]>
Commit | Line | Data |
---|---|---|
a94ebc39 JS |
1 | /* |
2 | * Copyright (c) 2015 Nicira, Inc. | |
3 | * | |
4 | * This program is free software; you can redistribute it and/or | |
5 | * modify it under the terms of version 2 of the GNU General Public | |
6 | * License as published by the Free Software Foundation. | |
7 | * | |
8 | * This program is distributed in the hope that it will be useful, but | |
9 | * WITHOUT ANY WARRANTY; without even the implied warranty of | |
10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
11 | * General Public License for more details. | |
12 | */ | |
13 | ||
14 | #include <linux/kconfig.h> | |
15 | #include <linux/version.h> | |
16 | ||
8063e095 | 17 | #if IS_ENABLED(CONFIG_NF_CONNTRACK) |
a94ebc39 JS |
18 | |
19 | #include <linux/module.h> | |
20 | #include <linux/openvswitch.h> | |
f8f97cdc JR |
21 | #include <linux/tcp.h> |
22 | #include <linux/udp.h> | |
23 | #include <linux/sctp.h> | |
a94ebc39 JS |
24 | #include <net/ip.h> |
25 | #include <net/netfilter/nf_conntrack_core.h> | |
11251c17 | 26 | #include <net/netfilter/nf_conntrack_helper.h> |
038e34ab | 27 | #include <net/netfilter/nf_conntrack_labels.h> |
f8f97cdc | 28 | #include <net/netfilter/nf_conntrack_seqadj.h> |
a94ebc39 JS |
29 | #include <net/netfilter/nf_conntrack_zones.h> |
30 | #include <net/netfilter/ipv6/nf_defrag_ipv6.h> | |
31 | ||
f8f97cdc JR |
32 | #ifdef CONFIG_NF_NAT_NEEDED |
33 | #include <linux/netfilter/nf_nat.h> | |
34 | #include <net/netfilter/nf_nat_core.h> | |
35 | #include <net/netfilter/nf_nat_l3proto.h> | |
36 | #endif | |
37 | ||
a94ebc39 JS |
38 | #include "datapath.h" |
39 | #include "conntrack.h" | |
40 | #include "flow.h" | |
41 | #include "flow_netlink.h" | |
86c2eb45 | 42 | #include "gso.h" |
a94ebc39 JS |
43 | |
44 | struct ovs_ct_len_tbl { | |
f8f97cdc JR |
45 | int maxlen; |
46 | int minlen; | |
a94ebc39 JS |
47 | }; |
48 | ||
372ce973 JS |
49 | /* Metadata mark for masked write to conntrack mark */ |
50 | struct md_mark { | |
51 | u32 value; | |
52 | u32 mask; | |
53 | }; | |
54 | ||
038e34ab | 55 | /* Metadata label for masked write to conntrack label. */ |
c05e2094 JS |
56 | struct md_labels { |
57 | struct ovs_key_ct_labels value; | |
58 | struct ovs_key_ct_labels mask; | |
038e34ab JS |
59 | }; |
60 | ||
f8f97cdc JR |
61 | enum ovs_ct_nat { |
62 | OVS_CT_NAT = 1 << 0, /* NAT for committed connections only. */ | |
63 | OVS_CT_SRC_NAT = 1 << 1, /* Source NAT for NEW connections. */ | |
64 | OVS_CT_DST_NAT = 1 << 2, /* Destination NAT for NEW connections. */ | |
65 | }; | |
66 | ||
a94ebc39 JS |
67 | /* Conntrack action context for execution. */ |
68 | struct ovs_conntrack_info { | |
11251c17 | 69 | struct nf_conntrack_helper *helper; |
a94ebc39 JS |
70 | struct nf_conntrack_zone zone; |
71 | struct nf_conn *ct; | |
c05e2094 | 72 | u8 commit : 1; |
f8f97cdc | 73 | u8 nat : 3; /* enum ovs_ct_nat */ |
9f1de150 | 74 | u8 random_fully_compat : 1; /* bool */ |
b80e259f | 75 | u8 force : 1; |
8e83854c | 76 | u8 have_eventmask : 1; |
a94ebc39 | 77 | u16 family; |
8e83854c | 78 | u32 eventmask; /* Mask of 1 << IPCT_*. */ |
372ce973 | 79 | struct md_mark mark; |
c05e2094 | 80 | struct md_labels labels; |
f8f97cdc JR |
81 | #ifdef CONFIG_NF_NAT_NEEDED |
82 | struct nf_nat_range range; /* Only present for SRC NAT and DST NAT. */ | |
83 | #endif | |
a94ebc39 JS |
84 | }; |
85 | ||
7162cae4 JR |
86 | static bool labels_nonzero(const struct ovs_key_ct_labels *labels); |
87 | ||
11251c17 JS |
88 | static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info); |
89 | ||
a94ebc39 JS |
90 | static u16 key_to_nfproto(const struct sw_flow_key *key) |
91 | { | |
92 | switch (ntohs(key->eth.type)) { | |
93 | case ETH_P_IP: | |
94 | return NFPROTO_IPV4; | |
95 | case ETH_P_IPV6: | |
96 | return NFPROTO_IPV6; | |
97 | default: | |
98 | return NFPROTO_UNSPEC; | |
99 | } | |
100 | } | |
101 | ||
102 | /* Map SKB connection state into the values used by flow definition. */ | |
103 | static u8 ovs_ct_get_state(enum ip_conntrack_info ctinfo) | |
104 | { | |
105 | u8 ct_state = OVS_CS_F_TRACKED; | |
106 | ||
107 | switch (ctinfo) { | |
108 | case IP_CT_ESTABLISHED_REPLY: | |
109 | case IP_CT_RELATED_REPLY: | |
a94ebc39 JS |
110 | ct_state |= OVS_CS_F_REPLY_DIR; |
111 | break; | |
112 | default: | |
113 | break; | |
114 | } | |
115 | ||
116 | switch (ctinfo) { | |
117 | case IP_CT_ESTABLISHED: | |
118 | case IP_CT_ESTABLISHED_REPLY: | |
119 | ct_state |= OVS_CS_F_ESTABLISHED; | |
120 | break; | |
121 | case IP_CT_RELATED: | |
122 | case IP_CT_RELATED_REPLY: | |
123 | ct_state |= OVS_CS_F_RELATED; | |
124 | break; | |
125 | case IP_CT_NEW: | |
a94ebc39 JS |
126 | ct_state |= OVS_CS_F_NEW; |
127 | break; | |
128 | default: | |
129 | break; | |
130 | } | |
131 | ||
132 | return ct_state; | |
133 | } | |
134 | ||
c05e2094 JS |
135 | static u32 ovs_ct_get_mark(const struct nf_conn *ct) |
136 | { | |
137 | #if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) | |
138 | return ct ? ct->mark : 0; | |
139 | #else | |
140 | return 0; | |
141 | #endif | |
142 | } | |
143 | ||
237f9413 JR |
144 | /* Guard against conntrack labels max size shrinking below 128 bits. */ |
145 | #if NF_CT_LABELS_MAX_SIZE < 16 | |
146 | #error NF_CT_LABELS_MAX_SIZE must be at least 16 bytes | |
147 | #endif | |
148 | ||
c05e2094 JS |
149 | static void ovs_ct_get_labels(const struct nf_conn *ct, |
150 | struct ovs_key_ct_labels *labels) | |
038e34ab JS |
151 | { |
152 | struct nf_conn_labels *cl = ct ? nf_ct_labels_find(ct) : NULL; | |
153 | ||
237f9413 JR |
154 | if (cl) |
155 | memcpy(labels, cl->bits, OVS_CT_LABELS_LEN); | |
156 | else | |
c05e2094 | 157 | memset(labels, 0, OVS_CT_LABELS_LEN); |
038e34ab JS |
158 | } |
159 | ||
c30b4cea JR |
160 | static void __ovs_ct_update_key_orig_tp(struct sw_flow_key *key, |
161 | const struct nf_conntrack_tuple *orig, | |
162 | u8 icmp_proto) | |
163 | { | |
1963a885 | 164 | key->ct_orig_proto = orig->dst.protonum; |
c30b4cea JR |
165 | if (orig->dst.protonum == icmp_proto) { |
166 | key->ct.orig_tp.src = htons(orig->dst.u.icmp.type); | |
167 | key->ct.orig_tp.dst = htons(orig->dst.u.icmp.code); | |
168 | } else { | |
169 | key->ct.orig_tp.src = orig->src.u.all; | |
170 | key->ct.orig_tp.dst = orig->dst.u.all; | |
171 | } | |
172 | } | |
173 | ||
a94ebc39 | 174 | static void __ovs_ct_update_key(struct sw_flow_key *key, u8 state, |
372ce973 JS |
175 | const struct nf_conntrack_zone *zone, |
176 | const struct nf_conn *ct) | |
a94ebc39 | 177 | { |
1963a885 JR |
178 | key->ct_state = state; |
179 | key->ct_zone = zone->id; | |
c05e2094 JS |
180 | key->ct.mark = ovs_ct_get_mark(ct); |
181 | ovs_ct_get_labels(ct, &key->ct.labels); | |
c30b4cea JR |
182 | |
183 | if (ct) { | |
184 | const struct nf_conntrack_tuple *orig; | |
185 | ||
186 | /* Use the master if we have one. */ | |
187 | if (ct->master) | |
188 | ct = ct->master; | |
189 | orig = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple; | |
190 | ||
191 | /* IP version must match with the master connection. */ | |
192 | if (key->eth.type == htons(ETH_P_IP) && | |
193 | nf_ct_l3num(ct) == NFPROTO_IPV4) { | |
194 | key->ipv4.ct_orig.src = orig->src.u3.ip; | |
195 | key->ipv4.ct_orig.dst = orig->dst.u3.ip; | |
196 | __ovs_ct_update_key_orig_tp(key, orig, IPPROTO_ICMP); | |
197 | return; | |
198 | } else if (key->eth.type == htons(ETH_P_IPV6) && | |
199 | !sw_flow_key_is_nd(key) && | |
200 | nf_ct_l3num(ct) == NFPROTO_IPV6) { | |
201 | key->ipv6.ct_orig.src = orig->src.u3.in6; | |
202 | key->ipv6.ct_orig.dst = orig->dst.u3.in6; | |
203 | __ovs_ct_update_key_orig_tp(key, orig, NEXTHDR_ICMP); | |
204 | return; | |
205 | } | |
206 | } | |
1963a885 | 207 | /* Clear 'ct_orig_proto' to mark the non-existence of conntrack |
c30b4cea JR |
208 | * original direction key fields. |
209 | */ | |
1963a885 | 210 | key->ct_orig_proto = 0; |
a94ebc39 JS |
211 | } |
212 | ||
e3c42eb8 | 213 | /* Update 'key' based on skb->_nfct. If 'post_ct' is true, then OVS has |
f8f97cdc JR |
214 | * previously sent the packet to conntrack via the ct action. If |
