npf_inet.c revision 1.51
1 /* $NetBSD: npf_inet.c,v 1.51 2018/08/31 14:16:06 maxv Exp $ */ 2 3 /*- 4 * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. 5 * All rights reserved. 6 * 7 * This material is based upon work partially supported by The 8 * NetBSD Foundation under a contract with Mindaugas Rasiukevicius. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 20 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 21 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 22 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 23 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 /* 33 * Various protocol related helper routines. 34 * 35 * This layer manipulates npf_cache_t structure i.e. caches requested headers 36 * and stores which information was cached in the information bit field. 37 * It is also responsibility of this layer to update or invalidate the cache 38 * on rewrites (e.g. by translation routines). 39 */ 40 41 #ifdef _KERNEL 42 #include <sys/cdefs.h> 43 __KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.51 2018/08/31 14:16:06 maxv Exp $"); 44 45 #include <sys/param.h> 46 #include <sys/types.h> 47 48 #include <net/pfil.h> 49 #include <net/if.h> 50 #include <net/ethertypes.h> 51 #include <net/if_ether.h> 52 53 #include <netinet/in_systm.h> 54 #include <netinet/in.h> 55 #include <netinet6/in6_var.h> 56 #include <netinet/ip.h> 57 #include <netinet/ip6.h> 58 #include <netinet/tcp.h> 59 #include <netinet/udp.h> 60 #include <netinet/ip_icmp.h> 61 #endif 62 63 #include "npf_impl.h" 64 65 /* 66 * npf_fixup{16,32}_cksum: incremental update of the Internet checksum. 67 */ 68 69 uint16_t 70 npf_fixup16_cksum(uint16_t cksum, uint16_t odatum, uint16_t ndatum) 71 { 72 uint32_t sum; 73 74 /* 75 * RFC 1624: 76 * HC' = ~(~HC + ~m + m') 77 * 78 * Note: 1's complement sum is endian-independent (RFC 1071, page 2). 79 */ 80 sum = ~cksum & 0xffff; 81 sum += (~odatum & 0xffff) + ndatum; 82 sum = (sum >> 16) + (sum & 0xffff); 83 sum += (sum >> 16); 84 85 return ~sum & 0xffff; 86 } 87 88 uint16_t 89 npf_fixup32_cksum(uint16_t cksum, uint32_t odatum, uint32_t ndatum) 90 { 91 uint32_t sum; 92 93 /* 94 * Checksum 32-bit datum as as two 16-bit. Note, the first 95 * 32->16 bit reduction is not necessary. 96 */ 97 sum = ~cksum & 0xffff; 98 sum += (~odatum & 0xffff) + (ndatum & 0xffff); 99 100 sum += (~odatum >> 16) + (ndatum >> 16); 101 sum = (sum >> 16) + (sum & 0xffff); 102 sum += (sum >> 16); 103 return ~sum & 0xffff; 104 } 105 106 /* 107 * npf_addr_cksum: calculate checksum of the address, either IPv4 or IPv6. 108 */ 109 uint16_t 110 npf_addr_cksum(uint16_t cksum, int sz, const npf_addr_t *oaddr, 111 const npf_addr_t *naddr) 112 { 113 const uint32_t *oip32 = (const uint32_t *)oaddr; 114 const uint32_t *nip32 = (const uint32_t *)naddr; 115 116 KASSERT(sz % sizeof(uint32_t) == 0); 117 do { 118 cksum = npf_fixup32_cksum(cksum, *oip32++, *nip32++); 119 sz -= sizeof(uint32_t); 120 } while (sz); 121 122 return cksum; 123 } 124 125 /* 126 * npf_addr_sum: provide IP addresses as a XORed 32-bit integer. 