~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/net/ipv6/netfilter/nf_reject_ipv6.c

Version: ~ [ linux-5.15-rc7 ] ~ [ linux-5.14.14 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.75 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.155 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.213 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.252 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.287 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.289 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.18.140 ] ~ [ linux-3.16.85 ] ~ [ linux-3.14.79 ] ~ [ linux-3.12.74 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 // SPDX-License-Identifier: GPL-2.0-only
  2 /* (C) 1999-2001 Paul `Rusty' Russell
  3  * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
  4  */
  5 
  6 #include <linux/module.h>
  7 #include <net/ipv6.h>
  8 #include <net/ip6_route.h>
  9 #include <net/ip6_fib.h>
 10 #include <net/ip6_checksum.h>
 11 #include <net/netfilter/ipv6/nf_reject.h>
 12 #include <linux/netfilter_ipv6.h>
 13 #include <linux/netfilter_bridge.h>
 14 
 15 static bool nf_reject_v6_csum_ok(struct sk_buff *skb, int hook)
 16 {
 17         const struct ipv6hdr *ip6h = ipv6_hdr(skb);
 18         int thoff;
 19         __be16 fo;
 20         u8 proto = ip6h->nexthdr;
 21 
 22         if (skb_csum_unnecessary(skb))
 23                 return true;
 24 
 25         if (ip6h->payload_len &&
 26             pskb_trim_rcsum(skb, ntohs(ip6h->payload_len) + sizeof(*ip6h)))
 27                 return false;
 28 
 29         ip6h = ipv6_hdr(skb);
 30         thoff = ipv6_skip_exthdr(skb, ((u8*)(ip6h+1) - skb->data), &proto, &fo);
 31         if (thoff < 0 || thoff >= skb->len || (fo & htons(~0x7)) != 0)
 32                 return false;
 33 
 34         if (!nf_reject_verify_csum(proto))
 35                 return true;
 36 
 37         return nf_ip6_checksum(skb, hook, thoff, proto) == 0;
 38 }
 39 
 40 static int nf_reject_ip6hdr_validate(struct sk_buff *skb)
 41 {
 42         struct ipv6hdr *hdr;
 43         u32 pkt_len;
 44 
 45         if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
 46                 return 0;
 47 
 48         hdr = ipv6_hdr(skb);
 49         if (hdr->version != 6)
 50                 return 0;
 51 
 52         pkt_len = ntohs(hdr->payload_len);
 53         if (pkt_len + sizeof(struct ipv6hdr) > skb->len)
 54                 return 0;
 55 
 56         return 1;
 57 }
 58 
 59 struct sk_buff *nf_reject_skb_v6_tcp_reset(struct net *net,
 60                                            struct sk_buff *oldskb,
 61                                            const struct net_device *dev,
 62                                            int hook)
 63 {
 64         struct sk_buff *nskb;
 65         const struct tcphdr *oth;
 66         struct tcphdr _oth;
 67         unsigned int otcplen;
 68         struct ipv6hdr *nip6h;
 69 
 70         if (!nf_reject_ip6hdr_validate(oldskb))
 71                 return NULL;
 72 
 73         oth = nf_reject_ip6_tcphdr_get(oldskb, &_oth, &otcplen, hook);
 74         if (!oth)
 75                 return NULL;
 76 
 77         nskb = alloc_skb(sizeof(struct ipv6hdr) + sizeof(struct tcphdr) +
 78                          LL_MAX_HEADER, GFP_ATOMIC);
 79         if (!nskb)
 80                 return NULL;
 81 
 82         nskb->dev = (struct net_device *)dev;
 83 
 84         skb_reserve(nskb, LL_MAX_HEADER);
 85         nip6h = nf_reject_ip6hdr_put(nskb, oldskb, IPPROTO_TCP,
 86                                      net->ipv6.devconf_all->hop_limit);
 87         nf_reject_ip6_tcphdr_put(nskb, oldskb, oth, otcplen);
 88         nip6h->payload_len = htons(nskb->len - sizeof(struct ipv6hdr));
 89 
 90         return nskb;
 91 }
 92 EXPORT_SYMBOL_GPL(nf_reject_skb_v6_tcp_reset);
 93 
 94 struct sk_buff *nf_reject_skb_v6_unreach(struct net *net,
 95                                          struct sk_buff *oldskb,
 96                                          const struct net_device *dev,
 97                                          int hook, u8 code)
 98 {
 99         struct sk_buff *nskb;
100         struct ipv6hdr *nip6h;
101         struct icmp6hdr *icmp6h;
102         unsigned int len;
103 
104         if (!nf_reject_ip6hdr_validate(oldskb))
105                 return NULL;
106 
107         /* Include "As much of invoking packet as possible without the ICMPv6
108          * packet exceeding the minimum IPv6 MTU" in the ICMP payload.
