]> git.proxmox.com Git - mirror_ovs.git/blame - datapath/conntrack.c
projects / mirror_ovs.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
datapath: Optimize operations for OvS flow_stats.
[mirror_ovs.git] / datapath / conntrack.c
CommitLineData
a94ebc39
JS		 1/*
2 * Copyright (c) 2015 Nicira, Inc.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of version 2 of the GNU General Public
6 * License as published by the Free Software Foundation.
7 *
8 * This program is distributed in the hope that it will be useful, but
9 * WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
11 * General Public License for more details.
12 */
13
14#include <linux/kconfig.h>
15#include <linux/version.h>
16
8063e095 17#if IS_ENABLED(CONFIG_NF_CONNTRACK)
a94ebc39
JS		 18
19#include <linux/module.h>
20#include <linux/openvswitch.h>
f8f97cdc
JR		 21#include <linux/tcp.h>
22#include <linux/udp.h>
23#include <linux/sctp.h>
a94ebc39
JS		 24#include <net/ip.h>
25#include <net/netfilter/nf_conntrack_core.h>
11251c17 26#include <net/netfilter/nf_conntrack_helper.h>
038e34ab 27#include <net/netfilter/nf_conntrack_labels.h>
f8f97cdc 28#include <net/netfilter/nf_conntrack_seqadj.h>
a94ebc39
JS		 29#include <net/netfilter/nf_conntrack_zones.h>
30#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
31
f8f97cdc
JR		 32#ifdef CONFIG_NF_NAT_NEEDED
33#include <linux/netfilter/nf_nat.h>
34#include <net/netfilter/nf_nat_core.h>
35#include <net/netfilter/nf_nat_l3proto.h>
36#endif
37
a94ebc39
JS		 38#include "datapath.h"
39#include "conntrack.h"
40#include "flow.h"
41#include "flow_netlink.h"
86c2eb45 42#include "gso.h"
a94ebc39
JS		 43
44struct ovs_ct_len_tbl {
f8f97cdc
JR		 45 int maxlen;
46 int minlen;
a94ebc39
JS		 47};
48
372ce973
JS		 49/* Metadata mark for masked write to conntrack mark */
50struct md_mark {
51 u32 value;
52 u32 mask;
53};
54
038e34ab 55/* Metadata label for masked write to conntrack label. */
c05e2094
JS		 56struct md_labels {
57 struct ovs_key_ct_labels value;
58 struct ovs_key_ct_labels mask;
038e34ab
JS		 59};
60
f8f97cdc
JR		 61enum ovs_ct_nat {
62 OVS_CT_NAT = 1 << 0, /* NAT for committed connections only. */
63 OVS_CT_SRC_NAT = 1 << 1, /* Source NAT for NEW connections. */
64 OVS_CT_DST_NAT = 1 << 2, /* Destination NAT for NEW connections. */
65};
66
a94ebc39
JS		 67/* Conntrack action context for execution. */
68struct ovs_conntrack_info {
11251c17 69 struct nf_conntrack_helper *helper;
a94ebc39
JS		 70 struct nf_conntrack_zone zone;
71 struct nf_conn *ct;
c05e2094 72 u8 commit : 1;
f8f97cdc 73 u8 nat : 3; /* enum ovs_ct_nat */
9f1de150 74 u8 random_fully_compat : 1; /* bool */
b80e259f 75 u8 force : 1;
8e83854c 76 u8 have_eventmask : 1;
a94ebc39 77 u16 family;
8e83854c 78 u32 eventmask; /* Mask of 1 << IPCT_*. */
372ce973 79 struct md_mark mark;
c05e2094 80 struct md_labels labels;
f8f97cdc
JR		 81#ifdef CONFIG_NF_NAT_NEEDED
82 struct nf_nat_range range; /* Only present for SRC NAT and DST NAT. */
83#endif
a94ebc39
JS		 84};
85
7162cae4
JR		 86static bool labels_nonzero(const struct ovs_key_ct_labels *labels);
87
11251c17
JS		 88static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info);
89
a94ebc39
JS		 90static u16 key_to_nfproto(const struct sw_flow_key *key)
91{
92 switch (ntohs(key->eth.type)) {
93 case ETH_P_IP:
94 return NFPROTO_IPV4;
95 case ETH_P_IPV6:
96 return NFPROTO_IPV6;
97 default:
98 return NFPROTO_UNSPEC;
99 }
100}
101
102/* Map SKB connection state into the values used by flow definition. */
103static u8 ovs_ct_get_state(enum ip_conntrack_info ctinfo)
104{
105 u8 ct_state = OVS_CS_F_TRACKED;
106
107 switch (ctinfo) {
108 case IP_CT_ESTABLISHED_REPLY:
109 case IP_CT_RELATED_REPLY:
a94ebc39
JS		 110 ct_state |= OVS_CS_F_REPLY_DIR;
111 break;
112 default:
113 break;
114 }
115
116 switch (ctinfo) {
117 case IP_CT_ESTABLISHED:
118 case IP_CT_ESTABLISHED_REPLY:
119 ct_state |= OVS_CS_F_ESTABLISHED;
120 break;
121 case IP_CT_RELATED:
122 case IP_CT_RELATED_REPLY:
123 ct_state |= OVS_CS_F_RELATED;
124 break;
125 case IP_CT_NEW:
a94ebc39
JS		 126 ct_state |= OVS_CS_F_NEW;
127 break;
128 default:
129 break;
130 }
131
132 return ct_state;
133}
134
c05e2094
JS		 135static u32 ovs_ct_get_mark(const struct nf_conn *ct)
136{
137#if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK)
138 return ct ? ct->mark : 0;
139#else
140 return 0;
141#endif
142}
143
237f9413
JR		 144/* Guard against conntrack labels max size shrinking below 128 bits. */
145#if NF_CT_LABELS_MAX_SIZE < 16
146#error NF_CT_LABELS_MAX_SIZE must be at least 16 bytes
147#endif
148
c05e2094
JS		 149static void ovs_ct_get_labels(const struct nf_conn *ct,
150 struct ovs_key_ct_labels *labels)
038e34ab
JS		 151{
152 struct nf_conn_labels *cl = ct ? nf_ct_labels_find(ct) : NULL;
153
237f9413
JR		 154 if (cl)
155 memcpy(labels, cl->bits, OVS_CT_LABELS_LEN);
156 else
c05e2094 157 memset(labels, 0, OVS_CT_LABELS_LEN);
038e34ab
JS		 158}
159
c30b4cea
JR		 160static void __ovs_ct_update_key_orig_tp(struct sw_flow_key *key,
161 const struct nf_conntrack_tuple *orig,
162 u8 icmp_proto)
163{
1963a885 164 key->ct_orig_proto = orig->dst.protonum;
c30b4cea
JR		 165 if (orig->dst.protonum == icmp_proto) {
166 key->ct.orig_tp.src = htons(orig->dst.u.icmp.type);
167 key->ct.orig_tp.dst = htons(orig->dst.u.icmp.code);
168 } else {
169 key->ct.orig_tp.src = orig->src.u.all;
170 key->ct.orig_tp.dst = orig->dst.u.all;
171 }
172}
173
a94ebc39 174static void __ovs_ct_update_key(struct sw_flow_key *key, u8 state,
372ce973
JS		 175 const struct nf_conntrack_zone *zone,
176 const struct nf_conn *ct)
a94ebc39 177{
1963a885
JR		 178 key->ct_state = state;
179 key->ct_zone = zone->id;
c05e2094
JS		 180 key->ct.mark = ovs_ct_get_mark(ct);
181 ovs_ct_get_labels(ct, &key->ct.labels);
c30b4cea
JR		 182
183 if (ct) {
184 const struct nf_conntrack_tuple *orig;
185
186 /* Use the master if we have one. */
187 if (ct->master)
188 ct = ct->master;
189 orig = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
190
191 /* IP version must match with the master connection. */
192 if (key->eth.type == htons(ETH_P_IP) &&
193 nf_ct_l3num(ct) == NFPROTO_IPV4) {
194 key->ipv4.ct_orig.src = orig->src.u3.ip;
195 key->ipv4.ct_orig.dst = orig->dst.u3.ip;
196 __ovs_ct_update_key_orig_tp(key, orig, IPPROTO_ICMP);
197 return;
198 } else if (key->eth.type == htons(ETH_P_IPV6) &&
199 !sw_flow_key_is_nd(key) &&
200 nf_ct_l3num(ct) == NFPROTO_IPV6) {
201 key->ipv6.ct_orig.src = orig->src.u3.in6;
202 key->ipv6.ct_orig.dst = orig->dst.u3.in6;
203 __ovs_ct_update_key_orig_tp(key, orig, NEXTHDR_ICMP);
204 return;
205 }
206 }
1963a885 207 /* Clear 'ct_orig_proto' to mark the non-existence of conntrack
c30b4cea
JR		 208 * original direction key fields.
