2 /* $KAME: ip_encap.c,v 1.41 2001/03/15 08:35:08 itojun Exp $ */
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * My grandfather said that there's a devil inside tunnelling technology...
35 * We have surprisingly many protocols that want packets with IP protocol
36 * #4 or #41. Here's a list of protocols that want protocol #41:
37 * RFC1933 configured tunnel
38 * RFC1933 automatic tunnel
39 * RFC2401 IPsec tunnel
40 * RFC2473 IPv6 generic packet tunnelling
41 * RFC2529 6over4 tunnel
42 * mobile-ip6 (uses RFC2473)
45 * Here's a list of protocol that want protocol #4:
46 * RFC1853 IPv4-in-IPv4 tunnelling
47 * RFC2003 IPv4 encapsulation within IPv4
48 * RFC2344 reverse tunnelling for mobile-ip4
49 * RFC2401 IPsec tunnel
50 * Well, what can I say. They impose different en/decapsulation mechanism
51 * from each other, so they need separate protocol handler. The only one
52 * we can easily determine by protocol # is IPsec, which always has
53 * AH/ESP/IPComp header right after outer IP header.
55 * So, clearly good old protosw does not work for protocol #4 and #41.
56 * The code will let you match protocol via src/dst address pair.
58 /* XXX is M_NETADDR correct? */
60 #include "opt_mrouting.h"
62 #include "opt_inet6.h"
64 #include <sys/param.h>
65 #include <sys/systm.h>
66 #include <sys/socket.h>
67 #include <sys/sockio.h>
69 #include <sys/errno.h>
70 #include <sys/protosw.h>
71 #include <sys/queue.h>
74 #include <net/route.h>
76 #include <netinet/in.h>
77 #include <netinet/in_systm.h>
78 #include <netinet/ip.h>
79 #include <netinet/ip_var.h>
80 #include <netinet/ip_encap.h>
83 #include <netinet/ip6.h>
84 #include <netinet6/ip6_var.h>
85 #include <netinet6/ip6protosw.h>
88 #include <machine/stdarg.h>
90 #include <sys/kernel.h>
91 #include <sys/malloc.h>
92 static MALLOC_DEFINE(M_NETADDR, "encap_export_host", "Export host address structure");
94 static void encap_add(struct encaptab *);
95 static int mask_match(const struct encaptab *, const struct sockaddr *,
96 const struct sockaddr *);
97 static void encap_fillarg(struct mbuf *, const struct encaptab *);
100 * All global variables in ip_encap.c are locked using encapmtx.
102 static struct mtx encapmtx;
103 MTX_SYSINIT(encapmtx, &encapmtx, "encapmtx", MTX_DEF);
104 LIST_HEAD(, encaptab) encaptab = LIST_HEAD_INITIALIZER(&encaptab);
107 * We currently keey encap_init() for source code compatibility reasons --
108 * it's referenced by KAME pieces in netinet6.
117 encap4_input(struct mbuf *m, int off)
121 struct sockaddr_in s, d;
122 const struct protosw *psw;
123 struct encaptab *ep, *match;
126 ip = mtod(m, struct ip *);
129 bzero(&s, sizeof(s));
130 s.sin_family = AF_INET;
131 s.sin_len = sizeof(struct sockaddr_in);
132 s.sin_addr = ip->ip_src;
133 bzero(&d, sizeof(d));
134 d.sin_family = AF_INET;
135 d.sin_len = sizeof(struct sockaddr_in);
136 d.sin_addr = ip->ip_dst;
141 LIST_FOREACH(ep, &encaptab, chain) {
142 if (ep->af != AF_INET)
144 if (ep->proto >= 0 && ep->proto != proto)
147 prio = (*ep->func)(m, off, proto, ep->arg);
150 * it's inbound traffic, we need to match in reverse
153 prio = mask_match(ep, (struct sockaddr *)&d,
154 (struct sockaddr *)&s);
158 * We prioritize the matches by using bit length of the
159 * matches. mask_match() and user-supplied matching function
160 * should return the bit length of the matches (for example,
161 * if both src/dst are matched for IPv4, 64 should be returned).
162 * 0 or negative return value means "it did not match".
164 * The question is, since we have two "mask" portion, we
165 * cannot really define total order between entries.
166 * For example, which of these should be preferred?
167 * mask_match() returns 48 (32 + 16) for both of them.
168 * src=3ffe::/16, dst=3ffe:501::/32
169 * src=3ffe:501::/32, dst=3ffe::/16
171 * We need to loop through all the possible candidates
172 * to get the best match - the search takes O(n) for
173 * n attachments (i.e. interfaces).
