1 /*
2 * Copyright (C) 2019 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <linux/bpf.h>
18 #include <linux/if.h>
19 #include <linux/if_ether.h>
20 #include <linux/in.h>
21 #include <linux/in6.h>
22 #include <linux/ip.h>
23 #include <linux/ipv6.h>
24 #include <linux/pkt_cls.h>
25 #include <linux/swab.h>
26 #include <stdbool.h>
27 #include <stdint.h>
28
29 // bionic kernel uapi linux/udp.h header is munged...
30 #define __kernel_udphdr udphdr
31 #include <linux/udp.h>
32
33 // The resulting .o needs to load on Android T+
34 #define BPFLOADER_MIN_VER BPFLOADER_T_VERSION
35
36 #include "bpf_helpers.h"
37 #include "bpf_net_helpers.h"
38 #include "clatd.h"
39 #include "clat_mark.h"
40
41 // IP flags. (from kernel's include/net/ip.h)
42 #define IP_CE 0x8000 // Flag: "Congestion" (really reserved 'evil bit')
43 #define IP_DF 0x4000 // Flag: "Don't Fragment"
44 #define IP_MF 0x2000 // Flag: "More Fragments"
45 #define IP_OFFSET 0x1FFF // "Fragment Offset" part
46
47 // from kernel's include/net/ipv6.h
48 struct frag_hdr {
49 __u8 nexthdr;
50 __u8 reserved; // always zero
51 __be16 frag_off; // 13 bit offset, 2 bits zero, 1 bit "More Fragments"
52 __be32 identification;
53 };
54
55 DEFINE_BPF_MAP_GRW(clat_ingress6_map, HASH, ClatIngress6Key, ClatIngress6Value, 16, AID_SYSTEM)
56
nat64(struct __sk_buff * skb,const struct rawip_bool rawip,const struct kver_uint kver)57 static inline __always_inline int nat64(struct __sk_buff* skb,
58 const struct rawip_bool rawip,
59 const struct kver_uint kver) {
60 const bool is_ethernet = !rawip.rawip;
61
62 // Require ethernet dst mac address to be our unicast address.
63 if (is_ethernet && (skb->pkt_type != PACKET_HOST)) return TC_ACT_PIPE;
64
65 // Must be meta-ethernet IPv6 frame
66 if (skb->protocol != htons(ETH_P_IPV6)) return TC_ACT_PIPE;
67
68 const int l2_header_size = is_ethernet ? sizeof(struct ethhdr) : 0;
69
70 // Not clear if this is actually necessary considering we use DPA (Direct Packet Access),
71 // but we need to make sure we can read the IPv6 header reliably so that we can set
72 // skb->mark = 0xDeadC1a7 for packets we fail to offload.
73 try_make_writable(skb, l2_header_size + sizeof(struct ipv6hdr));
74
75 void* data = (void*)(long)skb->data;
76 const void* data_end = (void*)(long)skb->data_end;
77 const struct ethhdr* const eth = is_ethernet ? data : NULL; // used iff is_ethernet
78 const struct ipv6hdr* const ip6 = is_ethernet ? (void*)(eth + 1) : data;
79
80 // Must have (ethernet and) ipv6 header
81 if (data + l2_header_size + sizeof(*ip6) > data_end) return TC_ACT_PIPE;
82
83 // Ethertype - if present - must be IPv6
84 if (is_ethernet && (eth->h_proto != htons(ETH_P_IPV6))) return TC_ACT_PIPE;
85
86 // IP version must be 6
87 if (ip6->version != 6) return TC_ACT_PIPE;
88
89 // Maximum IPv6 payload length that can be translated to IPv4
90 // Note: technically this check is too strict for an IPv6 fragment,
91 // which by virtue of stripping the extra 8 byte fragment extension header,
92 // could thus be 8 bytes larger and still fit in an ipv4 packet post
93 // translation. However... who ever heard of receiving ~64KB frags...
94 // fragments are kind of by definition smaller than ingress device mtu,
95 // and thus, on the internet, very very unlikely to exceed 1500 bytes.
