#include
/*	$KAME: ip_encap.c,v 1.41 2001/03/15 08:35:08 itojun Exp $	*/

/*-
 * SPDX-License-Identifier: BSD-3-Clause
 *
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * Copyright (c) 2018 Andrey V. Elsukov
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/*
 * My grandfather said that there's a devil inside tunnelling technology...
 *
 * We have surprisingly many protocols that want packets with IP protocol
 * #4 or #41.  Here's a list of protocols that want protocol #41:
 *	RFC1933 configured tunnel
 *	RFC1933 automatic tunnel
 *	RFC2401 IPsec tunnel
 *	RFC2473 IPv6 generic packet tunnelling
 *	RFC2529 6over4 tunnel
 *	mobile-ip6 (uses RFC2473)
 *	RFC3056 6to4 tunnel
 *	isatap tunnel
 * Here's a list of protocols that want protocol #4:
 *	RFC1853 IPv4-in-IPv4 tunnelling
 *	RFC2003 IPv4 encapsulation within IPv4
 *	RFC2344 reverse tunnelling for mobile-ip4
 *	RFC2401 IPsec tunnel
 * Well, what can I say.  They impose different en/decapsulation mechanism
 * from each other, so they need separate protocol handler.  The only one
 * we can easily determine by protocol # is IPsec, which always has
 * AH/ESP/IPComp header right after outer IP header.
 *
 * So, clearly good old protosw does not work for protocol #4 and #41.
 * The code will let you match protocol via src/dst address pair.
 */

/*
 * NOTE(review): the header names of every #include directive below were
 * lost in this copy of the file; the include list is not buildable as
 * shown and must be taken from the project tree.
 */
#include
__FBSDID("$FreeBSD$");

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#ifdef INET6
#include
#endif

static MALLOC_DEFINE(M_NETADDR, "encap_export_host",
    "Export host address structure");

/*
 * One registered decapsulation handler.  Entries live on a per-family
 * list kept sorted by descending exact_match (see encap_attach()), so
 * encap_input() visits the most specific handlers first.
 */
struct encaptab {
	CK_LIST_ENTRY(encaptab) chain;
	int		proto;		/* IP protocol to accept; negative accepts any */
	int		min_length;	/* packets with m_pkthdr.len below this are skipped */
	int		exact_match;	/* score at which the search stops early, or ENCAP_DRV_LOOKUP */
	void		*arg;		/* opaque cookie handed to check() and input() */
	encap_lookup_t	lookup;		/* driver-owned lookup; set only when exact_match == ENCAP_DRV_LOOKUP */
	encap_check_t	check;		/* generic match routine; set for every other entry */
	encap_input_t	input;		/* decapsulation entry point of the winning handler */
};

/* One registered interface-address change callback. */
struct srcaddrtab {
	CK_LIST_ENTRY(srcaddrtab) chain;
	encap_srcaddr_t	srcaddr;	/* invoked as (arg, ifa->ifa_addr, event) */
	void		*arg;		/* opaque cookie for srcaddr */
};

CK_LIST_HEAD(encaptab_head, encaptab);
CK_LIST_HEAD(srcaddrtab_head, srcaddrtab);

#ifdef INET
static struct encaptab_head ipv4_encaptab = CK_LIST_HEAD_INITIALIZER();
static struct srcaddrtab_head ipv4_srcaddrtab = CK_LIST_HEAD_INITIALIZER();
#endif
#ifdef INET6
static struct encaptab_head ipv6_encaptab = CK_LIST_HEAD_INITIALIZER();
static struct srcaddrtab_head ipv6_srcaddrtab = CK_LIST_HEAD_INITIALIZER();
#endif

/*
 * Writers (attach/detach, register/unregister) serialise on these mutexes.
 * Readers walk the lists inside net_epoch_preempt and never take the
 * mutex; a writer unlinks an entry, drops the mutex and waits for the
 * epoch before freeing it.
 */
static struct mtx encapmtx, srcaddrmtx;
MTX_SYSINIT(encapmtx, &encapmtx, "encapmtx", MTX_DEF);
MTX_SYSINIT(srcaddrmtx, &srcaddrmtx, "srcaddrmtx", MTX_DEF);
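#define	ENCAP_WLOCK()		mtx_lock(&encapmtx)
#define	ENCAP_WUNLOCK()		mtx_unlock(&encapmtx)
#define	ENCAP_RLOCK_TRACKER	struct epoch_tracker encap_et
#define	ENCAP_RLOCK()		\
    epoch_enter_preempt(net_epoch_preempt, &encap_et)
#define	ENCAP_RUNLOCK()		\
    epoch_exit_preempt(net_epoch_preempt, &encap_et)
#define	ENCAP_WAIT()		epoch_wait_preempt(net_epoch_preempt)

#define	SRCADDR_WLOCK()		mtx_lock(&srcaddrmtx)
#define	SRCADDR_WUNLOCK()	mtx_unlock(&srcaddrmtx)
#define	SRCADDR_RLOCK_TRACKER	struct epoch_tracker srcaddr_et
#define	SRCADDR_RLOCK()		\
    epoch_enter_preempt(net_epoch_preempt, &srcaddr_et)
#define	SRCADDR_RUNLOCK()	\
    epoch_exit_preempt(net_epoch_preempt, &srcaddr_et)
#define	SRCADDR_WAIT()		epoch_wait_preempt(net_epoch_preempt)

/*
 * ifaddr_event_ext handler.
 *
 * Tunnelling interfaces may request the kernel to notify when
 * some interface addresses appears or disappears.  Usually tunnelling
 * interface must use an address configured on the local machine as
 * ingress address to be able to receive datagrams and not send
 * spoofed packets.
 *
 * Every callback registered for the address family of ifa is invoked
 * with (callback arg, ifa->ifa_addr, event); other families are ignored.
 */
static void
srcaddr_change_event(void *arg __unused, struct ifnet *ifp,
    struct ifaddr *ifa, int event)
{
	SRCADDR_RLOCK_TRACKER;
	struct srcaddrtab_head *head;
	struct srcaddrtab *p;

	/* Support for old ifaddr_event. */
	EVENTHANDLER_INVOKE(ifaddr_event, ifp);

	switch (ifa->ifa_addr->sa_family) {
#ifdef INET
	case AF_INET:
		head = &ipv4_srcaddrtab;
		break;
#endif
#ifdef INET6
	case AF_INET6:
		head = &ipv6_srcaddrtab;
		break;
#endif
	default:
		/* ignore event */
		return;
	}

	/* Readers run in the epoch; the list is never modified here. */
	SRCADDR_RLOCK();
	CK_LIST_FOREACH(p, head, chain) {
		(*p->srcaddr)(p->arg, ifa->ifa_addr, event);
	}
	SRCADDR_RUNLOCK();
}
EVENTHANDLER_DEFINE(ifaddr_event_ext, srcaddr_change_event, NULL, 0);

/*
 * Register func/arg as an address-change callback on head.
 *
 * Returns the new entry, or the already registered entry when the same
 * func/arg pair is on the list; NULL when func is NULL or the allocation
 * (with mflags) fails.  A duplicate registration shares the existing
 * cookie, so one unregister of that cookie silences every caller that
 * received it.
 */
static struct srcaddrtab *
encap_register_srcaddr(struct srcaddrtab_head *head, encap_srcaddr_t func,
    void *arg, int mflags)
{
	struct srcaddrtab *p, *tmp;

	if (func == NULL)
		return (NULL);
	/* Allocate before taking the mutex so a sleeping malloc never runs under it. */
	p = malloc(sizeof(*p), M_NETADDR, mflags);
	if (p == NULL)
		return (NULL);
	p->srcaddr = func;
	p->arg = arg;

	SRCADDR_WLOCK();
	CK_LIST_FOREACH(tmp, head, chain) {
		if (func == tmp->srcaddr && arg == tmp->arg)
			break;
	}
	if (tmp == NULL)
		CK_LIST_INSERT_HEAD(head, p, chain);
	SRCADDR_WUNLOCK();

	if (tmp != NULL) {
		/* Already registered: drop the duplicate, return the existing entry. */
		free(p, M_NETADDR);
		p = tmp;
	}
	return (p);
}

/*
 * Unlink cookie from head and free it.
 *
 * Returns 0 on success, EINVAL when cookie is not on the list.  The entry
 * is freed only after the epoch has drained, so a concurrent
 * srcaddr_change_event() walk can never touch freed memory.
 */
static int
encap_unregister_srcaddr(struct srcaddrtab_head *head,
    const struct srcaddrtab *cookie)
{
	struct srcaddrtab *p;

	SRCADDR_WLOCK();
	CK_LIST_FOREACH(p, head, chain) {
		if (p == cookie) {
			CK_LIST_REMOVE(p, chain);
			SRCADDR_WUNLOCK();
			/* Let in-flight epoch readers leave before freeing. */
			SRCADDR_WAIT();
			free(p, M_NETADDR);
			return (0);
		}
	}
	SRCADDR_WUNLOCK();
	return (EINVAL);
}

/*
 * Build an encaptab entry from cfg and link it into head.
 *
 * cfg must supply input; lookup is accepted only together with
 * exact_match == ENCAP_DRV_LOOKUP, and any other entry must supply check.
 * The entry is inserted in front of the first existing entry whose
 * exact_match is not greater, which keeps the list sorted by descending
 * exact_match with newer entries ahead of equal ones.  Returns the entry,
 * or NULL on an invalid cfg or a failed allocation (with mflags).
 */
static struct encaptab *
encap_attach(struct encaptab_head *head, const struct encap_config *cfg,
    void *arg, int mflags)
{
	struct encaptab *ep, *tmp;

	if (cfg == NULL || cfg->input == NULL ||
	    (cfg->check == NULL && cfg->lookup == NULL) ||
	    (cfg->lookup != NULL && cfg->exact_match != ENCAP_DRV_LOOKUP) ||
	    (cfg->exact_match == ENCAP_DRV_LOOKUP && cfg->lookup == NULL))
		return (NULL);

	ep = malloc(sizeof(*ep), M_NETADDR, mflags);
	if (ep == NULL)
		return (NULL);
	ep->proto = cfg->proto;
	ep->min_length = cfg->min_length;
	ep->exact_match = cfg->exact_match;
	ep->arg = arg;
	/* Exactly one match routine survives, selected by exact_match. */
	ep->lookup = cfg->exact_match == ENCAP_DRV_LOOKUP ? cfg->lookup: NULL;
	ep->check = cfg->exact_match != ENCAP_DRV_LOOKUP ? cfg->check: NULL;
	ep->input = cfg->input;

	ENCAP_WLOCK();
	CK_LIST_FOREACH(tmp, head, chain) {
		if (tmp->exact_match <= ep->exact_match)
			break;
	}
	if (tmp == NULL)
		CK_LIST_INSERT_HEAD(head, ep, chain);
	else
		CK_LIST_INSERT_BEFORE(tmp, ep, chain);
	ENCAP_WUNLOCK();
	return (ep);
}

/*
 * Unlink cookie from head and free it.
 *
 * Returns 0 on success, EINVAL when cookie is not on the list.  As in
 * encap_unregister_srcaddr(), the free is deferred until the epoch has
 * drained so encap_input() readers cannot observe a freed entry.
 */
static int
encap_detach(struct encaptab_head *head, const struct encaptab *cookie)
{
	struct encaptab *ep;

	ENCAP_WLOCK();
	CK_LIST_FOREACH(ep, head, chain) {
		if (ep == cookie) {
			CK_LIST_REMOVE(ep, chain);
			ENCAP_WUNLOCK();
			/* Let in-flight epoch readers leave before freeing. */
			ENCAP_WAIT();
			free(ep, M_NETADDR);
			return (0);
		}
	}
	ENCAP_WUNLOCK();
	return (EINVAL);
}

/*
 * Dispatch an encapsulated packet to the best-matching handler on head.
 *
 * Each entry whose proto filter and min_length admit the packet scores it:
 * ENCAP_DRV_LOOKUP entries through lookup(), which also yields the
 * driver's own argument, every other entry through check() with its stored
 * arg.  The highest positive score wins, and the search stops as soon as
 * an entry scores at or above its own exact_match.  On a match the
 * handler's input routine runs inside the epoch section and IPPROTO_DONE
 * is returned; with no match 0 is returned and the packet is untouched.
 *
 * The argument produced by lookup() is captured in a scratch variable and
 * copied to arg only when that entry becomes the current best.  Writing
 * straight into arg would let a later entry that scores, but does not beat
 * matchprio, replace the argument belonging to match, so input() would be
 * called with another handler's cookie.
 */
static int
encap_input(struct encaptab_head *head, struct mbuf *m, int off, int proto)
{
	ENCAP_RLOCK_TRACKER;
	struct encaptab *ep, *match;
	void *arg, *larg;
	int matchprio, ret;

	match = NULL;
	arg = larg = NULL;
	matchprio = 0;

	ENCAP_RLOCK();
	CK_LIST_FOREACH(ep, head, chain) {
		if (ep->proto >= 0 && ep->proto != proto)
			continue;
		if (ep->min_length > m->m_pkthdr.len)
			continue;
		if (ep->exact_match == ENCAP_DRV_LOOKUP)
			ret = (*ep->lookup)(m, off, proto, &larg);
		else
			ret = (*ep->check)(m, off, proto, ep->arg);
		if (ret <= 0)
			continue;
		if (ret > matchprio) {
			match = ep;
			/* Only the current best may publish its argument. */
			arg = ep->exact_match == ENCAP_DRV_LOOKUP ?
			    larg : ep->arg;
			/*
			 * No need to continue the search, we got the
			 * exact match.
			 */
			if (ret >= ep->exact_match)
				break;
			matchprio = ret;
		}
	}

	if (match != NULL) {
		/* found a match, "match" has the best one */
		ret = (*match->input)(m, off, proto, arg);
		ENCAP_RUNLOCK();
		MPASS(ret == IPPROTO_DONE);
		return (IPPROTO_DONE);
	}
	ENCAP_RUNLOCK();
	return (0);
}

#ifdef INET
/* IPv4 public entry points: thin wrappers over the family-agnostic helpers. */
const struct srcaddrtab *
ip_encap_register_srcaddr(encap_srcaddr_t func, void *arg, int mflags)
{

	return (encap_register_srcaddr(&ipv4_srcaddrtab, func, arg, mflags));
}

int
ip_encap_unregister_srcaddr(const struct srcaddrtab *cookie)
{

	return (encap_unregister_srcaddr(&ipv4_srcaddrtab, cookie));
}

const struct encaptab *
ip_encap_attach(const struct encap_config *cfg, void *arg, int mflags)
{

	return (encap_attach(&ipv4_encaptab, cfg, arg, mflags));
}

int
ip_encap_detach(const struct encaptab *cookie)
{

	return (encap_detach(&ipv4_encaptab, cookie));
}

/*
 * Protocol input routine for IPv4.  A packet no handler claims is handed
 * on to rip_input() unchanged.
 */
int
encap4_input(struct mbuf **mp, int *offp, int proto)
{

	if (encap_input(&ipv4_encaptab, *mp, *offp, proto) != IPPROTO_DONE)
		return (rip_input(mp, offp, proto));
	return (IPPROTO_DONE);
}
#endif /* INET */

#ifdef INET6
/* IPv6 public entry points: thin wrappers over the family-agnostic helpers. */
const struct srcaddrtab *
ip6_encap_register_srcaddr(encap_srcaddr_t func, void *arg, int mflags)
{

	return (encap_register_srcaddr(&ipv6_srcaddrtab, func, arg, mflags));
}

int
ip6_encap_unregister_srcaddr(const struct srcaddrtab *cookie)
{

	return (encap_unregister_srcaddr(&ipv6_srcaddrtab, cookie));
}

const struct encaptab *
ip6_encap_attach(const struct encap_config *cfg, void *arg, int mflags)
{

	return (encap_attach(&ipv6_encaptab, cfg, arg, mflags));
}

int
ip6_encap_detach(const struct encaptab *cookie)
{

	return (encap_detach(&ipv6_encaptab, cookie));
}

/*
 * Protocol input routine for IPv6.  A packet no handler claims is handed
 * on to rip6_input() unchanged.
 */
int
encap6_input(struct mbuf **mp, int *offp, int proto)
{

	if (encap_input(&ipv6_encaptab, *mp, *offp, proto) != IPPROTO_DONE)
		return (rip6_input(mp, offp, proto));
	return (IPPROTO_DONE);
}
#endif /* INET6 */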