LXR linux/net/netfilter/xt

   1// SPDX-License-Identifier: GPL-2.0-only
   2/* Kernel module to match L2TP header parameters. */
   3
   4/* (C) 2013      James Chapman <jchapman@katalix.com>
   5 */
   6
   7#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
   8#include <linux/module.h>
   9#include <linux/skbuff.h>
  10#include <linux/if_ether.h>
  11#include <net/ip.h>
  12#include <linux/ipv6.h>
  13#include <net/ipv6.h>
  14#include <net/udp.h>
  15#include <linux/l2tp.h>
  16
  17#include <linux/netfilter_ipv4.h>
  18#include <linux/netfilter_ipv6.h>
  19#include <linux/netfilter_ipv4/ip_tables.h>
  20#include <linux/netfilter_ipv6/ip6_tables.h>
  21#include <linux/netfilter/x_tables.h>
  22#include <linux/netfilter/xt_tcpudp.h>
  23#include <linux/netfilter/xt_l2tp.h>
  24
  25/* L2TP header masks */
  26#define L2TP_HDR_T_BIT  0x8000
  27#define L2TP_HDR_L_BIT  0x4000
  28#define L2TP_HDR_VER    0x000f
  29
  30MODULE_LICENSE("GPL");
  31MODULE_AUTHOR("James Chapman <jchapman@katalix.com>");
  32MODULE_DESCRIPTION("Xtables: L2TP header match");
  33MODULE_ALIAS("ipt_l2tp");
  34MODULE_ALIAS("ip6t_l2tp");
  35
  36/* The L2TP fields that can be matched */
  37struct l2tp_data {
  38        u32 tid;
  39        u32 sid;
  40        u8 type;
  41        u8 version;
  42};
  43
  44union l2tp_val {
  45        __be16 val16[2];
  46        __be32 val32;
  47};
  48
  49static bool l2tp_match(const struct xt_l2tp_info *info, struct l2tp_data *data)
  50{
  51        if ((info->flags & XT_L2TP_TYPE) && (info->type != data->type))
  52                return false;
  53
  54        if ((info->flags & XT_L2TP_VERSION) && (info->version != data->version))
  55                return false;
  56
  57        /* Check tid only for L2TPv3 control or any L2TPv2 packets */
  58        if ((info->flags & XT_L2TP_TID) &&
  59            ((data->type == XT_L2TP_TYPE_CONTROL) || (data->version == 2)) &&
  60            (info->tid != data->tid))
  61                return false;
  62
  63        /* Check sid only for L2TP data packets */
  64        if ((info->flags & XT_L2TP_SID) && (data->type == XT_L2TP_TYPE_DATA) &&
  65            (info->sid != data->sid))
  66                return false;
  67
  68        return true;
  69}
  70
  71/* Parse L2TP header fields when UDP encapsulation is used. Handles
  72 * L2TPv2 and L2TPv3. Note the L2TPv3 control and data packets have a
  73 * different format. See
  74 * RFC2661, Section 3.1, L2TPv2 Header Format
  75 * RFC3931, Section 3.2.1, L2TPv3 Control Message Header
  76 * RFC3931, Section 3.2.2, L2TPv3 Data Message Header
  77 * RFC3931, Section 4.1.2.1, L2TPv3 Session Header over UDP
  78 */
  79static bool l2tp_udp_mt(const struct sk_buff *skb, struct xt_action_param *par, u16 thoff)
  80{
  81        const struct xt_l2tp_info *info = par->matchinfo;
  82        int uhlen = sizeof(struct udphdr);
  83        int offs = thoff + uhlen;
  84        union l2tp_val *lh;
  85        union l2tp_val lhbuf;
  86        u16 flags;
  87        struct l2tp_data data = { 0, };
  88
  89        if (par->fragoff != 0)
  90                return false;
  91
  92        /* Extract L2TP header fields. The flags in the first 16 bits
  93         * tell us where the other fields are.
  94         */
  95        lh = skb_header_pointer(skb, offs, 2, &lhbuf);
  96        if (lh == NULL)
  97                return false;
  98
  99        flags = ntohs(lh->val16[0]);
 100        if (flags & L2TP_HDR_T_BIT)
 101                data.type = XT_L2TP_TYPE_CONTROL;
 102        else
 103                data.type = XT_L2TP_TYPE_DATA;
 104        data.version = (u8) flags & L2TP_HDR_VER;
 105
 106        /* Now extract the L2TP tid/sid. These are in different places
 107         * for L2TPv2 (rfc2661) and L2TPv3 (rfc3931). For L2TPv2, we
 108         * must also check to see if the length field is present,
 109         * since this affects the offsets into the packet of the
 110         * tid/sid fields.
