sys/netinet6/in6_gif.c

18334Speter/*-
90075Sobrien * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
169689Skan * All rights reserved.
169689Skan *
18334Speter * Redistribution and use in source and binary forms, with or without
90075Sobrien * modification, are permitted provided that the following conditions
18334Speter * are met:
90075Sobrien * 1. Redistributions of source code must retain the above copyright
90075Sobrien *    notice, this list of conditions and the following disclaimer.
90075Sobrien * 2. Redistributions in binary form must reproduce the above copyright
90075Sobrien *    notice, this list of conditions and the following disclaimer in the
18334Speter *    documentation and/or other materials provided with the distribution.
90075Sobrien * 3. Neither the name of the project nor the names of its contributors
90075Sobrien *    may be used to endorse or promote products derived from this software
90075Sobrien *    without specific prior written permission.
90075Sobrien *
18334Speter * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18334Speter * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
90075Sobrien * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
169689Skan * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
169689Skan * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18334Speter * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
169689Skan * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
169689Skan * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
169689Skan * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
169689Skan * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
169689Skan * SUCH DAMAGE.
169689Skan *
169689Skan *	$KAME: in6_gif.c,v 1.49 2001/05/14 14:02:17 itojun Exp $
169689Skan */
169689Skan
169689Skan#include <sys/cdefs.h>
169689Skan__FBSDID("$FreeBSD: head/sys/netinet6/in6_gif.c 189494 2009-03-07 19:08:58Z marius $");
169689Skan
169689Skan#include "opt_inet.h"
169689Skan#include "opt_inet6.h"
169689Skan
18334Speter#include <sys/param.h>
18334Speter#include <sys/systm.h>
18334Speter#include <sys/socket.h>
18334Speter#include <sys/sockio.h>
18334Speter#include <sys/mbuf.h>
18334Speter#include <sys/errno.h>
117395Skan#include <sys/queue.h>
169689Skan#include <sys/syslog.h>
18334Speter#include <sys/protosw.h>
18334Speter#include <sys/malloc.h>
18334Speter#include <sys/vimage.h>
50397Sobrien
117395Skan#include <net/if.h>
117395Skan#include <net/route.h>
117395Skan
169689Skan#include <netinet/in.h>
117395Skan#include <netinet/in_systm.h>
117395Skan#ifdef INET
18334Speter#include <netinet/ip.h>
52284Sobrien#endif
52284Sobrien#include <netinet/ip_encap.h>
52284Sobrien#ifdef INET6
52284Sobrien#include <netinet/ip6.h>
52284Sobrien#include <netinet6/ip6_var.h>
52284Sobrien#include <netinet6/in6_gif.h>
52284Sobrien#include <netinet6/in6_var.h>
18334Speter#endif
132718Skan#include <netinet6/ip6protosw.h>
169689Skan#include <netinet/ip_ecn.h>
132718Skan#ifdef INET6
132718Skan#include <netinet6/ip6_ecn.h>
169689Skan#include <netinet6/vinet6.h>
132718Skan#endif
132718Skan
132718Skan#include <net/if_gif.h>
132718Skan
132718Skanstatic int gif_validate6(const struct ip6_hdr *, struct gif_softc *,
