1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (c) 2007-2017 Nicira, Inc. 4 */ 5 6 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 7 8 #include "flow.h" 9 #include "datapath.h" 10 #include <linux/uaccess.h> 11 #include <linux/netdevice.h> 12 #include <linux/etherdevice.h> 13 #include <linux/if_ether.h> 14 #include <linux/if_vlan.h> 15 #include <net/llc_pdu.h> 16 #include <linux/kernel.h> 17 #include <linux/jhash.h> 18 #include <linux/jiffies.h> 19 #include <linux/llc.h> 20 #include <linux/module.h> 21 #include <linux/in.h> 22 #include <linux/rcupdate.h> 23 #include <linux/if_arp.h> 24 #include <linux/ip.h> 25 #include <linux/ipv6.h> 26 #include <linux/sctp.h> 27 #include <linux/tcp.h> 28 #include <linux/udp.h> 29 #include <linux/icmp.h> 30 #include <linux/icmpv6.h> 31 #include <linux/rculist.h> 32 #include <net/geneve.h> 33 #include <net/ip.h> 34 #include <net/ipv6.h> 35 #include <net/ndisc.h> 36 #include <net/mpls.h> 37 #include <net/vxlan.h> 38 #include <net/tun_proto.h> 39 #include <net/erspan.h> 40 41 #include "flow_netlink.h" 42 43 struct ovs_len_tbl { 44 int len; 45 const struct ovs_len_tbl *next; 46 }; 47 48 #define OVS_ATTR_NESTED -1 49 #define OVS_ATTR_VARIABLE -2 50 51 static bool actions_may_change_flow(const struct nlattr *actions) 52 { 53 struct nlattr *nla; 54 int rem; 55 56 nla_for_each_nested(nla, actions, rem) { 57 u16 action = nla_type(nla); 58 59 switch (action) { 60 case OVS_ACTION_ATTR_OUTPUT: 61 case OVS_ACTION_ATTR_RECIRC: 62 case OVS_ACTION_ATTR_TRUNC: 63 case OVS_ACTION_ATTR_USERSPACE: 64 break; 65 66 case OVS_ACTION_ATTR_CT: 67 case OVS_ACTION_ATTR_CT_CLEAR: 68 case OVS_ACTION_ATTR_HASH: 69 case OVS_ACTION_ATTR_POP_ETH: 70 case OVS_ACTION_ATTR_POP_MPLS: 71 case OVS_ACTION_ATTR_POP_NSH: 72 case OVS_ACTION_ATTR_POP_VLAN: 73 case OVS_ACTION_ATTR_PUSH_ETH: 74 case OVS_ACTION_ATTR_PUSH_MPLS: 75 case OVS_ACTION_ATTR_PUSH_NSH: 76 case OVS_ACTION_ATTR_PUSH_VLAN: 77 case OVS_ACTION_ATTR_SAMPLE: 78 case OVS_ACTION_ATTR_SET: 79 case OVS_ACTION_ATTR_SET_MASKED: 80 case OVS_ACTION_ATTR_METER: 81 case OVS_ACTION_ATTR_CHECK_PKT_LEN: 82 case OVS_ACTION_ATTR_ADD_MPLS: 83 case OVS_ACTION_ATTR_DEC_TTL: 84 default: 85 return true; 86 } 87 } 88 return false; 89 } 90 91 static void update_range(struct sw_flow_match *match, 92 size_t offset, size_t size, bool is_mask) 93 { 94 struct sw_flow_key_range *range; 95 size_t start = rounddown(offset, sizeof(long)); 96 size_t end = roundup(offset + size, sizeof(long)); 97 98 if (!is_mask) 99 range = &match->range; 100 else 101 range = &match->mask->range; 102 103 if (range->start == range->end) { 104 range->start = start; 105 range->end = end; 106 return; 107 } 108 109 if (range->start > start) 110 range->start = start; 111 112 if (range->end < end) 113 range->end = end; 114 } 115 116 #define SW_FLOW_KEY_PUT(match, field, value, is_mask) \ 117 do { \ 118 update_range(match, offsetof(struct sw_flow_key, field), \ 119 sizeof((match)->key->field), is_mask); \ 120 if (is_mask) \ 121 (match)->mask->key.field = value; \ 122 else \ 123 (match)->key->field = value; \ 124 } while (0) 125 126 #define SW_FLOW_KEY_MEMCPY_OFFSET(match, offset, value_p, len, is_mask) \ 127 do { \ 128 update_range(match, offset, len, is_mask); \ 129 if (is_mask) \ 130 memcpy((u8 *)&(match)->mask->key + offset, value_p, \ 131 len); \ 132 else \ 133 memcpy((u8 *)(match)->key + offset, value_p, len); \ 134 } while (0) 135 136 #define SW_FLOW_KEY_MEMCPY(match, field, value_p, len, is_mask) \ 137 SW_FLOW_KEY_MEMCPY_OFFSET(match, offsetof(struct sw_flow_key, field), \ 138 value_p, len, is_mask) 139 140 #define SW_FLOW_KEY_MEMSET_FIELD(match, field, value, is_mask) \ 141 do { \ 142 update_range(match, offsetof(struct sw_flow_key, field), \ 143 sizeof((match)->key->field), is_mask); \ 144 if (is_mask) \ 145 memset((u8 *)&(match)->mask->key.field, value, \ 146 sizeof((match)->mask->key.field)); \ 147 else \ 148 memset((u8 *)&(match)->key->field, value, \ 149 sizeof((match)->key->field)); \ 150 } while (0) 151 152 static bool match_validate(const struct sw_flow_match *match, 153 u64 key_attrs, u64 mask_attrs, bool log) 154 { 155 u64 key_expected = 0; 156 u64 mask_allowed = key_attrs; /* At most allow all key attributes */ 157 158 /* The following mask attributes allowed only if they 159 * pass the validation tests. */ 160 mask_allowed &= ~((1 << OVS_KEY_ATTR_IPV4) 161 | (1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4) 162 | (1 << OVS_KEY_ATTR_IPV6) 163 | (1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6) 164 | (1 << OVS_KEY_ATTR_TCP) 165 | (1 << OVS_KEY_ATTR_TCP_FLAGS) 166 | (1 << OVS_KEY_ATTR_UDP) 167 | (1 << OVS_KEY_ATTR_SCTP) 168 | (1 << OVS_KEY_ATTR_ICMP) 169 | (1 << OVS_KEY_ATTR_ICMPV6) 170 | (1 << OVS_KEY_ATTR_ARP) 171 | (1 << OVS_KEY_ATTR_ND) 172 | (1 << OVS_KEY_ATTR_MPLS) 173 | (1 << OVS_KEY_ATTR_NSH)); 174 175 /* Always allowed mask fields. */ 176 mask_allowed |= ((1 << OVS_KEY_ATTR_TUNNEL) 177 | (1 << OVS_KEY_ATTR_IN_PORT) 178 | (1 << OVS_KEY_ATTR_ETHERTYPE)); 179 180 /* Check key attributes. */ 181 if (match->key->eth.type == htons(ETH_P_ARP) 182 || match->key->eth.type == htons(ETH_P_RARP)) { 183 key_expected |= 1 << OVS_KEY_ATTR_ARP; 184 if (match->mask && (match->mask->key.eth.type == htons(0xffff))) 185 mask_allowed |= 1 << OVS_KEY_ATTR_ARP; 186 } 187 188 if (eth_p_mpls(match->key->eth.type)) { 189 key_expected |= 1 << OVS_KEY_ATTR_MPLS; 190 if (match->mask && (match->mask->key.eth.type == htons(0xffff))) 191 mask_allowed |= 1 << OVS_KEY_ATTR_MPLS; 192 } 193 194 if (match->key->eth.type == htons(ETH_P_IP)) { 195 key_expected |= 1 << OVS_KEY_ATTR_IPV4; 196 if (match->mask && match->mask->key.eth.type == htons(0xffff)) { 197 mask_allowed |= 1 << OVS_KEY_ATTR_IPV4; 198 mask_allowed |= 1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4; 199 } 200 201 if (match->key->ip.frag != OVS_FRAG_TYPE_LATER) { 202 if (match->key->ip.proto == IPPROTO_UDP) { 203 key_expected |= 1 << OVS_KEY_ATTR_UDP; 204 if (match->mask && (match->mask->key.ip.proto == 0xff)) 205 mask_allowed |= 1 << OVS_KEY_ATTR_UDP; 206 } 207 208 if (match->key->ip.proto == IPPROTO_SCTP) { 209 key_expected |= 1 << OVS_KEY_ATTR_SCTP; 210 if (match->mask && (match->mask->key.ip.proto == 0xff)) 211 mask_allowed |= 1 << OVS_KEY_ATTR_SCTP; 212 } 213 214 if (match->key->ip.proto == IPPROTO_TCP) { 215 key_expected |= 1 << OVS_KEY_ATTR_TCP; 216 key_expected |= 1 << OVS_KEY_ATTR_TCP_FLAGS; 217 if (match->mask && (match->mask->key.ip.proto == 0xff)) { 218 mask_allowed |= 1 << OVS_KEY_ATTR_TCP; 219 mask_allowed |= 1 << OVS_KEY_ATTR_TCP_FLAGS; 220 } 221 } 222 223 if (match->key->ip.proto == IPPROTO_ICMP) { 224 key_expected |= 1 << OVS_KEY_ATTR_ICMP; 225 if (match->mask && (match->mask->key.ip.proto == 0xff)) 226 mask_allowed |= 1 << OVS_KEY_ATTR_ICMP; 227 } 228 } 229 } 230 231 if (match->key->eth.type == htons(ETH_P_IPV6)) { 232 key_expected |= 1 << OVS_KEY_ATTR_IPV6; 233 if (match->mask && match->mask->key.eth.type == htons(0xffff)) { 234 mask_allowed |= 1 << OVS_KEY_ATTR_IPV6; 235 mask_allowed |= 1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6; 236 } 237 238 if (match->key->ip.frag != OVS_FRAG_TYPE_LATER) { 239 if (match->key->ip.proto == IPPROTO_UDP) { 240 key_expected |= 1 << OVS_KEY_ATTR_UDP; 241 if (match->mask && (match->mask->key.ip.proto == 0xff)) 242 mask_allowed |= 1 << OVS_KEY_ATTR_UDP; 243 } 244 245 if (match->key->ip.proto == IPPROTO_SCTP) { 246 key_expected |= 1 << OVS_KEY_ATTR_SCTP; 247 if (match->mask && (match->mask->key.ip.proto == 0xff)) 248 mask_allowed |= 1 << OVS_KEY_ATTR_SCTP; 249 } 250 251 if (match->key->ip.proto == IPPROTO_TCP) { 252 key_expected |= 1 << OVS_KEY_ATTR_TCP; 253 key_expected |= 1 << OVS_KEY_ATTR_TCP_FLAGS; 254 if (match->mask && (match->mask->key.ip.proto == 0xff)) { 255 mask_allowed |= 1 << OVS_KEY_ATTR_TCP; 256 mask_allowed |= 1 << OVS_KEY_ATTR_TCP_FLAGS; 257 } 258 } 259 260 if (match->key->ip.proto == IPPROTO_ICMPV6) { 261 key_expected |= 1 << OVS_KEY_ATTR_ICMPV6; 262 if (match->mask && (match->mask->key.ip.proto == 0xff)) 263 mask_allowed |= 1 << OVS_KEY_ATTR_ICMPV6; 264 265 if (match->key->tp.src == 266 htons(NDISC_NEIGHBOUR_SOLICITATION) || 267 match->key->tp.src == htons(NDISC_NEIGHBOUR_ADVERTISEMENT)) { 268 key_expected |= 1 << OVS_KEY_ATTR_ND; 269 /* Original direction conntrack tuple 270 * uses the same space as the ND fields 271 * in the key, so both are not allowed 272 * at the same time. 273 */ 274 mask_allowed &= ~(1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6); 275 if (match->mask && (match->mask->key.tp.src == htons(0xff))) 276 mask_allowed |= 1 << OVS_KEY_ATTR_ND; 277 } 278 } 279 } 280 } 281 282 if (match->key->eth.type == htons(ETH_P_NSH)) { 283 key_expected |= 1 << OVS_KEY_ATTR_NSH; 284 if (match->mask && 285 match->mask->key.eth.type == htons(0xffff)) { 286 mask_allowed |= 1 << OVS_KEY_ATTR_NSH; 287 } 288 } 289 290 if ((key_attrs & key_expected) != key_expected) { 291 /* Key attributes check failed. */ 292 OVS_NLERR(log, "Missing key (keys=%llx, expected=%llx)", 293 (unsigned long long)key_attrs, 294 (unsigned long long)key_expected); 295 return false; 296 } 297 298 if ((mask_attrs & mask_allowed) != mask_attrs) { 299 /* Mask attributes check failed. */ 300 OVS_NLERR(log, "Unexpected mask (mask=%llx, allowed=%llx)", 301 (unsigned long long)mask_attrs, 302 (unsigned long long)mask_allowed); 303 return false; 304 } 305 306 return true; 307 } 308 309 size_t ovs_tun_key_attr_size(void) 310 { 311 /* Whenever adding new OVS_TUNNEL_KEY_ FIELDS, we should consider 312 * updating this function. 313 */ 314 return nla_total_size_64bit(8) /* OVS_TUNNEL_KEY_ATTR_ID */ 315 + nla_total_size(16) /* OVS_TUNNEL_KEY_ATTR_IPV[46]_SRC */ 316 + nla_total_size(16) /* OVS_TUNNEL_KEY_ATTR_IPV[46]_DST */ 317 + nla_total_size(1) /* OVS_TUNNEL_KEY_ATTR_TOS */ 318 + nla_total_size(1) /* OVS_TUNNEL_KEY_ATTR_TTL */ 319 + nla_total_size(0) /* OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT */ 320 + nla_total_size(0) /* OVS_TUNNEL_KEY_ATTR_CSUM */ 321 + nla_total_size(0) /* OVS_TUNNEL_KEY_ATTR_OAM */ 322 + nla_total_size(256) /* OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS */ 323 /* OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS and 324 * OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS is mutually exclusive with 325 * OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS and covered by it. 326 */ 327 + nla_total_size(2) /* OVS_TUNNEL_KEY_ATTR_TP_SRC */ 328 + nla_total_size(2); /* OVS_TUNNEL_KEY_ATTR_TP_DST */ 329 } 330 331 static size_t ovs_nsh_key_attr_size(void) 332 { 333 /* Whenever adding new OVS_NSH_KEY_ FIELDS, we should consider 334 * updating this function. 335 */ 336 return nla_total_size(NSH_BASE_HDR_LEN) /* OVS_NSH_KEY_ATTR_BASE */ 337 /* OVS_NSH_KEY_ATTR_MD1 and OVS_NSH_KEY_ATTR_MD2 are 338 * mutually exclusive, so the bigger one can cover 339 * the small one. 340 */ 341 + nla_total_size(NSH_CTX_HDRS_MAX_LEN); 342 } 343 344 size_t ovs_key_attr_size(void) 345 { 346 /* Whenever adding new OVS_KEY_ FIELDS, we should consider 347 * updating this function. 348 */ 349 BUILD_BUG_ON(OVS_KEY_ATTR_MAX != 32); 350 351 return nla_total_size(4) /* OVS_KEY_ATTR_PRIORITY */ 352 + nla_total_size(0) /* OVS_KEY_ATTR_TUNNEL */ 353 + ovs_tun_key_attr_size() 354 + nla_total_size(4) /* OVS_KEY_ATTR_IN_PORT */ 355 + nla_total_size(4) /* OVS_KEY_ATTR_SKB_MARK */ 356 + nla_total_size(4) /* OVS_KEY_ATTR_DP_HASH */ 357 + nla_total_size(4) /* OVS_KEY_ATTR_RECIRC_ID */ 358 + nla_total_size(4) /* OVS_KEY_ATTR_CT_STATE */ 359 + nla_total_size(2) /* OVS_KEY_ATTR_CT_ZONE */ 360 + nla_total_size(4) /* OVS_KEY_ATTR_CT_MARK */ 361 + nla_total_size(16) /* OVS_KEY_ATTR_CT_LABELS */ 362 + nla_total_size(40) /* OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6 */ 363 + nla_total_size(0) /* OVS_KEY_ATTR_NSH */ 364 + ovs_nsh_key_attr_size() 365 + nla_total_size(12) /* OVS_KEY_ATTR_ETHERNET */ 366 + nla_total_size(2) /* OVS_KEY_ATTR_ETHERTYPE */ 367 + nla_total_size(4) /* OVS_KEY_ATTR_VLAN */ 368 + nla_total_size(0) /* OVS_KEY_ATTR_ENCAP */ 369 + nla_total_size(2) /* OVS_KEY_ATTR_ETHERTYPE */ 370 + nla_total_size(40) /* OVS_KEY_ATTR_IPV6 */ 371 + nla_total_size(2) /* OVS_KEY_ATTR_ICMPV6 */ 372 + nla_total_size(28) /* OVS_KEY_ATTR_ND */ 373 + nla_total_size(2); /* OVS_KEY_ATTR_IPV6_EXTHDRS */ 374 } 375 376 static const struct ovs_len_tbl ovs_vxlan_ext_key_lens[OVS_VXLAN_EXT_MAX + 1] = { 377 [OVS_VXLAN_EXT_GBP] = { .len = sizeof(u32) }, 378 }; 379 380 static const struct ovs_len_tbl ovs_tunnel_key_lens[OVS_TUNNEL_KEY_ATTR_MAX + 1] = { 381 [OVS_TUNNEL_KEY_ATTR_ID] = { .len = sizeof(u64) }, 382 [OVS_TUNNEL_KEY_ATTR_IPV4_SRC] = { .len = sizeof(u32) }, 383 [OVS_TUNNEL_KEY_ATTR_IPV4_DST] = { .len = sizeof(u32) }, 384 [OVS_TUNNEL_KEY_ATTR_TOS] = { .len = 1 }, 385 [OVS_TUNNEL_KEY_ATTR_TTL] = { .len = 1 }, 386 [OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT] = { .len = 0 }, 387 [OVS_TUNNEL_KEY_ATTR_CSUM] = { .len = 0 }, 388 [OVS_TUNNEL_KEY_ATTR_TP_SRC] = { .len = sizeof(u16) }, 389 [OVS_TUNNEL_KEY_ATTR_TP_DST] = { .len = sizeof(u16) }, 390 [OVS_TUNNEL_KEY_ATTR_OAM] = { .len = 0 }, 391 [OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS] = { .len = OVS_ATTR_VARIABLE }, 392 [OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS] = { .len = OVS_ATTR_NESTED, 393 .next = ovs_vxlan_ext_key_lens }, 394 [OVS_TUNNEL_KEY_ATTR_IPV6_SRC] = { .len = sizeof(struct in6_addr) }, 395 [OVS_TUNNEL_KEY_ATTR_IPV6_DST] = { .len = sizeof(struct in6_addr) }, 396 [OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS] = { .len = OVS_ATTR_VARIABLE }, 397 [OVS_TUNNEL_KEY_ATTR_IPV4_INFO_BRIDGE] = { .len = 0 }, 398 }; 399 400 static const struct ovs_len_tbl 401 ovs_nsh_key_attr_lens[OVS_NSH_KEY_ATTR_MAX + 1] = { 402 [OVS_NSH_KEY_ATTR_BASE] = { .len = sizeof(struct ovs_nsh_key_base) }, 403 [OVS_NSH_KEY_ATTR_MD1] = { .len = sizeof(struct ovs_nsh_key_md1) }, 404 [OVS_NSH_KEY_ATTR_MD2] = { .len = OVS_ATTR_VARIABLE }, 405 }; 406 407 /* The size of the argument for each %OVS_KEY_ATTR_* Netlink attribute. */ 408 static const struct ovs_len_tbl