2 * Copyright (c) 2015 Nicira, Inc.
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of version 2 of the GNU General Public
6 * License as published by the Free Software Foundation.
8 * This program is distributed in the hope that it will be useful, but
9 * WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
11 * General Public License for more details.
14 #include <linux/module.h>
15 #include <linux/openvswitch.h>
17 #include <net/netfilter/nf_conntrack_core.h>
18 #include <net/netfilter/nf_conntrack_helper.h>
19 #include <net/netfilter/nf_conntrack_labels.h>
20 #include <net/netfilter/nf_conntrack_zones.h>
21 #include <net/netfilter/ipv6/nf_defrag_ipv6.h>
24 #include "conntrack.h"
26 #include "flow_netlink.h"
28 struct ovs_ct_len_tbl {
33 /* Metadata mark for masked write to conntrack mark */
39 /* Metadata label for masked write to conntrack label. */
41 struct ovs_key_ct_labels value;
42 struct ovs_key_ct_labels mask;
45 /* Conntrack action context for execution. */
46 struct ovs_conntrack_info {
47 struct nf_conntrack_helper *helper;
48 struct nf_conntrack_zone zone;
53 struct md_labels labels;
56 static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info);
58 static u16 key_to_nfproto(const struct sw_flow_key *key)
60 switch (ntohs(key->eth.type)) {
66 return NFPROTO_UNSPEC;
70 /* Map SKB connection state into the values used by flow definition. */
71 static u8 ovs_ct_get_state(enum ip_conntrack_info ctinfo)
73 u8 ct_state = OVS_CS_F_TRACKED;
76 case IP_CT_ESTABLISHED_REPLY:
77 case IP_CT_RELATED_REPLY:
79 ct_state |= OVS_CS_F_REPLY_DIR;
86 case IP_CT_ESTABLISHED:
87 case IP_CT_ESTABLISHED_REPLY:
88 ct_state |= OVS_CS_F_ESTABLISHED;
91 case IP_CT_RELATED_REPLY:
92 ct_state |= OVS_CS_F_RELATED;
96 ct_state |= OVS_CS_F_NEW;
105 static u32 ovs_ct_get_mark(const struct nf_conn *ct)
107 #if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK)
108 return ct ? ct->mark : 0;
114 static void ovs_ct_get_labels(const struct nf_conn *ct,
115 struct ovs_key_ct_labels *labels)
117 struct nf_conn_labels *cl = ct ? nf_ct_labels_find(ct) : NULL;
120 size_t len = cl->words * sizeof(long);
122 if (len > OVS_CT_LABELS_LEN)
123 len = OVS_CT_LABELS_LEN;
124 else if (len < OVS_CT_LABELS_LEN)
125 memset(labels, 0, OVS_CT_LABELS_LEN);
126 memcpy(labels, cl->bits, len);
128 memset(labels, 0, OVS_CT_LABELS_LEN);
132 static void __ovs_ct_update_key(struct sw_flow_key *key, u8 state,
133 const struct nf_conntrack_zone *zone,
134 const struct nf_conn *ct)
136 key->ct.state = state;
137 key->ct.zone = zone->id;
138 key->ct.mark = ovs_ct_get_mark(ct);
139 ovs_ct_get_labels(ct, &key->ct.labels);
142 /* Update 'key' based on skb->nfct. If 'post_ct' is true, then OVS has
143 * previously sent the packet to conntrack via the ct action.
