IPv6 NAT: Do not drop DNATed 6to4/6rd packets

When a router is doing DNAT for 6to4/6rd packets the latest anti-spoofing commit 218774dc ("ipv6: add anti-spoofing checks for 6to4 and 6rd") will drop them because the IPv6 address embedded does not match the IPv4 destination. This patch will allow them to pass by testing if we have an address that matches on 6to4/6rd interface. I have been hit by this problem using Fedora and IPV6TO4_IPV4ADDR. Also, log the dropped packets (with rate limit). Signed-off-by: Catalin(ux) M. BOIE <catab@embedromix.ro> Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Catalin\(ux\) M. BOIE <catab@embedromix.ro> 2013-09-23 16:04:19 -0400
committer: David S. Miller <davem@davemloft.net> 2013-09-28 15:56:15 -0400
commit: 7df37ff33dc122f7bd0614d707939fe84322d264 (patch)
tree: caacc6c977eeb20bd408094c92a12c4bd8adfbed /net/ipv6/sit.c
parent: 60e453a940ac678565b6641d65f8c18541bb9f28 (diff)
1 files changed, 69 insertions, 15 deletions
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 7ee5cb96db34..afd5605aea7c 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -566,6 +566,70 @@ static inline bool is_spoofed_6rd(struct ip_tunnel *tunnel, const __be32 v4addr,
        return false;
 }
+/* Checks if an address matches an address on the tunnel interface.
+ * Used to detect the NAT of proto 41 packets and let them pass spoofing test.
+ * Long story:
+ * This function is called after we considered the packet as spoofed
+ * in is_spoofed_6rd.
+ * We may have a router that is doing NAT for proto 41 packets
+ * for an internal station. Destination a.a.a.a/PREFIX:bbbb:bbbb
+ * will be translated to n.n.n.n/PREFIX:bbbb:bbbb. And is_spoofed_6rd
+ * function will return true, dropping the packet.
+ * But, we can still check if is spoofed against the IP
+ * addresses associated with the interface.
+ */
+static bool only_dnatted(const struct ip_tunnel *tunnel,
+        const struct in6_addr *v6dst)
+{
+        int prefix_len;
+#ifdef CONFIG_IPV6_SIT_6RD
+        prefix_len = tunnel->ip6rd.prefixlen + 32
+                - tunnel->ip6rd.relay_prefixlen;
+#else
+        prefix_len = 48;
+#endif
+        return ipv6_chk_custom_prefix(v6dst, prefix_len, tunnel->dev);
+}
+/* Returns true if a packet is spoofed */
+static bool packet_is_spoofed(struct sk_buff *skb,
+                              const struct iphdr *iph,
+                              struct ip_tunnel *tunnel)
+{
+        const struct ipv6hdr *ipv6h;
+        if (tunnel->dev->priv_flags & IFF_ISATAP) {
+                if (!isatap_chksrc(skb, iph, tunnel))
+                        return true;
+                return false;
+        }
+        if (tunnel->dev->flags & IFF_POINTOPOINT)
+                return false;
+        ipv6h = ipv6_hdr(skb);
+        if (unlikely(is_spoofed_6rd(tunnel, iph->saddr, &ipv6h->saddr))) {
+                net_warn_ratelimited("Src spoofed %pI4/%pI6c -> %pI4/%pI6c\n",
+                                     &iph->saddr, &ipv6h->saddr,
+                                     &iph->daddr, &ipv6h->daddr);
+                return true;
+        }
+        if (likely(!is_spoofed_6rd(tunnel, iph->daddr, &ipv6h->daddr)))
+                return false;
+        if (only_dnatted(tunnel, &ipv6h->daddr))
+                return false;
+        net_warn_ratelimited("Dst spoofed %pI4/%pI6c -> %pI4/%pI6c\n",
