Blame - bpf_progs/offload.c - android_packages_modules_Connectivity

blob: 4f152bf6c3d4c30cfbc5c4ebf92ae10a64487919 [file] [log] [blame]

Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	1	/*
				2	* Copyright (C) 2020 The Android Open Source Project
				3	*
				4	* Licensed under the Apache License, Version 2.0 (the "License");
				5	* you may not use this file except in compliance with the License.
				6	* You may obtain a copy of the License at
				7	*
				8	* http://www.apache.org/licenses/LICENSE-2.0
				9	*
				10	* Unless required by applicable law or agreed to in writing, software
				11	* distributed under the License is distributed on an "AS IS" BASIS,
				12	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				13	* See the License for the specific language governing permissions and
				14	* limitations under the License.
				15	*/
				16
				17	#include <linux/if.h>
				18	#include <linux/ip.h>
				19	#include <linux/ipv6.h>
				20	#include <linux/pkt_cls.h>
				21	#include <linux/tcp.h>
				22
Maciej Żenczykowski	c2b0146	2021-01-24 21:01:29 -0800	[diff] [blame]	23	// bionic kernel uapi linux/udp.h header is munged...
				24	#define __kernel_udphdr udphdr
				25	#include <linux/udp.h>
				26
Maciej Żenczykowski	561fb4a	2023-10-24 18:48:54 -0700	[diff] [blame]	27	#ifdef MAINLINE
Maciej Żenczykowski	07d3013	2022-04-23 12:33:32 -0700	[diff] [blame]	28	// BTF is incompatible with bpfloaders < v0.10, hence for S (v0.2) we must
				29	// ship a different file than for later versions, but we need bpfloader v0.25+
				30	// for obj@ver.o support
Maciej Żenczykowski	4e4f872	2024-06-15 06:38:08 -0700	[diff] [blame^]	31	#define BPFLOADER_MIN_VER BPFLOADER_MAINLINE_T_VERSION
Maciej Żenczykowski	561fb4a	2023-10-24 18:48:54 -0700	[diff] [blame]	32	#else /* MAINLINE */
Maciej Żenczykowski	4e4f872	2024-06-15 06:38:08 -0700	[diff] [blame^]	33	// The resulting .o needs to load on the Android S bpfloader
Maciej Żenczykowski	f769952	2022-05-24 15:56:03 -0700	[diff] [blame]	34	#define BPFLOADER_MIN_VER BPFLOADER_S_VERSION
Maciej Żenczykowski	4e4f872	2024-06-15 06:38:08 -0700	[diff] [blame^]	35	#define BPFLOADER_MAX_VER BPFLOADER_T_VERSION
Maciej Żenczykowski	561fb4a	2023-10-24 18:48:54 -0700	[diff] [blame]	36	#endif /* MAINLINE */
Maciej Żenczykowski	a457bf7	2021-10-22 21:41:25 -0700	[diff] [blame]	37
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	38	// Warning: values other than AID_ROOT don't work for map uid on BpfLoader < v0.21
				39	#define TETHERING_UID AID_ROOT
				40
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	41	#define TETHERING_GID AID_NETWORK_STACK
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	42
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	43	#include "bpf_helpers.h"
				44	#include "bpf_net_helpers.h"
Maciej Żenczykowski	4e3321e	2022-12-08 12:59:23 +0000	[diff] [blame]	45	#include "offload.h"
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	46
Maciej Żenczykowski	c2b0146	2021-01-24 21:01:29 -0800	[diff] [blame]	47	// From kernel:include/net/ip.h
				48	#define IP_DF 0x4000 // Flag: "Don't Fragment"
				49
Maciej Żenczykowski	ec5f67d	2021-01-25 02:32:01 -0800	[diff] [blame]	50	// ----- Helper functions for offsets to fields -----
				51
				52	// They all assume simple IP packets:
				53	// - no VLAN ethernet tags
				54	// - no IPv4 options (see IPV4_HLEN/TCP4_OFFSET/UDP4_OFFSET)
				55	// - no IPv6 extension headers
				56	// - no TCP options (see TCP_HLEN)
				57
				58	//#define ETH_HLEN sizeof(struct ethhdr)
				59	#define IP4_HLEN sizeof(struct iphdr)
				60	#define IP6_HLEN sizeof(struct ipv6hdr)
				61	#define TCP_HLEN sizeof(struct tcphdr)
				62	#define UDP_HLEN sizeof(struct udphdr)
				63
				64	// Offsets from beginning of L4 (TCP/UDP) header
				65	#define TCP_OFFSET(field) offsetof(struct tcphdr, field)
				66	#define UDP_OFFSET(field) offsetof(struct udphdr, field)
				67
				68	// Offsets from beginning of L3 (IPv4) header
				69	#define IP4_OFFSET(field) offsetof(struct iphdr, field)
				70	#define IP4_TCP_OFFSET(field) (IP4_HLEN + TCP_OFFSET(field))
				71	#define IP4_UDP_OFFSET(field) (IP4_HLEN + UDP_OFFSET(field))
				72
				73	// Offsets from beginning of L3 (IPv6) header
				74	#define IP6_OFFSET(field) offsetof(struct ipv6hdr, field)
				75	#define IP6_TCP_OFFSET(field) (IP6_HLEN + TCP_OFFSET(field))
				76	#define IP6_UDP_OFFSET(field) (IP6_HLEN + UDP_OFFSET(field))
				77
				78	// Offsets from beginning of L2 (ie. Ethernet) header (which must be present)
				79	#define ETH_IP4_OFFSET(field) (ETH_HLEN + IP4_OFFSET(field))
				80	#define ETH_IP4_TCP_OFFSET(field) (ETH_HLEN + IP4_TCP_OFFSET(field))
				81	#define ETH_IP4_UDP_OFFSET(field) (ETH_HLEN + IP4_UDP_OFFSET(field))
				82	#define ETH_IP6_OFFSET(field) (ETH_HLEN + IP6_OFFSET(field))
				83	#define ETH_IP6_TCP_OFFSET(field) (ETH_HLEN + IP6_TCP_OFFSET(field))
				84	#define ETH_IP6_UDP_OFFSET(field) (ETH_HLEN + IP6_UDP_OFFSET(field))
				85
Maciej Żenczykowski	e982f09	2021-02-04 20:26:26 -0800	[diff] [blame]	86	// ----- Tethering Error Counters -----
				87
Maciej Żenczykowski	be25f96	2022-10-20 00:13:15 +0000	[diff] [blame]	88	// Note that pre-T devices with Mediatek chipsets may have a kernel bug (bad patch
				89	// "[ALPS05162612] bpf: fix ubsan error") making it impossible to write to non-zero
Maciej Żenczykowski	f932a8d	2022-12-03 10:30:24 +0000	[diff] [blame]	90	// offset of bpf map ARRAYs. This file (offload.o) loads on S+, but luckily this
Maciej Żenczykowski	be25f96	2022-10-20 00:13:15 +0000	[diff] [blame]	91	// array is only written by bpf code, and only read by userspace.
				92	DEFINE_BPF_MAP_RO(tether_error_map, ARRAY, uint32_t, uint32_t, BPF_TETHER_ERR__MAX, TETHERING_GID)
Maciej Żenczykowski	e982f09	2021-02-04 20:26:26 -0800	[diff] [blame]	93
Maciej Żenczykowski	3f32a83	2021-03-17 19:27:23 -0700	[diff] [blame]	94	#define COUNT_AND_RETURN(counter, ret) do { \
Maciej Żenczykowski	e982f09	2021-02-04 20:26:26 -0800	[diff] [blame]	95	uint32_t code = BPF_TETHER_ERR_ ## counter; \
				96	uint32_t *count = bpf_tether_error_map_lookup_elem(&code); \
Maciej Żenczykowski	3f32a83	2021-03-17 19:27:23 -0700	[diff] [blame]	97	if (count) __sync_fetch_and_add(count, 1); \
				98	return ret; \
Maciej Żenczykowski	e982f09	2021-02-04 20:26:26 -0800	[diff] [blame]	99	} while(0)
				100
				101	#define TC_DROP(counter) COUNT_AND_RETURN(counter, TC_ACT_SHOT)
Maciej Żenczykowski	6e66a36	2021-08-24 15:43:15 -0700	[diff] [blame]	102	#define TC_PUNT(counter) COUNT_AND_RETURN(counter, TC_ACT_PIPE)
Maciej Żenczykowski	e982f09	2021-02-04 20:26:26 -0800	[diff] [blame]	103
				104	#define XDP_DROP(counter) COUNT_AND_RETURN(counter, XDP_DROP)
				105	#define XDP_PUNT(counter) COUNT_AND_RETURN(counter, XDP_PASS)
				106
				107	// ----- Tethering Data Stats and Limits -----
Maciej Żenczykowski	ec5f67d	2021-01-25 02:32:01 -0800	[diff] [blame]	108
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	109	// Tethering stats, indexed by upstream interface.
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	110	DEFINE_BPF_MAP_GRW(tether_stats_map, HASH, TetherStatsKey, TetherStatsValue, 16, TETHERING_GID)
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	111
				112	// Tethering data limit, indexed by upstream interface.
