1 /* $FreeBSD$ */
2 /* $KAME: ip_encap.c,v 1.41 2001/03/15 08:35:08 itojun Exp $ */
3
4 /*
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32 /*
33 * My grandfather said that there's a devil inside tunnelling technology...
34 *
35 * We have surprisingly many protocols that want packets with IP protocol
36 * #4 or #41. Here's a list of protocols that want protocol #41:
37 * RFC1933 configured tunnel
38 * RFC1933 automatic tunnel
39 * RFC2401 IPsec tunnel
40 * RFC2473 IPv6 generic packet tunnelling
41 * RFC2529 6over4 tunnel
42 * mobile-ip6 (uses RFC2473)
43 * RFC3056 6to4 tunnel
44 * isatap tunnel
45 * Here's a list of protocol that want protocol #4:
46 * RFC1853 IPv4-in-IPv4 tunnelling
47 * RFC2003 IPv4 encapsulation within IPv4
48 * RFC2344 reverse tunnelling for mobile-ip4
49 * RFC2401 IPsec tunnel
50 * Well, what can I say. They impose different en/decapsulation mechanism
51 * from each other, so they need separate protocol handler. The only one
52 * we can easily determine by protocol # is IPsec, which always has
53 * AH/ESP/IPComp header right after outer IP header.
54 *
55 * So, clearly good old protosw does not work for protocol #4 and #41.
56 * The code will let you match protocol via src/dst address pair.
57 */
58 /* XXX is M_NETADDR correct? */
59
60 #include "opt_inet.h"
61 #include "opt_inet6.h"
62
63 #include <sys/param.h>
64 #include <sys/systm.h>
65 #include <sys/socket.h>
66 #include <sys/sockio.h>
67 #include <sys/mbuf.h>
68 #include <sys/errno.h>
69 #include <sys/protosw.h>
70 #include <sys/queue.h>
71
72 #include <net/if.h>
73 #include <net/route.h>
74
75 #include <netinet/in.h>
76 #include <netinet/in_systm.h>
77 #include <netinet/ip.h>
78 #include <netinet/ip_var.h>
79 #include <netinet/ip_encap.h>
80 #include <netinet/ipprotosw.h>
81
82 #ifdef INET6
83 #include <netinet/ip6.h>
84 #include <netinet6/ip6_var.h>
85 #include <netinet6/ip6protosw.h>
86 #endif
87
88 #include <machine/stdarg.h>
89
90 #include <net/net_osdep.h>
91
92 #include <sys/kernel.h>
93 #include <sys/malloc.h>
94 MALLOC_DEFINE(M_NETADDR, "Export Host", "Export host address structure");
95
96 static void encap_add __P((struct encaptab *));
97 static int mask_match __P((const struct encaptab *, const struct sockaddr *,
98 const struct sockaddr *));
99 static void encap_fillarg __P((struct mbuf *, const struct encaptab *));
100
101 #ifndef LIST_HEAD_INITIALIZER
102 /* rely upon BSS initialization */
103 LIST_HEAD(, encaptab) encaptab;
104 #else
105 LIST_HEAD(, encaptab) encaptab = LIST_HEAD_INITIALIZER(&encaptab);
106 #endif
107
108 void (*ipip_input)(struct mbuf *, int, int); /* hook for mrouting */
109
110 void
111 encap_init()
112 {
113 static int initialized = 0;
114
115 if (initialized)
116 return;
117 initialized++;
118 #if 0
119 /*
120 * we cannot use LIST_INIT() here, since drivers may want to call
121 * encap_attach(), on driver attach. encap_init() will be called
122 * on AF_INET{,6} initialization, which happens after driver
123 * initialization - using LIST_INIT() here can nuke encap_attach()
124 * from drivers.