+                             &iph->saddr, &ipv6h->saddr,
+                             &iph->daddr, &ipv6h->daddr);
+        return true;
+}
 static int ipip6_rcv(struct sk_buff *skb)
 {
        const struct iphdr *iph = ip_hdr(skb);
@@ -586,19 +650,9 @@ static int ipip6_rcv(struct sk_buff *skb)
                IPCB(skb)->flags = 0;
                skb->protocol = htons(ETH_P_IPV6);
-                if (tunnel->dev->priv_flags & IFF_ISATAP) {
+                if (packet_is_spoofed(skb, iph, tunnel)) {
-                        if (!isatap_chksrc(skb, iph, tunnel)) {
+                        tunnel->dev->stats.rx_errors++;
-                                tunnel->dev->stats.rx_errors++;
+                        goto out;
-                                goto out;
-                        }
-                } else if (!(tunnel->dev->flags&IFF_POINTOPOINT)) {
-                        if (is_spoofed_6rd(tunnel, iph->saddr,
-                                           &ipv6_hdr(skb)->saddr) ||
-                            is_spoofed_6rd(tunnel, iph->daddr,
-                                           &ipv6_hdr(skb)->daddr)) {
-                                tunnel->dev->stats.rx_errors++;
-                                goto out;
-                        }
                }
                __skb_tunnel_rx(skb, tunnel->dev, tunnel->net);
@@ -748,7 +802,7 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
                        neigh = dst_neigh_lookup(skb_dst(skb), &iph6->daddr);
                if (neigh == NULL) {
-                        net_dbg_ratelimited("sit: nexthop == NULL\n");
+                        net_dbg_ratelimited("nexthop == NULL\n");
                        goto tx_error;
                }
@@ -777,7 +831,7 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
                        neigh = dst_neigh_lookup(skb_dst(skb), &iph6->daddr);
                if (neigh == NULL) {
-                        net_dbg_ratelimited("sit: nexthop == NULL\n");
+                        net_dbg_ratelimited("nexthop == NULL\n");
                        goto tx_error;
                }
author	Catalin\(ux\) M. BOIE <catab@embedromix.ro>	2013-09-23 16:04:19 -0400
committer	David S. Miller <davem@davemloft.net>	2013-09-28 15:56:15 -0400
commit	7df37ff33dc122f7bd0614d707939fe84322d264 (patch)
tree	caacc6c977eeb20bd408094c92a12c4bd8adfbed /net/ipv6/sit.c
parent	60e453a940ac678565b6641d65f8c18541bb9f28 (diff)

diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c index 7ee5cb96db34..afd5605aea7c 100644 --- a/net/ipv6/sit.c +++ b/net/ipv6/sit.c
@@ -566,6 +566,70 @@ static inline bool is_spoofed_6rd(struct ip_tunnel *tunnel, const __be32 v4addr,
566	return false;	566	return false;
567	}	567	}
568		568
		569	/* Checks if an address matches an address on the tunnel interface.
		570	* Used to detect the NAT of proto 41 packets and let them pass spoofing test.
		571	* Long story:
		572	* This function is called after we considered the packet as spoofed
		573	* in is_spoofed_6rd.
		574	* We may have a router that is doing NAT for proto 41 packets
		575	* for an internal station. Destination a.a.a.a/PREFIX:bbbb:bbbb
		576	* will be translated to n.n.n.n/PREFIX:bbbb:bbbb. And is_spoofed_6rd
		577	* function will return true, dropping the packet.
		578	* But, we can still check if is spoofed against the IP
		579	* addresses associated with the interface.
