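// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (c) 2007-2017 Nicira, Inc.
 */

#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

#include "flow.h"
#include "datapath.h"
#include <linux/uaccess.h>
#include <linux/netdevice.h>
#include <linux/etherdevice.h>
#include <linux/if_ether.h>
#include <linux/if_vlan.h>
#include <net/llc_pdu.h>
#include <linux/kernel.h>
#include <linux/jhash.h>
#include <linux/jiffies.h>
#include <linux/llc.h>
#include <linux/module.h>
#include <linux/in.h>
#include <linux/rcupdate.h>
#include <linux/if_arp.h>
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <linux/sctp.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/icmp.h>
#include <linux/icmpv6.h>
#include <linux/rculist.h>
#include <net/geneve.h>
#include <net/ip.h>
#include <net/ipv6.h>
#include <net/ndisc.h>
#include <net/mpls.h>
#include <net/vxlan.h>
#include <net/tun_proto.h>
#include <net/erspan.h>

#include "flow_netlink.h"

/* Expected payload length of one netlink attribute type.  @len is either a
 * byte count or one of the OVS_ATTR_* sentinels below; @next is the length
 * table for the attributes nested inside this one, when there is one.
 */
struct ovs_len_tbl {
	int len;
	const struct ovs_len_tbl *next;
};

/* Sentinel lengths: check_attr_len() accepts any payload size for these, so
 * the code that consumes such an attribute has to bound the length itself.
 */
#define OVS_ATTR_NESTED -1
#define OVS_ATTR_VARIABLE -2

/* Return true if the nested action list contains any action other than
 * OUTPUT, RECIRC, TRUNC or USERSPACE.  Action types this switch does not
 * know fall into the default case and are also reported as "may change".
 */
static bool actions_may_change_flow(const struct nlattr *actions)
{
	struct nlattr *nla;
	int rem;

	nla_for_each_nested(nla, actions, rem) {
		u16 action = nla_type(nla);

		switch (action) {
		case OVS_ACTION_ATTR_OUTPUT:
		case OVS_ACTION_ATTR_RECIRC:
		case OVS_ACTION_ATTR_TRUNC:
		case OVS_ACTION_ATTR_USERSPACE:
			break;

		case OVS_ACTION_ATTR_CT:
		case OVS_ACTION_ATTR_CT_CLEAR:
		case OVS_ACTION_ATTR_HASH:
		case OVS_ACTION_ATTR_POP_ETH:
		case OVS_ACTION_ATTR_POP_MPLS:
		case OVS_ACTION_ATTR_POP_NSH:
		case OVS_ACTION_ATTR_POP_VLAN:
		case OVS_ACTION_ATTR_PUSH_ETH:
		case OVS_ACTION_ATTR_PUSH_MPLS:
		case OVS_ACTION_ATTR_PUSH_NSH:
		case OVS_ACTION_ATTR_PUSH_VLAN:
		case OVS_ACTION_ATTR_SAMPLE:
		case OVS_ACTION_ATTR_SET:
		case OVS_ACTION_ATTR_SET_MASKED:
		case OVS_ACTION_ATTR_METER:
		case OVS_ACTION_ATTR_CHECK_PKT_LEN:
		case OVS_ACTION_ATTR_ADD_MPLS:
		case OVS_ACTION_ATTR_DEC_TTL:
		default:
			return true;
		}
	}
	return false;
}

/* Grow the key range (or the mask range when @is_mask) so that it covers
 * [offset, offset + size), with both ends rounded out to a multiple of
 * sizeof(long).  A range whose start equals its end is treated as empty and
 * is simply replaced.
 */
static void update_range(struct sw_flow_match *match,
			 size_t offset, size_t size, bool is_mask)
{
	struct sw_flow_key_range *range;
	size_t start = rounddown(offset, sizeof(long));
	size_t end = roundup(offset + size, sizeof(long));

	if (!is_mask)
		range = &match->range;
	else
		range = &match->mask->range;

	if (range->start == range->end) {
		range->start = start;
		range->end = end;
		return;
	}

	if (range->start > start)
		range->start = start;

	if (range->end < end)
		range->end = end;
}

/* Store @value into @field of the key, or of the mask key when @is_mask,
 * and extend the matching range to include that field.
 */
#define SW_FLOW_KEY_PUT(match, field, value, is_mask) \
	do { \
		update_range(match, offsetof(struct sw_flow_key, field),    \
			     sizeof((match)->key->field), is_mask);	    \
		if (is_mask)						    \
			(match)->mask->key.field = value;		    \
		else							    \
			(match)->key->field = value;		            \
	} while (0)

/* Copy @len bytes from @value_p to byte @offset of the key (or mask key).
 * The macro performs no bounds check: the caller must guarantee that
 * offset + len stays inside struct sw_flow_key.
 */
#define SW_FLOW_KEY_MEMCPY_OFFSET(match, offset, value_p, len, is_mask)	    \
	do {								    \
		update_range(match, offset, len, is_mask);		    \
		if (is_mask)						    \
			memcpy((u8 *)&(match)->mask->key + offset, value_p, \
			       len);					   \
		else							    \
			memcpy((u8 *)(match)->key + offset, value_p, len);  \
	} while (0)

/* Same as SW_FLOW_KEY_MEMCPY_OFFSET, addressed by field name. */
#define SW_FLOW_KEY_MEMCPY(match, field, value_p, len, is_mask)		      \
	SW_FLOW_KEY_MEMCPY_OFFSET(match, offsetof(struct sw_flow_key, field), \
				  value_p, len, is_mask)

/* Fill every byte of @field in the key (or mask key) with @value. */
#define SW_FLOW_KEY_MEMSET_FIELD(match, field, value, is_mask)		    \
	do {								    \
		update_range(match, offsetof(struct sw_flow_key, field),    \
			     sizeof((match)->key->field), is_mask);	    \
		if (is_mask)						    \
			memset((u8 *)&(match)->mask->key.field, value,      \
			       sizeof((match)->mask->key.field));	    \
		else							    \
			memset((u8 *)&(match)->key->field, value,           \
			       sizeof((match)->key->field));                \
	} while (0)

/* Check that the attribute bitmaps are consistent with the parsed key.
 *
 * @key_attrs must contain every attribute the key's EtherType / IP protocol
 * implies (key_expected), and @mask_attrs may only contain attributes whose
 * prerequisite field is exact-matched in the mask (mask_allowed).
 * Returns true when both checks pass, false (after logging) otherwise.
 *
 * All bit tests use 1ULL so the shift is done in the width of the u64
 * bitmaps instead of in int.
 */
static bool match_validate(const struct sw_flow_match *match,
			   u64 key_attrs, u64 mask_attrs, bool log)
{
	u64 key_expected = 0;
	u64 mask_allowed = key_attrs;  /* At most allow all key attributes */

	/* The following mask attributes allowed only if they
	 * pass the validation tests. */
	mask_allowed &= ~((1ULL << OVS_KEY_ATTR_IPV4)
			| (1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4)
			| (1ULL << OVS_KEY_ATTR_IPV6)
			| (1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6)
			| (1ULL << OVS_KEY_ATTR_TCP)
			| (1ULL << OVS_KEY_ATTR_TCP_FLAGS)
			| (1ULL << OVS_KEY_ATTR_UDP)
			| (1ULL << OVS_KEY_ATTR_SCTP)
			| (1ULL << OVS_KEY_ATTR_ICMP)
			| (1ULL << OVS_KEY_ATTR_ICMPV6)
			| (1ULL << OVS_KEY_ATTR_ARP)
			| (1ULL << OVS_KEY_ATTR_ND)
			| (1ULL << OVS_KEY_ATTR_MPLS)
			| (1ULL << OVS_KEY_ATTR_NSH));

	/* Always allowed mask fields. */
	mask_allowed |= ((1ULL << OVS_KEY_ATTR_TUNNEL)
		       | (1ULL << OVS_KEY_ATTR_IN_PORT)
		       | (1ULL << OVS_KEY_ATTR_ETHERTYPE));

	/* Check key attributes. */
	if (match->key->eth.type == htons(ETH_P_ARP)
			|| match->key->eth.type == htons(ETH_P_RARP)) {
		key_expected |= 1ULL << OVS_KEY_ATTR_ARP;
		if (match->mask && (match->mask->key.eth.type == htons(0xffff)))
			mask_allowed |= 1ULL << OVS_KEY_ATTR_ARP;
	}

	if (eth_p_mpls(match->key->eth.type)) {
		key_expected |= 1ULL << OVS_KEY_ATTR_MPLS;
		if (match->mask && (match->mask->key.eth.type == htons(0xffff)))
			mask_allowed |= 1ULL << OVS_KEY_ATTR_MPLS;
	}

	if (match->key->eth.type == htons(ETH_P_IP)) {
		key_expected |= 1ULL << OVS_KEY_ATTR_IPV4;
		if (match->mask && match->mask->key.eth.type == htons(0xffff)) {
			mask_allowed |= 1ULL << OVS_KEY_ATTR_IPV4;
			mask_allowed |= 1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4;
		}

		if (match->key->ip.frag != OVS_FRAG_TYPE_LATER) {
			if (match->key->ip.proto == IPPROTO_UDP) {
				key_expected |= 1ULL << OVS_KEY_ATTR_UDP;
				if (match->mask && (match->mask->key.ip.proto == 0xff))
					mask_allowed |= 1ULL << OVS_KEY_ATTR_UDP;
			}

			if (match->key->ip.proto == IPPROTO_SCTP) {
				key_expected |= 1ULL << OVS_KEY_ATTR_SCTP;
				if (match->mask && (match->mask->key.ip.proto == 0xff))
					mask_allowed |= 1ULL << OVS_KEY_ATTR_SCTP;
			}

			if (match->key->ip.proto == IPPROTO_TCP) {
				key_expected |= 1ULL << OVS_KEY_ATTR_TCP;
				key_expected |= 1ULL << OVS_KEY_ATTR_TCP_FLAGS;
				if (match->mask && (match->mask->key.ip.proto == 0xff)) {
					mask_allowed |= 1ULL << OVS_KEY_ATTR_TCP;
					mask_allowed |= 1ULL << OVS_KEY_ATTR_TCP_FLAGS;
				}
			}

			if (match->key->ip.proto == IPPROTO_ICMP) {
				key_expected |= 1ULL << OVS_KEY_ATTR_ICMP;
				if (match->mask && (match->mask->key.ip.proto == 0xff))
					mask_allowed |= 1ULL << OVS_KEY_ATTR_ICMP;
			}
		}
	}

	if (match->key->eth.type == htons(ETH_P_IPV6)) {
		key_expected |= 1ULL << OVS_KEY_ATTR_IPV6;
		if (match->mask && match->mask->key.eth.type == htons(0xffff)) {
			mask_allowed |= 1ULL << OVS_KEY_ATTR_IPV6;
			mask_allowed |= 1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6;
		}

		if (match->key->ip.frag != OVS_FRAG_TYPE_LATER) {
			if (match->key->ip.proto == IPPROTO_UDP) {
				key_expected |= 1ULL << OVS_KEY_ATTR_UDP;
				if (match->mask && (match->mask->key.ip.proto == 0xff))
					mask_allowed |= 1ULL << OVS_KEY_ATTR_UDP;
			}

			if (match->key->ip.proto == IPPROTO_SCTP) {
				key_expected |= 1ULL << OVS_KEY_ATTR_SCTP;
				if (match->mask && (match->mask->key.ip.proto == 0xff))
					mask_allowed |= 1ULL << OVS_KEY_ATTR_SCTP;
			}

			if (match->key->ip.proto == IPPROTO_TCP) {
				key_expected |= 1ULL << OVS_KEY_ATTR_TCP;
				key_expected |= 1ULL << OVS_KEY_ATTR_TCP_FLAGS;
				if (match->mask && (match->mask->key.ip.proto == 0xff)) {
					mask_allowed |= 1ULL << OVS_KEY_ATTR_TCP;
					mask_allowed |= 1ULL << OVS_KEY_ATTR_TCP_FLAGS;
				}
			}

			if (match->key->ip.proto == IPPROTO_ICMPV6) {
				key_expected |= 1ULL << OVS_KEY_ATTR_ICMPV6;
				if (match->mask && (match->mask->key.ip.proto == 0xff))
					mask_allowed |= 1ULL << OVS_KEY_ATTR_ICMPV6;

				if (match->key->tp.src ==
						htons(NDISC_NEIGHBOUR_SOLICITATION) ||
				    match->key->tp.src == htons(NDISC_NEIGHBOUR_ADVERTISEMENT)) {
					key_expected |= 1ULL << OVS_KEY_ATTR_ND;
					/* Original direction conntrack tuple
					 * uses the same space as the ND fields
					 * in the key, so both are not allowed
					 * at the same time.
					 */
					mask_allowed &= ~(1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6);
					if (match->mask && (match->mask->key.tp.src == htons(0xff)))
						mask_allowed |= 1ULL << OVS_KEY_ATTR_ND;
				}
			}
		}
	}

	if (match->key->eth.type == htons(ETH_P_NSH)) {
		key_expected |= 1ULL << OVS_KEY_ATTR_NSH;
		if (match->mask &&
		    match->mask->key.eth.type == htons(0xffff)) {
			mask_allowed |= 1ULL << OVS_KEY_ATTR_NSH;
		}
	}

	if ((key_attrs & key_expected) != key_expected) {
		/* Key attributes check failed. */
		OVS_NLERR(log, "Missing key (keys=%llx, expected=%llx)",
			  (unsigned long long)key_attrs,
			  (unsigned long long)key_expected);
		return false;
	}

	if ((mask_attrs & mask_allowed) != mask_attrs) {
		/* Mask attributes check failed. */
		OVS_NLERR(log, "Unexpected mask (mask=%llx, allowed=%llx)",
			  (unsigned long long)mask_attrs,
			  (unsigned long long)mask_allowed);
		return false;
	}

	return true;
}

/* Upper bound on the netlink space needed for the tunnel key attributes. */
size_t ovs_tun_key_attr_size(void)
{
	/* Whenever adding new OVS_TUNNEL_KEY_ FIELDS, we should consider
	 * updating this function.
	 */
	return    nla_total_size_64bit(8) /* OVS_TUNNEL_KEY_ATTR_ID */
		+ nla_total_size(16)   /* OVS_TUNNEL_KEY_ATTR_IPV[46]_SRC */
		+ nla_total_size(16)   /* OVS_TUNNEL_KEY_ATTR_IPV[46]_DST */
		+ nla_total_size(1)    /* OVS_TUNNEL_KEY_ATTR_TOS */
		+ nla_total_size(1)    /* OVS_TUNNEL_KEY_ATTR_TTL */
		+ nla_total_size(0)    /* OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT */
		+ nla_total_size(0)    /* OVS_TUNNEL_KEY_ATTR_CSUM */
		+ nla_total_size(0)    /* OVS_TUNNEL_KEY_ATTR_OAM */
		+ nla_total_size(256)  /* OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS */
		/* OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS and
		 * OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS is mutually exclusive with
		 * OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS and covered by it.
		 */
		+ nla_total_size(2)    /* OVS_TUNNEL_KEY_ATTR_TP_SRC */
		+ nla_total_size(2);   /* OVS_TUNNEL_KEY_ATTR_TP_DST */
}

/* Upper bound on the netlink space needed for the NSH key attributes. */
static size_t ovs_nsh_key_attr_size(void)
{
	/* Whenever adding new OVS_NSH_KEY_ FIELDS, we should consider
	 * updating this function.
	 */
	return  nla_total_size(NSH_BASE_HDR_LEN) /* OVS_NSH_KEY_ATTR_BASE */
		/* OVS_NSH_KEY_ATTR_MD1 and OVS_NSH_KEY_ATTR_MD2 are
		 * mutually exclusive, so the bigger one can cover
		 * the small one.
		 */
		+ nla_total_size(NSH_CTX_HDRS_MAX_LEN);
}

/* Upper bound on the netlink space needed to dump a complete flow key.
 * The BUILD_BUG_ON breaks the build when the attribute enum changes so that
 * the sum below is revisited at the same time.
 */
size_t ovs_key_attr_size(void)
{
	/* Whenever adding new OVS_KEY_ FIELDS, we should consider
	 * updating this function.
	 */
	BUILD_BUG_ON(OVS_KEY_ATTR_TUNNEL_INFO != 29);

	return    nla_total_size(4)   /* OVS_KEY_ATTR_PRIORITY */
		+ nla_total_size(0)   /* OVS_KEY_ATTR_TUNNEL */
		  + ovs_tun_key_attr_size()
		+ nla_total_size(4)   /* OVS_KEY_ATTR_IN_PORT */
		+ nla_total_size(4)   /* OVS_KEY_ATTR_SKB_MARK */
		+ nla_total_size(4)   /* OVS_KEY_ATTR_DP_HASH */
		+ nla_total_size(4)   /* OVS_KEY_ATTR_RECIRC_ID */
		+ nla_total_size(4)   /* OVS_KEY_ATTR_CT_STATE */
		+ nla_total_size(2)   /* OVS_KEY_ATTR_CT_ZONE */
		+ nla_total_size(4)   /* OVS_KEY_ATTR_CT_MARK */
		+ nla_total_size(16)  /* OVS_KEY_ATTR_CT_LABELS */
		+ nla_total_size(40)  /* OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6 */
		+ nla_total_size(0)   /* OVS_KEY_ATTR_NSH */
		  + ovs_nsh_key_attr_size()
		+ nla_total_size(12)  /* OVS_KEY_ATTR_ETHERNET */
		+ nla_total_size(2)   /* OVS_KEY_ATTR_ETHERTYPE */
		+ nla_total_size(4)   /* OVS_KEY_ATTR_VLAN */
		+ nla_total_size(0)   /* OVS_KEY_ATTR_ENCAP */
		+ nla_total_size(2)   /* OVS_KEY_ATTR_ETHERTYPE */
		+ nla_total_size(40)  /* OVS_KEY_ATTR_IPV6 */
		+ nla_total_size(2)   /* OVS_KEY_ATTR_ICMPV6 */
		+ nla_total_size(28); /* OVS_KEY_ATTR_ND */
}

/* Expected lengths of the attributes nested in OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS. */
static const struct ovs_len_tbl ovs_vxlan_ext_key_lens[OVS_VXLAN_EXT_MAX + 1] = {
	[OVS_VXLAN_EXT_GBP]	    = { .len = sizeof(u32) },
};

/* Expected lengths of the attributes nested in OVS_KEY_ATTR_TUNNEL.
 * Entries not listed here are zero-initialised, i.e. expected length 0.
 */
static const struct ovs_len_tbl ovs_tunnel_key_lens[OVS_TUNNEL_KEY_ATTR_MAX + 1] = {
	[OVS_TUNNEL_KEY_ATTR_ID]	    = { .len = sizeof(u64) },
	[OVS_TUNNEL_KEY_ATTR_IPV4_SRC]	    = { .len = sizeof(u32) },
	[OVS_TUNNEL_KEY_ATTR_IPV4_DST]	    = { .len = sizeof(u32) },
	[OVS_TUNNEL_KEY_ATTR_TOS]	    = { .len = 1 },
	[OVS_TUNNEL_KEY_ATTR_TTL]	    = { .len = 1 },
	[OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT] = { .len = 0 },
	[OVS_TUNNEL_KEY_ATTR_CSUM]	    = { .len = 0 },
	[OVS_TUNNEL_KEY_ATTR_TP_SRC]	    = { .len = sizeof(u16) },
	[OVS_TUNNEL_KEY_ATTR_TP_DST]	    = { .len = sizeof(u16) },
	[OVS_TUNNEL_KEY_ATTR_OAM]	    = { .len = 0 },
	[OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS]   = { .len = OVS_ATTR_VARIABLE },
	[OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS]    = { .len = OVS_ATTR_NESTED,
						.next = ovs_vxlan_ext_key_lens },
	[OVS_TUNNEL_KEY_ATTR_IPV6_SRC]      = { .len = sizeof(struct in6_addr) },
	[OVS_TUNNEL_KEY_ATTR_IPV6_DST]      = { .len = sizeof(struct in6_addr) },
	[OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS]   = { .len = OVS_ATTR_VARIABLE },
	[OVS_TUNNEL_KEY_ATTR_IPV4_INFO_BRIDGE]   = { .len = 0 },
};

/* Expected lengths of the attributes nested in OVS_KEY_ATTR_NSH. */
static const struct ovs_len_tbl
ovs_nsh_key_attr_lens[OVS_NSH_KEY_ATTR_MAX + 1] = {
	[OVS_NSH_KEY_ATTR_BASE] = { .len = sizeof(struct ovs_nsh_key_base) },
	[OVS_NSH_KEY_ATTR_MD1]  = { .len = sizeof(struct ovs_nsh_key_md1) },
	[OVS_NSH_KEY_ATTR_MD2]  = { .len = OVS_ATTR_VARIABLE },
};

/* The size of the argument for each %OVS_KEY_ATTR_* Netlink attribute.  */
static const struct ovs_len_tbl ovs_key_lens[OVS_KEY_ATTR_MAX + 1] = {
	[OVS_KEY_ATTR_ENCAP]	 = { .len = OVS_ATTR_NESTED },
	[OVS_KEY_ATTR_PRIORITY]	 = { .len = sizeof(u32) },
	[OVS_KEY_ATTR_IN_PORT]	 = { .len = sizeof(u32) },
	[OVS_KEY_ATTR_SKB_MARK]	 = { .len = sizeof(u32) },
	[OVS_KEY_ATTR_ETHERNET]	 = { .len = sizeof(struct ovs_key_ethernet) },
	[OVS_KEY_ATTR_VLAN]	 = { .len = sizeof(__be16) },
	[OVS_KEY_ATTR_ETHERTYPE] = { .len = sizeof(__be16) },
	[OVS_KEY_ATTR_IPV4]	 = { .len = sizeof(struct ovs_key_ipv4) },
	[OVS_KEY_ATTR_IPV6]	 = { .len = sizeof(struct ovs_key_ipv6) },
	[OVS_KEY_ATTR_TCP]	 = { .len = sizeof(struct ovs_key_tcp) },
	[OVS_KEY_ATTR_TCP_FLAGS] = { .len = sizeof(__be16) },
	[OVS_KEY_ATTR_UDP]	 = { .len = sizeof(struct ovs_key_udp) },
	[OVS_KEY_ATTR_SCTP]	 = { .len = sizeof(struct ovs_key_sctp) },
	[OVS_KEY_ATTR_ICMP]	 = { .len = sizeof(struct ovs_key_icmp) },
	[OVS_KEY_ATTR_ICMPV6]	 = { .len = sizeof(struct ovs_key_icmpv6) },
	[OVS_KEY_ATTR_ARP]	 = { .len = sizeof(struct ovs_key_arp) },
	[OVS_KEY_ATTR_ND]	 = { .len = sizeof(struct ovs_key_nd) },
	[OVS_KEY_ATTR_RECIRC_ID] = { .len = sizeof(u32) },
	[OVS_KEY_ATTR_DP_HASH]	 = { .len = sizeof(u32) },
	[OVS_KEY_ATTR_TUNNEL]	 = { .len = OVS_ATTR_NESTED,
				     .next = ovs_tunnel_key_lens, },
	[OVS_KEY_ATTR_MPLS]	 = { .len = OVS_ATTR_VARIABLE },
	[OVS_KEY_ATTR_CT_STATE]	 = { .len = sizeof(u32) },
	[OVS_KEY_ATTR_CT_ZONE]	 = { .len = sizeof(u16) },
	[OVS_KEY_ATTR_CT_MARK]	 = { .len = sizeof(u32) },
	[OVS_KEY_ATTR_CT_LABELS] = { .len = sizeof(struct ovs_key_ct_labels) },
	[OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4] = {
		.len = sizeof(struct ovs_key_ct_tuple_ipv4) },
	[OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6] = {
		.len = sizeof(struct ovs_key_ct_tuple_ipv6) },
	[OVS_KEY_ATTR_NSH]       = { .len = OVS_ATTR_NESTED,
				     .next = ovs_nsh_key_attr_lens, },
};

/* Return true if @attr_len is acceptable for a table entry of @expected_len.
 *
 * The sentinels OVS_ATTR_NESTED and OVS_ATTR_VARIABLE are negative ints that
 * are compared after conversion to unsigned int; for those entries every
 * length passes, so this function is not a bound on variable-length or
 * nested payloads.  Their consumers must check the length before copying.
 */
static bool check_attr_len(unsigned int attr_len, unsigned int expected_len)
{
	return expected_len == attr_len ||
	       expected_len == OVS_ATTR_NESTED ||
	       expected_len == OVS_ATTR_VARIABLE;
}

/* Return true if the @size bytes at @fp are all zero.  A NULL @fp yields
 * false; a @size of 0 with a non-NULL @fp yields true.
 */
static bool is_all_zero(const u8 *fp, size_t size)
{
	size_t i;	/* same type as @size: no signed/unsigned comparison */

	if (!fp)
		return false;

	for (i = 0; i < size; i++)
		if (fp[i])
			return false;

	return true;
}

/* Walk the attributes nested in @attr and record each one in @a[type] and
 * in the bitmap *@attrsp.
 *
 * Rejects (-EINVAL) a type above OVS_KEY_ATTR_MAX, a type already present in
 * the bitmap, a length that check_attr_len() refuses, and trailing bytes
 * after the last attribute.  The range check comes first because @type then
 * indexes ovs_key_lens[] and @a[].  When @nz is set, attributes whose
 * payload is all zero are skipped instead of recorded.  *@attrsp is only
 * written on success; @a[] may already hold entries when an error is
 * returned.
 */
static int __parse_flow_nlattrs(const struct nlattr *attr,
				const struct nlattr *a[],
				u64 *attrsp, bool log, bool nz)
{
	const struct nlattr *nla;
	u64 attrs;
	int rem;

	attrs = *attrsp;
	nla_for_each_nested(nla, attr, rem) {
		u16 type = nla_type(nla);
		int expected_len;

		if (type > OVS_KEY_ATTR_MAX) {
			OVS_NLERR(log, "Key type %d is out of range max %d",
				  type, OVS_KEY_ATTR_MAX);
			return -EINVAL;
		}

		/* 1ULL: the bitmap is u64, so shift in 64 bits, not in int. */
		if (attrs & (1ULL << type)) {
			OVS_NLERR(log, "Duplicate key (type %d).", type);
			return -EINVAL;
		}

		expected_len = ovs_key_lens[type].len;
		if (!check_attr_len(nla_len(nla), expected_len)) {
			OVS_NLERR(log, "Key %d has unexpected len %d expected %d",
				  type, nla_len(nla), expected_len);
			return -EINVAL;
		}

		if (!nz || !is_all_zero(nla_data(nla), nla_len(nla))) {
			attrs |= 1ULL << type;
			a[type] = nla;
		}
	}
	if (rem) {
		OVS_NLERR(log, "Message has %d unknown bytes.", rem);
		return -EINVAL;
	}

	*attrsp = attrs;
	return 0;
}

/* Parse mask attributes: all-zero attributes are ignored (nz = true). */
static int parse_flow_mask_nlattrs(const struct nlattr *attr,
				   const struct nlattr *a[], u64 *attrsp,
				   bool log)
{
	return __parse_flow_nlattrs(attr, a, attrsp, log, true);
}

/* Parse key attributes: every attribute is recorded (nz = false). */
int parse_flow_nlattrs(const struct nlattr *attr, const struct nlattr *a[],
		       u64 *attrsp, bool log)
{
	return __parse_flow_nlattrs(attr, a, attrsp, log, false);
}

/* Copy Geneve options from attribute @a into the key or mask of @match.
 *
 * The attribute is variable length in the table, so both bounds are enforced
 * here before the copy: at most sizeof(tun_opts) bytes and a multiple of 4.
 * Returns 0 on success, -EINVAL on a bad length or a key/mask mismatch.
 */
static int genev_tun_opt_from_nlattr(const struct nlattr *a,
				     struct sw_flow_match *match, bool is_mask,
				     bool log)
{
	unsigned long opt_key_offset;

	if (nla_len(a) > sizeof(match->key->tun_opts)) {
		OVS_NLERR(log, "Geneve option length err (len %d, max %zu).",
			  nla_len(a), sizeof(match->key->tun_opts));
		return -EINVAL;
	}

	if (nla_len(a) % 4 != 0) {
		OVS_NLERR(log, "Geneve opt len %d is not a multiple of 4.",
			  nla_len(a));
		return -EINVAL;
	}

	/* We need to record the length of the options passed
	 * down, otherwise packets with the same format but
	 * additional options will be silently matched.
	 */
	if (!is_mask) {
		SW_FLOW_KEY_PUT(match, tun_opts_len, nla_len(a),
				false);
	} else {
		/* This is somewhat unusual because it looks at
		 * both the key and mask while parsing the
		 * attributes (and by extension assumes the key
		 * is parsed first). Normally, we would verify
		 * that each is the correct length and that the
		 * attributes line up in the validate function.
		 * However, that is difficult because this is
		 * variable length and we won't have the
		 * information later.
		 */
		if (match->key->tun_opts_len != nla_len(a)) {
			OVS_NLERR(log, "Geneve option len %d != mask len %d",
				  match->key->tun_opts_len, nla_len(a));
			return -EINVAL;
		}

		SW_FLOW_KEY_PUT(match, tun_opts_len, 0xff, true);
	}

	opt_key_offset = TUN_METADATA_OFFSET(nla_len(a));
	SW_FLOW_KEY_MEMCPY_OFFSET(match, opt_key_offset, nla_data(a),
				  nla_len(a), is_mask);
	return 0;
}

/* Parse the nested VXLAN extension attributes in @attr into a zeroed
 * struct vxlan_metadata and store it in the key or mask of @match.
 *
 * Each extension type is range-checked before it indexes
 * ovs_vxlan_ext_key_lens[].  The copy length is the fixed sizeof(opts),
 * which the BUILD_BUG_ON keeps within tun_opts.
 * Returns 0 on success, -EINVAL on any malformed extension.
 */
static int vxlan_tun_opt_from_nlattr(const struct nlattr *attr,
				     struct sw_flow_match *match, bool is_mask,
				     bool log)
{
	struct nlattr *a;
	int rem;
	unsigned long opt_key_offset;
	struct vxlan_metadata opts;

	BUILD_BUG_ON(sizeof(opts) > sizeof(match->key->tun_opts));

	memset(&opts, 0, sizeof(opts));
	nla_for_each_nested(a, attr, rem) {
		int type = nla_type(a);

		if (type > OVS_VXLAN_EXT_MAX) {
			OVS_NLERR(log, "VXLAN extension %d out of range max %d",
				  type, OVS_VXLAN_EXT_MAX);
			return -EINVAL;
		}

		if (!check_attr_len(nla_len(a),
				    ovs_vxlan_ext_key_lens[type].len)) {
			OVS_NLERR(log, "VXLAN extension %d has unexpected len %d expected %d",
				  type, nla_len(a),
				  ovs_vxlan_ext_key_lens[type].len);
			return -EINVAL;
		}

		switch (type) {
		case OVS_VXLAN_EXT_GBP:
			opts.gbp = nla_get_u32(a);
			break;
		default:
			OVS_NLERR(log, "Unknown VXLAN extension attribute %d",
				  type);
			return -EINVAL;
		}
	}
	if (rem) {
		OVS_NLERR(log, "VXLAN extension message has %d unknown bytes.",
			  rem);
		return -EINVAL;
	}

	if (!is_mask)
		SW_FLOW_KEY_PUT(match, tun_opts_len, sizeof(opts), false);
	else
		SW_FLOW_KEY_PUT(match, tun_opts_len, 0xff, true);

	opt_key_offset = TUN_METADATA_OFFSET(sizeof(opts));
	SW_FLOW_KEY_MEMCPY_OFFSET(match, opt_key_offset, &opts, sizeof(opts),
				  is_mask);
	return 0;
}

/* Copy ERSPAN options from attribute @a into the key or mask of @match.
 * Returns 0 on success, -EINVAL when the attribute exceeds tun_opts.
 *
 * NOTE(review): the key records tun_opts_len as
 * sizeof(struct erspan_metadata), but the offset and the copy length below
 * both use nla_len(a).  The table entry is OVS_ATTR_VARIABLE, so the only
 * constraint on nla_len(a) is the upper bound checked here; when it differs
 * from sizeof(struct erspan_metadata) the recorded length and the stored
 * bytes disagree.  Confirm whether an exact-length check is intended.
 */
static int erspan_tun_opt_from_nlattr(const struct nlattr *a,
				      struct sw_flow_match *match, bool is_mask,
				      bool log)
{
	unsigned long opt_key_offset;

	BUILD_BUG_ON(sizeof(struct erspan_metadata) >
		     sizeof(match->key->tun_opts));

	if (nla_len(a) > sizeof(match->key->tun_opts)) {
		OVS_NLERR(log, "ERSPAN option length err (len %d, max %zu).",
			  nla_len(a), sizeof(match->key->tun_opts));
		return -EINVAL;
	}

	if (!is_mask)
		SW_FLOW_KEY_PUT(match, tun_opts_len,
				sizeof(struct erspan_metadata), false);
	else
		SW_FLOW_KEY_PUT(match, tun_opts_len, 0xff, true);

	opt_key_offset = TUN_METADATA_OFFSET(nla_len(a));
	SW_FLOW_KEY_MEMCPY_OFFSET(match, opt_key_offset, nla_data(a),
				  nla_len(a), is_mask);
	return 0;
}

/* Parse the attributes nested in OVS_KEY_ATTR_TUNNEL into the tunnel key or
 * mask of @match.
 *
 * Returns the attribute type of the single options block that was parsed
 * (0 when there was none), or -EINVAL.  Each type is range-checked before it
 * indexes ovs_tunnel_key_lens[], and at most one of the GENEVE / VXLAN /
 * ERSPAN option blocks is accepted.
 *
 * Fields are written into @match while the loop runs, and the consistency
 * checks (mixed address families, zero destination, missing TTL) follow
 * afterwards, so @match is left partially updated on an error return.
 */
static int ip_tun_from_nlattr(const struct nlattr *attr,
			      struct sw_flow_match *match, bool is_mask,
			      bool log)
{
	bool ttl = false, ipv4 = false, ipv6 = false;
	bool info_bridge_mode = false;
	__be16 tun_flags = 0;
	int opts_type = 0;
	struct nlattr *a;
	int rem;

	nla_for_each_nested(a, attr, rem) {
		int type = nla_type(a);
		int err;

		if (type > OVS_TUNNEL_KEY_ATTR_MAX) {
			OVS_NLERR(log, "Tunnel attr %d out of range max %d",
				  type, OVS_TUNNEL_KEY_ATTR_MAX);
			return -EINVAL;
		}

		if (!check_attr_len(nla_len(a),
				    ovs_tunnel_key_lens[type].len)) {
			OVS_NLERR(log, "Tunnel attr %d has unexpected len %d expected %d",
				  type, nla_len(a), ovs_tunnel_key_lens[type].len);
			return -EINVAL;
		}

		switch (type) {
		case OVS_TUNNEL_KEY_ATTR_ID:
			SW_FLOW_KEY_PUT(match, tun_key.tun_id,
					nla_get_be64(a), is_mask);
			tun_flags |= TUNNEL_KEY;
			break;
		case OVS_TUNNEL_KEY_ATTR_IPV4_SRC:
			SW_FLOW_KEY_PUT(match, tun_key.u.ipv4.src,
					nla_get_in_addr(a), is_mask);
			ipv4 = true;
			break;
		case OVS_TUNNEL_KEY_ATTR_IPV4_DST:
			SW_FLOW_KEY_PUT(match, tun_key.u.ipv4.dst,
					nla_get_in_addr(a), is_mask);
			ipv4 = true;
			break;
		case OVS_TUNNEL_KEY_ATTR_IPV6_SRC:
			SW_FLOW_KEY_PUT(match, tun_key.u.ipv6.src,
					nla_get_in6_addr(a), is_mask);
			ipv6 = true;
			break;
		case OVS_TUNNEL_KEY_ATTR_IPV6_DST:
			SW_FLOW_KEY_PUT(match, tun_key.u.ipv6.dst,
					nla_get_in6_addr(a), is_mask);
			ipv6 = true;
			break;
		case OVS_TUNNEL_KEY_ATTR_TOS:
			SW_FLOW_KEY_PUT(match, tun_key.tos,
					nla_get_u8(a), is_mask);
			break;
		case OVS_TUNNEL_KEY_ATTR_TTL:
			SW_FLOW_KEY_PUT(match, tun_key.ttl,
					nla_get_u8(a), is_mask);
			ttl = true;
			break;
		case OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT:
			tun_flags |= TUNNEL_DONT_FRAGMENT;
			break;
		case OVS_TUNNEL_KEY_ATTR_CSUM:
			tun_flags |= TUNNEL_CSUM;
			break;
		case OVS_TUNNEL_KEY_ATTR_TP_SRC:
			SW_FLOW_KEY_PUT(match, tun_key.tp_src,
					nla_get_be16(a), is_mask);
			break;
		case OVS_TUNNEL_KEY_ATTR_TP_DST:
			SW_FLOW_KEY_PUT(match, tun_key.tp_dst,
					nla_get_be16(a), is_mask);
			break;
		case OVS_TUNNEL_KEY_ATTR_OAM:
			tun_flags |= TUNNEL_OAM;
			break;
		case OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS:
			if (opts_type) {
				OVS_NLERR(log, "Multiple metadata blocks provided");
				return -EINVAL;
			}

			err = genev_tun_opt_from_nlattr(a, match, is_mask, log);
			if (err)
				return err;

			tun_flags |= TUNNEL_GENEVE_OPT;
			opts_type = type;
			break;
		case OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS:
			if (opts_type) {
				OVS_NLERR(log, "Multiple metadata blocks provided");
				return -EINVAL;
			}

			err = vxlan_tun_opt_from_nlattr(a, match, is_mask, log);
			if (err)
				return err;

			tun_flags |= TUNNEL_VXLAN_OPT;
			opts_type = type;
			break;
		case OVS_TUNNEL_KEY_ATTR_PAD:
			break;
		case OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS:
			if (opts_type) {
				OVS_NLERR(log, "Multiple metadata blocks provided");
				return -EINVAL;
			}

			err = erspan_tun_opt_from_nlattr(a, match, is_mask,
							 log);
			if (err)
				return err;

			tun_flags |= TUNNEL_ERSPAN_OPT;
			opts_type = type;
			break;
		case OVS_TUNNEL_KEY_ATTR_IPV4_INFO_BRIDGE:
			info_bridge_mode = true;
			ipv4 = true;
			break;
		default:
			OVS_NLERR(log, "Unknown IP tunnel attribute %d",
				  type);
			return -EINVAL;
		}
	}

	SW_FLOW_KEY_PUT(match, tun_key.tun_flags, tun_flags, is_mask);
	if (is_mask)
		SW_FLOW_KEY_MEMSET_FIELD(match, tun_proto, 0xff, true);
	else
		SW_FLOW_KEY_PUT(match, tun_proto, ipv6 ? AF_INET6 : AF_INET,
				false);

	if (rem > 0) {
		OVS_NLERR(log, "IP tunnel attribute has %d unknown bytes.",
			  rem);
		return -EINVAL;
	}

	if (ipv4 && ipv6) {
		OVS_NLERR(log, "Mixed IPv4 and IPv6 tunnel attributes");
		return -EINVAL;
	}

	if (!is_mask) {
		if (!ipv4 && !ipv6) {
			OVS_NLERR(log, "IP tunnel dst address not specified");
			return -EINVAL;
		}
		if (ipv4) {
			if (info_bridge_mode) {
				/* Bridge mode: only the tunnel id may be set. */
				if (match->key->tun_key.u.ipv4.src ||
				    match->key->tun_key.u.ipv4.dst ||
				    match->key->tun_key.tp_src ||
				    match->key->tun_key.tp_dst ||
				    match->key->tun_key.ttl ||
				    match->key->tun_key.tos ||
				    tun_flags & ~TUNNEL_KEY) {
					OVS_NLERR(log, "IPv4 tun info is not correct");
					return -EINVAL;
				}
			} else if (!match->key->tun_key.u.ipv4.dst) {
				OVS_NLERR(log, "IPv4 tunnel dst address is zero");
				return -EINVAL;
			}
		}
		if (ipv6 && ipv6_addr_any(&match->key->tun_key.u.ipv6.dst)) {
			OVS_NLERR(log, "IPv6 tunnel dst address is zero");
			return -EINVAL;
		}

		if (!ttl && !info_bridge_mode) {
			OVS_NLERR(log, "IP tunnel TTL not specified.");
			return -EINVAL;
		}
	}

	return opts_type;
}

/* Emit the VXLAN options in @tun_opts as a nested
 * OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS attribute.  @swkey_tun_opts_len is not
 * used.  Returns 0 or -EMSGSIZE; on failure the partly written nest is
 * cancelled so that no half-built attribute stays in @skb.
 */
static int vxlan_opt_to_nlattr(struct sk_buff *skb,
			       const void *tun_opts, int swkey_tun_opts_len)
{
	const struct vxlan_metadata *opts = tun_opts;
	struct nlattr *nla;

	nla = nla_nest_start_noflag(skb, OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS);
	if (!nla)
		return -EMSGSIZE;

	if (nla_put_u32(skb, OVS_VXLAN_EXT_GBP, opts->gbp) < 0) {
		nla_nest_cancel(skb, nla);
		return -EMSGSIZE;
	}

	nla_nest_end(skb, nla);
	return 0;
}

/* Emit the tunnel key @output and its options as OVS_TUNNEL_KEY_ATTR_*
 * attributes directly into @skb (no enclosing nest).
 *
 * Zero-valued addresses, ports and TOS are omitted; TTL is always emitted.
 * In IP_TUNNEL_INFO_BRIDGE mode only the tunnel id (when TUNNEL_KEY is set)
 * and the bridge flag are written.  Returns 0 or -EMSGSIZE.
 */
static int __ip_tun_to_nlattr(struct sk_buff *skb,
			      const struct ip_tunnel_key *output,
			      const void *tun_opts, int swkey_tun_opts_len,
			      unsigned short tun_proto, u8 mode)
{
	if (output->tun_flags & TUNNEL_KEY &&
	    nla_put_be64(skb, OVS_TUNNEL_KEY_ATTR_ID, output->tun_id,
			 OVS_TUNNEL_KEY_ATTR_PAD))
		return -EMSGSIZE;

	if (mode & IP_TUNNEL_INFO_BRIDGE)
		return nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_IPV4_INFO_BRIDGE)
		       ? -EMSGSIZE : 0;

	switch (tun_proto) {
	case AF_INET:
		if (output->u.ipv4.src &&
		    nla_put_in_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV4_SRC,
				    output->u.ipv4.src))
			return -EMSGSIZE;
		if (output->u.ipv4.dst &&
		    nla_put_in_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV4_DST,
				    output->u.ipv4.dst))
			return -EMSGSIZE;
		break;
	case AF_INET6:
		if (!ipv6_addr_any(&output->u.ipv6.src) &&
		    nla_put_in6_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV6_SRC,
				     &output->u.ipv6.src))
			return -EMSGSIZE;
		if (!ipv6_addr_any(&output->u.ipv6.dst) &&
		    nla_put_in6_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV6_DST,
				     &output->u.ipv6.dst))
			return -EMSGSIZE;
		break;
	}
	if (output->tos &&
	    nla_put_u8(skb, OVS_TUNNEL_KEY_ATTR_TOS, output->tos))
		return -EMSGSIZE;
	if (nla_put_u8(skb, OVS_TUNNEL_KEY_ATTR_TTL, output->ttl))
		return -EMSGSIZE;
	if ((output->tun_flags & TUNNEL_DONT_FRAGMENT) &&
	    nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT))
		return -EMSGSIZE;
	if ((output->tun_flags & TUNNEL_CSUM) &&
	    nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_CSUM))
		return -EMSGSIZE;
	if (output->tp_src &&
	    nla_put_be16(skb, OVS_TUNNEL_KEY_ATTR_TP_SRC, output->tp_src))
		return -EMSGSIZE;
	if (output->tp_dst &&
	    nla_put_be16(skb, OVS_TUNNEL_KEY_ATTR_TP_DST, output->tp_dst))
		return -EMSGSIZE;
	if ((output->tun_flags & TUNNEL_OAM) &&
	    nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_OAM))
		return -EMSGSIZE;
	if (swkey_tun_opts_len) {
		/* Each branch tests its option flag and does its put in one
		 * condition, so a successful put falls through to the next
		 * flag test rather than ending the chain.
		 */
		if (output->tun_flags & TUNNEL_GENEVE_OPT &&
		    nla_put(skb, OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS,
			    swkey_tun_opts_len, tun_opts))
			return -EMSGSIZE;
		else if (output->tun_flags & TUNNEL_VXLAN_OPT &&
			 vxlan_opt_to_nlattr(skb, tun_opts, swkey_tun_opts_len))
			return -EMSGSIZE;
		else if (output->tun_flags & TUNNEL_ERSPAN_OPT &&
			 nla_put(skb, OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS,
				 swkey_tun_opts_len, tun_opts))
			return -EMSGSIZE;
	}

	return 0;
}

/* Emit the tunnel key inside a nested OVS_KEY_ATTR_TUNNEL attribute.
 * Returns 0 or a negative errno; on failure the open nest is cancelled so
 * that @skb does not keep a truncated tunnel attribute.
 */
static int ip_tun_to_nlattr(struct sk_buff *skb,
			    const struct ip_tunnel_key *output,
			    const void *tun_opts, int swkey_tun_opts_len,
			    unsigned short tun_proto, u8 mode)
{
	struct nlattr *nla;
	int err;

	nla = nla_nest_start_noflag(skb, OVS_KEY_ATTR_TUNNEL);
	if (!nla)
		return -EMSGSIZE;

	err = __ip_tun_to_nlattr(skb, output, tun_opts, swkey_tun_opts_len,
				 tun_proto, mode);
	if (err) {
		nla_nest_cancel(skb, nla);
		return err;
	}

	nla_nest_end(skb, nla);
	return 0;
}

/* Emit the attributes of @tun_info into @skb without an enclosing nest. */
int ovs_nla_put_tunnel_info(struct sk_buff *skb,
			    struct ip_tunnel_info *tun_info)
{
	return __ip_tun_to_nlattr(skb, &tun_info->key,
				  ip_tunnel_info_opts(tun_info),
				  tun_info->options_len,
				  ip_tunnel_info_af(tun_info), tun_info->mode);
}

/* Store the VLAN TCI and TPID from @a into eth.vlan, or into eth.cvlan when
 * @inner.  A missing attribute is stored as 0.  Always returns 0.
 */
static int encode_vlan_from_nlattrs(struct sw_flow_match *match,
				    const struct nlattr *a[],
				    bool is_mask, bool inner)
{
	__be16 tci = 0;
	__be16 tpid = 0;

	if (a[OVS_KEY_ATTR_VLAN])
		tci = nla_get_be16(a[OVS_KEY_ATTR_VLAN]);

	if (a[OVS_KEY_ATTR_ETHERTYPE])
		tpid = nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE]);

	if (likely(!inner)) {
		SW_FLOW_KEY_PUT(match, eth.vlan.tpid, tpid, is_mask);
		SW_FLOW_KEY_PUT(match, eth.vlan.tci, tci, is_mask);
	} else {
		SW_FLOW_KEY_PUT(match, eth.cvlan.tpid, tpid, is_mask);
		SW_FLOW_KEY_PUT(match, eth.cvlan.tci, tci, is_mask);
	}
	return 0;
}

/* Decide whether the key attributes describe a VLAN (or C-VLAN) frame.
 *
 * Returns 0 when they do not, 1 when they describe a valid VLAN frame and
 * -EINVAL when the VLAN attributes are inconsistent.  @a[] entries are only
 * dereferenced after the matching bit in @key_attrs has been tested.
 */
static int validate_vlan_from_nlattrs(const struct sw_flow_match *match,
				      u64 key_attrs, bool inner,
				      const struct nlattr **a, bool log)
{
	__be16 tci = 0;

	if (!((key_attrs & (1ULL << OVS_KEY_ATTR_ETHERNET)) &&
	      (key_attrs & (1ULL << OVS_KEY_ATTR_ETHERTYPE)) &&
	       eth_type_vlan(nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE])))) {
		/* Not a VLAN. */
		return 0;
	}

	if (!((key_attrs & (1ULL << OVS_KEY_ATTR_VLAN)) &&
	      (key_attrs & (1ULL << OVS_KEY_ATTR_ENCAP)))) {
		OVS_NLERR(log, "Invalid %s frame", (inner) ? "C-VLAN" : "VLAN");
		return -EINVAL;
	}

	if (a[OVS_KEY_ATTR_VLAN])
		tci = nla_get_be16(a[OVS_KEY_ATTR_VLAN]);

	if (!(tci & htons(VLAN_CFI_MASK))) {
		if (tci) {
			OVS_NLERR(log, "%s TCI does not have VLAN_CFI_MASK bit set.",
				  (inner) ? "C-VLAN" : "VLAN");
			return -EINVAL;
		} else if (nla_len(a[OVS_KEY_ATTR_ENCAP])) {
			/* Corner case for truncated VLAN header. */
			OVS_NLERR(log, "Truncated %s header has non-zero encap attribute.",
				  (inner) ? "C-VLAN" : "VLAN");
			return -EINVAL;
		}
	}

	return 1;
}

/* Mask counterpart of validate_vlan_from_nlattrs().
 *
 * Returns 0 when the mask carries no ENCAP attribute, 1 when the VLAN mask
 * is valid and -EINVAL otherwise.  It reads the VLAN TCI already stored in
 * the key, so the key has to be parsed before the mask.
 */
static int validate_vlan_mask_from_nlattrs(const struct sw_flow_match *match,
					   u64 key_attrs, bool inner,
					   const struct nlattr **a, bool log)
{
	__be16 tci = 0;
	__be16 tpid = 0;
	bool encap_valid = !!(match->key->eth.vlan.tci &
			      htons(VLAN_CFI_MASK));
	bool i_encap_valid = !!(match->key->eth.cvlan.tci &
				htons(VLAN_CFI_MASK));

	if (!(key_attrs & (1ULL << OVS_KEY_ATTR_ENCAP))) {
		/* Not a VLAN. */
		return 0;
	}

	if ((!inner && !encap_valid) || (inner && !i_encap_valid)) {
		OVS_NLERR(log, "Encap mask attribute is set for non-%s frame.",
			  (inner) ? "C-VLAN" : "VLAN");
		return -EINVAL;
	}

	if (a[OVS_KEY_ATTR_VLAN])
		tci = nla_get_be16(a[OVS_KEY_ATTR_VLAN]);

	if (a[OVS_KEY_ATTR_ETHERTYPE])
		tpid = nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE]);

	if (tpid != htons(0xffff)) {
		OVS_NLERR(log, "Must have an exact match on %s TPID (mask=%x).",
			  (inner) ? "C-VLAN" : "VLAN", ntohs(tpid));
		return -EINVAL;
	}
	if (!(tci & htons(VLAN_CFI_MASK))) {
		OVS_NLERR(log, "%s TCI mask does not have exact match for VLAN_CFI_MASK bit.",
			  (inner) ? "C-VLAN" : "VLAN");
		return -EINVAL;
	}

	return 1;
}

/* Validate and store one VLAN level (outer, or inner when @inner), then
 * re-parse the attributes nested in OVS_KEY_ATTR_ENCAP into the same @a[]
 * array.
 *
 * Returns 0 when the frame is not a VLAN frame or on success, negative errno
 * otherwise.  The ENCAP, VLAN and ETHERTYPE bits are cleared from *@key_attrs
 * before the nested parse so that the inner attributes are not rejected as
 * duplicates.
 */
static int __parse_vlan_from_nlattrs(struct sw_flow_match *match,
				     u64 *key_attrs, bool inner,
				     const struct nlattr **a, bool is_mask,
				     bool log)
{
	int err;
	const struct nlattr *encap;

	if (!is_mask)
		err = validate_vlan_from_nlattrs(match, *key_attrs, inner,
						 a, log);
	else
		err = validate_vlan_mask_from_nlattrs(match, *key_attrs, inner,
						      a, log);
	if (err <= 0)
		return err;

	err = encode_vlan_from_nlattrs(match, a, is_mask, inner);
	if (err)
		return err;

	*key_attrs &= ~(1ULL << OVS_KEY_ATTR_ENCAP);
	*key_attrs &= ~(1ULL << OVS_KEY_ATTR_VLAN);
	*key_attrs &= ~(1ULL << OVS_KEY_ATTR_ETHERTYPE);

	encap = a[OVS_KEY_ATTR_ENCAP];

	if (!is_mask)
		err = parse_flow_nlattrs(encap, a, key_attrs, log);
	else
		err = parse_flow_mask_nlattrs(encap, a, key_attrs, log);

	return err;
}

static int parse_vlan_from_nlattrs(struct sw_flow_match *match,
				   u64 *key_attrs, const struct nlattr **a,
				   bool is_mask, bool log)
{
	int err;
	bool encap_valid = false;

	err = __parse_vlan_from_nlattrs(match, key_attrs, false, a,
					is_mask, log);
	if (err)
		return err;

	encap_valid = !!(match->key->eth.vlan.tci & htons(VLAN_CFI_MASK));
	if (encap_valid) {
		err =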
__parse_vlan_from_nlattrs(match, key_attrs, true, a, 1115 is_mask, log); 1116 if (err) 1117 return err; 1118 } 1119 1120 return 0; 1121 } 1122 1123 static int parse_eth_type_from_nlattrs(struct sw_flow_match *match, 1124 u64 *attrs, const struct nlattr **a, 1125 bool is_mask, bool log) 1126 { 1127 __be16 eth_type; 1128 1129 eth_type = nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE]); 1130 if (is_mask) { 1131 /* Always exact match EtherType. */ 1132 eth_type = htons(0xffff); 1133 } else if (!eth_proto_is_802_3(eth_type)) { 1134 OVS_NLERR(log, "EtherType %x is less than min %x", 1135 ntohs(eth_type), ETH_P_802_3_MIN); 1136 return -EINVAL; 1137 } 1138 1139 SW_FLOW_KEY_PUT(match, eth.type, eth_type, is_mask); 1140 *attrs &= ~(1 << OVS_KEY_ATTR_ETHERTYPE); 1141 return 0; 1142 } 1143 1144 static int metadata_from_nlattrs(struct net *net, struct sw_flow_match *match, 1145 u64 *attrs, const struct nlattr **a, 1146 bool is_mask, bool log) 1147 { 1148 u8 mac_proto = MAC_PROTO_ETHERNET; 1149 1150 if (*attrs & (1 << OVS_KEY_ATTR_DP_HASH)) { 1151 u32 hash_val = nla_get_u32(a[OVS_KEY_ATTR_DP_HASH]); 1152 1153 SW_FLOW_KEY_PUT(match, ovs_flow_hash, hash_val, is_mask); 1154 *attrs &= ~(1 << OVS_KEY_ATTR_DP_HASH); 1155 } 1156 1157 if (*attrs & (1 << OVS_KEY_ATTR_RECIRC_ID)) { 1158 u32 recirc_id = nla_get_u32(a[OVS_KEY_ATTR_RECIRC_ID]); 1159 1160 SW_FLOW_KEY_PUT(match, recirc_id, recirc_id, is_mask); 1161 *attrs &= ~(1 << OVS_KEY_ATTR_RECIRC_ID); 1162 } 1163 1164 if (*attrs & (1 << OVS_KEY_ATTR_PRIORITY)) { 1165 SW_FLOW_KEY_PUT(match, phy.priority, 1166 nla_get_u32(a[OVS_KEY_ATTR_PRIORITY]), is_mask); 1167 *attrs &= ~(1 << OVS_KEY_ATTR_PRIORITY); 1168 } 1169 1170 if (*attrs & (1 << OVS_KEY_ATTR_IN_PORT)) { 1171 u32 in_port = nla_get_u32(a[OVS_KEY_ATTR_IN_PORT]); 1172 1173 if (is_mask) { 1174 in_port = 0xffffffff; /* Always exact match in_port. 
*/ 1175 } else if (in_port >= DP_MAX_PORTS) { 1176 OVS_NLERR(log, "Port %d exceeds max allowable %d", 1177 in_port, DP_MAX_PORTS); 1178 return -EINVAL; 1179 } 1180 1181 SW_FLOW_KEY_PUT(match, phy.in_port, in_port, is_mask); 1182 *attrs &= ~(1 << OVS_KEY_ATTR_IN_PORT); 1183 } else if (!is_mask) { 1184 SW_FLOW_KEY_PUT(match, phy.in_port, DP_MAX_PORTS, is_mask); 1185 } 1186 1187 if (*attrs & (1 << OVS_KEY_ATTR_SKB_MARK)) { 1188 uint32_t mark = nla_get_u32(a[OVS_KEY_ATTR_SKB_MARK]); 1189 1190 SW_FLOW_KEY_PUT(match, phy.skb_mark, mark, is_mask); 1191 *attrs &= ~(1 << OVS_KEY_ATTR_SKB_MARK); 1192 } 1193 if (*attrs & (1 << OVS_KEY_ATTR_TUNNEL)) { 1194 if (ip_tun_from_nlattr(a[OVS_KEY_ATTR_TUNNEL], match, 1195 is_mask, log) < 0) 1196 return -EINVAL; 1197 *attrs &= ~(1 << OVS_KEY_ATTR_TUNNEL); 1198 } 1199 1200 if (*attrs & (1 << OVS_KEY_ATTR_CT_STATE) && 1201 ovs_ct_verify(net, OVS_KEY_ATTR_CT_STATE)) { 1202 u32 ct_state = nla_get_u32(a[OVS_KEY_ATTR_CT_STATE]); 1203 1204 if (ct_state & ~CT_SUPPORTED_MASK) { 1205 OVS_NLERR(log, "ct_state flags %08x unsupported", 1206 ct_state); 1207 return -EINVAL; 1208 } 1209 1210 SW_FLOW_KEY_PUT(match, ct_state, ct_state, is_mask); 1211 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_STATE); 1212 } 1213 if (*attrs & (1 << OVS_KEY_ATTR_CT_ZONE) && 1214 ovs_ct_verify(net, OVS_KEY_ATTR_CT_ZONE)) { 1215 u16 ct_zone = nla_get_u16(a[OVS_KEY_ATTR_CT_ZONE]); 1216 1217 SW_FLOW_KEY_PUT(match, ct_zone, ct_zone, is_mask); 1218 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_ZONE); 1219 } 1220 if (*attrs & (1 << OVS_KEY_ATTR_CT_MARK) && 1221 ovs_ct_verify(net, OVS_KEY_ATTR_CT_MARK)) { 1222 u32 mark = nla_get_u32(a[OVS_KEY_ATTR_CT_MARK]); 1223 1224 SW_FLOW_KEY_PUT(match, ct.mark, mark, is_mask); 1225 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_MARK); 1226 } 1227 if (*attrs & (1 << OVS_KEY_ATTR_CT_LABELS) && 1228 ovs_ct_verify(net, OVS_KEY_ATTR_CT_LABELS)) { 1229 const struct ovs_key_ct_labels *cl; 1230 1231 cl = nla_data(a[OVS_KEY_ATTR_CT_LABELS]); 1232 SW_FLOW_KEY_MEMCPY(match, 
ct.labels, cl->ct_labels, 1233 sizeof(*cl), is_mask); 1234 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_LABELS); 1235 } 1236 if (*attrs & (1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4)) { 1237 const struct ovs_key_ct_tuple_ipv4 *ct; 1238 1239 ct = nla_data(a[OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4]); 1240 1241 SW_FLOW_KEY_PUT(match, ipv4.ct_orig.src, ct->ipv4_src, is_mask); 1242 SW_FLOW_KEY_PUT(match, ipv4.ct_orig.dst, ct->ipv4_dst, is_mask); 1243 SW_FLOW_KEY_PUT(match, ct.orig_tp.src, ct->src_port, is_mask); 1244 SW_FLOW_KEY_PUT(match, ct.orig_tp.dst, ct->dst_port, is_mask); 1245 SW_FLOW_KEY_PUT(match, ct_orig_proto, ct->ipv4_proto, is_mask); 1246 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4); 1247 } 1248 if (*attrs & (1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6)) { 1249 const struct ovs_key_ct_tuple_ipv6 *ct; 1250 1251 ct = nla_data(a[OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6]); 1252 1253 SW_FLOW_KEY_MEMCPY(match, ipv6.ct_orig.src, &ct->ipv6_src, 1254 sizeof(match->key->ipv6.ct_orig.src), 1255 is_mask); 1256 SW_FLOW_KEY_MEMCPY(match, ipv6.ct_orig.dst, &ct->ipv6_dst, 1257 sizeof(match->key->ipv6.ct_orig.dst), 1258 is_mask); 1259 SW_FLOW_KEY_PUT(match, ct.orig_tp.src, ct->src_port, is_mask); 1260 SW_FLOW_KEY_PUT(match, ct.orig_tp.dst, ct->dst_port, is_mask); 1261 SW_FLOW_KEY_PUT(match, ct_orig_proto, ct->ipv6_proto, is_mask); 1262 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6); 1263 } 1264 1265 /* For layer 3 packets the Ethernet type is provided 1266 * and treated as metadata but no MAC addresses are provided. 1267 */ 1268 if (!(*attrs & (1ULL << OVS_KEY_ATTR_ETHERNET)) && 1269 (*attrs & (1ULL << OVS_KEY_ATTR_ETHERTYPE))) 1270 mac_proto = MAC_PROTO_NONE; 1271 1272 /* Always exact match mac_proto */ 1273 SW_FLOW_KEY_PUT(match, mac_proto, is_mask ? 
0xff : mac_proto, is_mask); 1274 1275 if (mac_proto == MAC_PROTO_NONE) 1276 return parse_eth_type_from_nlattrs(match, attrs, a, is_mask, 1277 log); 1278 1279 return 0; 1280 } 1281 1282 int nsh_hdr_from_nlattr(const struct nlattr *attr, 1283 struct nshhdr *nh, size_t size) 1284 { 1285 struct nlattr *a; 1286 int rem; 1287 u8 flags = 0; 1288 u8 ttl = 0; 1289 int mdlen = 0; 1290 1291 /* validate_nsh has check this, so we needn't do duplicate check here 1292 */ 1293 if (size < NSH_BASE_HDR_LEN) 1294 return -ENOBUFS; 1295 1296 nla_for_each_nested(a, attr, rem) { 1297 int type = nla_type(a); 1298 1299 switch (type) { 1300 case OVS_NSH_KEY_ATTR_BASE: { 1301 const struct ovs_nsh_key_base *base = nla_data(a); 1302 1303 flags = base->flags; 1304 ttl = base->ttl; 1305 nh->np = base->np; 1306 nh->mdtype = base->mdtype; 1307 nh->path_hdr = base->path_hdr; 1308 break; 1309 } 1310 case OVS_NSH_KEY_ATTR_MD1: 1311 mdlen = nla_len(a); 1312 if (mdlen > size - NSH_BASE_HDR_LEN) 1313 return -ENOBUFS; 1314 memcpy(&nh->md1, nla_data(a), mdlen); 1315 break; 1316 1317 case OVS_NSH_KEY_ATTR_MD2: 1318 mdlen = nla_len(a); 1319 if (mdlen > size - NSH_BASE_HDR_LEN) 1320 return -ENOBUFS; 1321 memcpy(&nh->md2, nla_data(a), mdlen); 1322 break; 1323 1324 default: 1325 return -EINVAL; 1326 } 1327 } 1328 1329 /* nsh header length = NSH_BASE_HDR_LEN + mdlen */ 1330 nh->ver_flags_ttl_len = 0; 1331 nsh_set_flags_ttl_len(nh, flags, ttl, NSH_BASE_HDR_LEN + mdlen); 1332 1333 return 0; 1334 } 1335 1336 int nsh_key_from_nlattr(const struct nlattr *attr, 1337 struct ovs_key_nsh *nsh, struct ovs_key_nsh *nsh_mask) 1338 { 1339 struct nlattr *a; 1340 int rem; 1341 1342 /* validate_nsh has check this, so we needn't do duplicate check here 1343 */ 1344 nla_for_each_nested(a, attr, rem) { 1345 int type = nla_type(a); 1346 1347 switch (type) { 1348 case OVS_NSH_KEY_ATTR_BASE: { 1349 const struct ovs_nsh_key_base *base = nla_data(a); 1350 const struct ovs_nsh_key_base *base_mask = base + 1; 1351 1352 nsh->base = 
*base; 1353 nsh_mask->base = *base_mask; 1354 break; 1355 } 1356 case OVS_NSH_KEY_ATTR_MD1: { 1357 const struct ovs_nsh_key_md1 *md1 = nla_data(a); 1358 const struct ovs_nsh_key_md1 *md1_mask = md1 + 1; 1359 1360 memcpy(nsh->context, md1->context, sizeof(*md1)); 1361 memcpy(nsh_mask->context, md1_mask->context, 1362 sizeof(*md1_mask)); 1363 break; 1364 } 1365 case OVS_NSH_KEY_ATTR_MD2: 1366 /* Not supported yet */ 1367 return -ENOTSUPP; 1368 default: 1369 return -EINVAL; 1370 } 1371 } 1372 1373 return 0; 1374 } 1375 1376 static int nsh_key_put_from_nlattr(const struct nlattr *attr, 1377 struct sw_flow_match *match, bool is_mask, 1378 bool is_push_nsh, bool log) 1379 { 1380 struct nlattr *a; 1381 int rem; 1382 bool has_base = false; 1383 bool has_md1 = false; 1384 bool has_md2 = false; 1385 u8 mdtype = 0; 1386 int mdlen = 0; 1387 1388 if (WARN_ON(is_push_nsh && is_mask)) 1389 return -EINVAL; 1390 1391 nla_for_each_nested(a, attr, rem) { 1392 int type = nla_type(a); 1393 int i; 1394 1395 if (type > OVS_NSH_KEY_ATTR_MAX) { 1396 OVS_NLERR(log, "nsh attr %d is out of range max %d", 1397 type, OVS_NSH_KEY_ATTR_MAX); 1398 return -EINVAL; 1399 } 1400 1401 if (!check_attr_len(nla_len(a), 1402 ovs_nsh_key_attr_lens[type].len)) { 1403 OVS_NLERR( 1404 log, 1405 "nsh attr %d has unexpected len %d expected %d", 1406 type, 1407 nla_len(a), 1408 ovs_nsh_key_attr_lens[type].len 1409 ); 1410 return -EINVAL; 1411 } 1412 1413 switch (type) { 1414 case OVS_NSH_KEY_ATTR_BASE: { 1415 const struct ovs_nsh_key_base *base = nla_data(a); 1416 1417 has_base = true; 1418 mdtype = base->mdtype; 1419 SW_FLOW_KEY_PUT(match, nsh.base.flags, 1420 base->flags, is_mask); 1421 SW_FLOW_KEY_PUT(match, nsh.base.ttl, 1422 base->ttl, is_mask); 1423 SW_FLOW_KEY_PUT(match, nsh.base.mdtype, 1424 base->mdtype, is_mask); 1425 SW_FLOW_KEY_PUT(match, nsh.base.np, 1426 base->np, is_mask); 1427 SW_FLOW_KEY_PUT(match, nsh.base.path_hdr, 1428 base->path_hdr, is_mask); 1429 break; 1430 } 1431 case 
OVS_NSH_KEY_ATTR_MD1: { 1432 const struct ovs_nsh_key_md1 *md1 = nla_data(a); 1433 1434 has_md1 = true; 1435 for (i = 0; i < NSH_MD1_CONTEXT_SIZE; i++) 1436 SW_FLOW_KEY_PUT(match, nsh.context[i], 1437 md1->context[i], is_mask); 1438 break; 1439 } 1440 case OVS_NSH_KEY_ATTR_MD2: 1441 if (!is_push_nsh) /* Not supported MD type 2 yet */ 1442 return -ENOTSUPP; 1443 1444 has_md2 = true; 1445 mdlen = nla_len(a); 1446 if (mdlen > NSH_CTX_HDRS_MAX_LEN || mdlen <= 0) { 1447 OVS_NLERR( 1448 log, 1449 "Invalid MD length %d for MD type %d", 1450 mdlen, 1451 mdtype 1452 ); 1453 return -EINVAL; 1454 } 1455 break; 1456 default: 1457 OVS_NLERR(log, "Unknown nsh attribute %d", 1458 type); 1459 return -EINVAL; 1460 } 1461 } 1462 1463 if (rem > 0) { 1464 OVS_NLERR(log, "nsh attribute has %d unknown bytes.", rem); 1465 return -EINVAL; 1466 } 1467 1468 if (has_md1 && has_md2) { 1469 OVS_NLERR( 1470 1, 1471 "invalid nsh attribute: md1 and md2 are exclusive." 1472 ); 1473 return -EINVAL; 1474 } 1475 1476 if (!is_mask) { 1477 if ((has_md1 && mdtype != NSH_M_TYPE1) || 1478 (has_md2 && mdtype != NSH_M_TYPE2)) { 1479 OVS_NLERR(1, "nsh attribute has unmatched MD type %d.", 1480 mdtype); 1481 return -EINVAL; 1482 } 1483 1484 if (is_push_nsh && 1485 (!has_base || (!has_md1 && !has_md2))) { 1486 OVS_NLERR( 1487 1, 1488 "push_nsh: missing base or metadata attributes" 1489 ); 1490 return -EINVAL; 1491 } 1492 } 1493 1494 return 0; 1495 } 1496 1497 static int ovs_key_from_nlattrs(struct net *net, struct sw_flow_match *match, 1498 u64 attrs, const struct nlattr **a, 1499 bool is_mask, bool log) 1500 { 1501 int err; 1502 1503 err = metadata_from_nlattrs(net, match, &attrs, a, is_mask, log); 1504 if (err) 1505 return err; 1506 1507 if (attrs & (1 << OVS_KEY_ATTR_ETHERNET)) { 1508 const struct ovs_key_ethernet *eth_key; 1509 1510 eth_key = nla_data(a[OVS_KEY_ATTR_ETHERNET]); 1511 SW_FLOW_KEY_MEMCPY(match, eth.src, 1512 eth_key->eth_src, ETH_ALEN, is_mask); 1513 SW_FLOW_KEY_MEMCPY(match, eth.dst, 1514 
eth_key->eth_dst, ETH_ALEN, is_mask); 1515 attrs &= ~(1 << OVS_KEY_ATTR_ETHERNET); 1516 1517 if (attrs & (1 << OVS_KEY_ATTR_VLAN)) { 1518 /* VLAN attribute is always parsed before getting here since it 1519 * may occur multiple times. 1520 */ 1521 OVS_NLERR(log, "VLAN attribute unexpected."); 1522 return -EINVAL; 1523 } 1524 1525 if (attrs & (1 << OVS_KEY_ATTR_ETHERTYPE)) { 1526 err = parse_eth_type_from_nlattrs(match, &attrs, a, is_mask, 1527 log); 1528 if (err) 1529 return err; 1530 } else if (!is_mask) { 1531 SW_FLOW_KEY_PUT(match, eth.type, htons(ETH_P_802_2), is_mask); 1532 } 1533 } else if (!match->key->eth.type) { 1534 OVS_NLERR(log, "Either Ethernet header or EtherType is required."); 1535 return -EINVAL; 1536 } 1537 1538 if (attrs & (1 << OVS_KEY_ATTR_IPV4)) { 1539 const struct ovs_key_ipv4 *ipv4_key; 1540 1541 ipv4_key = nla_data(a[OVS_KEY_ATTR_IPV4]); 1542 if (!is_mask && ipv4_key->ipv4_frag > OVS_FRAG_TYPE_MAX) { 1543 OVS_NLERR(log, "IPv4 frag type %d is out of range max %d", 1544 ipv4_key->ipv4_frag, OVS_FRAG_TYPE_MAX); 1545 return -EINVAL; 1546 } 1547 SW_FLOW_KEY_PUT(match, ip.proto, 1548 ipv4_key->ipv4_proto, is_mask); 1549 SW_FLOW_KEY_PUT(match, ip.tos, 1550 ipv4_key->ipv4_tos, is_mask); 1551 SW_FLOW_KEY_PUT(match, ip.ttl, 1552 ipv4_key->ipv4_ttl, is_mask); 1553 SW_FLOW_KEY_PUT(match, ip.frag, 1554 ipv4_key->ipv4_frag, is_mask); 1555 SW_FLOW_KEY_PUT(match, ipv4.addr.src, 1556 ipv4_key->ipv4_src, is_mask); 1557 SW_FLOW_KEY_PUT(match, ipv4.addr.dst, 1558 ipv4_key->ipv4_dst, is_mask); 1559 attrs &= ~(1 << OVS_KEY_ATTR_IPV4); 1560 } 1561 1562 if (attrs & (1 << OVS_KEY_ATTR_IPV6)) { 1563 const struct ovs_key_ipv6 *ipv6_key; 1564 1565 ipv6_key = nla_data(a[OVS_KEY_ATTR_IPV6]); 1566 if (!is_mask && ipv6_key->ipv6_frag > OVS_FRAG_TYPE_MAX) { 1567 OVS_NLERR(log, "IPv6 frag type %d is out of range max %d", 1568 ipv6_key->ipv6_frag, OVS_FRAG_TYPE_MAX); 1569 return -EINVAL; 1570 } 1571 1572 if (!is_mask && ipv6_key->ipv6_label & htonl(0xFFF00000)) { 1573 
OVS_NLERR(log, "IPv6 flow label %x is out of range (max=%x)", 1574 ntohl(ipv6_key->ipv6_label), (1 << 20) - 1); 1575 return -EINVAL; 1576 } 1577 1578 SW_FLOW_KEY_PUT(match, ipv6.label, 1579 ipv6_key->ipv6_label, is_mask); 1580 SW_FLOW_KEY_PUT(match, ip.proto, 1581 ipv6_key->ipv6_proto, is_mask); 1582 SW_FLOW_KEY_PUT(match, ip.tos, 1583 ipv6_key->ipv6_tclass, is_mask); 1584 SW_FLOW_KEY_PUT(match, ip.ttl, 1585 ipv6_key->ipv6_hlimit, is_mask); 1586 SW_FLOW_KEY_PUT(match, ip.frag, 1587 ipv6_key->ipv6_frag, is_mask); 1588 SW_FLOW_KEY_MEMCPY(match, ipv6.addr.src, 1589 ipv6_key->ipv6_src, 1590 sizeof(match->key->ipv6.addr.src), 1591 is_mask); 1592 SW_FLOW_KEY_MEMCPY(match, ipv6.addr.dst, 1593 ipv6_key->ipv6_dst, 1594 sizeof(match->key->ipv6.addr.dst), 1595 is_mask); 1596 1597 attrs &= ~(1 << OVS_KEY_ATTR_IPV6); 1598 } 1599 1600 if (attrs & (1 << OVS_KEY_ATTR_ARP)) { 1601 const struct ovs_key_arp *arp_key; 1602 1603 arp_key = nla_data(a[OVS_KEY_ATTR_ARP]); 1604 if (!is_mask && (arp_key->arp_op & htons(0xff00))) { 1605 OVS_NLERR(log, "Unknown ARP opcode (opcode=%d).", 1606 arp_key->arp_op); 1607 return -EINVAL; 1608 } 1609 1610 SW_FLOW_KEY_PUT(match, ipv4.addr.src, 1611 arp_key->arp_sip, is_mask); 1612 SW_FLOW_KEY_PUT(match, ipv4.addr.dst, 1613 arp_key->arp_tip, is_mask); 1614 SW_FLOW_KEY_PUT(match, ip.proto, 1615 ntohs(arp_key->arp_op), is_mask); 1616 SW_FLOW_KEY_MEMCPY(match, ipv4.arp.sha, 1617 arp_key->arp_sha, ETH_ALEN, is_mask); 1618 SW_FLOW_KEY_MEMCPY(match, ipv4.arp.tha, 1619 arp_key->arp_tha, ETH_ALEN, is_mask); 1620 1621 attrs &= ~(1 << OVS_KEY_ATTR_ARP); 1622 } 1623 1624 if (attrs & (1 << OVS_KEY_ATTR_NSH)) { 1625 if (nsh_key_put_from_nlattr(a[OVS_KEY_ATTR_NSH], match, 1626 is_mask, false, log) < 0) 1627 return -EINVAL; 1628 attrs &= ~(1 << OVS_KEY_ATTR_NSH); 1629 } 1630 1631 if (attrs & (1 << OVS_KEY_ATTR_MPLS)) { 1632 const struct ovs_key_mpls *mpls_key; 1633 u32 hdr_len; 1634 u32 label_count, label_count_mask, i; 1635 1636 mpls_key = 
nla_data(a[OVS_KEY_ATTR_MPLS]); 1637 hdr_len = nla_len(a[OVS_KEY_ATTR_MPLS]); 1638 label_count = hdr_len / sizeof(struct ovs_key_mpls); 1639 1640 if (label_count == 0 || label_count > MPLS_LABEL_DEPTH || 1641 hdr_len % sizeof(struct ovs_key_mpls)) 1642 return -EINVAL; 1643 1644 label_count_mask = GENMASK(label_count - 1, 0); 1645 1646 for (i = 0 ; i < label_count; i++) 1647 SW_FLOW_KEY_PUT(match, mpls.lse[i], 1648 mpls_key[i].mpls_lse, is_mask); 1649 1650 SW_FLOW_KEY_PUT(match, mpls.num_labels_mask, 1651 label_count_mask, is_mask); 1652 1653 attrs &= ~(1 << OVS_KEY_ATTR_MPLS); 1654 } 1655 1656 if (attrs & (1 << OVS_KEY_ATTR_TCP)) { 1657 const struct ovs_key_tcp *tcp_key; 1658 1659 tcp_key = nla_data(a[OVS_KEY_ATTR_TCP]); 1660 SW_FLOW_KEY_PUT(match, tp.src, tcp_key->tcp_src, is_mask); 1661 SW_FLOW_KEY_PUT(match, tp.dst, tcp_key->tcp_dst, is_mask); 1662 attrs &= ~(1 << OVS_KEY_ATTR_TCP); 1663 } 1664 1665 if (attrs & (1 << OVS_KEY_ATTR_TCP_FLAGS)) { 1666 SW_FLOW_KEY_PUT(match, tp.flags, 1667 nla_get_be16(a[OVS_KEY_ATTR_TCP_FLAGS]), 1668 is_mask); 1669 attrs &= ~(1 << OVS_KEY_ATTR_TCP_FLAGS); 1670 } 1671 1672 if (attrs & (1 << OVS_KEY_ATTR_UDP)) { 1673 const struct ovs_key_udp *udp_key; 1674 1675 udp_key = nla_data(a[OVS_KEY_ATTR_UDP]); 1676 SW_FLOW_KEY_PUT(match, tp.src, udp_key->udp_src, is_mask); 1677 SW_FLOW_KEY_PUT(match, tp.dst, udp_key->udp_dst, is_mask); 1678 attrs &= ~(1 << OVS_KEY_ATTR_UDP); 1679 } 1680 1681 if (attrs & (1 << OVS_KEY_ATTR_SCTP)) { 1682 const struct ovs_key_sctp *sctp_key; 1683 1684 sctp_key = nla_data(a[OVS_KEY_ATTR_SCTP]); 1685 SW_FLOW_KEY_PUT(match, tp.src, sctp_key->sctp_src, is_mask); 1686 SW_FLOW_KEY_PUT(match, tp.dst, sctp_key->sctp_dst, is_mask); 1687 attrs &= ~(1 << OVS_KEY_ATTR_SCTP); 1688 } 1689 1690 if (attrs & (1 << OVS_KEY_ATTR_ICMP)) { 1691 const struct ovs_key_icmp *icmp_key; 1692 1693 icmp_key = nla_data(a[OVS_KEY_ATTR_ICMP]); 1694 SW_FLOW_KEY_PUT(match, tp.src, 1695 htons(icmp_key->icmp_type), is_mask); 1696 
SW_FLOW_KEY_PUT(match, tp.dst, 1697 htons(icmp_key->icmp_code), is_mask); 1698 attrs &= ~(1 << OVS_KEY_ATTR_ICMP); 1699 } 1700 1701 if (attrs & (1 << OVS_KEY_ATTR_ICMPV6)) { 1702 const struct ovs_key_icmpv6 *icmpv6_key; 1703 1704 icmpv6_key = nla_data(a[OVS_KEY_ATTR_ICMPV6]); 1705 SW_FLOW_KEY_PUT(match, tp.src, 1706 htons(icmpv6_key->icmpv6_type), is_mask); 1707 SW_FLOW_KEY_PUT(match, tp.dst, 1708 htons(icmpv6_key->icmpv6_code), is_mask); 1709 attrs &= ~(1 << OVS_KEY_ATTR_ICMPV6); 1710 } 1711 1712 if (attrs & (1 << OVS_KEY_ATTR_ND)) { 1713 const struct ovs_key_nd *nd_key; 1714 1715 nd_key = nla_data(a[OVS_KEY_ATTR_ND]); 1716 SW_FLOW_KEY_MEMCPY(match, ipv6.nd.target, 1717 nd_key->nd_target, 1718 sizeof(match->key->ipv6.nd.target), 1719 is_mask); 1720 SW_FLOW_KEY_MEMCPY(match, ipv6.nd.sll, 1721 nd_key->nd_sll, ETH_ALEN, is_mask); 1722 SW_FLOW_KEY_MEMCPY(match, ipv6.nd.tll, 1723 nd_key->nd_tll, ETH_ALEN, is_mask); 1724 attrs &= ~(1 << OVS_KEY_ATTR_ND); 1725 } 1726 1727 if (attrs != 0) { 1728 OVS_NLERR(log, "Unknown key attributes %llx", 1729 (unsigned long long)attrs); 1730 return -EINVAL; 1731 } 1732 1733 return 0; 1734 } 1735 1736 static void nlattr_set(struct nlattr *attr, u8 val, 1737 const struct ovs_len_tbl *tbl) 1738 { 1739 struct nlattr *nla; 1740 int rem; 1741 1742 /* The nlattr stream should already have been validated */ 1743 nla_for_each_nested(nla, attr, rem) { 1744 if (tbl[nla_type(nla)].len == OVS_ATTR_NESTED) 1745 nlattr_set(nla, val, tbl[nla_type(nla)].next ? : tbl); 1746 else 1747 memset(nla_data(nla), val, nla_len(nla)); 1748 1749 if (nla_type(nla) == OVS_KEY_ATTR_CT_STATE) 1750 *(u32 *)nla_data(nla) &= CT_SUPPORTED_MASK; 1751 } 1752 } 1753 1754 static void mask_set_nlattr(struct nlattr *attr, u8 val) 1755 { 1756 nlattr_set(attr, val, ovs_key_lens); 1757 } 1758 1759 /** 1760 * ovs_nla_get_match - parses Netlink attributes into a flow key and 1761 * mask. In case the 'mask' is NULL, the flow is treated as exact match 1762 * flow. 
Otherwise, it is treated as a wildcarded flow, except the mask
 * does not include any don't care bit.
 * @net: Used to determine per-namespace field support.
 * @match: receives the extracted flow match information.
 * @nla_key: Netlink attribute holding nested %OVS_KEY_ATTR_* Netlink attribute
 * sequence. The fields should be those of the packet that triggered the
 * creation of this flow.
 * @nla_mask: Optional. Netlink attribute holding nested %OVS_KEY_ATTR_*
 * Netlink attribute specifies the mask field of the wildcarded flow.
 * @log: Boolean to allow kernel error logging.  Normally true, but when
 * probing for feature compatibility this should be passed in as false to
 * suppress unnecessary error logging.
 *
 * Return: 0 on success or a negative errno: -ENOMEM if the exact-match mask
 * copy cannot be allocated, -EINVAL if match_validate() rejects the result,
 * otherwise the error reported by one of the attribute parsing helpers.
 */
int ovs_nla_get_match(struct net *net, struct sw_flow_match *match,
		      const struct nlattr *nla_key,
		      const struct nlattr *nla_mask,
		      bool log)
{
	const struct nlattr *tb[OVS_KEY_ATTR_MAX + 1];
	struct nlattr *exact_mask = NULL;
	u64 mask_attrs = 0;
	u64 key_attrs = 0;
	int err;

	/* Key side: attribute table, then VLAN/ENCAP nesting, then the
	 * remaining fields.  Nothing has been allocated yet, so failures
	 * return directly.
	 */
	err = parse_flow_nlattrs(nla_key, tb, &key_attrs, log);
	if (err)
		return err;

	err = parse_vlan_from_nlattrs(match, &key_attrs, tb, false, log);
	if (err)
		return err;

	err = ovs_key_from_nlattrs(net, match, key_attrs, tb, false, log);
	if (err)
		return err;

	/* 'match->mask' is NULL: there is no mask to fill in. */
	if (!match->mask)
		goto validate;

	if (!nla_mask) {
		/* No mask attribute was supplied, so build an exact-match
		 * one.  'match->mask' cannot simply be memset, because
		 * padding bytes and fields not specified in 'match->key'
		 * must stay 0.  Instead the key attribute stream is
		 * duplicated, every payload byte is set to 0xff, and the
		 * regular mask parsing below fills 'match->mask'.
		 *
		 * The copy is taken only after parse_flow_nlattrs() has
		 * accepted 'nla_key'; mask_set_nlattr() walks it as a nested
		 * attribute stream.
		 */
		exact_mask = kmemdup(nla_key,
				     nla_total_size(nla_len(nla_key)),
				     GFP_KERNEL);
		if (!exact_mask)
			return -ENOMEM;

		mask_set_nlattr(exact_mask, 0xff);

		/* The userspace does not send tunnel attributes that
		 * are 0, but we should not wildcard them nonetheless.
		 */
		if (match->key->tun_proto) {
			SW_FLOW_KEY_MEMSET_FIELD(match, tun_key,
						 0xff, true);
		}

		nla_mask = exact_mask;
	}

	/* Mask side: 'tb' is reused, so after this call it describes the
	 * mask attributes rather than the key attributes.
	 */
	err = parse_flow_mask_nlattrs(nla_mask, tb, &mask_attrs, log);
	if (err)
		goto out_free;

	/* Always match on tci. */
	SW_FLOW_KEY_PUT(match, eth.vlan.tci, htons(0xffff), true);
	SW_FLOW_KEY_PUT(match, eth.cvlan.tci, htons(0xffff), true);

	err = parse_vlan_from_nlattrs(match, &mask_attrs, tb, true, log);
	if (err)
		goto out_free;

	err = ovs_key_from_nlattrs(net, match, mask_attrs, tb, true, log);
	if (err)
		goto out_free;

validate:
	/* err is 0 here; it only changes if the final check fails. */
	if (!match_validate(match, key_attrs, mask_attrs, log))
		err = -EINVAL;

out_free:
	/* kfree(NULL) is a no-op, so this also covers a caller-provided mask. */
	kfree(exact_mask);
	return err;
}

/* Returns the payload length of a UFID attribute, or 0 when 'attr' is NULL
 * or its length is outside 1..MAX_UFID_LENGTH.
 */
static size_t get_ufid_len(const struct nlattr *attr, bool log)
{
	size_t ufid_len;

	if (!attr)
		return 0;

	/* nla_len() returns a signed int; stored in a size_t, a negative
	 * length becomes a very large value and is rejected by the upper
	 * bound below.
	 */
	ufid_len = nla_len(attr);
	if (ufid_len >= 1 && ufid_len <= MAX_UFID_LENGTH)
		return ufid_len;

	OVS_NLERR(log, "ufid size %u bytes exceeds the range (1, %d)",
		  nla_len(attr), MAX_UFID_LENGTH);
	return 0;
}

/* Initializes 'flow->ufid', returning true if 'attr' contains a valid UFID,
 * or false otherwise.
*/
bool ovs_nla_get_ufid(struct sw_flow_id *sfid, const struct nlattr *attr,
		      bool log)
{
	/* get_ufid_len() yields 0 for a missing or out-of-range attribute,
	 * so the copy below never exceeds MAX_UFID_LENGTH bytes.
	 * NOTE(review): sfid->ufid is presumably at least MAX_UFID_LENGTH
	 * bytes; confirm against the struct sw_flow_id definition.
	 */
	sfid->ufid_len = get_ufid_len(attr, log);
	if (!sfid->ufid_len)
		return false;

	memcpy(sfid->ufid, nla_data(attr), sfid->ufid_len);
	return true;
}

/* Fills 'sfid' from the UFID attribute when one is present and valid;
 * otherwise stores a heap copy of the unmasked 'key' in sfid->unmasked_key.
 * Returns 0 on success or -ENOMEM if the copy cannot be allocated.
 */
int ovs_nla_get_identifier(struct sw_flow_id *sfid, const struct nlattr *ufid,
			   const struct sw_flow_key *key, bool log)
{
	struct sw_flow_key *key_copy;

	if (ovs_nla_get_ufid(sfid, ufid, log))
		return 0;

	/* If UFID was not provided, use unmasked key. */
	key_copy = kmemdup(key, sizeof(*key), GFP_KERNEL);
	if (!key_copy)
		return -ENOMEM;

	/* The allocation is handed to 'sfid'; the code that frees it is not
	 * in this part of the file.
	 */
	sfid->unmasked_key = key_copy;
	return 0;
}

/* Returns the u32 payload of the UFID flags attribute, or 0 when absent. */
u32 ovs_nla_get_ufid_flags(const struct nlattr *attr)
{
	if (!attr)
		return 0;

	return nla_get_u32(attr);
}

/**
 * ovs_nla_get_flow_metadata - parses Netlink attributes into a flow key.
 * @net: Network namespace.
 * @key: Receives extracted in_port, priority, tun_key, skb_mark and conntrack
 * metadata.
 * @a: Array of netlink attributes holding parsed %OVS_KEY_ATTR_* Netlink
 * attributes.
 * @attrs: Bit mask for the netlink attributes included in @a.
 * @log: Boolean to allow kernel error logging.  Normally true, but when
 * probing for feature compatibility this should be passed in as false to
 * suppress unnecessary error logging.
 *
 * This parses a series of Netlink attributes that form a flow key, which must
 * take the same form accepted by flow_from_nlattrs(), but only enough of it to
 * get the metadata, that is, the parts of the flow key that cannot be
 * extracted from the packet itself.
 *
 * This must be called before the packet key fields are filled in 'key'.
*/
int ovs_nla_get_flow_metadata(struct net *net,
			      const struct nlattr *a[OVS_KEY_ATTR_MAX + 1],
			      u64 attrs, struct sw_flow_key *key, bool log)
{
	struct sw_flow_match match;

	/* Only a key is attached: match.mask stays NULL after the memset. */
	memset(&match, 0, sizeof(match));
	match.key = key;

	/* Clear the conntrack fields of 'key' before the attributes are parsed. */
	key->ct_state = 0;
	key->ct_zone = 0;
	key->ct_orig_proto = 0;
	memset(&key->ct, 0, sizeof(key->ct));
	memset(&key->ipv4.ct_orig, 0, sizeof(key->ipv4.ct_orig));
	memset(&key->ipv6.ct_orig, 0, sizeof(key->ipv6.ct_orig));

	/* DP_MAX_PORTS is the value __ovs_nla_put_key() treats as
	 * "omit OVS_KEY_ATTR_IN_PORT" for a non-mask key.
	 */
	key->phy.in_port = DP_MAX_PORTS;

	/* The 'false' argument is presumably is_mask - confirm against
	 * metadata_from_nlattrs().
	 */
	return metadata_from_nlattrs(net, &match, &attrs, a, false, log);
}

/* Emit the two attributes describing one VLAN header: OVS_KEY_ATTR_ETHERTYPE
 * (the TPID for a key, 0xffff for a mask) followed by OVS_KEY_ATTR_VLAN (TCI).
 *
 * Returns 0 on success or -EMSGSIZE when either nla_put_be16() fails.
 */
static int ovs_nla_put_vlan(struct sk_buff *skb, const struct vlan_head *vh,
			    bool is_mask)
{
	__be16 eth_type = !is_mask ? vh->tpid : htons(0xffff);

	if (nla_put_be16(skb, OVS_KEY_ATTR_ETHERTYPE, eth_type) ||
	    nla_put_be16(skb, OVS_KEY_ATTR_VLAN, vh->tci))
		return -EMSGSIZE;
	return 0;
}

/* Serialise an NSH key (or mask) as a nested OVS_KEY_ATTR_NSH attribute.
 *
 * OVS_NSH_KEY_ATTR_BASE is always written; OVS_NSH_KEY_ATTR_MD1 is written for
 * masks and for keys whose mdtype is NSH_M_TYPE1.
 *
 * Returns 0 on success or -EMSGSIZE.  On the failure paths the nest opened
 * here is neither ended nor cancelled; presumably the caller discards the
 * partially built message - confirm.
 */
static int nsh_key_to_nlattr(const struct ovs_key_nsh *nsh, bool is_mask,
			     struct sk_buff *skb)
{
	struct nlattr *start;

	start = nla_nest_start_noflag(skb, OVS_KEY_ATTR_NSH);
	if (!start)
		return -EMSGSIZE;

	if (nla_put(skb, OVS_NSH_KEY_ATTR_BASE, sizeof(nsh->base), &nsh->base))
		goto nla_put_failure;

	if (is_mask || nsh->base.mdtype == NSH_M_TYPE1) {
		if (nla_put(skb, OVS_NSH_KEY_ATTR_MD1,
			    sizeof(nsh->context), nsh->context))
			goto nla_put_failure;
	}

	/* Don't support MD type 2 yet */

	nla_nest_end(skb, start);

	return 0;

nla_put_failure:
	return -EMSGSIZE;
}

/* Serialise a flow key or mask into 'skb' as a flat run of OVS_KEY_ATTR_*
 * attributes (the caller provides the enclosing nest).
 *
 * 'swkey' decides WHICH attributes are emitted (every protocol test below
 * reads swkey); 'output' supplies the VALUES.  For a plain key the callers in
 * this file pass the same pointer twice; for a mask, swkey is the flow key and
 * output is the mask's key.
 *
 * Returns 0 on success or -EMSGSIZE when the skb runs out of room.
 *
 * NOTE(review): payloads obtained with nla_reserve() are filled field by field
 * and only the ARP payload is memset first.  Any byte of those payloads that
 * is not written would reach the message reader as stale skb memory - confirm
 * the uapi structs used here have no padding.
 */
static int __ovs_nla_put_key(const struct sw_flow_key *swkey,
			     const struct sw_flow_key *output, bool is_mask,
			     struct sk_buff *skb)
{
	struct ovs_key_ethernet *eth_key;
	struct nlattr *nla;
	struct nlattr *encap = NULL;
	struct nlattr *in_encap = NULL;

	if (nla_put_u32(skb, OVS_KEY_ATTR_RECIRC_ID, output->recirc_id))
		goto nla_put_failure;

	if (nla_put_u32(skb, OVS_KEY_ATTR_DP_HASH, output->ovs_flow_hash))
		goto nla_put_failure;

	if (nla_put_u32(skb, OVS_KEY_ATTR_PRIORITY, output->phy.priority))
		goto nla_put_failure;

	/* Tunnel metadata: always emitted for masks, otherwise only when the
	 * key carries a tunnel protocol.
	 */
	if ((swkey->tun_proto || is_mask)) {
		const void *opts = NULL;

		if (output->tun_key.tun_flags & TUNNEL_OPTIONS_PRESENT)
			opts = TUN_METADATA_OPTS(output, swkey->tun_opts_len);

		if (ip_tun_to_nlattr(skb, &output->tun_key, opts,
				     swkey->tun_opts_len, swkey->tun_proto, 0))
			goto nla_put_failure;
	}

	/* in_port is 16 bits internally but 32 bits on the wire.  With
	 * in_port == DP_MAX_PORTS the attribute is omitted, except for an
	 * all-ones mask which is widened to 0xffffffff.
	 */
	if (swkey->phy.in_port == DP_MAX_PORTS) {
		if (is_mask && (output->phy.in_port == 0xffff))
			if (nla_put_u32(skb, OVS_KEY_ATTR_IN_PORT, 0xffffffff))
				goto nla_put_failure;
	} else {
		u16 upper_u16;
		upper_u16 = !is_mask ? 0 : 0xffff;

		if (nla_put_u32(skb, OVS_KEY_ATTR_IN_PORT,
				(upper_u16 << 16) | output->phy.in_port))
			goto nla_put_failure;
	}

	if (nla_put_u32(skb, OVS_KEY_ATTR_SKB_MARK, output->phy.skb_mark))
		goto nla_put_failure;

	if (ovs_ct_put_key(swkey, output, skb))
		goto nla_put_failure;

	if (ovs_key_mac_proto(swkey) == MAC_PROTO_ETHERNET) {
		nla = nla_reserve(skb, OVS_KEY_ATTR_ETHERNET, sizeof(*eth_key));
		if (!nla)
			goto nla_put_failure;

		eth_key = nla_data(nla);
		ether_addr_copy(eth_key->eth_src, output->eth.src);
		ether_addr_copy(eth_key->eth_dst, output->eth.dst);

		if (swkey->eth.vlan.tci || eth_type_vlan(swkey->eth.type)) {
			if (ovs_nla_put_vlan(skb, &output->eth.vlan, is_mask))
				goto nla_put_failure;
			/* NOTE(review): the result of nla_nest_start_noflag()
			 * is not checked here or for in_encap below; a NULL
			 * only means the matching nla_nest_end() at 'unencap'
			 * is skipped.
			 */
			encap = nla_nest_start_noflag(skb, OVS_KEY_ATTR_ENCAP);
			if (!swkey->eth.vlan.tci)
				goto unencap;

			if (swkey->eth.cvlan.tci || eth_type_vlan(swkey->eth.type)) {
				if (ovs_nla_put_vlan(skb, &output->eth.cvlan, is_mask))
					goto nla_put_failure;
				in_encap = nla_nest_start_noflag(skb,
								 OVS_KEY_ATTR_ENCAP);
				if (!swkey->eth.cvlan.tci)
					goto unencap;
			}
		}

		if (swkey->eth.type == htons(ETH_P_802_2)) {
			/*
			 * Ethertype 802.2 is represented in the netlink with omitted
			 * OVS_KEY_ATTR_ETHERTYPE in the flow key attribute, and
			 * 0xffff in the mask attribute.  Ethertype can also
			 * be wildcarded.
			 */
			if (is_mask && output->eth.type)
				if (nla_put_be16(skb, OVS_KEY_ATTR_ETHERTYPE,
						 output->eth.type))
					goto nla_put_failure;
			goto unencap;
		}
	}

	if (nla_put_be16(skb, OVS_KEY_ATTR_ETHERTYPE, output->eth.type))
		goto nla_put_failure;

	if (eth_type_vlan(swkey->eth.type)) {
		/* There are 3 VLAN tags, we don't know anything about the rest
		 * of the packet, so truncate here.
		 */
		WARN_ON_ONCE(!(encap && in_encap));
		goto unencap;
	}

	/* L3 attribute, selected by the key's ethertype. */
	if (swkey->eth.type == htons(ETH_P_IP)) {
		struct ovs_key_ipv4 *ipv4_key;

		nla = nla_reserve(skb, OVS_KEY_ATTR_IPV4, sizeof(*ipv4_key));
		if (!nla)
			goto nla_put_failure;
		ipv4_key = nla_data(nla);
		ipv4_key->ipv4_src = output->ipv4.addr.src;
		ipv4_key->ipv4_dst = output->ipv4.addr.dst;
		ipv4_key->ipv4_proto = output->ip.proto;
		ipv4_key->ipv4_tos = output->ip.tos;
		ipv4_key->ipv4_ttl = output->ip.ttl;
		ipv4_key->ipv4_frag = output->ip.frag;
	} else if (swkey->eth.type == htons(ETH_P_IPV6)) {
		struct ovs_key_ipv6 *ipv6_key;

		nla = nla_reserve(skb, OVS_KEY_ATTR_IPV6, sizeof(*ipv6_key));
		if (!nla)
			goto nla_put_failure;
		ipv6_key = nla_data(nla);
		memcpy(ipv6_key->ipv6_src, &output->ipv6.addr.src,
				sizeof(ipv6_key->ipv6_src));
		memcpy(ipv6_key->ipv6_dst, &output->ipv6.addr.dst,
				sizeof(ipv6_key->ipv6_dst));
		ipv6_key->ipv6_label = output->ipv6.label;
		ipv6_key->ipv6_proto = output->ip.proto;
		ipv6_key->ipv6_tclass = output->ip.tos;
		ipv6_key->ipv6_hlimit = output->ip.ttl;
		ipv6_key->ipv6_frag = output->ip.frag;
	} else if (swkey->eth.type == htons(ETH_P_NSH)) {
		if (nsh_key_to_nlattr(&output->nsh, is_mask, skb))
			goto nla_put_failure;
	} else if (swkey->eth.type == htons(ETH_P_ARP) ||
		   swkey->eth.type == htons(ETH_P_RARP)) {
		struct ovs_key_arp *arp_key;

		nla = nla_reserve(skb, OVS_KEY_ATTR_ARP, sizeof(*arp_key));
		if (!nla)
			goto nla_put_failure;
		arp_key = nla_data(nla);
		/* Zero the whole payload before the individual fields are set. */
		memset(arp_key, 0, sizeof(struct ovs_key_arp));
		arp_key->arp_sip = output->ipv4.addr.src;
		arp_key->arp_tip = output->ipv4.addr.dst;
		/* The ARP opcode is read from the key's ip.proto field. */
		arp_key->arp_op = htons(output->ip.proto);
		ether_addr_copy(arp_key->arp_sha, output->ipv4.arp.sha);
		ether_addr_copy(arp_key->arp_tha, output->ipv4.arp.tha);
	} else if (eth_p_mpls(swkey->eth.type)) {
		u8 i, num_labels;
		struct ovs_key_mpls *mpls_key;

		/* One ovs_key_mpls entry per bit set in num_labels_mask. */
		num_labels = hweight_long(output->mpls.num_labels_mask);
		nla = nla_reserve(skb, OVS_KEY_ATTR_MPLS,
				  num_labels * sizeof(*mpls_key));
		if (!nla)
			goto nla_put_failure;

		mpls_key = nla_data(nla);
		for (i = 0; i < num_labels; i++)
			mpls_key[i].mpls_lse = output->mpls.lse[i];
	}

	/* L4 attribute: only for IPv4/IPv6 and never for a later fragment. */
	if ((swkey->eth.type == htons(ETH_P_IP) ||
	     swkey->eth.type == htons(ETH_P_IPV6)) &&
	     swkey->ip.frag != OVS_FRAG_TYPE_LATER) {

		if (swkey->ip.proto == IPPROTO_TCP) {
			struct ovs_key_tcp *tcp_key;

			nla = nla_reserve(skb, OVS_KEY_ATTR_TCP, sizeof(*tcp_key));
			if (!nla)
				goto nla_put_failure;
			tcp_key = nla_data(nla);
			tcp_key->tcp_src = output->tp.src;
			tcp_key->tcp_dst = output->tp.dst;
			if (nla_put_be16(skb, OVS_KEY_ATTR_TCP_FLAGS,
					 output->tp.flags))
				goto nla_put_failure;
		} else if (swkey->ip.proto == IPPROTO_UDP) {
			struct ovs_key_udp *udp_key;

			nla = nla_reserve(skb, OVS_KEY_ATTR_UDP, sizeof(*udp_key));
			if (!nla)
				goto nla_put_failure;
			udp_key = nla_data(nla);
			udp_key->udp_src = output->tp.src;
			udp_key->udp_dst = output->tp.dst;
		} else if (swkey->ip.proto == IPPROTO_SCTP) {
			struct ovs_key_sctp *sctp_key;

			nla = nla_reserve(skb, OVS_KEY_ATTR_SCTP, sizeof(*sctp_key));
			if (!nla)
				goto nla_put_failure;
			sctp_key = nla_data(nla);
			sctp_key->sctp_src = output->tp.src;
			sctp_key->sctp_dst = output->tp.dst;
		} else if (swkey->eth.type == htons(ETH_P_IP) &&
			   swkey->ip.proto == IPPROTO_ICMP) {
			struct ovs_key_icmp *icmp_key;

			nla = nla_reserve(skb, OVS_KEY_ATTR_ICMP, sizeof(*icmp_key));
			if (!nla)
				goto nla_put_failure;
			icmp_key = nla_data(nla);
			/* ICMP type and code are kept in tp.src / tp.dst in
			 * network byte order.
			 */
			icmp_key->icmp_type = ntohs(output->tp.src);
			icmp_key->icmp_code = ntohs(output->tp.dst);
		} else if (swkey->eth.type == htons(ETH_P_IPV6) &&
			   swkey->ip.proto == IPPROTO_ICMPV6) {
			struct ovs_key_icmpv6 *icmpv6_key;

			nla = nla_reserve(skb, OVS_KEY_ATTR_ICMPV6,
						sizeof(*icmpv6_key));
			if (!nla)
				goto nla_put_failure;
			icmpv6_key = nla_data(nla);
			icmpv6_key->icmpv6_type = ntohs(output->tp.src);
			icmpv6_key->icmpv6_code = ntohs(output->tp.dst);

			/* The ND attribute is chosen from the type just written
			 * from 'output', not from swkey.
			 */
			if (icmpv6_key->icmpv6_type == NDISC_NEIGHBOUR_SOLICITATION ||
			    icmpv6_key->icmpv6_type == NDISC_NEIGHBOUR_ADVERTISEMENT) {
				struct ovs_key_nd *nd_key;

				nla = nla_reserve(skb, OVS_KEY_ATTR_ND, sizeof(*nd_key));
				if (!nla)
					goto nla_put_failure;
				nd_key = nla_data(nla);
				memcpy(nd_key->nd_target, &output->ipv6.nd.target,
							sizeof(nd_key->nd_target));
				ether_addr_copy(nd_key->nd_sll, output->ipv6.nd.sll);
				ether_addr_copy(nd_key->nd_tll, output->ipv6.nd.tll);
			}
		}
	}

unencap:
	/* Close the VLAN encapsulation nests, innermost first. */
	if (in_encap)
		nla_nest_end(skb, in_encap);
	if (encap)
		nla_nest_end(skb, encap);

	return 0;

nla_put_failure:
	return -EMSGSIZE;
}

/* Wrap __ovs_nla_put_key() in a nested attribute of type 'attr'.
 *
 * Returns 0 on success, -EMSGSIZE if the nest cannot be started, or the error
 * from __ovs_nla_put_key().  In the latter case the nest is left open (no
 * nla_nest_end() or cancel); presumably the caller drops the message - confirm.
 */
int ovs_nla_put_key(const struct sw_flow_key *swkey,
		    const struct sw_flow_key *output, int attr, bool is_mask,
		    struct sk_buff *skb)
{
	int err;
	struct nlattr *nla;

	nla = nla_nest_start_noflag(skb, attr);
	if (!nla)
		return -EMSGSIZE;
	err = __ovs_nla_put_key(swkey, output, is_mask, skb);
	if (err)
		return err;
	nla_nest_end(skb, nla);

	return 0;
}

/* Called with ovs_mutex or RCU read lock.
 *
 * Emits the flow identifier: OVS_FLOW_ATTR_UFID when the flow is identified
 * by a UFID, otherwise the unmasked key as OVS_FLOW_ATTR_KEY.
 */
int ovs_nla_put_identifier(const struct sw_flow *flow, struct sk_buff *skb)
{
	if (ovs_identifier_is_ufid(&flow->id))
		return nla_put(skb, OVS_FLOW_ATTR_UFID, flow->id.ufid_len,
			       flow->id.ufid);

	return ovs_nla_put_key(flow->id.unmasked_key, flow->id.unmasked_key,
			       OVS_FLOW_ATTR_KEY, false, skb);
}

/* Called with ovs_mutex or RCU read lock.
 *
 * Emits flow->key as OVS_FLOW_ATTR_KEY.
 */
int ovs_nla_put_masked_key(const struct sw_flow *flow, struct sk_buff *skb)
{
	return ovs_nla_put_key(&flow->key, &flow->key,
				OVS_FLOW_ATTR_KEY, false, skb);
}

/* Called with ovs_mutex or RCU read lock.
*/
int ovs_nla_put_mask(const struct sw_flow *flow, struct sk_buff *skb)
{
	/* The flow key selects the attributes, the mask key supplies the values. */
	const struct sw_flow_key *mask_key = &flow->mask->key;

	return ovs_nla_put_key(&flow->key, mask_key, OVS_FLOW_ATTR_MASK,
			       true, skb);
}

#define MAX_ACTIONS_BUFSIZE	(32 * 1024)

/* Allocate an action list with room for 'size' bytes of attributes.
 *
 * Only actions_len is initialised; the action area and the remaining header
 * fields are left exactly as kmalloc() returned them.  A size above
 * MAX_ACTIONS_BUFSIZE triggers a one-time warning but is not rejected.
 *
 * Returns the new list or ERR_PTR(-ENOMEM).
 */
static struct sw_flow_actions *nla_alloc_flow_actions(int size)
{
	struct sw_flow_actions *acts;

	WARN_ON_ONCE(size > MAX_ACTIONS_BUFSIZE);

	acts = kmalloc(sizeof(*acts) + size, GFP_KERNEL);
	if (acts) {
		acts->actions_len = 0;
		return acts;
	}

	return ERR_PTR(-ENOMEM);
}

/* Drop the tunnel destination reference held by a SET action, if it has one. */
static void ovs_nla_free_set_action(const struct nlattr *a)
{
	const struct nlattr *inner = nla_data(a);
	struct ovs_tunnel_info *tun;

	if (nla_type(inner) != OVS_KEY_ATTR_TUNNEL_INFO)
		return;

	tun = nla_data(inner);
	dst_release((struct dst_entry *)tun->tun_dst);
}

/* Release the resources held by the actions in 'sf_acts', then free the list.
 * A NULL list is accepted.
 *
 * NOTE(review): only the top-level attributes are walked.  SET and CT actions
 * that sit inside a nested container (SAMPLE, CLONE, CHECK_PKT_LEN, DEC_TTL
 * are all built through __ovs_nla_copy_actions() in this file) are not
 * visited by this loop - confirm their references are released elsewhere,
 * otherwise they leak when the flow is freed.
 */
void ovs_nla_free_flow_actions(struct sw_flow_actions *sf_acts)
{
	const struct nlattr *cur;
	int left;

	if (!sf_acts)
		return;

	nla_for_each_attr(cur, sf_acts->actions, sf_acts->actions_len, left) {
		int type = nla_type(cur);

		if (type == OVS_ACTION_ATTR_SET)
			ovs_nla_free_set_action(cur);
		else if (type == OVS_ACTION_ATTR_CT)
			ovs_ct_free_action(cur);
	}

	kfree(sf_acts);
}

/* RCU callback: recover the action list from its rcu_head and free it. */
static void __ovs_nla_free_flow_actions(struct rcu_head *head)
{
	struct sw_flow_actions *acts;

	acts = container_of(head, struct sw_flow_actions, rcu);
	ovs_nla_free_flow_actions(acts);
}

/* Schedules 'sf_acts' to be freed after the next RCU grace period.
 * The caller must hold rcu_read_lock for this to be sensible.
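*/
void ovs_nla_free_flow_actions_rcu(struct sw_flow_actions *sf_acts)
{
	call_rcu(&sf_acts->rcu, __ovs_nla_free_flow_actions);
}

/* Reserve NLA_ALIGN(attr_len) bytes at the tail of '*sfa' and return a
 * pointer to them.
 *
 * When the current allocation is too small a larger one is allocated, the
 * existing actions are copied over and the old buffer is freed, so '*sfa' may
 * change and pointers into the old buffer become invalid.  The total is capped
 * at MAX_ACTIONS_BUFSIZE.
 *
 * Returns the reserved space, ERR_PTR(-EMSGSIZE) when the cap would be
 * exceeded, or the ERR_PTR from nla_alloc_flow_actions().
 */
static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa,
				       int attr_len, bool log)
{

	struct sw_flow_actions *acts;
	int new_acts_size;
	size_t req_size = NLA_ALIGN(attr_len);
	int next_offset = offsetof(struct sw_flow_actions, actions) +
					(*sfa)->actions_len;

	/* Fast path: the request fits in what the allocator actually gave us. */
	if (req_size <= (ksize(*sfa) - next_offset))
		goto out;

	new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2);

	if (new_acts_size > MAX_ACTIONS_BUFSIZE) {
		/* Compare the sum against the cap rather than subtracting.
		 * The fast path above is bounded by ksize(), which may be
		 * larger than the size requested at allocation time, so
		 * next_offset can already be past MAX_ACTIONS_BUFSIZE.  In
		 * that case "MAX_ACTIONS_BUFSIZE - next_offset" is negative,
		 * converts to a huge size_t in the comparison with req_size,
		 * and the limit check would pass; the memcpy() below would
		 * then write actions_len bytes into a smaller buffer.
		 */
		if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE) {
			OVS_NLERR(log, "Flow action size exceeds max %u",
				  MAX_ACTIONS_BUFSIZE);
			return ERR_PTR(-EMSGSIZE);
		}
		new_acts_size = MAX_ACTIONS_BUFSIZE;
	}

	acts = nla_alloc_flow_actions(new_acts_size);
	if (IS_ERR(acts))
		return (void *)acts;

	memcpy(acts->actions, (*sfa)->actions, (*sfa)->actions_len);
	acts->actions_len = (*sfa)->actions_len;
	acts->orig_len = (*sfa)->orig_len;
	kfree(*sfa);
	*sfa = acts;

out:
	(*sfa)->actions_len += req_size;
	return (struct nlattr *) ((unsigned char *)(*sfa) + next_offset);
}

/* Append one attribute of type 'attrtype' with a 'len'-byte payload.
 *
 * 'data' may be NULL: the header and the alignment padding are still written,
 * but the payload keeps whatever the allocation contained, so the caller must
 * fill all 'len' bytes itself.
 *
 * Returns the new attribute or an ERR_PTR from reserve_sfa_size().
 */
static struct nlattr *__add_action(struct sw_flow_actions **sfa,
				   int attrtype, void *data, int len, bool log)
{
	struct nlattr *a;

	a = reserve_sfa_size(sfa, nla_attr_size(len), log);
	if (IS_ERR(a))
		return a;

	a->nla_type = attrtype;
	a->nla_len = nla_attr_size(len);

	if (data)
		memcpy(nla_data(a), data, len);
	/* Zero the alignment padding that follows the payload. */
	memset((unsigned char *) a + a->nla_len, 0, nla_padlen(len));

	return a;
}

/* Same as __add_action() but returns 0 or a negative errno. */
int ovs_nla_add_action(struct sw_flow_actions **sfa, int attrtype, void *data,
		       int len, bool log)
{
	struct nlattr *a;

	a = __add_action(sfa, attrtype, data, len, log);

	return PTR_ERR_OR_ZERO(a);
}

/* Open a nested action: append an empty attribute of type 'attrtype'.
 *
 * Returns the offset of that attribute within sfa->actions (to be handed to
 * add_nested_action_end()), or a negative errno.  An offset is returned
 * instead of a pointer because later additions may reallocate '*sfa'.
 */
static inline int add_nested_action_start(struct sw_flow_actions **sfa,
					  int attrtype, bool log)
{
	int used = (*sfa)->actions_len;
	int err;

	err = ovs_nla_add_action(sfa, attrtype, NULL, 0, log);
	if (err)
		return err;

	return used;
}

/* Close a nested action: set its nla_len to cover everything appended since
 * add_nested_action_start() returned 'st_offset'.
 */
static inline void add_nested_action_end(struct sw_flow_actions *sfa,
					 int st_offset)
{
	struct nlattr *a = (struct nlattr *) ((unsigned char *)sfa->actions +
							       st_offset);

	a->nla_len = sfa->actions_len - st_offset;
}

static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
				  const struct sw_flow_key *key,
				  struct sw_flow_actions **sfa,
				  __be16 eth_type, __be16 vlan_tci,
				  u32 mpls_label_count, bool log);

/* Validate an OVS_ACTION_ATTR_SAMPLE attribute and append its internal form:
 * a nested SAMPLE action holding an OVS_SAMPLE_ATTR_ARG (struct sample_arg)
 * followed by the validated nested actions.
 *
 * Rejects attribute type 0, types above OVS_SAMPLE_ATTR_MAX, duplicates,
 * trailing bytes, a probability that is not exactly a u32, and an actions
 * attribute that is non-empty but shorter than one header.
 *
 * Returns 0 or a negative errno.
 */
static int validate_and_copy_sample(struct net *net, const struct nlattr *attr,
				    const struct sw_flow_key *key,
				    struct sw_flow_actions **sfa,
				    __be16 eth_type, __be16 vlan_tci,
				    u32 mpls_label_count, bool log, bool last)
{
	const struct nlattr *attrs[OVS_SAMPLE_ATTR_MAX + 1];
	const struct nlattr *probability, *actions;
	const struct nlattr *a;
	int rem, start, err;
	struct sample_arg arg;

	memset(attrs, 0, sizeof(attrs));
	nla_for_each_nested(a, attr, rem) {
		int type = nla_type(a);
		/* The bound check precedes the attrs[] index. */
		if (!type || type > OVS_SAMPLE_ATTR_MAX || attrs[type])
			return -EINVAL;
		attrs[type] = a;
	}
	if (rem)
		return -EINVAL;

	probability = attrs[OVS_SAMPLE_ATTR_PROBABILITY];
	if (!probability || nla_len(probability) != sizeof(u32))
		return -EINVAL;

	actions = attrs[OVS_SAMPLE_ATTR_ACTIONS];
	if (!actions || (nla_len(actions) && nla_len(actions) < NLA_HDRLEN))
		return -EINVAL;

	/* validation done, copy sample action. */
	start = add_nested_action_start(sfa, OVS_ACTION_ATTR_SAMPLE, log);
	if (start < 0)
		return start;

	/* When both skb and flow may be changed, put the sample
	 * into a deferred fifo. On the other hand, if only skb
	 * may be modified, the actions can be executed in place.
	 *
	 * Do this analysis at the flow installation time.
	 * Set 'arg.exec' to true if the actions can be
	 * executed without being deferred.
	 *
	 * If the sample is the last action, it can always be executed
	 * rather than deferred.
	 */
	arg.exec = last || !actions_may_change_flow(actions);
	arg.probability = nla_get_u32(probability);

	err = ovs_nla_add_action(sfa, OVS_SAMPLE_ATTR_ARG, &arg, sizeof(arg),
				 log);
	if (err)
		return err;

	err = __ovs_nla_copy_actions(net, actions, key, sfa,
				     eth_type, vlan_tci, mpls_label_count, log);

	if (err)
		return err;

	add_nested_action_end(*sfa, start);

	return 0;
}

/* Validate an OVS_ACTION_ATTR_DEC_TTL attribute and append it as a nested
 * DEC_TTL action containing a nested OVS_DEC_TTL_ATTR_ACTION list.
 *
 * Unknown attribute types above OVS_DEC_TTL_ATTR_MAX are skipped; type 0,
 * duplicates, trailing bytes and a missing or malformed action list are
 * rejected.
 *
 * Returns 0 or a negative errno.
 */
static int validate_and_copy_dec_ttl(struct net *net,
				     const struct nlattr *attr,
				     const struct sw_flow_key *key,
				     struct sw_flow_actions **sfa,
				     __be16 eth_type, __be16 vlan_tci,
				     u32 mpls_label_count, bool log)
{
	const struct nlattr *attrs[OVS_DEC_TTL_ATTR_MAX + 1];
	int start, action_start, err, rem;
	const struct nlattr *a, *actions;

	memset(attrs, 0, sizeof(attrs));
	nla_for_each_nested(a, attr, rem) {
		int type = nla_type(a);

		/* Ignore unknown attributes to be future proof. */
		if (type > OVS_DEC_TTL_ATTR_MAX)
			continue;

		if (!type || attrs[type])
			return -EINVAL;

		attrs[type] = a;
	}

	actions = attrs[OVS_DEC_TTL_ATTR_ACTION];
	if (rem || !actions || (nla_len(actions) && nla_len(actions) < NLA_HDRLEN))
		return -EINVAL;

	start = add_nested_action_start(sfa, OVS_ACTION_ATTR_DEC_TTL, log);
	if (start < 0)
		return start;

	action_start = add_nested_action_start(sfa, OVS_DEC_TTL_ATTR_ACTION, log);
	if (action_start < 0)
		/* Propagate the error of the call that failed.  'start' is a
		 * non-negative offset at this point, so returning it would
		 * hide the failure from the caller.
		 */
		return action_start;

	err = __ovs_nla_copy_actions(net, actions, key, sfa, eth_type,
				     vlan_tci, mpls_label_count, log);
	if (err)
		return err;

	add_nested_action_end(*sfa, action_start);
	add_nested_action_end(*sfa, start);
	return 0;
}

/* Validate an OVS_ACTION_ATTR_CLONE attribute and append it as a nested CLONE
 * action: an OVS_CLONE_ATTR_EXEC u32 followed by the validated nested actions.
 *
 * 'exec' is set when the clone is the last action or when its actions cannot
 * change the flow, as reported by actions_may_change_flow().
 *
 * Returns 0 or a negative errno.
 */
static int validate_and_copy_clone(struct net *net,
				   const struct nlattr *attr,
				   const struct sw_flow_key *key,
				   struct sw_flow_actions **sfa,
				   __be16 eth_type, __be16 vlan_tci,
				   u32 mpls_label_count, bool log, bool last)
{
	int start, err;
	u32 exec;

	if (nla_len(attr) && nla_len(attr) < NLA_HDRLEN)
		return -EINVAL;

	start = add_nested_action_start(sfa, OVS_ACTION_ATTR_CLONE, log);
	if (start < 0)
		return start;

	exec = last || !actions_may_change_flow(attr);

	err = ovs_nla_add_action(sfa, OVS_CLONE_ATTR_EXEC, &exec,
				 sizeof(exec), log);
	if (err)
		return err;

	err = __ovs_nla_copy_actions(net, attr, key, sfa,
				     eth_type, vlan_tci, mpls_label_count, log);
	if (err)
		return err;

	add_nested_action_end(*sfa, start);

	return 0;
}

/* Initialise 'match' to point at 'key' and 'mask'.
 *
 * 'key' is zeroed only when 'reset_key' is set.  'mask' may be NULL; when it
 * is given, its key is zeroed and its range is reset to empty.
 */
void ovs_match_init(struct sw_flow_match *match,
		    struct sw_flow_key *key,
		    bool reset_key,
		    struct sw_flow_mask *mask)
{
	memset(match, 0, sizeof(*match));
	match->key = key;
	match->mask = mask;

	if (reset_key)
		memset(key, 0, sizeof(*key));

	if (mask) {
		memset(&mask->key, 0, sizeof(mask->key));
		mask->range.start = mask->range.end = 0;
	}
}

/* Walk the Geneve options stored in 'key' and check that they tile
 * key->tun_opts_len exactly.
 *
 * Each option occupies sizeof(struct geneve_opt) + option->length * 4 bytes.
 * A header that does not fit in the remaining bytes, or an option that claims
 * more than the remaining bytes, yields -EINVAL before anything past the
 * buffer is read.  TUNNEL_CRIT_OPT is set in the key's tunnel flags when any
 * option has the GENEVE_CRIT_OPT_TYPE bit.
 *
 * Returns 0 or -EINVAL.
 */
static int validate_geneve_opts(struct sw_flow_key *key)
{
	struct geneve_opt *option;
	int opts_len = key->tun_opts_len;
	bool crit_opt = false;

	option = (struct geneve_opt *)TUN_METADATA_OPTS(key, key->tun_opts_len);
	while (opts_len > 0) {
		int len;

		if (opts_len < sizeof(*option))
			return -EINVAL;

		len = sizeof(*option) + option->length * 4;
		if (len > opts_len)
			return -EINVAL;

		crit_opt |= !!(option->type & GENEVE_CRIT_OPT_TYPE);

		option = (struct geneve_opt *)((u8 *)option + len);
		opts_len -= len;
	};

	key->tun_key.tun_flags |= crit_opt ? TUNNEL_CRIT_OPT : 0;

	return 0;
}

/* Validate a tunnel SET action and append its internal form: a nested
 * OVS_ACTION_ATTR_SET holding an OVS_KEY_ATTR_TUNNEL_INFO attribute whose
 * payload points at a freshly allocated metadata_dst.
 *
 * Once 'tun_dst' has been stored in the action, the action list owns the
 * reference; ovs_nla_free_set_action() releases it.  On the error paths
 * before that point the reference is dropped here.
 *
 * NOTE(review): on those error paths the SET container opened by
 * add_nested_action_start() stays in '*sfa' unterminated; presumably the
 * caller frees the whole list on error - confirm.
 *
 * Returns 0 or a negative errno.
 */
static int validate_and_copy_set_tun(const struct nlattr *attr,
				     struct sw_flow_actions **sfa, bool log)
{
	struct sw_flow_match match;
	struct sw_flow_key key;
	struct metadata_dst *tun_dst;
	struct ip_tunnel_info *tun_info;
	struct ovs_tunnel_info *ovs_tun;
	struct nlattr *a;
	int err = 0, start, opts_type;
	__be16 dst_opt_type;

	dst_opt_type = 0;
	/* Parse into a scratch key on the stack; reset_key zeroes it first. */
	ovs_match_init(&match, &key, true, NULL);
	opts_type = ip_tun_from_nlattr(nla_data(attr), &match, false, log);
	if (opts_type < 0)
		return opts_type;

	if (key.tun_opts_len) {
		switch (opts_type) {
		case OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS:
			err = validate_geneve_opts(&key);
			if (err < 0)
				return err;
			dst_opt_type = TUNNEL_GENEVE_OPT;
			break;
		case OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS:
			dst_opt_type = TUNNEL_VXLAN_OPT;
			break;
		case OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS:
			dst_opt_type = TUNNEL_ERSPAN_OPT;
			break;
		}
	}

	start = add_nested_action_start(sfa, OVS_ACTION_ATTR_SET, log);
	if (start < 0)
		return start;

	tun_dst = metadata_dst_alloc(key.tun_opts_len, METADATA_IP_TUNNEL,
				     GFP_KERNEL);

	if (!tun_dst)
		return -ENOMEM;

	err = dst_cache_init(&tun_dst->u.tun_info.dst_cache, GFP_KERNEL);
	if (err) {
		dst_release((struct dst_entry *)tun_dst);
		return err;
	}

	a = __add_action(sfa, OVS_KEY_ATTR_TUNNEL_INFO, NULL,
			 sizeof(*ovs_tun), log);
	if (IS_ERR(a)) {
		dst_release((struct dst_entry *)tun_dst);
		return PTR_ERR(a);
	}

	/* __add_action() was given no data, so the payload is filled here. */
	ovs_tun = nla_data(a);
	ovs_tun->tun_dst = tun_dst;

	tun_info = &tun_dst->u.tun_info;
	tun_info->mode = IP_TUNNEL_INFO_TX;
	if (key.tun_proto == AF_INET6)
		tun_info->mode |= IP_TUNNEL_INFO_IPV6;
	else if (key.tun_proto == AF_INET && key.tun_key.u.ipv4.dst == 0)
		tun_info->mode |= IP_TUNNEL_INFO_BRIDGE;
	tun_info->key = key.tun_key;

	/* We need to store the options in the action itself since
	 * everything else will go away after flow setup. We can append
	 * it to tun_info and then point there.
	 */
	ip_tunnel_info_opts_set(tun_info,
				TUN_METADATA_OPTS(&key, key.tun_opts_len),
				key.tun_opts_len, dst_opt_type);
	add_nested_action_end(*sfa, start);

	return err;
}

/* Check an NSH key attribute by parsing it into a scratch key.
 *
 * Returns true when nsh_key_put_from_nlattr() accepts the attribute.
 */
static bool validate_nsh(const struct nlattr *attr, bool is_mask,
			 bool is_push_nsh, bool log)
{
	struct sw_flow_match match;
	struct sw_flow_key key;
	int ret = 0;

	ovs_match_init(&match, &key, true, NULL);
	ret = nsh_key_put_from_nlattr(attr, &match, is_mask,
				      is_push_nsh, log);
	return !ret;
}

/* Return false if there are any non-masked bits set.
 * Mask follows data immediately, before any netlink padding.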
*/
static bool validate_masked(u8 *data, int len)
{
	/* 'data' holds 'len' value bytes directly followed by 'len' mask bytes. */
	u8 *mask = data + len;

	while (len--)
		if (*data++ & ~*mask++)
			return false;

	return true;
}

/* Validate one SET or SET_MASKED action against the flow it will be applied
 * to.
 *
 * 'a' is the action attribute; its payload must be exactly one OVS_KEY_ATTR_*
 * attribute.  For a masked set that payload is the value followed by a mask
 * of the same size.  Fields the datapath does not allow to be rewritten
 * (IP protocol, fragment type, the bits above the IPv6 flow label) are
 * rejected.
 *
 * '*skip_copy' is set to true when this function has already appended the
 * action to '*sfa' itself (tunnel sets, and non-masked sets which are
 * converted to OVS_ACTION_ATTR_SET_TO_MASKED).
 *
 * Returns 0 or a negative errno.
 *
 * NOTE(review): the nested header (type and length of 'ovs_key') is read
 * through nla_data(a) before anything in this function establishes that 'a'
 * carries at least NLA_HDRLEN payload bytes; the nla_total_size() comparison
 * only rejects the mismatch afterwards - confirm the bytes are always
 * readable for every caller.
 */
static int validate_set(const struct nlattr *a,
			const struct sw_flow_key *flow_key,
			struct sw_flow_actions **sfa, bool *skip_copy,
			u8 mac_proto, __be16 eth_type, bool masked, bool log)
{
	const struct nlattr *ovs_key = nla_data(a);
	int key_type = nla_type(ovs_key);
	size_t key_len;

	/* There can be only one key in an action. */
	if (nla_total_size(nla_len(ovs_key)) != nla_len(a))
		return -EINVAL;

	key_len = nla_len(ovs_key);
	if (masked)
		key_len /= 2;

	/* The bound check must come first: key_type indexes ovs_key_lens[]. */
	if (key_type > OVS_KEY_ATTR_MAX ||
	    !check_attr_len(key_len, ovs_key_lens[key_type].len))
		return -EINVAL;

	if (masked && !validate_masked(nla_data(ovs_key), key_len))
		return -EINVAL;

	switch (key_type) {
	case OVS_KEY_ATTR_PRIORITY:
	case OVS_KEY_ATTR_SKB_MARK:
	case OVS_KEY_ATTR_CT_MARK:
	case OVS_KEY_ATTR_CT_LABELS:
		break;

	case OVS_KEY_ATTR_ETHERNET:
		if (mac_proto != MAC_PROTO_ETHERNET)
			return -EINVAL;
		break;

	case OVS_KEY_ATTR_TUNNEL: {
		int err;

		if (masked)
			return -EINVAL; /* Masked tunnel set not supported. */

		*skip_copy = true;
		err = validate_and_copy_set_tun(a, sfa, log);
		if (err)
			return err;
		break;
	}
	case OVS_KEY_ATTR_IPV4: {
		const struct ovs_key_ipv4 *ipv4_key;

		if (eth_type != htons(ETH_P_IP))
			return -EINVAL;

		ipv4_key = nla_data(ovs_key);

		if (masked) {
			/* The mask is the second struct in the payload. */
			const struct ovs_key_ipv4 *mask = ipv4_key + 1;

			/* Non-writeable fields. */
			if (mask->ipv4_proto || mask->ipv4_frag)
				return -EINVAL;
		} else {
			/* Unmasked: the read-only fields must equal the flow's. */
			if (ipv4_key->ipv4_proto != flow_key->ip.proto)
				return -EINVAL;

			if (ipv4_key->ipv4_frag != flow_key->ip.frag)
				return -EINVAL;
		}
		break;
	}
	case OVS_KEY_ATTR_IPV6: {
		const struct ovs_key_ipv6 *ipv6_key;

		if (eth_type != htons(ETH_P_IPV6))
			return -EINVAL;

		ipv6_key = nla_data(ovs_key);

		if (masked) {
			const struct ovs_key_ipv6 *mask = ipv6_key + 1;

			/* Non-writeable fields. */
			if (mask->ipv6_proto || mask->ipv6_frag)
				return -EINVAL;

			/* Invalid bits in the flow label mask? */
			if (ntohl(mask->ipv6_label) & 0xFFF00000)
				return -EINVAL;
		} else {
			if (ipv6_key->ipv6_proto != flow_key->ip.proto)
				return -EINVAL;

			if (ipv6_key->ipv6_frag != flow_key->ip.frag)
				return -EINVAL;
		}
		/* Only the low 20 bits of the label may be set. */
		if (ntohl(ipv6_key->ipv6_label) & 0xFFF00000)
			return -EINVAL;

		break;
	}
	case OVS_KEY_ATTR_TCP:
		if ((eth_type != htons(ETH_P_IP) &&
		     eth_type != htons(ETH_P_IPV6)) ||
		    flow_key->ip.proto != IPPROTO_TCP)
			return -EINVAL;

		break;

	case OVS_KEY_ATTR_UDP:
		if ((eth_type != htons(ETH_P_IP) &&
		     eth_type != htons(ETH_P_IPV6)) ||
		    flow_key->ip.proto != IPPROTO_UDP)
			return -EINVAL;

		break;

	case OVS_KEY_ATTR_MPLS:
		if (!eth_p_mpls(eth_type))
			return -EINVAL;
		break;

	case OVS_KEY_ATTR_SCTP:
		if ((eth_type != htons(ETH_P_IP) &&
		     eth_type != htons(ETH_P_IPV6)) ||
		    flow_key->ip.proto != IPPROTO_SCTP)
			return -EINVAL;

		break;

	case OVS_KEY_ATTR_NSH:
		if (eth_type != htons(ETH_P_NSH))
			return -EINVAL;
		if (!validate_nsh(nla_data(a), masked, false, log))
			return -EINVAL;
		break;

	default:
		/* Every key type not listed above is refused. */
		return -EINVAL;
	}

	/* Convert non-masked non-tunnel set actions to masked set actions. */
	if (!masked && key_type != OVS_KEY_ATTR_TUNNEL) {
		int start, len = key_len * 2;
		struct nlattr *at;

		*skip_copy = true;

		start = add_nested_action_start(sfa,
						OVS_ACTION_ATTR_SET_TO_MASKED,
						log);
		if (start < 0)
			return start;

		/* No data is passed, so both halves of the payload are
		 * written explicitly below.
		 */
		at = __add_action(sfa, key_type, NULL, len, log);
		if (IS_ERR(at))
			return PTR_ERR(at);

		memcpy(nla_data(at), nla_data(ovs_key), key_len); /* Key. */
		memset(nla_data(at) + key_len, 0xff, key_len);    /* Mask. */
		/* Clear non-writeable bits from otherwise writeable fields. */
		if (key_type == OVS_KEY_ATTR_IPV6) {
			struct ovs_key_ipv6 *mask = nla_data(at) + key_len;

			mask->ipv6_label &= htonl(0x000FFFFF);
		}
		add_nested_action_end(*sfa, start);
	}

	return 0;
}

/* Validate an OVS_ACTION_ATTR_USERSPACE attribute: it must parse against
 * userspace_policy and carry a non-zero OVS_USERSPACE_ATTR_PID.
 *
 * Returns 0, the parse error, or -EINVAL.
 */
static int validate_userspace(const struct nlattr *attr)
{
	static const struct nla_policy userspace_policy[OVS_USERSPACE_ATTR_MAX + 1] = {
		[OVS_USERSPACE_ATTR_PID] = {.type = NLA_U32 },
		[OVS_USERSPACE_ATTR_USERDATA] = {.type = NLA_UNSPEC },
		[OVS_USERSPACE_ATTR_EGRESS_TUN_PORT] = {.type = NLA_U32 },
	};
	struct nlattr *a[OVS_USERSPACE_ATTR_MAX + 1];
	int error;

	error = nla_parse_nested_deprecated(a, OVS_USERSPACE_ATTR_MAX, attr,
					    userspace_policy, NULL);
	if (error)
		return error;

	if (!a[OVS_USERSPACE_ATTR_PID] ||
	    !nla_get_u32(a[OVS_USERSPACE_ATTR_PID]))
		return -EINVAL;

	return 0;
}

/* Netlink policy for the attributes nested in OVS_ACTION_ATTR_CHECK_PKT_LEN. */
static const struct nla_policy cpl_policy[OVS_CHECK_PKT_LEN_ATTR_MAX + 1] = {
	[OVS_CHECK_PKT_LEN_ATTR_PKT_LEN] = {.type = NLA_U16 },
	[OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER] = {.type = NLA_NESTED },
	[OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL] = {.type = NLA_NESTED },
};

/* Validate an OVS_ACTION_ATTR_CHECK_PKT_LEN attribute and append its internal
 * form: a nested CHECK_PKT_LEN action holding an OVS_CHECK_PKT_LEN_ATTR_ARG
 * (struct check_pkt_len_arg), then the "less or equal" action list, then the
 * "greater" action list.
 *
 * The packet length must be present and non-zero and both action lists must
 * be present.  Each exec flag is set when this is the last action or when the
 * corresponding list cannot change the flow.
 *
 * Returns 0 or a negative errno.
 */
static int validate_and_copy_check_pkt_len(struct net *net,
					   const struct nlattr *attr,
					   const struct sw_flow_key *key,
					   struct sw_flow_actions **sfa,
					   __be16 eth_type, __be16 vlan_tci,
					   u32 mpls_label_count,
					   bool log, bool last)
{
	const struct nlattr *acts_if_greater, *acts_if_lesser_eq;
	struct nlattr *a[OVS_CHECK_PKT_LEN_ATTR_MAX + 1];
	struct check_pkt_len_arg arg;
	int nested_acts_start;
	int start, err;

	err = nla_parse_deprecated_strict(a, OVS_CHECK_PKT_LEN_ATTR_MAX,
					  nla_data(attr), nla_len(attr),
					  cpl_policy, NULL);
	if (err)
		return err;

	if (!a[OVS_CHECK_PKT_LEN_ATTR_PKT_LEN] ||
	    !nla_get_u16(a[OVS_CHECK_PKT_LEN_ATTR_PKT_LEN]))
		return -EINVAL;

	acts_if_lesser_eq = a[OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL];
	acts_if_greater = a[OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER];

	/* Both the nested action should be present. */
	if (!acts_if_greater || !acts_if_lesser_eq)
		return -EINVAL;

	/* validation done, copy the nested actions. */
	start = add_nested_action_start(sfa, OVS_ACTION_ATTR_CHECK_PKT_LEN,
					log);
	if (start < 0)
		return start;

	arg.pkt_len = nla_get_u16(a[OVS_CHECK_PKT_LEN_ATTR_PKT_LEN]);
	arg.exec_for_lesser_equal =
		last || !actions_may_change_flow(acts_if_lesser_eq);
	arg.exec_for_greater =
		last || !actions_may_change_flow(acts_if_greater);

	err = ovs_nla_add_action(sfa, OVS_CHECK_PKT_LEN_ATTR_ARG, &arg,
				 sizeof(arg), log);
	if (err)
		return err;

	nested_acts_start = add_nested_action_start(sfa,
		OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL, log);
	if (nested_acts_start < 0)
		return nested_acts_start;

	err = __ovs_nla_copy_actions(net, acts_if_lesser_eq, key, sfa,
				     eth_type, vlan_tci, mpls_label_count, log);

	if (err)
		return err;

	add_nested_action_end(*sfa, nested_acts_start);

	nested_acts_start = add_nested_action_start(sfa,
		OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER, log);
	if (nested_acts_start < 0)
		return nested_acts_start;

	err = __ovs_nla_copy_actions(net, acts_if_greater, key, sfa,
				     eth_type, vlan_tci, mpls_label_count, log);

	if (err)
		return err;

	add_nested_action_end(*sfa, nested_acts_start);
	add_nested_action_end(*sfa, start);
	return 0;
}

/* Append a verbatim copy of attribute 'from' to '*sfa'.
 *
 * Returns 0 or the error from reserve_sfa_size().
 *
 * NOTE(review): NLA_ALIGN(from->nla_len) bytes are copied, i.e. the source
 * attribute's alignment padding is read as well; presumably the source buffer
 * always contains that padding - confirm.
 */
static int copy_action(const struct nlattr *from,
		       struct sw_flow_actions **sfa, bool log)
{
	int totlen = NLA_ALIGN(from->nla_len);
	struct nlattr *to;

	to = reserve_sfa_size(sfa, from->nla_len, log);
	if (IS_ERR(to))
		return PTR_ERR(to);

	memcpy(to, from, totlen);
	return 0;
}

static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
				  const struct sw_flow_key *key,
				  struct sw_flow_actions **sfa,
				  __be16 eth_type, __be16 vlan_tci,
				  u32 mpls_label_count, bool log)
{
	u8 mac_proto = ovs_key_mac_proto(key);
	const struct nlattr *a;
	int rem, err;

	nla_for_each_nested(a, attr, rem) {
		/* Expected argument lengths, (u32)-1 for variable length.
*/ 3037 static const u32 action_lens[OVS_ACTION_ATTR_MAX + 1] = { 3038 [OVS_ACTION_ATTR_OUTPUT] = sizeof(u32), 3039 [OVS_ACTION_ATTR_RECIRC] = sizeof(u32), 3040 [OVS_ACTION_ATTR_USERSPACE] = (u32)-1, 3041 [OVS_ACTION_ATTR_PUSH_MPLS] = sizeof(struct ovs_action_push_mpls), 3042 [OVS_ACTION_ATTR_POP_MPLS] = sizeof(__be16), 3043 [OVS_ACTION_ATTR_PUSH_VLAN] = sizeof(struct ovs_action_push_vlan), 3044 [OVS_ACTION_ATTR_POP_VLAN] = 0, 3045 [OVS_ACTION_ATTR_SET] = (u32)-1, 3046 [OVS_ACTION_ATTR_SET_MASKED] = (u32)-1, 3047 [OVS_ACTION_ATTR_SAMPLE] = (u32)-1, 3048 [OVS_ACTION_ATTR_HASH] = sizeof(struct ovs_action_hash), 3049 [OVS_ACTION_ATTR_CT] = (u32)-1, 3050 [OVS_ACTION_ATTR_CT_CLEAR] = 0, 3051 [OVS_ACTION_ATTR_TRUNC] = sizeof(struct ovs_action_trunc), 3052 [OVS_ACTION_ATTR_PUSH_ETH] = sizeof(struct ovs_action_push_eth), 3053 [OVS_ACTION_ATTR_POP_ETH] = 0, 3054 [OVS_ACTION_ATTR_PUSH_NSH] = (u32)-1, 3055 [OVS_ACTION_ATTR_POP_NSH] = 0, 3056 [OVS_ACTION_ATTR_METER] = sizeof(u32), 3057 [OVS_ACTION_ATTR_CLONE] = (u32)-1, 3058 [OVS_ACTION_ATTR_CHECK_PKT_LEN] = (u32)-1, 3059 [OVS_ACTION_ATTR_ADD_MPLS] = sizeof(struct ovs_action_add_mpls), 3060 [OVS_ACTION_ATTR_DEC_TTL] = (u32)-1, 3061 }; 3062 const struct ovs_action_push_vlan *vlan; 3063 int type = nla_type(a); 3064 bool skip_copy; 3065 3066 if (type > OVS_ACTION_ATTR_MAX || 3067 (action_lens[type] != nla_len(a) && 3068 action_lens[type] != (u32)-1)) 3069 return -EINVAL; 3070 3071 skip_copy = false; 3072 switch (type) { 3073 case OVS_ACTION_ATTR_UNSPEC: 3074 return -EINVAL; 3075 3076 case OVS_ACTION_ATTR_USERSPACE: 3077 err = validate_userspace(a); 3078 if (err) 3079 return err; 3080 break; 3081 3082 case OVS_ACTION_ATTR_OUTPUT: 3083 if (nla_get_u32(a) >= DP_MAX_PORTS) 3084 return -EINVAL; 3085 break; 3086 3087 case OVS_ACTION_ATTR_TRUNC: { 3088 const struct ovs_action_trunc *trunc = nla_data(a); 3089 3090 if (trunc->max_len < ETH_HLEN) 3091 return -EINVAL; 3092 break; 3093 } 3094 3095 case OVS_ACTION_ATTR_HASH: { 3096 const 
struct ovs_action_hash *act_hash = nla_data(a); 3097 3098 switch (act_hash->hash_alg) { 3099 case OVS_HASH_ALG_L4: 3100 break; 3101 default: 3102 return -EINVAL; 3103 } 3104 3105 break; 3106 } 3107 3108 case OVS_ACTION_ATTR_POP_VLAN: 3109 if (mac_proto != MAC_PROTO_ETHERNET) 3110 return -EINVAL; 3111 vlan_tci = htons(0); 3112 break; 3113 3114 case OVS_ACTION_ATTR_PUSH_VLAN: 3115 if (mac_proto != MAC_PROTO_ETHERNET) 3116 return -EINVAL; 3117 vlan = nla_data(a); 3118 if (!eth_type_vlan(vlan->vlan_tpid)) 3119 return -EINVAL; 3120 if (!(vlan->vlan_tci & htons(VLAN_CFI_MASK))) 3121 return -EINVAL; 3122 vlan_tci = vlan->vlan_tci; 3123 break; 3124 3125 case OVS_ACTION_ATTR_RECIRC: 3126 break; 3127 3128 case OVS_ACTION_ATTR_ADD_MPLS: { 3129 const struct ovs_action_add_mpls *mpls = nla_data(a); 3130 3131 if (!eth_p_mpls(mpls->mpls_ethertype)) 3132 return -EINVAL; 3133 3134 if (mpls->tun_flags & OVS_MPLS_L3_TUNNEL_FLAG_MASK) { 3135 if (vlan_tci & htons(VLAN_CFI_MASK) || 3136 (eth_type != htons(ETH_P_IP) && 3137 eth_type != htons(ETH_P_IPV6) && 3138 eth_type != htons(ETH_P_ARP) && 3139 eth_type != htons(ETH_P_RARP) && 3140 !eth_p_mpls(eth_type))) 3141 return -EINVAL; 3142 mpls_label_count++; 3143 } else { 3144 if (mac_proto == MAC_PROTO_ETHERNET) { 3145 mpls_label_count = 1; 3146 mac_proto = MAC_PROTO_NONE; 3147 } else { 3148 mpls_label_count++; 3149 } 3150 } 3151 eth_type = mpls->mpls_ethertype; 3152 break; 3153 } 3154 3155 case OVS_ACTION_ATTR_PUSH_MPLS: { 3156 const struct ovs_action_push_mpls *mpls = nla_data(a); 3157 3158 if (!eth_p_mpls(mpls->mpls_ethertype)) 3159 return -EINVAL; 3160 /* Prohibit push MPLS other than to a white list 3161 * for packets that have a known tag order. 
3162 */ 3163 if (vlan_tci & htons(VLAN_CFI_MASK) || 3164 (eth_type != htons(ETH_P_IP) && 3165 eth_type != htons(ETH_P_IPV6) && 3166 eth_type != htons(ETH_P_ARP) && 3167 eth_type != htons(ETH_P_RARP) && 3168 !eth_p_mpls(eth_type))) 3169 return -EINVAL; 3170 eth_type = mpls->mpls_ethertype; 3171 mpls_label_count++; 3172 break; 3173 } 3174 3175 case OVS_ACTION_ATTR_POP_MPLS: { 3176 __be16 proto; 3177 if (vlan_tci & htons(VLAN_CFI_MASK) || 3178 !eth_p_mpls(eth_type)) 3179 return -EINVAL; 3180 3181 /* Disallow subsequent L2.5+ set actions and mpls_pop 3182 * actions once the last MPLS label in the packet is 3183 * is popped as there is no check here to ensure that 3184 * the new eth type is valid and thus set actions could 3185 * write off the end of the packet or otherwise corrupt 3186 * it. 3187 * 3188 * Support for these actions is planned using packet 3189 * recirculation. 3190 */ 3191 proto = nla_get_be16(a); 3192 3193 if (proto == htons(ETH_P_TEB) && 3194 mac_proto != MAC_PROTO_NONE) 3195 return -EINVAL; 3196 3197 mpls_label_count--; 3198 3199 if (!eth_p_mpls(proto) || !mpls_label_count) 3200 eth_type = htons(0); 3201 else 3202 eth_type = proto; 3203 3204 break; 3205 } 3206 3207 case OVS_ACTION_ATTR_SET: 3208 err = validate_set(a, key, sfa, 3209 &skip_copy, mac_proto, eth_type, 3210 false, log); 3211 if (err) 3212 return err; 3213 break; 3214 3215 case OVS_ACTION_ATTR_SET_MASKED: 3216 err = validate_set(a, key, sfa, 3217 &skip_copy, mac_proto, eth_type, 3218 true, log); 3219 if (err) 3220 return err; 3221 break; 3222 3223 case OVS_ACTION_ATTR_SAMPLE: { 3224 bool last = nla_is_last(a, rem); 3225 3226 err = validate_and_copy_sample(net, a, key, sfa, 3227 eth_type, vlan_tci, 3228 mpls_label_count, 3229 log, last); 3230 if (err) 3231 return err; 3232 skip_copy = true; 3233 break; 3234 } 3235 3236 case OVS_ACTION_ATTR_CT: 3237 err = ovs_ct_copy_action(net, a, key, sfa, log); 3238 if (err) 3239 return err; 3240 skip_copy = true; 3241 break; 3242 3243 case 
OVS_ACTION_ATTR_CT_CLEAR: 3244 break; 3245 3246 case OVS_ACTION_ATTR_PUSH_ETH: 3247 /* Disallow pushing an Ethernet header if one 3248 * is already present */ 3249 if (mac_proto != MAC_PROTO_NONE) 3250 return -EINVAL; 3251 mac_proto = MAC_PROTO_ETHERNET; 3252 break; 3253 3254 case OVS_ACTION_ATTR_POP_ETH: 3255 if (mac_proto != MAC_PROTO_ETHERNET) 3256 return -EINVAL; 3257 if (vlan_tci & htons(VLAN_CFI_MASK)) 3258 return -EINVAL; 3259 mac_proto = MAC_PROTO_NONE; 3260 break; 3261 3262 case OVS_ACTION_ATTR_PUSH_NSH: 3263 if (mac_proto != MAC_PROTO_ETHERNET) { 3264 u8 next_proto; 3265 3266 next_proto = tun_p_from_eth_p(eth_type); 3267 if (!next_proto) 3268 return -EINVAL; 3269 } 3270 mac_proto = MAC_PROTO_NONE; 3271 if (!validate_nsh(nla_data(a), false, true, true)) 3272 return -EINVAL; 3273 break; 3274 3275 case OVS_ACTION_ATTR_POP_NSH: { 3276 __be16 inner_proto; 3277 3278 if (eth_type != htons(ETH_P_NSH)) 3279 return -EINVAL; 3280 inner_proto = tun_p_to_eth_p(key->nsh.base.np); 3281 if (!inner_proto) 3282 return -EINVAL; 3283 if (key->nsh.base.np == TUN_P_ETHERNET) 3284 mac_proto = MAC_PROTO_ETHERNET; 3285 else 3286 mac_proto = MAC_PROTO_NONE; 3287 break; 3288 } 3289 3290 case OVS_ACTION_ATTR_METER: 3291 /* Non-existent meters are simply ignored. 
*/ 3292 break; 3293 3294 case OVS_ACTION_ATTR_CLONE: { 3295 bool last = nla_is_last(a, rem); 3296 3297 err = validate_and_copy_clone(net, a, key, sfa, 3298 eth_type, vlan_tci, 3299 mpls_label_count, 3300 log, last); 3301 if (err) 3302 return err; 3303 skip_copy = true; 3304 break; 3305 } 3306 3307 case OVS_ACTION_ATTR_CHECK_PKT_LEN: { 3308 bool last = nla_is_last(a, rem); 3309 3310 err = validate_and_copy_check_pkt_len(net, a, key, sfa, 3311 eth_type, 3312 vlan_tci, 3313 mpls_label_count, 3314 log, last); 3315 if (err) 3316 return err; 3317 skip_copy = true; 3318 break; 3319 } 3320 3321 case OVS_ACTION_ATTR_DEC_TTL: 3322 err = validate_and_copy_dec_ttl(net, a, key, sfa, 3323 eth_type, vlan_tci, 3324 mpls_label_count, log); 3325 if (err) 3326 return err; 3327 skip_copy = true; 3328 break; 3329 3330 default: 3331 OVS_NLERR(log, "Unknown Action type %d", type); 3332 return -EINVAL; 3333 } 3334 if (!skip_copy) { 3335 err = copy_action(a, sfa, log); 3336 if (err) 3337 return err; 3338 } 3339 } 3340 3341 if (rem > 0) 3342 return -EINVAL; 3343 3344 return 0; 3345 } 3346 3347 /* 'key' must be the masked key. 
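*/
/*
 * Allocate *sfa and fill it with a validated copy of the actions in 'attr'.
 *
 * The initial allocation is min(nla_len(attr), MAX_ACTIONS_BUFSIZE) bytes.
 * When the key's Ethernet type is an MPLS one, the starting label count is
 * the number of bits set in key->mpls.num_labels_mask.
 *
 * Returns 0 on success or a negative errno.  On a validation error the
 * buffer is freed and *sfa is set to NULL so that the caller is not left
 * holding a pointer to freed memory.  When the allocation itself fails,
 * *sfa holds the error pointer returned by nla_alloc_flow_actions().
 */
int ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
			 const struct sw_flow_key *key,
			 struct sw_flow_actions **sfa, bool log)
{
	int err;
	u32 mpls_label_count = 0;

	*sfa = nla_alloc_flow_actions(min(nla_len(attr), MAX_ACTIONS_BUFSIZE));
	if (IS_ERR(*sfa))
		return PTR_ERR(*sfa);

	if (eth_p_mpls(key->eth.type))
		mpls_label_count = hweight_long(key->mpls.num_labels_mask);

	(*sfa)->orig_len = nla_len(attr);
	err = __ovs_nla_copy_actions(net, attr, key, sfa, key->eth.type,
				     key->eth.vlan.tci, mpls_label_count, log);
	if (err) {
		ovs_nla_free_flow_actions(*sfa);
		/* Do not hand a dangling pointer back to the caller. */
		*sfa = NULL;
	}

	return err;
}

/*
 * Write a stored sample action to 'skb' as OVS_ACTION_ATTR_SAMPLE.
 *
 * The stored attribute starts with an attribute carrying struct sample_arg,
 * followed by the nested actions.  Output is the probability followed by an
 * OVS_SAMPLE_ATTR_ACTIONS nest.  Both nests are cancelled on failure.
 *
 * NOTE(review): the stored layout is not length-checked here; presumably it
 * is guaranteed by validate_and_copy_sample() -- confirm.
 *
 * Returns 0 on success, -EMSGSIZE if 'skb' is full, or the error from
 * ovs_nla_put_actions().
 */
static int sample_action_to_attr(const struct nlattr *attr,
				 struct sk_buff *skb)
{
	struct nlattr *start, *ac_start = NULL, *sample_arg;
	int err = 0, rem = nla_len(attr);
	const struct sample_arg *arg;
	struct nlattr *actions;

	start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_SAMPLE);
	if (!start)
		return -EMSGSIZE;

	sample_arg = nla_data(attr);
	arg = nla_data(sample_arg);
	actions = nla_next(sample_arg, &rem);

	if (nla_put_u32(skb, OVS_SAMPLE_ATTR_PROBABILITY, arg->probability)) {
		err = -EMSGSIZE;
		goto out;
	}

	ac_start = nla_nest_start_noflag(skb, OVS_SAMPLE_ATTR_ACTIONS);
	if (!ac_start) {
		err = -EMSGSIZE;
		goto out;
	}

	err = ovs_nla_put_actions(actions, rem, skb);

out:
	if (err) {
		/* ac_start may still be NULL here; nla_nest_cancel()
		 * ignores a NULL mark.
		 */
		nla_nest_cancel(skb, ac_start);
		nla_nest_cancel(skb, start);
	} else {
		nla_nest_end(skb, ac_start);
		nla_nest_end(skb, start);
	}

	return err;
}

/*
 * Write a stored clone action to 'skb' as an OVS_ACTION_ATTR_CLONE nest
 * holding the converted inner actions.  The nest is cancelled on failure.
 *
 * Returns 0 on success, -EMSGSIZE if the nest cannot be started, or the
 * error from ovs_nla_put_actions().
 */
static int clone_action_to_attr(const struct nlattr *attr,
				struct sk_buff *skb)
{
	struct nlattr *start;
	int err = 0, rem = nla_len(attr);

	start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_CLONE);
	if (!start)
		return -EMSGSIZE;

	err = ovs_nla_put_actions(nla_data(attr), rem, skb);

	if (err)
		nla_nest_cancel(skb, start);
	else
		nla_nest_end(skb, start);

	return err;
}

/*
 * Write a stored check_pkt_len action to 'skb' as
 * OVS_ACTION_ATTR_CHECK_PKT_LEN: the packet length, then the
 * "if less or equal" and "if greater" action lists as nests.
 *
 * The three stored sub-attributes are read by position, without type or
 * length checks.  NOTE(review): presumably the order is fixed by
 * validate_and_copy_check_pkt_len() -- confirm.
 *
 * Returns 0 on success or a negative errno; the outer nest is cancelled on
 * every error path.
 */
static int check_pkt_len_action_to_attr(const struct nlattr *attr,
					struct sk_buff *skb)
{
	struct nlattr *start, *ac_start = NULL;
	const struct check_pkt_len_arg *arg;
	const struct nlattr *a, *cpl_arg;
	int err = 0, rem = nla_len(attr);

	start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_CHECK_PKT_LEN);
	if (!start)
		return -EMSGSIZE;

	/* The first nested attribute in 'attr' is always
	 * 'OVS_CHECK_PKT_LEN_ATTR_ARG'.
	 */
	cpl_arg = nla_data(attr);
	arg = nla_data(cpl_arg);

	if (nla_put_u16(skb, OVS_CHECK_PKT_LEN_ATTR_PKT_LEN, arg->pkt_len)) {
		err = -EMSGSIZE;
		goto out;
	}

	/* Second nested attribute in 'attr' is always
	 * 'OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL'.
	 */
	a = nla_next(cpl_arg, &rem);
	ac_start = nla_nest_start_noflag(skb,
					 OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL);
	if (!ac_start) {
		err = -EMSGSIZE;
		goto out;
	}

	err = ovs_nla_put_actions(nla_data(a), nla_len(a), skb);
	if (err) {
		nla_nest_cancel(skb, ac_start);
		goto out;
	} else {
		nla_nest_end(skb, ac_start);
	}

	/* Third nested attribute in 'attr' is always
	 * OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER.
	 */
	a = nla_next(a, &rem);
	ac_start = nla_nest_start_noflag(skb,
					 OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER);
	if (!ac_start) {
		err = -EMSGSIZE;
		goto out;
	}

	err = ovs_nla_put_actions(nla_data(a), nla_len(a), skb);
	if (err) {
		nla_nest_cancel(skb, ac_start);
		goto out;
	} else {
		nla_nest_end(skb, ac_start);
	}

	nla_nest_end(skb, start);
	return 0;

out:
	nla_nest_cancel(skb, start);
	return err;
}

/*
 * Write a stored dec_ttl action to 'skb' as an OVS_ACTION_ATTR_DEC_TTL nest.
 * Each OVS_DEC_TTL_ATTR_ACTION sub-attribute becomes a nest of converted
 * actions; other sub-attribute types are skipped.
 *
 * Returns 0 on success or a negative errno.  On error the outer nest is
 * cancelled, which also trims any inner nest started after it.
 */
static int dec_ttl_action_to_attr(const struct nlattr *attr,
				  struct sk_buff *skb)
{
	struct nlattr *start, *action_start;
	const struct nlattr *a;
	int err = 0, rem;

	start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_DEC_TTL);
	if (!start)
		return -EMSGSIZE;

	nla_for_each_attr(a, nla_data(attr), nla_len(attr), rem) {
		switch (nla_type(a)) {
		case OVS_DEC_TTL_ATTR_ACTION:

			action_start = nla_nest_start_noflag(skb, OVS_DEC_TTL_ATTR_ACTION);
			if (!action_start) {
				err = -EMSGSIZE;
				goto out;
			}

			err = ovs_nla_put_actions(nla_data(a), nla_len(a), skb);
			if (err)
				goto out;

			nla_nest_end(skb, action_start);
			break;

		default:
			/* Ignore all other option to be future compatible */
			break;
		}
	}

	nla_nest_end(skb, start);
	return 0;

out:
	nla_nest_cancel(skb, start);
	return err;
}

/*
 * Write a stored set action to 'skb' as OVS_ACTION_ATTR_SET.
 *
 * A tunnel-info key is expanded with ip_tun_to_nlattr() inside a nest; any
 * other key is copied as-is with nla_put().
 *
 * Returns 0 on success, -EMSGSIZE if 'skb' is full, or the error from
 * ip_tun_to_nlattr().
 */
static int set_action_to_attr(const struct nlattr *a, struct sk_buff *skb)
{
	const struct nlattr *ovs_key = nla_data(a);
	int key_type = nla_type(ovs_key);
	struct nlattr *start;
	int err;

	switch (key_type) {
	case OVS_KEY_ATTR_TUNNEL_INFO: {
		struct ovs_tunnel_info *ovs_tun = nla_data(ovs_key);
		struct ip_tunnel_info *tun_info = &ovs_tun->tun_dst->u.tun_info;

		start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_SET);
		if (!start)
			return -EMSGSIZE;

		err = ip_tun_to_nlattr(skb, &tun_info->key,
				       ip_tunnel_info_opts(tun_info),
				       tun_info->options_len,
				       ip_tunnel_info_af(tun_info), tun_info->mode);
		if (err) {
			/* The nest's length is only finalised by
			 * nla_nest_end(); trim the half-written nest, as the
			 * sibling *_to_attr helpers do, so it does not stay
			 * in the message.
			 */
			nla_nest_cancel(skb, start);
			return err;
		}
		nla_nest_end(skb, start);
		break;
	}
	default:
		if (nla_put(skb, OVS_ACTION_ATTR_SET, nla_len(a), ovs_key))
			return -EMSGSIZE;
		break;
	}

	return 0;
}

/*
 * Write a stored set-to-masked action to 'skb' as a plain
 * OVS_ACTION_ATTR_SET nest.  Only the first half of the stored payload is
 * emitted.
 *
 * NOTE(review): the second half is presumably the mask that was appended
 * when the action was converted; confirm against validate_set().
 *
 * Returns 0 on success or -EMSGSIZE if 'skb' is full.
 */
static int masked_set_action_to_set_action_attr(const struct nlattr *a,
						struct sk_buff *skb)
{
	const struct nlattr *ovs_key = nla_data(a);
	struct nlattr *nla;
	size_t key_len = nla_len(ovs_key) / 2;

	/* Revert the conversion we did from a non-masked set action to
	 * masked set action.
	 */
	nla = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_SET);
	if (!nla)
		return -EMSGSIZE;

	if (nla_put(skb, nla_type(ovs_key), key_len, nla_data(ovs_key))) {
		/* Trim the nest header rather than leaving an unterminated
		 * nest in the message.
		 */
		nla_nest_cancel(skb, nla);
		return -EMSGSIZE;
	}

	nla_nest_end(skb, nla);
	return 0;
}

/*
 * Serialise 'len' bytes of stored actions, starting at 'attr', into 'skb'.
 *
 * Action types with their own *_to_attr helper are converted by it; every
 * other type is copied unchanged with nla_put().
 *
 * Returns 0 on success or a negative errno.  Attributes written by earlier
 * iterations stay in 'skb' when a later one fails.  NOTE(review): the caller
 * presumably trims or discards the message in that case -- confirm.
 */
int ovs_nla_put_actions(const struct nlattr *attr, int len, struct sk_buff *skb)
{
	const struct nlattr *a;
	int rem, err;

	nla_for_each_attr(a, attr, len, rem) {
		int type = nla_type(a);

		switch (type) {
		case OVS_ACTION_ATTR_SET:
			err = set_action_to_attr(a, skb);
			if (err)
				return err;
			break;

		case OVS_ACTION_ATTR_SET_TO_MASKED:
			err = masked_set_action_to_set_action_attr(a, skb);
			if (err)
				return err;
			break;

		case OVS_ACTION_ATTR_SAMPLE:
			err = sample_action_to_attr(a, skb);
			if (err)
				return err;
			break;

		case OVS_ACTION_ATTR_CT:
			err = ovs_ct_action_to_attr(nla_data(a), skb);
			if (err)
				return err;
			break;

		case OVS_ACTION_ATTR_CLONE:
			err = clone_action_to_attr(a, skb);
			if (err)
				return err;
			break;

		case OVS_ACTION_ATTR_CHECK_PKT_LEN:
			err = check_pkt_len_action_to_attr(a, skb);
			if (err)
				return err;
			break;

		case OVS_ACTION_ATTR_DEC_TTL:
			err = dec_ttl_action_to_attr(a, skb);
			if (err)
				return err;
			break;

		default:
			if (nla_put(skb, type, nla_len(a), nla_data(a)))
				return -EMSGSIZE;
			break;
		}
	}

	return 0;
}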