]>
Commit | Line | Data |
---|---|---|
a94ebc39 JS |
1 | /* |
2 | * Copyright (c) 2015 Nicira, Inc. | |
3 | * | |
4 | * This program is free software; you can redistribute it and/or | |
5 | * modify it under the terms of version 2 of the GNU General Public | |
6 | * License as published by the Free Software Foundation. | |
7 | * | |
8 | * This program is distributed in the hope that it will be useful, but | |
9 | * WITHOUT ANY WARRANTY; without even the implied warranty of | |
10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
11 | * General Public License for more details. | |
12 | */ | |
13 | ||
14 | #include <linux/kconfig.h> | |
15 | #include <linux/version.h> | |
16 | ||
8063e095 | 17 | #if IS_ENABLED(CONFIG_NF_CONNTRACK) |
a94ebc39 JS |
18 | |
19 | #include <linux/module.h> | |
20 | #include <linux/openvswitch.h> | |
f8f97cdc JR |
21 | #include <linux/tcp.h> |
22 | #include <linux/udp.h> | |
23 | #include <linux/sctp.h> | |
a94ebc39 JS |
24 | #include <net/ip.h> |
25 | #include <net/netfilter/nf_conntrack_core.h> | |
11251c17 | 26 | #include <net/netfilter/nf_conntrack_helper.h> |
038e34ab | 27 | #include <net/netfilter/nf_conntrack_labels.h> |
f8f97cdc | 28 | #include <net/netfilter/nf_conntrack_seqadj.h> |
a94ebc39 JS |
29 | #include <net/netfilter/nf_conntrack_zones.h> |
30 | #include <net/netfilter/ipv6/nf_defrag_ipv6.h> | |
31 | ||
f8f97cdc JR |
32 | #ifdef CONFIG_NF_NAT_NEEDED |
33 | #include <linux/netfilter/nf_nat.h> | |
34 | #include <net/netfilter/nf_nat_core.h> | |
35 | #include <net/netfilter/nf_nat_l3proto.h> | |
36 | #endif | |
37 | ||
a94ebc39 JS |
38 | #include "datapath.h" |
39 | #include "conntrack.h" | |
40 | #include "flow.h" | |
41 | #include "flow_netlink.h" | |
86c2eb45 | 42 | #include "gso.h" |
a94ebc39 JS |
43 | |
44 | struct ovs_ct_len_tbl { | |
f8f97cdc JR |
45 | int maxlen; |
46 | int minlen; | |
a94ebc39 JS |
47 | }; |
48 | ||
372ce973 JS |
49 | /* Metadata mark for masked write to conntrack mark */ |
50 | struct md_mark { | |
51 | u32 value; | |
52 | u32 mask; | |
53 | }; | |
54 | ||
038e34ab | 55 | /* Metadata label for masked write to conntrack label. */ |
c05e2094 JS |
56 | struct md_labels { |
57 | struct ovs_key_ct_labels value; | |
58 | struct ovs_key_ct_labels mask; | |
038e34ab JS |
59 | }; |
60 | ||
f8f97cdc JR |
61 | enum ovs_ct_nat { |
62 | OVS_CT_NAT = 1 << 0, /* NAT for committed connections only. */ | |
63 | OVS_CT_SRC_NAT = 1 << 1, /* Source NAT for NEW connections. */ | |
64 | OVS_CT_DST_NAT = 1 << 2, /* Destination NAT for NEW connections. */ | |
65 | }; | |
66 | ||
a94ebc39 JS |
67 | /* Conntrack action context for execution. */ |
68 | struct ovs_conntrack_info { | |
11251c17 | 69 | struct nf_conntrack_helper *helper; |
a94ebc39 JS |
70 | struct nf_conntrack_zone zone; |
71 | struct nf_conn *ct; | |
c05e2094 | 72 | u8 commit : 1; |
f8f97cdc | 73 | u8 nat : 3; /* enum ovs_ct_nat */ |
9f1de150 | 74 | u8 random_fully_compat : 1; /* bool */ |
a94ebc39 | 75 | u16 family; |
372ce973 | 76 | struct md_mark mark; |
c05e2094 | 77 | struct md_labels labels; |
f8f97cdc JR |
78 | #ifdef CONFIG_NF_NAT_NEEDED |
79 | struct nf_nat_range range; /* Only present for SRC NAT and DST NAT. */ | |
80 | #endif | |
a94ebc39 JS |
81 | }; |
82 | ||
11251c17 JS |
83 | static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info); |
84 | ||
a94ebc39 JS |
85 | static u16 key_to_nfproto(const struct sw_flow_key *key) |
86 | { | |
87 | switch (ntohs(key->eth.type)) { | |
88 | case ETH_P_IP: | |
89 | return NFPROTO_IPV4; | |
90 | case ETH_P_IPV6: | |
91 | return NFPROTO_IPV6; | |
92 | default: | |
93 | return NFPROTO_UNSPEC; | |
94 | } | |
95 | } | |
96 | ||
97 | /* Map SKB connection state into the values used by flow definition. */ | |
98 | static u8 ovs_ct_get_state(enum ip_conntrack_info ctinfo) | |
99 | { | |
100 | u8 ct_state = OVS_CS_F_TRACKED; | |
101 | ||
102 | switch (ctinfo) { | |
103 | case IP_CT_ESTABLISHED_REPLY: | |
104 | case IP_CT_RELATED_REPLY: | |
a94ebc39 JS |
105 | ct_state |= OVS_CS_F_REPLY_DIR; |
106 | break; | |
107 | default: | |
108 | break; | |
109 | } | |
110 | ||
111 | switch (ctinfo) { | |
112 | case IP_CT_ESTABLISHED: | |
113 | case IP_CT_ESTABLISHED_REPLY: | |
114 | ct_state |= OVS_CS_F_ESTABLISHED; | |
115 | break; | |
116 | case IP_CT_RELATED: | |
117 | case IP_CT_RELATED_REPLY: | |
118 | ct_state |= OVS_CS_F_RELATED; | |
119 | break; | |
120 | case IP_CT_NEW: | |
a94ebc39 JS |
121 | ct_state |= OVS_CS_F_NEW; |
122 | break; | |
123 | default: | |
124 | break; | |
125 | } | |
126 | ||
127 | return ct_state; | |
128 | } | |
129 | ||
c05e2094 JS |
130 | static u32 ovs_ct_get_mark(const struct nf_conn *ct) |
131 | { | |
132 | #if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) | |
133 | return ct ? ct->mark : 0; | |
134 | #else | |
135 | return 0; | |
136 | #endif | |
137 | } | |
138 | ||
237f9413 JR |
139 | /* Guard against conntrack labels max size shrinking below 128 bits. */ |
140 | #if NF_CT_LABELS_MAX_SIZE < 16 | |
141 | #error NF_CT_LABELS_MAX_SIZE must be at least 16 bytes | |
142 | #endif | |
143 | ||
c05e2094 JS |
144 | static void ovs_ct_get_labels(const struct nf_conn *ct, |
145 | struct ovs_key_ct_labels *labels) | |
038e34ab JS |
146 | { |
147 | struct nf_conn_labels *cl = ct ? nf_ct_labels_find(ct) : NULL; | |
148 | ||
237f9413 JR |
149 | if (cl) |
150 | memcpy(labels, cl->bits, OVS_CT_LABELS_LEN); | |
151 | else | |
c05e2094 | 152 | memset(labels, 0, OVS_CT_LABELS_LEN); |
038e34ab JS |
153 | } |
154 | ||
a94ebc39 | 155 | static void __ovs_ct_update_key(struct sw_flow_key *key, u8 state, |
372ce973 JS |
156 | const struct nf_conntrack_zone *zone, |
157 | const struct nf_conn *ct) | |
a94ebc39 JS |
158 | { |
159 | key->ct.state = state; | |
160 | key->ct.zone = zone->id; | |
c05e2094 JS |
161 | key->ct.mark = ovs_ct_get_mark(ct); |
162 | ovs_ct_get_labels(ct, &key->ct.labels); | |
a94ebc39 JS |
163 | } |
164 | ||
e3c42eb8 | 165 | /* Update 'key' based on skb->_nfct. If 'post_ct' is true, then OVS has |
f8f97cdc JR |
166 | * previously sent the packet to conntrack via the ct action. If |
167 | * 'keep_nat_flags' is true, the existing NAT flags retained, else they are | |
168 | * initialized from the connection status. | |
a94ebc39 JS |
169 | */ |
170 | static void ovs_ct_update_key(const struct sk_buff *skb, | |
f23593a1 | 171 | const struct ovs_conntrack_info *info, |
f8f97cdc JR |
172 | struct sw_flow_key *key, bool post_ct, |
173 | bool keep_nat_flags) | |
a94ebc39 JS |
174 | { |
175 | const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt; | |
176 | enum ip_conntrack_info ctinfo; | |
177 | struct nf_conn *ct; | |
178 | u8 state = 0; | |
179 | ||
180 | ct = nf_ct_get(skb, &ctinfo); | |
181 | if (ct) { | |
182 | state = ovs_ct_get_state(ctinfo); | |
b0f251cd | 183 | /* All unconfirmed entries are NEW connections. */ |
c05e2094 JS |
184 | if (!nf_ct_is_confirmed(ct)) |
185 | state |= OVS_CS_F_NEW; | |
b0f251cd JR |
186 | /* OVS persists the related flag for the duration of the |
187 | * connection. | |
188 | */ | |
a94ebc39 JS |
