1 // SPDX-License-Identifier: GPL-2.0-only
2 #include <linux/kernel.h>
3 #include <linux/skbuff.h>
4 #include <linux/export.h>
6 #include <linux/ipv6.h>
7 #include <linux/if_vlan.h>
9 #include <net/dst_metadata.h>
15 #include <linux/igmp.h>
16 #include <linux/icmp.h>
17 #include <linux/sctp.h>
18 #include <linux/dccp.h>
19 #include <linux/if_tunnel.h>
20 #include <linux/if_pppox.h>
21 #include <linux/ppp_defs.h>
22 #include <linux/stddef.h>
23 #include <linux/if_ether.h>
24 #include <linux/mpls.h>
25 #include <linux/tcp.h>
26 #include <linux/ptp_classify.h>
27 #include <net/flow_dissector.h>
28 #include <scsi/fc/fc_fcoe.h>
29 #include <uapi/linux/batadv_packet.h>
30 #include <linux/bpf.h>
31 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
32 #include <net/netfilter/nf_conntrack_core.h>
33 #include <net/netfilter/nf_conntrack_labels.h>
35 #include <linux/bpf-netns.h>
37 static void dissector_set_key(struct flow_dissector *flow_dissector,
38 enum flow_dissector_key_id key_id)
40 flow_dissector->used_keys |= (1 << key_id);
43 void skb_flow_dissector_init(struct flow_dissector *flow_dissector,
44 const struct flow_dissector_key *key,
45 unsigned int key_count)
49 memset(flow_dissector, 0, sizeof(*flow_dissector));
51 for (i = 0; i < key_count; i++, key++) {
52 /* User should make sure that every key target offset is within
53 * boundaries of unsigned short.
55 BUG_ON(key->offset > USHRT_MAX);
56 BUG_ON(dissector_uses_key(flow_dissector,
59 dissector_set_key(flow_dissector, key->key_id);
60 flow_dissector->offset[key->key_id] = key->offset;
63 /* Ensure that the dissector always includes control and basic key.
64 * That way we are able to avoid handling lack of these in fast path.
66 BUG_ON(!dissector_uses_key(flow_dissector,
67 FLOW_DISSECTOR_KEY_CONTROL));
68 BUG_ON(!dissector_uses_key(flow_dissector,
69 FLOW_DISSECTOR_KEY_BASIC));
71 EXPORT_SYMBOL(skb_flow_dissector_init);
73 #ifdef CONFIG_BPF_SYSCALL
74 int flow_dissector_bpf_prog_attach_check(struct net *net,
75 struct bpf_prog *prog)
77 enum netns_bpf_attach_type type = NETNS_BPF_FLOW_DISSECTOR;
79 if (net == &init_net) {
80 /* BPF flow dissector in the root namespace overrides
81 * any per-net-namespace one. When attaching to root,
82 * make sure we don't have any BPF program attached
83 * to the non-root namespaces.
90 if (rcu_access_pointer(ns->bpf.run_array[type]))
94 /* Make sure root flow dissector is not attached
95 * when attaching to the non-root namespace.
97 if (rcu_access_pointer(init_net.bpf.run_array[type]))
103 #endif /* CONFIG_BPF_SYSCALL */
106 * __skb_flow_get_ports - extract the upper layer ports and return them
107 * @skb: sk_buff to extract the ports from
108 * @thoff: transport header offset
109 * @ip_proto: protocol for which to get port offset
110 * @data: raw buffer pointer to the packet, if NULL use skb->data
111 * @hlen: packet header length, if @data is NULL use skb_headlen(skb)
113 * The function will try to retrieve the ports at offset thoff + poff where poff
114 * is the protocol port offset returned from proto_ports_offset
116 __be32 __skb_flow_get_ports(const struct sk_buff *skb, int thoff, u8 ip_proto,
117 const void *data, int hlen)
119 int poff = proto_ports_offset(ip_proto);
123 hlen = skb_headlen(skb);
127 __be32 *ports, _ports;
129 ports = __skb_header_pointer(skb, thoff + poff,
130 sizeof(_ports), data, hlen, &_ports);
137 EXPORT_SYMBOL(__skb_flow_get_ports);
139 static bool icmp_has_id(u8 type)
145 case ICMP_TIMESTAMPREPLY:
146 case ICMPV6_ECHO_REQUEST:
147 case ICMPV6_ECHO_REPLY:
155 * skb_flow_get_icmp_tci - extract ICMP(6) Type, Code and Identifier fields
156 * @skb: sk_buff to extract from
157 * @key_icmp: struct flow_dissector_key_icmp to fill
158 * @data: raw buffer pointer to the packet
159 * @thoff: offset to extract at
160 * @hlen: packet header length
162 void skb_flow_get_icmp_tci(const struct sk_buff *skb,
163 struct flow_dissector_key_icmp *key_icmp,
164 const void *data, int thoff, int hlen)
166 struct icmphdr *ih, _ih;
168 ih = __skb_header_pointer(skb, thoff, sizeof(_ih), data, hlen, &_ih);
172 key_icmp->type = ih->type;
173 key_icmp->code = ih->code;
175 /* As we use 0 to signal that the Id field is not present,
176 * avoid confusion with packets without such field
178 if (icmp_has_id(ih->type))
179 key_icmp->id = ih->un.echo.id ? ntohs(ih->un.echo.id) : 1;
183 EXPORT_SYMBOL(skb_flow_get_icmp_tci);
185 /* If FLOW_DISSECTOR_KEY_ICMP is set, dissect an ICMP packet
186 * using skb_flow_get_icmp_tci().
