in6_gif.c revision 1.82
1/* $NetBSD: in6_gif.c,v 1.82 2016/12/14 11:19:15 knakahara Exp $ */ 2/* $KAME: in6_gif.c,v 1.62 2001/07/29 04:27:25 itojun Exp $ */ 3 4/* 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33#include <sys/cdefs.h> 34__KERNEL_RCSID(0, "$NetBSD: in6_gif.c,v 1.82 2016/12/14 11:19:15 knakahara Exp $"); 35 36#ifdef _KERNEL_OPT 37#include "opt_inet.h" 38#endif 39 40#include <sys/param.h> 41#include <sys/systm.h> 42#include <sys/socket.h> 43#include <sys/sockio.h> 44#include <sys/mbuf.h> 45#include <sys/errno.h> 46#include <sys/ioctl.h> 47#include <sys/queue.h> 48#include <sys/syslog.h> 49#include <sys/kernel.h> 50 51#include <net/if.h> 52#include <net/route.h> 53 54#include <netinet/in.h> 55#include <netinet/in_systm.h> 56#ifdef INET 57#include <netinet/ip.h> 58#endif 59#include <netinet/ip_encap.h> 60#ifdef INET6 61#include <netinet/ip6.h> 62#include <netinet6/ip6_var.h> 63#include <netinet6/ip6_private.h> 64#include <netinet6/in6_gif.h> 65#include <netinet6/in6_var.h> 66#endif 67#include <netinet6/ip6protosw.h> /* for struct ip6ctlparam */ 68#include <netinet/ip_ecn.h> 69 70#include <net/if_gif.h> 71 72#include <net/net_osdep.h> 73 74static int gif_validate6(const struct ip6_hdr *, struct gif_softc *, 75 struct ifnet *); 76 77int ip6_gif_hlim = GIF_HLIM; 78 79static const struct encapsw in6_gif_encapsw; 80 81/* 82 * family - family of the packet to be encapsulate. 83 */ 84 85int 86in6_gif_output(struct ifnet *ifp, int family, struct mbuf *m) 87{ 88 struct rtentry *rt; 89 struct route *ro; 90 struct gif_softc *sc = ifp->if_softc; 91 struct sockaddr_in6 *sin6_src = satosin6(sc->gif_psrc); 92 struct sockaddr_in6 *sin6_dst = satosin6(sc->gif_pdst); 93 struct ip6_hdr *ip6; 94 int proto, error; 95 u_int8_t itos, otos; 96 union { 97 struct sockaddr dst; 98 struct sockaddr_in6 dst6; 99 } u; 100 101 if (sin6_src == NULL || sin6_dst == NULL || 102 sin6_src->sin6_family != AF_INET6 || 103 sin6_dst->sin6_family != AF_INET6) { 104 m_freem(m); 105 return EAFNOSUPPORT; 106 } 107 108 switch (family) { 109#ifdef INET 110 case AF_INET: 111 { 112 struct ip *ip; 113 114 proto = IPPROTO_IPV4; 115 if (m->m_len < sizeof(*ip)) { 116 m = m_pullup(m, sizeof(*ip)); 117 if (!m) 118 return ENOBUFS; 119 } 120 ip = mtod(m, struct ip *); 121 itos = ip->ip_tos; 122 break; 123 } 124#endif 125#ifdef INET6 126 case AF_INET6: 127 { 128 proto = IPPROTO_IPV6; 129 if (m->m_len < sizeof(*ip6)) { 130 m = m_pullup(m, sizeof(*ip6)); 131 if (!m) 132 return ENOBUFS; 133 } 134 ip6 = mtod(m, struct ip6_hdr *); 135 itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; 136 break; 137 } 138#endif 139 default: 140#ifdef DEBUG 141 printf("in6_gif_output: warning: unknown family %d passed\n", 142 family); 143#endif 144 m_freem(m); 145 return EAFNOSUPPORT; 146 } 147 148 /* prepend new IP header */ 149 