189 | if (ct->master) |
190 | state |= OVS_CS_F_RELATED; | |
f8f97cdc JR |
191 | if (keep_nat_flags) { |
192 | state |= key->ct.state & OVS_CS_F_NAT_MASK; | |
193 | } else { | |
194 | if (ct->status & IPS_SRC_NAT) | |
195 | state |= OVS_CS_F_SRC_NAT; | |
196 | if (ct->status & IPS_DST_NAT) | |
197 | state |= OVS_CS_F_DST_NAT; | |
198 | } | |
a94ebc39 JS |
199 | zone = nf_ct_zone(ct); |
200 | } else if (post_ct) { | |
201 | state = OVS_CS_F_TRACKED | OVS_CS_F_INVALID; | |
f23593a1 JS |
202 | if (info) |
203 | zone = &info->zone; | |
a94ebc39 | 204 | } |
372ce973 | 205 | __ovs_ct_update_key(key, state, zone, ct); |
a94ebc39 JS |
206 | } |
207 | ||
b0f251cd JR |
208 | /* This is called to initialize CT key fields possibly coming in from the local |
209 | * stack. | |
210 | */ | |
a94ebc39 JS |
211 | void ovs_ct_fill_key(const struct sk_buff *skb, struct sw_flow_key *key) |
212 | { | |
f8f97cdc | 213 | ovs_ct_update_key(skb, NULL, key, false, false); |
a94ebc39 JS |
214 | } |
215 | ||
216 | int ovs_ct_put_key(const struct sw_flow_key *key, struct sk_buff *skb) | |
217 | { | |
c05e2094 | 218 | if (nla_put_u32(skb, OVS_KEY_ATTR_CT_STATE, key->ct.state)) |
a94ebc39 JS |
219 | return -EMSGSIZE; |
220 | ||
221 | if (IS_ENABLED(CONFIG_NF_CONNTRACK_ZONES) && | |
222 | nla_put_u16(skb, OVS_KEY_ATTR_CT_ZONE, key->ct.zone)) | |
223 | return -EMSGSIZE; | |
224 | ||
372ce973 JS |
225 | if (IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) && |
226 | nla_put_u32(skb, OVS_KEY_ATTR_CT_MARK, key->ct.mark)) | |
227 | return -EMSGSIZE; | |
228 | ||
c05e2094 JS |
229 | if (IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS) && |
230 | nla_put(skb, OVS_KEY_ATTR_CT_LABELS, sizeof(key->ct.labels), | |
231 | &key->ct.labels)) | |
038e34ab JS |
232 | return -EMSGSIZE; |
233 | ||
372ce973 JS |
234 | return 0; |
235 | } | |
236 | ||
efd40994 | 237 | static int ovs_ct_set_mark(struct nf_conn *ct, struct sw_flow_key *key, |
372ce973 JS |
238 | u32 ct_mark, u32 mask) |
239 | { | |
c05e2094 | 240 | #if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) |
372ce973 JS |
241 | u32 new_mark; |
242 | ||
372ce973 JS |
243 | new_mark = ct_mark | (ct->mark & ~(mask)); |
244 | if (ct->mark != new_mark) { | |
245 | ct->mark = new_mark; | |
1b22e621 JR |
246 | if (nf_ct_is_confirmed(ct)) |
247 | nf_conntrack_event_cache(IPCT_MARK, ct); | |
372ce973 JS |
248 | key->ct.mark = new_mark; |
249 | } | |
250 | ||
a94ebc39 | 251 | return 0; |
c05e2094 JS |
252 | #else |
253 | return -ENOTSUPP; | |
254 | #endif | |
a94ebc39 JS |
255 | } |
256 | ||
efd40994 | 257 | static struct nf_conn_labels *ovs_ct_get_conn_labels(struct nf_conn *ct) |
038e34ab | 258 | { |
038e34ab | 259 | struct nf_conn_labels *cl; |
038e34ab JS |
260 | |
261 | cl = nf_ct_labels_find(ct); | |
262 | if (!cl) { | |
263 | nf_ct_labels_ext_add(ct); | |
264 | cl = nf_ct_labels_find(ct); | |
265 | } | |
9f04eabe | 266 | |
efd40994 JR |
267 | return cl; |
268 | } | |
269 | ||
270 | /* Initialize labels for a new, yet to be committed conntrack entry. Note that | |
271 | * since the new connection is not yet confirmed, and thus no-one else has | |
272 | * access to it's labels, we simply write them over. | |
273 | */ | |
274 | static int ovs_ct_init_labels(struct nf_conn *ct, struct sw_flow_key *key, | |
275 | const struct ovs_key_ct_labels *labels, | |
276 | const struct ovs_key_ct_labels *mask) | |
277 | { | |
278 | struct nf_conn_labels *cl; | |
279 | u32 *dst; | |
280 | int i; | |
281 | ||
282 | cl = ovs_ct_get_conn_labels(ct); | |
283 | if (!cl) | |
038e34ab JS |
284 | return -ENOSPC; |
285 | ||
efd40994 JR |
286 | dst = (u32 *)cl->bits; |
287 | for (i = 0; i < OVS_CT_LABELS_LEN_32; i++) | |
288 | dst[i] = (dst[i] & ~mask->ct_labels_32[i]) | | |
289 | (labels->ct_labels_32[i] & mask->ct_labels_32[i]); | |
1b22e621 | 290 | |
efd40994 JR |
291 | /* Labels are included in the IPCTNL_MSG_CT_NEW event only if the |
292 | * IPCT_LABEL bit it set in the event cache. | |
293 | */ | |
294 | nf_conntrack_event_cache(IPCT_LABEL, ct); | |
1b22e621 | 295 | |
efd40994 JR |
296 | memcpy(&key->ct.labels, cl->bits, OVS_CT_LABELS_LEN); |
297 | ||
298 | return 0; | |
299 | } | |
300 | ||
301 | static int ovs_ct_set_labels(struct nf_conn *ct, struct sw_flow_key *key, | |
302 | const struct ovs_key_ct_labels *labels, | |
303 | const struct ovs_key_ct_labels *mask) | |
304 | { | |
305 | struct nf_conn_labels *cl; | |
306 | int err; | |
307 | ||
308 | cl = ovs_ct_get_conn_labels(ct); | |
309 | if (!cl) | |
310 | return -ENOSPC; | |
311 | ||
312 | err = nf_connlabels_replace(ct, labels->ct_labels_32, | |
313 | mask->ct_labels_32, | |
314 | OVS_CT_LABELS_LEN_32); | |
315 | if (err) | |
316 | return err; | |
317 | ||
318 | memcpy(&key->ct.labels, cl->bits, OVS_CT_LABELS_LEN); | |
038e34ab | 319 | |
038e34ab JS |
320 | return 0; |
321 | } | |
322 | ||
11251c17 JS |
323 | /* 'skb' should already be pulled to nh_ofs. */ |
324 | static int ovs_ct_helper(struct sk_buff *skb, u16 proto) | |
325 | { | |
326 | const struct nf_conntrack_helper *helper; | |
327 | const struct nf_conn_help *help; | |
328 | enum ip_conntrack_info ctinfo; | |
329 | unsigned int protoff; | |
330 | struct nf_conn *ct; | |
4cc85f28 | 331 | u8 nexthdr; |
f8f97cdc | 332 | int err; |
11251c17 | 333 | |
3d47fa46 JH |
334 | #if LINUX_VERSION_CODE < KERNEL_VERSION(4,6,0) |
335 | bool dst_set = false; | |
336 | struct rtable rt = { .rt_flags = 0 }; | |
337 | #endif | |
338 | ||
11251c17 JS |
339 | ct = nf_ct_get(skb, &ctinfo); |
340 | if (!ct || ctinfo == IP_CT_RELATED_REPLY) | |
341 | return NF_ACCEPT; | |
342 | ||
343 | help = nfct_help(ct); | |
344 | if (!help) | |
345 | return NF_ACCEPT; | |
346 | ||
347 | helper = rcu_dereference(help->helper); | |
348 | if (!helper) | |
349 | return NF_ACCEPT; | |
350 | ||
351 | switch (proto) { | |
352 | case NFPROTO_IPV4: | |
353 | protoff = ip_hdrlen(skb); | |
354 | break; | |
355 | case NFPROTO_IPV6: { | |
11251c17 | 356 | __be16 frag_off; |
c05e2094 | 357 | int ofs; |
11251c17 | 358 | |
4cc85f28 | 359 | nexthdr = ipv6_hdr(skb)->nexthdr; |
c05e2094 JS |
360 | ofs = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr, |
361 | &frag_off); | |
362 | if (ofs < 0 || (frag_off & htons(~0x7)) != 0) { | |
11251c17 JS |
363 | pr_debug("proto header not found\n"); |
364 | return NF_ACCEPT; | |
365 | } | |
c05e2094 | 366 | protoff = ofs; |
11251c17 JS |
367 | break; |
368 | } | |
369 | default: | |
370 | WARN_ONCE(1, "helper invoked on non-IP family!"); | |
371 | return NF_DROP; | |
372 | } | |
373 | ||
4cc85f28 JR |
374 | #if LINUX_VERSION_CODE < KERNEL_VERSION(4,6,0) |
375 | /* Linux 4.5 and older depend on skb_dst being set when recalculating | |
376 | * checksums after NAT helper has mangled TCP or UDP packet payload. | |
3d47fa46 JH |
377 | * skb_dst is cast to a rtable struct and the flags examined. |
378 | * Forcing these flags to have RTCF_LOCAL not set ensures checksum mod | |
379 | * is carried out in the same way as kernel versions > 4.5 | |
4cc85f28 | 380 | */ |
3d47fa46 JH |
