LXR linux/net/ipv4/ip

   1/*
   2 * INET         An implementation of the TCP/IP protocol suite for the LINUX
   3 *              operating system.  INET is implemented using the  BSD Socket
   4 *              interface as the means of communication with the user level.
   5 *
   6 *              The Internet Protocol (IP) module.
   7 *
   8 * Authors:     Ross Biro
   9 *              Fred N. van Kempen, <waltje@uWalt.NL.Mugnet.ORG>
  10 *              Donald Becker, <becker@super.org>
  11 *              Alan Cox, <alan@lxorguk.ukuu.org.uk>
  12 *              Richard Underwood
  13 *              Stefan Becker, <stefanb@yello.ping.de>
  14 *              Jorge Cwik, <jorge@laser.satlink.net>
  15 *              Arnt Gulbrandsen, <agulbra@nvg.unit.no>
  16 *
  17 *
  18 * Fixes:
  19 *              Alan Cox        :       Commented a couple of minor bits of surplus code
  20 *              Alan Cox        :       Undefining IP_FORWARD doesn't include the code
  21 *                                      (just stops a compiler warning).
  22 *              Alan Cox        :       Frames with >=MAX_ROUTE record routes, strict routes or loose routes
  23 *                                      are junked rather than corrupting things.
  24 *              Alan Cox        :       Frames to bad broadcast subnets are dumped
  25 *                                      We used to process them non broadcast and
  26 *                                      boy could that cause havoc.
  27 *              Alan Cox        :       ip_forward sets the free flag on the
  28 *                                      new frame it queues. Still crap because
  29 *                                      it copies the frame but at least it
  30 *                                      doesn't eat memory too.
  31 *              Alan Cox        :       Generic queue code and memory fixes.
  32 *              Fred Van Kempen :       IP fragment support (borrowed from NET2E)
  33 *              Gerhard Koerting:       Forward fragmented frames correctly.
  34 *              Gerhard Koerting:       Fixes to my fix of the above 8-).
  35 *              Gerhard Koerting:       IP interface addressing fix.
  36 *              Linus Torvalds  :       More robustness checks
  37 *              Alan Cox        :       Even more checks: Still not as robust as it ought to be
  38 *              Alan Cox        :       Save IP header pointer for later
  39 *              Alan Cox        :       ip option setting
  40 *              Alan Cox        :       Use ip_tos/ip_ttl settings
  41 *              Alan Cox        :       Fragmentation bogosity removed
  42 *                                      (Thanks to Mark.Bush@prg.ox.ac.uk)
  43 *              Dmitry Gorodchanin :    Send of a raw packet crash fix.
  44 *              Alan Cox        :       Silly ip bug when an overlength
  45 *                                      fragment turns up. Now frees the
  46 *                                      queue.
  47 *              Linus Torvalds/ :       Memory leakage on fragmentation
  48 *              Alan Cox        :       handling.
  49 *              Gerhard Koerting:       Forwarding uses IP priority hints
  50 *              Teemu Rantanen  :       Fragment problems.
  51 *              Alan Cox        :       General cleanup, comments and reformat
  52 *              Alan Cox        :       SNMP statistics
  53 *              Alan Cox        :       BSD address rule semantics. Also see
  54 *                                      UDP as there is a nasty checksum issue
  55 *                                      if you do things the wrong way.
  56 *              Alan Cox        :       Always defrag, moved IP_FORWARD to the config.in file
  57 *              Alan Cox        :       IP options adjust sk->priority.
  58 *              Pedro Roque     :       Fix mtu/length error in ip_forward.
  59 *              Alan Cox        :       Avoid ip_chk_addr when possible.
  60 *      Richard Underwood       :       IP multicasting.
  61 *              Alan Cox        :       Cleaned up multicast handlers.
  62 *              Alan Cox        :       RAW sockets demultiplex in the BSD style.
  63 *              Gunther Mayer   :       Fix the SNMP reporting typo
  64 *              Alan Cox        :       Always in group 224.0.0.1
  65 *      Pauline Middelink       :       Fast ip_checksum update when forwarding
  66 *                                      Masquerading support.
  67 *              Alan Cox        :       Multicast loopback error for 224.0.0.1
  68 *              Alan Cox        :       IP_MULTICAST_LOOP option.
  69 *              Alan Cox        :       Use notifiers.
  70 *              Bjorn Ekwall    :       Removed ip_csum (from slhc.c too)
  71 *              Bjorn Ekwall    :       Moved ip_fast_csum to ip.h (inline!)
