cls_flower.c (98558B)
1// SPDX-License-Identifier: GPL-2.0-or-later 2/* 3 * net/sched/cls_flower.c Flower classifier 4 * 5 * Copyright (c) 2015 Jiri Pirko <jiri@resnulli.us> 6 */ 7 8#include <linux/kernel.h> 9#include <linux/init.h> 10#include <linux/module.h> 11#include <linux/rhashtable.h> 12#include <linux/workqueue.h> 13#include <linux/refcount.h> 14 15#include <linux/if_ether.h> 16#include <linux/in6.h> 17#include <linux/ip.h> 18#include <linux/mpls.h> 19 20#include <net/sch_generic.h> 21#include <net/pkt_cls.h> 22#include <net/pkt_sched.h> 23#include <net/ip.h> 24#include <net/flow_dissector.h> 25#include <net/geneve.h> 26#include <net/vxlan.h> 27#include <net/erspan.h> 28#include <net/gtp.h> 29 30#include <net/dst.h> 31#include <net/dst_metadata.h> 32 33#include <uapi/linux/netfilter/nf_conntrack_common.h> 34 35#define TCA_FLOWER_KEY_CT_FLAGS_MAX \ 36 ((__TCA_FLOWER_KEY_CT_FLAGS_MAX - 1) << 1) 37#define TCA_FLOWER_KEY_CT_FLAGS_MASK \ 38 (TCA_FLOWER_KEY_CT_FLAGS_MAX - 1) 39 40struct fl_flow_key { 41 struct flow_dissector_key_meta meta; 42 struct flow_dissector_key_control control; 43 struct flow_dissector_key_control enc_control; 44 struct flow_dissector_key_basic basic; 45 struct flow_dissector_key_eth_addrs eth; 46 struct flow_dissector_key_vlan vlan; 47 struct flow_dissector_key_vlan cvlan; 48 union { 49 struct flow_dissector_key_ipv4_addrs ipv4; 50 struct flow_dissector_key_ipv6_addrs ipv6; 51 }; 52 struct flow_dissector_key_ports tp; 53 struct flow_dissector_key_icmp icmp; 54 struct flow_dissector_key_arp arp; 55 struct flow_dissector_key_keyid enc_key_id; 56 union { 57 struct flow_dissector_key_ipv4_addrs enc_ipv4; 58 struct flow_dissector_key_ipv6_addrs enc_ipv6; 59 }; 60 struct flow_dissector_key_ports enc_tp; 61 struct flow_dissector_key_mpls mpls; 62 struct flow_dissector_key_tcp tcp; 63 struct flow_dissector_key_ip ip; 64 struct flow_dissector_key_ip enc_ip; 65 struct flow_dissector_key_enc_opts enc_opts; 66 union { 67 struct flow_dissector_key_ports tp; 68 struct { 69 struct flow_dissector_key_ports tp_min; 70 struct flow_dissector_key_ports tp_max; 71 }; 72 } tp_range; 73 struct flow_dissector_key_ct ct; 74 struct flow_dissector_key_hash hash; 75 struct flow_dissector_key_num_of_vlans num_of_vlans; 76} __aligned(BITS_PER_LONG / 8); /* Ensure that we can do comparisons as longs. */ 77 78struct fl_flow_mask_range { 79 unsigned short int start; 80 unsigned short int end; 81}; 82 83struct fl_flow_mask { 84 struct fl_flow_key key; 85 struct fl_flow_mask_range range; 86 u32 flags; 87 struct rhash_head ht_node; 88 struct rhashtable ht; 89 struct rhashtable_params filter_ht_params; 90 struct flow_dissector dissector; 91 struct list_head filters; 92 struct rcu_work rwork; 93 struct list_head list; 94 refcount_t refcnt; 95}; 96 97struct fl_flow_tmplt { 98 struct fl_flow_key dummy_key; 99 struct fl_flow_key mask; 100 struct flow_dissector dissector; 101 struct tcf_chain *chain; 102}; 103 104struct cls_fl_head { 105 struct rhashtable ht; 106 spinlock_t masks_lock; /* Protect masks list */ 107 struct list_head masks; 108 struct list_head hw_filters; 109 struct rcu_work rwork; 110 struct idr handle_idr; 111}; 112 113struct cls_fl_filter { 114 struct fl_flow_mask *mask; 115 struct rhash_head ht_node; 116 struct fl_flow_key mkey; 117 struct tcf_exts exts; 118 struct tcf_result res; 119 struct fl_flow_key key; 120 struct list_head list; 121 struct list_head hw_list; 122 u32 handle; 123 u32 flags; 124 u32 in_hw_count; 125 struct rcu_work rwork; 126 struct net_device *hw_dev; 127 /* Flower classifier is unlocked, which means that its reference counter 128 * can be changed concurrently without any kind of external 129 * synchronization. Use atomic reference counter to be concurrency-safe. 130 */ 131 refcount_t refcnt; 132 bool deleted; 133}; 134 135static const struct rhashtable_params mask_ht_params = { 136 .key_offset = offsetof(struct fl_flow_mask, key), 137 .key_len = sizeof(struct fl_flow_key), 138 .head_offset = offsetof(struct fl_flow_mask, ht_node), 139 .automatic_shrinking = true, 140}; 141 142static unsigned short int fl_mask_range(const struct fl_flow_mask *mask) 143{ 144 return mask->range.end - mask->range.start; 145} 146 147static void fl_mask_update_range(struct fl_flow_mask *mask) 148{ 149 const u8 *bytes = (const u8 *) &mask->key; 150 size_t size = sizeof(mask->key); 151 size_t i, first = 0, last; 152 153 for (i = 0; i < size; i++) { 154 if (bytes[i]) { 155 first = i; 156 break; 157 } 158 } 159 last = first; 160 for (i = size - 1; i != first; i--) { 161 if (bytes[i]) { 162 last = i; 163 break; 164 } 165 } 166 mask->range.start = rounddown(first, sizeof(long)); 167 mask->range.end = roundup(last + 1, sizeof(long)); 168} 169 170static void *fl_key_get_start(struct fl_flow_key *key, 171 const struct fl_flow_mask *mask) 172{ 173 return (u8 *) key + mask->range.start; 174} 175 176static void fl_set_masked_key(struct fl_flow_key *mkey, struct fl_flow_key *key, 177 struct fl_flow_mask *mask) 178{ 179 const long *lkey = fl_key_get_start(key, mask); 180 const long *lmask = fl_key_get_start(&mask->key, mask); 181 long *lmkey = fl_key_get_start(mkey, mask); 182 int i; 183 184 for (i = 0; i < fl_mask_range(mask); i += sizeof(long)) 185 *lmkey++ = *lkey++ & *lmask++; 186} 187 188static bool fl_mask_fits_tmplt(struct fl_flow_tmplt *tmplt, 189 struct fl_flow_mask *mask) 190{ 191 const long *lmask = fl_key_get_start(&mask->key, mask); 192 const long *ltmplt; 193 int i; 194 195 if (!tmplt) 196 return true; 197 ltmplt = fl_key_get_start(&tmplt->mask, mask); 198 for (i = 0; i < fl_mask_range(mask); i += sizeof(long)) { 199 if (~*ltmplt++ & *lmask++) 200 return false; 201 } 202 return true; 203} 204 205static void fl_clear_masked_range(struct fl_flow_key *key, 206 struct fl_flow_mask *mask) 207{ 208 memset(fl_key_get_start(key, mask), 0, fl_mask_range(mask)); 209} 210 211static bool fl_range_port_dst_cmp(struct cls_fl_filter *filter, 212 struct fl_flow_key *key, 213 struct fl_flow_key *mkey) 214{ 215 u16 min_mask, max_mask, min_val, max_val; 216 217 min_mask = ntohs(filter->mask->key.tp_range.tp_min.dst); 218 max_mask = ntohs(filter->mask->key.tp_range.tp_max.dst); 219 min_val = ntohs(filter->key.tp_range.tp_min.dst); 220 max_val = ntohs(filter->key.tp_range.tp_max.dst); 221 222 if (min_mask && max_mask) { 223 if (ntohs(key->tp_range.tp.dst) < min_val || 224 ntohs(key->tp_range.tp.dst) > max_val) 225 return false; 226 227 /* skb does not have min and max values */ 228 mkey->tp_range.tp_min.dst = filter->mkey.tp_range.tp_min.dst; 229 mkey->tp_range.tp_max.dst = filter->mkey.tp_range.tp_max.dst; 230 } 231 return true; 232} 233 234static bool fl_range_port_src_cmp(struct cls_fl_filter *filter, 235 struct fl_flow_key *key, 236 struct fl_flow_key *mkey) 237{ 238 u16 min_mask, max_mask, min_val, max_val; 239 240 min_mask = ntohs(filter->mask->key.tp_range.tp_min.src); 241 max_mask = ntohs(filter->mask->key.tp_range.tp_max.src); 242 min_val = ntohs(filter->key.tp_range.tp_min.src); 243 max_val = ntohs(filter->key.tp_range.tp_max.src); 244 245 if (min_mask && max_mask) { 246 if (ntohs(key->tp_range.tp.src) < min_val || 247 ntohs(key->tp_range.tp.src) > max_val) 248 return false; 249 250 /* skb does not have min and max values */ 251 mkey->tp_range.tp_min.src = filter->mkey.tp_range.tp_min.src; 252 mkey->tp_range.tp_max.src = filter->mkey.tp_range.tp_max.src; 253 } 254 return true; 255} 256 257static struct cls_fl_filter *__fl_lookup(struct fl_flow_mask *mask, 258 struct fl_flow_key *mkey) 259{ 260 return rhashtable_lookup_fast(&mask->ht, fl_key_get_start(mkey, mask), 261 mask->filter_ht_params); 262} 263 264static struct cls_fl_filter *fl_lookup_range(struct fl_flow_mask *mask, 265 struct fl_flow_key *mkey, 266 struct fl_flow_key *key) 267{ 268 struct cls_fl_filter *filter, *f; 269 270 list_for_each_entry_rcu(filter, &mask->filters, list) { 271 if (!fl_range_port_dst_cmp(filter, key, mkey)) 272 continue; 273 274 if (!fl_range_port_src_cmp(filter, key, mkey)) 275 continue; 276 277 f = __fl_lookup(mask, mkey); 278 if (f) 279 return f; 280 } 281 return NULL; 282} 283 284static noinline_for_stack 285struct cls_fl_filter *fl_mask_lookup(struct fl_flow_mask *mask, struct fl_flow_key *key) 286{ 287 struct fl_flow_key mkey; 288 289 fl_set_masked_key(&mkey, key, mask); 290 if ((mask->flags & TCA_FLOWER_MASK_FLAGS_RANGE)) 291 return fl_lookup_range(mask, &mkey, key); 292 293 return __fl_lookup(mask, &mkey); 294} 295 296static u16 fl_ct_info_to_flower_map[] = { 297 [IP_CT_ESTABLISHED] = TCA_FLOWER_KEY_CT_FLAGS_TRACKED | 298 TCA_FLOWER_KEY_CT_FLAGS_ESTABLISHED, 299 [IP_CT_RELATED] = TCA_FLOWER_KEY_CT_FLAGS_TRACKED | 300 TCA_FLOWER_KEY_CT_FLAGS_RELATED, 301 [IP_CT_ESTABLISHED_REPLY] = TCA_FLOWER_KEY_CT_FLAGS_TRACKED | 302 TCA_FLOWER_KEY_CT_FLAGS_ESTABLISHED | 303 TCA_FLOWER_KEY_CT_FLAGS_REPLY, 304 [IP_CT_RELATED_REPLY] = TCA_FLOWER_KEY_CT_FLAGS_TRACKED | 305 TCA_FLOWER_KEY_CT_FLAGS_RELATED | 306 TCA_FLOWER_KEY_CT_FLAGS_REPLY, 307 [IP_CT_NEW] = TCA_FLOWER_KEY_CT_FLAGS_TRACKED | 308 TCA_FLOWER_KEY_CT_FLAGS_NEW, 309}; 310 311static int fl_classify(struct sk_buff *skb, const struct tcf_proto *tp, 312 struct tcf_result *res) 313{ 314 struct cls_fl_head *head = rcu_dereference_bh(tp->root); 315 bool post_ct = tc_skb_cb(skb)->post_ct; 316 u16 zone = tc_skb_cb(skb)->zone; 317 struct fl_flow_key skb_key; 318 struct fl_flow_mask *mask; 319 struct cls_fl_filter *f; 320 321 list_for_each_entry_rcu(mask, &head->masks, list) { 322 flow_dissector_init_keys(&skb_key.control, &skb_key.basic); 323 fl_clear_masked_range(&skb_key, mask); 324 325 skb_flow_dissect_meta(skb, &mask->dissector, &skb_key); 326 /* skb_flow_dissect() does not set n_proto in case an unknown 327 * protocol, so do it rather here. 328 */ 329 skb_key.basic.n_proto = skb_protocol(skb, false); 330 skb_flow_dissect_tunnel_info(skb, &mask->dissector, &skb_key); 331 skb_flow_dissect_ct(skb, &mask->dissector, &skb_key, 332 fl_ct_info_to_flower_map, 333 ARRAY_SIZE(fl_ct_info_to_flower_map), 334 post_ct, zone); 335 skb_flow_dissect_hash(skb, &mask->dissector, &skb_key); 336 skb_flow_dissect(skb, &mask->dissector, &skb_key, 337 FLOW_DISSECTOR_F_STOP_BEFORE_ENCAP); 338 339 f = fl_mask_lookup(mask, &skb_key); 340 if (f && !tc_skip_sw(f->flags)) { 341 *res = f->res; 342 return tcf_exts_exec(skb, &f->exts, res); 343 } 344 } 345 return -1; 346} 347 348static int fl_init(struct tcf_proto *tp) 349{ 350 struct cls_fl_head *head; 351 352 head = kzalloc(sizeof(*head), GFP_KERNEL); 353 if (!head) 354 return -ENOBUFS; 355 356 spin_lock_init(&head->masks_lock); 357 INIT_LIST_HEAD_RCU(&head->masks); 358 INIT_LIST_HEAD(&head->hw_filters); 359 rcu_assign_pointer(tp->root, head); 360 idr_init(&head->handle_idr); 361 362 return rhashtable_init(&head->ht, &mask_ht_params); 363} 364 365static void fl_mask_free(struct fl_flow_mask *mask, bool mask_init_done) 366{ 367 /* temporary masks don't have their filters list and ht initialized */ 368 if (mask_init_done) { 369 WARN_ON(!list_empty(&mask->filters)); 370 rhashtable_destroy(&mask->ht); 371 } 372 kfree(mask); 373} 374 375static void fl_mask_free_work(struct work_struct *work) 376{ 377 struct fl_flow_mask *mask = container_of(to_rcu_work(work), 378 struct fl_flow_mask, rwork); 379 380 fl_mask_free(mask, true); 381} 382 383static void fl_uninit_mask_free_work(struct work_struct *work) 384{ 385 struct fl_flow_mask *mask = container_of(to_rcu_work(work), 386 struct fl_flow_mask, rwork); 387 388 fl_mask_free(mask, false); 389} 390 391static bool fl_mask_put(struct cls_fl_head *head, struct fl_flow_mask *mask) 392{ 393 if (!refcount_dec_and_test(&mask->refcnt)) 394 return false; 395 396 rhashtable_remove_fast(&head->ht, &mask->ht_node, mask_ht_params); 397 398 spin_lock(&head->masks_lock); 399 list_del_rcu(&mask->list); 400 spin_unlock(&head->masks_lock); 401 402 tcf_queue_work(&mask->rwork, fl_mask_free_work); 403 404 return true; 405} 406 407static struct cls_fl_head *fl_head_dereference(struct tcf_proto *tp) 408{ 409 /* Flower classifier only changes root pointer during init and destroy. 410 * Users must obtain reference to tcf_proto instance before calling its 411 * API, so tp->root pointer is protected from concurrent call to 412 * fl_destroy() by reference counting. 