1 /* $OpenBSD: if_bridge.c,v 1.356 2021/07/07 20:19:01 sashan Exp $ */ 2 3 /* 4 * Copyright (c) 1999, 2000 Jason L. Wright (jason@thought.net) 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 18 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 19 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, 20 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 21 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 24 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 25 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 * POSSIBILITY OF SUCH DAMAGE. 27 * 28 * Effort sponsored in part by the Defense Advanced Research Projects 29 * Agency (DARPA) and Air Force Research Laboratory, Air Force 30 * Materiel Command, USAF, under agreement number F30602-01-2-0537. 31 * 32 */ 33 34 #include "bpfilter.h" 35 #include "gif.h" 36 #include "pf.h" 37 #include "carp.h" 38 #include "vlan.h" 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/mbuf.h> 43 #include <sys/socket.h> 44 #include <sys/ioctl.h> 45 #include <sys/kernel.h> 46 47 #include <net/if.h> 48 #include <net/if_types.h> 49 #include <net/if_llc.h> 50 #include <net/netisr.h> 51 52 #include <netinet/in.h> 53 #include <netinet/ip.h> 54 #include <netinet/ip_var.h> 55 #include <netinet/if_ether.h> 56 #include <netinet/ip_icmp.h> 57 58 #ifdef IPSEC 59 #include <netinet/ip_ipsp.h> 60 #include <net/if_enc.h> 61 #endif 62 63 #ifdef INET6 64 #include <netinet6/in6_var.h> 65 #include <netinet/ip6.h> 66 #include <netinet6/ip6_var.h> 67 #endif 68 69 #if NPF > 0 70 #include <net/pfvar.h> 71 #define BRIDGE_IN PF_IN 72 #define BRIDGE_OUT PF_OUT 73 #else 74 #define BRIDGE_IN 0 75 #define BRIDGE_OUT 1 76 #endif 77 78 #if NBPFILTER > 0 79 #include <net/bpf.h> 80 #endif 81 82 #if NCARP > 0 83 #include <netinet/ip_carp.h> 84 #endif 85 86 #if NVLAN > 0 87 #include <net/if_vlan_var.h> 88 #endif 89 90 #include <net/if_bridge.h> 91 92 /* 93 * Maximum number of addresses to cache 94 */ 95 #ifndef BRIDGE_RTABLE_MAX 96 #define BRIDGE_RTABLE_MAX 100 97 #endif 98 99 /* 100 * Timeout (in seconds) for entries learned dynamically 101 */ 102 #ifndef BRIDGE_RTABLE_TIMEOUT 103 #define BRIDGE_RTABLE_TIMEOUT 240 104 #endif 105 106 void bridgeattach(int); 107 int bridge_ioctl(struct ifnet *, u_long, caddr_t); 108 void bridge_ifdetach(void *); 109 void bridge_spandetach(void *); 110 int bridge_ifremove(struct bridge_iflist *); 111 void bridge_spanremove(struct bridge_iflist *); 112 struct mbuf * 113 bridge_input(struct ifnet *, struct mbuf *, uint64_t, void *); 114 void bridge_process(struct ifnet *, struct mbuf *); 115 void bridgeintr_frame(struct ifnet *, struct ifnet *, struct mbuf *); 116 void bridge_bifgetstp(struct bridge_softc *, struct bridge_iflist *, 117 struct ifbreq *); 118 void bridge_broadcast(struct bridge_softc *, struct ifnet *, 119 struct ether_header *, struct mbuf *); 120 int bridge_localbroadcast(struct ifnet *, struct ether_header *, 121 struct mbuf *); 122 void bridge_span(struct ifnet *, struct mbuf *); 123 void bridge_stop(struct bridge_softc *); 124 void bridge_init(struct bridge_softc *); 125 int bridge_bifconf(struct bridge_softc *, struct ifbifconf *); 126 int bridge_blocknonip(struct ether_header *, struct mbuf *); 127 void bridge_ifinput(struct ifnet *, struct mbuf *); 128 int bridge_dummy_output(struct ifnet *, struct mbuf *, struct sockaddr *, 129 struct rtentry *); 130 void bridge_send_icmp_err(struct ifnet *, struct ether_header *, 131 struct mbuf *, int, struct llc *, int, int, int); 132 int bridge_ifenqueue(struct ifnet *, struct ifnet *, struct mbuf *); 133 struct mbuf *bridge_ip(struct ifnet *, int, struct ifnet *, 134 struct ether_header *, struct mbuf *); 135 #ifdef IPSEC 136 int bridge_ipsec(struct ifnet *, struct ether_header *, int, struct llc *, 137 int, int, int, struct mbuf *); 138 #endif 139 int bridge_clone_create(struct if_clone *, int); 140 int bridge_clone_destroy(struct ifnet *); 141 void bridge_take(void *); 142 void bridge_rele(void *); 143 144 #define ETHERADDR_IS_IP_MCAST(a) \ 145 /* struct etheraddr *a; */ \ 146 ((a)->ether_addr_octet[0] == 0x01 && \ 147 (a)->ether_addr_octet[1] == 0x00 && \ 148 (a)->ether_addr_octet[2] == 0x5e) 149 150 struct niqueue bridgeintrq = NIQUEUE_INITIALIZER(1024, NETISR_BRIDGE); 151 152 struct if_clone bridge_cloner = 153 IF_CLONE_INITIALIZER("bridge", bridge_clone_create, bridge_clone_destroy); 154 155 const struct ether_brport bridge_brport = { 156 bridge_input, 157 bridge_take, 158 bridge_rele, 159 NULL, 160 }; 161 162 void 163 bridgeattach(int n) 164 { 165 if_clone_attach(&bridge_cloner); 166 } 167 168 int 169 bridge_clone_create(struct if_clone *ifc, int unit) 170 { 171 struct bridge_softc *sc; 172 struct ifnet *ifp; 173 int i; 174 175 sc = malloc(sizeof(*sc), M_DEVBUF, M_WAITOK|M_ZERO); 176 sc->sc_stp = bstp_create(); 177 if (!sc->sc_stp) { 178 free(sc, M_DEVBUF, sizeof *sc); 179 return (ENOMEM); 180 } 181 182 sc->sc_brtmax = BRIDGE_RTABLE_MAX; 183 sc->sc_brttimeout = BRIDGE_RTABLE_TIMEOUT; 184 timeout_set(&sc->sc_brtimeout, bridge_rtage, sc); 185 SMR_SLIST_INIT(&sc->sc_iflist); 186 SMR_SLIST_INIT(&sc->sc_spanlist); 187 mtx_init(&sc->sc_mtx, IPL_MPFLOOR); 188 for (i = 0; i < BRIDGE_RTABLE_SIZE; i++) 189 LIST_INIT(&sc->sc_rts[i]); 190 arc4random_buf(&sc->sc_hashkey, sizeof(sc->sc_hashkey)); 191 ifp = &sc->sc_if; 192 snprintf(ifp->if_xname, sizeof ifp->if_xname, "%s%d", ifc->ifc_name, 193 unit); 194 ifp->if_softc = sc; 195 ifp->if_mtu = ETHERMTU; 196 ifp->if_ioctl = bridge_ioctl; 197 ifp->if_output = bridge_dummy_output; 198 ifp->if_xflags = IFXF_CLONED; 199 ifp->if_start = NULL; 200 ifp->if_type = IFT_BRIDGE; 201 ifp->if_hdrlen = ETHER_HDR_LEN; 202 203 if_attach(ifp); 204 if_alloc_sadl(ifp); 205 206 #if NBPFILTER > 0 207 bpfattach(&sc->sc_if.if_bpf, ifp, 208 DLT_EN10MB, ETHER_HDR_LEN); 209 #endif 210 211 return (0); 212 } 213 214 int 215 bridge_dummy_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst, 216 struct rtentry *rt) 217 { 218 m_freem(m); 219 return (EAFNOSUPPORT); 220 } 221 222 int 223 bridge_clone_destroy(struct ifnet *ifp) 224 { 225 struct bridge_softc *sc = ifp->if_softc; 226 struct bridge_iflist *bif; 227 228 /* 229 * bridge(4) detach hook doesn't need the NET_LOCK(), worst the 230 * use of smr_barrier() while holding the lock might lead to a 231 * deadlock situation. 