Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / netd / 3cfcdd62dbbe5ba3f272a774683ce204676d473c / . / bpf_progs / clatd.c
blob: 6b4509af48d29db9001a72fa65fc03d1bf2ffac2 [file] [log] [blame]
Maciej Żenczykowskidca6ce72019-03-07 16:54:12 -0800[diff] [blame]1/*
2 * Copyright (C) 2019 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Maciej Żenczykowskic2237d82019-04-02 03:59:51 -0700[diff] [blame]17#include <linux/bpf.h>
18#include <linux/if.h>
19#include <linux/if_ether.h>
20#include <linux/in.h>
21#include <linux/in6.h>
22#include <linux/ip.h>
23#include <linux/ipv6.h>
Maciej Żenczykowskidca6ce72019-03-07 16:54:12 -0800[diff] [blame]24#include <linux/pkt_cls.h>
Maciej Żenczykowskic2237d82019-04-02 03:59:51 -0700[diff] [blame]25#include <linux/swab.h>
Maciej Żenczykowskic2237d82019-04-02 03:59:51 -0700[diff] [blame]26#include <stdbool.h>
27#include <stdint.h>
28
Maciej Żenczykowskidca6ce72019-03-07 16:54:12 -0800[diff] [blame]29#include "bpf_helpers.h"
Maciej Żenczykowski3cfcdd62019-10-31 01:03:39 -0700[diff] [blame^]30#include "bpf_net_helpers.h"
Maciej Żenczykowskidca6ce72019-03-07 16:54:12 -0800[diff] [blame]31#include "netdbpf/bpf_shared.h"
32
Maciej Żenczykowskic2237d82019-04-02 03:59:51 -0700[diff] [blame]33// From kernel:include/net/ip.h
34#define IP_DF 0x4000 // Flag: "Don't Fragment"
35
36// Android only supports little endian architectures
37#define htons(x) (__builtin_constant_p(x) ? ___constant_swab16(x) : __builtin_bswap16(x))
38#define htonl(x) (__builtin_constant_p(x) ? ___constant_swab32(x) : __builtin_bswap32(x))
39#define ntohs(x) htons(x)
40#define ntohl(x) htonl(x)
41
Maciej Żenczykowskib8a7be52019-04-19 21:47:08 -0700[diff] [blame]42DEFINE_BPF_MAP(clat_ingress_map, HASH, ClatIngressKey, ClatIngressValue, 16)
Maciej Żenczykowskidca6ce72019-03-07 16:54:12 -0800[diff] [blame]43
Maciej Żenczykowskic2237d82019-04-02 03:59:51 -0700[diff] [blame]44static inline __always_inline int nat64(struct __sk_buff* skb, bool is_ethernet) {
45 const int l2_header_size = is_ethernet ? sizeof(struct ethhdr) : 0;
46 void* data = (void*)(long)skb->data;
47 const void* data_end = (void*)(long)skb->data_end;
48 const struct ethhdr* const eth = is_ethernet ? data : NULL; // used iff is_ethernet
49 const struct ipv6hdr* const ip6 = is_ethernet ? (void*)(eth + 1) : data;
Maciej Żenczykowskic2237d82019-04-02 03:59:51 -0700[diff] [blame]50
51 // Must be meta-ethernet IPv6 frame
52 if (skb->protocol != htons(ETH_P_IPV6)) return TC_ACT_OK;
53
54 // Must have (ethernet and) ipv6 header
55 if (data + l2_header_size + sizeof(*ip6) > data_end) return TC_ACT_OK;
56
57 // Ethertype - if present - must be IPv6
58 if (is_ethernet && (eth->h_proto != htons(ETH_P_IPV6))) return TC_ACT_OK;
59
60 // IP version must be 6
61 if (ip6->version != 6) return TC_ACT_OK;
62
63 // Maximum IPv6 payload length that can be translated to IPv4
64 if (ntohs(ip6->payload_len) > 0xFFFF - sizeof(struct iphdr)) return TC_ACT_OK;
65
66 switch (ip6->nexthdr) {
Maciej Żenczykowski3ed829e2019-09-07 06:53:20 -0700[diff] [blame]67 case IPPROTO_TCP: // For TCP & UDP the checksum neutrality of the chosen IPv6
68 case IPPROTO_UDP: // address means there is no need to update their checksums.
69 case IPPROTO_GRE: // We do not need to bother looking at GRE/ESP headers,
Maciej Żenczykowski365ecc32019-08-20 18:00:02 -0700[diff] [blame]70 case IPPROTO_ESP: // since there is never a checksum to update.
