1/*
2 * Copyright (c) 2013 Patrick McHardy <kaber@trash.net>
3 *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
7 */
8
9#include <linux/module.h>
10#include <linux/skbuff.h>
11#include <net/tcp.h>
12
13#include <linux/netfilter_ipv4/ip_tables.h>
14#include <linux/netfilter/x_tables.h>
15#include <linux/netfilter/xt_SYNPROXY.h>
16#include <net/netfilter/nf_conntrack.h>
17#include <net/netfilter/nf_conntrack_seqadj.h>
18#include <net/netfilter/nf_conntrack_synproxy.h>
19#include <net/netfilter/nf_conntrack_ecache.h>
20
21static struct iphdr *
22synproxy_build_ip(struct net *net, struct sk_buff *skb, __be32 saddr,
23 __be32 daddr)
24{
25 struct iphdr *iph;
26
27 skb_reset_network_header(skb);
28 iph = skb_put(skb, sizeof(*iph));
29 iph->version = 4;
30 iph->ihl = sizeof(*iph) / 4;
31 iph->tos = 0;
32 iph->id = 0;
33 iph->frag_off = htons(IP_DF);
34 iph->ttl = net->ipv4.sysctl_ip_default_ttl;
35 iph->protocol = IPPROTO_TCP;
36 iph->check = 0;
37 iph->saddr = saddr;
38 iph->daddr = daddr;
39
40 return iph;
41}
42
43static void
44synproxy_send_tcp(struct net *net,
45 const struct sk_buff *skb, struct sk_buff *nskb,
46 struct nf_conntrack *nfct, enum ip_conntrack_info ctinfo,
47 struct iphdr *niph, struct tcphdr *nth,
48 unsigned int tcp_hdr_size)
49{
50 nth->check = ~tcp_v4_check(tcp_hdr_size, niph->saddr, niph->daddr, 0);
51 nskb->ip_summed = CHECKSUM_PARTIAL;
52 nskb->csum_start = (unsigned char *)nth - nskb->head;
53 nskb->csum_offset = offsetof(struct tcphdr, check);
54
55 skb_dst_set_noref(nskb, skb_dst(skb));
56 nskb->protocol = htons(ETH_P_IP);
57 if (ip_route_me_harder(net, nskb, RTN_UNSPEC))
58 goto free_nskb;
59
60 if (nfct) {
61 nf_ct_set(nskb, (struct nf_conn *)nfct, ctinfo);
62 nf_conntrack_get(nfct);
63 }
64
65 ip_local_out(net, nskb->sk, nskb);
66 return;
67
68free_nskb:
69 kfree_skb(nskb);
70}
71
72static void
73synproxy_send_client_synack(struct net *net,
74 const struct sk_buff *skb, const struct tcphdr *th,
75 const struct synproxy_options *opts)
76{
77 struct sk_buff *nskb;
78 struct iphdr *iph, *niph;
79 struct tcphdr *nth;
80 unsigned int tcp_hdr_size;
81 u16 mss = opts->mss;
82
83 iph = ip_hdr(skb);
84
85 tcp_hdr_size = sizeof(*nth) + synproxy_options_size(opts);
86 nskb = alloc_skb(sizeof(*niph) + tcp_hdr_size + MAX_TCP_HEADER,
87 GFP_ATOMIC);
88 if (nskb == NULL)
89 return;
90 skb_reserve(nskb, MAX_TCP_HEADER);
91
92 niph = synproxy_build_ip(net, nskb, iph->daddr, iph->saddr);
93
94 skb_reset_transport_header(nskb);
95 nth = skb_put(nskb, tcp_hdr_size);
96 nth->source = th->dest;
97 nth->dest = th->source;
98 nth->seq = htonl(__cookie_v4_init_sequence(iph, th, &mss));
99 nth->ack_seq = htonl(ntohl(th->seq) + 1);
100 tcp_flag_word(nth) = TCP_FLAG_SYN | TCP_FLAG_ACK;