188 static void __skb_flow_dissect_icmp(const struct sk_buff *skb,
189 struct flow_dissector *flow_dissector,
190 void *target_container, const void *data,
193 struct flow_dissector_key_icmp *key_icmp;
195 if (!dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_ICMP))
198 key_icmp = skb_flow_dissector_target(flow_dissector,
199 FLOW_DISSECTOR_KEY_ICMP,
202 skb_flow_get_icmp_tci(skb, key_icmp, data, thoff, hlen);
205 void skb_flow_dissect_meta(const struct sk_buff *skb,
206 struct flow_dissector *flow_dissector,
207 void *target_container)
209 struct flow_dissector_key_meta *meta;
211 if (!dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_META))
214 meta = skb_flow_dissector_target(flow_dissector,
215 FLOW_DISSECTOR_KEY_META,
217 meta->ingress_ifindex = skb->skb_iif;
219 EXPORT_SYMBOL(skb_flow_dissect_meta);
222 skb_flow_dissect_set_enc_addr_type(enum flow_dissector_key_id type,
223 struct flow_dissector *flow_dissector,
224 void *target_container)
226 struct flow_dissector_key_control *ctrl;
228 if (!dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_ENC_CONTROL))
231 ctrl = skb_flow_dissector_target(flow_dissector,
232 FLOW_DISSECTOR_KEY_ENC_CONTROL,
234 ctrl->addr_type = type;
238 skb_flow_dissect_ct(const struct sk_buff *skb,
239 struct flow_dissector *flow_dissector,
240 void *target_container, u16 *ctinfo_map,
241 size_t mapsize, bool post_ct)
243 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
244 struct flow_dissector_key_ct *key;
245 enum ip_conntrack_info ctinfo;
246 struct nf_conn_labels *cl;
249 if (!dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_CT))
252 ct = nf_ct_get(skb, &ctinfo);
256 key = skb_flow_dissector_target(flow_dissector,
257 FLOW_DISSECTOR_KEY_CT,
261 key->ct_state = TCA_FLOWER_KEY_CT_FLAGS_TRACKED |
262 TCA_FLOWER_KEY_CT_FLAGS_INVALID;
266 if (ctinfo < mapsize)
267 key->ct_state = ctinfo_map[ctinfo];
268 #if IS_ENABLED(CONFIG_NF_CONNTRACK_ZONES)
269 key->ct_zone = ct->zone.id;
271 #if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK)
272 key->ct_mark = ct->mark;
275 cl = nf_ct_labels_find(ct);
277 memcpy(key->ct_labels, cl->bits, sizeof(key->ct_labels));
278 #endif /* CONFIG_NF_CONNTRACK */
280 EXPORT_SYMBOL(skb_flow_dissect_ct);
283 skb_flow_dissect_tunnel_info(const struct sk_buff *skb,
284 struct flow_dissector *flow_dissector,
285 void *target_container)
287 struct ip_tunnel_info *info;
288 struct ip_tunnel_key *key;
290 /* A quick check to see if there might be something to do. */
291 if (!dissector_uses_key(flow_dissector,
292 FLOW_DISSECTOR_KEY_ENC_KEYID) &&
293 !dissector_uses_key(flow_dissector,
294 FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS) &&
295 !dissector_uses_key(flow_dissector,
296 FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS) &&
297 !dissector_uses_key(flow_dissector,
298 FLOW_DISSECTOR_KEY_ENC_CONTROL) &&
299 !dissector_uses_key(flow_dissector,
300 FLOW_DISSECTOR_KEY_ENC_PORTS) &&
301 !dissector_uses_key(flow_dissector,
302 FLOW_DISSECTOR_KEY_ENC_IP) &&
303 !dissector_uses_key(flow_dissector,
304 FLOW_DISSECTOR_KEY_ENC_OPTS))
307 info = skb_tunnel_info(skb);
313 switch (ip_tunnel_info_af(info)) {
315 skb_flow_dissect_set_enc_addr_type(FLOW_DISSECTOR_KEY_IPV4_ADDRS,
318 if (dissector_uses_key(flow_dissector,
319 FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS)) {
320 struct flow_dissector_key_ipv4_addrs *ipv4;
322 ipv4 = skb_flow_dissector_target(flow_dissector,
323 FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS,
325 ipv4->src = key->u.ipv4.src;
326 ipv4->dst = key->u.ipv4.dst;
330 skb_flow_dissect_set_enc_addr_type(FLOW_DISSECTOR_KEY_IPV6_ADDRS,
333 if (dissector_uses_key(flow_dissector,
334 FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS)) {
335 struct flow_dissector_key_ipv6_addrs *ipv6;
337 ipv6 = skb_flow_dissector_target(flow_dissector,
338 FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS,
340 ipv6->src = key->u.ipv6.src;
341 ipv6->dst = key->u.ipv6.dst;
346 if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_ENC_KEYID)) {
347 struct flow_dissector_key_keyid *keyid;
349 keyid = skb_flow_dissector_target(flow_dissector,
350 FLOW_DISSECTOR_KEY_ENC_KEYID,
352 keyid->keyid = tunnel_id_to_key32(key->tun_id);
355 if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_ENC_PORTS)) {
356 struct flow_dissector_key_ports *tp;
358 tp = skb_flow_dissector_target(flow_dissector,
359 FLOW_DISSECTOR_KEY_ENC_PORTS,
361 tp->src = key->tp_src;
362 tp->dst = key->tp_dst;
365 if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_ENC_IP)) {
366 struct flow_dissector_key_ip *ip;
368 ip = skb_flow_dissector_target(flow_dissector,
369 FLOW_DISSECTOR_KEY_ENC_IP,
375 if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_ENC_OPTS)) {
376 struct flow_dissector_key_enc_opts *enc_opt;
378 enc_opt = skb_flow_dissector_target(flow_dissector,
379 FLOW_DISSECTOR_KEY_ENC_OPTS,
382 if (info->options_len) {
383 enc_opt->len = info->options_len;
384 ip_tunnel_info_opts_get(enc_opt->data, info);
385 enc_opt->dst_opt_type = info->key.tun_flags &
386 TUNNEL_OPTIONS_PRESENT;
390 EXPORT_SYMBOL(skb_flow_dissect_tunnel_info);
392 void skb_flow_dissect_hash(const struct sk_buff *skb,
393 struct flow_dissector *flow_dissector,
394 void *target_container)
396 struct flow_dissector_key_hash *key;
398 if (!dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_HASH))
401 key = skb_flow_dissector_target(flow_dissector,
402 FLOW_DISSECTOR_KEY_HASH,
405 key->hash = skb_get_hash_raw(skb);
407 EXPORT_SYMBOL(skb_flow_dissect_hash);
409 static enum flow_dissect_ret
410 __skb_flow_dissect_mpls(const struct sk_buff *skb,
411 struct flow_dissector *flow_dissector,
412 void *target_container, const void *data, int nhoff,
413 int hlen, int lse_index, bool *entropy_label)
415 struct mpls_label *hdr, _hdr;
416 u32 entry, label, bos;
418 if (!dissector_uses_key(flow_dissector,
419 FLOW_DISSECTOR_KEY_MPLS_ENTROPY) &&
420 !dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_MPLS))
421 return FLOW_DISSECT_RET_OUT_GOOD;
423 if (lse_index >= FLOW_DIS_MPLS_MAX)
424 return FLOW_DISSECT_RET_OUT_GOOD;
426 hdr = __skb_header_pointer(skb, nhoff, sizeof(_hdr), data,
429 return FLOW_DISSECT_RET_OUT_BAD;
431 entry = ntohl(hdr->entry);
432 label = (entry & MPLS_LS_LABEL_MASK) >> MPLS_LS_LABEL_SHIFT;
433 bos = (entry & MPLS_LS_S_MASK) >> MPLS_LS_S_SHIFT;
435 if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_MPLS)) {
436 struct flow_dissector_key_mpls *key_mpls;
437 struct flow_dissector_mpls_lse *lse;
439 key_mpls = skb_flow_dissector_target(flow_dissector,
440 FLOW_DISSECTOR_KEY_MPLS,
442 lse = &key_mpls->ls[lse_index];
444 lse->mpls_ttl = (entry & MPLS_LS_TTL_MASK) >> MPLS_LS_TTL_SHIFT;
446 lse->mpls_tc = (entry & MPLS_LS_TC_MASK) >> MPLS_LS_TC_SHIFT;
447 lse->mpls_label = label;
448 dissector_set_mpls_lse(key_mpls, lse_index);
451 if (*entropy_label &&
452 dissector_uses_key(flow_dissector,
453 FLOW_DISSECTOR_KEY_MPLS_ENTROPY)) {
454 struct flow_dissector_key_keyid *key_keyid;
456 key_keyid = skb_flow_dissector_target(flow_dissector,
457 FLOW_DISSECTOR_KEY_MPLS_ENTROPY,
459 key_keyid->keyid = cpu_to_be32(label);
462 *entropy_label = label == MPLS_LABEL_ENTROPY;
464 return bos ? FLOW_DISSECT_RET_OUT_GOOD : FLOW_DISSECT_RET_PROTO_AGAIN;
467 static enum flow_dissect_ret
468 __skb_flow_dissect_arp(const struct sk_buff *skb,
469 struct flow_dissector *flow_dissector,
470 void *target_container, const void *data,
473 struct flow_dissector_key_arp *key_arp;
475 unsigned char ar_sha[ETH_ALEN];
476 unsigned char ar_sip[4];
477 unsigned char ar_tha[ETH_ALEN];
478 unsigned char ar_tip[4];
479 } *arp_eth, _arp_eth;
480 const struct arphdr *arp;
483 if (!dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_ARP))
484 return FLOW_DISSECT_RET_OUT_GOOD;
486 arp = __skb_header_pointer(skb, nhoff, sizeof(_arp), data,
489 return FLOW_DISSECT_RET_OUT_BAD;
491 if (arp->ar_hrd != htons(ARPHRD_ETHER) ||
492 arp->ar_pro != htons(ETH_P_IP) ||
493 arp->ar_hln != ETH_ALEN ||
495 (arp->ar_op != htons(ARPOP_REPLY) &&
496 arp->ar_op != htons(ARPOP_REQUEST)))
497 return FLOW_DISSECT_RET_OUT_BAD;
499 arp_eth = __skb_header_pointer(skb, nhoff + sizeof(_arp),
500 sizeof(_arp_eth), data,
503 return FLOW_DISSECT_RET_OUT_BAD;
505 key_arp = skb_flow_dissector_target(flow_dissector,
506 FLOW_DISSECTOR_KEY_ARP,
509 memcpy(&key_arp->sip, arp_eth->ar_sip, sizeof(key_arp->sip));
510 memcpy(&key_arp->tip, arp_eth->ar_tip, sizeof(key_arp->tip));
512 /* Only store the lower byte of the opcode;
513 * this covers ARPOP_REPLY and ARPOP_REQUEST.