		580	*/
		581	static bool only_dnatted(const struct ip_tunnel *tunnel,
		582	const struct in6_addr *v6dst)
		583	{
		584	int prefix_len;
		585
		586	#ifdef CONFIG_IPV6_SIT_6RD
		587	prefix_len = tunnel->ip6rd.prefixlen + 32
		588	- tunnel->ip6rd.relay_prefixlen;
		589	#else
		590	prefix_len = 48;
		591	#endif
		592	return ipv6_chk_custom_prefix(v6dst, prefix_len, tunnel->dev);
		593	}
		594
		595	/* Returns true if a packet is spoofed */
		596	static bool packet_is_spoofed(struct sk_buff *skb,
		597	const struct iphdr *iph,
		598	struct ip_tunnel *tunnel)
		599	{
		600	const struct ipv6hdr *ipv6h;
		601
		602	if (tunnel->dev->priv_flags & IFF_ISATAP) {
		603	if (!isatap_chksrc(skb, iph, tunnel))
		604	return true;
		605
		606	return false;
		607	}
		608
		609	if (tunnel->dev->flags & IFF_POINTOPOINT)
		610	return false;
		611
		612	ipv6h = ipv6_hdr(skb);
		613
		614	if (unlikely(is_spoofed_6rd(tunnel, iph->saddr, &ipv6h->saddr))) {
		615	net_warn_ratelimited("Src spoofed %pI4/%pI6c -> %pI4/%pI6c\n",
		616	&iph->saddr, &ipv6h->saddr,
		617	&iph->daddr, &ipv6h->daddr);
		618	return true;
		619	}
		620
		621	if (likely(!is_spoofed_6rd(tunnel, iph->daddr, &ipv6h->daddr)))
		622	return false;
		623
		624	if (only_dnatted(tunnel, &ipv6h->daddr))
		625	return false;
		626
		627	net_warn_ratelimited("Dst spoofed %pI4/%pI6c -> %pI4/%pI6c\n",
		628	&iph->saddr, &ipv6h->saddr,
		629	&iph->daddr, &ipv6h->daddr);
		630	return true;
		631	}
		632
569	static int ipip6_rcv(struct sk_buff *skb)	633	static int ipip6_rcv(struct sk_buff *skb)
570	{	634	{
571	const struct iphdr *iph = ip_hdr(skb);	635	const struct iphdr *iph = ip_hdr(skb);
@@ -586,19 +650,9 @@ static int ipip6_rcv(struct sk_buff *skb)
586	IPCB(skb)->flags = 0;	650	IPCB(skb)->flags = 0;
587	skb->protocol = htons(ETH_P_IPV6);	651	skb->protocol = htons(ETH_P_IPV6);
588		652
589	if (tunnel->dev->priv_flags & IFF_ISATAP) {	653	if (packet_is_spoofed(skb, iph, tunnel)) {
590	if (!isatap_chksrc(skb, iph, tunnel)) {	654	tunnel->dev->stats.rx_errors++;
591	tunnel->dev->stats.rx_errors++;	655	goto out;
592	goto out;
593	}
594	} else if (!(tunnel->dev->flags&IFF_POINTOPOINT)) {
595	if (is_spoofed_6rd(tunnel, iph->saddr,
596	&ipv6_hdr(skb)->saddr) \|\|
597	is_spoofed_6rd(tunnel, iph->daddr,
598	&ipv6_hdr(skb)->daddr)) {
599	tunnel->dev->stats.rx_errors++;
600	goto out;
601	}
602	}	656	}
603		657
604	__skb_tunnel_rx(skb, tunnel->dev, tunnel->net);	658	__skb_tunnel_rx(skb, tunnel->dev, tunnel->net);
@@ -748,7 +802,7 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
748	neigh = dst_neigh_lookup(skb_dst(skb), &iph6->daddr);	802	neigh = dst_neigh_lookup(skb_dst(skb), &iph6->daddr);
749		803
750	if (neigh == NULL) {	804	if (neigh == NULL) {
751	net_dbg_ratelimited("sit: nexthop == NULL\n");	805	net_dbg_ratelimited("nexthop == NULL\n");
752	goto tx_error;	806	goto tx_error;
753	}	807	}
754		808
@@ -777,7 +831,7 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
777	neigh = dst_neigh_lookup(skb_dst(skb), &iph6->daddr);	831	neigh = dst_neigh_lookup(skb_dst(skb), &iph6->daddr);
778		832
779	if (neigh == NULL) {	833	if (neigh == NULL) {
780	net_dbg_ratelimited("sit: nexthop == NULL\n");	834	net_dbg_ratelimited("nexthop == NULL\n");
781	goto tx_error;	835	goto tx_error;
782	}	836	}
783		837