in6_gif.c revision 195699
1/*- 2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of the project nor the names of its contributors 14 * may be used to endorse or promote products derived from this software 15 * without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 * 29 * $KAME: in6_gif.c,v 1.49 2001/05/14 14:02:17 itojun Exp $ 30 */ 31 32#include <sys/cdefs.h> 33__FBSDID("$FreeBSD: head/sys/netinet6/in6_gif.c 195699 2009-07-14 22:48:30Z rwatson $"); 34 35#include "opt_inet.h" 36#include "opt_inet6.h" 37 38#include <sys/param.h> 39#include <sys/systm.h> 40#include <sys/socket.h> 41#include <sys/sockio.h> 42#include <sys/mbuf.h> 43#include <sys/errno.h> 44#include <sys/queue.h> 45#include <sys/syslog.h> 46#include <sys/protosw.h> 47#include <sys/malloc.h> 48#include <sys/vimage.h> 49 50#include <net/if.h> 51#include <net/route.h> 52 53#include <netinet/in.h> 54#include <netinet/in_systm.h> 55#ifdef INET 56#include <netinet/ip.h> 57#endif 58#include <netinet/ip_encap.h> 59#ifdef INET6 60#include <netinet/ip6.h> 61#include <netinet6/ip6_var.h> 62#include <netinet6/in6_gif.h> 63#include <netinet6/in6_var.h> 64#endif 65#include <netinet6/ip6protosw.h> 66#include <netinet/ip_ecn.h> 67#ifdef INET6 68#include <netinet6/ip6_ecn.h> 69#endif 70 71#include <net/if_gif.h> 72 73static int gif_validate6(const struct ip6_hdr *, struct gif_softc *, 74 struct ifnet *); 75 76extern struct domain inet6domain; 77struct ip6protosw in6_gif_protosw = { 78 .pr_type = SOCK_RAW, 79 .pr_domain = &inet6domain, 80 .pr_protocol = 0, /* IPPROTO_IPV[46] */ 81 .pr_flags = PR_ATOMIC|PR_ADDR, 82 .pr_input = in6_gif_input, 83 .pr_output = rip6_output, 84 .pr_ctloutput = rip6_ctloutput, 85 .pr_usrreqs = &rip6_usrreqs 86}; 87 88int 89in6_gif_output(struct ifnet *ifp, 90 int family, /* family of the packet to be encapsulate */ 91 struct mbuf *m) 92{ 93 struct gif_softc *sc = ifp->if_softc; 94 struct sockaddr_in6 *dst = (struct sockaddr_in6 *)&sc->gif_ro6.ro_dst; 95 struct sockaddr_in6 *sin6_src = (struct sockaddr_in6 *)sc->gif_psrc; 96 struct sockaddr_in6 *sin6_dst = (struct sockaddr_in6 *)sc->gif_pdst; 97 struct ip6_hdr *ip6; 98 struct etherip_header eiphdr; 99 int error, len, proto; 100 u_int8_t itos, otos; 101 102 GIF_LOCK_ASSERT(sc); 103 104 if (sin6_src == NULL || sin6_dst == NULL || 105 sin6_src->sin6_family != AF_INET6 || 106 sin6_dst->sin6_family != AF_INET6) { 107 m_freem(m); 108 return EAFNOSUPPORT; 109 } 110 111 switch (family) { 112#ifdef INET 113 case AF_INET: 114 { 115 struct ip *ip; 116 117 proto = IPPROTO_IPV4; 118 if (m->m_len < sizeof(*ip)) { 119 m = m_pullup(m, sizeof(*ip)); 120 if (!m) 121 return ENOBUFS; 122 } 123 ip = mtod(m, struct ip *); 124 itos = ip->ip_tos; 125 break; 126 } 127#endif 128#ifdef INET6 129 case AF_INET6: 130 { 131 struct ip6_hdr *ip6; 132 proto = IPPROTO_IPV6; 133 if (m->m_len < sizeof(*ip6)) { 134 m = m_pullup(m, sizeof(*ip6)); 135 if (!m) 136 return ENOBUFS; 137 } 138 ip6 = mtod(m, struct ip6_hdr *); 139 itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; 140 break; 141 } 142#endif 143 case AF_LINK: 144 proto = IPPROTO_ETHERIP; 145 146 /* 147 * GIF_SEND_REVETHIP (disabled by default) intentionally 148 * sends an EtherIP packet with revered version field in 149 * the header. This is a knob for backward compatibility 150 * with FreeBSD 7.2R or prior. 151 */ 152 if ((sc->gif_options & GIF_SEND_REVETHIP)) { 153 eiphdr.eip_ver = 0; 154 eiphdr.eip_resvl = ETHERIP_VERSION; 155 eiphdr.eip_resvh = 0; 156 } else { 157 eiphdr.eip_ver = ETHERIP_VERSION; 158 eiphdr.eip_resvl = 0; 159 eiphdr.eip_resvh = 0; 160 } 161 /* prepend Ethernet-in-IP header */ 162 M_PREPEND(m, sizeof(struct etherip_header), M_DONTWAIT); 163 if (m && m->m_len < sizeof(struct etherip_header)) 164 m = m_pullup(m, sizeof(struct etherip_header)); 165 if (m == NULL) 166 return ENOBUFS; 167 bcopy(&eiphdr, mtod(m, struct etherip_header *), 168 sizeof(struct etherip_header)); 169 break; 170 171 default: 172#ifdef DEBUG 173 printf("in6_gif_output: warning: unknown family %d passed\n", 174 family); 175#endif 176 m_freem(m); 177 return EAFNOSUPPORT; 178 } 179 180 /* prepend new IP header */ 181 len = sizeof(struct ip6_hdr); 182#ifndef __NO_STRICT_ALIGNMENT 183 if (family == AF_LINK) 184 len += ETHERIP_ALIGN; 185#endif 186 M_PREPEND(m, len, M_DONTWAIT); 187 if (m != NULL && m->m_len < len) 188 m = m_pullup(m, len); 189 if (m == NULL) { 190 printf("ENOBUFS in in6_gif_output %d\n", __LINE__); 191 return ENOBUFS; 192 } 193#ifndef __NO_STRICT_ALIGNMENT 194 if (family == AF_LINK) { 195 len = mtod(m, vm_offset_t) & 3; 196 KASSERT(len == 0 || len == ETHERIP_ALIGN, 197 ("in6_gif_output: unexpected misalignment")); 198 m->m_data += len; 199 m->m_len -= ETHERIP_ALIGN; 200 } 201#endif 202 203 ip6 = mtod(m, struct ip6_hdr *); 204 ip6->ip6_flow = 0; 205 ip6->ip6_vfc &= ~IPV6_VERSION_MASK; 206 ip6->ip6_vfc |= IPV6_VERSION; 207 ip6->ip6_plen = htons((u_short)m->m_pkthdr.len); 208 ip6->ip6_nxt = proto; 209 ip6->ip6_hlim = V_ip6_gif_hlim; 210 ip6->ip6_src = sin6_src->sin6_addr; 211 /* bidirectional configured tunnel mode */ 212 if (!IN6_IS_ADDR_UNSPECIFIED(&sin6_dst->sin6_addr)) 213 ip6->ip6_dst = sin6_dst->sin6_addr; 214 else { 215 m_freem(m); 216 return ENETUNREACH; 217 } 218 ip_ecn_ingress((ifp->if_flags & IFF_LINK1) ? ECN_ALLOWED : ECN_NOCARE, 219 &otos, &itos); 220 ip6->ip6_flow &= ~htonl(0xff << 20); 221 ip6->ip6_flow |= htonl((u_int32_t)otos << 20); 222 223 if (dst->sin6_family != sin6_dst->sin6_family || 224 !IN6_ARE_ADDR_EQUAL(&dst->sin6_addr, &sin6_dst->sin6_addr)) { 225 /* cache route doesn't match */ 226 bzero(dst, sizeof(*dst)); 227 dst->sin6_family = sin6_dst->sin6_family; 228 dst->sin6_len = sizeof(struct sockaddr_in6); 229 dst->sin6_addr = sin6_dst->sin6_addr; 230 if (sc->gif_ro6.ro_rt) { 231 RTFREE(sc->gif_ro6.ro_rt); 232 sc->gif_ro6.ro_rt = NULL; 233 } 234#if 0 235 GIF2IFP(sc)->if_mtu = GIF_MTU; 236#endif 237 } 238 239 if (sc->gif_ro6.ro_rt == NULL) { 240 rtalloc((struct route *)&sc->gif_ro6); 241 if (sc->gif_ro6.ro_rt == NULL) { 242 m_freem(m); 243 return ENETUNREACH; 244 } 245 246 /* if it constitutes infinite encapsulation, punt. */ 247 if (sc->gif_ro.ro_rt->rt_ifp == ifp) { 248 m_freem(m); 249 return ENETUNREACH; /*XXX*/ 250 } 251#if 0 252 ifp->if_mtu = sc->gif_ro6.ro_rt->rt_ifp->if_mtu 253 - sizeof(struct ip6_hdr); 254#endif 255 } 256 257#ifdef IPV6_MINMTU 258 /* 259 * force fragmentation to minimum MTU, to avoid path MTU discovery. 260 * it is too painful to ask for resend of inner packet, to achieve 261 * path MTU discovery for encapsulated packets. 262 */ 263 error = ip6_output(m, 0, &sc->gif_ro6, IPV6_MINMTU, 0, NULL, NULL); 264#else 265 error = ip6_output(m, 0, &sc->gif_ro6, 0, 0, NULL, NULL); 266#endif 267 268 if (!(GIF2IFP(sc)->if_flags & IFF_LINK0) && 269 sc->gif_ro6.ro_rt != NULL) { 270 RTFREE(sc->gif_ro6.ro_rt); 271 sc->gif_ro6.ro_rt = NULL; 272 } 273 274 return (error); 275} 276 277int 278in6_gif_input(struct mbuf **mp, int *offp, int proto) 279{ 280 struct mbuf *m = *mp; 281 struct ifnet *gifp = NULL; 282 struct gif_softc *sc; 283 struct ip6_hdr *ip6; 284 int af = 0; 285 u_int32_t otos; 286 287 ip6 = mtod(m, struct ip6_hdr *); 288 289 sc = (struct gif_softc *)encap_getarg(m); 290 if (sc == NULL) { 291 m_freem(m); 292 V_ip6stat.ip6s_nogif++; 293 return IPPROTO_DONE; 294 } 295 296 gifp = GIF2IFP(sc); 297 if (gifp == NULL || (gifp->if_flags & IFF_UP) == 0) { 298 m_freem(m); 299 V_ip6stat.ip6s_nogif++; 300 return IPPROTO_DONE; 301 } 302 303 otos = ip6->ip6_flow; 304 m_adj(m, *offp); 305 306 switch (proto) { 307#ifdef INET 308 case IPPROTO_IPV4: 309 { 310 struct ip *ip; 311 u_int8_t otos8; 312 af = AF_INET; 313 otos8 = (ntohl(otos) >> 20) & 0xff; 314 if (m->m_len < sizeof(*ip)) { 315 m = m_pullup(m, sizeof(*ip)); 316 if (!m) 317 return IPPROTO_DONE; 318 } 319 ip = mtod(m, struct ip *); 320 if (ip_ecn_egress((gifp->if_flags & IFF_LINK1) ? 321 ECN_ALLOWED : ECN_NOCARE, 322 &otos8, &ip->ip_tos) == 0) { 323 m_freem(m); 324 return IPPROTO_DONE; 325 } 326 break; 327 } 328#endif /* INET */ 329#ifdef INET6 330 case IPPROTO_IPV6: 331 { 332 struct ip6_hdr *ip6; 333 af = AF_INET6; 334 if (m->m_len < sizeof(*ip6)) { 335 m = m_pullup(m, sizeof(*ip6)); 336 if (!m) 337 return IPPROTO_DONE; 338 } 339 ip6 = mtod(m, struct ip6_hdr *); 340 if (ip6_ecn_egress((gifp->if_flags & IFF_LINK1) ? 