2 * Copyright (c) 2015 Nicira, Inc.
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of version 2 of the GNU General Public
6 * License as published by the Free Software Foundation.
8 * This program is distributed in the hope that it will be useful, but
9 * WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
11 * General Public License for more details.
14 #include <linux/module.h>
15 #include <linux/openvswitch.h>
16 #include <linux/tcp.h>
17 #include <linux/udp.h>
18 #include <linux/sctp.h>
19 #include <linux/static_key.h>
21 #include <net/genetlink.h>
22 #include <net/netfilter/nf_conntrack_core.h>
23 #include <net/netfilter/nf_conntrack_count.h>
24 #include <net/netfilter/nf_conntrack_helper.h>
25 #include <net/netfilter/nf_conntrack_labels.h>
26 #include <net/netfilter/nf_conntrack_seqadj.h>
27 #include <net/netfilter/nf_conntrack_zones.h>
28 #include <net/netfilter/ipv6/nf_defrag_ipv6.h>
29 #include <net/ipv6_frag.h>
31 #ifdef CONFIG_NF_NAT_NEEDED
32 #include <net/netfilter/nf_nat.h>
36 #include "conntrack.h"
38 #include "flow_netlink.h"
40 struct ovs_ct_len_tbl {
45 /* Metadata mark for masked write to conntrack mark */
51 /* Metadata label for masked write to conntrack label. */
53 struct ovs_key_ct_labels value;
54 struct ovs_key_ct_labels mask;
58 OVS_CT_NAT = 1 << 0, /* NAT for committed connections only. */
59 OVS_CT_SRC_NAT = 1 << 1, /* Source NAT for NEW connections. */
60 OVS_CT_DST_NAT = 1 << 2, /* Destination NAT for NEW connections. */
63 /* Conntrack action context for execution. */
64 struct ovs_conntrack_info {
65 struct nf_conntrack_helper *helper;
66 struct nf_conntrack_zone zone;
69 u8 nat : 3; /* enum ovs_ct_nat */
71 u8 have_eventmask : 1;
73 u32 eventmask; /* Mask of 1 << IPCT_*. */
75 struct md_labels labels;
76 #ifdef CONFIG_NF_NAT_NEEDED
77 struct nf_nat_range2 range; /* Only present for SRC NAT and DST NAT. */
81 #if IS_ENABLED(CONFIG_NETFILTER_CONNCOUNT)
82 #define OVS_CT_LIMIT_UNLIMITED 0
83 #define OVS_CT_LIMIT_DEFAULT OVS_CT_LIMIT_UNLIMITED
84 #define CT_LIMIT_HASH_BUCKETS 512
85 static DEFINE_STATIC_KEY_FALSE(ovs_ct_limit_enabled);
88 /* Elements in ovs_ct_limit_info->limits hash table */
89 struct hlist_node hlist_node;
95 struct ovs_ct_limit_info {
97 struct hlist_head *limits;
98 struct nf_conncount_data *data;
101 static const struct nla_policy ct_limit_policy[OVS_CT_LIMIT_ATTR_MAX + 1] = {
102 [OVS_CT_LIMIT_ATTR_ZONE_LIMIT] = { .type = NLA_NESTED, },
106 static bool labels_nonzero(const struct ovs_key_ct_labels *labels);
108 static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info);
110 static u16 key_to_nfproto(const struct sw_flow_key *key)
112 switch (ntohs(key->eth.type)) {
118 return NFPROTO_UNSPEC;
122 /* Map SKB connection state into the values used by flow definition. */
123 static u8 ovs_ct_get_state(enum ip_conntrack_info ctinfo)
125 u8 ct_state = OVS_CS_F_TRACKED;
128 case IP_CT_ESTABLISHED_REPLY:
129 case IP_CT_RELATED_REPLY:
130 ct_state |= OVS_CS_F_REPLY_DIR;
137 case IP_CT_ESTABLISHED:
138 case IP_CT_ESTABLISHED_REPLY:
139 ct_state |= OVS_CS_F_ESTABLISHED;
142 case IP_CT_RELATED_REPLY:
143 ct_state |= OVS_CS_F_RELATED;
146 ct_state |= OVS_CS_F_NEW;
155 static u32 ovs_ct_get_mark(const struct nf_conn *ct)
157 #if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK)
158 return ct ? ct->mark : 0;
164 /* Guard against conntrack labels max size shrinking below 128 bits. */
165 #if NF_CT_LABELS_MAX_SIZE < 16
166 #error NF_CT_LABELS_MAX_SIZE must be at least 16 bytes
169 static void ovs_ct_get_labels(const struct nf_conn *ct,
170 struct ovs_key_ct_labels *labels)
172 struct nf_conn_labels *cl = ct ? nf_ct_labels_find(ct) : NULL;
175 memcpy(labels, cl->bits, OVS_CT_LABELS_LEN);
177 memset(labels, 0, OVS_CT_LABELS_LEN);
180 static void __ovs_ct_update_key_orig_tp(struct sw_flow_key *key,
181 const struct nf_conntrack_tuple *orig,
184 key->ct_orig_proto = orig->dst.protonum;
185 if (orig->dst.protonum == icmp_proto) {
186 key->ct.orig_tp.src = htons(orig->dst.u.icmp.type);
187 key->ct.orig_tp.dst = htons(orig->dst.u.icmp.code);
189 key->ct.orig_tp.src = orig->src.u.all;
190 key->ct.orig_tp.dst = orig->dst.u.all;
194 static void __ovs_ct_update_key(struct sw_flow_key *key, u8 state,
195 const struct nf_conntrack_zone *zone,
196 const struct nf_conn *ct)
198 key->ct_state = state;
199 key->ct_zone = zone->id;
200 key->ct.mark = ovs_ct_get_mark(ct);
201 ovs_ct_get_labels(ct, &key->ct.labels);
204 const struct nf_conntrack_tuple *orig;
206 /* Use the master if we have one. */
209 orig = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
211 /* IP version must match with the master connection. */
212 if (key->eth.type == htons(ETH_P_IP) &&
213 nf_ct_l3num(ct) == NFPROTO_IPV4) {
214 key->ipv4.ct_orig.src = orig->src.u3.ip;
215 key->ipv4.ct_orig.dst = orig->dst.u3.ip;
216 __ovs_ct_update_key_orig_tp(key, orig, IPPROTO_ICMP);
218 } else if (key->eth.type == htons(ETH_P_IPV6) &&
219 !sw_flow_key_is_nd(key) &&
220 nf_ct_l3num(ct) == NFPROTO_IPV6) {
221 key->ipv6.ct_orig.src = orig->src.u3.in6;
222 key->ipv6.ct_orig.dst = orig->dst.u3.in6;
223 __ovs_ct_update_key_orig_tp(key, orig, NEXTHDR_ICMP);
227 /* Clear 'ct_orig_proto' to mark the non-existence of conntrack
228 * original direction key fields.
230 key->ct_orig_proto = 0;
233 /* Update 'key' based on skb->_nfct. If 'post_ct' is true, then OVS has
234 * previously sent the packet to conntrack via the ct action. If
235 * 'keep_nat_flags' is true, the existing NAT flags retained, else they are
236 * initialized from the connection status.
