1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (c) 2007-2017 Nicira, Inc. 4 */ 5 6 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 7 8 #include "flow.h" 9 #include "datapath.h" 10 #include <linux/uaccess.h> 11 #include <linux/netdevice.h> 12 #include <linux/etherdevice.h> 13 #include <linux/if_ether.h> 14 #include <linux/if_vlan.h> 15 #include <net/llc_pdu.h> 16 #include <linux/kernel.h> 17 #include <linux/jhash.h> 18 #include <linux/jiffies.h> 19 #include <linux/llc.h> 20 #include <linux/module.h> 21 #include <linux/in.h> 22 #include <linux/rcupdate.h> 23 #include <linux/if_arp.h> 24 #include <linux/ip.h> 25 #include <linux/ipv6.h> 26 #include <linux/sctp.h> 27 #include <linux/tcp.h> 28 #include <linux/udp.h> 29 #include <linux/icmp.h> 30 #include <linux/icmpv6.h> 31 #include <linux/rculist.h> 32 #include <net/geneve.h> 33 #include <net/ip.h> 34 #include <net/ipv6.h> 35 #include <net/ndisc.h> 36 #include <net/mpls.h> 37 #include <net/vxlan.h> 38 #include <net/tun_proto.h> 39 #include <net/erspan.h> 40 41 #include "drop.h" 42 #include "flow_netlink.h" 43 44 struct ovs_len_tbl { 45 int len; 46 const struct ovs_len_tbl *next; 47 }; 48 49 #define OVS_ATTR_NESTED -1 50 #define OVS_ATTR_VARIABLE -2 51 #define OVS_COPY_ACTIONS_MAX_DEPTH 16 52 53 static bool actions_may_change_flow(const struct nlattr *actions) 54 { 55 struct nlattr *nla; 56 int rem; 57 58 nla_for_each_nested(nla, actions, rem) { 59 u16 action = nla_type(nla); 60 61 switch (action) { 62 case OVS_ACTION_ATTR_OUTPUT: 63 case OVS_ACTION_ATTR_RECIRC: 64 case OVS_ACTION_ATTR_TRUNC: 65 case OVS_ACTION_ATTR_USERSPACE: 66 case OVS_ACTION_ATTR_DROP: 67 break; 68 69 case OVS_ACTION_ATTR_CT: 70 case OVS_ACTION_ATTR_CT_CLEAR: 71 case OVS_ACTION_ATTR_HASH: 72 case OVS_ACTION_ATTR_POP_ETH: 73 case OVS_ACTION_ATTR_POP_MPLS: 74 case OVS_ACTION_ATTR_POP_NSH: 75 case OVS_ACTION_ATTR_POP_VLAN: 76 case OVS_ACTION_ATTR_PUSH_ETH: 77 case OVS_ACTION_ATTR_PUSH_MPLS: 78 case OVS_ACTION_ATTR_PUSH_NSH: 79 case OVS_ACTION_ATTR_PUSH_VLAN: 80 case OVS_ACTION_ATTR_SAMPLE: 81 case OVS_ACTION_ATTR_SET: 82 case OVS_ACTION_ATTR_SET_MASKED: 83 case OVS_ACTION_ATTR_METER: 84 case OVS_ACTION_ATTR_CHECK_PKT_LEN: 85 case OVS_ACTION_ATTR_ADD_MPLS: 86 case OVS_ACTION_ATTR_DEC_TTL: 87 default: 88 return true; 89 } 90 } 91 return false; 92 } 93 94 static void update_range(struct sw_flow_match *match, 95 size_t offset, size_t size, bool is_mask) 96 { 97 struct sw_flow_key_range *range; 98 size_t start = rounddown(offset, sizeof(long)); 99 size_t end = roundup(offset + size, sizeof(long)); 100 101 if (!is_mask) 102 range = &match->range; 103 else 104 range = &match->mask->range; 105 106 if (range->start == range->end) { 107 range->start = start; 108 range->end = end; 109 return; 110 } 111 112 if (range->start > start) 113 range->start = start; 114 115 if (range->end < end) 116 range->end = end; 117 } 118 119 #define SW_FLOW_KEY_PUT(match, field, value, is_mask) \ 120 do { \ 121 update_range(match, offsetof(struct sw_flow_key, field), \ 122 sizeof((match)->key->field), is_mask); \ 123 if (is_mask) \ 124 (match)->mask->key.field = value; \ 125 else \ 126 (match)->key->field = value; \ 127 } while (0) 128 129 #define SW_FLOW_KEY_MEMCPY_OFFSET(match, offset, value_p, len, is_mask) \ 130 do { \ 131 update_range(match, offset, len, is_mask); \ 132 if (is_mask) \ 133 memcpy((u8 *)&(match)->mask->key + offset, value_p, \ 134 len); \ 135 else \ 136 memcpy((u8 *)(match)->key + offset, value_p, len); \ 137 } while (0) 138 139 #define SW_FLOW_KEY_MEMCPY(match, field, value_p, len, is_mask) \ 140 SW_FLOW_KEY_MEMCPY_OFFSET(match, offsetof(struct sw_flow_key, field), \ 141 value_p, len, is_mask) 142 143 #define SW_FLOW_KEY_MEMSET_FIELD(match, field, value, is_mask) \ 144 do { \ 145 update_range(match, offsetof(struct sw_flow_key, field), \ 146 sizeof((match)->key->field), is_mask); \ 147 if (is_mask) \ 148 memset((u8 *)&(match)->mask->key.field, value, \ 149 sizeof((match)->mask->key.field)); \ 150 else \ 151 memset((u8 *)&(match)->key->field, value, \ 152 sizeof((match)->key->field)); \ 153 } while (0) 154 155 #define SW_FLOW_KEY_BITMAP_COPY(match, field, value_p, nbits, is_mask) ({ \ 156 update_range(match, offsetof(struct sw_flow_key, field), \ 157 bitmap_size(nbits), is_mask); \ 158 bitmap_copy(is_mask ? (match)->mask->key.field : (match)->key->field, \ 159 value_p, nbits); \ 160 }) 161 162 static bool match_validate(const struct sw_flow_match *match, 163 u64 key_attrs, u64 mask_attrs, bool log) 164 { 165 u64 key_expected = 0; 166 u64 mask_allowed = key_attrs; /* At most allow all key attributes */ 167 168 /* The following mask attributes allowed only if they 169 * pass the validation tests. */ 170 mask_allowed &= ~((1 << OVS_KEY_ATTR_IPV4) 171 | (1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4) 172 | (1 << OVS_KEY_ATTR_IPV6) 173 | (1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6) 174 | (1 << OVS_KEY_ATTR_TCP) 175 | (1 << OVS_KEY_ATTR_TCP_FLAGS) 176 | (1 << OVS_KEY_ATTR_UDP) 177 | (1 << OVS_KEY_ATTR_SCTP) 178 | (1 << OVS_KEY_ATTR_ICMP) 179 | (1 << OVS_KEY_ATTR_ICMPV6) 180 | (1 << OVS_KEY_ATTR_ARP) 181 | (1 << OVS_KEY_ATTR_ND) 182 | (1 << OVS_KEY_ATTR_MPLS) 183 | (1 << OVS_KEY_ATTR_NSH)); 184 185 /* Always allowed mask fields. */ 186 mask_allowed |= ((1 << OVS_KEY_ATTR_TUNNEL) 187 | (1 << OVS_KEY_ATTR_IN_PORT) 188 | (1 << OVS_KEY_ATTR_ETHERTYPE)); 189 190 /* Check key attributes. */ 191 if (match->key->eth.type == htons(ETH_P_ARP) 192 || match->key->eth.type == htons(ETH_P_RARP)) { 193 key_expected |= 1 << OVS_KEY_ATTR_ARP; 194 if (match->mask && (match->mask->key.eth.type == htons(0xffff))) 195 mask_allowed |= 1 << OVS_KEY_ATTR_ARP; 196 } 197 198 if (eth_p_mpls(match->key->eth.type)) { 199 key_expected |= 1 << OVS_KEY_ATTR_MPLS; 200 if (match->mask && (match->mask->key.eth.type == htons(0xffff))) 201 mask_allowed |= 1 << OVS_KEY_ATTR_MPLS; 202 } 203 204 if (match->key->eth.type == htons(ETH_P_IP)) { 205 key_expected |= 1 << OVS_KEY_ATTR_IPV4; 206 if (match->mask && match->mask->key.eth.type == htons(0xffff)) { 207 mask_allowed |= 1 << OVS_KEY_ATTR_IPV4; 208 mask_allowed |= 1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4; 209 } 210 211 if (match->key->ip.frag != OVS_FRAG_TYPE_LATER) { 212 if (match->key->ip.proto == IPPROTO_UDP) { 213 key_expected |= 1 << OVS_KEY_ATTR_UDP; 214 if (match->mask && (match->mask->key.ip.proto == 0xff)) 215 mask_allowed |= 1 << OVS_KEY_ATTR_UDP; 216 } 217 218 if (match->key->ip.proto == IPPROTO_SCTP) { 219 key_expected |= 1 << OVS_KEY_ATTR_SCTP; 220 if (match->mask && (match->mask->key.ip.proto == 0xff)) 221 mask_allowed |= 1 << OVS_KEY_ATTR_SCTP; 222 } 223 224 if (match->key->ip.proto == IPPROTO_TCP) { 225 key_expected |= 1 << OVS_KEY_ATTR_TCP; 226 key_expected |= 1 << OVS_KEY_ATTR_TCP_FLAGS; 227 if (match->mask && (match->mask->key.ip.proto == 0xff)) { 228 mask_allowed |= 1 << OVS_KEY_ATTR_TCP; 229 mask_allowed |= 1 << OVS_KEY_ATTR_TCP_FLAGS; 230 } 231 } 232 233 if (match->key->ip.proto == IPPROTO_ICMP) { 234 key_expected |= 1 << OVS_KEY_ATTR_ICMP; 235 if (match->mask && (match->mask->key.ip.proto == 0xff)) 236 mask_allowed |= 1 << OVS_KEY_ATTR_ICMP; 237 } 238 } 239 } 240 241 if (match->key->eth.type == htons(ETH_P_IPV6)) { 242 key_expected |= 1 << OVS_KEY_ATTR_IPV6; 243 if (match->mask && match->mask->key.eth.type == htons(0xffff)) { 244 mask_allowed |= 1 << OVS_KEY_ATTR_IPV6; 245 mask_allowed |= 1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6; 246 } 247 248 if (match->key->ip.frag != OVS_FRAG_TYPE_LATER) { 249 if (match->key->ip.proto == IPPROTO_UDP) { 250 key_expected |= 1 << OVS_KEY_ATTR_UDP; 251 if (match->mask && (match->mask->key.ip.proto == 0xff)) 252 mask_allowed |= 1 << OVS_KEY_ATTR_UDP; 253 } 254 255 if (match->key->ip.proto == IPPROTO_SCTP) { 256 key_expected |= 1 << OVS_KEY_ATTR_SCTP; 257 if (match->mask && (match->mask->key.ip.proto == 0xff)) 258 mask_allowed |= 1 << OVS_KEY_ATTR_SCTP; 259 } 260 261 if (match->key->ip.proto == IPPROTO_TCP) { 262 key_expected |= 1 << OVS_KEY_ATTR_TCP; 263 key_expected |= 1 << OVS_KEY_ATTR_TCP_FLAGS; 264 if (match->mask && (match->mask->key.ip.proto == 0xff)) { 265 mask_allowed |= 1 << OVS_KEY_ATTR_TCP; 266 mask_allowed |= 1 << OVS_KEY_ATTR_TCP_FLAGS; 267 } 268 } 269 270 if (match->key->ip.proto == IPPROTO_ICMPV6) { 271 key_expected |= 1 << OVS_KEY_ATTR_ICMPV6; 272 if (match->mask && (match->mask->key.ip.proto == 0xff)) 273 mask_allowed |= 1 << OVS_KEY_ATTR_ICMPV6; 274 275 if (match->key->tp.src == 276 htons(NDISC_NEIGHBOUR_SOLICITATION) || 277 match->key->tp.src == htons(NDISC_NEIGHBOUR_ADVERTISEMENT)) { 278 key_expected |= 1 << OVS_KEY_ATTR_ND; 279 /* Original direction conntrack tuple 280 * uses the same space as the ND fields 281 * in the key, so both are not allowed 282 * at the same time. 283 */ 284 mask_allowed &= ~(1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6); 285 if (match->mask && (match->mask->key.tp.src == htons(0xff))) 286 mask_allowed |= 1 << OVS_KEY_ATTR_ND; 287 } 288 } 289 } 290 } 291 292 if (match->key->eth.type == htons(ETH_P_NSH)) { 293 key_expected |= 1 << OVS_KEY_ATTR_NSH; 294 if (match->mask && 295 match->mask->key.eth.type == htons(0xffff)) { 296 mask_allowed |= 1 << OVS_KEY_ATTR_NSH; 297 } 298 } 299 300 if ((key_attrs & key_expected) != key_expected) { 301 /* Key attributes check failed. */ 302 OVS_NLERR(log, "Missing key (keys=%llx, expected=%llx)", 303 (unsigned long long)key_attrs, 304 (unsigned long long)key_expected); 305 return false; 306 } 307 308 if ((mask_attrs & mask_allowed) != mask_attrs) { 309 /* Mask attributes check failed. */ 310 OVS_NLERR(log, "Unexpected mask (mask=%llx, allowed=%llx)", 311 (unsigned long long)mask_attrs, 312 (unsigned long long)mask_allowed); 313 return false; 314 } 315 316 return true; 317 } 318 319 size_t ovs_tun_key_attr_size(void) 320 { 321 /* Whenever adding new OVS_TUNNEL_KEY_ FIELDS, we should consider 322 * updating this function. 323 */ 324 return nla_total_size_64bit(8) /* OVS_TUNNEL_KEY_ATTR_ID */ 325 + nla_total_size(16) /* OVS_TUNNEL_KEY_ATTR_IPV[46]_SRC */ 326 + nla_total_size(16) /* OVS_TUNNEL_KEY_ATTR_IPV[46]_DST */ 327 + nla_total_size(1) /* OVS_TUNNEL_KEY_ATTR_TOS */ 328 + nla_total_size(1) /* OVS_TUNNEL_KEY_ATTR_TTL */ 329 + nla_total_size(0) /* OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT */ 330 + nla_total_size(0) /* OVS_TUNNEL_KEY_ATTR_CSUM */ 331 + nla_total_size(0) /* OVS_TUNNEL_KEY_ATTR_OAM */ 332 + nla_total_size(256) /* OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS */ 333 /* OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS and 334 * OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS is mutually exclusive with 335 * OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS and covered by it. 336 */ 337 + nla_total_size(2) /* OVS_TUNNEL_KEY_ATTR_TP_SRC */ 338 + nla_total_size(2); /* OVS_TUNNEL_KEY_ATTR_TP_DST */ 339 } 340 341 static size_t ovs_nsh_key_attr_size(void) 342 { 343 /* Whenever adding new OVS_NSH_KEY_ FIELDS, we should consider 344 * updating this function. 345 */ 346 return nla_total_size(NSH_BASE_HDR_LEN) /* OVS_NSH_KEY_ATTR_BASE */ 347 /* OVS_NSH_KEY_ATTR_MD1 and OVS_NSH_KEY_ATTR_MD2 are 348 * mutually exclusive, so the bigger one can cover 349 * the small one. 350 */ 351 + nla_total_size(NSH_CTX_HDRS_MAX_LEN); 352 } 353 354 size_t ovs_key_attr_size(void) 355 { 356 /* Whenever adding new OVS_KEY_ FIELDS, we should consider 357 * updating this function. 358 */ 359 BUILD_BUG_ON(OVS_KEY_ATTR_MAX != 32); 360 361 return nla_total_size(4) /* OVS_KEY_ATTR_PRIORITY */ 362 + nla_total_size(0) /* OVS_KEY_ATTR_TUNNEL */ 363 + ovs_tun_key_attr_size() 364 + nla_total_size(4) /* OVS_KEY_ATTR_IN_PORT */ 365 + nla_total_size(4) /* OVS_KEY_ATTR_SKB_MARK */ 366 + nla_total_size(4) /* OVS_KEY_ATTR_DP_HASH */ 367 + nla_total_size(4) /* OVS_KEY_ATTR_RECIRC_ID */ 368 + nla_total_size(4) /* OVS_KEY_ATTR_CT_STATE */ 369 + nla_total_size(2) /* OVS_KEY_ATTR_CT_ZONE */ 370 + nla_total_size(4) /* OVS_KEY_ATTR_CT_MARK */ 371 + nla_total_size(16) /* OVS_KEY_ATTR_CT_LABELS */ 372 + nla_total_size(40) /* OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6 */ 373 + nla_total_size(0) /* OVS_KEY_ATTR_NSH */ 374 + ovs_nsh_key_attr_size() 375 + nla_total_size(12) /* OVS_KEY_ATTR_ETHERNET */ 376 + nla_total_size(2) /* OVS_KEY_ATTR_ETHERTYPE */ 377 + nla_total_size(4) /* OVS_KEY_ATTR_VLAN */ 378 + nla_total_size(0) /* OVS_KEY_ATTR_ENCAP */ 379 + nla_total_size(2) /* OVS_KEY_ATTR_ETHERTYPE */ 380 + nla_total_size(40) /* OVS_KEY_ATTR_IPV6 */ 381 + nla_total_size(2) /* OVS_KEY_ATTR_ICMPV6 */ 382 + nla_total_size(28) /* OVS_KEY_ATTR_ND */ 383 + nla_total_size(2); /* OVS_KEY_ATTR_IPV6_EXTHDRS */ 384 } 385 386 static const struct ovs_len_tbl ovs_vxlan_ext_key_lens[OVS_VXLAN_EXT_MAX + 1] = { 387 [OVS_VXLAN_EXT_GBP] = { .len = sizeof(u32) }, 388 }; 389 390 static const struct ovs_len_tbl ovs_tunnel_key_lens[OVS_TUNNEL_KEY_ATTR_MAX + 1] = { 391 [OVS_TUNNEL_KEY_ATTR_ID] = { .len = sizeof(u64) }, 392 [OVS_TUNNEL_KEY_ATTR_IPV4_SRC] = { .len = sizeof(u32) }, 393 [OVS_TUNNEL_KEY_ATTR_IPV4_DST] = { .len = sizeof(u32) }, 394 [OVS_TUNNEL_KEY_ATTR_TOS] = { .len = 1 }, 395 [OVS_TUNNEL_KEY_ATTR_TTL] = { .len = 1 }, 396 [OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT] = { .len = 0 }, 397 [OVS_TUNNEL_KEY_ATTR_CSUM] = { .len = 0 }, 398 [OVS_TUNNEL_KEY_ATTR_TP_SRC] = { .len = sizeof(u16) }, 399 [OVS_TUNNEL_KEY_ATTR_TP_DST] = { .len = sizeof(u16) }, 400 [OVS_TUNNEL_KEY_ATTR_OAM] = { .len = 0 }, 401 [OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS] = { .len = OVS_ATTR_VARIABLE }, 402 [OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS] = { .len = OVS_ATTR_NESTED, 403 .next = ovs_vxlan_ext_key_lens }, 404 [OVS_TUNNEL_KEY_ATTR_IPV6_SRC] = { .len = sizeof(struct in6_addr) }, 405 [OVS_TUNNEL_KEY_ATTR_IPV6_DST] = { .len = sizeof(struct in6_addr) }, 406 [OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS] = { .len = OVS_ATTR_VARIABLE }, 407 [OVS_TUNNEL_KEY_ATTR_IPV4_INFO_BRIDGE] = { .len = 0 }, 408 }; 409 410 static const struct ovs_len_tbl 411 ovs_nsh_key_attr_lens[OVS_NSH_KEY_ATTR_MAX + 1] = { 412 [OVS_NSH_KEY_ATTR_BASE] = { .len = sizeof(struct ovs_nsh_key_base) }, 413 [OVS_NSH_KEY_ATTR_MD1] = { .len = sizeof(struct ovs_nsh_key_md1) }, 414 [OVS_NSH_KEY_ATTR_MD2] = { .len = OVS_ATTR_VARIABLE }, 415 }; 416 417 /* The size of the argument for each %OVS_KEY_ATTR_* Netlink attribute. */ 418 static const struct ovs_len_tbl ovs_key_lens[OVS_KEY_ATTR_MAX + 1] = { 419 [OVS_KEY_ATTR_ENCAP] = { .len = OVS_ATTR_NESTED }, 420 [OVS_KEY_ATTR_PRIORITY] = { .len = sizeof(u32) }, 421 [OVS_KEY_ATTR_IN_PORT] = { .len = sizeof(u32) }, 422 [OVS_KEY_ATTR_SKB_MARK] = { .len = sizeof(u32) }, 423 [OVS_KEY_ATTR_ETHERNET] = { .len = sizeof(struct ovs_key_ethernet) }, 424 [OVS_KEY_ATTR_VLAN] = { .len = sizeof(__be16) }, 425 [OVS_KEY_ATTR_ETHERTYPE] = { .len = sizeof(__be16) }, 426 [OVS_KEY_ATTR_IPV4] = { .len = sizeof(struct ovs_key_ipv4) }, 427 [OVS_KEY_ATTR_IPV6] = { .len = sizeof(struct ovs_key_ipv6) }, 428 [OVS_KEY_ATTR_TCP] = { .len = sizeof(struct ovs_key_tcp) }, 429 [OVS_KEY_ATTR_TCP_FLAGS] = { .len = sizeof(__be16) }, 430 [OVS_KEY_ATTR_UDP] = { .len = sizeof(struct ovs_key_udp) }, 431 [OVS_KEY_ATTR_SCTP] = { .len = sizeof(struct ovs_key_sctp) }, 432 [OVS_KEY_ATTR_ICMP] = { .len = sizeof(struct ovs_key_icmp) }, 433 [OVS_KEY_ATTR_ICMPV6] = { .len = sizeof(struct ovs_key_icmpv6) }, 434 [OVS_KEY_ATTR_ARP] = { .len = sizeof(struct ovs_key_arp) }, 435 [OVS_KEY_ATTR_ND] = { .len = sizeof(struct ovs_key_nd) }, 436 [OVS_KEY_ATTR_RECIRC_ID] = { .len = sizeof(u32) }, 437 [OVS_KEY_ATTR_DP_HASH] = { .len = sizeof(u32) }, 438 [OVS_KEY_ATTR_TUNNEL] = { .len = OVS_ATTR_NESTED, 439 .next = ovs_tunnel_key_lens, }, 440 [OVS_KEY_ATTR_MPLS] = { .len = OVS_ATTR_VARIABLE }, 441 [OVS_KEY_ATTR_CT_STATE] = { .len = sizeof(u32) }, 442 [OVS_KEY_ATTR_CT_ZONE] = { .len = sizeof(u16) }, 443 [OVS_KEY_ATTR_CT_MARK] = { .len = sizeof(u32) }, 444 [OVS_KEY_ATTR_CT_LABELS] = { .len = sizeof(struct ovs_key_ct_labels) }, 445 [OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4] = { 446 .len = sizeof(struct ovs_key_ct_tuple_ipv4) }, 447 [OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6] = { 448 .len = sizeof(struct ovs_key_ct_tuple_ipv6) }, 449 [OVS_KEY_ATTR_NSH] = { .len = OVS_ATTR_NESTED, 450 .next = ovs_nsh_key_attr_lens, }, 451 [OVS_KEY_ATTR_IPV6_EXTHDRS] = { 452 .len = sizeof(struct ovs_key_ipv6_exthdrs) }, 453 }; 454 455 static bool check_attr_len(unsigned int attr_len, unsigned int expected_len) 456 { 457 return expected_len == attr_len || 458 expected_len == OVS_ATTR_NESTED || 459 expected_len == OVS_ATTR_VARIABLE; 460 } 461 462 static bool is_all_zero(const u8 *fp, size_t size) 463 { 464 int i; 465 466 if (!fp) 467 return false; 468 469 for (i = 0; i < size; i++) 470 if (fp[i]) 471 return false; 472 473 return true; 474 } 475 476 static int __parse_flow_nlattrs(const struct nlattr *attr, 477 const struct nlattr *a[], 478 u64 *attrsp, bool log, bool nz) 479 { 480 const struct nlattr *nla; 481 u64 attrs; 482 int rem; 483 484 attrs = *attrsp; 485 nla_for_each_nested(nla, attr, rem) { 486 u16 type = nla_type(nla); 487 int expected_len; 488 489 if (type > OVS_KEY_ATTR_MAX) { 490 OVS_NLERR(log, "Key type %d is out of range max %d", 491 type, OVS_KEY_ATTR_MAX); 492 return -EINVAL; 493 } 494 495 if (type == OVS_KEY_ATTR_PACKET_TYPE || 496 type == OVS_KEY_ATTR_ND_EXTENSIONS || 497 type == OVS_KEY_ATTR_TUNNEL_INFO) { 498 OVS_NLERR(log, "Key type %d is not supported", type); 499 return -EINVAL; 500 } 501 502 if (attrs & (1ULL << type)) { 503 OVS_NLERR(log, "Duplicate key (type %d).", type); 504 return -EINVAL; 505 } 506 507 expected_len = ovs_key_lens[type].len; 508 if (!check_attr_len(nla_len(nla), expected_len)) { 509 OVS_NLERR(log, "Key %d has unexpected len %d expected %d", 510 type, nla_len(nla), expected_len); 511 return -EINVAL; 512 } 513 514 if (!nz || !is_all_zero(nla_data(nla), nla_len(nla))) { 515 attrs |= 1ULL << type; 516 a[type] = nla; 517 } 518 } 519 if (rem) { 520 OVS_NLERR(log, "Message has %d unknown bytes.", rem); 521 return -EINVAL; 522 } 523 524 *attrsp = attrs; 525 return 0; 526 } 527 528 static int parse_flow_mask_nlattrs(const struct nlattr *attr, 529 const struct nlattr *a[], u64 *attrsp, 530 bool log) 531 { 532 return __parse_flow_nlattrs(attr, a, attrsp, log, true); 533 } 534 535 int parse_flow_nlattrs(const struct nlattr *attr, const struct nlattr *a[], 536 u64 *attrsp, bool log) 537 { 538 return __parse_flow_nlattrs(attr, a, attrsp, log, false); 539 } 540 541 static int genev_tun_opt_from_nlattr(const struct nlattr *a, 542 struct sw_flow_match *match, bool is_mask, 543 bool log) 544 { 545 unsigned long opt_key_offset; 546 547 if (nla_len(a) > sizeof(match->key->tun_opts)) { 548 OVS_NLERR(log, "Geneve option length err (len %d, max %zu).", 549 nla_len(a), sizeof(match->key->tun_opts)); 550 return -EINVAL; 551 } 552 553 if (nla_len(a) % 4 != 0) { 554 OVS_NLERR(log, "Geneve opt len %d is not a multiple of 4.", 555 nla_len(a)); 556 return -EINVAL; 557 } 558 559 /* We need to record the length of the options passed 560 * down, otherwise packets with the same format but 561 * additional options will be silently matched. 562 */ 563 if (!is_mask) { 564 SW_FLOW_KEY_PUT(match, tun_opts_len, nla_len(a), 565 false); 566 } else { 567 /* This is somewhat unusual because it looks at 568 * both the key and mask while parsing the 569 * attributes (and by extension assumes the key 570 * is parsed first). Normally, we would verify 571 * that each is the correct length and that the 572 * attributes line up in the validate function. 573 * However, that is difficult because this is 574 * variable length and we won't have the 575 * information later. 576 */ 577 if (match->key->tun_opts_len != nla_len(a)) { 578 OVS_NLERR(log, "Geneve option len %d != mask len %d", 579 match->key->tun_opts_len, nla_len(a)); 580 return -EINVAL; 581 } 582 583 SW_FLOW_KEY_PUT(match, tun_opts_len, 0xff, true); 584 } 585 586 opt_key_offset = TUN_METADATA_OFFSET(nla_len(a)); 587 SW_FLOW_KEY_MEMCPY_OFFSET(match, opt_key_offset, nla_data(a), 588 nla_len(a), is_mask); 589 return 0; 590 } 591 592 static int vxlan_tun_opt_from_nlattr(const struct nlattr *attr, 593 struct sw_flow_match *match, bool is_mask, 594 bool log) 595 { 596 struct nlattr *a; 597 int rem; 598 unsigned long opt_key_offset; 599 struct vxlan_metadata opts; 600 601 BUILD_BUG_ON(sizeof(opts) > sizeof(match->key->tun_opts)); 602 603 memset(&opts, 0, sizeof(opts)); 604 nla_for_each_nested(a, attr, rem) { 605 int type = nla_type(a); 606 607 if (type > OVS_VXLAN_EXT_MAX) { 608 OVS_NLERR(log, "VXLAN extension %d out of range max %d", 609 type, OVS_VXLAN_EXT_MAX); 610 return -EINVAL; 611 } 612 613 if (!check_attr_len(nla_len(a), 614 ovs_vxlan_ext_key_lens[type].len)) { 615 OVS_NLERR(log, "VXLAN extension %d has unexpected len %d expected %d", 616 type, nla_len(a), 617 ovs_vxlan_ext_key_lens[type].len); 618 return -EINVAL; 619 } 620 621 switch (type) { 622 case OVS_VXLAN_EXT_GBP: 623 opts.gbp = nla_get_u32(a); 624 break; 625 default: 626 OVS_NLERR(log, "Unknown VXLAN extension attribute %d", 627 type); 628 return -EINVAL; 629 } 630 } 631 if (rem) { 632 OVS_NLERR(log, "VXLAN extension message has %d unknown bytes.", 633 rem); 634 return -EINVAL; 635 } 636 637 if (!is_mask) 638 SW_FLOW_KEY_PUT(match, tun_opts_len, sizeof(opts), false); 639 else 640 SW_FLOW_KEY_PUT(match, tun_opts_len, 0xff, true); 641 642 opt_key_offset = TUN_METADATA_OFFSET(sizeof(opts)); 643 SW_FLOW_KEY_MEMCPY_OFFSET(match, opt_key_offset, &opts, sizeof(opts), 644 is_mask); 645 return 0; 646 } 647 648 static int erspan_tun_opt_from_nlattr(const struct nlattr *a, 649 struct sw_flow_match *match, bool is_mask, 650 bool log) 651 { 652 unsigned long opt_key_offset; 653 654 BUILD_BUG_ON(sizeof(struct erspan_metadata) > 655 sizeof(match->key->tun_opts)); 656 657 if (nla_len(a) > sizeof(match->key->tun_opts)) { 658 OVS_NLERR(log, "ERSPAN option length err (len %d, max %zu).", 659 nla_len(a), sizeof(match->key->tun_opts)); 660 return -EINVAL; 661 } 662 663 if (!is_mask) 664 SW_FLOW_KEY_PUT(match, tun_opts_len, 665 sizeof(struct erspan_metadata), false); 666 else 667 SW_FLOW_KEY_PUT(match, tun_opts_len, 0xff, true); 668 669 opt_key_offset = TUN_METADATA_OFFSET(nla_len(a)); 670 SW_FLOW_KEY_MEMCPY_OFFSET(match, opt_key_offset, nla_data(a), 671 nla_len(a), is_mask); 672 return 0; 673 } 674 675 static int ip_tun_from_nlattr(const struct nlattr *attr, 676 struct sw_flow_match *match, bool is_mask, 677 bool log) 678 { 679 bool ttl = false, ipv4 = false, ipv6 = false; 680 IP_TUNNEL_DECLARE_FLAGS(tun_flags) = { }; 681 bool info_bridge_mode = false; 682 int opts_type = 0; 683 struct nlattr *a; 684 int rem; 685 686 nla_for_each_nested(a, attr, rem) { 687 int type = nla_type(a); 688 int err; 689 690 if (type > OVS_TUNNEL_KEY_ATTR_MAX) { 691 OVS_NLERR(log, "Tunnel attr %d out of range max %d", 692 type, OVS_TUNNEL_KEY_ATTR_MAX); 693 return -EINVAL; 694 } 695 696 if (!check_attr_len(nla_len(a), 697 ovs_tunnel_key_lens[type].len)) { 698 OVS_NLERR(log, "Tunnel attr %d has unexpected len %d expected %d", 699 type, nla_len(a), ovs_tunnel_key_lens[type].len); 700 return -EINVAL; 701 } 702 703 switch (type) { 704 case OVS_TUNNEL_KEY_ATTR_ID: 705 SW_FLOW_KEY_PUT(match, tun_key.tun_id, 706 nla_get_be64(a), is_mask); 707 __set_bit(IP_TUNNEL_KEY_BIT, tun_flags); 708 break; 709 case OVS_TUNNEL_KEY_ATTR_IPV4_SRC: 710 SW_FLOW_KEY_PUT(match, tun_key.u.ipv4.src, 711 nla_get_in_addr(a), is_mask); 712 ipv4 = true; 713 break; 714 case OVS_TUNNEL_KEY_ATTR_IPV4_DST: 715 SW_FLOW_KEY_PUT(match, tun_key.u.ipv4.dst, 716 nla_get_in_addr(a), is_mask); 717 ipv4 = true; 718 break; 719 case OVS_TUNNEL_KEY_ATTR_IPV6_SRC: 720 SW_FLOW_KEY_PUT(match, tun_key.u.ipv6.src, 721 nla_get_in6_addr(a), is_mask); 722 ipv6 = true; 723 break; 724 case OVS_TUNNEL_KEY_ATTR_IPV6_DST: 725 SW_FLOW_KEY_PUT(match, tun_key.u.ipv6.dst, 726 nla_get_in6_addr(a), is_mask); 727 ipv6 = true; 728 break; 729 case OVS_TUNNEL_KEY_ATTR_TOS: 730 SW_FLOW_KEY_PUT(match, tun_key.tos, 731 nla_get_u8(a), is_mask); 732 break; 733 case OVS_TUNNEL_KEY_ATTR_TTL: 734 SW_FLOW_KEY_PUT(match, tun_key.ttl, 735 nla_get_u8(a), is_mask); 736 ttl = true; 737 break; 738 case OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT: 739 __set_bit(IP_TUNNEL_DONT_FRAGMENT_BIT, tun_flags); 740 break; 741 case OVS_TUNNEL_KEY_ATTR_CSUM: 742 __set_bit(IP_TUNNEL_CSUM_BIT, tun_flags); 743 break; 744 case OVS_TUNNEL_KEY_ATTR_TP_SRC: 745 SW_FLOW_KEY_PUT(match, tun_key.tp_src, 746 nla_get_be16(a), is_mask); 747 break; 748 case OVS_TUNNEL_KEY_ATTR_TP_DST: 749 SW_FLOW_KEY_PUT(match, tun_key.tp_dst, 750 nla_get_be16(a), is_mask); 751 break; 752 case OVS_TUNNEL_KEY_ATTR_OAM: 753 __set_bit(IP_TUNNEL_OAM_BIT, tun_flags); 754 break; 755 case OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS: 756 if (opts_type) { 757 OVS_NLERR(log, "Multiple metadata blocks provided"); 758 return -EINVAL; 759 } 760 761 err = genev_tun_opt_from_nlattr(a, match, is_mask, log); 762 if (err) 763 return err; 764 765 __set_bit(IP_TUNNEL_GENEVE_OPT_BIT, tun_flags); 766 opts_type = type; 767 break; 768 case OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS: 769 if (opts_type) { 770 OVS_NLERR(log, "Multiple metadata blocks provided"); 771 return -EINVAL; 772 } 773 774 err = vxlan_tun_opt_from_nlattr(a, match, is_mask, log); 775 if (err) 776 return err; 777 778 __set_bit(IP_TUNNEL_VXLAN_OPT_BIT, tun_flags); 779 opts_type = type; 780 break; 781 case OVS_TUNNEL_KEY_ATTR_PAD: 782 break; 783 case OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS: 784 if (opts_type) { 785 OVS_NLERR(log, "Multiple metadata blocks provided"); 786 return -EINVAL; 787 } 788 789 err = erspan_tun_opt_from_nlattr(a, match, is_mask, 790 log); 791 if (err) 792 return err; 793 794 __set_bit(IP_TUNNEL_ERSPAN_OPT_BIT, tun_flags); 795 opts_type = type; 796 break; 797 case OVS_TUNNEL_KEY_ATTR_IPV4_INFO_BRIDGE: 798 info_bridge_mode = true; 799 ipv4 = true; 800 break; 801 default: 802 OVS_NLERR(log, "Unknown IP tunnel attribute %d", 803 type); 804 return -EINVAL; 805 } 806 } 807 808 SW_FLOW_KEY_BITMAP_COPY(match, tun_key.tun_flags, tun_flags, 809 __IP_TUNNEL_FLAG_NUM, is_mask); 810 if (is_mask) 811 SW_FLOW_KEY_MEMSET_FIELD(match, tun_proto, 0xff, true); 812 else 813 SW_FLOW_KEY_PUT(match, tun_proto, ipv6 ? AF_INET6 : AF_INET, 814 false); 815 816 if (rem > 0) { 817 OVS_NLERR(log, "IP tunnel attribute has %d unknown bytes.", 818 rem); 819 return -EINVAL; 820 } 821 822 if (ipv4 && ipv6) { 823 OVS_NLERR(log, "Mixed IPv4 and IPv6 tunnel attributes"); 824 return -EINVAL; 825 } 826 827 if (!is_mask) { 828 if (!ipv4 && !ipv6) { 829 OVS_NLERR(log, "IP tunnel dst address not specified"); 830 return -EINVAL; 831 } 832 if (ipv4) { 833 if (info_bridge_mode) { 834 __clear_bit(IP_TUNNEL_KEY_BIT, tun_flags); 835 836 if (match->key->tun_key.u.ipv4.src || 837 match->key->tun_key.u.ipv4.dst || 838 match->key->tun_key.tp_src || 839 match->key->tun_key.tp_dst || 840 match->key->tun_key.ttl || 841 match->key->tun_key.tos || 842 !ip_tunnel_flags_empty(tun_flags)) { 843 OVS_NLERR(log, "IPv4 tun info is not correct"); 844 return -EINVAL; 845 } 846 } else if (!match->key->tun_key.u.ipv4.dst) { 847 OVS_NLERR(log, "IPv4 tunnel dst address is zero"); 848 return -EINVAL; 849 } 850 } 851 if (ipv6 && ipv6_addr_any(&match->key->tun_key.u.ipv6.dst)) { 852 OVS_NLERR(log, "IPv6 tunnel dst address is zero"); 853 return -EINVAL; 854 } 855 856 if (!ttl && !info_bridge_mode) { 857 OVS_NLERR(log, "IP tunnel TTL not specified."); 858 return -EINVAL; 859 } 860 } 861 862 return opts_type; 863 } 864 865 static int vxlan_opt_to_nlattr(struct sk_buff *skb, 866 const void *tun_opts, int swkey_tun_opts_len) 867 { 868 const struct vxlan_metadata *opts = tun_opts; 869 struct nlattr *nla; 870 871 nla = nla_nest_start_noflag(skb, OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS); 872 if (!nla) 873 return -EMSGSIZE; 874 875 if (nla_put_u32(skb, OVS_VXLAN_EXT_GBP, opts->gbp) < 0) 876 return -EMSGSIZE; 877 878 nla_nest_end(skb, nla); 879 return 0; 880 } 881 882 static int __ip_tun_to_nlattr(struct sk_buff *skb, 883 const struct ip_tunnel_key *output, 884 const void *tun_opts, int swkey_tun_opts_len, 885 unsigned short tun_proto, u8 mode) 886 { 887 if (test_bit(IP_TUNNEL_KEY_BIT, output->tun_flags) && 888 nla_put_be64(skb, OVS_TUNNEL_KEY_ATTR_ID, output->tun_id, 889 OVS_TUNNEL_KEY_ATTR_PAD)) 890 return -EMSGSIZE; 891 892 if (mode & IP_TUNNEL_INFO_BRIDGE) 893 return nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_IPV4_INFO_BRIDGE) 894 ? -EMSGSIZE : 0; 895 896 switch (tun_proto) { 897 case AF_INET: 898 if (output->u.ipv4.src && 899 nla_put_in_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV4_SRC, 900 output->u.ipv4.src)) 901 return -EMSGSIZE; 902 if (output->u.ipv4.dst && 903 nla_put_in_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV4_DST, 904 output->u.ipv4.dst)) 905 return -EMSGSIZE; 906 break; 907 case AF_INET6: 908 if (!ipv6_addr_any(&output->u.ipv6.src) && 909 nla_put_in6_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV6_SRC, 910 &output->u.ipv6.src)) 911 return -EMSGSIZE; 912 if (!ipv6_addr_any(&output->u.ipv6.dst) && 913 nla_put_in6_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV6_DST, 914 &output->u.ipv6.dst)) 915 return -EMSGSIZE; 916 break; 917 } 918 if (output->tos && 919 nla_put_u8(skb, OVS_TUNNEL_KEY_ATTR_TOS, output->tos)) 920 return -EMSGSIZE; 921 if (nla_put_u8(skb, OVS_TUNNEL_KEY_ATTR_TTL, output->ttl)) 922 return -EMSGSIZE; 923 if (test_bit(IP_TUNNEL_DONT_FRAGMENT_BIT, output->tun_flags) && 924 nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT)) 925 return -EMSGSIZE; 926 if (test_bit(IP_TUNNEL_CSUM_BIT, output->tun_flags) && 927 nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_CSUM)) 928 return -EMSGSIZE; 929 if (output->tp_src && 930 nla_put_be16(skb, OVS_TUNNEL_KEY_ATTR_TP_SRC, output->tp_src)) 931 return -EMSGSIZE; 932 if (output->tp_dst && 933 nla_put_be16(skb, OVS_TUNNEL_KEY_ATTR_TP_DST, output->tp_dst)) 934 return -EMSGSIZE; 935 if (test_bit(IP_TUNNEL_OAM_BIT, output->tun_flags) && 936 nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_OAM)) 937 return -EMSGSIZE; 938 if (swkey_tun_opts_len) { 939 if (test_bit(IP_TUNNEL_GENEVE_OPT_BIT, output->tun_flags) && 940 nla_put(skb, OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS, 941 swkey_tun_opts_len, tun_opts)) 942 return -EMSGSIZE; 943 else if (test_bit(IP_TUNNEL_VXLAN_OPT_BIT, 944 output->tun_flags) && 945 vxlan_opt_to_nlattr(skb, tun_opts, swkey_tun_opts_len)) 946 return -EMSGSIZE; 947 else if (test_bit(IP_TUNNEL_ERSPAN_OPT_BIT, 948 output->tun_flags) && 949 nla_put(skb, OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS, 950 swkey_tun_opts_len, tun_opts)) 951 return -EMSGSIZE; 952 } 953 954 return 0; 955 } 956 957 static int ip_tun_to_nlattr(struct sk_buff *skb, 958 const struct ip_tunnel_key *output, 959 const void *tun_opts, int swkey_tun_opts_len, 960 unsigned short tun_proto, u8 mode) 961 { 962 struct nlattr *nla; 963 int err; 964 965 nla = nla_nest_start_noflag(skb, OVS_KEY_ATTR_TUNNEL); 966 if (!nla) 967 return -EMSGSIZE; 968 969 err = __ip_tun_to_nlattr(skb, output, tun_opts, swkey_tun_opts_len, 970 tun_proto, mode); 971 if (err) 972 return err; 973 974 nla_nest_end(skb, nla); 975 return 0; 976 } 977 978 int ovs_nla_put_tunnel_info(struct sk_buff *skb, 979 struct ip_tunnel_info *tun_info) 980 { 981 return __ip_tun_to_nlattr(skb, &tun_info->key, 982 ip_tunnel_info_opts(tun_info), 983 tun_info->options_len, 984 ip_tunnel_info_af(tun_info), tun_info->mode); 985 } 986 987 static int encode_vlan_from_nlattrs(struct sw_flow_match *match, 988 const struct nlattr *a[], 989 bool is_mask, bool inner) 990 { 991 __be16 tci = 0; 992 __be16 tpid = 0; 993 994 if (a[OVS_KEY_ATTR_VLAN]) 995 tci = nla_get_be16(a[OVS_KEY_ATTR_VLAN]); 996 997 if (a[OVS_KEY_ATTR_ETHERTYPE]) 998 tpid = nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE]); 999 1000 if (likely(!inner)) { 1001 SW_FLOW_KEY_PUT(match, eth.vlan.tpid, tpid, is_mask); 1002 SW_FLOW_KEY_PUT(match, eth.vlan.tci, tci, is_mask); 1003 } else { 1004 SW_FLOW_KEY_PUT(match, eth.cvlan.tpid, tpid, is_mask); 1005 SW_FLOW_KEY_PUT(match, eth.cvlan.tci, tci, is_mask); 1006 } 1007 return 0; 1008 } 1009 1010 static int validate_vlan_from_nlattrs(const struct sw_flow_match *match, 1011 u64 key_attrs, bool inner, 1012 const struct nlattr **a, bool log) 1013 { 1014 __be16 tci = 0; 1015 1016 if (!((key_attrs & (1 << OVS_KEY_ATTR_ETHERNET)) && 1017 (key_attrs & (1 << OVS_KEY_ATTR_ETHERTYPE)) && 1018 eth_type_vlan(nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE])))) { 1019 /* Not a VLAN. */ 1020 return 0; 1021 } 1022 1023 if (!((key_attrs & (1 << OVS_KEY_ATTR_VLAN)) && 1024 (key_attrs & (1 << OVS_KEY_ATTR_ENCAP)))) { 1025 OVS_NLERR(log, "Invalid %s frame", (inner) ? "C-VLAN" : "VLAN"); 1026 return -EINVAL; 1027 } 1028 1029 if (a[OVS_KEY_ATTR_VLAN]) 1030 tci = nla_get_be16(a[OVS_KEY_ATTR_VLAN]); 1031 1032 if (!(tci & htons(VLAN_CFI_MASK))) { 1033 if (tci) { 1034 OVS_NLERR(log, "%s TCI does not have VLAN_CFI_MASK bit set.", 1035 (inner) ? "C-VLAN" : "VLAN"); 1036 return -EINVAL; 1037 } else if (nla_len(a[OVS_KEY_ATTR_ENCAP])) { 1038 /* Corner case for truncated VLAN header. */ 1039 OVS_NLERR(log, "Truncated %s header has non-zero encap attribute.", 1040 (inner) ? "C-VLAN" : "VLAN"); 1041 return -EINVAL; 1042 } 1043 } 1044 1045 return 1; 1046 } 1047 1048 static int validate_vlan_mask_from_nlattrs(const struct sw_flow_match *match, 1049 u64 key_attrs, bool inner, 1050 const struct nlattr **a, bool log) 1051 { 1052 __be16 tci = 0; 1053 __be16 tpid = 0; 1054 bool encap_valid = !!(match->key->eth.vlan.tci & 1055 htons(VLAN_CFI_MASK)); 1056 bool i_encap_valid = !!(match->key->eth.cvlan.tci & 1057 htons(VLAN_CFI_MASK)); 1058 1059 if (!(key_attrs & (1 << OVS_KEY_ATTR_ENCAP))) { 1060 /* Not a VLAN. */ 1061 return 0; 1062 } 1063 1064 if ((!inner && !encap_valid) || (inner && !i_encap_valid)) { 1065 OVS_NLERR(log, "Encap mask attribute is set for non-%s frame.", 1066 (inner) ? "C-VLAN" : "VLAN"); 1067 return -EINVAL; 1068 } 1069 1070 if (a[OVS_KEY_ATTR_VLAN]) 1071 tci = nla_get_be16(a[OVS_KEY_ATTR_VLAN]); 1072 1073 if (a[OVS_KEY_ATTR_ETHERTYPE]) 1074 tpid = nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE]); 1075 1076 if (tpid != htons(0xffff)) { 1077 OVS_NLERR(log, "Must have an exact match on %s TPID (mask=%x).", 1078 (inner) ? "C-VLAN" : "VLAN", ntohs(tpid)); 1079 return -EINVAL; 1080 } 1081 if (!(tci & htons(VLAN_CFI_MASK))) { 1082 OVS_NLERR(log, "%s TCI mask does not have exact match for VLAN_CFI_MASK bit.", 1083 (inner) ? "C-VLAN" : "VLAN"); 1084 return -EINVAL; 1085 } 1086 1087 return 1; 1088 } 1089 1090 static int __parse_vlan_from_nlattrs(struct sw_flow_match *match, 1091 u64 *key_attrs, bool inner, 1092 const struct nlattr **a, bool is_mask, 1093 bool log) 1094 { 1095 int err; 1096 const struct nlattr *encap; 1097 1098 if (!is_mask) 1099 err = validate_vlan_from_nlattrs(match, *key_attrs, inner, 1100 a, log); 1101 else 1102 err = validate_vlan_mask_from_nlattrs(match, *key_attrs, inner, 1103 a, log); 1104 if (err <= 0) 1105 return err; 1106 1107 err = encode_vlan_from_nlattrs(match, a, is_mask, inner); 1108 if (err) 1109 return err; 1110 1111 *key_attrs &= ~(1 << OVS_KEY_ATTR_ENCAP); 1112 *key_attrs &= ~(1 << OVS_KEY_ATTR_VLAN); 1113 *key_attrs &= ~(1 << OVS_KEY_ATTR_ETHERTYPE); 1114 1115 encap = a[OVS_KEY_ATTR_ENCAP]; 1116 1117 if (!is_mask) 1118 err = parse_flow_nlattrs(encap, a, key_attrs, log); 1119 else 1120 err = parse_flow_mask_nlattrs(encap, a, key_attrs, log); 1121 1122 return err; 1123 } 1124 1125 static int parse_vlan_from_nlattrs(struct sw_flow_match *match, 1126 u64 *key_attrs, const struct nlattr **a, 1127 bool is_mask, bool log) 1128 { 1129 int err; 1130 bool encap_valid = false; 1131 1132 err = __parse_vlan_from_nlattrs(match, key_attrs, false, a, 1133 is_mask, log); 1134 if (err) 1135 return err; 1136 1137 encap_valid = !!(match->key->eth.vlan.tci & htons(VLAN_CFI_MASK)); 1138 if (encap_valid) { 1139 err = __parse_vlan_from_nlattrs(match, key_attrs, true, a, 1140 is_mask, log); 1141 if (err) 1142 return err; 1143 } 1144 1145 return 0; 1146 } 1147 1148 static int parse_eth_type_from_nlattrs(struct sw_flow_match *match, 1149 u64 *attrs, const struct nlattr **a, 1150 bool is_mask, bool log) 1151 { 1152 __be16 eth_type; 1153 1154 eth_type = nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE]); 1155 if (is_mask) { 1156 /* Always exact match EtherType. */ 1157 eth_type = htons(0xffff); 1158 } else if (!eth_proto_is_802_3(eth_type)) { 1159 OVS_NLERR(log, "EtherType %x is less than min %x", 1160 ntohs(eth_type), ETH_P_802_3_MIN); 1161 return -EINVAL; 1162 } 1163 1164 SW_FLOW_KEY_PUT(match, eth.type, eth_type, is_mask); 1165 *attrs &= ~(1 << OVS_KEY_ATTR_ETHERTYPE); 1166 return 0; 1167 } 1168 1169 static int metadata_from_nlattrs(struct net *net, struct sw_flow_match *match, 1170 u64 *attrs, const struct nlattr **a, 1171 bool is_mask, bool log) 1172 { 1173 u8 mac_proto = MAC_PROTO_ETHERNET; 1174 1175 if (*attrs & (1 << OVS_KEY_ATTR_DP_HASH)) { 1176 u32 hash_val = nla_get_u32(a[OVS_KEY_ATTR_DP_HASH]); 1177 1178 SW_FLOW_KEY_PUT(match, ovs_flow_hash, hash_val, is_mask); 1179 *attrs &= ~(1 << OVS_KEY_ATTR_DP_HASH); 1180 } 1181 1182 if (*attrs & (1 << OVS_KEY_ATTR_RECIRC_ID)) { 1183 u32 recirc_id = nla_get_u32(a[OVS_KEY_ATTR_RECIRC_ID]); 1184 1185 SW_FLOW_KEY_PUT(match, recirc_id, recirc_id, is_mask); 1186 *attrs &= ~(1 << OVS_KEY_ATTR_RECIRC_ID); 1187 } 1188 1189 if (*attrs & (1 << OVS_KEY_ATTR_PRIORITY)) { 1190 SW_FLOW_KEY_PUT(match, phy.priority, 1191 nla_get_u32(a[OVS_KEY_ATTR_PRIORITY]), is_mask); 1192 *attrs &= ~(1 << OVS_KEY_ATTR_PRIORITY); 1193 } 1194 1195 if (*attrs & (1 << OVS_KEY_ATTR_IN_PORT)) { 1196 u32 in_port = nla_get_u32(a[OVS_KEY_ATTR_IN_PORT]); 1197 1198 if (is_mask) { 1199 in_port = 0xffffffff; /* Always exact match in_port. */ 1200 } else if (in_port >= DP_MAX_PORTS) { 1201 OVS_NLERR(log, "Port %d exceeds max allowable %d", 1202 in_port, DP_MAX_PORTS); 1203 return -EINVAL; 1204 } 1205 1206 SW_FLOW_KEY_PUT(match, phy.in_port, in_port, is_mask); 1207 *attrs &= ~(1 << OVS_KEY_ATTR_IN_PORT); 1208 } else if (!is_mask) { 1209 SW_FLOW_KEY_PUT(match, phy.in_port, DP_MAX_PORTS, is_mask); 1210 } 1211 1212 if (*attrs & (1 << OVS_KEY_ATTR_SKB_MARK)) { 1213 uint32_t mark = nla_get_u32(a[OVS_KEY_ATTR_SKB_MARK]); 1214 1215 SW_FLOW_KEY_PUT(match, phy.skb_mark, mark, is_mask); 1216 *attrs &= ~(1 << OVS_KEY_ATTR_SKB_MARK); 1217 } 1218 if (*attrs & (1 << OVS_KEY_ATTR_TUNNEL)) { 1219 if (ip_tun_from_nlattr(a[OVS_KEY_ATTR_TUNNEL], match, 1220 is_mask, log) < 0) 1221 return -EINVAL; 1222 *attrs &= ~(1 << OVS_KEY_ATTR_TUNNEL); 1223 } 1224 1225 if (*attrs & (1 << OVS_KEY_ATTR_CT_STATE) && 1226 ovs_ct_verify(net, OVS_KEY_ATTR_CT_STATE)) { 1227 u32 ct_state = nla_get_u32(a[OVS_KEY_ATTR_CT_STATE]); 1228 1229 if (ct_state & ~CT_SUPPORTED_MASK) { 1230 OVS_NLERR(log, "ct_state flags %08x unsupported", 1231 ct_state); 1232 return -EINVAL; 1233 } 1234 1235 SW_FLOW_KEY_PUT(match, ct_state, ct_state, is_mask); 1236 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_STATE); 1237 } 1238 if (*attrs & (1 << OVS_KEY_ATTR_CT_ZONE) && 1239 ovs_ct_verify(net, OVS_KEY_ATTR_CT_ZONE)) { 1240 u16 ct_zone = nla_get_u16(a[OVS_KEY_ATTR_CT_ZONE]); 1241 1242 SW_FLOW_KEY_PUT(match, ct_zone, ct_zone, is_mask); 1243 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_ZONE); 1244 } 1245 if (*attrs & (1 << OVS_KEY_ATTR_CT_MARK) && 1246 ovs_ct_verify(net, OVS_KEY_ATTR_CT_MARK)) { 1247 u32 mark = nla_get_u32(a[OVS_KEY_ATTR_CT_MARK]); 1248 1249 SW_FLOW_KEY_PUT(match, ct.mark, mark, is_mask); 1250 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_MARK); 1251 } 1252 if (*attrs & (1 << OVS_KEY_ATTR_CT_LABELS) && 1253 ovs_ct_verify(net, OVS_KEY_ATTR_CT_LABELS)) { 1254 const struct ovs_key_ct_labels *cl; 1255 1256 cl = nla_data(a[OVS_KEY_ATTR_CT_LABELS]); 1257 SW_FLOW_KEY_MEMCPY(match, ct.labels, cl->ct_labels, 1258 sizeof(*cl), is_mask); 1259 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_LABELS); 1260 } 1261 if (*attrs & (1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4)) { 1262 const struct ovs_key_ct_tuple_ipv4 *ct; 1263 1264 ct = nla_data(a[OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4]); 1265 1266 SW_FLOW_KEY_PUT(match, ipv4.ct_orig.src, ct->ipv4_src, is_mask); 1267 SW_FLOW_KEY_PUT(match, ipv4.ct_orig.dst, ct->ipv4_dst, is_mask); 1268 SW_FLOW_KEY_PUT(match, ct.orig_tp.src, ct->src_port, is_mask); 1269 SW_FLOW_KEY_PUT(match, ct.orig_tp.dst, ct->dst_port, is_mask); 1270 SW_FLOW_KEY_PUT(match, ct_orig_proto, ct->ipv4_proto, is_mask); 1271 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4); 1272 } 1273 if (*attrs & (1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6)) { 1274 const struct ovs_key_ct_tuple_ipv6 *ct; 1275 1276 ct = nla_data(a[OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6]); 1277 1278 SW_FLOW_KEY_MEMCPY(match, ipv6.ct_orig.src, &ct->ipv6_src, 1279 sizeof(match->key->ipv6.ct_orig.src), 1280 is_mask); 1281 SW_FLOW_KEY_MEMCPY(match, ipv6.ct_orig.dst, &ct->ipv6_dst, 1282 sizeof(match->key->ipv6.ct_orig.dst), 1283 is_mask); 1284 SW_FLOW_KEY_PUT(match, ct.orig_tp.src, ct->src_port, is_mask); 1285 SW_FLOW_KEY_PUT(match, ct.orig_tp.dst, ct->dst_port, is_mask); 1286 SW_FLOW_KEY_PUT(match, ct_orig_proto, ct->ipv6_proto, is_mask); 1287 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6); 1288 } 1289 1290 /* For layer 3 packets the Ethernet type is provided 1291 * and treated as metadata but no MAC addresses are provided. 1292 */ 1293 if (!(*attrs & (1ULL << OVS_KEY_ATTR_ETHERNET)) && 1294 (*attrs & (1ULL << OVS_KEY_ATTR_ETHERTYPE))) 1295 mac_proto = MAC_PROTO_NONE; 1296 1297 /* Always exact match mac_proto */ 1298 SW_FLOW_KEY_PUT(match, mac_proto, is_mask ? 