127 * Note: used for hash function. 128 */ 129 uint32_t 130 npf_addr_mix(const int sz, const npf_addr_t *a1, const npf_addr_t *a2) 131 { 132 uint32_t mix = 0; 133 134 KASSERT(sz > 0 && a1 != NULL && a2 != NULL); 135 136 for (int i = 0; i < (sz >> 2); i++) { 137 mix ^= a1->word32[i]; 138 mix ^= a2->word32[i]; 139 } 140 return mix; 141 } 142 143 /* 144 * npf_addr_mask: apply the mask to a given address and store the result. 145 */ 146 void 147 npf_addr_mask(const npf_addr_t *addr, const npf_netmask_t mask, 148 const int alen, npf_addr_t *out) 149 { 150 const int nwords = alen >> 2; 151 uint_fast8_t length = mask; 152 153 /* Note: maximum length is 32 for IPv4 and 128 for IPv6. */ 154 KASSERT(length <= NPF_MAX_NETMASK); 155 156 for (int i = 0; i < nwords; i++) { 157 uint32_t wordmask; 158 159 if (length >= 32) { 160 wordmask = htonl(0xffffffff); 161 length -= 32; 162 } else if (length) { 163 wordmask = htonl(0xffffffff << (32 - length)); 164 length = 0; 165 } else { 166 wordmask = 0; 167 } 168 out->word32[i] = addr->word32[i] & wordmask; 169 } 170 } 171 172 /* 173 * npf_addr_cmp: compare two addresses, either IPv4 or IPv6. 174 * 175 * => Return 0 if equal and negative/positive if less/greater accordingly. 176 * => Ignore the mask, if NPF_NO_NETMASK is specified. 177 */ 178 int 179 npf_addr_cmp(const npf_addr_t *addr1, const npf_netmask_t mask1, 180 const npf_addr_t *addr2, const npf_netmask_t mask2, const int alen) 181 { 182 npf_addr_t realaddr1, realaddr2; 183 184 if (mask1 != NPF_NO_NETMASK) { 185 npf_addr_mask(addr1, mask1, alen, &realaddr1); 186 addr1 = &realaddr1; 187 } 188 if (mask2 != NPF_NO_NETMASK) { 189 npf_addr_mask(addr2, mask2, alen, &realaddr2); 190 addr2 = &realaddr2; 191 } 192 return memcmp(addr1, addr2, alen); 193 } 194 195 /* 196 * npf_tcpsaw: helper to fetch SEQ, ACK, WIN and return TCP data length. 197 * 198 * => Returns all values in host byte-order. 199 */ 200 int 201 npf_tcpsaw(const npf_cache_t *npc, tcp_seq *seq, tcp_seq *ack, uint32_t *win) 202 { 203 const struct tcphdr *th = npc->npc_l4.tcp; 204 u_int thlen; 205 206 KASSERT(npf_iscached(npc, NPC_TCP)); 207 208 *seq = ntohl(th->th_seq); 209 *ack = ntohl(th->th_ack); 210 *win = (uint32_t)ntohs(th->th_win); 211 thlen = th->th_off << 2; 212 213 if (npf_iscached(npc, NPC_IP4)) { 214 const struct ip *ip = npc->npc_ip.v4; 215 return ntohs(ip->ip_len) - npc->npc_hlen - thlen; 216 } else if (npf_iscached(npc, NPC_IP6)) { 217 const struct ip6_hdr *ip6 = npc->npc_ip.v6; 218 return ntohs(ip6->ip6_plen) - 219 (npc->npc_hlen - sizeof(*ip6)) - thlen; 220 } 221 return 0; 222 } 223 224 /* 225 * npf_fetch_tcpopts: parse and return TCP options. 