/*
* handle an error received on the local endpoint
*/
void rxrpc_UDP_error_report(struct sock *sk)
{
struct sock_exterr_skb *serr;
struct rxrpc_transport *trans;
struct rxrpc_local *local = sk->sk_user_data;
struct rxrpc_peer *peer;
struct sk_buff *skb;
__be32 addr;
__be16 port;
_enter("%p{%d}", sk, local->debug_id);
skb = skb_dequeue(&sk->sk_error_queue);
if (!skb) {
_leave("UDP socket errqueue empty");
return;
}
rxrpc_new_skb(skb);
serr = SKB_EXT_ERR(skb);
addr = *(__be32 *)(skb_network_header(skb) + serr->addr_offset);
port = serr->port;
_net("Rx UDP Error from "NIPQUAD_FMT":%hu",
NIPQUAD(addr), ntohs(port));
_debug("Msg l:%d d:%d", skb->len, skb->data_len);
peer = rxrpc_find_peer(local, addr, port);
if (IS_ERR(peer)) {
rxrpc_free_skb(skb);
_leave(" [no peer]");
return;
}
trans = rxrpc_find_transport(local, peer);
if (!trans) {
rxrpc_put_peer(peer);
rxrpc_free_skb(skb);
_leave(" [no trans]");
return;
}
if (serr->ee.ee_origin == SO_EE_ORIGIN_ICMP &&
serr->ee.ee_type == ICMP_DEST_UNREACH &&
serr->ee.ee_code == ICMP_FRAG_NEEDED
) {
u32 mtu = serr->ee.ee_info;
_net("Rx Received ICMP Fragmentation Needed (%d)", mtu);
/* wind down the local interface MTU */
if (mtu > 0 && peer->if_mtu == 65535 && mtu < peer->if_mtu) {
peer->if_mtu = mtu;
_net("I/F MTU %u", mtu);
}
/* ip_rt_frag_needed() may have eaten the info */
if (mtu == 0)
mtu = ntohs(icmp_hdr(skb)->un.frag.mtu);
if (mtu == 0) {
/* they didn't give us a size, estimate one */
if (mtu > 1500) {
mtu >>= 1;
if (mtu < 1500)
mtu = 1500;
} else {
static int ipip6_err(struct sk_buff *skb, u32 info)
{
/* All the routers (except for Linux) return only
8 bytes of packet payload. It means, that precise relaying of
ICMP in the real Internet is absolutely infeasible.
*/
struct iphdr *iph = (struct iphdr*)skb->data;
const int type = icmp_hdr(skb)->type;
const int code = icmp_hdr(skb)->code;
struct ip_tunnel *t;
int err;
switch (type) {
default:
case ICMP_PARAMETERPROB:
return 0;
case ICMP_DEST_UNREACH:
switch (code) {
case ICMP_SR_FAILED:
case ICMP_PORT_UNREACH:
/* Impossible event. */
return 0;
case ICMP_FRAG_NEEDED:
/* Soft state for pmtu is maintained by IP core. */
return 0;
default:
/* All others are translated to HOST_UNREACH.
rfc2003 contains "deep thoughts" about NET_UNREACH,
I believe they are just ether pollution. --ANK
*/
break;
}
break;
case ICMP_TIME_EXCEEDED:
if (code != ICMP_EXC_TTL)
return 0;
break;
}
err = -ENOENT;
read_lock(&ipip6_lock);
t = ipip6_tunnel_lookup(dev_net(skb->dev), iph->daddr, iph->saddr);
if (t == NULL || t->parms.iph.daddr == 0)
goto out;
err = 0;
if (t->parms.iph.ttl == 0 && type == ICMP_TIME_EXCEEDED)
goto out;
if (jiffies - t->err_time < IPTUNNEL_ERR_TIMEO)
t->err_count++;
else
t->err_count = 1;
t->err_time = jiffies;
out:
read_unlock(&ipip6_lock);
return err;
}
static void ipgre_err(struct sk_buff *skb, u32 info)
{
/* All the routers (except for Linux) return only
8 bytes of packet payload. It means, that precise relaying of
ICMP in the real Internet is absolutely infeasible.
Moreover, Cisco "wise men" put GRE key to the third word
in GRE header. It makes impossible maintaining even soft state for keyed
GRE tunnels with enabled checksum. Tell them "thank you".
Well, I wonder, rfc1812 was written by Cisco employee,
what the hell these idiots break standrads established
by themself???
*/
struct iphdr *iph = (struct iphdr *)skb->data;
__be16 *p = (__be16*)(skb->data+(iph->ihl<<2));
int grehlen = (iph->ihl<<2) + 4;
const int type = icmp_hdr(skb)->type;
const int code = icmp_hdr(skb)->code;
struct ip_tunnel *t;
__be16 flags;
flags = p[0];
if (flags&(GRE_CSUM|GRE_KEY|GRE_SEQ|GRE_ROUTING|GRE_VERSION)) {
if (flags&(GRE_VERSION|GRE_ROUTING))
return;
if (flags&GRE_KEY) {
grehlen += 4;
if (flags&GRE_CSUM)
grehlen += 4;
}
}
/* If only 8 bytes returned, keyed message will be dropped here */
if (skb_headlen(skb) < grehlen)
return;
switch (type) {
default:
case ICMP_PARAMETERPROB:
return;
case ICMP_DEST_UNREACH:
switch (code) {
case ICMP_SR_FAILED:
case ICMP_PORT_UNREACH:
/* Impossible event. */
return;
case ICMP_FRAG_NEEDED:
/* Soft state for pmtu is maintained by IP core. */
return;
default:
/* All others are translated to HOST_UNREACH.
rfc2003 contains "deep thoughts" about NET_UNREACH,
I believe they are just ether pollution. --ANK
*/
break;
}
break;
case ICMP_TIME_EXCEEDED:
if (code != ICMP_EXC_TTL)
return;
break;
}
read_lock(&ipgre_lock);
t = ipgre_tunnel_lookup(skb->dev, iph->daddr, iph->saddr,
flags & GRE_KEY ?
*(((__be32 *)p) + (grehlen / 4) - 1) : 0,
p[1]);
if (t == NULL || t->parms.iph.daddr == 0 ||
ipv4_is_multicast(t->parms.iph.daddr))
goto out;
if (t->parms.iph.ttl == 0 && type == ICMP_TIME_EXCEEDED)
goto out;
if (time_before(jiffies, t->err_time + IPTUNNEL_ERR_TIMEO))
t->err_count++;
else
t->err_count = 1;
t->err_time = jiffies;
out:
read_unlock(&ipgre_lock);
return;
}
static int ipgre_err(struct sk_buff *skb, u32 info,
const struct tnl_ptk_info *tpi)
{
/* All the routers (except for Linux) return only
8 bytes of packet payload. It means, that precise relaying of
ICMP in the real Internet is absolutely infeasible.
Moreover, Cisco "wise men" put GRE key to the third word
in GRE header. It makes impossible maintaining even soft
state for keyed GRE tunnels with enabled checksum. Tell
them "thank you".
Well, I wonder, rfc1812 was written by Cisco employee,
what the hell these idiots break standards established
by themselves???
*/
struct net *net = dev_net(skb->dev);
struct ip_tunnel_net *itn;
const struct iphdr *iph;
const int type = icmp_hdr(skb)->type;
const int code = icmp_hdr(skb)->code;
struct ip_tunnel *t;
switch (type) {
default:
case ICMP_PARAMETERPROB:
return PACKET_RCVD;
case ICMP_DEST_UNREACH:
switch (code) {
case ICMP_SR_FAILED:
case ICMP_PORT_UNREACH:
/* Impossible event. */
return PACKET_RCVD;
default:
/* All others are translated to HOST_UNREACH.
rfc2003 contains "deep thoughts" about NET_UNREACH,
I believe they are just ether pollution. --ANK
*/
break;
}
break;
case ICMP_TIME_EXCEEDED:
if (code != ICMP_EXC_TTL)
return PACKET_RCVD;
break;
case ICMP_REDIRECT:
break;
}
if (tpi->proto == htons(ETH_P_TEB))
itn = net_generic(net, gre_tap_net_id);
else
itn = net_generic(net, ipgre_net_id);
iph = (const struct iphdr *)(icmp_hdr(skb) + 1);
t = ip_tunnel_lookup(itn, skb->dev->ifindex, tpi->flags,
iph->daddr, iph->saddr, tpi->key);
if (t == NULL)
return PACKET_REJECT;
if (t->parms.iph.daddr == 0 ||
ipv4_is_multicast(t->parms.iph.daddr))
return PACKET_RCVD;
if (t->parms.iph.ttl == 0 && type == ICMP_TIME_EXCEEDED)
return PACKET_RCVD;
if (time_before(jiffies, t->err_time + IPTUNNEL_ERR_TIMEO))
t->err_count++;
else
t->err_count = 1;
t->err_time = jiffies;
return PACKET_RCVD;
}
/*
* This routine is called by the ICMP module when it gets some sort of error
* condition. If err < 0 then the socket should be closed and the error
* returned to the user. If err > 0 it's just the icmp type << 8 | icmp code.
