if_enc.c revision 160233
1/*- 2 * Copyright (c) 2006 The FreeBSD Project. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25 * SUCH DAMAGE. 26 * 27 * $FreeBSD: head/sys/net/if_enc.c 160233 2006-07-10 05:24:06Z thompsa $ 28 */ 29 30#include <sys/param.h> 31#include <sys/systm.h> 32#include <sys/kernel.h> 33#include <sys/malloc.h> 34#include <sys/mbuf.h> 35#include <sys/module.h> 36#include <machine/bus.h> 37#include <sys/rman.h> 38#include <sys/socket.h> 39#include <sys/sockio.h> 40#include <sys/sysctl.h> 41 42#include <net/if.h> 43#include <net/if_clone.h> 44#include <net/if_types.h> 45#include <net/pfil.h> 46#include <net/route.h> 47#include <net/netisr.h> 48#include <net/bpf.h> 49#include <net/bpfdesc.h> 50 51#include <netinet/in.h> 52#include <netinet/in_systm.h> 53#include <netinet/ip.h> 54#include <netinet/ip_var.h> 55#include <netinet/in_var.h> 56#include "opt_inet6.h" 57 58#ifdef INET6 59#include <netinet/ip6.h> 60#include <netinet6/ip6_var.h> 61#endif 62 63#include <netipsec/ipsec.h> 64 65#define ENCMTU (1024+512) 66 67/* XXX this define must have the same value as in OpenBSD */ 68#define M_CONF 0x0400 /* payload was encrypted (ESP-transport) */ 69#define M_AUTH 0x0800 /* payload was authenticated (AH or ESP auth) */ 70#define M_AUTH_AH 0x2000 /* header was authenticated (AH) */ 71 72struct enchdr { 73 u_int32_t af; 74 u_int32_t spi; 75 u_int32_t flags; 76}; 77 78static struct ifnet *encif; 79static struct mtx enc_mtx; 80 81struct enc_softc { 82 struct ifnet *sc_ifp; 83}; 84 85static int enc_ioctl(struct ifnet *, u_long, caddr_t); 86static int enc_output(struct ifnet *ifp, struct mbuf *m, 87 struct sockaddr *dst, struct rtentry *rt); 88static int enc_clone_create(struct if_clone *, int, caddr_t); 89static void enc_clone_destroy(struct ifnet *); 90 91IFC_SIMPLE_DECLARE(enc, 1); 92 93static void 94enc_clone_destroy(struct ifnet *ifp) 95{ 96 KASSERT(ifp != encif, ("%s: destroying encif", __func__)); 97 98 bpfdetach(ifp); 99 if_detach(ifp); 100 if_free(ifp); 101} 102 103static int 104enc_clone_create(struct if_clone *ifc, int unit, caddr_t params) 105{ 106 struct ifnet *ifp; 107 struct enc_softc *sc; 108 109 sc = malloc(sizeof(*sc), M_DEVBUF, M_WAITOK|M_ZERO); 110 ifp = sc->sc_ifp = if_alloc(IFT_ENC); 111 if (ifp == NULL) { 112 free(sc, M_DEVBUF); 113 return (ENOSPC); 114 } 115 116 if_initname(ifp, ifc->ifc_name, unit); 117 ifp->if_mtu = ENCMTU; 118 ifp->if_ioctl = enc_ioctl; 119 ifp->if_output = enc_output; 120 ifp->if_snd.ifq_maxlen = ifqmaxlen; 121 ifp->if_softc = sc; 122 if_attach(ifp); 123 bpfattach(ifp, DLT_ENC, sizeof(struct enchdr)); 124 125 mtx_lock(&enc_mtx); 126 /* grab a pointer to enc0, ignore the rest */ 127 if (encif == NULL) 128 encif = ifp; 129 mtx_unlock(&enc_mtx); 130 131 return (0); 132} 133 134static int 135enc_modevent(module_t mod, int type, void *data) 136{ 137 switch (type) { 138 case MOD_LOAD: 139 mtx_init(&enc_mtx, "enc mtx", NULL, MTX_DEF); 140 if_clone_attach(&enc_cloner); 141 break; 142 case MOD_UNLOAD: 143 printf("enc module unload - not possible for this module\n"); 144 return (EINVAL); 145 default: 146 return (EOPNOTSUPP); 147 } 148 return (0); 149} 150 151static moduledata_t enc_mod = { 152 "enc", 153 enc_modevent, 154 0 155}; 156 157DECLARE_MODULE(enc, enc_mod, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY); 158 159static int 160enc_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst, 161 struct rtentry *rt) 162{ 163 m_freem(m); 164 return (0); 165} 166 167/* 168 * Process an ioctl request. 