nat6to4.c source code [linux/tools/testing/selftests/net/nat6to4.c]

1	// SPDX-License-Identifier: GPL-2.0-only
2	/*
3	* This code is taken from the Android Open Source Project and the author
4	* (Maciej Żenczykowski) has gave permission to relicense it under the
5	* GPLv2. Therefore this program is free software;
6	* You can redistribute it and/or modify it under the terms of the GNU
7	* General Public License version 2 as published by the Free Software
8	* Foundation
9
10	* The original headers, including the original license headers, are
11	* included below for completeness.
12	*
13	* Copyright (C) 2019 The Android Open Source Project
14	*
15	* Licensed under the Apache License, Version 2.0 (the "License");
16	* you may not use this file except in compliance with the License.
17	* You may obtain a copy of the License at
18	*
19	* http://www.apache.org/licenses/LICENSE-2.0
20	*
21	* Unless required by applicable law or agreed to in writing, software
22	* distributed under the License is distributed on an "AS IS" BASIS,
23	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
24	* See the License for the specific language governing permissions and
25	* limitations under the License.
26	*/
27	#include <linux/bpf.h>
28	#include <linux/if.h>
29	#include <linux/if_ether.h>
30	#include <linux/if_packet.h>
31	#include <linux/in.h>
32	#include <linux/in6.h>
33	#include <linux/ip.h>
34	#include <linux/ipv6.h>
35	#include <linux/pkt_cls.h>
36	#include <linux/swab.h>
37	#include <stdbool.h>
38	#include <stdint.h>
39
40
41	#include <linux/udp.h>
42
43	#include <bpf/bpf_helpers.h>
44	#include <bpf/bpf_endian.h>
45
46	#define IP_DF 0x4000 // Flag: "Don't Fragment"
47
48	SEC("schedcls/ingress6/nat_6")
49	int sched_cls_ingress6_nat_6_prog(struct __sk_buff *skb)
50	{
51	const int l2_header_size = sizeof(struct ethhdr);
52	void data = (void* )(long*)skb->data;
53	const void data_end = (void* )(long*)skb->data_end;
54	const struct ethhdr * const eth = data; // used iff is_ethernet
55	const struct ipv6hdr * const ip6 = (void *)(eth + `1`);
56
57	// Require ethernet dst mac address to be our unicast address.
58	if (skb->pkt_type != PACKET_HOST)
59	return TC_ACT_OK;
60
61	// Must be meta-ethernet IPv6 frame
62	if (skb->protocol != bpf_htons(ETH_P_IPV6))
63	return TC_ACT_OK;
64
65	// Must have (ethernet and) ipv6 header
66	if (data + l2_header_size + sizeof(*ip6) > data_end)
67	return TC_ACT_OK;
68
69	// Ethertype - if present - must be IPv6
70	if (eth->h_proto != bpf_htons(ETH_P_IPV6))
71	return TC_ACT_OK;
72
73	// IP version must be 6
74	if (ip6->version != `6`)
75	return TC_ACT_OK;
76	// Maximum IPv6 payload length that can be translated to IPv4
77	if (bpf_ntohs(ip6->payload_len) > `0xFFFF` - sizeof(struct iphdr))
78	return TC_ACT_OK;
79	switch (ip6->nexthdr) {
80	case IPPROTO_TCP: // For TCP & UDP the checksum neutrality of the chosen IPv6
81	case IPPROTO_UDP: // address means there is no need to update their checksums.
82	case IPPROTO_GRE: // We do not need to bother looking at GRE/ESP headers,
83	case IPPROTO_ESP: // since there is never a checksum to update.
84	break;
85	default: // do not know how to handle anything else
86	return TC_ACT_OK;
87	}
88
89	struct ethhdr eth2; // used iff is_ethernet
90
91	eth2 = eth; // Copy over the ethernet header (src/dst mac)*
92	eth2.h_proto = bpf_htons(ETH_P_IP); // But replace the ethertype
93
94	struct iphdr ip = {
95	.version = `4`, // u4
96	.ihl = sizeof(struct iphdr) / sizeof(__u32), // u4
97	.tos = (ip6->priority << `4`) + (ip6->flow_lbl[`0`] >> `4`), // u8
98	.tot_len = bpf_htons(bpf_ntohs(ip6->payload_len) + sizeof(struct iphdr)), // u16
99	.id = `0`, // u16
100	.frag_off = bpf_htons(IP_DF), // u16
101	.ttl = ip6->hop_limit, // u8
102	.protocol = ip6->nexthdr, // u8
103	.check = `0`, // u16
104	.saddr = `0x0201a8c0`, // u32
105	.daddr = `0x0101a8c0`, // u32
106	};
107
108	// Calculate the IPv4 one's complement checksum of the IPv4 header.