232 */ 233 NET_ASSERT_UNLOCKED(); 234 235 bridge_stop(sc); 236 bridge_rtflush(sc, IFBF_FLUSHALL); 237 while ((bif = SMR_SLIST_FIRST_LOCKED(&sc->sc_iflist)) != NULL) 238 bridge_ifremove(bif); 239 while ((bif = SMR_SLIST_FIRST_LOCKED(&sc->sc_spanlist)) != NULL) 240 bridge_spanremove(bif); 241 242 bstp_destroy(sc->sc_stp); 243 244 if_detach(ifp); 245 246 free(sc, M_DEVBUF, sizeof *sc); 247 return (0); 248 } 249 250 int 251 bridge_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) 252 { 253 struct bridge_softc *sc = (struct bridge_softc *)ifp->if_softc; 254 struct ifbreq *req = (struct ifbreq *)data; 255 struct ifbropreq *brop = (struct ifbropreq *)data; 256 struct ifnet *ifs; 257 struct bridge_iflist *bif; 258 struct bstp_port *bp; 259 struct bstp_state *bs = sc->sc_stp; 260 int error = 0; 261 262 /* 263 * bridge(4) data structure aren't protected by the NET_LOCK(). 264 * Idealy it shouldn't be taken before calling `ifp->if_ioctl' 265 * but we aren't there yet. 266 */ 267 NET_UNLOCK(); 268 269 switch (cmd) { 270 case SIOCBRDGADD: 271 /* bridge(4) does not distinguish between routing/forwarding ports */ 272 case SIOCBRDGADDL: 273 if ((error = suser(curproc)) != 0) 274 break; 275 276 ifs = if_unit(req->ifbr_ifsname); 277 if (ifs == NULL) { /* no such interface */ 278 error = ENOENT; 279 break; 280 } 281 if (ifs->if_type != IFT_ETHER) { 282 if_put(ifs); 283 error = EINVAL; 284 break; 285 } 286 if (ifs->if_bridgeidx != 0) { 287 if (ifs->if_bridgeidx == ifp->if_index) 288 error = EEXIST; 289 else 290 error = EBUSY; 291 if_put(ifs); 292 break; 293 } 294 295 error = ether_brport_isset(ifs); 296 if (error != 0) { 297 if_put(ifs); 298 break; 299 } 300 301 /* If it's in the span list, it can't be a member. */ 302 SMR_SLIST_FOREACH_LOCKED(bif, &sc->sc_spanlist, bif_next) { 303 if (bif->ifp == ifs) 304 break; 305 } 306 if (bif != NULL) { 307 if_put(ifs); 308 error = EBUSY; 309 break; 310 } 311 312 bif = malloc(sizeof(*bif), M_DEVBUF, M_NOWAIT|M_ZERO); 313 if (bif == NULL) { 314 if_put(ifs); 315 error = ENOMEM; 316 break; 317 } 318 319 NET_LOCK(); 320 error = ifpromisc(ifs, 1); 321 NET_UNLOCK(); 322 if (error != 0) { 323 if_put(ifs); 324 free(bif, M_DEVBUF, sizeof(*bif)); 325 break; 326 } 327 328 /* 329 * XXX If the NET_LOCK() or ifpromisc() calls above 330 * had to sleep, then something else could have come 331 * along and taken over ifs while the kernel lock was 332 * released. 333 */ 334 335 bif->bridge_sc = sc; 336 bif->ifp = ifs; 337 bif->bif_flags = IFBIF_LEARNING | IFBIF_DISCOVER; 338 SIMPLEQ_INIT(&bif->bif_brlin); 339 SIMPLEQ_INIT(&bif->bif_brlout); 340 ifs->if_bridgeidx = ifp->if_index; 341 task_set(&bif->bif_dtask, bridge_ifdetach, bif); 342 if_detachhook_add(ifs, &bif->bif_dtask); 343 ether_brport_set(bif->ifp, &bridge_brport); 344 SMR_SLIST_INSERT_HEAD_LOCKED(&sc->sc_iflist, bif, bif_next); 345 break; 346 case SIOCBRDGDEL: 347 if ((error = suser(curproc)) != 0) 348 break; 349 error = bridge_findbif(sc, req->ifbr_ifsname, &bif); 350 if (error != 0) 351 break; 352 bridge_ifremove(bif); 353 break; 354 case SIOCBRDGIFS: 355 error = bridge_bifconf(sc, (struct ifbifconf *)data); 356 break; 357 case SIOCBRDGADDS: 358 if ((error = suser(curproc)) != 0) 359 break; 360 ifs = if_unit(req->ifbr_ifsname); 361 if (ifs == NULL) { /* no such interface */ 362 error = ENOENT; 363 break; 364 } 365 if (ifs->if_type != IFT_ETHER) { 366 if_put(ifs); 367 error = EINVAL; 368 break; 369 } 370 if (ifs->if_bridgeidx != 0) { 371 if (ifs->if_bridgeidx == ifp->if_index) 372 error = EEXIST; 373 else 374 error = EBUSY; 375 if_put(ifs); 376 break; 377 } 378 SMR_SLIST_FOREACH_LOCKED(bif, &sc->sc_spanlist, bif_next) { 379 if (bif->ifp == ifs) 380 break; 381 } 382 if (bif != NULL) { 383 if_put(ifs); 384 error = EEXIST; 385 break; 386 } 387 bif = malloc(sizeof(*bif), M_DEVBUF, M_NOWAIT|M_ZERO); 388 if (bif == NULL) { 389 if_put(ifs); 390 error = ENOMEM; 391 break; 392 } 393 bif->bridge_sc = sc; 394 bif->ifp = ifs; 395 bif->bif_flags = IFBIF_SPAN; 396 SIMPLEQ_INIT(&bif->bif_brlin); 397 SIMPLEQ_INIT(&bif->bif_brlout); 398 task_set(&bif->bif_dtask, bridge_spandetach, bif); 399 if_detachhook_add(ifs, &bif->bif_dtask); 400 SMR_SLIST_INSERT_HEAD_LOCKED(&sc->sc_spanlist, bif, bif_next); 401 break; 402 case SIOCBRDGDELS: 403 if ((error = suser(curproc)) != 0) 404 break; 405 ifs = if_unit(req->ifbr_ifsname); 406 if (ifs == NULL) { 407 error = ENOENT; 408 break; 409 } 410 SMR_SLIST_FOREACH_LOCKED(bif, &sc->sc_spanlist, bif_next) { 411 if (bif->ifp == ifs) 412 break; 413 } 414 if_put(ifs); 415 if (bif == NULL) { 416 error = ESRCH; 417 break; 418 } 419 bridge_spanremove(bif); 420 break; 421 case SIOCBRDGGIFFLGS: 422 error = bridge_findbif(sc, req->ifbr_ifsname, &bif); 423 if (error != 0) 424 break; 425 req->ifbr_ifsflags = bif->bif_flags; 426 req->ifbr_portno = bif->ifp->if_index & 0xfff; 427 req->ifbr_protected = bif->bif_protected; 428 if (bif->bif_flags & IFBIF_STP) 429 bridge_bifgetstp(sc, bif, req); 430 break; 431 case SIOCBRDGSIFFLGS: 432 if (req->ifbr_ifsflags & IFBIF_RO_MASK) { 433 error = EINVAL; 434 break; 435 } 436 if ((error = suser(curproc)) != 0) 437 break; 438 error = bridge_findbif(sc, req->ifbr_ifsname, &bif); 439 if (error != 0) 440 break; 441 if (req->ifbr_ifsflags & IFBIF_STP) { 442 if ((bif->bif_flags & IFBIF_STP) == 0) { 443 /* Enable STP */ 444 if ((bif->bif_stp = bstp_add(sc->sc_stp, 445 bif->ifp)) == NULL) { 446 error = ENOMEM; 447 break; 448 } 449 } else { 450 /* Update STP flags */ 451 bstp_ifsflags(bif->bif_stp, req->ifbr_ifsflags); 452 } 453 } else if (bif->bif_flags & IFBIF_STP) { 454 bstp_delete(bif->bif_stp); 455 bif->bif_stp = NULL; 456 } 457 bif->bif_flags = req->ifbr_ifsflags; 458 break; 459 case SIOCSIFFLAGS: 460 if ((ifp->if_flags & IFF_UP) == IFF_UP) 461 bridge_init(sc); 462 463 if ((ifp->if_flags & IFF_UP) == 0) 464 bridge_stop(sc); 465 466 break; 467 case SIOCBRDGGPARAM: 468 if ((bp = bs->bs_root_port) == NULL) 469 brop->ifbop_root_port = 0; 470 else 471 brop->ifbop_root_port = bp->bp_ifindex; 472 brop->ifbop_maxage = bs->bs_bridge_max_age >> 8; 473 brop->ifbop_hellotime = bs->bs_bridge_htime >> 8; 474 brop->ifbop_fwddelay = bs->bs_bridge_fdelay >> 8; 475 brop->ifbop_holdcount = bs->bs_txholdcount; 476 brop->ifbop_priority = bs->bs_bridge_priority; 477 brop->ifbop_protocol = bs->bs_protover; 478 brop->ifbop_root_bridge = bs->bs_root_pv.pv_root_id; 479 