145 static void ovs_ct_update_key(const struct sk_buff *skb,
146 const struct ovs_conntrack_info *info,
147 struct sw_flow_key *key, bool post_ct)
149 const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
150 enum ip_conntrack_info ctinfo;
154 ct = nf_ct_get(skb, &ctinfo);
156 state = ovs_ct_get_state(ctinfo);
157 if (!nf_ct_is_confirmed(ct))
158 state |= OVS_CS_F_NEW;
160 state |= OVS_CS_F_RELATED;
161 zone = nf_ct_zone(ct);
162 } else if (post_ct) {
163 state = OVS_CS_F_TRACKED | OVS_CS_F_INVALID;
167 __ovs_ct_update_key(key, state, zone, ct);
170 void ovs_ct_fill_key(const struct sk_buff *skb, struct sw_flow_key *key)
172 ovs_ct_update_key(skb, NULL, key, false);
175 int ovs_ct_put_key(const struct sw_flow_key *key, struct sk_buff *skb)
177 if (nla_put_u32(skb, OVS_KEY_ATTR_CT_STATE, key->ct.state))
180 if (IS_ENABLED(CONFIG_NF_CONNTRACK_ZONES) &&
181 nla_put_u16(skb, OVS_KEY_ATTR_CT_ZONE, key->ct.zone))
184 if (IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) &&
185 nla_put_u32(skb, OVS_KEY_ATTR_CT_MARK, key->ct.mark))
188 if (IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS) &&
189 nla_put(skb, OVS_KEY_ATTR_CT_LABELS, sizeof(key->ct.labels),
196 static int ovs_ct_set_mark(struct sk_buff *skb, struct sw_flow_key *key,
197 u32 ct_mark, u32 mask)
199 #if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK)
200 enum ip_conntrack_info ctinfo;
205 /* The connection could be invalid, in which case set_mark is no-op. */
206 ct = nf_ct_get(skb, &ctinfo);
210 new_mark = ct_mark | (ct->mark & ~(mask));
211 if (ct->mark != new_mark) {
213 nf_conntrack_event_cache(IPCT_MARK, ct);
214 key->ct.mark = new_mark;
223 static int ovs_ct_set_labels(struct sk_buff *skb, struct sw_flow_key *key,
224 const struct ovs_key_ct_labels *labels,
225 const struct ovs_key_ct_labels *mask)
227 enum ip_conntrack_info ctinfo;
228 struct nf_conn_labels *cl;
232 /* The connection could be invalid, in which case set_label is no-op.*/
233 ct = nf_ct_get(skb, &ctinfo);
237 cl = nf_ct_labels_find(ct);
239 nf_ct_labels_ext_add(ct);
240 cl = nf_ct_labels_find(ct);
242 if (!cl || cl->words * sizeof(long) < OVS_CT_LABELS_LEN)
245 err = nf_connlabels_replace(ct, (u32 *)labels, (u32 *)mask,
246 OVS_CT_LABELS_LEN / sizeof(u32));
250 ovs_ct_get_labels(ct, &key->ct.labels);
254 /* 'skb' should already be pulled to nh_ofs. */
255 static int ovs_ct_helper(struct sk_buff *skb, u16 proto)
257 const struct nf_conntrack_helper *helper;
258 const struct nf_conn_help *help;
259 enum ip_conntrack_info ctinfo;
260 unsigned int protoff;
263 ct = nf_ct_get(skb, &ctinfo);
264 if (!ct || ctinfo == IP_CT_RELATED_REPLY)
267 help = nfct_help(ct);
271 helper = rcu_dereference(help->helper);
277 protoff = ip_hdrlen(skb);
280 u8 nexthdr = ipv6_hdr(skb)->nexthdr;
284 ofs = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr,
286 if (ofs < 0 || (frag_off & htons(~0x7)) != 0) {
287 pr_debug("proto header not found\n");
294 WARN_ONCE(1, "helper invoked on non-IP family!");
298 return helper->help(skb, protoff, ct, ctinfo);
301 /* Returns 0 on success, -EINPROGRESS if 'skb' is stolen, or other nonzero
302 * value if 'skb' is freed.
304 static int handle_fragments(struct net *net, struct sw_flow_key *key,
305 u16 zone, struct sk_buff *skb)
307 struct ovs_skb_cb ovs_cb = *OVS_CB(skb);
309 if (key->eth.type == htons(ETH_P_IP)) {
310 enum ip_defrag_users user = IP_DEFRAG_CONNTRACK_IN + zone;
313 memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
314 err = ip_defrag(net, skb, user);
318 ovs_cb.mru = IPCB(skb)->frag_max_size;
319 #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
320 } else if (key->eth.type == htons(ETH_P_IPV6)) {
321 enum ip6_defrag_users user = IP6_DEFRAG_CONNTRACK_IN + zone;
322 struct sk_buff *reasm;
324 memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm));
325 reasm = nf_ct_frag6_gather(net, skb, user);
334 /* Don't free 'skb' even though it is one of the original
335 * fragments, as we're going to morph it into the head.
