tools/testing/selftests/net/nat6to4.bpf.c

   1 // SPDX-License-Identifier: GPL-2.0-only
   2 /*
   3  * This code is taken from the Android Open Source Project and the author
   4  * (Maciej Żenczykowski) has gave permission to relicense it under the
   5  * GPLv2. Therefore this program is free software;
   6  * You can redistribute it and/or modify it under the terms of the GNU
   7  * General Public License version 2 as published by the Free Software
   8  * Foundation
   9
  10  * The original headers, including the original license headers, are
  11  * included below for completeness.
  12  *
  13  * Copyright (C) 2019 The Android Open Source Project
  14  *
  15  * Licensed under the Apache License, Version 2.0 (the "License");
  16  * you may not use this file except in compliance with the License.
  17  * You may obtain a copy of the License at
  18  *
  19  *      http://www.apache.org/licenses/LICENSE-2.0
  20  *
  21  * Unless required by applicable law or agreed to in writing, software
  22  * distributed under the License is distributed on an "AS IS" BASIS,
  23  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  24  * See the License for the specific language governing permissions and
  25  * limitations under the License.
  26  */
  27 #include <linux/bpf.h>
  28 #include <linux/if.h>
  29 #include <linux/if_ether.h>
  30 #include <linux/if_packet.h>
  31 #include <linux/in.h>
  32 #include <linux/in6.h>
  33 #include <linux/ip.h>
  34 #include <linux/ipv6.h>
  35 #include <linux/pkt_cls.h>
  36 #include <linux/swab.h>
  37 #include <stdbool.h>
  38 #include <stdint.h>
  39
  40
  41 #include <linux/udp.h>
  42
  43 #include <bpf/bpf_helpers.h>
  44 #include <bpf/bpf_endian.h>
  45
  46 #define IP_DF 0x4000  // Flag: "Don't Fragment"
  47
  48 SEC("schedcls/ingress6/nat_6")
  49 int sched_cls_ingress6_nat_6_prog(struct __sk_buff *skb)
  50 {
  51         const int l2_header_size =  sizeof(struct ethhdr);
  52         void *data = (void *)(long)skb->data;
  53         const void *data_end = (void *)(long)skb->data_end;
  54         const struct ethhdr * const eth = data;  // used iff is_ethernet
  55         const struct ipv6hdr * const ip6 =  (void *)(eth + 1);
  56
  57         // Require ethernet dst mac address to be our unicast address.
  58         if  (skb->pkt_type != PACKET_HOST)
  59                 return TC_ACT_OK;
  60
  61         // Must be meta-ethernet IPv6 frame
  62         if (skb->protocol != bpf_htons(ETH_P_IPV6))
  63                 return TC_ACT_OK;
  64
  65         // Must have (ethernet and) ipv6 header
  66         if (data + l2_header_size + sizeof(*ip6) > data_end)
  67                 return TC_ACT_OK;
  68
  69         // Ethertype - if present - must be IPv6
  70         if (eth->h_proto != bpf_htons(ETH_P_IPV6))
  71                 return TC_ACT_OK;
  72
  73         // IP version must be 6
  74         if (ip6->version != 6)
  75                 return TC_ACT_OK;
  76         // Maximum IPv6 payload length that can be translated to IPv4
  77         if (bpf_ntohs(ip6->payload_len) > 0xFFFF - sizeof(struct iphdr))
  78                 return TC_ACT_OK;
  79         switch (ip6->nexthdr) {
  80         case IPPROTO_TCP:  // For TCP & UDP the checksum neutrality of the chosen IPv6
  81         case IPPROTO_UDP:  // address means there is no need to update their checksums.
  82         case IPPROTO_GRE:  // We do not need to bother looking at GRE/ESP headers,
  83         case IPPROTO_ESP:  // since there is never a checksum to update.
  84                 break;
  85         default:  // do not know how to handle anything else
  86                 return TC_ACT_OK;
  87         }
  88
  89         struct ethhdr eth2;  // used iff is_ethernet
  90
  91         eth2 = *eth;                     // Copy over the ethernet header (src/dst mac)
  92         eth2.h_proto = bpf_htons(ETH_P_IP);  // But replace the ethertype
  93
  94         struct iphdr ip = {
  95                 .version = 4,                                                      // u4
  96                 .ihl = sizeof(struct iphdr) / sizeof(__u32),                       // u4
  97                 .tos = (ip6->priority << 4) + (ip6->flow_lbl[0] >> 4),             // u8
  98                 .tot_len = bpf_htons(bpf_ntohs(ip6->payload_len) + sizeof(struct iphdr)),  // u16
  99                 .id = 0,                                                           // u16
 100                 .frag_off = bpf_htons(IP_DF),                                          // u16
 101                 .ttl = ip6->hop_limit,                                             // u8
 102                 .protocol = ip6->nexthdr,                                          // u8
 103                 .check = 0,                                                        // u16
 104                 .saddr = 0x0201a8c0,                            // u32
 105                 .daddr = 0x0101a8c0,                                         // u32
 106         };
 107
 108         // Calculate the IPv4 one's complement checksum of the IPv4 header.
