1 /* 2 * Copyright (c) 2007-2017 Nicira, Inc. 3 * 4 * This program is free software; you can redistribute it and/or 5 * modify it under the terms of version 2 of the GNU General Public 6 * License as published by the Free Software Foundation. 7 * 8 * This program is distributed in the hope that it will be useful, but 9 * WITHOUT ANY WARRANTY; without even the implied warranty of 10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 11 * General Public License for more details. 12 * 13 * You should have received a copy of the GNU General Public License 14 * along with this program; if not, write to the Free Software 15 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 16 * 02110-1301, USA 17 */ 18 19 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 20 21 #include "flow.h" 22 #include "datapath.h" 23 #include <linux/uaccess.h> 24 #include <linux/netdevice.h> 25 #include <linux/etherdevice.h> 26 #include <linux/if_ether.h> 27 #include <linux/if_vlan.h> 28 #include <net/llc_pdu.h> 29 #include <linux/kernel.h> 30 #include <linux/jhash.h> 31 #include <linux/jiffies.h> 32 #include <linux/llc.h> 33 #include <linux/module.h> 34 #include <linux/in.h> 35 #include <linux/rcupdate.h> 36 #include <linux/if_arp.h> 37 #include <linux/ip.h> 38 #include <linux/ipv6.h> 39 #include <linux/sctp.h> 40 #include <linux/tcp.h> 41 #include <linux/udp.h> 42 #include <linux/icmp.h> 43 #include <linux/icmpv6.h> 44 #include <linux/rculist.h> 45 #include <net/geneve.h> 46 #include <net/ip.h> 47 #include <net/ipv6.h> 48 #include <net/ndisc.h> 49 #include <net/mpls.h> 50 #include <net/vxlan.h> 51 #include <net/tun_proto.h> 52 53 #include "flow_netlink.h" 54 55 struct ovs_len_tbl { 56 int len; 57 const struct ovs_len_tbl *next; 58 }; 59 60 #define OVS_ATTR_NESTED -1 61 #define OVS_ATTR_VARIABLE -2 62 63 static bool actions_may_change_flow(const struct nlattr *actions) 64 { 65 struct nlattr *nla; 66 int rem; 67 68 nla_for_each_nested(nla, actions, rem) { 69 u16 action = nla_type(nla); 70 71 switch (action) { 72 case OVS_ACTION_ATTR_OUTPUT: 73 case OVS_ACTION_ATTR_RECIRC: 74 case OVS_ACTION_ATTR_TRUNC: 75 case OVS_ACTION_ATTR_USERSPACE: 76 break; 77 78 case OVS_ACTION_ATTR_CT: 79 case OVS_ACTION_ATTR_CT_CLEAR: 80 case OVS_ACTION_ATTR_HASH: 81 case OVS_ACTION_ATTR_POP_ETH: 82 case OVS_ACTION_ATTR_POP_MPLS: 83 case OVS_ACTION_ATTR_POP_NSH: 84 case OVS_ACTION_ATTR_POP_VLAN: 85 case OVS_ACTION_ATTR_PUSH_ETH: 86 case OVS_ACTION_ATTR_PUSH_MPLS: 87 case OVS_ACTION_ATTR_PUSH_NSH: 88 case OVS_ACTION_ATTR_PUSH_VLAN: 89 case OVS_ACTION_ATTR_SAMPLE: 90 case OVS_ACTION_ATTR_SET: 91 case OVS_ACTION_ATTR_SET_MASKED: 92 case OVS_ACTION_ATTR_METER: 93 default: 94 return true; 95 } 96 } 97 return false; 98 } 99 100 static void update_range(struct sw_flow_match *match, 101 size_t offset, size_t size, bool is_mask) 102 { 103 struct sw_flow_key_range *range; 104 size_t start = rounddown(offset, sizeof(long)); 105 size_t end = roundup(offset + size, sizeof(long)); 106 107 if (!is_mask) 108 range = &match->range; 109 else 110 range = &match->mask->range; 111 112 if (range->start == range->end) { 113 range->start = start; 114 range->end = end; 115 return; 116 } 117 118 if (range->start > start) 119 range->start = start; 120 121 if (range->end < end) 122 range->end = end; 123 } 124 125 #define SW_FLOW_KEY_PUT(match, field, value, is_mask) \ 126 do { \ 127 update_range(match, offsetof(struct sw_flow_key, field), \ 128 sizeof((match)->key->field), is_mask); \ 129 if (is_mask) \ 130 (match)->mask->key.field = value; \ 131 else \ 132 (match)->key->field = value; \ 133 } while (0) 134 135 #define SW_FLOW_KEY_MEMCPY_OFFSET(match, offset, value_p, len, is_mask) \ 136 do { \ 137 update_range(match, offset, len, is_mask); \ 138 if (is_mask) \ 139 memcpy((u8 *)&(match)->mask->key + offset, value_p, \ 140 len); \ 141 else \ 142 memcpy((u8 *)(match)->key + offset, value_p, len); \ 143 } while (0) 144 145 #define SW_FLOW_KEY_MEMCPY(match, field, value_p, len, is_mask) \ 146 SW_FLOW_KEY_MEMCPY_OFFSET(match, offsetof(struct sw_flow_key, field), \ 147 value_p, len, is_mask) 148 149 #define SW_FLOW_KEY_MEMSET_FIELD(match, field, value, is_mask) \ 150 do { \ 151 update_range(match, offsetof(struct sw_flow_key, field), \ 152 sizeof((match)->key->field), is_mask); \ 153 if (is_mask) \ 154 memset((u8 *)&(match)->mask->key.field, value, \ 155 sizeof((match)->mask->key.field)); \ 156 else \ 157 memset((u8 *)&(match)->key->field, value, \ 158 sizeof((match)->key->field)); \ 159 } while (0) 160 161 static bool match_validate(const struct sw_flow_match *match, 162 u64 key_attrs, u64 mask_attrs, bool log) 163 { 164 u64 key_expected = 0; 165 u64 mask_allowed = key_attrs; /* At most allow all key attributes */ 166 167 /* The following mask attributes allowed only if they 168 * pass the validation tests. */ 169 mask_allowed &= ~((1 << OVS_KEY_ATTR_IPV4) 170 | (1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4) 171 | (1 << OVS_KEY_ATTR_IPV6) 172 | (1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6) 173 | (1 << OVS_KEY_ATTR_TCP) 174 | (1 << OVS_KEY_ATTR_TCP_FLAGS) 175 | (1 << OVS_KEY_ATTR_UDP) 176 | (1 << OVS_KEY_ATTR_SCTP) 177 | (1 << OVS_KEY_ATTR_ICMP) 178 | (1 << OVS_KEY_ATTR_ICMPV6) 179 | (1 << OVS_KEY_ATTR_ARP) 180 | (1 << OVS_KEY_ATTR_ND) 181 | (1 << OVS_KEY_ATTR_MPLS) 182 | (1 << OVS_KEY_ATTR_NSH)); 183 184 /* Always allowed mask fields. */ 185 mask_allowed |= ((1 << OVS_KEY_ATTR_TUNNEL) 186 | (1 << OVS_KEY_ATTR_IN_PORT) 187 | (1 << OVS_KEY_ATTR_ETHERTYPE)); 188 189 /* Check key attributes. */ 190 if (match->key->eth.type == htons(ETH_P_ARP) 191 || match->key->eth.type == htons(ETH_P_RARP)) { 192 key_expected |= 1 << OVS_KEY_ATTR_ARP; 193 if (match->mask && (match->mask->key.eth.type == htons(0xffff))) 194 mask_allowed |= 1 << OVS_KEY_ATTR_ARP; 195 } 196 197 if (eth_p_mpls(match->key->eth.type)) { 198 key_expected |= 1 << OVS_KEY_ATTR_MPLS; 199 if (match->mask && (match->mask->key.eth.type == htons(0xffff))) 200 mask_allowed |= 1 << OVS_KEY_ATTR_MPLS; 201 } 202 203 if (match->key->eth.type == htons(ETH_P_IP)) { 204 key_expected |= 1 << OVS_KEY_ATTR_IPV4; 205 if (match->mask && match->mask->key.eth.type == htons(0xffff)) { 206 mask_allowed |= 1 << OVS_KEY_ATTR_IPV4; 207 mask_allowed |= 1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4; 208 } 209 210 if (match->key->ip.frag != OVS_FRAG_TYPE_LATER) { 211 if (match->key->ip.proto == IPPROTO_UDP) { 212 key_expected |= 1 << OVS_KEY_ATTR_UDP; 213 if (match->mask && (match->mask->key.ip.proto == 0xff)) 214 mask_allowed |= 1 << OVS_KEY_ATTR_UDP; 215 } 216 217 if (match->key->ip.proto == IPPROTO_SCTP) { 218 key_expected |= 1 << OVS_KEY_ATTR_SCTP; 219 if (match->mask && (match->mask->key.ip.proto == 0xff)) 220 mask_allowed |= 1 << OVS_KEY_ATTR_SCTP; 221 } 222 223 if (match->key->ip.proto == IPPROTO_TCP) { 224 key_expected |= 1 << OVS_KEY_ATTR_TCP; 225 key_expected |= 1 << OVS_KEY_ATTR_TCP_FLAGS; 226 if (match->mask && (match->mask->key.ip.proto == 0xff)) { 227 mask_allowed |= 1 << OVS_KEY_ATTR_TCP; 228 mask_allowed |= 1 << OVS_KEY_ATTR_TCP_FLAGS; 229 } 230 } 231 232 if (match->key->ip.proto == IPPROTO_ICMP) { 233 key_expected |= 1 << OVS_KEY_ATTR_ICMP; 234 if (match->mask && (match->mask->key.ip.proto == 0xff)) 235 mask_allowed |= 1 << OVS_KEY_ATTR_ICMP; 236 } 237 } 238 } 239 240 if (match->key->eth.type == htons(ETH_P_IPV6)) { 241 key_expected |= 1 << OVS_KEY_ATTR_IPV6; 242 if (match->mask && match->mask->key.eth.type == htons(0xffff)) { 243 mask_allowed |= 1 << OVS_KEY_ATTR_IPV6; 244 mask_allowed |= 1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6; 245 } 246 247 if (match->key->ip.frag != OVS_FRAG_TYPE_LATER) { 248 if (match->key->ip.proto == IPPROTO_UDP) { 249 key_expected |= 1 << OVS_KEY_ATTR_UDP; 250 if (match->mask && (match->mask->key.ip.proto == 0xff)) 251 mask_allowed |= 1 << OVS_KEY_ATTR_UDP; 252 } 253 254 if (match->key->ip.proto == IPPROTO_SCTP) { 255 key_expected |= 1 << OVS_KEY_ATTR_SCTP; 256 if (match->mask && (match->mask->key.ip.proto == 0xff)) 257 mask_allowed |= 1 << OVS_KEY_ATTR_SCTP; 258 } 259 260 if (match->key->ip.proto == IPPROTO_TCP) { 261 key_expected |= 1 << OVS_KEY_ATTR_TCP; 262 key_expected |= 1 << OVS_KEY_ATTR_TCP_FLAGS; 263 if (match->mask && (match->mask->key.ip.proto == 0xff)) { 264 mask_allowed |= 1 << OVS_KEY_ATTR_TCP; 265 mask_allowed |= 1 << OVS_KEY_ATTR_TCP_FLAGS; 266 } 267 } 268 269 if (match->key->ip.proto == IPPROTO_ICMPV6) { 270 key_expected |= 1 << OVS_KEY_ATTR_ICMPV6; 271 if (match->mask && (match->mask->key.ip.proto == 0xff)) 272 mask_allowed |= 1 << OVS_KEY_ATTR_ICMPV6; 273 274 if (match->key->tp.src == 275 htons(NDISC_NEIGHBOUR_SOLICITATION) || 276 match->key->tp.src == htons(NDISC_NEIGHBOUR_ADVERTISEMENT)) { 277 key_expected |= 1 << OVS_KEY_ATTR_ND; 278 /* Original direction conntrack tuple 279 * uses the same space as the ND fields 280 * in the key, so both are not allowed 281 * at the same time. 282 */ 283 mask_allowed &= ~(1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6); 284 if (match->mask && (match->mask->key.tp.src == htons(0xff))) 285 mask_allowed |= 1 << OVS_KEY_ATTR_ND; 286 } 287 } 288 } 289 } 290 291 if (match->key->eth.type == htons(ETH_P_NSH)) { 292 key_expected |= 1 << OVS_KEY_ATTR_NSH; 293 if (match->mask && 294 match->mask->key.eth.type == htons(0xffff)) { 295 mask_allowed |= 1 << OVS_KEY_ATTR_NSH; 296 } 297 } 298 299 if ((key_attrs & key_expected) != key_expected) { 300 /* Key attributes check failed. */ 301 OVS_NLERR(log, "Missing key (keys=%llx, expected=%llx)", 302 (unsigned long long)key_attrs, 303 (unsigned long long)key_expected); 304 return false; 305 } 306 307 if ((mask_attrs & mask_allowed) != mask_attrs) { 308 /* Mask attributes check failed. */ 309 OVS_NLERR(log, "Unexpected mask (mask=%llx, allowed=%llx)", 310 (unsigned long long)mask_attrs, 311 (unsigned long long)mask_allowed); 312 return false; 313 } 314 315 return true; 316 } 317 318 size_t ovs_tun_key_attr_size(void) 319 { 320 /* Whenever adding new OVS_TUNNEL_KEY_ FIELDS, we should consider 321 * updating this function. 322 */ 323 return nla_total_size_64bit(8) /* OVS_TUNNEL_KEY_ATTR_ID */ 324 + nla_total_size(16) /* OVS_TUNNEL_KEY_ATTR_IPV[46]_SRC */ 325 + nla_total_size(16) /* OVS_TUNNEL_KEY_ATTR_IPV[46]_DST */ 326 + nla_total_size(1) /* OVS_TUNNEL_KEY_ATTR_TOS */ 327 + nla_total_size(1) /* OVS_TUNNEL_KEY_ATTR_TTL */ 328 + nla_total_size(0) /* OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT */ 329 + nla_total_size(0) /* OVS_TUNNEL_KEY_ATTR_CSUM */ 330 + nla_total_size(0) /* OVS_TUNNEL_KEY_ATTR_OAM */ 331 + nla_total_size(256) /* OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS */ 332 /* OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS is mutually exclusive with 333 * OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS and covered by it. 334 */ 335 + nla_total_size(2) /* OVS_TUNNEL_KEY_ATTR_TP_SRC */ 336 + nla_total_size(2); /* OVS_TUNNEL_KEY_ATTR_TP_DST */ 337 } 338 339 static size_t ovs_nsh_key_attr_size(void) 340 { 341 /* Whenever adding new OVS_NSH_KEY_ FIELDS, we should consider 342 * updating this function. 343 */ 344 return nla_total_size(NSH_BASE_HDR_LEN) /* OVS_NSH_KEY_ATTR_BASE */ 345 /* OVS_NSH_KEY_ATTR_MD1 and OVS_NSH_KEY_ATTR_MD2 are 346 * mutually exclusive, so the bigger one can cover 347 * the small one. 348 */ 349 + nla_total_size(NSH_CTX_HDRS_MAX_LEN); 350 } 351 352 size_t ovs_key_attr_size(void) 353 { 354 /* Whenever adding new OVS_KEY_ FIELDS, we should consider 355 * updating this function. 