226 */ 227 bool 228 npf_fetch_tcpopts(npf_cache_t *npc, uint16_t *mss, int *wscale) 229 { 230 nbuf_t *nbuf = npc->npc_nbuf; 231 const struct tcphdr *th = npc->npc_l4.tcp; 232 int cnt, optlen = 0; 233 uint8_t *cp, opt; 234 uint8_t val; 235 bool ok; 236 237 KASSERT(npf_iscached(npc, NPC_IP46)); 238 KASSERT(npf_iscached(npc, NPC_TCP)); 239 240 /* Determine if there are any TCP options, get their length. */ 241 cnt = (th->th_off << 2) - sizeof(struct tcphdr); 242 if (cnt <= 0) { 243 /* No options. */ 244 return false; 245 } 246 KASSERT(cnt <= MAX_TCPOPTLEN); 247 248 /* Fetch all the options at once. */ 249 nbuf_reset(nbuf); 250 const int step = npc->npc_hlen + sizeof(struct tcphdr); 251 if ((cp = nbuf_advance(nbuf, step, cnt)) == NULL) { 252 ok = false; 253 goto done; 254 } 255 256 /* Scan the options. */ 257 for (; cnt > 0; cnt -= optlen, cp += optlen) { 258 opt = cp[0]; 259 if (opt == TCPOPT_EOL) 260 break; 261 if (opt == TCPOPT_NOP) 262 optlen = 1; 263 else { 264 if (cnt < 2) 265 break; 266 optlen = cp[1]; 267 if (optlen < 2 || optlen > cnt) 268 break; 269 } 270 271 switch (opt) { 272 case TCPOPT_MAXSEG: 273 if (optlen != TCPOLEN_MAXSEG) 274 continue; 275 if (mss) { 276 memcpy(mss, cp + 2, sizeof(uint16_t)); 277 } 278 break; 279 case TCPOPT_WINDOW: 280 if (optlen != TCPOLEN_WINDOW) 281 continue; 282 val = *(cp + 2); 283 *wscale = (val > TCP_MAX_WINSHIFT) ? TCP_MAX_WINSHIFT : val; 284 break; 285 default: 286 break; 287 } 288 } 289 290 ok = true; 291 done: 292 if (nbuf_flag_p(nbuf, NBUF_DATAREF_RESET)) { 293 npf_recache(npc); 294 } 295 return ok; 296 } 297 298 /* 299 * npf_set_mss: set the MSS. 300 */ 301 bool 302 npf_set_mss(npf_cache_t *npc, uint16_t mss, uint16_t *old, uint16_t *new, 303 bool *mid) 304 { 305 nbuf_t *nbuf = npc->npc_nbuf; 306 const struct tcphdr *th = npc->npc_l4.tcp; 307 int cnt, optlen = 0; 308 uint8_t *cp, *base, opt; 309 bool ok; 310 311 KASSERT(npf_iscached(npc, NPC_IP46)); 312 KASSERT(npf_iscached(npc, NPC_TCP)); 313 314 /* Determine if there are any TCP options, get their length. */ 315 cnt = (th->th_off << 2) - sizeof(struct tcphdr); 316 if (cnt <= 0) { 317 /* No options. */ 318 return false; 319 } 320 KASSERT(cnt <= MAX_TCPOPTLEN); 321 322 /* Fetch all the options at once. */ 323 nbuf_reset(nbuf); 324 const int step = npc->npc_hlen + sizeof(struct tcphdr); 325 if ((base = nbuf_advance(nbuf, step, cnt)) == NULL) { 326 ok = false; 327 goto done; 328 } 329 330 /* Scan the options. */ 331 for (cp = base; cnt > 0; cnt -= optlen, cp += optlen) { 332 opt = cp[0]; 333 if (opt == TCPOPT_EOL) 334 break; 335 if (opt == TCPOPT_NOP) 336 optlen = 1; 337 else { 338 if (cnt < 2) 339 break; 340 optlen = cp[1]; 341 if (optlen < 2 || optlen > cnt) 342 break; 343 } 344 345 switch (opt) { 346 case TCPOPT_MAXSEG: 347 if (optlen != TCPOLEN_MAXSEG) 348 continue; 349 if (((cp + 2) - base) % sizeof(uint16_t) != 0) { 350 *mid = true; 351 memcpy(&old[0], cp + 1, sizeof(uint16_t)); 352 memcpy(&old[1], cp + 3, sizeof(uint16_t)); 353 memcpy(cp + 2, &mss, sizeof(uint16_t)); 354 memcpy(&new[0], cp + 1, sizeof(uint16_t)); 355 memcpy(&new[1], cp + 3, sizeof(uint16_t)); 356 } else { 357 *mid = false; 358 memcpy(cp + 2, &mss, sizeof(uint16_t)); 359 } 360 break; 361 default: 362 break; 363 } 364 } 365 366 ok = true; 367 done: 368 if (nbuf_flag_p(nbuf, NBUF_DATAREF_RESET)) { 