1 /*- 2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of the project nor the names of its contributors 14 * may be used to endorse or promote products derived from this software 15 * without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 * 29 * $KAME: if_gif.c,v 1.87 2001/10/19 08:50:27 itojun Exp $ 30 */ 31 32 #include <sys/cdefs.h> 33 __FBSDID("$FreeBSD$"); 34 35 #include "opt_inet.h" 36 #include "opt_inet6.h" 37 38 #include <sys/param.h> 39 #include <sys/systm.h> 40 #include <sys/jail.h> 41 #include <sys/kernel.h> 42 #include <sys/lock.h> 43 #include <sys/malloc.h> 44 #include <sys/mbuf.h> 45 #include <sys/module.h> 46 #include <sys/rmlock.h> 47 #include <sys/socket.h> 48 #include <sys/sockio.h> 49 #include <sys/sx.h> 50 #include <sys/errno.h> 51 #include <sys/time.h> 52 #include <sys/sysctl.h> 53 #include <sys/syslog.h> 54 #include <sys/priv.h> 55 #include <sys/proc.h> 56 #include <sys/protosw.h> 57 #include <sys/conf.h> 58 #include <machine/cpu.h> 59 60 #include <net/if.h> 61 #include <net/if_var.h> 62 #include <net/if_clone.h> 63 #include <net/if_types.h> 64 #include <net/netisr.h> 65 #include <net/route.h> 66 #include <net/bpf.h> 67 #include <net/vnet.h> 68 69 #include <netinet/in.h> 70 #include <netinet/in_systm.h> 71 #include <netinet/ip.h> 72 #include <netinet/ip_ecn.h> 73 #ifdef INET 74 #include <netinet/in_var.h> 75 #include <netinet/in_gif.h> 76 #include <netinet/ip_var.h> 77 #endif /* INET */ 78 79 #ifdef INET6 80 #ifndef INET 81 #include <netinet/in.h> 82 #endif 83 #include <netinet6/in6_var.h> 84 #include <netinet/ip6.h> 85 #include <netinet6/ip6_ecn.h> 86 #include <netinet6/ip6_var.h> 87 #include <netinet6/scope6_var.h> 88 #include <netinet6/in6_gif.h> 89 #include <netinet6/ip6protosw.h> 90 #endif /* INET6 */ 91 92 #include <netinet/ip_encap.h> 93 #include <net/ethernet.h> 94 #include <net/if_bridgevar.h> 95 #include <net/if_gif.h> 96 97 #include <security/mac/mac_framework.h> 98 99 static const char gifname[] = "gif"; 100 101 /* 102 * gif_mtx protects a per-vnet gif_softc_list. 103 */ 104 static VNET_DEFINE(struct mtx, gif_mtx); 105 #define V_gif_mtx VNET(gif_mtx) 106 static MALLOC_DEFINE(M_GIF, "gif", "Generic Tunnel Interface"); 107 static VNET_DEFINE(LIST_HEAD(, gif_softc), gif_softc_list); 108 #define V_gif_softc_list VNET(gif_softc_list) 109 static struct sx gif_ioctl_sx; 110 SX_SYSINIT(gif_ioctl_sx, &gif_ioctl_sx, "gif_ioctl"); 111 112 #define GIF_LIST_LOCK_INIT(x) mtx_init(&V_gif_mtx, "gif_mtx", \ 113 NULL, MTX_DEF) 114 #define GIF_LIST_LOCK_DESTROY(x) mtx_destroy(&V_gif_mtx) 115 #define GIF_LIST_LOCK(x) mtx_lock(&V_gif_mtx) 116 #define GIF_LIST_UNLOCK(x) mtx_unlock(&V_gif_mtx) 117 118 void (*ng_gif_input_p)(struct ifnet *ifp, struct mbuf **mp, int af); 119 void (*ng_gif_input_orphan_p)(struct ifnet *ifp, struct mbuf *m, int af); 120 void (*ng_gif_attach_p)(struct ifnet *ifp); 121 void (*ng_gif_detach_p)(struct ifnet *ifp); 122 123 static int gif_set_tunnel(struct ifnet *, struct sockaddr *, 124 struct sockaddr *); 125 static void gif_delete_tunnel(struct ifnet *); 126 static int gif_ioctl(struct ifnet *, u_long, caddr_t); 127 static int gif_transmit(struct ifnet *, struct mbuf *); 128 static void gif_qflush(struct ifnet *); 129 static int gif_clone_create(struct if_clone *, int, caddr_t); 130 static void gif_clone_destroy(struct ifnet *); 131 static VNET_DEFINE(struct if_clone *, gif_cloner); 132 #define V_gif_cloner VNET(gif_cloner) 133 134 static int gifmodevent(module_t, int, void *); 135 136 SYSCTL_DECL(_net_link); 137 static SYSCTL_NODE(_net_link, IFT_GIF, gif, CTLFLAG_RW, 0, 138 "Generic Tunnel Interface"); 139 #ifndef MAX_GIF_NEST 140 /* 141 * This macro controls the default upper limitation on nesting of gif tunnels. 