356 */ 357 BUILD_BUG_ON(OVS_KEY_ATTR_TUNNEL_INFO != 29); 358 359 return nla_total_size(4) /* OVS_KEY_ATTR_PRIORITY */ 360 + nla_total_size(0) /* OVS_KEY_ATTR_TUNNEL */ 361 + ovs_tun_key_attr_size() 362 + nla_total_size(4) /* OVS_KEY_ATTR_IN_PORT */ 363 + nla_total_size(4) /* OVS_KEY_ATTR_SKB_MARK */ 364 + nla_total_size(4) /* OVS_KEY_ATTR_DP_HASH */ 365 + nla_total_size(4) /* OVS_KEY_ATTR_RECIRC_ID */ 366 + nla_total_size(4) /* OVS_KEY_ATTR_CT_STATE */ 367 + nla_total_size(2) /* OVS_KEY_ATTR_CT_ZONE */ 368 + nla_total_size(4) /* OVS_KEY_ATTR_CT_MARK */ 369 + nla_total_size(16) /* OVS_KEY_ATTR_CT_LABELS */ 370 + nla_total_size(40) /* OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6 */ 371 + nla_total_size(0) /* OVS_KEY_ATTR_NSH */ 372 + ovs_nsh_key_attr_size() 373 + nla_total_size(12) /* OVS_KEY_ATTR_ETHERNET */ 374 + nla_total_size(2) /* OVS_KEY_ATTR_ETHERTYPE */ 375 + nla_total_size(4) /* OVS_KEY_ATTR_VLAN */ 376 + nla_total_size(0) /* OVS_KEY_ATTR_ENCAP */ 377 + nla_total_size(2) /* OVS_KEY_ATTR_ETHERTYPE */ 378 + nla_total_size(40) /* OVS_KEY_ATTR_IPV6 */ 379 + nla_total_size(2) /* OVS_KEY_ATTR_ICMPV6 */ 380 + nla_total_size(28); /* OVS_KEY_ATTR_ND */ 381 } 382 383 static const struct ovs_len_tbl ovs_vxlan_ext_key_lens[OVS_VXLAN_EXT_MAX + 1] = { 384 [OVS_VXLAN_EXT_GBP] = { .len = sizeof(u32) }, 385 }; 386 387 static const struct ovs_len_tbl ovs_tunnel_key_lens[OVS_TUNNEL_KEY_ATTR_MAX + 1] = { 388 [OVS_TUNNEL_KEY_ATTR_ID] = { .len = sizeof(u64) }, 389 [OVS_TUNNEL_KEY_ATTR_IPV4_SRC] = { .len = sizeof(u32) }, 390 [OVS_TUNNEL_KEY_ATTR_IPV4_DST] = { .len = sizeof(u32) }, 391 [OVS_TUNNEL_KEY_ATTR_TOS] = { .len = 1 }, 392 [OVS_TUNNEL_KEY_ATTR_TTL] = { .len = 1 }, 393 [OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT] = { .len = 0 }, 394 [OVS_TUNNEL_KEY_ATTR_CSUM] = { .len = 0 }, 395 [OVS_TUNNEL_KEY_ATTR_TP_SRC] = { .len = sizeof(u16) }, 396 [OVS_TUNNEL_KEY_ATTR_TP_DST] = { .len = sizeof(u16) }, 397 [OVS_TUNNEL_KEY_ATTR_OAM] = { .len = 0 }, 398 [OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS] = { .len = OVS_ATTR_VARIABLE }, 399 [OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS] = { .len = OVS_ATTR_NESTED, 400 .next = ovs_vxlan_ext_key_lens }, 401 [OVS_TUNNEL_KEY_ATTR_IPV6_SRC] = { .len = sizeof(struct in6_addr) }, 402 [OVS_TUNNEL_KEY_ATTR_IPV6_DST] = { .len = sizeof(struct in6_addr) }, 403 }; 404 405 static const struct ovs_len_tbl 406 ovs_nsh_key_attr_lens[OVS_NSH_KEY_ATTR_MAX + 1] = { 407 [OVS_NSH_KEY_ATTR_BASE] = { .len = sizeof(struct ovs_nsh_key_base) }, 408 [OVS_NSH_KEY_ATTR_MD1] = { .len = sizeof(struct ovs_nsh_key_md1) }, 409 [OVS_NSH_KEY_ATTR_MD2] = { .len = OVS_ATTR_VARIABLE }, 410 }; 411 412 /* The size of the argument for each %OVS_KEY_ATTR_* Netlink attribute. */ 413 static const struct ovs_len_tbl ovs_key_lens[OVS_KEY_ATTR_MAX + 1] = { 414 [OVS_KEY_ATTR_ENCAP] = { .len = OVS_ATTR_NESTED }, 415 [OVS_KEY_ATTR_PRIORITY] = { .len = sizeof(u32) }, 416 [OVS_KEY_ATTR_IN_PORT] = { .len = sizeof(u32) }, 417 [OVS_KEY_ATTR_SKB_MARK] = { .len = sizeof(u32) }, 418 [OVS_KEY_ATTR_ETHERNET] = { .len = sizeof(struct ovs_key_ethernet) }, 419 [OVS_KEY_ATTR_VLAN] = { .len = sizeof(__be16) }, 420 [OVS_KEY_ATTR_ETHERTYPE] = { .len = sizeof(__be16) }, 421 [OVS_KEY_ATTR_IPV4] = { .len = sizeof(struct ovs_key_ipv4) }, 422 [OVS_KEY_ATTR_IPV6] = { .len = sizeof(struct ovs_key_ipv6) }, 423 [OVS_KEY_ATTR_TCP] = { .len = sizeof(struct ovs_key_tcp) }, 424 [OVS_KEY_ATTR_TCP_FLAGS] = { .len = sizeof(__be16) }, 425 [OVS_KEY_ATTR_UDP] = { .len = sizeof(struct ovs_key_udp) }, 426 [OVS_KEY_ATTR_SCTP] = { .len = sizeof(struct ovs_key_sctp) }, 427 [OVS_KEY_ATTR_ICMP] = { .len = sizeof(struct ovs_key_icmp) }, 428 [OVS_KEY_ATTR_ICMPV6] = { .len = sizeof(struct ovs_key_icmpv6) }, 429 [OVS_KEY_ATTR_ARP] = { .len = sizeof(struct ovs_key_arp) }, 430 [OVS_KEY_ATTR_ND] = { .len = sizeof(struct ovs_key_nd) }, 431 [OVS_KEY_ATTR_RECIRC_ID] = { .len = sizeof(u32) }, 432 [OVS_KEY_ATTR_DP_HASH] = { .len = sizeof(u32) }, 433 [OVS_KEY_ATTR_TUNNEL] = { .len = OVS_ATTR_NESTED, 434 .next = ovs_tunnel_key_lens, }, 435 [OVS_KEY_ATTR_MPLS] = { .len = sizeof(struct ovs_key_mpls) }, 436 [OVS_KEY_ATTR_CT_STATE] = { .len = sizeof(u32) }, 437 [OVS_KEY_ATTR_CT_ZONE] = { .len = sizeof(u16) }, 438 [OVS_KEY_ATTR_CT_MARK] = { .len = sizeof(u32) }, 439 [OVS_KEY_ATTR_CT_LABELS] = { .len = sizeof(struct ovs_key_ct_labels) }, 440 [OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4] = { 441 .len = sizeof(struct ovs_key_ct_tuple_ipv4) }, 442 [OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6] = { 443 .len = sizeof(struct ovs_key_ct_tuple_ipv6) }, 444 [OVS_KEY_ATTR_NSH] = { .len = OVS_ATTR_NESTED, 445 .next = ovs_nsh_key_attr_lens, }, 446 }; 447 448 static bool check_attr_len(unsigned int attr_len, unsigned int expected_len) 449 { 450 return expected_len == attr_len || 451 expected_len == OVS_ATTR_NESTED || 452 expected_len == OVS_ATTR_VARIABLE; 453 } 454 455 static bool is_all_zero(const u8 *fp, size_t size) 456 { 457 int i; 458 459 if (!fp) 460 return false; 461 462 for (i = 0; i < size; i++) 463 if (fp[i]) 464 return false; 465 466 return true; 467 } 468 469 static int __parse_flow_nlattrs(const struct nlattr *attr, 470 const struct nlattr *a[], 471 u64 *attrsp, bool log, bool nz) 472 { 473 const struct nlattr *nla; 474 u64 attrs; 475 int rem; 476 477 attrs = *attrsp; 478 nla_for_each_nested(nla, attr, rem) { 479 u16 type = nla_type(nla); 480 int expected_len; 481 482 if (type > OVS_KEY_ATTR_MAX) { 483 OVS_NLERR(log, "Key type %d is out of range max %d", 484 type, OVS_KEY_ATTR_MAX); 485 return -EINVAL; 486 } 487 488 if (attrs & (1 << type)) { 489 OVS_NLERR(log, "Duplicate key (type %d).", type); 490 return -EINVAL; 491 } 492 493 expected_len = ovs_key_lens[type].len; 494 if (!check_attr_len(nla_len(nla), expected_len)) { 495 OVS_NLERR(log, "Key %d has unexpected len %d expected %d", 496 type, nla_len(nla), expected_len); 497 return -EINVAL; 498 } 499 500 if (!nz || !is_all_zero(nla_data(nla), expected_len)) { 501 attrs |= 1 << type; 502 a[type] = nla; 503 } 504 } 505 if (rem) { 506 OVS_NLERR(log, "Message has %d unknown bytes.", rem); 507 return -EINVAL; 508 } 509 510 *attrsp = attrs; 511 return 0; 512 } 513 514 static int parse_flow_mask_nlattrs(const struct nlattr *attr, 515 const struct nlattr *a[], u64 *attrsp, 516 bool log) 517 { 518 return __parse_flow_nlattrs(attr, a, attrsp, log, true); 519 } 520 521 int parse_flow_nlattrs(const struct nlattr *attr, const struct nlattr *a[], 522 u64 *attrsp, bool log) 523 { 524 return __parse_flow_nlattrs(attr, a, attrsp, log, false); 525 } 526 527 static int genev_tun_opt_from_nlattr(const struct nlattr *a, 528 struct sw_flow_match *match, bool is_mask, 529 bool log) 530 { 531 unsigned long opt_key_offset; 532 533 if (nla_len(a) > sizeof(match->key->tun_opts)) { 534 OVS_NLERR(log, "Geneve option length err (len %d, max %zu).", 535 nla_len(a), sizeof(match->key->tun_opts)); 536 return -EINVAL; 537 } 538 539 if (nla_len(a) % 4 != 0) { 540 OVS_NLERR(log, "Geneve opt len %d is not a multiple of 4.", 541 nla_len(a)); 542 return -EINVAL; 543 } 544 545 /* We need to record the length of the options passed 546 * down, otherwise packets with the same format but 547 * additional options will be silently matched. 548 */ 549 if (!is_mask) { 550 SW_FLOW_KEY_PUT(match, tun_opts_len, nla_len(a), 551 false); 552 } else { 553 /* This is somewhat unusual because it looks at 554 * both the key and mask while parsing the 555 * attributes (and by extension assumes the key 556 * is parsed first). Normally, we would verify 557 * that each is the correct length and that the 558 * attributes line up in the validate function. 559 * However, that is difficult because this is 560 * variable length and we won't have the 561 * information later. 562 */ 563 if (match->key->tun_opts_len != nla_len(a)) { 564 OVS_NLERR(log, "Geneve option len %d != mask len %d", 565 match->key->tun_opts_len, nla_len(a)); 566 return -EINVAL; 567 } 568 569 SW_FLOW_KEY_PUT(match, tun_opts_len, 0xff, true); 570 } 571 572 opt_key_offset = TUN_METADATA_OFFSET(nla_len(a)); 573 SW_FLOW_KEY_MEMCPY_OFFSET(match, opt_key_offset, nla_data(a), 574 nla_len(a), is_mask); 575 return 0; 576 } 577 578 static int vxlan_tun_opt_from_nlattr(const struct nlattr *attr, 579 struct sw_flow_match *match, bool is_mask, 580 bool log) 581 { 582 struct nlattr *a; 583 int rem; 584 unsigned long opt_key_offset; 585 struct vxlan_metadata opts; 586 587 BUILD_BUG_ON(sizeof(opts) > sizeof(match->key->tun_opts)); 588 589 memset(&opts, 0, sizeof(opts)); 590 nla_for_each_nested(a, attr, rem) { 591 int type = nla_type(a); 592 593 if (type > OVS_VXLAN_EXT_MAX) { 594 OVS_NLERR(log, "VXLAN extension %d out of range max %d", 595 type, OVS_VXLAN_EXT_MAX); 596 return -EINVAL; 597 } 598 599 if (!check_attr_len(nla_len(a), 600 ovs_vxlan_ext_key_lens[type].len)) { 601 OVS_NLERR(log, "VXLAN extension %d has unexpected len %d expected %d", 602 type, nla_len(a), 603 ovs_vxlan_ext_key_lens[type].len); 604 return -EINVAL; 605 } 606 607 switch (type) { 608 case OVS_VXLAN_EXT_GBP: 609 opts.gbp = nla_get_u32(a); 610 break; 611 default: 612 OVS_NLERR(log, "Unknown VXLAN extension attribute %d", 613 type); 614 return -EINVAL; 615 } 616 } 617 if (rem) { 618 OVS_NLERR(log, "VXLAN extension message has %d unknown bytes.", 619 rem); 620 return -EINVAL; 621 } 622 623 if (!is_mask) 624 SW_FLOW_KEY_PUT(match, tun_opts_len, sizeof(opts), false); 625 else 626 SW_FLOW_KEY_PUT(match, tun_opts_len, 0xff, true); 627 628 opt_key_offset = TUN_METADATA_OFFSET(sizeof(opts)); 629 SW_FLOW_KEY_MEMCPY_OFFSET(match, opt_key_offset, &opts, sizeof(opts), 630 is_mask); 631 return 0; 632 } 633 634 static int ip_tun_from_nlattr(const struct nlattr *attr, 635 struct sw_flow_match *match, bool is_mask, 636 bool log) 637 { 638 bool ttl = false, ipv4 = false, ipv6 = false; 639 __be16 tun_flags = 0; 640 int opts_type = 0; 641 struct nlattr *a; 642 int rem; 643 644 nla_for_each_nested(a, attr, rem) { 645 int type = nla_type(a); 646 int err; 647 648 if (type > OVS_TUNNEL_KEY_ATTR_MAX) { 649 OVS_NLERR(log, "Tunnel attr %d out of range max %d", 650 type, OVS_TUNNEL_KEY_ATTR_MAX); 651 return -EINVAL; 652 } 653 654 if (!check_attr_len(nla_len(a), 655 ovs_tunnel_key_lens[type].len)) { 656 OVS_NLERR(log, "Tunnel attr %d has unexpected len %d expected %d", 657 type, nla_len(a), ovs_tunnel_key_lens[type].len); 658 return -EINVAL; 659 } 660 661 switch (type) { 662 case OVS_TUNNEL_KEY_ATTR_ID: 663 SW_FLOW_KEY_PUT(match, tun_key.tun_id, 664 nla_get_be64(a), is_mask); 665 tun_flags |= TUNNEL_KEY; 666 break; 667 case OVS_TUNNEL_KEY_ATTR_IPV4_SRC: 668 SW_FLOW_KEY_PUT(match, tun_key.u.ipv4.src, 669 nla_get_in_addr(a), is_mask); 670 ipv4 = true; 671 break; 672 case OVS_TUNNEL_KEY_ATTR_IPV4_DST: 673 SW_FLOW_KEY_PUT(match, tun_key.u.ipv4.dst, 674 nla_get_in_addr(a), is_mask); 675 ipv4 = true; 676 break; 677 case OVS_TUNNEL_KEY_ATTR_IPV6_SRC: 678 SW_FLOW_KEY_PUT(match, tun_key.u.ipv6.src, 679 nla_get_in6_addr(a), is_mask); 680 ipv6 = true; 681 break; 682 case OVS_TUNNEL_KEY_ATTR_IPV6_DST: 683 SW_FLOW_KEY_PUT(match, tun_key.u.ipv6.dst, 684 nla_get_in6_addr(a), is_mask); 685 ipv6 = true; 686 break; 687 case OVS_TUNNEL_KEY_ATTR_TOS: 688 SW_FLOW_KEY_PUT(match, tun_key.tos, 689 nla_get_u8(a), is_mask); 690 break; 691 case OVS_TUNNEL_KEY_ATTR_TTL: 692 SW_FLOW_KEY_PUT(match, tun_key.ttl, 693 nla_get_u8(a), is_mask); 694 ttl = true; 695 break; 696 case OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT: 697 tun_flags |= TUNNEL_DONT_FRAGMENT; 698 break; 699 case OVS_TUNNEL_KEY_ATTR_CSUM: 700 tun_flags |= TUNNEL_CSUM; 701 break; 702 case OVS_TUNNEL_KEY_ATTR_TP_SRC: 703 SW_FLOW_KEY_PUT(match, tun_key.tp_src, 704 nla_get_be16(a), is_mask); 705 break; 706 case OVS_TUNNEL_KEY_ATTR_TP_DST: 707 SW_FLOW_KEY_PUT(match, tun_key.tp_dst, 708 nla_get_be16(a), is_mask); 709 break; 710 case OVS_TUNNEL_KEY_ATTR_OAM: 711 tun_flags |= TUNNEL_OAM; 712 break; 713 case OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS: 714 if (opts_type) { 715 OVS_NLERR(log, "Multiple metadata blocks provided"); 716 return -EINVAL; 717 } 718 719 err = genev_tun_opt_from_nlattr(a, match, is_mask, log); 720 if (err) 