start = add_nested_action_start(sfa, OVS_ACTION_ATTR_SET, log);
2662 	if (start < 0)
2663 		return start;
2664 
2665 	tun_dst = metadata_dst_alloc(key.tun_opts_len, METADATA_IP_TUNNEL,
2666 				     GFP_KERNEL);
2667 
2668 	if (!tun_dst)
2669 		return -ENOMEM;
2670 
2671 	err = dst_cache_init(&tun_dst->u.tun_info.dst_cache, GFP_KERNEL);
2672 	if (err) {
2673 		dst_release((struct dst_entry *)tun_dst);
2674 		return err;
2675 	}
2676 
2677 	a = __add_action(sfa, OVS_KEY_ATTR_TUNNEL_INFO, NULL,
2678 			 sizeof(*ovs_tun), log);
2679 	if (IS_ERR(a)) {
2680 		dst_release((struct dst_entry *)tun_dst);
2681 		return PTR_ERR(a);
2682 	}
2683 
2684 	ovs_tun = nla_data(a);
2685 	ovs_tun->tun_dst = tun_dst;
2686 
2687 	tun_info = &tun_dst->u.tun_info;
2688 	tun_info->mode = IP_TUNNEL_INFO_TX;
2689 	if (key.tun_proto == AF_INET6)
2690 		tun_info->mode |= IP_TUNNEL_INFO_IPV6;
2691 	else if (key.tun_proto == AF_INET && key.tun_key.u.ipv4.dst == 0)
2692 		tun_info->mode |= IP_TUNNEL_INFO_BRIDGE;
2693 	tun_info->key = key.tun_key;
2694 
2695 	/* We need to store the options in the action itself since
2696 	 * everything else will go away after flow setup. We can append
2697 	 * it to tun_info and then point there.
2698 	 */
2699 	ip_tunnel_info_opts_set(tun_info,
2700 				TUN_METADATA_OPTS(&key, key.tun_opts_len),
2701 				key.tun_opts_len, dst_opt_type);
2702 	add_nested_action_end(*sfa, start);
2703 
2704 	return err;
2705 }
2706 
2707 static bool validate_nsh(const struct nlattr *attr, bool is_mask,
2708 			 bool is_push_nsh, bool log)
2709 {
2710 	struct sw_flow_match match;
2711 	struct sw_flow_key key;
2712 	int ret = 0;
2713 
2714 	ovs_match_init(&match, &key, true, NULL);
2715 	ret = nsh_key_put_from_nlattr(attr, &match, is_mask,
2716 				      is_push_nsh, log);
2717 	return !ret;
2718 }
2719 
2720 /* Return false if there are any non-masked bits set.
2721  * Mask follows data immediately, before any netlink padding.
2722  */
2723 static bool validate_masked(u8 *data, int len)
2724 {
2725 	u8 *mask = data + len;
2726 
2727 	while (len--)
2728 		if (*data++ & ~*mask++)
2729 			return false;
2730 
2731 	return true;
2732 }
2733 
2734 static int validate_set(const struct nlattr *a,
2735 			const struct sw_flow_key *flow_key,
2736 			struct sw_flow_actions **sfa, bool *skip_copy,
2737 			u8 mac_proto, __be16 eth_type, bool masked, bool log)
2738 {
2739 	const struct nlattr *ovs_key = nla_data(a);
2740 	int key_type = nla_type(ovs_key);
2741 	size_t key_len;
2742 
2743 	/* There can be only one key in a action */
2744 	if (nla_total_size(nla_len(ovs_key)) != nla_len(a))
2745 		return -EINVAL;
2746 
2747 	key_len = nla_len(ovs_key);
2748 	if (masked)
2749 		key_len /= 2;
2750 
2751 	if (key_type > OVS_KEY_ATTR_MAX ||
2752 	    !check_attr_len(key_len, ovs_key_lens[key_type].len))
2753 		return -EINVAL;
2754 
2755 	if (masked && !validate_masked(nla_data(ovs_key), key_len))
2756 		return -EINVAL;
2757 
2758 	switch (key_type) {
2759 	case OVS_KEY_ATTR_PRIORITY:
2760 	case OVS_KEY_ATTR_SKB_MARK:
2761 	case OVS_KEY_ATTR_CT_MARK:
2762 	case OVS_KEY_ATTR_CT_LABELS:
2763 		break;
2764 
2765 	case OVS_KEY_ATTR_ETHERNET:
2766 		if (mac_proto != MAC_PROTO_ETHERNET)
2767 			return -EINVAL;
2768 		break;
2769 
2770 	case OVS_KEY_ATTR_TUNNEL: {
2771 		int err;
2772 
2773 		if (masked)
2774 			return -EINVAL; /* Masked tunnel set not supported. */
2775 
2776 		*skip_copy = true;
2777 		err = validate_and_copy_set_tun(a, sfa, log);
