1 /* 2 * L2TP core. 3 * 4 * Copyright (c) 2008,2009,2010 Katalix Systems Ltd 5 * 6 * This file contains some code of the original L2TPv2 pppol2tp 7 * driver, which has the following copyright: 8 * 9 * Authors: Martijn van Oosterhout <kleptog@svana.org> 10 * James Chapman (jchapman@katalix.com) 11 * Contributors: 12 * Michal Ostrowski <mostrows@speakeasy.net> 13 * Arnaldo Carvalho de Melo <acme@xconectiva.com.br> 14 * David S. Miller (davem@redhat.com) 15 * 16 * This program is free software; you can redistribute it and/or modify 17 * it under the terms of the GNU General Public License version 2 as 18 * published by the Free Software Foundation. 19 */ 20 21 #include <linux/module.h> 22 #include <linux/string.h> 23 #include <linux/list.h> 24 #include <linux/rculist.h> 25 #include <linux/uaccess.h> 26 27 #include <linux/kernel.h> 28 #include <linux/spinlock.h> 29 #include <linux/kthread.h> 30 #include <linux/sched.h> 31 #include <linux/slab.h> 32 #include <linux/errno.h> 33 #include <linux/jiffies.h> 34 35 #include <linux/netdevice.h> 36 #include <linux/net.h> 37 #include <linux/inetdevice.h> 38 #include <linux/skbuff.h> 39 #include <linux/init.h> 40 #include <linux/in.h> 41 #include <linux/ip.h> 42 #include <linux/udp.h> 43 #include <linux/l2tp.h> 44 #include <linux/hash.h> 45 #include <linux/sort.h> 46 #include <linux/file.h> 47 #include <linux/nsproxy.h> 48 #include <net/net_namespace.h> 49 #include <net/netns/generic.h> 50 #include <net/dst.h> 51 #include <net/ip.h> 52 #include <net/udp.h> 53 #include <net/inet_common.h> 54 #include <net/xfrm.h> 55 #include <net/protocol.h> 56 57 #include <asm/byteorder.h> 58 #include <linux/atomic.h> 59 60 #include "l2tp_core.h" 61 62 #define L2TP_DRV_VERSION "V2.0" 63 64 /* L2TP header constants */ 65 #define L2TP_HDRFLAG_T 0x8000 66 #define L2TP_HDRFLAG_L 0x4000 67 #define L2TP_HDRFLAG_S 0x0800 68 #define L2TP_HDRFLAG_O 0x0200 69 #define L2TP_HDRFLAG_P 0x0100 70 71 #define L2TP_HDR_VER_MASK 0x000F 72 #define L2TP_HDR_VER_2 0x0002 73 #define L2TP_HDR_VER_3 0x0003 74 75 /* L2TPv3 default L2-specific sublayer */ 76 #define L2TP_SLFLAG_S 0x40000000 77 #define L2TP_SL_SEQ_MASK 0x00ffffff 78 79 #define L2TP_HDR_SIZE_SEQ 10 80 #define L2TP_HDR_SIZE_NOSEQ 6 81 82 /* Default trace flags */ 83 #define L2TP_DEFAULT_DEBUG_FLAGS 0 84 85 #define PRINTK(_mask, _type, _lvl, _fmt, args...) \ 86 do { \ 87 if ((_mask) & (_type)) \ 88 printk(_lvl "L2TP: " _fmt, ##args); \ 89 } while (0) 90 91 /* Private data stored for received packets in the skb. 92 */ 93 struct l2tp_skb_cb { 94 u32 ns; 95 u16 has_seq; 96 u16 length; 97 unsigned long expires; 98 }; 99 100 #define L2TP_SKB_CB(skb) ((struct l2tp_skb_cb *) &skb->cb[sizeof(struct inet_skb_parm)]) 101 102 static atomic_t l2tp_tunnel_count; 103 static atomic_t l2tp_session_count; 104 105 /* per-net private data for this module */ 106 static unsigned int l2tp_net_id; 107 struct l2tp_net { 108 struct list_head l2tp_tunnel_list; 109 spinlock_t l2tp_tunnel_list_lock; 110 struct hlist_head l2tp_session_hlist[L2TP_HASH_SIZE_2]; 111 spinlock_t l2tp_session_hlist_lock; 112 }; 113 114 static void l2tp_session_set_header_len(struct l2tp_session *session, int version); 115 static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel); 116 static void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel); 117 118 static inline struct l2tp_net *l2tp_pernet(struct net *net) 119 { 120 BUG_ON(!net); 121 122 return net_generic(net, l2tp_net_id); 123 } 124 125 126 /* Tunnel reference counts. Incremented per session that is added to 127 * the tunnel. 128 */ 129 static inline void l2tp_tunnel_inc_refcount_1(struct l2tp_tunnel *tunnel) 130 { 131 atomic_inc(&tunnel->ref_count); 132 } 133 134 static inline void l2tp_tunnel_dec_refcount_1(struct l2tp_tunnel *tunnel) 135 { 136 if (atomic_dec_and_test(&tunnel->ref_count)) 137 l2tp_tunnel_free(tunnel); 138 } 139 #ifdef L2TP_REFCNT_DEBUG 140 #define l2tp_tunnel_inc_refcount(_t) do { \ 141 printk(KERN_DEBUG "l2tp_tunnel_inc_refcount: %s:%d %s: cnt=%d\n", __func__, __LINE__, (_t)->name, atomic_read(&_t->ref_count)); \ 142 l2tp_tunnel_inc_refcount_1(_t); \ 143 } while (0) 144 #define l2tp_tunnel_dec_refcount(_t) do { \ 145 printk(KERN_DEBUG "l2tp_tunnel_dec_refcount: %s:%d %s: cnt=%d\n", __func__, __LINE__, (_t)->name, atomic_read(&_t->ref_count)); \ 146 l2tp_tunnel_dec_refcount_1(_t); \ 147 } while (0) 148 #else 149 #define l2tp_tunnel_inc_refcount(t) l2tp_tunnel_inc_refcount_1(t) 150 #define l2tp_tunnel_dec_refcount(t) l2tp_tunnel_dec_refcount_1(t) 151 #endif 152 153 /* Session hash global list for L2TPv3. 154 * The session_id SHOULD be random according to RFC3931, but several 155 * L2TP implementations use incrementing session_ids. So we do a real 156 * hash on the session_id, rather than a simple bitmask. 157 */ 158 static inline struct hlist_head * 159 l2tp_session_id_hash_2(struct l2tp_net *pn, u32 session_id) 160 { 161 return &pn->l2tp_session_hlist[hash_32(session_id, L2TP_HASH_BITS_2)]; 162 163 } 164 165 /* Lookup a session by id in the global session list 166 */ 167 static struct l2tp_session *l2tp_session_find_2(struct net *net, u32 session_id) 168 { 169 struct l2tp_net *pn = l2tp_pernet(net); 170 struct hlist_head *session_list = 171 l2tp_session_id_hash_2(pn, session_id); 172 struct l2tp_session *session; 173 struct hlist_node *walk; 174 175 rcu_read_lock_bh(); 176 hlist_for_each_entry_rcu(session, walk, session_list, global_hlist) { 177 if (session->session_id == session_id) { 178 rcu_read_unlock_bh(); 179 return session; 180 } 181 } 182 rcu_read_unlock_bh(); 183 184 return NULL; 185 } 186 187 /* Session hash list. 188 * The session_id SHOULD be random according to RFC2661, but several 189 * L2TP implementations (Cisco and Microsoft) use incrementing 190 * session_ids. So we do a real hash on the session_id, rather than a 191 * simple bitmask. 192 */ 193 static inline struct hlist_head * 194 l2tp_session_id_hash(struct l2tp_tunnel *tunnel, u32 session_id) 195 { 196 return &tunnel->session_hlist[hash_32(session_id, L2TP_HASH_BITS)]; 197 } 198 199 /* Lookup a session by id 200 */ 201 struct l2tp_session *l2tp_session_find(struct net *net, struct l2tp_tunnel *tunnel, u32 session_id) 202 { 203 struct hlist_head *session_list; 204 struct l2tp_session *session; 205 struct hlist_node *walk; 206 207 /* In L2TPv3, session_ids are unique over all tunnels and we 208 * sometimes need to look them up before we know the 209 * tunnel. 