109          */
110         len = min_t(unsigned int, 1220, oldskb->len);
111 
112         if (!pskb_may_pull(oldskb, len))
113                 return NULL;
114 
115         if (!nf_reject_v6_csum_ok(oldskb, hook))
116                 return NULL;
117 
118         nskb = alloc_skb(sizeof(struct ipv6hdr) + sizeof(struct icmp6hdr) +
119                          LL_MAX_HEADER + len, GFP_ATOMIC);
120         if (!nskb)
121                 return NULL;
122 
123         nskb->dev = (struct net_device *)dev;
124 
125         skb_reserve(nskb, LL_MAX_HEADER);
126         nip6h = nf_reject_ip6hdr_put(nskb, oldskb, IPPROTO_ICMPV6,
127                                      net->ipv6.devconf_all->hop_limit);
128 
129         skb_reset_transport_header(nskb);
130         icmp6h = skb_put_zero(nskb, sizeof(struct icmp6hdr));
131         icmp6h->icmp6_type = ICMPV6_DEST_UNREACH;
132         icmp6h->icmp6_code = code;
133 
134         skb_put_data(nskb, skb_network_header(oldskb), len);
135         nip6h->payload_len = htons(nskb->len - sizeof(struct ipv6hdr));
136 
137         icmp6h->icmp6_cksum =
138                 csum_ipv6_magic(&nip6h->saddr, &nip6h->daddr,
139                                 nskb->len - sizeof(struct ipv6hdr),
140                                 IPPROTO_ICMPV6,
141                                 csum_partial(icmp6h,
142                                              nskb->len - sizeof(struct ipv6hdr),
143                                              0));
144 
145         return nskb;
146 }
147 EXPORT_SYMBOL_GPL(nf_reject_skb_v6_unreach);
148 
149 const struct tcphdr *nf_reject_ip6_tcphdr_get(struct sk_buff *oldskb,
150                                               struct tcphdr *otcph,
151                                               unsigned int *otcplen, int hook)
152 {
153         const struct ipv6hdr *oip6h = ipv6_hdr(oldskb);
154         u8 proto;
155         __be16 frag_off;
156         int tcphoff;
157 
158         proto = oip6h->nexthdr;
159         tcphoff = ipv6_skip_exthdr(oldskb, ((u8 *)(oip6h + 1) - oldskb->data),
160                                    &proto, &frag_off);
161 
162         if ((tcphoff < 0) || (tcphoff > oldskb->len)) {
163                 pr_debug("Cannot get TCP header.\n");
164                 return NULL;
165         }
166 
167         *otcplen = oldskb->len - tcphoff;
168 
169         /* IP header checks: fragment, too short. */
170         if (proto != IPPROTO_TCP || *otcplen < sizeof(struct tcphdr)) {
171                 pr_debug("proto(%d) != IPPROTO_TCP or too short (len = %d)\n",
172                          proto, *otcplen);
173                 return NULL;
174         }
175 
176         otcph = skb_header_pointer(oldskb, tcphoff, sizeof(struct tcphdr),
177                                    otcph);
178         if (otcph == NULL)
179                 return NULL;
180 
181         /* No RST for RST. */
182         if (otcph->rst) {
183                 pr_debug("RST is set\n");
184                 return NULL;
185         }
186 
187         /* Check checksum. */
188         if (nf_ip6_checksum(oldskb, hook, tcphoff, IPPROTO_TCP)) {
189                 pr_debug("TCP checksum is invalid\n");
190                 return NULL;
191         }
192 
193         return otcph;
194 }
195 EXPORT_SYMBOL_GPL(nf_reject_ip6_tcphdr_get);
196 
197 struct ipv6hdr *nf_reject_ip6hdr_put(struct sk_buff *nskb,
198                                      const struct sk_buff *oldskb,
199                                      __u8 protocol, int hoplimit)
200 {
201         struct ipv6hdr *ip6h;
202         const struct ipv6hdr *oip6h = ipv6_hdr(oldskb);
203 #define DEFAULT_TOS_VALUE       0x0U
204         const __u8 tclass = DEFAULT_TOS_VALUE;
205 
206         skb_put(nskb, sizeof(struct ipv6hdr));
207         skb_reset_network_header(nskb);
208         ip6h = ipv6_hdr(nskb);
209         ip6_flow_hdr(ip6h, tclass, 0);
