1 | /* SPDX-License-Identifier: GPL-2.0 */ |
2 | #ifndef _NET_FLOW_DISSECTOR_H |
3 | #define _NET_FLOW_DISSECTOR_H |
4 | |
5 | #include <linux/types.h> |
6 | #include <linux/in6.h> |
7 | #include <linux/siphash.h> |
8 | #include <linux/string.h> |
9 | #include <uapi/linux/if_ether.h> |
10 | |
11 | struct bpf_prog; |
12 | struct net; |
13 | struct sk_buff; |
14 | |
15 | /** |
16 | * struct flow_dissector_key_control: |
17 | * @thoff: Transport header offset |
18 | * @addr_type: Type of key. One of FLOW_DISSECTOR_KEY_* |
19 | * @flags: Key flags. Any of FLOW_DIS_(IS_FRAGMENT|FIRST_FRAGENCAPSULATION) |
20 | */ |
21 | struct flow_dissector_key_control { |
22 | u16 thoff; |
23 | u16 addr_type; |
24 | u32 flags; |
25 | }; |
26 | |
27 | #define FLOW_DIS_IS_FRAGMENT BIT(0) |
28 | #define FLOW_DIS_FIRST_FRAG BIT(1) |
29 | #define FLOW_DIS_ENCAPSULATION BIT(2) |
30 | |
31 | enum flow_dissect_ret { |
32 | FLOW_DISSECT_RET_OUT_GOOD, |
33 | FLOW_DISSECT_RET_OUT_BAD, |
34 | FLOW_DISSECT_RET_PROTO_AGAIN, |
35 | FLOW_DISSECT_RET_IPPROTO_AGAIN, |
36 | FLOW_DISSECT_RET_CONTINUE, |
37 | }; |
38 | |
39 | /** |
40 | * struct flow_dissector_key_basic: |
41 | * @n_proto: Network header protocol (eg. IPv4/IPv6) |
42 | * @ip_proto: Transport header protocol (eg. TCP/UDP) |
43 | * @padding: Unused |
44 | */ |
45 | struct flow_dissector_key_basic { |
46 | __be16 n_proto; |
47 | u8 ip_proto; |
48 | u8 padding; |
49 | }; |
50 | |
51 | struct flow_dissector_key_tags { |
52 | u32 flow_label; |
53 | }; |
54 | |
55 | struct flow_dissector_key_vlan { |
56 | union { |
57 | struct { |
58 | u16 vlan_id:12, |
59 | vlan_dei:1, |
60 | vlan_priority:3; |
61 | }; |
62 | __be16 vlan_tci; |
63 | }; |
64 | __be16 vlan_tpid; |
65 | __be16 vlan_eth_type; |
66 | u16 padding; |
67 | }; |
68 | |
69 | struct flow_dissector_mpls_lse { |
70 | u32 mpls_ttl:8, |
71 | mpls_bos:1, |
72 | mpls_tc:3, |
73 | mpls_label:20; |
74 | }; |
75 | |
76 | #define FLOW_DIS_MPLS_MAX 7 |
77 | struct flow_dissector_key_mpls { |
78 | struct flow_dissector_mpls_lse ls[FLOW_DIS_MPLS_MAX]; /* Label Stack */ |
79 | u8 used_lses; /* One bit set for each Label Stack Entry in use */ |
80 | }; |
81 | |
82 | static inline void dissector_set_mpls_lse(struct flow_dissector_key_mpls *mpls, |
83 | int lse_index) |
84 | { |
85 | mpls->used_lses |= 1 << lse_index; |
86 | } |
87 | |
88 | #define FLOW_DIS_TUN_OPTS_MAX 255 |
89 | /** |
90 | * struct flow_dissector_key_enc_opts: |
91 | * @data: tunnel option data |
92 | * @len: length of tunnel option data |
93 | * @dst_opt_type: tunnel option type |
94 | */ |
95 | struct flow_dissector_key_enc_opts { |
96 | u8 data[FLOW_DIS_TUN_OPTS_MAX]; /* Using IP_TUNNEL_OPTS_MAX is desired |
97 | * here but seems difficult to #include |
98 | */ |
99 | u8 len; |
100 | __be16 dst_opt_type; |
101 | }; |
102 | |
103 | struct flow_dissector_key_keyid { |
104 | __be32 keyid; |
105 | }; |
106 | |
107 | /** |
108 | * struct flow_dissector_key_ipv4_addrs: |
109 | * @src: source ip address |
110 | * @dst: destination ip address |
111 | */ |
112 | struct flow_dissector_key_ipv4_addrs { |