ovs_key_lens[OVS_KEY_ATTR_MAX + 1] = { 409 [OVS_KEY_ATTR_ENCAP] = { .len = OVS_ATTR_NESTED }, 410 [OVS_KEY_ATTR_PRIORITY] = { .len = sizeof(u32) }, 411 [OVS_KEY_ATTR_IN_PORT] = { .len = sizeof(u32) }, 412 [OVS_KEY_ATTR_SKB_MARK] = { .len = sizeof(u32) }, 413 [OVS_KEY_ATTR_ETHERNET] = { .len = sizeof(struct ovs_key_ethernet) }, 414 [OVS_KEY_ATTR_VLAN] = { .len = sizeof(__be16) }, 415 [OVS_KEY_ATTR_ETHERTYPE] = { .len = sizeof(__be16) }, 416 [OVS_KEY_ATTR_IPV4] = { .len = sizeof(struct ovs_key_ipv4) }, 417 [OVS_KEY_ATTR_IPV6] = { .len = sizeof(struct ovs_key_ipv6) }, 418 [OVS_KEY_ATTR_TCP] = { .len = sizeof(struct ovs_key_tcp) }, 419 [OVS_KEY_ATTR_TCP_FLAGS] = { .len = sizeof(__be16) }, 420 [OVS_KEY_ATTR_UDP] = { .len = sizeof(struct ovs_key_udp) }, 421 [OVS_KEY_ATTR_SCTP] = { .len = sizeof(struct ovs_key_sctp) }, 422 [OVS_KEY_ATTR_ICMP] = { .len = sizeof(struct ovs_key_icmp) }, 423 [OVS_KEY_ATTR_ICMPV6] = { .len = sizeof(struct ovs_key_icmpv6) }, 424 [OVS_KEY_ATTR_ARP] = { .len = sizeof(struct ovs_key_arp) }, 425 [OVS_KEY_ATTR_ND] = { .len = sizeof(struct ovs_key_nd) }, 426 [OVS_KEY_ATTR_RECIRC_ID] = { .len = sizeof(u32) }, 427 [OVS_KEY_ATTR_DP_HASH] = { .len = sizeof(u32) }, 428 [OVS_KEY_ATTR_TUNNEL] = { .len = OVS_ATTR_NESTED, 429 .next = ovs_tunnel_key_lens, }, 430 [OVS_KEY_ATTR_MPLS] = { .len = OVS_ATTR_VARIABLE }, 431 [OVS_KEY_ATTR_CT_STATE] = { .len = sizeof(u32) }, 432 [OVS_KEY_ATTR_CT_ZONE] = { .len = sizeof(u16) }, 433 [OVS_KEY_ATTR_CT_MARK] = { .len = sizeof(u32) }, 434 [OVS_KEY_ATTR_CT_LABELS] = { .len = sizeof(struct ovs_key_ct_labels) }, 435 [OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4] = { 436 .len = sizeof(struct ovs_key_ct_tuple_ipv4) }, 437 [OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6] = { 438 .len = sizeof(struct ovs_key_ct_tuple_ipv6) }, 439 [OVS_KEY_ATTR_NSH] = { .len = OVS_ATTR_NESTED, 440 .next = ovs_nsh_key_attr_lens, }, 441 [OVS_KEY_ATTR_IPV6_EXTHDRS] = { 442 .len = sizeof(struct ovs_key_ipv6_exthdrs) }, 443 }; 444 445 static bool check_attr_len(unsigned int attr_len, unsigned int expected_len) 446 { 447 return expected_len == attr_len || 448 expected_len == OVS_ATTR_NESTED || 449 expected_len == OVS_ATTR_VARIABLE; 450 } 451 452 static bool is_all_zero(const u8 *fp, size_t size) 453 { 454 int i; 455 456 if (!fp) 457 return false; 458 459 for (i = 0; i < size; i++) 460 if (fp[i]) 461 return false; 462 463 return true; 464 } 465 466 static int __parse_flow_nlattrs(const struct nlattr *attr, 467 const struct nlattr *a[], 468 u64 *attrsp, bool log, bool nz) 469 { 470 const struct nlattr *nla; 471 u64 attrs; 472 int rem; 473 474 attrs = *attrsp; 475 nla_for_each_nested(nla, attr, rem) { 476 u16 type = nla_type(nla); 477 int expected_len; 478 479 if (type > OVS_KEY_ATTR_MAX) { 480 OVS_NLERR(log, "Key type %d is out of range max %d", 481 type, OVS_KEY_ATTR_MAX); 482 return -EINVAL; 483 } 484 485 if (type == OVS_KEY_ATTR_PACKET_TYPE || 486 type == OVS_KEY_ATTR_ND_EXTENSIONS || 487 type == OVS_KEY_ATTR_TUNNEL_INFO) { 488 OVS_NLERR(log, "Key type %d is not supported", type); 489 return -EINVAL; 490 } 491 492 if (attrs & (1ULL << type)) { 493 OVS_NLERR(log, "Duplicate key (type %d).", type); 494 return -EINVAL; 495 } 496 497 expected_len = ovs_key_lens[type].len; 498 if (!check_attr_len(nla_len(nla), expected_len)) { 499 OVS_NLERR(log, "Key %d has unexpected len %d expected %d", 500 type, nla_len(nla), expected_len); 501 return -EINVAL; 502 } 503 504 if (!nz || !is_all_zero(nla_data(nla), nla_len(nla))) { 505 attrs |= 1ULL << type; 506 a[type] = nla; 507 } 508 } 509 if (rem) { 510 OVS_NLERR(log, "Message has %d unknown bytes.", rem); 511 return -EINVAL; 512 } 513 514 *attrsp = attrs; 515 return 0; 516 } 517 518 static int parse_flow_mask_nlattrs(const struct nlattr *attr, 519 const struct nlattr *a[], u64 *attrsp, 520 bool log) 521 { 522 return __parse_flow_nlattrs(attr, a, attrsp, log, true); 523 } 524 525 int parse_flow_nlattrs(const struct nlattr *attr, const struct nlattr *a[], 526 u64 *attrsp, bool log) 527 { 528 return __parse_flow_nlattrs(attr, a, attrsp, log, false); 529 } 530 531 static int genev_tun_opt_from_nlattr(const struct nlattr *a, 532 struct sw_flow_match *match, bool is_mask, 533 bool log) 534 { 535 unsigned long opt_key_offset; 536 537 if (nla_len(a) > sizeof(match->key->tun_opts)) { 538 OVS_NLERR(log, "Geneve option length err (len %d, max %zu).", 539 nla_len(a), sizeof(match->key->tun_opts)); 540 return -EINVAL; 541 } 542 543 if (nla_len(a) % 4 != 0) { 544 OVS_NLERR(log, "Geneve opt len %d is not a multiple of 4.", 545 nla_len(a)); 546 return -EINVAL; 547 } 548 549 /* We need to record the length of the options passed 550 * down, otherwise packets with the same format but 551 * additional options will be silently matched. 552 */ 553 if (!is_mask) { 554 SW_FLOW_KEY_PUT(match, tun_opts_len, nla_len(a), 555 false); 556 } else { 557 /* This is somewhat unusual because it looks at 558 * both the key and mask while parsing the 559 * attributes (and by extension assumes the key 560 * is parsed first). Normally, we would verify 561 * that each is the correct length and that the 562 * attributes line up in the validate function. 563 * However, that is difficult because this is 564 * variable length and we won't have the 565 * information later. 566 */ 567 if (match->key->tun_opts_len != nla_len(a)) { 568 OVS_NLERR(log, "Geneve option len %d != mask len %d", 569 match->key->tun_opts_len, nla_len(a)); 570 return -EINVAL; 571 } 572 573 SW_FLOW_KEY_PUT(match, tun_opts_len, 0xff, true); 574 } 575 576 opt_key_offset = TUN_METADATA_OFFSET(nla_len(a)); 577 SW_FLOW_KEY_MEMCPY_OFFSET(match, opt_key_offset, nla_data(a), 578 nla_len(a), is_mask); 579 return 0; 580 } 581 582 static int vxlan_tun_opt_from_nlattr(const struct nlattr *attr, 583 struct sw_flow_match *match, bool is_mask, 584 bool log) 585 { 586 struct nlattr *a; 587 int rem; 588 unsigned long opt_key_offset; 589 struct vxlan_metadata opts; 590 591 BUILD_BUG_ON(sizeof(opts) > sizeof(match->key->tun_opts)); 592 593 memset(&opts, 0, sizeof(opts)); 594 nla_for_each_nested(a, attr, rem) { 595 int type = nla_type(a); 596 597 if (type > OVS_VXLAN_EXT_MAX) { 598 OVS_NLERR(log, "VXLAN extension %d out of range max %d", 599 type, OVS_VXLAN_EXT_MAX); 600 return -EINVAL; 601 } 602 603 if (!check_attr_len(nla_len(a), 604 ovs_vxlan_ext_key_lens[type].len)) { 605 OVS_NLERR(log, "VXLAN extension %d has unexpected len %d expected %d", 606 type, nla_len(a), 607 ovs_vxlan_ext_key_lens[type].len); 608 return -EINVAL; 609 } 610 611 switch (type) { 612 case OVS_VXLAN_EXT_GBP: 613 opts.gbp = nla_get_u32(a); 614 break; 615 default: 616 OVS_NLERR(log, "Unknown VXLAN extension attribute %d", 617 type); 618 return -EINVAL; 619 } 620 } 621 if (rem) { 622 OVS_NLERR(log, "VXLAN extension message has %d unknown bytes.", 623 rem); 624 return -EINVAL; 625 } 626 627 if (!is_mask) 628 SW_FLOW_KEY_PUT(match, tun_opts_len, sizeof(opts), false); 629 else 630 SW_FLOW_KEY_PUT(match, tun_opts_len, 0xff, true); 631 632 opt_key_offset = TUN_METADATA_OFFSET(sizeof(opts)); 633 SW_FLOW_KEY_MEMCPY_OFFSET(match, opt_key_offset, &opts, sizeof(opts), 634 is_mask); 635 return 0; 636 } 637 638 static int erspan_tun_opt_from_nlattr(const struct nlattr *a, 639 struct sw_flow_match *match, bool is_mask, 640 bool log) 641 { 642 unsigned long opt_key_offset; 643 644 BUILD_BUG_ON(sizeof(struct erspan_metadata) > 645 sizeof(match->key->tun_opts)); 646 647 if (nla_len(a) > sizeof(match->key->tun_opts)) { 648 OVS_NLERR(log, "ERSPAN option length err (len %d, max %zu).", 649 nla_len(a), sizeof(match->key->tun_opts)); 650 return -EINVAL; 651 } 652 653 if (!is_mask) 654 SW_FLOW_KEY_PUT(match, tun_opts_len, 655 sizeof(struct erspan_metadata), false); 656 else 657 SW_FLOW_KEY_PUT(match, tun_opts_len, 0xff, true); 658 659 opt_key_offset = TUN_METADATA_OFFSET(nla_len(a)); 660 SW_FLOW_KEY_MEMCPY_OFFSET(match, opt_key_offset, nla_data(a), 661 nla_len(a), is_mask); 662 return 0; 663 } 664 665 static int ip_tun_from_nlattr(const struct nlattr *attr, 666 struct sw_flow_match *match, bool is_mask, 667 bool log) 668 { 669 bool ttl = false, ipv4 = false, ipv6 = false; 670 bool info_bridge_mode = false; 671 __be16 tun_flags = 0; 672 int opts_type = 0; 673 struct nlattr *a; 674 int rem; 675 676 nla_for_each_nested(a, attr, rem) { 677 int type = nla_type(a); 678 int err; 679 680 if (type > OVS_TUNNEL_KEY_ATTR_MAX) { 681 OVS_NLERR(log, "Tunnel attr %d out of range max %d", 682 type, OVS_TUNNEL_KEY_ATTR_MAX); 683 return -EINVAL; 684 } 685 686 if (!check_attr_len(nla_len(a), 687 ovs_tunnel_key_lens[type].len)) { 688 OVS_NLERR(log, "Tunnel attr %d has unexpected len %d expected %d", 689 type, nla_len(a), ovs_tunnel_key_lens[type].len); 690 return -EINVAL; 691 } 692 693 switch (type) { 694 case OVS_TUNNEL_KEY_ATTR_ID: 695 SW_FLOW_KEY_PUT(match, tun_key.tun_id, 696 nla_get_be64(a), is_mask); 697 tun_flags |= TUNNEL_KEY; 698 break; 699 case OVS_TUNNEL_KEY_ATTR_IPV4_SRC: 700 SW_FLOW_KEY_PUT(match, tun_key.u.ipv4.src, 701 nla_get_in_addr(a), is_mask); 702 ipv4 = true; 703 break; 704 case OVS_TUNNEL_KEY_ATTR_IPV4_DST: 705 SW_FLOW_KEY_PUT(match, tun_key.u.ipv4.dst, 706 nla_get_in_addr(a), is_mask); 707 ipv4 = true; 708 break; 709 case OVS_TUNNEL_KEY_ATTR_IPV6_SRC: 710 SW_FLOW_KEY_PUT(match, tun_key.u.ipv6.src, 711 nla_get_in6_addr(a), is_mask); 712 ipv6 = true; 713 break; 714 case OVS_TUNNEL_KEY_ATTR_IPV6_DST: 715 SW_FLOW_KEY_PUT(match, tun_key.u.ipv6.dst, 716 nla_get_in6_addr(a), is_mask); 717 ipv6 = true; 718 break; 719 case OVS_TUNNEL_KEY_ATTR_TOS: 720 SW_FLOW_KEY_PUT(match, tun_key.tos, 721 nla_get_u8(a), is_mask); 722 break; 723 case OVS_TUNNEL_KEY_ATTR_TTL: 724 SW_FLOW_KEY_PUT(match, tun_key.ttl, 725 nla_get_u8(a), is_mask); 726 ttl = true; 727 break; 728 case OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT: 729 tun_flags |= TUNNEL_DONT_FRAGMENT; 730 break; 731 case OVS_TUNNEL_KEY_ATTR_CSUM: 732 tun_flags |= TUNNEL_CSUM; 733 break; 734 case OVS_TUNNEL_KEY_ATTR_TP_SRC: 735 SW_FLOW_KEY_PUT(match, tun_key.tp_src, 736 nla_get_be16(a), is_mask); 737 break; 738 case OVS_TUNNEL_KEY_ATTR_TP_DST: 739 SW_FLOW_KEY_PUT(match, tun_key.tp_dst, 740 nla_get_be16(a), is_mask); 741 break; 742 case OVS_TUNNEL_KEY_ATTR_OAM: 743 tun_flags |= TUNNEL_OAM; 744 break; 745 case OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS: 746 if (opts_type) { 747 OVS_NLERR(log, "Multiple metadata blocks provided"); 748 return -EINVAL; 749 } 750 751 err = genev_tun_opt_from_nlattr(a, match, is_mask, log); 752 if (err) 753 return err; 754 755 tun_flags |= TUNNEL_GENEVE_OPT; 756 opts_type = type; 757 break; 758 case OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS: 759 if (opts_type) { 760 OVS_NLERR(log, "Multiple metadata blocks provided"); 761 return -EINVAL; 762 } 763 764 err = vxlan_tun_opt_from_nlattr(a, match, is_mask, log); 765 if (err) 766 return err; 767 768 tun_flags |= TUNNEL_VXLAN_OPT; 769 opts_type = type; 770 break; 771 case OVS_TUNNEL_KEY_ATTR_PAD: 772 break; 773 case OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS: 774 if (opts_type) { 775 OVS_NLERR(log, "Multiple metadata blocks provided"); 776 return -EINVAL; 777 } 778 779 err = erspan_tun_opt_from_nlattr(a, match, is_mask, 780 log); 781 if (err) 782 return err; 783 784 tun_flags |= TUNNEL_ERSPAN_OPT; 785 opts_type = type; 786 break; 787 case OVS_TUNNEL_KEY_ATTR_IPV4_INFO_BRIDGE: 788 info_bridge_mode = true; 789 ipv4 = true; 790 break; 791 default: 792 OVS_NLERR(log, "Unknown IP tunnel attribute %d", 793 type); 794 return -EINVAL; 795 } 796 } 797 798 SW_FLOW_KEY_PUT(match, tun_key.tun_flags, tun_flags, is_mask); 799 if (is_mask) 800 SW_FLOW_KEY_MEMSET_FIELD(match, tun_proto, 0xff, true); 801 else 802 SW_FLOW_KEY_PUT(match, tun_proto, ipv6 ? AF_INET6 : AF_INET, 803 false); 804 805 if (rem > 0) { 806 OVS_NLERR(log, "IP tunnel attribute has %d unknown bytes.", 807 rem); 808 return -EINVAL; 809 } 810 811 if (ipv4 && ipv6) { 812 OVS_NLERR(log, "Mixed IPv4 and IPv6 tunnel attributes"); 813 return -EINVAL; 814 } 815 816 if (!is_mask) { 817 if (!ipv4 && !ipv6) { 818 OVS_NLERR(log, "IP tunnel dst address not specified"); 819 return -EINVAL; 820 } 821 if (ipv4) { 822 if (info_bridge_mode) { 823 if (match->key->tun_key.u.ipv4.src || 824 match->key->tun_key.u.ipv4.dst || 825 match->key->tun_key.tp_src || 826 match->key->tun_key.tp_dst || 827 match->key->tun_key.ttl || 828 match->key->tun_key.tos || 829 tun_flags & ~TUNNEL_KEY) { 830 OVS_NLERR(log, "IPv4 tun info is not correct"); 831 return -EINVAL; 832 } 833 } else if (!match->key->tun_key.u.ipv4.dst) { 834 OVS_NLERR(log, "IPv4 tunnel dst address is zero"); 835 return -EINVAL; 836 } 837 } 838 if (ipv6 && ipv6_addr_any(&match->key->tun_key.u.ipv6.dst)) { 839 OVS_NLERR(log, "IPv6 tunnel dst address is zero"); 840 return -EINVAL; 841 } 842 843 if (!ttl && !info_bridge_mode) { 844 OVS_NLERR(log, "IP tunnel TTL not specified."); 845 return -EINVAL; 846 } 847 } 848 849 return opts_type; 850 } 851 852 static int vxlan_opt_to_nlattr(struct sk_buff *skb, 853 const void *tun_opts, int swkey_tun_opts_len) 854 { 855 const struct vxlan_metadata *opts = tun_opts; 856 struct nlattr *nla; 857 858 nla = nla_nest_start_noflag(skb, OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS); 859 if (!nla) 860 return -EMSGSIZE; 861 862 if (nla_put_u32(skb, OVS_VXLAN_EXT_GBP, opts->gbp) < 0) 863 return -EMSGSIZE; 864 865 nla_nest_end(skb, nla); 866 return 0; 867 } 868 869 static int __ip_tun_to_nlattr(struct sk_buff *skb, 870 const struct ip_tunnel_key *output, 871 const void *tun_opts, int swkey_tun_opts_len, 872 unsigned short tun_proto, u8 mode) 873 { 874 if (output->tun_flags & TUNNEL_KEY && 875 nla_put_be64(skb, OVS_TUNNEL_KEY_ATTR_ID, output->tun_id, 876 OVS_TUNNEL_KEY_ATTR_PAD)) 877 return -EMSGSIZE; 878 879 if (mode & IP_TUNNEL_INFO_BRIDGE) 880 return nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_IPV4_INFO_BRIDGE) 881 ? -EMSGSIZE : 0; 882 883 switch (tun_proto) { 884 case AF_INET: 885 if (output->u.ipv4.src && 886 nla_put_in_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV4_SRC, 