413 */ 414 return rcu_dereference_raw(tp->root); 415} 416 417static void __fl_destroy_filter(struct cls_fl_filter *f) 418{ 419 tcf_exts_destroy(&f->exts); 420 tcf_exts_put_net(&f->exts); 421 kfree(f); 422} 423 424static void fl_destroy_filter_work(struct work_struct *work) 425{ 426 struct cls_fl_filter *f = container_of(to_rcu_work(work), 427 struct cls_fl_filter, rwork); 428 429 __fl_destroy_filter(f); 430} 431 432static void fl_hw_destroy_filter(struct tcf_proto *tp, struct cls_fl_filter *f, 433 bool rtnl_held, struct netlink_ext_ack *extack) 434{ 435 struct tcf_block *block = tp->chain->block; 436 struct flow_cls_offload cls_flower = {}; 437 438 tc_cls_common_offload_init(&cls_flower.common, tp, f->flags, extack); 439 cls_flower.command = FLOW_CLS_DESTROY; 440 cls_flower.cookie = (unsigned long) f; 441 442 tc_setup_cb_destroy(block, tp, TC_SETUP_CLSFLOWER, &cls_flower, false, 443 &f->flags, &f->in_hw_count, rtnl_held); 444 445} 446 447static int fl_hw_replace_filter(struct tcf_proto *tp, 448 struct cls_fl_filter *f, bool rtnl_held, 449 struct netlink_ext_ack *extack) 450{ 451 struct tcf_block *block = tp->chain->block; 452 struct flow_cls_offload cls_flower = {}; 453 bool skip_sw = tc_skip_sw(f->flags); 454 int err = 0; 455 456 cls_flower.rule = flow_rule_alloc(tcf_exts_num_actions(&f->exts)); 457 if (!cls_flower.rule) 458 return -ENOMEM; 459 460 tc_cls_common_offload_init(&cls_flower.common, tp, f->flags, extack); 461 cls_flower.command = FLOW_CLS_REPLACE; 462 cls_flower.cookie = (unsigned long) f; 463 cls_flower.rule->match.dissector = &f->mask->dissector; 464 cls_flower.rule->match.mask = &f->mask->key; 465 cls_flower.rule->match.key = &f->mkey; 466 cls_flower.classid = f->res.classid; 467 468 err = tc_setup_offload_action(&cls_flower.rule->action, &f->exts, 469 cls_flower.common.extack); 470 if (err) { 471 kfree(cls_flower.rule); 472 473 return skip_sw ? err : 0; 474 } 475 476 err = tc_setup_cb_add(block, tp, TC_SETUP_CLSFLOWER, &cls_flower, 477 skip_sw, &f->flags, &f->in_hw_count, rtnl_held); 478 tc_cleanup_offload_action(&cls_flower.rule->action); 479 kfree(cls_flower.rule); 480 481 if (err) { 482 fl_hw_destroy_filter(tp, f, rtnl_held, NULL); 483 return err; 484 } 485 486 if (skip_sw && !(f->flags & TCA_CLS_FLAGS_IN_HW)) 487 return -EINVAL; 488 489 return 0; 490} 491 492static void fl_hw_update_stats(struct tcf_proto *tp, struct cls_fl_filter *f, 493 bool rtnl_held) 494{ 495 struct tcf_block *block = tp->chain->block; 496 struct flow_cls_offload cls_flower = {}; 497 498 tc_cls_common_offload_init(&cls_flower.common, tp, f->flags, NULL); 499 cls_flower.command = FLOW_CLS_STATS; 500 cls_flower.cookie = (unsigned long) f; 501 cls_flower.classid = f->res.classid; 502 503 tc_setup_cb_call(block, TC_SETUP_CLSFLOWER, &cls_flower, false, 504 rtnl_held); 505 506 tcf_exts_hw_stats_update(&f->exts, cls_flower.stats.bytes, 507 cls_flower.stats.pkts, 508 cls_flower.stats.drops, 509 cls_flower.stats.lastused, 510 cls_flower.stats.used_hw_stats, 511 cls_flower.stats.used_hw_stats_valid); 512} 513 514static void __fl_put(struct cls_fl_filter *f) 515{ 516 if (!refcount_dec_and_test(&f->refcnt)) 517 return; 518 519 if (tcf_exts_get_net(&f->exts)) 520 tcf_queue_work(&f->rwork, fl_destroy_filter_work); 521 else 522 __fl_destroy_filter(f); 523} 524 525static struct cls_fl_filter *__fl_get(struct cls_fl_head *head, u32 handle) 526{ 527 struct cls_fl_filter *f; 528 529 rcu_read_lock(); 530 f = idr_find(&head->handle_idr, handle); 531 if (f && !refcount_inc_not_zero(&f->refcnt)) 532 f = NULL; 533 rcu_read_unlock(); 534 535 return f; 536} 537 538static int __fl_delete(struct tcf_proto *tp, struct cls_fl_filter *f, 539 bool *last, bool rtnl_held, 540 struct netlink_ext_ack *extack) 541{ 542 struct cls_fl_head *head = fl_head_dereference(tp); 543 544 *last = false; 545 546 spin_lock(&tp->lock); 547 if (f->deleted) { 548 spin_unlock(&tp->lock); 549 return -ENOENT; 550 } 551 552 f->deleted = true; 553 rhashtable_remove_fast(&f->mask->ht, &f->ht_node, 554 f->mask->filter_ht_params); 555 idr_remove(&head->handle_idr, f->handle); 556 list_del_rcu(&f->list); 557 spin_unlock(&tp->lock); 558 559 *last = fl_mask_put(head, f->mask); 560 if (!tc_skip_hw(f->flags)) 561 fl_hw_destroy_filter(tp, f, rtnl_held, extack); 562 tcf_unbind_filter(tp, &f->res); 563 __fl_put(f); 564 565 return 0; 566} 567 568static void fl_destroy_sleepable(struct work_struct *work) 569{ 570 struct cls_fl_head *head = container_of(to_rcu_work(work), 571 struct cls_fl_head, 572 rwork); 573 574 rhashtable_destroy(&head->ht); 575 kfree(head); 576 module_put(THIS_MODULE); 577} 578 579static void fl_destroy(struct tcf_proto *tp, bool rtnl_held, 580 struct netlink_ext_ack *extack) 581{ 582 struct cls_fl_head *head = fl_head_dereference(tp); 583 struct fl_flow_mask *mask, *next_mask; 584 struct cls_fl_filter *f, *next; 585 bool last; 586 587 list_for_each_entry_safe(mask, next_mask, &head->masks, list) { 588 list_for_each_entry_safe(f, next, &mask->filters, list) { 589 __fl_delete(tp, f, &last, rtnl_held, extack); 590 if (last) 591 break; 592 } 593 } 594 idr_destroy(&head->handle_idr); 595 596 __module_get(THIS_MODULE); 597 tcf_queue_work(&head->rwork, fl_destroy_sleepable); 598} 599 600static void fl_put(struct tcf_proto *tp, void *arg) 601{ 602 struct cls_fl_filter *f = arg; 603 604 __fl_put(f); 605} 606 607static void *fl_get(struct tcf_proto *tp, u32 handle) 608{ 609 struct cls_fl_head *head = fl_head_dereference(tp); 610 611 return __fl_get(head, handle); 612} 613 614static const struct nla_policy fl_policy[TCA_FLOWER_MAX + 1] = { 615 [TCA_FLOWER_UNSPEC] = { .type = NLA_UNSPEC }, 616 [TCA_FLOWER_CLASSID] = { .type = NLA_U32 }, 617 [TCA_FLOWER_INDEV] = { .type = NLA_STRING, 618 .len = IFNAMSIZ }, 619 [TCA_FLOWER_KEY_ETH_DST] = { .len = ETH_ALEN }, 620 [TCA_FLOWER_KEY_ETH_DST_MASK] = { .len = ETH_ALEN }, 621 [TCA_FLOWER_KEY_ETH_SRC] = { .len = ETH_ALEN }, 622 [TCA_FLOWER_KEY_ETH_SRC_MASK] = { .len = ETH_ALEN }, 623 [TCA_FLOWER_KEY_ETH_TYPE] = { .type = NLA_U16 }, 624 [TCA_FLOWER_KEY_IP_PROTO] = { .type = NLA_U8 }, 625 [TCA_FLOWER_KEY_IPV4_SRC] = { .type = NLA_U32 }, 626 [TCA_FLOWER_KEY_IPV4_SRC_MASK] = { .type = NLA_U32 }, 627 [TCA_FLOWER_KEY_IPV4_DST] = { .type = NLA_U32 }, 628 [TCA_FLOWER_KEY_IPV4_DST_MASK] = { .type = NLA_U32 }, 629 [TCA_FLOWER_KEY_IPV6_SRC] = { .len = sizeof(struct in6_addr) }, 630 [TCA_FLOWER_KEY_IPV6_SRC_MASK] = { .len = sizeof(struct in6_addr) }, 631 [TCA_FLOWER_KEY_IPV6_DST] = { .len = sizeof(struct in6_addr) }, 632 [TCA_FLOWER_KEY_IPV6_DST_MASK] = { .len = sizeof(struct in6_addr) }, 633 [TCA_FLOWER_KEY_TCP_SRC] = { .type = NLA_U16 }, 634 [TCA_FLOWER_KEY_TCP_DST] = { .type = NLA_U16 }, 635 [TCA_FLOWER_KEY_UDP_SRC] = { .type = NLA_U16 }, 636 [TCA_FLOWER_KEY_UDP_DST] = { .type = NLA_U16 }, 637 [TCA_FLOWER_KEY_VLAN_ID] = { .type = NLA_U16 }, 638 [TCA_FLOWER_KEY_VLAN_PRIO] = { .type = NLA_U8 }, 639 [TCA_FLOWER_KEY_VLAN_ETH_TYPE] = { .type = NLA_U16 }, 640 [TCA_FLOWER_KEY_ENC_KEY_ID] = { .type = NLA_U32 }, 641 [TCA_FLOWER_KEY_ENC_IPV4_SRC] = { .type = NLA_U32 }, 642 [TCA_FLOWER_KEY_ENC_IPV4_SRC_MASK] = { .type = NLA_U32 }, 643 [TCA_FLOWER_KEY_ENC_IPV4_DST] = { .type = NLA_U32 }, 644 [TCA_FLOWER_KEY_ENC_IPV4_DST_MASK] = { .type = NLA_U32 }, 645 [TCA_FLOWER_KEY_ENC_IPV6_SRC] = { .len = sizeof(struct in6_addr) }, 646 [TCA_FLOWER_KEY_ENC_IPV6_SRC_MASK] = { .len = sizeof(struct in6_addr) }, 647 [TCA_FLOWER_KEY_ENC_IPV6_DST] = { .len = sizeof(struct in6_addr) }, 648 [TCA_FLOWER_KEY_ENC_IPV6_DST_MASK] = { .len = sizeof(struct in6_addr) }, 649 [TCA_FLOWER_KEY_TCP_SRC_MASK] = { .type = NLA_U16 }, 650 [TCA_FLOWER_KEY_TCP_DST_MASK] = { .type = NLA_U16 }, 651 [TCA_FLOWER_KEY_UDP_SRC_MASK] = { .type = NLA_U16 }, 652 [TCA_FLOWER_KEY_UDP_DST_MASK] = { .type = NLA_U16 }, 653 [TCA_FLOWER_KEY_SCTP_SRC_MASK] = { .type = NLA_U16 }, 654 [TCA_FLOWER_KEY_SCTP_DST_MASK] = { .type = NLA_U16 }, 655 [TCA_FLOWER_KEY_SCTP_SRC] = { .type = NLA_U16 }, 656 [TCA_FLOWER_KEY_SCTP_DST] = { .type = NLA_U16 }, 657 [TCA_FLOWER_KEY_ENC_UDP_SRC_PORT] = { .type = NLA_U16 }, 658 [TCA_FLOWER_KEY_ENC_UDP_SRC_PORT_MASK] = { .type = NLA_U16 }, 659 [TCA_FLOWER_KEY_ENC_UDP_DST_PORT] = { .type = NLA_U16 }, 660 [TCA_FLOWER_KEY_ENC_UDP_DST_PORT_MASK] = { .type = NLA_U16 }, 661 [TCA_FLOWER_KEY_FLAGS] = { .type = NLA_U32 }, 662 [TCA_FLOWER_KEY_FLAGS_MASK] = { .type = NLA_U32 }, 663 [TCA_FLOWER_KEY_ICMPV4_TYPE] = { .type = NLA_U8 }, 664 [TCA_FLOWER_KEY_ICMPV4_TYPE_MASK] = { .type = NLA_U8 }, 665 [TCA_FLOWER_KEY_ICMPV4_CODE] = { .type = NLA_U8 }, 666 [TCA_FLOWER_KEY_ICMPV4_CODE_MASK] = { .type = NLA_U8 }, 667 [TCA_FLOWER_KEY_ICMPV6_TYPE] = { .type = NLA_U8 }, 668 [TCA_FLOWER_KEY_ICMPV6_TYPE_MASK] = { .type = NLA_U8 }, 669 [TCA_FLOWER_KEY_ICMPV6_CODE] = { .type = NLA_U8 }, 670 [TCA_FLOWER_KEY_ICMPV6_CODE_MASK] = { .type = NLA_U8 }, 671 [TCA_FLOWER_KEY_ARP_SIP] = { .type = NLA_U32 }, 672 [TCA_FLOWER_KEY_ARP_SIP_MASK] = { .type = NLA_U32 }, 673 [TCA_FLOWER_KEY_ARP_TIP] = { .type = NLA_U32 }, 674 [TCA_FLOWER_KEY_ARP_TIP_MASK] = { .type = NLA_U32 }, 675 [TCA_FLOWER_KEY_ARP_OP] = { .type = NLA_U8 }, 676 [TCA_FLOWER_KEY_ARP_OP_MASK] = { .type = NLA_U8 }, 677 [TCA_FLOWER_KEY_ARP_SHA] = { .len = ETH_ALEN }, 678 [TCA_FLOWER_KEY_ARP_SHA_MASK] = { .len = ETH_ALEN }, 679 [TCA_FLOWER_KEY_ARP_THA] = { .len = ETH_ALEN }, 680 [TCA_FLOWER_KEY_ARP_THA_MASK] = { .len = ETH_ALEN }, 681 [TCA_FLOWER_KEY_MPLS_TTL] = { .type = NLA_U8 }, 682 [TCA_FLOWER_KEY_MPLS_BOS] = { .type = NLA_U8 }, 683 [TCA_FLOWER_KEY_MPLS_TC] = { .type = NLA_U8 }, 684 [TCA_FLOWER_KEY_MPLS_LABEL] = { .type = NLA_U32 }, 685 [TCA_FLOWER_KEY_MPLS_OPTS] = { .type = NLA_NESTED }, 686 [TCA_FLOWER_KEY_TCP_FLAGS] = { .type = NLA_U16 }, 687 [TCA_FLOWER_KEY_TCP_FLAGS_MASK] = { .type = NLA_U16 }, 688 [TCA_FLOWER_KEY_IP_TOS] = { .type = NLA_U8 }, 689 [TCA_FLOWER_KEY_IP_TOS_MASK] = { .type = NLA_U8 }, 690 [TCA_FLOWER_KEY_IP_TTL] = { .type = NLA_U8 }, 691 [TCA_FLOWER_KEY_IP_TTL_MASK] = { .type = NLA_U8 }, 692 [TCA_FLOWER_KEY_CVLAN_ID] = { .type = NLA_U16 }, 693 [TCA_FLOWER_KEY_CVLAN_PRIO] = { .type = NLA_U8 }, 694 [TCA_FLOWER_KEY_CVLAN_ETH_TYPE] = { .type = NLA_U16 }, 695 [TCA_FLOWER_KEY_ENC_IP_TOS] = { .type = NLA_U8 }, 696 [TCA_FLOWER_KEY_ENC_IP_TOS_MASK] = { .type = NLA_U8 }, 697 [TCA_FLOWER_KEY_ENC_IP_TTL] = { .type = NLA_U8 }, 698 [TCA_FLOWER_KEY_ENC_IP_TTL_MASK] = { .type = NLA_U8 }, 699 [TCA_FLOWER_KEY_ENC_OPTS] = { .type = NLA_NESTED }, 700 [TCA_FLOWER_KEY_ENC_OPTS_MASK] = { .type = NLA_NESTED }, 701 [TCA_FLOWER_KEY_CT_STATE] = 702 NLA_POLICY_MASK(NLA_U16, TCA_FLOWER_KEY_CT_FLAGS_MASK), 703 [TCA_FLOWER_KEY_CT_STATE_MASK] = 704 NLA_POLICY_MASK(NLA_U16, TCA_FLOWER_KEY_CT_FLAGS_MASK), 705 [TCA_FLOWER_KEY_CT_ZONE] = { .type = NLA_U16 }, 706 [TCA_FLOWER_KEY_CT_ZONE_MASK] = { .type = NLA_U16 }, 707 [TCA_FLOWER_KEY_CT_MARK] = { .type = NLA_U32 }, 708 [TCA_FLOWER_KEY_CT_MARK_MASK] = { .type = NLA_U32 }, 709 [TCA_FLOWER_KEY_CT_LABELS] = { .type = NLA_BINARY, 710 .len = 128 / BITS_PER_BYTE }, 711 [TCA_FLOWER_KEY_CT_LABELS_MASK] = { .type = NLA_BINARY, 712 .len = 128 / BITS_PER_BYTE }, 713 [TCA_FLOWER_FLAGS] = { .type = NLA_U32 }, 714 [TCA_FLOWER_KEY_HASH] = { .type = NLA_U32 }, 715 [TCA_FLOWER_KEY_HASH_MASK] = { .type = NLA_U32 }, 716 [TCA_FLOWER_KEY_NUM_OF_VLANS] = { .type = NLA_U8 }, 717 718}; 719 720static const struct nla_policy 721enc_opts_policy[TCA_FLOWER_KEY_ENC_OPTS_MAX + 1] = { 722 [TCA_FLOWER_KEY_ENC_OPTS_UNSPEC] = { 723 .strict_start_type = TCA_FLOWER_KEY_ENC_OPTS_VXLAN }, 724 [TCA_FLOWER_KEY_ENC_OPTS_GENEVE] = { .type = NLA_NESTED }, 725 [TCA_FLOWER_KEY_ENC_OPTS_VXLAN] = { .type = NLA_NESTED }, 726 [TCA_FLOWER_KEY_ENC_OPTS_ERSPAN] = { .type = NLA_NESTED }, 727 [TCA_FLOWER_KEY_ENC_OPTS_GTP] = { .type = NLA_NESTED }, 728}; 729 730static const struct nla_policy 731geneve_opt_policy[TCA_FLOWER_KEY_ENC_OPT_GENEVE_MAX + 1] = { 732 [TCA_FLOWER_KEY_ENC_OPT_GENEVE_CLASS] = { .type = NLA_U16 }, 733 [TCA_FLOWER_KEY_ENC_OPT_GENEVE_TYPE] = { .type = NLA_U8 }, 734 [TCA_FLOWER_KEY_ENC_OPT_GENEVE_DATA] = { .type = NLA_BINARY, 735 .len = 128 }, 736}; 737 738static const struct nla_policy 739vxlan_opt_policy[TCA_FLOWER_KEY_ENC_OPT_VXLAN_MAX + 1] = { 740 [TCA_FLOWER_KEY_ENC_OPT_VXLAN_GBP] = { .type = NLA_U32 }, 741}; 742 743static const struct nla_policy 744erspan_opt_policy[TCA_FLOWER_KEY_ENC_OPT_ERSPAN_MAX + 1] = { 745 [TCA_FLOWER_KEY_ENC_OPT_ERSPAN_VER] = { .type = NLA_U8 }, 746 [TCA_FLOWER_KEY_ENC_OPT_ERSPAN_INDEX] = { .type = NLA_U32 }, 747 [TCA_FLOWER_KEY_ENC_OPT_ERSPAN_DIR] = { .type = NLA_U8 }, 748 [TCA_FLOWER_KEY_ENC_OPT_ERSPAN_HWID] = { .type = NLA_U8 }, 749}; 750 751static const struct nla_policy 752gtp_opt_policy[TCA_FLOWER_KEY_ENC_OPT_GTP_MAX + 1] = { 753 [TCA_FLOWER_KEY_ENC_OPT_GTP_PDU_TYPE] = { .type = NLA_U8 }, 754 [TCA_FLOWER_KEY_ENC_OPT_GTP_QFI] = { .type = NLA_U8 }, 755}; 756 757static const struct nla_policy 758mpls_stack_entry_policy[TCA_FLOWER_KEY_MPLS_OPT_LSE_MAX + 1] = { 759 [TCA_FLOWER_KEY_MPLS_OPT_LSE_DEPTH] = { .type = NLA_U8 }, 760 [TCA_FLOWER_KEY_MPLS_OPT_LSE_TTL] = { .type = NLA_U8 }, 761 [TCA_FLOWER_KEY_MPLS_OPT_LSE_BOS] = { .type = NLA_U8 }, 762 [TCA_FLOWER_KEY_MPLS_OPT_LSE_TC] = { .type = NLA_U8 }, 763 [TCA_FLOWER_KEY_MPLS_OPT_LSE_LABEL] = { .type = NLA_U32 }, 764}; 765 766static void fl_set_key_val(struct nlattr **tb, 767 void *val, int val_type, 768 void *mask, int mask_type, int len) 769{ 770 if (!tb[val_type]) 771 return; 772 nla_memcpy(val, tb[val_type], len); 773 if (mask_type == TCA_FLOWER_UNSPEC || !tb[mask_type]) 774 memset(mask, 0xff, len); 775 else 776 nla_memcpy(mask, tb[mask_type], len); 777} 778 779static int fl_set_key_port_range(struct nlattr **tb, struct fl_flow_key *key, 780 struct fl_flow_key *mask, 781 struct netlink_ext_ack *extack) 782{ 783 fl_set_key_val(tb, &key->tp_range.tp_min.dst, 784 TCA_FLOWER_KEY_PORT_DST_MIN, &mask->tp_range.tp_min.dst, 785 TCA_FLOWER_UNSPEC, sizeof(key->tp_range.tp_min.dst)); 786 fl_set_key_val(tb, &key->tp_range.tp_max.dst, 787 TCA_FLOWER_KEY_PORT_DST_MAX, &mask->tp_range.tp_max.dst, 788 TCA_FLOWER_UNSPEC, sizeof(key->tp_range.tp_max.dst)); 789 fl_set_key_val(tb, &key->tp_range.tp_min.src, 790 TCA_FLOWER_KEY_PORT_SRC_MIN, &mask->tp_range.tp_min.src, 791 TCA_FLOWER_UNSPEC, sizeof(key->tp_range.tp_min.src)); 792 fl_set_key_val(tb, &key->tp_range.tp_max.src, 793 TCA_FLOWER_KEY_PORT_SRC_MAX, &mask->tp_range.tp_max.src, 794 TCA_FLOWER_UNSPEC, sizeof(key->tp_range.tp_max.src)); 795 796 if (mask->tp_range.tp_min.dst && mask->tp_range.tp_max.dst && 797 ntohs(key->tp_range.tp_max.dst) <= 798 ntohs(key->tp_range.tp_min.dst)) { 799 NL_SET_ERR_MSG_ATTR(extack, 800 tb[TCA_FLOWER_KEY_PORT_DST_MIN], 801 "Invalid destination port range (min must be strictly smaller than max)"); 802 return -EINVAL; 803 } 804 if (mask->tp_range.tp_min.src && mask->tp_range.tp_max.src && 805 ntohs(key->tp_range.tp_max.src) <= 806 ntohs(key->tp_range.tp_min.src)) { 807 NL_SET_ERR_MSG_ATTR(extack, 808 tb[TCA_FLOWER_KEY_PORT_SRC_MIN], 809 "Invalid source port range (min must be strictly smaller than max)"); 810 return -EINVAL; 811 } 812 813 return 0; 814} 815 816static int fl_set_key_mpls_lse(const struct nlattr *nla_lse, 817 struct flow_dissector_key_mpls *key_val, 818 struct flow_dissector_key_mpls *key_mask, 819 struct netlink_ext_ack *extack) 820{ 821 struct nlattr *tb[TCA_FLOWER_KEY_MPLS_OPT_LSE_MAX + 1]; 822 struct flow_dissector_mpls_lse *lse_mask; 823 struct flow_dissector_mpls_lse *lse_val; 824 u8 lse_index; 825 u8 depth; 826 int err; 827 828 err = nla_parse_nested(tb, TCA_FLOWER_KEY_MPLS_OPT_LSE_MAX, nla_lse, 829 mpls_stack_entry_policy, extack); 830 if (err < 0) 831 return err; 832 833 if (!tb[TCA_FLOWER_KEY_MPLS_OPT_LSE_DEPTH]) { 834 NL_SET_ERR_MSG(extack, "Missing MPLS option \"depth\""); 835 return -EINVAL; 836 } 837 838 depth = nla_get_u8(tb[TCA_FLOWER_KEY_MPLS_OPT_LSE_DEPTH]); 839 840 /* LSE depth starts at 1, for consistency with terminology used by 841 * RFC 3031 (section 3.9), where depth 0 refers to unlabeled packets. 