215 | * 'keep_nat_flags' is true, the existing NAT flags retained, else they are | |
216 | * initialized from the connection status. | |
a94ebc39 JS |
217 | */ |
218 | static void ovs_ct_update_key(const struct sk_buff *skb, | |
f23593a1 | 219 | const struct ovs_conntrack_info *info, |
f8f97cdc JR |
220 | struct sw_flow_key *key, bool post_ct, |
221 | bool keep_nat_flags) | |
a94ebc39 JS |
222 | { |
223 | const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt; | |
224 | enum ip_conntrack_info ctinfo; | |
225 | struct nf_conn *ct; | |
226 | u8 state = 0; | |
227 | ||
228 | ct = nf_ct_get(skb, &ctinfo); | |
229 | if (ct) { | |
230 | state = ovs_ct_get_state(ctinfo); | |
b0f251cd | 231 | /* All unconfirmed entries are NEW connections. */ |
c05e2094 JS |
232 | if (!nf_ct_is_confirmed(ct)) |
233 | state |= OVS_CS_F_NEW; | |
b0f251cd JR |
234 | /* OVS persists the related flag for the duration of the |
235 | * connection. | |
236 | */ | |
a94ebc39 JS |
237 | if (ct->master) |
238 | state |= OVS_CS_F_RELATED; | |
f8f97cdc | 239 | if (keep_nat_flags) { |
1963a885 | 240 | state |= key->ct_state & OVS_CS_F_NAT_MASK; |
f8f97cdc JR |
241 | } else { |
242 | if (ct->status & IPS_SRC_NAT) | |
243 | state |= OVS_CS_F_SRC_NAT; | |
244 | if (ct->status & IPS_DST_NAT) | |
245 | state |= OVS_CS_F_DST_NAT; | |
246 | } | |
a94ebc39 JS |
247 | zone = nf_ct_zone(ct); |
248 | } else if (post_ct) { | |
249 | state = OVS_CS_F_TRACKED | OVS_CS_F_INVALID; | |
f23593a1 JS |
250 | if (info) |
251 | zone = &info->zone; | |
a94ebc39 | 252 | } |
372ce973 | 253 | __ovs_ct_update_key(key, state, zone, ct); |
a94ebc39 JS |
254 | } |
255 | ||
b0f251cd JR |
256 | /* This is called to initialize CT key fields possibly coming in from the local |
257 | * stack. | |
258 | */ | |
a94ebc39 JS |
259 | void ovs_ct_fill_key(const struct sk_buff *skb, struct sw_flow_key *key) |
260 | { | |
f8f97cdc | 261 | ovs_ct_update_key(skb, NULL, key, false, false); |
a94ebc39 JS |
262 | } |
263 | ||
c30b4cea JR |
264 | #define IN6_ADDR_INITIALIZER(ADDR) \ |
265 | { (ADDR).s6_addr32[0], (ADDR).s6_addr32[1], \ | |
266 | (ADDR).s6_addr32[2], (ADDR).s6_addr32[3] } | |
267 | ||
268 | int ovs_ct_put_key(const struct sw_flow_key *swkey, | |
269 | const struct sw_flow_key *output, struct sk_buff *skb) | |
a94ebc39 | 270 | { |
1963a885 | 271 | if (nla_put_u32(skb, OVS_KEY_ATTR_CT_STATE, output->ct_state)) |
a94ebc39 JS |
272 | return -EMSGSIZE; |
273 | ||
274 | if (IS_ENABLED(CONFIG_NF_CONNTRACK_ZONES) && | |
1963a885 | 275 | nla_put_u16(skb, OVS_KEY_ATTR_CT_ZONE, output->ct_zone)) |
a94ebc39 JS |
276 | return -EMSGSIZE; |
277 | ||
372ce973 | 278 | if (IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) && |
c30b4cea | 279 | nla_put_u32(skb, OVS_KEY_ATTR_CT_MARK, output->ct.mark)) |
372ce973 JS |
280 | return -EMSGSIZE; |
281 | ||
c05e2094 | 282 | if (IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS) && |
c30b4cea JR |
283 | nla_put(skb, OVS_KEY_ATTR_CT_LABELS, sizeof(output->ct.labels), |
284 | &output->ct.labels)) | |
038e34ab JS |
285 | return -EMSGSIZE; |
286 | ||
1963a885 | 287 | if (swkey->ct_orig_proto) { |
c30b4cea JR |
288 | if (swkey->eth.type == htons(ETH_P_IP)) { |
289 | struct ovs_key_ct_tuple_ipv4 orig = { | |
290 | output->ipv4.ct_orig.src, | |
291 | output->ipv4.ct_orig.dst, | |
292 | output->ct.orig_tp.src, | |
293 | output->ct.orig_tp.dst, | |
1963a885 | 294 | output->ct_orig_proto, |
c30b4cea JR |
295 | }; |
296 | if (nla_put(skb, OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4, | |
297 | sizeof(orig), &orig)) | |
298 | return -EMSGSIZE; | |
299 | } else if (swkey->eth.type == htons(ETH_P_IPV6)) { | |
300 | struct ovs_key_ct_tuple_ipv6 orig = { | |
301 | IN6_ADDR_INITIALIZER(output->ipv6.ct_orig.src), | |
302 | IN6_ADDR_INITIALIZER(output->ipv6.ct_orig.dst), | |
303 | output->ct.orig_tp.src, | |
304 | output->ct.orig_tp.dst, | |
1963a885 | 305 | output->ct_orig_proto, |
c30b4cea JR |
306 | }; |
307 | if (nla_put(skb, OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6, | |
308 | sizeof(orig), &orig)) | |
309 | return -EMSGSIZE; | |
310 | } | |
311 | } | |
312 | ||
372ce973 JS |
313 | return 0; |
314 | } | |
315 | ||
efd40994 | 316 | static int ovs_ct_set_mark(struct nf_conn *ct, struct sw_flow_key *key, |
372ce973 JS |
317 | u32 ct_mark, u32 mask) |
318 | { | |
c05e2094 | 319 | #if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) |
372ce973 JS |
320 | u32 new_mark; |
321 | ||
372ce973 JS |
322 | new_mark = ct_mark | (ct->mark & ~(mask)); |
323 | if (ct->mark != new_mark) { | |
324 | ct->mark = new_mark; | |
1b22e621 JR |
325 | if (nf_ct_is_confirmed(ct)) |
326 | nf_conntrack_event_cache(IPCT_MARK, ct); | |
372ce973 JS |
327 | key->ct.mark = new_mark; |
328 | } | |
329 | ||
a94ebc39 | 330 | return 0; |
c05e2094 JS |
331 | #else |
332 | return -ENOTSUPP; | |
333 | #endif | |
a94ebc39 JS |
334 | } |
335 | ||
efd40994 | 336 | static struct nf_conn_labels *ovs_ct_get_conn_labels(struct nf_conn *ct) |
038e34ab | 337 | { |
038e34ab | 338 | struct nf_conn_labels *cl; |
038e34ab JS |
339 | |
340 | cl = nf_ct_labels_find(ct); | |
341 | if (!cl) { | |
342 | nf_ct_labels_ext_add(ct); | |
343 | cl = nf_ct_labels_find(ct); | |
344 | } | |
9f04eabe | 345 | |
efd40994 JR |
346 | return cl; |
347 | } | |
348 | ||
349 | /* Initialize labels for a new, yet to be committed conntrack entry. Note that | |
350 | * since the new connection is not yet confirmed, and thus no-one else has | |
351 | * access to it's labels, we simply write them over. | |
352 | */ | |
353 | static int ovs_ct_init_labels(struct nf_conn *ct, struct sw_flow_key *key, | |
354 | const struct ovs_key_ct_labels *labels, | |
355 | const struct ovs_key_ct_labels *mask) | |
356 | { | |
7162cae4 JR |
357 | struct nf_conn_labels *cl, *master_cl; |
358 | bool have_mask = labels_nonzero(mask); | |
359 | ||
360 | /* Inherit master's labels to the related connection? */ | |
361 | master_cl = ct->master ? nf_ct_labels_find(ct->master) : NULL; | |
362 | ||
363 | if (!master_cl && !have_mask) | |
364 | return 0; /* Nothing to do. */ | |
efd40994 JR |
365 | |
366 | cl = ovs_ct_get_conn_labels(ct); | |
367 | if (!cl) | |
038e34ab JS |
368 | return -ENOSPC; |
369 | ||
28033773 JR |
370 | /* Inherit the master's labels, if any. Must use memcpy for backport |
371 | * as struct assignment only copies the length field in older | |
372 | * kernels. | |
373 | */ | |
7162cae4 | 374 | if (master_cl) |
28033773 | 375 | memcpy(cl->bits, master_cl->bits, OVS_CT_LABELS_LEN); |
7162cae4 JR |
376 | |
377 | if (have_mask) { | |
378 | u32 *dst = (u32 *)cl->bits; | |
379 | int i; | |
380 | ||
381 | for (i = 0; i < OVS_CT_LABELS_LEN_32; i++) | |
382 | dst[i] = (dst[i] & ~mask->ct_labels_32[i]) | | |
383 | (labels->ct_labels_32[i] | |
384 | & mask->ct_labels_32[i]); | |
385 | } | |
1b22e621 | 386 | |
efd40994 | 387 | /* Labels are included in the IPCTNL_MSG_CT_NEW event only if the |
100f4e14 | 388 | * IPCT_LABEL bit is set in the event cache. |
efd40994 JR |
389 | */ |
390 | nf_conntrack_event_cache(IPCT_LABEL, ct); | |
1b22e621 | 391 | |
efd40994 JR |
392 | memcpy(&key->ct.labels, cl->bits, OVS_CT_LABELS_LEN); |
393 | ||
394 | return 0; | |
395 | } | |
396 | ||
397 | static int ovs_ct_set_labels(struct nf_conn *ct, struct sw_flow_key *key, | |
398 | const struct ovs_key_ct_labels *labels, | |
399 | const struct ovs_key_ct_labels *mask) | |
400 | { | |
401 | struct nf_conn_labels *cl; | |
402 | int err; | |
403 | ||
404 | cl = ovs_ct_get_conn_labels(ct); | |
405 | if (!cl) | |
406 | return -ENOSPC; | |
407 | ||
408 | err = nf_connlabels_replace(ct, labels->ct_labels_32, | |
409 | mask->ct_labels_32, | |
410 | OVS_CT_LABELS_LEN_32); | |
411 | if (err) | |
412 | return err; | |
413 | ||
414 | memcpy(&key->ct.labels, cl->bits, OVS_CT_LABELS_LEN); | |
038e34ab | 415 | |
038e34ab JS |
416 | return 0; |
417 | } | |
418 | ||
11251c17 JS |
419 | /* 'skb' should already be pulled to nh_ofs. */ |
420 | static int ovs_ct_helper(struct sk_buff *skb, u16 proto) | |
421 | { | |
422 | const struct nf_conntrack_helper *helper; | |
423 | const struct nf_conn_help *help; | |
