#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/in6.h>
+#include <linux/if_arp.h>
#include <linux/if_vlan.h>
#include <net/inet_ecn.h>
#include <net/ip.h>
#include "openvswitch/datapath-protocol.h"
#include "vport.h"
-static struct sk_buff *
-make_writable(struct sk_buff *skb, unsigned min_headroom, gfp_t gfp)
+static struct sk_buff *make_writable(struct sk_buff *skb, unsigned min_headroom, gfp_t gfp)
{
- if (skb_shared(skb) || skb_cloned(skb)) {
+ if (skb_cloned(skb)) {
struct sk_buff *nskb;
unsigned headroom = max(min_headroom, skb_headroom(skb));
return NULL;
}
-static void set_tunnel(struct sk_buff *skb, struct odp_flow_key *key,
- __be32 tun_id)
-{
- OVS_CB(skb)->tun_id = key->tun_id = tun_id;
-}
-
-static struct sk_buff *
-vlan_pull_tag(struct sk_buff *skb)
+static struct sk_buff *vlan_pull_tag(struct sk_buff *skb)
{
struct vlan_ethhdr *vh = vlan_eth_hdr(skb);
struct ethhdr *eh;
return skb;
}
-
-static struct sk_buff *
-modify_vlan_tci(struct datapath *dp, struct sk_buff *skb,
- struct odp_flow_key *key, const union odp_action *a,
- int n_actions, gfp_t gfp)
+static struct sk_buff *modify_vlan_tci(struct datapath *dp, struct sk_buff *skb,
+ const struct odp_flow_key *key,
+ const union odp_action *a, int n_actions,
+ gfp_t gfp)
{
u16 tci, mask;
if (a->type == ODPAT_SET_VLAN_VID) {
tci = ntohs(a->vlan_vid.vlan_vid);
mask = VLAN_VID_MASK;
- key->dl_vlan = a->vlan_vid.vlan_vid;
} else {
tci = a->vlan_pcp.vlan_pcp << VLAN_PCP_SHIFT;
mask = VLAN_PCP_MASK;
- key->dl_vlan_pcp = a->vlan_pcp.vlan_pcp;
}
skb = make_writable(skb, VLAN_HLEN, gfp);
segs = __vlan_put_tag(segs, tci);
err = -ENOMEM;
if (segs) {
- struct odp_flow_key segkey = *key;
err = execute_actions(dp, segs,
- &segkey, a + 1,
+ key, a + 1,
n_actions - 1,
gfp);
}
return skb;
}
-static struct sk_buff *strip_vlan(struct sk_buff *skb,
- struct odp_flow_key *key, gfp_t gfp)
+static struct sk_buff *strip_vlan(struct sk_buff *skb, gfp_t gfp)
{
skb = make_writable(skb, 0, gfp);
- if (skb) {
+ if (skb)
vlan_pull_tag(skb);
- key->dl_vlan = htons(ODP_VLAN_NONE);
- }
+
return skb;
}
static struct sk_buff *set_dl_addr(struct sk_buff *skb,
- struct odp_flow_key *key,
const struct odp_action_dl_addr *a,
gfp_t gfp)
{
skb = make_writable(skb, 0, gfp);
if (skb) {
struct ethhdr *eh = eth_hdr(skb);
- if (a->type == ODPAT_SET_DL_SRC) {
+ if (a->type == ODPAT_SET_DL_SRC)
memcpy(eh->h_source, a->dl_addr, ETH_ALEN);
- memcpy(key->dl_src, a->dl_addr, ETH_ALEN);
- } else {
+ else
memcpy(eh->h_dest, a->dl_addr, ETH_ALEN);
- memcpy(key->dl_dst, a->dl_addr, ETH_ALEN);
- }
}
return skb;
}
}
static struct sk_buff *set_nw_addr(struct sk_buff *skb,
- struct odp_flow_key *key,
+ const struct odp_flow_key *key,
const struct odp_action_nw_addr *a,
gfp_t gfp)
{
}
update_csum(&nh->check, skb, old, new, 0);
*f = new;
-
- if (a->type == ODPAT_SET_NW_SRC)
- key->nw_src = a->nw_addr;
- else
- key->nw_dst = a->nw_addr;
}
return skb;
}
static struct sk_buff *set_nw_tos(struct sk_buff *skb,
- struct odp_flow_key *key,
+ const struct odp_flow_key *key,
const struct odp_action_nw_tos *a,
gfp_t gfp)
{
update_csum(&nh->check, skb, htons((uint16_t)old),
htons((uint16_t)new), 0);
*f = new;
- key->nw_tos = a->nw_tos;
}
return skb;
}
-static struct sk_buff *
-set_tp_port(struct sk_buff *skb, struct odp_flow_key *key,
- const struct odp_action_tp_port *a,
- gfp_t gfp)
+static struct sk_buff *set_tp_port(struct sk_buff *skb,
+ const struct odp_flow_key *key,
+ const struct odp_action_tp_port *a, gfp_t gfp)
{
int check_ofs;
update_csum((u16*)(skb_transport_header(skb) + check_ofs),
skb, old, new, 0);
*f = new;
- if (a->type == ODPAT_SET_TP_SRC)
- key->tp_src = a->tp_port;
- else
- key->tp_dst = a->tp_port;
}
return skb;
}
-static inline unsigned packet_length(const struct sk_buff *skb)
+/**
+ * is_spoofed_arp - check for invalid ARP packet
+ *
+ * @skb: skbuff containing an Ethernet packet, with network header pointing
+ * just past the Ethernet and optional 802.1Q header.