2778 		if (err)
2779 			return err;
2780 		break;
2781 	}
2782 	case OVS_KEY_ATTR_IPV4: {
2783 		const struct ovs_key_ipv4 *ipv4_key;
2784 
2785 		if (eth_type != htons(ETH_P_IP))
2786 			return -EINVAL;
2787 
2788 		ipv4_key = nla_data(ovs_key);
2789 
2790 		if (masked) {
2791 			const struct ovs_key_ipv4 *mask = ipv4_key + 1;
2792 
2793 			/* Non-writeable fields. */
2794 			if (mask->ipv4_proto || mask->ipv4_frag)
2795 				return -EINVAL;
2796 		} else {
2797 			if (ipv4_key->ipv4_proto != flow_key->ip.proto)
2798 				return -EINVAL;
2799 
2800 			if (ipv4_key->ipv4_frag != flow_key->ip.frag)
2801 				return -EINVAL;
2802 		}
2803 		break;
2804 	}
2805 	case OVS_KEY_ATTR_IPV6: {
2806 		const struct ovs_key_ipv6 *ipv6_key;
2807 
2808 		if (eth_type != htons(ETH_P_IPV6))
2809 			return -EINVAL;
2810 
2811 		ipv6_key = nla_data(ovs_key);
2812 
2813 		if (masked) {
2814 			const struct ovs_key_ipv6 *mask = ipv6_key + 1;
2815 
2816 			/* Non-writeable fields. */
2817 			if (mask->ipv6_proto || mask->ipv6_frag)
2818 				return -EINVAL;
2819 
2820 			/* Invalid bits in the flow label mask? */
2821 			if (ntohl(mask->ipv6_label) & 0xFFF00000)
2822 				return -EINVAL;
2823 		} else {
2824 			if (ipv6_key->ipv6_proto != flow_key->ip.proto)
2825 				return -EINVAL;
2826 
2827 			if (ipv6_key->ipv6_frag != flow_key->ip.frag)
2828 				return -EINVAL;
2829 		}
2830 		if (ntohl(ipv6_key->ipv6_label) & 0xFFF00000)
2831 			return -EINVAL;
2832 
2833 		break;
2834 	}
2835 	case OVS_KEY_ATTR_TCP:
2836 		if ((eth_type != htons(ETH_P_IP) &&
2837 		     eth_type != htons(ETH_P_IPV6)) ||
2838 		    flow_key->ip.proto != IPPROTO_TCP)
2839 			return -EINVAL;
2840 
2841 		break;
2842 
2843 	case OVS_KEY_ATTR_UDP:
2844 		if ((eth_type != htons(ETH_P_IP) &&
2845 		     eth_type != htons(ETH_P_IPV6)) ||
2846 		    flow_key->ip.proto != IPPROTO_UDP)
2847 			return -EINVAL;
2848 
2849 		break;
2850 
2851 	case OVS_KEY_ATTR_MPLS:
2852 		if (!eth_p_mpls(eth_type))
2853 			return -EINVAL;
2854 		break;
2855 
2856 	case OVS_KEY_ATTR_SCTP:
2857 		if ((eth_type != htons(ETH_P_IP) &&
2858 		     eth_type != htons(ETH_P_IPV6)) ||
2859 		    flow_key->ip.proto != IPPROTO_SCTP)
2860 			return -EINVAL;
2861 
2862 		break;
2863 
2864 	case OVS_KEY_ATTR_NSH:
2865 		if (eth_type != htons(ETH_P_NSH))
2866 			return -EINVAL;
2867 		if (!validate_nsh(nla_data(a), masked, false, log))
2868 			return -EINVAL;
2869 		break;
2870 
2871 	default:
2872 		return -EINVAL;
2873 	}
2874 
2875 	/* Convert non-masked non-tunnel set actions to masked set actions. */
2876 	if (!masked && key_type != OVS_KEY_ATTR_TUNNEL) {
2877 		int start, len = key_len * 2;
2878 		struct nlattr *at;
2879 
2880 		*skip_copy = true;
2881 
2882 		start = add_nested_action_start(sfa,
2883 						OVS_ACTION_ATTR_SET_TO_MASKED,
2884 						log);
2885 		if (start < 0)
2886 			return start;
2887 
2888 		at = __add_action(sfa, key_type, NULL, len, log);
2889 		if (IS_ERR(at))
2890 			return PTR_ERR(at);
2891 
2892 		memcpy(nla_data(at), nla_data(ovs_key), key_len); /* Key. */
2893 		memset(nla_data(at) + key_len, 0xff, key_len);    /* Mask. */
2894 		/* Clear non-writeable bits from otherwise writeable fields. */
2895 		if (key_type == OVS_KEY_ATTR_IPV6) {
2896 			struct ovs_key_ipv6 *mask = nla_data(at) + key_len;
2897 
2898 			mask->ipv6_label &= htonl(0x000FFFFF);
2899 		}
2900 		add_nested_action_end(*sfa, start);
2901 	}
2902 
2903 	return 0;
2904 }
2905 
