xref: /linux/net/netfilter/utils.c (revision 0c7c237b1c35011ef0b8d30c1d5c20bc6ae7b69b)
1 // SPDX-License-Identifier: GPL-2.0
2 #include <linux/kernel.h>
3 #include <linux/netfilter.h>
4 #include <linux/netfilter_ipv4.h>
5 #include <linux/netfilter_ipv6.h>
6 #include <net/netfilter/nf_queue.h>
7 #include <net/ip6_checksum.h>
8 
9 #ifdef CONFIG_INET
10 __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
11 		       unsigned int dataoff, u8 protocol)
12 {
13 	const struct iphdr *iph = ip_hdr(skb);
14 	__sum16 csum = 0;
15 
16 	switch (skb->ip_summed) {
17 	case CHECKSUM_COMPLETE:
18 		if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN)
19 			break;
20 		if ((protocol != IPPROTO_TCP && protocol != IPPROTO_UDP &&
21 		    !csum_fold(skb->csum)) ||
22 		    !csum_tcpudp_magic(iph->saddr, iph->daddr,
23 				       skb->len - dataoff, protocol,
24 				       skb->csum)) {
25 			skb->ip_summed = CHECKSUM_UNNECESSARY;
26 			break;
27 		}
28 		fallthrough;
29 	case CHECKSUM_NONE:
30 		if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP)
31 			skb->csum = 0;
32 		else
33 			skb->csum = csum_tcpudp_nofold(iph->saddr, iph->daddr,
34 						       skb->len - dataoff,
35 						       protocol, 0);
36 		csum = __skb_checksum_complete(skb);
37 	}
38 	return csum;
39 }
40 EXPORT_SYMBOL(nf_ip_checksum);
41 #endif
42 
43 static __sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,
44 				      unsigned int dataoff, unsigned int len,
45 				      u8 protocol)
46 {
47 	const struct iphdr *iph = ip_hdr(skb);
48 	__sum16 csum = 0;
49 
50 	switch (skb->ip_summed) {
51 	case CHECKSUM_COMPLETE:
52 		if (len == skb->len - dataoff)
53 			return nf_ip_checksum(skb, hook, dataoff, protocol);
54 		fallthrough;
55 	case CHECKSUM_NONE:
56 		skb->csum = csum_tcpudp_nofold(iph->saddr, iph->daddr, protocol,
57 					       skb->len - dataoff, 0);
58 		skb->ip_summed = CHECKSUM_NONE;
59 		return __skb_checksum_complete_head(skb, dataoff + len);
60 	}
61 	return csum;
62 }
63 
64 __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
65 			unsigned int dataoff, u8 protocol)
66 {
67 	const struct ipv6hdr *ip6h = ipv6_hdr(skb);
68 	__sum16 csum = 0;
69 
70 	switch (skb->ip_summed) {
71 	case CHECKSUM_COMPLETE:
72 		if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN)
73 			break;
74 		if (!csum_ipv6_magic(&ip6h->saddr, &ip6h->daddr,
75 				     skb->len - dataoff, protocol,
76 				     csum_sub(skb->csum,
77 					      skb_checksum(skb, 0,
78 							   dataoff, 0)))) {
79 			skb->ip_summed = CHECKSUM_UNNECESSARY;
80 			break;
81 		}
82 		fallthrough;
83 	case CHECKSUM_NONE:
84 		skb->csum = ~csum_unfold(
85 				csum_ipv6_magic(&ip6h->saddr, &ip6h->daddr,
86 					     skb->len - dataoff,
87 					     protocol,
88 					     csum_sub(0,
89 						      skb_checksum(skb, 0,
90 								   dataoff, 0))));
91 		csum = __skb_checksum_complete(skb);
92 	}
93 	return csum;
94 }
95 EXPORT_SYMBOL(nf_ip6_checksum);
96 
97 static __sum16 nf_ip6_checksum_partial(struct sk_buff *skb, unsigned int hook,
98 				       unsigned int dataoff, unsigned int len,
99 				       u8 protocol)
100 {
101 	const struct ipv6hdr *ip6h = ipv6_hdr(skb);
102 	__wsum hsum;
103 	__sum16 csum = 0;
104 
105 	switch (skb->ip_summed) {
106 	case CHECKSUM_COMPLETE:
107 		if (len == skb->len - dataoff)
108 			return nf_ip6_checksum(skb, hook, dataoff, protocol);
109 		fallthrough;
110 	case CHECKSUM_NONE:
111 		hsum = skb_checksum(skb, 0, dataoff, 0);
112 		skb->csum = ~csum_unfold(csum_ipv6_magic(&ip6h->saddr,
113 							 &ip6h->daddr,
114 							 skb->len - dataoff,
115 							 protocol,
116 							 csum_sub(0, hsum)));
117 		skb->ip_summed = CHECKSUM_NONE;
118 		return __skb_checksum_complete_head(skb, dataoff + len);
119 	}
120 	return csum;
121 };
122 