0xff : mac_proto, is_mask); 1299 1300 if (mac_proto == MAC_PROTO_NONE) 1301 return parse_eth_type_from_nlattrs(match, attrs, a, is_mask, 1302 log); 1303 1304 return 0; 1305 } 1306 1307 int nsh_hdr_from_nlattr(const struct nlattr *attr, 1308 struct nshhdr *nh, size_t size) 1309 { 1310 struct nlattr *a; 1311 int rem; 1312 u8 flags = 0; 1313 u8 ttl = 0; 1314 int mdlen = 0; 1315 1316 /* validate_nsh has check this, so we needn't do duplicate check here 1317 */ 1318 if (size < NSH_BASE_HDR_LEN) 1319 return -ENOBUFS; 1320 1321 nla_for_each_nested(a, attr, rem) { 1322 int type = nla_type(a); 1323 1324 switch (type) { 1325 case OVS_NSH_KEY_ATTR_BASE: { 1326 const struct ovs_nsh_key_base *base = nla_data(a); 1327 1328 flags = base->flags; 1329 ttl = base->ttl; 1330 nh->np = base->np; 1331 nh->mdtype = base->mdtype; 1332 nh->path_hdr = base->path_hdr; 1333 break; 1334 } 1335 case OVS_NSH_KEY_ATTR_MD1: 1336 mdlen = nla_len(a); 1337 if (mdlen > size - NSH_BASE_HDR_LEN) 1338 return -ENOBUFS; 1339 memcpy(&nh->md1, nla_data(a), mdlen); 1340 break; 1341 1342 case OVS_NSH_KEY_ATTR_MD2: 1343 mdlen = nla_len(a); 1344 if (mdlen > size - NSH_BASE_HDR_LEN) 1345 return -ENOBUFS; 1346 memcpy(&nh->md2, nla_data(a), mdlen); 1347 break; 1348 1349 default: 1350 return -EINVAL; 1351 } 1352 } 1353 1354 /* nsh header length = NSH_BASE_HDR_LEN + mdlen */ 1355 nh->ver_flags_ttl_len = 0; 1356 nsh_set_flags_ttl_len(nh, flags, ttl, NSH_BASE_HDR_LEN + mdlen); 1357 1358 return 0; 1359 } 1360 1361 int nsh_key_from_nlattr(const struct nlattr *attr, 1362 struct ovs_key_nsh *nsh, struct ovs_key_nsh *nsh_mask) 1363 { 1364 struct nlattr *a; 1365 int rem; 1366 1367 /* validate_nsh has check this, so we needn't do duplicate check here 1368 */ 1369 nla_for_each_nested(a, attr, rem) { 1370 int type = nla_type(a); 1371 1372 switch (type) { 1373 case OVS_NSH_KEY_ATTR_BASE: { 1374 const struct ovs_nsh_key_base *base = nla_data(a); 1375 const struct ovs_nsh_key_base *base_mask = base + 1; 1376 1377 nsh->base = *base; 1378 nsh_mask->base = *base_mask; 1379 break; 1380 } 1381 case OVS_NSH_KEY_ATTR_MD1: { 1382 const struct ovs_nsh_key_md1 *md1 = nla_data(a); 1383 const struct ovs_nsh_key_md1 *md1_mask = md1 + 1; 1384 1385 memcpy(nsh->context, md1->context, sizeof(*md1)); 1386 memcpy(nsh_mask->context, md1_mask->context, 1387 sizeof(*md1_mask)); 1388 break; 1389 } 1390 case OVS_NSH_KEY_ATTR_MD2: 1391 /* Not supported yet */ 1392 return -ENOTSUPP; 1393 default: 1394 return -EINVAL; 1395 } 1396 } 1397 1398 return 0; 1399 } 1400 1401 static int nsh_key_put_from_nlattr(const struct nlattr *attr, 1402 struct sw_flow_match *match, bool is_mask, 1403 bool is_push_nsh, bool log) 1404 { 1405 struct nlattr *a; 1406 int rem; 1407 bool has_base = false; 1408 bool has_md1 = false; 1409 bool has_md2 = false; 1410 u8 mdtype = 0; 1411 int mdlen = 0; 1412 1413 if (WARN_ON(is_push_nsh && is_mask)) 1414 return -EINVAL; 1415 1416 nla_for_each_nested(a, attr, rem) { 1417 int type = nla_type(a); 1418 int i; 1419 1420 if (type > OVS_NSH_KEY_ATTR_MAX) { 1421 OVS_NLERR(log, "nsh attr %d is out of range max %d", 1422 type, OVS_NSH_KEY_ATTR_MAX); 1423 return -EINVAL; 1424 } 1425 1426 if (!check_attr_len(nla_len(a), 1427 ovs_nsh_key_attr_lens[type].len)) { 1428 OVS_NLERR( 1429 log, 1430 "nsh attr %d has unexpected len %d expected %d", 1431 type, 1432 nla_len(a), 1433 ovs_nsh_key_attr_lens[type].len 1434 ); 1435 return -EINVAL; 1436 } 1437 1438 switch (type) { 1439 case OVS_NSH_KEY_ATTR_BASE: { 1440 const struct ovs_nsh_key_base *base = nla_data(a); 1441 1442 has_base = true; 1443 mdtype = base->mdtype; 1444 SW_FLOW_KEY_PUT(match, nsh.base.flags, 1445 base->flags, is_mask); 1446 SW_FLOW_KEY_PUT(match, nsh.base.ttl, 1447 base->ttl, is_mask); 1448 SW_FLOW_KEY_PUT(match, nsh.base.mdtype, 1449 base->mdtype, is_mask); 1450 SW_FLOW_KEY_PUT(match, nsh.base.np, 1451 base->np, is_mask); 1452 SW_FLOW_KEY_PUT(match, nsh.base.path_hdr, 1453 base->path_hdr, is_mask); 1454 break; 1455 } 1456 case OVS_NSH_KEY_ATTR_MD1: { 1457 const struct ovs_nsh_key_md1 *md1 = nla_data(a); 1458 1459 has_md1 = true; 1460 for (i = 0; i < NSH_MD1_CONTEXT_SIZE; i++) 1461 SW_FLOW_KEY_PUT(match, nsh.context[i], 1462 md1->context[i], is_mask); 1463 break; 1464 } 1465 case OVS_NSH_KEY_ATTR_MD2: 1466 if (!is_push_nsh) /* Not supported MD type 2 yet */ 1467 return -ENOTSUPP; 1468 1469 has_md2 = true; 1470 mdlen = nla_len(a); 1471 if (mdlen > NSH_CTX_HDRS_MAX_LEN || mdlen <= 0) { 1472 OVS_NLERR( 1473 log, 1474 "Invalid MD length %d for MD type %d", 1475 mdlen, 1476 mdtype 1477 ); 1478 return -EINVAL; 1479 } 1480 break; 1481 default: 1482 OVS_NLERR(log, "Unknown nsh attribute %d", 1483 type); 1484 return -EINVAL; 1485 } 1486 } 1487 1488 if (rem > 0) { 1489 OVS_NLERR(log, "nsh attribute has %d unknown bytes.", rem); 1490 return -EINVAL; 1491 } 1492 1493 if (has_md1 && has_md2) { 1494 OVS_NLERR( 1495 1, 1496 "invalid nsh attribute: md1 and md2 are exclusive." 1497 ); 1498 return -EINVAL; 1499 } 1500 1501 if (!is_mask) { 1502 if ((has_md1 && mdtype != NSH_M_TYPE1) || 1503 (has_md2 && mdtype != NSH_M_TYPE2)) { 1504 OVS_NLERR(1, "nsh attribute has unmatched MD type %d.", 1505 mdtype); 1506 return -EINVAL; 1507 } 1508 1509 if (is_push_nsh && 1510 (!has_base || (!has_md1 && !has_md2))) { 1511 OVS_NLERR( 1512 1, 1513 "push_nsh: missing base or metadata attributes" 1514 ); 1515 return -EINVAL; 1516 } 1517 } 1518 1519 return 0; 1520 } 1521 1522 static int ovs_key_from_nlattrs(struct net *net, struct sw_flow_match *match, 1523 u64 attrs, const struct nlattr **a, 1524 bool is_mask, bool log) 1525 { 1526 int err; 1527 1528 err = metadata_from_nlattrs(net, match, &attrs, a, is_mask, log); 1529 if (err) 1530 return err; 1531 1532 if (attrs & (1 << OVS_KEY_ATTR_ETHERNET)) { 1533 const struct ovs_key_ethernet *eth_key; 1534 1535 eth_key = nla_data(a[OVS_KEY_ATTR_ETHERNET]); 1536 SW_FLOW_KEY_MEMCPY(match, eth.src, 1537 eth_key->eth_src, ETH_ALEN, is_mask); 1538 SW_FLOW_KEY_MEMCPY(match, eth.dst, 1539 eth_key->eth_dst, ETH_ALEN, is_mask); 1540 attrs &= ~(1 << OVS_KEY_ATTR_ETHERNET); 1541 1542 if (attrs & (1 << OVS_KEY_ATTR_VLAN)) { 1543 /* VLAN attribute is always parsed before getting here since it 1544 * may occur multiple times. 1545 */ 1546 OVS_NLERR(log, "VLAN attribute unexpected."); 1547 return -EINVAL; 1548 } 1549 1550 if (attrs & (1 << OVS_KEY_ATTR_ETHERTYPE)) { 1551 err = parse_eth_type_from_nlattrs(match, &attrs, a, is_mask, 1552 log); 1553 if (err) 1554 return err; 1555 } else if (!is_mask) { 1556 SW_FLOW_KEY_PUT(match, eth.type, htons(ETH_P_802_2), is_mask); 1557 } 1558 } else if (!match->key->eth.type) { 1559 OVS_NLERR(log, "Either Ethernet header or EtherType is required."); 1560 return -EINVAL; 1561 } 1562 1563 if (attrs & (1 << OVS_KEY_ATTR_IPV4)) { 1564 const struct ovs_key_ipv4 *ipv4_key; 1565 1566 ipv4_key = nla_data(a[OVS_KEY_ATTR_IPV4]); 1567 if (!is_mask && ipv4_key->ipv4_frag > OVS_FRAG_TYPE_MAX) { 1568 OVS_NLERR(log, "IPv4 frag type %d is out of range max %d", 1569 ipv4_key->ipv4_frag, OVS_FRAG_TYPE_MAX); 1570 return -EINVAL; 1571 } 1572 SW_FLOW_KEY_PUT(match, ip.proto, 1573 ipv4_key->ipv4_proto, is_mask); 1574 SW_FLOW_KEY_PUT(match, ip.tos, 1575 ipv4_key->ipv4_tos, is_mask); 1576 SW_FLOW_KEY_PUT(match, ip.ttl, 1577 ipv4_key->ipv4_ttl, is_mask); 1578 SW_FLOW_KEY_PUT(match, ip.frag, 1579 ipv4_key->ipv4_frag, is_mask); 1580 SW_FLOW_KEY_PUT(match, ipv4.addr.src, 1581 ipv4_key->ipv4_src, is_mask); 1582 SW_FLOW_KEY_PUT(match, ipv4.addr.dst, 1583 ipv4_key->ipv4_dst, is_mask); 1584 attrs &= ~(1 << OVS_KEY_ATTR_IPV4); 1585 } 1586 1587 if (attrs & (1 << OVS_KEY_ATTR_IPV6)) { 1588 const struct ovs_key_ipv6 *ipv6_key; 1589 1590 ipv6_key = nla_data(a[OVS_KEY_ATTR_IPV6]); 1591 if (!is_mask && ipv6_key->ipv6_frag > OVS_FRAG_TYPE_MAX) { 1592 OVS_NLERR(log, "IPv6 frag type %d is out of range max %d", 1593 ipv6_key->ipv6_frag, OVS_FRAG_TYPE_MAX); 1594 return -EINVAL; 1595 } 1596 1597 if (!is_mask && ipv6_key->ipv6_label & htonl(0xFFF00000)) { 1598 OVS_NLERR(log, "IPv6 flow label %x is out of range (max=%x)", 1599 ntohl(ipv6_key->ipv6_label), (1 << 20) - 1); 1600 return -EINVAL; 1601 } 1602 1603 SW_FLOW_KEY_PUT(match, ipv6.label, 1604 ipv6_key->ipv6_label, is_mask); 1605 SW_FLOW_KEY_PUT(match, ip.proto, 1606 ipv6_key->ipv6_proto, is_mask); 1607 SW_FLOW_KEY_PUT(match, ip.tos, 1608 ipv6_key->ipv6_tclass, is_mask); 1609 SW_FLOW_KEY_PUT(match, ip.ttl, 1610 ipv6_key->ipv6_hlimit, is_mask); 1611 SW_FLOW_KEY_PUT(match, ip.frag, 1612 ipv6_key->ipv6_frag, is_mask); 1613 SW_FLOW_KEY_MEMCPY(match, ipv6.addr.src, 1614 ipv6_key->ipv6_src, 1615 sizeof(match->key->ipv6.addr.src), 1616 is_mask); 1617 SW_FLOW_KEY_MEMCPY(match, ipv6.addr.dst, 1618 ipv6_key->ipv6_dst, 1619 sizeof(match->key->ipv6.addr.dst), 1620 is_mask); 1621 1622 attrs &= ~(1 << OVS_KEY_ATTR_IPV6); 1623 } 1624 1625 if (attrs & (1ULL << OVS_KEY_ATTR_IPV6_EXTHDRS)) { 1626 const struct ovs_key_ipv6_exthdrs *ipv6_exthdrs_key; 1627 1628 ipv6_exthdrs_key = nla_data(a[OVS_KEY_ATTR_IPV6_EXTHDRS]); 1629 1630 SW_FLOW_KEY_PUT(match, ipv6.exthdrs, 1631 ipv6_exthdrs_key->hdrs, is_mask); 1632 1633 attrs &= ~(1ULL << OVS_KEY_ATTR_IPV6_EXTHDRS); 1634 } 1635 1636 if (attrs & (1 << OVS_KEY_ATTR_ARP)) { 1637 const struct ovs_key_arp *arp_key; 1638 1639 arp_key = nla_data(a[OVS_KEY_ATTR_ARP]); 1640 if (!is_mask && (arp_key->arp_op & htons(0xff00))) { 1641 OVS_NLERR(log, "Unknown ARP opcode (opcode=%d).", 1642 arp_key->arp_op); 1643 return -EINVAL; 1644 } 1645 1646 SW_FLOW_KEY_PUT(match, ipv4.addr.src, 1647 arp_key->arp_sip, is_mask); 1648 SW_FLOW_KEY_PUT(match, ipv4.addr.dst, 1649 arp_key->arp_tip, is_mask); 1650 SW_FLOW_KEY_PUT(match, ip.proto, 1651 ntohs(arp_key->arp_op), is_mask); 1652 SW_FLOW_KEY_MEMCPY(match, ipv4.arp.sha, 1653 arp_key->arp_sha, ETH_ALEN, is_mask); 1654 SW_FLOW_KEY_MEMCPY(match, ipv4.arp.tha, 1655 arp_key->arp_tha, ETH_ALEN, is_mask); 1656 1657 attrs &= ~(1 << OVS_KEY_ATTR_ARP); 1658 } 1659 1660 if (attrs & (1 << OVS_KEY_ATTR_NSH)) { 1661 if (nsh_key_put_from_nlattr(a[OVS_KEY_ATTR_NSH], match, 1662 is_mask, false, log) < 0) 1663 return -EINVAL; 1664 attrs &= ~(1 << OVS_KEY_ATTR_NSH); 1665 } 1666 1667 if (attrs & (1 << OVS_KEY_ATTR_MPLS)) { 1668 const struct ovs_key_mpls *mpls_key; 1669 u32 hdr_len; 1670 u32 label_count, label_count_mask, i; 1671 1672 mpls_key = nla_data(a[OVS_KEY_ATTR_MPLS]); 1673 hdr_len = nla_len(a[OVS_KEY_ATTR_MPLS]); 1674 label_count = hdr_len / sizeof(struct ovs_key_mpls); 1675 1676 if (label_count == 0 || label_count > MPLS_LABEL_DEPTH || 1677 hdr_len % sizeof(struct ovs_key_mpls)) 1678 return -EINVAL; 1679 1680 label_count_mask = GENMASK(label_count - 1, 0); 1681 1682 for (i = 0 ; i < label_count; i++) 1683 SW_FLOW_KEY_PUT(match, mpls.lse[i], 1684 mpls_key[i].mpls_lse, is_mask); 1685 1686 SW_FLOW_KEY_PUT(match, mpls.num_labels_mask, 1687 label_count_mask, is_mask); 1688 1689 attrs &= ~(1 << OVS_KEY_ATTR_MPLS); 1690 } 1691 1692 if (attrs & (1 << OVS_KEY_ATTR_TCP)) { 1693 const struct ovs_key_tcp *tcp_key; 1694 1695 tcp_key = nla_data(a[OVS_KEY_ATTR_TCP]); 1696 SW_FLOW_KEY_PUT(match, tp.src, tcp_key->tcp_src, is_mask); 1697 SW_FLOW_KEY_PUT(match, tp.dst, tcp_key->tcp_dst, is_mask); 1698 attrs &= ~(1 << OVS_KEY_ATTR_TCP); 1699 } 1700 1701 if (attrs & (1 << OVS_KEY_ATTR_TCP_FLAGS)) { 1702 SW_FLOW_KEY_PUT(match, tp.flags, 1703 nla_get_be16(a[OVS_KEY_ATTR_TCP_FLAGS]), 1704 is_mask); 1705 attrs &= ~(1 << OVS_KEY_ATTR_TCP_FLAGS); 1706 } 1707 1708 if (attrs & (1 << OVS_KEY_ATTR_UDP)) { 1709 const struct ovs_key_udp *udp_key; 1710 1711 udp_key = nla_data(a[OVS_KEY_ATTR_UDP]); 1712 SW_FLOW_KEY_PUT(match, tp.src, udp_key->udp_src, is_mask); 1713 SW_FLOW_KEY_PUT(match, tp.dst, udp_key->udp_dst, is_mask); 1714 attrs &= ~(1 << OVS_KEY_ATTR_UDP); 1715 } 1716 1717 if (attrs & (1 << OVS_KEY_ATTR_SCTP)) { 1718 const struct ovs_key_sctp *sctp_key; 1719 1720 sctp_key = nla_data(a[OVS_KEY_ATTR_SCTP]); 1721 SW_FLOW_KEY_PUT(match, tp.src, sctp_key->sctp_src, is_mask); 1722 SW_FLOW_KEY_PUT(match, tp.dst, sctp_key->sctp_dst, is_mask); 1723 attrs &= ~(1 << OVS_KEY_ATTR_SCTP); 1724 } 1725 1726 if (attrs & (1 << OVS_KEY_ATTR_ICMP)) { 1727 const struct ovs_key_icmp *icmp_key; 1728 1729 icmp_key = nla_data(a[OVS_KEY_ATTR_ICMP]); 1730 SW_FLOW_KEY_PUT(match, tp.src, 1731 htons(icmp_key->icmp_type), is_mask); 1732 SW_FLOW_KEY_PUT(match, tp.dst, 1733 htons(icmp_key->icmp_code), is_mask); 1734 attrs &= ~(1 << OVS_KEY_ATTR_ICMP); 1735 } 1736 1737 if (attrs & (1 << OVS_KEY_ATTR_ICMPV6)) { 1738 const struct ovs_key_icmpv6 *icmpv6_key; 1739 1740 icmpv6_key = nla_data(a[OVS_KEY_ATTR_ICMPV6]); 1741 SW_FLOW_KEY_PUT(match, tp.src, 1742 htons(icmpv6_key->icmpv6_type), is_mask); 1743 SW_FLOW_KEY_PUT(match, tp.dst, 1744 htons(icmpv6_key->icmpv6_code), is_mask); 1745 attrs &= ~(1 << OVS_KEY_ATTR_ICMPV6); 1746 } 1747 1748 if (attrs & (1 << OVS_KEY_ATTR_ND)) { 1749 const struct ovs_key_nd *nd_key; 1750 1751 nd_key = nla_data(a[OVS_KEY_ATTR_ND]); 1752 SW_FLOW_KEY_MEMCPY(match, ipv6.nd.target, 1753 nd_key->nd_target, 1754 sizeof(match->key->ipv6.nd.target), 1755 is_mask); 1756 SW_FLOW_KEY_MEMCPY(match, ipv6.nd.sll, 1757 nd_key->nd_sll, ETH_ALEN, is_mask); 1758 SW_FLOW_KEY_MEMCPY(match, ipv6.nd.tll, 1759 nd_key->nd_tll, ETH_ALEN, is_mask); 1760 attrs &= ~(1 << OVS_KEY_ATTR_ND); 1761 } 1762 1763 if (attrs != 0) { 1764 OVS_NLERR(log, "Unknown key attributes %llx", 1765 (unsigned long long)attrs); 1766 return -EINVAL; 1767 } 1768 1769 return 0; 1770 } 1771 1772 static void nlattr_set(struct nlattr *attr, u8 val, 1773 const struct ovs_len_tbl *tbl) 1774 { 1775 struct nlattr *nla; 1776 int rem; 1777 1778 /* The nlattr stream should already have been validated */ 1779 nla_for_each_nested(nla, attr, rem) { 1780 if (tbl[nla_type(nla)].len == OVS_ATTR_NESTED) 1781 nlattr_set(nla, val, tbl[nla_type(nla)].next ? : tbl); 1782 else 1783 memset(nla_data(nla), val, nla_len(nla)); 1784 1785 if (nla_type(nla) == OVS_KEY_ATTR_CT_STATE) 1786 *(u32 *)nla_data(nla) &= CT_SUPPORTED_MASK; 1787 } 1788 } 1789 1790 static void mask_set_nlattr(struct nlattr *attr, u8 val) 1791 { 1792 nlattr_set(attr, val, ovs_key_lens); 1793 } 1794 1795 /** 1796 * ovs_nla_get_match - parses Netlink attributes into a flow key and 1797 * mask. In case the 'mask' is NULL, the flow is treated as exact match 1798 * flow. Otherwise, it is treated as a wildcarded flow, except the mask 1799 * does not include any don't care bit. 1800 * @net: Used to determine per-namespace field support. 1801 * @match: receives the extracted flow match information. 1802 * @nla_key: Netlink attribute holding nested %OVS_KEY_ATTR_* Netlink attribute 1803 * sequence. The fields should of the packet that triggered the creation 1804 * of this flow. 1805 * @nla_mask: Optional. Netlink attribute holding nested %OVS_KEY_ATTR_* 1806 * Netlink attribute specifies the mask field of the wildcarded flow. 1807 * @log: Boolean to allow kernel error logging. Normally true, but when 1808 * probing for feature compatibility this should be passed in as false to 1809 * suppress unnecessary error logging. 