113 | /* (src,dst) must be grouped, in the same way than in IP header */ |
114 | __be32 src; |
115 | __be32 dst; |
116 | }; |
117 | |
118 | /** |
119 | * struct flow_dissector_key_ipv6_addrs: |
120 | * @src: source ip address |
121 | * @dst: destination ip address |
122 | */ |
123 | struct flow_dissector_key_ipv6_addrs { |
124 | /* (src,dst) must be grouped, in the same way than in IP header */ |
125 | struct in6_addr src; |
126 | struct in6_addr dst; |
127 | }; |
128 | |
129 | /** |
130 | * struct flow_dissector_key_tipc: |
131 | * @key: source node address combined with selector |
132 | */ |
133 | struct flow_dissector_key_tipc { |
134 | __be32 key; |
135 | }; |
136 | |
137 | /** |
138 | * struct flow_dissector_key_addrs: |
139 | * @v4addrs: IPv4 addresses |
140 | * @v6addrs: IPv6 addresses |
141 | * @tipckey: TIPC key |
142 | */ |
143 | struct flow_dissector_key_addrs { |
144 | union { |
145 | struct flow_dissector_key_ipv4_addrs v4addrs; |
146 | struct flow_dissector_key_ipv6_addrs v6addrs; |
147 | struct flow_dissector_key_tipc tipckey; |
148 | }; |
149 | }; |
150 | |
151 | /** |
152 | * struct flow_dissector_key_arp: |
153 | * @sip: Sender IP address |
154 | * @tip: Target IP address |
155 | * @op: Operation |
156 | * @sha: Sender hardware address |
157 | * @tha: Target hardware address |
158 | */ |
159 | struct flow_dissector_key_arp { |
160 | __u32 sip; |
161 | __u32 tip; |
162 | __u8 op; |
163 | unsigned char sha[ETH_ALEN]; |
164 | unsigned char tha[ETH_ALEN]; |
165 | }; |
166 | |
167 | /** |
168 | * struct flow_dissector_key_ports: |
169 | * @ports: port numbers of Transport header |
170 | * @src: source port number |
171 | * @dst: destination port number |
172 | */ |
173 | struct flow_dissector_key_ports { |
174 | union { |
175 | __be32 ports; |
176 | struct { |
177 | __be16 src; |
178 | __be16 dst; |
179 | }; |
180 | }; |
181 | }; |
182 | |
183 | /** |
184 | * struct flow_dissector_key_ports_range |
185 | * @tp: port number from packet |
186 | * @tp_min: min port number in range |
187 | * @tp_max: max port number in range |
188 | */ |
189 | struct flow_dissector_key_ports_range { |
190 | union { |
191 | struct flow_dissector_key_ports tp; |
192 | struct { |
193 | struct flow_dissector_key_ports tp_min; |
194 | struct flow_dissector_key_ports tp_max; |
195 | }; |
196 | }; |
197 | }; |
198 | |
199 | /** |
200 | * struct flow_dissector_key_icmp: |
201 | * @type: ICMP type |
202 | * @code: ICMP code |
203 | * @id: Session identifier |
204 | */ |
205 | struct flow_dissector_key_icmp { |
206 | struct { |
207 | u8 type; |
208 | u8 code; |
209 | }; |
210 | u16 id; |
211 | }; |
212 | |
213 | /** |
214 | * struct flow_dissector_key_eth_addrs: |
215 | * @src: source Ethernet address |
216 | * @dst: destination Ethernet address |
217 | */ |
218 | struct flow_dissector_key_eth_addrs { |
219 | /* (dst,src) must be grouped, in the same way than in ETH header */ |
220 | unsigned char dst[ETH_ALEN]; |
221 | unsigned char src[ETH_ALEN]; |
222 | }; |
223 | |
224 | /** |
225 | * struct flow_dissector_key_tcp: |
226 | * @flags: flags |
227 | */ |
228 | struct flow_dissector_key_tcp { |