96 if (ntohs(ip6->payload_len) > 0xFFFF - sizeof(struct iphdr)) return TC_ACT_PIPE;
97
98 ClatIngress6Key k = {
99 .iif = skb->ifindex,
100 .pfx96.in6_u.u6_addr32 =
101 {
102 ip6->saddr.in6_u.u6_addr32[0],
103 ip6->saddr.in6_u.u6_addr32[1],
104 ip6->saddr.in6_u.u6_addr32[2],
105 },
106 .local6 = ip6->daddr,
107 };
108
109 ClatIngress6Value* v = bpf_clat_ingress6_map_lookup_elem(&k);
110
111 if (!v) return TC_ACT_PIPE;
112
113 __u8 proto = ip6->nexthdr;
114 __be16 ip_id = 0;
115 __be16 frag_off = htons(IP_DF);
116 __u16 tot_len = ntohs(ip6->payload_len) + sizeof(struct iphdr); // cannot overflow, see above
117
118 if (proto == IPPROTO_FRAGMENT) {
119 // Fragment handling requires bpf_skb_adjust_room which is 4.14+
120 if (!KVER_IS_AT_LEAST(kver, 4, 14, 0)) return TC_ACT_PIPE;
121
122 // Must have (ethernet and) ipv6 header and ipv6 fragment extension header
123 if (data + l2_header_size + sizeof(*ip6) + sizeof(struct frag_hdr) > data_end)
124 return TC_ACT_PIPE;
125 const struct frag_hdr *frag = (const struct frag_hdr *)(ip6 + 1);
126 proto = frag->nexthdr;
127 // RFC6145: use bottom 16-bits of network endian 32-bit IPv6 ID field for 16-bit IPv4 field.
128 // this is equivalent to: ip_id = htons(ntohl(frag->identification));
129 ip_id = frag->identification >> 16;
130 // Conversion of 16-bit IPv6 frag offset to 16-bit IPv4 frag offset field.
131 // IPv6 is '13 bits of offset in multiples of 8' + 2 zero bits + more fragment bit
132 // IPv4 is zero bit + don't frag bit + more frag bit + '13 bits of offset in multiples of 8'
133 frag_off = ntohs(frag->frag_off);
134 frag_off = ((frag_off & 1) << 13) | (frag_off >> 3);
135 frag_off = htons(frag_off);
136 // Note that by construction tot_len is guaranteed to not underflow here
137 tot_len -= sizeof(struct frag_hdr);
138 // This is a badly formed IPv6 packet with less payload than the size of an IPv6 Frag EH
139 if (tot_len < sizeof(struct iphdr)) return TC_ACT_PIPE;
140 }
141
142 switch (proto) {
143 case IPPROTO_TCP: // For TCP, UDP & UDPLITE the checksum neutrality of the chosen
144 case IPPROTO_UDP: // IPv6 address means there is no need to update their checksums.
145 case IPPROTO_UDPLITE: //
146 case IPPROTO_GRE: // We do not need to bother looking at GRE/ESP headers,
147 case IPPROTO_ESP: // since there is never a checksum to update.
148 break;
149
150 default: // do not know how to handle anything else
151 // Mark ingress non-offloaded clat packet for dropping in ip6tables bw_raw_PREROUTING.
152 // Non-offloaded clat packet is going to be handled by clat daemon and ip6tables. The
153 // duplicate one in ip6tables is not necessary.
154 skb->mark = CLAT_MARK;
155 return TC_ACT_PIPE;
156 }
157
158 struct ethhdr eth2; // used iff is_ethernet
159 if (is_ethernet) {
160 eth2 = *eth; // Copy over the ethernet header (src/dst mac)
161 eth2.h_proto = htons(ETH_P_IP); // But replace the ethertype
162 }
163
164 struct iphdr ip = {
165 .version = 4, // u4
166 .ihl = sizeof(struct iphdr) / sizeof(__u32), // u4
167 .tos = (ip6->priority << 4) + (ip6->flow_lbl[0] >> 4), // u8
168 .tot_len = htons(tot_len), // be16
169 .id = ip_id, // be16
170 .frag_off = frag_off, // be16
171 .ttl = ip6->hop_limit, // u8
172 .protocol = proto, // u8
173 .check = 0, // u16
174 .saddr = ip6->saddr.in6_u.u6_addr32[3], // be32
175 .daddr = v->local4.s_addr, // be32
176 };
177
178 // Calculate the IPv4 one's complement checksum of the IPv4 header.
179 __wsum sum4 = 0;
180 for (int i = 0; i < sizeof(ip) / sizeof(__u16); ++i) {
181 sum4 += ((__u16*)&ip)[i];
182 }
183 // Note that sum4 is guaranteed to be non-zero by virtue of ip.version == 4
184 sum4 = (sum4 & 0xFFFF) + (sum4 >> 16); // collapse u32 into range 1 .. 0x1FFFE
185 sum4 = (sum4 & 0xFFFF) + (sum4 >> 16); // collapse any potential carry into u16
186 ip.check = (__u16)~sum4; // sum4 cannot be zero, so this is never 0xFFFF
187
188 // Calculate the *negative* IPv6 16-bit one's complement checksum of the IPv6 header.