* After adjustment header points to the first 8 bytes of the tcp header. We
* need to find the appropriate port.
*
* The locking strategy used here is very "optimistic". When someone else
* accesses the socket the ICMP is just dropped and for some paths there is no
* check at all. A more general error queue to queue errors for later handling
* is probably better.
*/
static void dccp_v4_err(struct sk_buff *skb, u32 info)
{
const struct iphdr *iph = (struct iphdr *)skb->data;
const struct dccp_hdr *dh = (struct dccp_hdr *)(skb->data +
(iph->ihl << 2));
struct dccp_sock *dp;
struct inet_sock *inet;
const int type = icmp_hdr(skb)->type;
const int code = icmp_hdr(skb)->code;
struct sock *sk;
__u64 seq;
int err;
if (skb->len < (iph->ihl << 2) + 8) {
ICMP_INC_STATS_BH(ICMP_MIB_INERRORS);
return;
}
sk = inet_lookup(&dccp_hashinfo, iph->daddr, dh->dccph_dport,
iph->saddr, dh->dccph_sport, inet_iif(skb));
if (sk == NULL) {
ICMP_INC_STATS_BH(ICMP_MIB_INERRORS);
return;
}
if (sk->sk_state == DCCP_TIME_WAIT) {
inet_twsk_put(inet_twsk(sk));
return;
}
bh_lock_sock(sk);
/* If too many ICMPs get dropped on busy
* servers this needs to be solved differently.
*/
if (sock_owned_by_user(sk))
NET_INC_STATS_BH(LINUX_MIB_LOCKDROPPEDICMPS);
if (sk->sk_state == DCCP_CLOSED)
goto out;
dp = dccp_sk(sk);
seq = dccp_hdr_seq(skb);
if (sk->sk_state != DCCP_LISTEN &&
!between48(seq, dp->dccps_swl, dp->dccps_swh)) {
NET_INC_STATS_BH(LINUX_MIB_OUTOFWINDOWICMPS);
goto out;
}
switch (type) {
case ICMP_SOURCE_QUENCH:
/* Just silently ignore these. */
goto out;
case ICMP_PARAMETERPROB:
err = EPROTO;
break;
case ICMP_DEST_UNREACH:
if (code > NR_ICMP_UNREACH)
goto out;
if (code == ICMP_FRAG_NEEDED) { /* PMTU discovery (RFC1191) */
if (!sock_owned_by_user(sk))
dccp_do_pmtu_discovery(sk, iph, info);
goto out;
}
err = icmp_err_convert[code].errno;
break;
case ICMP_TIME_EXCEEDED:
err = EHOSTUNREACH;
break;
default:
goto out;
}
switch (sk->sk_state) {
struct request_sock *req , **prev;
case DCCP_LISTEN:
if (sock_owned_by_user(sk))
goto out;
req = inet_csk_search_req(sk, &prev, dh->dccph_dport,
iph->daddr, iph->saddr);
if (!req)
goto out;
/*
* ICMPs are not backlogged, hence we cannot get an established
* socket here.
*/
WARN_ON(req->sk);
if (seq != dccp_rsk(req)->dreq_iss) {
NET_INC_STATS_BH(LINUX_MIB_OUTOFWINDOWICMPS);
goto out;
}
/*
* Still in RESPOND, just remove it silently.
* There is no good way to pass the error to the newly
* created socket, and POSIX does not want network
* errors returned from accept().
*/
inet_csk_reqsk_queue_drop(sk, req, prev);
goto out;
case DCCP_REQUESTING:
case DCCP_RESPOND:
if (!sock_owned_by_user(sk)) {
DCCP_INC_STATS_BH(DCCP_MIB_ATTEMPTFAILS);
sk->sk_err = err;
sk->sk_error_report(sk);
dccp_done(sk);
} else
sk->sk_err_soft = err;
goto out;
}
/* If we've already connected we will keep trying
* until we time out, or the user gives up.
*
* rfc1122 4.2.3.9 allows to consider as hard errors
* only PROTO_UNREACH and PORT_UNREACH (well, FRAG_FAILED too,
* but it is obsoleted by pmtu discovery).
*
* Note, that in modern internet, where routing is unreliable
* and in each dark corner broken firewalls sit, sending random
* errors ordered by their masters even this two messages finally lose
* their original sense (even Linux sends invalid PORT_UNREACHs)
*
* Now we are in compliance with RFCs.
* --ANK (980905)
*/
inet = inet_sk(sk);
if (!sock_owned_by_user(sk) && inet->recverr) {
sk->sk_err = err;
sk->sk_error_report(sk);
} else /* Only an error on timeout */
sk->sk_err_soft = err;
out:
bh_unlock_sock(sk);
sock_put(sk);
}
/* after ipt_filter */
static unsigned int ezp_nat_pre_hook(unsigned int hooknum,
struct sk_buff *skb, const struct net_device *indev,
const struct net_device *outdev,
int (*okfn)(struct sk_buff *))
{
struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
int ret = NF_ACCEPT;
enum ip_conntrack_dir dir;
__u32 dnat_addr = 0, snat_addr = 0;
int* nat_flag;
struct dst_entry** dst_to_use = NULL;
struct iphdr *iph = ip_hdr(skb);
struct icmphdr *hdr = icmp_hdr(skb);
struct tcphdr *tcph = tcp_hdr(skb);
/* EZP: enum nf_nat_manip_type maniptype = HOOK2MANIP(hooknum); */
if(!ezp_nat_enable_flag){
return NF_ACCEPT;
}
ct = nf_ct_get(skb, &ctinfo);
if (!ct) {
if (iph->protocol == IPPROTO_ICMP
&& hdr->type == ICMP_REDIRECT)
return NF_DROP;
return NF_ACCEPT;
}
/* TCP or UDP. */
if ((iph->protocol != IPPROTO_TCP) &&
(iph->protocol != IPPROTO_UDP) ) {
return NF_ACCEPT;
}
if ((iph->protocol == IPPROTO_TCP) &&
((tcp_flag_word(tcph) & (TCP_FLAG_RST | TCP_FLAG_SYN)) ==
TCP_FLAG_SYN)) {
return NF_ACCEPT;
}
/* Make sure it is confirmed. */
if (!nf_ct_is_confirmed(ct)) {
return NF_ACCEPT;
}
/* We comment out this part since
((tcp_flag_word((*pskb)->h.th) == TCP_FLAG_SYN) ||
* 1. conntrack establishing is a 2 way process, but after routing, we have
* established routing entry and address resolution table, so we don't
* need to check ESTABLISH state.
* 2. With establishing state, we need to go through forward state and
* routing several times. It may occur that our holded entry may be
* replaced. */
/*
if ((ctinfo != IP_CT_ESTABLISHED) &&
(ctinfo != IP_CT_ESTABLISHED+IP_CT_IS_REPLY)) {
return NF_ACCEPT;
}
*/
dir = CTINFO2DIR(ctinfo);
if (dir == IP_CT_DIR_ORIGINAL) {
if (!ct->orgdir_dst) {
return NF_ACCEPT;
} else {
nat_flag = &ct->orgdir_rid;
if (!(*nat_flag & ((1 << IP_NAT_MANIP_DST) |
(1 << IP_NAT_MANIP_SRC) |
(1 << EZP_IP_LOCAL_IN)))) {
return NF_ACCEPT;
}
/* Check only in forward case and ignore input case */
if (!(*nat_flag & (1 << EZP_IP_LOCAL_IN))) {
if ((!ct->orgdir_dst->hh) && (!ct->orgdir_dst->neighbour)) {
printk("%s:orig dst and neighbour null dir\n",__FUNCTION__);
return NF_ACCEPT;
}
}
if (skb->dst) {
/* skb might has its own dst already.
