// SPDX-License-Identifier: GPL-2.0-or-later
/*
 *	IPv6 input
 *	Linux INET6 implementation
 *
 *	Authors:
 *	Pedro Roque		<roque@di.fc.ul.pt>
 *	Ian P. Morris		<I.P.Morris@soton.ac.uk>
 *
 *	Based on linux/net/ipv4/ip_input.c
 */
/* Changes
 *
 *	Mitsuru KANDA @USAGI and
 *	YOSHIFUJI Hideaki @USAGI: Remove ipv6_parse_exthdrs().
 */

#include <linux/errno.h>
#include <linux/types.h>
#include <linux/socket.h>
#include <linux/sockios.h>
#include <linux/net.h>
#include <linux/netdevice.h>
#include <linux/in6.h>
#include <linux/icmpv6.h>
#include <linux/mroute6.h>
#include <linux/slab.h>
#include <linux/indirect_call_wrapper.h>

#include <linux/netfilter.h>
#include <linux/netfilter_ipv6.h>

#include <net/sock.h>
#include <net/snmp.h>

#include <net/ipv6.h>
#include <net/protocol.h>
#include <net/transp_v6.h>
#include <net/rawv6.h>
#include <net/ndisc.h>
#include <net/ip6_route.h>
#include <net/addrconf.h>
#include <net/xfrm.h>
#include <net/inet_ecn.h>
#include <net/dst_metadata.h>

void udp_v6_early_demux(struct sk_buff *);
void tcp_v6_early_demux(struct sk_buff *);
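
/*
 * If no dst or owning socket has been attached yet, ip6_rcv_finish_core()
 * below attempts an "early demux": look the TCP/UDP socket up directly
 * from the IPv6 header so its cached dst can be reused.  This is gated by
 * the net.ipv4.{ip,tcp,udp}_early_demux sysctls, which despite their
 * names also govern IPv6.  When no valid dst results, it falls back to a
 * normal routing lookup via ip6_route_input().
 */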
static void ip6_rcv_finish_core(struct net *net, struct sock *sk,
				struct sk_buff *skb)
{
	if (READ_ONCE(net->ipv4.sysctl_ip_early_demux) &&
	    !skb_dst(skb) && !skb->sk) {
		switch (ipv6_hdr(skb)->nexthdr) {
		case IPPROTO_TCP:
			if (READ_ONCE(net->ipv4.sysctl_tcp_early_demux))
				tcp_v6_early_demux(skb);
			break;
		case IPPROTO_UDP:
			if (READ_ONCE(net->ipv4.sysctl_udp_early_demux))
				udp_v6_early_demux(skb);
			break;
		}
	}

	if (!skb_valid_dst(skb))
		ip6_route_input(skb);
}

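/*
 * ip6_rcv_finish() is the okfn run after the NF_INET_PRE_ROUTING hook:
 * route the packet and hand it to dst_input(), which ends up in
 * ip6_input(), ip6_forward() or ip6_mc_input() depending on the dst.
 */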
int ip6_rcv_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
{
	/* if ingress device is enslaved to an L3 master device pass the
	 * skb to its handler for processing
	 */
	skb = l3mdev_ip6_rcv(skb);
	if (!skb)
		return NET_RX_SUCCESS;
	ip6_rcv_finish_core(net, sk, skb);

	return dst_input(skb);
}

static void ip6_sublist_rcv_finish(struct list_head *head)
{
	struct sk_buff *skb, *next;

	list_for_each_entry_safe(skb, next, head, list) {
		skb_list_del_init(skb);
		dst_input(skb);
	}
}

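/*
 * ip6_list_rcv_finish() splits the incoming list into runs of packets
 * sharing the same dst_entry, so each run is pushed through dst_input()
 * back to back while the dst is cache-hot.
 */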
static void ip6_list_rcv_finish(struct net *net, struct sock *sk,
				struct list_head *head)
{
	struct dst_entry *curr_dst = NULL;
	struct sk_buff *skb, *next;
	struct list_head sublist;

	INIT_LIST_HEAD(&sublist);
	list_for_each_entry_safe(skb, next, head, list) {
		struct dst_entry *dst;

		skb_list_del_init(skb);
		/* if ingress device is enslaved to an L3 master device pass the
		 * skb to its handler for processing
		 */
		skb = l3mdev_ip6_rcv(skb);
		if (!skb)
			continue;
		ip6_rcv_finish_core(net, sk, skb);
		dst = skb_dst(skb);
		if (curr_dst != dst) {
			/* dispatch old sublist */
			if (!list_empty(&sublist))
				ip6_sublist_rcv_finish(&sublist);
			/* start new sublist */
			INIT_LIST_HEAD(&sublist);
			curr_dst = dst;
		}
		list_add_tail(&skb->list, &sublist);
	}
	/* dispatch final sublist */
	ip6_sublist_rcv_finish(&sublist);
}

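/*
 * ip6_rcv_core() performs the stateless sanity checks on an incoming
 * packet: IP version, the loopback and multicast-scope rules cited from
 * RFC 4291 below, payload length against the actual skb length, and
 * hop-by-hop option parsing.  It returns the (possibly unshared) skb, or
 * NULL if the packet was dropped or otherwise consumed.
 */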
static struct sk_buff *ip6_rcv_core(struct sk_buff *skb, struct net_device *dev,
				    struct net *net)
{
	const struct ipv6hdr *hdr;
	u32 pkt_len;
	struct inet6_dev *idev;

	if (skb->pkt_type == PACKET_OTHERHOST) {
		kfree_skb(skb);
		return NULL;
	}

	rcu_read_lock();

	idev = __in6_dev_get(skb->dev);

	__IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_IN, skb->len);

	if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL ||
	    !idev || unlikely(idev->cnf.disable_ipv6)) {
		__IP6_INC_STATS(net, idev, IPSTATS_MIB_INDISCARDS);
		goto drop;
	}

	memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm));

	/*
	 *	Store the incoming device index: once the packet has been
	 *	queued, we can no longer refer to skb->dev.
	 *
	 *	BTW, when we send a packet to one of our own local addresses
	 *	on a non-loopback interface (e.g. ethX), it is delivered here
	 *	via the loopback interface (lo); skb->dev = loopback_dev.
	 *	It should nevertheless be treated as if it arrived via the
	 *	sending interface (ethX), because of the nature of the
	 *	scoping architecture. --yoshfuji
	 */
	IP6CB(skb)->iif = skb_valid_dst(skb) ? ip6_dst_idev(skb_dst(skb))->dev->ifindex : dev->ifindex;

	if (unlikely(!pskb_may_pull(skb, sizeof(*hdr))))
		goto err;

	hdr = ipv6_hdr(skb);

	if (hdr->version != 6)
		goto err;

	__IP6_ADD_STATS(net, idev,
			IPSTATS_MIB_NOECTPKTS +
				(ipv6_get_dsfield(hdr) & INET_ECN_MASK),
			max_t(unsigned short, 1, skb_shinfo(skb)->gso_segs));
	/*
	 * RFC4291 2.5.3
	 * The loopback address must not be used as the source address in IPv6
	 * packets that are sent outside of a single node. [..]
	 * A packet received on an interface with a destination address
	 * of loopback must be dropped.
	 */
	if ((ipv6_addr_loopback(&hdr->saddr) ||
	     ipv6_addr_loopback(&hdr->daddr)) &&
	    !(dev->flags & IFF_LOOPBACK) &&
	    !netif_is_l3_master(dev))
		goto err;

	/* RFC4291 Errata ID: 3480
	 * Interface-Local scope spans only a single interface on a
	 * node and is useful only for loopback transmission of
	 * multicast.  Packets with interface-local scope received
	 * from another node must be discarded.
	 */
	if (!(skb->pkt_type == PACKET_LOOPBACK ||
	      dev->flags & IFF_LOOPBACK) &&
	    ipv6_addr_is_multicast(&hdr->daddr) &&
	    IPV6_ADDR_MC_SCOPE(&hdr->daddr) == 1)
		goto err;

	/* If enabled, drop unicast packets that were encapsulated in
	 * link-layer multicast or broadcast to protect against the
	 * so-called "hole-196" attack in 802.11 wireless.
	 */
	if (!ipv6_addr_is_multicast(&hdr->daddr) &&
	    (skb->pkt_type == PACKET_BROADCAST ||
	     skb->pkt_type == PACKET_MULTICAST) &&
	    idev->cnf.drop_unicast_in_l2_multicast)
		goto err;

	/* RFC4291 2.7
	 * Nodes must not originate a packet to a multicast address whose scope
	 * field contains the reserved value 0; if such a packet is received, it
	 * must be silently dropped.
	 */
	if (ipv6_addr_is_multicast(&hdr->daddr) &&
	    IPV6_ADDR_MC_SCOPE(&hdr->daddr) == 0)
		goto err;

	/*
	 * RFC4291 2.7
	 * Multicast addresses must not be used as source addresses in IPv6
	 * packets or appear in any Routing header.
	 */
	if (ipv6_addr_is_multicast(&hdr->saddr))
		goto err;

	skb->transport_header = skb->network_header + sizeof(*hdr);
	IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);

	pkt_len = ntohs(hdr->payload_len);

	/* pkt_len may be zero if Jumbo payload option is present */
	if (pkt_len || hdr->nexthdr != NEXTHDR_HOP) {
		if (pkt_len + sizeof(struct ipv6hdr) > skb->len) {
			__IP6_INC_STATS(net,
					idev, IPSTATS_MIB_INTRUNCATEDPKTS);
			goto drop;
		}
		if (pskb_trim_rcsum(skb, pkt_len + sizeof(struct ipv6hdr))) {
			__IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS);
			goto drop;
		}
		hdr = ipv6_hdr(skb);
	}

	if (hdr->nexthdr == NEXTHDR_HOP) {
		if (ipv6_parse_hopopts(skb) < 0) {
			__IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS);
			rcu_read_unlock();
			return NULL;
		}
	}

	rcu_read_unlock();

	/* Must drop socket now because of tproxy. */
	skb_orphan(skb);

	return skb;
err:
	__IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS);
drop:
	rcu_read_unlock();
	kfree_skb(skb);
	return NULL;
}

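/*
 * ipv6_rcv() is the packet_type handler for ETH_P_IPV6 frames: validate
 * the packet in ip6_rcv_core(), then run it through the
 * NF_INET_PRE_ROUTING netfilter hook on its way to ip6_rcv_finish().
 */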
int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, struct net_device *orig_dev)
{
	struct net *net = dev_net(skb->dev);

	skb = ip6_rcv_core(skb, dev, net);
	if (skb == NULL)
		return NET_RX_DROP;
	return NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING,
		       net, NULL, skb, dev, NULL,
		       ip6_rcv_finish);
}

static void ip6_sublist_rcv(struct list_head *head, struct net_device *dev,
			    struct net *net)
{
	NF_HOOK_LIST(NFPROTO_IPV6, NF_INET_PRE_ROUTING, net, NULL,
		     head, dev, NULL, ip6_rcv_finish);
	ip6_list_rcv_finish(net, NULL, head);
}

/* Receive a list of IPv6 packets.  The list is cut on (net, device)
 * boundaries so each sublist can be run through the PRE_ROUTING hook and
 * the routing code as one batch.
 */
void ipv6_list_rcv(struct list_head *head, struct packet_type *pt,
		   struct net_device *orig_dev)
{
	struct net_device *curr_dev = NULL;
	struct net *curr_net = NULL;
	struct sk_buff *skb, *next;
	struct list_head sublist;

	INIT_LIST_HEAD(&sublist);
	list_for_each_entry_safe(skb, next, head, list) {
		struct net_device *dev = skb->dev;
		struct net *net = dev_net(dev);

		skb_list_del_init(skb);
		skb = ip6_rcv_core(skb, dev, net);
		if (skb == NULL)
			continue;

		if (curr_dev != dev || curr_net != net) {
			/* dispatch old sublist */
			if (!list_empty(&sublist))
				ip6_sublist_rcv(&sublist, curr_dev, curr_net);
			/* start new sublist */
			INIT_LIST_HEAD(&sublist);
			curr_dev = dev;
			curr_net = net;
		}
		list_add_tail(&skb->list, &sublist);
	}
	/* dispatch final sublist; it is empty (and curr_net is still NULL)
	 * if every packet was consumed above, so skip the hook in that case
	 */
	if (!list_empty(&sublist))
		ip6_sublist_rcv(&sublist, curr_dev, curr_net);
}

INDIRECT_CALLABLE_DECLARE(int udpv6_rcv(struct sk_buff *));
INDIRECT_CALLABLE_DECLARE(int tcp_v6_rcv(struct sk_buff *));
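
/*
 * The handlers dispatched below are registered in the inet6_protos[]
 * array via inet6_add_protocol().  A minimal sketch of such a
 * registration (the protocol name, handler and number are illustrative,
 * not taken from this file):
 *
 *	static const struct inet6_protocol foo6_protocol = {
 *		.handler	= foo6_rcv,
 *		.flags		= INET6_PROTO_NOPOLICY | INET6_PROTO_FINAL,
 *	};
 *
 *	inet6_add_protocol(&foo6_protocol, IPPROTO_FOO);
 */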

/*
 *	Deliver the packet to the host: walk the extension-header chain,
 *	give matching raw sockets their copy, and hand the payload to the
 *	inet6_protocol handler registered for the final next-header value.
 *	Called under rcu_read_lock().
 */
void ip6_protocol_deliver_rcu(struct net *net, struct sk_buff *skb, int nexthdr,
			      bool have_final)
{
	const struct inet6_protocol *ipprot;
	struct inet6_dev *idev;
	unsigned int nhoff;
	bool raw;

	/*
	 *	Parse extension headers
	 */

resubmit:
	idev = ip6_dst_idev(skb_dst(skb));
	nhoff = IP6CB(skb)->nhoff;
	if (!have_final) {
		if (!pskb_pull(skb, skb_transport_offset(skb)))
			goto discard;
		nexthdr = skb_network_header(skb)[nhoff];
	}

resubmit_final:
	raw = raw6_local_deliver(skb, nexthdr);
	ipprot = rcu_dereference(inet6_protos[nexthdr]);
	if (ipprot) {
		int ret;

		if (have_final) {
			if (!(ipprot->flags & INET6_PROTO_FINAL)) {
				/* Once we've seen a final protocol don't
				 * allow encapsulation on any non-final
				 * ones. This allows foo in UDP encapsulation
				 * to work.
				 */
				goto discard;
			}
		} else if (ipprot->flags & INET6_PROTO_FINAL) {
			const struct ipv6hdr *hdr;
			int sdif = inet6_sdif(skb);
			struct net_device *dev;

			/* Only do this once for first final protocol */
			have_final = true;

			/* Free reference early: we don't need it any more,
			   and it may hold ip_conntrack module loaded
			   indefinitely. */
			nf_reset_ct(skb);

			skb_postpull_rcsum(skb, skb_network_header(skb),
					   skb_network_header_len(skb));
			hdr = ipv6_hdr(skb);

			/* skb->dev passed may be master dev for vrfs. */
			if (sdif) {
				dev = dev_get_by_index_rcu(net, sdif);
				if (!dev)
					goto discard;
			} else {
				dev = skb->dev;
			}

			if (ipv6_addr_is_multicast(&hdr->daddr) &&
			    !ipv6_chk_mcast_addr(dev, &hdr->daddr,
						 &hdr->saddr) &&
			    !ipv6_is_mld(skb, nexthdr, skb_network_header_len(skb)))
				goto discard;
		}
		if (!(ipprot->flags & INET6_PROTO_NOPOLICY) &&
		    !xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb))
			goto discard;

		ret = INDIRECT_CALL_2(ipprot->handler, tcp_v6_rcv, udpv6_rcv,
				      skb);
		if (ret > 0) {
			if (ipprot->flags & INET6_PROTO_FINAL) {
				/* Not an extension header, most likely UDP
				 * encapsulation. Use return value as nexthdr
				 * protocol not nhoff (which presumably is
				 * not set by handler).
				 */
				nexthdr = ret;
				goto resubmit_final;
			} else {
				goto resubmit;
			}
		} else if (ret == 0) {
			__IP6_INC_STATS(net, idev, IPSTATS_MIB_INDELIVERS);
		}
	} else {
		if (!raw) {
			if (xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
				__IP6_INC_STATS(net, idev,
						IPSTATS_MIB_INUNKNOWNPROTOS);
				icmpv6_send(skb, ICMPV6_PARAMPROB,
					    ICMPV6_UNK_NEXTHDR, nhoff);
			}
			kfree_skb(skb);
		} else {
			__IP6_INC_STATS(net, idev, IPSTATS_MIB_INDELIVERS);
			consume_skb(skb);
		}
	}
	return;

discard:
	__IP6_INC_STATS(net, idev, IPSTATS_MIB_INDISCARDS);
	kfree_skb(skb);
}

static int ip6_input_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
{
	rcu_read_lock();
	ip6_protocol_deliver_rcu(net, skb, 0, false);
	rcu_read_unlock();

	return 0;
}
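
/*
 * ip6_input() is the dst_input() entry point for packets routed to the
 * local host: run the NF_INET_LOCAL_IN hook, then deliver the packet via
 * ip6_input_finish().
 */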
int ip6_input(struct sk_buff *skb)
{
	return NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_IN,
		       dev_net(skb->dev), NULL, skb, skb->dev, NULL,
		       ip6_input_finish);
}
EXPORT_SYMBOL_GPL(ip6_input);
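
/*
 * ip6_mc_input() handles packets with a multicast destination address:
 * deliver locally when the group is joined on the receiving device, and,
 * with CONFIG_IPV6_MROUTE and mc_forwarding enabled, give a clone to
 * ip6_mr_input() for forwarding.  A Router Alert option is inspected so
 * that MLD messages are still processed locally.
 */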
int ip6_mc_input(struct sk_buff *skb)
{
	int sdif = inet6_sdif(skb);
	const struct ipv6hdr *hdr;
	struct net_device *dev;
	bool deliver;

	__IP6_UPD_PO_STATS(dev_net(skb_dst(skb)->dev),
			   __in6_dev_get_safely(skb->dev), IPSTATS_MIB_INMCAST,
			   skb->len);

	/* skb->dev passed may be master dev for vrfs. */
	if (sdif) {
		rcu_read_lock();
		dev = dev_get_by_index_rcu(dev_net(skb->dev), sdif);
		if (!dev) {
			rcu_read_unlock();
			kfree_skb(skb);
			return -ENODEV;
		}
	} else {
		dev = skb->dev;
	}

	hdr = ipv6_hdr(skb);
	deliver = ipv6_chk_mcast_addr(dev, &hdr->daddr, NULL);
	if (sdif)
		rcu_read_unlock();

#ifdef CONFIG_IPV6_MROUTE
	/*
	 *	IPv6 multicast router mode is now supported ;)
	 */
	if (atomic_read(&dev_net(skb->dev)->ipv6.devconf_all->mc_forwarding) &&
	    !(ipv6_addr_type(&hdr->daddr) &
	      (IPV6_ADDR_LOOPBACK|IPV6_ADDR_LINKLOCAL)) &&
	    likely(!(IP6CB(skb)->flags & IP6SKB_FORWARDED))) {
		/*
		 * Okay, we try to forward - split and duplicate
		 * packets.
		 */
		struct sk_buff *skb2;
		struct inet6_skb_parm *opt = IP6CB(skb);

		/* Check for MLD */
		if (unlikely(opt->flags & IP6SKB_ROUTERALERT)) {
			/* Check if this is a mld message */
			u8 nexthdr = hdr->nexthdr;
			__be16 frag_off;
			int offset;

			/* Check if the value of Router Alert
			 * is for MLD (0x0000).
			 */
			if (opt->ra == htons(IPV6_OPT_ROUTERALERT_MLD)) {
				deliver = false;

				if (!ipv6_ext_hdr(nexthdr)) {
					/* BUG */
					goto out;
				}
				offset = ipv6_skip_exthdr(skb, sizeof(*hdr),
							  &nexthdr, &frag_off);
				if (offset < 0)
					goto out;

				if (ipv6_is_mld(skb, nexthdr, offset))
					deliver = true;

				goto out;
			}
			/* unknown RA - process it normally */
		}

		if (deliver)
			skb2 = skb_clone(skb, GFP_ATOMIC);
		else {
			skb2 = skb;
			skb = NULL;
		}

		if (skb2) {
			ip6_mr_input(skb2);
		}
	}
out:
#endif
	if (likely(deliver))
		ip6_input(skb);
	else {
		/* discard */
		kfree_skb(skb);
	}

	return 0;
}