linux/net/netfilter/xt_l2tp.c
<<
>>
Prefs
   1/* Kernel module to match L2TP header parameters. */
   2
   3/* (C) 2013      James Chapman <jchapman@katalix.com>
   4 *
   5 * This program is free software; you can redistribute it and/or modify
   6 * it under the terms of the GNU General Public License version 2 as
   7 * published by the Free Software Foundation.
   8 */
   9
  10#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  11#include <linux/module.h>
  12#include <linux/skbuff.h>
  13#include <linux/if_ether.h>
  14#include <net/ip.h>
  15#include <linux/ipv6.h>
  16#include <net/ipv6.h>
  17#include <net/udp.h>
  18#include <linux/l2tp.h>
  19
  20#include <linux/netfilter_ipv4.h>
  21#include <linux/netfilter_ipv6.h>
  22#include <linux/netfilter_ipv4/ip_tables.h>
  23#include <linux/netfilter_ipv6/ip6_tables.h>
  24#include <linux/netfilter/x_tables.h>
  25#include <linux/netfilter/xt_tcpudp.h>
  26#include <linux/netfilter/xt_l2tp.h>
  27
  28/* L2TP header masks */
  29#define L2TP_HDR_T_BIT  0x8000
  30#define L2TP_HDR_L_BIT  0x4000
  31#define L2TP_HDR_VER    0x000f
  32
  33MODULE_LICENSE("GPL");
  34MODULE_AUTHOR("James Chapman <jchapman@katalix.com>");
  35MODULE_DESCRIPTION("Xtables: L2TP header match");
  36MODULE_ALIAS("ipt_l2tp");
  37MODULE_ALIAS("ip6t_l2tp");
  38
  39/* The L2TP fields that can be matched */
  40struct l2tp_data {
  41        u32 tid;
  42        u32 sid;
  43        u8 type;
  44        u8 version;
  45};
  46
  47union l2tp_val {
  48        __be16 val16[2];
  49        __be32 val32;
  50};
  51
  52static bool l2tp_match(const struct xt_l2tp_info *info, struct l2tp_data *data)
  53{
  54        if ((info->flags & XT_L2TP_TYPE) && (info->type != data->type))
  55                return false;
  56
  57        if ((info->flags & XT_L2TP_VERSION) && (info->version != data->version))
  58                return false;
  59
  60        /* Check tid only for L2TPv3 control or any L2TPv2 packets */
  61        if ((info->flags & XT_L2TP_TID) &&
  62            ((data->type == XT_L2TP_TYPE_CONTROL) || (data->version == 2)) &&
  63            (info->tid != data->tid))
  64                return false;
  65
  66        /* Check sid only for L2TP data packets */
  67        if ((info->flags & XT_L2TP_SID) && (data->type == XT_L2TP_TYPE_DATA) &&
  68            (info->sid != data->sid))
  69                return false;
  70
  71        return true;
  72}
  73
  74/* Parse L2TP header fields when UDP encapsulation is used. Handles
  75 * L2TPv2 and L2TPv3. Note the L2TPv3 control and data packets have a
  76 * different format. See
  77 * RFC2661, Section 3.1, L2TPv2 Header Format
  78 * RFC3931, Section 3.2.1, L2TPv3 Control Message Header
  79 * RFC3931, Section 3.2.2, L2TPv3 Data Message Header
  80 * RFC3931, Section 4.1.2.1, L2TPv3 Session Header over UDP
  81 */
  82static bool l2tp_udp_mt(const struct sk_buff *skb, struct xt_action_param *par, u16 thoff)
  83{
  84        const struct xt_l2tp_info *info = par->matchinfo;
  85        int uhlen = sizeof(struct udphdr);
  86        int offs = thoff + uhlen;
  87        union l2tp_val *lh;
  88        union l2tp_val lhbuf;
  89        u16 flags;
  90        struct l2tp_data data = { 0, };
  91
  92        if (par->fragoff != 0)
  93                return false;
  94
  95        /* Extract L2TP header fields. The flags in the first 16 bits
  96         * tell us where the other fields are.
  97         */
  98        lh = skb_header_pointer(skb, offs, 2, &lhbuf);
  99        if (lh == NULL)
 100                return false;
 101
 102        flags = ntohs(lh->val16[0]);
 103        if (flags & L2TP_HDR_T_BIT)
 104                data.type = XT_L2TP_TYPE_CONTROL;
 105        else
 106                data.type = XT_L2TP_TYPE_DATA;
 107        data.version = (u8) flags & L2TP_HDR_VER;
 108
 109        /* Now extract the L2TP tid/sid. These are in different places
 110         * for L2TPv2 (rfc2661) and L2TPv3 (rfc3931). For L2TPv2, we
 111         * must also check to see if the length field is present,
 112         * since this affects the offsets into the packet of the
 113         * tid/sid fields.
