if_enc.c revision 159969 
1/*-
2 * Copyright (c) 2006 The FreeBSD Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 *    notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 *    notice, this list of conditions and the following disclaimer in the
13 *    documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25 * SUCH DAMAGE.
26 *
27 * $FreeBSD: head/sys/net/if_enc.c 159969 2006-06-27 01:53:12Z thompsa $
28 */
29
30#include <sys/param.h>
31#include <sys/systm.h>
32#include <sys/kernel.h>
33#include <sys/malloc.h>
34#include <sys/mbuf.h>
35#include <sys/module.h>
36#include <machine/bus.h>
37#include <sys/rman.h>
38#include <sys/socket.h>
39#include <sys/sockio.h>
40#include <sys/sysctl.h>
41
42#include <net/if.h>
43#include <net/if_clone.h>
44#include <net/if_types.h>
45#include <net/pfil.h>
46#include <net/route.h>
47#include <net/netisr.h>
48#include <net/bpf.h>
49#include <net/bpfdesc.h>
50
51#include <netinet/in.h>
52#include <netinet/in_systm.h>
53#include <netinet/ip.h>
54#include <netinet/ip_var.h>
55#include <netinet/in_var.h>
56#include "opt_inet6.h"
57
58#ifdef INET6
59#include <netinet/ip6.h>
60#include <netinet6/ip6_var.h>
61#endif
62
63#include <netipsec/ipsec.h>
64
65#define ENCMTU		(1024+512)
66
67/* XXX this define must have the same value as in OpenBSD */
68#define M_CONF		0x0400	/* payload was encrypted (ESP-transport) */
69#define M_AUTH		0x0800	/* payload was authenticated (AH or ESP auth) */
70#define M_AUTH_AH	0x2000	/* header was authenticated (AH) */
71
72struct enchdr {
73	u_int32_t af;
74	u_int32_t spi;
75	u_int32_t flags;
76};
77
78static struct ifnet	*encif;
79static struct mtx	enc_mtx;
80
81struct enc_softc {
82	struct	ifnet *sc_ifp;
83};
84
85static int	enc_ioctl(struct ifnet *, u_long, caddr_t);
86static int	enc_output(struct ifnet *ifp, struct mbuf *m,
87		    struct sockaddr *dst, struct rtentry *rt);
88static int	enc_clone_create(struct if_clone *, int);
89static void	enc_clone_destroy(struct ifnet *);
90
91IFC_SIMPLE_DECLARE(enc, 1);
92
93static void
94enc_clone_destroy(struct ifnet *ifp)
95{
96
97	KASSERT(encif == ifp, ("%s: unknown ifnet", __func__));
98
99	mtx_lock(&enc_mtx);
100	encif = NULL;
101	mtx_unlock(&enc_mtx);
102
103	bpfdetach(ifp);
104	if_detach(ifp);
105	if_free(ifp);
106
107}
108
109static int
110enc_clone_create(struct if_clone *ifc, int unit)
111{
112	struct ifnet *ifp;
113	struct enc_softc *sc;
114
115	mtx_lock(&enc_mtx);
116	if (encif != NULL)
117		return (EBUSY);
118	mtx_unlock(&enc_mtx);
119
120	sc = malloc(sizeof(*sc), M_DEVBUF, M_WAITOK|M_ZERO);
121	ifp = sc->sc_ifp = if_alloc(IFT_ENC);
122	if (ifp == NULL) {
123		free(sc, M_DEVBUF);
124		return (ENOSPC);
125	}
126
127	if_initname(ifp, ifc->ifc_name, unit);
128	ifp->if_mtu = ENCMTU;
129	ifp->if_ioctl = enc_ioctl;
130	ifp->if_output = enc_output;
131	ifp->if_snd.ifq_maxlen = ifqmaxlen;
132	ifp->if_softc = sc;
133	if_attach(ifp);
134	bpfattach(ifp, DLT_ENC, sizeof(struct enchdr));
135
136	mtx_lock(&enc_mtx);
137	encif = ifp;
138	mtx_unlock(&enc_mtx);
139
140	return (0);
141}
142
143static int
144enc_modevent(module_t mod, int type, void *data)
145{
146	switch (type) {
147	case MOD_LOAD:
148		mtx_init(&enc_mtx, "enc mtx", NULL, MTX_DEF);
149		if_clone_attach(&enc_cloner);
150		break;
151	case MOD_UNLOAD:
152		printf("enc module unload - not possible for this module\n");
153		return (EINVAL);
154	default:
155		return (EOPNOTSUPP);
156	}
157	return (0);
158}
159
160static moduledata_t enc_mod = {
161	"enc",
162	enc_modevent,
163	0
164};
165
166DECLARE_MODULE(enc, enc_mod, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY);
167
168static int
169enc_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
170    struct rtentry *rt)
171{
172	m_freem(m);
173	return (0);
174}
175
176/*
177 * Process an ioctl request.