				113	// (tethering allowed when stats[iif].rxBytes + stats[iif].txBytes < limit[iif])
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	114	DEFINE_BPF_MAP_GRW(tether_limit_map, HASH, TetherLimitKey, TetherLimitValue, 16, TETHERING_GID)
Maciej Żenczykowski	088fe19	2021-01-20 13:34:17 -0800	[diff] [blame]	115
				116	// ----- IPv6 Support -----
				117
Maciej Żenczykowski	7dfbcf5	2021-01-26 16:08:57 -0800	[diff] [blame]	118	DEFINE_BPF_MAP_GRW(tether_downstream6_map, HASH, TetherDownstream6Key, Tether6Value, 64,
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	119	TETHERING_GID)
Maciej Żenczykowski	088fe19	2021-01-20 13:34:17 -0800	[diff] [blame]	120
				121	DEFINE_BPF_MAP_GRW(tether_downstream64_map, HASH, TetherDownstream64Key, TetherDownstream64Value,
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	122	1024, TETHERING_GID)
Maciej Żenczykowski	088fe19	2021-01-20 13:34:17 -0800	[diff] [blame]	123
Maciej Żenczykowski	7dfbcf5	2021-01-26 16:08:57 -0800	[diff] [blame]	124	DEFINE_BPF_MAP_GRW(tether_upstream6_map, HASH, TetherUpstream6Key, Tether6Value, 64,
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	125	TETHERING_GID)
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	126
Maciej Żenczykowski	8d3bde7	2023-10-08 18:43:23 -0700	[diff] [blame]	127	static inline __always_inline int do_forward6(struct __sk_buff* skb,
				128	const struct rawip_bool rawip,
Maciej Żenczykowski	e1a615a	2023-10-10 03:34:56 -0700	[diff] [blame]	129	const struct stream_bool stream,
Maciej Żenczykowski	8d3bde7	2023-10-08 18:43:23 -0700	[diff] [blame]	130	const struct kver_uint kver) {
				131	const bool is_ethernet = !rawip.rawip;
				132
Maciej Żenczykowski	8e69ec1	2021-03-07 07:06:13 -0800	[diff] [blame]	133	// Must be meta-ethernet IPv6 frame
Maciej Żenczykowski	6e66a36	2021-08-24 15:43:15 -0700	[diff] [blame]	134	if (skb->protocol != htons(ETH_P_IPV6)) return TC_ACT_PIPE;
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	135
Maciej Żenczykowski	18552e8	2021-01-24 19:59:05 -0800	[diff] [blame]	136	// Require ethernet dst mac address to be our unicast address.
Maciej Żenczykowski	6e66a36	2021-08-24 15:43:15 -0700	[diff] [blame]	137	if (is_ethernet && (skb->pkt_type != PACKET_HOST)) return TC_ACT_PIPE;
Maciej Żenczykowski	18552e8	2021-01-24 19:59:05 -0800	[diff] [blame]	138
Maciej Żenczykowski	8e69ec1	2021-03-07 07:06:13 -0800	[diff] [blame]	139	const int l2_header_size = is_ethernet ? sizeof(struct ethhdr) : 0;
				140
				141	// Since the program never writes via DPA (direct packet access) auto-pull/unclone logic does
				142	// not trigger and thus we need to manually make sure we can read packet headers via DPA.
				143	// Note: this is a blind best effort pull, which may fail or pull less - this doesn't matter.
				144	// It has to be done early cause it will invalidate any skb->data/data_end derived pointers.
Maciej Żenczykowski	824fb29	2022-04-11 23:29:46 -0700	[diff] [blame]	145	try_make_writable(skb, l2_header_size + IP6_HLEN + TCP_HLEN);
Maciej Żenczykowski	8e69ec1	2021-03-07 07:06:13 -0800	[diff] [blame]	146
				147	void* data = (void*)(long)skb->data;
				148	const void* data_end = (void*)(long)skb->data_end;
				149	struct ethhdr* eth = is_ethernet ? data : NULL; // used iff is_ethernet
				150	struct ipv6hdr* ip6 = is_ethernet ? (void*)(eth + 1) : data;
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	151
				152	// Must have (ethernet and) ipv6 header
Maciej Żenczykowski	6e66a36	2021-08-24 15:43:15 -0700	[diff] [blame]	153	if (data + l2_header_size + sizeof(*ip6) > data_end) return TC_ACT_PIPE;
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	154
				155	// Ethertype - if present - must be IPv6
Maciej Żenczykowski	6e66a36	2021-08-24 15:43:15 -0700	[diff] [blame]	156	if (is_ethernet && (eth->h_proto != htons(ETH_P_IPV6))) return TC_ACT_PIPE;
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	157
				158	// IP version must be 6
Maciej Żenczykowski	b82bf65	2022-08-10 19:28:16 +0000	[diff] [blame]	159	if (ip6->version != 6) TC_PUNT(INVALID_IPV6_VERSION);
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	160
				161	// Cannot decrement during forward if already zero or would be zero,
				162	// Let the kernel's stack handle these cases and generate appropriate ICMP errors.
Maciej Żenczykowski	e982f09	2021-02-04 20:26:26 -0800	[diff] [blame]	163	if (ip6->hop_limit <= 1) TC_PUNT(LOW_TTL);
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	164
Maciej Żenczykowski	fc4f654	2021-01-22 22:19:45 -0800	[diff] [blame]	165	// If hardware offload is running and programming flows based on conntrack entries,
				166	// try not to interfere with it.
				167	if (ip6->nexthdr == IPPROTO_TCP) {
				168	struct tcphdr* tcph = (void*)(ip6 + 1);
				169
				170	// Make sure we can get at the tcp header
Lorenzo Colitti	b81584d	2021-02-06 00:00:58 +0900	[diff] [blame]	171	if (data + l2_header_size + sizeof(ip6) + sizeof(tcph) > data_end)
Maciej Żenczykowski	e982f09	2021-02-04 20:26:26 -0800	[diff] [blame]	172	TC_PUNT(INVALID_TCP_HEADER);
Maciej Żenczykowski	fc4f654	2021-01-22 22:19:45 -0800	[diff] [blame]	173
				174	// Do not offload TCP packets with any one of the SYN/FIN/RST flags
Maciej Żenczykowski	0dd2bb3	2022-08-10 19:33:06 +0000	[diff] [blame]	175	if (tcph->syn \|\| tcph->fin \|\| tcph->rst) TC_PUNT(TCPV6_CONTROL_PACKET);
Maciej Żenczykowski	fc4f654	2021-01-22 22:19:45 -0800	[diff] [blame]	176	}
				177
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	178	// Protect against forwarding packets sourced from ::1 or fe80::/64 or other weirdness.
				179	__be32 src32 = ip6->saddr.s6_addr32[0];
				180	if (src32 != htonl(0x0064ff9b) && // 64:ff9b:/32 incl. XLAT464 WKP
				181	(src32 & htonl(0xe0000000)) != htonl(0x20000000)) // 2000::/3 Global Unicast
Maciej Żenczykowski	e982f09	2021-02-04 20:26:26 -0800	[diff] [blame]	182	TC_PUNT(NON_GLOBAL_SRC);
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	183
Maciej Żenczykowski	bca0c85	2021-01-19 01:22:17 -0800	[diff] [blame]	184	// Protect against forwarding packets destined to ::1 or fe80::/64 or other weirdness.
				185	__be32 dst32 = ip6->daddr.s6_addr32[0];
				186	if (dst32 != htonl(0x0064ff9b) && // 64:ff9b:/32 incl. XLAT464 WKP
				187	(dst32 & htonl(0xe0000000)) != htonl(0x20000000)) // 2000::/3 Global Unicast
Maciej Żenczykowski	e982f09	2021-02-04 20:26:26 -0800	[diff] [blame]	188	TC_PUNT(NON_GLOBAL_DST);
Maciej Żenczykowski	bca0c85	2021-01-19 01:22:17 -0800	[diff] [blame]	189
				190	// In the upstream direction do not forward traffic within the same /64 subnet.
Maciej Żenczykowski	e1a615a	2023-10-10 03:34:56 -0700	[diff] [blame]	191	if (!stream.down && (src32 == dst32) && (ip6->saddr.s6_addr32[1] == ip6->daddr.s6_addr32[1]))
Maciej Żenczykowski	e982f09	2021-02-04 20:26:26 -0800	[diff] [blame]	192	TC_PUNT(LOCAL_SRC_DST);
Maciej Żenczykowski	bca0c85	2021-01-19 01:22:17 -0800	[diff] [blame]	193
				194	TetherDownstream6Key kd = {
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	195	.iif = skb->ifindex,
				196	.neigh6 = ip6->daddr,
				197	};
				198
Maciej Żenczykowski	bca0c85	2021-01-19 01:22:17 -0800	[diff] [blame]	199	TetherUpstream6Key ku = {
				200	.iif = skb->ifindex,
KH Shi	3f738fc	2023-05-23 22:37:17 +0800	[diff] [blame]	201	// Retrieve the first 64 bits of the source IPv6 address in network order
				202	.src64 = (uint64_t)&(ip6->saddr.s6_addr32[0]),
Maciej Żenczykowski	bca0c85	2021-01-19 01:22:17 -0800	[diff] [blame]	203	};
Maciej Żenczykowski	e1a615a	2023-10-10 03:34:56 -0700	[diff] [blame]	204	if (is_ethernet) __builtin_memcpy(stream.down ? kd.dstMac : ku.dstMac, eth->h_dest, ETH_ALEN);
Maciej Żenczykowski	bca0c85	2021-01-19 01:22:17 -0800	[diff] [blame]	205
Maciej Żenczykowski	e1a615a	2023-10-10 03:34:56 -0700	[diff] [blame]	206	Tether6Value* v = stream.down ? bpf_tether_downstream6_map_lookup_elem(&kd)
				207	: bpf_tether_upstream6_map_lookup_elem(&ku);
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	208
				209	// If we don't find any offload information then simply let the core stack handle it...
Maciej Żenczykowski	6e66a36	2021-08-24 15:43:15 -0700	[diff] [blame]	210	if (!v) return TC_ACT_PIPE;
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	211
Maciej Żenczykowski	e1a615a	2023-10-10 03:34:56 -0700	[diff] [blame]	212	uint32_t stat_and_limit_k = stream.down ? skb->ifindex : v->oif;
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	213
				214	TetherStatsValue* stat_v = bpf_tether_stats_map_lookup_elem(&stat_and_limit_k);
				215
				216	// If we don't have anywhere to put stats, then abort...
Maciej Żenczykowski	e982f09	2021-02-04 20:26:26 -0800	[diff] [blame]	217	if (!stat_v) TC_PUNT(NO_STATS_ENTRY);
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	218
				219	uint64_t* limit_v = bpf_tether_limit_map_lookup_elem(&stat_and_limit_k);
				220
				221	// If we don't have a limit, then abort...
Maciej Żenczykowski	e982f09	2021-02-04 20:26:26 -0800	[diff] [blame]	222	if (!limit_v) TC_PUNT(NO_LIMIT_ENTRY);
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	223
				224	// Required IPv6 minimum mtu is 1280, below that not clear what we should do, abort...
Maciej Żenczykowski	e982f09	2021-02-04 20:26:26 -0800	[diff] [blame]	225	if (v->pmtu < IPV6_MIN_MTU) TC_PUNT(BELOW_IPV6_MTU);
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	226
				227	// Approximate handling of TCP/IPv6 overhead for incoming LRO/GRO packets: default
				228	// outbound path mtu of 1500 is not necessarily correct, but worst case we simply
				229	// undercount, which is still better then not accounting for this overhead at all.