  72 *              Stefan Becker   :       Send out ICMP HOST REDIRECT
  73 *      Arnt Gulbrandsen        :       ip_build_xmit
  74 *              Alan Cox        :       Per socket routing cache
  75 *              Alan Cox        :       Fixed routing cache, added header cache.
  76 *              Alan Cox        :       Loopback didn't work right in original ip_build_xmit - fixed it.
  77 *              Alan Cox        :       Only send ICMP_REDIRECT if src/dest are the same net.
  78 *              Alan Cox        :       Incoming IP option handling.
  79 *              Alan Cox        :       Set saddr on raw output frames as per BSD.
  80 *              Alan Cox        :       Stopped broadcast source route explosions.
  81 *              Alan Cox        :       Can disable source routing
  82 *              Takeshi Sone    :       Masquerading didn't work.
  83 *      Dave Bonn,Alan Cox      :       Faster IP forwarding whenever possible.
  84 *              Alan Cox        :       Memory leaks, tramples, misc debugging.
  85 *              Alan Cox        :       Fixed multicast (by popular demand 8))
  86 *              Alan Cox        :       Fixed forwarding (by even more popular demand 8))
  87 *              Alan Cox        :       Fixed SNMP statistics [I think]
  88 *      Gerhard Koerting        :       IP fragmentation forwarding fix
  89 *              Alan Cox        :       Device lock against page fault.
  90 *              Alan Cox        :       IP_HDRINCL facility.
  91 *      Werner Almesberger      :       Zero fragment bug
  92 *              Alan Cox        :       RAW IP frame length bug
  93 *              Alan Cox        :       Outgoing firewall on build_xmit
  94 *              A.N.Kuznetsov   :       IP_OPTIONS support throughout the kernel
  95 *              Alan Cox        :       Multicast routing hooks
  96 *              Jos Vos         :       Do accounting *before* call_in_firewall
  97 *      Willy Konynenberg       :       Transparent proxying support
  98 *
  99 *
 100 *
 101 * To Fix:
 102 *              IP fragmentation wants rewriting cleanly. The RFC815 algorithm is much more efficient
 103 *              and could be made very efficient with the addition of some virtual memory hacks to permit
 104 *              the allocation of a buffer that can then be 'grown' by twiddling page tables.
 105 *              Output fragmentation wants updating along with the buffer management to use a single
 106 *              interleaved copy algorithm so that fragmenting has a one copy overhead. Actual packet
 107 *              output should probably do its own fragmentation at the UDP/RAW layer. TCP shouldn't cause
 108 *              fragmentation anyway.
 109 *
 110 *              This program is free software; you can redistribute it and/or
 111 *              modify it under the terms of the GNU General Public License
 112 *              as published by the Free Software Foundation; either version
 113 *              2 of the License, or (at your option) any later version.
 114 */
 115
 116#define pr_fmt(fmt) "IPv4: " fmt
 117
 118#include <linux/module.h>
 119#include <linux/types.h>
 120#include <linux/kernel.h>
 121#include <linux/string.h>
 122#include <linux/errno.h>
 123#include <linux/slab.h>
 124
 125#include <linux/net.h>
 126#include <linux/socket.h>
 127#include <linux/sockios.h>
 128#include <linux/in.h>
 129#include <linux/inet.h>
 130#include <linux/inetdevice.h>
 131#include <linux/netdevice.h>
 132#include <linux/etherdevice.h>
 133
 134#include <net/snmp.h>
 135#include <net/ip.h>
 136#include <net/protocol.h>
 137#include <net/route.h>
 138#include <linux/skbuff.h>
 139#include <net/sock.h>
 140#include <net/arp.h>
 141#include <net/icmp.h>
 142#include <net/raw.h>
 143#include <net/checksum.h>
 144#include <net/inet_ecn.h>
 145#include <linux/netfilter_ipv4.h>
 146#include <net/xfrm.h>
 147#include <linux/mroute.h>
 148#include <linux/netlink.h>
 149#include <net/dst_metadata.h>
 150
 151/*
 152 *      Process Router Attention IP option (RFC 2113)
 153 */
 154bool ip_call_ra_chain(struct sk_buff *skb)
 155{
 156        struct ip_ra_chain *ra;
 157        u8 protocol = ip_hdr(skb)->protocol;
 158        struct sock *last = NULL;
 159        struct net_device *dev = skb->dev;
 160        struct net *net = dev_net(dev);
 161
 162        for (ra = rcu_dereference(ip_ra_chain); ra; ra = rcu_dereference(ra->next)) {
 163                struct sock *sk = ra->sk;
 164
 165                /* If socket is bound to an interface, only report
 166                 * the packet if it came  from that interface.