M_PREPEND(m, sizeof(struct ip6_hdr), M_DONTWAIT); 150 if (m && m->m_len < sizeof(struct ip6_hdr)) 151 m = m_pullup(m, sizeof(struct ip6_hdr)); 152 if (m == NULL) 153 return ENOBUFS; 154 155 ip6 = mtod(m, struct ip6_hdr *); 156 ip6->ip6_flow = 0; 157 ip6->ip6_vfc &= ~IPV6_VERSION_MASK; 158 ip6->ip6_vfc |= IPV6_VERSION; 159#if 0 /* ip6->ip6_plen will be filled by ip6_output */ 160 ip6->ip6_plen = htons((u_int16_t)m->m_pkthdr.len); 161#endif 162 ip6->ip6_nxt = proto; 163 ip6->ip6_hlim = ip6_gif_hlim; 164 ip6->ip6_src = sin6_src->sin6_addr; 165 /* bidirectional configured tunnel mode */ 166 if (!IN6_IS_ADDR_UNSPECIFIED(&sin6_dst->sin6_addr)) 167 ip6->ip6_dst = sin6_dst->sin6_addr; 168 else { 169 m_freem(m); 170 return ENETUNREACH; 171 } 172 if (ifp->if_flags & IFF_LINK1) 173 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); 174 else 175 ip_ecn_ingress(ECN_NOCARE, &otos, &itos); 176 ip6->ip6_flow &= ~ntohl(0xff00000); 177 ip6->ip6_flow |= htonl((u_int32_t)otos << 20); 178 179 sockaddr_in6_init(&u.dst6, &sin6_dst->sin6_addr, 0, 0, 0); 180 ro = percpu_getref(sc->gif_ro_percpu); 181 rt = rtcache_lookup(ro, &u.dst); 182 if (rt == NULL) { 183 percpu_putref(sc->gif_ro_percpu); 184 m_freem(m); 185 return ENETUNREACH; 186 } 187 188 /* If the route constitutes infinite encapsulation, punt. */ 189 if (rt->rt_ifp == ifp) { 190 rtcache_unref(rt, ro); 191 rtcache_free(ro); 192 percpu_putref(sc->gif_ro_percpu); 193 m_freem(m); 194 return ENETUNREACH; /* XXX */ 195 } 196 rtcache_unref(rt, ro); 197 198#ifdef IPV6_MINMTU 199 /* 200 * force fragmentation to minimum MTU, to avoid path MTU discovery. 201 * it is too painful to ask for resend of inner packet, to achieve 202 * path MTU discovery for encapsulated packets. 203 */ 204 error = ip6_output(m, 0, ro, IPV6_MINMTU, NULL, NULL, NULL); 205#else 206 error = ip6_output(m, 0, ro, 0, NULL, NULL, NULL); 207#endif 208 percpu_putref(sc->gif_ro_percpu); 209 return (error); 210} 211 212int 213in6_gif_input(struct mbuf **mp, int *offp, int proto) 214{ 215 struct mbuf *m = *mp; 216 struct ifnet *gifp = NULL; 217 struct ip6_hdr *ip6; 218 int af = 0; 219 u_int32_t otos; 220 221 ip6 = mtod(m, struct ip6_hdr *); 222 223 gifp = (struct ifnet *)encap_getarg(m); 224 225 if (gifp == NULL || (gifp->if_flags & (IFF_UP|IFF_RUNNING)) 226 != (IFF_UP|IFF_RUNNING)) { 227 m_freem(m); 228 IP6_STATINC(IP6_STAT_NOGIF); 229 return IPPROTO_DONE; 230 } 231#ifndef GIF_ENCAPCHECK 232 struct gif_softc *sc = (struct gif_softc *)gifp->if_softc; 233 /* other CPU do delete_tunnel */ 234 if (sc->gif_psrc == NULL || sc->gif_pdst == NULL) { 235 m_freem(m); 236 IP6_STATINC(IP6_STAT_NOGIF); 237 return IPPROTO_DONE; 238 } 239 240 struct psref psref; 241 struct ifnet *rcvif = m_get_rcvif_psref(m, &psref); 242 if (rcvif == NULL || !gif_validate6(ip6, sc, rcvif)) { 243 m_put_rcvif_psref(rcvif, &psref); 