2 * Copyright (C)2004 USAGI/WIDE Project
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
9 * Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
12 #include <linux/types.h>
13 #include <linux/ipv6.h>
14 #include <linux/in6.h>
15 #include <linux/netfilter.h>
16 #include <linux/module.h>
17 #include <linux/skbuff.h>
18 #include <linux/icmp.h>
20 #include <net/inet_frag.h>
22 #include <linux/netfilter_bridge.h>
23 #include <linux/netfilter_ipv6.h>
24 #include <net/netfilter/nf_conntrack.h>
25 #include <net/netfilter/nf_conntrack_helper.h>
26 #include <net/netfilter/nf_conntrack_l4proto.h>
27 #include <net/netfilter/nf_conntrack_l3proto.h>
28 #include <net/netfilter/nf_conntrack_core.h>
29 #include <net/netfilter/nf_conntrack_zones.h>
30 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
31 #include <net/netfilter/nf_nat_helper.h>
32 #include <net/netfilter/ipv6/nf_defrag_ipv6.h>
33 #include <net/netfilter/nf_log.h>
35 static bool ipv6_pkt_to_tuple(const struct sk_buff *skb, unsigned int nhoff,
36 struct nf_conntrack_tuple *tuple)
41 ap = skb_header_pointer(skb, nhoff + offsetof(struct ipv6hdr, saddr),
42 sizeof(_addrs), _addrs);
46 memcpy(tuple->src.u3.ip6, ap, sizeof(tuple->src.u3.ip6));
47 memcpy(tuple->dst.u3.ip6, ap + 4, sizeof(tuple->dst.u3.ip6));
52 static bool ipv6_invert_tuple(struct nf_conntrack_tuple *tuple,
53 const struct nf_conntrack_tuple *orig)
55 memcpy(tuple->src.u3.ip6, orig->dst.u3.ip6, sizeof(tuple->src.u3.ip6));
56 memcpy(tuple->dst.u3.ip6, orig->src.u3.ip6, sizeof(tuple->dst.u3.ip6));
61 static int ipv6_print_tuple(struct seq_file *s,
62 const struct nf_conntrack_tuple *tuple)
64 return seq_printf(s, "src=%pI6 dst=%pI6 ",
65 tuple->src.u3.ip6, tuple->dst.u3.ip6);
68 static int ipv6_get_l4proto(const struct sk_buff *skb, unsigned int nhoff,
69 unsigned int *dataoff, u_int8_t *protonum)
71 unsigned int extoff = nhoff + sizeof(struct ipv6hdr);
76 if (skb_copy_bits(skb, nhoff + offsetof(struct ipv6hdr, nexthdr),
77 &nexthdr, sizeof(nexthdr)) != 0) {
78 pr_debug("ip6_conntrack_core: can't get nexthdr\n");
81 protoff = ipv6_skip_exthdr(skb, extoff, &nexthdr, &frag_off);
83 * (protoff == skb->len) mean that the packet doesn't have no data
84 * except of IPv6 & ext headers. but it's tracked anyway. - YK
86 if (protoff < 0 || (frag_off & htons(~0x7)) != 0) {
87 pr_debug("ip6_conntrack_core: can't find proto in pkt\n");
96 static unsigned int ipv6_helper(unsigned int hooknum,
98 const struct net_device *in,
99 const struct net_device *out,
100 int (*okfn)(struct sk_buff *))
103 const struct nf_conn_help *help;
104 const struct nf_conntrack_helper *helper;
105 enum ip_conntrack_info ctinfo;
111 /* This is where we call the helper: as the packet goes out. */
112 ct = nf_ct_get(skb, &ctinfo);
113 if (!ct || ctinfo == IP_CT_RELATED_REPLY)
116 help = nfct_help(ct);
119 /* rcu_read_lock()ed by nf_hook_slow */
120 helper = rcu_dereference(help->helper);
124 nexthdr = ipv6_hdr(skb)->nexthdr;
125 protoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr,
127 if (protoff < 0 || (frag_off & htons(~0x7)) != 0) {
128 pr_debug("proto header not found\n");
132 ret = helper->help(skb, protoff, ct, ctinfo);
133 if (ret != NF_ACCEPT && (ret & NF_VERDICT_MASK) != NF_QUEUE) {
134 nf_log_packet(NFPROTO_IPV6, hooknum, skb, in, out, NULL,
135 "nf_ct_%s: dropping packet", helper->name);
140 static unsigned int ipv6_confirm(unsigned int hooknum,
142 const struct net_device *in,
143 const struct net_device *out,
144 int (*okfn)(struct sk_buff *))
147 enum ip_conntrack_info ctinfo;
148 unsigned char pnum = ipv6_hdr(skb)->nexthdr;
152 ct = nf_ct_get(skb, &ctinfo);
153 if (!ct || ctinfo == IP_CT_RELATED_REPLY)
156 protoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &pnum,
158 if (protoff < 0 || (frag_off & htons(~0x7)) != 0) {
159 pr_debug("proto header not found\n");
163 /* adjust seqs for loopback traffic only in outgoing direction */
164 if (test_bit(IPS_SEQ_ADJUST_BIT, &ct->status) &&
165 !nf_is_loopback_packet(skb)) {
166 typeof(nf_nat_seq_adjust_hook) seq_adjust;
168 seq_adjust = rcu_dereference(nf_nat_seq_adjust_hook);
170 !seq_adjust(skb, ct, ctinfo, protoff)) {
171 NF_CT_STAT_INC_ATOMIC(nf_ct_net(ct), drop);
176 /* We've seen it coming out the other side: confirm it */
177 return nf_conntrack_confirm(skb);
180 static unsigned int __ipv6_conntrack_in(struct net *net,
181 unsigned int hooknum,
183 const struct net_device *in,
184 const struct net_device *out,
185 int (*okfn)(struct sk_buff *))
187 struct sk_buff *reasm = skb->nfct_reasm;
188 const struct nf_conn_help *help;
190 enum ip_conntrack_info ctinfo;
192 /* This packet is fragmented and has reassembled packet. */
194 /* Reassembled packet isn't parsed yet ? */
198 ret = nf_conntrack_in(net, PF_INET6, hooknum, reasm);
199 if (ret != NF_ACCEPT)
203 /* Conntrack helpers need the entire reassembled packet in the
204 * POST_ROUTING hook. In case of unconfirmed connections NAT
205 * might reassign a helper, so the entire packet is also
208 ct = nf_ct_get(reasm, &ctinfo);
209 if (ct != NULL && !nf_ct_is_untracked(ct)) {
210 help = nfct_help(ct);
211 if ((help && help->helper) || !nf_ct_is_confirmed(ct)) {
212 nf_conntrack_get_reasm(skb);
213 NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, reasm,
214 (struct net_device *)in,
215 (struct net_device *)out,
216 okfn, NF_IP6_PRI_CONNTRACK + 1);
217 return NF_DROP_ERR(-ECANCELED);
221 nf_conntrack_get(reasm->nfct);
222 skb->nfct = reasm->nfct;
223 skb->nfctinfo = reasm->nfctinfo;
227 return nf_conntrack_in(net, PF_INET6, hooknum, skb);
230 static unsigned int ipv6_conntrack_in(unsigned int hooknum,
232 const struct net_device *in,
233 const struct net_device *out,
234 int (*okfn)(struct sk_buff *))
236 return __ipv6_conntrack_in(dev_net(in), hooknum, skb, in, out, okfn);
239 static unsigned int ipv6_conntrack_local(unsigned int hooknum,
241 const struct net_device *in,
242 const struct net_device *out,
243 int (*okfn)(struct sk_buff *))
245 /* root is playing with raw sockets. */
246 if (skb->len < sizeof(struct ipv6hdr)) {
247 net_notice_ratelimited("ipv6_conntrack_local: packet too short\n");
250 return __ipv6_conntrack_in(dev_net(out), hooknum, skb, in, out, okfn);
253 static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = {
255 .hook = ipv6_conntrack_in,
256 .owner = THIS_MODULE,
258 .hooknum = NF_INET_PRE_ROUTING,
259 .priority = NF_IP6_PRI_CONNTRACK,
262 .hook = ipv6_conntrack_local,
263 .owner = THIS_MODULE,
265 .hooknum = NF_INET_LOCAL_OUT,
266 .priority = NF_IP6_PRI_CONNTRACK,
270 .owner = THIS_MODULE,
272 .hooknum = NF_INET_POST_ROUTING,
273 .priority = NF_IP6_PRI_CONNTRACK_HELPER,
276 .hook = ipv6_confirm,
277 .owner = THIS_MODULE,
279 .hooknum = NF_INET_POST_ROUTING,
280 .priority = NF_IP6_PRI_LAST,
284 .owner = THIS_MODULE,
286 .hooknum = NF_INET_LOCAL_IN,
287 .priority = NF_IP6_PRI_CONNTRACK_HELPER,
290 .hook = ipv6_confirm,
291 .owner = THIS_MODULE,
293 .hooknum = NF_INET_LOCAL_IN,
294 .priority = NF_IP6_PRI_LAST-1,
298 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
300 #include <linux/netfilter/nfnetlink.h>