381 | if (ct->status & IPS_NAT_MASK && skb->ip_summed != CHECKSUM_PARTIAL |
382 | && !skb_dst(skb)) { | |
383 | dst_set = true; | |
384 | skb_dst_set(skb, &rt.dst); | |
4cc85f28 JR |
385 | } |
386 | #endif | |
f8f97cdc JR |
387 | err = helper->help(skb, protoff, ct, ctinfo); |
388 | if (err != NF_ACCEPT) | |
389 | return err; | |
390 | ||
3d47fa46 JH |
391 | #if LINUX_VERSION_CODE < KERNEL_VERSION(4,6,0) |
392 | if (dst_set) | |
393 | skb_dst_set(skb, NULL); | |
394 | #endif | |
395 | ||
f8f97cdc JR |
396 | /* Adjust seqs after helper. This is needed due to some helpers (e.g., |
397 | * FTP with NAT) adusting the TCP payload size when mangling IP | |
398 | * addresses and/or port numbers in the text-based control connection. | |
399 | */ | |
400 | if (test_bit(IPS_SEQ_ADJUST_BIT, &ct->status) && | |
401 | !nf_ct_seq_adjust(skb, ct, ctinfo, protoff)) | |
402 | return NF_DROP; | |
403 | return NF_ACCEPT; | |
11251c17 JS |
404 | } |
405 | ||
c05e2094 JS |
406 | /* Returns 0 on success, -EINPROGRESS if 'skb' is stolen, or other nonzero |
407 | * value if 'skb' is freed. | |
408 | */ | |
a94ebc39 JS |
409 | static int handle_fragments(struct net *net, struct sw_flow_key *key, |
410 | u16 zone, struct sk_buff *skb) | |
411 | { | |
86c2eb45 | 412 | struct ovs_gso_cb ovs_cb = *OVS_GSO_CB(skb); |
2e602ea3 | 413 | int err; |
a94ebc39 | 414 | |
a94ebc39 JS |
415 | if (key->eth.type == htons(ETH_P_IP)) { |
416 | enum ip_defrag_users user = IP_DEFRAG_CONNTRACK_IN + zone; | |
a94ebc39 JS |
417 | |
418 | memset(IPCB(skb), 0, sizeof(struct inet_skb_parm)); | |
39c0ff22 | 419 | err = ip_defrag(net, skb, user); |
a94ebc39 JS |
420 | if (err) |
421 | return err; | |
422 | ||
86c2eb45 | 423 | ovs_cb.dp_cb.mru = IPCB(skb)->frag_max_size; |
a94ebc39 | 424 | #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6) |
c05e2094 | 425 | } else if (key->eth.type == htons(ETH_P_IPV6)) { |
a94ebc39 | 426 | enum ip6_defrag_users user = IP6_DEFRAG_CONNTRACK_IN + zone; |
a94ebc39 | 427 | |
66ec6da8 | 428 | skb_orphan(skb); |
a94ebc39 | 429 | memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm)); |
2e602ea3 | 430 | err = nf_ct_frag6_gather(net, skb, user); |
6b4fe5a9 DDP |
431 | if (err) { |
432 | if (err != -EINPROGRESS) | |
433 | kfree_skb(skb); | |
2e602ea3 | 434 | return err; |
6b4fe5a9 | 435 | } |
a94ebc39 | 436 | |
2e602ea3 | 437 | key->ip.proto = ipv6_hdr(skb)->nexthdr; |
86c2eb45 | 438 | ovs_cb.dp_cb.mru = IP6CB(skb)->frag_max_size; |
a94ebc39 JS |
439 | #endif /* IP frag support */ |
440 | } else { | |
c05e2094 | 441 | kfree_skb(skb); |
a94ebc39 JS |
442 | return -EPFNOSUPPORT; |
443 | } | |
444 | ||
445 | key->ip.frag = OVS_FRAG_TYPE_NONE; | |
446 | skb_clear_hash(skb); | |
447 | skb->ignore_df = 1; | |
86c2eb45 | 448 | *OVS_GSO_CB(skb) = ovs_cb; |
a94ebc39 JS |
449 | |
450 | return 0; | |
451 | } | |
452 | ||
453 | static struct nf_conntrack_expect * | |
454 | ovs_ct_expect_find(struct net *net, const struct nf_conntrack_zone *zone, | |
455 | u16 proto, const struct sk_buff *skb) | |
456 | { | |
457 | struct nf_conntrack_tuple tuple; | |
458 | ||
fa67f8e0 | 459 | if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb), proto, net, &tuple)) |
a94ebc39 JS |
460 | return NULL; |
461 | return __nf_ct_expect_find(net, zone, &tuple); | |
462 | } | |
463 | ||
3dd9e118 JR |
464 | /* This replicates logic from nf_conntrack_core.c that is not exported. */ |
465 | static enum ip_conntrack_info | |
466 | ovs_ct_get_info(const struct nf_conntrack_tuple_hash *h) | |
467 | { | |
468 | const struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h); | |
469 | ||
470 | if (NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY) | |
471 | return IP_CT_ESTABLISHED_REPLY; | |
472 | /* Once we've had two way comms, always ESTABLISHED. */ | |
473 | if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) | |
474 | return IP_CT_ESTABLISHED; | |
475 | if (test_bit(IPS_EXPECTED_BIT, &ct->status)) | |
476 | return IP_CT_RELATED; | |
477 | return IP_CT_NEW; | |
478 | } | |
479 | ||
480 | /* Find an existing connection which this packet belongs to without | |
481 | * re-attributing statistics or modifying the connection state. This allows an | |
e3c42eb8 | 482 | * skb->_nfct lost due to an upcall to be recovered during actions execution. |
3dd9e118 JR |
483 | * |
484 | * Must be called with rcu_read_lock. | |
485 | * | |
e3c42eb8 JR |
486 | * On success, populates skb->_nfct and returns the connection. Returns NULL |
487 | * if there is no existing entry. | |
3dd9e118 JR |
488 | */ |
489 | static struct nf_conn * | |
490 | ovs_ct_find_existing(struct net *net, const struct nf_conntrack_zone *zone, | |
c0324e37 | 491 | u8 l3num, struct sk_buff *skb, bool natted) |
3dd9e118 JR |
492 | { |
493 | struct nf_conntrack_l3proto *l3proto; | |
494 | struct nf_conntrack_l4proto *l4proto; | |
495 | struct nf_conntrack_tuple tuple; | |
496 | struct nf_conntrack_tuple_hash *h; | |
3dd9e118 JR |
497 | struct nf_conn *ct; |
498 | unsigned int dataoff; | |
499 | u8 protonum; | |
500 | ||
501 | l3proto = __nf_ct_l3proto_find(l3num); | |
3dd9e118 JR |
502 | if (l3proto->get_l4proto(skb, skb_network_offset(skb), &dataoff, |
503 | &protonum) <= 0) { | |
504 | pr_debug("ovs_ct_find_existing: Can't get protonum\n"); | |
505 | return NULL; | |
506 | } | |
507 | l4proto = __nf_ct_l4proto_find(l3num, protonum); | |
3dd9e118 JR |
508 | if (!nf_ct_get_tuple(skb, skb_network_offset(skb), dataoff, l3num, |
509 | protonum, net, &tuple, l3proto, l4proto)) { | |
510 | pr_debug("ovs_ct_find_existing: Can't get tuple\n"); | |
511 | return NULL; | |
512 | } | |
513 | ||
c0324e37 JR |
514 | /* Must invert the tuple if skb has been transformed by NAT. */ |
515 | if (natted) { | |
516 | struct nf_conntrack_tuple inverse; | |
517 | ||
518 | if (!nf_ct_invert_tuple(&inverse, &tuple, l3proto, l4proto)) { | |
519 | pr_debug("ovs_ct_find_existing: Inversion failed!\n"); | |
520 | return NULL; | |
521 | } | |
522 | tuple = inverse; | |
523 | } | |
524 | ||
3dd9e118 JR |
525 | /* look for tuple match */ |
526 | h = nf_conntrack_find_get(net, zone, &tuple); | |
527 | if (!h) | |
528 | return NULL; /* Not found. */ | |
529 | ||
530 | ct = nf_ct_tuplehash_to_ctrack(h); | |
531 | ||
c0324e37 JR |
532 | /* Inverted packet tuple matches the reverse direction conntrack tuple, |
533 | * select the other tuplehash to get the right 'ctinfo' bits for this | |
534 | * packet. | |
535 | */ | |
536 | if (natted) | |
537 | h = &ct->tuplehash[!h->tuple.dst.dir]; | |
538 | ||
dfa791b2 | 539 | nf_ct_set(skb, ct, ovs_ct_get_info(h)); |
3dd9e118 JR |
540 | return ct; |
541 | } | |
542 | ||
e3c42eb8 | 543 | /* Determine whether skb->_nfct is equal to the result of conntrack lookup. */ |
3dd9e118 JR |
544 | static bool skb_nfct_cached(struct net *net, |
545 | const struct sw_flow_key *key, | |
546 | const struct ovs_conntrack_info *info, | |
547 | struct sk_buff *skb) | |
a94ebc39 JS |
548 | { |
549 | enum ip_conntrack_info ctinfo; | |
550 | struct nf_conn *ct; | |
551 | ||
552 | ct = nf_ct_get(skb, &ctinfo); | |
