/*
 *	IPv6 fragment reassembly
 *	Linux INET6 implementation
 *
 *	Authors:
 *	Pedro Roque		<roque@di.fc.ul.pt>
 *
 *	$Id: reassembly.c,v 1.26 2001/03/07 22:00:57 davem Exp $
 *
 *	Based on: net/ipv4/ip_fragment.c
 *
 *	This program is free software; you can redistribute it and/or
 *      modify it under the terms of the GNU General Public License
 *      as published by the Free Software Foundation; either version
 *      2 of the License, or (at your option) any later version.
 */

/*
 *	Fixes:
 *	Andi Kleen	Make it work with multiple hosts.
 *			More RFC compliance.
 *
 *      Horst von Brand Add missing #include <linux/string.h>
 *	Alexey Kuznetsov	SMP races, threading, cleanup.
 *	Patrick McHardy		LRU queue of frag heads for evictor.
 *	Mitsuru KANDA @USAGI	Register inet6_protocol{}.
 *	David Stevens and
 *	YOSHIFUJI,H. @USAGI	Always remove fragment header to
 *				calculate ICV correctly.
 */
#include <linux/errno.h>
#include <linux/types.h>
#include <linux/string.h>
#include <linux/socket.h>
#include <linux/sockios.h>
#include <linux/jiffies.h>
#include <linux/net.h>
#include <linux/list.h>
#include <linux/netdevice.h>
#include <linux/in6.h>
#include <linux/ipv6.h>
#include <linux/icmpv6.h>
#include <linux/random.h>
#include <linux/jhash.h>
#include <linux/skbuff.h>

#include <net/sock.h>
#include <net/snmp.h>

#include <net/ipv6.h>
#include <net/ip6_route.h>
#include <net/protocol.h>
#include <net/transp_v6.h>
#include <net/rawv6.h>
#include <net/ndisc.h>
#include <net/addrconf.h>
#include <net/inet_frag.h>

/*
 * Per-fragment reassembly state kept in the skb control buffer (skb->cb).
 * ip6_frag_queue() records the fragment's data offset here when it links
 * the skb into a queue.
 */
struct ip6frag_skb_cb {
	struct inet6_skb_parm	h;
	int			offset;	/* offset of this fragment's data in the datagram */
};

/*
 * View skb->cb as a struct ip6frag_skb_cb.
 * NOTE(review): nothing visible here checks that the structure fits in
 * skb->cb; confirm the size against the cb array before growing it.
 */
#define FRAG6_CB(skb)	((struct ip6frag_skb_cb *)((skb)->cb))


/*
 *	Equivalent of ipv4 struct ipq
 */

struct frag_queue {
	/* Generic queue state; container_of() is used to get back from it. */
	struct inet_frag_queue	q;

	/* Lookup key: (id, saddr, daddr), see ip6_frag_match(). */
	__be32			id;		/* fragment id		*/
	struct in6_addr		saddr;
	struct in6_addr		daddr;

	int			iif;		/* ifindex of the device the most
						 * recently queued fragment came in on
						 */
	unsigned int		csum;
	__u16			nhoffset;	/* nhoff taken from the offset-0 fragment */
};

/*
 * The IPv6 fragment table.  A single instance is shared by the whole file;
 * its callbacks are filled in by ipv6_frag_init().
 */
static struct inet_frags ip6_frags;

/* Report the nqueues counter of the IPv6 fragment table. */
int ip6_frag_nqueues(void)
{
	const int nqueues = ip6_frags.nqueues;

	return nqueues;
}

/*
 * Report ip6_frags.mem, the running total of skb->truesize charged to the
 * fragment table by this file.
 */
int ip6_frag_mem(void)
{
	const int mem = atomic_read(&ip6_frags.mem);

	return mem;
}

/* Defined further down; ip6_frag_queue() calls it once a queue is complete. */
static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev,
			  struct net_device *dev);

/*
 * callers should be careful not to use the hash value outside the ipfrag_lock
 * as doing so could race with ipfrag_hash_rnd being recalculated.
 */
static unsigned int ip6qhashfn(__be32 id, struct in6_addr *saddr,
			       struct in6_addr *daddr)
{
	/*
	 * Bucket index for the (id, saddr, daddr) key.  All nine 32-bit key
	 * words are fed through three __jhash_mix() rounds; ip6_frags.rnd is
	 * added in the first round, so the result depends on that value as
	 * well as on fields taken from the packet.
	 */
	const __be32 *src = saddr->s6_addr32;
	const __be32 *dst = daddr->s6_addr32;
	u32 a = (__force u32)src[0] + JHASH_GOLDEN_RATIO;
	u32 b = (__force u32)src[1] + JHASH_GOLDEN_RATIO;
	u32 c = (__force u32)src[2] + ip6_frags.rnd;

	__jhash_mix(a, b, c);

	a += (__force u32)src[3];
	b += (__force u32)dst[0];
	c += (__force u32)dst[1];
	__jhash_mix(a, b, c);

	a += (__force u32)dst[2];
	b += (__force u32)dst[3];
	c += (__force u32)id;
	__jhash_mix(a, b, c);

	/* The mask only works as a modulo if INETFRAGS_HASHSZ is a power of two. */
	return c & (INETFRAGS_HASHSZ - 1);
}

/*
 * hashfn callback of ip6_frags: hash an existing queue by the same key
 * fields that fq_find() hashes for an incoming fragment.
 */
static unsigned int ip6_hashfn(struct inet_frag_queue *q)
{
	struct frag_queue *fq = container_of(q, struct frag_queue, q);

	return ip6qhashfn(fq->id, &fq->saddr, &fq->daddr);
}

/*
 * match callback of ip6_frags.
 *
 * @q: candidate queue
 * @a: lookup key, a struct ip6_create_arg
 *
 * Returns 1 when the queue's fragment id, source and destination all equal
 * the key, 0 otherwise.
 */
int ip6_frag_match(struct inet_frag_queue *q, void *a)
{
	struct ip6_create_arg *arg = a;
	struct frag_queue *fq = container_of(q, struct frag_queue, q);

	if (fq->id != arg->id)
		return 0;
	if (!ipv6_addr_equal(&fq->saddr, arg->src))
		return 0;

	return ipv6_addr_equal(&fq->daddr, arg->dst) ? 1 : 0;
}
EXPORT_SYMBOL(ip6_frag_match);

/* Memory Tracking Functions. */
/*
 * Free a queued fragment and take its truesize back off ip6_frags.mem.
 *
 * @skb:  fragment to free
 * @work: optional counter; when non-NULL it is reduced by the same amount
 */
static inline void frag_kfree_skb(struct sk_buff *skb, int *work)
{
	if (work != NULL)
		*work -= skb->truesize;

	/* Uncharge before the skb goes away; truesize is read from it. */
	atomic_sub(skb->truesize, &ip6_frags.mem);
	kfree_skb(skb);
}

/*
 * constructor callback of ip6_frags: copy the lookup key into a new queue.
 *
 * @q: the inet_frag_queue embedded in the new struct frag_queue
 * @a: struct ip6_create_arg holding the id and the two address pointers
 */
void ip6_frag_init(struct inet_frag_queue *q, void *a)
{
	struct ip6_create_arg *arg = a;
	struct frag_queue *fq;

	fq = container_of(q, struct frag_queue, q);

	/* The addresses are copied by value; arg->src/dst are not kept. */
	fq->id = arg->id;
	ipv6_addr_copy(&fq->saddr, arg->src);
	ipv6_addr_copy(&fq->daddr, arg->dst);
}
EXPORT_SYMBOL(ip6_frag_init);

/* Destruction primitives. */

/* Hand the queue back to the generic code through inet_frag_put(). */
static __inline__ void fq_put(struct frag_queue *fq)
{
	struct inet_frag_queue *q = &fq->q;

	inet_frag_put(q, &ip6_frags);
}

/* Kill fq entry. It is not destroyed immediately,
 * because caller (and someone more) holds reference count.
 */
static __inline__ void fq_kill(struct frag_queue *fq)
{
	struct inet_frag_queue *q = &fq->q;

	/* Callers in this file hold fq->q.lock around this call. */
	inet_frag_kill(q, &ip6_frags);
}

/*
 * Run the generic evictor on the IPv6 fragment table and account what it
 * reports as reassembly failures on @idev.  ipv6_frag_rcv() calls this when
 * ip6_frags.mem is above the high_thresh sysctl.
 */
static void ip6_evictor(struct inet6_dev *idev)
{
	const int evicted = inet_frag_evictor(&ip6_frags);

	if (!evicted)
		return;

	IP6_ADD_STATS_BH(idev, IPSTATS_MIB_REASMFAILS, evicted);
}

/*
 * frag_expire callback of ip6_frags (installed by ipv6_frag_init()).
 *
 * @data: the queue's struct inet_frag_queue pointer, passed as an
 *        unsigned long
 *
 * Unless the queue is already COMPLETE it is killed, the timeout and
 * failure counters are bumped, and, if the offset-0 fragment is present,
 * an ICMPv6 "fragment reassembly time exceeded" error is sent for it.
 */
static void ip6_frag_expire(unsigned long data)
{
	struct inet_frag_queue *q = (struct inet_frag_queue *)data;
	struct frag_queue *fq = container_of(q, struct frag_queue, q);
	struct net_device *dev;

	spin_lock(&fq->q.lock);

	if (!(fq->q.last_in & COMPLETE)) {
		fq_kill(fq);

		/*
		 * Look the device up again by index instead of trusting a
		 * stored pointer: it may have gone away since the fragment
		 * was queued.
		 */
		dev = dev_get_by_index(&init_net, fq->iif);
		if (dev) {
			rcu_read_lock();
			IP6_INC_STATS_BH(__in6_dev_get(dev),
					 IPSTATS_MIB_REASMTIMEOUT);
			IP6_INC_STATS_BH(__in6_dev_get(dev),
					 IPSTATS_MIB_REASMFAILS);
			rcu_read_unlock();

			/* Don't send error if the first segment did not arrive. */
			if ((fq->q.last_in & FIRST_IN) && fq->q.fragments) {
				/*
				 * Use as source the device on which the LAST
				 * ARRIVED segment was received.
				 */
				fq->q.fragments->dev = dev;
				icmpv6_send(fq->q.fragments, ICMPV6_TIME_EXCEED,
					    ICMPV6_EXC_FRAGTIME, 0, dev);
			}

			dev_put(dev);
		}
	}

	spin_unlock(&fq->q.lock);
	fq_put(fq);
}

/*
 * Look up the reassembly queue for (id, src, dst) through inet_frag_find().
 *
 * Returns the queue, or NULL after counting a reassembly failure on @idev
 * when inet_frag_find() returns NULL.
 */
static __inline__ struct frag_queue *
fq_find(__be32 id, struct in6_addr *src, struct in6_addr *dst,
	struct inet6_dev *idev)
{
	struct ip6_create_arg arg = {
		.id	= id,
		.src	= src,
		.dst	= dst,
	};
	struct inet_frag_queue *q;
	unsigned int hash;

	/*
	 * NOTE(review): the hash is computed here with no lock taken in this
	 * function, while the comment on ip6qhashfn() warns against using it
	 * outside ipfrag_lock.  Confirm that inet_frag_find() copes with a
	 * hash computed before ip6_frags.rnd was recalculated.
	 */
	hash = ip6qhashfn(id, src, dst);

	q = inet_frag_find(&ip6_frags, &arg, hash);
	if (q != NULL)
		return container_of(q, struct frag_queue, q);

	IP6_INC_STATS_BH(idev, IPSTATS_MIB_REASMFAILS);
	return NULL;
}

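/*
 * Validate one received fragment and link it into fq's chain, which is kept
 * ordered by fragment offset.
 *
 * @fq:    reassembly queue; ipv6_frag_rcv() calls this with fq->q.lock held
 * @skb:   the fragment
 * @fhdr:  fragment header inside @skb
 * @nhoff: stored in fq->nhoffset when this is the offset-0 fragment
 *
 * Returns the result of ip6_frag_reasm() when this fragment completes the
 * datagram, and -1 in every other case (queued and still waiting, rejected
 * with a parameter problem, or dropped).
 *
 * Every offset and length used here is taken from the packet, so each one
 * is checked before it is used to pull or trim data.  Overlapping fragments
 * are not trimmed or merged: RFC 5722 section 4 requires the whole datagram
 * to be silently discarded, because with overlap resolution the reassembled
 * payload depends on arrival order, which a packet filter in the path
 * cannot predict.
 */
static int ip6_frag_queue(struct frag_queue *fq, struct sk_buff *skb,
			   struct frag_hdr *fhdr, int nhoff)
{
	struct sk_buff *prev, *next;
	struct net_device *dev;
	int offset, end;

	if (fq->q.last_in & COMPLETE)
		goto err;

	/* The low three bits of frag_off are flags, not part of the offset. */
	offset = ntohs(fhdr->frag_off) & ~0x7;
	end = offset + (ntohs(ipv6_hdr(skb)->payload_len) -
			((u8 *)(fhdr + 1) - (u8 *)(ipv6_hdr(skb) + 1)));

	/* The unsigned compare also rejects a negative end. */
	if ((unsigned int)end > IPV6_MAXPLEN) {
		IP6_INC_STATS_BH(ip6_dst_idev(skb->dst),
				 IPSTATS_MIB_INHDRERRORS);
		icmpv6_param_prob(skb, ICMPV6_HDR_FIELD,
				  ((u8 *)&fhdr->frag_off -
				   skb_network_header(skb)));
		/* skb is not freed here; presumably icmpv6_param_prob()
		 * consumes it - confirm.
		 */
		return -1;
	}

	if (skb->ip_summed == CHECKSUM_COMPLETE) {
		const unsigned char *nh = skb_network_header(skb);
		skb->csum = csum_sub(skb->csum,
				     csum_partial(nh, (u8 *)(fhdr + 1) - nh,
						  0));
	}

	/* Is this the final fragment? */
	if (!(fhdr->frag_off & htons(IP6_MF))) {
		/* If we already have some bits beyond end
		 * or have different end, the segment is corrupted.
		 */
		if (end < fq->q.len ||
		    ((fq->q.last_in & LAST_IN) && end != fq->q.len))
			goto err;
		fq->q.last_in |= LAST_IN;
		fq->q.len = end;
	} else {
		/* Check if the fragment is rounded to 8 bytes.
		 * Required by the RFC.
		 */
		if (end & 0x7) {
			/* RFC2460 says always send parameter problem in
			 * this case. -DaveM
			 */
			IP6_INC_STATS_BH(ip6_dst_idev(skb->dst),
					 IPSTATS_MIB_INHDRERRORS);
			icmpv6_param_prob(skb, ICMPV6_HDR_FIELD,
					  offsetof(struct ipv6hdr, payload_len));
			return -1;
		}
		if (end > fq->q.len) {
			/* Some bits beyond end -> corruption. */
			if (fq->q.last_in & LAST_IN)
				goto err;
			fq->q.len = end;
		}
	}

	/* A fragment that carries no data is never queued. */
	if (end == offset)
		goto err;

	/* Point into the IP datagram 'data' part. */
	if (!pskb_pull(skb, (u8 *) (fhdr + 1) - skb->data))
		goto err;

	if (pskb_trim_rcsum(skb, end - offset))
		goto err;

	/* Find out which fragments are in front and at the back of us
	 * in the chain of fragments so far.  We must know where to put
	 * this fragment, right?
	 */
	prev = NULL;
	for (next = fq->q.fragments; next != NULL; next = next->next) {
		if (FRAG6_CB(next)->offset >= offset)
			break;	/* bingo! */
		prev = next;
	}

	/* RFC 5722, section 4: if any fragment of a datagram overlaps
	 * another, the entire datagram (including fragments not yet
	 * received) must be silently discarded.  Kill the queue instead
	 * of trimming either side.
	 */
	if (prev) {
		int overlap = (FRAG6_CB(prev)->offset + prev->len) - offset;

		if (overlap > 0)
			goto discard_fq;
	}
	if (next && FRAG6_CB(next)->offset < end)
		goto discard_fq;

	FRAG6_CB(skb)->offset = offset;

	/* Insert this fragment in the chain of fragments. */
	skb->next = next;
	if (prev)
		prev->next = skb;
	else
		fq->q.fragments = skb;

	/* Keep only the ifindex; the device pointer is dropped so that a
	 * queued skb never refers to a device that may go away.
	 */
	dev = skb->dev;
	if (dev) {
		fq->iif = dev->ifindex;
		skb->dev = NULL;
	}
	fq->q.stamp = skb->tstamp;
	fq->q.meat += skb->len;
	atomic_add(skb->truesize, &ip6_frags.mem);

	/* The first fragment.
	 * nhoffset is obtained from the first fragment, of course.
	 */
	if (offset == 0) {
		fq->nhoffset = nhoff;
		fq->q.last_in |= FIRST_IN;
	}

	if (fq->q.last_in == (FIRST_IN | LAST_IN) && fq->q.meat == fq->q.len)
		return ip6_frag_reasm(fq, prev, dev);

	/* Still incomplete: mark the queue as most recently used. */
	write_lock(&ip6_frags.lock);
	list_move_tail(&fq->q.lru_list, &ip6_frags.lru_list);
	write_unlock(&ip6_frags.lock);
	return -1;

discard_fq:
	/* fq->q.lock is held by the caller, as for the other fq_kill() users. */
	fq_kill(fq);
err:
	IP6_INC_STATS(ip6_dst_idev(skb->dst), IPSTATS_MIB_REASMFAILS);
	kfree_skb(skb);
	return -1;
}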

/*
 *	Check if this packet is complete.
 *	Returns -1 on failure for any reason, and 1 once the datagram
 *	has been reassembled into the head skb.
 *
 *	It is called with locked fq, and caller must check that
 *	queue is eligible for reassembly i.e. it is not COMPLETE,
 *	the last and the first frames arrived and all the bits are here.
 */
static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev,
			  struct net_device *dev)
{
	struct sk_buff *head = fq->q.fragments;
	struct sk_buff *frag;
	unsigned int nhoff;
	int payload_len;

	/* The queue is finished whichever way this goes. */
	fq_kill(fq);

	/*
	 * Make the one we just received the head.  @prev is the fragment
	 * in front of it, so a non-NULL @prev means it is not first in the
	 * chain: a clone takes its place and its skb is morphed into the
	 * old first fragment.  The statement order below matters.
	 */
	if (prev) {
		head = prev->next;
		frag = skb_clone(head, GFP_ATOMIC);
		if (frag == NULL)
			goto out_oom;

		frag->next = head->next;
		prev->next = frag;

		skb_morph(head, fq->q.fragments);
		head->next = fq->q.fragments->next;

		kfree_skb(fq->q.fragments);
		fq->q.fragments = head;
	}

	/*
	 * NOTE(review): head is dereferenced right after these checks.  If
	 * BUG_TRAP() only logs, a violated assumption is not stopped here -
	 * confirm.
	 */
	BUG_TRAP(head != NULL);
	BUG_TRAP(FRAG6_CB(head)->offset == 0);

	/* Unfragmented part is taken from the first segment. */
	payload_len = ((head->data - skb_network_header(head)) -
		       sizeof(struct ipv6hdr) + fq->q.len -
		       sizeof(struct frag_hdr));
	if (payload_len > IPV6_MAXPLEN)
		goto out_oversize;

	/* Head of list must not be cloned. */
	if (skb_cloned(head) && pskb_expand_head(head, 0, 0, GFP_ATOMIC))
		goto out_oom;

	/*
	 * If the first fragment is fragmented itself, we split
	 * it to two chunks: the first with data and paged part
	 * and the second, holding only fragments.
	 */
	if (skb_shinfo(head)->frag_list) {
		struct sk_buff *clone = alloc_skb(0, GFP_ATOMIC);
		int i, plen = 0;

		if (clone == NULL)
			goto out_oom;

		clone->next = head->next;
		head->next = clone;
		skb_shinfo(clone)->frag_list = skb_shinfo(head)->frag_list;
		skb_shinfo(head)->frag_list = NULL;

		for (i = 0; i < skb_shinfo(head)->nr_frags; i++)
			plen += skb_shinfo(head)->frags[i].size;

		clone->data_len = head->data_len - plen;
		clone->len = clone->data_len;
		head->data_len -= clone->len;
		head->len -= clone->len;
		clone->csum = 0;
		clone->ip_summed = head->ip_summed;
		atomic_add(clone->truesize, &ip6_frags.mem);
	}

	/*
	 * We have to remove fragment header from datagram and to relocate
	 * header in order to calculate ICV correctly.
	 *
	 * NOTE(review): nhoff is the value ip6_frag_queue() stored from the
	 * offset-0 fragment; no bounds check against the header length is
	 * visible in this function before it is used as an index.
	 */
	nhoff = fq->nhoffset;
	skb_network_header(head)[nhoff] = skb_transport_header(head)[0];
	memmove(head->head + sizeof(struct frag_hdr), head->head,
		(head->data - head->head) - sizeof(struct frag_hdr));
	head->mac_header += sizeof(struct frag_hdr);
	head->network_header += sizeof(struct frag_hdr);

	skb_shinfo(head)->frag_list = head->next;
	skb_reset_transport_header(head);
	skb_push(head, head->data - skb_network_header(head));
	atomic_sub(head->truesize, &ip6_frags.mem);

	/* Fold every remaining fragment's length, checksum state and
	 * truesize into the head, uncharging each one from the table.
	 */
	frag = head->next;
	while (frag) {
		head->data_len += frag->len;
		head->len += frag->len;
		if (head->ip_summed != frag->ip_summed)
			head->ip_summed = CHECKSUM_NONE;
		else if (head->ip_summed == CHECKSUM_COMPLETE)
			head->csum = csum_add(head->csum, frag->csum);
		head->truesize += frag->truesize;
		atomic_sub(frag->truesize, &ip6_frags.mem);
		frag = frag->next;
	}

	head->next = NULL;
	head->dev = dev;
	head->tstamp = fq->q.stamp;
	ipv6_hdr(head)->payload_len = htons(payload_len);
	IP6CB(head)->nhoff = nhoff;

	/* Yes, and fold redundant checksum back. 8) */
	if (head->ip_summed == CHECKSUM_COMPLETE)
		head->csum = csum_partial(skb_network_header(head),
					  skb_network_header_len(head),
					  head->csum);

	rcu_read_lock();
	IP6_INC_STATS_BH(__in6_dev_get(dev), IPSTATS_MIB_REASMOKS);
	rcu_read_unlock();

	/* The fragments now belong to head; detach them from the queue. */
	fq->q.fragments = NULL;
	return 1;

out_oversize:
	if (net_ratelimit())
		printk(KERN_DEBUG "ip6_frag_reasm: payload len = %d\n", payload_len);
	goto out_fail;
out_oom:
	if (net_ratelimit())
		printk(KERN_DEBUG "ip6_frag_reasm: no memory for reassembly\n");
out_fail:
	rcu_read_lock();
	IP6_INC_STATS_BH(__in6_dev_get(dev), IPSTATS_MIB_REASMFAILS);
	rcu_read_unlock();
	return -1;
}

/*
 * Handler for the Fragment extension header (frag_protocol.handler).
 *
 * Returns 1 when @skb can continue up the stack - either it was not really
 * fragmented or ip6_frag_queue() reported a finished reassembly - and -1
 * when it was queued, rejected or dropped.
 */
static int ipv6_frag_rcv(struct sk_buff *skb)
{
	struct ipv6hdr *hdr = ipv6_hdr(skb);
	struct frag_hdr *fhdr;
	struct frag_queue *fq;
	int ret;

	IP6_INC_STATS_BH(ip6_dst_idev(skb->dst), IPSTATS_MIB_REASMREQDS);

	/*
	 * Jumbo payload inhibits frag. header; and the whole fragment
	 * header must be present before any of its fields is read.
	 */
	if (hdr->payload_len == 0 ||
	    !pskb_may_pull(skb, (skb_transport_offset(skb) +
				 sizeof(struct frag_hdr)))) {
		IP6_INC_STATS(ip6_dst_idev(skb->dst), IPSTATS_MIB_INHDRERRORS);
		icmpv6_param_prob(skb, ICMPV6_HDR_FIELD,
				  skb_network_header_len(skb));
		return -1;
	}

	/* Reload: the header pointer is fetched again after the pull. */
	hdr = ipv6_hdr(skb);
	fhdr = (struct frag_hdr *)skb_transport_header(skb);

	if (!(fhdr->frag_off & htons(0xFFF9))) {
		/* It is not a fragmented frame */
		skb->transport_header += sizeof(struct frag_hdr);
		IP6_INC_STATS_BH(ip6_dst_idev(skb->dst), IPSTATS_MIB_REASMOKS);

		IP6CB(skb)->nhoff = (u8 *)fhdr - skb_network_header(skb);
		return 1;
	}

	/* Bound the memory held by incomplete datagrams before adding more. */
	if (atomic_read(&ip6_frags.mem) > init_net.ipv6.sysctl.frags.high_thresh)
		ip6_evictor(ip6_dst_idev(skb->dst));

	fq = fq_find(fhdr->identification, &hdr->saddr, &hdr->daddr,
		     ip6_dst_idev(skb->dst));
	if (fq == NULL) {
		IP6_INC_STATS_BH(ip6_dst_idev(skb->dst), IPSTATS_MIB_REASMFAILS);
		kfree_skb(skb);
		return -1;
	}

	spin_lock(&fq->q.lock);
	ret = ip6_frag_queue(fq, skb, fhdr, IP6CB(skb)->nhoff);
	spin_unlock(&fq->q.lock);

	fq_put(fq);
	return ret;
}

/*
 * Protocol entry registered for IPPROTO_FRAGMENT by ipv6_frag_init().
 * NOTE(review): INET6_PROTO_NOPOLICY presumably lets fragments reach the
 * handler without a per-fragment policy check - confirm where policy is
 * applied to the reassembled datagram.
 */
static struct inet6_protocol frag_protocol = {
	.handler = ipv6_frag_rcv,
	.flags   = INET6_PROTO_NOPOLICY,
};

#ifdef CONFIG_SYSCTL
/*
 * sysctl knobs for IPv6 reassembly.
 *
 * Every .data pointer refers to init_net, whichever struct net the table is
 * registered for.
 *
 * NOTE(review): the two thresholds go through proc_dointvec, which applies
 * no range limits, and ipv6_frag_rcv() compares high_thresh directly with
 * the memory counter.  Consider proc_dointvec_minmax with sane bounds so a
 * mistyped value cannot disable or permanently trigger eviction.
 */
static struct ctl_table ip6_frags_ctl_table[] = {
	{
		.ctl_name	= NET_IPV6_IP6FRAG_HIGH_THRESH,
		.procname	= "ip6frag_high_thresh",
		.data		= &init_net.ipv6.sysctl.frags.high_thresh,
		.maxlen		= sizeof(int),
		.mode		= 0644,
		.proc_handler	= proc_dointvec,
	},
	{
		.ctl_name	= NET_IPV6_IP6FRAG_LOW_THRESH,
		.procname	= "ip6frag_low_thresh",
		.data		= &init_net.ipv6.sysctl.frags.low_thresh,
		.maxlen		= sizeof(int),
		.mode		= 0644,
		.proc_handler	= proc_dointvec,
	},
	{
		.ctl_name	= NET_IPV6_IP6FRAG_TIME,
		.procname	= "ip6frag_time",
		.data		= &init_net.ipv6.sysctl.frags.timeout,
		.maxlen		= sizeof(int),
		.mode		= 0644,
		.proc_handler	= proc_dointvec_jiffies,
		.strategy	= sysctl_jiffies,
	},
	{
		.ctl_name	= NET_IPV6_IP6FRAG_SECRET_INTERVAL,
		.procname	= "ip6frag_secret_interval",
		.data		= &init_net.ipv6.sysctl.frags.secret_interval,
		.maxlen		= sizeof(int),
		.mode		= 0644,
		.proc_handler	= proc_dointvec_jiffies,
		.strategy	= sysctl_jiffies,
	},
	{ }	/* terminator */
};

/*
 * Register ip6_frags_ctl_table under net_ipv6_ctl_path for @net.
 *
 * Returns 0 on success, -ENOMEM when registration returns NULL.  The table
 * header is not kept, so nothing in this file can unregister it later.
 */
static int ip6_frags_sysctl_register(struct net *net)
{
	struct ctl_table_header *hdr;

	hdr = register_net_sysctl_table(net, net_ipv6_ctl_path,
					ip6_frags_ctl_table);
	if (hdr == NULL)
		return -ENOMEM;

	return 0;
}
#else
/* Without CONFIG_SYSCTL there is nothing to register; always succeeds. */
static inline int ip6_frags_sysctl_register(struct net *net)
{
	return 0;
}
#endif

/*
 * Set the reassembly defaults for @net and register the sysctl table.
 *
 * Returns whatever ip6_frags_sysctl_register() returns.
 *
 * ip6_frags.ctl is one pointer shared by the whole fragment table, so it
 * ends up referring to the settings of the net passed in last.
 */
static int ipv6_frags_init_net(struct net *net)
{
	/* Defaults: 256 KiB / 192 KiB thresholds, 10 minute secret interval. */
	net->ipv6.sysctl.frags.secret_interval = 10 * 60 * HZ;
	net->ipv6.sysctl.frags.timeout = IPV6_FRAG_TIMEOUT;
	net->ipv6.sysctl.frags.low_thresh = 192 * 1024;
	net->ipv6.sysctl.frags.high_thresh = 256 * 1024;

	ip6_frags.ctl = &net->ipv6.sysctl.frags;

	return ip6_frags_sysctl_register(net);
}

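/*
 * Register the Fragment header handler and set up the fragment table.
 *
 * Returns 0 on success or the error from inet6_add_protocol() or
 * ipv6_frags_init_net().  A failure of the latter used to be ignored; it
 * is now reported, and the protocol registration is undone first.
 *
 * NOTE(review): the handler is registered before ip6_frags has its
 * callbacks set and before inet_frags_init() runs.  Confirm that no
 * fragment can reach ipv6_frag_rcv() in that window, or register the
 * protocol last.
 */
int __init ipv6_frag_init(void)
{
	int ret;

	ret = inet6_add_protocol(&frag_protocol, IPPROTO_FRAGMENT);
	if (ret)
		goto out;

	/* Sets ip6_frags.ctl and the defaults, so it runs before
	 * inet_frags_init().
	 */
	ret = ipv6_frags_init_net(&init_net);
	if (ret)
		goto err_protocol;

	ip6_frags.hashfn = ip6_hashfn;
	ip6_frags.constructor = ip6_frag_init;
	ip6_frags.destructor = NULL;
	ip6_frags.skb_free = NULL;
	ip6_frags.qsize = sizeof(struct frag_queue);
	ip6_frags.match = ip6_frag_match;
	ip6_frags.frag_expire = ip6_frag_expire;
	inet_frags_init(&ip6_frags);
out:
	return ret;

err_protocol:
	inet6_del_protocol(&frag_protocol, IPPROTO_FRAGMENT);
	goto out;
}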

/*
 * Tear down IPv6 reassembly: finalise the fragment table, then remove the
 * Fragment header handler.
 *
 * NOTE(review): the table is finalised while the handler is still
 * registered; confirm no fragment can be delivered between the two calls.
 */
void ipv6_frag_exit(void)
{
	struct inet_frags *frags = &ip6_frags;

	inet_frags_fini(frags);
	inet6_del_protocol(&frag_protocol, IPPROTO_FRAGMENT);
}