Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
nf_conntrack_reasm.c
Go to the documentation of this file.
1 /*
2  * IPv6 fragment reassembly for connection tracking
3  *
4  * Copyright (C)2004 USAGI/WIDE Project
5  *
6  * Author:
7  * Yasuyuki Kozakai @USAGI <[email protected]>
8  *
9  * Based on: net/ipv6/reassembly.c
10  *
11  * This program is free software; you can redistribute it and/or
12  * modify it under the terms of the GNU General Public License
13  * as published by the Free Software Foundation; either version
14  * 2 of the License, or (at your option) any later version.
15  */
16 
17 #include <linux/errno.h>
18 #include <linux/types.h>
19 #include <linux/string.h>
20 #include <linux/socket.h>
21 #include <linux/sockios.h>
22 #include <linux/jiffies.h>
23 #include <linux/net.h>
24 #include <linux/list.h>
25 #include <linux/netdevice.h>
26 #include <linux/in6.h>
27 #include <linux/ipv6.h>
28 #include <linux/icmpv6.h>
29 #include <linux/random.h>
30 #include <linux/slab.h>
31 
32 #include <net/sock.h>
33 #include <net/snmp.h>
34 #include <net/inet_frag.h>
35 
36 #include <net/ipv6.h>
37 #include <net/protocol.h>
38 #include <net/transp_v6.h>
39 #include <net/rawv6.h>
40 #include <net/ndisc.h>
41 #include <net/addrconf.h>
42 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
43 #include <linux/sysctl.h>
44 #include <linux/netfilter.h>
45 #include <linux/netfilter_ipv6.h>
46 #include <linux/kernel.h>
47 #include <linux/module.h>
48 #include <net/netfilter/ipv6/nf_defrag_ipv6.h>
49 
50 
51 struct nf_ct_frag6_skb_cb
52 {
53  struct inet6_skb_parm h;
54  int offset;
55  struct sk_buff *orig;
56 };
57 
58 #define NFCT_FRAG6_CB(skb) ((struct nf_ct_frag6_skb_cb*)((skb)->cb))
59 
60 static struct inet_frags nf_frags;
61 
62 #ifdef CONFIG_SYSCTL
63 static struct ctl_table nf_ct_frag6_sysctl_table[] = {
64  {
65  .procname = "nf_conntrack_frag6_timeout",
66  .data = &init_net.nf_frag.frags.timeout,
67  .maxlen = sizeof(unsigned int),
68  .mode = 0644,
69  .proc_handler = proc_dointvec_jiffies,
70  },
71  {
72  .procname = "nf_conntrack_frag6_low_thresh",
73  .data = &init_net.nf_frag.frags.low_thresh,
74  .maxlen = sizeof(unsigned int),
75  .mode = 0644,
76  .proc_handler = proc_dointvec,
77  },
78  {
79  .procname = "nf_conntrack_frag6_high_thresh",
80  .data = &init_net.nf_frag.frags.high_thresh,
81  .maxlen = sizeof(unsigned int),
82  .mode = 0644,
83  .proc_handler = proc_dointvec,
84  },
85  { }
86 };
87 
88 static int nf_ct_frag6_sysctl_register(struct net *net)
89 {
90  struct ctl_table *table;
91  struct ctl_table_header *hdr;
92 
93  table = nf_ct_frag6_sysctl_table;
94  if (!net_eq(net, &init_net)) {
95  table = kmemdup(table, sizeof(nf_ct_frag6_sysctl_table),
96  GFP_KERNEL);
97  if (table == NULL)
98  goto err_alloc;
99 
100  table[0].data = &net->ipv6.frags.high_thresh;
101  table[1].data = &net->ipv6.frags.low_thresh;
102  table[2].data = &net->ipv6.frags.timeout;
103  }
104 
105  hdr = register_net_sysctl(net, "net/netfilter", table);
106  if (hdr == NULL)
107  goto err_reg;
108 
109  net->nf_frag.sysctl.frags_hdr = hdr;
110  return 0;
111 
112 err_reg:
113  if (!net_eq(net, &init_net))
114  kfree(table);
115 err_alloc:
116  return -ENOMEM;
117 }