210         ip6h->hop_limit = hoplimit;
211         ip6h->nexthdr = protocol;
212         ip6h->saddr = oip6h->daddr;
213         ip6h->daddr = oip6h->saddr;
214 
215         nskb->protocol = htons(ETH_P_IPV6);
216 
217         return ip6h;
218 }
219 EXPORT_SYMBOL_GPL(nf_reject_ip6hdr_put);
220 
221 void nf_reject_ip6_tcphdr_put(struct sk_buff *nskb,
222                               const struct sk_buff *oldskb,
223                               const struct tcphdr *oth, unsigned int otcplen)
224 {
225         struct tcphdr *tcph;
226         int needs_ack;
227 
228         skb_reset_transport_header(nskb);
229         tcph = skb_put(nskb, sizeof(struct tcphdr));
230         /* Truncate to length (no data) */
231         tcph->doff = sizeof(struct tcphdr)/4;
232         tcph->source = oth->dest;
233         tcph->dest = oth->source;
234 
235         if (oth->ack) {
236                 needs_ack = 0;
237                 tcph->seq = oth->ack_seq;
238                 tcph->ack_seq = 0;
239         } else {
240                 needs_ack = 1;
241                 tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
242                                       otcplen - (oth->doff<<2));
243                 tcph->seq = 0;
244         }
245 
246         /* Reset flags */
247         ((u_int8_t *)tcph)[13] = 0;
248         tcph->rst = 1;
249         tcph->ack = needs_ack;
250         tcph->window = 0;
251         tcph->urg_ptr = 0;
252         tcph->check = 0;
253 
254         /* Adjust TCP checksum */
255         tcph->check = csum_ipv6_magic(&ipv6_hdr(nskb)->saddr,
256                                       &ipv6_hdr(nskb)->daddr,
257                                       sizeof(struct tcphdr), IPPROTO_TCP,
258                                       csum_partial(tcph,
259                                                    sizeof(struct tcphdr), 0));
260 }
261 EXPORT_SYMBOL_GPL(nf_reject_ip6_tcphdr_put);
262 
263 static int nf_reject6_fill_skb_dst(struct sk_buff *skb_in)
264 {
265         struct dst_entry *dst = NULL;
266         struct flowi fl;
267 
268         memset(&fl, 0, sizeof(struct flowi));
269         fl.u.ip6.daddr = ipv6_hdr(skb_in)->saddr;
270         nf_ip6_route(dev_net(skb_in->dev), &dst, &fl, false);
271         if (!dst)
272                 return -1;
273 
274         skb_dst_set(skb_in, dst);
275         return 0;
276 }
277 
278 void nf_send_reset6(struct net *net, struct sock *sk, struct sk_buff *oldskb,
279                     int hook)
280 {
281         struct net_device *br_indev __maybe_unused;
282         struct sk_buff *nskb;
283         struct tcphdr _otcph;
284         const struct tcphdr *otcph;
285         unsigned int otcplen, hh_len;
286         const struct ipv6hdr *oip6h = ipv6_hdr(oldskb);
287         struct ipv6hdr *ip6h;
288         struct dst_entry *dst = NULL;
289         struct flowi6 fl6;
290 
291         if ((!(ipv6_addr_type(&oip6h->saddr) & IPV6_ADDR_UNICAST)) ||
292             (!(ipv6_addr_type(&oip6h->daddr) & IPV6_ADDR_UNICAST))) {
293                 pr_debug("addr is not unicast.\n");
294                 return;
295         }
296 
297         otcph = nf_reject_ip6_tcphdr_get(oldskb, &_otcph, &otcplen, hook);
298         if (!otcph)
299                 return;
300 
301         memset(&fl6, 0, sizeof(fl6));
302         fl6.flowi6_proto = IPPROTO_TCP;
303         fl6.saddr = oip6h->daddr;
304         fl6.daddr = oip6h->saddr;
305         fl6.fl6_sport = otcph->dest;
306         fl6.fl6_dport = otcph->source;
307 
308         if (hook == NF_INET_PRE_ROUTING || hook == NF_INET_INGRESS) {
309                 nf_ip6_route(net, &dst, flowi6_to_flowi(&fl6), false);
310                 if (!dst)
311                         return;
312                 skb_dst_set(oldskb, dst);
313         }
314 
315         fl6.flowi6_oif = l3mdev_master_ifindex(skb_dst(oldskb)->dev);