189 __wsum sum6 = 0;
190 // We'll end up with a non-zero sum due to ip6->version == 6 (which has '0' bits)
191 for (int i = 0; i < sizeof(*ip6) / sizeof(__u16); ++i) {
192 sum6 += ~((__u16*)ip6)[i]; // note the bitwise negation
193 }
194
195 // Note that there is no L4 checksum update: we are relying on the checksum neutrality
196 // of the ipv6 address chosen by netd's ClatdController.
197
198 // Packet mutations begin - point of no return, but if this first modification fails
199 // the packet is probably still pristine, so let clatd handle it.
200 if (bpf_skb_change_proto(skb, htons(ETH_P_IP), 0)) {
201 // Mark ingress non-offloaded clat packet for dropping in ip6tables bw_raw_PREROUTING.
202 // Non-offloaded clat packet is going to be handled by clat daemon and ip6tables. The
203 // duplicate one in ip6tables is not necessary.
204 skb->mark = CLAT_MARK;
205 return TC_ACT_PIPE;
206 }
207
208 // This takes care of updating the skb->csum field for a CHECKSUM_COMPLETE packet.
209 //
210 // In such a case, skb->csum is a 16-bit one's complement sum of the entire payload,
211 // thus we need to subtract out the ipv6 header's sum, and add in the ipv4 header's sum.
212 // However, by construction of ip.check above the checksum of an ipv4 header is zero.
213 // Thus we only need to subtract the ipv6 header's sum, which is the same as adding
214 // in the sum of the bitwise negation of the ipv6 header.
215 //
216 // bpf_csum_update() always succeeds if the skb is CHECKSUM_COMPLETE and returns an error
217 // (-ENOTSUPP) if it isn't. So we just ignore the return code.
218 //
219 // if (skb->ip_summed == CHECKSUM_COMPLETE)
220 // return (skb->csum = csum_add(skb->csum, csum));
221 // else
222 // return -ENOTSUPP;
223 bpf_csum_update(skb, sum6);
224
225 // Technically 'kver < KVER_4_14' already implies 'frag_off == htons(IP_DF)' due to logic above,
226 // thus the initial 'kver >= KVER_4_14' check here is entirely superfluous.
227 //
228 // However, we *need* the compiler (when compiling the program for 4.9) to entirely
229 // optimize out the call to bpf_skb_adjust_room() bpf helper: it's not enough for it to emit
230 // an unreachable call to it, it must *not* emit it at all (otherwise the 4.9 kernel's
231 // bpf verifier will refuse to load a program with an unknown bpf helper call)
232 //
233 // This is easiest to achieve by being very explicit in the if clause,
234 // better safe than sorry...
235 //
236 // Note: we currently have no TreeHugger coverage for 4.9-T devices (there are no such
237 // Pixel or cuttlefish devices), so likely you won't notice for months if this breaks...
238 if (KVER_IS_AT_LEAST(kver, 4, 14, 0) && frag_off != htons(IP_DF)) {
239 // If we're converting an IPv6 Fragment, we need to trim off 8 more bytes
240 // We're beyond recovery on error here... but hard to imagine how this could fail.
241 if (bpf_skb_adjust_room(skb, -(__s32)sizeof(struct frag_hdr), BPF_ADJ_ROOM_NET, /*flags*/0))
242 return TC_ACT_SHOT;
243 }
244
245 try_make_writable(skb, l2_header_size + sizeof(struct iphdr));
246
247 // bpf_skb_change_proto() invalidates all pointers - reload them.
248 data = (void*)(long)skb->data;
249 data_end = (void*)(long)skb->data_end;
250
251 // I cannot think of any valid way for this error condition to trigger, however I do
252 // believe the explicit check is required to keep the in kernel ebpf verifier happy.
253 if (data + l2_header_size + sizeof(struct iphdr) > data_end) return TC_ACT_SHOT;
254
255 if (is_ethernet) {
256 struct ethhdr* new_eth = data;
257
258 // Copy over the updated ethernet header
259 *new_eth = eth2;
260
261 // Copy over the new ipv4 header.
262 *(struct iphdr*)(new_eth + 1) = ip;
263 } else {
264 // Copy over the new ipv4 header without an ethernet header.
265 *(struct iphdr*)data = ip;
266 }
267
268 // Count successfully translated packet
269 __sync_fetch_and_add(&v->packets, 1);
270 __sync_fetch_and_add(&v->bytes, skb->len - l2_header_size);
271
272 // Redirect, possibly back to same interface, so tcpdump sees packet twice.