118 
119 static void __net_exit nf_ct_frags6_sysctl_unregister(struct net *net)
120 {
121  struct ctl_table *table;
122 
123  table = net->nf_frag.sysctl.frags_hdr->ctl_table_arg;
124  unregister_net_sysctl_table(net->nf_frag.sysctl.frags_hdr);
125  if (!net_eq(net, &init_net))
126  kfree(table);
127 }
128 
129 #else
130 static int nf_ct_frag6_sysctl_register(struct net *net)
131 {
132  return 0;
133 }
134 static void __net_exit nf_ct_frags6_sysctl_unregister(struct net *net)
135 {
136 }
137 #endif
138 
139 static unsigned int nf_hashfn(struct inet_frag_queue *q)
140 {
141  const struct frag_queue *nq;
142 
143  nq = container_of(q, struct frag_queue, q);
144  return inet6_hash_frag(nq->id, &nq->saddr, &nq->daddr, nf_frags.rnd);
145 }
146 
147 static void nf_skb_free(struct sk_buff *skb)
148 {
149  if (NFCT_FRAG6_CB(skb)->orig)
150  kfree_skb(NFCT_FRAG6_CB(skb)->orig);
151 }
152 
153 static void nf_ct_frag6_expire(unsigned long data)
154 {
155  struct frag_queue *fq;
156  struct net *net;
157 
158  fq = container_of((struct inet_frag_queue *)data, struct frag_queue, q);
159  net = container_of(fq->q.net, struct net, nf_frag.frags);
160 
161  ip6_expire_frag_queue(net, fq, &nf_frags);
162 }
163 
164 /* Creation primitives. */
165 static inline struct frag_queue *fq_find(struct net *net, __be32 id,
166  u32 user, struct in6_addr *src,
167  struct in6_addr *dst)
168 {
169  struct inet_frag_queue *q;
170  struct ip6_create_arg arg;
171  unsigned int hash;
172 
173  arg.id = id;
174  arg.user = user;
175  arg.src = src;
176  arg.dst = dst;
177 
178  read_lock_bh(&nf_frags.lock);
179  hash = inet6_hash_frag(id, src, dst, nf_frags.rnd);
180 
181  q = inet_frag_find(&net->nf_frag.frags, &nf_frags, &arg, hash);
182  local_bh_enable();
183  if (q == NULL)
184  goto oom;
185 
186  return container_of(q, struct frag_queue, q);
187 
188 oom:
189  return NULL;
190 }
191 
192 
193 static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
194  const struct frag_hdr *fhdr, int nhoff)
195 {
196  struct sk_buff *prev, *next;
197  unsigned int payload_len;
198  int offset, end;
199 
200  if (fq->q.last_in & INET_FRAG_COMPLETE) {
201  pr_debug("Already completed\n");
202  goto err;
203  }
204 
205  payload_len = ntohs(ipv6_hdr(skb)->payload_len);
206 
207  offset = ntohs(fhdr->frag_off) & ~0x7;
208  end = offset + (payload_len -
209  ((u8 *)(fhdr + 1) - (u8 *)(ipv6_hdr(skb) + 1)));
210 
211  if ((unsigned int)end > IPV6_MAXPLEN) {
212  pr_debug("offset is too large.\n");
213  return -1;
214  }
215 
216  if (skb->ip_summed == CHECKSUM_COMPLETE) {
217  const unsigned char *nh = skb_network_header(skb);
218  skb->csum = csum_sub(skb->csum,
219  csum_partial(nh, (u8 *)(fhdr + 1) - nh,
220  0));
221  }
222 
223  /* Is this the final fragment? */
224  if (!(fhdr->frag_off & htons(IP6_MF))) {
225  /* If we already have some bits beyond end
226  * or have different end, the segment is corrupted.
227  */
228  if (end < fq->q.len ||
229  ((fq->q.last_in & INET_FRAG_LAST_IN) && end != fq->q.len)) {
230  pr_debug("already received last fragment\n");
231  goto err;
232  }
233  fq->q.last_in |= INET_FRAG_LAST_IN;
234  fq->q.len = end;
235  } else {
236  /* Check if the fragment is rounded to 8 bytes.
