diff options
| -rw-r--r-- | include/net/addrconf.h | 4 | ||||
| -rw-r--r-- | net/ipv6/addrconf.c | 27 | ||||
| -rw-r--r-- | net/ipv6/sit.c | 84 |
3 files changed, 100 insertions, 15 deletions
diff --git a/include/net/addrconf.h b/include/net/addrconf.h index fb314de2b61b..86505bfa5d2c 100644 --- a/include/net/addrconf.h +++ b/include/net/addrconf.h | |||
| @@ -67,6 +67,10 @@ int ipv6_chk_addr(struct net *net, const struct in6_addr *addr, | |||
| 67 | int ipv6_chk_home_addr(struct net *net, const struct in6_addr *addr); | 67 | int ipv6_chk_home_addr(struct net *net, const struct in6_addr *addr); |
| 68 | #endif | 68 | #endif |
| 69 | 69 | ||
| 70 | bool ipv6_chk_custom_prefix(const struct in6_addr *addr, | ||
| 71 | const unsigned int prefix_len, | ||
| 72 | struct net_device *dev); | ||
| 73 | |||
| 70 | int ipv6_chk_prefix(const struct in6_addr *addr, struct net_device *dev); | 74 | int ipv6_chk_prefix(const struct in6_addr *addr, struct net_device *dev); |
| 71 | 75 | ||
| 72 | struct inet6_ifaddr *ipv6_get_ifaddr(struct net *net, | 76 | struct inet6_ifaddr *ipv6_get_ifaddr(struct net *net, |
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index d6ff12617f36..a0c3abe72461 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c | |||
| @@ -1499,6 +1499,33 @@ static bool ipv6_chk_same_addr(struct net *net, const struct in6_addr *addr, | |||
| 1499 | return false; | 1499 | return false; |
| 1500 | } | 1500 | } |
| 1501 | 1501 | ||
| 1502 | /* Compares an address/prefix_len with addresses on device @dev. | ||
| 1503 | * If one is found it returns true. | ||
| 1504 | */ | ||
| 1505 | bool ipv6_chk_custom_prefix(const struct in6_addr *addr, | ||
| 1506 | const unsigned int prefix_len, struct net_device *dev) | ||
| 1507 | { | ||
| 1508 | struct inet6_dev *idev; | ||
| 1509 | struct inet6_ifaddr *ifa; | ||
| 1510 | bool ret = false; | ||
| 1511 | |||
| 1512 | rcu_read_lock(); | ||
| 1513 | idev = __in6_dev_get(dev); | ||
| 1514 | if (idev) { | ||
| 1515 | read_lock_bh(&idev->lock); | ||
| 1516 | list_for_each_entry(ifa, &idev->addr_list, if_list) { | ||
| 1517 | ret = ipv6_prefix_equal(addr, &ifa->addr, prefix_len); | ||
| 1518 | if (ret) | ||
| 1519 | break; | ||
| 1520 | } | ||
| 1521 | read_unlock_bh(&idev->lock); | ||
| 1522 | } | ||
| 1523 | rcu_read_unlock(); | ||
| 1524 | |||
| 1525 | return ret; | ||
| 1526 | } | ||
| 1527 | EXPORT_SYMBOL(ipv6_chk_custom_prefix); | ||
| 1528 | |||
| 1502 | int ipv6_chk_prefix(const struct in6_addr *addr, struct net_device *dev) | 1529 | int ipv6_chk_prefix(const struct in6_addr *addr, struct net_device *dev) |
| 1503 | { | 1530 | { |
| 1504 | struct inet6_dev *idev; | 1531 | struct inet6_dev *idev; |
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c index 7ee5cb96db34..afd5605aea7c 100644 --- a/net/ipv6/sit.c +++ b/net/ipv6/sit.c | |||
| @@ -566,6 +566,70 @@ static inline bool is_spoofed_6rd(struct ip_tunnel *tunnel, const __be32 v4addr, | |||
| 566 | return false; | 566 | return false; |
| 567 | } | 567 | } |
| 568 | 568 | ||
| 569 | /* Checks if an address matches an address on the tunnel interface. | ||
| 570 | * Used to detect the NAT of proto 41 packets and let them pass spoofing test. | ||
| 571 | * Long story: | ||
| 572 | * This function is called after we considered the packet as spoofed | ||
| 573 | * in is_spoofed_6rd. | ||
| 574 | * We may have a router that is doing NAT for proto 41 packets | ||
| 575 | * for an internal station. Destination a.a.a.a/PREFIX:bbbb:bbbb | ||
| 576 | * will be translated to n.n.n.n/PREFIX:bbbb:bbbb. And is_spoofed_6rd | ||
| 577 | * function will return true, dropping the packet. | ||
| 578 | * But, we can still check if is spoofed against the IP | ||
| 579 | * addresses associated with the interface. | ||
| 580 | */ | ||
| 581 | static bool only_dnatted(const struct ip_tunnel *tunnel, | ||
| 582 | const struct in6_addr *v6dst) | ||
