in_gif.c revision 105340
198944Sobrien/* $FreeBSD: head/sys/netinet/in_gif.c 105340 2002-10-17 17:47:55Z ume $ */ 298944Sobrien/* $KAME: in_gif.c,v 1.54 2001/05/14 14:02:16 itojun Exp $ */ 398944Sobrien 498944Sobrien/* 598944Sobrien * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 698944Sobrien * All rights reserved. 798944Sobrien * 819370Spst * Redistribution and use in source and binary forms, with or without 998944Sobrien * modification, are permitted provided that the following conditions 1098944Sobrien * are met: 1119370Spst * 1. Redistributions of source code must retain the above copyright 1298944Sobrien * notice, this list of conditions and the following disclaimer. 1398944Sobrien * 2. Redistributions in binary form must reproduce the above copyright 1498944Sobrien * notice, this list of conditions and the following disclaimer in the 1598944Sobrien * documentation and/or other materials provided with the distribution. 1619370Spst * 3. Neither the name of the project nor the names of its contributors 1798944Sobrien * may be used to endorse or promote products derived from this software 1898944Sobrien * without specific prior written permission. 1998944Sobrien * 2098944Sobrien * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 2119370Spst * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 2298944Sobrien * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 2398944Sobrien * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 2498944Sobrien * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 2598944Sobrien * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 2619370Spst * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 2719370Spst * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 2819370Spst * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 2919370Spst * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 3019370Spst * SUCH DAMAGE. 3198944Sobrien */ 3219370Spst 3319370Spst#include "opt_mrouting.h" 3419370Spst#include "opt_inet.h" 3519370Spst#include "opt_inet6.h" 3619370Spst 3719370Spst#include <sys/param.h> 3819370Spst#include <sys/systm.h> 3919370Spst#include <sys/socket.h> 4019370Spst#include <sys/sockio.h> 4119370Spst#include <sys/mbuf.h> 4219370Spst#include <sys/errno.h> 4319370Spst#include <sys/kernel.h> 4419370Spst#include <sys/sysctl.h> 4519370Spst#include <sys/protosw.h> 4619370Spst 4719370Spst#include <sys/malloc.h> 4819370Spst 4919370Spst#include <net/if.h> 5019370Spst#include <net/route.h> 5119370Spst 5219370Spst#include <netinet/in.h> 5346283Sdfr#include <netinet/in_systm.h> 5446283Sdfr#include <netinet/ip.h> 5546283Sdfr#include <netinet/ip_var.h> 5646283Sdfr#include <netinet/in_gif.h> 5746283Sdfr#include <netinet/in_var.h> 5846283Sdfr#include <netinet/ip_encap.h> 5946283Sdfr#include <netinet/ip_ecn.h> 6046283Sdfr 6119370Spst#ifdef INET6 6219370Spst#include <netinet/ip6.h> 6319370Spst#endif 6419370Spst 6519370Spst#ifdef MROUTING 6619370Spst#include <netinet/ip_mroute.h> 6719370Spst#endif /* MROUTING */ 6819370Spst 6919370Spst#include <net/if_gif.h> 7019370Spst 7119370Spst#include <net/net_osdep.h> 7219370Spst 7319370Spststatic int gif_validate4(const struct ip *, struct gif_softc *, 7419370Spst struct ifnet *); 7519370Spst 7619370Spstextern struct domain inetdomain; 7719370Spststruct protosw in_gif_protosw = 7819370Spst{ SOCK_RAW, &inetdomain, 0/*IPPROTO_IPV[46]*/, PR_ATOMIC|PR_ADDR, 7919370Spst in_gif_input, (pr_output_t*)rip_output, 0, rip_ctloutput, 8019370Spst 0, 8119370Spst 0, 0, 0, 0, 8219370Spst &rip_usrreqs 8319370Spst}; 8419370Spst 8519370Spststatic int ip_gif_ttl = GIF_TTL; 8619370SpstSYSCTL_INT(_net_inet_ip, IPCTL_GIF_TTL, gifttl, CTLFLAG_RW, 8719370Spst &ip_gif_ttl, 0, ""); 8819370Spst 8919370Spstint 9019370Spstin_gif_output(ifp, family, m) 9119370Spst struct ifnet *ifp; 9219370Spst int family; 9319370Spst struct mbuf *m; 