3dd9e118 | 553 | /* If no ct, check if we have evidence that an existing conntrack entry |
e3c42eb8 | 554 | * might be found for this skb. This happens when we lose a skb->_nfct |
3dd9e118 JR |
555 | * due to an upcall. If the connection was not confirmed, it is not |
556 | * cached and needs to be run through conntrack again. | |
557 | */ | |
558 | if (!ct && key->ct.state & OVS_CS_F_TRACKED && | |
559 | !(key->ct.state & OVS_CS_F_INVALID) && | |
560 | key->ct.zone == info->zone.id) | |
c0324e37 JR |
561 | ct = ovs_ct_find_existing(net, &info->zone, info->family, skb, |
562 | !!(key->ct.state | |
563 | & OVS_CS_F_NAT_MASK)); | |
a94ebc39 JS |
564 | if (!ct) |
565 | return false; | |
566 | if (!net_eq(net, read_pnet(&ct->ct_net))) | |
567 | return false; | |
568 | if (!nf_ct_zone_equal_any(info->ct, nf_ct_zone(ct))) | |
569 | return false; | |
11251c17 JS |
570 | if (info->helper) { |
571 | struct nf_conn_help *help; | |
572 | ||
573 | help = nf_ct_ext_find(ct, NF_CT_EXT_HELPER); | |
574 | if (help && rcu_access_pointer(help->helper) != info->helper) | |
575 | return false; | |
576 | } | |
a94ebc39 JS |
577 | |
578 | return true; | |
579 | } | |
580 | ||
f8f97cdc JR |
581 | #ifdef CONFIG_NF_NAT_NEEDED |
582 | /* Modelled after nf_nat_ipv[46]_fn(). | |
583 | * range is only used for new, uninitialized NAT state. | |
584 | * Returns either NF_ACCEPT or NF_DROP. | |
585 | */ | |
586 | static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, | |
587 | enum ip_conntrack_info ctinfo, | |
588 | const struct nf_nat_range *range, | |
589 | enum nf_nat_manip_type maniptype) | |
590 | { | |
591 | int hooknum, nh_off, err = NF_ACCEPT; | |
592 | ||
593 | nh_off = skb_network_offset(skb); | |
073c7b86 | 594 | skb_pull_rcsum(skb, nh_off); |
f8f97cdc JR |
595 | |
596 | /* See HOOK2MANIP(). */ | |
597 | if (maniptype == NF_NAT_MANIP_SRC) | |
598 | hooknum = NF_INET_LOCAL_IN; /* Source NAT */ | |
599 | else | |
600 | hooknum = NF_INET_LOCAL_OUT; /* Destination NAT */ | |
601 | ||
602 | switch (ctinfo) { | |
603 | case IP_CT_RELATED: | |
604 | case IP_CT_RELATED_REPLY: | |
90b01477 AB |
605 | if (IS_ENABLED(CONFIG_NF_NAT_IPV4) && |
606 | skb->protocol == htons(ETH_P_IP) && | |
f8f97cdc JR |
607 | ip_hdr(skb)->protocol == IPPROTO_ICMP) { |
608 | if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo, | |
609 | hooknum)) | |
610 | err = NF_DROP; | |
611 | goto push; | |
90b01477 AB |
612 | } else if (IS_ENABLED(CONFIG_NF_NAT_IPV6) && |
613 | skb->protocol == htons(ETH_P_IPV6)) { | |
f8f97cdc JR |
614 | __be16 frag_off; |
615 | u8 nexthdr = ipv6_hdr(skb)->nexthdr; | |
616 | int hdrlen = ipv6_skip_exthdr(skb, | |
617 | sizeof(struct ipv6hdr), | |
618 | &nexthdr, &frag_off); | |
619 | ||
620 | if (hdrlen >= 0 && nexthdr == IPPROTO_ICMPV6) { | |
621 | if (!nf_nat_icmpv6_reply_translation(skb, ct, | |
622 | ctinfo, | |
623 | hooknum, | |
624 | hdrlen)) | |
625 | err = NF_DROP; | |
626 | goto push; | |
627 | } | |
f8f97cdc JR |
628 | } |
629 | /* Non-ICMP, fall thru to initialize if needed. */ | |
630 | case IP_CT_NEW: | |
631 | /* Seen it before? This can happen for loopback, retrans, | |
632 | * or local packets. | |
633 | */ | |
634 | if (!nf_nat_initialized(ct, maniptype)) { | |
635 | /* Initialize according to the NAT action. */ | |
636 | err = (range && range->flags & NF_NAT_RANGE_MAP_IPS) | |
637 | /* Action is set up to establish a new | |
638 | * mapping. | |
639 | */ | |
640 | ? nf_nat_setup_info(ct, range, maniptype) | |
641 | : nf_nat_alloc_null_binding(ct, hooknum); | |
642 | if (err != NF_ACCEPT) | |
643 | goto push; | |
644 | } | |
645 | break; | |
646 | ||
647 | case IP_CT_ESTABLISHED: | |
648 | case IP_CT_ESTABLISHED_REPLY: | |
649 | break; | |
650 | ||
651 | default: | |
652 | err = NF_DROP; | |
653 | goto push; | |
654 | } | |
655 | ||
656 | err = nf_nat_packet(ct, ctinfo, hooknum, skb); | |
657 | push: | |
658 | skb_push(skb, nh_off); | |
073c7b86 | 659 | skb_postpush_rcsum(skb, skb->data, nh_off); |
f8f97cdc JR |
660 | |
661 | return err; | |
662 | } | |
663 | ||
664 | static void ovs_nat_update_key(struct sw_flow_key *key, | |
665 | const struct sk_buff *skb, | |
666 | enum nf_nat_manip_type maniptype) | |
667 | { | |
668 | if (maniptype == NF_NAT_MANIP_SRC) { | |
669 | __be16 src; | |
670 | ||
671 | key->ct.state |= OVS_CS_F_SRC_NAT; | |
672 | if (key->eth.type == htons(ETH_P_IP)) | |
673 | key->ipv4.addr.src = ip_hdr(skb)->saddr; | |
674 | else if (key->eth.type == htons(ETH_P_IPV6)) | |
675 | memcpy(&key->ipv6.addr.src, &ipv6_hdr(skb)->saddr, | |
676 | sizeof(key->ipv6.addr.src)); | |
677 | else | |
678 | return; | |
679 | ||
680 | if (key->ip.proto == IPPROTO_UDP) | |
681 | src = udp_hdr(skb)->source; | |
682 | else if (key->ip.proto == IPPROTO_TCP) | |
683 | src = tcp_hdr(skb)->source; | |
684 | else if (key->ip.proto == IPPROTO_SCTP) | |
685 | src = sctp_hdr(skb)->source; | |
686 | else | |
687 | return; | |
688 | ||
689 | key->tp.src = src; | |
690 | } else { | |
691 | __be16 dst; | |
692 | ||
693 | key->ct.state |= OVS_CS_F_DST_NAT; | |
694 | if (key->eth.type == htons(ETH_P_IP)) | |
695 | key->ipv4.addr.dst = ip_hdr(skb)->daddr; | |
696 | else if (key->eth.type == htons(ETH_P_IPV6)) | |
697 | memcpy(&key->ipv6.addr.dst, &ipv6_hdr(skb)->daddr, | |
698 | sizeof(key->ipv6.addr.dst)); | |
699 | else | |
700 | return; | |
701 | ||
702 | if (key->ip.proto == IPPROTO_UDP) | |
703 | dst = udp_hdr(skb)->dest; | |
704 | else if (key->ip.proto == IPPROTO_TCP) | |
705 | dst = tcp_hdr(skb)->dest; | |
706 | else if (key->ip.proto == IPPROTO_SCTP) | |
707 | dst = sctp_hdr(skb)->dest; | |
708 | else | |
709 | return; | |
710 | ||
711 | key->tp.dst = dst; | |
712 | } | |
713 | } | |
714 | ||
715 | /* Returns NF_DROP if the packet should be dropped, NF_ACCEPT otherwise. */ | |
716 | static int ovs_ct_nat(struct net *net, struct sw_flow_key *key, | |
717 | const struct ovs_conntrack_info *info, | |
718 | struct sk_buff *skb, struct nf_conn *ct, | |
719 | enum ip_conntrack_info ctinfo) | |
720 | { | |
721 | enum nf_nat_manip_type maniptype; | |
722 | int err; | |
723 | ||
724 | if (nf_ct_is_untracked(ct)) { | |
725 | /* A NAT action may only be performed on tracked packets. */ | |
726 | return NF_ACCEPT; | |
727 | } | |
728 | ||
729 | /* Add NAT extension if not confirmed yet. */ | |
730 | if (!nf_ct_is_confirmed(ct) && !nf_ct_nat_ext_add(ct)) | |
731 | return NF_ACCEPT; /* Can't NAT. */ | |
732 | ||
733 | /* Determine NAT type. | |
734 | * Check if the NAT type can be deduced from the tracked connection. | |
d2e8b514 JR |
735 | * Make sure new expected connections (IP_CT_RELATED) are NATted only |
736 | * when committing. | |
f8f97cdc JR |
737 | */ |
738 | if (info->nat & OVS_CT_NAT && ctinfo != IP_CT_NEW && | |
739 | ct->status & IPS_NAT_MASK && | |
d2e8b514 | 740 | (ctinfo != IP_CT_RELATED || info->commit)) { |
f8f97cdc JR |
741 | /* NAT an established or related connection like before. */ |
742 | if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) | |
743 | /* This is the REPLY direction for a connection | |