 114         */
 115        if (data.version == 3) {
 116                lh = skb_header_pointer(skb, offs + 4, 4, &lhbuf);
 117                if (lh == NULL)
 118                        return false;
 119                if (data.type == XT_L2TP_TYPE_CONTROL)
 120                        data.tid = ntohl(lh->val32);
 121                else
 122                        data.sid = ntohl(lh->val32);
 123        } else if (data.version == 2) {
 124                if (flags & L2TP_HDR_L_BIT)
 125                        offs += 2;
 126                lh = skb_header_pointer(skb, offs + 2, 4, &lhbuf);
 127                if (lh == NULL)
 128                        return false;
 129                data.tid = (u32) ntohs(lh->val16[0]);
 130                data.sid = (u32) ntohs(lh->val16[1]);
 131        } else
 132                return false;
 133
 134        return l2tp_match(info, &data);
 135}
 136
 137/* Parse L2TP header fields for IP encapsulation (no UDP header).
 138 * L2TPv3 data packets have a different form with IP encap. See
 139 * RC3931, Section 4.1.1.1, L2TPv3 Session Header over IP.
 140 * RC3931, Section 4.1.1.2, L2TPv3 Control and Data Traffic over IP.
 141 */
 142static bool l2tp_ip_mt(const struct sk_buff *skb, struct xt_action_param *par, u16 thoff)
 143{
 144        const struct xt_l2tp_info *info = par->matchinfo;
 145        union l2tp_val *lh;
 146        union l2tp_val lhbuf;
 147        struct l2tp_data data = { 0, };
 148
 149        /* For IP encap, the L2TP sid is the first 32-bits. */
 150        lh = skb_header_pointer(skb, thoff, sizeof(lhbuf), &lhbuf);
 151        if (lh == NULL)
 152                return false;
 153        if (lh->val32 == 0) {
 154                /* Must be a control packet. The L2TP tid is further
 155                 * into the packet.
 156                 */
 157                data.type = XT_L2TP_TYPE_CONTROL;
 158                lh = skb_header_pointer(skb, thoff + 8, sizeof(lhbuf),
 159                                        &lhbuf);
 160                if (lh == NULL)
 161                        return false;
 162                data.tid = ntohl(lh->val32);
 163        } else {
 164                data.sid = ntohl(lh->val32);
 165                data.type = XT_L2TP_TYPE_DATA;
 166        }
 167
 168        data.version = 3;
 169
 170        return l2tp_match(info, &data);
 171}
 172
 173static bool l2tp_mt4(const struct sk_buff *skb, struct xt_action_param *par)
 174{
 175        struct iphdr *iph = ip_hdr(skb);
 176        u8 ipproto = iph->protocol;
 177
 178        /* l2tp_mt_check4 already restricts the transport protocol */
 179        switch (ipproto) {
 180        case IPPROTO_UDP:
 181                return l2tp_udp_mt(skb, par, par->thoff);
 182        case IPPROTO_L2TP:
 183                return l2tp_ip_mt(skb, par, par->thoff);
 184        }
 185
 186        return false;
 187}
 188
 189#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
 190static bool l2tp_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 191{
 192        unsigned int thoff = 0;
 193        unsigned short fragoff = 0;
 194        int ipproto;
 195
 196        ipproto = ipv6_find_hdr(skb, &thoff, -1, &fragoff, NULL);
 197        if (fragoff != 0)
 198                return false;
 199
 200        /* l2tp_mt_check6 already restricts the transport protocol */
 201        switch (ipproto) {
 202        case IPPROTO_UDP:
 203                return l2tp_udp_mt(skb, par, thoff);
 204        case IPPROTO_L2TP:
 205                return l2tp_ip_mt(skb, par, thoff);
 206        }
 207
 208        return false;
 209}
 210#endif
 211
 212static int l2tp_mt_check(const struct xt_mtchk_param *par)
 213{
 214        const struct xt_l2tp_info *info = par->matchinfo;
 215
 216        /* Check for invalid flags */
 217        if (info->flags & ~(XT_L2TP_TID | XT_L2TP_SID | XT_L2TP_VERSION |
 218                            XT_L2TP_TYPE)) {
 219                pr_info_ratelimited("unknown flags: %x\n", info->flags);
 220                return -EINVAL;
 221        }
 222
 223        /* At least one of tid, sid or type=control must be specified */
 224        if ((!(info->flags & XT_L2TP_TID)) &&
 225            (!(info->flags & XT_L2TP_SID)) &&
 226            ((!(info->flags & XT_L2TP_TYPE)) ||
 227             (info->type != XT_L2TP_TYPE_CONTROL))) {
 228                pr_info_ratelimited("invalid flags combination: %x\n",
 229                                    info->flags);
 230                return -EINVAL;
 231        }
 232
 233        /* If version 2 is specified, check that incompatible params
 234         * are not supplied
