ip6_input.c (14959B)
1// SPDX-License-Identifier: GPL-2.0-or-later 2/* 3 * IPv6 input 4 * Linux INET6 implementation 5 * 6 * Authors: 7 * Pedro Roque <roque@di.fc.ul.pt> 8 * Ian P. Morris <I.P.Morris@soton.ac.uk> 9 * 10 * Based in linux/net/ipv4/ip_input.c 11 */ 12/* Changes 13 * 14 * Mitsuru KANDA @USAGI and 15 * YOSHIFUJI Hideaki @USAGI: Remove ipv6_parse_exthdrs(). 16 */ 17 18#include <linux/errno.h> 19#include <linux/types.h> 20#include <linux/socket.h> 21#include <linux/sockios.h> 22#include <linux/net.h> 23#include <linux/netdevice.h> 24#include <linux/in6.h> 25#include <linux/icmpv6.h> 26#include <linux/mroute6.h> 27#include <linux/slab.h> 28#include <linux/indirect_call_wrapper.h> 29 30#include <linux/netfilter.h> 31#include <linux/netfilter_ipv6.h> 32 33#include <net/sock.h> 34#include <net/snmp.h> 35#include <net/udp.h> 36 37#include <net/ipv6.h> 38#include <net/protocol.h> 39#include <net/transp_v6.h> 40#include <net/rawv6.h> 41#include <net/ndisc.h> 42#include <net/ip6_route.h> 43#include <net/addrconf.h> 44#include <net/xfrm.h> 45#include <net/inet_ecn.h> 46#include <net/dst_metadata.h> 47 48INDIRECT_CALLABLE_DECLARE(void tcp_v6_early_demux(struct sk_buff *)); 49static void ip6_rcv_finish_core(struct net *net, struct sock *sk, 50 struct sk_buff *skb) 51{ 52 void (*edemux)(struct sk_buff *skb); 53 54 if (net->ipv4.sysctl_ip_early_demux && !skb_dst(skb) && skb->sk == NULL) { 55 const struct inet6_protocol *ipprot; 56 57 ipprot = rcu_dereference(inet6_protos[ipv6_hdr(skb)->nexthdr]); 58 if (ipprot && (edemux = READ_ONCE(ipprot->early_demux))) 59 INDIRECT_CALL_2(edemux, tcp_v6_early_demux, 60 udp_v6_early_demux, skb); 61 } 62 if (!skb_valid_dst(skb)) 63 ip6_route_input(skb); 64} 65 66int ip6_rcv_finish(struct net *net, struct sock *sk, struct sk_buff *skb) 67{ 68 /* if ingress device is enslaved to an L3 master device pass the 69 * skb to its handler for processing 70 */ 71 skb = l3mdev_ip6_rcv(skb); 72 if (!skb) 73 return NET_RX_SUCCESS; 74 ip6_rcv_finish_core(net, sk, skb); 75 76 return dst_input(skb); 77} 78 79static void ip6_sublist_rcv_finish(struct list_head *head) 80{ 81 struct sk_buff *skb, *next; 82 83 list_for_each_entry_safe(skb, next, head, list) { 84 skb_list_del_init(skb); 85 dst_input(skb); 86 } 87} 88 89static bool ip6_can_use_hint(const struct sk_buff *skb, 90 const struct sk_buff *hint) 91{ 92 return hint && !skb_dst(skb) && 93 ipv6_addr_equal(&ipv6_hdr(hint)->daddr, &ipv6_hdr(skb)->daddr); 94} 95 96static struct sk_buff *ip6_extract_route_hint(const struct net *net, 97 struct sk_buff *skb) 98{ 99 if (fib6_routes_require_src(net) || fib6_has_custom_rules(net)) 100 return NULL; 101 102 return skb; 103} 104 105static void ip6_list_rcv_finish(struct net *net, struct sock *sk, 106 struct list_head *head) 107{ 108 struct sk_buff *skb, *next, *hint = NULL; 109 struct dst_entry *curr_dst = NULL; 110 struct list_head sublist; 111 112 INIT_LIST_HEAD(&sublist); 113 list_for_each_entry_safe(skb, next, head, list) { 114 struct dst_entry *dst; 115 116 skb_list_del_init(skb); 117 /* if ingress device is enslaved to an L3 master device pass the 118 * skb to its handler for processing 119 */ 120 skb = l3mdev_ip6_rcv(skb); 121 if (!skb) 122 