1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
|
// SPDX-License-Identifier: GPL-2.0-only
/*
* This code is taken from the Android Open Source Project and the author
* (Maciej Żenczykowski) has gave permission to relicense it under the
* GPLv2. Therefore this program is free software;
* You can redistribute it and/or modify it under the terms of the GNU
* General Public License version 2 as published by the Free Software
* Foundation
* The original headers, including the original license headers, are
* included below for completeness.
*
* Copyright (C) 2019 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <linux/bpf.h>
#include <linux/if.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <linux/in.h>
#include <linux/in6.h>
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <linux/pkt_cls.h>
#include <linux/swab.h>
#include <stdbool.h>
#include <stdint.h>
#include <linux/udp.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_endian.h>
#define IP_DF 0x4000 // Flag: "Don't Fragment"
SEC("schedcls/ingress6/nat_6")
int sched_cls_ingress6_nat_6_prog(struct __sk_buff *skb)
{
const int l2_header_size = sizeof(struct ethhdr);
void *data = (void *)(long)skb->data;
const void *data_end = (void *)(long)skb->data_end;
const struct ethhdr * const eth = data; // used iff is_ethernet
const struct ipv6hdr * const ip6 = (void *)(eth + 1);
// Require ethernet dst mac address to be our unicast address.
if (skb->pkt_type != PACKET_HOST)
return TC_ACT_OK;
// Must be meta-ethernet IPv6 frame
if (skb->protocol != bpf_htons(ETH_P_IPV6))
return TC_ACT_OK;
// Must have (ethernet and) ipv6 header
if (data + l2_header_size + sizeof(*ip6) > data_end)
return TC_ACT_OK;
// Ethertype - if present - must be IPv6
if (eth->h_proto != bpf_htons(ETH_P_IPV6))
return TC_ACT_OK;
// IP version must be 6
if (ip6->version != 6)
return TC_ACT_OK;
// Maximum IPv6 payload length that can be translated to IPv4
if (bpf_ntohs(ip6->payload_len) > 0xFFFF - sizeof(struct iphdr))
return TC_ACT_OK;
switch (ip6->nexthdr) {
case IPPROTO_TCP: // For TCP & UDP the checksum neutrality of the chosen IPv6
case IPPROTO_UDP: // address means there is no need to update their checksums.
case IPPROTO_GRE: // We do not need to bother looking at GRE/ESP headers,
case IPPROTO_ESP: // since there is never a checksum to update.
break;
default: // do not know how to handle anything else
return TC_ACT_OK;
}
struct ethhdr eth2; // used iff is_ethernet
eth2 = *eth; // Copy over the ethernet header (src/dst mac)
eth2.h_proto = bpf_htons(ETH_P_IP); // But replace the ethertype
struct iphdr ip = {
.version = 4, // u4
.ihl = sizeof(struct iphdr) / sizeof(__u32), // u4
.tos = (ip6->priority << 4) + (ip6->flow_lbl[0] >> 4), // u8
.tot_len = bpf_htons(bpf_ntohs(ip6->payload_len) + sizeof(struct iphdr)), // u16
.id = 0, // u16
.frag_off = bpf_htons(IP_DF), // u16
.ttl = ip6->hop_limit, // u8
.protocol = ip6->nexthdr, // u8
.check = 0, // u16
.saddr = 0x0201a8c0, // u32
.daddr = 0x0101a8c0, // u32
};
// Calculate the IPv4 one's complement checksum of the IPv4 header.
__wsum sum4 = 0;
for (int i = 0; i < sizeof(ip) / sizeof(__u16); ++i)
sum4 += ((__u16 *)&ip)[i];
// Note that sum4 is guaranteed to be non-zero by virtue of ip.version == 4
sum4 = (sum4 & 0xFFFF) + (sum4 >> 16); // collapse u32 into range 1 .. 0x1FFFE
sum4 = (sum4 & 0xFFFF) + (sum4 >> 16); // collapse any potential carry into u16
ip.check = (__u16)~sum4; // sum4 cannot be zero, so this is never 0xFFFF
// Calculate the *negative* IPv6 16-bit one's complement checksum of the IPv6 header.