brop->ifbop_root_path_cost = bs->bs_root_pv.pv_cost; 480 brop->ifbop_root_port = bs->bs_root_pv.pv_port_id; 481 brop->ifbop_desg_bridge = bs->bs_root_pv.pv_dbridge_id; 482 brop->ifbop_last_tc_time.tv_sec = bs->bs_last_tc_time.tv_sec; 483 brop->ifbop_last_tc_time.tv_usec = bs->bs_last_tc_time.tv_usec; 484 break; 485 case SIOCBRDGSIFPROT: 486 error = bridge_findbif(sc, req->ifbr_ifsname, &bif); 487 if (error != 0) 488 break; 489 bif->bif_protected = req->ifbr_protected; 490 break; 491 case SIOCBRDGRTS: 492 case SIOCBRDGGCACHE: 493 case SIOCBRDGGPRI: 494 case SIOCBRDGGMA: 495 case SIOCBRDGGHT: 496 case SIOCBRDGGFD: 497 case SIOCBRDGGTO: 498 case SIOCBRDGGRL: 499 break; 500 case SIOCBRDGFLUSH: 501 case SIOCBRDGSADDR: 502 case SIOCBRDGDADDR: 503 case SIOCBRDGSCACHE: 504 case SIOCBRDGSTO: 505 case SIOCBRDGARL: 506 case SIOCBRDGFRL: 507 case SIOCBRDGSPRI: 508 case SIOCBRDGSFD: 509 case SIOCBRDGSMA: 510 case SIOCBRDGSHT: 511 case SIOCBRDGSTXHC: 512 case SIOCBRDGSPROTO: 513 case SIOCBRDGSIFPRIO: 514 case SIOCBRDGSIFCOST: 515 error = suser(curproc); 516 break; 517 default: 518 error = ENOTTY; 519 break; 520 } 521 522 if (!error) 523 error = bridgectl_ioctl(ifp, cmd, data); 524 525 if (!error) 526 error = bstp_ioctl(ifp, cmd, data); 527 528 NET_LOCK(); 529 return (error); 530 } 531 532 /* Detach an interface from a bridge. */ 533 int 534 bridge_ifremove(struct bridge_iflist *bif) 535 { 536 struct bridge_softc *sc = bif->bridge_sc; 537 int error; 538 539 SMR_SLIST_REMOVE_LOCKED(&sc->sc_iflist, bif, bridge_iflist, bif_next); 540 if_detachhook_del(bif->ifp, &bif->bif_dtask); 541 ether_brport_clr(bif->ifp); 542 543 smr_barrier(); 544 545 if (bif->bif_flags & IFBIF_STP) { 546 bstp_delete(bif->bif_stp); 547 bif->bif_stp = NULL; 548 } 549 550 bif->ifp->if_bridgeidx = 0; 551 NET_LOCK(); 552 error = ifpromisc(bif->ifp, 0); 553 NET_UNLOCK(); 554 555 bridge_rtdelete(sc, bif->ifp, 0); 556 bridge_flushrule(bif); 557 558 if_put(bif->ifp); 559 bif->ifp = NULL; 560 free(bif, M_DEVBUF, sizeof(*bif)); 561 562 return (error); 563 } 564 565 void 566 bridge_spanremove(struct bridge_iflist *bif) 567 { 568 struct bridge_softc *sc = bif->bridge_sc; 569 570 SMR_SLIST_REMOVE_LOCKED(&sc->sc_spanlist, bif, bridge_iflist, bif_next); 571 if_detachhook_del(bif->ifp, &bif->bif_dtask); 572 573 smr_barrier(); 574 575 if_put(bif->ifp); 576 bif->ifp = NULL; 577 free(bif, M_DEVBUF, sizeof(*bif)); 578 } 579 580 void 581 bridge_ifdetach(void *xbif) 582 { 583 struct bridge_iflist *bif = xbif; 584 585 /* 586 * bridge(4) detach hook doesn't need the NET_LOCK(), worst the 587 * use of smr_barrier() while holding the lock might lead to a 588 * deadlock situation. 589 */ 590 NET_UNLOCK(); 591 bridge_ifremove(bif); 592 NET_LOCK(); 593 } 594 595 void 596 bridge_spandetach(void *xbif) 597 { 598 struct bridge_iflist *bif = xbif; 599 600 /* 601 * bridge(4) detach hook doesn't need the NET_LOCK(), worst the 602 * use of smr_barrier() while holding the lock might lead to a 603 * deadlock situation. 604 */ 605 NET_UNLOCK(); 606 bridge_spanremove(bif); 607 NET_LOCK(); 608 } 609 610 void 611 bridge_bifgetstp(struct bridge_softc *sc, struct bridge_iflist *bif, 612 struct ifbreq *breq) 613 { 614 struct bstp_state *bs = sc->sc_stp; 615 struct bstp_port *bp = bif->bif_stp; 616 617 breq->ifbr_state = bstp_getstate(bs, bp); 618 breq->ifbr_priority = bp->bp_priority; 619 breq->ifbr_path_cost = bp->bp_path_cost; 620 breq->ifbr_proto = bp->bp_protover; 621 breq->ifbr_role = bp->bp_role; 622 breq->ifbr_stpflags = bp->bp_flags; 623 breq->ifbr_fwd_trans = bp->bp_forward_transitions; 624 breq->ifbr_root_bridge = bs->bs_root_pv.pv_root_id; 625 breq->ifbr_root_cost = bs->bs_root_pv.pv_cost; 626 breq->ifbr_root_port = bs->bs_root_pv.pv_port_id; 627 breq->ifbr_desg_bridge = bs->bs_root_pv.pv_dbridge_id; 628 breq->ifbr_desg_port = bs->bs_root_pv.pv_dport_id; 629 630 /* Copy STP state options as flags */ 631 if (bp->bp_operedge) 632 breq->ifbr_ifsflags |= IFBIF_BSTP_EDGE; 633 if (bp->bp_flags & BSTP_PORT_AUTOEDGE) 634 breq->ifbr_ifsflags |= IFBIF_BSTP_AUTOEDGE; 635 if (bp->bp_ptp_link) 636 breq->ifbr_ifsflags |= IFBIF_BSTP_PTP; 637 if (bp->bp_flags & BSTP_PORT_AUTOPTP) 638 breq->ifbr_ifsflags |= IFBIF_BSTP_AUTOPTP; 639 } 640 641 int 642 bridge_bifconf(struct bridge_softc *sc, struct ifbifconf *bifc) 643 { 644 struct bridge_iflist *bif; 645 u_int32_t total = 0, i = 0; 646 int error = 0; 647 struct ifbreq *breq, *breqs = NULL; 648 649 SMR_SLIST_FOREACH_LOCKED(bif, &sc->sc_iflist, bif_next) 650 total++; 651 652 SMR_SLIST_FOREACH_LOCKED(bif, &sc->sc_spanlist, bif_next) 653 total++; 654 655 if (bifc->ifbic_len == 0) { 656 i = total; 657 goto done; 658 } 659 660 breqs = mallocarray(total, sizeof(*breqs), M_TEMP, M_NOWAIT|M_ZERO); 661 if (breqs == NULL) 662 goto done; 663 664 SMR_SLIST_FOREACH_LOCKED(bif, &sc->sc_iflist, bif_next) { 665 if (bifc->ifbic_len < (i + 1) * sizeof(*breqs)) 666 break; 667 breq = &breqs[i]; 668 strlcpy(breq->ifbr_name, sc->sc_if.if_xname, IFNAMSIZ); 669 strlcpy(breq->ifbr_ifsname, bif->ifp->if_xname, IFNAMSIZ); 670 breq->ifbr_ifsflags = bif->bif_flags; 671 breq->ifbr_portno = bif->ifp->if_index & 0xfff; 672 breq->ifbr_protected = bif->bif_protected; 673 if (bif->bif_flags & IFBIF_STP) 674 bridge_bifgetstp(sc, bif, breq); 675 i++; 676 } 677 SMR_SLIST_FOREACH_LOCKED(bif, &sc->sc_spanlist, bif_next) { 678 if (bifc->ifbic_len < (i + 1) * sizeof(*breqs)) 679 break; 680 breq = &breqs[i]; 681 strlcpy(breq->ifbr_name, sc->sc_if.if_xname, IFNAMSIZ); 682 strlcpy(breq->ifbr_ifsname, bif->ifp->if_xname, IFNAMSIZ); 683 breq->ifbr_ifsflags = bif->bif_flags | IFBIF_SPAN; 684 breq->ifbr_portno = bif->ifp->if_index & 0xfff; 685 i++; 686 } 687 688 error = copyout(breqs, bifc->ifbic_req, i * sizeof(*breqs)); 689 done: 690 free(breqs, M_TEMP, total * sizeof(*breq)); 691 bifc->ifbic_len = i * sizeof(*breq); 692 return (error); 693 } 694 695 int 696 bridge_findbif(struct bridge_softc *sc, const char *name, 697 struct bridge_iflist **rbif) 698 { 699 struct ifnet *ifp; 700 struct bridge_iflist *bif; 701 int error = 0; 702 703 KERNEL_ASSERT_LOCKED(); 704 705 if ((ifp = if_unit(name)) == NULL) 706 return (ENOENT); 707 708 if (ifp->if_bridgeidx != sc->sc_if.if_index) { 709 error = ESRCH; 710 goto put; 711 } 712 713 SMR_SLIST_FOREACH_LOCKED(bif, &sc->sc_iflist, bif_next) { 714 if (bif->ifp == ifp) 715 break; 716 } 717 718 if (bif == NULL) { 719 error = ENOENT; 720 goto put; 721 } 722 723 *rbif = bif; 724 put: 725 if_put(ifp); 726 727 return (error); 728 } 729 730 struct bridge_iflist * 731 bridge_getbif(struct ifnet *ifp) 732 { 733 struct bridge_iflist *bif; 734 struct bridge_softc *sc; 735 struct ifnet *bifp; 736 737 KERNEL_ASSERT_LOCKED(); 738 739 bifp = if_get(ifp->if_bridgeidx); 740 if (bifp == NULL) 741 return (NULL); 742 743 sc = bifp->if_softc; 744 SMR_SLIST_FOREACH_LOCKED(bif, &sc->sc_iflist, bif_next) { 745 if (bif->ifp == ifp) 746 break; 747 } 748 749 if_put(bifp); 750 751 return (bif); 752 } 753 754 void 755 bridge_init(struct bridge_softc *sc) 756 { 757 struct ifnet *ifp = &sc->sc_if; 758 759 if (ISSET(ifp->if_flags, IFF_RUNNING)) 760 return; 761 762 bstp_enable(sc->sc_stp, ifp->if_index); 763 764 if (sc->sc_brttimeout != 0) 765 timeout_add_sec(&sc->sc_brtimeout, sc->sc_brttimeout); 766 767 SET(ifp->if_flags, IFF_RUNNING); 768 } 769 770 /* 771 * Stop the bridge and deallocate the routing table. 772 */ 773 void 774 bridge_stop(struct bridge_softc *sc) 775 { 776 struct ifnet *ifp = &sc->sc_if; 777 778 if (!ISSET(ifp->if_flags, IFF_RUNNING)) 779 return; 780 781 CLR(ifp->if_flags, IFF_RUNNING); 782 783 bstp_disable(sc->sc_stp); 784 785 timeout_del_barrier(&sc->sc_brtimeout); 786 787 bridge_rtflush(sc, IFBF_FLUSHDYN); 788 } 789 790 /* 791 * Send output from the bridge. The mbuf has the ethernet header 792 * already attached. We must enqueue or free the mbuf before exiting. 793 */ 794 int 795 bridge_enqueue(struct ifnet *ifp, struct mbuf *m) 796 { 797 struct ifnet *brifp; 798 struct ether_header *eh; 799 struct ifnet *dst_if = NULL; 800 unsigned int dst_ifidx = 0; 801 #if NBPFILTER > 0 802 caddr_t if_bpf; 803 #endif 804 int error = 0; 805 806 if (m->m_len < sizeof(*eh)) { 807 m = m_pullup(m, sizeof(*eh)); 808 if (m == NULL) 809 return (ENOBUFS); 810 } 811 812 /* ifp must be a member interface of the bridge. */ 813 brifp = if_get(ifp->if_bridgeidx); 814 if (brifp == NULL) { 815 m_freem(m); 816 return (EINVAL); 817 } 818 819 /* 820 * If bridge is down, but original output interface is up, 821 * go ahead and send out that interface. Otherwise the packet 822 * is dropped below. 823 */ 824 if (!ISSET(brifp->if_flags, IFF_RUNNING)) { 825 /* Loop prevention. */ 826 m->m_flags |= M_PROTO1; 827 error = if_enqueue(ifp, m); 828 if_put(brifp); 829 return (error); 830 } 831 832 #if NBPFILTER > 0 833 if_bpf = brifp->if_bpf; 834 if (if_bpf) 835 bpf_mtap(if_bpf, m, BPF_DIRECTION_OUT); 836 #endif 837 ifp->if_opackets++; 838 ifp->if_obytes += m->m_pkthdr.len; 839 840 bridge_span(brifp, m); 841 842 eh = mtod(m, struct ether_header *); 843 if (!ETHER_IS_MULTICAST(eh->ether_dhost)) { 844 struct ether_addr *dst; 845 846 dst = (struct ether_addr *)&eh->ether_dhost[0]; 847 dst_ifidx = bridge_rtlookup(brifp, dst, m); 848 } 849 850 /* 851 * If the packet is a broadcast or we don't know a better way to 852 * get there, send to all interfaces. 853 */ 854 if (dst_ifidx == 0) { 855 struct bridge_softc *sc = brifp->if_softc; 856 struct bridge_iflist *bif; 857 struct mbuf *mc; 858 859 smr_read_enter(); 860 SMR_SLIST_FOREACH(bif, &sc->sc_iflist, bif_next) { 861 dst_if = bif->ifp; 862 if ((dst_if->if_flags & IFF_RUNNING) == 0) 863 continue; 864 865 /* 866 * If this is not the original output interface, 867 * and the interface is participating in spanning 868 * tree, make sure the port is in a state that 869 * allows forwarding. 870 */ 871 if (dst_if != ifp && 872 (bif->bif_flags & IFBIF_STP) && 873 (bif->bif_state == BSTP_IFSTATE_DISCARDING)) 874 continue; 875 if ((bif->bif_flags & IFBIF_DISCOVER) == 0 && 876 (m->m_flags & (M_BCAST | M_MCAST)) == 0) 877 continue; 878 879 if (bridge_filterrule(&bif->bif_brlout, eh, m) == 880 BRL_ACTION_BLOCK) 881 continue; 882 883 mc = m_dup_pkt(m, ETHER_ALIGN, M_NOWAIT); 884 if (mc == NULL) { 885 brifp->if_oerrors++; 886 continue; 887 } 888 889 error = bridge_ifenqueue(brifp, dst_if, mc); 890 if (error) 891 continue; 892 } 893 smr_read_leave(); 894 m_freem(m); 895 goto out; 896 } 897 898 dst_if = if_get(dst_ifidx); 899 if ((dst_if == NULL) || !ISSET(dst_if->if_flags, IFF_RUNNING)) { 900 m_freem(m); 901 if_put(dst_if); 902 error = ENETDOWN; 903 goto out; 904 } 905 906 bridge_ifenqueue(brifp, dst_if, m); 907 if_put(dst_if); 908 out: 909 if_put(brifp); 910 return (error); 911 } 912 913 /* 914 * Loop through each bridge interface and process their input queues. 915 */ 916 void 917 bridgeintr(void) 918 { 919 struct mbuf_list ml; 920 struct mbuf *m; 921 struct ifnet *ifp; 922 923 niq_delist(&bridgeintrq, &ml); 924 if (ml_empty(&ml)) 925 return; 926 927 KERNEL_LOCK(); 928 while ((m = ml_dequeue(&ml)) != NULL) { 929 930 ifp = if_get(m->m_pkthdr.ph_ifidx); 931 if (ifp == NULL) { 932 m_freem(m); 933 continue; 934 } 935 936 bridge_process(ifp, m); 937 938 if_put(ifp); 939 } 940 KERNEL_UNLOCK(); 941 } 942 943 /* 944 * Process a single frame. Frame must be freed or queued before returning. 945 */ 946 void 947 bridgeintr_frame(struct ifnet *brifp, struct ifnet *src_if, struct mbuf *m) 948 { 949 struct bridge_softc *sc = brifp->if_softc; 950 struct ifnet *dst_if = NULL; 951 struct bridge_iflist *bif; 952 struct ether_addr *dst, *src; 953 struct ether_header eh; 954 unsigned int dst_ifidx; 955 u_int32_t protected; 956 int len; 957 958 959 sc->sc_if.if_ipackets++; 960 sc->sc_if.if_ibytes += m->m_pkthdr.len; 961 962 bif = bridge_getbif(src_if); 963 KASSERT(bif != NULL); 964 965 m_copydata(m, 0, ETHER_HDR_LEN, &eh); 966 dst = (struct ether_addr *)&eh.ether_dhost[0]; 967 src = (struct ether_addr *)&eh.ether_shost[0]; 968 969 /* 970 * If interface is learning, and if source address 971 * is not broadcast or multicast, record its address. 972 */ 973 if ((bif->bif_flags & IFBIF_LEARNING) && 974 !ETHER_IS_MULTICAST(eh.ether_shost) && 975 !ETHER_IS_ANYADDR(eh.ether_shost)) 976 bridge_rtupdate(sc, src, src_if, 0, IFBAF_DYNAMIC, m); 977 978 if ((bif->bif_flags & IFBIF_STP) && 979 (bif->bif_state == BSTP_IFSTATE_LEARNING)) { 980 m_freem(m); 981 return; 982 } 983 984 /* 985 * At this point, the port either doesn't participate in stp or 986 * it's in the forwarding state 987 */ 988 989 /* 990 * If packet is unicast, destined for someone on "this" 991 * side of the bridge, drop it. 992 */ 993 if (!ETHER_IS_MULTICAST(eh.ether_dhost)) { 994 dst_ifidx = bridge_rtlookup(brifp, dst, NULL); 995 if (dst_ifidx == src_if->if_index) { 996 m_freem(m); 997 return; 998 } 999 } else { 1000 if (ETHER_IS_BROADCAST(eh.ether_dhost)) 1001 m->m_flags |= M_BCAST; 1002 else 1003 m->m_flags |= M_MCAST; 1004 } 1005 1006 /* 1007 * Multicast packets get handled a little differently: 1008 * If interface is: 1009 * -link0,-link1 (default) Forward all multicast 1010 * as broadcast. 