continue; 123 124 if (ip6_can_use_hint(skb, hint)) 125 skb_dst_copy(skb, hint); 126 else 127 ip6_rcv_finish_core(net, sk, skb); 128 dst = skb_dst(skb); 129 if (curr_dst != dst) { 130 hint = ip6_extract_route_hint(net, skb); 131 132 /* dispatch old sublist */ 133 if (!list_empty(&sublist)) 134 ip6_sublist_rcv_finish(&sublist); 135 /* start new sublist */ 136 INIT_LIST_HEAD(&sublist); 137 curr_dst = dst; 138 } 139 list_add_tail(&skb->list, &sublist); 140 } 141 /* dispatch final sublist */ 142 ip6_sublist_rcv_finish(&sublist); 143} 144 145static struct sk_buff *ip6_rcv_core(struct sk_buff *skb, struct net_device *dev, 146 struct net *net) 147{ 148 enum skb_drop_reason reason; 149 const struct ipv6hdr *hdr; 150 u32 pkt_len; 151 struct inet6_dev *idev; 152 153 if (skb->pkt_type == PACKET_OTHERHOST) { 154 dev_core_stats_rx_otherhost_dropped_inc(skb->dev); 155 kfree_skb_reason(skb, SKB_DROP_REASON_OTHERHOST); 156 return NULL; 157 } 158 159 rcu_read_lock(); 160 161 idev = __in6_dev_get(skb->dev); 162 163 __IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_IN, skb->len); 164 165 SKB_DR_SET(reason, NOT_SPECIFIED); 166 if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL || 167 !idev || unlikely(idev->cnf.disable_ipv6)) { 168 __IP6_INC_STATS(net, idev, IPSTATS_MIB_INDISCARDS); 169 if (idev && unlikely(idev->cnf.disable_ipv6)) 170 SKB_DR_SET(reason, IPV6DISABLED); 171 goto drop; 172 } 173 174 memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm)); 175 176 /* 177 * Store incoming device index. When the packet will 178 * be queued, we cannot refer to skb->dev anymore. 179 * 180 * BTW, when we send a packet for our own local address on a 181 * non-loopback interface (e.g. ethX), it is being delivered 182 * via the loopback interface (lo) here; skb->dev = loopback_dev. 183 * It, however, should be considered as if it is being 184 * arrived via the sending interface (ethX), because of the 185 * nature of scoping architecture. --yoshfuji 186 */ 187 IP6CB(skb)->iif = skb_valid_dst(skb) ? ip6_dst_idev(skb_dst(skb))->dev->ifindex : dev->ifindex; 188 189 if (unlikely(!pskb_may_pull(skb, sizeof(*hdr)))) 190 goto err; 191 192 hdr = ipv6_hdr(skb); 193 194 if (hdr->version != 6) { 195 SKB_DR_SET(reason, UNHANDLED_PROTO); 196 goto err; 197 } 198 199 __IP6_ADD_STATS(net, idev, 200 IPSTATS_MIB_NOECTPKTS + 201 (ipv6_get_dsfield(hdr) & INET_ECN_MASK), 202 max_t(unsigned short, 1, skb_shinfo(skb)->gso_segs)); 203 /* 204 * RFC4291 2.5.3 205 * The loopback address must not be used as the source address in IPv6 206 * packets that are sent outside of a single node. [..] 207 * A packet received on an interface with a destination address 208 * of loopback must be dropped. 209 */ 210 if ((ipv6_addr_loopback(&hdr->saddr) || 211 ipv6_addr_loopback(&hdr->daddr)) && 212 !(dev->flags & IFF_LOOPBACK) && 213 !netif_is_l3_master(dev)) 214 goto err; 215 216 /* RFC4291 Errata ID: 3480 217 * Interface-Local scope spans only a single interface on a 218 * node and is useful only for loopback transmission of 219 * multicast. Packets with interface-local scope received 220 * from another node must be discarded. 221 */ 222 if (!