				230	// Note: this really shouldn't be device/path mtu at all, but rather should be
				231	// derived from this particular connection's mss (ie. from gro segment size).
				232	// This would require a much newer kernel with newer ebpf accessors.
				233	// (This is also blindly assuming 12 bytes of tcp timestamp option in tcp header)
				234	uint64_t packets = 1;
Maciej Żenczykowski	bab0c1a	2022-12-29 11:18:35 +0000	[diff] [blame]	235	uint64_t L3_bytes = skb->len - l2_header_size;
				236	if (L3_bytes > v->pmtu) {
				237	const int tcp6_overhead = sizeof(struct ipv6hdr) + sizeof(struct tcphdr) + 12;
				238	const int mss = v->pmtu - tcp6_overhead;
				239	const uint64_t payload = L3_bytes - tcp6_overhead;
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	240	packets = (payload + mss - 1) / mss;
Maciej Żenczykowski	bab0c1a	2022-12-29 11:18:35 +0000	[diff] [blame]	241	L3_bytes = tcp6_overhead * packets + payload;
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	242	}
				243
				244	// Are we past the limit? If so, then abort...
				245	// Note: will not overflow since u64 is 936 years even at 5Gbps.
				246	// Do not drop here. Offload is just that, whenever we fail to handle
				247	// a packet we let the core stack deal with things.
				248	// (The core stack needs to handle limits correctly anyway,
				249	// since we don't offload all traffic in both directions)
Maciej Żenczykowski	bab0c1a	2022-12-29 11:18:35 +0000	[diff] [blame]	250	if (stat_v->rxBytes + stat_v->txBytes + L3_bytes > *limit_v) TC_PUNT(LIMIT_REACHED);
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	251
				252	if (!is_ethernet) {
Maciej Żenczykowski	bca0c85	2021-01-19 01:22:17 -0800	[diff] [blame]	253	// Try to inject an ethernet header, and simply return if we fail.
				254	// We do this even if TX interface is RAWIP and thus does not need an ethernet header,
				255	// because this is easier and the kernel will strip extraneous ethernet header.
				256	if (bpf_skb_change_head(skb, sizeof(struct ethhdr), /flags/ 0)) {
Maciej Żenczykowski	e1a615a	2023-10-10 03:34:56 -0700	[diff] [blame]	257	__sync_fetch_and_add(stream.down ? &stat_v->rxErrors : &stat_v->txErrors, 1);
Maciej Żenczykowski	e982f09	2021-02-04 20:26:26 -0800	[diff] [blame]	258	TC_PUNT(CHANGE_HEAD_FAILED);
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	259	}
				260
				261	// bpf_skb_change_head() invalidates all pointers - reload them
				262	data = (void*)(long)skb->data;
				263	data_end = (void*)(long)skb->data_end;
				264	eth = data;
				265	ip6 = (void*)(eth + 1);
				266
				267	// I do not believe this can ever happen, but keep the verifier happy...
Maciej Żenczykowski	bca0c85	2021-01-19 01:22:17 -0800	[diff] [blame]	268	if (data + sizeof(struct ethhdr) + sizeof(*ip6) > data_end) {
Maciej Żenczykowski	e1a615a	2023-10-10 03:34:56 -0700	[diff] [blame]	269	__sync_fetch_and_add(stream.down ? &stat_v->rxErrors : &stat_v->txErrors, 1);
Maciej Żenczykowski	e982f09	2021-02-04 20:26:26 -0800	[diff] [blame]	270	TC_DROP(TOO_SHORT);
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	271	}
				272	};
				273
Maciej Żenczykowski	bca0c85	2021-01-19 01:22:17 -0800	[diff] [blame]	274	// At this point we always have an ethernet header - which will get stripped by the
				275	// kernel during transmit through a rawip interface. ie. 'eth' pointer is valid.
				276	// Additionally note that 'is_ethernet' and 'l2_header_size' are no longer correct.
				277
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	278	// CHECKSUM_COMPLETE is a 16-bit one's complement sum,
				279	// thus corrections for it need to be done in 16-byte chunks at even offsets.
				280	// IPv6 nexthdr is at offset 6, while hop limit is at offset 7
				281	uint8_t old_hl = ip6->hop_limit;
				282	--ip6->hop_limit;
				283	uint8_t new_hl = ip6->hop_limit;
				284
				285	// bpf_csum_update() always succeeds if the skb is CHECKSUM_COMPLETE and returns an error
				286	// (-ENOTSUPP) if it isn't.
				287	bpf_csum_update(skb, 0xFFFF - ntohs(old_hl) + ntohs(new_hl));
				288
Maciej Żenczykowski	e1a615a	2023-10-10 03:34:56 -0700	[diff] [blame]	289	__sync_fetch_and_add(stream.down ? &stat_v->rxPackets : &stat_v->txPackets, packets);
				290	__sync_fetch_and_add(stream.down ? &stat_v->rxBytes : &stat_v->txBytes, L3_bytes);
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	291
				292	// Overwrite any mac header with the new one
Maciej Żenczykowski	bca0c85	2021-01-19 01:22:17 -0800	[diff] [blame]	293	// For a rawip tx interface it will simply be a bunch of zeroes and later stripped.
Maciej Żenczykowski	7dfbcf5	2021-01-26 16:08:57 -0800	[diff] [blame]	294	*eth = v->macHeader;
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	295
				296	// Redirect to forwarded interface.
				297	//
				298	// Note that bpf_redirect() cannot fail unless you pass invalid flags.
				299	// The redirect actually happens after the ebpf program has already terminated,
				300	// and can fail for example for mtu reasons at that point in time, but there's nothing
				301	// we can do about it here.
Maciej Żenczykowski	7dfbcf5	2021-01-26 16:08:57 -0800	[diff] [blame]	302	return bpf_redirect(v->oif, 0 /* this is effectively BPF_F_EGRESS */);
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	303	}
				304
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	305	DEFINE_BPF_PROG("schedcls/tether_downstream6_ether", TETHERING_UID, TETHERING_GID,
Maciej Żenczykowski	770e0a7	2021-01-18 20:14:03 -0800	[diff] [blame]	306	sched_cls_tether_downstream6_ether)
Maciej Żenczykowski	6b7829f	2021-01-18 00:03:37 -0800	[diff] [blame]	307	(struct __sk_buff* skb) {
Maciej Żenczykowski	63fadd1	2023-04-19 16:39:57 -0700	[diff] [blame]	308	return do_forward6(skb, ETHER, DOWNSTREAM, KVER_NONE);
Maciej Żenczykowski	bca0c85	2021-01-19 01:22:17 -0800	[diff] [blame]	309	}
				310
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	311	DEFINE_BPF_PROG("schedcls/tether_upstream6_ether", TETHERING_UID, TETHERING_GID,
Maciej Żenczykowski	bca0c85	2021-01-19 01:22:17 -0800	[diff] [blame]	312	sched_cls_tether_upstream6_ether)
				313	(struct __sk_buff* skb) {
Maciej Żenczykowski	63fadd1	2023-04-19 16:39:57 -0700	[diff] [blame]	314	return do_forward6(skb, ETHER, UPSTREAM, KVER_NONE);
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	315	}
				316
				317	// Note: section names must be unique to prevent programs from appending to each other,
				318	// so instead the bpf loader will strip everything past the final $ symbol when actually
				319	// pinning the program into the filesystem.
				320	//
				321	// bpf_skb_change_head() is only present on 4.14+ and 2 trivial kernel patches are needed:
				322	// ANDROID: net: bpf: Allow TC programs to call BPF_FUNC_skb_change_head
				323	// ANDROID: net: bpf: permit redirect from ingress L3 to egress L2 devices at near max mtu
				324	// (the first of those has already been upstreamed)
				325	//
Maciej Żenczykowski	efe862e	2022-07-28 09:36:52 +0000	[diff] [blame]	326	// These were added to 4.14+ Android Common Kernel in R (including the original release of ACK 5.4)
				327	// and there is a test in kernel/tests/net/test/bpf_test.py testSkbChangeHead()
				328	// and in system/netd/tests/binder_test.cpp NetdBinderTest TetherOffloadForwarding.
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	329	//
Maciej Żenczykowski	efe862e	2022-07-28 09:36:52 +0000	[diff] [blame]	330	// Hence, these mandatory (must load successfully) implementations for 4.14+ kernels:
				331	DEFINE_BPF_PROG_KVER("schedcls/tether_downstream6_rawip$4_14", TETHERING_UID, TETHERING_GID,
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	332	sched_cls_tether_downstream6_rawip_4_14, KVER_4_14)
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	333	(struct __sk_buff* skb) {
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	334	return do_forward6(skb, RAWIP, DOWNSTREAM, KVER_4_14);
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	335	}
				336
Maciej Żenczykowski	efe862e	2022-07-28 09:36:52 +0000	[diff] [blame]	337	DEFINE_BPF_PROG_KVER("schedcls/tether_upstream6_rawip$4_14", TETHERING_UID, TETHERING_GID,
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	338	sched_cls_tether_upstream6_rawip_4_14, KVER_4_14)
Maciej Żenczykowski	bca0c85	2021-01-19 01:22:17 -0800	[diff] [blame]	339	(struct __sk_buff* skb) {
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	340	return do_forward6(skb, RAWIP, UPSTREAM, KVER_4_14);
Maciej Żenczykowski	bca0c85	2021-01-19 01:22:17 -0800	[diff] [blame]	341	}
				342
Maciej Żenczykowski	efe862e	2022-07-28 09:36:52 +0000	[diff] [blame]	343	// and define no-op stubs for pre-4.14 kernels.