237  * Required by the RFC.
238  */
239  if (end & 0x7) {
240  /* RFC2460 says always send parameter problem in
241  * this case. -DaveM
242  */
243  pr_debug("end of fragment not rounded to 8 bytes.\n");
244  return -1;
245  }
246  if (end > fq->q.len) {
247  /* Some bits beyond end -> corruption. */
248  if (fq->q.last_in & INET_FRAG_LAST_IN) {
249  pr_debug("last packet already reached.\n");
250  goto err;
251  }
252  fq->q.len = end;
253  }
254  }
255 
256  if (end == offset)
257  goto err;
258 
259  /* Point into the IP datagram 'data' part. */
260  if (!pskb_pull(skb, (u8 *) (fhdr + 1) - skb->data)) {
261  pr_debug("queue: message is too short.\n");
262  goto err;
263  }
264  if (pskb_trim_rcsum(skb, end - offset)) {
265  pr_debug("Can't trim\n");
266  goto err;
267  }
268 
269  /* Find out which fragments are in front and at the back of us
270  * in the chain of fragments so far. We must know where to put
271  * this fragment, right?
272  */
273  prev = fq->q.fragments_tail;
274  if (!prev || NFCT_FRAG6_CB(prev)->offset < offset) {
275  next = NULL;
276  goto found;
277  }
278  prev = NULL;
279  for (next = fq->q.fragments; next != NULL; next = next->next) {
280  if (NFCT_FRAG6_CB(next)->offset >= offset)
281  break; /* bingo! */
282  prev = next;
283  }
284 
285 found:
286  /* RFC5722, Section 4:
287  * When reassembling an IPv6 datagram, if
288  * one or more its constituent fragments is determined to be an
289  * overlapping fragment, the entire datagram (and any constituent
290  * fragments, including those not yet received) MUST be silently
291  * discarded.
292  */
293 
294  /* Check for overlap with preceding fragment. */
295  if (prev &&
296  (NFCT_FRAG6_CB(prev)->offset + prev->len) > offset)
297  goto discard_fq;
298 
299  /* Look for overlap with succeeding segment. */
300  if (next && NFCT_FRAG6_CB(next)->offset < end)
301  goto discard_fq;
302 
303  NFCT_FRAG6_CB(skb)->offset = offset;
304 
305  /* Insert this fragment in the chain of fragments. */
306  skb->next = next;
307  if (!next)
308  fq->q.fragments_tail = skb;
309  if (prev)
310  prev->next = skb;
311  else
312  fq->q.fragments = skb;
313 
314  skb->dev = NULL;
315  fq->q.stamp = skb->tstamp;
316  fq->q.meat += skb->len;
317  if (payload_len > fq->q.max_size)
318  fq->q.max_size = payload_len;
319  atomic_add(skb->truesize, &fq->q.net->mem);
320 
321  /* The first fragment.
322  * nhoffset is obtained from the first fragment, of course.
323  */
324  if (offset == 0) {
325  fq->nhoffset = nhoff;
326  fq->q.last_in |= INET_FRAG_FIRST_IN;
327  }
328  write_lock(&nf_frags.lock);
329  list_move_tail(&fq->q.lru_list, &fq->q.net->lru_list);
330  write_unlock(&nf_frags.lock);
331  return 0;
332 
333 discard_fq:
334  inet_frag_kill(&fq->q, &nf_frags);
335 err:
336  return -1;
337 }
338 
339 /*
340  * Check if this packet is complete.
341  * Returns NULL on failure by any reason, and pointer
342  * to current nexthdr field in reassembled frame.
343  *
344  * It is called with locked fq, and caller must check that
345  * queue is eligible for reassembly i.e. it is not COMPLETE,
346  * the last and the first frames arrived and all the bits are here.
