1/* $NetBSD: in_gif.c,v 1.83 2016/08/18 11:34:09 knakahara Exp $ */
2/* $KAME: in_gif.c,v 1.66 2001/07/29 04:46:09 itojun Exp $ */
3
4/*
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33#include <sys/cdefs.h>
34__KERNEL_RCSID(0, "$NetBSD: in_gif.c,v 1.83 2016/08/18 11:34:09 knakahara Exp $");
35
36#ifdef _KERNEL_OPT
37#include "opt_inet.h"
38#endif
39
40#include <sys/param.h>
41#include <sys/systm.h>
42#include <sys/socket.h>
43#include <sys/sockio.h>
44#include <sys/mbuf.h>
45#include <sys/errno.h>
46#include <sys/ioctl.h>
47#include <sys/syslog.h>
48#include <sys/kernel.h>
49
50#include <net/if.h>
51#include <net/route.h>
52
53#include <netinet/in.h>
54#include <netinet/in_systm.h>
55#include <netinet/ip.h>
56#include <netinet/ip_var.h>
57#include <netinet/in_gif.h>
58#include <netinet/in_var.h>
59#include <netinet/ip_encap.h>
60#include <netinet/ip_ecn.h>
61
62#ifdef INET6
63#include <netinet/ip6.h>
64#endif
65
66#include <net/if_gif.h>
67
68#include <net/net_osdep.h>
69
70static int gif_validate4(const struct ip *, struct gif_softc *,
71 struct ifnet *);
72
73int ip_gif_ttl = GIF_TTL;
74
75static const struct encapsw in_gif_encapsw = {
76 .encapsw4 = {
77 .pr_input = in_gif_input,
78 .pr_ctlinput = NULL,
79 }
80};
81
82int
83in_gif_output(struct ifnet *ifp, int family, struct mbuf *m)
84{
85 struct rtentry *rt;
86 struct gif_softc *sc = ifp->if_softc;
87 struct sockaddr_in *sin_src = satosin(sc->gif_psrc);
88 struct sockaddr_in *sin_dst = satosin(sc->gif_pdst);
89 struct ip iphdr; /* capsule IP header, host byte ordered */
90 int proto, error;
91 u_int8_t tos;
92 union {
93 struct sockaddr dst;
94 struct sockaddr_in dst4;
95 } u;
96
97 if (sin_src == NULL || sin_dst == NULL ||
98 sin_src->sin_family != AF_INET ||
99 sin_dst->sin_family != AF_INET) {
100 m_freem(m);
101 return EAFNOSUPPORT;
102 }
103
104 switch (family) {
105#ifdef INET
106 case AF_INET:
107 {
108 const struct ip *ip;
109
110 proto = IPPROTO_IPV4;
111 if (m->m_len < sizeof(*ip)) {
112 m = m_pullup(m, sizeof(*ip));
113 if (m == NULL)
114 return ENOBUFS;
115 }
116 ip = mtod(m, const struct ip *);
117 tos = ip->ip_tos;
118 break;
119 }
120#endif /* INET */
121#ifdef INET6
122 case AF_INET6:
123 {
124 const struct ip6_hdr *ip6;
125 proto = IPPROTO_IPV6;
126 if (m->m_len < sizeof(*ip6)) {
127 m = m_pullup(m, sizeof(*ip6));
128 if (m == NULL)
129 return ENOBUFS;
130 }
131 ip6 = mtod(m, const struct ip6_hdr *);
132 tos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
133 break;
134 }
135#endif /* INET6 */
136 default:
137#ifdef DEBUG
138 printf("in_gif_output: warning: unknown family %d passed\n",
139 family);
140#endif
141 m_freem(m);
142 return EAFNOSUPPORT;
143 }
144
145 memset(&iphdr, 0, sizeof(iphdr));
146 iphdr.ip_src = sin_src->sin_addr;
147 /* bidirectional configured tunnel mode */
148 if (sin_dst->sin_addr.s_addr != INADDR_ANY)
149 iphdr.ip_dst = sin_dst->sin_addr;
150 else {
151 m_freem(m);
152 return ENETUNREACH;
153 }
154 iphdr.ip_p = proto;
155 /* version will be set in ip_output() */
156 iphdr.ip_ttl = ip_gif_ttl;
157 iphdr.ip_len = htons(m->m_pkthdr.len + sizeof(struct ip));
