npf_inet.c revision 1.37.12.7
1 /*- 2 * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. 3 * All rights reserved. 4 * 5 * This material is based upon work partially supported by The 6 * NetBSD Foundation under a contract with Mindaugas Rasiukevicius. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 18 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 19 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 20 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 21 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 23 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 24 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 25 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 26 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30 /* 31 * Various protocol related helper routines. 32 * 33 * This layer manipulates npf_cache_t structure i.e. caches requested headers 34 * and stores which information was cached in the information bit field. 35 * It is also responsibility of this layer to update or invalidate the cache 36 * on rewrites (e.g. by translation routines). 37 */ 38 39 #ifdef _KERNEL 40 #include <sys/cdefs.h> 41 __KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.37.12.7 2018/09/30 01:45:56 pgoyette Exp $"); 42 43 #include <sys/param.h> 44 #include <sys/types.h> 45 46 #include <net/pfil.h> 47 #include <net/if.h> 48 #include <net/ethertypes.h> 49 #include <net/if_ether.h> 50 51 #include <netinet/in_systm.h> 52 #include <netinet/in.h> 53 #include <netinet6/in6_var.h> 54 #include <netinet/ip.h> 55 #include <netinet/ip6.h> 56 #include <netinet/tcp.h> 57 #include <netinet/udp.h> 58 #include <netinet/ip_icmp.h> 59 #endif 60 61 #include "npf_impl.h" 62 63 /* 64 * npf_fixup{16,32}_cksum: incremental update of the Internet checksum. 65 */ 66 67 uint16_t 68 npf_fixup16_cksum(uint16_t cksum, uint16_t odatum, uint16_t ndatum) 69 { 70 uint32_t sum; 71 72 /* 73 * RFC 1624: 74 * HC' = ~(~HC + ~m + m') 75 * 76 * Note: 1's complement sum is endian-independent (RFC 1071, page 2). 77 */ 78 sum = ~cksum & 0xffff; 79 sum += (~odatum & 0xffff) + ndatum; 80 sum = (sum >> 16) + (sum & 0xffff); 81 sum += (sum >> 16); 82 83 return ~sum & 0xffff; 84 } 85 86 uint16_t 87 npf_fixup32_cksum(uint16_t cksum, uint32_t odatum, uint32_t ndatum) 88 { 89 uint32_t sum; 90 91 /* 92 * Checksum 32-bit datum as as two 16-bit. Note, the first 93 * 32->16 bit reduction is not necessary. 94 */ 95 sum = ~cksum & 0xffff; 96 sum += (~odatum & 0xffff) + (ndatum & 0xffff); 97 98 sum += (~odatum >> 16) + (ndatum >> 16); 99 sum = (sum >> 16) + (sum & 0xffff); 100 sum += (sum >> 16); 101 return ~sum & 0xffff; 102 } 103 104 /* 105 * npf_addr_cksum: calculate checksum of the address, either IPv4 or IPv6. 106 */ 107 uint16_t 108 npf_addr_cksum(uint16_t cksum, int sz, const npf_addr_t *oaddr, 109 const npf_addr_t *naddr) 110 { 111 const uint32_t *oip32 = (const uint32_t *)oaddr; 112 const uint32_t *nip32 = (const uint32_t *)naddr; 113 114 KASSERT(sz % sizeof(uint32_t) == 0); 115 do { 116 cksum = npf_fixup32_cksum(cksum, *oip32++, *nip32++); 117 sz -= sizeof(uint32_t); 118 } while (sz); 119 120 return cksum; 121 } 122 123 /* 124 * npf_addr_sum: provide IP addresses as a XORed 32-bit integer. 