1 | // SPDX-License-Identifier: GPL-2.0-only |
2 | /* |
3 | * This code is taken from the Android Open Source Project and the author |
4 | * (Maciej Żenczykowski) has gave permission to relicense it under the |
5 | * GPLv2. Therefore this program is free software; |
6 | * You can redistribute it and/or modify it under the terms of the GNU |
7 | * General Public License version 2 as published by the Free Software |
8 | * Foundation |
9 | |
10 | * The original headers, including the original license headers, are |
11 | * included below for completeness. |
12 | * |
13 | * Copyright (C) 2019 The Android Open Source Project |
14 | * |
15 | * Licensed under the Apache License, Version 2.0 (the "License"); |
16 | * you may not use this file except in compliance with the License. |
17 | * You may obtain a copy of the License at |
18 | * |
19 | * http://www.apache.org/licenses/LICENSE-2.0 |
20 | * |
21 | * Unless required by applicable law or agreed to in writing, software |
22 | * distributed under the License is distributed on an "AS IS" BASIS, |
23 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
24 | * See the License for the specific language governing permissions and |
25 | * limitations under the License. |
26 | */ |
27 | #include <linux/bpf.h> |
28 | #include <linux/if.h> |
29 | #include <linux/if_ether.h> |
30 | #include <linux/if_packet.h> |
31 | #include <linux/in.h> |
32 | #include <linux/in6.h> |
33 | #include <linux/ip.h> |
34 | #include <linux/ipv6.h> |
35 | #include <linux/pkt_cls.h> |
36 | #include <linux/swab.h> |
37 | #include <stdbool.h> |
38 | #include <stdint.h> |
39 | |
40 | |
41 | #include <linux/udp.h> |
42 | |
43 | #include <bpf/bpf_helpers.h> |
44 | #include <bpf/bpf_endian.h> |
45 | |
46 | #define IP_DF 0x4000 // Flag: "Don't Fragment" |
47 | |
48 | SEC("schedcls/ingress6/nat_6" ) |
49 | int sched_cls_ingress6_nat_6_prog(struct __sk_buff *skb) |
50 | { |
51 | const int = sizeof(struct ethhdr); |
52 | void *data = (void *)(long)skb->data; |
53 | const void *data_end = (void *)(long)skb->data_end; |
54 | const struct ethhdr * const eth = data; // used iff is_ethernet |
55 | const struct ipv6hdr * const ip6 = (void *)(eth + 1); |
56 | |
57 | // Require ethernet dst mac address to be our unicast address. |
58 | if (skb->pkt_type != PACKET_HOST) |
59 | return TC_ACT_OK; |
60 | |
61 | // Must be meta-ethernet IPv6 frame |
62 | if (skb->protocol != bpf_htons(ETH_P_IPV6)) |
63 | return TC_ACT_OK; |
64 | |
65 | // Must have (ethernet and) ipv6 header |
66 | if (data + l2_header_size + sizeof(*ip6) > data_end) |
67 | return TC_ACT_OK; |
68 | |
69 | // Ethertype - if present - must be IPv6 |
70 | if (eth->h_proto != bpf_htons(ETH_P_IPV6)) |
71 | return TC_ACT_OK; |
72 | |
73 | // IP version must be 6 |
74 | if (ip6->version != 6) |
75 | return TC_ACT_OK; |
76 | // Maximum IPv6 payload length that can be translated to IPv4 |
77 | if (bpf_ntohs(ip6->payload_len) > 0xFFFF - sizeof(struct iphdr)) |
78 | return TC_ACT_OK; |
79 | switch (ip6->nexthdr) { |
80 | case IPPROTO_TCP: // For TCP & UDP the checksum neutrality of the chosen IPv6 |