+ * @key: flow key extracted from @skb by flow_extract()
+ *
+ * Returns true if @skb is an invalid Ethernet+IPv4 ARP packet: one with screwy
+ * or truncated header fields or one whose inner and outer Ethernet address
+ * differ.
+ */
+static bool is_spoofed_arp(struct sk_buff *skb, const struct odp_flow_key *key)
{
- unsigned length = skb->len - ETH_HLEN;
- if (skb->protocol == htons(ETH_P_8021Q))
- length -= VLAN_HLEN;
- return length;
+ struct arp_eth_header *arp;
+
+ if (key->dl_type != htons(ETH_P_ARP))
+ return false;
+
+ if (skb_network_offset(skb) + sizeof(struct arp_eth_header) > skb->len)
+ return true;
+
+ arp = (struct arp_eth_header *)skb_network_header(skb);
+ return (arp->ar_hrd != htons(ARPHRD_ETHER) ||
+ arp->ar_pro != htons(ETH_P_IP) ||
+ arp->ar_hln != ETH_ALEN ||
+ arp->ar_pln != 4 ||
+ compare_ether_addr(arp->ar_sha, eth_hdr(skb)->h_source));
}
-static void
-do_output(struct datapath *dp, struct sk_buff *skb, int out_port)
+static void do_output(struct datapath *dp, struct sk_buff *skb, int out_port)
{
struct dp_port *p;
- int mtu;
if (!skb)
goto error;
if (!p)
goto error;
- mtu = vport_get_mtu(p->vport);
- if (packet_length(skb) > mtu && !skb_is_gso(skb)) {
- printk(KERN_WARNING "%s: dropped over-mtu packet: %d > %d\n",
- dp_name(dp), packet_length(skb), mtu);
- goto error;
- }
-
vport_send(p->vport, skb);
return;
return prev_port;
}
-static int
-output_control(struct datapath *dp, struct sk_buff *skb, u32 arg, gfp_t gfp)
+static int output_control(struct datapath *dp, struct sk_buff *skb, u32 arg,
+ gfp_t gfp)
{
skb = skb_clone(skb, gfp);
if (!skb)
/* Execute a list of actions against 'skb'. */
int execute_actions(struct datapath *dp, struct sk_buff *skb,
- struct odp_flow_key *key,
+ const struct odp_flow_key *key,
const union odp_action *a, int n_actions,
gfp_t gfp)
{
OVS_CB(skb)->tun_id = 0;
for (; n_actions > 0; a++, n_actions--) {
- WARN_ON_ONCE(skb_shared(skb));
if (prev_port != -1) {
do_output(dp, skb_clone(skb, gfp), prev_port);
prev_port = -1;
break;
case ODPAT_SET_TUNNEL:
- set_tunnel(skb, key, a->tunnel.tun_id);
+ OVS_CB(skb)->tun_id = a->tunnel.tun_id;
break;
case ODPAT_SET_VLAN_VID:
break;
case ODPAT_STRIP_VLAN:
- skb = strip_vlan(skb, key, gfp);
+ skb = strip_vlan(skb, gfp);
break;
case ODPAT_SET_DL_SRC:
case ODPAT_SET_DL_DST:
- skb = set_dl_addr(skb, key, &a->dl_addr, gfp);
+ skb = set_dl_addr(skb, &a->dl_addr, gfp);
break;
case ODPAT_SET_NW_SRC:
case ODPAT_POP_PRIORITY:
skb->priority = priority;
break;
+
+ case ODPAT_DROP_SPOOFED_ARP:
+ if (unlikely(is_spoofed_arp(skb, key)))
+ goto exit;
+ break;
}
if (!skb)
return -ENOMEM;
}
+exit:
if (prev_port != -1)
do_output(dp, skb, prev_port);
else
git://git.onelab.eu / sliver-openvswitch.git / blobdiff