__wsum sum6 = 0;
// We'll end up with a non-zero sum due to ip6->version == 6 (which has '0' bits)
for (int i = 0; i < sizeof(*ip6) / sizeof(__u16); ++i)
sum6 += ~((__u16 *)ip6)[i]; // note the bitwise negation
// Note that there is no L4 checksum update: we are relying on the checksum neutrality
// of the ipv6 address chosen by netd's ClatdController.
// Packet mutations begin - point of no return, but if this first modification fails
// the packet is probably still pristine, so let clatd handle it.
if (bpf_skb_change_proto(skb, bpf_htons(ETH_P_IP), 0))
return TC_ACT_OK;
bpf_csum_update(skb, sum6);
data = (void *)(long)skb->data;
data_end = (void *)(long)skb->data_end;
if (data + l2_header_size + sizeof(struct iphdr) > data_end)
return TC_ACT_SHOT;
struct ethhdr *new_eth = data;
// Copy over the updated ethernet header
*new_eth = eth2;
// Copy over the new ipv4 header.
*(struct iphdr *)(new_eth + 1) = ip;
return bpf_redirect(skb->ifindex, BPF_F_INGRESS);
}
SEC("schedcls/egress4/snat4")
int sched_cls_egress4_snat4_prog(struct __sk_buff *skb)
{
const int l2_header_size = sizeof(struct ethhdr);
void *data = (void *)(long)skb->data;
const void *data_end = (void *)(long)skb->data_end;
const struct ethhdr *const eth = data; // used iff is_ethernet
const struct iphdr *const ip4 = (void *)(eth + 1);
// Must be meta-ethernet IPv4 frame
if (skb->protocol != bpf_htons(ETH_P_IP))
return TC_ACT_OK;
// Must have ipv4 header
if (data + l2_header_size + sizeof(struct ipv6hdr) > data_end)
return TC_ACT_OK;
// Ethertype - if present - must be IPv4
if (eth->h_proto != bpf_htons(ETH_P_IP))
return TC_ACT_OK;
// IP version must be 4
if (ip4->version != 4)
return TC_ACT_OK;
// We cannot handle IP options, just standard 20 byte == 5 dword minimal IPv4 header
if (ip4->ihl != 5)
return TC_ACT_OK;
// Maximum IPv6 payload length that can be translated to IPv4
if (bpf_htons(ip4->tot_len) > 0xFFFF - sizeof(struct ipv6hdr))
return TC_ACT_OK;
// Calculate the IPv4 one's complement checksum of the IPv4 header.
__wsum sum4 = 0;
for (int i = 0; i < sizeof(*ip4) / sizeof(__u16); ++i)
sum4 += ((__u16 *)ip4)[i];
// Note that sum4 is guaranteed to be non-zero by virtue of ip4->version == 4
sum4 = (sum4 & 0xFFFF) + (sum4 >> 16); // collapse u32 into range 1 .. 0x1FFFE
sum4 = (sum4 & 0xFFFF) + (sum4 >> 16); // collapse any potential carry into u16
// for a correct checksum we should get *a* zero, but sum4 must be positive, ie 0xFFFF
if (sum4 != 0xFFFF)
return TC_ACT_OK;
// Minimum IPv4 total length is the size of the header
if (bpf_ntohs(ip4->tot_len) < sizeof(*ip4))
return TC_ACT_OK;
// We are incapable of dealing with IPv4 fragments
if (ip4->frag_off & ~bpf_htons(IP_DF))
return TC_ACT_OK;
switch (ip4->protocol) {
case IPPROTO_TCP: // For TCP & UDP the checksum neutrality of the chosen IPv6
case IPPROTO_GRE: // address means there is no need to update their checksums.
