net/ipv6/netfilter/nf_socket_ipv6.c

   1 // SPDX-License-Identifier: GPL-2.0-only
   2 /*
   3  * Copyright (C) 2007-2008 BalaBit IT Ltd.
   4  * Author: Krisztian Kovacs
   5  */
   6 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
   7 #include <linux/module.h>
   8 #include <linux/skbuff.h>
   9 #include <net/tcp.h>
  10 #include <net/udp.h>
  11 #include <net/icmp.h>
  12 #include <net/sock.h>
  13 #include <net/inet_sock.h>
  14 #include <net/inet6_hashtables.h>
  15 #include <net/netfilter/ipv6/nf_defrag_ipv6.h>
  16 #include <net/netfilter/nf_socket.h>
  17 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
  18 #include <net/netfilter/nf_conntrack.h>
  19 #endif
  20
  21 static int
  22 extract_icmp6_fields(const struct sk_buff *skb,
  23                      unsigned int outside_hdrlen,
  24                      int *protocol,
  25                      const struct in6_addr **raddr,
  26                      const struct in6_addr **laddr,
  27                      __be16 *rport,
  28                      __be16 *lport,
  29                      struct ipv6hdr *ipv6_var)
  30 {
  31         const struct ipv6hdr *inside_iph;
  32         struct icmp6hdr *icmph, _icmph;
  33         __be16 *ports, _ports[2];
  34         u8 inside_nexthdr;
  35         __be16 inside_fragoff;
  36         int inside_hdrlen;
  37
  38         icmph = skb_header_pointer(skb, outside_hdrlen,
  39                                    sizeof(_icmph), &_icmph);
  40         if (icmph == NULL)
  41                 return 1;
  42
  43         if (icmph->icmp6_type & ICMPV6_INFOMSG_MASK)
  44                 return 1;
  45
  46         inside_iph = skb_header_pointer(skb, outside_hdrlen + sizeof(_icmph),
  47                                         sizeof(*ipv6_var), ipv6_var);
  48         if (inside_iph == NULL)
  49                 return 1;
  50         inside_nexthdr = inside_iph->nexthdr;
  51
  52         inside_hdrlen = ipv6_skip_exthdr(skb, outside_hdrlen + sizeof(_icmph) +
  53                                               sizeof(*ipv6_var),
  54                                          &inside_nexthdr, &inside_fragoff);
  55         if (inside_hdrlen < 0)
  56                 return 1; /* hjm: Packet has no/incomplete transport layer headers. */
  57
  58         if (inside_nexthdr != IPPROTO_TCP &&
  59             inside_nexthdr != IPPROTO_UDP)
  60                 return 1;
  61
  62         ports = skb_header_pointer(skb, inside_hdrlen,
  63                                    sizeof(_ports), &_ports);
  64         if (ports == NULL)
  65                 return 1;
  66
  67         /* the inside IP packet is the one quoted from our side, thus
  68          * its saddr is the local address */
  69         *protocol = inside_nexthdr;
  70         *laddr = &inside_iph->saddr;
  71         *lport = ports[0];
  72         *raddr = &inside_iph->daddr;
  73         *rport = ports[1];
  74
  75         return 0;
  76 }
  77
  78 static struct sock *
  79 nf_socket_get_sock_v6(struct net *net, struct sk_buff *skb, int doff,
  80                       const u8 protocol,
  81                       const struct in6_addr *saddr, const struct in6_addr *daddr,
  82                       const __be16 sport, const __be16 dport,
  83                       const struct net_device *in)
  84 {
  85         switch (protocol) {
  86         case IPPROTO_TCP:
  87                 return inet6_lookup(net, &tcp_hashinfo, skb, doff,
  88                                     saddr, sport, daddr, dport,
  89                                     in->ifindex);
  90         case IPPROTO_UDP:
  91                 return udp6_lib_lookup(net, saddr, sport, daddr, dport,
  92                                        in->ifindex);
  93         }
  94
  95         return NULL;
  96 }
  97
  98 struct sock *nf_sk_lookup_slow_v6(struct net *net, const struct sk_buff *skb,
  99                                   const struct net_device *indev)
 100 {
 101         __be16 uninitialized_var(dport), uninitialized_var(sport);
 102         const struct in6_addr *daddr = NULL, *saddr = NULL;
 103         struct ipv6hdr *iph = ipv6_hdr(skb);
 104         struct sk_buff *data_skb = NULL;
 105         int doff = 0;
 106         int thoff = 0, tproto;
 107
 108         tproto = ipv6_find_hdr(skb, &thoff, -1, NULL, NULL);
 109         if (tproto < 0) {
 110                 pr_debug("unable to find transport header in IPv6 packet, dropping\n");
 111                 return NULL;
 112         }
 113
 114         if (tproto == IPPROTO_UDP || tproto == IPPROTO_TCP) {
 115                 struct tcphdr _hdr;
 116                 struct udphdr *hp;
 117
 118                 hp = skb_header_pointer(skb, thoff, tproto == IPPROTO_UDP ?
 119                                         sizeof(*hp) : sizeof(_hdr), &_hdr);
 120                 if (hp == NULL)
 121                         return NULL;
 122
 123                 saddr = &iph->saddr;
 124                 sport = hp->source;
 125                 daddr = &iph->daddr;
 126                 dport = hp->dest;
 127                 data_skb = (struct sk_buff *)skb;
 128                 doff = tproto == IPPROTO_TCP ?
 129                         thoff + __tcp_hdrlen((struct tcphdr *)hp) :
 130                         thoff + sizeof(*hp);
 131
 132         } else if (tproto == IPPROTO_ICMPV6) {
 133                 struct ipv6hdr ipv6_var;
 134
 135                 if (extract_icmp6_fields(skb, thoff, &tproto, &saddr, &daddr,
 136                                          &sport, &dport, &ipv6_var))
 137                         return NULL;
 138         } else {
 139                 return NULL;
 140         }
 141
 142         return nf_socket_get_sock_v6(net, data_skb, doff, tproto, saddr, daddr,
 143                                      sport, dport, indev);
 144 }
 145 EXPORT_SYMBOL_GPL(nf_sk_lookup_slow_v6);
 146
 147 MODULE_LICENSE("GPL");
 148 MODULE_AUTHOR("Krisztian Kovacs, Balazs Scheidler");
 149 MODULE_DESCRIPTION("Netfilter IPv6 socket lookup infrastructure");