101 if (opts->options & XT_SYNPROXY_OPT_ECN)
102 tcp_flag_word(nth) |= TCP_FLAG_ECE;
103 nth->doff = tcp_hdr_size / 4;
104 nth->window = 0;
105 nth->check = 0;
106 nth->urg_ptr = 0;
107
108 synproxy_build_options(nth, opts);
109
110 synproxy_send_tcp(net, skb, nskb, skb_nfct(skb),
111 IP_CT_ESTABLISHED_REPLY, niph, nth, tcp_hdr_size);
112}
113
114static void
115synproxy_send_server_syn(struct net *net,
116 const struct sk_buff *skb, const struct tcphdr *th,
117 const struct synproxy_options *opts, u32 recv_seq)
118{
119 struct synproxy_net *snet = synproxy_pernet(net);
120 struct sk_buff *nskb;
121 struct iphdr *iph, *niph;
122 struct tcphdr *nth;
123 unsigned int tcp_hdr_size;
124
125 iph = ip_hdr(skb);
126
127 tcp_hdr_size = sizeof(*nth) + synproxy_options_size(opts);
128 nskb = alloc_skb(sizeof(*niph) + tcp_hdr_size + MAX_TCP_HEADER,
129 GFP_ATOMIC);
130 if (nskb == NULL)
131 return;
132 skb_reserve(nskb, MAX_TCP_HEADER);
133
134 niph = synproxy_build_ip(net, nskb, iph->saddr, iph->daddr);
135
136 skb_reset_transport_header(nskb);
137 nth = skb_put(nskb, tcp_hdr_size);
138 nth->source = th->source;
139 nth->dest = th->dest;
140 nth->seq = htonl(recv_seq - 1);
141 /* ack_seq is used to relay our ISN to the synproxy hook to initialize
142 * sequence number translation once a connection tracking entry exists.
143 */
144 nth->ack_seq = htonl(ntohl(th->ack_seq) - 1);
145 tcp_flag_word(nth) = TCP_FLAG_SYN;
146 if (opts->options & XT_SYNPROXY_OPT_ECN)
147 tcp_flag_word(nth) |= TCP_FLAG_ECE | TCP_FLAG_CWR;
148 nth->doff = tcp_hdr_size / 4;
149 nth->window = th->window;
150 nth->check = 0;
151 nth->urg_ptr = 0;
152
153 synproxy_build_options(nth, opts);
154
155 synproxy_send_tcp(net, skb, nskb, &snet->tmpl->ct_general, IP_CT_NEW,
156 niph, nth, tcp_hdr_size);
157}
158
159static void
160synproxy_send_server_ack(struct net *net,
161 const struct ip_ct_tcp *state,
162 const struct sk_buff *skb, const struct tcphdr *th,
163 const struct synproxy_options *opts)
164{
165 struct sk_buff *nskb;
166 struct iphdr *iph, *niph;
167 struct tcphdr *nth;
168 unsigned int tcp_hdr_size;
169
170 iph = ip_hdr(skb);
171
172 tcp_hdr_size = sizeof(*nth) + synproxy_options_size(opts);
173 nskb = alloc_skb(sizeof(*niph) + tcp_hdr_size + MAX_TCP_HEADER,
174 GFP_ATOMIC);
175 if (nskb == NULL)
176 return;
177 skb_reserve(nskb, MAX_TCP_HEADER);
178
179 niph = synproxy_build_ip(net, nskb, iph->daddr, iph->saddr);
180
181 skb_reset_transport_header(nskb);
182 nth = skb_put(nskb, tcp_hdr_size);
183 nth->source = th->dest;
184 nth->dest = th->source;
185 nth->seq = htonl(ntohl(th->ack_seq));
186 nth->ack_seq = htonl(ntohl(th->seq) + 1);
187 tcp_flag_word(nth) = TCP_FLAG_ACK;
