2 /* $KAME: if_stf.c,v 1.73 2001/12/03 11:08:30 keiichi Exp $ */
5 * Copyright (C) 2000 WIDE Project.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * 6to4 interface, based on RFC3056.
36 * 6to4 interface is NOT capable of link-layer (I mean, IPv4) multicasting.
37 * There is no address mapping defined from IPv6 multicast address to IPv4
38 * address. Therefore, we do not have IFF_MULTICAST on the interface.
40 * Due to the lack of address mapping for link-local addresses, we cannot
41 * throw packets toward link-local addresses (fe80::x). Also, we cannot throw
42 * packets to link-local multicast addresses (ff02::x).
44 * Here are interesting symptoms due to the lack of link-local address:
46 * Unicast routing exchange:
47 * - RIPng: Impossible. Uses link-local multicast packet toward ff02::9,
48 * and link-local addresses as nexthop.
49 * - OSPFv6: Impossible. OSPFv6 assumes that there's link-local address
50 * assigned to the link, and makes use of them. Also, HELLO packets use
51 * link-local multicast addresses (ff02::5 and ff02::6).
52 * - BGP4+: Maybe. You can only use global address as nexthop, and global
53 * address as TCP endpoint address.
55 * Multicast routing protocols:
56 * - PIM: Hello packet cannot be used to discover adjacent PIM routers.
57 * Adjacent PIM routers must be configured manually (is it really spec-wise
58 * correct thing to do?).
61 * - Redirects cannot be used due to the lack of link-local address.
63 * stf interface does not have, and will not need, a link-local address.
64 * It seems to have no real benefit and does not help the above symptoms much.
65 * Even if we assign link-locals to interface, we cannot really
66 * use link-local unicast/multicast on top of 6to4 cloud (since there's no
67 * encapsulation defined for link-local address), and the above analysis does
68 * not change. RFC3056 does not mandate the assignment of link-local address
71 * 6to4 interface has security issues. Refer to
72 * http://playground.iijlab.net/i-d/draft-itojun-ipv6-transition-abuse-00.txt
73 * for details. The code tries to filter out some of malicious packets.
74 * Note that there is no way to be 100% secure.
78 #include "opt_inet6.h"
80 #include <sys/param.h>
81 #include <sys/systm.h>
82 #include <sys/socket.h>
83 #include <sys/sockio.h>
85 #include <sys/errno.h>
86 #include <sys/kernel.h>
87 #include <sys/module.h>
88 #include <sys/protosw.h>
90 #include <sys/queue.h>
91 #include <sys/sysctl.h>
92 #include <machine/cpu.h>
94 #include <sys/malloc.h>
97 #include <net/if_clone.h>
98 #include <net/route.h>
99 #include <net/netisr.h>
100 #include <net/if_types.h>
101 #include <net/if_stf.h>
102 #include <net/vnet.h>
104 #include <netinet/in.h>
105 #include <netinet/in_systm.h>
106 #include <netinet/ip.h>
107 #include <netinet/ip_var.h>
108 #include <netinet/in_var.h>
110 #include <netinet/ip6.h>
111 #include <netinet6/ip6_var.h>
112 #include <netinet6/in6_var.h>
113 #include <netinet/ip_ecn.h>
115 #include <netinet/ip_encap.h>
117 #include <machine/stdarg.h>
121 #include <security/mac/mac_framework.h>
123 SYSCTL_DECL(_net_link);
124 static SYSCTL_NODE(_net_link, IFT_STF, stf, CTLFLAG_RW, 0, "6to4 Interface");
126 static int stf_route_cache = 1;
127 SYSCTL_INT(_net_link_stf, OID_AUTO, route_cache, CTLFLAG_RW,
128 &stf_route_cache, 0, "Caching of IPv4 routes for 6to4 Output");
130 static int stf_permit_rfc1918 = 0;
131 TUNABLE_INT("net.link.stf.permit_rfc1918", &stf_permit_rfc1918);
132 SYSCTL_INT(_net_link_stf, OID_AUTO, permit_rfc1918, CTLFLAG_RW | CTLFLAG_TUN,
133 &stf_permit_rfc1918, 0, "Permit the use of private IPv4 addresses");
135 #define STFNAME "stf"
138 #define IN6_IS_ADDR_6TO4(x) (ntohs((x)->s6_addr16[0]) == 0x2002)
141 * XXX: Return a pointer with 16-bit aligned. Don't cast it to
142 * struct in_addr *; use bcopy() instead.
