// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (c) 2015 Nicira, Inc.
 */

#include <linux/module.h>
#include <linux/openvswitch.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/sctp.h>
#include <linux/static_key.h>
#include <net/ip.h>
#include <net/genetlink.h>
#include <net/netfilter/nf_conntrack_core.h>
#include <net/netfilter/nf_conntrack_count.h>
#include <net/netfilter/nf_conntrack_helper.h>
#include <net/netfilter/nf_conntrack_labels.h>
#include <net/netfilter/nf_conntrack_seqadj.h>
#include <net/netfilter/nf_conntrack_timeout.h>
#include <net/netfilter/nf_conntrack_zones.h>
#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
#include <net/ipv6_frag.h>

#if IS_ENABLED(CONFIG_NF_NAT)
#include <net/netfilter/nf_nat.h>
#endif

#include "datapath.h"
#include "conntrack.h"
#include "flow.h"
#include "flow_netlink.h"

/* Min/max netlink attribute length pair; the table that uses it is not in
 * this part of the file.
 */
struct ovs_ct_len_tbl {
	int maxlen;
	int minlen;
};

/* Metadata mark for masked write to conntrack mark */
struct md_mark {
	u32 value;	/* Bits to set. */
	u32 mask;	/* Which bits of the mark the write covers. */
};

/* Metadata label for masked write to conntrack label. */
struct md_labels {
	struct ovs_key_ct_labels value;
	struct ovs_key_ct_labels mask;
};

enum ovs_ct_nat {
	OVS_CT_NAT = 1 << 0,     /* NAT for committed connections only. */
	OVS_CT_SRC_NAT = 1 << 1, /* Source NAT for NEW connections. */
	OVS_CT_DST_NAT = 1 << 2, /* Destination NAT for NEW connections. */
};

/* Conntrack action context for execution. */
struct ovs_conntrack_info {
	struct nf_conntrack_helper *helper;	/* ALG helper, or NULL. */
	struct nf_conntrack_zone zone;		/* Zone the action operates in. */
	struct nf_conn *ct;			/* Template entry; see skb_nfct_cached(). */
	u8 commit : 1;
	u8 nat : 3;                 /* enum ovs_ct_nat */
	u8 force : 1;		    /* Force lookup even with no ct_state; see ovs_ct_executed(). */
	u8 have_eventmask : 1;
	u16 family;		    /* NFPROTO_* of the packets this action applies to. */
	u32 eventmask;              /* Mask of 1 << IPCT_*. */
	struct md_mark mark;
	struct md_labels labels;
	char timeout[CTNL_TIMEOUT_NAME_MAX];
	struct nf_ct_timeout *nf_ct_timeout;
#if IS_ENABLED(CONFIG_NF_NAT)
	struct nf_nat_range2 range;  /* Only present for SRC NAT and DST NAT. */
#endif
};

#if IS_ENABLED(CONFIG_NETFILTER_CONNCOUNT)
#define OVS_CT_LIMIT_UNLIMITED	0
#define OVS_CT_LIMIT_DEFAULT OVS_CT_LIMIT_UNLIMITED
#define CT_LIMIT_HASH_BUCKETS 512
/* Static key so the per-zone limit check costs nothing until a limit is set. */
static DEFINE_STATIC_KEY_FALSE(ovs_ct_limit_enabled);

struct ovs_ct_limit {
	/* Elements in ovs_ct_limit_info->limits hash table */
	struct hlist_node hlist_node;
	struct rcu_head rcu;
	u16 zone;
	u32 limit;
};

struct ovs_ct_limit_info {
	u32 default_limit;
	struct hlist_head *limits;
	struct nf_conncount_data *data;
};

static const struct nla_policy ct_limit_policy[OVS_CT_LIMIT_ATTR_MAX + 1] = {
	[OVS_CT_LIMIT_ATTR_ZONE_LIMIT] = { .type = NLA_NESTED, },
};
#endif

static bool labels_nonzero(const struct ovs_key_ct_labels *labels);

static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info);

/* Translate the Ethernet type carried in the flow key into the netfilter
 * protocol family. Anything that is not IPv4/IPv6 maps to NFPROTO_UNSPEC.
 */
static u16 key_to_nfproto(const struct sw_flow_key *key)
{
	switch (ntohs(key->eth.type)) {
	case ETH_P_IP:
		return NFPROTO_IPV4;
	case ETH_P_IPV6:
		return NFPROTO_IPV6;
	default:
		return NFPROTO_UNSPEC;
	}
}

/* Map SKB connection state into the values used by flow definition.
 *
 * The result always carries OVS_CS_F_TRACKED; the direction and
 * new/established/related bits are derived from 'ctinfo' alone (the
 * caller adds the NAT and unconfirmed-NEW bits, see ovs_ct_update_key()).
 */
static u8 ovs_ct_get_state(enum ip_conntrack_info ctinfo)
{
	u8 ct_state = OVS_CS_F_TRACKED;

	/* First pass: reply direction. */
	switch (ctinfo) {
	case IP_CT_ESTABLISHED_REPLY:
	case IP_CT_RELATED_REPLY:
		ct_state |= OVS_CS_F_REPLY_DIR;
		break;
	default:
		break;
	}

	/* Second pass: connection phase, independent of direction. */
	switch (ctinfo) {
	case IP_CT_ESTABLISHED:
	case IP_CT_ESTABLISHED_REPLY:
		ct_state |= OVS_CS_F_ESTABLISHED;
		break;
	case IP_CT_RELATED:
	case IP_CT_RELATED_REPLY:
		ct_state |= OVS_CS_F_RELATED;
		break;
	case IP_CT_NEW:
		ct_state |= OVS_CS_F_NEW;
		break;
	default:
		break;
	}

	return ct_state;
}

/* Return the conntrack mark of 'ct', or 0 if there is no entry or marks are
 * not compiled in. READ_ONCE() because the mark may be written concurrently
 * (see ovs_ct_set_mark()).
 */
static u32 ovs_ct_get_mark(const struct nf_conn *ct)
{
#if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK)
	return ct ? READ_ONCE(ct->mark) : 0;
#else
	return 0;
#endif
}

/* Guard against conntrack labels max size shrinking below 128 bits. */
#if NF_CT_LABELS_MAX_SIZE < 16
#error NF_CT_LABELS_MAX_SIZE must be at least 16 bytes
#endif

/* Copy the first OVS_CT_LABELS_LEN bytes of the connection's labels
 * extension into 'labels'; zero-fill when there is no entry or no
 * labels extension so the key never holds stale data.
 */
static void ovs_ct_get_labels(const struct nf_conn *ct,
			      struct ovs_key_ct_labels *labels)
{
	struct nf_conn_labels *cl = ct ? nf_ct_labels_find(ct) : NULL;

	if (cl)
		memcpy(labels, cl->bits, OVS_CT_LABELS_LEN);
	else
		memset(labels, 0, OVS_CT_LABELS_LEN);
}

/* Fill the original-direction transport fields of 'key' from 'orig'.
 * For the ICMP protocol of the family ('icmp_proto') the src/dst slots
 * carry the ICMP type and code (in network byte order) instead of ports.
 */
static void __ovs_ct_update_key_orig_tp(struct sw_flow_key *key,
					const struct nf_conntrack_tuple *orig,
					u8 icmp_proto)
{
	key->ct_orig_proto = orig->dst.protonum;
	if (orig->dst.protonum == icmp_proto) {
		key->ct.orig_tp.src = htons(orig->dst.u.icmp.type);
		key->ct.orig_tp.dst = htons(orig->dst.u.icmp.code);
	} else {
		key->ct.orig_tp.src = orig->src.u.all;
		key->ct.orig_tp.dst = orig->dst.u.all;
	}
}

/* Write the conntrack-derived fields of 'key': state, zone, mark, labels
 * and, when 'ct' is non-NULL and its L3 family matches the packet, the
 * original-direction tuple (taken from the master connection if there is
 * one). If no tuple can be provided, ct_orig_proto is cleared so readers
 * know the tuple fields are not valid.
 */
static void __ovs_ct_update_key(struct sw_flow_key *key, u8 state,
				const struct nf_conntrack_zone *zone,
				const struct nf_conn *ct)
{
	key->ct_state = state;
	key->ct_zone = zone->id;
	key->ct.mark = ovs_ct_get_mark(ct);
	ovs_ct_get_labels(ct, &key->ct.labels);

	if (ct) {
		const struct nf_conntrack_tuple *orig;

		/* Use the master if we have one. */
		if (ct->master)
			ct = ct->master;
		orig = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;

		/* IP version must match with the master connection.
		 * Without this check an IPv6 master's tuple could be read
		 * through the IPv4 union member (or vice versa).
		 */
		if (key->eth.type == htons(ETH_P_IP) &&
		    nf_ct_l3num(ct) == NFPROTO_IPV4) {
			key->ipv4.ct_orig.src = orig->src.u3.ip;
			key->ipv4.ct_orig.dst = orig->dst.u3.ip;
			__ovs_ct_update_key_orig_tp(key, orig, IPPROTO_ICMP);
			return;
		} else if (key->eth.type == htons(ETH_P_IPV6) &&
			   !sw_flow_key_is_nd(key) &&
			   nf_ct_l3num(ct) == NFPROTO_IPV6) {
			/* Neighbour discovery keys are skipped here;
			 * presumably they reuse the ipv6 key fields for ND
			 * data — see sw_flow_key_is_nd().
			 */
			key->ipv6.ct_orig.src = orig->src.u3.in6;
			key->ipv6.ct_orig.dst = orig->dst.u3.in6;
			__ovs_ct_update_key_orig_tp(key, orig, NEXTHDR_ICMP);
			return;
		}
	}
	/* Clear 'ct_orig_proto' to mark the non-existence of conntrack
	 * original direction key fields.
	 */
	key->ct_orig_proto = 0;
}

/* Update 'key' based on skb->_nfct. If 'post_ct' is true, then OVS has
 * previously sent the packet to conntrack via the ct action. If
 * 'keep_nat_flags' is true, the existing NAT flags retained, else they are
 * initialized from the connection status.
 *
 * 'info' may be NULL (ovs_ct_fill_key() passes NULL); it is only consulted
 * for the zone when 'post_ct' is set and no entry is attached to the skb.
 * A packet that went through conntrack but has no entry is reported as
 * TRACKED|INVALID.
 */
static void ovs_ct_update_key(const struct sk_buff *skb,
			      const struct ovs_conntrack_info *info,
			      struct sw_flow_key *key, bool post_ct,
			      bool keep_nat_flags)
{
	const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct;
	u8 state = 0;

	ct = nf_ct_get(skb, &ctinfo);
	if (ct) {
		state = ovs_ct_get_state(ctinfo);
		/* All unconfirmed entries are NEW connections. */
		if (!nf_ct_is_confirmed(ct))
			state |= OVS_CS_F_NEW;
		/* OVS persists the related flag for the duration of the
		 * connection.
		 */
		if (ct->master)
			state |= OVS_CS_F_RELATED;
		if (keep_nat_flags) {
			state |= key->ct_state & OVS_CS_F_NAT_MASK;
		} else {
			if (ct->status & IPS_SRC_NAT)
				state |= OVS_CS_F_SRC_NAT;
			if (ct->status & IPS_DST_NAT)
				state |= OVS_CS_F_DST_NAT;
		}
		zone = nf_ct_zone(ct);
	} else if (post_ct) {
		state = OVS_CS_F_TRACKED | OVS_CS_F_INVALID;
		if (info)
			zone = &info->zone;
	}
	__ovs_ct_update_key(key, state, zone, ct);
}

/* This is called to initialize CT key fields possibly coming in from the local
 * stack.
 */
void ovs_ct_fill_key(const struct sk_buff *skb, struct sw_flow_key *key)
{
	ovs_ct_update_key(skb, NULL, key, false, false);
}

/* Serialise the conntrack fields of 'output' as OVS_KEY_ATTR_CT_* netlink
 * attributes into 'skb'. 'swkey' decides whether an original-direction
 * tuple attribute is emitted (ct_orig_proto != 0) and which family it has.
 *
 * Returns 0 on success or -EMSGSIZE if the message ran out of room.
 */
int ovs_ct_put_key(const struct sw_flow_key *swkey,
		   const struct sw_flow_key *output, struct sk_buff *skb)
{
	if (nla_put_u32(skb, OVS_KEY_ATTR_CT_STATE, output->ct_state))
		return -EMSGSIZE;

	if (IS_ENABLED(CONFIG_NF_CONNTRACK_ZONES) &&
	    nla_put_u16(skb, OVS_KEY_ATTR_CT_ZONE, output->ct_zone))
		return -EMSGSIZE;

	if (IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) &&
	    nla_put_u32(skb, OVS_KEY_ATTR_CT_MARK, output->ct.mark))
		return -EMSGSIZE;

	if (IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS) &&
	    nla_put(skb, OVS_KEY_ATTR_CT_LABELS, sizeof(output->ct.labels),
		    &output->ct.labels))
		return -EMSGSIZE;

	if (swkey->ct_orig_proto) {
		if (swkey->eth.type == htons(ETH_P_IP)) {
			struct ovs_key_ct_tuple_ipv4 orig;

			/* Zero the whole struct first so padding bytes do not
			 * carry stale stack contents into the message.
			 */
			memset(&orig, 0, sizeof(orig));
			orig.ipv4_src = output->ipv4.ct_orig.src;
			orig.ipv4_dst = output->ipv4.ct_orig.dst;
			orig.src_port = output->ct.orig_tp.src;
			orig.dst_port = output->ct.orig_tp.dst;
			orig.ipv4_proto = output->ct_orig_proto;

			if (nla_put(skb, OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4,
				    sizeof(orig), &orig))
				return -EMSGSIZE;
		} else if (swkey->eth.type == htons(ETH_P_IPV6)) {
			struct ovs_key_ct_tuple_ipv6 orig;

			/* Same reason as the IPv4 case: no uninitialised
			 * padding reaches userspace.
			 */
			memset(&orig, 0, sizeof(orig));
			memcpy(orig.ipv6_src, output->ipv6.ct_orig.src.s6_addr32,
			       sizeof(orig.ipv6_src));
			memcpy(orig.ipv6_dst, output->ipv6.ct_orig.dst.s6_addr32,
			       sizeof(orig.ipv6_dst));
			orig.src_port = output->ct.orig_tp.src;
			orig.dst_port = output->ct.orig_tp.dst;
			orig.ipv6_proto = output->ct_orig_proto;

			if (nla_put(skb, OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6,
				    sizeof(orig), &orig))
				return -EMSGSIZE;
		}
	}

	return 0;
}

/* Masked write of 'ct_mark' into the connection's mark: only the bits in
 * 'mask' are replaced. The key's copy of the mark and the IPCT_MARK event
 * (for confirmed entries only) are updated only when the value actually
 * changes.
 *
 * Returns 0, or -ENOTSUPP when conntrack marks are not compiled in.
 */
static int ovs_ct_set_mark(struct nf_conn *ct, struct sw_flow_key *key,
			   u32 ct_mark, u32 mask)
{
#if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK)
	u32 new_mark;

	new_mark = ct_mark | (READ_ONCE(ct->mark) & ~(mask));
	if (READ_ONCE(ct->mark) != new_mark) {
		WRITE_ONCE(ct->mark, new_mark);
		if (nf_ct_is_confirmed(ct))
			nf_conntrack_event_cache(IPCT_MARK, ct);
		key->ct.mark = new_mark;
	}

	return 0;
#else
	return -ENOTSUPP;
#endif
}

/* Return the labels extension of 'ct', adding one if it does not exist yet.
 * May still return NULL if the extension cannot be added.
 */
static struct nf_conn_labels *ovs_ct_get_conn_labels(struct nf_conn *ct)
{
	struct nf_conn_labels *cl;

	cl = nf_ct_labels_find(ct);
	if (!cl) {
		nf_ct_labels_ext_add(ct);
		cl = nf_ct_labels_find(ct);
	}

	return cl;
}

/* Initialize labels for a new, yet to be committed conntrack entry. Note that
 * since the new connection is not yet confirmed, and thus no-one else has
 * access to it's labels, we simply write them over.
 *
 * Returns 0 on success (including when there is nothing to do), or -ENOSPC
 * if no labels extension could be attached to 'ct'.
 */
static int ovs_ct_init_labels(struct nf_conn *ct, struct sw_flow_key *key,
			      const struct ovs_key_ct_labels *labels,
			      const struct ovs_key_ct_labels *mask)
{
	struct nf_conn_labels *cl, *master_cl;
	bool have_mask = labels_nonzero(mask);

	/* Inherit master's labels to the related connection? */
	master_cl = ct->master ? nf_ct_labels_find(ct->master) : NULL;

	if (!master_cl && !have_mask)
		return 0; /* Nothing to do. */

	cl = ovs_ct_get_conn_labels(ct);
	if (!cl)
		return -ENOSPC;

	/* Inherit the master's labels, if any. */
	if (master_cl)
		*cl = *master_cl;

	if (have_mask) {
		/* Plain (unlocked) masked write; safe only because the entry
		 * is unconfirmed, see the comment above. The size guard on
		 * NF_CT_LABELS_MAX_SIZE above keeps this in bounds.
		 */
		u32 *dst = (u32 *)cl->bits;
		int i;

		for (i = 0; i < OVS_CT_LABELS_LEN_32; i++)
			dst[i] = (dst[i] & ~mask->ct_labels_32[i]) |
				(labels->ct_labels_32[i]
				 & mask->ct_labels_32[i]);
	}

	/* Labels are included in the IPCTNL_MSG_CT_NEW event only if the
	 * IPCT_LABEL bit is set in the event cache.
	 */
	nf_conntrack_event_cache(IPCT_LABEL, ct);

	memcpy(&key->ct.labels, cl->bits, OVS_CT_LABELS_LEN);

	return 0;
}

/* Masked label update for an existing (possibly confirmed) entry. Unlike
 * ovs_ct_init_labels() this goes through nf_connlabels_replace(), which
 * performs the update on a shared entry; the key's copy is refreshed from
 * the extension afterwards.
 *
 * Returns 0 on success, -ENOSPC if no labels extension is available, or the
 * error from nf_connlabels_replace().
 */
static int ovs_ct_set_labels(struct nf_conn *ct, struct sw_flow_key *key,
			     const struct ovs_key_ct_labels *labels,
			     const struct ovs_key_ct_labels *mask)
{
	struct nf_conn_labels *cl;
	int err;

	cl = ovs_ct_get_conn_labels(ct);
	if (!cl)
		return -ENOSPC;

	err = nf_connlabels_replace(ct, labels->ct_labels_32,
				    mask->ct_labels_32,
				    OVS_CT_LABELS_LEN_32);
	if (err)
		return err;

	memcpy(&key->ct.labels, cl->bits, OVS_CT_LABELS_LEN);

	return 0;
}

/* 'skb' should already be pulled to nh_ofs.
 *
 * Run the connection's ALG helper (if any) on the packet, then apply TCP
 * sequence adjustment when the helper has asked for it. 'proto' is the
 * NFPROTO_* family of the packet and must be IPv4 or IPv6.
 *
 * Returns an NF_* verdict: NF_ACCEPT when there is nothing to do or the
 * helper accepted the packet, NF_DROP on an unsupported family or failed
 * sequence adjustment, otherwise the helper's own verdict. help->helper is
 * read with rcu_dereference(), so the caller is expected to hold the RCU
 * read lock.
 */
static int ovs_ct_helper(struct sk_buff *skb, u16 proto)
{
	const struct nf_conntrack_helper *helper;
	const struct nf_conn_help *help;
	enum ip_conntrack_info ctinfo;
	unsigned int protoff;
	struct nf_conn *ct;
	int err;

	ct = nf_ct_get(skb, &ctinfo);
	if (!ct || ctinfo == IP_CT_RELATED_REPLY)
		return NF_ACCEPT;

	help = nfct_help(ct);
	if (!help)
		return NF_ACCEPT;

	helper = rcu_dereference(help->helper);
	if (!helper)
		return NF_ACCEPT;

	/* Locate the transport header the helper operates on. */
	switch (proto) {
	case NFPROTO_IPV4:
		protoff = ip_hdrlen(skb);
		break;
	case NFPROTO_IPV6: {
		u8 nexthdr = ipv6_hdr(skb)->nexthdr;
		__be16 frag_off;
		int ofs;

		ofs = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr,
				       &frag_off);
		/* Bail out if the extension-header walk failed or the
		 * fragment offset is non-zero, i.e. this is not the first
		 * fragment and the transport header is not in this skb.
		 */
		if (ofs < 0 || (frag_off & htons(~0x7)) != 0) {
			pr_debug("proto header not found\n");
			return NF_ACCEPT;
		}
		protoff = ofs;
		break;
	}
	default:
		WARN_ONCE(1, "helper invoked on non-IP family!");
		return NF_DROP;
	}

	err = helper->help(skb, protoff, ct, ctinfo);
	if (err != NF_ACCEPT)
		return err;

	/* Adjust seqs after helper. This is needed due to some helpers (e.g.,
	 * FTP with NAT) adusting the TCP payload size when mangling IP
	 * addresses and/or port numbers in the text-based control connection.
	 */
	if (test_bit(IPS_SEQ_ADJUST_BIT, &ct->status) &&
	    !nf_ct_seq_adjust(skb, ct, ctinfo, protoff))
		return NF_DROP;
	return NF_ACCEPT;
}

/* Returns 0 on success, -EINPROGRESS if 'skb' is stolen, or other nonzero
 * value if 'skb' is freed.
 *
 * Reassembles an IP fragment in the per-zone defrag queue. On success the
 * skb holds the full datagram, the L3/L4 parts of 'key' are re-extracted,
 * the fragment type is cleared and OVS_CB(skb)->mru records the largest
 * fragment size seen. The OVS control block is saved before and restored
 * after the defrag call because that call zeroes/uses IPCB/IP6CB.
 */
static int handle_fragments(struct net *net, struct sw_flow_key *key,
			    u16 zone, struct sk_buff *skb)
{
	struct ovs_skb_cb ovs_cb = *OVS_CB(skb);
	int err;

	if (key->eth.type == htons(ETH_P_IP)) {
		enum ip_defrag_users user = IP_DEFRAG_CONNTRACK_IN + zone;

		memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
		err = ip_defrag(net, skb, user);
		/* NOTE(review): no kfree_skb() here, unlike the IPv6 branch;
		 * this relies on ip_defrag() consuming the skb on error —
		 * confirm against its contract.
		 */
		if (err)
			return err;

		ovs_cb.mru = IPCB(skb)->frag_max_size;
#if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
	} else if (key->eth.type == htons(ETH_P_IPV6)) {
		enum ip6_defrag_users user = IP6_DEFRAG_CONNTRACK_IN + zone;

		memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm));
		err = nf_ct_frag6_gather(net, skb, user);
		if (err) {
			/* -EINPROGRESS means the skb was queued (stolen),
			 * so it must not be freed.
			 */
			if (err != -EINPROGRESS)
				kfree_skb(skb);
			return err;
		}

		key->ip.proto = ipv6_hdr(skb)->nexthdr;
		ovs_cb.mru = IP6CB(skb)->frag_max_size;
#endif
	} else {
		kfree_skb(skb);
		return -EPFNOSUPPORT;
	}

	/* The key extracted from the fragment that completed this datagram
	 * likely didn't have an L4 header, so regenerate it.
	 */
	ovs_flow_key_update_l3l4(skb, key);

	key->ip.frag = OVS_FRAG_TYPE_NONE;
	skb_clear_hash(skb);
	skb->ignore_df = 1;
	*OVS_CB(skb) = ovs_cb;

	return 0;
}

/* Look up a conntrack expectation matching the packet's tuple in 'zone'.
 * Returns the expectation, or NULL if the tuple cannot be extracted or no
 * expectation exists. As a side effect, a pre-existing conntrack entry that
 * collides with the expectation is deleted (see the comment in the body).
 */
static struct nf_conntrack_expect *
ovs_ct_expect_find(struct net *net, const struct nf_conntrack_zone *zone,
		   u16 proto, const struct sk_buff *skb)
{
	struct nf_conntrack_tuple tuple;
	struct nf_conntrack_expect *exp;

	if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb), proto, net, &tuple))
		return NULL;

	exp = __nf_ct_expect_find(net, zone, &tuple);
	if (exp) {
		struct nf_conntrack_tuple_hash *h;

		/* Delete existing conntrack entry, if it clashes with the
		 * expectation. This can happen since conntrack ALGs do not
		 * check for clashes between (new) expectations and existing
		 * conntrack entries. nf_conntrack_in() will check the
		 * expectations only if a conntrack entry can not be found,
		 * which can lead to OVS finding the expectation (here) in the
		 * init direction, but which will not be removed by the
		 * nf_conntrack_in() call, if a matching conntrack entry is
		 * found instead. In this case all init direction packets
		 * would be reported as new related packets, while reply
		 * direction packets would be reported as un-related
		 * established packets.
		 */
		h = nf_conntrack_find_get(net, zone, &tuple);
		if (h) {
			struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);

			nf_ct_delete(ct, 0, 0);
			/* Drop the reference taken by nf_conntrack_find_get(). */
			nf_conntrack_put(&ct->ct_general);
		}
	}

	return exp;
}

/* This replicates logic from nf_conntrack_core.c that is not exported.
 *
 * Derive the ctinfo for a packet from the tuplehash it matched: reply
 * direction is ESTABLISHED_REPLY; otherwise ESTABLISHED once a reply has
 * been seen, RELATED if the entry came from an expectation, else NEW.
 */
static enum ip_conntrack_info
ovs_ct_get_info(const struct nf_conntrack_tuple_hash *h)
{
	const struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);

	if (NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY)
		return IP_CT_ESTABLISHED_REPLY;
	/* Once we've had two way comms, always ESTABLISHED. */
	if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status))
		return IP_CT_ESTABLISHED;
	if (test_bit(IPS_EXPECTED_BIT, &ct->status))
		return IP_CT_RELATED;
	return IP_CT_NEW;
}

/* Find an existing connection which this packet belongs to without
 * re-attributing statistics or modifying the connection state. This allows an
 * skb->_nfct lost due to an upcall to be recovered during actions execution.
 *
 * Must be called with rcu_read_lock.
 *
 * On success, populates skb->_nfct and returns the connection. Returns NULL
 * if there is no existing entry.
 *
 * 'natted' says the packet headers have already been rewritten by NAT, in
 * which case the tuple extracted from the packet is inverted before the
 * lookup and the opposite tuplehash is used to derive the ctinfo.
 */
static struct nf_conn *
ovs_ct_find_existing(struct net *net, const struct nf_conntrack_zone *zone,
		     u8 l3num, struct sk_buff *skb, bool natted)
{
	struct nf_conntrack_tuple tuple;
	struct nf_conntrack_tuple_hash *h;
	struct nf_conn *ct;

	if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb), l3num,
			       net, &tuple)) {
		pr_debug("ovs_ct_find_existing: Can't get tuple\n");
		return NULL;
	}

	/* Must invert the tuple if skb has been transformed by NAT. */
	if (natted) {
		struct nf_conntrack_tuple inverse;

		if (!nf_ct_invert_tuple(&inverse, &tuple)) {
			pr_debug("ovs_ct_find_existing: Inversion failed!\n");
			return NULL;
		}
		tuple = inverse;
	}

	/* look for tuple match */
	h = nf_conntrack_find_get(net, zone, &tuple);
	if (!h)
		return NULL; /* Not found. */

	ct = nf_ct_tuplehash_to_ctrack(h);

	/* Inverted packet tuple matches the reverse direction conntrack tuple,
	 * select the other tuplehash to get the right 'ctinfo' bits for this
	 * packet.
	 */
	if (natted)
		h = &ct->tuplehash[!h->tuple.dst.dir];

	/* The reference taken by nf_conntrack_find_get() is handed to the
	 * skb here; it is not dropped in this function.
	 */
	nf_ct_set(skb, ct, ovs_ct_get_info(h));
	return ct;
}

/* Decide from the flow key whether this packet has already been through
 * conntrack in the action's zone ('*ct_executed'), and if so — or if the
 * action forces a lookup on an untracked packet — try to recover the
 * connection via ovs_ct_find_existing().
 *
 * Returns the recovered connection or NULL. Note that *ct_executed is
 * written unconditionally, even when no lookup is attempted.
 */
static
struct nf_conn *ovs_ct_executed(struct net *net,
				const struct sw_flow_key *key,
				const struct ovs_conntrack_info *info,
				struct sk_buff *skb,
				bool *ct_executed)
{
	struct nf_conn *ct = NULL;

	/* If no ct, check if we have evidence that an existing conntrack entry
	 * might be found for this skb. This happens when we lose a skb->_nfct
	 * due to an upcall, or if the direction is being forced. If the
	 * connection was not confirmed, it is not cached and needs to be run
	 * through conntrack again.
	 */
	*ct_executed = (key->ct_state & OVS_CS_F_TRACKED) &&
		       !(key->ct_state & OVS_CS_F_INVALID) &&
		       (key->ct_zone == info->zone.id);

	if (*ct_executed || (!key->ct_state && info->force)) {
		/* The NAT bits in the key tell the lookup whether the
		 * packet tuple must be inverted.
		 */
		ct = ovs_ct_find_existing(net, &info->zone, info->family, skb,
					  !!(key->ct_state &
					     OVS_CS_F_NAT_MASK));
	}

	return ct;
}

/* Determine whether skb->_nfct is equal to the result of conntrack lookup. */
static bool skb_nfct_cached(struct net *net,
			    const struct sw_flow_key *key,
			    const struct ovs_conntrack_info *info,
			    struct sk_buff *skb)
{
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct;
	bool ct_executed = true;

	ct = nf_ct_get(skb, &ctinfo);
	if (!ct)
		ct = ovs_ct_executed(net, key, info, skb, &ct_executed);

	if (ct)
		nf_ct_get(skb, &ctinfo);
	else
		return false;

	if (!net_eq(net, read_pnet(&ct->ct_net)))
		return false;
	if (!nf_ct_zone_equal_any(info->ct, nf_ct_zone(ct)))
		return false;
	if (info->helper) {
		struct nf_conn_help *help;

7048c2ecf20Sopenharmony_ci help = nf_ct_ext_find(ct, NF_CT_EXT_HELPER); 7058c2ecf20Sopenharmony_ci if (help && rcu_access_pointer(help->helper) != info->helper) 7068c2ecf20Sopenharmony_ci return false; 7078c2ecf20Sopenharmony_ci } 7088c2ecf20Sopenharmony_ci if (info->nf_ct_timeout) { 7098c2ecf20Sopenharmony_ci struct nf_conn_timeout *timeout_ext; 7108c2ecf20Sopenharmony_ci 7118c2ecf20Sopenharmony_ci timeout_ext = nf_ct_timeout_find(ct); 7128c2ecf20Sopenharmony_ci if (!timeout_ext || info->nf_ct_timeout != 7138c2ecf20Sopenharmony_ci rcu_dereference(timeout_ext->timeout)) 7148c2ecf20Sopenharmony_ci return false; 7158c2ecf20Sopenharmony_ci } 7168c2ecf20Sopenharmony_ci /* Force conntrack entry direction to the current packet? */ 7178c2ecf20Sopenharmony_ci if (info->force && CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL) { 7188c2ecf20Sopenharmony_ci /* Delete the conntrack entry if confirmed, else just release 7198c2ecf20Sopenharmony_ci * the reference. 7208c2ecf20Sopenharmony_ci */ 7218c2ecf20Sopenharmony_ci if (nf_ct_is_confirmed(ct)) 7228c2ecf20Sopenharmony_ci nf_ct_delete(ct, 0, 0); 7238c2ecf20Sopenharmony_ci 7248c2ecf20Sopenharmony_ci nf_conntrack_put(&ct->ct_general); 7258c2ecf20Sopenharmony_ci nf_ct_set(skb, NULL, 0); 7268c2ecf20Sopenharmony_ci return false; 7278c2ecf20Sopenharmony_ci } 7288c2ecf20Sopenharmony_ci 7298c2ecf20Sopenharmony_ci return ct_executed; 7308c2ecf20Sopenharmony_ci} 7318c2ecf20Sopenharmony_ci 7328c2ecf20Sopenharmony_ci#if IS_ENABLED(CONFIG_NF_NAT) 7338c2ecf20Sopenharmony_cistatic void ovs_nat_update_key(struct sw_flow_key *key, 7348c2ecf20Sopenharmony_ci const struct sk_buff *skb, 7358c2ecf20Sopenharmony_ci enum nf_nat_manip_type maniptype) 7368c2ecf20Sopenharmony_ci{ 7378c2ecf20Sopenharmony_ci if (maniptype == NF_NAT_MANIP_SRC) { 7388c2ecf20Sopenharmony_ci __be16 src; 7398c2ecf20Sopenharmony_ci 7408c2ecf20Sopenharmony_ci key->ct_state |= OVS_CS_F_SRC_NAT; 7418c2ecf20Sopenharmony_ci if (key->eth.type == htons(ETH_P_IP)) 7428c2ecf20Sopenharmony_ci 
key->ipv4.addr.src = ip_hdr(skb)->saddr; 7438c2ecf20Sopenharmony_ci else if (key->eth.type == htons(ETH_P_IPV6)) 7448c2ecf20Sopenharmony_ci memcpy(&key->ipv6.addr.src, &ipv6_hdr(skb)->saddr, 7458c2ecf20Sopenharmony_ci sizeof(key->ipv6.addr.src)); 7468c2ecf20Sopenharmony_ci else 7478c2ecf20Sopenharmony_ci return; 7488c2ecf20Sopenharmony_ci 7498c2ecf20Sopenharmony_ci if (key->ip.proto == IPPROTO_UDP) 7508c2ecf20Sopenharmony_ci src = udp_hdr(skb)->source; 7518c2ecf20Sopenharmony_ci else if (key->ip.proto == IPPROTO_TCP) 7528c2ecf20Sopenharmony_ci src = tcp_hdr(skb)->source; 7538c2ecf20Sopenharmony_ci else if (key->ip.proto == IPPROTO_SCTP) 7548c2ecf20Sopenharmony_ci src = sctp_hdr(skb)->source; 7558c2ecf20Sopenharmony_ci else 7568c2ecf20Sopenharmony_ci return; 7578c2ecf20Sopenharmony_ci 7588c2ecf20Sopenharmony_ci key->tp.src = src; 7598c2ecf20Sopenharmony_ci } else { 7608c2ecf20Sopenharmony_ci __be16 dst; 7618c2ecf20Sopenharmony_ci 7628c2ecf20Sopenharmony_ci key->ct_state |= OVS_CS_F_DST_NAT; 7638c2ecf20Sopenharmony_ci if (key->eth.type == htons(ETH_P_IP)) 7648c2ecf20Sopenharmony_ci key->ipv4.addr.dst = ip_hdr(skb)->daddr; 7658c2ecf20Sopenharmony_ci else if (key->eth.type == htons(ETH_P_IPV6)) 7668c2ecf20Sopenharmony_ci memcpy(&key->ipv6.addr.dst, &ipv6_hdr(skb)->daddr, 7678c2ecf20Sopenharmony_ci sizeof(key->ipv6.addr.dst)); 7688c2ecf20Sopenharmony_ci else 7698c2ecf20Sopenharmony_ci return; 7708c2ecf20Sopenharmony_ci 7718c2ecf20Sopenharmony_ci if (key->ip.proto == IPPROTO_UDP) 7728c2ecf20Sopenharmony_ci dst = udp_hdr(skb)->dest; 7738c2ecf20Sopenharmony_ci else if (key->ip.proto == IPPROTO_TCP) 7748c2ecf20Sopenharmony_ci dst = tcp_hdr(skb)->dest; 7758c2ecf20Sopenharmony_ci else if (key->ip.proto == IPPROTO_SCTP) 7768c2ecf20Sopenharmony_ci dst = sctp_hdr(skb)->dest; 7778c2ecf20Sopenharmony_ci else 7788c2ecf20Sopenharmony_ci return; 7798c2ecf20Sopenharmony_ci 7808c2ecf20Sopenharmony_ci key->tp.dst = dst; 7818c2ecf20Sopenharmony_ci } 7828c2ecf20Sopenharmony_ci} 

/* Modelled after nf_nat_ipv[46]_fn().
 * range is only used for new, uninitialized NAT state.
 * Returns either NF_ACCEPT or NF_DROP.
 *
 * 'skb' is pulled to the network header for the netfilter NAT helpers and
 * pushed back, with the checksum fixed up, at 'push' on every return path.
 * For a NEW (or non-ICMP RELATED) connection whose NAT state is not yet
 * initialized, a 'range' with NF_NAT_RANGE_MAP_IPS sets up a real mapping;
 * a NULL 'range' or one without that flag allocates a null binding instead.
 * Any ctinfo outside the handled cases is dropped.  On NF_ACCEPT the flow
 * 'key' is refreshed from the rewritten headers.
 */
static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct,
			      enum ip_conntrack_info ctinfo,
			      const struct nf_nat_range2 *range,
			      enum nf_nat_manip_type maniptype, struct sw_flow_key *key)
{
	int hooknum, nh_off, err = NF_ACCEPT;

	nh_off = skb_network_offset(skb);
	skb_pull_rcsum(skb, nh_off);

	/* See HOOK2MANIP(). */
	if (maniptype == NF_NAT_MANIP_SRC)
		hooknum = NF_INET_LOCAL_IN; /* Source NAT */
	else
		hooknum = NF_INET_LOCAL_OUT; /* Destination NAT */

	switch (ctinfo) {
	case IP_CT_RELATED:
	case IP_CT_RELATED_REPLY:
		/* ICMP/ICMPv6 errors related to a NATed connection are
		 * translated as a whole (embedded packet included) and never
		 * reach nf_nat_packet().
		 */
		if (IS_ENABLED(CONFIG_NF_NAT) &&
		    skb->protocol == htons(ETH_P_IP) &&
		    ip_hdr(skb)->protocol == IPPROTO_ICMP) {
			if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo,
							   hooknum))
				err = NF_DROP;
			goto push;
		} else if (IS_ENABLED(CONFIG_IPV6) &&
			   skb->protocol == htons(ETH_P_IPV6)) {
			__be16 frag_off;
			u8 nexthdr = ipv6_hdr(skb)->nexthdr;
			int hdrlen = ipv6_skip_exthdr(skb,
						      sizeof(struct ipv6hdr),
						      &nexthdr, &frag_off);

			/* A negative hdrlen means the extension header chain
			 * could not be walked; such packets take the generic
			 * path below instead of the ICMPv6 one.
			 */
			if (hdrlen >= 0 && nexthdr == IPPROTO_ICMPV6) {
				if (!nf_nat_icmpv6_reply_translation(skb, ct,
								     ctinfo,
								     hooknum,
								     hdrlen))
					err = NF_DROP;
				goto push;
			}
		}
		/* Non-ICMP, fall thru to initialize if needed. */
		fallthrough;
	case IP_CT_NEW:
		/* Seen it before?  This can happen for loopback, retrans,
		 * or local packets.
		 */
		if (!nf_nat_initialized(ct, maniptype)) {
			/* Initialize according to the NAT action. */
			err = (range && range->flags & NF_NAT_RANGE_MAP_IPS)
				/* Action is set up to establish a new
				 * mapping.
				 */
				? nf_nat_setup_info(ct, range, maniptype)
				: nf_nat_alloc_null_binding(ct, hooknum);
			if (err != NF_ACCEPT)
				goto push;
		}
		break;

	case IP_CT_ESTABLISHED:
	case IP_CT_ESTABLISHED_REPLY:
		break;

	default:
		/* Unexpected conntrack state: refuse to rewrite the packet. */
		err = NF_DROP;
		goto push;
	}

	err = nf_nat_packet(ct, ctinfo, hooknum, skb);
push:
	skb_push(skb, nh_off);
	skb_postpush_rcsum(skb, skb->data, nh_off);

	/* Update the flow key if NAT successful. */
	if (err == NF_ACCEPT)
		ovs_nat_update_key(key, skb, maniptype);

	return err;
}

/* Returns NF_DROP if the packet should be dropped, NF_ACCEPT otherwise.
 *
 * Chooses the NAT manipulation for 'skb' from the CT action in 'info' and the
 * state recorded on 'ct', then runs ovs_ct_nat_execute() for it. When the
 * connection carries both SRC and DST NAT, a second pass performs the other
 * manipulation; when only DST NAT is recorded and the packet travels in the
 * original direction, a second SRC pass with a NULL range is run.
 *
 * Returns NF_ACCEPT without touching the packet when the NAT extension cannot
 * be added to an unconfirmed 'ct' or when neither the action nor the tracked
 * connection calls for NAT.
 */
static int ovs_ct_nat(struct net *net, struct sw_flow_key *key,
		      const struct ovs_conntrack_info *info,
		      struct sk_buff *skb, struct nf_conn *ct,
		      enum ip_conntrack_info ctinfo)
{
	enum nf_nat_manip_type maniptype;
	int err;

	/* Add NAT extension if not confirmed yet. */
	if (!nf_ct_is_confirmed(ct) && !nf_ct_nat_ext_add(ct))
		return NF_ACCEPT;   /* Can't NAT. */

	/* Determine NAT type.
	 * Check if the NAT type can be deduced from the tracked connection.
	 * Make sure new expected connections (IP_CT_RELATED) are NATted only
	 * when committing.
	 */
	if (info->nat & OVS_CT_NAT && ctinfo != IP_CT_NEW &&
	    ct->status & IPS_NAT_MASK &&
	    (ctinfo != IP_CT_RELATED || info->commit)) {
		/* NAT an established or related connection like before. */
		if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY)
			/* This is the REPLY direction for a connection
			 * for which NAT was applied in the forward
			 * direction.  Do the reverse NAT.
			 */
			maniptype = ct->status & IPS_SRC_NAT
				? NF_NAT_MANIP_DST : NF_NAT_MANIP_SRC;
		else
			maniptype = ct->status & IPS_SRC_NAT
				? NF_NAT_MANIP_SRC : NF_NAT_MANIP_DST;
	} else if (info->nat & OVS_CT_SRC_NAT) {
		maniptype = NF_NAT_MANIP_SRC;
	} else if (info->nat & OVS_CT_DST_NAT) {
		maniptype = NF_NAT_MANIP_DST;
	} else {
		return NF_ACCEPT; /* Connection is not NATed. */
	}
	err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range, maniptype, key);

	if (err == NF_ACCEPT && ct->status & IPS_DST_NAT) {
		if (ct->status & IPS_SRC_NAT) {
			/* Both directions are mapped: run the manipulation
			 * not done in the first pass.
			 */
			if (maniptype == NF_NAT_MANIP_SRC)
				maniptype = NF_NAT_MANIP_DST;
			else
				maniptype = NF_NAT_MANIP_SRC;

			err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range,
						 maniptype, key);
		} else if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL) {
			/* No SRC mapping requested: a NULL range yields a null
			 * SRC binding for a NEW connection (see
			 * ovs_ct_nat_execute()).
			 */
			err = ovs_ct_nat_execute(skb, ct, ctinfo, NULL,
						 NF_NAT_MANIP_SRC, key);
		}
	}

	return err;
}
#else /* !CONFIG_NF_NAT */
/* NAT support compiled out: a CT action requesting NAT is accepted without
 * modifying the packet or the key.
 */
static int ovs_ct_nat(struct net *net, struct sw_flow_key *key,
		      const struct ovs_conntrack_info *info,
		      struct sk_buff *skb, struct nf_conn *ct,
		      enum ip_conntrack_info ctinfo)
{
	return NF_ACCEPT;
}
#endif

/* Pass 'skb' through conntrack in 'net', using zone configured in 'info', if
 * not done already. Update key with new CT state after passing the packet
 * through conntrack.
 * Note that if the packet is deemed invalid by conntrack, skb->_nfct will be
 * set to NULL and 0 will be returned.
 *
 * Returns 0 on success, -ENOENT when nf_conntrack_in() does not accept the
 * packet, -EINVAL when NAT, the seqadj extension or the helper fails, or the
 * error from __nf_ct_try_assign_helper().
 */
static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
			   const struct ovs_conntrack_info *info,
			   struct sk_buff *skb)
{
	/* If we are recirculating packets to match on conntrack fields and
	 * committing with a separate conntrack action, then we don't need to
	 * actually run the packet through conntrack twice unless it's for a
	 * different zone.
	 */
	bool cached = skb_nfct_cached(net, key, info, skb);
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct;

	if (!cached) {
		struct nf_hook_state state = {
			.hook = NF_INET_PRE_ROUTING,
			.pf = info->family,
			.net = net,
		};
		struct nf_conn *tmpl = info->ct;
		int err;

		/* Associate skb with specified zone.  Any connection still
		 * attached to the skb is released first; the template gets
		 * its own reference before being attached.
		 */
		if (tmpl) {
			if (skb_nfct(skb))
				nf_conntrack_put(skb_nfct(skb));
			nf_conntrack_get(&tmpl->ct_general);
			nf_ct_set(skb, tmpl, IP_CT_NEW);
		}

		err = nf_conntrack_in(skb, &state);
		if (err != NF_ACCEPT)
			return -ENOENT;

		/* Clear CT state NAT flags to mark that we have not yet done
		 * NAT after the nf_conntrack_in() call.  We can actually clear
		 * the whole state, as it will be re-initialized below.
		 */
		key->ct_state = 0;

		/* Update the key, but keep the NAT flags. */
		ovs_ct_update_key(skb, info, key, true, true);
	}

	/* NULL here is the "invalid packet" case from the header comment. */
	ct = nf_ct_get(skb, &ctinfo);
	if (ct) {
		bool add_helper = false;

		/* Packets starting a new connection must be NATted before the
		 * helper, so that the helper knows about the NAT.  We enforce
		 * this by delaying both NAT and helper calls for unconfirmed
		 * connections until the committing CT action.  For later
		 * packets NAT and Helper may be called in either order.
		 *
		 * NAT will be done only if the CT action has NAT, and only
		 * once per packet (per zone), as guarded by the NAT bits in
		 * the key->ct_state.
		 */
		if (info->nat && !(key->ct_state & OVS_CS_F_NAT_MASK) &&
		    (nf_ct_is_confirmed(ct) || info->commit) &&
		    ovs_ct_nat(net, key, info, skb, ct, ctinfo) != NF_ACCEPT) {
			return -EINVAL;
		}

		/* Userspace may decide to perform a ct lookup without a helper
		 * specified followed by a (recirculate and) commit with one,
		 * or attach a helper in a later commit.  Therefore, for
		 * connections which we will commit, we may need to attach
		 * the helper here.
		 */
		if (info->commit && info->helper && !nfct_help(ct)) {
			int err = __nf_ct_try_assign_helper(ct, info->ct,
							    GFP_ATOMIC);
			if (err)
				return err;
			add_helper = true;

			/* helper installed, add seqadj if NAT is required */
			if (info->nat && !nfct_seqadj(ct)) {
				if (!nfct_seqadj_ext_add(ct))
					return -EINVAL;
			}
		}

		/* Call the helper only if:
		 * - nf_conntrack_in() was executed above ("!cached") or a
		 *   helper was just attached ("add_helper") for a confirmed
		 *   connection, or
		 * - When committing an unconfirmed connection.
		 */
		if ((nf_ct_is_confirmed(ct) ? !cached || add_helper :
					      info->commit) &&
		    ovs_ct_helper(skb, info->family) != NF_ACCEPT) {
			return -EINVAL;
		}
	}

	return 0;
}

/* Lookup connection and read fields into key.
 *
 * Non-committing CT action. An expected (RELATED) packet is only reflected in
 * the key, without touching conntrack; anything else is passed through
 * __ovs_ct_lookup() and any cached conntrack events are delivered.
 *
 * Returns 0, or the error from __ovs_ct_lookup().
 */
static int ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
			 const struct ovs_conntrack_info *info,
			 struct sk_buff *skb)
{
	struct nf_conntrack_expect *exp;

	/* If we pass an expected packet through nf_conntrack_in() the
	 * expectation is typically removed, but the packet could still be
	 * lost in upcall processing.  To prevent this from happening we
	 * perform an explicit expectation lookup.  Expected connections are
	 * always new, and will be passed through conntrack only when they are
	 * committed, as it is OK to remove the expectation at that time.
	 */
	exp = ovs_ct_expect_find(net, &info->zone, info->family, skb);
	if (exp) {
		u8 state;

		/* NOTE: New connections are NATted and Helped only when
		 * committed, so we are not calling into NAT here.
		 */
		state = OVS_CS_F_TRACKED | OVS_CS_F_NEW | OVS_CS_F_RELATED;
		/* Mark/labels for the key come from the expectation's master
		 * connection.
		 */
		__ovs_ct_update_key(key, state, &info->zone, exp->master);
	} else {
		struct nf_conn *ct;
		int err;

		err = __ovs_ct_lookup(net, key, info, skb);
		if (err)
			return err;

		ct = (struct nf_conn *)skb_nfct(skb);
		if (ct)
			nf_ct_deliver_cached_events(ct);
	}

	return 0;
}

/* Returns true if any 32-bit word of 'labels' is set, i.e. the label value
 * or mask is not all-zero.
 */
static bool labels_nonzero(const struct ovs_key_ct_labels *labels)
{
	size_t i;

	for (i = 0; i < OVS_CT_LABELS_LEN_32; i++)
		if (labels->ct_labels_32[i])
			return true;

	return false;
}

#if IS_ENABLED(CONFIG_NETFILTER_CONNCOUNT)
/* Per-zone conntrack limit table: a small hash keyed by zone id.
 *
 * The bucket index is 'zone' masked with CT_LIMIT_HASH_BUCKETS - 1, which
 * assumes CT_LIMIT_HASH_BUCKETS is a power of two — confirm where it is
 * defined.
 */
static struct hlist_head *ct_limit_hash_bucket(
	const struct ovs_ct_limit_info *info, u16 zone)
{
	return &info->limits[zone & (CT_LIMIT_HASH_BUCKETS - 1)];
}

/* Call with ovs_mutex
 *
 * Install 'new_ct_limit' for its zone, replacing (and RCU-freeing) an
 * existing entry for the same zone, or adding it to the bucket otherwise.
 * Ownership of 'new_ct_limit' passes to the table.
 */
static void ct_limit_set(const struct ovs_ct_limit_info *info,
			 struct ovs_ct_limit *new_ct_limit)
{
	struct ovs_ct_limit *ct_limit;
	struct hlist_head *head;

	head = ct_limit_hash_bucket(info, new_ct_limit->zone);
	hlist_for_each_entry_rcu(ct_limit, head, hlist_node) {
		if (ct_limit->zone == new_ct_limit->zone) {
			hlist_replace_rcu(&ct_limit->hlist_node,
					  &new_ct_limit->hlist_node);
			kfree_rcu(ct_limit, rcu);
			return;
		}
	}

	hlist_add_head_rcu(&new_ct_limit->hlist_node, head);
}

/* Call with ovs_mutex
 *
 * Remove and RCU-free the limit entry for 'zone', if one exists.  Readers
 * under rcu_read_lock may still observe the entry until the grace period
 * ends; afterwards ct_limit_get() falls back to the default limit.
 */
static void ct_limit_del(const struct ovs_ct_limit_info *info, u16 zone)
{
	struct ovs_ct_limit *ct_limit;
	struct hlist_head *head;
	struct hlist_node *n;

	head = ct_limit_hash_bucket(info, zone);
	hlist_for_each_entry_safe(ct_limit, n, head, hlist_node) {
		if (ct_limit->zone == zone) {
			hlist_del_rcu(&ct_limit->hlist_node);
			kfree_rcu(ct_limit, rcu);
			return;
		}
	}
}

/* Call with RCU read lock
 *
 * Returns the limit configured for 'zone', or info->default_limit when the
 * zone has no entry of its own.
 */
static u32 ct_limit_get(const struct ovs_ct_limit_info *info, u16 zone)
{
	struct ovs_ct_limit *ct_limit;
	struct hlist_head *head;

	head = ct_limit_hash_bucket(info, zone);
	hlist_for_each_entry_rcu(ct_limit, head, hlist_node) {
		if (ct_limit->zone == zone)
			return ct_limit->limit;
	}

	return info->default_limit;
}

/* Enforce the per-zone connection limit before a new connection in the zone
 * of 'info' is confirmed.
 *
 * Returns 0 when the zone is unlimited or still below its limit, -ENOMEM when
 * the count reported by nf_conncount_count() for 'tuple' exceeds it.
 */
static int ovs_ct_check_limit(struct net *net,
			      const struct ovs_conntrack_info *info,
			      const struct nf_conntrack_tuple *tuple)
{
	struct ovs_net *ovs_net = net_generic(net, ovs_net_id);
	const struct ovs_ct_limit_info *ct_limit_info = ovs_net->ct_limit_info;
	u32 per_zone_limit, connections;
	u32 conncount_key;

	/* The conncount tree is keyed by zone id alone. */
	conncount_key = info->zone.id;

	per_zone_limit = ct_limit_get(ct_limit_info, info->zone.id);
	if (per_zone_limit == OVS_CT_LIMIT_UNLIMITED)
		return 0;

	connections = nf_conncount_count(net, ct_limit_info->data,
					 &conncount_key, tuple, &info->zone);
	if (connections > per_zone_limit)
		return -ENOMEM;

	return 0;
}
#endif

/* Lookup connection and confirm if unconfirmed.
 *
 * Committing CT action: runs the packet through __ovs_ct_lookup(), enforces
 * the per-zone connection limit for not-yet-confirmed connections (when the
 * limit feature is enabled), applies the event mask, mark and labels from
 * 'info', then confirms the connection.
 *
 * Returns 0 on success (also when conntrack found the packet invalid and no
 * connection is attached), the error from __ovs_ct_lookup(),
 * ovs_ct_check_limit() or the mark/label setters, or -EINVAL when
 * nf_conntrack_confirm() does not accept the packet.
 */
static int ovs_ct_commit(struct net *net, struct sw_flow_key *key,
			 const struct ovs_conntrack_info *info,
			 struct sk_buff *skb)
{
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct;
	int err;

	err = __ovs_ct_lookup(net, key, info, skb);
	if (err)
		return err;

	/* The connection could be invalid, in which case this is a no-op.*/
	ct = nf_ct_get(skb, &ctinfo);
	if (!ct)
		return 0;

#if IS_ENABLED(CONFIG_NETFILTER_CONNCOUNT)
	/* Only connections about to be confirmed count against the zone
	 * limit; already-confirmed ones were checked when first committed.
	 * The warning is rate limited so a flood of rejected connections
	 * cannot flood the log.
	 */
	if (static_branch_unlikely(&ovs_ct_limit_enabled)) {
		if (!nf_ct_is_confirmed(ct)) {
			err = ovs_ct_check_limit(net, info,
				&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
			if (err) {
				net_warn_ratelimited("openvswitch: zone: %u "
					"exceeds conntrack limit\n",
					info->zone.id);
				return err;
			}
		}
	}
#endif

	/* Set the conntrack event mask if given.  NEW and DELETE events have
	 * their own groups, but the NFNLGRP_CONNTRACK_UPDATE group listener
	 * typically would receive many kinds of updates.  Setting the event
	 * mask allows those events to be filtered.  The set event mask will
	 * remain in effect for the lifetime of the connection unless changed
	 * by a further CT action with both the commit flag and the eventmask
	 * option. */
	if (info->have_eventmask) {
		struct nf_conntrack_ecache *cache = nf_ct_ecache_find(ct);

		if (cache)
			cache->ctmask = info->eventmask;
	}

	/* Apply changes before confirming the connection so that the initial
	 * conntrack NEW netlink event carries the values given in the CT
	 * action.
	 */
	if (info->mark.mask) {
		err = ovs_ct_set_mark(ct, key, info->mark.value,
				      info->mark.mask);
		if (err)
			return err;
	}
	/* Labels are initialized on a new connection unconditionally, but
	 * only rewritten on a confirmed one when the action masks some bits.
	 */
	if (!nf_ct_is_confirmed(ct)) {
		err = ovs_ct_init_labels(ct, key, &info->labels.value,
					 &info->labels.mask);
		if (err)
			return err;
	} else if (IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS) &&
		   labels_nonzero(&info->labels.mask)) {
		err = ovs_ct_set_labels(ct, key, &info->labels.value,
					&info->labels.mask);
		if (err)
			return err;
	}
	/* This will take care of sending queued events even if the connection
	 * is already confirmed.
	 */
	if (nf_conntrack_confirm(skb) != NF_ACCEPT)
		return -EINVAL;

	return 0;
}

/* Trim the skb to the length specified by the IP/IPv6 header,
 * removing any trailing lower-layer padding. This prepares the skb
 * for higher-layer processing that assumes skb->len excludes padding
 * (such as nf_ip_checksum). The caller needs to pull the skb to the
 * network header, and ensure ip_hdr/ipv6_hdr points to valid data.
 *
 * Returns 0 on success. On failure the skb has already been freed here and
 * the error is returned; the caller must not touch the skb again.
 *
 * NOTE(review): 'len' is read from the packet's own header and so may exceed
 * skb->len; pskb_trim_rcsum() is expected to leave the skb untouched in that
 * case — confirm.
 */
static int ovs_skb_network_trim(struct sk_buff *skb)
{
	unsigned int len;
	int err;

	switch (skb->protocol) {
	case htons(ETH_P_IP):
		len = ntohs(ip_hdr(skb)->tot_len);
		break;
	case htons(ETH_P_IPV6):
		len = sizeof(struct ipv6hdr)
			+ ntohs(ipv6_hdr(skb)->payload_len);
		break;
	default:
		/* Non-IP: nothing to trim. */
		len = skb->len;
	}

	err = pskb_trim_rcsum(skb, len);
	if (err)
		kfree_skb(skb);

	return err;
}

/* Returns 0 on success, -EINPROGRESS if 'skb' is stolen, or other nonzero
 * value if 'skb' is freed.
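 */
/* Execute a CT action on 'skb'.
 *
 * net:  namespace whose conntrack table is used.
 * skb:  the packet, positioned at its L2 header on entry and on a
 *       successful return.
 * key:  flow key to refresh with the resulting conntrack state.
 * info: the parsed CT action.
 *
 * The packet is pulled to L3 for conntrack, trimmed to its IP length,
 * optionally reassembled, then either committed or merely looked up,
 * and finally pushed back to its L2 header.  Ownership of the skb on
 * failure follows the contract above: ovs_skb_network_trim() and
 * handle_fragments() release or steal the skb themselves, while a failed
 * commit/lookup is followed by kfree_skb() here.
 */
int ovs_ct_execute(struct net *net, struct sk_buff *skb,
		   struct sw_flow_key *key,
		   const struct ovs_conntrack_info *info)
{
	int nh_ofs;
	int err;

	/* The conntrack module expects to be working at L3. */
	nh_ofs = skb_network_offset(skb);
	skb_pull_rcsum(skb, nh_ofs);

	/* Frees the skb itself on failure; do not free it again. */
	err = ovs_skb_network_trim(skb);
	if (err)
		return err;

	/* Fragments must be reassembled before conntrack can classify the
	 * packet; a stolen fragment is reported as -EINPROGRESS.
	 */
	if (key->ip.frag != OVS_FRAG_TYPE_NONE) {
		err = handle_fragments(net, key, info->zone.id, skb);
		if (err)
			return err;
	}

	if (info->commit)
		err = ovs_ct_commit(net, key, info, skb);
	else
		err = ovs_ct_lookup(net, key, info, skb);

	/* Restore the L2 header (and the checksum bookkeeping) even on
	 * failure, before the skb is released below.
	 */
	skb_push(skb, nh_ofs);
	skb_postpush_rcsum(skb, skb->data, nh_ofs);
	if (err)
		kfree_skb(skb);
	return err;
}

/* Execute a ct_clear action: detach any conntrack entry from 'skb', mark
 * the skb untracked and refresh the flow key so that it agrees with the
 * skb.
 *
 * skb: the packet.
 * key: flow key to refresh; may be NULL when the caller has none.
 *
 * The key is refreshed whether or not an entry was attached.  Before this
 * change it was only refreshed inside the skb_nfct() branch, so a key that
 * already carried conntrack state for an skb without an attached entry
 * (e.g. the state a failed lookup leaves behind — TODO confirm against
 * __ovs_ct_lookup) kept that stale state after ct_clear and could keep
 * matching ct_state-based flows.  ovs_ct_fill_key() was already being
 * called here on an skb whose entry had just been removed, so it is
 * expected to cope with "no entry attached".
 *
 * Always returns 0.
 */
int ovs_ct_clear(struct sk_buff *skb, struct sw_flow_key *key)
{
	/* Only drop a reference when there is one to drop. */
	if (skb_nfct(skb))
		nf_conntrack_put(skb_nfct(skb));
	nf_ct_set(skb, NULL, IP_CT_UNTRACKED);

	if (key)
		ovs_ct_fill_key(skb, key);

	return 0;
}

/* Attach the conntrack helper named 'name' to the template connection in
 * 'info', taking the module references that keep it loaded.
 *
 * info: action context; info->ct is the template and info->helper
 *       receives the helper on success.
 * name: NUL-terminated helper name from the netlink attribute.
 * key:  flow key, used for the IP protocol the helper must match.
 * log:  whether to emit netlink error messages.
 *
 * Returns 0 on success, -EINVAL for an unknown helper, -ENOMEM when the
 * helper extension cannot be added, or the error from loading the NAT
 * helper when the action also does NAT.  On the NAT failure path the
 * conntrack helper reference is dropped but the helper extension already
 * added to the template is left in place (with a NULL helper pointer);
 * the template is freed by the caller's error path.
 */
static int ovs_ct_add_helper(struct ovs_conntrack_info *info, const char *name,
			     const struct sw_flow_key *key, bool log)
{
	struct nf_conntrack_helper *helper;
	struct nf_conn_help *help;
	int ret = 0;

	helper = nf_conntrack_helper_try_module_get(name, info->family,
						    key->ip.proto);
	if (!helper) {
		OVS_NLERR(log, "Unknown helper \"%s\"", name);
		return -EINVAL;
	}

	help = nf_ct_helper_ext_add(info->ct, GFP_KERNEL);
	if (!help) {
		nf_conntrack_helper_put(helper);
		return -ENOMEM;
	}

#if IS_ENABLED(CONFIG_NF_NAT)
	/* A NAT action needs the matching NAT helper as well; its reference
	 * is released by __ovs_ct_free_action when the action goes away.
	 */
	if (info->nat) {
		ret = nf_nat_helper_try_module_get(name, info->family,
						   key->ip.proto);
		if (ret) {
			nf_conntrack_helper_put(helper);
			OVS_NLERR(log, "Failed to load \"%s\" NAT helper, error: %d",
				  name, ret);
			return ret;
		}
	}
#endif
	rcu_assign_pointer(help->helper, helper);
	info->helper = helper;
	return ret;
}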
 /* NAT range parsing is only built when NAT support is enabled. */
#if IS_ENABLED(CONFIG_NF_NAT)
/* Parse the nested OVS_CT_ATTR_NAT attribute into info->nat and
 * info->range.
 *
 * attr: the nested OVS_CT_ATTR_NAT attribute from userspace.
 * info: action context being built; info->family selects the expected
 *       address size and info->commit must already be known (parse_ct
 *       fills it from the attributes seen so far).
 * log:  whether to emit netlink error messages.
 *
 * Every attribute must have exactly the length the table below prescribes
 * for the address family; this is what makes the nla_memcpy() and
 * nla_get_u16() reads below safe.  A range (SRC or DST) may only be given
 * together with commit; flags without a range are rejected; an attribute
 * with neither range nor flags means "NAT existing connections only".
 *
 * Returns 0 on success, -EINVAL for malformed input, -ERANGE when both SRC
 * and DST are given.
 */
static int parse_nat(const struct nlattr *attr,
		     struct ovs_conntrack_info *info, bool log)
{
	struct nlattr *a;
	int rem;
	bool have_ip_max = false;
	bool have_proto_max = false;
	/* Index into the length table: 0 for IPv4, 1 for IPv6. */
	bool ip_vers = (info->family == NFPROTO_IPV6);

	nla_for_each_nested(a, attr, rem) {
		/* Exact payload length per attribute, [IPv4, IPv6]. */
		static const int ovs_nat_attr_lens[OVS_NAT_ATTR_MAX + 1][2] = {
			[OVS_NAT_ATTR_SRC] = {0, 0},
			[OVS_NAT_ATTR_DST] = {0, 0},
			[OVS_NAT_ATTR_IP_MIN] = {sizeof(struct in_addr),
						 sizeof(struct in6_addr)},
			[OVS_NAT_ATTR_IP_MAX] = {sizeof(struct in_addr),
						 sizeof(struct in6_addr)},
			[OVS_NAT_ATTR_PROTO_MIN] = {sizeof(u16), sizeof(u16)},
			[OVS_NAT_ATTR_PROTO_MAX] = {sizeof(u16), sizeof(u16)},
			[OVS_NAT_ATTR_PERSISTENT] = {0, 0},
			[OVS_NAT_ATTR_PROTO_HASH] = {0, 0},
			[OVS_NAT_ATTR_PROTO_RANDOM] = {0, 0},
		};
		int type = nla_type(a);

		/* Bounds check before the table lookup below. */
		if (type > OVS_NAT_ATTR_MAX) {
			OVS_NLERR(log, "Unknown NAT attribute (type=%d, max=%d)",
				  type, OVS_NAT_ATTR_MAX);
			return -EINVAL;
		}

		if (nla_len(a) != ovs_nat_attr_lens[type][ip_vers]) {
			OVS_NLERR(log, "NAT attribute type %d has unexpected length (%d != %d)",
				  type, nla_len(a),
				  ovs_nat_attr_lens[type][ip_vers]);
			return -EINVAL;
		}

		switch (type) {
		case OVS_NAT_ATTR_SRC:
		case OVS_NAT_ATTR_DST:
			/* Exactly one NAT direction per action. */
			if (info->nat) {
				OVS_NLERR(log, "Only one type of NAT may be specified");
				return -ERANGE;
			}
			info->nat |= OVS_CT_NAT;
			info->nat |= ((type == OVS_NAT_ATTR_SRC)
					? OVS_CT_SRC_NAT : OVS_CT_DST_NAT);
			break;

		case OVS_NAT_ATTR_IP_MIN:
			/* For IPv4 only the first 4 bytes of the address
			 * union are written; the rest keeps the zero the
			 * caller initialised the context with.
			 */
			nla_memcpy(&info->range.min_addr, a,
				   sizeof(info->range.min_addr));
			info->range.flags |= NF_NAT_RANGE_MAP_IPS;
			break;

		case OVS_NAT_ATTR_IP_MAX:
			/* NOTE(review): IP_MAX without IP_MIN is accepted and
			 * leaves min_addr at its zeroed value, i.e. a range
			 * starting at address 0 — presumably userspace never
			 * sends this; confirm or reject it here.
			 */
			have_ip_max = true;
			nla_memcpy(&info->range.max_addr, a,
				   sizeof(info->range.max_addr));
			info->range.flags |= NF_NAT_RANGE_MAP_IPS;
			break;

		case OVS_NAT_ATTR_PROTO_MIN:
			/* Ports are carried host-ordered on the wire. */
			info->range.min_proto.all = htons(nla_get_u16(a));
			info->range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
			break;

		case OVS_NAT_ATTR_PROTO_MAX:
			have_proto_max = true;
			info->range.max_proto.all = htons(nla_get_u16(a));
			info->range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
			break;

		case OVS_NAT_ATTR_PERSISTENT:
			info->range.flags |= NF_NAT_RANGE_PERSISTENT;
			break;

		case OVS_NAT_ATTR_PROTO_HASH:
			info->range.flags |= NF_NAT_RANGE_PROTO_RANDOM;
			break;

		case OVS_NAT_ATTR_PROTO_RANDOM:
			info->range.flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY;
			break;

		default:
			OVS_NLERR(log, "Unknown nat attribute (%d)", type);
			return -EINVAL;
		}
	}

	/* Trailing bytes that do not form a whole attribute are an error. */
	if (rem > 0) {
		OVS_NLERR(log, "NAT attribute has %d unknown bytes", rem);
		return -EINVAL;
	}
	if (!info->nat) {
		/* Do not allow flags if no type is given. */
		if (info->range.flags) {
			OVS_NLERR(log,
				  "NAT flags may be given only when NAT range (SRC or DST) is also specified."
				  );
			return -EINVAL;
		}
		info->nat = OVS_CT_NAT;   /* NAT existing connections. */
	} else if (!info->commit) {
		OVS_NLERR(log,
			  "NAT attributes may be specified only when CT COMMIT flag is also specified."
			  );
		return -EINVAL;
	}
	/* Allow missing IP_MAX. */
	if (info->range.flags & NF_NAT_RANGE_MAP_IPS && !have_ip_max) {
		memcpy(&info->range.max_addr, &info->range.min_addr,
		       sizeof(info->range.max_addr));
	}
	/* Allow missing PROTO_MAX. */
	if (info->range.flags & NF_NAT_RANGE_PROTO_SPECIFIED &&
	    !have_proto_max) {
		info->range.max_proto.all = info->range.min_proto.all;
	}
	return 0;
}
#endif

/* Accepted payload length range for each OVS_CT_ATTR_* attribute, indexed
 * by attribute type.  parse_ct() rejects anything outside [minlen, maxlen]
 * before looking at the payload, so the fixed-size reads there are safe.
 * Flag attributes have a zero-length payload.
 */
static const struct ovs_ct_len_tbl ovs_ct_attr_lens[OVS_CT_ATTR_MAX + 1] = {
	[OVS_CT_ATTR_COMMIT]	= { .minlen = 0, .maxlen = 0 },
	[OVS_CT_ATTR_FORCE_COMMIT]	= { .minlen = 0, .maxlen = 0 },
	[OVS_CT_ATTR_ZONE]	= { .minlen = sizeof(u16),
				    .maxlen = sizeof(u16) },
	[OVS_CT_ATTR_MARK]	= { .minlen = sizeof(struct md_mark),
				    .maxlen = sizeof(struct md_mark) },
	[OVS_CT_ATTR_LABELS]	= { .minlen = sizeof(struct md_labels),
				    .maxlen = sizeof(struct md_labels) },
	/* Helper names must be NUL-terminated within the payload; parse_ct
	 * checks that with memchr().
	 */
	[OVS_CT_ATTR_HELPER]	= { .minlen = 1,
				    .maxlen = NF_CT_HELPER_NAME_LEN },
#if IS_ENABLED(CONFIG_NF_NAT)
	/* NAT length is checked when parsing the nested attributes.
 */
	[OVS_CT_ATTR_NAT]	= { .minlen = 0, .maxlen = INT_MAX },
#endif
	[OVS_CT_ATTR_EVENTMASK]	= { .minlen = sizeof(u32),
				    .maxlen = sizeof(u32) },
	/* The payload is copied into ovs_conntrack_info::timeout, which is
	 * CTNL_TIMEOUT_NAME_MAX bytes, so maxlen must not exceed that.
	 */
	[OVS_CT_ATTR_TIMEOUT] = { .minlen = 1,
				  .maxlen = CTNL_TIMEOUT_NAME_MAX },
};

/* Parse the nested attributes of an OVS_ACTION_ATTR_CT action into 'info'.
 *
 * attr:   the nested action attribute from userspace.
 * info:   action context to fill; the caller has zeroed it and set the
 *         address family.
 * helper: on return points at the helper name inside 'attr' (not copied),
 *         or is left untouched when no helper was given.
 * log:    whether to emit netlink error messages.
 *
 * Each attribute is length-checked against ovs_ct_attr_lens before its
 * payload is read.  Attributes whose kernel support is compiled out (zone,
 * mark, labels, timeout) fall through to the default case and are
 * rejected with -EINVAL rather than silently ignored.  Mark and label
 * writes, like NAT, require the commit flag.
 *
 * Returns 0 on success or a negative errno.
 */
static int parse_ct(const struct nlattr *attr, struct ovs_conntrack_info *info,
		    const char **helper, bool log)
{
	struct nlattr *a;
	int rem;

	nla_for_each_nested(a, attr, rem) {
		int type = nla_type(a);
		int maxlen;
		int minlen;

		/* Bounds check before indexing ovs_ct_attr_lens. */
		if (type > OVS_CT_ATTR_MAX) {
			OVS_NLERR(log,
				  "Unknown conntrack attr (type=%d, max=%d)",
				  type, OVS_CT_ATTR_MAX);
			return -EINVAL;
		}

		maxlen = ovs_ct_attr_lens[type].maxlen;
		minlen = ovs_ct_attr_lens[type].minlen;
		if (nla_len(a) < minlen || nla_len(a) > maxlen) {
			OVS_NLERR(log,
				  "Conntrack attr type has unexpected length (type=%d, length=%d, expected=%d)",
				  type, nla_len(a), maxlen);
			return -EINVAL;
		}

		switch (type) {
		case OVS_CT_ATTR_FORCE_COMMIT:
			/* force implies commit. */
			info->force = true;
			fallthrough;
		case OVS_CT_ATTR_COMMIT:
			info->commit = true;
			break;
#ifdef CONFIG_NF_CONNTRACK_ZONES
		case OVS_CT_ATTR_ZONE:
			info->zone.id = nla_get_u16(a);
			break;
#endif
#ifdef CONFIG_NF_CONNTRACK_MARK
		case OVS_CT_ATTR_MARK: {
			struct md_mark *mark = nla_data(a);

			/* A zero mask would be a no-op write; reject it so
			 * that mark.mask != 0 reliably means "mark given".
			 */
			if (!mark->mask) {
				OVS_NLERR(log, "ct_mark mask cannot be 0");
				return -EINVAL;
			}
			info->mark = *mark;
			break;
		}
#endif
#ifdef CONFIG_NF_CONNTRACK_LABELS
		case OVS_CT_ATTR_LABELS: {
			struct md_labels *labels = nla_data(a);

			/* Same reasoning as for the mark mask. */
			if (!labels_nonzero(&labels->mask)) {
				OVS_NLERR(log, "ct_labels mask cannot be 0");
				return -EINVAL;
			}
			info->labels = *labels;
			break;
		}
#endif
		case OVS_CT_ATTR_HELPER:
			/* The name is used in place; it must be terminated
			 * within the attribute payload.
			 */
			*helper = nla_data(a);
			if (!memchr(*helper, '\0', nla_len(a))) {
				OVS_NLERR(log, "Invalid conntrack helper");
				return -EINVAL;
			}
			break;
#if IS_ENABLED(CONFIG_NF_NAT)
		case OVS_CT_ATTR_NAT: {
			/* Relies on info->commit, so userspace must send the
			 * commit flag before the NAT attribute.
			 */
			int err = parse_nat(a, info, log);

			if (err)
				return err;
			break;
		}
#endif
		case OVS_CT_ATTR_EVENTMASK:
			info->have_eventmask = true;
			info->eventmask = nla_get_u32(a);
			break;
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
		case OVS_CT_ATTR_TIMEOUT:
			/* nla_len(a) <= CTNL_TIMEOUT_NAME_MAX by the table
			 * above; the memchr() keeps the copy NUL-terminated.
			 */
			memcpy(info->timeout, nla_data(a), nla_len(a));
			if (!memchr(info->timeout, '\0', nla_len(a))) {
				OVS_NLERR(log, "Invalid conntrack timeout");
				return -EINVAL;
			}
			break;
#endif

		default:
			OVS_NLERR(log, "Unknown conntrack attr (%d)",
				  type);
			return -EINVAL;
		}
	}

#ifdef CONFIG_NF_CONNTRACK_MARK
	if (!info->commit && info->mark.mask) {
		OVS_NLERR(log,
			  "Setting conntrack mark requires 'commit' flag.");
		return -EINVAL;
	}
#endif
#ifdef CONFIG_NF_CONNTRACK_LABELS
	if (!info->commit && labels_nonzero(&info->labels.mask)) {
		OVS_NLERR(log,
			  "Setting conntrack labels requires 'commit' flag.");
		return -EINVAL;
	}
#endif
	/* Trailing bytes that do not form a whole attribute are an error. */
	if (rem > 0) {
		OVS_NLERR(log, "Conntrack attr has %d unknown bytes", rem);
		return -EINVAL;
	}

	return 0;
}

/* Report whether the conntrack flow-key attribute 'attr' is usable in
 * this kernel and namespace.  ct_state is always usable; zone, mark and
 * labels depend on the corresponding conntrack options, and labels
 * additionally on the per-namespace xt_label flag.
 */
bool ovs_ct_verify(struct net *net, enum ovs_key_attr attr)
{
	if (attr == OVS_KEY_ATTR_CT_STATE)
		return true;
	if (IS_ENABLED(CONFIG_NF_CONNTRACK_ZONES) &&
	    attr == OVS_KEY_ATTR_CT_ZONE)
		return true;
	if (IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) &&
	    attr == OVS_KEY_ATTR_CT_MARK)
		return true;
	if (IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS) &&
	    attr == OVS_KEY_ATTR_CT_LABELS) {
		struct ovs_net *ovs_net = net_generic(net, ovs_net_id);

		return ovs_net->xt_label;
	}

	return false;
}

/* Validate a CT action from userspace and append its executable form to
 * the flow's action list.
 *
 * net:  namespace the action will run in.
 * attr: the OVS_ACTION_ATTR_CT attribute.
 * key:  flow key, used for the address family and IP protocol.
 * sfa:  action list being built.
 * log:  whether to emit netlink error messages.
 *
 * Builds an ovs_conntrack_info on the stack, allocates the conntrack
 * template that ties lookups to the requested zone, attaches the timeout
 * policy and helper if given, and copies the whole context into 'sfa'.
 *
 * Returns 0 on success or a negative errno; on failure every resource
 * acquired here is released through __ovs_ct_free_action().
 */
int ovs_ct_copy_action(struct net *net, const struct nlattr *attr,
		       const struct sw_flow_key *key,
		       struct sw_flow_actions **sfa,  bool log)
{
	struct ovs_conntrack_info ct_info;
	const char *helper = NULL;
	u16 family;
	int err;

	family = key_to_nfproto(key);
	if (family == NFPROTO_UNSPEC) {
		OVS_NLERR(log, "ct family unspecified");
		return -EINVAL;
	}

	/* parse_ct/parse_nat rely on every field starting out zero. */
	memset(&ct_info, 0, sizeof(ct_info));
	ct_info.family = family;

	nf_ct_zone_init(&ct_info.zone, NF_CT_DEFAULT_ZONE_ID,
			NF_CT_DEFAULT_ZONE_DIR, 0);

	err = parse_ct(attr, &ct_info, &helper, log);
	if (err)
		return err;

	/* Set up template for tracking connections in specific zones. */
	ct_info.ct = nf_ct_tmpl_alloc(net, &ct_info.zone, GFP_KERNEL);
	if (!ct_info.ct) {
		OVS_NLERR(log, "Failed to allocate conntrack template");
		return -ENOMEM;
	}

	/* NOTE(review): a timeout policy that cannot be attached is only
	 * logged (rate limited) and the action is still installed, so the
	 * flow silently runs with default timeouts instead of the requested
	 * policy.  Consider failing the action instead.
	 */
	if (ct_info.timeout[0]) {
		if (nf_ct_set_timeout(net, ct_info.ct, family, key->ip.proto,
				      ct_info.timeout))
			pr_info_ratelimited("Failed to associated timeout "
					    "policy `%s'\n", ct_info.timeout);
		else
			ct_info.nf_ct_timeout = rcu_dereference(
				nf_ct_timeout_find(ct_info.ct)->timeout);

	}

	if (helper) {
		err = ovs_ct_add_helper(&ct_info, helper, key, log);
		if (err)
			goto err_free_ct;
	}

	err = ovs_nla_add_action(sfa, OVS_ACTION_ATTR_CT, &ct_info,
				 sizeof(ct_info), log);
	if (err)
		goto err_free_ct;

	/* The template is flagged confirmed — presumably so it is never
	 * treated as a new connection to be inserted into the table; TODO
	 * confirm.  The extra reference belongs to the copy of ct_info that
	 * now lives in the action list and is dropped by ovs_ct_free_action.
	 */
	__set_bit(IPS_CONFIRMED_BIT, &ct_info.ct->status);
	nf_conntrack_get(&ct_info.ct->ct_general);
	return 0;
err_free_ct:
	__ovs_ct_free_action(&ct_info);
	return err;
}

#if IS_ENABLED(CONFIG_NF_NAT)
/* Serialise the NAT part of a CT action as a nested OVS_CT_ATTR_NAT
 * attribute, the inverse of parse_nat().
 *
 * Only SRC/DST NAT carry a range; plain OVS_CT_NAT produces an empty nest.
 * IP_MAX and PROTO_MAX are omitted when they equal their MIN counterpart,
 * mirroring the "missing MAX" defaulting in parse_nat().
 *
 * Returns true on success, false when the message ran out of room or the
 * address family is unsupported.  The opened nest is not cancelled on
 * failure; the caller is expected to discard the message.
 */
static bool ovs_ct_nat_to_attr(const struct ovs_conntrack_info *info,
			       struct sk_buff *skb)
{
	struct nlattr *start;

	start = nla_nest_start_noflag(skb, OVS_CT_ATTR_NAT);
	if (!start)
		return false;

	if (info->nat & OVS_CT_SRC_NAT) {
		if (nla_put_flag(skb, OVS_NAT_ATTR_SRC))
			return false;
	} else if (info->nat & OVS_CT_DST_NAT) {
		if (nla_put_flag(skb, OVS_NAT_ATTR_DST))
			return false;
	} else {
		goto out;
	}

	if (info->range.flags & NF_NAT_RANGE_MAP_IPS) {
		/* IS_ENABLED(CONFIG_NF_NAT) is always true inside this #if
		 * block; it is kept for symmetry with the IPv6 branch.
		 */
		if (IS_ENABLED(CONFIG_NF_NAT) &&
		    info->family == NFPROTO_IPV4) {
			if (nla_put_in_addr(skb, OVS_NAT_ATTR_IP_MIN,
					    info->range.min_addr.ip) ||
			    (info->range.max_addr.ip
			     != info->range.min_addr.ip &&
			     (nla_put_in_addr(skb, OVS_NAT_ATTR_IP_MAX,
					      info->range.max_addr.ip))))
				return false;
		} else if (IS_ENABLED(CONFIG_IPV6) &&
			   info->family == NFPROTO_IPV6) {
			if (nla_put_in6_addr(skb, OVS_NAT_ATTR_IP_MIN,
					     &info->range.min_addr.in6) ||
			    (memcmp(&info->range.max_addr.in6,
				    &info->range.min_addr.in6,
				    sizeof(info->range.max_addr.in6)) &&
			     (nla_put_in6_addr(skb, OVS_NAT_ATTR_IP_MAX,
					       &info->range.max_addr.in6))))
				return false;
		} else {
			return false;
		}
	}
	if (info->range.flags & NF_NAT_RANGE_PROTO_SPECIFIED &&
	    (nla_put_u16(skb, OVS_NAT_ATTR_PROTO_MIN,
			 ntohs(info->range.min_proto.all)) ||
	     (info->range.max_proto.all != info->range.min_proto.all &&
	      nla_put_u16(skb, OVS_NAT_ATTR_PROTO_MAX,
			  ntohs(info->range.max_proto.all)))))
		return false;

	if (info->range.flags & NF_NAT_RANGE_PERSISTENT &&
	    nla_put_flag(skb, OVS_NAT_ATTR_PERSISTENT))
		return false;
	if (info->range.flags & NF_NAT_RANGE_PROTO_RANDOM &&
	    nla_put_flag(skb, OVS_NAT_ATTR_PROTO_HASH))
		return false;
	if (info->range.flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY &&
	    nla_put_flag(skb, OVS_NAT_ATTR_PROTO_RANDOM))
		return false;
out:
	nla_nest_end(skb, start);

	return true;
}
#endif

/* Serialise an executable CT action back into its netlink form, the
 * inverse of ovs_ct_copy_action()/parse_ct().
 *
 * Returns 0 on success or -EMSGSIZE when 'skb' has no room; as in
 * ovs_ct_nat_to_attr(), the opened nest is not cancelled on failure.
 */
int ovs_ct_action_to_attr(const struct ovs_conntrack_info *ct_info,
			  struct sk_buff *skb)
{
	struct nlattr *start;

	start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_CT);
	if (!start)
		return -EMSGSIZE;

	if (ct_info->commit && nla_put_flag(skb, ct_info->force
					    ? OVS_CT_ATTR_FORCE_COMMIT
					    : OVS_CT_ATTR_COMMIT))
		return -EMSGSIZE;
	/* The zone is always emitted when zones are supported, even the
	 * default one.
	 */
	if (IS_ENABLED(CONFIG_NF_CONNTRACK_ZONES) &&
	    nla_put_u16(skb, OVS_CT_ATTR_ZONE, ct_info->zone.id))
		return -EMSGSIZE;
	if (IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) && ct_info->mark.mask &&
	    nla_put(skb, OVS_CT_ATTR_MARK, sizeof(ct_info->mark),
		    &ct_info->mark))
		return -EMSGSIZE;
	if (IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS) &&
	    labels_nonzero(&ct_info->labels.mask) &&
	    nla_put(skb, OVS_CT_ATTR_LABELS, sizeof(ct_info->labels),
		    &ct_info->labels))
		return -EMSGSIZE;
	if (ct_info->helper) {
		if (nla_put_string(skb, OVS_CT_ATTR_HELPER,
				   ct_info->helper->name))
			return -EMSGSIZE;
	}
	if (ct_info->have_eventmask &&
	    nla_put_u32(skb, OVS_CT_ATTR_EVENTMASK, ct_info->eventmask))
		return -EMSGSIZE;
	if (ct_info->timeout[0]) {
		if (nla_put_string(skb, OVS_CT_ATTR_TIMEOUT, ct_info->timeout))
			return -EMSGSIZE;
	}

#if IS_ENABLED(CONFIG_NF_NAT)
	if (ct_info->nat && !ovs_ct_nat_to_attr(ct_info, skb))
		return -EMSGSIZE;
#endif
	nla_nest_end(skb, start);

	return 0;
}

/* Release the resources held by a CT action stored in action attribute
 * 'a' (the ovs_conntrack_info copied there by ovs_ct_copy_action).
 */
void ovs_ct_free_action(const struct nlattr *a)
{
	struct ovs_conntrack_info *ct_info = nla_data(a);

	__ovs_ct_free_action(ct_info);
}

/* Drop the helper and NAT-helper references and free the template
 * (including its timeout policy) owned by 'ct_info'.  Safe to call on a
 * partially initialised context: each resource is released only if it
 * was acquired.
 */
static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info)
{
	if (ct_info->helper) {
#if IS_ENABLED(CONFIG_NF_NAT)
		if (ct_info->nat)
			nf_nat_helper_put(ct_info->helper);
#endif
		nf_conntrack_helper_put(ct_info->helper);
	}
	if (ct_info->ct) {
		if (ct_info->timeout[0])
			nf_ct_destroy_timeout(ct_info->ct);
		nf_ct_tmpl_free(ct_info->ct);
	}
}
 /* Per-zone connection limits, built on nf_conncount. */
#if IS_ENABLED(CONFIG_NETFILTER_CONNCOUNT)
/* Allocate the per-namespace connection-limit state: the limit table
 * (CT_LIMIT_HASH_BUCKETS hlist buckets), the default limit and the
 * nf_conncount instance that does the counting.
 *
 * Returns 0 on success, -ENOMEM or the nf_conncount_init() error.  On
 * failure everything allocated here is freed again, but
 * ovs_net->ct_limit_info is left pointing at the freed block rather than
 * reset to NULL — presumably the caller abandons the namespace on error;
 * TODO confirm.
 */
static int ovs_ct_limit_init(struct net *net, struct ovs_net *ovs_net)
{
	int i, err;

	ovs_net->ct_limit_info = kmalloc(sizeof(*ovs_net->ct_limit_info),
					 GFP_KERNEL);
	if (!ovs_net->ct_limit_info)
		return -ENOMEM;

	ovs_net->ct_limit_info->default_limit = OVS_CT_LIMIT_DEFAULT;
	ovs_net->ct_limit_info->limits =
		kmalloc_array(CT_LIMIT_HASH_BUCKETS, sizeof(struct hlist_head),
			      GFP_KERNEL);
	if (!ovs_net->ct_limit_info->limits) {
		kfree(ovs_net->ct_limit_info);
		return -ENOMEM;
	}

	/* kmalloc_array does not zero; initialise every bucket head. */
	for (i = 0; i < CT_LIMIT_HASH_BUCKETS; i++)
		INIT_HLIST_HEAD(&ovs_net->ct_limit_info->limits[i]);

	/* The conncount key is the u32 zone id. */
	ovs_net->ct_limit_info->data =
		nf_conncount_init(net, NFPROTO_INET, sizeof(u32));

	if (IS_ERR(ovs_net->ct_limit_info->data)) {
		err = PTR_ERR(ovs_net->ct_limit_info->data);
		kfree(ovs_net->ct_limit_info->limits);
		kfree(ovs_net->ct_limit_info);
		pr_err("openvswitch: failed to init nf_conncount %d\n", err);
		return err;
	}
	return 0;
}

/* Tear down the state built by ovs_ct_limit_init().  The lockdep
 * condition passed to the RCU list walk documents the expectation that
 * the ovs mutex is held while the per-zone entries are queued for RCU
 * freeing.
 */
static void ovs_ct_limit_exit(struct net *net, struct ovs_net *ovs_net)
{
	const struct ovs_ct_limit_info *info = ovs_net->ct_limit_info;
	int i;

	nf_conncount_destroy(net, NFPROTO_INET, info->data);
	for (i = 0; i < CT_LIMIT_HASH_BUCKETS; ++i) {
		struct hlist_head *head = &info->limits[i];
		struct ovs_ct_limit *ct_limit;

		hlist_for_each_entry_rcu(ct_limit, head, hlist_node,
					 lockdep_ovsl_is_held())
			kfree_rcu(ct_limit, rcu);
	}
	kfree(info->limits);
	kfree(info);
}

/* Allocate a generic-netlink reply for a ct-limit command and write its
 * header, echoing the requester's port id, sequence number and datapath
 * ifindex.
 *
 * info:             the request being answered.
 * cmd:              the command id to put in the reply header.
 * ovs_reply_header: receives the reply's ovs_header on success.
 *
 * Returns the new skb, or ERR_PTR(-ENOMEM) / ERR_PTR(-EMSGSIZE).
 */
static struct sk_buff *
ovs_ct_limit_cmd_reply_start(struct genl_info *info, u8 cmd,
			     struct ovs_header **ovs_reply_header)
{
	struct ovs_header *ovs_header = info->userhdr;
	struct sk_buff *skb;

	skb = genlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	if (!skb)
		return ERR_PTR(-ENOMEM);

	*ovs_reply_header = genlmsg_put(skb, info->snd_portid,
					info->snd_seq,
					&dp_ct_limit_genl_family, 0, cmd);

	if (!*ovs_reply_header) {
		nlmsg_free(skb);
		return ERR_PTR(-EMSGSIZE);
	}
	(*ovs_reply_header)->dp_ifindex = ovs_header->dp_ifindex;
19348c2ecf20Sopenharmony_ci return skb; 19358c2ecf20Sopenharmony_ci} 19368c2ecf20Sopenharmony_ci 19378c2ecf20Sopenharmony_cistatic bool check_zone_id(int zone_id, u16 *pzone) 19388c2ecf20Sopenharmony_ci{ 19398c2ecf20Sopenharmony_ci if (zone_id >= 0 && zone_id <= 65535) { 19408c2ecf20Sopenharmony_ci *pzone = (u16)zone_id; 19418c2ecf20Sopenharmony_ci return true; 19428c2ecf20Sopenharmony_ci } 19438c2ecf20Sopenharmony_ci return false; 19448c2ecf20Sopenharmony_ci} 19458c2ecf20Sopenharmony_ci 19468c2ecf20Sopenharmony_cistatic int ovs_ct_limit_set_zone_limit(struct nlattr *nla_zone_limit, 19478c2ecf20Sopenharmony_ci struct ovs_ct_limit_info *info) 19488c2ecf20Sopenharmony_ci{ 19498c2ecf20Sopenharmony_ci struct ovs_zone_limit *zone_limit; 19508c2ecf20Sopenharmony_ci int rem; 19518c2ecf20Sopenharmony_ci u16 zone; 19528c2ecf20Sopenharmony_ci 19538c2ecf20Sopenharmony_ci rem = NLA_ALIGN(nla_len(nla_zone_limit)); 19548c2ecf20Sopenharmony_ci zone_limit = (struct ovs_zone_limit *)nla_data(nla_zone_limit); 19558c2ecf20Sopenharmony_ci 19568c2ecf20Sopenharmony_ci while (rem >= sizeof(*zone_limit)) { 19578c2ecf20Sopenharmony_ci if (unlikely(zone_limit->zone_id == 19588c2ecf20Sopenharmony_ci OVS_ZONE_LIMIT_DEFAULT_ZONE)) { 19598c2ecf20Sopenharmony_ci ovs_lock(); 19608c2ecf20Sopenharmony_ci info->default_limit = zone_limit->limit; 19618c2ecf20Sopenharmony_ci ovs_unlock(); 19628c2ecf20Sopenharmony_ci } else if (unlikely(!check_zone_id( 19638c2ecf20Sopenharmony_ci zone_limit->zone_id, &zone))) { 19648c2ecf20Sopenharmony_ci OVS_NLERR(true, "zone id is out of range"); 19658c2ecf20Sopenharmony_ci } else { 19668c2ecf20Sopenharmony_ci struct ovs_ct_limit *ct_limit; 19678c2ecf20Sopenharmony_ci 19688c2ecf20Sopenharmony_ci ct_limit = kmalloc(sizeof(*ct_limit), GFP_KERNEL); 19698c2ecf20Sopenharmony_ci if (!ct_limit) 19708c2ecf20Sopenharmony_ci return -ENOMEM; 19718c2ecf20Sopenharmony_ci 19728c2ecf20Sopenharmony_ci ct_limit->zone = zone; 19738c2ecf20Sopenharmony_ci ct_limit->limit = 
zone_limit->limit; 19748c2ecf20Sopenharmony_ci 19758c2ecf20Sopenharmony_ci ovs_lock(); 19768c2ecf20Sopenharmony_ci ct_limit_set(info, ct_limit); 19778c2ecf20Sopenharmony_ci ovs_unlock(); 19788c2ecf20Sopenharmony_ci } 19798c2ecf20Sopenharmony_ci rem -= NLA_ALIGN(sizeof(*zone_limit)); 19808c2ecf20Sopenharmony_ci zone_limit = (struct ovs_zone_limit *)((u8 *)zone_limit + 19818c2ecf20Sopenharmony_ci NLA_ALIGN(sizeof(*zone_limit))); 19828c2ecf20Sopenharmony_ci } 19838c2ecf20Sopenharmony_ci 19848c2ecf20Sopenharmony_ci if (rem) 19858c2ecf20Sopenharmony_ci OVS_NLERR(true, "set zone limit has %d unknown bytes", rem); 19868c2ecf20Sopenharmony_ci 19878c2ecf20Sopenharmony_ci return 0; 19888c2ecf20Sopenharmony_ci} 19898c2ecf20Sopenharmony_ci 19908c2ecf20Sopenharmony_cistatic int ovs_ct_limit_del_zone_limit(struct nlattr *nla_zone_limit, 19918c2ecf20Sopenharmony_ci struct ovs_ct_limit_info *info) 19928c2ecf20Sopenharmony_ci{ 19938c2ecf20Sopenharmony_ci struct ovs_zone_limit *zone_limit; 19948c2ecf20Sopenharmony_ci int rem; 19958c2ecf20Sopenharmony_ci u16 zone; 19968c2ecf20Sopenharmony_ci 19978c2ecf20Sopenharmony_ci rem = NLA_ALIGN(nla_len(nla_zone_limit)); 19988c2ecf20Sopenharmony_ci zone_limit = (struct ovs_zone_limit *)nla_data(nla_zone_limit); 19998c2ecf20Sopenharmony_ci 20008c2ecf20Sopenharmony_ci while (rem >= sizeof(*zone_limit)) { 20018c2ecf20Sopenharmony_ci if (unlikely(zone_limit->zone_id == 20028c2ecf20Sopenharmony_ci OVS_ZONE_LIMIT_DEFAULT_ZONE)) { 20038c2ecf20Sopenharmony_ci ovs_lock(); 20048c2ecf20Sopenharmony_ci info->default_limit = OVS_CT_LIMIT_DEFAULT; 20058c2ecf20Sopenharmony_ci ovs_unlock(); 20068c2ecf20Sopenharmony_ci } else if (unlikely(!check_zone_id( 20078c2ecf20Sopenharmony_ci zone_limit->zone_id, &zone))) { 20088c2ecf20Sopenharmony_ci OVS_NLERR(true, "zone id is out of range"); 20098c2ecf20Sopenharmony_ci } else { 20108c2ecf20Sopenharmony_ci ovs_lock(); 20118c2ecf20Sopenharmony_ci ct_limit_del(info, zone); 20128c2ecf20Sopenharmony_ci ovs_unlock(); 
20138c2ecf20Sopenharmony_ci } 20148c2ecf20Sopenharmony_ci rem -= NLA_ALIGN(sizeof(*zone_limit)); 20158c2ecf20Sopenharmony_ci zone_limit = (struct ovs_zone_limit *)((u8 *)zone_limit + 20168c2ecf20Sopenharmony_ci NLA_ALIGN(sizeof(*zone_limit))); 20178c2ecf20Sopenharmony_ci } 20188c2ecf20Sopenharmony_ci 20198c2ecf20Sopenharmony_ci if (rem) 20208c2ecf20Sopenharmony_ci OVS_NLERR(true, "del zone limit has %d unknown bytes", rem); 20218c2ecf20Sopenharmony_ci 20228c2ecf20Sopenharmony_ci return 0; 20238c2ecf20Sopenharmony_ci} 20248c2ecf20Sopenharmony_ci 20258c2ecf20Sopenharmony_cistatic int ovs_ct_limit_get_default_limit(struct ovs_ct_limit_info *info, 20268c2ecf20Sopenharmony_ci struct sk_buff *reply) 20278c2ecf20Sopenharmony_ci{ 20288c2ecf20Sopenharmony_ci struct ovs_zone_limit zone_limit = { 20298c2ecf20Sopenharmony_ci .zone_id = OVS_ZONE_LIMIT_DEFAULT_ZONE, 20308c2ecf20Sopenharmony_ci .limit = info->default_limit, 20318c2ecf20Sopenharmony_ci }; 20328c2ecf20Sopenharmony_ci 20338c2ecf20Sopenharmony_ci return nla_put_nohdr(reply, sizeof(zone_limit), &zone_limit); 20348c2ecf20Sopenharmony_ci} 20358c2ecf20Sopenharmony_ci 20368c2ecf20Sopenharmony_cistatic int __ovs_ct_limit_get_zone_limit(struct net *net, 20378c2ecf20Sopenharmony_ci struct nf_conncount_data *data, 20388c2ecf20Sopenharmony_ci u16 zone_id, u32 limit, 20398c2ecf20Sopenharmony_ci struct sk_buff *reply) 20408c2ecf20Sopenharmony_ci{ 20418c2ecf20Sopenharmony_ci struct nf_conntrack_zone ct_zone; 20428c2ecf20Sopenharmony_ci struct ovs_zone_limit zone_limit; 20438c2ecf20Sopenharmony_ci u32 conncount_key = zone_id; 20448c2ecf20Sopenharmony_ci 20458c2ecf20Sopenharmony_ci zone_limit.zone_id = zone_id; 20468c2ecf20Sopenharmony_ci zone_limit.limit = limit; 20478c2ecf20Sopenharmony_ci nf_ct_zone_init(&ct_zone, zone_id, NF_CT_DEFAULT_ZONE_DIR, 0); 20488c2ecf20Sopenharmony_ci 20498c2ecf20Sopenharmony_ci zone_limit.count = nf_conncount_count(net, data, &conncount_key, NULL, 20508c2ecf20Sopenharmony_ci &ct_zone); 
20518c2ecf20Sopenharmony_ci return nla_put_nohdr(reply, sizeof(zone_limit), &zone_limit); 20528c2ecf20Sopenharmony_ci} 20538c2ecf20Sopenharmony_ci 20548c2ecf20Sopenharmony_cistatic int ovs_ct_limit_get_zone_limit(struct net *net, 20558c2ecf20Sopenharmony_ci struct nlattr *nla_zone_limit, 20568c2ecf20Sopenharmony_ci struct ovs_ct_limit_info *info, 20578c2ecf20Sopenharmony_ci struct sk_buff *reply) 20588c2ecf20Sopenharmony_ci{ 20598c2ecf20Sopenharmony_ci struct ovs_zone_limit *zone_limit; 20608c2ecf20Sopenharmony_ci int rem, err; 20618c2ecf20Sopenharmony_ci u32 limit; 20628c2ecf20Sopenharmony_ci u16 zone; 20638c2ecf20Sopenharmony_ci 20648c2ecf20Sopenharmony_ci rem = NLA_ALIGN(nla_len(nla_zone_limit)); 20658c2ecf20Sopenharmony_ci zone_limit = (struct ovs_zone_limit *)nla_data(nla_zone_limit); 20668c2ecf20Sopenharmony_ci 20678c2ecf20Sopenharmony_ci while (rem >= sizeof(*zone_limit)) { 20688c2ecf20Sopenharmony_ci if (unlikely(zone_limit->zone_id == 20698c2ecf20Sopenharmony_ci OVS_ZONE_LIMIT_DEFAULT_ZONE)) { 20708c2ecf20Sopenharmony_ci err = ovs_ct_limit_get_default_limit(info, reply); 20718c2ecf20Sopenharmony_ci if (err) 20728c2ecf20Sopenharmony_ci return err; 20738c2ecf20Sopenharmony_ci } else if (unlikely(!check_zone_id(zone_limit->zone_id, 20748c2ecf20Sopenharmony_ci &zone))) { 20758c2ecf20Sopenharmony_ci OVS_NLERR(true, "zone id is out of range"); 20768c2ecf20Sopenharmony_ci } else { 20778c2ecf20Sopenharmony_ci rcu_read_lock(); 20788c2ecf20Sopenharmony_ci limit = ct_limit_get(info, zone); 20798c2ecf20Sopenharmony_ci rcu_read_unlock(); 20808c2ecf20Sopenharmony_ci 20818c2ecf20Sopenharmony_ci err = __ovs_ct_limit_get_zone_limit( 20828c2ecf20Sopenharmony_ci net, info->data, zone, limit, reply); 20838c2ecf20Sopenharmony_ci if (err) 20848c2ecf20Sopenharmony_ci return err; 20858c2ecf20Sopenharmony_ci } 20868c2ecf20Sopenharmony_ci rem -= NLA_ALIGN(sizeof(*zone_limit)); 20878c2ecf20Sopenharmony_ci zone_limit = (struct ovs_zone_limit *)((u8 *)zone_limit + 
20888c2ecf20Sopenharmony_ci NLA_ALIGN(sizeof(*zone_limit))); 20898c2ecf20Sopenharmony_ci } 20908c2ecf20Sopenharmony_ci 20918c2ecf20Sopenharmony_ci if (rem) 20928c2ecf20Sopenharmony_ci OVS_NLERR(true, "get zone limit has %d unknown bytes", rem); 20938c2ecf20Sopenharmony_ci 20948c2ecf20Sopenharmony_ci return 0; 20958c2ecf20Sopenharmony_ci} 20968c2ecf20Sopenharmony_ci 20978c2ecf20Sopenharmony_cistatic int ovs_ct_limit_get_all_zone_limit(struct net *net, 20988c2ecf20Sopenharmony_ci struct ovs_ct_limit_info *info, 20998c2ecf20Sopenharmony_ci struct sk_buff *reply) 21008c2ecf20Sopenharmony_ci{ 21018c2ecf20Sopenharmony_ci struct ovs_ct_limit *ct_limit; 21028c2ecf20Sopenharmony_ci struct hlist_head *head; 21038c2ecf20Sopenharmony_ci int i, err = 0; 21048c2ecf20Sopenharmony_ci 21058c2ecf20Sopenharmony_ci err = ovs_ct_limit_get_default_limit(info, reply); 21068c2ecf20Sopenharmony_ci if (err) 21078c2ecf20Sopenharmony_ci return err; 21088c2ecf20Sopenharmony_ci 21098c2ecf20Sopenharmony_ci rcu_read_lock(); 21108c2ecf20Sopenharmony_ci for (i = 0; i < CT_LIMIT_HASH_BUCKETS; ++i) { 21118c2ecf20Sopenharmony_ci head = &info->limits[i]; 21128c2ecf20Sopenharmony_ci hlist_for_each_entry_rcu(ct_limit, head, hlist_node) { 21138c2ecf20Sopenharmony_ci err = __ovs_ct_limit_get_zone_limit(net, info->data, 21148c2ecf20Sopenharmony_ci ct_limit->zone, ct_limit->limit, reply); 21158c2ecf20Sopenharmony_ci if (err) 21168c2ecf20Sopenharmony_ci goto exit_err; 21178c2ecf20Sopenharmony_ci } 21188c2ecf20Sopenharmony_ci } 21198c2ecf20Sopenharmony_ci 21208c2ecf20Sopenharmony_ciexit_err: 21218c2ecf20Sopenharmony_ci rcu_read_unlock(); 21228c2ecf20Sopenharmony_ci return err; 21238c2ecf20Sopenharmony_ci} 21248c2ecf20Sopenharmony_ci 21258c2ecf20Sopenharmony_cistatic int ovs_ct_limit_cmd_set(struct sk_buff *skb, struct genl_info *info) 21268c2ecf20Sopenharmony_ci{ 21278c2ecf20Sopenharmony_ci struct nlattr **a = info->attrs; 21288c2ecf20Sopenharmony_ci struct sk_buff *reply; 21298c2ecf20Sopenharmony_ci struct 
ovs_header *ovs_reply_header; 21308c2ecf20Sopenharmony_ci struct ovs_net *ovs_net = net_generic(sock_net(skb->sk), ovs_net_id); 21318c2ecf20Sopenharmony_ci struct ovs_ct_limit_info *ct_limit_info = ovs_net->ct_limit_info; 21328c2ecf20Sopenharmony_ci int err; 21338c2ecf20Sopenharmony_ci 21348c2ecf20Sopenharmony_ci reply = ovs_ct_limit_cmd_reply_start(info, OVS_CT_LIMIT_CMD_SET, 21358c2ecf20Sopenharmony_ci &ovs_reply_header); 21368c2ecf20Sopenharmony_ci if (IS_ERR(reply)) 21378c2ecf20Sopenharmony_ci return PTR_ERR(reply); 21388c2ecf20Sopenharmony_ci 21398c2ecf20Sopenharmony_ci if (!a[OVS_CT_LIMIT_ATTR_ZONE_LIMIT]) { 21408c2ecf20Sopenharmony_ci err = -EINVAL; 21418c2ecf20Sopenharmony_ci goto exit_err; 21428c2ecf20Sopenharmony_ci } 21438c2ecf20Sopenharmony_ci 21448c2ecf20Sopenharmony_ci err = ovs_ct_limit_set_zone_limit(a[OVS_CT_LIMIT_ATTR_ZONE_LIMIT], 21458c2ecf20Sopenharmony_ci ct_limit_info); 21468c2ecf20Sopenharmony_ci if (err) 21478c2ecf20Sopenharmony_ci goto exit_err; 21488c2ecf20Sopenharmony_ci 21498c2ecf20Sopenharmony_ci static_branch_enable(&ovs_ct_limit_enabled); 21508c2ecf20Sopenharmony_ci 21518c2ecf20Sopenharmony_ci genlmsg_end(reply, ovs_reply_header); 21528c2ecf20Sopenharmony_ci return genlmsg_reply(reply, info); 21538c2ecf20Sopenharmony_ci 21548c2ecf20Sopenharmony_ciexit_err: 21558c2ecf20Sopenharmony_ci nlmsg_free(reply); 21568c2ecf20Sopenharmony_ci return err; 21578c2ecf20Sopenharmony_ci} 21588c2ecf20Sopenharmony_ci 21598c2ecf20Sopenharmony_cistatic int ovs_ct_limit_cmd_del(struct sk_buff *skb, struct genl_info *info) 21608c2ecf20Sopenharmony_ci{ 21618c2ecf20Sopenharmony_ci struct nlattr **a = info->attrs; 21628c2ecf20Sopenharmony_ci struct sk_buff *reply; 21638c2ecf20Sopenharmony_ci struct ovs_header *ovs_reply_header; 21648c2ecf20Sopenharmony_ci struct ovs_net *ovs_net = net_generic(sock_net(skb->sk), ovs_net_id); 21658c2ecf20Sopenharmony_ci struct ovs_ct_limit_info *ct_limit_info = ovs_net->ct_limit_info; 21668c2ecf20Sopenharmony_ci int err; 
21678c2ecf20Sopenharmony_ci 21688c2ecf20Sopenharmony_ci reply = ovs_ct_limit_cmd_reply_start(info, OVS_CT_LIMIT_CMD_DEL, 21698c2ecf20Sopenharmony_ci &ovs_reply_header); 21708c2ecf20Sopenharmony_ci if (IS_ERR(reply)) 21718c2ecf20Sopenharmony_ci return PTR_ERR(reply); 21728c2ecf20Sopenharmony_ci 21738c2ecf20Sopenharmony_ci if (!a[OVS_CT_LIMIT_ATTR_ZONE_LIMIT]) { 21748c2ecf20Sopenharmony_ci err = -EINVAL; 21758c2ecf20Sopenharmony_ci goto exit_err; 21768c2ecf20Sopenharmony_ci } 21778c2ecf20Sopenharmony_ci 21788c2ecf20Sopenharmony_ci err = ovs_ct_limit_del_zone_limit(a[OVS_CT_LIMIT_ATTR_ZONE_LIMIT], 21798c2ecf20Sopenharmony_ci ct_limit_info); 21808c2ecf20Sopenharmony_ci if (err) 21818c2ecf20Sopenharmony_ci goto exit_err; 21828c2ecf20Sopenharmony_ci 21838c2ecf20Sopenharmony_ci genlmsg_end(reply, ovs_reply_header); 21848c2ecf20Sopenharmony_ci return genlmsg_reply(reply, info); 21858c2ecf20Sopenharmony_ci 21868c2ecf20Sopenharmony_ciexit_err: 21878c2ecf20Sopenharmony_ci nlmsg_free(reply); 21888c2ecf20Sopenharmony_ci return err; 21898c2ecf20Sopenharmony_ci} 21908c2ecf20Sopenharmony_ci 21918c2ecf20Sopenharmony_cistatic int ovs_ct_limit_cmd_get(struct sk_buff *skb, struct genl_info *info) 21928c2ecf20Sopenharmony_ci{ 21938c2ecf20Sopenharmony_ci struct nlattr **a = info->attrs; 21948c2ecf20Sopenharmony_ci struct nlattr *nla_reply; 21958c2ecf20Sopenharmony_ci struct sk_buff *reply; 21968c2ecf20Sopenharmony_ci struct ovs_header *ovs_reply_header; 21978c2ecf20Sopenharmony_ci struct net *net = sock_net(skb->sk); 21988c2ecf20Sopenharmony_ci struct ovs_net *ovs_net = net_generic(net, ovs_net_id); 21998c2ecf20Sopenharmony_ci struct ovs_ct_limit_info *ct_limit_info = ovs_net->ct_limit_info; 22008c2ecf20Sopenharmony_ci int err; 22018c2ecf20Sopenharmony_ci 22028c2ecf20Sopenharmony_ci reply = ovs_ct_limit_cmd_reply_start(info, OVS_CT_LIMIT_CMD_GET, 22038c2ecf20Sopenharmony_ci &ovs_reply_header); 22048c2ecf20Sopenharmony_ci if (IS_ERR(reply)) 22058c2ecf20Sopenharmony_ci return 
PTR_ERR(reply); 22068c2ecf20Sopenharmony_ci 22078c2ecf20Sopenharmony_ci nla_reply = nla_nest_start_noflag(reply, OVS_CT_LIMIT_ATTR_ZONE_LIMIT); 22088c2ecf20Sopenharmony_ci if (!nla_reply) { 22098c2ecf20Sopenharmony_ci err = -EMSGSIZE; 22108c2ecf20Sopenharmony_ci goto exit_err; 22118c2ecf20Sopenharmony_ci } 22128c2ecf20Sopenharmony_ci 22138c2ecf20Sopenharmony_ci if (a[OVS_CT_LIMIT_ATTR_ZONE_LIMIT]) { 22148c2ecf20Sopenharmony_ci err = ovs_ct_limit_get_zone_limit( 22158c2ecf20Sopenharmony_ci net, a[OVS_CT_LIMIT_ATTR_ZONE_LIMIT], ct_limit_info, 22168c2ecf20Sopenharmony_ci reply); 22178c2ecf20Sopenharmony_ci if (err) 22188c2ecf20Sopenharmony_ci goto exit_err; 22198c2ecf20Sopenharmony_ci } else { 22208c2ecf20Sopenharmony_ci err = ovs_ct_limit_get_all_zone_limit(net, ct_limit_info, 22218c2ecf20Sopenharmony_ci reply); 22228c2ecf20Sopenharmony_ci if (err) 22238c2ecf20Sopenharmony_ci goto exit_err; 22248c2ecf20Sopenharmony_ci } 22258c2ecf20Sopenharmony_ci 22268c2ecf20Sopenharmony_ci nla_nest_end(reply, nla_reply); 22278c2ecf20Sopenharmony_ci genlmsg_end(reply, ovs_reply_header); 22288c2ecf20Sopenharmony_ci return genlmsg_reply(reply, info); 22298c2ecf20Sopenharmony_ci 22308c2ecf20Sopenharmony_ciexit_err: 22318c2ecf20Sopenharmony_ci nlmsg_free(reply); 22328c2ecf20Sopenharmony_ci return err; 22338c2ecf20Sopenharmony_ci} 22348c2ecf20Sopenharmony_ci 22358c2ecf20Sopenharmony_cistatic const struct genl_small_ops ct_limit_genl_ops[] = { 22368c2ecf20Sopenharmony_ci { .cmd = OVS_CT_LIMIT_CMD_SET, 22378c2ecf20Sopenharmony_ci .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 22388c2ecf20Sopenharmony_ci .flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN 22398c2ecf20Sopenharmony_ci * privilege. 
*/ 22408c2ecf20Sopenharmony_ci .doit = ovs_ct_limit_cmd_set, 22418c2ecf20Sopenharmony_ci }, 22428c2ecf20Sopenharmony_ci { .cmd = OVS_CT_LIMIT_CMD_DEL, 22438c2ecf20Sopenharmony_ci .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 22448c2ecf20Sopenharmony_ci .flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN 22458c2ecf20Sopenharmony_ci * privilege. */ 22468c2ecf20Sopenharmony_ci .doit = ovs_ct_limit_cmd_del, 22478c2ecf20Sopenharmony_ci }, 22488c2ecf20Sopenharmony_ci { .cmd = OVS_CT_LIMIT_CMD_GET, 22498c2ecf20Sopenharmony_ci .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 22508c2ecf20Sopenharmony_ci .flags = 0, /* OK for unprivileged users. */ 22518c2ecf20Sopenharmony_ci .doit = ovs_ct_limit_cmd_get, 22528c2ecf20Sopenharmony_ci }, 22538c2ecf20Sopenharmony_ci}; 22548c2ecf20Sopenharmony_ci 22558c2ecf20Sopenharmony_cistatic const struct genl_multicast_group ovs_ct_limit_multicast_group = { 22568c2ecf20Sopenharmony_ci .name = OVS_CT_LIMIT_MCGROUP, 22578c2ecf20Sopenharmony_ci}; 22588c2ecf20Sopenharmony_ci 22598c2ecf20Sopenharmony_cistruct genl_family dp_ct_limit_genl_family __ro_after_init = { 22608c2ecf20Sopenharmony_ci .hdrsize = sizeof(struct ovs_header), 22618c2ecf20Sopenharmony_ci .name = OVS_CT_LIMIT_FAMILY, 22628c2ecf20Sopenharmony_ci .version = OVS_CT_LIMIT_VERSION, 22638c2ecf20Sopenharmony_ci .maxattr = OVS_CT_LIMIT_ATTR_MAX, 22648c2ecf20Sopenharmony_ci .policy = ct_limit_policy, 22658c2ecf20Sopenharmony_ci .netnsok = true, 22668c2ecf20Sopenharmony_ci .parallel_ops = true, 22678c2ecf20Sopenharmony_ci .small_ops = ct_limit_genl_ops, 22688c2ecf20Sopenharmony_ci .n_small_ops = ARRAY_SIZE(ct_limit_genl_ops), 22698c2ecf20Sopenharmony_ci .mcgrps = &ovs_ct_limit_multicast_group, 22708c2ecf20Sopenharmony_ci .n_mcgrps = 1, 22718c2ecf20Sopenharmony_ci .module = THIS_MODULE, 22728c2ecf20Sopenharmony_ci}; 22738c2ecf20Sopenharmony_ci#endif 22748c2ecf20Sopenharmony_ci 22758c2ecf20Sopenharmony_ciint ovs_ct_init(struct net *net) 
22768c2ecf20Sopenharmony_ci{ 22778c2ecf20Sopenharmony_ci unsigned int n_bits = sizeof(struct ovs_key_ct_labels) * BITS_PER_BYTE; 22788c2ecf20Sopenharmony_ci struct ovs_net *ovs_net = net_generic(net, ovs_net_id); 22798c2ecf20Sopenharmony_ci 22808c2ecf20Sopenharmony_ci if (nf_connlabels_get(net, n_bits - 1)) { 22818c2ecf20Sopenharmony_ci ovs_net->xt_label = false; 22828c2ecf20Sopenharmony_ci OVS_NLERR(true, "Failed to set connlabel length"); 22838c2ecf20Sopenharmony_ci } else { 22848c2ecf20Sopenharmony_ci ovs_net->xt_label = true; 22858c2ecf20Sopenharmony_ci } 22868c2ecf20Sopenharmony_ci 22878c2ecf20Sopenharmony_ci#if IS_ENABLED(CONFIG_NETFILTER_CONNCOUNT) 22888c2ecf20Sopenharmony_ci return ovs_ct_limit_init(net, ovs_net); 22898c2ecf20Sopenharmony_ci#else 22908c2ecf20Sopenharmony_ci return 0; 22918c2ecf20Sopenharmony_ci#endif 22928c2ecf20Sopenharmony_ci} 22938c2ecf20Sopenharmony_ci 22948c2ecf20Sopenharmony_civoid ovs_ct_exit(struct net *net) 22958c2ecf20Sopenharmony_ci{ 22968c2ecf20Sopenharmony_ci struct ovs_net *ovs_net = net_generic(net, ovs_net_id); 22978c2ecf20Sopenharmony_ci 22988c2ecf20Sopenharmony_ci#if IS_ENABLED(CONFIG_NETFILTER_CONNCOUNT) 22998c2ecf20Sopenharmony_ci ovs_ct_limit_exit(net, ovs_net); 23008c2ecf20Sopenharmony_ci#endif 23018c2ecf20Sopenharmony_ci 23028c2ecf20Sopenharmony_ci if (ovs_net->xt_label) 23038c2ecf20Sopenharmony_ci nf_connlabels_put(net); 23048c2ecf20Sopenharmony_ci} 2305