1 files changed, 70 insertions, 16 deletions
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 7ee5cb96db34..19269453a8ea 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -566,6 +566,70 @@ static inline bool is_spoofed_6rd(struct ip_tunnel *tunnel, const __be32 v4addr,
        return false;
 }
+/* Checks if an address matches an address on the tunnel interface.
+ * Used to detect the NAT of proto 41 packets and let them pass spoofing test.
+ * Long story:
+ * This function is called after we considered the packet as spoofed
+ * in is_spoofed_6rd.
+ * We may have a router that is doing NAT for proto 41 packets
+ * for an internal station. Destination a.a.a.a/PREFIX:bbbb:bbbb
+ * will be translated to n.n.n.n/PREFIX:bbbb:bbbb. And is_spoofed_6rd
+ * function will return true, dropping the packet.
+ * But, we can still check if is spoofed against the IP
+ * addresses associated with the interface.
+ */
+static bool only_dnatted(const struct ip_tunnel *tunnel,
+        const struct in6_addr *v6dst)
+{
+        int prefix_len;
+#ifdef CONFIG_IPV6_SIT_6RD
+        prefix_len = tunnel->ip6rd.prefixlen + 32
+                - tunnel->ip6rd.relay_prefixlen;
+#else
+        prefix_len = 48;
+#endif
+        return ipv6_chk_custom_prefix(v6dst, prefix_len, tunnel->dev);
+}
+/* Returns true if a packet is spoofed */
+static bool packet_is_spoofed(struct sk_buff *skb,
+                              const struct iphdr *iph,
+                              struct ip_tunnel *tunnel)
+{
+        const struct ipv6hdr *ipv6h;
+        if (tunnel->dev->priv_flags & IFF_ISATAP) {
+                if (!isatap_chksrc(skb, iph, tunnel))
+                        return true;
+                return false;
+        }
+        if (tunnel->dev->flags & IFF_POINTOPOINT)
+                return false;
+        ipv6h = ipv6_hdr(skb);
+        if (unlikely(is_spoofed_6rd(tunnel, iph->saddr, &ipv6h->saddr))) {
+                net_warn_ratelimited("Src spoofed %pI4/%pI6c -> %pI4/%pI6c\n",
+                                     &iph->saddr, &ipv6h->saddr,
+                                     &iph->daddr, &ipv6h->daddr);
+                return true;
+        }
+        if (likely(!is_spoofed_6rd(tunnel, iph->daddr, &ipv6h->daddr)))
+                return false;
+        if (only_dnatted(tunnel, &ipv6h->daddr))
+                return false;
+        net_warn_ratelimited("Dst spoofed %pI4/%pI6c -> %pI4/%pI6c\n",
+                             &iph->saddr, &ipv6h->saddr,
+                             &iph->daddr, &ipv6h->daddr);
+        return true;
+}
 static int ipip6_rcv(struct sk_buff *skb)
 {
        const struct iphdr *iph = ip_hdr(skb);
@@ -586,19 +650,9 @@ static int ipip6_rcv(struct sk_buff *skb)
                IPCB(skb)->flags = 0;
                skb->protocol = htons(ETH_P_IPV6);
-                if (tunnel->dev->priv_flags & IFF_ISATAP) {
+                if (packet_is_spoofed(skb, iph, tunnel)) {
-                        if (!isatap_chksrc(skb, iph, tunnel)) {
+                        tunnel->dev->stats.rx_errors++;
-                                tunnel->dev->stats.rx_errors++;
+                        goto out;
-                                goto out;
-                        }
-                } else if (!(tunnel->dev->flags&IFF_POINTOPOINT)) {
-                        if (is_spoofed_6rd(tunnel, iph->saddr,
-                                           &ipv6_hdr(skb)->saddr) ||
-                            is_spoofed_6rd(tunnel, iph->daddr,
-                                           &ipv6_hdr(skb)->daddr)) {
-                                tunnel->dev->stats.rx_errors++;
-                                goto out;
-                        }
                }
                __skb_tunnel_rx(skb, tunnel->dev, tunnel->net);
@@ -748,7 +802,7 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
                        neigh = dst_neigh_lookup(skb_dst(skb), &iph6->daddr);
                if (neigh == NULL) {
-                        net_dbg_ratelimited("sit: nexthop == NULL\n");
+                        net_dbg_ratelimited("nexthop == NULL\n");
                        goto tx_error;
                }
@@ -777,7 +831,7 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
                        neigh = dst_neigh_lookup(skb_dst(skb), &iph6->daddr);
                if (neigh == NULL) {
-                        net_dbg_ratelimited("sit: nexthop == NULL\n");
+                        net_dbg_ratelimited("nexthop == NULL\n");
                        goto tx_error;
                }
@@ -1612,6 +1666,7 @@ static int __net_init sit_init_net(struct net *net)
                goto err_alloc_dev;
        }
        dev_net_set(sitn->fb_tunnel_dev, net);
+        sitn->fb_tunnel_dev->rtnl_link_ops = &sit_link_ops;
        /* FB netdevice is special: we have one, and only one per netns.