210 */ 211 if (tunnel == NULL) 212 return l2tp_session_find_2(net, session_id); 213 214 session_list = l2tp_session_id_hash(tunnel, session_id); 215 read_lock_bh(&tunnel->hlist_lock); 216 hlist_for_each_entry(session, walk, session_list, hlist) { 217 if (session->session_id == session_id) { 218 read_unlock_bh(&tunnel->hlist_lock); 219 return session; 220 } 221 } 222 read_unlock_bh(&tunnel->hlist_lock); 223 224 return NULL; 225 } 226 EXPORT_SYMBOL_GPL(l2tp_session_find); 227 228 struct l2tp_session *l2tp_session_find_nth(struct l2tp_tunnel *tunnel, int nth) 229 { 230 int hash; 231 struct hlist_node *walk; 232 struct l2tp_session *session; 233 int count = 0; 234 235 read_lock_bh(&tunnel->hlist_lock); 236 for (hash = 0; hash < L2TP_HASH_SIZE; hash++) { 237 hlist_for_each_entry(session, walk, &tunnel->session_hlist[hash], hlist) { 238 if (++count > nth) { 239 read_unlock_bh(&tunnel->hlist_lock); 240 return session; 241 } 242 } 243 } 244 245 read_unlock_bh(&tunnel->hlist_lock); 246 247 return NULL; 248 } 249 EXPORT_SYMBOL_GPL(l2tp_session_find_nth); 250 251 /* Lookup a session by interface name. 252 * This is very inefficient but is only used by management interfaces. 253 */ 254 struct l2tp_session *l2tp_session_find_by_ifname(struct net *net, char *ifname) 255 { 256 struct l2tp_net *pn = l2tp_pernet(net); 257 int hash; 258 struct hlist_node *walk; 259 struct l2tp_session *session; 260 261 rcu_read_lock_bh(); 262 for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++) { 263 hlist_for_each_entry_rcu(session, walk, &pn->l2tp_session_hlist[hash], global_hlist) { 264 if (!strcmp(session->ifname, ifname)) { 265 rcu_read_unlock_bh(); 266 return session; 267 } 268 } 269 } 270 271 rcu_read_unlock_bh(); 272 273 return NULL; 274 } 275 EXPORT_SYMBOL_GPL(l2tp_session_find_by_ifname); 276 277 /* Lookup a tunnel by id 278 */ 279 struct l2tp_tunnel *l2tp_tunnel_find(struct net *net, u32 tunnel_id) 280 { 281 struct l2tp_tunnel *tunnel; 282 struct l2tp_net *pn = l2tp_pernet(net); 283 284 rcu_read_lock_bh(); 285 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) { 286 if (tunnel->tunnel_id == tunnel_id) { 287 rcu_read_unlock_bh(); 288 return tunnel; 289 } 290 } 291 rcu_read_unlock_bh(); 292 293 return NULL; 294 } 295 EXPORT_SYMBOL_GPL(l2tp_tunnel_find); 296 297 struct l2tp_tunnel *l2tp_tunnel_find_nth(struct net *net, int nth) 298 { 299 struct l2tp_net *pn = l2tp_pernet(net); 300 struct l2tp_tunnel *tunnel; 301 int count = 0; 302 303 rcu_read_lock_bh(); 304 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) { 305 if (++count > nth) { 306 rcu_read_unlock_bh(); 307 return tunnel; 308 } 309 } 310 311 rcu_read_unlock_bh(); 312 313 return NULL; 314 } 315 EXPORT_SYMBOL_GPL(l2tp_tunnel_find_nth); 316 317 /***************************************************************************** 318 * Receive data handling 319 *****************************************************************************/ 320 321 /* Queue a skb in order. We come here only if the skb has an L2TP sequence 322 * number. 323 */ 324 static void l2tp_recv_queue_skb(struct l2tp_session *session, struct sk_buff *skb) 325 { 326 struct sk_buff *skbp; 327 struct sk_buff *tmp; 328 u32 ns = L2TP_SKB_CB(skb)->ns; 329 330 spin_lock_bh(&session->reorder_q.lock); 331 skb_queue_walk_safe(&session->reorder_q, skbp, tmp) { 332 if (L2TP_SKB_CB(skbp)->ns > ns) { 333 __skb_queue_before(&session->reorder_q, skbp, skb); 334 PRINTK(session->debug, L2TP_MSG_SEQ, KERN_DEBUG, 335 "%s: pkt %hu, inserted before %hu, reorder_q len=%d\n", 336 session->name, ns, L2TP_SKB_CB(skbp)->ns, 337 skb_queue_len(&session->reorder_q)); 338 session->stats.rx_oos_packets++; 339 goto out; 340 } 341 } 342 343 __skb_queue_tail(&session->reorder_q, skb); 344 345 out: 346 spin_unlock_bh(&session->reorder_q.lock); 347 } 348 349 /* Dequeue a single skb. 350 */ 351 static void l2tp_recv_dequeue_skb(struct l2tp_session *session, struct sk_buff *skb) 352 { 353 struct l2tp_tunnel *tunnel = session->tunnel; 354 int length = L2TP_SKB_CB(skb)->length; 355 356 /* We're about to requeue the skb, so return resources 357 * to its current owner (a socket receive buffer). 358 */ 359 skb_orphan(skb); 360 361 tunnel->stats.rx_packets++; 362 tunnel->stats.rx_bytes += length; 363 session->stats.rx_packets++; 364 session->stats.rx_bytes += length; 365 366 if (L2TP_SKB_CB(skb)->has_seq) { 367 /* Bump our Nr */ 368 session->nr++; 369 if (tunnel->version == L2TP_HDR_VER_2) 370 session->nr &= 0xffff; 371 else 372 session->nr &= 0xffffff; 373 374 PRINTK(session->debug, L2TP_MSG_SEQ, KERN_DEBUG, 375 "%s: updated nr to %hu\n", session->name, session->nr); 376 } 377 378 /* call private receive handler */ 379 if (session->recv_skb != NULL) 380 (*session->recv_skb)(session, skb, L2TP_SKB_CB(skb)->length); 381 else 382 kfree_skb(skb); 383 384 if (session->deref) 385 (*session->deref)(session); 386 } 387 388 /* Dequeue skbs from the session's reorder_q, subject to packet order. 389 * Skbs that have been in the queue for too long are simply discarded. 390 */ 391 static void l2tp_recv_dequeue(struct l2tp_session *session) 392 { 393 struct sk_buff *skb; 394 struct sk_buff *tmp; 395 396 /* If the pkt at the head of the queue has the nr that we 397 * expect to send up next, dequeue it and any other 398 * in-sequence packets behind it. 399 */ 400 start: 401 spin_lock_bh(&session->reorder_q.lock); 402 skb_queue_walk_safe(&session->reorder_q, skb, tmp) { 403 if (time_after(jiffies, L2TP_SKB_CB(skb)->expires)) { 404 session->stats.rx_seq_discards++; 405 session->stats.rx_errors++; 406 PRINTK(session->debug, L2TP_MSG_SEQ, KERN_DEBUG, 407 "%s: oos pkt %u len %d discarded (too old), " 408 "waiting for %u, reorder_q_len=%d\n", 409 session->name, L2TP_SKB_CB(skb)->ns, 410 L2TP_SKB_CB(skb)->length, session->nr, 411 skb_queue_len(&session->reorder_q)); 412 __skb_unlink(skb, &session->reorder_q); 413 kfree_skb(skb); 414 if (session->deref) 415 (*session->deref)(session); 416 continue; 417 } 418 419 if (L2TP_SKB_CB(skb)->has_seq) { 420 if (L2TP_SKB_CB(skb)->ns != session->nr) { 421 PRINTK(session->debug, L2TP_MSG_SEQ, KERN_DEBUG, 422 "%s: holding oos pkt %u len %d, " 423 "waiting for %u, reorder_q_len=%d\n", 424 session->name, L2TP_SKB_CB(skb)->ns, 425 L2TP_SKB_CB(skb)->length, session->nr, 426 skb_queue_len(&session->reorder_q)); 427 goto out; 428 } 429 } 430 __skb_unlink(skb, &session->reorder_q); 431 432 /* Process the skb. We release the queue lock while we 433 * do so to let other contexts process the queue. 