744 | * for which NAT was applied in the forward | |
745 | * direction. Do the reverse NAT. | |
746 | */ | |
747 | maniptype = ct->status & IPS_SRC_NAT | |
748 | ? NF_NAT_MANIP_DST : NF_NAT_MANIP_SRC; | |
749 | else | |
750 | maniptype = ct->status & IPS_SRC_NAT | |
751 | ? NF_NAT_MANIP_SRC : NF_NAT_MANIP_DST; | |
752 | } else if (info->nat & OVS_CT_SRC_NAT) { | |
753 | maniptype = NF_NAT_MANIP_SRC; | |
754 | } else if (info->nat & OVS_CT_DST_NAT) { | |
755 | maniptype = NF_NAT_MANIP_DST; | |
756 | } else { | |
757 | return NF_ACCEPT; /* Connection is not NATed. */ | |
758 | } | |
759 | err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range, maniptype); | |
760 | ||
761 | /* Mark NAT done if successful and update the flow key. */ | |
762 | if (err == NF_ACCEPT) | |
763 | ovs_nat_update_key(key, skb, maniptype); | |
764 | ||
765 | return err; | |
766 | } | |
767 | #else /* !CONFIG_NF_NAT_NEEDED */ | |
768 | static int ovs_ct_nat(struct net *net, struct sw_flow_key *key, | |
769 | const struct ovs_conntrack_info *info, | |
770 | struct sk_buff *skb, struct nf_conn *ct, | |
771 | enum ip_conntrack_info ctinfo) | |
772 | { | |
773 | return NF_ACCEPT; | |
774 | } | |
775 | #endif | |
776 | ||
b0f251cd | 777 | /* Pass 'skb' through conntrack in 'net', using zone configured in 'info', if |
a04a5794 JR |
778 | * not done already. Update key with new CT state after passing the packet |
779 | * through conntrack. | |
e3c42eb8 | 780 | * Note that if the packet is deemed invalid by conntrack, skb->_nfct will be |
b0f251cd JR |
781 | * set to NULL and 0 will be returned. |
782 | */ | |
c05e2094 | 783 | static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, |
a94ebc39 JS |
784 | const struct ovs_conntrack_info *info, |
785 | struct sk_buff *skb) | |
786 | { | |
787 | /* If we are recirculating packets to match on conntrack fields and | |
788 | * committing with a separate conntrack action, then we don't need to | |
789 | * actually run the packet through conntrack twice unless it's for a | |
790 | * different zone. | |
791 | */ | |
b21d237e JR |
792 | bool cached = skb_nfct_cached(net, key, info, skb); |
793 | enum ip_conntrack_info ctinfo; | |
794 | struct nf_conn *ct; | |
795 | ||
796 | if (!cached) { | |
a94ebc39 | 797 | struct nf_conn *tmpl = info->ct; |
9bf67b92 | 798 | int err; |
a94ebc39 JS |
799 | |
800 | /* Associate skb with specified zone. */ | |
801 | if (tmpl) { | |
d3c313c1 FW |
802 | if (skb_nfct(skb)) |
803 | nf_conntrack_put(skb_nfct(skb)); | |
a94ebc39 | 804 | nf_conntrack_get(&tmpl->ct_general); |
dfa791b2 | 805 | nf_ct_set(skb, tmpl, IP_CT_NEW); |
a94ebc39 JS |
806 | } |
807 | ||
a6d28f7c PNA |
808 | err = nf_conntrack_in(net, info->family, |
809 | NF_INET_PRE_ROUTING, skb); | |
9bf67b92 | 810 | if (err != NF_ACCEPT) |
a94ebc39 | 811 | return -ENOENT; |
11251c17 | 812 | |
f8f97cdc JR |
813 | /* Clear CT state NAT flags to mark that we have not yet done |
814 | * NAT after the nf_conntrack_in() call. We can actually clear | |
815 | * the whole state, as it will be re-initialized below. | |
816 | */ | |
817 | key->ct.state = 0; | |
818 | ||
819 | /* Update the key, but keep the NAT flags. */ | |
820 | ovs_ct_update_key(skb, info, key, true, true); | |
b21d237e | 821 | } |
a04a5794 | 822 | |
b21d237e | 823 | ct = nf_ct_get(skb, &ctinfo); |
f8f97cdc JR |
824 | if (ct) { |
825 | /* Packets starting a new connection must be NATted before the | |
826 | * helper, so that the helper knows about the NAT. We enforce | |
827 | * this by delaying both NAT and helper calls for unconfirmed | |
828 | * connections until the committing CT action. For later | |
829 | * packets NAT and Helper may be called in either order. | |
830 | * | |
831 | * NAT will be done only if the CT action has NAT, and only | |
832 | * once per packet (per zone), as guarded by the NAT bits in | |
833 | * the key->ct.state. | |
834 | */ | |
835 | if (info->nat && !(key->ct.state & OVS_CS_F_NAT_MASK) && | |
836 | (nf_ct_is_confirmed(ct) || info->commit) && | |
837 | ovs_ct_nat(net, key, info, skb, ct, ctinfo) != NF_ACCEPT) { | |
838 | return -EINVAL; | |
839 | } | |
840 | ||
b87a5aac JS |
841 | /* Userspace may decide to perform a ct lookup without a helper |
842 | * specified followed by a (recirculate and) commit with one. | |
843 | * Therefore, for unconfirmed connections which we will commit, | |
844 | * we need to attach the helper here. | |
845 | */ | |
846 | if (!nf_ct_is_confirmed(ct) && info->commit && | |
847 | info->helper && !nfct_help(ct)) { | |
848 | int err = __nf_ct_try_assign_helper(ct, info->ct, | |
849 | GFP_ATOMIC); | |
850 | if (err) | |
851 | return err; | |
852 | } | |
853 | ||
f8f97cdc JR |
854 | /* Call the helper only if: |
855 | * - nf_conntrack_in() was executed above ("!cached") for a | |
856 | * confirmed connection, or | |
857 | * - When committing an unconfirmed connection. | |
858 | */ | |
859 | if ((nf_ct_is_confirmed(ct) ? !cached : info->commit) && | |
860 | ovs_ct_helper(skb, info->family) != NF_ACCEPT) { | |
861 | return -EINVAL; | |
862 | } | |
a94ebc39 JS |
863 | } |
864 | ||
865 | return 0; | |
866 | } | |
867 | ||
868 | /* Lookup connection and read fields into key. */ | |
869 | static int ovs_ct_lookup(struct net *net, struct sw_flow_key *key, | |
870 | const struct ovs_conntrack_info *info, | |
871 | struct sk_buff *skb) | |
872 | { | |
873 | struct nf_conntrack_expect *exp; | |
874 | ||
b0f251cd JR |
875 | /* If we pass an expected packet through nf_conntrack_in() the |
876 | * expectation is typically removed, but the packet could still be | |
877 | * lost in upcall processing. To prevent this from happening we | |
878 | * perform an explicit expectation lookup. Expected connections are | |
879 | * always new, and will be passed through conntrack only when they are | |
880 | * committed, as it is OK to remove the expectation at that time. | |
881 | */ | |
a94ebc39 JS |
882 | exp = ovs_ct_expect_find(net, &info->zone, info->family, skb); |
883 | if (exp) { | |
884 | u8 state; | |
885 | ||
f8f97cdc JR |
886 | /* NOTE: New connections are NATted and Helped only when |
887 | * committed, so we are not calling into NAT here. | |
888 | */ | |
a94ebc39 | 889 | state = OVS_CS_F_TRACKED | OVS_CS_F_NEW | OVS_CS_F_RELATED; |
372ce973 | 890 | __ovs_ct_update_key(key, state, &info->zone, exp->master); |
f325530e PS |
891 | } else { |
892 | struct nf_conn *ct; | |
893 | int err; | |
894 | ||
895 | err = __ovs_ct_lookup(net, key, info, skb); | |
896 | if (err) | |
897 | return err; | |
898 | ||
d3c313c1 | 899 | ct = (struct nf_conn *)skb_nfct(skb); |
f325530e PS |
900 | if (ct) |
901 | nf_ct_deliver_cached_events(ct); | |
902 | } | |
a94ebc39 JS |
903 | |
904 | return 0; | |
905 | } | |
906 | ||
c05e2094 | 907 | static bool labels_nonzero(const struct ovs_key_ct_labels *labels) |
038e34ab JS |
908 | { |
909 | size_t i; | |
910 | ||
83495bd9 JR |
911 | for (i = 0; i < OVS_CT_LABELS_LEN_32; i++) |
912 | if (labels->ct_labels_32[i]) | |
038e34ab JS |
913 | return true; |
914 | ||
915 | return false; | |
916 | } | |
