
Lines Matching +full:forced +full:- +full:comms +full:- +full:default

1 // SPDX-License-Identifier: GPL-2.0-only
83 /* Elements in ovs_ct_limit_info->limits hash table */
107 switch (ntohs(key->eth.type)) { in key_to_nfproto()
112 default: in key_to_nfproto()
127 default: in ovs_ct_get_state()
143 default: in ovs_ct_get_state()
153 return ct ? READ_ONCE(ct->mark) : 0; in ovs_ct_get_mark()
170 memcpy(labels, cl->bits, OVS_CT_LABELS_LEN); in ovs_ct_get_labels()
179 key->ct_orig_proto = orig->dst.protonum; in __ovs_ct_update_key_orig_tp()
180 if (orig->dst.protonum == icmp_proto) { in __ovs_ct_update_key_orig_tp()
181 key->ct.orig_tp.src = htons(orig->dst.u.icmp.type); in __ovs_ct_update_key_orig_tp()
182 key->ct.orig_tp.dst = htons(orig->dst.u.icmp.code); in __ovs_ct_update_key_orig_tp()
184 key->ct.orig_tp.src = orig->src.u.all; in __ovs_ct_update_key_orig_tp()
185 key->ct.orig_tp.dst = orig->dst.u.all; in __ovs_ct_update_key_orig_tp()
193 key->ct_state = state; in __ovs_ct_update_key()
194 key->ct_zone = zone->id; in __ovs_ct_update_key()
195 key->ct.mark = ovs_ct_get_mark(ct); in __ovs_ct_update_key()
196 ovs_ct_get_labels(ct, &key->ct.labels); in __ovs_ct_update_key()
202 if (ct->master) in __ovs_ct_update_key()
203 ct = ct->master; in __ovs_ct_update_key()
204 orig = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple; in __ovs_ct_update_key()
207 if (key->eth.type == htons(ETH_P_IP) && in __ovs_ct_update_key()
209 key->ipv4.ct_orig.src = orig->src.u3.ip; in __ovs_ct_update_key()
210 key->ipv4.ct_orig.dst = orig->dst.u3.ip; in __ovs_ct_update_key()
213 } else if (key->eth.type == htons(ETH_P_IPV6) && in __ovs_ct_update_key()
216 key->ipv6.ct_orig.src = orig->src.u3.in6; in __ovs_ct_update_key()
217 key->ipv6.ct_orig.dst = orig->dst.u3.in6; in __ovs_ct_update_key()
222 /* Clear 'ct_orig_proto' to mark the non-existence of conntrack in __ovs_ct_update_key()
225 key->ct_orig_proto = 0; in __ovs_ct_update_key()
228 /* Update 'key' based on skb->_nfct. If 'post_ct' is true, then OVS has
252 if (ct->master) in ovs_ct_update_key()
255 state |= key->ct_state & OVS_CS_F_NAT_MASK; in ovs_ct_update_key()
257 if (ct->status & IPS_SRC_NAT) in ovs_ct_update_key()
259 if (ct->status & IPS_DST_NAT) in ovs_ct_update_key()
266 zone = &info->zone; in ovs_ct_update_key()
282 if (nla_put_u32(skb, OVS_KEY_ATTR_CT_STATE, output->ct_state)) in ovs_ct_put_key()
283 return -EMSGSIZE; in ovs_ct_put_key()
286 nla_put_u16(skb, OVS_KEY_ATTR_CT_ZONE, output->ct_zone)) in ovs_ct_put_key()
287 return -EMSGSIZE; in ovs_ct_put_key()
290 nla_put_u32(skb, OVS_KEY_ATTR_CT_MARK, output->ct.mark)) in ovs_ct_put_key()
291 return -EMSGSIZE; in ovs_ct_put_key()
294 nla_put(skb, OVS_KEY_ATTR_CT_LABELS, sizeof(output->ct.labels), in ovs_ct_put_key()
295 &output->ct.labels)) in ovs_ct_put_key()
296 return -EMSGSIZE; in ovs_ct_put_key()
298 if (swkey->ct_orig_proto) { in ovs_ct_put_key()
299 if (swkey->eth.type == htons(ETH_P_IP)) { in ovs_ct_put_key()
303 orig.ipv4_src = output->ipv4.ct_orig.src; in ovs_ct_put_key()
304 orig.ipv4_dst = output->ipv4.ct_orig.dst; in ovs_ct_put_key()
305 orig.src_port = output->ct.orig_tp.src; in ovs_ct_put_key()
306 orig.dst_port = output->ct.orig_tp.dst; in ovs_ct_put_key()
