// SPDX-License-Identifier: GPL-2.0-or-later
/*
 *	Internet Control Message Protocol (ICMPv6)
 *	Linux INET6 implementation
 *
 *	Authors:
 *	Pedro Roque		<roque@di.fc.ul.pt>
 *
 *	Based on net/ipv4/icmp.c
 *
 *	RFC 1885
 */

/*
 *	Changes:
 *
 *	Andi Kleen		:	exception handling
 *	Andi Kleen			add rate limits. never reply to a icmp.
 *					add more length checks and other fixes.
 *	yoshfuji		:	ensure to sent parameter problem for
 *					fragments.
 *	YOSHIFUJI Hideaki @USAGI:	added sysctl for icmp rate limit.
 *	Randy Dunlap and
 *	YOSHIFUJI Hideaki @USAGI:	Per-interface statistics support
 *	Kazunori MIYAZAWA @USAGI:       change output process to use ip6_append_data
 */

#define pr_fmt(fmt) "IPv6: " fmt

#include <linux/module.h>
#include <linux/errno.h>
#include <linux/types.h>
#include <linux/socket.h>
#include <linux/in.h>
#include <linux/kernel.h>
#include <linux/sockios.h>
#include <linux/net.h>
#include <linux/skbuff.h>
#include <linux/init.h>
#include <linux/netfilter.h>
#include <linux/slab.h>

#ifdef CONFIG_SYSCTL
#include <linux/sysctl.h>
#endif

#include <linux/inet.h>
#include <linux/netdevice.h>
#include <linux/icmpv6.h>

#include <net/ip.h>
#include <net/sock.h>

#include <net/ipv6.h>
#include <net/ip6_checksum.h>
#include <net/ping.h>
#include <net/protocol.h>
#include <net/raw.h>
#include <net/rawv6.h>
#include <net/transp_v6.h>
#include <net/ip6_route.h>
#include <net/addrconf.h>
#include <net/icmp.h>
#include <net/xfrm.h>
#include <net/inet_common.h>
#include <net/dsfield.h>
#include <net/l3mdev.h>

#include <linux/uaccess.h>

/*
 *	The ICMP socket(s). This is the most convenient way to flow control
 *	our ICMP output as well as maintain a clean interface throughout
 *	all layers. All Socketless IP sends will soon be gone.
 *
 *	On SMP we have one ICMP socket per-cpu.
 */
static inline struct sock *icmpv6_sk(struct net *net)
{
	/* Per-netns, per-cpu control socket created by icmpv6_sk_init(). */
	return *this_cpu_ptr(net->ipv6.icmp_sk);
}

/*
 * Error handler for the ICMPv6 protocol itself: invoked when an ICMPv6
 * error arrives whose embedded (offending) packet was itself ICMPv6.
 * Updates PMTU / redirect state and forwards echo-related errors to the
 * ping socket layer.
 */
static int icmpv6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
		      u8 type, u8 code, int offset, __be32 info)
{
	/* icmpv6_notify checks 8 bytes can be pulled, icmp6hdr is 8 bytes */
	struct icmp6hdr *icmp6 = (struct icmp6hdr *) (skb->data + offset);
	struct net *net = dev_net(skb->dev);

	if (type == ICMPV6_PKT_TOOBIG)
		ip6_update_pmtu(skb, net, info, skb->dev->ifindex, 0, sock_net_uid(net, NULL));
	else if (type == NDISC_REDIRECT)
		ip6_redirect(skb, net, skb->dev->ifindex, 0,
			     sock_net_uid(net, NULL));

	/* Only error messages carry an embedded packet worth reporting;
	 * hand echo-request errors to the ping socket error path.
	 */
	if (!(type & ICMPV6_INFOMSG_MASK))
		if (icmp6->icmp6_type == ICMPV6_ECHO_REQUEST)
			ping_err(skb, offset, ntohl(info));

	return 0;
}

static int icmpv6_rcv(struct sk_buff *skb);

static const struct inet6_protocol icmpv6_protocol = {
	.handler	=	icmpv6_rcv,
	.err_handler	=	icmpv6_err,
	.flags		=	INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL,
};

/* Called with BH disabled */
static __inline__ struct sock *icmpv6_xmit_lock(struct net *net)
{
	struct sock *sk;

	sk = icmpv6_sk(net);
	if (unlikely(!spin_trylock(&sk->sk_lock.slock))) {
		/* This can happen if the output path (f.e. SIT or
		 * ip6ip6 tunnel) signals dst_link_failure() for an
		 * outgoing ICMP6 packet.
		 */
		return NULL;
	}
	return sk;
}

static __inline__ void icmpv6_xmit_unlock(struct sock *sk)
{
	spin_unlock(&sk->sk_lock.slock);
}

/*
 * Figure out, may we reply to this packet with icmp error.
 *
 * We do not reply, if:
 *	- it was icmp error message.
 *	- it is truncated, so that it is known, that protocol is ICMPV6
 *	  (i.e. in the middle of some exthdr)
 *
 *	--ANK (980726)
 */

static bool is_ineligible(const struct sk_buff *skb)
{
	int ptr = (u8 *)(ipv6_hdr(skb) + 1) - skb->data;
	int len = skb->len - ptr;
	__u8 nexthdr = ipv6_hdr(skb)->nexthdr;
	__be16 frag_off;

	if (len < 0)
		return true;

	ptr = ipv6_skip_exthdr(skb, ptr, &nexthdr, &frag_off);
	if (ptr < 0)
		return false;
	if (nexthdr == IPPROTO_ICMPV6) {
		u8 _type, *tp;
		tp = skb_header_pointer(skb,
			ptr+offsetof(struct icmp6hdr, icmp6_type),
			sizeof(_type), &_type);
		/* Ineligible if the inner ICMPv6 type can't be read or is
		 * an error message (info-message bit clear).
		 */
		if (!tp || !(*tp & ICMPV6_INFOMSG_MASK))
			return true;
	}
	return false;
}