144 #define GET_V4(x) ((caddr_t)(&(x)->s6_addr16[1]))
147 struct ifnet *sc_ifp;
149 struct route __sc_ro4;
150 struct route_in6 __sc_ro6; /* just for safety */
152 #define sc_ro __sc_ro46.__sc_ro4
153 struct mtx sc_ro_mtx;
155 const struct encaptab *encap_cookie;
157 #define STF2IFP(sc) ((sc)->sc_ifp)
160 * Note that mutable fields in the softc are not currently locked.
161 * We do lock sc_ro in stf_output though.
163 static MALLOC_DEFINE(M_STF, STFNAME, "6to4 Tunnel Interface");
164 static const int ip_stf_ttl = 40;
166 extern struct domain inetdomain;
167 struct protosw in_stf_protosw = {
169 .pr_domain = &inetdomain,
170 .pr_protocol = IPPROTO_IPV6,
171 .pr_flags = PR_ATOMIC|PR_ADDR,
172 .pr_input = in_stf_input,
173 .pr_output = (pr_output_t *)rip_output,
174 .pr_ctloutput = rip_ctloutput,
175 .pr_usrreqs = &rip_usrreqs
178 static char *stfnames[] = {"stf0", "stf", "6to4", NULL};
180 static int stfmodevent(module_t, int, void *);
181 static int stf_encapcheck(const struct mbuf *, int, int, void *);
182 static struct in6_ifaddr *stf_getsrcifa6(struct ifnet *);
183 static int stf_output(struct ifnet *, struct mbuf *, struct sockaddr *,
185 static int isrfc1918addr(struct in_addr *);
186 static int stf_checkaddr4(struct stf_softc *, struct in_addr *,
188 static int stf_checkaddr6(struct stf_softc *, struct in6_addr *,
190 static void stf_rtrequest(int, struct rtentry *, struct rt_addrinfo *);
191 static int stf_ioctl(struct ifnet *, u_long, caddr_t);
193 static int stf_clone_match(struct if_clone *, const char *);
194 static int stf_clone_create(struct if_clone *, char *, size_t, caddr_t);
195 static int stf_clone_destroy(struct if_clone *, struct ifnet *);
196 struct if_clone stf_cloner = IFC_CLONE_INITIALIZER(STFNAME, NULL, 0,
197 NULL, stf_clone_match, stf_clone_create, stf_clone_destroy);
200 stf_clone_match(struct if_clone *ifc, const char *name)
204 for(i = 0; stfnames[i] != NULL; i++) {
205 if (strcmp(stfnames[i], name) == 0)
213 stf_clone_create(struct if_clone *ifc, char *name, size_t len, caddr_t params)
216 struct stf_softc *sc;
220 * We can only have one unit, but since unit allocation is
221 * already locked, we use it to keep from allocating extra
225 err = ifc_alloc_unit(ifc, &unit);
229 sc = malloc(sizeof(struct stf_softc), M_STF, M_WAITOK | M_ZERO);
230 ifp = STF2IFP(sc) = if_alloc(IFT_STF);
233 ifc_free_unit(ifc, unit);
237 sc->sc_fibnum = curthread->td_proc->p_fibnum;
240 * Set the name manually rather then using if_initname because
241 * we don't conform to the default naming convention for interfaces.