1810 */ 1811 int ovs_nla_get_match(struct net *net, struct sw_flow_match *match, 1812 const struct nlattr *nla_key, 1813 const struct nlattr *nla_mask, 1814 bool log) 1815 { 1816 const struct nlattr *a[OVS_KEY_ATTR_MAX + 1]; 1817 struct nlattr *newmask = NULL; 1818 u64 key_attrs = 0; 1819 u64 mask_attrs = 0; 1820 int err; 1821 1822 err = parse_flow_nlattrs(nla_key, a, &key_attrs, log); 1823 if (err) 1824 return err; 1825 1826 err = parse_vlan_from_nlattrs(match, &key_attrs, a, false, log); 1827 if (err) 1828 return err; 1829 1830 err = ovs_key_from_nlattrs(net, match, key_attrs, a, false, log); 1831 if (err) 1832 return err; 1833 1834 if (match->mask) { 1835 if (!nla_mask) { 1836 /* Create an exact match mask. We need to set to 0xff 1837 * all the 'match->mask' fields that have been touched 1838 * in 'match->key'. We cannot simply memset 1839 * 'match->mask', because padding bytes and fields not 1840 * specified in 'match->key' should be left to 0. 1841 * Instead, we use a stream of netlink attributes, 1842 * copied from 'key' and set to 0xff. 1843 * ovs_key_from_nlattrs() will take care of filling 1844 * 'match->mask' appropriately. 1845 */ 1846 newmask = kmemdup(nla_key, 1847 nla_total_size(nla_len(nla_key)), 1848 GFP_KERNEL); 1849 if (!newmask) 1850 return -ENOMEM; 1851 1852 mask_set_nlattr(newmask, 0xff); 1853 1854 /* The userspace does not send tunnel attributes that 1855 * are 0, but we should not wildcard them nonetheless. 1856 */ 1857 if (match->key->tun_proto) 1858 SW_FLOW_KEY_MEMSET_FIELD(match, tun_key, 1859 0xff, true); 1860 1861 nla_mask = newmask; 1862 } 1863 1864 err = parse_flow_mask_nlattrs(nla_mask, a, &mask_attrs, log); 1865 if (err) 1866 goto free_newmask; 1867 1868 /* Always match on tci. */ 1869 SW_FLOW_KEY_PUT(match, eth.vlan.tci, htons(0xffff), true); 1870 SW_FLOW_KEY_PUT(match, eth.cvlan.tci, htons(0xffff), true); 1871 1872 err = parse_vlan_from_nlattrs(match, &mask_attrs, a, true, log); 1873 if (err) 1874 goto free_newmask; 1875 1876 err = ovs_key_from_nlattrs(net, match, mask_attrs, a, true, 1877 log); 1878 if (err) 1879 goto free_newmask; 1880 } 1881 1882 if (!match_validate(match, key_attrs, mask_attrs, log)) 1883 err = -EINVAL; 1884 1885 free_newmask: 1886 kfree(newmask); 1887 return err; 1888 } 1889 1890 static size_t get_ufid_len(const struct nlattr *attr, bool log) 1891 { 1892 size_t len; 1893 1894 if (!attr) 1895 return 0; 1896 1897 len = nla_len(attr); 1898 if (len < 1 || len > MAX_UFID_LENGTH) { 1899 OVS_NLERR(log, "ufid size %u bytes exceeds the range (1, %d)", 1900 nla_len(attr), MAX_UFID_LENGTH); 1901 return 0; 1902 } 1903 1904 return len; 1905 } 1906 1907 /* Initializes 'flow->ufid', returning true if 'attr' contains a valid UFID, 1908 * or false otherwise. 1909 */ 1910 bool ovs_nla_get_ufid(struct sw_flow_id *sfid, const struct nlattr *attr, 1911 bool log) 1912 { 1913 sfid->ufid_len = get_ufid_len(attr, log); 1914 if (sfid->ufid_len) 1915 memcpy(sfid->ufid, nla_data(attr), sfid->ufid_len); 1916 1917 return sfid->ufid_len; 1918 } 1919 1920 int ovs_nla_get_identifier(struct sw_flow_id *sfid, const struct nlattr *ufid, 1921 const struct sw_flow_key *key, bool log) 1922 { 1923 struct sw_flow_key *new_key; 1924 1925 if (ovs_nla_get_ufid(sfid, ufid, log)) 1926 return 0; 1927 1928 /* If UFID was not provided, use unmasked key. */ 1929 new_key = kmalloc(sizeof(*new_key), GFP_KERNEL); 1930 if (!new_key) 1931 return -ENOMEM; 1932 memcpy(new_key, key, sizeof(*key)); 1933 sfid->unmasked_key = new_key; 1934 1935 return 0; 1936 } 1937 1938 u32 ovs_nla_get_ufid_flags(const struct nlattr *attr) 1939 { 1940 return attr ? nla_get_u32(attr) : 0; 1941 } 1942 1943 /** 1944 * ovs_nla_get_flow_metadata - parses Netlink attributes into a flow key. 1945 * @net: Network namespace. 1946 * @key: Receives extracted in_port, priority, tun_key, skb_mark and conntrack 1947 * metadata. 1948 * @a: Array of netlink attributes holding parsed %OVS_KEY_ATTR_* Netlink 1949 * attributes. 1950 * @attrs: Bit mask for the netlink attributes included in @a. 1951 * @log: Boolean to allow kernel error logging. Normally true, but when 1952 * probing for feature compatibility this should be passed in as false to 1953 * suppress unnecessary error logging. 1954 * 1955 * This parses a series of Netlink attributes that form a flow key, which must 1956 * take the same form accepted by flow_from_nlattrs(), but only enough of it to 1957 * get the metadata, that is, the parts of the flow key that cannot be 1958 * extracted from the packet itself. 1959 * 1960 * This must be called before the packet key fields are filled in 'key'. 1961 */ 1962 1963 int ovs_nla_get_flow_metadata(struct net *net, 1964 const struct nlattr *a[OVS_KEY_ATTR_MAX + 1], 1965 u64 attrs, struct sw_flow_key *key, bool log) 1966 { 1967 struct sw_flow_match match; 1968 1969 memset(&match, 0, sizeof(match)); 1970 match.key = key; 1971 1972 key->ct_state = 0; 1973 key->ct_zone = 0; 1974 key->ct_orig_proto = 0; 1975 memset(&key->ct, 0, sizeof(key->ct)); 1976 memset(&key->ipv4.ct_orig, 0, sizeof(key->ipv4.ct_orig)); 1977 memset(&key->ipv6.ct_orig, 0, sizeof(key->ipv6.ct_orig)); 1978 1979 key->phy.in_port = DP_MAX_PORTS; 1980 1981 return metadata_from_nlattrs(net, &match, &attrs, a, false, log); 1982 } 1983 1984 static int ovs_nla_put_vlan(struct sk_buff *skb, const struct vlan_head *vh, 1985 bool is_mask) 1986 { 1987 __be16 eth_type = !is_mask ? vh->tpid : htons(0xffff); 1988 1989 if (nla_put_be16(skb, OVS_KEY_ATTR_ETHERTYPE, eth_type) || 1990 nla_put_be16(skb, OVS_KEY_ATTR_VLAN, vh->tci)) 1991 return -EMSGSIZE; 1992 return 0; 1993 } 1994 1995 static int nsh_key_to_nlattr(const struct ovs_key_nsh *nsh, bool is_mask, 1996 struct sk_buff *skb) 1997 { 1998 struct nlattr *start; 1999 2000 start = nla_nest_start_noflag(skb, OVS_KEY_ATTR_NSH); 2001 if (!start) 2002 return -EMSGSIZE; 2003 2004 if (nla_put(skb, OVS_NSH_KEY_ATTR_BASE, sizeof(nsh->base), &nsh->base)) 2005 goto nla_put_failure; 2006 2007 if (is_mask || nsh->base.mdtype == NSH_M_TYPE1) { 2008 if (nla_put(skb, OVS_NSH_KEY_ATTR_MD1, 2009 sizeof(nsh->context), nsh->context)) 2010 goto nla_put_failure; 2011 } 2012 2013 /* Don't support MD type 2 yet */ 2014 2015 nla_nest_end(skb, start); 2016 2017 return 0; 2018 2019 nla_put_failure: 2020 return -EMSGSIZE; 2021 } 2022 2023 static int __ovs_nla_put_key(const struct sw_flow_key *swkey, 2024 const struct sw_flow_key *output, bool is_mask, 2025 struct sk_buff *skb) 2026 { 2027 struct ovs_key_ethernet *eth_key; 2028 struct nlattr *nla; 2029 struct nlattr *encap = NULL; 2030 struct nlattr *in_encap = NULL; 2031 2032 if (nla_put_u32(skb, OVS_KEY_ATTR_RECIRC_ID, output->recirc_id)) 2033 goto nla_put_failure; 2034 2035 if (nla_put_u32(skb, OVS_KEY_ATTR_DP_HASH, output->ovs_flow_hash)) 2036 goto nla_put_failure; 2037 2038 if (nla_put_u32(skb, OVS_KEY_ATTR_PRIORITY, output->phy.priority)) 2039 goto nla_put_failure; 2040 2041 if ((swkey->tun_proto || is_mask)) { 2042 const void *opts = NULL; 2043 2044 if (ip_tunnel_is_options_present(output->tun_key.tun_flags)) 2045 opts = TUN_METADATA_OPTS(output, swkey->tun_opts_len); 2046 2047 if (ip_tun_to_nlattr(skb, &output->tun_key, opts, 2048 swkey->tun_opts_len, swkey->tun_proto, 0)) 2049 goto nla_put_failure; 2050 } 2051 2052 if (swkey->phy.in_port == DP_MAX_PORTS) { 2053 if (is_mask && (output->phy.in_port == 0xffff)) 2054 if (nla_put_u32(skb, OVS_KEY_ATTR_IN_PORT, 0xffffffff)) 2055 goto nla_put_failure; 2056 } else { 2057 u16 upper_u16; 2058 upper_u16 = !is_mask ? 0 : 0xffff; 2059 2060 if (nla_put_u32(skb, OVS_KEY_ATTR_IN_PORT, 2061 (upper_u16 << 16) | output->phy.in_port)) 2062 goto nla_put_failure; 2063 } 2064 2065 if (nla_put_u32(skb, OVS_KEY_ATTR_SKB_MARK, output->phy.skb_mark)) 2066 goto nla_put_failure; 2067 2068 if (ovs_ct_put_key(swkey, output, skb)) 2069 goto nla_put_failure; 2070 2071 if (ovs_key_mac_proto(swkey) == MAC_PROTO_ETHERNET) { 2072 nla = nla_reserve(skb, OVS_KEY_ATTR_ETHERNET, sizeof(*eth_key)); 2073 if (!nla) 2074 goto nla_put_failure; 2075 2076 eth_key = nla_data(nla); 2077 ether_addr_copy(eth_key->eth_src, output->eth.src); 2078 ether_addr_copy(eth_key->eth_dst, output->eth.dst); 2079 2080 if (swkey->eth.vlan.tci || eth_type_vlan(swkey->eth.type)) { 2081 if (ovs_nla_put_vlan(skb, &output->eth.vlan, is_mask)) 2082 goto nla_put_failure; 2083 encap = nla_nest_start_noflag(skb, OVS_KEY_ATTR_ENCAP); 2084 if (!swkey->eth.vlan.tci) 2085 goto unencap; 2086 2087 if (swkey->eth.cvlan.tci || eth_type_vlan(swkey->eth.type)) { 2088 if (ovs_nla_put_vlan(skb, &output->eth.cvlan, is_mask)) 2089 goto nla_put_failure; 2090 in_encap = nla_nest_start_noflag(skb, 2091 OVS_KEY_ATTR_ENCAP); 2092 if (!swkey->eth.cvlan.tci) 2093 goto unencap; 2094 } 2095 } 2096 2097 if (swkey->eth.type == htons(ETH_P_802_2)) { 2098 /* 2099 * Ethertype 802.2 is represented in the netlink with omitted 2100 * OVS_KEY_ATTR_ETHERTYPE in the flow key attribute, and 2101 * 0xffff in the mask attribute. Ethertype can also 2102 * be wildcarded. 2103 */ 2104 if (is_mask && output->eth.type) 2105 if (nla_put_be16(skb, OVS_KEY_ATTR_ETHERTYPE, 2106 output->eth.type)) 2107 goto nla_put_failure; 2108 goto unencap; 2109 } 2110 } 2111 2112 if (nla_put_be16(skb, OVS_KEY_ATTR_ETHERTYPE, output->eth.type)) 2113 goto nla_put_failure; 2114 2115 if (eth_type_vlan(swkey->eth.type)) { 2116 /* There are 3 VLAN tags, we don't know anything about the rest 2117 * of the packet, so truncate here. 2118 */ 2119 WARN_ON_ONCE(!(encap && in_encap)); 2120 goto unencap; 2121 } 2122 2123 if (swkey->eth.type == htons(ETH_P_IP)) { 2124 struct ovs_key_ipv4 *ipv4_key; 2125 2126 nla = nla_reserve(skb, OVS_KEY_ATTR_IPV4, sizeof(*ipv4_key)); 2127 if (!nla) 2128 goto nla_put_failure; 2129 ipv4_key = nla_data(nla); 2130 ipv4_key->ipv4_src = output->ipv4.addr.src; 2131 ipv4_key->ipv4_dst = output->ipv4.addr.dst; 2132 ipv4_key->ipv4_proto = output->ip.proto; 2133 ipv4_key->ipv4_tos = output->ip.tos; 2134 ipv4_key->ipv4_ttl = output->ip.ttl; 2135 ipv4_key->ipv4_frag = output->ip.frag; 2136 } else if (swkey->eth.type == htons(ETH_P_IPV6)) { 2137 struct ovs_key_ipv6 *ipv6_key; 2138 struct ovs_key_ipv6_exthdrs *ipv6_exthdrs_key; 2139 2140 nla = nla_reserve(skb, OVS_KEY_ATTR_IPV6, sizeof(*ipv6_key)); 2141 if (!nla) 2142 goto nla_put_failure; 2143 ipv6_key = nla_data(nla); 2144 memcpy(ipv6_key->ipv6_src, &output->ipv6.addr.src, 2145 sizeof(ipv6_key->ipv6_src)); 2146 memcpy(ipv6_key->ipv6_dst, &output->ipv6.addr.dst, 2147 sizeof(ipv6_key->ipv6_dst)); 2148 ipv6_key->ipv6_label = output->ipv6.label; 2149 ipv6_key->ipv6_proto = output->ip.proto; 2150 ipv6_key->ipv6_tclass = output->ip.tos; 2151 ipv6_key->ipv6_hlimit = output->ip.ttl; 2152 ipv6_key->ipv6_frag = output->ip.frag; 2153 2154 nla = nla_reserve(skb, OVS_KEY_ATTR_IPV6_EXTHDRS, 2155 sizeof(*ipv6_exthdrs_key)); 2156 if (!nla) 2157 goto nla_put_failure; 2158 ipv6_exthdrs_key = nla_data(nla); 2159 ipv6_exthdrs_key->hdrs = output->ipv6.exthdrs; 2160 } else if (swkey->eth.type == htons(ETH_P_NSH)) { 2161 if (nsh_key_to_nlattr(&output->nsh, is_mask, skb)) 2162 goto nla_put_failure; 2163 } else if (swkey->eth.type == htons(ETH_P_ARP) || 2164 swkey->eth.type == htons(ETH_P_RARP)) { 2165 struct ovs_key_arp *arp_key; 2166 2167 nla = nla_reserve(skb, OVS_KEY_ATTR_ARP, sizeof(*arp_key)); 2168 if (!nla) 2169 goto nla_put_failure; 2170 arp_key = nla_data(nla); 2171 memset(arp_key, 0, sizeof(struct ovs_key_arp)); 2172 arp_key->arp_sip = output->ipv4.addr.src; 2173 arp_key->arp_tip = output->ipv4.addr.dst; 2174 arp_key->arp_op = htons(output->ip.proto); 2175 ether_addr_copy(arp_key->arp_sha, output->ipv4.arp.sha); 2176 ether_addr_copy(arp_key->arp_tha, output->ipv4.arp.tha); 2177 } else if (eth_p_mpls(swkey->eth.type)) { 2178 u8 i, num_labels; 2179 struct ovs_key_mpls *mpls_key; 2180 2181 num_labels = hweight_long(output->mpls.num_labels_mask); 2182 nla = nla_reserve(skb, OVS_KEY_ATTR_MPLS, 2183 num_labels * sizeof(*mpls_key)); 2184 if (!nla) 2185 goto nla_put_failure; 2186 2187 mpls_key = nla_data(nla); 2188 for (i = 0; i < num_labels; i++) 2189 mpls_key[i].mpls_lse = output->mpls.lse[i]; 2190 } 2191 2192 if ((swkey->eth.type == htons(ETH_P_IP) || 2193 swkey->eth.type == htons(ETH_P_IPV6)) && 2194 swkey->ip.frag != OVS_FRAG_TYPE_LATER) { 2195 2196 if (swkey->ip.proto == IPPROTO_TCP) { 2197 struct ovs_key_tcp *tcp_key; 2198 2199 nla = nla_reserve(skb, OVS_KEY_ATTR_TCP, sizeof(*tcp_key)); 2200 if (!nla) 2201 goto nla_put_failure; 2202 tcp_key = nla_data(nla); 2203 tcp_key->tcp_src = output->tp.src; 2204 tcp_key->tcp_dst = output->tp.dst; 2205 if (nla_put_be16(skb, OVS_KEY_ATTR_TCP_FLAGS, 2206 output->tp.flags)) 2207 goto nla_put_failure; 2208 } else if (swkey->ip.proto == IPPROTO_UDP) { 2209 struct ovs_key_udp *udp_key; 2210 2211 nla = nla_reserve(skb, OVS_KEY_ATTR_UDP, sizeof(*udp_key)); 2212 if (!nla) 2213 goto nla_put_failure; 2214 udp_key = nla_data(nla); 2215 udp_key->udp_src = output->tp.src; 2216 udp_key->udp_dst = output->tp.dst; 2217 } else if (swkey->ip.proto == IPPROTO_SCTP) { 2218 struct ovs_key_sctp *sctp_key; 2219 2220 nla = nla_reserve(skb, OVS_KEY_ATTR_SCTP, sizeof(*sctp_key)); 2221 if (!nla) 2222 goto nla_put_failure; 2223 sctp_key = nla_data(nla); 2224 sctp_key->sctp_src = output->tp.src; 2225 sctp_key->sctp_dst = output->tp.dst; 2226 } else if (swkey->eth.type == htons(ETH_P_IP) && 2227 swkey->ip.proto == IPPROTO_ICMP) { 2228 struct ovs_key_icmp *icmp_key; 2229 2230 nla = nla_reserve(skb, OVS_KEY_ATTR_ICMP, sizeof(*icmp_key)); 2231 if (!nla) 2232 goto nla_put_failure; 2233 icmp_key = nla_data(nla); 2234 icmp_key->icmp_type = ntohs(output->tp.src); 2235 icmp_key->icmp_code = ntohs(output->tp.dst); 2236 } else if (swkey->eth.type == htons(ETH_P_IPV6) && 2237 swkey->ip.proto == IPPROTO_ICMPV6) { 2238 struct ovs_key_icmpv6 *icmpv6_key; 2239 2240 nla = nla_reserve(skb, OVS_KEY_ATTR_ICMPV6, 2241 sizeof(*icmpv6_key)); 2242 if (!nla) 2243 goto nla_put_failure; 2244 icmpv6_key = nla_data(nla); 2245 icmpv6_key->icmpv6_type = ntohs(output->tp.src); 2246 icmpv6_key->icmpv6_code = ntohs(output->tp.dst); 2247 2248 if (swkey->tp.src == htons(NDISC_NEIGHBOUR_SOLICITATION) || 2249 swkey->tp.src == htons(NDISC_NEIGHBOUR_ADVERTISEMENT)) { 2250 struct ovs_key_nd *nd_key; 2251 2252 nla = nla_reserve(skb, OVS_KEY_ATTR_ND, sizeof(*nd_key)); 2253 if (!nla) 2254 goto nla_put_failure; 2255 nd_key = nla_data(nla); 2256 memcpy(nd_key->nd_target, &output->ipv6.nd.target, 2257 sizeof(nd_key->nd_target)); 2258 ether_addr_copy(nd_key->nd_sll, output->ipv6.nd.sll); 2259 ether_addr_copy(nd_key->nd_tll, output->ipv6.nd.tll); 2260 } 2261 } 2262 } 2263 2264 unencap: 2265 if (in_encap) 2266 nla_nest_end(skb, in_encap); 2267 if (encap) 2268 nla_nest_end(skb, encap); 2269 2270 return 0; 2271 2272 nla_put_failure: 2273 return -EMSGSIZE; 2274 } 2275 2276 int ovs_nla_put_key(const struct sw_flow_key *swkey, 2277 const struct sw_flow_key *output, int attr, bool is_mask, 2278 struct sk_buff *skb) 2279 { 2280 int err; 2281 struct nlattr *nla; 2282 2283 nla = nla_nest_start_noflag(skb, attr); 2284 if (!nla) 2285 return -EMSGSIZE; 2286 err = __ovs_nla_put_key(swkey, output, is_mask, skb); 2287 if (err) 2288 return err; 2289 nla_nest_end(skb, nla); 2290 2291 return 0; 2292 } 2293 2294 /* Called with ovs_mutex or RCU read lock. */ 2295 int ovs_nla_put_identifier(const struct sw_flow *flow, struct sk_buff *skb) 2296 { 2297 if (ovs_identifier_is_ufid(&flow->id)) 2298 return nla_put(skb, OVS_FLOW_ATTR_UFID, flow->id.ufid_len, 2299 flow->id.ufid); 2300 2301 return ovs_nla_put_key(flow->id.unmasked_key, flow->id.unmasked_key, 2302 OVS_FLOW_ATTR_KEY, false, skb); 2303 } 2304 2305 /* Called with ovs_mutex or RCU read lock. */ 2306 int ovs_nla_put_masked_key(const struct sw_flow *flow, struct sk_buff *skb) 2307 { 2308 return ovs_nla_put_key(&flow->key, &flow->key, 2309 OVS_FLOW_ATTR_KEY, false, skb); 2310 } 2311 2312 /* Called with ovs_mutex or RCU read lock. */ 2313 int ovs_nla_put_mask(const struct sw_flow *flow, struct sk_buff *skb) 2314 { 2315 return ovs_nla_put_key(&flow->key, &flow->mask->key, 2316 OVS_FLOW_ATTR_MASK, true, skb); 2317 } 2318 2319 #define MAX_ACTIONS_BUFSIZE (32 * 1024) 2320 2321 static struct sw_flow_actions *nla_alloc_flow_actions(int size) 2322 { 2323 struct sw_flow_actions *sfa; 2324 2325 WARN_ON_ONCE(size > MAX_ACTIONS_BUFSIZE); 2326 2327 sfa = kmalloc(kmalloc_size_roundup(sizeof(*sfa) + size), GFP_KERNEL); 2328 if (!sfa) 2329 return ERR_PTR(-ENOMEM); 2330 2331 sfa->actions_len = 0; 2332 return sfa; 2333 } 2334 2335 static void ovs_nla_free_nested_actions(const struct nlattr *actions, int len); 2336 2337 static void ovs_nla_free_check_pkt_len_action(const struct nlattr *action) 2338 { 2339 const struct nlattr *a; 2340 int rem; 2341 2342 nla_for_each_nested(a, action, rem) { 2343 switch (nla_type(a)) { 2344 case OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL: 2345 case OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER: 2346 ovs_nla_free_nested_actions(nla_data(a), nla_len(a)); 2347 break; 2348 } 2349 } 2350 } 2351 2352 static void ovs_nla_free_clone_action(const struct nlattr *action) 2353 { 2354 const struct nlattr *a = nla_data(action); 2355 int rem = nla_len(action); 2356 2357 switch (nla_type(a)) { 2358 case OVS_CLONE_ATTR_EXEC: 2359 /* The real list of actions follows this attribute. */ 2360 a = nla_next(a, &rem); 2361 ovs_nla_free_nested_actions(a, rem); 2362 break; 2363 } 2364 } 2365 2366 static void ovs_nla_free_dec_ttl_action(const struct nlattr *action) 2367 { 2368 const struct nlattr *a = nla_data(action); 2369 2370 switch (nla_type(a)) { 2371 case OVS_DEC_TTL_ATTR_ACTION: 2372 ovs_nla_free_nested_actions(nla_data(a), nla_len(a)); 2373 break; 2374 } 2375 } 2376 2377 static void ovs_nla_free_sample_action(const struct nlattr *action) 2378 { 2379 const struct nlattr *a = nla_data(action); 2380 int rem = nla_len(action); 2381 2382 switch (nla_type(a)) { 2383 case OVS_SAMPLE_ATTR_ARG: 2384 /* The real list of actions follows this attribute. */ 2385 a = nla_next(a, &rem); 2386 ovs_nla_free_nested_actions(a, rem); 2387 break; 2388 } 2389 } 2390 2391 static void ovs_nla_free_set_action(const struct nlattr *a) 2392 { 2393 const struct nlattr *ovs_key = nla_data(a); 2394 struct ovs_tunnel_info *ovs_tun; 2395 2396 switch (nla_type(ovs_key)) { 2397 case OVS_KEY_ATTR_TUNNEL_INFO: 2398 ovs_tun = nla_data(ovs_key); 2399 dst_release((struct dst_entry *)ovs_tun->tun_dst); 2400 break; 2401 } 2402 } 2403 2404 static void ovs_nla_free_nested_actions(const struct nlattr *actions, int len) 2405 { 2406 const struct nlattr *a; 2407 int rem; 2408 2409 /* Whenever new actions are added, the need to update this 2410 * function should be considered. 2411 */ 2412 BUILD_BUG_ON(OVS_ACTION_ATTR_MAX != 24); 2413 2414 if (!actions) 2415 return; 2416 2417 nla_for_each_attr(a, actions, len, rem) { 2418 switch (nla_type(a)) { 2419 case OVS_ACTION_ATTR_CHECK_PKT_LEN: 2420 ovs_nla_free_check_pkt_len_action(a); 2421 break; 2422 2423 case OVS_ACTION_ATTR_CLONE: 2424 ovs_nla_free_clone_action(a); 2425 break; 2426 2427 case OVS_ACTION_ATTR_CT: 2428 ovs_ct_free_action(a); 2429 break; 2430 2431 case OVS_ACTION_ATTR_DEC_TTL: 2432 ovs_nla_free_dec_ttl_action(a); 2433 break; 2434 2435 case OVS_ACTION_ATTR_SAMPLE: 2436 ovs_nla_free_sample_action(a); 2437 break; 2438 2439 case OVS_ACTION_ATTR_SET: 2440 ovs_nla_free_set_action(a); 2441 break; 2442 } 2443 } 2444 } 2445 2446 void ovs_nla_free_flow_actions(struct sw_flow_actions *sf_acts) 2447 { 2448 if (!sf_acts) 2449 return; 2450 2451 ovs_nla_free_nested_actions(sf_acts->actions, sf_acts->actions_len); 2452 kfree(sf_acts); 2453 } 2454 2455 static void __ovs_nla_free_flow_actions(struct rcu_head *head) 2456 { 2457 ovs_nla_free_flow_actions(container_of(head, struct sw_flow_actions, rcu)); 2458 } 2459 2460 /* Schedules 'sf_acts' to be freed after the next RCU grace period. 2461 * The caller must hold rcu_read_lock for this to be sensible. */ 2462 void ovs_nla_free_flow_actions_rcu(struct sw_flow_actions *sf_acts) 2463 { 2464 call_rcu(&sf_acts->rcu, __ovs_nla_free_flow_actions); 2465 } 2466 2467 static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa, 2468 int attr_len, bool log) 2469 { 2470 2471 struct sw_flow_actions *acts; 2472 int new_acts_size; 2473 size_t req_size = NLA_ALIGN(attr_len); 2474 int next_offset = offsetof(struct sw_flow_actions, actions) + 2475 (*sfa)->actions_len; 2476 2477 if (req_size <= (ksize(*sfa) - next_offset)) 2478 goto out; 2479 2480 new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2); 2481 2482 if (new_acts_size > MAX_ACTIONS_BUFSIZE) { 2483 if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE) { 2484 OVS_NLERR(log, "Flow action size exceeds max %u", 2485 MAX_ACTIONS_BUFSIZE); 2486 return ERR_PTR(-EMSGSIZE); 2487 } 2488 new_acts_size = MAX_ACTIONS_BUFSIZE; 2489 } 2490 2491 acts = nla_alloc_flow_actions(new_acts_size); 2492 if (IS_ERR(acts)) 2493 return (void *)acts; 2494 2495 memcpy(acts->actions, (*sfa)->actions, (*sfa)->actions_len); 2496 acts->actions_len = (*sfa)->actions_len; 2497 acts->orig_len = (*sfa)->orig_len; 2498 kfree(*sfa); 2499 *sfa = acts; 2500 2501 out: 2502 (*sfa)->actions_len += req_size; 2503 return (struct nlattr *) ((unsigned char *)(*sfa) + next_offset); 2504 } 2505 2506 static struct nlattr *__add_action(struct sw_flow_actions **sfa, 2507 int attrtype, void *data, int len, bool log) 2508 { 2509 struct nlattr *a; 2510 2511 a = reserve_sfa_size(sfa, nla_attr_size(len), log); 2512 if (IS_ERR(a)) 2513 return a; 2514 2515 a->nla_type = attrtype; 2516 a->nla_len = nla_attr_size(len); 2517 2518 if (data) 2519 memcpy(nla_data(a), data, len); 2520 memset((unsigned char *) a + a->nla_len, 0, nla_padlen(len)); 2521 2522 return a; 2523 } 2524 2525 int ovs_nla_add_action(struct sw_flow_actions **sfa, int attrtype, void *data, 2526 int len, bool log) 2527 { 2528 struct nlattr *a; 2529 2530 a = __add_action(sfa, attrtype, data, len, log); 2531 2532 return PTR_ERR_OR_ZERO(a); 2533 } 2534 2535 static inline int add_nested_action_start(struct sw_flow_actions **sfa, 2536 int attrtype, bool log) 2537 { 2538 int used = (*sfa)->actions_len; 2539 int err; 2540 2541 err = ovs_nla_add_action(sfa, attrtype, NULL, 0, log); 2542 if (err) 2543 return err; 2544 2545 return used; 2546 } 2547 2548 static inline void add_nested_action_end(struct sw_flow_actions *sfa, 2549 int st_offset) 2550 { 2551 struct nlattr *a = (struct nlattr *) ((unsigned char *)sfa->actions + 2552 st_offset); 2553 2554 a->nla_len = sfa->actions_len - st_offset; 2555 } 2556 2557 static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr, 2558 const struct sw_flow_key *key, 2559 struct sw_flow_actions **sfa, 2560 __be16 eth_type, __be16 vlan_tci, 2561 u32 mpls_label_count, bool log, 2562 u32 depth); 2563 2564 static int validate_and_copy_sample(struct net *net, const struct nlattr *attr, 2565 const struct sw_flow_key *key, 2566 struct sw_flow_actions **sfa, 2567 __be16 eth_type, __be16 vlan_tci, 2568 u32 mpls_label_count, bool log, bool last, 2569 u32 depth) 2570 { 2571 const struct nlattr *attrs[OVS_SAMPLE_ATTR_MAX + 1]; 2572 const struct nlattr *probability, *actions; 2573 const struct nlattr *a; 2574 int rem, start, err; 2575 struct sample_arg arg; 2576 2577 memset(attrs, 0, sizeof(attrs)); 2578 nla_for_each_nested(a, attr, rem) { 2579 int type = nla_type(a); 2580 if (!type || type > OVS_SAMPLE_ATTR_MAX || attrs[type]) 2581 return -EINVAL; 2582 attrs[type] = a; 2583 } 2584 if (rem) 2585 return -EINVAL; 2586 2587 probability = attrs[OVS_SAMPLE_ATTR_PROBABILITY]; 2588 if (!probability || nla_len(probability) != sizeof(u32)) 2589 return -EINVAL; 2590 2591 actions = attrs[OVS_SAMPLE_ATTR_ACTIONS]; 2592 if (!actions || (nla_len(actions) && nla_len(actions) < NLA_HDRLEN)) 2593 return -EINVAL; 2594 2595 /* validation done, copy sample action. */ 2596 start = add_nested_action_start(sfa, OVS_ACTION_ATTR_SAMPLE, log); 2597 if (start < 0) 2598 return start; 2599 2600 /* When both skb and flow may be changed, put the sample 2601 * into a deferred fifo. On the other hand, if only skb 2602 * may be modified, the actions can be executed in place. 2603 * 2604 * Do this analysis at the flow installation time. 2605 * Set 'clone_action->exec' to true if the actions can be 2606 * executed without being deferred. 2607 * 2608 * If the sample is the last action, it can always be excuted 2609 * rather than deferred. 2610 */ 2611 arg.exec = last || !actions_may_change_flow(actions); 2612 arg.probability = nla_get_u32(probability); 2613 2614 err = ovs_nla_add_action(sfa, OVS_SAMPLE_ATTR_ARG, &arg, sizeof(arg), 2615 log); 2616 if (err) 2617 return err; 2618 2619 err = __ovs_nla_copy_actions(net, actions, key, sfa, 2620 eth_type, vlan_tci, mpls_label_count, log, 2621 depth + 1); 2622 2623 if (err) 2624 return err; 2625 2626 add_nested_action_end(*sfa, start); 2627 2628 return 0; 2629 } 2630 2631 static int validate_and_copy_dec_ttl(struct net *net, 2632 const struct nlattr *attr, 2633 const struct sw_flow_key *key, 2634 struct sw_flow_actions **sfa, 2635 __be16 eth_type, __be16 vlan_tci, 2636 u32 mpls_label_count, bool log, 2637 u32 depth) 2638 { 2639 const struct nlattr *attrs[OVS_DEC_TTL_ATTR_MAX + 1]; 2640 int start, action_start, err, rem; 2641 const struct nlattr *a, *actions; 2642 2643 memset(attrs, 0, sizeof(attrs)); 2644 nla_for_each_nested(a, attr, rem) { 2645 int type = nla_type(a); 2646 2647 /* Ignore unknown attributes to be future proof. */ 2648 if (type > OVS_DEC_TTL_ATTR_MAX) 2649 continue; 2650 2651 if (!type || attrs[type]) { 2652 OVS_NLERR(log, "Duplicate or invalid key (type %d).", 2653 type); 2654 return -EINVAL; 2655 } 2656 2657 attrs[type] = a; 2658 } 2659 2660 if (rem) { 2661 OVS_NLERR(log, "Message has %d unknown bytes.", rem); 2662 return -EINVAL; 2663 } 2664 2665 actions = attrs[OVS_DEC_TTL_ATTR_ACTION]; 2666 if (!actions || (nla_len(actions) && nla_len(actions) < NLA_HDRLEN)) { 2667 OVS_NLERR(log, "Missing valid actions attribute."); 2668 return -EINVAL; 2669 } 2670 2671 start = add_nested_action_start(sfa, OVS_ACTION_ATTR_DEC_TTL, log); 2672 if (start < 0) 2673 return start; 2674 2675 action_start = add_nested_action_start(sfa, OVS_DEC_TTL_ATTR_ACTION, log); 2676 if (action_start < 0) 2677 return action_start; 2678 2679 err = __ovs_nla_copy_actions(net, actions, key, sfa, eth_type, 2680 vlan_tci, mpls_label_count, log, 2681 depth + 1); 2682 if (err) 2683 return err; 2684 2685 add_nested_action_end(*sfa, action_start); 2686 add_nested_action_end(*sfa, start); 2687 return 0; 2688 } 2689 2690 static int validate_and_copy_clone(struct net *net, 2691 const struct nlattr *attr, 2692 const struct sw_flow_key *key, 2693 struct sw_flow_actions **sfa, 2694 __be16 eth_type, __be16 vlan_tci, 2695 u32 mpls_label_count, bool log, bool last, 2696 u32 depth) 2697 { 2698 int start, err; 2699 u32 exec; 2700 2701 if (nla_len(attr) && nla_len(attr) < NLA_HDRLEN) 2702 return -EINVAL; 2703 2704 start = add_nested_action_start(sfa, OVS_ACTION_ATTR_CLONE, log); 2705 if (start < 0) 2706 return start; 2707 2708 exec = last || !actions_may_change_flow(attr); 2709 2710 err = ovs_nla_add_action(sfa, OVS_CLONE_ATTR_EXEC, &exec, 2711 sizeof(exec), log); 2712 if (err) 2713 return err; 2714 2715 err = __ovs_nla_copy_actions(net, attr, key, sfa, 2716 eth_type, vlan_tci, mpls_label_count, log, 2717 depth + 1); 2718 if (err) 2719 return err; 2720 2721 add_nested_action_end(*sfa, start); 2722 2723 return 0; 2724 } 2725 2726 void ovs_match_init(struct sw_flow_match *match, 2727 struct sw_flow_key *key, 2728 bool reset_key, 2729 struct sw_flow_mask *mask) 2730 { 2731 memset(match, 0, sizeof(*match)); 2732 match->key = key; 2733 match->mask = mask; 2734 2735 if (reset_key) 2736 memset(key, 0, sizeof(*key)); 2737 2738 if (mask) { 2739 memset(&mask->key, 0, sizeof(mask->key)); 2740 mask->range.start = mask->range.end = 0; 2741 } 2742 } 2743 2744 static int validate_geneve_opts(struct sw_flow_key *key) 2745 { 2746 struct geneve_opt *option; 2747 int opts_len = key->tun_opts_len; 2748 bool crit_opt = false; 2749 2750 option = (struct geneve_opt *)TUN_METADATA_OPTS(key, key->tun_opts_len); 2751 while (opts_len > 0) { 2752 int len; 2753 2754 if (opts_len < sizeof(*option)) 2755 return -EINVAL; 2756 2757 len = sizeof(*option) + option->length * 4; 2758 if (len > opts_len) 2759 return -EINVAL; 2760 2761 crit_opt |= !!