case IPPROTO_ESP: // We do not need to bother looking at GRE/ESP headers,
break; // since there is never a checksum to update.
case IPPROTO_UDP: // See above comment, but must also have UDP header...
if (data + sizeof(*ip4) + sizeof(struct udphdr) > data_end)
return TC_ACT_OK;
const struct udphdr *uh = (const struct udphdr *)(ip4 + 1);
// If IPv4/UDP checksum is 0 then fallback to clatd so it can calculate the
// checksum. Otherwise the network or more likely the NAT64 gateway might
// drop the packet because in most cases IPv6/UDP packets with a zero checksum
// are invalid. See RFC 6935. TODO: calculate checksum via bpf_csum_diff()
if (!uh->check)
return TC_ACT_OK;
break;
default: // do not know how to handle anything else
return TC_ACT_OK;
}
struct ethhdr eth2; // used iff is_ethernet
eth2 = *eth; // Copy over the ethernet header (src/dst mac)
eth2.h_proto = bpf_htons(ETH_P_IPV6); // But replace the ethertype
struct ipv6hdr ip6 = {
.version = 6, // __u8:4
.priority = ip4->tos >> 4, // __u8:4
.flow_lbl = {(ip4->tos & 0xF) << 4, 0, 0}, // __u8[3]
.payload_len = bpf_htons(bpf_ntohs(ip4->tot_len) - 20), // __be16
.nexthdr = ip4->protocol, // __u8
.hop_limit = ip4->ttl, // __u8
};
ip6.saddr.in6_u.u6_addr32[0] = bpf_htonl(0x20010db8);
ip6.saddr.in6_u.u6_addr32[1] = 0;
ip6.saddr.in6_u.u6_addr32[2] = 0;
ip6.saddr.in6_u.u6_addr32[3] = bpf_htonl(1);
ip6.daddr.in6_u.u6_addr32[0] = bpf_htonl(0x20010db8);
ip6.daddr.in6_u.u6_addr32[1] = 0;
ip6.daddr.in6_u.u6_addr32[2] = 0;
ip6.daddr.in6_u.u6_addr32[3] = bpf_htonl(2);
// Calculate the IPv6 16-bit one's complement checksum of the IPv6 header.
__wsum sum6 = 0;
// We'll end up with a non-zero sum due to ip6.version == 6
for (int i = 0; i < sizeof(ip6) / sizeof(__u16); ++i)
sum6 += ((__u16 *)&ip6)[i];
// Packet mutations begin - point of no return, but if this first modification fails
// the packet is probably still pristine, so let clatd handle it.
if (bpf_skb_change_proto(skb, bpf_htons(ETH_P_IPV6), 0))
return TC_ACT_OK;
// This takes care of updating the skb->csum field for a CHECKSUM_COMPLETE packet.
// In such a case, skb->csum is a 16-bit one's complement sum of the entire payload,
// thus we need to subtract out the ipv4 header's sum, and add in the ipv6 header's sum.
// However, we've already verified the ipv4 checksum is correct and thus 0.
// Thus we only need to add the ipv6 header's sum.
//
// bpf_csum_update() always succeeds if the skb is CHECKSUM_COMPLETE and returns an error
// (-ENOTSUPP) if it isn't. So we just ignore the return code (see above for more details).
bpf_csum_update(skb, sum6);
// bpf_skb_change_proto() invalidates all pointers - reload them.
data = (void *)(long)skb->data;
data_end = (void *)(long)skb->data_end;
// I cannot think of any valid way for this error condition to trigger, however I do
// believe the explicit check is required to keep the in kernel ebpf verifier happy.
if (data + l2_header_size + sizeof(ip6) > data_end)
return TC_ACT_SHOT;
struct ethhdr *new_eth = data;
// Copy over the updated ethernet header
*new_eth = eth2;
// Copy over the new ipv4 header.
*(struct ipv6hdr *)(new_eth + 1) = ip6;
return TC_ACT_OK;
}
char _license[] SEC("license") = ("GPL");
|
