LXR linux/net/ipv6/ip6

   1// SPDX-License-Identifier: GPL-2.0-or-later
   2/*
   3 *      IPv6 input
   4 *      Linux INET6 implementation
   5 *
   6 *      Authors:
   7 *      Pedro Roque             <roque@di.fc.ul.pt>
   8 *      Ian P. Morris           <I.P.Morris@soton.ac.uk>
   9 *
  10 *      Based in linux/net/ipv4/ip_input.c
  11 */
  12/* Changes
  13 *
  14 *      Mitsuru KANDA @USAGI and
  15 *      YOSHIFUJI Hideaki @USAGI: Remove ipv6_parse_exthdrs().
  16 */
  17
  18#include <linux/errno.h>
  19#include <linux/types.h>
  20#include <linux/socket.h>
  21#include <linux/sockios.h>
  22#include <linux/net.h>
  23#include <linux/netdevice.h>
  24#include <linux/in6.h>
  25#include <linux/icmpv6.h>
  26#include <linux/mroute6.h>
  27#include <linux/slab.h>
  28#include <linux/indirect_call_wrapper.h>
  29
  30#include <linux/netfilter.h>
  31#include <linux/netfilter_ipv6.h>
  32
  33#include <net/sock.h>
  34#include <net/snmp.h>
  35#include <net/udp.h>
  36
  37#include <net/ipv6.h>
  38#include <net/protocol.h>
  39#include <net/transp_v6.h>
  40#include <net/rawv6.h>
  41#include <net/ndisc.h>
  42#include <net/ip6_route.h>
  43#include <net/addrconf.h>
  44#include <net/xfrm.h>
  45#include <net/inet_ecn.h>
  46#include <net/dst_metadata.h>
  47
  48INDIRECT_CALLABLE_DECLARE(void tcp_v6_early_demux(struct sk_buff *));
  49static void ip6_rcv_finish_core(struct net *net, struct sock *sk,
  50                                struct sk_buff *skb)
  51{
  52        void (*edemux)(struct sk_buff *skb);
  53
  54        if (net->ipv4.sysctl_ip_early_demux && !skb_dst(skb) && skb->sk == NULL) {
  55                const struct inet6_protocol *ipprot;
  56
  57                ipprot = rcu_dereference(inet6_protos[ipv6_hdr(skb)->nexthdr]);
  58                if (ipprot && (edemux = READ_ONCE(ipprot->early_demux)))
  59                        INDIRECT_CALL_2(edemux, tcp_v6_early_demux,
  60                                        udp_v6_early_demux, skb);
  61        }
  62        if (!skb_valid_dst(skb))
  63                ip6_route_input(skb);
  64}
  65
  66int ip6_rcv_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
  67{
  68        /* if ingress device is enslaved to an L3 master device pass the
  69         * skb to its handler for processing
  70         */
  71        skb = l3mdev_ip6_rcv(skb);
  72        if (!skb)
  73                return NET_RX_SUCCESS;
  74        ip6_rcv_finish_core(net, sk, skb);
  75
  76        return dst_input(skb);
  77}
  78
  79static void ip6_sublist_rcv_finish(struct list_head *head)
  80{
  81        struct sk_buff *skb, *next;
  82
  83        list_for_each_entry_safe(skb, next, head, list) {
  84                skb_list_del_init(skb);
  85                dst_input(skb);
  86        }
  87}
  88
  89static bool ip6_can_use_hint(const struct sk_buff *skb,
  90                             const struct sk_buff *hint)
  91{
  92        return hint && !skb_dst(skb) &&
  93               ipv6_addr_equal(&ipv6_hdr(hint)->daddr, &ipv6_hdr(skb)->daddr);
  94}
  95
  96static struct sk_buff *ip6_extract_route_hint(const struct net *net,
  97                                              struct sk_buff *skb)
  98{
  99        if (fib6_routes_require_src(net) || fib6_has_custom_rules(net))
 100                return NULL;
 101
 102        return skb;
 103}
 104
 105static void ip6_list_rcv_finish(struct net *net, struct sock *sk,
 106                                struct list_head *head)
 107{
 108        struct sk_buff *skb, *next, *hint = NULL;
 109        struct dst_entry *curr_dst = NULL;
 110        struct list_head sublist;
 111
 112        INIT_LIST_HEAD(&sublist);
 113        list_for_each_entry_safe(skb, next, head, list) {
 114                struct dst_entry *dst;
 115
 116                skb_list_del_init(skb);
 117                /* if ingress device is enslaved to an L3 master device pass the
 118                 * skb to its handler for processing
 119                 */
 120                skb = l3mdev_ip6_rcv(skb);
 121                if (!skb)
 122                        continue;
 123
 124                if (ip6_can_use_hint(skb, hint))