125 * Note: used for hash function. 126 */ 127 uint32_t 128 npf_addr_mix(const int sz, const npf_addr_t *a1, const npf_addr_t *a2) 129 { 130 uint32_t mix = 0; 131 132 KASSERT(sz > 0 && a1 != NULL && a2 != NULL); 133 134 for (int i = 0; i < (sz >> 2); i++) { 135 mix ^= a1->word32[i]; 136 mix ^= a2->word32[i]; 137 } 138 return mix; 139 } 140 141 /* 142 * npf_addr_mask: apply the mask to a given address and store the result. 143 */ 144 void 145 npf_addr_mask(const npf_addr_t *addr, const npf_netmask_t mask, 146 const int alen, npf_addr_t *out) 147 { 148 const int nwords = alen >> 2; 149 uint_fast8_t length = mask; 150 151 /* Note: maximum length is 32 for IPv4 and 128 for IPv6. */ 152 KASSERT(length <= NPF_MAX_NETMASK); 153 154 for (int i = 0; i < nwords; i++) { 155 uint32_t wordmask; 156 157 if (length >= 32) { 158 wordmask = htonl(0xffffffff); 159 length -= 32; 160 } else if (length) { 161 wordmask = htonl(0xffffffff << (32 - length)); 162 length = 0; 163 } else { 164 wordmask = 0; 165 } 166 out->word32[i] = addr->word32[i] & wordmask; 167 } 168 } 169 170 /* 171 * npf_addr_cmp: compare two addresses, either IPv4 or IPv6. 172 * 173 * => Return 0 if equal and negative/positive if less/greater accordingly. 174 * => Ignore the mask, if NPF_NO_NETMASK is specified. 175 */ 176 int 177 npf_addr_cmp(const npf_addr_t *addr1, const npf_netmask_t mask1, 178 const npf_addr_t *addr2, const npf_netmask_t mask2, const int alen) 179 { 180 npf_addr_t realaddr1, realaddr2; 181 182 if (mask1 != NPF_NO_NETMASK) { 183 npf_addr_mask(addr1, mask1, alen, &realaddr1); 184 addr1 = &realaddr1; 185 } 186 if (mask2 != NPF_NO_NETMASK) { 187 npf_addr_mask(addr2, mask2, alen, &realaddr2); 188 addr2 = &realaddr2; 189 } 190 return memcmp(addr1, addr2, alen); 191 } 192 193 /* 194 * npf_tcpsaw: helper to fetch SEQ, ACK, WIN and return TCP data length. 195 * 196 * => Returns all values in host byte-order. 197 */ 198 int 199 npf_tcpsaw(const npf_cache_t *npc, tcp_seq *seq, tcp_seq *ack, uint32_t *win) 200 { 201 const struct tcphdr *th = npc->npc_l4.tcp; 202 u_int thlen; 203 204 KASSERT(npf_iscached(npc, NPC_TCP)); 205 206 *seq = ntohl(th->th_seq); 207 *ack = ntohl(th->th_ack); 208 *win = (uint32_t)ntohs(th->th_win); 209 thlen = th->th_off << 2; 210 211 if (npf_iscached(npc, NPC_IP4)) { 212 const struct ip *ip = npc->npc_ip.v4; 213 return ntohs(ip->ip_len) - npc->npc_hlen - thlen; 214 } else if (npf_iscached(npc, NPC_IP6)) { 215 const struct ip6_hdr *ip6 = npc->npc_ip.v6; 216 return ntohs(ip6->ip6_plen) - 217 (npc->npc_hlen - sizeof(*ip6)) - thlen; 218 } 219 return 0; 220 } 221 222 /* 223 * npf_fetch_tcpopts: parse and return TCP options. 