341 ECN_ALLOWED : ECN_NOCARE, 342 &otos, &ip6->ip6_flow) == 0) { 343 m_freem(m); 344 return IPPROTO_DONE; 345 } 346 break; 347 } 348#endif 349 case IPPROTO_ETHERIP: 350 af = AF_LINK; 351 break; 352 353 default: 354 V_ip6stat.ip6s_nogif++; 355 m_freem(m); 356 return IPPROTO_DONE; 357 } 358 359 gif_input(m, af, gifp); 360 return IPPROTO_DONE; 361} 362 363/* 364 * validate outer address. 365 */ 366static int 367gif_validate6(const struct ip6_hdr *ip6, struct gif_softc *sc, 368 struct ifnet *ifp) 369{ 370 struct sockaddr_in6 *src, *dst; 371 372 src = (struct sockaddr_in6 *)sc->gif_psrc; 373 dst = (struct sockaddr_in6 *)sc->gif_pdst; 374 375 /* 376 * Check for address match. Note that the check is for an incoming 377 * packet. We should compare the *source* address in our configuration 378 * and the *destination* address of the packet, and vice versa. 379 */ 380 if (!IN6_ARE_ADDR_EQUAL(&src->sin6_addr, &ip6->ip6_dst) || 381 !IN6_ARE_ADDR_EQUAL(&dst->sin6_addr, &ip6->ip6_src)) 382 return 0; 383 384 /* martian filters on outer source - done in ip6_input */ 385 386 /* ingress filters on outer source */ 387 if ((GIF2IFP(sc)->if_flags & IFF_LINK2) == 0 && ifp) { 388 struct sockaddr_in6 sin6; 389 struct rtentry *rt; 390 391 bzero(&sin6, sizeof(sin6)); 392 sin6.sin6_family = AF_INET6; 393 sin6.sin6_len = sizeof(struct sockaddr_in6); 394 sin6.sin6_addr = ip6->ip6_src; 395 sin6.sin6_scope_id = 0; /* XXX */ 396 397 rt = rtalloc1((struct sockaddr *)&sin6, 0, 0UL); 398 if (!rt || rt->rt_ifp != ifp) { 399#if 0 400 char ip6buf[INET6_ADDRSTRLEN]; 401 log(LOG_WARNING, "%s: packet from %s dropped " 402 "due to ingress filter\n", if_name(GIF2IFP(sc)), 403 ip6_sprintf(ip6buf, &sin6.sin6_addr)); 404#endif 405 if (rt) 406 RTFREE_LOCKED(rt); 407 return 0; 408 } 409 RTFREE_LOCKED(rt); 410 } 411 412 return 128 * 2; 413} 414 415/* 416 * we know that we are in IFF_UP, outer address available, and outer family 417 * matched the physical addr family. see gif_encapcheck(). 418 * sanity check for arg should have been done in the caller. 419 */ 420int 421gif_encapcheck6(const struct mbuf *m, int off, int proto, void *arg) 422{ 423 struct ip6_hdr ip6; 424 struct gif_softc *sc; 425 struct ifnet *ifp; 426 427 /* sanity check done in caller */ 428 sc = (struct gif_softc *)arg; 429 430 /* LINTED const cast */ 431 m_copydata(m, 0, sizeof(ip6), (caddr_t)&ip6); 432 ifp = ((m->m_flags & M_PKTHDR) != 0) ? m->m_pkthdr.rcvif : NULL; 433 434 return gif_validate6(&ip6, sc, ifp); 435} 436 437int 438in6_gif_attach(struct gif_softc *sc) 439{ 440 sc->encap_cookie6 = encap_attach_func(AF_INET6, -1, gif_encapcheck, 441 (void *)&in6_gif_protosw, sc); 442 if (sc->encap_cookie6 == NULL) 443 return EEXIST; 444 return 0; 445} 446 447int 448in6_gif_detach(struct gif_softc *sc) 449{ 450 int error; 451 452 error = encap_detach(sc->encap_cookie6); 453 if (error == 0) 454 sc->encap_cookie6 = NULL; 455 return error; 456} 457