434 */ 435 spin_unlock_bh(&session->reorder_q.lock); 436 l2tp_recv_dequeue_skb(session, skb); 437 goto start; 438 } 439 440 out: 441 spin_unlock_bh(&session->reorder_q.lock); 442 } 443 444 static inline int l2tp_verify_udp_checksum(struct sock *sk, 445 struct sk_buff *skb) 446 { 447 struct udphdr *uh = udp_hdr(skb); 448 u16 ulen = ntohs(uh->len); 449 struct inet_sock *inet; 450 __wsum psum; 451 452 if (sk->sk_no_check || skb_csum_unnecessary(skb) || !uh->check) 453 return 0; 454 455 inet = inet_sk(sk); 456 psum = csum_tcpudp_nofold(inet->inet_saddr, inet->inet_daddr, ulen, 457 IPPROTO_UDP, 0); 458 459 if ((skb->ip_summed == CHECKSUM_COMPLETE) && 460 !csum_fold(csum_add(psum, skb->csum))) 461 return 0; 462 463 skb->csum = psum; 464 465 return __skb_checksum_complete(skb); 466 } 467 468 /* Do receive processing of L2TP data frames. We handle both L2TPv2 469 * and L2TPv3 data frames here. 470 * 471 * L2TPv2 Data Message Header 472 * 473 * 0 1 2 3 474 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 475 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 476 * |T|L|x|x|S|x|O|P|x|x|x|x| Ver | Length (opt) | 477 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 478 * | Tunnel ID | Session ID | 479 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 480 * | Ns (opt) | Nr (opt) | 481 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 482 * | Offset Size (opt) | Offset pad... (opt) 483 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 484 * 485 * Data frames are marked by T=0. All other fields are the same as 486 * those in L2TP control frames. 487 * 488 * L2TPv3 Data Message Header 489 * 490 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 491 * | L2TP Session Header | 492 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 493 * | L2-Specific Sublayer | 494 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 495 * | Tunnel Payload ... 496 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 497 * 498 * L2TPv3 Session Header Over IP 499 * 500 * 0 1 2 3 501 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 502 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 503 * | Session ID | 504 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 505 * | Cookie (optional, maximum 64 bits)... 506 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 507 * | 508 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 509 * 510 * L2TPv3 L2-Specific Sublayer Format 511 * 512 * 0 1 2 3 513 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 514 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 515 * |x|S|x|x|x|x|x|x| Sequence Number | 516 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 517 * 518 * Cookie value, sublayer format and offset (pad) are negotiated with 519 * the peer when the session is set up. Unlike L2TPv2, we do not need 520 * to parse the packet header to determine if optional fields are 521 * present. 522 * 523 * Caller must already have parsed the frame and determined that it is 524 * a data (not control) frame before coming here. Fields up to the 525 * session-id have already been parsed and ptr points to the data 526 * after the session-id. 527 */ 528 void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb, 529 unsigned char *ptr, unsigned char *optr, u16 hdrflags, 530 int length, int (*payload_hook)(struct sk_buff *skb)) 531 { 532 struct l2tp_tunnel *tunnel = session->tunnel; 533 int offset; 534 u32 ns, nr; 535 536 /* The ref count is increased since we now hold a pointer to 537 * the session. Take care to decrement the refcnt when exiting 538 * this function from now on... 539 */ 540 l2tp_session_inc_refcount(session); 541 if (session->ref) 542 (*session->ref)(session); 543 544 /* Parse and check optional cookie */ 545 if (session->peer_cookie_len > 0) { 546 if (memcmp(ptr, &session->peer_cookie[0], session->peer_cookie_len)) { 547 PRINTK(tunnel->debug, L2TP_MSG_DATA, KERN_INFO, 548 "%s: cookie mismatch (%u/%u). Discarding.\n", 549 tunnel->name, tunnel->tunnel_id, session->session_id); 550 session->stats.rx_cookie_discards++; 551 goto discard; 552 } 553 ptr += session->peer_cookie_len; 554 } 555 556 /* Handle the optional sequence numbers. Sequence numbers are 557 * in different places for L2TPv2 and L2TPv3. 558 * 559 * If we are the LAC, enable/disable sequence numbers under 560 * the control of the LNS. If no sequence numbers present but 561 * we were expecting them, discard frame. 562 */ 563 ns = nr = 0; 564 L2TP_SKB_CB(skb)->has_seq = 0; 565 if (tunnel->version == L2TP_HDR_VER_2) { 566 if (hdrflags & L2TP_HDRFLAG_S) { 567 ns = ntohs(*(__be16 *) ptr); 568 ptr += 2; 569 nr = ntohs(*(__be16 *) ptr); 570 ptr += 2; 571 572 /* Store L2TP info in the skb */ 573 L2TP_SKB_CB(skb)->ns = ns; 574 L2TP_SKB_CB(skb)->has_seq = 1; 575 576 PRINTK(session->debug, L2TP_MSG_SEQ, KERN_DEBUG, 577 "%s: recv data ns=%u, nr=%u, session nr=%u\n", 578 session->name, ns, nr, session->nr); 579 } 580 } else if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) { 581 u32 l2h = ntohl(*(__be32 *) ptr); 582 583 if (l2h & 0x40000000) { 584 ns = l2h & 0x00ffffff; 585 586 /* Store L2TP info in the skb */ 587 L2TP_SKB_CB(skb)->ns = ns; 588 L2TP_SKB_CB(skb)->has_seq = 1; 589 590 PRINTK(session->debug, L2TP_MSG_SEQ, KERN_DEBUG, 591 "%s: recv data ns=%u, session nr=%u\n", 592 session->name, ns, session->nr); 593 } 594 } 595 596 /* Advance past L2-specific header, if present */ 597 ptr += session->l2specific_len; 598 599 if (L2TP_SKB_CB(skb)->has_seq) { 600 /* Received a packet with sequence numbers. If we're the LNS, 601 * check if we sre sending sequence numbers and if not, 602 * configure it so. 603 */ 604 if ((!session->lns_mode) && (!session->send_seq)) { 605 PRINTK(session->debug, L2TP_MSG_SEQ, KERN_INFO, 606 "%s: requested to enable seq numbers by LNS\n", 607 session->name); 608 session->send_seq = -1; 609 l2tp_session_set_header_len(session, tunnel->version); 610 } 611 } else { 612 /* No sequence numbers. 613 * If user has configured mandatory sequence numbers, discard. 