224 */ 225 bool 226 npf_fetch_tcpopts(npf_cache_t *npc, uint16_t *mss, int *wscale) 227 { 228 nbuf_t *nbuf = npc->npc_nbuf; 229 const struct tcphdr *th = npc->npc_l4.tcp; 230 int cnt, optlen = 0; 231 uint8_t *cp, opt; 232 uint8_t val; 233 bool ok; 234 235 KASSERT(npf_iscached(npc, NPC_IP46)); 236 KASSERT(npf_iscached(npc, NPC_TCP)); 237 238 /* Determine if there are any TCP options, get their length. */ 239 cnt = (th->th_off << 2) - sizeof(struct tcphdr); 240 if (cnt <= 0) { 241 /* No options. */ 242 return false; 243 } 244 KASSERT(cnt <= MAX_TCPOPTLEN); 245 246 /* Fetch all the options at once. */ 247 nbuf_reset(nbuf); 248 const int step = npc->npc_hlen + sizeof(struct tcphdr); 249 if ((cp = nbuf_advance(nbuf, step, cnt)) == NULL) { 250 ok = false; 251 goto done; 252 } 253 254 /* Scan the options. */ 255 for (; cnt > 0; cnt -= optlen, cp += optlen) { 256 opt = cp[0]; 257 if (opt == TCPOPT_EOL) 258 break; 259 if (opt == TCPOPT_NOP) 260 optlen = 1; 261 else { 262 if (cnt < 2) 263 break; 264 optlen = cp[1]; 265 if (optlen < 2 || optlen > cnt) 266 break; 267 } 268 269 switch (opt) { 270 case TCPOPT_MAXSEG: 271 if (optlen != TCPOLEN_MAXSEG) 272 continue; 273 if (mss) { 274 memcpy(mss, cp + 2, sizeof(uint16_t)); 275 } 276 break; 277 case TCPOPT_WINDOW: 278 if (optlen != TCPOLEN_WINDOW) 279 continue; 280 val = *(cp + 2); 281 *wscale = (val > TCP_MAX_WINSHIFT) ? TCP_MAX_WINSHIFT : val; 282 break; 283 default: 284 break; 285 } 286 } 287 288 ok = true; 289 done: 290 if (nbuf_flag_p(nbuf, NBUF_DATAREF_RESET)) { 291 npf_recache(npc); 292 } 293 return ok; 294 } 295 296 /* 297 * npf_set_mss: set the MSS. 298 */ 299 bool 300 npf_set_mss(npf_cache_t *npc, uint16_t mss, uint16_t *old, uint16_t *new, 301 bool *mid) 302 { 303 nbuf_t *nbuf = npc->npc_nbuf; 304 const struct tcphdr *th = npc->npc_l4.tcp; 305 int cnt, optlen = 0; 306 uint8_t *cp, *base, opt; 307 bool ok; 308 309 KASSERT(npf_iscached(npc, NPC_IP46)); 310 KASSERT(npf_iscached(npc, NPC_TCP)); 311 312 /* Determine if there are any TCP options, get their length. */ 313 cnt = (th->th_off << 2) - sizeof(struct tcphdr); 314 if (cnt <= 0) { 315 /* No options. */ 316 return false; 317 } 318 KASSERT(cnt <= MAX_TCPOPTLEN); 319 320 /* Fetch all the options at once. */ 321 nbuf_reset(nbuf); 322 const int step = npc->npc_hlen + sizeof(struct tcphdr); 323 if ((base = nbuf_advance(nbuf, step, cnt)) == NULL) { 324 ok = false; 325 goto done; 326 } 327 328 /* Scan the options. */ 329 for (cp = base; cnt > 0; cnt -= optlen, cp += optlen) { 330 opt = cp[0]; 331 if (opt == TCPOPT_EOL) 332 break; 333 if (opt == TCPOPT_NOP) 334 optlen = 1; 335 else { 336 if (cnt < 2) 337 break; 338 optlen = cp[1]; 339 if (optlen < 2 || optlen > cnt) 340 break; 341 } 342 343 switch (opt) { 344 case TCPOPT_MAXSEG: 345 if (optlen != TCPOLEN_MAXSEG) 346 continue; 347 if (((cp + 2) - base) % sizeof(uint16_t) != 0) { 348 *mid = true; 349 memcpy(&old[0], cp + 1, sizeof(uint16_t)); 350 memcpy(&old[1], cp + 3, sizeof(uint16_t)); 351 memcpy(cp + 2, &mss, sizeof(uint16_t)); 352 memcpy(&new[0], cp + 1, sizeof(uint16_t)); 353 memcpy(&new[1], cp + 3, sizeof(uint16_t)); 354 } else { 355 *mid = false; 356 memcpy(cp + 2, &mss, sizeof(uint16_t)); 357 } 358 