721 return err; 722 723 tun_flags |= TUNNEL_GENEVE_OPT; 724 opts_type = type; 725 break; 726 case OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS: 727 if (opts_type) { 728 OVS_NLERR(log, "Multiple metadata blocks provided"); 729 return -EINVAL; 730 } 731 732 err = vxlan_tun_opt_from_nlattr(a, match, is_mask, log); 733 if (err) 734 return err; 735 736 tun_flags |= TUNNEL_VXLAN_OPT; 737 opts_type = type; 738 break; 739 case OVS_TUNNEL_KEY_ATTR_PAD: 740 break; 741 default: 742 OVS_NLERR(log, "Unknown IP tunnel attribute %d", 743 type); 744 return -EINVAL; 745 } 746 } 747 748 SW_FLOW_KEY_PUT(match, tun_key.tun_flags, tun_flags, is_mask); 749 if (is_mask) 750 SW_FLOW_KEY_MEMSET_FIELD(match, tun_proto, 0xff, true); 751 else 752 SW_FLOW_KEY_PUT(match, tun_proto, ipv6 ? AF_INET6 : AF_INET, 753 false); 754 755 if (rem > 0) { 756 OVS_NLERR(log, "IP tunnel attribute has %d unknown bytes.", 757 rem); 758 return -EINVAL; 759 } 760 761 if (ipv4 && ipv6) { 762 OVS_NLERR(log, "Mixed IPv4 and IPv6 tunnel attributes"); 763 return -EINVAL; 764 } 765 766 if (!is_mask) { 767 if (!ipv4 && !ipv6) { 768 OVS_NLERR(log, "IP tunnel dst address not specified"); 769 return -EINVAL; 770 } 771 if (ipv4 && !match->key->tun_key.u.ipv4.dst) { 772 OVS_NLERR(log, "IPv4 tunnel dst address is zero"); 773 return -EINVAL; 774 } 775 if (ipv6 && ipv6_addr_any(&match->key->tun_key.u.ipv6.dst)) { 776 OVS_NLERR(log, "IPv6 tunnel dst address is zero"); 777 return -EINVAL; 778 } 779 780 if (!ttl) { 781 OVS_NLERR(log, "IP tunnel TTL not specified."); 782 return -EINVAL; 783 } 784 } 785 786 return opts_type; 787 } 788 789 static int vxlan_opt_to_nlattr(struct sk_buff *skb, 790 const void *tun_opts, int swkey_tun_opts_len) 791 { 792 const struct vxlan_metadata *opts = tun_opts; 793 struct nlattr *nla; 794 795 nla = nla_nest_start(skb, OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS); 796 if (!nla) 797 return -EMSGSIZE; 798 799 if (nla_put_u32(skb, OVS_VXLAN_EXT_GBP, opts->gbp) < 0) 800 return -EMSGSIZE; 801 802 nla_nest_end(skb, nla); 803 return 0; 804 } 805 806 static int __ip_tun_to_nlattr(struct sk_buff *skb, 807 const struct ip_tunnel_key *output, 808 const void *tun_opts, int swkey_tun_opts_len, 809 unsigned short tun_proto) 810 { 811 if (output->tun_flags & TUNNEL_KEY && 812 nla_put_be64(skb, OVS_TUNNEL_KEY_ATTR_ID, output->tun_id, 813 OVS_TUNNEL_KEY_ATTR_PAD)) 814 return -EMSGSIZE; 815 switch (tun_proto) { 816 case AF_INET: 817 if (output->u.ipv4.src && 818 nla_put_in_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV4_SRC, 819 output->u.ipv4.src)) 820 return -EMSGSIZE; 821 if (output->u.ipv4.dst && 822 nla_put_in_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV4_DST, 823 output->u.ipv4.dst)) 824 return -EMSGSIZE; 825 break; 826 case AF_INET6: 827 if (!ipv6_addr_any(&output->u.ipv6.src) && 828 nla_put_in6_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV6_SRC, 829 &output->u.ipv6.src)) 830 return -EMSGSIZE; 831 if (!ipv6_addr_any(&output->u.ipv6.dst) && 832 nla_put_in6_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV6_DST, 833 &output->u.ipv6.dst)) 834 return -EMSGSIZE; 835 break; 836 } 837 if (output->tos && 838 nla_put_u8(skb, OVS_TUNNEL_KEY_ATTR_TOS, output->tos)) 839 return -EMSGSIZE; 840 if (nla_put_u8(skb, OVS_TUNNEL_KEY_ATTR_TTL, output->ttl)) 841 return -EMSGSIZE; 842 if ((output->tun_flags & TUNNEL_DONT_FRAGMENT) && 843 nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT)) 844 return -EMSGSIZE; 845 if ((output->tun_flags & TUNNEL_CSUM) && 846 nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_CSUM)) 847 return -EMSGSIZE; 848 if (output->tp_src && 849 nla_put_be16(skb, OVS_TUNNEL_KEY_ATTR_TP_SRC, output->tp_src)) 850 return -EMSGSIZE; 851 if (output->tp_dst && 852 nla_put_be16(skb, OVS_TUNNEL_KEY_ATTR_TP_DST, output->tp_dst)) 853 return -EMSGSIZE; 854 if ((output->tun_flags & TUNNEL_OAM) && 855 nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_OAM)) 856 return -EMSGSIZE; 857 if (swkey_tun_opts_len) { 858 if (output->tun_flags & TUNNEL_GENEVE_OPT && 859 nla_put(skb, OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS, 860 swkey_tun_opts_len, tun_opts)) 861 return -EMSGSIZE; 862 else if (output->tun_flags & TUNNEL_VXLAN_OPT && 863 vxlan_opt_to_nlattr(skb, tun_opts, swkey_tun_opts_len)) 864 return -EMSGSIZE; 865 } 866 867 return 0; 868 } 869 870 static int ip_tun_to_nlattr(struct sk_buff *skb, 871 const struct ip_tunnel_key *output, 872 const void *tun_opts, int swkey_tun_opts_len, 873 unsigned short tun_proto) 874 { 875 struct nlattr *nla; 876 int err; 877 878 nla = nla_nest_start(skb, OVS_KEY_ATTR_TUNNEL); 879 if (!nla) 880 return -EMSGSIZE; 881 882 err = __ip_tun_to_nlattr(skb, output, tun_opts, swkey_tun_opts_len, 883 tun_proto); 884 if (err) 885 return err; 886 887 nla_nest_end(skb, nla); 888 return 0; 889 } 890 891 int ovs_nla_put_tunnel_info(struct sk_buff *skb, 892 struct ip_tunnel_info *tun_info) 893 { 894 return __ip_tun_to_nlattr(skb, &tun_info->key, 895 ip_tunnel_info_opts(tun_info), 896 tun_info->options_len, 897 ip_tunnel_info_af(tun_info)); 898 } 899 900 static int encode_vlan_from_nlattrs(struct sw_flow_match *match, 901 const struct nlattr *a[], 902 bool is_mask, bool inner) 903 { 904 __be16 tci = 0; 905 __be16 tpid = 0; 906 907 if (a[OVS_KEY_ATTR_VLAN]) 908 tci = nla_get_be16(a[OVS_KEY_ATTR_VLAN]); 909 910 if (a[OVS_KEY_ATTR_ETHERTYPE]) 911 tpid = nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE]); 912 913 if (likely(!inner)) { 914 SW_FLOW_KEY_PUT(match, eth.vlan.tpid, tpid, is_mask); 915 SW_FLOW_KEY_PUT(match, eth.vlan.tci, tci, is_mask); 916 } else { 917 SW_FLOW_KEY_PUT(match, eth.cvlan.tpid, tpid, is_mask); 918 SW_FLOW_KEY_PUT(match, eth.cvlan.tci, tci, is_mask); 919 } 920 return 0; 921 } 922 923 static int validate_vlan_from_nlattrs(const struct sw_flow_match *match, 924 u64 key_attrs, bool inner, 925 const struct nlattr **a, bool log) 926 { 927 __be16 tci = 0; 928 929 if (!((key_attrs & (1 << OVS_KEY_ATTR_ETHERNET)) && 930 (key_attrs & (1 << OVS_KEY_ATTR_ETHERTYPE)) && 931 eth_type_vlan(nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE])))) { 932 /* Not a VLAN. */ 933 return 0; 934 } 935 936 if (!((key_attrs & (1 << OVS_KEY_ATTR_VLAN)) && 937 (key_attrs & (1 << OVS_KEY_ATTR_ENCAP)))) { 938 OVS_NLERR(log, "Invalid %s frame", (inner) ? "C-VLAN" : "VLAN"); 939 return -EINVAL; 940 } 941 942 if (a[OVS_KEY_ATTR_VLAN]) 943 tci = nla_get_be16(a[OVS_KEY_ATTR_VLAN]); 944 945 if (!(tci & htons(VLAN_TAG_PRESENT))) { 946 if (tci) { 947 OVS_NLERR(log, "%s TCI does not have VLAN_TAG_PRESENT bit set.", 948 (inner) ? "C-VLAN" : "VLAN"); 949 return -EINVAL; 950 } else if (nla_len(a[OVS_KEY_ATTR_ENCAP])) { 951 /* Corner case for truncated VLAN header. */ 952 OVS_NLERR(log, "Truncated %s header has non-zero encap attribute.", 953 (inner) ? "C-VLAN" : "VLAN"); 954 return -EINVAL; 955 } 956 } 957 958 return 1; 959 } 960 961 static int validate_vlan_mask_from_nlattrs(const struct sw_flow_match *match, 962 u64 key_attrs, bool inner, 963 const struct nlattr **a, bool log) 964 { 965 __be16 tci = 0; 966 __be16 tpid = 0; 967 bool encap_valid = !!(match->key->eth.vlan.tci & 968 htons(VLAN_TAG_PRESENT)); 969 bool i_encap_valid = !!(match->key->eth.cvlan.tci & 970 htons(VLAN_TAG_PRESENT)); 971 972 if (!(key_attrs & (1 << OVS_KEY_ATTR_ENCAP))) { 973 /* Not a VLAN. */ 974 return 0; 975 } 976 977 if ((!inner && !encap_valid) || (inner && !i_encap_valid)) { 978 OVS_NLERR(log, "Encap mask attribute is set for non-%s frame.", 979 (inner) ? "C-VLAN" : "VLAN"); 980 return -EINVAL; 981 } 982 983 if (a[OVS_KEY_ATTR_VLAN]) 984 tci = nla_get_be16(a[OVS_KEY_ATTR_VLAN]); 985 986 if (a[OVS_KEY_ATTR_ETHERTYPE]) 987 tpid = nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE]); 988 989 if (tpid != htons(0xffff)) { 990 OVS_NLERR(log, "Must have an exact match on %s TPID (mask=%x).", 991 (inner) ? "C-VLAN" : "VLAN", ntohs(tpid)); 992 return -EINVAL; 993 } 994 if (!(tci & htons(VLAN_TAG_PRESENT))) { 995 OVS_NLERR(log, "%s TCI mask does not have exact match for VLAN_TAG_PRESENT bit.", 996 (inner) ? "C-VLAN" : "VLAN"); 997 return -EINVAL; 998 } 999 1000 return 1; 1001 } 1002 1003 static int __parse_vlan_from_nlattrs(struct sw_flow_match *match, 1004 u64 *key_attrs, bool inner, 1005 const struct nlattr **a, bool is_mask, 1006 bool log) 1007 { 1008 int err; 1009 const struct nlattr *encap; 1010 1011 if (!is_mask) 1012 err = validate_vlan_from_nlattrs(match, *key_attrs, inner, 1013 a, log); 1014 else 1015 err = validate_vlan_mask_from_nlattrs(match, *key_attrs, inner, 1016 a, log); 1017 if (err <= 0) 1018 return err; 1019 1020 err = encode_vlan_from_nlattrs(match, a, is_mask, inner); 1021 if (err) 1022 return err; 1023 1024 *key_attrs &= ~(1 << OVS_KEY_ATTR_ENCAP); 1025 *key_attrs &= ~(1 << OVS_KEY_ATTR_VLAN); 1026 *key_attrs &= ~(1 << OVS_KEY_ATTR_ETHERTYPE); 1027 1028 encap = a[OVS_KEY_ATTR_ENCAP]; 1029 1030 if (!is_mask) 1031 err = parse_flow_nlattrs(encap, a, key_attrs, log); 1032 else 1033 err = parse_flow_mask_nlattrs(encap, a, key_attrs, log); 1034 1035 return err; 1036 } 1037 1038 static int parse_vlan_from_nlattrs(struct sw_flow_match *match, 1039 u64 *key_attrs, const struct nlattr **a, 1040 bool is_mask, bool log) 1041 { 1042 int err; 1043 bool encap_valid = false; 1044 1045 err = __parse_vlan_from_nlattrs(match, key_attrs, false, a, 1046 is_mask, log); 1047 if (err) 1048 return err; 1049 1050 encap_valid = !!(match->key->eth.vlan.tci & htons(VLAN_TAG_PRESENT)); 1051 if (encap_valid) { 1052 err = __parse_vlan_from_nlattrs(match, key_attrs, true, a, 1053 is_mask, log); 1054 if (err) 1055 return err; 1056 } 1057 1058 return 0; 1059 } 1060 1061 static int parse_eth_type_from_nlattrs(struct sw_flow_match *match, 1062 u64 *attrs, const struct nlattr **a, 1063 bool is_mask, bool log) 1064 { 1065 __be16 eth_type; 1066 1067 eth_type = nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE]); 1068 if (is_mask) { 1069 /* Always exact match EtherType. */ 1070 eth_type = htons(0xffff); 1071 } else if (!eth_proto_is_802_3(eth_type)) { 1072 OVS_NLERR(log, "EtherType %x is less than min %x", 1073 ntohs(eth_type), ETH_P_802_3_MIN); 1074 return -EINVAL; 1075 } 1076 1077 SW_FLOW_KEY_PUT(match, eth.type, eth_type, is_mask); 1078 *attrs &= ~(1 << OVS_KEY_ATTR_ETHERTYPE); 1079 return 0; 1080 } 1081 1082 static int metadata_from_nlattrs(struct net *net, struct sw_flow_match *match, 1083 u64 *attrs, const struct nlattr **a, 1084 bool is_mask, bool log) 1085 { 1086 u8 mac_proto = MAC_PROTO_ETHERNET; 1087 1088 if (*attrs & (1 << OVS_KEY_ATTR_DP_HASH)) { 1089 u32 hash_val = nla_get_u32(a[OVS_KEY_ATTR_DP_HASH]); 1090 1091 SW_FLOW_KEY_PUT(match, ovs_flow_hash, hash_val, is_mask); 1092 *attrs &= ~(1 << OVS_KEY_ATTR_DP_HASH); 1093 } 1094 1095 if (*attrs & (1 << OVS_KEY_ATTR_RECIRC_ID)) { 1096 u32 recirc_id = nla_get_u32(a[OVS_KEY_ATTR_RECIRC_ID]); 1097 1098 SW_FLOW_KEY_PUT(match, recirc_id, recirc_id, is_mask); 1099 *attrs &= ~(1 << OVS_KEY_ATTR_RECIRC_ID); 1100 } 1101 1102 if (*attrs & (1 << OVS_KEY_ATTR_PRIORITY)) { 1103 SW_FLOW_KEY_PUT(match, phy.priority, 1104 nla_get_u32(a[OVS_KEY_ATTR_PRIORITY]), is_mask); 1105 *attrs &= ~(1 << OVS_KEY_ATTR_PRIORITY); 1106 } 1107 1108 if (*attrs & (1 << OVS_KEY_ATTR_IN_PORT)) { 1109 u32 in_port = nla_get_u32(a[OVS_KEY_ATTR_IN_PORT]); 1110 1111 if (is_mask) { 1112 in_port = 0xffffffff; /* Always exact match in_port. */ 1113 } else if (in_port >= DP_MAX_PORTS) { 1114 OVS_NLERR(log, "Port %d exceeds max allowable %d", 1115 in_port, DP_MAX_PORTS); 1116 return -EINVAL; 1117 } 1118 1119 SW_FLOW_KEY_PUT(match, phy.in_port, in_port, is_mask); 1120 *attrs &= ~(1 << OVS_KEY_ATTR_IN_PORT); 1121 } else if (!is_mask) { 1122 SW_FLOW_KEY_PUT(match, phy.in_port, DP_MAX_PORTS, is_mask); 1123 } 1124 1125 if (*attrs & (1 << OVS_KEY_ATTR_SKB_MARK)) { 1126 uint32_t mark = nla_get_u32(a[OVS_KEY_ATTR_SKB_MARK]); 