123 __sum16 nf_checksum(struct sk_buff *skb, unsigned int hook,
124 		    unsigned int dataoff, u8 protocol,
125 		    unsigned short family)
126 {
127 	__sum16 csum = 0;
128 
129 	switch (family) {
130 	case AF_INET:
131 		csum = nf_ip_checksum(skb, hook, dataoff, protocol);
132 		break;
133 	case AF_INET6:
134 		csum = nf_ip6_checksum(skb, hook, dataoff, protocol);
135 		break;
136 	}
137 
138 	return csum;
139 }
140 EXPORT_SYMBOL_GPL(nf_checksum);
141 
142 __sum16 nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
143 			    unsigned int dataoff, unsigned int len,
144 			    u8 protocol, unsigned short family)
145 {
146 	__sum16 csum = 0;
147 
148 	switch (family) {
149 	case AF_INET:
150 		csum = nf_ip_checksum_partial(skb, hook, dataoff, len,
151 					      protocol);
152 		break;
153 	case AF_INET6:
154 		csum = nf_ip6_checksum_partial(skb, hook, dataoff, len,
155 					       protocol);
156 		break;
157 	}
158 
159 	return csum;
160 }
161 EXPORT_SYMBOL_GPL(nf_checksum_partial);
162 
163 int nf_route(struct net *net, struct dst_entry **dst, struct flowi *fl,
164 	     bool strict, unsigned short family)
165 {
166 	const struct nf_ipv6_ops *v6ops __maybe_unused;
167 	int ret = 0;
168 
169 	switch (family) {
170 	case AF_INET:
171 		ret = nf_ip_route(net, dst, fl, strict);
172 		break;
173 	case AF_INET6:
174 		ret = nf_ip6_route(net, dst, fl, strict);
175 		break;
176 	}
177 
178 	return ret;
179 }
180 EXPORT_SYMBOL_GPL(nf_route);
181 
182 static int nf_ip_reroute(struct sk_buff *skb, const struct nf_queue_entry *entry)
183 {
184 #ifdef CONFIG_INET
185 	const struct ip_rt_info *rt_info = nf_queue_entry_reroute(entry);
186 
187 	if (entry->state.hook == NF_INET_LOCAL_OUT) {
188 		const struct iphdr *iph = ip_hdr(skb);
189 
190 		if (!(iph->tos == rt_info->tos &&
191 		      skb->mark == rt_info->mark &&
192 		      iph->daddr == rt_info->daddr &&
193 		      iph->saddr == rt_info->saddr))
194 			return ip_route_me_harder(entry->state.net, entry->state.sk,
195 						  skb, RTN_UNSPEC);
196 	}
197 #endif
198 	return 0;
199 }
200 
201 int nf_reroute(struct sk_buff *skb, struct nf_queue_entry *entry)
202 {
203 	const struct nf_ipv6_ops *v6ops;
204 	int ret = 0;
205 
206 	switch (entry->state.pf) {
207 	case AF_INET:
208 		ret = nf_ip_reroute(skb, entry);
209 		break;
210 	case AF_INET6:
211 		v6ops = rcu_dereference(nf_ipv6_ops);
212 		if (v6ops)
213 			ret = v6ops->reroute(skb, entry);
214 		break;
215 	}
216 	return ret;
217 }
218 
219 /* Only get and check the lengths, not do any hop-by-hop stuff. */
220 int nf_ip6_check_hbh_len(struct sk_buff *skb, u32 *plen)
221 {
222 	int len, off = sizeof(struct ipv6hdr);
223 	unsigned char *nh;
224 
225 	if (!pskb_may_pull(skb, off + 8))
226 		return -ENOMEM;
227 	nh = (unsigned char *)(ipv6_hdr(skb) + 1);
228 	len = (nh[1] + 1) << 3;
229 
230 	if (!pskb_may_pull(skb, off + len))
231 		return -ENOMEM;
232 	nh = skb_network_header(skb);
233 
234 	off += 2;
235 	len -= 2;
236 	while (len > 0) {
237 		int optlen;
238 
239 		if (nh[off] == IPV6_TLV_PAD1) {
240 			off++;
241 			len--;
242 			continue;
243 		}
244 		if (len < 2)
245 			return -EBADMSG;
246 		optlen = nh[off + 1] + 2;
247 		if (optlen > len)
248 			return -EBADMSG;
249 
250 		if (nh[off] == IPV6_TLV_JUMBO) {
251 			u32 pkt_len;
252 
253 			if (nh[off + 1] != 4 || (off & 3) != 2)
254 				return -EBADMSG;
255 			pkt_len = ntohl(*(__be32 *)(nh + off + 2));
256 			if (pkt_len <= IPV6_MAXPLEN ||
257 			    ipv6_hdr(skb)->payload_len)
258 				return -EBADMSG;
259 			if (pkt_len > skb->len - sizeof(struct ipv6hdr))
260 				return -EBADMSG;
261 			*plen = pkt_len;
262 		}
263 		off += optlen;
264 		len -= optlen;
265 	}
266 
267 	return len ? -EBADMSG : 0;
268 }
269 EXPORT_SYMBOL_GPL(nf_ip6_check_hbh_len);
270