// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (c) 2007-2017 Nicira, Inc.
 */

#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

#include "flow.h"
#include "datapath.h"
#include <linux/uaccess.h>
#include <linux/netdevice.h>
#include <linux/etherdevice.h>
#include <linux/if_ether.h>
#include <linux/if_vlan.h>
#include <net/llc_pdu.h>
#include <linux/kernel.h>
#include <linux/jhash.h>
#include <linux/jiffies.h>
#include <linux/llc.h>
#include <linux/module.h>
#include <linux/in.h>
#include <linux/rcupdate.h>
#include <linux/if_arp.h>
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <linux/sctp.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/icmp.h>
#include <linux/icmpv6.h>
#include <linux/rculist.h>
#include <net/geneve.h>
#include <net/ip.h>
#include <net/ipv6.h>
#include <net/ndisc.h>
#include <net/mpls.h>
#include <net/vxlan.h>
#include <net/tun_proto.h>
#include <net/erspan.h>

#include "flow_netlink.h"

/* One entry of an attribute-length table, indexed by Netlink attribute type.
 * @len:  exact payload length in bytes, or one of the OVS_ATTR_* sentinels
 *        below.  Entries a table does not initialise are zero, so
 *        check_attr_len() accepts only an empty payload for them.
 * @next: length table for the attributes nested inside this one, where set.
 */
struct ovs_len_tbl {
	int len;
	const struct ovs_len_tbl *next;
};

/* Sentinels for ovs_len_tbl.len.  check_attr_len() accepts ANY payload
 * length for both, so the type-specific parser must bound the length itself.
 */
#define OVS_ATTR_NESTED -1
#define OVS_ATTR_VARIABLE -2

/* Return false only when every action in the nested list @actions is one of
 * OUTPUT, RECIRC, TRUNC or USERSPACE.  Every other action type, including any
 * type this switch does not know (the default label), returns true, so an
 * unrecognised action is treated as one that may change the flow.
 */
static bool actions_may_change_flow(const struct nlattr *actions)
{
	struct nlattr *nla;
	int rem;

	nla_for_each_nested(nla, actions, rem) {
		u16 action = nla_type(nla);

		switch (action) {
		case OVS_ACTION_ATTR_OUTPUT:
		case OVS_ACTION_ATTR_RECIRC:
		case OVS_ACTION_ATTR_TRUNC:
		case OVS_ACTION_ATTR_USERSPACE:
			break;

		case OVS_ACTION_ATTR_CT:
		case OVS_ACTION_ATTR_CT_CLEAR:
		case OVS_ACTION_ATTR_HASH:
		case OVS_ACTION_ATTR_POP_ETH:
		case OVS_ACTION_ATTR_POP_MPLS:
		case OVS_ACTION_ATTR_POP_NSH:
		case OVS_ACTION_ATTR_POP_VLAN:
		case OVS_ACTION_ATTR_PUSH_ETH:
		case OVS_ACTION_ATTR_PUSH_MPLS:
		case OVS_ACTION_ATTR_PUSH_NSH:
		case OVS_ACTION_ATTR_PUSH_VLAN:
		case OVS_ACTION_ATTR_SAMPLE:
		case OVS_ACTION_ATTR_SET:
		case OVS_ACTION_ATTR_SET_MASKED:
		case OVS_ACTION_ATTR_METER:
		case OVS_ACTION_ATTR_CHECK_PKT_LEN:
		default:
			return true;
		}
	}
	return false;
}

/* Grow the key range (or, when @is_mask, the mask range) of @match so that it
 * covers [@offset, @offset + @size), widened outwards to sizeof(long)
 * boundaries.  A range with start == end is treated as empty and is simply
 * set to the new span.
 *
 * No bound against sizeof(struct sw_flow_key) is applied here; callers are
 * responsible for passing an offset/size that lies inside the key.
 */
static void update_range(struct sw_flow_match *match,
			 size_t offset, size_t size, bool is_mask)
{
	struct sw_flow_key_range *range;
	size_t start = rounddown(offset, sizeof(long));
	size_t end = roundup(offset + size, sizeof(long));

	if (!is_mask)
		range = &match->range;
	else
		range = &match->mask->range;

	if (range->start == range->end) {
		range->start = start;
		range->end = end;
		return;
	}

	if (range->start > start)
		range->start = start;

	if (range->end < end)
		range->end = end;
}

/* Assign @value to sw_flow_key member @field of the key (or of the mask's key
 * when @is_mask) and extend the matching range to cover that member.
 * The is_mask branch dereferences (match)->mask without a NULL check.
 */
#define SW_FLOW_KEY_PUT(match, field, value, is_mask) \
	do { \
		update_range(match, offsetof(struct sw_flow_key, field), \
			     sizeof((match)->key->field), is_mask); \
		if (is_mask) \
			(match)->mask->key.field = value; \
		else \
			(match)->key->field = value; \
	} while (0)

/* Copy @len bytes from @value_p to byte @offset inside the key (or the mask's
 * key) and extend the matching range.  The macro performs no bounds check:
 * at the call sites in this file @value_p/@len come from a Netlink attribute
 * payload, so the caller must have bounded @len beforehand.
 */
#define SW_FLOW_KEY_MEMCPY_OFFSET(match, offset, value_p, len, is_mask) \
	do { \
		update_range(match, offset, len, is_mask); \
		if (is_mask) \
			memcpy((u8 *)&(match)->mask->key + offset, value_p, \
			       len); \
		else \
			memcpy((u8 *)(match)->key + offset, value_p, len); \
	} while (0)

/* Same as SW_FLOW_KEY_MEMCPY_OFFSET, with the offset taken from @field. */
#define SW_FLOW_KEY_MEMCPY(match, field, value_p, len, is_mask) \
	SW_FLOW_KEY_MEMCPY_OFFSET(match, offsetof(struct sw_flow_key, field), \
				  value_p, len, is_mask)

/* Fill every byte of sw_flow_key member @field with @value in the key (or the
 * mask's key) and extend the matching range to cover the member.
 */
#define SW_FLOW_KEY_MEMSET_FIELD(match, field, value, is_mask) \
	do { \
		update_range(match, offsetof(struct sw_flow_key, field), \
			     sizeof((match)->key->field), is_mask); \
		if (is_mask) \
			memset((u8 *)&(match)->mask->key.field, value, \
			       sizeof((match)->mask->key.field)); \
		else \
			memset((u8 *)&(match)->key->field, value, \
			       sizeof((match)->key->field)); \
	} while (0)

/* Cross-check the attribute bitmaps of a parsed match against its contents.
 * @key_attrs / @mask_attrs hold one bit per OVS_KEY_ATTR_* type that was
 * present in the key and in the mask.
 *
 * key_expected collects the attributes the key must carry given its
 * eth.type, ip.proto, ip.frag and tp.src values.  mask_allowed collects the
 * attributes a mask may carry: a protocol-specific attribute is admitted only
 * when a mask exists and the mask on the selecting field is exact
 * (eth.type == 0xffff, ip.proto == 0xff, tp.src == 0xff for ND).  With
 * match->mask == NULL no protocol-specific mask attribute is admitted.
 *
 * Returns true when every expected key attribute is present and the mask
 * carries nothing outside mask_allowed; otherwise logs (if @log) and returns
 * false.
 *
 * NOTE(review): the (1 << OVS_KEY_ATTR_x) terms are int-typed and only the
 * CT_ORIG_TUPLE_IPV6 clear further down uses 1ULL; that is well defined only
 * while every attribute number used here stays below 31 -- confirm against
 * the enum before adding attributes.
 */
static bool match_validate(const struct sw_flow_match *match,
			   u64 key_attrs, u64 mask_attrs, bool log)
{
	u64 key_expected = 0;
	u64 mask_allowed = key_attrs;  /* At most allow all key attributes */

	/* The following mask attributes allowed only if they
	 * pass the validation tests. */
	mask_allowed &= ~((1 << OVS_KEY_ATTR_IPV4)
			| (1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4)
			| (1 << OVS_KEY_ATTR_IPV6)
			| (1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6)
			| (1 << OVS_KEY_ATTR_TCP)
			| (1 << OVS_KEY_ATTR_TCP_FLAGS)
			| (1 << OVS_KEY_ATTR_UDP)
			| (1 << OVS_KEY_ATTR_SCTP)
			| (1 << OVS_KEY_ATTR_ICMP)
			| (1 << OVS_KEY_ATTR_ICMPV6)
			| (1 << OVS_KEY_ATTR_ARP)
			| (1 << OVS_KEY_ATTR_ND)
			| (1 << OVS_KEY_ATTR_MPLS)
			| (1 << OVS_KEY_ATTR_NSH));

	/* Always allowed mask fields. */
	mask_allowed |= ((1 << OVS_KEY_ATTR_TUNNEL)
		       | (1 << OVS_KEY_ATTR_IN_PORT)
		       | (1 << OVS_KEY_ATTR_ETHERTYPE));

	/* Check key attributes. */
	if (match->key->eth.type == htons(ETH_P_ARP)
			|| match->key->eth.type == htons(ETH_P_RARP)) {
		key_expected |= 1 << OVS_KEY_ATTR_ARP;
		if (match->mask && (match->mask->key.eth.type == htons(0xffff)))
			mask_allowed |= 1 << OVS_KEY_ATTR_ARP;
	}

	if (eth_p_mpls(match->key->eth.type)) {
		key_expected |= 1 << OVS_KEY_ATTR_MPLS;
		if (match->mask && (match->mask->key.eth.type == htons(0xffff)))
			mask_allowed |= 1 << OVS_KEY_ATTR_MPLS;
	}

	if (match->key->eth.type == htons(ETH_P_IP)) {
		key_expected |= 1 << OVS_KEY_ATTR_IPV4;
		if (match->mask && match->mask->key.eth.type == htons(0xffff)) {
			mask_allowed |= 1 << OVS_KEY_ATTR_IPV4;
			mask_allowed |= 1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4;
		}

		/* L4 attributes are expected for every fragment type except
		 * OVS_FRAG_TYPE_LATER.
		 */
		if (match->key->ip.frag != OVS_FRAG_TYPE_LATER) {
			if (match->key->ip.proto == IPPROTO_UDP) {
				key_expected |= 1 << OVS_KEY_ATTR_UDP;
				if (match->mask && (match->mask->key.ip.proto == 0xff))
					mask_allowed |= 1 << OVS_KEY_ATTR_UDP;
			}

			if (match->key->ip.proto == IPPROTO_SCTP) {
				key_expected |= 1 << OVS_KEY_ATTR_SCTP;
				if (match->mask && (match->mask->key.ip.proto == 0xff))
					mask_allowed |= 1 << OVS_KEY_ATTR_SCTP;
			}

			if (match->key->ip.proto == IPPROTO_TCP) {
				key_expected |= 1 << OVS_KEY_ATTR_TCP;
				key_expected |= 1 << OVS_KEY_ATTR_TCP_FLAGS;
				if (match->mask && (match->mask->key.ip.proto == 0xff)) {
					mask_allowed |= 1 << OVS_KEY_ATTR_TCP;
					mask_allowed |= 1 << OVS_KEY_ATTR_TCP_FLAGS;
				}
			}

			if (match->key->ip.proto == IPPROTO_ICMP) {
				key_expected |= 1 << OVS_KEY_ATTR_ICMP;
				if (match->mask && (match->mask->key.ip.proto == 0xff))
					mask_allowed |= 1 << OVS_KEY_ATTR_ICMP;
			}
		}
	}

	if (match->key->eth.type == htons(ETH_P_IPV6)) {
		key_expected |= 1 << OVS_KEY_ATTR_IPV6;
		if (match->mask && match->mask->key.eth.type == htons(0xffff)) {
			mask_allowed |= 1 << OVS_KEY_ATTR_IPV6;
			mask_allowed |= 1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6;
		}

		if (match->key->ip.frag != OVS_FRAG_TYPE_LATER) {
			if (match->key->ip.proto == IPPROTO_UDP) {
				key_expected |= 1 << OVS_KEY_ATTR_UDP;
				if (match->mask && (match->mask->key.ip.proto == 0xff))
					mask_allowed |= 1 << OVS_KEY_ATTR_UDP;
			}

			if (match->key->ip.proto == IPPROTO_SCTP) {
				key_expected |= 1 << OVS_KEY_ATTR_SCTP;
				if (match->mask && (match->mask->key.ip.proto == 0xff))
					mask_allowed |= 1 << OVS_KEY_ATTR_SCTP;
			}

			if (match->key->ip.proto == IPPROTO_TCP) {
				key_expected |= 1 << OVS_KEY_ATTR_TCP;
				key_expected |= 1 << OVS_KEY_ATTR_TCP_FLAGS;
				if (match->mask && (match->mask->key.ip.proto == 0xff)) {
					mask_allowed |= 1 << OVS_KEY_ATTR_TCP;
					mask_allowed |= 1 << OVS_KEY_ATTR_TCP_FLAGS;
				}
			}

			if (match->key->ip.proto == IPPROTO_ICMPV6) {
				key_expected |= 1 << OVS_KEY_ATTR_ICMPV6;
				if (match->mask && (match->mask->key.ip.proto == 0xff))
					mask_allowed |= 1 << OVS_KEY_ATTR_ICMPV6;

				/* For ICMPv6 the key's tp.src is compared
				 * with the NDISC message types.
				 */
				if (match->key->tp.src ==
						htons(NDISC_NEIGHBOUR_SOLICITATION) ||
				    match->key->tp.src == htons(NDISC_NEIGHBOUR_ADVERTISEMENT)) {
					key_expected |= 1 << OVS_KEY_ATTR_ND;
					/* Original direction conntrack tuple
					 * uses the same space as the ND fields
					 * in the key, so both are not allowed
					 * at the same time.
					 */
					mask_allowed &= ~(1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6);
					if (match->mask && (match->mask->key.tp.src == htons(0xff)))
						mask_allowed |= 1 << OVS_KEY_ATTR_ND;
				}
			}
		}
	}

	if (match->key->eth.type == htons(ETH_P_NSH)) {
		key_expected |= 1 << OVS_KEY_ATTR_NSH;
		if (match->mask &&
		    match->mask->key.eth.type == htons(0xffff)) {
			mask_allowed |= 1 << OVS_KEY_ATTR_NSH;
		}
	}

	if ((key_attrs & key_expected) != key_expected) {
		/* Key attributes check failed. */
		OVS_NLERR(log, "Missing key (keys=%llx, expected=%llx)",
			  (unsigned long long)key_attrs,
			  (unsigned long long)key_expected);
		return false;
	}

	if ((mask_attrs & mask_allowed) != mask_attrs) {
		/* Mask attributes check failed. */
		OVS_NLERR(log, "Unexpected mask (mask=%llx, allowed=%llx)",
			  (unsigned long long)mask_attrs,
			  (unsigned long long)mask_allowed);
		return false;
	}

	return true;
}

/* Sum of nla_total_size() over the tunnel key attributes listed below.
 * The 256-byte term for the Geneve options also stands in for the VXLAN and
 * ERSPAN option attributes, which are mutually exclusive with it.
 * NOTE(review): presumably used to size Netlink buffers -- confirm at the
 * callers; an undersized estimate would surface as -EMSGSIZE when encoding.
 */
size_t ovs_tun_key_attr_size(void)
{
	/* Whenever adding new OVS_TUNNEL_KEY_ FIELDS, we should consider
	 * updating this function.
	 */
	return    nla_total_size_64bit(8) /* OVS_TUNNEL_KEY_ATTR_ID */
		+ nla_total_size(16)   /* OVS_TUNNEL_KEY_ATTR_IPV[46]_SRC */
		+ nla_total_size(16)   /* OVS_TUNNEL_KEY_ATTR_IPV[46]_DST */
		+ nla_total_size(1)    /* OVS_TUNNEL_KEY_ATTR_TOS */
		+ nla_total_size(1)    /* OVS_TUNNEL_KEY_ATTR_TTL */
		+ nla_total_size(0)    /* OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT */
		+ nla_total_size(0)    /* OVS_TUNNEL_KEY_ATTR_CSUM */
		+ nla_total_size(0)    /* OVS_TUNNEL_KEY_ATTR_OAM */
		+ nla_total_size(256)  /* OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS */
		/* OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS and
		 * OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS is mutually exclusive with
		 * OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS and covered by it.
		 */
		+ nla_total_size(2)    /* OVS_TUNNEL_KEY_ATTR_TP_SRC */
		+ nla_total_size(2);   /* OVS_TUNNEL_KEY_ATTR_TP_DST */
}

/* Sum of nla_total_size() for the NSH base header attribute plus the larger
 * of the two mutually exclusive metadata attributes (MD1 / MD2).
 */
static size_t ovs_nsh_key_attr_size(void)
{
	/* Whenever adding new OVS_NSH_KEY_ FIELDS, we should consider
	 * updating this function.
	 */
	return  nla_total_size(NSH_BASE_HDR_LEN) /* OVS_NSH_KEY_ATTR_BASE */
		/* OVS_NSH_KEY_ATTR_MD1 and OVS_NSH_KEY_ATTR_MD2 are
		 * mutually exclusive, so the bigger one can cover
		 * the small one.
		 */
		+ nla_total_size(NSH_CTX_HDRS_MAX_LEN);
}

/* Sum of nla_total_size() over the flow key attributes listed below,
 * including the nested tunnel and NSH attribute sizes.  The BUILD_BUG_ON
 * breaks the build when OVS_KEY_ATTR_TUNNEL_INFO moves away from 29, as a
 * reminder to revisit this list whenever the attribute enum changes.
 */
size_t ovs_key_attr_size(void)
{
	/* Whenever adding new OVS_KEY_ FIELDS, we should consider
	 * updating this function.
	 */
	BUILD_BUG_ON(OVS_KEY_ATTR_TUNNEL_INFO != 29);

	return    nla_total_size(4)   /* OVS_KEY_ATTR_PRIORITY */
		+ nla_total_size(0)   /* OVS_KEY_ATTR_TUNNEL */
		  + ovs_tun_key_attr_size()
		+ nla_total_size(4)   /* OVS_KEY_ATTR_IN_PORT */
		+ nla_total_size(4)   /* OVS_KEY_ATTR_SKB_MARK */
		+ nla_total_size(4)   /* OVS_KEY_ATTR_DP_HASH */
		+ nla_total_size(4)   /* OVS_KEY_ATTR_RECIRC_ID */
		+ nla_total_size(4)   /* OVS_KEY_ATTR_CT_STATE */
		+ nla_total_size(2)   /* OVS_KEY_ATTR_CT_ZONE */
		+ nla_total_size(4)   /* OVS_KEY_ATTR_CT_MARK */
		+ nla_total_size(16)  /* OVS_KEY_ATTR_CT_LABELS */
		+ nla_total_size(40)  /* OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6 */
		+ nla_total_size(0)   /* OVS_KEY_ATTR_NSH */
		  + ovs_nsh_key_attr_size()
		+ nla_total_size(12)  /* OVS_KEY_ATTR_ETHERNET */
		+ nla_total_size(2)   /* OVS_KEY_ATTR_ETHERTYPE */
		+ nla_total_size(4)   /* OVS_KEY_ATTR_VLAN */
		+ nla_total_size(0)   /* OVS_KEY_ATTR_ENCAP */
		+ nla_total_size(2)   /* OVS_KEY_ATTR_ETHERTYPE */
		+ nla_total_size(40)  /* OVS_KEY_ATTR_IPV6 */
		+ nla_total_size(2)   /* OVS_KEY_ATTR_ICMPV6 */
		+ nla_total_size(28); /* OVS_KEY_ATTR_ND */
}

/* Expected payload length of each %OVS_VXLAN_EXT_* attribute. */
static const struct ovs_len_tbl ovs_vxlan_ext_key_lens[OVS_VXLAN_EXT_MAX + 1] = {
	[OVS_VXLAN_EXT_GBP]	    = { .len = sizeof(u32) },
};

/* Expected payload length of each %OVS_TUNNEL_KEY_ATTR_* attribute.
 * GENEVE_OPTS and ERSPAN_OPTS are variable length, so their parsers bound
 * the length themselves.  OVS_TUNNEL_KEY_ATTR_PAD has no entry here and is
 * therefore accepted only with an empty payload.
 */
static const struct ovs_len_tbl ovs_tunnel_key_lens[OVS_TUNNEL_KEY_ATTR_MAX + 1] = {
	[OVS_TUNNEL_KEY_ATTR_ID]	    = { .len = sizeof(u64) },
	[OVS_TUNNEL_KEY_ATTR_IPV4_SRC]	    = { .len = sizeof(u32) },
	[OVS_TUNNEL_KEY_ATTR_IPV4_DST]	    = { .len = sizeof(u32) },
	[OVS_TUNNEL_KEY_ATTR_TOS]	    = { .len = 1 },
	[OVS_TUNNEL_KEY_ATTR_TTL]	    = { .len = 1 },
	[OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT] = { .len = 0 },
	[OVS_TUNNEL_KEY_ATTR_CSUM]	    = { .len = 0 },
	[OVS_TUNNEL_KEY_ATTR_TP_SRC]	    = { .len = sizeof(u16) },
	[OVS_TUNNEL_KEY_ATTR_TP_DST]	    = { .len = sizeof(u16) },
	[OVS_TUNNEL_KEY_ATTR_OAM]	    = { .len = 0 },
	[OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS]   = { .len = OVS_ATTR_VARIABLE },
	[OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS]    = { .len = OVS_ATTR_NESTED,
						.next = ovs_vxlan_ext_key_lens },
	[OVS_TUNNEL_KEY_ATTR_IPV6_SRC]      = { .len = sizeof(struct in6_addr) },
	[OVS_TUNNEL_KEY_ATTR_IPV6_DST]      = { .len = sizeof(struct in6_addr) },
	[OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS]   = { .len = OVS_ATTR_VARIABLE },
	[OVS_TUNNEL_KEY_ATTR_IPV4_INFO_BRIDGE]   = { .len = 0 },
};

/* Expected payload length of each %OVS_NSH_KEY_ATTR_* attribute. */
static const struct ovs_len_tbl
ovs_nsh_key_attr_lens[OVS_NSH_KEY_ATTR_MAX + 1] = {
	[OVS_NSH_KEY_ATTR_BASE] = { .len = sizeof(struct ovs_nsh_key_base) },
	[OVS_NSH_KEY_ATTR_MD1]  = { .len = sizeof(struct ovs_nsh_key_md1) },
	[OVS_NSH_KEY_ATTR_MD2]  = { .len = OVS_ATTR_VARIABLE },
};

/* The size of the argument for each %OVS_KEY_ATTR_* Netlink attribute. */
static const struct ovs_len_tbl ovs_key_lens[OVS_KEY_ATTR_MAX + 1] = {
	[OVS_KEY_ATTR_ENCAP]	 = { .len = OVS_ATTR_NESTED },
	[OVS_KEY_ATTR_PRIORITY]	 = { .len = sizeof(u32) },
	[OVS_KEY_ATTR_IN_PORT]	 = { .len = sizeof(u32) },
	[OVS_KEY_ATTR_SKB_MARK]	 = { .len = sizeof(u32) },
	[OVS_KEY_ATTR_ETHERNET]	 = { .len = sizeof(struct ovs_key_ethernet) },
	[OVS_KEY_ATTR_VLAN]	 = { .len = sizeof(__be16) },
	[OVS_KEY_ATTR_ETHERTYPE] = { .len = sizeof(__be16) },
	[OVS_KEY_ATTR_IPV4]	 = { .len = sizeof(struct ovs_key_ipv4) },
	[OVS_KEY_ATTR_IPV6]	 = { .len = sizeof(struct ovs_key_ipv6) },
	[OVS_KEY_ATTR_TCP]	 = { .len = sizeof(struct ovs_key_tcp) },
	[OVS_KEY_ATTR_TCP_FLAGS] = { .len = sizeof(__be16) },
	[OVS_KEY_ATTR_UDP]	 = { .len = sizeof(struct ovs_key_udp) },
	[OVS_KEY_ATTR_SCTP]	 = { .len = sizeof(struct ovs_key_sctp) },
	[OVS_KEY_ATTR_ICMP]	 = { .len = sizeof(struct ovs_key_icmp) },
	[OVS_KEY_ATTR_ICMPV6]	 = { .len = sizeof(struct ovs_key_icmpv6) },
	[OVS_KEY_ATTR_ARP]	 = { .len = sizeof(struct ovs_key_arp) },
	[OVS_KEY_ATTR_ND]	 = { .len = sizeof(struct ovs_key_nd) },
	[OVS_KEY_ATTR_RECIRC_ID] = { .len = sizeof(u32) },
	[OVS_KEY_ATTR_DP_HASH]	 = { .len = sizeof(u32) },
	[OVS_KEY_ATTR_TUNNEL]	 = { .len = OVS_ATTR_NESTED,
				     .next = ovs_tunnel_key_lens, },
	[OVS_KEY_ATTR_MPLS]	 = { .len = OVS_ATTR_VARIABLE },
	[OVS_KEY_ATTR_CT_STATE]	 = { .len = sizeof(u32) },
	[OVS_KEY_ATTR_CT_ZONE]	 = { .len = sizeof(u16) },
	[OVS_KEY_ATTR_CT_MARK]	 = { .len = sizeof(u32) },
	[OVS_KEY_ATTR_CT_LABELS] = { .len = sizeof(struct ovs_key_ct_labels) },
	[OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4] = {
		.len = sizeof(struct ovs_key_ct_tuple_ipv4) },
	[OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6] = {
		.len = sizeof(struct ovs_key_ct_tuple_ipv6) },
	[OVS_KEY_ATTR_NSH]       = { .len = OVS_ATTR_NESTED,
				     .next = ovs_nsh_key_attr_lens, },
};

/* Return true when @attr_len matches @expected_len exactly, or when
 * @expected_len is one of the OVS_ATTR_NESTED / OVS_ATTR_VARIABLE sentinels.
 * Both parameters are unsigned, so the negative sentinels (and an int table
 * value passed in by the caller) are compared after conversion to unsigned.
 * For the sentinel cases no length is enforced here at all.
 */
static bool check_attr_len(unsigned int attr_len, unsigned int expected_len)
{
	return expected_len == attr_len ||
	       expected_len == OVS_ATTR_NESTED ||
	       expected_len == OVS_ATTR_VARIABLE;
}

/* Return true when all @size bytes at @fp are zero.  A NULL @fp returns
 * false; a zero @size with a non-NULL @fp returns true.
 */
static bool is_all_zero(const u8 *fp, size_t size)
{
	int i;

	if (!fp)
		return false;

	for (i = 0; i < size; i++)
		if (fp[i])
			return false;

	return true;
}

/* Walk the attributes nested in @attr and record them by type.
 * @a:      output array indexed by attribute type; the range check below
 *          means it needs OVS_KEY_ATTR_MAX + 1 slots.  Slots are only ever
 *          written, never cleared, here -- presumably the caller zeroes the
 *          array first (confirm at call sites).
 * @attrsp: in/out bitmap of the types seen so far (bit n = type n).
 * @nz:     when true, attributes whose payload is all zero bytes are left
 *          out of both @a and the bitmap.
 *
 * Rejects with -EINVAL: a type above OVS_KEY_ATTR_MAX, a type whose bit is
 * already set in the bitmap (duplicate), a payload length that
 * check_attr_len() refuses, and trailing bytes after the last attribute.
 * *attrsp is updated only on success; @a may already have been partly
 * written when an error is returned.
 */
static int __parse_flow_nlattrs(const struct nlattr *attr,
				const struct nlattr *a[],
				u64 *attrsp, bool log, bool nz)
{
	const struct nlattr *nla;
	u64 attrs;
	int rem;

	attrs = *attrsp;
	nla_for_each_nested(nla, attr, rem) {
		u16 type = nla_type(nla);
		int expected_len;

		/* Must precede the ovs_key_lens[type] and a[type] accesses. */
		if (type > OVS_KEY_ATTR_MAX) {
			OVS_NLERR(log, "Key type %d is out of range max %d",
				  type, OVS_KEY_ATTR_MAX);
			return -EINVAL;
		}

		/* NOTE(review): 1 << type is an int shift although attrs is
		 * u64; well defined only while OVS_KEY_ATTR_MAX stays below
		 * 31 -- confirm against the enum.
		 */
		if (attrs & (1 << type)) {
			OVS_NLERR(log, "Duplicate key (type %d).", type);
			return -EINVAL;
		}

		expected_len = ovs_key_lens[type].len;
		if (!check_attr_len(nla_len(nla), expected_len)) {
			OVS_NLERR(log, "Key %d has unexpected len %d expected %d",
				  type, nla_len(nla), expected_len);
			return -EINVAL;
		}

		/* An all-zero attribute skipped under nz does not set its
		 * bit, so a later attribute of the same type is not reported
		 * as a duplicate.
		 */
		if (!nz || !is_all_zero(nla_data(nla), nla_len(nla))) {
			attrs |= 1 << type;
			a[type] = nla;
		}
	}
	if (rem) {
		OVS_NLERR(log, "Message has %d unknown bytes.", rem);
		return -EINVAL;
	}

	*attrsp = attrs;
	return 0;
}

/* Parse mask attributes: as __parse_flow_nlattrs() with nz = true, so
 * all-zero attributes are not recorded.
 */
static int parse_flow_mask_nlattrs(const struct nlattr *attr,
				   const struct nlattr *a[], u64 *attrsp,
				   bool log)
{
	return __parse_flow_nlattrs(attr, a, attrsp, log, true);
}

/* Parse key attributes: as __parse_flow_nlattrs() with nz = false, so every
 * well-formed attribute is recorded.
 */
int parse_flow_nlattrs(const struct nlattr *attr, const struct nlattr *a[],
		       u64 *attrsp, bool log)
{
	return __parse_flow_nlattrs(attr, a, attrsp, log, false);
}

/* Copy a Geneve options attribute into the tunnel-options area of the key
 * (or of the mask when @is_mask).
 *
 * The payload length must not exceed sizeof(key->tun_opts) and must be a
 * multiple of 4; these two checks are what bound the memcpy at the end,
 * because the length table marks this attribute OVS_ATTR_VARIABLE.  The
 * individual options inside the blob are not examined in this function.
 * For a mask, the length must equal the key's recorded tun_opts_len, which
 * relies on the key having been parsed before the mask.
 *
 * Returns 0 on success or -EINVAL.
 */
static int genev_tun_opt_from_nlattr(const struct nlattr *a,
				     struct sw_flow_match *match, bool is_mask,
				     bool log)
{
	unsigned long opt_key_offset;

	if (nla_len(a) > sizeof(match->key->tun_opts)) {
		OVS_NLERR(log, "Geneve option length err (len %d, max %zu).",
			  nla_len(a), sizeof(match->key->tun_opts));
		return -EINVAL;
	}

	if (nla_len(a) % 4 != 0) {
		OVS_NLERR(log, "Geneve opt len %d is not a multiple of 4.",
			  nla_len(a));
		return -EINVAL;
	}

	/* We need to record the length of the options passed
	 * down, otherwise packets with the same format but
	 * additional options will be silently matched.
	 */
	if (!is_mask) {
		SW_FLOW_KEY_PUT(match, tun_opts_len, nla_len(a),
				false);
	} else {
		/* This is somewhat unusual because it looks at
		 * both the key and mask while parsing the
		 * attributes (and by extension assumes the key
		 * is parsed first). Normally, we would verify
		 * that each is the correct length and that the
		 * attributes line up in the validate function.
		 * However, that is difficult because this is
		 * variable length and we won't have the
		 * information later.
		 */
		if (match->key->tun_opts_len != nla_len(a)) {
			OVS_NLERR(log, "Geneve option len %d != mask len %d",
				  match->key->tun_opts_len, nla_len(a));
			return -EINVAL;
		}

		SW_FLOW_KEY_PUT(match, tun_opts_len, 0xff, true);
	}

	/* NOTE(review): TUN_METADATA_OFFSET is defined outside this file;
	 * the copy stays inside tun_opts only if the offset it yields plus
	 * nla_len(a) does -- confirm against its definition.
	 */
	opt_key_offset = TUN_METADATA_OFFSET(nla_len(a));
	SW_FLOW_KEY_MEMCPY_OFFSET(match, opt_key_offset, nla_data(a),
				  nla_len(a), is_mask);
	return 0;
}

/* Parse the nested VXLAN extension attributes into a zeroed
 * struct vxlan_metadata and copy that fixed-size struct into the
 * tunnel-options area of the key (or mask).
 *
 * Each nested type is range-checked before it indexes
 * ovs_vxlan_ext_key_lens[], then length-checked; only OVS_VXLAN_EXT_GBP is
 * accepted.  Because a local struct is copied rather than the attribute
 * payload, the copy length is the compile-time sizeof(opts), which the
 * BUILD_BUG_ON ties to the size of tun_opts.
 *
 * Returns 0 on success or -EINVAL.
 */
static int vxlan_tun_opt_from_nlattr(const struct nlattr *attr,
				     struct sw_flow_match *match, bool is_mask,
				     bool log)
{
	struct nlattr *a;
	int rem;
	unsigned long opt_key_offset;
	struct vxlan_metadata opts;

	BUILD_BUG_ON(sizeof(opts) > sizeof(match->key->tun_opts));

	memset(&opts, 0, sizeof(opts));
	nla_for_each_nested(a, attr, rem) {
		int type = nla_type(a);

		if (type > OVS_VXLAN_EXT_MAX) {
			OVS_NLERR(log, "VXLAN extension %d out of range max %d",
				  type, OVS_VXLAN_EXT_MAX);
			return -EINVAL;
		}

		if (!check_attr_len(nla_len(a),
				    ovs_vxlan_ext_key_lens[type].len)) {
			OVS_NLERR(log, "VXLAN extension %d has unexpected len %d expected %d",
				  type, nla_len(a),
				  ovs_vxlan_ext_key_lens[type].len);
			return -EINVAL;
		}

		switch (type) {
		case OVS_VXLAN_EXT_GBP:
			opts.gbp = nla_get_u32(a);
			break;
		default:
			OVS_NLERR(log, "Unknown VXLAN extension attribute %d",
				  type);
			return -EINVAL;
		}
	}
	if (rem) {
		OVS_NLERR(log, "VXLAN extension message has %d unknown bytes.",
			  rem);
		return -EINVAL;
	}

	if (!is_mask)
		SW_FLOW_KEY_PUT(match, tun_opts_len, sizeof(opts), false);
	else
		SW_FLOW_KEY_PUT(match, tun_opts_len, 0xff, true);

	opt_key_offset = TUN_METADATA_OFFSET(sizeof(opts));
	SW_FLOW_KEY_MEMCPY_OFFSET(match, opt_key_offset, &opts, sizeof(opts),
				  is_mask);
	return 0;
}

/* Copy an ERSPAN options attribute into the tunnel-options area of the key
 * (or mask).
 *
 * The only runtime length check is the upper bound against
 * sizeof(key->tun_opts); the length table marks this attribute
 * OVS_ATTR_VARIABLE, so nothing else constrains nla_len(a).
 *
 * NOTE(review): the key's tun_opts_len is recorded as
 * sizeof(struct erspan_metadata), while both the destination offset and the
 * number of bytes copied are derived from nla_len(a).  Nothing here requires
 * the two to be equal, so for an attribute of a different length the
 * recorded length and the region actually written disagree -- confirm
 * whether an exact-length check is intended.
 *
 * Returns 0 on success or -EINVAL.
 */
static int erspan_tun_opt_from_nlattr(const struct nlattr *a,
				      struct sw_flow_match *match, bool is_mask,
				      bool log)
{
	unsigned long opt_key_offset;

	BUILD_BUG_ON(sizeof(struct erspan_metadata) >
		     sizeof(match->key->tun_opts));

	if (nla_len(a) > sizeof(match->key->tun_opts)) {
		OVS_NLERR(log, "ERSPAN option length err (len %d, max %zu).",
			  nla_len(a), sizeof(match->key->tun_opts));
		return -EINVAL;
	}

	if (!is_mask)
		SW_FLOW_KEY_PUT(match, tun_opts_len,
				sizeof(struct erspan_metadata), false);
	else
		SW_FLOW_KEY_PUT(match, tun_opts_len, 0xff, true);

	opt_key_offset = TUN_METADATA_OFFSET(nla_len(a));
	SW_FLOW_KEY_MEMCPY_OFFSET(match, opt_key_offset, nla_data(a),
				  nla_len(a), is_mask);
	return 0;
}

/* Parse the attributes nested in an OVS_KEY_ATTR_TUNNEL attribute into the
 * tunnel part of the key (or mask).
 *
 * Returns the attribute type of the option block that was parsed
 * (GENEVE/VXLAN/ERSPAN), 0 when there was none, or a negative errno.
 *
 * Points a reviewer should keep in mind:
 *  - every type is range-checked before it indexes ovs_tunnel_key_lens[];
 *  - at most one option block is accepted (opts_type guard), but the scalar
 *    attributes are not tracked for duplicates, so a repeated attribute
 *    overwrites the value written by the earlier one;
 *  - key fields are written while the loop runs, before the trailing-bytes,
 *    address-family and TTL checks, so on an error return @match is already
 *    partly modified and must not be used by the caller.
 */
static int ip_tun_from_nlattr(const struct nlattr *attr,
			      struct sw_flow_match *match, bool is_mask,
			      bool log)
{
	bool ttl = false, ipv4 = false, ipv6 = false;
	bool info_bridge_mode = false;
	__be16 tun_flags = 0;
	int opts_type = 0;
	struct nlattr *a;
	int rem;

	nla_for_each_nested(a, attr, rem) {
		int type = nla_type(a);
		int err;

		if (type > OVS_TUNNEL_KEY_ATTR_MAX) {
			OVS_NLERR(log, "Tunnel attr %d out of range max %d",
				  type, OVS_TUNNEL_KEY_ATTR_MAX);
			return -EINVAL;
		}

		if (!check_attr_len(nla_len(a),
				    ovs_tunnel_key_lens[type].len)) {
			OVS_NLERR(log, "Tunnel attr %d has unexpected len %d expected %d",
				  type, nla_len(a), ovs_tunnel_key_lens[type].len);
			return -EINVAL;
		}

		switch (type) {
		case OVS_TUNNEL_KEY_ATTR_ID:
			SW_FLOW_KEY_PUT(match, tun_key.tun_id,
					nla_get_be64(a), is_mask);
			tun_flags |= TUNNEL_KEY;
			break;
		case OVS_TUNNEL_KEY_ATTR_IPV4_SRC:
			SW_FLOW_KEY_PUT(match, tun_key.u.ipv4.src,
					nla_get_in_addr(a), is_mask);
			ipv4 = true;
			break;
		case OVS_TUNNEL_KEY_ATTR_IPV4_DST:
			SW_FLOW_KEY_PUT(match, tun_key.u.ipv4.dst,
					nla_get_in_addr(a), is_mask);
			ipv4 = true;
			break;
		case OVS_TUNNEL_KEY_ATTR_IPV6_SRC:
			SW_FLOW_KEY_PUT(match, tun_key.u.ipv6.src,
					nla_get_in6_addr(a), is_mask);
			ipv6 = true;
			break;
		case OVS_TUNNEL_KEY_ATTR_IPV6_DST:
			SW_FLOW_KEY_PUT(match, tun_key.u.ipv6.dst,
					nla_get_in6_addr(a), is_mask);
			ipv6 = true;
			break;
		case OVS_TUNNEL_KEY_ATTR_TOS:
			SW_FLOW_KEY_PUT(match, tun_key.tos,
					nla_get_u8(a), is_mask);
			break;
		case OVS_TUNNEL_KEY_ATTR_TTL:
			SW_FLOW_KEY_PUT(match, tun_key.ttl,
					nla_get_u8(a), is_mask);
			ttl = true;
			break;
		case OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT:
			tun_flags |= TUNNEL_DONT_FRAGMENT;
			break;
		case OVS_TUNNEL_KEY_ATTR_CSUM:
			tun_flags |= TUNNEL_CSUM;
			break;
		case OVS_TUNNEL_KEY_ATTR_TP_SRC:
			SW_FLOW_KEY_PUT(match, tun_key.tp_src,
					nla_get_be16(a), is_mask);
			break;
		case OVS_TUNNEL_KEY_ATTR_TP_DST:
			SW_FLOW_KEY_PUT(match, tun_key.tp_dst,
					nla_get_be16(a), is_mask);
			break;
		case OVS_TUNNEL_KEY_ATTR_OAM:
			tun_flags |= TUNNEL_OAM;
			break;
		case OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS:
			/* The three option blocks share tun_opts, so only
			 * one of them may appear.
			 */
			if (opts_type) {
				OVS_NLERR(log, "Multiple metadata blocks provided");
				return -EINVAL;
			}

			err = genev_tun_opt_from_nlattr(a, match, is_mask, log);
			if (err)
				return err;

			tun_flags |= TUNNEL_GENEVE_OPT;
			opts_type = type;
			break;
		case OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS:
			if (opts_type) {
				OVS_NLERR(log, "Multiple metadata blocks provided");
				return -EINVAL;
			}

			err = vxlan_tun_opt_from_nlattr(a, match, is_mask, log);
			if (err)
				return err;

			tun_flags |= TUNNEL_VXLAN_OPT;
			opts_type = type;
			break;
		case OVS_TUNNEL_KEY_ATTR_PAD:
			/* Accepted and ignored. */
			break;
		case OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS:
			if (opts_type) {
				OVS_NLERR(log, "Multiple metadata blocks provided");
				return -EINVAL;
			}

			err = erspan_tun_opt_from_nlattr(a, match, is_mask,
							 log);
			if (err)
				return err;

			tun_flags |= TUNNEL_ERSPAN_OPT;
			opts_type = type;
			break;
		case OVS_TUNNEL_KEY_ATTR_IPV4_INFO_BRIDGE:
			info_bridge_mode = true;
			ipv4 = true;
			break;
		default:
			OVS_NLERR(log, "Unknown IP tunnel attribute %d",
				  type);
			return -EINVAL;
		}
	}

	SW_FLOW_KEY_PUT(match, tun_key.tun_flags, tun_flags, is_mask);
	/* The mask matches tun_proto exactly; the key records the family,
	 * defaulting to AF_INET when no IPv6 address attribute was seen.
	 */
	if (is_mask)
		SW_FLOW_KEY_MEMSET_FIELD(match, tun_proto, 0xff, true);
	else
		SW_FLOW_KEY_PUT(match, tun_proto, ipv6 ? AF_INET6 : AF_INET,
				false);

	if (rem > 0) {
		OVS_NLERR(log, "IP tunnel attribute has %d unknown bytes.",
			  rem);
		return -EINVAL;
	}

	if (ipv4 && ipv6) {
		OVS_NLERR(log, "Mixed IPv4 and IPv6 tunnel attributes");
		return -EINVAL;
	}

	/* The remaining checks apply to the key only, not to a mask. */
	if (!is_mask) {
		if (!ipv4 && !ipv6) {
			OVS_NLERR(log, "IP tunnel dst address not specified");
			return -EINVAL;
		}
		if (ipv4) {
			if (info_bridge_mode) {
				/* In bridge mode nothing but the tunnel id
				 * (TUNNEL_KEY) may be set.
				 */
				if (match->key->tun_key.u.ipv4.src ||
				    match->key->tun_key.u.ipv4.dst ||
				    match->key->tun_key.tp_src ||
				    match->key->tun_key.tp_dst ||
				    match->key->tun_key.ttl ||
				    match->key->tun_key.tos ||
				    tun_flags & ~TUNNEL_KEY) {
					OVS_NLERR(log, "IPv4 tun info is not correct");
					return -EINVAL;
				}
			} else if (!match->key->tun_key.u.ipv4.dst) {
				OVS_NLERR(log, "IPv4 tunnel dst address is zero");
				return -EINVAL;
			}
		}
		if (ipv6 && ipv6_addr_any(&match->key->tun_key.u.ipv6.dst)) {
			OVS_NLERR(log, "IPv6 tunnel dst address is zero");
			return -EINVAL;
		}

		if (!ttl && !info_bridge_mode) {
			OVS_NLERR(log, "IP tunnel TTL not specified.");
			return -EINVAL;
		}
	}

	return opts_type;
}

/* Emit a nested OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS attribute holding the GBP
 * value read from @tun_opts, which is interpreted as a
 * struct vxlan_metadata.  @swkey_tun_opts_len is not used, so the size of
 * the buffer behind @tun_opts is trusted.
 *
 * Returns 0 or -EMSGSIZE.  When nla_put_u32() fails the nest opened above is
 * neither closed nor cancelled here -- presumably the caller discards or
 * trims the skb on error (confirm at call sites).
 */
static int vxlan_opt_to_nlattr(struct sk_buff *skb,
			       const void *tun_opts, int swkey_tun_opts_len)
{
	const struct vxlan_metadata *opts = tun_opts;
	struct nlattr *nla;

	nla = nla_nest_start_noflag(skb, OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS);
	if (!nla)
		return -EMSGSIZE;

	if (nla_put_u32(skb, OVS_VXLAN_EXT_GBP, opts->gbp) < 0)
		return -EMSGSIZE;

	nla_nest_end(skb, nla);
	return 0;
}

/* Serialise a tunnel key into OVS_TUNNEL_KEY_ATTR_* attributes on @skb.
 *
 * Zero-valued addresses, TOS and ports are omitted; TTL is always emitted.
 * With IP_TUNNEL_INFO_BRIDGE set in @mode only the optional tunnel id and
 * the IPV4_INFO_BRIDGE flag are written.  The option block, if any, is
 * chosen by the GENEVE/VXLAN/ERSPAN bit in output->tun_flags and written
 * with @swkey_tun_opts_len bytes from @tun_opts; that length is not checked
 * against anything in this function.
 *
 * Returns 0, or -EMSGSIZE when an attribute does not fit.
 */
static int __ip_tun_to_nlattr(struct sk_buff *skb,
			      const struct ip_tunnel_key *output,
			      const void *tun_opts, int swkey_tun_opts_len,
			      unsigned short tun_proto, u8 mode)
{
	if (output->tun_flags & TUNNEL_KEY &&
	    nla_put_be64(skb, OVS_TUNNEL_KEY_ATTR_ID, output->tun_id,
			 OVS_TUNNEL_KEY_ATTR_PAD))
		return -EMSGSIZE;

	if (mode & IP_TUNNEL_INFO_BRIDGE)
		return nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_IPV4_INFO_BRIDGE)
		       ? -EMSGSIZE : 0;

	/* Any tun_proto other than AF_INET / AF_INET6 emits no addresses. */
	switch (tun_proto) {
	case AF_INET:
		if (output->u.ipv4.src &&
		    nla_put_in_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV4_SRC,
				    output->u.ipv4.src))
			return -EMSGSIZE;
		if (output->u.ipv4.dst &&
		    nla_put_in_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV4_DST,
				    output->u.ipv4.dst))
			return -EMSGSIZE;
		break;
	case AF_INET6:
		if (!ipv6_addr_any(&output->u.ipv6.src) &&
		    nla_put_in6_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV6_SRC,
				     &output->u.ipv6.src))
			return -EMSGSIZE;
		if (!ipv6_addr_any(&output->u.ipv6.dst) &&
		    nla_put_in6_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV6_DST,
				     &output->u.ipv6.dst))
			return -EMSGSIZE;
		break;
	}
	if (output->tos &&
	    nla_put_u8(skb, OVS_TUNNEL_KEY_ATTR_TOS, output->tos))
		return -EMSGSIZE;
	if (nla_put_u8(skb, OVS_TUNNEL_KEY_ATTR_TTL, output->ttl))
		return -EMSGSIZE;
	if ((output->tun_flags & TUNNEL_DONT_FRAGMENT) &&
	    nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT))
		return -EMSGSIZE;
	if ((output->tun_flags & TUNNEL_CSUM) &&
	    nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_CSUM))
		return -EMSGSIZE;
	if (output->tp_src &&
	    nla_put_be16(skb, OVS_TUNNEL_KEY_ATTR_TP_SRC, output->tp_src))
		return -EMSGSIZE;
	if (output->tp_dst &&
	    nla_put_be16(skb, OVS_TUNNEL_KEY_ATTR_TP_DST, output->tp_dst))
		return -EMSGSIZE;
	if ((output->tun_flags & TUNNEL_OAM) &&
	    nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_OAM))
		return -EMSGSIZE;
	if (swkey_tun_opts_len) {
		/* Each condition is "flag set AND the put failed"; a
		 * successful put makes it false and falls through to the
		 * next else-if, whose own flag test then decides.
		 */
		if (output->tun_flags & TUNNEL_GENEVE_OPT &&
		    nla_put(skb, OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS,
			    swkey_tun_opts_len, tun_opts))
			return -EMSGSIZE;
		else if (output->tun_flags & TUNNEL_VXLAN_OPT &&
			 vxlan_opt_to_nlattr(skb, tun_opts, swkey_tun_opts_len))
			return -EMSGSIZE;
		else if (output->tun_flags & TUNNEL_ERSPAN_OPT &&
			 nla_put(skb, OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS,
				 swkey_tun_opts_len, tun_opts))
			return -EMSGSIZE;
	}

	return 0;
}

/* Wrap __ip_tun_to_nlattr() in a nested OVS_KEY_ATTR_TUNNEL attribute.
 * Returns 0, -EMSGSIZE when the nest cannot be started, or the error from
 * __ip_tun_to_nlattr(); in the latter case the nest is left open (not ended
 * or cancelled) on @skb.
 */
static int ip_tun_to_nlattr(struct sk_buff *skb,
			    const struct ip_tunnel_key *output,
			    const void *tun_opts, int swkey_tun_opts_len,
			    unsigned short tun_proto, u8 mode)
{
	struct nlattr *nla;
	int err;

	nla = nla_nest_start_noflag(skb, OVS_KEY_ATTR_TUNNEL);
	if (!nla)
		return -EMSGSIZE;

	err = __ip_tun_to_nlattr(skb, output, tun_opts, swkey_tun_opts_len,
				 tun_proto, mode);
	if (err)
		return err;

	nla_nest_end(skb, nla);
	return 0;
}

/* Serialise @tun_info (key, options, address family and mode) onto @skb as
 * OVS_TUNNEL_KEY_ATTR_* attributes, without an enclosing nest.
 */
int ovs_nla_put_tunnel_info(struct sk_buff *skb,
			    struct ip_tunnel_info *tun_info)
{
	return __ip_tun_to_nlattr(skb, &tun_info->key,
				  ip_tunnel_info_opts(tun_info),
				  tun_info->options_len,
				  ip_tunnel_info_af(tun_info), tun_info->mode);
}

/* Store the VLAN TPID (from the ETHERTYPE attribute) and TCI (from the VLAN
 * attribute) into eth.vlan, or into eth.cvlan when @inner, of the key or
 * mask.  A missing attribute leaves the corresponding value at 0.  No
 * validation happens here; always returns 0.
 */
static int encode_vlan_from_nlattrs(struct sw_flow_match *match,
				    const struct nlattr *a[],
				    bool is_mask, bool inner)
{
	__be16 tci = 0;
	__be16 tpid = 0;

	if (a[OVS_KEY_ATTR_VLAN])
		tci = nla_get_be16(a[OVS_KEY_ATTR_VLAN]);

	if (a[OVS_KEY_ATTR_ETHERTYPE])
		tpid = nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE]);

	if (likely(!inner)) {
		SW_FLOW_KEY_PUT(match, eth.vlan.tpid, tpid, is_mask);
		SW_FLOW_KEY_PUT(match, eth.vlan.tci, tci, is_mask);
	} else {
		SW_FLOW_KEY_PUT(match, eth.cvlan.tpid, tpid, is_mask);
		SW_FLOW_KEY_PUT(match, eth.cvlan.tci, tci, is_mask);
	}
	return 0;
}

/* Decide whether the key attributes describe a (C-)VLAN frame and validate
 * them if so.
 *
 * Returns 0 when the attributes are not a VLAN (ETHERNET or ETHERTYPE
 * missing, or the ethertype is not a VLAN type), 1 for a valid VLAN, and
 * -EINVAL when VLAN or ENCAP is missing, when a non-zero TCI lacks the
 * VLAN_CFI_MASK bit, or when a zero TCI comes with a non-empty ENCAP.
 *
 * a[OVS_KEY_ATTR_ETHERTYPE] and a[OVS_KEY_ATTR_ENCAP] are dereferenced
 * without a NULL test; safety relies on the @key_attrs bits, tested first,
 * being in step with @a.  @match is not used.
 */
static int validate_vlan_from_nlattrs(const struct sw_flow_match *match,
				      u64 key_attrs, bool inner,
				      const struct nlattr **a, bool log)
{
	__be16 tci = 0;

	if (!((key_attrs & (1 << OVS_KEY_ATTR_ETHERNET)) &&
	      (key_attrs & (1 << OVS_KEY_ATTR_ETHERTYPE)) &&
	       eth_type_vlan(nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE])))) {
		/* Not a VLAN. */
		return 0;
	}

	if (!((key_attrs & (1 << OVS_KEY_ATTR_VLAN)) &&
	      (key_attrs & (1 << OVS_KEY_ATTR_ENCAP)))) {
		OVS_NLERR(log, "Invalid %s frame", (inner) ? "C-VLAN" : "VLAN");
		return -EINVAL;
	}

	if (a[OVS_KEY_ATTR_VLAN])
		tci = nla_get_be16(a[OVS_KEY_ATTR_VLAN]);

	if (!(tci & htons(VLAN_CFI_MASK))) {
		if (tci) {
			OVS_NLERR(log, "%s TCI does not have VLAN_CFI_MASK bit set.",
				  (inner) ? "C-VLAN" : "VLAN");
			return -EINVAL;
		} else if (nla_len(a[OVS_KEY_ATTR_ENCAP])) {
			/* Corner case for truncated VLAN header. */
			OVS_NLERR(log, "Truncated %s header has non-zero encap attribute.",
				  (inner) ? "C-VLAN" : "VLAN");
			return -EINVAL;
		}
	}

	return 1;
}

static int validate_vlan_mask_from_nlattrs(const struct sw_flow_match *match,
					   u64 key_attrs, bool inner,
					   const struct nlattr **a, bool log)
{
	__be16 tci = 0;
	__be16 tpid = 0;
	bool encap_valid = !!(match->key->eth.vlan.tci &
			      htons(VLAN_CFI_MASK));
	bool i_encap_valid = !!(match->key->eth.cvlan.tci &
				htons(VLAN_CFI_MASK));

	if (!(key_attrs & (1 << OVS_KEY_ATTR_ENCAP))) {
		/* Not a VLAN. */
		return 0;
	}

	if ((!inner && !encap_valid) || (inner && !i_encap_valid)) {
		OVS_NLERR(log, "Encap mask attribute is set for non-%s frame.",
			  (inner) ? "C-VLAN" : "VLAN");
		return -EINVAL;
	}

	if (a[OVS_KEY_ATTR_VLAN])
		tci = nla_get_be16(a[OVS_KEY_ATTR_VLAN]);

	if (a[OVS_KEY_ATTR_ETHERTYPE])
		tpid = nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE]);

	if (tpid != htons(0xffff)) {
		OVS_NLERR(log, "Must have an exact match on %s TPID (mask=%x).",
			  (inner) ?
"C-VLAN" : "VLAN", ntohs(tpid)); 1052 return -EINVAL; 1053 } 1054 if (!(tci & htons(VLAN_CFI_MASK))) { 1055 OVS_NLERR(log, "%s TCI mask does not have exact match for VLAN_CFI_MASK bit.", 1056 (inner) ? "C-VLAN" : "VLAN"); 1057 return -EINVAL; 1058 } 1059 1060 return 1; 1061 } 1062 1063 static int __parse_vlan_from_nlattrs(struct sw_flow_match *match, 1064 u64 *key_attrs, bool inner, 1065 const struct nlattr **a, bool is_mask, 1066 bool log) 1067 { 1068 int err; 1069 const struct nlattr *encap; 1070 1071 if (!is_mask) 1072 err = validate_vlan_from_nlattrs(match, *key_attrs, inner, 1073 a, log); 1074 else 1075 err = validate_vlan_mask_from_nlattrs(match, *key_attrs, inner, 1076 a, log); 1077 if (err <= 0) 1078 return err; 1079 1080 err = encode_vlan_from_nlattrs(match, a, is_mask, inner); 1081 if (err) 1082 return err; 1083 1084 *key_attrs &= ~(1 << OVS_KEY_ATTR_ENCAP); 1085 *key_attrs &= ~(1 << OVS_KEY_ATTR_VLAN); 1086 *key_attrs &= ~(1 << OVS_KEY_ATTR_ETHERTYPE); 1087 1088 encap = a[OVS_KEY_ATTR_ENCAP]; 1089 1090 if (!is_mask) 1091 err = parse_flow_nlattrs(encap, a, key_attrs, log); 1092 else 1093 err = parse_flow_mask_nlattrs(encap, a, key_attrs, log); 1094 1095 return err; 1096 } 1097 1098 static int parse_vlan_from_nlattrs(struct sw_flow_match *match, 1099 u64 *key_attrs, const struct nlattr **a, 1100 bool is_mask, bool log) 1101 { 1102 int err; 1103 bool encap_valid = false; 1104 1105 err = __parse_vlan_from_nlattrs(match, key_attrs, false, a, 1106 is_mask, log); 1107 if (err) 1108 return err; 1109 1110 encap_valid = !!(match->key->eth.vlan.tci & htons(VLAN_CFI_MASK)); 1111 if (encap_valid) { 1112 err = __parse_vlan_from_nlattrs(match, key_attrs, true, a, 1113 is_mask, log); 1114 if (err) 1115 return err; 1116 } 1117 1118 return 0; 1119 } 1120 1121 static int parse_eth_type_from_nlattrs(struct sw_flow_match *match, 1122 u64 *attrs, const struct nlattr **a, 1123 bool is_mask, bool log) 1124 { 1125 __be16 eth_type; 1126 1127 eth_type = 
nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE]); 1128 if (is_mask) { 1129 /* Always exact match EtherType. */ 1130 eth_type = htons(0xffff); 1131 } else if (!eth_proto_is_802_3(eth_type)) { 1132 OVS_NLERR(log, "EtherType %x is less than min %x", 1133 ntohs(eth_type), ETH_P_802_3_MIN); 1134 return -EINVAL; 1135 } 1136 1137 SW_FLOW_KEY_PUT(match, eth.type, eth_type, is_mask); 1138 *attrs &= ~(1 << OVS_KEY_ATTR_ETHERTYPE); 1139 return 0; 1140 } 1141 1142 static int metadata_from_nlattrs(struct net *net, struct sw_flow_match *match, 1143 u64 *attrs, const struct nlattr **a, 1144 bool is_mask, bool log) 1145 { 1146 u8 mac_proto = MAC_PROTO_ETHERNET; 1147 1148 if (*attrs & (1 << OVS_KEY_ATTR_DP_HASH)) { 1149 u32 hash_val = nla_get_u32(a[OVS_KEY_ATTR_DP_HASH]); 1150 1151 SW_FLOW_KEY_PUT(match, ovs_flow_hash, hash_val, is_mask); 1152 *attrs &= ~(1 << OVS_KEY_ATTR_DP_HASH); 1153 } 1154 1155 if (*attrs & (1 << OVS_KEY_ATTR_RECIRC_ID)) { 1156 u32 recirc_id = nla_get_u32(a[OVS_KEY_ATTR_RECIRC_ID]); 1157 1158 SW_FLOW_KEY_PUT(match, recirc_id, recirc_id, is_mask); 1159 *attrs &= ~(1 << OVS_KEY_ATTR_RECIRC_ID); 1160 } 1161 1162 if (*attrs & (1 << OVS_KEY_ATTR_PRIORITY)) { 1163 SW_FLOW_KEY_PUT(match, phy.priority, 1164 nla_get_u32(a[OVS_KEY_ATTR_PRIORITY]), is_mask); 1165 *attrs &= ~(1 << OVS_KEY_ATTR_PRIORITY); 1166 } 1167 1168 if (*attrs & (1 << OVS_KEY_ATTR_IN_PORT)) { 1169 u32 in_port = nla_get_u32(a[OVS_KEY_ATTR_IN_PORT]); 1170 1171 if (is_mask) { 1172 in_port = 0xffffffff; /* Always exact match in_port. 
*/ 1173 } else if (in_port >= DP_MAX_PORTS) { 1174 OVS_NLERR(log, "Port %d exceeds max allowable %d", 1175 in_port, DP_MAX_PORTS); 1176 return -EINVAL; 1177 } 1178 1179 SW_FLOW_KEY_PUT(match, phy.in_port, in_port, is_mask); 1180 *attrs &= ~(1 << OVS_KEY_ATTR_IN_PORT); 1181 } else if (!is_mask) { 1182 SW_FLOW_KEY_PUT(match, phy.in_port, DP_MAX_PORTS, is_mask); 1183 } 1184 1185 if (*attrs & (1 << OVS_KEY_ATTR_SKB_MARK)) { 1186 uint32_t mark = nla_get_u32(a[OVS_KEY_ATTR_SKB_MARK]); 1187 1188 SW_FLOW_KEY_PUT(match, phy.skb_mark, mark, is_mask); 1189 *attrs &= ~(1 << OVS_KEY_ATTR_SKB_MARK); 1190 } 1191 if (*attrs & (1 << OVS_KEY_ATTR_TUNNEL)) { 1192 if (ip_tun_from_nlattr(a[OVS_KEY_ATTR_TUNNEL], match, 1193 is_mask, log) < 0) 1194 return -EINVAL; 1195 *attrs &= ~(1 << OVS_KEY_ATTR_TUNNEL); 1196 } 1197 1198 if (*attrs & (1 << OVS_KEY_ATTR_CT_STATE) && 1199 ovs_ct_verify(net, OVS_KEY_ATTR_CT_STATE)) { 1200 u32 ct_state = nla_get_u32(a[OVS_KEY_ATTR_CT_STATE]); 1201 1202 if (ct_state & ~CT_SUPPORTED_MASK) { 1203 OVS_NLERR(log, "ct_state flags %08x unsupported", 1204 ct_state); 1205 return -EINVAL; 1206 } 1207 1208 SW_FLOW_KEY_PUT(match, ct_state, ct_state, is_mask); 1209 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_STATE); 1210 } 1211 if (*attrs & (1 << OVS_KEY_ATTR_CT_ZONE) && 1212 ovs_ct_verify(net, OVS_KEY_ATTR_CT_ZONE)) { 1213 u16 ct_zone = nla_get_u16(a[OVS_KEY_ATTR_CT_ZONE]); 1214 1215 SW_FLOW_KEY_PUT(match, ct_zone, ct_zone, is_mask); 1216 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_ZONE); 1217 } 1218 if (*attrs & (1 << OVS_KEY_ATTR_CT_MARK) && 1219 ovs_ct_verify(net, OVS_KEY_ATTR_CT_MARK)) { 1220 u32 mark = nla_get_u32(a[OVS_KEY_ATTR_CT_MARK]); 1221 1222 SW_FLOW_KEY_PUT(match, ct.mark, mark, is_mask); 1223 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_MARK); 1224 } 1225 if (*attrs & (1 << OVS_KEY_ATTR_CT_LABELS) && 1226 ovs_ct_verify(net, OVS_KEY_ATTR_CT_LABELS)) { 1227 const struct ovs_key_ct_labels *cl; 1228 1229 cl = nla_data(a[OVS_KEY_ATTR_CT_LABELS]); 1230 SW_FLOW_KEY_MEMCPY(match, 
ct.labels, cl->ct_labels, 1231 sizeof(*cl), is_mask); 1232 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_LABELS); 1233 } 1234 if (*attrs & (1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4)) { 1235 const struct ovs_key_ct_tuple_ipv4 *ct; 1236 1237 ct = nla_data(a[OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4]); 1238 1239 SW_FLOW_KEY_PUT(match, ipv4.ct_orig.src, ct->ipv4_src, is_mask); 1240 SW_FLOW_KEY_PUT(match, ipv4.ct_orig.dst, ct->ipv4_dst, is_mask); 1241 SW_FLOW_KEY_PUT(match, ct.orig_tp.src, ct->src_port, is_mask); 1242 SW_FLOW_KEY_PUT(match, ct.orig_tp.dst, ct->dst_port, is_mask); 1243 SW_FLOW_KEY_PUT(match, ct_orig_proto, ct->ipv4_proto, is_mask); 1244 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4); 1245 } 1246 if (*attrs & (1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6)) { 1247 const struct ovs_key_ct_tuple_ipv6 *ct; 1248 1249 ct = nla_data(a[OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6]); 1250 1251 SW_FLOW_KEY_MEMCPY(match, ipv6.ct_orig.src, &ct->ipv6_src, 1252 sizeof(match->key->ipv6.ct_orig.src), 1253 is_mask); 1254 SW_FLOW_KEY_MEMCPY(match, ipv6.ct_orig.dst, &ct->ipv6_dst, 1255 sizeof(match->key->ipv6.ct_orig.dst), 1256 is_mask); 1257 SW_FLOW_KEY_PUT(match, ct.orig_tp.src, ct->src_port, is_mask); 1258 SW_FLOW_KEY_PUT(match, ct.orig_tp.dst, ct->dst_port, is_mask); 1259 SW_FLOW_KEY_PUT(match, ct_orig_proto, ct->ipv6_proto, is_mask); 1260 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6); 1261 } 1262 1263 /* For layer 3 packets the Ethernet type is provided 1264 * and treated as metadata but no MAC addresses are provided. 1265 */ 1266 if (!(*attrs & (1ULL << OVS_KEY_ATTR_ETHERNET)) && 1267 (*attrs & (1ULL << OVS_KEY_ATTR_ETHERTYPE))) 1268 mac_proto = MAC_PROTO_NONE; 1269 1270 /* Always exact match mac_proto */ 1271 SW_FLOW_KEY_PUT(match, mac_proto, is_mask ? 
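/* Continuation of a statement and function that begin before this span;
 * unchanged.
 */
					     0xff : mac_proto, is_mask);

	if (mac_proto == MAC_PROTO_NONE)
		return parse_eth_type_from_nlattrs(match, attrs, a, is_mask,
						   log);

	return 0;
}

/*
 * Build an NSH header in @nh from a nested OVS_NSH_KEY_ATTR_* attribute.
 *
 * @attr: nested attribute supplied through Netlink.
 * @nh:   destination buffer.
 * @size: number of bytes available at @nh.
 *
 * The metadata length is bounded against @size here, but the size of the
 * BASE payload and the overall layout of @attr are not; the function relies
 * on the attribute having been validated beforehand (the in-code comment
 * names validate_nsh, which is outside this span).
 *
 * Returns 0, -ENOBUFS when the header would not fit in @size, or -EINVAL for
 * an unknown nested attribute type.
 */
int nsh_hdr_from_nlattr(const struct nlattr *attr,
			struct nshhdr *nh, size_t size)
{
	struct nlattr *a;
	int rem;
	u8 flags = 0;
	u8 ttl = 0;
	int mdlen = 0;

	/* validate_nsh has checked this, so we needn't do a duplicate check
	 * here.
	 */
	if (size < NSH_BASE_HDR_LEN)
		return -ENOBUFS;

	nla_for_each_nested(a, attr, rem) {
		int type = nla_type(a);

		switch (type) {
		case OVS_NSH_KEY_ATTR_BASE: {
			const struct ovs_nsh_key_base *base = nla_data(a);

			flags = base->flags;
			ttl = base->ttl;
			nh->np = base->np;
			nh->mdtype = base->mdtype;
			nh->path_hdr = base->path_hdr;
			break;
		}
		case OVS_NSH_KEY_ATTR_MD1:
			mdlen = nla_len(a);
			/* Compared in size_t: size >= NSH_BASE_HDR_LEN was
			 * established above, so the subtraction cannot wrap,
			 * and a negative mdlen converts to a huge value and
			 * is rejected.
			 */
			if (mdlen > size - NSH_BASE_HDR_LEN)
				return -ENOBUFS;
			memcpy(&nh->md1, nla_data(a), mdlen);
			break;

		case OVS_NSH_KEY_ATTR_MD2:
			mdlen = nla_len(a);
			/* Same bound as for MD1. */
			if (mdlen > size - NSH_BASE_HDR_LEN)
				return -ENOBUFS;
			memcpy(&nh->md2, nla_data(a), mdlen);
			break;

		default:
			return -EINVAL;
		}
	}

	/* nsh header length = NSH_BASE_HDR_LEN + mdlen */
	nh->ver_flags_ttl_len = 0;
	nsh_set_flags_ttl_len(nh, flags, ttl, NSH_BASE_HDR_LEN + mdlen);

	return 0;
}

/*
 * Split a nested NSH attribute into a key (@nsh) and a mask (@nsh_mask).
 *
 * For BASE and MD1 the mask is read from directly behind the key
 * ("base + 1", "md1 + 1"), so each payload has to be twice the size of the
 * structure. That length is not checked here; the function relies on prior
 * validation (the in-code comment names validate_nsh, outside this span).
 * NOTE(review): any new caller must keep that validation in front of this
 * function, otherwise these reads run past the attribute payload.
 *
 * Returns 0, -ENOTSUPP for MD2, or -EINVAL for an unknown attribute type.
 */
int nsh_key_from_nlattr(const struct nlattr *attr,
			struct ovs_key_nsh *nsh, struct ovs_key_nsh *nsh_mask)
{
	struct nlattr *a;
	int rem;

	/* validate_nsh has checked this, so we needn't do a duplicate check
	 * here.
	 */
	nla_for_each_nested(a, attr, rem) {
		int type = nla_type(a);

		switch (type) {
		case OVS_NSH_KEY_ATTR_BASE: {
			const struct ovs_nsh_key_base *base = nla_data(a);
			const struct ovs_nsh_key_base *base_mask = base + 1;

			nsh->base = *base;
			nsh_mask->base = *base_mask;
			break;
		}
		case OVS_NSH_KEY_ATTR_MD1: {
			const struct ovs_nsh_key_md1 *md1 = nla_data(a);
			const struct ovs_nsh_key_md1 *md1_mask = md1 + 1;

			memcpy(nsh->context, md1->context, sizeof(*md1));
			memcpy(nsh_mask->context, md1_mask->context,
			       sizeof(*md1_mask));
			break;
		}
		case OVS_NSH_KEY_ATTR_MD2:
			/* Not supported yet */
			return -ENOTSUPP;
		default:
			return -EINVAL;
		}
	}

	return 0;
}

/*
 * Validate a nested NSH attribute and copy its fields into @match.
 *
 * @attr:        nested OVS_NSH_KEY_ATTR_* attribute from Netlink.
 * @match:       flow match whose key or mask receives the fields.
 * @is_mask:     write the mask rather than the key.
 * @is_push_nsh: the attribute belongs to a push_nsh action; only then is MD2
 *               accepted. Combining it with @is_mask is rejected.
 * @log:         allow error logging. Every message in this function honours
 *               it, so a caller that passes false gets no log output for
 *               malformed input.
 *
 * Checks made here: each attribute type is within OVS_NSH_KEY_ATTR_MAX, its
 * length passes check_attr_len() against ovs_nsh_key_attr_lens[], the MD2
 * length is in 1..NSH_CTX_HDRS_MAX_LEN, no bytes trail the last attribute,
 * MD1 and MD2 are not both present and, for a key, the metadata attribute
 * agrees with base.mdtype.
 *
 * Returns 0, -EINVAL on malformed input, or -ENOTSUPP for MD2 outside
 * push_nsh.
 */
static int nsh_key_put_from_nlattr(const struct nlattr *attr,
				   struct sw_flow_match *match, bool is_mask,
				   bool is_push_nsh, bool log)
{
	struct nlattr *a;
	int rem;
	bool has_base = false;
	bool has_md1 = false;
	bool has_md2 = false;
	u8 mdtype = 0;
	int mdlen = 0;

	if (WARN_ON(is_push_nsh && is_mask))
		return -EINVAL;

	nla_for_each_nested(a, attr, rem) {
		int type = nla_type(a);
		int i;

		/* Range-check before the type is used as a table index. */
		if (type > OVS_NSH_KEY_ATTR_MAX) {
			OVS_NLERR(log, "nsh attr %d is out of range max %d",
				  type, OVS_NSH_KEY_ATTR_MAX);
			return -EINVAL;
		}

		if (!check_attr_len(nla_len(a),
				    ovs_nsh_key_attr_lens[type].len)) {
			OVS_NLERR(log,
				  "nsh attr %d has unexpected len %d expected %d",
				  type,
				  nla_len(a),
				  ovs_nsh_key_attr_lens[type].len);
			return -EINVAL;
		}

		switch (type) {
		case OVS_NSH_KEY_ATTR_BASE: {
			const struct ovs_nsh_key_base *base = nla_data(a);

			has_base = true;
			mdtype = base->mdtype;
			SW_FLOW_KEY_PUT(match, nsh.base.flags,
					base->flags, is_mask);
			SW_FLOW_KEY_PUT(match, nsh.base.ttl,
					base->ttl, is_mask);
			SW_FLOW_KEY_PUT(match, nsh.base.mdtype,
					base->mdtype, is_mask);
			SW_FLOW_KEY_PUT(match, nsh.base.np,
					base->np, is_mask);
			SW_FLOW_KEY_PUT(match, nsh.base.path_hdr,
					base->path_hdr, is_mask);
			break;
		}
		case OVS_NSH_KEY_ATTR_MD1: {
			const struct ovs_nsh_key_md1 *md1 = nla_data(a);

			has_md1 = true;
			for (i = 0; i < NSH_MD1_CONTEXT_SIZE; i++)
				SW_FLOW_KEY_PUT(match, nsh.context[i],
						md1->context[i], is_mask);
			break;
		}
		case OVS_NSH_KEY_ATTR_MD2:
			if (!is_push_nsh) /* Not supported MD type 2 yet */
				return -ENOTSUPP;

			/* Only the length is validated; no MD2 bytes are
			 * copied into @match here.
			 */
			has_md2 = true;
			mdlen = nla_len(a);
			if (mdlen > NSH_CTX_HDRS_MAX_LEN || mdlen <= 0) {
				OVS_NLERR(log,
					  "Invalid MD length %d for MD type %d",
					  mdlen,
					  mdtype);
				return -EINVAL;
			}
			break;
		default:
			OVS_NLERR(log, "Unknown nsh attribute %d",
				  type);
			return -EINVAL;
		}
	}

	/* Bytes left over after the last well-formed attribute. */
	if (rem > 0) {
		OVS_NLERR(log, "nsh attribute has %d unknown bytes.", rem);
		return -EINVAL;
	}

	if (has_md1 && has_md2) {
		OVS_NLERR(log,
			  "invalid nsh attribute: md1 and md2 are exclusive.");
		return -EINVAL;
	}

	if (!is_mask) {
		if ((has_md1 && mdtype != NSH_M_TYPE1) ||
		    (has_md2 && mdtype != NSH_M_TYPE2)) {
			OVS_NLERR(log, "nsh attribute has unmatched MD type %d.",
				  mdtype);
			return -EINVAL;
		}

		if (is_push_nsh &&
		    (!has_base || (!has_md1 && !has_md2))) {
			OVS_NLERR(log,
				  "push_nsh: missing base or metadata attributes");
			return -EINVAL;
		}
	}

	return 0;
}

/* Head of ovs_key_from_nlattrs(); its body continues past this span and is
 * left unchanged.
 */
static int ovs_key_from_nlattrs(struct net *net, struct sw_flow_match *match,
				u64 attrs, const struct nlattr **a,
				bool is_mask, bool log)
{
	int err;

	err = metadata_from_nlattrs(net, match, &attrs, a, is_mask, log);
	if (err)
		return err;

	if (attrs & (1 << OVS_KEY_ATTR_ETHERNET)) {
		const struct ovs_key_ethernet *eth_key;

		eth_key = nla_data(a[OVS_KEY_ATTR_ETHERNET]);
		SW_FLOW_KEY_MEMCPY(match, eth.src,
				eth_key->eth_src, ETH_ALEN, is_mask);
		SW_FLOW_KEY_MEMCPY(match, eth.dst,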
eth_key->eth_dst, ETH_ALEN, is_mask); 1513 attrs &= ~(1 << OVS_KEY_ATTR_ETHERNET); 1514 1515 if (attrs & (1 << OVS_KEY_ATTR_VLAN)) { 1516 /* VLAN attribute is always parsed before getting here since it 1517 * may occur multiple times. 1518 */ 1519 OVS_NLERR(log, "VLAN attribute unexpected."); 1520 return -EINVAL; 1521 } 1522 1523 if (attrs & (1 << OVS_KEY_ATTR_ETHERTYPE)) { 1524 err = parse_eth_type_from_nlattrs(match, &attrs, a, is_mask, 1525 log); 1526 if (err) 1527 return err; 1528 } else if (!is_mask) { 1529 SW_FLOW_KEY_PUT(match, eth.type, htons(ETH_P_802_2), is_mask); 1530 } 1531 } else if (!match->key->eth.type) { 1532 OVS_NLERR(log, "Either Ethernet header or EtherType is required."); 1533 return -EINVAL; 1534 } 1535 1536 if (attrs & (1 << OVS_KEY_ATTR_IPV4)) { 1537 const struct ovs_key_ipv4 *ipv4_key; 1538 1539 ipv4_key = nla_data(a[OVS_KEY_ATTR_IPV4]); 1540 if (!is_mask && ipv4_key->ipv4_frag > OVS_FRAG_TYPE_MAX) { 1541 OVS_NLERR(log, "IPv4 frag type %d is out of range max %d", 1542 ipv4_key->ipv4_frag, OVS_FRAG_TYPE_MAX); 1543 return -EINVAL; 1544 } 1545 SW_FLOW_KEY_PUT(match, ip.proto, 1546 ipv4_key->ipv4_proto, is_mask); 1547 SW_FLOW_KEY_PUT(match, ip.tos, 1548 ipv4_key->ipv4_tos, is_mask); 1549 SW_FLOW_KEY_PUT(match, ip.ttl, 1550 ipv4_key->ipv4_ttl, is_mask); 1551 SW_FLOW_KEY_PUT(match, ip.frag, 1552 ipv4_key->ipv4_frag, is_mask); 1553 SW_FLOW_KEY_PUT(match, ipv4.addr.src, 1554 ipv4_key->ipv4_src, is_mask); 1555 SW_FLOW_KEY_PUT(match, ipv4.addr.dst, 1556 ipv4_key->ipv4_dst, is_mask); 1557 attrs &= ~(1 << OVS_KEY_ATTR_IPV4); 1558 } 1559 1560 if (attrs & (1 << OVS_KEY_ATTR_IPV6)) { 1561 const struct ovs_key_ipv6 *ipv6_key; 1562 1563 ipv6_key = nla_data(a[OVS_KEY_ATTR_IPV6]); 1564 if (!is_mask && ipv6_key->ipv6_frag > OVS_FRAG_TYPE_MAX) { 1565 OVS_NLERR(log, "IPv6 frag type %d is out of range max %d", 1566 ipv6_key->ipv6_frag, OVS_FRAG_TYPE_MAX); 1567 return -EINVAL; 1568 } 1569 1570 if (!is_mask && ipv6_key->ipv6_label & htonl(0xFFF00000)) { 1571 
OVS_NLERR(log, "IPv6 flow label %x is out of range (max=%x)", 1572 ntohl(ipv6_key->ipv6_label), (1 << 20) - 1); 1573 return -EINVAL; 1574 } 1575 1576 SW_FLOW_KEY_PUT(match, ipv6.label, 1577 ipv6_key->ipv6_label, is_mask); 1578 SW_FLOW_KEY_PUT(match, ip.proto, 1579 ipv6_key->ipv6_proto, is_mask); 1580 SW_FLOW_KEY_PUT(match, ip.tos, 1581 ipv6_key->ipv6_tclass, is_mask); 1582 SW_FLOW_KEY_PUT(match, ip.ttl, 1583 ipv6_key->ipv6_hlimit, is_mask); 1584 SW_FLOW_KEY_PUT(match, ip.frag, 1585 ipv6_key->ipv6_frag, is_mask); 1586 SW_FLOW_KEY_MEMCPY(match, ipv6.addr.src, 1587 ipv6_key->ipv6_src, 1588 sizeof(match->key->ipv6.addr.src), 1589 is_mask); 1590 SW_FLOW_KEY_MEMCPY(match, ipv6.addr.dst, 1591 ipv6_key->ipv6_dst, 1592 sizeof(match->key->ipv6.addr.dst), 1593 is_mask); 1594 1595 attrs &= ~(1 << OVS_KEY_ATTR_IPV6); 1596 } 1597 1598 if (attrs & (1 << OVS_KEY_ATTR_ARP)) { 1599 const struct ovs_key_arp *arp_key; 1600 1601 arp_key = nla_data(a[OVS_KEY_ATTR_ARP]); 1602 if (!is_mask && (arp_key->arp_op & htons(0xff00))) { 1603 OVS_NLERR(log, "Unknown ARP opcode (opcode=%d).", 1604 arp_key->arp_op); 1605 return -EINVAL; 1606 } 1607 1608 SW_FLOW_KEY_PUT(match, ipv4.addr.src, 1609 arp_key->arp_sip, is_mask); 1610 SW_FLOW_KEY_PUT(match, ipv4.addr.dst, 1611 arp_key->arp_tip, is_mask); 1612 SW_FLOW_KEY_PUT(match, ip.proto, 1613 ntohs(arp_key->arp_op), is_mask); 1614 SW_FLOW_KEY_MEMCPY(match, ipv4.arp.sha, 1615 arp_key->arp_sha, ETH_ALEN, is_mask); 1616 SW_FLOW_KEY_MEMCPY(match, ipv4.arp.tha, 1617 arp_key->arp_tha, ETH_ALEN, is_mask); 1618 1619 attrs &= ~(1 << OVS_KEY_ATTR_ARP); 1620 } 1621 1622 if (attrs & (1 << OVS_KEY_ATTR_NSH)) { 1623 if (nsh_key_put_from_nlattr(a[OVS_KEY_ATTR_NSH], match, 1624 is_mask, false, log) < 0) 1625 return -EINVAL; 1626 attrs &= ~(1 << OVS_KEY_ATTR_NSH); 1627 } 1628 1629 if (attrs & (1 << OVS_KEY_ATTR_MPLS)) { 1630 const struct ovs_key_mpls *mpls_key; 1631 u32 hdr_len; 1632 u32 label_count, label_count_mask, i; 1633 1634 mpls_key = 
nla_data(a[OVS_KEY_ATTR_MPLS]); 1635 hdr_len = nla_len(a[OVS_KEY_ATTR_MPLS]); 1636 label_count = hdr_len / sizeof(struct ovs_key_mpls); 1637 1638 if (label_count == 0 || label_count > MPLS_LABEL_DEPTH || 1639 hdr_len % sizeof(struct ovs_key_mpls)) 1640 return -EINVAL; 1641 1642 label_count_mask = GENMASK(label_count - 1, 0); 1643 1644 for (i = 0 ; i < label_count; i++) 1645 SW_FLOW_KEY_PUT(match, mpls.lse[i], 1646 mpls_key[i].mpls_lse, is_mask); 1647 1648 SW_FLOW_KEY_PUT(match, mpls.num_labels_mask, 1649 label_count_mask, is_mask); 1650 1651 attrs &= ~(1 << OVS_KEY_ATTR_MPLS); 1652 } 1653 1654 if (attrs & (1 << OVS_KEY_ATTR_TCP)) { 1655 const struct ovs_key_tcp *tcp_key; 1656 1657 tcp_key = nla_data(a[OVS_KEY_ATTR_TCP]); 1658 SW_FLOW_KEY_PUT(match, tp.src, tcp_key->tcp_src, is_mask); 1659 SW_FLOW_KEY_PUT(match, tp.dst, tcp_key->tcp_dst, is_mask); 1660 attrs &= ~(1 << OVS_KEY_ATTR_TCP); 1661 } 1662 1663 if (attrs & (1 << OVS_KEY_ATTR_TCP_FLAGS)) { 1664 SW_FLOW_KEY_PUT(match, tp.flags, 1665 nla_get_be16(a[OVS_KEY_ATTR_TCP_FLAGS]), 1666 is_mask); 1667 attrs &= ~(1 << OVS_KEY_ATTR_TCP_FLAGS); 1668 } 1669 1670 if (attrs & (1 << OVS_KEY_ATTR_UDP)) { 1671 const struct ovs_key_udp *udp_key; 1672 1673 udp_key = nla_data(a[OVS_KEY_ATTR_UDP]); 1674 SW_FLOW_KEY_PUT(match, tp.src, udp_key->udp_src, is_mask); 1675 SW_FLOW_KEY_PUT(match, tp.dst, udp_key->udp_dst, is_mask); 1676 attrs &= ~(1 << OVS_KEY_ATTR_UDP); 1677 } 1678 1679 if (attrs & (1 << OVS_KEY_ATTR_SCTP)) { 1680 const struct ovs_key_sctp *sctp_key; 1681 1682 sctp_key = nla_data(a[OVS_KEY_ATTR_SCTP]); 1683 SW_FLOW_KEY_PUT(match, tp.src, sctp_key->sctp_src, is_mask); 1684 SW_FLOW_KEY_PUT(match, tp.dst, sctp_key->sctp_dst, is_mask); 1685 attrs &= ~(1 << OVS_KEY_ATTR_SCTP); 1686 } 1687 1688 if (attrs & (1 << OVS_KEY_ATTR_ICMP)) { 1689 const struct ovs_key_icmp *icmp_key; 1690 1691 icmp_key = nla_data(a[OVS_KEY_ATTR_ICMP]); 1692 SW_FLOW_KEY_PUT(match, tp.src, 1693 htons(icmp_key->icmp_type), is_mask); 1694 
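/* Tail of ovs_key_from_nlattrs(), which starts before this span; unchanged. */
		SW_FLOW_KEY_PUT(match, tp.dst,
				htons(icmp_key->icmp_code), is_mask);
		attrs &= ~(1 << OVS_KEY_ATTR_ICMP);
	}

	if (attrs & (1 << OVS_KEY_ATTR_ICMPV6)) {
		const struct ovs_key_icmpv6 *icmpv6_key;

		icmpv6_key = nla_data(a[OVS_KEY_ATTR_ICMPV6]);
		SW_FLOW_KEY_PUT(match, tp.src,
				htons(icmpv6_key->icmpv6_type), is_mask);
		SW_FLOW_KEY_PUT(match, tp.dst,
				htons(icmpv6_key->icmpv6_code), is_mask);
		attrs &= ~(1 << OVS_KEY_ATTR_ICMPV6);
	}

	if (attrs & (1 << OVS_KEY_ATTR_ND)) {
		const struct ovs_key_nd *nd_key;

		nd_key = nla_data(a[OVS_KEY_ATTR_ND]);
		SW_FLOW_KEY_MEMCPY(match, ipv6.nd.target,
			nd_key->nd_target,
			sizeof(match->key->ipv6.nd.target),
			is_mask);
		SW_FLOW_KEY_MEMCPY(match, ipv6.nd.sll,
			nd_key->nd_sll, ETH_ALEN, is_mask);
		SW_FLOW_KEY_MEMCPY(match, ipv6.nd.tll,
			nd_key->nd_tll, ETH_ALEN, is_mask);
		attrs &= ~(1 << OVS_KEY_ATTR_ND);
	}

	if (attrs != 0) {
		OVS_NLERR(log, "Unknown key attributes %llx",
			  (unsigned long long)attrs);
		return -EINVAL;
	}

	return 0;
}

/*
 * Overwrite the payload of every attribute nested in @attr with @val,
 * recursing into attributes that @tbl marks as OVS_ATTR_NESTED.
 *
 * @tbl is indexed by the attribute type with no bound check in this
 * function, and payloads are written in place, so @attr must be a writable
 * copy of a stream that was already validated against the same table.
 */
static void nlattr_set(struct nlattr *attr, u8 val,
		       const struct ovs_len_tbl *tbl)
{
	struct nlattr *nla;
	int rem;

	/* The nlattr stream should already have been validated */
	nla_for_each_nested(nla, attr, rem) {
		if (tbl[nla_type(nla)].len == OVS_ATTR_NESTED)
			/* A nested entry without its own table reuses tbl. */
			nlattr_set(nla, val, tbl[nla_type(nla)].next ? : tbl);
		else
			memset(nla_data(nla), val, nla_len(nla));

		/* Keep unsupported ct_state bits out of the generated value. */
		if (nla_type(nla) == OVS_KEY_ATTR_CT_STATE)
			*(u32 *)nla_data(nla) &= CT_SUPPORTED_MASK;
	}
}

/* Fill every OVS_KEY_ATTR_* payload under @attr with @val. */
static void mask_set_nlattr(struct nlattr *attr, u8 val)
{
	nlattr_set(attr, val, ovs_key_lens);
}

/**
 * ovs_nla_get_match - parses Netlink attributes into a flow key and
 * mask. In case the 'mask' is NULL, the flow is treated as exact match
 * flow. Otherwise, it is treated as a wildcarded flow, except the mask
 * does not include any don't care bit.
 * @net: Used to determine per-namespace field support.
 * @match: receives the extracted flow match information.
 * @nla_key: Netlink attribute holding nested %OVS_KEY_ATTR_* Netlink attribute
 * sequence. The fields should be those of the packet that triggered the
 * creation of this flow.
 * @nla_mask: Optional. Netlink attribute holding nested %OVS_KEY_ATTR_* Netlink
 * attribute specifies the mask field of the wildcarded flow.
 * @log: Boolean to allow kernel error logging.  Normally true, but when
 * probing for feature compatibility this should be passed in as false to
 * suppress unnecessary error logging.
 *
 * Return: 0 on success, -ENOMEM if the exact-match mask cannot be allocated,
 * -EINVAL if match_validate() rejects the result, or the error returned by
 * one of the parsing helpers.
 */
int ovs_nla_get_match(struct net *net, struct sw_flow_match *match,
		      const struct nlattr *nla_key,
		      const struct nlattr *nla_mask,
		      bool log)
{
	const struct nlattr *a[OVS_KEY_ATTR_MAX + 1];
	struct nlattr *newmask = NULL;
	u64 key_attrs = 0;
	u64 mask_attrs = 0;
	int err;

	err = parse_flow_nlattrs(nla_key, a, &key_attrs, log);
	if (err)
		return err;

	err = parse_vlan_from_nlattrs(match, &key_attrs, a, false, log);
	if (err)
		return err;

	err = ovs_key_from_nlattrs(net, match, key_attrs, a, false, log);
	if (err)
		return err;

	if (match->mask) {
		if (!nla_mask) {
			/* Create an exact match mask. We need to set to 0xff
			 * all the 'match->mask' fields that have been touched
			 * in 'match->key'. We cannot simply memset
			 * 'match->mask', because padding bytes and fields not
			 * specified in 'match->key' should be left to 0.
			 * Instead, we use a stream of netlink attributes,
			 * copied from 'key' and set to 0xff.
			 * ovs_key_from_nlattrs() will take care of filling
			 * 'match->mask' appropriately.
			 */
			newmask = kmemdup(nla_key,
					  nla_total_size(nla_len(nla_key)),
					  GFP_KERNEL);
			if (!newmask)
				return -ENOMEM;

			mask_set_nlattr(newmask, 0xff);

			/* The userspace does not send tunnel attributes that
			 * are 0, but we should not wildcard them nonetheless.
			 */
			if (match->key->tun_proto)
				SW_FLOW_KEY_MEMSET_FIELD(match, tun_key,
							 0xff, true);

			nla_mask = newmask;
		}

		/* From here on 'a' holds the mask attributes, not the key's. */
		err = parse_flow_mask_nlattrs(nla_mask, a, &mask_attrs, log);
		if (err)
			goto free_newmask;

		/* Always match on tci. */
		SW_FLOW_KEY_PUT(match, eth.vlan.tci, htons(0xffff), true);
		SW_FLOW_KEY_PUT(match, eth.cvlan.tci, htons(0xffff), true);

		err = parse_vlan_from_nlattrs(match, &mask_attrs, a, true, log);
		if (err)
			goto free_newmask;

		err = ovs_key_from_nlattrs(net, match, mask_attrs, a, true,
					   log);
		if (err)
			goto free_newmask;
	}

	if (!match_validate(match, key_attrs, mask_attrs, log))
		err = -EINVAL;

free_newmask:
	/* newmask is NULL unless the exact-match mask was generated above. */
	kfree(newmask);
	return err;
}

/*
 * Return the payload length of a UFID attribute, or 0 when @attr is NULL or
 * its length is outside 1..MAX_UFID_LENGTH. Callers size their copy of the
 * identifier with this value.
 */
static size_t get_ufid_len(const struct nlattr *attr, bool log)
{
	size_t len;

	if (!attr)
		return 0;

	len = nla_len(attr);
	if (len < 1 || len > MAX_UFID_LENGTH) {
		OVS_NLERR(log, "ufid size %u bytes exceeds the range (1, %d)",
			  nla_len(attr), MAX_UFID_LENGTH);
		return 0;
	}

	return len;
}

/* Initializes 'sfid->ufid', returning true if 'attr' contains a valid UFID,
 * or false otherwise. The copy is bounded by the length get_ufid_len()
 * accepted, i.e. at most MAX_UFID_LENGTH bytes.
 */
bool ovs_nla_get_ufid(struct sw_flow_id *sfid, const struct nlattr *attr,
		      bool log)
{
	sfid->ufid_len = get_ufid_len(attr, log);
	if (sfid->ufid_len)
		memcpy(sfid->ufid, nla_data(attr), sfid->ufid_len);

	return sfid->ufid_len;
}

/*
 * Fill @sfid from the UFID attribute when it is valid; otherwise store a
 * heap copy of @key in sfid->unmasked_key. This function does not free that
 * copy.
 *
 * Returns 0 on success or -ENOMEM if the key copy cannot be allocated.
 */
int ovs_nla_get_identifier(struct sw_flow_id *sfid, const struct nlattr *ufid,
			   const struct sw_flow_key *key, bool log)
{
	struct sw_flow_key *new_key;

	if (ovs_nla_get_ufid(sfid, ufid, log))
		return 0;

	/* If UFID was not provided, use unmasked key. */
	new_key = kmemdup(key, sizeof(*key), GFP_KERNEL);
	if (!new_key)
		return -ENOMEM;
	sfid->unmasked_key = new_key;

	return 0;
}

/* Return the u32 payload of @attr, or 0 when the attribute is absent. */
u32 ovs_nla_get_ufid_flags(const struct nlattr *attr)
{
	return attr ? nla_get_u32(attr) : 0;
}

/**
 * ovs_nla_get_flow_metadata - parses Netlink attributes into a flow key.
 * @net: Network namespace.
 * @key: Receives extracted in_port, priority, tun_key, skb_mark and conntrack
 * metadata.
 * @a: Array of netlink attributes holding parsed %OVS_KEY_ATTR_* Netlink
 * attributes.
 * @attrs: Bit mask for the netlink attributes included in @a.
 * @log: Boolean to allow kernel error logging.  Normally true, but when
 * probing for feature compatibility this should be passed in as false to
 * suppress unnecessary error logging.
 *
 * This parses a series of Netlink attributes that form a flow key, which must
 * take the same form accepted by flow_from_nlattrs(), but only enough of it to
 * get the metadata, that is, the parts of the flow key that cannot be
 * extracted from the packet itself.
 *
 * This must be called before the packet key fields are filled in 'key'.
 */

int ovs_nla_get_flow_metadata(struct net *net,
			      const struct nlattr *a[OVS_KEY_ATTR_MAX + 1],
			      u64 attrs, struct sw_flow_key *key, bool log)
{
	struct sw_flow_match match;

	memset(&match, 0, sizeof(match));
	match.key = key;

	/* Reset the conntrack fields so that nothing left in 'key' from an
	 * earlier use survives when the attributes omit them.
	 */
	key->ct_state = 0;
	key->ct_zone = 0;
	key->ct_orig_proto = 0;
	memset(&key->ct, 0, sizeof(key->ct));
	memset(&key->ipv4.ct_orig, 0, sizeof(key->ipv4.ct_orig));
	memset(&key->ipv6.ct_orig, 0, sizeof(key->ipv6.ct_orig));

	key->phy.in_port = DP_MAX_PORTS;

	return metadata_from_nlattrs(net, &match, &attrs, a, false, log);
}

/*
 * Emit the ETHERTYPE and VLAN attributes for one VLAN header. In a mask the
 * EtherType is always written as 0xffff (exact match) instead of vh->tpid.
 *
 * Returns 0 or -EMSGSIZE.
 */
static int ovs_nla_put_vlan(struct sk_buff *skb, const struct vlan_head *vh,
			    bool is_mask)
{
	__be16 eth_type = !is_mask ? vh->tpid : htons(0xffff);

	if (nla_put_be16(skb, OVS_KEY_ATTR_ETHERTYPE, eth_type) ||
	    nla_put_be16(skb, OVS_KEY_ATTR_VLAN, vh->tci))
		return -EMSGSIZE;
	return 0;
}

/*
 * Emit an OVS_KEY_ATTR_NSH nest holding the base header and, for a mask or
 * an MD type 1 key, the MD1 context.
 *
 * Returns 0 or -EMSGSIZE; on failure the partially written nest is removed
 * from @skb again.
 */
static int nsh_key_to_nlattr(const struct ovs_key_nsh *nsh, bool is_mask,
			     struct sk_buff *skb)
{
	struct nlattr *start;

	start = nla_nest_start_noflag(skb, OVS_KEY_ATTR_NSH);
	if (!start)
		return -EMSGSIZE;

	if (nla_put(skb, OVS_NSH_KEY_ATTR_BASE, sizeof(nsh->base), &nsh->base))
		goto nla_put_failure;

	if (is_mask || nsh->base.mdtype == NSH_M_TYPE1) {
		if (nla_put(skb, OVS_NSH_KEY_ATTR_MD1,
			    sizeof(nsh->context), nsh->context))
			goto nla_put_failure;
	}

	/* Don't support MD type 2 yet */

	nla_nest_end(skb, start);

	return 0;

nla_put_failure:
	/* The nest length was never finalised; do not leave it in the skb. */
	nla_nest_cancel(skb, start);
	return -EMSGSIZE;
}

/* Head of __ovs_nla_put_key(); its body continues past this span and is left
 * unchanged.
 */
static int __ovs_nla_put_key(const struct sw_flow_key *swkey,
			     const struct sw_flow_key *output, bool is_mask,
			     struct sk_buff *skb)
{
	struct ovs_key_ethernet *eth_key;
	struct nlattr *nla;
	struct nlattr *encap = NULL;
	struct nlattr *in_encap = NULL;

	if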
(nla_put_u32(skb, OVS_KEY_ATTR_RECIRC_ID, output->recirc_id)) 1995 goto nla_put_failure; 1996 1997 if (nla_put_u32(skb, OVS_KEY_ATTR_DP_HASH, output->ovs_flow_hash)) 1998 goto nla_put_failure; 1999 2000 if (nla_put_u32(skb, OVS_KEY_ATTR_PRIORITY, output->phy.priority)) 2001 goto nla_put_failure; 2002 2003 if ((swkey->tun_proto || is_mask)) { 2004 const void *opts = NULL; 2005 2006 if (output->tun_key.tun_flags & TUNNEL_OPTIONS_PRESENT) 2007 opts = TUN_METADATA_OPTS(output, swkey->tun_opts_len); 2008 2009 if (ip_tun_to_nlattr(skb, &output->tun_key, opts, 2010 swkey->tun_opts_len, swkey->tun_proto, 0)) 2011 goto nla_put_failure; 2012 } 2013 2014 if (swkey->phy.in_port == DP_MAX_PORTS) { 2015 if (is_mask && (output->phy.in_port == 0xffff)) 2016 if (nla_put_u32(skb, OVS_KEY_ATTR_IN_PORT, 0xffffffff)) 2017 goto nla_put_failure; 2018 } else { 2019 u16 upper_u16; 2020 upper_u16 = !is_mask ? 0 : 0xffff; 2021 2022 if (nla_put_u32(skb, OVS_KEY_ATTR_IN_PORT, 2023 (upper_u16 << 16) | output->phy.in_port)) 2024 goto nla_put_failure; 2025 } 2026 2027 if (nla_put_u32(skb, OVS_KEY_ATTR_SKB_MARK, output->phy.skb_mark)) 2028 goto nla_put_failure; 2029 2030 if (ovs_ct_put_key(swkey, output, skb)) 2031 goto nla_put_failure; 2032 2033 if (ovs_key_mac_proto(swkey) == MAC_PROTO_ETHERNET) { 2034 nla = nla_reserve(skb, OVS_KEY_ATTR_ETHERNET, sizeof(*eth_key)); 2035 if (!nla) 2036 goto nla_put_failure; 2037 2038 eth_key = nla_data(nla); 2039 ether_addr_copy(eth_key->eth_src, output->eth.src); 2040 ether_addr_copy(eth_key->eth_dst, output->eth.dst); 2041 2042 if (swkey->eth.vlan.tci || eth_type_vlan(swkey->eth.type)) { 2043 if (ovs_nla_put_vlan(skb, &output->eth.vlan, is_mask)) 2044 goto nla_put_failure; 2045 encap = nla_nest_start_noflag(skb, OVS_KEY_ATTR_ENCAP); 2046 if (!swkey->eth.vlan.tci) 2047 goto unencap; 2048 2049 if (swkey->eth.cvlan.tci || eth_type_vlan(swkey->eth.type)) { 2050 if (ovs_nla_put_vlan(skb, &output->eth.cvlan, is_mask)) 2051 goto nla_put_failure; 2052 in_encap = 
nla_nest_start_noflag(skb, 2053 OVS_KEY_ATTR_ENCAP); 2054 if (!swkey->eth.cvlan.tci) 2055 goto unencap; 2056 } 2057 } 2058 2059 if (swkey->eth.type == htons(ETH_P_802_2)) { 2060 /* 2061 * Ethertype 802.2 is represented in the netlink with omitted 2062 * OVS_KEY_ATTR_ETHERTYPE in the flow key attribute, and 2063 * 0xffff in the mask attribute. Ethertype can also 2064 * be wildcarded. 2065 */ 2066 if (is_mask && output->eth.type) 2067 if (nla_put_be16(skb, OVS_KEY_ATTR_ETHERTYPE, 2068 output->eth.type)) 2069 goto nla_put_failure; 2070 goto unencap; 2071 } 2072 } 2073 2074 if (nla_put_be16(skb, OVS_KEY_ATTR_ETHERTYPE, output->eth.type)) 2075 goto nla_put_failure; 2076 2077 if (eth_type_vlan(swkey->eth.type)) { 2078 /* There are 3 VLAN tags, we don't know anything about the rest 2079 * of the packet, so truncate here. 2080 */ 2081 WARN_ON_ONCE(!(encap && in_encap)); 2082 goto unencap; 2083 } 2084 2085 if (swkey->eth.type == htons(ETH_P_IP)) { 2086 struct ovs_key_ipv4 *ipv4_key; 2087 2088 nla = nla_reserve(skb, OVS_KEY_ATTR_IPV4, sizeof(*ipv4_key)); 2089 if (!nla) 2090 goto nla_put_failure; 2091 ipv4_key = nla_data(nla); 2092 ipv4_key->ipv4_src = output->ipv4.addr.src; 2093 ipv4_key->ipv4_dst = output->ipv4.addr.dst; 2094 ipv4_key->ipv4_proto = output->ip.proto; 2095 ipv4_key->ipv4_tos = output->ip.tos; 2096 ipv4_key->ipv4_ttl = output->ip.ttl; 2097 ipv4_key->ipv4_frag = output->ip.frag; 2098 } else if (swkey->eth.type == htons(ETH_P_IPV6)) { 2099 struct ovs_key_ipv6 *ipv6_key; 2100 2101 nla = nla_reserve(skb, OVS_KEY_ATTR_IPV6, sizeof(*ipv6_key)); 2102 if (!nla) 2103 goto nla_put_failure; 2104 ipv6_key = nla_data(nla); 2105 memcpy(ipv6_key->ipv6_src, &output->ipv6.addr.src, 2106 sizeof(ipv6_key->ipv6_src)); 2107 memcpy(ipv6_key->ipv6_dst, &output->ipv6.addr.dst, 2108 sizeof(ipv6_key->ipv6_dst)); 2109 ipv6_key->ipv6_label = output->ipv6.label; 2110 ipv6_key->ipv6_proto = output->ip.proto; 2111 ipv6_key->ipv6_tclass = output->ip.tos; 2112 ipv6_key->ipv6_hlimit = 
output->ip.ttl; 2113 ipv6_key->ipv6_frag = output->ip.frag; 2114 } else if (swkey->eth.type == htons(ETH_P_NSH)) { 2115 if (nsh_key_to_nlattr(&output->nsh, is_mask, skb)) 2116 goto nla_put_failure; 2117 } else if (swkey->eth.type == htons(ETH_P_ARP) || 2118 swkey->eth.type == htons(ETH_P_RARP)) { 2119 struct ovs_key_arp *arp_key; 2120 2121 nla = nla_reserve(skb, OVS_KEY_ATTR_ARP, sizeof(*arp_key)); 2122 if (!nla) 2123 goto nla_put_failure; 2124 arp_key = nla_data(nla); 2125 memset(arp_key, 0, sizeof(struct ovs_key_arp)); 2126 arp_key->arp_sip = output->ipv4.addr.src; 2127 arp_key->arp_tip = output->ipv4.addr.dst; 2128 arp_key->arp_op = htons(output->ip.proto); 2129 ether_addr_copy(arp_key->arp_sha, output->ipv4.arp.sha); 2130 ether_addr_copy(arp_key->arp_tha, output->ipv4.arp.tha); 2131 } else if (eth_p_mpls(swkey->eth.type)) { 2132 u8 i, num_labels; 2133 struct ovs_key_mpls *mpls_key; 2134 2135 num_labels = hweight_long(output->mpls.num_labels_mask); 2136 nla = nla_reserve(skb, OVS_KEY_ATTR_MPLS, 2137 num_labels * sizeof(*mpls_key)); 2138 if (!nla) 2139 goto nla_put_failure; 2140 2141 mpls_key = nla_data(nla); 2142 for (i = 0; i < num_labels; i++) 2143 mpls_key[i].mpls_lse = output->mpls.lse[i]; 2144 } 2145 2146 if ((swkey->eth.type == htons(ETH_P_IP) || 2147 swkey->eth.type == htons(ETH_P_IPV6)) && 2148 swkey->ip.frag != OVS_FRAG_TYPE_LATER) { 2149 2150 if (swkey->ip.proto == IPPROTO_TCP) { 2151 struct ovs_key_tcp *tcp_key; 2152 2153 nla = nla_reserve(skb, OVS_KEY_ATTR_TCP, sizeof(*tcp_key)); 2154 if (!nla) 2155 goto nla_put_failure; 2156 tcp_key = nla_data(nla); 2157 tcp_key->tcp_src = output->tp.src; 2158 tcp_key->tcp_dst = output->tp.dst; 2159 if (nla_put_be16(skb, OVS_KEY_ATTR_TCP_FLAGS, 2160 output->tp.flags)) 2161 goto nla_put_failure; 2162 } else if (swkey->ip.proto == IPPROTO_UDP) { 2163 struct ovs_key_udp *udp_key; 2164 2165 nla = nla_reserve(skb, OVS_KEY_ATTR_UDP, sizeof(*udp_key)); 2166 if (!nla) 2167 goto nla_put_failure; 2168 udp_key = nla_data(nla); 
2169 udp_key->udp_src = output->tp.src; 2170 udp_key->udp_dst = output->tp.dst; 2171 } else if (swkey->ip.proto == IPPROTO_SCTP) { 2172 struct ovs_key_sctp *sctp_key; 2173 2174 nla = nla_reserve(skb, OVS_KEY_ATTR_SCTP, sizeof(*sctp_key)); 2175 if (!nla) 2176 goto nla_put_failure; 2177 sctp_key = nla_data(nla); 2178 sctp_key->sctp_src = output->tp.src; 2179 sctp_key->sctp_dst = output->tp.dst; 2180 } else if (swkey->eth.type == htons(ETH_P_IP) && 2181 swkey->ip.proto == IPPROTO_ICMP) { 2182 struct ovs_key_icmp *icmp_key; 2183 2184 nla = nla_reserve(skb, OVS_KEY_ATTR_ICMP, sizeof(*icmp_key)); 2185 if (!nla) 2186 goto nla_put_failure; 2187 icmp_key = nla_data(nla); 2188 icmp_key->icmp_type = ntohs(output->tp.src); 2189 icmp_key->icmp_code = ntohs(output->tp.dst); 2190 } else if (swkey->eth.type == htons(ETH_P_IPV6) && 2191 swkey->ip.proto == IPPROTO_ICMPV6) { 2192 struct ovs_key_icmpv6 *icmpv6_key; 2193 2194 nla = nla_reserve(skb, OVS_KEY_ATTR_ICMPV6, 2195 sizeof(*icmpv6_key)); 2196 if (!nla) 2197 goto nla_put_failure; 2198 icmpv6_key = nla_data(nla); 2199 icmpv6_key->icmpv6_type = ntohs(output->tp.src); 2200 icmpv6_key->icmpv6_code = ntohs(output->tp.dst); 2201 2202 if (icmpv6_key->icmpv6_type == NDISC_NEIGHBOUR_SOLICITATION || 2203 icmpv6_key->icmpv6_type == NDISC_NEIGHBOUR_ADVERTISEMENT) { 2204 struct ovs_key_nd *nd_key; 2205 2206 nla = nla_reserve(skb, OVS_KEY_ATTR_ND, sizeof(*nd_key)); 2207 if (!nla) 2208 goto nla_put_failure; 2209 nd_key = nla_data(nla); 2210 memcpy(nd_key->nd_target, &output->ipv6.nd.target, 2211 sizeof(nd_key->nd_target)); 2212 ether_addr_copy(nd_key->nd_sll, output->ipv6.nd.sll); 2213 ether_addr_copy(nd_key->nd_tll, output->ipv6.nd.tll); 2214 } 2215 } 2216 } 2217 2218 unencap: 2219 if (in_encap) 2220 nla_nest_end(skb, in_encap); 2221 if (encap) 2222 nla_nest_end(skb, encap); 2223 2224 return 0; 2225 2226 nla_put_failure: 2227 return -EMSGSIZE; 2228 } 2229 2230 int ovs_nla_put_key(const struct sw_flow_key *swkey, 2231 const struct sw_flow_key 
*output, int attr, bool is_mask, 2232 struct sk_buff *skb) 2233 { 2234 int err; 2235 struct nlattr *nla; 2236 2237 nla = nla_nest_start_noflag(skb, attr); 2238 if (!nla) 2239 return -EMSGSIZE; 2240 err = __ovs_nla_put_key(swkey, output, is_mask, skb); 2241 if (err) 2242 return err; 2243 nla_nest_end(skb, nla); 2244 2245 return 0; 2246 } 2247 2248 /* Called with ovs_mutex or RCU read lock. */ 2249 int ovs_nla_put_identifier(const struct sw_flow *flow, struct sk_buff *skb) 2250 { 2251 if (ovs_identifier_is_ufid(&flow->id)) 2252 return nla_put(skb, OVS_FLOW_ATTR_UFID, flow->id.ufid_len, 2253 flow->id.ufid); 2254 2255 return ovs_nla_put_key(flow->id.unmasked_key, flow->id.unmasked_key, 2256 OVS_FLOW_ATTR_KEY, false, skb); 2257 } 2258 2259 /* Called with ovs_mutex or RCU read lock. */ 2260 int ovs_nla_put_masked_key(const struct sw_flow *flow, struct sk_buff *skb) 2261 { 2262 return ovs_nla_put_key(&flow->key, &flow->key, 2263 OVS_FLOW_ATTR_KEY, false, skb); 2264 } 2265 2266 /* Called with ovs_mutex or RCU read lock. 
 */
int ovs_nla_put_mask(const struct sw_flow *flow, struct sk_buff *skb)
{
	const struct sw_flow_key *mask_key = &flow->mask->key;

	/* The flow key selects which attributes appear, the mask supplies
	 * the values that are written.
	 */
	return ovs_nla_put_key(&flow->key, mask_key, OVS_FLOW_ATTR_MASK,
			       true, skb);
}

#define MAX_ACTIONS_BUFSIZE	(32 * 1024)

/* Allocate an action list with room for 'size' bytes of attributes.
 * Only actions_len is initialised; the rest of the buffer comes from
 * kmalloc() as-is.  A size above MAX_ACTIONS_BUFSIZE triggers a one-time
 * warning but the allocation is still attempted.
 * Returns the new list or ERR_PTR(-ENOMEM).
 */
static struct sw_flow_actions *nla_alloc_flow_actions(int size)
{
	struct sw_flow_actions *acts;

	WARN_ON_ONCE(size > MAX_ACTIONS_BUFSIZE);

	acts = kmalloc(sizeof(*acts) + size, GFP_KERNEL);
	if (acts)
		acts->actions_len = 0;
	else
		acts = ERR_PTR(-ENOMEM);

	return acts;
}

/* Release what a stored SET action owns: for a tunnel-info key that is
 * the reference on the metadata dst; any other key type owns nothing.
 */
static void ovs_nla_free_set_action(const struct nlattr *a)
{
	const struct nlattr *inner = nla_data(a);
	struct ovs_tunnel_info *tun;

	if (nla_type(inner) != OVS_KEY_ATTR_TUNNEL_INFO)
		return;

	tun = nla_data(inner);
	dst_release((struct dst_entry *)tun->tun_dst);
}

/* Free an action list together with the resources its top-level SET and
 * CT actions hold.  A NULL list is accepted.
 *
 * NOTE(review): only the top level of the list is walked.  The copy
 * routines in this file store further action lists inside SAMPLE, CLONE
 * and CHECK_PKT_LEN actions; a tunnel SET or a CT action placed inside
 * one of those would not be visited here, so its reference would
 * presumably be leaked - confirm and, if so, descend into the nested
 * lists.
 */
void ovs_nla_free_flow_actions(struct sw_flow_actions *sf_acts)
{
	const struct nlattr *act;
	int left;

	if (!sf_acts)
		return;

	nla_for_each_attr(act, sf_acts->actions, sf_acts->actions_len, left) {
		int type = nla_type(act);

		if (type == OVS_ACTION_ATTR_SET)
			ovs_nla_free_set_action(act);
		else if (type == OVS_ACTION_ATTR_CT)
			ovs_ct_free_action(act);
	}

	kfree(sf_acts);
}

/* RCU callback: map the rcu_head back to its action list and free it. */
static void __ovs_nla_free_flow_actions(struct rcu_head *head)
{
	struct sw_flow_actions *acts;

	acts = container_of(head, struct sw_flow_actions, rcu);
	ovs_nla_free_flow_actions(acts);
}

/* Schedules 'sf_acts' to be freed after the next RCU grace period.
 * The caller must hold rcu_read_lock for this to be sensible.
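 */
void ovs_nla_free_flow_actions_rcu(struct sw_flow_actions *sf_acts)
{
	/* Unlike ovs_nla_free_flow_actions(), 'sf_acts' is dereferenced
	 * unconditionally here, so it must not be NULL.
	 */
	call_rcu(&sf_acts->rcu, __ovs_nla_free_flow_actions);
}

/* Reserve room for one attribute of 'attr_len' bytes (rounded up to the
 * netlink alignment) at the end of the action list and account for it in
 * actions_len.
 *
 * When the current allocation is too small a larger list is allocated,
 * the existing actions are copied over and the old list is kfree()d, so
 * '*sfa' may change and pointers into the old list become invalid.
 *
 * Returns a pointer to the reserved space, ERR_PTR(-EMSGSIZE) when the
 * list would grow beyond MAX_ACTIONS_BUFSIZE, or the allocation error.
 */
static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa,
				       int attr_len, bool log)
{

	struct sw_flow_actions *acts;
	int new_acts_size;
	size_t req_size = NLA_ALIGN(attr_len);
	/* Offset of the new attribute from the start of the struct, i.e.
	 * header plus the bytes already used.
	 */
	int next_offset = offsetof(struct sw_flow_actions, actions) +
					(*sfa)->actions_len;

	/* Capacity is whatever the allocator actually handed out. */
	if (req_size <= (ksize(*sfa) - next_offset))
		goto out;

	new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2);

	if (new_acts_size > MAX_ACTIONS_BUFSIZE) {
		/* Compare the sum against the limit instead of computing
		 * 'MAX_ACTIONS_BUFSIZE - next_offset'.  next_offset is a
		 * signed int that includes the struct header and can exceed
		 * the limit; the difference would then be negative and,
		 * once converted to size_t for the comparison with
		 * req_size, look like a huge amount of free room.  The
		 * limit would not trigger and the attribute written at
		 * 'out' could land past the end of the new buffer.
		 */
		if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE) {
			OVS_NLERR(log, "Flow action size exceeds max %u",
				  MAX_ACTIONS_BUFSIZE);
			return ERR_PTR(-EMSGSIZE);
		}
		new_acts_size = MAX_ACTIONS_BUFSIZE;
	}

	acts = nla_alloc_flow_actions(new_acts_size);
	if (IS_ERR(acts))
		return (void *)acts;

	memcpy(acts->actions, (*sfa)->actions, (*sfa)->actions_len);
	acts->actions_len = (*sfa)->actions_len;
	acts->orig_len = (*sfa)->orig_len;
	kfree(*sfa);
	*sfa = acts;

out:
	(*sfa)->actions_len += req_size;
	return (struct nlattr *) ((unsigned char *)(*sfa) + next_offset);
}

/* Append one attribute of type 'attrtype' with a 'len'-byte payload.
 *
 * With a NULL 'data' only the header and the trailing padding are
 * written; the payload bytes stay as allocated and the caller is expected
 * to fill them before the list is used.
 *
 * Returns the new attribute or the ERR_PTR from reserve_sfa_size().
 */
static struct nlattr *__add_action(struct sw_flow_actions **sfa,
				   int attrtype, void *data, int len, bool log)
{
	struct nlattr *a;

	a = reserve_sfa_size(sfa, nla_attr_size(len), log);
	if (IS_ERR(a))
		return a;

	a->nla_type = attrtype;
	a->nla_len = nla_attr_size(len);

	if (data)
		memcpy(nla_data(a), data, len);
	/* Zero the alignment padding after the payload. */
	memset((unsigned char *) a + a->nla_len, 0, nla_padlen(len));

	return a;
}

int ovs_nla_add_action(struct sw_flow_actions **sfa, int attrtype, void *data,
		       int len, bool log)
{
	struct nlattr *a;

	a = __add_action(sfa, attrtype, data, len, log);
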
	return PTR_ERR_OR_ZERO(a);
}

/* Open a nested action: append an empty attribute of type 'attrtype'.
 * Returns the offset of that attribute within sfa->actions (to be passed
 * to add_nested_action_end()), or a negative error.
 */
static inline int add_nested_action_start(struct sw_flow_actions **sfa,
					  int attrtype, bool log)
{
	/* Sample the offset first; the list may be reallocated below, which
	 * is why an offset rather than a pointer is handed back.
	 */
	int used = (*sfa)->actions_len;
	int err;

	err = ovs_nla_add_action(sfa, attrtype, NULL, 0, log);
	if (err)
		return err;

	return used;
}

/* Close a nested action: patch the length of the attribute at
 * 'st_offset' so that it covers everything appended since it was opened.
 */
static inline void add_nested_action_end(struct sw_flow_actions *sfa,
					 int st_offset)
{
	struct nlattr *a = (struct nlattr *) ((unsigned char *)sfa->actions +
							       st_offset);

	a->nla_len = sfa->actions_len - st_offset;
}

static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
				  const struct sw_flow_key *key,
				  struct sw_flow_actions **sfa,
				  __be16 eth_type, __be16 vlan_tci,
				  u32 mpls_label_count, bool log);

/* Validate a userspace OVS_ACTION_ATTR_SAMPLE and store it as
 * SAMPLE { OVS_SAMPLE_ATTR_ARG, <copied nested actions> }.
 *
 * 'last' tells whether this is the final action of the enclosing list.
 * Returns 0 or a negative error.  On an error after the nest was opened
 * the SAMPLE attribute is left unterminated in '*sfa'; the caller is
 * expected to drop the whole list (ovs_nla_copy_actions() does).
 */
static int validate_and_copy_sample(struct net *net, const struct nlattr *attr,
				    const struct sw_flow_key *key,
				    struct sw_flow_actions **sfa,
				    __be16 eth_type, __be16 vlan_tci,
				    u32 mpls_label_count, bool log, bool last)
{
	const struct nlattr *attrs[OVS_SAMPLE_ATTR_MAX + 1];
	const struct nlattr *probability, *actions;
	const struct nlattr *a;
	int rem, start, err;
	struct sample_arg arg;

	/* Hand-rolled parse: unknown, zero and duplicate types are all
	 * rejected.
	 */
	memset(attrs, 0, sizeof(attrs));
	nla_for_each_nested(a, attr, rem) {
		int type = nla_type(a);
		if (!type || type > OVS_SAMPLE_ATTR_MAX || attrs[type])
			return -EINVAL;
		attrs[type] = a;
	}
	/* Trailing bytes that do not form a whole attribute. */
	if (rem)
		return -EINVAL;

	probability = attrs[OVS_SAMPLE_ATTR_PROBABILITY];
	if (!probability || nla_len(probability) != sizeof(u32))
		return -EINVAL;

	/* The action list may be empty, but if it is not it must at least
	 * hold one attribute header.
	 */
	actions = attrs[OVS_SAMPLE_ATTR_ACTIONS];
	if (!actions || (nla_len(actions) && nla_len(actions) < NLA_HDRLEN))
		return -EINVAL;

	/* validation done, copy sample action. */
	start = add_nested_action_start(sfa, OVS_ACTION_ATTR_SAMPLE, log);
	if (start < 0)
		return start;

	/* When both skb and flow may be changed, put the sample
	 * into a deferred fifo. On the other hand, if only skb
	 * may be modified, the actions can be executed in place.
	 *
	 * Do this analysis at the flow installation time.
	 * Set 'clone_action->exec' to true if the actions can be
	 * executed without being deferred.
	 *
	 * If the sample is the last action, it can always be executed
	 * rather than deferred.
	 */
	arg.exec = last || !actions_may_change_flow(actions);
	arg.probability = nla_get_u32(probability);

	/* NOTE(review): 'arg' is filled member by member and then copied
	 * with sizeof(arg); if struct sample_arg has padding those bytes
	 * come from the stack uninitialised - confirm the layout or
	 * zero-initialise.
	 */
	err = ovs_nla_add_action(sfa, OVS_SAMPLE_ATTR_ARG, &arg, sizeof(arg),
				 log);
	if (err)
		return err;

	/* Recurses into the generic validator for the nested list. */
	err = __ovs_nla_copy_actions(net, actions, key, sfa,
				     eth_type, vlan_tci, mpls_label_count, log);

	if (err)
		return err;

	add_nested_action_end(*sfa, start);

	return 0;
}

/* Validate a userspace OVS_ACTION_ATTR_CLONE and store it as
 * CLONE { OVS_CLONE_ATTR_EXEC, <copied nested actions> }.
 * Same error behaviour as validate_and_copy_sample().
 */
static int validate_and_copy_clone(struct net *net,
				   const struct nlattr *attr,
				   const struct sw_flow_key *key,
				   struct sw_flow_actions **sfa,
				   __be16 eth_type, __be16 vlan_tci,
				   u32 mpls_label_count, bool log, bool last)
{
	int start, err;
	u32 exec;

	/* Empty is fine; otherwise at least one attribute header. */
	if (nla_len(attr) && nla_len(attr) < NLA_HDRLEN)
		return -EINVAL;

	start = add_nested_action_start(sfa, OVS_ACTION_ATTR_CLONE, log);
	if (start < 0)
		return start;

	exec = last || !actions_may_change_flow(attr);

	err = ovs_nla_add_action(sfa, OVS_CLONE_ATTR_EXEC, &exec,
				 sizeof(exec), log);
	if (err)
		return err;

	err = __ovs_nla_copy_actions(net, attr, key, sfa,
				     eth_type, vlan_tci, mpls_label_count, log);
	if (err)
		return err;

	add_nested_action_end(*sfa, start);

	return 0;
}

/* Initialise 'match' to point at 'key' and 'mask' (which may be NULL).
 * The key is zeroed only when 'reset_key' is set; a non-NULL mask always
 * has its key and range cleared.
 */
void ovs_match_init(struct sw_flow_match *match,
		    struct sw_flow_key *key,
		    bool reset_key,
		    struct sw_flow_mask *mask)
{
	memset(match, 0, sizeof(*match));
	match->key = key;
	match->mask = mask;

	if (reset_key)
		memset(key, 0, sizeof(*key));

	if (mask) {
		memset(&mask->key, 0, sizeof(mask->key));
		mask->range.start = mask->range.end = 0;
	}
}

/* Walk the Geneve options stored in 'key' and check that the chain of
 * option headers and lengths fits exactly inside tun_opts_len.  Sets
 * TUNNEL_CRIT_OPT in the tunnel flags when any option has the critical
 * bit.  Returns 0 or -EINVAL.
 */
static int validate_geneve_opts(struct sw_flow_key *key)
{
	struct geneve_opt *option;
	int opts_len = key->tun_opts_len;
	bool crit_opt = false;

	option = (struct geneve_opt *)TUN_METADATA_OPTS(key, key->tun_opts_len);
	while (opts_len > 0) {
		int len;

		/* Signed/unsigned comparison, but opts_len is known to be
		 * positive inside the loop.  Must come before option->length
		 * is read.
		 */
		if (opts_len < sizeof(*option))
			return -EINVAL;

		/* option->length counts 4-byte words after the header. */
		len = sizeof(*option) + option->length * 4;
		if (len > opts_len)
			return -EINVAL;

		crit_opt |= !!(option->type & GENEVE_CRIT_OPT_TYPE);

		option = (struct geneve_opt *)((u8 *)option + len);
		opts_len -= len;
	}

	key->tun_key.tun_flags |= crit_opt ? TUNNEL_CRIT_OPT : 0;

	return 0;
}

/* Validate a tunnel SET action and store it as
 * SET { OVS_KEY_ATTR_TUNNEL_INFO = pointer to a new metadata dst }.
 *
 * The metadata dst allocated here is owned by the stored action from the
 * moment ovs_tun->tun_dst is assigned; before that, the error paths
 * release it themselves.
 *
 * NOTE(review): every error return after add_nested_action_start()
 * leaves an OVS_ACTION_ATTR_SET header with no payload in '*sfa'.  On
 * error ovs_nla_copy_actions() frees the list through
 * ovs_nla_free_flow_actions(), which passes each top-level SET to
 * ovs_nla_free_set_action(); that helper reads the attribute type found
 * at nla_data() - bytes this function never wrote.  Worth confirming
 * that this cannot be taken for OVS_KEY_ATTR_TUNNEL_INFO.
 */
static int validate_and_copy_set_tun(const struct nlattr *attr,
				     struct sw_flow_actions **sfa, bool log)
{
	struct sw_flow_match match;
	struct sw_flow_key key;
	struct metadata_dst *tun_dst;
	struct ip_tunnel_info *tun_info;
	struct ovs_tunnel_info *ovs_tun;
	struct nlattr *a;
	int err = 0, start, opts_type;
	__be16 dst_opt_type;

	dst_opt_type = 0;
	/* Parse the tunnel attributes into a zeroed on-stack key. */
	ovs_match_init(&match, &key, true, NULL);
	opts_type = ip_tun_from_nlattr(nla_data(attr), &match, false, log);
	if (opts_type < 0)
		return opts_type;

	if (key.tun_opts_len) {
		switch (opts_type) {
		case OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS:
			err = validate_geneve_opts(&key);
			if (err < 0)
				return err;
			dst_opt_type = TUNNEL_GENEVE_OPT;
			break;
		case OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS:
			dst_opt_type = TUNNEL_VXLAN_OPT;
			break;
		case OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS:
			dst_opt_type = TUNNEL_ERSPAN_OPT;
			break;
		}
	}

	start = add_nested_action_start(sfa, OVS_ACTION_ATTR_SET, log);
	if (start < 0)
		return start;

	tun_dst = metadata_dst_alloc(key.tun_opts_len, METADATA_IP_TUNNEL,
				     GFP_KERNEL);

	if (!tun_dst)
		return -ENOMEM;

	err = dst_cache_init(&tun_dst->u.tun_info.dst_cache, GFP_KERNEL);
	if (err) {
		dst_release((struct dst_entry *)tun_dst);
		return err;
	}

	/* Payload is reserved without data and filled in right below. */
	a = __add_action(sfa, OVS_KEY_ATTR_TUNNEL_INFO, NULL,
			 sizeof(*ovs_tun), log);
	if (IS_ERR(a)) {
		dst_release((struct dst_entry *)tun_dst);
		return PTR_ERR(a);
	}

	ovs_tun = nla_data(a);
	ovs_tun->tun_dst = tun_dst;

	tun_info = &tun_dst->u.tun_info;
	tun_info->mode = IP_TUNNEL_INFO_TX;
	if (key.tun_proto == AF_INET6)
		tun_info->mode |= IP_TUNNEL_INFO_IPV6;
	else if (key.tun_proto == AF_INET && key.tun_key.u.ipv4.dst == 0)
		tun_info->mode |= IP_TUNNEL_INFO_BRIDGE;
	tun_info->key = key.tun_key;

	/* We need to store the options in the action itself since
	 * everything else will go away after flow setup. We can append
	 * it to tun_info and then point there.
	 */
	ip_tunnel_info_opts_set(tun_info,
				TUN_METADATA_OPTS(&key, key.tun_opts_len),
				key.tun_opts_len, dst_opt_type);
	add_nested_action_end(*sfa, start);

	return err;
}

/* Check an NSH key by parsing it into a throw-away match.
 * Returns true when nsh_key_put_from_nlattr() accepts it.
 */
static bool validate_nsh(const struct nlattr *attr, bool is_mask,
			 bool is_push_nsh, bool log)
{
	struct sw_flow_match match;
	struct sw_flow_key key;
	int ret = 0;

	ovs_match_init(&match, &key, true, NULL);
	ret = nsh_key_put_from_nlattr(attr, &match, is_mask,
				      is_push_nsh, log);
	return !ret;
}

/* Return false if there are any non-masked bits set.
 * Mask follows data immediately, before any netlink padding.
 *
 * Reads 2 * len bytes starting at 'data'; the caller has to guarantee
 * that many are present.
 */
static bool validate_masked(u8 *data, int len)
{
	u8 *mask = data + len;

	while (len--)
		if (*data++ & ~*mask++)
			return false;

	return true;
}

/* Validate one SET or SET_MASKED action supplied by userspace.
 *
 * @a:         the action attribute; its payload is a single key attribute
 *             (value, or value followed by mask when 'masked').
 * @flow_key:  key the actions will be attached to; some fields must agree
 *             with it.
 * @skip_copy: set to true when this function has already stored its own
 *             representation in '*sfa' and the caller must not copy 'a'.
 * @mac_proto, @eth_type: packet state as tracked by the caller.
 *
 * Returns 0 or a negative error.
 */
static int validate_set(const struct nlattr *a,
			const struct sw_flow_key *flow_key,
			struct sw_flow_actions **sfa, bool *skip_copy,
			u8 mac_proto, __be16 eth_type, bool masked, bool log)
{
	/* NOTE(review): the inner header is read before anything has shown
	 * that 'a' is long enough to contain one; the length check right
	 * below then rejects such input, so at most the header-sized read
	 * happens first - confirm that is acceptable for the last attribute
	 * of a message.
	 */
	const struct nlattr *ovs_key = nla_data(a);
	int key_type = nla_type(ovs_key);
	size_t key_len;

	/* There can be only one key in an action */
	if (nla_total_size(nla_len(ovs_key)) != nla_len(a))
		return -EINVAL;

	/* A masked key carries value and mask back to back. */
	key_len = nla_len(ovs_key);
	if (masked)
		key_len /= 2;

	/* The range check must precede the ovs_key_lens[] lookup. */
	if (key_type > OVS_KEY_ATTR_MAX ||
	    !check_attr_len(key_len, ovs_key_lens[key_type].len))
		return -EINVAL;

	if (masked && !validate_masked(nla_data(ovs_key), key_len))
		return -EINVAL;

	switch (key_type) {
	const struct ovs_key_ipv4 *ipv4_key;
	const struct ovs_key_ipv6 *ipv6_key;
	int err;

	case OVS_KEY_ATTR_PRIORITY:
	case OVS_KEY_ATTR_SKB_MARK:
	case OVS_KEY_ATTR_CT_MARK:
	case OVS_KEY_ATTR_CT_LABELS:
		break;

	case OVS_KEY_ATTR_ETHERNET:
		if (mac_proto != MAC_PROTO_ETHERNET)
			return -EINVAL;
		break;

	case OVS_KEY_ATTR_TUNNEL:
		if (masked)
			return -EINVAL; /* Masked tunnel set not supported. */

		*skip_copy = true;
		err = validate_and_copy_set_tun(a, sfa, log);
		if (err)
			return err;
		break;

	case OVS_KEY_ATTR_IPV4:
		if (eth_type != htons(ETH_P_IP))
			return -EINVAL;

		ipv4_key = nla_data(ovs_key);

		if (masked) {
			/* The mask struct directly follows the value. */
			const struct ovs_key_ipv4 *mask = ipv4_key + 1;

			/* Non-writeable fields. */
			if (mask->ipv4_proto || mask->ipv4_frag)
				return -EINVAL;
		} else {
			/* Unmasked: the read-only fields must repeat what the
			 * flow key already says.
			 */
			if (ipv4_key->ipv4_proto != flow_key->ip.proto)
				return -EINVAL;

			if (ipv4_key->ipv4_frag != flow_key->ip.frag)
				return -EINVAL;
		}
		break;

	case OVS_KEY_ATTR_IPV6:
		if (eth_type != htons(ETH_P_IPV6))
			return -EINVAL;

		ipv6_key = nla_data(ovs_key);

		if (masked) {
			const struct ovs_key_ipv6 *mask = ipv6_key + 1;

			/* Non-writeable fields. */
			if (mask->ipv6_proto || mask->ipv6_frag)
				return -EINVAL;

			/* Invalid bits in the flow label mask? */
			if (ntohl(mask->ipv6_label) & 0xFFF00000)
				return -EINVAL;
		} else {
			if (ipv6_key->ipv6_proto != flow_key->ip.proto)
				return -EINVAL;

			if (ipv6_key->ipv6_frag != flow_key->ip.frag)
				return -EINVAL;
		}
		/* The flow label is 20 bits wide. */
		if (ntohl(ipv6_key->ipv6_label) & 0xFFF00000)
			return -EINVAL;

		break;

	case OVS_KEY_ATTR_TCP:
		if ((eth_type != htons(ETH_P_IP) &&
		     eth_type != htons(ETH_P_IPV6)) ||
		    flow_key->ip.proto != IPPROTO_TCP)
			return -EINVAL;

		break;

	case OVS_KEY_ATTR_UDP:
		if ((eth_type != htons(ETH_P_IP) &&
		     eth_type != htons(ETH_P_IPV6)) ||
		    flow_key->ip.proto != IPPROTO_UDP)
			return -EINVAL;

		break;

	case OVS_KEY_ATTR_MPLS:
		if (!eth_p_mpls(eth_type))
			return -EINVAL;
		break;

	case OVS_KEY_ATTR_SCTP:
		if ((eth_type != htons(ETH_P_IP) &&
		     eth_type != htons(ETH_P_IPV6)) ||
		    flow_key->ip.proto != IPPROTO_SCTP)
			return -EINVAL;

		break;

	case OVS_KEY_ATTR_NSH:
		if (eth_type != htons(ETH_P_NSH))
			return -EINVAL;
		if (!validate_nsh(nla_data(a), masked, false, log))
			return -EINVAL;
		break;

	default:
		return -EINVAL;
	}

	/* Convert non-masked non-tunnel set actions to masked set actions. */
	if (!masked && key_type != OVS_KEY_ATTR_TUNNEL) {
		int start, len = key_len * 2;
		struct nlattr *at;

		*skip_copy = true;

		start = add_nested_action_start(sfa,
						OVS_ACTION_ATTR_SET_TO_MASKED,
						log);
		if (start < 0)
			return start;

		at = __add_action(sfa, key_type, NULL, len, log);
		if (IS_ERR(at))
			return PTR_ERR(at);

		memcpy(nla_data(at), nla_data(ovs_key), key_len); /* Key. */
		memset(nla_data(at) + key_len, 0xff, key_len);    /* Mask. */
		/* Clear non-writeable bits from otherwise writeable fields. */
		if (key_type == OVS_KEY_ATTR_IPV6) {
			struct ovs_key_ipv6 *mask = nla_data(at) + key_len;

			mask->ipv6_label &= htonl(0x000FFFFF);
		}
		add_nested_action_end(*sfa, start);
	}

	return 0;
}

/* Validate an OVS_ACTION_ATTR_USERSPACE action: the nested attributes
 * must satisfy the policy below and a non-zero PID must be present.
 */
static int validate_userspace(const struct nlattr *attr)
{
	static const struct nla_policy userspace_policy[OVS_USERSPACE_ATTR_MAX + 1] = {
		[OVS_USERSPACE_ATTR_PID] = {.type = NLA_U32 },
		[OVS_USERSPACE_ATTR_USERDATA] = {.type = NLA_UNSPEC },
		[OVS_USERSPACE_ATTR_EGRESS_TUN_PORT] = {.type = NLA_U32 },
	};
	struct nlattr *a[OVS_USERSPACE_ATTR_MAX + 1];
	int error;

	error = nla_parse_nested_deprecated(a, OVS_USERSPACE_ATTR_MAX, attr,
					    userspace_policy, NULL);
	if (error)
		return error;

	if (!a[OVS_USERSPACE_ATTR_PID] ||
	    !nla_get_u32(a[OVS_USERSPACE_ATTR_PID]))
		return -EINVAL;

	return 0;
}

/* Policy for the attributes nested in OVS_ACTION_ATTR_CHECK_PKT_LEN. */
static const struct nla_policy cpl_policy[OVS_CHECK_PKT_LEN_ATTR_MAX + 1] = {
	[OVS_CHECK_PKT_LEN_ATTR_PKT_LEN] = {.type = NLA_U16 },
	[OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER] = {.type = NLA_NESTED },
	[OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL] = {.type = NLA_NESTED },
};

static int validate_and_copy_check_pkt_len(struct net *net,
					   const struct nlattr *attr,
					   const struct sw_flow_key *key,
					   struct sw_flow_actions **sfa,
					   __be16 eth_type, __be16 vlan_tci,
					   u32 mpls_label_count,
					   bool log, bool last)
{
	const struct nlattr *acts_if_greater, *acts_if_lesser_eq;
	struct nlattr *a[OVS_CHECK_PKT_LEN_ATTR_MAX + 1];
	struct check_pkt_len_arg arg;
	int nested_acts_start;
	int start, err;

	err = nla_parse_deprecated_strict(a, OVS_CHECK_PKT_LEN_ATTR_MAX,
					  nla_data(attr), nla_len(attr),
					  cpl_policy, NULL);
	if (err)
		return err;

	/* A packet length must be given and must not be zero. */
	if (!a[OVS_CHECK_PKT_LEN_ATTR_PKT_LEN] ||
	    !nla_get_u16(a[OVS_CHECK_PKT_LEN_ATTR_PKT_LEN]))
		return -EINVAL;
2906 2907 acts_if_lesser_eq = a[OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL]; 2908 acts_if_greater = a[OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER]; 2909 2910 /* Both the nested action should be present. */ 2911 if (!acts_if_greater || !acts_if_lesser_eq) 2912 return -EINVAL; 2913 2914 /* validation done, copy the nested actions. */ 2915 start = add_nested_action_start(sfa, OVS_ACTION_ATTR_CHECK_PKT_LEN, 2916 log); 2917 if (start < 0) 2918 return start; 2919 2920 arg.pkt_len = nla_get_u16(a[OVS_CHECK_PKT_LEN_ATTR_PKT_LEN]); 2921 arg.exec_for_lesser_equal = 2922 last || !actions_may_change_flow(acts_if_lesser_eq); 2923 arg.exec_for_greater = 2924 last || !actions_may_change_flow(acts_if_greater); 2925 2926 err = ovs_nla_add_action(sfa, OVS_CHECK_PKT_LEN_ATTR_ARG, &arg, 2927 sizeof(arg), log); 2928 if (err) 2929 return err; 2930 2931 nested_acts_start = add_nested_action_start(sfa, 2932 OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL, log); 2933 if (nested_acts_start < 0) 2934 return nested_acts_start; 2935 2936 err = __ovs_nla_copy_actions(net, acts_if_lesser_eq, key, sfa, 2937 eth_type, vlan_tci, mpls_label_count, log); 2938 2939 if (err) 2940 return err; 2941 2942 add_nested_action_end(*sfa, nested_acts_start); 2943 2944 nested_acts_start = add_nested_action_start(sfa, 2945 OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER, log); 2946 if (nested_acts_start < 0) 2947 return nested_acts_start; 2948 2949 err = __ovs_nla_copy_actions(net, acts_if_greater, key, sfa, 2950 eth_type, vlan_tci, mpls_label_count, log); 2951 2952 if (err) 2953 return err; 2954 2955 add_nested_action_end(*sfa, nested_acts_start); 2956 add_nested_action_end(*sfa, start); 2957 return 0; 2958 } 2959 2960 static int copy_action(const struct nlattr *from, 2961 struct sw_flow_actions **sfa, bool log) 2962 { 2963 int totlen = NLA_ALIGN(from->nla_len); 2964 struct nlattr *to; 2965 2966 to = reserve_sfa_size(sfa, from->nla_len, log); 2967 if (IS_ERR(to)) 2968 return PTR_ERR(to); 2969 2970 memcpy(to, from, 
totlen); 2971 return 0; 2972 } 2973 2974 static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr, 2975 const struct sw_flow_key *key, 2976 struct sw_flow_actions **sfa, 2977 __be16 eth_type, __be16 vlan_tci, 2978 u32 mpls_label_count, bool log) 2979 { 2980 u8 mac_proto = ovs_key_mac_proto(key); 2981 const struct nlattr *a; 2982 int rem, err; 2983 2984 nla_for_each_nested(a, attr, rem) { 2985 /* Expected argument lengths, (u32)-1 for variable length. */ 2986 static const u32 action_lens[OVS_ACTION_ATTR_MAX + 1] = { 2987 [OVS_ACTION_ATTR_OUTPUT] = sizeof(u32), 2988 [OVS_ACTION_ATTR_RECIRC] = sizeof(u32), 2989 [OVS_ACTION_ATTR_USERSPACE] = (u32)-1, 2990 [OVS_ACTION_ATTR_PUSH_MPLS] = sizeof(struct ovs_action_push_mpls), 2991 [OVS_ACTION_ATTR_POP_MPLS] = sizeof(__be16), 2992 [OVS_ACTION_ATTR_PUSH_VLAN] = sizeof(struct ovs_action_push_vlan), 2993 [OVS_ACTION_ATTR_POP_VLAN] = 0, 2994 [OVS_ACTION_ATTR_SET] = (u32)-1, 2995 [OVS_ACTION_ATTR_SET_MASKED] = (u32)-1, 2996 [OVS_ACTION_ATTR_SAMPLE] = (u32)-1, 2997 [OVS_ACTION_ATTR_HASH] = sizeof(struct ovs_action_hash), 2998 [OVS_ACTION_ATTR_CT] = (u32)-1, 2999 [OVS_ACTION_ATTR_CT_CLEAR] = 0, 3000 [OVS_ACTION_ATTR_TRUNC] = sizeof(struct ovs_action_trunc), 3001 [OVS_ACTION_ATTR_PUSH_ETH] = sizeof(struct ovs_action_push_eth), 3002 [OVS_ACTION_ATTR_POP_ETH] = 0, 3003 [OVS_ACTION_ATTR_PUSH_NSH] = (u32)-1, 3004 [OVS_ACTION_ATTR_POP_NSH] = 0, 3005 [OVS_ACTION_ATTR_METER] = sizeof(u32), 3006 [OVS_ACTION_ATTR_CLONE] = (u32)-1, 3007 [OVS_ACTION_ATTR_CHECK_PKT_LEN] = (u32)-1, 3008 }; 3009 const struct ovs_action_push_vlan *vlan; 3010 int type = nla_type(a); 3011 bool skip_copy; 3012 3013 if (type > OVS_ACTION_ATTR_MAX || 3014 (action_lens[type] != nla_len(a) && 3015 action_lens[type] != (u32)-1)) 3016 return -EINVAL; 3017 3018 skip_copy = false; 3019 switch (type) { 3020 case OVS_ACTION_ATTR_UNSPEC: 3021 return -EINVAL; 3022 3023 case OVS_ACTION_ATTR_USERSPACE: 3024 err = validate_userspace(a); 3025 if (err) 3026 return 
err; 3027 break; 3028 3029 case OVS_ACTION_ATTR_OUTPUT: 3030 if (nla_get_u32(a) >= DP_MAX_PORTS) 3031 return -EINVAL; 3032 break; 3033 3034 case OVS_ACTION_ATTR_TRUNC: { 3035 const struct ovs_action_trunc *trunc = nla_data(a); 3036 3037 if (trunc->max_len < ETH_HLEN) 3038 return -EINVAL; 3039 break; 3040 } 3041 3042 case OVS_ACTION_ATTR_HASH: { 3043 const struct ovs_action_hash *act_hash = nla_data(a); 3044 3045 switch (act_hash->hash_alg) { 3046 case OVS_HASH_ALG_L4: 3047 break; 3048 default: 3049 return -EINVAL; 3050 } 3051 3052 break; 3053 } 3054 3055 case OVS_ACTION_ATTR_POP_VLAN: 3056 if (mac_proto != MAC_PROTO_ETHERNET) 3057 return -EINVAL; 3058 vlan_tci = htons(0); 3059 break; 3060 3061 case OVS_ACTION_ATTR_PUSH_VLAN: 3062 if (mac_proto != MAC_PROTO_ETHERNET) 3063 return -EINVAL; 3064 vlan = nla_data(a); 3065 if (!eth_type_vlan(vlan->vlan_tpid)) 3066 return -EINVAL; 3067 if (!(vlan->vlan_tci & htons(VLAN_CFI_MASK))) 3068 return -EINVAL; 3069 vlan_tci = vlan->vlan_tci; 3070 break; 3071 3072 case OVS_ACTION_ATTR_RECIRC: 3073 break; 3074 3075 case OVS_ACTION_ATTR_PUSH_MPLS: { 3076 const struct ovs_action_push_mpls *mpls = nla_data(a); 3077 3078 if (!eth_p_mpls(mpls->mpls_ethertype)) 3079 return -EINVAL; 3080 /* Prohibit push MPLS other than to a white list 3081 * for packets that have a known tag order. 
3082 */ 3083 if (vlan_tci & htons(VLAN_CFI_MASK) || 3084 (eth_type != htons(ETH_P_IP) && 3085 eth_type != htons(ETH_P_IPV6) && 3086 eth_type != htons(ETH_P_ARP) && 3087 eth_type != htons(ETH_P_RARP) && 3088 !eth_p_mpls(eth_type))) 3089 return -EINVAL; 3090 eth_type = mpls->mpls_ethertype; 3091 mpls_label_count++; 3092 break; 3093 } 3094 3095 case OVS_ACTION_ATTR_POP_MPLS: { 3096 __be16 proto; 3097 if (vlan_tci & htons(VLAN_CFI_MASK) || 3098 !eth_p_mpls(eth_type)) 3099 return -EINVAL; 3100 3101 /* Disallow subsequent L2.5+ set actions and mpls_pop 3102 * actions once the last MPLS label in the packet is 3103 * is popped as there is no check here to ensure that 3104 * the new eth type is valid and thus set actions could 3105 * write off the end of the packet or otherwise corrupt 3106 * it. 3107 * 3108 * Support for these actions is planned using packet 3109 * recirculation. 3110 */ 3111 proto = nla_get_be16(a); 3112 mpls_label_count--; 3113 3114 if (!eth_p_mpls(proto) || !mpls_label_count) 3115 eth_type = htons(0); 3116 else 3117 eth_type = proto; 3118 3119 break; 3120 } 3121 3122 case OVS_ACTION_ATTR_SET: 3123 err = validate_set(a, key, sfa, 3124 &skip_copy, mac_proto, eth_type, 3125 false, log); 3126 if (err) 3127 return err; 3128 break; 3129 3130 case OVS_ACTION_ATTR_SET_MASKED: 3131 err = validate_set(a, key, sfa, 3132 &skip_copy, mac_proto, eth_type, 3133 true, log); 3134 if (err) 3135 return err; 3136 break; 3137 3138 case OVS_ACTION_ATTR_SAMPLE: { 3139 bool last = nla_is_last(a, rem); 3140 3141 err = validate_and_copy_sample(net, a, key, sfa, 3142 eth_type, vlan_tci, 3143 mpls_label_count, 3144 log, last); 3145 if (err) 3146 return err; 3147 skip_copy = true; 3148 break; 3149 } 3150 3151 case OVS_ACTION_ATTR_CT: 3152 err = ovs_ct_copy_action(net, a, key, sfa, log); 3153 if (err) 3154 return err; 3155 skip_copy = true; 3156 break; 3157 3158 case OVS_ACTION_ATTR_CT_CLEAR: 3159 break; 3160 3161 case OVS_ACTION_ATTR_PUSH_ETH: 3162 /* Disallow pushing an Ethernet 
header if one 3163 * is already present */ 3164 if (mac_proto != MAC_PROTO_NONE) 3165 return -EINVAL; 3166 mac_proto = MAC_PROTO_ETHERNET; 3167 break; 3168 3169 case OVS_ACTION_ATTR_POP_ETH: 3170 if (mac_proto != MAC_PROTO_ETHERNET) 3171 return -EINVAL; 3172 if (vlan_tci & htons(VLAN_CFI_MASK)) 3173 return -EINVAL; 3174 mac_proto = MAC_PROTO_NONE; 3175 break; 3176 3177 case OVS_ACTION_ATTR_PUSH_NSH: 3178 if (mac_proto != MAC_PROTO_ETHERNET) { 3179 u8 next_proto; 3180 3181 next_proto = tun_p_from_eth_p(eth_type); 3182 if (!next_proto) 3183 return -EINVAL; 3184 } 3185 mac_proto = MAC_PROTO_NONE; 3186 if (!validate_nsh(nla_data(a), false, true, true)) 3187 return -EINVAL; 3188 break; 3189 3190 case OVS_ACTION_ATTR_POP_NSH: { 3191 __be16 inner_proto; 3192 3193 if (eth_type != htons(ETH_P_NSH)) 3194 return -EINVAL; 3195 inner_proto = tun_p_to_eth_p(key->nsh.base.np); 3196 if (!inner_proto) 3197 return -EINVAL; 3198 if (key->nsh.base.np == TUN_P_ETHERNET) 3199 mac_proto = MAC_PROTO_ETHERNET; 3200 else 3201 mac_proto = MAC_PROTO_NONE; 3202 break; 3203 } 3204 3205 case OVS_ACTION_ATTR_METER: 3206 /* Non-existent meters are simply ignored. 
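*/
			break;

		case OVS_ACTION_ATTR_CLONE: {
			bool last = nla_is_last(a, rem);

			err = validate_and_copy_clone(net, a, key, sfa,
						      eth_type, vlan_tci,
						      mpls_label_count,
						      log, last);
			if (err)
				return err;
			skip_copy = true;
			break;
		}

		case OVS_ACTION_ATTR_CHECK_PKT_LEN: {
			bool last = nla_is_last(a, rem);

			err = validate_and_copy_check_pkt_len(net, a, key, sfa,
							      eth_type,
							      vlan_tci,
							      mpls_label_count,
							      log, last);
			if (err)
				return err;
			skip_copy = true;
			break;
		}

		default:
			OVS_NLERR(log, "Unknown Action type %d", type);
			return -EINVAL;
		}
		if (!skip_copy) {
			err = copy_action(a, sfa, log);
			if (err)
				return err;
		}
	}

	if (rem > 0)
		return -EINVAL;

	return 0;
}

/* Validate the netlink action list in 'attr' against 'key' and build the
 * kernel-internal copy in a newly allocated '*sfa'.
 *
 * 'key' must be the masked key.
 *
 * Returns 0 on success or a negative errno.  On failure nothing is handed
 * to the caller: '*sfa' is either an ERR_PTR (allocation failed) or points
 * at a buffer that has already been released here, so the caller must
 * neither use nor free it.
 */
int ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
			 const struct sw_flow_key *key,
			 struct sw_flow_actions **sfa, bool log)
{
	int err;
	u32 mpls_label_count = 0;

	/* The initial allocation is capped at MAX_ACTIONS_BUFSIZE no matter
	 * how long the submitted attribute claims to be.
	 */
	*sfa = nla_alloc_flow_actions(min(nla_len(attr), MAX_ACTIONS_BUFSIZE));
	if (IS_ERR(*sfa))
		return PTR_ERR(*sfa);

	/* Seed the MPLS depth from the key so that push/pop validation
	 * starts from the number of labels the key says are present.
	 */
	if (eth_p_mpls(key->eth.type))
		mpls_label_count = hweight_long(key->mpls.num_labels_mask);

	/* Record the length as submitted, not the (possibly capped) size. */
	(*sfa)->orig_len = nla_len(attr);
	err = __ovs_nla_copy_actions(net, attr, key, sfa, key->eth.type,
				     key->eth.vlan.tci, mpls_label_count, log);
	if (err)
		ovs_nla_free_flow_actions(*sfa);

	return err;
}

/* Serialize an internal sample action into 'skb' as a nested
 * OVS_ACTION_ATTR_SAMPLE attribute.
 *
 * The payload of 'attr' is read as an argument attribute (a struct
 * sample_arg) immediately followed by the action list.  That layout is
 * trusted, not re-checked here; presumably it is what
 * validate_and_copy_sample() produced -- confirm against that helper.
 *
 * Returns 0 on success or a negative errno; on failure the partially
 * written nest is removed from 'skb'.
 */
static int sample_action_to_attr(const struct nlattr *attr,
				 struct sk_buff *skb)
{
	struct nlattr *start, *ac_start = NULL, *sample_arg;
	int err = 0, rem = nla_len(attr);
	const struct sample_arg *arg;
	struct nlattr *actions;

	start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_SAMPLE);
	if (!start)
		return -EMSGSIZE;

	sample_arg = nla_data(attr);
	arg = nla_data(sample_arg);
	/* nla_next() also reduces 'rem' to the length of what follows. */
	actions = nla_next(sample_arg, &rem);

	if (nla_put_u32(skb, OVS_SAMPLE_ATTR_PROBABILITY, arg->probability)) {
		err = -EMSGSIZE;
		goto out;
	}

	ac_start = nla_nest_start_noflag(skb, OVS_SAMPLE_ATTR_ACTIONS);
	if (!ac_start) {
		err = -EMSGSIZE;
		goto out;
	}

	err = ovs_nla_put_actions(actions, rem, skb);

out:
	if (err) {
		/* NOTE(review): 'ac_start' is still NULL when the failure
		 * happened before the inner nest was opened; this relies on
		 * nla_nest_cancel() accepting a NULL nest -- confirm.
		 */
		nla_nest_cancel(skb, ac_start);
		nla_nest_cancel(skb, start);
	} else {
		nla_nest_end(skb, ac_start);
		nla_nest_end(skb, start);
	}

	return err;
}

/* Serialize an internal clone action into 'skb' as a nested
 * OVS_ACTION_ATTR_CLONE attribute whose body is the converted action list
 * held in the payload of 'attr'.
 *
 * Returns 0 on success or a negative errno; on failure the nest is
 * cancelled so that no partial attribute is left in 'skb'.
 */
static int clone_action_to_attr(const struct nlattr *attr,
				struct sk_buff *skb)
{
	struct nlattr *start;
	int err = 0, rem = nla_len(attr);

	start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_CLONE);
	if (!start)
		return -EMSGSIZE;

	err = ovs_nla_put_actions(nla_data(attr), rem, skb);

	if (err)
		nla_nest_cancel(skb, start);
	else
		nla_nest_end(skb, start);

	return err;
}

/* Serialize an internal check_pkt_len action into 'skb' as a nested
 * OVS_ACTION_ATTR_CHECK_PKT_LEN attribute.
 *
 * The payload of 'attr' is walked positionally (argument, then the two
 * action lists) and no attribute type or remaining length is verified on
 * the way; the order is trusted as an internal invariant.
 *
 * Returns 0 on success or a negative errno; on failure every nest opened
 * here is cancelled.
 */
static int check_pkt_len_action_to_attr(const struct nlattr *attr,
					struct sk_buff *skb)
{
	struct nlattr *start, *ac_start = NULL;
	const struct check_pkt_len_arg *arg;
	const struct nlattr *a, *cpl_arg;
	int err = 0, rem = nla_len(attr);

	start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_CHECK_PKT_LEN);
	if (!start)
		return -EMSGSIZE;

	/* The first nested attribute in 'attr' is always
	 * 'OVS_CHECK_PKT_LEN_ATTR_ARG'.
	 */
	cpl_arg = nla_data(attr);
	arg = nla_data(cpl_arg);

	if (nla_put_u16(skb, OVS_CHECK_PKT_LEN_ATTR_PKT_LEN, arg->pkt_len)) {
		err = -EMSGSIZE;
		goto out;
	}

	/* Second nested attribute in 'attr' is always
	 * 'OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL'.
	 */
	a = nla_next(cpl_arg, &rem);
	ac_start = nla_nest_start_noflag(skb,
					 OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL);
	if (!ac_start) {
		err = -EMSGSIZE;
		goto out;
	}

	err = ovs_nla_put_actions(nla_data(a), nla_len(a), skb);
	if (err) {
		nla_nest_cancel(skb, ac_start);
		goto out;
	}
	nla_nest_end(skb, ac_start);

	/* Third nested attribute in 'attr' is always
	 * OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER.
	 */
	a = nla_next(a, &rem);
	ac_start = nla_nest_start_noflag(skb,
					 OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER);
	if (!ac_start) {
		err = -EMSGSIZE;
		goto out;
	}

	err = ovs_nla_put_actions(nla_data(a), nla_len(a), skb);
	if (err) {
		nla_nest_cancel(skb, ac_start);
		goto out;
	}
	nla_nest_end(skb, ac_start);

	nla_nest_end(skb, start);
	return 0;

out:
	nla_nest_cancel(skb, start);
	return err;
}

/* Serialize an internal set action into 'skb' as OVS_ACTION_ATTR_SET.
 *
 * For OVS_KEY_ATTR_TUNNEL_INFO the stored payload is a struct
 * ovs_tunnel_info holding a pointer ('tun_dst'), so it is re-encoded
 * field by field with ip_tun_to_nlattr() instead of being copied out.
 * Every other key type is copied as stored.
 *
 * Returns 0 on success or a negative errno; on failure no partial
 * OVS_ACTION_ATTR_SET nest is left in 'skb'.
 */
static int set_action_to_attr(const struct nlattr *a, struct sk_buff *skb)
{
	const struct nlattr *ovs_key = nla_data(a);
	int key_type = nla_type(ovs_key);
	struct nlattr *start;
	int err;

	switch (key_type) {
	case OVS_KEY_ATTR_TUNNEL_INFO: {
		struct ovs_tunnel_info *ovs_tun = nla_data(ovs_key);
		struct ip_tunnel_info *tun_info = &ovs_tun->tun_dst->u.tun_info;

		start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_SET);
		if (!start)
			return -EMSGSIZE;

		err = ip_tun_to_nlattr(skb, &tun_info->key,
				       ip_tunnel_info_opts(tun_info),
				       tun_info->options_len,
				       ip_tunnel_info_af(tun_info), tun_info->mode);
		if (err) {
			/* Drop the half-written nest, as the clone, sample
			 * and check_pkt_len converters do on failure.
			 */
			nla_nest_cancel(skb, start);
			return err;
		}
		nla_nest_end(skb, start);
		break;
	}
	default:
		if (nla_put(skb, OVS_ACTION_ATTR_SET, nla_len(a), ovs_key))
			return -EMSGSIZE;
		break;
	}

	return 0;
}

/* Serialize an internal masked set action (OVS_ACTION_ATTR_SET_TO_MASKED)
 * into 'skb' as a plain OVS_ACTION_ATTR_SET.
 *
 * Only the first half of the stored payload is emitted; presumably the
 * payload is the key value followed by a mask of the same size -- verify
 * against the code that performs the conversion.
 *
 * Returns 0 on success or -EMSGSIZE; on failure no partial
 * OVS_ACTION_ATTR_SET nest is left in 'skb'.
 */
static int masked_set_action_to_set_action_attr(const struct nlattr *a,
						struct sk_buff *skb)
{
	const struct nlattr *ovs_key = nla_data(a);
	struct nlattr *nla;
	size_t key_len = nla_len(ovs_key) / 2;

	/* Revert the conversion we did from a non-masked set action to
	 * masked set action.
	 */
	nla = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_SET);
	if (!nla)
		return -EMSGSIZE;

	if (nla_put(skb, nla_type(ovs_key), key_len, nla_data(ovs_key))) {
		/* Do not leave an open, empty nest behind on failure. */
		nla_nest_cancel(skb, nla);
		return -EMSGSIZE;
	}

	nla_nest_end(skb, nla);
	return 0;
}

/* Convert the internal action list 'attr' of 'len' bytes back into
 * netlink attributes appended to 'skb'.
 *
 * Action types whose internal form differs from the netlink form have a
 * dedicated converter below.  Everything else falls through to 'default'
 * and has its payload copied byte for byte, so an action type that stores
 * kernel-internal data (pointers, private structs) needs its own case
 * here before it may be stored in an action list.
 *
 * Returns 0 on success or a negative errno from the first converter that
 * fails; attributes already appended are not removed here.
 */
int ovs_nla_put_actions(const struct nlattr *attr, int len, struct sk_buff *skb)
{
	const struct nlattr *a;
	int rem, err;

	nla_for_each_attr(a, attr, len, rem) {
		int type = nla_type(a);

		switch (type) {
		case OVS_ACTION_ATTR_SET:
			err = set_action_to_attr(a, skb);
			if (err)
				return err;
			break;

		case OVS_ACTION_ATTR_SET_TO_MASKED:
			err = masked_set_action_to_set_action_attr(a, skb);
			if (err)
				return err;
			break;

		case OVS_ACTION_ATTR_SAMPLE:
			err = sample_action_to_attr(a, skb);
			if (err)
				return err;
			break;

		case OVS_ACTION_ATTR_CT:
			err = ovs_ct_action_to_attr(nla_data(a), skb);
			if (err)
				return err;
			break;

		case OVS_ACTION_ATTR_CLONE:
			err = clone_action_to_attr(a, skb);
			if (err)
				return err;
			break;

		case OVS_ACTION_ATTR_CHECK_PKT_LEN:
			err = check_pkt_len_action_to_attr(a, skb);
			if (err)
				return err;
			break;

		default:
			/* Raw copy: payload goes out exactly as stored. */
			if (nla_put(skb, type, nla_len(a), nla_data(a)))
				return -EMSGSIZE;
			break;
		}
	}

	return 0;
}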