 125                        skb_dst_copy(skb, hint);
 126                else
 127                        ip6_rcv_finish_core(net, sk, skb);
 128                dst = skb_dst(skb);
 129                if (curr_dst != dst) {
 130                        hint = ip6_extract_route_hint(net, skb);
 131
 132                        /* dispatch old sublist */
 133                        if (!list_empty(&sublist))
 134                                ip6_sublist_rcv_finish(&sublist);
 135                        /* start new sublist */
 136                        INIT_LIST_HEAD(&sublist);
 137                        curr_dst = dst;
 138                }
 139                list_add_tail(&skb->list, &sublist);
 140        }
 141        /* dispatch final sublist */
 142        ip6_sublist_rcv_finish(&sublist);
 143}
 144
 145static struct sk_buff *ip6_rcv_core(struct sk_buff *skb, struct net_device *dev,
 146                                    struct net *net)
 147{
 148        const struct ipv6hdr *hdr;
 149        u32 pkt_len;
 150        struct inet6_dev *idev;
 151
 152        if (skb->pkt_type == PACKET_OTHERHOST) {
 153                kfree_skb(skb);
 154                return NULL;
 155        }
 156
 157        rcu_read_lock();
 158
 159        idev = __in6_dev_get(skb->dev);
 160
 161        __IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_IN, skb->len);
 162
 163        if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL ||
 164            !idev || unlikely(idev->cnf.disable_ipv6)) {
 165                __IP6_INC_STATS(net, idev, IPSTATS_MIB_INDISCARDS);
 166                goto drop;
 167        }
 168
 169        memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm));
 170
 171        /*
 172         * Store incoming device index. When the packet will
 173         * be queued, we cannot refer to skb->dev anymore.
 174         *
 175         * BTW, when we send a packet for our own local address on a
 176         * non-loopback interface (e.g. ethX), it is being delivered
 177         * via the loopback interface (lo) here; skb->dev = loopback_dev.
 178         * It, however, should be considered as if it is being
 179         * arrived via the sending interface (ethX), because of the
 180         * nature of scoping architecture. --yoshfuji
 181         */
 182        IP6CB(skb)->iif = skb_valid_dst(skb) ? ip6_dst_idev(skb_dst(skb))->dev->ifindex : dev->ifindex;
 183
 184        if (unlikely(!pskb_may_pull(skb, sizeof(*hdr))))
 185                goto err;
 186
 187        hdr = ipv6_hdr(skb);
 188
 189        if (hdr->version != 6)
 190                goto err;
 191
 192        __IP6_ADD_STATS(net, idev,
 193                        IPSTATS_MIB_NOECTPKTS +
 194                                (ipv6_get_dsfield(hdr) & INET_ECN_MASK),
 195                        max_t(unsigned short, 1, skb_shinfo(skb)->gso_segs));
 196        /*
 197         * RFC4291 2.5.3
 198         * The loopback address must not be used as the source address in IPv6
 199         * packets that are sent outside of a single node. [..]
 200         * A packet received on an interface with a destination address
 201         * of loopback must be dropped.
 202         */
 203        if ((ipv6_addr_loopback(&hdr->saddr) ||
 204             ipv6_addr_loopback(&hdr->daddr)) &&
 205            !(dev->flags & IFF_LOOPBACK) &&
 206            !netif_is_l3_master(dev))
 207                goto err;
 208
 209        /* RFC4291 Errata ID: 3480
 210         * Interface-Local scope spans only a single interface on a
 211         * node and is useful only for loopback transmission of
 212         * multicast.  Packets with interface-local scope received
 213         * from another node must be discarded.
 214         */
 215        if (!(skb->pkt_type == PACKET_LOOPBACK ||
 216              dev->flags & IFF_LOOPBACK) &&
 217            ipv6_addr_is_multicast(&hdr->daddr) &&
 218            IPV6_ADDR_MC_SCOPE(&hdr->daddr) == 1)
 219                goto err;
 220
 221        /* If enabled, drop unicast packets that were encapsulated in link-layer
 222         * multicast or broadcast to protected against the so-called "hole-196"
 223         * attack in 802.11 wireless.