229 | __be16 flags; |
230 | }; |
231 | |
232 | /** |
233 | * struct flow_dissector_key_ip: |
234 | * @tos: tos |
235 | * @ttl: ttl |
236 | */ |
237 | struct flow_dissector_key_ip { |
238 | __u8 tos; |
239 | __u8 ttl; |
240 | }; |
241 | |
242 | /** |
243 | * struct flow_dissector_key_meta: |
244 | * @ingress_ifindex: ingress ifindex |
245 | * @ingress_iftype: ingress interface type |
246 | * @l2_miss: packet did not match an L2 entry during forwarding |
247 | */ |
248 | struct flow_dissector_key_meta { |
249 | int ingress_ifindex; |
250 | u16 ingress_iftype; |
251 | u8 l2_miss; |
252 | }; |
253 | |
254 | /** |
255 | * struct flow_dissector_key_ct: |
256 | * @ct_state: conntrack state after converting with map |
257 | * @ct_mark: conttrack mark |
258 | * @ct_zone: conntrack zone |
259 | * @ct_labels: conntrack labels |
260 | */ |
261 | struct flow_dissector_key_ct { |
262 | u16 ct_state; |
263 | u16 ct_zone; |
264 | u32 ct_mark; |
265 | u32 ct_labels[4]; |
266 | }; |
267 | |
268 | /** |
269 | * struct flow_dissector_key_hash: |
270 | * @hash: hash value |
271 | */ |
272 | struct flow_dissector_key_hash { |
273 | u32 hash; |
274 | }; |
275 | |
276 | /** |
277 | * struct flow_dissector_key_num_of_vlans: |
278 | * @num_of_vlans: num_of_vlans value |
279 | */ |
280 | struct flow_dissector_key_num_of_vlans { |
281 | u8 num_of_vlans; |
282 | }; |
283 | |
284 | /** |
285 | * struct flow_dissector_key_pppoe: |
286 | * @session_id: pppoe session id |
287 | * @ppp_proto: ppp protocol |
288 | * @type: pppoe eth type |
289 | */ |
290 | struct flow_dissector_key_pppoe { |
291 | __be16 session_id; |
292 | __be16 ppp_proto; |
293 | __be16 type; |
294 | }; |
295 | |
296 | /** |
297 | * struct flow_dissector_key_l2tpv3: |
298 | * @session_id: identifier for a l2tp session |
299 | */ |
300 | struct flow_dissector_key_l2tpv3 { |
301 | __be32 session_id; |
302 | }; |
303 | |
304 | /** |
305 | * struct flow_dissector_key_ipsec: |
306 | * @spi: identifier for a ipsec connection |
307 | */ |
308 | struct flow_dissector_key_ipsec { |
309 | __be32 spi; |
310 | }; |
311 | |
312 | /** |
313 | * struct flow_dissector_key_cfm |
314 | * @mdl_ver: maintenance domain level (mdl) and cfm protocol version |
315 | * @opcode: code specifying a type of cfm protocol packet |
316 | * |
317 | * See 802.1ag, ITU-T G.8013/Y.1731 |
318 | * 1 2 |
319 | * |7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0| |
320 | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
321 | * | mdl | version | opcode | |
322 | * +-----+---------+-+-+-+-+-+-+-+-+ |
323 | */ |
324 | struct flow_dissector_key_cfm { |
325 | u8 mdl_ver; |
326 | u8 opcode; |
327 | }; |
328 | |
329 | #define FLOW_DIS_CFM_MDL_MASK GENMASK(7, 5) |
330 | #define FLOW_DIS_CFM_MDL_MAX 7 |
331 | |
332 | enum flow_dissector_key_id { |
333 | FLOW_DISSECTOR_KEY_CONTROL, /* struct flow_dissector_key_control */ |
334 | FLOW_DISSECTOR_KEY_BASIC, /* struct flow_dissector_key_basic */ |
335 | FLOW_DISSECTOR_KEY_IPV4_ADDRS, /* struct flow_dissector_key_ipv4_addrs */ |
336 | FLOW_DISSECTOR_KEY_IPV6_ADDRS, /* struct flow_dissector_key_ipv6_addrs */ |