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	344	DEFINE_BPF_PROG_KVER_RANGE("schedcls/tether_downstream6_rawip$stub", TETHERING_UID, TETHERING_GID,
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	345	sched_cls_tether_downstream6_rawip_stub, KVER_NONE, KVER_4_14)
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	346	(struct __sk_buff* skb) {
Maciej Żenczykowski	6e66a36	2021-08-24 15:43:15 -0700	[diff] [blame]	347	return TC_ACT_PIPE;
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	348	}
				349
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	350	DEFINE_BPF_PROG_KVER_RANGE("schedcls/tether_upstream6_rawip$stub", TETHERING_UID, TETHERING_GID,
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	351	sched_cls_tether_upstream6_rawip_stub, KVER_NONE, KVER_4_14)
Maciej Żenczykowski	bca0c85	2021-01-19 01:22:17 -0800	[diff] [blame]	352	(struct __sk_buff* skb) {
Maciej Żenczykowski	6e66a36	2021-08-24 15:43:15 -0700	[diff] [blame]	353	return TC_ACT_PIPE;
Maciej Żenczykowski	bca0c85	2021-01-19 01:22:17 -0800	[diff] [blame]	354	}
				355
Maciej Żenczykowski	088fe19	2021-01-20 13:34:17 -0800	[diff] [blame]	356	// ----- IPv4 Support -----
				357
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	358	DEFINE_BPF_MAP_GRW(tether_downstream4_map, HASH, Tether4Key, Tether4Value, 1024, TETHERING_GID)
Maciej Żenczykowski	088fe19	2021-01-20 13:34:17 -0800	[diff] [blame]	359
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	360	DEFINE_BPF_MAP_GRW(tether_upstream4_map, HASH, Tether4Key, Tether4Value, 1024, TETHERING_GID)
Maciej Żenczykowski	088fe19	2021-01-20 13:34:17 -0800	[diff] [blame]	361
Maciej Żenczykowski	f72c8aa	2022-04-28 02:02:45 -0700	[diff] [blame]	362	static inline __always_inline int do_forward4_bottom(struct __sk_buff* skb,
				363	const int l2_header_size, void* data, const void* data_end,
Maciej Żenczykowski	8d3bde7	2023-10-08 18:43:23 -0700	[diff] [blame]	364	struct ethhdr* eth, struct iphdr* ip, const struct rawip_bool rawip,
Maciej Żenczykowski	e1a615a	2023-10-10 03:34:56 -0700	[diff] [blame]	365	const struct stream_bool stream, const struct updatetime_bool updatetime,
Maciej Żenczykowski	8a6c6d5	2023-10-10 00:59:31 -0700	[diff] [blame]	366	const bool is_tcp, const struct kver_uint kver) {
Maciej Żenczykowski	8d3bde7	2023-10-08 18:43:23 -0700	[diff] [blame]	367	const bool is_ethernet = !rawip.rawip;
Maciej Żenczykowski	c2b0146	2021-01-24 21:01:29 -0800	[diff] [blame]	368	struct tcphdr* tcph = is_tcp ? (void*)(ip + 1) : NULL;
				369	struct udphdr* udph = is_tcp ? NULL : (void*)(ip + 1);
				370
				371	if (is_tcp) {
				372	// Make sure we can get at the tcp header
Maciej Żenczykowski	e982f09	2021-02-04 20:26:26 -0800	[diff] [blame]	373	if (data + l2_header_size + sizeof(ip) + sizeof(tcph) > data_end)
				374	TC_PUNT(SHORT_TCP_HEADER);
Maciej Żenczykowski	c2b0146	2021-01-24 21:01:29 -0800	[diff] [blame]	375
				376	// If hardware offload is running and programming flows based on conntrack entries, try not
				377	// to interfere with it, so do not offload TCP packets with any one of the SYN/FIN/RST flags
Maciej Żenczykowski	0dd2bb3	2022-08-10 19:33:06 +0000	[diff] [blame]	378	if (tcph->syn \|\| tcph->fin \|\| tcph->rst) TC_PUNT(TCPV4_CONTROL_PACKET);
Maciej Żenczykowski	c2b0146	2021-01-24 21:01:29 -0800	[diff] [blame]	379	} else { // UDP
				380	// Make sure we can get at the udp header
Maciej Żenczykowski	e982f09	2021-02-04 20:26:26 -0800	[diff] [blame]	381	if (data + l2_header_size + sizeof(ip) + sizeof(udph) > data_end)
				382	TC_PUNT(SHORT_UDP_HEADER);
Maciej Żenczykowski	e4a726a	2021-02-16 17:27:34 -0800	[diff] [blame]	383
				384	// Skip handling of CHECKSUM_COMPLETE packets with udp checksum zero due to need for
				385	// additional updating of skb->csum (this could be fixed up manually with more effort).
				386	//
				387	// Note that the in-kernel implementation of 'int64_t bpf_csum_update(skb, u32 csum)' is:
				388	// if (skb->ip_summed == CHECKSUM_COMPLETE)
				389	// return (skb->csum = csum_add(skb->csum, csum));
				390	// else
				391	// return -ENOTSUPP;
				392	//
				393	// So this will punt any CHECKSUM_COMPLETE packet with a zero UDP checksum,
				394	// and leave all other packets unaffected (since it just at most adds zero to skb->csum).
				395	//
				396	// In practice this should almost never trigger because most nics do not generate
				397	// CHECKSUM_COMPLETE packets on receive - especially so for nics/drivers on a phone.
				398	//
				399	// Additionally since we're forwarding, in most cases the value of the skb->csum field
				400	// shouldn't matter (it's not used by physical nic egress).
				401	//
				402	// It only matters if we're ingressing through a CHECKSUM_COMPLETE capable nic
				403	// and egressing through a virtual interface looping back to the kernel itself
				404	// (ie. something like veth) where the CHECKSUM_COMPLETE/skb->csum can get reused
				405	// on ingress.
				406	//
				407	// If we were in the kernel we'd simply probably call
				408	// void skb_checksum_complete_unset(struct sk_buff *skb) {
				409	// if (skb->ip_summed == CHECKSUM_COMPLETE) skb->ip_summed = CHECKSUM_NONE;
				410	// }
				411	// here instead. Perhaps there should be a bpf helper for that?
Maciej Żenczykowski	e982f09	2021-02-04 20:26:26 -0800	[diff] [blame]	412	if (!udph->check && (bpf_csum_update(skb, 0) >= 0)) TC_PUNT(UDP_CSUM_ZERO);
Maciej Żenczykowski	c2b0146	2021-01-24 21:01:29 -0800	[diff] [blame]	413	}
				414
Maciej Żenczykowski	1feb8b4	2021-01-25 12:01:31 -0800	[diff] [blame]	415	Tether4Key k = {
Maciej Żenczykowski	c2b0146	2021-01-24 21:01:29 -0800	[diff] [blame]	416	.iif = skb->ifindex,
				417	.l4Proto = ip->protocol,
				418	.src4.s_addr = ip->saddr,
				419	.dst4.s_addr = ip->daddr,
				420	.srcPort = is_tcp ? tcph->source : udph->source,
				421	.dstPort = is_tcp ? tcph->dest : udph->dest,
				422	};
Maciej Żenczykowski	62733f5	2021-04-01 21:51:41 -0700	[diff] [blame]	423	if (is_ethernet) __builtin_memcpy(k.dstMac, eth->h_dest, ETH_ALEN);
Maciej Żenczykowski	c2b0146	2021-01-24 21:01:29 -0800	[diff] [blame]	424
Maciej Żenczykowski	e1a615a	2023-10-10 03:34:56 -0700	[diff] [blame]	425	Tether4Value* v = stream.down ? bpf_tether_downstream4_map_lookup_elem(&k)
				426	: bpf_tether_upstream4_map_lookup_elem(&k);
Maciej Żenczykowski	c2b0146	2021-01-24 21:01:29 -0800	[diff] [blame]	427
				428	// If we don't find any offload information then simply let the core stack handle it...
Maciej Żenczykowski	6e66a36	2021-08-24 15:43:15 -0700	[diff] [blame]	429	if (!v) return TC_ACT_PIPE;
Maciej Żenczykowski	c2b0146	2021-01-24 21:01:29 -0800	[diff] [blame]	430
Maciej Żenczykowski	e1a615a	2023-10-10 03:34:56 -0700	[diff] [blame]	431	uint32_t stat_and_limit_k = stream.down ? skb->ifindex : v->oif;
Maciej Żenczykowski	c2b0146	2021-01-24 21:01:29 -0800	[diff] [blame]	432
				433	TetherStatsValue* stat_v = bpf_tether_stats_map_lookup_elem(&stat_and_limit_k);
				434
				435	// If we don't have anywhere to put stats, then abort...
Maciej Żenczykowski	e982f09	2021-02-04 20:26:26 -0800	[diff] [blame]	436	if (!stat_v) TC_PUNT(NO_STATS_ENTRY);
Maciej Żenczykowski	c2b0146	2021-01-24 21:01:29 -0800	[diff] [blame]	437
				438	uint64_t* limit_v = bpf_tether_limit_map_lookup_elem(&stat_and_limit_k);
				439
				440	// If we don't have a limit, then abort...
Maciej Żenczykowski	e982f09	2021-02-04 20:26:26 -0800	[diff] [blame]	441	if (!limit_v) TC_PUNT(NO_LIMIT_ENTRY);
Maciej Żenczykowski	c2b0146	2021-01-24 21:01:29 -0800	[diff] [blame]	442
				443	// Required IPv4 minimum mtu is 68, below that not clear what we should do, abort...
Maciej Żenczykowski	e982f09	2021-02-04 20:26:26 -0800	[diff] [blame]	444	if (v->pmtu < 68) TC_PUNT(BELOW_IPV4_MTU);
Maciej Żenczykowski	c2b0146	2021-01-24 21:01:29 -0800	[diff] [blame]	445
				446	// Approximate handling of TCP/IPv4 overhead for incoming LRO/GRO packets: default
				447	// outbound path mtu of 1500 is not necessarily correct, but worst case we simply
				448	// undercount, which is still better then not accounting for this overhead at all.
				449	// Note: this really shouldn't be device/path mtu at all, but rather should be
				450	// derived from this particular connection's mss (ie. from gro segment size).
				451	// This would require a much newer kernel with newer ebpf accessors.
				452	// (This is also blindly assuming 12 bytes of tcp timestamp option in tcp header)
				453	uint64_t packets = 1;
Maciej Żenczykowski	bab0c1a	2022-12-29 11:18:35 +0000	[diff] [blame]	454	uint64_t L3_bytes = skb->len - l2_header_size;
				455	if (L3_bytes > v->pmtu) {
				456	const int tcp4_overhead = sizeof(struct iphdr) + sizeof(struct tcphdr) + 12;
				457	const int mss = v->pmtu - tcp4_overhead;
				458	const uint64_t payload = L3_bytes - tcp4_overhead;
Maciej Żenczykowski	c2b0146	2021-01-24 21:01:29 -0800	[diff] [blame]	459	packets = (payload + mss - 1) / mss;
Maciej Żenczykowski	bab0c1a	2022-12-29 11:18:35 +0000	[diff] [blame]	460	L3_bytes = tcp4_overhead * packets + payload;
Maciej Żenczykowski	c2b0146	2021-01-24 21:01:29 -0800	[diff] [blame]	461	}
				462
				463	// Are we past the limit? If so, then abort...