* e.g. output to local input */
dst_release(skb->dst);
}
skb->protocol = htons(ETH_P_IP);
skb->dst = ct->orgdir_dst;
/* XXX: */
skb->dev = ct->orgdir_dst->dev;
/* skb uses this dst_entry */
dst_use(skb->dst, jiffies);
dst_to_use = &ct->orgdir_dst;
}
} else {
/* IP_CT_DIR_REPLY */
if (!ct->replydir_dst) {
return NF_ACCEPT;
} else {
nat_flag = &ct->replydir_rid;
if (!(*nat_flag & ((1 << IP_NAT_MANIP_DST) |
(1 << IP_NAT_MANIP_SRC) |
(1 << EZP_IP_LOCAL_IN)))) {
return NF_ACCEPT;
}
/* Check only in forward case and ignore input case */
if (!(*nat_flag & (1 << EZP_IP_LOCAL_IN))) {
if ((!ct->replydir_dst->hh) && (!ct->replydir_dst->neighbour)) {
printk("%s:reply dst and neighbour null\n",__FUNCTION__);
return NF_ACCEPT;
}
}
if (skb->dst) {
/* skb might has its own dst already. */
/* e.g. output to local input */
dst_release(skb->dst);
}
skb->protocol = htons(ETH_P_IP);
skb->dst = ct->replydir_dst;
/* XXX: */
skb->dev = ct->replydir_dst->dev;
/* skb uses this dst_entry */
dst_use(skb->dst, jiffies);
dst_to_use = &ct->replydir_dst;
}
}
/* After this point, every "return NF_ACCEPT" action need to release
* holded dst entry. So we use "goto release_dst_and_return" to handle the
* action commonly. */
/* EZP:
if (!nf_nat_initialized(ct, maniptype)) {
goto release_dst_and_return;
}
*/
/* If we have helper, we need to go original path until conntrack
* confirmed */
if(nfct_help(ct)){
goto release_dst_and_return;
}
if (dir == IP_CT_DIR_ORIGINAL) {
(skb)->imq_flags = ct->ct_orig_imq_flags;
}
else{
(skb)->imq_flags = ct->ct_repl_imq_flags;
}
/* PRE_ROUTING NAT */
/* Assume DNAT conntrack is ready. */
if ((*nat_flag & (1 << IP_NAT_MANIP_DST))){
dnat_addr = iph->daddr;
ret = nf_nat_packet(ct, ctinfo, NF_INET_PRE_ROUTING, skb);
if (ret != NF_ACCEPT) {
goto release_dst_and_return;
}
if (dnat_addr == iph->daddr) {
*nat_flag &= ~(1 << IP_NAT_MANIP_DST);
}
}
/* INPUT */
if ((*nat_flag & (1 << EZP_IP_LOCAL_IN))){
/* TODO: use ip_local_deliver_finish() and add ip_defrag(). */
/* XXX: Not sure this will hit or not. */
/*
* Reassemble IP fragments.
*/
if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) {
if (ip_defrag(skb, IP_DEFRAG_LOCAL_DELIVER)) {
/* If return value is not 0, defrag error */
/* return 0; */
/* XXX: return NF_STOLEN? */
goto release_dst_and_return;
}
}
/* For INPUT path, there is no need to check dst_mtu but defrag.
if (skb->len > dst_mtu(&((struct rtable*)skb->dst)->u.dst)) {
goto release_dst_and_return;
}*/
if (ezp_nat_queue_enable_flag) {
if ((skb)->imq_flags & IMQ_F_ENQUEUE) {
struct nf_hook_ops *elem = nf_get_imq_ops();
/* With to apply IMQ, we have to check the IMQ flag, if the flag is
* set, we have to enquene this skb and leave it to IMQ*/
if (elem != NULL) {
nf_queue(skb, (struct list_head*)elem, AF_INET,
NF_INET_POST_ROUTING,
(struct net_device*)indev,
(struct net_device*)
((struct rtable*)skb->dst)->u.dst.dev,
ip_local_deliver_finish, NF_ACCEPT >> NF_VERDICT_BITS);
return NF_STOLEN;
}
}
}
ret = ip_local_deliver_finish(skb);
return NF_STOLEN;
}
bool test_filtering_and_updating( void )
{
u_int8_t protocol;
struct tuple tuple;
struct sk_buff *skb;
struct in_addr addr4;
struct in6_addr addr6;
bool success = true;
log_debug(" >>> Errores de ICMP no deben afectar las tablas ");
protocol = IPPROTO_ICMP;
success &= init_tuple_for_test_ipv4( &tuple , protocol );
skb = init_skb_for_test( &tuple, protocol );
success &= assert_not_null(skb, "init_skb_for_test");
icmp_hdr(skb)->type = ICMP_DEST_UNREACH; /* Error packet */
/* Process a tuple generated from a incoming IPv6 packet: */
success &= assert_equals_int(NF_ACCEPT, filtering_and_updating( skb, &tuple),
"See if we can forward an IPv4 ICMP packet.");
kfree_skb(skb);
log_debug(" >>> Get rid of hairpinning loop ");
protocol = IPPROTO_UDP;
success &= init_tuple_for_test_ipv6( &tuple , protocol );
skb = init_skb_for_test( &tuple, protocol );
success &= assert_not_null(skb, "init_skb_for_test");
/* Add pref64 */
success &= str_to_addr6_verbose(INIT_TUPLE_IPV6_HAIR_LOOP_SRC_ADDR , &addr6);
tuple.src.addr.ipv6 = addr6;
success &= assert_equals_int(NF_DROP, filtering_and_updating( skb, &tuple),
"See if we can get rid of hairpinning loop in IPv6.");
kfree_skb(skb);
log_debug(" >>> Get rid of unwanted packets ");
success &= init_tuple_for_test_ipv6( &tuple , protocol );
skb = init_skb_for_test( &tuple, protocol );
success &= assert_not_null(skb, "init_skb_for_test");
/* Unwanted packet */
success &= str_to_addr6_verbose(INIT_TUPLE_IPV6_HAIR_LOOP_DST_ADDR , &addr6);
tuple.dst.addr.ipv6 = addr6;
success &= assert_equals_int(NF_DROP, filtering_and_updating( skb, &tuple),
"See if we can get rid of unwanted packets in IPv6.");
kfree_skb(skb);
log_debug(" >>> Get rid of un-expected packets, destined to an address not in pool");
success &= init_tuple_for_test_ipv4( &tuple , protocol );
skb = init_skb_for_test( &tuple, protocol );
success &= assert_not_null(skb, "init_skb_for_test");
/* Packet destined to an address not in pool */
success &= str_to_addr4_verbose(INIT_TUPLE_IPV4_NOT_POOL_DST_ADDR , &addr4);
tuple.dst.addr.ipv4 = addr4;
success &= assert_equals_int(NF_DROP, filtering_and_updating( skb, &tuple),
"See if we can get rid of packet destined to an address not in pool.");
kfree_skb(skb);
log_debug(" >>> IPv4 incoming packet --> reject");
success &= init_tuple_for_test_ipv4( &tuple , protocol );
skb = init_skb_for_test( &tuple, protocol );
success &= assert_not_null(skb, "init_skb_for_test");
success &= assert_equals_int(NF_DROP, filtering_and_updating( skb, &tuple),
"See if we can do reject an incoming IPv4 UDP packet.");
kfree_skb(skb);
log_debug(" >>> IPv6 incoming packet --> accept");
success &= init_tuple_for_test_ipv6( &tuple , protocol );
skb = init_skb_for_test( &tuple, protocol );
success &= assert_not_null(skb, "init_skb_for_test");
success &= assert_equals_int(NF_ACCEPT, filtering_and_updating( skb, &tuple),
"See if we can do filtering and updating on an incoming IPv6 UDP packet.");
kfree_skb(skb);
/* TODO (test) see test_ipv4_udp(). */
/*
log_debug(" >>> IPv4 incoming packet --> accept");
success &= init_tuple_for_test_ipv4( &tuple , protocol );
skb = init_skb_for_test( &tuple, protocol );
success &= assert_not_null(skb, "init_skb_for_test");
success &= assert_equals_int(NF_ACCEPT, filtering_and_updating( skb, &tuple),
"See if we can do filtering and updating on an incoming IPv4 UDP packet.");
kfree_skb(skb);
*/
return success;
}
int icmp_discard(struct sk_buff *skb, uint8_t type, uint8_t code,
...) {
struct {
union {
struct icmpbody_dest_unreach dest_unreach;
struct icmpbody_source_quench source_quench;