1011 * -link0,link1 Drop non-IP multicast, forward 1012 * as broadcast IP multicast. 1013 * link0,-link1 Drop IP multicast, forward as 1014 * broadcast non-IP multicast. 1015 * link0,link1 Drop all multicast. 1016 */ 1017 if (m->m_flags & M_MCAST) { 1018 if ((sc->sc_if.if_flags & 1019 (IFF_LINK0 | IFF_LINK1)) == 1020 (IFF_LINK0 | IFF_LINK1)) { 1021 m_freem(m); 1022 return; 1023 } 1024 if (sc->sc_if.if_flags & IFF_LINK0 && 1025 ETHERADDR_IS_IP_MCAST(dst)) { 1026 m_freem(m); 1027 return; 1028 } 1029 if (sc->sc_if.if_flags & IFF_LINK1 && 1030 !ETHERADDR_IS_IP_MCAST(dst)) { 1031 m_freem(m); 1032 return; 1033 } 1034 } 1035 1036 if (bif->bif_flags & IFBIF_BLOCKNONIP && bridge_blocknonip(&eh, m)) { 1037 m_freem(m); 1038 return; 1039 } 1040 1041 if (bridge_filterrule(&bif->bif_brlin, &eh, m) == BRL_ACTION_BLOCK) { 1042 m_freem(m); 1043 return; 1044 } 1045 m = bridge_ip(&sc->sc_if, BRIDGE_IN, src_if, &eh, m); 1046 if (m == NULL) 1047 return; 1048 /* 1049 * If the packet is a multicast or broadcast OR if we don't 1050 * know any better, forward it to all interfaces. 1051 */ 1052 if ((m->m_flags & (M_BCAST | M_MCAST)) || dst_ifidx == 0) { 1053 sc->sc_if.if_imcasts++; 1054 bridge_broadcast(sc, src_if, &eh, m); 1055 return; 1056 } 1057 protected = bif->bif_protected; 1058 1059 dst_if = if_get(dst_ifidx); 1060 if (dst_if == NULL) 1061 goto bad; 1062 1063 /* 1064 * At this point, we're dealing with a unicast frame going to a 1065 * different interface 1066 */ 1067 if (!ISSET(dst_if->if_flags, IFF_RUNNING)) 1068 goto bad; 1069 bif = bridge_getbif(dst_if); 1070 if ((bif == NULL) || ((bif->bif_flags & IFBIF_STP) && 1071 (bif->bif_state == BSTP_IFSTATE_DISCARDING))) 1072 goto bad; 1073 /* 1074 * Do not transmit if both ports are part of the same protected 1075 * domain. 1076 */ 1077 if (protected != 0 && (protected & bif->bif_protected)) 1078 goto bad; 1079 if (bridge_filterrule(&bif->bif_brlout, &eh, m) == BRL_ACTION_BLOCK) 1080 goto bad; 1081 m = bridge_ip(&sc->sc_if, BRIDGE_OUT, dst_if, &eh, m); 1082 if (m == NULL) 1083 goto bad; 1084 1085 len = m->m_pkthdr.len; 1086 #if NVLAN > 0 1087 if ((m->m_flags & M_VLANTAG) && 1088 (dst_if->if_capabilities & IFCAP_VLAN_HWTAGGING) == 0) 1089 len += ETHER_VLAN_ENCAP_LEN; 1090 #endif 1091 if ((len - ETHER_HDR_LEN) > dst_if->if_mtu) 1092 bridge_fragment(&sc->sc_if, dst_if, &eh, m); 1093 else { 1094 bridge_ifenqueue(&sc->sc_if, dst_if, m); 1095 } 1096 m = NULL; 1097 bad: 1098 if_put(dst_if); 1099 m_freem(m); 1100 } 1101 1102 /* 1103 * Return 1 if `ena' belongs to `bif', 0 otherwise. 1104 */ 1105 int 1106 bridge_ourether(struct ifnet *ifp, uint8_t *ena) 1107 { 1108 struct arpcom *ac = (struct arpcom *)ifp; 1109 1110 if (memcmp(ac->ac_enaddr, ena, ETHER_ADDR_LEN) == 0) 1111 return (1); 1112 1113 #if NCARP > 0 1114 if (carp_ourether(ifp, ena)) 1115 return (1); 1116 #endif 1117 1118 return (0); 1119 } 1120 1121 /* 1122 * Receive input from an interface. Queue the packet for bridging if its 1123 * not for us, and schedule an interrupt. 1124 */ 1125 struct mbuf * 1126 bridge_input(struct ifnet *ifp, struct mbuf *m, uint64_t dst, void *null) 1127 { 1128 KASSERT(m->m_flags & M_PKTHDR); 1129 1130 if (m->m_flags & M_PROTO1) { 1131 m->m_flags &= ~M_PROTO1; 1132 return (m); 1133 } 1134 1135 niq_enqueue(&bridgeintrq, m); 1136 1137 return (NULL); 1138 } 1139 1140 void 1141 bridge_process(struct ifnet *ifp, struct mbuf *m) 1142 { 1143 struct ifnet *brifp; 1144 struct bridge_softc *sc; 1145 struct bridge_iflist *bif = NULL, *bif0 = NULL; 1146 struct ether_header *eh; 1147 struct mbuf *mc; 1148 #if NBPFILTER > 0 1149 caddr_t if_bpf; 1150 #endif 1151 1152 KERNEL_ASSERT_LOCKED(); 1153 1154 brifp = if_get(ifp->if_bridgeidx); 1155 if ((brifp == NULL) || !ISSET(brifp->if_flags, IFF_RUNNING)) 1156 goto reenqueue; 1157 1158 if (m->m_pkthdr.len < sizeof(*eh)) 1159 goto bad; 1160 1161 #if NVLAN > 0 1162 /* 1163 * If the underlying interface removed the VLAN header itself, 1164 * add it back. 1165 */ 1166 if (ISSET(m->m_flags, M_VLANTAG)) { 1167 m = vlan_inject(m, ETHERTYPE_VLAN, m->m_pkthdr.ether_vtag); 1168 if (m == NULL) 1169 goto bad; 1170 } 1171 #endif 1172 1173 #if NBPFILTER > 0 1174 if_bpf = brifp->if_bpf; 1175 if (if_bpf) 1176 bpf_mtap_ether(if_bpf, m, BPF_DIRECTION_IN); 1177 #endif 1178 1179 eh = mtod(m, struct ether_header *); 1180 1181 sc = brifp->if_softc; 1182 SMR_SLIST_FOREACH_LOCKED(bif, &sc->sc_iflist, bif_next) { 1183 struct arpcom *ac = (struct arpcom *)bif->ifp; 1184 if (memcmp(ac->ac_enaddr, eh->ether_shost, ETHER_ADDR_LEN) == 0) 1185 goto bad; 1186 if (bif->ifp == ifp) 1187 bif0 = bif; 1188 } 1189 if (bif0 == NULL) 1190 goto reenqueue; 1191 1192 bridge_span(brifp, m); 1193 1194 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 1195 /* 1196 * Reserved destination MAC addresses (01:80:C2:00:00:0x) 1197 * should not be forwarded to bridge members according to 1198 * section 7.12.6 of the 802.1D-2004 specification. The 1199 * STP destination address (as stored in bstp_etheraddr) 1200 * is the first of these. 