132718Skan			 struct ifnet *);
132718Skan
132718Skanextern  struct domain inet6domain;
169689Skanstruct ip6protosw in6_gif_protosw = {
132718Skan	.pr_type =	SOCK_RAW,
132718Skan	.pr_domain =	&inet6domain,
169689Skan	.pr_protocol =	0,			/* IPPROTO_IPV[46] */
132718Skan	.pr_flags =	PR_ATOMIC|PR_ADDR,
132718Skan	.pr_input =	in6_gif_input,
132718Skan	.pr_output =	rip6_output,
132718Skan	.pr_ctloutput =	rip6_ctloutput,
132718Skan	.pr_usrreqs =	&rip6_usrreqs
132718Skan};
132718Skan
132718Skanint
132718Skanin6_gif_output(struct ifnet *ifp,
18334Speter    int family,			/* family of the packet to be encapsulate */
90075Sobrien    struct mbuf *m)
90075Sobrien{
90075Sobrien	INIT_VNET_GIF(ifp->if_vnet);
18334Speter	struct gif_softc *sc = ifp->if_softc;
18334Speter	struct sockaddr_in6 *dst = (struct sockaddr_in6 *)&sc->gif_ro6.ro_dst;
18334Speter	struct sockaddr_in6 *sin6_src = (struct sockaddr_in6 *)sc->gif_psrc;
50397Sobrien	struct sockaddr_in6 *sin6_dst = (struct sockaddr_in6 *)sc->gif_pdst;
18334Speter	struct ip6_hdr *ip6;
18334Speter	struct etherip_header eiphdr;
18334Speter	int error, len, proto;
132718Skan	u_int8_t itos, otos;
132718Skan
132718Skan	GIF_LOCK_ASSERT(sc);
132718Skan
132718Skan	if (sin6_src == NULL || sin6_dst == NULL ||
132718Skan	    sin6_src->sin6_family != AF_INET6 ||
132718Skan	    sin6_dst->sin6_family != AF_INET6) {
132718Skan		m_freem(m);
132718Skan		return EAFNOSUPPORT;
132718Skan	}
132718Skan
132718Skan	switch (family) {
132718Skan#ifdef INET
132718Skan	case AF_INET:
132718Skan	    {
132718Skan		struct ip *ip;
132718Skan
132718Skan		proto = IPPROTO_IPV4;
169689Skan		if (m->m_len < sizeof(*ip)) {
169689Skan			m = m_pullup(m, sizeof(*ip));
132718Skan			if (!m)
132718Skan				return ENOBUFS;
18334Speter		}
18334Speter		ip = mtod(m, struct ip *);
169689Skan		itos = ip->ip_tos;
169689Skan		break;
169689Skan	    }
169689Skan#endif
169689Skan#ifdef INET6
169689Skan	case AF_INET6:
169689Skan	    {
169689Skan		struct ip6_hdr *ip6;
169689Skan		proto = IPPROTO_IPV6;
169689Skan		if (m->m_len < sizeof(*ip6)) {
96263Sobrien			m = m_pullup(m, sizeof(*ip6));
18334Speter			if (!m)
169689Skan				return ENOBUFS;
169689Skan		}
169689Skan		ip6 = mtod(m, struct ip6_hdr *);
169689Skan		itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
169689Skan		break;
169689Skan	    }
169689Skan#endif
169689Skan	case AF_LINK:
169689Skan		proto = IPPROTO_ETHERIP;
169689Skan		eiphdr.eip_ver = ETHERIP_VERSION & ETHERIP_VER_VERS_MASK;
169689Skan		eiphdr.eip_pad = 0;
96263Sobrien		/* prepend Ethernet-in-IP header */
18334Speter		M_PREPEND(m, sizeof(struct etherip_header), M_DONTWAIT);
90075Sobrien		if (m && m->m_len < sizeof(struct etherip_header))
90075Sobrien			m = m_pullup(m, sizeof(struct etherip_header));
90075Sobrien		if (m == NULL)
90075Sobrien			return ENOBUFS;
169689Skan		bcopy(&eiphdr, mtod(m, struct etherip_header *),
96263Sobrien		    sizeof(struct etherip_header));
90075Sobrien		break;
18334Speter
90075Sobrien	default:
90075Sobrien#ifdef DEBUG
169689Skan		printf("in6_gif_output: warning: unknown family %d passed\n",
18334Speter			family);
18334Speter#endif
18334Speter		m_freem(m);
18334Speter		return EAFNOSUPPORT;
18334Speter	}
132718Skan