347  */
348 static struct sk_buff *
349 nf_ct_frag6_reasm(struct frag_queue *fq, struct net_device *dev)
350 {
351  struct sk_buff *fp, *op, *head = fq->q.fragments;
352  int payload_len;
353 
354  inet_frag_kill(&fq->q, &nf_frags);
355 
356  WARN_ON(head == NULL);
357  WARN_ON(NFCT_FRAG6_CB(head)->offset != 0);
358 
359  /* Unfragmented part is taken from the first segment. */
360  payload_len = ((head->data - skb_network_header(head)) -
361  sizeof(struct ipv6hdr) + fq->q.len -
362  sizeof(struct frag_hdr));
363  if (payload_len > IPV6_MAXPLEN) {
364  pr_debug("payload len is too large.\n");
365  goto out_oversize;
366  }
367 
368  /* Head of list must not be cloned. */
369  if (skb_cloned(head) && pskb_expand_head(head, 0, 0, GFP_ATOMIC)) {
370  pr_debug("skb is cloned but can't expand head");
371  goto out_oom;
372  }
373 
374  /* If the first fragment is fragmented itself, we split
375  * it to two chunks: the first with data and paged part
376  * and the second, holding only fragments. */
377  if (skb_has_frag_list(head)) {
378  struct sk_buff *clone;
379  int i, plen = 0;
380 
381  clone = alloc_skb(0, GFP_ATOMIC);
382  if (clone == NULL)
383  goto out_oom;
384 
385  clone->next = head->next;
386  head->next = clone;
387  skb_shinfo(clone)->frag_list = skb_shinfo(head)->frag_list;
388  skb_frag_list_init(head);
389  for (i = 0; i < skb_shinfo(head)->nr_frags; i++)
390  plen += skb_frag_size(&skb_shinfo(head)->frags[i]);
391  clone->len = clone->data_len = head->data_len - plen;
392  head->data_len -= clone->len;
393  head->len -= clone->len;
394  clone->csum = 0;
395  clone->ip_summed = head->ip_summed;
396 
397  NFCT_FRAG6_CB(clone)->orig = NULL;
398  atomic_add(clone->truesize, &fq->q.net->mem);
399  }
400 
401  /* We have to remove fragment header from datagram and to relocate
402  * header in order to calculate ICV correctly. */
403  skb_network_header(head)[fq->nhoffset] = skb_transport_header(head)[0];
404  memmove(head->head + sizeof(struct frag_hdr), head->head,
405  (head->data - head->head) - sizeof(struct frag_hdr));
406  head->mac_header += sizeof(struct frag_hdr);
407  head->network_header += sizeof(struct frag_hdr);
408 
409  skb_shinfo(head)->frag_list = head->next;
410  skb_reset_transport_header(head);
411  skb_push(head, head->data - skb_network_header(head));
412 
413  for (fp=head->next; fp; fp = fp->next) {
414  head->data_len += fp->len;
415  head->len += fp->len;
416  if (head->ip_summed != fp->ip_summed)
417  head->ip_summed = CHECKSUM_NONE;
418  else if (head->ip_summed == CHECKSUM_COMPLETE)
419  head->csum = csum_add(head->csum, fp->csum);
420  head->truesize += fp->truesize;
421  }
422  atomic_sub(head->truesize, &fq->q.net->mem);
423 
424  head->local_df = 1;
425  head->next = NULL;
426  head->dev = dev;
427  head->tstamp = fq->q.stamp;
428  ipv6_hdr(head)->payload_len = htons(payload_len);
429  IP6CB(head)->frag_max_size = sizeof(struct ipv6hdr) + fq->q.max_size;
430 
431  /* Yes, and fold redundant checksum back. 8) */
432  if (head->ip_summed == CHECKSUM_COMPLETE)
433  head->csum = csum_partial(skb_network_header(head),
434  skb_network_header_len(head),
435  head->csum);
436 
437  fq->q.fragments = NULL;
438  fq->q.fragments_tail = NULL;
439 
440  /* all original skbs are linked into the NFCT_FRAG6_CB(head).orig */
441  fp = skb_shinfo(head)->frag_list;
442  if (fp && NFCT_FRAG6_CB(fp)->orig == NULL)
443  /* at above code, head skb is divided into two skbs. */
444  fp = fp->next;
445 
446  op = NFCT_FRAG6_CB(head)->orig;
447  for (; fp; fp = fp->next) {
448  struct sk_buff *orig = NFCT_FRAG6_CB(fp)->orig;
449 
450  op->next = orig;
451  op = orig;
452  NFCT_FRAG6_CB(fp)->orig = NULL;
453  }
454 
455  return head;
456 
457 out_oversize:
458  net_dbg_ratelimited("nf_ct_frag6_reasm: payload len = %d\n",
459  payload_len);
460  goto out_fail;
461 out_oom:
462  net_dbg_ratelimited("nf_ct_frag6_reasm: no memory for reassembly\n");
463 out_fail:
464  return NULL;
465 }
466 
467 /*
468  * find the header just before Fragment Header.