238 static void ovs_ct_update_key(const struct sk_buff *skb,
239 const struct ovs_conntrack_info *info,
240 struct sw_flow_key *key, bool post_ct,
243 const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
244 enum ip_conntrack_info ctinfo;
248 ct = nf_ct_get(skb, &ctinfo);
250 state = ovs_ct_get_state(ctinfo);
251 /* All unconfirmed entries are NEW connections. */
252 if (!nf_ct_is_confirmed(ct))
253 state |= OVS_CS_F_NEW;
254 /* OVS persists the related flag for the duration of the
258 state |= OVS_CS_F_RELATED;
259 if (keep_nat_flags) {
260 state |= key->ct_state & OVS_CS_F_NAT_MASK;
262 if (ct->status & IPS_SRC_NAT)
263 state |= OVS_CS_F_SRC_NAT;
264 if (ct->status & IPS_DST_NAT)
265 state |= OVS_CS_F_DST_NAT;
267 zone = nf_ct_zone(ct);
268 } else if (post_ct) {
269 state = OVS_CS_F_TRACKED | OVS_CS_F_INVALID;
273 __ovs_ct_update_key(key, state, zone, ct);
276 /* This is called to initialize CT key fields possibly coming in from the local
279 void ovs_ct_fill_key(const struct sk_buff *skb, struct sw_flow_key *key)
281 ovs_ct_update_key(skb, NULL, key, false, false);
284 #define IN6_ADDR_INITIALIZER(ADDR) \
285 { (ADDR).s6_addr32[0], (ADDR).s6_addr32[1], \
286 (ADDR).s6_addr32[2], (ADDR).s6_addr32[3] }
288 int ovs_ct_put_key(const struct sw_flow_key *swkey,
289 const struct sw_flow_key *output, struct sk_buff *skb)
291 if (nla_put_u32(skb, OVS_KEY_ATTR_CT_STATE, output->ct_state))
294 if (IS_ENABLED(CONFIG_NF_CONNTRACK_ZONES) &&
295 nla_put_u16(skb, OVS_KEY_ATTR_CT_ZONE, output->ct_zone))
298 if (IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) &&
299 nla_put_u32(skb, OVS_KEY_ATTR_CT_MARK, output->ct.mark))
302 if (IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS) &&
303 nla_put(skb, OVS_KEY_ATTR_CT_LABELS, sizeof(output->ct.labels),
307 if (swkey->ct_orig_proto) {
308 if (swkey->eth.type == htons(ETH_P_IP)) {
309 struct ovs_key_ct_tuple_ipv4 orig = {
310 output->ipv4.ct_orig.src,
311 output->ipv4.ct_orig.dst,
312 output->ct.orig_tp.src,
313 output->ct.orig_tp.dst,
314 output->ct_orig_proto,
316 if (nla_put(skb, OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4,
317 sizeof(orig), &orig))
319 } else if (swkey->eth.type == htons(ETH_P_IPV6)) {
320 struct ovs_key_ct_tuple_ipv6 orig = {
321 IN6_ADDR_INITIALIZER(output->ipv6.ct_orig.src),
322 IN6_ADDR_INITIALIZER(output->ipv6.ct_orig.dst),
323 output->ct.orig_tp.src,
324 output->ct.orig_tp.dst,
325 output->ct_orig_proto,
327 if (nla_put(skb, OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6,
328 sizeof(orig), &orig))
336 static int ovs_ct_set_mark(struct nf_conn *ct, struct sw_flow_key *key,
337 u32 ct_mark, u32 mask)
339 #if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK)
342 new_mark = ct_mark | (ct->mark & ~(mask));
343 if (ct->mark != new_mark) {
345 if (nf_ct_is_confirmed(ct))
346 nf_conntrack_event_cache(IPCT_MARK, ct);
347 key->ct.mark = new_mark;
356 static struct nf_conn_labels *ovs_ct_get_conn_labels(struct nf_conn *ct)
358 struct nf_conn_labels *cl;
360 cl = nf_ct_labels_find(ct);
362 nf_ct_labels_ext_add(ct);
363 cl = nf_ct_labels_find(ct);
369 /* Initialize labels for a new, yet to be committed conntrack entry. Note that
370 * since the new connection is not yet confirmed, and thus no-one else has
371 * access to it's labels, we simply write them over.
373 static int ovs_ct_init_labels(struct nf_conn *ct, struct sw_flow_key *key,
374 const struct ovs_key_ct_labels *labels,
375 const struct ovs_key_ct_labels *mask)
377 struct nf_conn_labels *cl, *master_cl;
378 bool have_mask = labels_nonzero(mask);
380 /* Inherit master's labels to the related connection? */
381 master_cl = ct->master ? nf_ct_labels_find(ct->master) : NULL;
383 if (!master_cl && !have_mask)
384 return 0; /* Nothing to do. */
386 cl = ovs_ct_get_conn_labels(ct);
390 /* Inherit the master's labels, if any. */
395 u32 *dst = (u32 *)cl->bits;
398 for (i = 0; i < OVS_CT_LABELS_LEN_32; i++)
399 dst[i] = (dst[i] & ~mask->ct_labels_32[i]) |
400 (labels->ct_labels_32[i]
401 & mask->ct_labels_32[i]);
404 /* Labels are included in the IPCTNL_MSG_CT_NEW event only if the
405 * IPCT_LABEL bit is set in the event cache.
407 nf_conntrack_event_cache(IPCT_LABEL, ct);
409 memcpy(&key->ct.labels, cl->bits, OVS_CT_LABELS_LEN);
414 static int ovs_ct_set_labels(struct nf_conn *ct, struct sw_flow_key *key,
415 const struct ovs_key_ct_labels *labels,
416 const struct ovs_key_ct_labels *mask)
418 struct nf_conn_labels *cl;
421 cl = ovs_ct_get_conn_labels(ct);
425 err = nf_connlabels_replace(ct, labels->ct_labels_32,
427 OVS_CT_LABELS_LEN_32);
431 memcpy(&key->ct.labels, cl->bits, OVS_CT_LABELS_LEN);
436 /* 'skb' should already be pulled to nh_ofs. */
437 static int ovs_ct_helper(struct sk_buff *skb, u16 proto)
439 const struct nf_conntrack_helper *helper;
440 const struct nf_conn_help *help;
441 enum ip_conntrack_info ctinfo;
442 unsigned int protoff;
446 ct = nf_ct_get(skb, &ctinfo);
447 if (!ct || ctinfo == IP_CT_RELATED_REPLY)
450 help = nfct_help(ct);
454 helper = rcu_dereference(help->helper);
460 protoff = ip_hdrlen(skb);
463 u8 nexthdr = ipv6_hdr(skb)->nexthdr;
467 ofs = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr,
469 if (ofs < 0 || (frag_off & htons(~0x7)) != 0) {
470 pr_debug("proto header not found\n");
477 WARN_ONCE(1, "helper invoked on non-IP family!");
481 err = helper->help(skb, protoff, ct, ctinfo);
482 if (err != NF_ACCEPT)
485 /* Adjust seqs after helper. This is needed due to some helpers (e.g.,
486 * FTP with NAT) adusting the TCP payload size when mangling IP
487 * addresses and/or port numbers in the text-based control connection.
489 if (test_bit(IPS_SEQ_ADJUST_BIT, &ct->status) &&
490 !nf_ct_seq_adjust(skb, ct, ctinfo, protoff))
495 /* Returns 0 on success, -EINPROGRESS if 'skb' is stolen, or other nonzero
496 * value if 'skb' is freed.
498 static int handle_fragments(struct net *net, struct sw_flow_key *key,
499 u16 zone, struct sk_buff *skb)
501 struct ovs_skb_cb ovs_cb = *OVS_CB(skb);
504 if (key->eth.type == htons(ETH_P_IP)) {
505 enum ip_defrag_users user = IP_DEFRAG_CONNTRACK_IN + zone;
507 memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
508 err = ip_defrag(net, skb, user);
512 ovs_cb.mru = IPCB(skb)->frag_max_size;
513 #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
514 } else if (key->eth.type == htons(ETH_P_IPV6)) {
515 enum ip6_defrag_users user = IP6_DEFRAG_CONNTRACK_IN + zone;
517 memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm));
518 err = nf_ct_frag6_gather(net, skb, user);
520 if (err != -EINPROGRESS)
525 key->ip.proto = ipv6_hdr(skb)->nexthdr;
526 ovs_cb.mru = IP6CB(skb)->frag_max_size;
530 return -EPFNOSUPPORT;
533 key->ip.frag = OVS_FRAG_TYPE_NONE;
536 *OVS_CB(skb) = ovs_cb;
541 static struct nf_conntrack_expect *
542 ovs_ct_expect_find(struct net *net, const struct nf_conntrack_zone *zone,
543 u16 proto, const struct sk_buff *skb)
545 struct nf_conntrack_tuple tuple;
546 struct nf_conntrack_expect *exp;
548 if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb), proto, net, &tuple))
551 exp = __nf_ct_expect_find(net, zone, &tuple);
553 struct nf_conntrack_tuple_hash *h;
555 /* Delete existing conntrack entry, if it clashes with the
556 * expectation. This can happen since conntrack ALGs do not
557 * check for clashes between (new) expectations and existing
558 * conntrack entries. nf_conntrack_in() will check the
559 * expectations only if a conntrack entry can not be found,
560 * which can lead to OVS finding the expectation (here) in the
561 * init direction, but which will not be removed by the
562 * nf_conntrack_in() call, if a matching conntrack entry is
563 * found instead. In this case all init direction packets
564 * would be reported as new related packets, while reply
565 * direction packets would be reported as un-related
566 * established packets.
568 h = nf_conntrack_find_get(net, zone, &tuple);
570 struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
572 nf_ct_delete(ct, 0, 0);
573 nf_conntrack_put(&ct->ct_general);
580 /* This replicates logic from nf_conntrack_core.c that is not exported. */
581 static enum ip_conntrack_info
582 ovs_ct_get_info(const struct nf_conntrack_tuple_hash *h)
584 const struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
586 if (NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY)
587 return IP_CT_ESTABLISHED_REPLY;
588 /* Once we've had two way comms, always ESTABLISHED. */
589 if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status))
590 return IP_CT_ESTABLISHED;
591 if (test_bit(IPS_EXPECTED_BIT, &ct->status))
592 return IP_CT_RELATED;
596 /* Find an existing connection which this packet belongs to without
597 * re-attributing statistics or modifying the connection state. This allows an
598 * skb->_nfct lost due to an upcall to be recovered during actions execution.
