net/bpf/nat6to4.c

0001 // SPDX-License-Identifier: GPL-2.0-only
0002 /*
0003  * This code is taken from the Android Open Source Project and the author
0004  * (Maciej Żenczykowski) has gave permission to relicense it under the
0005  * GPLv2. Therefore this program is free software;
0006  * You can redistribute it and/or modify it under the terms of the GNU
0007  * General Public License version 2 as published by the Free Software
0008  * Foundation
0009
0010  * The original headers, including the original license headers, are
0011  * included below for completeness.
0012  *
0013  * Copyright (C) 2019 The Android Open Source Project
0014  *
0015  * Licensed under the Apache License, Version 2.0 (the "License");
0016  * you may not use this file except in compliance with the License.
0017  * You may obtain a copy of the License at
0018  *
0019  *      http://www.apache.org/licenses/LICENSE-2.0
0020  *
0021  * Unless required by applicable law or agreed to in writing, software
0022  * distributed under the License is distributed on an "AS IS" BASIS,
0023  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
0024  * See the License for the specific language governing permissions and
0025  * limitations under the License.
0026  */
0027 #include <linux/bpf.h>
0028 #include <linux/if.h>
0029 #include <linux/if_ether.h>
0030 #include <linux/if_packet.h>
0031 #include <linux/in.h>
0032 #include <linux/in6.h>
0033 #include <linux/ip.h>
0034 #include <linux/ipv6.h>
0035 #include <linux/pkt_cls.h>
0036 #include <linux/swab.h>
0037 #include <stdbool.h>
0038 #include <stdint.h>
0039
0040
0041 #include <linux/udp.h>
0042
0043 #include <bpf/bpf_helpers.h>
0044 #include <bpf/bpf_endian.h>
0045
0046 #define IP_DF 0x4000  // Flag: "Don't Fragment"
0047
0048 SEC("schedcls/ingress6/nat_6")
0049 int sched_cls_ingress6_nat_6_prog(struct __sk_buff *skb)
0050 {
0051     const int l2_header_size =  sizeof(struct ethhdr);
0052     void *data = (void *)(long)skb->data;
0053     const void *data_end = (void *)(long)skb->data_end;
0054     const struct ethhdr * const eth = data;  // used iff is_ethernet
0055     const struct ipv6hdr * const ip6 =  (void *)(eth + 1);
0056
0057     // Require ethernet dst mac address to be our unicast address.
0058     if  (skb->pkt_type != PACKET_HOST)
0059         return TC_ACT_OK;
0060
0061     // Must be meta-ethernet IPv6 frame
0062     if (skb->protocol != bpf_htons(ETH_P_IPV6))
0063         return TC_ACT_OK;
0064
0065     // Must have (ethernet and) ipv6 header
0066     if (data + l2_header_size + sizeof(*ip6) > data_end)
0067         return TC_ACT_OK;
0068
0069     // Ethertype - if present - must be IPv6
0070     if (eth->h_proto != bpf_htons(ETH_P_IPV6))
0071         return TC_ACT_OK;
0072
0073     // IP version must be 6
0074     if (ip6->version != 6)
0075         return TC_ACT_OK;
0076     // Maximum IPv6 payload length that can be translated to IPv4
0077     if (bpf_ntohs(ip6->payload_len) > 0xFFFF - sizeof(struct iphdr))
0078         return TC_ACT_OK;
0079     switch (ip6->nexthdr) {
0080     case IPPROTO_TCP:  // For TCP & UDP the checksum neutrality of the chosen IPv6
0081     case IPPROTO_UDP:  // address means there is no need to update their checksums.
0082     case IPPROTO_GRE:  // We do not need to bother looking at GRE/ESP headers,
0083     case IPPROTO_ESP:  // since there is never a checksum to update.
0084         break;
0085     default:  // do not know how to handle anything else
0086         return TC_ACT_OK;
0087     }
0088
0089     struct ethhdr eth2;  // used iff is_ethernet
0090
0091     eth2 = *eth;                     // Copy over the ethernet header (src/dst mac)
0092     eth2.h_proto = bpf_htons(ETH_P_IP);  // But replace the ethertype
0093
0094     struct iphdr ip = {
0095         .version = 4,                                                      // u4
0096         .ihl = sizeof(struct iphdr) / sizeof(__u32),                       // u4
0097         .tos = (ip6->priority << 4) + (ip6->flow_lbl[0] >> 4),             // u8
0098         .tot_len = bpf_htons(bpf_ntohs(ip6->payload_len) + sizeof(struct iphdr)),  // u16
0099         .id = 0,                                                           // u16
0100         .frag_off = bpf_htons(IP_DF),                                          // u16
0101         .ttl = ip6->hop_limit,                                             // u8
0102         .protocol = ip6->nexthdr,                                          // u8
0103         .check = 0,                                                        // u16
0104         .saddr = 0x0201a8c0,                            // u32
0105         .daddr = 0x0101a8c0,                                         // u32
0106     };
0107
0108     // Calculate the IPv4 one's complement checksum of the IPv4 header.