842 */ 843 if (depth < 1 || depth > FLOW_DIS_MPLS_MAX) { 844 NL_SET_ERR_MSG_ATTR(extack, 845 tb[TCA_FLOWER_KEY_MPLS_OPT_LSE_DEPTH], 846 "Invalid MPLS depth"); 847 return -EINVAL; 848 } 849 lse_index = depth - 1; 850 851 dissector_set_mpls_lse(key_val, lse_index); 852 dissector_set_mpls_lse(key_mask, lse_index); 853 854 lse_val = &key_val->ls[lse_index]; 855 lse_mask = &key_mask->ls[lse_index]; 856 857 if (tb[TCA_FLOWER_KEY_MPLS_OPT_LSE_TTL]) { 858 lse_val->mpls_ttl = nla_get_u8(tb[TCA_FLOWER_KEY_MPLS_OPT_LSE_TTL]); 859 lse_mask->mpls_ttl = MPLS_TTL_MASK; 860 } 861 if (tb[TCA_FLOWER_KEY_MPLS_OPT_LSE_BOS]) { 862 u8 bos = nla_get_u8(tb[TCA_FLOWER_KEY_MPLS_OPT_LSE_BOS]); 863 864 if (bos & ~MPLS_BOS_MASK) { 865 NL_SET_ERR_MSG_ATTR(extack, 866 tb[TCA_FLOWER_KEY_MPLS_OPT_LSE_BOS], 867 "Bottom Of Stack (BOS) must be 0 or 1"); 868 return -EINVAL; 869 } 870 lse_val->mpls_bos = bos; 871 lse_mask->mpls_bos = MPLS_BOS_MASK; 872 } 873 if (tb[TCA_FLOWER_KEY_MPLS_OPT_LSE_TC]) { 874 u8 tc = nla_get_u8(tb[TCA_FLOWER_KEY_MPLS_OPT_LSE_TC]); 875 876 if (tc & ~MPLS_TC_MASK) { 877 NL_SET_ERR_MSG_ATTR(extack, 878 tb[TCA_FLOWER_KEY_MPLS_OPT_LSE_TC], 879 "Traffic Class (TC) must be between 0 and 7"); 880 return -EINVAL; 881 } 882 lse_val->mpls_tc = tc; 883 lse_mask->mpls_tc = MPLS_TC_MASK; 884 } 885 if (tb[TCA_FLOWER_KEY_MPLS_OPT_LSE_LABEL]) { 886 u32 label = nla_get_u32(tb[TCA_FLOWER_KEY_MPLS_OPT_LSE_LABEL]); 887 888 if (label & ~MPLS_LABEL_MASK) { 889 NL_SET_ERR_MSG_ATTR(extack, 890 tb[TCA_FLOWER_KEY_MPLS_OPT_LSE_LABEL], 891 "Label must be between 0 and 1048575"); 892 return -EINVAL; 893 } 894 lse_val->mpls_label = label; 895 lse_mask->mpls_label = MPLS_LABEL_MASK; 896 } 897 898 return 0; 899} 900 901static int fl_set_key_mpls_opts(const struct nlattr *nla_mpls_opts, 902 struct flow_dissector_key_mpls *key_val, 903 struct flow_dissector_key_mpls *key_mask, 904 struct netlink_ext_ack *extack) 905{ 906 struct nlattr *nla_lse; 907 int rem; 908 int err; 909 910 if (!(nla_mpls_opts->nla_type & NLA_F_NESTED)) { 911 NL_SET_ERR_MSG_ATTR(extack, nla_mpls_opts, 912 "NLA_F_NESTED is missing"); 913 return -EINVAL; 914 } 915 916 nla_for_each_nested(nla_lse, nla_mpls_opts, rem) { 917 if (nla_type(nla_lse) != TCA_FLOWER_KEY_MPLS_OPTS_LSE) { 918 NL_SET_ERR_MSG_ATTR(extack, nla_lse, 919 "Invalid MPLS option type"); 920 return -EINVAL; 921 } 922 923 err = fl_set_key_mpls_lse(nla_lse, key_val, key_mask, extack); 924 if (err < 0) 925 return err; 926 } 927 if (rem) { 928 NL_SET_ERR_MSG(extack, 929 "Bytes leftover after parsing MPLS options"); 930 return -EINVAL; 931 } 932 933 return 0; 934} 935 936static int fl_set_key_mpls(struct nlattr **tb, 937 struct flow_dissector_key_mpls *key_val, 938 struct flow_dissector_key_mpls *key_mask, 939 struct netlink_ext_ack *extack) 940{ 941 struct flow_dissector_mpls_lse *lse_mask; 942 struct flow_dissector_mpls_lse *lse_val; 943 944 if (tb[TCA_FLOWER_KEY_MPLS_OPTS]) { 945 if (tb[TCA_FLOWER_KEY_MPLS_TTL] || 946 tb[TCA_FLOWER_KEY_MPLS_BOS] || 947 tb[TCA_FLOWER_KEY_MPLS_TC] || 948 tb[TCA_FLOWER_KEY_MPLS_LABEL]) { 949 NL_SET_ERR_MSG_ATTR(extack, 950 tb[TCA_FLOWER_KEY_MPLS_OPTS], 951 "MPLS label, Traffic Class, Bottom Of Stack and Time To Live must be encapsulated in the MPLS options attribute"); 952 return -EBADMSG; 953 } 954 955 return fl_set_key_mpls_opts(tb[TCA_FLOWER_KEY_MPLS_OPTS], 956 key_val, key_mask, extack); 957 } 958 959 lse_val = &key_val->ls[0]; 960 lse_mask = &key_mask->ls[0]; 961 962 if (tb[TCA_FLOWER_KEY_MPLS_TTL]) { 963 lse_val->mpls_ttl = nla_get_u8(tb[TCA_FLOWER_KEY_MPLS_TTL]); 964 lse_mask->mpls_ttl = MPLS_TTL_MASK; 965 dissector_set_mpls_lse(key_val, 0); 966 dissector_set_mpls_lse(key_mask, 0); 967 } 968 if (tb[TCA_FLOWER_KEY_MPLS_BOS]) { 969 u8 bos = nla_get_u8(tb[TCA_FLOWER_KEY_MPLS_BOS]); 970 971 if (bos & ~MPLS_BOS_MASK) { 972 NL_SET_ERR_MSG_ATTR(extack, 973 tb[TCA_FLOWER_KEY_MPLS_BOS], 974 "Bottom Of Stack (BOS) must be 0 or 1"); 975 return -EINVAL; 976 } 977 lse_val->mpls_bos = bos; 978 lse_mask->mpls_bos = MPLS_BOS_MASK; 979 dissector_set_mpls_lse(key_val, 0); 980 dissector_set_mpls_lse(key_mask, 0); 981 } 982 if (tb[TCA_FLOWER_KEY_MPLS_TC]) { 983 u8 tc = nla_get_u8(tb[TCA_FLOWER_KEY_MPLS_TC]); 984 985 if (tc & ~MPLS_TC_MASK) { 986 NL_SET_ERR_MSG_ATTR(extack, 987 tb[TCA_FLOWER_KEY_MPLS_TC], 988 "Traffic Class (TC) must be between 0 and 7"); 989 return -EINVAL; 990 } 991 lse_val->mpls_tc = tc; 992 lse_mask->mpls_tc = MPLS_TC_MASK; 993 dissector_set_mpls_lse(key_val, 0); 994 dissector_set_mpls_lse(key_mask, 0); 995 } 996 if (tb[TCA_FLOWER_KEY_MPLS_LABEL]) { 997 u32 label = nla_get_u32(tb[TCA_FLOWER_KEY_MPLS_LABEL]); 998 999 if (label & ~MPLS_LABEL_MASK) { 1000 NL_SET_ERR_MSG_ATTR(extack, 1001 tb[TCA_FLOWER_KEY_MPLS_LABEL], 1002 "Label must be between 0 and 1048575"); 1003 return -EINVAL; 1004 } 1005 lse_val->mpls_label = label; 1006 lse_mask->mpls_label = MPLS_LABEL_MASK; 1007 dissector_set_mpls_lse(key_val, 0); 1008 dissector_set_mpls_lse(key_mask, 0); 1009 } 1010 return 0; 1011} 1012 1013static void fl_set_key_vlan(struct nlattr **tb, 1014 __be16 ethertype, 1015 int vlan_id_key, int vlan_prio_key, 1016 int vlan_next_eth_type_key, 1017 struct flow_dissector_key_vlan *key_val, 1018 struct flow_dissector_key_vlan *key_mask) 1019{ 1020#define VLAN_PRIORITY_MASK 0x7 1021 1022 if (tb[vlan_id_key]) { 1023 key_val->vlan_id = 1024 nla_get_u16(tb[vlan_id_key]) & VLAN_VID_MASK; 1025 key_mask->vlan_id = VLAN_VID_MASK; 1026 } 1027 if (tb[vlan_prio_key]) { 1028 key_val->vlan_priority = 1029 nla_get_u8(tb[vlan_prio_key]) & 1030 VLAN_PRIORITY_MASK; 1031 key_mask->vlan_priority = VLAN_PRIORITY_MASK; 1032 } 1033 if (ethertype) { 1034 key_val->vlan_tpid = ethertype; 1035 key_mask->vlan_tpid = cpu_to_be16(~0); 1036 } 1037 if (tb[vlan_next_eth_type_key]) { 1038 key_val->vlan_eth_type = 1039 nla_get_be16(tb[vlan_next_eth_type_key]); 1040 key_mask->vlan_eth_type = cpu_to_be16(~0); 1041 } 1042} 1043 1044static void fl_set_key_flag(u32 flower_key, u32 flower_mask, 1045 u32 *dissector_key, u32 *dissector_mask, 1046 u32 flower_flag_bit, u32 dissector_flag_bit) 1047{ 1048 if (flower_mask & flower_flag_bit) { 1049 *dissector_mask |= dissector_flag_bit; 1050 if (flower_key & flower_flag_bit) 1051 *dissector_key |= dissector_flag_bit; 1052 } 1053} 1054 1055static int fl_set_key_flags(struct nlattr **tb, u32 *flags_key, 1056 u32 *flags_mask, struct netlink_ext_ack *extack) 1057{ 1058 u32 key, mask; 1059 1060 /* mask is mandatory for flags */ 1061 if (!tb[TCA_FLOWER_KEY_FLAGS_MASK]) { 1062 NL_SET_ERR_MSG(extack, "Missing flags mask"); 1063 return -EINVAL; 1064 } 1065 1066 key = be32_to_cpu(nla_get_be32(tb[TCA_FLOWER_KEY_FLAGS])); 1067 mask = be32_to_cpu(nla_get_be32(tb[TCA_FLOWER_KEY_FLAGS_MASK])); 1068 1069 *flags_key = 0; 1070 *flags_mask = 0; 1071 1072 fl_set_key_flag(key, mask, flags_key, flags_mask, 1073 TCA_FLOWER_KEY_FLAGS_IS_FRAGMENT, FLOW_DIS_IS_FRAGMENT); 1074 fl_set_key_flag(key, mask, flags_key, flags_mask, 1075 TCA_FLOWER_KEY_FLAGS_FRAG_IS_FIRST, 1076 FLOW_DIS_FIRST_FRAG); 1077 1078 return 0; 1079} 1080 1081static void fl_set_key_ip(struct nlattr **tb, bool encap, 1082 struct flow_dissector_key_ip *key, 1083 struct flow_dissector_key_ip *mask) 1084{ 1085 int tos_key = encap ? TCA_FLOWER_KEY_ENC_IP_TOS : TCA_FLOWER_KEY_IP_TOS; 1086 int ttl_key = encap ? TCA_FLOWER_KEY_ENC_IP_TTL : TCA_FLOWER_KEY_IP_TTL; 1087 int tos_mask = encap ? TCA_FLOWER_KEY_ENC_IP_TOS_MASK : TCA_FLOWER_KEY_IP_TOS_MASK; 1088 int ttl_mask = encap ? TCA_FLOWER_KEY_ENC_IP_TTL_MASK : TCA_FLOWER_KEY_IP_TTL_MASK; 1089 1090 fl_set_key_val(tb, &key->tos, tos_key, &mask->tos, tos_mask, sizeof(key->tos)); 1091 fl_set_key_val(tb, &key->ttl, ttl_key, &mask->ttl, ttl_mask, sizeof(key->ttl)); 1092} 1093 1094static int fl_set_geneve_opt(const struct nlattr *nla, struct fl_flow_key *key, 1095 int depth, int option_len, 1096 struct netlink_ext_ack *extack) 1097{ 1098 struct nlattr *tb[TCA_FLOWER_KEY_ENC_OPT_GENEVE_MAX + 1]; 1099 struct nlattr *class = NULL, *type = NULL, *data = NULL; 1100 struct geneve_opt *opt; 1101 int err, data_len = 0; 1102 1103 if (option_len > sizeof(struct geneve_opt)) 1104 data_len = option_len - sizeof(struct geneve_opt); 1105 1106 opt = (struct geneve_opt *)&key->enc_opts.data[key->enc_opts.len]; 1107 memset(opt, 0xff, option_len); 1108 opt->length = data_len / 4; 1109 opt->r1 = 0; 1110 opt->r2 = 0; 1111 opt->r3 = 0; 1112 1113 /* If no mask has been prodived we assume an exact match. */ 1114 if (!depth) 1115 return sizeof(struct geneve_opt) + data_len; 1116 1117 if (nla_type(nla) != TCA_FLOWER_KEY_ENC_OPTS_GENEVE) { 1118 NL_SET_ERR_MSG(extack, "Non-geneve option type for mask"); 1119 return -EINVAL; 1120 } 1121 1122 err = nla_parse_nested_deprecated(tb, 1123 TCA_FLOWER_KEY_ENC_OPT_GENEVE_MAX, 1124 nla, geneve_opt_policy, extack); 1125 if (err < 0) 1126 return err; 1127 1128 /* We are not allowed to omit any of CLASS, TYPE or DATA 1129 * fields from the key. 1130 */ 1131 if (!option_len && 1132 (!tb[TCA_FLOWER_KEY_ENC_OPT_GENEVE_CLASS] || 1133 !tb[TCA_FLOWER_KEY_ENC_OPT_GENEVE_TYPE] || 1134 !tb[TCA_FLOWER_KEY_ENC_OPT_GENEVE_DATA])) { 1135 NL_SET_ERR_MSG(extack, "Missing tunnel key geneve option class, type or data"); 1136 return -EINVAL; 1137 } 1138 1139 /* Omitting any of CLASS, TYPE or DATA fields is allowed 1140 * for the mask. 1141 */ 1142 if (tb[TCA_FLOWER_KEY_ENC_OPT_GENEVE_DATA]) { 1143 int new_len = key->enc_opts.len; 1144 1145 data = tb[TCA_FLOWER_KEY_ENC_OPT_GENEVE_DATA]; 1146 data_len = nla_len(data); 1147 if (data_len < 4) { 1148 NL_SET_ERR_MSG(extack, "Tunnel key geneve option data is less than 4 bytes long"); 1149 return -ERANGE; 1150 } 1151 if (data_len % 4) { 1152 NL_SET_ERR_MSG(extack, "Tunnel key geneve option data is not a multiple of 4 bytes long"); 1153 return -ERANGE; 1154 } 1155 1156 new_len += sizeof(struct geneve_opt) + data_len; 1157 BUILD_BUG_ON(FLOW_DIS_TUN_OPTS_MAX != IP_TUNNEL_OPTS_MAX); 1158 if (new_len > FLOW_DIS_TUN_OPTS_MAX) { 1159 NL_SET_ERR_MSG(extack, "Tunnel options exceeds max size"); 1160 return -ERANGE; 1161 } 1162 opt->length = data_len / 4; 1163 memcpy(opt->opt_data, nla_data(data), data_len); 1164 } 1165 1166 if (tb[TCA_FLOWER_KEY_ENC_OPT_GENEVE_CLASS]) { 1167 class = tb[TCA_FLOWER_KEY_ENC_OPT_GENEVE_CLASS]; 1168 opt->opt_class = nla_get_be16(class); 1169 } 1170 1171 if (tb[TCA_FLOWER_KEY_ENC_OPT_GENEVE_TYPE]) { 1172 type = tb[TCA_FLOWER_KEY_ENC_OPT_GENEVE_TYPE]; 1173 opt->type = nla_get_u8(type); 1174 } 1175 1176 return sizeof(struct geneve_opt) + data_len; 1177} 1178 1179static int fl_set_vxlan_opt(const struct nlattr *nla, struct fl_flow_key *key, 1180 int depth, int option_len, 1181 struct netlink_ext_ack *extack) 1182{ 1183 struct nlattr *tb[TCA_FLOWER_KEY_ENC_OPT_VXLAN_MAX + 1]; 1184 struct vxlan_metadata *md; 1185 int err; 1186 1187 md = (struct vxlan_metadata *)&key->enc_opts.data[key->enc_opts.len]; 1188 memset(md, 0xff, sizeof(*md)); 1189 1190 if (!depth) 1191 return sizeof(*md); 1192 1193 if (nla_type(nla) != TCA_FLOWER_KEY_ENC_OPTS_VXLAN) { 1194 NL_SET_ERR_MSG(extack, "Non-vxlan option type for mask"); 1195 return -EINVAL; 1196 } 1197 1198 err = nla_parse_nested(tb, TCA_FLOWER_KEY_ENC_OPT_VXLAN_MAX, nla, 1199 vxlan_opt_policy, extack); 1200 if (err < 0) 1201 return err; 1202 1203 if (!option_len && !tb[TCA_FLOWER_KEY_ENC_OPT_VXLAN_GBP]) { 1204 NL_SET_ERR_MSG(extack, "Missing tunnel key vxlan option gbp"); 1205 return -EINVAL; 1206 } 1207 1208 if (tb[TCA_FLOWER_KEY_ENC_OPT_VXLAN_GBP]) { 1209 md->gbp = nla_get_u32(tb[TCA_FLOWER_KEY_ENC_OPT_VXLAN_GBP]); 1210 md->gbp &= VXLAN_GBP_MASK; 1211 } 1212 1213 return sizeof(*md); 1214} 1215 1216static int fl_set_erspan_opt(const struct nlattr *nla, struct fl_flow_key *key, 