244 m_freem(m); 245 IP6_STATINC(IP6_STAT_NOGIF); 246 return IPPROTO_DONE; 247 } 248 m_put_rcvif_psref(rcvif, &psref); 249#endif 250 251 otos = ip6->ip6_flow; 252 m_adj(m, *offp); 253 254 switch (proto) { 255#ifdef INET 256 case IPPROTO_IPV4: 257 { 258 struct ip *ip; 259 u_int8_t otos8; 260 af = AF_INET; 261 otos8 = (ntohl(otos) >> 20) & 0xff; 262 if (m->m_len < sizeof(*ip)) { 263 m = m_pullup(m, sizeof(*ip)); 264 if (!m) 265 return IPPROTO_DONE; 266 } 267 ip = mtod(m, struct ip *); 268 if (gifp->if_flags & IFF_LINK1) 269 ip_ecn_egress(ECN_ALLOWED, &otos8, &ip->ip_tos); 270 else 271 ip_ecn_egress(ECN_NOCARE, &otos8, &ip->ip_tos); 272 break; 273 } 274#endif /* INET */ 275#ifdef INET6 276 case IPPROTO_IPV6: 277 { 278 struct ip6_hdr *ip6x; 279 af = AF_INET6; 280 if (m->m_len < sizeof(*ip6x)) { 281 m = m_pullup(m, sizeof(*ip6x)); 282 if (!m) 283 return IPPROTO_DONE; 284 } 285 ip6x = mtod(m, struct ip6_hdr *); 286 if (gifp->if_flags & IFF_LINK1) 287 ip6_ecn_egress(ECN_ALLOWED, &otos, &ip6x->ip6_flow); 288 else 289 ip6_ecn_egress(ECN_NOCARE, &otos, &ip6x->ip6_flow); 290 break; 291 } 292#endif 293 default: 294 IP6_STATINC(IP6_STAT_NOGIF); 295 m_freem(m); 296 return IPPROTO_DONE; 297 } 298 299 gif_input(m, af, gifp); 300 return IPPROTO_DONE; 301} 302 303/* 304 * validate outer address. 305 */ 306static int 307gif_validate6(const struct ip6_hdr *ip6, struct gif_softc *sc, 308 struct ifnet *ifp) 309{ 310 const struct sockaddr_in6 *src, *dst; 311 312 src = satosin6(sc->gif_psrc); 313 dst = satosin6(sc->gif_pdst); 314 315 /* check for address match */ 316 if (!IN6_ARE_ADDR_EQUAL(&src->sin6_addr, &ip6->ip6_dst) || 317 !IN6_ARE_ADDR_EQUAL(&dst->sin6_addr, &ip6->ip6_src)) 318 return 0; 319 320 /* martian filters on outer source - done in ip6_input */ 321 322 /* ingress filters on outer source */ 323 if ((sc->gif_if.if_flags & IFF_LINK2) == 0 && ifp) { 324 union { 325 struct sockaddr sa; 326 struct sockaddr_in6 sin6; 327 } u; 328 struct rtentry *rt; 329 330 /* XXX scopeid */ 331 sockaddr_in6_init(&u.sin6, &ip6->ip6_src, 0, 0, 0); 332 rt = rtalloc1(&u.sa, 0); 333 if (rt == NULL || rt->rt_ifp != ifp) { 334#if 0 335 log(LOG_WARNING, "%s: packet from %s dropped " 336 "due to ingress filter\n", if_name(&sc->gif_if), 337 ip6_sprintf(&u.sin6.sin6_addr)); 338#endif 339 if (rt != NULL) 340 rt_unref(rt); 341 return 0; 342 } 343 rt_unref(rt); 344 } 345 346 return 128 * 2; 347} 348 349#ifdef GIF_ENCAPCHECK 350/* 351 * we know that we are in IFF_UP, outer address available, and outer family 352 * matched the physical addr family. see gif_encapcheck(). 