PageRenderTime 69ms CodeModel.GetById 13ms app.highlight 51ms RepoModel.GetById 1ms app.codeStats 0ms

/net/ipv6/netfilter/nf_conntrack_reasm.c

http://github.com/mirrors/linux
C | 554 lines | 409 code | 88 blank | 57 comment | 62 complexity | f5099007ee6230856e9608a25ac097b2 MD5 | raw file
  1// SPDX-License-Identifier: GPL-2.0-or-later
  2/*
  3 * IPv6 fragment reassembly for connection tracking
  4 *
  5 * Copyright (C)2004 USAGI/WIDE Project
  6 *
  7 * Author:
  8 *	Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
  9 *
 10 * Based on: net/ipv6/reassembly.c
 11 */
 12
 13#define pr_fmt(fmt) "IPv6-nf: " fmt
 14
 15#include <linux/errno.h>
 16#include <linux/types.h>
 17#include <linux/string.h>
 18#include <linux/socket.h>
 19#include <linux/sockios.h>
 20#include <linux/jiffies.h>
 21#include <linux/net.h>
 22#include <linux/list.h>
 23#include <linux/netdevice.h>
 24#include <linux/in6.h>
 25#include <linux/ipv6.h>
 26#include <linux/icmpv6.h>
 27#include <linux/random.h>
 28#include <linux/slab.h>
 29
 30#include <net/sock.h>
 31#include <net/snmp.h>
 32#include <net/ipv6_frag.h>
 33
 34#include <net/protocol.h>
 35#include <net/transp_v6.h>
 36#include <net/rawv6.h>
 37#include <net/ndisc.h>
 38#include <net/addrconf.h>
 39#include <net/inet_ecn.h>
 40#include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
 41#include <linux/sysctl.h>
 42#include <linux/netfilter.h>
 43#include <linux/netfilter_ipv6.h>
 44#include <linux/kernel.h>
 45#include <linux/module.h>
 46#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
 47
 48static const char nf_frags_cache_name[] = "nf-frags";
 49
 50static struct inet_frags nf_frags;
 51
 52#ifdef CONFIG_SYSCTL
 53
 54static struct ctl_table nf_ct_frag6_sysctl_table[] = {
 55	{
 56		.procname	= "nf_conntrack_frag6_timeout",
 57		.maxlen		= sizeof(unsigned int),
 58		.mode		= 0644,
 59		.proc_handler	= proc_dointvec_jiffies,
 60	},
 61	{
 62		.procname	= "nf_conntrack_frag6_low_thresh",
 63		.maxlen		= sizeof(unsigned long),
 64		.mode		= 0644,
 65		.proc_handler	= proc_doulongvec_minmax,
 66	},
 67	{
 68		.procname	= "nf_conntrack_frag6_high_thresh",
 69		.maxlen		= sizeof(unsigned long),
 70		.mode		= 0644,
 71		.proc_handler	= proc_doulongvec_minmax,
 72	},
 73	{ }
 74};
 75
 76static int nf_ct_frag6_sysctl_register(struct net *net)
 77{
 78	struct ctl_table *table;
 79	struct ctl_table_header *hdr;
 80
 81	table = nf_ct_frag6_sysctl_table;
 82	if (!net_eq(net, &init_net)) {
 83		table = kmemdup(table, sizeof(nf_ct_frag6_sysctl_table),
 84				GFP_KERNEL);
 85		if (table == NULL)
 86			goto err_alloc;
 87	}
 88
 89	table[0].data	= &net->nf_frag.fqdir->timeout;
 90	table[1].data	= &net->nf_frag.fqdir->low_thresh;
 91	table[1].extra2	= &net->nf_frag.fqdir->high_thresh;
 92	table[2].data	= &net->nf_frag.fqdir->high_thresh;
 93	table[2].extra1	= &net->nf_frag.fqdir->low_thresh;
 94	table[2].extra2	= &init_net.nf_frag.fqdir->high_thresh;
 95
 96	hdr = register_net_sysctl(net, "net/netfilter", table);
 97	if (hdr == NULL)
 98		goto err_reg;
 99
100	net->nf_frag_frags_hdr = hdr;