/* Returns true when @type is exempt from rate limiting, i.e. it is out of
 * range of the sysctl ratemask bitmap or its bit is not set there.
 */
static bool icmpv6_mask_allow(struct net *net, int type)
{
	if (type > ICMPV6_MSG_MAX)
		return true;

	/* Limit if icmp type is set in ratemask. */
	if (!test_bit(type, net->ipv6.sysctl.icmpv6_ratemask))
		return true;

	return false;
}

/* Global (not per-destination) rate limit check, see icmp_global_allow(). */
static bool icmpv6_global_allow(struct net *net, int type)
{
	if (icmpv6_mask_allow(net, type))
		return true;

	if (icmp_global_allow())
		return true;

	return false;
}

/*
 * Check the ICMP output rate limit
 */
static bool icmpv6_xrlim_allow(struct sock *sk, u8 type,
			       struct flowi6 *fl6)
{
	struct net *net = sock_net(sk);
	struct dst_entry *dst;
	bool res = false;

	if (icmpv6_mask_allow(net, type))
		return true;

	/*
	 * Look up the output route.
	 * XXX: perhaps the expire for routing entries cloned by
	 * this lookup should be more aggressive (not longer than timeout).
	 */
	dst = ip6_route_output(net, sk, fl6);
	if (dst->error) {
		IP6_INC_STATS(net, ip6_dst_idev(dst),
			      IPSTATS_MIB_OUTNOROUTES);
	} else if (dst->dev && (dst->dev->flags&IFF_LOOPBACK)) {
		/* Loopback traffic is never rate limited. */
		res = true;
	} else {
		struct rt6_info *rt = (struct rt6_info *)dst;
		int tmo = net->ipv6.sysctl.icmpv6_time;
		struct inet_peer *peer;

		/* Give more bandwidth to wider prefixes. */
		if (rt->rt6i_dst.plen < 128)
			tmo >>= ((128 - rt->rt6i_dst.plen)>>5);

		/* Token-bucket style check against the per-peer state;
		 * create=1 so a peer entry is allocated if missing.
		 */
		peer = inet_getpeer_v6(net->ipv6.peers, &fl6->daddr, 1);
		res = inet_peer_xrlim_allow(peer, tmo);
		if (peer)
			inet_putpeer(peer);
	}
	dst_release(dst);
	return res;
}

/*
 *	an inline helper for the "simple" if statement below
 *	checks if parameter problem report is caused by an
 *	unrecognized IPv6 option that has the Option Type
 *	highest-order two bits set to 10
 */

static bool opt_unrec(struct sk_buff *skb, __u32 offset)
{
	u8 _optval, *op;

	offset += skb_network_offset(skb);
	op = skb_header_pointer(skb, offset, sizeof(_optval), &_optval);
	if (!op)
		return true;
	return (*op & 0xC0) == 0x80;
}

/* Finalize a queued ICMPv6 message: write the header @thdr in front of the
 * pending data, compute the ICMPv6 checksum over all queued fragments and
 * push the frames out.  @len is the total ICMPv6 payload length used for
 * the pseudo-header checksum.
 */
void icmpv6_push_pending_frames(struct sock *sk, struct flowi6 *fl6,
				struct icmp6hdr *thdr, int len)
{
	struct sk_buff *skb;
	struct icmp6hdr *icmp6h;

	skb = skb_peek(&sk->sk_write_queue);
	if (!skb)
		return;

	icmp6h = icmp6_hdr(skb);
	memcpy(icmp6h, thdr, sizeof(struct icmp6hdr));
	icmp6h->icmp6_cksum = 0;

	if (skb_queue_len(&sk->sk_write_queue) == 1) {
		/* Single skb: fold the header into its partial csum. */
		skb->csum = csum_partial(icmp6h,
					sizeof(struct icmp6hdr), skb->csum);
		icmp6h->icmp6_cksum = csum_ipv6_magic(&fl6->saddr,
						      &fl6->daddr,
						      len, fl6->flowi6_proto,
						      skb->csum);
	} else {
		__wsum tmp_csum = 0;

		/* Multiple fragments: accumulate their csums first. */
		skb_queue_walk(&sk->sk_write_queue, skb) {
			tmp_csum = csum_add(tmp_csum, skb->csum);
		}

		tmp_csum = csum_partial(icmp6h,
					sizeof(struct icmp6hdr), tmp_csum);
		icmp6h->icmp6_cksum = csum_ipv6_magic(&fl6->saddr,
						      &fl6->daddr,
						      len, fl6->flowi6_proto,
						      tmp_csum);
	}
	ip6_push_pending_frames(sk);
}

/* Source descriptor handed to ip6_append_data(): the offending skb plus the
 * offset of the payload to copy and the outgoing ICMPv6 type.
 */
struct icmpv6_msg {
	struct sk_buff	*skb;
	int		offset;
	uint8_t		type;
};