1201 */ 1202 if (memcmp(eh->ether_dhost, bstp_etheraddr, 1203 ETHER_ADDR_LEN - 1) == 0) { 1204 if (eh->ether_dhost[ETHER_ADDR_LEN - 1] == 0) { 1205 /* STP traffic */ 1206 m = bstp_input(sc->sc_stp, bif0->bif_stp, eh, 1207 m); 1208 if (m == NULL) 1209 goto bad; 1210 } else if (eh->ether_dhost[ETHER_ADDR_LEN - 1] <= 0xf) 1211 goto bad; 1212 } 1213 1214 /* 1215 * No need to process frames for ifs in the discarding state 1216 */ 1217 if ((bif0->bif_flags & IFBIF_STP) && 1218 (bif0->bif_state == BSTP_IFSTATE_DISCARDING)) 1219 goto reenqueue; 1220 1221 mc = m_dup_pkt(m, ETHER_ALIGN, M_NOWAIT); 1222 if (mc == NULL) 1223 goto reenqueue; 1224 1225 bridge_ifinput(ifp, mc); 1226 1227 bridgeintr_frame(brifp, ifp, m); 1228 if_put(brifp); 1229 return; 1230 } 1231 1232 /* 1233 * Unicast, make sure it's not for us. 1234 */ 1235 if (bridge_ourether(bif0->ifp, eh->ether_dhost)) { 1236 bif = bif0; 1237 } else { 1238 SMR_SLIST_FOREACH_LOCKED(bif, &sc->sc_iflist, bif_next) { 1239 if (bif->ifp == ifp) 1240 continue; 1241 if (bridge_ourether(bif->ifp, eh->ether_dhost)) 1242 break; 1243 } 1244 } 1245 if (bif != NULL) { 1246 if (bif0->bif_flags & IFBIF_LEARNING) 1247 bridge_rtupdate(sc, 1248 (struct ether_addr *)&eh->ether_shost, 1249 ifp, 0, IFBAF_DYNAMIC, m); 1250 if (bridge_filterrule(&bif0->bif_brlin, eh, m) == 1251 BRL_ACTION_BLOCK) { 1252 goto bad; 1253 } 1254 1255 /* Count for the bridge */ 1256 brifp->if_ipackets++; 1257 brifp->if_ibytes += m->m_pkthdr.len; 1258 1259 ifp = bif->ifp; 1260 goto reenqueue; 1261 } 1262 1263 bridgeintr_frame(brifp, ifp, m); 1264 if_put(brifp); 1265 return; 1266 1267 reenqueue: 1268 bridge_ifinput(ifp, m); 1269 m = NULL; 1270 bad: 1271 m_freem(m); 1272 if_put(brifp); 1273 } 1274 1275 /* 1276 * Send a frame to all interfaces that are members of the bridge 1277 * (except the one it came in on). 1278 */ 1279 void 1280 bridge_broadcast(struct bridge_softc *sc, struct ifnet *ifp, 1281 struct ether_header *eh, struct mbuf *m) 1282 { 1283 struct bridge_iflist *bif; 1284 struct mbuf *mc; 1285 struct ifnet *dst_if; 1286 int len, used = 0; 1287 u_int32_t protected; 1288 1289 bif = bridge_getbif(ifp); 1290 KASSERT(bif != NULL); 1291 protected = bif->bif_protected; 1292 1293 SMR_SLIST_FOREACH_LOCKED(bif, &sc->sc_iflist, bif_next) { 1294 dst_if = bif->ifp; 1295 1296 if ((dst_if->if_flags & IFF_RUNNING) == 0) 1297 continue; 1298 1299 if ((bif->bif_flags & IFBIF_STP) && 1300 (bif->bif_state == BSTP_IFSTATE_DISCARDING)) 1301 continue; 1302 1303 if ((bif->bif_flags & IFBIF_DISCOVER) == 0 && 1304 (m->m_flags & (M_BCAST | M_MCAST)) == 0) 1305 continue; 1306 1307 /* Drop non-IP frames if the appropriate flag is set. */ 1308 if (bif->bif_flags & IFBIF_BLOCKNONIP && 1309 bridge_blocknonip(eh, m)) 1310 continue; 1311 1312 /* 1313 * Do not transmit if both ports are part of the same 1314 * protected domain. 1315 */ 1316 if (protected != 0 && (protected & bif->bif_protected)) 1317 continue; 1318 1319 if (bridge_filterrule(&bif->bif_brlout, eh, m) == 1320 BRL_ACTION_BLOCK) 1321 continue; 1322 1323 /* 1324 * Don't retransmit out of the same interface where 1325 * the packet was received from. 1326 */ 1327 if (dst_if->if_index == ifp->if_index) 1328 continue; 1329 1330 if (bridge_localbroadcast(dst_if, eh, m)) 1331 sc->sc_if.if_oerrors++; 1332 1333 /* If last one, reuse the passed-in mbuf */ 1334 if (SMR_SLIST_NEXT_LOCKED(bif, bif_next) == NULL) { 1335 mc = m; 1336 used = 1; 1337 } else { 1338 mc = m_dup_pkt(m, ETHER_ALIGN, M_NOWAIT); 1339 if (mc == NULL) { 1340 sc->sc_if.if_oerrors++; 1341 continue; 1342 } 1343 } 1344 1345 mc = bridge_ip(&sc->sc_if, BRIDGE_OUT, dst_if, eh, mc); 1346 if (mc == NULL) 1347 continue; 1348 1349 len = mc->m_pkthdr.len; 1350 #if NVLAN > 0 1351 if ((mc->m_flags & M_VLANTAG) && 1352 (dst_if->if_capabilities & IFCAP_VLAN_HWTAGGING) == 0) 1353 len += ETHER_VLAN_ENCAP_LEN; 1354 #endif 1355 if ((len - ETHER_HDR_LEN) > dst_if->if_mtu) 1356 bridge_fragment(&sc->sc_if, dst_if, eh, mc); 1357 else { 1358 bridge_ifenqueue(&sc->sc_if, dst_if, mc); 1359 } 1360 } 1361 1362 if (!used) 1363 m_freem(m); 1364 } 1365 1366 int 1367 bridge_localbroadcast(struct ifnet *ifp, struct ether_header *eh, 1368 struct mbuf *m) 1369 { 1370 struct mbuf *m1; 1371 u_int16_t etype; 1372 1373 /* 1374 * quick optimisation, don't send packets up the stack if no 1375 * corresponding address has been specified. 1376 */ 1377 etype = ntohs(eh->ether_type); 1378 if (!(m->m_flags & M_VLANTAG) && etype == ETHERTYPE_IP) { 1379 struct ifaddr *ifa; 1380 TAILQ_FOREACH(ifa, &ifp->if_addrlist, ifa_list) { 1381 if (ifa->ifa_addr->sa_family == AF_INET) 1382 break; 1383 } 1384 if (ifa == NULL) 1385 return (0); 1386 } 1387 1388 m1 = m_dup_pkt(m, ETHER_ALIGN, M_NOWAIT); 1389 if (m1 == NULL) 1390 return (1); 1391 1392 #if NPF > 0 1393 pf_pkt_addr_changed(m1); 1394 #endif /* NPF */ 1395 1396 bridge_ifinput(ifp, m1); 1397 1398 return (0); 1399 } 1400 1401 void 1402 bridge_span(struct ifnet *brifp, struct mbuf *m) 1403 { 1404 struct bridge_softc *sc = brifp->if_softc; 1405 struct bridge_iflist *bif; 1406 struct ifnet *ifp; 1407 struct mbuf *mc; 1408 int error; 1409 1410 smr_read_enter(); 1411 SMR_SLIST_FOREACH(bif, &sc->sc_spanlist, bif_next) { 1412 ifp = bif->ifp; 1413 1414 if ((ifp->if_flags & IFF_RUNNING) == 0) 1415 continue; 1416 1417 mc = m_copym(m, 0, M_COPYALL, M_DONTWAIT); 1418 if (mc == NULL) { 1419 brifp->if_oerrors++; 1420 continue; 1421 } 1422 1423 error = bridge_ifenqueue(brifp, ifp, mc); 1424 if (error) 1425 continue; 1426 } 1427 smr_read_leave(); 1428 } 1429 1430 /* 1431 * Block non-ip frames: 1432 * Returns 0 if frame is ip, and 1 if it should be dropped. 1433 */ 1434 int 1435 bridge_blocknonip(struct ether_header *eh, struct mbuf *m) 1436 { 1437 struct llc llc; 1438 u_int16_t etype; 1439 1440 if (m->m_pkthdr.len < ETHER_HDR_LEN) 1441 return (1); 1442 1443 #if NVLAN > 0 1444 if (m->m_flags & M_VLANTAG) 1445 return (1); 1446 #endif 1447 1448 etype = ntohs(eh->ether_type); 1449 switch (etype) { 1450 case ETHERTYPE_ARP: 1451 case ETHERTYPE_REVARP: 1452 case ETHERTYPE_IP: 1453 case ETHERTYPE_IPV6: 1454 return (0); 1455 } 1456 1457 if (etype > ETHERMTU) 1458 return (1); 1459 1460 if (m->m_pkthdr.len < 1461 (ETHER_HDR_LEN + LLC_SNAPFRAMELEN)) 1462 return (1); 1463 1464 m_copydata(m, ETHER_HDR_LEN, LLC_SNAPFRAMELEN, &llc); 1465 1466 etype = ntohs(llc.llc_snap.ether_type); 1467 if (llc.llc_dsap == LLC_SNAP_LSAP && 1468 llc.llc_ssap == LLC_SNAP_LSAP && 1469 llc.llc_control == LLC_UI && 1470 llc.llc_snap.org_code[0] == 0 && 1471 llc.llc_snap.org_code[1] == 0 && 1472 llc.llc_snap.org_code[2] == 0 && 1473 (etype == ETHERTYPE_ARP || etype == ETHERTYPE_REVARP || 1474 etype == ETHERTYPE_IP || etype == ETHERTYPE_IPV6)) { 1475 return (0); 1476 } 1477 1478 return (1); 1479 } 1480 1481 #ifdef IPSEC 1482 int 1483 bridge_ipsec(struct ifnet *ifp, struct ether_header *eh, int hassnap, 1484 struct llc *llc, int dir, int af, int hlen, struct mbuf *m) 1485 { 1486 union sockaddr_union dst; 1487 struct tdb *tdb; 1488 u_int32_t spi; 1489 u_int16_t cpi; 1490 int error, off; 1491 u_int8_t proto = 0; 1492 struct ip *ip; 1493 #ifdef INET6 1494 struct ip6_hdr *ip6; 1495 #endif /* INET6 */ 1496 #if NPF > 0 1497 struct ifnet *encif; 1498 #endif 1499 1500 if (dir == BRIDGE_IN) { 1501 