9419370Spst{ 9519370Spst struct gif_softc *sc = (struct gif_softc*)ifp; 9619370Spst struct sockaddr_in *dst = (struct sockaddr_in *)&sc->gif_ro.ro_dst; 9719370Spst struct sockaddr_in *sin_src = (struct sockaddr_in *)sc->gif_psrc; 9819370Spst struct sockaddr_in *sin_dst = (struct sockaddr_in *)sc->gif_pdst; 9919370Spst struct ip iphdr; /* capsule IP header, host byte ordered */ 10019370Spst int proto, error; 10119370Spst u_int8_t tos; 10219370Spst 10319370Spst if (sin_src == NULL || sin_dst == NULL || 10419370Spst sin_src->sin_family != AF_INET || 10598944Sobrien sin_dst->sin_family != AF_INET) { 10698944Sobrien m_freem(m); 10798944Sobrien return EAFNOSUPPORT; 10898944Sobrien } 10919370Spst 11019370Spst switch (family) { 11119370Spst#ifdef INET 11219370Spst case AF_INET: 11398944Sobrien { 11419370Spst struct ip *ip; 11598944Sobrien 11619370Spst proto = IPPROTO_IPV4; 11798944Sobrien if (m->m_len < sizeof(*ip)) { 11898944Sobrien m = m_pullup(m, sizeof(*ip)); 11998944Sobrien if (!m) 12098944Sobrien return ENOBUFS; 12119370Spst } 12298944Sobrien ip = mtod(m, struct ip *); 123 tos = ip->ip_tos; 124 break; 125 } 126#endif /* INET */ 127#ifdef INET6 128 case AF_INET6: 129 { 130 struct ip6_hdr *ip6; 131 proto = IPPROTO_IPV6; 132 if (m->m_len < sizeof(*ip6)) { 133 m = m_pullup(m, sizeof(*ip6)); 134 if (!m) 135 return ENOBUFS; 136 } 137 ip6 = mtod(m, struct ip6_hdr *); 138 tos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; 139 break; 140 } 141#endif /* INET6 */ 142 default: 143#ifdef DEBUG 144 printf("in_gif_output: warning: unknown family %d passed\n", 145 family); 146#endif 147 m_freem(m); 148 return EAFNOSUPPORT; 149 } 150 151 bzero(&iphdr, sizeof(iphdr)); 152 iphdr.ip_src = sin_src->sin_addr; 153 /* bidirectional configured tunnel mode */ 154 if (sin_dst->sin_addr.s_addr != INADDR_ANY) 155 iphdr.ip_dst = sin_dst->sin_addr; 156 else { 157 m_freem(m); 158 return ENETUNREACH; 159 } 160 iphdr.ip_p = proto; 161 /* version will be set in ip_output() */ 162 iphdr.ip_ttl = ip_gif_ttl; 163 iphdr.ip_len = m->m_pkthdr.len + sizeof(struct ip); 164 if (ifp->if_flags & IFF_LINK1) 165 ip_ecn_ingress(ECN_ALLOWED, &iphdr.ip_tos, &tos); 166 else 167 ip_ecn_ingress(ECN_NOCARE, &iphdr.ip_tos, &tos); 168 169 /* prepend new IP header */ 170 M_PREPEND(m, sizeof(struct ip), M_DONTWAIT); 171 if (m && m->m_len < sizeof(struct ip)) 172 m = m_pullup(m, sizeof(struct ip)); 173 if (m == NULL) { 174 printf("ENOBUFS in in_gif_output %d\n", __LINE__); 175 return ENOBUFS; 176 } 177 bcopy(&iphdr, mtod(m, struct ip *), sizeof(struct ip)); 178 179 if (dst->sin_family != sin_dst->sin_family || 180 dst->sin_addr.s_addr != sin_dst->sin_addr.s_addr) { 181 /* cache route doesn't match */ 182 dst->sin_family = sin_dst->sin_family; 183 dst->sin_len = sizeof(struct sockaddr_in); 184 dst->sin_addr = sin_dst->sin_addr; 185 if (sc->gif_ro.ro_rt) { 186 RTFREE(sc->gif_ro.ro_rt); 187 sc->gif_ro.ro_rt = NULL; 188 } 189#if 0 190 sc->gif_if.if_mtu = GIF_MTU; 191#endif 192 } 193 194 if (sc->gif_ro.ro_rt == NULL) { 195 rtalloc(&sc->gif_ro); 196 if (sc->gif_ro.ro_rt == NULL) { 197 m_freem(m); 198 return ENETUNREACH; 199 } 200 201 /* if it constitutes infinite encapsulation, punt. */ 202 if (sc->gif_ro.ro_rt->rt_ifp == ifp) { 203 m_freem(m); 204 return ENETUNREACH; /* XXX */ 205 } 206#if 0 207 ifp->if_mtu = sc->gif_ro.ro_rt->rt_ifp->if_mtu 208 - sizeof(struct ip); 209#endif 210 } 211 212 error = ip_output(m, NULL, &sc->gif_ro, 0, NULL, NULL); 213 return(error); 214} 215 216void 217in_gif_input(m, off) 218 struct mbuf *m; 219 int off; 220{ 221 struct ifnet *gifp = NULL; 222 struct ip *ip; 223 int af; 224 u_int8_t otos; 225 int proto; 226 227 ip = mtod(m, struct ip *); 228 proto = ip->ip_p; 229 230 gifp = (struct ifnet *)encap_getarg(m); 231 232 if (gifp == NULL || (gifp->if_flags & IFF_UP) == 0) { 233 m_freem(m); 234 ipstat.ips_nogif++; 235 return; 