614 */ 615 if (session->recv_seq) { 616 PRINTK(session->debug, L2TP_MSG_SEQ, KERN_WARNING, 617 "%s: recv data has no seq numbers when required. " 618 "Discarding\n", session->name); 619 session->stats.rx_seq_discards++; 620 goto discard; 621 } 622 623 /* If we're the LAC and we're sending sequence numbers, the 624 * LNS has requested that we no longer send sequence numbers. 625 * If we're the LNS and we're sending sequence numbers, the 626 * LAC is broken. Discard the frame. 627 */ 628 if ((!session->lns_mode) && (session->send_seq)) { 629 PRINTK(session->debug, L2TP_MSG_SEQ, KERN_INFO, 630 "%s: requested to disable seq numbers by LNS\n", 631 session->name); 632 session->send_seq = 0; 633 l2tp_session_set_header_len(session, tunnel->version); 634 } else if (session->send_seq) { 635 PRINTK(session->debug, L2TP_MSG_SEQ, KERN_WARNING, 636 "%s: recv data has no seq numbers when required. " 637 "Discarding\n", session->name); 638 session->stats.rx_seq_discards++; 639 goto discard; 640 } 641 } 642 643 /* Session data offset is handled differently for L2TPv2 and 644 * L2TPv3. For L2TPv2, there is an optional 16-bit value in 645 * the header. For L2TPv3, the offset is negotiated using AVPs 646 * in the session setup control protocol. 647 */ 648 if (tunnel->version == L2TP_HDR_VER_2) { 649 /* If offset bit set, skip it. */ 650 if (hdrflags & L2TP_HDRFLAG_O) { 651 offset = ntohs(*(__be16 *)ptr); 652 ptr += 2 + offset; 653 } 654 } else 655 ptr += session->offset; 656 657 offset = ptr - optr; 658 if (!pskb_may_pull(skb, offset)) 659 goto discard; 660 661 __skb_pull(skb, offset); 662 663 /* If caller wants to process the payload before we queue the 664 * packet, do so now. 665 */ 666 if (payload_hook) 667 if ((*payload_hook)(skb)) 668 goto discard; 669 670 /* Prepare skb for adding to the session's reorder_q. Hold 671 * packets for max reorder_timeout or 1 second if not 672 * reordering. 673 */ 674 L2TP_SKB_CB(skb)->length = length; 675 L2TP_SKB_CB(skb)->expires = jiffies + 676 (session->reorder_timeout ? session->reorder_timeout : HZ); 677 678 /* Add packet to the session's receive queue. Reordering is done here, if 679 * enabled. Saved L2TP protocol info is stored in skb->sb[]. 680 */ 681 if (L2TP_SKB_CB(skb)->has_seq) { 682 if (session->reorder_timeout != 0) { 683 /* Packet reordering enabled. Add skb to session's 684 * reorder queue, in order of ns. 685 */ 686 l2tp_recv_queue_skb(session, skb); 687 } else { 688 /* Packet reordering disabled. Discard out-of-sequence 689 * packets 690 */ 691 if (L2TP_SKB_CB(skb)->ns != session->nr) { 692 session->stats.rx_seq_discards++; 693 PRINTK(session->debug, L2TP_MSG_SEQ, KERN_DEBUG, 694 "%s: oos pkt %u len %d discarded, " 695 "waiting for %u, reorder_q_len=%d\n", 696 session->name, L2TP_SKB_CB(skb)->ns, 697 L2TP_SKB_CB(skb)->length, session->nr, 698 skb_queue_len(&session->reorder_q)); 699 goto discard; 700 } 701 skb_queue_tail(&session->reorder_q, skb); 702 } 703 } else { 704 /* No sequence numbers. Add the skb to the tail of the 705 * reorder queue. This ensures that it will be 706 * delivered after all previous sequenced skbs. 707 */ 708 skb_queue_tail(&session->reorder_q, skb); 709 } 710 711 /* Try to dequeue as many skbs from reorder_q as we can. */ 712 l2tp_recv_dequeue(session); 713 714 l2tp_session_dec_refcount(session); 715 716 return; 717 718 discard: 719 session->stats.rx_errors++; 720 kfree_skb(skb); 721 722 if (session->deref) 723 (*session->deref)(session); 724 725 l2tp_session_dec_refcount(session); 726 } 727 EXPORT_SYMBOL(l2tp_recv_common); 728 729 /* Internal UDP receive frame. Do the real work of receiving an L2TP data frame 730 * here. The skb is not on a list when we get here. 731 * Returns 0 if the packet was a data packet and was successfully passed on. 732 * Returns 1 if the packet was not a good data packet and could not be 733 * forwarded. All such packets are passed up to userspace to deal with. 734 */ 735 static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb, 736 int (*payload_hook)(struct sk_buff *skb)) 737 { 738 struct l2tp_session *session = NULL; 739 unsigned char *ptr, *optr; 740 u16 hdrflags; 741 u32 tunnel_id, session_id; 742 int offset; 743 u16 version; 744 int length; 745 746 if (tunnel->sock && l2tp_verify_udp_checksum(tunnel->sock, skb)) 747 goto discard_bad_csum; 748 749 /* UDP always verifies the packet length. */ 750 __skb_pull(skb, sizeof(struct udphdr)); 751 752 /* Short packet? */ 753 if (!pskb_may_pull(skb, L2TP_HDR_SIZE_SEQ)) { 754 PRINTK(tunnel->debug, L2TP_MSG_DATA, KERN_INFO, 755 "%s: recv short packet (len=%d)\n", tunnel->name, skb->len); 756 goto error; 757 } 758 759 /* Point to L2TP header */ 760 optr = ptr = skb->data; 761 762 /* Trace packet contents, if enabled */ 763 if (tunnel->debug & L2TP_MSG_DATA) { 764 length = min(32u, skb->len); 765 if (!pskb_may_pull(skb, length)) 766 goto error; 767 768 printk(KERN_DEBUG "%s: recv: ", tunnel->name); 769 770 offset = 0; 771 do { 772 printk(" %02X", ptr[offset]); 773 } while (++offset < length); 774 775 printk("\n"); 776 } 777 778 /* Get L2TP header flags */ 779 hdrflags = ntohs(*(__be16 *) ptr); 780 781 /* Check protocol version */ 782 version = hdrflags & L2TP_HDR_VER_MASK; 783 if (version != tunnel->version) { 784 PRINTK(tunnel->debug, L2TP_MSG_DATA, KERN_INFO, 785 "%s: recv protocol version mismatch: got %d expected %d\n", 786 tunnel->name, version, tunnel->version); 787 goto error; 788 } 789 790 /* Get length of L2TP packet */ 791 length = skb->len; 792 793 /* If type is control packet, it is handled by userspace. */ 794 if (hdrflags & L2TP_HDRFLAG_T) { 795 PRINTK(tunnel->debug, L2TP_MSG_DATA, KERN_DEBUG, 796 "%s: recv control packet, len=%d\n", tunnel->name, length); 797 goto error; 798 } 799 800 /* Skip flags */ 801 ptr += 2; 802 803 if (tunnel->version == L2TP_HDR_VER_2) { 804 /* If length is present, skip it */ 805 if (hdrflags & L2TP_HDRFLAG_L) 806 ptr += 2; 807 808 /* Extract tunnel and session ID */ 809 tunnel_id = ntohs(*(__be16 *) ptr); 810 ptr += 2; 811 session_id = ntohs(*(__be16 *) ptr); 812 ptr += 2; 813 } else { 814 ptr += 2; /* skip reserved bits */ 815 tunnel_id = tunnel->tunnel_id; 816 session_id = ntohl(*(__be32 *) ptr); 817 ptr += 4; 818 } 819 820 /* Find the session context */ 821 session = l2tp_session_find(tunnel->l2tp_net, tunnel, session_id); 822 if (!session || !session->recv_skb) { 823 /* Not found? Pass to userspace to deal with */ 824 PRINTK(tunnel->debug, L2TP_MSG_DATA, KERN_INFO, 825 "%s: no session found (%u/%u). Passing up.