81 | case IPPROTO_UDP: // address means there is no need to update their checksums. |
82 | case IPPROTO_GRE: // We do not need to bother looking at GRE/ESP headers, |
83 | case IPPROTO_ESP: // since there is never a checksum to update. |
84 | break; |
85 | default: // do not know how to handle anything else |
86 | return TC_ACT_OK; |
87 | } |
88 | |
89 | struct ethhdr eth2; // used iff is_ethernet |
90 | |
91 | eth2 = *eth; // Copy over the ethernet header (src/dst mac) |
92 | eth2.h_proto = bpf_htons(ETH_P_IP); // But replace the ethertype |
93 | |
94 | struct iphdr ip = { |
95 | .version = 4, // u4 |
96 | .ihl = sizeof(struct iphdr) / sizeof(__u32), // u4 |
97 | .tos = (ip6->priority << 4) + (ip6->flow_lbl[0] >> 4), // u8 |
98 | .tot_len = bpf_htons(bpf_ntohs(ip6->payload_len) + sizeof(struct iphdr)), // u16 |
99 | .id = 0, // u16 |
100 | .frag_off = bpf_htons(IP_DF), // u16 |
101 | .ttl = ip6->hop_limit, // u8 |
102 | .protocol = ip6->nexthdr, // u8 |
103 | .check = 0, // u16 |
104 | .saddr = 0x0201a8c0, // u32 |
105 | .daddr = 0x0101a8c0, // u32 |
106 | }; |
107 | |
108 | // Calculate the IPv4 one's complement checksum of the IPv4 header. |
109 | __wsum sum4 = 0; |
110 | |
111 | for (int i = 0; i < sizeof(ip) / sizeof(__u16); ++i) |
112 | sum4 += ((__u16 *)&ip)[i]; |
113 | |
114 | // Note that sum4 is guaranteed to be non-zero by virtue of ip.version == 4 |
115 | sum4 = (sum4 & 0xFFFF) + (sum4 >> 16); // collapse u32 into range 1 .. 0x1FFFE |
116 | sum4 = (sum4 & 0xFFFF) + (sum4 >> 16); // collapse any potential carry into u16 |
117 | ip.check = (__u16)~sum4; // sum4 cannot be zero, so this is never 0xFFFF |
118 | |
119 | // Calculate the *negative* IPv6 16-bit one's complement checksum of the IPv6 header. |
120 | __wsum sum6 = 0; |
121 | // We'll end up with a non-zero sum due to ip6->version == 6 (which has '0' bits) |
122 | for (int i = 0; i < sizeof(*ip6) / sizeof(__u16); ++i) |
123 | sum6 += ~((__u16 *)ip6)[i]; // note the bitwise negation |
124 | |
125 | // Note that there is no L4 checksum update: we are relying on the checksum neutrality |
126 | // of the ipv6 address chosen by netd's ClatdController. |
127 | |
128 | // Packet mutations begin - point of no return, but if this first modification fails |
129 | // the packet is probably still pristine, so let clatd handle it. |
130 | if (bpf_skb_change_proto(skb, bpf_htons(ETH_P_IP), 0)) |
131 | return TC_ACT_OK; |
132 | bpf_csum_update(skb, sum6); |
133 | |
134 | data = (void *)(long)skb->data; |
135 | data_end = (void *)(long)skb->data_end; |
136 | if (data + l2_header_size + sizeof(struct iphdr) > data_end) |
137 | return TC_ACT_SHOT; |
138 | |
139 | struct ethhdr *new_eth = data; |
140 | |
141 | // Copy over the updated ethernet header |
142 | *new_eth = eth2; |
143 | |
144 | // Copy over the new ipv4 header. |
145 | *(struct iphdr *)(new_eth + 1) = ip; |
146 | return bpf_redirect(skb->ifindex, BPF_F_INGRESS); |
147 | } |
148 | |
149 | SEC("schedcls/egress4/snat4" ) |
150 | int sched_cls_egress4_snat4_prog(struct __sk_buff *skb) |