109	__wsum sum4 = `0`;
110
111	for (int i = `0`; i < sizeof(ip) / sizeof(__u16); ++i)
112	sum4 += ((__u16 *)&ip)[i];
113
114	// Note that sum4 is guaranteed to be non-zero by virtue of ip.version == 4
115	sum4 = (sum4 & `0xFFFF`) + (sum4 >> `16`); // collapse u32 into range 1 .. 0x1FFFE
116	sum4 = (sum4 & `0xFFFF`) + (sum4 >> `16`); // collapse any potential carry into u16
117	ip.check = (__u16)~sum4; // sum4 cannot be zero, so this is never 0xFFFF
118
119	// Calculate the negative* IPv6 16-bit one's complement checksum of the IPv6 header.*
120	__wsum sum6 = `0`;
121	// We'll end up with a non-zero sum due to ip6->version == 6 (which has '0' bits)
122	for (int i = `0`; i < sizeof(ip6) / sizeof*(__u16); ++i)
123	sum6 += ~((__u16 )ip6)[i]; // note the bitwise negation*
124
125	// Note that there is no L4 checksum update: we are relying on the checksum neutrality
126	// of the ipv6 address chosen by netd's ClatdController.
127
128	// Packet mutations begin - point of no return, but if this first modification fails
129	// the packet is probably still pristine, so let clatd handle it.
130	if (bpf_skb_change_proto(skb, bpf_htons(ETH_P_IP), `0`))
131	return TC_ACT_OK;
132	bpf_csum_update(skb, sum6);
133
134	data = (void )(long*)skb->data;
135	data_end = (void )(long*)skb->data_end;
136	if (data + l2_header_size + sizeof(struct iphdr) > data_end)
137	return TC_ACT_SHOT;
138
139	struct ethhdr *new_eth = data;
140
141	// Copy over the updated ethernet header
142	*new_eth = eth2;
143
144	// Copy over the new ipv4 header.
145	(struct* iphdr *)(new_eth + `1`) = ip;
146	return bpf_redirect(skb->ifindex, BPF_F_INGRESS);
147	}
148
149	SEC("schedcls/egress4/snat4")
150	int sched_cls_egress4_snat4_prog(struct __sk_buff *skb)
151	{
152	const int l2_header_size = sizeof(struct ethhdr);
153	void data = (void* )(long*)skb->data;
154	const void data_end = (void* )(long*)skb->data_end;
155	const struct ethhdr *const eth = data; // used iff is_ethernet
156	const struct iphdr *const ip4 = (void *)(eth + `1`);
157
158	// Must be meta-ethernet IPv4 frame
159	if (skb->protocol != bpf_htons(ETH_P_IP))
160	return TC_ACT_OK;
161
162	// Must have ipv4 header
163	if (data + l2_header_size + sizeof(struct ipv6hdr) > data_end)
164	return TC_ACT_OK;
165
166	// Ethertype - if present - must be IPv4
167	if (eth->h_proto != bpf_htons(ETH_P_IP))
168	return TC_ACT_OK;
169
170	// IP version must be 4
171	if (ip4->version != `4`)
172	return TC_ACT_OK;
173
174	// We cannot handle IP options, just standard 20 byte == 5 dword minimal IPv4 header
175	if (ip4->ihl != `5`)
176	return TC_ACT_OK;
177
178	// Maximum IPv6 payload length that can be translated to IPv4
179	if (bpf_htons(ip4->tot_len) > `0xFFFF` - sizeof(struct ipv6hdr))
180	return TC_ACT_OK;
181
182	// Calculate the IPv4 one's complement checksum of the IPv4 header.
183	__wsum sum4 = `0`;
184
185	for (int i = `0`; i < sizeof(ip4) / sizeof*(__u16); ++i)
186	sum4 += ((__u16 *)ip4)[i];
187
188	// Note that sum4 is guaranteed to be non-zero by virtue of ip4->version == 4
189	sum4 = (sum4 & `0xFFFF`) + (sum4 >> `16`); // collapse u32 into range 1 .. 0x1FFFE
190	sum4 = (sum4 & `0xFFFF`) + (sum4 >> `16`); // collapse any potential carry into u16
191	// for a correct checksum we should get a* zero, but sum4 must be positive, ie 0xFFFF*
192	if (sum4 != `0xFFFF`)
193	return TC_ACT_OK;
194
195	// Minimum IPv4 total length is the size of the header
196	if (bpf_ntohs(ip4->tot_len) < sizeof(*ip4))
197	return TC_ACT_OK;
198
199	// We are incapable of dealing with IPv4 fragments
200	if (ip4->frag_off & ~bpf_htons(IP_DF))
201	return TC_ACT_OK;
202
203	switch (ip4->protocol) {
204	case IPPROTO_TCP: // For TCP & UDP the checksum neutrality of the chosen IPv6
205	case IPPROTO_GRE: // address means there is no need to update their checksums.