600 * Must be called with rcu_read_lock.
602 * On success, populates skb->_nfct and returns the connection. Returns NULL
603 * if there is no existing entry.
605 static struct nf_conn *
606 ovs_ct_find_existing(struct net *net, const struct nf_conntrack_zone *zone,
607 u8 l3num, struct sk_buff *skb, bool natted)
609 struct nf_conntrack_tuple tuple;
610 struct nf_conntrack_tuple_hash *h;
613 if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb), l3num,
615 pr_debug("ovs_ct_find_existing: Can't get tuple\n");
619 /* Must invert the tuple if skb has been transformed by NAT. */
621 struct nf_conntrack_tuple inverse;
623 if (!nf_ct_invert_tuple(&inverse, &tuple)) {
624 pr_debug("ovs_ct_find_existing: Inversion failed!\n");
630 /* look for tuple match */
631 h = nf_conntrack_find_get(net, zone, &tuple);
633 return NULL; /* Not found. */
635 ct = nf_ct_tuplehash_to_ctrack(h);
637 /* Inverted packet tuple matches the reverse direction conntrack tuple,
638 * select the other tuplehash to get the right 'ctinfo' bits for this
642 h = &ct->tuplehash[!h->tuple.dst.dir];
644 nf_ct_set(skb, ct, ovs_ct_get_info(h));
649 struct nf_conn *ovs_ct_executed(struct net *net,
650 const struct sw_flow_key *key,
651 const struct ovs_conntrack_info *info,
655 struct nf_conn *ct = NULL;
657 /* If no ct, check if we have evidence that an existing conntrack entry
658 * might be found for this skb. This happens when we lose a skb->_nfct
659 * due to an upcall, or if the direction is being forced. If the
660 * connection was not confirmed, it is not cached and needs to be run
661 * through conntrack again.
663 *ct_executed = (key->ct_state & OVS_CS_F_TRACKED) &&
664 !(key->ct_state & OVS_CS_F_INVALID) &&
665 (key->ct_zone == info->zone.id);
667 if (*ct_executed || (!key->ct_state && info->force)) {
668 ct = ovs_ct_find_existing(net, &info->zone, info->family, skb,
676 /* Determine whether skb->_nfct is equal to the result of conntrack lookup. */
677 static bool skb_nfct_cached(struct net *net,
678 const struct sw_flow_key *key,
679 const struct ovs_conntrack_info *info,
682 enum ip_conntrack_info ctinfo;
684 bool ct_executed = true;
686 ct = nf_ct_get(skb, &ctinfo);
688 ct = ovs_ct_executed(net, key, info, skb, &ct_executed);
691 nf_ct_get(skb, &ctinfo);
695 if (!net_eq(net, read_pnet(&ct->ct_net)))
697 if (!nf_ct_zone_equal_any(info->ct, nf_ct_zone(ct)))
700 struct nf_conn_help *help;
702 help = nf_ct_ext_find(ct, NF_CT_EXT_HELPER);
703 if (help && rcu_access_pointer(help->helper) != info->helper)
706 /* Force conntrack entry direction to the current packet? */
707 if (info->force && CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL) {
708 /* Delete the conntrack entry if confirmed, else just release
711 if (nf_ct_is_confirmed(ct))
712 nf_ct_delete(ct, 0, 0);
714 nf_conntrack_put(&ct->ct_general);
715 nf_ct_set(skb, NULL, 0);
722 #ifdef CONFIG_NF_NAT_NEEDED
723 /* Modelled after nf_nat_ipv[46]_fn().
724 * range is only used for new, uninitialized NAT state.
725 * Returns either NF_ACCEPT or NF_DROP.
727 static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct,
728 enum ip_conntrack_info ctinfo,
729 const struct nf_nat_range2 *range,
730 enum nf_nat_manip_type maniptype)
732 int hooknum, nh_off, err = NF_ACCEPT;
734 nh_off = skb_network_offset(skb);
735 skb_pull_rcsum(skb, nh_off);
737 /* See HOOK2MANIP(). */
738 if (maniptype == NF_NAT_MANIP_SRC)
739 hooknum = NF_INET_LOCAL_IN; /* Source NAT */
741 hooknum = NF_INET_LOCAL_OUT; /* Destination NAT */
745 case IP_CT_RELATED_REPLY:
746 if (IS_ENABLED(CONFIG_NF_NAT) &&
747 skb->protocol == htons(ETH_P_IP) &&
748 ip_hdr(skb)->protocol == IPPROTO_ICMP) {
749 if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo,
753 } else if (IS_ENABLED(CONFIG_IPV6) &&
754 skb->protocol == htons(ETH_P_IPV6)) {
756 u8 nexthdr = ipv6_hdr(skb)->nexthdr;
757 int hdrlen = ipv6_skip_exthdr(skb,
758 sizeof(struct ipv6hdr),
759 &nexthdr, &frag_off);
761 if (hdrlen >= 0 && nexthdr == IPPROTO_ICMPV6) {
762 if (!nf_nat_icmpv6_reply_translation(skb, ct,
770 /* Non-ICMP, fall thru to initialize if needed. */
773 /* Seen it before? This can happen for loopback, retrans,
776 if (!nf_nat_initialized(ct, maniptype)) {
777 /* Initialize according to the NAT action. */
778 err = (range && range->flags & NF_NAT_RANGE_MAP_IPS)
779 /* Action is set up to establish a new
782 ? nf_nat_setup_info(ct, range, maniptype)
783 : nf_nat_alloc_null_binding(ct, hooknum);
784 if (err != NF_ACCEPT)
789 case IP_CT_ESTABLISHED:
790 case IP_CT_ESTABLISHED_REPLY:
798 err = nf_nat_packet(ct, ctinfo, hooknum, skb);
800 skb_push(skb, nh_off);
801 skb_postpush_rcsum(skb, skb->data, nh_off);
806 static void ovs_nat_update_key(struct sw_flow_key *key,
807 const struct sk_buff *skb,
808 enum nf_nat_manip_type maniptype)
810 if (maniptype == NF_NAT_MANIP_SRC) {
813 key->ct_state |= OVS_CS_F_SRC_NAT;
814 if (key->eth.type == htons(ETH_P_IP))
815 key->ipv4.addr.src = ip_hdr(skb)->saddr;
816 else if (key->eth.type == htons(ETH_P_IPV6))
817 memcpy(&key->ipv6.addr.src, &ipv6_hdr(skb)->saddr,
818 sizeof(key->ipv6.addr.src));
822 if (key->ip.proto == IPPROTO_UDP)
823 src = udp_hdr(skb)->source;
824 else if (key->ip.proto == IPPROTO_TCP)
825 src = tcp_hdr(skb)->source;
826 else if (key->ip.proto == IPPROTO_SCTP)
827 src = sctp_hdr(skb)->source;
835 key->ct_state |= OVS_CS_F_DST_NAT;
836 if (key->eth.type == htons(ETH_P_IP))
837 key->ipv4.addr.dst = ip_hdr(skb)->daddr;
838 else if (key->eth.type == htons(ETH_P_IPV6))
839 memcpy(&key->ipv6.addr.dst, &ipv6_hdr(skb)->daddr,
840 sizeof(key->ipv6.addr.dst));
844 if (key->ip.proto == IPPROTO_UDP)
845 dst = udp_hdr(skb)->dest;
846 else if (key->ip.proto == IPPROTO_TCP)
847 dst = tcp_hdr(skb)->dest;
848 else if (key->ip.proto == IPPROTO_SCTP)
849 dst = sctp_hdr(skb)->dest;
857 /* Returns NF_DROP if the packet should be dropped, NF_ACCEPT otherwise. */
858 static int ovs_ct_nat(struct net *net, struct sw_flow_key *key,
859 const struct ovs_conntrack_info *info,
860 struct sk_buff *skb, struct nf_conn *ct,
861 enum ip_conntrack_info ctinfo)
863 enum nf_nat_manip_type maniptype;
866 /* Add NAT extension if not confirmed yet. */
867 if (!nf_ct_is_confirmed(ct) && !nf_ct_nat_ext_add(ct))
868 return NF_ACCEPT; /* Can't NAT. */
870 /* Determine NAT type.
871 * Check if the NAT type can be deduced from the tracked connection.