 109         __wsum sum4 = 0;
 110
 111         for (int i = 0; i < sizeof(ip) / sizeof(__u16); ++i)
 112                 sum4 += ((__u16 *)&ip)[i];
 113
 114         // Note that sum4 is guaranteed to be non-zero by virtue of ip.version == 4
 115         sum4 = (sum4 & 0xFFFF) + (sum4 >> 16);  // collapse u32 into range 1 .. 0x1FFFE
 116         sum4 = (sum4 & 0xFFFF) + (sum4 >> 16);  // collapse any potential carry into u16
 117         ip.check = (__u16)~sum4;                // sum4 cannot be zero, so this is never 0xFFFF
 118
 119         // Calculate the *negative* IPv6 16-bit one's complement checksum of the IPv6 header.
 120         __wsum sum6 = 0;
 121         // We'll end up with a non-zero sum due to ip6->version == 6 (which has '0' bits)
 122         for (int i = 0; i < sizeof(*ip6) / sizeof(__u16); ++i)
 123                 sum6 += ~((__u16 *)ip6)[i];  // note the bitwise negation
 124
 125         // Note that there is no L4 checksum update: we are relying on the checksum neutrality
 126         // of the ipv6 address chosen by netd's ClatdController.
 127
 128         // Packet mutations begin - point of no return, but if this first modification fails
 129         // the packet is probably still pristine, so let clatd handle it.
 130         if (bpf_skb_change_proto(skb, bpf_htons(ETH_P_IP), 0))
 131                 return TC_ACT_OK;
 132         bpf_csum_update(skb, sum6);
 133
 134         data = (void *)(long)skb->data;
 135         data_end = (void *)(long)skb->data_end;
 136         if (data + l2_header_size + sizeof(struct iphdr) > data_end)
 137                 return TC_ACT_SHOT;
 138
 139         struct ethhdr *new_eth = data;
 140
 141         // Copy over the updated ethernet header
 142         *new_eth = eth2;
 143
 144         // Copy over the new ipv4 header.
 145         *(struct iphdr *)(new_eth + 1) = ip;
 146         return bpf_redirect(skb->ifindex, BPF_F_INGRESS);
 147 }
 148
 149 SEC("schedcls/egress4/snat4")
 150 int sched_cls_egress4_snat4_prog(struct __sk_buff *skb)
 151 {
 152         const int l2_header_size =  sizeof(struct ethhdr);
 153         void *data = (void *)(long)skb->data;
 154         const void *data_end = (void *)(long)skb->data_end;
 155         const struct ethhdr *const eth = data;  // used iff is_ethernet
 156         const struct iphdr *const ip4 = (void *)(eth + 1);
 157
 158         // Must be meta-ethernet IPv4 frame
 159         if (skb->protocol != bpf_htons(ETH_P_IP))
 160                 return TC_ACT_OK;
 161
 162         // Must have ipv4 header
 163         if (data + l2_header_size + sizeof(struct ipv6hdr) > data_end)
 164                 return TC_ACT_OK;
 165
 166         // Ethertype - if present - must be IPv4
 167         if (eth->h_proto != bpf_htons(ETH_P_IP))
 168                 return TC_ACT_OK;
 169
 170         // IP version must be 4
 171         if (ip4->version != 4)
 172                 return TC_ACT_OK;
 173
 174         // We cannot handle IP options, just standard 20 byte == 5 dword minimal IPv4 header
 175         if (ip4->ihl != 5)
 176                 return TC_ACT_OK;
 177
 178         // Maximum IPv6 payload length that can be translated to IPv4
 179         if (bpf_htons(ip4->tot_len) > 0xFFFF - sizeof(struct ipv6hdr))
 180                 return TC_ACT_OK;
 181
 182         // Calculate the IPv4 one's complement checksum of the IPv4 header.
 183         __wsum sum4 = 0;
 184
 185         for (int i = 0; i < sizeof(*ip4) / sizeof(__u16); ++i)
 186                 sum4 += ((__u16 *)ip4)[i];
 187
 188         // Note that sum4 is guaranteed to be non-zero by virtue of ip4->version == 4
 189         sum4 = (sum4 & 0xFFFF) + (sum4 >> 16);  // collapse u32 into range 1 .. 0x1FFFE
 190         sum4 = (sum4 & 0xFFFF) + (sum4 >> 16);  // collapse any potential carry into u16
 191         // for a correct checksum we should get *a* zero, but sum4 must be positive, ie 0xFFFF
 192         if (sum4 != 0xFFFF)
 193                 return TC_ACT_OK;
 194
 195         // Minimum IPv4 total length is the size of the header
 196         if (bpf_ntohs(ip4->tot_len) < sizeof(*ip4))
 197                 return TC_ACT_OK;
 198
 199         // We are incapable of dealing with IPv4 fragments
 200         if (ip4->frag_off & ~bpf_htons(IP_DF))
 201                 return TC_ACT_OK;
 202
 203         switch (ip4->protocol) {
 204         case IPPROTO_TCP:  // For TCP & UDP the checksum neutrality of the chosen IPv6
 205         case IPPROTO_GRE:  // address means there is no need to update their checksums.