struct icmpbody_redirect redirect;
struct icmpbody_time_exceed time_exceed;
struct icmpbody_param_prob param_prob;
} __attribute__((packed));
char __body_msg_storage[ICMP_DISCARD_MAX_SIZE];
} __attribute__((packed)) body;
va_list extra;
uint8_t *body_msg;
size_t body_msg_sz;
if (!(ip_is_local(ip_hdr(skb)->saddr, 0)
|| ip_is_local(ip_hdr(skb)->daddr, 0))
|| (ip_hdr(skb)->frag_off & htons(IP_OFFSET))
|| (ip_data_length(ip_hdr(skb)) < ICMP_DISCARD_MIN_SIZE)
|| (ip_hdr(skb)->proto != IPPROTO_ICMP)
|| (skb->h.raw = skb->nh.raw + IP_HEADER_SIZE(ip_hdr(skb)),
ICMP_TYPE_ERROR(icmp_hdr(skb)->type))) {
skb_free(skb);
return 0; /* error: inappropriate packet */
}
switch (type) {
default:
assertf(0, "bad type for discard");
body_msg = (uint8_t *)&body.__body_msg_storage[0];
break; /* error: bad type for discard */
case ICMP_DEST_UNREACH:
assertf(code < __ICMP_DEST_UNREACH_MAX,
"incorrect code for type");
va_start(extra, code);
body.dest_unreach.zero = 0;
body.dest_unreach.mtu = code != ICMP_FRAG_NEEDED ? 0
: htons((uint16_t)va_arg(extra, int));
va_end(extra);
body_msg = &body.dest_unreach.msg[0];
break;
case ICMP_SOURCE_QUENCH:
assertf(code == 0, "incorrect code for type");
body.source_quench.zero = 0;
body_msg = &body.source_quench.msg[0];
break;
case ICMP_REDIRECT:
assertf(code < __ICMP_REDIRECT_MAX,
"incorrect code for type");
va_start(extra, code);
memcpy(&body.redirect.gateway,
va_arg(extra, struct in_addr *),
sizeof body.redirect.gateway);
va_end(extra);
body_msg = &body.redirect.msg[0];
break;
case ICMP_TIME_EXCEED:
assertf(code < __ICMP_TIME_EXCEED_MAX,
"incorrect code for type");
body.time_exceed.zero = 0;
body_msg = &body.time_exceed.msg[0];
break;
case ICMP_PARAM_PROB:
assertf(code < __ICMP_PARAM_PROB_MAX,
"incorrect code for type");
va_start(extra, code);
body.param_prob.ptr = code != ICMP_PTR_ERROR ? 0
: (uint8_t)va_arg(extra, int);
body.param_prob.zero1 = body.param_prob.zero2 = 0;
va_end(extra);
body_msg = &body.param_prob.msg[0];
break;
}
body_msg_sz = min(ip_data_length(ip_hdr(skb)),
sizeof body.__body_msg_storage);
memcpy(body_msg, ip_hdr(skb), body_msg_sz);
if (NULL == skb_declone(skb)) {
skb_free(skb);
return -ENOMEM; /* error: can't declone data */
}
return icmp_send(type, code, &body, sizeof body
- sizeof body.__body_msg_storage + body_msg_sz,
skb);
}
static int vti4_err(struct sk_buff *skb, u32 info)
{
__be32 spi;
__u32 mark;
struct xfrm_state *x;
struct ip_tunnel *tunnel;
struct ip_esp_hdr *esph;
struct ip_auth_hdr *ah ;
struct ip_comp_hdr *ipch;
struct net *net = dev_net(skb->dev);
const struct iphdr *iph = (const struct iphdr *)skb->data;
int protocol = iph->protocol;
struct ip_tunnel_net *itn = net_generic(net, vti_net_id);
tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY,
iph->daddr, iph->saddr, 0);
if (!tunnel)
return -1;
mark = be32_to_cpu(tunnel->parms.o_key);
switch (protocol) {
case IPPROTO_ESP:
esph = (struct ip_esp_hdr *)(skb->data+(iph->ihl<<2));
spi = esph->spi;
break;
case IPPROTO_AH:
ah = (struct ip_auth_hdr *)(skb->data+(iph->ihl<<2));
spi = ah->spi;
break;
case IPPROTO_COMP:
ipch = (struct ip_comp_hdr *)(skb->data+(iph->ihl<<2));
spi = htonl(ntohs(ipch->cpi));
break;
default:
return 0;
}
switch (icmp_hdr(skb)->type) {
case ICMP_DEST_UNREACH:
if (icmp_hdr(skb)->code != ICMP_FRAG_NEEDED)
return 0;
case ICMP_REDIRECT:
break;
default:
return 0;
}
x = xfrm_state_lookup(net, mark, (const xfrm_address_t *)&iph->daddr,
spi, protocol, AF_INET);
if (!x)
return 0;
if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH)
ipv4_update_pmtu(skb, net, info, 0, 0, protocol, 0);
else
ipv4_redirect(skb, net, 0, 0, protocol, 0);
xfrm_state_put(x);
return 0;
}
static void dccp_v4_err(struct sk_buff *skb, u32 info)
{
const struct iphdr *iph = (struct iphdr *)skb->data;
const u8 offset = iph->ihl << 2;
const struct dccp_hdr *dh = (struct dccp_hdr *)(skb->data + offset);
struct dccp_sock *dp;
struct inet_sock *inet;
const int type = icmp_hdr(skb)->type;
const int code = icmp_hdr(skb)->code;
struct sock *sk;
__u64 seq;
int err;
struct net *net = dev_net(skb->dev);
if (skb->len < offset + sizeof(*dh) ||
skb->len < offset + __dccp_basic_hdr_len(dh)) {
ICMP_INC_STATS_BH(net, ICMP_MIB_INERRORS);
return;
}
sk = inet_lookup(net, &dccp_hashinfo,
iph->daddr, dh->dccph_dport,
iph->saddr, dh->dccph_sport, inet_iif(skb));
if (sk == NULL) {
ICMP_INC_STATS_BH(net, ICMP_MIB_INERRORS);
return;
}
if (sk->sk_state == DCCP_TIME_WAIT) {
inet_twsk_put(inet_twsk(sk));
return;
}
bh_lock_sock(sk);
if (sock_owned_by_user(sk))
NET_INC_STATS_BH(net, LINUX_MIB_LOCKDROPPEDICMPS);
if (sk->sk_state == DCCP_CLOSED)
goto out;
dp = dccp_sk(sk);
seq = dccp_hdr_seq(dh);
if ((1 << sk->sk_state) & ~(DCCPF_REQUESTING | DCCPF_LISTEN) &&
!between48(seq, dp->dccps_awl, dp->dccps_awh)) {
NET_INC_STATS_BH(net, LINUX_MIB_OUTOFWINDOWICMPS);
goto out;
}
switch (type) {
case ICMP_SOURCE_QUENCH:
goto out;
case ICMP_PARAMETERPROB:
err = EPROTO;
break;
case ICMP_DEST_UNREACH:
if (code > NR_ICMP_UNREACH)
goto out;
if (code == ICMP_FRAG_NEEDED) {
if (!sock_owned_by_user(sk))
dccp_do_pmtu_discovery(sk, iph, info);
goto out;
}
err = icmp_err_convert[code].errno;
break;
case ICMP_TIME_EXCEEDED:
err = EHOSTUNREACH;
break;
default:
goto out;
}
switch (sk->sk_state) {
struct request_sock *req , **prev;
case DCCP_LISTEN:
if (sock_owned_by_user(sk))
goto out;
req = inet_csk_search_req(sk, &prev, dh->dccph_dport,
iph->daddr, iph->saddr);
if (!req)
goto out;
WARN_ON(req->sk);
if (seq != dccp_rsk(req)->dreq_iss) {
NET_INC_STATS_BH(net, LINUX_MIB_OUTOFWINDOWICMPS);
goto out;
}
inet_csk_reqsk_queue_drop(sk, req, prev);
goto out;
case DCCP_REQUESTING:
case DCCP_RESPOND:
if (!sock_owned_by_user(sk)) {
DCCP_INC_STATS_BH(DCCP_MIB_ATTEMPTFAILS);
sk->sk_err = err;
sk->sk_error_report(sk);
dccp_done(sk);
} else
sk->sk_err_soft = err;
goto out;
}
inet = inet_sk(sk);
if (!sock_owned_by_user(sk) && inet->recverr) {
sk->sk_err = err;
sk->sk_error_report(sk);
} else
sk->sk_err_soft = err;
out:
bh_unlock_sock(sk);
sock_put(sk);
}
/**
* ovs_flow_extract - extracts a flow key from an Ethernet frame.
* @skb: sk_buff that contains the frame, with skb->data pointing to the
* Ethernet header
* @in_port: port number on which @skb was received.
* @key: output flow key
*
* The caller must ensure that skb->len >= ETH_HLEN.
*
* Returns 0 if successful, otherwise a negative errno value.
*
* Initializes @skb header pointers as follows:
*
* - skb->mac_header: the Ethernet header.
*
* - skb->network_header: just past the Ethernet header, or just past the
* VLAN header, to the first byte of the Ethernet payload.