887 output->u.ipv4.src)) 888 return -EMSGSIZE; 889 if (output->u.ipv4.dst && 890 nla_put_in_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV4_DST, 891 output->u.ipv4.dst)) 892 return -EMSGSIZE; 893 break; 894 case AF_INET6: 895 if (!ipv6_addr_any(&output->u.ipv6.src) && 896 nla_put_in6_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV6_SRC, 897 &output->u.ipv6.src)) 898 return -EMSGSIZE; 899 if (!ipv6_addr_any(&output->u.ipv6.dst) && 900 nla_put_in6_addr(skb, OVS_TUNNEL_KEY_ATTR_IPV6_DST, 901 &output->u.ipv6.dst)) 902 return -EMSGSIZE; 903 break; 904 } 905 if (output->tos && 906 nla_put_u8(skb, OVS_TUNNEL_KEY_ATTR_TOS, output->tos)) 907 return -EMSGSIZE; 908 if (nla_put_u8(skb, OVS_TUNNEL_KEY_ATTR_TTL, output->ttl)) 909 return -EMSGSIZE; 910 if ((output->tun_flags & TUNNEL_DONT_FRAGMENT) && 911 nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT)) 912 return -EMSGSIZE; 913 if ((output->tun_flags & TUNNEL_CSUM) && 914 nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_CSUM)) 915 return -EMSGSIZE; 916 if (output->tp_src && 917 nla_put_be16(skb, OVS_TUNNEL_KEY_ATTR_TP_SRC, output->tp_src)) 918 return -EMSGSIZE; 919 if (output->tp_dst && 920 nla_put_be16(skb, OVS_TUNNEL_KEY_ATTR_TP_DST, output->tp_dst)) 921 return -EMSGSIZE; 922 if ((output->tun_flags & TUNNEL_OAM) && 923 nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_OAM)) 924 return -EMSGSIZE; 925 if (swkey_tun_opts_len) { 926 if (output->tun_flags & TUNNEL_GENEVE_OPT && 927 nla_put(skb, OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS, 928 swkey_tun_opts_len, tun_opts)) 929 return -EMSGSIZE; 930 else if (output->tun_flags & TUNNEL_VXLAN_OPT && 931 vxlan_opt_to_nlattr(skb, tun_opts, swkey_tun_opts_len)) 932 return -EMSGSIZE; 933 else if (output->tun_flags & TUNNEL_ERSPAN_OPT && 934 nla_put(skb, OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS, 935 swkey_tun_opts_len, tun_opts)) 936 return -EMSGSIZE; 937 } 938 939 return 0; 940 } 941 942 static int ip_tun_to_nlattr(struct sk_buff *skb, 943 const struct ip_tunnel_key *output, 944 const void *tun_opts, int swkey_tun_opts_len, 945 unsigned short tun_proto, u8 mode) 946 { 947 struct nlattr *nla; 948 int err; 949 950 nla = nla_nest_start_noflag(skb, OVS_KEY_ATTR_TUNNEL); 951 if (!nla) 952 return -EMSGSIZE; 953 954 err = __ip_tun_to_nlattr(skb, output, tun_opts, swkey_tun_opts_len, 955 tun_proto, mode); 956 if (err) 957 return err; 958 959 nla_nest_end(skb, nla); 960 return 0; 961 } 962 963 int ovs_nla_put_tunnel_info(struct sk_buff *skb, 964 struct ip_tunnel_info *tun_info) 965 { 966 return __ip_tun_to_nlattr(skb, &tun_info->key, 967 ip_tunnel_info_opts(tun_info), 968 tun_info->options_len, 969 ip_tunnel_info_af(tun_info), tun_info->mode); 970 } 971 972 static int encode_vlan_from_nlattrs(struct sw_flow_match *match, 973 const struct nlattr *a[], 974 bool is_mask, bool inner) 975 { 976 __be16 tci = 0; 977 __be16 tpid = 0; 978 979 if (a[OVS_KEY_ATTR_VLAN]) 980 tci = nla_get_be16(a[OVS_KEY_ATTR_VLAN]); 981 982 if (a[OVS_KEY_ATTR_ETHERTYPE]) 983 tpid = nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE]); 984 985 if (likely(!inner)) { 986 SW_FLOW_KEY_PUT(match, eth.vlan.tpid, tpid, is_mask); 987 SW_FLOW_KEY_PUT(match, eth.vlan.tci, tci, is_mask); 988 } else { 989 SW_FLOW_KEY_PUT(match, eth.cvlan.tpid, tpid, is_mask); 990 SW_FLOW_KEY_PUT(match, eth.cvlan.tci, tci, is_mask); 991 } 992 return 0; 993 } 994 995 static int validate_vlan_from_nlattrs(const struct sw_flow_match *match, 996 u64 key_attrs, bool inner, 997 const struct nlattr **a, bool log) 998 { 999 __be16 tci = 0; 1000 1001 if (!((key_attrs & (1 << OVS_KEY_ATTR_ETHERNET)) && 1002 (key_attrs & (1 << OVS_KEY_ATTR_ETHERTYPE)) && 1003 eth_type_vlan(nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE])))) { 1004 /* Not a VLAN. */ 1005 return 0; 1006 } 1007 1008 if (!((key_attrs & (1 << OVS_KEY_ATTR_VLAN)) && 1009 (key_attrs & (1 << OVS_KEY_ATTR_ENCAP)))) { 1010 OVS_NLERR(log, "Invalid %s frame", (inner) ? "C-VLAN" : "VLAN"); 1011 return -EINVAL; 1012 } 1013 1014 if (a[OVS_KEY_ATTR_VLAN]) 1015 tci = nla_get_be16(a[OVS_KEY_ATTR_VLAN]); 1016 1017 if (!(tci & htons(VLAN_CFI_MASK))) { 1018 if (tci) { 1019 OVS_NLERR(log, "%s TCI does not have VLAN_CFI_MASK bit set.", 1020 (inner) ? "C-VLAN" : "VLAN"); 1021 return -EINVAL; 1022 } else if (nla_len(a[OVS_KEY_ATTR_ENCAP])) { 1023 /* Corner case for truncated VLAN header. */ 1024 OVS_NLERR(log, "Truncated %s header has non-zero encap attribute.", 1025 (inner) ? "C-VLAN" : "VLAN"); 1026 return -EINVAL; 1027 } 1028 } 1029 1030 return 1; 1031 } 1032 1033 static int validate_vlan_mask_from_nlattrs(const struct sw_flow_match *match, 1034 u64 key_attrs, bool inner, 1035 const struct nlattr **a, bool log) 1036 { 1037 __be16 tci = 0; 1038 __be16 tpid = 0; 1039 bool encap_valid = !!(match->key->eth.vlan.tci & 1040 htons(VLAN_CFI_MASK)); 1041 bool i_encap_valid = !!(match->key->eth.cvlan.tci & 1042 htons(VLAN_CFI_MASK)); 1043 1044 if (!(key_attrs & (1 << OVS_KEY_ATTR_ENCAP))) { 1045 /* Not a VLAN. */ 1046 return 0; 1047 } 1048 1049 if ((!inner && !encap_valid) || (inner && !i_encap_valid)) { 1050 OVS_NLERR(log, "Encap mask attribute is set for non-%s frame.", 1051 (inner) ? "C-VLAN" : "VLAN"); 1052 return -EINVAL; 1053 } 1054 1055 if (a[OVS_KEY_ATTR_VLAN]) 1056 tci = nla_get_be16(a[OVS_KEY_ATTR_VLAN]); 1057 1058 if (a[OVS_KEY_ATTR_ETHERTYPE]) 1059 tpid = nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE]); 1060 1061 if (tpid != htons(0xffff)) { 1062 OVS_NLERR(log, "Must have an exact match on %s TPID (mask=%x).", 1063 (inner) ? "C-VLAN" : "VLAN", ntohs(tpid)); 1064 return -EINVAL; 1065 } 1066 if (!(tci & htons(VLAN_CFI_MASK))) { 1067 OVS_NLERR(log, "%s TCI mask does not have exact match for VLAN_CFI_MASK bit.", 1068 (inner) ? "C-VLAN" : "VLAN"); 1069 return -EINVAL; 1070 } 1071 1072 return 1; 1073 } 1074 1075 static int __parse_vlan_from_nlattrs(struct sw_flow_match *match, 1076 u64 *key_attrs, bool inner, 1077 const struct nlattr **a, bool is_mask, 1078 bool log) 1079 { 1080 int err; 1081 const struct nlattr *encap; 1082 1083 if (!is_mask) 1084 err = validate_vlan_from_nlattrs(match, *key_attrs, inner, 1085 a, log); 1086 else 1087 err = validate_vlan_mask_from_nlattrs(match, *key_attrs, inner, 1088 a, log); 1089 if (err <= 0) 1090 return err; 1091 1092 err = encode_vlan_from_nlattrs(match, a, is_mask, inner); 1093 if (err) 1094 return err; 1095 1096 *key_attrs &= ~(1 << OVS_KEY_ATTR_ENCAP); 1097 *key_attrs &= ~(1 << OVS_KEY_ATTR_VLAN); 1098 *key_attrs &= ~(1 << OVS_KEY_ATTR_ETHERTYPE); 1099 1100 encap = a[OVS_KEY_ATTR_ENCAP]; 1101 1102 if (!is_mask) 1103 err = parse_flow_nlattrs(encap, a, key_attrs, log); 1104 else 1105 err = parse_flow_mask_nlattrs(encap, a, key_attrs, log); 1106 1107 return err; 1108 } 1109 1110 static int parse_vlan_from_nlattrs(struct sw_flow_match *match, 1111 u64 *key_attrs, const struct nlattr **a, 1112 bool is_mask, bool log) 1113 { 1114 int err; 1115 bool encap_valid = false; 1116 1117 err = __parse_vlan_from_nlattrs(match, key_attrs, false, a, 1118 is_mask, log); 1119 if (err) 1120 return err; 1121 1122 encap_valid = !!(match->key->eth.vlan.tci & htons(VLAN_CFI_MASK)); 1123 if (encap_valid) { 1124 err = __parse_vlan_from_nlattrs(match, key_attrs, true, a, 1125 is_mask, log); 1126 if (err) 1127 return err; 1128 } 1129 1130 return 0; 1131 } 1132 1133 static int parse_eth_type_from_nlattrs(struct sw_flow_match *match, 1134 u64 *attrs, const struct nlattr **a, 1135 bool is_mask, bool log) 1136 { 1137 __be16 eth_type; 1138 1139 eth_type = nla_get_be16(a[OVS_KEY_ATTR_ETHERTYPE]); 1140 if (is_mask) { 1141 /* Always exact match EtherType. */ 1142 eth_type = htons(0xffff); 1143 } else if (!eth_proto_is_802_3(eth_type)) { 1144 OVS_NLERR(log, "EtherType %x is less than min %x", 1145 ntohs(eth_type), ETH_P_802_3_MIN); 1146 return -EINVAL; 1147 } 1148 1149 SW_FLOW_KEY_PUT(match, eth.type, eth_type, is_mask); 1150 *attrs &= ~(1 << OVS_KEY_ATTR_ETHERTYPE); 1151 return 0; 1152 } 1153 1154 static int metadata_from_nlattrs(struct net *net, struct sw_flow_match *match, 1155 u64 *attrs, const struct nlattr **a, 1156 bool is_mask, bool log) 1157 { 1158 u8 mac_proto = MAC_PROTO_ETHERNET; 1159 1160 if (*attrs & (1 << OVS_KEY_ATTR_DP_HASH)) { 1161 u32 hash_val = nla_get_u32(a[OVS_KEY_ATTR_DP_HASH]); 1162 1163 SW_FLOW_KEY_PUT(match, ovs_flow_hash, hash_val, is_mask); 1164 *attrs &= ~(1 << OVS_KEY_ATTR_DP_HASH); 1165 } 1166 1167 if (*attrs & (1 << OVS_KEY_ATTR_RECIRC_ID)) { 1168 u32 recirc_id = nla_get_u32(a[OVS_KEY_ATTR_RECIRC_ID]); 1169 1170 SW_FLOW_KEY_PUT(match, recirc_id, recirc_id, is_mask); 1171 *attrs &= ~(1 << OVS_KEY_ATTR_RECIRC_ID); 1172 } 1173 1174 if (*attrs & (1 << OVS_KEY_ATTR_PRIORITY)) { 1175 SW_FLOW_KEY_PUT(match, phy.priority, 1176 nla_get_u32(a[OVS_KEY_ATTR_PRIORITY]), is_mask); 1177 *attrs &= ~(1 << OVS_KEY_ATTR_PRIORITY); 1178 } 1179 1180 if (*attrs & (1 << OVS_KEY_ATTR_IN_PORT)) { 1181 u32 in_port = nla_get_u32(a[OVS_KEY_ATTR_IN_PORT]); 1182 1183 if (is_mask) { 1184 in_port = 0xffffffff; /* Always exact match in_port. */ 1185 } else if (in_port >= DP_MAX_PORTS) { 1186 OVS_NLERR(log, "Port %d exceeds max allowable %d", 1187 in_port, DP_MAX_PORTS); 1188 return -EINVAL; 1189 } 1190 1191 SW_FLOW_KEY_PUT(match, phy.in_port, in_port, is_mask); 1192 *attrs &= ~(1 << OVS_KEY_ATTR_IN_PORT); 1193 } else if (!is_mask) { 1194 SW_FLOW_KEY_PUT(match, phy.in_port, DP_MAX_PORTS, is_mask); 1195 } 1196 1197 if (*attrs & (1 << OVS_KEY_ATTR_SKB_MARK)) { 1198 uint32_t mark = nla_get_u32(a[OVS_KEY_ATTR_SKB_MARK]); 1199 1200 SW_FLOW_KEY_PUT(match, phy.skb_mark, mark, is_mask); 1201 *attrs &= ~(1 << OVS_KEY_ATTR_SKB_MARK); 1202 } 1203 if (*attrs & (1 << OVS_KEY_ATTR_TUNNEL)) { 1204 if (ip_tun_from_nlattr(a[OVS_KEY_ATTR_TUNNEL], match, 1205 is_mask, log) < 0) 1206 return -EINVAL; 1207 *attrs &= ~(1 << OVS_KEY_ATTR_TUNNEL); 1208 } 1209 1210 if (*attrs & (1 << OVS_KEY_ATTR_CT_STATE) && 1211 ovs_ct_verify(net, OVS_KEY_ATTR_CT_STATE)) { 1212 u32 ct_state = nla_get_u32(a[OVS_KEY_ATTR_CT_STATE]); 1213 1214 if (ct_state & ~CT_SUPPORTED_MASK) { 1215 OVS_NLERR(log, "ct_state flags %08x unsupported", 1216 ct_state); 1217 return -EINVAL; 1218 } 1219 1220 SW_FLOW_KEY_PUT(match, ct_state, ct_state, is_mask); 1221 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_STATE); 1222 } 1223 if (*attrs & (1 << OVS_KEY_ATTR_CT_ZONE) && 1224 ovs_ct_verify(net, OVS_KEY_ATTR_CT_ZONE)) { 1225 u16 ct_zone = nla_get_u16(a[OVS_KEY_ATTR_CT_ZONE]); 1226 1227 SW_FLOW_KEY_PUT(match, ct_zone, ct_zone, is_mask); 1228 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_ZONE); 1229 } 1230 if (*attrs & (1 << OVS_KEY_ATTR_CT_MARK) && 1231 ovs_ct_verify(net, OVS_KEY_ATTR_CT_MARK)) { 1232 u32 mark = nla_get_u32(a[OVS_KEY_ATTR_CT_MARK]); 1233 1234 SW_FLOW_KEY_PUT(match, ct.mark, mark, is_mask); 1235 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_MARK); 1236 } 1237 if (*attrs & (1 << OVS_KEY_ATTR_CT_LABELS) && 1238 ovs_ct_verify(net, OVS_KEY_ATTR_CT_LABELS)) { 1239 const struct ovs_key_ct_labels *cl; 1240 1241 cl = nla_data(a[OVS_KEY_ATTR_CT_LABELS]); 1242 SW_FLOW_KEY_MEMCPY(match, ct.labels, cl->ct_labels, 1243 sizeof(*cl), is_mask); 1244 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_LABELS); 1245 } 1246 if (*attrs & (1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4)) { 1247 const struct ovs_key_ct_tuple_ipv4 *ct; 1248 1249 ct = nla_data(a[OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4]); 1250 1251 SW_FLOW_KEY_PUT(match, ipv4.ct_orig.src, ct->ipv4_src, is_mask); 1252 SW_FLOW_KEY_PUT(match, ipv4.ct_orig.dst, ct->ipv4_dst, is_mask); 1253 SW_FLOW_KEY_PUT(match, ct.orig_tp.src, ct->src_port, is_mask); 1254 SW_FLOW_KEY_PUT(match, ct.orig_tp.dst, ct->dst_port, is_mask); 1255 SW_FLOW_KEY_PUT(match, ct_orig_proto, ct->ipv4_proto, is_mask); 1256 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4); 1257 } 1258 if (*attrs & (1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6)) { 1259 const struct ovs_key_ct_tuple_ipv6 *ct; 1260 1261 ct = nla_data(a[OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6]); 1262 1263 SW_FLOW_KEY_MEMCPY(match, ipv6.ct_orig.src, &ct->ipv6_src, 1264 sizeof(match->key->ipv6.ct_orig.src), 1265 is_mask); 1266 SW_FLOW_KEY_MEMCPY(match, ipv6.ct_orig.dst, &ct->ipv6_dst, 1267 sizeof(match->key->ipv6.ct_orig.dst), 1268 is_mask); 1269 SW_FLOW_KEY_PUT(match, ct.orig_tp.src, ct->src_port, is_mask); 1270 SW_FLOW_KEY_PUT(match, ct.orig_tp.dst, ct->dst_port, is_mask); 1271 SW_FLOW_KEY_PUT(match, ct_orig_proto, ct->ipv6_proto, is_mask); 1272 *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6); 1273 } 1274 1275 /* For layer 3 packets the Ethernet type is provided 1276 * and treated as metadata but no MAC addresses are provided. 1277 */ 1278 if (!(*attrs & (1ULL << OVS_KEY_ATTR_ETHERNET)) && 1279 (*attrs & (1ULL << OVS_KEY_ATTR_ETHERTYPE))) 1280 mac_proto = MAC_PROTO_NONE; 1281 1282 /* Always exact match mac_proto */ 1283 SW_FLOW_KEY_PUT(match, mac_proto, is_mask ? 