break; 359 default: 360 break; 361 } 362 } 363 364 ok = true; 365 done: 366 if (nbuf_flag_p(nbuf, NBUF_DATAREF_RESET)) { 367 npf_recache(npc); 368 } 369 return ok; 370 } 371 372 static int 373 npf_cache_ip(npf_cache_t *npc, nbuf_t *nbuf) 374 { 375 const void *nptr = nbuf_dataptr(nbuf); 376 const uint8_t ver = *(const uint8_t *)nptr; 377 int flags = 0; 378 379 /* 380 * We intentionally don't read the L4 payload after IPPROTO_AH. 381 */ 382 383 switch (ver >> 4) { 384 case IPVERSION: { 385 struct ip *ip; 386 387 ip = nbuf_ensure_contig(nbuf, sizeof(struct ip)); 388 if (ip == NULL) { 389 return NPC_FMTERR; 390 } 391 392 /* Retrieve the complete header. */ 393 if ((u_int)(ip->ip_hl << 2) < sizeof(struct ip)) { 394 return NPC_FMTERR; 395 } 396 ip = nbuf_ensure_contig(nbuf, (u_int)(ip->ip_hl << 2)); 397 if (ip == NULL) { 398 return NPC_FMTERR; 399 } 400 401 if (ip->ip_off & ~htons(IP_DF | IP_RF)) { 402 /* Note fragmentation. */ 403 flags |= NPC_IPFRAG; 404 } 405 406 /* Cache: layer 3 - IPv4. */ 407 npc->npc_alen = sizeof(struct in_addr); 408 npc->npc_ips[NPF_SRC] = (npf_addr_t *)&ip->ip_src; 409 npc->npc_ips[NPF_DST] = (npf_addr_t *)&ip->ip_dst; 410 npc->npc_hlen = ip->ip_hl << 2; 411 npc->npc_proto = ip->ip_p; 412 413 npc->npc_ip.v4 = ip; 414 flags |= NPC_IP4; 415 break; 416 } 417 418 case (IPV6_VERSION >> 4): { 419 struct ip6_hdr *ip6; 420 struct ip6_ext *ip6e; 421 struct ip6_frag *ip6f; 422 size_t off, hlen; 423 int frag_present; 424 425 ip6 = nbuf_ensure_contig(nbuf, sizeof(struct ip6_hdr)); 426 if (ip6 == NULL) { 427 return NPC_FMTERR; 428 } 429 430 /* 431 * XXX: We don't handle IPv6 Jumbograms. 432 */ 433 434 /* Set initial next-protocol value. */ 435 hlen = sizeof(struct ip6_hdr); 436 npc->npc_proto = ip6->ip6_nxt; 437 npc->npc_hlen = hlen; 438 439 frag_present = 0; 440 441 /* 442 * Advance by the length of the current header. 443 */ 444 off = nbuf_offset(nbuf); 445 while ((ip6e = nbuf_advance(nbuf, hlen, sizeof(*ip6e))) != NULL) { 446 /* 447 * Determine whether we are going to continue. 448 */ 449 switch (npc->npc_proto) { 450 case IPPROTO_HOPOPTS: 451 case IPPROTO_DSTOPTS: 452 case IPPROTO_ROUTING: 453 hlen = (ip6e->ip6e_len + 1) << 3; 454 break; 455 case IPPROTO_FRAGMENT: 456 if (frag_present++) 457 return NPC_FMTERR; 458 ip6f = nbuf_ensure_contig(nbuf, sizeof(*ip6f)); 459 if (ip6f == NULL) 460 return NPC_FMTERR; 461 462 /* RFC6946: Skip dummy fragments. */ 463 if (!ntohs(ip6f->ip6f_offlg & IP6F_OFF_MASK) && 464 !(ip6f->ip6f_offlg & IP6F_MORE_FRAG)) { 465 hlen = sizeof(struct ip6_frag); 466 break; 467 } 468 469 hlen = 0; 470 flags |= NPC_IPFRAG; 471 472 break; 473 default: 474 hlen = 0; 475 break; 476 } 477 478 if (!hlen) { 479 break; 480 } 481 npc->npc_proto = ip6e->ip6e_nxt; 482 npc->npc_hlen += hlen; 483 } 484 485 if (ip6e == NULL) { 486 return NPC_FMTERR; 487 } 488 489 /* 490 * Re-fetch the header pointers (nbufs might have been 491 * reallocated). Restore the original offset (if any). 