18334Speter	/* prepend new IP header */
18334Speter	len = sizeof(struct ip6_hdr);
18334Speter#ifndef __NO_STRICT_ALIGNMENT
18334Speter	if (family == AF_LINK)
18334Speter		len += ETHERIP_ALIGN;
18334Speter#endif
18334Speter	M_PREPEND(m, len, M_DONTWAIT);
132718Skan	if (m != NULL && m->m_len < len)
132718Skan		m = m_pullup(m, len);
132718Skan	if (m == NULL) {
132718Skan		printf("ENOBUFS in in6_gif_output %d\n", __LINE__);
18334Speter		return ENOBUFS;
18334Speter	}
18334Speter#ifndef __NO_STRICT_ALIGNMENT
18334Speter	if (family == AF_LINK) {
18334Speter		len = mtod(m, vm_offset_t) & 3;
117395Skan		KASSERT(len == 0 || len == ETHERIP_ALIGN,
18334Speter		    ("in6_gif_output: unexpected misalignment"));
18334Speter		m->m_data += len;
18334Speter		m->m_len -= ETHERIP_ALIGN;
18334Speter	}
50397Sobrien#endif
50397Sobrien
50397Sobrien	ip6 = mtod(m, struct ip6_hdr *);
50397Sobrien	ip6->ip6_flow	= 0;
50397Sobrien	ip6->ip6_vfc	&= ~IPV6_VERSION_MASK;
50397Sobrien	ip6->ip6_vfc	|= IPV6_VERSION;
50397Sobrien	ip6->ip6_plen	= htons((u_short)m->m_pkthdr.len);
50397Sobrien	ip6->ip6_nxt	= proto;
50397Sobrien	ip6->ip6_hlim	= V_ip6_gif_hlim;
50397Sobrien	ip6->ip6_src	= sin6_src->sin6_addr;
50397Sobrien	/* bidirectional configured tunnel mode */
50397Sobrien	if (!IN6_IS_ADDR_UNSPECIFIED(&sin6_dst->sin6_addr))
50397Sobrien		ip6->ip6_dst = sin6_dst->sin6_addr;
50397Sobrien	else  {
50397Sobrien		m_freem(m);
50397Sobrien		return ENETUNREACH;
50397Sobrien	}
50397Sobrien	ip_ecn_ingress((ifp->if_flags & IFF_LINK1) ? ECN_ALLOWED : ECN_NOCARE,
50397Sobrien		       &otos, &itos);
50397Sobrien	ip6->ip6_flow &= ~htonl(0xff << 20);
50397Sobrien	ip6->ip6_flow |= htonl((u_int32_t)otos << 20);
50397Sobrien
50397Sobrien	if (dst->sin6_family != sin6_dst->sin6_family ||
50397Sobrien	     !IN6_ARE_ADDR_EQUAL(&dst->sin6_addr, &sin6_dst->sin6_addr)) {
50397Sobrien		/* cache route doesn't match */
50397Sobrien		bzero(dst, sizeof(*dst));
50397Sobrien		dst->sin6_family = sin6_dst->sin6_family;
50397Sobrien		dst->sin6_len = sizeof(struct sockaddr_in6);
50397Sobrien		dst->sin6_addr = sin6_dst->sin6_addr;
50397Sobrien		if (sc->gif_ro6.ro_rt) {
50397Sobrien			RTFREE(sc->gif_ro6.ro_rt);
50397Sobrien			sc->gif_ro6.ro_rt = NULL;
50397Sobrien		}
50397Sobrien#if 0
50397Sobrien		GIF2IFP(sc)->if_mtu = GIF_MTU;
50397Sobrien#endif
50397Sobrien	}
50397Sobrien
50397Sobrien	if (sc->gif_ro6.ro_rt == NULL) {
50397Sobrien		rtalloc((struct route *)&sc->gif_ro6);
50397Sobrien		if (sc->gif_ro6.ro_rt == NULL) {
50397Sobrien			m_freem(m);
50397Sobrien			return ENETUNREACH;
50397Sobrien		}
50397Sobrien
50397Sobrien		/* if it constitutes infinite encapsulation, punt. */
50397Sobrien		if (sc->gif_ro.ro_rt->rt_ifp == ifp) {
50397Sobrien			m_freem(m);
50397Sobrien			return ENETUNREACH;	/*XXX*/
50397Sobrien		}
50397Sobrien#if 0
50397Sobrien		ifp->if_mtu = sc->gif_ro6.ro_rt->rt_ifp->if_mtu
50397Sobrien			- sizeof(struct ip6_hdr);
18334Speter#endif
90075Sobrien	}
90075Sobrien
18334Speter#ifdef IPV6_MINMTU
90075Sobrien	/*
90075Sobrien	 * force fragmentation to minimum MTU, to avoid path MTU discovery.
90075Sobrien	 * it is too painful to ask for resend of inner packet, to achieve
90075Sobrien	 * path MTU discovery for encapsulated packets.