0xff : mac_proto, is_mask); 1284 1285 if (mac_proto == MAC_PROTO_NONE) 1286 return parse_eth_type_from_nlattrs(match, attrs, a, is_mask, 1287 log); 1288 1289 return 0; 1290 } 1291 1292 int nsh_hdr_from_nlattr(const struct nlattr *attr, 1293 struct nshhdr *nh, size_t size) 1294 { 1295 struct nlattr *a; 1296 int rem; 1297 u8 flags = 0; 1298 u8 ttl = 0; 1299 int mdlen = 0; 1300 1301 /* validate_nsh has check this, so we needn't do duplicate check here 1302 */ 1303 if (size < NSH_BASE_HDR_LEN) 1304 return -ENOBUFS; 1305 1306 nla_for_each_nested(a, attr, rem) { 1307 int type = nla_type(a); 1308 1309 switch (type) { 1310 case OVS_NSH_KEY_ATTR_BASE: { 1311 const struct ovs_nsh_key_base *base = nla_data(a); 1312 1313 flags = base->flags; 1314 ttl = base->ttl; 1315 nh->np = base->np; 1316 nh->mdtype = base->mdtype; 1317 nh->path_hdr = base->path_hdr; 1318 break; 1319 } 1320 case OVS_NSH_KEY_ATTR_MD1: 1321 mdlen = nla_len(a); 1322 if (mdlen > size - NSH_BASE_HDR_LEN) 1323 return -ENOBUFS; 1324 memcpy(&nh->md1, nla_data(a), mdlen); 1325 break; 1326 1327 case OVS_NSH_KEY_ATTR_MD2: 1328 mdlen = nla_len(a); 1329 if (mdlen > size - NSH_BASE_HDR_LEN) 1330 return -ENOBUFS; 1331 memcpy(&nh->md2, nla_data(a), mdlen); 1332 break; 1333 1334 default: 1335 return -EINVAL; 1336 } 1337 } 1338 1339 /* nsh header length = NSH_BASE_HDR_LEN + mdlen */ 1340 nh->ver_flags_ttl_len = 0; 1341 nsh_set_flags_ttl_len(nh, flags, ttl, NSH_BASE_HDR_LEN + mdlen); 1342 1343 return 0; 1344 } 1345 1346 int nsh_key_from_nlattr(const struct nlattr *attr, 1347 struct ovs_key_nsh *nsh, struct ovs_key_nsh *nsh_mask) 1348 { 1349 struct nlattr *a; 1350 int rem; 1351 1352 /* validate_nsh has check this, so we needn't do duplicate check here 1353 */ 1354 nla_for_each_nested(a, attr, rem) { 1355 int type = nla_type(a); 1356 1357 switch (type) { 1358 case OVS_NSH_KEY_ATTR_BASE: { 1359 const struct ovs_nsh_key_base *base = nla_data(a); 1360 const struct ovs_nsh_key_base *base_mask = base + 1; 1361 1362 nsh->base = *base; 1363 nsh_mask->base = *base_mask; 1364 break; 1365 } 1366 case OVS_NSH_KEY_ATTR_MD1: { 1367 const struct ovs_nsh_key_md1 *md1 = nla_data(a); 1368 const struct ovs_nsh_key_md1 *md1_mask = md1 + 1; 1369 1370 memcpy(nsh->context, md1->context, sizeof(*md1)); 1371 memcpy(nsh_mask->context, md1_mask->context, 1372 sizeof(*md1_mask)); 1373 break; 1374 } 1375 case OVS_NSH_KEY_ATTR_MD2: 1376 /* Not supported yet */ 1377 return -ENOTSUPP; 1378 default: 1379 return -EINVAL; 1380 } 1381 } 1382 1383 return 0; 1384 } 1385 1386 static int nsh_key_put_from_nlattr(const struct nlattr *attr, 1387 struct sw_flow_match *match, bool is_mask, 1388 bool is_push_nsh, bool log) 1389 { 1390 struct nlattr *a; 1391 int rem; 1392 bool has_base = false; 1393 bool has_md1 = false; 1394 bool has_md2 = false; 1395 u8 mdtype = 0; 1396 int mdlen = 0; 1397 1398 if (WARN_ON(is_push_nsh && is_mask)) 1399 return -EINVAL; 1400 1401 nla_for_each_nested(a, attr, rem) { 1402 int type = nla_type(a); 1403 int i; 1404 1405 if (type > OVS_NSH_KEY_ATTR_MAX) { 1406 OVS_NLERR(log, "nsh attr %d is out of range max %d", 1407 type, OVS_NSH_KEY_ATTR_MAX); 1408 return -EINVAL; 1409 } 1410 1411 if (!check_attr_len(nla_len(a), 1412 ovs_nsh_key_attr_lens[type].len)) { 1413 OVS_NLERR( 1414 log, 1415 "nsh attr %d has unexpected len %d expected %d", 1416 type, 1417 nla_len(a), 1418 ovs_nsh_key_attr_lens[type].len 1419 ); 1420 return -EINVAL; 1421 } 1422 1423 switch (type) { 1424 case OVS_NSH_KEY_ATTR_BASE: { 1425 const struct ovs_nsh_key_base *base = nla_data(a); 1426 1427 has_base = true; 1428 mdtype = base->mdtype; 1429 SW_FLOW_KEY_PUT(match, nsh.base.flags, 1430 base->flags, is_mask); 1431 SW_FLOW_KEY_PUT(match, nsh.base.ttl, 1432 base->ttl, is_mask); 1433 SW_FLOW_KEY_PUT(match, nsh.base.mdtype, 1434 base->mdtype, is_mask); 1435 SW_FLOW_KEY_PUT(match, nsh.base.np, 1436 base->np, is_mask); 1437 SW_FLOW_KEY_PUT(match, nsh.base.path_hdr, 1438 base->path_hdr, is_mask); 1439 break; 1440 } 1441 case OVS_NSH_KEY_ATTR_MD1: { 1442 const struct ovs_nsh_key_md1 *md1 = nla_data(a); 1443 1444 has_md1 = true; 1445 for (i = 0; i < NSH_MD1_CONTEXT_SIZE; i++) 1446 SW_FLOW_KEY_PUT(match, nsh.context[i], 1447 md1->context[i], is_mask); 1448 break; 1449 } 1450 case OVS_NSH_KEY_ATTR_MD2: 1451 if (!is_push_nsh) /* Not supported MD type 2 yet */ 1452 return -ENOTSUPP; 1453 1454 has_md2 = true; 1455 mdlen = nla_len(a); 1456 if (mdlen > NSH_CTX_HDRS_MAX_LEN || mdlen <= 0) { 1457 OVS_NLERR( 1458 log, 1459 "Invalid MD length %d for MD type %d", 1460 mdlen, 1461 mdtype 1462 ); 1463 return -EINVAL; 1464 } 1465 break; 1466 default: 1467 OVS_NLERR(log, "Unknown nsh attribute %d", 1468 type); 1469 return -EINVAL; 1470 } 1471 } 1472 1473 if (rem > 0) { 1474 OVS_NLERR(log, "nsh attribute has %d unknown bytes.", rem); 1475 return -EINVAL; 1476 } 1477 1478 if (has_md1 && has_md2) { 1479 OVS_NLERR( 1480 1, 1481 "invalid nsh attribute: md1 and md2 are exclusive." 1482 ); 1483 return -EINVAL; 1484 } 1485 1486 if (!is_mask) { 1487 if ((has_md1 && mdtype != NSH_M_TYPE1) || 1488 (has_md2 && mdtype != NSH_M_TYPE2)) { 1489 OVS_NLERR(1, "nsh attribute has unmatched MD type %d.", 1490 mdtype); 1491 return -EINVAL; 1492 } 1493 1494 if (is_push_nsh && 1495 (!has_base || (!has_md1 && !has_md2))) { 1496 OVS_NLERR( 1497 1, 1498 "push_nsh: missing base or metadata attributes" 1499 ); 1500 return -EINVAL; 1501 } 1502 } 1503 1504 return 0; 1505 } 1506 1507 static int ovs_key_from_nlattrs(struct net *net, struct sw_flow_match *match, 1508 u64 attrs, const struct nlattr **a, 1509 bool is_mask, bool log) 1510 { 1511 int err; 1512 1513 err = metadata_from_nlattrs(net, match, &attrs, a, is_mask, log); 1514 if (err) 1515 return err; 1516 1517 if (attrs & (1 << OVS_KEY_ATTR_ETHERNET)) { 1518 const struct ovs_key_ethernet *eth_key; 1519 1520 eth_key = nla_data(a[OVS_KEY_ATTR_ETHERNET]); 1521 SW_FLOW_KEY_MEMCPY(match, eth.src, 1522 eth_key->eth_src, ETH_ALEN, is_mask); 1523 SW_FLOW_KEY_MEMCPY(match, eth.dst, 1524 eth_key->eth_dst, ETH_ALEN, is_mask); 1525 attrs &= ~(1 << OVS_KEY_ATTR_ETHERNET); 1526 1527 if (attrs & (1 << OVS_KEY_ATTR_VLAN)) { 1528 /* VLAN attribute is always parsed before getting here since it 1529 * may occur multiple times. 1530 */ 1531 OVS_NLERR(log, "VLAN attribute unexpected."); 1532 return -EINVAL; 1533 } 1534 1535 if (attrs & (1 << OVS_KEY_ATTR_ETHERTYPE)) { 1536 err = parse_eth_type_from_nlattrs(match, &attrs, a, is_mask, 1537 log); 1538 if (err) 1539 return err; 1540 } else if (!is_mask) { 1541 SW_FLOW_KEY_PUT(match, eth.type, htons(ETH_P_802_2), is_mask); 1542 } 1543 } else if (!match->key->eth.type) { 1544 OVS_NLERR(log, "Either Ethernet header or EtherType is required."); 1545 return -EINVAL; 1546 } 1547 1548 if (attrs & (1 << OVS_KEY_ATTR_IPV4)) { 1549 const struct ovs_key_ipv4 *ipv4_key; 1550 1551 ipv4_key = nla_data(a[OVS_KEY_ATTR_IPV4]); 1552 if (!is_mask && ipv4_key->ipv4_frag > OVS_FRAG_TYPE_MAX) { 1553 OVS_NLERR(log, "IPv4 frag type %d is out of range max %d", 1554 ipv4_key->ipv4_frag, OVS_FRAG_TYPE_MAX); 1555 return -EINVAL; 1556 } 1557 SW_FLOW_KEY_PUT(match, ip.proto, 1558 ipv4_key->ipv4_proto, is_mask); 1559 SW_FLOW_KEY_PUT(match, ip.tos, 1560 ipv4_key->ipv4_tos, is_mask); 1561 SW_FLOW_KEY_PUT(match, ip.ttl, 1562 ipv4_key->ipv4_ttl, is_mask); 1563 SW_FLOW_KEY_PUT(match, ip.frag, 1564 ipv4_key->ipv4_frag, is_mask); 1565 SW_FLOW_KEY_PUT(match, ipv4.addr.src, 1566 ipv4_key->ipv4_src, is_mask); 1567 SW_FLOW_KEY_PUT(match, ipv4.addr.dst, 1568 ipv4_key->ipv4_dst, is_mask); 1569 attrs &= ~(1 << OVS_KEY_ATTR_IPV4); 1570 } 1571 1572 if (attrs & (1 << OVS_KEY_ATTR_IPV6)) { 1573 const struct ovs_key_ipv6 *ipv6_key; 1574 1575 ipv6_key = nla_data(a[OVS_KEY_ATTR_IPV6]); 1576 if (!is_mask && ipv6_key->ipv6_frag > OVS_FRAG_TYPE_MAX) { 1577 OVS_NLERR(log, "IPv6 frag type %d is out of range max %d", 1578 ipv6_key->ipv6_frag, OVS_FRAG_TYPE_MAX); 1579 return -EINVAL; 1580 } 1581 1582 if (!is_mask && ipv6_key->ipv6_label & htonl(0xFFF00000)) { 1583 OVS_NLERR(log, "IPv6 flow label %x is out of range (max=%x)", 1584 ntohl(ipv6_key->ipv6_label), (1 << 20) - 1); 1585 return -EINVAL; 1586 } 1587 1588 SW_FLOW_KEY_PUT(match, ipv6.label, 1589 ipv6_key->ipv6_label, is_mask); 1590 SW_FLOW_KEY_PUT(match, ip.proto, 1591 ipv6_key->ipv6_proto, is_mask); 1592 SW_FLOW_KEY_PUT(match, ip.tos, 1593 ipv6_key->ipv6_tclass, is_mask); 1594 SW_FLOW_KEY_PUT(match, ip.ttl, 1595 ipv6_key->ipv6_hlimit, is_mask); 1596 SW_FLOW_KEY_PUT(match, ip.frag, 1597 ipv6_key->ipv6_frag, is_mask); 1598 SW_FLOW_KEY_MEMCPY(match, ipv6.addr.src, 1599 ipv6_key->ipv6_src, 1600 sizeof(match->key->ipv6.addr.src), 1601 is_mask); 1602 SW_FLOW_KEY_MEMCPY(match, ipv6.addr.dst, 1603 ipv6_key->ipv6_dst, 1604 sizeof(match->key->ipv6.addr.dst), 1605 is_mask); 1606 1607 attrs &= ~(1 << OVS_KEY_ATTR_IPV6); 1608 } 1609 1610 if (attrs & (1ULL << OVS_KEY_ATTR_IPV6_EXTHDRS)) { 1611 const struct ovs_key_ipv6_exthdrs *ipv6_exthdrs_key; 1612 1613 ipv6_exthdrs_key = nla_data(a[OVS_KEY_ATTR_IPV6_EXTHDRS]); 1614 1615 SW_FLOW_KEY_PUT(match, ipv6.exthdrs, 1616 ipv6_exthdrs_key->hdrs, is_mask); 1617 1618 attrs &= ~(1ULL << OVS_KEY_ATTR_IPV6_EXTHDRS); 1619 } 1620 1621 if (attrs & (1 << OVS_KEY_ATTR_ARP)) { 1622 const struct ovs_key_arp *arp_key; 1623 1624 arp_key = nla_data(a[OVS_KEY_ATTR_ARP]); 1625 if (!is_mask && (arp_key->arp_op & htons(0xff00))) { 1626 OVS_NLERR(log, "Unknown ARP opcode (opcode=%d).", 1627 arp_key->arp_op); 1628 return -EINVAL; 1629 } 1630 1631 SW_FLOW_KEY_PUT(match, ipv4.addr.src, 1632 arp_key->arp_sip, is_mask); 1633 SW_FLOW_KEY_PUT(match, ipv4.addr.dst, 1634 arp_key->arp_tip, is_mask); 1635 SW_FLOW_KEY_PUT(match, ip.proto, 1636 ntohs(arp_key->arp_op), is_mask); 1637 SW_FLOW_KEY_MEMCPY(match, ipv4.arp.sha, 1638 arp_key->arp_sha, ETH_ALEN, is_mask); 1639 SW_FLOW_KEY_MEMCPY(match, ipv4.arp.tha, 1640 arp_key->arp_tha, ETH_ALEN, is_mask); 1641 1642 attrs &= ~(1 << OVS_KEY_ATTR_ARP); 1643 } 1644 1645 if (attrs & (1 << OVS_KEY_ATTR_NSH)) { 1646 if (nsh_key_put_from_nlattr(a[OVS_KEY_ATTR_NSH], match, 1647 is_mask, false, log) < 0) 1648 return -EINVAL; 1649 attrs &= ~(1 << OVS_KEY_ATTR_NSH); 1650 } 1651 1652 if (attrs & (1 << OVS_KEY_ATTR_MPLS)) { 1653 const struct ovs_key_mpls *mpls_key; 1654 u32 hdr_len; 1655 u32 label_count, label_count_mask, i; 1656 1657 mpls_key = nla_data(a[OVS_KEY_ATTR_MPLS]); 1658 hdr_len = nla_len(a[OVS_KEY_ATTR_MPLS]); 1659 label_count = hdr_len / sizeof(struct ovs_key_mpls); 1660 1661 if (label_count == 0 || label_count > MPLS_LABEL_DEPTH || 1662 hdr_len % sizeof(struct ovs_key_mpls)) 1663 return -EINVAL; 1664 1665 label_count_mask = GENMASK(label_count - 1, 0); 1666 1667 for (i = 0 ; i < label_count; i++) 1668 SW_FLOW_KEY_PUT(match, mpls.lse[i], 1669 mpls_key[i].mpls_lse, is_mask); 1670 1671 SW_FLOW_KEY_PUT(match, mpls.num_labels_mask, 1672 label_count_mask, is_mask); 1673 1674 attrs &= ~(1 << OVS_KEY_ATTR_MPLS); 1675 } 1676 1677 if (attrs & (1 << OVS_KEY_ATTR_TCP)) { 1678 const struct ovs_key_tcp *tcp_key; 1679 1680 tcp_key = nla_data(a[OVS_KEY_ATTR_TCP]); 1681 SW_FLOW_KEY_PUT(match, tp.src, tcp_key->tcp_src, is_mask); 1682 SW_FLOW_KEY_PUT(match, tp.dst, tcp_key->tcp_dst, is_mask); 1683 attrs &= ~(1 << OVS_KEY_ATTR_TCP); 1684 } 1685 1686 if (attrs & (1 << OVS_KEY_ATTR_TCP_FLAGS)) { 1687 SW_FLOW_KEY_PUT(match, tp.flags, 1688 nla_get_be16(a[OVS_KEY_ATTR_TCP_FLAGS]), 1689 is_mask); 1690 attrs &= ~(1 << OVS_KEY_ATTR_TCP_FLAGS); 1691 } 1692 1693 if (attrs & (1 << OVS_KEY_ATTR_UDP)) { 1694 const struct ovs_key_udp *udp_key; 1695 1696 udp_key = nla_data(a[OVS_KEY_ATTR_UDP]); 1697 SW_FLOW_KEY_PUT(match, tp.src, udp_key->udp_src, is_mask); 1698 SW_FLOW_KEY_PUT(match, tp.dst, udp_key->udp_dst, is_mask); 1699 attrs &= ~(1 << OVS_KEY_ATTR_UDP); 1700 } 1701 1702 if (attrs & (1 << OVS_KEY_ATTR_SCTP)) { 1703 const struct ovs_key_sctp *sctp_key; 1704 1705 sctp_key = nla_data(a[OVS_KEY_ATTR_SCTP]); 1706 SW_FLOW_KEY_PUT(match, tp.src, sctp_key->sctp_src, is_mask); 1707 SW_FLOW_KEY_PUT(match, tp.dst, sctp_key->sctp_dst, is_mask); 1708 attrs &= ~(1 << OVS_KEY_ATTR_SCTP); 1709 } 1710 1711 if (attrs & (1 << OVS_KEY_ATTR_ICMP)) { 1712 const struct ovs_key_icmp *icmp_key; 1713 1714 icmp_key = nla_data(a[OVS_KEY_ATTR_ICMP]); 1715 SW_FLOW_KEY_PUT(match, tp.src, 1716 htons(icmp_key->icmp_type), is_mask); 1717 SW_FLOW_KEY_PUT(match, tp.dst, 1718 htons(icmp_key->icmp_code), is_mask); 1719 attrs &= ~(1 << OVS_KEY_ATTR_ICMP); 1720 } 1721 1722 if (attrs & (1 << OVS_KEY_ATTR_ICMPV6)) { 1723 const struct ovs_key_icmpv6 *icmpv6_key; 1724 1725 icmpv6_key = nla_data(a[OVS_KEY_ATTR_ICMPV6]); 1726 SW_FLOW_KEY_PUT(match, tp.src, 1727 htons(icmpv6_key->icmpv6_type), is_mask); 1728 SW_FLOW_KEY_PUT(match, tp.dst, 1729 htons(icmpv6_key->icmpv6_code), is_mask); 1730 attrs &= ~(1 << OVS_KEY_ATTR_ICMPV6); 1731 } 1732 1733 if (attrs & (1 << OVS_KEY_ATTR_ND)) { 1734 const struct ovs_key_nd *nd_key; 1735 1736 nd_key = nla_data(a[OVS_KEY_ATTR_ND]); 1737 SW_FLOW_KEY_MEMCPY(match, ipv6.nd.target, 1738 nd_key->nd_target, 1739 sizeof(match->key->ipv6.nd.target), 1740 is_mask); 1741 SW_FLOW_KEY_MEMCPY(match, ipv6.nd.sll, 1742 nd_key->nd_sll, ETH_ALEN, is_mask); 1743 SW_FLOW_KEY_MEMCPY(match, ipv6.nd.tll, 1744 nd_key->nd_tll, ETH_ALEN, is_mask); 1745 attrs &= ~(1 << OVS_KEY_ATTR_ND); 1746 } 1747 1748 if (attrs != 0) { 1749 OVS_NLERR(log, "Unknown key attributes %llx", 1750 (unsigned long long)attrs); 1751 return -EINVAL; 1752 } 1753 1754 return 0; 1755 } 1756 1757 static void nlattr_set(struct nlattr *attr, u8 val, 1758 const struct ovs_len_tbl *tbl) 1759 { 1760 struct nlattr *nla; 1761 int rem; 1762 1763 /* The nlattr stream should already have been validated */ 1764 nla_for_each_nested(nla, attr, rem) { 1765 if (tbl[nla_type(nla)].len == OVS_ATTR_NESTED) 1766 nlattr_set(nla, val, tbl[nla_type(nla)].next ? : tbl); 1767 else 1768 memset(nla_data(nla), val, nla_len(nla)); 1769 1770 if (nla_type(nla) == OVS_KEY_ATTR_CT_STATE) 1771 *(u32 *)nla_data(nla) &= CT_SUPPORTED_MASK; 1772 } 1773 } 1774 1775 static void mask_set_nlattr(struct nlattr *attr, u8 val) 1776 { 1777 nlattr_set(attr, val, ovs_key_lens); 1778 } 1779 1780 /** 1781 * ovs_nla_get_match - parses Netlink attributes into a flow key and 1782 * mask. In case the 'mask' is NULL, the flow is treated as exact match 1783 * flow. Otherwise, it is treated as a wildcarded flow, except the mask 1784 * does not include any don't care bit. 1785 * @net: Used to determine per-namespace field support. 1786 * @match: receives the extracted flow match information. 1787 * @nla_key: Netlink attribute holding nested %OVS_KEY_ATTR_* Netlink attribute 1788 * sequence. The fields should of the packet that triggered the creation 1789 * of this flow. 1790 * @nla_mask: Optional. Netlink attribute holding nested %OVS_KEY_ATTR_* 1791 * Netlink attribute specifies the mask field of the wildcarded flow. 1792 * @log: Boolean to allow kernel error logging. Normally true, but when 1793 * probing for feature compatibility this should be passed in as false to 1794 * suppress unnecessary error logging. 