492 */ 493 nbuf_reset(nbuf); 494 ip6 = nbuf_dataptr(nbuf); 495 if (off) { 496 nbuf_advance(nbuf, off, 0); 497 } 498 499 /* Cache: layer 3 - IPv6. */ 500 npc->npc_alen = sizeof(struct in6_addr); 501 npc->npc_ips[NPF_SRC] = (npf_addr_t *)&ip6->ip6_src; 502 npc->npc_ips[NPF_DST] = (npf_addr_t *)&ip6->ip6_dst; 503 504 npc->npc_ip.v6 = ip6; 505 flags |= NPC_IP6; 506 break; 507 } 508 default: 509 break; 510 } 511 return flags; 512 } 513 514 /* 515 * npf_cache_all: general routine to cache all relevant IP (v4 or v6) 516 * and TCP, UDP or ICMP headers. 517 * 518 * => nbuf offset shall be set accordingly. 519 */ 520 int 521 npf_cache_all(npf_cache_t *npc) 522 { 523 nbuf_t *nbuf = npc->npc_nbuf; 524 int flags, l4flags; 525 u_int hlen; 526 527 /* 528 * This routine is a main point where the references are cached, 529 * therefore clear the flag as we reset. 530 */ 531 again: 532 nbuf_unset_flag(nbuf, NBUF_DATAREF_RESET); 533 534 /* 535 * First, cache the L3 header (IPv4 or IPv6). If IP packet is 536 * fragmented, then we cannot look into L4. 537 */ 538 flags = npf_cache_ip(npc, nbuf); 539 if ((flags & NPC_IP46) == 0 || (flags & NPC_IPFRAG) != 0 || 540 (flags & NPC_FMTERR) != 0) { 541 goto out; 542 } 543 hlen = npc->npc_hlen; 544 545 /* 546 * Note: we guarantee that the potential "Query Id" field of the 547 * ICMPv4/ICMPv6 packets is in the nbuf. This field is used in the 548 * ICMP ALG. 549 */ 550 switch (npc->npc_proto) { 551 case IPPROTO_TCP: 552 /* Cache: layer 4 - TCP. */ 553 npc->npc_l4.tcp = nbuf_advance(nbuf, hlen, 554 sizeof(struct tcphdr)); 555 l4flags = NPC_LAYER4 | NPC_TCP; 556 break; 557 case IPPROTO_UDP: 558 /* Cache: layer 4 - UDP. */ 559 npc->npc_l4.udp = nbuf_advance(nbuf, hlen, 560 sizeof(struct udphdr)); 561 l4flags = NPC_LAYER4 | NPC_UDP; 562 break; 563 case IPPROTO_ICMP: 564 /* Cache: layer 4 - ICMPv4. */ 565 npc->npc_l4.icmp = nbuf_advance(nbuf, hlen, 566 ICMP_MINLEN); 567 l4flags = NPC_LAYER4 | NPC_ICMP; 568 break; 569 case IPPROTO_ICMPV6: 570 /* Cache: layer 4 - ICMPv6. */ 571 npc->npc_l4.icmp6 = nbuf_advance(nbuf, hlen, 572 sizeof(struct icmp6_hdr)); 573 l4flags = NPC_LAYER4 | NPC_ICMP; 574 break; 575 default: 576 l4flags = 0; 577 break; 578 } 579 580 /* Error out if nbuf_advance failed. */ 581 if (l4flags && npc->npc_l4.hdr == NULL) { 582 goto err; 583 } 584 585 if (nbuf_flag_p(nbuf, NBUF_DATAREF_RESET)) { 586 goto again; 587 } 588 589 flags |= l4flags; 590 npc->npc_info |= flags; 591 return flags; 592 593 err: 594 flags = NPC_FMTERR; 595 out: 596 nbuf_unset_flag(nbuf, NBUF_DATAREF_RESET); 597 npc->npc_info |= flags; 598 return flags; 599 } 600 601 void 602 npf_recache(npf_cache_t *npc) 603 { 604 nbuf_t *nbuf = npc->npc_nbuf; 605 const int mflags __diagused = npc->npc_info & (NPC_IP46 | NPC_LAYER4); 606 int flags __diagused; 607 608 nbuf_reset(nbuf); 609 npc->npc_info = 0; 610 flags = npf_cache_all(npc); 611 612 KASSERT((flags & mflags) == mflags); 613 KASSERT(nbuf_flag_p(nbuf, NBUF_DATAREF_RESET) == 0); 614 } 615 616 /* 617 * npf_rwrip: rewrite required IP address. 