1217 int depth, int option_len, 1218 struct netlink_ext_ack *extack) 1219{ 1220 struct nlattr *tb[TCA_FLOWER_KEY_ENC_OPT_ERSPAN_MAX + 1]; 1221 struct erspan_metadata *md; 1222 int err; 1223 1224 md = (struct erspan_metadata *)&key->enc_opts.data[key->enc_opts.len]; 1225 memset(md, 0xff, sizeof(*md)); 1226 md->version = 1; 1227 1228 if (!depth) 1229 return sizeof(*md); 1230 1231 if (nla_type(nla) != TCA_FLOWER_KEY_ENC_OPTS_ERSPAN) { 1232 NL_SET_ERR_MSG(extack, "Non-erspan option type for mask"); 1233 return -EINVAL; 1234 } 1235 1236 err = nla_parse_nested(tb, TCA_FLOWER_KEY_ENC_OPT_ERSPAN_MAX, nla, 1237 erspan_opt_policy, extack); 1238 if (err < 0) 1239 return err; 1240 1241 if (!option_len && !tb[TCA_FLOWER_KEY_ENC_OPT_ERSPAN_VER]) { 1242 NL_SET_ERR_MSG(extack, "Missing tunnel key erspan option ver"); 1243 return -EINVAL; 1244 } 1245 1246 if (tb[TCA_FLOWER_KEY_ENC_OPT_ERSPAN_VER]) 1247 md->version = nla_get_u8(tb[TCA_FLOWER_KEY_ENC_OPT_ERSPAN_VER]); 1248 1249 if (md->version == 1) { 1250 if (!option_len && !tb[TCA_FLOWER_KEY_ENC_OPT_ERSPAN_INDEX]) { 1251 NL_SET_ERR_MSG(extack, "Missing tunnel key erspan option index"); 1252 return -EINVAL; 1253 } 1254 if (tb[TCA_FLOWER_KEY_ENC_OPT_ERSPAN_INDEX]) { 1255 nla = tb[TCA_FLOWER_KEY_ENC_OPT_ERSPAN_INDEX]; 1256 memset(&md->u, 0x00, sizeof(md->u)); 1257 md->u.index = nla_get_be32(nla); 1258 } 1259 } else if (md->version == 2) { 1260 if (!option_len && (!tb[TCA_FLOWER_KEY_ENC_OPT_ERSPAN_DIR] || 1261 !tb[TCA_FLOWER_KEY_ENC_OPT_ERSPAN_HWID])) { 1262 NL_SET_ERR_MSG(extack, "Missing tunnel key erspan option dir or hwid"); 1263 return -EINVAL; 1264 } 1265 if (tb[TCA_FLOWER_KEY_ENC_OPT_ERSPAN_DIR]) { 1266 nla = tb[TCA_FLOWER_KEY_ENC_OPT_ERSPAN_DIR]; 1267 md->u.md2.dir = nla_get_u8(nla); 1268 } 1269 if (tb[TCA_FLOWER_KEY_ENC_OPT_ERSPAN_HWID]) { 1270 nla = tb[TCA_FLOWER_KEY_ENC_OPT_ERSPAN_HWID]; 1271 set_hwid(&md->u.md2, nla_get_u8(nla)); 1272 } 1273 } else { 1274 NL_SET_ERR_MSG(extack, "Tunnel key erspan option ver is incorrect"); 1275 return -EINVAL; 1276 } 1277 1278 return sizeof(*md); 1279} 1280 1281static int fl_set_gtp_opt(const struct nlattr *nla, struct fl_flow_key *key, 1282 int depth, int option_len, 1283 struct netlink_ext_ack *extack) 1284{ 1285 struct nlattr *tb[TCA_FLOWER_KEY_ENC_OPT_GTP_MAX + 1]; 1286 struct gtp_pdu_session_info *sinfo; 1287 u8 len = key->enc_opts.len; 1288 int err; 1289 1290 sinfo = (struct gtp_pdu_session_info *)&key->enc_opts.data[len]; 1291 memset(sinfo, 0xff, option_len); 1292 1293 if (!depth) 1294 return sizeof(*sinfo); 1295 1296 if (nla_type(nla) != TCA_FLOWER_KEY_ENC_OPTS_GTP) { 1297 NL_SET_ERR_MSG_MOD(extack, "Non-gtp option type for mask"); 1298 return -EINVAL; 1299 } 1300 1301 err = nla_parse_nested(tb, TCA_FLOWER_KEY_ENC_OPT_GTP_MAX, nla, 1302 gtp_opt_policy, extack); 1303 if (err < 0) 1304 return err; 1305 1306 if (!option_len && 1307 (!tb[TCA_FLOWER_KEY_ENC_OPT_GTP_PDU_TYPE] || 1308 !tb[TCA_FLOWER_KEY_ENC_OPT_GTP_QFI])) { 1309 NL_SET_ERR_MSG_MOD(extack, 1310 "Missing tunnel key gtp option pdu type or qfi"); 1311 return -EINVAL; 1312 } 1313 1314 if (tb[TCA_FLOWER_KEY_ENC_OPT_GTP_PDU_TYPE]) 1315 sinfo->pdu_type = 1316 nla_get_u8(tb[TCA_FLOWER_KEY_ENC_OPT_GTP_PDU_TYPE]); 1317 1318 if (tb[TCA_FLOWER_KEY_ENC_OPT_GTP_QFI]) 1319 sinfo->qfi = nla_get_u8(tb[TCA_FLOWER_KEY_ENC_OPT_GTP_QFI]); 1320 1321 return sizeof(*sinfo); 1322} 1323 1324static int fl_set_enc_opt(struct nlattr **tb, struct fl_flow_key *key, 1325 struct fl_flow_key *mask, 1326 struct netlink_ext_ack *extack) 1327{ 1328 const struct nlattr *nla_enc_key, *nla_opt_key, *nla_opt_msk = NULL; 1329 int err, option_len, key_depth, msk_depth = 0; 1330 1331 err = nla_validate_nested_deprecated(tb[TCA_FLOWER_KEY_ENC_OPTS], 1332 TCA_FLOWER_KEY_ENC_OPTS_MAX, 1333 enc_opts_policy, extack); 1334 if (err) 1335 return err; 1336 1337 nla_enc_key = nla_data(tb[TCA_FLOWER_KEY_ENC_OPTS]); 1338 1339 if (tb[TCA_FLOWER_KEY_ENC_OPTS_MASK]) { 1340 err = nla_validate_nested_deprecated(tb[TCA_FLOWER_KEY_ENC_OPTS_MASK], 1341 TCA_FLOWER_KEY_ENC_OPTS_MAX, 1342 enc_opts_policy, extack); 1343 if (err) 1344 return err; 1345 1346 nla_opt_msk = nla_data(tb[TCA_FLOWER_KEY_ENC_OPTS_MASK]); 1347 msk_depth = nla_len(tb[TCA_FLOWER_KEY_ENC_OPTS_MASK]); 1348 if (!nla_ok(nla_opt_msk, msk_depth)) { 1349 NL_SET_ERR_MSG(extack, "Invalid nested attribute for masks"); 1350 return -EINVAL; 1351 } 1352 } 1353 1354 nla_for_each_attr(nla_opt_key, nla_enc_key, 1355 nla_len(tb[TCA_FLOWER_KEY_ENC_OPTS]), key_depth) { 1356 switch (nla_type(nla_opt_key)) { 1357 case TCA_FLOWER_KEY_ENC_OPTS_GENEVE: 1358 if (key->enc_opts.dst_opt_type && 1359 key->enc_opts.dst_opt_type != TUNNEL_GENEVE_OPT) { 1360 NL_SET_ERR_MSG(extack, "Duplicate type for geneve options"); 1361 return -EINVAL; 1362 } 1363 option_len = 0; 1364 key->enc_opts.dst_opt_type = TUNNEL_GENEVE_OPT; 1365 option_len = fl_set_geneve_opt(nla_opt_key, key, 1366 key_depth, option_len, 1367 extack); 1368 if (option_len < 0) 1369 return option_len; 1370 1371 key->enc_opts.len += option_len; 1372 /* At the same time we need to parse through the mask 1373 * in order to verify exact and mask attribute lengths. 1374 */ 1375 mask->enc_opts.dst_opt_type = TUNNEL_GENEVE_OPT; 1376 option_len = fl_set_geneve_opt(nla_opt_msk, mask, 1377 msk_depth, option_len, 1378 extack); 1379 if (option_len < 0) 1380 return option_len; 1381 1382 mask->enc_opts.len += option_len; 1383 if (key->enc_opts.len != mask->enc_opts.len) { 1384 NL_SET_ERR_MSG(extack, "Key and mask miss aligned"); 1385 return -EINVAL; 1386 } 1387 break; 1388 case TCA_FLOWER_KEY_ENC_OPTS_VXLAN: 1389 if (key->enc_opts.dst_opt_type) { 1390 NL_SET_ERR_MSG(extack, "Duplicate type for vxlan options"); 1391 return -EINVAL; 1392 } 1393 option_len = 0; 1394 key->enc_opts.dst_opt_type = TUNNEL_VXLAN_OPT; 1395 option_len = fl_set_vxlan_opt(nla_opt_key, key, 1396 key_depth, option_len, 1397 extack); 1398 if (option_len < 0) 1399 return option_len; 1400 1401 key->enc_opts.len += option_len; 1402 /* At the same time we need to parse through the mask 1403 * in order to verify exact and mask attribute lengths. 1404 */ 1405 mask->enc_opts.dst_opt_type = TUNNEL_VXLAN_OPT; 1406 option_len = fl_set_vxlan_opt(nla_opt_msk, mask, 1407 msk_depth, option_len, 1408 extack); 1409 if (option_len < 0) 1410 return option_len; 1411 1412 mask->enc_opts.len += option_len; 1413 if (key->enc_opts.len != mask->enc_opts.len) { 1414 NL_SET_ERR_MSG(extack, "Key and mask miss aligned"); 1415 return -EINVAL; 1416 } 1417 break; 1418 case TCA_FLOWER_KEY_ENC_OPTS_ERSPAN: 1419 if (key->enc_opts.dst_opt_type) { 1420 NL_SET_ERR_MSG(extack, "Duplicate type for erspan options"); 1421 return -EINVAL; 1422 } 1423 option_len = 0; 1424 key->enc_opts.dst_opt_type = TUNNEL_ERSPAN_OPT; 1425 option_len = fl_set_erspan_opt(nla_opt_key, key, 1426 key_depth, option_len, 1427 extack); 1428 if (option_len < 0) 1429 return option_len; 1430 1431 key->enc_opts.len += option_len; 1432 /* At the same time we need to parse through the mask 1433 * in order to verify exact and mask attribute lengths. 1434 */ 1435 mask->enc_opts.dst_opt_type = TUNNEL_ERSPAN_OPT; 1436 option_len = fl_set_erspan_opt(nla_opt_msk, mask, 1437 msk_depth, option_len, 1438 extack); 1439 if (option_len < 0) 1440 return option_len; 1441 1442 mask->enc_opts.len += option_len; 1443 if (key->enc_opts.len != mask->enc_opts.len) { 1444 NL_SET_ERR_MSG(extack, "Key and mask miss aligned"); 1445 return -EINVAL; 1446 } 1447 break; 1448 case TCA_FLOWER_KEY_ENC_OPTS_GTP: 1449 if (key->enc_opts.dst_opt_type) { 1450 NL_SET_ERR_MSG_MOD(extack, 1451 "Duplicate type for gtp options"); 1452 return -EINVAL; 1453 } 1454 option_len = 0; 1455 key->enc_opts.dst_opt_type = TUNNEL_GTP_OPT; 1456 option_len = fl_set_gtp_opt(nla_opt_key, key, 1457 key_depth, option_len, 1458 extack); 1459 if (option_len < 0) 1460 return option_len; 1461 1462 key->enc_opts.len += option_len; 1463 /* At the same time we need to parse through the mask 1464 * in order to verify exact and mask attribute lengths. 1465 */ 1466 mask->enc_opts.dst_opt_type = TUNNEL_GTP_OPT; 1467 option_len = fl_set_gtp_opt(nla_opt_msk, mask, 1468 msk_depth, option_len, 1469 extack); 1470 if (option_len < 0) 1471 return option_len; 1472 1473 mask->enc_opts.len += option_len; 1474 if (key->enc_opts.len != mask->enc_opts.len) { 1475 NL_SET_ERR_MSG_MOD(extack, 1476 "Key and mask miss aligned"); 1477 return -EINVAL; 1478 } 1479 break; 1480 default: 1481 NL_SET_ERR_MSG(extack, "Unknown tunnel option type"); 1482 return -EINVAL; 1483 } 1484 1485 if (!msk_depth) 1486 continue; 1487 1488 if (!nla_ok(nla_opt_msk, msk_depth)) { 1489 NL_SET_ERR_MSG(extack, "A mask attribute is invalid"); 1490 return -EINVAL; 1491 } 1492 nla_opt_msk = nla_next(nla_opt_msk, &msk_depth); 1493 } 1494 1495 return 0; 1496} 1497 1498static int fl_validate_ct_state(u16 state, struct nlattr *tb, 1499 struct netlink_ext_ack *extack) 1500{ 1501 if (state && !(state & TCA_FLOWER_KEY_CT_FLAGS_TRACKED)) { 1502 NL_SET_ERR_MSG_ATTR(extack, tb, 1503 "no trk, so no other flag can be set"); 1504 return -EINVAL; 1505 } 1506 1507 if (state & TCA_FLOWER_KEY_CT_FLAGS_NEW && 1508 state & TCA_FLOWER_KEY_CT_FLAGS_ESTABLISHED) { 1509 NL_SET_ERR_MSG_ATTR(extack, tb, 1510 "new and est are mutually exclusive"); 1511 return -EINVAL; 1512 } 1513 1514 if (state & TCA_FLOWER_KEY_CT_FLAGS_INVALID && 1515 state & ~(TCA_FLOWER_KEY_CT_FLAGS_TRACKED | 1516 TCA_FLOWER_KEY_CT_FLAGS_INVALID)) { 1517 NL_SET_ERR_MSG_ATTR(extack, tb, 1518 "when inv is set, only trk may be set"); 1519 return -EINVAL; 1520 } 1521 1522 if (state & TCA_FLOWER_KEY_CT_FLAGS_NEW && 1523 state & TCA_FLOWER_KEY_CT_FLAGS_REPLY) { 1524 NL_SET_ERR_MSG_ATTR(extack, tb, 1525 "new and rpl are mutually exclusive"); 1526 return -EINVAL; 1527 } 1528 1529 return 0; 1530} 1531 1532static int fl_set_key_ct(struct nlattr **tb, 1533 struct flow_dissector_key_ct *key, 1534 struct flow_dissector_key_ct *mask, 1535 struct netlink_ext_ack *extack) 1536{ 1537 if (tb[TCA_FLOWER_KEY_CT_STATE]) { 1538 int err; 1539 1540 if (!IS_ENABLED(CONFIG_NF_CONNTRACK)) { 1541 NL_SET_ERR_MSG(extack, "Conntrack isn't enabled"); 1542 return -EOPNOTSUPP; 1543 } 1544 fl_set_key_val(tb, &key->ct_state, TCA_FLOWER_KEY_CT_STATE, 1545 &mask->ct_state, TCA_FLOWER_KEY_CT_STATE_MASK, 1546 sizeof(key->ct_state)); 1547 1548 err = fl_validate_ct_state(key->ct_state & mask->ct_state, 1549 tb[TCA_FLOWER_KEY_CT_STATE_MASK], 1550 extack); 1551 if (err) 1552 return err; 1553 1554 } 1555 if (tb[TCA_FLOWER_KEY_CT_ZONE]) { 1556 if (!IS_ENABLED(CONFIG_NF_CONNTRACK_ZONES)) { 1557 NL_SET_ERR_MSG(extack, "Conntrack zones isn't enabled"); 1558 return -EOPNOTSUPP; 1559 } 1560 fl_set_key_val(tb, &key->ct_zone, TCA_FLOWER_KEY_CT_ZONE, 1561 &mask->ct_zone, TCA_FLOWER_KEY_CT_ZONE_MASK, 1562 sizeof(key->ct_zone)); 1563 } 1564 if (tb[TCA_FLOWER_KEY_CT_MARK]) { 1565 if (!IS_ENABLED(CONFIG_NF_CONNTRACK_MARK)) { 1566 NL_SET_ERR_MSG(extack, "Conntrack mark isn't enabled"); 1567 return -EOPNOTSUPP; 1568 } 1569 fl_set_key_val(tb, &key->ct_mark, TCA_FLOWER_KEY_CT_MARK, 1570 &mask->ct_mark, TCA_FLOWER_KEY_CT_MARK_MASK, 1571 sizeof(key->ct_mark)); 1572 } 1573 if (tb[TCA_FLOWER_KEY_CT_LABELS]) { 1574 if (!IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS)) { 1575 NL_SET_ERR_MSG(extack, "Conntrack labels aren't enabled"); 1576 return -EOPNOTSUPP; 1577 } 1578 fl_set_key_val(tb, key->ct_labels, TCA_FLOWER_KEY_CT_LABELS, 1579 mask->ct_labels, TCA_FLOWER_KEY_CT_LABELS_MASK, 1580 sizeof(key->ct_labels)); 1581 } 1582 1583 return 0; 1584} 1585 1586static bool is_vlan_key(struct nlattr *tb, __be16 *ethertype, 1587 struct fl_flow_key *key, struct fl_flow_key *mask, 1588 int vthresh) 1589{ 1590 const bool good_num_of_vlans = key->num_of_vlans.num_of_vlans > vthresh; 1591 1592 if (!tb) { 1593 *ethertype = 0; 1594 return good_num_of_vlans; 1595 } 1596 1597 *ethertype = nla_get_be16(tb); 1598 if (good_num_of_vlans || eth_type_vlan(*ethertype)) 1599 return true; 1600 1601 key->basic.n_proto = *ethertype; 1602 mask->basic.n_proto = cpu_to_be16(~0); 1603 return false; 1604} 1605 1606static int fl_set_key(struct net *net, struct nlattr **tb, 1607 struct fl_flow_key *key, struct fl_flow_key *mask, 1608 struct netlink_ext_ack *extack) 1609{ 1610 __be16 ethertype; 1611 int ret = 0; 1612 1613 if (tb[TCA_FLOWER_INDEV]) { 1614 int err = tcf_change_indev(net, tb[TCA_FLOWER_INDEV], extack); 1615 if (err < 0) 1616 return err; 1617 key->meta.ingress_ifindex = err; 1618 mask->meta.ingress_ifindex = 0xffffffff; 1619 } 1620 1621 fl_set_key_val(tb, key->eth.dst, TCA_FLOWER_KEY_ETH_DST, 1622 mask->eth.dst, TCA_FLOWER_KEY_ETH_DST_MASK, 1623 sizeof(key->eth.dst)); 1624 fl_set_key_val(tb, key->eth.src, TCA_FLOWER_KEY_ETH_SRC, 1625 mask->eth.src, TCA_FLOWER_KEY_ETH_SRC_MASK, 1626 sizeof(key->eth.src)); 1627 fl_set_key_val(tb, &key->num_of_vlans, 1628 TCA_FLOWER_KEY_NUM_OF_VLANS, 1629 &mask->num_of_vlans, 1630 TCA_FLOWER_UNSPEC, 1631 sizeof(key->num_of_vlans)); 1632 1633 if (is_vlan_key(tb[TCA_FLOWER_KEY_ETH_TYPE], ðertype, key, mask, 0)) { 1634 fl_set_key_vlan(tb, ethertype, TCA_FLOWER_KEY_VLAN_ID, 1635 TCA_FLOWER_KEY_VLAN_PRIO, 1636 TCA_FLOWER_KEY_VLAN_ETH_TYPE, 1637 &key->vlan, &mask->vlan); 1638 1639 if (is_vlan_key(tb[TCA_FLOWER_KEY_VLAN_ETH_TYPE], 1640 ðertype, key, mask, 1)) { 1641 fl_set_key_vlan(tb, ethertype, 