151 | { |
152 | const int = sizeof(struct ethhdr); |
153 | void *data = (void *)(long)skb->data; |
154 | const void *data_end = (void *)(long)skb->data_end; |
155 | const struct ethhdr *const eth = data; // used iff is_ethernet |
156 | const struct iphdr *const ip4 = (void *)(eth + 1); |
157 | |
158 | // Must be meta-ethernet IPv4 frame |
159 | if (skb->protocol != bpf_htons(ETH_P_IP)) |
160 | return TC_ACT_OK; |
161 | |
162 | // Must have ipv4 header |
163 | if (data + l2_header_size + sizeof(struct ipv6hdr) > data_end) |
164 | return TC_ACT_OK; |
165 | |
166 | // Ethertype - if present - must be IPv4 |
167 | if (eth->h_proto != bpf_htons(ETH_P_IP)) |
168 | return TC_ACT_OK; |
169 | |
170 | // IP version must be 4 |
171 | if (ip4->version != 4) |
172 | return TC_ACT_OK; |
173 | |
174 | // We cannot handle IP options, just standard 20 byte == 5 dword minimal IPv4 header |
175 | if (ip4->ihl != 5) |
176 | return TC_ACT_OK; |
177 | |
178 | // Maximum IPv6 payload length that can be translated to IPv4 |
179 | if (bpf_htons(ip4->tot_len) > 0xFFFF - sizeof(struct ipv6hdr)) |
180 | return TC_ACT_OK; |
181 | |
182 | // Calculate the IPv4 one's complement checksum of the IPv4 header. |
183 | __wsum sum4 = 0; |
184 | |
185 | for (int i = 0; i < sizeof(*ip4) / sizeof(__u16); ++i) |
186 | sum4 += ((__u16 *)ip4)[i]; |
187 | |
188 | // Note that sum4 is guaranteed to be non-zero by virtue of ip4->version == 4 |
189 | sum4 = (sum4 & 0xFFFF) + (sum4 >> 16); // collapse u32 into range 1 .. 0x1FFFE |
190 | sum4 = (sum4 & 0xFFFF) + (sum4 >> 16); // collapse any potential carry into u16 |
191 | // for a correct checksum we should get *a* zero, but sum4 must be positive, ie 0xFFFF |
192 | if (sum4 != 0xFFFF) |
193 | return TC_ACT_OK; |
194 | |
195 | // Minimum IPv4 total length is the size of the header |
196 | if (bpf_ntohs(ip4->tot_len) < sizeof(*ip4)) |
197 | return TC_ACT_OK; |
198 | |
199 | // We are incapable of dealing with IPv4 fragments |
200 | if (ip4->frag_off & ~bpf_htons(IP_DF)) |
201 | return TC_ACT_OK; |
202 | |
203 | switch (ip4->protocol) { |
204 | case IPPROTO_TCP: // For TCP & UDP the checksum neutrality of the chosen IPv6 |
205 | case IPPROTO_GRE: // address means there is no need to update their checksums. |
206 | case IPPROTO_ESP: // We do not need to bother looking at GRE/ESP headers, |
207 | break; // since there is never a checksum to update. |
208 | |
209 | case IPPROTO_UDP: // See above comment, but must also have UDP header... |
210 | if (data + sizeof(*ip4) + sizeof(struct udphdr) > data_end) |
211 | return TC_ACT_OK; |
212 | const struct udphdr *uh = (const struct udphdr *)(ip4 + 1); |
213 | // If IPv4/UDP checksum is 0 then fallback to clatd so it can calculate the |
214 | // checksum. Otherwise the network or more likely the NAT64 gateway might |
215 | // drop the packet because in most cases IPv6/UDP packets with a zero checksum |
216 | // are invalid. See RFC 6935. TODO: calculate checksum via bpf_csum_diff() |
217 | if (!uh->check) |
218 | return TC_ACT_OK; |