 235         */
 236        if (info->flags & XT_L2TP_VERSION) {
 237                if ((info->version < 2) || (info->version > 3)) {
 238                        pr_info_ratelimited("wrong L2TP version: %u\n",
 239                                            info->version);
 240                        return -EINVAL;
 241                }
 242
 243                if (info->version == 2) {
 244                        if ((info->flags & XT_L2TP_TID) &&
 245                            (info->tid > 0xffff)) {
 246                                pr_info_ratelimited("v2 tid > 0xffff: %u\n",
 247                                                    info->tid);
 248                                return -EINVAL;
 249                        }
 250                        if ((info->flags & XT_L2TP_SID) &&
 251                            (info->sid > 0xffff)) {
 252                                pr_info_ratelimited("v2 sid > 0xffff: %u\n",
 253                                                    info->sid);
 254                                return -EINVAL;
 255                        }
 256                }
 257        }
 258
 259        return 0;
 260}
 261
 262static int l2tp_mt_check4(const struct xt_mtchk_param *par)
 263{
 264        const struct xt_l2tp_info *info = par->matchinfo;
 265        const struct ipt_entry *e = par->entryinfo;
 266        const struct ipt_ip *ip = &e->ip;
 267        int ret;
 268
 269        ret = l2tp_mt_check(par);
 270        if (ret != 0)
 271                return ret;
 272
 273        if ((ip->proto != IPPROTO_UDP) &&
 274            (ip->proto != IPPROTO_L2TP)) {
 275                pr_info_ratelimited("missing protocol rule (udp|l2tpip)\n");
 276                return -EINVAL;
 277        }
 278
 279        if ((ip->proto == IPPROTO_L2TP) &&
 280            (info->version == 2)) {
 281                pr_info_ratelimited("v2 doesn't support IP mode\n");
 282                return -EINVAL;
 283        }
 284
 285        return 0;
 286}
 287
 288#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
 289static int l2tp_mt_check6(const struct xt_mtchk_param *par)
 290{
 291        const struct xt_l2tp_info *info = par->matchinfo;
 292        const struct ip6t_entry *e = par->entryinfo;
 293        const struct ip6t_ip6 *ip = &e->ipv6;
 294        int ret;
 295
 296        ret = l2tp_mt_check(par);
 297        if (ret != 0)
 298                return ret;
 299
 300        if ((ip->proto != IPPROTO_UDP) &&
 301            (ip->proto != IPPROTO_L2TP)) {
 302                pr_info_ratelimited("missing protocol rule (udp|l2tpip)\n");
 303                return -EINVAL;
 304        }
 305
 306        if ((ip->proto == IPPROTO_L2TP) &&
 307            (info->version == 2)) {
 308                pr_info_ratelimited("v2 doesn't support IP mode\n");
 309                return -EINVAL;
 310        }
 311
 312        return 0;
 313}
 314#endif
 315
 316static struct xt_match l2tp_mt_reg[] __read_mostly = {
 317        {
 318                .name      = "l2tp",
 319                .revision  = 0,
 320                .family    = NFPROTO_IPV4,
 321                .match     = l2tp_mt4,
 322                .matchsize = XT_ALIGN(sizeof(struct xt_l2tp_info)),
 323                .checkentry = l2tp_mt_check4,
 324                .hooks     = ((1 << NF_INET_PRE_ROUTING) |
 325                              (1 << NF_INET_LOCAL_IN) |
 326                              (1 << NF_INET_LOCAL_OUT) |
 327                              (1 << NF_INET_FORWARD)),
 328                .me        = THIS_MODULE,
 329        },
 330#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
 331        {
 332                .name      = "l2tp",
 333                .revision  = 0,
 334                .family    = NFPROTO_IPV6,
 335                .match     = l2tp_mt6,
 336                .matchsize = XT_ALIGN(sizeof(struct xt_l2tp_info)),
 337                .checkentry = l2tp_mt_check6,
 338                .hooks     = ((1 << NF_INET_PRE_ROUTING) |
 339                              (1 << NF_INET_LOCAL_IN) |
 340                              (1 << NF_INET_LOCAL_OUT) |
 341                              (1 << NF_INET_FORWARD)),
 342                .me        = THIS_MODULE,
 343        },
 344#endif
 345};
 346
 347static int __init l2tp_mt_init(void)
 348{
 349        return xt_register_matches(&l2tp_mt_reg[0], ARRAY_SIZE(l2tp_mt_reg));
 350}
 351
 352static void __exit l2tp_mt_exit(void)
 353{
 354        xt_unregister_matches(&l2tp_mt_reg[0], ARRAY_SIZE(l2tp_mt_reg));
 355}
 356
 357module_init(l2tp_mt_init);
 358module_exit(l2tp_mt_exit);
 359