424 | enum ip_conntrack_info ctinfo; | |
425 | unsigned int protoff; | |
426 | struct nf_conn *ct; | |
4cc85f28 | 427 | u8 nexthdr; |
f8f97cdc | 428 | int err; |
11251c17 | 429 | |
3d47fa46 JH |
430 | #if LINUX_VERSION_CODE < KERNEL_VERSION(4,6,0) |
431 | bool dst_set = false; | |
432 | struct rtable rt = { .rt_flags = 0 }; | |
433 | #endif | |
434 | ||
11251c17 JS |
435 | ct = nf_ct_get(skb, &ctinfo); |
436 | if (!ct || ctinfo == IP_CT_RELATED_REPLY) | |
437 | return NF_ACCEPT; | |
438 | ||
439 | help = nfct_help(ct); | |
440 | if (!help) | |
441 | return NF_ACCEPT; | |
442 | ||
443 | helper = rcu_dereference(help->helper); | |
444 | if (!helper) | |
445 | return NF_ACCEPT; | |
446 | ||
447 | switch (proto) { | |
448 | case NFPROTO_IPV4: | |
449 | protoff = ip_hdrlen(skb); | |
450 | break; | |
451 | case NFPROTO_IPV6: { | |
11251c17 | 452 | __be16 frag_off; |
c05e2094 | 453 | int ofs; |
11251c17 | 454 | |
4cc85f28 | 455 | nexthdr = ipv6_hdr(skb)->nexthdr; |
c05e2094 JS |
456 | ofs = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr, |
457 | &frag_off); | |
458 | if (ofs < 0 || (frag_off & htons(~0x7)) != 0) { | |
11251c17 JS |
459 | pr_debug("proto header not found\n"); |
460 | return NF_ACCEPT; | |
461 | } | |
c05e2094 | 462 | protoff = ofs; |
11251c17 JS |
463 | break; |
464 | } | |
465 | default: | |
466 | WARN_ONCE(1, "helper invoked on non-IP family!"); | |
467 | return NF_DROP; | |
468 | } | |
469 | ||
4cc85f28 JR |
470 | #if LINUX_VERSION_CODE < KERNEL_VERSION(4,6,0) |
471 | /* Linux 4.5 and older depend on skb_dst being set when recalculating | |
472 | * checksums after NAT helper has mangled TCP or UDP packet payload. | |
3d47fa46 JH |
473 | * skb_dst is cast to a rtable struct and the flags examined. |
474 | * Forcing these flags to have RTCF_LOCAL not set ensures checksum mod | |
475 | * is carried out in the same way as kernel versions > 4.5 | |
4cc85f28 | 476 | */ |
3d47fa46 JH |
477 | if (ct->status & IPS_NAT_MASK && skb->ip_summed != CHECKSUM_PARTIAL |
478 | && !skb_dst(skb)) { | |
479 | dst_set = true; | |
480 | skb_dst_set(skb, &rt.dst); | |
4cc85f28 JR |
481 | } |
482 | #endif | |
f8f97cdc JR |
483 | err = helper->help(skb, protoff, ct, ctinfo); |
484 | if (err != NF_ACCEPT) | |
485 | return err; | |
486 | ||
3d47fa46 JH |
487 | #if LINUX_VERSION_CODE < KERNEL_VERSION(4,6,0) |
488 | if (dst_set) | |
489 | skb_dst_set(skb, NULL); | |
490 | #endif | |
491 | ||
f8f97cdc JR |
492 | /* Adjust seqs after helper. This is needed due to some helpers (e.g., |
493 | * FTP with NAT) adusting the TCP payload size when mangling IP | |
494 | * addresses and/or port numbers in the text-based control connection. | |
495 | */ | |
496 | if (test_bit(IPS_SEQ_ADJUST_BIT, &ct->status) && | |
497 | !nf_ct_seq_adjust(skb, ct, ctinfo, protoff)) | |
498 | return NF_DROP; | |
499 | return NF_ACCEPT; | |
11251c17 JS |
500 | } |
501 | ||
c05e2094 JS |
502 | /* Returns 0 on success, -EINPROGRESS if 'skb' is stolen, or other nonzero |
503 | * value if 'skb' is freed. | |
504 | */ | |
a94ebc39 JS |
505 | static int handle_fragments(struct net *net, struct sw_flow_key *key, |
506 | u16 zone, struct sk_buff *skb) | |
507 | { | |
86c2eb45 | 508 | struct ovs_gso_cb ovs_cb = *OVS_GSO_CB(skb); |
2e602ea3 | 509 | int err; |
a94ebc39 | 510 | |
a94ebc39 JS |
511 | if (key->eth.type == htons(ETH_P_IP)) { |
512 | enum ip_defrag_users user = IP_DEFRAG_CONNTRACK_IN + zone; | |
a94ebc39 JS |
513 | |
514 | memset(IPCB(skb), 0, sizeof(struct inet_skb_parm)); | |
39c0ff22 | 515 | err = ip_defrag(net, skb, user); |
a94ebc39 JS |
516 | if (err) |
517 | return err; | |
518 | ||
86c2eb45 | 519 | ovs_cb.dp_cb.mru = IPCB(skb)->frag_max_size; |
a94ebc39 | 520 | #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6) |
c05e2094 | 521 | } else if (key->eth.type == htons(ETH_P_IPV6)) { |
a94ebc39 | 522 | enum ip6_defrag_users user = IP6_DEFRAG_CONNTRACK_IN + zone; |
a94ebc39 JS |
523 | |
524 | memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm)); | |
2e602ea3 | 525 | err = nf_ct_frag6_gather(net, skb, user); |
6b4fe5a9 DDP |
526 | if (err) { |
527 | if (err != -EINPROGRESS) | |
528 | kfree_skb(skb); | |
2e602ea3 | 529 | return err; |
6b4fe5a9 | 530 | } |
a94ebc39 | 531 | |
2e602ea3 | 532 | key->ip.proto = ipv6_hdr(skb)->nexthdr; |
86c2eb45 | 533 | ovs_cb.dp_cb.mru = IP6CB(skb)->frag_max_size; |
a94ebc39 JS |
534 | #endif /* IP frag support */ |
535 | } else { | |
c05e2094 | 536 | kfree_skb(skb); |
a94ebc39 JS |
537 | return -EPFNOSUPPORT; |
538 | } | |
539 | ||
540 | key->ip.frag = OVS_FRAG_TYPE_NONE; | |
541 | skb_clear_hash(skb); | |
542 | skb->ignore_df = 1; | |
86c2eb45 | 543 | *OVS_GSO_CB(skb) = ovs_cb; |
a94ebc39 JS |
544 | |
545 | return 0; | |
546 | } | |
547 | ||
548 | static struct nf_conntrack_expect * | |
549 | ovs_ct_expect_find(struct net *net, const struct nf_conntrack_zone *zone, | |
550 | u16 proto, const struct sk_buff *skb) | |
551 | { | |
552 | struct nf_conntrack_tuple tuple; | |
3618f466 | 553 | struct nf_conntrack_expect *exp; |
a94ebc39 | 554 | |
fa67f8e0 | 555 | if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb), proto, net, &tuple)) |
a94ebc39 | 556 | return NULL; |
3618f466 JR |
557 | |
558 | exp = __nf_ct_expect_find(net, zone, &tuple); | |
559 | if (exp) { | |
560 | struct nf_conntrack_tuple_hash *h; | |
561 | ||
562 | /* Delete existing conntrack entry, if it clashes with the | |
563 | * expectation. This can happen since conntrack ALGs do not | |
564 | * check for clashes between (new) expectations and existing | |
565 | * conntrack entries. nf_conntrack_in() will check the | |
566 | * expectations only if a conntrack entry can not be found, | |
567 | * which can lead to OVS finding the expectation (here) in the | |
568 | * init direction, but which will not be removed by the | |
569 | * nf_conntrack_in() call, if a matching conntrack entry is | |
570 | * found instead. In this case all init direction packets | |
571 | * would be reported as new related packets, while reply | |
572 | * direction packets would be reported as un-related | |
573 | * established packets. | |
574 | */ | |
575 | h = nf_conntrack_find_get(net, zone, &tuple); | |
576 | if (h) { | |
577 | struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h); | |
578 | ||
579 | nf_ct_delete(ct, 0, 0); | |
580 | nf_conntrack_put(&ct->ct_general); | |
581 | } | |
582 | } | |
583 | ||
584 | return exp; | |
a94ebc39 JS |
585 | } |
586 | ||
3dd9e118 JR |
587 | /* This replicates logic from nf_conntrack_core.c that is not exported. */ |
588 | static enum ip_conntrack_info | |
589 | ovs_ct_get_info(const struct nf_conntrack_tuple_hash *h) | |
590 | { | |
591 | const struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h); | |
592 | ||
593 | if (NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY) | |
594 | return IP_CT_ESTABLISHED_REPLY; | |
595 | /* Once we've had two way comms, always ESTABLISHED. */ | |
596 | if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) | |
597 | return IP_CT_ESTABLISHED; | |
598 | if (test_bit(IPS_EXPECTED_BIT, &ct->status)) | |
599 | return IP_CT_RELATED; | |
600 | return IP_CT_NEW; | |
601 | } | |
602 | ||
603 | /* Find an existing connection which this packet belongs to without | |
604 | * re-attributing statistics or modifying the connection state. This allows an | |
e3c42eb8 | 605 | * skb->_nfct lost due to an upcall to be recovered during actions execution. |
3dd9e118 JR |
606 | * |
607 | * Must be called with rcu_read_lock. | |
608 | * | |
e3c42eb8 JR |
609 | * On success, populates skb->_nfct and returns the connection. Returns NULL |
610 | * if there is no existing entry. | |
3dd9e118 JR |
611 | */ |
612 | static struct nf_conn * | |
613 | ovs_ct_find_existing(struct net *net, const struct nf_conntrack_zone *zone, | |
c0324e37 | 614 | u8 l3num, struct sk_buff *skb, bool natted) |
3dd9e118 JR |
615 | { |
616 | struct nf_conntrack_l3proto *l3proto; | |
617 | struct nf_conntrack_l4proto *l4proto; | |
618 | struct nf_conntrack_tuple tuple; | |
619 | struct nf_conntrack_tuple_hash *h; | |
3dd9e118 JR |
620 | struct nf_conn *ct; |
621 | unsigned int dataoff; | |