2906 static int validate_userspace(const struct nlattr *attr)
2907 {
2908 	static const struct nla_policy userspace_policy[OVS_USERSPACE_ATTR_MAX + 1] = {
2909 		[OVS_USERSPACE_ATTR_PID] = {.type = NLA_U32 },
2910 		[OVS_USERSPACE_ATTR_USERDATA] = {.type = NLA_UNSPEC },
2911 		[OVS_USERSPACE_ATTR_EGRESS_TUN_PORT] = {.type = NLA_U32 },
2912 	};
2913 	struct nlattr *a[OVS_USERSPACE_ATTR_MAX + 1];
2914 	int error;
2915 
2916 	error = nla_parse_nested_deprecated(a, OVS_USERSPACE_ATTR_MAX, attr,
2917 					    userspace_policy, NULL);
2918 	if (error)
2919 		return error;
2920 
2921 	if (!a[OVS_USERSPACE_ATTR_PID] ||
2922 	    !nla_get_u32(a[OVS_USERSPACE_ATTR_PID]))
2923 		return -EINVAL;
2924 
2925 	return 0;
2926 }
2927 
2928 static const struct nla_policy cpl_policy[OVS_CHECK_PKT_LEN_ATTR_MAX + 1] = {
2929 	[OVS_CHECK_PKT_LEN_ATTR_PKT_LEN] = {.type = NLA_U16 },
2930 	[OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER] = {.type = NLA_NESTED },
2931 	[OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL] = {.type = NLA_NESTED },
2932 };
2933 
2934 static int validate_and_copy_check_pkt_len(struct net *net,
2935 					   const struct nlattr *attr,
2936 					   const struct sw_flow_key *key,
2937 					   struct sw_flow_actions **sfa,
2938 					   __be16 eth_type, __be16 vlan_tci,
2939 					   u32 mpls_label_count,
2940 					   bool log, bool last)
2941 {
2942 	const struct nlattr *acts_if_greater, *acts_if_lesser_eq;
2943 	struct nlattr *a[OVS_CHECK_PKT_LEN_ATTR_MAX + 1];
2944 	struct check_pkt_len_arg arg;
2945 	int nested_acts_start;
2946 	int start, err;
2947 
2948 	err = nla_parse_deprecated_strict(a, OVS_CHECK_PKT_LEN_ATTR_MAX,
2949 					  nla_data(attr), nla_len(attr),
2950 					  cpl_policy, NULL);
2951 	if (err)
2952 		return err;
2953 
2954 	if (!a[OVS_CHECK_PKT_LEN_ATTR_PKT_LEN] ||
2955 	    !nla_get_u16(a[OVS_CHECK_PKT_LEN_ATTR_PKT_LEN]))
2956 		return -EINVAL;
2957 
2958 	acts_if_lesser_eq = a[OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL];
2959 	acts_if_greater = a[OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER];
2960 
2961 	/* Both the nested action should be present. */
2962 	if (!acts_if_greater || !acts_if_lesser_eq)
2963 		return -EINVAL;
2964 
2965 	/* validation done, copy the nested actions. */
2966 	start = add_nested_action_start(sfa, OVS_ACTION_ATTR_CHECK_PKT_LEN,
2967 					log);
2968 	if (start < 0)
2969 		return start;
2970 
2971 	arg.pkt_len = nla_get_u16(a[OVS_CHECK_PKT_LEN_ATTR_PKT_LEN]);
2972 	arg.exec_for_lesser_equal =
2973 		last || !actions_may_change_flow(acts_if_lesser_eq);
2974 	arg.exec_for_greater =
2975 		last || !actions_may_change_flow(acts_if_greater);
2976 
2977 	err = ovs_nla_add_action(sfa, OVS_CHECK_PKT_LEN_ATTR_ARG, &arg,
2978 				 sizeof(arg), log);
2979 	if (err)
2980 		return err;
2981 
2982 	nested_acts_start = add_nested_action_start(sfa,
2983 		OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL, log);
2984 	if (nested_acts_start < 0)
2985 		return nested_acts_start;
2986 
2987 	err = __ovs_nla_copy_actions(net, acts_if_lesser_eq, key, sfa,
2988 				     eth_type, vlan_tci, mpls_label_count, log);
2989 
2990 	if (err)
2991 		return err;
2992 
2993 	add_nested_action_end(*sfa, nested_acts_start);
2994 
2995 	nested_acts_start = add_nested_action_start(sfa,
2996 		OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER, log);
2997 	if (nested_acts_start < 0)
2998 		return nested_acts_start;
2999 
3000 	err = __ovs_nla_copy_actions(net, acts_if_greater, key, sfa,