switch (af) { 1502 case AF_INET: 1503 if (m->m_pkthdr.len - hlen < 2 * sizeof(u_int32_t)) 1504 goto skiplookup; 1505 1506 ip = mtod(m, struct ip *); 1507 proto = ip->ip_p; 1508 off = offsetof(struct ip, ip_p); 1509 1510 if (proto != IPPROTO_ESP && proto != IPPROTO_AH && 1511 proto != IPPROTO_IPCOMP) 1512 goto skiplookup; 1513 1514 bzero(&dst, sizeof(union sockaddr_union)); 1515 dst.sa.sa_family = AF_INET; 1516 dst.sin.sin_len = sizeof(struct sockaddr_in); 1517 m_copydata(m, offsetof(struct ip, ip_dst), 1518 sizeof(struct in_addr), &dst.sin.sin_addr); 1519 1520 break; 1521 #ifdef INET6 1522 case AF_INET6: 1523 if (m->m_pkthdr.len - hlen < 2 * sizeof(u_int32_t)) 1524 goto skiplookup; 1525 1526 ip6 = mtod(m, struct ip6_hdr *); 1527 1528 /* XXX We should chase down the header chain */ 1529 proto = ip6->ip6_nxt; 1530 off = offsetof(struct ip6_hdr, ip6_nxt); 1531 1532 if (proto != IPPROTO_ESP && proto != IPPROTO_AH && 1533 proto != IPPROTO_IPCOMP) 1534 goto skiplookup; 1535 1536 bzero(&dst, sizeof(union sockaddr_union)); 1537 dst.sa.sa_family = AF_INET6; 1538 dst.sin6.sin6_len = sizeof(struct sockaddr_in6); 1539 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst), 1540 sizeof(struct in6_addr), &dst.sin6.sin6_addr); 1541 1542 break; 1543 #endif /* INET6 */ 1544 default: 1545 return (0); 1546 } 1547 1548 switch (proto) { 1549 case IPPROTO_ESP: 1550 m_copydata(m, hlen, sizeof(u_int32_t), &spi); 1551 break; 1552 case IPPROTO_AH: 1553 m_copydata(m, hlen + sizeof(u_int32_t), 1554 sizeof(u_int32_t), &spi); 1555 break; 1556 case IPPROTO_IPCOMP: 1557 m_copydata(m, hlen + sizeof(u_int16_t), 1558 sizeof(u_int16_t), &cpi); 1559 spi = htonl(ntohs(cpi)); 1560 break; 1561 } 1562 1563 NET_ASSERT_LOCKED(); 1564 1565 tdb = gettdb(ifp->if_rdomain, spi, &dst, proto); 1566 if (tdb != NULL && (tdb->tdb_flags & TDBF_INVALID) == 0 && 1567 tdb->tdb_xform != NULL) { 1568 if (tdb->tdb_first_use == 0) { 1569 tdb->tdb_first_use = gettime(); 1570 if (tdb->tdb_flags & TDBF_FIRSTUSE) 1571 timeout_add_sec(&tdb->tdb_first_tmo, 1572 tdb->tdb_exp_first_use); 1573 if (tdb->tdb_flags & TDBF_SOFT_FIRSTUSE) 1574 timeout_add_sec(&tdb->tdb_sfirst_tmo, 1575 tdb->tdb_soft_first_use); 1576 } 1577 1578 (*(tdb->tdb_xform->xf_input))(m, tdb, hlen, off); 1579 return (1); 1580 } else { 1581 skiplookup: 1582 /* XXX do an input policy lookup */ 1583 return (0); 1584 } 1585 } else { /* Outgoing from the bridge. */ 1586 tdb = ipsp_spd_lookup(m, af, hlen, &error, 1587 IPSP_DIRECTION_OUT, NULL, NULL, 0); 1588 if (tdb != NULL) { 1589 /* 1590 * We don't need to do loop detection, the 1591 * bridge will do that for us. 1592 */ 1593 #if NPF > 0 1594 if ((encif = enc_getif(tdb->tdb_rdomain, 1595 tdb->tdb_tap)) == NULL || 1596 pf_test(af, dir, encif, &m) != PF_PASS) { 1597 m_freem(m); 1598 return (1); 1599 } 1600 if (m == NULL) 1601 return (1); 1602 else if (af == AF_INET) 1603 in_proto_cksum_out(m, encif); 1604 #ifdef INET6 1605 else if (af == AF_INET6) 1606 in6_proto_cksum_out(m, encif); 1607 #endif /* INET6 */ 1608 #endif /* NPF */ 1609 1610 ip = mtod(m, struct ip *); 1611 if ((af == AF_INET) && 1612 ip_mtudisc && (ip->ip_off & htons(IP_DF)) && 1613 tdb->tdb_mtu && ntohs(ip->ip_len) > tdb->tdb_mtu && 1614 tdb->tdb_mtutimeout > gettime()) 1615 bridge_send_icmp_err(ifp, eh, m, 1616 hassnap, llc, tdb->tdb_mtu, 1617 ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG); 1618 else 1619 error = ipsp_process_packet(m, tdb, af, 0); 1620 return (1); 1621 } else 1622 return (0); 1623 } 1624 1625 return (0); 1626 } 1627 #endif /* IPSEC */ 1628 1629 /* 1630 * Filter IP packets by peeking into the ethernet frame. This violates 1631 * the ISO model, but allows us to act as a IP filter at the data link 1632 * layer. As a result, most of this code will look familiar to those 1633 * who've read net/if_ethersubr.c and netinet/ip_input.c 1634 */ 1635 struct mbuf * 1636 bridge_ip(struct ifnet *brifp, int dir, struct ifnet *ifp, 1637 struct ether_header *eh, struct mbuf *m) 1638 { 1639 struct llc llc; 1640 int hassnap = 0; 1641 struct ip *ip; 1642 int hlen; 1643 u_int16_t etype; 1644 1645 #if NVLAN > 0 1646 if (m->m_flags & M_VLANTAG) 1647 return (m); 1648 #endif 1649 1650 etype = ntohs(eh->ether_type); 1651 1652 if (etype != ETHERTYPE_IP && etype != ETHERTYPE_IPV6) { 1653 if (etype > ETHERMTU || 1654 m->m_pkthdr.len < (LLC_SNAPFRAMELEN + 1655 ETHER_HDR_LEN)) 1656 return (m); 1657 1658 m_copydata(m, ETHER_HDR_LEN, LLC_SNAPFRAMELEN, &llc); 1659 1660 if (llc.llc_dsap != LLC_SNAP_LSAP || 1661 llc.llc_ssap != LLC_SNAP_LSAP || 1662 llc.llc_control != LLC_UI || 1663 llc.llc_snap.org_code[0] || 1664 llc.llc_snap.org_code[1] || 1665 llc.llc_snap.org_code[2]) 1666 return (m); 1667 1668 etype = ntohs(llc.llc_snap.ether_type); 1669 if (etype != ETHERTYPE_IP && etype != ETHERTYPE_IPV6) 1670 return (m); 1671 hassnap = 1; 1672 } 1673 1674 m_adj(m, ETHER_HDR_LEN); 1675 if (hassnap) 1676 m_adj(m, LLC_SNAPFRAMELEN); 1677 1678 switch (etype) { 1679 1680 case ETHERTYPE_IP: 1681 m = ipv4_check(ifp, m); 1682 if (m == NULL) 1683 return (NULL); 1684 1685 ip = mtod(m, struct ip *); 1686 hlen = ip->ip_hl << 2; 1687 1688 #ifdef IPSEC 1689 if ((brifp->if_flags & IFF_LINK2) == IFF_LINK2 && 1690 bridge_ipsec(ifp, eh, hassnap, &llc, dir, AF_INET, hlen, m)) 1691 return (NULL); 1692 #endif /* IPSEC */ 1693 #if NPF > 0 1694 /* Finally, we get to filter the packet! */ 1695 if (pf_test(AF_INET, dir, ifp, &m) != PF_PASS) 1696 goto dropit; 1697 if (m == NULL) 1698 goto dropit; 1699 #endif /* NPF > 0 */ 1700 1701 /* Rebuild the IP header */ 1702 if (m->m_len < hlen && ((m = m_pullup(m, hlen)) == NULL)) 1703 return (NULL); 1704 if (m->m_len < sizeof(struct ip)) 1705 goto dropit; 1706 in_proto_cksum_out(m, ifp); 1707 ip = mtod(m, struct ip *); 1708 ip->ip_sum = 0; 1709 if (0 && (ifp->if_capabilities & IFCAP_CSUM_IPv4)) 1710 m->m_pkthdr.csum_flags |= M_IPV4_CSUM_OUT; 1711 else { 1712 ipstat_inc(ips_outswcsum); 1713 ip->ip_sum = in_cksum(m, hlen); 1714 } 1715 1716 #if NPF > 0 1717 if (dir == BRIDGE_IN && 1718 m->m_pkthdr.pf.flags & PF_TAG_DIVERTED) { 1719 m_resethdr(m); 1720 m->m_pkthdr.ph_ifidx = ifp->if_index; 1721 m->m_pkthdr.ph_rtableid = ifp->if_rdomain; 1722 ipv4_input(ifp, m); 1723 return (NULL); 1724 } 1725 #endif /* NPF > 0 */ 1726 1727 break; 1728 1729 #ifdef INET6 1730 case ETHERTYPE_IPV6: 1731 m = ipv6_check(ifp, m); 1732 if (m == NULL) 1733 return (NULL); 1734 1735 #ifdef IPSEC 1736 hlen = sizeof(struct ip6_hdr); 1737 1738 if ((brifp->if_flags & IFF_LINK2) == IFF_LINK2 && 1739 bridge_ipsec(ifp, eh, hassnap, &llc, dir, AF_INET6, hlen, 1740 m)) 1741 return (NULL); 1742 #endif /* IPSEC */ 1743 1744 #if NPF > 0 1745 if (pf_test(AF_INET6, dir, ifp, &m) != PF_PASS) 1746 goto dropit; 1747 if (m == NULL) 1748 return (NULL); 1749 #endif /* NPF > 0 */ 1750 in6_proto_cksum_out(m, ifp); 1751 1752 #if NPF > 0 1753 if (dir == BRIDGE_IN && 1754 m->m_pkthdr.pf.flags & PF_TAG_DIVERTED) { 1755 m_resethdr(m); 1756 m->m_pkthdr.ph_ifidx = ifp->if_index; 1757 m->m_pkthdr.ph_rtableid = ifp->if_rdomain; 1758 ipv6_input(ifp, m); 1759 return (NULL); 1760 } 1761 #endif /* NPF > 0 */ 1762 1763 break; 1764 #endif /* INET6 */ 1765 1766 default: 1767 goto dropit; 1768 break; 1769 } 1770 1771 /* Reattach SNAP header */ 1772 if (hassnap) { 1773 M_PREPEND(m, LLC_SNAPFRAMELEN, M_DONTWAIT); 1774 if (m == NULL) 1775 goto dropit; 1776 bcopy(&llc, mtod(m, caddr_t), LLC_SNAPFRAMELEN); 1777 } 1778 1779 /* Reattach ethernet header */ 1780 M_PREPEND(m, sizeof(*eh), M_DONTWAIT); 1781 if (m == NULL) 1782 goto dropit; 1783 bcopy(eh, mtod(m, caddr_t), sizeof(*eh)); 1784 1785 return (m); 1786 1787 dropit: 1788 m_freem(m); 1789 return (NULL); 1790 } 1791 1792 void 1793 bridge_fragment(struct ifnet *brifp, struct ifnet *ifp, struct ether_header *eh, 1794 struct mbuf *m) 1795 { 1796 struct llc llc; 1797 struct mbuf_list fml; 1798 int error = 0; 1799 int hassnap = 0; 1800 u_int16_t etype; 1801 struct ip *ip; 1802 1803 etype = ntohs(eh->ether_type); 1804 #if NVLAN > 0 1805 if ((m->m_flags & M_VLANTAG) || etype == ETHERTYPE_VLAN || 1806 etype == ETHERTYPE_QINQ) { 1807 int len = m->m_pkthdr.len; 1808 1809 if (m->m_flags & M_VLANTAG) 1810 len += ETHER_VLAN_ENCAP_LEN; 1811 if ((ifp->if_capabilities & IFCAP_VLAN_MTU) && 1812 (len - sizeof(struct ether_vlan_header) <= ifp->if_mtu)) { 1813 bridge_ifenqueue(brifp, ifp, m); 1814 return; 1815 } 1816 goto dropit; 1817 } 1818 #endif 1819 if (etype != ETHERTYPE_IP) { 1820 if (etype > ETHERMTU || 1821 m->m_pkthdr.len < (LLC_SNAPFRAMELEN + 1822 ETHER_HDR_LEN)) 1823 goto dropit; 1824 1825 m_copydata(m, ETHER_HDR_LEN, LLC_SNAPFRAMELEN, &llc); 1826 1827 if (llc.llc_dsap != LLC_SNAP_LSAP || 1828 llc.llc_ssap != LLC_SNAP_LSAP || 1829 llc.llc_control != LLC_UI || 1830 llc.llc_snap.org_code[0] || 1831 llc.llc_snap.org_code[1] || 1832 llc.llc_snap.org_code[2] || 1833 llc.llc_snap.ether_type != htons(ETHERTYPE_IP)) 1834 goto dropit; 1835 1836 hassnap = 1; 1837 } 1838 1839 m_adj(m, ETHER_HDR_LEN); 1840 if (hassnap) 1841 m_adj(m, LLC_SNAPFRAMELEN); 1842 1843 if (m->m_len < sizeof(struct ip) && 1844 (m = m_pullup(m, sizeof(struct ip))) == NULL) 1845 goto dropit; 1846 ip = mtod(m, struct ip *); 1847 1848 /* Respect IP_DF, return a ICMP_UNREACH_NEEDFRAG. */ 1849 if (ip->ip_off & htons(IP_DF)) { 1850 bridge_send_icmp_err(ifp, eh, m, hassnap, &llc, 1851 ifp->if_mtu, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG); 1852 return; 1853 } 1854 1855 error = ip_fragment(m, &fml, ifp, ifp->if_mtu); 1856 if (error) 1857 return; 1858 1859 while ((m = ml_dequeue(&fml)) != NULL) { 1860 if (hassnap) { 1861 M_PREPEND(m, LLC_SNAPFRAMELEN, M_DONTWAIT); 1862 if (m == NULL) { 1863 error = ENOBUFS; 1864 break; 1865 } 1866 bcopy(&llc, mtod(m, caddr_t), LLC_SNAPFRAMELEN); 1867 } 1868 M_PREPEND(m, sizeof(*eh), M_DONTWAIT); 1869 if (m == NULL) { 1870 error = ENOBUFS; 1871 break; 1872 } 1873 bcopy(eh, mtod(m, caddr_t), sizeof(*eh)); 1874 error = bridge_ifenqueue(brifp, ifp, m); 1875 if (error) 1876 break; 1877 } 1878 if (error) 1879 ml_purge(&fml); 1880 else 1881 ipstat_inc(ips_fragmented); 1882 1883 return; 1884 dropit: 1885 m_freem(m); 1886 } 1887 1888 int 1889 bridge_ifenqueue(struct ifnet *brifp, struct ifnet *ifp, struct mbuf *m) 1890 { 1891 int error, len; 1892 1893 /* Loop prevention. */ 1894 m->m_flags |= M_PROTO1; 1895 1896 len = m->m_pkthdr.len; 1897 1898 error = if_enqueue(ifp, m); 1899 if (error) { 1900 brifp->if_oerrors++; 1901 return (error); 1902 } 1903 1904 brifp->if_opackets++; 1905 brifp->if_obytes += len; 1906 1907 return (0); 1908 } 1909 1910 void 1911 bridge_ifinput(struct ifnet *ifp, struct mbuf *m) 1912 { 1913 struct mbuf_list ml = MBUF_LIST_INITIALIZER(); 1914 1915 m->m_flags |= M_PROTO1; 1916 1917 ml_enqueue(&ml, m); 1918 if_input(ifp, &ml); 1919 } 1920 1921 void 1922 bridge_send_icmp_err(struct ifnet *ifp, 1923 struct ether_header *eh, struct mbuf *n, int hassnap, struct llc *llc, 1924 int mtu, int type, int code) 1925 { 1926 struct ip *ip; 1927 struct icmp *icp; 1928 struct in_addr t; 1929 struct mbuf *m, *n2; 1930 int hlen; 1931 u_int8_t ether_tmp[ETHER_ADDR_LEN]; 1932 1933 n2 = m_copym(n, 0, M_COPYALL, M_DONTWAIT); 1934 if (!n2) { 1935 m_freem(n); 1936 return; 1937 } 1938 m = icmp_do_error(n, type, code, 0, mtu); 1939 if (m == NULL) { 1940 m_freem(n2); 1941 return; 1942 } 1943 1944 n = n2; 1945 1946 ip = mtod(m, struct ip *); 1947 hlen = ip->ip_hl << 2; 1948 t = ip->ip_dst; 1949 ip->ip_dst = ip->ip_src; 1950 ip->ip_src = t; 1951 1952 m->m_data += hlen; 1953 m->m_len -= hlen; 1954 icp = mtod(m, struct icmp *); 1955 icp->icmp_cksum = 0; 1956 icp->icmp_cksum = in_cksum(m, ntohs(ip->ip_len) - hlen); 1957 m->m_data -= hlen; 1958 m->m_len += hlen; 1959 1960 ip->ip_v = IPVERSION; 1961 ip->ip_off &= htons(IP_DF); 1962 ip->ip_id = htons(ip_randomid()); 1963 ip->ip_ttl = MAXTTL; 1964 ip->ip_sum = 0; 1965 ip->ip_sum = in_cksum(m, hlen); 1966 1967 /* Swap ethernet addresses */ 1968 bcopy(&eh->ether_dhost, ðer_tmp, sizeof(ether_tmp)); 1969 bcopy(&eh->ether_shost, &eh->ether_dhost, sizeof(ether_tmp)); 1970 bcopy(ðer_tmp, &eh->ether_shost, sizeof(ether_tmp)); 1971 1972 /* Reattach SNAP header */ 1973 if (hassnap) { 1974 M_PREPEND(m, LLC_SNAPFRAMELEN, M_DONTWAIT); 1975 if (m == NULL) 1976 goto dropit; 1977 bcopy(llc, mtod(m, caddr_t), LLC_SNAPFRAMELEN); 1978 } 1979 1980 /* Reattach ethernet header */ 1981 M_PREPEND(m, sizeof(*eh), M_DONTWAIT); 1982 if (m == NULL) 1983 goto dropit; 1984 bcopy(eh, mtod(m, caddr_t), sizeof(*eh)); 1985 1986 bridge_enqueue(ifp, m); 1987 m_freem(n); 1988 return; 1989 1990 dropit: 1991 m_freem(n); 1992 } 1993 1994 void 1995 bridge_take(void *unused) 1996 { 1997 return; 1998 } 1999 2000 void 2001 bridge_rele(void *unused) 2002 { 2003 return; 2004 } 2005