273 if (v->oif) return bpf_redirect(v->oif, BPF_F_INGRESS);
274
275 // Just let it through, tcpdump will not see IPv4 packet.
276 return TC_ACT_PIPE;
277 }
278
279 DEFINE_BPF_PROG_KVER("schedcls/ingress6/clat_ether$4_14", AID_ROOT, AID_SYSTEM, sched_cls_ingress6_clat_ether_4_14, KVER_4_14)
280 (struct __sk_buff* skb) {
281 return nat64(skb, ETHER, KVER_4_14);
282 }
283
284 DEFINE_BPF_PROG_KVER_RANGE("schedcls/ingress6/clat_ether$4_9", AID_ROOT, AID_SYSTEM, sched_cls_ingress6_clat_ether_4_9, KVER_NONE, KVER_4_14)
285 (struct __sk_buff* skb) {
286 return nat64(skb, ETHER, KVER_NONE);
287 }
288
289 DEFINE_BPF_PROG_KVER("schedcls/ingress6/clat_rawip$4_14", AID_ROOT, AID_SYSTEM, sched_cls_ingress6_clat_rawip_4_14, KVER_4_14)
290 (struct __sk_buff* skb) {
291 return nat64(skb, RAWIP, KVER_4_14);
292 }
293
294 DEFINE_BPF_PROG_KVER_RANGE("schedcls/ingress6/clat_rawip$4_9", AID_ROOT, AID_SYSTEM, sched_cls_ingress6_clat_rawip_4_9, KVER_NONE, KVER_4_14)
295 (struct __sk_buff* skb) {
296 return nat64(skb, RAWIP, KVER_NONE);
297 }
298
299 DEFINE_BPF_MAP_GRW(clat_egress4_map, HASH, ClatEgress4Key, ClatEgress4Value, 16, AID_SYSTEM)
300
301 DEFINE_BPF_PROG("schedcls/egress4/clat_rawip", AID_ROOT, AID_SYSTEM, sched_cls_egress4_clat_rawip)
302 (struct __sk_buff* skb) {
303 // Must be meta-ethernet IPv4 frame
304 if (skb->protocol != htons(ETH_P_IP)) return TC_ACT_PIPE;
305
306 // Possibly not needed, but for consistency with nat64 up above
307 try_make_writable(skb, sizeof(struct iphdr));
308
309 void* data = (void*)(long)skb->data;
310 const void* data_end = (void*)(long)skb->data_end;
311 const struct iphdr* const ip4 = data;
312
313 // Must have ipv4 header
314 if (data + sizeof(*ip4) > data_end) return TC_ACT_PIPE;
315
316 // IP version must be 4
317 if (ip4->version != 4) return TC_ACT_PIPE;
318
319 // We cannot handle IP options, just standard 20 byte == 5 dword minimal IPv4 header
320 if (ip4->ihl != 5) return TC_ACT_PIPE;
321
322 // Calculate the IPv4 one's complement checksum of the IPv4 header.
323 __wsum sum4 = 0;
324 for (int i = 0; i < sizeof(*ip4) / sizeof(__u16); ++i) {
325 sum4 += ((__u16*)ip4)[i];
326 }
327 // Note that sum4 is guaranteed to be non-zero by virtue of ip4->version == 4
328 sum4 = (sum4 & 0xFFFF) + (sum4 >> 16); // collapse u32 into range 1 .. 0x1FFFE
329 sum4 = (sum4 & 0xFFFF) + (sum4 >> 16); // collapse any potential carry into u16
330 // for a correct checksum we should get *a* zero, but sum4 must be positive, ie 0xFFFF
331 if (sum4 != 0xFFFF) return TC_ACT_PIPE;
332
333 // Minimum IPv4 total length is the size of the header
334 if (ntohs(ip4->tot_len) < sizeof(*ip4)) return TC_ACT_PIPE;
335
336 // We are incapable of dealing with IPv4 fragments
337 if (ip4->frag_off & ~htons(IP_DF)) return TC_ACT_PIPE;
338
339 switch (ip4->protocol) {
340 case IPPROTO_TCP: // For TCP, UDP & UDPLITE the checksum neutrality of the chosen
341 case IPPROTO_UDPLITE: // IPv6 address means there is no need to update their checksums.
342 case IPPROTO_GRE: // We do not need to bother looking at GRE/ESP headers,
343 case IPPROTO_ESP: // since there is never a checksum to update.
