1 /* 2 * Copyright (c) 2007-2014 Nicira, Inc. 3 * 4 * This program is free software; you can redistribute it and/or 5 * modify it under the terms of version 2 of the GNU General Public 6 * License as published by the Free Software Foundation. 7 * 8 * This program is distributed in the hope that it will be useful, but 9 * WITHOUT ANY WARRANTY; without even the implied warranty of 10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 11 * General Public License for more details. 12 * 13 * You should have received a copy of the GNU General Public License 14 * along with this program; if not, write to the Free Software 15 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 16 * 02110-1301, USA 17 */ 18 19 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 20 21 #include "flow.h" 22 #include "datapath.h" 23 #include <linux/uaccess.h> 24 #include <linux/netdevice.h> 25 #include <linux/etherdevice.h> 26 #include <linux/if_ether.h> 27 #include <linux/if_vlan.h> 28 #include <net/llc_pdu.h> 29 #include <linux/kernel.h> 30 #include <linux/jhash.h> 31 #include <linux/jiffies.h> 32 #include <linux/llc.h> 33 #include <linux/module.h> 34 #include <linux/in.h> 35 #include <linux/rcupdate.h> 36 #include <linux/if_arp.h> 37 #include <linux/ip.h> 38 #include <linux/ipv6.h> 39 #include <linux/sctp.h> 40 #include <linux/tcp.h> 41 #include <linux/udp.h> 42 #include <linux/icmp.h> 43 #include <linux/icmpv6.h> 44 #include <linux/rculist.h> 45 #include <net/geneve.h> 46 #include <net/ip.h> 47 #include <net/ipv6.h> 48 #include <net/ndisc.h> 49 #include <net/mpls.h> 50 #include <net/vxlan.h> 51 52 #include "flow_netlink.h" 53 54 struct ovs_len_tbl { 55 int len; 56 const struct ovs_len_tbl *next; 57 }; 58 59 #define OVS_ATTR_NESTED -1 60 #define OVS_ATTR_VARIABLE -2 61 62 static void update_range(struct sw_flow_match *match, 63 size_t offset, size_t size, bool is_mask) 64 { 65 struct sw_flow_key_range *range; 66 size_t start = rounddown(offset, sizeof(long)); 67 size_t 
end = roundup(offset + size, sizeof(long)); 68 69 if (!is_mask) 70 range = &match->range; 71 else 72 range = &match->mask->range; 73 74 if (range->start == range->end) { 75 range->start = start; 76 range->end = end; 77 return; 78 } 79 80 if (range->start > start) 81 range->start = start; 82 83 if (range->end < end) 84 range->end = end; 85 } 86 87 #define SW_FLOW_KEY_PUT(match, field, value, is_mask) \ 88 do { \ 89 update_range(match, offsetof(struct sw_flow_key, field), \ 90 sizeof((match)->key->field), is_mask); \ 91 if (is_mask) \ 92 (match)->mask->key.field = value; \ 93 else \ 94 (match)->key->field = value; \ 95 } while (0) 96 97 #define SW_FLOW_KEY_MEMCPY_OFFSET(match, offset, value_p, len, is_mask) \ 98 do { \ 99 update_range(match, offset, len, is_mask); \ 100 if (is_mask) \ 101 memcpy((u8 *)&(match)->mask->key + offset, value_p, \ 102 len); \ 103 else \ 104 memcpy((u8 *)(match)->key + offset, value_p, len); \ 105 } while (0) 106 107 #define SW_FLOW_KEY_MEMCPY(match, field, value_p, len, is_mask) \ 108 SW_FLOW_KEY_MEMCPY_OFFSET(match, offsetof(struct sw_flow_key, field), \ 109 value_p, len, is_mask) 110 111 #define SW_FLOW_KEY_MEMSET_FIELD(match, field, value, is_mask) \ 112 do { \ 113 update_range(match, offsetof(struct sw_flow_key, field), \ 114 sizeof((match)->key->field), is_mask); \ 115 if (is_mask) \ 116 memset((u8 *)&(match)->mask->key.field, value, \ 117 sizeof((match)->mask->key.field)); \ 118 else \ 119 memset((u8 *)&(match)->key->field, value, \ 120 sizeof((match)->key->field)); \ 121 } while (0) 122 123 static bool match_validate(const struct sw_flow_match *match, 124 u64 key_attrs, u64 mask_attrs, bool log) 125 { 126 u64 key_expected = 1 << OVS_KEY_ATTR_ETHERNET; 127 u64 mask_allowed = key_attrs; /* At most allow all key attributes */ 128 129 /* The following mask attributes allowed only if they 130 * pass the validation tests. 
*/ 131 mask_allowed &= ~((1 << OVS_KEY_ATTR_IPV4) 132 | (1 << OVS_KEY_ATTR_IPV6) 133 | (1 << OVS_KEY_ATTR_TCP) 134 | (1 << OVS_KEY_ATTR_TCP_FLAGS) 135 | (1 << OVS_KEY_ATTR_UDP) 136 | (1 << OVS_KEY_ATTR_SCTP) 137 | (1 << OVS_KEY_ATTR_ICMP) 138 | (1 << OVS_KEY_ATTR_ICMPV6) 139 | (1 << OVS_KEY_ATTR_ARP) 140 | (1 << OVS_KEY_ATTR_ND) 141 | (1 << OVS_KEY_ATTR_MPLS)); 142 143 /* Always allowed mask fields. */ 144 mask_allowed |= ((1 << OVS_KEY_ATTR_TUNNEL) 145 | (1 << OVS_KEY_ATTR_IN_PORT) 146 | (1 << OVS_KEY_ATTR_ETHERTYPE)); 147 148 /* Check key attributes. */ 149 if (match->key->eth.type == htons(ETH_P_ARP) 150 || match->key->eth.type == htons(ETH_P_RARP)) { 151 key_expected |= 1 << OVS_KEY_ATTR_ARP; 152 if (match->mask && (match->mask->key.eth.type == htons(0xffff))) 153 mask_allowed |= 1 << OVS_KEY_ATTR_ARP; 154 } 155 156 if (eth_p_mpls(match->key->eth.type)) { 157 key_expected |= 1 << OVS_KEY_ATTR_MPLS; 158 if (match->mask && (match->mask->key.eth.type == htons(0xffff))) 159 mask_allowed |= 1 << OVS_KEY_ATTR_MPLS; 160 } 161 162 if (match->key->eth.type == htons(ETH_P_IP)) { 163 key_expected |= 1 << OVS_KEY_ATTR_IPV4; 164 if (match->mask && (match->mask->key.eth.type == htons(0xffff))) 165 mask_allowed |= 1 << OVS_KEY_ATTR_IPV4; 166 167 if (match->key->ip.frag != OVS_FRAG_TYPE_LATER) { 168 if (match->key->ip.proto == IPPROTO_UDP) { 169 key_expected |= 1 << OVS_KEY_ATTR_UDP; 170 if (match->mask && (match->mask->key.ip.proto == 0xff)) 171 mask_allowed |= 1 << OVS_KEY_ATTR_UDP; 172 } 173 174 if (match->key->ip.proto == IPPROTO_SCTP) { 175 key_expected |= 1 << OVS_KEY_ATTR_SCTP; 176 if (match->mask && (match->mask->key.ip.proto == 0xff)) 177 mask_allowed |= 1 << OVS_KEY_ATTR_SCTP; 178 } 179 180 if (match->key->ip.proto == IPPROTO_TCP) { 181 key_expected |= 1 << OVS_KEY_ATTR_TCP; 182 key_expected |= 1 << OVS_KEY_ATTR_TCP_FLAGS; 183 if (match->mask && (match->mask->key.ip.proto == 0xff)) { 184 mask_allowed |= 1 << OVS_KEY_ATTR_TCP; 185 mask_allowed |= 1 << 
OVS_KEY_ATTR_TCP_FLAGS; 186 } 187 } 188 189 if (match->key->ip.proto == IPPROTO_ICMP) { 190 key_expected |= 1 << OVS_KEY_ATTR_ICMP; 191 if (match->mask && (match->mask->key.ip.proto == 0xff)) 192 mask_allowed |= 1 << OVS_KEY_ATTR_ICMP; 193 } 194 } 195 } 196 197 if (match->key->eth.type == htons(ETH_P_IPV6)) { 198 key_expected |= 1 << OVS_KEY_ATTR_IPV6; 199 if (match->mask && (match->mask->key.eth.type == htons(0xffff))) 200 mask_allowed |= 1 << OVS_KEY_ATTR_IPV6; 201 202 if (match->key->ip.frag != OVS_FRAG_TYPE_LATER) { 203 if (match->key->ip.proto == IPPROTO_UDP) { 204 key_expected |= 1 << OVS_KEY_ATTR_UDP; 205 if (match->mask && (match->mask->key.ip.proto == 0xff)) 206 mask_allowed |= 1 << OVS_KEY_ATTR_UDP; 207 } 208 209 if (match->key->ip.proto == IPPROTO_SCTP) { 210 key_expected |= 1 << OVS_KEY_ATTR_SCTP; 211 if (match->mask && (match->mask->key.ip.proto == 0xff)) 212 mask_allowed |= 1 << OVS_KEY_ATTR_SCTP; 213 } 214 215 if (match->key->ip.proto == IPPROTO_TCP) { 216 key_expected |= 1 << OVS_KEY_ATTR_TCP; 217 key_expected |= 1 << OVS_KEY_ATTR_TCP_FLAGS; 218 if (match->mask && (match->mask->key.ip.proto == 0xff)) { 219 mask_allowed |= 1 << OVS_KEY_ATTR_TCP; 220 mask_allowed |= 1 << OVS_KEY_ATTR_TCP_FLAGS; 221 } 222 } 223 224 if (match->key->ip.proto == IPPROTO_ICMPV6) { 225 key_expected |= 1 << OVS_KEY_ATTR_ICMPV6; 226 if (match->mask && (match->mask->key.ip.proto == 0xff)) 227 mask_allowed |= 1 << OVS_KEY_ATTR_ICMPV6; 228 229 if (match->key->tp.src == 230 htons(NDISC_NEIGHBOUR_SOLICITATION) || 231 match->key->tp.src == htons(NDISC_NEIGHBOUR_ADVERTISEMENT)) { 232 key_expected |= 1 << OVS_KEY_ATTR_ND; 233 if (match->mask && (match->mask->key.tp.src == htons(0xff))) 234 mask_allowed |= 1 << OVS_KEY_ATTR_ND; 235 } 236 } 237 } 238 } 239 240 if ((key_attrs & key_expected) != key_expected) { 241 /* Key attributes check failed. 
*/ 242 OVS_NLERR(log, "Missing key (keys=%llx, expected=%llx)", 243 (unsigned long long)key_attrs, 244 (unsigned long long)key_expected); 245 return false; 246 } 247 248 if ((mask_attrs & mask_allowed) != mask_attrs) { 249 /* Mask attributes check failed. */ 250 OVS_NLERR(log, "Unexpected mask (mask=%llx, allowed=%llx)", 251 (unsigned long long)mask_attrs, 252 (unsigned long long)mask_allowed); 253 return false; 254 } 255 256 return true; 257 } 258 259 size_t ovs_tun_key_attr_size(void) 260 { 261 /* Whenever adding new OVS_TUNNEL_KEY_ FIELDS, we should consider 262 * updating this function. 263 */ 264 return nla_total_size(8) /* OVS_TUNNEL_KEY_ATTR_ID */ 265 + nla_total_size(4) /* OVS_TUNNEL_KEY_ATTR_IPV4_SRC */ 266 + nla_total_size(4) /* OVS_TUNNEL_KEY_ATTR_IPV4_DST */ 267 + nla_total_size(1) /* OVS_TUNNEL_KEY_ATTR_TOS */ 268 + nla_total_size(1) /* OVS_TUNNEL_KEY_ATTR_TTL */ 269 + nla_total_size(0) /* OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT */ 270 + nla_total_size(0) /* OVS_TUNNEL_KEY_ATTR_CSUM */ 271 + nla_total_size(0) /* OVS_TUNNEL_KEY_ATTR_OAM */ 272 + nla_total_size(256) /* OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS */ 273 /* OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS is mutually exclusive with 274 * OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS and covered by it. 275 */ 276 + nla_total_size(2) /* OVS_TUNNEL_KEY_ATTR_TP_SRC */ 277 + nla_total_size(2); /* OVS_TUNNEL_KEY_ATTR_TP_DST */ 278 } 279 280 size_t ovs_key_attr_size(void) 281 { 282 /* Whenever adding new OVS_KEY_ FIELDS, we should consider 283 * updating this function. 
284 */ 285 BUILD_BUG_ON(OVS_KEY_ATTR_TUNNEL_INFO != 26); 286 287 return nla_total_size(4) /* OVS_KEY_ATTR_PRIORITY */ 288 + nla_total_size(0) /* OVS_KEY_ATTR_TUNNEL */ 289 + ovs_tun_key_attr_size() 290 + nla_total_size(4) /* OVS_KEY_ATTR_IN_PORT */ 291 + nla_total_size(4) /* OVS_KEY_ATTR_SKB_MARK */ 292 + nla_total_size(4) /* OVS_KEY_ATTR_DP_HASH */ 293 + nla_total_size(4) /* OVS_KEY_ATTR_RECIRC_ID */ 294 + nla_total_size(4) /* OVS_KEY_ATTR_CT_STATE */ 295 + nla_total_size(2) /* OVS_KEY_ATTR_CT_ZONE */ 296 + nla_total_size(4) /* OVS_KEY_ATTR_CT_MARK */ 297 + nla_total_size(16) /* OVS_KEY_ATTR_CT_LABELS */ 298 + nla_total_size(12) /* OVS_KEY_ATTR_ETHERNET */ 299 + nla_total_size(2) /* OVS_KEY_ATTR_ETHERTYPE */ 300 + nla_total_size(4) /* OVS_KEY_ATTR_VLAN */ 301 + nla_total_size(0) /* OVS_KEY_ATTR_ENCAP */ 302 + nla_total_size(2) /* OVS_KEY_ATTR_ETHERTYPE */ 303 + nla_total_size(40) /* OVS_KEY_ATTR_IPV6 */ 304 + nla_total_size(2) /* OVS_KEY_ATTR_ICMPV6 */ 305 + nla_total_size(28); /* OVS_KEY_ATTR_ND */ 306 } 307 308 static const struct ovs_len_tbl ovs_vxlan_ext_key_lens[OVS_VXLAN_EXT_MAX + 1] = { 309 [OVS_VXLAN_EXT_GBP] = { .len = sizeof(u32) }, 310 }; 311 312 static const struct ovs_len_tbl ovs_tunnel_key_lens[OVS_TUNNEL_KEY_ATTR_MAX + 1] = { 313 [OVS_TUNNEL_KEY_ATTR_ID] = { .len = sizeof(u64) }, 314 [OVS_TUNNEL_KEY_ATTR_IPV4_SRC] = { .len = sizeof(u32) }, 315 [OVS_TUNNEL_KEY_ATTR_IPV4_DST] = { .len = sizeof(u32) }, 316 [OVS_TUNNEL_KEY_ATTR_TOS] = { .len = 1 }, 317 [OVS_TUNNEL_KEY_ATTR_TTL] = { .len = 1 }, 318 [OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT] = { .len = 0 }, 319 [OVS_TUNNEL_KEY_ATTR_CSUM] = { .len = 0 }, 320 [OVS_TUNNEL_KEY_ATTR_TP_SRC] = { .len = sizeof(u16) }, 321 [OVS_TUNNEL_KEY_ATTR_TP_DST] = { .len = sizeof(u16) }, 322 [OVS_TUNNEL_KEY_ATTR_OAM] = { .len = 0 }, 323 [OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS] = { .len = OVS_ATTR_VARIABLE }, 324 [OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS] = { .len = OVS_ATTR_NESTED, 325 .next = ovs_vxlan_ext_key_lens }, 326 }; 327 328 /* The size 
of the argument for each %OVS_KEY_ATTR_* Netlink attribute. */ 329 static const struct ovs_len_tbl ovs_key_lens[OVS_KEY_ATTR_MAX + 1] = { 330 [OVS_KEY_ATTR_ENCAP] = { .len = OVS_ATTR_NESTED }, 331 [OVS_KEY_ATTR_PRIORITY] = { .len = sizeof(u32) }, 332 [OVS_KEY_ATTR_IN_PORT] = { .len = sizeof(u32) }, 333 [OVS_KEY_ATTR_SKB_MARK] = { .len = sizeof(u32) }, 334 [OVS_KEY_ATTR_ETHERNET] = { .len = sizeof(struct ovs_key_ethernet) }, 335 [OVS_KEY_ATTR_VLAN] = { .len = sizeof(__be16) }, 336 [OVS_KEY_ATTR_ETHERTYPE] = { .len = sizeof(__be16) }, 337 [OVS_KEY_ATTR_IPV4] = { .len = sizeof(struct ovs_key_ipv4) }, 338 [OVS_KEY_ATTR_IPV6] = { .len = sizeof(struct ovs_key_ipv6) }, 339 [OVS_KEY_ATTR_TCP] = { .len = sizeof(struct ovs_key_tcp) }, 340 [OVS_KEY_ATTR_TCP_FLAGS] = { .len = sizeof(__be16) }, 341 [OVS_KEY_ATTR_UDP] = { .len = sizeof(struct ovs_key_udp) }, 342 [OVS_KEY_ATTR_SCTP] = { .len = sizeof(struct ovs_key_sctp) }, 343 [OVS_KEY_ATTR_ICMP] = { .len = sizeof(struct ovs_key_icmp) }, 344 [OVS_KEY_ATTR_ICMPV6] = { .len = sizeof(struct ovs_key_icmpv6) }, 345 [OVS_KEY_ATTR_ARP] = { .len = sizeof(struct ovs_key_arp) }, 346 [OVS_KEY_ATTR_ND] = { .len = sizeof(struct ovs_key_nd) }, 347 [OVS_KEY_ATTR_RECIRC_ID] = { .len = sizeof(u32) }, 348 [OVS_KEY_ATTR_DP_HASH] = { .len = sizeof(u32) }, 349 [OVS_KEY_ATTR_TUNNEL] = { .len = OVS_ATTR_NESTED, 350 .next = ovs_tunnel_key_lens, }, 351 [OVS_KEY_ATTR_MPLS] = { .len = sizeof(struct ovs_key_mpls) }, 352 [OVS_KEY_ATTR_CT_STATE] = { .len = sizeof(u32) }, 353 [OVS_KEY_ATTR_CT_ZONE] = { .len = sizeof(u16) }, 354 [OVS_KEY_ATTR_CT_MARK] = { .len = sizeof(u32) }, 355 [OVS_KEY_ATTR_CT_LABELS] = { .len = sizeof(struct ovs_key_ct_labels) }, 356 }; 357 358 static bool check_attr_len(unsigned int attr_len, unsigned int expected_len) 359 { 360 return expected_len == attr_len || 361 expected_len == OVS_ATTR_NESTED || 362 expected_len == OVS_ATTR_VARIABLE; 363 } 364 365 static bool is_all_zero(const u8 *fp, size_t size) 366 { 367 int i; 368 369 if (!fp) 
370 return false; 371 372 for (i = 0; i < size; i++) 373 if (fp[i]) 374 return false; 375 376 return true; 377 } 378 379 static int __parse_flow_nlattrs(const struct nlattr *attr, 380 const struct nlattr *a[], 381 u64 *attrsp, bool log, bool nz) 382 { 383 const struct nlattr *nla; 384 u64 attrs; 385 int rem; 386 387 attrs = *attrsp; 388 nla_for_each_nested(nla, attr, rem) { 389 u16 type = nla_type(nla); 390 int expected_len; 391 392 if (type > OVS_KEY_ATTR_MAX) { 393 OVS_NLERR(log, "Key type %d is out of range max %d", 394 type, OVS_KEY_ATTR_MAX); 395 return -EINVAL; 396 } 397 398 if (attrs & (1 << type)) { 399 OVS_NLERR(log, "Duplicate key (type %d).", type); 400 return -EINVAL; 401 } 402 403 expected_len = ovs_key_lens[type].len; 404 if (!check_attr_len(nla_len(nla), expected_len)) { 405 OVS_NLERR(log, "Key %d has unexpected len %d expected %d", 406 type, nla_len(nla), expected_len); 407 return -EINVAL; 408 } 409 410 if (!nz || !is_all_zero(nla_data(nla), expected_len)) { 411 attrs |= 1 << type; 412 a[type] = nla; 413 } 414 } 415 if (rem) { 416 OVS_NLERR(log, "Message has %d unknown bytes.", rem); 417 return -EINVAL; 418 } 419 420 *attrsp = attrs; 421 return 0; 422 } 423 424 static int parse_flow_mask_nlattrs(const struct nlattr *attr, 425 const struct nlattr *a[], u64 *attrsp, 426 bool log) 427 { 428 return __parse_flow_nlattrs(attr, a, attrsp, log, true); 429 } 430 431 static int parse_flow_nlattrs(const struct nlattr *attr, 432 const struct nlattr *a[], u64 *attrsp, 433 bool log) 434 { 435 return __parse_flow_nlattrs(attr, a, attrsp, log, false); 436 } 437 438 static int genev_tun_opt_from_nlattr(const struct nlattr *a, 439 struct sw_flow_match *match, bool is_mask, 440 bool log) 441 { 442 unsigned long opt_key_offset; 443 444 if (nla_len(a) > sizeof(match->key->tun_opts)) { 445 OVS_NLERR(log, "Geneve option length err (len %d, max %zu).", 446 nla_len(a), sizeof(match->key->tun_opts)); 447 return -EINVAL; 448 } 449 450 if (nla_len(a) % 4 != 0) { 451 
OVS_NLERR(log, "Geneve opt len %d is not a multiple of 4.", 452 nla_len(a)); 453 return -EINVAL; 454 } 455 456 /* We need to record the length of the options passed 457 * down, otherwise packets with the same format but 458 * additional options will be silently matched. 459 */ 460 if (!is_mask) { 461 SW_FLOW_KEY_PUT(match, tun_opts_len, nla_len(a), 462 false); 463 } else { 464 /* This is somewhat unusual because it looks at 465 * both the key and mask while parsing the 466 * attributes (and by extension assumes the key 467 * is parsed first). Normally, we would verify 468 * that each is the correct length and that the 469 * attributes line up in the validate function. 470 * However, that is difficult because this is 471 * variable length and we won't have the 472 * information later. 473 */ 474 if (match->key->tun_opts_len != nla_len(a)) { 475 OVS_NLERR(log, "Geneve option len %d != mask len %d", 476 match->key->tun_opts_len, nla_len(a)); 477 return -EINVAL; 478 } 479 480 SW_FLOW_KEY_PUT(match, tun_opts_len, 0xff, true); 481 } 482 483 opt_key_offset = TUN_METADATA_OFFSET(nla_len(a)); 484 SW_FLOW_KEY_MEMCPY_OFFSET(match, opt_key_offset, nla_data(a), 485 nla_len(a), is_mask); 486 return 0; 487 } 488 489 static int vxlan_tun_opt_from_nlattr(const struct nlattr *attr, 490 struct sw_flow_match *match, bool is_mask, 491 bool log) 492 { 493 struct nlattr *a; 494 int rem; 495 unsigned long opt_key_offset; 496 struct vxlan_metadata opts; 497 498 BUILD_BUG_ON(sizeof(opts) > sizeof(match->key->tun_opts)); 499 500 memset(&opts, 0, sizeof(opts)); 501 nla_for_each_nested(a, attr, rem) { 502 int type = nla_type(a); 503 504 if (type > OVS_VXLAN_EXT_MAX) { 505 OVS_NLERR(log, "VXLAN extension %d out of range max %d", 506 type, OVS_VXLAN_EXT_MAX); 507 return -EINVAL; 508 } 509 510 if (!check_attr_len(nla_len(a), 511 ovs_vxlan_ext_key_lens[type].len)) { 512 OVS_NLERR(log, "VXLAN extension %d has unexpected len %d expected %d", 513 type, nla_len(a), 514 
ovs_vxlan_ext_key_lens[type].len); 515 return -EINVAL; 516 } 517 518 switch (type) { 519 case OVS_VXLAN_EXT_GBP: 520 opts.gbp = nla_get_u32(a); 521 break; 522 default: 523 OVS_NLERR(log, "Unknown VXLAN extension attribute %d", 524 type); 525 return -EINVAL; 526 } 527 } 528 if (rem) { 529 OVS_NLERR(log, "VXLAN extension message has %d unknown bytes.", 530 rem); 531 return -EINVAL; 532 } 533 534 if (!is_mask) 535 SW_FLOW_KEY_PUT(match, tun_opts_len, sizeof(opts), false); 536 else 537 SW_FLOW_KEY_PUT(match, tun_opts_len, 0xff, true); 538 539 opt_key_offset = TUN_METADATA_OFFSET(sizeof(opts)); 540 SW_FLOW_KEY_MEMCPY_OFFSET(match, opt_key_offset, &opts, sizeof(opts), 541 is_mask); 542 return 0; 543 } 544 545 static int ipv4_tun_from_nlattr(const struct nlattr *attr, 546 struct sw_flow_match *match, bool is_mask, 547 bool log) 548 { 549 struct nlattr *a; 550 int rem; 551 bool ttl = false; 552 __be16 tun_flags = 0; 553 int opts_type = 0; 554 555 nla_for_each_nested(a, attr, rem) { 556 int type = nla_type(a); 557 int err; 558 559 if (type > OVS_TUNNEL_KEY_ATTR_MAX) { 560 OVS_NLERR(log, "Tunnel attr %d out of range max %d", 561 type, OVS_TUNNEL_KEY_ATTR_MAX); 562 return -EINVAL; 563 } 564 565 if (!check_attr_len(nla_len(a), 566 ovs_tunnel_key_lens[type].len)) { 567 OVS_NLERR(log, "Tunnel attr %d has unexpected len %d expected %d", 568 type, nla_len(a), ovs_tunnel_key_lens[type].len); 569 return -EINVAL; 570 } 571 572 switch (type) { 573 case OVS_TUNNEL_KEY_ATTR_ID: 574 SW_FLOW_KEY_PUT(match, tun_key.tun_id, 575 nla_get_be64(a), is_mask); 576 tun_flags |= TUNNEL_KEY; 577 break; 578 case OVS_TUNNEL_KEY_ATTR_IPV4_SRC: 579 SW_FLOW_KEY_PUT(match, tun_key.u.ipv4.src, 580 nla_get_in_addr(a), is_mask); 581 break; 582 case OVS_TUNNEL_KEY_ATTR_IPV4_DST: 583 SW_FLOW_KEY_PUT(match, tun_key.u.ipv4.dst, 584 nla_get_in_addr(a), is_mask); 585 break; 586 case OVS_TUNNEL_KEY_ATTR_TOS: 587 SW_FLOW_KEY_PUT(match, tun_key.tos, 588 nla_get_u8(a), is_mask); 589 break; 590 case 
OVS_TUNNEL_KEY_ATTR_TTL: 591 SW_FLOW_KEY_PUT(match, tun_key.ttl, 592 nla_get_u8(a), is_mask); 593 ttl = true; 594 break; 595 case OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT: 596 tun_flags |= TUNNEL_DONT_FRAGMENT; 597 break; 598 case OVS_TUNNEL_KEY_ATTR_CSUM: 599 tun_flags |= TUNNEL_CSUM; 600 break; 601 case OVS_TUNNEL_KEY_ATTR_TP_SRC: 602 SW_FLOW_KEY_PUT(match, tun_key.tp_src, 603 nla_get_be16(a), is_mask); 604 break; 605 case OVS_TUNNEL_KEY_ATTR_TP_DST: 606 SW_FLOW_KEY_PUT(match, tun_key.tp_dst, 607 nla_get_be16(a), is_mask); 608 break; 609 case OVS_TUNNEL_KEY_ATTR_OAM: 610 tun_flags |= TUNNEL_OAM; 611 break; 612 case OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS: 613 if (opts_type) { 614 OVS_NLERR(log, "Multiple metadata blocks provided"); 615 return -EINVAL; 616 } 617 618 err = genev_tun_opt_from_nlattr(a, match, is_mask, log); 619 if (err) 620 return err; 621 622 tun_flags |= TUNNEL_GENEVE_OPT; 623 opts_type = type; 624 break; 625 case OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS: 626 if (opts_type) { 627 OVS_NLERR(log, "Multiple metadata blocks provided"); 628 return -EINVAL; 629 } 630 631 err = vxlan_tun_opt_from_nlattr(a, match, is_mask, log); 632 if (err) 633 return err; 634 635 tun_flags |= TUNNEL_VXLAN_OPT; 636 opts_type = type; 637 break; 638 default: 639 OVS_NLERR(log, "Unknown IPv4 tunnel attribute %d", 640 type); 641 return -EINVAL; 642 } 643 } 644 645 SW_FLOW_KEY_PUT(match, tun_key.tun_flags, tun_flags, is_mask); 646 647 if (rem > 0) { 648 OVS_NLERR(log, "IPv4 tunnel attribute has %d unknown bytes.", 649 rem); 650 return -EINVAL; 651 } 652 653 if (!is_mask) { 654 if (!match->key->tun_key.u.ipv4.dst) { 655 OVS_NLERR(log, "IPv4 tunnel dst address is zero"); 656 return -EINVAL; 657 } 658 659 if (!ttl) { 660 OVS_NLERR(log, "IPv4 tunnel TTL not specified."); 661 return -EINVAL; 662 } 663 } 664 665 return opts_type; 666 } 667 668 static int vxlan_opt_to_nlattr(struct sk_buff *skb, 669 const void *tun_opts, int swkey_tun_opts_len) 670 { 671 const struct vxlan_metadata *opts = tun_opts; 672 
struct nlattr *nla; 673 674 nla = nla_nest_start(skb, OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS); 675 if (!nla) 676 return -EMSGSIZE; 677 678 if (nla_put_u32(skb, OVS_VXLAN_EXT_GBP, opts->gbp) < 0) 679 return -EMSGSIZE; 680 681 nla_nest_end(skb, nla); 682 return 0; 683 } 684 685 static int __ipv4_tun_to_nlattr(struct sk_buff *skb, 686 const struct ip_tunnel_key *output, 687 const void *tun_opts, int swkey_tun_opts_len) 688 { 689 if (output->tun_flags & TUNNEL_KEY && 690 nla_put_be64(skb, OVS_TUNNEL_KEY_ATTR_ID, output->tun_id)) 691 return -EMSGSIZE; 692 if (output->u.ipv4.src && 693 nla_put_in_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV4_SRC, 694 output->u.ipv4.src)) 695 return -EMSGSIZE; 696 if (output->u.ipv4.dst && 697 nla_put_in_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV4_DST, 698 output->u.ipv4.dst)) 699 return -EMSGSIZE; 700 if (output->tos && 701 nla_put_u8(skb, OVS_TUNNEL_KEY_ATTR_TOS, output->tos)) 702 return -EMSGSIZE; 703 if (nla_put_u8(skb, OVS_TUNNEL_KEY_ATTR_TTL, output->ttl)) 704 return -EMSGSIZE; 705 if ((output->tun_flags & TUNNEL_DONT_FRAGMENT) && 706 nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT)) 707 return -EMSGSIZE; 708 if ((output->tun_flags & TUNNEL_CSUM) && 709 nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_CSUM)) 710 return -EMSGSIZE; 711 if (output->tp_src && 712 nla_put_be16(skb, OVS_TUNNEL_KEY_ATTR_TP_SRC, output->tp_src)) 713 return -EMSGSIZE; 714 if (output->tp_dst && 715 nla_put_be16(skb, OVS_TUNNEL_KEY_ATTR_TP_DST, output->tp_dst)) 716 return -EMSGSIZE; 717 if ((output->tun_flags & TUNNEL_OAM) && 718 nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_OAM)) 719 return -EMSGSIZE; 720 if (tun_opts) { 721 if (output->tun_flags & TUNNEL_GENEVE_OPT && 722 nla_put(skb, OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS, 723 swkey_tun_opts_len, tun_opts)) 724 return -EMSGSIZE; 725 else if (output->tun_flags & TUNNEL_VXLAN_OPT && 726 vxlan_opt_to_nlattr(skb, tun_opts, swkey_tun_opts_len)) 727 return -EMSGSIZE; 728 } 729 730 return 0; 731 } 732 733 static int ipv4_tun_to_nlattr(struct sk_buff *skb, 734 
const struct ip_tunnel_key *output, 735 const void *tun_opts, int swkey_tun_opts_len) 736 { 737 struct nlattr *nla; 738 int err; 739 740 nla = nla_nest_start(skb, OVS_KEY_ATTR_TUNNEL); 741 if (!nla) 742 return -EMSGSIZE; 743 744 err = __ipv4_tun_to_nlattr(skb, output, tun_opts, swkey_tun_opts_len); 745 if (err) 746 return err; 747 748 nla_nest_end(skb, nla); 749 return 0; 750 } 751 752 int ovs_nla_put_egress_tunnel_key(struct sk_buff *skb, 753 const struct ip_tunnel_info *egress_tun_info, 754 const void *egress_tun_opts) 755 { 756 return __ipv4_tun_to_nlattr(skb, &egress_tun_info->key, 757 egress_tun_opts, 758 egress_tun_info->options_len); 759 } 760 761 static int metadata_from_nlattrs(struct net *net, struct sw_flow_match *match, 762 u64 *attrs, const struct nlattr **a, 763 bool is_mask, bool log) 764 { 765 if (*attrs & (1 << OVS_KEY_ATTR_DP_HASH)) { 766 u32 hash_val = nla_get_u32(a[OVS_KEY_ATTR_DP_HASH]); 767 768 SW_FLOW_KEY_PUT(match, ovs_flow_hash, hash_val, is_mask); 769 *attrs &= ~(1 << OVS_KEY_ATTR_DP_HASH); 770 } 771 772 if (*attrs & (1 << OVS_KEY_ATTR_RECIRC_ID)) { 773 u32 recirc_id = nla_get_u32(a[OVS_KEY_ATTR_RECIRC_ID]); 774 775 SW_FLOW_KEY_PUT(match, recirc_id, recirc_id, is_mask); 776 *attrs &= ~(1 << OVS_KEY_ATTR_RECIRC_ID); 777 } 778 779 if (*attrs & (1 << OVS_KEY_ATTR_PRIORITY)) { 780 SW_FLOW_KEY_PUT(match, phy.priority, 781 nla_get_u32(a[OVS_KEY_ATTR_PRIORITY]), is_mask); 782 *attrs &= ~(1 << OVS_KEY_ATTR_PRIORITY); 783 } 784 785 if (*attrs & (1 << OVS_KEY_ATTR_IN_PORT)) { 786 u32 in_port = nla_get_u32(a[OVS_KEY_ATTR_IN_PORT]); 787 788 if (is_mask) { 789 in_port = 0xffffffff; /* Always exact match in_port. 
*/ 790 } else if (in_port >= DP_MAX_PORTS) { 791 OVS_NLERR(log, "Port %d exceeds max allowable %d", 792 in_port, DP_MAX_PORTS); 793 return -EINVAL; 794 } 795 796 SW_FLOW_KEY_PUT(match, phy.in_port, in_port, is_mask); 797 *attrs &= ~(1 << OVS_KEY_ATTR_IN_PORT); 798 } else if (!is_mask) { 799 SW_FLOW_KEY_PUT(match, phy.in_port, DP_MAX_PORTS, is_mask); 800 } 801 802 if (*attrs & (1 << OVS_KEY_ATTR_SKB_MARK)) { 803 uint32_t mark = nla_get_u32(a[OVS_KEY_ATTR_SKB_MARK]); 804 805 SW_FLOW_KEY_PUT(match, phy.skb_mark, mark, is_mask); 806 *attrs &= ~(1 << OVS_KEY_ATTR_SKB_MARK); 807 } 808 if (*attrs & (1 << OVS_KEY_ATTR_TUNNEL)) { 809 if (ipv4_tun_from_nlattr(a[OVS_KEY_ATTR_TUNNEL], match, 810 is_mask, log) < 0) 811 return -EINVAL; 812 *attrs &= ~(1 << OVS_KEY_ATTR_TUNNEL); 813 } 814 815 if (*attrs & (1 << OVS_KEY_ATTR_CT_STATE) && 816 ovs_ct_verify(net, OVS_KEY_ATTR_CT_STATE)) { 817 u32 ct_state = nla_get_u32(a[OVS_KEY_ATTR_CT_STATE]); 818 819 if (!is_mask && !ovs_ct_state_supported(ct_state)) { 820 OVS_NLERR(log, "ct_state flags %08x unsupported", 821 ct_state); 822 return -EINVAL; 823 } 824 825 SW_FLOW_KEY_PUT(match, ct.state, ct_state, is_mask); 826 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_STATE); 827 } 828 if (*attrs & (1 << OVS_KEY_ATTR_CT_ZONE) && 829 ovs_ct_verify(net, OVS_KEY_ATTR_CT_ZONE)) { 830 u16 ct_zone = nla_get_u16(a[OVS_KEY_ATTR_CT_ZONE]); 831 832 SW_FLOW_KEY_PUT(match, ct.zone, ct_zone, is_mask); 833 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_ZONE); 834 } 835 if (*attrs & (1 << OVS_KEY_ATTR_CT_MARK) && 836 ovs_ct_verify(net, OVS_KEY_ATTR_CT_MARK)) { 837 u32 mark = nla_get_u32(a[OVS_KEY_ATTR_CT_MARK]); 838 839 SW_FLOW_KEY_PUT(match, ct.mark, mark, is_mask); 840 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_MARK); 841 } 842 if (*attrs & (1 << OVS_KEY_ATTR_CT_LABELS) && 843 ovs_ct_verify(net, OVS_KEY_ATTR_CT_LABELS)) { 844 const struct ovs_key_ct_labels *cl; 845 846 cl = nla_data(a[OVS_KEY_ATTR_CT_LABELS]); 847 SW_FLOW_KEY_MEMCPY(match, ct.labels, cl->ct_labels, 848 sizeof(*cl), 
is_mask); 849 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_LABELS); 850 } 851 return 0; 852 } 853 854 static int ovs_key_from_nlattrs(struct net *net, struct sw_flow_match *match, 855 u64 attrs, const struct nlattr **a, 856 bool is_mask, bool log) 857 { 858 int err; 859 860 err = metadata_from_nlattrs(net, match, &attrs, a, is_mask, log); 861 if (err) 862 return err; 863 864 if (attrs & (1 << OVS_KEY_ATTR_ETHERNET)) { 865 const struct ovs_key_ethernet *eth_key; 866 867 eth_key = nla_data(a[OVS_KEY_ATTR_ETHERNET]); 868 SW_FLOW_KEY_MEMCPY(match, eth.src, 869 eth_key->eth_src, ETH_ALEN, is_mask); 870 SW_FLOW_KEY_MEMCPY(match, eth.dst, 871 eth_key->eth_dst, ETH_ALEN, is_mask); 872 attrs &= ~(1 << OVS_KEY_ATTR_ETHERNET); 873 } 874 875 if (attrs & (1 << OVS_KEY_ATTR_VLAN)) { 876 __be16 tci; 877 878 tci = nla_get_be16(a[OVS_KEY_ATTR_VLAN]); 879 if (!(tci & htons(VLAN_TAG_PRESENT))) { 880 if (is_mask) 881 OVS_NLERR(log, "VLAN TCI mask does not have exact match for VLAN_TAG_PRESENT bit."); 882 else 883 OVS_NLERR(log, "VLAN TCI does not have VLAN_TAG_PRESENT bit set."); 884 885 return -EINVAL; 886 } 887 888 SW_FLOW_KEY_PUT(match, eth.tci, tci, is_mask); 889 attrs &= ~(1 << OVS_KEY_ATTR_VLAN); 890 } 891 892 if (attrs & (1 << OVS_KEY_ATTR_ETHERTYPE)) { 893 __be16 eth_type; 894 895 eth_type = nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE]); 896 if (is_mask) { 897 /* Always exact match EtherType. 
*/ 898 eth_type = htons(0xffff); 899 } else if (!eth_proto_is_802_3(eth_type)) { 900 OVS_NLERR(log, "EtherType %x is less than min %x", 901 ntohs(eth_type), ETH_P_802_3_MIN); 902 return -EINVAL; 903 } 904 905 SW_FLOW_KEY_PUT(match, eth.type, eth_type, is_mask); 906 attrs &= ~(1 << OVS_KEY_ATTR_ETHERTYPE); 907 } else if (!is_mask) { 908 SW_FLOW_KEY_PUT(match, eth.type, htons(ETH_P_802_2), is_mask); 909 } 910 911 if (attrs & (1 << OVS_KEY_ATTR_IPV4)) { 912 const struct ovs_key_ipv4 *ipv4_key; 913 914 ipv4_key = nla_data(a[OVS_KEY_ATTR_IPV4]); 915 if (!is_mask && ipv4_key->ipv4_frag > OVS_FRAG_TYPE_MAX) { 916 OVS_NLERR(log, "IPv4 frag type %d is out of range max %d", 917 ipv4_key->ipv4_frag, OVS_FRAG_TYPE_MAX); 918 return -EINVAL; 919 } 920 SW_FLOW_KEY_PUT(match, ip.proto, 921 ipv4_key->ipv4_proto, is_mask); 922 SW_FLOW_KEY_PUT(match, ip.tos, 923 ipv4_key->ipv4_tos, is_mask); 924 SW_FLOW_KEY_PUT(match, ip.ttl, 925 ipv4_key->ipv4_ttl, is_mask); 926 SW_FLOW_KEY_PUT(match, ip.frag, 927 ipv4_key->ipv4_frag, is_mask); 928 SW_FLOW_KEY_PUT(match, ipv4.addr.src, 929 ipv4_key->ipv4_src, is_mask); 930 SW_FLOW_KEY_PUT(match, ipv4.addr.dst, 931 ipv4_key->ipv4_dst, is_mask); 932 attrs &= ~(1 << OVS_KEY_ATTR_IPV4); 933 } 934 935 if (attrs & (1 << OVS_KEY_ATTR_IPV6)) { 936 const struct ovs_key_ipv6 *ipv6_key; 937 938 ipv6_key = nla_data(a[OVS_KEY_ATTR_IPV6]); 939 if (!is_mask && ipv6_key->ipv6_frag > OVS_FRAG_TYPE_MAX) { 940 OVS_NLERR(log, "IPv6 frag type %d is out of range max %d", 941 ipv6_key->ipv6_frag, OVS_FRAG_TYPE_MAX); 942 return -EINVAL; 943 } 944 945 if (!is_mask && ipv6_key->ipv6_label & htonl(0xFFF00000)) { 946 OVS_NLERR(log, "IPv6 flow label %x is out of range (max=%x).\n", 947 ntohl(ipv6_key->ipv6_label), (1 << 20) - 1); 948 return -EINVAL; 949 } 950 951 SW_FLOW_KEY_PUT(match, ipv6.label, 952 ipv6_key->ipv6_label, is_mask); 953 SW_FLOW_KEY_PUT(match, ip.proto, 954 ipv6_key->ipv6_proto, is_mask); 955 SW_FLOW_KEY_PUT(match, ip.tos, 956 ipv6_key->ipv6_tclass, is_mask); 
957 SW_FLOW_KEY_PUT(match, ip.ttl, 958 ipv6_key->ipv6_hlimit, is_mask); 959 SW_FLOW_KEY_PUT(match, ip.frag, 960 ipv6_key->ipv6_frag, is_mask); 961 SW_FLOW_KEY_MEMCPY(match, ipv6.addr.src, 962 ipv6_key->ipv6_src, 963 sizeof(match->key->ipv6.addr.src), 964 is_mask); 965 SW_FLOW_KEY_MEMCPY(match, ipv6.addr.dst, 966 ipv6_key->ipv6_dst, 967 sizeof(match->key->ipv6.addr.dst), 968 is_mask); 969 970 attrs &= ~(1 << OVS_KEY_ATTR_IPV6); 971 } 972 973 if (attrs & (1 << OVS_KEY_ATTR_ARP)) { 974 const struct ovs_key_arp *arp_key; 975 976 arp_key = nla_data(a[OVS_KEY_ATTR_ARP]); 977 if (!is_mask && (arp_key->arp_op & htons(0xff00))) { 978 OVS_NLERR(log, "Unknown ARP opcode (opcode=%d).", 979 arp_key->arp_op); 980 return -EINVAL; 981 } 982 983 SW_FLOW_KEY_PUT(match, ipv4.addr.src, 984 arp_key->arp_sip, is_mask); 985 SW_FLOW_KEY_PUT(match, ipv4.addr.dst, 986 arp_key->arp_tip, is_mask); 987 SW_FLOW_KEY_PUT(match, ip.proto, 988 ntohs(arp_key->arp_op), is_mask); 989 SW_FLOW_KEY_MEMCPY(match, ipv4.arp.sha, 990 arp_key->arp_sha, ETH_ALEN, is_mask); 991 SW_FLOW_KEY_MEMCPY(match, ipv4.arp.tha, 992 arp_key->arp_tha, ETH_ALEN, is_mask); 993 994 attrs &= ~(1 << OVS_KEY_ATTR_ARP); 995 } 996 997 if (attrs & (1 << OVS_KEY_ATTR_MPLS)) { 998 const struct ovs_key_mpls *mpls_key; 999 1000 mpls_key = nla_data(a[OVS_KEY_ATTR_MPLS]); 1001 SW_FLOW_KEY_PUT(match, mpls.top_lse, 1002 mpls_key->mpls_lse, is_mask); 1003 1004 attrs &= ~(1 << OVS_KEY_ATTR_MPLS); 1005 } 1006 1007 if (attrs & (1 << OVS_KEY_ATTR_TCP)) { 1008 const struct ovs_key_tcp *tcp_key; 1009 1010 tcp_key = nla_data(a[OVS_KEY_ATTR_TCP]); 1011 SW_FLOW_KEY_PUT(match, tp.src, tcp_key->tcp_src, is_mask); 1012 SW_FLOW_KEY_PUT(match, tp.dst, tcp_key->tcp_dst, is_mask); 1013 attrs &= ~(1 << OVS_KEY_ATTR_TCP); 1014 } 1015 1016 if (attrs & (1 << OVS_KEY_ATTR_TCP_FLAGS)) { 1017 SW_FLOW_KEY_PUT(match, tp.flags, 1018 nla_get_be16(a[OVS_KEY_ATTR_TCP_FLAGS]), 1019 is_mask); 1020 attrs &= ~(1 << OVS_KEY_ATTR_TCP_FLAGS); 1021 } 1022 1023 if (attrs & (1 << 
OVS_KEY_ATTR_UDP)) { 1024 const struct ovs_key_udp *udp_key; 1025 1026 udp_key = nla_data(a[OVS_KEY_ATTR_UDP]); 1027 SW_FLOW_KEY_PUT(match, tp.src, udp_key->udp_src, is_mask); 1028 SW_FLOW_KEY_PUT(match, tp.dst, udp_key->udp_dst, is_mask); 1029 attrs &= ~(1 << OVS_KEY_ATTR_UDP); 1030 } 1031 1032 if (attrs & (1 << OVS_KEY_ATTR_SCTP)) { 1033 const struct ovs_key_sctp *sctp_key; 1034 1035 sctp_key = nla_data(a[OVS_KEY_ATTR_SCTP]); 1036 SW_FLOW_KEY_PUT(match, tp.src, sctp_key->sctp_src, is_mask); 1037 SW_FLOW_KEY_PUT(match, tp.dst, sctp_key->sctp_dst, is_mask); 1038 attrs &= ~(1 << OVS_KEY_ATTR_SCTP); 1039 } 1040 1041 if (attrs & (1 << OVS_KEY_ATTR_ICMP)) { 1042 const struct ovs_key_icmp *icmp_key; 1043 1044 icmp_key = nla_data(a[OVS_KEY_ATTR_ICMP]); 1045 SW_FLOW_KEY_PUT(match, tp.src, 1046 htons(icmp_key->icmp_type), is_mask); 1047 SW_FLOW_KEY_PUT(match, tp.dst, 1048 htons(icmp_key->icmp_code), is_mask); 1049 attrs &= ~(1 << OVS_KEY_ATTR_ICMP); 1050 } 1051 1052 if (attrs & (1 << OVS_KEY_ATTR_ICMPV6)) { 1053 const struct ovs_key_icmpv6 *icmpv6_key; 1054 1055 icmpv6_key = nla_data(a[OVS_KEY_ATTR_ICMPV6]); 1056 SW_FLOW_KEY_PUT(match, tp.src, 1057 htons(icmpv6_key->icmpv6_type), is_mask); 1058 SW_FLOW_KEY_PUT(match, tp.dst, 1059 htons(icmpv6_key->icmpv6_code), is_mask); 1060 attrs &= ~(1 << OVS_KEY_ATTR_ICMPV6); 1061 } 1062 1063 if (attrs & (1 << OVS_KEY_ATTR_ND)) { 1064 const struct ovs_key_nd *nd_key; 1065 1066 nd_key = nla_data(a[OVS_KEY_ATTR_ND]); 1067 SW_FLOW_KEY_MEMCPY(match, ipv6.nd.target, 1068 nd_key->nd_target, 1069 sizeof(match->key->ipv6.nd.target), 1070 is_mask); 1071 SW_FLOW_KEY_MEMCPY(match, ipv6.nd.sll, 1072 nd_key->nd_sll, ETH_ALEN, is_mask); 1073 SW_FLOW_KEY_MEMCPY(match, ipv6.nd.tll, 1074 nd_key->nd_tll, ETH_ALEN, is_mask); 1075 attrs &= ~(1 << OVS_KEY_ATTR_ND); 1076 } 1077 1078 if (attrs != 0) { 1079 OVS_NLERR(log, "Unknown key attributes %llx", 1080 (unsigned long long)attrs); 1081 return -EINVAL; 1082 } 1083 1084 return 0; 1085 } 1086 1087 static 
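void nlattr_set(struct nlattr *attr, u8 val,
		const struct ovs_len_tbl *tbl)
{
	/* Overwrites the payload of every leaf attribute nested inside 'attr'
	 * with the byte 'val'.  Attributes that 'tbl' marks as
	 * OVS_ATTR_NESTED are descended into instead of being overwritten.
	 */
	struct nlattr *nla;
	int rem;

	/* The nlattr stream should already have been validated.  'tbl' is
	 * indexed by attribute type without a bounds check, so this function
	 * relies on that validation.
	 */
	nla_for_each_nested(nla, attr, rem) {
		const struct ovs_len_tbl *entry = &tbl[nla_type(nla)];

		if (entry->len == OVS_ATTR_NESTED) {
			/* Select the table for this child only.  Assigning to
			 * 'tbl' here would make the remaining siblings at this
			 * level be looked up in the child's table, which
			 * describes a different attribute namespace and may
			 * hold fewer entries than the sibling types index.
			 */
			nlattr_set(nla, val, entry->next ? entry->next : tbl);
		} else {
			memset(nla_data(nla), val, nla_len(nla));
		}
	}
}

/* Sets every leaf payload byte nested under 'attr' to 'val', interpreting the
 * attributes with the top-level flow key length table.
 */
static void mask_set_nlattr(struct nlattr *attr, u8 val)
{
	nlattr_set(attr, val, ovs_key_lens);
}

/**
 * ovs_nla_get_match - parses Netlink attributes into a flow key and
 * mask. In case 'nla_mask' is NULL, the flow is treated as exact match
 * flow. Otherwise, it is treated as a wildcarded flow, except the mask
 * does not include any don't care bit.
 * @net: Used to determine per-namespace field support.
 * @match: receives the extracted flow match information.
 * @nla_key: Netlink attribute holding nested %OVS_KEY_ATTR_* Netlink attribute
 * sequence. The fields should be of the packet that triggered the creation
 * of this flow.
 * @nla_mask: Optional. Netlink attribute holding nested %OVS_KEY_ATTR_* Netlink
 * attribute specifies the mask field of the wildcarded flow.
 * @log: Boolean to allow kernel error logging.  Normally true, but when
 * probing for feature compatibility this should be passed in as false to
 * suppress unnecessary error logging.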
*/
int ovs_nla_get_match(struct net *net, struct sw_flow_match *match,
		      const struct nlattr *nla_key,
		      const struct nlattr *nla_mask,
		      bool log)
{
	const struct nlattr *a[OVS_KEY_ATTR_MAX + 1];
	const struct nlattr *encap;
	struct nlattr *newmask = NULL;
	u64 key_attrs = 0;
	u64 mask_attrs = 0;
	bool encap_valid = false;
	int err;

	err = parse_flow_nlattrs(nla_key, a, &key_attrs, log);
	if (err)
		return err;

	/* An 802.1Q ethertype means the inner key is carried in
	 * OVS_KEY_ATTR_ENCAP; both VLAN and ENCAP must then be present.
	 */
	if ((key_attrs & (1 << OVS_KEY_ATTR_ETHERNET)) &&
	    (key_attrs & (1 << OVS_KEY_ATTR_ETHERTYPE)) &&
	    (nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE]) == htons(ETH_P_8021Q))) {
		__be16 tci;

		if (!((key_attrs & (1 << OVS_KEY_ATTR_VLAN)) &&
		      (key_attrs & (1 << OVS_KEY_ATTR_ENCAP)))) {
			OVS_NLERR(log, "Invalid Vlan frame.");
			return -EINVAL;
		}

		key_attrs &= ~(1 << OVS_KEY_ATTR_ETHERTYPE);
		tci = nla_get_be16(a[OVS_KEY_ATTR_VLAN]);
		encap = a[OVS_KEY_ATTR_ENCAP];
		key_attrs &= ~(1 << OVS_KEY_ATTR_ENCAP);
		encap_valid = true;

		if (tci & htons(VLAN_TAG_PRESENT)) {
			/* Re-parse from the encapsulated attributes; 'a' is
			 * reused for the inner attribute pointers.
			 */
			err = parse_flow_nlattrs(encap, a, &key_attrs, log);
			if (err)
				return err;
		} else if (!tci) {
			/* Corner case for truncated 802.1Q header. */
			if (nla_len(encap)) {
				OVS_NLERR(log, "Truncated 802.1Q header has non-zero encap attribute.");
				return -EINVAL;
			}
		} else {
			OVS_NLERR(log, "Encap attr is set for non-VLAN frame");
			return -EINVAL;
		}
	}

	err = ovs_key_from_nlattrs(net, match, key_attrs, a, false, log);
	if (err)
		return err;

	if (match->mask) {
		if (!nla_mask) {
			/* Create an exact match mask. We need to set to 0xff
			 * all the 'match->mask' fields that have been touched
			 * in 'match->key'. We cannot simply memset
			 * 'match->mask', because padding bytes and fields not
			 * specified in 'match->key' should be left to 0.
			 * Instead, we use a stream of netlink attributes,
			 * copied from 'key' and set to 0xff.
			 * ovs_key_from_nlattrs() will take care of filling
			 * 'match->mask' appropriately.
			 */
			newmask = kmemdup(nla_key,
					  nla_total_size(nla_len(nla_key)),
					  GFP_KERNEL);
			if (!newmask)
				return -ENOMEM;

			mask_set_nlattr(newmask, 0xff);

			/* The userspace does not send tunnel attributes that
			 * are 0, but we should not wildcard them nonetheless.
			 */
			if (match->key->tun_key.u.ipv4.dst)
				SW_FLOW_KEY_MEMSET_FIELD(match, tun_key,
							 0xff, true);

			nla_mask = newmask;
		}

		/* From here on every exit must go through free_newmask so the
		 * temporary mask copy is released.
		 */
		err = parse_flow_mask_nlattrs(nla_mask, a, &mask_attrs, log);
		if (err)
			goto free_newmask;

		/* Always match on tci. */
		SW_FLOW_KEY_PUT(match, eth.tci, htons(0xffff), true);

		if (mask_attrs & 1 << OVS_KEY_ATTR_ENCAP) {
			__be16 eth_type = 0;
			__be16 tci = 0;

			/* An ENCAP mask is only accepted when the key itself
			 * was parsed as a VLAN frame above.
			 */
			if (!encap_valid) {
				OVS_NLERR(log, "Encap mask attribute is set for non-VLAN frame.");
				err = -EINVAL;
				goto free_newmask;
			}

			mask_attrs &= ~(1 << OVS_KEY_ATTR_ENCAP);
			if (a[OVS_KEY_ATTR_ETHERTYPE])
				eth_type = nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE]);

			if (eth_type == htons(0xffff)) {
				mask_attrs &= ~(1 << OVS_KEY_ATTR_ETHERTYPE);
				encap = a[OVS_KEY_ATTR_ENCAP];
				err = parse_flow_mask_nlattrs(encap, a,
							      &mask_attrs, log);
				if (err)
					goto free_newmask;
			} else {
				OVS_NLERR(log, "VLAN frames must have an exact match on the TPID (mask=%x).",
					  ntohs(eth_type));
				err = -EINVAL;
				goto free_newmask;
			}

			if (a[OVS_KEY_ATTR_VLAN])
				tci = nla_get_be16(a[OVS_KEY_ATTR_VLAN]);

			if (!(tci & htons(VLAN_TAG_PRESENT))) {
				OVS_NLERR(log, "VLAN tag present bit must have an exact match (tci_mask=%x).",
					  ntohs(tci));
				err = -EINVAL;
				goto free_newmask;
			}
		}

		err = ovs_key_from_nlattrs(net, match, mask_attrs, a, true,
					   log);
		if (err)
			goto free_newmask;
	}

	if (!match_validate(match, key_attrs, mask_attrs, log))
		err = -EINVAL;

free_newmask:
	/* 'newmask' is NULL unless the exact-match mask was built above. */
	kfree(newmask);
	return err;
}

/* Returns the payload length of the UFID attribute 'attr', or 0 when 'attr'
 * is NULL or its length is outside 1..MAX_UFID_LENGTH.  The bound is what
 * keeps the later copy into the fixed UFID storage in range.
 */
static size_t get_ufid_len(const struct nlattr *attr, bool log)
{
	size_t len;

	if (!attr)
		return 0;

	len = nla_len(attr);
	if (len < 1 || len > MAX_UFID_LENGTH) {
		OVS_NLERR(log, "ufid size %u bytes exceeds the range (1, %d)",
			  nla_len(attr), MAX_UFID_LENGTH);
		return 0;
	}

	return len;
}

/* Initializes 'sfid->ufid' and 'sfid->ufid_len' from 'attr', returning true
 * if 'attr' contains a valid UFID, or false otherwise.  On failure
 * 'sfid->ufid_len' is left at 0 and nothing is copied.
 */
bool ovs_nla_get_ufid(struct sw_flow_id *sfid, const struct nlattr *attr,
		      bool log)
{
	sfid->ufid_len = get_ufid_len(attr, log);
	if (sfid->ufid_len)
		memcpy(sfid->ufid, nla_data(attr), sfid->ufid_len);

	return sfid->ufid_len;
}

/* Fills 'sfid' from the UFID attribute when one is supplied and valid;
 * otherwise stores a freshly allocated copy of 'key' in
 * 'sfid->unmasked_key'.  Returns 0 on success or -ENOMEM.
 * NOTE(review): the copy is presumably owned and freed together with the
 * flow - confirm against the flow teardown path.
 */
int ovs_nla_get_identifier(struct sw_flow_id *sfid, const struct nlattr *ufid,
			   const struct sw_flow_key *key, bool log)
{
	struct sw_flow_key *new_key;

	if (ovs_nla_get_ufid(sfid, ufid, log))
		return 0;

	/* If UFID was not provided, use unmasked key. */
	new_key = kmalloc(sizeof(*new_key), GFP_KERNEL);
	if (!new_key)
		return -ENOMEM;
	memcpy(new_key, key, sizeof(*key));
	sfid->unmasked_key = new_key;

	return 0;
}

/* Returns the u32 payload of 'attr', or 0 when the attribute is absent. */
u32 ovs_nla_get_ufid_flags(const struct nlattr *attr)
{
	return attr ? nla_get_u32(attr) : 0;
}

/**
 * ovs_nla_get_flow_metadata - parses Netlink attributes into a flow key.
 * @net: Network namespace, passed through to metadata_from_nlattrs().
 * @key: Receives extracted in_port, priority, tun_key and skb_mark.
 * @attr: Netlink attribute holding nested %OVS_KEY_ATTR_* Netlink attribute
 * sequence.
 * @log: Boolean to allow kernel error logging.
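* Normally true, but when
 * probing for feature compatibility this should be passed in as false to
 * suppress unnecessary error logging.
 *
 * This parses a series of Netlink attributes that form a flow key, which must
 * take the same form accepted by flow_from_nlattrs(), but only enough of it to
 * get the metadata, that is, the parts of the flow key that cannot be
 * extracted from the packet itself.
 *
 * Any parse failure is reported as -EINVAL.
 */

int ovs_nla_get_flow_metadata(struct net *net, const struct nlattr *attr,
			      struct sw_flow_key *key,
			      bool log)
{
	const struct nlattr *a[OVS_KEY_ATTR_MAX + 1];
	struct sw_flow_match match;
	u64 attrs = 0;
	int err;

	err = parse_flow_nlattrs(attr, a, &attrs, log);
	if (err)
		return -EINVAL;

	memset(&match, 0, sizeof(match));
	match.key = key;

	/* Defaults for metadata the attributes may not carry. */
	memset(&key->ct, 0, sizeof(key->ct));
	key->phy.in_port = DP_MAX_PORTS;

	return metadata_from_nlattrs(net, &match, &attrs, a, false, log);
}

/* Serializes a flow key (or mask) into 'skb' as OVS_KEY_ATTR_* attributes.
 *
 * 'swkey' decides which attributes are emitted (ethertype, IP protocol, ...),
 * 'output' supplies the values that are written: the key itself for a key
 * dump, the mask's key when 'is_mask' is true.
 *
 * Returns 0 on success or -EMSGSIZE when 'skb' has no room left.  On failure
 * the attributes already written are left in 'skb'.
 */
static int __ovs_nla_put_key(const struct sw_flow_key *swkey,
			     const struct sw_flow_key *output, bool is_mask,
			     struct sk_buff *skb)
{
	struct ovs_key_ethernet *eth_key;
	struct nlattr *nla, *encap;

	if (nla_put_u32(skb, OVS_KEY_ATTR_RECIRC_ID, output->recirc_id))
		goto nla_put_failure;

	if (nla_put_u32(skb, OVS_KEY_ATTR_DP_HASH, output->ovs_flow_hash))
		goto nla_put_failure;

	if (nla_put_u32(skb, OVS_KEY_ATTR_PRIORITY, output->phy.priority))
		goto nla_put_failure;

	if ((swkey->tun_key.u.ipv4.dst || is_mask)) {
		const void *opts = NULL;

		if (output->tun_key.tun_flags & TUNNEL_OPTIONS_PRESENT)
			opts = TUN_METADATA_OPTS(output, swkey->tun_opts_len);

		if (ipv4_tun_to_nlattr(skb, &output->tun_key, opts,
				       swkey->tun_opts_len))
			goto nla_put_failure;
	}

	if (swkey->phy.in_port == DP_MAX_PORTS) {
		if (is_mask && (output->phy.in_port == 0xffff))
			if (nla_put_u32(skb, OVS_KEY_ATTR_IN_PORT, 0xffffffff))
				goto nla_put_failure;
	} else {
		u16 upper_u16;
		upper_u16 = !is_mask ? 0 : 0xffff;

		/* Widen before shifting: a u16 promotes to int, and shifting
		 * 0xffff left by 16 in a signed int is not well defined.
		 */
		if (nla_put_u32(skb, OVS_KEY_ATTR_IN_PORT,
				((u32)upper_u16 << 16) | output->phy.in_port))
			goto nla_put_failure;
	}

	if (nla_put_u32(skb, OVS_KEY_ATTR_SKB_MARK, output->phy.skb_mark))
		goto nla_put_failure;

	if (ovs_ct_put_key(output, skb))
		goto nla_put_failure;

	nla = nla_reserve(skb, OVS_KEY_ATTR_ETHERNET, sizeof(*eth_key));
	if (!nla)
		goto nla_put_failure;

	eth_key = nla_data(nla);
	ether_addr_copy(eth_key->eth_src, output->eth.src);
	ether_addr_copy(eth_key->eth_dst, output->eth.dst);

	if (swkey->eth.tci || swkey->eth.type == htons(ETH_P_8021Q)) {
		__be16 eth_type;
		eth_type = !is_mask ? htons(ETH_P_8021Q) : htons(0xffff);
		if (nla_put_be16(skb, OVS_KEY_ATTR_ETHERTYPE, eth_type) ||
		    nla_put_be16(skb, OVS_KEY_ATTR_VLAN, output->eth.tci))
			goto nla_put_failure;
		encap = nla_nest_start(skb, OVS_KEY_ATTR_ENCAP);
		/* Without this check a full skb on the truncated-VLAN path
		 * below would report success with the ENCAP attribute
		 * silently missing.
		 */
		if (!encap)
			goto nla_put_failure;
		if (!swkey->eth.tci)
			goto unencap;
	} else
		encap = NULL;

	if (swkey->eth.type == htons(ETH_P_802_2)) {
		/*
		 * Ethertype 802.2 is represented in the netlink with omitted
		 * OVS_KEY_ATTR_ETHERTYPE in the flow key attribute, and
		 * 0xffff in the mask attribute.  Ethertype can also
		 * be wildcarded.
		 */
		if (is_mask && output->eth.type)
			if (nla_put_be16(skb, OVS_KEY_ATTR_ETHERTYPE,
						output->eth.type))
				goto nla_put_failure;
		goto unencap;
	}

	if (nla_put_be16(skb, OVS_KEY_ATTR_ETHERTYPE, output->eth.type))
		goto nla_put_failure;

	if (swkey->eth.type == htons(ETH_P_IP)) {
		struct ovs_key_ipv4 *ipv4_key;

		nla = nla_reserve(skb, OVS_KEY_ATTR_IPV4, sizeof(*ipv4_key));
		if (!nla)
			goto nla_put_failure;
		ipv4_key = nla_data(nla);
		ipv4_key->ipv4_src = output->ipv4.addr.src;
		ipv4_key->ipv4_dst = output->ipv4.addr.dst;
		ipv4_key->ipv4_proto = output->ip.proto;
		ipv4_key->ipv4_tos = output->ip.tos;
		ipv4_key->ipv4_ttl = output->ip.ttl;
		ipv4_key->ipv4_frag = output->ip.frag;
	} else if (swkey->eth.type == htons(ETH_P_IPV6)) {
		struct ovs_key_ipv6 *ipv6_key;

		nla = nla_reserve(skb, OVS_KEY_ATTR_IPV6, sizeof(*ipv6_key));
		if (!nla)
			goto nla_put_failure;
		ipv6_key = nla_data(nla);
		memcpy(ipv6_key->ipv6_src, &output->ipv6.addr.src,
				sizeof(ipv6_key->ipv6_src));
		memcpy(ipv6_key->ipv6_dst, &output->ipv6.addr.dst,
				sizeof(ipv6_key->ipv6_dst));
		ipv6_key->ipv6_label = output->ipv6.label;
		ipv6_key->ipv6_proto = output->ip.proto;
		ipv6_key->ipv6_tclass = output->ip.tos;
		ipv6_key->ipv6_hlimit = output->ip.ttl;
		ipv6_key->ipv6_frag = output->ip.frag;
	} else if (swkey->eth.type == htons(ETH_P_ARP) ||
		   swkey->eth.type == htons(ETH_P_RARP)) {
		struct ovs_key_arp *arp_key;

		nla = nla_reserve(skb, OVS_KEY_ATTR_ARP, sizeof(*arp_key));
		if (!nla)
			goto nla_put_failure;
		arp_key = nla_data(nla);
		/* Zero the whole struct before filling it; presumably it has
		 * padding that must not reach userspace uninitialized -
		 * confirm against the struct layout.
		 */
		memset(arp_key, 0, sizeof(struct ovs_key_arp));
		arp_key->arp_sip = output->ipv4.addr.src;
		arp_key->arp_tip = output->ipv4.addr.dst;
		arp_key->arp_op = htons(output->ip.proto);
		ether_addr_copy(arp_key->arp_sha, output->ipv4.arp.sha);
		ether_addr_copy(arp_key->arp_tha, output->ipv4.arp.tha);
	} else if (eth_p_mpls(swkey->eth.type)) {
		struct ovs_key_mpls *mpls_key;

		nla = nla_reserve(skb, OVS_KEY_ATTR_MPLS, sizeof(*mpls_key));
		if (!nla)
			goto nla_put_failure;
		mpls_key = nla_data(nla);
		mpls_key->mpls_lse = output->mpls.top_lse;
	}

	/* Transport-layer attributes are emitted for IPv4/IPv6 only, and not
	 * for later fragments.
	 */
	if ((swkey->eth.type == htons(ETH_P_IP) ||
	     swkey->eth.type == htons(ETH_P_IPV6)) &&
	     swkey->ip.frag != OVS_FRAG_TYPE_LATER) {

		if (swkey->ip.proto == IPPROTO_TCP) {
			struct ovs_key_tcp *tcp_key;

			nla = nla_reserve(skb, OVS_KEY_ATTR_TCP, sizeof(*tcp_key));
			if (!nla)
				goto nla_put_failure;
			tcp_key = nla_data(nla);
			tcp_key->tcp_src = output->tp.src;
			tcp_key->tcp_dst = output->tp.dst;
			if (nla_put_be16(skb, OVS_KEY_ATTR_TCP_FLAGS,
					 output->tp.flags))
				goto nla_put_failure;
		} else if (swkey->ip.proto == IPPROTO_UDP) {
			struct ovs_key_udp *udp_key;

			nla = nla_reserve(skb, OVS_KEY_ATTR_UDP, sizeof(*udp_key));
			if (!nla)
				goto nla_put_failure;
			udp_key = nla_data(nla);
			udp_key->udp_src = output->tp.src;
			udp_key->udp_dst = output->tp.dst;
		} else if (swkey->ip.proto == IPPROTO_SCTP) {
			struct ovs_key_sctp *sctp_key;

			nla = nla_reserve(skb, OVS_KEY_ATTR_SCTP, sizeof(*sctp_key));
			if (!nla)
				goto nla_put_failure;
			sctp_key = nla_data(nla);
			sctp_key->sctp_src = output->tp.src;
			sctp_key->sctp_dst = output->tp.dst;
		} else if (swkey->eth.type == htons(ETH_P_IP) &&
			   swkey->ip.proto == IPPROTO_ICMP) {
			struct ovs_key_icmp *icmp_key;

			nla = nla_reserve(skb, OVS_KEY_ATTR_ICMP, sizeof(*icmp_key));
			if (!nla)
				goto nla_put_failure;
			icmp_key = nla_data(nla);
			/* ICMP type and code are kept in tp.src / tp.dst. */
			icmp_key->icmp_type = ntohs(output->tp.src);
			icmp_key->icmp_code = ntohs(output->tp.dst);
		} else if (swkey->eth.type == htons(ETH_P_IPV6) &&
			   swkey->ip.proto == IPPROTO_ICMPV6) {
			struct ovs_key_icmpv6 *icmpv6_key;

			nla = nla_reserve(skb, OVS_KEY_ATTR_ICMPV6,
						sizeof(*icmpv6_key));
			if (!nla)
				goto nla_put_failure;
			icmpv6_key = nla_data(nla);
			icmpv6_key->icmpv6_type = ntohs(output->tp.src);
			icmpv6_key->icmpv6_code = ntohs(output->tp.dst);

			if (icmpv6_key->icmpv6_type == NDISC_NEIGHBOUR_SOLICITATION ||
			    icmpv6_key->icmpv6_type == NDISC_NEIGHBOUR_ADVERTISEMENT) {
				struct ovs_key_nd *nd_key;

				nla = nla_reserve(skb, OVS_KEY_ATTR_ND, sizeof(*nd_key));
				if (!nla)
					goto nla_put_failure;
				nd_key = nla_data(nla);
				memcpy(nd_key->nd_target, &output->ipv6.nd.target,
							sizeof(nd_key->nd_target));
				ether_addr_copy(nd_key->nd_sll, output->ipv6.nd.sll);
				ether_addr_copy(nd_key->nd_tll, output->ipv6.nd.tll);
			}
		}
	}

unencap:
	if (encap)
		nla_nest_end(skb, encap);

	return 0;

nla_put_failure:
	return -EMSGSIZE;
}

/* Wraps the serialized key in a nested attribute of type 'attr'.
 * Returns 0, -EMSGSIZE, or the error from __ovs_nla_put_key(); on error the
 * nest is left open in 'skb'.
 */
int ovs_nla_put_key(const struct sw_flow_key *swkey,
		    const struct sw_flow_key *output, int attr, bool is_mask,
		    struct sk_buff *skb)
{
	int err;
	struct nlattr *nla;

	nla = nla_nest_start(skb, attr);
	if (!nla)
		return -EMSGSIZE;
	err = __ovs_nla_put_key(swkey, output, is_mask, skb);
	if (err)
		return err;
	nla_nest_end(skb, nla);

	return 0;
}

/* Called with ovs_mutex or RCU read lock.
 * Emits the flow's identifier: the UFID when the flow has one, otherwise the
 * unmasked key as OVS_FLOW_ATTR_KEY.
 */
int ovs_nla_put_identifier(const struct sw_flow *flow, struct sk_buff *skb)
{
	if (ovs_identifier_is_ufid(&flow->id))
		return nla_put(skb, OVS_FLOW_ATTR_UFID, flow->id.ufid_len,
			       flow->id.ufid);

	return ovs_nla_put_key(flow->id.unmasked_key, flow->id.unmasked_key,
			       OVS_FLOW_ATTR_KEY, false, skb);
}

/* Called with ovs_mutex or RCU read lock.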
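*/
int ovs_nla_put_masked_key(const struct sw_flow *flow, struct sk_buff *skb)
{
	/* Key and output are the same object: emit the masked key as is. */
	return ovs_nla_put_key(&flow->key, &flow->key,
				OVS_FLOW_ATTR_KEY, false, skb);
}

/* Called with ovs_mutex or RCU read lock. */
int ovs_nla_put_mask(const struct sw_flow *flow, struct sk_buff *skb)
{
	/* The flow key selects the attributes, the mask supplies the values. */
	return ovs_nla_put_key(&flow->key, &flow->mask->key,
				OVS_FLOW_ATTR_MASK, true, skb);
}

#define MAX_ACTIONS_BUFSIZE	(32 * 1024)

/* Allocates an empty action list with room for 'size' bytes of actions.
 * Returns the list, ERR_PTR(-EINVAL) when 'size' is negative or larger than
 * MAX_ACTIONS_BUFSIZE, or ERR_PTR(-ENOMEM).
 */
static struct sw_flow_actions *nla_alloc_flow_actions(int size, bool log)
{
	struct sw_flow_actions *sfa;

	/* 'size' is signed; a negative value would otherwise shrink or wrap
	 * the allocation size computed below.
	 */
	if (size < 0 || size > MAX_ACTIONS_BUFSIZE) {
		OVS_NLERR(log, "Flow action size %u bytes exceeds max", size);
		return ERR_PTR(-EINVAL);
	}

	sfa = kmalloc(sizeof(*sfa) + size, GFP_KERNEL);
	if (!sfa)
		return ERR_PTR(-ENOMEM);

	sfa->actions_len = 0;
	return sfa;
}

/* Drops the tunnel destination reference held by a SET action, if any. */
static void ovs_nla_free_set_action(const struct nlattr *a)
{
	const struct nlattr *ovs_key = nla_data(a);
	struct ovs_tunnel_info *ovs_tun;

	switch (nla_type(ovs_key)) {
	case OVS_KEY_ATTR_TUNNEL_INFO:
		ovs_tun = nla_data(ovs_key);
		dst_release((struct dst_entry *)ovs_tun->tun_dst);
		break;
	}
}

static void ovs_nla_free_nested_actions(const struct nlattr *actions, int len);

/* Releases the resources held by the action list nested in a SAMPLE action. */
static void ovs_nla_free_sample_action(const struct nlattr *action)
{
	const struct nlattr *a;
	int rem;

	nla_for_each_nested(a, action, rem) {
		if (nla_type(a) == OVS_SAMPLE_ATTR_ACTIONS)
			ovs_nla_free_nested_actions(nla_data(a), nla_len(a));
	}
}

/* Walks 'len' bytes of actions and releases what each one holds.  SAMPLE
 * actions carry their own action list, which may again contain SET or CT
 * actions owning references, so they are descended into as well.
 */
static void ovs_nla_free_nested_actions(const struct nlattr *actions, int len)
{
	const struct nlattr *a;
	int rem;

	nla_for_each_attr(a, actions, len, rem) {
		switch (nla_type(a)) {
		case OVS_ACTION_ATTR_SET:
			ovs_nla_free_set_action(a);
			break;
		case OVS_ACTION_ATTR_CT:
			ovs_ct_free_action(a);
			break;
		case OVS_ACTION_ATTR_SAMPLE:
			ovs_nla_free_sample_action(a);
			break;
		}
	}
}

/* Frees 'sf_acts' together with the references its actions hold.  Accepts
 * NULL.  Walking only the top level would leave the references of SET and CT
 * actions nested inside SAMPLE actions unreleased.
 */
void ovs_nla_free_flow_actions(struct sw_flow_actions *sf_acts)
{
	if (!sf_acts)
		return;

	ovs_nla_free_nested_actions(sf_acts->actions, sf_acts->actions_len);
	kfree(sf_acts);
}

/* RCU callback: recovers the action list from its embedded rcu_head. */
static void __ovs_nla_free_flow_actions(struct rcu_head *head)
{
	ovs_nla_free_flow_actions(container_of(head, struct sw_flow_actions, rcu));
}

/* Schedules 'sf_acts' to be freed after the next RCU grace period.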
* The caller must hold rcu_read_lock for this to be sensible. */
void ovs_nla_free_flow_actions_rcu(struct sw_flow_actions *sf_acts)
{
	call_rcu(&sf_acts->rcu, __ovs_nla_free_flow_actions);
}

/* Reserves NLA_ALIGN(attr_len) bytes at the end of the action list '*sfa' and
 * returns a pointer to the reserved space.  When the current allocation is
 * too small a larger list is allocated, the existing actions are copied over,
 * the old list is freed and '*sfa' is updated, so callers must not keep
 * pointers into the old list across this call.
 *
 * Returns ERR_PTR(-EMSGSIZE) when the request does not fit under
 * MAX_ACTIONS_BUFSIZE, or the error from nla_alloc_flow_actions().
 */
static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa,
				       int attr_len, bool log)
{

	struct sw_flow_actions *acts;
	int new_acts_size;
	int req_size = NLA_ALIGN(attr_len);
	int next_offset = offsetof(struct sw_flow_actions, actions) +
					(*sfa)->actions_len;

	/* NOTE(review): ksize() returns size_t, so this comparison is done
	 * unsigned.  It relies on 'attr_len' being non-negative and on
	 * 'next_offset' never exceeding the allocation - confirm for every
	 * caller.  The bound is the real allocation size, which may be larger
	 * than the size that was requested.
	 */
	if (req_size <= (ksize(*sfa) - next_offset))
		goto out;

	new_acts_size = ksize(*sfa) * 2;

	if (new_acts_size > MAX_ACTIONS_BUFSIZE) {
		/* Both operands are int here, so a 'next_offset' beyond the
		 * cap yields a negative difference and is rejected.
		 */
		if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size)
			return ERR_PTR(-EMSGSIZE);
		new_acts_size = MAX_ACTIONS_BUFSIZE;
	}

	acts = nla_alloc_flow_actions(new_acts_size, log);
	if (IS_ERR(acts))
		return (void *)acts;

	memcpy(acts->actions, (*sfa)->actions, (*sfa)->actions_len);
	acts->actions_len = (*sfa)->actions_len;
	acts->orig_len = (*sfa)->orig_len;
	kfree(*sfa);
	*sfa = acts;

out:
	(*sfa)->actions_len += req_size;
	return (struct nlattr *) ((unsigned char *)(*sfa) + next_offset);
}

/* Appends one attribute of type 'attrtype' with a 'len' byte payload to
 * '*sfa'.  The payload is copied from 'data' when it is non-NULL; with a NULL
 * 'data' the payload bytes are left for the caller to fill in.  Padding after
 * the payload is zeroed.  Returns the new attribute or an ERR_PTR.
 */
static struct nlattr *__add_action(struct sw_flow_actions **sfa,
				   int attrtype, void *data, int len, bool log)
{
	struct nlattr *a;

	a = reserve_sfa_size(sfa, nla_attr_size(len), log);
	if (IS_ERR(a))
		return a;

	a->nla_type = attrtype;
	a->nla_len = nla_attr_size(len);

	if (data)
		memcpy(nla_data(a), data, len);
	memset((unsigned char *) a + a->nla_len, 0, nla_padlen(len));

	return a;
}

/* Same as __add_action(), but reports only success (0) or a negative errno. */
int ovs_nla_add_action(struct sw_flow_actions **sfa, int attrtype, void *data,
		       int len, bool log)
{
	struct nlattr *a;

	a = __add_action(sfa, attrtype, data, len, log);

	return PTR_ERR_OR_ZERO(a);
}

/* Opens a nested action of type 'attrtype' by appending an empty attribute.
 * Returns the offset of that attribute within the action data, to be passed
 * to add_nested_action_end(), or a negative errno.  An offset is returned
 * rather than a pointer because later additions may reallocate '*sfa'.
 */
static inline int add_nested_action_start(struct sw_flow_actions **sfa,
					  int attrtype, bool log)
{
	int used = (*sfa)->actions_len;
	int err;

	err = ovs_nla_add_action(sfa, attrtype, NULL, 0, log);
	if (err)
		return err;

	return used;
}

/* Closes the nested action opened at 'st_offset' by setting its length to
 * cover everything appended since.
 * NOTE(review): the difference is stored in the attribute's nla_len field;
 * presumably the action buffer cap keeps it within that field's range -
 * confirm.
 */
static inline void add_nested_action_end(struct sw_flow_actions *sfa,
					 int st_offset)
{
	struct nlattr *a = (struct nlattr *) ((unsigned char *)sfa->actions +
							       st_offset);

	a->nla_len = sfa->actions_len - st_offset;
}

static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
				  const struct sw_flow_key *key,
				  int depth, struct sw_flow_actions **sfa,
				  __be16 eth_type, __be16 vlan_tci, bool log);

/* Validates a SAMPLE action and copies it, including its nested action list,
 * into '*sfa'.  Each sample attribute may appear at most once; the
 * probability must be exactly a u32 and the actions attribute must be
 * present.  The nested list is validated one level deeper ('depth' + 1).
 * Returns 0 or a negative errno.
 */
static int validate_and_copy_sample(struct net *net, const struct nlattr *attr,
				    const struct sw_flow_key *key, int depth,
				    struct sw_flow_actions **sfa,
				    __be16 eth_type, __be16 vlan_tci, bool log)
{
	const struct nlattr *attrs[OVS_SAMPLE_ATTR_MAX + 1];
	const struct nlattr *probability, *actions;
	const struct nlattr *a;
	int rem, start, err, st_acts;

	memset(attrs, 0, sizeof(attrs));
	nla_for_each_nested(a, attr, rem) {
		int type = nla_type(a);
		/* Reject unknown types (bounds the index) and duplicates. */
		if (!type || type > OVS_SAMPLE_ATTR_MAX || attrs[type])
			return -EINVAL;
		attrs[type] = a;
	}
	/* Leftover bytes mean a malformed trailing attribute. */
	if (rem)
		return -EINVAL;

	probability = attrs[OVS_SAMPLE_ATTR_PROBABILITY];
	if (!probability || nla_len(probability) != sizeof(u32))
		return -EINVAL;

	actions = attrs[OVS_SAMPLE_ATTR_ACTIONS];
	if (!actions || (nla_len(actions) && nla_len(actions) < NLA_HDRLEN))
		return -EINVAL;

	/* validation done, copy sample action. */
	start = add_nested_action_start(sfa, OVS_ACTION_ATTR_SAMPLE, log);
	if (start < 0)
		return start;
	err = ovs_nla_add_action(sfa, OVS_SAMPLE_ATTR_PROBABILITY,
				 nla_data(probability), sizeof(u32), log);
	if (err)
		return err;
	st_acts = add_nested_action_start(sfa, OVS_SAMPLE_ATTR_ACTIONS, log);
	if (st_acts < 0)
		return st_acts;

	err = __ovs_nla_copy_actions(net, actions, key, depth + 1, sfa,
				     eth_type, vlan_tci, log);
	if (err)
		return err;

	/* Close the inner nest first, then the enclosing SAMPLE. */
	add_nested_action_end(*sfa, st_acts);
	add_nested_action_end(*sfa, start);

	return 0;
}

/* Binds 'key' and the optional 'mask' to 'match' and zeroes all three, so
 * fields and padding that are never written stay 0.
 */
void ovs_match_init(struct sw_flow_match *match,
		    struct sw_flow_key *key,
		    struct sw_flow_mask *mask)
{
	memset(match, 0, sizeof(*match));
	match->key = key;
	match->mask = mask;

	memset(key, 0, sizeof(*key));

	if (mask) {
		memset(&mask->key, 0, sizeof(mask->key));
		mask->range.start = mask->range.end = 0;
	}
}

/* Walks the Geneve options stored in 'key' and checks that each option header
 * and its declared length fit in the remaining option bytes.  Sets
 * TUNNEL_CRIT_OPT in the tunnel flags when any option carries the critical
 * bit.  Returns 0 or -EINVAL.
 */
static int validate_geneve_opts(struct sw_flow_key *key)
{
	struct geneve_opt *option;
	int opts_len = key->tun_opts_len;
	bool crit_opt = false;

	option = (struct geneve_opt *)TUN_METADATA_OPTS(key, key->tun_opts_len);
	while (opts_len > 0) {
		int len;

		/* The fixed header must fit before any field is read. */
		if (opts_len < sizeof(*option))
			return -EINVAL;

		/* option->length counts the option data in 4-byte units. */
		len = sizeof(*option) + option->length * 4;
		if (len > opts_len)
			return -EINVAL;

		crit_opt |= !!(option->type & GENEVE_CRIT_OPT_TYPE);

		option = (struct geneve_opt *)((u8 *)option + len);
		opts_len -= len;
	};

	key->tun_key.tun_flags |= crit_opt ? TUNNEL_CRIT_OPT : 0;

	return 0;
}

/* Validates a tunnel SET action and appends it to '*sfa' as
 * SET { OVS_KEY_ATTR_TUNNEL_INFO }, where the payload points at a newly
 * allocated metadata_dst holding the tunnel key and options.  That reference
 * is released by ovs_nla_free_set_action().  Returns 0 or a negative errno.
 */
static int validate_and_copy_set_tun(const struct nlattr *attr,
				     struct sw_flow_actions **sfa, bool log)
{
	struct sw_flow_match match;
	struct sw_flow_key key;
	struct metadata_dst *tun_dst;
	struct ip_tunnel_info *tun_info;
	struct ovs_tunnel_info *ovs_tun;
	struct nlattr *a;
	int err = 0, start, opts_type;

	/* Parse into a scratch key on the stack. */
	ovs_match_init(&match, &key, NULL);
	opts_type = ipv4_tun_from_nlattr(nla_data(attr), &match, false, log);
	if (opts_type < 0)
		return opts_type;

	if (key.tun_opts_len) {
		switch (opts_type) {
		case OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS:
			err = validate_geneve_opts(&key);
			if (err < 0)
				return err;
			break;
		case OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS:
			break;
		}
	};

	start = add_nested_action_start(sfa, OVS_ACTION_ATTR_SET, log);
	if (start < 0)
		return start;

	tun_dst = metadata_dst_alloc(key.tun_opts_len, GFP_KERNEL);
	if (!tun_dst)
		return -ENOMEM;

	a = __add_action(sfa, OVS_KEY_ATTR_TUNNEL_INFO, NULL,
			 sizeof(*ovs_tun), log);
	if (IS_ERR(a)) {
		/* Nothing in the action list refers to tun_dst yet. */
		dst_release((struct dst_entry *)tun_dst);
		return PTR_ERR(a);
	}

	ovs_tun = nla_data(a);
	ovs_tun->tun_dst = tun_dst;

	tun_info = &tun_dst->u.tun_info;
	tun_info->mode = IP_TUNNEL_INFO_TX;
	tun_info->key = key.tun_key;

	/* We need to store the options in the action itself since
	 * everything else will go away after flow setup. We can append
	 * it to tun_info and then point there.
	 */
	ip_tunnel_info_opts_set(tun_info,
				TUN_METADATA_OPTS(&key, key.tun_opts_len),
				key.tun_opts_len);
	add_nested_action_end(*sfa, start);

	return err;
}

/* Return false if there are any non-masked bits set.
 * Mask follows data immediately, before any netlink padding.
*/
static bool validate_masked(u8 *data, int len)
{
	/* Reads 2 * 'len' bytes starting at 'data': 'len' value bytes followed
	 * by 'len' mask bytes.  The caller must guarantee that much payload.
	 */
	u8 *mask = data + len;

	while (len--)
		if (*data++ & ~*mask++)
			return false;

	return true;
}

/* Validates one SET or SET_MASKED action ('masked' selects which) against the
 * flow key and the ethertype the packet has at this point in the action list.
 *
 * '*skip_copy' is set to true when this function has already appended the
 * action to '*sfa' in converted form, so the caller must not copy the
 * original: tunnel sets become a TUNNEL_INFO action, and unmasked sets are
 * rewritten as OVS_ACTION_ATTR_SET_TO_MASKED with an all-ones mask.
 *
 * Returns 0 or a negative errno.
 */
static int validate_set(const struct nlattr *a,
			const struct sw_flow_key *flow_key,
			struct sw_flow_actions **sfa,
			bool *skip_copy, __be16 eth_type, bool masked, bool log)
{
	/* NOTE(review): the nested header at nla_data(a) is read here before
	 * nla_len(a) is known to cover a full attribute header; presumably the
	 * bytes following 'a' are always readable - confirm.
	 */
	const struct nlattr *ovs_key = nla_data(a);
	int key_type = nla_type(ovs_key);
	size_t key_len;

	/* There can be only one key in a action */
	if (nla_total_size(nla_len(ovs_key)) != nla_len(a))
		return -EINVAL;

	/* A masked set carries value and mask back to back, so the key itself
	 * is half of the payload.
	 */
	key_len = nla_len(ovs_key);
	if (masked)
		key_len /= 2;

	/* The type check must come first: it bounds the table index. */
	if (key_type > OVS_KEY_ATTR_MAX ||
	    !check_attr_len(key_len, ovs_key_lens[key_type].len))
		return -EINVAL;

	if (masked && !validate_masked(nla_data(ovs_key), key_len))
		return -EINVAL;

	switch (key_type) {
	const struct ovs_key_ipv4 *ipv4_key;
	const struct ovs_key_ipv6 *ipv6_key;
	int err;

	case OVS_KEY_ATTR_PRIORITY:
	case OVS_KEY_ATTR_SKB_MARK:
	case OVS_KEY_ATTR_CT_MARK:
	case OVS_KEY_ATTR_CT_LABELS:
	case OVS_KEY_ATTR_ETHERNET:
		break;

	case OVS_KEY_ATTR_TUNNEL:
		if (eth_p_mpls(eth_type))
			return -EINVAL;

		if (masked)
			return -EINVAL; /* Masked tunnel set not supported. */

		*skip_copy = true;
		err = validate_and_copy_set_tun(a, sfa, log);
		if (err)
			return err;
		break;

	case OVS_KEY_ATTR_IPV4:
		if (eth_type != htons(ETH_P_IP))
			return -EINVAL;

		ipv4_key = nla_data(ovs_key);

		if (masked) {
			/* The mask struct follows the value struct. */
			const struct ovs_key_ipv4 *mask = ipv4_key + 1;

			/* Non-writeable fields. */
			if (mask->ipv4_proto || mask->ipv4_frag)
				return -EINVAL;
		} else {
			/* Unmasked: the non-writeable fields must repeat the
			 * values already in the flow key.
			 */
			if (ipv4_key->ipv4_proto != flow_key->ip.proto)
				return -EINVAL;

			if (ipv4_key->ipv4_frag != flow_key->ip.frag)
				return -EINVAL;
		}
		break;

	case OVS_KEY_ATTR_IPV6:
		if (eth_type != htons(ETH_P_IPV6))
			return -EINVAL;

		ipv6_key = nla_data(ovs_key);

		if (masked) {
			const struct ovs_key_ipv6 *mask = ipv6_key + 1;

			/* Non-writeable fields. */
			if (mask->ipv6_proto || mask->ipv6_frag)
				return -EINVAL;

			/* Invalid bits in the flow label mask? */
			if (ntohl(mask->ipv6_label) & 0xFFF00000)
				return -EINVAL;
		} else {
			if (ipv6_key->ipv6_proto != flow_key->ip.proto)
				return -EINVAL;

			if (ipv6_key->ipv6_frag != flow_key->ip.frag)
				return -EINVAL;
		}
		/* Only the low 20 bits of the label may be set. */
		if (ntohl(ipv6_key->ipv6_label) & 0xFFF00000)
			return -EINVAL;

		break;

	case OVS_KEY_ATTR_TCP:
		if ((eth_type != htons(ETH_P_IP) &&
		     eth_type != htons(ETH_P_IPV6)) ||
		    flow_key->ip.proto != IPPROTO_TCP)
			return -EINVAL;

		break;

	case OVS_KEY_ATTR_UDP:
		if ((eth_type != htons(ETH_P_IP) &&
		     eth_type != htons(ETH_P_IPV6)) ||
		    flow_key->ip.proto != IPPROTO_UDP)
			return -EINVAL;

		break;

	case OVS_KEY_ATTR_MPLS:
		if (!eth_p_mpls(eth_type))
			return -EINVAL;
		break;

	case OVS_KEY_ATTR_SCTP:
		if ((eth_type != htons(ETH_P_IP) &&
		     eth_type != htons(ETH_P_IPV6)) ||
		    flow_key->ip.proto != IPPROTO_SCTP)
			return -EINVAL;

		break;

	default:
		return -EINVAL;
	}

	/* Convert non-masked non-tunnel set actions to masked set actions. */
	if (!masked && key_type != OVS_KEY_ATTR_TUNNEL) {
		int start, len = key_len * 2;
		struct nlattr *at;

		*skip_copy = true;

		start = add_nested_action_start(sfa,
						OVS_ACTION_ATTR_SET_TO_MASKED,
						log);
		if (start < 0)
			return start;

		/* Payload is reserved but not filled; both halves are written
		 * just below.
		 */
		at = __add_action(sfa, key_type, NULL, len, log);
		if (IS_ERR(at))
			return PTR_ERR(at);

		memcpy(nla_data(at), nla_data(ovs_key), key_len); /* Key. */
		memset(nla_data(at) + key_len, 0xff, key_len);    /* Mask. */
		/* Clear non-writeable bits from otherwise writeable fields. */
		if (key_type == OVS_KEY_ATTR_IPV6) {
			struct ovs_key_ipv6 *mask = nla_data(at) + key_len;

			mask->ipv6_label &= htonl(0x000FFFFF);
		}
		add_nested_action_end(*sfa, start);
	}

	return 0;
}

/* Validates a USERSPACE action: it must parse against the policy below and
 * carry a non-zero OVS_USERSPACE_ATTR_PID.  Returns 0 or a negative errno.
 */
static int validate_userspace(const struct nlattr *attr)
{
	static const struct nla_policy userspace_policy[OVS_USERSPACE_ATTR_MAX + 1] = {
		[OVS_USERSPACE_ATTR_PID] = {.type = NLA_U32 },
		[OVS_USERSPACE_ATTR_USERDATA] = {.type = NLA_UNSPEC },
		[OVS_USERSPACE_ATTR_EGRESS_TUN_PORT] = {.type = NLA_U32 },
	};
	struct nlattr *a[OVS_USERSPACE_ATTR_MAX + 1];
	int error;

	error = nla_parse_nested(a, OVS_USERSPACE_ATTR_MAX,
				 attr, userspace_policy);
	if (error)
		return error;

	if (!a[OVS_USERSPACE_ATTR_PID] ||
	    !nla_get_u32(a[OVS_USERSPACE_ATTR_PID]))
		return -EINVAL;

	return 0;
}

/* Appends a verbatim copy of the attribute 'from' to '*sfa'.
 * Returns 0 or a negative errno.
 */
static int copy_action(const struct nlattr *from,
		       struct sw_flow_actions **sfa, bool log)
{
	int totlen = NLA_ALIGN(from->nla_len);
	struct nlattr *to;

	to = reserve_sfa_size(sfa, from->nla_len, log);
	if (IS_ERR(to))
		return PTR_ERR(to);

	/* The aligned length is copied, i.e. the source padding as well;
	 * reserve_sfa_size() rounds the reservation up the same way.
	 * NOTE(review): presumably the source buffer always contains that
	 * padding - confirm.
	 */
	memcpy(to, from, totlen);
	return 0;
}

/* Validates the nested action list 'attr' and copies it into '*sfa'.
 *
 * 'eth_type' and 'vlan_tci' track what the packet looks like as the list is
 * walked: push/pop actions update them, and later actions are checked against
 * the updated values.  'depth' counts SAMPLE nesting and is capped at
 * SAMPLE_ACTION_DEPTH, which bounds the recursion through
 * validate_and_copy_sample().
 *
 * Returns 0 or a negative errno.  On error, actions appended so far remain in
 * '*sfa'.
 */
static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
				  const struct sw_flow_key *key,
				  int depth, struct sw_flow_actions **sfa,
				  __be16 eth_type, __be16 vlan_tci, bool log)
{
	const struct nlattr *a;
	int rem, err;

	if (depth >= SAMPLE_ACTION_DEPTH)
		return -EOVERFLOW;

	nla_for_each_nested(a, attr, rem) {
		/* Expected argument lengths, (u32)-1 for variable length. */
		static const u32 action_lens[OVS_ACTION_ATTR_MAX + 1] = {
			[OVS_ACTION_ATTR_OUTPUT] = sizeof(u32),
			[OVS_ACTION_ATTR_RECIRC] = sizeof(u32),
			[OVS_ACTION_ATTR_USERSPACE] = (u32)-1,
			[OVS_ACTION_ATTR_PUSH_MPLS] = sizeof(struct ovs_action_push_mpls),
			[OVS_ACTION_ATTR_POP_MPLS] = sizeof(__be16),
			[OVS_ACTION_ATTR_PUSH_VLAN] = sizeof(struct ovs_action_push_vlan),
			[OVS_ACTION_ATTR_POP_VLAN] = 0,
			[OVS_ACTION_ATTR_SET] = (u32)-1,
			[OVS_ACTION_ATTR_SET_MASKED] = (u32)-1,
			[OVS_ACTION_ATTR_SAMPLE] = (u32)-1,
			[OVS_ACTION_ATTR_HASH] = sizeof(struct ovs_action_hash),
			[OVS_ACTION_ATTR_CT] = (u32)-1,
		};
		const struct ovs_action_push_vlan *vlan;
		int type = nla_type(a);
		bool skip_copy;

		/* Bound the table index first, then require the exact payload
		 * length for fixed-size actions so the casts below are safe.
		 */
		if (type > OVS_ACTION_ATTR_MAX ||
		    (action_lens[type] != nla_len(a) &&
		     action_lens[type] != (u32)-1))
			return -EINVAL;

		skip_copy = false;
		switch (type) {
		case OVS_ACTION_ATTR_UNSPEC:
			return -EINVAL;

		case OVS_ACTION_ATTR_USERSPACE:
			err = validate_userspace(a);
			if (err)
				return err;
			break;

		case OVS_ACTION_ATTR_OUTPUT:
			if (nla_get_u32(a) >= DP_MAX_PORTS)
				return -EINVAL;
			break;

		case OVS_ACTION_ATTR_HASH: {
			const struct ovs_action_hash *act_hash = nla_data(a);

			switch (act_hash->hash_alg) {
			case OVS_HASH_ALG_L4:
				break;
			default:
				return  -EINVAL;
			}

			break;
		}

		case OVS_ACTION_ATTR_POP_VLAN:
			vlan_tci = htons(0);
			break;

		case OVS_ACTION_ATTR_PUSH_VLAN:
			vlan = nla_data(a);
			if (vlan->vlan_tpid != htons(ETH_P_8021Q))
				return -EINVAL;
			if (!(vlan->vlan_tci & htons(VLAN_TAG_PRESENT)))
				return -EINVAL;
			vlan_tci = vlan->vlan_tci;
			break;

		case OVS_ACTION_ATTR_RECIRC:
			break;

		case OVS_ACTION_ATTR_PUSH_MPLS: {
			const struct ovs_action_push_mpls *mpls = nla_data(a);

			if (!eth_p_mpls(mpls->mpls_ethertype))
				return -EINVAL;
			/* Prohibit push MPLS other than to a white list
			 * for packets that have a known tag order.
			 */
			if (vlan_tci & htons(VLAN_TAG_PRESENT) ||
			    (eth_type != htons(ETH_P_IP) &&
			     eth_type != htons(ETH_P_IPV6) &&
			     eth_type != htons(ETH_P_ARP) &&
			     eth_type != htons(ETH_P_RARP) &&
			     !eth_p_mpls(eth_type)))
				return -EINVAL;
			eth_type = mpls->mpls_ethertype;
			break;
		}

		case OVS_ACTION_ATTR_POP_MPLS:
			if (vlan_tci & htons(VLAN_TAG_PRESENT) ||
			    !eth_p_mpls(eth_type))
				return -EINVAL;

			/* Disallow subsequent L2.5+ set and mpls_pop actions
			 * as there is no check here to ensure that the new
			 * eth_type is valid and thus set actions could
			 * write off the end of the packet or otherwise
			 * corrupt it.
			 *
			 * Support for these actions is planned using packet
			 * recirculation.
			 */
			eth_type = htons(0);
			break;

		case OVS_ACTION_ATTR_SET:
			err = validate_set(a, key, sfa,
					   &skip_copy, eth_type, false, log);
			if (err)
				return err;
			break;

		case OVS_ACTION_ATTR_SET_MASKED:
			err = validate_set(a, key, sfa,
					   &skip_copy, eth_type, true, log);
			if (err)
				return err;
			break;

		case OVS_ACTION_ATTR_SAMPLE:
			err = validate_and_copy_sample(net, a, key, depth, sfa,
						       eth_type, vlan_tci, log);
			if (err)
				return err;
			skip_copy = true;
			break;

		case OVS_ACTION_ATTR_CT:
			err = ovs_ct_copy_action(net, a, key, sfa, log);
			if (err)
				return err;
			skip_copy = true;
			break;

		default:
			OVS_NLERR(log, "Unknown Action type %d", type);
			return -EINVAL;
		}
		/* Actions that were not converted above are copied verbatim. */
		if (!skip_copy) {
			err = copy_action(a, sfa, log);
			if (err)
				return err;
		}
	}

	/* Leftover bytes mean a malformed trailing attribute. */
	if (rem > 0)
		return -EINVAL;

	return 0;
}

/* 'key' must be the masked key.
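*/

/* Allocate a flow action list and fill it with a validated copy of 'attr'.
 *
 * '*sfa' is allocated with nla_alloc_flow_actions() sized from
 * nla_len(attr), and validation starts at nesting depth 0 with the Ethernet
 * type and TCI taken from 'key'.
 *
 * On success returns 0 and '*sfa' owns the new action list.  If allocation
 * fails, the error encoded in the returned pointer is returned and '*sfa'
 * keeps that error pointer.  If validation fails, the list is released with
 * ovs_nla_free_flow_actions() and '*sfa' is set to NULL so the caller is
 * not left holding a pointer to the released list.
 */
int ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
			 const struct sw_flow_key *key,
			 struct sw_flow_actions **sfa, bool log)
{
	int err;

	*sfa = nla_alloc_flow_actions(nla_len(attr), log);
	if (IS_ERR(*sfa))
		return PTR_ERR(*sfa);

	(*sfa)->orig_len = nla_len(attr);
	err = __ovs_nla_copy_actions(net, attr, key, 0, sfa, key->eth.type,
				     key->eth.tci, log);
	if (err) {
		ovs_nla_free_flow_actions(*sfa);
		*sfa = NULL;
	}

	return err;
}

/* Emit a stored sample action into 'skb' as an OVS_ACTION_ATTR_SAMPLE nest.
 *
 * The probability is written as a u32 and the nested action list is
 * re-encoded through ovs_nla_put_actions().  Nested attribute types other
 * than PROBABILITY and ACTIONS are skipped.
 * NOTE(review): reading sizeof(u32) bytes of the probability payload
 * assumes its length was validated when the action was stored; that code is
 * outside this excerpt.
 *
 * Returns 0 on success, -EMSGSIZE when 'skb' has no room, or the error from
 * ovs_nla_put_actions().  On any failure the partially built nest is
 * cancelled, so nothing written by this function remains in 'skb'.
 */
static int sample_action_to_attr(const struct nlattr *attr, struct sk_buff *skb)
{
	const struct nlattr *a;
	struct nlattr *start;
	int err = 0, rem;

	start = nla_nest_start(skb, OVS_ACTION_ATTR_SAMPLE);
	if (!start)
		return -EMSGSIZE;

	nla_for_each_nested(a, attr, rem) {
		int type = nla_type(a);
		struct nlattr *st_sample;

		switch (type) {
		case OVS_SAMPLE_ATTR_PROBABILITY:
			if (nla_put(skb, OVS_SAMPLE_ATTR_PROBABILITY,
				    sizeof(u32), nla_data(a))) {
				err = -EMSGSIZE;
				goto cancel;
			}
			break;
		case OVS_SAMPLE_ATTR_ACTIONS:
			st_sample = nla_nest_start(skb, OVS_SAMPLE_ATTR_ACTIONS);
			if (!st_sample) {
				err = -EMSGSIZE;
				goto cancel;
			}
			err = ovs_nla_put_actions(nla_data(a), nla_len(a), skb);
			if (err)
				goto cancel;
			nla_nest_end(skb, st_sample);
			break;
		}
	}

	nla_nest_end(skb, start);
	return 0;

cancel:
	/* Trimming back to 'start' also discards any open inner nest. */
	nla_nest_cancel(skb, start);
	return err;
}

/* Emit a stored set action into 'skb' as OVS_ACTION_ATTR_SET.
 *
 * A stored OVS_KEY_ATTR_TUNNEL_INFO payload holds a pointer ('tun_dst') to
 * kernel tunnel metadata rather than netlink attributes, so it is
 * re-encoded through ipv4_tun_to_nlattr() instead of being copied out
 * verbatim.  Every other key type is copied out as stored.
 *
 * Returns 0 on success, -EMSGSIZE when 'skb' has no room, or the error from
 * ipv4_tun_to_nlattr().  A nest opened here is cancelled on failure.
 */
static int set_action_to_attr(const struct nlattr *a, struct sk_buff *skb)
{
	const struct nlattr *ovs_key = nla_data(a);
	int key_type = nla_type(ovs_key);
	struct nlattr *start;
	int err;

	switch (key_type) {
	case OVS_KEY_ATTR_TUNNEL_INFO: {
		struct ovs_tunnel_info *ovs_tun = nla_data(ovs_key);
		struct ip_tunnel_info *tun_info = &ovs_tun->tun_dst->u.tun_info;

		start = nla_nest_start(skb, OVS_ACTION_ATTR_SET);
		if (!start)
			return -EMSGSIZE;

		/* Options are passed only when options_len is non-zero. */
		err = ipv4_tun_to_nlattr(skb, &tun_info->key,
					 tun_info->options_len ?
					     ip_tunnel_info_opts(tun_info) : NULL,
					 tun_info->options_len);
		if (err) {
			nla_nest_cancel(skb, start);
			return err;
		}
		nla_nest_end(skb, start);
		break;
	}
	default:
		if (nla_put(skb, OVS_ACTION_ATTR_SET, nla_len(a), ovs_key))
			return -EMSGSIZE;
		break;
	}

	return 0;
}

/* Emit a stored OVS_ACTION_ATTR_SET_TO_MASKED action as a plain
 * OVS_ACTION_ATTR_SET.
 *
 * The stored payload is the key followed by a mask of the same length, so
 * half of the payload length is the key length and only the key half is
 * written out.
 *
 * Returns 0 on success or -EMSGSIZE when 'skb' has no room; the nest is
 * cancelled on failure.
 */
static int masked_set_action_to_set_action_attr(const struct nlattr *a,
						struct sk_buff *skb)
{
	const struct nlattr *ovs_key = nla_data(a);
	struct nlattr *nla;
	size_t key_len = nla_len(ovs_key) / 2;

	/* Revert the conversion we did from a non-masked set action to
	 * masked set action.
	 */
	nla = nla_nest_start(skb, OVS_ACTION_ATTR_SET);
	if (!nla)
		return -EMSGSIZE;

	if (nla_put(skb, nla_type(ovs_key), key_len, nla_data(ovs_key))) {
		nla_nest_cancel(skb, nla);
		return -EMSGSIZE;
	}

	nla_nest_end(skb, nla);
	return 0;
}

/* Serialize 'len' bytes of stored actions starting at 'attr' into 'skb'.
 *
 * SET, SET_TO_MASKED, SAMPLE and CT actions are converted by their
 * dedicated helpers; all other actions are copied out unchanged with
 * nla_put().
 *
 * Returns 0 on success, -EMSGSIZE when 'skb' has no room, or the error from
 * a helper.
 */
int ovs_nla_put_actions(const struct nlattr *attr, int len, struct sk_buff *skb)
{
	const struct nlattr *a;
	int rem, err;

	nla_for_each_attr(a, attr, len, rem) {
		int type = nla_type(a);

		switch (type) {
		case OVS_ACTION_ATTR_SET:
			err = set_action_to_attr(a, skb);
			if (err)
				return err;
			break;

		case OVS_ACTION_ATTR_SET_TO_MASKED:
			err = masked_set_action_to_set_action_attr(a, skb);
			if (err)
				return err;
			break;

		case OVS_ACTION_ATTR_SAMPLE:
			err = sample_action_to_attr(a, skb);
			if (err)
				return err;
			break;

		case OVS_ACTION_ATTR_CT:
			err = ovs_ct_action_to_attr(nla_data(a), skb);
			if (err)
				return err;
			break;

		default:
			if (nla_put(skb, type, nla_len(a), nla_data(a)))
				return -EMSGSIZE;
			break;
		}
	}

	return 0;
}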