188 nth->doff = tcp_hdr_size / 4;
189 nth->window = htons(state->seen[IP_CT_DIR_ORIGINAL].td_maxwin);
190 nth->check = 0;
191 nth->urg_ptr = 0;
192
193 synproxy_build_options(nth, opts);
194
195 synproxy_send_tcp(net, skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
196}
197
198static void
199synproxy_send_client_ack(struct net *net,
200 const struct sk_buff *skb, const struct tcphdr *th,
201 const struct synproxy_options *opts)
202{
203 struct sk_buff *nskb;
204 struct iphdr *iph, *niph;
205 struct tcphdr *nth;
206 unsigned int tcp_hdr_size;
207
208 iph = ip_hdr(skb);
209
210 tcp_hdr_size = sizeof(*nth) + synproxy_options_size(opts);
211 nskb = alloc_skb(sizeof(*niph) + tcp_hdr_size + MAX_TCP_HEADER,
212 GFP_ATOMIC);
213 if (nskb == NULL)
214 return;
215 skb_reserve(nskb, MAX_TCP_HEADER);
216
217 niph = synproxy_build_ip(net, nskb, iph->saddr, iph->daddr);
218
219 skb_reset_transport_header(nskb);
220 nth = skb_put(nskb, tcp_hdr_size);
221 nth->source = th->source;
222 nth->dest = th->dest;
223 nth->seq = htonl(ntohl(th->seq) + 1);
224 nth->ack_seq = th->ack_seq;
225 tcp_flag_word(nth) = TCP_FLAG_ACK;
226 nth->doff = tcp_hdr_size / 4;
227 nth->window = htons(ntohs(th->window) >> opts->wscale);
228 nth->check = 0;
229 nth->urg_ptr = 0;
230
231 synproxy_build_options(nth, opts);
232
233 synproxy_send_tcp(net, skb, nskb, skb_nfct(skb),
234 IP_CT_ESTABLISHED_REPLY, niph, nth, tcp_hdr_size);
235}
236
237static bool
238synproxy_recv_client_ack(struct net *net,
239 const struct sk_buff *skb, const struct tcphdr *th,
240 struct synproxy_options *opts, u32 recv_seq)
241{
242 struct synproxy_net *snet = synproxy_pernet(net);
243 int mss;
244
245 mss = __cookie_v4_check(ip_hdr(skb), th, ntohl(th->ack_seq) - 1);
246 if (mss == 0) {
247 this_cpu_inc(snet->stats->cookie_invalid);
248 return false;
249 }
250
251 this_cpu_inc(snet->stats->cookie_valid);
252 opts->mss = mss;
253 opts->options |= XT_SYNPROXY_OPT_MSS;
254
255 if (opts->options & XT_SYNPROXY_OPT_TIMESTAMP)
256 synproxy_check_timestamp_cookie(opts);
257
258 synproxy_send_server_syn(net, skb, th, opts, recv_seq);
259 return true;
260}
261
262static unsigned int
263synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par)
264{
265 const struct xt_synproxy_info *info = par->targinfo;
266 struct net *net = xt_net(par);
267 struct synproxy_net *snet = synproxy_pernet(net);
268 struct synproxy_options opts = {};
269 struct tcphdr *th, _th;
270
271 if (nf_ip_checksum(skb, xt_hooknum(par), par->thoff, IPPROTO_TCP))
272 return NF_DROP;
273
274 th = skb_header_pointer(skb, par->thoff, sizeof(_th), &_th);
275 if (th == NULL)
276 return NF_DROP;
277
278 if (!synproxy_parse_options(skb, par->thoff, th, &opts))
279 return NF_DROP;
280