(option->type & GENEVE_CRIT_OPT_TYPE); 2762 2763 option = (struct geneve_opt *)((u8 *)option + len); 2764 opts_len -= len; 2765 } 2766 2767 if (crit_opt) 2768 __set_bit(IP_TUNNEL_CRIT_OPT_BIT, key->tun_key.tun_flags); 2769 2770 return 0; 2771 } 2772 2773 static int validate_and_copy_set_tun(const struct nlattr *attr, 2774 struct sw_flow_actions **sfa, bool log) 2775 { 2776 IP_TUNNEL_DECLARE_FLAGS(dst_opt_type) = { }; 2777 struct sw_flow_match match; 2778 struct sw_flow_key key; 2779 struct metadata_dst *tun_dst; 2780 struct ip_tunnel_info *tun_info; 2781 struct ovs_tunnel_info *ovs_tun; 2782 struct nlattr *a; 2783 int err = 0, start, opts_type; 2784 2785 ovs_match_init(&match, &key, true, NULL); 2786 opts_type = ip_tun_from_nlattr(nla_data(attr), &match, false, log); 2787 if (opts_type < 0) 2788 return opts_type; 2789 2790 if (key.tun_opts_len) { 2791 switch (opts_type) { 2792 case OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS: 2793 err = validate_geneve_opts(&key); 2794 if (err < 0) 2795 return err; 2796 2797 __set_bit(IP_TUNNEL_GENEVE_OPT_BIT, dst_opt_type); 2798 break; 2799 case OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS: 2800 __set_bit(IP_TUNNEL_VXLAN_OPT_BIT, dst_opt_type); 2801 break; 2802 case OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS: 2803 __set_bit(IP_TUNNEL_ERSPAN_OPT_BIT, dst_opt_type); 2804 break; 2805 } 2806 } 2807 2808 start = add_nested_action_start(sfa, OVS_ACTION_ATTR_SET, log); 2809 if (start < 0) 2810 return start; 2811 2812 tun_dst = metadata_dst_alloc(key.tun_opts_len, METADATA_IP_TUNNEL, 2813 GFP_KERNEL); 2814 2815 if (!tun_dst) 2816 return -ENOMEM; 2817 2818 err = dst_cache_init(&tun_dst->u.tun_info.dst_cache, GFP_KERNEL); 2819 if (err) { 2820 dst_release((struct dst_entry *)tun_dst); 2821 return err; 2822 } 2823 2824 a = __add_action(sfa, OVS_KEY_ATTR_TUNNEL_INFO, NULL, 2825 sizeof(*ovs_tun), log); 2826 if (IS_ERR(a)) { 2827 dst_release((struct dst_entry *)tun_dst); 2828 return PTR_ERR(a); 2829 } 2830 2831 ovs_tun = nla_data(a); 2832 ovs_tun->tun_dst = tun_dst; 2833 2834 tun_info = &tun_dst->u.tun_info; 2835 tun_info->mode = IP_TUNNEL_INFO_TX; 2836 if (key.tun_proto == AF_INET6) 2837 tun_info->mode |= IP_TUNNEL_INFO_IPV6; 2838 else if (key.tun_proto == AF_INET && key.tun_key.u.ipv4.dst == 0) 2839 tun_info->mode |= IP_TUNNEL_INFO_BRIDGE; 2840 tun_info->key = key.tun_key; 2841 2842 /* We need to store the options in the action itself since 2843 * everything else will go away after flow setup. We can append 2844 * it to tun_info and then point there. 2845 */ 2846 ip_tunnel_info_opts_set(tun_info, 2847 TUN_METADATA_OPTS(&key, key.tun_opts_len), 2848 key.tun_opts_len, dst_opt_type); 2849 add_nested_action_end(*sfa, start); 2850 2851 return err; 2852 } 2853 2854 static bool validate_nsh(const struct nlattr *attr, bool is_mask, 2855 bool is_push_nsh, bool log) 2856 { 2857 struct sw_flow_match match; 2858 struct sw_flow_key key; 2859 int ret = 0; 2860 2861 ovs_match_init(&match, &key, true, NULL); 2862 ret = nsh_key_put_from_nlattr(attr, &match, is_mask, 2863 is_push_nsh, log); 2864 return !ret; 2865 } 2866 2867 /* Return false if there are any non-masked bits set. 2868 * Mask follows data immediately, before any netlink padding. 2869 */ 2870 static bool validate_masked(u8 *data, int len) 2871 { 2872 u8 *mask = data + len; 2873 2874 while (len--) 2875 if (*data++ & ~*mask++) 2876 return false; 2877 2878 return true; 2879 } 2880 2881 static int validate_set(const struct nlattr *a, 2882 const struct sw_flow_key *flow_key, 2883 struct sw_flow_actions **sfa, bool *skip_copy, 2884 u8 mac_proto, __be16 eth_type, bool masked, bool log) 2885 { 2886 const struct nlattr *ovs_key = nla_data(a); 2887 int key_type = nla_type(ovs_key); 2888 size_t key_len; 2889 2890 /* There can be only one key in a action */ 2891 if (nla_total_size(nla_len(ovs_key)) != nla_len(a)) 2892 return -EINVAL; 2893 2894 key_len = nla_len(ovs_key); 2895 if (masked) 2896 key_len /= 2; 2897 2898 if (key_type > OVS_KEY_ATTR_MAX || 2899 !check_attr_len(key_len, ovs_key_lens[key_type].len)) 2900 return -EINVAL; 2901 2902 if (masked && !validate_masked(nla_data(ovs_key), key_len)) 2903 return -EINVAL; 2904 2905 switch (key_type) { 2906 case OVS_KEY_ATTR_PRIORITY: 2907 case OVS_KEY_ATTR_SKB_MARK: 2908 case OVS_KEY_ATTR_CT_MARK: 2909 case OVS_KEY_ATTR_CT_LABELS: 2910 break; 2911 2912 case OVS_KEY_ATTR_ETHERNET: 2913 if (mac_proto != MAC_PROTO_ETHERNET) 2914 return -EINVAL; 2915 break; 2916 2917 case OVS_KEY_ATTR_TUNNEL: { 2918 int err; 2919 2920 if (masked) 2921 return -EINVAL; /* Masked tunnel set not supported. */ 2922 2923 *skip_copy = true; 2924 err = validate_and_copy_set_tun(a, sfa, log); 2925 if (err) 2926 return err; 2927 break; 2928 } 2929 case OVS_KEY_ATTR_IPV4: { 2930 const struct ovs_key_ipv4 *ipv4_key; 2931 2932 if (eth_type != htons(ETH_P_IP)) 2933 return -EINVAL; 2934 2935 ipv4_key = nla_data(ovs_key); 2936 2937 if (masked) { 2938 const struct ovs_key_ipv4 *mask = ipv4_key + 1; 2939 2940 /* Non-writeable fields. */ 2941 if (mask->ipv4_proto || mask->ipv4_frag) 2942 return -EINVAL; 2943 } else { 2944 if (ipv4_key->ipv4_proto != flow_key->ip.proto) 2945 return -EINVAL; 2946 2947 if (ipv4_key->ipv4_frag != flow_key->ip.frag) 2948 return -EINVAL; 2949 } 2950 break; 2951 } 2952 case OVS_KEY_ATTR_IPV6: { 2953 const struct ovs_key_ipv6 *ipv6_key; 2954 2955 if (eth_type != htons(ETH_P_IPV6)) 2956 return -EINVAL; 2957 2958 ipv6_key = nla_data(ovs_key); 2959 2960 if (masked) { 2961 const struct ovs_key_ipv6 *mask = ipv6_key + 1; 2962 2963 /* Non-writeable fields. */ 2964 if (mask->ipv6_proto || mask->ipv6_frag) 2965 return -EINVAL; 2966 2967 /* Invalid bits in the flow label mask? */ 2968 if (ntohl(mask->ipv6_label) & 0xFFF00000) 2969 return -EINVAL; 2970 } else { 2971 if (ipv6_key->ipv6_proto != flow_key->ip.proto) 2972 return -EINVAL; 2973 2974 if (ipv6_key->ipv6_frag != flow_key->ip.frag) 2975 return -EINVAL; 2976 } 2977 if (ntohl(ipv6_key->ipv6_label) & 0xFFF00000) 2978 return -EINVAL; 2979 2980 break; 2981 } 2982 case OVS_KEY_ATTR_TCP: 2983 if ((eth_type != htons(ETH_P_IP) && 2984 eth_type != htons(ETH_P_IPV6)) || 2985 flow_key->ip.proto != IPPROTO_TCP) 2986 return -EINVAL; 2987 2988 break; 2989 2990 case OVS_KEY_ATTR_UDP: 2991 if ((eth_type != htons(ETH_P_IP) && 2992 eth_type != htons(ETH_P_IPV6)) || 2993 flow_key->ip.proto != IPPROTO_UDP) 2994 return -EINVAL; 2995 2996 break; 2997 2998 case OVS_KEY_ATTR_MPLS: 2999 if (!eth_p_mpls(eth_type)) 3000 return -EINVAL; 3001 break; 3002 3003 case OVS_KEY_ATTR_SCTP: 3004 if ((eth_type != htons(ETH_P_IP) && 3005 eth_type != htons(ETH_P_IPV6)) || 3006 flow_key->ip.proto != IPPROTO_SCTP) 3007 return -EINVAL; 3008 3009 break; 3010 3011 case OVS_KEY_ATTR_NSH: 3012 if (eth_type != htons(ETH_P_NSH)) 3013 return -EINVAL; 3014 if (!validate_nsh(nla_data(a), masked, false, log)) 3015 return -EINVAL; 3016 break; 3017 3018 default: 3019 return -EINVAL; 3020 } 3021 3022 /* Convert non-masked non-tunnel set actions to masked set actions. */ 3023 if (!masked && key_type != OVS_KEY_ATTR_TUNNEL) { 3024 int start, len = key_len * 2; 3025 struct nlattr *at; 3026 3027 *skip_copy = true; 3028 3029 start = add_nested_action_start(sfa, 3030 OVS_ACTION_ATTR_SET_TO_MASKED, 3031 log); 3032 if (start < 0) 3033 return start; 3034 3035 at = __add_action(sfa, key_type, NULL, len, log); 3036 if (IS_ERR(at)) 3037 return PTR_ERR(at); 3038 3039 memcpy(nla_data(at), nla_data(ovs_key), key_len); /* Key. */ 3040 memset(nla_data(at) + key_len, 0xff, key_len); /* Mask. */ 3041 /* Clear non-writeable bits from otherwise writeable fields. */ 3042 if (key_type == OVS_KEY_ATTR_IPV6) { 3043 struct ovs_key_ipv6 *mask = nla_data(at) + key_len; 3044 3045 mask->ipv6_label &= htonl(0x000FFFFF); 3046 } 3047 add_nested_action_end(*sfa, start); 3048 } 3049 3050 return 0; 3051 } 3052 3053 static int validate_userspace(const struct nlattr *attr) 3054 { 3055 static const struct nla_policy userspace_policy[OVS_USERSPACE_ATTR_MAX + 1] = { 3056 [OVS_USERSPACE_ATTR_PID] = {.type = NLA_U32 }, 3057 [OVS_USERSPACE_ATTR_USERDATA] = {.type = NLA_UNSPEC }, 3058 [OVS_USERSPACE_ATTR_EGRESS_TUN_PORT] = {.type = NLA_U32 }, 3059 }; 3060 struct nlattr *a[OVS_USERSPACE_ATTR_MAX + 1]; 3061 int error; 3062 3063 error = nla_parse_nested_deprecated(a, OVS_USERSPACE_ATTR_MAX, attr, 3064 userspace_policy, NULL); 3065 if (error) 3066 return error; 3067 3068 if (!a[OVS_USERSPACE_ATTR_PID] || 3069 !nla_get_u32(a[OVS_USERSPACE_ATTR_PID])) 3070 return -EINVAL; 3071 3072 return 0; 3073 } 3074 3075 static const struct nla_policy cpl_policy[OVS_CHECK_PKT_LEN_ATTR_MAX + 1] = { 3076 [OVS_CHECK_PKT_LEN_ATTR_PKT_LEN] = {.type = NLA_U16 }, 3077 [OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER] = {.type = NLA_NESTED }, 3078 [OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL] = {.type = NLA_NESTED }, 3079 }; 3080 3081 static int validate_and_copy_check_pkt_len(struct net *net, 3082 const struct nlattr *attr, 3083 const struct sw_flow_key *key, 3084 struct sw_flow_actions **sfa, 3085 __be16 eth_type, __be16 vlan_tci, 3086 u32 mpls_label_count, 3087 bool log, bool last, u32 depth) 3088 { 3089 const struct nlattr *acts_if_greater, *acts_if_lesser_eq; 3090 struct nlattr *a[OVS_CHECK_PKT_LEN_ATTR_MAX + 1]; 3091 struct check_pkt_len_arg arg; 3092 int nested_acts_start; 3093 int start, err; 3094 3095 err = nla_parse_deprecated_strict(a, OVS_CHECK_PKT_LEN_ATTR_MAX, 3096 nla_data(attr), nla_len(attr), 3097 cpl_policy, NULL); 3098 if (err) 3099 return err; 3100 3101 if (!a[OVS_CHECK_PKT_LEN_ATTR_PKT_LEN] || 3102 !nla_get_u16(a[OVS_CHECK_PKT_LEN_ATTR_PKT_LEN])) 3103 return -EINVAL; 3104 3105 acts_if_lesser_eq = a[OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL]; 3106 acts_if_greater = a[OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER]; 3107 3108 /* Both the nested action should be present. */ 3109 if (!acts_if_greater || !acts_if_lesser_eq) 3110 return -EINVAL; 3111 3112 /* validation done, copy the nested actions. */ 3113 start = add_nested_action_start(sfa, OVS_ACTION_ATTR_CHECK_PKT_LEN, 3114 log); 3115 if (start < 0) 3116 return start; 3117 3118 arg.pkt_len = nla_get_u16(a[OVS_CHECK_PKT_LEN_ATTR_PKT_LEN]); 3119 arg.exec_for_lesser_equal = 3120 last || !actions_may_change_flow(acts_if_lesser_eq); 3121 arg.exec_for_greater = 3122 last || !actions_may_change_flow(acts_if_greater); 3123 3124 err = ovs_nla_add_action(sfa, OVS_CHECK_PKT_LEN_ATTR_ARG, &arg, 3125 sizeof(arg), log); 3126 if (err) 3127 return err; 3128 3129 nested_acts_start = add_nested_action_start(sfa, 3130 OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL, log); 3131 if (nested_acts_start < 0) 3132 return nested_acts_start; 3133 3134 err = __ovs_nla_copy_actions(net, acts_if_lesser_eq, key, sfa, 3135 eth_type, vlan_tci, mpls_label_count, log, 3136 depth + 1); 3137 3138 if (err) 3139 return err; 3140 3141 add_nested_action_end(*sfa, nested_acts_start); 3142 3143 nested_acts_start = add_nested_action_start(sfa, 3144 OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER, log); 3145 if (nested_acts_start < 0) 3146 return nested_acts_start; 3147 3148 err = __ovs_nla_copy_actions(net, acts_if_greater, key, sfa, 3149 eth_type, vlan_tci, mpls_label_count, log, 3150 depth + 1); 3151 3152 if (err) 3153 return err; 3154 3155 add_nested_action_end(*sfa, nested_acts_start); 3156 add_nested_action_end(*sfa, start); 3157 return 0; 3158 } 3159 3160 static int copy_action(const struct nlattr *from, 3161 struct sw_flow_actions **sfa, bool log) 3162 { 3163 int totlen = NLA_ALIGN(from->nla_len); 3164 struct nlattr *to; 3165 3166 to = reserve_sfa_size(sfa, from->nla_len, log); 3167 if (IS_ERR(to)) 3168 return PTR_ERR(to); 3169 3170 memcpy(to, from, totlen); 3171 return 0; 3172 } 3173 3174 static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr, 3175 const struct sw_flow_key *key, 3176 struct sw_flow_actions **sfa, 3177 __be16 eth_type, __be16 vlan_tci, 3178 u32 mpls_label_count, bool log, 3179 u32 depth) 3180 { 3181 u8 mac_proto = ovs_key_mac_proto(key); 3182 const struct nlattr *a; 3183 int rem, err; 3184 3185 if (depth > OVS_COPY_ACTIONS_MAX_DEPTH) 3186 return -EOVERFLOW; 3187 3188 nla_for_each_nested(a, attr, rem) { 3189 /* Expected argument lengths, (u32)-1 for variable length. */ 3190 static const u32 action_lens[OVS_ACTION_ATTR_MAX + 1] = { 3191 [OVS_ACTION_ATTR_OUTPUT] = sizeof(u32), 3192 [OVS_ACTION_ATTR_RECIRC] = sizeof(u32), 3193 [OVS_ACTION_ATTR_USERSPACE] = (u32)-1, 3194 [OVS_ACTION_ATTR_PUSH_MPLS] = sizeof(struct ovs_action_push_mpls), 3195 [OVS_ACTION_ATTR_POP_MPLS] = sizeof(__be16), 3196 [OVS_ACTION_ATTR_PUSH_VLAN] = sizeof(struct ovs_action_push_vlan), 3197 [OVS_ACTION_ATTR_POP_VLAN] = 0, 3198 [OVS_ACTION_ATTR_SET] = (u32)-1, 3199 [OVS_ACTION_ATTR_SET_MASKED] = (u32)-1, 3200 [OVS_ACTION_ATTR_SAMPLE] = (u32)-1, 3201 [OVS_ACTION_ATTR_HASH] = sizeof(struct ovs_action_hash), 3202 [OVS_ACTION_ATTR_CT] = (u32)-1, 3203 [OVS_ACTION_ATTR_CT_CLEAR] = 0, 3204 [OVS_ACTION_ATTR_TRUNC] = sizeof(struct ovs_action_trunc), 3205 [OVS_ACTION_ATTR_PUSH_ETH] = sizeof(struct ovs_action_push_eth), 3206 [OVS_ACTION_ATTR_POP_ETH] = 0, 3207 [OVS_ACTION_ATTR_PUSH_NSH] = (u32)-1, 3208 [OVS_ACTION_ATTR_POP_NSH] = 0, 3209 [OVS_ACTION_ATTR_METER] = sizeof(u32), 3210 [OVS_ACTION_ATTR_CLONE] = (u32)-1, 3211 [OVS_ACTION_ATTR_CHECK_PKT_LEN] = (u32)-1, 3212 [OVS_ACTION_ATTR_ADD_MPLS] = sizeof(struct ovs_action_add_mpls), 3213 [OVS_ACTION_ATTR_DEC_TTL] = (u32)-1, 3214 [OVS_ACTION_ATTR_DROP] = sizeof(u32), 3215 }; 3216 const struct ovs_action_push_vlan *vlan; 3217 int type = nla_type(a); 3218 bool skip_copy; 3219 3220 if (type > OVS_ACTION_ATTR_MAX || 3221 (action_lens[type] != nla_len(a) && 3222 action_lens[type] != (u32)-1)) 3223 return -EINVAL; 3224 3225 skip_copy = false; 3226 switch (type) { 3227 case OVS_ACTION_ATTR_UNSPEC: 3228 return -EINVAL; 3229 3230 case OVS_ACTION_ATTR_USERSPACE: 3231 err = validate_userspace(a); 3232 if (err) 3233 return err; 3234 break; 3235 3236 case OVS_ACTION_ATTR_OUTPUT: 3237 if (nla_get_u32(a) >= DP_MAX_PORTS) 3238 return -EINVAL; 3239 break; 3240 3241 case OVS_ACTION_ATTR_TRUNC: { 3242 const struct ovs_action_trunc *trunc = nla_data(a); 3243 3244 if (trunc->max_len < ETH_HLEN) 3245 return -EINVAL; 3246 break; 3247 } 3248 3249 case OVS_ACTION_ATTR_HASH: { 3250 const struct ovs_action_hash *act_hash = nla_data(a); 3251 3252 switch (act_hash->hash_alg) { 3253 case OVS_HASH_ALG_L4: 3254 fallthrough; 3255 case OVS_HASH_ALG_SYM_L4: 3256 break; 3257 default: 3258 return -EINVAL; 3259 } 3260 3261 break; 3262 } 3263 3264 case OVS_ACTION_ATTR_POP_VLAN: 3265 if (mac_proto != MAC_PROTO_ETHERNET) 3266 return -EINVAL; 3267 vlan_tci = htons(0); 3268 break; 3269 3270 case OVS_ACTION_ATTR_PUSH_VLAN: 3271 if (mac_proto != MAC_PROTO_ETHERNET) 3272 return -EINVAL; 3273 vlan = nla_data(a); 3274 if (!eth_type_vlan(vlan->vlan_tpid)) 3275 return -EINVAL; 3276 if (!