2 * Copyright (c) 2015, 2016, 2017 Nicira, Inc.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
20 #include <sys/types.h>
21 #include <netinet/in.h>
22 #include <netinet/icmp6.h>
26 #include "conntrack.h"
27 #include "conntrack-private.h"
31 #include "dp-packet.h"
34 #include "odp-netlink.h"
35 #include "openvswitch/hmap.h"
36 #include "openvswitch/vlog.h"
38 #include "ovs-thread.h"
39 #include "openvswitch/poll-loop.h"
43 VLOG_DEFINE_THIS_MODULE(conntrack
);
45 COVERAGE_DEFINE(conntrack_full
);
46 COVERAGE_DEFINE(conntrack_long_cleanup
);
48 struct conn_lookup_ctx
{
57 /* Control packets with address and/or port specifiers. */
59 /* Control packets without address and/or port specifiers. */
70 enum ct_alg_ctl_type
{
74 /* SIP is not enabled through Openflow and presently only used as
75 * an example of an alg that allows a wildcard src ip. */
79 static bool conn_key_extract(struct conntrack
*, struct dp_packet
*,
80 ovs_be16 dl_type
, struct conn_lookup_ctx
*,
82 static uint32_t conn_key_hash(const struct conn_key
*, uint32_t basis
);
83 static void conn_key_reverse(struct conn_key
*);
84 static void conn_key_lookup(struct conntrack_bucket
*ctb
,
85 struct conn_lookup_ctx
*ctx
,
87 static bool valid_new(struct dp_packet
*pkt
, struct conn_key
*);
88 static struct conn
*new_conn(struct conntrack_bucket
*, struct dp_packet
*pkt
,
89 struct conn_key
*, long long now
);
90 static void delete_conn(struct conn
*);
91 static enum ct_update_res
conn_update(struct conn
*,
92 struct conntrack_bucket
*ctb
,
93 struct dp_packet
*, bool reply
,
95 static bool conn_expired(struct conn
*, long long now
);
96 static void set_mark(struct dp_packet
*, struct conn
*,
97 uint32_t val
, uint32_t mask
);
98 static void set_label(struct dp_packet
*, struct conn
*,
99 const struct ovs_key_ct_labels
*val
,
100 const struct ovs_key_ct_labels
*mask
);
101 static void *clean_thread_main(void *f_
);
103 static struct nat_conn_key_node
*
104 nat_conn_keys_lookup(struct hmap
*nat_conn_keys
,
105 const struct conn_key
*key
,
109 nat_conn_keys_insert(struct hmap
*nat_conn_keys
,
110 const struct conn
*nat_conn
,
111 uint32_t hash_basis
);
114 nat_conn_keys_remove(struct hmap
*nat_conn_keys
,
115 const struct conn_key
*key
,
119 nat_select_range_tuple(struct conntrack
*ct
, const struct conn
*conn
,
120 struct conn
*nat_conn
);
123 reverse_icmp_type(uint8_t type
);
125 reverse_icmp6_type(uint8_t type
);
127 extract_l3_ipv4(struct conn_key
*key
, const void *data
, size_t size
,
128 const char **new_data
, bool validate_checksum
);
130 extract_l3_ipv6(struct conn_key
*key
, const void *data
, size_t size
,
131 const char **new_data
);
133 static struct alg_exp_node
*
134 expectation_lookup(struct hmap
*alg_expectations
, const struct conn_key
*key
,
135 uint32_t basis
, bool src_ip_wc
);
138 repl_ftp_v4_addr(struct dp_packet
*pkt
, ovs_be32 v4_addr_rep
,
139 char *ftp_data_v4_start
,
140 size_t addr_offset_from_ftp_data_start
);
142 static enum ftp_ctl_pkt
143 process_ftp_ctl_v4(struct conntrack
*ct
,
144 struct dp_packet
*pkt
,
145 const struct conn
*conn_for_expectation
,
146 ovs_be32
*v4_addr_rep
,
147 char **ftp_data_v4_start
,
148 size_t *addr_offset_from_ftp_data_start
);
150 static enum ftp_ctl_pkt
151 detect_ftp_ctl_type(const struct conn_lookup_ctx
*ctx
,
152 struct dp_packet
*pkt
);
155 expectation_clean(struct conntrack
*ct
, const struct conn_key
*master_key
,
158 static struct ct_l4_proto
*l4_protos
[] = {
159 [IPPROTO_TCP
] = &ct_proto_tcp
,
160 [IPPROTO_UDP
] = &ct_proto_other
,
161 [IPPROTO_ICMP
] = &ct_proto_icmp4
,
162 [IPPROTO_ICMPV6
] = &ct_proto_icmp6
,
166 handle_ftp_ctl(struct conntrack
*ct
, const struct conn_lookup_ctx
*ctx
,
167 struct dp_packet
*pkt
,
168 const struct conn
*conn_for_expectation
,
169 long long now
, enum ftp_ctl_pkt ftp_ctl
, bool nat
);
172 handle_tftp_ctl(struct conntrack
*ct
,
173 const struct conn_lookup_ctx
*ctx OVS_UNUSED
,
174 struct dp_packet
*pkt
,
175 const struct conn
*conn_for_expectation
,
176 long long now OVS_UNUSED
,
177 enum ftp_ctl_pkt ftp_ctl OVS_UNUSED
, bool nat OVS_UNUSED
);
179 typedef void (*alg_helper
)(struct conntrack
*ct
,
180 const struct conn_lookup_ctx
*ctx
,
181 struct dp_packet
*pkt
,
182 const struct conn
*conn_for_expectation
,
183 long long now
, enum ftp_ctl_pkt ftp_ctl
,
186 static alg_helper alg_helpers
[] = {
187 [CT_ALG_CTL_NONE
] = NULL
,
188 [CT_ALG_CTL_FTP
] = handle_ftp_ctl
,
189 [CT_ALG_CTL_TFTP
] = handle_tftp_ctl
,
192 long long ct_timeout_val
[] = {
193 #define CT_TIMEOUT(NAME, VAL) [CT_TM_##NAME] = VAL,
198 /* The maximum TCP or UDP port number. */
199 #define CT_MAX_L4_PORT 65535
200 /* String buffer used for parsing FTP string messages.
201 * This is sized about twice what is needed to leave some
202 * margin of error. */
203 #define LARGEST_FTP_MSG_OF_INTEREST 128
204 /* FTP port string used in active mode. */
205 #define FTP_PORT_CMD "PORT"
206 /* FTP pasv string used in passive mode. */
207 #define FTP_PASV_REPLY_CODE "227"
208 /* Maximum decimal digits for port in FTP command.
209 * The port is represented as two 3 digit numbers with the
210 * high part a multiple of 256. */
211 #define MAX_FTP_PORT_DGTS 3
213 /* FTP extension EPRT string used for active mode. */
214 #define FTP_EPRT_CMD "EPRT"
215 /* FTP extension EPSV string used for passive mode. */
216 #define FTP_EPSV_REPLY "EXTENDED PASSIVE"
217 /* Maximum decimal digits for port in FTP extended command. */
218 #define MAX_EXT_FTP_PORT_DGTS 5
219 /* FTP extended command code for IPv6. */
220 #define FTP_AF_V6 '2'
221 /* Used to indicate a wildcard L4 source port number for ALGs.
222 * This is used for port numbers that we cannot predict in
224 #define ALG_WC_SRC_PORT 0
226 /* If the total number of connections goes above this value, no new connections
227 * are accepted; this is for CT_CONN_TYPE_DEFAULT connections. */
228 #define DEFAULT_N_CONN_LIMIT 3000000
230 /* Does a member by member comparison of two conn_keys; this
231 * function must be kept in sync with struct conn_key; returns 0
232 * if the keys are equal or 1 if the keys are not equal. */
234 conn_key_cmp(const struct conn_key
*key1
, const struct conn_key
*key2
)
236 if (!memcmp(&key1
->src
.addr
, &key2
->src
.addr
, sizeof key1
->src
.addr
) &&
237 !memcmp(&key1
->dst
.addr
, &key2
->dst
.addr
, sizeof key1
->dst
.addr
) &&
238 (key1
->src
.icmp_id
== key2
->src
.icmp_id
) &&
239 (key1
->src
.icmp_type
== key2
->src
.icmp_type
) &&
240 (key1
->src
.icmp_code
== key2
->src
.icmp_code
) &&
241 (key1
->dst
.icmp_id
== key2
->dst
.icmp_id
) &&
242 (key1
->dst
.icmp_type
== key2
->dst
.icmp_type
) &&
243 (key1
->dst
.icmp_code
== key2
->dst
.icmp_code
) &&
244 (key1
->dl_type
== key2
->dl_type
) &&
245 (key1
->zone
== key2
->zone
) &&
246 (key1
->nw_proto
== key2
->nw_proto
)) {
254 ct_print_conn_info(const struct conn
*c
, const char *log_msg
,
255 enum vlog_level vll
, bool force
, bool rl_on
)
257 #define CT_VLOG(RL_ON, LEVEL, ...) \
260 static struct vlog_rate_limit rl_ = VLOG_RATE_LIMIT_INIT(5, 5); \
261 vlog_rate_limit(&this_module, LEVEL, &rl_, __VA_ARGS__); \
263 vlog(&this_module, LEVEL, __VA_ARGS__); \
267 if (OVS_UNLIKELY(force
|| vlog_is_enabled(&this_module
, vll
))) {
268 if (c
->key
.dl_type
== htons(ETH_TYPE_IP
)) {
269 CT_VLOG(rl_on
, vll
, "%s: src ip "IP_FMT
" dst ip "IP_FMT
" rev src "
270 "ip "IP_FMT
" rev dst ip "IP_FMT
" src/dst ports "
271 "%"PRIu16
"/%"PRIu16
" rev src/dst ports "
272 "%"PRIu16
"/%"PRIu16
" zone/rev zone "
273 "%"PRIu16
"/%"PRIu16
" nw_proto/rev nw_proto "
274 "%"PRIu8
"/%"PRIu8
, log_msg
,
275 IP_ARGS(c
->key
.src
.addr
.ipv4_aligned
),
276 IP_ARGS(c
->key
.dst
.addr
.ipv4_aligned
),
277 IP_ARGS(c
->rev_key
.src
.addr
.ipv4_aligned
),
278 IP_ARGS(c
->rev_key
.dst
.addr
.ipv4_aligned
),
279 ntohs(c
->key
.src
.port
), ntohs(c
->key
.dst
.port
),
280 ntohs(c
->rev_key
.src
.port
), ntohs(c
->rev_key
.dst
.port
),
281 c
->key
.zone
, c
->rev_key
.zone
, c
->key
.nw_proto
,
282 c
->rev_key
.nw_proto
);
284 char ip6_s
[INET6_ADDRSTRLEN
];
285 inet_ntop(AF_INET6
, &c
->key
.src
.addr
.ipv6
, ip6_s
, sizeof ip6_s
);
286 char ip6_d
[INET6_ADDRSTRLEN
];
287 inet_ntop(AF_INET6
, &c
->key
.dst
.addr
.ipv6
, ip6_d
, sizeof ip6_d
);
288 char ip6_rs
[INET6_ADDRSTRLEN
];
289 inet_ntop(AF_INET6
, &c
->rev_key
.src
.addr
.ipv6
, ip6_rs
,
291 char ip6_rd
[INET6_ADDRSTRLEN
];
292 inet_ntop(AF_INET6
, &c
->rev_key
.dst
.addr
.ipv6
, ip6_rd
,
295 CT_VLOG(rl_on
, vll
, "%s: src ip %s dst ip %s rev src ip %s"
296 " rev dst ip %s src/dst ports %"PRIu16
"/%"PRIu16
297 " rev src/dst ports %"PRIu16
"/%"PRIu16
" zone/rev zone "
298 "%"PRIu16
"/%"PRIu16
" nw_proto/rev nw_proto "
299 "%"PRIu8
"/%"PRIu8
, log_msg
, ip6_s
, ip6_d
, ip6_rs
,
300 ip6_rd
, ntohs(c
->key
.src
.port
), ntohs(c
->key
.dst
.port
),
301 ntohs(c
->rev_key
.src
.port
), ntohs(c
->rev_key
.dst
.port
),
302 c
->key
.zone
, c
->rev_key
.zone
, c
->key
.nw_proto
,
303 c
->rev_key
.nw_proto
);
308 /* Initializes the connection tracker 'ct'. The caller is responsible for
309 * calling 'conntrack_destroy()', when the instance is not needed anymore */
311 conntrack_init(struct conntrack
*ct
)
313 long long now
= time_msec();
315 ct_rwlock_init(&ct
->resources_lock
);
316 ct_rwlock_wrlock(&ct
->resources_lock
);
317 hmap_init(&ct
->nat_conn_keys
);
318 hmap_init(&ct
->alg_expectations
);
319 hindex_init(&ct
->alg_expectation_refs
);
320 ovs_list_init(&ct
->alg_exp_list
);
321 ct_rwlock_unlock(&ct
->resources_lock
);
323 for (unsigned i
= 0; i
< CONNTRACK_BUCKETS
; i
++) {
324 struct conntrack_bucket
*ctb
= &ct
->buckets
[i
];
326 ct_lock_init(&ctb
->lock
);
327 ct_lock_lock(&ctb
->lock
);
328 hmap_init(&ctb
->connections
);
329 for (unsigned j
= 0; j
< ARRAY_SIZE(ctb
->exp_lists
); j
++) {
330 ovs_list_init(&ctb
->exp_lists
[j
]);
332 ct_lock_unlock(&ctb
->lock
);
333 ovs_mutex_init(&ctb
->cleanup_mutex
);
334 ovs_mutex_lock(&ctb
->cleanup_mutex
);
335 ctb
->next_cleanup
= now
+ CT_TM_MIN
;
336 ovs_mutex_unlock(&ctb
->cleanup_mutex
);
338 ct
->hash_basis
= random_uint32();
339 atomic_count_init(&ct
->n_conn
, 0);
340 atomic_init(&ct
->n_conn_limit
, DEFAULT_N_CONN_LIMIT
);
341 latch_init(&ct
->clean_thread_exit
);
342 ct
->clean_thread
= ovs_thread_create("ct_clean", clean_thread_main
, ct
);
345 /* Destroys the connection tracker 'ct' and frees all the allocated memory. */
347 conntrack_destroy(struct conntrack
*ct
)
349 latch_set(&ct
->clean_thread_exit
);
350 pthread_join(ct
->clean_thread
, NULL
);
351 latch_destroy(&ct
->clean_thread_exit
);
352 for (unsigned i
= 0; i
< CONNTRACK_BUCKETS
; i
++) {
353 struct conntrack_bucket
*ctb
= &ct
->buckets
[i
];
356 ovs_mutex_destroy(&ctb
->cleanup_mutex
);
357 ct_lock_lock(&ctb
->lock
);
358 HMAP_FOR_EACH_POP (conn
, node
, &ctb
->connections
) {
359 if (conn
->conn_type
== CT_CONN_TYPE_DEFAULT
) {
360 atomic_count_dec(&ct
->n_conn
);
364 hmap_destroy(&ctb
->connections
);
365 ct_lock_unlock(&ctb
->lock
);
366 ct_lock_destroy(&ctb
->lock
);
368 ct_rwlock_wrlock(&ct
->resources_lock
);
369 struct nat_conn_key_node
*nat_conn_key_node
;
370 HMAP_FOR_EACH_POP (nat_conn_key_node
, node
, &ct
->nat_conn_keys
) {
371 free(nat_conn_key_node