*
* - skb->transport_header: If key->eth.type is ETH_P_IP or ETH_P_IPV6
* on output, then just past the IP header, if one is present and
* of a correct length, otherwise the same as skb->network_header.
* For other key->eth.type values it is left untouched.
*/
int ovs_flow_extract(struct sk_buff *skb, u16 in_port, struct sw_flow_key *key)
{
int error;
struct ethhdr *eth;
memset(key, 0, sizeof(*key));
key->phy.priority = skb->priority;
if (OVS_CB(skb)->tun_key)
memcpy(&key->tun_key, OVS_CB(skb)->tun_key, sizeof(key->tun_key));
key->phy.in_port = in_port;
key->phy.skb_mark = skb->mark;
skb_reset_mac_header(skb);
/* Link layer. We are guaranteed to have at least the 14 byte Ethernet
* header in the linear data area.
*/
eth = eth_hdr(skb);
memcpy(key->eth.src, eth->h_source, ETH_ALEN);
memcpy(key->eth.dst, eth->h_dest, ETH_ALEN);
__skb_pull(skb, 2 * ETH_ALEN);
/* We are going to push all headers that we pull, so no need to
* update skb->csum here.
*/
if (vlan_tx_tag_present(skb))
key->eth.tci = htons(skb->vlan_tci);
else if (eth->h_proto == htons(ETH_P_8021Q))
if (unlikely(parse_vlan(skb, key)))
return -ENOMEM;
key->eth.type = parse_ethertype(skb);
if (unlikely(key->eth.type == htons(0)))
return -ENOMEM;
skb_reset_network_header(skb);
__skb_push(skb, skb->data - skb_mac_header(skb));
/* Network layer. */
if (key->eth.type == htons(ETH_P_IP)) {
struct iphdr *nh;
__be16 offset;
error = check_iphdr(skb);
if (unlikely(error)) {
if (error == -EINVAL) {
skb->transport_header = skb->network_header;
error = 0;
}
return error;
}
nh = ip_hdr(skb);
key->ipv4.addr.src = nh->saddr;
key->ipv4.addr.dst = nh->daddr;
key->ip.proto = nh->protocol;
key->ip.tos = nh->tos;
key->ip.ttl = nh->ttl;
offset = nh->frag_off & htons(IP_OFFSET);
if (offset) {
key->ip.frag = OVS_FRAG_TYPE_LATER;
return 0;
}
if (nh->frag_off & htons(IP_MF) ||
skb_shinfo(skb)->gso_type & SKB_GSO_UDP)
key->ip.frag = OVS_FRAG_TYPE_FIRST;
/* Transport layer. */
if (key->ip.proto == IPPROTO_TCP) {
if (tcphdr_ok(skb)) {
struct tcphdr *tcp = tcp_hdr(skb);
key->ipv4.tp.src = tcp->source;
key->ipv4.tp.dst = tcp->dest;
key->ipv4.tp.flags = TCP_FLAGS_BE16(tcp);
}
} else if (key->ip.proto == IPPROTO_UDP) {
if (udphdr_ok(skb)) {
struct udphdr *udp = udp_hdr(skb);
key->ipv4.tp.src = udp->source;
key->ipv4.tp.dst = udp->dest;
}
} else if (key->ip.proto == IPPROTO_SCTP) {
if (sctphdr_ok(skb)) {
struct sctphdr *sctp = sctp_hdr(skb);
key->ipv4.tp.src = sctp->source;
key->ipv4.tp.dst = sctp->dest;
}
} else if (key->ip.proto == IPPROTO_ICMP) {
if (icmphdr_ok(skb)) {
struct icmphdr *icmp = icmp_hdr(skb);
/* The ICMP type and code fields use the 16-bit
* transport port fields, so we need to store
* them in 16-bit network byte order. */
key->ipv4.tp.src = htons(icmp->type);
key->ipv4.tp.dst = htons(icmp->code);
}
}
} else if ((key->eth.type == htons(ETH_P_ARP) ||
key->eth.type == htons(ETH_P_RARP)) && arphdr_ok(skb)) {
struct arp_eth_header *arp;
arp = (struct arp_eth_header *)skb_network_header(skb);
if (arp->ar_hrd == htons(ARPHRD_ETHER)
&& arp->ar_pro == htons(ETH_P_IP)
&& arp->ar_hln == ETH_ALEN
&& arp->ar_pln == 4) {
/* We only match on the lower 8 bits of the opcode. */
if (ntohs(arp->ar_op) <= 0xff)
key->ip.proto = ntohs(arp->ar_op);
memcpy(&key->ipv4.addr.src, arp->ar_sip, sizeof(key->ipv4.addr.src));
memcpy(&key->ipv4.addr.dst, arp->ar_tip, sizeof(key->ipv4.addr.dst));
memcpy(key->ipv4.arp.sha, arp->ar_sha, ETH_ALEN);
memcpy(key->ipv4.arp.tha, arp->ar_tha, ETH_ALEN);
}
} else if (key->eth.type == htons(ETH_P_IPV6)) {
int nh_len; /* IPv6 Header + Extensions */
nh_len = parse_ipv6hdr(skb, key);
if (unlikely(nh_len < 0)) {
if (nh_len == -EINVAL) {
skb->transport_header = skb->network_header;
error = 0;
} else {
error = nh_len;
}
return error;
}
if (key->ip.frag == OVS_FRAG_TYPE_LATER)
return 0;
if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP)
key->ip.frag = OVS_FRAG_TYPE_FIRST;
/* Transport layer. */
if (key->ip.proto == NEXTHDR_TCP) {
if (tcphdr_ok(skb)) {
struct tcphdr *tcp = tcp_hdr(skb);
key->ipv6.tp.src = tcp->source;
key->ipv6.tp.dst = tcp->dest;
key->ipv6.tp.flags = TCP_FLAGS_BE16(tcp);
}
} else if (key->ip.proto == NEXTHDR_UDP) {
if (udphdr_ok(skb)) {
struct udphdr *udp = udp_hdr(skb);
key->ipv6.tp.src = udp->source;
key->ipv6.tp.dst = udp->dest;
}
} else if (key->ip.proto == NEXTHDR_SCTP) {
if (sctphdr_ok(skb)) {
struct sctphdr *sctp = sctp_hdr(skb);
key->ipv6.tp.src = sctp->source;
key->ipv6.tp.dst = sctp->dest;
}
} else if (key->ip.proto == NEXTHDR_ICMP) {
if (icmp6hdr_ok(skb)) {
error = parse_icmpv6(skb, key, nh_len);
if (error)
return error;
}
}
}
return 0;
}
static int ipip6_err(struct sk_buff *skb, u32 info)
{
#ifndef I_WISH_WORLD_WERE_PERFECT
/* It is not :-( All the routers (except for Linux) return only
8 bytes of packet payload. It means, that precise relaying of
ICMP in the real Internet is absolutely infeasible.
*/
struct iphdr *iph = (struct iphdr*)skb->data;
const int type = icmp_hdr(skb)->type;
const int code = icmp_hdr(skb)->code;
struct ip_tunnel *t;
int err;
switch (type) {
default:
case ICMP_PARAMETERPROB:
return 0;
case ICMP_DEST_UNREACH:
switch (code) {
case ICMP_SR_FAILED:
case ICMP_PORT_UNREACH:
/* Impossible event. */
return 0;
case ICMP_FRAG_NEEDED:
/* Soft state for pmtu is maintained by IP core. */
return 0;
default:
/* All others are translated to HOST_UNREACH.
rfc2003 contains "deep thoughts" about NET_UNREACH,
I believe they are just ether pollution. --ANK
*/
break;
}
break;
case ICMP_TIME_EXCEEDED:
if (code != ICMP_EXC_TTL)
return 0;
break;
}
err = -ENOENT;
read_lock(&ipip6_lock);
t = ipip6_tunnel_lookup(iph->daddr, iph->saddr);
if (t == NULL || t->parms.iph.daddr == 0)
goto out;
err = 0;
if (t->parms.iph.ttl == 0 && type == ICMP_TIME_EXCEEDED)
goto out;
if (jiffies - t->err_time < IPTUNNEL_ERR_TIMEO)
t->err_count++;
else
t->err_count = 1;
t->err_time = jiffies;
out:
read_unlock(&ipip6_lock);
return err;
#else
struct iphdr *iph = (struct iphdr*)dp;
int hlen = iph->ihl<<2;
struct ipv6hdr *iph6;
const int type = icmp_hdr(skb)->type;
const int code = icmp_hdr(skb)->code;
int rel_type = 0;
int rel_code = 0;
int rel_info = 0;
struct sk_buff *skb2;
struct rt6_info *rt6i;
if (len < hlen + sizeof(struct ipv6hdr))
return;
iph6 = (struct ipv6hdr*)(dp + hlen);
switch (type) {
default:
return;
case ICMP_PARAMETERPROB:
if (icmp_hdr(skb)->un.gateway < hlen)
return;
/* So... This guy found something strange INSIDE encapsulated
packet. Well, he is fool, but what can we do ?