125 */
126 LIST_INIT(&encaptab);
127 #endif
128 }
129
130 #ifdef INET
131 void
132 encap4_input(struct mbuf *m, int off, int proto)
133 {
134 struct ip *ip;
135 struct sockaddr_in s, d;
136 const struct ipprotosw *psw;
137 struct encaptab *ep, *match;
138 int prio, matchprio;
139
140 ip = mtod(m, struct ip *);
141
142 bzero(&s, sizeof(s));
143 s.sin_family = AF_INET;
144 s.sin_len = sizeof(struct sockaddr_in);
145 s.sin_addr = ip->ip_src;
146 bzero(&d, sizeof(d));
147 d.sin_family = AF_INET;
148 d.sin_len = sizeof(struct sockaddr_in);
149 d.sin_addr = ip->ip_dst;
150
151 match = NULL;
152 matchprio = 0;
153 for (ep = LIST_FIRST(&encaptab); ep; ep = LIST_NEXT(ep, chain)) {
154 if (ep->af != AF_INET)
155 continue;
156 if (ep->proto >= 0 && ep->proto != proto)
157 continue;
158 if (ep->func)
159 prio = (*ep->func)(m, off, proto, ep->arg);
160 else {
161 /*
162 * it's inbound traffic, we need to match in reverse
163 * order
164 */
165 prio = mask_match(ep, (struct sockaddr *)&d,
166 (struct sockaddr *)&s);
167 }
168
169 /*
170 * We prioritize the matches by using bit length of the
171 * matches. mask_match() and user-supplied matching function
172 * should return the bit length of the matches (for example,
173 * if both src/dst are matched for IPv4, 64 should be returned).
174 * 0 or negative return value means "it did not match".
175 *
176 * The question is, since we have two "mask" portion, we
177 * cannot really define total order between entries.
178 * For example, which of these should be preferred?
179 * mask_match() returns 48 (32 + 16) for both of them.
180 * src=3ffe::/16, dst=3ffe:501::/32
181 * src=3ffe:501::/32, dst=3ffe::/16
182 *
183 * We need to loop through all the possible candidates
184 * to get the best match - the search takes O(n) for
185 * n attachments (i.e. interfaces).
186 */
187 if (prio <= 0)
188 continue;
189 if (prio > matchprio) {
190 matchprio = prio;
191 match = ep;
192 }
193 }
194
195 if (match) {
196 /* found a match, "match" has the best one */
197 psw = (const struct ipprotosw *)match->psw;
198 if (psw && psw->pr_input) {
199 encap_fillarg(m, match);
200 (*psw->pr_input)(m, off, proto);
201 } else
202 m_freem(m);
203 return;
204 }
205
206 /* for backward compatibility */
207 if (proto == IPPROTO_IPV4 && ipip_input) {
208 ipip_input(m, off, proto);
209 return;
210 }
211
212 /* last resort: inject to raw socket */
213 rip_input(m, off, proto);
214 }
215 #endif
216
217 #ifdef INET6
218 int
219 encap6_input(mp, offp, proto)
220 struct mbuf **mp;
221 int *offp;
222 int proto;
223 {
224 struct mbuf *m = *mp;
225 struct ip6_hdr *ip6;
226 struct sockaddr_in6 s, d;
227 const struct ip6protosw *psw;
228 struct encaptab *ep, *match;
229 int prio, matchprio;
230
231 ip6 = mtod(m, struct ip6_hdr *);
232
233 bzero(&s, sizeof(s));
234 s.sin6_family = AF_INET6;
235 s.sin6_len = sizeof(struct sockaddr_in6);
236 s.sin6_addr = ip6->ip6_src;
237 bzero(&d, sizeof(d));
238 d.sin6_family = AF_INET6;
239 d.sin6_len = sizeof(struct sockaddr_in6);
240 d.sin6_addr = ip6->ip6_dst;
241
242 match = NULL;
243 matchprio = 0;
244 for (ep = LIST_FIRST(&encaptab); ep; ep = LIST_NEXT(ep, chain)) {
245 if (ep->af != AF_INET6)
246 continue;
247 if (ep->proto >= 0 && ep->proto != proto)
248 continue;
249 if (ep->func)
250 prio = (*ep->func)(m, *offp, proto, ep->arg);
251 else {
252 /*
253 * it's inbound traffic, we need to match in reverse
254 * order
255 */
256 prio = mask_match(ep, (struct sockaddr *)&d,
257 (struct sockaddr *)&s);
258 }
259
260 /* see encap4_input() for issues here */
261 if (prio <= 0)
262 continue;
263 if (prio > matchprio) {
264 matchprio = prio;
265 match = ep;
266 }
267 }
268
269 if (match) {
270 /* found a match */
271 psw = (const struct ip6protosw *)match->psw;
272 if (psw && psw->pr_input) {
273 encap_fillarg(m, match);
274 return (*psw->pr_input)(mp, offp, proto);
275 } else {
276 m_freem(m);
277 return IPPROTO_DONE;
278 }
279 }
280
281 /* last resort: inject to raw socket */
282 return rip6_input(mp, offp, proto);
283 }
284 #endif
285
286 static void
287 encap_add(ep)
288 struct encaptab *ep;
289 {
290
291 LIST_INSERT_HEAD(&encaptab, ep, chain);
292 }
293
294 /*
295 * sp (src ptr) is always my side, and dp (dst ptr) is always remote side.