101	return 0;
102
103err_reg:
104	if (!net_eq(net, &init_net))
105		kfree(table);
106err_alloc:
107	return -ENOMEM;
108}
109
110static void __net_exit nf_ct_frags6_sysctl_unregister(struct net *net)
111{
112	struct ctl_table *table;
113
114	table = net->nf_frag_frags_hdr->ctl_table_arg;
115	unregister_net_sysctl_table(net->nf_frag_frags_hdr);
116	if (!net_eq(net, &init_net))
117		kfree(table);
118}
119
120#else
121static int nf_ct_frag6_sysctl_register(struct net *net)
122{
123	return 0;
124}
125static void __net_exit nf_ct_frags6_sysctl_unregister(struct net *net)
126{
127}
128#endif
129
130static int nf_ct_frag6_reasm(struct frag_queue *fq, struct sk_buff *skb,
131			     struct sk_buff *prev_tail, struct net_device *dev);
132
133static inline u8 ip6_frag_ecn(const struct ipv6hdr *ipv6h)
134{
135	return 1 << (ipv6_get_dsfield(ipv6h) & INET_ECN_MASK);
136}
137
138static void nf_ct_frag6_expire(struct timer_list *t)
139{
140	struct inet_frag_queue *frag = from_timer(frag, t, timer);
141	struct frag_queue *fq;
142
143	fq = container_of(frag, struct frag_queue, q);
144
145	ip6frag_expire_frag_queue(fq->q.fqdir->net, fq);
146}
147
148/* Creation primitives. */
149static struct frag_queue *fq_find(struct net *net, __be32 id, u32 user,
150				  const struct ipv6hdr *hdr, int iif)
151{
152	struct frag_v6_compare_key key = {
153		.id = id,
154		.saddr = hdr->saddr,
155		.daddr = hdr->daddr,
156		.user = user,
157		.iif = iif,
158	};
159	struct inet_frag_queue *q;
160
161	q = inet_frag_find(net->nf_frag.fqdir, &key);
162	if (!q)
163		return NULL;
164
165	return container_of(q, struct frag_queue, q);
166}
167
168
169static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
170			     const struct frag_hdr *fhdr, int nhoff)
171{
172	unsigned int payload_len;
173	struct net_device *dev;
174	struct sk_buff *prev;
175	int offset, end, err;
176	u8 ecn;
177
178	if (fq->q.flags & INET_FRAG_COMPLETE) {
179		pr_debug("Already completed\n");
180		goto err;
181	}
182
183	payload_len = ntohs(ipv6_hdr(skb)->payload_len);
184
185	offset = ntohs(fhdr->frag_off) & ~0x7;
186	end = offset + (payload_len -
187			((u8 *)(fhdr + 1) - (u8 *)(ipv6_hdr(skb) + 1)));
188
189	if ((unsigned int)end > IPV6_MAXPLEN) {
190		pr_debug("offset is too large.\n");
191		return -EINVAL;
192	}
193
194	ecn = ip6_frag_ecn(ipv6_hdr(skb));
195
196	if (skb->ip_summed == CHECKSUM_COMPLETE) {
197		const unsigned char *nh = skb_network_header(skb);
198		skb->csum = csum_sub(skb->csum,
199				     csum_partial(nh, (u8 *)(fhdr + 1) - nh,
200						  0));
201	}
202
203	/* Is this the final fragment? */
204	if (!(fhdr->frag_off & htons(IP6_MF))) {
205		/* If we already have some bits beyond end
206		 * or have different end, the segment is corrupted.
207		 */
208		if (end < fq->q.len ||
209		    ((fq->q.flags & INET_FRAG_LAST_IN) && end != fq->q.len)) {
210			pr_debug("already received last fragment\n");
211			goto err;
212		}
213		fq->q.flags |= INET_FRAG_LAST_IN;
214		fq->q.len = end;
215	} else {
216		/* Check if the fragment is rounded to 8 bytes.
217		 * Required by the RFC.