872 * Make sure new expected connections (IP_CT_RELATED) are NATted only
875 if (info->nat & OVS_CT_NAT && ctinfo != IP_CT_NEW &&
876 ct->status & IPS_NAT_MASK &&
877 (ctinfo != IP_CT_RELATED || info->commit)) {
878 /* NAT an established or related connection like before. */
879 if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY)
880 /* This is the REPLY direction for a connection
881 * for which NAT was applied in the forward
882 * direction. Do the reverse NAT.
884 maniptype = ct->status & IPS_SRC_NAT
885 ? NF_NAT_MANIP_DST : NF_NAT_MANIP_SRC;
887 maniptype = ct->status & IPS_SRC_NAT
888 ? NF_NAT_MANIP_SRC : NF_NAT_MANIP_DST;
889 } else if (info->nat & OVS_CT_SRC_NAT) {
890 maniptype = NF_NAT_MANIP_SRC;
891 } else if (info->nat & OVS_CT_DST_NAT) {
892 maniptype = NF_NAT_MANIP_DST;
894 return NF_ACCEPT; /* Connection is not NATed. */
896 err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range, maniptype);
898 /* Mark NAT done if successful and update the flow key. */
899 if (err == NF_ACCEPT)
900 ovs_nat_update_key(key, skb, maniptype);
904 #else /* !CONFIG_NF_NAT_NEEDED */
905 static int ovs_ct_nat(struct net *net, struct sw_flow_key *key,
906 const struct ovs_conntrack_info *info,
907 struct sk_buff *skb, struct nf_conn *ct,
908 enum ip_conntrack_info ctinfo)
914 /* Pass 'skb' through conntrack in 'net', using zone configured in 'info', if
915 * not done already. Update key with new CT state after passing the packet
917 * Note that if the packet is deemed invalid by conntrack, skb->_nfct will be
918 * set to NULL and 0 will be returned.
920 static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
921 const struct ovs_conntrack_info *info,
924 /* If we are recirculating packets to match on conntrack fields and
925 * committing with a separate conntrack action, then we don't need to
926 * actually run the packet through conntrack twice unless it's for a
929 bool cached = skb_nfct_cached(net, key, info, skb);
930 enum ip_conntrack_info ctinfo;
934 struct nf_hook_state state = {
935 .hook = NF_INET_PRE_ROUTING,
939 struct nf_conn *tmpl = info->ct;
942 /* Associate skb with specified zone. */
945 nf_conntrack_put(skb_nfct(skb));
946 nf_conntrack_get(&tmpl->ct_general);
947 nf_ct_set(skb, tmpl, IP_CT_NEW);
950 err = nf_conntrack_in(skb, &state);
951 if (err != NF_ACCEPT)
954 /* Clear CT state NAT flags to mark that we have not yet done
955 * NAT after the nf_conntrack_in() call. We can actually clear
956 * the whole state, as it will be re-initialized below.
960 /* Update the key, but keep the NAT flags. */
961 ovs_ct_update_key(skb, info, key, true, true);
964 ct = nf_ct_get(skb, &ctinfo);
966 /* Packets starting a new connection must be NATted before the
967 * helper, so that the helper knows about the NAT. We enforce
968 * this by delaying both NAT and helper calls for unconfirmed
969 * connections until the committing CT action. For later
970 * packets NAT and Helper may be called in either order.
972 * NAT will be done only if the CT action has NAT, and only
973 * once per packet (per zone), as guarded by the NAT bits in
976 if (info->nat && !(key->ct_state & OVS_CS_F_NAT_MASK) &&
977 (nf_ct_is_confirmed(ct) || info->commit) &&
978 ovs_ct_nat(net, key, info, skb, ct, ctinfo) != NF_ACCEPT) {
982 /* Userspace may decide to perform a ct lookup without a helper
983 * specified followed by a (recirculate and) commit with one.
984 * Therefore, for unconfirmed connections which we will commit,
985 * we need to attach the helper here.
987 if (!nf_ct_is_confirmed(ct) && info->commit &&
988 info->helper && !nfct_help(ct)) {
989 int err = __nf_ct_try_assign_helper(ct, info->ct,
995 /* Call the helper only if:
996 * - nf_conntrack_in() was executed above ("!cached") for a
997 * confirmed connection, or
998 * - When committing an unconfirmed connection.
1000 if ((nf_ct_is_confirmed(ct) ? !cached : info->commit) &&
1001 ovs_ct_helper(skb, info->family) != NF_ACCEPT) {
1009 /* Lookup connection and read fields into key. */
1010 static int ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
1011 const struct ovs_conntrack_info *info,
1012 struct sk_buff *skb)
1014 struct nf_conntrack_expect *exp;
1016 /* If we pass an expected packet through nf_conntrack_in() the
1017 * expectation is typically removed, but the packet could still be
1018 * lost in upcall processing. To prevent this from happening we
1019 * perform an explicit expectation lookup. Expected connections are
1020 * always new, and will be passed through conntrack only when they are
1021 * committed, as it is OK to remove the expectation at that time.
1023 exp = ovs_ct_expect_find(net, &info->zone, info->family, skb);
1027 /* NOTE: New connections are NATted and Helped only when
1028 * committed, so we are not calling into NAT here.
1030 state = OVS_CS_F_TRACKED | OVS_CS_F_NEW | OVS_CS_F_RELATED;
1031 __ovs_ct_update_key(key, state, &info->zone, exp->master);
1036 err = __ovs_ct_lookup(net, key, info, skb);
1040 ct = (struct nf_conn *)skb_nfct(skb);
1042 nf_ct_deliver_cached_events(ct);
1048 static bool labels_nonzero(const struct ovs_key_ct_labels *labels)
1052 for (i = 0; i < OVS_CT_LABELS_LEN_32; i++)
1053 if (labels->ct_labels_32[i])
1059 #if IS_ENABLED(CONFIG_NETFILTER_CONNCOUNT)
1060 static struct hlist_head *ct_limit_hash_bucket(
1061 const struct ovs_ct_limit_info *info, u16 zone)
1063 return &info->limits[zone & (CT_LIMIT_HASH_BUCKETS - 1)];
1066 /* Call with ovs_mutex */
1067 static void ct_limit_set(const struct ovs_ct_limit_info *info,
1068 struct ovs_ct_limit *new_ct_limit)
1070 struct ovs_ct_limit *ct_limit;
1071 struct hlist_head *head;
1073 head = ct_limit_hash_bucket(info, new_ct_limit->zone);
1074 hlist_for_each_entry_rcu(ct_limit, head, hlist_node) {
1075 if (ct_limit->zone == new_ct_limit->zone) {
1076 hlist_replace_rcu(&ct_limit->hlist_node,
1077 &new_ct_limit->hlist_node);
1078 kfree_rcu(ct_limit, rcu);
1083 hlist_add_head_rcu(&new_ct_limit->hlist_node, head);
1086 /* Call with ovs_mutex */
1087 static void ct_limit_del(const struct ovs_ct_limit_info *info, u16 zone)
1089 struct ovs_ct_limit *ct_limit;
1090 struct hlist_head *head;
1091 struct hlist_node *n;
1093 head = ct_limit_hash_bucket(info, zone);
1094 hlist_for_each_entry_safe(ct_limit, n, head, hlist_node) {
1095 if (ct_limit->zone == zone) {
1096 hlist_del_rcu(&ct_limit->hlist_node);
1097 kfree_rcu(ct_limit, rcu);
1103 /* Call with RCU read lock */
1104 static u32 ct_limit_get(const struct ovs_ct_limit_info *info, u16 zone)
1106 struct ovs_ct_limit *ct_limit;
1107 struct hlist_head *head;
1109 head = ct_limit_hash_bucket(info, zone);
1110 hlist_for_each_entry_rcu(ct_limit, head, hlist_node) {
1111 if (ct_limit->zone == zone)
1112 return ct_limit->limit;
1115 return info->default_limit;
1118 static int ovs_ct_check_limit(struct net *net,
1119 const struct ovs_conntrack_info *info,
1120 const struct nf_conntrack_tuple *tuple)
1122 struct ovs_net *ovs_net = net_generic(net, ovs_net_id);
1123 const struct ovs_ct_limit_info *ct_limit_info = ovs_net->ct_limit_info;
1124 u32 per_zone_limit, connections;
1127 conncount_key = info->zone.id;
1129 per_zone_limit = ct_limit_get(ct_limit_info, info->zone.id);
1130 if (per_zone_limit == OVS_CT_LIMIT_UNLIMITED)
1133 connections = nf_conncount_count(net, ct_limit_info->data,
1134 &conncount_key, tuple, &info->zone);
1135 if (connections > per_zone_limit)
1142 /* Lookup connection and confirm if unconfirmed. */
1143 static int ovs_ct_commit(struct net *net, struct sw_flow_key *key,
1144 const struct ovs_conntrack_info *info,
1145 struct sk_buff *skb)
1147 enum ip_conntrack_info ctinfo;
1151 err = __ovs_ct_lookup(net, key, info, skb);
1155 /* The connection could be invalid, in which case this is a no-op.*/
1156 ct = nf_ct_get(skb, &ctinfo);
1160 #if IS_ENABLED(CONFIG_NETFILTER_CONNCOUNT)
1161 if (static_branch_unlikely(&ovs_ct_limit_enabled)) {
1162 if (!nf_ct_is_confirmed(ct)) {
1163 err = ovs_ct_check_limit(net, info,
1164 &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
1166 net_warn_ratelimited("openvswitch: zone: %u "
1167 "exceeds conntrack limit\n",
1175 /* Set the conntrack event mask if given. NEW and DELETE events have
1176 * their own groups, but the NFNLGRP_CONNTRACK_UPDATE group listener
1177 * typically would receive many kinds of updates. Setting the event
1178 * mask allows those events to be filtered. The set event mask will
1179 * remain in effect for the lifetime of the connection unless changed
1180 * by a further CT action with both the commit flag and the eventmask
1182 if (info->have_eventmask) {
1183 struct nf_conntrack_ecache *cache = nf_ct_ecache_find(ct);
1186 cache->ctmask = info->eventmask;
1189 /* Apply changes before confirming the connection so that the initial
1190 * conntrack NEW netlink event carries the values given in the CT
1193 if (info->mark.mask) {
1194 err = ovs_ct_set_mark(ct, key, info->mark.value,
1199 if (!nf_ct_is_confirmed(ct)) {
1200 err = ovs_ct_init_labels(ct, key, &info->labels.value,
1201 &info->labels.mask);
1204 } else if (IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS) &&
1205 labels_nonzero(&info->labels.mask)) {
1206 err = ovs_ct_set_labels(ct, key, &info->labels.value,
1207 &info->labels.mask);
1211 /* This will take care of sending queued events even if the connection
1212 * is already confirmed.