338 nf_ct_frag6_consume_orig(reasm);
340 key->ip.proto = ipv6_hdr(reasm)->nexthdr;
341 skb_morph(skb, reasm);
342 skb->next = reasm->next;
344 ovs_cb.mru = IP6CB(skb)->frag_max_size;
348 return -EPFNOSUPPORT;
351 key->ip.frag = OVS_FRAG_TYPE_NONE;
354 *OVS_CB(skb) = ovs_cb;
359 static struct nf_conntrack_expect *
360 ovs_ct_expect_find(struct net *net, const struct nf_conntrack_zone *zone,
361 u16 proto, const struct sk_buff *skb)
363 struct nf_conntrack_tuple tuple;
364 struct nf_conntrack_expect *exp;
366 if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb), proto, net, &tuple))
369 exp = __nf_ct_expect_find(net, zone, &tuple);
371 struct nf_conntrack_tuple_hash *h;
373 /* Delete existing conntrack entry, if it clashes with the
374 * expectation. This can happen since conntrack ALGs do not
375 * check for clashes between (new) expectations and existing
376 * conntrack entries. nf_conntrack_in() will check the
377 * expectations only if a conntrack entry can not be found,
378 * which can lead to OVS finding the expectation (here) in the
379 * init direction, but which will not be removed by the
380 * nf_conntrack_in() call, if a matching conntrack entry is
381 * found instead. In this case all init direction packets
382 * would be reported as new related packets, while reply
383 * direction packets would be reported as un-related
384 * established packets.
386 h = nf_conntrack_find_get(net, zone, &tuple);
388 struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
390 nf_ct_delete(ct, 0, 0);
391 nf_conntrack_put(&ct->ct_general);
398 /* Determine whether skb->nfct is equal to the result of conntrack lookup. */
399 static bool skb_nfct_cached(const struct net *net, const struct sk_buff *skb,
400 const struct ovs_conntrack_info *info)
402 enum ip_conntrack_info ctinfo;
405 ct = nf_ct_get(skb, &ctinfo);
408 if (!net_eq(net, read_pnet(&ct->ct_net)))
410 if (!nf_ct_zone_equal_any(info->ct, nf_ct_zone(ct)))
413 struct nf_conn_help *help;
415 help = nf_ct_ext_find(ct, NF_CT_EXT_HELPER);
416 if (help && rcu_access_pointer(help->helper) != info->helper)
423 static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
424 const struct ovs_conntrack_info *info,
427 /* If we are recirculating packets to match on conntrack fields and
428 * committing with a separate conntrack action, then we don't need to
429 * actually run the packet through conntrack twice unless it's for a
432 if (!skb_nfct_cached(net, skb, info)) {
433 struct nf_conn *tmpl = info->ct;
435 /* Associate skb with specified zone. */
438 nf_conntrack_put(skb->nfct);
439 nf_conntrack_get(&tmpl->ct_general);
440 skb->nfct = &tmpl->ct_general;
441 skb->nfctinfo = IP_CT_NEW;
444 if (nf_conntrack_in(net, info->family, NF_INET_PRE_ROUTING,
448 if (ovs_ct_helper(skb, info->family) != NF_ACCEPT) {
449 WARN_ONCE(1, "helper rejected packet");
454 ovs_ct_update_key(skb, info, key, true);
459 /* Lookup connection and read fields into key. */
460 static int ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
461 const struct ovs_conntrack_info *info,
464 struct nf_conntrack_expect *exp;
466 exp = ovs_ct_expect_find(net, &info->zone, info->family, skb);
470 state = OVS_CS_F_TRACKED | OVS_CS_F_NEW | OVS_CS_F_RELATED;
471 __ovs_ct_update_key(key, state, &info->zone, exp->master);
475 err = __ovs_ct_lookup(net, key, info, skb);
483 /* Lookup connection and confirm if unconfirmed. */
484 static int ovs_ct_commit(struct net *net, struct sw_flow_key *key,
485 const struct ovs_conntrack_info *info,
491 state = key->ct.state;
492 if (key->ct.zone == info->zone.id &&
493 ((state & OVS_CS_F_TRACKED) && !(state & OVS_CS_F_NEW))) {
494 /* Previous lookup has shown that this connection is already
495 * tracked and committed. Skip committing.
