1 /* $FreeBSD: src/sys/netipsec/xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */
2 /* $DragonFly: src/sys/netproto/ipsec/xform_ipip.c,v 1.5 2003/11/09 02:22:36 dillon Exp $ */
3 /* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */
5 * The authors of this code are John Ioannidis (ji@tla.org),
6 * Angelos D. Keromytis (kermit@csd.uch.gr) and
7 * Niels Provos (provos@physnet.uni-hamburg.de).
9 * The original version of this code was written by John Ioannidis
10 * for BSD/OS in Athens, Greece, in November 1995.
12 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
13 * by Angelos D. Keromytis.
15 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
18 * Additional features in 1999 by Angelos D. Keromytis.
20 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
21 * Angelos D. Keromytis and Niels Provos.
22 * Copyright (c) 2001, Angelos D. Keromytis.
24 * Permission to use, copy, and modify this software with or without fee
25 * is hereby granted, provided that this entire notice is included in
26 * all copies of any software which is or includes a copy or
27 * modification of this software.
28 * You may use this code under the GNU public license if you so wish. Please
29 * contribute changes back to the authors under this freer than GPL license
30 * so that we may further the use of strong encryption without limitations to
33 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
34 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
35 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
36 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
41 * IP-inside-IP processing
44 #include "opt_inet6.h"
45 #include "opt_random_ip_id.h"
47 #include <sys/param.h>
48 #include <sys/systm.h>
50 #include <sys/socket.h>
51 #include <sys/kernel.h>
52 #include <sys/protosw.h>
53 #include <sys/sysctl.h>
56 #include <net/route.h>
57 #include <net/netisr.h>
59 #include <netinet/in.h>
60 #include <netinet/in_systm.h>
61 #include <netinet/in_var.h>
62 #include <netinet/ip.h>
63 #include <netinet/ip_ecn.h>
64 #include <netinet/ip_var.h>
65 #include <netinet/ip_encap.h>
66 #include <netinet/ipprotosw.h>
74 #include <netinet/ip_mroute.h>
78 #include <netinet/ip6.h>
80 #include <netinet6/ip6_ecn.h>
81 #include <netinet6/in6_var.h>
82 #include <netinet6/ip6protosw.h>
86 #include "key_debug.h"
88 #include <machine/stdarg.h>
90 typedef void pr_in_input_t (struct mbuf *, int, int); /* XXX FIX THIS */
93 * We can control the acceptance of IP4 packets by altering the sysctl
94 * net.inet.ipip.allow value. Zero means drop them, all else is acceptance.
97 struct ipipstat ipipstat;
99 SYSCTL_DECL(_net_inet_ipip);
100 SYSCTL_INT(_net_inet_ipip, OID_AUTO,
101 ipip_allow, CTLFLAG_RW, &ipip_allow, 0, "");
102 SYSCTL_STRUCT(_net_inet_ipip, IPSECCTL_STATS,
103 stats, CTLFLAG_RD, &ipipstat, ipipstat, "");
106 #define M_IPSEC (M_AUTHIPHDR|M_AUTHIPDGM|M_DECRYPTED)
108 static void _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp);
112 * Really only a wrapper for ipip_input(), for use with IPv6.
115 ip4_input6(struct mbuf **m, int *offp, int proto)
118 /* If we do not accept IP-in-IP explicitly, drop. */
119 if (!ipip_allow && ((*m)->m_flags & M_IPSEC) == 0) {
120 DPRINTF(("ip4_input6: dropped due to policy\n"));
121 ipipstat.ipips_pdrops++;
126 _ipip_input(*m, *offp, NULL);
133 * Really only a wrapper for ipip_input(), for use with IPv4.
136 ip4_input(struct mbuf *m, ...)
142 /* If we do not accept IP-in-IP explicitly, drop. */
143 if (!ipip_allow && (m->m_flags & M_IPSEC) == 0) {
144 DPRINTF(("ip4_input: dropped due to policy\n"));
145 ipipstat.ipips_pdrops++;
151 iphlen = __va_arg(ap, int);
154 _ipip_input(m, iphlen, NULL);
159 * ipip_input gets called when we receive an IP{46} encapsulated packet,
160 * either because we got it at a real interface, or because AH or ESP
161 * were being used in tunnel mode (in which case the rcvif element will
162 * contain the address of the encX interface associated with the tunnel.
