1 // SPDX-License-Identifier: GPL-2.0-only 2 /* (C) 1999-2001 Paul `Rusty' Russell 3 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org> 4 */ 5 6 #include <linux/module.h> 7 #include <net/ip.h> 8 #include <net/tcp.h> 9 #include <net/route.h> 10 #include <net/dst.h> 11 #include <net/netfilter/ipv4/nf_reject.h> 12 #include <linux/netfilter_ipv4.h> 13 #include <linux/netfilter_bridge.h> 14 15 static int nf_reject_iphdr_validate(struct sk_buff *skb) 16 { 17 struct iphdr *iph; 18 u32 len; 19 20 if (!pskb_may_pull(skb, sizeof(struct iphdr))) 21 return 0; 22 23 iph = ip_hdr(skb); 24 if (iph->ihl < 5 || iph->version != 4) 25 return 0; 26 27 len = ntohs(iph->tot_len); 28 if (skb->len < len) 29 return 0; 30 else if (len < (iph->ihl*4)) 31 return 0; 32 33 if (!pskb_may_pull(skb, iph->ihl*4)) 34 return 0; 35 36 return 1; 37 } 38 39 struct sk_buff *nf_reject_skb_v4_tcp_reset(struct net *net, 40 struct sk_buff *oldskb, 41 const struct net_device *dev, 42 int hook) 43 { 44 const struct tcphdr *oth; 45 struct sk_buff *nskb; 46 struct iphdr *niph; 47 struct tcphdr _oth; 48 49 if (!nf_reject_iphdr_validate(oldskb)) 50 return NULL; 51 52 oth = nf_reject_ip_tcphdr_get(oldskb, &_oth, hook); 53 if (!oth) 54 return NULL; 55 56 nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct tcphdr) + 57 LL_MAX_HEADER, GFP_ATOMIC); 58 if (!nskb) 59 return NULL; 60 61 nskb->dev = (struct net_device *)dev; 62 63 skb_reserve(nskb, LL_MAX_HEADER); 64 niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_TCP, 65 READ_ONCE(net->ipv4.sysctl_ip_default_ttl)); 66 nf_reject_ip_tcphdr_put(nskb, oldskb, oth); 67 niph->tot_len = htons(nskb->len); 68 ip_send_check(niph); 69 70 return nskb; 71 } 72 EXPORT_SYMBOL_GPL(nf_reject_skb_v4_tcp_reset); 73 74 struct sk_buff *nf_reject_skb_v4_unreach(struct net *net, 75 struct sk_buff *oldskb, 76 const struct net_device *dev, 77 int hook, u8 code) 78 { 79 struct sk_buff *nskb; 80 struct iphdr *niph; 81 struct icmphdr *icmph; 82 unsigned int len; 83 int dataoff; 84 __wsum csum; 85 u8 proto; 86 87 if (!nf_reject_iphdr_validate(oldskb)) 88 return NULL; 89 90 /* IP header checks: fragment. */ 91 if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET)) 92 return NULL; 93 94 /* RFC says return as much as we can without exceeding 576 bytes. */ 95 len = min_t(unsigned int, 536, oldskb->len); 96 97 if (!pskb_may_pull(oldskb, len)) 98 return NULL; 99 100 if (pskb_trim_rcsum(oldskb, ntohs(ip_hdr(oldskb)->tot_len))) 101 return NULL; 102 103 dataoff = ip_hdrlen(oldskb); 104 proto = ip_hdr(oldskb)->protocol; 105 106 if (!skb_csum_unnecessary(oldskb) && 107 nf_reject_verify_csum(oldskb, dataoff, proto) && 108 nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), proto)) 109 return NULL; 110 111 nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct icmphdr) + 112 LL_MAX_HEADER + len, GFP_ATOMIC); 113 if (!nskb) 114 return NULL; 115 116 nskb->dev = (struct net_device *)dev; 117 118 skb_reserve(nskb, LL_MAX_HEADER); 119 niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_ICMP, 120 READ_ONCE(net->ipv4.sysctl_ip_default_ttl)); 