(skb->pkt_type == PACKET_LOOPBACK || 223 dev->flags & IFF_LOOPBACK) && 224 ipv6_addr_is_multicast(&hdr->daddr) && 225 IPV6_ADDR_MC_SCOPE(&hdr->daddr) == 1) 226 goto err; 227 228 /* If enabled, drop unicast packets that were encapsulated in link-layer 229 * multicast or broadcast to protected against the so-called "hole-196" 230 * attack in 802.11 wireless. 231 */ 232 if (!ipv6_addr_is_multicast(&hdr->daddr) && 233 (skb->pkt_type == PACKET_BROADCAST || 234 skb->pkt_type == PACKET_MULTICAST) && 235 idev->cnf.drop_unicast_in_l2_multicast) { 236 SKB_DR_SET(reason, UNICAST_IN_L2_MULTICAST); 237 goto err; 238 } 239 240 /* RFC4291 2.7 241 * Nodes must not originate a packet to a multicast address whose scope 242 * field contains the reserved value 0; if such a packet is received, it 243 * must be silently dropped. 244 */ 245 if (ipv6_addr_is_multicast(&hdr->daddr) && 246 IPV6_ADDR_MC_SCOPE(&hdr->daddr) == 0) 247 goto err; 248 249 /* 250 * RFC4291 2.7 251 * Multicast addresses must not be used as source addresses in IPv6 252 * packets or appear in any Routing header. 253 */ 254 if (ipv6_addr_is_multicast(&hdr->saddr)) 255 goto err; 256 257 skb->transport_header = skb->network_header + sizeof(*hdr); 258 IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr); 259 260 pkt_len = ntohs(hdr->payload_len); 261 262 /* pkt_len may be zero if Jumbo payload option is present */ 263 if (pkt_len || hdr->nexthdr != NEXTHDR_HOP) { 264 if (pkt_len + sizeof(struct ipv6hdr) > skb->len) { 265 __IP6_INC_STATS(net, 266 idev, IPSTATS_MIB_INTRUNCATEDPKTS); 267 SKB_DR_SET(reason, PKT_TOO_SMALL); 268 goto drop; 269 } 270 if (pskb_trim_rcsum(skb, pkt_len + sizeof(struct ipv6hdr))) 271 goto err; 272 hdr = ipv6_hdr(skb); 273 } 274 275 if (hdr->nexthdr == NEXTHDR_HOP) { 276 if (ipv6_parse_hopopts(skb) < 0) { 277 __IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS); 278 rcu_read_unlock(); 279 return NULL; 280 } 281 } 282 283 rcu_read_unlock(); 284 285 /* Must drop socket now because of tproxy. */ 286 if (!skb_sk_is_prefetched(skb)) 287 skb_orphan(skb); 288 289 return skb; 290err: 291 __IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS); 292 SKB_DR_OR(reason, IP_INHDR); 293drop: 294 rcu_read_unlock(); 295 kfree_skb_reason(skb, reason); 296 return NULL; 297} 298 299int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, struct net_device *orig_dev) 300{ 301 struct net *net = dev_net(skb->dev); 302 303 skb = ip6_rcv_core(skb, dev, net); 304 if (skb == NULL) 305 return NET_RX_DROP; 306 return NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, 307 net, NULL, skb, dev, NULL, 308 ip6_rcv_finish); 309} 310 311static void ip6_sublist_rcv(struct list_head *head, struct net_device *dev, 312 struct net *net) 313{ 314 NF_HOOK_LIST(NFPROTO_IPV6, NF_INET_PRE_ROUTING, net, NULL, 315 head, dev, NULL, ip6_rcv_finish); 316 ip6_list_rcv_finish(net, NULL, head); 317} 318 319/* Receive a list of IPv6 packets */ 320void ipv6_list_rcv(struct list_head *head, struct packet_type *pt, 321 struct net_device *orig_dev) 322{ 323 struct net_device *curr_dev = NULL; 324 struct net *curr_net = NULL; 325 struct sk_buff *skb, *next; 326 struct list_head sublist; 327 328 INIT_LIST_HEAD(&sublist); 329 list_for_each_entry_safe(skb, next, head, list) { 330 struct net_device *dev = skb->dev; 331 struct net *net = dev_net(dev); 332 333 skb_list_del_init(skb); 334 skb = ip6_rcv_core(skb, dev, net); 335 if (skb == NULL) 336 continue; 337 338 if (curr_dev != dev || curr_net != net) { 339 /* dispatch old sublist */ 340 if (!list_empty(&sublist)) 341 ip6_sublist_rcv(&sublist, curr_dev, curr_net); 342 /* start new sublist */ 343 INIT_LIST_HEAD(&sublist); 344 curr_dev = dev; 345 curr_net = net; 346 } 347 list_add_tail(&skb->list, &sublist); 348 } 349 /* dispatch final sublist */ 350 if (!list_empty(&sublist)) 351 ip6_sublist_rcv(&sublist, curr_dev, curr_net); 352} 353 354INDIRECT_CALLABLE_DECLARE(int tcp_v6_rcv(struct sk_buff *)); 355 356/* 357 * Deliver the packet to the host 358 */ 359void ip6_protocol_deliver_rcu(struct net *net, struct sk_buff *skb, int nexthdr, 360 bool have_final) 361{ 362 const struct inet6_protocol *ipprot; 363 struct inet6_dev *idev; 364 unsigned int nhoff; 365 SKB_DR(reason); 366 bool raw; 367 368 /* 369 * Parse extension headers 370 */ 371 372resubmit: 373 idev = ip6_dst_idev(skb_dst(skb)); 374 nhoff = IP6CB(skb)->nhoff; 375 if (!have_final) { 376 if (!pskb_pull(skb, skb_transport_offset(skb))) 377 goto discard; 378 nexthdr = skb_network_header(skb)[nhoff]; 379 } 380 381resubmit_final: 382 raw = raw6_local_deliver(skb, nexthdr); 383 ipprot = rcu_dereference(inet6_protos[nexthdr]); 384 if (ipprot) { 385 int ret; 386 387 if (have_final) { 388 if (!(ipprot->flags & INET6_PROTO_FINAL)) { 389 /* Once we've seen a final protocol don't 390 * allow encapsulation on any non-final 391 * ones. This allows foo in UDP encapsulation 392 * to work. 393 */ 394 goto discard; 395 } 396 } else if (ipprot->flags & INET6_PROTO_FINAL) { 397 const struct ipv6hdr *hdr; 398 int sdif = inet6_sdif(skb); 399 struct net_device *dev; 400 401 /* Only do this once for first final protocol */ 402 have_final = true; 403 404 /* Free reference early: we don't need it any more, 405 and it may hold ip_conntrack module loaded 406 indefinitely. */ 407 nf_reset_ct(skb); 408 409 skb_postpull_rcsum(skb, skb_network_header(skb), 410 skb_network_header_len(skb)); 411 hdr = ipv6_hdr(skb); 412 413 /* skb->dev passed may be master dev for vrfs. */ 414 if (sdif) { 415 dev = dev_get_by_index_rcu(net, sdif); 416 if (!dev) 417 goto discard; 418 } else { 419 dev = skb->dev; 420 } 421 422 if (ipv6_addr_is_multicast(&hdr->daddr) && 423 !ipv6_chk_mcast_addr(dev, &hdr->daddr, 424 &hdr->saddr) && 425 !ipv6_is_mld(skb, nexthdr, skb_network_header_len(skb))) { 426 SKB_DR_SET(reason, IP_INADDRERRORS); 427 goto discard; 428 } 429 } 430 if (!(ipprot->flags & INET6_PROTO_NOPOLICY) && 431 !xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) { 432 SKB_DR_SET(reason, XFRM_POLICY); 433 goto discard; 434 } 435 436 ret = INDIRECT_CALL_2(ipprot->handler, tcp_v6_rcv, udpv6_rcv, 437 skb); 438 if (ret > 0) { 439 if (ipprot->flags & INET6_PROTO_FINAL) { 440 /* Not an extension header, most likely UDP 441 * encapsulation. Use return value as nexthdr 442 * protocol not nhoff (which presumably is 443 * not set by handler). 