root/netinet/ip_ether.c

DEFINITIONS

1. etherip_input
2. etherip_output
3. etherip_sysctl

    1 /*      $OpenBSD: ip_ether.c,v 1.50 2007/02/20 19:37:40 claudio Exp $  */
    2 /*
    3  * The author of this code is Angelos D. Keromytis (kermit@adk.gr)
    4  *
    5  * This code was written by Angelos D. Keromytis for OpenBSD in October 1999.
    6  *
    7  * Copyright (C) 1999-2001 Angelos D. Keromytis.
    8  *
    9  * Permission to use, copy, and modify this software with or without fee
   10  * is hereby granted, provided that this entire notice is included in
   11  * all copies of any software which is or includes a copy or
   12  * modification of this software.
   13  * You may use this code under the GNU public license if you so wish. Please
   14  * contribute changes back to the authors under this freer than GPL license
   15  * so that we may further the use of strong encryption without limitations to
   16  * all.
   17  *
   18  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
   19  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
   20  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
   21  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
   22  * PURPOSE.
   23  */
   25 /*
   26  * Ethernet-inside-IP processing (RFC3378).
   27  */
   29 #include "bridge.h"
   31 #include <sys/param.h>
   32 #include <sys/systm.h>
   33 #include <sys/mbuf.h>
   34 #include <sys/socket.h>
   35 #include <sys/sysctl.h>
   37 #include <net/if.h>
   38 #include <net/route.h>
   39 #include <net/bpf.h>
   41 #ifdef INET
   42 #include <netinet/in.h>
   43 #include <netinet/in_systm.h>
   44 #include <netinet/ip.h>
   45 #include <netinet/in_pcb.h>
   46 #include <netinet/ip_var.h>
   47 #endif /* INET */
   49 #include <netinet/ip_ether.h>
   50 #include <netinet/if_ether.h>
   51 #include <net/if_bridge.h>
   52 #include <net/if_gif.h>
   54 #include "gif.h"
   55 #include "bpfilter.h"
   57 #ifdef ENCDEBUG
   58 #define DPRINTF(x)      if (encdebug) printf x
   59 #else
   60 #define DPRINTF(x)
   61 #endif
   63 /*
   64  * We can control the acceptance of EtherIP packets by altering the sysctl
   65  * net.inet.etherip.allow value. Zero means drop them, all else is acceptance.
   66  */
   67 int etherip_allow = 0;
   69 struct etheripstat etheripstat;
   71 /*
   72  * etherip_input gets called when we receive an encapsulated packet,
   73  * either because we got it at a real interface, or because AH or ESP
   74  * were being used in tunnel mode (in which case the rcvif element will
   75  * contain the address of the encX interface associated with the tunnel.
   76  */
   78 void
etherip_input(struct mbuf *m, ...)
   80 {
   81         union sockaddr_union ssrc, sdst;
   82         struct ether_header eh;
   83         int iphlen;
   84         struct etherip_header eip;
u_int8_t v;
va_list ap;
   88 #if NGIF > 0
   89         struct gif_softc *sc;
   90 #if NBRIDGE > 0
   91         int s;
   92 #endif /* NBRIDGE */
   93 #endif /* NGIF */
va_start(ap, m);
iphlen = va_arg(ap, int);
va_end(ap);
etheripstat.etherip_ipackets++;
  101         /* If we do not accept EtherIP explicitly, drop. */
  102         if (!etherip_allow && (m->m_flags & (M_AUTH|M_CONF)) == 0) {
DPRINTF(("etherip_input(): dropped due to policy\n"));
etheripstat.etherip_pdrops++;
m_freem(m);
  106                 return;
  107         }
  109         /*
  110          * Make sure there's at least an ethernet header's and an EtherIP
  111          * header's of worth of data after the outer IP header.