166 _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
168 struct sockaddr_in *sin;
171 struct ifqueue *ifq = NULL;
174 struct sockaddr_in6 *sin6;
175 struct ip6_hdr *ip6 = NULL;
184 ipipstat.ipips_ipackets++;
186 m_copydata(m, 0, 1, &v);
191 hlen = sizeof(struct ip);
196 hlen = sizeof(struct ip6_hdr);
200 DPRINTF(("_ipip_input: bad protocol version 0x%x (%u) "
201 "for outer header\n", v, v>>4));
202 ipipstat.ipips_family++;
204 return /* EAFNOSUPPORT */;
207 /* Bring the IP header in the first mbuf, if not there already */
208 if (m->m_len < hlen) {
209 if ((m = m_pullup(m, hlen)) == NULL) {
210 DPRINTF(("ipip_input: m_pullup (1) failed\n"));
211 ipipstat.ipips_hdrops++;
216 ipo = mtod(m, struct ip *);
219 if (ipo->ip_v == IPVERSION && ipo->ip_p == IPPROTO_IPV4) {
220 if (IN_MULTICAST(((struct ip *)((char *) ipo + iphlen))->ip_dst.s_addr)) {
221 ipip_mroute_input (m, iphlen);
225 #endif /* MROUTING */
227 /* Keep outer ecn field. */
236 otos = (ntohl(mtod(m, struct ip6_hdr *)->ip6_flow) >> 20) & 0xff;
240 panic("ipip_input: unknown ip version %u (outer)", v>>4);
243 /* Remove outer IP header */
247 if (m->m_pkthdr.len < sizeof(struct ip)) {
248 ipipstat.ipips_hdrops++;
253 m_copydata(m, 0, 1, &v);
258 hlen = sizeof(struct ip);
264 hlen = sizeof(struct ip6_hdr);
268 DPRINTF(("_ipip_input: bad protocol version 0x%x (%u) "
269 "for inner header\n", v, v>>4));
270 ipipstat.ipips_family++;
272 return; /* EAFNOSUPPORT */
276 * Bring the inner IP header in the first mbuf, if not there already.
278 if (m->m_len < hlen) {
279 if ((m = m_pullup(m, hlen)) == NULL) {
280 DPRINTF(("ipip_input: m_pullup (2) failed\n"));
281 ipipstat.ipips_hdrops++;
287 * RFC 1853 specifies that the inner TTL should not be touched on
288 * decapsulation. There's no reason this comment should be here, but
289 * this is as good as any a position.
292 /* Some sanity checks in the inner IP header */
296 ipo = mtod(m, struct ip *);
298 ip_ecn_egress(ip4_ipsec_ecn, &otos, &ipo->ip_tos);
303 ip6 = (struct ip6_hdr *) ipo;
305 itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
306 ip_ecn_egress(ip6_ipsec_ecn, &otos, &itos);
307 ip6->ip6_flow &= ~htonl(0xff << 20);
308 ip6->ip6_flow |= htonl((u_int32_t) itos << 20);
312 panic("ipip_input: unknown ip version %u (inner)", v>>4);
315 /* Check for local address spoofing. */
316 if ((m->m_pkthdr.rcvif == NULL ||
317 !(m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK)) &&
319 for (ifp = ifnet.tqh_first; ifp != 0;
320 ifp = ifp->if_list.tqe_next) {
321 for (ifa = ifp->if_addrlist.tqh_first; ifa != 0;
322 ifa = ifa->ifa_list.tqe_next) {
325 if (ifa->ifa_addr->sa_family !=
329 sin = (struct sockaddr_in *) ifa->ifa_addr;
331 if (sin->sin_addr.s_addr ==
332 ipo->ip_src.s_addr) {
333 ipipstat.ipips_spoof++;
342 if (ifa->ifa_addr->sa_family !=
346 sin6 = (struct sockaddr_in6 *) ifa->ifa_addr;
348 if (IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr, &ip6->ip6_src)) {
349 ipipstat.ipips_spoof++;
361 ipipstat.ipips_ibytes += m->m_pkthdr.len - iphlen;
364 * Interface pointer stays the same; if no IPsec processing has
365 * been done (or will be done), this will point to a normal
366 * interface. Otherwise, it'll point to an enc interface, which