121 122 skb_reset_transport_header(nskb); 123 icmph = skb_put_zero(nskb, sizeof(struct icmphdr)); 124 icmph->type = ICMP_DEST_UNREACH; 125 icmph->code = code; 126 127 skb_put_data(nskb, skb_network_header(oldskb), len); 128 129 csum = csum_partial((void *)icmph, len + sizeof(struct icmphdr), 0); 130 icmph->checksum = csum_fold(csum); 131 132 niph->tot_len = htons(nskb->len); 133 ip_send_check(niph); 134 135 return nskb; 136 } 137 EXPORT_SYMBOL_GPL(nf_reject_skb_v4_unreach); 138 139 const struct tcphdr *nf_reject_ip_tcphdr_get(struct sk_buff *oldskb, 140 struct tcphdr *_oth, int hook) 141 { 142 const struct tcphdr *oth; 143 144 /* IP header checks: fragment. */ 145 if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET)) 146 return NULL; 147 148 if (ip_hdr(oldskb)->protocol != IPPROTO_TCP) 149 return NULL; 150 151 oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb), 152 sizeof(struct tcphdr), _oth); 153 if (oth == NULL) 154 return NULL; 155 156 /* No RST for RST. */ 157 if (oth->rst) 158 return NULL; 159 160 /* Check checksum */ 161 if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP)) 162 return NULL; 163 164 return oth; 165 } 166 EXPORT_SYMBOL_GPL(nf_reject_ip_tcphdr_get); 167 168 struct iphdr *nf_reject_iphdr_put(struct sk_buff *nskb, 169 const struct sk_buff *oldskb, 170 __u8 protocol, int ttl) 171 { 172 struct iphdr *niph, *oiph = ip_hdr(oldskb); 173 174 skb_reset_network_header(nskb); 175 niph = skb_put(nskb, sizeof(struct iphdr)); 176 niph->version = 4; 177 niph->ihl = sizeof(struct iphdr) / 4; 178 niph->tos = 0; 179 niph->id = 0; 180 niph->frag_off = htons(IP_DF); 181 niph->protocol = protocol; 182 niph->check = 0; 183 niph->saddr = oiph->daddr; 184 niph->daddr = oiph->saddr; 185 niph->ttl = ttl; 186 187 nskb->protocol = htons(ETH_P_IP); 188 189 return niph; 190 } 191 EXPORT_SYMBOL_GPL(nf_reject_iphdr_put); 192 193 void nf_reject_ip_tcphdr_put(struct sk_buff *nskb, const struct sk_buff *oldskb, 194 const struct tcphdr *oth) 195 { 196 struct iphdr *niph = ip_hdr(nskb); 197 struct tcphdr *tcph; 198 199 skb_reset_transport_header(nskb); 200 tcph = skb_put_zero(nskb, sizeof(struct tcphdr)); 201 tcph->source = oth->dest; 202 tcph->dest = oth->source; 203 tcph->doff = sizeof(struct tcphdr) / 4; 204 205 if (oth->ack) { 206 tcph->seq = oth->ack_seq; 207 } else { 208 tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin + 209 oldskb->len - ip_hdrlen(oldskb) - 210 (oth->doff << 2)); 211 tcph->ack = 1; 212 } 213 214 tcph->rst = 1; 215 tcph->check = ~tcp_v4_check(sizeof(struct tcphdr), niph->saddr, 216 niph->daddr, 0); 217 nskb->ip_summed = CHECKSUM_PARTIAL; 218 nskb->csum_start = (unsigned char *)tcph - nskb->head; 219 nskb->csum_offset = offsetof(struct tcphdr, check); 220 } 221 EXPORT_SYMBOL_GPL(nf_reject_ip_tcphdr_put); 222 223 static int nf_reject_fill_skb_dst(struct sk_buff *skb_in) 224 { 225 struct dst_entry *dst = NULL; 226 struct flowi fl; 227 228 memset(&fl, 0, sizeof(struct flowi)); 229 fl.u.ip4.daddr = ip_hdr(skb_in)->saddr; 230 nf_ip_route(dev_net(skb_in->dev), &dst, &fl, false); 