158 if (ifp->if_flags & IFF_LINK1)
159 ip_ecn_ingress(ECN_ALLOWED, &iphdr.ip_tos, &tos);
160 else
161 ip_ecn_ingress(ECN_NOCARE, &iphdr.ip_tos, &tos);
162
163 /* prepend new IP header */
164 M_PREPEND(m, sizeof(struct ip), M_DONTWAIT);
165 /* XXX Is m_pullup really necessary after M_PREPEND? */
166 if (m != NULL && M_UNWRITABLE(m, sizeof(struct ip)))
167 m = m_pullup(m, sizeof(struct ip));
168 if (m == NULL)
169 return ENOBUFS;
170 bcopy(&iphdr, mtod(m, struct ip *), sizeof(struct ip));
171
172 sockaddr_in_init(&u.dst4, &sin_dst->sin_addr, 0);
173 if ((rt = rtcache_lookup(&sc->gif_ro, &u.dst)) == NULL) {
174 m_freem(m);
175 return ENETUNREACH;
176 }
177
178 /* If the route constitutes infinite encapsulation, punt. */
179 if (rt->rt_ifp == ifp) {
180 rtcache_free(&sc->gif_ro);
181 m_freem(m);
182 return ENETUNREACH; /*XXX*/
183 }
184
185 error = ip_output(m, NULL, &sc->gif_ro, 0, NULL, NULL);
186 return (error);
187}
188
189void
190in_gif_input(struct mbuf *m, int off, int proto)
191{
192 struct ifnet *gifp = NULL;
193 const struct ip *ip;
194 int af;
195 u_int8_t otos;
196
197 ip = mtod(m, const struct ip *);
198
199 gifp = (struct ifnet *)encap_getarg(m);
200
201 if (gifp == NULL || (gifp->if_flags & (IFF_UP|IFF_RUNNING))
202 != (IFF_UP|IFF_RUNNING)) {
203 m_freem(m);
204 ip_statinc(IP_STAT_NOGIF);
205 return;
206 }
207#ifndef GIF_ENCAPCHECK
208 struct gif_softc *sc = (struct gif_softc *)gifp->if_softc;
209 /* other CPU do delete_tunnel */
210 if (sc->gif_psrc == NULL || sc->gif_pdst == NULL) {
211 m_freem(m);
212 ip_statinc(IP_STAT_NOGIF);
213 return;
214 }
215
216 struct ifnet *rcvif;
217 struct psref psref;
218 rcvif = m_get_rcvif_psref(m, &psref);
219 if (!gif_validate4(ip, sc, rcvif)) {
220 m_put_rcvif_psref(rcvif, &psref);
221 m_freem(m);
222 ip_statinc(IP_STAT_NOGIF);
223 return;
224 }
225 m_put_rcvif_psref(rcvif, &psref);
226#endif
227 otos = ip->ip_tos;
228 m_adj(m, off);
229
230 switch (proto) {
231#ifdef INET
232 case IPPROTO_IPV4:
233 {
234 struct ip *xip;
235 af = AF_INET;
236 if (M_UNWRITABLE(m, sizeof(*xip))) {
237 if ((m = m_pullup(m, sizeof(*xip))) == NULL)
238 return;
239 }
240 xip = mtod(m, struct ip *);
241 if (gifp->if_flags & IFF_LINK1)
242 ip_ecn_egress(ECN_ALLOWED, &otos, &xip->ip_tos);
243 else
244 ip_ecn_egress(ECN_NOCARE, &otos, &xip->ip_tos);
245 break;
246 }
247#endif
248#ifdef INET6
249 case IPPROTO_IPV6:
250 {
251 struct ip6_hdr *ip6;
252 u_int8_t itos;
253 af = AF_INET6;
254 if (M_UNWRITABLE(m, sizeof(*ip6))) {
255 if ((m = m_pullup(m, sizeof(*ip6))) == NULL)
256 return;
257 }
258 ip6 = mtod(m, struct ip6_hdr *);
259 itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
260 if (gifp->if_flags & IFF_LINK1)
261 ip_ecn_egress(ECN_ALLOWED, &otos, &itos);
262 else
263 ip_ecn_egress(ECN_NOCARE, &otos, &itos);
264 ip6->ip6_flow &= ~htonl(0xff << 20);
265 ip6->ip6_flow |= htonl((u_int32_t)itos << 20);
266 break;
267 }
268#endif /* INET6 */
269 default:
270 ip_statinc(IP_STAT_NOGIF);
271 m_freem(m);
272 return;
273 }
274 gif_input(m, af, gifp);
275 return;
276}
277
278/*
279 * validate outer address.