         * Allowing to move it to another netns is clearly unsafe.
         */
@@ -1646,7 +1701,6 @@ static void __net_exit sit_exit_net(struct net *net)
        rtnl_lock();
        sit_destroy_tunnels(sitn, &list);
-        unregister_netdevice_queue(sitn->fb_tunnel_dev, &list);
        unregister_netdevice_many(&list);
        rtnl_unlock();
 }

diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c index 7ee5cb96db34..19269453a8ea 100644 --- a/net/ipv6/sit.c +++ b/net/ipv6/sit.c
@@ -566,6 +566,70 @@ static inline bool is_spoofed_6rd(struct ip_tunnel *tunnel, const __be32 v4addr,
566	return false;	566	return false;
567	}	567	}
568		568
		569	/* Checks if an address matches an address on the tunnel interface.
		570	* Used to detect the NAT of proto 41 packets and let them pass spoofing test.
		571	* Long story:
		572	* This function is called after we considered the packet as spoofed
		573	* in is_spoofed_6rd.
		574	* We may have a router that is doing NAT for proto 41 packets
		575	* for an internal station. Destination a.a.a.a/PREFIX:bbbb:bbbb
		576	* will be translated to n.n.n.n/PREFIX:bbbb:bbbb. And is_spoofed_6rd
		577	* function will return true, dropping the packet.
		578	* But, we can still check if is spoofed against the IP
		579	* addresses associated with the interface.
		580	*/
		581	static bool only_dnatted(const struct ip_tunnel *tunnel,
		582	const struct in6_addr *v6dst)
		583	{
		584	int prefix_len;
		585
		586	#ifdef CONFIG_IPV6_SIT_6RD
		587	prefix_len = tunnel->ip6rd.prefixlen + 32
		588	- tunnel->ip6rd.relay_prefixlen;
		589	#else
		590	prefix_len = 48;
		591	#endif
		592	return ipv6_chk_custom_prefix(v6dst, prefix_len, tunnel->dev);
		593	}
		594
		595	/* Returns true if a packet is spoofed */
		596	static bool packet_is_spoofed(struct sk_buff *skb,
		597	const struct iphdr *iph,
		598	struct ip_tunnel *tunnel)
		599	{
		600	const struct ipv6hdr *ipv6h;
		601
		602	if (tunnel->dev->priv_flags & IFF_ISATAP) {
		603	if (!isatap_chksrc(skb, iph, tunnel))
		604	return true;
		605
		606	return false;
		607	}
		608
		609	if (tunnel->dev->flags & IFF_POINTOPOINT)
		610	return false;
		611
		612	ipv6h = ipv6_hdr(skb);
		613
		614	if (unlikely(is_spoofed_6rd(tunnel, iph->saddr, &ipv6h->saddr))) {
		615	net_warn_ratelimited("Src spoofed %pI4/%pI6c -> %pI4/%pI6c\n",
		616	&iph->saddr, &ipv6h->saddr,
		617	&iph->daddr, &ipv6h->daddr);
		618	return true;
		619	}
		620
		621	if (likely(!is_spoofed_6rd(tunnel, iph->daddr, &ipv6h->daddr)))
		622	return false;
		623
		624	if (only_dnatted(tunnel, &ipv6h->daddr))
		625	return false;
		626
		627	net_warn_ratelimited("Dst spoofed %pI4/%pI6c -> %pI4/%pI6c\n",
		628	&iph->saddr, &ipv6h->saddr,
		629	&iph->daddr, &ipv6h->daddr);
		630	return true;
		631	}
		632
