1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (c) 2007-2017 Nicira, Inc. 4 */ 5 6 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 7 8 #include "flow.h" 9 #include "datapath.h" 10 #include <linux/uaccess.h> 11 #include <linux/netdevice.h> 12 #include <linux/etherdevice.h> 13 #include <linux/if_ether.h> 14 #include <linux/if_vlan.h> 15 #include <net/llc_pdu.h> 16 #include <linux/kernel.h> 17 #include <linux/jhash.h> 18 #include <linux/jiffies.h> 19 #include <linux/llc.h> 20 #include <linux/module.h> 21 #include <linux/in.h> 22 #include <linux/rcupdate.h> 23 #include <linux/if_arp.h> 24 #include <linux/ip.h> 25 #include <linux/ipv6.h> 26 #include <linux/sctp.h> 27 #include <linux/tcp.h> 28 #include <linux/udp.h> 29 #include <linux/icmp.h> 30 #include <linux/icmpv6.h> 31 #include <linux/rculist.h> 32 #include <net/geneve.h> 33 #include <net/ip.h> 34 #include <net/ipv6.h> 35 #include <net/ndisc.h> 36 #include <net/mpls.h> 37 #include <net/vxlan.h> 38 #include <net/tun_proto.h> 39 #include <net/erspan.h> 40 41 #include "drop.h" 42 #include "flow_netlink.h" 43 44 struct ovs_len_tbl { 45 int len; 46 const struct ovs_len_tbl *next; 47 }; 48 49 #define OVS_ATTR_NESTED -1 50 #define OVS_ATTR_VARIABLE -2 51 #define OVS_COPY_ACTIONS_MAX_DEPTH 16 52 53 static bool actions_may_change_flow(const struct nlattr *actions) 54 { 55 struct nlattr *nla; 56 int rem; 57 58 nla_for_each_nested(nla, actions, rem) { 59 u16 action = nla_type(nla); 60 61 switch (action) { 62 case OVS_ACTION_ATTR_OUTPUT: 63 case OVS_ACTION_ATTR_RECIRC: 64 case OVS_ACTION_ATTR_TRUNC: 65 case OVS_ACTION_ATTR_USERSPACE: 66 case OVS_ACTION_ATTR_DROP: 67 break; 68 69 case OVS_ACTION_ATTR_CT: 70 case OVS_ACTION_ATTR_CT_CLEAR: 71 case OVS_ACTION_ATTR_HASH: 72 case OVS_ACTION_ATTR_POP_ETH: 73 case OVS_ACTION_ATTR_POP_MPLS: 74 case OVS_ACTION_ATTR_POP_NSH: 75 case OVS_ACTION_ATTR_POP_VLAN: 76 case OVS_ACTION_ATTR_PUSH_ETH: 77 case OVS_ACTION_ATTR_PUSH_MPLS: 78 case OVS_ACTION_ATTR_PUSH_NSH: 79 case OVS_ACTION_ATTR_PUSH_VLAN: 80 case OVS_ACTION_ATTR_SAMPLE: 81 case OVS_ACTION_ATTR_SET: 82 case OVS_ACTION_ATTR_SET_MASKED: 83 case OVS_ACTION_ATTR_METER: 84 case OVS_ACTION_ATTR_CHECK_PKT_LEN: 85 case OVS_ACTION_ATTR_ADD_MPLS: 86 case OVS_ACTION_ATTR_DEC_TTL: 87 default: 88 return true; 89 } 90 } 91 return false; 92 } 93 94 static void update_range(struct sw_flow_match *match, 95 size_t offset, size_t size, bool is_mask) 96 { 97 struct sw_flow_key_range *range; 98 size_t start = rounddown(offset, sizeof(long)); 99 size_t end = roundup(offset + size, sizeof(long)); 100 101 if (!is_mask) 102 range = &match->range; 103 else 104 range = &match->mask->range; 105 106 if (range->start == range->end) { 107 range->start = start; 108 range->end = end; 109 return; 110 } 111 112 if (range->start > start) 113 range->start = start; 114 115 if (range->end < end) 116 range->end = end; 117 } 118 119 #define SW_FLOW_KEY_PUT(match, field, value, is_mask) \ 120 do { \ 121 update_range(match, offsetof(struct sw_flow_key, field), \ 122 sizeof((match)->key->field), is_mask); \ 123 if (is_mask) \ 124 (match)->mask->key.field = value; \ 125 else \ 126 (match)->key->field = value; \ 127 } while (0) 128 129 #define SW_FLOW_KEY_MEMCPY_OFFSET(match, offset, value_p, len, is_mask) \ 130 do { \ 131 update_range(match, offset, len, is_mask); \ 132 if (is_mask) \ 133 memcpy((u8 *)&(match)->mask->key + offset, value_p, \ 134 len); \ 135 else \ 136 memcpy((u8 *)(match)->key + offset, value_p, len); \ 137 } while (0) 138 139 #define SW_FLOW_KEY_MEMCPY(match, field, value_p, len, is_mask) \ 140 SW_FLOW_KEY_MEMCPY_OFFSET(match, offsetof(struct sw_flow_key, field), \ 141 value_p, len, is_mask) 142 143 #define SW_FLOW_KEY_MEMSET_FIELD(match, field, value, is_mask) \ 144 do { \ 145 update_range(match, offsetof(struct sw_flow_key, field), \ 146 sizeof((match)->key->field), is_mask); \ 147 if (is_mask) \ 148 memset((u8 *)&(match)->mask->key.field, value, \ 149 sizeof((match)->mask->key.field)); \ 150 else \ 151 memset((u8 *)&(match)->key->field, value, \ 152 sizeof((match)->key->field)); \ 153 } while (0) 154 155 static bool match_validate(const struct sw_flow_match *match, 156 u64 key_attrs, u64 mask_attrs, bool log) 157 { 158 u64 key_expected = 0; 159 u64 mask_allowed = key_attrs; /* At most allow all key attributes */ 160 161 /* The following mask attributes allowed only if they 162 * pass the validation tests. */ 163 mask_allowed &= ~((1 << OVS_KEY_ATTR_IPV4) 164 | (1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4) 165 | (1 << OVS_KEY_ATTR_IPV6) 166 | (1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6) 167 | (1 << OVS_KEY_ATTR_TCP) 168 | (1 << OVS_KEY_ATTR_TCP_FLAGS) 169 | (1 << OVS_KEY_ATTR_UDP) 170 | (1 << OVS_KEY_ATTR_SCTP) 171 | (1 << OVS_KEY_ATTR_ICMP) 172 | (1 << OVS_KEY_ATTR_ICMPV6) 173 | (1 << OVS_KEY_ATTR_ARP) 174 | (1 << OVS_KEY_ATTR_ND) 175 | (1 << OVS_KEY_ATTR_MPLS) 176 | (1 << OVS_KEY_ATTR_NSH)); 177 178 /* Always allowed mask fields. */ 179 mask_allowed |= ((1 << OVS_KEY_ATTR_TUNNEL) 180 | (1 << OVS_KEY_ATTR_IN_PORT) 181 | (1 << OVS_KEY_ATTR_ETHERTYPE)); 182 183 /* Check key attributes. */ 184 if (match->key->eth.type == htons(ETH_P_ARP) 185 || match->key->eth.type == htons(ETH_P_RARP)) { 186 key_expected |= 1 << OVS_KEY_ATTR_ARP; 187 if (match->mask && (match->mask->key.eth.type == htons(0xffff))) 188 mask_allowed |= 1 << OVS_KEY_ATTR_ARP; 189 } 190 191 if (eth_p_mpls(match->key->eth.type)) { 192 key_expected |= 1 << OVS_KEY_ATTR_MPLS; 193 if (match->mask && (match->mask->key.eth.type == htons(0xffff))) 194 mask_allowed |= 1 << OVS_KEY_ATTR_MPLS; 195 } 196 197 if (match->key->eth.type == htons(ETH_P_IP)) { 198 key_expected |= 1 << OVS_KEY_ATTR_IPV4; 199 if (match->mask && match->mask->key.eth.type == htons(0xffff)) { 200 mask_allowed |= 1 << OVS_KEY_ATTR_IPV4; 201 mask_allowed |= 1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4; 202 } 203 204 if (match->key->ip.frag != OVS_FRAG_TYPE_LATER) { 205 if (match->key->ip.proto == IPPROTO_UDP) { 206 key_expected |= 1 << OVS_KEY_ATTR_UDP; 207 if (match->mask && (match->mask->key.ip.proto == 0xff)) 208 mask_allowed |= 1 << OVS_KEY_ATTR_UDP; 209 } 210 211 if (match->key->ip.proto == IPPROTO_SCTP) { 212 key_expected |= 1 << OVS_KEY_ATTR_SCTP; 213 if (match->mask && (match->mask->key.ip.proto == 0xff)) 214 mask_allowed |= 1 << OVS_KEY_ATTR_SCTP; 215 } 216 217 if (match->key->ip.proto == IPPROTO_TCP) { 218 key_expected |= 1 << OVS_KEY_ATTR_TCP; 219 key_expected |= 1 << OVS_KEY_ATTR_TCP_FLAGS; 220 if (match->mask && (match->mask->key.ip.proto == 0xff)) { 221 mask_allowed |= 1 << OVS_KEY_ATTR_TCP; 222 mask_allowed |= 1 << OVS_KEY_ATTR_TCP_FLAGS; 223 } 224 } 225 226 if (match->key->ip.proto == IPPROTO_ICMP) { 227 key_expected |= 1 << OVS_KEY_ATTR_ICMP; 228 if (match->mask && (match->mask->key.ip.proto == 0xff)) 229 mask_allowed |= 1 << OVS_KEY_ATTR_ICMP; 230 } 231 } 232 } 233 234 if (match->key->eth.type == htons(ETH_P_IPV6)) { 235 key_expected |= 1 << OVS_KEY_ATTR_IPV6; 236 if (match->mask && match->mask->key.eth.type == htons(0xffff)) { 237 mask_allowed |= 1 << OVS_KEY_ATTR_IPV6; 238 mask_allowed |= 1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6; 239 } 240 241 if (match->key->ip.frag != OVS_FRAG_TYPE_LATER) { 242 if (match->key->ip.proto == IPPROTO_UDP) { 243 key_expected |= 1 << OVS_KEY_ATTR_UDP; 244 if (match->mask && (match->mask->key.ip.proto == 0xff)) 245 mask_allowed |= 1 << OVS_KEY_ATTR_UDP; 246 } 247 248 if (match->key->ip.proto == IPPROTO_SCTP) { 249 key_expected |= 1 << OVS_KEY_ATTR_SCTP; 250 if (match->mask && (match->mask->key.ip.proto == 0xff)) 251 mask_allowed |= 1 << OVS_KEY_ATTR_SCTP; 252 } 253 254 if (match->key->ip.proto == IPPROTO_TCP) { 255 key_expected |= 1 << OVS_KEY_ATTR_TCP; 256 key_expected |= 1 << OVS_KEY_ATTR_TCP_FLAGS; 257 if (match->mask && (match->mask->key.ip.proto == 0xff)) { 258 mask_allowed |= 1 << OVS_KEY_ATTR_TCP; 259 mask_allowed |= 1 << OVS_KEY_ATTR_TCP_FLAGS; 260 } 261 } 262 263 if (match->key->ip.proto == IPPROTO_ICMPV6) { 264 key_expected |= 1 << OVS_KEY_ATTR_ICMPV6; 265 if (match->mask && (match->mask->key.ip.proto == 0xff)) 266 mask_allowed |= 1 << OVS_KEY_ATTR_ICMPV6; 267 268 if (match->key->tp.src == 269 htons(NDISC_NEIGHBOUR_SOLICITATION) || 270 match->key->tp.src == htons(NDISC_NEIGHBOUR_ADVERTISEMENT)) { 271 key_expected |= 1 << OVS_KEY_ATTR_ND; 272 /* Original direction conntrack tuple 273 * uses the same space as the ND fields 274 * in the key, so both are not allowed 275 * at the same time. 276 */ 277 mask_allowed &= ~(1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6); 278 if (match->mask && (match->mask->key.tp.src == htons(0xff))) 279 mask_allowed |= 1 << OVS_KEY_ATTR_ND; 280 } 281 } 282 } 283 } 284 285 if (match->key->eth.type == htons(ETH_P_NSH)) { 286 key_expected |= 1 << OVS_KEY_ATTR_NSH; 287 if (match->mask && 288 match->mask->key.eth.type == htons(0xffff)) { 289 mask_allowed |= 1 << OVS_KEY_ATTR_NSH; 290 } 291 } 292 293 if ((key_attrs & key_expected) != key_expected) { 294 /* Key attributes check failed. */ 295 OVS_NLERR(log, "Missing key (keys=%llx, expected=%llx)", 296 (unsigned long long)key_attrs, 297 (unsigned long long)key_expected); 298 return false; 299 } 300 301 if ((mask_attrs & mask_allowed) != mask_attrs) { 302 /* Mask attributes check failed. */ 303 OVS_NLERR(log, "Unexpected mask (mask=%llx, allowed=%llx)", 304 (unsigned long long)mask_attrs, 305 (unsigned long long)mask_allowed); 306 return false; 307 } 308 309 return true; 310 } 311 312 size_t ovs_tun_key_attr_size(void) 313 { 314 /* Whenever adding new OVS_TUNNEL_KEY_ FIELDS, we should consider 315 * updating this function. 316 */ 317 return nla_total_size_64bit(8) /* OVS_TUNNEL_KEY_ATTR_ID */ 318 + nla_total_size(16) /* OVS_TUNNEL_KEY_ATTR_IPV[46]_SRC */ 319 + nla_total_size(16) /* OVS_TUNNEL_KEY_ATTR_IPV[46]_DST */ 320 + nla_total_size(1) /* OVS_TUNNEL_KEY_ATTR_TOS */ 321 + nla_total_size(1) /* OVS_TUNNEL_KEY_ATTR_TTL */ 322 + nla_total_size(0) /* OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT */ 323 + nla_total_size(0) /* OVS_TUNNEL_KEY_ATTR_CSUM */ 324 + nla_total_size(0) /* OVS_TUNNEL_KEY_ATTR_OAM */ 325 + nla_total_size(256) /* OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS */ 326 /* OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS and 327 * OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS is mutually exclusive with 328 * OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS and covered by it. 329 */ 330 + nla_total_size(2) /* OVS_TUNNEL_KEY_ATTR_TP_SRC */ 331 + nla_total_size(2); /* OVS_TUNNEL_KEY_ATTR_TP_DST */ 332 } 333 334 static size_t ovs_nsh_key_attr_size(void) 335 { 336 /* Whenever adding new OVS_NSH_KEY_ FIELDS, we should consider 337 * updating this function. 338 */ 339 return nla_total_size(NSH_BASE_HDR_LEN) /* OVS_NSH_KEY_ATTR_BASE */ 340 /* OVS_NSH_KEY_ATTR_MD1 and OVS_NSH_KEY_ATTR_MD2 are 341 * mutually exclusive, so the bigger one can cover 342 * the small one. 343 */ 344 + nla_total_size(NSH_CTX_HDRS_MAX_LEN); 345 } 346 347 size_t ovs_key_attr_size(void) 348 { 349 /* Whenever adding new OVS_KEY_ FIELDS, we should consider 350 * updating this function. 351 */ 352 BUILD_BUG_ON(OVS_KEY_ATTR_MAX != 32); 353 354 return nla_total_size(4) /* OVS_KEY_ATTR_PRIORITY */ 355 + nla_total_size(0) /* OVS_KEY_ATTR_TUNNEL */ 356 + ovs_tun_key_attr_size() 357 + nla_total_size(4) /* OVS_KEY_ATTR_IN_PORT */ 358 + nla_total_size(4) /* OVS_KEY_ATTR_SKB_MARK */ 359 + nla_total_size(4) /* OVS_KEY_ATTR_DP_HASH */ 360 + nla_total_size(4) /* OVS_KEY_ATTR_RECIRC_ID */ 361 + nla_total_size(4) /* OVS_KEY_ATTR_CT_STATE */ 362 + nla_total_size(2) /* OVS_KEY_ATTR_CT_ZONE */ 363 + nla_total_size(4) /* OVS_KEY_ATTR_CT_MARK */ 364 + nla_total_size(16) /* OVS_KEY_ATTR_CT_LABELS */ 365 + nla_total_size(40) /* OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6 */ 366 + nla_total_size(0) /* OVS_KEY_ATTR_NSH */ 367 + ovs_nsh_key_attr_size() 368 + nla_total_size(12) /* OVS_KEY_ATTR_ETHERNET */ 369 + nla_total_size(2) /* OVS_KEY_ATTR_ETHERTYPE */ 370 + nla_total_size(4) /* OVS_KEY_ATTR_VLAN */ 371 + nla_total_size(0) /* OVS_KEY_ATTR_ENCAP */ 372 + nla_total_size(2) /* OVS_KEY_ATTR_ETHERTYPE */ 373 + nla_total_size(40) /* OVS_KEY_ATTR_IPV6 */ 374 + nla_total_size(2) /* OVS_KEY_ATTR_ICMPV6 */ 375 + nla_total_size(28) /* OVS_KEY_ATTR_ND */ 376 + nla_total_size(2); /* OVS_KEY_ATTR_IPV6_EXTHDRS */ 377 } 378 379 static const struct ovs_len_tbl ovs_vxlan_ext_key_lens[OVS_VXLAN_EXT_MAX + 1] = { 380 [OVS_VXLAN_EXT_GBP] = { .len = sizeof(u32) }, 381 }; 382 383 static const struct ovs_len_tbl ovs_tunnel_key_lens[OVS_TUNNEL_KEY_ATTR_MAX + 1] = { 384 [OVS_TUNNEL_KEY_ATTR_ID] = { .len = sizeof(u64) }, 385 [OVS_TUNNEL_KEY_ATTR_IPV4_SRC] = { .len = sizeof(u32) }, 386 [OVS_TUNNEL_KEY_ATTR_IPV4_DST] = { .len = sizeof(u32) }, 387 [OVS_TUNNEL_KEY_ATTR_TOS] = { .len = 1 }, 388 [OVS_TUNNEL_KEY_ATTR_TTL] = { .len = 1 }, 389 [OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT] = { .len = 0 }, 390 [OVS_TUNNEL_KEY_ATTR_CSUM] = { .len = 0 }, 391 [OVS_TUNNEL_KEY_ATTR_TP_SRC] = { .len = sizeof(u16) }, 392 [OVS_TUNNEL_KEY_ATTR_TP_DST] = { .len = sizeof(u16) }, 393 [OVS_TUNNEL_KEY_ATTR_OAM] = { .len = 0 }, 394 [OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS] = { .len = OVS_ATTR_VARIABLE }, 395 [OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS] = { .len = OVS_ATTR_NESTED, 396 .next = ovs_vxlan_ext_key_lens }, 397 [OVS_TUNNEL_KEY_ATTR_IPV6_SRC] = { .len = sizeof(struct in6_addr) }, 398 [OVS_TUNNEL_KEY_ATTR_IPV6_DST] = { .len = sizeof(struct in6_addr) }, 399 [OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS] = { .len = OVS_ATTR_VARIABLE }, 400 [OVS_TUNNEL_KEY_ATTR_IPV4_INFO_BRIDGE] = { .len = 0 }, 401 }; 402 403 static const struct ovs_len_tbl 404 ovs_nsh_key_attr_lens[OVS_NSH_KEY_ATTR_MAX + 1] = { 405 [OVS_NSH_KEY_ATTR_BASE] = { .len = sizeof(struct ovs_nsh_key_base) }, 406 [OVS_NSH_KEY_ATTR_MD1] = { .len = sizeof(struct ovs_nsh_key_md1) }, 407 [OVS_NSH_KEY_ATTR_MD2] = { .len = OVS_ATTR_VARIABLE }, 408 }; 409 410 /* The size of the argument for each %OVS_KEY_ATTR_* Netlink attribute. */ 411 static const struct