218		 */
219		if (end & 0x7) {
220			/* RFC2460 says always send parameter problem in
221			 * this case. -DaveM
222			 */
223			pr_debug("end of fragment not rounded to 8 bytes.\n");
224			inet_frag_kill(&fq->q);
225			return -EPROTO;
226		}
227		if (end > fq->q.len) {
228			/* Some bits beyond end -> corruption. */
229			if (fq->q.flags & INET_FRAG_LAST_IN) {
230				pr_debug("last packet already reached.\n");
231				goto err;
232			}
233			fq->q.len = end;
234		}
235	}
236
237	if (end == offset)
238		goto err;
239
240	/* Point into the IP datagram 'data' part. */
241	if (!pskb_pull(skb, (u8 *) (fhdr + 1) - skb->data)) {
242		pr_debug("queue: message is too short.\n");
243		goto err;
244	}
245	if (pskb_trim_rcsum(skb, end - offset)) {
246		pr_debug("Can't trim\n");
247		goto err;
248	}
249
250	/* Note : skb->rbnode and skb->dev share the same location. */
251	dev = skb->dev;
252	/* Makes sure compiler wont do silly aliasing games */
253	barrier();
254
255	prev = fq->q.fragments_tail;
256	err = inet_frag_queue_insert(&fq->q, skb, offset, end);
257	if (err) {
258		if (err == IPFRAG_DUP) {
259			/* No error for duplicates, pretend they got queued. */
260			kfree_skb(skb);
261			return -EINPROGRESS;
262		}
263		goto insert_error;
264	}
265
266	if (dev)
267		fq->iif = dev->ifindex;
268
269	fq->q.stamp = skb->tstamp;
270	fq->q.meat += skb->len;
271	fq->ecn |= ecn;
272	if (payload_len > fq->q.max_size)
273		fq->q.max_size = payload_len;
274	add_frag_mem_limit(fq->q.fqdir, skb->truesize);
275
276	/* The first fragment.
277	 * nhoffset is obtained from the first fragment, of course.
278	 */
279	if (offset == 0) {
280		fq->nhoffset = nhoff;
281		fq->q.flags |= INET_FRAG_FIRST_IN;
282	}
283
284	if (fq->q.flags == (INET_FRAG_FIRST_IN | INET_FRAG_LAST_IN) &&
285	    fq->q.meat == fq->q.len) {
286		unsigned long orefdst = skb->_skb_refdst;
287
288		skb->_skb_refdst = 0UL;
289		err = nf_ct_frag6_reasm(fq, skb, prev, dev);
290		skb->_skb_refdst = orefdst;
291
292		/* After queue has assumed skb ownership, only 0 or
293		 * -EINPROGRESS must be returned.
294		 */
295		return err ? -EINPROGRESS : 0;
296	}
297
298	skb_dst_drop(skb);
299	return -EINPROGRESS;
300
301insert_error:
302	inet_frag_kill(&fq->q);
303err:
304	skb_dst_drop(skb);
305	return -EINVAL;
306}
307
308/*
309 *	Check if this packet is complete.
310 *
311 *	It is called with locked fq, and caller must check that
312 *	queue is eligible for reassembly i.e. it is not COMPLETE,
313 *	the last and the first frames arrived and all the bits are here.