236 } 237 238 otos = ip->ip_tos; 239 m_adj(m, off); 240 241 switch (proto) { 242#ifdef INET 243 case IPPROTO_IPV4: 244 { 245 struct ip *ip; 246 af = AF_INET; 247 if (m->m_len < sizeof(*ip)) { 248 m = m_pullup(m, sizeof(*ip)); 249 if (!m) 250 return; 251 } 252 ip = mtod(m, struct ip *); 253 if (gifp->if_flags & IFF_LINK1) 254 ip_ecn_egress(ECN_ALLOWED, &otos, &ip->ip_tos); 255 else 256 ip_ecn_egress(ECN_NOCARE, &otos, &ip->ip_tos); 257 break; 258 } 259#endif 260#ifdef INET6 261 case IPPROTO_IPV6: 262 { 263 struct ip6_hdr *ip6; 264 u_int8_t itos; 265 af = AF_INET6; 266 if (m->m_len < sizeof(*ip6)) { 267 m = m_pullup(m, sizeof(*ip6)); 268 if (!m) 269 return; 270 } 271 ip6 = mtod(m, struct ip6_hdr *); 272 itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; 273 if (gifp->if_flags & IFF_LINK1) 274 ip_ecn_egress(ECN_ALLOWED, &otos, &itos); 275 else 276 ip_ecn_egress(ECN_NOCARE, &otos, &itos); 277 ip6->ip6_flow &= ~htonl(0xff << 20); 278 ip6->ip6_flow |= htonl((u_int32_t)itos << 20); 279 break; 280 } 281#endif /* INET6 */ 282 default: 283 ipstat.ips_nogif++; 284 m_freem(m); 285 return; 286 } 287 gif_input(m, af, gifp); 288 return; 289} 290 291/* 292 * validate outer address. 293 */ 294static int 295gif_validate4(ip, sc, ifp) 296 const struct ip *ip; 297 struct gif_softc *sc; 298 struct ifnet *ifp; 299{ 300 struct sockaddr_in *src, *dst; 301 struct in_ifaddr *ia4; 302 303 src = (struct sockaddr_in *)sc->gif_psrc; 304 dst = (struct sockaddr_in *)sc->gif_pdst; 305 306 /* check for address match */ 307 if (src->sin_addr.s_addr != ip->ip_dst.s_addr || 308 dst->sin_addr.s_addr != ip->ip_src.s_addr) 309 return 0; 310 311 /* martian filters on outer source - NOT done in ip_input! */ 312 if (IN_MULTICAST(ntohl(ip->ip_src.s_addr))) 313 return 0; 314 switch ((ntohl(ip->ip_src.s_addr) & 0xff000000) >> 24) { 315 case 0: case 127: case 255: 316 return 0; 317 } 318 /* reject packets with broadcast on source */ 319 TAILQ_FOREACH(ia4, &in_ifaddrhead, ia_link) 320 { 321 if ((ia4->ia_ifa.ifa_ifp->if_flags & IFF_BROADCAST) == 0) 322 continue; 323 if (ip->ip_src.s_addr == ia4->ia_broadaddr.sin_addr.s_addr) 324 return 0; 325 } 326 327 /* ingress filters on outer source */ 328 if ((sc->gif_if.if_flags & IFF_LINK2) == 0 && ifp) { 329 struct sockaddr_in sin; 330 struct rtentry *rt; 331 332 bzero(&sin, sizeof(sin)); 333 sin.sin_family = AF_INET; 334 sin.sin_len = sizeof(struct sockaddr_in); 335 sin.sin_addr = ip->ip_src; 336 rt = rtalloc1((struct sockaddr *)&sin, 0, 0UL); 337 if (!rt || rt->rt_ifp != ifp) { 338#if 0 339 log(LOG_WARNING, "%s: packet from 0x%x dropped " 340 "due to ingress filter\n", if_name(&sc->gif_if), 341 (u_int32_t)ntohl(sin.sin_addr.s_addr)); 342#endif 343 if (rt) 344 rtfree(rt); 345 return 0; 346 } 347 rtfree(rt); 348 } 349 350 return 32 * 2; 351} 352 353/* 354 * we know that we are in IFF_UP, outer address available, and outer family 355 * matched the physical addr family. see gif_encapcheck(). 356 */ 357int 358gif_encapcheck4(m, off, proto, arg) 359 const struct mbuf *m; 360 int off; 361 int proto; 362 void *arg; 363{ 364 struct ip ip; 365 struct gif_softc *sc; 366 struct ifnet *ifp; 367 368 /* sanity check done in caller */ 369 sc = (struct gif_softc *)arg; 370 371 /* LINTED const cast */ 372 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip); 373 ifp = ((m->m_flags & M_PKTHDR) != 0) ? m->m_pkthdr.rcvif : NULL; 374 375 return gif_validate4(&ip, sc, ifp); 376} 377 378int 379in_gif_attach(sc) 380 struct gif_softc *sc; 381{ 382 sc->encap_cookie4 = encap_attach_func(AF_INET, -1, gif_encapcheck, 383 &in_gif_protosw, sc); 384 if (sc->encap_cookie4 == NULL) 385 return EEXIST; 386 return 0; 387} 388 389int 390in_gif_detach(sc) 391 struct gif_softc *sc; 392{ 393 int error; 394 395 error = encap_detach(sc->encap_cookie4); 396 if (error == 0) 397 sc->encap_cookie4 = NULL; 398 return error; 399} 400