90075Sobrien	 */
90075Sobrien	error = ip6_output(m, 0, &sc->gif_ro6, IPV6_MINMTU, 0, NULL, NULL);
18334Speter#else
18334Speter	error = ip6_output(m, 0, &sc->gif_ro6, 0, 0, NULL, NULL);
18334Speter#endif
18334Speter
18334Speter	if (!(GIF2IFP(sc)->if_flags & IFF_LINK0) &&
18334Speter	    sc->gif_ro6.ro_rt != NULL) {
18334Speter		RTFREE(sc->gif_ro6.ro_rt);
18334Speter		sc->gif_ro6.ro_rt = NULL;
18334Speter	}
18334Speter
90075Sobrien	return (error);
90075Sobrien}
90075Sobrien
132718Skanint
132718Skanin6_gif_input(struct mbuf **mp, int *offp, int proto)
132718Skan{
132718Skan	INIT_VNET_INET6(curvnet);
18334Speter	struct mbuf *m = *mp;
90075Sobrien	struct ifnet *gifp = NULL;
90075Sobrien	struct gif_softc *sc;
132718Skan	struct ip6_hdr *ip6;
18334Speter	int af = 0;
90075Sobrien	u_int32_t otos;
132718Skan
18334Speter	ip6 = mtod(m, struct ip6_hdr *);
90075Sobrien
90075Sobrien	sc = (struct gif_softc *)encap_getarg(m);
169689Skan	if (sc == NULL) {
132718Skan		m_freem(m);
132718Skan		V_ip6stat.ip6s_nogif++;
132718Skan		return IPPROTO_DONE;
132718Skan	}
132718Skan
132718Skan	gifp = GIF2IFP(sc);
132718Skan	if (gifp == NULL || (gifp->if_flags & IFF_UP) == 0) {
18334Speter		m_freem(m);
117395Skan		V_ip6stat.ip6s_nogif++;
52284Sobrien		return IPPROTO_DONE;
132718Skan	}
132718Skan
52284Sobrien	otos = ip6->ip6_flow;
18334Speter	m_adj(m, *offp);
132718Skan
18334Speter	switch (proto) {
169689Skan#ifdef INET
169689Skan	case IPPROTO_IPV4:
169689Skan	    {
169689Skan		struct ip *ip;
169689Skan		u_int8_t otos8;
18334Speter		af = AF_INET;
18334Speter		otos8 = (ntohl(otos) >> 20) & 0xff;
132718Skan		if (m->m_len < sizeof(*ip)) {
132718Skan			m = m_pullup(m, sizeof(*ip));
18334Speter			if (!m)
117395Skan				return IPPROTO_DONE;
132718Skan		}
50397Sobrien		ip = mtod(m, struct ip *);
18334Speter		if (ip_ecn_egress((gifp->if_flags & IFF_LINK1) ?
132718Skan				  ECN_ALLOWED : ECN_NOCARE,
132718Skan				  &otos8, &ip->ip_tos) == 0) {
18334Speter			m_freem(m);
169689Skan			return IPPROTO_DONE;
169689Skan		}
169689Skan		break;
169689Skan	    }
169689Skan#endif /* INET */
18334Speter#ifdef INET6
18334Speter	case IPPROTO_IPV6:
18334Speter	    {
18334Speter		struct ip6_hdr *ip6;
18334Speter		af = AF_INET6;
132718Skan		if (m->m_len < sizeof(*ip6)) {
18334Speter			m = m_pullup(m, sizeof(*ip6));
18334Speter			if (!m)
132718Skan				return IPPROTO_DONE;
18334Speter		}
18334Speter		ip6 = mtod(m, struct ip6_hdr *);
132718Skan		if (ip6_ecn_egress((gifp->if_flags & IFF_LINK1) ?
132718Skan				   ECN_ALLOWED : ECN_NOCARE,
18334Speter				   &otos, &ip6->ip6_flow) == 0) {
50397Sobrien			m_freem(m);
132718Skan			return IPPROTO_DONE;
132718Skan		}
18334Speter		break;
90075Sobrien	    }
132718Skan#endif
132718Skan	case IPPROTO_ETHERIP:
132718Skan		af = AF_LINK;
132718Skan		break;
132718Skan
132718Skan	default:
132718Skan		V_ip6stat.ip6s_nogif++;
132718Skan		m_freem(m);
90075Sobrien		return IPPROTO_DONE;
18334Speter	}
18334Speter
18334Speter	gif_input(m, af, gifp);
18334Speter	return IPPROTO_DONE;
132718Skan}
18334Speter
18334Speter/*
132718Skan * validate outer address.