177 if (prio > matchprio) {
182 mtx_unlock(&encapmtx);
185 /* found a match, "match" has the best one */
187 if (psw && psw->pr_input) {
188 encap_fillarg(m, match);
189 (*psw->pr_input)(m, off);
195 /* last resort: inject to raw socket */
202 encap6_input(struct mbuf **mp, int *offp, int proto)
204 struct mbuf *m = *mp;
206 struct sockaddr_in6 s, d;
207 const struct ip6protosw *psw;
208 struct encaptab *ep, *match;
211 ip6 = mtod(m, struct ip6_hdr *);
213 bzero(&s, sizeof(s));
214 s.sin6_family = AF_INET6;
215 s.sin6_len = sizeof(struct sockaddr_in6);
216 s.sin6_addr = ip6->ip6_src;
217 bzero(&d, sizeof(d));
218 d.sin6_family = AF_INET6;
219 d.sin6_len = sizeof(struct sockaddr_in6);
220 d.sin6_addr = ip6->ip6_dst;
225 LIST_FOREACH(ep, &encaptab, chain) {
226 if (ep->af != AF_INET6)
228 if (ep->proto >= 0 && ep->proto != proto)
231 prio = (*ep->func)(m, *offp, proto, ep->arg);
234 * it's inbound traffic, we need to match in reverse
237 prio = mask_match(ep, (struct sockaddr *)&d,
238 (struct sockaddr *)&s);
241 /* see encap4_input() for issues here */
244 if (prio > matchprio) {
249 mtx_unlock(&encapmtx);
253 psw = (const struct ip6protosw *)match->psw;
254 if (psw && psw->pr_input) {
255 encap_fillarg(m, match);
256 return (*psw->pr_input)(mp, offp, proto);
263 /* last resort: inject to raw socket */
264 return rip6_input(mp, offp, proto);
268 /*lint -sem(encap_add, custodial(1)) */
270 encap_add(struct encaptab *ep)
273 mtx_assert(&encapmtx, MA_OWNED);
274 LIST_INSERT_HEAD(&encaptab, ep, chain);
278 * sp (src ptr) is always my side, and dp (dst ptr) is always remote side.
279 * length of mask (sm and dm) is assumed to be same as sp/dp.
280 * Return value will be necessary as input (cookie) for encap_detach().
282 const struct encaptab *
283 encap_attach(int af, int proto, const struct sockaddr *sp,
284 const struct sockaddr *sm, const struct sockaddr *dp,
285 const struct sockaddr *dm, const struct protosw *psw, void *arg)
289 /* sanity check on args */
290 if (sp->sa_len > sizeof(ep->src) || dp->sa_len > sizeof(ep->dst))
292 if (sp->sa_len != dp->sa_len)
294 if (af != sp->sa_family || af != dp->sa_family)
297 /* check if anyone have already attached with exactly same config */
299 LIST_FOREACH(ep, &encaptab, chain) {
302 if (ep->proto != proto)
304 if (ep->src.ss_len != sp->sa_len ||
305 bcmp(&ep->src, sp, sp->sa_len) != 0 ||
306 bcmp(&ep->srcmask, sm, sp->sa_len) != 0)
308 if (ep->dst.ss_len != dp->sa_len ||
309 bcmp(&ep->dst, dp, dp->sa_len) != 0 ||
310 bcmp(&ep->dstmask, dm, dp->sa_len) != 0)
313 mtx_unlock(&encapmtx);
317 ep = malloc(sizeof(*ep), M_NETADDR, M_NOWAIT); /*XXX*/
319 mtx_unlock(&encapmtx);
322 bzero(ep, sizeof(*ep));
326 bcopy(sp, &ep->src, sp->sa_len);
327 bcopy(sm, &ep->srcmask, sp->sa_len);
328 bcopy(dp, &ep->dst, dp->sa_len);
329 bcopy(dm, &ep->dstmask, dp->sa_len);
334 mtx_unlock(&encapmtx);
338 const struct encaptab *
339 encap_attach_func(int af, int proto,
340 int (*func)(const struct mbuf *, int, int, void *),
341 const struct protosw *psw, void *arg)
345 /* sanity check on args */
349 ep = malloc(sizeof(*ep), M_NETADDR, M_NOWAIT); /*XXX*/
352 bzero(ep, sizeof(*ep));
362 mtx_unlock(&encapmtx);
367 encap_detach(const struct encaptab *cookie)
369 const struct encaptab *ep = cookie;
373 LIST_FOREACH(p, &encaptab, chain) {
375 LIST_REMOVE(p, chain);
376 mtx_unlock(&encapmtx);
377 free(p, M_NETADDR); /*XXX*/
381 mtx_unlock(&encapmtx);
387 mask_match(const struct encaptab *ep, const struct sockaddr *sp,
388 const struct sockaddr *dp)
390 struct sockaddr_storage s;
391 struct sockaddr_storage d;
393 const u_int8_t *p, *q;
397 if (sp->sa_len > sizeof(s) || dp->sa_len > sizeof(d))
399 if (sp->sa_family != ep->af || dp->sa_family != ep->af)
401 if (sp->sa_len != ep->src.ss_len || dp->sa_len != ep->dst.ss_len)
406 p = (const u_int8_t *)sp;
407 q = (const u_int8_t *)&ep->srcmask;
409 for (i = 0 ; i < sp->sa_len; i++) {
412 matchlen += (q[i] ? 8 : 0);
415 p = (const u_int8_t *)dp;
416 q = (const u_int8_t *)&ep->dstmask;
418 for (i = 0 ; i < dp->sa_len; i++) {
420 /* XXX rough estimate */
421 matchlen += (q[i] ? 8 : 0);
424 /* need to overwrite len/family portion as we don't compare them */
425 s.ss_len = sp->sa_len;
426 s.ss_family = sp->sa_family;
427 d.ss_len = dp->sa_len;
428 d.ss_family = dp->sa_family;
430 if (bcmp(&s, &ep->src, ep->src.ss_len) == 0 &&
431 bcmp(&d, &ep->dst, ep->dst.ss_len) == 0) {
438 encap_fillarg(struct mbuf *m, const struct encaptab *ep)
442 tag = m_tag_get(PACKET_TAG_ENCAP, sizeof (void*), M_NOWAIT);
444 *(void**)(tag+1) = ep->arg;
445 m_tag_prepend(m, tag);
450 encap_getarg(struct mbuf *m)
455 tag = m_tag_find(m, PACKET_TAG_ENCAP, NULL);
457 p = *(void**)(tag+1);
458 m_tag_delete(m, tag);