569	static int ipip6_rcv(struct sk_buff *skb)	633	static int ipip6_rcv(struct sk_buff *skb)
570	{	634	{
571	const struct iphdr *iph = ip_hdr(skb);	635	const struct iphdr *iph = ip_hdr(skb);
@@ -586,19 +650,9 @@ static int ipip6_rcv(struct sk_buff *skb)
586	IPCB(skb)->flags = 0;	650	IPCB(skb)->flags = 0;
587	skb->protocol = htons(ETH_P_IPV6);	651	skb->protocol = htons(ETH_P_IPV6);
588		652
589	if (tunnel->dev->priv_flags & IFF_ISATAP) {	653	if (packet_is_spoofed(skb, iph, tunnel)) {
590	if (!isatap_chksrc(skb, iph, tunnel)) {	654	tunnel->dev->stats.rx_errors++;
591	tunnel->dev->stats.rx_errors++;	655	goto out;
592	goto out;
593	}
594	} else if (!(tunnel->dev->flags&IFF_POINTOPOINT)) {
595	if (is_spoofed_6rd(tunnel, iph->saddr,
596	&ipv6_hdr(skb)->saddr) \|\|
597	is_spoofed_6rd(tunnel, iph->daddr,
598	&ipv6_hdr(skb)->daddr)) {
599	tunnel->dev->stats.rx_errors++;
600	goto out;
601	}
602	}	656	}
603		657
604	__skb_tunnel_rx(skb, tunnel->dev, tunnel->net);	658	__skb_tunnel_rx(skb, tunnel->dev, tunnel->net);
@@ -748,7 +802,7 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
748	neigh = dst_neigh_lookup(skb_dst(skb), &iph6->daddr);	802	neigh = dst_neigh_lookup(skb_dst(skb), &iph6->daddr);
749		803
750	if (neigh == NULL) {	804	if (neigh == NULL) {
751	net_dbg_ratelimited("sit: nexthop == NULL\n");	805	net_dbg_ratelimited("nexthop == NULL\n");
752	goto tx_error;	806	goto tx_error;
753	}	807	}
754		808
@@ -777,7 +831,7 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
777	neigh = dst_neigh_lookup(skb_dst(skb), &iph6->daddr);	831	neigh = dst_neigh_lookup(skb_dst(skb), &iph6->daddr);
778		832
779	if (neigh == NULL) {	833	if (neigh == NULL) {
780	net_dbg_ratelimited("sit: nexthop == NULL\n");	834	net_dbg_ratelimited("nexthop == NULL\n");
781	goto tx_error;	835	goto tx_error;
782	}	836	}
783		837
@@ -1612,6 +1666,7 @@ static int __net_init sit_init_net(struct net *net)
1612	goto err_alloc_dev;	1666	goto err_alloc_dev;
1613	}	1667	}
1614	dev_net_set(sitn->fb_tunnel_dev, net);	1668	dev_net_set(sitn->fb_tunnel_dev, net);
		1669	sitn->fb_tunnel_dev->rtnl_link_ops = &sit_link_ops;
1615	/* FB netdevice is special: we have one, and only one per netns.	1670	/* FB netdevice is special: we have one, and only one per netns.
1616	* Allowing to move it to another netns is clearly unsafe.	1671	* Allowing to move it to another netns is clearly unsafe.
1617	*/	1672	*/
@@ -1646,7 +1701,6 @@ static void __net_exit sit_exit_net(struct net *net)
1646		1701
1647	rtnl_lock();	1702	rtnl_lock();
1648	sit_destroy_tunnels(sitn, &list);	1703	sit_destroy_tunnels(sitn, &list);
1649	unregister_netdevice_queue(sitn->fb_tunnel_dev, &list);
1650	unregister_netdevice_many(&list);	1704	unregister_netdevice_many(&list);
1651	rtnl_unlock();	1705	rtnl_unlock();
1652	}	1706	}