209 */
1963a885 210 key->ct_orig_proto = 0;
a94ebc39
JS		 211}
212
e3c42eb8 213/* Update 'key' based on skb->_nfct. If 'post_ct' is true, then OVS has
f8f97cdc
JR		 214 * previously sent the packet to conntrack via the ct action. If
215 * 'keep_nat_flags' is true, the existing NAT flags retained, else they are
216 * initialized from the connection status.
a94ebc39
JS		 217 */
218static void ovs_ct_update_key(const struct sk_buff *skb,
f23593a1 219 const struct ovs_conntrack_info *info,
f8f97cdc
JR		 220 struct sw_flow_key *key, bool post_ct,
221 bool keep_nat_flags)
a94ebc39
JS		 222{
223 const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
224 enum ip_conntrack_info ctinfo;
225 struct nf_conn *ct;
226 u8 state = 0;
227
228 ct = nf_ct_get(skb, &ctinfo);
229 if (ct) {
230 state = ovs_ct_get_state(ctinfo);
b0f251cd 231 /* All unconfirmed entries are NEW connections. */
c05e2094
JS		 232 if (!nf_ct_is_confirmed(ct))
233 state |= OVS_CS_F_NEW;
b0f251cd
JR		 234 /* OVS persists the related flag for the duration of the
235 * connection.
236 */
a94ebc39
JS		 237 if (ct->master)
238 state |= OVS_CS_F_RELATED;
f8f97cdc 239 if (keep_nat_flags) {
1963a885 240 state |= key->ct_state & OVS_CS_F_NAT_MASK;
f8f97cdc
JR		 241 } else {
242 if (ct->status & IPS_SRC_NAT)
243 state |= OVS_CS_F_SRC_NAT;
244 if (ct->status & IPS_DST_NAT)
245 state |= OVS_CS_F_DST_NAT;
246 }
a94ebc39
JS		 247 zone = nf_ct_zone(ct);
248 } else if (post_ct) {
249 state = OVS_CS_F_TRACKED | OVS_CS_F_INVALID;
f23593a1
JS		 250 if (info)
251 zone = &info->zone;
a94ebc39 252 }
372ce973 253 __ovs_ct_update_key(key, state, zone, ct);
a94ebc39
JS		 254}
255
b0f251cd
JR		 256/* This is called to initialize CT key fields possibly coming in from the local
257 * stack.
258 */
a94ebc39
JS		 259void ovs_ct_fill_key(const struct sk_buff *skb, struct sw_flow_key *key)
260{
f8f97cdc 261 ovs_ct_update_key(skb, NULL, key, false, false);
a94ebc39
JS		 262}
263
c30b4cea
JR		 264#define IN6_ADDR_INITIALIZER(ADDR) \
265 { (ADDR).s6_addr32[0], (ADDR).s6_addr32[1], \
266 (ADDR).s6_addr32[2], (ADDR).s6_addr32[3] }
267
268int ovs_ct_put_key(const struct sw_flow_key *swkey,
269 const struct sw_flow_key *output, struct sk_buff *skb)
a94ebc39 270{
1963a885 271 if (nla_put_u32(skb, OVS_KEY_ATTR_CT_STATE, output->ct_state))
a94ebc39
JS		 272 return -EMSGSIZE;
273
274 if (IS_ENABLED(CONFIG_NF_CONNTRACK_ZONES) &&
1963a885 275 nla_put_u16(skb, OVS_KEY_ATTR_CT_ZONE, output->ct_zone))
a94ebc39
JS		 276 return -EMSGSIZE;
277
372ce973 278 if (IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) &&
c30b4cea 279 nla_put_u32(skb, OVS_KEY_ATTR_CT_MARK, output->ct.mark))
372ce973
JS		 280 return -EMSGSIZE;
281
c05e2094 282 if (IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS) &&
c30b4cea
JR		 283 nla_put(skb, OVS_KEY_ATTR_CT_LABELS, sizeof(output->ct.labels),
284 &output->ct.labels))
038e34ab
JS		 285 return -EMSGSIZE;
286
1963a885 287 if (swkey->ct_orig_proto) {
c30b4cea
JR		 288 if (swkey->eth.type == htons(ETH_P_IP)) {
289 struct ovs_key_ct_tuple_ipv4 orig = {
290 output->ipv4.ct_orig.src,
291 output->ipv4.ct_orig.dst,
292 output->ct.orig_tp.src,
293 output->ct.orig_tp.dst,
1963a885 294 output->ct_orig_proto,
c30b4cea
JR		 295 };
296 if (nla_put(skb, OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4,
297 sizeof(orig), &orig))
298 return -EMSGSIZE;
299 } else if (swkey->eth.type == htons(ETH_P_IPV6)) {
300 struct ovs_key_ct_tuple_ipv6 orig = {
301 IN6_ADDR_INITIALIZER(output->ipv6.ct_orig.src),
302 IN6_ADDR_INITIALIZER(output->ipv6.ct_orig.dst),
303 output->ct.orig_tp.src,
304 output->ct.orig_tp.dst,
1963a885 305 output->ct_orig_proto,
c30b4cea
JR		 306 };
307 if (nla_put(skb, OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6,
308 sizeof(orig), &orig))
309 return -EMSGSIZE;
310 }
311 }
312
372ce973
JS		 313 return 0;
314}
315
efd40994 316static int ovs_ct_set_mark(struct nf_conn *ct, struct sw_flow_key *key,
372ce973
JS		 317 u32 ct_mark, u32 mask)
318{
c05e2094 319#if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK)
372ce973
JS		 320 u32 new_mark;
321
372ce973
JS		 322 new_mark = ct_mark | (ct->mark & ~(mask));
323 if (ct->mark != new_mark) {
324 ct->mark = new_mark;
1b22e621
JR		 325 if (nf_ct_is_confirmed(ct))
326 nf_conntrack_event_cache(IPCT_MARK, ct);
372ce973
JS		 327 key->ct.mark = new_mark;
328 }
329
a94ebc39 330 return 0;
c05e2094
JS		 331#else
332 return -ENOTSUPP;
333#endif
a94ebc39
JS		 334}
335
efd40994 336static struct nf_conn_labels *ovs_ct_get_conn_labels(struct nf_conn *ct)
038e34ab 337{
038e34ab 338 struct nf_conn_labels *cl;
038e34ab
JS		 339
340 cl = nf_ct_labels_find(ct);
341 if (!cl) {
342 nf_ct_labels_ext_add(ct);
343 cl = nf_ct_labels_find(ct);
344 }
9f04eabe 345
efd40994
JR		 346 return cl;
347}
348
349/* Initialize labels for a new, yet to be committed conntrack entry. Note that
350 * since the new connection is not yet confirmed, and thus no-one else has
351 * access to it's labels, we simply write them over.
352 */
353static int ovs_ct_init_labels(struct nf_conn *ct, struct sw_flow_key *key,
354 const struct ovs_key_ct_labels *labels,
355 const struct ovs_key_ct_labels *mask)
356{
7162cae4
JR		 357 struct nf_conn_labels *cl, *master_cl;
358 bool have_mask = labels_nonzero(mask);
359
360 /* Inherit master's labels to the related connection? */
361 master_cl = ct->master ? nf_ct_labels_find(ct->master) : NULL;
362
363 if (!master_cl && !have_mask)
364 return 0; /* Nothing to do. */
efd40994
JR		 365
366 cl = ovs_ct_get_conn_labels(ct);
367 if (!cl)
038e34ab
JS		 368 return -ENOSPC;
369
28033773
JR		 370 /* Inherit the master's labels, if any. Must use memcpy for backport
371 * as struct assignment only copies the length field in older
372 * kernels.
373 */
7162cae4 374 if (master_cl)
28033773 375 memcpy(cl->bits, master_cl->bits, OVS_CT_LABELS_LEN);
7162cae4
JR		 376
377 if (have_mask) {
378 u32 *dst = (u32 *)cl->bits;
379 int i;
380
381 for (i = 0; i < OVS_CT_LABELS_LEN_32; i++)
382 dst[i] = (dst[i] & ~mask->ct_labels_32[i]) |
383 (labels->ct_labels_32[i]
384 & mask->ct_labels_32[i]);
385 }
1b22e621 386
efd40994 387 /* Labels are included in the IPCTNL_MSG_CT_NEW event only if the
100f4e14 388 * IPCT_LABEL bit is set in the event cache.
efd40994
JR		 389 */
390 nf_conntrack_event_cache(IPCT_LABEL, ct);
1b22e621 391
efd40994
JR		 392 memcpy(&key->ct.labels, cl->bits, OVS_CT_LABELS_LEN);
393
394 return 0;
395}
396
397static int ovs_ct_set_labels(struct nf_conn *ct, struct sw_flow_key *key,
398 const struct ovs_key_ct_labels *labels,
399 const struct ovs_key_ct_labels *mask)
400{
401 struct nf_conn_labels *cl;
402 int err;
403
404 cl = ovs_ct_get_conn_labels(ct);
405 if (!cl)
406 return -ENOSPC;
407
408 err = nf_connlabels_replace(ct, labels->ct_labels_32,
409 mask->ct_labels_32,
410 OVS_CT_LABELS_LEN_32);
411 if (err)
412 return err;
413
414 memcpy(&key->ct.labels, cl->bits, OVS_CT_LABELS_LEN);
038e34ab 415
038e34ab
JS		 416 return 0;
417}
418
11251c17
JS		 419/* 'skb' should already be pulled to nh_ofs. */
420static int ovs_ct_helper(struct sk_buff *skb, u16 proto)
421{
422 const struct nf_conntrack_helper *helper;
423 const struct nf_conn_help *help;
424 enum ip_conntrack_info ctinfo;
425 unsigned int protoff;
426 struct nf_conn *ct;
4cc85f28 427 u8 nexthdr;
f8f97cdc 428 int err;
11251c17 429
3d47fa46
JH		 430#if LINUX_VERSION_CODE < KERNEL_VERSION(4,6,0)
431 bool dst_set = false;
432 struct rtable rt = { .rt_flags = 0 };
433#endif
434
11251c17
JS		 435 ct = nf_ct_get(skb, &ctinfo);
436 if (!ct || ctinfo == IP_CT_RELATED_REPLY)
437 return NF_ACCEPT;
438
439 help = nfct_help(ct);
440 if (!help)
441 return NF_ACCEPT;
442
443 helper = rcu_dereference(help->helper);
444 if (!helper)
445 return NF_ACCEPT;
446
447 switch (proto) {
448 case NFPROTO_IPV4:
449 protoff = ip_hdrlen(skb);
450 break;
451 case NFPROTO_IPV6: {
11251c17 452 __be16 frag_off;
c05e2094 453 int ofs;
11251c17 454
4cc85f28 455 nexthdr = ipv6_hdr(skb)->nexthdr;
c05e2094
JS		 456 ofs = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr,
457 &frag_off);
458 if (ofs < 0 || (frag_off & htons(~0x7)) != 0) {
11251c17
JS		 459 pr_debug("proto header not found\n");
460 return NF_ACCEPT;
461 }
c05e2094 462 protoff = ofs;
11251c17
JS		 463 break;
464 }
465 default:
466 WARN_ONCE(1, "helper invoked on non-IP family!");
467 return NF_DROP;
468 }
469
4cc85f28
JR		 470#if LINUX_VERSION_CODE < KERNEL_VERSION(4,6,0)
471 /* Linux 4.5 and older depend on skb_dst being set when recalculating
472 * checksums after NAT helper has mangled TCP or UDP packet payload.
3d47fa46
JH		 473 * skb_dst is cast to a rtable struct and the flags examined.
474 * Forcing these flags to have RTCF_LOCAL not set ensures checksum mod
475 * is carried out in the same way as kernel versions > 4.5
4cc85f28 476 */
3d47fa46
JH		 477 if (ct->status & IPS_NAT_MASK && skb->ip_summed != CHECKSUM_PARTIAL
478 && !skb_dst(skb)) {
479 dst_set = true;
480 skb_dst_set(skb, &rt.dst);
4cc85f28
JR		 481 }
482#endif
f8f97cdc
JR		 483 err = helper->help(skb, protoff, ct, ctinfo);
484 if (err != NF_ACCEPT)
485 return err;
486
3d47fa46
JH		 487#if LINUX_VERSION_CODE < KERNEL_VERSION(4,6,0)
488 if (dst_set)
489 skb_dst_set(skb, NULL);
490#endif
491
f8f97cdc
JR		 492 /* Adjust seqs after helper. This is needed due to some helpers (e.g.,
493 * FTP with NAT) adusting the TCP payload size when mangling IP
494 * addresses and/or port numbers in the text-based control connection.
495 */
496 if (test_bit(IPS_SEQ_ADJUST_BIT, &ct->status) &&
497 !nf_ct_seq_adjust(skb, ct, ctinfo, protoff))
498 return NF_DROP;
499 return NF_ACCEPT;
11251c17
JS		 500}
501
c05e2094
JS		 502/* Returns 0 on success, -EINPROGRESS if 'skb' is stolen, or other nonzero
503 * value if 'skb' is freed.
504 */
a94ebc39
JS		 505static int handle_fragments(struct net *net, struct sw_flow_key *key,
506 u16 zone, struct sk_buff *skb)
507{
86c2eb45 508 struct ovs_gso_cb ovs_cb = *OVS_GSO_CB(skb);
2e602ea3 509 int err;
a94ebc39 510
a94ebc39
JS		 511 if (key->eth.type == htons(ETH_P_IP)) {
512 enum ip_defrag_users user = IP_DEFRAG_CONNTRACK_IN + zone;
a94ebc39
JS		 513
514 memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
39c0ff22 515 err = ip_defrag(net, skb, user);
a94ebc39
JS		 516 if (err)
517 return err;
518
86c2eb45 519 ovs_cb.dp_cb.mru = IPCB(skb)->frag_max_size;
a94ebc39 520#if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
c05e2094 521 } else if (key->eth.type == htons(ETH_P_IPV6)) {
a94ebc39 522 enum ip6_defrag_users user = IP6_DEFRAG_CONNTRACK_IN + zone;
a94ebc39
JS		 523
524 memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm));
2e602ea3 525 err = nf_ct_frag6_gather(net, skb, user);
6b4fe5a9
DDP		 526 if (err) {
527 if (err != -EINPROGRESS)
528 kfree_skb(skb);
2e602ea3 529 return err;
6b4fe5a9 530 }
a94ebc39 531
2e602ea3 532 key->ip.proto = ipv6_hdr(skb)->nexthdr;
86c2eb45 533 ovs_cb.dp_cb.mru = IP6CB(skb)->frag_max_size;
a94ebc39
JS		 534#endif /* IP frag support */
535 } else {
c05e2094 536 kfree_skb(skb);
a94ebc39
JS		 537 return -EPFNOSUPPORT;
538 }
539
540 key->ip.frag = OVS_FRAG_TYPE_NONE;
541 skb_clear_hash(skb);
542 skb->ignore_df = 1;
86c2eb45 543 *OVS_GSO_CB(skb) = ovs_cb;
a94ebc39
JS		 544
545 return 0;
546}
547
548static struct nf_conntrack_expect *
549ovs_ct_expect_find(struct net *net, const struct nf_conntrack_zone *zone,
550 u16 proto, const struct sk_buff *skb)
551{
552 struct nf_conntrack_tuple tuple;
3618f466 553 struct nf_conntrack_expect *exp;
a94ebc39 554
fa67f8e0 555 if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb), proto, net, &tuple))
a94ebc39 556 return NULL;
3618f466
JR		 557
558 exp = __nf_ct_expect_find(net, zone, &tuple);
559 if (exp) {
560 struct nf_conntrack_tuple_hash *h;
561
562 /* Delete existing conntrack entry, if it clashes with the
563 * expectation. This can happen since conntrack ALGs do not
564 * check for clashes between (new) expectations and existing
565 * conntrack entries. nf_conntrack_in() will check the
566 * expectations only if a conntrack entry can not be found,
567 * which can lead to OVS finding the expectation (here) in the
568 * init direction, but which will not be removed by the
569 * nf_conntrack_in() call, if a matching conntrack entry is
570 * found instead. In this case all init direction packets
571 * would be reported as new related packets, while reply
572 * direction packets would be reported as un-related
573 * established packets.
574 */
575 h = nf_conntrack_find_get(net, zone, &tuple);
576 if (h) {
577 struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
578
579 nf_ct_delete(ct, 0, 0);
580 nf_conntrack_put(&ct->ct_general);
581 }
582 }
583
584 return exp;
a94ebc39
JS		 585}
586
3dd9e118
JR		 587/* This replicates logic from nf_conntrack_core.c that is not exported. */
588static enum ip_conntrack_info
589ovs_ct_get_info(const struct nf_conntrack_tuple_hash *h)
590{
591 const struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
592
593 if (NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY)
594 return IP_CT_ESTABLISHED_REPLY;
595 /* Once we've had two way comms, always ESTABLISHED. */
596 if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status))
597 return IP_CT_ESTABLISHED;
598 if (test_bit(IPS_EXPECTED_BIT, &ct->status))
599 return IP_CT_RELATED;
600 return IP_CT_NEW;
601}
602
603/* Find an existing connection which this packet belongs to without
604 * re-attributing statistics or modifying the connection state. This allows an
e3c42eb8 605 * skb->_nfct lost due to an upcall to be recovered during actions execution.
3dd9e118
JR		 606 *
607 * Must be called with rcu_read_lock.
608 *
e3c42eb8
JR		 609 * On success, populates skb->_nfct and returns the connection. Returns NULL
610 * if there is no existing entry.
3dd9e118
JR		 611 */
612static struct nf_conn *
613ovs_ct_find_existing(struct net *net, const struct nf_conntrack_zone *zone,
c0324e37 614 u8 l3num, struct sk_buff *skb, bool natted)
3dd9e118
JR		 615{
616 struct nf_conntrack_l3proto *l3proto;
617 struct nf_conntrack_l4proto *l4proto;
618 struct nf_conntrack_tuple tuple;
619 struct nf_conntrack_tuple_hash *h;
3dd9e118
JR		 620 struct nf_conn *ct;
621 unsigned int dataoff;
622 u8 protonum;
623
624 l3proto = __nf_ct_l3proto_find(l3num);
3dd9e118
JR		 625 if (l3proto->get_l4proto(skb, skb_network_offset(skb), &dataoff,
626 &protonum) <= 0) {
627 pr_debug("ovs_ct_find_existing: Can't get protonum\n");
628 return NULL;
629 }
630 l4proto = __nf_ct_l4proto_find(l3num, protonum);
3dd9e118
JR		 631 if (!nf_ct_get_tuple(skb, skb_network_offset(skb), dataoff, l3num,
632 protonum, net, &tuple, l3proto, l4proto)) {
633 pr_debug("ovs_ct_find_existing: Can't get tuple\n");
634 return NULL;
635 }
636
c0324e37
JR		 637 /* Must invert the tuple if skb has been transformed by NAT. */
638 if (natted) {
639 struct nf_conntrack_tuple inverse;
640
641 if (!nf_ct_invert_tuple(&inverse, &tuple, l3proto, l4proto)) {
642 pr_debug("ovs_ct_find_existing: Inversion failed!\n");
643 return NULL;
644 }
645 tuple = inverse;
646 }
647
3dd9e118
JR		 648 /* look for tuple match */
649 h = nf_conntrack_find_get(net, zone, &tuple);
650 if (!h)
651 return NULL; /* Not found. */
652
653 ct = nf_ct_tuplehash_to_ctrack(h);
654
c0324e37
JR		 655 /* Inverted packet tuple matches the reverse direction conntrack tuple,
656 * select the other tuplehash to get the right 'ctinfo' bits for this
657 * packet.