 224         */
 225        if (!ipv6_addr_is_multicast(&hdr->daddr) &&
 226            (skb->pkt_type == PACKET_BROADCAST ||
 227             skb->pkt_type == PACKET_MULTICAST) &&
 228            idev->cnf.drop_unicast_in_l2_multicast)
 229                goto err;
 230
 231        /* RFC4291 2.7
 232         * Nodes must not originate a packet to a multicast address whose scope
 233         * field contains the reserved value 0; if such a packet is received, it
 234         * must be silently dropped.
 235         */
 236        if (ipv6_addr_is_multicast(&hdr->daddr) &&
 237            IPV6_ADDR_MC_SCOPE(&hdr->daddr) == 0)
 238                goto err;
 239
 240        /*
 241         * RFC4291 2.7
 242         * Multicast addresses must not be used as source addresses in IPv6
 243         * packets or appear in any Routing header.
 244         */
 245        if (ipv6_addr_is_multicast(&hdr->saddr))
 246                goto err;
 247
 248        skb->transport_header = skb->network_header + sizeof(*hdr);
 249        IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);
 250
 251        pkt_len = ntohs(hdr->payload_len);
 252
 253        /* pkt_len may be zero if Jumbo payload option is present */
 254        if (pkt_len || hdr->nexthdr != NEXTHDR_HOP) {
 255                if (pkt_len + sizeof(struct ipv6hdr) > skb->len) {
 256                        __IP6_INC_STATS(net,
 257                                        idev, IPSTATS_MIB_INTRUNCATEDPKTS);
 258                        goto drop;
 259                }
 260                if (pskb_trim_rcsum(skb, pkt_len + sizeof(struct ipv6hdr))) {
 261                        __IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS);
 262                        goto drop;
 263                }
 264                hdr = ipv6_hdr(skb);
 265        }
 266
 267        if (hdr->nexthdr == NEXTHDR_HOP) {
 268                if (ipv6_parse_hopopts(skb) < 0) {
 269                        __IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS);
 270                        rcu_read_unlock();
 271                        return NULL;
 272                }
 273        }
 274
 275        rcu_read_unlock();
 276
 277        /* Must drop socket now because of tproxy. */
 278        if (!skb_sk_is_prefetched(skb))
 279                skb_orphan(skb);
 280
 281        return skb;
 282err:
 283        __IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS);
 284drop:
 285        rcu_read_unlock();
 286        kfree_skb(skb);
 287        return NULL;
 288}
 289
 290int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, struct net_device *orig_dev)
 291{
 292        struct net *net = dev_net(skb->dev);
 293
 294        skb = ip6_rcv_core(skb, dev, net);
 295        if (skb == NULL)
 296                return NET_RX_DROP;
 297        return NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING,
 298                       net, NULL, skb, dev, NULL,
 299                       ip6_rcv_finish);
 300}
 301
 302static void ip6_sublist_rcv(struct list_head *head, struct net_device *dev,
 303                            struct net *net)
 304{
 305        NF_HOOK_LIST(NFPROTO_IPV6, NF_INET_PRE_ROUTING, net, NULL,
 306                     head, dev, NULL, ip6_rcv_finish);
 307        ip6_list_rcv_finish(net, NULL, head);
 308}
 309
 310/* Receive a list of IPv6 packets */
 311void ipv6_list_rcv(struct list_head *head, struct packet_type *pt,
 312                   struct net_device *orig_dev)
 313{
 314        struct net_device *curr_dev = NULL;
 315        struct net *curr_net = NULL;
 316        struct sk_buff *skb, *next;
 317        struct list_head sublist;
 318
 319        INIT_LIST_HEAD(&sublist);
 320        list_for_each_entry_safe(skb, next, head, list) {
 321                struct net_device *dev = skb->dev;
 322                struct net *net = dev_net(dev);
 323
 324                skb_list_del_init(skb);
 325                skb = ip6_rcv_core(skb, dev, net);
 326                if (skb == NULL)
 327                        continue;
 328
 329                if (curr_dev != dev || curr_net != net) {
 330                        /* dispatch old sublist */
 331                        if (!list_empty(&sublist))
 332                                ip6_sublist_rcv(&sublist, curr_dev, curr_net);