1642 TCA_FLOWER_KEY_CVLAN_ID, 1643 TCA_FLOWER_KEY_CVLAN_PRIO, 1644 TCA_FLOWER_KEY_CVLAN_ETH_TYPE, 1645 &key->cvlan, &mask->cvlan); 1646 fl_set_key_val(tb, &key->basic.n_proto, 1647 TCA_FLOWER_KEY_CVLAN_ETH_TYPE, 1648 &mask->basic.n_proto, 1649 TCA_FLOWER_UNSPEC, 1650 sizeof(key->basic.n_proto)); 1651 } 1652 } 1653 1654 if (key->basic.n_proto == htons(ETH_P_IP) || 1655 key->basic.n_proto == htons(ETH_P_IPV6)) { 1656 fl_set_key_val(tb, &key->basic.ip_proto, TCA_FLOWER_KEY_IP_PROTO, 1657 &mask->basic.ip_proto, TCA_FLOWER_UNSPEC, 1658 sizeof(key->basic.ip_proto)); 1659 fl_set_key_ip(tb, false, &key->ip, &mask->ip); 1660 } 1661 1662 if (tb[TCA_FLOWER_KEY_IPV4_SRC] || tb[TCA_FLOWER_KEY_IPV4_DST]) { 1663 key->control.addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS; 1664 mask->control.addr_type = ~0; 1665 fl_set_key_val(tb, &key->ipv4.src, TCA_FLOWER_KEY_IPV4_SRC, 1666 &mask->ipv4.src, TCA_FLOWER_KEY_IPV4_SRC_MASK, 1667 sizeof(key->ipv4.src)); 1668 fl_set_key_val(tb, &key->ipv4.dst, TCA_FLOWER_KEY_IPV4_DST, 1669 &mask->ipv4.dst, TCA_FLOWER_KEY_IPV4_DST_MASK, 1670 sizeof(key->ipv4.dst)); 1671 } else if (tb[TCA_FLOWER_KEY_IPV6_SRC] || tb[TCA_FLOWER_KEY_IPV6_DST]) { 1672 key->control.addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS; 1673 mask->control.addr_type = ~0; 1674 fl_set_key_val(tb, &key->ipv6.src, TCA_FLOWER_KEY_IPV6_SRC, 1675 &mask->ipv6.src, TCA_FLOWER_KEY_IPV6_SRC_MASK, 1676 sizeof(key->ipv6.src)); 1677 fl_set_key_val(tb, &key->ipv6.dst, TCA_FLOWER_KEY_IPV6_DST, 1678 &mask->ipv6.dst, TCA_FLOWER_KEY_IPV6_DST_MASK, 1679 sizeof(key->ipv6.dst)); 1680 } 1681 1682 if (key->basic.ip_proto == IPPROTO_TCP) { 1683 fl_set_key_val(tb, &key->tp.src, TCA_FLOWER_KEY_TCP_SRC, 1684 &mask->tp.src, TCA_FLOWER_KEY_TCP_SRC_MASK, 1685 sizeof(key->tp.src)); 1686 fl_set_key_val(tb, &key->tp.dst, TCA_FLOWER_KEY_TCP_DST, 1687 &mask->tp.dst, TCA_FLOWER_KEY_TCP_DST_MASK, 1688 sizeof(key->tp.dst)); 1689 fl_set_key_val(tb, &key->tcp.flags, TCA_FLOWER_KEY_TCP_FLAGS, 1690 &mask->tcp.flags, TCA_FLOWER_KEY_TCP_FLAGS_MASK, 1691 sizeof(key->tcp.flags)); 1692 } else if (key->basic.ip_proto == IPPROTO_UDP) { 1693 fl_set_key_val(tb, &key->tp.src, TCA_FLOWER_KEY_UDP_SRC, 1694 &mask->tp.src, TCA_FLOWER_KEY_UDP_SRC_MASK, 1695 sizeof(key->tp.src)); 1696 fl_set_key_val(tb, &key->tp.dst, TCA_FLOWER_KEY_UDP_DST, 1697 &mask->tp.dst, TCA_FLOWER_KEY_UDP_DST_MASK, 1698 sizeof(key->tp.dst)); 1699 } else if (key->basic.ip_proto == IPPROTO_SCTP) { 1700 fl_set_key_val(tb, &key->tp.src, TCA_FLOWER_KEY_SCTP_SRC, 1701 &mask->tp.src, TCA_FLOWER_KEY_SCTP_SRC_MASK, 1702 sizeof(key->tp.src)); 1703 fl_set_key_val(tb, &key->tp.dst, TCA_FLOWER_KEY_SCTP_DST, 1704 &mask->tp.dst, TCA_FLOWER_KEY_SCTP_DST_MASK, 1705 sizeof(key->tp.dst)); 1706 } else if (key->basic.n_proto == htons(ETH_P_IP) && 1707 key->basic.ip_proto == IPPROTO_ICMP) { 1708 fl_set_key_val(tb, &key->icmp.type, TCA_FLOWER_KEY_ICMPV4_TYPE, 1709 &mask->icmp.type, 1710 TCA_FLOWER_KEY_ICMPV4_TYPE_MASK, 1711 sizeof(key->icmp.type)); 1712 fl_set_key_val(tb, &key->icmp.code, TCA_FLOWER_KEY_ICMPV4_CODE, 1713 &mask->icmp.code, 1714 TCA_FLOWER_KEY_ICMPV4_CODE_MASK, 1715 sizeof(key->icmp.code)); 1716 } else if (key->basic.n_proto == htons(ETH_P_IPV6) && 1717 key->basic.ip_proto == IPPROTO_ICMPV6) { 1718 fl_set_key_val(tb, &key->icmp.type, TCA_FLOWER_KEY_ICMPV6_TYPE, 1719 &mask->icmp.type, 1720 TCA_FLOWER_KEY_ICMPV6_TYPE_MASK, 1721 sizeof(key->icmp.type)); 1722 fl_set_key_val(tb, &key->icmp.code, TCA_FLOWER_KEY_ICMPV6_CODE, 1723 &mask->icmp.code, 1724 TCA_FLOWER_KEY_ICMPV6_CODE_MASK, 1725 sizeof(key->icmp.code)); 1726 } else if (key->basic.n_proto == htons(ETH_P_MPLS_UC) || 1727 key->basic.n_proto == htons(ETH_P_MPLS_MC)) { 1728 ret = fl_set_key_mpls(tb, &key->mpls, &mask->mpls, extack); 1729 if (ret) 1730 return ret; 1731 } else if (key->basic.n_proto == htons(ETH_P_ARP) || 1732 key->basic.n_proto == htons(ETH_P_RARP)) { 1733 fl_set_key_val(tb, &key->arp.sip, TCA_FLOWER_KEY_ARP_SIP, 1734 &mask->arp.sip, TCA_FLOWER_KEY_ARP_SIP_MASK, 1735 sizeof(key->arp.sip)); 1736 fl_set_key_val(tb, &key->arp.tip, TCA_FLOWER_KEY_ARP_TIP, 1737 &mask->arp.tip, TCA_FLOWER_KEY_ARP_TIP_MASK, 1738 sizeof(key->arp.tip)); 1739 fl_set_key_val(tb, &key->arp.op, TCA_FLOWER_KEY_ARP_OP, 1740 &mask->arp.op, TCA_FLOWER_KEY_ARP_OP_MASK, 1741 sizeof(key->arp.op)); 1742 fl_set_key_val(tb, key->arp.sha, TCA_FLOWER_KEY_ARP_SHA, 1743 mask->arp.sha, TCA_FLOWER_KEY_ARP_SHA_MASK, 1744 sizeof(key->arp.sha)); 1745 fl_set_key_val(tb, key->arp.tha, TCA_FLOWER_KEY_ARP_THA, 1746 mask->arp.tha, TCA_FLOWER_KEY_ARP_THA_MASK, 1747 sizeof(key->arp.tha)); 1748 } 1749 1750 if (key->basic.ip_proto == IPPROTO_TCP || 1751 key->basic.ip_proto == IPPROTO_UDP || 1752 key->basic.ip_proto == IPPROTO_SCTP) { 1753 ret = fl_set_key_port_range(tb, key, mask, extack); 1754 if (ret) 1755 return ret; 1756 } 1757 1758 if (tb[TCA_FLOWER_KEY_ENC_IPV4_SRC] || 1759 tb[TCA_FLOWER_KEY_ENC_IPV4_DST]) { 1760 key->enc_control.addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS; 1761 mask->enc_control.addr_type = ~0; 1762 fl_set_key_val(tb, &key->enc_ipv4.src, 1763 TCA_FLOWER_KEY_ENC_IPV4_SRC, 1764 &mask->enc_ipv4.src, 1765 TCA_FLOWER_KEY_ENC_IPV4_SRC_MASK, 1766 sizeof(key->enc_ipv4.src)); 1767 fl_set_key_val(tb, &key->enc_ipv4.dst, 1768 TCA_FLOWER_KEY_ENC_IPV4_DST, 1769 &mask->enc_ipv4.dst, 1770 TCA_FLOWER_KEY_ENC_IPV4_DST_MASK, 1771 sizeof(key->enc_ipv4.dst)); 1772 } 1773 1774 if (tb[TCA_FLOWER_KEY_ENC_IPV6_SRC] || 1775 tb[TCA_FLOWER_KEY_ENC_IPV6_DST]) { 1776 key->enc_control.addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS; 1777 mask->enc_control.addr_type = ~0; 1778 fl_set_key_val(tb, &key->enc_ipv6.src, 1779 TCA_FLOWER_KEY_ENC_IPV6_SRC, 1780 &mask->enc_ipv6.src, 1781 TCA_FLOWER_KEY_ENC_IPV6_SRC_MASK, 1782 sizeof(key->enc_ipv6.src)); 1783 fl_set_key_val(tb, &key->enc_ipv6.dst, 1784 TCA_FLOWER_KEY_ENC_IPV6_DST, 1785 &mask->enc_ipv6.dst, 1786 TCA_FLOWER_KEY_ENC_IPV6_DST_MASK, 1787 sizeof(key->enc_ipv6.dst)); 1788 } 1789 1790 fl_set_key_val(tb, &key->enc_key_id.keyid, TCA_FLOWER_KEY_ENC_KEY_ID, 1791 &mask->enc_key_id.keyid, TCA_FLOWER_UNSPEC, 1792 sizeof(key->enc_key_id.keyid)); 1793 1794 fl_set_key_val(tb, &key->enc_tp.src, TCA_FLOWER_KEY_ENC_UDP_SRC_PORT, 1795 &mask->enc_tp.src, TCA_FLOWER_KEY_ENC_UDP_SRC_PORT_MASK, 1796 sizeof(key->enc_tp.src)); 1797 1798 fl_set_key_val(tb, &key->enc_tp.dst, TCA_FLOWER_KEY_ENC_UDP_DST_PORT, 1799 &mask->enc_tp.dst, TCA_FLOWER_KEY_ENC_UDP_DST_PORT_MASK, 1800 sizeof(key->enc_tp.dst)); 1801 1802 fl_set_key_ip(tb, true, &key->enc_ip, &mask->enc_ip); 1803 1804 fl_set_key_val(tb, &key->hash.hash, TCA_FLOWER_KEY_HASH, 1805 &mask->hash.hash, TCA_FLOWER_KEY_HASH_MASK, 1806 sizeof(key->hash.hash)); 1807 1808 if (tb[TCA_FLOWER_KEY_ENC_OPTS]) { 1809 ret = fl_set_enc_opt(tb, key, mask, extack); 1810 if (ret) 1811 return ret; 1812 } 1813 1814 ret = fl_set_key_ct(tb, &key->ct, &mask->ct, extack); 1815 if (ret) 1816 return ret; 1817 1818 if (tb[TCA_FLOWER_KEY_FLAGS]) 1819 ret = fl_set_key_flags(tb, &key->control.flags, 1820 &mask->control.flags, extack); 1821 1822 return ret; 1823} 1824 1825static void fl_mask_copy(struct fl_flow_mask *dst, 1826 struct fl_flow_mask *src) 1827{ 1828 const void *psrc = fl_key_get_start(&src->key, src); 1829 void *pdst = fl_key_get_start(&dst->key, src); 1830 1831 memcpy(pdst, psrc, fl_mask_range(src)); 1832 dst->range = src->range; 1833} 1834 1835static const struct rhashtable_params fl_ht_params = { 1836 .key_offset = offsetof(struct cls_fl_filter, mkey), /* base offset */ 1837 .head_offset = offsetof(struct cls_fl_filter, ht_node), 1838 .automatic_shrinking = true, 1839}; 1840 1841static int fl_init_mask_hashtable(struct fl_flow_mask *mask) 1842{ 1843 mask->filter_ht_params = fl_ht_params; 1844 mask->filter_ht_params.key_len = fl_mask_range(mask); 1845 mask->filter_ht_params.key_offset += mask->range.start; 1846 1847 return rhashtable_init(&mask->ht, &mask->filter_ht_params); 1848} 1849 1850#define FL_KEY_MEMBER_OFFSET(member) offsetof(struct fl_flow_key, member) 1851#define FL_KEY_MEMBER_SIZE(member) sizeof_field(struct fl_flow_key, member) 1852 1853#define FL_KEY_IS_MASKED(mask, member) \ 1854 memchr_inv(((char *)mask) + FL_KEY_MEMBER_OFFSET(member), \ 1855 0, FL_KEY_MEMBER_SIZE(member)) \ 1856 1857#define FL_KEY_SET(keys, cnt, id, member) \ 1858 do { \ 1859 keys[cnt].key_id = id; \ 1860 keys[cnt].offset = FL_KEY_MEMBER_OFFSET(member); \ 1861 cnt++; \ 1862 } while(0); 1863 1864#define FL_KEY_SET_IF_MASKED(mask, keys, cnt, id, member) \ 1865 do { \ 1866 if (FL_KEY_IS_MASKED(mask, member)) \ 1867 FL_KEY_SET(keys, cnt, id, member); \ 1868 } while(0); 1869 1870static void fl_init_dissector(struct flow_dissector *dissector, 1871 struct fl_flow_key *mask) 1872{ 1873 struct flow_dissector_key keys[FLOW_DISSECTOR_KEY_MAX]; 1874 size_t cnt = 0; 1875 1876 FL_KEY_SET_IF_MASKED(mask, keys, cnt, 1877 FLOW_DISSECTOR_KEY_META, meta); 1878 FL_KEY_SET(keys, cnt, FLOW_DISSECTOR_KEY_CONTROL, control); 1879 FL_KEY_SET(keys, cnt, FLOW_DISSECTOR_KEY_BASIC, basic); 1880 FL_KEY_SET_IF_MASKED(mask, keys, cnt, 1881 FLOW_DISSECTOR_KEY_ETH_ADDRS, eth); 1882 FL_KEY_SET_IF_MASKED(mask, keys, cnt, 1883 FLOW_DISSECTOR_KEY_IPV4_ADDRS, ipv4); 1884 FL_KEY_SET_IF_MASKED(mask, keys, cnt, 1885 FLOW_DISSECTOR_KEY_IPV6_ADDRS, ipv6); 1886 FL_KEY_SET_IF_MASKED(mask, keys, cnt, 1887 FLOW_DISSECTOR_KEY_PORTS, tp); 1888 FL_KEY_SET_IF_MASKED(mask, keys, cnt, 1889 FLOW_DISSECTOR_KEY_PORTS_RANGE, tp_range); 1890 FL_KEY_SET_IF_MASKED(mask, keys, cnt, 1891 FLOW_DISSECTOR_KEY_IP, ip); 1892 FL_KEY_SET_IF_MASKED(mask, keys, cnt, 1893 FLOW_DISSECTOR_KEY_TCP, tcp); 1894 FL_KEY_SET_IF_MASKED(mask, keys, cnt, 1895 FLOW_DISSECTOR_KEY_ICMP, icmp); 1896 FL_KEY_SET_IF_MASKED(mask, keys, cnt, 1897 FLOW_DISSECTOR_KEY_ARP, arp); 1898 FL_KEY_SET_IF_MASKED(mask, keys, cnt, 1899 FLOW_DISSECTOR_KEY_MPLS, mpls); 1900 FL_KEY_SET_IF_MASKED(mask, keys, cnt, 1901 FLOW_DISSECTOR_KEY_VLAN, vlan); 1902 FL_KEY_SET_IF_MASKED(mask, keys, cnt, 1903 FLOW_DISSECTOR_KEY_CVLAN, cvlan); 1904 FL_KEY_SET_IF_MASKED(mask, keys, cnt, 1905 FLOW_DISSECTOR_KEY_ENC_KEYID, enc_key_id); 1906 FL_KEY_SET_IF_MASKED(mask, keys, cnt, 1907 FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS, enc_ipv4); 1908 FL_KEY_SET_IF_MASKED(mask, keys, cnt, 1909 FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS, enc_ipv6); 1910 if (FL_KEY_IS_MASKED(mask, enc_ipv4) || 1911 FL_KEY_IS_MASKED(mask, enc_ipv6)) 1912 FL_KEY_SET(keys, cnt, FLOW_DISSECTOR_KEY_ENC_CONTROL, 1913 enc_control); 1914 FL_KEY_SET_IF_MASKED(mask, keys, cnt, 1915 FLOW_DISSECTOR_KEY_ENC_PORTS, enc_tp); 1916 FL_KEY_SET_IF_MASKED(mask, keys, cnt, 1917 FLOW_DISSECTOR_KEY_ENC_IP, enc_ip); 1918 FL_KEY_SET_IF_MASKED(mask, keys, cnt, 1919 FLOW_DISSECTOR_KEY_ENC_OPTS, enc_opts); 1920 FL_KEY_SET_IF_MASKED(mask, keys, cnt, 1921 FLOW_DISSECTOR_KEY_CT, ct); 1922 FL_KEY_SET_IF_MASKED(mask, keys, cnt, 1923 FLOW_DISSECTOR_KEY_HASH, hash); 1924 FL_KEY_SET_IF_MASKED(mask, keys, cnt, 1925 FLOW_DISSECTOR_KEY_NUM_OF_VLANS, num_of_vlans); 1926 1927 skb_flow_dissector_init(dissector, keys, cnt); 1928} 1929 1930static struct fl_flow_mask *fl_create_new_mask(struct cls_fl_head *head, 1931 struct fl_flow_mask *mask) 1932{ 1933 struct fl_flow_mask *newmask; 1934 int err; 1935 1936 newmask = kzalloc(sizeof(*newmask), GFP_KERNEL); 1937 if (!newmask) 1938 return ERR_PTR(-ENOMEM); 1939 1940 fl_mask_copy(newmask, mask); 1941 1942 if ((newmask->key.tp_range.tp_min.dst && 1943 newmask->key.tp_range.tp_max.dst) || 1944 (newmask->key.tp_range.tp_min.src && 1945 newmask->key.tp_range.tp_max.src)) 1946 newmask->flags |= TCA_FLOWER_MASK_FLAGS_RANGE; 1947 1948 err = fl_init_mask_hashtable(newmask); 1949 if (err) 1950 goto errout_free; 1951 1952 fl_init_dissector(&newmask->dissector, &newmask->key); 1953 1954 INIT_LIST_HEAD_RCU(&newmask->filters); 1955 1956 refcount_set(&newmask->refcnt, 1); 1957 err = rhashtable_replace_fast(&head->ht, &mask->ht_node, 1958 &newmask->ht_node, mask_ht_params); 1959 if (err) 1960 goto errout_destroy; 1961 1962 spin_lock(&head->masks_lock); 1963 list_add_tail_rcu(&newmask->list, &head->masks); 1964 spin_unlock(&head->masks_lock); 1965 1966 return newmask; 1967 1968errout_destroy: 1969 rhashtable_destroy(&newmask->ht); 1970errout_free: 1971 kfree(newmask); 1972 1973 return ERR_PTR(err); 1974} 1975 1976static int fl_check_assign_mask(struct cls_fl_head *head, 1977 struct cls_fl_filter *fnew, 1978 struct cls_fl_filter *fold, 1979 struct fl_flow_mask *mask) 1980{ 1981 struct fl_flow_mask *newmask; 1982 int ret = 0; 1983 1984 rcu_read_lock(); 1985 1986 /* Insert mask as temporary node to prevent concurrent creation of mask 1987 * with same key. Any concurrent lookups with same key will return 1988 * -EAGAIN because mask's refcnt is zero. 1989 */ 1990 fnew->mask = rhashtable_lookup_get_insert_fast(&head->ht, 1991 &mask->ht_node, 1992 mask_ht_params); 1993 if (!fnew->mask) { 1994 rcu_read_unlock(); 1995 1996 if (fold) { 1997 ret = -EINVAL; 1998 goto errout_cleanup; 1999 } 2000 2001 newmask = fl_create_new_mask(head, mask); 2002 if (IS_ERR(newmask)) { 2003 ret = PTR_ERR(newmask); 2004 goto errout_cleanup; 2005 } 2006 2007 fnew->mask = newmask; 2008 return 0; 2009 } else if (IS_ERR(fnew->mask)) { 2010 ret = PTR_ERR(fnew->mask); 2011 } else if (fold && fold->mask != fnew->mask) { 2012 ret = -EINVAL; 2013 } else if (!refcount_inc_not_zero(&fnew->mask->refcnt)) { 2014 /* Mask was deleted concurrently, try again */ 2015 ret = -EAGAIN; 2016 } 2017 rcu_read_unlock(); 2018 return ret; 2019 2020errout_cleanup: 2021 rhashtable_remove_fast(&head->ht, &mask->ht_node, 2022 mask_ht_params); 2023 return ret; 2024} 2025 2026static int fl_set_parms(struct net *net, struct tcf_proto *tp, 2027 struct cls_fl_filter *f, struct fl_flow_mask *mask, 2028 unsigned long base, struct nlattr **tb, 2029 struct nlattr *est, 2030 struct fl_flow_tmplt *tmplt, 2031 u32 flags, u32 fl_flags, 2032 struct netlink_ext_ack *extack) 2033{ 2034 int err; 2035 2036 err = tcf_exts_validate_ex(net, tp, tb, est, &f->exts, flags, 2037 fl_flags, extack); 2038 if (err < 0) 2039 return err; 2040 2041 if (tb[TCA_FLOWER_CLASSID]) { 2042 f->res.classid = nla_get_u32(tb[TCA_FLOWER_CLASSID]); 2043 if (flags & TCA_ACT_FLAGS_NO_RTNL) 2044 rtnl_lock(); 2045 tcf_bind_filter(tp, &f->res, base); 2046 if (flags & TCA_ACT_FLAGS_NO_RTNL) 2047 rtnl_unlock(); 2048 } 2049 2050 err = fl_set_key(net, tb, &f->key, &mask->key, extack); 2051 if (err) 2052 return err; 2053 2054 fl_mask_update_range(mask); 2055 fl_set_masked_key(&f->mkey, &f->key, mask); 2056 2057 if (!fl_mask_fits_tmplt(tmplt, mask)) { 2058 NL_SET_ERR_MSG_MOD(extack, "Mask does not fit the template"); 2059 return -EINVAL; 2060 } 2061 2062 return 0; 2063} 2064 2065static int fl_ht_insert_unique(struct cls_fl_filter *fnew, 2066 struct cls_fl_filter *fold, 2067 bool *in_ht) 2068{ 2069 struct fl_flow_mask *mask = fnew->mask; 2070 int err; 2071 2072 err = rhashtable_lookup_insert_fast(&mask->ht, 2073 &fnew->ht_node, 2074 mask->filter_ht_params); 2075 if (err) { 2076 *in_ht = false; 2077 /* It is okay if filter with same key exists when 2078 * overwriting. 