net/netfilter/xt_l2tp.c

0001 // SPDX-License-Identifier: GPL-2.0-only
0002 /* Kernel module to match L2TP header parameters. */
0003
0004 /* (C) 2013      James Chapman <jchapman@katalix.com>
0005  */
0006
0007 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
0008 #include <linux/module.h>
0009 #include <linux/skbuff.h>
0010 #include <linux/if_ether.h>
0011 #include <net/ip.h>
0012 #include <linux/ipv6.h>
0013 #include <net/ipv6.h>
0014 #include <net/udp.h>
0015 #include <linux/l2tp.h>
0016
0017 #include <linux/netfilter_ipv4.h>
0018 #include <linux/netfilter_ipv6.h>
0019 #include <linux/netfilter_ipv4/ip_tables.h>
0020 #include <linux/netfilter_ipv6/ip6_tables.h>
0021 #include <linux/netfilter/x_tables.h>
0022 #include <linux/netfilter/xt_tcpudp.h>
0023 #include <linux/netfilter/xt_l2tp.h>
0024
0025 /* L2TP header masks */
0026 #define L2TP_HDR_T_BIT  0x8000
0027 #define L2TP_HDR_L_BIT  0x4000
0028 #define L2TP_HDR_VER    0x000f
0029
0030 MODULE_LICENSE("GPL");
0031 MODULE_AUTHOR("James Chapman <jchapman@katalix.com>");
0032 MODULE_DESCRIPTION("Xtables: L2TP header match");
0033 MODULE_ALIAS("ipt_l2tp");
0034 MODULE_ALIAS("ip6t_l2tp");
0035
0036 /* The L2TP fields that can be matched */
0037 struct l2tp_data {
0038     u32 tid;
0039     u32 sid;
0040     u8 type;
0041     u8 version;
0042 };
0043
0044 union l2tp_val {
0045     __be16 val16[2];
0046     __be32 val32;
0047 };
0048
0049 static bool l2tp_match(const struct xt_l2tp_info *info, struct l2tp_data *data)
0050 {
0051     if ((info->flags & XT_L2TP_TYPE) && (info->type != data->type))
0052         return false;
0053
0054     if ((info->flags & XT_L2TP_VERSION) && (info->version != data->version))
0055         return false;
0056
0057     /* Check tid only for L2TPv3 control or any L2TPv2 packets */
0058     if ((info->flags & XT_L2TP_TID) &&
0059         ((data->type == XT_L2TP_TYPE_CONTROL) || (data->version == 2)) &&
0060         (info->tid != data->tid))
0061         return false;
0062
0063     /* Check sid only for L2TP data packets */
0064     if ((info->flags & XT_L2TP_SID) && (data->type == XT_L2TP_TYPE_DATA) &&
0065         (info->sid != data->sid))
0066         return false;
0067
0068     return true;
0069 }
0070
0071 /* Parse L2TP header fields when UDP encapsulation is used. Handles
0072  * L2TPv2 and L2TPv3. Note the L2TPv3 control and data packets have a
0073  * different format. See
0074  * RFC2661, Section 3.1, L2TPv2 Header Format
0075  * RFC3931, Section 3.2.1, L2TPv3 Control Message Header
0076  * RFC3931, Section 3.2.2, L2TPv3 Data Message Header
0077  * RFC3931, Section 4.1.2.1, L2TPv3 Session Header over UDP
0078  */
0079 static bool l2tp_udp_mt(const struct sk_buff *skb, struct xt_action_param *par, u16 thoff)
0080 {
0081     const struct xt_l2tp_info *info = par->matchinfo;
0082     int uhlen = sizeof(struct udphdr);
0083     int offs = thoff + uhlen;
0084     union l2tp_val *lh;
0085     union l2tp_val lhbuf;
0086     u16 flags;
0087     struct l2tp_data data = { 0, };
0088
0089     if (par->fragoff != 0)
0090         return false;
0091
0092     /* Extract L2TP header fields. The flags in the first 16 bits
0093      * tell us where the other fields are.
0094      */
0095     lh = skb_header_pointer(skb, offs, 2, &lhbuf);
0096     if (lh == NULL)
0097         return false;
0098
0099     flags = ntohs(lh->val16[0]);
0100     if (flags & L2TP_HDR_T_BIT)
0101         data.type = XT_L2TP_TYPE_CONTROL;
0102     else
0103         data.type = XT_L2TP_TYPE_DATA;
0104     data.version = (u8) flags & L2TP_HDR_VER;
0105
0106     /* Now extract the L2TP tid/sid. These are in different places
0107      * for L2TPv2 (rfc2661) and L2TPv3 (rfc3931). For L2TPv2, we
0108      * must also check to see if the length field is present,
0109      * since this affects the offsets into the packet of the
0110      * tid/sid fields.