917 | ||
39a6542b JR |
918 | /* Lookup connection and confirm if unconfirmed. */ |
919 | static int ovs_ct_commit(struct net *net, struct sw_flow_key *key, | |
920 | const struct ovs_conntrack_info *info, | |
921 | struct sk_buff *skb) | |
922 | { | |
efd40994 JR |
923 | enum ip_conntrack_info ctinfo; |
924 | struct nf_conn *ct; | |
39a6542b JR |
925 | int err; |
926 | ||
927 | err = __ovs_ct_lookup(net, key, info, skb); | |
928 | if (err) | |
929 | return err; | |
930 | ||
efd40994 JR |
931 | /* The connection could be invalid, in which case this is a no-op.*/ |
932 | ct = nf_ct_get(skb, &ctinfo); | |
933 | if (!ct) | |
934 | return 0; | |
935 | ||
39a6542b JR |
936 | /* Apply changes before confirming the connection so that the initial |
937 | * conntrack NEW netlink event carries the values given in the CT | |
938 | * action. | |
939 | */ | |
940 | if (info->mark.mask) { | |
efd40994 | 941 | err = ovs_ct_set_mark(ct, key, info->mark.value, |
39a6542b JR |
942 | info->mark.mask); |
943 | if (err) | |
944 | return err; | |
945 | } | |
946 | if (labels_nonzero(&info->labels.mask)) { | |
efd40994 JR |
947 | if (!nf_ct_is_confirmed(ct)) |
948 | err = ovs_ct_init_labels(ct, key, &info->labels.value, | |
949 | &info->labels.mask); | |
950 | else | |
951 | err = ovs_ct_set_labels(ct, key, &info->labels.value, | |
952 | &info->labels.mask); | |
39a6542b JR |
953 | if (err) |
954 | return err; | |
955 | } | |
956 | /* This will take care of sending queued events even if the connection | |
957 | * is already confirmed. | |
958 | */ | |
959 | if (nf_conntrack_confirm(skb) != NF_ACCEPT) | |
960 | return -EINVAL; | |
961 | ||
962 | return 0; | |
963 | } | |
964 | ||
c05e2094 JS |
965 | /* Returns 0 on success, -EINPROGRESS if 'skb' is stolen, or other nonzero |
966 | * value if 'skb' is freed. | |
967 | */ | |
a94ebc39 JS |
968 | int ovs_ct_execute(struct net *net, struct sk_buff *skb, |
969 | struct sw_flow_key *key, | |
970 | const struct ovs_conntrack_info *info) | |
971 | { | |
972 | int nh_ofs; | |
973 | int err; | |
974 | ||
975 | /* The conntrack module expects to be working at L3. */ | |
976 | nh_ofs = skb_network_offset(skb); | |
073c7b86 | 977 | skb_pull_rcsum(skb, nh_ofs); |
a94ebc39 JS |
978 | |
979 | if (key->ip.frag != OVS_FRAG_TYPE_NONE) { | |
980 | err = handle_fragments(net, key, info->zone.id, skb); | |
981 | if (err) | |
982 | return err; | |
983 | } | |
984 | ||
c05e2094 | 985 | if (info->commit) |
39a6542b | 986 | err = ovs_ct_commit(net, key, info, skb); |
a94ebc39 JS |
987 | else |
988 | err = ovs_ct_lookup(net, key, info, skb); | |
989 | ||
990 | skb_push(skb, nh_ofs); | |
073c7b86 | 991 | skb_postpush_rcsum(skb, skb->data, nh_ofs); |
c05e2094 JS |
992 | if (err) |
993 | kfree_skb(skb); | |
a94ebc39 JS |
994 | return err; |
995 | } | |
996 | ||
11251c17 JS |
997 | static int ovs_ct_add_helper(struct ovs_conntrack_info *info, const char *name, |
998 | const struct sw_flow_key *key, bool log) | |
999 | { | |
1000 | struct nf_conntrack_helper *helper; | |
1001 | struct nf_conn_help *help; | |
1002 | ||
1003 | helper = nf_conntrack_helper_try_module_get(name, info->family, | |
1004 | key->ip.proto); | |
1005 | if (!helper) { | |
1006 | OVS_NLERR(log, "Unknown helper \"%s\"", name); | |
1007 | return -EINVAL; | |
1008 | } | |
1009 | ||
1010 | help = nf_ct_helper_ext_add(info->ct, helper, GFP_KERNEL); | |
1011 | if (!help) { | |
1012 | module_put(helper->me); | |
1013 | return -ENOMEM; | |
1014 | } | |
1015 | ||
1016 | rcu_assign_pointer(help->helper, helper); | |
1017 | info->helper = helper; | |
1018 | return 0; | |
1019 | } | |
1020 | ||
f8f97cdc JR |
1021 | #ifdef CONFIG_NF_NAT_NEEDED |
1022 | static int parse_nat(const struct nlattr *attr, | |
1023 | struct ovs_conntrack_info *info, bool log) | |
1024 | { | |
1025 | struct nlattr *a; | |
1026 | int rem; | |
1027 | bool have_ip_max = false; | |
1028 | bool have_proto_max = false; | |
1029 | bool ip_vers = (info->family == NFPROTO_IPV6); | |
1030 | ||
1031 | nla_for_each_nested(a, attr, rem) { | |
1032 | static const int ovs_nat_attr_lens[OVS_NAT_ATTR_MAX + 1][2] = { | |
1033 | [OVS_NAT_ATTR_SRC] = {0, 0}, | |
1034 | [OVS_NAT_ATTR_DST] = {0, 0}, | |
1035 | [OVS_NAT_ATTR_IP_MIN] = {sizeof(struct in_addr), | |
1036 | sizeof(struct in6_addr)}, | |
1037 | [OVS_NAT_ATTR_IP_MAX] = {sizeof(struct in_addr), | |
1038 | sizeof(struct in6_addr)}, | |
1039 | [OVS_NAT_ATTR_PROTO_MIN] = {sizeof(u16), sizeof(u16)}, | |
1040 | [OVS_NAT_ATTR_PROTO_MAX] = {sizeof(u16), sizeof(u16)}, | |
1041 | [OVS_NAT_ATTR_PERSISTENT] = {0, 0}, | |
1042 | [OVS_NAT_ATTR_PROTO_HASH] = {0, 0}, | |
1043 | [OVS_NAT_ATTR_PROTO_RANDOM] = {0, 0}, | |
1044 | }; | |
1045 | int type = nla_type(a); | |
1046 | ||
1047 | if (type > OVS_NAT_ATTR_MAX) { | |
1048 | OVS_NLERR(log, | |
1049 | "Unknown NAT attribute (type=%d, max=%d).\n", | |
1050 | type, OVS_NAT_ATTR_MAX); | |
1051 | return -EINVAL; | |
1052 | } | |
1053 | ||
1054 | if (nla_len(a) != ovs_nat_attr_lens[type][ip_vers]) { | |
1055 | OVS_NLERR(log, | |
1056 | "NAT attribute type %d has unexpected length (%d != %d).\n", | |
1057 | type, nla_len(a), | |
1058 | ovs_nat_attr_lens[type][ip_vers]); | |
1059 | return -EINVAL; | |
1060 | } | |
1061 | ||
1062 | switch (type) { | |
1063 | case OVS_NAT_ATTR_SRC: | |
1064 | case OVS_NAT_ATTR_DST: | |
1065 | if (info->nat) { | |
1066 | OVS_NLERR(log, | |
1067 | "Only one type of NAT may be specified.\n" | |
1068 | ); | |
1069 | return -ERANGE; | |
1070 | } | |
1071 | info->nat |= OVS_CT_NAT; | |
1072 | info->nat |= ((type == OVS_NAT_ATTR_SRC) | |
1073 | ? OVS_CT_SRC_NAT : OVS_CT_DST_NAT); | |
1074 | break; | |
1075 | ||
1076 | case OVS_NAT_ATTR_IP_MIN: | |
70e71d27 HY |
1077 | nla_memcpy(&info->range.min_addr, a, |
1078 | sizeof(info->range.min_addr)); | |
f8f97cdc JR |
1079 | info->range.flags |= NF_NAT_RANGE_MAP_IPS; |
1080 | break; | |
1081 | ||
1082 | case OVS_NAT_ATTR_IP_MAX: | |
1083 | have_ip_max = true; | |
1084 | nla_memcpy(&info->range.max_addr, a, | |
1085 | sizeof(info->range.max_addr)); | |
1086 | info->range.flags |= NF_NAT_RANGE_MAP_IPS; | |
1087 | break; | |
1088 | ||
1089 | case OVS_NAT_ATTR_PROTO_MIN: | |
1090 | info->range.min_proto.all = htons(nla_get_u16(a)); | |
1091 | info->range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED; | |
1092 | break; | |
1093 | ||
1094 | case OVS_NAT_ATTR_PROTO_MAX: | |
1095 | have_proto_max = true; | |
1096 | info->range.max_proto.all = htons(nla_get_u16(a)); | |
1097 | info->range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED; | |
1098 | break; | |
1099 | ||
1100 | case OVS_NAT_ATTR_PERSISTENT: | |
1101 | info->range.flags |= NF_NAT_RANGE_PERSISTENT; | |
1102 | break; | |
1103 | ||
1104 | case OVS_NAT_ATTR_PROTO_HASH: | |
1105 | info->range.flags |= NF_NAT_RANGE_PROTO_RANDOM; | |
1106 | break; | |
1107 | ||
1108 | case OVS_NAT_ATTR_PROTO_RANDOM: | |
9f1de150 | 1109 | #ifdef NF_NAT_RANGE_PROTO_RANDOM_FULLY |
f8f97cdc | 1110 | info->range.flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY; |
9f1de150 JR |
1111 | #else |
