| 1 | // SPDX-License-Identifier: GPL-2.0 |
|---|
| 2 | #include <linux/kernel.h> |
|---|
| 3 | #include <linux/netfilter.h> |
|---|
| 4 | #include <linux/netfilter_ipv4.h> |
|---|
| 5 | #include <linux/netfilter_ipv6.h> |
|---|
| 6 | #include <net/netfilter/nf_queue.h> |
|---|
| 7 | #include <net/ip6_checksum.h> |
|---|
| 8 | |
|---|
| 9 | #ifdef CONFIG_INET |
|---|
| 10 | __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook, |
|---|
| 11 | unsigned int dataoff, u8 protocol) |
|---|
| 12 | { |
|---|
| 13 | const struct iphdr *iph = ip_hdr(skb); |
|---|
| 14 | __sum16 csum = 0; |
|---|
| 15 | |
|---|
| 16 | switch (skb->ip_summed) { |
|---|
| 17 | case CHECKSUM_COMPLETE: |
|---|
| 18 | if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN) |
|---|
| 19 | break; |
|---|
| 20 | if ((protocol != IPPROTO_TCP && protocol != IPPROTO_UDP && |
|---|
| 21 | !csum_fold(sum: skb->csum)) || |
|---|
| 22 | !csum_tcpudp_magic(saddr: iph->saddr, daddr: iph->daddr, |
|---|
| 23 | len: skb->len - dataoff, proto: protocol, |
|---|
| 24 | sum: skb->csum)) { |
|---|
| 25 | skb->ip_summed = CHECKSUM_UNNECESSARY; |
|---|
| 26 | break; |
|---|
| 27 | } |
|---|
| 28 | fallthrough; |
|---|
| 29 | case CHECKSUM_NONE: |
|---|
| 30 | if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP) |
|---|
| 31 | skb->csum = 0; |
|---|
| 32 | else |
|---|
| 33 | skb->csum = csum_tcpudp_nofold(saddr: iph->saddr, daddr: iph->daddr, |
|---|
| 34 | len: skb->len - dataoff, |
|---|
| 35 | proto: protocol, sum: 0); |
|---|
| 36 | csum = __skb_checksum_complete(skb); |
|---|
| 37 | } |
|---|
| 38 | return csum; |
|---|
| 39 | } |
|---|
| 40 | EXPORT_SYMBOL(nf_ip_checksum); |
|---|
| 41 | #endif |
|---|
| 42 | |
|---|
| 43 | static __sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook, |
|---|
| 44 | unsigned int dataoff, unsigned int len, |
|---|
| 45 | u8 protocol) |
|---|
| 46 | { |
|---|
| 47 | const struct iphdr *iph = ip_hdr(skb); |
|---|
| 48 | __sum16 csum = 0; |
|---|
| 49 | |
|---|
| 50 | switch (skb->ip_summed) { |
|---|
| 51 | case CHECKSUM_COMPLETE: |
|---|
| 52 | if (len == skb->len - dataoff) |
|---|
| 53 | return nf_ip_checksum(skb, hook, dataoff, protocol); |
|---|
| 54 | fallthrough; |
|---|
| 55 | case CHECKSUM_NONE: |
|---|
| 56 | skb->csum = csum_tcpudp_nofold(saddr: iph->saddr, daddr: iph->daddr, len: protocol, |
|---|
| 57 | proto: skb->len - dataoff, sum: 0); |
|---|
| 58 | skb->ip_summed = CHECKSUM_NONE; |
|---|
| 59 | return __skb_checksum_complete_head(skb, len: dataoff + len); |
|---|
| 60 | } |
|---|
| 61 | return csum; |
|---|
| 62 | } |
|---|
| 63 | |
|---|
| 64 | __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook, |
|---|
| 65 | unsigned int dataoff, u8 protocol) |
|---|
| 66 | { |
|---|
| 67 | const struct ipv6hdr *ip6h = ipv6_hdr(skb); |
|---|
| 68 | __sum16 csum = 0; |
|---|
| 69 | |
|---|
| 70 | switch (skb->ip_summed) { |
|---|
| 71 | case CHECKSUM_COMPLETE: |
|---|
| 72 | if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN) |