);
373 hmap_destroy(&ct
->nat_conn_keys
);
375 struct alg_exp_node
*alg_exp_node
;
376 HMAP_FOR_EACH_POP (alg_exp_node
, node
, &ct
->alg_expectations
) {
380 ovs_list_poison(&ct
->alg_exp_list
);
381 hmap_destroy(&ct
->alg_expectations
);
382 hindex_destroy(&ct
->alg_expectation_refs
);
383 ct_rwlock_unlock(&ct
->resources_lock
);
384 ct_rwlock_destroy(&ct
->resources_lock
);
387 static unsigned hash_to_bucket(uint32_t hash
)
389 /* Extracts the most significant bits in hash. The least significant bits
390 * are already used internally by the hmap implementation. */
391 BUILD_ASSERT(CONNTRACK_BUCKETS_SHIFT
< 32 && CONNTRACK_BUCKETS_SHIFT
>= 1);
393 return (hash
>> (32 - CONNTRACK_BUCKETS_SHIFT
)) % CONNTRACK_BUCKETS
;
397 write_ct_md(struct dp_packet
*pkt
, uint16_t zone
, const struct conn
*conn
,
398 const struct conn_key
*key
, const struct alg_exp_node
*alg_exp
)
400 pkt
->md
.ct_state
|= CS_TRACKED
;
401 pkt
->md
.ct_zone
= zone
;
402 pkt
->md
.ct_mark
= conn
? conn
->mark
: 0;
403 pkt
->md
.ct_label
= conn
? conn
->label
: OVS_U128_ZERO
;
405 /* Use the original direction tuple if we have it. */
407 if (conn
->alg_related
) {
408 key
= &conn
->master_key
;
412 } else if (alg_exp
) {
413 pkt
->md
.ct_mark
= alg_exp
->master_mark
;
414 pkt
->md
.ct_label
= alg_exp
->master_label
;
415 key
= &alg_exp
->master_key
;
418 pkt
->md
.ct_orig_tuple_ipv6
= false;
421 if (key
->dl_type
== htons(ETH_TYPE_IP
)) {
422 pkt
->md
.ct_orig_tuple
.ipv4
= (struct ovs_key_ct_tuple_ipv4
) {
423 key
->src
.addr
.ipv4_aligned
,
424 key
->dst
.addr
.ipv4_aligned
,
425 key
->nw_proto
!= IPPROTO_ICMP
426 ? key
->src
.port
: htons(key
->src
.icmp_type
),
427 key
->nw_proto
!= IPPROTO_ICMP
428 ? key
->dst
.port
: htons(key
->src
.icmp_code
),
432 pkt
->md
.ct_orig_tuple_ipv6
= true;
433 pkt
->md
.ct_orig_tuple
.ipv6
= (struct ovs_key_ct_tuple_ipv6
) {
434 key
->src
.addr
.ipv6_aligned
,
435 key
->dst
.addr
.ipv6_aligned
,
436 key
->nw_proto
!= IPPROTO_ICMPV6
437 ? key
->src
.port
: htons(key
->src
.icmp_type
),
438 key
->nw_proto
!= IPPROTO_ICMPV6
439 ? key
->dst
.port
: htons(key
->src
.icmp_code
),
444 memset(&pkt
->md
.ct_orig_tuple
, 0, sizeof pkt
->md
.ct_orig_tuple
);
449 get_ip_proto(const struct dp_packet
*pkt
)
452 struct eth_header
*l2
= dp_packet_eth(pkt
);
453 if (l2
->eth_type
== htons(ETH_TYPE_IPV6
)) {
454 struct ovs_16aligned_ip6_hdr
*nh6
= dp_packet_l3(pkt
);
455 ip_proto
= nh6
->ip6_ctlun
.ip6_un1
.ip6_un1_nxt
;
457 struct ip_header
*l3_hdr
= dp_packet_l3(pkt
);
458 ip_proto
= l3_hdr
->ip_proto
;
465 is_ftp_ctl(const enum ct_alg_ctl_type ct_alg_ctl
)
467 return ct_alg_ctl
== CT_ALG_CTL_FTP
;
470 static enum ct_alg_ctl_type
471 get_alg_ctl_type(const struct dp_packet
*pkt
, ovs_be16 tp_src
, ovs_be16 tp_dst
,
474 /* CT_IPPORT_FTP/TFTP is used because IPPORT_FTP/TFTP in not defined
475 * in OSX, at least in in.h. Since these values will never change, remove
476 * the external dependency. */
477 enum { CT_IPPORT_FTP
= 21 };
478 enum { CT_IPPORT_TFTP
= 69 };
479 uint8_t ip_proto
= get_ip_proto(pkt
);
480 struct udp_header
*uh
= dp_packet_l4(pkt
);
481 struct tcp_header
*th
= dp_packet_l4(pkt
);
482 ovs_be16 ftp_src_port
= htons(CT_IPPORT_FTP
);
483 ovs_be16 ftp_dst_port
= htons(CT_IPPORT_FTP
);
484 ovs_be16 tftp_dst_port
= htons(CT_IPPORT_TFTP
);
486 if (OVS_UNLIKELY(tp_dst
)) {
487 if (helper
&& !strncmp(helper
, "ftp", strlen("ftp"))) {
488 ftp_dst_port
= tp_dst
;
489 } else if (helper
&& !strncmp(helper
, "tftp", strlen("tftp"))) {
490 tftp_dst_port
= tp_dst
;
492 } else if (OVS_UNLIKELY(tp_src
)) {
493 if (helper
&& !strncmp(helper
, "ftp", strlen("ftp"))) {
494 ftp_src_port
= tp_src
;
498 if (ip_proto
== IPPROTO_UDP
&& uh
->udp_dst
== tftp_dst_port
) {
499 return CT_ALG_CTL_TFTP
;
500 } else if (ip_proto
== IPPROTO_TCP
&&
501 (th
->tcp_src
== ftp_src_port
|| th
->tcp_dst
== ftp_dst_port
)) {
502 return CT_ALG_CTL_FTP
;
504 return CT_ALG_CTL_NONE
;
508 alg_src_ip_wc(enum ct_alg_ctl_type alg_ctl_type
)
510 if (alg_ctl_type
== CT_ALG_CTL_SIP
) {
517 handle_alg_ctl(struct conntrack
*ct
, const struct conn_lookup_ctx
*ctx
,
518 struct dp_packet
*pkt
, enum ct_alg_ctl_type ct_alg_ctl
,
519 const struct conn
*conn
, long long now
, bool nat
,
520 const struct conn
*conn_for_expectation
)
522 /* ALG control packet handling with expectation creation. */
523 if (OVS_UNLIKELY(alg_helpers
[ct_alg_ctl
] && conn
&& conn
->alg
)) {
524 alg_helpers
[ct_alg_ctl
](ct
, ctx
, pkt
, conn_for_expectation
, now
,
525 CT_FTP_CTL_INTEREST
, nat
);
530 pat_packet(struct dp_packet
*pkt
, const struct conn
*conn
)
532 if (conn
->nat_info
->nat_action
& NAT_ACTION_SRC
) {
533 if (conn
->key
.nw_proto
== IPPROTO_TCP
) {
534 struct tcp_header
*th
= dp_packet_l4(pkt
);
535 packet_set_tcp_port(pkt
, conn
->rev_key
.dst
.port
, th
->tcp_dst
);
536 } else if (conn
->key
.nw_proto
== IPPROTO_UDP
) {
537 struct udp_header
*uh
= dp_packet_l4(pkt
);
538 packet_set_udp_port(pkt
, conn
->rev_key
.dst
.port
, uh
->udp_dst
);
540 } else if (conn
->nat_info
->nat_action
& NAT_ACTION_DST
) {
541 if (conn
->key
.nw_proto
== IPPROTO_TCP
) {
542 struct tcp_header
*th
= dp_packet_l4(pkt
);
543 packet_set_tcp_port(pkt
, th
->tcp_src
, conn
->rev_key
.src
.port
);
544 } else if (conn
->key
.nw_proto
== IPPROTO_UDP
) {
545 struct udp_header
*uh
= dp_packet_l4(pkt
);
546 packet_set_udp_port(pkt
, uh
->udp_src
, conn
->rev_key
.src
.port
);
552 nat_packet(struct dp_packet
*pkt
, const struct conn
*conn
, bool related
)
554 if (conn
->nat_info
->nat_action
& NAT_ACTION_SRC
) {
555 pkt
->md
.ct_state
|= CS_SRC_NAT
;
556 if (conn
->key
.dl_type
== htons(ETH_TYPE_IP
)) {
557 struct ip_header
*nh
= dp_packet_l3(pkt
);
558 packet_set_ipv4_addr(pkt
, &nh
->ip_src
,
559 conn
->rev_key
.dst
.addr
.ipv4_aligned
);
561 struct ovs_16aligned_ip6_hdr
*nh6
= dp_packet_l3(pkt
);
562 packet_set_ipv6_addr(pkt
, conn
->key
.nw_proto
,
564 &conn
->rev_key
.dst
.addr
.ipv6_aligned
,
568 pat_packet(pkt
, conn
);
570 } else if (conn
->nat_info
->nat_action
& NAT_ACTION_DST
) {
571 pkt
->md
.ct_state
|= CS_DST_NAT
;
572 if (conn
->key
.dl_type
== htons(ETH_TYPE_IP
)) {
573 struct ip_header
*nh
= dp_packet_l3(pkt
);
574 packet_set_ipv4_addr(pkt
, &nh
->ip_dst
,
575 conn
->rev_key
.src
.addr
.ipv4_aligned
);
577 struct ovs_16aligned_ip6_hdr
*nh6
= dp_packet_l3(pkt
);
578 packet_set_ipv6_addr(pkt
, conn
->key
.nw_proto
,
580 &conn
->rev_key
.src
.addr
.ipv6_aligned
,
584 pat_packet(pkt
, conn
);
590 un_pat_packet(struct dp_packet
*pkt
, const struct conn
*conn
)
592 if (conn
->nat_info
->nat_action
& NAT_ACTION_SRC
) {
593 if (conn
->key
.nw_proto
== IPPROTO_TCP
) {
594 struct tcp_header
*th
= dp_packet_l4(pkt
);
595 packet_set_tcp_port(pkt
, th
->tcp_src
, conn
->key
.src
.port
);
596 } else if (conn
->key
.nw_proto
== IPPROTO_UDP
) {
597 struct udp_header
*uh
= dp_packet_l4(pkt
);
598 packet_set_udp_port(pkt
, uh
->udp_src
, conn
->key
.src
.port
);
600 } else if (conn
->nat_info
->nat_action
& NAT_ACTION_DST
) {
601 if (conn
->key
.nw_proto
== IPPROTO_TCP
) {
602 struct tcp_header
*th
= dp_packet_l4(pkt
);
603 packet_set_tcp_port(pkt
, conn
->key
.dst
.port
, th
->tcp_dst
);
604 } else if (conn
->key
.nw_proto
== IPPROTO_UDP
) {
605 struct udp_header
*uh
= dp_packet_l4(pkt
);
606 packet_set_udp_port(pkt
, conn
->key
.dst
.port
, uh
->udp_dst
);
612 reverse_pat_packet(struct dp_packet
*pkt
, const struct conn
*conn
)
614 if (conn
->nat_info
->nat_action
& NAT_ACTION_SRC
) {
615 if (conn
->key
.nw_proto
== IPPROTO_TCP
) {
616 struct tcp_header
*th_in
= dp_packet_l4(pkt
);
617 packet_set_tcp_port(pkt
, conn
->key
.src
.port
,
619 } else if (conn
->key
.nw_proto
== IPPROTO_UDP
) {
620 struct udp_header
*uh_in
= dp_packet_l4(pkt
);
621 packet_set_udp_port(pkt
, conn
->key
.src
.port
,
624 } else if (conn
->nat_info
->nat_action
& NAT_ACTION_DST
) {
625 if (conn
->key
.nw_proto
== IPPROTO_TCP
) {
626 struct tcp_header
*th_in
= dp_packet_l4(pkt
);
627 packet_set_tcp_port(pkt
, th_in
->tcp_src
,
629 } else if (conn
->key
.nw_proto
== IPPROTO_UDP
) {
630 struct udp_header
*uh_in
= dp_packet_l4(pkt
);
631 packet_set_udp_port(pkt
, uh_in
->udp_src
,
638 reverse_nat_packet(struct dp_packet
*pkt
, const struct conn
*conn
)
640 char *tail
= dp_packet_tail(pkt
);
641 char pad
= dp_packet_l2_pad_size(pkt
);
642 struct conn_key inner_key
;
643 const char *inner_l4
= NULL
;
644 uint16_t orig_l3_ofs
= pkt
->l3_ofs
;
645 uint16_t orig_l4_ofs
= pkt
->l4_ofs
;
647 if (conn
->key
.dl_type
== htons(ETH_TYPE_IP
)) {
648 struct ip_header
*nh
= dp_packet_l3(pkt
);
649 struct icmp_header
*icmp
= dp_packet_l4(pkt
);
650 struct ip_header
*inner_l3
= (struct ip_header
*) (icmp
+ 1);
651 extract_l3_ipv4(&inner_key
, inner_l3
, tail
- ((char *)inner_l3
) - pad
,
653 pkt
->l3_ofs
+= (char *) inner_l3
- (char *) nh
;
654 pkt
->l4_ofs
+= inner_l4
- (char *) icmp
;
656 if (conn
->nat_info
->nat_action
& NAT_ACTION_SRC
) {
657 packet_set_ipv4_addr(pkt
, &inner_l3
->ip_src
,
658 conn
->key
.src
.addr
.ipv4_aligned
);
659 } else if (conn
->nat_info
->nat_action
& NAT_ACTION_DST
) {
660 packet_set_ipv4_addr(pkt
, &inner_l3
->ip_dst
,
661 conn
->key
.dst
.addr
.ipv4_aligned
);
664 reverse_pat_packet(pkt
, conn
);
666 icmp
->icmp_csum
= csum(icmp
, tail
- (char *) icmp
- pad
);
668 struct ovs_16aligned_ip6_hdr
*nh6
= dp_packet_l3(pkt
);
669 struct icmp6_error_header
*icmp6
= dp_packet_l4(pkt
);
670 struct ovs_16aligned_ip6_hdr
*inner_l3_6
=
671 (struct ovs_16aligned_ip6_hdr
*) (icmp6
+ 1);
672 extract_l3_ipv6(&inner_key
, inner_l3_6
,
673 tail
- ((char *)inner_l3_6
) - pad
,
675 pkt
->l3_ofs
+= (char *) inner_l3_6
- (char *) nh6
;
676 pkt
->l4_ofs
+= inner_l4
- (char *) icmp6
;
678 if (conn
->nat_info
->nat_action
& NAT_ACTION_SRC
) {
679 packet_set_ipv6_addr(pkt
, conn
->key
.nw_proto
,
680 inner_l3_6
->ip6_src
.be32
,
681 &conn
->key
.src
.addr
.ipv6_aligned
,
683 } else if (conn
->nat_info
->nat_action
& NAT_ACTION_DST
) {
684 packet_set_ipv6_addr(pkt
, conn
->key
.nw_proto
,
685 inner_l3_6
->ip6_dst
.be32
,
686 &conn
->key
.dst
.addr
.ipv6_aligned
,
689 reverse_pat_packet(pkt
, conn
);
690 uint32_t icmp6_csum
= packet_csum_pseudoheader6(nh6
);
691 icmp6
->icmp6_base
.icmp6_cksum
= 0;
692 icmp6
->icmp6_base
.icmp6_cksum
= csum_finish(
693 csum_continue(icmp6_csum
, icmp6
, tail
- (char *) icmp6
- pad
));
695 pkt
->l3_ofs
= orig_l3_ofs
;
696 pkt
->l4_ofs
= orig_l4_ofs
;
700 un_nat_packet(struct dp_packet
*pkt
, const struct conn
*conn
,
703 if (conn
->nat_info
->nat_action
& NAT_ACTION_SRC
) {
704 pkt
->md
.ct_state
|= CS_DST_NAT
;
705 if (conn
->key
.dl_type
== htons(ETH_TYPE_IP
)) {
706 struct ip_header
*nh
= dp_packet_l3(pkt
);
707 packet_set_ipv4_addr(pkt
, &nh
->ip_dst
,
708 conn
->key
.src
.addr
.ipv4_aligned
);
710 struct ovs_16aligned_ip6_hdr
*nh6
= dp_packet_l3(pkt
);
711 packet_set_ipv6_addr(pkt
, conn
->key
.nw_proto
,
713 &conn
->key
.src
.addr
.ipv6_aligned
, true);
716 if (OVS_UNLIKELY(related
)) {
717 reverse_nat_packet(pkt
, conn
);
719 un_pat_packet(pkt
, conn
);
721 } else if (conn
->nat_info
->nat_action
& NAT_ACTION_DST
) {
722 pkt
->md
.ct_state
|= CS_SRC_NAT
;
723 if (conn
->key
.dl_type
== htons(ETH_TYPE_IP
)) {