444 */ 445 nexthdr = ret; 446 goto resubmit_final; 447 } else { 448 goto resubmit; 449 } 450 } else if (ret == 0) { 451 __IP6_INC_STATS(net, idev, IPSTATS_MIB_INDELIVERS); 452 } 453 } else { 454 if (!raw) { 455 if (xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) { 456 __IP6_INC_STATS(net, idev, 457 IPSTATS_MIB_INUNKNOWNPROTOS); 458 icmpv6_send(skb, ICMPV6_PARAMPROB, 459 ICMPV6_UNK_NEXTHDR, nhoff); 460 SKB_DR_SET(reason, IP_NOPROTO); 461 } else { 462 SKB_DR_SET(reason, XFRM_POLICY); 463 } 464 kfree_skb_reason(skb, reason); 465 } else { 466 __IP6_INC_STATS(net, idev, IPSTATS_MIB_INDELIVERS); 467 consume_skb(skb); 468 } 469 } 470 return; 471 472discard: 473 __IP6_INC_STATS(net, idev, IPSTATS_MIB_INDISCARDS); 474 kfree_skb_reason(skb, reason); 475} 476 477static int ip6_input_finish(struct net *net, struct sock *sk, struct sk_buff *skb) 478{ 479 skb_clear_delivery_time(skb); 480 rcu_read_lock(); 481 ip6_protocol_deliver_rcu(net, skb, 0, false); 482 rcu_read_unlock(); 483 484 return 0; 485} 486 487 488int ip6_input(struct sk_buff *skb) 489{ 490 return NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_IN, 491 dev_net(skb->dev), NULL, skb, skb->dev, NULL, 492 ip6_input_finish); 493} 494EXPORT_SYMBOL_GPL(ip6_input); 495 496int ip6_mc_input(struct sk_buff *skb) 497{ 498 int sdif = inet6_sdif(skb); 499 const struct ipv6hdr *hdr; 500 struct net_device *dev; 501 bool deliver; 502 503 __IP6_UPD_PO_STATS(dev_net(skb_dst(skb)->dev), 504 __in6_dev_get_safely(skb->dev), IPSTATS_MIB_INMCAST, 505 skb->len); 506 507 /* skb->dev passed may be master dev for vrfs. */ 508 if (sdif) { 509 rcu_read_lock(); 510 dev = dev_get_by_index_rcu(dev_net(skb->dev), sdif); 511 if (!dev) { 512 rcu_read_unlock(); 513 kfree_skb(skb); 514 return -ENODEV; 515 } 516 } else { 517 dev = skb->dev; 518 } 519 520 hdr = ipv6_hdr(skb); 521 deliver = ipv6_chk_mcast_addr(dev, &hdr->daddr, NULL); 522 if (sdif) 523 rcu_read_unlock(); 524 525#ifdef CONFIG_IPV6_MROUTE 526 /* 527 * IPv6 multicast router mode is now supported ;) 528 */ 529 if (atomic_read(&dev_net(skb->dev)->ipv6.devconf_all->mc_forwarding) && 530 !(ipv6_addr_type(&hdr->daddr) & 531 (IPV6_ADDR_LOOPBACK|IPV6_ADDR_LINKLOCAL)) && 532 likely(!(IP6CB(skb)->flags & IP6SKB_FORWARDED))) { 533 /* 534 * Okay, we try to forward - split and duplicate 535 * packets. 536 */ 537 struct sk_buff *skb2; 538 struct inet6_skb_parm *opt = IP6CB(skb); 539 540 /* Check for MLD */ 541 if (unlikely(opt->flags & IP6SKB_ROUTERALERT)) { 542 /* Check if this is a mld message */ 543 u8 nexthdr = hdr->nexthdr; 544 __be16 frag_off; 545 int offset; 546 547 /* Check if the value of Router Alert 548 * is for MLD (0x0000). 549 */ 550 if (opt->ra == htons(IPV6_OPT_ROUTERALERT_MLD)) { 551 deliver = false; 552 553 if (!ipv6_ext_hdr(nexthdr)) { 554 /* BUG */ 555 goto out; 556 } 557 offset = ipv6_skip_exthdr(skb, sizeof(*hdr), 558 &nexthdr, &frag_off); 559 if (offset < 0) 560 goto out; 561 562 if (ipv6_is_mld(skb, nexthdr, offset)) 563 deliver = true; 564 565 goto out; 566 } 567 /* unknown RA - process it normally */ 568 } 569 570 if (deliver) 571 skb2 = skb_clone(skb, GFP_ATOMIC); 572 else { 573 skb2 = skb; 574 skb = NULL; 575 } 576 577 if (skb2) { 578 ip6_mr_input(skb2); 579 } 580 } 581out: 582#endif 583 if (likely(deliver)) 584 ip6_input(skb); 585 else { 586 /* discard */ 587 kfree_skb(skb); 588 } 589 590 return 0; 591}