ovs_len_tbl ovs_key_lens[OVS_KEY_ATTR_MAX + 1] = { 412 [OVS_KEY_ATTR_ENCAP] = { .len = OVS_ATTR_NESTED }, 413 [OVS_KEY_ATTR_PRIORITY] = { .len = sizeof(u32) }, 414 [OVS_KEY_ATTR_IN_PORT] = { .len = sizeof(u32) }, 415 [OVS_KEY_ATTR_SKB_MARK] = { .len = sizeof(u32) }, 416 [OVS_KEY_ATTR_ETHERNET] = { .len = sizeof(struct ovs_key_ethernet) }, 417 [OVS_KEY_ATTR_VLAN] = { .len = sizeof(__be16) }, 418 [OVS_KEY_ATTR_ETHERTYPE] = { .len = sizeof(__be16) }, 419 [OVS_KEY_ATTR_IPV4] = { .len = sizeof(struct ovs_key_ipv4) }, 420 [OVS_KEY_ATTR_IPV6] = { .len = sizeof(struct ovs_key_ipv6) }, 421 [OVS_KEY_ATTR_TCP] = { .len = sizeof(struct ovs_key_tcp) }, 422 [OVS_KEY_ATTR_TCP_FLAGS] = { .len = sizeof(__be16) }, 423 [OVS_KEY_ATTR_UDP] = { .len = sizeof(struct ovs_key_udp) }, 424 [OVS_KEY_ATTR_SCTP] = { .len = sizeof(struct ovs_key_sctp) }, 425 [OVS_KEY_ATTR_ICMP] = { .len = sizeof(struct ovs_key_icmp) }, 426 [OVS_KEY_ATTR_ICMPV6] = { .len = sizeof(struct ovs_key_icmpv6) }, 427 [OVS_KEY_ATTR_ARP] = { .len = sizeof(struct ovs_key_arp) }, 428 [OVS_KEY_ATTR_ND] = { .len = sizeof(struct ovs_key_nd) }, 429 [OVS_KEY_ATTR_RECIRC_ID] = { .len = sizeof(u32) }, 430 [OVS_KEY_ATTR_DP_HASH] = { .len = sizeof(u32) }, 431 [OVS_KEY_ATTR_TUNNEL] = { .len = OVS_ATTR_NESTED, 432 .next = ovs_tunnel_key_lens, }, 433 [OVS_KEY_ATTR_MPLS] = { .len = OVS_ATTR_VARIABLE }, 434 [OVS_KEY_ATTR_CT_STATE] = { .len = sizeof(u32) }, 435 [OVS_KEY_ATTR_CT_ZONE] = { .len = sizeof(u16) }, 436 [OVS_KEY_ATTR_CT_MARK] = { .len = sizeof(u32) }, 437 [OVS_KEY_ATTR_CT_LABELS] = { .len = sizeof(struct ovs_key_ct_labels) }, 438 [OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4] = { 439 .len = sizeof(struct ovs_key_ct_tuple_ipv4) }, 440 [OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6] = { 441 .len = sizeof(struct ovs_key_ct_tuple_ipv6) }, 442 [OVS_KEY_ATTR_NSH] = { .len = OVS_ATTR_NESTED, 443 .next = ovs_nsh_key_attr_lens, }, 444 [OVS_KEY_ATTR_IPV6_EXTHDRS] = { 445 .len = sizeof(struct ovs_key_ipv6_exthdrs) }, 446 }; 447 448 static bool check_attr_len(unsigned int attr_len, unsigned int expected_len) 449 { 450 return expected_len == attr_len || 451 expected_len == OVS_ATTR_NESTED || 452 expected_len == OVS_ATTR_VARIABLE; 453 } 454 455 static bool is_all_zero(const u8 *fp, size_t size) 456 { 457 int i; 458 459 if (!fp) 460 return false; 461 462 for (i = 0; i < size; i++) 463 if (fp[i]) 464 return false; 465 466 return true; 467 } 468 469 static int __parse_flow_nlattrs(const struct nlattr *attr, 470 const struct nlattr *a[], 471 u64 *attrsp, bool log, bool nz) 472 { 473 const struct nlattr *nla; 474 u64 attrs; 475 int rem; 476 477 attrs = *attrsp; 478 nla_for_each_nested(nla, attr, rem) { 479 u16 type = nla_type(nla); 480 int expected_len; 481 482 if (type > OVS_KEY_ATTR_MAX) { 483 OVS_NLERR(log, "Key type %d is out of range max %d", 484 type, OVS_KEY_ATTR_MAX); 485 return -EINVAL; 486 } 487 488 if (type == OVS_KEY_ATTR_PACKET_TYPE || 489 type == OVS_KEY_ATTR_ND_EXTENSIONS || 490 type == OVS_KEY_ATTR_TUNNEL_INFO) { 491 OVS_NLERR(log, "Key type %d is not supported", type); 492 return -EINVAL; 493 } 494 495 if (attrs & (1ULL << type)) { 496 OVS_NLERR(log, "Duplicate key (type %d).", type); 497 return -EINVAL; 498 } 499 500 expected_len = ovs_key_lens[type].len; 501 if (!check_attr_len(nla_len(nla), expected_len)) { 502 OVS_NLERR(log, "Key %d has unexpected len %d expected %d", 503 type, nla_len(nla), expected_len); 504 return -EINVAL; 505 } 506 507 if (!nz || !is_all_zero(nla_data(nla), nla_len(nla))) { 508 attrs |= 1ULL << type; 509 a[type] = nla; 510 } 511 } 512 if (rem) { 513 OVS_NLERR(log, "Message has %d unknown bytes.", rem); 514 return -EINVAL; 515 } 516 517 *attrsp = attrs; 518 return 0; 519 } 520 521 static int parse_flow_mask_nlattrs(const struct nlattr *attr, 522 const struct nlattr *a[], u64 *attrsp, 523 bool log) 524 { 525 return __parse_flow_nlattrs(attr, a, attrsp, log, true); 526 } 527 528 int parse_flow_nlattrs(const struct nlattr *attr, const struct nlattr *a[], 529 u64 *attrsp, bool log) 530 { 531 return __parse_flow_nlattrs(attr, a, attrsp, log, false); 532 } 533 534 static int genev_tun_opt_from_nlattr(const struct nlattr *a, 535 struct sw_flow_match *match, bool is_mask, 536 bool log) 537 { 538 unsigned long opt_key_offset; 539 540 if (nla_len(a) > sizeof(match->key->tun_opts)) { 541 OVS_NLERR(log, "Geneve option length err (len %d, max %zu).", 542 nla_len(a), sizeof(match->key->tun_opts)); 543 return -EINVAL; 544 } 545 546 if (nla_len(a) % 4 != 0) { 547 OVS_NLERR(log, "Geneve opt len %d is not a multiple of 4.", 548 nla_len(a)); 549 return -EINVAL; 550 } 551 552 /* We need to record the length of the options passed 553 * down, otherwise packets with the same format but 554 * additional options will be silently matched. 555 */ 556 if (!is_mask) { 557 SW_FLOW_KEY_PUT(match, tun_opts_len, nla_len(a), 558 false); 559 } else { 560 /* This is somewhat unusual because it looks at 561 * both the key and mask while parsing the 562 * attributes (and by extension assumes the key 563 * is parsed first). Normally, we would verify 564 * that each is the correct length and that the 565 * attributes line up in the validate function. 566 * However, that is difficult because this is 567 * variable length and we won't have the 568 * information later. 569 */ 570 if (match->key->tun_opts_len != nla_len(a)) { 571 OVS_NLERR(log, "Geneve option len %d != mask len %d", 572 match->key->tun_opts_len, nla_len(a)); 573 return -EINVAL; 574 } 575 576 SW_FLOW_KEY_PUT(match, tun_opts_len, 0xff, true); 577 } 578 579 opt_key_offset = TUN_METADATA_OFFSET(nla_len(a)); 580 SW_FLOW_KEY_MEMCPY_OFFSET(match, opt_key_offset, nla_data(a), 581 nla_len(a), is_mask); 582 return 0; 583 } 584 585 static int vxlan_tun_opt_from_nlattr(const struct nlattr *attr, 586 struct sw_flow_match *match, bool is_mask, 587 bool log) 588 { 589 struct nlattr *a; 590 int rem; 591 unsigned long opt_key_offset; 592 struct vxlan_metadata opts; 593 594 BUILD_BUG_ON(sizeof(opts) > sizeof(match->key->tun_opts)); 595 596 memset(&opts, 0, sizeof(opts)); 597 nla_for_each_nested(a, attr, rem) { 598 int type = nla_type(a); 599 600 if (type > OVS_VXLAN_EXT_MAX) { 601 OVS_NLERR(log, "VXLAN extension %d out of range max %d", 602 type, OVS_VXLAN_EXT_MAX); 603 return -EINVAL; 604 } 605 606 if (!check_attr_len(nla_len(a), 607 ovs_vxlan_ext_key_lens[type].len)) { 608 OVS_NLERR(log, "VXLAN extension %d has unexpected len %d expected %d", 609 type, nla_len(a), 610 ovs_vxlan_ext_key_lens[type].len); 611 return -EINVAL; 612 } 613 614 switch (type) { 615 case OVS_VXLAN_EXT_GBP: 616 opts.gbp = nla_get_u32(a); 617 break; 618 default: 619 OVS_NLERR(log, "Unknown VXLAN extension attribute %d", 620 type); 621 return -EINVAL; 622 } 623 } 624 if (rem) { 625 OVS_NLERR(log, "VXLAN extension message has %d unknown bytes.", 626 rem); 627 return -EINVAL; 628 } 629 630 if (!is_mask) 631 SW_FLOW_KEY_PUT(match, tun_opts_len, sizeof(opts), false); 632 else 633 SW_FLOW_KEY_PUT(match, tun_opts_len, 0xff, true); 634 635 opt_key_offset = TUN_METADATA_OFFSET(sizeof(opts)); 636 SW_FLOW_KEY_MEMCPY_OFFSET(match, opt_key_offset, &opts, sizeof(opts), 637 is_mask); 638 return 0; 639 } 640 641 static int erspan_tun_opt_from_nlattr(const struct nlattr *a, 642 struct sw_flow_match *match, bool is_mask, 643 bool log) 644 { 645 unsigned long opt_key_offset; 646 647 BUILD_BUG_ON(sizeof(struct erspan_metadata) > 648 sizeof(match->key->tun_opts)); 649 650 if (nla_len(a) > sizeof(match->key->tun_opts)) { 651 OVS_NLERR(log, "ERSPAN option length err (len %d, max %zu).", 652 nla_len(a), sizeof(match->key->tun_opts)); 653 return -EINVAL; 654 } 655 656 if (!is_mask) 657 SW_FLOW_KEY_PUT(match, tun_opts_len, 658 sizeof(struct erspan_metadata), false); 659 else 660 SW_FLOW_KEY_PUT(match, tun_opts_len, 0xff, true); 661 662 opt_key_offset = TUN_METADATA_OFFSET(nla_len(a)); 663 SW_FLOW_KEY_MEMCPY_OFFSET(match, opt_key_offset, nla_data(a), 664 nla_len(a), is_mask); 665 return 0; 666 } 667 668 static int ip_tun_from_nlattr(const struct nlattr *attr, 669 struct sw_flow_match *match, bool is_mask, 670 bool log) 671 { 672 bool ttl = false, ipv4 = false, ipv6 = false; 673 bool info_bridge_mode = false; 674 __be16 tun_flags = 0; 675 int opts_type = 0; 676 struct nlattr *a; 677 int rem; 678 679 nla_for_each_nested(a, attr, rem) { 680 int type = nla_type(a); 681 int err; 682 683 if (type > OVS_TUNNEL_KEY_ATTR_MAX) { 684 OVS_NLERR(log, "Tunnel attr %d out of range max %d", 685 type, OVS_TUNNEL_KEY_ATTR_MAX); 686 return -EINVAL; 687 } 688 689 if (!check_attr_len(nla_len(a), 690 ovs_tunnel_key_lens[type].len)) { 691 OVS_NLERR(log, "Tunnel attr %d has unexpected len %d expected %d", 692 type, nla_len(a), ovs_tunnel_key_lens[type].len); 693 return -EINVAL; 694 } 695 696 switch (type) { 697 case OVS_TUNNEL_KEY_ATTR_ID: 698 SW_FLOW_KEY_PUT(match, tun_key.tun_id, 699 nla_get_be64(a), is_mask); 700 tun_flags |= TUNNEL_KEY; 701 break; 702 case OVS_TUNNEL_KEY_ATTR_IPV4_SRC: 703 SW_FLOW_KEY_PUT(match, tun_key.u.ipv4.src, 704 nla_get_in_addr(a), is_mask); 705 ipv4 = true; 706 break; 707 case OVS_TUNNEL_KEY_ATTR_IPV4_DST: 708 SW_FLOW_KEY_PUT(match, tun_key.u.ipv4.dst, 709 nla_get_in_addr(a), is_mask); 710 ipv4 = true; 711 break; 712 case OVS_TUNNEL_KEY_ATTR_IPV6_SRC: 713 SW_FLOW_KEY_PUT(match, tun_key.u.ipv6.src, 714 nla_get_in6_addr(a), is_mask); 715 ipv6 = true; 716 break; 717 case OVS_TUNNEL_KEY_ATTR_IPV6_DST: 718 SW_FLOW_KEY_PUT(match, tun_key.u.ipv6.dst, 719 nla_get_in6_addr(a), is_mask); 720 ipv6 = true; 721 break; 722 case OVS_TUNNEL_KEY_ATTR_TOS: 723 SW_FLOW_KEY_PUT(match, tun_key.tos, 724 nla_get_u8(a), is_mask); 725 break; 726 case OVS_TUNNEL_KEY_ATTR_TTL: 727 SW_FLOW_KEY_PUT(match, tun_key.ttl, 728 nla_get_u8(a), is_mask); 729 ttl = true; 730 break; 731 case OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT: 732 tun_flags |= TUNNEL_DONT_FRAGMENT; 733 break; 734 case OVS_TUNNEL_KEY_ATTR_CSUM: 735 tun_flags |= TUNNEL_CSUM; 736 break; 737 case OVS_TUNNEL_KEY_ATTR_TP_SRC: 738 SW_FLOW_KEY_PUT(match, tun_key.tp_src, 739 nla_get_be16(a), is_mask); 740 break; 741 case OVS_TUNNEL_KEY_ATTR_TP_DST: 742 SW_FLOW_KEY_PUT(match, tun_key.tp_dst, 743 nla_get_be16(a), is_mask); 744 break; 745 case OVS_TUNNEL_KEY_ATTR_OAM: 746 tun_flags |= TUNNEL_OAM; 747 break; 748 case OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS: 749 if (opts_type) { 750 OVS_NLERR(log, "Multiple metadata blocks provided"); 751 return -EINVAL; 752 } 753 754 err = genev_tun_opt_from_nlattr(a, match, is_mask, log); 755 if (err) 756 return err; 757 758 tun_flags |= TUNNEL_GENEVE_OPT; 759 opts_type = type; 760 break; 761 case OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS: 762 if (opts_type) { 763 OVS_NLERR(log, "Multiple metadata blocks provided"); 764 return -EINVAL; 765 } 766 767 err = vxlan_tun_opt_from_nlattr(a, match, is_mask, log); 768 if (err) 769 return err; 770 771 tun_flags |= TUNNEL_VXLAN_OPT; 772 opts_type = type; 773 break; 774 case OVS_TUNNEL_KEY_ATTR_PAD: 775 break; 776 case OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS: 777 if (opts_type) { 778 OVS_NLERR(log, "Multiple metadata blocks provided"); 779 return -EINVAL; 780 } 781 782 err = erspan_tun_opt_from_nlattr(a, match, is_mask, 783 log); 784 if (err) 785 return err; 786 787 tun_flags |= TUNNEL_ERSPAN_OPT; 788 opts_type = type; 789 break; 790 case OVS_TUNNEL_KEY_ATTR_IPV4_INFO_BRIDGE: 791 info_bridge_mode = true; 792 ipv4 = true; 793 break; 794 default: 795 OVS_NLERR(log, "Unknown IP tunnel attribute %d", 796 type); 797 return -EINVAL; 798 } 799 } 800 801 SW_FLOW_KEY_PUT(match, tun_key.tun_flags, tun_flags, is_mask); 802 if (is_mask) 803 SW_FLOW_KEY_MEMSET_FIELD(match, tun_proto, 0xff, true); 804 else 805 SW_FLOW_KEY_PUT(match, tun_proto, ipv6 ? AF_INET6 : AF_INET, 806 false); 807 808 if (rem > 0) { 809 OVS_NLERR(log, "IP tunnel attribute has %d unknown bytes.", 810 rem); 811 return -EINVAL; 812 } 813 814 if (ipv4 && ipv6) { 815 OVS_NLERR(log, "Mixed IPv4 and IPv6 tunnel attributes"); 816 return -EINVAL; 817 } 818 819 if (!is_mask) { 820 if (!ipv4 && !ipv6) { 821 OVS_NLERR(log, "IP tunnel dst address not specified"); 822 return -EINVAL; 823 } 824 if (ipv4) { 825 if (info_bridge_mode) { 826 if (match->key->tun_key.u.ipv4.src || 827 match->key->tun_key.u.ipv4.dst || 828 match->key->tun_key.tp_src || 829 match->key->tun_key.tp_dst || 830 match->key->tun_key.ttl || 831 match->key->tun_key.tos || 832 tun_flags & ~TUNNEL_KEY) { 833 OVS_NLERR(log, "IPv4 tun info is not correct"); 834 return -EINVAL; 835 } 836 } else if (!match->key->tun_key.u.ipv4.dst) { 837 OVS_NLERR(log, "IPv4 tunnel dst address is zero"); 838 return -EINVAL; 839 } 840 } 841 if (ipv6 && ipv6_addr_any(&match->key->tun_key.u.ipv6.dst)) { 842 OVS_NLERR(log, "IPv6 tunnel dst address is zero"); 843 return -EINVAL; 844 } 845 846 if (!ttl && !info_bridge_mode) { 847 OVS_NLERR(log, "IP tunnel TTL not specified."); 848 return -EINVAL; 849 } 850 } 851 852 return opts_type; 853 } 854 855 static int vxlan_opt_to_nlattr(struct sk_buff *skb, 856 const void *tun_opts, int swkey_tun_opts_len) 857 { 858 const struct vxlan_metadata *opts = tun_opts; 859 struct nlattr *nla; 860 861 nla = nla_nest_start_noflag(skb, OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS); 862 if (!nla) 863 return -EMSGSIZE; 864 865 if (nla_put_u32(skb, OVS_VXLAN_EXT_GBP, opts->gbp) < 0) 866 return -EMSGSIZE; 867 868 nla_nest_end(skb, nla); 869 return 0; 870 } 871 872 static int __ip_tun_to_nlattr(struct sk_buff *skb, 873 const struct ip_tunnel_key *output, 874 const void *tun_opts, int swkey_tun_opts_len, 875 unsigned short tun_proto, u8 mode) 876 { 877 if (output->tun_flags & TUNNEL_KEY && 878 nla_put_be64(skb, OVS_TUNNEL_KEY_ATTR_ID, output->tun_id, 879 OVS_TUNNEL_KEY_ATTR_PAD)) 880 return -EMSGSIZE; 881 882 if (mode & IP_TUNNEL_INFO_BRIDGE) 883 return nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_IPV4_INFO_BRIDGE) 884 ? -EMSGSIZE : 0; 885 886 switch (tun_proto) { 887 case AF_INET: 888 if (output->u.ipv4.src && 889 nla_put_in_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV4_SRC, 890 output->u.ipv4.src)) 891 return -EMSGSIZE; 892 if (output->u.ipv4.dst && 893 nla_put_in_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV4_DST, 894 output->u.ipv4.dst)) 895 return -EMSGSIZE; 896 break; 897 case AF_INET6: 898 if (!ipv6_addr_any(&output->u.ipv6.src) && 899 nla_put_in6_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV6_SRC, 900 &output->u.ipv6.src)) 901 return -EMSGSIZE; 902 if (!ipv6_addr_any(&output->u.ipv6.dst) && 903 nla_put_in6_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV6_DST, 904 &output->u.ipv6.dst)) 905 return -EMSGSIZE; 906 break; 907 } 908 if (output->tos && 909 nla_put_u8(skb, OVS_TUNNEL_KEY_ATTR_TOS, output->tos)) 910 return -EMSGSIZE; 911 if (nla_put_u8(skb, OVS_TUNNEL_KEY_ATTR_TTL, output->ttl)) 912 return -EMSGSIZE; 913 if ((output->tun_flags & TUNNEL_DONT_FRAGMENT) && 914 nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT)) 915 return -EMSGSIZE; 916 if ((output->tun_flags & TUNNEL_CSUM) && 917 nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_CSUM)) 918 return -EMSGSIZE; 919 if (output->tp_src && 920 nla_put_be16(skb, OVS_TUNNEL_KEY_ATTR_TP_SRC, output->tp_src)) 921 return -EMSGSIZE; 922 if (output->tp_dst && 923 nla_put_be16(skb, OVS_TUNNEL_KEY_ATTR_TP_DST, output->tp_dst)) 924 return -EMSGSIZE; 925 if ((output->tun_flags & TUNNEL_OAM) && 926 nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_OAM)) 927 return -EMSGSIZE; 928 if (swkey_tun_opts_len) { 929 if (output->tun_flags & TUNNEL_GENEVE_OPT && 930 nla_put(skb, OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS, 931 swkey_tun_opts_len, tun_opts)) 932 return -EMSGSIZE; 933 else if (output->tun_flags & TUNNEL_VXLAN_OPT && 934 vxlan_opt_to_nlattr(skb, tun_opts, swkey_tun_opts_len)) 935 return -EMSGSIZE; 936 else if (output->tun_flags & TUNNEL_ERSPAN_OPT && 937 nla_put(skb, OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS, 938 swkey_tun_opts_len, tun_opts)) 939 return -EMSGSIZE; 940 } 941 942 return 0; 943 } 944 945 static int ip_tun_to_nlattr(struct sk_buff *skb, 946 const struct ip_tunnel_key *output, 947 const void *tun_opts, int swkey_tun_opts_len, 948 unsigned short tun_proto, u8 mode) 949 { 950 struct nlattr *nla; 951 int err; 952 953 nla = nla_nest_start_noflag(skb, OVS_KEY_ATTR_TUNNEL); 954 if (!nla) 955 return -EMSGSIZE; 956 957 err = __ip_tun_to_nlattr(skb, output, tun_opts, swkey_tun_opts_len, 958 tun_proto, mode); 959 if (err) 960 return err; 961 962 nla_nest_end(skb, nla); 963 return 0; 964 } 965 966 int ovs_nla_put_tunnel_info(struct sk_buff *skb, 967 struct ip_tunnel_info *tun_info) 968 { 969 return __ip_tun_to_nlattr(skb, &tun_info->key, 970 ip_tunnel_info_opts(tun_info), 971 tun_info->options_len, 972 ip_tunnel_info_af(tun_info), tun_info->mode); 973 } 974 975 static int encode_vlan_from_nlattrs(struct sw_flow_match *match, 976 const struct nlattr *a[], 977 bool is_mask, bool inner) 978 { 979 __be16 tci = 0; 980 __be16 tpid = 0; 981 982 if (a[OVS_KEY_ATTR_VLAN]) 983 tci = nla_get_be16(a[OVS_KEY_ATTR_VLAN]); 984 985 if (a[OVS_KEY_ATTR_ETHERTYPE]) 986 tpid = nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE]); 987 988 if (likely(!inner)) { 989 SW_FLOW_KEY_PUT(match, eth.vlan.tpid, tpid, is_mask); 990 SW_FLOW_KEY_PUT(match, eth.vlan.tci, tci, is_mask); 991 } else { 992 SW_FLOW_KEY_PUT(match, eth.cvlan.tpid, tpid, is_mask); 993 SW_FLOW_KEY_PUT(match, eth.cvlan.tci, tci, is_mask); 994 } 995 return 0; 996 } 997 998 static int validate_vlan_from_nlattrs(const struct sw_flow_match *match, 999 u64 key_attrs, bool inner, 1000 const struct nlattr **a, bool log) 1001 { 1002 __be16 tci = 0; 1003 1004 if (!((key_attrs & (1 << OVS_KEY_ATTR_ETHERNET)) && 1005 (key_attrs & (1 << OVS_KEY_ATTR_ETHERTYPE)) && 1006 eth_type_vlan(nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE])))) { 1007 /* Not a VLAN. */ 1008 return 0; 1009 } 1010 1011 if (!((key_attrs & (1 << OVS_KEY_ATTR_VLAN)) && 1012 (key_attrs & (1 << OVS_KEY_ATTR_ENCAP)))) { 1013 OVS_NLERR(log, "Invalid %s frame", (inner) ? "C-VLAN" : "VLAN"); 1014 return -EINVAL; 1015 } 1016 1017 if (a[OVS_KEY_ATTR_VLAN]) 1018 tci = nla_get_be16(a[OVS_KEY_ATTR_VLAN]); 1019 1020 if (!(tci & htons(VLAN_CFI_MASK))) { 1021 if (tci) { 1022 OVS_NLERR(log, "%s TCI does not have VLAN_CFI_MASK bit set.", 1023 (inner) ? "C-VLAN" : "VLAN"); 1024 return -EINVAL; 1025 } else if (nla_len(a[OVS_KEY_ATTR_ENCAP])) { 1026 /* Corner case for truncated VLAN header. */ 1027 OVS_NLERR(log, "Truncated %s header has non-zero encap attribute.", 1028 (inner) ? "C-VLAN" : "VLAN"); 1029 return -EINVAL; 1030 } 1031 } 1032 1033 return 1; 1034 } 1035 1036 static int validate_vlan_mask_from_nlattrs(const struct sw_flow_match *match, 1037 u64 key_attrs, bool inner, 1038 const struct nlattr **a, bool log) 1039 { 1040 __be16 tci = 0; 1041 __be16 tpid = 0; 1042 bool encap_valid = !!(match->key->eth.vlan.tci & 1043 htons(VLAN_CFI_MASK)); 1044 bool i_encap_valid = !!(match->key->eth.cvlan.tci & 1045 htons(VLAN_CFI_MASK)); 1046 1047 if (!(key_attrs & (1 << OVS_KEY_ATTR_ENCAP))) { 1048 /* Not a VLAN. */ 1049 return 0; 1050 } 1051 1052 if ((!inner && !encap_valid) || (inner && !i_encap_valid)) { 1053 OVS_NLERR(log, "Encap mask attribute is set for non-%s frame.", 1054 (inner) ? "C-VLAN" : "VLAN"); 1055 return -EINVAL; 1056 } 1057 1058 if (a[OVS_KEY_ATTR_VLAN]) 1059 tci = nla_get_be16(a[OVS_KEY_ATTR_VLAN]); 1060 1061 if (a[OVS_KEY_ATTR_ETHERTYPE]) 1062 tpid = nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE]); 1063 1064 if (tpid != htons(0xffff)) { 1065 OVS_NLERR(log, "Must have an exact match on %s TPID (mask=%x).", 1066 (inner) ? "C-VLAN" : "VLAN", ntohs(tpid)); 1067 return -EINVAL; 1068 } 1069 if (!(tci & htons(VLAN_CFI_MASK))) { 1070 OVS_NLERR(log, "%s TCI mask does not have exact match for VLAN_CFI_MASK bit.", 1071 (inner) ? "C-VLAN" : "VLAN"); 1072 return -EINVAL; 1073 } 1074 1075 return 1; 1076 } 1077 1078 static int __parse_vlan_from_nlattrs(struct sw_flow_match *match, 1079 u64 *key_attrs, bool inner, 1080 const struct nlattr **a, bool is_mask, 1081 bool log) 1082 { 1083 int err; 1084 const struct nlattr *encap; 1085 1086 if (!is_mask) 1087 err = validate_vlan_from_nlattrs(match, *key_attrs, inner, 1088 a, log); 1089 else 1090 err = validate_vlan_mask_from_nlattrs(match, *key_attrs, inner, 1091 a, log); 1092 if (err <= 0) 1093 return err; 1094 1095 err = encode_vlan_from_nlattrs(match, a, is_mask, inner); 1096 if (err) 1097 return err; 1098 1099 *key_attrs &= ~(1 << OVS_KEY_ATTR_ENCAP); 1100 *key_attrs &= ~(1 << OVS_KEY_ATTR_VLAN); 1101 *key_attrs &= ~(1 << OVS_KEY_ATTR_ETHERTYPE); 1102 1103 encap = a[OVS_KEY_ATTR_ENCAP]; 1104 1105 if (!is_mask) 1106 err = parse_flow_nlattrs(encap, a, key_attrs, log); 1107 else 1108 err = parse_flow_mask_nlattrs(encap, a, key_attrs, log); 1109 1110 return err; 1111 } 1112 1113 static int parse_vlan_from_nlattrs(struct sw_flow_match *match, 1114 u64 *key_attrs, const struct nlattr **a, 1115 bool is_mask, bool log) 1116 { 1117 int err; 1118 bool encap_valid = false; 1119 1120 err = __parse_vlan_from_nlattrs(match, key_attrs, false, a, 1121 is_mask, log); 1122 if (err) 1123 return err; 1124 1125 encap_valid = !!(match->key->eth.vlan.tci & htons(VLAN_CFI_MASK)); 1126 if (encap_valid) { 1127 err = __parse_vlan_from_nlattrs(match, key_attrs, true, a, 1128 is_mask, log); 1129 if (err) 1130 return err; 1131 } 1132 1133 return 0; 1134 } 1135 1136 static int parse_eth_type_from_nlattrs(struct sw_flow_match *match, 1137 u64 *attrs, const struct nlattr **a, 1138 bool is_mask, bool log) 1139 { 1140 __be16 eth_type; 1141 1142 eth_type = nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE]); 1143 if (is_mask) { 1144 /* Always exact match EtherType. */ 1145 eth_type = htons(0xffff); 1146 } else if (!eth_proto_is_802_3(eth_type)) { 1147 OVS_NLERR(log, "EtherType %x is less than min %x", 1148 ntohs(eth_type), ETH_P_802_3_MIN); 1149 return -EINVAL; 1150 } 1151 1152 SW_FLOW_KEY_PUT(match, eth.type, eth_type, is_mask); 1153 *attrs &= ~(1 << OVS_KEY_ATTR_ETHERTYPE); 1154 return 0; 1155 } 1156 1157 static int metadata_from_nlattrs(struct net *net, struct sw_flow_match *match, 1158 u64 *attrs, const struct nlattr **a, 1159 bool is_mask, bool log) 1160 { 1161 u8 mac_proto = MAC_PROTO_ETHERNET; 1162 1163 if (*attrs & (1 << OVS_KEY_ATTR_DP_HASH)) { 1164 u32 hash_val = nla_get_u32(a[OVS_KEY_ATTR_DP_HASH]); 1165 1166 SW_FLOW_KEY_PUT(match, ovs_flow_hash, hash_val, is_mask); 1167 *attrs &= ~(1 << OVS_KEY_ATTR_DP_HASH); 1168 } 1169 1170 if (*attrs & (1 << OVS_KEY_ATTR_RECIRC_ID)) { 1171 u32 recirc_id = nla_get_u32(a[OVS_KEY_ATTR_RECIRC_ID]); 1172 1173 SW_FLOW_KEY_PUT(match, recirc_id, recirc_id, is_mask); 1174 *attrs &= ~(1 << OVS_KEY_ATTR_RECIRC_ID); 1175 } 1176 1177 if (*attrs & (1 << OVS_KEY_ATTR_PRIORITY)) { 1178 SW_FLOW_KEY_PUT(match, phy.priority, 1179 nla_get_u32(a[OVS_KEY_ATTR_PRIORITY]), is_mask); 1180 *attrs &= ~(1 << OVS_KEY_ATTR_PRIORITY); 1181 } 1182 1183 if (*attrs & (1 << OVS_KEY_ATTR_IN_PORT)) { 1184 u32 in_port = nla_get_u32(a[OVS_KEY_ATTR_IN_PORT]); 1185 1186 if (is_mask) { 1187 in_port = 0xffffffff; /* Always exact match in_port. */ 1188 } else if (in_port >= DP_MAX_PORTS) { 1189 OVS_NLERR(log, "Port %d exceeds max allowable %d", 1190 in_port, DP_MAX_PORTS); 1191 return -EINVAL; 1192 } 1193 1194 SW_FLOW_KEY_PUT(match, phy.in_port, in_port, is_mask); 1195 *attrs &= ~(1 << OVS_KEY_ATTR_IN_PORT); 1196 } else if (!is_mask) { 1197 SW_FLOW_KEY_PUT(match, phy.in_port, DP_MAX_PORTS, is_mask); 1198 } 1199 1200 if (*attrs & (1 << OVS_KEY_ATTR_SKB_MARK)) { 1201 uint32_t mark = nla_get_u32(a[OVS_KEY_ATTR_SKB_MARK]); 1202 1203 SW_FLOW_KEY_PUT(match, phy.skb_mark, mark, is_mask); 1204 *attrs &= ~(1 << OVS_KEY_ATTR_SKB_MARK); 1205 } 1206 if (*attrs & (1 << OVS_KEY_ATTR_TUNNEL)) { 1207 if (ip_tun_from_nlattr(a[OVS_KEY_ATTR_TUNNEL], match, 1208 is_mask, log) < 0) 1209 return -EINVAL; 1210 *attrs &= ~(1 << OVS_KEY_ATTR_TUNNEL); 1211 } 1212 1213 if (*attrs & (1 << OVS_KEY_ATTR_CT_STATE) && 1214 ovs_ct_verify(net, OVS_KEY_ATTR_CT_STATE)) { 1215 u32 ct_state = nla_get_u32(a[OVS_KEY_ATTR_CT_STATE]); 1216 1217 if (ct_state & ~CT_SUPPORTED_MASK) { 1218 OVS_NLERR(log, "ct_state flags %08x unsupported", 1219 ct_state); 1220 return -EINVAL; 1221 } 1222 1223 SW_FLOW_KEY_PUT(match, ct_state, ct_state, is_mask); 1224 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_STATE); 1225 } 1226 if (*attrs & (1 << OVS_KEY_ATTR_CT_ZONE) && 1227 ovs_ct_verify(net, OVS_KEY_ATTR_CT_ZONE)) { 1228 u16 ct_zone = nla_get_u16(a[OVS_KEY_ATTR_CT_ZONE]); 1229 1230 SW_FLOW_KEY_PUT(match, ct_zone, ct_zone, is_mask); 1231 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_ZONE); 1232 } 1233 if (*attrs & (1 << OVS_KEY_ATTR_CT_MARK) && 1234 ovs_ct_verify(net, OVS_KEY_ATTR_CT_MARK)) { 1235 u32 mark = nla_get_u32(a[OVS_KEY_ATTR_CT_MARK]); 1236 1237 SW_FLOW_KEY_PUT(match, ct.mark, mark, is_mask); 1238 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_MARK); 1239 } 1240 if (*attrs & (1 << OVS_KEY_ATTR_CT_LABELS) && 1241 ovs_ct_verify(net, OVS_KEY_ATTR_CT_LABELS)) { 1242 const struct ovs_key_ct_labels *cl; 1243 1244 cl = nla_data(a[OVS_KEY_ATTR_CT_LABELS]); 1245 SW_FLOW_KEY_MEMCPY(match, ct.labels, cl->ct_labels, 1246 sizeof(*cl), is_mask); 1247 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_LABELS); 1248 } 1249 if (*attrs & (1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4)) { 1250 const struct ovs_key_ct_tuple_ipv4 *ct; 1251 1252 ct = nla_data(a[OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4]); 1253 1254 SW_FLOW_KEY_PUT(match, ipv4.ct_orig.src, ct->ipv4_src, is_mask); 1255 SW_FLOW_KEY_PUT(match, ipv4.ct_orig.dst, ct->ipv4_dst, is_mask); 1256 SW_FLOW_KEY_PUT(match, ct.orig_tp.src, ct->src_port, is_mask); 1257 SW_FLOW_KEY_PUT(match, ct.orig_tp.dst, ct->dst_port, is_mask); 1258 SW_FLOW_KEY_PUT(match, ct_orig_proto, ct->ipv4_proto, is_mask); 1259 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4); 1260 } 1261 if (*attrs & (1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6)) { 1262 const struct ovs_key_ct_tuple_ipv6 *ct; 1263 1264 ct = nla_data(a[OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6]); 1265 1266 SW_FLOW_KEY_MEMCPY(match, ipv6.ct_orig.src, &ct->ipv6_src, 1267 sizeof(match->key->ipv6.ct_orig.src), 1268 is_mask); 1269 SW_FLOW_KEY_MEMCPY(match, ipv6.ct_orig.dst, &ct->ipv6_dst, 1270 sizeof(match->key->ipv6.ct_orig.dst), 1271 is_mask); 1272 SW_FLOW_KEY_PUT(match, ct.orig_tp.src, ct->src_port, is_mask); 1273 SW_FLOW_KEY_PUT(match, ct.orig_tp.dst, ct->dst_port, is_mask); 1274 SW_FLOW_KEY_PUT(match, ct_orig_proto, ct->ipv6_proto, is_mask); 1275 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6); 1276 } 1277 1278 /* For layer 3 packets the Ethernet type is provided 1279 * and treated as metadata but no MAC addresses are provided. 1280 */ 1281 if (!(*attrs & (1ULL << OVS_KEY_ATTR_ETHERNET)) && 1282 (*attrs & (1ULL << OVS_KEY_ATTR_ETHERTYPE))) 1283 mac_proto = MAC_PROTO_NONE; 1284 1285 /* Always exact match mac_proto */ 1286 SW_FLOW_KEY_PUT(match, mac_proto, is_mask ? 