500 err = __ovs_ct_lookup(net, key, info, skb);
503 if (nf_conntrack_confirm(skb) != NF_ACCEPT)
509 static bool labels_nonzero(const struct ovs_key_ct_labels *labels)
513 for (i = 0; i < sizeof(*labels); i++)
514 if (labels->ct_labels[i])
520 /* Returns 0 on success, -EINPROGRESS if 'skb' is stolen, or other nonzero
521 * value if 'skb' is freed.
523 int ovs_ct_execute(struct net *net, struct sk_buff *skb,
524 struct sw_flow_key *key,
525 const struct ovs_conntrack_info *info)
530 /* The conntrack module expects to be working at L3. */
531 nh_ofs = skb_network_offset(skb);
532 skb_pull_rcsum(skb, nh_ofs);
534 if (key->ip.frag != OVS_FRAG_TYPE_NONE) {
535 err = handle_fragments(net, key, info->zone.id, skb);
541 err = ovs_ct_commit(net, key, info, skb);
543 err = ovs_ct_lookup(net, key, info, skb);
547 if (info->mark.mask) {
548 err = ovs_ct_set_mark(skb, key, info->mark.value,
553 if (labels_nonzero(&info->labels.mask))
554 err = ovs_ct_set_labels(skb, key, &info->labels.value,
557 skb_push(skb, nh_ofs);
558 skb_postpush_rcsum(skb, skb->data, nh_ofs);
564 static int ovs_ct_add_helper(struct ovs_conntrack_info *info, const char *name,
565 const struct sw_flow_key *key, bool log)
567 struct nf_conntrack_helper *helper;
568 struct nf_conn_help *help;
570 helper = nf_conntrack_helper_try_module_get(name, info->family,
573 OVS_NLERR(log, "Unknown helper \"%s\"", name);
577 help = nf_ct_helper_ext_add(info->ct, helper, GFP_KERNEL);
579 module_put(helper->me);
583 rcu_assign_pointer(help->helper, helper);
584 info->helper = helper;
588 static const struct ovs_ct_len_tbl ovs_ct_attr_lens[OVS_CT_ATTR_MAX + 1] = {
589 [OVS_CT_ATTR_COMMIT] = { .minlen = 0, .maxlen = 0 },
590 [OVS_CT_ATTR_ZONE] = { .minlen = sizeof(u16),
591 .maxlen = sizeof(u16) },
592 [OVS_CT_ATTR_MARK] = { .minlen = sizeof(struct md_mark),
593 .maxlen = sizeof(struct md_mark) },
594 [OVS_CT_ATTR_LABELS] = { .minlen = sizeof(struct md_labels),
595 .maxlen = sizeof(struct md_labels) },
596 [OVS_CT_ATTR_HELPER] = { .minlen = 1,
597 .maxlen = NF_CT_HELPER_NAME_LEN }
600 static int parse_ct(const struct nlattr *attr, struct ovs_conntrack_info *info,
601 const char **helper, bool log)
606 nla_for_each_nested(a, attr, rem) {
607 int type = nla_type(a);
611 if (type > OVS_CT_ATTR_MAX) {
613 "Unknown conntrack attr (type=%d, max=%d)",
614 type, OVS_CT_ATTR_MAX);
618 maxlen = ovs_ct_attr_lens[type].maxlen;
619 minlen = ovs_ct_attr_lens[type].minlen;
620 if (nla_len(a) < minlen || nla_len(a) > maxlen) {
622 "Conntrack attr type has unexpected length (type=%d, length=%d, expected=%d)",
623 type, nla_len(a), maxlen);
628 case OVS_CT_ATTR_COMMIT:
631 #ifdef CONFIG_NF_CONNTRACK_ZONES
632 case OVS_CT_ATTR_ZONE:
633 info->zone.id = nla_get_u16(a);
636 #ifdef CONFIG_NF_CONNTRACK_MARK
637 case OVS_CT_ATTR_MARK: {
638 struct md_mark *mark = nla_data(a);
641 OVS_NLERR(log, "ct_mark mask cannot be 0");
648 #ifdef CONFIG_NF_CONNTRACK_LABELS
649 case OVS_CT_ATTR_LABELS: {
650 struct md_labels *labels = nla_data(a);
652 if (!labels_nonzero(&labels->mask)) {
653 OVS_NLERR(log, "ct_labels mask cannot be 0");
656 info->labels = *labels;
660 case OVS_CT_ATTR_HELPER:
661 *helper = nla_data(a);
662 if (!memchr(*helper, '\0', nla_len(a))) {