724 struct ip_header
*nh
= dp_packet_l3(pkt
);
725 packet_set_ipv4_addr(pkt
, &nh
->ip_src
,
726 conn
->key
.dst
.addr
.ipv4_aligned
);
728 struct ovs_16aligned_ip6_hdr
*nh6
= dp_packet_l3(pkt
);
729 packet_set_ipv6_addr(pkt
, conn
->key
.nw_proto
,
731 &conn
->key
.dst
.addr
.ipv6_aligned
, true);
734 if (OVS_UNLIKELY(related
)) {
735 reverse_nat_packet(pkt
, conn
);
737 un_pat_packet(pkt
, conn
);
742 /* Typical usage of this helper is in non per-packet code;
743 * this is because the bucket lock needs to be held for lookup
744 * and a hash would have already been needed. Hence, this function
745 * is just intended for code clarity. */
747 conn_lookup(struct conntrack
*ct
, const struct conn_key
*key
, long long now
)
749 struct conn_lookup_ctx ctx
;
752 ctx
.hash
= conn_key_hash(key
, ct
->hash_basis
);
753 unsigned bucket
= hash_to_bucket(ctx
.hash
);
754 conn_key_lookup(&ct
->buckets
[bucket
], &ctx
, now
);
759 conn_seq_skew_set(struct conntrack
*ct
, const struct conn_key
*key
,
760 long long now
, int seq_skew
, bool seq_skew_dir
)
762 unsigned bucket
= hash_to_bucket(conn_key_hash(key
, ct
->hash_basis
));
763 ct_lock_lock(&ct
->buckets
[bucket
].lock
);
764 struct conn
*conn
= conn_lookup(ct
, key
, now
);
765 if (conn
&& seq_skew
) {
766 conn
->seq_skew
= seq_skew
;
767 conn
->seq_skew_dir
= seq_skew_dir
;
769 ct_lock_unlock(&ct
->buckets
[bucket
].lock
);
773 nat_clean(struct conntrack
*ct
, struct conn
*conn
,
774 struct conntrack_bucket
*ctb
)
775 OVS_REQUIRES(ctb
->lock
)
777 ct_rwlock_wrlock(&ct
->resources_lock
);
778 nat_conn_keys_remove(&ct
->nat_conn_keys
, &conn
->rev_key
, ct
->hash_basis
);
779 ct_rwlock_unlock(&ct
->resources_lock
);
780 ct_lock_unlock(&ctb
->lock
);
781 unsigned bucket_rev_conn
=
782 hash_to_bucket(conn_key_hash(&conn
->rev_key
, ct
->hash_basis
));
783 ct_lock_lock(&ct
->buckets
[bucket_rev_conn
].lock
);
784 ct_rwlock_wrlock(&ct
->resources_lock
);
785 long long now
= time_msec();
786 struct conn
*rev_conn
= conn_lookup(ct
, &conn
->rev_key
, now
);
787 struct nat_conn_key_node
*nat_conn_key_node
=
788 nat_conn_keys_lookup(&ct
->nat_conn_keys
, &conn
->rev_key
,
791 /* In the unlikely event, rev conn was recreated, then skip
792 * rev_conn cleanup. */
793 if (rev_conn
&& (!nat_conn_key_node
||
794 conn_key_cmp(&nat_conn_key_node
->value
,
795 &rev_conn
->rev_key
))) {
796 hmap_remove(&ct
->buckets
[bucket_rev_conn
].connections
,
802 ct_rwlock_unlock(&ct
->resources_lock
);
803 ct_lock_unlock(&ct
->buckets
[bucket_rev_conn
].lock
);
804 ct_lock_lock(&ctb
->lock
);
808 conn_clean(struct conntrack
*ct
, struct conn
*conn
,
809 struct conntrack_bucket
*ctb
)
810 OVS_REQUIRES(ctb
->lock
)
813 expectation_clean(ct
, &conn
->key
, ct
->hash_basis
);
815 ovs_list_remove(&conn
->exp_node
);
816 hmap_remove(&ctb
->connections
, &conn
->node
);
817 atomic_count_dec(&ct
->n_conn
);
818 if (conn
->nat_info
) {
819 nat_clean(ct
, conn
, ctb
);
826 ct_verify_helper(const char *helper
, enum ct_alg_ctl_type ct_alg_ctl
)
828 if (ct_alg_ctl
== CT_ALG_CTL_NONE
) {
831 if ((ct_alg_ctl
== CT_ALG_CTL_FTP
) &&
832 !strncmp(helper
, "ftp", strlen("ftp"))) {
834 } else if ((ct_alg_ctl
== CT_ALG_CTL_TFTP
) &&
835 !strncmp(helper
, "tftp", strlen("tftp"))) {
845 /* This function is called with the bucket lock held. */
847 conn_not_found(struct conntrack
*ct
, struct dp_packet
*pkt
,
848 struct conn_lookup_ctx
*ctx
, bool commit
, long long now
,
849 const struct nat_action_info_t
*nat_action_info
,
850 struct conn
*conn_for_un_nat_copy
,
852 const struct alg_exp_node
*alg_exp
,
853 enum ct_alg_ctl_type ct_alg_ctl
)
855 struct conn
*nc
= NULL
;
857 if (!valid_new(pkt
, &ctx
->key
)) {
858 pkt
->md
.ct_state
= CS_INVALID
;
862 pkt
->md
.ct_state
= CS_NEW
;
865 pkt
->md
.ct_state
|= CS_RELATED
;
869 unsigned int n_conn_limit
;
870 atomic_read_relaxed(&ct
->n_conn_limit
, &n_conn_limit
);
872 if (atomic_count_get(&ct
->n_conn
) >= n_conn_limit
) {
873 COVERAGE_INC(conntrack_full
);
877 unsigned bucket
= hash_to_bucket(ctx
->hash
);
878 nc
= new_conn(&ct
->buckets
[bucket
], pkt
, &ctx
->key
, now
);
880 nc
->rev_key
= nc
->key
;
881 conn_key_reverse(&nc
->rev_key
);
883 if (ct_verify_helper(helper
, ct_alg_ctl
)) {
884 nc
->alg
= nullable_xstrdup(helper
);
888 nc
->alg_related
= true;
889 nc
->mark
= alg_exp
->master_mark
;
890 nc
->label
= alg_exp
->master_label
;
891 nc
->master_key
= alg_exp
->master_key
;
894 if (nat_action_info
) {
895 nc
->nat_info
= xmemdup(nat_action_info
, sizeof *nc
->nat_info
);
898 if (alg_exp
->nat_rpl_dst
) {
899 nc
->rev_key
.dst
.addr
= alg_exp
->alg_nat_repl_addr
;
900 nc
->nat_info
->nat_action
= NAT_ACTION_SRC
;
902 nc
->rev_key
.src
.addr
= alg_exp
->alg_nat_repl_addr
;
903 nc
->nat_info
->nat_action
= NAT_ACTION_DST
;
905 *conn_for_un_nat_copy
= *nc
;
906 ct_rwlock_wrlock(&ct
->resources_lock
);
907 bool new_insert
= nat_conn_keys_insert(&ct
->nat_conn_keys
,
908 conn_for_un_nat_copy
,
910 ct_rwlock_unlock(&ct
->resources_lock
);
912 char *log_msg
= xasprintf("Pre-existing alg "
914 ct_print_conn_info(conn_for_un_nat_copy
, log_msg
, VLL_INFO
,
919 *conn_for_un_nat_copy
= *nc
;
920 ct_rwlock_wrlock(&ct
->resources_lock
);
921 bool nat_res
= nat_select_range_tuple(ct
, nc
,
922 conn_for_un_nat_copy
);
925 goto nat_res_exhaustion
;
928 /* Update nc with nat adjustments made to
929 * conn_for_un_nat_copy by nat_select_range_tuple(). */
930 *nc
= *conn_for_un_nat_copy
;
931 ct_rwlock_unlock(&ct
->resources_lock
);
933 conn_for_un_nat_copy
->conn_type
= CT_CONN_TYPE_UN_NAT
;
934 conn_for_un_nat_copy
->nat_info
= NULL
;
935 conn_for_un_nat_copy
->alg
= NULL
;
936 nat_packet(pkt
, nc
, ctx
->icmp_related
);
938 hmap_insert(&ct
->buckets
[bucket
].connections
, &nc
->node
, ctx
->hash
);
939 atomic_count_inc(&ct
->n_conn
);
944 /* This would be a user error or a DOS attack.
945 * A user error is prevented by allocating enough
946 * combinations of NAT addresses when combined with
947 * ephemeral ports. A DOS attack should be protected
948 * against with firewall rules or a separate firewall.
949 * Also using zone partitioning can limit DoS impact. */
951 ovs_list_remove(&nc
->exp_node
);
953 /* conn_for_un_nat_copy is a local variable in process_one; this
954 * memset() serves to document that conn_for_un_nat_copy is from
955 * this point on unused. */
956 memset(conn_for_un_nat_copy
, 0, sizeof *conn_for_un_nat_copy
);
957 ct_rwlock_unlock(&ct
->resources_lock
);
958 static struct vlog_rate_limit rl
= VLOG_RATE_LIMIT_INIT(5, 5);
959 VLOG_WARN_RL(&rl
, "Unable to NAT due to tuple space exhaustion - "
960 "if DoS attack, use firewalling and/or zone partitioning.");
965 conn_update_state(struct conntrack
*ct
, struct dp_packet
*pkt
,
966 struct conn_lookup_ctx
*ctx
, struct conn
**conn
,
967 long long now
, unsigned bucket
)
968 OVS_REQUIRES(ct
->buckets
[bucket
].lock
)
970 bool create_new_conn
= false;
972 if (ctx
->icmp_related
) {
973 pkt
->md
.ct_state
|= CS_RELATED
;
975 pkt
->md
.ct_state
|= CS_REPLY_DIR
;
978 if ((*conn
)->alg_related
) {
979 pkt
->md
.ct_state
|= CS_RELATED
;
982 enum ct_update_res res
= conn_update(*conn
, &ct
->buckets
[bucket
],
983 pkt
, ctx
->reply
, now
);
986 case CT_UPDATE_VALID
:
987 pkt
->md
.ct_state
|= CS_ESTABLISHED
;
988 pkt
->md
.ct_state
&= ~CS_NEW
;
990 pkt
->md
.ct_state
|= CS_REPLY_DIR
;
993 case CT_UPDATE_INVALID
:
994 pkt
->md
.ct_state
= CS_INVALID
;
997 conn_clean(ct
, *conn
, &ct
->buckets
[bucket
]);
998 create_new_conn
= true;
1004 return create_new_conn
;
1008 create_un_nat_conn(struct conntrack
*ct
, struct conn
*conn_for_un_nat_copy
,
1009 long long now
, bool alg_un_nat
)
1011 struct conn
*nc
= xmemdup(conn_for_un_nat_copy
, sizeof *nc
);
1012 nc
->key
= conn_for_un_nat_copy
->rev_key
;
1013 nc
->rev_key
= conn_for_un_nat_copy
->key
;
1014 uint32_t un_nat_hash
= conn_key_hash(&nc
->key
, ct
->hash_basis
);
1015 unsigned un_nat_conn_bucket
= hash_to_bucket(un_nat_hash
);
1016 ct_lock_lock(&ct
->buckets
[un_nat_conn_bucket
].lock
);
1017 struct conn
*rev_conn
= conn_lookup(ct
, &nc
->key
, now
);
1021 hmap_insert(&ct
->buckets
[un_nat_conn_bucket
].connections
,
1022 &nc
->node
, un_nat_hash
);
1024 char *log_msg
= xasprintf("Unusual condition for un_nat conn "
1025 "create for alg: rev_conn %p", rev_conn
);
1026 ct_print_conn_info(nc
, log_msg
, VLL_INFO
, true, false);
1031 ct_rwlock_rdlock(&ct
->resources_lock
);
1033 struct nat_conn_key_node
*nat_conn_key_node
=
1034 nat_conn_keys_lookup(&ct
->nat_conn_keys
, &nc
->key
, ct
->hash_basis
);
1035 if (nat_conn_key_node
&& !conn_key_cmp(&nat_conn_key_node
->value
,
1036 &nc
->rev_key
) && !rev_conn
) {
1037 hmap_insert(&ct
->buckets
[un_nat_conn_bucket
].connections
,
1038 &nc
->node
, un_nat_hash
);
1040 char *log_msg
= xasprintf("Unusual condition for un_nat conn "
1041 "create: nat_conn_key_node/rev_conn "
1042 "%p/%p", nat_conn_key_node
, rev_conn
);
1043 ct_print_conn_info(nc
, log_msg
, VLL_INFO
, true, false);
1047 ct_rwlock_unlock(&ct
->resources_lock
);
1049 ct_lock_unlock(&ct
->buckets
[un_nat_conn_bucket
].lock
);
1053 handle_nat(struct dp_packet
*pkt
, struct conn
*conn
,
1054 uint16_t zone
, bool reply
, bool related
)
1056 if (conn
->nat_info
&&
1057 (!(pkt
->md
.ct_state
& (CS_SRC_NAT
| CS_DST_NAT
)) ||
1058 (pkt
->md
.ct_state
& (CS_SRC_NAT
| CS_DST_NAT
) &&
1059 zone
!= pkt
->md
.ct_zone
))) {
1061 if (pkt
->md
.ct_state
& (CS_SRC_NAT
| CS_DST_NAT
)) {
1062 pkt
->md
.ct_state
&= ~(CS_SRC_NAT
| CS_DST_NAT
);
1065 un_nat_packet(pkt
, conn
, related
);
1067 nat_packet(pkt
, conn
, related
);
1073 check_orig_tuple(struct conntrack
*ct
, struct dp_packet
*pkt
,
1074 struct conn_lookup_ctx
*ctx_in
, long long now
,
1075 unsigned *bucket
, struct conn
**conn
,
1076 const struct nat_action_info_t
*nat_action_info
)
1077 OVS_REQUIRES(ct
->buckets
[*bucket
].lock
)
1079 if ((ctx_in
->key
.dl_type
== htons(ETH_TYPE_IP
) &&
1080 !pkt
->md
.ct_orig_tuple
.ipv4
.ipv4_proto
) ||
1081 (ctx_in
->key
.dl_type
== htons(ETH_TYPE_IPV6
) &&
1082 !pkt
->md
.ct_orig_tuple
.ipv6
.ipv6_proto
) ||
1083 !(pkt
->md
.ct_state
& (CS_SRC_NAT
| CS_DST_NAT
)) ||
1088 ct_lock_unlock(&ct
->buckets
[*bucket
].lock
);
1089 struct conn_lookup_ctx ctx
;
1090 memset(&ctx
, 0 , sizeof ctx
);
1093 if (ctx_in
->key
.dl_type
== htons(ETH_TYPE_IP
)) {
1094 ctx
.key
.src
.addr
.ipv4_aligned
= pkt
->md
.ct_orig_tuple
.ipv4
.ipv4_src
;
1095 ctx
.key
.dst
.addr
.ipv4_aligned
= pkt
->md
.ct_orig_tuple
.ipv4
.ipv4_dst
;
1097 if (ctx_in
->key
.nw_proto
== IPPROTO_ICMP
) {
1098 ctx
.key
.src
.icmp_id
= ctx_in
->key
.src
.icmp_id
;
1099 ctx
.key
.dst
.icmp_id
= ctx_in
->key
.dst
.icmp_id
;
1100 uint16_t src_port
= ntohs(pkt
->md
.ct_orig_tuple
.ipv4
.src_port
);
1101 ctx
.key
.src
.icmp_type
= (uint8_t) src_port
;
1102 ctx
.key
.dst
.icmp_type
= reverse_icmp_type(ctx
.key
.src
.icmp_type
);
1104 ctx
.key
.src
.port
= pkt
->md
.ct_orig_tuple
.ipv4
.src_port
;
1105 ctx
.key
.dst
.port
= pkt
->md
.ct_orig_tuple
.ipv4
.dst_port
;
1107 ctx
.key
.nw_proto
= pkt
->md
.ct_orig_tuple
.ipv4
.ipv4_proto
;
1109 ctx
.key
.src
.addr
.ipv6_aligned
= pkt
->md
.ct_orig_tuple
.ipv6
.ipv6_src
;
1110 ctx
.key
.dst
.addr
.ipv6_aligned
= pkt
->md
.ct_orig_tuple