0xff : mac_proto, is_mask); 1287 1288 if (mac_proto == MAC_PROTO_NONE) 1289 return parse_eth_type_from_nlattrs(match, attrs, a, is_mask, 1290 log); 1291 1292 return 0; 1293 } 1294 1295 int nsh_hdr_from_nlattr(const struct nlattr *attr, 1296 struct nshhdr *nh, size_t size) 1297 { 1298 struct nlattr *a; 1299 int rem; 1300 u8 flags = 0; 1301 u8 ttl = 0; 1302 int mdlen = 0; 1303 1304 /* validate_nsh has check this, so we needn't do duplicate check here 1305 */ 1306 if (size < NSH_BASE_HDR_LEN) 1307 return -ENOBUFS; 1308 1309 nla_for_each_nested(a, attr, rem) { 1310 int type = nla_type(a); 1311 1312 switch (type) { 1313 case OVS_NSH_KEY_ATTR_BASE: { 1314 const struct ovs_nsh_key_base *base = nla_data(a); 1315 1316 flags = base->flags; 1317 ttl = base->ttl; 1318 nh->np = base->np; 1319 nh->mdtype = base->mdtype; 1320 nh->path_hdr = base->path_hdr; 1321 break; 1322 } 1323 case OVS_NSH_KEY_ATTR_MD1: 1324 mdlen = nla_len(a); 1325 if (mdlen > size - NSH_BASE_HDR_LEN) 1326 return -ENOBUFS; 1327 memcpy(&nh->md1, nla_data(a), mdlen); 1328 break; 1329 1330 case OVS_NSH_KEY_ATTR_MD2: 1331 mdlen = nla_len(a); 1332 if (mdlen > size - NSH_BASE_HDR_LEN) 1333 return -ENOBUFS; 1334 memcpy(&nh->md2, nla_data(a), mdlen); 1335 break; 1336 1337 default: 1338 return -EINVAL; 1339 } 1340 } 1341 1342 /* nsh header length = NSH_BASE_HDR_LEN + mdlen */ 1343 nh->ver_flags_ttl_len = 0; 1344 nsh_set_flags_ttl_len(nh, flags, ttl, NSH_BASE_HDR_LEN + mdlen); 1345 1346 return 0; 1347 } 1348 1349 int nsh_key_from_nlattr(const struct nlattr *attr, 1350 struct ovs_key_nsh *nsh, struct ovs_key_nsh *nsh_mask) 1351 { 1352 struct nlattr *a; 1353 int rem; 1354 1355 /* validate_nsh has check this, so we needn't do duplicate check here 1356 */ 1357 nla_for_each_nested(a, attr, rem) { 1358 int type = nla_type(a); 1359 1360 switch (type) { 1361 case OVS_NSH_KEY_ATTR_BASE: { 1362 const struct ovs_nsh_key_base *base = nla_data(a); 1363 const struct ovs_nsh_key_base *base_mask = base + 1; 1364 1365 nsh->base = *base; 1366 nsh_mask->base = *base_mask; 1367 break; 1368 } 1369 case OVS_NSH_KEY_ATTR_MD1: { 1370 const struct ovs_nsh_key_md1 *md1 = nla_data(a); 1371 const struct ovs_nsh_key_md1 *md1_mask = md1 + 1; 1372 1373 memcpy(nsh->context, md1->context, sizeof(*md1)); 1374 memcpy(nsh_mask->context, md1_mask->context, 1375 sizeof(*md1_mask)); 1376 break; 1377 } 1378 case OVS_NSH_KEY_ATTR_MD2: 1379 /* Not supported yet */ 1380 return -ENOTSUPP; 1381 default: 1382 return -EINVAL; 1383 } 1384 } 1385 1386 return 0; 1387 } 1388 1389 static int nsh_key_put_from_nlattr(const struct nlattr *attr, 1390 struct sw_flow_match *match, bool is_mask, 1391 bool is_push_nsh, bool log) 1392 { 1393 struct nlattr *a; 1394 int rem; 1395 bool has_base = false; 1396 bool has_md1 = false; 1397 bool has_md2 = false; 1398 u8 mdtype = 0; 1399 int mdlen = 0; 1400 1401 if (WARN_ON(is_push_nsh && is_mask)) 1402 return -EINVAL; 1403 1404 nla_for_each_nested(a, attr, rem) { 1405 int type = nla_type(a); 1406 int i; 1407 1408 if (type > OVS_NSH_KEY_ATTR_MAX) { 1409 OVS_NLERR(log, "nsh attr %d is out of range max %d", 1410 type, OVS_NSH_KEY_ATTR_MAX); 1411 return -EINVAL; 1412 } 1413 1414 if (!check_attr_len(nla_len(a), 1415 ovs_nsh_key_attr_lens[type].len)) { 1416 OVS_NLERR( 1417 log, 1418 "nsh attr %d has unexpected len %d expected %d", 1419 type, 1420 nla_len(a), 1421 ovs_nsh_key_attr_lens[type].len 1422 ); 1423 return -EINVAL; 1424 } 1425 1426 switch (type) { 1427 case OVS_NSH_KEY_ATTR_BASE: { 1428 const struct ovs_nsh_key_base *base = nla_data(a); 1429 1430 has_base = true; 1431 mdtype = base->mdtype; 1432 SW_FLOW_KEY_PUT(match, nsh.base.flags, 1433 base->flags, is_mask); 1434 SW_FLOW_KEY_PUT(match, nsh.base.ttl, 1435 base->ttl, is_mask); 1436 SW_FLOW_KEY_PUT(match, nsh.base.mdtype, 1437 base->mdtype, is_mask); 1438 SW_FLOW_KEY_PUT(match, nsh.base.np, 1439 base->np, is_mask); 1440 SW_FLOW_KEY_PUT(match, nsh.base.path_hdr, 1441 base->path_hdr, is_mask); 1442 break; 1443 } 1444 case OVS_NSH_KEY_ATTR_MD1: { 1445 const struct ovs_nsh_key_md1 *md1 = nla_data(a); 1446 1447 has_md1 = true; 1448 for (i = 0; i < NSH_MD1_CONTEXT_SIZE; i++) 1449 SW_FLOW_KEY_PUT(match, nsh.context[i], 1450 md1->context[i], is_mask); 1451 break; 1452 } 1453 case OVS_NSH_KEY_ATTR_MD2: 1454 if (!is_push_nsh) /* Not supported MD type 2 yet */ 1455 return -ENOTSUPP; 1456 1457 has_md2 = true; 1458 mdlen = nla_len(a); 1459 if (mdlen > NSH_CTX_HDRS_MAX_LEN || mdlen <= 0) { 1460 OVS_NLERR( 1461 log, 1462 "Invalid MD length %d for MD type %d", 1463 mdlen, 1464 mdtype 1465 ); 1466 return -EINVAL; 1467 } 1468 break; 1469 default: 1470 OVS_NLERR(log, "Unknown nsh attribute %d", 1471 type); 1472 return -EINVAL; 1473 } 1474 } 1475 1476 if (rem > 0) { 1477 OVS_NLERR(log, "nsh attribute has %d unknown bytes.", rem); 1478 return -EINVAL; 1479 } 1480 1481 if (has_md1 && has_md2) { 1482 OVS_NLERR( 1483 1, 1484 "invalid nsh attribute: md1 and md2 are exclusive." 1485 ); 1486 return -EINVAL; 1487 } 1488 1489 if (!is_mask) { 1490 if ((has_md1 && mdtype != NSH_M_TYPE1) || 1491 (has_md2 && mdtype != NSH_M_TYPE2)) { 1492 OVS_NLERR(1, "nsh attribute has unmatched MD type %d.", 1493 mdtype); 1494 return -EINVAL; 1495 } 1496 1497 if (is_push_nsh && 1498 (!has_base || (!has_md1 && !has_md2))) { 1499 OVS_NLERR( 1500 1, 1501 "push_nsh: missing base or metadata attributes" 1502 ); 1503 return -EINVAL; 1504 } 1505 } 1506 1507 return 0; 1508 } 1509 1510 static int ovs_key_from_nlattrs(struct net *net, struct sw_flow_match *match, 1511 u64 attrs, const struct nlattr **a, 1512 bool is_mask, bool log) 1513 { 1514 int err; 1515 1516 err = metadata_from_nlattrs(net, match, &attrs, a, is_mask, log); 1517 if (err) 1518 return err; 1519 1520 if (attrs & (1 << OVS_KEY_ATTR_ETHERNET)) { 1521 const struct ovs_key_ethernet *eth_key; 1522 1523 eth_key = nla_data(a[OVS_KEY_ATTR_ETHERNET]); 1524 SW_FLOW_KEY_MEMCPY(match, eth.src, 1525 eth_key->eth_src, ETH_ALEN, is_mask); 1526 SW_FLOW_KEY_MEMCPY(match, eth.dst, 1527 eth_key->eth_dst, ETH_ALEN, is_mask); 1528 attrs &= ~(1 << OVS_KEY_ATTR_ETHERNET); 1529 1530 if (attrs & (1 << OVS_KEY_ATTR_VLAN)) { 1531 /* VLAN attribute is always parsed before getting here since it 1532 * may occur multiple times. 1533 */ 1534 OVS_NLERR(log, "VLAN attribute unexpected."); 1535 return -EINVAL; 1536 } 1537 1538 if (attrs & (1 << OVS_KEY_ATTR_ETHERTYPE)) { 1539 err = parse_eth_type_from_nlattrs(match, &attrs, a, is_mask, 1540 log); 1541 if (err) 1542 return err; 1543 } else if (!is_mask) { 1544 SW_FLOW_KEY_PUT(match, eth.type, htons(ETH_P_802_2), is_mask); 1545 } 1546 } else if (!match->key->eth.type) { 1547 OVS_NLERR(log, "Either Ethernet header or EtherType is required."); 1548 return -EINVAL; 1549 } 1550 1551 if (attrs & (1 << OVS_KEY_ATTR_IPV4)) { 1552 const struct ovs_key_ipv4 *ipv4_key; 1553 1554 ipv4_key = nla_data(a[OVS_KEY_ATTR_IPV4]); 1555 if (!is_mask && ipv4_key->ipv4_frag > OVS_FRAG_TYPE_MAX) { 1556 OVS_NLERR(log, "IPv4 frag type %d is out of range max %d", 1557 ipv4_key->ipv4_frag, OVS_FRAG_TYPE_MAX); 1558 return -EINVAL; 1559 } 1560 SW_FLOW_KEY_PUT(match, ip.proto, 1561 ipv4_key->ipv4_proto, is_mask); 1562 SW_FLOW_KEY_PUT(match, ip.tos, 1563 ipv4_key->ipv4_tos, is_mask); 1564 SW_FLOW_KEY_PUT(match, ip.ttl, 1565 ipv4_key->ipv4_ttl, is_mask); 1566 SW_FLOW_KEY_PUT(match, ip.frag, 1567 ipv4_key->ipv4_frag, is_mask); 1568 SW_FLOW_KEY_PUT(match, ipv4.addr.src, 1569 ipv4_key->ipv4_src, is_mask); 1570 SW_FLOW_KEY_PUT(match, ipv4.addr.dst, 1571 ipv4_key->ipv4_dst, is_mask); 1572 attrs &= ~(1 << OVS_KEY_ATTR_IPV4); 1573 } 1574 1575 if (attrs & (1 << OVS_KEY_ATTR_IPV6)) { 1576 const struct ovs_key_ipv6 *ipv6_key; 1577 1578 ipv6_key = nla_data(a[OVS_KEY_ATTR_IPV6]); 1579 if (!is_mask && ipv6_key->ipv6_frag > OVS_FRAG_TYPE_MAX) { 1580 OVS_NLERR(log, "IPv6 frag type %d is out of range max %d", 1581 ipv6_key->ipv6_frag, OVS_FRAG_TYPE_MAX); 1582 return -EINVAL; 1583 } 1584 1585 if (!is_mask && ipv6_key->ipv6_label & htonl(0xFFF00000)) { 1586 OVS_NLERR(log, "IPv6 flow label %x is out of range (max=%x)", 1587 ntohl(ipv6_key->ipv6_label), (1 << 20) - 1); 1588 return -EINVAL; 1589 } 1590 1591 SW_FLOW_KEY_PUT(match, ipv6.label, 1592 ipv6_key->ipv6_label, is_mask); 1593 SW_FLOW_KEY_PUT(match, ip.proto, 1594 ipv6_key->ipv6_proto, is_mask); 1595 SW_FLOW_KEY_PUT(match, ip.tos, 1596 ipv6_key->ipv6_tclass, is_mask); 1597 SW_FLOW_KEY_PUT(match, ip.ttl, 1598 ipv6_key->ipv6_hlimit, is_mask); 1599 SW_FLOW_KEY_PUT(match, ip.frag, 1600 ipv6_key->ipv6_frag, is_mask); 1601 SW_FLOW_KEY_MEMCPY(match, ipv6.addr.src, 1602 ipv6_key->ipv6_src, 1603 sizeof(match->key->ipv6.addr.src), 1604 is_mask); 1605 SW_FLOW_KEY_MEMCPY(match, ipv6.addr.dst, 1606 ipv6_key->ipv6_dst, 1607 sizeof(match->key->ipv6.addr.dst), 1608 is_mask); 1609 1610 attrs &= ~(1 << OVS_KEY_ATTR_IPV6); 1611 } 1612 1613 if (attrs & (1ULL << OVS_KEY_ATTR_IPV6_EXTHDRS)) { 1614 const struct ovs_key_ipv6_exthdrs *ipv6_exthdrs_key; 1615 1616 ipv6_exthdrs_key = nla_data(a[OVS_KEY_ATTR_IPV6_EXTHDRS]); 1617 1618 SW_FLOW_KEY_PUT(match, ipv6.exthdrs, 1619 ipv6_exthdrs_key->hdrs, is_mask); 1620 1621 attrs &= ~(1ULL << OVS_KEY_ATTR_IPV6_EXTHDRS); 1622 } 1623 1624 if (attrs & (1 << OVS_KEY_ATTR_ARP)) { 1625 const struct ovs_key_arp *arp_key; 1626 1627 arp_key = nla_data(a[OVS_KEY_ATTR_ARP]); 1628 if (!is_mask && (arp_key->arp_op & htons(0xff00))) { 1629 OVS_NLERR(log, "Unknown ARP opcode (opcode=%d).", 1630 arp_key->arp_op); 1631 return -EINVAL; 1632 } 1633 1634 SW_FLOW_KEY_PUT(match, ipv4.addr.src, 1635 arp_key->arp_sip, is_mask); 1636 SW_FLOW_KEY_PUT(match, ipv4.addr.dst, 1637 arp_key->arp_tip, is_mask); 1638 SW_FLOW_KEY_PUT(match, ip.proto, 1639 ntohs(arp_key->arp_op), is_mask); 1640 SW_FLOW_KEY_MEMCPY(match, ipv4.arp.sha, 1641 arp_key->arp_sha, ETH_ALEN, is_mask); 1642 SW_FLOW_KEY_MEMCPY(match, ipv4.arp.tha, 1643 arp_key->arp_tha, ETH_ALEN, is_mask); 1644 1645 attrs &= ~(1 << OVS_KEY_ATTR_ARP); 1646 } 1647 1648 if (attrs & (1 << OVS_KEY_ATTR_NSH)) { 1649 if (nsh_key_put_from_nlattr(a[OVS_KEY_ATTR_NSH], match, 1650 is_mask, false, log) < 0) 1651 return -EINVAL; 1652 attrs &= ~(1 << OVS_KEY_ATTR_NSH); 1653 } 1654 1655 if (attrs & (1 << OVS_KEY_ATTR_MPLS)) { 1656 const struct ovs_key_mpls *mpls_key; 1657 u32 hdr_len; 1658 u32 label_count, label_count_mask, i; 1659 1660 mpls_key = nla_data(a[OVS_KEY_ATTR_MPLS]); 1661 hdr_len = nla_len(a[OVS_KEY_ATTR_MPLS]); 1662 label_count = hdr_len / sizeof(struct ovs_key_mpls); 1663 1664 if (label_count == 0 || label_count > MPLS_LABEL_DEPTH || 1665 hdr_len % sizeof(struct ovs_key_mpls)) 1666 return -EINVAL; 1667 1668 label_count_mask = GENMASK(label_count - 1, 0); 1669 1670 for (i = 0 ; i < label_count; i++) 1671 SW_FLOW_KEY_PUT(match, mpls.lse[i], 1672 mpls_key[i].mpls_lse, is_mask); 1673 1674 SW_FLOW_KEY_PUT(match, mpls.num_labels_mask, 1675 label_count_mask, is_mask); 1676 1677 attrs &= ~(1 << OVS_KEY_ATTR_MPLS); 1678 } 1679 1680 if (attrs & (1 << OVS_KEY_ATTR_TCP)) { 1681 const struct ovs_key_tcp *tcp_key; 1682 1683 tcp_key = nla_data(a[OVS_KEY_ATTR_TCP]); 1684 SW_FLOW_KEY_PUT(match, tp.src, tcp_key->tcp_src, is_mask); 1685 SW_FLOW_KEY_PUT(match, tp.dst, tcp_key->tcp_dst, is_mask); 1686 attrs &= ~(1 << OVS_KEY_ATTR_TCP); 1687 } 1688 1689 if (attrs & (1 << OVS_KEY_ATTR_TCP_FLAGS)) { 1690 SW_FLOW_KEY_PUT(match, tp.flags, 1691 nla_get_be16(a[OVS_KEY_ATTR_TCP_FLAGS]), 1692 is_mask); 1693 attrs &= ~(1 << OVS_KEY_ATTR_TCP_FLAGS); 1694 } 1695 1696 if (attrs & (1 << OVS_KEY_ATTR_UDP)) { 1697 const struct ovs_key_udp *udp_key; 1698 1699 udp_key = nla_data(a[OVS_KEY_ATTR_UDP]); 1700 SW_FLOW_KEY_PUT(match, tp.src, udp_key->udp_src, is_mask); 1701 SW_FLOW_KEY_PUT(match, tp.dst, udp_key->udp_dst, is_mask); 1702 attrs &= ~(1 << OVS_KEY_ATTR_UDP); 1703 } 1704 1705 if (attrs & (1 << OVS_KEY_ATTR_SCTP)) { 1706 const struct ovs_key_sctp *sctp_key; 1707 1708 sctp_key = nla_data(a[OVS_KEY_ATTR_SCTP]); 1709 SW_FLOW_KEY_PUT(match, tp.src, sctp_key->sctp_src, is_mask); 1710 SW_FLOW_KEY_PUT(match, tp.dst, sctp_key->sctp_dst, is_mask); 1711 attrs &= ~(1 << OVS_KEY_ATTR_SCTP); 1712 } 1713 1714 if (attrs & (1 << OVS_KEY_ATTR_ICMP)) { 1715 const struct ovs_key_icmp *icmp_key; 1716 1717 icmp_key = nla_data(a[OVS_KEY_ATTR_ICMP]); 1718 SW_FLOW_KEY_PUT(match, tp.src, 1719 htons(icmp_key->icmp_type), is_mask); 1720 SW_FLOW_KEY_PUT(match, tp.dst, 1721 htons(icmp_key->icmp_code), is_mask); 1722 attrs &= ~(1 << OVS_KEY_ATTR_ICMP); 1723 } 1724 1725 if (attrs & (1 << OVS_KEY_ATTR_ICMPV6)) { 1726 const struct ovs_key_icmpv6 *icmpv6_key; 1727 1728 icmpv6_key = nla_data(a[OVS_KEY_ATTR_ICMPV6]); 1729 SW_FLOW_KEY_PUT(match, tp.src, 1730 htons(icmpv6_key->icmpv6_type), is_mask); 1731 SW_FLOW_KEY_PUT(match, tp.dst, 1732 htons(icmpv6_key->icmpv6_code), is_mask); 1733 attrs &= ~(1 << OVS_KEY_ATTR_ICMPV6); 1734 } 1735 1736 if (attrs & (1 << OVS_KEY_ATTR_ND)) { 1737 const struct ovs_key_nd *nd_key; 1738 1739 nd_key = nla_data(a[OVS_KEY_ATTR_ND]); 1740 SW_FLOW_KEY_MEMCPY(match, ipv6.nd.target, 1741 nd_key->nd_target, 1742 sizeof(match->key->ipv6.nd.target), 1743 is_mask); 1744 SW_FLOW_KEY_MEMCPY(match, ipv6.nd.sll, 1745 nd_key->nd_sll, ETH_ALEN, is_mask); 1746 SW_FLOW_KEY_MEMCPY(match, ipv6.nd.tll, 1747 nd_key->nd_tll, ETH_ALEN, is_mask); 1748 attrs &= ~(1 << OVS_KEY_ATTR_ND); 1749 } 1750 1751 if (attrs != 0) { 1752 OVS_NLERR(log, "Unknown key attributes %llx", 1753 (unsigned long long)attrs); 1754 return -EINVAL; 1755 } 1756 1757 return 0; 1758 } 1759 1760 static void nlattr_set(struct nlattr *attr, u8 val, 1761 const struct ovs_len_tbl *tbl) 1762 { 1763 struct nlattr *nla; 1764 int rem; 1765 1766 /* The nlattr stream should already have been validated */ 1767 nla_for_each_nested(nla, attr, rem) { 1768 if (tbl[nla_type(nla)].len == OVS_ATTR_NESTED) 1769 nlattr_set(nla, val, tbl[nla_type(nla)].next ? : tbl); 1770 else 1771 memset(nla_data(nla), val, nla_len(nla)); 1772 1773 if (nla_type(nla) == OVS_KEY_ATTR_CT_STATE) 1774 *(u32 *)nla_data(nla) &= CT_SUPPORTED_MASK; 1775 } 1776 } 1777 1778 static void mask_set_nlattr(struct nlattr *attr, u8 val) 1779 { 1780 nlattr_set(attr, val, ovs_key_lens); 1781 } 1782 1783 /** 1784 * ovs_nla_get_match - parses Netlink attributes into a flow key and 1785 * mask. In case the 'mask' is NULL, the flow is treated as exact match 1786 * flow. Otherwise, it is treated as a wildcarded flow, except the mask 1787 * does not include any don't care bit. 1788 * @net: Used to determine per-namespace field support. 1789 * @match: receives the extracted flow match information. 1790 * @nla_key: Netlink attribute holding nested %OVS_KEY_ATTR_* Netlink attribute 1791 * sequence. The fields should of the packet that triggered the creation 1792 * of this flow. 1793 * @nla_mask: Optional. Netlink attribute holding nested %OVS_KEY_ATTR_* 1794 * Netlink attribute specifies the mask field of the wildcarded flow. 1795 * @log: Boolean to allow kernel error logging. Normally true, but when 1796 * probing for feature compatibility this should be passed in as false to 1797 * suppress unnecessary error logging. 