369 npf_recache(npc); 370 } 371 return ok; 372 } 373 374 static int 375 npf_cache_ip(npf_cache_t *npc, nbuf_t *nbuf) 376 { 377 const void *nptr = nbuf_dataptr(nbuf); 378 const uint8_t ver = *(const uint8_t *)nptr; 379 int flags = 0; 380 381 /* 382 * We intentionally don't read the L4 payload after IPPROTO_AH. 383 */ 384 385 switch (ver >> 4) { 386 case IPVERSION: { 387 struct ip *ip; 388 389 ip = nbuf_ensure_contig(nbuf, sizeof(struct ip)); 390 if (ip == NULL) { 391 return NPC_FMTERR; 392 } 393 394 /* Retrieve the complete header. */ 395 if ((u_int)(ip->ip_hl << 2) < sizeof(struct ip)) { 396 return NPC_FMTERR; 397 } 398 ip = nbuf_ensure_contig(nbuf, (u_int)(ip->ip_hl << 2)); 399 if (ip == NULL) { 400 return NPC_FMTERR; 401 } 402 403 if (ip->ip_off & ~htons(IP_DF | IP_RF)) { 404 /* Note fragmentation. */ 405 flags |= NPC_IPFRAG; 406 } 407 408 /* Cache: layer 3 - IPv4. */ 409 npc->npc_alen = sizeof(struct in_addr); 410 npc->npc_ips[NPF_SRC] = (npf_addr_t *)&ip->ip_src; 411 npc->npc_ips[NPF_DST] = (npf_addr_t *)&ip->ip_dst; 412 npc->npc_hlen = ip->ip_hl << 2; 413 npc->npc_proto = ip->ip_p; 414 415 npc->npc_ip.v4 = ip; 416 flags |= NPC_IP4; 417 break; 418 } 419 420 case (IPV6_VERSION >> 4): { 421 struct ip6_hdr *ip6; 422 struct ip6_ext *ip6e; 423 struct ip6_frag *ip6f; 424 size_t off, hlen; 425 int frag_present; 426 427 ip6 = nbuf_ensure_contig(nbuf, sizeof(struct ip6_hdr)); 428 if (ip6 == NULL) { 429 return NPC_FMTERR; 430 } 431 432 /* 433 * XXX: We don't handle IPv6 Jumbograms. 434 */ 435 436 /* Set initial next-protocol value. */ 437 hlen = sizeof(struct ip6_hdr); 438 npc->npc_proto = ip6->ip6_nxt; 439 npc->npc_hlen = hlen; 440 441 frag_present = 0; 442 443 /* 444 * Advance by the length of the current header. 445 */ 446 off = nbuf_offset(nbuf); 447 while ((ip6e = nbuf_advance(nbuf, hlen, sizeof(*ip6e))) != NULL) { 448 /* 449 * Determine whether we are going to continue. 450 */ 451 switch (npc->npc_proto) { 452 case IPPROTO_HOPOPTS: 453 case IPPROTO_DSTOPTS: 454 case IPPROTO_ROUTING: 455 hlen = (ip6e->ip6e_len + 1) << 3; 456 break; 457 case IPPROTO_FRAGMENT: 458 if (frag_present++) 459 return NPC_FMTERR; 460 ip6f = nbuf_ensure_contig(nbuf, sizeof(*ip6f)); 461 if (ip6f == NULL) 462 return NPC_FMTERR; 463 464 /* RFC6946: Skip dummy fragments. */ 465 if (!ntohs(ip6f->ip6f_offlg & IP6F_OFF_MASK) && 466 !(ip6f->ip6f_offlg & IP6F_MORE_FRAG)) { 467 hlen = sizeof(struct ip6_frag); 468 break; 469 } 470 471 hlen = 0; 472 flags |= NPC_IPFRAG; 473 474 break; 475 default: 476 hlen = 0; 477 break; 478 } 479 480 if (!hlen) { 481 break; 482 } 483 npc->npc_proto = ip6e->ip6e_nxt; 484 npc->npc_hlen += hlen; 485 } 486 487 if (ip6e == NULL) { 488 return NPC_FMTERR; 489 } 490 491 /* 492 * Re-fetch the header pointers (nbufs might have been 493 * reallocated). Restore the original offset (if any). 