				464	// Note: will not overflow since u64 is 936 years even at 5Gbps.
				465	// Do not drop here. Offload is just that, whenever we fail to handle
				466	// a packet we let the core stack deal with things.
				467	// (The core stack needs to handle limits correctly anyway,
				468	// since we don't offload all traffic in both directions)
Maciej Żenczykowski	bab0c1a	2022-12-29 11:18:35 +0000	[diff] [blame]	469	if (stat_v->rxBytes + stat_v->txBytes + L3_bytes > *limit_v) TC_PUNT(LIMIT_REACHED);
Maciej Żenczykowski	c2b0146	2021-01-24 21:01:29 -0800	[diff] [blame]	470
Maciej Żenczykowski	ec5f67d	2021-01-25 02:32:01 -0800	[diff] [blame]	471	if (!is_ethernet) {
				472	// Try to inject an ethernet header, and simply return if we fail.
				473	// We do this even if TX interface is RAWIP and thus does not need an ethernet header,
				474	// because this is easier and the kernel will strip extraneous ethernet header.
				475	if (bpf_skb_change_head(skb, sizeof(struct ethhdr), /flags/ 0)) {
Maciej Żenczykowski	e1a615a	2023-10-10 03:34:56 -0700	[diff] [blame]	476	__sync_fetch_and_add(stream.down ? &stat_v->rxErrors : &stat_v->txErrors, 1);
Maciej Żenczykowski	e982f09	2021-02-04 20:26:26 -0800	[diff] [blame]	477	TC_PUNT(CHANGE_HEAD_FAILED);
Maciej Żenczykowski	ec5f67d	2021-01-25 02:32:01 -0800	[diff] [blame]	478	}
				479
				480	// bpf_skb_change_head() invalidates all pointers - reload them
				481	data = (void*)(long)skb->data;
				482	data_end = (void*)(long)skb->data_end;
				483	eth = data;
				484	ip = (void*)(eth + 1);
				485	tcph = is_tcp ? (void*)(ip + 1) : NULL;
				486	udph = is_tcp ? NULL : (void*)(ip + 1);
				487
				488	// I do not believe this can ever happen, but keep the verifier happy...
				489	if (data + sizeof(struct ethhdr) + sizeof(ip) + (is_tcp ? sizeof(tcph) : sizeof(*udph)) > data_end) {
Maciej Żenczykowski	e1a615a	2023-10-10 03:34:56 -0700	[diff] [blame]	490	__sync_fetch_and_add(stream.down ? &stat_v->rxErrors : &stat_v->txErrors, 1);
Maciej Żenczykowski	e982f09	2021-02-04 20:26:26 -0800	[diff] [blame]	491	TC_DROP(TOO_SHORT);
Maciej Żenczykowski	ec5f67d	2021-01-25 02:32:01 -0800	[diff] [blame]	492	}
				493	};
				494
				495	// At this point we always have an ethernet header - which will get stripped by the
				496	// kernel during transmit through a rawip interface. ie. 'eth' pointer is valid.
				497	// Additionally note that 'is_ethernet' and 'l2_header_size' are no longer correct.
				498
				499	// Overwrite any mac header with the new one
				500	// For a rawip tx interface it will simply be a bunch of zeroes and later stripped.
				501	*eth = v->macHeader;
				502
Maciej Żenczykowski	c29af79	2021-07-02 01:54:04 -0700	[diff] [blame]	503	// Decrement the IPv4 TTL, we already know it's greater than 1.
				504	// u8 TTL field is followed by u8 protocol to make a u16 for ipv4 header checksum update.
				505	// Since we're keeping the ipv4 checksum valid (which means the checksum of the entire
				506	// ipv4 header remains 0), the overall checksum of the entire packet does not change.
				507	const int sz2 = sizeof(__be16);
				508	const __be16 old_ttl_proto = (__be16 )&ip->ttl;
				509	const __be16 new_ttl_proto = old_ttl_proto - htons(0x0100);
				510	bpf_l3_csum_replace(skb, ETH_IP4_OFFSET(check), old_ttl_proto, new_ttl_proto, sz2);
				511	bpf_skb_store_bytes(skb, ETH_IP4_OFFSET(ttl), &new_ttl_proto, sz2, 0);
				512
Maciej Żenczykowski	e4a726a	2021-02-16 17:27:34 -0800	[diff] [blame]	513	const int l4_offs_csum = is_tcp ? ETH_IP4_TCP_OFFSET(check) : ETH_IP4_UDP_OFFSET(check);
Maciej Żenczykowski	ec5f67d	2021-01-25 02:32:01 -0800	[diff] [blame]	514	const int sz4 = sizeof(__be32);
Maciej Żenczykowski	e4a726a	2021-02-16 17:27:34 -0800	[diff] [blame]	515	// UDP 0 is special and stored as FFFF (this flag also causes a csum of 0 to be unmodified)
				516	const int l4_flags = is_tcp ? 0 : BPF_F_MARK_MANGLED_0;
Maciej Żenczykowski	ec5f67d	2021-01-25 02:32:01 -0800	[diff] [blame]	517	const __be32 old_daddr = k.dst4.s_addr;
				518	const __be32 old_saddr = k.src4.s_addr;
				519	const __be32 new_daddr = v->dst46.s6_addr32[3];
				520	const __be32 new_saddr = v->src46.s6_addr32[3];
				521
Maciej Żenczykowski	e4a726a	2021-02-16 17:27:34 -0800	[diff] [blame]	522	bpf_l4_csum_replace(skb, l4_offs_csum, old_daddr, new_daddr, sz4 \| BPF_F_PSEUDO_HDR \| l4_flags);
Maciej Żenczykowski	ec5f67d	2021-01-25 02:32:01 -0800	[diff] [blame]	523	bpf_l3_csum_replace(skb, ETH_IP4_OFFSET(check), old_daddr, new_daddr, sz4);
				524	bpf_skb_store_bytes(skb, ETH_IP4_OFFSET(daddr), &new_daddr, sz4, 0);
				525
Maciej Żenczykowski	e4a726a	2021-02-16 17:27:34 -0800	[diff] [blame]	526	bpf_l4_csum_replace(skb, l4_offs_csum, old_saddr, new_saddr, sz4 \| BPF_F_PSEUDO_HDR \| l4_flags);
Maciej Żenczykowski	ec5f67d	2021-01-25 02:32:01 -0800	[diff] [blame]	527	bpf_l3_csum_replace(skb, ETH_IP4_OFFSET(check), old_saddr, new_saddr, sz4);
				528	bpf_skb_store_bytes(skb, ETH_IP4_OFFSET(saddr), &new_saddr, sz4, 0);
				529
Maciej Żenczykowski	e4a726a	2021-02-16 17:27:34 -0800	[diff] [blame]	530	// The offsets for TCP and UDP ports: source (u16 @ L4 offset 0) & dest (u16 @ L4 offset 2) are
				531	// actually the same, so the compiler should just optimize them both down to a constant.
				532	bpf_l4_csum_replace(skb, l4_offs_csum, k.srcPort, v->srcPort, sz2 \| l4_flags);
				533	bpf_skb_store_bytes(skb, is_tcp ? ETH_IP4_TCP_OFFSET(source) : ETH_IP4_UDP_OFFSET(source),
				534	&v->srcPort, sz2, 0);
Maciej Żenczykowski	ec5f67d	2021-01-25 02:32:01 -0800	[diff] [blame]	535
Maciej Żenczykowski	e4a726a	2021-02-16 17:27:34 -0800	[diff] [blame]	536	bpf_l4_csum_replace(skb, l4_offs_csum, k.dstPort, v->dstPort, sz2 \| l4_flags);
				537	bpf_skb_store_bytes(skb, is_tcp ? ETH_IP4_TCP_OFFSET(dest) : ETH_IP4_UDP_OFFSET(dest),
				538	&v->dstPort, sz2, 0);
Maciej Żenczykowski	ec5f67d	2021-01-25 02:32:01 -0800	[diff] [blame]	539
Maciej Żenczykowski	3686735	2021-02-15 01:53:17 -0800	[diff] [blame]	540	// This requires the bpf_ktime_get_boot_ns() helper which was added in 5.8,
				541	// and backported to all Android Common Kernel 4.14+ trees.
Maciej Żenczykowski	8a6c6d5	2023-10-10 00:59:31 -0700	[diff] [blame]	542	if (updatetime.updatetime) v->last_used = bpf_ktime_get_boot_ns();
Maciej Żenczykowski	ec5f67d	2021-01-25 02:32:01 -0800	[diff] [blame]	543
Maciej Żenczykowski	e1a615a	2023-10-10 03:34:56 -0700	[diff] [blame]	544	__sync_fetch_and_add(stream.down ? &stat_v->rxPackets : &stat_v->txPackets, packets);
				545	__sync_fetch_and_add(stream.down ? &stat_v->rxBytes : &stat_v->txBytes, L3_bytes);
Maciej Żenczykowski	c2b0146	2021-01-24 21:01:29 -0800	[diff] [blame]	546
Maciej Żenczykowski	ec5f67d	2021-01-25 02:32:01 -0800	[diff] [blame]	547	// Redirect to forwarded interface.
				548	//
				549	// Note that bpf_redirect() cannot fail unless you pass invalid flags.
				550	// The redirect actually happens after the ebpf program has already terminated,
				551	// and can fail for example for mtu reasons at that point in time, but there's nothing
				552	// we can do about it here.