3001 				     eth_type, vlan_tci, mpls_label_count, log);
3002 
3003 	if (err)
3004 		return err;
3005 
3006 	add_nested_action_end(*sfa, nested_acts_start);
3007 	add_nested_action_end(*sfa, start);
3008 	return 0;
3009 }
3010 
3011 static int copy_action(const struct nlattr *from,
3012 		       struct sw_flow_actions **sfa, bool log)
3013 {
3014 	int totlen = NLA_ALIGN(from->nla_len);
3015 	struct nlattr *to;
3016 
3017 	to = reserve_sfa_size(sfa, from->nla_len, log);
3018 	if (IS_ERR(to))
3019 		return PTR_ERR(to);
3020 
3021 	memcpy(to, from, totlen);
3022 	return 0;
3023 }
3024 
3025 static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
3026 				  const struct sw_flow_key *key,
3027 				  struct sw_flow_actions **sfa,
3028 				  __be16 eth_type, __be16 vlan_tci,
3029 				  u32 mpls_label_count, bool log)
3030 {
3031 	u8 mac_proto = ovs_key_mac_proto(key);
3032 	const struct nlattr *a;
3033 	int rem, err;
3034 
3035 	nla_for_each_nested(a, attr, rem) {
3036 		/* Expected argument lengths, (u32)-1 for variable length. */
3037 		static const u32 action_lens[OVS_ACTION_ATTR_MAX + 1] = {
3038 			[OVS_ACTION_ATTR_OUTPUT] = sizeof(u32),
3039 			[OVS_ACTION_ATTR_RECIRC] = sizeof(u32),
3040 			[OVS_ACTION_ATTR_USERSPACE] = (u32)-1,
3041 			[OVS_ACTION_ATTR_PUSH_MPLS] = sizeof(struct ovs_action_push_mpls),
3042 			[OVS_ACTION_ATTR_POP_MPLS] = sizeof(__be16),
3043 			[OVS_ACTION_ATTR_PUSH_VLAN] = sizeof(struct ovs_action_push_vlan),
3044 			[OVS_ACTION_ATTR_POP_VLAN] = 0,
3045 			[OVS_ACTION_ATTR_SET] = (u32)-1,
3046 			[OVS_ACTION_ATTR_SET_MASKED] = (u32)-1,
3047 			[OVS_ACTION_ATTR_SAMPLE] = (u32)-1,
3048 			[OVS_ACTION_ATTR_HASH] = sizeof(struct ovs_action_hash),
3049 			[OVS_ACTION_ATTR_CT] = (u32)-1,
3050 			[OVS_ACTION_ATTR_CT_CLEAR] = 0,
3051 			[OVS_ACTION_ATTR_TRUNC] = sizeof(struct ovs_action_trunc),
3052 			[OVS_ACTION_ATTR_PUSH_ETH] = sizeof(struct ovs_action_push_eth),
3053 			[OVS_ACTION_ATTR_POP_ETH] = 0,
3054 			[OVS_ACTION_ATTR_PUSH_NSH] = (u32)-1,
3055 			[OVS_ACTION_ATTR_POP_NSH] = 0,
3056 			[OVS_ACTION_ATTR_METER] = sizeof(u32),
3057 			[OVS_ACTION_ATTR_CLONE] = (u32)-1,
3058 			[OVS_ACTION_ATTR_CHECK_PKT_LEN] = (u32)-1,
3059 			[OVS_ACTION_ATTR_ADD_MPLS] = sizeof(struct ovs_action_add_mpls),
3060 			[OVS_ACTION_ATTR_DEC_TTL] = (u32)-1,
3061 		};
3062 		const struct ovs_action_push_vlan *vlan;
3063 		int type = nla_type(a);
3064 		bool skip_copy;
3065 
3066 		if (type > OVS_ACTION_ATTR_MAX ||
3067 		    (action_lens[type] != nla_len(a) &&
3068 		     action_lens[type] != (u32)-1))
3069 			return -EINVAL;
3070 
3071 		skip_copy = false;
3072 		switch (type) {
3073 		case OVS_ACTION_ATTR_UNSPEC:
3074 			return -EINVAL;
3075 
3076 		case OVS_ACTION_ATTR_USERSPACE:
3077 			err = validate_userspace(a);
3078 			if (err)
3079 				return err;
3080 			break;
3081 
3082 		case OVS_ACTION_ATTR_OUTPUT:
3083 			if (nla_get_u32(a) >= DP_MAX_PORTS)
3084 				return -EINVAL;
3085 			break;
3086 
3087 		case OVS_ACTION_ATTR_TRUNC: {
3088 			const struct ovs_action_trunc *trunc = nla_data(a);
3089 
3090 			if (trunc->max_len < ETH_HLEN)
3091 				return -EINVAL;
3092 			break;
3093 		}
3094 
3095 		case OVS_ACTION_ATTR_HASH: {
3096 			const struct ovs_action_hash *act_hash = nla_data(a);
3097 
3098 			switch (act_hash->hash_alg) {
3099 			case OVS_HASH_ALG_L4:
3100 				break;
3101 			default:
3102 				return  -EINVAL;
3103 			}
3104 
3105 			break;
3106 		}
3107 
3108 		case OVS_ACTION_ATTR_POP_VLAN:
3109 			if (mac_proto != MAC_PROTO_ETHERNET)
3110 				return -EINVAL;
3111 			vlan_tci = htons(0);
3112 			break;
3113 
3114 		case OVS_ACTION_ATTR_PUSH_VLAN:
3115 			if (mac_proto != MAC_PROTO_ETHERNET)
3116 				return -EINVAL;
3117 			vlan = nla_data(a);
3118 			if (!eth_type_vlan(vlan->vlan_tpid))
3119 				return -EINVAL;
3120 			if (!(vlan->vlan_tci & htons(VLAN_CFI_MASK)))
3121 				return -EINVAL;
3122 			vlan_tci = vlan->vlan_tci;
3123 			break;
3124 
3125 		case OVS_ACTION_ATTR_RECIRC:
3126 			break;
3127 
3128 		case OVS_ACTION_ATTR_ADD_MPLS: {
3129 			const struct ovs_action_add_mpls *mpls = nla_data(a);
3130 
3131 			if (!eth_p_mpls(mpls->mpls_ethertype))
3132 				return -EINVAL;
3133 
3134 			if (mpls->tun_flags & OVS_MPLS_L3_TUNNEL_FLAG_MASK) {
3135 				if (vlan_tci & htons(VLAN_CFI_MASK) ||
3136 				    (eth_type != htons(ETH_P_IP) &&
3137 				     eth_type != htons(ETH_P_IPV6) &&
3138 				     eth_type != htons(ETH_P_ARP) &&
3139 				     eth_type != htons(ETH_P_RARP) &&
3140 				     !eth_p_mpls(eth_type)))
3141 					return -EINVAL;
3142 				mpls_label_count++;
3143 			} else {
3144 				if (mac_proto == MAC_PROTO_ETHERNET) {
3145 					mpls_label_count = 1;
3146 					mac_proto = MAC_PROTO_NONE;
3147 				} else {
3148 					mpls_label_count++;
3149 				}
3150 			}
3151 			eth_type = mpls->mpls_ethertype;
3152 			break;
3153 		}
3154 
3155 		case OVS_ACTION_ATTR_PUSH_MPLS: {
3156 			const struct ovs_action_push_mpls *mpls = nla_data(a);
3157 
3158 			if (!eth_p_mpls(mpls->mpls_ethertype))
3159 				return -EINVAL;
3160 			/* Prohibit push MPLS other than to a white list
3161 			 * for packets that have a known tag order.
3162 			 */
3163 			if (vlan_tci & htons(VLAN_CFI_MASK) ||
3164 			    (eth_type != htons(ETH_P_IP) &&
3165 			     eth_type != htons(ETH_P_IPV6) &&
3166 			     eth_type != htons(ETH_P_ARP) &&
3167 			     eth_type != htons(ETH_P_RARP) &&
3168 			     !eth_p_mpls(eth_type)))
3169 				return -EINVAL;
3170 			eth_type = mpls->mpls_ethertype;
3171 			mpls_label_count++;
3172 			break;
3173 		}
3174 
3175 		case OVS_ACTION_ATTR_POP_MPLS: {
3176 			__be16  proto;
3177 			if (vlan_tci & htons(VLAN_CFI_MASK) ||
3178 			    !eth_p_mpls(eth_type))
3179 				return -EINVAL;
3180 
3181 			/* Disallow subsequent L2.5+ set actions and mpls_pop
3182 			 * actions once the last MPLS label in the packet is
3183 			 * is popped as there is no check here to ensure that
3184 			 * the new eth type is valid and thus set actions could
3185 			 * write off the end of the packet or otherwise corrupt
3186 			 * it.
3187 			 *
3188 			 * Support for these actions is planned using packet
3189 			 * recirculation.
3190 			 */
3191 			proto = nla_get_be16(a);
3192 
3193 			if (proto == htons(ETH_P_TEB) &&
3194 			    mac_proto != MAC_PROTO_NONE)
3195 				return -EINVAL;
3196 
3197 			mpls_label_count--;
3198 
3199 			if (!eth_p_mpls(proto) || !mpls_label_count)
3200 				eth_type = htons(0);
3201 			else
3202 				eth_type =  proto;
3203 
3204 			break;
3205 		}
3206 
3207 		case OVS_ACTION_ATTR_SET:
3208 			err = validate_set(a, key, sfa,
3209 					   &skip_copy, mac_proto, eth_type,
3210 					   false, log);
3211 			if (err)
3212 				return err;
3213 			break;
3214 
3215 		case OVS_ACTION_ATTR_SET_MASKED:
3216 			err = validate_set(a, key, sfa,
3217 					   &skip_copy, mac_proto, eth_type,
3218 					   true, log);
3219 			if (err)
3220 				return err;
3221 			break;
3222 
3223 		case OVS_ACTION_ATTR_SAMPLE: {
