1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * This code is taken from the Android Open Source Project and the author
4 * (Maciej Żenczykowski) has gave permission to relicense it under the
5 * GPLv2. Therefore this program is free software;
6 * You can redistribute it and/or modify it under the terms of the GNU
7 * General Public License version 2 as published by the Free Software
8 * Foundation
9
10 * The original headers, including the original license headers, are
11 * included below for completeness.
12 *
13 * Copyright (C) 2019 The Android Open Source Project
14 *
15 * Licensed under the Apache License, Version 2.0 (the "License");
16 * you may not use this file except in compliance with the License.
17 * You may obtain a copy of the License at
18 *
19 * http://www.apache.org/licenses/LICENSE-2.0
20 *
21 * Unless required by applicable law or agreed to in writing, software
22 * distributed under the License is distributed on an "AS IS" BASIS,
23 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
24 * See the License for the specific language governing permissions and
25 * limitations under the License.
26 */
27 #include <linux/bpf.h>
28 #include <linux/if.h>
29 #include <linux/if_ether.h>
30 #include <linux/if_packet.h>
31 #include <linux/in.h>
32 #include <linux/in6.h>
33 #include <linux/ip.h>
34 #include <linux/ipv6.h>
35 #include <linux/pkt_cls.h>
36 #include <linux/swab.h>
37 #include <stdbool.h>
38 #include <stdint.h>
39
40
41 #include <linux/udp.h>
42
43 #include <bpf/bpf_helpers.h>
44 #include <bpf/bpf_endian.h>
45
46 #define IP_DF 0x4000 // Flag: "Don't Fragment"
47
48 SEC("schedcls/ingress6/nat_6")
sched_cls_ingress6_nat_6_prog(struct __sk_buff * skb)49 int sched_cls_ingress6_nat_6_prog(struct __sk_buff *skb)
50 {
51 const int l2_header_size = sizeof(struct ethhdr);
52 void *data = (void *)(long)skb->data;
53 const void *data_end = (void *)(long)skb->data_end;
54 const struct ethhdr * const eth = data; // used iff is_ethernet
55 const struct ipv6hdr * const ip6 = (void *)(eth + 1);
56
57 // Require ethernet dst mac address to be our unicast address.
58 if (skb->pkt_type != PACKET_HOST)
59 return TC_ACT_OK;
60
61 // Must be meta-ethernet IPv6 frame
62 if (skb->protocol != bpf_htons(ETH_P_IPV6))
63 return TC_ACT_OK;
64
65 // Must have (ethernet and) ipv6 header
66 if (data + l2_header_size + sizeof(*ip6) > data_end)
67 return TC_ACT_OK;
68
69 // Ethertype - if present - must be IPv6
70 if (eth->h_proto != bpf_htons(ETH_P_IPV6))
71 return TC_ACT_OK;
72
73 // IP version must be 6
74 if (ip6->version != 6)
75 return TC_ACT_OK;
76 // Maximum IPv6 payload length that can be translated to IPv4
77 if (bpf_ntohs(ip6->payload_len) > 0xFFFF - sizeof(struct iphdr))
78 return TC_ACT_OK;
79 switch (ip6->nexthdr) {
80 case IPPROTO_TCP: // For TCP & UDP the checksum neutrality of the chosen IPv6
81 case IPPROTO_UDP: // address means there is no need to update their checksums.
82 case IPPROTO_GRE: // We do not need to bother looking at GRE/ESP headers,
83 case IPPROTO_ESP: // since there is never a checksum to update.
84 break;
85 default: // do not know how to handle anything else
86 return TC_ACT_OK;
87 }
88
89 struct ethhdr eth2; // used iff is_ethernet
90
91 eth2 = *eth; // Copy over the ethernet header (src/dst mac)
92 eth2.h_proto = bpf_htons(ETH_P_IP); // But replace the ethertype
93
94 struct iphdr ip = {
95 .version = 4, // u4
96 .ihl = sizeof(struct iphdr) / sizeof(__u32), // u4
97 .tos = (ip6->priority << 4) + (ip6->flow_lbl[0] >> 4), // u8
98 .tot_len = bpf_htons(bpf_ntohs(ip6->payload_len) + sizeof(struct iphdr)), // u16
99 .id = 0, // u16
100 .frag_off = bpf_htons(IP_DF), // u16
101 .ttl = ip6->hop_limit, // u8
102 .protocol = ip6->nexthdr, // u8
103 .check = 0, // u16
104 .saddr = 0x0201a8c0, // u32
105 .daddr = 0x0101a8c0, // u32
106 };
107
108 // Calculate the IPv4 one's complement checksum of the IPv4 header.