 167                 */
 168                if (sk && inet_sk(sk)->inet_num == protocol &&
 169                    (!sk->sk_bound_dev_if ||
 170                     sk->sk_bound_dev_if == dev->ifindex) &&
 171                    net_eq(sock_net(sk), net)) {
 172                        if (ip_is_fragment(ip_hdr(skb))) {
 173                                if (ip_defrag(net, skb, IP_DEFRAG_CALL_RA_CHAIN))
 174                                        return true;
 175                        }
 176                        if (last) {
 177                                struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC);
 178                                if (skb2)
 179                                        raw_rcv(last, skb2);
 180                        }
 181                        last = sk;
 182                }
 183        }
 184
 185        if (last) {
 186                raw_rcv(last, skb);
 187                return true;
 188        }
 189        return false;
 190}
 191
 192static int ip_local_deliver_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
 193{
 194        __skb_pull(skb, skb_network_header_len(skb));
 195
 196        rcu_read_lock();
 197        {
 198                int protocol = ip_hdr(skb)->protocol;
 199                const struct net_protocol *ipprot;
 200                int raw;
 201
 202        resubmit:
 203                raw = raw_local_deliver(skb, protocol);
 204
 205                ipprot = rcu_dereference(inet_protos[protocol]);
 206                if (ipprot) {
 207                        int ret;
 208
 209                        if (!ipprot->no_policy) {
 210                                if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) {
 211                                        kfree_skb(skb);
 212                                        goto out;
 213                                }
 214                                nf_reset(skb);
 215                        }
 216                        ret = ipprot->handler(skb);
 217                        if (ret < 0) {
 218                                protocol = -ret;
 219                                goto resubmit;
 220                        }
 221                        __IP_INC_STATS(net, IPSTATS_MIB_INDELIVERS);
 222                } else {
 223                        if (!raw) {
 224                                if (xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) {
 225                                        __IP_INC_STATS(net, IPSTATS_MIB_INUNKNOWNPROTOS);
 226                                        icmp_send(skb, ICMP_DEST_UNREACH,
 227                                                  ICMP_PROT_UNREACH, 0);
 228                                }
 229                                kfree_skb(skb);
 230                        } else {
 231                                __IP_INC_STATS(net, IPSTATS_MIB_INDELIVERS);
 232                                consume_skb(skb);
 233                        }
 234                }
 235        }
 236 out:
 237        rcu_read_unlock();
 238
 239        return 0;
 240}
 241
 242/*
 243 *      Deliver IP Packets to the higher protocol layers.
 244 */
 245int ip_local_deliver(struct sk_buff *skb)
 246{
 247        /*
 248         *      Reassemble IP fragments.
 249         */
 250        struct net *net = dev_net(skb->dev);
 251
 252        if (ip_is_fragment(ip_hdr(skb))) {
 253                if (ip_defrag(net, skb, IP_DEFRAG_LOCAL_DELIVER))
 254                        return 0;
 255        }
 256
 257        return NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_IN,
 258                       net, NULL, skb, skb->dev, NULL,
 259                       ip_local_deliver_finish);
 260}
 261
 262static inline bool ip_rcv_options(struct sk_buff *skb)
 263{
 264        struct ip_options *opt;
 265        const struct iphdr *iph;
 266        struct net_device *dev = skb->dev;
 267
 268        /* It looks as overkill, because not all
 269           IP options require packet mangling.
 270           But it is the easiest for now, especially taking
 271           into account that combination of IP options
 272           and running sniffer is extremely rare condition.