1112 | info->range.flags |= NF_NAT_RANGE_PROTO_RANDOM; | |
1113 | info->random_fully_compat = true; | |
1114 | #endif | |
f8f97cdc JR |
1115 | break; |
1116 | ||
1117 | default: | |
1118 | OVS_NLERR(log, "Unknown nat attribute (%d).\n", type); | |
1119 | return -EINVAL; | |
1120 | } | |
1121 | } | |
1122 | ||
1123 | if (rem > 0) { | |
1124 | OVS_NLERR(log, "NAT attribute has %d unknown bytes.\n", rem); | |
1125 | return -EINVAL; | |
1126 | } | |
1127 | if (!info->nat) { | |
1128 | /* Do not allow flags if no type is given. */ | |
1129 | if (info->range.flags) { | |
1130 | OVS_NLERR(log, | |
1131 | "NAT flags may be given only when NAT range (SRC or DST) is also specified.\n" | |
1132 | ); | |
1133 | return -EINVAL; | |
1134 | } | |
1135 | info->nat = OVS_CT_NAT; /* NAT existing connections. */ | |
1136 | } else if (!info->commit) { | |
1137 | OVS_NLERR(log, | |
1138 | "NAT attributes may be specified only when CT COMMIT flag is also specified.\n" | |
1139 | ); | |
1140 | return -EINVAL; | |
1141 | } | |
1142 | /* Allow missing IP_MAX. */ | |
1143 | if (info->range.flags & NF_NAT_RANGE_MAP_IPS && !have_ip_max) { | |
1144 | memcpy(&info->range.max_addr, &info->range.min_addr, | |
1145 | sizeof(info->range.max_addr)); | |
1146 | } | |
1147 | /* Allow missing PROTO_MAX. */ | |
1148 | if (info->range.flags & NF_NAT_RANGE_PROTO_SPECIFIED && | |
1149 | !have_proto_max) { | |
1150 | info->range.max_proto.all = info->range.min_proto.all; | |
1151 | } | |
1152 | return 0; | |
1153 | } | |
1154 | #endif | |
1155 | ||
a94ebc39 | 1156 | static const struct ovs_ct_len_tbl ovs_ct_attr_lens[OVS_CT_ATTR_MAX + 1] = { |
c05e2094 | 1157 | [OVS_CT_ATTR_COMMIT] = { .minlen = 0, .maxlen = 0 }, |
a94ebc39 JS |
1158 | [OVS_CT_ATTR_ZONE] = { .minlen = sizeof(u16), |
1159 | .maxlen = sizeof(u16) }, | |
372ce973 JS |
1160 | [OVS_CT_ATTR_MARK] = { .minlen = sizeof(struct md_mark), |
1161 | .maxlen = sizeof(struct md_mark) }, | |
c05e2094 JS |
1162 | [OVS_CT_ATTR_LABELS] = { .minlen = sizeof(struct md_labels), |
1163 | .maxlen = sizeof(struct md_labels) }, | |
11251c17 | 1164 | [OVS_CT_ATTR_HELPER] = { .minlen = 1, |
f8f97cdc JR |
1165 | .maxlen = NF_CT_HELPER_NAME_LEN }, |
1166 | #ifdef CONFIG_NF_NAT_NEEDED | |
1167 | /* NAT length is checked when parsing the nested attributes. */ | |
1168 | [OVS_CT_ATTR_NAT] = { .minlen = 0, .maxlen = INT_MAX }, | |
1169 | #endif | |
a94ebc39 JS |
1170 | }; |
1171 | ||
1172 | static int parse_ct(const struct nlattr *attr, struct ovs_conntrack_info *info, | |
11251c17 | 1173 | const char **helper, bool log) |
a94ebc39 JS |
1174 | { |
1175 | struct nlattr *a; | |
1176 | int rem; | |
1177 | ||
1178 | nla_for_each_nested(a, attr, rem) { | |
1179 | int type = nla_type(a); | |
1180 | int maxlen = ovs_ct_attr_lens[type].maxlen; | |
1181 | int minlen = ovs_ct_attr_lens[type].minlen; | |
1182 | ||
1183 | if (type > OVS_CT_ATTR_MAX) { | |
1184 | OVS_NLERR(log, | |
1185 | "Unknown conntrack attr (type=%d, max=%d)", | |
1186 | type, OVS_CT_ATTR_MAX); | |
1187 | return -EINVAL; | |
1188 | } | |
1189 | if (nla_len(a) < minlen || nla_len(a) > maxlen) { | |
1190 | OVS_NLERR(log, | |
1191 | "Conntrack attr type has unexpected length (type=%d, length=%d, expected=%d)", | |
1192 | type, nla_len(a), maxlen); | |
1193 | return -EINVAL; | |
1194 | } | |
1195 | ||
1196 | switch (type) { | |
c05e2094 JS |
1197 | case OVS_CT_ATTR_COMMIT: |
1198 | info->commit = true; | |
a94ebc39 JS |
1199 | break; |
1200 | #ifdef CONFIG_NF_CONNTRACK_ZONES | |
1201 | case OVS_CT_ATTR_ZONE: | |
1202 | info->zone.id = nla_get_u16(a); | |
1203 | break; | |
372ce973 JS |
1204 | #endif |
1205 | #ifdef CONFIG_NF_CONNTRACK_MARK | |
1206 | case OVS_CT_ATTR_MARK: { | |
1207 | struct md_mark *mark = nla_data(a); | |
1208 | ||
c05e2094 JS |
1209 | if (!mark->mask) { |
1210 | OVS_NLERR(log, "ct_mark mask cannot be 0"); | |
1211 | return -EINVAL; | |
1212 | } | |
372ce973 JS |
1213 | info->mark = *mark; |
1214 | break; | |
1215 | } | |
038e34ab JS |
1216 | #endif |
1217 | #ifdef CONFIG_NF_CONNTRACK_LABELS | |
c05e2094 JS |
1218 | case OVS_CT_ATTR_LABELS: { |
1219 | struct md_labels *labels = nla_data(a); | |
038e34ab | 1220 | |
c05e2094 JS |
1221 | if (!labels_nonzero(&labels->mask)) { |
1222 | OVS_NLERR(log, "ct_labels mask cannot be 0"); | |
1223 | return -EINVAL; | |
1224 | } | |
1225 | info->labels = *labels; | |
038e34ab JS |
1226 | break; |
1227 | } | |
a94ebc39 | 1228 | #endif |
11251c17 JS |
1229 | case OVS_CT_ATTR_HELPER: |
1230 | *helper = nla_data(a); | |
1231 | if (!memchr(*helper, '\0', nla_len(a))) { | |
1232 | OVS_NLERR(log, "Invalid conntrack helper"); | |
1233 | return -EINVAL; | |
1234 | } | |
1235 | break; | |
f8f97cdc JR |
1236 | #ifdef CONFIG_NF_NAT_NEEDED |
1237 | case OVS_CT_ATTR_NAT: { | |
1238 | int err = parse_nat(a, info, log); | |
1239 | ||
1240 | if (err) | |
1241 | return err; | |
1242 | break; | |
1243 | } | |
1244 | #endif | |
a94ebc39 JS |
1245 | default: |
1246 | OVS_NLERR(log, "Unknown conntrack attr (%d)", | |
1247 | type); | |
1248 | return -EINVAL; | |
1249 | } | |
1250 | } | |
1251 | ||
39a6542b JR |
1252 | #ifdef CONFIG_NF_CONNTRACK_MARK |
1253 | if (!info->commit && info->mark.mask) { | |
1254 | OVS_NLERR(log, | |
1255 | "Setting conntrack mark requires 'commit' flag."); | |
1256 | return -EINVAL; | |
1257 | } | |
1258 | #endif | |
1259 | #ifdef CONFIG_NF_CONNTRACK_LABELS | |
1260 | if (!info->commit && labels_nonzero(&info->labels.mask)) { | |
1261 | OVS_NLERR(log, | |
1262 | "Setting conntrack labels requires 'commit' flag."); | |
1263 | return -EINVAL; | |
1264 | } | |
1265 | #endif | |
a94ebc39 JS |
1266 | if (rem > 0) { |
1267 | OVS_NLERR(log, "Conntrack attr has %d unknown bytes", rem); | |
1268 | return -EINVAL; | |
1269 | } | |
1270 | ||
1271 | return 0; | |
1272 | } | |
1273 | ||
038e34ab | 1274 | bool ovs_ct_verify(struct net *net, enum ovs_key_attr attr) |
a94ebc39 JS |
1275 | { |
1276 | if (attr == OVS_KEY_ATTR_CT_STATE) | |
1277 | return true; | |
1278 | if (IS_ENABLED(CONFIG_NF_CONNTRACK_ZONES) && | |
1279 | attr == OVS_KEY_ATTR_CT_ZONE) | |
1280 | return true; | |
372ce973 JS |
1281 | if (IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) && |
1282 | attr == OVS_KEY_ATTR_CT_MARK) | |
1283 | return true; | |
038e34ab | 1284 | if (IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS) && |
c05e2094 | 1285 | attr == OVS_KEY_ATTR_CT_LABELS) { |
038e34ab JS |
1286 | struct ovs_net *ovs_net = net_generic(net, ovs_net_id); |
1287 | ||
1288 | return ovs_net->xt_label; | |
1289 | } | |
a94ebc39 JS |
1290 | |
1291 | return false; | |
1292 | } | |
1293 | ||
1294 | int ovs_ct_copy_action(struct net *net, const struct nlattr *attr, | |
1295 | const struct sw_flow_key *key, | |
1296 | struct sw_flow_actions **sfa, bool log) | |
1297 | { | |
1298 | struct ovs_conntrack_info ct_info; | |
11251c17 | 1299 | const char *helper = NULL; |
a94ebc39 JS |
1300 | u16 family; |
1301 | int err; | |
1302 | ||
1303 | family = key_to_nfproto(key); | |
1304 | if (family == NFPROTO_UNSPEC) { | |
1305 | OVS_NLERR(log, "ct family unspecified"); | |
1306 | return -EINVAL; | |
1307 | } | |
1308 | ||
1309 | memset(&ct_info, 0, sizeof(ct_info)); | |
1310 | ct_info.family = family; | |
1311 | ||
1312 | nf_ct_zone_init(&ct_info.zone, NF_CT_DEFAULT_ZONE_ID, | |
1313 | NF_CT_DEFAULT_ZONE_DIR, 0); | |
1314 | ||
11251c17 | 1315 | err = parse_ct(attr, &ct_info, &helper, log); |
a94ebc39 JS |
1316 | if (err) |
1317 | return err; | |
1318 | ||
1319 | /* Set up template for tracking connections in specific zones. */ | |
1320 | ct_info.ct = nf_ct_tmpl_alloc(net, &ct_info.zone, GFP_KERNEL); | |
1321 | if (!ct_info.ct) { | |
1322 | OVS_NLERR(log, "Failed to allocate conntrack template"); | |
1323 | return -ENOMEM; | |
1324 | } | |
a3a68d63 JS |
1325 | |
1326 | __set_bit(IPS_CONFIRMED_BIT, &ct_info.ct->status); | |
1327 | nf_conntrack_get(&ct_info.ct->ct_general); | |
1328 | ||
11251c17 JS |
1329 | if (helper) { |
1330 | err = ovs_ct_add_helper(&ct_info, helper, key, log); | |
1331 | if (err) | |
1332 | goto err_free_ct; | |
1333 | } | |
a94ebc39 JS |
1334 | |
1335 | err = ovs_nla_add_action(sfa, OVS_ACTION_ATTR_CT, &ct_info, | |
1336 | sizeof(ct_info), log); | |
1337 | if (err) | |
1338 | goto err_free_ct; | |
1339 | ||
a94ebc39 JS |
1340 | return 0; |
1341 | err_free_ct: | |
11251c17 | 1342 | __ovs_ct_free_action(&ct_info); |
a94ebc39 JS |
1343 | return err; |
1344 | } | |
1345 | ||
f8f97cdc JR |
1346 | #ifdef CONFIG_NF_NAT_NEEDED |
1347 | static bool ovs_ct_nat_to_attr(const struct ovs_conntrack_info *info, | |
1348 | struct sk_buff *skb) | |
1349 | { | |
1350 | struct nlattr *start; | |
1351 | ||
1352 | start = nla_nest_start(skb, OVS_CT_ATTR_NAT); | |
1353 | if (!start) | |
1354 | return false; | |
1355 | ||
1356 | if (info->nat & OVS_CT_SRC_NAT) { | |
1357 | if (nla_put_flag(skb, OVS_NAT_ATTR_SRC)) | |
1358 | return false; | |
1359 | } else if (info->nat & OVS_CT_DST_NAT) { | |
1360 | if (nla_put_flag(skb, OVS_NAT_ATTR_DST)) | |
1361 | return false; | |
1362 | } else { | |
1363 | goto out; | |
1364 | } | |
1365 | ||
1366 | if (info->range.flags & NF_NAT_RANGE_MAP_IPS) { | |
90b01477 AB |
1367 | if (IS_ENABLED(CONFIG_NF_NAT_IPV4) && |
1368 | info->family == NFPROTO_IPV4) { | |
f8f97cdc JR |
1369 | if (nla_put_in_addr(skb, OVS_NAT_ATTR_IP_MIN, |
1370 | info->range.min_addr.ip) || | |
1371 | (info->range.max_addr.ip | |
1372 | != info->range.min_addr.ip && | |
1373 | (nla_put_in_addr(skb, OVS_NAT_ATTR_IP_MAX, | |
1374 | info->range.max_addr.ip)))) | |
1375 | return false; | |
90b01477 AB |
1376 | } else if (IS_ENABLED(CONFIG_NF_NAT_IPV6) && |
1377 | info->family == NFPROTO_IPV6) { | |
f8f97cdc JR |
1378 | if (nla_put_in6_addr(skb, OVS_NAT_ATTR_IP_MIN, |
1379 | &info->range.min_addr.in6) || | |
1380 | (memcmp(&info->range.max_addr.in6, | |
1381 | &info->range.min_addr.in6, | |
1382 | sizeof(info->range.max_addr.in6)) && | |
1383 | (nla_put_in6_addr(skb, OVS_NAT_ATTR_IP_MAX, | |
1384 | &info->range.max_addr.in6)))) | |
1385 | return false; | |
f8f97cdc JR |
1386 | } else { |
1387 | return false; | |
1388 | } | |
1389 | } | |
1390 | if (info->range.flags & NF_NAT_RANGE_PROTO_SPECIFIED && | |
1391 | (nla_put_u16(skb, OVS_NAT_ATTR_PROTO_MIN, | |
1392 | ntohs(info->range.min_proto.all)) || | |
1393 | (info->range.max_proto.all != info->range.min_proto.all && | |
1394 | nla_put_u16(skb, OVS_NAT_ATTR_PROTO_MAX, | |
1395 | ntohs(info->range.max_proto.all))))) | |
1396 | return false; | |
1397 | ||
1398 | if (info->range.flags & NF_NAT_RANGE_PERSISTENT && | |
1399 | nla_put_flag(skb, OVS_NAT_ATTR_PERSISTENT)) | |
1400 | return false; | |
1401 | if (info->range.flags & NF_NAT_RANGE_PROTO_RANDOM && | |
9f1de150 JR |
1402 | nla_put_flag(skb, info->random_fully_compat |
1403 | ? OVS_NAT_ATTR_PROTO_RANDOM | |
1404 | : OVS_NAT_ATTR_PROTO_HASH)) | |
f8f97cdc | 1405 | return false; |
9f1de150 | 1406 | #ifdef NF_NAT_RANGE_PROTO_RANDOM_FULLY |
f8f97cdc JR |
1407 | if (info->range.flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY && |
1408 | nla_put_flag(skb, OVS_NAT_ATTR_PROTO_RANDOM)) | |
1409 | return false; | |
9f1de150 | 1410 | #endif |
f8f97cdc JR |
1411 | out: |
1412 | nla_nest_end(skb, start); | |
1413 | ||
1414 | return true; | |
1415 | } | |
1416 | #endif | |
1417 | ||
a94ebc39 JS |
1418 | int ovs_ct_action_to_attr(const struct ovs_conntrack_info *ct_info, |
1419 | struct sk_buff *skb) | |
1420 | { | |
1421 | struct nlattr *start; | |
1422 | ||
1423 | start = nla_nest_start(skb, OVS_ACTION_ATTR_CT); | |
1424 | if (!start) | |
1425 | return -EMSGSIZE; | |
1426 | ||
c05e2094 | 1427 | if (ct_info->commit && nla_put_flag(skb, OVS_CT_ATTR_COMMIT)) |
a94ebc39 JS |
1428 | return -EMSGSIZE; |
1429 | if (IS_ENABLED(CONFIG_NF_CONNTRACK_ZONES) && | |
1430 | nla_put_u16(skb, OVS_CT_ATTR_ZONE, ct_info->zone.id)) | |
1431 | return -EMSGSIZE; | |
c05e2094 | 1432 | if (IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) && ct_info->mark.mask && |
372ce973 JS |
1433 | nla_put(skb, OVS_CT_ATTR_MARK, sizeof(ct_info->mark), |
1434 | &ct_info->mark)) | |
1435 | return -EMSGSIZE; | |
038e34ab | 1436 | if (IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS) && |
c05e2094 JS |
1437 | labels_nonzero(&ct_info->labels.mask) && |
1438 | nla_put(skb, OVS_CT_ATTR_LABELS, sizeof(ct_info->labels), | |
1439 | &ct_info->labels)) | |
038e34ab | 1440 | return -EMSGSIZE; |
11251c17 JS |
1441 | if (ct_info->helper) { |
1442 | if (nla_put_string(skb, OVS_CT_ATTR_HELPER, | |
1443 | ct_info->helper->name)) | |
1444 | return -EMSGSIZE; | |
1445 | } | |
f8f97cdc JR |
1446 | #ifdef CONFIG_NF_NAT_NEEDED |
1447 | if (ct_info->nat && !ovs_ct_nat_to_attr(ct_info, skb)) | |
1448 | return -EMSGSIZE; | |
1449 | #endif | |
a94ebc39 JS |
1450 | nla_nest_end(skb, start); |
1451 | ||
1452 | return 0; | |
1453 | } | |
1454 | ||
1455 | void ovs_ct_free_action(const struct nlattr *a) | |
1456 | { | |
1457 | struct ovs_conntrack_info *ct_info = nla_data(a); | |
1458 | ||
11251c17 JS |
1459 | __ovs_ct_free_action(ct_info); |
1460 | } | |
1461 | ||
1462 | static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info) | |
1463 | { | |
1464 | if (ct_info->helper) | |
1465 | module_put(ct_info->helper->me); | |
a94ebc39 JS |
1466 | if (ct_info->ct) |
1467 | nf_ct_tmpl_free(ct_info->ct); | |
1468 | } | |
1469 | ||
038e34ab JS |
1470 | void ovs_ct_init(struct net *net) |
1471 | { | |
c05e2094 | 1472 | unsigned int n_bits = sizeof(struct ovs_key_ct_labels) * BITS_PER_BYTE; |
038e34ab JS |
1473 | struct ovs_net *ovs_net = net_generic(net, ovs_net_id); |
1474 | ||
7f2ab8cd | 1475 | if (nf_connlabels_get(net, n_bits - 1)) { |
038e34ab JS |
1476 | ovs_net->xt_label = false; |
1477 | OVS_NLERR(true, "Failed to set connlabel length"); | |
1478 | } else { | |
1479 | ovs_net->xt_label = true; | |
1480 | } | |
1481 | } | |
1482 | ||
1483 | void ovs_ct_exit(struct net *net) | |
1484 | { | |
1485 | struct ovs_net *ovs_net = net_generic(net, ovs_net_id); | |
1486 | ||
1487 | if (ovs_net->xt_label) | |
1488 | nf_connlabels_put(net); | |
1489 | } | |
1490 | ||
8063e095 | 1491 | #endif /* CONFIG_NF_CONNTRACK */ |