1798 */ 1799 int ovs_nla_get_match(struct net *net, struct sw_flow_match *match, 1800 const struct nlattr *nla_key, 1801 const struct nlattr *nla_mask, 1802 bool log) 1803 { 1804 const struct nlattr *a[OVS_KEY_ATTR_MAX + 1]; 1805 struct nlattr *newmask = NULL; 1806 u64 key_attrs = 0; 1807 u64 mask_attrs = 0; 1808 int err; 1809 1810 err = parse_flow_nlattrs(nla_key, a, &key_attrs, log); 1811 if (err) 1812 return err; 1813 1814 err = parse_vlan_from_nlattrs(match, &key_attrs, a, false, log); 1815 if (err) 1816 return err; 1817 1818 err = ovs_key_from_nlattrs(net, match, key_attrs, a, false, log); 1819 if (err) 1820 return err; 1821 1822 if (match->mask) { 1823 if (!nla_mask) { 1824 /* Create an exact match mask. We need to set to 0xff 1825 * all the 'match->mask' fields that have been touched 1826 * in 'match->key'. We cannot simply memset 1827 * 'match->mask', because padding bytes and fields not 1828 * specified in 'match->key' should be left to 0. 1829 * Instead, we use a stream of netlink attributes, 1830 * copied from 'key' and set to 0xff. 1831 * ovs_key_from_nlattrs() will take care of filling 1832 * 'match->mask' appropriately. 1833 */ 1834 newmask = kmemdup(nla_key, 1835 nla_total_size(nla_len(nla_key)), 1836 GFP_KERNEL); 1837 if (!newmask) 1838 return -ENOMEM; 1839 1840 mask_set_nlattr(newmask, 0xff); 1841 1842 /* The userspace does not send tunnel attributes that 1843 * are 0, but we should not wildcard them nonetheless. 1844 */ 1845 if (match->key->tun_proto) 1846 SW_FLOW_KEY_MEMSET_FIELD(match, tun_key, 1847 0xff, true); 1848 1849 nla_mask = newmask; 1850 } 1851 1852 err = parse_flow_mask_nlattrs(nla_mask, a, &mask_attrs, log); 1853 if (err) 1854 goto free_newmask; 1855 1856 /* Always match on tci. */ 1857 SW_FLOW_KEY_PUT(match, eth.vlan.tci, htons(0xffff), true); 1858 SW_FLOW_KEY_PUT(match, eth.cvlan.tci, htons(0xffff), true); 1859 1860 err = parse_vlan_from_nlattrs(match, &mask_attrs, a, true, log); 1861 if (err) 1862 goto free_newmask; 1863 1864 err = ovs_key_from_nlattrs(net, match, mask_attrs, a, true, 1865 log); 1866 if (err) 1867 goto free_newmask; 1868 } 1869 1870 if (!match_validate(match, key_attrs, mask_attrs, log)) 1871 err = -EINVAL; 1872 1873 free_newmask: 1874 kfree(newmask); 1875 return err; 1876 } 1877 1878 static size_t get_ufid_len(const struct nlattr *attr, bool log) 1879 { 1880 size_t len; 1881 1882 if (!attr) 1883 return 0; 1884 1885 len = nla_len(attr); 1886 if (len < 1 || len > MAX_UFID_LENGTH) { 1887 OVS_NLERR(log, "ufid size %u bytes exceeds the range (1, %d)", 1888 nla_len(attr), MAX_UFID_LENGTH); 1889 return 0; 1890 } 1891 1892 return len; 1893 } 1894 1895 /* Initializes 'flow->ufid', returning true if 'attr' contains a valid UFID, 1896 * or false otherwise. 1897 */ 1898 bool ovs_nla_get_ufid(struct sw_flow_id *sfid, const struct nlattr *attr, 1899 bool log) 1900 { 1901 sfid->ufid_len = get_ufid_len(attr, log); 1902 if (sfid->ufid_len) 1903 memcpy(sfid->ufid, nla_data(attr), sfid->ufid_len); 1904 1905 return sfid->ufid_len; 1906 } 1907 1908 int ovs_nla_get_identifier(struct sw_flow_id *sfid, const struct nlattr *ufid, 1909 const struct sw_flow_key *key, bool log) 1910 { 1911 struct sw_flow_key *new_key; 1912 1913 if (ovs_nla_get_ufid(sfid, ufid, log)) 1914 return 0; 1915 1916 /* If UFID was not provided, use unmasked key. */ 1917 new_key = kmalloc(sizeof(*new_key), GFP_KERNEL); 1918 if (!new_key) 1919 return -ENOMEM; 1920 memcpy(new_key, key, sizeof(*key)); 1921 sfid->unmasked_key = new_key; 1922 1923 return 0; 1924 } 1925 1926 u32 ovs_nla_get_ufid_flags(const struct nlattr *attr) 1927 { 1928 return attr ? nla_get_u32(attr) : 0; 1929 } 1930 1931 /** 1932 * ovs_nla_get_flow_metadata - parses Netlink attributes into a flow key. 1933 * @net: Network namespace. 1934 * @key: Receives extracted in_port, priority, tun_key, skb_mark and conntrack 1935 * metadata. 1936 * @a: Array of netlink attributes holding parsed %OVS_KEY_ATTR_* Netlink 1937 * attributes. 1938 * @attrs: Bit mask for the netlink attributes included in @a. 1939 * @log: Boolean to allow kernel error logging. Normally true, but when 1940 * probing for feature compatibility this should be passed in as false to 1941 * suppress unnecessary error logging. 1942 * 1943 * This parses a series of Netlink attributes that form a flow key, which must 1944 * take the same form accepted by flow_from_nlattrs(), but only enough of it to 1945 * get the metadata, that is, the parts of the flow key that cannot be 1946 * extracted from the packet itself. 1947 * 1948 * This must be called before the packet key fields are filled in 'key'. 1949 */ 1950 1951 int ovs_nla_get_flow_metadata(struct net *net, 1952 const struct nlattr *a[OVS_KEY_ATTR_MAX + 1], 1953 u64 attrs, struct sw_flow_key *key, bool log) 1954 { 1955 struct sw_flow_match match; 1956 1957 memset(&match, 0, sizeof(match)); 1958 match.key = key; 1959 1960 key->ct_state = 0; 1961 key->ct_zone = 0; 1962 key->ct_orig_proto = 0; 1963 memset(&key->ct, 0, sizeof(key->ct)); 1964 memset(&key->ipv4.ct_orig, 0, sizeof(key->ipv4.ct_orig)); 1965 memset(&key->ipv6.ct_orig, 0, sizeof(key->ipv6.ct_orig)); 1966 1967 key->phy.in_port = DP_MAX_PORTS; 1968 1969 return metadata_from_nlattrs(net, &match, &attrs, a, false, log); 1970 } 1971 1972 static int ovs_nla_put_vlan(struct sk_buff *skb, const struct vlan_head *vh, 1973 bool is_mask) 1974 { 1975 __be16 eth_type = !is_mask ? vh->tpid : htons(0xffff); 1976 1977 if (nla_put_be16(skb, OVS_KEY_ATTR_ETHERTYPE, eth_type) || 1978 nla_put_be16(skb, OVS_KEY_ATTR_VLAN, vh->tci)) 1979 return -EMSGSIZE; 1980 return 0; 1981 } 1982 1983 static int nsh_key_to_nlattr(const struct ovs_key_nsh *nsh, bool is_mask, 1984 struct sk_buff *skb) 1985 { 1986 struct nlattr *start; 1987 1988 start = nla_nest_start_noflag(skb, OVS_KEY_ATTR_NSH); 1989 if (!start) 1990 return -EMSGSIZE; 1991 1992 if (nla_put(skb, OVS_NSH_KEY_ATTR_BASE, sizeof(nsh->base), &nsh->base)) 1993 goto nla_put_failure; 1994 1995 if (is_mask || nsh->base.mdtype == NSH_M_TYPE1) { 1996 if (nla_put(skb, OVS_NSH_KEY_ATTR_MD1, 1997 sizeof(nsh->context), nsh->context)) 1998 goto nla_put_failure; 1999 } 2000 2001 /* Don't support MD type 2 yet */ 2002 2003 nla_nest_end(skb, start); 2004 2005 return 0; 2006 2007 nla_put_failure: 2008 return -EMSGSIZE; 2009 } 2010 2011 static int __ovs_nla_put_key(const struct sw_flow_key *swkey, 2012 const struct sw_flow_key *output, bool is_mask, 2013 struct sk_buff *skb) 2014 { 2015 struct ovs_key_ethernet *eth_key; 2016 struct nlattr *nla; 2017 struct nlattr *encap = NULL; 2018 struct nlattr *in_encap = NULL; 2019 2020 if (nla_put_u32(skb, OVS_KEY_ATTR_RECIRC_ID, output->recirc_id)) 2021 goto nla_put_failure; 2022 2023 if (nla_put_u32(skb, OVS_KEY_ATTR_DP_HASH, output->ovs_flow_hash)) 2024 goto nla_put_failure; 2025 2026 if (nla_put_u32(skb, OVS_KEY_ATTR_PRIORITY, output->phy.priority)) 2027 goto nla_put_failure; 2028 2029 if ((swkey->tun_proto || is_mask)) { 2030 const void *opts = NULL; 2031 2032 if (output->tun_key.tun_flags & TUNNEL_OPTIONS_PRESENT) 2033 opts = TUN_METADATA_OPTS(output, swkey->tun_opts_len); 2034 2035 if (ip_tun_to_nlattr(skb, &output->tun_key, opts, 2036 swkey->tun_opts_len, swkey->tun_proto, 0)) 2037 goto nla_put_failure; 2038 } 2039 2040 if (swkey->phy.in_port == DP_MAX_PORTS) { 2041 if (is_mask && (output->phy.in_port == 0xffff)) 2042 if (nla_put_u32(skb, OVS_KEY_ATTR_IN_PORT, 0xffffffff)) 2043 goto nla_put_failure; 2044 } else { 2045 u16 upper_u16; 2046 upper_u16 = !is_mask ? 0 : 0xffff; 2047 2048 if (nla_put_u32(skb, OVS_KEY_ATTR_IN_PORT, 2049 (upper_u16 << 16) | output->phy.in_port)) 2050 goto nla_put_failure; 2051 } 2052 2053 if (nla_put_u32(skb, OVS_KEY_ATTR_SKB_MARK, output->phy.skb_mark)) 2054 goto nla_put_failure; 2055 2056 if (ovs_ct_put_key(swkey, output, skb)) 2057 goto nla_put_failure; 2058 2059 if (ovs_key_mac_proto(swkey) == MAC_PROTO_ETHERNET) { 2060 nla = nla_reserve(skb, OVS_KEY_ATTR_ETHERNET, sizeof(*eth_key)); 2061 if (!nla) 2062 goto nla_put_failure; 2063 2064 eth_key = nla_data(nla); 2065 ether_addr_copy(eth_key->eth_src, output->eth.src); 2066 ether_addr_copy(eth_key->eth_dst, output->eth.dst); 2067 2068 if (swkey->eth.vlan.tci || eth_type_vlan(swkey->eth.type)) { 2069 if (ovs_nla_put_vlan(skb, &output->eth.vlan, is_mask)) 2070 goto nla_put_failure; 2071 encap = nla_nest_start_noflag(skb, OVS_KEY_ATTR_ENCAP); 2072 if (!swkey->eth.vlan.tci) 2073 goto unencap; 2074 2075 if (swkey->eth.cvlan.tci || eth_type_vlan(swkey->eth.type)) { 2076 if (ovs_nla_put_vlan(skb, &output->eth.cvlan, is_mask)) 2077 goto nla_put_failure; 2078 in_encap = nla_nest_start_noflag(skb, 2079 OVS_KEY_ATTR_ENCAP); 2080 if (!swkey->eth.cvlan.tci) 2081 goto unencap; 2082 } 2083 } 2084 2085 if (swkey->eth.type == htons(ETH_P_802_2)) { 2086 /* 2087 * Ethertype 802.2 is represented in the netlink with omitted 2088 * OVS_KEY_ATTR_ETHERTYPE in the flow key attribute, and 2089 * 0xffff in the mask attribute. Ethertype can also 2090 * be wildcarded. 2091 */ 2092 if (is_mask && output->eth.type) 2093 if (nla_put_be16(skb, OVS_KEY_ATTR_ETHERTYPE, 2094 output->eth.type)) 2095 goto nla_put_failure; 2096 goto unencap; 2097 } 2098 } 2099 2100 if (nla_put_be16(skb, OVS_KEY_ATTR_ETHERTYPE, output->eth.type)) 2101 goto nla_put_failure; 2102 2103 if (eth_type_vlan(swkey->eth.type)) { 2104 /* There are 3 VLAN tags, we don't know anything about the rest 2105 * of the packet, so truncate here. 2106 */ 2107 WARN_ON_ONCE(!(encap && in_encap)); 2108 goto unencap; 2109 } 2110 2111 if (swkey->eth.type == htons(ETH_P_IP)) { 2112 struct ovs_key_ipv4 *ipv4_key; 2113 2114 nla = nla_reserve(skb, OVS_KEY_ATTR_IPV4, sizeof(*ipv4_key)); 2115 if (!nla) 2116 goto nla_put_failure; 2117 ipv4_key = nla_data(nla); 2118 ipv4_key->ipv4_src = output->ipv4.addr.src; 2119 ipv4_key->ipv4_dst = output->ipv4.addr.dst; 2120 ipv4_key->ipv4_proto = output->ip.proto; 2121 ipv4_key->ipv4_tos = output->ip.tos; 2122 ipv4_key->ipv4_ttl = output->ip.ttl; 2123 ipv4_key->ipv4_frag = output->ip.frag; 2124 } else if (swkey->eth.type == htons(ETH_P_IPV6)) { 2125 struct ovs_key_ipv6 *ipv6_key; 2126 struct ovs_key_ipv6_exthdrs *ipv6_exthdrs_key; 2127 2128 nla = nla_reserve(skb, OVS_KEY_ATTR_IPV6, sizeof(*ipv6_key)); 2129 if (!nla) 2130 goto nla_put_failure; 2131 ipv6_key = nla_data(nla); 2132 memcpy(ipv6_key->ipv6_src, &output->ipv6.addr.src, 2133 sizeof(ipv6_key->ipv6_src)); 2134 memcpy(ipv6_key->ipv6_dst, &output->ipv6.addr.dst, 2135 sizeof(ipv6_key->ipv6_dst)); 2136 ipv6_key->ipv6_label = output->ipv6.label; 2137 ipv6_key->ipv6_proto = output->ip.proto; 2138 ipv6_key->ipv6_tclass = output->ip.tos; 2139 ipv6_key->ipv6_hlimit = output->ip.ttl; 2140 ipv6_key->ipv6_frag = output->ip.frag; 2141 2142 nla = nla_reserve(skb, OVS_KEY_ATTR_IPV6_EXTHDRS, 2143 sizeof(*ipv6_exthdrs_key)); 2144 if (!nla) 2145 goto nla_put_failure; 2146 ipv6_exthdrs_key = nla_data(nla); 2147 ipv6_exthdrs_key->hdrs = output->ipv6.exthdrs; 2148 } else if (swkey->eth.type == htons(ETH_P_NSH)) { 2149 if (nsh_key_to_nlattr(&output->nsh, is_mask, skb)) 2150 goto nla_put_failure; 2151 } else if (swkey->eth.type == htons(ETH_P_ARP) || 2152 swkey->eth.type == htons(ETH_P_RARP)) { 2153 struct ovs_key_arp *arp_key; 2154 2155 nla = nla_reserve(skb, OVS_KEY_ATTR_ARP, sizeof(*arp_key)); 2156 if (!nla) 2157 goto nla_put_failure; 2158 arp_key = nla_data(nla); 2159 memset(arp_key, 0, sizeof(struct ovs_key_arp)); 2160 arp_key->arp_sip = output->ipv4.addr.src; 2161 arp_key->arp_tip = output->ipv4.addr.dst; 2162 arp_key->arp_op = htons(output->ip.proto); 2163 ether_addr_copy(arp_key->arp_sha, output->ipv4.arp.sha); 2164 ether_addr_copy(arp_key->arp_tha, output->ipv4.arp.tha); 2165 } else if (eth_p_mpls(swkey->eth.type)) { 2166 u8 i, num_labels; 2167 struct ovs_key_mpls *mpls_key; 2168 2169 num_labels = hweight_long(output->mpls.num_labels_mask); 2170 nla = nla_reserve(skb, OVS_KEY_ATTR_MPLS, 2171 num_labels * sizeof(*mpls_key)); 2172 if (!nla) 2173 goto nla_put_failure; 2174 2175 mpls_key = nla_data(nla); 2176 for (i = 0; i < num_labels; i++) 2177 mpls_key[i].mpls_lse = output->mpls.lse[i]; 2178 } 2179 2180 if ((swkey->eth.type == htons(ETH_P_IP) || 2181 swkey->eth.type == htons(ETH_P_IPV6)) && 2182 swkey->ip.frag != OVS_FRAG_TYPE_LATER) { 2183 2184 if (swkey->ip.proto == IPPROTO_TCP) { 2185 struct ovs_key_tcp *tcp_key; 2186 2187 nla = nla_reserve(skb, OVS_KEY_ATTR_TCP, sizeof(*tcp_key)); 2188 if (!nla) 2189 goto nla_put_failure; 2190 tcp_key = nla_data(nla); 2191 tcp_key->tcp_src = output->tp.src; 2192 tcp_key->tcp_dst = output->tp.dst; 2193 if (nla_put_be16(skb, OVS_KEY_ATTR_TCP_FLAGS, 2194 output->tp.flags)) 2195 goto nla_put_failure; 2196 } else if (swkey->ip.proto == IPPROTO_UDP) { 2197 struct ovs_key_udp *udp_key; 2198 2199 nla = nla_reserve(skb, OVS_KEY_ATTR_UDP, sizeof(*udp_key)); 2200 if (!nla) 2201 goto nla_put_failure; 2202 udp_key = nla_data(nla); 2203 udp_key->udp_src = output->tp.src; 2204 udp_key->udp_dst = output->tp.dst; 2205 } else if (swkey->ip.proto == IPPROTO_SCTP) { 2206 struct ovs_key_sctp *sctp_key; 2207 2208 nla = nla_reserve(skb, OVS_KEY_ATTR_SCTP, sizeof(*sctp_key)); 2209 if (!nla) 2210 goto nla_put_failure; 2211 sctp_key = nla_data(nla); 2212 sctp_key->sctp_src = output->tp.src; 2213 sctp_key->sctp_dst = output->tp.dst; 2214 } else if (swkey->eth.type == htons(ETH_P_IP) && 2215 swkey->ip.proto == IPPROTO_ICMP) { 2216 struct ovs_key_icmp *icmp_key; 2217 2218 nla = nla_reserve(skb, OVS_KEY_ATTR_ICMP, sizeof(*icmp_key)); 2219 if (!nla) 2220 goto nla_put_failure; 2221 icmp_key = nla_data(nla); 2222 icmp_key->icmp_type = ntohs(output->tp.src); 2223 icmp_key->icmp_code = ntohs(output->tp.dst); 2224 } else if (swkey->eth.type == htons(ETH_P_IPV6) && 2225 swkey->ip.proto == IPPROTO_ICMPV6) { 2226 struct ovs_key_icmpv6 *icmpv6_key; 2227 2228 nla = nla_reserve(skb, OVS_KEY_ATTR_ICMPV6, 2229 sizeof(*icmpv6_key)); 2230 if (!nla) 2231 goto nla_put_failure; 2232 icmpv6_key = nla_data(nla); 2233 icmpv6_key->icmpv6_type = ntohs(output->tp.src); 2234 icmpv6_key->icmpv6_code = ntohs(output->tp.dst); 2235 2236 if (swkey->tp.src == htons(NDISC_NEIGHBOUR_SOLICITATION) || 2237 swkey->tp.src == htons(NDISC_NEIGHBOUR_ADVERTISEMENT)) { 2238 struct ovs_key_nd *nd_key; 2239 2240 nla = nla_reserve(skb, OVS_KEY_ATTR_ND, sizeof(*nd_key)); 2241 if (!nla) 2242 goto nla_put_failure; 2243 nd_key = nla_data(nla); 2244 memcpy(nd_key->nd_target, &output->ipv6.nd.target, 2245 sizeof(nd_key->nd_target)); 