  112          */
  113         if (m->m_pkthdr.len < iphlen + sizeof(struct ether_header) +
  114             sizeof(struct etherip_header)) {
DPRINTF(("etherip_input(): encapsulated packet too short\n"));
etheripstat.etherip_hdrops++;
m_freem(m);
  118                 return;
  119         }
  121         /* Verify EtherIP version number */
m_copydata(m, iphlen, sizeof(struct etherip_header), (caddr_t)&eip);
  123         if ((eip.eip_ver & ETHERIP_VER_VERS_MASK) != ETHERIP_VERSION) {
DPRINTF(("etherip_input(): received EtherIP version number "
  125                     "%d not suppoorted\n", (v >> 4) & 0xff));
etheripstat.etherip_adrops++;
m_freem(m);
  128                 return;
  129         }
  131         /*
  132          * Note that the other potential failure of the above check is that the
  133          * second nibble of the EtherIP header (the reserved part) is not
  134          * zero; this is also invalid protocol behaviour.
  135          */
  136         if (eip.eip_ver & ETHERIP_VER_RSVD_MASK) {
DPRINTF(("etherip_input(): received EtherIP invalid EtherIP "
  138                     "header (reserved field non-zero\n"));
etheripstat.etherip_adrops++;
m_freem(m);
  141                 return;
  142         }
  144         /* Finally, the pad value must be zero. */
  145         if (eip.eip_pad) {
DPRINTF(("etherip_input(): received EtherIP invalid "
  147                     "pad value\n"));
etheripstat.etherip_adrops++;
m_freem(m);
  150                 return;
  151         }
  153         /* Make sure the ethernet header at least is in the first mbuf. */
  154         if (m->m_len < iphlen + sizeof(struct ether_header) +
  155             sizeof(struct etherip_header)) {
  156                 if ((m = m_pullup(m, iphlen + sizeof(struct ether_header) +
  157                     sizeof(struct etherip_header))) == NULL) {
DPRINTF(("etherip_input(): m_pullup() failed\n"));
etheripstat.etherip_adrops++;
  160                         return;
  161                 }
  162         }
  164         /* Copy the addresses for use later. */
bzero(&ssrc, sizeof(ssrc));
bzero(&sdst, sizeof(sdst));
v = *mtod(m, u_int8_t *);
  169         switch (v >> 4) {
  170 #ifdef INET
  171         case 4:
ssrc.sa.sa_len = sdst.sa.sa_len = sizeof(struct sockaddr_in);
ssrc.sa.sa_family = sdst.sa.sa_family = AF_INET;
m_copydata(m, offsetof(struct ip, ip_src),
  175                     sizeof(struct in_addr),
  176                     (caddr_t) &ssrc.sin.sin_addr);
m_copydata(m, offsetof(struct ip, ip_dst),
  178                     sizeof(struct in_addr),
  179                     (caddr_t) &sdst.sin.sin_addr);
  180                 break;
  181 #endif /* INET */
  182 #ifdef INET6
  183         case 6:
ssrc.sa.sa_len = sdst.sa.sa_len = sizeof(struct sockaddr_in6);
ssrc.sa.sa_family = sdst.sa.sa_family = AF_INET6;
m_copydata(m, offsetof(struct ip6_hdr, ip6_src),
  187                     sizeof(struct in6_addr),
  188                     (caddr_t) &ssrc.sin6.sin6_addr);
m_copydata(m, offsetof(struct ip6_hdr, ip6_dst),
  190                     sizeof(struct in6_addr),
  191                     (caddr_t) &sdst.sin6.sin6_addr);
  192                 break;
  193 #endif /* INET6 */
  194         default:
DPRINTF(("etherip_input(): invalid protocol %d\n", v));
m_freem(m);
etheripstat.etherip_hdrops++;
  198                 return /* EAFNOSUPPORT */;
  199         }
  201         /* Chop off the `outer' IP and EtherIP headers and reschedule. */