142 * Since, setting a large value to this macro with a careless configuration 143 * may introduce system crash, we don't allow any nestings by default. 144 * If you need to configure nested gif tunnels, you can define this macro 145 * in your kernel configuration file. However, if you do so, please be 146 * careful to configure the tunnels so that it won't make a loop. 147 */ 148 #define MAX_GIF_NEST 1 149 #endif 150 static VNET_DEFINE(int, max_gif_nesting) = MAX_GIF_NEST; 151 #define V_max_gif_nesting VNET(max_gif_nesting) 152 SYSCTL_VNET_INT(_net_link_gif, OID_AUTO, max_nesting, CTLFLAG_RW, 153 &VNET_NAME(max_gif_nesting), 0, "Max nested tunnels"); 154 155 /* 156 * By default, we disallow creation of multiple tunnels between the same 157 * pair of addresses. Some applications require this functionality so 158 * we allow control over this check here. 159 */ 160 #ifdef XBONEHACK 161 static VNET_DEFINE(int, parallel_tunnels) = 1; 162 #else 163 static VNET_DEFINE(int, parallel_tunnels) = 0; 164 #endif 165 #define V_parallel_tunnels VNET(parallel_tunnels) 166 SYSCTL_VNET_INT(_net_link_gif, OID_AUTO, parallel_tunnels, CTLFLAG_RW, 167 &VNET_NAME(parallel_tunnels), 0, "Allow parallel tunnels?"); 168 169 /* copy from src/sys/net/if_ethersubr.c */ 170 static const u_char etherbroadcastaddr[ETHER_ADDR_LEN] = 171 { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 172 #ifndef ETHER_IS_BROADCAST 173 #define ETHER_IS_BROADCAST(addr) \ 174 (bcmp(etherbroadcastaddr, (addr), ETHER_ADDR_LEN) == 0) 175 #endif 176 177 static int 178 gif_clone_create(struct if_clone *ifc, int unit, caddr_t params) 179 { 180 struct gif_softc *sc; 181 182 sc = malloc(sizeof(struct gif_softc), M_GIF, M_WAITOK | M_ZERO); 183 sc->gif_fibnum = curthread->td_proc->p_fibnum; 184 GIF2IFP(sc) = if_alloc(IFT_GIF); 185 GIF_LOCK_INIT(sc); 186 GIF2IFP(sc)->if_softc = sc; 187 if_initname(GIF2IFP(sc), gifname, unit); 188 189 GIF2IFP(sc)->if_addrlen = 0; 190 GIF2IFP(sc)->if_mtu = GIF_MTU; 191 GIF2IFP(sc)->if_flags = IFF_POINTOPOINT | IFF_MULTICAST; 192 #if 0 193 /* turn off ingress filter */ 194 GIF2IFP(sc)->if_flags |= IFF_LINK2; 195 #endif 196 GIF2IFP(sc)->if_ioctl = gif_ioctl; 197 GIF2IFP(sc)->if_transmit = gif_transmit; 198 GIF2IFP(sc)->if_qflush = gif_qflush; 199 GIF2IFP(sc)->if_output = gif_output; 200 if_attach(GIF2IFP(sc)); 201 bpfattach(GIF2IFP(sc), DLT_NULL, sizeof(u_int32_t)); 202 if (ng_gif_attach_p != NULL) 203 (*ng_gif_attach_p)(GIF2IFP(sc)); 204 205 GIF_LIST_LOCK(); 206 LIST_INSERT_HEAD(&V_gif_softc_list, sc, gif_list); 207 GIF_LIST_UNLOCK(); 208 return (0); 209 } 210 211 static void 212 gif_clone_destroy(struct ifnet *ifp) 213 { 214 struct gif_softc *sc; 215 216 sx_xlock(&gif_ioctl_sx); 217 sc = ifp->if_softc; 218 gif_delete_tunnel(ifp); 219 GIF_LIST_LOCK(); 220 LIST_REMOVE(sc, gif_list); 221 GIF_LIST_UNLOCK(); 222 if (ng_gif_detach_p != NULL) 223 (*ng_gif_detach_p)(ifp); 224 bpfdetach(ifp); 225 if_detach(ifp); 226 ifp->if_softc = NULL; 227 sx_xunlock(&gif_ioctl_sx); 228 229 if_free(ifp); 230 GIF_LOCK_DESTROY(sc); 231 free(sc, M_GIF); 232 } 233 234 static void 235 vnet_gif_init(const