314 */
315static int nf_ct_frag6_reasm(struct frag_queue *fq, struct sk_buff *skb,
316			     struct sk_buff *prev_tail, struct net_device *dev)
317{
318	void *reasm_data;
319	int payload_len;
320	u8 ecn;
321
322	inet_frag_kill(&fq->q);
323
324	ecn = ip_frag_ecn_table[fq->ecn];
325	if (unlikely(ecn == 0xff))
326		goto err;
327
328	reasm_data = inet_frag_reasm_prepare(&fq->q, skb, prev_tail);
329	if (!reasm_data)
330		goto err;
331
332	payload_len = ((skb->data - skb_network_header(skb)) -
333		       sizeof(struct ipv6hdr) + fq->q.len -
334		       sizeof(struct frag_hdr));
335	if (payload_len > IPV6_MAXPLEN) {
336		net_dbg_ratelimited("nf_ct_frag6_reasm: payload len = %d\n",
337				    payload_len);
338		goto err;
339	}
340
341	/* We have to remove fragment header from datagram and to relocate
342	 * header in order to calculate ICV correctly. */
343	skb_network_header(skb)[fq->nhoffset] = skb_transport_header(skb)[0];
344	memmove(skb->head + sizeof(struct frag_hdr), skb->head,
345		(skb->data - skb->head) - sizeof(struct frag_hdr));
346	skb->mac_header += sizeof(struct frag_hdr);
347	skb->network_header += sizeof(struct frag_hdr);
348
349	skb_reset_transport_header(skb);
350
351	inet_frag_reasm_finish(&fq->q, skb, reasm_data, false);
352
353	skb->ignore_df = 1;
354	skb->dev = dev;
355	ipv6_hdr(skb)->payload_len = htons(payload_len);
356	ipv6_change_dsfield(ipv6_hdr(skb), 0xff, ecn);
357	IP6CB(skb)->frag_max_size = sizeof(struct ipv6hdr) + fq->q.max_size;
358
359	/* Yes, and fold redundant checksum back. 8) */
360	if (skb->ip_summed == CHECKSUM_COMPLETE)
361		skb->csum = csum_partial(skb_network_header(skb),
362					 skb_network_header_len(skb),
363					 skb->csum);
364
365	fq->q.rb_fragments = RB_ROOT;
366	fq->q.fragments_tail = NULL;
367	fq->q.last_run_head = NULL;
368
369	return 0;
370
371err:
372	inet_frag_kill(&fq->q);
373	return -EINVAL;
374}
375
376/*
377 * find the header just before Fragment Header.
378 *
379 * if success return 0 and set ...
380 * (*prevhdrp): the value of "Next Header Field" in the header
381 *		just before Fragment Header.
382 * (*prevhoff): the offset of "Next Header Field" in the header
383 *		just before Fragment Header.
384 * (*fhoff)   : the offset of Fragment Header.
385 *
386 * Based on ipv6_skip_hdr() in net/ipv6/exthdr.c
387 *
388 */
389static int
390find_prev_fhdr(struct sk_buff *skb, u8 *prevhdrp, int *prevhoff, int *fhoff)
391{
392	u8 nexthdr = ipv6_hdr(skb)->nexthdr;
393	const int netoff = skb_network_offset(skb);
394	u8 prev_nhoff = netoff + offsetof(struct ipv6hdr, nexthdr);
395	int start = netoff + sizeof(struct ipv6hdr);
396	int len = skb->len - start;
397	u8 prevhdr = NEXTHDR_IPV6;
398
399	while (nexthdr != NEXTHDR_FRAGMENT) {
400		struct ipv6_opt_hdr hdr;
401		int hdrlen;
402
403		if (!ipv6_ext_hdr(nexthdr)) {
404			return -1;
405		}
406		if (nexthdr == NEXTHDR_NONE) {
407			pr_debug("next header is none\n");
408			return -1;
409		}
410		if (len < (int)sizeof(struct ipv6_opt_hdr)) {
411			pr_debug("too short\n");
412			return -1;
413		}
414		if (skb_copy_bits(skb, start, &hdr, sizeof(hdr)))
415			BUG();
416		if (nexthdr == NEXTHDR_AUTH)
417			hdrlen = ipv6_authlen(&hdr);
418		else
419			hdrlen = ipv6_optlen(&hdr);
420
421		prevhdr = nexthdr;