1795 */ 1796 int ovs_nla_get_match(struct net *net, struct sw_flow_match *match, 1797 const struct nlattr *nla_key, 1798 const struct nlattr *nla_mask, 1799 bool log) 1800 { 1801 const struct nlattr *a[OVS_KEY_ATTR_MAX + 1]; 1802 struct nlattr *newmask = NULL; 1803 u64 key_attrs = 0; 1804 u64 mask_attrs = 0; 1805 int err; 1806 1807 err = parse_flow_nlattrs(nla_key, a, &key_attrs, log); 1808 if (err) 1809 return err; 1810 1811 err = parse_vlan_from_nlattrs(match, &key_attrs, a, false, log); 1812 if (err) 1813 return err; 1814 1815 err = ovs_key_from_nlattrs(net, match, key_attrs, a, false, log); 1816 if (err) 1817 return err; 1818 1819 if (match->mask) { 1820 if (!nla_mask) { 1821 /* Create an exact match mask. We need to set to 0xff 1822 * all the 'match->mask' fields that have been touched 1823 * in 'match->key'. We cannot simply memset 1824 * 'match->mask', because padding bytes and fields not 1825 * specified in 'match->key' should be left to 0. 1826 * Instead, we use a stream of netlink attributes, 1827 * copied from 'key' and set to 0xff. 1828 * ovs_key_from_nlattrs() will take care of filling 1829 * 'match->mask' appropriately. 1830 */ 1831 newmask = kmemdup(nla_key, 1832 nla_total_size(nla_len(nla_key)), 1833 GFP_KERNEL); 1834 if (!newmask) 1835 return -ENOMEM; 1836 1837 mask_set_nlattr(newmask, 0xff); 1838 1839 /* The userspace does not send tunnel attributes that 1840 * are 0, but we should not wildcard them nonetheless. 1841 */ 1842 if (match->key->tun_proto) 1843 SW_FLOW_KEY_MEMSET_FIELD(match, tun_key, 1844 0xff, true); 1845 1846 nla_mask = newmask; 1847 } 1848 1849 err = parse_flow_mask_nlattrs(nla_mask, a, &mask_attrs, log); 1850 if (err) 1851 goto free_newmask; 1852 1853 /* Always match on tci. */ 1854 SW_FLOW_KEY_PUT(match, eth.vlan.tci, htons(0xffff), true); 1855 SW_FLOW_KEY_PUT(match, eth.cvlan.tci, htons(0xffff), true); 1856 1857 err = parse_vlan_from_nlattrs(match, &mask_attrs, a, true, log); 1858 if (err) 1859 goto free_newmask; 1860 1861 err = ovs_key_from_nlattrs(net, match, mask_attrs, a, true, 1862 log); 1863 if (err) 1864 goto free_newmask; 1865 } 1866 1867 if (!match_validate(match, key_attrs, mask_attrs, log)) 1868 err = -EINVAL; 1869 1870 free_newmask: 1871 kfree(newmask); 1872 return err; 1873 } 1874 1875 static size_t get_ufid_len(const struct nlattr *attr, bool log) 1876 { 1877 size_t len; 1878 1879 if (!attr) 1880 return 0; 1881 1882 len = nla_len(attr); 1883 if (len < 1 || len > MAX_UFID_LENGTH) { 1884 OVS_NLERR(log, "ufid size %u bytes exceeds the range (1, %d)", 1885 nla_len(attr), MAX_UFID_LENGTH); 1886 return 0; 1887 } 1888 1889 return len; 1890 } 1891 1892 /* Initializes 'flow->ufid', returning true if 'attr' contains a valid UFID, 1893 * or false otherwise. 1894 */ 1895 bool ovs_nla_get_ufid(struct sw_flow_id *sfid, const struct nlattr *attr, 1896 bool log) 1897 { 1898 sfid->ufid_len = get_ufid_len(attr, log); 1899 if (sfid->ufid_len) 1900 memcpy(sfid->ufid, nla_data(attr), sfid->ufid_len); 1901 1902 return sfid->ufid_len; 1903 } 1904 1905 int ovs_nla_get_identifier(struct sw_flow_id *sfid, const struct nlattr *ufid, 1906 const struct sw_flow_key *key, bool log) 1907 { 1908 struct sw_flow_key *new_key; 1909 1910 if (ovs_nla_get_ufid(sfid, ufid, log)) 1911 return 0; 1912 1913 /* If UFID was not provided, use unmasked key. */ 1914 new_key = kmalloc(sizeof(*new_key), GFP_KERNEL); 1915 if (!new_key) 1916 return -ENOMEM; 1917 memcpy(new_key, key, sizeof(*key)); 1918 sfid->unmasked_key = new_key; 1919 1920 return 0; 1921 } 1922 1923 u32 ovs_nla_get_ufid_flags(const struct nlattr *attr) 1924 { 1925 return attr ? nla_get_u32(attr) : 0; 1926 } 1927 1928 /** 1929 * ovs_nla_get_flow_metadata - parses Netlink attributes into a flow key. 1930 * @net: Network namespace. 1931 * @key: Receives extracted in_port, priority, tun_key, skb_mark and conntrack 1932 * metadata. 1933 * @a: Array of netlink attributes holding parsed %OVS_KEY_ATTR_* Netlink 1934 * attributes. 1935 * @attrs: Bit mask for the netlink attributes included in @a. 1936 * @log: Boolean to allow kernel error logging. Normally true, but when 1937 * probing for feature compatibility this should be passed in as false to 1938 * suppress unnecessary error logging. 1939 * 1940 * This parses a series of Netlink attributes that form a flow key, which must 1941 * take the same form accepted by flow_from_nlattrs(), but only enough of it to 1942 * get the metadata, that is, the parts of the flow key that cannot be 1943 * extracted from the packet itself. 1944 * 1945 * This must be called before the packet key fields are filled in 'key'. 1946 */ 1947 1948 int ovs_nla_get_flow_metadata(struct net *net, 1949 const struct nlattr *a[OVS_KEY_ATTR_MAX + 1], 1950 u64 attrs, struct sw_flow_key *key, bool log) 1951 { 1952 struct sw_flow_match match; 1953 1954 memset(&match, 0, sizeof(match)); 1955 match.key = key; 1956 1957 key->ct_state = 0; 1958 key->ct_zone = 0; 1959 key->ct_orig_proto = 0; 1960 memset(&key->ct, 0, sizeof(key->ct)); 1961 memset(&key->ipv4.ct_orig, 0, sizeof(key->ipv4.ct_orig)); 1962 memset(&key->ipv6.ct_orig, 0, sizeof(key->ipv6.ct_orig)); 1963 1964 key->phy.in_port = DP_MAX_PORTS; 1965 1966 return metadata_from_nlattrs(net, &match, &attrs, a, false, log); 1967 } 1968 1969 static int ovs_nla_put_vlan(struct sk_buff *skb, const struct vlan_head *vh, 1970 bool is_mask) 1971 { 1972 __be16 eth_type = !is_mask ? vh->tpid : htons(0xffff); 1973 1974 if (nla_put_be16(skb, OVS_KEY_ATTR_ETHERTYPE, eth_type) || 1975 nla_put_be16(skb, OVS_KEY_ATTR_VLAN, vh->tci)) 1976 return -EMSGSIZE; 1977 return 0; 1978 } 1979 1980 static int nsh_key_to_nlattr(const struct ovs_key_nsh *nsh, bool is_mask, 1981 struct sk_buff *skb) 1982 { 1983 struct nlattr *start; 1984 1985 start = nla_nest_start_noflag(skb, OVS_KEY_ATTR_NSH); 1986 if (!start) 1987 return -EMSGSIZE; 1988 1989 if (nla_put(skb, OVS_NSH_KEY_ATTR_BASE, sizeof(nsh->base), &nsh->base)) 1990 goto nla_put_failure; 1991 1992 if (is_mask || nsh->base.mdtype == NSH_M_TYPE1) { 1993 if (nla_put(skb, OVS_NSH_KEY_ATTR_MD1, 1994 sizeof(nsh->context), nsh->context)) 1995 goto nla_put_failure; 1996 } 1997 1998 /* Don't support MD type 2 yet */ 1999 2000 nla_nest_end(skb, start); 2001 2002 return 0; 2003 2004 nla_put_failure: 2005 return -EMSGSIZE; 2006 } 2007 2008 static int __ovs_nla_put_key(const struct sw_flow_key *swkey, 2009 const struct sw_flow_key *output, bool is_mask, 2010 struct sk_buff *skb) 2011 { 2012 struct ovs_key_ethernet *eth_key; 2013 struct nlattr *nla; 2014 struct nlattr *encap = NULL; 2015 struct nlattr *in_encap = NULL; 2016 2017 if (nla_put_u32(skb, OVS_KEY_ATTR_RECIRC_ID, output->recirc_id)) 2018 goto nla_put_failure; 2019 2020 if (nla_put_u32(skb, OVS_KEY_ATTR_DP_HASH, output->ovs_flow_hash)) 2021 goto nla_put_failure; 2022 2023 if (nla_put_u32(skb, OVS_KEY_ATTR_PRIORITY, output->phy.priority)) 2024 goto nla_put_failure; 2025 2026 if ((swkey->tun_proto || is_mask)) { 2027 const void *opts = NULL; 2028 2029 if (output->tun_key.tun_flags & TUNNEL_OPTIONS_PRESENT) 2030 opts = TUN_METADATA_OPTS(output, swkey->tun_opts_len); 2031 2032 if (ip_tun_to_nlattr(skb, &output->tun_key, opts, 2033 swkey->tun_opts_len, swkey->tun_proto, 0)) 2034 goto nla_put_failure; 2035 } 2036 2037 if (swkey->phy.in_port == DP_MAX_PORTS) { 2038 if (is_mask && (output->phy.in_port == 0xffff)) 2039 if (nla_put_u32(skb, OVS_KEY_ATTR_IN_PORT, 0xffffffff)) 2040 goto nla_put_failure; 2041 } else { 2042 u16 upper_u16; 2043 upper_u16 = !is_mask ? 0 : 0xffff; 2044 2045 if (nla_put_u32(skb, OVS_KEY_ATTR_IN_PORT, 2046 (upper_u16 << 16) | output->phy.in_port)) 2047 goto nla_put_failure; 2048 } 2049 2050 if (nla_put_u32(skb, OVS_KEY_ATTR_SKB_MARK, output->phy.skb_mark)) 2051 goto nla_put_failure; 2052 2053 if (ovs_ct_put_key(swkey, output, skb)) 2054 goto nla_put_failure; 2055 2056 if (ovs_key_mac_proto(swkey) == MAC_PROTO_ETHERNET) { 2057 nla = nla_reserve(skb, OVS_KEY_ATTR_ETHERNET, sizeof(*eth_key)); 2058 if (!nla) 2059 goto nla_put_failure; 2060 2061 eth_key = nla_data(nla); 2062 ether_addr_copy(eth_key->eth_src, output->eth.src); 2063 ether_addr_copy(eth_key->eth_dst, output->eth.dst); 2064 2065 if (swkey->eth.vlan.tci || eth_type_vlan(swkey->eth.type)) { 2066 if (ovs_nla_put_vlan(skb, &output->eth.vlan, is_mask)) 2067 goto nla_put_failure; 2068 encap = nla_nest_start_noflag(skb, OVS_KEY_ATTR_ENCAP); 2069 if (!swkey->eth.vlan.tci) 2070 goto unencap; 2071 2072 if (swkey->eth.cvlan.tci || eth_type_vlan(swkey->eth.type)) { 2073 if (ovs_nla_put_vlan(skb, &output->eth.cvlan, is_mask)) 2074 goto nla_put_failure; 2075 in_encap = nla_nest_start_noflag(skb, 2076 OVS_KEY_ATTR_ENCAP); 2077 if (!swkey->eth.cvlan.tci) 2078 goto unencap; 2079 } 2080 } 2081 2082 if (swkey->eth.type == htons(ETH_P_802_2)) { 2083 /* 2084 * Ethertype 802.2 is represented in the netlink with omitted 2085 * OVS_KEY_ATTR_ETHERTYPE in the flow key attribute, and 2086 * 0xffff in the mask attribute. Ethertype can also 2087 * be wildcarded. 2088 */ 2089 if (is_mask && output->eth.type) 2090 if (nla_put_be16(skb, OVS_KEY_ATTR_ETHERTYPE, 2091 output->eth.type)) 2092 goto nla_put_failure; 2093 goto unencap; 2094 } 2095 } 2096 2097 if (nla_put_be16(skb, OVS_KEY_ATTR_ETHERTYPE, output->eth.type)) 2098 goto nla_put_failure; 2099 2100 if (eth_type_vlan(swkey->eth.type)) { 2101 /* There are 3 VLAN tags, we don't know anything about the rest 2102 * of the packet, so truncate here. 2103 */ 2104 WARN_ON_ONCE(!(encap && in_encap)); 2105 goto unencap; 2106 } 2107 2108 if (swkey->eth.type == htons(ETH_P_IP)) { 2109 struct ovs_key_ipv4 *ipv4_key; 2110 2111 nla = nla_reserve(skb, OVS_KEY_ATTR_IPV4, sizeof(*ipv4_key)); 2112 if (!nla) 2113 goto nla_put_failure; 2114 ipv4_key = nla_data(nla); 2115 ipv4_key->ipv4_src = output->ipv4.addr.src; 2116 ipv4_key->ipv4_dst = output->ipv4.addr.dst; 2117 ipv4_key->ipv4_proto = output->ip.proto; 2118 ipv4_key->ipv4_tos = output->ip.tos; 2119 ipv4_key->ipv4_ttl = output->ip.ttl; 2120 ipv4_key->ipv4_frag = output->ip.frag; 2121 } else if (swkey->eth.type == htons(ETH_P_IPV6)) { 2122 struct ovs_key_ipv6 *ipv6_key; 2123 struct ovs_key_ipv6_exthdrs *ipv6_exthdrs_key; 2124 2125 nla = nla_reserve(skb, OVS_KEY_ATTR_IPV6, sizeof(*ipv6_key)); 2126 if (!nla) 2127 goto nla_put_failure; 2128 ipv6_key = nla_data(nla); 2129 memcpy(ipv6_key->ipv6_src, &output->ipv6.addr.src, 2130 sizeof(ipv6_key->ipv6_src)); 2131 memcpy(ipv6_key->ipv6_dst, &output->ipv6.addr.dst, 2132 sizeof(ipv6_key->ipv6_dst)); 2133 ipv6_key->ipv6_label = output->ipv6.label; 2134 ipv6_key->ipv6_proto = output->ip.proto; 2135 ipv6_key->ipv6_tclass = output->ip.tos; 2136 ipv6_key->ipv6_hlimit = output->ip.ttl; 2137 ipv6_key->ipv6_frag = output->ip.frag; 2138 2139 nla = nla_reserve(skb, OVS_KEY_ATTR_IPV6_EXTHDRS, 2140 sizeof(*ipv6_exthdrs_key)); 2141 if (!nla) 2142 goto nla_put_failure; 2143 ipv6_exthdrs_key = nla_data(nla); 2144 ipv6_exthdrs_key->hdrs = output->ipv6.exthdrs; 2145 } else if (swkey->eth.type == htons(ETH_P_NSH)) { 2146 if (nsh_key_to_nlattr(&output->nsh, is_mask, skb)) 2147 goto nla_put_failure; 2148 } else if (swkey->eth.type == htons(ETH_P_ARP) || 2149 swkey->eth.type == htons(ETH_P_RARP)) { 2150 struct ovs_key_arp *arp_key; 2151 2152 nla = nla_reserve(skb, OVS_KEY_ATTR_ARP, sizeof(*arp_key)); 2153 if (!nla) 2154 goto nla_put_failure; 2155 arp_key = nla_data(nla); 2156 memset(arp_key, 0, sizeof(struct ovs_key_arp)); 2157 arp_key->arp_sip = output->ipv4.addr.src; 2158 arp_key->arp_tip = output->ipv4.addr.dst; 2159 arp_key->arp_op = htons(output->ip.proto); 2160 ether_addr_copy(arp_key->arp_sha, output->ipv4.arp.sha); 2161 ether_addr_copy(arp_key->arp_tha, output->ipv4.arp.tha); 2162 } else if (eth_p_mpls(swkey->eth.type)) { 2163 u8 i, num_labels; 2164 struct ovs_key_mpls *mpls_key; 2165 2166 num_labels = hweight_long(output->mpls.num_labels_mask); 2167 nla = nla_reserve(skb, OVS_KEY_ATTR_MPLS, 2168 num_labels * sizeof(*mpls_key)); 2169 if (!nla) 2170 goto nla_put_failure; 2171 2172 mpls_key = nla_data(nla); 2173 for (i = 0; i < num_labels; i++) 2174 mpls_key[i].mpls_lse = output->mpls.lse[i]; 2175 } 2176 2177 if ((swkey->eth.type == htons(ETH_P_IP) || 2178 swkey->eth.type == htons(ETH_P_IPV6)) && 2179 swkey->ip.frag != OVS_FRAG_TYPE_LATER) { 2180 2181 if (swkey->ip.proto == IPPROTO_TCP) { 2182 struct ovs_key_tcp *tcp_key; 2183 2184 nla = nla_reserve(skb, OVS_KEY_ATTR_TCP, sizeof(*tcp_key)); 2185 if (!nla) 2186 goto nla_put_failure; 2187 tcp_key = nla_data(nla); 2188 tcp_key->tcp_src = output->tp.src; 2189 tcp_key->tcp_dst = output->tp.dst; 2190 if (nla_put_be16(skb, OVS_KEY_ATTR_TCP_FLAGS, 2191 output->tp.flags)) 2192 goto nla_put_failure; 2193 } else if (swkey->ip.proto == IPPROTO_UDP) { 2194 struct ovs_key_udp *udp_key; 2195 2196 nla = nla_reserve(skb, OVS_KEY_ATTR_UDP, sizeof(*udp_key)); 2197 if (!nla) 2198 goto nla_put_failure; 2199 udp_key = nla_data(nla); 2200 udp_key->udp_src = output->tp.src; 2201 udp_key->udp_dst = output->tp.dst; 2202 } else if (swkey->ip.proto == IPPROTO_SCTP) { 2203 struct ovs_key_sctp *sctp_key; 2204 2205 nla = nla_reserve(skb, OVS_KEY_ATTR_SCTP, sizeof(*sctp_key)); 2206 if (!nla) 2207 goto nla_put_failure; 2208 sctp_key = nla_data(nla); 2209 sctp_key->sctp_src = output->tp.src; 2210 sctp_key->sctp_dst = output->tp.dst; 2211 } else if (swkey->eth.type == htons(ETH_P_IP) && 2212 swkey->ip.proto == IPPROTO_ICMP) { 2213 struct ovs_key_icmp *icmp_key; 2214 2215 nla = nla_reserve(skb, OVS_KEY_ATTR_ICMP, sizeof(*icmp_key)); 2216 if (!nla) 2217 goto nla_put_failure; 2218 icmp_key = nla_data(nla); 2219 icmp_key->icmp_type = ntohs(output->tp.src); 2220 icmp_key->icmp_code = ntohs(output->tp.dst); 2221 } else if (swkey->eth.type == htons(ETH_P_IPV6) && 2222 swkey->ip.proto == IPPROTO_ICMPV6) { 2223 struct ovs_key_icmpv6 *icmpv6_key; 2224 2225 nla = nla_reserve(skb, OVS_KEY_ATTR_ICMPV6, 2226 sizeof(*icmpv6_key)); 2227 if (!nla) 2228 goto nla_put_failure; 2229 icmpv6_key = nla_data(nla); 2230 icmpv6_key->icmpv6_type = ntohs(output->tp.src); 2231 icmpv6_key->icmpv6_code = ntohs(output->tp.dst); 2232 2233 if (swkey->tp.src == htons(NDISC_NEIGHBOUR_SOLICITATION) || 2234 swkey->tp.src == htons(NDISC_NEIGHBOUR_ADVERTISEMENT)) { 2235 struct ovs_key_nd *nd_key; 2236 2237 nla = nla_reserve(skb, OVS_KEY_ATTR_ND, sizeof(*nd_key)); 2238 if (!nla) 2239 goto nla_put_failure; 2240 nd_key = nla_data(nla); 2241 memcpy(nd_key->nd_target, &output->ipv6.nd.target, 2242 sizeof(nd_key->nd_target)); 2243 ether_addr_copy(nd_key->nd_sll, output->ipv6.nd.sll); 2244 ether_addr_copy(nd_key->nd_tll, output->ipv6.nd.tll); 2245 } 2246 } 2247 } 2248 2249 unencap: 2250 if (in_encap) 2251 nla_nest_end(skb, in_encap); 2252 if (encap) 2253 nla_nest_end(skb, encap); 2254 2255 return 0; 2256 2257 nla_put_failure: 2258 return -EMSGSIZE; 2259 } 2260 2261 int ovs_nla_put_key(const struct sw_flow_key *swkey, 2262 const struct sw_flow_key *output, int attr, bool is_mask, 2263 struct sk_buff *skb) 2264 { 2265 int err; 2266 struct nlattr *nla; 2267 2268 nla = nla_nest_start_noflag(skb, attr); 2269 if (!nla) 2270 return -EMSGSIZE; 2271 err = __ovs_nla_put_key(swkey, output, is_mask, skb); 2272 if (err) 2273 return err; 2274 nla_nest_end(skb, nla); 2275 2276 return 0; 2277 } 2278 2279 /* Called with ovs_mutex or RCU read lock. */ 2280 int ovs_nla_put_identifier(const struct sw_flow *flow, struct sk_buff *skb) 2281 { 2282 if (ovs_identifier_is_ufid(&flow->id)) 2283 return nla_put(skb, OVS_FLOW_ATTR_UFID, flow->id.ufid_len, 2284 flow->id.ufid); 2285 2286 return ovs_nla_put_key(flow->id.unmasked_key, flow->id.unmasked_key, 2287 OVS_FLOW_ATTR_KEY, false, skb); 2288 } 2289 2290 /* Called with ovs_mutex or RCU read lock. */ 2291 int ovs_nla_put_masked_key(const struct sw_flow *flow, struct sk_buff *skb) 2292 { 2293 return ovs_nla_put_key(&flow->key, &flow->key, 2294 OVS_FLOW_ATTR_KEY, false, skb); 2295 } 2296 2297 /* Called with ovs_mutex or RCU read lock. */ 2298 int ovs_nla_put_mask(const struct sw_flow *flow, struct sk_buff *skb) 2299 { 2300 return ovs_nla_put_key(&flow->key, &flow->mask->key, 2301 OVS_FLOW_ATTR_MASK, true, skb); 2302 } 2303 2304 #define MAX_ACTIONS_BUFSIZE (32 * 1024) 2305 2306 static struct sw_flow_actions *nla_alloc_flow_actions(int size) 2307 { 2308 struct sw_flow_actions *sfa; 2309 2310 WARN_ON_ONCE(size > MAX_ACTIONS_BUFSIZE); 2311 2312 sfa = kmalloc(sizeof(*sfa) + size, GFP_KERNEL); 2313 if (!sfa) 2314 return ERR_PTR(-ENOMEM); 2315 2316 sfa->actions_len = 0; 2317 return sfa; 2318 } 2319 2320 static void ovs_nla_free_nested_actions(const struct nlattr *actions, int len); 2321 2322 static void ovs_nla_free_check_pkt_len_action(const struct nlattr *action) 2323 { 2324 const struct nlattr *a; 2325 int rem; 2326 2327 nla_for_each_nested(a, action, rem) { 2328 switch (nla_type(a)) { 2329 case OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL: 2330 case OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER: 2331 ovs_nla_free_nested_actions(nla_data(a), nla_len(a)); 2332 break; 2333 } 2334 } 2335 } 2336 2337 static void ovs_nla_free_clone_action(const struct nlattr *action) 2338 { 2339 const struct nlattr *a = nla_data(action); 2340 int rem = nla_len(action); 2341 2342 switch (nla_type(a)) { 2343 case OVS_CLONE_ATTR_EXEC: 2344 /* The real list of actions follows this attribute. */ 2345 a = nla_next(a, &rem); 2346 ovs_nla_free_nested_actions(a, rem); 2347 break; 2348 } 2349 } 2350 2351 static void ovs_nla_free_dec_ttl_action(const struct nlattr *action) 2352 { 2353 const struct nlattr *a = nla_data(action); 2354 2355 switch (nla_type(a)) { 2356 case OVS_DEC_TTL_ATTR_ACTION: 2357 ovs_nla_free_nested_actions(nla_data(a), nla_len(a)); 2358 break; 2359 } 2360 } 2361 2362 static void ovs_nla_free_sample_action(const struct nlattr *action) 2363 { 2364 const struct nlattr *a = nla_data(action); 2365 int rem = nla_len(action); 2366 2367 switch (nla_type(a)) { 2368 case OVS_SAMPLE_ATTR_ARG: 2369 /* The real list of actions follows this attribute. */ 2370 a = nla_next(a, &rem); 2371 ovs_nla_free_nested_actions(a, rem); 2372 break; 2373 } 2374 } 2375 2376 static void ovs_nla_free_set_action(const struct nlattr *a) 2377 { 2378 const struct nlattr *ovs_key = nla_data(a); 2379 struct ovs_tunnel_info *ovs_tun; 2380 2381 switch (nla_type(ovs_key)) { 2382 case OVS_KEY_ATTR_TUNNEL_INFO: 2383 ovs_tun = nla_data(ovs_key); 2384 dst_release((struct dst_entry *)ovs_tun->tun_dst); 2385 break; 2386 } 2387 } 2388 2389 static void ovs_nla_free_nested_actions(const struct nlattr *actions, int len) 2390 { 2391 const struct nlattr *a; 2392 int rem; 2393 2394 /* Whenever new actions are added, the need to update this 2395 * function should be considered. 2396 */ 2397 BUILD_BUG_ON(OVS_ACTION_ATTR_MAX != 23); 2398 2399 if (!actions) 2400 return; 2401 2402 nla_for_each_attr(a, actions, len, rem) { 2403 switch (nla_type(a)) { 2404 case OVS_ACTION_ATTR_CHECK_PKT_LEN: 2405 ovs_nla_free_check_pkt_len_action(a); 2406 break; 2407 2408 case OVS_ACTION_ATTR_CLONE: 2409 ovs_nla_free_clone_action(a); 2410 break; 2411 2412 case OVS_ACTION_ATTR_CT: 2413 ovs_ct_free_action(a); 2414 break; 2415 2416 case OVS_ACTION_ATTR_DEC_TTL: 2417 ovs_nla_free_dec_ttl_action(a); 2418 break; 2419 2420 case OVS_ACTION_ATTR_SAMPLE: 2421 ovs_nla_free_sample_action(a); 2422 break; 2423 2424 case OVS_ACTION_ATTR_SET: 2425 ovs_nla_free_set_action(a); 2426 break; 2427 } 2428 } 2429 } 2430 2431 void ovs_nla_free_flow_actions(struct sw_flow_actions *sf_acts) 2432 { 2433 if (!sf_acts) 2434 return; 2435 2436 ovs_nla_free_nested_actions(sf_acts->actions, sf_acts->actions_len); 2437 kfree(sf_acts); 2438 } 2439 2440 static void __ovs_nla_free_flow_actions(struct rcu_head *head) 2441 { 2442 ovs_nla_free_flow_actions(container_of(head, struct sw_flow_actions, rcu)); 2443 } 2444 2445 /* Schedules 'sf_acts' to be freed after the next RCU grace period. 2446 * The caller must hold rcu_read_lock for this to be sensible. */ 2447 void ovs_nla_free_flow_actions_rcu(struct sw_flow_actions *sf_acts) 2448 { 2449 call_rcu(&sf_acts->rcu, __ovs_nla_free_flow_actions); 2450 } 2451 2452 static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa, 2453 int attr_len, bool log) 2454 { 2455 2456 struct sw_flow_actions *acts; 2457 int new_acts_size; 2458 size_t req_size = NLA_ALIGN(attr_len); 2459 int next_offset = offsetof(struct sw_flow_actions, actions) + 2460 (*sfa)->actions_len; 2461 2462 if (req_size <= (ksize(*sfa) - next_offset)) 2463 goto out; 2464 2465 new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2); 2466 2467 if (new_acts_size > MAX_ACTIONS_BUFSIZE) { 2468 if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE) { 2469 OVS_NLERR(log, "Flow action size exceeds max %u", 2470 MAX_ACTIONS_BUFSIZE); 2471 return ERR_PTR(-EMSGSIZE); 2472 } 2473 new_acts_size = MAX_ACTIONS_BUFSIZE; 2474 } 2475 2476 acts = nla_alloc_flow_actions(new_acts_size); 2477 if (IS_ERR(acts)) 2478 return (void *)acts; 2479 2480 memcpy(acts->actions, (*sfa)->actions, (*sfa)->actions_len); 2481 acts->actions_len = (*sfa)->actions_len; 2482 acts->orig_len = (*sfa)->orig_len; 2483 kfree(*sfa); 2484 *sfa = acts; 2485 2486 out: 2487 (*sfa)->actions_len += req_size; 2488 return (struct nlattr *) ((unsigned char *)(*sfa) + next_offset); 2489 } 2490 2491 static struct nlattr *__add_action(struct sw_flow_actions **sfa, 2492 int attrtype, void *data, int len, bool log) 2493 { 2494 struct nlattr *a; 2495 2496 a = reserve_sfa_size(sfa, nla_attr_size(len), log); 2497 if (IS_ERR(a)) 2498 return a; 2499 2500 a->nla_type = attrtype; 2501 a->nla_len = nla_attr_size(len); 2502 2503 if (data) 2504 memcpy(nla_data(a), data, len); 2505 memset((unsigned char *) a + a->nla_len, 0, nla_padlen(len)); 2506 2507 return a; 2508 } 2509 2510 int ovs_nla_add_action(struct sw_flow_actions **sfa, int attrtype, void *data, 2511 int len, bool log) 2512 { 2513 struct nlattr *a; 2514 2515 a = __add_action(sfa, attrtype, data, len, log); 2516 2517 return PTR_ERR_OR_ZERO(a); 2518 } 2519 2520 static inline int add_nested_action_start(struct sw_flow_actions **sfa, 2521 int attrtype, bool log) 2522 { 2523 int used = (*sfa)->actions_len; 2524 int err; 2525 2526 err = ovs_nla_add_action(sfa, attrtype, NULL, 0, log); 2527 if (err) 2528 return err; 2529 2530 return used; 2531 } 2532 2533 static inline void add_nested_action_end(struct sw_flow_actions *sfa, 2534 int st_offset) 2535 { 2536 struct nlattr *a = (struct nlattr *) ((unsigned char *)sfa->actions + 2537 st_offset); 2538 2539 a->nla_len = sfa->actions_len - st_offset; 2540 } 2541 2542 static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr, 2543 const struct sw_flow_key *key, 2544 struct sw_flow_actions **sfa, 2545 __be16 eth_type, __be16 vlan_tci, 2546 u32 mpls_label_count, bool log); 2547 2548 static int validate_and_copy_sample(struct net *net, const struct nlattr *attr, 2549 const struct sw_flow_key *key, 2550 struct sw_flow_actions **sfa, 2551 __be16 eth_type, __be16 vlan_tci, 2552 u32 mpls_label_count, bool log, bool last) 2553 { 2554 const struct nlattr *attrs[OVS_SAMPLE_ATTR_MAX + 1]; 2555 const struct nlattr *probability, *actions; 2556 const struct nlattr *a; 2557 int rem, start, err; 2558 struct sample_arg arg; 2559 2560 memset(attrs, 0, sizeof(attrs)); 2561 nla_for_each_nested(a, attr, rem) { 2562 int type = nla_type(a); 2563 if (!type || type > OVS_SAMPLE_ATTR_MAX || attrs[type]) 2564 return -EINVAL; 2565 attrs[type] = a; 2566 } 2567 if (rem) 2568 return -EINVAL; 2569 2570 probability = attrs[OVS_SAMPLE_ATTR_PROBABILITY]; 2571 if (!probability || nla_len(probability) != sizeof(u32)) 2572 return -EINVAL; 2573 2574 actions = attrs[OVS_SAMPLE_ATTR_ACTIONS]; 2575 if (!actions || (nla_len(actions) && nla_len(actions) < NLA_HDRLEN)) 2576 return -EINVAL; 2577 2578 /* validation done, copy sample action. */ 2579 start = add_nested_action_start(sfa, OVS_ACTION_ATTR_SAMPLE, log); 2580 if (start < 0) 2581 return start; 2582 2583 /* When both skb and flow may be changed, put the sample 2584 * into a deferred fifo. On the other hand, if only skb 2585 * may be modified, the actions can be executed in place. 2586 * 2587 * Do this analysis at the flow installation time. 2588 * Set 'clone_action->exec' to true if the actions can be 2589 * executed without being deferred. 2590 * 2591 * If the sample is the last action, it can always be excuted 2592 * rather than deferred. 2593 */ 2594 arg.exec = last || !actions_may_change_flow(actions); 2595 arg.probability = nla_get_u32(probability); 2596 2597 err = ovs_nla_add_action(sfa, OVS_SAMPLE_ATTR_ARG, &arg, sizeof(arg), 2598 log); 2599 if (err) 2600 return err; 2601 2602 err = __ovs_nla_copy_actions(net, actions, key, sfa, 2603 eth_type, vlan_tci, mpls_label_count, log); 2604 2605 if (err) 2606 return err; 2607 2608 add_nested_action_end(*sfa, start); 2609 2610 return 0; 2611 } 2612 2613 static int validate_and_copy_dec_ttl(struct net *net, 2614 const struct nlattr *attr, 2615 const struct sw_flow_key *key, 2616 struct sw_flow_actions **sfa, 2617 __be16 eth_type, __be16 vlan_tci, 2618 u32 mpls_label_count, bool log) 2619 { 2620 const struct nlattr *attrs[OVS_DEC_TTL_ATTR_MAX + 1]; 2621 int start, action_start, err, rem; 2622 const struct nlattr *a, *actions; 2623 2624 memset(attrs, 0, sizeof(attrs)); 2625 nla_for_each_nested(a, attr, rem) { 2626 int type = nla_type(a); 2627 2628 /* Ignore unknown attributes to be future proof. */ 2629 if (type > OVS_DEC_TTL_ATTR_MAX) 2630 continue; 2631 2632 if (!type || attrs[type]) { 2633 OVS_NLERR(log, "Duplicate or invalid key (type %d).", 2634 type); 2635 return -EINVAL; 2636 } 2637 2638 attrs[type] = a; 2639 } 2640 2641 if (rem) { 2642 OVS_NLERR(log, "Message has %d unknown bytes.", rem); 2643 return -EINVAL; 2644 } 2645 2646 actions = attrs[OVS_DEC_TTL_ATTR_ACTION]; 2647 if (!actions || (nla_len(actions) && nla_len(actions) < NLA_HDRLEN)) { 2648 OVS_NLERR(log, "Missing valid actions attribute."); 2649 return -EINVAL; 2650 } 2651 2652 start = add_nested_action_start(sfa, OVS_ACTION_ATTR_DEC_TTL, log); 2653 if (start < 0) 2654 return start; 2655 2656 action_start = add_nested_action_start(sfa, OVS_DEC_TTL_ATTR_ACTION, log); 2657 if (action_start < 0) 2658 return action_start; 2659 2660 err = __ovs_nla_copy_actions(net, actions, key, sfa, eth_type, 2661 vlan_tci, mpls_label_count, log); 2662 if (err) 2663 return err; 2664 2665 add_nested_action_end(*sfa, action_start); 2666 add_nested_action_end(*sfa, start); 2667 return 0; 2668 } 2669 2670 static int validate_and_copy_clone(struct net *net, 2671 const struct nlattr *attr, 2672 const struct sw_flow_key *key, 2673 struct sw_flow_actions **sfa, 2674 __be16 eth_type, __be16 vlan_tci, 2675 u32 mpls_label_count, bool log, bool last) 2676 { 2677 int start, err; 2678 u32 exec; 2679 2680 if (nla_len(attr) && nla_len(attr) < NLA_HDRLEN) 2681 return -EINVAL; 2682 2683 start = add_nested_action_start(sfa, OVS_ACTION_ATTR_CLONE, log); 2684 if (start < 0) 2685 return start; 2686 2687 exec = last || !actions_may_change_flow(attr); 2688 2689 err = ovs_nla_add_action(sfa, OVS_CLONE_ATTR_EXEC, &exec, 2690 sizeof(exec), log); 2691 if (err) 2692 return err; 2693 2694 err = __ovs_nla_copy_actions(net, attr, key, sfa, 2695 eth_type, vlan_tci, mpls_label_count, log); 2696 if (err) 2697 return err; 2698 2699 add_nested_action_end(*sfa, start); 2700 2701 return 0; 2702 } 2703 2704 void ovs_match_init(struct sw_flow_match *match, 2705 struct sw_flow_key *key, 2706 bool reset_key, 2707 struct sw_flow_mask *mask) 2708 { 2709 memset(match, 0, sizeof(*match)); 2710 match->key = key; 2711 match->mask = mask; 2712 2713 if (reset_key) 2714 memset(key, 0, sizeof(*key)); 2715 2716 if (mask) { 2717 memset(&mask->key, 0, sizeof(mask->key)); 2718 mask->range.start = mask->range.end = 0; 2719 } 2720 } 2721 2722 static int validate_geneve_opts(struct sw_flow_key *key) 2723 { 2724 struct geneve_opt *option; 2725 int opts_len = key->tun_opts_len; 2726 bool crit_opt = false; 2727 2728 option = (struct geneve_opt *)TUN_METADATA_OPTS(key, key->tun_opts_len); 2729 while (opts_len > 0) { 2730 int len; 2731 2732 if (opts_len < sizeof(*option)) 2733 return -EINVAL; 2734 2735 len = sizeof(*option) + option->length * 4; 2736 if (len > opts_len) 2737 return -EINVAL; 2738 2739 crit_opt |= !!