1214 if (nf_conntrack_confirm(skb) != NF_ACCEPT)
1220 /* Trim the skb to the length specified by the IP/IPv6 header,
1221 * removing any trailing lower-layer padding. This prepares the skb
1222 * for higher-layer processing that assumes skb->len excludes padding
1223 * (such as nf_ip_checksum). The caller needs to pull the skb to the
1224 * network header, and ensure ip_hdr/ipv6_hdr points to valid data.
1226 static int ovs_skb_network_trim(struct sk_buff *skb)
1231 switch (skb->protocol) {
1232 case htons(ETH_P_IP):
1233 len = ntohs(ip_hdr(skb)->tot_len);
1235 case htons(ETH_P_IPV6):
1236 len = sizeof(struct ipv6hdr)
1237 + ntohs(ipv6_hdr(skb)->payload_len);
1243 err = pskb_trim_rcsum(skb, len);
1250 /* Returns 0 on success, -EINPROGRESS if 'skb' is stolen, or other nonzero
1251 * value if 'skb' is freed.
1253 int ovs_ct_execute(struct net *net, struct sk_buff *skb,
1254 struct sw_flow_key *key,
1255 const struct ovs_conntrack_info *info)
1260 /* The conntrack module expects to be working at L3. */
1261 nh_ofs = skb_network_offset(skb);
1262 skb_pull_rcsum(skb, nh_ofs);
1264 err = ovs_skb_network_trim(skb);
1268 if (key->ip.frag != OVS_FRAG_TYPE_NONE) {
1269 err = handle_fragments(net, key, info->zone.id, skb);
1275 err = ovs_ct_commit(net, key, info, skb);
1277 err = ovs_ct_lookup(net, key, info, skb);
1279 skb_push(skb, nh_ofs);
1280 skb_postpush_rcsum(skb, skb->data, nh_ofs);
1286 int ovs_ct_clear(struct sk_buff *skb, struct sw_flow_key *key)
1288 if (skb_nfct(skb)) {
1289 nf_conntrack_put(skb_nfct(skb));
1290 nf_ct_set(skb, NULL, IP_CT_UNTRACKED);
1291 ovs_ct_fill_key(skb, key);
1297 static int ovs_ct_add_helper(struct ovs_conntrack_info *info, const char *name,
1298 const struct sw_flow_key *key, bool log)
1300 struct nf_conntrack_helper *helper;
1301 struct nf_conn_help *help;
1303 helper = nf_conntrack_helper_try_module_get(name, info->family,
1306 OVS_NLERR(log, "Unknown helper \"%s\"", name);
1310 help = nf_ct_helper_ext_add(info->ct, GFP_KERNEL);
1312 nf_conntrack_helper_put(helper);
1316 rcu_assign_pointer(help->helper, helper);
1317 info->helper = helper;
1320 request_module("ip_nat_%s", name);
1325 #ifdef CONFIG_NF_NAT_NEEDED
1326 static int parse_nat(const struct nlattr *attr,
1327 struct ovs_conntrack_info *info, bool log)
1331 bool have_ip_max = false;
1332 bool have_proto_max = false;
1333 bool ip_vers = (info->family == NFPROTO_IPV6);
1335 nla_for_each_nested(a, attr, rem) {
1336 static const int ovs_nat_attr_lens[OVS_NAT_ATTR_MAX + 1][2] = {
1337 [OVS_NAT_ATTR_SRC] = {0, 0},
1338 [OVS_NAT_ATTR_DST] = {0, 0},
1339 [OVS_NAT_ATTR_IP_MIN] = {sizeof(struct in_addr),
1340 sizeof(struct in6_addr)},
1341 [OVS_NAT_ATTR_IP_MAX] = {sizeof(struct in_addr),
1342 sizeof(struct in6_addr)},
1343 [OVS_NAT_ATTR_PROTO_MIN] = {sizeof(u16), sizeof(u16)},
1344 [OVS_NAT_ATTR_PROTO_MAX] = {sizeof(u16), sizeof(u16)},
1345 [OVS_NAT_ATTR_PERSISTENT] = {0, 0},
1346 [OVS_NAT_ATTR_PROTO_HASH] = {0, 0},
1347 [OVS_NAT_ATTR_PROTO_RANDOM] = {0, 0},
1349 int type = nla_type(a);
1351 if (type > OVS_NAT_ATTR_MAX) {
1352 OVS_NLERR(log, "Unknown NAT attribute (type=%d, max=%d)",
1353 type, OVS_NAT_ATTR_MAX);
1357 if (nla_len(a) != ovs_nat_attr_lens[type][ip_vers]) {
1358 OVS_NLERR(log, "NAT attribute type %d has unexpected length (%d != %d)",
1360 ovs_nat_attr_lens[type][ip_vers]);
1365 case OVS_NAT_ATTR_SRC:
1366 case OVS_NAT_ATTR_DST:
1368 OVS_NLERR(log, "Only one type of NAT may be specified");
1371 info->nat |= OVS_CT_NAT;
1372 info->nat |= ((type == OVS_NAT_ATTR_SRC)
1373 ? OVS_CT_SRC_NAT : OVS_CT_DST_NAT);
1376 case OVS_NAT_ATTR_IP_MIN:
1377 nla_memcpy(&info->range.min_addr, a,
1378 sizeof(info->range.min_addr));
1379 info->range.flags |= NF_NAT_RANGE_MAP_IPS;
1382 case OVS_NAT_ATTR_IP_MAX:
1384 nla_memcpy(&info->range.max_addr, a,
1385 sizeof(info->range.max_addr));
1386 info->range.flags |= NF_NAT_RANGE_MAP_IPS;
1389 case OVS_NAT_ATTR_PROTO_MIN:
1390 info->range.min_proto.all = htons(nla_get_u16(a));
1391 info->range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
1394 case OVS_NAT_ATTR_PROTO_MAX:
1395 have_proto_max = true;
1396 info->range.max_proto.all = htons(nla_get_u16(a));
1397 info->range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
1400 case OVS_NAT_ATTR_PERSISTENT:
1401 info->range.flags |= NF_NAT_RANGE_PERSISTENT;
1404 case OVS_NAT_ATTR_PROTO_HASH:
1405 info->range.flags |= NF_NAT_RANGE_PROTO_RANDOM;
1408 case OVS_NAT_ATTR_PROTO_RANDOM:
1409 info->range.flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY;
1413 OVS_NLERR(log, "Unknown nat attribute (%d)", type);
1419 OVS_NLERR(log, "NAT attribute has %d unknown bytes", rem);
1423 /* Do not allow flags if no type is given. */
1424 if (info->range.flags) {
1426 "NAT flags may be given only when NAT range (SRC or DST) is also specified."