178 */
179/* ARGSUSED */
180static int
181enc_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
182{
183	int error = 0;
184
185	switch (cmd) {
186
187	case SIOCSIFFLAGS:
188		if (ifp->if_flags & IFF_UP)
189			ifp->if_drv_flags |= IFF_DRV_RUNNING;
190		else
191			ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
192
193		break;
194
195	default:
196		error = EINVAL;
197	}
198	return (error);
199}
200
201int
202ipsec_filter(struct mbuf **mp, int dir)
203{
204	int error, i;
205	struct ip *ip;
206
207	mtx_lock(&enc_mtx);
208	if (encif == NULL || (encif->if_drv_flags & IFF_DRV_RUNNING) == 0) {
209		mtx_unlock(&enc_mtx);
210		return (0);
211	}
212
213	/* Skip pfil(9) if no filters are loaded */
214	if (!(PFIL_HOOKED(&inet_pfil_hook)
215#ifdef INET6
216	    || PFIL_HOOKED(&inet6_pfil_hook)
217#endif
218	    )) {
219		mtx_unlock(&enc_mtx);
220		return (0);
221	}
222
223	i = min((*mp)->m_pkthdr.len, max_protohdr);
224	if ((*mp)->m_len < i) {
225		*mp = m_pullup(*mp, i);
226		if (*mp == NULL) {
227			printf("%s: m_pullup failed\n", __func__);
228			mtx_unlock(&enc_mtx);
229			return (-1);
230		}
231	}
232
233	error = 0;
234	ip = mtod(*mp, struct ip *);
235	switch (ip->ip_v) {
236		case 4:
237			/*
238			 * before calling the firewall, swap fields the same as
239			 * IP does. here we assume the header is contiguous
240			 */
241			ip->ip_len = ntohs(ip->ip_len);
242			ip->ip_off = ntohs(ip->ip_off);
243
244			error = pfil_run_hooks(&inet_pfil_hook, mp,
245			    encif, dir, NULL);
246
247			if (*mp == NULL || error != 0)
248				break;
249
250			/* restore byte ordering */
251			ip = mtod(*mp, struct ip *);
252			ip->ip_len = htons(ip->ip_len);
253			ip->ip_off = htons(ip->ip_off);
254			break;
255
256#ifdef INET6
257		case 6:
258			error = pfil_run_hooks(&inet6_pfil_hook, mp,
259			    encif, dir, NULL);
260			break;
261#endif
262		default:
263			printf("%s: unknown IP version\n", __func__);
264	}
265
266	mtx_unlock(&enc_mtx);
267	if (*mp == NULL)
268		return (error);
269	if (error != 0)
270		goto bad;
271
272	return (error);
273
274bad:
275	mtx_unlock(&enc_mtx);
276	m_freem(*mp);
277	*mp = NULL;
278	return (error);
279}
280
281void
282ipsec_bpf(struct mbuf *m, struct secasvar *sav, int af)
283{
284	int flags;
285	struct enchdr hdr;
286
287	KASSERT(sav != NULL, ("%s: sav is null", __func__));
288
289	mtx_lock(&enc_mtx);
290	if (encif == NULL || (encif->if_drv_flags & IFF_DRV_RUNNING) == 0) {
291		mtx_unlock(&enc_mtx);
292		return;
293	}
294
295	if (encif->if_bpf) {
296		flags = 0;
297		if (sav->alg_enc != SADB_EALG_NONE)
298			flags |= M_CONF;
299		if (sav->alg_auth != SADB_AALG_NONE)
300			flags |= M_AUTH;
301
302		/*
303		 * We need to prepend the address family as a four byte
304		 * field.  Cons up a dummy header to pacify bpf.  This
305		 * is safe because bpf will only read from the mbuf
306		 * (i.e., it won't try to free it or keep a pointer a
307		 * to it).
308		 */
309		hdr.af = af;
310		hdr.spi = sav->spi;
311		hdr.flags = flags;
312
313		bpf_mtap2(encif->if_bpf, &hdr, sizeof(hdr), m);
314	}
315	mtx_unlock(&enc_mtx);
316}
317