344 break;
345
346 case IPPROTO_UDP: // See above comment, but must also have UDP header...
347 if (data + sizeof(*ip4) + sizeof(struct udphdr) > data_end) return TC_ACT_PIPE;
348 const struct udphdr* uh = (const struct udphdr*)(ip4 + 1);
349 // If IPv4/UDP checksum is 0 then fallback to clatd so it can calculate the
350 // checksum. Otherwise the network or more likely the NAT64 gateway might
351 // drop the packet because in most cases IPv6/UDP packets with a zero checksum
352 // are invalid. See RFC 6935. TODO: calculate checksum via bpf_csum_diff()
353 if (!uh->check) return TC_ACT_PIPE;
354 break;
355
356 default: // do not know how to handle anything else
357 return TC_ACT_PIPE;
358 }
359
360 ClatEgress4Key k = {
361 .iif = skb->ifindex,
362 .local4.s_addr = ip4->saddr,
363 };
364
365 ClatEgress4Value* v = bpf_clat_egress4_map_lookup_elem(&k);
366
367 if (!v) return TC_ACT_PIPE;
368
369 // Translating without redirecting doesn't make sense.
370 if (!v->oif) return TC_ACT_PIPE;
371
372 // This implementation is currently limited to rawip.
373 if (v->oifIsEthernet) return TC_ACT_PIPE;
374
375 struct ipv6hdr ip6 = {
376 .version = 6, // __u8:4
377 .priority = ip4->tos >> 4, // __u8:4
378 .flow_lbl = {(ip4->tos & 0xF) << 4, 0, 0}, // __u8[3]
379 .payload_len = htons(ntohs(ip4->tot_len) - 20), // __be16
380 .nexthdr = ip4->protocol, // __u8
381 .hop_limit = ip4->ttl, // __u8
382 .saddr = v->local6, // struct in6_addr
383 .daddr = v->pfx96, // struct in6_addr
384 };
385 ip6.daddr.in6_u.u6_addr32[3] = ip4->daddr;
386
387 // Calculate the IPv6 16-bit one's complement checksum of the IPv6 header.
388 __wsum sum6 = 0;
389 // We'll end up with a non-zero sum due to ip6.version == 6
390 for (int i = 0; i < sizeof(ip6) / sizeof(__u16); ++i) {
391 sum6 += ((__u16*)&ip6)[i];
392 }
393
394 // Note that there is no L4 checksum update: we are relying on the checksum neutrality
395 // of the ipv6 address chosen by netd's ClatdController.
396
397 // Packet mutations begin - point of no return, but if this first modification fails
398 // the packet is probably still pristine, so let clatd handle it.
399 if (bpf_skb_change_proto(skb, htons(ETH_P_IPV6), 0)) return TC_ACT_PIPE;
400
401 // This takes care of updating the skb->csum field for a CHECKSUM_COMPLETE packet.
402 //
403 // In such a case, skb->csum is a 16-bit one's complement sum of the entire payload,
404 // thus we need to subtract out the ipv4 header's sum, and add in the ipv6 header's sum.
405 // However, we've already verified the ipv4 checksum is correct and thus 0.
406 // Thus we only need to add the ipv6 header's sum.
407 //
408 // bpf_csum_update() always succeeds if the skb is CHECKSUM_COMPLETE and returns an error
409 // (-ENOTSUPP) if it isn't. So we just ignore the return code (see above for more details).
410 bpf_csum_update(skb, sum6);
411
412 // bpf_skb_change_proto() invalidates all pointers - reload them.
413 data = (void*)(long)skb->data;
414 data_end = (void*)(long)skb->data_end;
415
416 // I cannot think of any valid way for this error condition to trigger, however I do
417 // believe the explicit check is required to keep the in kernel ebpf verifier happy.
418 if (data + sizeof(ip6) > data_end) return TC_ACT_SHOT;
419
420 // Copy over the new ipv6 header without an ethernet header.
421 *(struct ipv6hdr*)data = ip6;
422
423 // Count successfully translated packet
424 __sync_fetch_and_add(&v->packets, 1);
425 __sync_fetch_and_add(&v->bytes, skb->len);
426
427 // Redirect to non v4-* interface. Tcpdump only sees packet after this redirect.
428 return bpf_redirect(v->oif, 0 /* this is effectively BPF_F_EGRESS */);
429 }
430
431 LICENSE("Apache 2.0");
432 CRITICAL("Connectivity");
433 DISABLE_BTF_ON_USER_BUILDS();
434 DISABLE_ON_MAINLINE_BEFORE_U_QPR3();
435