231 if (!dst) 232 return -1; 233 234 skb_dst_set(skb_in, dst); 235 return 0; 236 } 237 238 /* Send RST reply */ 239 void nf_send_reset(struct net *net, struct sock *sk, struct sk_buff *oldskb, 240 int hook) 241 { 242 struct net_device *br_indev __maybe_unused; 243 struct sk_buff *nskb; 244 struct iphdr *niph; 245 const struct tcphdr *oth; 246 struct tcphdr _oth; 247 248 oth = nf_reject_ip_tcphdr_get(oldskb, &_oth, hook); 249 if (!oth) 250 return; 251 252 if ((hook == NF_INET_PRE_ROUTING || hook == NF_INET_INGRESS) && 253 nf_reject_fill_skb_dst(oldskb) < 0) 254 return; 255 256 if (skb_rtable(oldskb)->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST)) 257 return; 258 259 nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct tcphdr) + 260 LL_MAX_HEADER, GFP_ATOMIC); 261 if (!nskb) 262 return; 263 264 /* ip_route_me_harder expects skb->dst to be set */ 265 skb_dst_set_noref(nskb, skb_dst(oldskb)); 266 267 nskb->mark = IP4_REPLY_MARK(net, oldskb->mark); 268 269 skb_reserve(nskb, LL_MAX_HEADER); 270 niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_TCP, 271 ip4_dst_hoplimit(skb_dst(nskb))); 272 nf_reject_ip_tcphdr_put(nskb, oldskb, oth); 273 if (ip_route_me_harder(net, sk, nskb, RTN_UNSPEC)) 274 goto free_nskb; 275 276 niph = ip_hdr(nskb); 277 278 /* "Never happens" */ 279 if (nskb->len > dst_mtu(skb_dst(nskb))) 280 goto free_nskb; 281 282 nf_ct_attach(nskb, oldskb); 283 284 #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER) 285 /* If we use ip_local_out for bridged traffic, the MAC source on 286 * the RST will be ours, instead of the destination's. This confuses 287 * some routers/firewalls, and they drop the packet. So we need to 288 * build the eth header using the original destination's MAC as the 289 * source, and send the RST packet directly. 290 */ 291 br_indev = nf_bridge_get_physindev(oldskb); 292 if (br_indev) { 293 struct ethhdr *oeth = eth_hdr(oldskb); 294 295 nskb->dev = br_indev; 296 niph->tot_len = htons(nskb->len); 297 ip_send_check(niph); 298 if (dev_hard_header(nskb, nskb->dev, ntohs(nskb->protocol), 299 oeth->h_source, oeth->h_dest, nskb->len) < 0) 300 goto free_nskb; 301 dev_queue_xmit(nskb); 302 } else 303 #endif 304 ip_local_out(net, nskb->sk, nskb); 305 306 return; 307 308 free_nskb: 309 kfree_skb(nskb); 310 } 311 EXPORT_SYMBOL_GPL(nf_send_reset); 312 313 void nf_send_unreach(struct sk_buff *skb_in, int code, int hook) 314 { 315 struct iphdr *iph = ip_hdr(skb_in); 316 int dataoff = ip_hdrlen(skb_in); 317 u8 proto = iph->protocol; 318 319 if (iph->frag_off & htons(IP_OFFSET)) 320 return; 321 322 if ((hook == NF_INET_PRE_ROUTING || hook == NF_INET_INGRESS) && 323 nf_reject_fill_skb_dst(skb_in) < 0) 324 return; 325 326 if (skb_csum_unnecessary(skb_in) || 327 !nf_reject_verify_csum(skb_in, dataoff, proto)) { 328 icmp_send(skb_in, ICMP_DEST_UNREACH, code, 0); 329 return; 330 } 331 332 if (nf_ip_checksum(skb_in, hook, dataoff, proto) == 0) 333 icmp_send(skb_in, ICMP_DEST_UNREACH, code, 0); 334 } 335 EXPORT_SYMBOL_GPL(nf_send_unreach); 336 337 MODULE_LICENSE("GPL"); 338