367 * will allow a packet filter to distinguish between secure and
385 panic("ipip_input: should never reach here");
388 if (!IF_HANDOFF(ifq, m, NULL)) {
389 ipipstat.ipips_qfull++;
391 DPRINTF(("ipip_input: packet dropped because of full queue\n"));
400 struct ipsecrequest *isr,
406 struct secasvar *sav;
408 struct secasindex *saidx;
415 struct ip6_hdr *ip6, *ip6o;
418 SPLASSERT(net, "ipip_output");
421 KASSERT(sav != NULL, ("ipip_output: null SA"));
422 KASSERT(sav->sah != NULL, ("ipip_output: null SAH"));
424 /* XXX Deal with empty TDB source/destination addresses. */
426 m_copydata(m, 0, 1, &tp);
427 tp = (tp >> 4) & 0xff; /* Get the IP version number. */
429 saidx = &sav->sah->saidx;
430 switch (saidx->dst.sa.sa_family) {
433 if (saidx->src.sa.sa_family != AF_INET ||
434 saidx->src.sin.sin_addr.s_addr == INADDR_ANY ||
435 saidx->dst.sin.sin_addr.s_addr == INADDR_ANY) {
436 DPRINTF(("ipip_output: unspecified tunnel endpoint "
437 "address in SA %s/%08lx\n",
438 ipsec_address(&saidx->dst),
439 (u_long) ntohl(sav->spi)));
440 ipipstat.ipips_unspec++;
445 M_PREPEND(m, sizeof(struct ip), M_DONTWAIT);
447 DPRINTF(("ipip_output: M_PREPEND failed\n"));
448 ipipstat.ipips_hdrops++;
453 ipo = mtod(m, struct ip *);
455 ipo->ip_v = IPVERSION;
457 ipo->ip_len = htons(m->m_pkthdr.len);
458 ipo->ip_ttl = ip_defttl;
460 ipo->ip_src = saidx->src.sin.sin_addr;
461 ipo->ip_dst = saidx->dst.sin.sin_addr;
464 ipo->ip_id = ip_randomid();
466 ipo->ip_id = htons(ip_id++);
469 /* If the inner protocol is IP... */
470 if (tp == IPVERSION) {
471 /* Save ECN notification */
472 m_copydata(m, sizeof(struct ip) +
473 offsetof(struct ip, ip_tos),
474 sizeof(u_int8_t), (caddr_t) &itos);
476 ipo->ip_p = IPPROTO_IPIP;
479 * We should be keeping tunnel soft-state and
480 * send back ICMPs if needed.
482 m_copydata(m, sizeof(struct ip) +
483 offsetof(struct ip, ip_off),
484 sizeof(u_int16_t), (caddr_t) &ipo->ip_off);
485 ipo->ip_off = ntohs(ipo->ip_off);
486 ipo->ip_off &= ~(IP_DF | IP_MF | IP_OFFMASK);
487 ipo->ip_off = htons(ipo->ip_off);
490 else if (tp == (IPV6_VERSION >> 4)) {
493 /* Save ECN notification. */
494 m_copydata(m, sizeof(struct ip) +
495 offsetof(struct ip6_hdr, ip6_flow),
496 sizeof(u_int32_t), (caddr_t) &itos32);
497 itos = ntohl(itos32) >> 20;
498 ipo->ip_p = IPPROTO_IPV6;
507 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos);
514 if (IN6_IS_ADDR_UNSPECIFIED(&saidx->dst.sin6.sin6_addr) ||
515 saidx->src.sa.sa_family != AF_INET6 ||
516 IN6_IS_ADDR_UNSPECIFIED(&saidx->src.sin6.sin6_addr)) {
517 DPRINTF(("ipip_output: unspecified tunnel endpoint "
518 "address in SA %s/%08lx\n",
519 ipsec_address(&saidx->dst),
520 (u_long) ntohl(sav->spi)));
521 ipipstat.ipips_unspec++;
526 /* scoped address handling */
527 ip6 = mtod(m, struct ip6_hdr *);
528 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src))
529 ip6->ip6_src.s6_addr16[1] = 0;
530 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))
531 ip6->ip6_dst.s6_addr16[1] = 0;
533 M_PREPEND(m, sizeof(struct ip6_hdr), M_DONTWAIT);
535 DPRINTF(("ipip_output: M_PREPEND failed\n"));
536 ipipstat.ipips_hdrops++;
542 /* Initialize IPv6 header */
543 ip6o = mtod(m, struct ip6_hdr *);
545 ip6o->ip6_vfc &= ~IPV6_VERSION_MASK;