281 if (th->syn && !(th->ack || th->fin || th->rst)) {
282 /* Initial SYN from client */
283 this_cpu_inc(snet->stats->syn_received);
284
285 if (th->ece && th->cwr)
286 opts.options |= XT_SYNPROXY_OPT_ECN;
287
288 opts.options &= info->options;
289 if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP)
290 synproxy_init_timestamp_cookie(info, &opts);
291 else
292 opts.options &= ~(XT_SYNPROXY_OPT_WSCALE |
293 XT_SYNPROXY_OPT_SACK_PERM |
294 XT_SYNPROXY_OPT_ECN);
295
296 synproxy_send_client_synack(net, skb, th, &opts);
297 consume_skb(skb);
298 return NF_STOLEN;
299 } else if (th->ack && !(th->fin || th->rst || th->syn)) {
300 /* ACK from client */
301 if (synproxy_recv_client_ack(net, skb, th, &opts, ntohl(th->seq))) {
302 consume_skb(skb);
303 return NF_STOLEN;
304 } else {
305 return NF_DROP;
306 }
307 }
308
309 return XT_CONTINUE;
310}
311
312static unsigned int ipv4_synproxy_hook(void *priv,
313 struct sk_buff *skb,
314 const struct nf_hook_state *nhs)
315{
316 struct net *net = nhs->net;
317 struct synproxy_net *snet = synproxy_pernet(net);
318 enum ip_conntrack_info ctinfo;
319 struct nf_conn *ct;
320 struct nf_conn_synproxy *synproxy;
321 struct synproxy_options opts = {};
322 const struct ip_ct_tcp *state;
323 struct tcphdr *th, _th;
324 unsigned int thoff;
325
326 ct = nf_ct_get(skb, &ctinfo);
327 if (ct == NULL)
328 return NF_ACCEPT;
329
330 synproxy = nfct_synproxy(ct);
331 if (synproxy == NULL)
332 return NF_ACCEPT;
333
334 if (nf_is_loopback_packet(skb) ||
335 ip_hdr(skb)->protocol != IPPROTO_TCP)
336 return NF_ACCEPT;
337
338 thoff = ip_hdrlen(skb);
339 th = skb_header_pointer(skb, thoff, sizeof(_th), &_th);
340 if (th == NULL)
341 return NF_DROP;
342
343 state = &ct->proto.tcp;
344 switch (state->state) {
345 case TCP_CONNTRACK_CLOSE:
346 if (th->rst && !test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
347 nf_ct_seqadj_init(ct, ctinfo, synproxy->isn -
348 ntohl(th->seq) + 1);
349 break;
350 }
351
352 if (!th->syn || th->ack ||
353 CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL)
354 break;
355
356 /* Reopened connection - reset the sequence number and timestamp
357 * adjustments, they will get initialized once the connection is
358 * reestablished.
359 */
360 nf_ct_seqadj_init(ct, ctinfo, 0);
361 synproxy->tsoff = 0;
362 this_cpu_inc(snet->stats->conn_reopened);
363
364 /* fall through */
365 case TCP_CONNTRACK_SYN_SENT:
366 if (!synproxy_parse_options(skb, thoff, th, &opts))
367 return NF_DROP;
368
369 if (!th->syn && th->ack &&
370 CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL) {
371 /* Keep-Alives are sent with SEG.SEQ = SND.NXT-1,
372 * therefore we need to add 1 to make the SYN sequence
373 * number match the one of first SYN.