/* getfrag callback for ip6_append_data(): copy @len bytes of the original
 * packet into the new skb while accumulating the checksum.
 */
static int icmpv6_getfrag(void *from, char *to, int offset, int len, int odd, struct sk_buff *skb)
{
	struct icmpv6_msg *msg = (struct icmpv6_msg *) from;
	struct sk_buff *org_skb = msg->skb;
	__wsum csum = 0;

	csum = skb_copy_and_csum_bits(org_skb, msg->offset + offset,
				      to, len, csum);
	skb->csum = csum_block_add(skb->csum, csum, odd);
	/* Associate the conntrack of the offending packet with the error
	 * reply (error messages only, not echo replies).
	 */
	if (!(msg->type & ICMPV6_INFOMSG_MASK))
		nf_ct_attach(skb, org_skb);
	return 0;
}

#if IS_ENABLED(CONFIG_IPV6_MIP6)
/* Mobile IPv6: if the packet carries a Home Address Option, swap the care-of
 * address in the IPv6 source with the home address from the HAO so the error
 * is built against the address the peer actually used.
 */
static void mip6_addr_swap(struct sk_buff *skb)
{
	struct ipv6hdr *iph = ipv6_hdr(skb);
	struct inet6_skb_parm *opt = IP6CB(skb);
	struct ipv6_destopt_hao *hao;
	struct in6_addr tmp;
	int off;

	if (opt->dsthao) {
		off = ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO);
		if (likely(off >= 0)) {
			hao = (struct ipv6_destopt_hao *)
					(skb_network_header(skb) + off);
			tmp = iph->saddr;
			iph->saddr = hao->addr;
			hao->addr = tmp;
		}
	}
}
#else
static inline void mip6_addr_swap(struct sk_buff *skb) {}
#endif

/* Route lookup for an outgoing ICMPv6 error, including the IPsec (xfrm)
 * policy pass.  If the forward policy lookup is rejected with -EPERM, retry
 * with a reverse-decoded flow (XFRM_LOOKUP_ICMP), per RFC 4301 ICMP
 * handling.  Returns a held dst or ERR_PTR().
 */
static struct dst_entry *icmpv6_route_lookup(struct net *net,
					     struct sk_buff *skb,
					     struct sock *sk,
					     struct flowi6 *fl6)
{
	struct dst_entry *dst, *dst2;
	struct flowi6 fl2;
	int err;

	err = ip6_dst_lookup(net, sk, &dst, fl6);
	if (err)
		return ERR_PTR(err);

	/*
	 * We won't send icmp if the destination is known
	 * anycast.
	 */
	if (ipv6_anycast_destination(dst, &fl6->daddr)) {
		net_dbg_ratelimited("icmp6_send: acast source\n");
		dst_release(dst);
		return ERR_PTR(-EINVAL);
	}

	/* No need to clone since we're just using its address. */
	dst2 = dst;

	dst = xfrm_lookup(net, dst, flowi6_to_flowi(fl6), sk, 0);
	if (!IS_ERR(dst)) {
		if (dst != dst2)
			return dst;
		/* dst unchanged: fall through to the relookup below. */
	} else {
		if (PTR_ERR(dst) == -EPERM)
			dst = NULL;
		else
			return dst;
	}

	/* NOTE(review): fl2 is filled in by xfrm_decode_session_reverse()
	 * below — it must not be read before this call succeeds.
	 */
	err = xfrm_decode_session_reverse(skb, flowi6_to_flowi(&fl2), AF_INET6);
	if (err)
		goto relookup_failed;

	err = ip6_dst_lookup(net, sk, &dst2, &fl2);
	if (err)
		goto relookup_failed;

	dst2 = xfrm_lookup(net, dst2, flowi6_to_flowi(&fl2), sk, XFRM_LOOKUP_ICMP);
	if (!IS_ERR(dst2)) {
		dst_release(dst);
		dst = dst2;
	} else {
		err = PTR_ERR(dst2);
		if (err == -EPERM) {
			dst_release(dst);
			return dst2;
		} else
			goto relookup_failed;
	}

relookup_failed:
	if (dst)
		return dst;
	return ERR_PTR(err);
}

static int icmp6_iif(const struct sk_buff *skb)
{
	int iif = skb->dev->ifindex;

	/* for local traffic to local address, skb dev is the loopback
	 * device. Check if there is a dst attached to the skb and if so
	 * get the real device index. Same is needed for replies to a link
	 * local address on a device enslaved to an L3 master device
	 */
	if (unlikely(iif == LOOPBACK_IFINDEX || netif_is_l3_master(skb->dev))) {
		const struct rt6_info *rt6 = skb_rt6_info(skb);

		/* NOTE(review): rt6->rt6i_idev is dereferenced without a
		 * NULL check — presumably always set for attached routes;
		 * verify for null-entry routes.
		 */
		if (rt6)
			iif = rt6->rt6i_idev->dev->ifindex;
	}

	return iif;
}

/*
 *	Send an ICMP message in response to a packet in error
 */
static void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info,
		       const struct in6_addr *force_saddr)
{
	struct inet6_dev *idev = NULL;
	struct ipv6hdr *hdr = ipv6_hdr(skb);
	struct sock *sk;
	struct net *net;
	struct ipv6_pinfo *np;
	const struct in6_addr *saddr = NULL;
	struct dst_entry *dst;
	struct icmp6hdr tmp_hdr;
	struct flowi6 fl6;
	struct icmpv6_msg msg;
	struct ipcm6_cookie ipc6;
	int iif = 0;
	int addr_type = 0;
	int len;
	u32 mark;