void *unused __unused) 236 { 237 238 LIST_INIT(&V_gif_softc_list); 239 GIF_LIST_LOCK_INIT(); 240 V_gif_cloner = if_clone_simple(gifname, gif_clone_create, 241 gif_clone_destroy, 0); 242 } 243 VNET_SYSINIT(vnet_gif_init, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY, 244 vnet_gif_init, NULL); 245 246 static void 247 vnet_gif_uninit(const void *unused __unused) 248 { 249 250 if_clone_detach(V_gif_cloner); 251 GIF_LIST_LOCK_DESTROY(); 252 } 253 VNET_SYSUNINIT(vnet_gif_uninit, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY, 254 vnet_gif_uninit, NULL); 255 256 static int 257 gifmodevent(module_t mod, int type, void *data) 258 { 259 260 switch (type) { 261 case MOD_LOAD: 262 case MOD_UNLOAD: 263 break; 264 default: 265 return (EOPNOTSUPP); 266 } 267 return (0); 268 } 269 270 static moduledata_t gif_mod = { 271 "if_gif", 272 gifmodevent, 273 0 274 }; 275 276 DECLARE_MODULE(if_gif, gif_mod, SI_SUB_PSEUDO, SI_ORDER_ANY); 277 MODULE_VERSION(if_gif, 1); 278 279 int 280 gif_encapcheck(const struct mbuf *m, int off, int proto, void *arg) 281 { 282 GIF_RLOCK_TRACKER; 283 struct gif_softc *sc; 284 int ret; 285 uint8_t ver; 286 287 sc = (struct gif_softc *)arg; 288 if (sc == NULL || (GIF2IFP(sc)->if_flags & IFF_UP) == 0) 289 return (0); 290 291 ret = 0; 292 GIF_RLOCK(sc); 293 294 /* no physical address */ 295 if (sc->gif_family == 0) 296 goto done; 297 298 switch (proto) { 299 #ifdef INET 300 case IPPROTO_IPV4: 301 #endif 302 #ifdef INET6 303 case IPPROTO_IPV6: 304 #endif 305 case IPPROTO_ETHERIP: 306 break; 307 default: 308 goto done; 309 } 310 311 /* Bail on short packets */ 312 if (m->m_pkthdr.len < sizeof(struct ip)) 313 goto done; 314 315 m_copydata(m, 0, 1, &ver); 316 switch (ver >> 4) { 317 #ifdef INET 318 case 4: 319 if (sc->gif_family != AF_INET) 320 goto done; 321 ret = in_gif_encapcheck(m, off, proto, arg); 322 break; 323 #endif 324 #ifdef INET6 325 case 6: 326 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) 327 goto done; 328 if (sc->gif_family != AF_INET6) 329 goto done; 330 ret = in6_gif_encapcheck(m, off, proto, arg); 331 break; 332 #endif 333 } 334 done: 335 GIF_RUNLOCK(sc); 336 return (ret); 337 } 338 339 static int 340 gif_transmit(struct ifnet *ifp, struct mbuf *m) 341 { 342 struct gif_softc *sc; 343 struct etherip_header *eth; 344 #ifdef INET 345 struct ip *ip; 346 #endif 347 #ifdef INET6 348 struct ip6_hdr *ip6; 349 uint32_t t; 350 #endif 351 uint32_t af; 352 uint8_t proto, ecn; 353 int error; 354 355 error = ENETDOWN; 356 sc = ifp->if_softc; 357 if (sc->gif_family == 0) { 358 m_freem(m); 359 goto err; 360 } 361 /* Now pull back the af that we stashed in the csum_data. */ 362 af = m->m_pkthdr.csum_data; 363 BPF_MTAP2(ifp, &af, sizeof(af), m); 364 if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1); 365 if_inc_counter(ifp, IFCOUNTER_OBYTES, m->m_pkthdr.len); 366 M_SETFIB(m, sc->gif_fibnum); 367 /* inner AF-specific encapsulation */ 368 ecn = 0; 369 switch (af) { 370 #ifdef INET 371 case AF_INET: 372 proto = IPPROTO_IPV4; 373 if (m->m_len < sizeof(struct ip)) 374 m = m_pullup(m, sizeof(struct ip)); 375 if (m == NULL) { 376 error = ENOBUFS; 377 goto err; 378 } 379 ip = mtod(m, struct ip *); 380 ip_ecn_ingress((ifp->if_flags & IFF_LINK1) ? ECN_ALLOWED: 381 ECN_NOCARE, &ecn, &ip->ip_tos); 382 break; 383 #endif 384 #ifdef INET6 385 case AF_INET6: 386 proto = IPPROTO_IPV6; 387 if (m->m_len < sizeof(struct ip6_hdr)) 388 m = m_pullup(m, sizeof(struct ip6_hdr)); 389 if (m == NULL) { 390 error = ENOBUFS; 391 goto err; 392 } 393 t = 0; 394 ip6 = mtod(m, struct ip6_hdr *); 395 ip6_ecn_ingress((ifp->if_flags & IFF_LINK1) ? ECN_ALLOWED: 396 ECN_NOCARE, &t, &ip6->ip6_flow); 397 ecn = (ntohl(t) >> 20) & 0xff; 398 break; 399 #endif 400 case AF_LINK: 401 proto = IPPROTO_ETHERIP; 402 M_PREPEND(m, sizeof(struct etherip_header), M_NOWAIT); 403 if (m == NULL) { 404 error = ENOBUFS; 405 goto err; 406 } 407 eth = mtod(m, struct etherip_header *); 408 eth->eip_resvh = 0; 409 if ((sc->gif_options & GIF_SEND_REVETHIP) != 0) { 410 eth->eip_ver = 0; 411 eth->eip_resvl = ETHERIP_VERSION; 412 } else { 413 eth->eip_ver = ETHERIP_VERSION; 414 eth->eip_resvl = 0; 415 } 416 break; 417 default: 418 error = EAFNOSUPPORT; 419 m_freem(m); 420 goto err; 421 } 422 /* XXX should we check if our outer source is legal? */ 423 /* dispatch to output logic based on outer AF */ 424 switch (sc->gif_family) { 425 #ifdef INET 426 case AF_INET: 427 error = in_gif_output(ifp, m, proto, ecn); 428 break; 429 #endif 430 #ifdef INET6 431 case AF_INET6: 432 error = in6_gif_output(ifp, m, proto, ecn); 433 break; 434 #endif 435 default: 436 m_freem(m); 437 } 438 err: 439 if (error) 440 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 441 return (error); 442 } 443 444 static void 445 gif_qflush(struct ifnet *ifp __unused) 446 { 447 448 } 449 450 int 451 gif_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst, 452 struct route *ro) 453 { 454 struct m_tag *mtag; 455 uint32_t af; 456 int gif_called; 457 int error = 0; 458 #ifdef MAC 459 error = mac_ifnet_check_transmit(ifp, m); 460 if (error) 461 goto err; 462 #endif 463 if ((ifp->if_flags & IFF_MONITOR) != 0 || 464 (ifp->if_flags & IFF_UP) == 0) { 465 error = ENETDOWN; 466 goto err; 467 } 468 469 /* 470 * gif may cause infinite recursion calls when misconfigured. 471 * We'll prevent this by detecting loops. 472 * 473 * High nesting level may cause stack exhaustion. 474 * We'll prevent this by introducing upper limit. 475 */ 476 gif_called = 1; 477 mtag = m_tag_locate(m, MTAG_GIF, MTAG_GIF_CALLED, NULL); 478 while (mtag != NULL) { 479 if (*(struct ifnet **)(mtag + 1) == ifp) { 480 log(LOG_NOTICE, 481 "gif_output: loop detected on %s\n", 482 (*(struct ifnet **)(mtag + 1))->if_xname); 483 error = EIO; /* is there better errno? */ 484 goto err; 485 } 486 mtag = m_tag_locate(m, MTAG_GIF, MTAG_GIF_CALLED, mtag); 487 gif_called++; 488 } 489 if (gif_called > V_max_gif_nesting) { 490 log(LOG_NOTICE, 491 "gif_output: recursively called too many times(%d)\n", 492 gif_called); 493 error = EIO; /* is there better errno? */ 494 goto err; 495 } 496 mtag = m_tag_alloc(MTAG_GIF, MTAG_GIF_CALLED, sizeof(struct ifnet *), 497 M_NOWAIT); 498 if (mtag == NULL) { 499 error = ENOMEM; 500 goto err; 501 } 502 *(struct ifnet **)(mtag + 1) = ifp; 503 m_tag_prepend(m, mtag); 504 505 m->m_flags &= ~(M_BCAST|M_MCAST); 506 if (dst->sa_family == AF_UNSPEC) 507 bcopy(dst->sa_data, &af, sizeof(af)); 508 else 509 af = dst->sa_family; 510 if (ifp->if_bridge) 511 af = AF_LINK; 512 /* 513 * Now save the af in the inbound pkt csum data, this is a cheat since 514 * we are using the inbound csum_data field to carry the af over to 515 * the gif_transmit() routine, avoiding using yet another mtag. 516 */ 517 m->m_pkthdr.csum_data = af; 518 return (ifp->if_transmit(ifp, m)); 519 err: 520 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 521 m_freem(m); 522 return (error); 523 } 524 525 void 526 gif_input(struct mbuf *m, struct ifnet *ifp, int proto, uint8_t ecn) 527 { 528 struct etherip_header *eip; 529 #ifdef INET 530 struct ip *ip; 531 #endif 532 #ifdef INET6 533 struct ip6_hdr *ip6; 534 uint32_t t; 535 #endif 536 struct gif_softc *sc; 537 struct ether_header *eh; 538 struct ifnet *oldifp; 539 uint32_t gif_options; 540 int isr, n, af; 541 542 if (ifp == NULL) { 543 /* just in case */ 544 m_freem(m); 545 return; 546 } 547 sc = ifp->if_softc; 548 gif_options = sc->gif_options; 549 m->m_pkthdr.rcvif = ifp; 550 m_clrprotoflags(m); 551 switch (proto) { 552 #ifdef INET 553 case IPPROTO_IPV4: 554 af = AF_INET; 555 if (m->m_len < sizeof(struct ip)) 556 m = m_pullup(m, sizeof(struct ip)); 557 if (m == NULL) 558 goto drop; 559 ip = mtod(m, struct ip *); 560 if (ip_ecn_egress((ifp->if_flags & IFF_LINK1) ? ECN_ALLOWED: 561 ECN_NOCARE, &ecn, &ip->ip_tos) == 0) { 562 m_freem(m); 563 goto drop; 564 } 565 break; 566 #endif 567 #ifdef INET6 568 case IPPROTO_IPV6: 569 af = AF_INET6; 570 if (m->m_len < sizeof(struct ip6_hdr)) 571 m = m_pullup(m, sizeof(struct ip6_hdr)); 572 if (m == NULL) 573 goto drop; 574 t = htonl((uint32_t)ecn << 20); 575 ip6 = mtod(m, struct ip6_hdr *); 576 if (ip6_ecn_egress((ifp->if_flags & IFF_LINK1) ? ECN_ALLOWED: 577 ECN_NOCARE, &t, &ip6->ip6_flow) == 0) { 578 m_freem(m); 579 goto drop; 580 } 581 break; 582 #endif 583 case IPPROTO_ETHERIP: 584 af = AF_LINK; 585 break; 586 default: 587 m_freem(m); 588 goto drop; 589 } 590 591 #ifdef MAC 592 mac_ifnet_create_mbuf(ifp, m); 593 #endif 594 595 if (bpf_peers_present(ifp->if_bpf)) { 596 uint32_t af1 = af; 597 bpf_mtap2(ifp->if_bpf, &af1, sizeof(af1), m); 598 } 599 600 if ((ifp->if_flags & IFF_MONITOR) != 0) { 601 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1); 602 if_inc_counter(ifp, IFCOUNTER_IBYTES, m->m_pkthdr.len); 603 m_freem(m); 604 return; 605 } 606 607 if (ng_gif_input_p != NULL) { 608 (*ng_gif_input_p)(ifp, &m, af); 609 if (m == NULL) 610 goto drop; 611 } 612 613 /* 614 * Put the packet to the network layer input queue according to the 615 * specified address family. 616 * Note: older versions of gif_input directly called network layer 617 * input functions, e.g. ip6_input, here. We changed the policy to 618 * prevent too many recursive calls of such input functions, which 619 * might cause kernel panic. But the change may introduce another 620 * problem; if the input queue is full, packets are discarded. 621 * The kernel stack overflow really happened, and we believed 622 * queue-full rarely occurs, so we changed the policy. 623 */ 624 switch (af) { 625 #ifdef INET 626 case AF_INET: 627 isr = NETISR_IP; 628 break; 629 #endif 630 #ifdef INET6 631 case AF_INET6: 632 isr = NETISR_IPV6; 633 break; 634 #endif 635 case AF_LINK: 636 n = sizeof(struct etherip_header) + sizeof(struct ether_header); 637 if (n > m->m_len) 638 m = m_pullup(m, n); 639 if (m == NULL) 640 goto drop; 641 eip = mtod(m, struct etherip_header *); 642 /* 643 * GIF_ACCEPT_REVETHIP (enabled by default) intentionally 644 * accepts an EtherIP packet with revered version field in 645 * the header. This is a knob for backward compatibility 646 * with FreeBSD 7.2R or prior. 647 */ 648 if (eip->eip_ver != ETHERIP_VERSION) { 649 if ((gif_options & GIF_ACCEPT_REVETHIP) == 0 || 650 eip->eip_resvl != ETHERIP_VERSION) { 651 /* discard unknown versions */ 652 m_freem(m); 653 goto drop; 654 } 655 } 656 m_adj(m, sizeof(struct etherip_header)); 657 658 m->m_flags &= ~(M_BCAST|M_MCAST); 659 m->m_pkthdr.rcvif = ifp; 660 661 if (ifp->if_bridge) { 662 oldifp = ifp; 663 eh = mtod(m, struct ether_header *); 664 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 665 if (ETHER_IS_BROADCAST(eh->ether_dhost)) 666 m->m_flags |= M_BCAST; 667 else 668 m->m_flags |= M_MCAST; 669 if_inc_counter(ifp, IFCOUNTER_IMCASTS, 1); 670 } 671 BRIDGE_INPUT(ifp, m); 672 673 if (m != NULL && ifp != oldifp) { 674 /* 675 * The bridge gave us back itself or one of the 676 * members for which the frame is addressed. 677 */ 678 ether_demux(ifp, m); 679 return; 680 } 681 } 682 if (m != NULL) 683 m_freem(m); 684 return; 685 686 default: 687 if (ng_gif_input_orphan_p != NULL) 688 (*ng_gif_input_orphan_p)(ifp, m, af); 689 else 690 m_freem(m); 691 return; 692 } 693 694 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1); 695 if_inc_counter(ifp, IFCOUNTER_IBYTES, m->m_pkthdr.len); 696 M_SETFIB(m, ifp->if_fib); 697 netisr_dispatch(isr, m); 698 return; 699 drop: 700 if_inc_counter(ifp, IFCOUNTER_IERRORS, 1); 701 } 702 703 /* XXX how should we handle IPv6 scope on SIOC[GS]IFPHYADDR? */ 704 int 705 gif_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) 706 { 707 GIF_RLOCK_TRACKER; 708 struct ifreq *ifr = (struct ifreq*)data; 709 struct sockaddr *dst, *src; 710 struct gif_softc *sc; 711 #ifdef INET 712 struct sockaddr_in *sin = NULL; 713 #endif 714 #ifdef INET6 715 struct sockaddr_in6 *sin6 = NULL; 716 #endif 717 u_int options; 718 int error; 719 720 switch (cmd) { 721 case SIOCSIFADDR: 722 ifp->if_flags |= IFF_UP; 723 case SIOCADDMULTI: 724 case SIOCDELMULTI: 725 case SIOCGIFMTU: 726 case SIOCSIFFLAGS: 727 return (0); 728 case SIOCSIFMTU: 729 if (ifr->ifr_mtu < GIF_MTU_MIN || 730 ifr->ifr_mtu > GIF_MTU_MAX) 731 return (EINVAL); 732 else 733 ifp->if_mtu = ifr->ifr_mtu; 734 return (0); 735 } 736 sx_xlock(&gif_ioctl_sx); 737 sc = ifp->if_softc; 738 if (sc == NULL) { 739 error = ENXIO; 740 goto bad; 741 } 742 error = 0; 743 switch (cmd) { 744 case SIOCSIFPHYADDR: 745 #ifdef INET6 746 case SIOCSIFPHYADDR_IN6: 747 #endif 748 error = EINVAL; 749 switch (cmd) { 750 #ifdef INET 751 case SIOCSIFPHYADDR: 752 src = (struct sockaddr *) 753 &(((struct in_aliasreq *)data)->ifra_addr); 754 dst = (struct sockaddr *) 755 &(((struct in_aliasreq *)data)->ifra_dstaddr); 756 break; 757 #endif 758 #ifdef INET6 759 case SIOCSIFPHYADDR_IN6: 760 src = (struct sockaddr *) 761 &(((struct in6_aliasreq *)data)->ifra_addr); 762 dst = (struct sockaddr *) 763 &(((struct in6_aliasreq *)data)->ifra_dstaddr); 764 break; 765 #endif 766 default: 767 goto bad; 768 } 769 /* sa_family must be equal */ 770 if (src->sa_family != dst->sa_family || 771 src->sa_len != dst->sa_len) 772 goto bad; 773 774 /* validate sa_len */ 775 switch (src->sa_family) { 776 #ifdef INET 777 case AF_INET: 778 if (src->sa_len != sizeof(struct sockaddr_in)) 779 goto bad; 780 break; 781 #endif 782 #ifdef INET6 783 case AF_INET6: 784 if (src->sa_len != sizeof(struct sockaddr_in6)) 785 goto bad; 786 break; 787 #endif 788 default: 789 error = EAFNOSUPPORT; 790 goto bad; 791 } 792 /* check sa_family looks sane for the cmd */ 793 error = EAFNOSUPPORT; 794 switch (cmd) { 795 #ifdef INET 796 case SIOCSIFPHYADDR: 797 if (src->sa_family == AF_INET) 798 break; 799 goto bad; 800 #endif 801 #ifdef INET6 802 case SIOCSIFPHYADDR_IN6: 