18334Speter */
18334Speterstatic int
18334Spetergif_validate6(const struct ip6_hdr *ip6, struct gif_softc *sc,
132718Skan    struct ifnet *ifp)
18334Speter{
18334Speter	struct sockaddr_in6 *src, *dst;
132718Skan
18334Speter	src = (struct sockaddr_in6 *)sc->gif_psrc;
18334Speter	dst = (struct sockaddr_in6 *)sc->gif_pdst;
132718Skan
18334Speter	/*
18334Speter	 * Check for address match.  Note that the check is for an incoming
18334Speter	 * packet.  We should compare the *source* address in our configuration
117395Skan	 * and the *destination* address of the packet, and vice versa.
117395Skan	 */
117395Skan	if (!IN6_ARE_ADDR_EQUAL(&src->sin6_addr, &ip6->ip6_dst) ||
117395Skan	    !IN6_ARE_ADDR_EQUAL(&dst->sin6_addr, &ip6->ip6_src))
169689Skan		return 0;
169689Skan
169689Skan	/* martian filters on outer source - done in ip6_input */
117395Skan
117395Skan	/* ingress filters on outer source */
132718Skan	if ((GIF2IFP(sc)->if_flags & IFF_LINK2) == 0 && ifp) {
132718Skan		struct sockaddr_in6 sin6;
117395Skan		struct rtentry *rt;
132718Skan
132718Skan		bzero(&sin6, sizeof(sin6));
18334Speter		sin6.sin6_family = AF_INET6;
18334Speter		sin6.sin6_len = sizeof(struct sockaddr_in6);
132718Skan		sin6.sin6_addr = ip6->ip6_src;
18334Speter		sin6.sin6_scope_id = 0; /* XXX */
18334Speter
18334Speter		rt = rtalloc1((struct sockaddr *)&sin6, 0, 0UL);
132718Skan		if (!rt || rt->rt_ifp != ifp) {
18334Speter#if 0
117395Skan			char ip6buf[INET6_ADDRSTRLEN];
132718Skan			log(LOG_WARNING, "%s: packet from %s dropped "
117395Skan			    "due to ingress filter\n", if_name(GIF2IFP(sc)),
50397Sobrien			    ip6_sprintf(ip6buf, &sin6.sin6_addr));
50397Sobrien#endif
132718Skan			if (rt)
90075Sobrien				RTFREE_LOCKED(rt);
169689Skan			return 0;
169689Skan		}
169689Skan		RTFREE_LOCKED(rt);
117395Skan	}
117395Skan
132718Skan	return 128 * 2;
117395Skan}
169689Skan
169689Skan/*
169689Skan * we know that we are in IFF_UP, outer address available, and outer family
50397Sobrien * matched the physical addr family.  see gif_encapcheck().
50397Sobrien * sanity check for arg should have been done in the caller.
132718Skan */
50397Sobrienint
90075Sobriengif_encapcheck6(const struct mbuf *m, int off, int proto, void *arg)
132718Skan{
52284Sobrien	struct ip6_hdr ip6;
18334Speter	struct gif_softc *sc;
132718Skan	struct ifnet *ifp;
90075Sobrien
18334Speter	/* sanity check done in caller */
18334Speter	sc = (struct gif_softc *)arg;
132718Skan
90075Sobrien	/* LINTED const cast */
50397Sobrien	m_copydata(m, 0, sizeof(ip6), (caddr_t)&ip6);
132718Skan	ifp = ((m->m_flags & M_PKTHDR) != 0) ? m->m_pkthdr.rcvif : NULL;
18334Speter
18334Speter	return gif_validate6(&ip6, sc, ifp);
90075Sobrien}
169689Skan
18334Speterint
169689Skanin6_gif_attach(struct gif_softc *sc)
169689Skan{
169689Skan	sc->encap_cookie6 = encap_attach_func(AF_INET6, -1, gif_encapcheck,
132718Skan	    (void *)&in6_gif_protosw, sc);
132718Skan	if (sc->encap_cookie6 == NULL)
132718Skan		return EEXIST;
132718Skan	return 0;
132718Skan}
117395Skan
90075Sobrienint
90075Sobrienin6_gif_detach(struct gif_softc *sc)
90075Sobrien{
90075Sobrien	int error;
132718Skan
132718Skan	error = encap_detach(sc->encap_cookie6);
132718Skan	if (error == 0)
132718Skan		sc->encap_cookie6 = NULL;
90075Sobrien	return error;
90075Sobrien}
90075Sobrien