 111         */
 112        if (data.version == 3) {
 113                lh = skb_header_pointer(skb, offs + 4, 4, &lhbuf);
 114                if (lh == NULL)
 115                        return false;
 116                if (data.type == XT_L2TP_TYPE_CONTROL)
 117                        data.tid = ntohl(lh->val32);
 118                else
 119                        data.sid = ntohl(lh->val32);
 120        } else if (data.version == 2) {
 121                if (flags & L2TP_HDR_L_BIT)
 122                        offs += 2;
 123                lh = skb_header_pointer(skb, offs + 2, 4, &lhbuf);
 124                if (lh == NULL)
 125                        return false;
 126                data.tid = (u32) ntohs(lh->val16[0]);
 127                data.sid = (u32) ntohs(lh->val16[1]);
 128        } else
 129                return false;
 130
 131        return l2tp_match(info, &data);
 132}
 133
 134/* Parse L2TP header fields for IP encapsulation (no UDP header).
 135 * L2TPv3 data packets have a different form with IP encap. See
 136 * RC3931, Section 4.1.1.1, L2TPv3 Session Header over IP.
 137 * RC3931, Section 4.1.1.2, L2TPv3 Control and Data Traffic over IP.
 138 */
 139static bool l2tp_ip_mt(const struct sk_buff *skb, struct xt_action_param *par, u16 thoff)
 140{
 141        const struct xt_l2tp_info *info = par->matchinfo;
 142        union l2tp_val *lh;
 143        union l2tp_val lhbuf;
 144        struct l2tp_data data = { 0, };
 145
 146        /* For IP encap, the L2TP sid is the first 32-bits. */
 147        lh = skb_header_pointer(skb, thoff, sizeof(lhbuf), &lhbuf);
 148        if (lh == NULL)
 149                return false;
 150        if (lh->val32 == 0) {
 151                /* Must be a control packet. The L2TP tid is further
 152                 * into the packet.
 153                 */
 154                data.type = XT_L2TP_TYPE_CONTROL;
 155                lh = skb_header_pointer(skb, thoff + 8, sizeof(lhbuf),
 156                                        &lhbuf);
 157                if (lh == NULL)
 158                        return false;
 159                data.tid = ntohl(lh->val32);
 160        } else {
 161                data.sid = ntohl(lh->val32);
 162                data.type = XT_L2TP_TYPE_DATA;
 163        }
 164
 165        data.version = 3;
 166
 167        return l2tp_match(info, &data);
 168}
 169
 170static bool l2tp_mt4(const struct sk_buff *skb, struct xt_action_param *par)
 171{
 172        struct iphdr *iph = ip_hdr(skb);
 173        u8 ipproto = iph->protocol;
 174
 175        /* l2tp_mt_check4 already restricts the transport protocol */
 176        switch (ipproto) {
 177        case IPPROTO_UDP:
 178                return l2tp_udp_mt(skb, par, par->thoff);
 179        case IPPROTO_L2TP:
 180                return l2tp_ip_mt(skb, par, par->thoff);
 181        }
 182
 183        return false;
 184}
 185
 186#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
 187static bool l2tp_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 188{
 189        unsigned int thoff = 0;
 190        unsigned short fragoff = 0;
 191        int ipproto;
 192
 193        ipproto = ipv6_find_hdr(skb, &thoff, -1, &fragoff, NULL);
 194        if (fragoff != 0)
 195                return false;
 196
 197        /* l2tp_mt_check6 already restricts the transport protocol */
 198        switch (ipproto) {
 199        case IPPROTO_UDP:
 200                return l2tp_udp_mt(skb, par, thoff);
 201        case IPPROTO_L2TP:
 202                return l2tp_ip_mt(skb, par, thoff);
 203        }
 204
 205        return false;
 206}
 207#endif
 208
 209static int l2tp_mt_check(const struct xt_mtchk_param *par)
 210{
 211        const struct xt_l2tp_info *info = par->matchinfo;
 212
 213        /* Check for invalid flags */
 214        if (info->flags & ~(XT_L2TP_TID | XT_L2TP_SID | XT_L2TP_VERSION |
 215                            XT_L2TP_TYPE)) {
 216                pr_info_ratelimited("unknown flags: %x\n", info->flags);
 217                return -EINVAL;
 218        }
 219
 220        /* At least one of tid, sid or type=control must be specified */
 221        if ((!(info->flags & XT_L2TP_TID)) &&
 222            (!(info->flags & XT_L2TP_SID)) &&
 223            ((!(info->flags & XT_L2TP_TYPE)) ||
 224             (info->type != XT_L2TP_TYPE_CONTROL))) {
 225                pr_info_ratelimited("invalid flags combination: %x\n",
 226                                    info->flags);
 227                return -EINVAL;
 228        }
 229
 230        /* If version 2 is specified, check that incompatible params
 231         * are not supplied