622 | u8 protonum; | |
623 | ||
624 | l3proto = __nf_ct_l3proto_find(l3num); | |
3dd9e118 JR |
625 | if (l3proto->get_l4proto(skb, skb_network_offset(skb), &dataoff, |
626 | &protonum) <= 0) { | |
627 | pr_debug("ovs_ct_find_existing: Can't get protonum\n"); | |
628 | return NULL; | |
629 | } | |
630 | l4proto = __nf_ct_l4proto_find(l3num, protonum); | |
3dd9e118 JR |
631 | if (!nf_ct_get_tuple(skb, skb_network_offset(skb), dataoff, l3num, |
632 | protonum, net, &tuple, l3proto, l4proto)) { | |
633 | pr_debug("ovs_ct_find_existing: Can't get tuple\n"); | |
634 | return NULL; | |
635 | } | |
636 | ||
c0324e37 JR |
637 | /* Must invert the tuple if skb has been transformed by NAT. */ |
638 | if (natted) { | |
639 | struct nf_conntrack_tuple inverse; | |
640 | ||
641 | if (!nf_ct_invert_tuple(&inverse, &tuple, l3proto, l4proto)) { | |
642 | pr_debug("ovs_ct_find_existing: Inversion failed!\n"); | |
643 | return NULL; | |
644 | } | |
645 | tuple = inverse; | |
646 | } | |
647 | ||
3dd9e118 JR |
648 | /* look for tuple match */ |
649 | h = nf_conntrack_find_get(net, zone, &tuple); | |
650 | if (!h) | |
651 | return NULL; /* Not found. */ | |
652 | ||
653 | ct = nf_ct_tuplehash_to_ctrack(h); | |
654 | ||
c0324e37 JR |
655 | /* Inverted packet tuple matches the reverse direction conntrack tuple, |
656 | * select the other tuplehash to get the right 'ctinfo' bits for this | |
657 | * packet. | |
658 | */ | |
659 | if (natted) | |
660 | h = &ct->tuplehash[!h->tuple.dst.dir]; | |
661 | ||
dfa791b2 | 662 | nf_ct_set(skb, ct, ovs_ct_get_info(h)); |
3dd9e118 JR |
663 | return ct; |
664 | } | |
665 | ||
4e7b535d GR |
666 | static |
667 | struct nf_conn *ovs_ct_executed(struct net *net, | |
668 | const struct sw_flow_key *key, | |
669 | const struct ovs_conntrack_info *info, | |
670 | struct sk_buff *skb, | |
671 | bool *ct_executed) | |
672 | { | |
673 | struct nf_conn *ct = NULL; | |
674 | ||
675 | /* If no ct, check if we have evidence that an existing conntrack entry | |
676 | * might be found for this skb. This happens when we lose a skb->_nfct | |
677 | * due to an upcall, or if the direction is being forced. If the | |
678 | * connection was not confirmed, it is not cached and needs to be run | |
679 | * through conntrack again. | |
680 | */ | |
681 | *ct_executed = (key->ct_state & OVS_CS_F_TRACKED) && | |
682 | !(key->ct_state & OVS_CS_F_INVALID) && | |
683 | (key->ct_zone == info->zone.id); | |
684 | ||
685 | if (*ct_executed || (!key->ct_state && info->force)) { | |
686 | ct = ovs_ct_find_existing(net, &info->zone, info->family, skb, | |
687 | !!(key->ct_state & | |
688 | OVS_CS_F_NAT_MASK)); | |
689 | } | |
690 | ||
691 | return ct; | |
692 | } | |
693 | ||
e3c42eb8 | 694 | /* Determine whether skb->_nfct is equal to the result of conntrack lookup. */ |
3dd9e118 JR |
695 | static bool skb_nfct_cached(struct net *net, |
696 | const struct sw_flow_key *key, | |
697 | const struct ovs_conntrack_info *info, | |
698 | struct sk_buff *skb) | |
a94ebc39 JS |
699 | { |
700 | enum ip_conntrack_info ctinfo; | |
701 | struct nf_conn *ct; | |
4e7b535d | 702 | bool ct_executed = true; |
a94ebc39 JS |
703 | |
704 | ct = nf_ct_get(skb, &ctinfo); | |
705 | if (!ct) | |
4e7b535d GR |
706 | ct = ovs_ct_executed(net, key, info, skb, &ct_executed); |
707 | ||
708 | if (ct) | |
709 | nf_ct_get(skb, &ctinfo); | |
710 | else | |
a94ebc39 | 711 | return false; |
4e7b535d | 712 | |
a94ebc39 JS |
713 | if (!net_eq(net, read_pnet(&ct->ct_net))) |
714 | return false; | |
715 | if (!nf_ct_zone_equal_any(info->ct, nf_ct_zone(ct))) | |
716 | return false; | |
11251c17 JS |
717 | if (info->helper) { |
718 | struct nf_conn_help *help; | |
719 | ||
720 | help = nf_ct_ext_find(ct, NF_CT_EXT_HELPER); | |
721 | if (help && rcu_access_pointer(help->helper) != info->helper) | |
722 | return false; | |
723 | } | |
b80e259f JR |
724 | /* Force conntrack entry direction to the current packet? */ |
725 | if (info->force && CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL) { | |
726 | /* Delete the conntrack entry if confirmed, else just release | |
727 | * the reference. | |
728 | */ | |
729 | if (nf_ct_is_confirmed(ct)) | |
730 | nf_ct_delete(ct, 0, 0); | |
ceb0a8a9 JR |
731 | |
732 | nf_conntrack_put(&ct->ct_general); | |
b80e259f JR |
733 | nf_ct_set(skb, NULL, 0); |
734 | return false; | |
735 | } | |
a94ebc39 | 736 | |
4e7b535d | 737 | return ct_executed; |
a94ebc39 JS |
738 | } |
739 | ||
f8f97cdc JR |
740 | #ifdef CONFIG_NF_NAT_NEEDED |
741 | /* Modelled after nf_nat_ipv[46]_fn(). | |
742 | * range is only used for new, uninitialized NAT state. | |
743 | * Returns either NF_ACCEPT or NF_DROP. | |
744 | */ | |
745 | static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, | |
746 | enum ip_conntrack_info ctinfo, | |
747 | const struct nf_nat_range *range, | |
748 | enum nf_nat_manip_type maniptype) | |
749 | { | |
750 | int hooknum, nh_off, err = NF_ACCEPT; | |
751 | ||
752 | nh_off = skb_network_offset(skb); | |
073c7b86 | 753 | skb_pull_rcsum(skb, nh_off); |
f8f97cdc JR |
754 | |
755 | /* See HOOK2MANIP(). */ | |
756 | if (maniptype == NF_NAT_MANIP_SRC) | |
757 | hooknum = NF_INET_LOCAL_IN; /* Source NAT */ | |
758 | else | |
759 | hooknum = NF_INET_LOCAL_OUT; /* Destination NAT */ | |
760 | ||
761 | switch (ctinfo) { | |
762 | case IP_CT_RELATED: | |
763 | case IP_CT_RELATED_REPLY: | |
90b01477 AB |
764 | if (IS_ENABLED(CONFIG_NF_NAT_IPV4) && |
765 | skb->protocol == htons(ETH_P_IP) && | |
f8f97cdc JR |
766 | ip_hdr(skb)->protocol == IPPROTO_ICMP) { |
767 | if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo, | |
768 | hooknum)) | |
769 | err = NF_DROP; | |
770 | goto push; | |
90b01477 AB |
771 | } else if (IS_ENABLED(CONFIG_NF_NAT_IPV6) && |
772 | skb->protocol == htons(ETH_P_IPV6)) { | |
f8f97cdc JR |
773 | __be16 frag_off; |
774 | u8 nexthdr = ipv6_hdr(skb)->nexthdr; | |
775 | int hdrlen = ipv6_skip_exthdr(skb, | |
776 | sizeof(struct ipv6hdr), | |
777 | &nexthdr, &frag_off); | |
778 | ||
779 | if (hdrlen >= 0 && nexthdr == IPPROTO_ICMPV6) { | |
780 | if (!nf_nat_icmpv6_reply_translation(skb, ct, | |
781 | ctinfo, | |
782 | hooknum, | |
783 | hdrlen)) | |
784 | err = NF_DROP; | |
785 | goto push; | |
786 | } | |
f8f97cdc JR |
787 | } |
788 | /* Non-ICMP, fall thru to initialize if needed. */ | |
789 | case IP_CT_NEW: | |
790 | /* Seen it before? This can happen for loopback, retrans, | |
791 | * or local packets. | |
792 | */ | |
793 | if (!nf_nat_initialized(ct, maniptype)) { | |
794 | /* Initialize according to the NAT action. */ | |
795 | err = (range && range->flags & NF_NAT_RANGE_MAP_IPS) | |
796 | /* Action is set up to establish a new | |
797 | * mapping. | |
798 | */ | |
799 | ? nf_nat_setup_info(ct, range, maniptype) | |
800 | : nf_nat_alloc_null_binding(ct, hooknum); | |
801 | if (err != NF_ACCEPT) | |
802 | goto push; | |
803 | } | |
804 | break; | |
805 | ||
806 | case IP_CT_ESTABLISHED: | |
807 | case IP_CT_ESTABLISHED_REPLY: | |
808 | break; | |
809 | ||
810 | default: | |
811 | err = NF_DROP; | |
812 | goto push; | |
813 | } | |
814 | ||
815 | err = nf_nat_packet(ct, ctinfo, hooknum, skb); | |
816 | push: | |
817 | skb_push(skb, nh_off); | |
073c7b86 | 818 | skb_postpush_rcsum(skb, skb->data, nh_off); |
f8f97cdc JR |
819 | |
820 | return err; | |
821 | } | |
822 | ||
823 | static void ovs_nat_update_key(struct sw_flow_key *key, | |
824 | const struct sk_buff *skb, | |
825 | enum nf_nat_manip_type maniptype) | |
826 | { | |
827 | if (maniptype == NF_NAT_MANIP_SRC) { | |
828 | __be16 src; | |
829 | ||
1963a885 | 830 | key->ct_state |= OVS_CS_F_SRC_NAT; |
f8f97cdc JR |
831 | if (key->eth.type == htons(ETH_P_IP)) |
832 | key->ipv4.addr.src = ip_hdr(skb)->saddr; | |
833 | else if (key->eth.type == htons(ETH_P_IPV6)) | |
834 | memcpy(&key->ipv6.addr.src, &ipv6_hdr(skb)->saddr, | |
835 | sizeof(key->ipv6.addr.src)); | |
836 | else | |
837 | return; | |
838 | ||
839 | if (key->ip.proto == IPPROTO_UDP) | |
840 | src = udp_hdr(skb)->source; | |
841 | else if (key->ip.proto == IPPROTO_TCP) | |
842 | src = tcp_hdr(skb)->source; | |
