1 | /* $NetBSD: in_gif.c,v 1.83 2016/08/18 11:34:09 knakahara Exp $ */ |
2 | /* $KAME: in_gif.c,v 1.66 2001/07/29 04:46:09 itojun Exp $ */ |
3 | |
4 | /* |
5 | * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. |
6 | * All rights reserved. |
7 | * |
8 | * Redistribution and use in source and binary forms, with or without |
9 | * modification, are permitted provided that the following conditions |
10 | * are met: |
11 | * 1. Redistributions of source code must retain the above copyright |
12 | * notice, this list of conditions and the following disclaimer. |
13 | * 2. Redistributions in binary form must reproduce the above copyright |
14 | * notice, this list of conditions and the following disclaimer in the |
15 | * documentation and/or other materials provided with the distribution. |
16 | * 3. Neither the name of the project nor the names of its contributors |
17 | * may be used to endorse or promote products derived from this software |
18 | * without specific prior written permission. |
19 | * |
20 | * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND |
21 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
23 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE |
24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
26 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
27 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
30 | * SUCH DAMAGE. |
31 | */ |
32 | |
33 | #include <sys/cdefs.h> |
34 | __KERNEL_RCSID(0, "$NetBSD: in_gif.c,v 1.83 2016/08/18 11:34:09 knakahara Exp $" ); |
35 | |
36 | #ifdef _KERNEL_OPT |
37 | #include "opt_inet.h" |
38 | #endif |
39 | |
40 | #include <sys/param.h> |
41 | #include <sys/systm.h> |
42 | #include <sys/socket.h> |
43 | #include <sys/sockio.h> |
44 | #include <sys/mbuf.h> |
45 | #include <sys/errno.h> |
46 | #include <sys/ioctl.h> |
47 | #include <sys/syslog.h> |
48 | #include <sys/kernel.h> |
49 | |
50 | #include <net/if.h> |
51 | #include <net/route.h> |
52 | |
53 | #include <netinet/in.h> |
54 | #include <netinet/in_systm.h> |
55 | #include <netinet/ip.h> |
56 | #include <netinet/ip_var.h> |
57 | #include <netinet/in_gif.h> |
58 | #include <netinet/in_var.h> |
59 | #include <netinet/ip_encap.h> |
60 | #include <netinet/ip_ecn.h> |
61 | |
62 | #ifdef INET6 |
63 | #include <netinet/ip6.h> |
64 | #endif |
65 | |
66 | #include <net/if_gif.h> |
67 | |
68 | #include <net/net_osdep.h> |
69 | |
/* Outer-address validation shared by in_gif_input() and gif_encapcheck4(). */
static int gif_validate4(const struct ip *ip, struct gif_softc *sc,
    struct ifnet *ifp);

/* TTL written into the outer IPv4 header; non-static so other code can set it. */
int ip_gif_ttl = GIF_TTL;

/* Encap-layer dispatch table: IPv4 outer headers are delivered to in_gif_input(). */
static const struct encapsw in_gif_encapsw = {
	.encapsw4 = {
		.pr_input = in_gif_input,
		.pr_ctlinput = NULL,
	}
};
81 | |
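/*
 * in_gif_output: wrap an outgoing inner packet in an IPv4 header and hand
 * it to ip_output().
 *
 * ifp    - the gif interface the packet leaves through; its softc holds the
 *          tunnel endpoints (gif_psrc / gif_pdst) and the cached route.
 * family - address family of the inner packet (AF_INET or AF_INET6).
 * m      - the inner packet.  It is always consumed: freed here on error,
 *          freed by m_pullup() when that fails, or passed on to ip_output().
 *
 * Returns 0 on success, otherwise an errno value: EAFNOSUPPORT for an
 * unconfigured/non-IPv4 tunnel or unknown inner family, ENOBUFS when an
 * mbuf operation fails, ENETUNREACH for a wildcard peer, no route or a
 * route that loops back into this interface, EMSGSIZE when the result
 * would not fit in the 16-bit ip_len field.
 */
int
in_gif_output(struct ifnet *ifp, int family, struct mbuf *m)
{
	struct rtentry *rt;
	struct gif_softc *sc = ifp->if_softc;
	struct sockaddr_in *sin_src = satosin(sc->gif_psrc);
	struct sockaddr_in *sin_dst = satosin(sc->gif_pdst);
	struct ip iphdr;	/* capsule IP header, host byte ordered */
	int proto, error;
	u_int8_t tos;
	union {
		struct sockaddr dst;
		struct sockaddr_in dst4;
	} u;

	/* Both tunnel endpoints must be configured and be IPv4. */
	if (sin_src == NULL || sin_dst == NULL ||
	    sin_src->sin_family != AF_INET ||
	    sin_dst->sin_family != AF_INET) {
		m_freem(m);
		return EAFNOSUPPORT;
	}

	/*
	 * Pick the outer protocol number and read the inner TOS / traffic
	 * class so ECN can be carried into the outer header.
	 */
	switch (family) {
#ifdef INET
	case AF_INET:
	{
		const struct ip *ip;

		proto = IPPROTO_IPV4;
		if (m->m_len < sizeof(*ip)) {
			/* m_pullup() frees the chain on failure */
			m = m_pullup(m, sizeof(*ip));
			if (m == NULL)
				return ENOBUFS;
		}
		ip = mtod(m, const struct ip *);
		tos = ip->ip_tos;
		break;
	}
#endif /* INET */
#ifdef INET6
	case AF_INET6:
	{
		const struct ip6_hdr *ip6;

		proto = IPPROTO_IPV6;
		if (m->m_len < sizeof(*ip6)) {
			m = m_pullup(m, sizeof(*ip6));
			if (m == NULL)
				return ENOBUFS;
		}
		ip6 = mtod(m, const struct ip6_hdr *);
		/* traffic class is bits 20..27 of the flow word */
		tos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
		break;
	}
#endif /* INET6 */
	default:
#ifdef DEBUG
		printf("in_gif_output: warning: unknown family %d passed\n",
			family);
#endif
		m_freem(m);
		return EAFNOSUPPORT;
	}

	/* bidirectional configured tunnel mode: a wildcard peer is unusable */
	if (sin_dst->sin_addr.s_addr == INADDR_ANY) {
		m_freem(m);
		return ENETUNREACH;
	}

	/*
	 * ip_len is a 16-bit field; refuse a payload that would not fit
	 * instead of letting the length silently wrap in htons().
	 */
	if (m->m_pkthdr.len + sizeof(struct ip) > IP_MAXPACKET) {
		m_freem(m);
		return EMSGSIZE;
	}

	memset(&iphdr, 0, sizeof(iphdr));
	iphdr.ip_src = sin_src->sin_addr;
	iphdr.ip_dst = sin_dst->sin_addr;
	iphdr.ip_p = proto;
	/* version will be set in ip_output() */
	iphdr.ip_ttl = ip_gif_ttl;
	iphdr.ip_len = htons(m->m_pkthdr.len + sizeof(struct ip));
	/* IFF_LINK1 on the gif interface selects whether ECN is propagated. */
	ip_ecn_ingress((ifp->if_flags & IFF_LINK1) ? ECN_ALLOWED : ECN_NOCARE,
	    &iphdr.ip_tos, &tos);

	/* prepend new IP header */
	M_PREPEND(m, sizeof(struct ip), M_DONTWAIT);
	/* XXX Is m_pullup really necessary after M_PREPEND? */
	if (m != NULL && M_UNWRITABLE(m, sizeof(struct ip)))
		m = m_pullup(m, sizeof(struct ip));
	if (m == NULL)
		return ENOBUFS;
	memcpy(mtod(m, struct ip *), &iphdr, sizeof(struct ip));

	sockaddr_in_init(&u.dst4, &sin_dst->sin_addr, 0);
	if ((rt = rtcache_lookup(&sc->gif_ro, &u.dst)) == NULL) {
		m_freem(m);
		return ENETUNREACH;
	}

	/* If the route constitutes infinite encapsulation, punt. */
	if (rt->rt_ifp == ifp) {
		rtcache_free(&sc->gif_ro);
		m_freem(m);
		return ENETUNREACH;	/*XXX*/
	}

	error = ip_output(m, NULL, &sc->gif_ro, 0, NULL, NULL);
	return error;
}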
188 | |
/*
 * in_gif_input: decapsulate a packet that arrived on an IPv4 gif tunnel.
 *
 * m     - the outer packet; always consumed (freed on drop, freed by
 *         m_pullup() on failure, or handed to gif_input()).
 * off   - offset of the inner packet, i.e. the length of the outer header.
 * proto - outer protocol number (IPPROTO_IPV4 or IPPROTO_IPV6).
 *
 * The gif interface is fetched from the mbuf via encap_getarg().  Packets
 * with no tunnel, a tunnel that is not UP and RUNNING, or (without
 * GIF_ENCAPCHECK) an outer header that fails gif_validate4() are counted
 * in IP_STAT_NOGIF and dropped.
 */
void
in_gif_input(struct mbuf *m, int off, int proto)
{
	struct ifnet *gifp;
	const struct ip *outer_ip;
	int inner_af;
	int ecn_mode;
	u_int8_t outer_tos;

	outer_ip = mtod(m, const struct ip *);
	gifp = (struct ifnet *)encap_getarg(m);

	/* no tunnel, or tunnel not UP and RUNNING */
	if (gifp == NULL ||
	    (gifp->if_flags & (IFF_UP|IFF_RUNNING)) != (IFF_UP|IFF_RUNNING)) {
		m_freem(m);
		ip_statinc(IP_STAT_NOGIF);
		return;
	}
#ifndef GIF_ENCAPCHECK
	{
		struct gif_softc *sc = (struct gif_softc *)gifp->if_softc;
		struct ifnet *rcvif;
		struct psref psref;
		int valid;

		/* other CPU do delete_tunnel */
		if (sc->gif_psrc == NULL || sc->gif_pdst == NULL) {
			m_freem(m);
			ip_statinc(IP_STAT_NOGIF);
			return;
		}

		/* hold the receiving interface only for the validation call */
		rcvif = m_get_rcvif_psref(m, &psref);
		valid = gif_validate4(outer_ip, sc, rcvif);
		m_put_rcvif_psref(rcvif, &psref);
		if (!valid) {
			m_freem(m);
			ip_statinc(IP_STAT_NOGIF);
			return;
		}
	}
#endif
	/* IFF_LINK1 on the gif interface selects the ECN handling mode */
	ecn_mode = (gifp->if_flags & IFF_LINK1) ? ECN_ALLOWED : ECN_NOCARE;
	outer_tos = outer_ip->ip_tos;
	/* strip the outer header; outer_ip must not be used past this point */
	m_adj(m, off);

	switch (proto) {
#ifdef INET
	case IPPROTO_IPV4:
	{
		struct ip *inner_ip;

		inner_af = AF_INET;
		if (M_UNWRITABLE(m, sizeof(*inner_ip))) {
			/* m_pullup() frees the chain on failure */
			m = m_pullup(m, sizeof(*inner_ip));
			if (m == NULL)
				return;
		}
		inner_ip = mtod(m, struct ip *);
		ip_ecn_egress(ecn_mode, &outer_tos, &inner_ip->ip_tos);
		break;
	}
#endif
#ifdef INET6
	case IPPROTO_IPV6:
	{
		struct ip6_hdr *inner_ip6;
		u_int8_t inner_tos;

		inner_af = AF_INET6;
		if (M_UNWRITABLE(m, sizeof(*inner_ip6))) {
			m = m_pullup(m, sizeof(*inner_ip6));
			if (m == NULL)
				return;
		}
		inner_ip6 = mtod(m, struct ip6_hdr *);
		/* traffic class is bits 20..27 of the flow word */
		inner_tos = (ntohl(inner_ip6->ip6_flow) >> 20) & 0xff;
		ip_ecn_egress(ecn_mode, &outer_tos, &inner_tos);
		inner_ip6->ip6_flow &= ~htonl(0xff << 20);
		inner_ip6->ip6_flow |= htonl((u_int32_t)inner_tos << 20);
		break;
	}
#endif /* INET6 */
	default:
		ip_statinc(IP_STAT_NOGIF);
		m_freem(m);
		return;
	}

	gif_input(m, inner_af, gifp);
}
277 | |
/*
 * in_gif_martian_src: nonzero when the outer source address (network byte
 * order) is one that must never appear as a unicast source: multicast,
 * or a first octet of 0, 127 or 255.
 */
static int
in_gif_martian_src(in_addr_t src)
{
	int first_octet;

	if (IN_MULTICAST(src))
		return 1;
	first_octet = (ntohl(src) & 0xff000000) >> 24;
	return first_octet == 0 || first_octet == 127 || first_octet == 255;
}

/*
 * in_gif_is_local_broadcast: nonzero when the address (network byte order)
 * equals the broadcast address of a local IFF_BROADCAST interface.
 */
static int
in_gif_is_local_broadcast(in_addr_t src)
{
	struct in_ifaddr *ia4;
	int s, hit = 0;

	s = pserialize_read_enter();
	IN_ADDRLIST_READER_FOREACH(ia4) {
		if ((ia4->ia_ifa.ifa_ifp->if_flags & IFF_BROADCAST) == 0)
			continue;
		if (src == ia4->ia_broadaddr.sin_addr.s_addr) {
			hit = 1;
			break;
		}
	}
	pserialize_read_exit(s);
	return hit;
}

/*
 * in_gif_ingress_ok: ingress filter on the outer source.  Nonzero when the
 * route back to ip->ip_src leaves through ifp, the interface the packet
 * arrived on.  IFF_LINK2 on the gif interface disables the filter, and a
 * NULL ifp means there is nothing to compare against.
 */
static int
in_gif_ingress_ok(struct gif_softc *sc, const struct ip *ip,
    struct ifnet *ifp)
{
	union {
		struct sockaddr sa;
		struct sockaddr_in sin;
	} u;
	struct rtentry *rt;
	int ok;

	if ((sc->gif_if.if_flags & IFF_LINK2) != 0 || ifp == NULL)
		return 1;

	sockaddr_in_init(&u.sin, &ip->ip_src, 0);
	rt = rtalloc1(&u.sa, 0);
	if (rt == NULL)
		return 0;
	ok = (rt->rt_ifp == ifp);
	rtfree(rt);
	return ok;
}

/*
 * gif_validate4: validate the outer IPv4 header of a tunnelled packet.
 *
 * ip  - outer header, as received.
 * sc  - the gif tunnel; gif_psrc / gif_pdst must both be set by the caller.
 * ifp - interface the packet was received on, or NULL.
 *
 * Returns 0 to reject, otherwise a match score (32 bits of source plus
 * 32 bits of destination) for the encap layer.
 */
static int
gif_validate4(const struct ip *ip, struct gif_softc *sc, struct ifnet *ifp)
{
	const struct sockaddr_in *src = satosin(sc->gif_psrc);
	const struct sockaddr_in *dst = satosin(sc->gif_pdst);

	/* the outer packet must run from our peer to our own endpoint */
	if (src->sin_addr.s_addr != ip->ip_dst.s_addr ||
	    dst->sin_addr.s_addr != ip->ip_src.s_addr)
		return 0;

	/* martian filters on outer source - NOT done in ip_input! */
	if (in_gif_martian_src(ip->ip_src.s_addr))
		return 0;
	/* reject packets with broadcast on source */
	if (in_gif_is_local_broadcast(ip->ip_src.s_addr))
		return 0;
	/* ingress filters on outer source */
	if (!in_gif_ingress_ok(sc, ip, ifp))
		return 0;

	return 32 * 2;
}
340 | |
#ifdef GIF_ENCAPCHECK
/*
 * gif_encapcheck4: encap-layer match callback for IPv4 outer headers.
 *
 * we know that we are in IFF_UP, outer address available, and outer family
 * matched the physical addr family. see gif_encapcheck().
 *
 * m     - the received packet; only the leading struct ip is read.
 * off   - unused here.
 * proto - unused here.
 * arg   - the struct gif_softc registered with encap_attach_func().
 *
 * Returns the gif_validate4() score (0 rejects).
 */
int
gif_encapcheck4(struct mbuf *m, int off, int proto, void *arg)
{
	struct gif_softc *sc = arg;	/* sanity check done in caller */
	struct ip outer;
	struct ifnet *rcvif = NULL;
	struct psref psref;
	int score;

	m_copydata(m, 0, sizeof(outer), &outer);
	/* a receiving interface only exists on a packet-header mbuf */
	if ((m->m_flags & M_PKTHDR) != 0)
		rcvif = m_get_rcvif_psref(m, &psref);

	score = gif_validate4(&outer, sc, rcvif);

	m_put_rcvif_psref(rcvif, &psref);
	return score;
}
#endif
368 | |
/*
 * in_gif_attach: register the tunnel's IPv4 outer endpoints with the encap
 * layer so matching packets reach in_gif_input().
 *
 * Returns 0 on success, EINVAL when either endpoint is unset (non
 * GIF_ENCAPCHECK build), EEXIST when the encap layer refuses the attach.
 */
int
in_gif_attach(struct gif_softc *sc)
{
#ifndef GIF_ENCAPCHECK
	struct sockaddr_in mask4;

	if (sc->gif_psrc == NULL || sc->gif_pdst == NULL)
		return EINVAL;

	/* all-ones masks: only exact src/dst matches select this tunnel */
	memset(&mask4, 0, sizeof(mask4));
	mask4.sin_len = sizeof(mask4);
	mask4.sin_addr.s_addr = INADDR_BROADCAST;

	sc->encap_cookie4 = encap_attach(AF_INET, -1,
	    sc->gif_psrc, (struct sockaddr *)&mask4,
	    sc->gif_pdst, (struct sockaddr *)&mask4,
	    &in_gif_encapsw, sc);
#else
	sc->encap_cookie4 = encap_attach_func(AF_INET, -1, gif_encapcheck,
	    &in_gif_encapsw, sc);
#endif
	return sc->encap_cookie4 == NULL ? EEXIST : 0;
}
392 | |
/*
 * in_gif_detach: tear down the IPv4 side of a gif tunnel.
 *
 * Detaches from the encap layer via in_gif_pause() and drops the cached
 * route unconditionally.  Returns the in_gif_pause() result.
 */
int
in_gif_detach(struct gif_softc *sc)
{
	int rc = in_gif_pause(sc);

	rtcache_free(&sc->gif_ro);
	return rc;
}
404 | |
/*
 * in_gif_pause: detach the tunnel from the encap layer.
 *
 * The cookie is cleared only when encap_detach() succeeds, so a failed
 * detach can be retried.  Returns the encap_detach() result.
 */
int
in_gif_pause(struct gif_softc *sc)
{
	int rc = encap_detach(sc->encap_cookie4);

	if (rc != 0)
		return rc;
	sc->encap_cookie4 = NULL;
	return 0;
}
416 | |