663 OVS_NLERR(log, "Invalid conntrack helper");
668 OVS_NLERR(log, "Unknown conntrack attr (%d)",
675 OVS_NLERR(log, "Conntrack attr has %d unknown bytes", rem);
682 bool ovs_ct_verify(struct net *net, enum ovs_key_attr attr)
684 if (attr == OVS_KEY_ATTR_CT_STATE)
686 if (IS_ENABLED(CONFIG_NF_CONNTRACK_ZONES) &&
687 attr == OVS_KEY_ATTR_CT_ZONE)
689 if (IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) &&
690 attr == OVS_KEY_ATTR_CT_MARK)
692 if (IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS) &&
693 attr == OVS_KEY_ATTR_CT_LABELS) {
694 struct ovs_net *ovs_net = net_generic(net, ovs_net_id);
696 return ovs_net->xt_label;
702 int ovs_ct_copy_action(struct net *net, const struct nlattr *attr,
703 const struct sw_flow_key *key,
704 struct sw_flow_actions **sfa, bool log)
706 struct ovs_conntrack_info ct_info;
707 const char *helper = NULL;
711 family = key_to_nfproto(key);
712 if (family == NFPROTO_UNSPEC) {
713 OVS_NLERR(log, "ct family unspecified");
717 memset(&ct_info, 0, sizeof(ct_info));
718 ct_info.family = family;
720 nf_ct_zone_init(&ct_info.zone, NF_CT_DEFAULT_ZONE_ID,
721 NF_CT_DEFAULT_ZONE_DIR, 0);
723 err = parse_ct(attr, &ct_info, &helper, log);
727 /* Set up template for tracking connections in specific zones. */
728 ct_info.ct = nf_ct_tmpl_alloc(net, &ct_info.zone, GFP_KERNEL);
730 OVS_NLERR(log, "Failed to allocate conntrack template");
734 __set_bit(IPS_CONFIRMED_BIT, &ct_info.ct->status);
735 nf_conntrack_get(&ct_info.ct->ct_general);
738 err = ovs_ct_add_helper(&ct_info, helper, key, log);
743 err = ovs_nla_add_action(sfa, OVS_ACTION_ATTR_CT, &ct_info,
744 sizeof(ct_info), log);
750 __ovs_ct_free_action(&ct_info);
754 int ovs_ct_action_to_attr(const struct ovs_conntrack_info *ct_info,
757 struct nlattr *start;
759 start = nla_nest_start(skb, OVS_ACTION_ATTR_CT);
763 if (ct_info->commit && nla_put_flag(skb, OVS_CT_ATTR_COMMIT))
765 if (IS_ENABLED(CONFIG_NF_CONNTRACK_ZONES) &&
766 nla_put_u16(skb, OVS_CT_ATTR_ZONE, ct_info->zone.id))
768 if (IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) && ct_info->mark.mask &&
769 nla_put(skb, OVS_CT_ATTR_MARK, sizeof(ct_info->mark),
772 if (IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS) &&
773 labels_nonzero(&ct_info->labels.mask) &&
774 nla_put(skb, OVS_CT_ATTR_LABELS, sizeof(ct_info->labels),
777 if (ct_info->helper) {
778 if (nla_put_string(skb, OVS_CT_ATTR_HELPER,
779 ct_info->helper->name))
783 nla_nest_end(skb, start);
788 void ovs_ct_free_action(const struct nlattr *a)
790 struct ovs_conntrack_info *ct_info = nla_data(a);
792 __ovs_ct_free_action(ct_info);
795 static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info)
798 module_put(ct_info->helper->me);
800 nf_ct_put(ct_info->ct);
803 void ovs_ct_init(struct net *net)
805 unsigned int n_bits = sizeof(struct ovs_key_ct_labels) * BITS_PER_BYTE;
806 struct ovs_net *ovs_net = net_generic(net, ovs_net_id);
808 if (nf_connlabels_get(net, n_bits)) {
809 ovs_net->xt_label = false;
810 OVS_NLERR(true, "Failed to set connlabel length");
812 ovs_net->xt_label = true;
816 void ovs_ct_exit(struct net *net)
818 struct ovs_net *ovs_net = net_generic(net, ovs_net_id);
820 if (ovs_net->xt_label)
821 nf_connlabels_put(net);
projects / releases.git / blob