469  *
470  * if success return 0 and set ...
471  * (*prevhdrp): the value of "Next Header Field" in the header
472  * just before Fragment Header.
473  * (*prevhoff): the offset of "Next Header Field" in the header
474  * just before Fragment Header.
475  * (*fhoff) : the offset of Fragment Header.
476  *
477  * Based on ipv6_skip_hdr() in net/ipv6/exthdr.c
478  *
479  */
480 static int
481 find_prev_fhdr(struct sk_buff *skb, u8 *prevhdrp, int *prevhoff, int *fhoff)
482 {
483  u8 nexthdr = ipv6_hdr(skb)->nexthdr;
484  const int netoff = skb_network_offset(skb);
485  u8 prev_nhoff = netoff + offsetof(struct ipv6hdr, nexthdr);
486  int start = netoff + sizeof(struct ipv6hdr);
487  int len = skb->len - start;
488  u8 prevhdr = NEXTHDR_IPV6;
489 
490  while (nexthdr != NEXTHDR_FRAGMENT) {
491  struct ipv6_opt_hdr hdr;
492  int hdrlen;
493 
494  if (!ipv6_ext_hdr(nexthdr)) {
495  return -1;
496  }
497  if (nexthdr == NEXTHDR_NONE) {
498  pr_debug("next header is none\n");
499  return -1;
500  }
501  if (len < (int)sizeof(struct ipv6_opt_hdr)) {
502  pr_debug("too short\n");
503  return -1;
504  }
505  if (skb_copy_bits(skb, start, &hdr, sizeof(hdr)))
506  BUG();
507  if (nexthdr == NEXTHDR_AUTH)
508  hdrlen = (hdr.hdrlen+2)<<2;
509  else
510  hdrlen = ipv6_optlen(&hdr);
511 
512  prevhdr = nexthdr;
513  prev_nhoff = start;
514 
515  nexthdr = hdr.nexthdr;
516  len -= hdrlen;
517  start += hdrlen;
518  }
519 
520  if (len < 0)
521  return -1;
522 
523  *prevhdrp = prevhdr;
524  *prevhoff = prev_nhoff;
525  *fhoff = start;
526 
527  return 0;
528 }
529 
530 struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user)
531 {
532  struct sk_buff *clone;
533  struct net_device *dev = skb->dev;
534  struct net *net = skb_dst(skb) ? dev_net(skb_dst(skb)->dev)
535  : dev_net(skb->dev);
536  struct frag_hdr *fhdr;
537  struct frag_queue *fq;
538  struct ipv6hdr *hdr;
539  int fhoff, nhoff;
540  u8 prevhdr;
541  struct sk_buff *ret_skb = NULL;
542 
543  /* Jumbo payload inhibits frag. header */
544  if (ipv6_hdr(skb)->payload_len == 0) {
545  pr_debug("payload len = 0\n");
546  return skb;
547  }
548 
549  if (find_prev_fhdr(skb, &prevhdr, &nhoff, &fhoff) < 0)
550  return skb;
551 
552  clone = skb_clone(skb, GFP_ATOMIC);
553  if (clone == NULL) {
554  pr_debug("Can't clone skb\n");
555  return skb;
556  }
557 
558  NFCT_FRAG6_CB(clone)->orig = skb;
559 
560  if (!pskb_may_pull(clone, fhoff + sizeof(*fhdr))) {
561  pr_debug("message is too short.\n");
562  goto ret_orig;
563  }
564 
565  skb_set_transport_header(clone, fhoff);
566  hdr = ipv6_hdr(clone);
567  fhdr = (struct frag_hdr *)skb_transport_header(clone);
568 
569  local_bh_disable();
570  inet_frag_evictor(&net->nf_frag.frags, &nf_frags, false);
571  local_bh_enable();
572 
573  fq = fq_find(net, fhdr->identification, user, &hdr->saddr, &hdr->daddr);