109 __wsum sum4 = 0;
110
111 for (int i = 0; i < sizeof(ip) / sizeof(__u16); ++i)
112 sum4 += ((__u16 *)&ip)[i];
113
114 // Note that sum4 is guaranteed to be non-zero by virtue of ip.version == 4
115 sum4 = (sum4 & 0xFFFF) + (sum4 >> 16); // collapse u32 into range 1 .. 0x1FFFE
116 sum4 = (sum4 & 0xFFFF) + (sum4 >> 16); // collapse any potential carry into u16
117 ip.check = (__u16)~sum4; // sum4 cannot be zero, so this is never 0xFFFF
118
119 // Calculate the *negative* IPv6 16-bit one's complement checksum of the IPv6 header.
120 __wsum sum6 = 0;
121 // We'll end up with a non-zero sum due to ip6->version == 6 (which has '0' bits)
122 for (int i = 0; i < sizeof(*ip6) / sizeof(__u16); ++i)
123 sum6 += ~((__u16 *)ip6)[i]; // note the bitwise negation
124
125 // Note that there is no L4 checksum update: we are relying on the checksum neutrality
126 // of the ipv6 address chosen by netd's ClatdController.
127
128 // Packet mutations begin - point of no return, but if this first modification fails
129 // the packet is probably still pristine, so let clatd handle it.
130 if (bpf_skb_change_proto(skb, bpf_htons(ETH_P_IP), 0))
131 return TC_ACT_OK;
132 bpf_csum_update(skb, sum6);
133
134 data = (void *)(long)skb->data;
135 data_end = (void *)(long)skb->data_end;
136 if (data + l2_header_size + sizeof(struct iphdr) > data_end)
137 return TC_ACT_SHOT;
138
139 struct ethhdr *new_eth = data;
140
141 // Copy over the updated ethernet header
142 *new_eth = eth2;
143
144 // Copy over the new ipv4 header.
145 *(struct iphdr *)(new_eth + 1) = ip;
146 return bpf_redirect(skb->ifindex, BPF_F_INGRESS);
147 }
148
149 SEC("schedcls/egress4/snat4")
sched_cls_egress4_snat4_prog(struct __sk_buff * skb)150 int sched_cls_egress4_snat4_prog(struct __sk_buff *skb)
151 {
152 const int l2_header_size = sizeof(struct ethhdr);
153 void *data = (void *)(long)skb->data;
154 const void *data_end = (void *)(long)skb->data_end;
155 const struct ethhdr *const eth = data; // used iff is_ethernet
156 const struct iphdr *const ip4 = (void *)(eth + 1);
157
158 // Must be meta-ethernet IPv4 frame
159 if (skb->protocol != bpf_htons(ETH_P_IP))
160 return TC_ACT_OK;
161
162 // Must have ipv4 header
163 if (data + l2_header_size + sizeof(struct ipv6hdr) > data_end)
164 return TC_ACT_OK;
165
166 // Ethertype - if present - must be IPv4
167 if (eth->h_proto != bpf_htons(ETH_P_IP))
168 return TC_ACT_OK;
169
170 // IP version must be 4
171 if (ip4->version != 4)
172 return TC_ACT_OK;
173
174 // We cannot handle IP options, just standard 20 byte == 5 dword minimal IPv4 header
175 if (ip4->ihl != 5)
176 return TC_ACT_OK;
177
178 // Maximum IPv6 payload length that can be translated to IPv4
179 if (bpf_htons(ip4->tot_len) > 0xFFFF - sizeof(struct ipv6hdr))
180 return TC_ACT_OK;
181
182 // Calculate the IPv4 one's complement checksum of the IPv4 header.
183 __wsum sum4 = 0;
184
185 for (int i = 0; i < sizeof(*ip4) / sizeof(__u16); ++i)
186 sum4 += ((__u16 *)ip4)[i];
187
188 // Note that sum4 is guaranteed to be non-zero by virtue of ip4->version == 4
189 sum4 = (sum4 & 0xFFFF) + (sum4 >> 16); // collapse u32 into range 1 .. 0x1FFFE
190 sum4 = (sum4 & 0xFFFF) + (sum4 >> 16); // collapse any potential carry into u16
191 // for a correct checksum we should get *a* zero, but sum4 must be positive, ie 0xFFFF
192 if (sum4 != 0xFFFF)
193 return TC_ACT_OK;
194
195 // Minimum IPv4 total length is the size of the header
196 if (bpf_ntohs(ip4->tot_len) < sizeof(*ip4))
197 return TC_ACT_OK;
198
199 // We are incapable of dealing with IPv4 fragments
200 if (ip4->frag_off & ~bpf_htons(IP_DF))
201 return TC_ACT_OK;
202
203 switch (ip4->protocol) {
204 case IPPROTO_TCP: // For TCP & UDP the checksum neutrality of the chosen IPv6
205 case IPPROTO_GRE: // address means there is no need to update their checksums.