843 | else if (key->ip.proto == IPPROTO_SCTP) | |
844 | src = sctp_hdr(skb)->source; | |
845 | else | |
846 | return; | |
847 | ||
848 | key->tp.src = src; | |
849 | } else { | |
850 | __be16 dst; | |
851 | ||
1963a885 | 852 | key->ct_state |= OVS_CS_F_DST_NAT; |
f8f97cdc JR |
853 | if (key->eth.type == htons(ETH_P_IP)) |
854 | key->ipv4.addr.dst = ip_hdr(skb)->daddr; | |
855 | else if (key->eth.type == htons(ETH_P_IPV6)) | |
856 | memcpy(&key->ipv6.addr.dst, &ipv6_hdr(skb)->daddr, | |
857 | sizeof(key->ipv6.addr.dst)); | |
858 | else | |
859 | return; | |
860 | ||
861 | if (key->ip.proto == IPPROTO_UDP) | |
862 | dst = udp_hdr(skb)->dest; | |
863 | else if (key->ip.proto == IPPROTO_TCP) | |
864 | dst = tcp_hdr(skb)->dest; | |
865 | else if (key->ip.proto == IPPROTO_SCTP) | |
866 | dst = sctp_hdr(skb)->dest; | |
867 | else | |
868 | return; | |
869 | ||
870 | key->tp.dst = dst; | |
871 | } | |
872 | } | |
873 | ||
874 | /* Returns NF_DROP if the packet should be dropped, NF_ACCEPT otherwise. */ | |
875 | static int ovs_ct_nat(struct net *net, struct sw_flow_key *key, | |
876 | const struct ovs_conntrack_info *info, | |
877 | struct sk_buff *skb, struct nf_conn *ct, | |
878 | enum ip_conntrack_info ctinfo) | |
879 | { | |
880 | enum nf_nat_manip_type maniptype; | |
881 | int err; | |
882 | ||
56ec5593 | 883 | #ifdef HAVE_NF_CT_IS_UNTRACKED |
f8f97cdc JR |
884 | if (nf_ct_is_untracked(ct)) { |
885 | /* A NAT action may only be performed on tracked packets. */ | |
886 | return NF_ACCEPT; | |
887 | } | |
56ec5593 | 888 | #endif /* HAVE_NF_CT_IS_UNTRACKED */ |
f8f97cdc JR |
889 | |
890 | /* Add NAT extension if not confirmed yet. */ | |
891 | if (!nf_ct_is_confirmed(ct) && !nf_ct_nat_ext_add(ct)) | |
892 | return NF_ACCEPT; /* Can't NAT. */ | |
893 | ||
894 | /* Determine NAT type. | |
895 | * Check if the NAT type can be deduced from the tracked connection. | |
d2e8b514 JR |
896 | * Make sure new expected connections (IP_CT_RELATED) are NATted only |
897 | * when committing. | |
f8f97cdc JR |
898 | */ |
899 | if (info->nat & OVS_CT_NAT && ctinfo != IP_CT_NEW && | |
900 | ct->status & IPS_NAT_MASK && | |
d2e8b514 | 901 | (ctinfo != IP_CT_RELATED || info->commit)) { |
f8f97cdc JR |
902 | /* NAT an established or related connection like before. */ |
903 | if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) | |
904 | /* This is the REPLY direction for a connection | |
905 | * for which NAT was applied in the forward | |
906 | * direction. Do the reverse NAT. | |
907 | */ | |
908 | maniptype = ct->status & IPS_SRC_NAT | |
909 | ? NF_NAT_MANIP_DST : NF_NAT_MANIP_SRC; | |
910 | else | |
911 | maniptype = ct->status & IPS_SRC_NAT | |
912 | ? NF_NAT_MANIP_SRC : NF_NAT_MANIP_DST; | |
913 | } else if (info->nat & OVS_CT_SRC_NAT) { | |
914 | maniptype = NF_NAT_MANIP_SRC; | |
915 | } else if (info->nat & OVS_CT_DST_NAT) { | |
916 | maniptype = NF_NAT_MANIP_DST; | |
917 | } else { | |
918 | return NF_ACCEPT; /* Connection is not NATed. */ | |
919 | } | |
920 | err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range, maniptype); | |
921 | ||
922 | /* Mark NAT done if successful and update the flow key. */ | |
923 | if (err == NF_ACCEPT) | |
924 | ovs_nat_update_key(key, skb, maniptype); | |
925 | ||
926 | return err; | |
927 | } | |
928 | #else /* !CONFIG_NF_NAT_NEEDED */ | |
929 | static int ovs_ct_nat(struct net *net, struct sw_flow_key *key, | |
930 | const struct ovs_conntrack_info *info, | |
931 | struct sk_buff *skb, struct nf_conn *ct, | |
932 | enum ip_conntrack_info ctinfo) | |
933 | { | |
934 | return NF_ACCEPT; | |
935 | } | |
936 | #endif | |
937 | ||
b0f251cd | 938 | /* Pass 'skb' through conntrack in 'net', using zone configured in 'info', if |
a04a5794 JR |
939 | * not done already. Update key with new CT state after passing the packet |
940 | * through conntrack. | |
e3c42eb8 | 941 | * Note that if the packet is deemed invalid by conntrack, skb->_nfct will be |
b0f251cd JR |
942 | * set to NULL and 0 will be returned. |
943 | */ | |
c05e2094 | 944 | static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, |
a94ebc39 JS |
945 | const struct ovs_conntrack_info *info, |
946 | struct sk_buff *skb) | |
947 | { | |
948 | /* If we are recirculating packets to match on conntrack fields and | |
949 | * committing with a separate conntrack action, then we don't need to | |
950 | * actually run the packet through conntrack twice unless it's for a | |
951 | * different zone. | |
952 | */ | |
b21d237e JR |
953 | bool cached = skb_nfct_cached(net, key, info, skb); |
954 | enum ip_conntrack_info ctinfo; | |
955 | struct nf_conn *ct; | |
956 | ||
957 | if (!cached) { | |
a94ebc39 | 958 | struct nf_conn *tmpl = info->ct; |
9bf67b92 | 959 | int err; |
a94ebc39 JS |
960 | |
961 | /* Associate skb with specified zone. */ | |
962 | if (tmpl) { | |
d3c313c1 FW |
963 | if (skb_nfct(skb)) |
964 | nf_conntrack_put(skb_nfct(skb)); | |
a94ebc39 | 965 | nf_conntrack_get(&tmpl->ct_general); |
dfa791b2 | 966 | nf_ct_set(skb, tmpl, IP_CT_NEW); |
a94ebc39 JS |
967 | } |
968 | ||
a6d28f7c PNA |
969 | err = nf_conntrack_in(net, info->family, |
970 | NF_INET_PRE_ROUTING, skb); | |
9bf67b92 | 971 | if (err != NF_ACCEPT) |
a94ebc39 | 972 | return -ENOENT; |
11251c17 | 973 | |
f8f97cdc JR |
974 | /* Clear CT state NAT flags to mark that we have not yet done |
975 | * NAT after the nf_conntrack_in() call. We can actually clear | |
976 | * the whole state, as it will be re-initialized below. | |
977 | */ | |
1963a885 | 978 | key->ct_state = 0; |
f8f97cdc JR |
979 | |
980 | /* Update the key, but keep the NAT flags. */ | |
981 | ovs_ct_update_key(skb, info, key, true, true); | |
b21d237e | 982 | } |
a04a5794 | 983 | |
b21d237e | 984 | ct = nf_ct_get(skb, &ctinfo); |
f8f97cdc JR |
985 | if (ct) { |
986 | /* Packets starting a new connection must be NATted before the | |
987 | * helper, so that the helper knows about the NAT. We enforce | |
988 | * this by delaying both NAT and helper calls for unconfirmed | |
989 | * connections until the committing CT action. For later | |
990 | * packets NAT and Helper may be called in either order. | |
991 | * | |
992 | * NAT will be done only if the CT action has NAT, and only | |
993 | * once per packet (per zone), as guarded by the NAT bits in | |
1963a885 | 994 | * the key->ct_state. |
f8f97cdc | 995 | */ |
1963a885 | 996 | if (info->nat && !(key->ct_state & OVS_CS_F_NAT_MASK) && |
f8f97cdc JR |
997 | (nf_ct_is_confirmed(ct) || info->commit) && |
998 | ovs_ct_nat(net, key, info, skb, ct, ctinfo) != NF_ACCEPT) { | |
999 | return -EINVAL; | |
1000 | } | |
1001 | ||
b87a5aac JS |
1002 | /* Userspace may decide to perform a ct lookup without a helper |
1003 | * specified followed by a (recirculate and) commit with one. | |
1004 | * Therefore, for unconfirmed connections which we will commit, | |
1005 | * we need to attach the helper here. | |
1006 | */ | |
1007 | if (!nf_ct_is_confirmed(ct) && info->commit && | |
1008 | info->helper && !nfct_help(ct)) { | |
1009 | int err = __nf_ct_try_assign_helper(ct, info->ct, | |
1010 | GFP_ATOMIC); | |
1011 | if (err) | |
1012 | return err; | |
1013 | } | |
1014 | ||
f8f97cdc JR |
1015 | /* Call the helper only if: |
1016 | * - nf_conntrack_in() was executed above ("!cached") for a | |
1017 | * confirmed connection, or | |
1018 | * - When committing an unconfirmed connection. | |
1019 | */ | |
1020 | if ((nf_ct_is_confirmed(ct) ? !cached : info->commit) && | |
1021 | ovs_ct_helper(skb, info->family) != NF_ACCEPT) { | |
1022 | return -EINVAL; | |
1023 | } | |
a94ebc39 JS |
1024 | } |
1025 | ||
1026 | return 0; | |
1027 | } | |
1028 | ||
1029 | /* Lookup connection and read fields into key. */ | |
1030 | static int ovs_ct_lookup(struct net *net, struct sw_flow_key *key, | |
1031 | const struct ovs_conntrack_info *info, | |
1032 | struct sk_buff *skb) | |
1033 | { | |
1034 | struct nf_conntrack_expect *exp; | |
1035 | ||
b0f251cd JR |
1036 | /* If we pass an expected packet through nf_conntrack_in() the |
1037 | * expectation is typically removed, but the packet could still be | |