803 if (src->sa_family == AF_INET6) 804 break; 805 goto bad; 806 #endif 807 } 808 error = EADDRNOTAVAIL; 809 switch (src->sa_family) { 810 #ifdef INET 811 case AF_INET: 812 if (satosin(src)->sin_addr.s_addr == INADDR_ANY || 813 satosin(dst)->sin_addr.s_addr == INADDR_ANY) 814 goto bad; 815 break; 816 #endif 817 #ifdef INET6 818 case AF_INET6: 819 if (IN6_IS_ADDR_UNSPECIFIED(&satosin6(src)->sin6_addr) 820 || 821 IN6_IS_ADDR_UNSPECIFIED(&satosin6(dst)->sin6_addr)) 822 goto bad; 823 /* 824 * Check validity of the scope zone ID of the 825 * addresses, and convert it into the kernel 826 * internal form if necessary. 827 */ 828 error = sa6_embedscope(satosin6(src), 0); 829 if (error != 0) 830 goto bad; 831 error = sa6_embedscope(satosin6(dst), 0); 832 if (error != 0) 833 goto bad; 834 #endif 835 }; 836 error = gif_set_tunnel(ifp, src, dst); 837 break; 838 case SIOCDIFPHYADDR: 839 gif_delete_tunnel(ifp); 840 break; 841 case SIOCGIFPSRCADDR: 842 case SIOCGIFPDSTADDR: 843 #ifdef INET6 844 case SIOCGIFPSRCADDR_IN6: 845 case SIOCGIFPDSTADDR_IN6: 846 #endif 847 if (sc->gif_family == 0) { 848 error = EADDRNOTAVAIL; 849 break; 850 } 851 GIF_RLOCK(sc); 852 switch (cmd) { 853 #ifdef INET 854 case SIOCGIFPSRCADDR: 855 case SIOCGIFPDSTADDR: 856 if (sc->gif_family != AF_INET) { 857 error = EADDRNOTAVAIL; 858 break; 859 } 860 sin = (struct sockaddr_in *)&ifr->ifr_addr; 861 memset(sin, 0, sizeof(*sin)); 862 sin->sin_family = AF_INET; 863 sin->sin_len = sizeof(*sin); 864 break; 865 #endif 866 #ifdef INET6 867 case SIOCGIFPSRCADDR_IN6: 868 case SIOCGIFPDSTADDR_IN6: 869 if (sc->gif_family != AF_INET6) { 870 error = EADDRNOTAVAIL; 871 break; 872 } 873 sin6 = (struct sockaddr_in6 *) 874 &(((struct in6_ifreq *)data)->ifr_addr); 875 memset(sin6, 0, sizeof(*sin6)); 876 sin6->sin6_family = AF_INET6; 877 sin6->sin6_len = sizeof(*sin6); 878 break; 879 #endif 880 default: 881 error = EAFNOSUPPORT; 882 } 883 if (error == 0) { 884 switch (cmd) { 885 #ifdef INET 886 case SIOCGIFPSRCADDR: 887 sin->sin_addr = sc->gif_iphdr->ip_src; 888 break; 889 case SIOCGIFPDSTADDR: 890 sin->sin_addr = sc->gif_iphdr->ip_dst; 891 break; 892 #endif 893 #ifdef INET6 894 case SIOCGIFPSRCADDR_IN6: 895 sin6->sin6_addr = sc->gif_ip6hdr->ip6_src; 896 break; 897 case SIOCGIFPDSTADDR_IN6: 898 sin6->sin6_addr = sc->gif_ip6hdr->ip6_dst; 899 break; 900 #endif 901 } 902 } 903 GIF_RUNLOCK(sc); 904 if (error != 0) 905 break; 906 switch (cmd) { 907 #ifdef INET 908 case SIOCGIFPSRCADDR: 909 case SIOCGIFPDSTADDR: 910 error = prison_if(curthread->td_ucred, 911 (struct sockaddr *)sin); 912 if (error != 0) 913 memset(sin, 0, sizeof(*sin)); 914 break; 915 #endif 916 #ifdef INET6 917 case SIOCGIFPSRCADDR_IN6: 918 case SIOCGIFPDSTADDR_IN6: 919 error = prison_if(curthread->td_ucred, 920 (struct sockaddr *)sin6); 921 if (error == 0) 922 error = sa6_recoverscope(sin6); 923 if (error != 0) 924 memset(sin6, 0, sizeof(*sin6)); 925 #endif 926 } 927 break; 928 case GIFGOPTS: 929 options = sc->gif_options; 930 error = copyout(&options, ifr->ifr_data, sizeof(options)); 931 break; 932 case GIFSOPTS: 933 if ((error = priv_check(curthread, PRIV_NET_GIF)) != 0) 934 break; 935 error = copyin(ifr->ifr_data, &options, sizeof(options)); 936 if (error) 937 break; 938 if (options & ~GIF_OPTMASK) 939 error = EINVAL; 940 else 941 sc->gif_options = options; 942 break; 943 944 default: 945 error = EINVAL; 946 break; 947 } 948 bad: 949 sx_xunlock(&gif_ioctl_sx); 