0109     __wsum sum4 = 0;
0110
0111     for (int i = 0; i < sizeof(ip) / sizeof(__u16); ++i)
0112         sum4 += ((__u16 *)&ip)[i];
0113
0114     // Note that sum4 is guaranteed to be non-zero by virtue of ip.version == 4
0115     sum4 = (sum4 & 0xFFFF) + (sum4 >> 16);  // collapse u32 into range 1 .. 0x1FFFE
0116     sum4 = (sum4 & 0xFFFF) + (sum4 >> 16);  // collapse any potential carry into u16
0117     ip.check = (__u16)~sum4;                // sum4 cannot be zero, so this is never 0xFFFF
0118
0119     // Calculate the *negative* IPv6 16-bit one's complement checksum of the IPv6 header.
0120     __wsum sum6 = 0;
0121     // We'll end up with a non-zero sum due to ip6->version == 6 (which has '0' bits)
0122     for (int i = 0; i < sizeof(*ip6) / sizeof(__u16); ++i)
0123         sum6 += ~((__u16 *)ip6)[i];  // note the bitwise negation
0124
0125     // Note that there is no L4 checksum update: we are relying on the checksum neutrality
0126     // of the ipv6 address chosen by netd's ClatdController.
0127
0128     // Packet mutations begin - point of no return, but if this first modification fails
0129     // the packet is probably still pristine, so let clatd handle it.
0130     if (bpf_skb_change_proto(skb, bpf_htons(ETH_P_IP), 0))
0131         return TC_ACT_OK;
0132     bpf_csum_update(skb, sum6);
0133
0134     data = (void *)(long)skb->data;
0135     data_end = (void *)(long)skb->data_end;
0136     if (data + l2_header_size + sizeof(struct iphdr) > data_end)
0137         return TC_ACT_SHOT;
0138
0139     struct ethhdr *new_eth = data;
0140
0141     // Copy over the updated ethernet header
0142     *new_eth = eth2;
0143
0144     // Copy over the new ipv4 header.
0145     *(struct iphdr *)(new_eth + 1) = ip;
0146     return bpf_redirect(skb->ifindex, BPF_F_INGRESS);
0147 }
0148
0149 SEC("schedcls/egress4/snat4")
0150 int sched_cls_egress4_snat4_prog(struct __sk_buff *skb)
0151 {
0152     const int l2_header_size =  sizeof(struct ethhdr);
0153     void *data = (void *)(long)skb->data;
0154     const void *data_end = (void *)(long)skb->data_end;
0155     const struct ethhdr *const eth = data;  // used iff is_ethernet
0156     const struct iphdr *const ip4 = (void *)(eth + 1);
0157
0158     // Must be meta-ethernet IPv4 frame
0159     if (skb->protocol != bpf_htons(ETH_P_IP))
0160         return TC_ACT_OK;
0161
0162     // Must have ipv4 header
0163     if (data + l2_header_size + sizeof(struct ipv6hdr) > data_end)
0164         return TC_ACT_OK;
0165
0166     // Ethertype - if present - must be IPv4
0167     if (eth->h_proto != bpf_htons(ETH_P_IP))
0168         return TC_ACT_OK;
0169
0170     // IP version must be 4
0171     if (ip4->version != 4)
0172         return TC_ACT_OK;
0173
0174     // We cannot handle IP options, just standard 20 byte == 5 dword minimal IPv4 header
0175     if (ip4->ihl != 5)
0176         return TC_ACT_OK;
0177
0178     // Maximum IPv6 payload length that can be translated to IPv4
0179     if (bpf_htons(ip4->tot_len) > 0xFFFF - sizeof(struct ipv6hdr))
0180         return TC_ACT_OK;
0181
0182     // Calculate the IPv4 one's complement checksum of the IPv4 header.
0183     __wsum sum4 = 0;
0184
0185     for (int i = 0; i < sizeof(*ip4) / sizeof(__u16); ++i)
0186         sum4 += ((__u16 *)ip4)[i];
0187
0188     // Note that sum4 is guaranteed to be non-zero by virtue of ip4->version == 4
0189     sum4 = (sum4 & 0xFFFF) + (sum4 >> 16);  // collapse u32 into range 1 .. 0x1FFFE
0190     sum4 = (sum4 & 0xFFFF) + (sum4 >> 16);  // collapse any potential carry into u16
0191     // for a correct checksum we should get *a* zero, but sum4 must be positive, ie 0xFFFF
0192     if (sum4 != 0xFFFF)
0193         return TC_ACT_OK;
0194
0195     // Minimum IPv4 total length is the size of the header
0196     if (bpf_ntohs(ip4->tot_len) < sizeof(*ip4))
0197         return TC_ACT_OK;
0198
0199     // We are incapable of dealing with IPv4 fragments
0200     if (ip4->frag_off & ~bpf_htons(IP_DF))
0201         return TC_ACT_OK;
0202
0203     switch (ip4->protocol) {
0204     case IPPROTO_TCP:  // For TCP & UDP the checksum neutrality of the chosen IPv6
0205     case IPPROTO_GRE:  // address means there is no need to update their checksums.