\n", 826 tunnel->name, tunnel_id, session_id); 827 goto error; 828 } 829 830 l2tp_recv_common(session, skb, ptr, optr, hdrflags, length, payload_hook); 831 832 return 0; 833 834 discard_bad_csum: 835 LIMIT_NETDEBUG("%s: UDP: bad checksum\n", tunnel->name); 836 UDP_INC_STATS_USER(tunnel->l2tp_net, UDP_MIB_INERRORS, 0); 837 tunnel->stats.rx_errors++; 838 kfree_skb(skb); 839 840 return 0; 841 842 error: 843 /* Put UDP header back */ 844 __skb_push(skb, sizeof(struct udphdr)); 845 846 return 1; 847 } 848 849 /* UDP encapsulation receive handler. See net/ipv4/udp.c. 850 * Return codes: 851 * 0 : success. 852 * <0: error 853 * >0: skb should be passed up to userspace as UDP. 854 */ 855 int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb) 856 { 857 struct l2tp_tunnel *tunnel; 858 859 tunnel = l2tp_sock_to_tunnel(sk); 860 if (tunnel == NULL) 861 goto pass_up; 862 863 PRINTK(tunnel->debug, L2TP_MSG_DATA, KERN_DEBUG, 864 "%s: received %d bytes\n", tunnel->name, skb->len); 865 866 if (l2tp_udp_recv_core(tunnel, skb, tunnel->recv_payload_hook)) 867 goto pass_up_put; 868 869 sock_put(sk); 870 return 0; 871 872 pass_up_put: 873 sock_put(sk); 874 pass_up: 875 return 1; 876 } 877 EXPORT_SYMBOL_GPL(l2tp_udp_encap_recv); 878 879 /************************************************************************ 880 * Transmit handling 881 ***********************************************************************/ 882 883 /* Build an L2TP header for the session into the buffer provided. 884 */ 885 static int l2tp_build_l2tpv2_header(struct l2tp_session *session, void *buf) 886 { 887 struct l2tp_tunnel *tunnel = session->tunnel; 888 __be16 *bufp = buf; 889 __be16 *optr = buf; 890 u16 flags = L2TP_HDR_VER_2; 891 u32 tunnel_id = tunnel->peer_tunnel_id; 892 u32 session_id = session->peer_session_id; 893 894 if (session->send_seq) 895 flags |= L2TP_HDRFLAG_S; 896 897 /* Setup L2TP header. */ 898 *bufp++ = htons(flags); 899 *bufp++ = htons(tunnel_id); 900 *bufp++ = htons(session_id); 901 if (session->send_seq) { 902 *bufp++ = htons(session->ns); 903 *bufp++ = 0; 904 session->ns++; 905 session->ns &= 0xffff; 906 PRINTK(session->debug, L2TP_MSG_SEQ, KERN_DEBUG, 907 "%s: updated ns to %u\n", session->name, session->ns); 908 } 909 910 return bufp - optr; 911 } 912 913 static int l2tp_build_l2tpv3_header(struct l2tp_session *session, void *buf) 914 { 915 struct l2tp_tunnel *tunnel = session->tunnel; 916 char *bufp = buf; 917 char *optr = bufp; 918 919 /* Setup L2TP header. The header differs slightly for UDP and 920 * IP encapsulations. For UDP, there is 4 bytes of flags. 921 */ 922 if (tunnel->encap == L2TP_ENCAPTYPE_UDP) { 923 u16 flags = L2TP_HDR_VER_3; 924 *((__be16 *) bufp) = htons(flags); 925 bufp += 2; 926 *((__be16 *) bufp) = 0; 927 bufp += 2; 928 } 929 930 *((__be32 *) bufp) = htonl(session->peer_session_id); 931 bufp += 4; 932 if (session->cookie_len) { 933 memcpy(bufp, &session->cookie[0], session->cookie_len); 934 bufp += session->cookie_len; 935 } 936 if (session->l2specific_len) { 937 if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) { 938 u32 l2h = 0; 939 if (session->send_seq) { 940 l2h = 0x40000000 | session->ns; 941 session->ns++; 942 session->ns &= 0xffffff; 943 PRINTK(session->debug, L2TP_MSG_SEQ, KERN_DEBUG, 944 "%s: updated ns to %u\n", session->name, session->ns); 945 } 946 947 *((__be32 *) bufp) = htonl(l2h); 948 } 949 bufp += session->l2specific_len; 950 } 951 if (session->offset) 952 bufp += session->offset; 953 954 return bufp - optr; 955 } 956 957 static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, 958 struct flowi *fl, size_t data_len) 959 { 960 struct l2tp_tunnel *tunnel = session->tunnel; 961 unsigned int len = skb->len; 962 int error; 963 964 /* Debug */ 965 if (session->send_seq) 966 PRINTK(session->debug, L2TP_MSG_DATA, KERN_DEBUG, 967 "%s: send %Zd bytes, ns=%u\n", session->name, 968 data_len, session->ns - 1); 969 else 970 PRINTK(session->debug, L2TP_MSG_DATA, KERN_DEBUG, 971 "%s: send %Zd bytes\n", session->name, data_len); 972 973 if (session->debug & L2TP_MSG_DATA) { 974 int i; 975 int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0; 976 unsigned char *datap = skb->data + uhlen; 977 978 printk(KERN_DEBUG "%s: xmit:", session->name); 979 for (i = 0; i < (len - uhlen); i++) { 980 printk(" %02X", *datap++); 981 if (i == 31) { 982 printk(" ..."); 983 break; 984 } 985 } 986 printk("\n"); 987 } 988 989 /* Queue the packet to IP for output */ 990 skb->local_df = 1; 991 error = ip_queue_xmit(skb, fl); 992 993 /* Update stats */ 994 if (error >= 0) { 995 tunnel->stats.tx_packets++; 996 tunnel->stats.tx_bytes += len; 997 session->stats.tx_packets++; 998 session->stats.tx_bytes += len; 999 } else { 1000 tunnel->stats.tx_errors++; 1001 session->stats.tx_errors++; 1002 } 1003 1004 return 0; 1005 } 1006 1007 /* Automatically called when the skb is freed. 1008 */ 1009 static void l2tp_sock_wfree(struct sk_buff *skb) 1010 { 1011 sock_put(skb->sk); 1012 } 1013 1014 /* For data skbs that we transmit, we associate with the tunnel socket 1015 * but don't do accounting. 1016 */ 1017 static inline void l2tp_skb_set_owner_w(struct sk_buff *skb, struct sock *sk) 1018 { 1019 sock_hold(sk); 1020 skb->sk = sk; 1021 skb->destructor = l2tp_sock_wfree; 1022 } 1023 1024 /* If caller requires the skb to have a ppp header, the header must be 1025 * inserted in the skb data before calling this function. 1026 */ 1027 int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len) 1028 { 1029 int data_len = skb->len; 1030 struct l2tp_tunnel *tunnel = session->tunnel; 1031 struct sock *sk = tunnel->sock; 1032 struct flowi *fl; 1033 struct udphdr *uh; 1034 struct inet_sock *inet; 1035 __wsum csum; 1036 int old_headroom; 1037 int new_headroom; 1038 int headroom; 1039 int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0; 1040 int udp_len; 1041 1042 /* Check that there's enough headroom in the skb to insert IP, 1043 * UDP and L2TP headers. If not enough, expand it to 1044 * make room. Adjust truesize. 