296 * length of mask (sm and dm) is assumed to be same as sp/dp.
297 * Return value will be necessary as input (cookie) for encap_detach().
298 */
299 const struct encaptab *
300 encap_attach(af, proto, sp, sm, dp, dm, psw, arg)
301 int af;
302 int proto;
303 const struct sockaddr *sp, *sm;
304 const struct sockaddr *dp, *dm;
305 const struct protosw *psw;
306 void *arg;
307 {
308 struct encaptab *ep;
309 int error;
310 int s;
311
312 s = splnet();
313 /* sanity check on args */
314 if (sp->sa_len > sizeof(ep->src) || dp->sa_len > sizeof(ep->dst)) {
315 error = EINVAL;
316 goto fail;
317 }
318 if (sp->sa_len != dp->sa_len) {
319 error = EINVAL;
320 goto fail;
321 }
322 if (af != sp->sa_family || af != dp->sa_family) {
323 error = EINVAL;
324 goto fail;
325 }
326
327 /* check if anyone have already attached with exactly same config */
328 for (ep = LIST_FIRST(&encaptab); ep; ep = LIST_NEXT(ep, chain)) {
329 if (ep->af != af)
330 continue;
331 if (ep->proto != proto)
332 continue;
333 if (ep->src.ss_len != sp->sa_len ||
334 bcmp(&ep->src, sp, sp->sa_len) != 0 ||
335 bcmp(&ep->srcmask, sm, sp->sa_len) != 0)
336 continue;
337 if (ep->dst.ss_len != dp->sa_len ||
338 bcmp(&ep->dst, dp, dp->sa_len) != 0 ||
339 bcmp(&ep->dstmask, dm, dp->sa_len) != 0)
340 continue;
341
342 error = EEXIST;
343 goto fail;
344 }
345
346 ep = malloc(sizeof(*ep), M_NETADDR, M_NOWAIT); /*XXX*/
347 if (ep == NULL) {
348 error = ENOBUFS;
349 goto fail;
350 }
351 bzero(ep, sizeof(*ep));
352
353 ep->af = af;
354 ep->proto = proto;
355 bcopy(sp, &ep->src, sp->sa_len);
356 bcopy(sm, &ep->srcmask, sp->sa_len);
357 bcopy(dp, &ep->dst, dp->sa_len);
358 bcopy(dm, &ep->dstmask, dp->sa_len);
359 ep->psw = psw;
360 ep->arg = arg;
361
362 encap_add(ep);
363
364 error = 0;
365 splx(s);
366 return ep;
367
368 fail:
369 splx(s);
370 return NULL;
371 }
372
373 const struct encaptab *
374 encap_attach_func(af, proto, func, psw, arg)
375 int af;
376 int proto;
377 int (*func) __P((const struct mbuf *, int, int, void *));
378 const struct protosw *psw;
379 void *arg;
380 {
381 struct encaptab *ep;
382 int error;
383 int s;
384
385 s = splnet();
386 /* sanity check on args */
387 if (!func) {
388 error = EINVAL;
389 goto fail;
390 }
391
392 ep = malloc(sizeof(*ep), M_NETADDR, M_NOWAIT); /*XXX*/
393 if (ep == NULL) {
394 error = ENOBUFS;
395 goto fail;
396 }
397 bzero(ep, sizeof(*ep));
398
399 ep->af = af;
400 ep->proto = proto;