 273                                              --ANK (980813)
 274        */
 275        if (skb_cow(skb, skb_headroom(skb))) {
 276                __IP_INC_STATS(dev_net(dev), IPSTATS_MIB_INDISCARDS);
 277                goto drop;
 278        }
 279
 280        iph = ip_hdr(skb);
 281        opt = &(IPCB(skb)->opt);
 282        opt->optlen = iph->ihl*4 - sizeof(struct iphdr);
 283
 284        if (ip_options_compile(dev_net(dev), opt, skb)) {
 285                __IP_INC_STATS(dev_net(dev), IPSTATS_MIB_INHDRERRORS);
 286                goto drop;
 287        }
 288
 289        if (unlikely(opt->srr)) {
 290                struct in_device *in_dev = __in_dev_get_rcu(dev);
 291
 292                if (in_dev) {
 293                        if (!IN_DEV_SOURCE_ROUTE(in_dev)) {
 294                                if (IN_DEV_LOG_MARTIANS(in_dev))
 295                                        net_info_ratelimited("source route option %pI4 -> %pI4\n",
 296                                                             &iph->saddr,
 297                                                             &iph->daddr);
 298                                goto drop;
 299                        }
 300                }
 301
 302                if (ip_options_rcv_srr(skb))
 303                        goto drop;
 304        }
 305
 306        return false;
 307drop:
 308        return true;
 309}
 310
 311static int ip_rcv_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
 312{
 313        const struct iphdr *iph = ip_hdr(skb);
 314        int (*edemux)(struct sk_buff *skb);
 315        struct net_device *dev = skb->dev;
 316        struct rtable *rt;
 317        int err;
 318
 319        /* if ingress device is enslaved to an L3 master device pass the
 320         * skb to its handler for processing
 321         */
 322        skb = l3mdev_ip_rcv(skb);
 323        if (!skb)
 324                return NET_RX_SUCCESS;
 325
 326        if (net->ipv4.sysctl_ip_early_demux &&
 327            !skb_dst(skb) &&
 328            !skb->sk &&
 329            !ip_is_fragment(iph)) {
 330                const struct net_protocol *ipprot;
 331                int protocol = iph->protocol;
 332
 333                ipprot = rcu_dereference(inet_protos[protocol]);
 334                if (ipprot && (edemux = READ_ONCE(ipprot->early_demux))) {
 335                        err = edemux(skb);
 336                        if (unlikely(err))
 337                                goto drop_error;
 338                        /* must reload iph, skb->head might have changed */
 339                        iph = ip_hdr(skb);
 340                }
 341        }
 342
 343        /*
 344         *      Initialise the virtual path cache for the packet. It describes
 345         *      how the packet travels inside Linux networking.
 346         */
 347        if (!skb_valid_dst(skb)) {
 348                err = ip_route_input_noref(skb, iph->daddr, iph->saddr,
 349                                           iph->tos, dev);
 350                if (unlikely(err))
 351                        goto drop_error;
 352        }
 353
 354#ifdef CONFIG_IP_ROUTE_CLASSID
 355        if (unlikely(skb_dst(skb)->tclassid)) {
 356                struct ip_rt_acct *st = this_cpu_ptr(ip_rt_acct);
 357                u32 idx = skb_dst(skb)->tclassid;
 358                st[idx&0xFF].o_packets++;
 359                st[idx&0xFF].o_bytes += skb->len;
 360                st[(idx>>16)&0xFF].i_packets++;
 361                st[(idx>>16)&0xFF].i_bytes += skb->len;
 362        }
 363#endif
 364
 365        if (iph->ihl > 5 && ip_rcv_options(skb))
 366                goto drop;
 367
 368        rt = skb_rtable(skb);
 369        if (rt->rt_type == RTN_MULTICAST) {
 370                __IP_UPD_PO_STATS(net, IPSTATS_MIB_INMCAST, skb->len);
 371        } else if (rt->rt_type == RTN_BROADCAST) {
 372                __IP_UPD_PO_STATS(net, IPSTATS_MIB_INBCAST, skb->len);
 373        } else if (skb->pkt_type == PACKET_BROADCAST ||
 374                   skb->pkt_type == PACKET_MULTICAST) {
 375                struct in_device *in_dev = __in_dev_get_rcu(dev);
 376
 377                /* RFC 1122 3.3.6:
 378                 *
 379                 *   When a host sends a datagram to a link-layer broadcast
 380                 *   address, the IP destination address MUST be a legal IP
 381                 *   broadcast or IP multicast address.
 382                 *
 383                 *   A host SHOULD silently discard a datagram that is received
 384                 *   via a link-layer broadcast (see Section 2.4) but does not
 385                 *   specify an IP multicast or broadcast destination address.
 386                 *
 387                 * This doesn't explicitly say L2 *broadcast*, but broadcast is
 388                 * in a way a form of multicast and the most common use case for
 389                 * this is 802.11 protecting against cross-station spoofing (the
 390                 * so-called "hole-196" attack) so do it for both.