243 strlcpy(ifp->if_xname, name, IFNAMSIZ);
244 ifp->if_dname = ifc->ifc_name;
245 ifp->if_dunit = IF_DUNIT_NONE;
247 mtx_init(&(sc)->sc_ro_mtx, "stf ro", NULL, MTX_DEF);
248 sc->encap_cookie = encap_attach_func(AF_INET, IPPROTO_IPV6,
249 stf_encapcheck, &in_stf_protosw, sc);
250 if (sc->encap_cookie == NULL) {
251 if_printf(ifp, "attach failed\n");
253 ifc_free_unit(ifc, unit);
257 ifp->if_mtu = IPV6_MMTU;
258 ifp->if_ioctl = stf_ioctl;
259 ifp->if_output = stf_output;
260 ifp->if_snd.ifq_maxlen = ifqmaxlen;
262 bpfattach(ifp, DLT_NULL, sizeof(u_int32_t));
267 stf_clone_destroy(struct if_clone *ifc, struct ifnet *ifp)
269 struct stf_softc *sc = ifp->if_softc;
272 err = encap_detach(sc->encap_cookie);
273 KASSERT(err == 0, ("Unexpected error detaching encap_cookie"));
274 mtx_destroy(&(sc)->sc_ro_mtx);
280 ifc_free_unit(ifc, STFUNIT);
286 stfmodevent(mod, type, data)
294 if_clone_attach(&stf_cloner);
297 if_clone_detach(&stf_cloner);
306 static moduledata_t stf_mod = {
312 DECLARE_MODULE(if_stf, stf_mod, SI_SUB_PSEUDO, SI_ORDER_ANY);
315 stf_encapcheck(m, off, proto, arg)
316 const struct mbuf *m;
322 struct in6_ifaddr *ia6;
323 struct stf_softc *sc;
324 struct in_addr a, b, mask;
326 sc = (struct stf_softc *)arg;
330 if ((STF2IFP(sc)->if_flags & IFF_UP) == 0)
333 /* IFF_LINK0 means "no decapsulation" */
334 if ((STF2IFP(sc)->if_flags & IFF_LINK0) != 0)
337 if (proto != IPPROTO_IPV6)
340 /* LINTED const cast */
341 m_copydata((struct mbuf *)(uintptr_t)m, 0, sizeof(ip), (caddr_t)&ip);
346 ia6 = stf_getsrcifa6(STF2IFP(sc));
351 * check if IPv4 dst matches the IPv4 address derived from the
352 * local 6to4 address.
353 * success on: dst = 10.1.1.1, ia6->ia_addr = 2002:0a01:0101:...
355 if (bcmp(GET_V4(&ia6->ia_addr.sin6_addr), &ip.ip_dst,
356 sizeof(ip.ip_dst)) != 0) {
357 ifa_free(&ia6->ia_ifa);
362 * check if IPv4 src matches the IPv4 address derived from the
363 * local 6to4 address masked by prefixmask.