574  if (fq == NULL) {
575  pr_debug("Can't find and can't create new queue\n");
576  goto ret_orig;
577  }
578 
579  spin_lock_bh(&fq->q.lock);
580 
581  if (nf_ct_frag6_queue(fq, clone, fhdr, nhoff) < 0) {
582  spin_unlock_bh(&fq->q.lock);
583  pr_debug("Can't insert skb to queue\n");
584  inet_frag_put(&fq->q, &nf_frags);
585  goto ret_orig;
586  }
587 
588  if (fq->q.last_in == (INET_FRAG_FIRST_IN | INET_FRAG_LAST_IN) &&
589  fq->q.meat == fq->q.len) {
590  ret_skb = nf_ct_frag6_reasm(fq, dev);
591  if (ret_skb == NULL)
592  pr_debug("Can't reassemble fragmented packets\n");
593  }
594  spin_unlock_bh(&fq->q.lock);
595 
596  inet_frag_put(&fq->q, &nf_frags);
597  return ret_skb;
598 
599 ret_orig:
600  kfree_skb(clone);
601  return skb;
602 }
603 
604 void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb,
605  struct net_device *in, struct net_device *out,
606  int (*okfn)(struct sk_buff *))
607 {
608  struct sk_buff *s, *s2;
609  unsigned int ret = 0;
610 
611  for (s = NFCT_FRAG6_CB(skb)->orig; s;) {
612  nf_conntrack_put_reasm(s->nfct_reasm);
613  nf_conntrack_get_reasm(skb);
614  s->nfct_reasm = skb;
615 
616  s2 = s->next;
617  s->next = NULL;
618 
619  if (ret != -ECANCELED)
620  ret = NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, s,
621  in, out, okfn,
622  NF_IP6_PRI_CONNTRACK_DEFRAG + 1);
623  else
624  kfree_skb(s);
625 
626  s = s2;
627  }
628  nf_conntrack_put_reasm(skb);
629 }
630 
631 static int nf_ct_net_init(struct net *net)
632 {
633  net->nf_frag.frags.high_thresh = IPV6_FRAG_HIGH_THRESH;
634  net->nf_frag.frags.low_thresh = IPV6_FRAG_LOW_THRESH;
635  net->nf_frag.frags.timeout = IPV6_FRAG_TIMEOUT;
636  inet_frags_init_net(&net->nf_frag.frags);
637 
638  return nf_ct_frag6_sysctl_register(net);
639 }
640 
641 static void nf_ct_net_exit(struct net *net)
642 {
643  nf_ct_frags6_sysctl_unregister(net);
644  inet_frags_exit_net(&net->nf_frag.frags, &nf_frags);
645 }
646 
647 static struct pernet_operations nf_ct_net_ops = {
648  .init = nf_ct_net_init,
649  .exit = nf_ct_net_exit,
650 };
651 
652 int nf_ct_frag6_init(void)
653 {
654  int ret = 0;
655 
656  nf_frags.hashfn = nf_hashfn;
657  nf_frags.constructor = ip6_frag_init;
658  nf_frags.destructor = NULL;
659  nf_frags.skb_free = nf_skb_free;
660  nf_frags.qsize = sizeof(struct frag_queue);
661  nf_frags.match = ip6_frag_match;
662  nf_frags.frag_expire = nf_ct_frag6_expire;
663  nf_frags.secret_interval = 10 * 60 * HZ;
664  inet_frags_init(&nf_frags);
665 
666  ret = register_pernet_subsys(&nf_ct_net_ops);
667  if (ret)
668  inet_frags_fini(&nf_frags);
669 
670  return ret;
671 }
672 
673 void nf_ct_frag6_cleanup(void)
674 {
675  unregister_pernet_subsys(&nf_ct_net_ops);
676  inet_frags_fini(&nf_frags);
677 }
Generated on Thu Jan 10 2013 14:59:26 for Linux Kernel by   doxygen 1.8.2