374 */
375 if (synproxy_recv_client_ack(net, skb, th, &opts,
376 ntohl(th->seq) + 1)) {
377 this_cpu_inc(snet->stats->cookie_retrans);
378 consume_skb(skb);
379 return NF_STOLEN;
380 } else {
381 return NF_DROP;
382 }
383 }
384
385 synproxy->isn = ntohl(th->ack_seq);
386 if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP)
387 synproxy->its = opts.tsecr;
388
389 nf_conntrack_event_cache(IPCT_SYNPROXY, ct);
390 break;
391 case TCP_CONNTRACK_SYN_RECV:
392 if (!th->syn || !th->ack)
393 break;
394
395 if (!synproxy_parse_options(skb, thoff, th, &opts))
396 return NF_DROP;
397
398 if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP) {
399 synproxy->tsoff = opts.tsval - synproxy->its;
400 nf_conntrack_event_cache(IPCT_SYNPROXY, ct);
401 }
402
403 opts.options &= ~(XT_SYNPROXY_OPT_MSS |
404 XT_SYNPROXY_OPT_WSCALE |
405 XT_SYNPROXY_OPT_SACK_PERM);
406
407 swap(opts.tsval, opts.tsecr);
408 synproxy_send_server_ack(net, state, skb, th, &opts);
409
410 nf_ct_seqadj_init(ct, ctinfo, synproxy->isn - ntohl(th->seq));
411 nf_conntrack_event_cache(IPCT_SEQADJ, ct);
412
413 swap(opts.tsval, opts.tsecr);
414 synproxy_send_client_ack(net, skb, th, &opts);
415
416 consume_skb(skb);
417 return NF_STOLEN;
418 default:
419 break;
420 }
421
422 synproxy_tstamp_adjust(skb, thoff, th, ct, ctinfo, synproxy);
423 return NF_ACCEPT;
424}
425
426static const struct nf_hook_ops ipv4_synproxy_ops[] = {
427 {
428 .hook = ipv4_synproxy_hook,
429 .pf = NFPROTO_IPV4,
430 .hooknum = NF_INET_LOCAL_IN,
431 .priority = NF_IP_PRI_CONNTRACK_CONFIRM - 1,
432 },
433 {
434 .hook = ipv4_synproxy_hook,
435 .pf = NFPROTO_IPV4,
436 .hooknum = NF_INET_POST_ROUTING,
437 .priority = NF_IP_PRI_CONNTRACK_CONFIRM - 1,
438 },
439};
440
441static int synproxy_tg4_check(const struct xt_tgchk_param *par)
442{
443 struct synproxy_net *snet = synproxy_pernet(par->net);
444 const struct ipt_entry *e = par->entryinfo;
445 int err;
446
447 if (e->ip.proto != IPPROTO_TCP ||
448 e->ip.invflags & XT_INV_PROTO)
449 return -EINVAL;
450
451 err = nf_ct_netns_get(par->net, par->family);
452 if (err)
453 return err;
454
455 if (snet->hook_ref4 == 0) {
456 err = nf_register_net_hooks(par->net, ipv4_synproxy_ops,
457 ARRAY_SIZE(ipv4_synproxy_ops));
458 if (err) {
459 nf_ct_netns_put(par->net, par->family);
460 return err;
461 }
462 }
463
464 snet->hook_ref4++;
465 return err;
466}
467
468static void synproxy_tg4_destroy(const struct xt_tgdtor_param *par)
469{
470 struct synproxy_net *snet = synproxy_pernet(par->net);
471
472 snet->hook_ref4--;
473 if (snet->hook_ref4 == 0)
474 nf_unregister_net_hooks(par->net, ipv4_synproxy_ops,
475 ARRAY_SIZE(ipv4_synproxy_ops));
476 nf_ct_netns_put(par->net, par->family);
477}
478
479static struct xt_target synproxy_tg4_reg __read_mostly = {
480 .name = "SYNPROXY",
481 .family = NFPROTO_IPV4,
482 .hooks = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD),
483 .target = synproxy_tg4,
484 .targetsize = sizeof(struct xt_synproxy_info),
485 .checkentry = synproxy_tg4_check,
486 .destroy = synproxy_tg4_destroy,
487 .me = THIS_MODULE,
488};
489
490static int __init synproxy_tg4_init(void)
491{
492 return xt_register_target(&synproxy_tg4_reg);
493}
494
495static void __exit synproxy_tg4_exit(void)
496{
497 xt_unregister_target(&synproxy_tg4_reg);
498}
499
500module_init(synproxy_tg4_init);
501module_exit(synproxy_tg4_exit);
502
503MODULE_LICENSE("GPL");
504MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
505