 333                        /* start new sublist */
 334                        INIT_LIST_HEAD(&sublist);
 335                        curr_dev = dev;
 336                        curr_net = net;
 337                }
 338                list_add_tail(&skb->list, &sublist);
 339        }
 340        /* dispatch final sublist */
 341        if (!list_empty(&sublist))
 342                ip6_sublist_rcv(&sublist, curr_dev, curr_net);
 343}
 344
 345INDIRECT_CALLABLE_DECLARE(int tcp_v6_rcv(struct sk_buff *));
 346
 347/*
 348 *      Deliver the packet to the host
 349 */
 350void ip6_protocol_deliver_rcu(struct net *net, struct sk_buff *skb, int nexthdr,
 351                              bool have_final)
 352{
 353        const struct inet6_protocol *ipprot;
 354        struct inet6_dev *idev;
 355        unsigned int nhoff;
 356        bool raw;
 357
 358        /*
 359         *      Parse extension headers
 360         */
 361
 362resubmit:
 363        idev = ip6_dst_idev(skb_dst(skb));
 364        nhoff = IP6CB(skb)->nhoff;
 365        if (!have_final) {
 366                if (!pskb_pull(skb, skb_transport_offset(skb)))
 367                        goto discard;
 368                nexthdr = skb_network_header(skb)[nhoff];
 369        }
 370
 371resubmit_final:
 372        raw = raw6_local_deliver(skb, nexthdr);
 373        ipprot = rcu_dereference(inet6_protos[nexthdr]);
 374        if (ipprot) {
 375                int ret;
 376
 377                if (have_final) {
 378                        if (!(ipprot->flags & INET6_PROTO_FINAL)) {
 379                                /* Once we've seen a final protocol don't
 380                                 * allow encapsulation on any non-final
 381                                 * ones. This allows foo in UDP encapsulation
 382                                 * to work.
 383                                 */
 384                                goto discard;
 385                        }
 386                } else if (ipprot->flags & INET6_PROTO_FINAL) {
 387                        const struct ipv6hdr *hdr;
 388                        int sdif = inet6_sdif(skb);
 389                        struct net_device *dev;
 390
 391                        /* Only do this once for first final protocol */
 392                        have_final = true;
 393
 394                        /* Free reference early: we don't need it any more,
 395                           and it may hold ip_conntrack module loaded
 396                           indefinitely. */
 397                        nf_reset_ct(skb);
 398
 399                        skb_postpull_rcsum(skb, skb_network_header(skb),
 400                                           skb_network_header_len(skb));
 401                        hdr = ipv6_hdr(skb);
 402
 403                        /* skb->dev passed may be master dev for vrfs. */
 404                        if (sdif) {
 405                                dev = dev_get_by_index_rcu(net, sdif);
 406                                if (!dev)
 407                                        goto discard;
 408                        } else {
 409                                dev = skb->dev;
 410                        }
 411
 412                        if (ipv6_addr_is_multicast(&hdr->daddr) &&
 413                            !ipv6_chk_mcast_addr(dev, &hdr->daddr,
 414                                                 &hdr->saddr) &&
 415                            !ipv6_is_mld(skb, nexthdr, skb_network_header_len(skb)))
 416                                goto discard;
 417                }
 418                if (!(ipprot->flags & INET6_PROTO_NOPOLICY) &&
 419                    !xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb))
 420                        goto discard;
 421
 422                ret = INDIRECT_CALL_2(ipprot->handler, tcp_v6_rcv, udpv6_rcv,
 423                                      skb);
 424                if (ret > 0) {
 425                        if (ipprot->flags & INET6_PROTO_FINAL) {
 426                                /* Not an extension header, most likely UDP
 427                                 * encapsulation. Use return value as nexthdr
 428                                 * protocol not nhoff (which presumably is
 429                                 * not set by handler).