2246 ether_addr_copy(nd_key->nd_sll, output->ipv6.nd.sll); 2247 ether_addr_copy(nd_key->nd_tll, output->ipv6.nd.tll); 2248 } 2249 } 2250 } 2251 2252 unencap: 2253 if (in_encap) 2254 nla_nest_end(skb, in_encap); 2255 if (encap) 2256 nla_nest_end(skb, encap); 2257 2258 return 0; 2259 2260 nla_put_failure: 2261 return -EMSGSIZE; 2262 } 2263 2264 int ovs_nla_put_key(const struct sw_flow_key *swkey, 2265 const struct sw_flow_key *output, int attr, bool is_mask, 2266 struct sk_buff *skb) 2267 { 2268 int err; 2269 struct nlattr *nla; 2270 2271 nla = nla_nest_start_noflag(skb, attr); 2272 if (!nla) 2273 return -EMSGSIZE; 2274 err = __ovs_nla_put_key(swkey, output, is_mask, skb); 2275 if (err) 2276 return err; 2277 nla_nest_end(skb, nla); 2278 2279 return 0; 2280 } 2281 2282 /* Called with ovs_mutex or RCU read lock. */ 2283 int ovs_nla_put_identifier(const struct sw_flow *flow, struct sk_buff *skb) 2284 { 2285 if (ovs_identifier_is_ufid(&flow->id)) 2286 return nla_put(skb, OVS_FLOW_ATTR_UFID, flow->id.ufid_len, 2287 flow->id.ufid); 2288 2289 return ovs_nla_put_key(flow->id.unmasked_key, flow->id.unmasked_key, 2290 OVS_FLOW_ATTR_KEY, false, skb); 2291 } 2292 2293 /* Called with ovs_mutex or RCU read lock. */ 2294 int ovs_nla_put_masked_key(const struct sw_flow *flow, struct sk_buff *skb) 2295 { 2296 return ovs_nla_put_key(&flow->key, &flow->key, 2297 OVS_FLOW_ATTR_KEY, false, skb); 2298 } 2299 2300 /* Called with ovs_mutex or RCU read lock. */ 2301 int ovs_nla_put_mask(const struct sw_flow *flow, struct sk_buff *skb) 2302 { 2303 return ovs_nla_put_key(&flow->key, &flow->mask->key, 2304 OVS_FLOW_ATTR_MASK, true, skb); 2305 } 2306 2307 #define MAX_ACTIONS_BUFSIZE (32 * 1024) 2308 2309 static struct sw_flow_actions *nla_alloc_flow_actions(int size) 2310 { 2311 struct sw_flow_actions *sfa; 2312 2313 WARN_ON_ONCE(size > MAX_ACTIONS_BUFSIZE); 2314 2315 sfa = kmalloc(kmalloc_size_roundup(sizeof(*sfa) + size), GFP_KERNEL); 2316 if (!sfa) 2317 return ERR_PTR(-ENOMEM); 2318 2319 sfa->actions_len = 0; 2320 return sfa; 2321 } 2322 2323 static void ovs_nla_free_nested_actions(const struct nlattr *actions, int len); 2324 2325 static void ovs_nla_free_check_pkt_len_action(const struct nlattr *action) 2326 { 2327 const struct nlattr *a; 2328 int rem; 2329 2330 nla_for_each_nested(a, action, rem) { 2331 switch (nla_type(a)) { 2332 case OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL: 2333 case OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER: 2334 ovs_nla_free_nested_actions(nla_data(a), nla_len(a)); 2335 break; 2336 } 2337 } 2338 } 2339 2340 static void ovs_nla_free_clone_action(const struct nlattr *action) 2341 { 2342 const struct nlattr *a = nla_data(action); 2343 int rem = nla_len(action); 2344 2345 switch (nla_type(a)) { 2346 case OVS_CLONE_ATTR_EXEC: 2347 /* The real list of actions follows this attribute. */ 2348 a = nla_next(a, &rem); 2349 ovs_nla_free_nested_actions(a, rem); 2350 break; 2351 } 2352 } 2353 2354 static void ovs_nla_free_dec_ttl_action(const struct nlattr *action) 2355 { 2356 const struct nlattr *a = nla_data(action); 2357 2358 switch (nla_type(a)) { 2359 case OVS_DEC_TTL_ATTR_ACTION: 2360 ovs_nla_free_nested_actions(nla_data(a), nla_len(a)); 2361 break; 2362 } 2363 } 2364 2365 static void ovs_nla_free_sample_action(const struct nlattr *action) 2366 { 2367 const struct nlattr *a = nla_data(action); 2368 int rem = nla_len(action); 2369 2370 switch (nla_type(a)) { 2371 case OVS_SAMPLE_ATTR_ARG: 2372 /* The real list of actions follows this attribute. */ 2373 a = nla_next(a, &rem); 2374 ovs_nla_free_nested_actions(a, rem); 2375 break; 2376 } 2377 } 2378 2379 static void ovs_nla_free_set_action(const struct nlattr *a) 2380 { 2381 const struct nlattr *ovs_key = nla_data(a); 2382 struct ovs_tunnel_info *ovs_tun; 2383 2384 switch (nla_type(ovs_key)) { 2385 case OVS_KEY_ATTR_TUNNEL_INFO: 2386 ovs_tun = nla_data(ovs_key); 2387 dst_release((struct dst_entry *)ovs_tun->tun_dst); 2388 break; 2389 } 2390 } 2391 2392 static void ovs_nla_free_nested_actions(const struct nlattr *actions, int len) 2393 { 2394 const struct nlattr *a; 2395 int rem; 2396 2397 /* Whenever new actions are added, the need to update this 2398 * function should be considered. 2399 */ 2400 BUILD_BUG_ON(OVS_ACTION_ATTR_MAX != 24); 2401 2402 if (!actions) 2403 return; 2404 2405 nla_for_each_attr(a, actions, len, rem) { 2406 switch (nla_type(a)) { 2407 case OVS_ACTION_ATTR_CHECK_PKT_LEN: 2408 ovs_nla_free_check_pkt_len_action(a); 2409 break; 2410 2411 case OVS_ACTION_ATTR_CLONE: 2412 ovs_nla_free_clone_action(a); 2413 break; 2414 2415 case OVS_ACTION_ATTR_CT: 2416 ovs_ct_free_action(a); 2417 break; 2418 2419 case OVS_ACTION_ATTR_DEC_TTL: 2420 ovs_nla_free_dec_ttl_action(a); 2421 break; 2422 2423 case OVS_ACTION_ATTR_SAMPLE: 2424 ovs_nla_free_sample_action(a); 2425 break; 2426 2427 case OVS_ACTION_ATTR_SET: 2428 ovs_nla_free_set_action(a); 2429 break; 2430 } 2431 } 2432 } 2433 2434 void ovs_nla_free_flow_actions(struct sw_flow_actions *sf_acts) 2435 { 2436 if (!sf_acts) 2437 return; 2438 2439 ovs_nla_free_nested_actions(sf_acts->actions, sf_acts->actions_len); 2440 kfree(sf_acts); 2441 } 2442 2443 static void __ovs_nla_free_flow_actions(struct rcu_head *head) 2444 { 2445 ovs_nla_free_flow_actions(container_of(head, struct sw_flow_actions, rcu)); 2446 } 2447 2448 /* Schedules 'sf_acts' to be freed after the next RCU grace period. 2449 * The caller must hold rcu_read_lock for this to be sensible. */ 2450 void ovs_nla_free_flow_actions_rcu(struct sw_flow_actions *sf_acts) 2451 { 2452 call_rcu(&sf_acts->rcu, __ovs_nla_free_flow_actions); 2453 } 2454 2455 static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa, 2456 int attr_len, bool log) 2457 { 2458 2459 struct sw_flow_actions *acts; 2460 int new_acts_size; 2461 size_t req_size = NLA_ALIGN(attr_len); 2462 int next_offset = offsetof(struct sw_flow_actions, actions) + 2463 (*sfa)->actions_len; 2464 2465 if (req_size <= (ksize(*sfa) - next_offset)) 2466 goto out; 2467 2468 new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2); 2469 2470 if (new_acts_size > MAX_ACTIONS_BUFSIZE) { 2471 if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE) { 2472 OVS_NLERR(log, "Flow action size exceeds max %u", 2473 MAX_ACTIONS_BUFSIZE); 2474 return ERR_PTR(-EMSGSIZE); 2475 } 2476 new_acts_size = MAX_ACTIONS_BUFSIZE; 2477 } 2478 2479 acts = nla_alloc_flow_actions(new_acts_size); 2480 if (IS_ERR(acts)) 2481 return (void *)acts; 2482 2483 memcpy(acts->actions, (*sfa)->actions, (*sfa)->actions_len); 2484 acts->actions_len = (*sfa)->actions_len; 2485 acts->orig_len = (*sfa)->orig_len; 2486 kfree(*sfa); 2487 *sfa = acts; 2488 2489 out: 2490 (*sfa)->actions_len += req_size; 2491 return (struct nlattr *) ((unsigned char *)(*sfa) + next_offset); 2492 } 2493 2494 static struct nlattr *__add_action(struct sw_flow_actions **sfa, 2495 int attrtype, void *data, int len, bool log) 2496 { 2497 struct nlattr *a; 2498 2499 a = reserve_sfa_size(sfa, nla_attr_size(len), log); 2500 if (IS_ERR(a)) 2501 return a; 2502 2503 a->nla_type = attrtype; 2504 a->nla_len = nla_attr_size(len); 2505 2506 if (data) 2507 memcpy(nla_data(a), data, len); 2508 memset((unsigned char *) a + a->nla_len, 0, nla_padlen(len)); 2509 2510 return a; 2511 } 2512 2513 int ovs_nla_add_action(struct sw_flow_actions **sfa, int attrtype, void *data, 2514 int len, bool log) 2515 { 2516 struct nlattr *a; 2517 2518 a = __add_action(sfa, attrtype, data, len, log); 2519 2520 return PTR_ERR_OR_ZERO(a); 2521 } 2522 2523 static inline int add_nested_action_start(struct sw_flow_actions **sfa, 2524 int attrtype, bool log) 2525 { 2526 int used = (*sfa)->actions_len; 2527 int err; 2528 2529 err = ovs_nla_add_action(sfa, attrtype, NULL, 0, log); 2530 if (err) 2531 return err; 2532 2533 return used; 2534 } 2535 2536 static inline void add_nested_action_end(struct sw_flow_actions *sfa, 2537 int st_offset) 2538 { 2539 struct nlattr *a = (struct nlattr *) ((unsigned char *)sfa->actions + 2540 st_offset); 2541 2542 a->nla_len = sfa->actions_len - st_offset; 2543 } 2544 2545 static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr, 2546 const struct sw_flow_key *key, 2547 struct sw_flow_actions **sfa, 2548 __be16 eth_type, __be16 vlan_tci, 2549 u32 mpls_label_count, bool log, 2550 u32 depth); 2551 2552 static int validate_and_copy_sample(struct net *net, const struct nlattr *attr, 2553 const struct sw_flow_key *key, 2554 struct sw_flow_actions **sfa, 2555 __be16 eth_type, __be16 vlan_tci, 2556 u32 mpls_label_count, bool log, bool last, 2557 u32 depth) 2558 { 2559 const struct nlattr *attrs[OVS_SAMPLE_ATTR_MAX + 1]; 2560 const struct nlattr *probability, *actions; 2561 const struct nlattr *a; 2562 int rem, start, err; 2563 struct sample_arg arg; 2564 2565 memset(attrs, 0, sizeof(attrs)); 2566 nla_for_each_nested(a, attr, rem) { 2567 int type = nla_type(a); 2568 if (!type || type > OVS_SAMPLE_ATTR_MAX || attrs[type]) 2569 return -EINVAL; 2570 attrs[type] = a; 2571 } 2572 if (rem) 2573 return -EINVAL; 2574 2575 probability = attrs[OVS_SAMPLE_ATTR_PROBABILITY]; 2576 if (!probability || nla_len(probability) != sizeof(u32)) 2577 return -EINVAL; 2578 2579 actions = attrs[OVS_SAMPLE_ATTR_ACTIONS]; 2580 if (!actions || (nla_len(actions) && nla_len(actions) < NLA_HDRLEN)) 2581 return -EINVAL; 2582 2583 /* validation done, copy sample action. */ 2584 start = add_nested_action_start(sfa, OVS_ACTION_ATTR_SAMPLE, log); 2585 if (start < 0) 2586 return start; 2587 2588 /* When both skb and flow may be changed, put the sample 2589 * into a deferred fifo. On the other hand, if only skb 2590 * may be modified, the actions can be executed in place. 2591 * 2592 * Do this analysis at the flow installation time. 2593 * Set 'clone_action->exec' to true if the actions can be 2594 * executed without being deferred. 2595 * 2596 * If the sample is the last action, it can always be excuted 2597 * rather than deferred. 2598 */ 2599 arg.exec = last || !actions_may_change_flow(actions); 2600 arg.probability = nla_get_u32(probability); 2601 2602 err = ovs_nla_add_action(sfa, OVS_SAMPLE_ATTR_ARG, &arg, sizeof(arg), 2603 log); 2604 if (err) 2605 return err; 2606 2607 err = __ovs_nla_copy_actions(net, actions, key, sfa, 2608 eth_type, vlan_tci, mpls_label_count, log, 2609 depth + 1); 2610 2611 if (err) 2612 return err; 2613 2614 add_nested_action_end(*sfa, start); 2615 2616 return 0; 2617 } 2618 2619 static int validate_and_copy_dec_ttl(struct net *net, 2620 const struct nlattr *attr, 2621 const struct sw_flow_key *key, 2622 struct sw_flow_actions **sfa, 2623 __be16 eth_type, __be16 vlan_tci, 2624 u32 mpls_label_count, bool log, 2625 u32 depth) 2626 { 2627 const struct nlattr *attrs[OVS_DEC_TTL_ATTR_MAX + 1]; 2628 int start, action_start, err, rem; 2629 const struct nlattr *a, *actions; 2630 2631 memset(attrs, 0, sizeof(attrs)); 2632 nla_for_each_nested(a, attr, rem) { 2633 int type = nla_type(a); 2634 2635 /* Ignore unknown attributes to be future proof. */ 2636 if (type > OVS_DEC_TTL_ATTR_MAX) 2637 continue; 2638 2639 if (!type || attrs[type]) { 2640 OVS_NLERR(log, "Duplicate or invalid key (type %d).", 2641 type); 2642 return -EINVAL; 2643 } 2644 2645 attrs[type] = a; 2646 } 2647 2648 if (rem) { 2649 OVS_NLERR(log, "Message has %d unknown bytes.", rem); 2650 return -EINVAL; 2651 } 2652 2653 actions = attrs[OVS_DEC_TTL_ATTR_ACTION]; 2654 if (!actions || (nla_len(actions) && nla_len(actions) < NLA_HDRLEN)) { 2655 OVS_NLERR(log, "Missing valid actions attribute."); 2656 return -EINVAL; 2657 } 2658 2659 start = add_nested_action_start(sfa, OVS_ACTION_ATTR_DEC_TTL, log); 2660 if (start < 0) 2661 return start; 2662 2663 action_start = add_nested_action_start(sfa, OVS_DEC_TTL_ATTR_ACTION, log); 2664 if (action_start < 0) 2665 return action_start; 2666 2667 err = __ovs_nla_copy_actions(net, actions, key, sfa, eth_type, 2668 vlan_tci, mpls_label_count, log, 2669 depth + 1); 2670 if (err) 2671 return err; 2672 2673 add_nested_action_end(*sfa, action_start); 2674 add_nested_action_end(*sfa, start); 2675 return 0; 2676 } 2677 2678 static int validate_and_copy_clone(struct net *net, 2679 const struct nlattr *attr, 2680 const struct sw_flow_key *key, 2681 struct sw_flow_actions **sfa, 2682 __be16 eth_type, __be16 vlan_tci, 2683 u32 mpls_label_count, bool log, bool last, 2684 u32 depth) 2685 { 2686 int start, err; 2687 u32 exec; 2688 2689 if (nla_len(attr) && nla_len(attr) < NLA_HDRLEN) 2690 return -EINVAL; 2691 2692 start = add_nested_action_start(sfa, OVS_ACTION_ATTR_CLONE, log); 2693 if (start < 0) 2694 return start; 2695 2696 exec = last || !actions_may_change_flow(attr); 2697 2698 err = ovs_nla_add_action(sfa, OVS_CLONE_ATTR_EXEC, &exec, 2699 sizeof(exec), log); 2700 if (err) 2701 return err; 2702 2703 err = __ovs_nla_copy_actions(net, attr, key, sfa, 2704 eth_type, vlan_tci, mpls_label_count, log, 2705 depth + 1); 2706 if (err) 2707 return err; 2708 2709 add_nested_action_end(*sfa, start); 2710 2711 return 0; 2712 } 2713 2714 void ovs_match_init(struct sw_flow_match *match, 2715 struct sw_flow_key *key, 2716 bool reset_key, 2717 struct sw_flow_mask *mask) 2718 { 2719 memset(match, 0, sizeof(*match)); 2720 match->key = key; 2721 match->mask = mask; 2722 2723 if (reset_key) 2724 memset(key, 0, sizeof(*key)); 2725 2726 if (mask) { 2727 memset(&mask->key, 0, sizeof(mask->key)); 2728 mask->range.start = mask->range.end = 0; 2729 } 2730 } 2731 2732 static int validate_geneve_opts(struct sw_flow_key *key) 2733 { 2734 struct geneve_opt *option; 2735 int opts_len = key->tun_opts_len; 2736 bool crit_opt = false; 2737 2738 option = (struct geneve_opt *)TUN_METADATA_OPTS(key, key->tun_opts_len); 2739 while (opts_len > 0) { 2740 int len; 2741 2742 if (opts_len < sizeof(*option)) 2743 return -EINVAL; 2744 2745 len = sizeof(*option) + option->length * 4; 2746 if (len > opts_len) 2747 return -EINVAL; 2748 2749 crit_opt |= !!