*/
rel_type = ICMPV6_PARAMPROB;
rel_info = icmp_hdr(skb)->un.gateway - hlen;
break;
case ICMP_DEST_UNREACH:
switch (code) {
case ICMP_SR_FAILED:
case ICMP_PORT_UNREACH:
/* Impossible event. */
return;
case ICMP_FRAG_NEEDED:
/* Too complicated case ... */
return;
default:
/* All others are translated to HOST_UNREACH.
rfc2003 contains "deep thoughts" about NET_UNREACH,
I believe, it is just ether pollution. --ANK
*/
rel_type = ICMPV6_DEST_UNREACH;
rel_code = ICMPV6_ADDR_UNREACH;
break;
}
break;
case ICMP_TIME_EXCEEDED:
if (code != ICMP_EXC_TTL)
return;
rel_type = ICMPV6_TIME_EXCEED;
rel_code = ICMPV6_EXC_HOPLIMIT;
break;
}
/* Prepare fake skb to feed it to icmpv6_send */
skb2 = skb_clone(skb, GFP_ATOMIC);
if (skb2 == NULL)
return 0;
dst_release(skb2->dst);
skb2->dst = NULL;
skb_pull(skb2, skb->data - (u8*)iph6);
skb_reset_network_header(skb2);
/* Try to guess incoming interface */
rt6i = rt6_lookup(&iph6->saddr, NULL, NULL, 0);
if (rt6i && rt6i->rt6i_dev) {
skb2->dev = rt6i->rt6i_dev;
rt6i = rt6_lookup(&iph6->daddr, &iph6->saddr, NULL, 0);
if (rt6i && rt6i->rt6i_dev && rt6i->rt6i_dev->type == ARPHRD_SIT) {
struct ip_tunnel *t = netdev_priv(rt6i->rt6i_dev);
if (rel_type == ICMPV6_TIME_EXCEED && t->parms.iph.ttl) {
rel_type = ICMPV6_DEST_UNREACH;
rel_code = ICMPV6_ADDR_UNREACH;
}
icmpv6_send(skb2, rel_type, rel_code, rel_info, skb2->dev);
}
}
kfree_skb(skb2);
return 0;
#endif
}
static int ipip_err(struct sk_buff *skb, u32 info)
{
/* All the routers (except for Linux) return only
* 8 bytes of packet payload. It means, that precise relaying of
* ICMP in the real Internet is absolutely infeasible.
*/
struct net *net = dev_net(skb->dev);
struct ip_tunnel_net *itn = net_generic(net, ipip_net_id);
const struct iphdr *iph = (const struct iphdr *)skb->data;
const int type = icmp_hdr(skb)->type;
const int code = icmp_hdr(skb)->code;
struct ip_tunnel *t;
int err = 0;
switch (type) {
case ICMP_DEST_UNREACH:
switch (code) {
case ICMP_SR_FAILED:
/* Impossible event. */
goto out;
default:
/* All others are translated to HOST_UNREACH.
* rfc2003 contains "deep thoughts" about NET_UNREACH,
* I believe they are just ether pollution. --ANK
*/
break;
}
break;
case ICMP_TIME_EXCEEDED:
if (code != ICMP_EXC_TTL)
goto out;
break;
case ICMP_REDIRECT:
break;
default:
goto out;
}
t = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY,
iph->daddr, iph->saddr, 0);
if (!t) {
err = -ENOENT;
goto out;
}
if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED) {
ipv4_update_pmtu(skb, net, info, t->parms.link, iph->protocol);
goto out;
}
if (type == ICMP_REDIRECT) {
ipv4_redirect(skb, net, t->parms.link, iph->protocol);
goto out;
}
if (t->parms.iph.daddr == 0) {
err = -ENOENT;
goto out;
}
if (t->parms.iph.ttl == 0 && type == ICMP_TIME_EXCEEDED)
goto out;
if (time_before(jiffies, t->err_time + IPTUNNEL_ERR_TIMEO))
t->err_count++;
else
t->err_count = 1;
t->err_time = jiffies;
out:
return err;
}
/**
* Main F&U routine. Called during the processing of every packet.
*
* Decides if "skb" should be processed, updating binding and session information.
*
* @param[in] skb packet being translated.
* @param[in] tuple skb's summary.
* @return indicator of what should happen to skb.
*/
verdict filtering_and_updating(struct sk_buff* skb, struct tuple *in_tuple)
{
struct ipv6hdr *hdr_ip6;
verdict result = VER_CONTINUE;
log_debug("Step 2: Filtering and Updating");
switch (skb_l3_proto(skb)) {
case L3PROTO_IPV6:
/* ICMP errors should not be filtered or affect the tables. */
if (skb_l4_proto(skb) == L4PROTO_ICMP && is_icmp6_error(icmp6_hdr(skb)->icmp6_type)) {
log_debug("Packet is ICMPv6 error; skipping step...");
return VER_CONTINUE;
}
/* Get rid of hairpinning loops and unwanted packets. */
hdr_ip6 = ipv6_hdr(skb);
if (pool6_contains(&hdr_ip6->saddr)) {
log_debug("Hairpinning loop. Dropping...");
inc_stats(skb, IPSTATS_MIB_INADDRERRORS);
return VER_DROP;
}
if (!pool6_contains(&hdr_ip6->daddr)) {
log_debug("Packet was rejected by pool6; dropping...");
inc_stats(skb, IPSTATS_MIB_INADDRERRORS);
return VER_DROP;
}
break;
case L3PROTO_IPV4:
/* ICMP errors should not be filtered or affect the tables. */
if (skb_l4_proto(skb) == L4PROTO_ICMP && is_icmp4_error(icmp_hdr(skb)->type)) {
log_debug("Packet is ICMPv4 error; skipping step...");
return VER_CONTINUE;
}
/* Get rid of unexpected packets */
if (!pool4_contains(ip_hdr(skb)->daddr)) {
log_debug("Packet was rejected by pool4; dropping...");
inc_stats(skb, IPSTATS_MIB_INADDRERRORS);
return VER_DROP;
}
break;
}
/* Process packet, according to its protocol. */
switch (skb_l4_proto(skb)) {
case L4PROTO_UDP:
switch (skb_l3_proto(skb)) {
case L3PROTO_IPV6:
result = ipv6_simple(skb, in_tuple);
break;
case L3PROTO_IPV4:
result = ipv4_simple(skb, in_tuple);
break;
}
break;
case L4PROTO_TCP:
result = tcp(skb, in_tuple);
break;
case L4PROTO_ICMP:
switch (skb_l3_proto(skb)) {
case L3PROTO_IPV6:
if (filter_icmpv6_info()) {
log_debug("Packet is ICMPv6 info (ping); dropping due to policy.");
inc_stats(skb, IPSTATS_MIB_INDISCARDS);
return VER_DROP;
}
result = ipv6_simple(skb, in_tuple);
break;
case L3PROTO_IPV4:
result = ipv4_simple(skb, in_tuple);
break;
}
break;
}
log_debug("Done: Step 2.");
return result;
}
/**
* key_extract - extracts a flow key from an Ethernet frame.
* @skb: sk_buff that contains the frame, with skb->data pointing to the
* Ethernet header
* @key: output flow key
*
* The caller must ensure that skb->len >= ETH_HLEN.
*
* Returns 0 if successful, otherwise a negative errno value.
*
* Initializes @skb header pointers as follows:
*
* - skb->mac_header: the Ethernet header.
*
* - skb->network_header: just past the Ethernet header, or just past the
* VLAN header, to the first byte of the Ethernet payload.
*
* - skb->transport_header: If key->eth.type is ETH_P_IP or ETH_P_IPV6
* on output, then just past the IP header, if one is present and
* of a correct length, otherwise the same as skb->network_header.
* For other key->eth.type values it is left untouched.
*/
static int key_extract(struct sk_buff *skb, struct sw_flow_key *key)
{
int error;
struct ethhdr *eth;
/* Flags are always used as part of stats */
key->tp.flags = 0;
skb_reset_mac_header(skb);
/* Link layer. We are guaranteed to have at least the 14 byte Ethernet
* header in the linear data area.