 430                                 */
 431                                nexthdr = ret;
 432                                goto resubmit_final;
 433                        } else {
 434                                goto resubmit;
 435                        }
 436                } else if (ret == 0) {
 437                        __IP6_INC_STATS(net, idev, IPSTATS_MIB_INDELIVERS);
 438                }
 439        } else {
 440                if (!raw) {
 441                        if (xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
 442                                __IP6_INC_STATS(net, idev,
 443                                                IPSTATS_MIB_INUNKNOWNPROTOS);
 444                                icmpv6_send(skb, ICMPV6_PARAMPROB,
 445                                            ICMPV6_UNK_NEXTHDR, nhoff);
 446                        }
 447                        kfree_skb(skb);
 448                } else {
 449                        __IP6_INC_STATS(net, idev, IPSTATS_MIB_INDELIVERS);
 450                        consume_skb(skb);
 451                }
 452        }
 453        return;
 454
 455discard:
 456        __IP6_INC_STATS(net, idev, IPSTATS_MIB_INDISCARDS);
 457        kfree_skb(skb);
 458}
 459
 460static int ip6_input_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
 461{
 462        rcu_read_lock();
 463        ip6_protocol_deliver_rcu(net, skb, 0, false);
 464        rcu_read_unlock();
 465
 466        return 0;
 467}
 468
 469
 470int ip6_input(struct sk_buff *skb)
 471{
 472        return NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_IN,
 473                       dev_net(skb->dev), NULL, skb, skb->dev, NULL,
 474                       ip6_input_finish);
 475}
 476EXPORT_SYMBOL_GPL(ip6_input);
 477
 478int ip6_mc_input(struct sk_buff *skb)
 479{
 480        int sdif = inet6_sdif(skb);
 481        const struct ipv6hdr *hdr;
 482        struct net_device *dev;
 483        bool deliver;
 484
 485        __IP6_UPD_PO_STATS(dev_net(skb_dst(skb)->dev),
 486                         __in6_dev_get_safely(skb->dev), IPSTATS_MIB_INMCAST,
 487                         skb->len);
 488
 489        /* skb->dev passed may be master dev for vrfs. */
 490        if (sdif) {
 491                rcu_read_lock();
 492                dev = dev_get_by_index_rcu(dev_net(skb->dev), sdif);
 493                if (!dev) {
 494                        rcu_read_unlock();
 495                        kfree_skb(skb);
 496                        return -ENODEV;
 497                }
 498        } else {
 499                dev = skb->dev;
 500        }
 501
 502        hdr = ipv6_hdr(skb);
 503        deliver = ipv6_chk_mcast_addr(dev, &hdr->daddr, NULL);
 504        if (sdif)
 505                rcu_read_unlock();
 506
 507#ifdef CONFIG_IPV6_MROUTE
 508        /*
 509         *      IPv6 multicast router mode is now supported ;)
 510         */
 511        if (dev_net(skb->dev)->ipv6.devconf_all->mc_forwarding &&
 512            !(ipv6_addr_type(&hdr->daddr) &
 513              (IPV6_ADDR_LOOPBACK|IPV6_ADDR_LINKLOCAL)) &&
 514            likely(!(IP6CB(skb)->flags & IP6SKB_FORWARDED))) {
 515                /*
 516                 * Okay, we try to forward - split and duplicate
 517                 * packets.
 518                 */
 519                struct sk_buff *skb2;
 520                struct inet6_skb_parm *opt = IP6CB(skb);
 521
 522                /* Check for MLD */
 523                if (unlikely(opt->flags & IP6SKB_ROUTERALERT)) {
 524                        /* Check if this is a mld message */
 525                        u8 nexthdr = hdr->nexthdr;
 526                        __be16 frag_off;
 527                        int offset;
 528
 529                        /* Check if the value of Router Alert
 530                         * is for MLD (0x0000).
 531                         */
 532                        if (opt->ra == htons(IPV6_OPT_ROUTERALERT_MLD)) {
 533                                deliver = false;
 534
 535                                if (!ipv6_ext_hdr(nexthdr)) {
 536                                        /* BUG */
 537                                        goto out;
 538                                }
 539                                offset = ipv6_skip_exthdr(skb, sizeof(*hdr),
 540                                                          &nexthdr, &frag_off);
 541                                if (offset < 0)
 542                                        goto out;
 543
 544                                if (ipv6_is_mld(skb, nexthdr, offset))
 545                                        deliver = true;
 546
 547                                goto out;
 548                        }
 549                        /* unknown RA - process it normally */
 550                }
 551
 552                if (deliver)
 553                        skb2 = skb_clone(skb, GFP_ATOMIC);
 554                else {
 555                        skb2 = skb;
 556                        skb = NULL;
 557                }
 558
 559                if (skb2) {
 560                        ip6_mr_input(skb2);
 561                }
 562        }
 563out:
 564#endif
 565        if (likely(deliver))
 566                ip6_input(skb);
 567        else {
 568                /* discard */
 569                kfree_skb(skb);
 570        }
 571
 572        return 0;
 573}
 574