2079 */ 2080 return fold && err == -EEXIST ? 0 : err; 2081 } 2082 2083 *in_ht = true; 2084 return 0; 2085} 2086 2087static int fl_change(struct net *net, struct sk_buff *in_skb, 2088 struct tcf_proto *tp, unsigned long base, 2089 u32 handle, struct nlattr **tca, 2090 void **arg, u32 flags, 2091 struct netlink_ext_ack *extack) 2092{ 2093 struct cls_fl_head *head = fl_head_dereference(tp); 2094 bool rtnl_held = !(flags & TCA_ACT_FLAGS_NO_RTNL); 2095 struct cls_fl_filter *fold = *arg; 2096 struct cls_fl_filter *fnew; 2097 struct fl_flow_mask *mask; 2098 struct nlattr **tb; 2099 bool in_ht; 2100 int err; 2101 2102 if (!tca[TCA_OPTIONS]) { 2103 err = -EINVAL; 2104 goto errout_fold; 2105 } 2106 2107 mask = kzalloc(sizeof(struct fl_flow_mask), GFP_KERNEL); 2108 if (!mask) { 2109 err = -ENOBUFS; 2110 goto errout_fold; 2111 } 2112 2113 tb = kcalloc(TCA_FLOWER_MAX + 1, sizeof(struct nlattr *), GFP_KERNEL); 2114 if (!tb) { 2115 err = -ENOBUFS; 2116 goto errout_mask_alloc; 2117 } 2118 2119 err = nla_parse_nested_deprecated(tb, TCA_FLOWER_MAX, 2120 tca[TCA_OPTIONS], fl_policy, NULL); 2121 if (err < 0) 2122 goto errout_tb; 2123 2124 if (fold && handle && fold->handle != handle) { 2125 err = -EINVAL; 2126 goto errout_tb; 2127 } 2128 2129 fnew = kzalloc(sizeof(*fnew), GFP_KERNEL); 2130 if (!fnew) { 2131 err = -ENOBUFS; 2132 goto errout_tb; 2133 } 2134 INIT_LIST_HEAD(&fnew->hw_list); 2135 refcount_set(&fnew->refcnt, 1); 2136 2137 err = tcf_exts_init(&fnew->exts, net, TCA_FLOWER_ACT, 0); 2138 if (err < 0) 2139 goto errout; 2140 2141 if (tb[TCA_FLOWER_FLAGS]) { 2142 fnew->flags = nla_get_u32(tb[TCA_FLOWER_FLAGS]); 2143 2144 if (!tc_flags_valid(fnew->flags)) { 2145 err = -EINVAL; 2146 goto errout; 2147 } 2148 } 2149 2150 err = fl_set_parms(net, tp, fnew, mask, base, tb, tca[TCA_RATE], 2151 tp->chain->tmplt_priv, flags, fnew->flags, 2152 extack); 2153 if (err) 2154 goto errout; 2155 2156 err = fl_check_assign_mask(head, fnew, fold, mask); 2157 if (err) 2158 goto errout; 2159 2160 err = fl_ht_insert_unique(fnew, fold, &in_ht); 2161 if (err) 2162 goto errout_mask; 2163 2164 if (!tc_skip_hw(fnew->flags)) { 2165 err = fl_hw_replace_filter(tp, fnew, rtnl_held, extack); 2166 if (err) 2167 goto errout_ht; 2168 } 2169 2170 if (!tc_in_hw(fnew->flags)) 2171 fnew->flags |= TCA_CLS_FLAGS_NOT_IN_HW; 2172 2173 spin_lock(&tp->lock); 2174 2175 /* tp was deleted concurrently. -EAGAIN will cause caller to lookup 2176 * proto again or create new one, if necessary. 2177 */ 2178 if (tp->deleting) { 2179 err = -EAGAIN; 2180 goto errout_hw; 2181 } 2182 2183 if (fold) { 2184 /* Fold filter was deleted concurrently. Retry lookup. */ 2185 if (fold->deleted) { 2186 err = -EAGAIN; 2187 goto errout_hw; 2188 } 2189 2190 fnew->handle = handle; 2191 2192 if (!in_ht) { 2193 struct rhashtable_params params = 2194 fnew->mask->filter_ht_params; 2195 2196 err = rhashtable_insert_fast(&fnew->mask->ht, 2197 &fnew->ht_node, 2198 params); 2199 if (err) 2200 goto errout_hw; 2201 in_ht = true; 2202 } 2203 2204 refcount_inc(&fnew->refcnt); 2205 rhashtable_remove_fast(&fold->mask->ht, 2206 &fold->ht_node, 2207 fold->mask->filter_ht_params); 2208 idr_replace(&head->handle_idr, fnew, fnew->handle); 2209 list_replace_rcu(&fold->list, &fnew->list); 2210 fold->deleted = true; 2211 2212 spin_unlock(&tp->lock); 2213 2214 fl_mask_put(head, fold->mask); 2215 if (!tc_skip_hw(fold->flags)) 2216 fl_hw_destroy_filter(tp, fold, rtnl_held, NULL); 2217 tcf_unbind_filter(tp, &fold->res); 2218 /* Caller holds reference to fold, so refcnt is always > 0 2219 * after this. 2220 */ 2221 refcount_dec(&fold->refcnt); 2222 __fl_put(fold); 2223 } else { 2224 if (handle) { 2225 /* user specifies a handle and it doesn't exist */ 2226 err = idr_alloc_u32(&head->handle_idr, fnew, &handle, 2227 handle, GFP_ATOMIC); 2228 2229 /* Filter with specified handle was concurrently 2230 * inserted after initial check in cls_api. This is not 2231 * necessarily an error if NLM_F_EXCL is not set in 2232 * message flags. Returning EAGAIN will cause cls_api to 2233 * try to update concurrently inserted rule. 2234 */ 2235 if (err == -ENOSPC) 2236 err = -EAGAIN; 2237 } else { 2238 handle = 1; 2239 err = idr_alloc_u32(&head->handle_idr, fnew, &handle, 2240 INT_MAX, GFP_ATOMIC); 2241 } 2242 if (err) 2243 goto errout_hw; 2244 2245 refcount_inc(&fnew->refcnt); 2246 fnew->handle = handle; 2247 list_add_tail_rcu(&fnew->list, &fnew->mask->filters); 2248 spin_unlock(&tp->lock); 2249 } 2250 2251 *arg = fnew; 2252 2253 kfree(tb); 2254 tcf_queue_work(&mask->rwork, fl_uninit_mask_free_work); 2255 return 0; 2256 2257errout_ht: 2258 spin_lock(&tp->lock); 2259errout_hw: 2260 fnew->deleted = true; 2261 spin_unlock(&tp->lock); 2262 if (!tc_skip_hw(fnew->flags)) 2263 fl_hw_destroy_filter(tp, fnew, rtnl_held, NULL); 2264 if (in_ht) 2265 rhashtable_remove_fast(&fnew->mask->ht, &fnew->ht_node, 2266 fnew->mask->filter_ht_params); 2267errout_mask: 2268 fl_mask_put(head, fnew->mask); 2269errout: 2270 __fl_put(fnew); 2271errout_tb: 2272 kfree(tb); 2273errout_mask_alloc: 2274 tcf_queue_work(&mask->rwork, fl_uninit_mask_free_work); 2275errout_fold: 2276 if (fold) 2277 __fl_put(fold); 2278 return err; 2279} 2280 2281static int fl_delete(struct tcf_proto *tp, void *arg, bool *last, 2282 bool rtnl_held, struct netlink_ext_ack *extack) 2283{ 2284 struct cls_fl_head *head = fl_head_dereference(tp); 2285 struct cls_fl_filter *f = arg; 2286 bool last_on_mask; 2287 int err = 0; 2288 2289 err = __fl_delete(tp, f, &last_on_mask, rtnl_held, extack); 2290 *last = list_empty(&head->masks); 2291 __fl_put(f); 2292 2293 return err; 2294} 2295 2296static void fl_walk(struct tcf_proto *tp, struct tcf_walker *arg, 2297 bool rtnl_held) 2298{ 2299 struct cls_fl_head *head = fl_head_dereference(tp); 2300 unsigned long id = arg->cookie, tmp; 2301 struct cls_fl_filter *f; 2302 2303 arg->count = arg->skip; 2304 2305 rcu_read_lock(); 2306 idr_for_each_entry_continue_ul(&head->handle_idr, f, tmp, id) { 2307 /* don't return filters that are being deleted */ 2308 if (!refcount_inc_not_zero(&f->refcnt)) 2309 continue; 2310 rcu_read_unlock(); 2311 2312 if (arg->fn(tp, f, arg) < 0) { 2313 __fl_put(f); 2314 arg->stop = 1; 2315 rcu_read_lock(); 2316 break; 2317 } 2318 __fl_put(f); 2319 arg->count++; 2320 rcu_read_lock(); 2321 } 2322 rcu_read_unlock(); 2323 arg->cookie = id; 2324} 2325 2326static struct cls_fl_filter * 2327fl_get_next_hw_filter(struct tcf_proto *tp, struct cls_fl_filter *f, bool add) 2328{ 2329 struct cls_fl_head *head = fl_head_dereference(tp); 2330 2331 spin_lock(&tp->lock); 2332 if (list_empty(&head->hw_filters)) { 2333 spin_unlock(&tp->lock); 2334 return NULL; 2335 } 2336 2337 if (!f) 2338 f = list_entry(&head->hw_filters, struct cls_fl_filter, 2339 hw_list); 2340 list_for_each_entry_continue(f, &head->hw_filters, hw_list) { 2341 if (!(add && f->deleted) && refcount_inc_not_zero(&f->refcnt)) { 2342 spin_unlock(&tp->lock); 2343 return f; 2344 } 2345 } 2346 2347 spin_unlock(&tp->lock); 2348 return NULL; 2349} 2350 2351static int fl_reoffload(struct tcf_proto *tp, bool add, flow_setup_cb_t *cb, 2352 void *cb_priv, struct netlink_ext_ack *extack) 2353{ 2354 struct tcf_block *block = tp->chain->block; 2355 struct flow_cls_offload cls_flower = {}; 2356 struct cls_fl_filter *f = NULL; 2357 int err; 2358 2359 /* hw_filters list can only be changed by hw offload functions after 2360 * obtaining rtnl lock. Make sure it is not changed while reoffload is 2361 * iterating it. 2362 */ 2363 ASSERT_RTNL(); 2364 2365 while ((f = fl_get_next_hw_filter(tp, f, add))) { 2366 cls_flower.rule = 2367 flow_rule_alloc(tcf_exts_num_actions(&f->exts)); 2368 if (!cls_flower.rule) { 2369 __fl_put(f); 2370 return -ENOMEM; 2371 } 2372 2373 tc_cls_common_offload_init(&cls_flower.common, tp, f->flags, 2374 extack); 2375 cls_flower.command = add ? 2376 FLOW_CLS_REPLACE : FLOW_CLS_DESTROY; 2377 cls_flower.cookie = (unsigned long)f; 2378 cls_flower.rule->match.dissector = &f->mask->dissector; 2379 cls_flower.rule->match.mask = &f->mask->key; 2380 cls_flower.rule->match.key = &f->mkey; 2381 2382 err = tc_setup_offload_action(&cls_flower.rule->action, &f->exts, 2383 cls_flower.common.extack); 2384 if (err) { 2385 kfree(cls_flower.rule); 2386 if (tc_skip_sw(f->flags)) { 2387 __fl_put(f); 2388 return err; 2389 } 2390 goto next_flow; 2391 } 2392 2393 cls_flower.classid = f->res.classid; 2394 2395 err = tc_setup_cb_reoffload(block, tp, add, cb, 2396 TC_SETUP_CLSFLOWER, &cls_flower, 2397 cb_priv, &f->flags, 2398 &f->in_hw_count); 2399 tc_cleanup_offload_action(&cls_flower.rule->action); 2400 kfree(cls_flower.rule); 2401 2402 if (err) { 2403 __fl_put(f); 2404 return err; 2405 } 2406next_flow: 2407 __fl_put(f); 2408 } 2409 2410 return 0; 2411} 2412 2413static void fl_hw_add(struct tcf_proto *tp, void *type_data) 2414{ 2415 struct flow_cls_offload *cls_flower = type_data; 2416 struct cls_fl_filter *f = 2417 (struct cls_fl_filter *) cls_flower->cookie; 2418 struct cls_fl_head *head = fl_head_dereference(tp); 2419 2420 spin_lock(&tp->lock); 2421 list_add(&f->hw_list, &head->hw_filters); 2422 spin_unlock(&tp->lock); 2423} 2424 2425static void fl_hw_del(struct tcf_proto *tp, void *type_data) 2426{ 2427 struct flow_cls_offload *cls_flower = type_data; 2428 struct cls_fl_filter *f = 2429 (struct cls_fl_filter *) cls_flower->cookie; 2430 2431 spin_lock(&tp->lock); 2432 if (!list_empty(&f->hw_list)) 2433 list_del_init(&f->hw_list); 2434 spin_unlock(&tp->lock); 2435} 2436 2437static int fl_hw_create_tmplt(struct tcf_chain *chain, 2438 struct fl_flow_tmplt *tmplt) 2439{ 2440 struct flow_cls_offload cls_flower = {}; 2441 struct tcf_block *block = chain->block; 2442 2443 cls_flower.rule = flow_rule_alloc(0); 2444 if (!cls_flower.rule) 2445 return -ENOMEM; 2446 2447 cls_flower.common.chain_index = chain->index; 2448 cls_flower.command = FLOW_CLS_TMPLT_CREATE; 2449 cls_flower.cookie = (unsigned long) tmplt; 2450 cls_flower.rule->match.dissector = &tmplt->dissector; 2451 cls_flower.rule->match.mask = &tmplt->mask; 2452 cls_flower.rule->match.key = &tmplt->dummy_key; 2453 2454 /* We don't care if driver (any of them) fails to handle this 2455 * call. It serves just as a hint for it. 2456 */ 2457 tc_setup_cb_call(block, TC_SETUP_CLSFLOWER, &cls_flower, false, true); 2458 kfree(cls_flower.rule); 2459 2460 return 0; 2461} 2462 2463static void fl_hw_destroy_tmplt(struct tcf_chain *chain, 2464 struct fl_flow_tmplt *tmplt) 2465{ 2466 struct flow_cls_offload cls_flower = {}; 2467 struct tcf_block *block = chain->block; 2468 2469 cls_flower.common.chain_index = chain->index; 2470 cls_flower.command = FLOW_CLS_TMPLT_DESTROY; 2471 cls_flower.cookie = (unsigned long) tmplt; 2472 2473 tc_setup_cb_call(block, TC_SETUP_CLSFLOWER, &cls_flower, false, true); 2474} 2475 2476static void *fl_tmplt_create(struct net *net, struct tcf_chain *chain, 2477 struct nlattr **tca, 2478 struct netlink_ext_ack *extack) 2479{ 2480 struct fl_flow_tmplt *tmplt; 2481 struct nlattr **tb; 2482 int err; 2483 2484 if (!tca[TCA_OPTIONS]) 2485 return ERR_PTR(-EINVAL); 2486 2487 tb = kcalloc(TCA_FLOWER_MAX + 1, sizeof(struct nlattr *), GFP_KERNEL); 2488 if (!tb) 2489 return ERR_PTR(-ENOBUFS); 2490 err = nla_parse_nested_deprecated(tb, TCA_FLOWER_MAX, 2491 tca[TCA_OPTIONS], fl_policy, NULL); 2492 if (err) 2493 goto errout_tb; 2494 2495 tmplt = kzalloc(sizeof(*tmplt), GFP_KERNEL); 2496 if (!tmplt) { 2497 err = -ENOMEM; 2498 goto errout_tb; 2499 } 2500 tmplt->chain = chain; 2501 err = fl_set_key(net, tb, &tmplt->dummy_key, &tmplt->mask, extack); 