1// SPDX-License-Identifier: GPL-2.0
  2// Copyright (c) 2018 Facebook
  3// Copyright (c) 2019 Cloudflare
  4
  5#include <string.h>
  6
  7#include <linux/bpf.h>
  8#include <linux/pkt_cls.h>
  9#include <linux/if_ether.h>
 10#include <linux/in.h>
 11#include <linux/ip.h>
 12#include <linux/ipv6.h>
 13#include <sys/socket.h>
 14#include <linux/tcp.h>
 15
 16#include "bpf_helpers.h"
 17#include "bpf_endian.h"
 18
 19struct bpf_map_def SEC("maps") results = {
 20	.type = BPF_MAP_TYPE_ARRAY,
 21	.key_size = sizeof(__u32),
 22	.value_size = sizeof(__u32),
 23	.max_entries = 3,
 24};
 25
 26static __always_inline __s64 gen_syncookie(void *data_end, struct bpf_sock *sk,
 27					   void *iph, __u32 ip_size,
 28					   struct tcphdr *tcph)
 29{
 30	__u32 thlen = tcph->doff * 4;
 31
 32	if (tcph->syn && !tcph->ack) {
 33		// packet should only have an MSS option
 34		if (thlen != 24)
 35			return 0;
 36
 37		if ((void *)tcph + thlen > data_end)
 38			return 0;
 39
 40		return bpf_tcp_gen_syncookie(sk, iph, ip_size, tcph, thlen);
 41	}
 42	return 0;
 43}
 44
 45static __always_inline void check_syncookie(void *ctx, void *data,
 46					    void *data_end)
 47{
 48	struct bpf_sock_tuple tup;
 49	struct bpf_sock *sk;
 50	struct ethhdr *ethh;
 51	struct iphdr *ipv4h;
 52	struct ipv6hdr *ipv6h;
 53	struct tcphdr *tcph;
 54	int ret;
 55	__u32 key_mss = 2;
 56	__u32 key_gen = 1;
 57	__u32 key = 0;
 58	__s64 seq_mss;
 59
 60	ethh = data;
 61	if (ethh + 1 > data_end)
 62		return;
 63
 64	switch (bpf_ntohs(ethh->h_proto)) {
 65	case ETH_P_IP:
 66		ipv4h = data + sizeof(struct ethhdr);
 67		if (ipv4h + 1 > data_end)
 68			return;
 69
 70		if (ipv4h->ihl != 5)
 71			return;
 72
 73		tcph = data + sizeof(struct ethhdr) + sizeof(struct iphdr);
 74		if (tcph + 1 > data_end)
 75			return;
 76
 77		tup.ipv4.saddr = ipv4h->saddr;
 78		tup.ipv4.daddr = ipv4h->daddr;
 79		tup.ipv4.sport = tcph->source;
 80		tup.ipv4.dport = tcph->dest;
 81
 82		sk = bpf_skc_lookup_tcp(ctx, &tup, sizeof(tup.ipv4),
 83					BPF_F_CURRENT_NETNS, 0);
 84		if (!sk)
 85			return;
 86
 87		if (sk->state != BPF_TCP_LISTEN)
 88			goto release;
 89
 90		seq_mss = gen_syncookie(data_end, sk, ipv4h, sizeof(*ipv4h),
 91					tcph);
 92
 93		ret = bpf_tcp_check_syncookie(sk, ipv4h, sizeof(*ipv4h),
 94					      tcph, sizeof(*tcph));
 95		break;
 96
 97	case ETH_P_IPV6:
 98		ipv6h = data + sizeof(struct ethhdr);
 99		if (ipv6h + 1 > data_end)
100			return;
101
102		if (ipv6h->nexthdr != IPPROTO_TCP)
103			return;
104
105		tcph = data + sizeof(struct ethhdr) + sizeof(struct ipv6hdr);
106		if (tcph + 1 > data_end)
107			return;
108
109		memcpy(tup.ipv6.saddr, &ipv6h->saddr, sizeof(tup.ipv6.saddr));
110		memcpy(tup.ipv6.daddr, &ipv6h->daddr, sizeof(tup.ipv6.daddr));
111		tup.ipv6.sport = tcph->source;
112		tup.ipv6.dport = tcph->dest;
113
114		sk = bpf_skc_lookup_tcp(ctx, &tup, sizeof(tup.ipv6),
115					BPF_F_CURRENT_NETNS, 0);
116		if (!sk)
117			return;
118
119		if (sk->state != BPF_TCP_LISTEN)
120			goto release;
121
122		seq_mss = gen_syncookie(data_end, sk, ipv6h, sizeof(*ipv6h),
123					tcph);
124
125		ret = bpf_tcp_check_syncookie(sk, ipv6h, sizeof(*ipv6h),
126					      tcph, sizeof(*tcph));
127		break;
128
129	default:
130		return;
131	}
132
133	if (seq_mss > 0) {
134		__u32 cookie = (__u32)seq_mss;
135		__u32 mss = seq_mss >> 32;
136
137		bpf_map_update_elem(&results, &key_gen, &cookie, 0);
138		bpf_map_update_elem(&results, &key_mss, &mss, 0);
139	}
140
141	if (ret == 0) {
142		__u32 cookie = bpf_ntohl(tcph->ack_seq) - 1;
143
144		bpf_map_update_elem(&results, &key, &cookie, 0);
145	}
146
147release:
148	bpf_sk_release(sk);
149}
150
151SEC("clsact/check_syncookie")
152int check_syncookie_clsact(struct __sk_buff *skb)
153{
154	check_syncookie(skb, (void *)(long)skb->data,
155			(void *)(long)skb->data_end);
156	return TC_ACT_OK;
157}
158
159SEC("xdp/check_syncookie")
160int check_syncookie_xdp(struct xdp_md *ctx)
161{
162	check_syncookie(ctx, (void *)(long)ctx->data,
163			(void *)(long)ctx->data_end);
164	return XDP_PASS;
165}
166
167char _license[] SEC("license") = "GPL";