1127 1128 SW_FLOW_KEY_PUT(match, phy.skb_mark, mark, is_mask); 1129 *attrs &= ~(1 << OVS_KEY_ATTR_SKB_MARK); 1130 } 1131 if (*attrs & (1 << OVS_KEY_ATTR_TUNNEL)) { 1132 if (ip_tun_from_nlattr(a[OVS_KEY_ATTR_TUNNEL], match, 1133 is_mask, log) < 0) 1134 return -EINVAL; 1135 *attrs &= ~(1 << OVS_KEY_ATTR_TUNNEL); 1136 } 1137 1138 if (*attrs & (1 << OVS_KEY_ATTR_CT_STATE) && 1139 ovs_ct_verify(net, OVS_KEY_ATTR_CT_STATE)) { 1140 u32 ct_state = nla_get_u32(a[OVS_KEY_ATTR_CT_STATE]); 1141 1142 if (ct_state & ~CT_SUPPORTED_MASK) { 1143 OVS_NLERR(log, "ct_state flags %08x unsupported", 1144 ct_state); 1145 return -EINVAL; 1146 } 1147 1148 SW_FLOW_KEY_PUT(match, ct_state, ct_state, is_mask); 1149 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_STATE); 1150 } 1151 if (*attrs & (1 << OVS_KEY_ATTR_CT_ZONE) && 1152 ovs_ct_verify(net, OVS_KEY_ATTR_CT_ZONE)) { 1153 u16 ct_zone = nla_get_u16(a[OVS_KEY_ATTR_CT_ZONE]); 1154 1155 SW_FLOW_KEY_PUT(match, ct_zone, ct_zone, is_mask); 1156 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_ZONE); 1157 } 1158 if (*attrs & (1 << OVS_KEY_ATTR_CT_MARK) && 1159 ovs_ct_verify(net, OVS_KEY_ATTR_CT_MARK)) { 1160 u32 mark = nla_get_u32(a[OVS_KEY_ATTR_CT_MARK]); 1161 1162 SW_FLOW_KEY_PUT(match, ct.mark, mark, is_mask); 1163 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_MARK); 1164 } 1165 if (*attrs & (1 << OVS_KEY_ATTR_CT_LABELS) && 1166 ovs_ct_verify(net, OVS_KEY_ATTR_CT_LABELS)) { 1167 const struct ovs_key_ct_labels *cl; 1168 1169 cl = nla_data(a[OVS_KEY_ATTR_CT_LABELS]); 1170 SW_FLOW_KEY_MEMCPY(match, ct.labels, cl->ct_labels, 1171 sizeof(*cl), is_mask); 1172 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_LABELS); 1173 } 1174 if (*attrs & (1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4)) { 1175 const struct ovs_key_ct_tuple_ipv4 *ct; 1176 1177 ct = nla_data(a[OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4]); 1178 1179 SW_FLOW_KEY_PUT(match, ipv4.ct_orig.src, ct->ipv4_src, is_mask); 1180 SW_FLOW_KEY_PUT(match, ipv4.ct_orig.dst, ct->ipv4_dst, is_mask); 1181 SW_FLOW_KEY_PUT(match, ct.orig_tp.src, ct->src_port, is_mask); 1182 SW_FLOW_KEY_PUT(match, ct.orig_tp.dst, ct->dst_port, is_mask); 1183 SW_FLOW_KEY_PUT(match, ct_orig_proto, ct->ipv4_proto, is_mask); 1184 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4); 1185 } 1186 if (*attrs & (1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6)) { 1187 const struct ovs_key_ct_tuple_ipv6 *ct; 1188 1189 ct = nla_data(a[OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6]); 1190 1191 SW_FLOW_KEY_MEMCPY(match, ipv6.ct_orig.src, &ct->ipv6_src, 1192 sizeof(match->key->ipv6.ct_orig.src), 1193 is_mask); 1194 SW_FLOW_KEY_MEMCPY(match, ipv6.ct_orig.dst, &ct->ipv6_dst, 1195 sizeof(match->key->ipv6.ct_orig.dst), 1196 is_mask); 1197 SW_FLOW_KEY_PUT(match, ct.orig_tp.src, ct->src_port, is_mask); 1198 SW_FLOW_KEY_PUT(match, ct.orig_tp.dst, ct->dst_port, is_mask); 1199 SW_FLOW_KEY_PUT(match, ct_orig_proto, ct->ipv6_proto, is_mask); 1200 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6); 1201 } 1202 1203 /* For layer 3 packets the Ethernet type is provided 1204 * and treated as metadata but no MAC addresses are provided. 1205 */ 1206 if (!(*attrs & (1ULL << OVS_KEY_ATTR_ETHERNET)) && 1207 (*attrs & (1ULL << OVS_KEY_ATTR_ETHERTYPE))) 1208 mac_proto = MAC_PROTO_NONE; 1209 1210 /* Always exact match mac_proto */ 1211 SW_FLOW_KEY_PUT(match, mac_proto, is_mask ? 0xff : mac_proto, is_mask); 1212 1213 if (mac_proto == MAC_PROTO_NONE) 1214 return parse_eth_type_from_nlattrs(match, attrs, a, is_mask, 1215 log); 1216 1217 return 0; 1218 } 1219 1220 int nsh_hdr_from_nlattr(const struct nlattr *attr, 1221 struct nshhdr *nh, size_t size) 1222 { 1223 struct nlattr *a; 1224 int rem; 1225 u8 flags = 0; 1226 u8 ttl = 0; 1227 int mdlen = 0; 1228 1229 /* validate_nsh has check this, so we needn't do duplicate check here 1230 */ 1231 if (size < NSH_BASE_HDR_LEN) 1232 return -ENOBUFS; 1233 1234 nla_for_each_nested(a, attr, rem) { 1235 int type = nla_type(a); 1236 1237 switch (type) { 1238 case OVS_NSH_KEY_ATTR_BASE: { 1239 const struct ovs_nsh_key_base *base = nla_data(a); 1240 1241 flags = base->flags; 1242 ttl = base->ttl; 1243 nh->np = base->np; 1244 nh->mdtype = base->mdtype; 1245 nh->path_hdr = base->path_hdr; 1246 break; 1247 } 1248 case OVS_NSH_KEY_ATTR_MD1: 1249 mdlen = nla_len(a); 1250 if (mdlen > size - NSH_BASE_HDR_LEN) 1251 return -ENOBUFS; 1252 memcpy(&nh->md1, nla_data(a), mdlen); 1253 break; 1254 1255 case OVS_NSH_KEY_ATTR_MD2: 1256 mdlen = nla_len(a); 1257 if (mdlen > size - NSH_BASE_HDR_LEN) 1258 return -ENOBUFS; 1259 memcpy(&nh->md2, nla_data(a), mdlen); 1260 break; 1261 1262 default: 1263 return -EINVAL; 1264 } 1265 } 1266 1267 /* nsh header length = NSH_BASE_HDR_LEN + mdlen */ 1268 nh->ver_flags_ttl_len = 0; 1269 nsh_set_flags_ttl_len(nh, flags, ttl, NSH_BASE_HDR_LEN + mdlen); 1270 1271 return 0; 1272 } 1273 1274 int nsh_key_from_nlattr(const struct nlattr *attr, 1275 struct ovs_key_nsh *nsh, struct ovs_key_nsh *nsh_mask) 1276 { 1277 struct nlattr *a; 1278 int rem; 1279 1280 /* validate_nsh has check this, so we needn't do duplicate check here 1281 */ 1282 nla_for_each_nested(a, attr, rem) { 1283 int type = nla_type(a); 1284 1285 switch (type) { 1286 case OVS_NSH_KEY_ATTR_BASE: { 1287 const struct ovs_nsh_key_base *base = nla_data(a); 1288 const struct ovs_nsh_key_base *base_mask = base + 1; 1289 1290 nsh->base = *base; 1291 nsh_mask->base = *base_mask; 1292 break; 1293 } 1294 case OVS_NSH_KEY_ATTR_MD1: { 1295 const struct ovs_nsh_key_md1 *md1 = nla_data(a); 1296 const struct ovs_nsh_key_md1 *md1_mask = md1 + 1; 1297 1298 memcpy(nsh->context, md1->context, sizeof(*md1)); 1299 memcpy(nsh_mask->context, md1_mask->context, 1300 sizeof(*md1_mask)); 1301 break; 1302 } 1303 case OVS_NSH_KEY_ATTR_MD2: 1304 /* Not supported yet */ 1305 return -ENOTSUPP; 1306 default: 1307 return -EINVAL; 1308 } 1309 } 1310 1311 return 0; 1312 } 1313 1314 static int nsh_key_put_from_nlattr(const struct nlattr *attr, 1315 struct sw_flow_match *match, bool is_mask, 1316 bool is_push_nsh, bool log) 1317 { 1318 struct nlattr *a; 1319 int rem; 1320 bool has_base = false; 1321 bool has_md1 = false; 1322 bool has_md2 = false; 1323 u8 mdtype = 0; 1324 int mdlen = 0; 1325 1326 if (WARN_ON(is_push_nsh && is_mask)) 1327 return -EINVAL; 1328 1329 nla_for_each_nested(a, attr, rem) { 1330 int type = nla_type(a); 1331 int i; 1332 1333 if (type > OVS_NSH_KEY_ATTR_MAX) { 1334 OVS_NLERR(log, "nsh attr %d is out of range max %d", 1335 type, OVS_NSH_KEY_ATTR_MAX); 1336 return -EINVAL; 1337 } 1338 1339 if (!check_attr_len(nla_len(a), 1340 ovs_nsh_key_attr_lens[type].len)) { 1341 OVS_NLERR( 1342 log, 1343 "nsh attr %d has unexpected len %d expected %d", 1344 type, 1345 nla_len(a), 1346 ovs_nsh_key_attr_lens[type].len 1347 ); 1348 return -EINVAL; 1349 } 1350 1351 switch (type) { 1352 case OVS_NSH_KEY_ATTR_BASE: { 1353 const struct ovs_nsh_key_base *base = nla_data(a); 1354 1355 has_base = true; 1356 mdtype = base->mdtype; 1357 SW_FLOW_KEY_PUT(match, nsh.base.flags, 1358 base->flags, is_mask); 1359 SW_FLOW_KEY_PUT(match, nsh.base.ttl, 1360 base->ttl, is_mask); 1361 SW_FLOW_KEY_PUT(match, nsh.base.mdtype, 1362 base->mdtype, is_mask); 1363 SW_FLOW_KEY_PUT(match, nsh.base.np, 1364 base->np, is_mask); 1365 SW_FLOW_KEY_PUT(match, nsh.base.path_hdr, 1366 base->path_hdr, is_mask); 1367 break; 1368 } 1369 case OVS_NSH_KEY_ATTR_MD1: { 1370 const struct ovs_nsh_key_md1 *md1 = nla_data(a); 1371 1372 has_md1 = true; 1373 for (i = 0; i < NSH_MD1_CONTEXT_SIZE; i++) 1374 SW_FLOW_KEY_PUT(match, nsh.context[i], 1375 md1->context[i], is_mask); 1376 break; 1377 } 1378 case OVS_NSH_KEY_ATTR_MD2: 1379 if (!is_push_nsh) /* Not supported MD type 2 yet */ 1380 return -ENOTSUPP; 1381 1382 has_md2 = true; 1383 mdlen = nla_len(a); 1384 if (mdlen > NSH_CTX_HDRS_MAX_LEN || mdlen <= 0) { 1385 OVS_NLERR( 1386 log, 1387 "Invalid MD length %d for MD type %d", 1388 mdlen, 1389 mdtype 1390 ); 1391 return -EINVAL; 1392 } 1393 break; 1394 default: 1395 OVS_NLERR(log, "Unknown nsh attribute %d", 1396 type); 1397 return -EINVAL; 1398 } 1399 } 1400 1401 if (rem > 0) { 1402 OVS_NLERR(log, "nsh attribute has %d unknown bytes.", rem); 1403 return -EINVAL; 1404 } 1405 1406 if (has_md1 && has_md2) { 1407 OVS_NLERR( 1408 1, 1409 "invalid nsh attribute: md1 and md2 are exclusive." 1410 ); 1411 return -EINVAL; 1412 } 1413 1414 if (!is_mask) { 1415 if ((has_md1 && mdtype != NSH_M_TYPE1) || 1416 (has_md2 && mdtype != NSH_M_TYPE2)) { 1417 OVS_NLERR(1, "nsh attribute has unmatched MD type %d.", 1418 mdtype); 1419 return -EINVAL; 1420 } 1421 1422 if (is_push_nsh && 1423 (!has_base || (!has_md1 && !has_md2))) { 1424 OVS_NLERR( 1425 1, 1426 "push_nsh: missing base or metadata attributes" 1427 ); 1428 return -EINVAL; 1429 } 1430 } 1431 1432 return 0; 1433 } 1434 1435 static int ovs_key_from_nlattrs(struct net *net, struct sw_flow_match *match, 1436 u64 attrs, const struct nlattr **a, 1437 bool is_mask, bool log) 1438 { 1439 int err; 1440 1441 err = metadata_from_nlattrs(net, match, &attrs, a, is_mask, log); 1442 if (err) 1443 return err; 1444 1445 if (attrs & (1 << OVS_KEY_ATTR_ETHERNET)) { 1446 const struct ovs_key_ethernet *eth_key; 1447 1448 eth_key = nla_data(a[OVS_KEY_ATTR_ETHERNET]); 1449 SW_FLOW_KEY_MEMCPY(match, eth.src, 1450 eth_key->eth_src, ETH_ALEN, is_mask); 1451 SW_FLOW_KEY_MEMCPY(match, eth.dst, 1452 eth_key->eth_dst, ETH_ALEN, is_mask); 1453 attrs &= ~(1 << OVS_KEY_ATTR_ETHERNET); 1454 1455 if (attrs & (1 << OVS_KEY_ATTR_VLAN)) { 1456 /* VLAN attribute is always parsed before getting here since it 1457 * may occur multiple times. 1458 */ 1459 OVS_NLERR(log, "VLAN attribute unexpected."); 1460 return -EINVAL; 1461 } 1462 1463 if (attrs & (1 << OVS_KEY_ATTR_ETHERTYPE)) { 1464 err = parse_eth_type_from_nlattrs(match, &attrs, a, is_mask, 1465 log); 1466 if (err) 1467 return err; 1468 } else if (!is_mask) { 1469 SW_FLOW_KEY_PUT(match, eth.type, htons(ETH_P_802_2), is_mask); 1470 } 1471 } else if (!match->key->eth.type) { 1472 OVS_NLERR(log, "Either Ethernet header or EtherType is required."); 1473 return -EINVAL; 1474 } 1475 1476 if (attrs & (1 << OVS_KEY_ATTR_IPV4)) { 1477 const struct ovs_key_ipv4 *ipv4_key; 1478 1479 ipv4_key = nla_data(a[OVS_KEY_ATTR_IPV4]); 1480 if (!is_mask && ipv4_key->ipv4_frag > OVS_FRAG_TYPE_MAX) { 1481 OVS_NLERR(log, "IPv4 frag type %d is out of range max %d", 1482 ipv4_key->ipv4_frag, OVS_FRAG_TYPE_MAX); 1483 return -EINVAL; 1484 } 1485 SW_FLOW_KEY_PUT(match, ip.proto, 1486 ipv4_key->ipv4_proto, is_mask); 1487 SW_FLOW_KEY_PUT(match, ip.tos, 1488 ipv4_key->ipv4_tos, is_mask); 1489 SW_FLOW_KEY_PUT(match, ip.ttl, 1490 ipv4_key->ipv4_ttl, is_mask); 1491 SW_FLOW_KEY_PUT(match, ip.frag, 1492 ipv4_key->ipv4_frag, is_mask); 1493 SW_FLOW_KEY_PUT(match, ipv4.addr.src, 1494 ipv4_key->ipv4_src, is_mask); 1495 SW_FLOW_KEY_PUT(match, ipv4.addr.dst, 1496 ipv4_key->ipv4_dst, is_mask); 1497 attrs &= ~(1 << OVS_KEY_ATTR_IPV4); 1498 } 1499 1500 if (attrs & (1 << OVS_KEY_ATTR_IPV6)) { 1501 const struct ovs_key_ipv6 *ipv6_key; 1502 1503 ipv6_key = nla_data(a[OVS_KEY_ATTR_IPV6]); 1504 if (!is_mask && ipv6_key->ipv6_frag > OVS_FRAG_TYPE_MAX) { 1505 OVS_NLERR(log, "IPv6 frag type %d is out of range max %d", 1506 ipv6_key->ipv6_frag, OVS_FRAG_TYPE_MAX); 1507 return -EINVAL; 1508 } 1509 1510 if (!is_mask && ipv6_key->ipv6_label & htonl(0xFFF00000)) { 1511 OVS_NLERR(log, "IPv6 flow label %x is out of range (max=%x)", 1512 ntohl(ipv6_key->ipv6_label), (1 << 20) - 1); 1513 return -EINVAL; 1514 } 1515 1516 SW_FLOW_KEY_PUT(match, ipv6.label, 1517 ipv6_key->ipv6_label, is_mask); 1518 SW_FLOW_KEY_PUT(match, ip.proto, 1519 ipv6_key->ipv6_proto, is_mask); 1520 SW_FLOW_KEY_PUT(match, ip.tos, 1521 ipv6_key->ipv6_tclass, is_mask); 1522 SW_FLOW_KEY_PUT(match, ip.ttl, 1523 ipv6_key->ipv6_hlimit, is_mask); 1524 SW_FLOW_KEY_PUT(match, ip.frag, 1525 ipv6_key->ipv6_frag, is_mask); 1526 SW_FLOW_KEY_MEMCPY(match, ipv6.addr.src, 1527 ipv6_key->ipv6_src, 1528 sizeof(match->key->ipv6.addr.src), 1529 is_mask); 1530 SW_FLOW_KEY_MEMCPY(match, ipv6.addr.dst, 1531 ipv6_key->ipv6_dst, 1532 sizeof(match->key->ipv6.addr.dst), 1533 is_mask); 1534 1535 attrs &= ~(1 << OVS_KEY_ATTR_IPV6); 1536 } 1537 1538 if (attrs & (1 << OVS_KEY_ATTR_ARP)) { 1539 const struct ovs_key_arp *arp_key; 1540 1541 arp_key = nla_data(a[OVS_KEY_ATTR_ARP]); 1542 if (!is_mask && (arp_key->arp_op & htons(0xff00))) { 1543 OVS_NLERR(log, "Unknown ARP opcode (opcode=%d).", 1544 arp_key->arp_op); 1545 return -EINVAL; 1546 } 1547 1548 SW_FLOW_KEY_PUT(match, ipv4.addr.src, 1549 arp_key->arp_sip, is_mask); 1550 SW_FLOW_KEY_PUT(match, ipv4.addr.dst, 1551 arp_key->arp_tip, is_mask); 1552 SW_FLOW_KEY_PUT(match, ip.proto, 1553 ntohs(arp_key->arp_op), is_mask); 1554 SW_FLOW_KEY_MEMCPY(match, ipv4.arp.sha, 1555 arp_key->arp_sha, ETH_ALEN, is_mask); 1556 SW_FLOW_KEY_MEMCPY(match, ipv4.arp.tha, 1557 arp_key->arp_tha, ETH_ALEN, is_mask); 1558 1559 attrs &= ~(1 << OVS_KEY_ATTR_ARP); 1560 } 1561 1562 if (attrs & (1 << OVS_KEY_ATTR_NSH)) { 1563 if (nsh_key_put_from_nlattr(a[OVS_KEY_ATTR_NSH], match, 1564 is_mask, false, log) < 0) 1565 return -EINVAL; 1566 attrs &= ~(1 << OVS_KEY_ATTR_NSH); 1567 } 1568 1569 if (attrs & (1 << OVS_KEY_ATTR_MPLS)) { 1570 const struct ovs_key_mpls *mpls_key; 1571 1572 mpls_key = nla_data(a[OVS_KEY_ATTR_MPLS]); 1573 SW_FLOW_KEY_PUT(match, mpls.top_lse, 1574 mpls_key->mpls_lse, is_mask); 1575 1576 attrs &= ~(1 << OVS_KEY_ATTR_MPLS); 1577 } 1578 1579 if (attrs & (1 << OVS_KEY_ATTR_TCP)) { 1580 const struct ovs_key_tcp *tcp_key; 1581 1582 tcp_key = nla_data(a[OVS_KEY_ATTR_TCP]); 1583 SW_FLOW_KEY_PUT(match, tp.src, tcp_key->tcp_src, is_mask); 1584 SW_FLOW_KEY_PUT(match, tp.dst, tcp_key->tcp_dst, is_mask); 1585 attrs &= ~(1 << OVS_KEY_ATTR_TCP); 1586 } 1587 1588 if (attrs & (1 << OVS_KEY_ATTR_TCP_FLAGS)) { 1589 SW_FLOW_KEY_PUT(match, tp.flags, 1590 nla_get_be16(a[OVS_KEY_ATTR_TCP_FLAGS]), 1591 is_mask); 1592 attrs &= ~(1 << OVS_KEY_ATTR_TCP_FLAGS); 1593 } 1594 1595 if (attrs & (1 << OVS_KEY_ATTR_UDP)) { 1596 const struct ovs_key_udp *udp_key; 1597 1598 udp_key = nla_data(a[OVS_KEY_ATTR_UDP]); 1599 SW_FLOW_KEY_PUT(match, tp.src, udp_key->udp_src, is_mask); 1600 SW_FLOW_KEY_PUT(match, tp.dst, udp_key->udp_dst, is_mask); 1601 attrs &= ~(1 << OVS_KEY_ATTR_UDP); 1602 } 1603 1604 if (attrs & (1 << OVS_KEY_ATTR_SCTP)) { 1605 const struct ovs_key_sctp *sctp_key; 1606 1607 sctp_key = nla_data(a[OVS_KEY_ATTR_SCTP]); 1608 SW_FLOW_KEY_PUT(match, tp.src, sctp_key->sctp_src, is_mask); 1609 SW_FLOW_KEY_PUT(match, tp.dst, sctp_key->sctp_dst, is_mask); 1610 attrs &= ~(1 << OVS_KEY_ATTR_SCTP); 1611 } 1612 1613 if (attrs & (1 << OVS_KEY_ATTR_ICMP)) { 1614 const struct ovs_key_icmp *icmp_key; 1615 1616 icmp_key = nla_data(a[OVS_KEY_ATTR_ICMP]); 1617 SW_FLOW_KEY_PUT(match, tp.src, 1618 htons(icmp_key->icmp_type), is_mask); 1619 SW_FLOW_KEY_PUT(match, tp.dst, 1620 htons(icmp_key->icmp_code), is_mask); 1621 attrs &= ~(1 << OVS_KEY_ATTR_ICMP); 1622 } 1623 1624 if (attrs & (1 << OVS_KEY_ATTR_ICMPV6)) { 1625 const struct ovs_key_icmpv6 *icmpv6_key; 1626 1627 icmpv6_key = nla_data(a[OVS_KEY_ATTR_ICMPV6]); 1628 SW_FLOW_KEY_PUT(match, tp.src, 1629 htons(icmpv6_key->icmpv6_type), is_mask); 1630 SW_FLOW_KEY_PUT(match, tp.dst, 1631 htons(icmpv6_key->icmpv6_code), is_mask); 1632 attrs &= ~(1 << OVS_KEY_ATTR_ICMPV6); 1633 } 1634 1635 if (attrs & (1 << OVS_KEY_ATTR_ND)) { 1636 const struct ovs_key_nd *nd_key; 1637 1638 nd_key = nla_data(a[OVS_KEY_ATTR_ND]); 1639 SW_FLOW_KEY_MEMCPY(match, ipv6.nd.target, 1640 nd_key->nd_target, 1641 sizeof(match->key->ipv6.nd.target), 1642 is_mask); 1643 SW_FLOW_KEY_MEMCPY(match, ipv6.nd.sll, 1644 nd_key->nd_sll, ETH_ALEN, is_mask); 1645 SW_FLOW_KEY_MEMCPY(match, ipv6.nd.tll, 1646 nd_key->nd_tll, ETH_ALEN, is_mask); 1647 attrs &= ~(1 << OVS_KEY_ATTR_ND); 1648 } 1649 1650 if (attrs != 0) { 1651 OVS_NLERR(log, "Unknown key attributes %llx", 1652 (unsigned long long)attrs); 1653 return -EINVAL; 1654 } 1655 1656 return 0; 1657 } 1658 1659 static void nlattr_set(struct nlattr *attr, u8 val, 1660 const struct ovs_len_tbl *tbl) 1661 { 1662 struct nlattr *nla; 1663 int rem; 1664 1665 /* The nlattr stream should already have been validated */ 1666 nla_for_each_nested(nla, attr, rem) { 1667 if (tbl[nla_type(nla)].len == OVS_ATTR_NESTED) { 1668 if (tbl[nla_type(nla)].next) 1669 tbl = tbl[nla_type(nla)].next; 1670 nlattr_set(nla, val, tbl); 1671 } else { 1672 memset(nla_data(nla), val, nla_len(nla)); 1673 } 1674 1675 if (nla_type(nla) == OVS_KEY_ATTR_CT_STATE) 1676 *(u32 *)nla_data(nla) &= CT_SUPPORTED_MASK; 1677 } 1678 } 1679 1680 static void mask_set_nlattr(struct nlattr *attr, u8 val) 1681 { 1682 nlattr_set(attr, val, ovs_key_lens); 1683 } 1684 1685 /** 1686 * ovs_nla_get_match - parses Netlink attributes into a flow key and 1687 * mask. In case the 'mask' is NULL, the flow is treated as exact match 1688 * flow. Otherwise, it is treated as a wildcarded flow, except the mask 1689 * does not include any don't care bit. 1690 * @net: Used to determine per-namespace field support. 1691 * @match: receives the extracted flow match information. 1692 * @key: Netlink attribute holding nested %OVS_KEY_ATTR_* Netlink attribute 1693 * sequence. The fields should of the packet that triggered the creation 1694 * of this flow. 1695 * @mask: Optional. Netlink attribute holding nested %OVS_KEY_ATTR_* Netlink 1696 * attribute specifies the mask field of the wildcarded flow. 1697 * @log: Boolean to allow kernel error logging. Normally true, but when 1698 * probing for feature compatibility this should be passed in as false to 1699 * suppress unnecessary error logging. 1700 */ 1701 int ovs_nla_get_match(struct net *net, struct sw_flow_match *match, 1702 const struct nlattr *nla_key, 1703 const struct nlattr *nla_mask, 1704 bool log) 1705 { 1706 const struct nlattr *a[OVS_KEY_ATTR_MAX + 1]; 1707 struct nlattr *newmask = NULL; 1708 u64 key_attrs = 0; 1709 u64 mask_attrs = 0; 1710 int err; 1711 1712 err = parse_flow_nlattrs(nla_key, a, &key_attrs, log); 1713 if (err) 1714 return err; 1715 1716 err = parse_vlan_from_nlattrs(match, &key_attrs, a, false, log); 1717 if (err) 1718 return err; 1719 1720 err = ovs_key_from_nlattrs(net, match, key_attrs, a, false, log); 1721 if (err) 1722 return err; 1723 1724 if (match->mask) { 1725 if (!nla_mask) { 1726 /* Create an exact match mask. We need to set to 0xff 1727 * all the 'match->mask' fields that have been touched 1728 * in 'match->key'. We cannot simply memset 1729 * 'match->mask', because padding bytes and fields not 1730 * specified in 'match->key' should be left to 0. 1731 * Instead, we use a stream of netlink attributes, 1732 * copied from 'key' and set to 0xff. 1733 * ovs_key_from_nlattrs() will take care of filling 1734 * 'match->mask' appropriately. 1735 */ 1736 newmask = kmemdup(nla_key, 1737 nla_total_size(nla_len(nla_key)), 1738 GFP_KERNEL); 1739 if (!newmask) 1740 return -ENOMEM; 1741 1742 mask_set_nlattr(newmask, 0xff); 1743 1744 /* The userspace does not send tunnel attributes that 1745 * are 0, but we should not wildcard them nonetheless. 1746 */ 1747 if (match->key->tun_proto) 1748 SW_FLOW_KEY_MEMSET_FIELD(match, tun_key, 1749 0xff, true); 1750 1751 nla_mask = newmask; 1752 } 1753 1754 err = parse_flow_mask_nlattrs(nla_mask, a, &mask_attrs, log); 1755 if (err) 1756 goto free_newmask; 1757 1758 /* Always match on tci. */ 1759 SW_FLOW_KEY_PUT(match, eth.vlan.tci, htons(0xffff), true); 1760 SW_FLOW_KEY_PUT(match, eth.cvlan.tci, htons(0xffff), true); 1761 1762 err = parse_vlan_from_nlattrs(match, &mask_attrs, a, true, log); 1763 if (err) 1764 goto free_newmask; 1765 1766 err = ovs_key_from_nlattrs(net, match, mask_attrs, a, true, 1767 log); 1768 if (err) 1769 goto free_newmask; 1770 } 1771 1772 if (!match_validate(match, key_attrs, mask_attrs, log)) 1773 err = -EINVAL; 1774 1775 free_newmask: 1776 kfree(newmask); 1777 return err; 1778 } 1779 1780 static size_t get_ufid_len(const struct nlattr *attr, bool log) 1781 { 1782 size_t len; 1783 1784 if (!attr) 1785 return 0; 1786 1787 len = nla_len(attr); 1788 if (len < 1 || len > MAX_UFID_LENGTH) { 1789 OVS_NLERR(log, "ufid size %u bytes exceeds the range (1, %d)", 1790 nla_len(attr), MAX_UFID_LENGTH); 1791 return 0; 1792 } 1793 1794 return len; 1795 } 1796 1797 /* Initializes 'flow->ufid', returning true if 'attr' contains a valid UFID, 1798 * or false otherwise. 1799 */ 1800 bool ovs_nla_get_ufid(struct sw_flow_id *sfid, const struct nlattr *attr, 1801 bool log) 1802 { 1803 sfid->ufid_len = get_ufid_len(attr, log); 1804 if (sfid->ufid_len) 1805 memcpy(sfid->ufid, nla_data(attr), sfid->ufid_len); 1806 1807 return sfid->ufid_len; 1808 } 1809 1810 int ovs_nla_get_identifier(struct sw_flow_id *sfid, const struct nlattr *ufid, 1811 const struct sw_flow_key *key, bool log) 1812 { 1813 struct sw_flow_key *new_key; 1814 1815 if (ovs_nla_get_ufid(sfid, ufid, log)) 1816 return 0; 1817 1818 /* If UFID was not provided, use unmasked key. */ 1819 new_key = kmalloc(sizeof(*new_key), GFP_KERNEL); 1820 if (!new_key) 1821 return -ENOMEM; 1822 memcpy(new_key, key, sizeof(*key)); 1823 sfid->unmasked_key = new_key; 1824 1825 return 0; 1826 } 1827 1828 u32 ovs_nla_get_ufid_flags(const struct nlattr *attr) 1829 { 1830 return attr ? nla_get_u32(attr) : 0; 1831 } 1832 1833 /** 1834 * ovs_nla_get_flow_metadata - parses Netlink attributes into a flow key. 1835 * @net: Network namespace. 1836 * @key: Receives extracted in_port, priority, tun_key, skb_mark and conntrack 1837 * metadata. 1838 * @a: Array of netlink attributes holding parsed %OVS_KEY_ATTR_* Netlink 1839 * attributes. 1840 * @attrs: Bit mask for the netlink attributes included in @a. 1841 * @log: Boolean to allow kernel error logging. Normally true, but when 1842 * probing for feature compatibility this should be passed in as false to 1843 * suppress unnecessary error logging. 1844 * 1845 * This parses a series of Netlink attributes that form a flow key, which must 1846 * take the same form accepted by flow_from_nlattrs(), but only enough of it to 1847 * get the metadata, that is, the parts of the flow key that cannot be 1848 * extracted from the packet itself. 1849 * 1850 * This must be called before the packet key fields are filled in 'key'. 