 206         case IPPROTO_ESP:  // We do not need to bother looking at GRE/ESP headers,
 207                 break;         // since there is never a checksum to update.
 208
 209         case IPPROTO_UDP:  // See above comment, but must also have UDP header...
 210                 if (data + sizeof(*ip4) + sizeof(struct udphdr) > data_end)
 211                         return TC_ACT_OK;
 212                 const struct udphdr *uh = (const struct udphdr *)(ip4 + 1);
 213                 // If IPv4/UDP checksum is 0 then fallback to clatd so it can calculate the
 214                 // checksum.  Otherwise the network or more likely the NAT64 gateway might
 215                 // drop the packet because in most cases IPv6/UDP packets with a zero checksum
 216                 // are invalid. See RFC 6935.  TODO: calculate checksum via bpf_csum_diff()
 217                 if (!uh->check)
 218                         return TC_ACT_OK;
 219                 break;
 220
 221         default:  // do not know how to handle anything else
 222                 return TC_ACT_OK;
 223         }
 224         struct ethhdr eth2;  // used iff is_ethernet
 225
 226         eth2 = *eth;                     // Copy over the ethernet header (src/dst mac)
 227         eth2.h_proto = bpf_htons(ETH_P_IPV6);  // But replace the ethertype
 228
 229         struct ipv6hdr ip6 = {
 230                 .version = 6,                                    // __u8:4
 231                 .priority = ip4->tos >> 4,                       // __u8:4
 232                 .flow_lbl = {(ip4->tos & 0xF) << 4, 0, 0},       // __u8[3]
 233                 .payload_len = bpf_htons(bpf_ntohs(ip4->tot_len) - 20),  // __be16
 234                 .nexthdr = ip4->protocol,                        // __u8
 235                 .hop_limit = ip4->ttl,                           // __u8
 236         };
 237         ip6.saddr.in6_u.u6_addr32[0] = bpf_htonl(0x20010db8);
 238         ip6.saddr.in6_u.u6_addr32[1] = 0;
 239         ip6.saddr.in6_u.u6_addr32[2] = 0;
 240         ip6.saddr.in6_u.u6_addr32[3] = bpf_htonl(1);
 241         ip6.daddr.in6_u.u6_addr32[0] = bpf_htonl(0x20010db8);
 242         ip6.daddr.in6_u.u6_addr32[1] = 0;
 243         ip6.daddr.in6_u.u6_addr32[2] = 0;
 244         ip6.daddr.in6_u.u6_addr32[3] = bpf_htonl(2);
 245
 246         // Calculate the IPv6 16-bit one's complement checksum of the IPv6 header.
 247         __wsum sum6 = 0;
 248         // We'll end up with a non-zero sum due to ip6.version == 6
 249         for (int i = 0; i < sizeof(ip6) / sizeof(__u16); ++i)
 250                 sum6 += ((__u16 *)&ip6)[i];
 251
 252         // Packet mutations begin - point of no return, but if this first modification fails
 253         // the packet is probably still pristine, so let clatd handle it.
 254         if (bpf_skb_change_proto(skb, bpf_htons(ETH_P_IPV6), 0))
 255                 return TC_ACT_OK;
 256
 257         // This takes care of updating the skb->csum field for a CHECKSUM_COMPLETE packet.
 258         // In such a case, skb->csum is a 16-bit one's complement sum of the entire payload,
 259         // thus we need to subtract out the ipv4 header's sum, and add in the ipv6 header's sum.
 260         // However, we've already verified the ipv4 checksum is correct and thus 0.
 261         // Thus we only need to add the ipv6 header's sum.
 262         //
 263         // bpf_csum_update() always succeeds if the skb is CHECKSUM_COMPLETE and returns an error
 264         // (-ENOTSUPP) if it isn't.  So we just ignore the return code (see above for more details).
 265         bpf_csum_update(skb, sum6);
 266
 267         // bpf_skb_change_proto() invalidates all pointers - reload them.
 268         data = (void *)(long)skb->data;
 269         data_end = (void *)(long)skb->data_end;
 270
 271         // I cannot think of any valid way for this error condition to trigger, however I do
 272         // believe the explicit check is required to keep the in kernel ebpf verifier happy.
 273         if (data + l2_header_size + sizeof(ip6) > data_end)
 274                 return TC_ACT_SHOT;
 275
 276         struct ethhdr *new_eth = data;
 277
 278         // Copy over the updated ethernet header
 279         *new_eth = eth2;
 280         // Copy over the new ipv4 header.
 281         *(struct ipv6hdr *)(new_eth + 1) = ip6;
 282         return TC_ACT_OK;
 283 }
 284
 285 char _license[] SEC("license") = ("GPL");