	/* Sanity-check that the network header really lies inside the
	 * skb's linear data before reading it.
	 */
	if ((u8 *)hdr < skb->head ||
	    (skb_network_header(skb) + sizeof(*hdr)) > skb_tail_pointer(skb))
		return;

	if (!skb->dev)
		return;
	net = dev_net(skb->dev);
	mark = IP6_REPLY_MARK(net, skb->mark);
	/*
	 *	Make sure we respect the rules
	 *	i.e. RFC 1885 2.4(e)
	 *	Rule (e.1) is enforced by not using icmp6_send
	 *	in any code that processes icmp errors.
	 */
	addr_type = ipv6_addr_type(&hdr->daddr);

	/* If the offending packet was addressed to us (or to an anycast
	 * address we serve), reply from that same address.
	 */
	if (ipv6_chk_addr(net, &hdr->daddr, skb->dev, 0) ||
	    ipv6_chk_acast_addr_src(net, skb->dev, &hdr->daddr))
		saddr = &hdr->daddr;

	/*
	 *	Dest addr check
	 */

	if (addr_type & IPV6_ADDR_MULTICAST || skb->pkt_type != PACKET_HOST) {
		/* RFC 4443 2.4(e.3/e.4): no errors for multicast/non-unicast
		 * destinations, except PTB and param-problem for an
		 * unrecognized option with the "10" high bits.
		 */
		if (type != ICMPV6_PKT_TOOBIG &&
		    !(type == ICMPV6_PARAMPROB &&
		      code == ICMPV6_UNK_OPTION &&
		      (opt_unrec(skb, info))))
			return;

		saddr = NULL;
	}

	addr_type = ipv6_addr_type(&hdr->saddr);

	/*
	 *	Source addr check
	 */

	if (__ipv6_addr_needs_scope_id(addr_type)) {
		iif = icmp6_iif(skb);
	} else {
		dst = skb_dst(skb);
		iif = l3mdev_master_ifindex(dst ? dst->dev : skb->dev);
	}

	/*
	 *	Must not send error if the source does not uniquely
	 *	identify a single node (RFC2463 Section 2.4).
	 *	We check unspecified / multicast addresses here,
	 *	and anycast addresses will be checked later.
	 */
	if ((addr_type == IPV6_ADDR_ANY) || (addr_type & IPV6_ADDR_MULTICAST)) {
		net_dbg_ratelimited("icmp6_send: addr_any/mcast source [%pI6c > %pI6c]\n",
				    &hdr->saddr, &hdr->daddr);
		return;
	}

	/*
	 *	Never answer to a ICMP packet.
	 */
	if (is_ineligible(skb)) {
		net_dbg_ratelimited("icmp6_send: no reply to icmp error [%pI6c > %pI6c]\n",
				    &hdr->saddr, &hdr->daddr);
		return;
	}

	/* Needed by both icmp_global_allow and icmpv6_xmit_lock */
	local_bh_disable();

	/* Check global sysctl_icmp_msgs_per_sec ratelimit */
	if (!(skb->dev->flags & IFF_LOOPBACK) && !icmpv6_global_allow(net, type))
		goto out_bh_enable;

	mip6_addr_swap(skb);

	memset(&fl6, 0, sizeof(fl6));
	fl6.flowi6_proto = IPPROTO_ICMPV6;
	fl6.daddr = hdr->saddr;
	if (force_saddr)
		saddr = force_saddr;
	if (saddr)
		fl6.saddr = *saddr;
	fl6.flowi6_mark = mark;
	fl6.flowi6_oif = iif;
	fl6.fl6_icmp_type = type;
	fl6.fl6_icmp_code = code;
	fl6.flowi6_uid = sock_net_uid(net, NULL);
	fl6.mp_hash = rt6_multipath_hash(net, &fl6, skb, NULL);
	security_skb_classify_flow(skb, flowi6_to_flowi(&fl6));

	sk = icmpv6_xmit_lock(net);
	if (!sk)
		goto out_bh_enable;

	sk->sk_mark = mark;
	np = inet6_sk(sk);

	if (!icmpv6_xrlim_allow(sk, type, &fl6))
		goto out;

	tmp_hdr.icmp6_type = type;
	tmp_hdr.icmp6_code = code;
	tmp_hdr.icmp6_cksum = 0;
	tmp_hdr.icmp6_pointer = htonl(info);

	if (!fl6.flowi6_oif && ipv6_addr_is_multicast(&fl6.daddr))
		fl6.flowi6_oif = np->mcast_oif;
	else if (!fl6.flowi6_oif)
		fl6.flowi6_oif = np->ucast_oif;

	ipcm6_init_sk(&ipc6, np);
	fl6.flowlabel = ip6_make_flowinfo(ipc6.tclass, fl6.flowlabel);

	dst = icmpv6_route_lookup(net, skb, sk, &fl6);
	if (IS_ERR(dst))
		goto out;

	ipc6.hlimit = ip6_sk_dst_hoplimit(np, &fl6, dst);

	msg.skb = skb;
	msg.offset = skb_network_offset(skb);
	msg.type = type;

	/* Clamp the quoted payload so the error fits in the IPv6 minimum
	 * MTU (RFC 4443 2.4(c)).
	 * NOTE(review): since min_t() compares as unsigned int, a negative
	 * len would wrap and be clamped, so the len < 0 branch below looks
	 * unreachable — confirm against the original intent.
	 */
	len = skb->len - msg.offset;
	len = min_t(unsigned int, len, IPV6_MIN_MTU - sizeof(struct ipv6hdr) - sizeof(struct icmp6hdr));
	if (len < 0) {
		net_dbg_ratelimited("icmp: len problem [%pI6c > %pI6c]\n",
				    &hdr->saddr, &hdr->daddr);
		goto out_dst_release;
	}

	rcu_read_lock();
	idev = __in6_dev_get(skb->dev);

	if (ip6_append_data(sk, icmpv6_getfrag, &msg,
			    len + sizeof(struct icmp6hdr),
			    sizeof(struct icmp6hdr),
			    &ipc6, &fl6, (struct rt6_info *)dst,
			    MSG_DONTWAIT)) {
		ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTERRORS);
		ip6_flush_pending_frames(sk);
	} else {
		icmpv6_push_pending_frames(sk, &fl6, &tmp_hdr,
					   len + sizeof(struct icmp6hdr));
	}
	rcu_read_unlock();
out_dst_release:
	dst_release(dst);
out:
	icmpv6_xmit_unlock(sk);
out_bh_enable:
	local_bh_enable();
}