 391                 */
 392                if (in_dev &&
 393                    IN_DEV_ORCONF(in_dev, DROP_UNICAST_IN_L2_MULTICAST))
 394                        goto drop;
 395        }
 396
 397        return dst_input(skb);
 398
 399drop:
 400        kfree_skb(skb);
 401        return NET_RX_DROP;
 402
 403drop_error:
 404        if (err == -EXDEV)
 405                __NET_INC_STATS(net, LINUX_MIB_IPRPFILTER);
 406        goto drop;
 407}
 408
 409/*
 410 *      Main IP Receive routine.
 411 */
 412int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, struct net_device *orig_dev)
 413{
 414        const struct iphdr *iph;
 415        struct net *net;
 416        u32 len;
 417
 418        /* When the interface is in promisc. mode, drop all the crap
 419         * that it receives, do not try to analyse it.
 420         */
 421        if (skb->pkt_type == PACKET_OTHERHOST)
 422                goto drop;
 423
 424
 425        net = dev_net(dev);
 426        __IP_UPD_PO_STATS(net, IPSTATS_MIB_IN, skb->len);
 427
 428        skb = skb_share_check(skb, GFP_ATOMIC);
 429        if (!skb) {
 430                __IP_INC_STATS(net, IPSTATS_MIB_INDISCARDS);
 431                goto out;
 432        }
 433
 434        if (!pskb_may_pull(skb, sizeof(struct iphdr)))
 435                goto inhdr_error;
 436
 437        iph = ip_hdr(skb);
 438
 439        /*
 440         *      RFC1122: 3.2.1.2 MUST silently discard any IP frame that fails the checksum.
 441         *
 442         *      Is the datagram acceptable?
 443         *
 444         *      1.      Length at least the size of an ip header
 445         *      2.      Version of 4
 446         *      3.      Checksums correctly. [Speed optimisation for later, skip loopback checksums]
 447         *      4.      Doesn't have a bogus length
 448         */
 449
 450        if (iph->ihl < 5 || iph->version != 4)
 451                goto inhdr_error;
 452
 453        BUILD_BUG_ON(IPSTATS_MIB_ECT1PKTS != IPSTATS_MIB_NOECTPKTS + INET_ECN_ECT_1);
 454        BUILD_BUG_ON(IPSTATS_MIB_ECT0PKTS != IPSTATS_MIB_NOECTPKTS + INET_ECN_ECT_0);
 455        BUILD_BUG_ON(IPSTATS_MIB_CEPKTS != IPSTATS_MIB_NOECTPKTS + INET_ECN_CE);
 456        __IP_ADD_STATS(net,
 457                       IPSTATS_MIB_NOECTPKTS + (iph->tos & INET_ECN_MASK),
 458                       max_t(unsigned short, 1, skb_shinfo(skb)->gso_segs));
 459
 460        if (!pskb_may_pull(skb, iph->ihl*4))
 461                goto inhdr_error;
 462
 463        iph = ip_hdr(skb);
 464
 465        if (unlikely(ip_fast_csum((u8 *)iph, iph->ihl)))
 466                goto csum_error;
 467
 468        len = ntohs(iph->tot_len);
 469        if (skb->len < len) {
 470                __IP_INC_STATS(net, IPSTATS_MIB_INTRUNCATEDPKTS);
 471                goto drop;
 472        } else if (len < (iph->ihl*4))
 473                goto inhdr_error;
 474
 475        /* Our transport medium may have padded the buffer out. Now we know it
 476         * is IP we can trim to the true length of the frame.
 477         * Note this now means skb->len holds ntohs(iph->tot_len).
 478         */
 479        if (pskb_trim_rcsum(skb, len)) {
 480                __IP_INC_STATS(net, IPSTATS_MIB_INDISCARDS);
 481                goto drop;
 482        }
 483
 484        skb->transport_header = skb->network_header + iph->ihl*4;
 485
 486        /* Remove any debris in the socket control block */
 487        memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
 488        IPCB(skb)->iif = skb->skb_iif;
 489
 490        /* Must drop socket now because of tproxy. */
 491        skb_orphan(skb);
 492
 493        return NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING,
 494                       net, NULL, skb, dev, NULL,
 495                       ip_rcv_finish);
 496
 497csum_error:
 498        __IP_INC_STATS(net, IPSTATS_MIB_CSUMERRORS);
 499inhdr_error:
 500        __IP_INC_STATS(net, IPSTATS_MIB_INHDRERRORS);
 501drop:
 502        kfree_skb(skb);
 503out:
 504        return NET_RX_DROP;
 505}
 506