515 key_arp->op = ntohs(arp->ar_op) & 0xff;
517 ether_addr_copy(key_arp->sha, arp_eth->ar_sha);
518 ether_addr_copy(key_arp->tha, arp_eth->ar_tha);
520 return FLOW_DISSECT_RET_OUT_GOOD;
523 static enum flow_dissect_ret
524 __skb_flow_dissect_gre(const struct sk_buff *skb,
525 struct flow_dissector_key_control *key_control,
526 struct flow_dissector *flow_dissector,
527 void *target_container, const void *data,
528 __be16 *p_proto, int *p_nhoff, int *p_hlen,
531 struct flow_dissector_key_keyid *key_keyid;
532 struct gre_base_hdr *hdr, _hdr;
536 hdr = __skb_header_pointer(skb, *p_nhoff, sizeof(_hdr),
537 data, *p_hlen, &_hdr);
539 return FLOW_DISSECT_RET_OUT_BAD;
541 /* Only look inside GRE without routing */
542 if (hdr->flags & GRE_ROUTING)
543 return FLOW_DISSECT_RET_OUT_GOOD;
545 /* Only look inside GRE for version 0 and 1 */
546 gre_ver = ntohs(hdr->flags & GRE_VERSION);
548 return FLOW_DISSECT_RET_OUT_GOOD;
550 *p_proto = hdr->protocol;
552 /* Version1 must be PPTP, and check the flags */
553 if (!(*p_proto == GRE_PROTO_PPP && (hdr->flags & GRE_KEY)))
554 return FLOW_DISSECT_RET_OUT_GOOD;
557 offset += sizeof(struct gre_base_hdr);
559 if (hdr->flags & GRE_CSUM)
560 offset += sizeof_field(struct gre_full_hdr, csum) +
561 sizeof_field(struct gre_full_hdr, reserved1);
563 if (hdr->flags & GRE_KEY) {
567 keyid = __skb_header_pointer(skb, *p_nhoff + offset,
569 data, *p_hlen, &_keyid);
571 return FLOW_DISSECT_RET_OUT_BAD;
573 if (dissector_uses_key(flow_dissector,
574 FLOW_DISSECTOR_KEY_GRE_KEYID)) {
575 key_keyid = skb_flow_dissector_target(flow_dissector,
576 FLOW_DISSECTOR_KEY_GRE_KEYID,
579 key_keyid->keyid = *keyid;
581 key_keyid->keyid = *keyid & GRE_PPTP_KEY_MASK;
583 offset += sizeof_field(struct gre_full_hdr, key);
586 if (hdr->flags & GRE_SEQ)
587 offset += sizeof_field(struct pptp_gre_header, seq);
590 if (*p_proto == htons(ETH_P_TEB)) {
591 const struct ethhdr *eth;
594 eth = __skb_header_pointer(skb, *p_nhoff + offset,
596 data, *p_hlen, &_eth);
598 return FLOW_DISSECT_RET_OUT_BAD;
599 *p_proto = eth->h_proto;
600 offset += sizeof(*eth);
602 /* Cap headers that we access via pointers at the
603 * end of the Ethernet header as our maximum alignment
604 * at that point is only 2 bytes.
607 *p_hlen = *p_nhoff + offset;
609 } else { /* version 1, must be PPTP */
610 u8 _ppp_hdr[PPP_HDRLEN];
613 if (hdr->flags & GRE_ACK)
614 offset += sizeof_field(struct pptp_gre_header, ack);
616 ppp_hdr = __skb_header_pointer(skb, *p_nhoff + offset,
618 data, *p_hlen, _ppp_hdr);
620 return FLOW_DISSECT_RET_OUT_BAD;
622 switch (PPP_PROTOCOL(ppp_hdr)) {
624 *p_proto = htons(ETH_P_IP);
627 *p_proto = htons(ETH_P_IPV6);
630 /* Could probably catch some more like MPLS */
634 offset += PPP_HDRLEN;
638 key_control->flags |= FLOW_DIS_ENCAPSULATION;
639 if (flags & FLOW_DISSECTOR_F_STOP_AT_ENCAP)
640 return FLOW_DISSECT_RET_OUT_GOOD;
642 return FLOW_DISSECT_RET_PROTO_AGAIN;
646 * __skb_flow_dissect_batadv() - dissect batman-adv header
647 * @skb: sk_buff to with the batman-adv header
648 * @key_control: flow dissectors control key
649 * @data: raw buffer pointer to the packet, if NULL use skb->data
650 * @p_proto: pointer used to update the protocol to process next
651 * @p_nhoff: pointer used to update inner network header offset
652 * @hlen: packet header length
653 * @flags: any combination of FLOW_DISSECTOR_F_*
655 * ETH_P_BATMAN packets are tried to be dissected. Only
656 * &struct batadv_unicast packets are actually processed because they contain an
657 * inner ethernet header and are usually followed by actual network header. This
658 * allows the flow dissector to continue processing the packet.