307 orig.ipv4_proto = output->ct_orig_proto; in ovs_ct_put_key()
311 return -EMSGSIZE; in ovs_ct_put_key()
312 } else if (swkey->eth.type == htons(ETH_P_IPV6)) { in ovs_ct_put_key()
316 memcpy(orig.ipv6_src, output->ipv6.ct_orig.src.s6_addr32, in ovs_ct_put_key()
318 memcpy(orig.ipv6_dst, output->ipv6.ct_orig.dst.s6_addr32, in ovs_ct_put_key()
320 orig.src_port = output->ct.orig_tp.src; in ovs_ct_put_key()
321 orig.dst_port = output->ct.orig_tp.dst; in ovs_ct_put_key()
322 orig.ipv6_proto = output->ct_orig_proto; in ovs_ct_put_key()
326 return -EMSGSIZE; in ovs_ct_put_key()
339 new_mark = ct_mark | (READ_ONCE(ct->mark) & ~(mask)); in ovs_ct_set_mark()
340 if (READ_ONCE(ct->mark) != new_mark) { in ovs_ct_set_mark()
341 WRITE_ONCE(ct->mark, new_mark); in ovs_ct_set_mark()
344 key->ct.mark = new_mark; in ovs_ct_set_mark()
349 return -ENOTSUPP; in ovs_ct_set_mark()
367 * since the new connection is not yet confirmed, and thus no-one else has
378 master_cl = ct->master ? nf_ct_labels_find(ct->master) : NULL; in ovs_ct_init_labels()
385 return -ENOSPC; in ovs_ct_init_labels()
392 u32 *dst = (u32 *)cl->bits; in ovs_ct_init_labels()
396 dst[i] = (dst[i] & ~mask->ct_labels_32[i]) | in ovs_ct_init_labels()
397 (labels->ct_labels_32[i] in ovs_ct_init_labels()
398 & mask->ct_labels_32[i]); in ovs_ct_init_labels()
406 memcpy(&key->ct.labels, cl->bits, OVS_CT_LABELS_LEN); in ovs_ct_init_labels()
420 return -ENOSPC; in ovs_ct_set_labels()
422 err = nf_connlabels_replace(ct, labels->ct_labels_32, in ovs_ct_set_labels()
423 mask->ct_labels_32, in ovs_ct_set_labels()
428 memcpy(&key->ct.labels, cl->bits, OVS_CT_LABELS_LEN); in ovs_ct_set_labels()
451 helper = rcu_dereference(help->helper); in ovs_ct_helper()
460 u8 nexthdr = ipv6_hdr(skb)->nexthdr; in ovs_ct_helper()
473 default: in ovs_ct_helper()
474 WARN_ONCE(1, "helper invoked on non-IP family!"); in ovs_ct_helper()
478 err = helper->help(skb, protoff, ct, ctinfo); in ovs_ct_helper()
484 * addresses and/or port numbers in the text-based control connection. in ovs_ct_helper()
486 if (test_bit(IPS_SEQ_ADJUST_BIT, &ct->status) && in ovs_ct_helper()
492 /* Returns 0 on success, -EINPROGRESS if 'skb' is stolen, or other nonzero
501 if (key->eth.type == htons(ETH_P_IP)) { in handle_fragments()
509 ovs_cb.mru = IPCB(skb)->frag_max_size; in handle_fragments()
511 } else if (key->eth.type == htons(ETH_P_IPV6)) { in handle_fragments()
517 if (err != -EINPROGRESS) in handle_fragments()
522 key->ip.proto = ipv6_hdr(skb)->nexthdr; in handle_fragments()
523 ovs_cb.mru = IP6CB(skb)->frag_max_size; in handle_fragments()
527 return -EPFNOSUPPORT; in handle_fragments()
535 key->ip.frag = OVS_FRAG_TYPE_NONE; in handle_fragments()
537 skb->ignore_df = 1; in handle_fragments()
567 * direction packets would be reported as un-related in ovs_ct_expect_find()
575 nf_conntrack_put(&ct->ct_general); in ovs_ct_expect_find()
590 /* Once we've had two way comms, always ESTABLISHED. */ in ovs_ct_get_info()
591 if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) in ovs_ct_get_info()
593 if (test_bit(IPS_EXPECTED_BIT, &ct->status)) in ovs_ct_get_info()
599 * re-attributing statistics or modifying the connection state. This allows an
600 * skb->_nfct lost due to an upcall to be recovered during actions execution.
604 * On success, populates skb->_nfct and returns the connection. Returns NULL
644 h = &ct->tuplehash[!h->tuple.dst.dir]; in ovs_ct_find_existing()
660 * might be found for this skb. This happens when we lose a skb->_nfct in ovs_ct_executed()
661 * due to an upcall, or if the direction is being forced. If the in ovs_ct_executed()
665 *ct_executed = (key->ct_state & OVS_CS_F_TRACKED) && in ovs_ct_executed()
666 !(key->ct_state & OVS_CS_F_INVALID) && in ovs_ct_executed()
667 (key->ct_zone == info->zone.id); in ovs_ct_executed()
669 if (*ct_executed || (!key->ct_state && info->force)) { in ovs_ct_executed()
670 ct = ovs_ct_find_existing(net, &info->zone, info->family, skb, in ovs_ct_executed()
671 !!(key->ct_state & in ovs_ct_executed()
678 /* Determine whether skb->_nfct is equal to the result of conntrack lookup. */
697 if (!net_eq(net, read_pnet(&ct->ct_net))) in skb_nfct_cached()
699 if (!nf_ct_zone_equal_any(info->ct, nf_ct_zone(ct))) in skb_nfct_cached()
701 if (info->helper) { in skb_nfct_cached()
705 if (help && rcu_access_pointer(help->helper) != info->helper) in skb_nfct_cached()
708 if (info->nf_ct_timeout) { in skb_nfct_cached()
712 if (!timeout_ext || info->nf_ct_timeout != in skb_nfct_cached()
713 rcu_dereference(timeout_ext->timeout)) in skb_nfct_cached()
717 if (info->force && CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL) { in skb_nfct_cached()
724 nf_conntrack_put(&ct->ct_general); in skb_nfct_cached()
740 key->ct_state |= OVS_CS_F_SRC_NAT; in ovs_nat_update_key()
741 if (key->eth.type == htons(ETH_P_IP)) in ovs_nat_update_key()
742 key->ipv4.addr.src = ip_hdr(skb)->saddr; in ovs_nat_update_key()
743 else if (key->eth.type == htons(ETH_P_IPV6)) in ovs_nat_update_key()
744 memcpy(&key->ipv6.addr.src, &ipv6_hdr(skb)->saddr, in ovs_nat_update_key()
745 sizeof(key->ipv6.addr.src)); in ovs_nat_update_key()
749 if (key->ip.proto == IPPROTO_UDP) in ovs_nat_update_key()
750 src = udp_hdr(skb)->source; in ovs_nat_update_key()
751 else if (key->ip.proto == IPPROTO_TCP) in ovs_nat_update_key()
752 src = tcp_hdr(skb)->source; in ovs_nat_update_key()
753 else if (key->ip.proto == IPPROTO_SCTP) in ovs_nat_update_key()
754 src = sctp_hdr(skb)->source; in ovs_nat_update_key()
758 key->tp.src = src; in ovs_nat_update_key()
762 key->ct_state |= OVS_CS_F_DST_NAT; in ovs_nat_update_key()
763 if (key->eth.type == htons(ETH_P_IP)) in ovs_nat_update_key()
764 key->ipv4.addr.dst = ip_hdr(skb)->daddr; in ovs_nat_update_key()
765 else if (key->eth.type == htons(ETH_P_IPV6)) in ovs_nat_update_key()
766 memcpy(&key->ipv6.addr.dst, &ipv6_hdr(skb)->daddr, in ovs_nat_update_key()
767 sizeof(key->ipv6.addr.dst)); in ovs_nat_update_key()
771 if (key->ip.proto == IPPROTO_UDP) in ovs_nat_update_key()
772 dst = udp_hdr(skb)->dest; in ovs_nat_update_key()
773 else if (key->ip.proto == IPPROTO_TCP) in ovs_nat_update_key()
774 dst = tcp_hdr(skb)->dest; in ovs_nat_update_key()
775 else if (key->ip.proto == IPPROTO_SCTP) in ovs_nat_update_key()
776 dst = sctp_hdr(skb)->dest; in ovs_nat_update_key()
780 key->tp.dst = dst; in ovs_nat_update_key()
808 skb->protocol == htons(ETH_P_IP) && in ovs_ct_nat_execute()
809 ip_hdr(skb)->protocol == IPPROTO_ICMP) { in ovs_ct_nat_execute()
815 skb->protocol == htons(ETH_P_IPV6)) { in ovs_ct_nat_execute()
817 u8 nexthdr = ipv6_hdr(skb)->nexthdr; in ovs_ct_nat_execute()
831 /* Non-ICMP, fall thru to initialize if needed. */ in ovs_ct_nat_execute()
839 err = (range && range->flags & NF_NAT_RANGE_MAP_IPS) in ovs_ct_nat_execute()
854 default: in ovs_ct_nat_execute()
862 skb_postpush_rcsum(skb, skb->data, nh_off); in ovs_ct_nat_execute()
889 if (info->nat & OVS_CT_NAT && ctinfo != IP_CT_NEW && in ovs_ct_nat()
890 ct->status & IPS_NAT_MASK && in ovs_ct_nat()
891 (ctinfo != IP_CT_RELATED || info->commit)) { in ovs_ct_nat()
898 maniptype = ct->status & IPS_SRC_NAT in ovs_ct_nat()
901 maniptype = ct->status & IPS_SRC_NAT in ovs_ct_nat()
903 } else if (info->nat & OVS_CT_SRC_NAT) { in ovs_ct_nat()
905 } else if (info->nat & OVS_CT_DST_NAT) { in ovs_ct_nat()
910 err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range, maniptype, key); in ovs_ct_nat()
912 if (err == NF_ACCEPT && ct->status & IPS_DST_NAT) { in ovs_ct_nat()
913 if (ct->status & IPS_SRC_NAT) { in ovs_ct_nat()
919 err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range, in ovs_ct_nat()
942 * Note that if the packet is deemed invalid by conntrack, skb->_nfct will be
961 .pf = info->family, in __ovs_ct_lookup()
964 struct nf_conn *tmpl = info->ct; in __ovs_ct_lookup()
971 nf_conntrack_get(&tmpl->ct_general); in __ovs_ct_lookup()
977 return -ENOENT; in __ovs_ct_lookup()
981 * the whole state, as it will be re-initialized below. in __ovs_ct_lookup()
983 key->ct_state = 0; in __ovs_ct_lookup()
1001 * the key->ct_state. in __ovs_ct_lookup()
1003 if (info->nat && !(key->ct_state & OVS_CS_F_NAT_MASK) && in __ovs_ct_lookup()
1004 (nf_ct_is_confirmed(ct) || info->commit) && in __ovs_ct_lookup()
1006 return -EINVAL; in __ovs_ct_lookup()
1015 if (info->commit && info->helper && !nfct_help(ct)) { in __ovs_ct_lookup()
1016 int err = __nf_ct_try_assign_helper(ct, info->ct, in __ovs_ct_lookup()
1023 if (info->nat && !nfct_seqadj(ct)) { in __ovs_ct_lookup()
1025 return -EINVAL; in __ovs_ct_lookup()
1030 * - nf_conntrack_in() was executed above ("!cached") or a in __ovs_ct_lookup()
1033 * - When committing an unconfirmed connection. in __ovs_ct_lookup()
1036 info->commit) && in __ovs_ct_lookup()
1037 ovs_ct_helper(skb, info->family) != NF_ACCEPT) { in __ovs_ct_lookup()
1038 return -EINVAL; in __ovs_ct_lookup()
1059 exp = ovs_ct_expect_find(net, &info->zone, info->family, skb); in ovs_ct_lookup()
1067 __ovs_ct_update_key(key, state, &info->zone, exp->master); in ovs_ct_lookup()
1089 if (labels->ct_labels_32[i]) in labels_nonzero()
1099 return &info->limits[zone & (CT_LIMIT_HASH_BUCKETS - 1)]; in ct_limit_hash_bucket()
1109 head = ct_limit_hash_bucket(info, new_ct_limit->zone); in ct_limit_set()
1111 if (ct_limit->zone == new_ct_limit->zone) { in ct_limit_set()
1112 hlist_replace_rcu(&ct_limit->hlist_node, in ct_limit_set()
1113 &new_ct_limit->hlist_node); in ct_limit_set()
1119 hlist_add_head_rcu(&new_ct_limit->hlist_node, head); in ct_limit_set()
1131 if (ct_limit->zone == zone) { in ct_limit_del()
1132 hlist_del_rcu(&ct_limit->hlist_node); in ct_limit_del()
1147 if (ct_limit->zone == zone) in ct_limit_get()
1148 return ct_limit->limit; in ct_limit_get()
1151 return info->default_limit; in ct_limit_get()
1159 const struct ovs_ct_limit_info *ct_limit_info = ovs_net->ct_limit_info; in ovs_ct_check_limit()
1163 conncount_key = info->zone.id; in ovs_ct_check_limit()
1165 per_zone_limit = ct_limit_get(ct_limit_info, info->zone.id); in ovs_ct_check_limit()
1169 connections = nf_conncount_count(net, ct_limit_info->data, in ovs_ct_check_limit()
1170 &conncount_key, tuple, &info->zone); in ovs_ct_check_limit()
1172 return -ENOMEM; in ovs_ct_check_limit()
1191 /* The connection could be invalid, in which case this is a no-op.*/ in ovs_ct_commit()
1200 &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); in ovs_ct_commit()
1204 info->zone.id); in ovs_ct_commit()
1218 if (info->have_eventmask) { in ovs_ct_commit()
1222 cache->ctmask = info->eventmask; in ovs_ct_commit()
1229 if (info->mark.mask) { in ovs_ct_commit()
1230 err = ovs_ct_set_mark(ct, key, info->mark.value, in ovs_ct_commit()
1231 info->mark.mask); in ovs_ct_commit()
1236 err = ovs_ct_init_labels(ct, key, &info->labels.value, in ovs_ct_commit()
1237 &info->labels.mask); in ovs_ct_commit()
1241 labels_nonzero(&info->labels.mask)) { in ovs_ct_commit()
1242 err = ovs_ct_set_labels(ct, key, &info->labels.value, in ovs_ct_commit()
1243 &info->labels.mask); in ovs_ct_commit()
1251 return -EINVAL; in ovs_ct_commit()
1257 * removing any trailing lower-layer padding. This prepares the skb
1258 * for higher-layer processing that assumes skb->len excludes padding
1267 switch (skb->protocol) { in ovs_skb_network_trim()
1269 len = ntohs(ip_hdr(skb)->tot_len); in ovs_skb_network_trim()
1273 + ntohs(ipv6_hdr(skb)->payload_len); in ovs_skb_network_trim()
1275 default: in ovs_skb_network_trim()
1276 len = skb->len; in ovs_skb_network_trim()
1286 /* Returns 0 on success, -EINPROGRESS if 'skb' is stolen, or other nonzero
1304 if (key->ip.frag != OVS_FRAG_TYPE_NONE) { in ovs_ct_execute()
1305 err = handle_fragments(net, key, info->zone.id, skb); in ovs_ct_execute()
1310 if (info->commit) in ovs_ct_execute()
1316 skb_postpush_rcsum(skb, skb->data, nh_ofs); in ovs_ct_execute()
1341 helper = nf_conntrack_helper_try_module_get(name, info->family, in ovs_ct_add_helper()
1342 key->ip.proto); in ovs_ct_add_helper()
1345 return -EINVAL; in ovs_ct_add_helper()
1348 help = nf_ct_helper_ext_add(info->ct, GFP_KERNEL); in ovs_ct_add_helper()
1351 return -ENOMEM; in ovs_ct_add_helper()
1355 if (info->nat) { in ovs_ct_add_helper()
1356 ret = nf_nat_helper_try_module_get(name, info->family, in ovs_ct_add_helper()
1357 key->ip.proto); in ovs_ct_add_helper()
1366 rcu_assign_pointer(help->helper, helper); in ovs_ct_add_helper()
1367 info->helper = helper; in ovs_ct_add_helper()
1379 bool ip_vers = (info->family == NFPROTO_IPV6); in parse_nat()
1400 return -EINVAL; in parse_nat()
1407 return -EINVAL; in parse_nat()
1413 if (info->nat) { in parse_nat()
1415 return -ERANGE; in parse_nat()
1417 info->nat |= OVS_CT_NAT; in parse_nat()
1418 info->nat |= ((type == OVS_NAT_ATTR_SRC) in parse_nat()
1423 nla_memcpy(&info->range.min_addr, a, in parse_nat()
1424 sizeof(info->range.min_addr)); in parse_nat()
1425 info->range.flags |= NF_NAT_RANGE_MAP_IPS; in parse_nat()
1430 nla_memcpy(&info->range.max_addr, a, in parse_nat()
1431 sizeof(info->range.max_addr)); in parse_nat()
1432 info->range.flags |= NF_NAT_RANGE_MAP_IPS; in parse_nat()
1436 info->range.min_proto.all = htons(nla_get_u16(a)); in parse_nat()
1437 info->range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED; in parse_nat()
1442 info->range.max_proto.all = htons(nla_get_u16(a)); in parse_nat()
1443 info->range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED; in parse_nat()
1447 info->range.flags |= NF_NAT_RANGE_PERSISTENT; in parse_nat()
1451 info->range.flags |= NF_NAT_RANGE_PROTO_RANDOM; in parse_nat()
1455 info->range.flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY; in parse_nat()
1458 default: in parse_nat()
1460 return -EINVAL; in parse_nat()
1466 return -EINVAL; in parse_nat()
1468 if (!info->nat) { in parse_nat()
1470 if (info->range.flags) { in parse_nat()
1474 return -EINVAL; in parse_nat()
1476 info->nat = OVS_CT_NAT; /* NAT existing connections. */ in parse_nat()
1477 } else if (!info->commit) { in parse_nat()
1481 return -EINVAL; in parse_nat()
1484 if (info->range.flags & NF_NAT_RANGE_MAP_IPS && !have_ip_max) { in parse_nat()
1485 memcpy(&info->range.max_addr, &info->range.min_addr, in parse_nat()
1486 sizeof(info->range.max_addr)); in parse_nat()
1489 if (info->range.flags & NF_NAT_RANGE_PROTO_SPECIFIED && in parse_nat()
1491 info->range.max_proto.all = info->range.min_proto.all; in parse_nat()
1533 return -EINVAL; in parse_ct()
1542 return -EINVAL; in parse_ct()
1547 info->force = true; in parse_ct()
1550 info->commit = true; in parse_ct()
1554 info->zone.id = nla_get_u16(a); in parse_ct()
1561 if (!mark->mask) { in parse_ct()
1563 return -EINVAL; in parse_ct()
1565 info->mark = *mark; in parse_ct()
1573 if (!labels_nonzero(&labels->mask)) { in parse_ct()
1575 return -EINVAL; in parse_ct()
1577 info->labels = *labels; in parse_ct()
1585 return -EINVAL; in parse_ct()
1598 info->have_eventmask = true; in parse_ct()
1599 info->eventmask = nla_get_u32(a); in parse_ct()
1603 memcpy(info->timeout, nla_data(a), nla_len(a)); in parse_ct()
1604 if (!memchr(info->timeout, '\0', nla_len(a))) { in parse_ct()
1606 return -EINVAL; in parse_ct()
1611 default: in parse_ct()
1614 return -EINVAL; in parse_ct()
1619 if (!info->commit && info->mark.mask) { in parse_ct()
1622 return -EINVAL; in parse_ct()
1626 if (!info->commit && labels_nonzero(&info->labels.mask)) { in parse_ct()
1629 return -EINVAL; in parse_ct()
1634 return -EINVAL; in parse_ct()
1654 return ovs_net->xt_label; in ovs_ct_verify()
1672 return -EINVAL; in ovs_ct_copy_action()
1689 return -ENOMEM; in ovs_ct_copy_action()
1693 if (nf_ct_set_timeout(net, ct_info.ct, family, key->ip.proto, in ovs_ct_copy_action()
1699 nf_ct_timeout_find(ct_info.ct)->timeout); in ovs_ct_copy_action()
1714 __set_bit(IPS_CONFIRMED_BIT, &ct_info.ct->status); in ovs_ct_copy_action()
1715 nf_conntrack_get(&ct_info.ct->ct_general); in ovs_ct_copy_action()
1732 if (info->nat & OVS_CT_SRC_NAT) { in ovs_ct_nat_to_attr()
1735 } else if (info->nat & OVS_CT_DST_NAT) { in ovs_ct_nat_to_attr()
1742 if (info->range.flags & NF_NAT_RANGE_MAP_IPS) { in ovs_ct_nat_to_attr()
1744 info->family == NFPROTO_IPV4) { in ovs_ct_nat_to_attr()
1746 info->range.min_addr.ip) || in ovs_ct_nat_to_attr()
1747 (info->range.max_addr.ip in ovs_ct_nat_to_attr()
1748 != info->range.min_addr.ip && in ovs_ct_nat_to_attr()
1750 info->range.max_addr.ip)))) in ovs_ct_nat_to_attr()
1753 info->family == NFPROTO_IPV6) { in ovs_ct_nat_to_attr()
1755 &info->range.min_addr.in6) || in ovs_ct_nat_to_attr()
1756 (memcmp(&info->range.max_addr.in6, in ovs_ct_nat_to_attr()
1757 &info->range.min_addr.in6, in ovs_ct_nat_to_attr()
1758 sizeof(info->range.max_addr.in6)) && in ovs_ct_nat_to_attr()
1760 &info->range.max_addr.in6)))) in ovs_ct_nat_to_attr()
1766 if (info->range.flags & NF_NAT_RANGE_PROTO_SPECIFIED && in ovs_ct_nat_to_attr()
1768 ntohs(info->range.min_proto.all)) || in ovs_ct_nat_to_attr()
1769 (info->range.max_proto.all != info->range.min_proto.all && in ovs_ct_nat_to_attr()
1771 ntohs(info->range.max_proto.all))))) in ovs_ct_nat_to_attr()
1774 if (info->range.flags & NF_NAT_RANGE_PERSISTENT && in ovs_ct_nat_to_attr()
1777 if (info->range.flags & NF_NAT_RANGE_PROTO_RANDOM && in ovs_ct_nat_to_attr()
1780 if (info->range.flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY && in ovs_ct_nat_to_attr()
1797 return -EMSGSIZE; in ovs_ct_action_to_attr()
1799 if (ct_info->commit && nla_put_flag(skb, ct_info->force in ovs_ct_action_to_attr()
1802 return -EMSGSIZE; in ovs_ct_action_to_attr()
1804 nla_put_u16(skb, OVS_CT_ATTR_ZONE, ct_info->zone.id)) in ovs_ct_action_to_attr()
1805 return -EMSGSIZE; in ovs_ct_action_to_attr()
1806 if (IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) && ct_info->mark.mask && in ovs_ct_action_to_attr()
1807 nla_put(skb, OVS_CT_ATTR_MARK, sizeof(ct_info->mark), in ovs_ct_action_to_attr()
1808 &ct_info->mark)) in ovs_ct_action_to_attr()
1809 return -EMSGSIZE; in ovs_ct_action_to_attr()
1811 labels_nonzero(&ct_info->labels.mask) && in ovs_ct_action_to_attr()
1812 nla_put(skb, OVS_CT_ATTR_LABELS, sizeof(ct_info->labels), in ovs_ct_action_to_attr()
1813 &ct_info->labels)) in ovs_ct_action_to_attr()
1814 return -EMSGSIZE; in ovs_ct_action_to_attr()
1815 if (ct_info->helper) { in ovs_ct_action_to_attr()
1817 ct_info->helper->name)) in ovs_ct_action_to_attr()
1818 return -EMSGSIZE; in ovs_ct_action_to_attr()
1820 if (ct_info->have_eventmask && in ovs_ct_action_to_attr()
1821 nla_put_u32(skb, OVS_CT_ATTR_EVENTMASK, ct_info->eventmask)) in ovs_ct_action_to_attr()
1822 return -EMSGSIZE; in ovs_ct_action_to_attr()
1823 if (ct_info->timeout[0]) { in ovs_ct_action_to_attr()
1824 if (nla_put_string(skb, OVS_CT_ATTR_TIMEOUT, ct_info->timeout)) in ovs_ct_action_to_attr()
1825 return -EMSGSIZE; in ovs_ct_action_to_attr()
1829 if (ct_info->nat && !ovs_ct_nat_to_attr(ct_info, skb)) in ovs_ct_action_to_attr()
1830 return -EMSGSIZE; in ovs_ct_action_to_attr()
1846 if (ct_info->helper) { in __ovs_ct_free_action()
1848 if (ct_info->nat) in __ovs_ct_free_action()
1849 nf_nat_helper_put(ct_info->helper); in __ovs_ct_free_action()
1851 nf_conntrack_helper_put(ct_info->helper); in __ovs_ct_free_action()
1853 if (ct_info->ct) { in __ovs_ct_free_action()
1854 if (ct_info->timeout[0]) in __ovs_ct_free_action()
1855 nf_ct_destroy_timeout(ct_info->ct); in __ovs_ct_free_action()
1856 nf_ct_tmpl_free(ct_info->ct); in __ovs_ct_free_action()
1865 ovs_net->ct_limit_info = kmalloc(sizeof(*ovs_net->ct_limit_info), in ovs_ct_limit_init()
1867 if (!ovs_net->ct_limit_info) in ovs_ct_limit_init()
1868 return -ENOMEM; in ovs_ct_limit_init()
1870 ovs_net->ct_limit_info->default_limit = OVS_CT_LIMIT_DEFAULT; in ovs_ct_limit_init()
1871 ovs_net->ct_limit_info->limits = in ovs_ct_limit_init()
1874 if (!ovs_net->ct_limit_info->limits) { in ovs_ct_limit_init()
1875 kfree(ovs_net->ct_limit_info); in ovs_ct_limit_init()
1876 return -ENOMEM; in ovs_ct_limit_init()
1880 INIT_HLIST_HEAD(&ovs_net->ct_limit_info->limits[i]); in ovs_ct_limit_init()
1882 ovs_net->ct_limit_info->data = in ovs_ct_limit_init()
1885 if (IS_ERR(ovs_net->ct_limit_info->data)) { in ovs_ct_limit_init()
1886 err = PTR_ERR(ovs_net->ct_limit_info->data); in ovs_ct_limit_init()
1887 kfree(ovs_net->ct_limit_info->limits); in ovs_ct_limit_init()
1888 kfree(ovs_net->ct_limit_info); in ovs_ct_limit_init()
1897 const struct ovs_ct_limit_info *info = ovs_net->ct_limit_info; in ovs_ct_limit_exit()
1900 nf_conncount_destroy(net, NFPROTO_INET, info->data); in ovs_ct_limit_exit()
1902 struct hlist_head *head = &info->limits[i]; in ovs_ct_limit_exit()
1909 kfree(info->limits); in ovs_ct_limit_exit()
1917 struct ovs_header *ovs_header = info->userhdr; in ovs_ct_limit_cmd_reply_start()
1922 return ERR_PTR(-ENOMEM); in ovs_ct_limit_cmd_reply_start()
1924 *ovs_reply_header = genlmsg_put(skb, info->snd_portid, in ovs_ct_limit_cmd_reply_start()
1925 info->snd_seq, in ovs_ct_limit_cmd_reply_start()
1930 return ERR_PTR(-EMSGSIZE); in ovs_ct_limit_cmd_reply_start()
1932 (*ovs_reply_header)->dp_ifindex = ovs_header->dp_ifindex; in ovs_ct_limit_cmd_reply_start()
1957 if (unlikely(zone_limit->zone_id == in ovs_ct_limit_set_zone_limit()
1960 info->default_limit = zone_limit->limit; in ovs_ct_limit_set_zone_limit()
1963 zone_limit->zone_id, &zone))) { in ovs_ct_limit_set_zone_limit()
1970 return -ENOMEM; in ovs_ct_limit_set_zone_limit()
1972 ct_limit->zone = zone; in ovs_ct_limit_set_zone_limit()
1973 ct_limit->limit = zone_limit->limit; in ovs_ct_limit_set_zone_limit()
1979 rem -= NLA_ALIGN(sizeof(*zone_limit)); in ovs_ct_limit_set_zone_limit()
2001 if (unlikely(zone_limit->zone_id == in ovs_ct_limit_del_zone_limit()
2004 info->default_limit = OVS_CT_LIMIT_DEFAULT; in ovs_ct_limit_del_zone_limit()
2007 zone_limit->zone_id, &zone))) { in ovs_ct_limit_del_zone_limit()
2014 rem -= NLA_ALIGN(sizeof(*zone_limit)); in ovs_ct_limit_del_zone_limit()
2030 .limit = info->default_limit, in ovs_ct_limit_get_default_limit()
2068 if (unlikely(zone_limit->zone_id == in ovs_ct_limit_get_zone_limit()
2073 } else if (unlikely(!check_zone_id(zone_limit->zone_id, in ovs_ct_limit_get_zone_limit()
2082 net, info->data, zone, limit, reply); in ovs_ct_limit_get_zone_limit()
2086 rem -= NLA_ALIGN(sizeof(*zone_limit)); in ovs_ct_limit_get_zone_limit()
2111 head = &info->limits[i]; in ovs_ct_limit_get_all_zone_limit()
2113 err = __ovs_ct_limit_get_zone_limit(net, info->data, in ovs_ct_limit_get_all_zone_limit()
2114 ct_limit->zone, ct_limit->limit, reply); in ovs_ct_limit_get_all_zone_limit()
2127 struct nlattr **a = info->attrs; in ovs_ct_limit_cmd_set()
2130 struct ovs_net *ovs_net = net_generic(sock_net(skb->sk), ovs_net_id); in ovs_ct_limit_cmd_set()
2131 struct ovs_ct_limit_info *ct_limit_info = ovs_net->ct_limit_info; in ovs_ct_limit_cmd_set()
2140 err = -EINVAL; in ovs_ct_limit_cmd_set()
2161 struct nlattr **a = info->attrs; in ovs_ct_limit_cmd_del()
2164 struct ovs_net *ovs_net = net_generic(sock_net(skb->sk), ovs_net_id); in ovs_ct_limit_cmd_del()
2165 struct ovs_ct_limit_info *ct_limit_info = ovs_net->ct_limit_info; in ovs_ct_limit_cmd_del()
2174 err = -EINVAL; in ovs_ct_limit_cmd_del()
2193 struct nlattr **a = info->attrs; in ovs_ct_limit_cmd_get()
2197 struct net *net = sock_net(skb->sk); in ovs_ct_limit_cmd_get()
2199 struct ovs_ct_limit_info *ct_limit_info = ovs_net->ct_limit_info; in ovs_ct_limit_cmd_get()
2209 err = -EMSGSIZE; in ovs_ct_limit_cmd_get()
2280 if (nf_connlabels_get(net, n_bits - 1)) { in ovs_ct_init()
2281 ovs_net->xt_label = false; in ovs_ct_init()
2284 ovs_net->xt_label = true; in ovs_ct_init()
2302 if (ovs_net->xt_label) in ovs_ct_exit()