658 */
659 if (natted)
660 h = &ct->tuplehash[!h->tuple.dst.dir];
661
dfa791b2 662 nf_ct_set(skb, ct, ovs_ct_get_info(h));
3dd9e118
JR		 663 return ct;
664}
665
4e7b535d
GR		 666static
667struct nf_conn *ovs_ct_executed(struct net *net,
668 const struct sw_flow_key *key,
669 const struct ovs_conntrack_info *info,
670 struct sk_buff *skb,
671 bool *ct_executed)
672{
673 struct nf_conn *ct = NULL;
674
675 /* If no ct, check if we have evidence that an existing conntrack entry
676 * might be found for this skb. This happens when we lose a skb->_nfct
677 * due to an upcall, or if the direction is being forced. If the
678 * connection was not confirmed, it is not cached and needs to be run
679 * through conntrack again.
680 */
681 *ct_executed = (key->ct_state & OVS_CS_F_TRACKED) &&
682 !(key->ct_state & OVS_CS_F_INVALID) &&
683 (key->ct_zone == info->zone.id);
684
685 if (*ct_executed || (!key->ct_state && info->force)) {
686 ct = ovs_ct_find_existing(net, &info->zone, info->family, skb,
687 !!(key->ct_state &
688 OVS_CS_F_NAT_MASK));
689 }
690
691 return ct;
692}
693
e3c42eb8 694/* Determine whether skb->_nfct is equal to the result of conntrack lookup. */
3dd9e118
JR		 695static bool skb_nfct_cached(struct net *net,
696 const struct sw_flow_key *key,
697 const struct ovs_conntrack_info *info,
698 struct sk_buff *skb)
a94ebc39
JS		 699{
700 enum ip_conntrack_info ctinfo;
701 struct nf_conn *ct;
4e7b535d 702 bool ct_executed = true;
a94ebc39
JS		 703
704 ct = nf_ct_get(skb, &ctinfo);
705 if (!ct)
4e7b535d
GR		 706 ct = ovs_ct_executed(net, key, info, skb, &ct_executed);
707
708 if (ct)
709 nf_ct_get(skb, &ctinfo);
710 else
a94ebc39 711 return false;
4e7b535d 712
a94ebc39
JS		 713 if (!net_eq(net, read_pnet(&ct->ct_net)))
714 return false;
715 if (!nf_ct_zone_equal_any(info->ct, nf_ct_zone(ct)))
716 return false;
11251c17
JS		 717 if (info->helper) {
718 struct nf_conn_help *help;
719
720 help = nf_ct_ext_find(ct, NF_CT_EXT_HELPER);
721 if (help && rcu_access_pointer(help->helper) != info->helper)
722 return false;
723 }
b80e259f
JR		 724 /* Force conntrack entry direction to the current packet? */
725 if (info->force && CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL) {
726 /* Delete the conntrack entry if confirmed, else just release
727 * the reference.
728 */
729 if (nf_ct_is_confirmed(ct))
730 nf_ct_delete(ct, 0, 0);
ceb0a8a9
JR		 731
732 nf_conntrack_put(&ct->ct_general);
b80e259f
JR		 733 nf_ct_set(skb, NULL, 0);
734 return false;
735 }
a94ebc39 736
4e7b535d 737 return ct_executed;
a94ebc39
JS		 738}
739
f8f97cdc
JR		 740#ifdef CONFIG_NF_NAT_NEEDED
741/* Modelled after nf_nat_ipv[46]_fn().
742 * range is only used for new, uninitialized NAT state.
743 * Returns either NF_ACCEPT or NF_DROP.
744 */
745static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct,
746 enum ip_conntrack_info ctinfo,
747 const struct nf_nat_range *range,
748 enum nf_nat_manip_type maniptype)
749{
750 int hooknum, nh_off, err = NF_ACCEPT;
751
752 nh_off = skb_network_offset(skb);
073c7b86 753 skb_pull_rcsum(skb, nh_off);
f8f97cdc
JR		 754
755 /* See HOOK2MANIP(). */
756 if (maniptype == NF_NAT_MANIP_SRC)
757 hooknum = NF_INET_LOCAL_IN; /* Source NAT */
758 else
759 hooknum = NF_INET_LOCAL_OUT; /* Destination NAT */
760
761 switch (ctinfo) {
762 case IP_CT_RELATED:
763 case IP_CT_RELATED_REPLY:
90b01477
AB		 764 if (IS_ENABLED(CONFIG_NF_NAT_IPV4) &&
765 skb->protocol == htons(ETH_P_IP) &&
f8f97cdc
JR		 766 ip_hdr(skb)->protocol == IPPROTO_ICMP) {
767 if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo,
768 hooknum))
769 err = NF_DROP;
770 goto push;
90b01477
AB		 771 } else if (IS_ENABLED(CONFIG_NF_NAT_IPV6) &&
772 skb->protocol == htons(ETH_P_IPV6)) {
f8f97cdc
JR		 773 __be16 frag_off;
774 u8 nexthdr = ipv6_hdr(skb)->nexthdr;
775 int hdrlen = ipv6_skip_exthdr(skb,
776 sizeof(struct ipv6hdr),
777 &nexthdr, &frag_off);
778
779 if (hdrlen >= 0 && nexthdr == IPPROTO_ICMPV6) {
780 if (!nf_nat_icmpv6_reply_translation(skb, ct,
781 ctinfo,
782 hooknum,
783 hdrlen))
784 err = NF_DROP;
785 goto push;
786 }
f8f97cdc
JR		 787 }
788 /* Non-ICMP, fall thru to initialize if needed. */
789 case IP_CT_NEW:
790 /* Seen it before? This can happen for loopback, retrans,
791 * or local packets.
792 */
793 if (!nf_nat_initialized(ct, maniptype)) {
794 /* Initialize according to the NAT action. */
795 err = (range && range->flags & NF_NAT_RANGE_MAP_IPS)
796 /* Action is set up to establish a new
797 * mapping.
798 */
799 ? nf_nat_setup_info(ct, range, maniptype)
800 : nf_nat_alloc_null_binding(ct, hooknum);
801 if (err != NF_ACCEPT)
802 goto push;
803 }
804 break;
805
806 case IP_CT_ESTABLISHED:
807 case IP_CT_ESTABLISHED_REPLY:
808 break;
809
810 default:
811 err = NF_DROP;
812 goto push;
813 }
814
815 err = nf_nat_packet(ct, ctinfo, hooknum, skb);
816push:
817 skb_push(skb, nh_off);
073c7b86 818 skb_postpush_rcsum(skb, skb->data, nh_off);
f8f97cdc
JR		 819
820 return err;
821}
822
823static void ovs_nat_update_key(struct sw_flow_key *key,
824 const struct sk_buff *skb,
825 enum nf_nat_manip_type maniptype)
826{
827 if (maniptype == NF_NAT_MANIP_SRC) {
828 __be16 src;
829
1963a885 830 key->ct_state |= OVS_CS_F_SRC_NAT;
f8f97cdc
JR		 831 if (key->eth.type == htons(ETH_P_IP))
832 key->ipv4.addr.src = ip_hdr(skb)->saddr;
833 else if (key->eth.type == htons(ETH_P_IPV6))
834 memcpy(&key->ipv6.addr.src, &ipv6_hdr(skb)->saddr,
835 sizeof(key->ipv6.addr.src));
836 else
837 return;
838
839 if (key->ip.proto == IPPROTO_UDP)
840 src = udp_hdr(skb)->source;
841 else if (key->ip.proto == IPPROTO_TCP)
842 src = tcp_hdr(skb)->source;
843 else if (key->ip.proto == IPPROTO_SCTP)
844 src = sctp_hdr(skb)->source;
845 else
846 return;
847
848 key->tp.src = src;
849 } else {
850 __be16 dst;
851
1963a885 852 key->ct_state |= OVS_CS_F_DST_NAT;
f8f97cdc
JR		 853 if (key->eth.type == htons(ETH_P_IP))
854 key->ipv4.addr.dst = ip_hdr(skb)->daddr;
855 else if (key->eth.type == htons(ETH_P_IPV6))
856 memcpy(&key->ipv6.addr.dst, &ipv6_hdr(skb)->daddr,
857 sizeof(key->ipv6.addr.dst));
858 else
859 return;
860
861 if (key->ip.proto == IPPROTO_UDP)
862 dst = udp_hdr(skb)->dest;
863 else if (key->ip.proto == IPPROTO_TCP)
864 dst = tcp_hdr(skb)->dest;
865 else if (key->ip.proto == IPPROTO_SCTP)
866 dst = sctp_hdr(skb)->dest;
867 else
868 return;
869
870 key->tp.dst = dst;
871 }
872}
873
874/* Returns NF_DROP if the packet should be dropped, NF_ACCEPT otherwise. */
875static int ovs_ct_nat(struct net *net, struct sw_flow_key *key,
876 const struct ovs_conntrack_info *info,
877 struct sk_buff *skb, struct nf_conn *ct,
878 enum ip_conntrack_info ctinfo)
879{
880 enum nf_nat_manip_type maniptype;
881 int err;
882
56ec5593 883#ifdef HAVE_NF_CT_IS_UNTRACKED
f8f97cdc
JR		 884 if (nf_ct_is_untracked(ct)) {
885 /* A NAT action may only be performed on tracked packets. */
886 return NF_ACCEPT;
887 }
56ec5593 888#endif /* HAVE_NF_CT_IS_UNTRACKED */
f8f97cdc
JR		 889
890 /* Add NAT extension if not confirmed yet. */
891 if (!nf_ct_is_confirmed(ct) && !nf_ct_nat_ext_add(ct))
892 return NF_ACCEPT; /* Can't NAT. */
893
894 /* Determine NAT type.