364 * success on: src = 10.1.1.1, ia6->ia_addr = 2002:0a00:.../24
365 * fail on: src = 10.1.1.1, ia6->ia_addr = 2002:0b00:.../24
367 bzero(&a, sizeof(a));
368 bcopy(GET_V4(&ia6->ia_addr.sin6_addr), &a, sizeof(a));
369 bcopy(GET_V4(&ia6->ia_prefixmask.sin6_addr), &mask, sizeof(mask));
370 ifa_free(&ia6->ia_ifa);
371 a.s_addr &= mask.s_addr;
373 b.s_addr &= mask.s_addr;
374 if (a.s_addr != b.s_addr)
377 /* stf interface makes single side match only */
381 static struct in6_ifaddr *
386 struct in_ifaddr *ia4;
387 struct sockaddr_in6 *sin6;
391 TAILQ_FOREACH(ia, &ifp->if_addrhead, ifa_link) {
392 if (ia->ifa_addr->sa_family != AF_INET6)
394 sin6 = (struct sockaddr_in6 *)ia->ifa_addr;
395 if (!IN6_IS_ADDR_6TO4(&sin6->sin6_addr))
398 bcopy(GET_V4(&sin6->sin6_addr), &in, sizeof(in));
399 LIST_FOREACH(ia4, INADDR_HASH(in.s_addr), ia_hash)
400 if (ia4->ia_addr.sin_addr.s_addr == in.s_addr)
406 if_addr_runlock(ifp);
407 return (struct in6_ifaddr *)ia;
409 if_addr_runlock(ifp);
415 stf_output(ifp, m, dst, ro)
418 struct sockaddr *dst;
421 struct stf_softc *sc;
422 struct sockaddr_in6 *dst6;
423 struct route *cached_route;
426 struct sockaddr_in *dst4;
430 struct in6_ifaddr *ia6;
435 error = mac_ifnet_check_transmit(ifp, m);
443 dst6 = (struct sockaddr_in6 *)dst;
446 if ((ifp->if_flags & IFF_UP) == 0) {
453 * If we don't have an ip4 address that match my inner ip6 address,
454 * we shouldn't generate output. Without this check, we'll end up
455 * using wrong IPv4 source.
457 ia6 = stf_getsrcifa6(ifp);
464 if (m->m_len < sizeof(*ip6)) {
465 m = m_pullup(m, sizeof(*ip6));
467 ifa_free(&ia6->ia_ifa);
472 ip6 = mtod(m, struct ip6_hdr *);
473 tos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
476 * BPF writes need to be handled specially.
477 * This is a null operation, nothing here checks dst->sa_family.
479 if (dst->sa_family == AF_UNSPEC) {
480 bcopy(dst->sa_data, &af, sizeof(af));
485 * Pickup the right outer dst addr from the list of candidates.
486 * ip6_dst has priority as it may be able to give us shorter IPv4 hops.
489 if (IN6_IS_ADDR_6TO4(&ip6->ip6_dst))
490 ptr = GET_V4(&ip6->ip6_dst);
491 else if (IN6_IS_ADDR_6TO4(&dst6->sin6_addr))
492 ptr = GET_V4(&dst6->sin6_addr);
494 ifa_free(&ia6->ia_ifa);
499 bcopy(ptr, &in4, sizeof(in4));
501 if (bpf_peers_present(ifp->if_bpf)) {
503 * We need to prepend the address family as
504 * a four byte field. Cons up a dummy header
505 * to pacify bpf. This is safe because bpf
506 * will only read from the mbuf (i.e., it won't
507 * try to free it or keep a pointer a to it).
510 bpf_mtap2(ifp->if_bpf, &af, sizeof(af), m);
513 M_PREPEND(m, sizeof(struct ip), M_DONTWAIT);
514 if (m && m->m_len < sizeof(struct ip))
515 m = m_pullup(m, sizeof(struct ip));
517 ifa_free(&ia6->ia_ifa);
521 ip = mtod(m, struct ip *);
523 bzero(ip, sizeof(*ip));
525 bcopy(GET_V4(&((struct sockaddr_in6 *)&ia6->ia_addr)->sin6_addr),
526 &ip->ip_src, sizeof(ip->ip_src));
527 ifa_free(&ia6->ia_ifa);
528 bcopy(&in4, &ip->ip_dst, sizeof(ip->ip_dst));
529 ip->ip_p = IPPROTO_IPV6;
530 ip->ip_ttl = ip_stf_ttl;
531 ip->ip_len = m->m_pkthdr.len; /*host order*/
532 if (ifp->if_flags & IFF_LINK1)
533 ip_ecn_ingress(ECN_ALLOWED, &ip->ip_tos, &tos);
535 ip_ecn_ingress(ECN_NOCARE, &ip->ip_tos, &tos);
537 if (!stf_route_cache) {
543 * Do we have a cached route?