950 return (error); 951 } 952 953 static void 954 gif_detach(struct gif_softc *sc) 955 { 956 957 sx_assert(&gif_ioctl_sx, SA_XLOCKED); 958 if (sc->gif_ecookie != NULL) 959 encap_detach(sc->gif_ecookie); 960 sc->gif_ecookie = NULL; 961 } 962 963 static int 964 gif_attach(struct gif_softc *sc, int af) 965 { 966 967 sx_assert(&gif_ioctl_sx, SA_XLOCKED); 968 switch (af) { 969 #ifdef INET 970 case AF_INET: 971 return (in_gif_attach(sc)); 972 #endif 973 #ifdef INET6 974 case AF_INET6: 975 return (in6_gif_attach(sc)); 976 #endif 977 } 978 return (EAFNOSUPPORT); 979 } 980 981 static int 982 gif_set_tunnel(struct ifnet *ifp, struct sockaddr *src, struct sockaddr *dst) 983 { 984 struct gif_softc *sc = ifp->if_softc; 985 struct gif_softc *tsc; 986 #ifdef INET 987 struct ip *ip; 988 #endif 989 #ifdef INET6 990 struct ip6_hdr *ip6; 991 #endif 992 void *hdr; 993 int error = 0; 994 995 if (sc == NULL) 996 return (ENXIO); 997 /* Disallow parallel tunnels unless instructed otherwise. */ 998 if (V_parallel_tunnels == 0) { 999 GIF_LIST_LOCK(); 1000 LIST_FOREACH(tsc, &V_gif_softc_list, gif_list) { 1001 if (tsc == sc || tsc->gif_family != src->sa_family) 1002 continue; 1003 #ifdef INET 1004 if (tsc->gif_family == AF_INET && 1005 tsc->gif_iphdr->ip_src.s_addr == 1006 satosin(src)->sin_addr.s_addr && 1007 tsc->gif_iphdr->ip_dst.s_addr == 1008 satosin(dst)->sin_addr.s_addr) { 1009 error = EADDRNOTAVAIL; 1010 GIF_LIST_UNLOCK(); 1011 goto bad; 1012 } 1013 #endif 1014 #ifdef INET6 1015 if (tsc->gif_family == AF_INET6 && 1016 IN6_ARE_ADDR_EQUAL(&tsc->gif_ip6hdr->ip6_src, 1017 &satosin6(src)->sin6_addr) && 1018 IN6_ARE_ADDR_EQUAL(&tsc->gif_ip6hdr->ip6_dst, 1019 &satosin6(dst)->sin6_addr)) { 1020 error = EADDRNOTAVAIL; 1021 GIF_LIST_UNLOCK(); 1022 goto bad; 1023 } 1024 #endif 1025 } 1026 GIF_LIST_UNLOCK(); 1027 } 1028 switch (src->sa_family) { 1029 #ifdef INET 1030 case AF_INET: 1031 hdr = ip = malloc(sizeof(struct ip), M_GIF, 1032 M_WAITOK | M_ZERO); 1033 ip->ip_src.s_addr = satosin(src)->sin_addr.s_addr; 1034 ip->ip_dst.s_addr = satosin(dst)->sin_addr.s_addr; 1035 break; 1036 #endif 1037 #ifdef INET6 1038 case AF_INET6: 1039 hdr = ip6 = malloc(sizeof(struct ip6_hdr), M_GIF, 1040 M_WAITOK | M_ZERO); 1041 ip6->ip6_src = satosin6(src)->sin6_addr; 1042 ip6->ip6_dst = satosin6(dst)->sin6_addr; 1043 ip6->ip6_vfc = IPV6_VERSION; 1044 break; 1045 #endif 1046 default: 1047 return (EAFNOSUPPORT); 1048 }; 1049 1050 if (sc->gif_family != src->sa_family) 1051 gif_detach(sc); 1052 if (sc->gif_family == 0 || 1053 sc->gif_family != src->sa_family) 1054 error = gif_attach(sc, src->sa_family); 1055 1056 GIF_WLOCK(sc); 1057 if (sc->gif_family != 0) 1058 free(sc->gif_hdr, M_GIF); 1059 sc->gif_family = src->sa_family; 1060 sc->gif_hdr = hdr; 1061 GIF_WUNLOCK(sc); 1062 #if defined(INET) || defined(INET6) 1063 bad: 1064 #endif 1065 if (error == 0 && sc->gif_family != 0) 1066 ifp->if_drv_flags |= IFF_DRV_RUNNING; 1067 else 1068 ifp->if_drv_flags &= ~IFF_DRV_RUNNING; 1069 return (error); 1070 } 1071 1072 static void 1073 gif_delete_tunnel(struct ifnet *ifp) 1074 { 1075 struct gif_softc *sc = ifp->if_softc; 1076 int family; 1077 1078 if (sc == NULL) 1079 return; 1080 1081 GIF_WLOCK(sc); 1082 family = sc->gif_family; 1083 sc->gif_family = 0; 1084 GIF_WUNLOCK(sc); 1085 if (family != 0) { 1086 gif_detach(sc); 1087 free(sc->gif_hdr, M_GIF); 1088 } 1089 ifp->if_drv_flags &= ~IFF_DRV_RUNNING; 1090 } 1091