				553	return bpf_redirect(v->oif, 0 /* this is effectively BPF_F_EGRESS */);
Maciej Żenczykowski	c2b0146	2021-01-24 21:01:29 -0800	[diff] [blame]	554	}
				555
Maciej Żenczykowski	8d3bde7	2023-10-08 18:43:23 -0700	[diff] [blame]	556	static inline __always_inline int do_forward4(struct __sk_buff* skb,
				557	const struct rawip_bool rawip,
Maciej Żenczykowski	e1a615a	2023-10-10 03:34:56 -0700	[diff] [blame]	558	const struct stream_bool stream,
Maciej Żenczykowski	8a6c6d5	2023-10-10 00:59:31 -0700	[diff] [blame]	559	const struct updatetime_bool updatetime,
Maciej Żenczykowski	8d3bde7	2023-10-08 18:43:23 -0700	[diff] [blame]	560	const struct kver_uint kver) {
				561	const bool is_ethernet = !rawip.rawip;
				562
Maciej Żenczykowski	f72c8aa	2022-04-28 02:02:45 -0700	[diff] [blame]	563	// Require ethernet dst mac address to be our unicast address.
				564	if (is_ethernet && (skb->pkt_type != PACKET_HOST)) return TC_ACT_PIPE;
				565
				566	// Must be meta-ethernet IPv4 frame
				567	if (skb->protocol != htons(ETH_P_IP)) return TC_ACT_PIPE;
				568
				569	const int l2_header_size = is_ethernet ? sizeof(struct ethhdr) : 0;
				570
				571	// Since the program never writes via DPA (direct packet access) auto-pull/unclone logic does
				572	// not trigger and thus we need to manually make sure we can read packet headers via DPA.
				573	// Note: this is a blind best effort pull, which may fail or pull less - this doesn't matter.
				574	// It has to be done early cause it will invalidate any skb->data/data_end derived pointers.
				575	try_make_writable(skb, l2_header_size + IP4_HLEN + TCP_HLEN);
				576
				577	void* data = (void*)(long)skb->data;
				578	const void* data_end = (void*)(long)skb->data_end;
				579	struct ethhdr* eth = is_ethernet ? data : NULL; // used iff is_ethernet
				580	struct iphdr* ip = is_ethernet ? (void*)(eth + 1) : data;
				581
				582	// Must have (ethernet and) ipv4 header
				583	if (data + l2_header_size + sizeof(*ip) > data_end) return TC_ACT_PIPE;
				584
				585	// Ethertype - if present - must be IPv4
				586	if (is_ethernet && (eth->h_proto != htons(ETH_P_IP))) return TC_ACT_PIPE;
				587
				588	// IP version must be 4
Maciej Żenczykowski	b82bf65	2022-08-10 19:28:16 +0000	[diff] [blame]	589	if (ip->version != 4) TC_PUNT(INVALID_IPV4_VERSION);
Maciej Żenczykowski	f72c8aa	2022-04-28 02:02:45 -0700	[diff] [blame]	590
				591	// We cannot handle IP options, just standard 20 byte == 5 dword minimal IPv4 header
				592	if (ip->ihl != 5) TC_PUNT(HAS_IP_OPTIONS);
				593
				594	// Calculate the IPv4 one's complement checksum of the IPv4 header.
				595	__wsum sum4 = 0;
				596	for (int i = 0; i < sizeof(*ip) / sizeof(__u16); ++i) {
				597	sum4 += ((__u16*)ip)[i];
				598	}
				599	// Note that sum4 is guaranteed to be non-zero by virtue of ip4->version == 4
				600	sum4 = (sum4 & 0xFFFF) + (sum4 >> 16); // collapse u32 into range 1 .. 0x1FFFE
				601	sum4 = (sum4 & 0xFFFF) + (sum4 >> 16); // collapse any potential carry into u16
				602	// for a correct checksum we should get a zero, but sum4 must be positive, ie 0xFFFF
				603	if (sum4 != 0xFFFF) TC_PUNT(CHECKSUM);
				604
				605	// Minimum IPv4 total length is the size of the header
				606	if (ntohs(ip->tot_len) < sizeof(*ip)) TC_PUNT(TRUNCATED_IPV4);
				607
				608	// We are incapable of dealing with IPv4 fragments
				609	if (ip->frag_off & ~htons(IP_DF)) TC_PUNT(IS_IP_FRAG);
				610
				611	// Cannot decrement during forward if already zero or would be zero,
				612	// Let the kernel's stack handle these cases and generate appropriate ICMP errors.
				613	if (ip->ttl <= 1) TC_PUNT(LOW_TTL);
				614
				615	// If we cannot update the 'last_used' field due to lack of bpf_ktime_get_boot_ns() helper,
				616	// then it is not safe to offload UDP due to the small conntrack timeouts, as such,
				617	// in such a situation we can only support TCP. This also has the added nice benefit of
				618	// using a separate error counter, and thus making it obvious which version of the program
				619	// is loaded.
Maciej Żenczykowski	8a6c6d5	2023-10-10 00:59:31 -0700	[diff] [blame]	620	if (!updatetime.updatetime && ip->protocol != IPPROTO_TCP) TC_PUNT(NON_TCP);
Maciej Żenczykowski	f72c8aa	2022-04-28 02:02:45 -0700	[diff] [blame]	621
				622	// We do not support offloading anything besides IPv4 TCP and UDP, due to need for NAT,
				623	// but no need to check this if !updatetime due to check immediately above.
Maciej Żenczykowski	8a6c6d5	2023-10-10 00:59:31 -0700	[diff] [blame]	624	if (updatetime.updatetime && (ip->protocol != IPPROTO_TCP) && (ip->protocol != IPPROTO_UDP))
Maciej Żenczykowski	f72c8aa	2022-04-28 02:02:45 -0700	[diff] [blame]	625	TC_PUNT(NON_TCP_UDP);
				626
				627	// We want to make sure that the compiler will, in the !updatetime case, entirely optimize
				628	// out all the non-tcp logic. Also note that at this point is_udp === !is_tcp.
Maciej Żenczykowski	8a6c6d5	2023-10-10 00:59:31 -0700	[diff] [blame]	629	const bool is_tcp = !updatetime.updatetime \|\| (ip->protocol == IPPROTO_TCP);
Maciej Żenczykowski	f72c8aa	2022-04-28 02:02:45 -0700	[diff] [blame]	630
				631	// This is a bit of a hack to make things easier on the bpf verifier.
				632	// (In particular I believe the Linux 4.14 kernel's verifier can get confused later on about
				633	// what offsets into the packet are valid and can spuriously reject the program, this is
				634	// because it fails to realize that is_tcp && !is_tcp is impossible)
				635	//
				636	// For both TCP & UDP we'll need to read and modify the src/dst ports, which so happen to
				637	// always be in the first 4 bytes of the L4 header. Additionally for UDP we'll need access
				638	// to the checksum field which is in bytes 7 and 8. While for TCP we'll need to read the
				639	// TCP flags (at offset 13) and access to the checksum field (2 bytes at offset 16).
				640	// As such we always need access to at least 8 bytes.
				641	if (data + l2_header_size + sizeof(*ip) + 8 > data_end) TC_PUNT(SHORT_L4_HEADER);
				642
				643	// We're forcing the compiler to emit two copies of the following code, optimized
				644	// separately for is_tcp being true or false. This simplifies the resulting bpf
				645	// byte code sufficiently that the 4.14 bpf verifier is able to keep track of things.
				646	// Without this (updatetime == true) case would fail to bpf verify on 4.14 even
				647	// if the underlying requisite kernel support (bpf_ktime_get_boot_ns) was backported.
				648	if (is_tcp) {
				649	return do_forward4_bottom(skb, l2_header_size, data, data_end, eth, ip,
Maciej Żenczykowski	e1a615a	2023-10-10 03:34:56 -0700	[diff] [blame]	650	rawip, stream, updatetime, /* is_tcp */ true, kver);
Maciej Żenczykowski	f72c8aa	2022-04-28 02:02:45 -0700	[diff] [blame]	651	} else {
				652	return do_forward4_bottom(skb, l2_header_size, data, data_end, eth, ip,
Maciej Żenczykowski	e1a615a	2023-10-10 03:34:56 -0700	[diff] [blame]	653	rawip, stream, updatetime, /* is_tcp */ false, kver);
Maciej Żenczykowski	f72c8aa	2022-04-28 02:02:45 -0700	[diff] [blame]	654	}
				655	}
				656
Maciej Żenczykowski	acddd4f	2021-03-09 21:43:48 -0800	[diff] [blame]	657	// Full featured (required) implementations for 5.8+ kernels (these are S+ by definition)
Maciej Żenczykowski	c2b0146	2021-01-24 21:01:29 -0800	[diff] [blame]	658
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	659	DEFINE_BPF_PROG_KVER("schedcls/tether_downstream4_rawip$5_8", TETHERING_UID, TETHERING_GID,
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	660	sched_cls_tether_downstream4_rawip_5_8, KVER_5_8)
Maciej Żenczykowski	c2b0146	2021-01-24 21:01:29 -0800	[diff] [blame]	661	(struct __sk_buff* skb) {
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	662	return do_forward4(skb, RAWIP, DOWNSTREAM, UPDATETIME, KVER_5_8);
Maciej Żenczykowski	c2b0146	2021-01-24 21:01:29 -0800	[diff] [blame]	663	}
				664
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	665	DEFINE_BPF_PROG_KVER("schedcls/tether_upstream4_rawip$5_8", TETHERING_UID, TETHERING_GID,
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	666	sched_cls_tether_upstream4_rawip_5_8, KVER_5_8)
Maciej Żenczykowski	c2b0146	2021-01-24 21:01:29 -0800	[diff] [blame]	667	(struct __sk_buff* skb) {
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	668	return do_forward4(skb, RAWIP, UPSTREAM, UPDATETIME, KVER_5_8);
Maciej Żenczykowski	c2b0146	2021-01-24 21:01:29 -0800	[diff] [blame]	669	}