 232         */
 233        if (info->flags & XT_L2TP_VERSION) {
 234                if ((info->version < 2) || (info->version > 3)) {
 235                        pr_info_ratelimited("wrong L2TP version: %u\n",
 236                                            info->version);
 237                        return -EINVAL;
 238                }
 239
 240                if (info->version == 2) {
 241                        if ((info->flags & XT_L2TP_TID) &&
 242                            (info->tid > 0xffff)) {
 243                                pr_info_ratelimited("v2 tid > 0xffff: %u\n",
 244                                                    info->tid);
 245                                return -EINVAL;
 246                        }
 247                        if ((info->flags & XT_L2TP_SID) &&
 248                            (info->sid > 0xffff)) {
 249                                pr_info_ratelimited("v2 sid > 0xffff: %u\n",
 250                                                    info->sid);
 251                                return -EINVAL;
 252                        }
 253                }
 254        }
 255
 256        return 0;
 257}
 258
 259static int l2tp_mt_check4(const struct xt_mtchk_param *par)
 260{
 261        const struct xt_l2tp_info *info = par->matchinfo;
 262        const struct ipt_entry *e = par->entryinfo;
 263        const struct ipt_ip *ip = &e->ip;
 264        int ret;
 265
 266        ret = l2tp_mt_check(par);
 267        if (ret != 0)
 268                return ret;
 269
 270        if ((ip->proto != IPPROTO_UDP) &&
 271            (ip->proto != IPPROTO_L2TP)) {
 272                pr_info_ratelimited("missing protocol rule (udp|l2tpip)\n");
 273                return -EINVAL;
 274        }
 275
 276        if ((ip->proto == IPPROTO_L2TP) &&
 277            (info->version == 2)) {
 278                pr_info_ratelimited("v2 doesn't support IP mode\n");
 279                return -EINVAL;
 280        }
 281
 282        return 0;
 283}
 284
 285#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
 286static int l2tp_mt_check6(const struct xt_mtchk_param *par)
 287{
 288        const struct xt_l2tp_info *info = par->matchinfo;
 289        const struct ip6t_entry *e = par->entryinfo;
 290        const struct ip6t_ip6 *ip = &e->ipv6;
 291        int ret;
 292
 293        ret = l2tp_mt_check(par);
 294        if (ret != 0)
 295                return ret;
 296
 297        if ((ip->proto != IPPROTO_UDP) &&
 298            (ip->proto != IPPROTO_L2TP)) {
 299                pr_info_ratelimited("missing protocol rule (udp|l2tpip)\n");
 300                return -EINVAL;
 301        }
 302
 303        if ((ip->proto == IPPROTO_L2TP) &&
 304            (info->version == 2)) {
 305                pr_info_ratelimited("v2 doesn't support IP mode\n");
 306                return -EINVAL;
 307        }
 308
 309        return 0;
 310}
 311#endif
 312
 313static struct xt_match l2tp_mt_reg[] __read_mostly = {
 314        {
 315                .name      = "l2tp",
 316                .revision  = 0,
 317                .family    = NFPROTO_IPV4,
 318                .match     = l2tp_mt4,
 319                .matchsize = XT_ALIGN(sizeof(struct xt_l2tp_info)),
 320                .checkentry = l2tp_mt_check4,
 321                .hooks     = ((1 << NF_INET_PRE_ROUTING) |
 322                              (1 << NF_INET_LOCAL_IN) |
 323                              (1 << NF_INET_LOCAL_OUT) |
 324                              (1 << NF_INET_FORWARD)),
 325                .me        = THIS_MODULE,
 326        },
 327#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
 328        {
 329                .name      = "l2tp",
 330                .revision  = 0,
 331                .family    = NFPROTO_IPV6,
 332                .match     = l2tp_mt6,
 333                .matchsize = XT_ALIGN(sizeof(struct xt_l2tp_info)),
 334                .checkentry = l2tp_mt_check6,
 335                .hooks     = ((1 << NF_INET_PRE_ROUTING) |
 336                              (1 << NF_INET_LOCAL_IN) |
 337                              (1 << NF_INET_LOCAL_OUT) |
 338                              (1 << NF_INET_FORWARD)),
 339                .me        = THIS_MODULE,
 340        },
 341#endif
 342};
 343
 344static int __init l2tp_mt_init(void)
 345{
 346        return xt_register_matches(&l2tp_mt_reg[0], ARRAY_SIZE(l2tp_mt_reg));
 347}
 348
 349static void __exit l2tp_mt_exit(void)
 350{
 351        xt_unregister_matches(&l2tp_mt_reg[0], ARRAY_SIZE(l2tp_mt_reg));
 352}
 353
 354module_init(l2tp_mt_init);
 355module_exit(l2tp_mt_exit);
 356