(vlan->vlan_tci & htons(VLAN_CFI_MASK))) 3277 return -EINVAL; 3278 vlan_tci = vlan->vlan_tci; 3279 break; 3280 3281 case OVS_ACTION_ATTR_RECIRC: 3282 break; 3283 3284 case OVS_ACTION_ATTR_ADD_MPLS: { 3285 const struct ovs_action_add_mpls *mpls = nla_data(a); 3286 3287 if (!eth_p_mpls(mpls->mpls_ethertype)) 3288 return -EINVAL; 3289 3290 if (mpls->tun_flags & OVS_MPLS_L3_TUNNEL_FLAG_MASK) { 3291 if (vlan_tci & htons(VLAN_CFI_MASK) || 3292 (eth_type != htons(ETH_P_IP) && 3293 eth_type != htons(ETH_P_IPV6) && 3294 eth_type != htons(ETH_P_ARP) && 3295 eth_type != htons(ETH_P_RARP) && 3296 !eth_p_mpls(eth_type))) 3297 return -EINVAL; 3298 mpls_label_count++; 3299 } else { 3300 if (mac_proto == MAC_PROTO_ETHERNET) { 3301 mpls_label_count = 1; 3302 mac_proto = MAC_PROTO_NONE; 3303 } else { 3304 mpls_label_count++; 3305 } 3306 } 3307 eth_type = mpls->mpls_ethertype; 3308 break; 3309 } 3310 3311 case OVS_ACTION_ATTR_PUSH_MPLS: { 3312 const struct ovs_action_push_mpls *mpls = nla_data(a); 3313 3314 if (!eth_p_mpls(mpls->mpls_ethertype)) 3315 return -EINVAL; 3316 /* Prohibit push MPLS other than to a white list 3317 * for packets that have a known tag order. 3318 */ 3319 if (vlan_tci & htons(VLAN_CFI_MASK) || 3320 (eth_type != htons(ETH_P_IP) && 3321 eth_type != htons(ETH_P_IPV6) && 3322 eth_type != htons(ETH_P_ARP) && 3323 eth_type != htons(ETH_P_RARP) && 3324 !eth_p_mpls(eth_type))) 3325 return -EINVAL; 3326 eth_type = mpls->mpls_ethertype; 3327 mpls_label_count++; 3328 break; 3329 } 3330 3331 case OVS_ACTION_ATTR_POP_MPLS: { 3332 __be16 proto; 3333 if (vlan_tci & htons(VLAN_CFI_MASK) || 3334 !eth_p_mpls(eth_type)) 3335 return -EINVAL; 3336 3337 /* Disallow subsequent L2.5+ set actions and mpls_pop 3338 * actions once the last MPLS label in the packet is 3339 * popped as there is no check here to ensure that 3340 * the new eth type is valid and thus set actions could 3341 * write off the end of the packet or otherwise corrupt 3342 * it. 3343 * 3344 * Support for these actions is planned using packet 3345 * recirculation. 3346 */ 3347 proto = nla_get_be16(a); 3348 3349 if (proto == htons(ETH_P_TEB) && 3350 mac_proto != MAC_PROTO_NONE) 3351 return -EINVAL; 3352 3353 mpls_label_count--; 3354 3355 if (!eth_p_mpls(proto) || !mpls_label_count) 3356 eth_type = htons(0); 3357 else 3358 eth_type = proto; 3359 3360 break; 3361 } 3362 3363 case OVS_ACTION_ATTR_SET: 3364 err = validate_set(a, key, sfa, 3365 &skip_copy, mac_proto, eth_type, 3366 false, log); 3367 if (err) 3368 return err; 3369 break; 3370 3371 case OVS_ACTION_ATTR_SET_MASKED: 3372 err = validate_set(a, key, sfa, 3373 &skip_copy, mac_proto, eth_type, 3374 true, log); 3375 if (err) 3376 return err; 3377 break; 3378 3379 case OVS_ACTION_ATTR_SAMPLE: { 3380 bool last = nla_is_last(a, rem); 3381 3382 err = validate_and_copy_sample(net, a, key, sfa, 3383 eth_type, vlan_tci, 3384 mpls_label_count, 3385 log, last, depth); 3386 if (err) 3387 return err; 3388 skip_copy = true; 3389 break; 3390 } 3391 3392 case OVS_ACTION_ATTR_CT: 3393 err = ovs_ct_copy_action(net, a, key, sfa, log); 3394 if (err) 3395 return err; 3396 skip_copy = true; 3397 break; 3398 3399 case OVS_ACTION_ATTR_CT_CLEAR: 3400 break; 3401 3402 case OVS_ACTION_ATTR_PUSH_ETH: 3403 /* Disallow pushing an Ethernet header if one 3404 * is already present */ 3405 if (mac_proto != MAC_PROTO_NONE) 3406 return -EINVAL; 3407 mac_proto = MAC_PROTO_ETHERNET; 3408 break; 3409 3410 case OVS_ACTION_ATTR_POP_ETH: 3411 if (mac_proto != MAC_PROTO_ETHERNET) 3412 return -EINVAL; 3413 if (vlan_tci & htons(VLAN_CFI_MASK)) 3414 return -EINVAL; 3415 mac_proto = MAC_PROTO_NONE; 3416 break; 3417 3418 case OVS_ACTION_ATTR_PUSH_NSH: 3419 if (mac_proto != MAC_PROTO_ETHERNET) { 3420 u8 next_proto; 3421 3422 next_proto = tun_p_from_eth_p(eth_type); 3423 if (!next_proto) 3424 return -EINVAL; 3425 } 3426 mac_proto = MAC_PROTO_NONE; 3427 if (!validate_nsh(nla_data(a), false, true, true)) 3428 return -EINVAL; 3429 break; 3430 3431 case OVS_ACTION_ATTR_POP_NSH: { 3432 __be16 inner_proto; 3433 3434 if (eth_type != htons(ETH_P_NSH)) 3435 return -EINVAL; 3436 inner_proto = tun_p_to_eth_p(key->nsh.base.np); 3437 if (!inner_proto) 3438 return -EINVAL; 3439 if (key->nsh.base.np == TUN_P_ETHERNET) 3440 mac_proto = MAC_PROTO_ETHERNET; 3441 else 3442 mac_proto = MAC_PROTO_NONE; 3443 break; 3444 } 3445 3446 case OVS_ACTION_ATTR_METER: 3447 /* Non-existent meters are simply ignored. */ 3448 break; 3449 3450 case OVS_ACTION_ATTR_CLONE: { 3451 bool last = nla_is_last(a, rem); 3452 3453 err = validate_and_copy_clone(net, a, key, sfa, 3454 eth_type, vlan_tci, 3455 mpls_label_count, 3456 log, last, depth); 3457 if (err) 3458 return err; 3459 skip_copy = true; 3460 break; 3461 } 3462 3463 case OVS_ACTION_ATTR_CHECK_PKT_LEN: { 3464 bool last = nla_is_last(a, rem); 3465 3466 err = validate_and_copy_check_pkt_len(net, a, key, sfa, 3467 eth_type, 3468 vlan_tci, 3469 mpls_label_count, 3470 log, last, 3471 depth); 3472 if (err) 3473 return err; 3474 skip_copy = true; 3475 break; 3476 } 3477 3478 case OVS_ACTION_ATTR_DEC_TTL: 3479 err = validate_and_copy_dec_ttl(net, a, key, sfa, 3480 eth_type, vlan_tci, 3481 mpls_label_count, log, 3482 depth); 3483 if (err) 3484 return err; 3485 skip_copy = true; 3486 break; 3487 3488 case OVS_ACTION_ATTR_DROP: 3489 if (!nla_is_last(a, rem)) 3490 return -EINVAL; 3491 break; 3492 3493 default: 3494 OVS_NLERR(log, "Unknown Action type %d", type); 3495 return -EINVAL; 3496 } 3497 if (!skip_copy) { 3498 err = copy_action(a, sfa, log); 3499 if (err) 3500 return err; 3501 } 3502 } 3503 3504 if (rem > 0) 3505 return -EINVAL; 3506 3507 return 0; 3508 } 3509 3510 /* 'key' must be the masked key. */ 3511 int ovs_nla_copy_actions(struct net *net, const struct nlattr *attr, 3512 const struct sw_flow_key *key, 3513 struct sw_flow_actions **sfa, bool log) 3514 { 3515 int err; 3516 u32 mpls_label_count = 0; 3517 3518 *sfa = nla_alloc_flow_actions(min(nla_len(attr), MAX_ACTIONS_BUFSIZE)); 3519 if (IS_ERR(*sfa)) 3520 return PTR_ERR(*sfa); 3521 3522 if (eth_p_mpls(key->eth.type)) 3523 mpls_label_count = hweight_long(key->mpls.num_labels_mask); 3524 3525 (*sfa)->orig_len = nla_len(attr); 3526 err = __ovs_nla_copy_actions(net, attr, key, sfa, key->eth.type, 3527 key->eth.vlan.tci, mpls_label_count, log, 3528 0); 3529 if (err) 3530 ovs_nla_free_flow_actions(*sfa); 3531 3532 return err; 3533 } 3534 3535 static int sample_action_to_attr(const struct nlattr *attr, 3536 struct sk_buff *skb) 3537 { 3538 struct nlattr *start, *ac_start = NULL, *sample_arg; 3539 int err = 0, rem = nla_len(attr); 3540 const struct sample_arg *arg; 3541 struct nlattr *actions; 3542 3543 start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_SAMPLE); 3544 if (!start) 3545 return -EMSGSIZE; 3546 3547 sample_arg = nla_data(attr); 3548 arg = nla_data(sample_arg); 3549 actions = nla_next(sample_arg, &rem); 3550 3551 if (nla_put_u32(skb, OVS_SAMPLE_ATTR_PROBABILITY, arg->probability)) { 3552 err = -EMSGSIZE; 3553 goto out; 3554 } 3555 3556 ac_start = nla_nest_start_noflag(skb, OVS_SAMPLE_ATTR_ACTIONS); 3557 if (!ac_start) { 3558 err = -EMSGSIZE; 3559 goto out; 3560 } 3561 3562 err = ovs_nla_put_actions(actions, rem, skb); 3563 3564 out: 3565 if (err) { 3566 nla_nest_cancel(skb, ac_start); 3567 nla_nest_cancel(skb, start); 3568 } else { 3569 nla_nest_end(skb, ac_start); 3570 nla_nest_end(skb, start); 3571 } 3572 3573 return err; 3574 } 3575 3576 static int clone_action_to_attr(const struct nlattr *attr, 3577 struct sk_buff *skb) 3578 { 3579 struct nlattr *start; 3580 int err = 0, rem = nla_len(attr); 3581 3582 start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_CLONE); 3583 if (!start) 3584 return -EMSGSIZE; 3585 3586 /* Skipping the OVS_CLONE_ATTR_EXEC that is always the first attribute. */ 3587 attr = nla_next(nla_data(attr), &rem); 3588 err = ovs_nla_put_actions(attr, rem, skb); 3589 3590 if (err) 3591 nla_nest_cancel(skb, start); 3592 else 3593 nla_nest_end(skb, start); 3594 3595 return err; 3596 } 3597 3598 static int check_pkt_len_action_to_attr(const struct nlattr *attr, 3599 struct sk_buff *skb) 3600 { 3601 struct nlattr *start, *ac_start = NULL; 3602 const struct check_pkt_len_arg *arg; 3603 const struct nlattr *a, *cpl_arg; 3604 int err = 0, rem = nla_len(attr); 3605 3606 start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_CHECK_PKT_LEN); 3607 if (!start) 3608 return -EMSGSIZE; 3609 3610 /* The first nested attribute in 'attr' is always 3611 * 'OVS_CHECK_PKT_LEN_ATTR_ARG'. 3612 */ 3613 cpl_arg = nla_data(attr); 3614 arg = nla_data(cpl_arg); 3615 3616 if (nla_put_u16(skb, OVS_CHECK_PKT_LEN_ATTR_PKT_LEN, arg->pkt_len)) { 3617 err = -EMSGSIZE; 3618 goto out; 3619 } 3620 3621 /* Second nested attribute in 'attr' is always 3622 * 'OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL'. 3623 */ 3624 a = nla_next(cpl_arg, &rem); 3625 ac_start = nla_nest_start_noflag(skb, 3626 OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL); 3627 if (!ac_start) { 3628 err = -EMSGSIZE; 3629 goto out; 3630 } 3631 3632 err = ovs_nla_put_actions(nla_data(a), nla_len(a), skb); 3633 if (err) { 3634 nla_nest_cancel(skb, ac_start); 3635 goto out; 3636 } else { 3637 nla_nest_end(skb, ac_start); 3638 } 3639 3640 /* Third nested attribute in 'attr' is always 3641 * OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER. 3642 */ 3643 a = nla_next(a, &rem); 3644 ac_start = nla_nest_start_noflag(skb, 3645 OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER); 3646 if (!ac_start) { 3647 err = -EMSGSIZE; 3648 goto out; 3649 } 3650 3651 err = ovs_nla_put_actions(nla_data(a), nla_len(a), skb); 3652 if (err) { 3653 nla_nest_cancel(skb, ac_start); 3654 goto out; 3655 } else { 3656 nla_nest_end(skb, ac_start); 3657 } 3658 3659 nla_nest_end(skb, start); 3660 return 0; 3661 3662 out: 3663 nla_nest_cancel(skb, start); 3664 return err; 3665 } 3666 3667 static int dec_ttl_action_to_attr(const struct nlattr *attr, 3668 struct sk_buff *skb) 3669 { 3670 struct nlattr *start, *action_start; 3671 const struct nlattr *a; 3672 int err = 0, rem; 3673 3674 start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_DEC_TTL); 3675 if (!start) 3676 return -EMSGSIZE; 3677 3678 nla_for_each_attr(a, nla_data(attr), nla_len(attr), rem) { 3679 switch (nla_type(a)) { 3680 case OVS_DEC_TTL_ATTR_ACTION: 3681 3682 action_start = nla_nest_start_noflag(skb, OVS_DEC_TTL_ATTR_ACTION); 3683 if (!action_start) { 3684 err = -EMSGSIZE; 3685 goto out; 3686 } 3687 3688 err = ovs_nla_put_actions(nla_data(a), nla_len(a), skb); 3689 if (err) 3690 goto out; 3691 3692 nla_nest_end(skb, action_start); 3693 break; 3694 3695 default: 3696 /* Ignore all other option to be future compatible */ 3697 break; 3698 } 3699 } 3700 3701 nla_nest_end(skb, start); 3702 return 0; 3703 3704 out: 3705 nla_nest_cancel(skb, start); 3706 return err; 3707 } 3708 3709 static int set_action_to_attr(const struct nlattr *a, struct sk_buff *skb) 3710 { 3711 const struct nlattr *ovs_key = nla_data(a); 3712 int key_type = nla_type(ovs_key); 3713 struct nlattr *start; 3714 int err; 3715 3716 switch (key_type) { 3717 case OVS_KEY_ATTR_TUNNEL_INFO: { 3718 struct ovs_tunnel_info *ovs_tun = nla_data(ovs_key); 3719 struct ip_tunnel_info *tun_info = &ovs_tun->tun_dst->u.tun_info; 3720 3721 start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_SET); 3722 if (!start) 3723 return -EMSGSIZE; 3724 3725 err = ip_tun_to_nlattr(skb, &tun_info->key, 3726 ip_tunnel_info_opts(tun_info), 3727 tun_info->options_len, 3728 ip_tunnel_info_af(tun_info), tun_info->mode); 3729 if (err) 3730 return err; 3731 nla_nest_end(skb, start); 3732 break; 3733 } 3734 default: 3735 if (nla_put(skb, OVS_ACTION_ATTR_SET, nla_len(a), ovs_key)) 3736 return -EMSGSIZE; 3737 break; 3738 } 3739 3740 return 0; 3741 } 3742 3743 static int masked_set_action_to_set_action_attr(const struct nlattr *a, 3744 struct sk_buff *skb) 3745 { 3746 const struct nlattr *ovs_key = nla_data(a); 3747 struct nlattr *nla; 3748 size_t key_len = nla_len(ovs_key) / 2; 3749 3750 /* Revert the conversion we did from a non-masked set action to 3751 * masked set action. 3752 */ 3753 nla = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_SET); 3754 if (!nla) 3755 return -EMSGSIZE; 3756 3757 if (nla_put(skb, nla_type(ovs_key), key_len, nla_data(ovs_key))) 3758 return -EMSGSIZE; 3759 3760 nla_nest_end(skb, nla); 3761 return 0; 3762 } 3763 3764 int ovs_nla_put_actions(const struct nlattr *attr, int len, struct sk_buff *skb) 3765 { 3766 const struct nlattr *a; 3767 int rem, err; 3768 3769 nla_for_each_attr(a, attr, len, rem) { 3770 int type = nla_type(a); 3771 3772 switch (type) { 3773 case OVS_ACTION_ATTR_SET: 3774 err = set_action_to_attr(a, skb); 3775 if (err) 3776 return err; 3777 break; 3778 3779 case OVS_ACTION_ATTR_SET_TO_MASKED: 3780 err = masked_set_action_to_set_action_attr(a, skb); 3781 if (err) 3782 return err; 3783 break; 3784 3785 case OVS_ACTION_ATTR_SAMPLE: 3786 err = sample_action_to_attr(a, skb); 3787 if (err) 3788 return err; 3789 break; 3790 3791 case OVS_ACTION_ATTR_CT: 3792 err = ovs_ct_action_to_attr(nla_data(a), skb); 3793 if (err) 3794 return err; 3795 break; 3796 3797 case OVS_ACTION_ATTR_CLONE: 3798 err = clone_action_to_attr(a, skb); 3799 if (err) 3800 return err; 3801 break; 3802 3803 case OVS_ACTION_ATTR_CHECK_PKT_LEN: 3804 err = check_pkt_len_action_to_attr(a, skb); 3805 if (err) 3806 return err; 3807 break; 3808 3809 case OVS_ACTION_ATTR_DEC_TTL: 3810 err = dec_ttl_action_to_attr(a, skb); 3811 if (err) 3812 return err; 3813 break; 3814 3815 default: 3816 if (nla_put(skb, type, nla_len(a), nla_data(a))) 3817 return -EMSGSIZE; 3818 break; 3819 } 3820 } 3821 3822 return 0; 3823 } 3824