546 ip6o->ip6_vfc |= IPV6_VERSION;
547 ip6o->ip6_plen = htons(m->m_pkthdr.len);
548 ip6o->ip6_hlim = ip_defttl;
549 ip6o->ip6_dst = saidx->dst.sin6.sin6_addr;
550 ip6o->ip6_src = saidx->src.sin6.sin6_addr;
553 if (tp == IPVERSION) {
554 /* Save ECN notification */
555 m_copydata(m, sizeof(struct ip6_hdr) +
556 offsetof(struct ip, ip_tos), sizeof(u_int8_t),
559 /* This is really IPVERSION. */
560 ip6o->ip6_nxt = IPPROTO_IPIP;
563 if (tp == (IPV6_VERSION >> 4)) {
566 /* Save ECN notification. */
567 m_copydata(m, sizeof(struct ip6_hdr) +
568 offsetof(struct ip6_hdr, ip6_flow),
569 sizeof(u_int32_t), (caddr_t) &itos32);
570 itos = ntohl(itos32) >> 20;
572 ip6o->ip6_nxt = IPPROTO_IPV6;
578 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos);
579 ip6o->ip6_flow |= htonl((u_int32_t) otos << 20);
585 DPRINTF(("ipip_output: unsupported protocol family %u\n",
586 saidx->dst.sa.sa_family));
587 ipipstat.ipips_family++;
588 error = EAFNOSUPPORT; /* XXX diffs from openbsd */
592 ipipstat.ipips_opackets++;
596 if (saidx->dst.sa.sa_family == AF_INET) {
598 if (sav->tdb_xform->xf_type == XF_IP4)
599 tdb->tdb_cur_bytes +=
600 m->m_pkthdr.len - sizeof(struct ip);
602 ipipstat.ipips_obytes += m->m_pkthdr.len - sizeof(struct ip);
607 if (saidx->dst.sa.sa_family == AF_INET6) {
609 if (sav->tdb_xform->xf_type == XF_IP4)
610 tdb->tdb_cur_bytes +=
611 m->m_pkthdr.len - sizeof(struct ip6_hdr);
613 ipipstat.ipips_obytes +=
614 m->m_pkthdr.len - sizeof(struct ip6_hdr);
621 m_freem(m), *mp = NULL;
627 ipe4_init(struct secasvar *sav, struct xformsw *xsp)
629 sav->tdb_xform = xsp;
634 ipe4_zeroize(struct secasvar *sav)
636 sav->tdb_xform = NULL;
641 ipe4_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
643 /* This is a rather serious mistake, so no conditional printing. */
644 printf("ipe4_input: should never be called\n");
650 static struct xformsw ipe4_xformsw = {
651 XF_IP4, 0, "IPv4 Simple Encapsulation",
652 ipe4_init, ipe4_zeroize, ipe4_input, ipip_output,
655 extern struct domain inetdomain;
656 static struct ipprotosw ipe4_protosw[] = {
657 { SOCK_RAW, &inetdomain, IPPROTO_IPV4, PR_ATOMIC|PR_ADDR|PR_LASTHDR,
658 (pr_in_input_t*) ip4_input,
665 { SOCK_RAW, &inetdomain, IPPROTO_IPV6, PR_ATOMIC|PR_ADDR|PR_LASTHDR,
666 (pr_in_input_t*) ip4_input,
676 * Check the encapsulated packet to see if we want it
679 ipe4_encapcheck(const struct mbuf *m, int off, int proto, void *arg)
682 * Only take packets coming from IPSEC tunnels; the rest
683 * must be handled by the gif tunnel code. Note that we
684 * also return a minimum priority when we want the packet
685 * so any explicit gif tunnels take precedence.
687 return ((m->m_flags & M_IPSEC) != 0 ? 1 : 0);
693 xform_register(&ipe4_xformsw);
694 /* attach to encapsulation framework */
695 /* XXX save return cookie for detach on module remove */
696 (void) encap_attach_func(AF_INET, -1,
697 ipe4_encapcheck, (struct protosw*) &ipe4_protosw[0], NULL);
699 (void) encap_attach_func(AF_INET6, -1,
700 ipe4_encapcheck, (struct protosw*) &ipe4_protosw[1], NULL);
703 SYSINIT(ipe4_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipe4_attach, NULL);
704 #endif /* FAST_IPSEC */
tuxillo's projects / dragonfly.git / blob