0111      */
0112     if (data.version == 3) {
0113         lh = skb_header_pointer(skb, offs + 4, 4, &lhbuf);
0114         if (lh == NULL)
0115             return false;
0116         if (data.type == XT_L2TP_TYPE_CONTROL)
0117             data.tid = ntohl(lh->val32);
0118         else
0119             data.sid = ntohl(lh->val32);
0120     } else if (data.version == 2) {
0121         if (flags & L2TP_HDR_L_BIT)
0122             offs += 2;
0123         lh = skb_header_pointer(skb, offs + 2, 4, &lhbuf);
0124         if (lh == NULL)
0125             return false;
0126         data.tid = (u32) ntohs(lh->val16[0]);
0127         data.sid = (u32) ntohs(lh->val16[1]);
0128     } else
0129         return false;
0130
0131     return l2tp_match(info, &data);
0132 }
0133
0134 /* Parse L2TP header fields for IP encapsulation (no UDP header).
0135  * L2TPv3 data packets have a different form with IP encap. See
0136  * RC3931, Section 4.1.1.1, L2TPv3 Session Header over IP.
0137  * RC3931, Section 4.1.1.2, L2TPv3 Control and Data Traffic over IP.
0138  */
0139 static bool l2tp_ip_mt(const struct sk_buff *skb, struct xt_action_param *par, u16 thoff)
0140 {
0141     const struct xt_l2tp_info *info = par->matchinfo;
0142     union l2tp_val *lh;
0143     union l2tp_val lhbuf;
0144     struct l2tp_data data = { 0, };
0145
0146     /* For IP encap, the L2TP sid is the first 32-bits. */
0147     lh = skb_header_pointer(skb, thoff, sizeof(lhbuf), &lhbuf);
0148     if (lh == NULL)
0149         return false;
0150     if (lh->val32 == 0) {
0151         /* Must be a control packet. The L2TP tid is further
0152          * into the packet.
0153          */
0154         data.type = XT_L2TP_TYPE_CONTROL;
0155         lh = skb_header_pointer(skb, thoff + 8, sizeof(lhbuf),
0156                     &lhbuf);
0157         if (lh == NULL)
0158             return false;
0159         data.tid = ntohl(lh->val32);
0160     } else {
0161         data.sid = ntohl(lh->val32);
0162         data.type = XT_L2TP_TYPE_DATA;
0163     }
0164
0165     data.version = 3;
0166
0167     return l2tp_match(info, &data);
0168 }
0169
0170 static bool l2tp_mt4(const struct sk_buff *skb, struct xt_action_param *par)
0171 {
0172     struct iphdr *iph = ip_hdr(skb);
0173     u8 ipproto = iph->protocol;
0174
0175     /* l2tp_mt_check4 already restricts the transport protocol */
0176     switch (ipproto) {
0177     case IPPROTO_UDP:
0178         return l2tp_udp_mt(skb, par, par->thoff);
0179     case IPPROTO_L2TP:
0180         return l2tp_ip_mt(skb, par, par->thoff);
0181     }
0182
0183     return false;
0184 }
0185
0186 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
0187 static bool l2tp_mt6(const struct sk_buff *skb, struct xt_action_param *par)
0188 {
0189     unsigned int thoff = 0;
0190     unsigned short fragoff = 0;
0191     int ipproto;
0192
0193     ipproto = ipv6_find_hdr(skb, &thoff, -1, &fragoff, NULL);
0194     if (fragoff != 0)
0195         return false;
0196
0197     /* l2tp_mt_check6 already restricts the transport protocol */
0198     switch (ipproto) {
0199     case IPPROTO_UDP:
0200         return l2tp_udp_mt(skb, par, thoff);
0201     case IPPROTO_L2TP:
0202         return l2tp_ip_mt(skb, par, thoff);
0203     }
0204
0205     return false;
0206 }
0207 #endif
0208
0209 static int l2tp_mt_check(const struct xt_mtchk_param *par)
0210 {
0211     const struct xt_l2tp_info *info = par->matchinfo;
0212
0213     /* Check for invalid flags */
0214     if (info->flags & ~(XT_L2TP_TID | XT_L2TP_SID | XT_L2TP_VERSION |
0215                 XT_L2TP_TYPE)) {
0216         pr_info_ratelimited("unknown flags: %x\n", info->flags);
0217         return -EINVAL;
0218     }
0219
0220     /* At least one of tid, sid or type=control must be specified */
0221     if ((!(info->flags & XT_L2TP_TID)) &&
0222         (!(info->flags & XT_L2TP_SID)) &&
0223         ((!(info->flags & XT_L2TP_TYPE)) ||
0224          (info->type != XT_L2TP_TYPE_CONTROL))) {
0225         pr_info_ratelimited("invalid flags combination: %x\n",
0226                     info->flags);
0227         return -EINVAL;
0228     }
0229