1045 */ 1046 headroom = NET_SKB_PAD + sizeof(struct iphdr) + 1047 uhlen + hdr_len; 1048 old_headroom = skb_headroom(skb); 1049 if (skb_cow_head(skb, headroom)) { 1050 dev_kfree_skb(skb); 1051 goto abort; 1052 } 1053 1054 new_headroom = skb_headroom(skb); 1055 skb_orphan(skb); 1056 skb->truesize += new_headroom - old_headroom; 1057 1058 /* Setup L2TP header */ 1059 session->build_header(session, __skb_push(skb, hdr_len)); 1060 1061 /* Reset skb netfilter state */ 1062 memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt)); 1063 IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED | 1064 IPSKB_REROUTED); 1065 nf_reset(skb); 1066 1067 bh_lock_sock(sk); 1068 if (sock_owned_by_user(sk)) { 1069 dev_kfree_skb(skb); 1070 goto out_unlock; 1071 } 1072 1073 /* Get routing info from the tunnel socket */ 1074 skb_dst_drop(skb); 1075 skb_dst_set(skb, dst_clone(__sk_dst_get(sk))); 1076 1077 inet = inet_sk(sk); 1078 fl = &inet->cork.fl; 1079 switch (tunnel->encap) { 1080 case L2TP_ENCAPTYPE_UDP: 1081 /* Setup UDP header */ 1082 __skb_push(skb, sizeof(*uh)); 1083 skb_reset_transport_header(skb); 1084 uh = udp_hdr(skb); 1085 uh->source = inet->inet_sport; 1086 uh->dest = inet->inet_dport; 1087 udp_len = uhlen + hdr_len + data_len; 1088 uh->len = htons(udp_len); 1089 uh->check = 0; 1090 1091 /* Calculate UDP checksum if configured to do so */ 1092 if (sk->sk_no_check == UDP_CSUM_NOXMIT) 1093 skb->ip_summed = CHECKSUM_NONE; 1094 else if ((skb_dst(skb) && skb_dst(skb)->dev) && 1095 (!(skb_dst(skb)->dev->features & NETIF_F_V4_CSUM))) { 1096 skb->ip_summed = CHECKSUM_COMPLETE; 1097 csum = skb_checksum(skb, 0, udp_len, 0); 1098 uh->check = csum_tcpudp_magic(inet->inet_saddr, 1099 inet->inet_daddr, 1100 udp_len, IPPROTO_UDP, csum); 1101 if (uh->check == 0) 1102 uh->check = CSUM_MANGLED_0; 1103 } else { 1104 skb->ip_summed = CHECKSUM_PARTIAL; 1105 skb->csum_start = skb_transport_header(skb) - skb->head; 1106 skb->csum_offset = offsetof(struct udphdr, check); 1107 uh->check = ~csum_tcpudp_magic(inet->inet_saddr, 1108 inet->inet_daddr, 1109 udp_len, IPPROTO_UDP, 0); 1110 } 1111 break; 1112 1113 case L2TP_ENCAPTYPE_IP: 1114 break; 1115 } 1116 1117 l2tp_skb_set_owner_w(skb, sk); 1118 1119 l2tp_xmit_core(session, skb, fl, data_len); 1120 out_unlock: 1121 bh_unlock_sock(sk); 1122 1123 abort: 1124 return 0; 1125 } 1126 EXPORT_SYMBOL_GPL(l2tp_xmit_skb); 1127 1128 /***************************************************************************** 1129 * Tinnel and session create/destroy. 1130 *****************************************************************************/ 1131 1132 /* Tunnel socket destruct hook. 1133 * The tunnel context is deleted only when all session sockets have been 1134 * closed. 1135 */ 1136 static void l2tp_tunnel_destruct(struct sock *sk) 1137 { 1138 struct l2tp_tunnel *tunnel; 1139 1140 tunnel = sk->sk_user_data; 1141 if (tunnel == NULL) 1142 goto end; 1143 1144 PRINTK(tunnel->debug, L2TP_MSG_CONTROL, KERN_INFO, 1145 "%s: closing...\n", tunnel->name); 1146 1147 /* Close all sessions */ 1148 l2tp_tunnel_closeall(tunnel); 1149 1150 switch (tunnel->encap) { 1151 case L2TP_ENCAPTYPE_UDP: 1152 /* No longer an encapsulation socket. See net/ipv4/udp.c */ 1153 (udp_sk(sk))->encap_type = 0; 1154 (udp_sk(sk))->encap_rcv = NULL; 1155 break; 1156 case L2TP_ENCAPTYPE_IP: 1157 break; 1158 } 1159 1160 /* Remove hooks into tunnel socket */ 1161 tunnel->sock = NULL; 1162 sk->sk_destruct = tunnel->old_sk_destruct; 1163 sk->sk_user_data = NULL; 1164 1165 /* Call the original destructor */ 1166 if (sk->sk_destruct) 1167 (*sk->sk_destruct)(sk); 1168 1169 /* We're finished with the socket */ 1170 l2tp_tunnel_dec_refcount(tunnel); 1171 1172 end: 1173 return; 1174 } 1175 1176 /* When the tunnel is closed, all the attached sessions need to go too. 1177 */ 1178 static void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel) 1179 { 1180 int hash; 1181 struct hlist_node *walk; 1182 struct hlist_node *tmp; 1183 struct l2tp_session *session; 1184 1185 BUG_ON(tunnel == NULL); 1186 1187 PRINTK(tunnel->debug, L2TP_MSG_CONTROL, KERN_INFO, 1188 "%s: closing all sessions...\n", tunnel->name); 1189 1190 write_lock_bh(&tunnel->hlist_lock); 1191 for (hash = 0; hash < L2TP_HASH_SIZE; hash++) { 1192 again: 1193 hlist_for_each_safe(walk, tmp, &tunnel->session_hlist[hash]) { 1194 session = hlist_entry(walk, struct l2tp_session, hlist); 1195 1196 PRINTK(session->debug, L2TP_MSG_CONTROL, KERN_INFO, 1197 "%s: closing session\n", session->name); 1198 1199 hlist_del_init(&session->hlist); 1200 1201 /* Since we should hold the sock lock while 1202 * doing any unbinding, we need to release the 1203 * lock we're holding before taking that lock. 1204 * Hold a reference to the sock so it doesn't 1205 * disappear as we're jumping between locks. 1206 */ 1207 if (session->ref != NULL) 1208 (*session->ref)(session); 1209 1210 write_unlock_bh(&tunnel->hlist_lock); 1211 1212 if (tunnel->version != L2TP_HDR_VER_2) { 1213 struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net); 1214 1215 spin_lock_bh(&pn->l2tp_session_hlist_lock); 1216 hlist_del_init_rcu(&session->global_hlist); 1217 spin_unlock_bh(&pn->l2tp_session_hlist_lock); 1218 synchronize_rcu(); 1219 } 1220 1221 if (session->session_close != NULL) 1222 (*session->session_close)(session); 1223 1224 if (session->deref != NULL) 1225 (*session->deref)(session); 1226 1227 write_lock_bh(&tunnel->hlist_lock); 1228 1229 /* Now restart from the beginning of this hash 1230 * chain. We always remove a session from the 1231 * list so we are guaranteed to make forward 1232 * progress. 1233 */ 1234 goto again; 1235 } 1236 } 1237 write_unlock_bh(&tunnel->hlist_lock); 1238 } 1239 1240 /* Really kill the tunnel. 1241 * Come here only when all sessions have been cleared from the tunnel. 1242 */ 1243 static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel) 1244 { 1245 struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net); 1246 1247 BUG_ON(atomic_read(&tunnel->ref_count) != 0); 1248 BUG_ON(tunnel->sock != NULL); 1249 1250 PRINTK(tunnel->debug, L2TP_MSG_CONTROL, KERN_INFO, 1251 "%s: free...\n", tunnel->name); 1252 1253 /* Remove from tunnel list */ 1254 spin_lock_bh(&pn->l2tp_tunnel_list_lock); 1255 list_del_rcu(&tunnel->list); 1256 spin_unlock_bh(&pn->l2tp_tunnel_list_lock); 1257 synchronize_rcu(); 1258 1259 atomic_dec(&l2tp_tunnel_count); 1260 kfree(tunnel); 1261 } 1262 1263 /* Create a socket for the tunnel, if one isn't set up by 1264 * userspace. This is used for static tunnels where there is no 1265 * managing L2TP daemon. 