(option->type & GENEVE_CRIT_OPT_TYPE); 2740 2741 option = (struct geneve_opt *)((u8 *)option + len); 2742 opts_len -= len; 2743 } 2744 2745 key->tun_key.tun_flags |= crit_opt ? TUNNEL_CRIT_OPT : 0; 2746 2747 return 0; 2748 } 2749 2750 static int validate_and_copy_set_tun(const struct nlattr *attr, 2751 struct sw_flow_actions **sfa, bool log) 2752 { 2753 struct sw_flow_match match; 2754 struct sw_flow_key key; 2755 struct metadata_dst *tun_dst; 2756 struct ip_tunnel_info *tun_info; 2757 struct ovs_tunnel_info *ovs_tun; 2758 struct nlattr *a; 2759 int err = 0, start, opts_type; 2760 __be16 dst_opt_type; 2761 2762 dst_opt_type = 0; 2763 ovs_match_init(&match, &key, true, NULL); 2764 opts_type = ip_tun_from_nlattr(nla_data(attr), &match, false, log); 2765 if (opts_type < 0) 2766 return opts_type; 2767 2768 if (key.tun_opts_len) { 2769 switch (opts_type) { 2770 case OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS: 2771 err = validate_geneve_opts(&key); 2772 if (err < 0) 2773 return err; 2774 dst_opt_type = TUNNEL_GENEVE_OPT; 2775 break; 2776 case OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS: 2777 dst_opt_type = TUNNEL_VXLAN_OPT; 2778 break; 2779 case OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS: 2780 dst_opt_type = TUNNEL_ERSPAN_OPT; 2781 break; 2782 } 2783 } 2784 2785 start = add_nested_action_start(sfa, OVS_ACTION_ATTR_SET, log); 2786 if (start < 0) 2787 return start; 2788 2789 tun_dst = metadata_dst_alloc(key.tun_opts_len, METADATA_IP_TUNNEL, 2790 GFP_KERNEL); 2791 2792 if (!tun_dst) 2793 return -ENOMEM; 2794 2795 err = dst_cache_init(&tun_dst->u.tun_info.dst_cache, GFP_KERNEL); 2796 if (err) { 2797 dst_release((struct dst_entry *)tun_dst); 2798 return err; 2799 } 2800 2801 a = __add_action(sfa, OVS_KEY_ATTR_TUNNEL_INFO, NULL, 2802 sizeof(*ovs_tun), log); 2803 if (IS_ERR(a)) { 2804 dst_release((struct dst_entry *)tun_dst); 2805 return PTR_ERR(a); 2806 } 2807 2808 ovs_tun = nla_data(a); 2809 ovs_tun->tun_dst = tun_dst; 2810 2811 tun_info = &tun_dst->u.tun_info; 2812 tun_info->mode = IP_TUNNEL_INFO_TX; 2813 if (key.tun_proto == AF_INET6) 2814 tun_info->mode |= IP_TUNNEL_INFO_IPV6; 2815 else if (key.tun_proto == AF_INET && key.tun_key.u.ipv4.dst == 0) 2816 tun_info->mode |= IP_TUNNEL_INFO_BRIDGE; 2817 tun_info->key = key.tun_key; 2818 2819 /* We need to store the options in the action itself since 2820 * everything else will go away after flow setup. We can append 2821 * it to tun_info and then point there. 2822 */ 2823 ip_tunnel_info_opts_set(tun_info, 2824 TUN_METADATA_OPTS(&key, key.tun_opts_len), 2825 key.tun_opts_len, dst_opt_type); 2826 add_nested_action_end(*sfa, start); 2827 2828 return err; 2829 } 2830 2831 static bool validate_nsh(const struct nlattr *attr, bool is_mask, 2832 bool is_push_nsh, bool log) 2833 { 2834 struct sw_flow_match match; 2835 struct sw_flow_key key; 2836 int ret = 0; 2837 2838 ovs_match_init(&match, &key, true, NULL); 2839 ret = nsh_key_put_from_nlattr(attr, &match, is_mask, 2840 is_push_nsh, log); 2841 return !ret; 2842 } 2843 2844 /* Return false if there are any non-masked bits set. 2845 * Mask follows data immediately, before any netlink padding. 2846 */ 2847 static bool validate_masked(u8 *data, int len) 2848 { 2849 u8 *mask = data + len; 2850 2851 while (len--) 2852 if (*data++ & ~*mask++) 2853 return false; 2854 2855 return true; 2856 } 2857 2858 static int validate_set(const struct nlattr *a, 2859 const struct sw_flow_key *flow_key, 2860 struct sw_flow_actions **sfa, bool *skip_copy, 2861 u8 mac_proto, __be16 eth_type, bool masked, bool log) 2862 { 2863 const struct nlattr *ovs_key = nla_data(a); 2864 int key_type = nla_type(ovs_key); 2865 size_t key_len; 2866 2867 /* There can be only one key in a action */ 2868 if (nla_total_size(nla_len(ovs_key)) != nla_len(a)) 2869 return -EINVAL; 2870 2871 key_len = nla_len(ovs_key); 2872 if (masked) 2873 key_len /= 2; 2874 2875 if (key_type > OVS_KEY_ATTR_MAX || 2876 !check_attr_len(key_len, ovs_key_lens[key_type].len)) 2877 return -EINVAL; 2878 2879 if (masked && !validate_masked(nla_data(ovs_key), key_len)) 2880 return -EINVAL; 2881 2882 switch (key_type) { 2883 case OVS_KEY_ATTR_PRIORITY: 2884 case OVS_KEY_ATTR_SKB_MARK: 2885 case OVS_KEY_ATTR_CT_MARK: 2886 case OVS_KEY_ATTR_CT_LABELS: 2887 break; 2888 2889 case OVS_KEY_ATTR_ETHERNET: 2890 if (mac_proto != MAC_PROTO_ETHERNET) 2891 return -EINVAL; 2892 break; 2893 2894 case OVS_KEY_ATTR_TUNNEL: { 2895 int err; 2896 2897 if (masked) 2898 return -EINVAL; /* Masked tunnel set not supported. */ 2899 2900 *skip_copy = true; 2901 err = validate_and_copy_set_tun(a, sfa, log); 2902 if (err) 2903 return err; 2904 break; 2905 } 2906 case OVS_KEY_ATTR_IPV4: { 2907 const struct ovs_key_ipv4 *ipv4_key; 2908 2909 if (eth_type != htons(ETH_P_IP)) 2910 return -EINVAL; 2911 2912 ipv4_key = nla_data(ovs_key); 2913 2914 if (masked) { 2915 const struct ovs_key_ipv4 *mask = ipv4_key + 1; 2916 2917 /* Non-writeable fields. */ 2918 if (mask->ipv4_proto || mask->ipv4_frag) 2919 return -EINVAL; 2920 } else { 2921 if (ipv4_key->ipv4_proto != flow_key->ip.proto) 2922 return -EINVAL; 2923 2924 if (ipv4_key->ipv4_frag != flow_key->ip.frag) 2925 return -EINVAL; 2926 } 2927 break; 2928 } 2929 case OVS_KEY_ATTR_IPV6: { 2930 const struct ovs_key_ipv6 *ipv6_key; 2931 2932 if (eth_type != htons(ETH_P_IPV6)) 2933 return -EINVAL; 2934 2935 ipv6_key = nla_data(ovs_key); 2936 2937 if (masked) { 2938 const struct ovs_key_ipv6 *mask = ipv6_key + 1; 2939 2940 /* Non-writeable fields. */ 2941 if (mask->ipv6_proto || mask->ipv6_frag) 2942 return -EINVAL; 2943 2944 /* Invalid bits in the flow label mask? */ 2945 if (ntohl(mask->ipv6_label) & 0xFFF00000) 2946 return -EINVAL; 2947 } else { 2948 if (ipv6_key->ipv6_proto != flow_key->ip.proto) 2949 return -EINVAL; 2950 2951 if (ipv6_key->ipv6_frag != flow_key->ip.frag) 2952 return -EINVAL; 2953 } 2954 if (ntohl(ipv6_key->ipv6_label) & 0xFFF00000) 2955 return -EINVAL; 2956 2957 break; 2958 } 2959 case OVS_KEY_ATTR_TCP: 2960 if ((eth_type != htons(ETH_P_IP) && 2961 eth_type != htons(ETH_P_IPV6)) || 2962 flow_key->ip.proto != IPPROTO_TCP) 2963 return -EINVAL; 2964 2965 break; 2966 2967 case OVS_KEY_ATTR_UDP: 2968 if ((eth_type != htons(ETH_P_IP) && 2969 eth_type != htons(ETH_P_IPV6)) || 2970 flow_key->ip.proto != IPPROTO_UDP) 2971 return -EINVAL; 2972 2973 break; 2974 2975 case OVS_KEY_ATTR_MPLS: 2976 if (!eth_p_mpls(eth_type)) 2977 return -EINVAL; 2978 break; 2979 2980 case OVS_KEY_ATTR_SCTP: 2981 if ((eth_type != htons(ETH_P_IP) && 2982 eth_type != htons(ETH_P_IPV6)) || 2983 flow_key->ip.proto != IPPROTO_SCTP) 2984 return -EINVAL; 2985 2986 break; 2987 2988 case OVS_KEY_ATTR_NSH: 2989 if (eth_type != htons(ETH_P_NSH)) 2990 return -EINVAL; 2991 if (!validate_nsh(nla_data(a), masked, false, log)) 2992 return -EINVAL; 2993 break; 2994 2995 default: 2996 return -EINVAL; 2997 } 2998 2999 /* Convert non-masked non-tunnel set actions to masked set actions. */ 3000 if (!masked && key_type != OVS_KEY_ATTR_TUNNEL) { 3001 int start, len = key_len * 2; 3002 struct nlattr *at; 3003 3004 *skip_copy = true; 3005 3006 start = add_nested_action_start(sfa, 3007 OVS_ACTION_ATTR_SET_TO_MASKED, 3008 log); 3009 if (start < 0) 3010 return start; 3011 3012 at = __add_action(sfa, key_type, NULL, len, log); 3013 if (IS_ERR(at)) 3014 return PTR_ERR(at); 3015 3016 memcpy(nla_data(at), nla_data(ovs_key), key_len); /* Key. */ 3017 memset(nla_data(at) + key_len, 0xff, key_len); /* Mask. */ 3018 /* Clear non-writeable bits from otherwise writeable fields. */ 3019 if (key_type == OVS_KEY_ATTR_IPV6) { 3020 struct ovs_key_ipv6 *mask = nla_data(at) + key_len; 3021 3022 mask->ipv6_label &= htonl(0x000FFFFF); 3023 } 3024 add_nested_action_end(*sfa, start); 3025 } 3026 3027 return 0; 3028 } 3029 3030 static int validate_userspace(const struct nlattr *attr) 3031 { 3032 static const struct nla_policy userspace_policy[OVS_USERSPACE_ATTR_MAX + 1] = { 3033 [OVS_USERSPACE_ATTR_PID] = {.type = NLA_U32 }, 3034 [OVS_USERSPACE_ATTR_USERDATA] = {.type = NLA_UNSPEC }, 3035 [OVS_USERSPACE_ATTR_EGRESS_TUN_PORT] = {.type = NLA_U32 }, 3036 }; 3037 struct nlattr *a[OVS_USERSPACE_ATTR_MAX + 1]; 3038 int error; 3039 3040 error = nla_parse_nested_deprecated(a, OVS_USERSPACE_ATTR_MAX, attr, 3041 userspace_policy, NULL); 3042 if (error) 3043 return error; 3044 3045 if (!a[OVS_USERSPACE_ATTR_PID] || 3046 !nla_get_u32(a[OVS_USERSPACE_ATTR_PID])) 3047 return -EINVAL; 3048 3049 return 0; 3050 } 3051 3052 static const struct nla_policy cpl_policy[OVS_CHECK_PKT_LEN_ATTR_MAX + 1] = { 3053 [OVS_CHECK_PKT_LEN_ATTR_PKT_LEN] = {.type = NLA_U16 }, 3054 [OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER] = {.type = NLA_NESTED }, 3055 [OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL] = {.type = NLA_NESTED }, 3056 }; 3057 3058 static int validate_and_copy_check_pkt_len(struct net *net, 3059 const struct nlattr *attr, 3060 const struct sw_flow_key *key, 3061 struct sw_flow_actions **sfa, 3062 __be16 eth_type, __be16 vlan_tci, 3063 u32 mpls_label_count, 3064 bool log, bool last) 3065 { 3066 const struct nlattr *acts_if_greater, *acts_if_lesser_eq; 3067 struct nlattr *a[OVS_CHECK_PKT_LEN_ATTR_MAX + 1]; 3068 struct check_pkt_len_arg arg; 3069 int nested_acts_start; 3070 int start, err; 3071 3072 err = nla_parse_deprecated_strict(a, OVS_CHECK_PKT_LEN_ATTR_MAX, 3073 nla_data(attr), nla_len(attr), 3074 cpl_policy, NULL); 3075 if (err) 3076 return err; 3077 3078 if (!a[OVS_CHECK_PKT_LEN_ATTR_PKT_LEN] || 3079 !nla_get_u16(a[OVS_CHECK_PKT_LEN_ATTR_PKT_LEN])) 3080 return -EINVAL; 3081 3082 acts_if_lesser_eq = a[OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL]; 3083 acts_if_greater = a[OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER]; 3084 3085 /* Both the nested action should be present. */ 3086 if (!acts_if_greater || !acts_if_lesser_eq) 3087 return -EINVAL; 3088 3089 /* validation done, copy the nested actions. */ 3090 start = add_nested_action_start(sfa, OVS_ACTION_ATTR_CHECK_PKT_LEN, 3091 log); 3092 if (start < 0) 3093 return start; 3094 3095 arg.pkt_len = nla_get_u16(a[OVS_CHECK_PKT_LEN_ATTR_PKT_LEN]); 3096 arg.exec_for_lesser_equal = 3097 last || !actions_may_change_flow(acts_if_lesser_eq); 3098 arg.exec_for_greater = 3099 last || !actions_may_change_flow(acts_if_greater); 3100 3101 err = ovs_nla_add_action(sfa, OVS_CHECK_PKT_LEN_ATTR_ARG, &arg, 3102 sizeof(arg), log); 3103 if (err) 3104 return err; 3105 3106 nested_acts_start = add_nested_action_start(sfa, 3107 OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL, log); 3108 if (nested_acts_start < 0) 3109 return nested_acts_start; 3110 3111 err = __ovs_nla_copy_actions(net, acts_if_lesser_eq, key, sfa, 3112 eth_type, vlan_tci, mpls_label_count, log); 3113 3114 if (err) 3115 return err; 3116 3117 add_nested_action_end(*sfa, nested_acts_start); 3118 3119 nested_acts_start = add_nested_action_start(sfa, 3120 OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER, log); 3121 if (nested_acts_start < 0) 3122 return nested_acts_start; 3123 3124 err = __ovs_nla_copy_actions(net, acts_if_greater, key, sfa, 3125 eth_type, vlan_tci, mpls_label_count, log); 3126 3127 if (err) 3128 return err; 3129 3130 add_nested_action_end(*sfa, nested_acts_start); 3131 add_nested_action_end(*sfa, start); 3132 return 0; 3133 } 3134 3135 static int copy_action(const struct nlattr *from, 3136 struct sw_flow_actions **sfa, bool log) 3137 { 3138 int totlen = NLA_ALIGN(from->nla_len); 3139 struct nlattr *to; 3140 3141 to = reserve_sfa_size(sfa, from->nla_len, log); 3142 if (IS_ERR(to)) 3143 return PTR_ERR(to); 3144 3145 memcpy(to, from, totlen); 3146 return 0; 3147 } 3148 3149 static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr, 3150 const struct sw_flow_key *key, 3151 struct sw_flow_actions **sfa, 3152 __be16 eth_type, __be16 vlan_tci, 3153 u32 mpls_label_count, bool log) 3154 { 3155 u8 mac_proto = ovs_key_mac_proto(key); 3156 const struct nlattr *a; 3157 int rem, err; 3158 3159 nla_for_each_nested(a, attr, rem) { 3160 /* Expected argument lengths, (u32)-1 for variable length. */ 3161 static const u32 action_lens[OVS_ACTION_ATTR_MAX + 1] = { 3162 [OVS_ACTION_ATTR_OUTPUT] = sizeof(u32), 3163 [OVS_ACTION_ATTR_RECIRC] = sizeof(u32), 3164 [OVS_ACTION_ATTR_USERSPACE] = (u32)-1, 3165 [OVS_ACTION_ATTR_PUSH_MPLS] = sizeof(struct ovs_action_push_mpls), 3166 [OVS_ACTION_ATTR_POP_MPLS] = sizeof(__be16), 3167 [OVS_ACTION_ATTR_PUSH_VLAN] = sizeof(struct ovs_action_push_vlan), 3168 [OVS_ACTION_ATTR_POP_VLAN] = 0, 3169 [OVS_ACTION_ATTR_SET] = (u32)-1, 3170 [OVS_ACTION_ATTR_SET_MASKED] = (u32)-1, 3171 [OVS_ACTION_ATTR_SAMPLE] = (u32)-1, 3172 [OVS_ACTION_ATTR_HASH] = sizeof(struct ovs_action_hash), 3173 [OVS_ACTION_ATTR_CT] = (u32)-1, 3174 [OVS_ACTION_ATTR_CT_CLEAR] = 0, 3175 [OVS_ACTION_ATTR_TRUNC] = sizeof(struct ovs_action_trunc), 3176 [OVS_ACTION_ATTR_PUSH_ETH] = sizeof(struct ovs_action_push_eth), 3177 [OVS_ACTION_ATTR_POP_ETH] = 0, 3178 [OVS_ACTION_ATTR_PUSH_NSH] = (u32)-1, 3179 [OVS_ACTION_ATTR_POP_NSH] = 0, 3180 [OVS_ACTION_ATTR_METER] = sizeof(u32), 3181 [OVS_ACTION_ATTR_CLONE] = (u32)-1, 3182 [OVS_ACTION_ATTR_CHECK_PKT_LEN] = (u32)-1, 3183 [OVS_ACTION_ATTR_ADD_MPLS] = sizeof(struct ovs_action_add_mpls), 3184 [OVS_ACTION_ATTR_DEC_TTL] = (u32)-1, 3185 }; 3186 const struct ovs_action_push_vlan *vlan; 3187 int type = nla_type(a); 3188 bool skip_copy; 3189 3190 if (type > OVS_ACTION_ATTR_MAX || 3191 (action_lens[type] != nla_len(a) && 3192 action_lens[type] != (u32)-1)) 3193 return -EINVAL; 3194 3195 skip_copy = false; 3196 switch (type) { 3197 case OVS_ACTION_ATTR_UNSPEC: 3198 return -EINVAL; 3199 3200 case OVS_ACTION_ATTR_USERSPACE: 3201 err = validate_userspace(a); 3202 if (err) 3203 return err; 3204 break; 3205 3206 case OVS_ACTION_ATTR_OUTPUT: 3207 if (nla_get_u32(a) >= DP_MAX_PORTS) 3208 return -EINVAL; 3209 break; 3210 3211 case OVS_ACTION_ATTR_TRUNC: { 3212 const struct ovs_action_trunc *trunc = nla_data(a); 3213 3214 if (trunc->max_len < ETH_HLEN) 3215 return -EINVAL; 3216 break; 3217 } 3218 3219 case OVS_ACTION_ATTR_HASH: { 3220 const struct ovs_action_hash *act_hash = nla_data(a); 3221 3222 switch (act_hash->hash_alg) { 3223 case OVS_HASH_ALG_L4: 3224 break; 3225 default: 3226 return -EINVAL; 3227 } 3228 3229 break; 3230 } 3231 3232 case OVS_ACTION_ATTR_POP_VLAN: 3233 if (mac_proto != MAC_PROTO_ETHERNET) 3234 return -EINVAL; 3235 vlan_tci = htons(0); 3236 break; 3237 3238 case OVS_ACTION_ATTR_PUSH_VLAN: 3239 if (mac_proto != MAC_PROTO_ETHERNET) 3240 return -EINVAL; 3241 vlan = nla_data(a); 3242 if (!eth_type_vlan(vlan->vlan_tpid)) 3243 return -EINVAL; 3244 if (!