422		prev_nhoff = start;
423
424		nexthdr = hdr.nexthdr;
425		len -= hdrlen;
426		start += hdrlen;
427	}
428
429	if (len < 0)
430		return -1;
431
432	*prevhdrp = prevhdr;
433	*prevhoff = prev_nhoff;
434	*fhoff = start;
435
436	return 0;
437}
438
439int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
440{
441	u16 savethdr = skb->transport_header;
442	int fhoff, nhoff, ret;
443	struct frag_hdr *fhdr;
444	struct frag_queue *fq;
445	struct ipv6hdr *hdr;
446	u8 prevhdr;
447
448	/* Jumbo payload inhibits frag. header */
449	if (ipv6_hdr(skb)->payload_len == 0) {
450		pr_debug("payload len = 0\n");
451		return 0;
452	}
453
454	if (find_prev_fhdr(skb, &prevhdr, &nhoff, &fhoff) < 0)
455		return 0;
456
457	if (!pskb_may_pull(skb, fhoff + sizeof(*fhdr)))
458		return -ENOMEM;
459
460	skb_set_transport_header(skb, fhoff);
461	hdr = ipv6_hdr(skb);
462	fhdr = (struct frag_hdr *)skb_transport_header(skb);
463
464	skb_orphan(skb);
465	fq = fq_find(net, fhdr->identification, user, hdr,
466		     skb->dev ? skb->dev->ifindex : 0);
467	if (fq == NULL) {
468		pr_debug("Can't find and can't create new queue\n");
469		return -ENOMEM;
470	}
471
472	spin_lock_bh(&fq->q.lock);
473
474	ret = nf_ct_frag6_queue(fq, skb, fhdr, nhoff);
475	if (ret == -EPROTO) {
476		skb->transport_header = savethdr;
477		ret = 0;
478	}
479
480	spin_unlock_bh(&fq->q.lock);
481	inet_frag_put(&fq->q);
482	return ret;
483}
484EXPORT_SYMBOL_GPL(nf_ct_frag6_gather);
485
486static int nf_ct_net_init(struct net *net)
487{
488	int res;
489
490	res = fqdir_init(&net->nf_frag.fqdir, &nf_frags, net);
491	if (res < 0)
492		return res;
493
494	net->nf_frag.fqdir->high_thresh = IPV6_FRAG_HIGH_THRESH;
495	net->nf_frag.fqdir->low_thresh = IPV6_FRAG_LOW_THRESH;
496	net->nf_frag.fqdir->timeout = IPV6_FRAG_TIMEOUT;
497
498	res = nf_ct_frag6_sysctl_register(net);
499	if (res < 0)
500		fqdir_exit(net->nf_frag.fqdir);
501	return res;
502}
503
504static void nf_ct_net_pre_exit(struct net *net)
505{
506	fqdir_pre_exit(net->nf_frag.fqdir);
507}
508
509static void nf_ct_net_exit(struct net *net)
510{
511	nf_ct_frags6_sysctl_unregister(net);
512	fqdir_exit(net->nf_frag.fqdir);
513}
514
515static struct pernet_operations nf_ct_net_ops = {
516	.init		= nf_ct_net_init,
517	.pre_exit	= nf_ct_net_pre_exit,
518	.exit		= nf_ct_net_exit,
519};
520
521static const struct rhashtable_params nfct_rhash_params = {
522	.head_offset		= offsetof(struct inet_frag_queue, node),
523	.hashfn			= ip6frag_key_hashfn,
524	.obj_hashfn		= ip6frag_obj_hashfn,
525	.obj_cmpfn		= ip6frag_obj_cmpfn,
526	.automatic_shrinking	= true,
527};
528
529int nf_ct_frag6_init(void)
530{
531	int ret = 0;
532
533	nf_frags.constructor = ip6frag_init;
534	nf_frags.destructor = NULL;
535	nf_frags.qsize = sizeof(struct frag_queue);
536	nf_frags.frag_expire = nf_ct_frag6_expire;
537	nf_frags.frags_cache_name = nf_frags_cache_name;
538	nf_frags.rhash_params = nfct_rhash_params;
539	ret = inet_frags_init(&nf_frags);
540	if (ret)
541		goto out;
542	ret = register_pernet_subsys(&nf_ct_net_ops);
543	if (ret)
544		inet_frags_fini(&nf_frags);
545
546out:
547	return ret;
548}
549
550void nf_ct_frag6_cleanup(void)
551{
552	unregister_pernet_subsys(&nf_ct_net_ops);
553	inet_frags_fini(&nf_frags);
554}