660 * Return: FLOW_DISSECT_RET_PROTO_AGAIN when &struct batadv_unicast was found,
661 * FLOW_DISSECT_RET_OUT_GOOD when dissector should stop after encapsulation,
662 * otherwise FLOW_DISSECT_RET_OUT_BAD
664 static enum flow_dissect_ret
665 __skb_flow_dissect_batadv(const struct sk_buff *skb,
666 struct flow_dissector_key_control *key_control,
667 const void *data, __be16 *p_proto, int *p_nhoff,
668 int hlen, unsigned int flags)
671 struct batadv_unicast_packet batadv_unicast;
675 hdr = __skb_header_pointer(skb, *p_nhoff, sizeof(_hdr), data, hlen,
678 return FLOW_DISSECT_RET_OUT_BAD;
680 if (hdr->batadv_unicast.version != BATADV_COMPAT_VERSION)
681 return FLOW_DISSECT_RET_OUT_BAD;
683 if (hdr->batadv_unicast.packet_type != BATADV_UNICAST)
684 return FLOW_DISSECT_RET_OUT_BAD;
686 *p_proto = hdr->eth.h_proto;
687 *p_nhoff += sizeof(*hdr);
689 key_control->flags |= FLOW_DIS_ENCAPSULATION;
690 if (flags & FLOW_DISSECTOR_F_STOP_AT_ENCAP)
691 return FLOW_DISSECT_RET_OUT_GOOD;
693 return FLOW_DISSECT_RET_PROTO_AGAIN;
697 __skb_flow_dissect_tcp(const struct sk_buff *skb,
698 struct flow_dissector *flow_dissector,
699 void *target_container, const void *data,
702 struct flow_dissector_key_tcp *key_tcp;
703 struct tcphdr *th, _th;
705 if (!dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_TCP))
708 th = __skb_header_pointer(skb, thoff, sizeof(_th), data, hlen, &_th);
712 if (unlikely(__tcp_hdrlen(th) < sizeof(_th)))
715 key_tcp = skb_flow_dissector_target(flow_dissector,
716 FLOW_DISSECTOR_KEY_TCP,
718 key_tcp->flags = (*(__be16 *) &tcp_flag_word(th) & htons(0x0FFF));
722 __skb_flow_dissect_ports(const struct sk_buff *skb,
723 struct flow_dissector *flow_dissector,
724 void *target_container, const void *data,
725 int nhoff, u8 ip_proto, int hlen)
727 enum flow_dissector_key_id dissector_ports = FLOW_DISSECTOR_KEY_MAX;
728 struct flow_dissector_key_ports *key_ports;
730 if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_PORTS))
731 dissector_ports = FLOW_DISSECTOR_KEY_PORTS;
732 else if (dissector_uses_key(flow_dissector,
733 FLOW_DISSECTOR_KEY_PORTS_RANGE))
734 dissector_ports = FLOW_DISSECTOR_KEY_PORTS_RANGE;
736 if (dissector_ports == FLOW_DISSECTOR_KEY_MAX)
739 key_ports = skb_flow_dissector_target(flow_dissector,
742 key_ports->ports = __skb_flow_get_ports(skb, nhoff, ip_proto,
747 __skb_flow_dissect_ipv4(const struct sk_buff *skb,
748 struct flow_dissector *flow_dissector,
749 void *target_container, const void *data,
750 const struct iphdr *iph)
752 struct flow_dissector_key_ip *key_ip;
754 if (!dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_IP))
757 key_ip = skb_flow_dissector_target(flow_dissector,
758 FLOW_DISSECTOR_KEY_IP,
760 key_ip->tos = iph->tos;
761 key_ip->ttl = iph->ttl;
765 __skb_flow_dissect_ipv6(const struct sk_buff *skb,
766 struct flow_dissector *flow_dissector,
767 void *target_container, const void *data,
768 const struct ipv6hdr *iph)
770 struct flow_dissector_key_ip *key_ip;
772 if (!dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_IP))
775 key_ip = skb_flow_dissector_target(flow_dissector,
776 FLOW_DISSECTOR_KEY_IP,
778 key_ip->tos = ipv6_get_dsfield(iph);
779 key_ip->ttl = iph->hop_limit;
782 /* Maximum number of protocol headers that can be parsed in
785 #define MAX_FLOW_DISSECT_HDRS 15
787 static bool skb_flow_dissect_allowed(int *num_hdrs)
791 return (*num_hdrs <= MAX_FLOW_DISSECT_HDRS);
794 static void __skb_flow_bpf_to_target(const struct bpf_flow_keys *flow_keys,
795 struct flow_dissector *flow_dissector,
796 void *target_container)
798 struct flow_dissector_key_ports *key_ports = NULL;
799 struct flow_dissector_key_control *key_control;
800 struct flow_dissector_key_basic *key_basic;
801 struct flow_dissector_key_addrs *key_addrs;
802 struct flow_dissector_key_tags *key_tags;
804 key_control = skb_flow_dissector_target(flow_dissector,
805 FLOW_DISSECTOR_KEY_CONTROL,
807 key_control->thoff = flow_keys->thoff;
808 if (flow_keys->is_frag)
809 key_control->flags |= FLOW_DIS_IS_FRAGMENT;
810 if (flow_keys->is_first_frag)
811 key_control->flags |= FLOW_DIS_FIRST_FRAG;
812 if (flow_keys->is_encap)
813 key_control->flags |= FLOW_DIS_ENCAPSULATION;
815 key_basic = skb_flow_dissector_target(flow_dissector,
816 FLOW_DISSECTOR_KEY_BASIC,
818 key_basic->n_proto = flow_keys->n_proto;
819 key_basic->ip_proto = flow_keys->ip_proto;
821 if (flow_keys->addr_proto == ETH_P_IP &&
822 dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_IPV4_ADDRS)) {
823 key_addrs = skb_flow_dissector_target(flow_dissector,
824 FLOW_DISSECTOR_KEY_IPV4_ADDRS,
826 key_addrs->v4addrs.src = flow_keys->ipv4_src;
827 key_addrs->v4addrs.dst = flow_keys->ipv4_dst;
828 key_control->addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS;
829 } else if (flow_keys->addr_proto == ETH_P_IPV6 &&
830 dissector_uses_key(flow_dissector,
831 FLOW_DISSECTOR_KEY_IPV6_ADDRS)) {
832 key_addrs = skb_flow_dissector_target(flow_dissector,
833 FLOW_DISSECTOR_KEY_IPV6_ADDRS,
835 memcpy(&key_addrs->v6addrs.src, &flow_keys->ipv6_src,
836 sizeof(key_addrs->v6addrs.src));
837 memcpy(&key_addrs->v6addrs.dst, &flow_keys->ipv6_dst,
838 sizeof(key_addrs->v6addrs.dst));
839 key_control->addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS;
842 if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_PORTS))
843 key_ports = skb_flow_dissector_target(flow_dissector,
844 FLOW_DISSECTOR_KEY_PORTS,
846 else if (dissector_uses_key(flow_dissector,
847 FLOW_DISSECTOR_KEY_PORTS_RANGE))
848 key_ports = skb_flow_dissector_target(flow_dissector,
849 FLOW_DISSECTOR_KEY_PORTS_RANGE,
853 key_ports->src = flow_keys->sport;
854 key_ports->dst = flow_keys->dport;
857 if (dissector_uses_key(flow_dissector,
858 FLOW_DISSECTOR_KEY_FLOW_LABEL)) {
859 key_tags = skb_flow_dissector_target(flow_dissector,
860 FLOW_DISSECTOR_KEY_FLOW_LABEL,
862 key_tags->flow_label = ntohl(flow_keys->flow_label);
866 bool bpf_flow_dissect(struct bpf_prog *prog, struct bpf_flow_dissector *ctx,
867 __be16 proto, int nhoff, int hlen, unsigned int flags)
869 struct bpf_flow_keys *flow_keys = ctx->flow_keys;
872 /* Pass parameters to the BPF program */
873 memset(flow_keys, 0, sizeof(*flow_keys));
874 flow_keys->n_proto = proto;
875 flow_keys->nhoff = nhoff;
876 flow_keys->thoff = flow_keys->nhoff;
878 BUILD_BUG_ON((int)BPF_FLOW_DISSECTOR_F_PARSE_1ST_FRAG !=
879 (int)FLOW_DISSECTOR_F_PARSE_1ST_FRAG);
880 BUILD_BUG_ON((int)BPF_FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL !=
881 (int)FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL);
882 BUILD_BUG_ON((int)BPF_FLOW_DISSECTOR_F_STOP_AT_ENCAP !=
883 (int)FLOW_DISSECTOR_F_STOP_AT_ENCAP);
884 flow_keys->flags = flags;
886 result = bpf_prog_run_pin_on_cpu(prog, ctx);
888 flow_keys->nhoff = clamp_t(u16, flow_keys->nhoff, nhoff, hlen);
889 flow_keys->thoff = clamp_t(u16, flow_keys->thoff,
890 flow_keys->nhoff, hlen);
892 return result == BPF_OK;
896 * __skb_flow_dissect - extract the flow_keys struct and return it
897 * @net: associated network namespace, derived from @skb if NULL
898 * @skb: sk_buff to extract the flow from, can be NULL if the rest are specified
899 * @flow_dissector: list of keys to dissect
900 * @target_container: target structure to put dissected values into
901 * @data: raw buffer pointer to the packet, if NULL use skb->data
902 * @proto: protocol for which to get the flow, if @data is NULL use skb->protocol
903 * @nhoff: network header offset, if @data is NULL use skb_network_offset(skb)
904 * @hlen: packet header length, if @data is NULL use skb_headlen(skb)
905 * @flags: flags that control the dissection process, e.g.