316         fl6.flowi6_mark = IP6_REPLY_MARK(net, oldskb->mark);
317         security_skb_classify_flow(oldskb, flowi6_to_flowi_common(&fl6));
318         dst = ip6_route_output(net, NULL, &fl6);
319         if (dst->error) {
320                 dst_release(dst);
321                 return;
322         }
323         dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), NULL, 0);
324         if (IS_ERR(dst))
325                 return;
326 
327         hh_len = (dst->dev->hard_header_len + 15)&~15;
328         nskb = alloc_skb(hh_len + 15 + dst->header_len + sizeof(struct ipv6hdr)
329                          + sizeof(struct tcphdr) + dst->trailer_len,
330                          GFP_ATOMIC);
331 
332         if (!nskb) {
333                 net_dbg_ratelimited("cannot alloc skb\n");
334                 dst_release(dst);
335                 return;
336         }
337 
338         skb_dst_set(nskb, dst);
339 
340         nskb->mark = fl6.flowi6_mark;
341 
342         skb_reserve(nskb, hh_len + dst->header_len);
343         ip6h = nf_reject_ip6hdr_put(nskb, oldskb, IPPROTO_TCP,
344                                     ip6_dst_hoplimit(dst));
345         nf_reject_ip6_tcphdr_put(nskb, oldskb, otcph, otcplen);
346 
347         nf_ct_attach(nskb, oldskb);
348 
349 #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
350         /* If we use ip6_local_out for bridged traffic, the MAC source on
351          * the RST will be ours, instead of the destination's.  This confuses
352          * some routers/firewalls, and they drop the packet.  So we need to
353          * build the eth header using the original destination's MAC as the
354          * source, and send the RST packet directly.
355          */
356         br_indev = nf_bridge_get_physindev(oldskb);
357         if (br_indev) {
358                 struct ethhdr *oeth = eth_hdr(oldskb);
359 
360                 nskb->dev = br_indev;
361                 nskb->protocol = htons(ETH_P_IPV6);
362                 ip6h->payload_len = htons(sizeof(struct tcphdr));
363                 if (dev_hard_header(nskb, nskb->dev, ntohs(nskb->protocol),
364                                     oeth->h_source, oeth->h_dest, nskb->len) < 0) {
365                         kfree_skb(nskb);
366                         return;
367                 }
368                 dev_queue_xmit(nskb);
369         } else
370 #endif
371                 ip6_local_out(net, sk, nskb);
372 }
373 EXPORT_SYMBOL_GPL(nf_send_reset6);
374 
375 static bool reject6_csum_ok(struct sk_buff *skb, int hook)
376 {
377         const struct ipv6hdr *ip6h = ipv6_hdr(skb);
378         int thoff;
379         __be16 fo;
380         u8 proto;
381 
382         if (skb_csum_unnecessary(skb))
383                 return true;
384 
385         proto = ip6h->nexthdr;
386         thoff = ipv6_skip_exthdr(skb, ((u8 *)(ip6h + 1) - skb->data), &proto, &fo);
387 
388         if (thoff < 0 || thoff >= skb->len || (fo & htons(~0x7)) != 0)
389                 return false;
390 
391         if (!nf_reject_verify_csum(proto))
392                 return true;
393 
394         return nf_ip6_checksum(skb, hook, thoff, proto) == 0;
395 }
396 
397 void nf_send_unreach6(struct net *net, struct sk_buff *skb_in,
398                       unsigned char code, unsigned int hooknum)
399 {
400         if (!reject6_csum_ok(skb_in, hooknum))
401                 return;
402 
403         if (hooknum == NF_INET_LOCAL_OUT && skb_in->dev == NULL)
404                 skb_in->dev = net->loopback_dev;
405 
406         if ((hooknum == NF_INET_PRE_ROUTING || hooknum == NF_INET_INGRESS) &&
407             nf_reject6_fill_skb_dst(skb_in) < 0)
408                 return;
409 
410         icmpv6_send(skb_in, ICMPV6_DEST_UNREACH, code, 0);
411 }
412 EXPORT_SYMBOL_GPL(nf_send_unreach6);
413 
414 MODULE_LICENSE("GPL");
415 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp