2 /* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */
4 * The authors of this code are John Ioannidis (ji@tla.org),
5 * Angelos D. Keromytis (kermit@csd.uch.gr) and
6 * Niels Provos (provos@physnet.uni-hamburg.de).
8 * The original version of this code was written by John Ioannidis
9 * for BSD/OS in Athens, Greece, in November 1995.
11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12 * by Angelos D. Keromytis.
14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
17 * Additional features in 1999 by Angelos D. Keromytis.
19 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
20 * Angelos D. Keromytis and Niels Provos.
21 * Copyright (c) 2001, Angelos D. Keromytis.
23 * Permission to use, copy, and modify this software with or without fee
24 * is hereby granted, provided that this entire notice is included in
25 * all copies of any software which is or includes a copy or
26 * modification of this software.
27 * You may use this code under the GNU public license if you so wish. Please
28 * contribute changes back to the authors under this freer than GPL license
29 * so that we may further the use of strong encryption without limitations to
32 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
33 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
34 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
35 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
40 * IP-inside-IP processing
43 #include "opt_inet6.h"
46 #include <sys/param.h>
47 #include <sys/systm.h>
49 #include <sys/socket.h>
50 #include <sys/kernel.h>
51 #include <sys/protosw.h>
52 #include <sys/sysctl.h>
55 #include <net/if_var.h>
57 #include <net/route.h>
58 #include <net/netisr.h>
61 #include <netinet/in.h>
62 #include <netinet/in_systm.h>
63 #include <netinet/in_var.h>
64 #include <netinet/ip.h>
65 #include <netinet/ip_ecn.h>
66 #include <netinet/ip_var.h>
67 #include <netinet/ip_encap.h>
69 #include <netipsec/ipsec.h>
70 #include <netipsec/xform.h>
72 #include <netipsec/ipip_var.h>
75 #include <netinet/ip6.h>
76 #include <netipsec/ipsec6.h>
77 #include <netinet6/ip6_ecn.h>
78 #include <netinet6/in6_var.h>
79 #include <netinet6/ip6protosw.h>
82 #include <netipsec/key.h>
83 #include <netipsec/key_debug.h>
85 #include <machine/stdarg.h>
88 * We can control the acceptance of IP4 packets by altering the sysctl
89 * net.inet.ipip.allow value. Zero means drop them, all else is acceptance.
91 VNET_DEFINE(int, ipip_allow) = 0;
92 VNET_PCPUSTAT_DEFINE(struct ipipstat, ipipstat);
93 VNET_PCPUSTAT_SYSINIT(ipipstat);
96 VNET_PCPUSTAT_SYSUNINIT(ipipstat);
99 SYSCTL_DECL(_net_inet_ipip);
100 SYSCTL_VNET_INT(_net_inet_ipip, OID_AUTO,
101 ipip_allow, CTLFLAG_RW, &VNET_NAME(ipip_allow), 0, "");
102 SYSCTL_VNET_PCPUSTAT(_net_inet_ipip, IPSECCTL_STATS, stats,
103 struct ipipstat, ipipstat,
104 "IPIP statistics (struct ipipstat, netipsec/ipip_var.h)");
107 #define M_IPSEC (M_AUTHIPHDR|M_AUTHIPDGM|M_DECRYPTED)
109 static void _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp);
113 * Really only a wrapper for ipip_input(), for use with IPv6.
116 ip4_input6(struct mbuf **m, int *offp, int proto)
119 /* If we do not accept IP-in-IP explicitly, drop. */
120 if (!V_ipip_allow && ((*m)->m_flags & M_IPSEC) == 0) {
121 DPRINTF(("%s: dropped due to policy\n", __func__));
122 IPIPSTAT_INC(ipips_pdrops);
127 _ipip_input(*m, *offp, NULL);
134 * Really only a wrapper for ipip_input(), for use with IPv4.
137 ip4_input(struct mbuf **mp, int *offp, int proto)
140 /* If we do not accept IP-in-IP explicitly, drop. */
141 if (!V_ipip_allow && (m->m_flags & M_IPSEC) == 0) {
142 DPRINTF(("%s: dropped due to policy\n", __func__));
143 IPIPSTAT_INC(ipips_pdrops);
148 _ipip_input(*mp, *offp, NULL);
149 return (IPPROTO_DONE);
154 * ipip_input gets called when we receive an IP{46} encapsulated packet,
155 * either because we got it at a real interface, or because AH or ESP
156 * were being used in tunnel mode (in which case the rcvif element will
157 * contain the address of the encX interface associated with the tunnel.
161 _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
165 struct ip6_hdr *ip6 = NULL;
173 IPIPSTAT_INC(ipips_ipackets);
175 m_copydata(m, 0, 1, &v);
180 hlen = sizeof(struct ip);
185 hlen = sizeof(struct ip6_hdr);
189 IPIPSTAT_INC(ipips_family);
191 return /* EAFNOSUPPORT */;
194 /* Bring the IP header in the first mbuf, if not there already */
195 if (m->m_len < hlen) {
196 if ((m = m_pullup(m, hlen)) == NULL) {
197 DPRINTF(("%s: m_pullup (1) failed\n", __func__));
198 IPIPSTAT_INC(ipips_hdrops);
202 ipo = mtod(m, struct ip *);
204 /* Keep outer ecn field. */
213 otos = (ntohl(mtod(m, struct ip6_hdr *)->ip6_flow) >> 20) & 0xff;
217 panic("ipip_input: unknown ip version %u (outer)", v>>4);
220 /* Remove outer IP header */
224 if (m->m_pkthdr.len < sizeof(struct ip)) {
225 IPIPSTAT_INC(ipips_hdrops);
230 m_copydata(m, 0, 1, &v);
235 hlen = sizeof(struct ip);
241 hlen = sizeof(struct ip6_hdr);
245 IPIPSTAT_INC(ipips_family);
247 return; /* EAFNOSUPPORT */
251 * Bring the inner IP header in the first mbuf, if not there already.
253 if (m->m_len < hlen) {
254 if ((m = m_pullup(m, hlen)) == NULL) {
255 DPRINTF(("%s: m_pullup (2) failed\n", __func__));
256 IPIPSTAT_INC(ipips_hdrops);
262 * RFC 1853 specifies that the inner TTL should not be touched on
263 * decapsulation. There's no reason this comment should be here, but
264 * this is as good as any a position.
267 /* Some sanity checks in the inner IP header */
271 ipo = mtod(m, struct ip *);
272 ip_ecn_egress(V_ip4_ipsec_ecn, &otos, &ipo->ip_tos);
277 ip6 = (struct ip6_hdr *) ipo;
278 itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
279 ip_ecn_egress(V_ip6_ipsec_ecn, &otos, &itos);
280 ip6->ip6_flow &= ~htonl(0xff << 20);
281 ip6->ip6_flow |= htonl((u_int32_t) itos << 20);
285 panic("ipip_input: unknown ip version %u (inner)", v>>4);
288 /* Check for local address spoofing. */
289 if ((m->m_pkthdr.rcvif == NULL ||
290 !(m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK)) &&
293 if ((v >> 4) == IPVERSION &&
294 in_localip(ipo->ip_src) != 0) {
295 IPIPSTAT_INC(ipips_spoof);
301 if ((v & IPV6_VERSION_MASK) == IPV6_VERSION &&
302 in6_localip(&ip6->ip6_src) != 0) {
303 IPIPSTAT_INC(ipips_spoof);
311 IPIPSTAT_ADD(ipips_ibytes, m->m_pkthdr.len - iphlen);
314 * Interface pointer stays the same; if no IPsec processing has
315 * been done (or will be done), this will point to a normal
316 * interface. Otherwise, it'll point to an enc interface, which
317 * will allow a packet filter to distinguish between secure and
333 panic("%s: bogus ip version %u", __func__, v>>4);
336 if (netisr_queue(isr, m)) { /* (0) on success. */
337 IPIPSTAT_INC(ipips_qfull);
338 DPRINTF(("%s: packet dropped because of full queue\n",
346 struct ipsecrequest *isr,
352 struct secasvar *sav;
354 struct secasindex *saidx;
356 #if defined(INET) || defined(INET6)
363 struct ip6_hdr *ip6, *ip6o;
367 IPSEC_ASSERT(sav != NULL, ("null SA"));
368 IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
370 /* XXX Deal with empty TDB source/destination addresses. */
372 m_copydata(m, 0, 1, &tp);
373 tp = (tp >> 4) & 0xff; /* Get the IP version number. */
375 saidx = &sav->sah->saidx;
376 switch (saidx->dst.sa.sa_family) {
379 if (saidx->src.sa.sa_family != AF_INET ||
380 saidx->src.sin.sin_addr.s_addr == INADDR_ANY ||
381 saidx->dst.sin.sin_addr.s_addr == INADDR_ANY) {
382 DPRINTF(("%s: unspecified tunnel endpoint "
383 "address in SA %s/%08lx\n", __func__,
384 ipsec_address(&saidx->dst),
385 (u_long) ntohl(sav->spi)));
386 IPIPSTAT_INC(ipips_unspec);
391 M_PREPEND(m, sizeof(struct ip), M_NOWAIT);
393 DPRINTF(("%s: M_PREPEND failed\n", __func__));
394 IPIPSTAT_INC(ipips_hdrops);
399 ipo = mtod(m, struct ip *);
401 ipo->ip_v = IPVERSION;
403 ipo->ip_len = htons(m->m_pkthdr.len);
404 ipo->ip_ttl = V_ip_defttl;
406 ipo->ip_src = saidx->src.sin.sin_addr;
407 ipo->ip_dst = saidx->dst.sin.sin_addr;
409 ipo->ip_id = ip_newid();
411 /* If the inner protocol is IP... */
414 /* Save ECN notification */
415 m_copydata(m, sizeof(struct ip) +
416 offsetof(struct ip, ip_tos),
417 sizeof(u_int8_t), (caddr_t) &itos);
419 ipo->ip_p = IPPROTO_IPIP;
422 * We should be keeping tunnel soft-state and
423 * send back ICMPs if needed.
425 m_copydata(m, sizeof(struct ip) +
426 offsetof(struct ip, ip_off),
427 sizeof(u_int16_t), (caddr_t) &ipo->ip_off);
428 ipo->ip_off = ntohs(ipo->ip_off);
429 ipo->ip_off &= ~(IP_DF | IP_MF | IP_OFFMASK);
430 ipo->ip_off = htons(ipo->ip_off);
433 case (IPV6_VERSION >> 4):
437 /* Save ECN notification. */
438 m_copydata(m, sizeof(struct ip) +
439 offsetof(struct ip6_hdr, ip6_flow),
440 sizeof(u_int32_t), (caddr_t) &itos32);
441 itos = ntohl(itos32) >> 20;
442 ipo->ip_p = IPPROTO_IPV6;
452 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos);
459 if (IN6_IS_ADDR_UNSPECIFIED(&saidx->dst.sin6.sin6_addr) ||
460 saidx->src.sa.sa_family != AF_INET6 ||
461 IN6_IS_ADDR_UNSPECIFIED(&saidx->src.sin6.sin6_addr)) {
462 DPRINTF(("%s: unspecified tunnel endpoint "
463 "address in SA %s/%08lx\n", __func__,
464 ipsec_address(&saidx->dst),
465 (u_long) ntohl(sav->spi)));
466 IPIPSTAT_INC(ipips_unspec);
471 /* scoped address handling */
472 ip6 = mtod(m, struct ip6_hdr *);
473 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src))
474 ip6->ip6_src.s6_addr16[1] = 0;
475 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))
476 ip6->ip6_dst.s6_addr16[1] = 0;
478 M_PREPEND(m, sizeof(struct ip6_hdr), M_NOWAIT);
480 DPRINTF(("%s: M_PREPEND failed\n", __func__));
481 IPIPSTAT_INC(ipips_hdrops);
486 /* Initialize IPv6 header */
487 ip6o = mtod(m, struct ip6_hdr *);
489 ip6o->ip6_vfc &= ~IPV6_VERSION_MASK;
490 ip6o->ip6_vfc |= IPV6_VERSION;
491 ip6o->ip6_plen = htons(m->m_pkthdr.len);
492 ip6o->ip6_hlim = IPV6_DEFHLIM;
493 ip6o->ip6_dst = saidx->dst.sin6.sin6_addr;
494 ip6o->ip6_src = saidx->src.sin6.sin6_addr;
496 /* Fix payload length */
497 ip6o->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6));
502 /* Save ECN notification */
503 m_copydata(m, sizeof(struct ip6_hdr) +
504 offsetof(struct ip, ip_tos), sizeof(u_int8_t),
507 /* This is really IPVERSION. */
508 ip6o->ip6_nxt = IPPROTO_IPIP;
511 case (IPV6_VERSION >> 4):
515 /* Save ECN notification. */
516 m_copydata(m, sizeof(struct ip6_hdr) +
517 offsetof(struct ip6_hdr, ip6_flow),
518 sizeof(u_int32_t), (caddr_t) &itos32);
519 itos = ntohl(itos32) >> 20;
521 ip6o->ip6_nxt = IPPROTO_IPV6;
529 ip_ecn_ingress(V_ip6_ipsec_ecn, &otos, &itos);
530 ip6o->ip6_flow |= htonl((u_int32_t) otos << 20);
536 DPRINTF(("%s: unsupported protocol family %u\n", __func__,
537 saidx->dst.sa.sa_family));
538 IPIPSTAT_INC(ipips_family);
539 error = EAFNOSUPPORT; /* XXX diffs from openbsd */
543 IPIPSTAT_INC(ipips_opackets);
547 if (saidx->dst.sa.sa_family == AF_INET) {
549 if (sav->tdb_xform->xf_type == XF_IP4)
550 tdb->tdb_cur_bytes +=
551 m->m_pkthdr.len - sizeof(struct ip);
553 IPIPSTAT_ADD(ipips_obytes,
554 m->m_pkthdr.len - sizeof(struct ip));
559 if (saidx->dst.sa.sa_family == AF_INET6) {
561 if (sav->tdb_xform->xf_type == XF_IP4)
562 tdb->tdb_cur_bytes +=
563 m->m_pkthdr.len - sizeof(struct ip6_hdr);
565 IPIPSTAT_ADD(ipips_obytes,
566 m->m_pkthdr.len - sizeof(struct ip6_hdr));
579 #if defined(INET) || defined(INET6)
581 ipe4_init(struct secasvar *sav, struct xformsw *xsp)
583 sav->tdb_xform = xsp;
588 ipe4_zeroize(struct secasvar *sav)
590 sav->tdb_xform = NULL;
595 ipe4_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
597 /* This is a rather serious mistake, so no conditional printing. */
598 printf("%s: should never be called\n", __func__);
604 static struct xformsw ipe4_xformsw = {
605 XF_IP4, 0, "IPv4 Simple Encapsulation",
606 ipe4_init, ipe4_zeroize, ipe4_input, ipip_output,
609 extern struct domain inetdomain;
610 #endif /* INET || INET6 */
612 static struct protosw ipe4_protosw = {
614 .pr_domain = &inetdomain,
615 .pr_protocol = IPPROTO_IPV4,
616 .pr_flags = PR_ATOMIC|PR_ADDR|PR_LASTHDR,
617 .pr_input = ip4_input,
618 .pr_ctloutput = rip_ctloutput,
619 .pr_usrreqs = &rip_usrreqs
622 #if defined(INET6) && defined(INET)
623 static struct protosw ipe6_protosw = {
625 .pr_domain = &inetdomain,
626 .pr_protocol = IPPROTO_IPV6,
627 .pr_flags = PR_ATOMIC|PR_ADDR|PR_LASTHDR,
628 .pr_input = ip4_input6,
629 .pr_ctloutput = rip_ctloutput,
630 .pr_usrreqs = &rip_usrreqs
632 #endif /* INET6 && INET */
636 * Check the encapsulated packet to see if we want it
639 ipe4_encapcheck(const struct mbuf *m, int off, int proto, void *arg)
642 * Only take packets coming from IPSEC tunnels; the rest
643 * must be handled by the gif tunnel code. Note that we
644 * also return a minimum priority when we want the packet
645 * so any explicit gif tunnels take precedence.
647 return ((m->m_flags & M_IPSEC) != 0 ? 1 : 0);
655 xform_register(&ipe4_xformsw);
656 /* attach to encapsulation framework */
657 /* XXX save return cookie for detach on module remove */
659 (void) encap_attach_func(AF_INET, -1,
660 ipe4_encapcheck, &ipe4_protosw, NULL);
662 #if defined(INET6) && defined(INET)
663 (void) encap_attach_func(AF_INET6, -1,
664 ipe4_encapcheck, (struct protosw *)&ipe6_protosw, NULL);
667 SYSINIT(ipe4_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipe4_attach, NULL);
projects / FreeBSD / FreeBSD.git / blob