.ipv6
.ipv6_dst
;
1112 if (ctx_in
->key
.nw_proto
== IPPROTO_ICMPV6
) {
1113 ctx
.key
.src
.icmp_id
= ctx_in
->key
.src
.icmp_id
;
1114 ctx
.key
.dst
.icmp_id
= ctx_in
->key
.dst
.icmp_id
;
1115 uint16_t src_port
= ntohs(pkt
->md
.ct_orig_tuple
.ipv6
.src_port
);
1116 ctx
.key
.src
.icmp_type
= (uint8_t) src_port
;
1117 ctx
.key
.dst
.icmp_type
= reverse_icmp6_type(ctx
.key
.src
.icmp_type
);
1119 ctx
.key
.src
.port
= pkt
->md
.ct_orig_tuple
.ipv6
.src_port
;
1120 ctx
.key
.dst
.port
= pkt
->md
.ct_orig_tuple
.ipv6
.dst_port
;
1122 ctx
.key
.nw_proto
= pkt
->md
.ct_orig_tuple
.ipv6
.ipv6_proto
;
1125 ctx
.key
.dl_type
= ctx_in
->key
.dl_type
;
1126 ctx
.key
.zone
= pkt
->md
.ct_zone
;
1127 ctx
.hash
= conn_key_hash(&ctx
.key
, ct
->hash_basis
);
1128 *bucket
= hash_to_bucket(ctx
.hash
);
1129 ct_lock_lock(&ct
->buckets
[*bucket
].lock
);
1130 conn_key_lookup(&ct
->buckets
[*bucket
], &ctx
, now
);
1132 return *conn
? true : false;
1136 is_un_nat_conn_valid(const struct conn
*un_nat_conn
)
1138 return un_nat_conn
->conn_type
== CT_CONN_TYPE_UN_NAT
;
1142 conn_update_state_alg(struct conntrack
*ct
, struct dp_packet
*pkt
,
1143 struct conn_lookup_ctx
*ctx
, struct conn
*conn
,
1144 const struct nat_action_info_t
*nat_action_info
,
1145 enum ct_alg_ctl_type ct_alg_ctl
, long long now
,
1146 unsigned bucket
, bool *create_new_conn
)
1147 OVS_REQUIRES(ct
->buckets
[bucket
].lock
)
1149 if (is_ftp_ctl(ct_alg_ctl
)) {
1150 /* Keep sequence tracking in sync with the source of the
1152 if (ctx
->reply
!= conn
->seq_skew_dir
) {
1153 handle_ftp_ctl(ct
, ctx
, pkt
, conn
, now
, CT_FTP_CTL_OTHER
,
1155 *create_new_conn
= conn_update_state(ct
, pkt
, ctx
, &conn
, now
,
1158 *create_new_conn
= conn_update_state(ct
, pkt
, ctx
, &conn
, now
,
1160 handle_ftp_ctl(ct
, ctx
, pkt
, conn
, now
, CT_FTP_CTL_OTHER
,
1169 process_one(struct conntrack
*ct
, struct dp_packet
*pkt
,
1170 struct conn_lookup_ctx
*ctx
, uint16_t zone
,
1171 bool force
, bool commit
, long long now
, const uint32_t *setmark
,
1172 const struct ovs_key_ct_labels
*setlabel
,
1173 const struct nat_action_info_t
*nat_action_info
,
1174 ovs_be16 tp_src
, ovs_be16 tp_dst
, const char *helper
)
1177 unsigned bucket
= hash_to_bucket(ctx
->hash
);
1178 ct_lock_lock(&ct
->buckets
[bucket
].lock
);
1179 conn_key_lookup(&ct
->buckets
[bucket
], ctx
, now
);
1182 /* Delete found entry if in wrong direction. 'force' implies commit. */
1183 if (conn
&& force
&& ctx
->reply
) {
1184 conn_clean(ct
, conn
, &ct
->buckets
[bucket
]);
1188 if (OVS_LIKELY(conn
)) {
1189 if (conn
->conn_type
== CT_CONN_TYPE_UN_NAT
) {
1193 struct conn_lookup_ctx ctx2
;
1195 ctx2
.key
= conn
->rev_key
;
1196 ctx2
.hash
= conn_key_hash(&conn
->rev_key
, ct
->hash_basis
);
1198 ct_lock_unlock(&ct
->buckets
[bucket
].lock
);
1199 bucket
= hash_to_bucket(ctx2
.hash
);
1201 ct_lock_lock(&ct
->buckets
[bucket
].lock
);
1202 conn_key_lookup(&ct
->buckets
[bucket
], &ctx2
, now
);
1207 /* It is a race condition where conn has timed out and removed
1208 * between unlock of the rev_conn and lock of the forward conn;
1210 pkt
->md
.ct_state
|= CS_TRACKED
| CS_INVALID
;
1211 ct_lock_unlock(&ct
->buckets
[bucket
].lock
);
1217 bool create_new_conn
= false;
1218 struct conn conn_for_un_nat_copy
;
1219 conn_for_un_nat_copy
.conn_type
= CT_CONN_TYPE_DEFAULT
;
1221 enum ct_alg_ctl_type ct_alg_ctl
= get_alg_ctl_type(pkt
, tp_src
, tp_dst
,
1224 if (OVS_LIKELY(conn
)) {
1225 if (OVS_LIKELY(!conn_update_state_alg(ct
, pkt
, ctx
, conn
,
1227 ct_alg_ctl
, now
, bucket
,
1228 &create_new_conn
))) {
1229 create_new_conn
= conn_update_state(ct
, pkt
, ctx
, &conn
, now
,
1232 if (nat_action_info
&& !create_new_conn
) {
1233 handle_nat(pkt
, conn
, zone
, ctx
->reply
, ctx
->icmp_related
);
1236 } else if (check_orig_tuple(ct
, pkt
, ctx
, now
, &bucket
, &conn
,
1238 create_new_conn
= conn_update_state(ct
, pkt
, ctx
, &conn
, now
, bucket
);
1240 if (ctx
->icmp_related
) {
1241 /* An icmp related conn should always be found; no new
1242 connection is created based on an icmp related packet. */
1243 pkt
->md
.ct_state
= CS_INVALID
;
1245 create_new_conn
= true;
1249 const struct alg_exp_node
*alg_exp
= NULL
;
1251 if (OVS_UNLIKELY(create_new_conn
)) {
1252 struct alg_exp_node alg_exp_entry
;
1254 ct_rwlock_rdlock(&ct
->resources_lock
);
1255 alg_exp
= expectation_lookup(&ct
->alg_expectations
, &ctx
->key
,
1257 alg_src_ip_wc(ct_alg_ctl
));
1259 alg_exp_entry
= *alg_exp
;
1260 alg_exp
= &alg_exp_entry
;
1262 ct_rwlock_unlock(&ct
->resources_lock
);
1264 conn
= conn_not_found(ct
, pkt
, ctx
, commit
, now
, nat_action_info
,
1265 &conn_for_un_nat_copy
, helper
, alg_exp
,
1269 write_ct_md(pkt
, zone
, conn
, &ctx
->key
, alg_exp
);
1271 if (conn
&& setmark
) {
1272 set_mark(pkt
, conn
, setmark
[0], setmark
[1]);
1275 if (conn
&& setlabel
) {
1276 set_label(pkt
, conn
, &setlabel
[0], &setlabel
[1]);
1279 struct conn conn_for_expectation
;
1280 if (OVS_UNLIKELY((ct_alg_ctl
!= CT_ALG_CTL_NONE
) && conn
)) {
1281 conn_for_expectation
= *conn
;
1284 ct_lock_unlock(&ct
->buckets
[bucket
].lock
);
1286 if (is_un_nat_conn_valid(&conn_for_un_nat_copy
)) {
1287 create_un_nat_conn(ct
, &conn_for_un_nat_copy
, now
, !!alg_exp
);
1290 handle_alg_ctl(ct
, ctx
, pkt
, ct_alg_ctl
, conn
, now
, !!nat_action_info
,
1291 &conn_for_expectation
);
1294 /* Sends the packets in '*pkt_batch' through the connection tracker 'ct'. All
1295 * the packets should have the same 'dl_type' (IPv4 or IPv6) and should have
1296 * the l3 and and l4 offset properly set.
1298 * If 'commit' is true, the packets are allowed to create new entries in the
1299 * connection tables. 'setmark', if not NULL, should point to a two
1300 * elements array containing a value and a mask to set the connection mark.
1301 * 'setlabel' behaves similarly for the connection label.*/
1303 conntrack_execute(struct conntrack
*ct
, struct dp_packet_batch
*pkt_batch
,
1304 ovs_be16 dl_type
, bool force
, bool commit
, uint16_t zone
,
1305 const uint32_t *setmark
,
1306 const struct ovs_key_ct_labels
*setlabel
,
1307 ovs_be16 tp_src
, ovs_be16 tp_dst
, const char *helper
,
1308 const struct nat_action_info_t
*nat_action_info
,
1312 struct dp_packet
*packet
;
1313 struct conn_lookup_ctx ctx
;
1315 DP_PACKET_BATCH_FOR_EACH (packet
, pkt_batch
) {
1316 if (!conn_key_extract(ct
, packet
, dl_type
, &ctx
, zone
)) {
1317 packet
->md
.ct_state
= CS_INVALID
;
1318 write_ct_md(packet
, zone
, NULL
, NULL
, NULL
);
1321 process_one(ct
, packet
, &ctx
, zone
, force
, commit
, now
, setmark
,
1322 setlabel
, nat_action_info
, tp_src
, tp_dst
, helper
);
1329 conntrack_clear(struct dp_packet
*packet
)
1331 /* According to pkt_metadata_init(), ct_state == 0 is enough to make all of
1332 * the conntrack fields invalid. */
1333 packet
->md
.ct_state
= 0;
1337 set_mark(struct dp_packet
*pkt
, struct conn
*conn
, uint32_t val
, uint32_t mask
)
1339 if (conn
->alg_related
) {
1340 pkt
->md
.ct_mark
= conn
->mark
;
1342 pkt
->md
.ct_mark
= val
| (pkt
->md
.ct_mark
& ~(mask
));
1343 conn
->mark
= pkt
->md
.ct_mark
;
1348 set_label(struct dp_packet
*pkt
, struct conn
*conn
,
1349 const struct ovs_key_ct_labels
*val
,
1350 const struct ovs_key_ct_labels
*mask
)
1352 if (conn
->alg_related
) {
1353 pkt
->md
.ct_label
= conn
->label
;
1357 memcpy(&v
, val
, sizeof v
);
1358 memcpy(&m
, mask
, sizeof m
);
1360 pkt
->md
.ct_label
.u64
.lo
= v
.u64
.lo
1361 | (pkt
->md
.ct_label
.u64
.lo
& ~(m
.u64
.lo
));
1362 pkt
->md
.ct_label
.u64
.hi
= v
.u64
.hi
1363 | (pkt
->md
.ct_label
.u64
.hi
& ~(m
.u64
.hi
));
1364 conn
->label
= pkt
->md
.ct_label
;
1369 /* Delete the expired connections from 'ctb', up to 'limit'. Returns the
1370 * earliest expiration time among the remaining connections in 'ctb'. Returns
1371 * LLONG_MAX if 'ctb' is empty. The return value might be smaller than 'now',
1372 * if 'limit' is reached */
1374 sweep_bucket(struct conntrack
*ct
, struct conntrack_bucket
*ctb
,
1375 long long now
, size_t limit
)
1376 OVS_REQUIRES(ctb
->lock
)
1378 struct conn
*conn
, *next
;
1379 long long min_expiration
= LLONG_MAX
;
1382 for (unsigned i
= 0; i
< N_CT_TM
; i
++) {
1383 LIST_FOR_EACH_SAFE (conn
, next
, exp_node
, &ctb
->exp_lists
[i
]) {
1384 if (conn
->conn_type
== CT_CONN_TYPE_DEFAULT
) {
1385 if (!conn_expired(conn
, now
) || count
>= limit
) {
1386 min_expiration
= MIN(min_expiration
, conn
->expiration
);
1387 if (count
>= limit
) {
1388 /* Do not check other lists. */
1389 COVERAGE_INC(conntrack_long_cleanup
);
1390 return min_expiration
;
1394 conn_clean(ct
, conn
, ctb
);
1399 return min_expiration
;
1402 /* Cleans up old connection entries from 'ct'. Returns the time when the
1403 * next expiration might happen. The return value might be smaller than
1404 * 'now', meaning that an internal limit has been reached, and some expired
1405 * connections have not been deleted. */
1407 conntrack_clean(struct conntrack
*ct
, long long now
)
1409 long long next_wakeup
= now
+ CT_TM_MIN
;
1410 unsigned int n_conn_limit
;
1411 size_t clean_count
= 0;
1413 atomic_read_relaxed(&ct
->n_conn_limit
, &n_conn_limit
);
1415 for (unsigned i
= 0; i
< CONNTRACK_BUCKETS
; i
++) {
1416 struct conntrack_bucket
*ctb
= &ct
->buckets
[i
];
1420 ovs_mutex_lock(&ctb
->cleanup_mutex
);
1421 if (ctb
->next_cleanup
> now
) {
1425 ct_lock_lock(&ctb
->lock
);
1426 prev_count
= hmap_count(&ctb
->connections
);
1427 /* If the connections are well distributed among buckets, we want to
1428 * limit to 10% of the global limit equally split among buckets. If
1429 * the bucket is busier than the others, we limit to 10% of its
1431 min_exp
= sweep_bucket(ct
, ctb
, now
,
1432 MAX(prev_count
/10, n_conn_limit
/(CONNTRACK_BUCKETS
*10)));
1433 clean_count
+= prev_count
- hmap_count(&ctb
->connections
);
1435 if (min_exp
> now
) {
1436 /* We call hmap_shrink() only if sweep_bucket() managed to delete
1437 * every expired connection. */
1438 hmap_shrink(&ctb
->connections
);
1441 ct_lock_unlock(&ctb
->lock
);
1443 ctb
->next_cleanup
= MIN(min_exp
, now
+ CT_TM_MIN
);
1446 next_wakeup
= MIN(next_wakeup
, ctb
->next_cleanup
);
1447 ovs_mutex_unlock(&ctb
->cleanup_mutex
);
1450 VLOG_DBG("conntrack cleanup %"PRIuSIZE
" entries in %lld msec",
1451 clean_count
, time_msec() - now
);
1458 * We must call conntrack_clean() periodically. conntrack_clean() return
1459 * value gives an hint on when the next cleanup must be done (either because
1460 * there is an actual connection that expires, or because a new connection
1461 * might be created with the minimum timeout).
1463 * The logic below has two goals:
1465 * - We want to reduce the number of wakeups and batch connection cleanup
1466 * when the load is not very high. CT_CLEAN_INTERVAL ensures that if we
1467 * are coping with the current cleanup tasks, then we wait at least
1468 * 5 seconds to do further cleanup.
1470 * - We don't want to keep the buckets locked too long, as we might prevent
1471 * traffic from flowing. CT_CLEAN_MIN_INTERVAL ensures that if cleanup is
1472 * behind, there is at least some 200ms blocks of time when buckets will be
1473 * left alone, so the datapath can operate unhindered.