2502 if (err) 2503 goto errout_tmplt; 2504 2505 fl_init_dissector(&tmplt->dissector, &tmplt->mask); 2506 2507 err = fl_hw_create_tmplt(chain, tmplt); 2508 if (err) 2509 goto errout_tmplt; 2510 2511 kfree(tb); 2512 return tmplt; 2513 2514errout_tmplt: 2515 kfree(tmplt); 2516errout_tb: 2517 kfree(tb); 2518 return ERR_PTR(err); 2519} 2520 2521static void fl_tmplt_destroy(void *tmplt_priv) 2522{ 2523 struct fl_flow_tmplt *tmplt = tmplt_priv; 2524 2525 fl_hw_destroy_tmplt(tmplt->chain, tmplt); 2526 kfree(tmplt); 2527} 2528 2529static int fl_dump_key_val(struct sk_buff *skb, 2530 void *val, int val_type, 2531 void *mask, int mask_type, int len) 2532{ 2533 int err; 2534 2535 if (!memchr_inv(mask, 0, len)) 2536 return 0; 2537 err = nla_put(skb, val_type, len, val); 2538 if (err) 2539 return err; 2540 if (mask_type != TCA_FLOWER_UNSPEC) { 2541 err = nla_put(skb, mask_type, len, mask); 2542 if (err) 2543 return err; 2544 } 2545 return 0; 2546} 2547 2548static int fl_dump_key_port_range(struct sk_buff *skb, struct fl_flow_key *key, 2549 struct fl_flow_key *mask) 2550{ 2551 if (fl_dump_key_val(skb, &key->tp_range.tp_min.dst, 2552 TCA_FLOWER_KEY_PORT_DST_MIN, 2553 &mask->tp_range.tp_min.dst, TCA_FLOWER_UNSPEC, 2554 sizeof(key->tp_range.tp_min.dst)) || 2555 fl_dump_key_val(skb, &key->tp_range.tp_max.dst, 2556 TCA_FLOWER_KEY_PORT_DST_MAX, 2557 &mask->tp_range.tp_max.dst, TCA_FLOWER_UNSPEC, 2558 sizeof(key->tp_range.tp_max.dst)) || 2559 fl_dump_key_val(skb, &key->tp_range.tp_min.src, 2560 TCA_FLOWER_KEY_PORT_SRC_MIN, 2561 &mask->tp_range.tp_min.src, TCA_FLOWER_UNSPEC, 2562 sizeof(key->tp_range.tp_min.src)) || 2563 fl_dump_key_val(skb, &key->tp_range.tp_max.src, 2564 TCA_FLOWER_KEY_PORT_SRC_MAX, 2565 &mask->tp_range.tp_max.src, TCA_FLOWER_UNSPEC, 2566 sizeof(key->tp_range.tp_max.src))) 2567 return -1; 2568 2569 return 0; 2570} 2571 2572static int fl_dump_key_mpls_opt_lse(struct sk_buff *skb, 2573 struct flow_dissector_key_mpls *mpls_key, 2574 struct flow_dissector_key_mpls *mpls_mask, 2575 u8 lse_index) 2576{ 2577 struct flow_dissector_mpls_lse *lse_mask = &mpls_mask->ls[lse_index]; 2578 struct flow_dissector_mpls_lse *lse_key = &mpls_key->ls[lse_index]; 2579 int err; 2580 2581 err = nla_put_u8(skb, TCA_FLOWER_KEY_MPLS_OPT_LSE_DEPTH, 2582 lse_index + 1); 2583 if (err) 2584 return err; 2585 2586 if (lse_mask->mpls_ttl) { 2587 err = nla_put_u8(skb, TCA_FLOWER_KEY_MPLS_OPT_LSE_TTL, 2588 lse_key->mpls_ttl); 2589 if (err) 2590 return err; 2591 } 2592 if (lse_mask->mpls_bos) { 2593 err = nla_put_u8(skb, TCA_FLOWER_KEY_MPLS_OPT_LSE_BOS, 2594 lse_key->mpls_bos); 2595 if (err) 2596 return err; 2597 } 2598 if (lse_mask->mpls_tc) { 2599 err = nla_put_u8(skb, TCA_FLOWER_KEY_MPLS_OPT_LSE_TC, 2600 lse_key->mpls_tc); 2601 if (err) 2602 return err; 2603 } 2604 if (lse_mask->mpls_label) { 2605 err = nla_put_u32(skb, TCA_FLOWER_KEY_MPLS_OPT_LSE_LABEL, 2606 lse_key->mpls_label); 2607 if (err) 2608 return err; 2609 } 2610 2611 return 0; 2612} 2613 2614static int fl_dump_key_mpls_opts(struct sk_buff *skb, 2615 struct flow_dissector_key_mpls *mpls_key, 2616 struct flow_dissector_key_mpls *mpls_mask) 2617{ 2618 struct nlattr *opts; 2619 struct nlattr *lse; 2620 u8 lse_index; 2621 int err; 2622 2623 opts = nla_nest_start(skb, TCA_FLOWER_KEY_MPLS_OPTS); 2624 if (!opts) 2625 return -EMSGSIZE; 2626 2627 for (lse_index = 0; lse_index < FLOW_DIS_MPLS_MAX; lse_index++) { 2628 if (!(mpls_mask->used_lses & 1 << lse_index)) 2629 continue; 2630 2631 lse = nla_nest_start(skb, TCA_FLOWER_KEY_MPLS_OPTS_LSE); 2632 if (!lse) { 2633 err = -EMSGSIZE; 2634 goto err_opts; 2635 } 2636 2637 err = fl_dump_key_mpls_opt_lse(skb, mpls_key, mpls_mask, 2638 lse_index); 2639 if (err) 2640 goto err_opts_lse; 2641 nla_nest_end(skb, lse); 2642 } 2643 nla_nest_end(skb, opts); 2644 2645 return 0; 2646 2647err_opts_lse: 2648 nla_nest_cancel(skb, lse); 2649err_opts: 2650 nla_nest_cancel(skb, opts); 2651 2652 return err; 2653} 2654 2655static int fl_dump_key_mpls(struct sk_buff *skb, 2656 struct flow_dissector_key_mpls *mpls_key, 2657 struct flow_dissector_key_mpls *mpls_mask) 2658{ 2659 struct flow_dissector_mpls_lse *lse_mask; 2660 struct flow_dissector_mpls_lse *lse_key; 2661 int err; 2662 2663 if (!mpls_mask->used_lses) 2664 return 0; 2665 2666 lse_mask = &mpls_mask->ls[0]; 2667 lse_key = &mpls_key->ls[0]; 2668 2669 /* For backward compatibility, don't use the MPLS nested attributes if 2670 * the rule can be expressed using the old attributes. 2671 */ 2672 if (mpls_mask->used_lses & ~1 || 2673 (!lse_mask->mpls_ttl && !lse_mask->mpls_bos && 2674 !lse_mask->mpls_tc && !lse_mask->mpls_label)) 2675 return fl_dump_key_mpls_opts(skb, mpls_key, mpls_mask); 2676 2677 if (lse_mask->mpls_ttl) { 2678 err = nla_put_u8(skb, TCA_FLOWER_KEY_MPLS_TTL, 2679 lse_key->mpls_ttl); 2680 if (err) 2681 return err; 2682 } 2683 if (lse_mask->mpls_tc) { 2684 err = nla_put_u8(skb, TCA_FLOWER_KEY_MPLS_TC, 2685 lse_key->mpls_tc); 2686 if (err) 2687 return err; 2688 } 2689 if (lse_mask->mpls_label) { 2690 err = nla_put_u32(skb, TCA_FLOWER_KEY_MPLS_LABEL, 2691 lse_key->mpls_label); 2692 if (err) 2693 return err; 2694 } 2695 if (lse_mask->mpls_bos) { 2696 err = nla_put_u8(skb, TCA_FLOWER_KEY_MPLS_BOS, 2697 lse_key->mpls_bos); 2698 if (err) 2699 return err; 2700 } 2701 return 0; 2702} 2703 2704static int fl_dump_key_ip(struct sk_buff *skb, bool encap, 2705 struct flow_dissector_key_ip *key, 2706 struct flow_dissector_key_ip *mask) 2707{ 2708 int tos_key = encap ? TCA_FLOWER_KEY_ENC_IP_TOS : TCA_FLOWER_KEY_IP_TOS; 2709 int ttl_key = encap ? TCA_FLOWER_KEY_ENC_IP_TTL : TCA_FLOWER_KEY_IP_TTL; 2710 int tos_mask = encap ? TCA_FLOWER_KEY_ENC_IP_TOS_MASK : TCA_FLOWER_KEY_IP_TOS_MASK; 2711 int ttl_mask = encap ? TCA_FLOWER_KEY_ENC_IP_TTL_MASK : TCA_FLOWER_KEY_IP_TTL_MASK; 2712 2713 if (fl_dump_key_val(skb, &key->tos, tos_key, &mask->tos, tos_mask, sizeof(key->tos)) || 2714 fl_dump_key_val(skb, &key->ttl, ttl_key, &mask->ttl, ttl_mask, sizeof(key->ttl))) 2715 return -1; 2716 2717 return 0; 2718} 2719 2720static int fl_dump_key_vlan(struct sk_buff *skb, 2721 int vlan_id_key, int vlan_prio_key, 2722 struct flow_dissector_key_vlan *vlan_key, 2723 struct flow_dissector_key_vlan *vlan_mask) 2724{ 2725 int err; 2726 2727 if (!memchr_inv(vlan_mask, 0, sizeof(*vlan_mask))) 2728 return 0; 2729 if (vlan_mask->vlan_id) { 2730 err = nla_put_u16(skb, vlan_id_key, 2731 vlan_key->vlan_id); 2732 if (err) 2733 return err; 2734 } 2735 if (vlan_mask->vlan_priority) { 2736 err = nla_put_u8(skb, vlan_prio_key, 2737 vlan_key->vlan_priority); 2738 if (err) 2739 return err; 2740 } 2741 return 0; 2742} 2743 2744static void fl_get_key_flag(u32 dissector_key, u32 dissector_mask, 2745 u32 *flower_key, u32 *flower_mask, 2746 u32 flower_flag_bit, u32 dissector_flag_bit) 2747{ 2748 if (dissector_mask & dissector_flag_bit) { 2749 *flower_mask |= flower_flag_bit; 2750 if (dissector_key & dissector_flag_bit) 2751 *flower_key |= flower_flag_bit; 2752 } 2753} 2754 2755static int fl_dump_key_flags(struct sk_buff *skb, u32 flags_key, u32 flags_mask) 2756{ 2757 u32 key, mask; 2758 __be32 _key, _mask; 2759 int err; 2760 2761 if (!memchr_inv(&flags_mask, 0, sizeof(flags_mask))) 2762 return 0; 2763 2764 key = 0; 2765 mask = 0; 2766 2767 fl_get_key_flag(flags_key, flags_mask, &key, &mask, 2768 TCA_FLOWER_KEY_FLAGS_IS_FRAGMENT, FLOW_DIS_IS_FRAGMENT); 2769 fl_get_key_flag(flags_key, flags_mask, &key, &mask, 2770 TCA_FLOWER_KEY_FLAGS_FRAG_IS_FIRST, 2771 FLOW_DIS_FIRST_FRAG); 2772 2773 _key = cpu_to_be32(key); 2774 _mask = cpu_to_be32(mask); 2775 2776 err = nla_put(skb, TCA_FLOWER_KEY_FLAGS, 4, &_key); 2777 if (err) 2778 return err; 2779 2780 return nla_put(skb, TCA_FLOWER_KEY_FLAGS_MASK, 4, &_mask); 2781} 2782 2783static int fl_dump_key_geneve_opt(struct sk_buff *skb, 2784 struct flow_dissector_key_enc_opts *enc_opts) 2785{ 2786 struct geneve_opt *opt; 2787 struct nlattr *nest; 2788 int opt_off = 0; 2789 2790 nest = nla_nest_start_noflag(skb, TCA_FLOWER_KEY_ENC_OPTS_GENEVE); 2791 if (!nest) 2792 goto nla_put_failure; 2793 2794 while (enc_opts->len > opt_off) { 2795 opt = (struct geneve_opt *)&enc_opts->data[opt_off]; 2796 2797 if (nla_put_be16(skb, TCA_FLOWER_KEY_ENC_OPT_GENEVE_CLASS, 2798 opt->opt_class)) 2799 goto nla_put_failure; 2800 if (nla_put_u8(skb, TCA_FLOWER_KEY_ENC_OPT_GENEVE_TYPE, 2801 opt->type)) 2802 goto nla_put_failure; 2803 if (nla_put(skb, TCA_FLOWER_KEY_ENC_OPT_GENEVE_DATA, 2804 opt->length * 4, opt->opt_data)) 2805 goto nla_put_failure; 2806 2807 opt_off += sizeof(struct geneve_opt) + opt->length * 4; 2808 } 2809 nla_nest_end(skb, nest); 2810 return 0; 2811 2812nla_put_failure: 2813 nla_nest_cancel(skb, nest); 2814 return -EMSGSIZE; 2815} 2816 2817static int fl_dump_key_vxlan_opt(struct sk_buff *skb, 2818 struct flow_dissector_key_enc_opts *enc_opts) 2819{ 2820 struct vxlan_metadata *md; 2821 struct nlattr *nest; 2822 2823 nest = nla_nest_start_noflag(skb, TCA_FLOWER_KEY_ENC_OPTS_VXLAN); 2824 if (!nest) 2825 goto nla_put_failure; 2826 2827 md = (struct vxlan_metadata *)&enc_opts->data[0]; 2828 if (nla_put_u32(skb, TCA_FLOWER_KEY_ENC_OPT_VXLAN_GBP, md->gbp)) 2829 goto nla_put_failure; 2830 2831 nla_nest_end(skb, nest); 2832 return 0; 2833 2834nla_put_failure: 2835 nla_nest_cancel(skb, nest); 2836 return -EMSGSIZE; 2837} 2838 2839static int fl_dump_key_erspan_opt(struct sk_buff *skb, 2840 struct flow_dissector_key_enc_opts *enc_opts) 2841{ 2842 struct erspan_metadata *md; 2843 struct nlattr *nest; 2844 2845 nest = nla_nest_start_noflag(skb, TCA_FLOWER_KEY_ENC_OPTS_ERSPAN); 2846 if (!nest) 2847 goto nla_put_failure; 2848 2849 md = (struct erspan_metadata *)&enc_opts->data[0]; 2850 if (nla_put_u8(skb, TCA_FLOWER_KEY_ENC_OPT_ERSPAN_VER, md->version)) 2851 goto nla_put_failure; 2852 2853 if (md->version == 1 && 2854 nla_put_be32(skb, TCA_FLOWER_KEY_ENC_OPT_ERSPAN_INDEX, md->u.index)) 2855 goto nla_put_failure; 2856 2857 if (md->version == 2 && 2858 (nla_put_u8(skb, TCA_FLOWER_KEY_ENC_OPT_ERSPAN_DIR, 2859 md->u.md2.dir) || 2860 nla_put_u8(skb, TCA_FLOWER_KEY_ENC_OPT_ERSPAN_HWID, 2861 get_hwid(&md->u.md2)))) 2862 goto nla_put_failure; 2863 2864 nla_nest_end(skb, nest); 2865 return 0; 2866 2867nla_put_failure: 2868 nla_nest_cancel(skb, nest); 2869 return -EMSGSIZE; 2870} 2871 2872static int fl_dump_key_gtp_opt(struct sk_buff *skb, 2873 struct flow_dissector_key_enc_opts *enc_opts) 2874 2875{ 2876 struct gtp_pdu_session_info *session_info; 2877 struct nlattr *nest; 2878 2879 nest = nla_nest_start_noflag(skb, TCA_FLOWER_KEY_ENC_OPTS_GTP); 2880 if (!nest) 2881 goto nla_put_failure; 2882 2883 session_info = (struct gtp_pdu_session_info *)&enc_opts->data[0]; 2884 2885 if (nla_put_u8(skb, TCA_FLOWER_KEY_ENC_OPT_GTP_PDU_TYPE, 2886 session_info->pdu_type)) 2887 goto nla_put_failure; 2888 2889 if (nla_put_u8(skb, TCA_FLOWER_KEY_ENC_OPT_GTP_QFI, session_info->qfi)) 2890 goto nla_put_failure; 2891 2892 nla_nest_end(skb, nest); 2893 return 0; 2894 2895nla_put_failure: 2896 nla_nest_cancel(skb, nest); 2897 return -EMSGSIZE; 2898} 2899 2900static int fl_dump_key_ct(struct sk_buff *skb, 2901 struct flow_dissector_key_ct *key, 2902 struct flow_dissector_key_ct *mask) 2903{ 2904 if (IS_ENABLED(CONFIG_NF_CONNTRACK) && 2905 fl_dump_key_val(skb, &key->ct_state, TCA_FLOWER_KEY_CT_STATE, 2906 &mask->ct_state, TCA_FLOWER_KEY_CT_STATE_MASK, 2907 sizeof(key->ct_state))) 2908 goto nla_put_failure; 2909 2910 if (IS_ENABLED(CONFIG_NF_CONNTRACK_ZONES) && 2911 fl_dump_key_val(skb, &key->ct_zone, TCA_FLOWER_KEY_CT_ZONE, 2912 &mask->ct_zone, TCA_FLOWER_KEY_CT_ZONE_MASK, 2913 sizeof(key->ct_zone))) 2914 goto nla_put_failure; 2915 2916 if (IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) && 2917 fl_dump_key_val(skb, &key->ct_mark, TCA_FLOWER_KEY_CT_MARK, 2918 &mask->ct_mark, TCA_FLOWER_KEY_CT_MARK_MASK, 2919 sizeof(key->ct_mark))) 2920 goto nla_put_failure; 2921 2922 if (IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS) && 2923 fl_dump_key_val(skb, &key->ct_labels, TCA_FLOWER_KEY_CT_LABELS, 2924 &mask->ct_labels, TCA_FLOWER_KEY_CT_LABELS_MASK, 2925 sizeof(key->ct_labels))) 2926 goto nla_put_failure; 2927 2928 return 0; 2929 2930nla_put_failure: 2931 return -EMSGSIZE; 2932} 2933 2934static int fl_dump_key_options(struct sk_buff *skb, int enc_opt_type, 2935 struct flow_dissector_key_enc_opts *enc_opts) 2936{ 2937 struct nlattr *nest; 2938 int err; 2939 2940 if (!enc_opts->len) 2941 return 0; 2942 2943 nest = nla_nest_start_noflag(skb, enc_opt_type); 2944 if (!nest) 2945 goto nla_put_failure; 2946 2947 switch (enc_opts->dst_opt_type) { 2948 case TUNNEL_GENEVE_OPT: 2949 err = fl_dump_key_geneve_opt(skb, enc_opts); 2950 if (err) 2951 goto nla_put_failure; 2952 break; 2953 case TUNNEL_VXLAN_OPT: 2954 err = fl_dump_key_vxlan_opt(skb, enc_opts); 2955 if (err) 2956 goto nla_put_failure; 2957 break; 2958 case TUNNEL_ERSPAN_OPT: 2959 err = fl_dump_key_erspan_opt(skb, enc_opts); 2960 if (err) 2961 goto nla_put_failure; 2962 break; 2963 case TUNNEL_GTP_OPT: 2964 err = fl_dump_key_gtp_opt(skb, enc_opts); 2965 if (err) 2966 goto nla_put_failure; 2967 break; 2968 default: 2969 goto nla_put_failure; 2970 } 2971 nla_nest_end(skb, nest); 2972 return 0; 2973 2974nla_put_failure: 2975 nla_nest_cancel(skb, nest); 2976 return -EMSGSIZE; 2977} 2978 2979static int fl_dump_key_enc_opt(struct