545 mtx_lock(&(sc)->sc_ro_mtx);
546 dst4 = (struct sockaddr_in *)&sc->sc_ro.ro_dst;
547 if (dst4->sin_family != AF_INET ||
548 bcmp(&dst4->sin_addr, &ip->ip_dst, sizeof(ip->ip_dst)) != 0) {
549 /* cache route doesn't match */
550 dst4->sin_family = AF_INET;
551 dst4->sin_len = sizeof(struct sockaddr_in);
552 bcopy(&ip->ip_dst, &dst4->sin_addr, sizeof(dst4->sin_addr));
553 if (sc->sc_ro.ro_rt) {
554 RTFREE(sc->sc_ro.ro_rt);
555 sc->sc_ro.ro_rt = NULL;
559 if (sc->sc_ro.ro_rt == NULL) {
560 rtalloc_fib(&sc->sc_ro, sc->sc_fibnum);
561 if (sc->sc_ro.ro_rt == NULL) {
563 mtx_unlock(&(sc)->sc_ro_mtx);
568 cached_route = &sc->sc_ro;
571 M_SETFIB(m, sc->sc_fibnum);
573 error = ip_output(m, NULL, cached_route, 0, NULL, NULL);
575 if (cached_route != NULL)
576 mtx_unlock(&(sc)->sc_ro_mtx);
585 * returns 1 if private address range:
586 * 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
588 if (stf_permit_rfc1918 == 0 && (
589 (ntohl(in->s_addr) & 0xff000000) >> 24 == 10 ||
590 (ntohl(in->s_addr) & 0xfff00000) >> 16 == 172 * 256 + 16 ||
591 (ntohl(in->s_addr) & 0xffff0000) >> 16 == 192 * 256 + 168))
598 stf_checkaddr4(sc, in, inifp)
599 struct stf_softc *sc;
601 struct ifnet *inifp; /* incoming interface */
603 struct in_ifaddr *ia4;
606 * reject packets with the following address:
607 * 224.0.0.0/4 0.0.0.0/8 127.0.0.0/8 255.0.0.0/8
609 if (IN_MULTICAST(ntohl(in->s_addr)))
611 switch ((ntohl(in->s_addr) & 0xff000000) >> 24) {
612 case 0: case 127: case 255:
617 * reject packets with private address range.
618 * (requirement from RFC3056 section 2 1st paragraph)
620 if (isrfc1918addr(in))
624 * reject packets with broadcast
627 for (ia4 = TAILQ_FIRST(&V_in_ifaddrhead);
629 ia4 = TAILQ_NEXT(ia4, ia_link))
631 if ((ia4->ia_ifa.ifa_ifp->if_flags & IFF_BROADCAST) == 0)
633 if (in->s_addr == ia4->ia_broadaddr.sin_addr.s_addr) {
641 * perform ingress filter
643 if (sc && (STF2IFP(sc)->if_flags & IFF_LINK2) == 0 && inifp) {
644 struct sockaddr_in sin;
647 bzero(&sin, sizeof(sin));
648 sin.sin_family = AF_INET;
649 sin.sin_len = sizeof(struct sockaddr_in);
651 rt = rtalloc1_fib((struct sockaddr *)&sin, 0,
653 if (!rt || rt->rt_ifp != inifp) {
655 log(LOG_WARNING, "%s: packet from 0x%x dropped "
656 "due to ingress filter\n", if_name(STF2IFP(sc)),
657 (u_int32_t)ntohl(sin.sin_addr.s_addr));
670 stf_checkaddr6(sc, in6, inifp)
671 struct stf_softc *sc;
672 struct in6_addr *in6;
673 struct ifnet *inifp; /* incoming interface */
676 * check 6to4 addresses
678 if (IN6_IS_ADDR_6TO4(in6)) {
680 bcopy(GET_V4(in6), &in4, sizeof(in4));
681 return stf_checkaddr4(sc, &in4, inifp);
685 * reject anything that look suspicious. the test is implemented
686 * in ip6_input too, but we check here as well to
687 * (1) reject bad packets earlier, and
688 * (2) to be safe against future ip6_input change.