1038 | * lost in upcall processing. To prevent this from happening we | |
1039 | * perform an explicit expectation lookup. Expected connections are | |
1040 | * always new, and will be passed through conntrack only when they are | |
1041 | * committed, as it is OK to remove the expectation at that time. | |
1042 | */ | |
a94ebc39 JS |
1043 | exp = ovs_ct_expect_find(net, &info->zone, info->family, skb); |
1044 | if (exp) { | |
1045 | u8 state; | |
1046 | ||
f8f97cdc JR |
1047 | /* NOTE: New connections are NATted and Helped only when |
1048 | * committed, so we are not calling into NAT here. | |
1049 | */ | |
a94ebc39 | 1050 | state = OVS_CS_F_TRACKED | OVS_CS_F_NEW | OVS_CS_F_RELATED; |
372ce973 | 1051 | __ovs_ct_update_key(key, state, &info->zone, exp->master); |
f325530e PS |
1052 | } else { |
1053 | struct nf_conn *ct; | |
1054 | int err; | |
1055 | ||
1056 | err = __ovs_ct_lookup(net, key, info, skb); | |
1057 | if (err) | |
1058 | return err; | |
1059 | ||
d3c313c1 | 1060 | ct = (struct nf_conn *)skb_nfct(skb); |
f325530e PS |
1061 | if (ct) |
1062 | nf_ct_deliver_cached_events(ct); | |
1063 | } | |
a94ebc39 JS |
1064 | |
1065 | return 0; | |
1066 | } | |
1067 | ||
c05e2094 | 1068 | static bool labels_nonzero(const struct ovs_key_ct_labels *labels) |
038e34ab JS |
1069 | { |
1070 | size_t i; | |
1071 | ||
83495bd9 JR |
1072 | for (i = 0; i < OVS_CT_LABELS_LEN_32; i++) |
1073 | if (labels->ct_labels_32[i]) | |
038e34ab JS |
1074 | return true; |
1075 | ||
1076 | return false; | |
1077 | } | |
1078 | ||
39a6542b JR |
1079 | /* Lookup connection and confirm if unconfirmed. */ |
1080 | static int ovs_ct_commit(struct net *net, struct sw_flow_key *key, | |
1081 | const struct ovs_conntrack_info *info, | |
1082 | struct sk_buff *skb) | |
1083 | { | |
efd40994 JR |
1084 | enum ip_conntrack_info ctinfo; |
1085 | struct nf_conn *ct; | |
39a6542b JR |
1086 | int err; |
1087 | ||
1088 | err = __ovs_ct_lookup(net, key, info, skb); | |
1089 | if (err) | |
1090 | return err; | |
1091 | ||
efd40994 JR |
1092 | /* The connection could be invalid, in which case this is a no-op.*/ |
1093 | ct = nf_ct_get(skb, &ctinfo); | |
1094 | if (!ct) | |
1095 | return 0; | |
1096 | ||
8e83854c JR |
1097 | /* Set the conntrack event mask if given. NEW and DELETE events have |
1098 | * their own groups, but the NFNLGRP_CONNTRACK_UPDATE group listener | |
1099 | * typically would receive many kinds of updates. Setting the event | |
1100 | * mask allows those events to be filtered. The set event mask will | |
1101 | * remain in effect for the lifetime of the connection unless changed | |
1102 | * by a further CT action with both the commit flag and the eventmask | |
1103 | * option. */ | |
1104 | if (info->have_eventmask) { | |
1105 | struct nf_conntrack_ecache *cache = nf_ct_ecache_find(ct); | |
1106 | ||
1107 | if (cache) | |
1108 | cache->ctmask = info->eventmask; | |
1109 | } | |
1110 | ||
39a6542b JR |
1111 | /* Apply changes before confirming the connection so that the initial |
1112 | * conntrack NEW netlink event carries the values given in the CT | |
1113 | * action. | |
1114 | */ | |
1115 | if (info->mark.mask) { | |
efd40994 | 1116 | err = ovs_ct_set_mark(ct, key, info->mark.value, |
39a6542b JR |
1117 | info->mark.mask); |
1118 | if (err) | |
1119 | return err; | |
1120 | } | |
7162cae4 JR |
1121 | if (!nf_ct_is_confirmed(ct)) { |
1122 | err = ovs_ct_init_labels(ct, key, &info->labels.value, | |
1123 | &info->labels.mask); | |
1124 | if (err) | |
1125 | return err; | |
1126 | } else if (labels_nonzero(&info->labels.mask)) { | |
1127 | err = ovs_ct_set_labels(ct, key, &info->labels.value, | |
1128 | &info->labels.mask); | |
39a6542b JR |
1129 | if (err) |
1130 | return err; | |
1131 | } | |
1132 | /* This will take care of sending queued events even if the connection | |
1133 | * is already confirmed. | |
1134 | */ | |
1135 | if (nf_conntrack_confirm(skb) != NF_ACCEPT) | |
1136 | return -EINVAL; | |
1137 | ||
1138 | return 0; | |
1139 | } | |
1140 | ||
c05e2094 JS |
1141 | /* Returns 0 on success, -EINPROGRESS if 'skb' is stolen, or other nonzero |
1142 | * value if 'skb' is freed. | |
1143 | */ | |
a94ebc39 JS |
1144 | int ovs_ct_execute(struct net *net, struct sk_buff *skb, |
1145 | struct sw_flow_key *key, | |
1146 | const struct ovs_conntrack_info *info) | |
1147 | { | |
1148 | int nh_ofs; | |
1149 | int err; | |
1150 | ||
1151 | /* The conntrack module expects to be working at L3. */ | |
1152 | nh_ofs = skb_network_offset(skb); | |
073c7b86 | 1153 | skb_pull_rcsum(skb, nh_ofs); |
a94ebc39 JS |
1154 | |
1155 | if (key->ip.frag != OVS_FRAG_TYPE_NONE) { | |
1156 | err = handle_fragments(net, key, info->zone.id, skb); | |
1157 | if (err) | |
1158 | return err; | |
1159 | } | |
1160 | ||
c05e2094 | 1161 | if (info->commit) |
39a6542b | 1162 | err = ovs_ct_commit(net, key, info, skb); |
a94ebc39 JS |
1163 | else |
1164 | err = ovs_ct_lookup(net, key, info, skb); | |
1165 | ||
1166 | skb_push(skb, nh_ofs); | |
073c7b86 | 1167 | skb_postpush_rcsum(skb, skb->data, nh_ofs); |
c05e2094 JS |
1168 | if (err) |
1169 | kfree_skb(skb); | |
a94ebc39 JS |
1170 | return err; |
1171 | } | |
1172 | ||
11251c17 JS |
1173 | static int ovs_ct_add_helper(struct ovs_conntrack_info *info, const char *name, |
1174 | const struct sw_flow_key *key, bool log) | |
1175 | { | |
1176 | struct nf_conntrack_helper *helper; | |
1177 | struct nf_conn_help *help; | |
1178 | ||
1179 | helper = nf_conntrack_helper_try_module_get(name, info->family, | |
1180 | key->ip.proto); | |
1181 | if (!helper) { | |
1182 | OVS_NLERR(log, "Unknown helper \"%s\"", name); | |
1183 | return -EINVAL; | |
1184 | } | |
1185 | ||
1186 | help = nf_ct_helper_ext_add(info->ct, helper, GFP_KERNEL); | |
1187 | if (!help) { | |
ac8e3c6d | 1188 | nf_conntrack_helper_put(helper); |
11251c17 JS |
1189 | return -ENOMEM; |
1190 | } | |
1191 | ||
1192 | rcu_assign_pointer(help->helper, helper); | |
1193 | info->helper = helper; | |
1194 | return 0; | |
1195 | } | |
1196 | ||
f8f97cdc JR |
1197 | #ifdef CONFIG_NF_NAT_NEEDED |
1198 | static int parse_nat(const struct nlattr *attr, | |
1199 | struct ovs_conntrack_info *info, bool log) | |
1200 | { | |
1201 | struct nlattr *a; | |
1202 | int rem; | |
1203 | bool have_ip_max = false; | |
1204 | bool have_proto_max = false; | |
1205 | bool ip_vers = (info->family == NFPROTO_IPV6); | |
1206 | ||
1207 | nla_for_each_nested(a, attr, rem) { | |
1208 | static const int ovs_nat_attr_lens[OVS_NAT_ATTR_MAX + 1][2] = { | |
1209 | [OVS_NAT_ATTR_SRC] = {0, 0}, | |
1210 | [OVS_NAT_ATTR_DST] = {0, 0}, | |
1211 | [OVS_NAT_ATTR_IP_MIN] = {sizeof(struct in_addr), | |
1212 | sizeof(struct in6_addr)}, | |
1213 | [OVS_NAT_ATTR_IP_MAX] = {sizeof(struct in_addr), | |
1214 | sizeof(struct in6_addr)}, | |
1215 | [OVS_NAT_ATTR_PROTO_MIN] = {sizeof(u16), sizeof(u16)}, | |
1216 | [OVS_NAT_ATTR_PROTO_MAX] = {sizeof(u16), sizeof(u16)}, | |
1217 | [OVS_NAT_ATTR_PERSISTENT] = {0, 0}, | |
1218 | [OVS_NAT_ATTR_PROTO_HASH] = {0, 0}, | |
1219 | [OVS_NAT_ATTR_PROTO_RANDOM] = {0, 0}, | |
1220 | }; | |
1221 | int type = nla_type(a); | |
1222 | ||
1223 | if (type > OVS_NAT_ATTR_MAX) { | |
1224 | OVS_NLERR(log, | |
1225 | "Unknown NAT attribute (type=%d, max=%d).\n", | |
1226 | type, OVS_NAT_ATTR_MAX); | |
1227 | return -EINVAL; | |
1228 | } | |
1229 | ||
1230 | if (nla_len(a) != ovs_nat_attr_lens[type][ip_vers]) { | |
1231 | OVS_NLERR(log, | |
1232 | "NAT attribute type %d has unexpected length (%d != %d).\n", | |
1233 | type, nla_len(a), | |
1234 | ovs_nat_attr_lens[type][ip_vers]); | |
1235 | return -EINVAL; | |
1236 | } | |
1237 | ||
1238 | switch (type) { | |
1239 | case OVS_NAT_ATTR_SRC: | |
1240 | case OVS_NAT_ATTR_DST: | |
1241 | if (info->nat) { | |
1242 | OVS_NLERR(log, | |
1243 | "Only one type of NAT may be specified.\n" | |
1244 | ); | |
1245 | return -ERANGE; | |
1246 | } | |
1247 | info->nat |= OVS_CT_NAT; | |
1248 | info->nat |= ((type == OVS_NAT_ATTR_SRC) | |
1249 | ? OVS_CT_SRC_NAT : OVS_CT_DST_NAT); | |
1250 | break; | |
1251 | ||
1252 | case OVS_NAT_ATTR_IP_MIN: | |
70e71d27 HY |
1253 | nla_memcpy(&info->range.min_addr, a, |
1254 | sizeof(info->range.min_addr)); | |
f8f97cdc JR |
1255 | info->range.flags |= NF_NAT_RANGE_MAP_IPS; |
1256 | break; | |
1257 | ||
1258 | case OVS_NAT_ATTR_IP_MAX: | |
1259 | have_ip_max = true; | |
1260 | nla_memcpy(&info->range.max_addr, a, | |
1261 | sizeof(info->range.max_addr)); | |
1262 | info->range.flags |= NF_NAT_RANGE_MAP_IPS; | |
1263 | break; | |
1264 | ||
1265 | case OVS_NAT_ATTR_PROTO_MIN: | |
1266 | info->range.min_proto.all = htons(nla_get_u16(a)); | |
1267 | info->range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED; | |
1268 | break; | |
1269 | ||
1270 | case OVS_NAT_ATTR_PROTO_MAX: | |
1271 | have_proto_max = true; | |
1272 | info->range.max_proto.all = htons(nla_get_u16(a)); | |
1273 | info->range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED; | |
1274 | break; | |
1275 | ||
1276 | case OVS_NAT_ATTR_PERSISTENT: | |
1277 | info->range.flags |= NF_NAT_RANGE_PERSISTENT; | |
1278 | break; | |
1279 | ||
1280 | case OVS_NAT_ATTR_PROTO_HASH: | |
1281 | info->range.flags |= NF_NAT_RANGE_PROTO_RANDOM; | |
1282 | break; | |
1283 | ||
1284 | case OVS_NAT_ATTR_PROTO_RANDOM: | |
9f1de150 | 1285 | #ifdef NF_NAT_RANGE_PROTO_RANDOM_FULLY |
f8f97cdc | 1286 | info->range.flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY; |
9f1de150 JR |
1287 | #else |
1288 | info->range.flags |= NF_NAT_RANGE_PROTO_RANDOM; | |
1289 | info->random_fully_compat = true; | |
1290 | #endif | |
f8f97cdc JR |
1291 | break; |
1292 | ||
1293 | default: | |
1294 | OVS_NLERR(log, "Unknown nat attribute (%d).\n", type); | |
1295 | return -EINVAL; | |
1296 | } | |
1297 | } | |
1298 | ||
1299 | if (rem > 0) { | |
1300 | OVS_NLERR(log, "NAT attribute has %d unknown bytes.\n", rem); | |
1301 | return -EINVAL; | |
1302 | } | |
1303 | if (!info->nat) { | |
1304 | /* Do not allow flags if no type is given. */ | |
1305 | if (info->range.flags) { | |
1306 | OVS_NLERR(log, | |
1307 | "NAT flags may be given only when NAT range (SRC or DST) is also specified.\n" | |
1308 | ); | |
1309 | return -EINVAL; | |
1310 | } | |
1311 | info->nat = OVS_CT_NAT; /* NAT existing connections. */ | |
1312 | } else if (!info->commit) { | |
1313 | OVS_NLERR(log, | |
1314 | "NAT attributes may be specified only when CT COMMIT flag is also specified.\n" | |
1315 | ); | |
1316 | return -EINVAL; | |
1317 | } | |
1318 | /* Allow missing IP_MAX. */ | |
1319 | if (info->range.flags & NF_NAT_RANGE_MAP_IPS && !have_ip_max) { | |
1320 | memcpy(&info->range.max_addr, &info->range.min_addr, | |
1321 | sizeof(info->range.max_addr)); | |
1322 | } | |
1323 | /* Allow missing PROTO_MAX. */ | |
1324 | if (info->range.flags & NF_NAT_RANGE_PROTO_SPECIFIED && | |
1325 | !have_proto_max) { | |
1326 | info->range.max_proto.all = info->range.min_proto.all; | |
1327 | } | |
1328 | return 0; | |
1329 | } | |
1330 | #endif | |
1331 | ||
a94ebc39 | 1332 | static const struct ovs_ct_len_tbl ovs_ct_attr_lens[OVS_CT_ATTR_MAX + 1] = { |
c05e2094 | 1333 | [OVS_CT_ATTR_COMMIT] = { .minlen = 0, .maxlen = 0 }, |
b80e259f | 1334 | [OVS_CT_ATTR_FORCE_COMMIT] = { .minlen = 0, .maxlen = 0 }, |
a94ebc39 JS |
1335 | [OVS_CT_ATTR_ZONE] = { .minlen = sizeof(u16), |
1336 | .maxlen = sizeof(u16) }, | |
372ce973 JS |
1337 | [OVS_CT_ATTR_MARK] = { .minlen = sizeof(struct md_mark), |
1338 | .maxlen = sizeof(struct md_mark) }, | |
c05e2094 JS |
1339 | [OVS_CT_ATTR_LABELS] = { .minlen = sizeof(struct md_labels), |
1340 | .maxlen = sizeof(struct md_labels) }, | |
11251c17 | 1341 | [OVS_CT_ATTR_HELPER] = { .minlen = 1, |
f8f97cdc JR |
1342 | .maxlen = NF_CT_HELPER_NAME_LEN }, |
1343 | #ifdef CONFIG_NF_NAT_NEEDED | |
1344 | /* NAT length is checked when parsing the nested attributes. */ | |
1345 | [OVS_CT_ATTR_NAT] = { .minlen = 0, .maxlen = INT_MAX }, | |
1346 | #endif | |
8e83854c JR |
1347 | [OVS_CT_ATTR_EVENTMASK] = { .minlen = sizeof(u32), |
1348 | .maxlen = sizeof(u32) }, | |
a94ebc39 JS |
1349 | }; |
1350 | ||
1351 | static int parse_ct(const struct nlattr *attr, struct ovs_conntrack_info *info, | |
11251c17 | 1352 | const char **helper, bool log) |
a94ebc39 JS |
1353 | { |
1354 | struct nlattr *a; | |
1355 | int rem; | |
1356 | ||
1357 | nla_for_each_nested(a, attr, rem) { | |
1358 | int type = nla_type(a); | |
fb296f42 GR |
1359 | int maxlen; |
1360 | int minlen; | |
a94ebc39 JS |
1361 | |
1362 | if (type > OVS_CT_ATTR_MAX) { | |
1363 | OVS_NLERR(log, | |
1364 | "Unknown conntrack attr (type=%d, max=%d)", | |
1365 | type, OVS_CT_ATTR_MAX); | |
1366 | return -EINVAL; | |
1367 | } | |
fb296f42 GR |
1368 | |
1369 | maxlen = ovs_ct_attr_lens[type].maxlen; | |
1370 | minlen = ovs_ct_attr_lens[type].minlen; | |
a94ebc39 JS |
1371 | if (nla_len(a) < minlen || nla_len(a) > maxlen) { |
1372 | OVS_NLERR(log, | |
1373 | "Conntrack attr type has unexpected length (type=%d, length=%d, expected=%d)", | |
1374 | type, nla_len(a), maxlen); | |
1375 | return -EINVAL; | |
1376 | } | |
1377 | ||
1378 | switch (type) { | |
b80e259f JR |
1379 | case OVS_CT_ATTR_FORCE_COMMIT: |
1380 | info->force = true; | |
1381 | /* fall through. */ | |
c05e2094 JS |
1382 | case OVS_CT_ATTR_COMMIT: |
1383 | info->commit = true; | |
a94ebc39 JS |
1384 | break; |
1385 | #ifdef CONFIG_NF_CONNTRACK_ZONES | |
1386 | case OVS_CT_ATTR_ZONE: | |
1387 | info->zone.id = nla_get_u16(a); | |
1388 | break; | |
372ce973 JS |
1389 | #endif |
1390 | #ifdef CONFIG_NF_CONNTRACK_MARK | |
1391 | case OVS_CT_ATTR_MARK: { | |
1392 | struct md_mark *mark = nla_data(a); | |
1393 | ||
c05e2094 JS |
1394 | if (!mark->mask) { |
1395 | OVS_NLERR(log, "ct_mark mask cannot be 0"); | |
1396 | return -EINVAL; | |
1397 | } | |
372ce973 JS |
1398 | info->mark = *mark; |
1399 | break; | |
1400 | } | |
038e34ab JS |
1401 | #endif |
1402 | #ifdef CONFIG_NF_CONNTRACK_LABELS | |
c05e2094 JS |
1403 | case OVS_CT_ATTR_LABELS: { |
1404 | struct md_labels *labels = nla_data(a); | |
038e34ab | 1405 | |
c05e2094 JS |
1406 | if (!labels_nonzero(&labels->mask)) { |
1407 | OVS_NLERR(log, "ct_labels mask cannot be 0"); | |
1408 | return -EINVAL; | |
1409 | } | |
1410 | info->labels = *labels; | |
038e34ab JS |
1411 | break; |
1412 | } | |
a94ebc39 | 1413 | #endif |
11251c17 JS |
1414 | case OVS_CT_ATTR_HELPER: |
1415 | *helper = nla_data(a); | |
1416 | if (!memchr(*helper, '\0', nla_len(a))) { | |
1417 | OVS_NLERR(log, "Invalid conntrack helper"); | |
1418 | return -EINVAL; | |
1419 | } | |
1420 | break; | |
f8f97cdc JR |
1421 | #ifdef CONFIG_NF_NAT_NEEDED |
1422 | case OVS_CT_ATTR_NAT: { | |
1423 | int err = parse_nat(a, info, log); | |
1424 | ||
1425 | if (err) | |
1426 | return err; | |
1427 | break; | |
1428 | } | |
1429 | #endif | |
8e83854c JR |
1430 | case OVS_CT_ATTR_EVENTMASK: |
1431 | info->have_eventmask = true; | |
1432 | info->eventmask = nla_get_u32(a); | |
1433 | break; | |
1434 | ||
a94ebc39 JS |
1435 | default: |
1436 | OVS_NLERR(log, "Unknown conntrack attr (%d)", | |
1437 | type); | |
1438 | return -EINVAL; | |
1439 | } | |
1440 | } | |
1441 | ||
39a6542b JR |
1442 | #ifdef CONFIG_NF_CONNTRACK_MARK |
1443 | if (!info->commit && info->mark.mask) { | |
1444 | OVS_NLERR(log, | |
1445 | "Setting conntrack mark requires 'commit' flag."); | |
1446 | return -EINVAL; | |
1447 | } | |
1448 | #endif | |
1449 | #ifdef CONFIG_NF_CONNTRACK_LABELS | |
1450 | if (!info->commit && labels_nonzero(&info->labels.mask)) { | |
1451 | OVS_NLERR(log, | |
1452 | "Setting conntrack labels requires 'commit' flag."); | |
1453 | return -EINVAL; | |
1454 | } | |
1455 | #endif | |
a94ebc39 JS |
1456 | if (rem > 0) { |
1457 | OVS_NLERR(log, "Conntrack attr has %d unknown bytes", rem); | |
1458 | return -EINVAL; | |
1459 | } | |
1460 | ||
1461 | return 0; | |
1462 | } | |
1463 | ||
038e34ab | 1464 | bool ovs_ct_verify(struct net *net, enum ovs_key_attr attr) |
a94ebc39 JS |
1465 | { |
1466 | if (attr == OVS_KEY_ATTR_CT_STATE) | |
1467 | return true; | |
1468 | if (IS_ENABLED(CONFIG_NF_CONNTRACK_ZONES) && | |
1469 | attr == OVS_KEY_ATTR_CT_ZONE) | |
1470 | return true; | |
372ce973 JS |
1471 | if (IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) && |
1472 | attr == OVS_KEY_ATTR_CT_MARK) | |
1473 | return true; | |