sk_buff *skb, 2980 struct flow_dissector_key_enc_opts *key_opts, 2981 struct flow_dissector_key_enc_opts *msk_opts) 2982{ 2983 int err; 2984 2985 err = fl_dump_key_options(skb, TCA_FLOWER_KEY_ENC_OPTS, key_opts); 2986 if (err) 2987 return err; 2988 2989 return fl_dump_key_options(skb, TCA_FLOWER_KEY_ENC_OPTS_MASK, msk_opts); 2990} 2991 2992static int fl_dump_key(struct sk_buff *skb, struct net *net, 2993 struct fl_flow_key *key, struct fl_flow_key *mask) 2994{ 2995 if (mask->meta.ingress_ifindex) { 2996 struct net_device *dev; 2997 2998 dev = __dev_get_by_index(net, key->meta.ingress_ifindex); 2999 if (dev && nla_put_string(skb, TCA_FLOWER_INDEV, dev->name)) 3000 goto nla_put_failure; 3001 } 3002 3003 if (fl_dump_key_val(skb, key->eth.dst, TCA_FLOWER_KEY_ETH_DST, 3004 mask->eth.dst, TCA_FLOWER_KEY_ETH_DST_MASK, 3005 sizeof(key->eth.dst)) || 3006 fl_dump_key_val(skb, key->eth.src, TCA_FLOWER_KEY_ETH_SRC, 3007 mask->eth.src, TCA_FLOWER_KEY_ETH_SRC_MASK, 3008 sizeof(key->eth.src)) || 3009 fl_dump_key_val(skb, &key->basic.n_proto, TCA_FLOWER_KEY_ETH_TYPE, 3010 &mask->basic.n_proto, TCA_FLOWER_UNSPEC, 3011 sizeof(key->basic.n_proto))) 3012 goto nla_put_failure; 3013 3014 if (mask->num_of_vlans.num_of_vlans) { 3015 if (nla_put_u8(skb, TCA_FLOWER_KEY_NUM_OF_VLANS, key->num_of_vlans.num_of_vlans)) 3016 goto nla_put_failure; 3017 } 3018 3019 if (fl_dump_key_mpls(skb, &key->mpls, &mask->mpls)) 3020 goto nla_put_failure; 3021 3022 if (fl_dump_key_vlan(skb, TCA_FLOWER_KEY_VLAN_ID, 3023 TCA_FLOWER_KEY_VLAN_PRIO, &key->vlan, &mask->vlan)) 3024 goto nla_put_failure; 3025 3026 if (fl_dump_key_vlan(skb, TCA_FLOWER_KEY_CVLAN_ID, 3027 TCA_FLOWER_KEY_CVLAN_PRIO, 3028 &key->cvlan, &mask->cvlan) || 3029 (mask->cvlan.vlan_tpid && 3030 nla_put_be16(skb, TCA_FLOWER_KEY_VLAN_ETH_TYPE, 3031 key->cvlan.vlan_tpid))) 3032 goto nla_put_failure; 3033 3034 if (mask->basic.n_proto) { 3035 if (mask->cvlan.vlan_eth_type) { 3036 if (nla_put_be16(skb, TCA_FLOWER_KEY_CVLAN_ETH_TYPE, 3037 key->basic.n_proto)) 3038 goto nla_put_failure; 3039 } else if (mask->vlan.vlan_eth_type) { 3040 if (nla_put_be16(skb, TCA_FLOWER_KEY_VLAN_ETH_TYPE, 3041 key->vlan.vlan_eth_type)) 3042 goto nla_put_failure; 3043 } 3044 } 3045 3046 if ((key->basic.n_proto == htons(ETH_P_IP) || 3047 key->basic.n_proto == htons(ETH_P_IPV6)) && 3048 (fl_dump_key_val(skb, &key->basic.ip_proto, TCA_FLOWER_KEY_IP_PROTO, 3049 &mask->basic.ip_proto, TCA_FLOWER_UNSPEC, 3050 sizeof(key->basic.ip_proto)) || 3051 fl_dump_key_ip(skb, false, &key->ip, &mask->ip))) 3052 goto nla_put_failure; 3053 3054 if (key->control.addr_type == FLOW_DISSECTOR_KEY_IPV4_ADDRS && 3055 (fl_dump_key_val(skb, &key->ipv4.src, TCA_FLOWER_KEY_IPV4_SRC, 3056 &mask->ipv4.src, TCA_FLOWER_KEY_IPV4_SRC_MASK, 3057 sizeof(key->ipv4.src)) || 3058 fl_dump_key_val(skb, &key->ipv4.dst, TCA_FLOWER_KEY_IPV4_DST, 3059 &mask->ipv4.dst, TCA_FLOWER_KEY_IPV4_DST_MASK, 3060 sizeof(key->ipv4.dst)))) 3061 goto nla_put_failure; 3062 else if (key->control.addr_type == FLOW_DISSECTOR_KEY_IPV6_ADDRS && 3063 (fl_dump_key_val(skb, &key->ipv6.src, TCA_FLOWER_KEY_IPV6_SRC, 3064 &mask->ipv6.src, TCA_FLOWER_KEY_IPV6_SRC_MASK, 3065 sizeof(key->ipv6.src)) || 3066 fl_dump_key_val(skb, &key->ipv6.dst, TCA_FLOWER_KEY_IPV6_DST, 3067 &mask->ipv6.dst, TCA_FLOWER_KEY_IPV6_DST_MASK, 3068 sizeof(key->ipv6.dst)))) 3069 goto nla_put_failure; 3070 3071 if (key->basic.ip_proto == IPPROTO_TCP && 3072 (fl_dump_key_val(skb, &key->tp.src, TCA_FLOWER_KEY_TCP_SRC, 3073 &mask->tp.src, TCA_FLOWER_KEY_TCP_SRC_MASK, 3074 sizeof(key->tp.src)) || 3075 fl_dump_key_val(skb, &key->tp.dst, TCA_FLOWER_KEY_TCP_DST, 3076 &mask->tp.dst, TCA_FLOWER_KEY_TCP_DST_MASK, 3077 sizeof(key->tp.dst)) || 3078 fl_dump_key_val(skb, &key->tcp.flags, TCA_FLOWER_KEY_TCP_FLAGS, 3079 &mask->tcp.flags, TCA_FLOWER_KEY_TCP_FLAGS_MASK, 3080 sizeof(key->tcp.flags)))) 3081 goto nla_put_failure; 3082 else if (key->basic.ip_proto == IPPROTO_UDP && 3083 (fl_dump_key_val(skb, &key->tp.src, TCA_FLOWER_KEY_UDP_SRC, 3084 &mask->tp.src, TCA_FLOWER_KEY_UDP_SRC_MASK, 3085 sizeof(key->tp.src)) || 3086 fl_dump_key_val(skb, &key->tp.dst, TCA_FLOWER_KEY_UDP_DST, 3087 &mask->tp.dst, TCA_FLOWER_KEY_UDP_DST_MASK, 3088 sizeof(key->tp.dst)))) 3089 goto nla_put_failure; 3090 else if (key->basic.ip_proto == IPPROTO_SCTP && 3091 (fl_dump_key_val(skb, &key->tp.src, TCA_FLOWER_KEY_SCTP_SRC, 3092 &mask->tp.src, TCA_FLOWER_KEY_SCTP_SRC_MASK, 3093 sizeof(key->tp.src)) || 3094 fl_dump_key_val(skb, &key->tp.dst, TCA_FLOWER_KEY_SCTP_DST, 3095 &mask->tp.dst, TCA_FLOWER_KEY_SCTP_DST_MASK, 3096 sizeof(key->tp.dst)))) 3097 goto nla_put_failure; 3098 else if (key->basic.n_proto == htons(ETH_P_IP) && 3099 key->basic.ip_proto == IPPROTO_ICMP && 3100 (fl_dump_key_val(skb, &key->icmp.type, 3101 TCA_FLOWER_KEY_ICMPV4_TYPE, &mask->icmp.type, 3102 TCA_FLOWER_KEY_ICMPV4_TYPE_MASK, 3103 sizeof(key->icmp.type)) || 3104 fl_dump_key_val(skb, &key->icmp.code, 3105 TCA_FLOWER_KEY_ICMPV4_CODE, &mask->icmp.code, 3106 TCA_FLOWER_KEY_ICMPV4_CODE_MASK, 3107 sizeof(key->icmp.code)))) 3108 goto nla_put_failure; 3109 else if (key->basic.n_proto == htons(ETH_P_IPV6) && 3110 key->basic.ip_proto == IPPROTO_ICMPV6 && 3111 (fl_dump_key_val(skb, &key->icmp.type, 3112 TCA_FLOWER_KEY_ICMPV6_TYPE, &mask->icmp.type, 3113 TCA_FLOWER_KEY_ICMPV6_TYPE_MASK, 3114 sizeof(key->icmp.type)) || 3115 fl_dump_key_val(skb, &key->icmp.code, 3116 TCA_FLOWER_KEY_ICMPV6_CODE, &mask->icmp.code, 3117 TCA_FLOWER_KEY_ICMPV6_CODE_MASK, 3118 sizeof(key->icmp.code)))) 3119 goto nla_put_failure; 3120 else if ((key->basic.n_proto == htons(ETH_P_ARP) || 3121 key->basic.n_proto == htons(ETH_P_RARP)) && 3122 (fl_dump_key_val(skb, &key->arp.sip, 3123 TCA_FLOWER_KEY_ARP_SIP, &mask->arp.sip, 3124 TCA_FLOWER_KEY_ARP_SIP_MASK, 3125 sizeof(key->arp.sip)) || 3126 fl_dump_key_val(skb, &key->arp.tip, 3127 TCA_FLOWER_KEY_ARP_TIP, &mask->arp.tip, 3128 TCA_FLOWER_KEY_ARP_TIP_MASK, 3129 sizeof(key->arp.tip)) || 3130 fl_dump_key_val(skb, &key->arp.op, 3131 TCA_FLOWER_KEY_ARP_OP, &mask->arp.op, 3132 TCA_FLOWER_KEY_ARP_OP_MASK, 3133 sizeof(key->arp.op)) || 3134 fl_dump_key_val(skb, key->arp.sha, TCA_FLOWER_KEY_ARP_SHA, 3135 mask->arp.sha, TCA_FLOWER_KEY_ARP_SHA_MASK, 3136 sizeof(key->arp.sha)) || 3137 fl_dump_key_val(skb, key->arp.tha, TCA_FLOWER_KEY_ARP_THA, 3138 mask->arp.tha, TCA_FLOWER_KEY_ARP_THA_MASK, 3139 sizeof(key->arp.tha)))) 3140 goto nla_put_failure; 3141 3142 if ((key->basic.ip_proto == IPPROTO_TCP || 3143 key->basic.ip_proto == IPPROTO_UDP || 3144 key->basic.ip_proto == IPPROTO_SCTP) && 3145 fl_dump_key_port_range(skb, key, mask)) 3146 goto nla_put_failure; 3147 3148 if (key->enc_control.addr_type == FLOW_DISSECTOR_KEY_IPV4_ADDRS && 3149 (fl_dump_key_val(skb, &key->enc_ipv4.src, 3150 TCA_FLOWER_KEY_ENC_IPV4_SRC, &mask->enc_ipv4.src, 3151 TCA_FLOWER_KEY_ENC_IPV4_SRC_MASK, 3152 sizeof(key->enc_ipv4.src)) || 3153 fl_dump_key_val(skb, &key->enc_ipv4.dst, 3154 TCA_FLOWER_KEY_ENC_IPV4_DST, &mask->enc_ipv4.dst, 3155 TCA_FLOWER_KEY_ENC_IPV4_DST_MASK, 3156 sizeof(key->enc_ipv4.dst)))) 3157 goto nla_put_failure; 3158 else if (key->enc_control.addr_type == FLOW_DISSECTOR_KEY_IPV6_ADDRS && 3159 (fl_dump_key_val(skb, &key->enc_ipv6.src, 3160 TCA_FLOWER_KEY_ENC_IPV6_SRC, &mask->enc_ipv6.src, 3161 TCA_FLOWER_KEY_ENC_IPV6_SRC_MASK, 3162 sizeof(key->enc_ipv6.src)) || 3163 fl_dump_key_val(skb, &key->enc_ipv6.dst, 3164 TCA_FLOWER_KEY_ENC_IPV6_DST, 3165 &mask->enc_ipv6.dst, 3166 TCA_FLOWER_KEY_ENC_IPV6_DST_MASK, 3167 sizeof(key->enc_ipv6.dst)))) 3168 goto nla_put_failure; 3169 3170 if (fl_dump_key_val(skb, &key->enc_key_id, TCA_FLOWER_KEY_ENC_KEY_ID, 3171 &mask->enc_key_id, TCA_FLOWER_UNSPEC, 3172 sizeof(key->enc_key_id)) || 3173 fl_dump_key_val(skb, &key->enc_tp.src, 3174 TCA_FLOWER_KEY_ENC_UDP_SRC_PORT, 3175 &mask->enc_tp.src, 3176 TCA_FLOWER_KEY_ENC_UDP_SRC_PORT_MASK, 3177 sizeof(key->enc_tp.src)) || 3178 fl_dump_key_val(skb, &key->enc_tp.dst, 3179 TCA_FLOWER_KEY_ENC_UDP_DST_PORT, 3180 &mask->enc_tp.dst, 3181 TCA_FLOWER_KEY_ENC_UDP_DST_PORT_MASK, 3182 sizeof(key->enc_tp.dst)) || 3183 fl_dump_key_ip(skb, true, &key->enc_ip, &mask->enc_ip) || 3184 fl_dump_key_enc_opt(skb, &key->enc_opts, &mask->enc_opts)) 3185 goto nla_put_failure; 3186 3187 if (fl_dump_key_ct(skb, &key->ct, &mask->ct)) 3188 goto nla_put_failure; 3189 3190 if (fl_dump_key_flags(skb, key->control.flags, mask->control.flags)) 3191 goto nla_put_failure; 3192 3193 if (fl_dump_key_val(skb, &key->hash.hash, TCA_FLOWER_KEY_HASH, 3194 &mask->hash.hash, TCA_FLOWER_KEY_HASH_MASK, 3195 sizeof(key->hash.hash))) 3196 goto nla_put_failure; 3197 3198 return 0; 3199 3200nla_put_failure: 3201 return -EMSGSIZE; 3202} 3203 3204static int fl_dump(struct net *net, struct tcf_proto *tp, void *fh, 3205 struct sk_buff *skb, struct tcmsg *t, bool rtnl_held) 3206{ 3207 struct cls_fl_filter *f = fh; 3208 struct nlattr *nest; 3209 struct fl_flow_key *key, *mask; 3210 bool skip_hw; 3211 3212 if (!f) 3213 return skb->len; 3214 3215 t->tcm_handle = f->handle; 3216 3217 nest = nla_nest_start_noflag(skb, TCA_OPTIONS); 3218 if (!nest) 3219 goto nla_put_failure; 3220 3221 spin_lock(&tp->lock); 3222 3223 if (f->res.classid && 3224 nla_put_u32(skb, TCA_FLOWER_CLASSID, f->res.classid)) 3225 goto nla_put_failure_locked; 3226 3227 key = &f->key; 3228 mask = &f->mask->key; 3229 skip_hw = tc_skip_hw(f->flags); 3230 3231 if (fl_dump_key(skb, net, key, mask)) 3232 goto nla_put_failure_locked; 3233 3234 if (f->flags && nla_put_u32(skb, TCA_FLOWER_FLAGS, f->flags)) 3235 goto nla_put_failure_locked; 3236 3237 spin_unlock(&tp->lock); 3238 3239 if (!skip_hw) 3240 fl_hw_update_stats(tp, f, rtnl_held); 3241 3242 if (nla_put_u32(skb, TCA_FLOWER_IN_HW_COUNT, f->in_hw_count)) 3243 goto nla_put_failure; 3244 3245 if (tcf_exts_dump(skb, &f->exts)) 3246 goto nla_put_failure; 3247 3248 nla_nest_end(skb, nest); 3249 3250 if (tcf_exts_dump_stats(skb, &f->exts) < 0) 3251 goto nla_put_failure; 3252 3253 return skb->len; 3254 3255nla_put_failure_locked: 3256 spin_unlock(&tp->lock); 3257nla_put_failure: 3258 nla_nest_cancel(skb, nest); 3259 return -1; 3260} 3261 3262static int fl_terse_dump(struct net *net, struct tcf_proto *tp, void *fh, 3263 struct sk_buff *skb, struct tcmsg *t, bool rtnl_held) 3264{ 3265 struct cls_fl_filter *f = fh; 3266 struct nlattr *nest; 3267 bool skip_hw; 3268 3269 if (!f) 3270 return skb->len; 3271 3272 t->tcm_handle = f->handle; 3273 3274 nest = nla_nest_start_noflag(skb, TCA_OPTIONS); 3275 if (!nest) 3276 goto nla_put_failure; 3277 3278 spin_lock(&tp->lock); 3279 3280 skip_hw = tc_skip_hw(f->flags); 3281 3282 if (f->flags && nla_put_u32(skb, TCA_FLOWER_FLAGS, f->flags)) 3283 goto nla_put_failure_locked; 3284 3285 spin_unlock(&tp->lock); 3286 3287 if (!skip_hw) 3288 fl_hw_update_stats(tp, f, rtnl_held); 3289 3290 if (tcf_exts_terse_dump(skb, &f->exts)) 3291 goto nla_put_failure; 3292 3293 nla_nest_end(skb, nest); 3294 3295 return skb->len; 3296 3297nla_put_failure_locked: 3298 spin_unlock(&tp->lock); 3299nla_put_failure: 3300 nla_nest_cancel(skb, nest); 3301 return -1; 3302} 3303 3304static int fl_tmplt_dump(struct sk_buff *skb, struct net *net, void *tmplt_priv) 3305{ 3306 struct fl_flow_tmplt *tmplt = tmplt_priv; 3307 struct fl_flow_key *key, *mask; 3308 struct nlattr *nest; 3309 3310 nest = nla_nest_start_noflag(skb, TCA_OPTIONS); 3311 if (!nest) 3312 goto nla_put_failure; 3313 3314 key = &tmplt->dummy_key; 3315 mask = &tmplt->mask; 3316 3317 if (fl_dump_key(skb, net, key, mask)) 3318 goto nla_put_failure; 3319 3320 nla_nest_end(skb, nest); 3321 3322 return skb->len; 3323 3324nla_put_failure: 3325 nla_nest_cancel(skb, nest); 3326 return -EMSGSIZE; 3327} 3328 3329static void fl_bind_class(void *fh, u32 classid, unsigned long cl, void *q, 3330 unsigned long base) 3331{ 3332 struct cls_fl_filter *f = fh; 3333 3334 if (f && f->res.classid == classid) { 3335 if (cl) 3336 __tcf_bind_filter(q, &f->res, base); 3337 else 3338 __tcf_unbind_filter(q, &f->res); 3339 } 3340} 3341 3342static bool fl_delete_empty(struct tcf_proto *tp) 3343{ 3344 struct cls_fl_head *head = fl_head_dereference(tp); 3345 3346 spin_lock(&tp->lock); 3347 tp->deleting = idr_is_empty(&head->handle_idr); 3348 spin_unlock(&tp->lock); 3349 3350 return tp->deleting; 3351} 3352 3353static struct tcf_proto_ops cls_fl_ops __read_mostly = { 3354 .kind = "flower", 3355 .classify = fl_classify, 3356 .init = fl_init, 3357 .destroy = fl_destroy, 3358 .get = fl_get, 3359 .put = fl_put, 3360 .change = fl_change, 3361 .delete = fl_delete, 3362 .delete_empty = fl_delete_empty, 3363 .walk = fl_walk, 3364 .reoffload = fl_reoffload, 3365 .hw_add = fl_hw_add, 3366 .hw_del = fl_hw_del, 3367 .dump = fl_dump, 3368 .terse_dump = fl_terse_dump, 3369 .bind_class = fl_bind_class, 3370 .tmplt_create = fl_tmplt_create, 3371 .tmplt_destroy = fl_tmplt_destroy, 3372 .tmplt_dump = fl_tmplt_dump, 3373 .owner = THIS_MODULE, 3374 .flags = TCF_PROTO_OPS_DOIT_UNLOCKED, 3375}; 3376 3377static int __init cls_fl_init(void) 3378{ 3379 return register_tcf_proto_ops(&cls_fl_ops); 3380} 3381 3382static void __exit cls_fl_exit(void) 3383{ 3384 unregister_tcf_proto_ops(&cls_fl_ops); 3385} 3386 3387module_init(cls_fl_init); 3388module_exit(cls_fl_exit); 3389 3390MODULE_AUTHOR("Jiri Pirko <jiri@resnulli.us>"); 3391MODULE_DESCRIPTION("Flower classifier"); 3392MODULE_LICENSE("GPL v2");