(vlan->vlan_tci & htons(VLAN_CFI_MASK))) 3245 return -EINVAL; 3246 vlan_tci = vlan->vlan_tci; 3247 break; 3248 3249 case OVS_ACTION_ATTR_RECIRC: 3250 break; 3251 3252 case OVS_ACTION_ATTR_ADD_MPLS: { 3253 const struct ovs_action_add_mpls *mpls = nla_data(a); 3254 3255 if (!eth_p_mpls(mpls->mpls_ethertype)) 3256 return -EINVAL; 3257 3258 if (mpls->tun_flags & OVS_MPLS_L3_TUNNEL_FLAG_MASK) { 3259 if (vlan_tci & htons(VLAN_CFI_MASK) || 3260 (eth_type != htons(ETH_P_IP) && 3261 eth_type != htons(ETH_P_IPV6) && 3262 eth_type != htons(ETH_P_ARP) && 3263 eth_type != htons(ETH_P_RARP) && 3264 !eth_p_mpls(eth_type))) 3265 return -EINVAL; 3266 mpls_label_count++; 3267 } else { 3268 if (mac_proto == MAC_PROTO_ETHERNET) { 3269 mpls_label_count = 1; 3270 mac_proto = MAC_PROTO_NONE; 3271 } else { 3272 mpls_label_count++; 3273 } 3274 } 3275 eth_type = mpls->mpls_ethertype; 3276 break; 3277 } 3278 3279 case OVS_ACTION_ATTR_PUSH_MPLS: { 3280 const struct ovs_action_push_mpls *mpls = nla_data(a); 3281 3282 if (!eth_p_mpls(mpls->mpls_ethertype)) 3283 return -EINVAL; 3284 /* Prohibit push MPLS other than to a white list 3285 * for packets that have a known tag order. 3286 */ 3287 if (vlan_tci & htons(VLAN_CFI_MASK) || 3288 (eth_type != htons(ETH_P_IP) && 3289 eth_type != htons(ETH_P_IPV6) && 3290 eth_type != htons(ETH_P_ARP) && 3291 eth_type != htons(ETH_P_RARP) && 3292 !eth_p_mpls(eth_type))) 3293 return -EINVAL; 3294 eth_type = mpls->mpls_ethertype; 3295 mpls_label_count++; 3296 break; 3297 } 3298 3299 case OVS_ACTION_ATTR_POP_MPLS: { 3300 __be16 proto; 3301 if (vlan_tci & htons(VLAN_CFI_MASK) || 3302 !eth_p_mpls(eth_type)) 3303 return -EINVAL; 3304 3305 /* Disallow subsequent L2.5+ set actions and mpls_pop 3306 * actions once the last MPLS label in the packet is 3307 * is popped as there is no check here to ensure that 3308 * the new eth type is valid and thus set actions could 3309 * write off the end of the packet or otherwise corrupt 3310 * it. 3311 * 3312 * Support for these actions is planned using packet 3313 * recirculation. 3314 */ 3315 proto = nla_get_be16(a); 3316 3317 if (proto == htons(ETH_P_TEB) && 3318 mac_proto != MAC_PROTO_NONE) 3319 return -EINVAL; 3320 3321 mpls_label_count--; 3322 3323 if (!eth_p_mpls(proto) || !mpls_label_count) 3324 eth_type = htons(0); 3325 else 3326 eth_type = proto; 3327 3328 break; 3329 } 3330 3331 case OVS_ACTION_ATTR_SET: 3332 err = validate_set(a, key, sfa, 3333 &skip_copy, mac_proto, eth_type, 3334 false, log); 3335 if (err) 3336 return err; 3337 break; 3338 3339 case OVS_ACTION_ATTR_SET_MASKED: 3340 err = validate_set(a, key, sfa, 3341 &skip_copy, mac_proto, eth_type, 3342 true, log); 3343 if (err) 3344 return err; 3345 break; 3346 3347 case OVS_ACTION_ATTR_SAMPLE: { 3348 bool last = nla_is_last(a, rem); 3349 3350 err = validate_and_copy_sample(net, a, key, sfa, 3351 eth_type, vlan_tci, 3352 mpls_label_count, 3353 log, last); 3354 if (err) 3355 return err; 3356 skip_copy = true; 3357 break; 3358 } 3359 3360 case OVS_ACTION_ATTR_CT: 3361 err = ovs_ct_copy_action(net, a, key, sfa, log); 3362 if (err) 3363 return err; 3364 skip_copy = true; 3365 break; 3366 3367 case OVS_ACTION_ATTR_CT_CLEAR: 3368 break; 3369 3370 case OVS_ACTION_ATTR_PUSH_ETH: 3371 /* Disallow pushing an Ethernet header if one 3372 * is already present */ 3373 if (mac_proto != MAC_PROTO_NONE) 3374 return -EINVAL; 3375 mac_proto = MAC_PROTO_ETHERNET; 3376 break; 3377 3378 case OVS_ACTION_ATTR_POP_ETH: 3379 if (mac_proto != MAC_PROTO_ETHERNET) 3380 return -EINVAL; 3381 if (vlan_tci & htons(VLAN_CFI_MASK)) 3382 return -EINVAL; 3383 mac_proto = MAC_PROTO_NONE; 3384 break; 3385 3386 case OVS_ACTION_ATTR_PUSH_NSH: 3387 if (mac_proto != MAC_PROTO_ETHERNET) { 3388 u8 next_proto; 3389 3390 next_proto = tun_p_from_eth_p(eth_type); 3391 if (!next_proto) 3392 return -EINVAL; 3393 } 3394 mac_proto = MAC_PROTO_NONE; 3395 if (!validate_nsh(nla_data(a), false, true, true)) 3396 return -EINVAL; 3397 break; 3398 3399 case OVS_ACTION_ATTR_POP_NSH: { 3400 __be16 inner_proto; 3401 3402 if (eth_type != htons(ETH_P_NSH)) 3403 return -EINVAL; 3404 inner_proto = tun_p_to_eth_p(key->nsh.base.np); 3405 if (!inner_proto) 3406 return -EINVAL; 3407 if (key->nsh.base.np == TUN_P_ETHERNET) 3408 mac_proto = MAC_PROTO_ETHERNET; 3409 else 3410 mac_proto = MAC_PROTO_NONE; 3411 break; 3412 } 3413 3414 case OVS_ACTION_ATTR_METER: 3415 /* Non-existent meters are simply ignored. */ 3416 break; 3417 3418 case OVS_ACTION_ATTR_CLONE: { 3419 bool last = nla_is_last(a, rem); 3420 3421 err = validate_and_copy_clone(net, a, key, sfa, 3422 eth_type, vlan_tci, 3423 mpls_label_count, 3424 log, last); 3425 if (err) 3426 return err; 3427 skip_copy = true; 3428 break; 3429 } 3430 3431 case OVS_ACTION_ATTR_CHECK_PKT_LEN: { 3432 bool last = nla_is_last(a, rem); 3433 3434 err = validate_and_copy_check_pkt_len(net, a, key, sfa, 3435 eth_type, 3436 vlan_tci, 3437 mpls_label_count, 3438 log, last); 3439 if (err) 3440 return err; 3441 skip_copy = true; 3442 break; 3443 } 3444 3445 case OVS_ACTION_ATTR_DEC_TTL: 3446 err = validate_and_copy_dec_ttl(net, a, key, sfa, 3447 eth_type, vlan_tci, 3448 mpls_label_count, log); 3449 if (err) 3450 return err; 3451 skip_copy = true; 3452 break; 3453 3454 default: 3455 OVS_NLERR(log, "Unknown Action type %d", type); 3456 return -EINVAL; 3457 } 3458 if (!skip_copy) { 3459 err = copy_action(a, sfa, log); 3460 if (err) 3461 return err; 3462 } 3463 } 3464 3465 if (rem > 0) 3466 return -EINVAL; 3467 3468 return 0; 3469 } 3470 3471 /* 'key' must be the masked key. */ 3472 int ovs_nla_copy_actions(struct net *net, const struct nlattr *attr, 3473 const struct sw_flow_key *key, 3474 struct sw_flow_actions **sfa, bool log) 3475 { 3476 int err; 3477 u32 mpls_label_count = 0; 3478 3479 *sfa = nla_alloc_flow_actions(min(nla_len(attr), MAX_ACTIONS_BUFSIZE)); 3480 if (IS_ERR(*sfa)) 3481 return PTR_ERR(*sfa); 3482 3483 if (eth_p_mpls(key->eth.type)) 3484 mpls_label_count = hweight_long(key->mpls.num_labels_mask); 3485 3486 (*sfa)->orig_len = nla_len(attr); 3487 err = __ovs_nla_copy_actions(net, attr, key, sfa, key->eth.type, 3488 key->eth.vlan.tci, mpls_label_count, log); 3489 if (err) 3490 ovs_nla_free_flow_actions(*sfa); 3491 3492 return err; 3493 } 3494 3495 static int sample_action_to_attr(const struct nlattr *attr, 3496 struct sk_buff *skb) 3497 { 3498 struct nlattr *start, *ac_start = NULL, *sample_arg; 3499 int err = 0, rem = nla_len(attr); 3500 const struct sample_arg *arg; 3501 struct nlattr *actions; 3502 3503 start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_SAMPLE); 3504 if (!start) 3505 return -EMSGSIZE; 3506 3507 sample_arg = nla_data(attr); 3508 arg = nla_data(sample_arg); 3509 actions = nla_next(sample_arg, &rem); 3510 3511 if (nla_put_u32(skb, OVS_SAMPLE_ATTR_PROBABILITY, arg->probability)) { 3512 err = -EMSGSIZE; 3513 goto out; 3514 } 3515 3516 ac_start = nla_nest_start_noflag(skb, OVS_SAMPLE_ATTR_ACTIONS); 3517 if (!ac_start) { 3518 err = -EMSGSIZE; 3519 goto out; 3520 } 3521 3522 err = ovs_nla_put_actions(actions, rem, skb); 3523 3524 out: 3525 if (err) { 3526 nla_nest_cancel(skb, ac_start); 3527 nla_nest_cancel(skb, start); 3528 } else { 3529 nla_nest_end(skb, ac_start); 3530 nla_nest_end(skb, start); 3531 } 3532 3533 return err; 3534 } 3535 3536 static int clone_action_to_attr(const struct nlattr *attr, 3537 struct sk_buff *skb) 3538 { 3539 struct nlattr *start; 3540 int err = 0, rem = nla_len(attr); 3541 3542 start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_CLONE); 3543 if (!start) 3544 return -EMSGSIZE; 3545 3546 /* Skipping the OVS_CLONE_ATTR_EXEC that is always the first attribute. */ 3547 attr = nla_next(nla_data(attr), &rem); 3548 err = ovs_nla_put_actions(attr, rem, skb); 3549 3550 if (err) 3551 nla_nest_cancel(skb, start); 3552 else 3553 nla_nest_end(skb, start); 3554 3555 return err; 3556 } 3557 3558 static int check_pkt_len_action_to_attr(const struct nlattr *attr, 3559 struct sk_buff *skb) 3560 { 3561 struct nlattr *start, *ac_start = NULL; 3562 const struct check_pkt_len_arg *arg; 3563 const struct nlattr *a, *cpl_arg; 3564 int err = 0, rem = nla_len(attr); 3565 3566 start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_CHECK_PKT_LEN); 3567 if (!start) 3568 return -EMSGSIZE; 3569 3570 /* The first nested attribute in 'attr' is always 3571 * 'OVS_CHECK_PKT_LEN_ATTR_ARG'. 3572 */ 3573 cpl_arg = nla_data(attr); 3574 arg = nla_data(cpl_arg); 3575 3576 if (nla_put_u16(skb, OVS_CHECK_PKT_LEN_ATTR_PKT_LEN, arg->pkt_len)) { 3577 err = -EMSGSIZE; 3578 goto out; 3579 } 3580 3581 /* Second nested attribute in 'attr' is always 3582 * 'OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL'. 3583 */ 3584 a = nla_next(cpl_arg, &rem); 3585 ac_start = nla_nest_start_noflag(skb, 3586 OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL); 3587 if (!ac_start) { 3588 err = -EMSGSIZE; 3589 goto out; 3590 } 3591 3592 err = ovs_nla_put_actions(nla_data(a), nla_len(a), skb); 3593 if (err) { 3594 nla_nest_cancel(skb, ac_start); 3595 goto out; 3596 } else { 3597 nla_nest_end(skb, ac_start); 3598 } 3599 3600 /* Third nested attribute in 'attr' is always 3601 * OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER. 3602 */ 3603 a = nla_next(a, &rem); 3604 ac_start = nla_nest_start_noflag(skb, 3605 OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER); 3606 if (!ac_start) { 3607 err = -EMSGSIZE; 3608 goto out; 3609 } 3610 3611 err = ovs_nla_put_actions(nla_data(a), nla_len(a), skb); 3612 if (err) { 3613 nla_nest_cancel(skb, ac_start); 3614 goto out; 3615 } else { 3616 nla_nest_end(skb, ac_start); 3617 } 3618 3619 nla_nest_end(skb, start); 3620 return 0; 3621 3622 out: 3623 nla_nest_cancel(skb, start); 3624 return err; 3625 } 3626 3627 static int dec_ttl_action_to_attr(const struct nlattr *attr, 3628 struct sk_buff *skb) 3629 { 3630 struct nlattr *start, *action_start; 3631 const struct nlattr *a; 3632 int err = 0, rem; 3633 3634 start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_DEC_TTL); 3635 if (!start) 3636 return -EMSGSIZE; 3637 3638 nla_for_each_attr(a, nla_data(attr), nla_len(attr), rem) { 3639 switch (nla_type(a)) { 3640 case OVS_DEC_TTL_ATTR_ACTION: 3641 3642 action_start = nla_nest_start_noflag(skb, OVS_DEC_TTL_ATTR_ACTION); 3643 if (!action_start) { 3644 err = -EMSGSIZE; 3645 goto out; 3646 } 3647 3648 err = ovs_nla_put_actions(nla_data(a), nla_len(a), skb); 3649 if (err) 3650 goto out; 3651 3652 nla_nest_end(skb, action_start); 3653 break; 3654 3655 default: 3656 /* Ignore all other option to be future compatible */ 3657 break; 3658 } 3659 } 3660 3661 nla_nest_end(skb, start); 3662 return 0; 3663 3664 out: 3665 nla_nest_cancel(skb, start); 3666 return err; 3667 } 3668 3669 static int set_action_to_attr(const struct nlattr *a, struct sk_buff *skb) 3670 { 3671 const struct nlattr *ovs_key = nla_data(a); 3672 int key_type = nla_type(ovs_key); 3673 struct nlattr *start; 3674 int err; 3675 3676 switch (key_type) { 3677 case OVS_KEY_ATTR_TUNNEL_INFO: { 3678 struct ovs_tunnel_info *ovs_tun = nla_data(ovs_key); 3679 struct ip_tunnel_info *tun_info = &ovs_tun->tun_dst->u.tun_info; 3680 3681 start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_SET); 3682 if (!start) 3683 return -EMSGSIZE; 3684 3685 err = ip_tun_to_nlattr(skb, &tun_info->key, 3686 ip_tunnel_info_opts(tun_info), 3687 tun_info->options_len, 3688 ip_tunnel_info_af(tun_info), tun_info->mode); 3689 if (err) 3690 return err; 3691 nla_nest_end(skb, start); 3692 break; 3693 } 3694 default: 3695 if (nla_put(skb, OVS_ACTION_ATTR_SET, nla_len(a), ovs_key)) 3696 return -EMSGSIZE; 3697 break; 3698 } 3699 3700 return 0; 3701 } 3702 3703 static int masked_set_action_to_set_action_attr(const struct nlattr *a, 3704 struct sk_buff *skb) 3705 { 3706 const struct nlattr *ovs_key = nla_data(a); 3707 struct nlattr *nla; 3708 size_t key_len = nla_len(ovs_key) / 2; 3709 3710 /* Revert the conversion we did from a non-masked set action to 3711 * masked set action. 3712 */ 3713 nla = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_SET); 3714 if (!nla) 3715 return -EMSGSIZE; 3716 3717 if (nla_put(skb, nla_type(ovs_key), key_len, nla_data(ovs_key))) 3718 return -EMSGSIZE; 3719 3720 nla_nest_end(skb, nla); 3721 return 0; 3722 } 3723 3724 int ovs_nla_put_actions(const struct nlattr *attr, int len, struct sk_buff *skb) 3725 { 3726 const struct nlattr *a; 3727 int rem, err; 3728 3729 nla_for_each_attr(a, attr, len, rem) { 3730 int type = nla_type(a); 3731 3732 switch (type) { 3733 case OVS_ACTION_ATTR_SET: 3734 err = set_action_to_attr(a, skb); 3735 if (err) 3736 return err; 3737 break; 3738 3739 case OVS_ACTION_ATTR_SET_TO_MASKED: 3740 err = masked_set_action_to_set_action_attr(a, skb); 3741 if (err) 3742 return err; 3743 break; 3744 3745 case OVS_ACTION_ATTR_SAMPLE: 3746 err = sample_action_to_attr(a, skb); 3747 if (err) 3748 return err; 3749 break; 3750 3751 case OVS_ACTION_ATTR_CT: 3752 err = ovs_ct_action_to_attr(nla_data(a), skb); 3753 if (err) 3754 return err; 3755 break; 3756 3757 case OVS_ACTION_ATTR_CLONE: 3758 err = clone_action_to_attr(a, skb); 3759 if (err) 3760 return err; 3761 break; 3762 3763 case OVS_ACTION_ATTR_CHECK_PKT_LEN: 3764 err = check_pkt_len_action_to_attr(a, skb); 3765 if (err) 3766 return err; 3767 break; 3768 3769 case OVS_ACTION_ATTR_DEC_TTL: 3770 err = dec_ttl_action_to_attr(a, skb); 3771 if (err) 3772 return err; 3773 break; 3774 3775 default: 3776 if (nla_put(skb, type, nla_len(a), nla_data(a))) 3777 return -EMSGSIZE; 3778 break; 3779 } 3780 } 3781 3782 return 0; 3783 } 3784