|---|
| 73 | break; |
|---|
| 74 | if (!csum_ipv6_magic(saddr: &ip6h->saddr, daddr: &ip6h->daddr, |
|---|
| 75 | len: skb->len - dataoff, proto: protocol, |
|---|
| 76 | sum: csum_sub(csum: skb->csum, |
|---|
| 77 | addend: skb_checksum(skb, offset: 0, |
|---|
| 78 | len: dataoff, csum: 0)))) { |
|---|
| 79 | skb->ip_summed = CHECKSUM_UNNECESSARY; |
|---|
| 80 | break; |
|---|
| 81 | } |
|---|
| 82 | fallthrough; |
|---|
| 83 | case CHECKSUM_NONE: |
|---|
| 84 | skb->csum = ~csum_unfold( |
|---|
| 85 | n: csum_ipv6_magic(saddr: &ip6h->saddr, daddr: &ip6h->daddr, |
|---|
| 86 | len: skb->len - dataoff, |
|---|
| 87 | proto: protocol, |
|---|
| 88 | sum: csum_sub(csum: 0, |
|---|
| 89 | addend: skb_checksum(skb, offset: 0, |
|---|
| 90 | len: dataoff, csum: 0)))); |
|---|
| 91 | csum = __skb_checksum_complete(skb); |
|---|
| 92 | } |
|---|
| 93 | return csum; |
|---|
| 94 | } |
|---|
| 95 | EXPORT_SYMBOL(nf_ip6_checksum); |
|---|
| 96 | |
|---|
| 97 | static __sum16 nf_ip6_checksum_partial(struct sk_buff *skb, unsigned int hook, |
|---|
| 98 | unsigned int dataoff, unsigned int len, |
|---|
| 99 | u8 protocol) |
|---|
| 100 | { |
|---|
| 101 | const struct ipv6hdr *ip6h = ipv6_hdr(skb); |
|---|
| 102 | __wsum hsum; |
|---|
| 103 | __sum16 csum = 0; |
|---|
| 104 | |
|---|
| 105 | switch (skb->ip_summed) { |
|---|
| 106 | case CHECKSUM_COMPLETE: |
|---|
| 107 | if (len == skb->len - dataoff) |
|---|
| 108 | return nf_ip6_checksum(skb, hook, dataoff, protocol); |
|---|
| 109 | fallthrough; |
|---|
| 110 | case CHECKSUM_NONE: |
|---|
| 111 | hsum = skb_checksum(skb, offset: 0, len: dataoff, csum: 0); |
|---|
| 112 | skb->csum = ~csum_unfold(n: csum_ipv6_magic(saddr: &ip6h->saddr, |
|---|
| 113 | daddr: &ip6h->daddr, |
|---|
| 114 | len: skb->len - dataoff, |
|---|
| 115 | proto: protocol, |
|---|
| 116 | sum: csum_sub(csum: 0, addend: hsum))); |
|---|
| 117 | skb->ip_summed = CHECKSUM_NONE; |
|---|
| 118 | return __skb_checksum_complete_head(skb, len: dataoff + len); |
|---|
| 119 | } |
|---|
| 120 | return csum; |
|---|
| 121 | }; |
|---|
| 122 | |
|---|
| 123 | __sum16 nf_checksum(struct sk_buff *skb, unsigned int hook, |
|---|
| 124 | unsigned int dataoff, u8 protocol, |
|---|
| 125 | unsigned short family) |
|---|
| 126 | { |
|---|
| 127 | __sum16 csum = 0; |
|---|
| 128 | |
|---|
| 129 | switch (family) { |
|---|
| 130 | case AF_INET: |
|---|
| 131 | csum = nf_ip_checksum(skb, hook, dataoff, protocol); |
|---|
| 132 | break; |
|---|
| 133 | case AF_INET6: |
|---|
| 134 | csum = nf_ip6_checksum(skb, hook, dataoff, protocol); |
|---|
| 135 | break; |
|---|
| 136 | } |
|---|
| 137 | |
|---|
| 138 | return csum; |
|---|
| 139 | } |
|---|
| 140 | EXPORT_SYMBOL_GPL(nf_checksum); |
|---|
| 141 | |
|---|
| 142 | __sum16 nf_checksum_partial(struct sk_buff *skb, unsigned int hook, |
|---|
| 143 | unsigned int dataoff, unsigned int len, |
|---|
| 144 | u8 protocol, unsigned short family) |
|---|
| 145 | { |
|---|
| 146 | __sum16 csum = 0; |
|---|
| 147 | |