3224 			bool last = nla_is_last(a, rem);
3225 
3226 			err = validate_and_copy_sample(net, a, key, sfa,
3227 						       eth_type, vlan_tci,
3228 						       mpls_label_count,
3229 						       log, last);
3230 			if (err)
3231 				return err;
3232 			skip_copy = true;
3233 			break;
3234 		}
3235 
3236 		case OVS_ACTION_ATTR_CT:
3237 			err = ovs_ct_copy_action(net, a, key, sfa, log);
3238 			if (err)
3239 				return err;
3240 			skip_copy = true;
3241 			break;
3242 
3243 		case OVS_ACTION_ATTR_CT_CLEAR:
3244 			break;
3245 
3246 		case OVS_ACTION_ATTR_PUSH_ETH:
3247 			/* Disallow pushing an Ethernet header if one
3248 			 * is already present */
3249 			if (mac_proto != MAC_PROTO_NONE)
3250 				return -EINVAL;
3251 			mac_proto = MAC_PROTO_ETHERNET;
3252 			break;
3253 
3254 		case OVS_ACTION_ATTR_POP_ETH:
3255 			if (mac_proto != MAC_PROTO_ETHERNET)
3256 				return -EINVAL;
3257 			if (vlan_tci & htons(VLAN_CFI_MASK))
3258 				return -EINVAL;
3259 			mac_proto = MAC_PROTO_NONE;
3260 			break;
3261 
3262 		case OVS_ACTION_ATTR_PUSH_NSH:
3263 			if (mac_proto != MAC_PROTO_ETHERNET) {
3264 				u8 next_proto;
3265 
3266 				next_proto = tun_p_from_eth_p(eth_type);
3267 				if (!next_proto)
3268 					return -EINVAL;
3269 			}
3270 			mac_proto = MAC_PROTO_NONE;
3271 			if (!validate_nsh(nla_data(a), false, true, true))
3272 				return -EINVAL;
3273 			break;
3274 
3275 		case OVS_ACTION_ATTR_POP_NSH: {
3276 			__be16 inner_proto;
3277 
3278 			if (eth_type != htons(ETH_P_NSH))
3279 				return -EINVAL;
3280 			inner_proto = tun_p_to_eth_p(key->nsh.base.np);
3281 			if (!inner_proto)
3282 				return -EINVAL;
3283 			if (key->nsh.base.np == TUN_P_ETHERNET)
3284 				mac_proto = MAC_PROTO_ETHERNET;
3285 			else
3286 				mac_proto = MAC_PROTO_NONE;
3287 			break;
3288 		}
3289 
3290 		case OVS_ACTION_ATTR_METER:
3291 			/* Non-existent meters are simply ignored.  */
3292 			break;
3293 
3294 		case OVS_ACTION_ATTR_CLONE: {
3295 			bool last = nla_is_last(a, rem);
3296 
3297 			err = validate_and_copy_clone(net, a, key, sfa,
3298 						      eth_type, vlan_tci,
3299 						      mpls_label_count,
3300 						      log, last);
3301 			if (err)
3302 				return err;
3303 			skip_copy = true;
3304 			break;
3305 		}
3306 
3307 		case OVS_ACTION_ATTR_CHECK_PKT_LEN: {
3308 			bool last = nla_is_last(a, rem);
3309 
3310 			err = validate_and_copy_check_pkt_len(net, a, key, sfa,
3311 							      eth_type,
3312 							      vlan_tci,
3313 							      mpls_label_count,
3314 							      log, last);
3315 			if (err)
3316 				return err;
3317 			skip_copy = true;
3318 			break;
3319 		}
3320 
3321 		case OVS_ACTION_ATTR_DEC_TTL:
3322 			err = validate_and_copy_dec_ttl(net, a, key, sfa,
3323 							eth_type, vlan_tci,
3324 							mpls_label_count, log);
3325 			if (err)
3326 				return err;
3327 			skip_copy = true;
3328 			break;
3329 
3330 		default:
3331 			OVS_NLERR(log, "Unknown Action type %d", type);
3332 			return -EINVAL;
3333 		}
3334 		if (!skip_copy) {
3335 			err = copy_action(a, sfa, log);
3336 			if (err)
3337 				return err;
3338 		}
3339 	}
3340 
3341 	if (rem > 0)
3342 		return -EINVAL;
3343 
3344 	return 0;
3345 }
3346 
3347 /* 'key' must be the masked key. */
3348 int ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
3349 			 const struct sw_flow_key *key,
3350 			 struct sw_flow_actions **sfa, bool log)
3351 {
3352 	int err;
3353 	u32 mpls_label_count = 0;
3354 