906 * FLOW_DISSECTOR_F_STOP_AT_ENCAP.
908 * The function will try to retrieve individual keys into target specified
909 * by flow_dissector from either the skbuff or a raw buffer specified by the
912 * Caller must take care of zeroing target container memory.
914 bool __skb_flow_dissect(const struct net *net,
915 const struct sk_buff *skb,
916 struct flow_dissector *flow_dissector,
917 void *target_container, const void *data,
918 __be16 proto, int nhoff, int hlen, unsigned int flags)
920 struct flow_dissector_key_control *key_control;
921 struct flow_dissector_key_basic *key_basic;
922 struct flow_dissector_key_addrs *key_addrs;
923 struct flow_dissector_key_tags *key_tags;
924 struct flow_dissector_key_vlan *key_vlan;
925 enum flow_dissect_ret fdret;
926 enum flow_dissector_key_id dissector_vlan = FLOW_DISSECTOR_KEY_MAX;
927 bool mpls_el = false;
935 proto = skb_vlan_tag_present(skb) ?
936 skb->vlan_proto : skb->protocol;
937 nhoff = skb_network_offset(skb);
938 hlen = skb_headlen(skb);
939 #if IS_ENABLED(CONFIG_NET_DSA)
940 if (unlikely(skb->dev && netdev_uses_dsa(skb->dev) &&
941 proto == htons(ETH_P_XDSA))) {
942 const struct dsa_device_ops *ops;
945 ops = skb->dev->dsa_ptr->tag_ops;
946 /* Only DSA header taggers break flow dissection */
947 if (ops->needed_headroom) {
948 if (ops->flow_dissect)
949 ops->flow_dissect(skb, &proto, &offset);
951 dsa_tag_generic_flow_dissect(skb,
961 /* It is ensured by skb_flow_dissector_init() that control key will
964 key_control = skb_flow_dissector_target(flow_dissector,
965 FLOW_DISSECTOR_KEY_CONTROL,
968 /* It is ensured by skb_flow_dissector_init() that basic key will
971 key_basic = skb_flow_dissector_target(flow_dissector,
972 FLOW_DISSECTOR_KEY_BASIC,
978 net = dev_net(skb->dev);
980 net = sock_net(skb->sk);
986 enum netns_bpf_attach_type type = NETNS_BPF_FLOW_DISSECTOR;
987 struct bpf_prog_array *run_array;
990 run_array = rcu_dereference(init_net.bpf.run_array[type]);
992 run_array = rcu_dereference(net->bpf.run_array[type]);
995 struct bpf_flow_keys flow_keys;
996 struct bpf_flow_dissector ctx = {
997 .flow_keys = &flow_keys,
999 .data_end = data + hlen,
1001 __be16 n_proto = proto;
1002 struct bpf_prog *prog;
1006 /* we can't use 'proto' in the skb case
1007 * because it might be set to skb->vlan_proto
1008 * which has been pulled from the data
1010 n_proto = skb->protocol;
1013 prog = READ_ONCE(run_array->items[0].prog);
1014 ret = bpf_flow_dissect(prog, &ctx, n_proto, nhoff,
1016 __skb_flow_bpf_to_target(&flow_keys, flow_dissector,
1024 if (dissector_uses_key(flow_dissector,
1025 FLOW_DISSECTOR_KEY_ETH_ADDRS)) {
1026 struct ethhdr *eth = eth_hdr(skb);
1027 struct flow_dissector_key_eth_addrs *key_eth_addrs;
1029 key_eth_addrs = skb_flow_dissector_target(flow_dissector,
1030 FLOW_DISSECTOR_KEY_ETH_ADDRS,
1032 memcpy(key_eth_addrs, ð->h_dest, sizeof(*key_eth_addrs));
1036 fdret = FLOW_DISSECT_RET_CONTINUE;
1039 case htons(ETH_P_IP): {
1040 const struct iphdr *iph;
1043 iph = __skb_header_pointer(skb, nhoff, sizeof(_iph), data, hlen, &_iph);
1044 if (!iph || iph->ihl < 5) {
1045 fdret = FLOW_DISSECT_RET_OUT_BAD;
1049 nhoff += iph->ihl * 4;
1051 ip_proto = iph->protocol;
1053 if (dissector_uses_key(flow_dissector,
1054 FLOW_DISSECTOR_KEY_IPV4_ADDRS)) {
1055 key_addrs = skb_flow_dissector_target(flow_dissector,
1056 FLOW_DISSECTOR_KEY_IPV4_ADDRS,
1059 memcpy(&key_addrs->v4addrs.src, &iph->saddr,
1060 sizeof(key_addrs->v4addrs.src));
1061 memcpy(&key_addrs->v4addrs.dst, &iph->daddr,
1062 sizeof(key_addrs->v4addrs.dst));
1063 key_control->addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS;
1066 __skb_flow_dissect_ipv4(skb, flow_dissector,
1067 target_container, data, iph);
1069 if (ip_is_fragment(iph)) {
1070 key_control->flags |= FLOW_DIS_IS_FRAGMENT;
1072 if (iph->frag_off & htons(IP_OFFSET)) {
1073 fdret = FLOW_DISSECT_RET_OUT_GOOD;
1076 key_control->flags |= FLOW_DIS_FIRST_FRAG;
1078 FLOW_DISSECTOR_F_PARSE_1ST_FRAG)) {
1079 fdret = FLOW_DISSECT_RET_OUT_GOOD;
1087 case htons(ETH_P_IPV6): {
1088 const struct ipv6hdr *iph;
1089 struct ipv6hdr _iph;
1091 iph = __skb_header_pointer(skb, nhoff, sizeof(_iph), data, hlen, &_iph);
1093 fdret = FLOW_DISSECT_RET_OUT_BAD;
1097 ip_proto = iph->nexthdr;
1098 nhoff += sizeof(struct ipv6hdr);
1100 if (dissector_uses_key(flow_dissector,
1101 FLOW_DISSECTOR_KEY_IPV6_ADDRS)) {
1102 key_addrs = skb_flow_dissector_target(flow_dissector,
1103 FLOW_DISSECTOR_KEY_IPV6_ADDRS,
1106 memcpy(&key_addrs->v6addrs.src, &iph->saddr,
1107 sizeof(key_addrs->v6addrs.src));
1108 memcpy(&key_addrs->v6addrs.dst, &iph->daddr,
1109 sizeof(key_addrs->v6addrs.dst));
1110 key_control->addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS;
1113 if ((dissector_uses_key(flow_dissector,
1114 FLOW_DISSECTOR_KEY_FLOW_LABEL) ||
1115 (flags & FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL)) &&
1116 ip6_flowlabel(iph)) {
1117 __be32 flow_label = ip6_flowlabel(iph);
1119 if (dissector_uses_key(flow_dissector,
1120 FLOW_DISSECTOR_KEY_FLOW_LABEL)) {
1121 key_tags = skb_flow_dissector_target(flow_dissector,
1122 FLOW_DISSECTOR_KEY_FLOW_LABEL,
1124 key_tags->flow_label = ntohl(flow_label);
1126 if (flags & FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL) {
1127 fdret = FLOW_DISSECT_RET_OUT_GOOD;
1132 __skb_flow_dissect_ipv6(skb, flow_dissector,
1133 target_container, data, iph);
1137 case htons(ETH_P_8021AD):
1138 case htons(ETH_P_8021Q): {
1139 const struct vlan_hdr *vlan = NULL;
1140 struct vlan_hdr _vlan;
1141 __be16 saved_vlan_tpid = proto;
1143 if (dissector_vlan == FLOW_DISSECTOR_KEY_MAX &&
1144 skb && skb_vlan_tag_present(skb)) {
1145 proto = skb->protocol;
1147 vlan = __skb_header_pointer(skb, nhoff, sizeof(_vlan),
1148 data, hlen, &_vlan);
1150 fdret = FLOW_DISSECT_RET_OUT_BAD;
1154 proto = vlan->h_vlan_encapsulated_proto;
1155 nhoff += sizeof(*vlan);
1158 if (dissector_vlan == FLOW_DISSECTOR_KEY_MAX) {
1159 dissector_vlan = FLOW_DISSECTOR_KEY_VLAN;
1160 } else if (dissector_vlan == FLOW_DISSECTOR_KEY_VLAN) {
1161 dissector_vlan = FLOW_DISSECTOR_KEY_CVLAN;
1163 fdret = FLOW_DISSECT_RET_PROTO_AGAIN;
1167 if (dissector_uses_key(flow_dissector, dissector_vlan)) {
1168 key_vlan = skb_flow_dissector_target(flow_dissector,
1173 key_vlan->vlan_id = skb_vlan_tag_get_id(skb);
1174 key_vlan->vlan_priority = skb_vlan_tag_get_prio(skb);
1176 key_vlan->vlan_id = ntohs(vlan->h_vlan_TCI) &
1178 key_vlan->vlan_priority =
1179 (ntohs(vlan->h_vlan_TCI) &
1180 VLAN_PRIO_MASK) >> VLAN_PRIO_SHIFT;
1182 key_vlan->vlan_tpid = saved_vlan_tpid;
1185 fdret = FLOW_DISSECT_RET_PROTO_AGAIN;
1188 case htons(ETH_P_PPP_SES): {
1190 struct pppoe_hdr hdr;
1193 hdr = __skb_header_pointer(skb, nhoff, sizeof(_hdr), data, hlen, &_hdr);
1195 fdret = FLOW_DISSECT_RET_OUT_BAD;
1200 nhoff += PPPOE_SES_HLEN;
1203 proto = htons(ETH_P_IP);
1204 fdret = FLOW_DISSECT_RET_PROTO_AGAIN;
1206 case htons(PPP_IPV6):
1207 proto = htons(ETH_P_IPV6);
1208 fdret = FLOW_DISSECT_RET_PROTO_AGAIN;
1211 fdret = FLOW_DISSECT_RET_OUT_BAD;
1216 case htons(ETH_P_TIPC): {
1217 struct tipc_basic_hdr *hdr, _hdr;
1219 hdr = __skb_header_pointer(skb, nhoff, sizeof(_hdr),
1222 fdret = FLOW_DISSECT_RET_OUT_BAD;
1226 if (dissector_uses_key(flow_dissector,
1227 FLOW_DISSECTOR_KEY_TIPC)) {
1228 key_addrs = skb_flow_dissector_target(flow_dissector,
1229 FLOW_DISSECTOR_KEY_TIPC,
1231 key_addrs->tipckey.key = tipc_hdr_rps_key(hdr);
1232 key_control->addr_type = FLOW_DISSECTOR_KEY_TIPC;
1234 fdret = FLOW_DISSECT_RET_OUT_GOOD;
1238 case htons(ETH_P_MPLS_UC):
1239 case htons(ETH_P_MPLS_MC):
1240 fdret = __skb_flow_dissect_mpls(skb, flow_dissector,
1241 target_container, data,
1242 nhoff, hlen, mpls_lse,
1244 nhoff += sizeof(struct mpls_label);
1247 case htons(ETH_P_FCOE):
1248 if ((hlen - nhoff) < FCOE_HEADER_LEN) {
1249 fdret = FLOW_DISSECT_RET_OUT_BAD;
1253 nhoff += FCOE_HEADER_LEN;
1254 fdret = FLOW_DISSECT_RET_OUT_GOOD;
1257 case htons(ETH_P_ARP):
1258 case htons(ETH_P_RARP):
1259 fdret = __skb_flow_dissect_arp(skb, flow_dissector,
1260 target_container, data,
1264 case htons(ETH_P_BATMAN):
1265 fdret = __skb_flow_dissect_batadv(skb, key_control, data,
1266 &proto, &nhoff, hlen, flags);
1269 case htons(ETH_P_1588): {
1270 struct ptp_header *hdr, _hdr;
1272 hdr = __skb_header_pointer(skb, nhoff, sizeof(_hdr), data,
1275 fdret = FLOW_DISSECT_RET_OUT_BAD;
1279 nhoff += ntohs(hdr->message_length);
1280 fdret = FLOW_DISSECT_RET_OUT_GOOD;
1285 fdret = FLOW_DISSECT_RET_OUT_BAD;
1289 /* Process result of proto processing */
1291 case FLOW_DISSECT_RET_OUT_GOOD:
1293 case FLOW_DISSECT_RET_PROTO_AGAIN:
1294 if (skb_flow_dissect_allowed(&num_hdrs))
1297 case FLOW_DISSECT_RET_CONTINUE:
1298 case FLOW_DISSECT_RET_IPPROTO_AGAIN:
1300 case FLOW_DISSECT_RET_OUT_BAD:
1306 fdret = FLOW_DISSECT_RET_CONTINUE;
1310 fdret = __skb_flow_dissect_gre(skb, key_control, flow_dissector,
1311 target_container, data,
1312 &proto, &nhoff, &hlen, flags);
1316 case NEXTHDR_ROUTING:
1317 case NEXTHDR_DEST: {
1318 u8 _opthdr[2], *opthdr;
1320 if (proto != htons(ETH_P_IPV6))
1323 opthdr = __skb_header_pointer(skb, nhoff, sizeof(_opthdr),
1324 data, hlen, &_opthdr);
1326 fdret = FLOW_DISSECT_RET_OUT_BAD;
1330 ip_proto = opthdr[0];
1331 nhoff += (opthdr[1] + 1) << 3;
1333 fdret = FLOW_DISSECT_RET_IPPROTO_AGAIN;
1336 case NEXTHDR_FRAGMENT: {
1337 struct frag_hdr _fh, *fh;
1339 if (proto != htons(ETH_P_IPV6))
1342 fh = __skb_header_pointer(skb, nhoff, sizeof(_fh),
1346 fdret = FLOW_DISSECT_RET_OUT_BAD;
1350 key_control->flags |= FLOW_DIS_IS_FRAGMENT;
1352 nhoff += sizeof(_fh);
1353 ip_proto = fh->nexthdr;
1355 if (!(fh->frag_off & htons(IP6_OFFSET))) {
1356 key_control->flags |= FLOW_DIS_FIRST_FRAG;
1357 if (flags & FLOW_DISSECTOR_F_PARSE_1ST_FRAG) {
1358 fdret = FLOW_DISSECT_RET_IPPROTO_AGAIN;
1363 fdret = FLOW_DISSECT_RET_OUT_GOOD;
1367 proto = htons(ETH_P_IP);
1369 key_control->flags |= FLOW_DIS_ENCAPSULATION;
1370 if (flags & FLOW_DISSECTOR_F_STOP_AT_ENCAP) {
1371 fdret = FLOW_DISSECT_RET_OUT_GOOD;
1375 fdret = FLOW_DISSECT_RET_PROTO_AGAIN;
1379 proto = htons(ETH_P_IPV6);
1381 key_control->flags |= FLOW_DIS_ENCAPSULATION;
1382 if (flags & FLOW_DISSECTOR_F_STOP_AT_ENCAP) {
1383 fdret = FLOW_DISSECT_RET_OUT_GOOD;
1387 fdret = FLOW_DISSECT_RET_PROTO_AGAIN;
1392 proto = htons(ETH_P_MPLS_UC);
1393 fdret = FLOW_DISSECT_RET_PROTO_AGAIN;
1397 __skb_flow_dissect_tcp(skb, flow_dissector, target_container,
1402 case IPPROTO_ICMPV6:
1403 __skb_flow_dissect_icmp(skb, flow_dissector, target_container,
1411 if (!(key_control->flags & FLOW_DIS_IS_FRAGMENT))
1412 __skb_flow_dissect_ports(skb, flow_dissector, target_container,
1413 data, nhoff, ip_proto, hlen);
1415 /* Process result of IP proto processing */
1417 case FLOW_DISSECT_RET_PROTO_AGAIN:
1418 if (skb_flow_dissect_allowed(&num_hdrs))
1421 case FLOW_DISSECT_RET_IPPROTO_AGAIN:
1422 if (skb_flow_dissect_allowed(&num_hdrs))
1423 goto ip_proto_again;
1425 case FLOW_DISSECT_RET_OUT_GOOD:
1426 case FLOW_DISSECT_RET_CONTINUE:
1428 case FLOW_DISSECT_RET_OUT_BAD:
1437 key_control->thoff = min_t(u16, nhoff, skb ? skb->len : hlen);
1438 key_basic->n_proto = proto;
1439 key_basic->ip_proto = ip_proto;
1447 EXPORT_SYMBOL(__skb_flow_dissect);
1449 static siphash_key_t hashrnd __read_mostly;
1450 static __always_inline void __flow_hash_secret_init(void)
1452 net_get_random_once(&hashrnd, sizeof(hashrnd));
1455 static const void *flow_keys_hash_start(const struct flow_keys *flow)
1457 BUILD_BUG_ON(FLOW_KEYS_HASH_OFFSET % SIPHASH_ALIGNMENT);
1458 return &flow->FLOW_KEYS_HASH_START_FIELD;
1461 static inline size_t flow_keys_hash_length(const struct flow_keys *flow)
1463 size_t diff = FLOW_KEYS_HASH_OFFSET + sizeof(flow->addrs);
1465 BUILD_BUG_ON((sizeof(*flow) - FLOW_KEYS_HASH_OFFSET) % sizeof(u32));
1467 switch (flow->control.addr_type) {
1468 case FLOW_DISSECTOR_KEY_IPV4_ADDRS:
1469 diff -= sizeof(flow->addrs.v4addrs);
1471 case FLOW_DISSECTOR_KEY_IPV6_ADDRS:
1472 diff -= sizeof(flow->addrs.v6addrs);
1474 case FLOW_DISSECTOR_KEY_TIPC:
1475 diff -= sizeof(flow->addrs.tipckey);
1478 return sizeof(*flow) - diff;
1481 __be32 flow_get_u32_src(const struct flow_keys *flow)
1483 switch (flow->control.addr_type) {
1484 case FLOW_DISSECTOR_KEY_IPV4_ADDRS:
1485 return flow->addrs.v4addrs.src;
1486 case FLOW_DISSECTOR_KEY_IPV6_ADDRS:
1487 return (__force __be32)ipv6_addr_hash(
1488 &flow->addrs.v6addrs.src);
1489 case FLOW_DISSECTOR_KEY_TIPC:
1490 return flow->addrs.tipckey.key;
1495 EXPORT_SYMBOL(flow_get_u32_src);
1497 __be32 flow_get_u32_dst(const struct flow_keys *flow)
1499 switch (flow->control.addr_type) {
1500 case FLOW_DISSECTOR_KEY_IPV4_ADDRS:
1501 return flow->addrs.v4addrs.dst;
1502 case FLOW_DISSECTOR_KEY_IPV6_ADDRS:
1503 return (__force __be32)ipv6_addr_hash(
1504 &flow->addrs.v6addrs.dst);
1509 EXPORT_SYMBOL(flow_get_u32_dst);
1511 /* Sort the source and destination IP and the ports,
1512 * to have consistent hash within the two directions
1514 static inline void __flow_hash_consistentify(struct flow_keys *keys)
1518 switch (keys->control.addr_type) {
1519 case FLOW_DISSECTOR_KEY_IPV4_ADDRS:
1520 addr_diff = (__force u32)keys->addrs.v4addrs.dst -
1521 (__force u32)keys->addrs.v4addrs.src;
1523 swap(keys->addrs.v4addrs.src, keys->addrs.v4addrs.dst);
1525 if ((__force u16)keys->ports.dst <
1526 (__force u16)keys->ports.src) {
1527 swap(keys->ports.src, keys->ports.dst);
1530 case FLOW_DISSECTOR_KEY_IPV6_ADDRS:
1531 addr_diff = memcmp(&keys->addrs.v6addrs.dst,
1532 &keys->addrs.v6addrs.src,
1533 sizeof(keys->addrs.v6addrs.dst));
1534 if (addr_diff < 0) {
1535 for (i = 0; i < 4; i++)
1536 swap(keys->addrs.v6addrs.src.s6_addr32[i],
1537 keys->addrs.v6addrs.dst.s6_addr32[i]);
1539 if ((__force u16)keys->ports.dst <
1540 (__force u16)keys->ports.src) {
1541 swap(keys->ports.src, keys->ports.dst);
1547 static inline u32 __flow_hash_from_keys(struct flow_keys *keys,
1548 const siphash_key_t *keyval)
1552 __flow_hash_consistentify(keys);
1554 hash = siphash(flow_keys_hash_start(keys),
1555 flow_keys_hash_length(keys), keyval);
1562 u32 flow_hash_from_keys(struct flow_keys *keys)
1564 __flow_hash_secret_init();
1565 return __flow_hash_from_keys(keys, &hashrnd);
1567 EXPORT_SYMBOL(flow_hash_from_keys);
1569 static inline u32 ___skb_get_hash(const struct sk_buff *skb,
1570 struct flow_keys *keys,
1571 const siphash_key_t *keyval)
1573 skb_flow_dissect_flow_keys(skb, keys,
1574 FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL);
1576 return __flow_hash_from_keys(keys, keyval);
1579 struct _flow_keys_digest_data {
1588 void make_flow_keys_digest(struct flow_keys_digest *digest,
1589 const struct flow_keys *flow)
1591 struct _flow_keys_digest_data *data =
1592 (struct _flow_keys_digest_data *)digest;
1594 BUILD_BUG_ON(sizeof(*data) > sizeof(*digest));
1596 memset(digest, 0, sizeof(*digest));
1598 data->n_proto = flow->basic.n_proto;
1599 data->ip_proto = flow->basic.ip_proto;
1600 data->ports = flow->ports.ports;
1601 data->src = flow->addrs.v4addrs.src;
1602 data->dst = flow->addrs.v4addrs.dst;
1604 EXPORT_SYMBOL(make_flow_keys_digest);
1606 static struct flow_dissector flow_keys_dissector_symmetric __read_mostly;
1608 u32 __skb_get_hash_symmetric(const struct sk_buff *skb)
1610 struct flow_keys keys;
1612 __flow_hash_secret_init();
1614 memset(&keys, 0, sizeof(keys));
1615 __skb_flow_dissect(NULL, skb, &flow_keys_dissector_symmetric,
1616 &keys, NULL, 0, 0, 0,
1617 FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL);
1619 return __flow_hash_from_keys(&keys, &hashrnd);
1621 EXPORT_SYMBOL_GPL(__skb_get_hash_symmetric);
1624 * __skb_get_hash: calculate a flow hash
1625 * @skb: sk_buff to calculate flow hash from
1627 * This function calculates a flow hash based on src/dst addresses
1628 * and src/dst port numbers. Sets hash in skb to non-zero hash value
1629 * on success, zero indicates no valid hash. Also, sets l4_hash in skb
1630 * if hash is a canonical 4-tuple hash over transport ports.