*/
eth = eth_hdr(skb);
ether_addr_copy(key->eth.src, eth->h_source);
ether_addr_copy(key->eth.dst, eth->h_dest);
__skb_pull(skb, 2 * ETH_ALEN);
/* We are going to push all headers that we pull, so no need to
* update skb->csum here.
*/
key->eth.tci = 0;
if (vlan_tx_tag_present(skb))
key->eth.tci = htons(vlan_get_tci(skb));
else if (eth->h_proto == htons(ETH_P_8021Q))
if (unlikely(parse_vlan(skb, key)))
return -ENOMEM;
key->eth.type = parse_ethertype(skb);
if (unlikely(key->eth.type == htons(0)))
return -ENOMEM;
skb_reset_network_header(skb);
skb_reset_mac_len(skb);
__skb_push(skb, skb->data - skb_mac_header(skb));
/* Network layer. */
if (key->eth.type == htons(ETH_P_IP)) {
struct iphdr *nh;
__be16 offset;
error = check_iphdr(skb);
if (unlikely(error)) {
memset(&key->ip, 0, sizeof(key->ip));
memset(&key->ipv4, 0, sizeof(key->ipv4));
if (error == -EINVAL) {
skb->transport_header = skb->network_header;
error = 0;
}
return error;
}
nh = ip_hdr(skb);
key->ipv4.addr.src = nh->saddr;
key->ipv4.addr.dst = nh->daddr;
key->ip.proto = nh->protocol;
key->ip.tos = nh->tos;
key->ip.ttl = nh->ttl;
offset = nh->frag_off & htons(IP_OFFSET);
if (offset) {
key->ip.frag = OVS_FRAG_TYPE_LATER;
return 0;
}
if (nh->frag_off & htons(IP_MF) ||
skb_shinfo(skb)->gso_type & SKB_GSO_UDP)
key->ip.frag = OVS_FRAG_TYPE_FIRST;
else
key->ip.frag = OVS_FRAG_TYPE_NONE;
/* Transport layer. */
if (key->ip.proto == IPPROTO_TCP) {
if (tcphdr_ok(skb)) {
struct tcphdr *tcp = tcp_hdr(skb);
key->tp.src = tcp->source;
key->tp.dst = tcp->dest;
key->tp.flags = TCP_FLAGS_BE16(tcp);
} else {
memset(&key->tp, 0, sizeof(key->tp));
}
} else if (key->ip.proto == IPPROTO_UDP) {
if (udphdr_ok(skb)) {
struct udphdr *udp = udp_hdr(skb);
key->tp.src = udp->source;
key->tp.dst = udp->dest;
} else {
memset(&key->tp, 0, sizeof(key->tp));
}
} else if (key->ip.proto == IPPROTO_SCTP) {
if (sctphdr_ok(skb)) {
struct sctphdr *sctp = sctp_hdr(skb);
key->tp.src = sctp->source;
key->tp.dst = sctp->dest;
} else {
memset(&key->tp, 0, sizeof(key->tp));
}
} else if (key->ip.proto == IPPROTO_ICMP) {
if (icmphdr_ok(skb)) {
struct icmphdr *icmp = icmp_hdr(skb);
/* The ICMP type and code fields use the 16-bit
* transport port fields, so we need to store
* them in 16-bit network byte order.
*/
key->tp.src = htons(icmp->type);
key->tp.dst = htons(icmp->code);
} else {
memset(&key->tp, 0, sizeof(key->tp));
}
}
} else if (key->eth.type == htons(ETH_P_ARP) ||
key->eth.type == htons(ETH_P_RARP)) {
struct arp_eth_header *arp;
bool arp_available = arphdr_ok(skb);
arp = (struct arp_eth_header *)skb_network_header(skb);
if (arp_available &&
arp->ar_hrd == htons(ARPHRD_ETHER) &&
arp->ar_pro == htons(ETH_P_IP) &&
arp->ar_hln == ETH_ALEN &&
arp->ar_pln == 4) {
/* We only match on the lower 8 bits of the opcode. */
if (ntohs(arp->ar_op) <= 0xff)
key->ip.proto = ntohs(arp->ar_op);
else
key->ip.proto = 0;
memcpy(&key->ipv4.addr.src, arp->ar_sip, sizeof(key->ipv4.addr.src));
memcpy(&key->ipv4.addr.dst, arp->ar_tip, sizeof(key->ipv4.addr.dst));
ether_addr_copy(key->ipv4.arp.sha, arp->ar_sha);
ether_addr_copy(key->ipv4.arp.tha, arp->ar_tha);
} else {
memset(&key->ip, 0, sizeof(key->ip));
memset(&key->ipv4, 0, sizeof(key->ipv4));
}
} else if (eth_p_mpls(key->eth.type)) {
size_t stack_len = MPLS_HLEN;
/* In the presence of an MPLS label stack the end of the L2
* header and the beginning of the L3 header differ.
*
* Advance network_header to the beginning of the L3
* header. mac_len corresponds to the end of the L2 header.
*/
while (1) {
__be32 lse;
error = check_header(skb, skb->mac_len + stack_len);
if (unlikely(error))
return 0;
memcpy(&lse, skb_network_header(skb), MPLS_HLEN);
if (stack_len == MPLS_HLEN)
memcpy(&key->mpls.top_lse, &lse, MPLS_HLEN);
skb_set_network_header(skb, skb->mac_len + stack_len);
if (lse & htonl(MPLS_LS_S_MASK))
break;
stack_len += MPLS_HLEN;
}
} else if (key->eth.type == htons(ETH_P_IPV6)) {
int nh_len; /* IPv6 Header + Extensions */
nh_len = parse_ipv6hdr(skb, key);
if (unlikely(nh_len < 0)) {
memset(&key->ip, 0, sizeof(key->ip));
memset(&key->ipv6.addr, 0, sizeof(key->ipv6.addr));
if (nh_len == -EINVAL) {
skb->transport_header = skb->network_header;
error = 0;
} else {
error = nh_len;
}
return error;
}
if (key->ip.frag == OVS_FRAG_TYPE_LATER)
return 0;
if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP)
key->ip.frag = OVS_FRAG_TYPE_FIRST;
/* Transport layer. */
if (key->ip.proto == NEXTHDR_TCP) {
if (tcphdr_ok(skb)) {
struct tcphdr *tcp = tcp_hdr(skb);
key->tp.src = tcp->source;
key->tp.dst = tcp->dest;
key->tp.flags = TCP_FLAGS_BE16(tcp);
} else {
memset(&key->tp, 0, sizeof(key->tp));
}
} else if (key->ip.proto == NEXTHDR_UDP) {
if (udphdr_ok(skb)) {
struct udphdr *udp = udp_hdr(skb);
key->tp.src = udp->source;
key->tp.dst = udp->dest;
} else {
memset(&key->tp, 0, sizeof(key->tp));
}
} else if (key->ip.proto == NEXTHDR_SCTP) {
if (sctphdr_ok(skb)) {
struct sctphdr *sctp = sctp_hdr(skb);
key->tp.src = sctp->source;
key->tp.dst = sctp->dest;
} else {
memset(&key->tp, 0, sizeof(key->tp));
}
} else if (key->ip.proto == NEXTHDR_ICMP) {
if (icmp6hdr_ok(skb)) {
error = parse_icmpv6(skb, key, nh_len);
if (error)
return error;
} else {
memset(&key->tp, 0, sizeof(key->tp));
}
}
}
return 0;
}
struct sk_buff* init_skb_for_test( struct tuple *tuple, u_int8_t protocol )
{
__u32 l3_len;
__u32 l4_len;
struct tcphdr *tcp_header;
struct udphdr *udp_header;
struct icmphdr *icmp_header;
struct iphdr *ip_header = NULL;
struct sk_buff *skb;
switch(protocol)
{
case IPPROTO_TCP:
l4_len = sizeof(struct tcphdr);
break;
case IPPROTO_UDP:
l4_len = sizeof(struct udphdr);
break;
case IPPROTO_ICMP:
l4_len = sizeof(struct icmphdr);
break;
default:
log_warning("Invalid protocol 1: %u", protocol);
return NULL;
}
l3_len = sizeof(struct iphdr);
skb = alloc_skb(LL_MAX_HEADER + l3_len + l4_len + SKB_PAYLOAD, GFP_ATOMIC);
if (!skb)
{
log_warning(" New packet allocation failed.");
return NULL;
}
skb_reserve(skb, LL_MAX_HEADER);
skb_put(skb, l3_len + l4_len + SKB_PAYLOAD);
skb_reset_mac_header(skb);
skb_reset_network_header(skb);
skb_set_transport_header(skb, l3_len);
ip_header = ip_hdr(skb);
memset(ip_header, 0, sizeof(struct iphdr));
switch(protocol)
{
case IPPROTO_TCP:
tcp_header = tcp_hdr(skb);
memset(tcp_header, 0, l4_len);
tcp_header->source = tuple->src.l4_id;
tcp_header->dest = tuple->dst.l4_id;
break;
case IPPROTO_UDP:
udp_header = udp_hdr(skb);
memset(udp_header, 0, l4_len);
udp_header->source = tuple->src.l4_id;
udp_header->dest = tuple->dst.l4_id;
udp_header->len = htons(sizeof(struct udphdr) + SKB_PAYLOAD);
udp_header->check = 0;
break;
case IPPROTO_ICMP:
icmp_header = icmp_hdr(skb);
memset(icmp_header, 0, l4_len);
icmp_header->type = ICMP_ECHO;
/* icmp_header->type = ICMP_ECHOREPLY; */
/* icmp6_header->icmp6_type = ICMPV6_ECHO_REQUEST; */
/* icmp6_header->icmp6_type = ICMPV6_ECHO_REPLY; */
break;
default:
log_warning("Invalid protocol 2: %u", protocol);
kfree_skb(skb);
return NULL;
}
ip_header->version = 4;
ip_header->ihl = (sizeof(struct iphdr)) /4 ;
ip_header->tos = 0;
ip_header->tot_len = htons(l3_len + l4_len + SKB_PAYLOAD);
ip_header->id = htons(111);
ip_header->frag_off = 0;
ip_header->ttl = 64;
ip_header->protocol = protocol;
ip_header->check = 0;
/* skb_forward_csum(skb); */
ip_header->saddr = tuple->src.addr.ipv4.s_addr;
ip_header->daddr = tuple->dst.addr.ipv4.s_addr;
skb->protocol = htons(ETH_P_IP);
return skb;
}
/*
* This routine is called by the ICMP module when it gets some sort of error
* condition. If err < 0 then the socket should be closed and the error
* returned to the user. If err > 0 it's just the icmp type << 8 | icmp code.