1475 #define CT_CLEAN_INTERVAL 5000 /* 5 seconds */
1476 #define CT_CLEAN_MIN_INTERVAL 200 /* 0.2 seconds */
1479 clean_thread_main(void *f_
)
1481 struct conntrack
*ct
= f_
;
1483 while (!latch_is_set(&ct
->clean_thread_exit
)) {
1484 long long next_wake
;
1485 long long now
= time_msec();
1486 next_wake
= conntrack_clean(ct
, now
);
1488 if (next_wake
< now
) {
1489 poll_timer_wait_until(now
+ CT_CLEAN_MIN_INTERVAL
);
1491 poll_timer_wait_until(MAX(next_wake
, now
+ CT_CLEAN_INTERVAL
));
1493 latch_wait(&ct
->clean_thread_exit
);
1500 /* Key extraction */
1502 /* The function stores a pointer to the first byte after the header in
1503 * '*new_data', if 'new_data' is not NULL. If it is NULL, the caller is
1504 * not interested in the header's tail, meaning that the header has
1505 * already been parsed (e.g. by flow_extract): we take this as a hint to
1506 * save a few checks. If 'validate_checksum' is true, the function returns
1507 * false if the IPv4 checksum is invalid. */
1509 extract_l3_ipv4(struct conn_key
*key
, const void *data
, size_t size
,
1510 const char **new_data
, bool validate_checksum
)
1513 if (OVS_UNLIKELY(size
< IP_HEADER_LEN
)) {
1518 const struct ip_header
*ip
= data
;
1519 size_t ip_len
= IP_IHL(ip
->ip_ihl_ver
) * 4;
1522 if (OVS_UNLIKELY(ip_len
< IP_HEADER_LEN
)) {
1525 if (OVS_UNLIKELY(size
< ip_len
)) {
1529 if (IP_IS_FRAGMENT(ip
->ip_frag_off
)) {
1533 *new_data
= (char *) data
+ ip_len
;
1536 if (validate_checksum
&& csum(data
, ip_len
) != 0) {
1540 key
->src
.addr
.ipv4
= ip
->ip_src
;
1541 key
->dst
.addr
.ipv4
= ip
->ip_dst
;
1542 key
->nw_proto
= ip
->ip_proto
;
1547 /* The function stores a pointer to the first byte after the header in
1548 * '*new_data', if 'new_data' is not NULL. If it is NULL, the caller is
1549 * not interested in the header's tail, meaning that the header has
1550 * already been parsed (e.g. by flow_extract): we take this as a hint to
1551 * save a few checks. */
1553 extract_l3_ipv6(struct conn_key
*key
, const void *data
, size_t size
,
1554 const char **new_data
)
1556 const struct ovs_16aligned_ip6_hdr
*ip6
= data
;
1559 if (OVS_UNLIKELY(size
< sizeof *ip6
)) {
1565 size
-= sizeof *ip6
;
1566 uint8_t nw_proto
= ip6
->ip6_nxt
;
1567 uint8_t nw_frag
= 0;
1569 if (!parse_ipv6_ext_hdrs(&data
, &size
, &nw_proto
, &nw_frag
)) {
1581 key
->src
.addr
.ipv6
= ip6
->ip6_src
;
1582 key
->dst
.addr
.ipv6
= ip6
->ip6_dst
;
1583 key
->nw_proto
= nw_proto
;
1589 checksum_valid(const struct conn_key
*key
, const void *data
, size_t size
,
1594 if (key
->dl_type
== htons(ETH_TYPE_IP
)) {
1595 csum
= packet_csum_pseudoheader(l3
);
1596 } else if (key
->dl_type
== htons(ETH_TYPE_IPV6
)) {
1597 csum
= packet_csum_pseudoheader6(l3
);
1602 csum
= csum_continue(csum
, data
, size
);
1604 return csum_finish(csum
) == 0;
1608 check_l4_tcp(const struct conn_key
*key
, const void *data
, size_t size
,
1609 const void *l3
, bool validate_checksum
)
1611 const struct tcp_header
*tcp
= data
;
1612 if (size
< sizeof *tcp
) {
1616 size_t tcp_len
= TCP_OFFSET(tcp
->tcp_ctl
) * 4;
1617 if (OVS_UNLIKELY(tcp_len
< TCP_HEADER_LEN
|| tcp_len
> size
)) {
1621 return validate_checksum
? checksum_valid(key
, data
, size
, l3
) : true;
1625 check_l4_udp(const struct conn_key
*key
, const void *data
, size_t size
,
1626 const void *l3
, bool validate_checksum
)
1628 const struct udp_header
*udp
= data
;
1629 if (size
< sizeof *udp
) {
1633 size_t udp_len
= ntohs(udp
->udp_len
);
1634 if (OVS_UNLIKELY(udp_len
< UDP_HEADER_LEN
|| udp_len
> size
)) {
1638 /* Validation must be skipped if checksum is 0 on IPv4 packets */
1639 return (udp
->udp_csum
== 0 && key
->dl_type
== htons(ETH_TYPE_IP
))
1640 || (validate_checksum
? checksum_valid(key
, data
, size
, l3
) : true);
1644 check_l4_icmp(const void *data
, size_t size
, bool validate_checksum
)
1646 return validate_checksum
? csum(data
, size
) == 0 : true;
1650 check_l4_icmp6(const struct conn_key
*key
, const void *data
, size_t size
,
1651 const void *l3
, bool validate_checksum
)
1653 return validate_checksum
? checksum_valid(key
, data
, size
, l3
) : true;
1657 extract_l4_tcp(struct conn_key
*key
, const void *data
, size_t size
)
1659 if (OVS_UNLIKELY(size
< TCP_HEADER_LEN
)) {
1663 const struct tcp_header
*tcp
= data
;
1664 key
->src
.port
= tcp
->tcp_src
;
1665 key
->dst
.port
= tcp
->tcp_dst
;
1667 /* Port 0 is invalid */
1668 return key
->src
.port
&& key
->dst
.port
;
1672 extract_l4_udp(struct conn_key
*key
, const void *data
, size_t size
)
1674 if (OVS_UNLIKELY(size
< UDP_HEADER_LEN
)) {
1678 const struct udp_header
*udp
= data
;
1679 key
->src
.port
= udp
->udp_src
;
1680 key
->dst
.port
= udp
->udp_dst
;
1682 /* Port 0 is invalid */
1683 return key
->src
.port
&& key
->dst
.port
;
1686 static inline bool extract_l4(struct conn_key
*key
, const void *data
,
1687 size_t size
, bool *related
, const void *l3
,
1688 bool validate_checksum
);
1691 reverse_icmp_type(uint8_t type
)
1694 case ICMP4_ECHO_REQUEST
:
1695 return ICMP4_ECHO_REPLY
;
1696 case ICMP4_ECHO_REPLY
:
1697 return ICMP4_ECHO_REQUEST
;
1699 case ICMP4_TIMESTAMP
:
1700 return ICMP4_TIMESTAMPREPLY
;
1701 case ICMP4_TIMESTAMPREPLY
:
1702 return ICMP4_TIMESTAMP
;
1704 case ICMP4_INFOREQUEST
:
1705 return ICMP4_INFOREPLY
;
1706 case ICMP4_INFOREPLY
:
1707 return ICMP4_INFOREQUEST
;
1713 /* If 'related' is not NULL and the function is processing an ICMP
1714 * error packet, extract the l3 and l4 fields from the nested header
1715 * instead and set *related to true. If 'related' is NULL we're
1716 * already processing a nested header and no such recursion is
1719 extract_l4_icmp(struct conn_key
*key
, const void *data
, size_t size
,
1722 if (OVS_UNLIKELY(size
< ICMP_HEADER_LEN
)) {
1726 const struct icmp_header
*icmp
= data
;
1728 switch (icmp
->icmp_type
) {
1729 case ICMP4_ECHO_REQUEST
:
1730 case ICMP4_ECHO_REPLY
:
1731 case ICMP4_TIMESTAMP
:
1732 case ICMP4_TIMESTAMPREPLY
:
1733 case ICMP4_INFOREQUEST
:
1734 case ICMP4_INFOREPLY
:
1735 if (icmp
->icmp_code
!= 0) {
1738 /* Separate ICMP connection: identified using id */
1739 key
->src
.icmp_id
= key
->dst
.icmp_id
= icmp
->icmp_fields
.echo
.id
;
1740 key
->src
.icmp_type
= icmp
->icmp_type
;
1741 key
->dst
.icmp_type
= reverse_icmp_type(icmp
->icmp_type
);
1743 case ICMP4_DST_UNREACH
:
1744 case ICMP4_TIME_EXCEEDED
:
1745 case ICMP4_PARAM_PROB
:
1746 case ICMP4_SOURCEQUENCH
:
1747 case ICMP4_REDIRECT
: {
1748 /* ICMP packet part of another connection. We should
1749 * extract the key from embedded packet header */
1750 struct conn_key inner_key
;
1751 const char *l3
= (const char *) (icmp
+ 1);
1752 const char *tail
= (const char *) data
+ size
;
1759 memset(&inner_key
, 0, sizeof inner_key
);
1760 inner_key
.dl_type
= htons(ETH_TYPE_IP
);
1761 bool ok
= extract_l3_ipv4(&inner_key
, l3
, tail
- l3
, &l4
, false);
1766 if (inner_key
.src
.addr
.ipv4_aligned
!= key
->dst
.addr
.ipv4_aligned
) {
1770 key
->src
= inner_key
.src
;
1771 key
->dst
= inner_key
.dst
;
1772 key
->nw_proto
= inner_key
.nw_proto
;
1774 ok
= extract_l4(key
, l4
, tail
- l4
, NULL
, l3
, false);
1776 conn_key_reverse(key
);
1789 reverse_icmp6_type(uint8_t type
)
1792 case ICMP6_ECHO_REQUEST
:
1793 return ICMP6_ECHO_REPLY
;
1794 case ICMP6_ECHO_REPLY
:
1795 return ICMP6_ECHO_REQUEST
;
1801 /* If 'related' is not NULL and the function is processing an ICMP
1802 * error packet, extract the l3 and l4 fields from the nested header
1803 * instead and set *related to true. If 'related' is NULL we're
1804 * already processing a nested header and no such recursion is
1807 extract_l4_icmp6(struct conn_key
*key
, const void *data
, size_t size
,
1810 const struct icmp6_header
*icmp6
= data
;
1812 /* All the messages that we support need at least 4 bytes after
1814 if (size
< sizeof *icmp6
+ 4) {
1818 switch (icmp6
->icmp6_type
) {
1819 case ICMP6_ECHO_REQUEST
:
1820 case ICMP6_ECHO_REPLY
:
1821 if (icmp6
->icmp6_code
!= 0) {
1824 /* Separate ICMP connection: identified using id */
1825 key
->src
.icmp_id
= key
->dst
.icmp_id
= *(ovs_be16
*) (icmp6
+ 1);
1826 key
->src
.icmp_type
= icmp6
->icmp6_type
;
1827 key
->dst
.icmp_type
= reverse_icmp6_type(icmp6
->icmp6_type
);
1829 case ICMP6_DST_UNREACH
:
1830 case ICMP6_PACKET_TOO_BIG
:
1831 case ICMP6_TIME_EXCEEDED
:
1832 case ICMP6_PARAM_PROB
: {
1833 /* ICMP packet part of another connection. We should
1834 * extract the key from embedded packet header */
1835 struct conn_key inner_key
;
1836 const char *l3
= (const char *) icmp6
+ 8;
1837 const char *tail
= (const char *) data
+ size
;
1838 const char *l4
= NULL
;
1844 memset(&inner_key
, 0, sizeof inner_key
);
1845 inner_key
.dl_type
= htons(ETH_TYPE_IPV6
);
1846 bool ok
= extract_l3_ipv6(&inner_key
, l3
, tail
- l3
, &l4
);
1851 /* pf doesn't do this, but it seems a good idea */
1852 if (!ipv6_addr_equals(&inner_key
.src
.addr
.ipv6_aligned
,
1853 &key
->dst
.addr
.ipv6_aligned
)) {
1857 key
->src
= inner_key
.src
;
1858 key
->dst
= inner_key
.dst
;
1859 key
->nw_proto
= inner_key
.nw_proto
;
1861 ok
= extract_l4(key
, l4
, tail
- l4
, NULL
, l3
, false);
1863 conn_key_reverse(key
);
1875 /* Extract l4 fields into 'key', which must already contain valid l3
1878 * If 'related' is not NULL and an ICMP error packet is being
1879 * processed, the function will extract the key from the packet nested
1880 * in the ICMP payload and set '*related' to true.
1882 * If 'related' is NULL, it means that we're already parsing a header nested
1883 * in an ICMP error. In this case, we skip checksum and length validation. */
1885 extract_l4(struct conn_key
*key
, const void *data
, size_t size
, bool *related
,
1886 const void *l3
, bool validate_checksum
)
1888 if (key
->nw_proto
== IPPROTO_TCP
) {
1889 return (!related
|| check_l4_tcp(key
, data
, size
, l3
,
1890 validate_checksum
)) && extract_l4_tcp(key
, data
, size
);
1891 } else if (key
->nw_proto
== IPPROTO_UDP
) {
1892 return (!related
|| check_l4_udp(key
, data
, size
, l3
,
1893 validate_checksum
)) && extract_l4_udp(key
, data
, size
);
1894 } else if (key
->dl_type
== htons(ETH_TYPE_IP
)
1895 && key
->nw_proto
== IPPROTO_ICMP
) {
1896 return (!related
|| check_l4_icmp(data
, size
, validate_checksum
))
1897 && extract_l4_icmp(key
, data
, size
, related
);
1898 } else if (key
->dl_type
== htons(ETH_TYPE_IPV6
)
1899 && key
->nw_proto
== IPPROTO_ICMPV6
) {
1900 return (!related
|| check_l4_icmp6(key
, data
, size
, l3
,
1901 validate_checksum
)) && extract_l4_icmp6(key
, data
, size
,
1909 conn_key_extract(struct conntrack
*ct
, struct dp_packet
*pkt
, ovs_be16 dl_type
,
1910 struct conn_lookup_ctx
*ctx
, uint16_t zone
)
1912 const struct eth_header
*l2
= dp_packet_eth(pkt
);
1913 const struct ip_header
*l3
= dp_packet_l3(pkt
);
1914 const char *l4
= dp_packet_l4(pkt
);
1916 memset(ctx
, 0, sizeof *ctx
);
1918 if (!l2
|| !l3
|| !l4
) {
1922 ctx
->key
.zone
= zone
;
1924 /* XXX In this function we parse the packet (again, it has already
1925 * gone through miniflow_extract()) for two reasons:
1927 * 1) To extract the l3 addresses and l4 ports.
1928 * We already have the l3 and l4 headers' pointers. Extracting
1929 * the l3 addresses and the l4 ports is really cheap, since they
1930 * can be found at fixed locations.
1931 * 2) To extract the l4 type.
1932 * Extracting the l4 types, for IPv6 can be quite expensive, because
1933 * it's not at a fixed location.
1935 * Here's a way to avoid (2) with the help of the datapath.
1936 * The datapath doesn't keep the packet's extracted flow[1], so
1937 * using that is not an option. We could use the packet's matching
1938 * megaflow, but we have to make sure that the l4 type (nw_proto)
1939 * is unwildcarded. This means either:
1941 * a) dpif-netdev unwildcards the l4 type when a new flow is installed
1942 * if the actions contains ct().
1944 * b) ofproto-dpif-xlate unwildcards the l4 type when translating a ct()
1945 * action. This is already done in different actions, but it's
1946 * unnecessary for the kernel.
1949 * [1] The reasons for this are that keeping the flow increases
1950 * (slightly) the cache footprint and increases computation
1951 * time as we move the packet around. Most importantly, the flow
1952 * should be updated by the actions and this can be slow, as
1953 * we use a sparse representation (miniflow).
1956 const char *tail
= dp_packet_tail(pkt
);
1958 ctx
->key
.dl_type
= dl_type
;
1960 if (ctx
->key
.dl_type
== htons(ETH_TYPE_IP
)) {
1961 bool hwol_bad_l3_csum
= dp_packet_ip_checksum_bad(pkt
);
1962 if (hwol_bad_l3_csum
) {
1965 bool hwol_good_l3_csum
= dp_packet_ip_checksum_valid(pkt
);
1966 /* Validate the checksum only when hwol is not supported. */
1967 ok
= extract_l3_ipv4(&ctx
->key
, l3
, tail
- (char *) l3
, NULL
,
1968 !hwol_good_l3_csum
);
1970 } else if (ctx
->key
.dl_type
== htons(ETH_TYPE_IPV6
)) {
1971 ok
= extract_l3_ipv6(&ctx
->key
, l3
, tail
- (char *) l3
, NULL
);
1977 bool hwol_bad_l4_csum
= dp_packet_l4_checksum_bad(pkt
);
1978 if (!hwol_bad_l4_csum
) {
1979 bool hwol_good_l4_csum
= dp_packet_l4_checksum_valid(pkt
);
1980 /* Validate the checksum only when hwol is not supported. */
1981 if (extract_l4(&ctx
->key
, l4
, tail
- l4
, &ctx
->icmp_related
, l3
,
1982 !hwol_good_l4_csum
)) {
1983 ctx
->hash
= conn_key_hash(&ctx
->key
, ct
->hash_basis
);
1993 ct_addr_hash_add(uint32_t hash
, const struct ct_addr
*addr
)
1995 BUILD_ASSERT_DECL(sizeof *addr
% 4 == 0);
1996 return hash_add_bytes32(hash
, (const uint32_t *) addr
, sizeof *addr
);
2000 ct_endpoint_hash_add(uint32_t hash
, const struct ct_endpoint
*ep
)
2002 BUILD_ASSERT_DECL(sizeof *ep
% 4 == 0);
2003 return hash_add_bytes32(hash
, (const uint32_t *) ep
, sizeof *ep
);
2008 conn_key_hash(const struct conn_key
*key
, uint32_t basis
)
2010 uint32_t hsrc
, hdst
, hash
;
2011 hsrc
= hdst
= basis
;
2012 hsrc
= ct_endpoint_hash_add(hsrc
, &key
->src
);
2013 hdst
= ct_endpoint_hash_add(hdst
, &key
->dst
);
2015 /* Even if source and destination are swapped the hash will be the same. */
2018 /* Hash the rest of the key(L3 and L4 types and zone). */
2019 hash
= hash_words((uint32_t *) (&key
->dst
+ 1),
2020 (uint32_t *) (key
+ 1) - (uint32_t *) (&key
->dst
+ 1),
2023 return hash_finish(hash
, 0);
2027 conn_key_reverse(struct conn_key
*key
)
2029 struct ct_endpoint tmp
= key
->src
;
2030 key
->src
= key
->dst
;
2035 nat_ipv6_addrs_delta(struct in6_addr
*ipv6_aligned_min
,
2036 struct in6_addr
*ipv6_aligned_max
)
2038 uint8_t *ipv6_min_hi
= &ipv6_aligned_min
->s6_addr
[0];
2039 uint8_t *ipv6_min_lo
= &ipv6_aligned_min
->s6_addr
[0] + sizeof(uint64_t);
2040 uint8_t *ipv6_max_hi
= &ipv6_aligned_max
->s6_addr
[0];
2041 uint8_t *ipv6_max_lo
= &ipv6_aligned_max
->s6_addr
[0] + sizeof(uint64_t);
2043 ovs_be64 addr6_64_min_hi
;
2044 ovs_be64 addr6_64_min_lo
;
2045 memcpy(&addr6_64_min_hi
, ipv6_min_hi
, sizeof addr6_64_min_hi
);
2046 memcpy(&addr6_64_min_lo
, ipv6_min_lo
, sizeof addr6_64_min_lo
);
2048 ovs_be64 addr6_64_max_hi
;
2049 ovs_be64 addr6_64_max_lo
;
2050 memcpy(&addr6_64_max_hi
, ipv6_max_hi
, sizeof addr6_64_max_hi
);
2051 memcpy(&addr6_64_max_lo
, ipv6_max_lo
, sizeof addr6_64_max_lo
);
2055 if (addr6_64_min_hi
== addr6_64_max_hi
&&
2056 ntohll(addr6_64_min_lo
) <= ntohll(addr6_64_max_lo
)) {
2057 diff
= ntohll(addr6_64_max_lo
) - ntohll(addr6_64_min_lo
);
2058 } else if (ntohll(addr6_64_min_hi
) + 1 == ntohll(addr6_64_max_hi
) &&
2059 ntohll(addr6_64_min_lo
) > ntohll(addr6_64_max_lo
)) {
2060 diff
= UINT64_MAX
- (ntohll(addr6_64_min_lo
) -
2061 ntohll(addr6_64_max_lo
) - 1);
2063 /* Limit address delta supported to 32 bits or 4 billion approximately.
2064 * Possibly, this should be visible to the user through a datapath
2065 * support check, however the practical impact is probably nil. */
2069 if (diff
> 0xfffffffe) {
2075 /* This function must be used in tandem with nat_ipv6_addrs_delta(), which
2076 * restricts the input parameters. */
2078 nat_ipv6_addr_increment(struct in6_addr
*ipv6_aligned
, uint32_t increment
)
2080 uint8_t *ipv6_hi
= &ipv6_aligned
->s6_addr
[0];
2081 uint8_t *ipv6_lo
= &ipv6_aligned
->s6_addr
[0] + sizeof(ovs_be64
);
2082 ovs_be64 addr6_64_hi
;
2083 ovs_be64 addr6_64_lo
;
2084 memcpy(&addr6_64_hi
, ipv6_hi
, sizeof addr6_64_hi
);
2085 memcpy(&addr6_64_lo
, ipv6_lo
, sizeof addr6_64_lo
);
2087 if (UINT64_MAX
- increment
>= ntohll(addr6_64_lo
)) {
2088 addr6_64_lo
= htonll(increment
+ ntohll(addr6_64_lo
));
2089 } else if (addr6_64_hi
!= OVS_BE64_MAX
) {
2090 addr6_64_hi
= htonll(1 + ntohll(addr6_64_hi
));
2091 addr6_64_lo
= htonll(increment
- (UINT64_MAX
-
2092 ntohll(addr6_64_lo
) + 1));
2097 memcpy(ipv6_hi
, &addr6_64_hi
, sizeof addr6_64_hi
);
2098 memcpy(ipv6_lo
, &addr6_64_lo
, sizeof addr6_64_lo
);
2104 nat_range_hash(const struct conn
*conn
, uint32_t basis
)
2106 uint32_t hash
= basis
;
2108 hash
= ct_addr_hash_add(hash
, &conn
->nat_info
->min_addr
);
2109 hash
= ct_addr_hash_add(hash
, &conn
->nat_info
->max_addr
);
2110 hash
= hash_add(hash
,
2111 (conn
->nat_info
->max_port
<< 16)
2112 | conn
->nat_info
->min_port
);
2113 hash
= ct_endpoint_hash_add(hash
, &conn
->key
.src
);
2114 hash
= ct_endpoint_hash_add(hash
, &conn
->key
.dst
);
2115 hash
= hash_add(hash
, (OVS_FORCE
uint32_t) conn
->key
.dl_type
);
2116 hash
= hash_add(hash
, conn
->key
.nw_proto
);
2117 hash
= hash_add(hash
, conn
->key
.zone
);
2119 /* The purpose of the second parameter is to distinguish hashes of data of
2120 * different length; our data always has the same length so there is no
2121 * value in counting. */
2122 return hash_finish(hash
, 0);
2126 nat_select_range_tuple(struct conntrack
*ct
, const struct conn
*conn
,
2127 struct conn
*nat_conn
)
2129 enum { MIN_NAT_EPHEMERAL_PORT
= 1024,
2130 MAX_NAT_EPHEMERAL_PORT
= 65535 };
2134 uint16_t first_port
;
2135 uint32_t hash
= nat_range_hash(conn
, ct
->hash_basis
);
2137 if ((conn
->nat_info
->nat_action
& NAT_ACTION_SRC
) &&
2138 (!(conn
->nat_info
->nat_action
& NAT_ACTION_SRC_PORT
))) {
2139 min_port
= ntohs(conn
->key
.src
.port
);
2140 max_port
= ntohs(conn
->key
.src
.port
);
2141 first_port
= min_port
;
2142 } else if ((conn
->nat_info
->nat_action
& NAT_ACTION_DST
) &&
2143 (!(conn
->nat_info
->nat_action
& NAT_ACTION_DST_PORT
))) {
2144 min_port
= ntohs(conn
->key
.dst
.port
);
2145 max_port
= ntohs(conn
->key
.dst
.port
);
2146 first_port
= min_port
;
2148 uint16_t deltap
= conn
->nat_info
->max_port
- conn
->nat_info
->min_port
;
2149 uint32_t port_index
= hash
% (deltap
+ 1);
2150 first_port
= conn
->nat_info
->min_port
+ port_index
;
2151 min_port
= conn
->nat_info
->min_port
;
2152 max_port
= conn
->nat_info
->max_port
;
2155 uint32_t deltaa
= 0;
2156 uint32_t address_index
;
2157 struct ct_addr ct_addr
;
2158 memset(&ct_addr
, 0, sizeof ct_addr
);
2159 struct ct_addr max_ct_addr
;
2160 memset(&max_ct_addr
, 0, sizeof max_ct_addr
);
2161 max_ct_addr
= conn
->nat_info
->max_addr
;
2163 if (conn
->key
.dl_type
== htons(ETH_TYPE_IP
)) {
2164 deltaa
= ntohl(conn
->nat_info
->max_addr
.ipv4_aligned
) -
2165 ntohl(conn
->nat_info
->min_addr
.ipv4_aligned
);
2166 address_index
= hash
% (deltaa
+ 1);
2167 ct_addr
.ipv4_aligned
= htonl(
2168 ntohl(conn
->nat_info
->min_addr
.ipv4_aligned
) + address_index
);
2170 deltaa
= nat_ipv6_addrs_delta(&conn
->nat_info
->min_addr
.ipv6_aligned
,
2171 &conn
->nat_info
->max_addr
.ipv6_aligned
);
2172 /* deltaa must be within 32 bits for full hash coverage. A 64 or
2173 * 128 bit hash is unnecessary and hence not used here. Most code
2174 * is kept common with V4; nat_ipv6_addrs_delta() will do the
2175 * enforcement via max_ct_addr. */
2176 max_ct_addr
= conn
->nat_info
->min_addr
;
2177 nat_ipv6_addr_increment(&max_ct_addr
.ipv6_aligned
, deltaa
);
2178 address_index
= hash
% (deltaa
+ 1);
2179 ct_addr
.ipv6_aligned
= conn
->nat_info
->min_addr
.ipv6_aligned
;
2180 nat_ipv6_addr_increment(&ct_addr
.ipv6_aligned
, address_index
);
2183 uint16_t port
= first_port
;
2184 bool all_ports_tried
= false;
2185 bool original_ports_tried
= false;
2186 struct ct_addr first_addr
= ct_addr
;
2189 if (conn
->nat_info
->nat_action
& NAT_ACTION_SRC
) {
2190 nat_conn
->rev_key
.dst
.addr
= ct_addr
;
2192 nat_conn
->rev_key
.src
.addr
= ct_addr
;
2195 if ((conn
->key
.nw_proto
== IPPROTO_ICMP
) ||
2196 (conn
->key
.nw_proto
== IPPROTO_ICMPV6
)) {
2197 all_ports_tried
= true;
2198 } else if (conn
->nat_info
->nat_action
& NAT_ACTION_SRC
) {
2199 nat_conn
->rev_key
.dst
.port
= htons(port
);
2201 nat_conn
->rev_key
.src
.port
= htons(port
);
2204 bool new_insert
= nat_conn_keys_insert(&ct
->nat_conn_keys
, nat_conn
,
2208 } else if (!all_ports_tried
) {
2209 if (min_port
== max_port
) {
2210 all_ports_tried
= true;
2211 } else if (port
== max_port
) {
2216 if (port
== first_port
) {
2217 all_ports_tried
= true;
2220 if (memcmp(&ct_addr
, &max_ct_addr
, sizeof ct_addr
)) {
2221 if (conn
->key
.dl_type
== htons(ETH_TYPE_IP
)) {
2222 ct_addr
.ipv4_aligned
= htonl(
2223 ntohl(ct_addr
.ipv4_aligned
) + 1);
2225 nat_ipv6_addr_increment(&ct_addr
.ipv6_aligned
, 1);
2228 ct_addr
= conn
->nat_info
->min_addr
;
2230 if (!memcmp(&ct_addr
, &first_addr
, sizeof ct_addr
)) {
2231 if (!original_ports_tried
) {
2232 original_ports_tried
= true;
2233 ct_addr
= conn
->nat_info
->min_addr
;
2234 min_port
= MIN_NAT_EPHEMERAL_PORT
;
2235 max_port
= MAX_NAT_EPHEMERAL_PORT
;
2240 first_port
= min_port
;
2242 all_ports_tried
= false;
2248 /* This function must be called with the ct->resources lock taken. */
2249 static struct nat_conn_key_node
*
2250 nat_conn_keys_lookup(struct hmap
*nat_conn_keys
,
2251 const struct conn_key
*key
,
2254 struct nat_conn_key_node
*nat_conn_key_node
;
2256 HMAP_FOR_EACH_WITH_HASH (nat_conn_key_node
, node
,
2257 conn_key_hash(key
, basis
), nat_conn_keys
) {
2258 if (!conn_key_cmp(&nat_conn_key_node
->key
, key
)) {
2259 return nat_conn_key_node
;
2265 /* This function must be called with the ct->resources lock taken. */
2267 nat_conn_keys_insert(struct hmap
*nat_conn_keys
, const struct conn
*nat_conn
,
2270 struct nat_conn_key_node
*nat_conn_key_node
=
2271 nat_conn_keys_lookup(nat_conn_keys
, &nat_conn
->rev_key
, basis
);
2273 if (!nat_conn_key_node
) {
2274 struct nat_conn_key_node
*nat_conn_key
= xzalloc(sizeof *nat_conn_key
);
2275 nat_conn_key
->key
= nat_conn
->rev_key
;
2276 nat_conn_key
->value
= nat_conn
->key
;
2277 hmap_insert(nat_conn_keys
, &nat_conn_key
->node
,
2278 conn_key_hash(&nat_conn_key
->key
, basis
));
2284 /* This function must be called with the ct->resources write lock taken. */
2286 nat_conn_keys_remove(struct hmap
*nat_conn_keys
,
2287 const struct conn_key
*key
,
2290 struct nat_conn_key_node
*nat_conn_key_node
;
2292 HMAP_FOR_EACH_WITH_HASH (nat_conn_key_node
, node
,
2293 conn_key_hash(key
, basis
), nat_conn_keys
) {
2294 if (!conn_key_cmp(&nat_conn_key_node
->key
, key
)) {
2295 hmap_remove(nat_conn_keys
, &nat_conn_key_node
->node
);
2296 free(nat_conn_key_node
);
2303 conn_key_lookup(struct conntrack_bucket
*ctb
, struct conn_lookup_ctx
*ctx
,
2305 OVS_REQUIRES(ctb
->lock
)
2307 uint32_t hash
= ctx
->hash
;
2312 HMAP_FOR_EACH_WITH_HASH (conn
, node
, hash
, &ctb
->connections
) {
2313 if (!conn_key_cmp(&conn
->key
, &ctx
->key
)
2314 && !conn_expired(conn
, now
)) {
2319 if (!conn_key_cmp(&conn
->rev_key
, &ctx
->key
)
2320 && !conn_expired(conn
, now
)) {
2328 static enum ct_update_res
2329 conn_update(struct conn
*conn
, struct conntrack_bucket
*ctb
,
2330 struct dp_packet
*pkt
, bool reply
, long long now
)
2332 return l4_protos
[conn
->key
.nw_proto
]->conn_update(conn
, ctb
, pkt
,
2337 conn_expired(struct conn
*conn
, long long now
)
2339 if (conn
->conn_type
== CT_CONN_TYPE_DEFAULT
) {
2340 return now
>= conn
->expiration
;
2346 valid_new(struct dp_packet
*pkt
, struct conn_key
*key
)
2348 return l4_protos
[key
->nw_proto
]->valid_new(pkt
);
2351 static struct conn
*
2352 new_conn(struct conntrack_bucket
*ctb
, struct dp_packet
*pkt
,
2353 struct conn_key
*key
, long long now
)
2355 struct conn
*newconn
= l4_protos
[key
->nw_proto
]->new_conn(ctb
, pkt
, now
);
2357 newconn
->key
= *key
;
2364 delete_conn(struct conn
*conn
)
2366 free(conn
->nat_info
);
2372 ct_endpoint_to_ct_dpif_inet_addr(const struct ct_addr
*a
,
2373 union ct_dpif_inet_addr
*b
,
2376 if (dl_type
== htons(ETH_TYPE_IP
)) {
2377 b
->ip
= a
->ipv4_aligned
;
2378 } else if (dl_type
== htons(ETH_TYPE_IPV6
)){
2379 b
->in6
= a
->ipv6_aligned
;
2384 conn_key_to_tuple(const struct conn_key
*key
, struct ct_dpif_tuple
*tuple
)
2386 if (key
->dl_type
== htons(ETH_TYPE_IP
)) {
2387 tuple
->l3_type
= AF_INET
;
2388 } else if (key
->dl_type
== htons(ETH_TYPE_IPV6
)) {
2389 tuple
->l3_type
= AF_INET6
;
2391 tuple
->ip_proto
= key
->nw_proto
;
2392 ct_endpoint_to_ct_dpif_inet_addr(&key
->src
.addr
, &tuple
->src
,
2394 ct_endpoint_to_ct_dpif_inet_addr(&key
->dst
.addr
, &tuple
->dst
,
2397 if (key
->nw_proto
== IPPROTO_ICMP
|| key
->nw_proto
== IPPROTO_ICMPV6
) {
2398 tuple
->icmp_id
= key
->src
.icmp_id
;
2399 tuple
->icmp_type
= key
->src
.icmp_type
;
2400 tuple
->icmp_code
= key
->src
.icmp_code
;
2402 tuple
->src_port
= key
->src
.port
;
2403 tuple
->dst_port
= key
->dst
.port
;
2408 conn_to_ct_dpif_entry(const struct conn
*conn
, struct ct_dpif_entry
*entry
,
2409 long long now
, int bkt
)
2411 memset(entry
, 0, sizeof *entry
);
2412 conn_key_to_tuple(&conn
->key
, &entry
->tuple_orig
);
2413 conn_key_to_tuple(&conn
->rev_key
, &entry
->tuple_reply
);
2415 entry
->zone
= conn
->key
.zone
;
2416 entry
->mark
= conn
->mark
;
2418 memcpy(&entry
->labels
, &conn
->label
, sizeof entry
->labels
);
2419 /* Not implemented yet */
2420 entry
->timestamp
.start
= 0;
2421 entry
->timestamp
.stop
= 0;
2423 long long expiration
= conn
->expiration
- now
;
2424 entry
->timeout
= (expiration
> 0) ? expiration
/ 1000 : 0;
2426 struct ct_l4_proto
*class = l4_protos
[conn
->key
.nw_proto
];
2427 if (class->conn_get_protoinfo
) {
2428 class->conn_get_protoinfo(conn
, &entry
->protoinfo
);
2434 /* Caller is responsible for freeing. */
2435 entry
->helper
.name
= xstrdup(conn
->alg
);
2440 conntrack_dump_start(struct conntrack
*ct
, struct conntrack_dump
*dump
,
2441 const uint16_t *pzone
, int *ptot_bkts
)
2443 memset(dump
, 0, sizeof(*dump
));
2446 dump
->zone
= *pzone
;
2447 dump
->filter_zone
= true;
2451 *ptot_bkts
= CONNTRACK_BUCKETS
;
2456 conntrack_dump_next(struct conntrack_dump
*dump
, struct ct_dpif_entry
*entry
)
2458 struct conntrack
*ct
= dump
->ct
;
2459 long long now
= time_msec();
2461 while (dump
->bucket
< CONNTRACK_BUCKETS
) {
2462 struct hmap_node
*node
;
2464 ct_lock_lock(&ct
->buckets
[dump
->bucket
].lock
);
2468 node
= hmap_at_position(&ct
->buckets
[dump
->bucket
].connections
,
2473 INIT_CONTAINER(conn
, node
, node
);
2474 if ((!dump
->filter_zone
|| conn
->key
.zone
== dump
->zone
) &&
2475 (conn
->conn_type
!= CT_CONN_TYPE_UN_NAT
)) {
2476 conn_to_ct_dpif_entry(conn
, entry
, now
, dump
->bucket
);
2479 /* Else continue, until we find an entry in the appropriate zone
2480 * or the bucket has been scanned completely. */
2482 ct_lock_unlock(&ct
->buckets
[dump
->bucket
].lock
);
2485 memset(&dump
->bucket_pos
, 0, sizeof dump
->bucket_pos
);
2495 conntrack_dump_done(struct conntrack_dump
*dump OVS_UNUSED
)
2501 conntrack_flush(struct conntrack
*ct
, const uint16_t *zone
)
2503 for (unsigned i
= 0; i
< CONNTRACK_BUCKETS
; i
++) {
2504 struct conn
*conn
, *next
;
2506 ct_lock_lock(&ct
->buckets
[i
].lock
);
2507 HMAP_FOR_EACH_SAFE (conn
, next
, node
, &ct
->buckets
[i
].connections
) {
2508 if ((!zone
|| *zone
== conn
->key
.zone
) &&
2509 (conn
->conn_type
== CT_CONN_TYPE_DEFAULT
)) {
2510 conn_clean(ct
, conn
, &ct
->buckets
[i
]);
2513 ct_lock_unlock(&ct
->buckets
[i
].lock
);
2520 conntrack_set_maxconns(struct conntrack
*ct
, uint32_t maxconns
)
2522 atomic_store_relaxed(&ct
->n_conn_limit
, maxconns
);
2527 conntrack_get_maxconns(struct conntrack
*ct
, uint32_t *maxconns
)
2529 atomic_read_relaxed(&ct
->n_conn_limit
, maxconns
);
2534 conntrack_get_nconns(struct conntrack
*ct
, uint32_t *nconns
)
2536 *nconns
= atomic_count_get(&ct
->n_conn
);
2540 /* This function must be called with the ct->resources read lock taken. */
2541 static struct alg_exp_node
*
2542 expectation_lookup(struct hmap
*alg_expectations
, const struct conn_key
*key
,
2543 uint32_t basis
, bool src_ip_wc
)
2545 struct conn_key check_key
= *key
;
2546 check_key
.src
.port
= ALG_WC_SRC_PORT
;
2549 memset(&check_key
.src
.addr
, 0, sizeof check_key
.src
.addr
);
2552 struct alg_exp_node
*alg_exp_node
;
2554 HMAP_FOR_EACH_WITH_HASH (alg_exp_node
, node
,
2555 conn_key_hash(&check_key
, basis
),
2557 if (!conn_key_cmp(&alg_exp_node
->key
, &check_key
)) {
2558 return alg_exp_node
;
2564 /* This function must be called with the ct->resources write lock taken. */
2566 expectation_remove(struct hmap
*alg_expectations
,
2567 const struct conn_key
*key
, uint32_t basis
)
2569 struct alg_exp_node
*alg_exp_node
;
2571 HMAP_FOR_EACH_WITH_HASH (alg_exp_node
, node
, conn_key_hash(key
, basis
),
2573 if (!conn_key_cmp(&alg_exp_node
->key
, key
)) {
2574 hmap_remove(alg_expectations
, &alg_exp_node
->node
);
2580 /* This function must be called with the ct->resources read lock taken. */
2581 static struct alg_exp_node
*
2582 expectation_ref_lookup_unique(const struct hindex
*alg_expectation_refs
,
2583 const struct conn_key
*master_key
,
2584 const struct conn_key
*alg_exp_key
,
2587 struct alg_exp_node
*alg_exp_node
;
2589 HINDEX_FOR_EACH_WITH_HASH (alg_exp_node
, node_ref
,
2590 conn_key_hash(master_key
, basis
),
2591 alg_expectation_refs
) {
2592 if (!conn_key_cmp(&alg_exp_node
->master_key
, master_key
) &&
2593 !conn_key_cmp(&alg_exp_node
->key
, alg_exp_key
)) {
2594 return alg_exp_node
;
2600 /* This function must be called with the ct->resources write lock taken. */
2602 expectation_ref_create(struct hindex
*alg_expectation_refs
,
2603 struct alg_exp_node
*alg_exp_node
,
2606 if (!expectation_ref_lookup_unique(alg_expectation_refs
,
2607 &alg_exp_node
->master_key
,
2608 &alg_exp_node
->key
, basis
)) {
2609 hindex_insert(alg_expectation_refs
, &alg_exp_node
->node_ref
,
2610 conn_key_hash(&alg_exp_node
->master_key
, basis
));
2615 expectation_clean(struct conntrack
*ct
, const struct conn_key
*master_key
,
2618 ct_rwlock_wrlock(&ct
->resources_lock
);
2620 struct alg_exp_node
*node
, *next
;
2621 HINDEX_FOR_EACH_WITH_HASH_SAFE (node
, next
, node_ref
,
2622 conn_key_hash(master_key
, basis
),
2623 &ct
->alg_expectation_refs
) {
2624 if (!conn_key_cmp(&node
->master_key
, master_key
)) {
2625 expectation_remove(&ct
->alg_expectations
, &node
->key
, basis
);
2626 hindex_remove(&ct
->alg_expectation_refs
, &node
->node_ref
);
2631 ct_rwlock_unlock(&ct
->resources_lock
);
2635 expectation_create(struct conntrack
*ct
, ovs_be16 dst_port
,
2636 const struct conn
*master_conn
, bool reply
, bool src_ip_wc
,
2639 struct ct_addr src_addr
;
2640 struct ct_addr dst_addr
;
2641 struct ct_addr alg_nat_repl_addr
;
2642 struct alg_exp_node
*alg_exp_node
= xzalloc(sizeof *alg_exp_node
);
2645 src_addr
= master_conn
->key
.src
.addr
;
2646 dst_addr
= master_conn
->key
.dst
.addr
;
2648 alg_nat_repl_addr
= dst_addr
;
2650 alg_nat_repl_addr
= master_conn
->rev_key
.dst
.addr
;
2652 alg_exp_node
->nat_rpl_dst
= true;
2654 src_addr
= master_conn
->rev_key
.src
.addr
;
2655 dst_addr
= master_conn
->rev_key
.dst
.addr
;
2657 alg_nat_repl_addr
= src_addr
;
2659 alg_nat_repl_addr
= master_conn
->key
.src
.addr
;
2661 alg_exp_node
->nat_rpl_dst
= false;
2664 memset(&src_addr
, 0, sizeof src_addr
);
2667 alg_exp_node
->key
.dl_type
= master_conn
->key
.dl_type
;
2668 alg_exp_node
->key
.nw_proto
= master_conn
->key
.nw_proto
;
2669 alg_exp_node
->key
.zone
= master_conn
->key
.zone
;
2670 alg_exp_node
->key
.src
.addr
= src_addr
;
2671 alg_exp_node
->key
.dst
.addr
= dst_addr
;
2672 alg_exp_node
->key
.src
.port
= ALG_WC_SRC_PORT
;
2673 alg_exp_node
->key
.dst
.port
= dst_port
;
2674 alg_exp_node
->master_mark
= master_conn
->mark
;
2675 alg_exp_node
->master_label
= master_conn
->label
;
2676 alg_exp_node
->master_key
= master_conn
->key
;
2677 /* Take the write lock here because it is almost 100%
2678 * likely that the lookup will fail and
2679 * expectation_create() will be called below. */
2680 ct_rwlock_wrlock(&ct
->resources_lock
);
2681 struct alg_exp_node
*alg_exp
= expectation_lookup(
2682 &ct
->alg_expectations
, &alg_exp_node
->key
, ct
->hash_basis
, src_ip_wc
);
2685 ct_rwlock_unlock(&ct
->resources_lock
);
2689 alg_exp_node
->alg_nat_repl_addr
= alg_nat_repl_addr
;
2690 hmap_insert(&ct
->alg_expectations
, &alg_exp_node
->node
,
2691 conn_key_hash(&alg_exp_node
->key
, ct
->hash_basis
));
2692 expectation_ref_create(&ct
->alg_expectation_refs
, alg_exp_node
,
2694 ct_rwlock_unlock(&ct
->resources_lock
);
2698 get_v4_byte_be(ovs_be32 v4_addr
, uint8_t index
)
2700 uint8_t *byte_ptr
= (OVS_FORCE
uint8_t *) &v4_addr
;
2701 return byte_ptr
[index
];
2705 replace_substring(char *substr
, uint8_t substr_size
,
2706 uint8_t total_size
, char *rep_str
,
2707 uint8_t rep_str_size
)
2709 memmove(substr
+ rep_str_size
, substr
+ substr_size
,
2710 total_size
- substr_size
);
2711 memcpy(substr
, rep_str
, rep_str_size
);
2714 /* Replace IPV4 address in FTP message with NATed address. */
2716 repl_ftp_v4_addr(struct dp_packet
*pkt
, ovs_be32 v4_addr_rep
,
2717 char *ftp_data_start
,
2718 size_t addr_offset_from_ftp_data_start
)
2720 enum { MAX_FTP_V4_NAT_DELTA
= 8 };
2722 /* Do conservative check for pathological MTU usage. */
2723 uint32_t orig_used_size
= dp_packet_size(pkt
);
2724 uint16_t allocated_size
= dp_packet_get_allocated(pkt
);
2725 if (orig_used_size
+ MAX_FTP_V4_NAT_DELTA
> allocated_size
) {
2726 static struct vlog_rate_limit rl
= VLOG_RATE_LIMIT_INIT(5, 5);
2727 VLOG_WARN_RL(&rl
, "Unsupported effective MTU %u used with FTP",
2732 size_t remain_size
= tcp_payload_length(pkt
) -
2733 addr_offset_from_ftp_data_start
;
2734 int overall_delta
= 0;
2735 char *byte_str
= ftp_data_start
+ addr_offset_from_ftp_data_start
;
2737 /* Replace the existing IPv4 address by the new one. */
2738 for (uint8_t i
= 0; i
< 4; i
++) {
2739 /* Find the end of the string for this octet. */
2740 char *next_delim
= memchr(byte_str
, ',', 4);
2741 ovs_assert(next_delim
);
2742 int substr_size
= next_delim
- byte_str
;
2743 remain_size
-= substr_size
;
2745 /* Compose the new string for this octet, and replace it. */
2747 uint8_t rep_byte
= get_v4_byte_be(v4_addr_rep
, i
);
2748 int replace_size
= sprintf(rep_str
, "%d", rep_byte
);
2749 replace_substring(byte_str
, substr_size
, remain_size
,
2750 rep_str
, replace_size
);
2751 overall_delta
+= replace_size
- substr_size
;
2753 /* Advance past the octet and the following comma. */
2754 byte_str
+= replace_size
+ 1;
2757 dp_packet_set_size(pkt
, orig_used_size
+ overall_delta
);
2758 return overall_delta
;
2762 skip_non_digits(char *str
)
2764 while (!isdigit(*str
) && *str
!= 0) {
2771 terminate_number_str(char *str
, uint8_t max_digits
)
2773 uint8_t digits_found
= 0;
2774 while (isdigit(*str
) && digits_found
<= max_digits
) {
2785 get_ftp_ctl_msg(struct dp_packet
*pkt
, char *ftp_msg
)
2787 struct tcp_header
*th
= dp_packet_l4(pkt
);
2788 char *tcp_hdr
= (char *) th
;
2789 uint32_t tcp_payload_len
= tcp_payload_length(pkt
);
2790 size_t tcp_payload_of_interest
= MIN(tcp_payload_len
,
2791 LARGEST_FTP_MSG_OF_INTEREST
);
2792 size_t tcp_hdr_len
= TCP_OFFSET(th
->tcp_ctl
) * 4;
2794 ovs_strlcpy(ftp_msg
, tcp_hdr
+ tcp_hdr_len
,
2795 tcp_payload_of_interest
);
2798 static enum ftp_ctl_pkt
2799 detect_ftp_ctl_type(const struct conn_lookup_ctx
*ctx
,
2800 struct dp_packet
*pkt
)
2802 char ftp_msg
[LARGEST_FTP_MSG_OF_INTEREST
+ 1] = {0};
2803 get_ftp_ctl_msg(pkt
, ftp_msg
);
2805 if (ctx
->key
.dl_type
== htons(ETH_TYPE_IPV6
)) {
2806 if (strncasecmp(ftp_msg
, FTP_EPRT_CMD
, strlen(FTP_EPRT_CMD
)) &&
2807 !strcasestr(ftp_msg
, FTP_EPSV_REPLY
)) {
2808 return CT_FTP_CTL_OTHER
;
2811 if (strncasecmp(ftp_msg
, FTP_PORT_CMD
, strlen(FTP_PORT_CMD
)) &&
2812 strncasecmp(ftp_msg
, FTP_PASV_REPLY_CODE
,
2813 strlen(FTP_PASV_REPLY_CODE
))) {
2814 return CT_FTP_CTL_OTHER
;
2818 return CT_FTP_CTL_INTEREST
;
2821 static enum ftp_ctl_pkt
2822 process_ftp_ctl_v4(struct conntrack
*ct
,
2823 struct dp_packet
*pkt
,
2824 const struct conn
*conn_for_expectation
,
2825 ovs_be32
*v4_addr_rep
,
2826 char **ftp_data_v4_start
,
2827 size_t *addr_offset_from_ftp_data_start
)
2829 struct tcp_header
*th
= dp_packet_l4(pkt
);
2830 size_t tcp_hdr_len
= TCP_OFFSET(th
->tcp_ctl
) * 4;
2831 char *tcp_hdr
= (char *) th
;
2832 *ftp_data_v4_start
= tcp_hdr
+ tcp_hdr_len
;
2833 char ftp_msg
[LARGEST_FTP_MSG_OF_INTEREST
+ 1] = {0};
2834 get_ftp_ctl_msg(pkt
, ftp_msg
);
2835 char *ftp
= ftp_msg
;
2836 enum ct_alg_mode mode
;
2838 if (!strncasecmp(ftp
, FTP_PORT_CMD
, strlen(FTP_PORT_CMD
))) {
2839 ftp
= ftp_msg
+ strlen(FTP_PORT_CMD
);
2840 mode
= CT_FTP_MODE_ACTIVE
;
2842 ftp
= ftp_msg
+ strlen(FTP_PASV_REPLY_CODE
);
2843 mode
= CT_FTP_MODE_PASSIVE
;
2846 /* Find first space. */
2847 ftp
= strchr(ftp
, ' ');
2849 return CT_FTP_CTL_INVALID
;
2852 /* Find the first digit, after space. */
2853 ftp
= skip_non_digits(ftp
);
2855 return CT_FTP_CTL_INVALID
;
2858 char *ip_addr_start
= ftp
;
2859 *addr_offset_from_ftp_data_start
= ip_addr_start
- ftp_msg
;
2861 uint8_t comma_count
= 0;
2862 while (comma_count
< 4 && *ftp
) {
2865 if (comma_count
== 4) {
2873 if (comma_count
!= 4) {
2874 return CT_FTP_CTL_INVALID
;
2877 struct in_addr ip_addr
;
2878 int rc2
= inet_pton(AF_INET
, ip_addr_start
, &ip_addr
);
2880 return CT_FTP_CTL_INVALID
;
2883 char *save_ftp
= ftp
;
2884 ftp
= terminate_number_str(ftp
, MAX_FTP_PORT_DGTS
);
2886 return CT_FTP_CTL_INVALID
;
2889 if (!str_to_int(save_ftp
, 10, &value
)) {
2890 return CT_FTP_CTL_INVALID
;
2893 /* This is derived from the L4 port maximum is 65535. */
2895 return CT_FTP_CTL_INVALID
;
2898 uint16_t port_hs
= value
;
2901 /* Skip over comma. */
2904 bool digit_found
= false;
2905 while (isdigit(*ftp
)) {
2910 return CT_FTP_CTL_INVALID
;
2913 if (!str_to_int(save_ftp
, 10, &value
)) {
2914 return CT_FTP_CTL_INVALID
;
2918 return CT_FTP_CTL_INVALID
;
2921 uint16_t port_lo_hs
= value
;
2922 if (65535 - port_hs
< port_lo_hs
) {
2923 return CT_FTP_CTL_INVALID
;
2926 port_hs
|= port_lo_hs
;
2927 ovs_be16 port
= htons(port_hs
);
2928 ovs_be32 conn_ipv4_addr
;
2931 case CT_FTP_MODE_ACTIVE
:
2932 *v4_addr_rep
= conn_for_expectation
->rev_key
.dst
.addr
.ipv4_aligned
;
2933 conn_ipv4_addr
= conn_for_expectation
->key
.src
.addr
.ipv4_aligned
;
2935 case CT_FTP_MODE_PASSIVE
:
2936 *v4_addr_rep
= conn_for_expectation
->key
.dst
.addr
.ipv4_aligned
;
2937 conn_ipv4_addr
= conn_for_expectation
->rev_key
.src
.addr
.ipv4_aligned
;
2944 ovs_be32 ftp_ipv4_addr
;
2945 ftp_ipv4_addr
= ip_addr
.s_addr
;
2946 /* Although most servers will block this exploit, there may be some
2947 * less well managed. */
2948 if (ftp_ipv4_addr
!= conn_ipv4_addr
&& ftp_ipv4_addr
!= *v4_addr_rep
) {
2949 return CT_FTP_CTL_INVALID
;
2952 expectation_create(ct
, port
, conn_for_expectation
,
2953 !!(pkt
->md
.ct_state
& CS_REPLY_DIR
), false, false);
2954 return CT_FTP_CTL_INTEREST
;
2958 skip_ipv6_digits(char *str
)
2960 while (isxdigit(*str
) || *str
== ':' || *str
== '.') {
2966 static enum ftp_ctl_pkt
2967 process_ftp_ctl_v6(struct conntrack
*ct
,
2968 struct dp_packet
*pkt
,
2969 const struct conn
*conn_for_expectation
,
2970 struct ct_addr
*v6_addr_rep
,
2971 char **ftp_data_start
,
2972 size_t *addr_offset_from_ftp_data_start
,
2973 size_t *addr_size
, enum ct_alg_mode
*mode
)
2975 struct tcp_header
*th
= dp_packet_l4(pkt
);
2976 size_t tcp_hdr_len
= TCP_OFFSET(th
->tcp_ctl
) * 4;
2977 char *tcp_hdr
= (char *) th
;
2978 char ftp_msg
[LARGEST_FTP_MSG_OF_INTEREST
+ 1] = {0};
2979 get_ftp_ctl_msg(pkt
, ftp_msg
);
2980 *ftp_data_start
= tcp_hdr
+ tcp_hdr_len
;
2981 char *ftp
= ftp_msg
;
2982 struct in6_addr ip6_addr
;
2984 if (!strncasecmp(ftp
, FTP_EPRT_CMD
, strlen(FTP_EPRT_CMD
))) {
2985 ftp
= ftp_msg
+ strlen(FTP_EPRT_CMD
);
2986 ftp
= skip_non_digits(ftp
);
2987 if (*ftp
!= FTP_AF_V6
|| isdigit(ftp
[1])) {
2988 return CT_FTP_CTL_INVALID
;
2990 /* Jump over delimiter. */
2993 memset(&ip6_addr
, 0, sizeof ip6_addr
);
2994 char *ip_addr_start
= ftp
;
2995 *addr_offset_from_ftp_data_start
= ip_addr_start
- ftp_msg
;
2996 ftp
= skip_ipv6_digits(ftp
);
2998 *addr_size
= ftp
- ip_addr_start
;
2999 int rc2
= inet_pton(AF_INET6
, ip_addr_start
, &ip6_addr
);
3001 return CT_FTP_CTL_INVALID
;
3004 *mode
= CT_FTP_MODE_ACTIVE
;
3006 ftp
= ftp_msg
+ strcspn(ftp_msg
, "(");
3007 ftp
= skip_non_digits(ftp
);
3008 if (!isdigit(*ftp
)) {
3009 return CT_FTP_CTL_INVALID
;
3012 /* Not used for passive mode. */
3013 *addr_offset_from_ftp_data_start
= 0;
3016 *mode
= CT_FTP_MODE_PASSIVE
;
3019 char *save_ftp
= ftp
;
3020 ftp
= terminate_number_str(ftp
, MAX_EXT_FTP_PORT_DGTS
);
3022 return CT_FTP_CTL_INVALID
;
3026 if (!str_to_int(save_ftp
, 10, &value
)) {
3027 return CT_FTP_CTL_INVALID
;
3029 if (value
> CT_MAX_L4_PORT
) {
3030 return CT_FTP_CTL_INVALID
;
3033 uint16_t port_hs
= value
;
3034 ovs_be16 port
= htons(port_hs
);
3037 case CT_FTP_MODE_ACTIVE
:
3038 *v6_addr_rep
= conn_for_expectation
->rev_key
.dst
.addr
;
3039 /* Although most servers will block this exploit, there may be some
3040 * less well managed. */
3041 if (memcmp(&ip6_addr
, &v6_addr_rep
->ipv6_aligned
, sizeof ip6_addr
) &&
3042 memcmp(&ip6_addr
, &conn_for_expectation
->key
.src
.addr
.ipv6_aligned
,
3044 return CT_FTP_CTL_INVALID
;
3047 case CT_FTP_MODE_PASSIVE
:
3048 *v6_addr_rep
= conn_for_expectation
->key
.dst
.addr
;
3055 expectation_create(ct
, port
, conn_for_expectation
,
3056 !!(pkt
->md
.ct_state
& CS_REPLY_DIR
), false, false);
3057 return CT_FTP_CTL_INTEREST
;
3061 repl_ftp_v6_addr(struct dp_packet
*pkt
, struct ct_addr v6_addr_rep
,
3062 char *ftp_data_start
,
3063 size_t addr_offset_from_ftp_data_start
,
3064 size_t addr_size
, enum ct_alg_mode mode
)
3066 /* This is slightly bigger than really possible. */
3067 enum { MAX_FTP_V6_NAT_DELTA
= 45 };
3069 if (mode
== CT_FTP_MODE_PASSIVE
) {
3073 /* Do conservative check for pathological MTU usage. */
3074 uint32_t orig_used_size
= dp_packet_size(pkt
);
3075 uint16_t allocated_size
= dp_packet_get_allocated(pkt
);
3076 if (orig_used_size
+ MAX_FTP_V6_NAT_DELTA
> allocated_size
) {
3077 static struct vlog_rate_limit rl
= VLOG_RATE_LIMIT_INIT(5, 5);
3078 VLOG_WARN_RL(&rl
, "Unsupported effective MTU %u used with FTP",
3084 char v6_addr_str
[IPV6_SCAN_LEN
] = {0};
3085 rc
= inet_ntop(AF_INET6
, &v6_addr_rep
.ipv6_aligned
, v6_addr_str
,
3087 ovs_assert(rc
!= NULL
);
3089 size_t replace_addr_size
= strlen(v6_addr_str
);
3091 size_t remain_size
= tcp_payload_length(pkt
) -
3092 addr_offset_from_ftp_data_start
;
3094 char *pkt_addr_str
= ftp_data_start
+ addr_offset_from_ftp_data_start
;
3095 replace_substring(pkt_addr_str
, addr_size
, remain_size
,
3096 v6_addr_str
, replace_addr_size
);
3098 int overall_delta
= (int) replace_addr_size
- (int) addr_size
;
3100 dp_packet_set_size(pkt
, orig_used_size
+ overall_delta
);
3101 return overall_delta
;
3105 handle_ftp_ctl(struct conntrack
*ct
, const struct conn_lookup_ctx
*ctx
,
3106 struct dp_packet
*pkt
,
3107 const struct conn
*conn_for_expectation
,
3108 long long now
, enum ftp_ctl_pkt ftp_ctl
, bool nat
)
3110 struct ip_header
*l3_hdr
= dp_packet_l3(pkt
);
3111 ovs_be32 v4_addr_rep
= 0;
3112 struct ct_addr v6_addr_rep
;
3113 size_t addr_offset_from_ftp_data_start
;
3114 size_t addr_size
= 0;
3115 char *ftp_data_start
;
3116 bool do_seq_skew_adj
= true;
3117 enum ct_alg_mode mode
= CT_FTP_MODE_ACTIVE
;
3119 if (detect_ftp_ctl_type(ctx
, pkt
) != ftp_ctl
) {
3123 if (!nat
|| !conn_for_expectation
->seq_skew
) {
3124 do_seq_skew_adj
= false;
3127 struct ovs_16aligned_ip6_hdr
*nh6
= dp_packet_l3(pkt
);
3128 int64_t seq_skew
= 0;
3130 if (ftp_ctl
== CT_FTP_CTL_OTHER
) {
3131 seq_skew
= conn_for_expectation
->seq_skew
;
3132 } else if (ftp_ctl
== CT_FTP_CTL_INTEREST
) {
3133 enum ftp_ctl_pkt rc
;
3134 if (ctx
->key
.dl_type
== htons(ETH_TYPE_IPV6
)) {
3135 rc
= process_ftp_ctl_v6(ct
, pkt
, conn_for_expectation
,
3136 &v6_addr_rep
, &ftp_data_start
,
3137 &addr_offset_from_ftp_data_start
,
3140 rc
= process_ftp_ctl_v4(ct
, pkt
, conn_for_expectation
,
3141 &v4_addr_rep
, &ftp_data_start
,
3142 &addr_offset_from_ftp_data_start
);
3144 if (rc
== CT_FTP_CTL_INVALID
) {
3145 static struct vlog_rate_limit rl
= VLOG_RATE_LIMIT_INIT(5, 5);
3146 VLOG_WARN_RL(&rl
, "Invalid FTP control packet format");
3147 pkt
->md
.ct_state
|= CS_TRACKED
| CS_INVALID
;
3149 } else if (rc
== CT_FTP_CTL_INTEREST
) {
3152 if (ctx
->key
.dl_type
== htons(ETH_TYPE_IPV6
)) {
3153 seq_skew
= repl_ftp_v6_addr(pkt
, v6_addr_rep
, ftp_data_start
,
3154 addr_offset_from_ftp_data_start
,
3157 ip_len
= ntohs(nh6
->ip6_ctlun
.ip6_un1
.ip6_un1_plen
);
3159 nh6
->ip6_ctlun
.ip6_un1
.ip6_un1_plen
= htons(ip_len
);
3160 conn_seq_skew_set(ct
, &conn_for_expectation
->key
, now
,
3161 seq_skew
, ctx
->reply
);
3164 seq_skew
= repl_ftp_v4_addr(pkt
, v4_addr_rep
, ftp_data_start
,
3165 addr_offset_from_ftp_data_start
);
3166 ip_len
= ntohs(l3_hdr
->ip_tot_len
);
3169 l3_hdr
->ip_csum
= recalc_csum16(l3_hdr
->ip_csum
,
3170 l3_hdr
->ip_tot_len
, htons(ip_len
));
3171 l3_hdr
->ip_tot_len
= htons(ip_len
);
3172 conn_seq_skew_set(ct
, &conn_for_expectation
->key
, now
,
3173 seq_skew
, ctx
->reply
);
3183 struct tcp_header
*th
= dp_packet_l4(pkt
);
3185 if (do_seq_skew_adj
&& seq_skew
!= 0) {
3186 if (ctx
->reply
!= conn_for_expectation
->seq_skew_dir
) {
3188 uint32_t tcp_ack
= ntohl(get_16aligned_be32(&th
->tcp_ack
));
3190 if ((seq_skew
> 0) && (tcp_ack
< seq_skew
)) {
3191 /* Should not be possible; will be marked invalid. */
3193 } else if ((seq_skew
< 0) && (UINT32_MAX
- tcp_ack
< -seq_skew
)) {
3194 tcp_ack
= (-seq_skew
) - (UINT32_MAX
- tcp_ack
);
3196 tcp_ack
-= seq_skew
;
3198 ovs_be32 new_tcp_ack
= htonl(tcp_ack
);
3199 put_16aligned_be32(&th
->tcp_ack
, new_tcp_ack
);
3201 uint32_t tcp_seq
= ntohl(get_16aligned_be32(&th
->tcp_seq
));
3202 if ((seq_skew
> 0) && (UINT32_MAX
- tcp_seq
< seq_skew
)) {
3203 tcp_seq
= seq_skew
- (UINT32_MAX
- tcp_seq
);
3204 } else if ((seq_skew
< 0) && (tcp_seq
< -seq_skew
)) {
3205 /* Should not be possible; will be marked invalid. */
3208 tcp_seq
+= seq_skew
;
3210 ovs_be32 new_tcp_seq
= htonl(tcp_seq
);
3211 put_16aligned_be32(&th
->tcp_seq
, new_tcp_seq
);
3217 if (ctx
->key
.dl_type
== htons(ETH_TYPE_IPV6
)) {
3218 tcp_csum
= packet_csum_pseudoheader6(nh6
);
3220 tcp_csum
= packet_csum_pseudoheader(l3_hdr
);
3222 const char *tail
= dp_packet_tail(pkt
);
3223 uint8_t pad
= dp_packet_l2_pad_size(pkt
);
3224 th
->tcp_csum
= csum_finish(
3225 csum_continue(tcp_csum
, th
, tail
- (char *) th
- pad
));
3230 handle_tftp_ctl(struct conntrack
*ct
,
3231 const struct conn_lookup_ctx
*ctx OVS_UNUSED
,
3232 struct dp_packet
*pkt
,
3233 const struct conn
*conn_for_expectation
,
3234 long long now OVS_UNUSED
,
3235 enum ftp_ctl_pkt ftp_ctl OVS_UNUSED
, bool nat OVS_UNUSED
)
3237 expectation_create(ct
, conn_for_expectation
->key
.src
.port
,
3238 conn_for_expectation
,
3239 !!(pkt
->md
.ct_state
& CS_REPLY_DIR
), false, false);