1851 */ 1852 1853 int ovs_nla_get_flow_metadata(struct net *net, 1854 const struct nlattr *a[OVS_KEY_ATTR_MAX + 1], 1855 u64 attrs, struct sw_flow_key *key, bool log) 1856 { 1857 struct sw_flow_match match; 1858 1859 memset(&match, 0, sizeof(match)); 1860 match.key = key; 1861 1862 key->ct_state = 0; 1863 key->ct_zone = 0; 1864 key->ct_orig_proto = 0; 1865 memset(&key->ct, 0, sizeof(key->ct)); 1866 memset(&key->ipv4.ct_orig, 0, sizeof(key->ipv4.ct_orig)); 1867 memset(&key->ipv6.ct_orig, 0, sizeof(key->ipv6.ct_orig)); 1868 1869 key->phy.in_port = DP_MAX_PORTS; 1870 1871 return metadata_from_nlattrs(net, &match, &attrs, a, false, log); 1872 } 1873 1874 static int ovs_nla_put_vlan(struct sk_buff *skb, const struct vlan_head *vh, 1875 bool is_mask) 1876 { 1877 __be16 eth_type = !is_mask ? vh->tpid : htons(0xffff); 1878 1879 if (nla_put_be16(skb, OVS_KEY_ATTR_ETHERTYPE, eth_type) || 1880 nla_put_be16(skb, OVS_KEY_ATTR_VLAN, vh->tci)) 1881 return -EMSGSIZE; 1882 return 0; 1883 } 1884 1885 static int nsh_key_to_nlattr(const struct ovs_key_nsh *nsh, bool is_mask, 1886 struct sk_buff *skb) 1887 { 1888 struct nlattr *start; 1889 1890 start = nla_nest_start(skb, OVS_KEY_ATTR_NSH); 1891 if (!start) 1892 return -EMSGSIZE; 1893 1894 if (nla_put(skb, OVS_NSH_KEY_ATTR_BASE, sizeof(nsh->base), &nsh->base)) 1895 goto nla_put_failure; 1896 1897 if (is_mask || nsh->base.mdtype == NSH_M_TYPE1) { 1898 if (nla_put(skb, OVS_NSH_KEY_ATTR_MD1, 1899 sizeof(nsh->context), nsh->context)) 1900 goto nla_put_failure; 1901 } 1902 1903 /* Don't support MD type 2 yet */ 1904 1905 nla_nest_end(skb, start); 1906 1907 return 0; 1908 1909 nla_put_failure: 1910 return -EMSGSIZE; 1911 } 1912 1913 static int __ovs_nla_put_key(const struct sw_flow_key *swkey, 1914 const struct sw_flow_key *output, bool is_mask, 1915 struct sk_buff *skb) 1916 { 1917 struct ovs_key_ethernet *eth_key; 1918 struct nlattr *nla; 1919 struct nlattr *encap = NULL; 1920 struct nlattr *in_encap = NULL; 1921 1922 if (nla_put_u32(skb, OVS_KEY_ATTR_RECIRC_ID, output->recirc_id)) 1923 goto nla_put_failure; 1924 1925 if (nla_put_u32(skb, OVS_KEY_ATTR_DP_HASH, output->ovs_flow_hash)) 1926 goto nla_put_failure; 1927 1928 if (nla_put_u32(skb, OVS_KEY_ATTR_PRIORITY, output->phy.priority)) 1929 goto nla_put_failure; 1930 1931 if ((swkey->tun_proto || is_mask)) { 1932 const void *opts = NULL; 1933 1934 if (output->tun_key.tun_flags & TUNNEL_OPTIONS_PRESENT) 1935 opts = TUN_METADATA_OPTS(output, swkey->tun_opts_len); 1936 1937 if (ip_tun_to_nlattr(skb, &output->tun_key, opts, 1938 swkey->tun_opts_len, swkey->tun_proto)) 1939 goto nla_put_failure; 1940 } 1941 1942 if (swkey->phy.in_port == DP_MAX_PORTS) { 1943 if (is_mask && (output->phy.in_port == 0xffff)) 1944 if (nla_put_u32(skb, OVS_KEY_ATTR_IN_PORT, 0xffffffff)) 1945 goto nla_put_failure; 1946 } else { 1947 u16 upper_u16; 1948 upper_u16 = !is_mask ? 0 : 0xffff; 1949 1950 if (nla_put_u32(skb, OVS_KEY_ATTR_IN_PORT, 1951 (upper_u16 << 16) | output->phy.in_port)) 1952 goto nla_put_failure; 1953 } 1954 1955 if (nla_put_u32(skb, OVS_KEY_ATTR_SKB_MARK, output->phy.skb_mark)) 1956 goto nla_put_failure; 1957 1958 if (ovs_ct_put_key(swkey, output, skb)) 1959 goto nla_put_failure; 1960 1961 if (ovs_key_mac_proto(swkey) == MAC_PROTO_ETHERNET) { 1962 nla = nla_reserve(skb, OVS_KEY_ATTR_ETHERNET, sizeof(*eth_key)); 1963 if (!nla) 1964 goto nla_put_failure; 1965 1966 eth_key = nla_data(nla); 1967 ether_addr_copy(eth_key->eth_src, output->eth.src); 1968 ether_addr_copy(eth_key->eth_dst, output->eth.dst); 1969 1970 if (swkey->eth.vlan.tci || eth_type_vlan(swkey->eth.type)) { 1971 if (ovs_nla_put_vlan(skb, &output->eth.vlan, is_mask)) 1972 goto nla_put_failure; 1973 encap = nla_nest_start(skb, OVS_KEY_ATTR_ENCAP); 1974 if (!swkey->eth.vlan.tci) 1975 goto unencap; 1976 1977 if (swkey->eth.cvlan.tci || eth_type_vlan(swkey->eth.type)) { 1978 if (ovs_nla_put_vlan(skb, &output->eth.cvlan, is_mask)) 1979 goto nla_put_failure; 1980 in_encap = nla_nest_start(skb, OVS_KEY_ATTR_ENCAP); 1981 if (!swkey->eth.cvlan.tci) 1982 goto unencap; 1983 } 1984 } 1985 1986 if (swkey->eth.type == htons(ETH_P_802_2)) { 1987 /* 1988 * Ethertype 802.2 is represented in the netlink with omitted 1989 * OVS_KEY_ATTR_ETHERTYPE in the flow key attribute, and 1990 * 0xffff in the mask attribute. Ethertype can also 1991 * be wildcarded. 1992 */ 1993 if (is_mask && output->eth.type) 1994 if (nla_put_be16(skb, OVS_KEY_ATTR_ETHERTYPE, 1995 output->eth.type)) 1996 goto nla_put_failure; 1997 goto unencap; 1998 } 1999 } 2000 2001 if (nla_put_be16(skb, OVS_KEY_ATTR_ETHERTYPE, output->eth.type)) 2002 goto nla_put_failure; 2003 2004 if (eth_type_vlan(swkey->eth.type)) { 2005 /* There are 3 VLAN tags, we don't know anything about the rest 2006 * of the packet, so truncate here. 2007 */ 2008 WARN_ON_ONCE(!(encap && in_encap)); 2009 goto unencap; 2010 } 2011 2012 if (swkey->eth.type == htons(ETH_P_IP)) { 2013 struct ovs_key_ipv4 *ipv4_key; 2014 2015 nla = nla_reserve(skb, OVS_KEY_ATTR_IPV4, sizeof(*ipv4_key)); 2016 if (!nla) 2017 goto nla_put_failure; 2018 ipv4_key = nla_data(nla); 2019 ipv4_key->ipv4_src = output->ipv4.addr.src; 2020 ipv4_key->ipv4_dst = output->ipv4.addr.dst; 2021 ipv4_key->ipv4_proto = output->ip.proto; 2022 ipv4_key->ipv4_tos = output->ip.tos; 2023 ipv4_key->ipv4_ttl = output->ip.ttl; 2024 ipv4_key->ipv4_frag = output->ip.frag; 2025 } else if (swkey->eth.type == htons(ETH_P_IPV6)) { 2026 struct ovs_key_ipv6 *ipv6_key; 2027 2028 nla = nla_reserve(skb, OVS_KEY_ATTR_IPV6, sizeof(*ipv6_key)); 2029 if (!nla) 2030 goto nla_put_failure; 2031 ipv6_key = nla_data(nla); 2032 memcpy(ipv6_key->ipv6_src, &output->ipv6.addr.src, 2033 sizeof(ipv6_key->ipv6_src)); 2034 memcpy(ipv6_key->ipv6_dst, &output->ipv6.addr.dst, 2035 sizeof(ipv6_key->ipv6_dst)); 2036 ipv6_key->ipv6_label = output->ipv6.label; 2037 ipv6_key->ipv6_proto = output->ip.proto; 2038 ipv6_key->ipv6_tclass = output->ip.tos; 2039 ipv6_key->ipv6_hlimit = output->ip.ttl; 2040 ipv6_key->ipv6_frag = output->ip.frag; 2041 } else if (swkey->eth.type == htons(ETH_P_NSH)) { 2042 if (nsh_key_to_nlattr(&output->nsh, is_mask, skb)) 2043 goto nla_put_failure; 2044 } else if (swkey->eth.type == htons(ETH_P_ARP) || 2045 swkey->eth.type == htons(ETH_P_RARP)) { 2046 struct ovs_key_arp *arp_key; 2047 2048 nla = nla_reserve(skb, OVS_KEY_ATTR_ARP, sizeof(*arp_key)); 2049 if (!nla) 2050 goto nla_put_failure; 2051 arp_key = nla_data(nla); 2052 memset(arp_key, 0, sizeof(struct ovs_key_arp)); 2053 arp_key->arp_sip = output->ipv4.addr.src; 2054 arp_key->arp_tip = output->ipv4.addr.dst; 2055 arp_key->arp_op = htons(output->ip.proto); 2056 ether_addr_copy(arp_key->arp_sha, output->ipv4.arp.sha); 2057 ether_addr_copy(arp_key->arp_tha, output->ipv4.arp.tha); 2058 } else if (eth_p_mpls(swkey->eth.type)) { 2059 struct ovs_key_mpls *mpls_key; 2060 2061 nla = nla_reserve(skb, OVS_KEY_ATTR_MPLS, sizeof(*mpls_key)); 2062 if (!nla) 2063 goto nla_put_failure; 2064 mpls_key = nla_data(nla); 2065 mpls_key->mpls_lse = output->mpls.top_lse; 2066 } 2067 2068 if ((swkey->eth.type == htons(ETH_P_IP) || 2069 swkey->eth.type == htons(ETH_P_IPV6)) && 2070 swkey->ip.frag != OVS_FRAG_TYPE_LATER) { 2071 2072 if (swkey->ip.proto == IPPROTO_TCP) { 2073 struct ovs_key_tcp *tcp_key; 2074 2075 nla = nla_reserve(skb, OVS_KEY_ATTR_TCP, sizeof(*tcp_key)); 2076 if (!nla) 2077 goto nla_put_failure; 2078 tcp_key = nla_data(nla); 2079 tcp_key->tcp_src = output->tp.src; 2080 tcp_key->tcp_dst = output->tp.dst; 2081 if (nla_put_be16(skb, OVS_KEY_ATTR_TCP_FLAGS, 2082 output->tp.flags)) 2083 goto nla_put_failure; 2084 } else if (swkey->ip.proto == IPPROTO_UDP) { 2085 struct ovs_key_udp *udp_key; 2086 2087 nla = nla_reserve(skb, OVS_KEY_ATTR_UDP, sizeof(*udp_key)); 2088 if (!nla) 2089 goto nla_put_failure; 2090 udp_key = nla_data(nla); 2091 udp_key->udp_src = output->tp.src; 2092 udp_key->udp_dst = output->tp.dst; 2093 } else if (swkey->ip.proto == IPPROTO_SCTP) { 2094 struct ovs_key_sctp *sctp_key; 2095 2096 nla = nla_reserve(skb, OVS_KEY_ATTR_SCTP, sizeof(*sctp_key)); 2097 if (!nla) 2098 goto nla_put_failure; 2099 sctp_key = nla_data(nla); 2100 sctp_key->sctp_src = output->tp.src; 2101 sctp_key->sctp_dst = output->tp.dst; 2102 } else if (swkey->eth.type == htons(ETH_P_IP) && 2103 swkey->ip.proto == IPPROTO_ICMP) { 2104 struct ovs_key_icmp *icmp_key; 2105 2106 nla = nla_reserve(skb, OVS_KEY_ATTR_ICMP, sizeof(*icmp_key)); 2107 if (!nla) 2108 goto nla_put_failure; 2109 icmp_key = nla_data(nla); 2110 icmp_key->icmp_type = ntohs(output->tp.src); 2111 icmp_key->icmp_code = ntohs(output->tp.dst); 2112 } else if (swkey->eth.type == htons(ETH_P_IPV6) && 2113 swkey->ip.proto == IPPROTO_ICMPV6) { 2114 struct ovs_key_icmpv6 *icmpv6_key; 2115 2116 nla = nla_reserve(skb, OVS_KEY_ATTR_ICMPV6, 2117 sizeof(*icmpv6_key)); 2118 if (!nla) 2119 goto nla_put_failure; 2120 icmpv6_key = nla_data(nla); 2121 icmpv6_key->icmpv6_type = ntohs(output->tp.src); 2122 icmpv6_key->icmpv6_code = ntohs(output->tp.dst); 2123 2124 if (icmpv6_key->icmpv6_type == NDISC_NEIGHBOUR_SOLICITATION || 2125 icmpv6_key->icmpv6_type == NDISC_NEIGHBOUR_ADVERTISEMENT) { 2126 struct ovs_key_nd *nd_key; 2127 2128 nla = nla_reserve(skb, OVS_KEY_ATTR_ND, sizeof(*nd_key)); 2129 if (!nla) 2130 goto nla_put_failure; 2131 nd_key = nla_data(nla); 2132 memcpy(nd_key->nd_target, &output->ipv6.nd.target, 2133 sizeof(nd_key->nd_target)); 2134 ether_addr_copy(nd_key->nd_sll, output->ipv6.nd.sll); 2135 ether_addr_copy(nd_key->nd_tll, output->ipv6.nd.tll); 2136 } 2137 } 2138 } 2139 2140 unencap: 2141 if (in_encap) 2142 nla_nest_end(skb, in_encap); 2143 if (encap) 2144 nla_nest_end(skb, encap); 2145 2146 return 0; 2147 2148 nla_put_failure: 2149 return -EMSGSIZE; 2150 } 2151 2152 int ovs_nla_put_key(const struct sw_flow_key *swkey, 2153 const struct sw_flow_key *output, int attr, bool is_mask, 2154 struct sk_buff *skb) 2155 { 2156 int err; 2157 struct nlattr *nla; 2158 2159 nla = nla_nest_start(skb, attr); 2160 if (!nla) 2161 return -EMSGSIZE; 2162 err = __ovs_nla_put_key(swkey, output, is_mask, skb); 2163 if (err) 2164 return err; 2165 nla_nest_end(skb, nla); 2166 2167 return 0; 2168 } 2169 2170 /* Called with ovs_mutex or RCU read lock. */ 2171 int ovs_nla_put_identifier(const struct sw_flow *flow, struct sk_buff *skb) 2172 { 2173 if (ovs_identifier_is_ufid(&flow->id)) 2174 return nla_put(skb, OVS_FLOW_ATTR_UFID, flow->id.ufid_len, 2175 flow->id.ufid); 2176 2177 return ovs_nla_put_key(flow->id.unmasked_key, flow->id.unmasked_key, 2178 OVS_FLOW_ATTR_KEY, false, skb); 2179 } 2180 2181 /* Called with ovs_mutex or RCU read lock. */ 2182 int ovs_nla_put_masked_key(const struct sw_flow *flow, struct sk_buff *skb) 2183 { 2184 return ovs_nla_put_key(&flow->key, &flow->key, 2185 OVS_FLOW_ATTR_KEY, false, skb); 2186 } 2187 2188 /* Called with ovs_mutex or RCU read lock. */ 2189 int ovs_nla_put_mask(const struct sw_flow *flow, struct sk_buff *skb) 2190 { 2191 return ovs_nla_put_key(&flow->key, &flow->mask->key, 2192 OVS_FLOW_ATTR_MASK, true, skb); 2193 } 2194 2195 #define MAX_ACTIONS_BUFSIZE (32 * 1024) 2196 2197 static struct sw_flow_actions *nla_alloc_flow_actions(int size) 2198 { 2199 struct sw_flow_actions *sfa; 2200 2201 WARN_ON_ONCE(size > MAX_ACTIONS_BUFSIZE); 2202 2203 sfa = kmalloc(sizeof(*sfa) + size, GFP_KERNEL); 2204 if (!sfa) 2205 return ERR_PTR(-ENOMEM); 2206 2207 sfa->actions_len = 0; 2208 return sfa; 2209 } 2210 2211 static void ovs_nla_free_set_action(const struct nlattr *a) 2212 { 2213 const struct nlattr *ovs_key = nla_data(a); 2214 struct ovs_tunnel_info *ovs_tun; 2215 2216 switch (nla_type(ovs_key)) { 2217 case OVS_KEY_ATTR_TUNNEL_INFO: 2218 ovs_tun = nla_data(ovs_key); 2219 dst_release((struct dst_entry *)ovs_tun->tun_dst); 2220 break; 2221 } 2222 } 2223 2224 void ovs_nla_free_flow_actions(struct sw_flow_actions *sf_acts) 2225 { 2226 const struct nlattr *a; 2227 int rem; 2228 2229 if (!sf_acts) 2230 return; 2231 2232 nla_for_each_attr(a, sf_acts->actions, sf_acts->actions_len, rem) { 2233 switch (nla_type(a)) { 2234 case OVS_ACTION_ATTR_SET: 2235 ovs_nla_free_set_action(a); 2236 break; 2237 case OVS_ACTION_ATTR_CT: 2238 ovs_ct_free_action(a); 2239 break; 2240 } 2241 } 2242 2243 kfree(sf_acts); 2244 } 2245 2246 static void __ovs_nla_free_flow_actions(struct rcu_head *head) 2247 { 2248 ovs_nla_free_flow_actions(container_of(head, struct sw_flow_actions, rcu)); 2249 } 2250 2251 /* Schedules 'sf_acts' to be freed after the next RCU grace period. 