/* Slightly more convenient version of icmp6_send.
 */
void icmpv6_param_prob(struct sk_buff *skb, u8 code, int pos)
{
	icmp6_send(skb, ICMPV6_PARAMPROB, code, pos, NULL);
	kfree_skb(skb);
}

/* Generate icmpv6 with type/code ICMPV6_DEST_UNREACH/ICMPV6_ADDR_UNREACH
 * if sufficient data bytes are available
 * @nhs is the size of the tunnel header(s) :
 *  Either an IPv4 header for SIT encap
 *         an IPv4 header + GRE header for GRE encap
 *
 * Returns 0 when an ICMPv6 message was sent, 1 on failure/short packet.
 */
int ip6_err_gen_icmpv6_unreach(struct sk_buff *skb, int nhs, int type,
			       unsigned int data_len)
{
	struct in6_addr temp_saddr;
	struct rt6_info *rt;
	struct sk_buff *skb2;
	u32 info = 0;

	if (!pskb_may_pull(skb, nhs + sizeof(struct ipv6hdr) + 8))
		return 1;

	/* RFC 4884 (partial) support for ICMP extensions */
	if (data_len < 128 || (data_len & 7) || skb->len < data_len)
		data_len = 0;

	/* A writable copy is needed only when padding for extensions. */
	skb2 = data_len ? skb_copy(skb, GFP_ATOMIC) : skb_clone(skb, GFP_ATOMIC);

	if (!skb2)
		return 1;

	skb_dst_drop(skb2);
	skb_pull(skb2, nhs);
	skb_reset_network_header(skb2);

	rt = rt6_lookup(dev_net(skb->dev), &ipv6_hdr(skb2)->saddr, NULL, 0,
			skb, 0);

	if (rt && rt->dst.dev)
		skb2->dev = rt->dst.dev;

	ipv6_addr_set_v4mapped(ip_hdr(skb)->saddr, &temp_saddr);

	if (data_len) {
		/* RFC 4884 (partial) support :
		 * insert 0 padding at the end, before the extensions
		 */
		__skb_push(skb2, nhs);
		skb_reset_network_header(skb2);
		memmove(skb2->data, skb2->data + nhs, data_len - nhs);
		memset(skb2->data + data_len - nhs, 0, nhs);
		/* RFC 4884 4.5 : Length is measured in 64-bit words,
		 * and stored in reserved[0]
		 */
		info = (data_len/8) << 24;
	}
	if (type == ICMP_TIME_EXCEEDED)
		icmp6_send(skb2, ICMPV6_TIME_EXCEED, ICMPV6_EXC_HOPLIMIT,
			   info, &temp_saddr);
	else
		icmp6_send(skb2, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH,
			   info, &temp_saddr);
	if (rt)
		ip6_rt_put(rt);

	kfree_skb(skb2);

	return 0;
}
EXPORT_SYMBOL(ip6_err_gen_icmpv6_unreach);

/* Reply to an ICMPv6 Echo Request, honouring the echo_ignore_* sysctls
 * and both the global and per-destination rate limits.
 */
static void icmpv6_echo_reply(struct sk_buff *skb)
{
	struct net *net = dev_net(skb->dev);
	struct sock *sk;
	struct inet6_dev *idev;
	struct ipv6_pinfo *np;
	const struct in6_addr *saddr = NULL;
	struct icmp6hdr *icmph = icmp6_hdr(skb);
	struct icmp6hdr tmp_hdr;
	struct flowi6 fl6;
	struct icmpv6_msg msg;
	struct dst_entry *dst;
	struct ipcm6_cookie ipc6;
	u32 mark = IP6_REPLY_MARK(net, skb->mark);
	bool acast;

	if (ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr) &&
	    net->ipv6.sysctl.icmpv6_echo_ignore_multicast)
		return;

	saddr = &ipv6_hdr(skb)->daddr;

	acast = ipv6_anycast_destination(skb_dst(skb), saddr);
	if (acast && net->ipv6.sysctl.icmpv6_echo_ignore_anycast)
		return;

	/* For multicast/anycast requests, let routing pick the source
	 * address unless anycast_src_echo_reply permits replying from
	 * the anycast address itself.
	 */
	if (!ipv6_unicast_destination(skb) &&
	    !(net->ipv6.sysctl.anycast_src_echo_reply && acast))
		saddr = NULL;

	memcpy(&tmp_hdr, icmph, sizeof(tmp_hdr));
	tmp_hdr.icmp6_type = ICMPV6_ECHO_REPLY;

	memset(&fl6, 0, sizeof(fl6));
	fl6.flowi6_proto = IPPROTO_ICMPV6;
	fl6.daddr = ipv6_hdr(skb)->saddr;
	if (saddr)
		fl6.saddr = *saddr;
	fl6.flowi6_oif = icmp6_iif(skb);
	fl6.fl6_icmp_type = ICMPV6_ECHO_REPLY;
	fl6.flowi6_mark = mark;
	fl6.flowi6_uid = sock_net_uid(net, NULL);
	security_skb_classify_flow(skb, flowi6_to_flowi(&fl6));