337 | FLOW_DISSECTOR_KEY_PORTS, /* struct flow_dissector_key_ports */ |
338 | FLOW_DISSECTOR_KEY_PORTS_RANGE, /* struct flow_dissector_key_ports */ |
339 | FLOW_DISSECTOR_KEY_ICMP, /* struct flow_dissector_key_icmp */ |
340 | FLOW_DISSECTOR_KEY_ETH_ADDRS, /* struct flow_dissector_key_eth_addrs */ |
341 | FLOW_DISSECTOR_KEY_TIPC, /* struct flow_dissector_key_tipc */ |
342 | FLOW_DISSECTOR_KEY_ARP, /* struct flow_dissector_key_arp */ |
343 | FLOW_DISSECTOR_KEY_VLAN, /* struct flow_dissector_key_vlan */ |
344 | FLOW_DISSECTOR_KEY_FLOW_LABEL, /* struct flow_dissector_key_tags */ |
345 | FLOW_DISSECTOR_KEY_GRE_KEYID, /* struct flow_dissector_key_keyid */ |
346 | FLOW_DISSECTOR_KEY_MPLS_ENTROPY, /* struct flow_dissector_key_keyid */ |
347 | FLOW_DISSECTOR_KEY_ENC_KEYID, /* struct flow_dissector_key_keyid */ |
348 | FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS, /* struct flow_dissector_key_ipv4_addrs */ |
349 | FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS, /* struct flow_dissector_key_ipv6_addrs */ |
350 | FLOW_DISSECTOR_KEY_ENC_CONTROL, /* struct flow_dissector_key_control */ |
351 | FLOW_DISSECTOR_KEY_ENC_PORTS, /* struct flow_dissector_key_ports */ |
352 | FLOW_DISSECTOR_KEY_MPLS, /* struct flow_dissector_key_mpls */ |
353 | FLOW_DISSECTOR_KEY_TCP, /* struct flow_dissector_key_tcp */ |
354 | FLOW_DISSECTOR_KEY_IP, /* struct flow_dissector_key_ip */ |
355 | FLOW_DISSECTOR_KEY_CVLAN, /* struct flow_dissector_key_vlan */ |
356 | FLOW_DISSECTOR_KEY_ENC_IP, /* struct flow_dissector_key_ip */ |
357 | FLOW_DISSECTOR_KEY_ENC_OPTS, /* struct flow_dissector_key_enc_opts */ |
358 | FLOW_DISSECTOR_KEY_META, /* struct flow_dissector_key_meta */ |
359 | FLOW_DISSECTOR_KEY_CT, /* struct flow_dissector_key_ct */ |
360 | FLOW_DISSECTOR_KEY_HASH, /* struct flow_dissector_key_hash */ |
361 | FLOW_DISSECTOR_KEY_NUM_OF_VLANS, /* struct flow_dissector_key_num_of_vlans */ |
362 | FLOW_DISSECTOR_KEY_PPPOE, /* struct flow_dissector_key_pppoe */ |
363 | FLOW_DISSECTOR_KEY_L2TPV3, /* struct flow_dissector_key_l2tpv3 */ |
364 | FLOW_DISSECTOR_KEY_CFM, /* struct flow_dissector_key_cfm */ |
365 | FLOW_DISSECTOR_KEY_IPSEC, /* struct flow_dissector_key_ipsec */ |
366 | |
367 | FLOW_DISSECTOR_KEY_MAX, |
368 | }; |
369 | |
370 | #define FLOW_DISSECTOR_F_PARSE_1ST_FRAG BIT(0) |
371 | #define FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL BIT(1) |
372 | #define FLOW_DISSECTOR_F_STOP_AT_ENCAP BIT(2) |
373 | #define FLOW_DISSECTOR_F_STOP_BEFORE_ENCAP BIT(3) |
374 | |
375 | struct flow_dissector_key { |
376 | enum flow_dissector_key_id key_id; |
377 | size_t offset; /* offset of struct flow_dissector_key_* |
378 | in target the struct */ |
379 | }; |
380 | |
381 | struct flow_dissector { |
382 | unsigned long long used_keys; |
383 | /* each bit represents presence of one key id */ |
384 | unsigned short int offset[FLOW_DISSECTOR_KEY_MAX]; |
385 | }; |
386 | |
387 | struct flow_keys_basic { |
388 | struct flow_dissector_key_control control; |
389 | struct flow_dissector_key_basic basic; |
390 | }; |
391 | |
392 | struct flow_keys { |
393 | struct flow_dissector_key_control control; |