280 */
281static int
282gif_validate4(const struct ip *ip, struct gif_softc *sc, struct ifnet *ifp)
283{
284 struct sockaddr_in *src, *dst;
285 struct in_ifaddr *ia4;
286 int s;
287
288 src = satosin(sc->gif_psrc);
289 dst = satosin(sc->gif_pdst);
290
291 /* check for address match */
292 if (src->sin_addr.s_addr != ip->ip_dst.s_addr ||
293 dst->sin_addr.s_addr != ip->ip_src.s_addr)
294 return 0;
295
296 /* martian filters on outer source - NOT done in ip_input! */
297 if (IN_MULTICAST(ip->ip_src.s_addr))
298 return 0;
299 switch ((ntohl(ip->ip_src.s_addr) & 0xff000000) >> 24) {
300 case 0: case 127: case 255:
301 return 0;
302 }
303 /* reject packets with broadcast on source */
304 s = pserialize_read_enter();
305 IN_ADDRLIST_READER_FOREACH(ia4) {
306 if ((ia4->ia_ifa.ifa_ifp->if_flags & IFF_BROADCAST) == 0)
307 continue;
308 if (ip->ip_src.s_addr == ia4->ia_broadaddr.sin_addr.s_addr) {
309 pserialize_read_exit(s);
310 return 0;
311 }
312 }
313 pserialize_read_exit(s);
314
315 /* ingress filters on outer source */
316 if ((sc->gif_if.if_flags & IFF_LINK2) == 0 && ifp) {
317 union {
318 struct sockaddr sa;
319 struct sockaddr_in sin;
320 } u;
321 struct rtentry *rt;
322
323 sockaddr_in_init(&u.sin, &ip->ip_src, 0);
324 rt = rtalloc1(&u.sa, 0);
325 if (rt == NULL || rt->rt_ifp != ifp) {
326#if 0
327 log(LOG_WARNING, "%s: packet from 0x%x dropped "
328 "due to ingress filter\n", if_name(&sc->gif_if),
329 (u_int32_t)ntohl(u.sin.sin_addr.s_addr));
330#endif
331 if (rt != NULL)
332 rtfree(rt);
333 return 0;
334 }
335 rtfree(rt);
336 }
337
338 return 32 * 2;
339}
340
341#ifdef GIF_ENCAPCHECK
342/*
343 * we know that we are in IFF_UP, outer address available, and outer family
344 * matched the physical addr family. see gif_encapcheck().
345 */
346int
347gif_encapcheck4(struct mbuf *m, int off, int proto, void *arg)
348{
349 struct ip ip;
350 struct gif_softc *sc;
351 struct ifnet *ifp = NULL;
352 int r;
353 struct psref psref;
354
355 /* sanity check done in caller */
356 sc = arg;
357
358 m_copydata(m, 0, sizeof(ip), &ip);
359 if ((m->m_flags & M_PKTHDR) != 0)
360 ifp = m_get_rcvif_psref(m, &psref);
361
362 r = gif_validate4(&ip, sc, ifp);
363
364 m_put_rcvif_psref(ifp, &psref);
365 return r;
366}
367#endif
368
369int
370in_gif_attach(struct gif_softc *sc)
371{
372#ifndef GIF_ENCAPCHECK
373 struct sockaddr_in mask4;
374
375 memset(&mask4, 0, sizeof(mask4));
376 mask4.sin_len = sizeof(struct sockaddr_in);
377 mask4.sin_addr.s_addr = ~0;
378
379 if (!sc->gif_psrc || !sc->gif_pdst)
380 return EINVAL;
381 sc->encap_cookie4 = encap_attach(AF_INET, -1, sc->gif_psrc,
382 (struct sockaddr *)&mask4, sc->gif_pdst, (struct sockaddr *)&mask4,
383 &in_gif_encapsw, sc);
384#else
385 sc->encap_cookie4 = encap_attach_func(AF_INET, -1, gif_encapcheck,
386 &in_gif_encapsw, sc);
387#endif
388 if (sc->encap_cookie4 == NULL)
389 return EEXIST;
390 return 0;
391}
392
393int
394in_gif_detach(struct gif_softc *sc)
395{
396 int error;
397
398 error = in_gif_pause(sc);
399
400 rtcache_free(&sc->gif_ro);
401
402 return error;
403}
404
405int
406in_gif_pause(struct gif_softc *sc)
407{
408 int error;
409
410 error = encap_detach(sc->encap_cookie4);
411 if (error == 0)
412 sc->encap_cookie4 = NULL;
413
414 return error;
415}
416