1430 info->nat = OVS_CT_NAT; /* NAT existing connections. */
1431 } else if (!info->commit) {
1433 "NAT attributes may be specified only when CT COMMIT flag is also specified."
1437 /* Allow missing IP_MAX. */
1438 if (info->range.flags & NF_NAT_RANGE_MAP_IPS && !have_ip_max) {
1439 memcpy(&info->range.max_addr, &info->range.min_addr,
1440 sizeof(info->range.max_addr));
1442 /* Allow missing PROTO_MAX. */
1443 if (info->range.flags & NF_NAT_RANGE_PROTO_SPECIFIED &&
1445 info->range.max_proto.all = info->range.min_proto.all;
1451 static const struct ovs_ct_len_tbl ovs_ct_attr_lens[OVS_CT_ATTR_MAX + 1] = {
1452 [OVS_CT_ATTR_COMMIT] = { .minlen = 0, .maxlen = 0 },
1453 [OVS_CT_ATTR_FORCE_COMMIT] = { .minlen = 0, .maxlen = 0 },
1454 [OVS_CT_ATTR_ZONE] = { .minlen = sizeof(u16),
1455 .maxlen = sizeof(u16) },
1456 [OVS_CT_ATTR_MARK] = { .minlen = sizeof(struct md_mark),
1457 .maxlen = sizeof(struct md_mark) },
1458 [OVS_CT_ATTR_LABELS] = { .minlen = sizeof(struct md_labels),
1459 .maxlen = sizeof(struct md_labels) },
1460 [OVS_CT_ATTR_HELPER] = { .minlen = 1,
1461 .maxlen = NF_CT_HELPER_NAME_LEN },
1462 #ifdef CONFIG_NF_NAT_NEEDED
1463 /* NAT length is checked when parsing the nested attributes. */
1464 [OVS_CT_ATTR_NAT] = { .minlen = 0, .maxlen = INT_MAX },
1466 [OVS_CT_ATTR_EVENTMASK] = { .minlen = sizeof(u32),
1467 .maxlen = sizeof(u32) },
1470 static int parse_ct(const struct nlattr *attr, struct ovs_conntrack_info *info,
1471 const char **helper, bool log)
1476 nla_for_each_nested(a, attr, rem) {
1477 int type = nla_type(a);
1481 if (type > OVS_CT_ATTR_MAX) {
1483 "Unknown conntrack attr (type=%d, max=%d)",
1484 type, OVS_CT_ATTR_MAX);
1488 maxlen = ovs_ct_attr_lens[type].maxlen;
1489 minlen = ovs_ct_attr_lens[type].minlen;
1490 if (nla_len(a) < minlen || nla_len(a) > maxlen) {
1492 "Conntrack attr type has unexpected length (type=%d, length=%d, expected=%d)",
1493 type, nla_len(a), maxlen);
1498 case OVS_CT_ATTR_FORCE_COMMIT:
1501 case OVS_CT_ATTR_COMMIT:
1502 info->commit = true;
1504 #ifdef CONFIG_NF_CONNTRACK_ZONES
1505 case OVS_CT_ATTR_ZONE:
1506 info->zone.id = nla_get_u16(a);
1509 #ifdef CONFIG_NF_CONNTRACK_MARK
1510 case OVS_CT_ATTR_MARK: {
1511 struct md_mark *mark = nla_data(a);
1514 OVS_NLERR(log, "ct_mark mask cannot be 0");
1521 #ifdef CONFIG_NF_CONNTRACK_LABELS
1522 case OVS_CT_ATTR_LABELS: {
1523 struct md_labels *labels = nla_data(a);
1525 if (!labels_nonzero(&labels->mask)) {
1526 OVS_NLERR(log, "ct_labels mask cannot be 0");
1529 info->labels = *labels;
1533 case OVS_CT_ATTR_HELPER:
1534 *helper = nla_data(a);
1535 if (!memchr(*helper, '\0', nla_len(a))) {
1536 OVS_NLERR(log, "Invalid conntrack helper");
1540 #ifdef CONFIG_NF_NAT_NEEDED
1541 case OVS_CT_ATTR_NAT: {
1542 int err = parse_nat(a, info, log);
1549 case OVS_CT_ATTR_EVENTMASK:
1550 info->have_eventmask = true;
1551 info->eventmask = nla_get_u32(a);
1555 OVS_NLERR(log, "Unknown conntrack attr (%d)",
1561 #ifdef CONFIG_NF_CONNTRACK_MARK
1562 if (!info->commit && info->mark.mask) {
1564 "Setting conntrack mark requires 'commit' flag.");
1568 #ifdef CONFIG_NF_CONNTRACK_LABELS
1569 if (!info->commit && labels_nonzero(&info->labels.mask)) {
1571 "Setting conntrack labels requires 'commit' flag.");
1576 OVS_NLERR(log, "Conntrack attr has %d unknown bytes", rem);
1583 bool ovs_ct_verify(struct net *net, enum ovs_key_attr attr)
1585 if (attr == OVS_KEY_ATTR_CT_STATE)
1587 if (IS_ENABLED(CONFIG_NF_CONNTRACK_ZONES) &&
1588 attr == OVS_KEY_ATTR_CT_ZONE)
1590 if (IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) &&
1591 attr == OVS_KEY_ATTR_CT_MARK)
1593 if (IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS) &&
1594 attr == OVS_KEY_ATTR_CT_LABELS) {
1595 struct ovs_net *ovs_net = net_generic(net, ovs_net_id);
1597 return ovs_net->xt_label;
1603 int ovs_ct_copy_action(struct net *net, const struct nlattr *attr,
1604 const struct sw_flow_key *key,
1605 struct sw_flow_actions **sfa, bool log)
1607 struct ovs_conntrack_info ct_info;
1608 const char *helper = NULL;
1612 family = key_to_nfproto(key);
1613 if (family == NFPROTO_UNSPEC) {
1614 OVS_NLERR(log, "ct family unspecified");
1618 memset(&ct_info, 0, sizeof(ct_info));
1619 ct_info.family = family;
1621 nf_ct_zone_init(&ct_info.zone, NF_CT_DEFAULT_ZONE_ID,
1622 NF_CT_DEFAULT_ZONE_DIR, 0);
1624 err = parse_ct(attr, &ct_info, &helper, log);
1628 /* Set up template for tracking connections in specific zones. */
1629 ct_info.ct = nf_ct_tmpl_alloc(net, &ct_info.zone, GFP_KERNEL);
1631 OVS_NLERR(log, "Failed to allocate conntrack template");
1635 err = ovs_ct_add_helper(&ct_info, helper, key, log);
1640 err = ovs_nla_add_action(sfa, OVS_ACTION_ATTR_CT, &ct_info,
1641 sizeof(ct_info), log);
1645 __set_bit(IPS_CONFIRMED_BIT, &ct_info.ct->status);
1646 nf_conntrack_get(&ct_info.ct->ct_general);
1649 __ovs_ct_free_action(&ct_info);
1653 #ifdef CONFIG_NF_NAT_NEEDED
1654 static bool ovs_ct_nat_to_attr(const struct ovs_conntrack_info *info,
1655 struct sk_buff *skb)
1657 struct nlattr *start;
1659 start = nla_nest_start(skb, OVS_CT_ATTR_NAT);
1663 if (info->nat & OVS_CT_SRC_NAT) {
1664 if (nla_put_flag(skb, OVS_NAT_ATTR_SRC))
1666 } else if (info->nat & OVS_CT_DST_NAT) {
1667 if (nla_put_flag(skb, OVS_NAT_ATTR_DST))
1673 if (info->range.flags & NF_NAT_RANGE_MAP_IPS) {
1674 if (IS_ENABLED(CONFIG_NF_NAT) &&
1675 info->family == NFPROTO_IPV4) {
1676 if (nla_put_in_addr(skb, OVS_NAT_ATTR_IP_MIN,
1677 info->range.min_addr.ip) ||
1678 (info->range.max_addr.ip
1679 != info->range.min_addr.ip &&
1680 (nla_put_in_addr(skb, OVS_NAT_ATTR_IP_MAX,
1681 info->range.max_addr.ip))))
1683 } else if (IS_ENABLED(CONFIG_IPV6) &&
1684 info->family == NFPROTO_IPV6) {
1685 if (nla_put_in6_addr(skb, OVS_NAT_ATTR_IP_MIN,
1686 &info->range.min_addr.in6) ||
1687 (memcmp(&info->range.max_addr.in6,
1688 &info->range.min_addr.in6,
1689 sizeof(info->range.max_addr.in6)) &&
1690 (nla_put_in6_addr(skb, OVS_NAT_ATTR_IP_MAX,
1691 &info->range.max_addr.in6))))
1697 if (info->range.flags & NF_NAT_RANGE_PROTO_SPECIFIED &&
1698 (nla_put_u16(skb, OVS_NAT_ATTR_PROTO_MIN,