71 break;
72
Maciej Żenczykowskic2237d82019-04-02 03:59:51 -0700[diff] [blame]73 default: // do not know how to handle anything else
74 return TC_ACT_OK;
75 }
76
Maciej Żenczykowskib8a7be52019-04-19 21:47:08 -0700[diff] [blame]77 ClatIngressKey k = {
Maciej Żenczykowskic2237d82019-04-02 03:59:51 -0700[diff] [blame]78 .iif = skb->ifindex,
79 .pfx96.in6_u.u6_addr32 =
80 {
81 ip6->saddr.in6_u.u6_addr32[0],
82 ip6->saddr.in6_u.u6_addr32[1],
83 ip6->saddr.in6_u.u6_addr32[2],
84 },
85 .local6 = ip6->daddr,
86 };
87
Maciej Żenczykowskib8a7be52019-04-19 21:47:08 -0700[diff] [blame]88 ClatIngressValue* v = bpf_clat_ingress_map_lookup_elem(&k);
Maciej Żenczykowskic2237d82019-04-02 03:59:51 -0700[diff] [blame]89
90 if (!v) return TC_ACT_OK;
91
92 struct ethhdr eth2; // used iff is_ethernet
93 if (is_ethernet) {
94 eth2 = *eth; // Copy over the ethernet header (src/dst mac)
95 eth2.h_proto = htons(ETH_P_IP); // But replace the ethertype
96 }
97
98 struct iphdr ip = {
99 .version = 4, // u4
100 .ihl = sizeof(struct iphdr) / sizeof(__u32), // u4
101 .tos = (ip6->priority << 4) + (ip6->flow_lbl[0] >> 4), // u8
102 .tot_len = htons(ntohs(ip6->payload_len) + sizeof(struct iphdr)), // u16
103 .id = 0, // u16
104 .frag_off = htons(IP_DF), // u16
105 .ttl = ip6->hop_limit, // u8
106 .protocol = ip6->nexthdr, // u8
107 .check = 0, // u16
108 .saddr = ip6->saddr.in6_u.u6_addr32[3], // u32
109 .daddr = v->local4.s_addr, // u32
110 };
111
112 // Calculate the IPv4 one's complement checksum of the IPv4 header.
113 __u32 sum = 0;
114 for (int i = 0; i < sizeof(ip) / sizeof(__u16); ++i) {
115 sum += ((__u16*)&ip)[i];
116 }
117 // Note that sum is guaranteed to be non-zero by virtue of ip.version == 4
118 sum = (sum & 0xFFFF) + (sum >> 16); // collapse u32 into range 1 .. 0x1FFFE
119 sum = (sum & 0xFFFF) + (sum >> 16); // collapse any potential carry into u16
120 ip.check = (__u16)~sum; // sum cannot be zero, so this is never 0xFFFF
121
122 // Note that there is no L4 checksum update: we are relying on the checksum neutrality
123 // of the ipv6 address chosen by netd's ClatdController.
124
Maciej Żenczykowskifaa3abc2019-10-31 03:31:11 -0700[diff] [blame]125 // Packet mutations begin - point of no return, but if this first modification fails
126 // the packet is probably still pristine, so let clatd handle it.
127 if (bpf_skb_change_proto(skb, htons(ETH_P_IP), 0)) return TC_ACT_OK;
Maciej Żenczykowskic2237d82019-04-02 03:59:51 -0700[diff] [blame]128
129 // bpf_skb_change_proto() invalidates all pointers - reload them.
130 data = (void*)(long)skb->data;
131 data_end = (void*)(long)skb->data_end;
132
133 // I cannot think of any valid way for this error condition to trigger, however I do
134 // believe the explicit check is required to keep the in kernel ebpf verifier happy.
135 if (data + l2_header_size + sizeof(struct iphdr) > data_end) return TC_ACT_SHOT;
136
137 if (is_ethernet) {
138 struct ethhdr* new_eth = data;
139
140 // Copy over the updated ethernet header
141 *new_eth = eth2;
142
143 // Copy over the new ipv4 header.
144 *(struct iphdr*)(new_eth + 1) = ip;
145 } else {
146 // Copy over the new ipv4 header without an ethernet header.
147 *(struct iphdr*)data = ip;
148 }
149
150 // Redirect, possibly back to same interface, so tcpdump sees packet twice.
151 if (v->oif) return bpf_redirect(v->oif, BPF_F_INGRESS);
152
153 // Just let it through, tcpdump will not see IPv4 packet.
154 return TC_ACT_OK;
155}
156
Maciej Żenczykowskidca6ce72019-03-07 16:54:12 -0800[diff] [blame]157SEC("schedcls/ingress/clat_ether")
158int sched_cls_ingress_clat_ether(struct __sk_buff* skb) {
Maciej Żenczykowskic2237d82019-04-02 03:59:51 -0700[diff] [blame]159 return nat64(skb, true);
Maciej Żenczykowskidca6ce72019-03-07 16:54:12 -0800[diff] [blame]160}
161
162SEC("schedcls/ingress/clat_rawip")
163int sched_cls_ingress_clat_rawip(struct __sk_buff* skb) {
Maciej Żenczykowskic2237d82019-04-02 03:59:51 -0700[diff] [blame]164 return nat64(skb, false);
Maciej Żenczykowskidca6ce72019-03-07 16:54:12 -0800[diff] [blame]165}
166
167char _license[] SEC("license") = "Apache 2.0";