0230     /* If version 2 is specified, check that incompatible params
0231      * are not supplied
0232      */
0233     if (info->flags & XT_L2TP_VERSION) {
0234         if ((info->version < 2) || (info->version > 3)) {
0235             pr_info_ratelimited("wrong L2TP version: %u\n",
0236                         info->version);
0237             return -EINVAL;
0238         }
0239
0240         if (info->version == 2) {
0241             if ((info->flags & XT_L2TP_TID) &&
0242                 (info->tid > 0xffff)) {
0243                 pr_info_ratelimited("v2 tid > 0xffff: %u\n",
0244                             info->tid);
0245                 return -EINVAL;
0246             }
0247             if ((info->flags & XT_L2TP_SID) &&
0248                 (info->sid > 0xffff)) {
0249                 pr_info_ratelimited("v2 sid > 0xffff: %u\n",
0250                             info->sid);
0251                 return -EINVAL;
0252             }
0253         }
0254     }
0255
0256     return 0;
0257 }
0258
0259 static int l2tp_mt_check4(const struct xt_mtchk_param *par)
0260 {
0261     const struct xt_l2tp_info *info = par->matchinfo;
0262     const struct ipt_entry *e = par->entryinfo;
0263     const struct ipt_ip *ip = &e->ip;
0264     int ret;
0265
0266     ret = l2tp_mt_check(par);
0267     if (ret != 0)
0268         return ret;
0269
0270     if ((ip->proto != IPPROTO_UDP) &&
0271         (ip->proto != IPPROTO_L2TP)) {
0272         pr_info_ratelimited("missing protocol rule (udp|l2tpip)\n");
0273         return -EINVAL;
0274     }
0275
0276     if ((ip->proto == IPPROTO_L2TP) &&
0277         (info->version == 2)) {
0278         pr_info_ratelimited("v2 doesn't support IP mode\n");
0279         return -EINVAL;
0280     }
0281
0282     return 0;
0283 }
0284
0285 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
0286 static int l2tp_mt_check6(const struct xt_mtchk_param *par)
0287 {
0288     const struct xt_l2tp_info *info = par->matchinfo;
0289     const struct ip6t_entry *e = par->entryinfo;
0290     const struct ip6t_ip6 *ip = &e->ipv6;
0291     int ret;
0292
0293     ret = l2tp_mt_check(par);
0294     if (ret != 0)
0295         return ret;
0296
0297     if ((ip->proto != IPPROTO_UDP) &&
0298         (ip->proto != IPPROTO_L2TP)) {
0299         pr_info_ratelimited("missing protocol rule (udp|l2tpip)\n");
0300         return -EINVAL;
0301     }
0302
0303     if ((ip->proto == IPPROTO_L2TP) &&
0304         (info->version == 2)) {
0305         pr_info_ratelimited("v2 doesn't support IP mode\n");
0306         return -EINVAL;
0307     }
0308
0309     return 0;
0310 }
0311 #endif
0312
0313 static struct xt_match l2tp_mt_reg[] __read_mostly = {
0314     {
0315         .name      = "l2tp",
0316         .revision  = 0,
0317         .family    = NFPROTO_IPV4,
0318         .match     = l2tp_mt4,
0319         .matchsize = XT_ALIGN(sizeof(struct xt_l2tp_info)),
0320         .checkentry = l2tp_mt_check4,
0321         .hooks     = ((1 << NF_INET_PRE_ROUTING) |
0322                   (1 << NF_INET_LOCAL_IN) |
0323                   (1 << NF_INET_LOCAL_OUT) |
0324                   (1 << NF_INET_FORWARD)),
0325         .me        = THIS_MODULE,
0326     },
0327 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
0328     {
0329         .name      = "l2tp",
0330         .revision  = 0,
0331         .family    = NFPROTO_IPV6,
0332         .match     = l2tp_mt6,
0333         .matchsize = XT_ALIGN(sizeof(struct xt_l2tp_info)),
0334         .checkentry = l2tp_mt_check6,
0335         .hooks     = ((1 << NF_INET_PRE_ROUTING) |
0336                   (1 << NF_INET_LOCAL_IN) |
0337                   (1 << NF_INET_LOCAL_OUT) |
0338                   (1 << NF_INET_FORWARD)),
0339         .me        = THIS_MODULE,
0340     },
0341 #endif
0342 };
0343
0344 static int __init l2tp_mt_init(void)
0345 {
0346     return xt_register_matches(&l2tp_mt_reg[0], ARRAY_SIZE(l2tp_mt_reg));
0347 }
0348
0349 static void __exit l2tp_mt_exit(void)
0350 {
0351     xt_unregister_matches(&l2tp_mt_reg[0], ARRAY_SIZE(l2tp_mt_reg));
0352 }
0353
0354 module_init(l2tp_mt_init);
0355 module_exit(l2tp_mt_exit);