494 */ 495 nbuf_reset(nbuf); 496 ip6 = nbuf_dataptr(nbuf); 497 if (off) { 498 nbuf_advance(nbuf, off, 0); 499 } 500 501 /* Cache: layer 3 - IPv6. */ 502 npc->npc_alen = sizeof(struct in6_addr); 503 npc->npc_ips[NPF_SRC] = (npf_addr_t *)&ip6->ip6_src; 504 npc->npc_ips[NPF_DST] = (npf_addr_t *)&ip6->ip6_dst; 505 506 npc->npc_ip.v6 = ip6; 507 flags |= NPC_IP6; 508 break; 509 } 510 default: 511 break; 512 } 513 return flags; 514 } 515 516 /* 517 * npf_cache_all: general routine to cache all relevant IP (v4 or v6) 518 * and TCP, UDP or ICMP headers. 519 * 520 * => nbuf offset shall be set accordingly. 521 */ 522 int 523 npf_cache_all(npf_cache_t *npc) 524 { 525 nbuf_t *nbuf = npc->npc_nbuf; 526 int flags, l4flags; 527 u_int hlen; 528 529 /* 530 * This routine is a main point where the references are cached, 531 * therefore clear the flag as we reset. 532 */ 533 again: 534 nbuf_unset_flag(nbuf, NBUF_DATAREF_RESET); 535 536 /* 537 * First, cache the L3 header (IPv4 or IPv6). If IP packet is 538 * fragmented, then we cannot look into L4. 539 */ 540 flags = npf_cache_ip(npc, nbuf); 541 if ((flags & NPC_IP46) == 0 || (flags & NPC_IPFRAG) != 0 || 542 (flags & NPC_FMTERR) != 0) { 543 goto out; 544 } 545 hlen = npc->npc_hlen; 546 547 /* 548 * Note: we guarantee that the potential "Query Id" field of the 549 * ICMPv4/ICMPv6 packets is in the nbuf. This field is used in the 550 * ICMP ALG. 551 */ 552 switch (npc->npc_proto) { 553 case IPPROTO_TCP: 554 /* Cache: layer 4 - TCP. */ 555 npc->npc_l4.tcp = nbuf_advance(nbuf, hlen, 556 sizeof(struct tcphdr)); 557 l4flags = NPC_LAYER4 | NPC_TCP; 558 break; 559 case IPPROTO_UDP: 560 /* Cache: layer 4 - UDP. */ 561 npc->npc_l4.udp = nbuf_advance(nbuf, hlen, 562 sizeof(struct udphdr)); 563 l4flags = NPC_LAYER4 | NPC_UDP; 564 break; 565 case IPPROTO_ICMP: 566 /* Cache: layer 4 - ICMPv4. */ 567 npc->npc_l4.icmp = nbuf_advance(nbuf, hlen, 568 ICMP_MINLEN); 569 l4flags = NPC_LAYER4 | NPC_ICMP; 570 break; 571 case IPPROTO_ICMPV6: 572 /* Cache: layer 4 - ICMPv6. */ 573 npc->npc_l4.icmp6 = nbuf_advance(nbuf, hlen, 574 sizeof(struct icmp6_hdr)); 575 l4flags = NPC_LAYER4 | NPC_ICMP; 576 break; 577 default: 578 l4flags = 0; 579 break; 580 } 581 582 /* Error out if nbuf_advance failed. */ 583 if (l4flags && npc->npc_l4.hdr == NULL) { 584 goto err; 585 } 586 587 if (nbuf_flag_p(nbuf, NBUF_DATAREF_RESET)) { 588 goto again; 589 } 590 591 flags |= l4flags; 592 npc->npc_info |= flags; 593 return flags; 594 595 err: 596 flags = NPC_FMTERR; 597 out: 598 nbuf_unset_flag(nbuf, NBUF_DATAREF_RESET); 599 npc->npc_info |= flags; 600 return flags; 601 } 602 603 void 604 npf_recache(npf_cache_t *npc) 605 { 606 nbuf_t *nbuf = npc->npc_nbuf; 607 const int mflags __diagused = npc->npc_info & (NPC_IP46 | NPC_LAYER4); 608 int flags __diagused; 609 610 nbuf_reset(nbuf); 611 npc->npc_info = 0; 612 flags = npf_cache_all(npc); 613 614 KASSERT((flags & mflags) == mflags); 615 KASSERT(nbuf_flag_p(nbuf, NBUF_DATAREF_RESET) == 0); 616 } 617 618 /* 619 * npf_rwrip: rewrite required IP address. 