* After adjustment header points to the first 8 bytes of the tcp header. We
* need to find the appropriate port.
*
* The locking strategy used here is very "optimistic". When someone else
* accesses the socket the ICMP is just dropped and for some paths there is no
* check at all. A more general error queue to queue errors for later handling
* is probably better.
*/
static void dccp_v4_err(struct sk_buff *skb, u32 info)
{
const struct iphdr *iph = (struct iphdr *)skb->data;
const u8 offset = iph->ihl << 2;
const struct dccp_hdr *dh = (struct dccp_hdr *)(skb->data + offset);
struct dccp_sock *dp;
struct inet_sock *inet;
const int type = icmp_hdr(skb)->type;
const int code = icmp_hdr(skb)->code;
struct sock *sk;
__u64 seq;
int err;
struct net *net = dev_net(skb->dev);
if (skb->len < offset + sizeof(*dh) ||
skb->len < offset + __dccp_basic_hdr_len(dh)) {
ICMP_INC_STATS_BH(net, ICMP_MIB_INERRORS);
return;
}
sk = __inet_lookup_established(net, &dccp_hashinfo,
iph->daddr, dh->dccph_dport,
iph->saddr, ntohs(dh->dccph_sport),
inet_iif(skb));
if (!sk) {
ICMP_INC_STATS_BH(net, ICMP_MIB_INERRORS);
return;
}
if (sk->sk_state == DCCP_TIME_WAIT) {
inet_twsk_put(inet_twsk(sk));
return;
}
seq = dccp_hdr_seq(dh);
if (sk->sk_state == DCCP_NEW_SYN_RECV)
return dccp_req_err(sk, seq);
bh_lock_sock(sk);
/* If too many ICMPs get dropped on busy
* servers this needs to be solved differently.
*/
if (sock_owned_by_user(sk))
NET_INC_STATS_BH(net, LINUX_MIB_LOCKDROPPEDICMPS);
if (sk->sk_state == DCCP_CLOSED)
goto out;
dp = dccp_sk(sk);
if ((1 << sk->sk_state) & ~(DCCPF_REQUESTING | DCCPF_LISTEN) &&
!between48(seq, dp->dccps_awl, dp->dccps_awh)) {
NET_INC_STATS_BH(net, LINUX_MIB_OUTOFWINDOWICMPS);
goto out;
}
switch (type) {
case ICMP_REDIRECT:
dccp_do_redirect(skb, sk);
goto out;
case ICMP_SOURCE_QUENCH:
/* Just silently ignore these. */
goto out;
case ICMP_PARAMETERPROB:
err = EPROTO;
break;
case ICMP_DEST_UNREACH:
if (code > NR_ICMP_UNREACH)
goto out;
if (code == ICMP_FRAG_NEEDED) { /* PMTU discovery (RFC1191) */
if (!sock_owned_by_user(sk))
dccp_do_pmtu_discovery(sk, iph, info);
goto out;
}
err = icmp_err_convert[code].errno;
break;
case ICMP_TIME_EXCEEDED:
err = EHOSTUNREACH;
break;
default:
goto out;
}
switch (sk->sk_state) {
case DCCP_REQUESTING:
case DCCP_RESPOND:
if (!sock_owned_by_user(sk)) {
DCCP_INC_STATS_BH(DCCP_MIB_ATTEMPTFAILS);
sk->sk_err = err;
sk->sk_error_report(sk);
dccp_done(sk);
} else
sk->sk_err_soft = err;
goto out;
}
/* If we've already connected we will keep trying
* until we time out, or the user gives up.
*
* rfc1122 4.2.3.9 allows to consider as hard errors
* only PROTO_UNREACH and PORT_UNREACH (well, FRAG_FAILED too,
* but it is obsoleted by pmtu discovery).
*
* Note, that in modern internet, where routing is unreliable
* and in each dark corner broken firewalls sit, sending random
* errors ordered by their masters even this two messages finally lose
* their original sense (even Linux sends invalid PORT_UNREACHs)
*
* Now we are in compliance with RFCs.
* --ANK (980905)
*/
inet = inet_sk(sk);
if (!sock_owned_by_user(sk) && inet->recverr) {
sk->sk_err = err;
sk->sk_error_report(sk);
} else /* Only an error on timeout */
sk->sk_err_soft = err;
out:
bh_unlock_sock(sk);
sock_put(sk);
}
/**
* Extracts relevant data from "skb" and stores it in the "tuple" tuple.
*
* @param skb packet the data will be extracted from.
* @param tuple this function will populate this value using "skb"'s contents.
* @return whether packet processing should continue.
*/
verdict determine_in_tuple(struct sk_buff *skb, struct tuple *in_tuple)
{
struct icmphdr *icmp4;
struct icmp6hdr *icmp6;
verdict result = VER_CONTINUE;
log_debug("Step 1: Determining the Incoming Tuple");
switch (skb_l3_proto(skb)) {
case L3PROTO_IPV4:
switch (skb_l4_proto(skb)) {
case L4PROTO_UDP:
result = ipv4_udp(skb, in_tuple);
break;
case L4PROTO_TCP:
result = ipv4_tcp(skb, in_tuple);
break;
case L4PROTO_ICMP:
icmp4 = icmp_hdr(skb);
if (is_icmp4_info(icmp4->type)) {
result = ipv4_icmp_info(skb, in_tuple);
} else if (is_icmp4_error(icmp4->type)) {
result = ipv4_icmp_err(skb, in_tuple);
} else {
log_debug("Unknown ICMPv4 type: %u. Dropping packet...", icmp4->type);
inc_stats(skb, IPSTATS_MIB_INHDRERRORS);
result = VER_DROP;
}
break;
}
break;
case L3PROTO_IPV6:
switch (skb_l4_proto(skb)) {
case L4PROTO_UDP:
result = ipv6_udp(skb, in_tuple);
break;
case L4PROTO_TCP:
result = ipv6_tcp(skb, in_tuple);
break;
case L4PROTO_ICMP:
icmp6 = icmp6_hdr(skb);
if (is_icmp6_info(icmp6->icmp6_type)) {
result = ipv6_icmp_info(skb, in_tuple);
} else if (is_icmp6_error(icmp6->icmp6_type)) {
result = ipv6_icmp_err(skb, in_tuple);
} else {
log_debug("Unknown ICMPv6 type: %u. Dropping packet...", icmp6->icmp6_type);
inc_stats(skb, IPSTATS_MIB_INHDRERRORS);
result = VER_DROP;
}
break;
}
break;
}
/*
* We moved the transport-protocol-not-recognized ICMP errors to packet.c because they're
* covered in validations.
*/
log_tuple(in_tuple);
log_debug("Done step 1.");
return result;
}