206 case IPPROTO_ESP: // We do not need to bother looking at GRE/ESP headers,
207 break; // since there is never a checksum to update.
208
209 case IPPROTO_UDP: // See above comment, but must also have UDP header...
210 if (data + sizeof(*ip4) + sizeof(struct udphdr) > data_end)
211 return TC_ACT_OK;
212 const struct udphdr *uh = (const struct udphdr *)(ip4 + 1);
213 // If IPv4/UDP checksum is 0 then fallback to clatd so it can calculate the
214 // checksum. Otherwise the network or more likely the NAT64 gateway might
215 // drop the packet because in most cases IPv6/UDP packets with a zero checksum
216 // are invalid. See RFC 6935. TODO: calculate checksum via bpf_csum_diff()
217 if (!uh->check)
218 return TC_ACT_OK;
219 break;
220
221 default: // do not know how to handle anything else
222 return TC_ACT_OK;
223 }
224 struct ethhdr eth2; // used iff is_ethernet
225
226 eth2 = *eth; // Copy over the ethernet header (src/dst mac)
227 eth2.h_proto = bpf_htons(ETH_P_IPV6); // But replace the ethertype
228
229 struct ipv6hdr ip6 = {
230 .version = 6, // __u8:4
231 .priority = ip4->tos >> 4, // __u8:4
232 .flow_lbl = {(ip4->tos & 0xF) << 4, 0, 0}, // __u8[3]
233 .payload_len = bpf_htons(bpf_ntohs(ip4->tot_len) - 20), // __be16
234 .nexthdr = ip4->protocol, // __u8
235 .hop_limit = ip4->ttl, // __u8
236 };
237 ip6.saddr.in6_u.u6_addr32[0] = bpf_htonl(0x20010db8);
238 ip6.saddr.in6_u.u6_addr32[1] = 0;
239 ip6.saddr.in6_u.u6_addr32[2] = 0;
240 ip6.saddr.in6_u.u6_addr32[3] = bpf_htonl(1);
241 ip6.daddr.in6_u.u6_addr32[0] = bpf_htonl(0x20010db8);
242 ip6.daddr.in6_u.u6_addr32[1] = 0;
243 ip6.daddr.in6_u.u6_addr32[2] = 0;
244 ip6.daddr.in6_u.u6_addr32[3] = bpf_htonl(2);
245
246 // Calculate the IPv6 16-bit one's complement checksum of the IPv6 header.
247 __wsum sum6 = 0;
248 // We'll end up with a non-zero sum due to ip6.version == 6
249 for (int i = 0; i < sizeof(ip6) / sizeof(__u16); ++i)
250 sum6 += ((__u16 *)&ip6)[i];
251
252 // Packet mutations begin - point of no return, but if this first modification fails
253 // the packet is probably still pristine, so let clatd handle it.
254 if (bpf_skb_change_proto(skb, bpf_htons(ETH_P_IPV6), 0))
255 return TC_ACT_OK;
256
257 // This takes care of updating the skb->csum field for a CHECKSUM_COMPLETE packet.
258 // In such a case, skb->csum is a 16-bit one's complement sum of the entire payload,
259 // thus we need to subtract out the ipv4 header's sum, and add in the ipv6 header's sum.
260 // However, we've already verified the ipv4 checksum is correct and thus 0.
261 // Thus we only need to add the ipv6 header's sum.
262 //
263 // bpf_csum_update() always succeeds if the skb is CHECKSUM_COMPLETE and returns an error
264 // (-ENOTSUPP) if it isn't. So we just ignore the return code (see above for more details).
265 bpf_csum_update(skb, sum6);
266
267 // bpf_skb_change_proto() invalidates all pointers - reload them.
268 data = (void *)(long)skb->data;
269 data_end = (void *)(long)skb->data_end;
270
271 // I cannot think of any valid way for this error condition to trigger, however I do
272 // believe the explicit check is required to keep the in kernel ebpf verifier happy.
273 if (data + l2_header_size + sizeof(ip6) > data_end)
274 return TC_ACT_SHOT;
275
276 struct ethhdr *new_eth = data;
277
278 // Copy over the updated ethernet header
279 *new_eth = eth2;
280 // Copy over the new ipv4 header.
281 *(struct ipv6hdr *)(new_eth + 1) = ip6;
282 return TC_ACT_OK;
283 }
284
285 char _license[] SEC("license") = ("GPL");
286