| 583 | { | ||
| 584 | int prefix_len; | ||
| 585 | |||
| 586 | #ifdef CONFIG_IPV6_SIT_6RD | ||
| 587 | prefix_len = tunnel->ip6rd.prefixlen + 32 | ||
| 588 | - tunnel->ip6rd.relay_prefixlen; | ||
| 589 | #else | ||
| 590 | prefix_len = 48; | ||
| 591 | #endif | ||
| 592 | return ipv6_chk_custom_prefix(v6dst, prefix_len, tunnel->dev); | ||
| 593 | } | ||
| 594 | |||
| 595 | /* Returns true if a packet is spoofed */ | ||
| 596 | static bool packet_is_spoofed(struct sk_buff *skb, | ||
| 597 | const struct iphdr *iph, | ||
| 598 | struct ip_tunnel *tunnel) | ||
| 599 | { | ||
| 600 | const struct ipv6hdr *ipv6h; | ||
| 601 | |||
| 602 | if (tunnel->dev->priv_flags & IFF_ISATAP) { | ||
| 603 | if (!isatap_chksrc(skb, iph, tunnel)) | ||
| 604 | return true; | ||
| 605 | |||
| 606 | return false; | ||
| 607 | } | ||
| 608 | |||
| 609 | if (tunnel->dev->flags & IFF_POINTOPOINT) | ||
| 610 | return false; | ||
| 611 | |||
| 612 | ipv6h = ipv6_hdr(skb); | ||
| 613 | |||
| 614 | if (unlikely(is_spoofed_6rd(tunnel, iph->saddr, &ipv6h->saddr))) { | ||
| 615 | net_warn_ratelimited("Src spoofed %pI4/%pI6c -> %pI4/%pI6c\n", | ||
| 616 | &iph->saddr, &ipv6h->saddr, | ||
| 617 | &iph->daddr, &ipv6h->daddr); | ||
| 618 | return true; | ||
| 619 | } | ||
| 620 | |||
| 621 | if (likely(!is_spoofed_6rd(tunnel, iph->daddr, &ipv6h->daddr))) | ||
| 622 | return false; | ||
| 623 | |||
| 624 | if (only_dnatted(tunnel, &ipv6h->daddr)) | ||
| 625 | return false; | ||
| 626 | |||
| 627 | net_warn_ratelimited("Dst spoofed %pI4/%pI6c -> %pI4/%pI6c\n", | ||
| 628 | &iph->saddr, &ipv6h->saddr, | ||
| 629 | &iph->daddr, &ipv6h->daddr); | ||
| 630 | return true; | ||
| 631 | } | ||
| 632 | |||
| 569 | static int ipip6_rcv(struct sk_buff *skb) | 633 | static int ipip6_rcv(struct sk_buff *skb) |
| 570 | { | 634 | { |
| 571 | const struct iphdr *iph = ip_hdr(skb); | 635 | const struct iphdr *iph = ip_hdr(skb); |
| @@ -586,19 +650,9 @@ static int ipip6_rcv(struct sk_buff *skb) | |||
| 586 | IPCB(skb)->flags = 0; | 650 | IPCB(skb)->flags = 0; |
| 587 | skb->protocol = htons(ETH_P_IPV6); | 651 | skb->protocol = htons(ETH_P_IPV6); |
| 588 | 652 | ||
| 589 | if (tunnel->dev->priv_flags & IFF_ISATAP) { | 653 | if (packet_is_spoofed(skb, iph, tunnel)) { |
| 590 | if (!isatap_chksrc(skb, iph, tunnel)) { | 654 | tunnel->dev->stats.rx_errors++; |
| 591 | tunnel->dev->stats.rx_errors++; | 655 | goto out; |
| 592 | goto out; | ||
| 593 | } | ||
| 594 | } else if (!(tunnel->dev->flags&IFF_POINTOPOINT)) { | ||
| 595 | if (is_spoofed_6rd(tunnel, iph->saddr, | ||
| 596 | &ipv6_hdr(skb)->saddr) || | ||
| 597 | is_spoofed_6rd(tunnel, iph->daddr, | ||
| 598 | &ipv6_hdr(skb)->daddr)) { | ||
| 599 | tunnel->dev->stats.rx_errors++; | ||
| 600 | goto out; | ||
| 601 | } | ||
| 602 | } | 656 | } |
| 603 | 657 | ||
| 604 | __skb_tunnel_rx(skb, tunnel->dev, tunnel->net); | 658 | __skb_tunnel_rx(skb, tunnel->dev, tunnel->net); |
| @@ -748,7 +802,7 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb, | |||
| 748 | neigh = dst_neigh_lookup(skb_dst(skb), &iph6->daddr); | 802 | neigh = dst_neigh_lookup(skb_dst(skb), &iph6->daddr); |
| 749 | 803 | ||
| 750 | if (neigh == NULL) { | 804 | if (neigh == NULL) { |
| 751 | net_dbg_ratelimited("sit: nexthop == NULL\n"); | 805 | net_dbg_ratelimited("nexthop == NULL\n"); |
| 752 | goto tx_error; | 806 | goto tx_error; |
| 753 | } | 807 | } |
| 754 | 808 | ||
| @@ -777,7 +831,7 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb, | |||
| 777 | neigh = dst_neigh_lookup(skb_dst(skb), &iph6->daddr); | 831 | neigh = dst_neigh_lookup(skb_dst(skb), &iph6->daddr); |
| 778 | 832 | ||
| 779 | if (neigh == NULL) { | 833 | if (neigh == NULL) { |
| 780 | net_dbg_ratelimited("sit: nexthop == NULL\n"); | 834 | net_dbg_ratelimited("nexthop == NULL\n"); |
| 781 | goto tx_error; | 835 | goto tx_error; |
| 782 | } | 836 | } |
| 783 | 837 | ||