895 * Check if the NAT type can be deduced from the tracked connection.
d2e8b514
JR		 896 * Make sure new expected connections (IP_CT_RELATED) are NATted only
897 * when committing.
f8f97cdc
JR		 898 */
899 if (info->nat & OVS_CT_NAT && ctinfo != IP_CT_NEW &&
900 ct->status & IPS_NAT_MASK &&
d2e8b514 901 (ctinfo != IP_CT_RELATED || info->commit)) {
f8f97cdc
JR		 902 /* NAT an established or related connection like before. */
903 if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY)
904 /* This is the REPLY direction for a connection
905 * for which NAT was applied in the forward
906 * direction. Do the reverse NAT.
907 */
908 maniptype = ct->status & IPS_SRC_NAT
909 ? NF_NAT_MANIP_DST : NF_NAT_MANIP_SRC;
910 else
911 maniptype = ct->status & IPS_SRC_NAT
912 ? NF_NAT_MANIP_SRC : NF_NAT_MANIP_DST;
913 } else if (info->nat & OVS_CT_SRC_NAT) {
914 maniptype = NF_NAT_MANIP_SRC;
915 } else if (info->nat & OVS_CT_DST_NAT) {
916 maniptype = NF_NAT_MANIP_DST;
917 } else {
918 return NF_ACCEPT; /* Connection is not NATed. */
919 }
920 err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range, maniptype);
921
922 /* Mark NAT done if successful and update the flow key. */
923 if (err == NF_ACCEPT)
924 ovs_nat_update_key(key, skb, maniptype);
925
926 return err;
927}
928#else /* !CONFIG_NF_NAT_NEEDED */
929static int ovs_ct_nat(struct net *net, struct sw_flow_key *key,
930 const struct ovs_conntrack_info *info,
931 struct sk_buff *skb, struct nf_conn *ct,
932 enum ip_conntrack_info ctinfo)
933{
934 return NF_ACCEPT;
935}
936#endif
937
b0f251cd 938/* Pass 'skb' through conntrack in 'net', using zone configured in 'info', if
a04a5794
JR		 939 * not done already. Update key with new CT state after passing the packet
940 * through conntrack.
e3c42eb8 941 * Note that if the packet is deemed invalid by conntrack, skb->_nfct will be
b0f251cd
JR		 942 * set to NULL and 0 will be returned.
943 */
c05e2094 944static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
a94ebc39
JS		 945 const struct ovs_conntrack_info *info,
946 struct sk_buff *skb)
947{
948 /* If we are recirculating packets to match on conntrack fields and
949 * committing with a separate conntrack action, then we don't need to
950 * actually run the packet through conntrack twice unless it's for a
951 * different zone.
952 */
b21d237e
JR		 953 bool cached = skb_nfct_cached(net, key, info, skb);
954 enum ip_conntrack_info ctinfo;
955 struct nf_conn *ct;
956
957 if (!cached) {
a94ebc39 958 struct nf_conn *tmpl = info->ct;
9bf67b92 959 int err;
a94ebc39
JS		 960
961 /* Associate skb with specified zone. */
962 if (tmpl) {
d3c313c1
FW		 963 if (skb_nfct(skb))
964 nf_conntrack_put(skb_nfct(skb));
a94ebc39 965 nf_conntrack_get(&tmpl->ct_general);
dfa791b2 966 nf_ct_set(skb, tmpl, IP_CT_NEW);
a94ebc39
JS		 967 }
968
a6d28f7c
PNA		 969 err = nf_conntrack_in(net, info->family,
970 NF_INET_PRE_ROUTING, skb);
9bf67b92 971 if (err != NF_ACCEPT)
a94ebc39 972 return -ENOENT;
11251c17 973
f8f97cdc
JR		 974 /* Clear CT state NAT flags to mark that we have not yet done
975 * NAT after the nf_conntrack_in() call. We can actually clear
976 * the whole state, as it will be re-initialized below.
977 */
1963a885 978 key->ct_state = 0;
f8f97cdc
JR		 979
980 /* Update the key, but keep the NAT flags. */
981 ovs_ct_update_key(skb, info, key, true, true);
b21d237e 982 }
a04a5794 983
b21d237e 984 ct = nf_ct_get(skb, &ctinfo);
f8f97cdc
JR		 985 if (ct) {
986 /* Packets starting a new connection must be NATted before the
987 * helper, so that the helper knows about the NAT. We enforce
988 * this by delaying both NAT and helper calls for unconfirmed
989 * connections until the committing CT action. For later
990 * packets NAT and Helper may be called in either order.
991 *
992 * NAT will be done only if the CT action has NAT, and only
993 * once per packet (per zone), as guarded by the NAT bits in
1963a885 994 * the key->ct_state.
f8f97cdc 995 */
1963a885 996 if (info->nat && !(key->ct_state & OVS_CS_F_NAT_MASK) &&
f8f97cdc
JR		 997 (nf_ct_is_confirmed(ct) || info->commit) &&
998 ovs_ct_nat(net, key, info, skb, ct, ctinfo) != NF_ACCEPT) {
999 return -EINVAL;
1000 }
1001
b87a5aac
JS		 1002 /* Userspace may decide to perform a ct lookup without a helper
1003 * specified followed by a (recirculate and) commit with one.
1004 * Therefore, for unconfirmed connections which we will commit,
1005 * we need to attach the helper here.
1006 */
1007 if (!nf_ct_is_confirmed(ct) && info->commit &&
1008 info->helper && !nfct_help(ct)) {
1009 int err = __nf_ct_try_assign_helper(ct, info->ct,
1010 GFP_ATOMIC);
1011 if (err)
1012 return err;
1013 }
1014
f8f97cdc
JR		 1015 /* Call the helper only if:
1016 * - nf_conntrack_in() was executed above ("!cached") for a
1017 * confirmed connection, or
1018 * - When committing an unconfirmed connection.
1019 */
1020 if ((nf_ct_is_confirmed(ct) ? !cached : info->commit) &&
1021 ovs_ct_helper(skb, info->family) != NF_ACCEPT) {
1022 return -EINVAL;
1023 }
a94ebc39
JS		 1024 }
1025
1026 return 0;
1027}
1028
1029/* Lookup connection and read fields into key. */
1030static int ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
1031 const struct ovs_conntrack_info *info,
1032 struct sk_buff *skb)
1033{
1034 struct nf_conntrack_expect *exp;
1035
b0f251cd
JR		 1036 /* If we pass an expected packet through nf_conntrack_in() the
1037 * expectation is typically removed, but the packet could still be
1038 * lost in upcall processing. To prevent this from happening we
1039 * perform an explicit expectation lookup. Expected connections are
1040 * always new, and will be passed through conntrack only when they are
1041 * committed, as it is OK to remove the expectation at that time.
1042 */
a94ebc39
JS		 1043 exp = ovs_ct_expect_find(net, &info->zone, info->family, skb);
1044 if (exp) {
1045 u8 state;
1046
f8f97cdc
JR		 1047 /* NOTE: New connections are NATted and Helped only when
1048 * committed, so we are not calling into NAT here.