2252 * The caller must hold rcu_read_lock for this to be sensible. */ 2253 void ovs_nla_free_flow_actions_rcu(struct sw_flow_actions *sf_acts) 2254 { 2255 call_rcu(&sf_acts->rcu, __ovs_nla_free_flow_actions); 2256 } 2257 2258 static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa, 2259 int attr_len, bool log) 2260 { 2261 2262 struct sw_flow_actions *acts; 2263 int new_acts_size; 2264 int req_size = NLA_ALIGN(attr_len); 2265 int next_offset = offsetof(struct sw_flow_actions, actions) + 2266 (*sfa)->actions_len; 2267 2268 if (req_size <= (ksize(*sfa) - next_offset)) 2269 goto out; 2270 2271 new_acts_size = ksize(*sfa) * 2; 2272 2273 if (new_acts_size > MAX_ACTIONS_BUFSIZE) { 2274 if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) { 2275 OVS_NLERR(log, "Flow action size exceeds max %u", 2276 MAX_ACTIONS_BUFSIZE); 2277 return ERR_PTR(-EMSGSIZE); 2278 } 2279 new_acts_size = MAX_ACTIONS_BUFSIZE; 2280 } 2281 2282 acts = nla_alloc_flow_actions(new_acts_size); 2283 if (IS_ERR(acts)) 2284 return (void *)acts; 2285 2286 memcpy(acts->actions, (*sfa)->actions, (*sfa)->actions_len); 2287 acts->actions_len = (*sfa)->actions_len; 2288 acts->orig_len = (*sfa)->orig_len; 2289 kfree(*sfa); 2290 *sfa = acts; 2291 2292 out: 2293 (*sfa)->actions_len += req_size; 2294 return (struct nlattr *) ((unsigned char *)(*sfa) + next_offset); 2295 } 2296 2297 static struct nlattr *__add_action(struct sw_flow_actions **sfa, 2298 int attrtype, void *data, int len, bool log) 2299 { 2300 struct nlattr *a; 2301 2302 a = reserve_sfa_size(sfa, nla_attr_size(len), log); 2303 if (IS_ERR(a)) 2304 return a; 2305 2306 a->nla_type = attrtype; 2307 a->nla_len = nla_attr_size(len); 2308 2309 if (data) 2310 memcpy(nla_data(a), data, len); 2311 memset((unsigned char *) a + a->nla_len, 0, nla_padlen(len)); 2312 2313 return a; 2314 } 2315 2316 int ovs_nla_add_action(struct sw_flow_actions **sfa, int attrtype, void *data, 2317 int len, bool log) 2318 { 2319 struct nlattr *a; 2320 2321 a = __add_action(sfa, attrtype, data, len, log); 2322 2323 return PTR_ERR_OR_ZERO(a); 2324 } 2325 2326 static inline int add_nested_action_start(struct sw_flow_actions **sfa, 2327 int attrtype, bool log) 2328 { 2329 int used = (*sfa)->actions_len; 2330 int err; 2331 2332 err = ovs_nla_add_action(sfa, attrtype, NULL, 0, log); 2333 if (err) 2334 return err; 2335 2336 return used; 2337 } 2338 2339 static inline void add_nested_action_end(struct sw_flow_actions *sfa, 2340 int st_offset) 2341 { 2342 struct nlattr *a = (struct nlattr *) ((unsigned char *)sfa->actions + 2343 st_offset); 2344 2345 a->nla_len = sfa->actions_len - st_offset; 2346 } 2347 2348 static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr, 2349 const struct sw_flow_key *key, 2350 struct sw_flow_actions **sfa, 2351 __be16 eth_type, __be16 vlan_tci, bool log); 2352 2353 static int validate_and_copy_sample(struct net *net, const struct nlattr *attr, 2354 const struct sw_flow_key *key, 2355 struct sw_flow_actions **sfa, 2356 __be16 eth_type, __be16 vlan_tci, 2357 bool log, bool last) 2358 { 2359 const struct nlattr *attrs[OVS_SAMPLE_ATTR_MAX + 1]; 2360 const struct nlattr *probability, *actions; 2361 const struct nlattr *a; 2362 int rem, start, err; 2363 struct sample_arg arg; 2364 2365 memset(attrs, 0, sizeof(attrs)); 2366 nla_for_each_nested(a, attr, rem) { 2367 int type = nla_type(a); 2368 if (!type || type > OVS_SAMPLE_ATTR_MAX || attrs[type]) 2369 return -EINVAL; 2370 attrs[type] = a; 2371 } 2372 if (rem) 2373 return -EINVAL; 2374 2375 probability = attrs[OVS_SAMPLE_ATTR_PROBABILITY]; 2376 if (!probability || nla_len(probability) != sizeof(u32)) 2377 return -EINVAL; 2378 2379 actions = attrs[OVS_SAMPLE_ATTR_ACTIONS]; 2380 if (!actions || (nla_len(actions) && nla_len(actions) < NLA_HDRLEN)) 2381 return -EINVAL; 2382 2383 /* validation done, copy sample action. */ 2384 start = add_nested_action_start(sfa, OVS_ACTION_ATTR_SAMPLE, log); 2385 if (start < 0) 2386 return start; 2387 2388 /* When both skb and flow may be changed, put the sample 2389 * into a deferred fifo. On the other hand, if only skb 2390 * may be modified, the actions can be executed in place. 2391 * 2392 * Do this analysis at the flow installation time. 2393 * Set 'clone_action->exec' to true if the actions can be 2394 * executed without being deferred. 2395 * 2396 * If the sample is the last action, it can always be excuted 2397 * rather than deferred. 2398 */ 2399 arg.exec = last || !actions_may_change_flow(actions); 2400 arg.probability = nla_get_u32(probability); 2401 2402 err = ovs_nla_add_action(sfa, OVS_SAMPLE_ATTR_ARG, &arg, sizeof(arg), 2403 log); 2404 if (err) 2405 return err; 2406 2407 err = __ovs_nla_copy_actions(net, actions, key, sfa, 2408 eth_type, vlan_tci, log); 2409 2410 if (err) 2411 return err; 2412 2413 add_nested_action_end(*sfa, start); 2414 2415 return 0; 2416 } 2417 2418 void ovs_match_init(struct sw_flow_match *match, 2419 struct sw_flow_key *key, 2420 bool reset_key, 2421 struct sw_flow_mask *mask) 2422 { 2423 memset(match, 0, sizeof(*match)); 2424 match->key = key; 2425 match->mask = mask; 2426 2427 if (reset_key) 2428 memset(key, 0, sizeof(*key)); 2429 2430 if (mask) { 2431 memset(&mask->key, 0, sizeof(mask->key)); 2432 mask->range.start = mask->range.end = 0; 2433 } 2434 } 2435 2436 static int validate_geneve_opts(struct sw_flow_key *key) 2437 { 2438 struct geneve_opt *option; 2439 int opts_len = key->tun_opts_len; 2440 bool crit_opt = false; 2441 2442 option = (struct geneve_opt *)TUN_METADATA_OPTS(key, key->tun_opts_len); 2443 while (opts_len > 0) { 2444 int len; 2445 2446 if (opts_len < sizeof(*option)) 2447 return -EINVAL; 2448 2449 len = sizeof(*option) + option->length * 4; 2450 if (len > opts_len) 2451 return -EINVAL; 2452 2453 crit_opt |= !!(option->type & GENEVE_CRIT_OPT_TYPE); 2454 2455 option = (struct geneve_opt *)((u8 *)option + len); 2456 opts_len -= len; 2457 }; 2458 2459 key->tun_key.tun_flags |= crit_opt ? TUNNEL_CRIT_OPT : 0; 2460 2461 return 0; 2462 } 2463 2464 static int validate_and_copy_set_tun(const struct nlattr *attr, 2465 struct sw_flow_actions **sfa, bool log) 2466 { 2467 struct sw_flow_match match; 2468 struct sw_flow_key key; 2469 struct metadata_dst *tun_dst; 2470 struct ip_tunnel_info *tun_info; 2471 struct ovs_tunnel_info *ovs_tun; 2472 struct nlattr *a; 2473 int err = 0, start, opts_type; 2474 2475 ovs_match_init(&match, &key, true, NULL); 2476 opts_type = ip_tun_from_nlattr(nla_data(attr), &match, false, log); 2477 if (opts_type < 0) 2478 return opts_type; 2479 2480 if (key.tun_opts_len) { 2481 switch (opts_type) { 2482 case OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS: 2483 err = validate_geneve_opts(&key); 2484 if (err < 0) 2485 return err; 2486 break; 2487 case OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS: 2488 break; 2489 } 2490 }; 2491 2492 start = add_nested_action_start(sfa, OVS_ACTION_ATTR_SET, log); 2493 if (start < 0) 2494 return start; 2495 2496 tun_dst = metadata_dst_alloc(key.tun_opts_len, METADATA_IP_TUNNEL, 2497 GFP_KERNEL); 2498 2499 if (!tun_dst) 2500 return -ENOMEM; 2501 2502 err = dst_cache_init(&tun_dst->u.tun_info.dst_cache, GFP_KERNEL); 2503 if (err) { 2504 dst_release((struct dst_entry *)tun_dst); 2505 return err; 2506 } 2507 2508 a = __add_action(sfa, OVS_KEY_ATTR_TUNNEL_INFO, NULL, 2509 sizeof(*ovs_tun), log); 2510 if (IS_ERR(a)) { 2511 dst_release((struct dst_entry *)tun_dst); 2512 return PTR_ERR(a); 2513 } 2514 2515 ovs_tun = nla_data(a); 2516 ovs_tun->tun_dst = tun_dst; 2517 2518 tun_info = &tun_dst->u.tun_info; 2519 tun_info->mode = IP_TUNNEL_INFO_TX; 2520 if (key.tun_proto == AF_INET6) 2521 tun_info->mode |= IP_TUNNEL_INFO_IPV6; 2522 tun_info->key = key.tun_key; 2523 2524 /* We need to store the options in the action itself since 2525 * everything else will go away after flow setup. We can append 2526 * it to tun_info and then point there. 2527 */ 2528 ip_tunnel_info_opts_set(tun_info, 2529 TUN_METADATA_OPTS(&key, key.tun_opts_len), 2530 key.tun_opts_len); 2531 add_nested_action_end(*sfa, start); 2532 2533 return err; 2534 } 2535 2536 static bool validate_nsh(const struct nlattr *attr, bool is_mask, 2537 bool is_push_nsh, bool log) 2538 { 2539 struct sw_flow_match match; 2540 struct sw_flow_key key; 2541 int ret = 0; 2542 2543 ovs_match_init(&match, &key, true, NULL); 2544 ret = nsh_key_put_from_nlattr(attr, &match, is_mask, 2545 is_push_nsh, log); 2546 return !ret; 2547 } 2548 2549 /* Return false if there are any non-masked bits set. 2550 * Mask follows data immediately, before any netlink padding. 2551 */ 2552 static bool validate_masked(u8 *data, int len) 2553 { 2554 u8 *mask = data + len; 2555 2556 while (len--) 2557 if (*data++ & ~*mask++) 2558 return false; 2559 2560 return true; 2561 } 2562 2563 static int validate_set(const struct nlattr *a, 2564 const struct sw_flow_key *flow_key, 2565 struct sw_flow_actions **sfa, bool *skip_copy, 2566 u8 mac_proto, __be16 eth_type, bool masked, bool log) 2567 { 2568 const struct nlattr *ovs_key = nla_data(a); 2569 int key_type = nla_type(ovs_key); 2570 size_t key_len; 2571 2572 /* There can be only one key in a action */ 2573 if (nla_total_size(nla_len(ovs_key)) != nla_len(a)) 2574 return -EINVAL; 2575 2576 key_len = nla_len(ovs_key); 2577 if (masked) 2578 key_len /= 2; 2579 2580 if (key_type > OVS_KEY_ATTR_MAX || 2581 !check_attr_len(key_len, ovs_key_lens[key_type].len)) 2582 return -EINVAL; 2583 2584 if (masked && !validate_masked(nla_data(ovs_key), key_len)) 2585 return -EINVAL; 2586 2587 switch (key_type) { 2588 const struct ovs_key_ipv4 *ipv4_key; 2589 const struct ovs_key_ipv6 *ipv6_key; 2590 int err; 2591 2592 case OVS_KEY_ATTR_PRIORITY: 2593 case OVS_KEY_ATTR_SKB_MARK: 2594 case OVS_KEY_ATTR_CT_MARK: 2595 case OVS_KEY_ATTR_CT_LABELS: 2596 break; 2597 2598 case OVS_KEY_ATTR_ETHERNET: 2599 if (mac_proto != MAC_PROTO_ETHERNET) 2600 return -EINVAL; 2601 break; 2602 2603 case OVS_KEY_ATTR_TUNNEL: 2604 if (masked) 2605 return -EINVAL; /* Masked tunnel set not supported. */ 2606 2607 *skip_copy = true; 2608 err = validate_and_copy_set_tun(a, sfa, log); 2609 if (err) 2610 return err; 2611 break; 2612 2613 case OVS_KEY_ATTR_IPV4: 2614 if (eth_type != htons(ETH_P_IP)) 2615 return -EINVAL; 2616 2617 ipv4_key = nla_data(ovs_key); 2618 2619 if (masked) { 2620 const struct ovs_key_ipv4 *mask = ipv4_key + 1; 2621 2622 /* Non-writeable fields. */ 2623 if (mask->ipv4_proto || mask->ipv4_frag) 2624 return -EINVAL; 2625 } else { 2626 if (ipv4_key->ipv4_proto != flow_key->ip.proto) 2627 return -EINVAL; 2628 2629 if (ipv4_key->ipv4_frag != flow_key->ip.frag) 2630 return -EINVAL; 2631 } 2632 break; 2633 2634 case OVS_KEY_ATTR_IPV6: 2635 if (eth_type != htons(ETH_P_IPV6)) 2636 return -EINVAL; 2637 2638 ipv6_key = nla_data(ovs_key); 2639 2640 if (masked) { 2641 const struct ovs_key_ipv6 *mask = ipv6_key + 1; 2642 2643 /* Non-writeable fields. */ 2644 if (mask->ipv6_proto || mask->ipv6_frag) 2645 return -EINVAL; 2646 2647 /* Invalid bits in the flow label mask? */ 2648 if (ntohl(mask->ipv6_label) & 0xFFF00000) 2649 return -EINVAL; 2650 } else { 2651 if (ipv6_key->ipv6_proto != flow_key->ip.proto) 2652 return -EINVAL; 2653 2654 if (ipv6_key->ipv6_frag != flow_key->ip.frag) 2655 return -EINVAL; 2656 } 2657 if (ntohl(ipv6_key->ipv6_label) & 0xFFF00000) 2658 return -EINVAL; 2659 2660 break; 2661 2662 case OVS_KEY_ATTR_TCP: 2663 if ((eth_type != htons(ETH_P_IP) && 2664 eth_type != htons(ETH_P_IPV6)) || 2665 flow_key->ip.proto != IPPROTO_TCP) 2666 return -EINVAL; 2667 2668 break; 2669 2670 case OVS_KEY_ATTR_UDP: 2671 if ((eth_type != htons(ETH_P_IP) && 2672 eth_type != htons(ETH_P_IPV6)) || 2673 flow_key->ip.proto != IPPROTO_UDP) 2674 return -EINVAL; 2675 2676 break; 2677 2678 case OVS_KEY_ATTR_MPLS: 2679 if (!eth_p_mpls(eth_type)) 2680 return -EINVAL; 2681 break; 2682 2683 case OVS_KEY_ATTR_SCTP: 2684 if ((eth_type != htons(ETH_P_IP) && 2685 eth_type != htons(ETH_P_IPV6)) || 2686 flow_key->ip.proto != IPPROTO_SCTP) 2687 return -EINVAL; 2688 2689 break; 2690 2691 case OVS_KEY_ATTR_NSH: 2692 if (eth_type != htons(ETH_P_NSH)) 2693 return -EINVAL; 2694 if (!validate_nsh(nla_data(a), masked, false, log)) 2695 return -EINVAL; 2696 break; 2697 2698 default: 2699 return -EINVAL; 2700 } 2701 2702 /* Convert non-masked non-tunnel set actions to masked set actions. */ 2703 if (!masked && key_type != OVS_KEY_ATTR_TUNNEL) { 2704 int start, len = key_len * 2; 2705 struct nlattr *at; 2706 2707 *skip_copy = true; 2708 2709 start = add_nested_action_start(sfa, 2710 OVS_ACTION_ATTR_SET_TO_MASKED, 2711 log); 2712 if (start < 0) 2713 return start; 2714 2715 at = __add_action(sfa, key_type, NULL, len, log); 