	local_bh_disable();
	sk = icmpv6_xmit_lock(net);
	if (!sk)
		goto out_bh_enable;
	sk->sk_mark = mark;
	np = inet6_sk(sk);

	if (!fl6.flowi6_oif && ipv6_addr_is_multicast(&fl6.daddr))
		fl6.flowi6_oif = np->mcast_oif;
	else if (!fl6.flowi6_oif)
		fl6.flowi6_oif = np->ucast_oif;

	if (ip6_dst_lookup(net, sk, &dst, &fl6))
		goto out;
	dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), sk, 0);
	if (IS_ERR(dst))
		goto out;

	/* Check the ratelimit */
	if ((!(skb->dev->flags & IFF_LOOPBACK) && !icmpv6_global_allow(net, ICMPV6_ECHO_REPLY)) ||
	    !icmpv6_xrlim_allow(sk, ICMPV6_ECHO_REPLY, &fl6))
		goto out_dst_release;

	idev = __in6_dev_get(skb->dev);

	msg.skb = skb;
	msg.offset = 0;
	msg.type = ICMPV6_ECHO_REPLY;

	ipcm6_init_sk(&ipc6, np);
	ipc6.hlimit = ip6_sk_dst_hoplimit(np, &fl6, dst);
	ipc6.tclass = ipv6_get_dsfield(ipv6_hdr(skb));

	if (ip6_append_data(sk, icmpv6_getfrag, &msg,
			    skb->len + sizeof(struct icmp6hdr),
			    sizeof(struct icmp6hdr), &ipc6, &fl6,
			    (struct rt6_info *)dst, MSG_DONTWAIT)) {
		__ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTERRORS);
		ip6_flush_pending_frames(sk);
	} else {
		icmpv6_push_pending_frames(sk, &fl6, &tmp_hdr,
					   skb->len + sizeof(struct icmp6hdr));
	}
out_dst_release:
	dst_release(dst);
out:
	icmpv6_xmit_unlock(sk);
out_bh_enable:
	local_bh_enable();
}

/* Dispatch a received ICMPv6 error to the upper-layer protocol named by the
 * embedded packet's next header, and to any matching raw sockets.
 */
void icmpv6_notify(struct sk_buff *skb, u8 type, u8 code, __be32 info)
{
	const struct inet6_protocol *ipprot;
	int inner_offset;
	__be16 frag_off;
	u8 nexthdr;
	struct net *net = dev_net(skb->dev);

	if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
		goto out;

	nexthdr = ((struct ipv6hdr *)skb->data)->nexthdr;
	if (ipv6_ext_hdr(nexthdr)) {
		/* now skip over extension headers */
		inner_offset = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr),
						&nexthdr, &frag_off);
		if (inner_offset < 0)
			goto out;
	} else {
		inner_offset = sizeof(struct ipv6hdr);
	}

	/* Check header including 8 bytes of inner protocol header. */
	if (!pskb_may_pull(skb, inner_offset+8))
		goto out;

	/* BUGGG_FUTURE: we should try to parse exthdrs in this packet.
	   Without this we will not able f.e. to make source routed
	   pmtu discovery.
	   Corresponding argument (opt) to notifiers is already added.
	   --ANK (980726)
	 */

	ipprot = rcu_dereference(inet6_protos[nexthdr]);
	if (ipprot && ipprot->err_handler)
		ipprot->err_handler(skb, NULL, type, code, inner_offset, info);

	raw6_icmp_error(skb, nexthdr, type, code, inner_offset, info);
	return;

out:
	__ICMP6_INC_STATS(net, __in6_dev_get(skb->dev), ICMP6_MIB_INERRORS);
}

/*
 *	Handle icmp messages
 */

static int icmpv6_rcv(struct sk_buff *skb)
{
	struct net *net = dev_net(skb->dev);
	struct net_device *dev = skb->dev;
	struct inet6_dev *idev = __in6_dev_get(dev);
	const struct in6_addr *saddr, *daddr;
	struct icmp6hdr *hdr;
	u8 type;
	bool success = false;

	if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
		struct sec_path *sp = skb_sec_path(skb);
		int nh;

		/* Only accept unprotected ICMPv6 if the last SA explicitly
		 * allows it (XFRM_STATE_ICMP).
		 */
		if (!(sp && sp->xvec[sp->len - 1]->props.flags &
				 XFRM_STATE_ICMP))
			goto drop_no_count;

		if (!pskb_may_pull(skb, sizeof(*hdr) + sizeof(struct ipv6hdr)))
			goto drop_no_count;

		/* Temporarily point the network header at the inner packet
		 * for the reverse policy check, then restore it.
		 */
		nh = skb_network_offset(skb);
		skb_set_network_header(skb, sizeof(*hdr));

		if (!xfrm6_policy_check_reverse(NULL, XFRM_POLICY_IN, skb))
			goto drop_no_count;

		skb_set_network_header(skb, nh);
	}

	__ICMP6_INC_STATS(dev_net(dev), idev, ICMP6_MIB_INMSGS);

	saddr = &ipv6_hdr(skb)->saddr;
	daddr = &ipv6_hdr(skb)->daddr;

	if (skb_checksum_validate(skb, IPPROTO_ICMPV6, ip6_compute_pseudo)) {
		net_dbg_ratelimited("ICMPv6 checksum failed [%pI6c > %pI6c]\n",
				    saddr, daddr);
		goto csum_error;
	}

	if (!pskb_pull(skb, sizeof(*hdr)))
		goto discard_it;

	hdr = icmp6_hdr(skb);

	type = hdr->icmp6_type;