169 */ 170/* ARGSUSED */ 171static int 172enc_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) 173{ 174 int error = 0; 175 176 mtx_lock(&enc_mtx); 177 178 switch (cmd) { 179 180 case SIOCSIFFLAGS: 181 if (ifp->if_flags & IFF_UP) 182 ifp->if_drv_flags |= IFF_DRV_RUNNING; 183 else 184 ifp->if_drv_flags &= ~IFF_DRV_RUNNING; 185 186 break; 187 188 default: 189 error = EINVAL; 190 } 191 192 mtx_unlock(&enc_mtx); 193 return (error); 194} 195 196int 197ipsec_filter(struct mbuf **mp, int dir) 198{ 199 int error, i; 200 struct ip *ip; 201 202 KASSERT(encif != NULL, ("%s: encif is null", __func__)); 203 204 if ((encif->if_drv_flags & IFF_DRV_RUNNING) == 0) 205 return (0); 206 207 /* Skip pfil(9) if no filters are loaded */ 208 if (!(PFIL_HOOKED(&inet_pfil_hook) 209#ifdef INET6 210 || PFIL_HOOKED(&inet6_pfil_hook) 211#endif 212 )) { 213 return (0); 214 } 215 216 i = min((*mp)->m_pkthdr.len, max_protohdr); 217 if ((*mp)->m_len < i) { 218 *mp = m_pullup(*mp, i); 219 if (*mp == NULL) { 220 printf("%s: m_pullup failed\n", __func__); 221 return (-1); 222 } 223 } 224 225 error = 0; 226 ip = mtod(*mp, struct ip *); 227 switch (ip->ip_v) { 228 case 4: 229 /* 230 * before calling the firewall, swap fields the same as 231 * IP does. here we assume the header is contiguous 232 */ 233 ip->ip_len = ntohs(ip->ip_len); 234 ip->ip_off = ntohs(ip->ip_off); 235 236 error = pfil_run_hooks(&inet_pfil_hook, mp, 237 encif, dir, NULL); 238 239 if (*mp == NULL || error != 0) 240 break; 241 242 /* restore byte ordering */ 243 ip = mtod(*mp, struct ip *); 244 ip->ip_len = htons(ip->ip_len); 245 ip->ip_off = htons(ip->ip_off); 246 break; 247 248#ifdef INET6 249 case 6: 250 error = pfil_run_hooks(&inet6_pfil_hook, mp, 251 encif, dir, NULL); 252 break; 253#endif 254 default: 255 printf("%s: unknown IP version\n", __func__); 256 } 257 258 if (*mp == NULL) 259 return (error); 260 if (error != 0) 261 goto bad; 262 263 return (error); 264 265bad: 266 m_freem(*mp); 267 *mp = NULL; 268 return (error); 269} 270 271void 272ipsec_bpf(struct mbuf *m, struct secasvar *sav, int af) 273{ 274 int flags; 275 struct enchdr hdr; 276 277 KASSERT(encif != NULL, ("%s: encif is null", __func__)); 278 KASSERT(sav != NULL, ("%s: sav is null", __func__)); 279 280 if ((encif->if_drv_flags & IFF_DRV_RUNNING) == 0) 281 return; 282 283 if (encif->if_bpf) { 284 flags = 0; 285 if (sav->alg_enc != SADB_EALG_NONE) 286 flags |= M_CONF; 287 if (sav->alg_auth != SADB_AALG_NONE) 288 flags |= M_AUTH; 289 290 /* 291 * We need to prepend the address family as a four byte 292 * field. Cons up a dummy header to pacify bpf. This 293 * is safe because bpf will only read from the mbuf 294 * (i.e., it won't try to free it or keep a pointer a 295 * to it). 296 */ 297 hdr.af = af; 298 hdr.spi = sav->spi; 299 hdr.flags = flags; 300 301 bpf_mtap2(encif->if_bpf, &hdr, sizeof(hdr), m); 302 } 303} 304