(option->type & GENEVE_CRIT_OPT_TYPE); 2750 2751 option = (struct geneve_opt *)((u8 *)option + len); 2752 opts_len -= len; 2753 } 2754 2755 key->tun_key.tun_flags |= crit_opt ? TUNNEL_CRIT_OPT : 0; 2756 2757 return 0; 2758 } 2759 2760 static int validate_and_copy_set_tun(const struct nlattr *attr, 2761 struct sw_flow_actions **sfa, bool log) 2762 { 2763 struct sw_flow_match match; 2764 struct sw_flow_key key; 2765 struct metadata_dst *tun_dst; 2766 struct ip_tunnel_info *tun_info; 2767 struct ovs_tunnel_info *ovs_tun; 2768 struct nlattr *a; 2769 int err = 0, start, opts_type; 2770 __be16 dst_opt_type; 2771 2772 dst_opt_type = 0; 2773 ovs_match_init(&match, &key, true, NULL); 2774 opts_type = ip_tun_from_nlattr(nla_data(attr), &match, false, log); 2775 if (opts_type < 0) 2776 return opts_type; 2777 2778 if (key.tun_opts_len) { 2779 switch (opts_type) { 2780 case OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS: 2781 err = validate_geneve_opts(&key); 2782 if (err < 0) 2783 return err; 2784 dst_opt_type = TUNNEL_GENEVE_OPT; 2785 break; 2786 case OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS: 2787 dst_opt_type = TUNNEL_VXLAN_OPT; 2788 break; 2789 case OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS: 2790 dst_opt_type = TUNNEL_ERSPAN_OPT; 2791 break; 2792 } 2793 } 2794 2795 start = add_nested_action_start(sfa, OVS_ACTION_ATTR_SET, log); 2796 if (start < 0) 2797 return start; 2798 2799 tun_dst = metadata_dst_alloc(key.tun_opts_len, METADATA_IP_TUNNEL, 2800 GFP_KERNEL); 2801 2802 if (!tun_dst) 2803 return -ENOMEM; 2804 2805 err = dst_cache_init(&tun_dst->u.tun_info.dst_cache, GFP_KERNEL); 2806 if (err) { 2807 dst_release((struct dst_entry *)tun_dst); 2808 return err; 2809 } 2810 2811 a = __add_action(sfa, OVS_KEY_ATTR_TUNNEL_INFO, NULL, 2812 sizeof(*ovs_tun), log); 2813 if (IS_ERR(a)) { 2814 dst_release((struct dst_entry *)tun_dst); 2815 return PTR_ERR(a); 2816 } 2817 2818 ovs_tun = nla_data(a); 2819 ovs_tun->tun_dst = tun_dst; 2820 2821 tun_info = &tun_dst->u.tun_info; 2822 tun_info->mode = IP_TUNNEL_INFO_TX; 2823 if (key.tun_proto == AF_INET6) 2824 tun_info->mode |= IP_TUNNEL_INFO_IPV6; 2825 else if (key.tun_proto == AF_INET && key.tun_key.u.ipv4.dst == 0) 2826 tun_info->mode |= IP_TUNNEL_INFO_BRIDGE; 2827 tun_info->key = key.tun_key; 2828 2829 /* We need to store the options in the action itself since 2830 * everything else will go away after flow setup. We can append 2831 * it to tun_info and then point there. 2832 */ 2833 ip_tunnel_info_opts_set(tun_info, 2834 TUN_METADATA_OPTS(&key, key.tun_opts_len), 2835 key.tun_opts_len, dst_opt_type); 2836 add_nested_action_end(*sfa, start); 2837 2838 return err; 2839 } 2840 2841 static bool validate_nsh(const struct nlattr *attr, bool is_mask, 2842 bool is_push_nsh, bool log) 2843 { 2844 struct sw_flow_match match; 2845 struct sw_flow_key key; 2846 int ret = 0; 2847 2848 ovs_match_init(&match, &key, true, NULL); 2849 ret = nsh_key_put_from_nlattr(attr, &match, is_mask, 2850 is_push_nsh, log); 2851 return !ret; 2852 } 2853 2854 /* Return false if there are any non-masked bits set. 2855 * Mask follows data immediately, before any netlink padding. 2856 */ 2857 static bool validate_masked(u8 *data, int len) 2858 { 2859 u8 *mask = data + len; 2860 2861 while (len--) 2862 if (*data++ & ~*mask++) 2863 return false; 2864 2865 return true; 2866 } 2867 2868 static int validate_set(const struct nlattr *a, 2869 const struct sw_flow_key *flow_key, 2870 struct sw_flow_actions **sfa, bool *skip_copy, 2871 u8 mac_proto, __be16 eth_type, bool masked, bool log) 2872 { 2873 const struct nlattr *ovs_key = nla_data(a); 2874 int key_type = nla_type(ovs_key); 2875 size_t key_len; 2876 2877 /* There can be only one key in a action */ 2878 if (nla_total_size(nla_len(ovs_key)) != nla_len(a)) 2879 return -EINVAL; 2880 2881 key_len = nla_len(ovs_key); 2882 if (masked) 2883 key_len /= 2; 2884 2885 if (key_type > OVS_KEY_ATTR_MAX || 2886 !check_attr_len(key_len, ovs_key_lens[key_type].len)) 2887 return -EINVAL; 2888 2889 if (masked && !validate_masked(nla_data(ovs_key), key_len)) 2890 return -EINVAL; 2891 2892 switch (key_type) { 2893 case OVS_KEY_ATTR_PRIORITY: 2894 case OVS_KEY_ATTR_SKB_MARK: 2895 case OVS_KEY_ATTR_CT_MARK: 2896 case OVS_KEY_ATTR_CT_LABELS: 2897 break; 2898 2899 case OVS_KEY_ATTR_ETHERNET: 2900 if (mac_proto != MAC_PROTO_ETHERNET) 2901 return -EINVAL; 2902 break; 2903 2904 case OVS_KEY_ATTR_TUNNEL: { 2905 int err; 2906 2907 if (masked) 2908 return -EINVAL; /* Masked tunnel set not supported. */ 2909 2910 *skip_copy = true; 2911 err = validate_and_copy_set_tun(a, sfa, log); 2912 if (err) 2913 return err; 2914 break; 2915 } 2916 case OVS_KEY_ATTR_IPV4: { 2917 const struct ovs_key_ipv4 *ipv4_key; 2918 2919 if (eth_type != htons(ETH_P_IP)) 2920 return -EINVAL; 2921 2922 ipv4_key = nla_data(ovs_key); 2923 2924 if (masked) { 2925 const struct ovs_key_ipv4 *mask = ipv4_key + 1; 2926 2927 /* Non-writeable fields. */ 2928 if (mask->ipv4_proto || mask->ipv4_frag) 2929 return -EINVAL; 2930 } else { 2931 if (ipv4_key->ipv4_proto != flow_key->ip.proto) 2932 return -EINVAL; 2933 2934 if (ipv4_key->ipv4_frag != flow_key->ip.frag) 2935 return -EINVAL; 2936 } 2937 break; 2938 } 2939 case OVS_KEY_ATTR_IPV6: { 2940 const struct ovs_key_ipv6 *ipv6_key; 2941 2942 if (eth_type != htons(ETH_P_IPV6)) 2943 return -EINVAL; 2944 2945 ipv6_key = nla_data(ovs_key); 2946 2947 if (masked) { 2948 const struct ovs_key_ipv6 *mask = ipv6_key + 1; 2949 2950 /* Non-writeable fields. */ 2951 if (mask->ipv6_proto || mask->ipv6_frag) 2952 return -EINVAL; 2953 2954 /* Invalid bits in the flow label mask? */ 2955 if (ntohl(mask->ipv6_label) & 0xFFF00000) 2956 return -EINVAL; 2957 } else { 2958 if (ipv6_key->ipv6_proto != flow_key->ip.proto) 2959 return -EINVAL; 2960 2961 if (ipv6_key->ipv6_frag != flow_key->ip.frag) 2962 return -EINVAL; 2963 } 2964 if (ntohl(ipv6_key->ipv6_label) & 0xFFF00000) 2965 return -EINVAL; 2966 2967 break; 2968 } 2969 case OVS_KEY_ATTR_TCP: 2970 if ((eth_type != htons(ETH_P_IP) && 2971 eth_type != htons(ETH_P_IPV6)) || 2972 flow_key->ip.proto != IPPROTO_TCP) 2973 return -EINVAL; 2974 2975 break; 2976 2977 case OVS_KEY_ATTR_UDP: 2978 if ((eth_type != htons(ETH_P_IP) && 2979 eth_type != htons(ETH_P_IPV6)) || 2980 flow_key->ip.proto != IPPROTO_UDP) 2981 return -EINVAL; 2982 2983 break; 2984 2985 case OVS_KEY_ATTR_MPLS: 2986 if (!eth_p_mpls(eth_type)) 2987 return -EINVAL; 2988 break; 2989 2990 case OVS_KEY_ATTR_SCTP: 2991 if ((eth_type != htons(ETH_P_IP) && 2992 eth_type != htons(ETH_P_IPV6)) || 2993 flow_key->ip.proto != IPPROTO_SCTP) 2994 return -EINVAL; 2995 2996 break; 2997 2998 case OVS_KEY_ATTR_NSH: 2999 if (eth_type != htons(ETH_P_NSH)) 3000 return -EINVAL; 3001 if (!validate_nsh(nla_data(a), masked, false, log)) 3002 return -EINVAL; 3003 break; 3004 3005 default: 3006 return -EINVAL; 3007 } 3008 3009 /* Convert non-masked non-tunnel set actions to masked set actions. */ 3010 if (!masked && key_type != OVS_KEY_ATTR_TUNNEL) { 3011 int start, len = key_len * 2; 3012 struct nlattr *at; 3013 3014 *skip_copy = true; 3015 3016 start = add_nested_action_start(sfa, 3017 OVS_ACTION_ATTR_SET_TO_MASKED, 3018 log); 3019 if (start < 0) 3020 return start; 3021 3022 at = __add_action(sfa, key_type, NULL, len, log); 3023 if (IS_ERR(at)) 3024 return PTR_ERR(at); 3025 3026 memcpy(nla_data(at), nla_data(ovs_key), key_len); /* Key. */ 3027 memset(nla_data(at) + key_len, 0xff, key_len); /* Mask. */ 3028 /* Clear non-writeable bits from otherwise writeable fields. */ 3029 if (key_type == OVS_KEY_ATTR_IPV6) { 3030 struct ovs_key_ipv6 *mask = nla_data(at) + key_len; 3031 3032 mask->ipv6_label &= htonl(0x000FFFFF); 3033 } 3034 add_nested_action_end(*sfa, start); 3035 } 3036 3037 return 0; 3038 } 3039 3040 static int validate_userspace(const struct nlattr *attr) 3041 { 3042 static const struct nla_policy userspace_policy[OVS_USERSPACE_ATTR_MAX + 1] = { 3043 [OVS_USERSPACE_ATTR_PID] = {.type = NLA_U32 }, 3044 [OVS_USERSPACE_ATTR_USERDATA] = {.type = NLA_UNSPEC }, 3045 [OVS_USERSPACE_ATTR_EGRESS_TUN_PORT] = {.type = NLA_U32 }, 3046 }; 3047 struct nlattr *a[OVS_USERSPACE_ATTR_MAX + 1]; 3048 int error; 3049 3050 error = nla_parse_nested_deprecated(a, OVS_USERSPACE_ATTR_MAX, attr, 3051 userspace_policy, NULL); 3052 if (error) 3053 return error; 3054 3055 if (!a[OVS_USERSPACE_ATTR_PID] || 3056 !nla_get_u32(a[OVS_USERSPACE_ATTR_PID])) 3057 return -EINVAL; 3058 3059 return 0; 3060 } 3061 3062 static const struct nla_policy cpl_policy[OVS_CHECK_PKT_LEN_ATTR_MAX + 1] = { 3063 [OVS_CHECK_PKT_LEN_ATTR_PKT_LEN] = {.type = NLA_U16 }, 3064 [OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER] = {.type = NLA_NESTED }, 3065 [OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL] = {.type = NLA_NESTED }, 3066 }; 3067 3068 static int validate_and_copy_check_pkt_len(struct net *net, 3069 const struct nlattr *attr, 3070 const struct sw_flow_key *key, 3071 struct sw_flow_actions **sfa, 3072 __be16 eth_type, __be16 vlan_tci, 3073 u32 mpls_label_count, 3074 bool log, bool last, u32 depth) 3075 { 3076 const struct nlattr *acts_if_greater, *acts_if_lesser_eq; 3077 struct nlattr *a[OVS_CHECK_PKT_LEN_ATTR_MAX + 1]; 3078 struct check_pkt_len_arg arg; 3079 int nested_acts_start; 3080 int start, err; 3081 3082 err = nla_parse_deprecated_strict(a, OVS_CHECK_PKT_LEN_ATTR_MAX, 3083 nla_data(attr), nla_len(attr), 3084 cpl_policy, NULL); 3085 if (err) 3086 return err; 3087 3088 if (!a[OVS_CHECK_PKT_LEN_ATTR_PKT_LEN] || 3089 !nla_get_u16(a[OVS_CHECK_PKT_LEN_ATTR_PKT_LEN])) 3090 return -EINVAL; 3091 3092 acts_if_lesser_eq = a[OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL]; 3093 acts_if_greater = a[OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER]; 3094 3095 /* Both the nested action should be present. */ 3096 if (!acts_if_greater || !acts_if_lesser_eq) 3097 return -EINVAL; 3098 3099 /* validation done, copy the nested actions. */ 3100 start = add_nested_action_start(sfa, OVS_ACTION_ATTR_CHECK_PKT_LEN, 3101 log); 3102 if (start < 0) 3103 return start; 3104 3105 arg.pkt_len = nla_get_u16(a[OVS_CHECK_PKT_LEN_ATTR_PKT_LEN]); 3106 arg.exec_for_lesser_equal = 3107 last || !actions_may_change_flow(acts_if_lesser_eq); 3108 arg.exec_for_greater = 3109 last || !actions_may_change_flow(acts_if_greater); 3110 3111 err = ovs_nla_add_action(sfa, OVS_CHECK_PKT_LEN_ATTR_ARG, &arg, 3112 sizeof(arg), log); 3113 if (err) 3114 return err; 3115 3116 nested_acts_start = add_nested_action_start(sfa, 3117 OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL, log); 3118 if (nested_acts_start < 0) 3119 return nested_acts_start; 3120 3121 err = __ovs_nla_copy_actions(net, acts_if_lesser_eq, key, sfa, 3122 eth_type, vlan_tci, mpls_label_count, log, 3123 depth + 1); 3124 3125 if (err) 3126 return err; 3127 3128 add_nested_action_end(*sfa, nested_acts_start); 3129 3130 nested_acts_start = add_nested_action_start(sfa, 3131 OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER, log); 3132 if (nested_acts_start < 0) 3133 return nested_acts_start; 3134 3135 err = __ovs_nla_copy_actions(net, acts_if_greater, key, sfa, 3136 eth_type, vlan_tci, mpls_label_count, log, 3137 depth + 1); 3138 3139 if (err) 3140 return err; 3141 3142 add_nested_action_end(*sfa, nested_acts_start); 3143 add_nested_action_end(*sfa, start); 3144 return 0; 3145 } 3146 3147 static int copy_action(const struct nlattr *from, 3148 struct sw_flow_actions **sfa, bool log) 3149 { 3150 int totlen = NLA_ALIGN(from->nla_len); 3151 struct nlattr *to; 3152 3153 to = reserve_sfa_size(sfa, from->nla_len, log); 3154 if (IS_ERR(to)) 3155 return PTR_ERR(to); 3156 3157 memcpy(to, from, totlen); 3158 return 0; 3159 } 3160 3161 static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr, 3162 const struct sw_flow_key *key, 3163 struct sw_flow_actions **sfa, 3164 __be16 eth_type, __be16 vlan_tci, 3165 u32 mpls_label_count, bool log, 3166 u32 depth) 3167 { 3168 u8 mac_proto = ovs_key_mac_proto(key); 3169 const struct nlattr *a; 3170 int rem, err; 3171 3172 if (depth > OVS_COPY_ACTIONS_MAX_DEPTH) 3173 return -EOVERFLOW; 3174 3175 nla_for_each_nested(a, attr, rem) { 3176 /* Expected argument lengths, (u32)-1 for variable length. */ 3177 static const u32 action_lens[OVS_ACTION_ATTR_MAX + 1] = { 3178 [OVS_ACTION_ATTR_OUTPUT] = sizeof(u32), 3179 [OVS_ACTION_ATTR_RECIRC] = sizeof(u32), 3180 [OVS_ACTION_ATTR_USERSPACE] = (u32)-1, 3181 [OVS_ACTION_ATTR_PUSH_MPLS] = sizeof(struct ovs_action_push_mpls), 3182 [OVS_ACTION_ATTR_POP_MPLS] = sizeof(__be16), 3183 [OVS_ACTION_ATTR_PUSH_VLAN] = sizeof(struct ovs_action_push_vlan), 3184 [OVS_ACTION_ATTR_POP_VLAN] = 0, 3185 [OVS_ACTION_ATTR_SET] = (u32)-1, 3186 [OVS_ACTION_ATTR_SET_MASKED] = (u32)-1, 3187 [OVS_ACTION_ATTR_SAMPLE] = (u32)-1, 3188 [OVS_ACTION_ATTR_HASH] = sizeof(struct ovs_action_hash), 3189 [OVS_ACTION_ATTR_CT] = (u32)-1, 3190 [OVS_ACTION_ATTR_CT_CLEAR] = 0, 3191 [OVS_ACTION_ATTR_TRUNC] = sizeof(struct ovs_action_trunc), 3192 [OVS_ACTION_ATTR_PUSH_ETH] = sizeof(struct ovs_action_push_eth), 3193 [OVS_ACTION_ATTR_POP_ETH] = 0, 3194 [OVS_ACTION_ATTR_PUSH_NSH] = (u32)-1, 3195 [OVS_ACTION_ATTR_POP_NSH] = 0, 3196 [OVS_ACTION_ATTR_METER] = sizeof(u32), 3197 [OVS_ACTION_ATTR_CLONE] = (u32)-1, 3198 [OVS_ACTION_ATTR_CHECK_PKT_LEN] = (u32)-1, 3199 [OVS_ACTION_ATTR_ADD_MPLS] = sizeof(struct ovs_action_add_mpls), 3200 [OVS_ACTION_ATTR_DEC_TTL] = (u32)-1, 3201 [OVS_ACTION_ATTR_DROP] = sizeof(u32), 3202 }; 3203 const struct ovs_action_push_vlan *vlan; 3204 int type = nla_type(a); 3205 bool skip_copy; 3206 3207 if (type > OVS_ACTION_ATTR_MAX || 3208 (action_lens[type] != nla_len(a) && 3209 action_lens[type] != (u32)-1)) 3210 return -EINVAL; 3211 3212 skip_copy = false; 3213 switch (type) { 3214 case OVS_ACTION_ATTR_UNSPEC: 3215 return -EINVAL; 3216 3217 case OVS_ACTION_ATTR_USERSPACE: 3218 err = validate_userspace(a); 3219 if (err) 3220 return err; 3221 break; 3222 3223 case OVS_ACTION_ATTR_OUTPUT: 3224 if (nla_get_u32(a) >= DP_MAX_PORTS) 3225 return -EINVAL; 3226 break; 3227 3228 case OVS_ACTION_ATTR_TRUNC: { 3229 const struct ovs_action_trunc *trunc = nla_data(a); 3230 3231 if (trunc->max_len < ETH_HLEN) 3232 return -EINVAL; 3233 break; 3234 } 3235 3236 case OVS_ACTION_ATTR_HASH: { 3237 const struct ovs_action_hash *act_hash = nla_data(a); 3238 3239 switch (act_hash->hash_alg) { 3240 case OVS_HASH_ALG_L4: 3241 fallthrough; 3242 case OVS_HASH_ALG_SYM_L4: 3243 break; 3244 default: 3245 return -EINVAL; 3246 } 3247 3248 break; 3249 } 3250 3251 case OVS_ACTION_ATTR_POP_VLAN: 3252 if (mac_proto != MAC_PROTO_ETHERNET) 3253 return -EINVAL; 3254 vlan_tci = htons(0); 3255 break; 3256 3257 case OVS_ACTION_ATTR_PUSH_VLAN: 3258 if (mac_proto != MAC_PROTO_ETHERNET) 3259 return -EINVAL; 3260 vlan = nla_data(a); 3261 if (!eth_type_vlan(vlan->vlan_tpid)) 3262 return -EINVAL; 3263 if (!