1632 void __skb_get_hash(struct sk_buff *skb)
1634 struct flow_keys keys;
1637 __flow_hash_secret_init();
1639 hash = ___skb_get_hash(skb, &keys, &hashrnd);
1641 __skb_set_sw_hash(skb, hash, flow_keys_have_l4(&keys));
1643 EXPORT_SYMBOL(__skb_get_hash);
1645 __u32 skb_get_hash_perturb(const struct sk_buff *skb,
1646 const siphash_key_t *perturb)
1648 struct flow_keys keys;
1650 return ___skb_get_hash(skb, &keys, perturb);
1652 EXPORT_SYMBOL(skb_get_hash_perturb);
1654 u32 __skb_get_poff(const struct sk_buff *skb, const void *data,
1655 const struct flow_keys_basic *keys, int hlen)
1657 u32 poff = keys->control.thoff;
1659 /* skip L4 headers for fragments after the first */
1660 if ((keys->control.flags & FLOW_DIS_IS_FRAGMENT) &&
1661 !(keys->control.flags & FLOW_DIS_FIRST_FRAG))
1664 switch (keys->basic.ip_proto) {
1666 /* access doff as u8 to avoid unaligned access */
1670 doff = __skb_header_pointer(skb, poff + 12, sizeof(_doff),
1671 data, hlen, &_doff);
1675 poff += max_t(u32, sizeof(struct tcphdr), (*doff & 0xF0) >> 2);
1679 case IPPROTO_UDPLITE:
1680 poff += sizeof(struct udphdr);
1682 /* For the rest, we do not really care about header
1683 * extensions at this point for now.
1686 poff += sizeof(struct icmphdr);
1688 case IPPROTO_ICMPV6:
1689 poff += sizeof(struct icmp6hdr);
1692 poff += sizeof(struct igmphdr);
1695 poff += sizeof(struct dccp_hdr);
1698 poff += sizeof(struct sctphdr);
1706 * skb_get_poff - get the offset to the payload
1707 * @skb: sk_buff to get the payload offset from
1709 * The function will get the offset to the payload as far as it could
1710 * be dissected. The main user is currently BPF, so that we can dynamically
1711 * truncate packets without needing to push actual payload to the user
1712 * space and can analyze headers only, instead.
1714 u32 skb_get_poff(const struct sk_buff *skb)
1716 struct flow_keys_basic keys;
1718 if (!skb_flow_dissect_flow_keys_basic(NULL, skb, &keys,
1722 return __skb_get_poff(skb, skb->data, &keys, skb_headlen(skb));
1725 __u32 __get_hash_from_flowi6(const struct flowi6 *fl6, struct flow_keys *keys)
1727 memset(keys, 0, sizeof(*keys));
1729 memcpy(&keys->addrs.v6addrs.src, &fl6->saddr,
1730 sizeof(keys->addrs.v6addrs.src));
1731 memcpy(&keys->addrs.v6addrs.dst, &fl6->daddr,
1732 sizeof(keys->addrs.v6addrs.dst));
1733 keys->control.addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS;
1734 keys->ports.src = fl6->fl6_sport;
1735 keys->ports.dst = fl6->fl6_dport;
1736 keys->keyid.keyid = fl6->fl6_gre_key;
1737 keys->tags.flow_label = (__force u32)flowi6_get_flowlabel(fl6);
1738 keys->basic.ip_proto = fl6->flowi6_proto;
1740 return flow_hash_from_keys(keys);
1742 EXPORT_SYMBOL(__get_hash_from_flowi6);
1744 static const struct flow_dissector_key flow_keys_dissector_keys[] = {
1746 .key_id = FLOW_DISSECTOR_KEY_CONTROL,
1747 .offset = offsetof(struct flow_keys, control),
1750 .key_id = FLOW_DISSECTOR_KEY_BASIC,
1751 .offset = offsetof(struct flow_keys, basic),
1754 .key_id = FLOW_DISSECTOR_KEY_IPV4_ADDRS,
1755 .offset = offsetof(struct flow_keys, addrs.v4addrs),
1758 .key_id = FLOW_DISSECTOR_KEY_IPV6_ADDRS,
1759 .offset = offsetof(struct flow_keys, addrs.v6addrs),
1762 .key_id = FLOW_DISSECTOR_KEY_TIPC,
1763 .offset = offsetof(struct flow_keys, addrs.tipckey),
1766 .key_id = FLOW_DISSECTOR_KEY_PORTS,
1767 .offset = offsetof(struct flow_keys, ports),
1770 .key_id = FLOW_DISSECTOR_KEY_VLAN,
1771 .offset = offsetof(struct flow_keys, vlan),
1774 .key_id = FLOW_DISSECTOR_KEY_FLOW_LABEL,
1775 .offset = offsetof(struct flow_keys, tags),
1778 .key_id = FLOW_DISSECTOR_KEY_GRE_KEYID,
1779 .offset = offsetof(struct flow_keys, keyid),
1783 static const struct flow_dissector_key flow_keys_dissector_symmetric_keys[] = {
1785 .key_id = FLOW_DISSECTOR_KEY_CONTROL,
1786 .offset = offsetof(struct flow_keys, control),
1789 .key_id = FLOW_DISSECTOR_KEY_BASIC,
1790 .offset = offsetof(struct flow_keys, basic),
1793 .key_id = FLOW_DISSECTOR_KEY_IPV4_ADDRS,
1794 .offset = offsetof(struct flow_keys, addrs.v4addrs),
1797 .key_id = FLOW_DISSECTOR_KEY_IPV6_ADDRS,
1798 .offset = offsetof(struct flow_keys, addrs.v6addrs),
1801 .key_id = FLOW_DISSECTOR_KEY_PORTS,
1802 .offset = offsetof(struct flow_keys, ports),
1806 static const struct flow_dissector_key flow_keys_basic_dissector_keys[] = {
1808 .key_id = FLOW_DISSECTOR_KEY_CONTROL,
1809 .offset = offsetof(struct flow_keys, control),
1812 .key_id = FLOW_DISSECTOR_KEY_BASIC,
1813 .offset = offsetof(struct flow_keys, basic),
1817 struct flow_dissector flow_keys_dissector __read_mostly;
1818 EXPORT_SYMBOL(flow_keys_dissector);
1820 struct flow_dissector flow_keys_basic_dissector __read_mostly;
1821 EXPORT_SYMBOL(flow_keys_basic_dissector);
1823 static int __init init_default_flow_dissectors(void)
1825 skb_flow_dissector_init(&flow_keys_dissector,
1826 flow_keys_dissector_keys,
1827 ARRAY_SIZE(flow_keys_dissector_keys));
1828 skb_flow_dissector_init(&flow_keys_dissector_symmetric,
1829 flow_keys_dissector_symmetric_keys,
1830 ARRAY_SIZE(flow_keys_dissector_symmetric_keys));
1831 skb_flow_dissector_init(&flow_keys_basic_dissector,
1832 flow_keys_basic_dissector_keys,
1833 ARRAY_SIZE(flow_keys_basic_dissector_keys));
1836 core_initcall(init_default_flow_dissectors);
projects / platform / kernel / linux-rpi.git / blob