3355 	*sfa = nla_alloc_flow_actions(min(nla_len(attr), MAX_ACTIONS_BUFSIZE));
3356 	if (IS_ERR(*sfa))
3357 		return PTR_ERR(*sfa);
3358 
3359 	if (eth_p_mpls(key->eth.type))
3360 		mpls_label_count = hweight_long(key->mpls.num_labels_mask);
3361 
3362 	(*sfa)->orig_len = nla_len(attr);
3363 	err = __ovs_nla_copy_actions(net, attr, key, sfa, key->eth.type,
3364 				     key->eth.vlan.tci, mpls_label_count, log);
3365 	if (err)
3366 		ovs_nla_free_flow_actions(*sfa);
3367 
3368 	return err;
3369 }
3370 
3371 static int sample_action_to_attr(const struct nlattr *attr,
3372 				 struct sk_buff *skb)
3373 {
3374 	struct nlattr *start, *ac_start = NULL, *sample_arg;
3375 	int err = 0, rem = nla_len(attr);
3376 	const struct sample_arg *arg;
3377 	struct nlattr *actions;
3378 
3379 	start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_SAMPLE);
3380 	if (!start)
3381 		return -EMSGSIZE;
3382 
3383 	sample_arg = nla_data(attr);
3384 	arg = nla_data(sample_arg);
3385 	actions = nla_next(sample_arg, &rem);
3386 
3387 	if (nla_put_u32(skb, OVS_SAMPLE_ATTR_PROBABILITY, arg->probability)) {
3388 		err = -EMSGSIZE;
3389 		goto out;
3390 	}
3391 
3392 	ac_start = nla_nest_start_noflag(skb, OVS_SAMPLE_ATTR_ACTIONS);
3393 	if (!ac_start) {
3394 		err = -EMSGSIZE;
3395 		goto out;
3396 	}
3397 
3398 	err = ovs_nla_put_actions(actions, rem, skb);
3399 
3400 out:
3401 	if (err) {
3402 		nla_nest_cancel(skb, ac_start);
3403 		nla_nest_cancel(skb, start);
3404 	} else {
3405 		nla_nest_end(skb, ac_start);
3406 		nla_nest_end(skb, start);
3407 	}
3408 
3409 	return err;
3410 }
3411 
3412 static int clone_action_to_attr(const struct nlattr *attr,
3413 				struct sk_buff *skb)
3414 {
3415 	struct nlattr *start;
3416 	int err = 0, rem = nla_len(attr);
3417 
3418 	start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_CLONE);
3419 	if (!start)
3420 		return -EMSGSIZE;
3421 
3422 	err = ovs_nla_put_actions(nla_data(attr), rem, skb);
3423 
3424 	if (err)
3425 		nla_nest_cancel(skb, start);
3426 	else
3427 		nla_nest_end(skb, start);
3428 
3429 	return err;
3430 }
3431 
3432 static int check_pkt_len_action_to_attr(const struct nlattr *attr,
3433 					struct sk_buff *skb)
3434 {
3435 	struct nlattr *start, *ac_start = NULL;
3436 	const struct check_pkt_len_arg *arg;
3437 	const struct nlattr *a, *cpl_arg;
3438 	int err = 0, rem = nla_len(attr);
3439 
3440 	start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_CHECK_PKT_LEN);
3441 	if (!start)
3442 		return -EMSGSIZE;
3443 
3444 	/* The first nested attribute in 'attr' is always
3445 	 * 'OVS_CHECK_PKT_LEN_ATTR_ARG'.
3446 	 */
3447 	cpl_arg = nla_data(attr);
3448 	arg = nla_data(cpl_arg);
3449 
3450 	if (nla_put_u16(skb, OVS_CHECK_PKT_LEN_ATTR_PKT_LEN, arg->pkt_len)) {
3451 		err = -EMSGSIZE;
3452 		goto out;
3453 	}
3454 
3455 	/* Second nested attribute in 'attr' is always
3456 	 * 'OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL'.
3457 	 */
3458 	a = nla_next(cpl_arg, &rem);
3459 	ac_start =  nla_nest_start_noflag(skb,
3460 					  OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL);
3461 	if (!ac_start) {
3462 		err = -EMSGSIZE;
3463 		goto out;
3464 	}
3465 
3466 	err = ovs_nla_put_actions(nla_data(a), nla_len(a), skb);
3467 	if (err) {
3468 		nla_nest_cancel(skb, ac_start);
3469 		goto out;
3470 	} else {
3471 		nla_nest_end(skb, ac_start);
3472 	}
3473 
3474 	/* Third nested attribute in 'attr' is always
3475 	 * OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER.