|---|
| 148 | switch (family) { |
|---|
| 149 | case AF_INET: |
|---|
| 150 | csum = nf_ip_checksum_partial(skb, hook, dataoff, len, |
|---|
| 151 | protocol); |
|---|
| 152 | break; |
|---|
| 153 | case AF_INET6: |
|---|
| 154 | csum = nf_ip6_checksum_partial(skb, hook, dataoff, len, |
|---|
| 155 | protocol); |
|---|
| 156 | break; |
|---|
| 157 | } |
|---|
| 158 | |
|---|
| 159 | return csum; |
|---|
| 160 | } |
|---|
| 161 | EXPORT_SYMBOL_GPL(nf_checksum_partial); |
|---|
| 162 | |
|---|
| 163 | int nf_route(struct net *net, struct dst_entry **dst, struct flowi *fl, |
|---|
| 164 | bool strict, unsigned short family) |
|---|
| 165 | { |
|---|
| 166 | const struct nf_ipv6_ops *v6ops __maybe_unused; |
|---|
| 167 | int ret = 0; |
|---|
| 168 | |
|---|
| 169 | switch (family) { |
|---|
| 170 | case AF_INET: |
|---|
| 171 | ret = nf_ip_route(net, dst, fl, strict); |
|---|
| 172 | break; |
|---|
| 173 | case AF_INET6: |
|---|
| 174 | ret = nf_ip6_route(net, dst, fl, strict); |
|---|
| 175 | break; |
|---|
| 176 | } |
|---|
| 177 | |
|---|
| 178 | return ret; |
|---|
| 179 | } |
|---|
| 180 | EXPORT_SYMBOL_GPL(nf_route); |
|---|
| 181 | |
|---|
| 182 | /* Only get and check the lengths, not do any hop-by-hop stuff. */ |
|---|
| 183 | int nf_ip6_check_hbh_len(struct sk_buff *skb, u32 *plen) |
|---|
| 184 | { |
|---|
| 185 | int len, off = sizeof(struct ipv6hdr); |
|---|
| 186 | unsigned char *nh; |
|---|
| 187 | |
|---|
| 188 | if (!pskb_may_pull(skb, len: off + 8)) |
|---|
| 189 | return -ENOMEM; |
|---|
| 190 | nh = (unsigned char *)(ipv6_hdr(skb) + 1); |
|---|
| 191 | len = (nh[1] + 1) << 3; |
|---|
| 192 | |
|---|
| 193 | if (!pskb_may_pull(skb, len: off + len)) |
|---|
| 194 | return -ENOMEM; |
|---|
| 195 | nh = skb_network_header(skb); |
|---|
| 196 | |
|---|
| 197 | off += 2; |
|---|
| 198 | len -= 2; |
|---|
| 199 | while (len > 0) { |
|---|
| 200 | int optlen; |
|---|
| 201 | |
|---|
| 202 | if (nh[off] == IPV6_TLV_PAD1) { |
|---|
| 203 | off++; |
|---|
| 204 | len--; |
|---|
| 205 | continue; |
|---|
| 206 | } |
|---|
| 207 | if (len < 2) |
|---|
| 208 | return -EBADMSG; |
|---|
| 209 | optlen = nh[off + 1] + 2; |
|---|
| 210 | if (optlen > len) |
|---|
| 211 | return -EBADMSG; |
|---|
| 212 | |
|---|
| 213 | if (nh[off] == IPV6_TLV_JUMBO) { |
|---|
| 214 | u32 pkt_len; |
|---|
| 215 | |
|---|
| 216 | if (nh[off + 1] != 4 || (off & 3) != 2) |
|---|
| 217 | return -EBADMSG; |
|---|
| 218 | pkt_len = ntohl(*(__be32 *)(nh + off + 2)); |
|---|
| 219 | if (pkt_len <= IPV6_MAXPLEN || |
|---|
| 220 | ipv6_hdr(skb)->payload_len) |
|---|
| 221 | return -EBADMSG; |
|---|
| 222 | if (pkt_len > skb->len - sizeof(struct ipv6hdr)) |
|---|
| 223 | return -EBADMSG; |
|---|
| 224 | *plen = pkt_len; |
|---|
| 225 | } |
|---|
| 226 | off += optlen; |
|---|
| 227 | len -= optlen; |
|---|
| 228 | } |
|---|
| 229 | |
|---|
| 230 | return len ? -EBADMSG : 0; |
|---|
| 231 | } |
|---|
| 232 | EXPORT_SYMBOL_GPL(nf_ip6_check_hbh_len); |
|---|
| 233 | |
|---|