394 | #define FLOW_KEYS_HASH_START_FIELD basic |
395 | struct flow_dissector_key_basic basic __aligned(SIPHASH_ALIGNMENT); |
396 | struct flow_dissector_key_tags tags; |
397 | struct flow_dissector_key_vlan vlan; |
398 | struct flow_dissector_key_vlan cvlan; |
399 | struct flow_dissector_key_keyid keyid; |
400 | struct flow_dissector_key_ports ports; |
401 | struct flow_dissector_key_icmp icmp; |
402 | /* 'addrs' must be the last member */ |
403 | struct flow_dissector_key_addrs addrs; |
404 | }; |
405 | |
406 | #define FLOW_KEYS_HASH_OFFSET \ |
407 | offsetof(struct flow_keys, FLOW_KEYS_HASH_START_FIELD) |
408 | |
409 | __be32 flow_get_u32_src(const struct flow_keys *flow); |
410 | __be32 flow_get_u32_dst(const struct flow_keys *flow); |
411 | |
412 | extern struct flow_dissector flow_keys_dissector; |
413 | extern struct flow_dissector flow_keys_basic_dissector; |
414 | |
415 | /* struct flow_keys_digest: |
416 | * |
417 | * This structure is used to hold a digest of the full flow keys. This is a |
418 | * larger "hash" of a flow to allow definitively matching specific flows where |
419 | * the 32 bit skb->hash is not large enough. The size is limited to 16 bytes so |
420 | * that it can be used in CB of skb (see sch_choke for an example). |
421 | */ |
422 | #define FLOW_KEYS_DIGEST_LEN 16 |
423 | struct flow_keys_digest { |
424 | u8 data[FLOW_KEYS_DIGEST_LEN]; |
425 | }; |
426 | |
427 | void make_flow_keys_digest(struct flow_keys_digest *digest, |
428 | const struct flow_keys *flow); |
429 | |
430 | static inline bool flow_keys_have_l4(const struct flow_keys *keys) |
431 | { |
432 | return (keys->ports.ports || keys->tags.flow_label); |
433 | } |
434 | |
435 | u32 flow_hash_from_keys(struct flow_keys *keys); |
436 | void skb_flow_get_icmp_tci(const struct sk_buff *skb, |
437 | struct flow_dissector_key_icmp *key_icmp, |
438 | const void *data, int thoff, int hlen); |
439 | |
440 | static inline bool dissector_uses_key(const struct flow_dissector *flow_dissector, |
441 | enum flow_dissector_key_id key_id) |
442 | { |
443 | return flow_dissector->used_keys & (1ULL << key_id); |
444 | } |
445 | |
446 | static inline void *skb_flow_dissector_target(struct flow_dissector *flow_dissector, |
447 | enum flow_dissector_key_id key_id, |
448 | void *target_container) |
449 | { |
450 | return ((char *)target_container) + flow_dissector->offset[key_id]; |
451 | } |
452 | |
453 | struct bpf_flow_dissector { |
454 | struct bpf_flow_keys *flow_keys; |
455 | const struct sk_buff *skb; |
456 | const void *data; |
457 | const void *data_end; |
458 | }; |
459 | |
460 | static inline void |
461 | flow_dissector_init_keys(struct flow_dissector_key_control *key_control, |
462 | struct flow_dissector_key_basic *key_basic) |
463 | { |
464 | memset(key_control, 0, sizeof(*key_control)); |
465 | memset(key_basic, 0, sizeof(*key_basic)); |
466 | } |
467 | |
468 | #ifdef CONFIG_BPF_SYSCALL |
469 | int flow_dissector_bpf_prog_attach_check(struct net *net, |
470 | struct bpf_prog *prog); |
471 | #endif /* CONFIG_BPF_SYSCALL */ |
472 | |
473 | #endif |
474 | |