				670
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	671	DEFINE_BPF_PROG_KVER("schedcls/tether_downstream4_ether$5_8", TETHERING_UID, TETHERING_GID,
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	672	sched_cls_tether_downstream4_ether_5_8, KVER_5_8)
Maciej Żenczykowski	3686735	2021-02-15 01:53:17 -0800	[diff] [blame]	673	(struct __sk_buff* skb) {
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	674	return do_forward4(skb, ETHER, DOWNSTREAM, UPDATETIME, KVER_5_8);
Maciej Żenczykowski	3686735	2021-02-15 01:53:17 -0800	[diff] [blame]	675	}
				676
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	677	DEFINE_BPF_PROG_KVER("schedcls/tether_upstream4_ether$5_8", TETHERING_UID, TETHERING_GID,
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	678	sched_cls_tether_upstream4_ether_5_8, KVER_5_8)
Maciej Żenczykowski	2278aed	2021-03-09 21:19:52 -0800	[diff] [blame]	679	(struct __sk_buff* skb) {
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	680	return do_forward4(skb, ETHER, UPSTREAM, UPDATETIME, KVER_5_8);
Maciej Żenczykowski	2278aed	2021-03-09 21:19:52 -0800	[diff] [blame]	681	}
				682
Maciej Żenczykowski	acddd4f	2021-03-09 21:43:48 -0800	[diff] [blame]	683	// Full featured (optional) implementations for 4.14-S, 4.19-S & 5.4-S kernels
				684	// (optional, because we need to be able to fallback for 4.14/4.19/5.4 pre-S kernels)
Maciej Żenczykowski	2278aed	2021-03-09 21:19:52 -0800	[diff] [blame]	685
Maciej Żenczykowski	3686735	2021-02-15 01:53:17 -0800	[diff] [blame]	686	DEFINE_OPTIONAL_BPF_PROG_KVER_RANGE("schedcls/tether_downstream4_rawip$opt",
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	687	TETHERING_UID, TETHERING_GID,
Maciej Żenczykowski	3686735	2021-02-15 01:53:17 -0800	[diff] [blame]	688	sched_cls_tether_downstream4_rawip_opt,
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	689	KVER_4_14, KVER_5_8)
Maciej Żenczykowski	3686735	2021-02-15 01:53:17 -0800	[diff] [blame]	690	(struct __sk_buff* skb) {
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	691	return do_forward4(skb, RAWIP, DOWNSTREAM, UPDATETIME, KVER_4_14);
Maciej Żenczykowski	3686735	2021-02-15 01:53:17 -0800	[diff] [blame]	692	}
				693
Maciej Żenczykowski	3686735	2021-02-15 01:53:17 -0800	[diff] [blame]	694	DEFINE_OPTIONAL_BPF_PROG_KVER_RANGE("schedcls/tether_upstream4_rawip$opt",
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	695	TETHERING_UID, TETHERING_GID,
Maciej Żenczykowski	3686735	2021-02-15 01:53:17 -0800	[diff] [blame]	696	sched_cls_tether_upstream4_rawip_opt,
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	697	KVER_4_14, KVER_5_8)
Maciej Żenczykowski	3686735	2021-02-15 01:53:17 -0800	[diff] [blame]	698	(struct __sk_buff* skb) {
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	699	return do_forward4(skb, RAWIP, UPSTREAM, UPDATETIME, KVER_4_14);
Maciej Żenczykowski	3686735	2021-02-15 01:53:17 -0800	[diff] [blame]	700	}
				701
Maciej Żenczykowski	2278aed	2021-03-09 21:19:52 -0800	[diff] [blame]	702	DEFINE_OPTIONAL_BPF_PROG_KVER_RANGE("schedcls/tether_downstream4_ether$opt",
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	703	TETHERING_UID, TETHERING_GID,
Maciej Żenczykowski	2278aed	2021-03-09 21:19:52 -0800	[diff] [blame]	704	sched_cls_tether_downstream4_ether_opt,
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	705	KVER_4_14, KVER_5_8)
Maciej Żenczykowski	2278aed	2021-03-09 21:19:52 -0800	[diff] [blame]	706	(struct __sk_buff* skb) {
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	707	return do_forward4(skb, ETHER, DOWNSTREAM, UPDATETIME, KVER_4_14);
Maciej Żenczykowski	2278aed	2021-03-09 21:19:52 -0800	[diff] [blame]	708	}
				709
				710	DEFINE_OPTIONAL_BPF_PROG_KVER_RANGE("schedcls/tether_upstream4_ether$opt",
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	711	TETHERING_UID, TETHERING_GID,
Maciej Żenczykowski	2278aed	2021-03-09 21:19:52 -0800	[diff] [blame]	712	sched_cls_tether_upstream4_ether_opt,
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	713	KVER_4_14, KVER_5_8)
Maciej Żenczykowski	2278aed	2021-03-09 21:19:52 -0800	[diff] [blame]	714	(struct __sk_buff* skb) {
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	715	return do_forward4(skb, ETHER, UPSTREAM, UPDATETIME, KVER_4_14);
Maciej Żenczykowski	2278aed	2021-03-09 21:19:52 -0800	[diff] [blame]	716	}
				717
Maciej Żenczykowski	3686735	2021-02-15 01:53:17 -0800	[diff] [blame]	718	// Partial (TCP-only: will not update 'last_used' field) implementations for 4.14+ kernels.
Maciej Żenczykowski	acddd4f	2021-03-09 21:43:48 -0800	[diff] [blame]	719	// These will be loaded only if the above optional ones failed (loading of these must succeed
				720	// for 5.4+, since that is always an R patched kernel).
Maciej Żenczykowski	3686735	2021-02-15 01:53:17 -0800	[diff] [blame]	721	//
				722	// [Note: as a result TCP connections will not have their conntrack timeout refreshed, however,
				723	// since /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established defaults to 432000 (seconds),
				724	// this in practice means they'll break only after 5 days. This seems an acceptable trade-off.
				725	//
				726	// Additionally kernel/tests change "net-test: add bpf_ktime_get_ns / bpf_ktime_get_boot_ns tests"
				727	// which enforces and documents the required kernel cherrypicks will make it pretty unlikely that
				728	// many devices upgrading to S will end up relying on these fallback programs.
				729
Maciej Żenczykowski	acddd4f	2021-03-09 21:43:48 -0800	[diff] [blame]	730	// RAWIP: Required for 5.4-R kernels -- which always support bpf_skb_change_head().
				731
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	732	DEFINE_BPF_PROG_KVER_RANGE("schedcls/tether_downstream4_rawip$5_4", TETHERING_UID, TETHERING_GID,
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	733	sched_cls_tether_downstream4_rawip_5_4, KVER_5_4, KVER_5_8)
Maciej Żenczykowski	3686735	2021-02-15 01:53:17 -0800	[diff] [blame]	734	(struct __sk_buff* skb) {
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	735	return do_forward4(skb, RAWIP, DOWNSTREAM, NO_UPDATETIME, KVER_5_4);
Maciej Żenczykowski	3686735	2021-02-15 01:53:17 -0800	[diff] [blame]	736	}
				737
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	738	DEFINE_BPF_PROG_KVER_RANGE("schedcls/tether_upstream4_rawip$5_4", TETHERING_UID, TETHERING_GID,
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	739	sched_cls_tether_upstream4_rawip_5_4, KVER_5_4, KVER_5_8)
Maciej Żenczykowski	3686735	2021-02-15 01:53:17 -0800	[diff] [blame]	740	(struct __sk_buff* skb) {
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	741	return do_forward4(skb, RAWIP, UPSTREAM, NO_UPDATETIME, KVER_5_4);
Maciej Żenczykowski	3686735	2021-02-15 01:53:17 -0800	[diff] [blame]	742	}
				743
Maciej Żenczykowski	acddd4f	2021-03-09 21:43:48 -0800	[diff] [blame]	744	// RAWIP: Optional for 4.14/4.19 (R) kernels -- which support bpf_skb_change_head().
				745	// [Note: fallback for 4.14/4.19 (P/Q) kernels is below in stub section]
				746
				747	DEFINE_OPTIONAL_BPF_PROG_KVER_RANGE("schedcls/tether_downstream4_rawip$4_14",
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	748	TETHERING_UID, TETHERING_GID,
Maciej Żenczykowski	acddd4f	2021-03-09 21:43:48 -0800	[diff] [blame]	749	sched_cls_tether_downstream4_rawip_4_14,
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	750	KVER_4_14, KVER_5_4)
Maciej Żenczykowski	acddd4f	2021-03-09 21:43:48 -0800	[diff] [blame]	751	(struct __sk_buff* skb) {
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	752	return do_forward4(skb, RAWIP, DOWNSTREAM, NO_UPDATETIME, KVER_4_14);
Maciej Żenczykowski	acddd4f	2021-03-09 21:43:48 -0800	[diff] [blame]	753	}
				754
				755	DEFINE_OPTIONAL_BPF_PROG_KVER_RANGE("schedcls/tether_upstream4_rawip$4_14",
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	756	TETHERING_UID, TETHERING_GID,
Maciej Żenczykowski	acddd4f	2021-03-09 21:43:48 -0800	[diff] [blame]	757	sched_cls_tether_upstream4_rawip_4_14,
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	758	KVER_4_14, KVER_5_4)
Maciej Żenczykowski	acddd4f	2021-03-09 21:43:48 -0800	[diff] [blame]	759	(struct __sk_buff* skb) {
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	760	return do_forward4(skb, RAWIP, UPSTREAM, NO_UPDATETIME, KVER_4_14);
Maciej Żenczykowski	acddd4f	2021-03-09 21:43:48 -0800	[diff] [blame]	761	}
				762
				763	// ETHER: Required for 4.14-Q/R, 4.19-Q/R & 5.4-R kernels.
				764
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	765	DEFINE_BPF_PROG_KVER_RANGE("schedcls/tether_downstream4_ether$4_14", TETHERING_UID, TETHERING_GID,
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	766	sched_cls_tether_downstream4_ether_4_14, KVER_4_14, KVER_5_8)
Maciej Żenczykowski	088fe19	2021-01-20 13:34:17 -0800	[diff] [blame]	767	(struct __sk_buff* skb) {
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	768	return do_forward4(skb, ETHER, DOWNSTREAM, NO_UPDATETIME, KVER_4_14);
Maciej Żenczykowski	088fe19	2021-01-20 13:34:17 -0800	[diff] [blame]	769	}
				770
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	771	DEFINE_BPF_PROG_KVER_RANGE("schedcls/tether_upstream4_ether$4_14", TETHERING_UID, TETHERING_GID,
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	772	sched_cls_tether_upstream4_ether_4_14, KVER_4_14, KVER_5_8)
Maciej Żenczykowski	2278aed	2021-03-09 21:19:52 -0800	[diff] [blame]	773	(struct __sk_buff* skb) {
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	774	return do_forward4(skb, ETHER, UPSTREAM, NO_UPDATETIME, KVER_4_14);
Maciej Żenczykowski	2278aed	2021-03-09 21:19:52 -0800	[diff] [blame]	775	}
				776
Maciej Żenczykowski	acddd4f	2021-03-09 21:43:48 -0800	[diff] [blame]	777	// Placeholder (no-op) implementations for older Q kernels
				778
				779	// RAWIP: 4.9-P/Q, 4.14-P/Q & 4.19-Q kernels -- without bpf_skb_change_head() for tc programs
Maciej Żenczykowski	2278aed	2021-03-09 21:19:52 -0800	[diff] [blame]	780
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	781	DEFINE_BPF_PROG_KVER_RANGE("schedcls/tether_downstream4_rawip$stub", TETHERING_UID, TETHERING_GID,
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	782	sched_cls_tether_downstream4_rawip_stub, KVER_NONE, KVER_5_4)
Maciej Żenczykowski	088fe19	2021-01-20 13:34:17 -0800	[diff] [blame]	783	(struct __sk_buff* skb) {
Maciej Żenczykowski	6e66a36	2021-08-24 15:43:15 -0700	[diff] [blame]	784	return TC_ACT_PIPE;
Maciej Żenczykowski	088fe19	2021-01-20 13:34:17 -0800	[diff] [blame]	785	}
				786
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	787	DEFINE_BPF_PROG_KVER_RANGE("schedcls/tether_upstream4_rawip$stub", TETHERING_UID, TETHERING_GID,
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	788	sched_cls_tether_upstream4_rawip_stub, KVER_NONE, KVER_5_4)
Maciej Żenczykowski	088fe19	2021-01-20 13:34:17 -0800	[diff] [blame]	789	(struct __sk_buff* skb) {
Maciej Żenczykowski	6e66a36	2021-08-24 15:43:15 -0700	[diff] [blame]	790	return TC_ACT_PIPE;
Maciej Żenczykowski	088fe19	2021-01-20 13:34:17 -0800	[diff] [blame]	791	}
				792
Maciej Żenczykowski	acddd4f	2021-03-09 21:43:48 -0800	[diff] [blame]	793	// ETHER: 4.9-P/Q kernel
				794
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	795	DEFINE_BPF_PROG_KVER_RANGE("schedcls/tether_downstream4_ether$stub", TETHERING_UID, TETHERING_GID,
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	796	sched_cls_tether_downstream4_ether_stub, KVER_NONE, KVER_4_14)
Maciej Żenczykowski	2278aed	2021-03-09 21:19:52 -0800	[diff] [blame]	797	(struct __sk_buff* skb) {
Maciej Żenczykowski	6e66a36	2021-08-24 15:43:15 -0700	[diff] [blame]	798	return TC_ACT_PIPE;
Maciej Żenczykowski	2278aed	2021-03-09 21:19:52 -0800	[diff] [blame]	799	}
				800
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	801	DEFINE_BPF_PROG_KVER_RANGE("schedcls/tether_upstream4_ether$stub", TETHERING_UID, TETHERING_GID,
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	802	sched_cls_tether_upstream4_ether_stub, KVER_NONE, KVER_4_14)
Maciej Żenczykowski	088fe19	2021-01-20 13:34:17 -0800	[diff] [blame]	803	(struct __sk_buff* skb) {
Maciej Żenczykowski	6e66a36	2021-08-24 15:43:15 -0700	[diff] [blame]	804	return TC_ACT_PIPE;
Maciej Żenczykowski	088fe19	2021-01-20 13:34:17 -0800	[diff] [blame]	805	}
				806
Maciej Żenczykowski	b199742	2021-01-20 14:31:50 -0800	[diff] [blame]	807	// ----- XDP Support -----
				808
Maciej Żenczykowski	ccce4a3	2022-07-17 01:28:38 -0700	[diff] [blame]	809	DEFINE_BPF_MAP_GRW(tether_dev_map, DEVMAP_HASH, uint32_t, uint32_t, 64, TETHERING_GID)
Maciej Żenczykowski	db2cff5	2021-03-01 21:22:49 -0800	[diff] [blame]	810
Maciej Żenczykowski	8d3bde7	2023-10-08 18:43:23 -0700	[diff] [blame]	811	static inline __always_inline int do_xdp_forward6(struct xdp_md *ctx, const struct rawip_bool rawip,
Maciej Żenczykowski	e1a615a	2023-10-10 03:34:56 -0700	[diff] [blame]	812	const struct stream_bool stream) {
Maciej Żenczykowski	90b81ac	2021-03-07 06:48:26 -0800	[diff] [blame]	813	return XDP_PASS;
				814	}
				815
Maciej Żenczykowski	8d3bde7	2023-10-08 18:43:23 -0700	[diff] [blame]	816	static inline __always_inline int do_xdp_forward4(struct xdp_md *ctx, const struct rawip_bool rawip,
Maciej Żenczykowski	e1a615a	2023-10-10 03:34:56 -0700	[diff] [blame]	817	const struct stream_bool stream) {
Maciej Żenczykowski	90b81ac	2021-03-07 06:48:26 -0800	[diff] [blame]	818	return XDP_PASS;
				819	}
				820
Maciej Żenczykowski	e1a615a	2023-10-10 03:34:56 -0700	[diff] [blame]	821	static inline __always_inline int do_xdp_forward_ether(struct xdp_md *ctx,
				822	const struct stream_bool stream) {
Maciej Żenczykowski	90b81ac	2021-03-07 06:48:26 -0800	[diff] [blame]	823	const void* data = (void*)(long)ctx->data;
				824	const void* data_end = (void*)(long)ctx->data_end;
				825	const struct ethhdr* eth = data;
				826
				827	// Make sure we actually have an ethernet header
				828	if ((void*)(eth + 1) > data_end) return XDP_PASS;
				829
				830	if (eth->h_proto == htons(ETH_P_IPV6))
Maciej Żenczykowski	e1a615a	2023-10-10 03:34:56 -0700	[diff] [blame]	831	return do_xdp_forward6(ctx, ETHER, stream);
Maciej Żenczykowski	90b81ac	2021-03-07 06:48:26 -0800	[diff] [blame]	832	if (eth->h_proto == htons(ETH_P_IP))
Maciej Żenczykowski	e1a615a	2023-10-10 03:34:56 -0700	[diff] [blame]	833	return do_xdp_forward4(ctx, ETHER, stream);
Maciej Żenczykowski	90b81ac	2021-03-07 06:48:26 -0800	[diff] [blame]	834
				835	// Anything else we don't know how to handle...
				836	return XDP_PASS;
				837	}
				838
Maciej Żenczykowski	e1a615a	2023-10-10 03:34:56 -0700	[diff] [blame]	839	static inline __always_inline int do_xdp_forward_rawip(struct xdp_md *ctx,
				840	const struct stream_bool stream) {
Maciej Żenczykowski	90b81ac	2021-03-07 06:48:26 -0800	[diff] [blame]	841	const void* data = (void*)(long)ctx->data;
				842	const void* data_end = (void*)(long)ctx->data_end;
				843
				844	// The top nibble of both IPv4 and IPv6 headers is the IP version.
				845	if (data_end - data < 1) return XDP_PASS;
				846	const uint8_t v = ((uint8_t)data) >> 4;
				847
Maciej Żenczykowski	e1a615a	2023-10-10 03:34:56 -0700	[diff] [blame]	848	if (v == 6) return do_xdp_forward6(ctx, RAWIP, stream);
				849	if (v == 4) return do_xdp_forward4(ctx, RAWIP, stream);
Maciej Żenczykowski	90b81ac	2021-03-07 06:48:26 -0800	[diff] [blame]	850
				851	// Anything else we don't know how to handle...
				852	return XDP_PASS;
				853	}
				854
Maciej Żenczykowski	b199742	2021-01-20 14:31:50 -0800	[diff] [blame]	855	#define DEFINE_XDP_PROG(str, func) \
Maciej Żenczykowski	901c710	2023-10-06 15:47:46 -0700	[diff] [blame]	856	DEFINE_BPF_PROG_KVER(str, TETHERING_UID, TETHERING_GID, func, KVER_5_9)(struct xdp_md *ctx)
Maciej Żenczykowski	b199742	2021-01-20 14:31:50 -0800	[diff] [blame]	857
				858	DEFINE_XDP_PROG("xdp/tether_downstream_ether",
				859	xdp_tether_downstream_ether) {
Maciej Żenczykowski	cad569f	2023-04-19 16:33:30 -0700	[diff] [blame]	860	return do_xdp_forward_ether(ctx, DOWNSTREAM);
Maciej Żenczykowski	b199742	2021-01-20 14:31:50 -0800	[diff] [blame]	861	}
				862
				863	DEFINE_XDP_PROG("xdp/tether_downstream_rawip",
				864	xdp_tether_downstream_rawip) {
Maciej Żenczykowski	cad569f	2023-04-19 16:33:30 -0700	[diff] [blame]	865	return do_xdp_forward_rawip(ctx, DOWNSTREAM);
Maciej Żenczykowski	b199742	2021-01-20 14:31:50 -0800	[diff] [blame]	866	}
				867
				868	DEFINE_XDP_PROG("xdp/tether_upstream_ether",
				869	xdp_tether_upstream_ether) {
Maciej Żenczykowski	941ea03	2023-04-19 16:33:02 -0700	[diff] [blame]	870	return do_xdp_forward_ether(ctx, UPSTREAM);
Maciej Żenczykowski	b199742	2021-01-20 14:31:50 -0800	[diff] [blame]	871	}
				872
				873	DEFINE_XDP_PROG("xdp/tether_upstream_rawip",
				874	xdp_tether_upstream_rawip) {
Maciej Żenczykowski	941ea03	2023-04-19 16:33:02 -0700	[diff] [blame]	875	return do_xdp_forward_rawip(ctx, UPSTREAM);
Maciej Żenczykowski	b199742	2021-01-20 14:31:50 -0800	[diff] [blame]	876	}
				877
Hungming Chen	56c632c	2020-09-10 15:42:58 +0800	[diff] [blame]	878	LICENSE("Apache 2.0");
Maciej Żenczykowski	3dd052e	2024-04-19 23:39:44 +0000	[diff] [blame]	879	CRITICAL("Connectivity (Tethering)");
Maciej Żenczykowski	de1342a	2023-06-09 05:45:57 +0000	[diff] [blame]	880	DISABLE_BTF_ON_USER_BUILDS();