	ICMP6MSGIN_INC_STATS(dev_net(dev), idev, type);

	switch (type) {
	case ICMPV6_ECHO_REQUEST:
		if (!net->ipv6.sysctl.icmpv6_echo_ignore_all)
			icmpv6_echo_reply(skb);
		break;

	case ICMPV6_ECHO_REPLY:
		success = ping_rcv(skb);
		break;

	case ICMPV6_PKT_TOOBIG:
		/* BUGGG_FUTURE: if packet contains rthdr, we cannot update
		   standard destination cache. Seems, only "advanced"
		   destination cache will allow to solve this problem
		   --ANK (980726)
		 */
		if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
			goto discard_it;
		/* pskb_may_pull() may have reallocated; re-read the header */
		hdr = icmp6_hdr(skb);

		/* to notify */
		/* fall through */
	case ICMPV6_DEST_UNREACH:
	case ICMPV6_TIME_EXCEED:
	case ICMPV6_PARAMPROB:
		icmpv6_notify(skb, type, hdr->icmp6_code, hdr->icmp6_mtu);
		break;

	case NDISC_ROUTER_SOLICITATION:
	case NDISC_ROUTER_ADVERTISEMENT:
	case NDISC_NEIGHBOUR_SOLICITATION:
	case NDISC_NEIGHBOUR_ADVERTISEMENT:
	case NDISC_REDIRECT:
		ndisc_rcv(skb);
		break;

	case ICMPV6_MGM_QUERY:
		igmp6_event_query(skb);
		break;

	case ICMPV6_MGM_REPORT:
		igmp6_event_report(skb);
		break;

	case ICMPV6_MGM_REDUCTION:
	case ICMPV6_NI_QUERY:
	case ICMPV6_NI_REPLY:
	case ICMPV6_MLD2_REPORT:
	case ICMPV6_DHAAD_REQUEST:
	case ICMPV6_DHAAD_REPLY:
	case ICMPV6_MOBILE_PREFIX_SOL:
	case ICMPV6_MOBILE_PREFIX_ADV:
		break;

	default:
		/* informational */
		if (type & ICMPV6_INFOMSG_MASK)
			break;

		net_dbg_ratelimited("icmpv6: msg of unknown type [%pI6c > %pI6c]\n",
				    saddr, daddr);

		/*
		 * error of unknown type.
		 * must pass to upper level
		 */

		icmpv6_notify(skb, type, hdr->icmp6_code, hdr->icmp6_mtu);
	}

	/* until the v6 path can be better sorted assume failure and
	 * preserve the status quo behaviour for the rest of the paths to here
	 */
	if (success)
		consume_skb(skb);
	else
		kfree_skb(skb);

	return 0;

csum_error:
	__ICMP6_INC_STATS(dev_net(dev), idev, ICMP6_MIB_CSUMERRORS);
discard_it:
	__ICMP6_INC_STATS(dev_net(dev), idev, ICMP6_MIB_INERRORS);
drop_no_count:
	kfree_skb(skb);
	return 0;
}

/* Initialize @fl6 for an ICMPv6 message of @type between @saddr/@daddr on
 * interface @oif, including the LSM flow classification.
 */
void icmpv6_flow_init(struct sock *sk, struct flowi6 *fl6,
		      u8 type,
		      const struct in6_addr *saddr,
		      const struct in6_addr *daddr,
		      int oif)
{
	memset(fl6, 0, sizeof(*fl6));
	fl6->saddr = *saddr;
	fl6->daddr = *daddr;
	fl6->flowi6_proto	= IPPROTO_ICMPV6;
	fl6->fl6_icmp_type	= type;
	fl6->fl6_icmp_code	= 0;
	fl6->flowi6_oif		= oif;
	security_sk_classify_flow(sk, flowi6_to_flowi(fl6));
}

/* Tear down the per-cpu control sockets of a netns. */
static void __net_exit icmpv6_sk_exit(struct net *net)
{
	int i;

	for_each_possible_cpu(i)
		inet_ctl_sock_destroy(*per_cpu_ptr(net->ipv6.icmp_sk, i));
	free_percpu(net->ipv6.icmp_sk);
}

/* Create one raw ICMPv6 control socket per possible CPU for a netns. */
static int __net_init icmpv6_sk_init(struct net *net)
{
	struct sock *sk;
	int err, i;

	net->ipv6.icmp_sk = alloc_percpu(struct sock *);
	if (!net->ipv6.icmp_sk)
		return -ENOMEM;

	for_each_possible_cpu(i) {
		err = inet_ctl_sock_create(&sk, PF_INET6,
					   SOCK_RAW, IPPROTO_ICMPV6, net);
		if (err < 0) {
			pr_err("Failed to initialize the ICMP6 control socket (err %d)\n",
			       err);
			goto fail;
		}

		*per_cpu_ptr(net->ipv6.icmp_sk, i) = sk;