1699 ntohs(info->range.min_proto.all)) ||
1700 (info->range.max_proto.all != info->range.min_proto.all &&
1701 nla_put_u16(skb, OVS_NAT_ATTR_PROTO_MAX,
1702 ntohs(info->range.max_proto.all)))))
1705 if (info->range.flags & NF_NAT_RANGE_PERSISTENT &&
1706 nla_put_flag(skb, OVS_NAT_ATTR_PERSISTENT))
1708 if (info->range.flags & NF_NAT_RANGE_PROTO_RANDOM &&
1709 nla_put_flag(skb, OVS_NAT_ATTR_PROTO_HASH))
1711 if (info->range.flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY &&
1712 nla_put_flag(skb, OVS_NAT_ATTR_PROTO_RANDOM))
1715 nla_nest_end(skb, start);
1721 int ovs_ct_action_to_attr(const struct ovs_conntrack_info *ct_info,
1722 struct sk_buff *skb)
1724 struct nlattr *start;
1726 start = nla_nest_start(skb, OVS_ACTION_ATTR_CT);
1730 if (ct_info->commit && nla_put_flag(skb, ct_info->force
1731 ? OVS_CT_ATTR_FORCE_COMMIT
1732 : OVS_CT_ATTR_COMMIT))
1734 if (IS_ENABLED(CONFIG_NF_CONNTRACK_ZONES) &&
1735 nla_put_u16(skb, OVS_CT_ATTR_ZONE, ct_info->zone.id))
1737 if (IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) && ct_info->mark.mask &&
1738 nla_put(skb, OVS_CT_ATTR_MARK, sizeof(ct_info->mark),
1741 if (IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS) &&
1742 labels_nonzero(&ct_info->labels.mask) &&
1743 nla_put(skb, OVS_CT_ATTR_LABELS, sizeof(ct_info->labels),
1746 if (ct_info->helper) {
1747 if (nla_put_string(skb, OVS_CT_ATTR_HELPER,
1748 ct_info->helper->name))
1751 if (ct_info->have_eventmask &&
1752 nla_put_u32(skb, OVS_CT_ATTR_EVENTMASK, ct_info->eventmask))
1755 #ifdef CONFIG_NF_NAT_NEEDED
1756 if (ct_info->nat && !ovs_ct_nat_to_attr(ct_info, skb))
1759 nla_nest_end(skb, start);
1764 void ovs_ct_free_action(const struct nlattr *a)
1766 struct ovs_conntrack_info *ct_info = nla_data(a);
1768 __ovs_ct_free_action(ct_info);
1771 static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info)
1773 if (ct_info->helper)
1774 nf_conntrack_helper_put(ct_info->helper);
1776 nf_ct_tmpl_free(ct_info->ct);
1779 #if IS_ENABLED(CONFIG_NETFILTER_CONNCOUNT)
1780 static int ovs_ct_limit_init(struct net *net, struct ovs_net *ovs_net)
1784 ovs_net->ct_limit_info = kmalloc(sizeof(*ovs_net->ct_limit_info),
1786 if (!ovs_net->ct_limit_info)
1789 ovs_net->ct_limit_info->default_limit = OVS_CT_LIMIT_DEFAULT;
1790 ovs_net->ct_limit_info->limits =
1791 kmalloc_array(CT_LIMIT_HASH_BUCKETS, sizeof(struct hlist_head),
1793 if (!ovs_net->ct_limit_info->limits) {
1794 kfree(ovs_net->ct_limit_info);
1798 for (i = 0; i < CT_LIMIT_HASH_BUCKETS; i++)
1799 INIT_HLIST_HEAD(&ovs_net->ct_limit_info->limits[i]);
1801 ovs_net->ct_limit_info->data =
1802 nf_conncount_init(net, NFPROTO_INET, sizeof(u32));
1804 if (IS_ERR(ovs_net->ct_limit_info->data)) {
1805 err = PTR_ERR(ovs_net->ct_limit_info->data);
1806 kfree(ovs_net->ct_limit_info->limits);
1807 kfree(ovs_net->ct_limit_info);
1808 pr_err("openvswitch: failed to init nf_conncount %d\n", err);
1814 static void ovs_ct_limit_exit(struct net *net, struct ovs_net *ovs_net)
1816 const struct ovs_ct_limit_info *info = ovs_net->ct_limit_info;
1819 nf_conncount_destroy(net, NFPROTO_INET, info->data);
1820 for (i = 0; i < CT_LIMIT_HASH_BUCKETS; ++i) {
1821 struct hlist_head *head = &info->limits[i];
1822 struct ovs_ct_limit *ct_limit;
1824 hlist_for_each_entry_rcu(ct_limit, head, hlist_node)
1825 kfree_rcu(ct_limit, rcu);
1827 kfree(ovs_net->ct_limit_info->limits);
1828 kfree(ovs_net->ct_limit_info);
1831 static struct sk_buff *
1832 ovs_ct_limit_cmd_reply_start(struct genl_info *info, u8 cmd,
1833 struct ovs_header **ovs_reply_header)
1835 struct ovs_header *ovs_header = info->userhdr;
1836 struct sk_buff *skb;
1838 skb = genlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1840 return ERR_PTR(-ENOMEM);
1842 *ovs_reply_header = genlmsg_put(skb, info->snd_portid,
1844 &dp_ct_limit_genl_family, 0, cmd);
1846 if (!*ovs_reply_header) {
1848 return ERR_PTR(-EMSGSIZE);
1850 (*ovs_reply_header)->dp_ifindex = ovs_header->dp_ifindex;
1855 static bool check_zone_id(int zone_id, u16 *pzone)
1857 if (zone_id >= 0 && zone_id <= 65535) {
1858 *pzone = (u16)zone_id;
1864 static int ovs_ct_limit_set_zone_limit(struct nlattr *nla_zone_limit,
1865 struct ovs_ct_limit_info *info)
1867 struct ovs_zone_limit *zone_limit;
1871 rem = NLA_ALIGN(nla_len(nla_zone_limit));
1872 zone_limit = (struct ovs_zone_limit *)nla_data(nla_zone_limit);
1874 while (rem >= sizeof(*zone_limit)) {
1875 if (unlikely(zone_limit->zone_id ==
1876 OVS_ZONE_LIMIT_DEFAULT_ZONE)) {
1878 info->default_limit = zone_limit->limit;
1880 } else if (unlikely(!check_zone_id(
1881 zone_limit->zone_id, &zone))) {
1882 OVS_NLERR(true, "zone id is out of range");
1884 struct ovs_ct_limit *ct_limit;
1886 ct_limit = kmalloc(sizeof(*ct_limit), GFP_KERNEL);
1890 ct_limit->zone = zone;
1891 ct_limit->limit = zone_limit->limit;
1894 ct_limit_set(info, ct_limit);
1897 rem -= NLA_ALIGN(sizeof(*zone_limit));
1898 zone_limit = (struct ovs_zone_limit *)((u8 *)zone_limit +
1899 NLA_ALIGN(sizeof(*zone_limit)));
1903 OVS_NLERR(true, "set zone limit has %d unknown bytes", rem);
1908 static int ovs_ct_limit_del_zone_limit(struct nlattr *nla_zone_limit,
1909 struct ovs_ct_limit_info *info)
1911 struct ovs_zone_limit *zone_limit;
1915 rem = NLA_ALIGN(nla_len(nla_zone_limit));
1916 zone_limit = (struct ovs_zone_limit *)nla_data(nla_zone_limit);
1918 while (rem >= sizeof(*zone_limit)) {
1919 if (unlikely(zone_limit->zone_id ==
1920 OVS_ZONE_LIMIT_DEFAULT_ZONE)) {
1922 info->default_limit = OVS_CT_LIMIT_DEFAULT;
1924 } else if (unlikely(!check_zone_id(
1925 zone_limit->zone_id, &zone))) {
1926 OVS_NLERR(true, "zone id is out of range");
1929 ct_limit_del(info, zone);
1932 rem -= NLA_ALIGN(sizeof(*zone_limit));
1933 zone_limit = (struct ovs_zone_limit *)((u8 *)zone_limit +
1934 NLA_ALIGN(sizeof(*zone_limit)));
1938 OVS_NLERR(true, "del zone limit has %d unknown bytes", rem);
1943 static int ovs_ct_limit_get_default_limit(struct ovs_ct_limit_info *info,
1944 struct sk_buff *reply)
1946 struct ovs_zone_limit zone_limit;
1949 zone_limit.zone_id = OVS_ZONE_LIMIT_DEFAULT_ZONE;