618 */ 619 bool 620 npf_rwrip(const npf_cache_t *npc, u_int which, const npf_addr_t *addr) 621 { 622 KASSERT(npf_iscached(npc, NPC_IP46)); 623 KASSERT(which == NPF_SRC || which == NPF_DST); 624 625 memcpy(npc->npc_ips[which], addr, npc->npc_alen); 626 return true; 627 } 628 629 /* 630 * npf_rwrport: rewrite required TCP/UDP port. 631 */ 632 bool 633 npf_rwrport(const npf_cache_t *npc, u_int which, const in_port_t port) 634 { 635 const int proto = npc->npc_proto; 636 in_port_t *oport; 637 638 KASSERT(npf_iscached(npc, NPC_TCP) || npf_iscached(npc, NPC_UDP)); 639 KASSERT(proto == IPPROTO_TCP || proto == IPPROTO_UDP); 640 KASSERT(which == NPF_SRC || which == NPF_DST); 641 642 /* Get the offset and store the port in it. */ 643 if (proto == IPPROTO_TCP) { 644 struct tcphdr *th = npc->npc_l4.tcp; 645 oport = (which == NPF_SRC) ? &th->th_sport : &th->th_dport; 646 } else { 647 struct udphdr *uh = npc->npc_l4.udp; 648 oport = (which == NPF_SRC) ? &uh->uh_sport : &uh->uh_dport; 649 } 650 memcpy(oport, &port, sizeof(in_port_t)); 651 return true; 652 } 653 654 /* 655 * npf_rwrcksum: rewrite IPv4 and/or TCP/UDP checksum. 656 */ 657 bool 658 npf_rwrcksum(const npf_cache_t *npc, u_int which, 659 const npf_addr_t *addr, const in_port_t port) 660 { 661 const npf_addr_t *oaddr = npc->npc_ips[which]; 662 const int proto = npc->npc_proto; 663 const int alen = npc->npc_alen; 664 uint16_t *ocksum; 665 in_port_t oport; 666 667 KASSERT(npf_iscached(npc, NPC_LAYER4)); 668 KASSERT(which == NPF_SRC || which == NPF_DST); 669 670 if (npf_iscached(npc, NPC_IP4)) { 671 struct ip *ip = npc->npc_ip.v4; 672 uint16_t ipsum = ip->ip_sum; 673 674 /* Recalculate IPv4 checksum and rewrite. */ 675 ip->ip_sum = npf_addr_cksum(ipsum, alen, oaddr, addr); 676 } else { 677 /* No checksum for IPv6. */ 678 KASSERT(npf_iscached(npc, NPC_IP6)); 679 } 680 681 /* Nothing else to do for ICMP. */ 682 if (proto == IPPROTO_ICMP || proto == IPPROTO_ICMPV6) { 683 return true; 684 } 685 KASSERT(npf_iscached(npc, NPC_TCP) || npf_iscached(npc, NPC_UDP)); 686 687 /* 688 * Calculate TCP/UDP checksum: 689 * - Skip if UDP and the current checksum is zero. 690 * - Fixup the IP address change. 691 * - Fixup the port change, if required (non-zero). 692 */ 693 if (proto == IPPROTO_TCP) { 694 struct tcphdr *th = npc->npc_l4.tcp; 695 696 ocksum = &th->th_sum; 697 oport = (which == NPF_SRC) ? th->th_sport : th->th_dport; 698 } else { 699 struct udphdr *uh = npc->npc_l4.udp; 700 701 KASSERT(proto == IPPROTO_UDP); 702 ocksum = &uh->uh_sum; 703 if (*ocksum == 0) { 704 /* No need to update. */ 705 return true; 706 } 707 oport = (which == NPF_SRC) ? uh->uh_sport : uh->uh_dport; 708 } 709 710 uint16_t cksum = npf_addr_cksum(*ocksum, alen, oaddr, addr); 711 if (port) { 712 cksum = npf_fixup16_cksum(cksum, oport, port); 713 } 714 715 /* Rewrite TCP/UDP checksum. */ 716 memcpy(ocksum, &cksum, sizeof(uint16_t)); 717 return true; 718 } 719 720 /* 721 * npf_napt_rwr: perform address and/or port translation. 