401 ep->func = func;
402 ep->psw = psw;
403 ep->arg = arg;
404
405 encap_add(ep);
406
407 error = 0;
408 splx(s);
409 return ep;
410
411 fail:
412 splx(s);
413 return NULL;
414 }
415
416 int
417 encap_detach(cookie)
418 const struct encaptab *cookie;
419 {
420 const struct encaptab *ep = cookie;
421 struct encaptab *p;
422
423 for (p = LIST_FIRST(&encaptab); p; p = LIST_NEXT(p, chain)) {
424 if (p == ep) {
425 LIST_REMOVE(p, chain);
426 free(p, M_NETADDR); /*XXX*/
427 return 0;
428 }
429 }
430
431 return EINVAL;
432 }
433
434 static int
435 mask_match(ep, sp, dp)
436 const struct encaptab *ep;
437 const struct sockaddr *sp;
438 const struct sockaddr *dp;
439 {
440 struct sockaddr_storage s;
441 struct sockaddr_storage d;
442 int i;
443 const u_int8_t *p, *q;
444 u_int8_t *r;
445 int matchlen;
446
447 if (sp->sa_len > sizeof(s) || dp->sa_len > sizeof(d))
448 return 0;
449 if (sp->sa_family != ep->af || dp->sa_family != ep->af)
450 return 0;
451 if (sp->sa_len != ep->src.ss_len || dp->sa_len != ep->dst.ss_len)
452 return 0;
453
454 matchlen = 0;
455
456 p = (const u_int8_t *)sp;
457 q = (const u_int8_t *)&ep->srcmask;
458 r = (u_int8_t *)&s;
459 for (i = 0 ; i < sp->sa_len; i++) {
460 r[i] = p[i] & q[i];
461 /* XXX estimate */
462 matchlen += (q[i] ? 8 : 0);
463 }
464
465 p = (const u_int8_t *)dp;
466 q = (const u_int8_t *)&ep->dstmask;
467 r = (u_int8_t *)&d;
468 for (i = 0 ; i < dp->sa_len; i++) {
469 r[i] = p[i] & q[i];
470 /* XXX rough estimate */
471 matchlen += (q[i] ? 8 : 0);
472 }
473
474 /* need to overwrite len/family portion as we don't compare them */
475 s.ss_len = sp->sa_len;
476 s.ss_family = sp->sa_family;
477 d.ss_len = dp->sa_len;
478 d.ss_family = dp->sa_family;
479
480 if (bcmp(&s, &ep->src, ep->src.ss_len) == 0 &&
481 bcmp(&d, &ep->dst, ep->dst.ss_len) == 0) {
482 return matchlen;
483 } else
484 return 0;
485 }
486
487 static void
488 encap_fillarg(m, ep)
489 struct mbuf *m;
490 const struct encaptab *ep;
491 {
492 struct m_tag *tag;
493
494 tag = m_tag_get(PACKET_TAG_ENCAP, sizeof (void*), M_NOWAIT);
495 if (tag) {
496 *(void**)(tag+1) = ep->arg;
497 m_tag_prepend(m, tag);
498 }
499 }
500
501 void *
502 encap_getarg(m)
503 struct mbuf *m;
504 {
505 void *p = NULL;
506 struct m_tag *tag;
507
508 tag = m_tag_find(m, PACKET_TAG_ENCAP, NULL);
509 if (tag) {
510 p = *(void**)(tag+1);
511 m_tag_delete(m, tag);
512 }
513 return p;
514 }
Cache object: 9db2b75ab43a8f891fe570f389b12687
|