m_adj(m, iphlen + sizeof(struct etherip_header));
  204         /* Statistics */
etheripstat.etherip_ibytes += m->m_pkthdr.len;
  207         /* Copy ethernet header */
m_copydata(m, 0, sizeof(eh), (void *) &eh);
  210         /* Reset the flags based on the inner packet */
m->m_flags &= ~(M_BCAST|M_MCAST|M_AUTH|M_CONF|M_AUTH_AH);
  212         if (eh.ether_dhost[0] & 1) {
  213                 if (bcmp((caddr_t) etherbroadcastaddr,
  214                     (caddr_t)eh.ether_dhost, sizeof(etherbroadcastaddr)) == 0)
m->m_flags |= M_BCAST;
  216                 else
m->m_flags |= M_MCAST;
  218         }
  220 #if NGIF > 0
  221         /* Find appropriate gif(4) interface */
LIST_FOREACH(sc, &gif_softc_list, gif_list) {
  223                 if ((sc->gif_psrc == NULL) ||
  224                     (sc->gif_pdst == NULL) ||
  225                     !(sc->gif_if.if_flags & (IFF_UP|IFF_RUNNING)))
  226                         continue;
  228                 if (!bcmp(sc->gif_psrc, &sdst, sc->gif_psrc->sa_len) &&
  229                     !bcmp(sc->gif_pdst, &ssrc, sc->gif_pdst->sa_len) &&
sc->gif_if.if_bridge != NULL)
  231                         break;
  232         }
  234         /* None found. */
  235         if (sc == NULL) {
DPRINTF(("etherip_input(): no interface found\n"));
etheripstat.etherip_noifdrops++;
m_freem(m);
  239                 return;
  240         }
  241 #if NBPFILTER > 0
  242         if (sc->gif_if.if_bpf)
bpf_mtap_af(sc->gif_if.if_bpf, AF_LINK, m, BPF_DIRECTION_IN);
  244 #endif
  246         /* Trim the beginning of the mbuf, to remove the ethernet header. */
m_adj(m, sizeof(struct ether_header));
  249 #if NBRIDGE > 0
  250         /*
  251          * Tap the packet off here for a bridge. bridge_input() returns
  252          * NULL if it has consumed the packet.  In the case of gif's,
  253          * bridge_input() returns non-NULL when an error occurs.
  254          */
m->m_pkthdr.rcvif = &sc->gif_if;
  256         if (m->m_flags & (M_BCAST|M_MCAST))
sc->gif_if.if_imcasts++;
s = splnet();
m = bridge_input(&sc->gif_if, &eh, m);
splx(s);
  262         if (m == NULL)
  263                 return;
  264 #endif /* NBRIDGE */
  265 #endif /* NGIF */
etheripstat.etherip_noifdrops++;
m_freem(m);
  269         return;
  270 }
  272 int
etherip_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
  274                int protoff)
  275 {
  276 #ifdef INET
  277         struct ip *ipo;
  278 #endif /* INET */
  280 #ifdef INET6
  281         struct ip6_hdr *ip6;
  282 #endif /* INET6 */
  284         struct etherip_header eip;
  285         struct mbuf *m0;
ushort hlen;
  288         /* Some address family sanity checks. */
  289         if ((tdb->tdb_src.sa.sa_family != 0) &&
  290             (tdb->tdb_src.sa.sa_family != AF_INET) &&
  291             (tdb->tdb_src.sa.sa_family != AF_INET6)) {
DPRINTF(("etherip_output(): IP in protocol-family <%d> "
  293                     "attempted, aborting", tdb->tdb_src.sa.sa_family));
etheripstat.etherip_adrops++;
m_freem(m);
  296                 return EINVAL;
  297         }
  299         if ((tdb->tdb_dst.sa.sa_family != AF_INET) &&
  300             (tdb->tdb_dst.sa.sa_family != AF_INET6)) {
DPRINTF(("etherip_output(): IP in protocol-family <%d> "
  302                     "attempted, aborting", tdb->tdb_dst.sa.sa_family));
etheripstat.etherip_adrops++;
m_freem(m);
  305                 return EINVAL;
  306         }
  308         if (tdb->tdb_dst.sa.sa_family != tdb->tdb_src.sa.sa_family) {