0206     case IPPROTO_ESP:  // We do not need to bother looking at GRE/ESP headers,
0207         break;         // since there is never a checksum to update.
0208
0209     case IPPROTO_UDP:  // See above comment, but must also have UDP header...
0210         if (data + sizeof(*ip4) + sizeof(struct udphdr) > data_end)
0211             return TC_ACT_OK;
0212         const struct udphdr *uh = (const struct udphdr *)(ip4 + 1);
0213         // If IPv4/UDP checksum is 0 then fallback to clatd so it can calculate the
0214         // checksum.  Otherwise the network or more likely the NAT64 gateway might
0215         // drop the packet because in most cases IPv6/UDP packets with a zero checksum
0216         // are invalid. See RFC 6935.  TODO: calculate checksum via bpf_csum_diff()
0217         if (!uh->check)
0218             return TC_ACT_OK;
0219         break;
0220
0221     default:  // do not know how to handle anything else
0222         return TC_ACT_OK;
0223     }
0224     struct ethhdr eth2;  // used iff is_ethernet
0225
0226     eth2 = *eth;                     // Copy over the ethernet header (src/dst mac)
0227     eth2.h_proto = bpf_htons(ETH_P_IPV6);  // But replace the ethertype
0228
0229     struct ipv6hdr ip6 = {
0230         .version = 6,                                    // __u8:4
0231         .priority = ip4->tos >> 4,                       // __u8:4
0232         .flow_lbl = {(ip4->tos & 0xF) << 4, 0, 0},       // __u8[3]
0233         .payload_len = bpf_htons(bpf_ntohs(ip4->tot_len) - 20),  // __be16
0234         .nexthdr = ip4->protocol,                        // __u8
0235         .hop_limit = ip4->ttl,                           // __u8
0236     };
0237     ip6.saddr.in6_u.u6_addr32[0] = bpf_htonl(0x20010db8);
0238     ip6.saddr.in6_u.u6_addr32[1] = 0;
0239     ip6.saddr.in6_u.u6_addr32[2] = 0;
0240     ip6.saddr.in6_u.u6_addr32[3] = bpf_htonl(1);
0241     ip6.daddr.in6_u.u6_addr32[0] = bpf_htonl(0x20010db8);
0242     ip6.daddr.in6_u.u6_addr32[1] = 0;
0243     ip6.daddr.in6_u.u6_addr32[2] = 0;
0244     ip6.daddr.in6_u.u6_addr32[3] = bpf_htonl(2);
0245
0246     // Calculate the IPv6 16-bit one's complement checksum of the IPv6 header.
0247     __wsum sum6 = 0;
0248     // We'll end up with a non-zero sum due to ip6.version == 6
0249     for (int i = 0; i < sizeof(ip6) / sizeof(__u16); ++i)
0250         sum6 += ((__u16 *)&ip6)[i];
0251
0252     // Packet mutations begin - point of no return, but if this first modification fails
0253     // the packet is probably still pristine, so let clatd handle it.
0254     if (bpf_skb_change_proto(skb, bpf_htons(ETH_P_IPV6), 0))
0255         return TC_ACT_OK;
0256
0257     // This takes care of updating the skb->csum field for a CHECKSUM_COMPLETE packet.
0258     // In such a case, skb->csum is a 16-bit one's complement sum of the entire payload,
0259     // thus we need to subtract out the ipv4 header's sum, and add in the ipv6 header's sum.
0260     // However, we've already verified the ipv4 checksum is correct and thus 0.
0261     // Thus we only need to add the ipv6 header's sum.
0262     //
0263     // bpf_csum_update() always succeeds if the skb is CHECKSUM_COMPLETE and returns an error
0264     // (-ENOTSUPP) if it isn't.  So we just ignore the return code (see above for more details).
0265     bpf_csum_update(skb, sum6);
0266
0267     // bpf_skb_change_proto() invalidates all pointers - reload them.
0268     data = (void *)(long)skb->data;
0269     data_end = (void *)(long)skb->data_end;
0270
0271     // I cannot think of any valid way for this error condition to trigger, however I do
0272     // believe the explicit check is required to keep the in kernel ebpf verifier happy.
0273     if (data + l2_header_size + sizeof(ip6) > data_end)
0274         return TC_ACT_SHOT;
0275
0276     struct ethhdr *new_eth = data;
0277
0278     // Copy over the updated ethernet header
0279     *new_eth = eth2;
0280     // Copy over the new ipv4 header.
0281     *(struct ipv6hdr *)(new_eth + 1) = ip6;
0282     return TC_ACT_OK;
0283 }
0284
0285 char _license[] SEC("license") = ("GPL");