1266 */ 1267 static int l2tp_tunnel_sock_create(u32 tunnel_id, u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg, struct socket **sockp) 1268 { 1269 int err = -EINVAL; 1270 struct sockaddr_in udp_addr; 1271 struct sockaddr_l2tpip ip_addr; 1272 struct socket *sock = NULL; 1273 1274 switch (cfg->encap) { 1275 case L2TP_ENCAPTYPE_UDP: 1276 err = sock_create(AF_INET, SOCK_DGRAM, 0, sockp); 1277 if (err < 0) 1278 goto out; 1279 1280 sock = *sockp; 1281 1282 memset(&udp_addr, 0, sizeof(udp_addr)); 1283 udp_addr.sin_family = AF_INET; 1284 udp_addr.sin_addr = cfg->local_ip; 1285 udp_addr.sin_port = htons(cfg->local_udp_port); 1286 err = kernel_bind(sock, (struct sockaddr *) &udp_addr, sizeof(udp_addr)); 1287 if (err < 0) 1288 goto out; 1289 1290 udp_addr.sin_family = AF_INET; 1291 udp_addr.sin_addr = cfg->peer_ip; 1292 udp_addr.sin_port = htons(cfg->peer_udp_port); 1293 err = kernel_connect(sock, (struct sockaddr *) &udp_addr, sizeof(udp_addr), 0); 1294 if (err < 0) 1295 goto out; 1296 1297 if (!cfg->use_udp_checksums) 1298 sock->sk->sk_no_check = UDP_CSUM_NOXMIT; 1299 1300 break; 1301 1302 case L2TP_ENCAPTYPE_IP: 1303 err = sock_create(AF_INET, SOCK_DGRAM, IPPROTO_L2TP, sockp); 1304 if (err < 0) 1305 goto out; 1306 1307 sock = *sockp; 1308 1309 memset(&ip_addr, 0, sizeof(ip_addr)); 1310 ip_addr.l2tp_family = AF_INET; 1311 ip_addr.l2tp_addr = cfg->local_ip; 1312 ip_addr.l2tp_conn_id = tunnel_id; 1313 err = kernel_bind(sock, (struct sockaddr *) &ip_addr, sizeof(ip_addr)); 1314 if (err < 0) 1315 goto out; 1316 1317 ip_addr.l2tp_family = AF_INET; 1318 ip_addr.l2tp_addr = cfg->peer_ip; 1319 ip_addr.l2tp_conn_id = peer_tunnel_id; 1320 err = kernel_connect(sock, (struct sockaddr *) &ip_addr, sizeof(ip_addr), 0); 1321 if (err < 0) 1322 goto out; 1323 1324 break; 1325 1326 default: 1327 goto out; 1328 } 1329 1330 out: 1331 if ((err < 0) && sock) { 1332 sock_release(sock); 1333 *sockp = NULL; 1334 } 1335 1336 return err; 1337 } 1338 1339 int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp) 1340 { 1341 struct l2tp_tunnel *tunnel = NULL; 1342 int err; 1343 struct socket *sock = NULL; 1344 struct sock *sk = NULL; 1345 struct l2tp_net *pn; 1346 enum l2tp_encap_type encap = L2TP_ENCAPTYPE_UDP; 1347 1348 /* Get the tunnel socket from the fd, which was opened by 1349 * the userspace L2TP daemon. If not specified, create a 1350 * kernel socket. 1351 */ 1352 if (fd < 0) { 1353 err = l2tp_tunnel_sock_create(tunnel_id, peer_tunnel_id, cfg, &sock); 1354 if (err < 0) 1355 goto err; 1356 } else { 1357 err = -EBADF; 1358 sock = sockfd_lookup(fd, &err); 1359 if (!sock) { 1360 printk(KERN_ERR "tunl %hu: sockfd_lookup(fd=%d) returned %d\n", 1361 tunnel_id, fd, err); 1362 goto err; 1363 } 1364 } 1365 1366 sk = sock->sk; 1367 1368 if (cfg != NULL) 1369 encap = cfg->encap; 1370 1371 /* Quick sanity checks */ 1372 switch (encap) { 1373 case L2TP_ENCAPTYPE_UDP: 1374 err = -EPROTONOSUPPORT; 1375 if (sk->sk_protocol != IPPROTO_UDP) { 1376 printk(KERN_ERR "tunl %hu: fd %d wrong protocol, got %d, expected %d\n", 1377 tunnel_id, fd, sk->sk_protocol, IPPROTO_UDP); 1378 goto err; 1379 } 1380 break; 1381 case L2TP_ENCAPTYPE_IP: 1382 err = -EPROTONOSUPPORT; 1383 if (sk->sk_protocol != IPPROTO_L2TP) { 1384 printk(KERN_ERR "tunl %hu: fd %d wrong protocol, got %d, expected %d\n", 1385 tunnel_id, fd, sk->sk_protocol, IPPROTO_L2TP); 1386 goto err; 1387 } 1388 break; 1389 } 1390 1391 /* Check if this socket has already been prepped */ 1392 tunnel = (struct l2tp_tunnel *)sk->sk_user_data; 1393 if (tunnel != NULL) { 1394 /* This socket has already been prepped */ 1395 err = -EBUSY; 1396 goto err; 1397 } 1398 1399 tunnel = kzalloc(sizeof(struct l2tp_tunnel), GFP_KERNEL); 1400 if (tunnel == NULL) { 1401 err = -ENOMEM; 1402 goto err; 1403 } 1404 1405 tunnel->version = version; 1406 tunnel->tunnel_id = tunnel_id; 1407 tunnel->peer_tunnel_id = peer_tunnel_id; 1408 tunnel->debug = L2TP_DEFAULT_DEBUG_FLAGS; 1409 1410 tunnel->magic = L2TP_TUNNEL_MAGIC; 1411 sprintf(&tunnel->name[0], "tunl %u", tunnel_id); 1412 rwlock_init(&tunnel->hlist_lock); 1413 1414 /* The net we belong to */ 1415 tunnel->l2tp_net = net; 1416 pn = l2tp_pernet(net); 1417 1418 if (cfg != NULL) 1419 tunnel->debug = cfg->debug; 1420 1421 /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */ 1422 tunnel->encap = encap; 1423 if (encap == L2TP_ENCAPTYPE_UDP) { 1424 /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */ 1425 udp_sk(sk)->encap_type = UDP_ENCAP_L2TPINUDP; 1426 udp_sk(sk)->encap_rcv = l2tp_udp_encap_recv; 1427 } 1428 1429 sk->sk_user_data = tunnel; 1430 1431 /* Hook on the tunnel socket destructor so that we can cleanup 1432 * if the tunnel socket goes away. 1433 */ 1434 tunnel->old_sk_destruct = sk->sk_destruct; 1435 sk->sk_destruct = &l2tp_tunnel_destruct; 1436 tunnel->sock = sk; 1437 sk->sk_allocation = GFP_ATOMIC; 1438 1439 /* Add tunnel to our list */ 1440 INIT_LIST_HEAD(&tunnel->list); 1441 atomic_inc(&l2tp_tunnel_count); 1442 1443 /* Bump the reference count. The tunnel context is deleted 1444 * only when this drops to zero. Must be done before list insertion 1445 */ 1446 l2tp_tunnel_inc_refcount(tunnel); 1447 spin_lock_bh(&pn->l2tp_tunnel_list_lock); 1448 list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list); 1449 spin_unlock_bh(&pn->l2tp_tunnel_list_lock); 1450 1451 err = 0; 1452 err: 1453 if (tunnelp) 1454 *tunnelp = tunnel; 1455 1456 /* If tunnel's socket was created by the kernel, it doesn't 1457 * have a file. 1458 */ 1459 if (sock && sock->file) 1460 sockfd_put(sock); 1461 1462 return err; 1463 } 1464 EXPORT_SYMBOL_GPL(l2tp_tunnel_create); 1465 1466 /* This function is used by the netlink TUNNEL_DELETE command. 1467 */ 1468 int l2tp_tunnel_delete(struct l2tp_tunnel *tunnel) 1469 { 1470 int err = 0; 1471 struct socket *sock = tunnel->sock ? tunnel->sock->sk_socket : NULL; 1472 1473 /* Force the tunnel socket to close. This will eventually 1474 * cause the tunnel to be deleted via the normal socket close 1475 * mechanisms when userspace closes the tunnel socket. 1476 */ 1477 if (sock != NULL) { 1478 err = inet_shutdown(sock, 2); 1479 1480 /* If the tunnel's socket was created by the kernel, 1481 * close the socket here since the socket was not 1482 * created by userspace. 1483 */ 1484 if (sock->file == NULL) 1485 err = inet_release(sock); 1486 } 1487 1488 return err; 1489 } 1490 EXPORT_SYMBOL_GPL(l2tp_tunnel_delete); 1491 1492 /* Really kill the session. 