DPRINTF(("etherip_output(): mismatch in tunnel source and "
  310                     "destination address protocol families (%d/%d), aborting",
tdb->tdb_src.sa.sa_family, tdb->tdb_dst.sa.sa_family));
etheripstat.etherip_adrops++;
m_freem(m);
  314                 return EINVAL;
  315         }
  317         switch (tdb->tdb_dst.sa.sa_family) {
  318 #ifdef INET
  319         case AF_INET:
hlen = sizeof(struct ip);
  321                 break;
  322 #endif /* INET */
  323 #ifdef INET6
  324         case AF_INET6:
hlen = sizeof(struct ip6_hdr);
  326                 break;
  327 #endif /* INET6 */
  328         default:
DPRINTF(("etherip_output(): unsupported tunnel protocol "
  330                     "family <%d>, aborting", tdb->tdb_dst.sa.sa_family));
etheripstat.etherip_adrops++;
m_freem(m);
  333                 return EINVAL;
  334         }
  336         /* Don't forget the EtherIP header. */
hlen += sizeof(struct etherip_header);
  339         if (!(m->m_flags & M_PKTHDR)) {
DPRINTF(("etherip_output(): mbuf is not a header\n"));
m_freem(m);
  342                 return (ENOBUFS);
  343         }
MGETHDR(m0, M_DONTWAIT, MT_DATA);
  346         if (m0 == NULL) {
DPRINTF(("etherip_output(): M_GETHDR failed\n"));
etheripstat.etherip_adrops++;
m_freem(m);
  350                 return ENOBUFS;
  351         }
M_MOVE_PKTHDR(m0, m);
m0->m_next = m;
m0->m_len = hlen;
m0->m_pkthdr.len += hlen;
m = m0;
  358         /* Statistics */
etheripstat.etherip_opackets++;
etheripstat.etherip_obytes += m->m_pkthdr.len - hlen;
  362         switch (tdb->tdb_dst.sa.sa_family) {
  363 #ifdef INET
  364         case AF_INET:
ipo = mtod(m, struct ip *);
ipo->ip_v = IPVERSION;
ipo->ip_hl = 5;
ipo->ip_len = htons(m->m_pkthdr.len);
ipo->ip_ttl = ip_defttl;
ipo->ip_p = IPPROTO_ETHERIP;
ipo->ip_tos = 0;
ipo->ip_off = 0;
ipo->ip_sum = 0;
ipo->ip_id = htons(ip_randomid());
  377                 /*
  378                  * We should be keeping tunnel soft-state and send back
  379                  * ICMPs as needed.
  380                  */
ipo->ip_src = tdb->tdb_src.sin.sin_addr;
ipo->ip_dst = tdb->tdb_dst.sin.sin_addr;
  384                 break;
  385 #endif /* INET */
  386 #ifdef INET6
  387         case AF_INET6:
ip6 = mtod(m, struct ip6_hdr *);
ip6->ip6_flow = 0;
ip6->ip6_nxt = IPPROTO_ETHERIP;
ip6->ip6_vfc &= ~IPV6_VERSION_MASK;
ip6->ip6_vfc |= IPV6_VERSION;
ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6));
ip6->ip6_hlim = ip_defttl;
ip6->ip6_dst = tdb->tdb_dst.sin6.sin6_addr;
ip6->ip6_src = tdb->tdb_src.sin6.sin6_addr;
  398                 break;
  399 #endif /* INET6 */
  400         }
  402         /* Set the version number */
eip.eip_ver = ETHERIP_VERSION & ETHERIP_VER_VERS_MASK;
eip.eip_pad = 0;
m_copyback(m, hlen - sizeof(struct etherip_header),
  406             sizeof(struct etherip_header), &eip);
  408         *mp = m;
  410         return 0;
  411 }
  413 int
etherip_sysctl(name, namelen, oldp, oldlenp, newp, newlen)
  415         int *name;
u_int namelen;
  417         void *oldp, *newp;
size_t *oldlenp, newlen;
  419 {
  420         /* All sysctl names at this level are terminal. */
  421         if (namelen != 1)
  422                 return (ENOTDIR);
  424         switch (name[0]) {
  425         case ETHERIPCTL_ALLOW:
  426                 return (sysctl_int(oldp, oldlenp, newp, newlen,
  427                     &etherip_allow));
  428         default:
  429                 return (ENOPROTOOPT);
  430         }
  431         /* NOTREACHED */
  432 }