Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / netd / c2237d86ac82d05aa5d412fd26657ea8d424b500 / . / bpf_progs / clatd.c
blob: 4c2953f78fa83234f4e0f156ead2130c0f6613d0 [file] [log] [blame]
Maciej Żenczykowskidca6ce72019-03-07 16:54:12 -0800[diff] [blame]1/*
2 * Copyright (C) 2019 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Maciej Żenczykowskic2237d82019-04-02 03:59:51 -0700[diff] [blame^]17#include <linux/bpf.h>
18#include <linux/if.h>
19#include <linux/if_ether.h>
20#include <linux/in.h>
21#include <linux/in6.h>
22#include <linux/ip.h>
23#include <linux/ipv6.h>
Maciej Żenczykowskidca6ce72019-03-07 16:54:12 -0800[diff] [blame]24#include <linux/pkt_cls.h>
Maciej Żenczykowskic2237d82019-04-02 03:59:51 -0700[diff] [blame^]25#include <linux/swab.h>
26#include <linux/tcp.h>
27#include <linux/udp.h>
28#include <stdbool.h>
29#include <stdint.h>
30
Maciej Żenczykowskidca6ce72019-03-07 16:54:12 -0800[diff] [blame]31#include "bpf_helpers.h"
32#include "netdbpf/bpf_shared.h"
33
Maciej Żenczykowskic2237d82019-04-02 03:59:51 -0700[diff] [blame^]34// bionic/libc/kernel/uapi/linux/udp.h:
35// struct __kernel_udphdr {
36// bionic/libc/kernel/tools/defaults.py:
37// # We want to support both BSD and Linux member names in struct udphdr.
38// "udphdr": "__kernel_udphdr",
39// so instead it just doesn't work... ugh.
40#define udphdr __kernel_udphdr
41
42// From kernel:include/net/ip.h
43#define IP_DF 0x4000 // Flag: "Don't Fragment"
44
45// Android only supports little endian architectures
46#define htons(x) (__builtin_constant_p(x) ? ___constant_swab16(x) : __builtin_bswap16(x))
47#define htonl(x) (__builtin_constant_p(x) ? ___constant_swab32(x) : __builtin_bswap32(x))
48#define ntohs(x) htons(x)
49#define ntohl(x) htonl(x)
50
Maciej Żenczykowski4fe857e2019-03-29 23:29:17 -0700[diff] [blame]51struct bpf_map_def SEC("maps") clat_ingress_map = {
Maciej Żenczykowskidca6ce72019-03-07 16:54:12 -0800[diff] [blame]52 .type = BPF_MAP_TYPE_HASH,
Maciej Żenczykowski4fe857e2019-03-29 23:29:17 -0700[diff] [blame]53 .key_size = sizeof(struct ClatIngressKey),
54 .value_size = sizeof(struct ClatIngressValue),
Maciej Żenczykowskidca6ce72019-03-07 16:54:12 -0800[diff] [blame]55 .max_entries = 16,
56};
57
Maciej Żenczykowskic2237d82019-04-02 03:59:51 -0700[diff] [blame^]58static inline __always_inline int nat64(struct __sk_buff* skb, bool is_ethernet) {
59 const int l2_header_size = is_ethernet ? sizeof(struct ethhdr) : 0;
60 void* data = (void*)(long)skb->data;
61 const void* data_end = (void*)(long)skb->data_end;
62 const struct ethhdr* const eth = is_ethernet ? data : NULL; // used iff is_ethernet
63 const struct ipv6hdr* const ip6 = is_ethernet ? (void*)(eth + 1) : data;
64 const struct tcphdr* const tcp = (void*)(ip6 + 1);
65 const struct udphdr* const udp = (void*)(ip6 + 1);
66
67 // Must be meta-ethernet IPv6 frame
68 if (skb->protocol != htons(ETH_P_IPV6)) return TC_ACT_OK;
69
70 // Must have (ethernet and) ipv6 header
71 if (data + l2_header_size + sizeof(*ip6) > data_end) return TC_ACT_OK;
72
73 // Ethertype - if present - must be IPv6
74 if (is_ethernet && (eth->h_proto != htons(ETH_P_IPV6))) return TC_ACT_OK;
75
76 // IP version must be 6
77 if (ip6->version != 6) return TC_ACT_OK;
78
79 // Maximum IPv6 payload length that can be translated to IPv4
80 if (ntohs(ip6->payload_len) > 0xFFFF - sizeof(struct iphdr)) return TC_ACT_OK;
81
82 switch (ip6->nexthdr) {
83 case IPPROTO_TCP: // If TCP, must have 20 byte minimal TCP header
84 if (tcp + 1 > (struct tcphdr*)data_end) return TC_ACT_OK;
85 break;
86
87 case IPPROTO_UDP: // If UDP, must have 8 byte minimal UDP header