038e34ab | 1474 | if (IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS) && |
c05e2094 | 1475 | attr == OVS_KEY_ATTR_CT_LABELS) { |
038e34ab JS |
1476 | struct ovs_net *ovs_net = net_generic(net, ovs_net_id); |
1477 | ||
1478 | return ovs_net->xt_label; | |
1479 | } | |
a94ebc39 JS |
1480 | |
1481 | return false; | |
1482 | } | |
1483 | ||
1484 | int ovs_ct_copy_action(struct net *net, const struct nlattr *attr, | |
1485 | const struct sw_flow_key *key, | |
1486 | struct sw_flow_actions **sfa, bool log) | |
1487 | { | |
1488 | struct ovs_conntrack_info ct_info; | |
11251c17 | 1489 | const char *helper = NULL; |
a94ebc39 JS |
1490 | u16 family; |
1491 | int err; | |
1492 | ||
1493 | family = key_to_nfproto(key); | |
1494 | if (family == NFPROTO_UNSPEC) { | |
1495 | OVS_NLERR(log, "ct family unspecified"); | |
1496 | return -EINVAL; | |
1497 | } | |
1498 | ||
1499 | memset(&ct_info, 0, sizeof(ct_info)); | |
1500 | ct_info.family = family; | |
1501 | ||
1502 | nf_ct_zone_init(&ct_info.zone, NF_CT_DEFAULT_ZONE_ID, | |
1503 | NF_CT_DEFAULT_ZONE_DIR, 0); | |
1504 | ||
11251c17 | 1505 | err = parse_ct(attr, &ct_info, &helper, log); |
a94ebc39 JS |
1506 | if (err) |
1507 | return err; | |
1508 | ||
1509 | /* Set up template for tracking connections in specific zones. */ | |
1510 | ct_info.ct = nf_ct_tmpl_alloc(net, &ct_info.zone, GFP_KERNEL); | |
1511 | if (!ct_info.ct) { | |
1512 | OVS_NLERR(log, "Failed to allocate conntrack template"); | |
1513 | return -ENOMEM; | |
1514 | } | |
a3a68d63 JS |
1515 | |
1516 | __set_bit(IPS_CONFIRMED_BIT, &ct_info.ct->status); | |
1517 | nf_conntrack_get(&ct_info.ct->ct_general); | |
1518 | ||
11251c17 JS |
1519 | if (helper) { |
1520 | err = ovs_ct_add_helper(&ct_info, helper, key, log); | |
1521 | if (err) | |
1522 | goto err_free_ct; | |
1523 | } | |
a94ebc39 JS |
1524 | |
1525 | err = ovs_nla_add_action(sfa, OVS_ACTION_ATTR_CT, &ct_info, | |
1526 | sizeof(ct_info), log); | |
1527 | if (err) | |
1528 | goto err_free_ct; | |
1529 | ||
a94ebc39 JS |
1530 | return 0; |
1531 | err_free_ct: | |
11251c17 | 1532 | __ovs_ct_free_action(&ct_info); |
a94ebc39 JS |
1533 | return err; |
1534 | } | |
1535 | ||
f8f97cdc JR |
1536 | #ifdef CONFIG_NF_NAT_NEEDED |
1537 | static bool ovs_ct_nat_to_attr(const struct ovs_conntrack_info *info, | |
1538 | struct sk_buff *skb) | |
1539 | { | |
1540 | struct nlattr *start; | |
1541 | ||
1542 | start = nla_nest_start(skb, OVS_CT_ATTR_NAT); | |
1543 | if (!start) | |
1544 | return false; | |
1545 | ||
1546 | if (info->nat & OVS_CT_SRC_NAT) { | |
1547 | if (nla_put_flag(skb, OVS_NAT_ATTR_SRC)) | |
1548 | return false; | |
1549 | } else if (info->nat & OVS_CT_DST_NAT) { | |
1550 | if (nla_put_flag(skb, OVS_NAT_ATTR_DST)) | |
1551 | return false; | |
1552 | } else { | |
1553 | goto out; | |
1554 | } | |
1555 | ||
1556 | if (info->range.flags & NF_NAT_RANGE_MAP_IPS) { | |
90b01477 AB |
1557 | if (IS_ENABLED(CONFIG_NF_NAT_IPV4) && |
1558 | info->family == NFPROTO_IPV4) { | |
f8f97cdc JR |
1559 | if (nla_put_in_addr(skb, OVS_NAT_ATTR_IP_MIN, |
1560 | info->range.min_addr.ip) || | |
1561 | (info->range.max_addr.ip | |
1562 | != info->range.min_addr.ip && | |
1563 | (nla_put_in_addr(skb, OVS_NAT_ATTR_IP_MAX, | |
1564 | info->range.max_addr.ip)))) | |
1565 | return false; | |
90b01477 AB |
1566 | } else if (IS_ENABLED(CONFIG_NF_NAT_IPV6) && |
1567 | info->family == NFPROTO_IPV6) { | |
f8f97cdc JR |
1568 | if (nla_put_in6_addr(skb, OVS_NAT_ATTR_IP_MIN, |
1569 | &info->range.min_addr.in6) || | |
1570 | (memcmp(&info->range.max_addr.in6, | |
1571 | &info->range.min_addr.in6, | |
1572 | sizeof(info->range.max_addr.in6)) && | |
1573 | (nla_put_in6_addr(skb, OVS_NAT_ATTR_IP_MAX, | |
1574 | &info->range.max_addr.in6)))) | |
1575 | return false; | |
f8f97cdc JR |
1576 | } else { |
1577 | return false; | |
1578 | } | |
1579 | } | |
1580 | if (info->range.flags & NF_NAT_RANGE_PROTO_SPECIFIED && | |
1581 | (nla_put_u16(skb, OVS_NAT_ATTR_PROTO_MIN, | |
1582 | ntohs(info->range.min_proto.all)) || | |
1583 | (info->range.max_proto.all != info->range.min_proto.all && | |
1584 | nla_put_u16(skb, OVS_NAT_ATTR_PROTO_MAX, | |
1585 | ntohs(info->range.max_proto.all))))) | |
1586 | return false; | |
1587 | ||
1588 | if (info->range.flags & NF_NAT_RANGE_PERSISTENT && | |
1589 | nla_put_flag(skb, OVS_NAT_ATTR_PERSISTENT)) | |
1590 | return false; | |
1591 | if (info->range.flags & NF_NAT_RANGE_PROTO_RANDOM && | |
9f1de150 JR |
1592 | nla_put_flag(skb, info->random_fully_compat |
1593 | ? OVS_NAT_ATTR_PROTO_RANDOM | |
1594 | : OVS_NAT_ATTR_PROTO_HASH)) | |
f8f97cdc | 1595 | return false; |
9f1de150 | 1596 | #ifdef NF_NAT_RANGE_PROTO_RANDOM_FULLY |
f8f97cdc JR |
1597 | if (info->range.flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY && |
1598 | nla_put_flag(skb, OVS_NAT_ATTR_PROTO_RANDOM)) | |
1599 | return false; | |
9f1de150 | 1600 | #endif |
f8f97cdc JR |
1601 | out: |
1602 | nla_nest_end(skb, start); | |
1603 | ||
1604 | return true; | |
1605 | } | |
1606 | #endif | |
1607 | ||
a94ebc39 JS |
1608 | int ovs_ct_action_to_attr(const struct ovs_conntrack_info *ct_info, |
1609 | struct sk_buff *skb) | |
1610 | { | |
1611 | struct nlattr *start; | |
1612 | ||
1613 | start = nla_nest_start(skb, OVS_ACTION_ATTR_CT); | |
1614 | if (!start) | |
1615 | return -EMSGSIZE; | |
1616 | ||
b80e259f JR |
1617 | if (ct_info->commit && nla_put_flag(skb, ct_info->force |
1618 | ? OVS_CT_ATTR_FORCE_COMMIT | |
1619 | : OVS_CT_ATTR_COMMIT)) | |
a94ebc39 JS |
1620 | return -EMSGSIZE; |
1621 | if (IS_ENABLED(CONFIG_NF_CONNTRACK_ZONES) && | |
1622 | nla_put_u16(skb, OVS_CT_ATTR_ZONE, ct_info->zone.id)) | |
1623 | return -EMSGSIZE; | |
c05e2094 | 1624 | if (IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) && ct_info->mark.mask && |
372ce973 JS |
1625 | nla_put(skb, OVS_CT_ATTR_MARK, sizeof(ct_info->mark), |
1626 | &ct_info->mark)) | |
1627 | return -EMSGSIZE; | |
038e34ab | 1628 | if (IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS) && |
c05e2094 JS |
1629 | labels_nonzero(&ct_info->labels.mask) && |
1630 | nla_put(skb, OVS_CT_ATTR_LABELS, sizeof(ct_info->labels), | |
1631 | &ct_info->labels)) | |
038e34ab | 1632 | return -EMSGSIZE; |
11251c17 JS |
1633 | if (ct_info->helper) { |
1634 | if (nla_put_string(skb, OVS_CT_ATTR_HELPER, | |
1635 | ct_info->helper->name)) | |
1636 | return -EMSGSIZE; | |
1637 | } | |
8e83854c JR |
1638 | if (ct_info->have_eventmask && |
1639 | nla_put_u32(skb, OVS_CT_ATTR_EVENTMASK, ct_info->eventmask)) | |
1640 | return -EMSGSIZE; | |
1641 | ||
f8f97cdc JR |
1642 | #ifdef CONFIG_NF_NAT_NEEDED |
1643 | if (ct_info->nat && !ovs_ct_nat_to_attr(ct_info, skb)) | |
1644 | return -EMSGSIZE; | |
1645 | #endif | |
a94ebc39 JS |
1646 | nla_nest_end(skb, start); |
1647 | ||
1648 | return 0; | |
1649 | } | |
1650 | ||
1651 | void ovs_ct_free_action(const struct nlattr *a) | |
1652 | { | |
1653 | struct ovs_conntrack_info *ct_info = nla_data(a); | |
1654 | ||
11251c17 JS |
1655 | __ovs_ct_free_action(ct_info); |
1656 | } | |
1657 | ||
1658 | static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info) | |
1659 | { | |
1660 | if (ct_info->helper) | |
ac8e3c6d | 1661 | nf_conntrack_helper_put(ct_info->helper); |
a94ebc39 JS |
1662 | if (ct_info->ct) |
1663 | nf_ct_tmpl_free(ct_info->ct); | |
1664 | } | |
1665 | ||
038e34ab JS |
1666 | void ovs_ct_init(struct net *net) |
1667 | { | |
c05e2094 | 1668 | unsigned int n_bits = sizeof(struct ovs_key_ct_labels) * BITS_PER_BYTE; |
038e34ab JS |
1669 | struct ovs_net *ovs_net = net_generic(net, ovs_net_id); |
1670 | ||
7f2ab8cd | 1671 | if (nf_connlabels_get(net, n_bits - 1)) { |
038e34ab JS |
1672 | ovs_net->xt_label = false; |
1673 | OVS_NLERR(true, "Failed to set connlabel length"); | |
1674 | } else { | |
1675 | ovs_net->xt_label = true; | |
1676 | } | |
1677 | } | |
1678 | ||
1679 | void ovs_ct_exit(struct net *net) | |
1680 | { | |
1681 | struct ovs_net *ovs_net = net_generic(net, ovs_net_id); | |
1682 | ||
1683 | if (ovs_net->xt_label) | |
1684 | nf_connlabels_put(net); | |
1685 | } | |
1686 | ||
8063e095 | 1687 | #endif /* CONFIG_NF_CONNTRACK */ |