722 */ 723 int 724 npf_napt_rwr(const npf_cache_t *npc, u_int which, 725 const npf_addr_t *addr, const in_addr_t port) 726 { 727 const unsigned proto = npc->npc_proto; 728 729 /* 730 * Rewrite IP and/or TCP/UDP checksums first, since we need the 731 * current (old) address/port for the calculations. Then perform 732 * the address translation i.e. rewrite source or destination. 733 */ 734 if (!npf_rwrcksum(npc, which, addr, port)) { 735 return EINVAL; 736 } 737 if (!npf_rwrip(npc, which, addr)) { 738 return EINVAL; 739 } 740 if (port == 0) { 741 /* Done. */ 742 return 0; 743 } 744 745 switch (proto) { 746 case IPPROTO_TCP: 747 case IPPROTO_UDP: 748 /* Rewrite source/destination port. */ 749 if (!npf_rwrport(npc, which, port)) { 750 return EINVAL; 751 } 752 break; 753 case IPPROTO_ICMP: 754 case IPPROTO_ICMPV6: 755 KASSERT(npf_iscached(npc, NPC_ICMP)); 756 /* Nothing. */ 757 break; 758 default: 759 return ENOTSUP; 760 } 761 return 0; 762 } 763 764 /* 765 * IPv6-to-IPv6 Network Prefix Translation (NPTv6), as per RFC 6296. 766 */ 767 768 int 769 npf_npt66_rwr(const npf_cache_t *npc, u_int which, const npf_addr_t *pref, 770 npf_netmask_t len, uint16_t adj) 771 { 772 npf_addr_t *addr = npc->npc_ips[which]; 773 unsigned remnant, word, preflen = len >> 4; 774 uint32_t sum; 775 776 KASSERT(which == NPF_SRC || which == NPF_DST); 777 778 if (!npf_iscached(npc, NPC_IP6)) { 779 return EINVAL; 780 } 781 if (len <= 48) { 782 /* 783 * The word to adjust. Cannot translate the 0xffff 784 * subnet if /48 or shorter. 785 */ 786 word = 3; 787 if (addr->word16[word] == 0xffff) { 788 return EINVAL; 789 } 790 } else { 791 /* 792 * Also, all 0s or 1s in the host part are disallowed for 793 * longer than /48 prefixes. 794 */ 795 if ((addr->word32[2] == 0 && addr->word32[3] == 0) || 796 (addr->word32[2] == ~0U && addr->word32[3] == ~0U)) 797 return EINVAL; 798 799 /* Determine the 16-bit word to adjust. */ 800 for (word = 4; word < 8; word++) 801 if (addr->word16[word] != 0xffff) 802 break; 803 } 804 805 /* Rewrite the prefix. */ 806 for (unsigned i = 0; i < preflen; i++) { 807 addr->word16[i] = pref->word16[i]; 808 } 809 810 /* 811 * If prefix length is within a 16-bit word (not dividable by 16), 812 * then prepare a mask, determine the word and adjust it. 813 */ 814 if ((remnant = len - (preflen << 4)) != 0) { 815 const uint16_t wordmask = (1U << remnant) - 1; 816 const unsigned i = preflen; 817 818 addr->word16[i] = (pref->word16[i] & wordmask) | 819 (addr->word16[i] & ~wordmask); 820 } 821 822 /* 823 * Performing 1's complement sum/difference. 824 */ 825 sum = addr->word16[word] + adj; 826 while (sum >> 16) { 827 sum = (sum >> 16) + (sum & 0xffff); 828 } 829 if (sum == 0xffff) { 830 /* RFC 1071. */ 831 sum = 0x0000; 832 } 833 addr->word16[word] = sum; 834 return 0; 835 } 836 837 #if defined(DDB) || defined(_NPF_TESTING) 838 839 const char * 840 npf_addr_dump(const npf_addr_t *addr, int alen) 841 { 842 if (alen == sizeof(struct in_addr)) { 843 struct in_addr ip; 844 memcpy(&ip, addr, alen); 845 return inet_ntoa(ip); 846 } 847 return "[IPv6]"; 848 } 849 850 #endif 851
Indexes created Sat Oct 18 17:09:52 GMT 2025