690 if (IN6_IS_ADDR_V4COMPAT(in6) || IN6_IS_ADDR_V4MAPPED(in6))
702 struct stf_softc *sc;
708 proto = mtod(m, struct ip *)->ip_p;
710 if (proto != IPPROTO_IPV6) {
715 ip = mtod(m, struct ip *);
717 sc = (struct stf_softc *)encap_getarg(m);
719 if (sc == NULL || (STF2IFP(sc)->if_flags & IFF_UP) == 0) {
727 mac_ifnet_create_mbuf(ifp, m);
731 * perform sanity check against outer src/dst.
732 * for source, perform ingress filter as well.
734 if (stf_checkaddr4(sc, &ip->ip_dst, NULL) < 0 ||
735 stf_checkaddr4(sc, &ip->ip_src, m->m_pkthdr.rcvif) < 0) {
743 if (m->m_len < sizeof(*ip6)) {
744 m = m_pullup(m, sizeof(*ip6));
748 ip6 = mtod(m, struct ip6_hdr *);
751 * perform sanity check against inner src/dst.
752 * for source, perform ingress filter as well.
754 if (stf_checkaddr6(sc, &ip6->ip6_dst, NULL) < 0 ||
755 stf_checkaddr6(sc, &ip6->ip6_src, m->m_pkthdr.rcvif) < 0) {
760 itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
761 if ((ifp->if_flags & IFF_LINK1) != 0)
762 ip_ecn_egress(ECN_ALLOWED, &otos, &itos);
764 ip_ecn_egress(ECN_NOCARE, &otos, &itos);
765 ip6->ip6_flow &= ~htonl(0xff << 20);
766 ip6->ip6_flow |= htonl((u_int32_t)itos << 20);
768 m->m_pkthdr.rcvif = ifp;
770 if (bpf_peers_present(ifp->if_bpf)) {
772 * We need to prepend the address family as
773 * a four byte field. Cons up a dummy header
774 * to pacify bpf. This is safe because bpf
775 * will only read from the mbuf (i.e., it won't
776 * try to free it or keep a pointer a to it).
778 u_int32_t af = AF_INET6;
779 bpf_mtap2(ifp->if_bpf, &af, sizeof(af), m);
783 * Put the packet to the network layer input queue according to the
784 * specified address family.
785 * See net/if_gif.c for possible issues with packet processing
786 * reorder due to extra queueing.
789 ifp->if_ibytes += m->m_pkthdr.len;
790 M_SETFIB(m, ifp->if_fib);
791 netisr_dispatch(NETISR_IPV6, m);
796 stf_rtrequest(cmd, rt, info)
799 struct rt_addrinfo *info;
802 rt->rt_rmx.rmx_mtu = rt->rt_ifp->if_mtu;
806 stf_ioctl(ifp, cmd, data)
813 struct sockaddr_in6 *sin6;
820 ifa = (struct ifaddr *)data;
821 if (ifa == NULL || ifa->ifa_addr->sa_family != AF_INET6) {
822 error = EAFNOSUPPORT;
825 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr;
826 if (!IN6_IS_ADDR_6TO4(&sin6->sin6_addr)) {
830 bcopy(GET_V4(&sin6->sin6_addr), &addr, sizeof(addr));
831 if (isrfc1918addr(&addr)) {
836 ifa->ifa_rtrequest = stf_rtrequest;
837 ifp->if_flags |= IFF_UP;
842 ifr = (struct ifreq *)data;
843 if (ifr && ifr->ifr_addr.sa_family == AF_INET6)
846 error = EAFNOSUPPORT;
853 ifr = (struct ifreq *)data;
855 /* RFC 4213 3.2 ideal world MTU */
856 if (mtu < IPV6_MINMTU || mtu > IF_MAXMTU - 20)