620 */ 621 bool 622 npf_rwrip(const npf_cache_t *npc, u_int which, const npf_addr_t *addr) 623 { 624 KASSERT(npf_iscached(npc, NPC_IP46)); 625 KASSERT(which == NPF_SRC || which == NPF_DST); 626 627 memcpy(npc->npc_ips[which], addr, npc->npc_alen); 628 return true; 629 } 630 631 /* 632 * npf_rwrport: rewrite required TCP/UDP port. 633 */ 634 bool 635 npf_rwrport(const npf_cache_t *npc, u_int which, const in_port_t port) 636 { 637 const int proto = npc->npc_proto; 638 in_port_t *oport; 639 640 KASSERT(npf_iscached(npc, NPC_TCP) || npf_iscached(npc, NPC_UDP)); 641 KASSERT(proto == IPPROTO_TCP || proto == IPPROTO_UDP); 642 KASSERT(which == NPF_SRC || which == NPF_DST); 643 644 /* Get the offset and store the port in it. */ 645 if (proto == IPPROTO_TCP) { 646 struct tcphdr *th = npc->npc_l4.tcp; 647 oport = (which == NPF_SRC) ? &th->th_sport : &th->th_dport; 648 } else { 649 struct udphdr *uh = npc->npc_l4.udp; 650 oport = (which == NPF_SRC) ? &uh->uh_sport : &uh->uh_dport; 651 } 652 memcpy(oport, &port, sizeof(in_port_t)); 653 return true; 654 } 655 656 /* 657 * npf_rwrcksum: rewrite IPv4 and/or TCP/UDP checksum. 658 */ 659 bool 660 npf_rwrcksum(const npf_cache_t *npc, u_int which, 661 const npf_addr_t *addr, const in_port_t port) 662 { 663 const npf_addr_t *oaddr = npc->npc_ips[which]; 664 const int proto = npc->npc_proto; 665 const int alen = npc->npc_alen; 666 uint16_t *ocksum; 667 in_port_t oport; 668 669 KASSERT(npf_iscached(npc, NPC_LAYER4)); 670 KASSERT(which == NPF_SRC || which == NPF_DST); 671 672 if (npf_iscached(npc, NPC_IP4)) { 673 struct ip *ip = npc->npc_ip.v4; 674 uint16_t ipsum = ip->ip_sum; 675 676 /* Recalculate IPv4 checksum and rewrite. */ 677 ip->ip_sum = npf_addr_cksum(ipsum, alen, oaddr, addr); 678 } else { 679 /* No checksum for IPv6. */ 680 KASSERT(npf_iscached(npc, NPC_IP6)); 681 } 682 683 /* Nothing else to do for ICMP. */ 684 if (proto == IPPROTO_ICMP || proto == IPPROTO_ICMPV6) { 685 return true; 686 } 687 KASSERT(npf_iscached(npc, NPC_TCP) || npf_iscached(npc, NPC_UDP)); 688 689 /* 690 * Calculate TCP/UDP checksum: 691 * - Skip if UDP and the current checksum is zero. 692 * - Fixup the IP address change. 693 * - Fixup the port change, if required (non-zero). 694 */ 695 if (proto == IPPROTO_TCP) { 696 struct tcphdr *th = npc->npc_l4.tcp; 697 698 ocksum = &th->th_sum; 699 oport = (which == NPF_SRC) ? th->th_sport : th->th_dport; 700 } else { 701 struct udphdr *uh = npc->npc_l4.udp; 702 703 KASSERT(proto == IPPROTO_UDP); 704 ocksum = &uh->uh_sum; 705 if (*ocksum == 0) { 706 /* No need to update. */ 707 return true; 708 } 709 oport = (which == NPF_SRC) ? uh->uh_sport : uh->uh_dport; 710 } 711 712 uint16_t cksum = npf_addr_cksum(*ocksum, alen, oaddr, addr); 713 if (port) { 714 cksum = npf_fixup16_cksum(cksum, oport, port); 715 } 716 717 /* Rewrite TCP/UDP checksum. */ 718 memcpy(ocksum, &cksum, sizeof(uint16_t)); 719 return true; 720 } 721 722 /* 723 * npf_napt_rwr: perform address and/or port translation. 