		/* Enough space for 2 64K ICMP packets, including
		 * sk_buff struct overhead.
		 */
		sk->sk_sndbuf = 2 * SKB_TRUESIZE(64 * 1024);
	}
	return 0;

fail:
	/* Destroys the sockets created so far; the NULL entries of the
	 * remaining CPUs are handled by inet_ctl_sock_destroy semantics
	 * via icmpv6_sk_exit(). NOTE(review): confirm partial-init cleanup
	 * tolerates NULL per-cpu slots.
	 */
	icmpv6_sk_exit(net);
	return err;
}

static struct pernet_operations icmpv6_sk_ops = {
	.init = icmpv6_sk_init,
	.exit = icmpv6_sk_exit,
};

int __init icmpv6_init(void)
{
	int err;

	err = register_pernet_subsys(&icmpv6_sk_ops);
	if (err < 0)
		return err;

	err = -EAGAIN;
	if (inet6_add_protocol(&icmpv6_protocol, IPPROTO_ICMPV6) < 0)
		goto fail;

	err = inet6_register_icmp_sender(icmp6_send);
	if (err)
		goto sender_reg_err;
	return 0;

sender_reg_err:
	inet6_del_protocol(&icmpv6_protocol, IPPROTO_ICMPV6);
fail:
	pr_err("Failed to register ICMP6 protocol\n");
	unregister_pernet_subsys(&icmpv6_sk_ops);
	return err;
}

void icmpv6_cleanup(void)
{
	inet6_unregister_icmp_sender(icmp6_send);
	unregister_pernet_subsys(&icmpv6_sk_ops);
	inet6_del_protocol(&icmpv6_protocol, IPPROTO_ICMPV6);
}


/* Mapping from ICMPV6_DEST_UNREACH codes to errno + "fatal" flag,
 * indexed by the ICMPv6 code value.
 */
static const struct icmp6_err {
	int err;
	int fatal;
} tab_unreach[] = {
	{	/* NOROUTE */
		.err	= ENETUNREACH,
		.fatal	= 0,
	},
	{	/* ADM_PROHIBITED */
		.err	= EACCES,
		.fatal	= 1,
	},
	{	/* Was NOT_NEIGHBOUR, now reserved */
		.err	= EHOSTUNREACH,
		.fatal	= 0,
	},
	{	/* ADDR_UNREACH	*/
		.err	= EHOSTUNREACH,
		.fatal	= 0,
	},
	{	/* PORT_UNREACH	*/
		.err	= ECONNREFUSED,
		.fatal	= 1,
	},
	{	/* POLICY_FAIL */
		.err	= EACCES,
		.fatal	= 1,
	},
	{	/* REJECT_ROUTE	*/
		.err	= EACCES,
		.fatal	= 1,
	},
};

/* Translate an ICMPv6 type/code into an errno stored in *err; returns
 * non-zero when the error is fatal for the connection.
 */
int icmpv6_err_convert(u8 type, u8 code, int *err)
{
	int fatal = 0;

	*err = EPROTO;

	switch (type) {
	case ICMPV6_DEST_UNREACH:
		fatal = 1;
		if (code < ARRAY_SIZE(tab_unreach)) {
			*err  = tab_unreach[code].err;
			fatal = tab_unreach[code].fatal;
		}
		break;

	case ICMPV6_PKT_TOOBIG:
		*err = EMSGSIZE;
		break;

	case ICMPV6_PARAMPROB:
		*err = EPROTO;
		fatal = 1;
		break;

	case ICMPV6_TIME_EXCEED:
		*err = EHOSTUNREACH;
		break;
	}

	return fatal;
}
EXPORT_SYMBOL(icmpv6_err_convert);

#ifdef CONFIG_SYSCTL
static struct ctl_table ipv6_icmp_table_template[] = {
	{
		.procname	= "ratelimit",
		.data		= &init_net.ipv6.sysctl.icmpv6_time,
		.maxlen		= sizeof(int),
		.mode		= 0644,
		.proc_handler	= proc_dointvec_ms_jiffies,
	},
	{
		.procname	= "echo_ignore_all",
		.data		= &init_net.ipv6.sysctl.icmpv6_echo_ignore_all,
		.maxlen		= sizeof(int),
		.mode		= 0644,
		.proc_handler = proc_dointvec,
	},
	{
		.procname	= "echo_ignore_multicast",
		.data		= &init_net.ipv6.sysctl.icmpv6_echo_ignore_multicast,
		.maxlen		= sizeof(int),
		.mode		= 0644,
		.proc_handler = proc_dointvec,
	},
	{
		.procname	= "echo_ignore_anycast",
		.data		= &init_net.ipv6.sysctl.icmpv6_echo_ignore_anycast,
		.maxlen		= sizeof(int),
		.mode		= 0644,
		.proc_handler = proc_dointvec,
	},
	{
		.procname	= "ratemask",
		.data		= &init_net.ipv6.sysctl.icmpv6_ratemask_ptr,
		.maxlen		= ICMPV6_MSG_MAX + 1,
		.mode		= 0644,
		.proc_handler = proc_do_large_bitmap,
	},
	{ },
};

/* Duplicate the template table for a netns, repointing each entry's data
 * at that netns's sysctl storage.  The indices below must stay in sync
 * with the template's entry order.
 */
struct ctl_table * __net_init ipv6_icmp_sysctl_init(struct net *net)
{
	struct ctl_table *table;

	table = kmemdup(ipv6_icmp_table_template,
			sizeof(ipv6_icmp_table_template),
			GFP_KERNEL);

	if (table) {
		table[0].data = &net->ipv6.sysctl.icmpv6_time;
		table[1].data = &net->ipv6.sysctl.icmpv6_echo_ignore_all;
		table[2].data = &net->ipv6.sysctl.icmpv6_echo_ignore_multicast;
		table[3].data = &net->ipv6.sysctl.icmpv6_echo_ignore_anycast;
		table[4].data = &net->ipv6.sysctl.icmpv6_ratemask_ptr;
	}
	return table;
}
#endif