206	case IPPROTO_ESP: // We do not need to bother looking at GRE/ESP headers,
207	break; // since there is never a checksum to update.
208
209	case IPPROTO_UDP: // See above comment, but must also have UDP header...
210	if (data + sizeof(ip4) + sizeof(struct* udphdr) > data_end)
211	return TC_ACT_OK;
212	const struct udphdr uh = (const* struct udphdr *)(ip4 + `1`);
213	// If IPv4/UDP checksum is 0 then fallback to clatd so it can calculate the
214	// checksum. Otherwise the network or more likely the NAT64 gateway might
215	// drop the packet because in most cases IPv6/UDP packets with a zero checksum
216	// are invalid. See RFC 6935. TODO: calculate checksum via bpf_csum_diff()
217	if (!uh->check)
218	return TC_ACT_OK;
219	break;
220
221	default: // do not know how to handle anything else
222	return TC_ACT_OK;
223	}
224	struct ethhdr eth2; // used iff is_ethernet
225
226	eth2 = eth; // Copy over the ethernet header (src/dst mac)*
227	eth2.h_proto = bpf_htons(ETH_P_IPV6); // But replace the ethertype
228
229	struct ipv6hdr ip6 = {
230	.version = `6`, // __u8:4
231	.priority = ip4->tos >> `4`, // __u8:4
232	.flow_lbl = {(ip4->tos & `0xF`) << `4`, `0`, `0`}, // __u8[3]
233	.payload_len = bpf_htons(bpf_ntohs(ip4->tot_len) - `20`), // __be16
234	.nexthdr = ip4->protocol, // __u8
235	.hop_limit = ip4->ttl, // __u8
236	};
237	ip6.saddr.in6_u.u6_addr32[`0`] = bpf_htonl(`0x20010db8`);
238	ip6.saddr.in6_u.u6_addr32[`1`] = `0`;
239	ip6.saddr.in6_u.u6_addr32[`2`] = `0`;
240	ip6.saddr.in6_u.u6_addr32[`3`] = bpf_htonl(`1`);
241	ip6.daddr.in6_u.u6_addr32[`0`] = bpf_htonl(`0x20010db8`);
242	ip6.daddr.in6_u.u6_addr32[`1`] = `0`;
243	ip6.daddr.in6_u.u6_addr32[`2`] = `0`;
244	ip6.daddr.in6_u.u6_addr32[`3`] = bpf_htonl(`2`);
245
246	// Calculate the IPv6 16-bit one's complement checksum of the IPv6 header.
247	__wsum sum6 = `0`;
248	// We'll end up with a non-zero sum due to ip6.version == 6
249	for (int i = `0`; i < sizeof(ip6) / sizeof(__u16); ++i)
250	sum6 += ((__u16 *)&ip6)[i];
251
252	// Packet mutations begin - point of no return, but if this first modification fails
253	// the packet is probably still pristine, so let clatd handle it.
254	if (bpf_skb_change_proto(skb, bpf_htons(ETH_P_IPV6), `0`))
255	return TC_ACT_OK;
256
257	// This takes care of updating the skb->csum field for a CHECKSUM_COMPLETE packet.
258	// In such a case, skb->csum is a 16-bit one's complement sum of the entire payload,
259	// thus we need to subtract out the ipv4 header's sum, and add in the ipv6 header's sum.
260	// However, we've already verified the ipv4 checksum is correct and thus 0.
261	// Thus we only need to add the ipv6 header's sum.
262	//
263	// bpf_csum_update() always succeeds if the skb is CHECKSUM_COMPLETE and returns an error
264	// (-ENOTSUPP) if it isn't. So we just ignore the return code (see above for more details).
265	bpf_csum_update(skb, sum6);
266
267	// bpf_skb_change_proto() invalidates all pointers - reload them.
268	data = (void )(long*)skb->data;
269	data_end = (void )(long*)skb->data_end;
270
271	// I cannot think of any valid way for this error condition to trigger, however I do
272	// believe the explicit check is required to keep the in kernel ebpf verifier happy.
273	if (data + l2_header_size + sizeof(ip6) > data_end)
274	return TC_ACT_SHOT;
275
276	struct ethhdr *new_eth = data;
277
278	// Copy over the updated ethernet header
279	*new_eth = eth2;
280	// Copy over the new ipv4 header.
281	(struct* ipv6hdr *)(new_eth + `1`) = ip6;
282	return TC_ACT_OK;
283	}
284
285	char _license[] SEC("license") = ("GPL");
286

source code of linux/tools/testing/selftests/net/nat6to4.c