1950 zone_limit.limit = info->default_limit;
1951 err = nla_put_nohdr(reply, sizeof(zone_limit), &zone_limit);
1958 static int __ovs_ct_limit_get_zone_limit(struct net *net,
1959 struct nf_conncount_data *data,
1960 u16 zone_id, u32 limit,
1961 struct sk_buff *reply)
1963 struct nf_conntrack_zone ct_zone;
1964 struct ovs_zone_limit zone_limit;
1965 u32 conncount_key = zone_id;
1967 zone_limit.zone_id = zone_id;
1968 zone_limit.limit = limit;
1969 nf_ct_zone_init(&ct_zone, zone_id, NF_CT_DEFAULT_ZONE_DIR, 0);
1971 zone_limit.count = nf_conncount_count(net, data, &conncount_key, NULL,
1973 return nla_put_nohdr(reply, sizeof(zone_limit), &zone_limit);
1976 static int ovs_ct_limit_get_zone_limit(struct net *net,
1977 struct nlattr *nla_zone_limit,
1978 struct ovs_ct_limit_info *info,
1979 struct sk_buff *reply)
1981 struct ovs_zone_limit *zone_limit;
1986 rem = NLA_ALIGN(nla_len(nla_zone_limit));
1987 zone_limit = (struct ovs_zone_limit *)nla_data(nla_zone_limit);
1989 while (rem >= sizeof(*zone_limit)) {
1990 if (unlikely(zone_limit->zone_id ==
1991 OVS_ZONE_LIMIT_DEFAULT_ZONE)) {
1992 err = ovs_ct_limit_get_default_limit(info, reply);
1995 } else if (unlikely(!check_zone_id(zone_limit->zone_id,
1997 OVS_NLERR(true, "zone id is out of range");
2000 limit = ct_limit_get(info, zone);
2003 err = __ovs_ct_limit_get_zone_limit(
2004 net, info->data, zone, limit, reply);
2008 rem -= NLA_ALIGN(sizeof(*zone_limit));
2009 zone_limit = (struct ovs_zone_limit *)((u8 *)zone_limit +
2010 NLA_ALIGN(sizeof(*zone_limit)));
2014 OVS_NLERR(true, "get zone limit has %d unknown bytes", rem);
2019 static int ovs_ct_limit_get_all_zone_limit(struct net *net,
2020 struct ovs_ct_limit_info *info,
2021 struct sk_buff *reply)
2023 struct ovs_ct_limit *ct_limit;
2024 struct hlist_head *head;
2027 err = ovs_ct_limit_get_default_limit(info, reply);
2032 for (i = 0; i < CT_LIMIT_HASH_BUCKETS; ++i) {
2033 head = &info->limits[i];
2034 hlist_for_each_entry_rcu(ct_limit, head, hlist_node) {
2035 err = __ovs_ct_limit_get_zone_limit(net, info->data,
2036 ct_limit->zone, ct_limit->limit, reply);
2047 static int ovs_ct_limit_cmd_set(struct sk_buff *skb, struct genl_info *info)
2049 struct nlattr **a = info->attrs;
2050 struct sk_buff *reply;
2051 struct ovs_header *ovs_reply_header;
2052 struct ovs_net *ovs_net = net_generic(sock_net(skb->sk), ovs_net_id);
2053 struct ovs_ct_limit_info *ct_limit_info = ovs_net->ct_limit_info;
2056 reply = ovs_ct_limit_cmd_reply_start(info, OVS_CT_LIMIT_CMD_SET,
2059 return PTR_ERR(reply);
2061 if (!a[OVS_CT_LIMIT_ATTR_ZONE_LIMIT]) {
2066 err = ovs_ct_limit_set_zone_limit(a[OVS_CT_LIMIT_ATTR_ZONE_LIMIT],
2071 static_branch_enable(&ovs_ct_limit_enabled);
2073 genlmsg_end(reply, ovs_reply_header);
2074 return genlmsg_reply(reply, info);
2081 static int ovs_ct_limit_cmd_del(struct sk_buff *skb, struct genl_info *info)
2083 struct nlattr **a = info->attrs;
2084 struct sk_buff *reply;
2085 struct ovs_header *ovs_reply_header;
2086 struct ovs_net *ovs_net = net_generic(sock_net(skb->sk), ovs_net_id);
2087 struct ovs_ct_limit_info *ct_limit_info = ovs_net->ct_limit_info;
2090 reply = ovs_ct_limit_cmd_reply_start(info, OVS_CT_LIMIT_CMD_DEL,
2093 return PTR_ERR(reply);
2095 if (!a[OVS_CT_LIMIT_ATTR_ZONE_LIMIT]) {
2100 err = ovs_ct_limit_del_zone_limit(a[OVS_CT_LIMIT_ATTR_ZONE_LIMIT],
2105 genlmsg_end(reply, ovs_reply_header);
2106 return genlmsg_reply(reply, info);
2113 static int ovs_ct_limit_cmd_get(struct sk_buff *skb, struct genl_info *info)
2115 struct nlattr **a = info->attrs;
2116 struct nlattr *nla_reply;
2117 struct sk_buff *reply;
2118 struct ovs_header *ovs_reply_header;
2119 struct net *net = sock_net(skb->sk);
2120 struct ovs_net *ovs_net = net_generic(net, ovs_net_id);
2121 struct ovs_ct_limit_info *ct_limit_info = ovs_net->ct_limit_info;
2124 reply = ovs_ct_limit_cmd_reply_start(info, OVS_CT_LIMIT_CMD_GET,
2127 return PTR_ERR(reply);
2129 nla_reply = nla_nest_start(reply, OVS_CT_LIMIT_ATTR_ZONE_LIMIT);
2131 if (a[OVS_CT_LIMIT_ATTR_ZONE_LIMIT]) {
2132 err = ovs_ct_limit_get_zone_limit(
2133 net, a[OVS_CT_LIMIT_ATTR_ZONE_LIMIT], ct_limit_info,
2138 err = ovs_ct_limit_get_all_zone_limit(net, ct_limit_info,
2144 nla_nest_end(reply, nla_reply);
2145 genlmsg_end(reply, ovs_reply_header);
2146 return genlmsg_reply(reply, info);
2153 static struct genl_ops ct_limit_genl_ops[] = {
2154 { .cmd = OVS_CT_LIMIT_CMD_SET,
2155 .flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN
2157 .policy = ct_limit_policy,
2158 .doit = ovs_ct_limit_cmd_set,
2160 { .cmd = OVS_CT_LIMIT_CMD_DEL,
2161 .flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN
2163 .policy = ct_limit_policy,
2164 .doit = ovs_ct_limit_cmd_del,
2166 { .cmd = OVS_CT_LIMIT_CMD_GET,
2167 .flags = 0, /* OK for unprivileged users. */
2168 .policy = ct_limit_policy,
2169 .doit = ovs_ct_limit_cmd_get,
2173 static const struct genl_multicast_group ovs_ct_limit_multicast_group = {
2174 .name = OVS_CT_LIMIT_MCGROUP,
2177 struct genl_family dp_ct_limit_genl_family __ro_after_init = {
2178 .hdrsize = sizeof(struct ovs_header),
2179 .name = OVS_CT_LIMIT_FAMILY,
2180 .version = OVS_CT_LIMIT_VERSION,
2181 .maxattr = OVS_CT_LIMIT_ATTR_MAX,
2183 .parallel_ops = true,
2184 .ops = ct_limit_genl_ops,
2185 .n_ops = ARRAY_SIZE(ct_limit_genl_ops),
2186 .mcgrps = &ovs_ct_limit_multicast_group,
2188 .module = THIS_MODULE,
2192 int ovs_ct_init(struct net *net)
2194 unsigned int n_bits = sizeof(struct ovs_key_ct_labels) * BITS_PER_BYTE;
2195 struct ovs_net *ovs_net = net_generic(net, ovs_net_id);
2197 if (nf_connlabels_get(net, n_bits - 1)) {
2198 ovs_net->xt_label = false;
2199 OVS_NLERR(true, "Failed to set connlabel length");
2201 ovs_net->xt_label = true;
2204 #if IS_ENABLED(CONFIG_NETFILTER_CONNCOUNT)
2205 return ovs_ct_limit_init(net, ovs_net);
2211 void ovs_ct_exit(struct net *net)
2213 struct ovs_net *ovs_net = net_generic(net, ovs_net_id);
2215 #if IS_ENABLED(CONFIG_NETFILTER_CONNCOUNT)
2216 ovs_ct_limit_exit(net, ovs_net);
2219 if (ovs_net->xt_label)
2220 nf_connlabels_put(net);
projects / linux.git / blob