(vlan->vlan_tci & htons(VLAN_CFI_MASK))) 3264 return -EINVAL; 3265 vlan_tci = vlan->vlan_tci; 3266 break; 3267 3268 case OVS_ACTION_ATTR_RECIRC: 3269 break; 3270 3271 case OVS_ACTION_ATTR_ADD_MPLS: { 3272 const struct ovs_action_add_mpls *mpls = nla_data(a); 3273 3274 if (!eth_p_mpls(mpls->mpls_ethertype)) 3275 return -EINVAL; 3276 3277 if (mpls->tun_flags & OVS_MPLS_L3_TUNNEL_FLAG_MASK) { 3278 if (vlan_tci & htons(VLAN_CFI_MASK) || 3279 (eth_type != htons(ETH_P_IP) && 3280 eth_type != htons(ETH_P_IPV6) && 3281 eth_type != htons(ETH_P_ARP) && 3282 eth_type != htons(ETH_P_RARP) && 3283 !eth_p_mpls(eth_type))) 3284 return -EINVAL; 3285 mpls_label_count++; 3286 } else { 3287 if (mac_proto == MAC_PROTO_ETHERNET) { 3288 mpls_label_count = 1; 3289 mac_proto = MAC_PROTO_NONE; 3290 } else { 3291 mpls_label_count++; 3292 } 3293 } 3294 eth_type = mpls->mpls_ethertype; 3295 break; 3296 } 3297 3298 case OVS_ACTION_ATTR_PUSH_MPLS: { 3299 const struct ovs_action_push_mpls *mpls = nla_data(a); 3300 3301 if (!eth_p_mpls(mpls->mpls_ethertype)) 3302 return -EINVAL; 3303 /* Prohibit push MPLS other than to a white list 3304 * for packets that have a known tag order. 3305 */ 3306 if (vlan_tci & htons(VLAN_CFI_MASK) || 3307 (eth_type != htons(ETH_P_IP) && 3308 eth_type != htons(ETH_P_IPV6) && 3309 eth_type != htons(ETH_P_ARP) && 3310 eth_type != htons(ETH_P_RARP) && 3311 !eth_p_mpls(eth_type))) 3312 return -EINVAL; 3313 eth_type = mpls->mpls_ethertype; 3314 mpls_label_count++; 3315 break; 3316 } 3317 3318 case OVS_ACTION_ATTR_POP_MPLS: { 3319 __be16 proto; 3320 if (vlan_tci & htons(VLAN_CFI_MASK) || 3321 !eth_p_mpls(eth_type)) 3322 return -EINVAL; 3323 3324 /* Disallow subsequent L2.5+ set actions and mpls_pop 3325 * actions once the last MPLS label in the packet is 3326 * popped as there is no check here to ensure that 3327 * the new eth type is valid and thus set actions could 3328 * write off the end of the packet or otherwise corrupt 3329 * it. 3330 * 3331 * Support for these actions is planned using packet 3332 * recirculation. 3333 */ 3334 proto = nla_get_be16(a); 3335 3336 if (proto == htons(ETH_P_TEB) && 3337 mac_proto != MAC_PROTO_NONE) 3338 return -EINVAL; 3339 3340 mpls_label_count--; 3341 3342 if (!eth_p_mpls(proto) || !mpls_label_count) 3343 eth_type = htons(0); 3344 else 3345 eth_type = proto; 3346 3347 break; 3348 } 3349 3350 case OVS_ACTION_ATTR_SET: 3351 err = validate_set(a, key, sfa, 3352 &skip_copy, mac_proto, eth_type, 3353 false, log); 3354 if (err) 3355 return err; 3356 break; 3357 3358 case OVS_ACTION_ATTR_SET_MASKED: 3359 err = validate_set(a, key, sfa, 3360 &skip_copy, mac_proto, eth_type, 3361 true, log); 3362 if (err) 3363 return err; 3364 break; 3365 3366 case OVS_ACTION_ATTR_SAMPLE: { 3367 bool last = nla_is_last(a, rem); 3368 3369 err = validate_and_copy_sample(net, a, key, sfa, 3370 eth_type, vlan_tci, 3371 mpls_label_count, 3372 log, last, depth); 3373 if (err) 3374 return err; 3375 skip_copy = true; 3376 break; 3377 } 3378 3379 case OVS_ACTION_ATTR_CT: 3380 err = ovs_ct_copy_action(net, a, key, sfa, log); 3381 if (err) 3382 return err; 3383 skip_copy = true; 3384 break; 3385 3386 case OVS_ACTION_ATTR_CT_CLEAR: 3387 break; 3388 3389 case OVS_ACTION_ATTR_PUSH_ETH: 3390 /* Disallow pushing an Ethernet header if one 3391 * is already present */ 3392 if (mac_proto != MAC_PROTO_NONE) 3393 return -EINVAL; 3394 mac_proto = MAC_PROTO_ETHERNET; 3395 break; 3396 3397 case OVS_ACTION_ATTR_POP_ETH: 3398 if (mac_proto != MAC_PROTO_ETHERNET) 3399 return -EINVAL; 3400 if (vlan_tci & htons(VLAN_CFI_MASK)) 3401 return -EINVAL; 3402 mac_proto = MAC_PROTO_NONE; 3403 break; 3404 3405 case OVS_ACTION_ATTR_PUSH_NSH: 3406 if (mac_proto != MAC_PROTO_ETHERNET) { 3407 u8 next_proto; 3408 3409 next_proto = tun_p_from_eth_p(eth_type); 3410 if (!next_proto) 3411 return -EINVAL; 3412 } 3413 mac_proto = MAC_PROTO_NONE; 3414 if (!validate_nsh(nla_data(a), false, true, true)) 3415 return -EINVAL; 3416 break; 3417 3418 case OVS_ACTION_ATTR_POP_NSH: { 3419 __be16 inner_proto; 3420 3421 if (eth_type != htons(ETH_P_NSH)) 3422 return -EINVAL; 3423 inner_proto = tun_p_to_eth_p(key->nsh.base.np); 3424 if (!inner_proto) 3425 return -EINVAL; 3426 if (key->nsh.base.np == TUN_P_ETHERNET) 3427 mac_proto = MAC_PROTO_ETHERNET; 3428 else 3429 mac_proto = MAC_PROTO_NONE; 3430 break; 3431 } 3432 3433 case OVS_ACTION_ATTR_METER: 3434 /* Non-existent meters are simply ignored. */ 3435 break; 3436 3437 case OVS_ACTION_ATTR_CLONE: { 3438 bool last = nla_is_last(a, rem); 3439 3440 err = validate_and_copy_clone(net, a, key, sfa, 3441 eth_type, vlan_tci, 3442 mpls_label_count, 3443 log, last, depth); 3444 if (err) 3445 return err; 3446 skip_copy = true; 3447 break; 3448 } 3449 3450 case OVS_ACTION_ATTR_CHECK_PKT_LEN: { 3451 bool last = nla_is_last(a, rem); 3452 3453 err = validate_and_copy_check_pkt_len(net, a, key, sfa, 3454 eth_type, 3455 vlan_tci, 3456 mpls_label_count, 3457 log, last, 3458 depth); 3459 if (err) 3460 return err; 3461 skip_copy = true; 3462 break; 3463 } 3464 3465 case OVS_ACTION_ATTR_DEC_TTL: 3466 err = validate_and_copy_dec_ttl(net, a, key, sfa, 3467 eth_type, vlan_tci, 3468 mpls_label_count, log, 3469 depth); 3470 if (err) 3471 return err; 3472 skip_copy = true; 3473 break; 3474 3475 case OVS_ACTION_ATTR_DROP: 3476 if (!nla_is_last(a, rem)) 3477 return -EINVAL; 3478 break; 3479 3480 default: 3481 OVS_NLERR(log, "Unknown Action type %d", type); 3482 return -EINVAL; 3483 } 3484 if (!skip_copy) { 3485 err = copy_action(a, sfa, log); 3486 if (err) 3487 return err; 3488 } 3489 } 3490 3491 if (rem > 0) 3492 return -EINVAL; 3493 3494 return 0; 3495 } 3496 3497 /* 'key' must be the masked key. */ 3498 int ovs_nla_copy_actions(struct net *net, const struct nlattr *attr, 3499 const struct sw_flow_key *key, 3500 struct sw_flow_actions **sfa, bool log) 3501 { 3502 int err; 3503 u32 mpls_label_count = 0; 3504 3505 *sfa = nla_alloc_flow_actions(min(nla_len(attr), MAX_ACTIONS_BUFSIZE)); 3506 if (IS_ERR(*sfa)) 3507 return PTR_ERR(*sfa); 3508 3509 if (eth_p_mpls(key->eth.type)) 3510 mpls_label_count = hweight_long(key->mpls.num_labels_mask); 3511 3512 (*sfa)->orig_len = nla_len(attr); 3513 err = __ovs_nla_copy_actions(net, attr, key, sfa, key->eth.type, 3514 key->eth.vlan.tci, mpls_label_count, log, 3515 0); 3516 if (err) 3517 ovs_nla_free_flow_actions(*sfa); 3518 3519 return err; 3520 } 3521 3522 static int sample_action_to_attr(const struct nlattr *attr, 3523 struct sk_buff *skb) 3524 { 3525 struct nlattr *start, *ac_start = NULL, *sample_arg; 3526 int err = 0, rem = nla_len(attr); 3527 const struct sample_arg *arg; 3528 struct nlattr *actions; 3529 3530 start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_SAMPLE); 3531 if (!start) 3532 return -EMSGSIZE; 3533 3534 sample_arg = nla_data(attr); 3535 arg = nla_data(sample_arg); 3536 actions = nla_next(sample_arg, &rem); 3537 3538 if (nla_put_u32(skb, OVS_SAMPLE_ATTR_PROBABILITY, arg->probability)) { 3539 err = -EMSGSIZE; 3540 goto out; 3541 } 3542 3543 ac_start = nla_nest_start_noflag(skb, OVS_SAMPLE_ATTR_ACTIONS); 3544 if (!ac_start) { 3545 err = -EMSGSIZE; 3546 goto out; 3547 } 3548 3549 err = ovs_nla_put_actions(actions, rem, skb); 3550 3551 out: 3552 if (err) { 3553 nla_nest_cancel(skb, ac_start); 3554 nla_nest_cancel(skb, start); 3555 } else { 3556 nla_nest_end(skb, ac_start); 3557 nla_nest_end(skb, start); 3558 } 3559 3560 return err; 3561 } 3562 3563 static int clone_action_to_attr(const struct nlattr *attr, 3564 struct sk_buff *skb) 3565 { 3566 struct nlattr *start; 3567 int err = 0, rem = nla_len(attr); 3568 3569 start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_CLONE); 3570 if (!start) 3571 return -EMSGSIZE; 3572 3573 /* Skipping the OVS_CLONE_ATTR_EXEC that is always the first attribute. */ 3574 attr = nla_next(nla_data(attr), &rem); 3575 err = ovs_nla_put_actions(attr, rem, skb); 3576 3577 if (err) 3578 nla_nest_cancel(skb, start); 3579 else 3580 nla_nest_end(skb, start); 3581 3582 return err; 3583 } 3584 3585 static int check_pkt_len_action_to_attr(const struct nlattr *attr, 3586 struct sk_buff *skb) 3587 { 3588 struct nlattr *start, *ac_start = NULL; 3589 const struct check_pkt_len_arg *arg; 3590 const struct nlattr *a, *cpl_arg; 3591 int err = 0, rem = nla_len(attr); 3592 3593 start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_CHECK_PKT_LEN); 3594 if (!start) 3595 return -EMSGSIZE; 3596 3597 /* The first nested attribute in 'attr' is always 3598 * 'OVS_CHECK_PKT_LEN_ATTR_ARG'. 3599 */ 3600 cpl_arg = nla_data(attr); 3601 arg = nla_data(cpl_arg); 3602 3603 if (nla_put_u16(skb, OVS_CHECK_PKT_LEN_ATTR_PKT_LEN, arg->pkt_len)) { 3604 err = -EMSGSIZE; 3605 goto out; 3606 } 3607 3608 /* Second nested attribute in 'attr' is always 3609 * 'OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL'. 3610 */ 3611 a = nla_next(cpl_arg, &rem); 3612 ac_start = nla_nest_start_noflag(skb, 3613 OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL); 3614 if (!ac_start) { 3615 err = -EMSGSIZE; 3616 goto out; 3617 } 3618 3619 err = ovs_nla_put_actions(nla_data(a), nla_len(a), skb); 3620 if (err) { 3621 nla_nest_cancel(skb, ac_start); 3622 goto out; 3623 } else { 3624 nla_nest_end(skb, ac_start); 3625 } 3626 3627 /* Third nested attribute in 'attr' is always 3628 * OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER. 3629 */ 3630 a = nla_next(a, &rem); 3631 ac_start = nla_nest_start_noflag(skb, 3632 OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER); 3633 if (!ac_start) { 3634 err = -EMSGSIZE; 3635 goto out; 3636 } 3637 3638 err = ovs_nla_put_actions(nla_data(a), nla_len(a), skb); 3639 if (err) { 3640 nla_nest_cancel(skb, ac_start); 3641 goto out; 3642 } else { 3643 nla_nest_end(skb, ac_start); 3644 } 3645 3646 nla_nest_end(skb, start); 3647 return 0; 3648 3649 out: 3650 nla_nest_cancel(skb, start); 3651 return err; 3652 } 3653 3654 static int dec_ttl_action_to_attr(const struct nlattr *attr, 3655 struct sk_buff *skb) 3656 { 3657 struct nlattr *start, *action_start; 3658 const struct nlattr *a; 3659 int err = 0, rem; 3660 3661 start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_DEC_TTL); 3662 if (!start) 3663 return -EMSGSIZE; 3664 3665 nla_for_each_attr(a, nla_data(attr), nla_len(attr), rem) { 3666 switch (nla_type(a)) { 3667 case OVS_DEC_TTL_ATTR_ACTION: 3668 3669 action_start = nla_nest_start_noflag(skb, OVS_DEC_TTL_ATTR_ACTION); 3670 if (!action_start) { 3671 err = -EMSGSIZE; 3672 goto out; 3673 } 3674 3675 err = ovs_nla_put_actions(nla_data(a), nla_len(a), skb); 3676 if (err) 3677 goto out; 3678 3679 nla_nest_end(skb, action_start); 3680 break; 3681 3682 default: 3683 /* Ignore all other option to be future compatible */ 3684 break; 3685 } 3686 } 3687 3688 nla_nest_end(skb, start); 3689 return 0; 3690 3691 out: 3692 nla_nest_cancel(skb, start); 3693 return err; 3694 } 3695 3696 static int set_action_to_attr(const struct nlattr *a, struct sk_buff *skb) 3697 { 3698 const struct nlattr *ovs_key = nla_data(a); 3699 int key_type = nla_type(ovs_key); 3700 struct nlattr *start; 3701 int err; 3702 3703 switch (key_type) { 3704 case OVS_KEY_ATTR_TUNNEL_INFO: { 3705 struct ovs_tunnel_info *ovs_tun = nla_data(ovs_key); 3706 struct ip_tunnel_info *tun_info = &ovs_tun->tun_dst->u.tun_info; 3707 3708 start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_SET); 3709 if (!start) 3710 return -EMSGSIZE; 3711 3712 err = ip_tun_to_nlattr(skb, &tun_info->key, 3713 ip_tunnel_info_opts(tun_info), 3714 tun_info->options_len, 3715 ip_tunnel_info_af(tun_info), tun_info->mode); 3716 if (err) 3717 return err; 3718 nla_nest_end(skb, start); 3719 break; 3720 } 3721 default: 3722 if (nla_put(skb, OVS_ACTION_ATTR_SET, nla_len(a), ovs_key)) 3723 return -EMSGSIZE; 3724 break; 3725 } 3726 3727 return 0; 3728 } 3729 3730 static int masked_set_action_to_set_action_attr(const struct nlattr *a, 3731 struct sk_buff *skb) 3732 { 3733 const struct nlattr *ovs_key = nla_data(a); 3734 struct nlattr *nla; 3735 size_t key_len = nla_len(ovs_key) / 2; 3736 3737 /* Revert the conversion we did from a non-masked set action to 3738 * masked set action. 3739 */ 3740 nla = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_SET); 3741 if (!nla) 3742 return -EMSGSIZE; 3743 3744 if (nla_put(skb, nla_type(ovs_key), key_len, nla_data(ovs_key))) 3745 return -EMSGSIZE; 3746 3747 nla_nest_end(skb, nla); 3748 return 0; 3749 } 3750 3751 int ovs_nla_put_actions(const struct nlattr *attr, int len, struct sk_buff *skb) 3752 { 3753 const struct nlattr *a; 3754 int rem, err; 3755 3756 nla_for_each_attr(a, attr, len, rem) { 3757 int type = nla_type(a); 3758 3759 switch (type) { 3760 case OVS_ACTION_ATTR_SET: 3761 err = set_action_to_attr(a, skb); 3762 if (err) 3763 return err; 3764 break; 3765 3766 case OVS_ACTION_ATTR_SET_TO_MASKED: 3767 err = masked_set_action_to_set_action_attr(a, skb); 3768 if (err) 3769 return err; 3770 break; 3771 3772 case OVS_ACTION_ATTR_SAMPLE: 3773 err = sample_action_to_attr(a, skb); 3774 if (err) 3775 return err; 3776 break; 3777 3778 case OVS_ACTION_ATTR_CT: 3779 err = ovs_ct_action_to_attr(nla_data(a), skb); 3780 if (err) 3781 return err; 3782 break; 3783 3784 case OVS_ACTION_ATTR_CLONE: 3785 err = clone_action_to_attr(a, skb); 3786 if (err) 3787 return err; 3788 break; 3789 3790 case OVS_ACTION_ATTR_CHECK_PKT_LEN: 3791 err = check_pkt_len_action_to_attr(a, skb); 3792 if (err) 3793 return err; 3794 break; 3795 3796 case OVS_ACTION_ATTR_DEC_TTL: 3797 err = dec_ttl_action_to_attr(a, skb); 3798 if (err) 3799 return err; 3800 break; 3801 3802 default: 3803 if (nla_put(skb, type, nla_len(a), nla_data(a))) 3804 return -EMSGSIZE; 3805 break; 3806 } 3807 } 3808 3809 return 0; 3810 } 3811