1493 */ 1494 void l2tp_session_free(struct l2tp_session *session) 1495 { 1496 struct l2tp_tunnel *tunnel; 1497 1498 BUG_ON(atomic_read(&session->ref_count) != 0); 1499 1500 tunnel = session->tunnel; 1501 if (tunnel != NULL) { 1502 BUG_ON(tunnel->magic != L2TP_TUNNEL_MAGIC); 1503 1504 /* Delete the session from the hash */ 1505 write_lock_bh(&tunnel->hlist_lock); 1506 hlist_del_init(&session->hlist); 1507 write_unlock_bh(&tunnel->hlist_lock); 1508 1509 /* Unlink from the global hash if not L2TPv2 */ 1510 if (tunnel->version != L2TP_HDR_VER_2) { 1511 struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net); 1512 1513 spin_lock_bh(&pn->l2tp_session_hlist_lock); 1514 hlist_del_init_rcu(&session->global_hlist); 1515 spin_unlock_bh(&pn->l2tp_session_hlist_lock); 1516 synchronize_rcu(); 1517 } 1518 1519 if (session->session_id != 0) 1520 atomic_dec(&l2tp_session_count); 1521 1522 sock_put(tunnel->sock); 1523 1524 /* This will delete the tunnel context if this 1525 * is the last session on the tunnel. 1526 */ 1527 session->tunnel = NULL; 1528 l2tp_tunnel_dec_refcount(tunnel); 1529 } 1530 1531 kfree(session); 1532 1533 return; 1534 } 1535 EXPORT_SYMBOL_GPL(l2tp_session_free); 1536 1537 /* This function is used by the netlink SESSION_DELETE command and by 1538 pseudowire modules. 1539 */ 1540 int l2tp_session_delete(struct l2tp_session *session) 1541 { 1542 if (session->session_close != NULL) 1543 (*session->session_close)(session); 1544 1545 l2tp_session_dec_refcount(session); 1546 1547 return 0; 1548 } 1549 EXPORT_SYMBOL_GPL(l2tp_session_delete); 1550 1551 1552 /* We come here whenever a session's send_seq, cookie_len or 1553 * l2specific_len parameters are set. 1554 */ 1555 static void l2tp_session_set_header_len(struct l2tp_session *session, int version) 1556 { 1557 if (version == L2TP_HDR_VER_2) { 1558 session->hdr_len = 6; 1559 if (session->send_seq) 1560 session->hdr_len += 4; 1561 } else { 1562 session->hdr_len = 4 + session->cookie_len + session->l2specific_len + session->offset; 1563 if (session->tunnel->encap == L2TP_ENCAPTYPE_UDP) 1564 session->hdr_len += 4; 1565 } 1566 1567 } 1568 1569 struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg) 1570 { 1571 struct l2tp_session *session; 1572 1573 session = kzalloc(sizeof(struct l2tp_session) + priv_size, GFP_KERNEL); 1574 if (session != NULL) { 1575 session->magic = L2TP_SESSION_MAGIC; 1576 session->tunnel = tunnel; 1577 1578 session->session_id = session_id; 1579 session->peer_session_id = peer_session_id; 1580 session->nr = 1; 1581 1582 sprintf(&session->name[0], "sess %u/%u", 1583 tunnel->tunnel_id, session->session_id); 1584 1585 skb_queue_head_init(&session->reorder_q); 1586 1587 INIT_HLIST_NODE(&session->hlist); 1588 INIT_HLIST_NODE(&session->global_hlist); 1589 1590 /* Inherit debug options from tunnel */ 1591 session->debug = tunnel->debug; 1592 1593 if (cfg) { 1594 session->pwtype = cfg->pw_type; 1595 session->debug = cfg->debug; 1596 session->mtu = cfg->mtu; 1597 session->mru = cfg->mru; 1598 session->send_seq = cfg->send_seq; 1599 session->recv_seq = cfg->recv_seq; 1600 session->lns_mode = cfg->lns_mode; 1601 session->reorder_timeout = cfg->reorder_timeout; 1602 session->offset = cfg->offset; 1603 session->l2specific_type = cfg->l2specific_type; 1604 session->l2specific_len = cfg->l2specific_len; 1605 session->cookie_len = cfg->cookie_len; 1606 memcpy(&session->cookie[0], &cfg->cookie[0], cfg->cookie_len); 1607 session->peer_cookie_len = cfg->peer_cookie_len; 1608 memcpy(&session->peer_cookie[0], &cfg->peer_cookie[0], cfg->peer_cookie_len); 1609 } 1610 1611 if (tunnel->version == L2TP_HDR_VER_2) 1612 session->build_header = l2tp_build_l2tpv2_header; 1613 else 1614 session->build_header = l2tp_build_l2tpv3_header; 1615 1616 l2tp_session_set_header_len(session, tunnel->version); 1617 1618 /* Bump the reference count. The session context is deleted 1619 * only when this drops to zero. 1620 */ 1621 l2tp_session_inc_refcount(session); 1622 l2tp_tunnel_inc_refcount(tunnel); 1623 1624 /* Ensure tunnel socket isn't deleted */ 1625 sock_hold(tunnel->sock); 1626 1627 /* Add session to the tunnel's hash list */ 1628 write_lock_bh(&tunnel->hlist_lock); 1629 hlist_add_head(&session->hlist, 1630 l2tp_session_id_hash(tunnel, session_id)); 1631 write_unlock_bh(&tunnel->hlist_lock); 1632 1633 /* And to the global session list if L2TPv3 */ 1634 if (tunnel->version != L2TP_HDR_VER_2) { 1635 struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net); 1636 1637 spin_lock_bh(&pn->l2tp_session_hlist_lock); 1638 hlist_add_head_rcu(&session->global_hlist, 1639 l2tp_session_id_hash_2(pn, session_id)); 1640 spin_unlock_bh(&pn->l2tp_session_hlist_lock); 1641 } 1642 1643 /* Ignore management session in session count value */ 1644 if (session->session_id != 0) 1645 atomic_inc(&l2tp_session_count); 1646 } 1647 1648 return session; 1649 } 1650 EXPORT_SYMBOL_GPL(l2tp_session_create); 1651 1652 /***************************************************************************** 1653 * Init and cleanup 1654 *****************************************************************************/ 1655 1656 static __net_init int l2tp_init_net(struct net *net) 1657 { 1658 struct l2tp_net *pn = net_generic(net, l2tp_net_id); 1659 int hash; 1660 1661 INIT_LIST_HEAD(&pn->l2tp_tunnel_list); 1662 spin_lock_init(&pn->l2tp_tunnel_list_lock); 1663 1664 for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++) 1665 INIT_HLIST_HEAD(&pn->l2tp_session_hlist[hash]); 1666 1667 spin_lock_init(&pn->l2tp_session_hlist_lock); 1668 1669 return 0; 1670 } 1671 1672 static struct pernet_operations l2tp_net_ops = { 1673 .init = l2tp_init_net, 1674 .id = &l2tp_net_id, 1675 .size = sizeof(struct l2tp_net), 1676 }; 1677 1678 static int __init l2tp_init(void) 1679 { 1680 int rc = 0; 1681 1682 rc = register_pernet_device(&l2tp_net_ops); 1683 if (rc) 1684 goto out; 1685 1686 printk(KERN_INFO "L2TP core driver, %s\n", L2TP_DRV_VERSION); 1687 1688 out: 1689 return rc; 1690 } 1691 1692 static void __exit l2tp_exit(void) 1693 { 1694 unregister_pernet_device(&l2tp_net_ops); 1695 } 1696 1697 module_init(l2tp_init); 1698 module_exit(l2tp_exit); 1699 1700 MODULE_AUTHOR("James Chapman <jchapman@katalix.com>"); 1701 MODULE_DESCRIPTION("L2TP core"); 1702 MODULE_LICENSE("GPL"); 1703 MODULE_VERSION(L2TP_DRV_VERSION); 1704 1705