724 */ 725 int 726 npf_napt_rwr(const npf_cache_t *npc, u_int which, 727 const npf_addr_t *addr, const in_addr_t port) 728 { 729 const unsigned proto = npc->npc_proto; 730 731 /* 732 * Rewrite IP and/or TCP/UDP checksums first, since we need the 733 * current (old) address/port for the calculations. Then perform 734 * the address translation i.e. rewrite source or destination. 735 */ 736 if (!npf_rwrcksum(npc, which, addr, port)) { 737 return EINVAL; 738 } 739 if (!npf_rwrip(npc, which, addr)) { 740 return EINVAL; 741 } 742 if (port == 0) { 743 /* Done. */ 744 return 0; 745 } 746 747 switch (proto) { 748 case IPPROTO_TCP: 749 case IPPROTO_UDP: 750 /* Rewrite source/destination port. */ 751 if (!npf_rwrport(npc, which, port)) { 752 return EINVAL; 753 } 754 break; 755 case IPPROTO_ICMP: 756 case IPPROTO_ICMPV6: 757 KASSERT(npf_iscached(npc, NPC_ICMP)); 758 /* Nothing. */ 759 break; 760 default: 761 return ENOTSUP; 762 } 763 return 0; 764 } 765 766 /* 767 * IPv6-to-IPv6 Network Prefix Translation (NPTv6), as per RFC 6296. 768 */ 769 770 int 771 npf_npt66_rwr(const npf_cache_t *npc, u_int which, const npf_addr_t *pref, 772 npf_netmask_t len, uint16_t adj) 773 { 774 npf_addr_t *addr = npc->npc_ips[which]; 775 unsigned remnant, word, preflen = len >> 4; 776 uint32_t sum; 777 778 KASSERT(which == NPF_SRC || which == NPF_DST); 779 780 if (!npf_iscached(npc, NPC_IP6)) { 781 return EINVAL; 782 } 783 if (len <= 48) { 784 /* 785 * The word to adjust. Cannot translate the 0xffff 786 * subnet if /48 or shorter. 787 */ 788 word = 3; 789 if (addr->word16[word] == 0xffff) { 790 return EINVAL; 791 } 792 } else { 793 /* 794 * Also, all 0s or 1s in the host part are disallowed for 795 * longer than /48 prefixes. 796 */ 797 if ((addr->word32[2] == 0 && addr->word32[3] == 0) || 798 (addr->word32[2] == ~0U && addr->word32[3] == ~0U)) 799 return EINVAL; 800 801 /* Determine the 16-bit word to adjust. */ 802 for (word = 4; word < 8; word++) 803 if (addr->word16[word] != 0xffff) 804 break; 805 } 806 807 /* Rewrite the prefix. */ 808 for (unsigned i = 0; i < preflen; i++) { 809 addr->word16[i] = pref->word16[i]; 810 } 811 812 /* 813 * If prefix length is within a 16-bit word (not dividable by 16), 814 * then prepare a mask, determine the word and adjust it. 815 */ 816 if ((remnant = len - (preflen << 4)) != 0) { 817 const uint16_t wordmask = (1U << remnant) - 1; 818 const unsigned i = preflen; 819 820 addr->word16[i] = (pref->word16[i] & wordmask) | 821 (addr->word16[i] & ~wordmask); 822 } 823 824 /* 825 * Performing 1's complement sum/difference. 826 */ 827 sum = addr->word16[word] + adj; 828 while (sum >> 16) { 829 sum = (sum >> 16) + (sum & 0xffff); 830 } 831 if (sum == 0xffff) { 832 /* RFC 1071. */ 833 sum = 0x0000; 834 } 835 addr->word16[word] = sum; 836 return 0; 837 } 838 839 #if defined(DDB) || defined(_NPF_TESTING) 840 841 const char * 842 npf_addr_dump(const npf_addr_t *addr, int alen) 843 { 844 if (alen == sizeof(struct in_addr)) { 845 struct in_addr ip; 846 memcpy(&ip, addr, alen); 847 return inet_ntoa(ip); 848 } 849 return "[IPv6]"; 850 } 851 852 #endif 853
Indexes created Tue Sep 23 07:09:52 GMT 2025