88 if (udp + 1 > (struct udphdr*)data_end) return TC_ACT_OK;
89 break;
90
91 default: // do not know how to handle anything else
92 return TC_ACT_OK;
93 }
94
95 struct ClatIngressKey k = {
96 .iif = skb->ifindex,
97 .pfx96.in6_u.u6_addr32 =
98 {
99 ip6->saddr.in6_u.u6_addr32[0],
100 ip6->saddr.in6_u.u6_addr32[1],
101 ip6->saddr.in6_u.u6_addr32[2],
102 },
103 .local6 = ip6->daddr,
104 };
105
106 struct ClatIngressValue* v = bpf_map_lookup_elem(&clat_ingress_map, &k);
107
108 if (!v) return TC_ACT_OK;
109
110 struct ethhdr eth2; // used iff is_ethernet
111 if (is_ethernet) {
112 eth2 = *eth; // Copy over the ethernet header (src/dst mac)
113 eth2.h_proto = htons(ETH_P_IP); // But replace the ethertype
114 }
115
116 struct iphdr ip = {
117 .version = 4, // u4
118 .ihl = sizeof(struct iphdr) / sizeof(__u32), // u4
119 .tos = (ip6->priority << 4) + (ip6->flow_lbl[0] >> 4), // u8
120 .tot_len = htons(ntohs(ip6->payload_len) + sizeof(struct iphdr)), // u16
121 .id = 0, // u16
122 .frag_off = htons(IP_DF), // u16
123 .ttl = ip6->hop_limit, // u8
124 .protocol = ip6->nexthdr, // u8
125 .check = 0, // u16
126 .saddr = ip6->saddr.in6_u.u6_addr32[3], // u32
127 .daddr = v->local4.s_addr, // u32
128 };
129
130 // Calculate the IPv4 one's complement checksum of the IPv4 header.
131 __u32 sum = 0;
132 for (int i = 0; i < sizeof(ip) / sizeof(__u16); ++i) {
133 sum += ((__u16*)&ip)[i];
134 }
135 // Note that sum is guaranteed to be non-zero by virtue of ip.version == 4
136 sum = (sum & 0xFFFF) + (sum >> 16); // collapse u32 into range 1 .. 0x1FFFE
137 sum = (sum & 0xFFFF) + (sum >> 16); // collapse any potential carry into u16
138 ip.check = (__u16)~sum; // sum cannot be zero, so this is never 0xFFFF
139
140 // Note that there is no L4 checksum update: we are relying on the checksum neutrality
141 // of the ipv6 address chosen by netd's ClatdController.
142
143 // Packet mutations begin - point of no return.
144 if (bpf_skb_change_proto(skb, htons(ETH_P_IP), 0)) return TC_ACT_SHOT;
145
146 // bpf_skb_change_proto() invalidates all pointers - reload them.
147 data = (void*)(long)skb->data;
148 data_end = (void*)(long)skb->data_end;
149
150 // I cannot think of any valid way for this error condition to trigger, however I do
151 // believe the explicit check is required to keep the in kernel ebpf verifier happy.
152 if (data + l2_header_size + sizeof(struct iphdr) > data_end) return TC_ACT_SHOT;
153
154 if (is_ethernet) {
155 struct ethhdr* new_eth = data;
156
157 // Copy over the updated ethernet header
158 *new_eth = eth2;
159
160 // Copy over the new ipv4 header.
161 *(struct iphdr*)(new_eth + 1) = ip;
162 } else {
163 // Copy over the new ipv4 header without an ethernet header.
164 *(struct iphdr*)data = ip;
165 }
166
167 // Redirect, possibly back to same interface, so tcpdump sees packet twice.
168 if (v->oif) return bpf_redirect(v->oif, BPF_F_INGRESS);
169
170 // Just let it through, tcpdump will not see IPv4 packet.
171 return TC_ACT_OK;
172}
173
Maciej Żenczykowskidca6ce72019-03-07 16:54:12 -0800[diff] [blame]174SEC("schedcls/ingress/clat_ether")
175int sched_cls_ingress_clat_ether(struct __sk_buff* skb) {
Maciej Żenczykowskic2237d82019-04-02 03:59:51 -0700[diff] [blame^]176 return nat64(skb, true);
Maciej Żenczykowskidca6ce72019-03-07 16:54:12 -0800[diff] [blame]177}
178
179SEC("schedcls/ingress/clat_rawip")
180int sched_cls_ingress_clat_rawip(struct __sk_buff* skb) {
Maciej Żenczykowskic2237d82019-04-02 03:59:51 -0700[diff] [blame^]181 return nat64(skb, false);
Maciej Żenczykowskidca6ce72019-03-07 16:54:12 -0800[diff] [blame]182}
183
184char _license[] SEC("license") = "Apache 2.0";