1049 */
a94ebc39 1050 state = OVS_CS_F_TRACKED | OVS_CS_F_NEW | OVS_CS_F_RELATED;
372ce973 1051 __ovs_ct_update_key(key, state, &info->zone, exp->master);
f325530e
PS		 1052 } else {
1053 struct nf_conn *ct;
1054 int err;
1055
1056 err = __ovs_ct_lookup(net, key, info, skb);
1057 if (err)
1058 return err;
1059
d3c313c1 1060 ct = (struct nf_conn *)skb_nfct(skb);
f325530e
PS		 1061 if (ct)
1062 nf_ct_deliver_cached_events(ct);
1063 }
a94ebc39
JS		 1064
1065 return 0;
1066}
1067
c05e2094 1068static bool labels_nonzero(const struct ovs_key_ct_labels *labels)
038e34ab
JS		 1069{
1070 size_t i;
1071
83495bd9
JR		 1072 for (i = 0; i < OVS_CT_LABELS_LEN_32; i++)
1073 if (labels->ct_labels_32[i])
038e34ab
JS		 1074 return true;
1075
1076 return false;
1077}
1078
39a6542b
JR		 1079/* Lookup connection and confirm if unconfirmed. */
1080static int ovs_ct_commit(struct net *net, struct sw_flow_key *key,
1081 const struct ovs_conntrack_info *info,
1082 struct sk_buff *skb)
1083{
efd40994
JR		 1084 enum ip_conntrack_info ctinfo;
1085 struct nf_conn *ct;
39a6542b
JR		 1086 int err;
1087
1088 err = __ovs_ct_lookup(net, key, info, skb);
1089 if (err)
1090 return err;
1091
efd40994
JR		 1092 /* The connection could be invalid, in which case this is a no-op.*/
1093 ct = nf_ct_get(skb, &ctinfo);
1094 if (!ct)
1095 return 0;
1096
8e83854c
JR		 1097 /* Set the conntrack event mask if given. NEW and DELETE events have
1098 * their own groups, but the NFNLGRP_CONNTRACK_UPDATE group listener
1099 * typically would receive many kinds of updates. Setting the event
1100 * mask allows those events to be filtered. The set event mask will
1101 * remain in effect for the lifetime of the connection unless changed
1102 * by a further CT action with both the commit flag and the eventmask
1103 * option. */
1104 if (info->have_eventmask) {
1105 struct nf_conntrack_ecache *cache = nf_ct_ecache_find(ct);
1106
1107 if (cache)
1108 cache->ctmask = info->eventmask;
1109 }
1110
39a6542b
JR		 1111 /* Apply changes before confirming the connection so that the initial
1112 * conntrack NEW netlink event carries the values given in the CT
1113 * action.
1114 */
1115 if (info->mark.mask) {
efd40994 1116 err = ovs_ct_set_mark(ct, key, info->mark.value,
39a6542b
JR		 1117 info->mark.mask);
1118 if (err)
1119 return err;
1120 }
7162cae4
JR		 1121 if (!nf_ct_is_confirmed(ct)) {
1122 err = ovs_ct_init_labels(ct, key, &info->labels.value,
1123 &info->labels.mask);
1124 if (err)
1125 return err;
1126 } else if (labels_nonzero(&info->labels.mask)) {
1127 err = ovs_ct_set_labels(ct, key, &info->labels.value,
1128 &info->labels.mask);
39a6542b
JR		 1129 if (err)
1130 return err;
1131 }
1132 /* This will take care of sending queued events even if the connection
1133 * is already confirmed.
1134 */
1135 if (nf_conntrack_confirm(skb) != NF_ACCEPT)
1136 return -EINVAL;
1137
1138 return 0;
1139}
1140
c05e2094
JS		 1141/* Returns 0 on success, -EINPROGRESS if 'skb' is stolen, or other nonzero
1142 * value if 'skb' is freed.
1143 */
a94ebc39
JS		 1144int ovs_ct_execute(struct net *net, struct sk_buff *skb,
1145 struct sw_flow_key *key,
1146 const struct ovs_conntrack_info *info)
1147{
1148 int nh_ofs;
1149 int err;
1150
1151 /* The conntrack module expects to be working at L3. */
1152 nh_ofs = skb_network_offset(skb);
073c7b86 1153 skb_pull_rcsum(skb, nh_ofs);
a94ebc39
JS		 1154
1155 if (key->ip.frag != OVS_FRAG_TYPE_NONE) {
1156 err = handle_fragments(net, key, info->zone.id, skb);
1157 if (err)
1158 return err;
1159 }
1160
c05e2094 1161 if (info->commit)
39a6542b 1162 err = ovs_ct_commit(net, key, info, skb);
a94ebc39
JS		 1163 else
1164 err = ovs_ct_lookup(net, key, info, skb);
1165
1166 skb_push(skb, nh_ofs);
073c7b86 1167 skb_postpush_rcsum(skb, skb->data, nh_ofs);
c05e2094
JS		 1168 if (err)
1169 kfree_skb(skb);
a94ebc39
JS		 1170 return err;
1171}
1172
11251c17
JS		 1173static int ovs_ct_add_helper(struct ovs_conntrack_info *info, const char *name,
1174 const struct sw_flow_key *key, bool log)
1175{
1176 struct nf_conntrack_helper *helper;
1177 struct nf_conn_help *help;
1178
1179 helper = nf_conntrack_helper_try_module_get(name, info->family,
1180 key->ip.proto);
1181 if (!helper) {
1182 OVS_NLERR(log, "Unknown helper \"%s\"", name);
1183 return -EINVAL;
1184 }
1185
1186 help = nf_ct_helper_ext_add(info->ct, helper, GFP_KERNEL);
1187 if (!help) {
ac8e3c6d 1188 nf_conntrack_helper_put(helper);
11251c17
JS		 1189 return -ENOMEM;
1190 }
1191
1192 rcu_assign_pointer(help->helper, helper);
1193 info->helper = helper;
1194 return 0;
1195}
1196
f8f97cdc
JR		 1197#ifdef CONFIG_NF_NAT_NEEDED
1198static int parse_nat(const struct nlattr *attr,
1199 struct ovs_conntrack_info *info, bool log)
1200{
1201 struct nlattr *a;
1202 int rem;
1203 bool have_ip_max = false;
1204 bool have_proto_max = false;
1205 bool ip_vers = (info->family == NFPROTO_IPV6);
1206
1207 nla_for_each_nested(a, attr, rem) {
1208 static const int ovs_nat_attr_lens[OVS_NAT_ATTR_MAX + 1][2] = {
1209 [OVS_NAT_ATTR_SRC] = {0, 0},
1210 [OVS_NAT_ATTR_DST] = {0, 0},
1211 [OVS_NAT_ATTR_IP_MIN] = {sizeof(struct in_addr),
1212 sizeof(struct in6_addr)},
1213 [OVS_NAT_ATTR_IP_MAX] = {sizeof(struct in_addr),
1214 sizeof(struct in6_addr)},
1215 [OVS_NAT_ATTR_PROTO_MIN] = {sizeof(u16), sizeof(u16)},
1216 [OVS_NAT_ATTR_PROTO_MAX] = {sizeof(u16), sizeof(u16)},
1217 [OVS_NAT_ATTR_PERSISTENT] = {0, 0},
1218 [OVS_NAT_ATTR_PROTO_HASH] = {0, 0},
1219 [OVS_NAT_ATTR_PROTO_RANDOM] = {0, 0},
1220 };
1221 int type = nla_type(a);
1222
1223 if (type > OVS_NAT_ATTR_MAX) {
1224 OVS_NLERR(log,
1225 "Unknown NAT attribute (type=%d, max=%d).\n",
1226 type, OVS_NAT_ATTR_MAX);
1227 return -EINVAL;
1228 }
1229
1230 if (nla_len(a) != ovs_nat_attr_lens[type][ip_vers]) {
1231 OVS_NLERR(log,
1232 "NAT attribute type %d has unexpected length (%d != %d).\n",
1233 type, nla_len(a),
1234 ovs_nat_attr_lens[type][ip_vers]);
1235 return -EINVAL;
1236 }
1237
1238 switch (type) {
1239 case OVS_NAT_ATTR_SRC:
1240 case OVS_NAT_ATTR_DST:
1241 if (info->nat) {
1242 OVS_NLERR(log,
1243 "Only one type of NAT may be specified.\n"
1244 );
1245 return -ERANGE;
1246 }
1247 info->nat |= OVS_CT_NAT;
1248 info->nat |= ((type == OVS_NAT_ATTR_SRC)
1249 ? OVS_CT_SRC_NAT : OVS_CT_DST_NAT);
1250 break;
1251
1252 case OVS_NAT_ATTR_IP_MIN:
70e71d27
HY		 1253 nla_memcpy(&info->range.min_addr, a,
1254 sizeof(info->range.min_addr));
f8f97cdc
JR		 1255 info->range.flags |= NF_NAT_RANGE_MAP_IPS;
1256 break;
1257
1258 case OVS_NAT_ATTR_IP_MAX:
1259 have_ip_max = true;
1260 nla_memcpy(&info->range.max_addr, a,
1261 sizeof(info->range.max_addr));
1262 info->range.flags |= NF_NAT_RANGE_MAP_IPS;
1263 break;
1264
1265 case OVS_NAT_ATTR_PROTO_MIN:
1266 info->range.min_proto.all = htons(nla_get_u16(a));
1267 info->range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
1268 break;
1269
1270 case OVS_NAT_ATTR_PROTO_MAX:
1271 have_proto_max = true;
1272 info->range.max_proto.all = htons(nla_get_u16(a));
1273 info->range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
1274 break;
1275
1276 case OVS_NAT_ATTR_PERSISTENT:
1277 info->range.flags |= NF_NAT_RANGE_PERSISTENT;
1278 break;
1279
1280 case OVS_NAT_ATTR_PROTO_HASH:
1281 info->range.flags |= NF_NAT_RANGE_PROTO_RANDOM;
1282 break;
1283
1284 case OVS_NAT_ATTR_PROTO_RANDOM:
9f1de150 1285#ifdef NF_NAT_RANGE_PROTO_RANDOM_FULLY
f8f97cdc 1286 info->range.flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY;
9f1de150
JR		 1287#else
1288 info->range.flags |= NF_NAT_RANGE_PROTO_RANDOM;
1289 info->random_fully_compat = true;
1290#endif
f8f97cdc
JR		 1291 break;
1292
1293 default:
1294 OVS_NLERR(log, "Unknown nat attribute (%d).\n", type);
1295 return -EINVAL;
1296 }
1297 }
1298
1299 if (rem > 0) {
1300 OVS_NLERR(log, "NAT attribute has %d unknown bytes.\n", rem);
1301 return -EINVAL;
1302 }
1303 if (!info->nat) {
1304 /* Do not allow flags if no type is given. */
1305 if (info->range.flags) {
1306 OVS_NLERR(log,
1307 "NAT flags may be given only when NAT range (SRC or DST) is also specified.\n"
1308 );
1309 return -EINVAL;
1310 }
1311 info->nat = OVS_CT_NAT; /* NAT existing connections. */
1312 } else if (!info->commit) {
1313 OVS_NLERR(log,
1314 "NAT attributes may be specified only when CT COMMIT flag is also specified.\n"
1315 );
1316 return -EINVAL;
1317 }
1318 /* Allow missing IP_MAX. */
1319 if (info->range.flags & NF_NAT_RANGE_MAP_IPS && !have_ip_max) {
1320 memcpy(&info->range.max_addr, &info->range.min_addr,
1321 sizeof(info->range.max_addr));
1322 }
1323 /* Allow missing PROTO_MAX. */
1324 if (info->range.flags & NF_NAT_RANGE_PROTO_SPECIFIED &&
1325 !have_proto_max) {
1326 info->range.max_proto.all = info->range.min_proto.all;
1327 }
1328 return 0;
1329}
1330#endif
1331
a94ebc39 1332static const struct ovs_ct_len_tbl ovs_ct_attr_lens[OVS_CT_ATTR_MAX + 1] = {
c05e2094 1333 [OVS_CT_ATTR_COMMIT] = { .minlen = 0, .maxlen = 0 },
b80e259f 1334 [OVS_CT_ATTR_FORCE_COMMIT] = { .minlen = 0, .maxlen = 0 },
a94ebc39
JS		 1335 [OVS_CT_ATTR_ZONE] = { .minlen = sizeof(u16),
1336 .maxlen = sizeof(u16) },
372ce973
JS		 1337 [OVS_CT_ATTR_MARK] = { .minlen = sizeof(struct md_mark),
1338 .maxlen = sizeof(struct md_mark) },
c05e2094
JS		 1339 [OVS_CT_ATTR_LABELS] = { .minlen = sizeof(struct md_labels),
1340 .maxlen = sizeof(struct md_labels) },
11251c17 1341 [OVS_CT_ATTR_HELPER] = { .minlen = 1,
f8f97cdc
JR		 1342 .maxlen = NF_CT_HELPER_NAME_LEN },
1343#ifdef CONFIG_NF_NAT_NEEDED
1344 /* NAT length is checked when parsing the nested attributes. */
1345 [OVS_CT_ATTR_NAT] = { .minlen = 0, .maxlen = INT_MAX },
1346#endif
8e83854c
JR		 1347 [OVS_CT_ATTR_EVENTMASK] = { .minlen = sizeof(u32),
1348 .maxlen = sizeof(u32) },
a94ebc39
JS		 1349};
1350
1351static int parse_ct(const struct nlattr *attr, struct ovs_conntrack_info *info,
11251c17 1352 const char **helper, bool log)
a94ebc39
JS		 1353{
1354 struct nlattr *a;
1355 int rem;
1356
1357 nla_for_each_nested(a, attr, rem) {
1358 int type = nla_type(a);
fb296f42
GR		 1359 int maxlen;
1360 int minlen;
a94ebc39
JS		 1361
1362 if (type > OVS_CT_ATTR_MAX) {
1363 OVS_NLERR(log,
1364 "Unknown conntrack attr (type=%d, max=%d)",
1365 type, OVS_CT_ATTR_MAX);
1366 return -EINVAL;
1367 }
fb296f42
GR		 1368
1369 maxlen = ovs_ct_attr_lens[type].maxlen;
1370 minlen = ovs_ct_attr_lens[type].minlen;
a94ebc39
JS		 1371 if (nla_len(a) < minlen || nla_len(a) > maxlen) {
1372 OVS_NLERR(log,
1373 "Conntrack attr type has unexpected length (type=%d, length=%d, expected=%d)",
1374 type, nla_len(a), maxlen);
1375 return -EINVAL;
1376 }
1377
1378 switch (type) {
b80e259f
JR		 1379 case OVS_CT_ATTR_FORCE_COMMIT:
1380 info->force = true;
1381 /* fall through. */
c05e2094
JS		 1382 case OVS_CT_ATTR_COMMIT:
1383 info->commit = true;
a94ebc39
JS		 1384 break;
1385#ifdef CONFIG_NF_CONNTRACK_ZONES
1386 case OVS_CT_ATTR_ZONE:
1387 info->zone.id = nla_get_u16(a);
1388 break;
372ce973
JS		 1389#endif
1390#ifdef CONFIG_NF_CONNTRACK_MARK
1391 case OVS_CT_ATTR_MARK: {
1392 struct md_mark *mark = nla_data(a);
1393
c05e2094
JS		 1394 if (!mark->mask) {
1395 OVS_NLERR(log, "ct_mark mask cannot be 0");
1396 return -EINVAL;
1397 }
372ce973
JS		 1398 info->mark = *mark;
1399 break;
1400 }
038e34ab
JS		 1401#endif
1402#ifdef CONFIG_NF_CONNTRACK_LABELS
c05e2094
JS		 1403 case OVS_CT_ATTR_LABELS: {
1404 struct md_labels *labels = nla_data(a);
038e34ab 1405
c05e2094
JS		 1406 if (!labels_nonzero(&labels->mask)) {
1407 OVS_NLERR(log, "ct_labels mask cannot be 0");
1408 return -EINVAL;
1409 }
1410 info->labels = *labels;
038e34ab
JS		 1411 break;
1412 }
a94ebc39 1413#endif
11251c17
JS		 1414 case OVS_CT_ATTR_HELPER:
1415 *helper = nla_data(a);
1416 if (!memchr(*helper, '\0', nla_len(a))) {
1417 OVS_NLERR(log, "Invalid conntrack helper");
1418 return -EINVAL;
1419 }
1420 break;
f8f97cdc
JR		 1421#ifdef CONFIG_NF_NAT_NEEDED
1422 case OVS_CT_ATTR_NAT: {
1423 int err = parse_nat(a, info, log);
1424
1425 if (err)
1426 return err;
1427 break;
1428 }
1429#endif
8e83854c
JR		 1430 case OVS_CT_ATTR_EVENTMASK:
1431 info->have_eventmask = true;
1432 info->eventmask = nla_get_u32(a);
1433 break;
1434
a94ebc39
JS		 1435 default:
1436 OVS_NLERR(log, "Unknown conntrack attr (%d)",
1437 type);
1438 return -EINVAL;
1439 }
1440 }
1441
39a6542b
JR		 1442#ifdef CONFIG_NF_CONNTRACK_MARK
1443 if (!info->commit && info->mark.mask) {
1444 OVS_NLERR(log,
1445 "Setting conntrack mark requires 'commit' flag.");
1446 return -EINVAL;
1447 }
1448#endif
1449#ifdef CONFIG_NF_CONNTRACK_LABELS
1450 if (!info->commit && labels_nonzero(&info->labels.mask)) {
1451 OVS_NLERR(log,
1452 "Setting conntrack labels requires 'commit' flag.");
1453 return -EINVAL;
1454 }
1455#endif
a94ebc39
JS		 1456 if (rem > 0) {
1457 OVS_NLERR(log, "Conntrack attr has %d unknown bytes", rem);
1458 return -EINVAL;
1459 }
1460
1461 return 0;
1462}
1463
038e34ab 1464bool ovs_ct_verify(struct net *net, enum ovs_key_attr attr)
a94ebc39
JS		 1465{
1466 if (attr == OVS_KEY_ATTR_CT_STATE)
1467 return true;
1468 if (IS_ENABLED(CONFIG_NF_CONNTRACK_ZONES) &&
1469 attr == OVS_KEY_ATTR_CT_ZONE)
1470 return true;
372ce973
JS		 1471 if (IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) &&
1472 attr == OVS_KEY_ATTR_CT_MARK)
1473 return true;
038e34ab 1474 if (IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS) &&
c05e2094 1475 attr == OVS_KEY_ATTR_CT_LABELS) {
038e34ab
JS		 1476 struct ovs_net *ovs_net = net_generic(net, ovs_net_id);