2716 if (IS_ERR(at)) 2717 return PTR_ERR(at); 2718 2719 memcpy(nla_data(at), nla_data(ovs_key), key_len); /* Key. */ 2720 memset(nla_data(at) + key_len, 0xff, key_len); /* Mask. */ 2721 /* Clear non-writeable bits from otherwise writeable fields. */ 2722 if (key_type == OVS_KEY_ATTR_IPV6) { 2723 struct ovs_key_ipv6 *mask = nla_data(at) + key_len; 2724 2725 mask->ipv6_label &= htonl(0x000FFFFF); 2726 } 2727 add_nested_action_end(*sfa, start); 2728 } 2729 2730 return 0; 2731 } 2732 2733 static int validate_userspace(const struct nlattr *attr) 2734 { 2735 static const struct nla_policy userspace_policy[OVS_USERSPACE_ATTR_MAX + 1] = { 2736 [OVS_USERSPACE_ATTR_PID] = {.type = NLA_U32 }, 2737 [OVS_USERSPACE_ATTR_USERDATA] = {.type = NLA_UNSPEC }, 2738 [OVS_USERSPACE_ATTR_EGRESS_TUN_PORT] = {.type = NLA_U32 }, 2739 }; 2740 struct nlattr *a[OVS_USERSPACE_ATTR_MAX + 1]; 2741 int error; 2742 2743 error = nla_parse_nested(a, OVS_USERSPACE_ATTR_MAX, attr, 2744 userspace_policy, NULL); 2745 if (error) 2746 return error; 2747 2748 if (!a[OVS_USERSPACE_ATTR_PID] || 2749 !nla_get_u32(a[OVS_USERSPACE_ATTR_PID])) 2750 return -EINVAL; 2751 2752 return 0; 2753 } 2754 2755 static int copy_action(const struct nlattr *from, 2756 struct sw_flow_actions **sfa, bool log) 2757 { 2758 int totlen = NLA_ALIGN(from->nla_len); 2759 struct nlattr *to; 2760 2761 to = reserve_sfa_size(sfa, from->nla_len, log); 2762 if (IS_ERR(to)) 2763 return PTR_ERR(to); 2764 2765 memcpy(to, from, totlen); 2766 return 0; 2767 } 2768 2769 static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr, 2770 const struct sw_flow_key *key, 2771 struct sw_flow_actions **sfa, 2772 __be16 eth_type, __be16 vlan_tci, bool log) 2773 { 2774 u8 mac_proto = ovs_key_mac_proto(key); 2775 const struct nlattr *a; 2776 int rem, err; 2777 2778 nla_for_each_nested(a, attr, rem) { 2779 /* Expected argument lengths, (u32)-1 for variable length. */ 2780 static const u32 action_lens[OVS_ACTION_ATTR_MAX + 1] = { 2781 [OVS_ACTION_ATTR_OUTPUT] = sizeof(u32), 2782 [OVS_ACTION_ATTR_RECIRC] = sizeof(u32), 2783 [OVS_ACTION_ATTR_USERSPACE] = (u32)-1, 2784 [OVS_ACTION_ATTR_PUSH_MPLS] = sizeof(struct ovs_action_push_mpls), 2785 [OVS_ACTION_ATTR_POP_MPLS] = sizeof(__be16), 2786 [OVS_ACTION_ATTR_PUSH_VLAN] = sizeof(struct ovs_action_push_vlan), 2787 [OVS_ACTION_ATTR_POP_VLAN] = 0, 2788 [OVS_ACTION_ATTR_SET] = (u32)-1, 2789 [OVS_ACTION_ATTR_SET_MASKED] = (u32)-1, 2790 [OVS_ACTION_ATTR_SAMPLE] = (u32)-1, 2791 [OVS_ACTION_ATTR_HASH] = sizeof(struct ovs_action_hash), 2792 [OVS_ACTION_ATTR_CT] = (u32)-1, 2793 [OVS_ACTION_ATTR_CT_CLEAR] = 0, 2794 [OVS_ACTION_ATTR_TRUNC] = sizeof(struct ovs_action_trunc), 2795 [OVS_ACTION_ATTR_PUSH_ETH] = sizeof(struct ovs_action_push_eth), 2796 [OVS_ACTION_ATTR_POP_ETH] = 0, 2797 [OVS_ACTION_ATTR_PUSH_NSH] = (u32)-1, 2798 [OVS_ACTION_ATTR_POP_NSH] = 0, 2799 [OVS_ACTION_ATTR_METER] = sizeof(u32), 2800 }; 2801 const struct ovs_action_push_vlan *vlan; 2802 int type = nla_type(a); 2803 bool skip_copy; 2804 2805 if (type > OVS_ACTION_ATTR_MAX || 2806 (action_lens[type] != nla_len(a) && 2807 action_lens[type] != (u32)-1)) 2808 return -EINVAL; 2809 2810 skip_copy = false; 2811 switch (type) { 2812 case OVS_ACTION_ATTR_UNSPEC: 2813 return -EINVAL; 2814 2815 case OVS_ACTION_ATTR_USERSPACE: 2816 err = validate_userspace(a); 2817 if (err) 2818 return err; 2819 break; 2820 2821 case OVS_ACTION_ATTR_OUTPUT: 2822 if (nla_get_u32(a) >= DP_MAX_PORTS) 2823 return -EINVAL; 2824 break; 2825 2826 case OVS_ACTION_ATTR_TRUNC: { 2827 const struct ovs_action_trunc *trunc = nla_data(a); 2828 2829 if (trunc->max_len < ETH_HLEN) 2830 return -EINVAL; 2831 break; 2832 } 2833 2834 case OVS_ACTION_ATTR_HASH: { 2835 const struct ovs_action_hash *act_hash = nla_data(a); 2836 2837 switch (act_hash->hash_alg) { 2838 case OVS_HASH_ALG_L4: 2839 break; 2840 default: 2841 return -EINVAL; 2842 } 2843 2844 break; 2845 } 2846 2847 case OVS_ACTION_ATTR_POP_VLAN: 2848 if (mac_proto != MAC_PROTO_ETHERNET) 2849 return -EINVAL; 2850 vlan_tci = htons(0); 2851 break; 2852 2853 case OVS_ACTION_ATTR_PUSH_VLAN: 2854 if (mac_proto != MAC_PROTO_ETHERNET) 2855 return -EINVAL; 2856 vlan = nla_data(a); 2857 if (!eth_type_vlan(vlan->vlan_tpid)) 2858 return -EINVAL; 2859 if (!(vlan->vlan_tci & htons(VLAN_TAG_PRESENT))) 2860 return -EINVAL; 2861 vlan_tci = vlan->vlan_tci; 2862 break; 2863 2864 case OVS_ACTION_ATTR_RECIRC: 2865 break; 2866 2867 case OVS_ACTION_ATTR_PUSH_MPLS: { 2868 const struct ovs_action_push_mpls *mpls = nla_data(a); 2869 2870 if (!eth_p_mpls(mpls->mpls_ethertype)) 2871 return -EINVAL; 2872 /* Prohibit push MPLS other than to a white list 2873 * for packets that have a known tag order. 2874 */ 2875 if (vlan_tci & htons(VLAN_TAG_PRESENT) || 2876 (eth_type != htons(ETH_P_IP) && 2877 eth_type != htons(ETH_P_IPV6) && 2878 eth_type != htons(ETH_P_ARP) && 2879 eth_type != htons(ETH_P_RARP) && 2880 !eth_p_mpls(eth_type))) 2881 return -EINVAL; 2882 eth_type = mpls->mpls_ethertype; 2883 break; 2884 } 2885 2886 case OVS_ACTION_ATTR_POP_MPLS: 2887 if (vlan_tci & htons(VLAN_TAG_PRESENT) || 2888 !eth_p_mpls(eth_type)) 2889 return -EINVAL; 2890 2891 /* Disallow subsequent L2.5+ set and mpls_pop actions 2892 * as there is no check here to ensure that the new 2893 * eth_type is valid and thus set actions could 2894 * write off the end of the packet or otherwise 2895 * corrupt it. 2896 * 2897 * Support for these actions is planned using packet 2898 * recirculation. 2899 */ 2900 eth_type = htons(0); 2901 break; 2902 2903 case OVS_ACTION_ATTR_SET: 2904 err = validate_set(a, key, sfa, 2905 &skip_copy, mac_proto, eth_type, 2906 false, log); 2907 if (err) 2908 return err; 2909 break; 2910 2911 case OVS_ACTION_ATTR_SET_MASKED: 2912 err = validate_set(a, key, sfa, 2913 &skip_copy, mac_proto, eth_type, 2914 true, log); 2915 if (err) 2916 return err; 2917 break; 2918 2919 case OVS_ACTION_ATTR_SAMPLE: { 2920 bool last = nla_is_last(a, rem); 2921 2922 err = validate_and_copy_sample(net, a, key, sfa, 2923 eth_type, vlan_tci, 2924 log, last); 2925 if (err) 2926 return err; 2927 skip_copy = true; 2928 break; 2929 } 2930 2931 case OVS_ACTION_ATTR_CT: 2932 err = ovs_ct_copy_action(net, a, key, sfa, log); 2933 if (err) 2934 return err; 2935 skip_copy = true; 2936 break; 2937 2938 case OVS_ACTION_ATTR_CT_CLEAR: 2939 break; 2940 2941 case OVS_ACTION_ATTR_PUSH_ETH: 2942 /* Disallow pushing an Ethernet header if one 2943 * is already present */ 2944 if (mac_proto != MAC_PROTO_NONE) 2945 return -EINVAL; 2946 mac_proto = MAC_PROTO_NONE; 2947 break; 2948 2949 case OVS_ACTION_ATTR_POP_ETH: 2950 if (mac_proto != MAC_PROTO_ETHERNET) 2951 return -EINVAL; 2952 if (vlan_tci & htons(VLAN_TAG_PRESENT)) 2953 return -EINVAL; 2954 mac_proto = MAC_PROTO_ETHERNET; 2955 break; 2956 2957 case OVS_ACTION_ATTR_PUSH_NSH: 2958 if (mac_proto != MAC_PROTO_ETHERNET) { 2959 u8 next_proto; 2960 2961 next_proto = tun_p_from_eth_p(eth_type); 2962 if (!next_proto) 2963 return -EINVAL; 2964 } 2965 mac_proto = MAC_PROTO_NONE; 2966 if (!validate_nsh(nla_data(a), false, true, true)) 2967 return -EINVAL; 2968 break; 2969 2970 case OVS_ACTION_ATTR_POP_NSH: { 2971 __be16 inner_proto; 2972 2973 if (eth_type != htons(ETH_P_NSH)) 2974 return -EINVAL; 2975 inner_proto = tun_p_to_eth_p(key->nsh.base.np); 2976 if (!inner_proto) 2977 return -EINVAL; 2978 if (key->nsh.base.np == TUN_P_ETHERNET) 2979 mac_proto = MAC_PROTO_ETHERNET; 2980 else 2981 mac_proto = MAC_PROTO_NONE; 2982 break; 2983 } 2984 2985 case OVS_ACTION_ATTR_METER: 2986 /* Non-existent meters are simply ignored. */ 2987 break; 2988 2989 default: 2990 OVS_NLERR(log, "Unknown Action type %d", type); 2991 return -EINVAL; 2992 } 2993 if (!skip_copy) { 2994 err = copy_action(a, sfa, log); 2995 if (err) 2996 return err; 2997 } 2998 } 2999 3000 if (rem > 0) 3001 return -EINVAL; 3002 3003 return 0; 3004 } 3005 3006 /* 'key' must be the masked key. */ 3007 int ovs_nla_copy_actions(struct net *net, const struct nlattr *attr, 3008 const struct sw_flow_key *key, 3009 struct sw_flow_actions **sfa, bool log) 3010 { 3011 int err; 3012 3013 *sfa = nla_alloc_flow_actions(min(nla_len(attr), MAX_ACTIONS_BUFSIZE)); 3014 if (IS_ERR(*sfa)) 3015 return PTR_ERR(*sfa); 3016 3017 (*sfa)->orig_len = nla_len(attr); 3018 err = __ovs_nla_copy_actions(net, attr, key, sfa, key->eth.type, 3019 key->eth.vlan.tci, log); 3020 if (err) 3021 ovs_nla_free_flow_actions(*sfa); 3022 3023 return err; 3024 } 3025 3026 static int sample_action_to_attr(const struct nlattr *attr, 3027 struct sk_buff *skb) 3028 { 3029 struct nlattr *start, *ac_start = NULL, *sample_arg; 3030 int err = 0, rem = nla_len(attr); 3031 const struct sample_arg *arg; 3032 struct nlattr *actions; 3033 3034 start = nla_nest_start(skb, OVS_ACTION_ATTR_SAMPLE); 3035 if (!start) 3036 return -EMSGSIZE; 3037 3038 sample_arg = nla_data(attr); 3039 arg = nla_data(sample_arg); 3040 actions = nla_next(sample_arg, &rem); 3041 3042 if (nla_put_u32(skb, OVS_SAMPLE_ATTR_PROBABILITY, arg->probability)) { 3043 err = -EMSGSIZE; 3044 goto out; 3045 } 3046 3047 ac_start = nla_nest_start(skb, OVS_SAMPLE_ATTR_ACTIONS); 3048 if (!ac_start) { 3049 err = -EMSGSIZE; 3050 goto out; 3051 } 3052 3053 err = ovs_nla_put_actions(actions, rem, skb); 3054 3055 out: 3056 if (err) { 3057 nla_nest_cancel(skb, ac_start); 3058 nla_nest_cancel(skb, start); 3059 } else { 3060 nla_nest_end(skb, ac_start); 3061 nla_nest_end(skb, start); 3062 } 3063 3064 return err; 3065 } 3066 3067 static int set_action_to_attr(const struct nlattr *a, struct sk_buff *skb) 3068 { 3069 const struct nlattr *ovs_key = nla_data(a); 3070 int key_type = nla_type(ovs_key); 3071 struct nlattr *start; 3072 int err; 3073 3074 switch (key_type) { 3075 case OVS_KEY_ATTR_TUNNEL_INFO: { 3076 struct ovs_tunnel_info *ovs_tun = nla_data(ovs_key); 3077 struct ip_tunnel_info *tun_info = &ovs_tun->tun_dst->u.tun_info; 3078 3079 start = nla_nest_start(skb, OVS_ACTION_ATTR_SET); 3080 if (!start) 3081 return -EMSGSIZE; 3082 3083 err = ip_tun_to_nlattr(skb, &tun_info->key, 3084 ip_tunnel_info_opts(tun_info), 3085 tun_info->options_len, 3086 ip_tunnel_info_af(tun_info)); 3087 if (err) 3088 return err; 3089 nla_nest_end(skb, start); 3090 break; 3091 } 3092 default: 3093 if (nla_put(skb, OVS_ACTION_ATTR_SET, nla_len(a), ovs_key)) 3094 return -EMSGSIZE; 3095 break; 3096 } 3097 3098 return 0; 3099 } 3100 3101 static int masked_set_action_to_set_action_attr(const struct nlattr *a, 3102 struct sk_buff *skb) 3103 { 3104 const struct nlattr *ovs_key = nla_data(a); 3105 struct nlattr *nla; 3106 size_t key_len = nla_len(ovs_key) / 2; 3107 3108 /* Revert the conversion we did from a non-masked set action to 3109 * masked set action. 3110 */ 3111 nla = nla_nest_start(skb, OVS_ACTION_ATTR_SET); 3112 if (!nla) 3113 return -EMSGSIZE; 3114 3115 if (nla_put(skb, nla_type(ovs_key), key_len, nla_data(ovs_key))) 3116 return -EMSGSIZE; 3117 3118 nla_nest_end(skb, nla); 3119 return 0; 3120 } 3121 3122 int ovs_nla_put_actions(const struct nlattr *attr, int len, struct sk_buff *skb) 3123 { 3124 const struct nlattr *a; 3125 int rem, err; 3126 3127 nla_for_each_attr(a, attr, len, rem) { 3128 int type = nla_type(a); 3129 3130 switch (type) { 3131 case OVS_ACTION_ATTR_SET: 3132 err = set_action_to_attr(a, skb); 3133 if (err) 3134 return err; 3135 break; 3136 3137 case OVS_ACTION_ATTR_SET_TO_MASKED: 3138 err = masked_set_action_to_set_action_attr(a, skb); 3139 if (err) 3140 return err; 3141 break; 3142 3143 case OVS_ACTION_ATTR_SAMPLE: 3144 err = sample_action_to_attr(a, skb); 3145 if (err) 3146 return err; 3147 break; 3148 3149 case OVS_ACTION_ATTR_CT: 3150 err = ovs_ct_action_to_attr(nla_data(a), skb); 3151 if (err) 3152 return err; 3153 break; 3154 3155 default: 3156 if (nla_put(skb, type, nla_len(a), nla_data(a))) 3157 return -EMSGSIZE; 3158 break; 3159 } 3160 } 3161 3162 return 0; 3163 } 3164