301 #include <linux/netfilter/nfnetlink_conntrack.h>
303 static int ipv6_tuple_to_nlattr(struct sk_buff *skb,
304 const struct nf_conntrack_tuple *tuple)
306 if (nla_put(skb, CTA_IP_V6_SRC, sizeof(u_int32_t) * 4,
307 &tuple->src.u3.ip6) ||
308 nla_put(skb, CTA_IP_V6_DST, sizeof(u_int32_t) * 4,
310 goto nla_put_failure;
317 static const struct nla_policy ipv6_nla_policy[CTA_IP_MAX+1] = {
318 [CTA_IP_V6_SRC] = { .len = sizeof(u_int32_t)*4 },
319 [CTA_IP_V6_DST] = { .len = sizeof(u_int32_t)*4 },
322 static int ipv6_nlattr_to_tuple(struct nlattr *tb[],
323 struct nf_conntrack_tuple *t)
325 if (!tb[CTA_IP_V6_SRC] || !tb[CTA_IP_V6_DST])
328 memcpy(&t->src.u3.ip6, nla_data(tb[CTA_IP_V6_SRC]),
329 sizeof(u_int32_t) * 4);
330 memcpy(&t->dst.u3.ip6, nla_data(tb[CTA_IP_V6_DST]),
331 sizeof(u_int32_t) * 4);
336 static int ipv6_nlattr_tuple_size(void)
338 return nla_policy_len(ipv6_nla_policy, CTA_IP_MAX + 1);
342 struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv6 __read_mostly = {
345 .pkt_to_tuple = ipv6_pkt_to_tuple,
346 .invert_tuple = ipv6_invert_tuple,
347 .print_tuple = ipv6_print_tuple,
348 .get_l4proto = ipv6_get_l4proto,
349 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
350 .tuple_to_nlattr = ipv6_tuple_to_nlattr,
351 .nlattr_tuple_size = ipv6_nlattr_tuple_size,
352 .nlattr_to_tuple = ipv6_nlattr_to_tuple,
353 .nla_policy = ipv6_nla_policy,
358 MODULE_ALIAS("nf_conntrack-" __stringify(AF_INET6));
359 MODULE_LICENSE("GPL");
360 MODULE_AUTHOR("Yasuyuki KOZAKAI @USAGI <yasuyuki.kozakai@toshiba.co.jp>");
362 static int ipv6_net_init(struct net *net)
366 ret = nf_conntrack_l4proto_register(net,
367 &nf_conntrack_l4proto_tcp6);
369 printk(KERN_ERR "nf_conntrack_l4proto_tcp6: protocol register failed\n");
372 ret = nf_conntrack_l4proto_register(net,
373 &nf_conntrack_l4proto_udp6);
375 printk(KERN_ERR "nf_conntrack_l4proto_udp6: protocol register failed\n");
378 ret = nf_conntrack_l4proto_register(net,
379 &nf_conntrack_l4proto_icmpv6);
381 printk(KERN_ERR "nf_conntrack_l4proto_icmp6: protocol register failed\n");
384 ret = nf_conntrack_l3proto_register(net,
385 &nf_conntrack_l3proto_ipv6);
387 printk(KERN_ERR "nf_conntrack_l3proto_ipv6: protocol register failed\n");
392 nf_conntrack_l4proto_unregister(net,
393 &nf_conntrack_l4proto_icmpv6);
395 nf_conntrack_l4proto_unregister(net,
396 &nf_conntrack_l4proto_udp6);
398 nf_conntrack_l4proto_unregister(net,
399 &nf_conntrack_l4proto_tcp6);
404 static void ipv6_net_exit(struct net *net)
406 nf_conntrack_l3proto_unregister(net,
407 &nf_conntrack_l3proto_ipv6);
408 nf_conntrack_l4proto_unregister(net,
409 &nf_conntrack_l4proto_icmpv6);
410 nf_conntrack_l4proto_unregister(net,
411 &nf_conntrack_l4proto_udp6);
412 nf_conntrack_l4proto_unregister(net,
413 &nf_conntrack_l4proto_tcp6);
416 static struct pernet_operations ipv6_net_ops = {
417 .init = ipv6_net_init,
418 .exit = ipv6_net_exit,
421 static int __init nf_conntrack_l3proto_ipv6_init(void)
426 nf_defrag_ipv6_enable();
428 ret = register_pernet_subsys(&ipv6_net_ops);
431 ret = nf_register_hooks(ipv6_conntrack_ops,
432 ARRAY_SIZE(ipv6_conntrack_ops));
434 pr_err("nf_conntrack_ipv6: can't register pre-routing defrag "
441 unregister_pernet_subsys(&ipv6_net_ops);
446 static void __exit nf_conntrack_l3proto_ipv6_fini(void)
449 nf_unregister_hooks(ipv6_conntrack_ops, ARRAY_SIZE(ipv6_conntrack_ops));
450 unregister_pernet_subsys(&ipv6_net_ops);
453 module_init(nf_conntrack_l3proto_ipv6_init);
454 module_exit(nf_conntrack_l3proto_ipv6_fini);
projects / firefly-linux-kernel-4.4.55.git / blob