219 | break; |
220 | |
221 | default: // do not know how to handle anything else |
222 | return TC_ACT_OK; |
223 | } |
224 | struct ethhdr eth2; // used iff is_ethernet |
225 | |
226 | eth2 = *eth; // Copy over the ethernet header (src/dst mac) |
227 | eth2.h_proto = bpf_htons(ETH_P_IPV6); // But replace the ethertype |
228 | |
229 | struct ipv6hdr ip6 = { |
230 | .version = 6, // __u8:4 |
231 | .priority = ip4->tos >> 4, // __u8:4 |
232 | .flow_lbl = {(ip4->tos & 0xF) << 4, 0, 0}, // __u8[3] |
233 | .payload_len = bpf_htons(bpf_ntohs(ip4->tot_len) - 20), // __be16 |
234 | .nexthdr = ip4->protocol, // __u8 |
235 | .hop_limit = ip4->ttl, // __u8 |
236 | }; |
237 | ip6.saddr.in6_u.u6_addr32[0] = bpf_htonl(0x20010db8); |
238 | ip6.saddr.in6_u.u6_addr32[1] = 0; |
239 | ip6.saddr.in6_u.u6_addr32[2] = 0; |
240 | ip6.saddr.in6_u.u6_addr32[3] = bpf_htonl(1); |
241 | ip6.daddr.in6_u.u6_addr32[0] = bpf_htonl(0x20010db8); |
242 | ip6.daddr.in6_u.u6_addr32[1] = 0; |
243 | ip6.daddr.in6_u.u6_addr32[2] = 0; |
244 | ip6.daddr.in6_u.u6_addr32[3] = bpf_htonl(2); |
245 | |
246 | // Calculate the IPv6 16-bit one's complement checksum of the IPv6 header. |
247 | __wsum sum6 = 0; |
248 | // We'll end up with a non-zero sum due to ip6.version == 6 |
249 | for (int i = 0; i < sizeof(ip6) / sizeof(__u16); ++i) |
250 | sum6 += ((__u16 *)&ip6)[i]; |
251 | |
252 | // Packet mutations begin - point of no return, but if this first modification fails |
253 | // the packet is probably still pristine, so let clatd handle it. |
254 | if (bpf_skb_change_proto(skb, bpf_htons(ETH_P_IPV6), 0)) |
255 | return TC_ACT_OK; |
256 | |
257 | // This takes care of updating the skb->csum field for a CHECKSUM_COMPLETE packet. |
258 | // In such a case, skb->csum is a 16-bit one's complement sum of the entire payload, |
259 | // thus we need to subtract out the ipv4 header's sum, and add in the ipv6 header's sum. |
260 | // However, we've already verified the ipv4 checksum is correct and thus 0. |
261 | // Thus we only need to add the ipv6 header's sum. |
262 | // |
263 | // bpf_csum_update() always succeeds if the skb is CHECKSUM_COMPLETE and returns an error |
264 | // (-ENOTSUPP) if it isn't. So we just ignore the return code (see above for more details). |
265 | bpf_csum_update(skb, sum6); |
266 | |
267 | // bpf_skb_change_proto() invalidates all pointers - reload them. |
268 | data = (void *)(long)skb->data; |
269 | data_end = (void *)(long)skb->data_end; |
270 | |
271 | // I cannot think of any valid way for this error condition to trigger, however I do |
272 | // believe the explicit check is required to keep the in kernel ebpf verifier happy. |
273 | if (data + l2_header_size + sizeof(ip6) > data_end) |
274 | return TC_ACT_SHOT; |
275 | |
276 | struct ethhdr *new_eth = data; |
277 | |
278 | // Copy over the updated ethernet header |
279 | *new_eth = eth2; |
280 | // Copy over the new ipv4 header. |
281 | *(struct ipv6hdr *)(new_eth + 1) = ip6; |
282 | return TC_ACT_OK; |
283 | } |
284 | |
285 | char _license[] SEC("license" ) = ("GPL" ); |
286 | |