353 */ 354int 355gif_encapcheck6(struct mbuf *m, int off, int proto, void *arg) 356{ 357 struct ip6_hdr ip6; 358 struct gif_softc *sc; 359 struct ifnet *ifp = NULL; 360 int r; 361 struct psref psref; 362 363 /* sanity check done in caller */ 364 sc = arg; 365 366 m_copydata(m, 0, sizeof(ip6), (void *)&ip6); 367 if ((m->m_flags & M_PKTHDR) != 0) 368 ifp = m_get_rcvif_psref(m, &psref); 369 370 r = gif_validate6(&ip6, sc, ifp); 371 372 m_put_rcvif_psref(ifp, &psref); 373 return r; 374} 375#endif 376 377int 378in6_gif_attach(struct gif_softc *sc) 379{ 380#ifndef GIF_ENCAPCHECK 381 struct sockaddr_in6 mask6; 382 383 memset(&mask6, 0, sizeof(mask6)); 384 mask6.sin6_len = sizeof(struct sockaddr_in6); 385 mask6.sin6_addr.s6_addr32[0] = mask6.sin6_addr.s6_addr32[1] = 386 mask6.sin6_addr.s6_addr32[2] = mask6.sin6_addr.s6_addr32[3] = ~0; 387 388 if (!sc->gif_psrc || !sc->gif_pdst) 389 return EINVAL; 390 sc->encap_cookie6 = encap_attach(AF_INET6, -1, sc->gif_psrc, 391 sin6tosa(&mask6), sc->gif_pdst, sin6tosa(&mask6), 392 (const void *)&in6_gif_encapsw, sc); 393#else 394 sc->encap_cookie6 = encap_attach_func(AF_INET6, -1, gif_encapcheck, 395 &in6_gif_encapsw, sc); 396#endif 397 if (sc->encap_cookie6 == NULL) 398 return EEXIST; 399 return 0; 400} 401 402int 403in6_gif_detach(struct gif_softc *sc) 404{ 405 int error; 406 407 error = in6_gif_pause(sc); 408 409 percpu_foreach(sc->gif_ro_percpu, gif_rtcache_free_pc, NULL); 410 411 return error; 412} 413 414int 415in6_gif_pause(struct gif_softc *sc) 416{ 417 int error; 418 419 error = encap_detach(sc->encap_cookie6); 420 if (error == 0) 421 sc->encap_cookie6 = NULL; 422 423 return error; 424} 425 426void * 427in6_gif_ctlinput(int cmd, const struct sockaddr *sa, void *d, void *eparg) 428{ 429 struct gif_softc *sc = eparg; 430 struct ip6ctlparam *ip6cp = NULL; 431 struct ip6_hdr *ip6; 432 const struct sockaddr_in6 *dst6; 433 struct route *ro; 434 435 if (sa->sa_family != AF_INET6 || 436 sa->sa_len != sizeof(struct sockaddr_in6)) 437 return NULL; 438 439 if ((unsigned)cmd >= PRC_NCMDS) 440 return NULL; 441 if (cmd == PRC_HOSTDEAD) 442 d = NULL; 443 else if (inet6ctlerrmap[cmd] == 0) 444 return NULL; 445 446 /* if the parameter is from icmp6, decode it. */ 447 if (d != NULL) { 448 ip6cp = (struct ip6ctlparam *)d; 449 ip6 = ip6cp->ip6c_ip6; 450 } else { 451 ip6 = NULL; 452 } 453 454 if (!ip6) 455 return NULL; 456 457 if ((sc->gif_if.if_flags & IFF_RUNNING) == 0) 458 return NULL; 459 if (sc->gif_psrc->sa_family != AF_INET6) 460 return NULL; 461 462 ro = percpu_getref(sc->gif_ro_percpu); 463 dst6 = satocsin6(rtcache_getdst(ro)); 464 /* XXX scope */ 465 if (dst6 == NULL) 466 ; 467 else if (IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &dst6->sin6_addr)) 468 rtcache_free(ro); 469 470 percpu_putref(sc->gif_ro_percpu); 471 return NULL; 472} 473 474ENCAP_PR_WRAP_CTLINPUT(in6_gif_ctlinput) 475#define in6_gif_ctlinput in6_gif_ctlinput_wrapper 476 477static const struct encapsw in6_gif_encapsw = { 478 .encapsw6 = { 479 .pr_input = in6_gif_input, 480 .pr_ctlinput = in6_gif_ctlinput, 481 } 482}; 483