1477
1478 return ovs_net->xt_label;
1479 }
a94ebc39
JS		 1480
1481 return false;
1482}
1483
1484int ovs_ct_copy_action(struct net *net, const struct nlattr *attr,
1485 const struct sw_flow_key *key,
1486 struct sw_flow_actions **sfa, bool log)
1487{
1488 struct ovs_conntrack_info ct_info;
11251c17 1489 const char *helper = NULL;
a94ebc39
JS		 1490 u16 family;
1491 int err;
1492
1493 family = key_to_nfproto(key);
1494 if (family == NFPROTO_UNSPEC) {
1495 OVS_NLERR(log, "ct family unspecified");
1496 return -EINVAL;
1497 }
1498
1499 memset(&ct_info, 0, sizeof(ct_info));
1500 ct_info.family = family;
1501
1502 nf_ct_zone_init(&ct_info.zone, NF_CT_DEFAULT_ZONE_ID,
1503 NF_CT_DEFAULT_ZONE_DIR, 0);
1504
11251c17 1505 err = parse_ct(attr, &ct_info, &helper, log);
a94ebc39
JS		 1506 if (err)
1507 return err;
1508
1509 /* Set up template for tracking connections in specific zones. */
1510 ct_info.ct = nf_ct_tmpl_alloc(net, &ct_info.zone, GFP_KERNEL);
1511 if (!ct_info.ct) {
1512 OVS_NLERR(log, "Failed to allocate conntrack template");
1513 return -ENOMEM;
1514 }
a3a68d63
JS		 1515
1516 __set_bit(IPS_CONFIRMED_BIT, &ct_info.ct->status);
1517 nf_conntrack_get(&ct_info.ct->ct_general);
1518
11251c17
JS		 1519 if (helper) {
1520 err = ovs_ct_add_helper(&ct_info, helper, key, log);
1521 if (err)
1522 goto err_free_ct;
1523 }
a94ebc39
JS		 1524
1525 err = ovs_nla_add_action(sfa, OVS_ACTION_ATTR_CT, &ct_info,
1526 sizeof(ct_info), log);
1527 if (err)
1528 goto err_free_ct;
1529
a94ebc39
JS		 1530 return 0;
1531err_free_ct:
11251c17 1532 __ovs_ct_free_action(&ct_info);
a94ebc39
JS		 1533 return err;
1534}
1535
f8f97cdc
JR		 1536#ifdef CONFIG_NF_NAT_NEEDED
1537static bool ovs_ct_nat_to_attr(const struct ovs_conntrack_info *info,
1538 struct sk_buff *skb)
1539{
1540 struct nlattr *start;
1541
1542 start = nla_nest_start(skb, OVS_CT_ATTR_NAT);
1543 if (!start)
1544 return false;
1545
1546 if (info->nat & OVS_CT_SRC_NAT) {
1547 if (nla_put_flag(skb, OVS_NAT_ATTR_SRC))
1548 return false;
1549 } else if (info->nat & OVS_CT_DST_NAT) {
1550 if (nla_put_flag(skb, OVS_NAT_ATTR_DST))
1551 return false;
1552 } else {
1553 goto out;
1554 }
1555
1556 if (info->range.flags & NF_NAT_RANGE_MAP_IPS) {
90b01477
AB		 1557 if (IS_ENABLED(CONFIG_NF_NAT_IPV4) &&
1558 info->family == NFPROTO_IPV4) {
f8f97cdc
JR		 1559 if (nla_put_in_addr(skb, OVS_NAT_ATTR_IP_MIN,
1560 info->range.min_addr.ip) ||
1561 (info->range.max_addr.ip
1562 != info->range.min_addr.ip &&
1563 (nla_put_in_addr(skb, OVS_NAT_ATTR_IP_MAX,
1564 info->range.max_addr.ip))))
1565 return false;
90b01477
AB		 1566 } else if (IS_ENABLED(CONFIG_NF_NAT_IPV6) &&
1567 info->family == NFPROTO_IPV6) {
f8f97cdc
JR		 1568 if (nla_put_in6_addr(skb, OVS_NAT_ATTR_IP_MIN,
1569 &info->range.min_addr.in6) ||
1570 (memcmp(&info->range.max_addr.in6,
1571 &info->range.min_addr.in6,
1572 sizeof(info->range.max_addr.in6)) &&
1573 (nla_put_in6_addr(skb, OVS_NAT_ATTR_IP_MAX,
1574 &info->range.max_addr.in6))))
1575 return false;
f8f97cdc
JR		 1576 } else {
1577 return false;
1578 }
1579 }
1580 if (info->range.flags & NF_NAT_RANGE_PROTO_SPECIFIED &&
1581 (nla_put_u16(skb, OVS_NAT_ATTR_PROTO_MIN,
1582 ntohs(info->range.min_proto.all)) ||
1583 (info->range.max_proto.all != info->range.min_proto.all &&
1584 nla_put_u16(skb, OVS_NAT_ATTR_PROTO_MAX,
1585 ntohs(info->range.max_proto.all)))))
1586 return false;
1587
1588 if (info->range.flags & NF_NAT_RANGE_PERSISTENT &&
1589 nla_put_flag(skb, OVS_NAT_ATTR_PERSISTENT))
1590 return false;
1591 if (info->range.flags & NF_NAT_RANGE_PROTO_RANDOM &&
9f1de150
JR		 1592 nla_put_flag(skb, info->random_fully_compat
1593 ? OVS_NAT_ATTR_PROTO_RANDOM
1594 : OVS_NAT_ATTR_PROTO_HASH))
f8f97cdc 1595 return false;
9f1de150 1596#ifdef NF_NAT_RANGE_PROTO_RANDOM_FULLY
f8f97cdc
JR		 1597 if (info->range.flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY &&
1598 nla_put_flag(skb, OVS_NAT_ATTR_PROTO_RANDOM))
1599 return false;
9f1de150 1600#endif
f8f97cdc
JR		 1601out:
1602 nla_nest_end(skb, start);
1603
1604 return true;
1605}
1606#endif
1607
a94ebc39
JS		 1608int ovs_ct_action_to_attr(const struct ovs_conntrack_info *ct_info,
1609 struct sk_buff *skb)
1610{
1611 struct nlattr *start;
1612
1613 start = nla_nest_start(skb, OVS_ACTION_ATTR_CT);
1614 if (!start)
1615 return -EMSGSIZE;
1616
b80e259f
JR		 1617 if (ct_info->commit && nla_put_flag(skb, ct_info->force
1618 ? OVS_CT_ATTR_FORCE_COMMIT
1619 : OVS_CT_ATTR_COMMIT))
a94ebc39
JS		 1620 return -EMSGSIZE;
1621 if (IS_ENABLED(CONFIG_NF_CONNTRACK_ZONES) &&
1622 nla_put_u16(skb, OVS_CT_ATTR_ZONE, ct_info->zone.id))
1623 return -EMSGSIZE;
c05e2094 1624 if (IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) && ct_info->mark.mask &&
372ce973
JS		 1625 nla_put(skb, OVS_CT_ATTR_MARK, sizeof(ct_info->mark),
1626 &ct_info->mark))
1627 return -EMSGSIZE;
038e34ab 1628 if (IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS) &&
c05e2094
JS		 1629 labels_nonzero(&ct_info->labels.mask) &&
1630 nla_put(skb, OVS_CT_ATTR_LABELS, sizeof(ct_info->labels),
1631 &ct_info->labels))
038e34ab 1632 return -EMSGSIZE;
11251c17
JS		 1633 if (ct_info->helper) {
1634 if (nla_put_string(skb, OVS_CT_ATTR_HELPER,
1635 ct_info->helper->name))
1636 return -EMSGSIZE;
1637 }
8e83854c
JR		 1638 if (ct_info->have_eventmask &&
1639 nla_put_u32(skb, OVS_CT_ATTR_EVENTMASK, ct_info->eventmask))
1640 return -EMSGSIZE;
1641
f8f97cdc
JR		 1642#ifdef CONFIG_NF_NAT_NEEDED
1643 if (ct_info->nat && !ovs_ct_nat_to_attr(ct_info, skb))
1644 return -EMSGSIZE;
1645#endif
a94ebc39
JS		 1646 nla_nest_end(skb, start);
1647
1648 return 0;
1649}
1650
1651void ovs_ct_free_action(const struct nlattr *a)
1652{
1653 struct ovs_conntrack_info *ct_info = nla_data(a);
1654
11251c17
JS		 1655 __ovs_ct_free_action(ct_info);
1656}
1657
1658static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info)
1659{
1660 if (ct_info->helper)
ac8e3c6d 1661 nf_conntrack_helper_put(ct_info->helper);
a94ebc39
JS		 1662 if (ct_info->ct)
1663 nf_ct_tmpl_free(ct_info->ct);
1664}
1665
038e34ab
JS		 1666void ovs_ct_init(struct net *net)
1667{
c05e2094 1668 unsigned int n_bits = sizeof(struct ovs_key_ct_labels) * BITS_PER_BYTE;
038e34ab
JS		 1669 struct ovs_net *ovs_net = net_generic(net, ovs_net_id);
1670
7f2ab8cd 1671 if (nf_connlabels_get(net, n_bits - 1)) {
038e34ab
JS		 1672 ovs_net->xt_label = false;
1673 OVS_NLERR(true, "Failed to set connlabel length");
1674 } else {
1675 ovs_net->xt_label = true;
1676 }
1677}
1678
1679void ovs_ct_exit(struct net *net)
1680{
1681 struct ovs_net *ovs_net = net_generic(net, ovs_net_id);
1682
1683 if (ovs_net->xt_label)
1684 nf_connlabels_put(net);
1685}
1686
8063e095 1687#endif /* CONFIG_NF_CONNTRACK */
openvswitch mirror