3476 	 */
3477 	a = nla_next(a, &rem);
3478 	ac_start =  nla_nest_start_noflag(skb,
3479 					  OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER);
3480 	if (!ac_start) {
3481 		err = -EMSGSIZE;
3482 		goto out;
3483 	}
3484 
3485 	err = ovs_nla_put_actions(nla_data(a), nla_len(a), skb);
3486 	if (err) {
3487 		nla_nest_cancel(skb, ac_start);
3488 		goto out;
3489 	} else {
3490 		nla_nest_end(skb, ac_start);
3491 	}
3492 
3493 	nla_nest_end(skb, start);
3494 	return 0;
3495 
3496 out:
3497 	nla_nest_cancel(skb, start);
3498 	return err;
3499 }
3500 
3501 static int dec_ttl_action_to_attr(const struct nlattr *attr,
3502 				  struct sk_buff *skb)
3503 {
3504 	struct nlattr *start, *action_start;
3505 	const struct nlattr *a;
3506 	int err = 0, rem;
3507 
3508 	start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_DEC_TTL);
3509 	if (!start)
3510 		return -EMSGSIZE;
3511 
3512 	nla_for_each_attr(a, nla_data(attr), nla_len(attr), rem) {
3513 		switch (nla_type(a)) {
3514 		case OVS_DEC_TTL_ATTR_ACTION:
3515 
3516 			action_start = nla_nest_start_noflag(skb, OVS_DEC_TTL_ATTR_ACTION);
3517 			if (!action_start) {
3518 				err = -EMSGSIZE;
3519 				goto out;
3520 			}
3521 
3522 			err = ovs_nla_put_actions(nla_data(a), nla_len(a), skb);
3523 			if (err)
3524 				goto out;
3525 
3526 			nla_nest_end(skb, action_start);
3527 			break;
3528 
3529 		default:
3530 			/* Ignore all other option to be future compatible */
3531 			break;
3532 		}
3533 	}
3534 
3535 	nla_nest_end(skb, start);
3536 	return 0;
3537 
3538 out:
3539 	nla_nest_cancel(skb, start);
3540 	return err;
3541 }
3542 
3543 static int set_action_to_attr(const struct nlattr *a, struct sk_buff *skb)
3544 {
3545 	const struct nlattr *ovs_key = nla_data(a);
3546 	int key_type = nla_type(ovs_key);
3547 	struct nlattr *start;
3548 	int err;
3549 
3550 	switch (key_type) {
3551 	case OVS_KEY_ATTR_TUNNEL_INFO: {
3552 		struct ovs_tunnel_info *ovs_tun = nla_data(ovs_key);
3553 		struct ip_tunnel_info *tun_info = &ovs_tun->tun_dst->u.tun_info;
3554 
3555 		start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_SET);
3556 		if (!start)
3557 			return -EMSGSIZE;
3558 
3559 		err =  ip_tun_to_nlattr(skb, &tun_info->key,
3560 					ip_tunnel_info_opts(tun_info),
3561 					tun_info->options_len,
3562 					ip_tunnel_info_af(tun_info), tun_info->mode);
3563 		if (err)
3564 			return err;
3565 		nla_nest_end(skb, start);
3566 		break;
3567 	}
3568 	default:
3569 		if (nla_put(skb, OVS_ACTION_ATTR_SET, nla_len(a), ovs_key))
3570 			return -EMSGSIZE;
3571 		break;
3572 	}
3573 
3574 	return 0;
3575 }
3576 
3577 static int masked_set_action_to_set_action_attr(const struct nlattr *a,
3578 						struct sk_buff *skb)
3579 {
3580 	const struct nlattr *ovs_key = nla_data(a);
3581 	struct nlattr *nla;
3582 	size_t key_len = nla_len(ovs_key) / 2;
3583 
3584 	/* Revert the conversion we did from a non-masked set action to
3585 	 * masked set action.
3586 	 */
3587 	nla = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_SET);
3588 	if (!nla)
3589 		return -EMSGSIZE;
3590 
3591 	if (nla_put(skb, nla_type(ovs_key), key_len, nla_data(ovs_key)))
3592 		return -EMSGSIZE;
3593 
3594 	nla_nest_end(skb, nla);
3595 	return 0;
3596 }
3597 
3598 int ovs_nla_put_actions(const struct nlattr *attr, int len, struct sk_buff *skb)
3599 {
3600 	const struct nlattr *a;
3601 	int rem, err;
3602 
3603 	nla_for_each_attr(a, attr, len, rem) {
3604 		int type = nla_type(a);
3605 
3606 		switch (type) {
3607 		case OVS_ACTION_ATTR_SET:
3608 			err = set_action_to_attr(a, skb);
3609 			if (err)
3610 				return err;
3611 			break;
3612 
3613 		case OVS_ACTION_ATTR_SET_TO_MASKED:
3614 			err = masked_set_action_to_set_action_attr(a, skb);
3615 			if (err)
3616 				return err;
3617 			break;
3618 
3619 		case OVS_ACTION_ATTR_SAMPLE:
3620 			err = sample_action_to_attr(a, skb);
3621 			if (err)
3622 				return err;
3623 			break;
3624 
3625 		case OVS_ACTION_ATTR_CT:
3626 			err = ovs_ct_action_to_attr(nla_data(a), skb);
3627 			if (err)
3628 				return err;
3629 			break;
3630 
3631 		case OVS_ACTION_ATTR_CLONE:
3632 			err = clone_action_to_attr(a, skb);
3633 			if (err)
3634 				return err;
3635 			break;
3636 
3637 		case OVS_ACTION_ATTR_CHECK_PKT_LEN:
3638 			err = check_pkt_len_action_to_attr(a, skb);
3639 			if (err)
3640 				return err;
3641 			break;
3642 
3643 		case OVS_ACTION_ATTR_DEC_TTL:
3644 			err = dec_ttl_action_to_attr(a, skb);
3645 			if (err)
3646 				return err;
3647 			break;
3648 
3649 		default:
3650 			if (nla_put(skb, type, nla_len(a), nla_data(a)))
3651 				return -EMSGSIZE;
3652 			break;
3653 		}
3654 	}
3655 
3656 	return 0;
3657 }
3658