1 /* $OpenBSD: ip_ipip.c,v 1.21 2001/08/19 06:31:56 angelos Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * The original version of this code was written by John Ioannidis 8 * for BSD/OS in Athens, Greece, in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001, Angelos D. Keromytis. 21 * 22 * Permission to use, copy, and modify this software with or without fee 23 * is hereby granted, provided that this entire notice is included in 24 * all copies of any software which is or includes a copy or 25 * modification of this software. 26 * You may use this code under the GNU public license if you so wish. Please 27 * contribute changes back to the authors under this freer than GPL license 28 * so that we may further the use of strong encryption without limitations to 29 * all. 30 * 31 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 32 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 33 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 34 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 35 * PURPOSE. 36 */ 37 38 /* 39 * IP-inside-IP processing 40 */ 41 42 #include <sys/param.h> 43 #include <sys/systm.h> 44 #include <sys/mbuf.h> 45 #include <sys/socket.h> 46 #include <sys/sysctl.h> 47 48 #include <net/if.h> 49 #include <net/route.h> 50 #include <net/netisr.h> 51 #include <net/bpf.h> 52 53 #include <netinet/in.h> 54 #include <netinet/in_systm.h> 55 #include <netinet/ip.h> 56 #include <netinet/in_pcb.h> 57 #include <netinet/in_var.h> 58 #include <netinet/ip_var.h> 59 #include <netinet/ip_ecn.h> 60 61 #ifdef MROUTING 62 #include <netinet/ip_mroute.h> 63 #endif 64 65 #include <netinet/ip_ipsp.h> 66 #include <netinet/ip_ipip.h> 67 68 #include "bpfilter.h" 69 70 #ifdef ENCDEBUG 71 #define DPRINTF(x) if (encdebug) printf x 72 #else 73 #define DPRINTF(x) 74 #endif 75 76 /* 77 * We can control the acceptance of IP4 packets by altering the sysctl 78 * net.inet.ipip.allow value. Zero means drop them, all else is acceptance. 79 */ 80 int ipip_allow = 0; 81 82 struct ipipstat ipipstat; 83 84 #ifdef INET6 85 /* 86 * Really only a wrapper for ipip_input(), for use with IPv6. 87 */ 88 int 89 ip4_input6(struct mbuf **m, int *offp, int proto) 90 { 91 /* If we do not accept IPv4 explicitly, drop. */ 92 if (!ipip_allow && ((*m)->m_flags & (M_AUTH|M_CONF)) == 0) { 93 DPRINTF(("ip4_input6(): dropped due to policy\n")); 94 ipipstat.ipips_pdrops++; 95 m_freem(*m); 96 return IPPROTO_DONE; 97 } 98 99 ipip_input(*m, *offp, NULL); 100 return IPPROTO_DONE; 101 } 102 #endif /* INET6 */ 103 104 #ifdef INET 105 /* 106 * Really only a wrapper for ipip_input(), for use with IPv4. 107 */ 108 void 109 ip4_input(struct mbuf *m, ...) 110 { 111 va_list ap; 112 int iphlen; 113 114 /* If we do not accept IPv4 explicitly, drop. */ 115 if (!ipip_allow && (m->m_flags & (M_AUTH|M_CONF)) == 0) { 116 DPRINTF(("ip4_input(): dropped due to policy\n")); 117 ipipstat.ipips_pdrops++; 118 m_freem(m); 119 return; 120 } 121 122 va_start(ap, m); 123 iphlen = va_arg(ap, int); 124 va_end(ap); 125 126 ipip_input(m, iphlen, NULL); 127 } 128 #endif /* INET */ 129 130 /* 131 * ipip_input gets called when we receive an IP{46} encapsulated packet, 132 * either because we got it at a real interface, or because AH or ESP 133 * were being used in tunnel mode (in which case the rcvif element will 134 * contain the address of the encX interface associated with the tunnel. 135 */ 136 137 void 138 ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) 139 { 140 register struct sockaddr_in *sin; 141 register struct ifnet *ifp; 142 register struct ifaddr *ifa; 143 struct ifqueue *ifq = NULL; 144 struct ip *ipo; 145 #ifdef INET6 146 register struct sockaddr_in6 *sin6; 147 struct ip6_hdr *ip6 = NULL; 148 u_int8_t itos; 149 #endif 150 u_int8_t nxt; 151 int isr; 152 u_int8_t otos; 153 u_int8_t v; 154 int hlen, s; 155 156 ipipstat.ipips_ipackets++; 157 158 m_copydata(m, 0, 1, &v); 159 160 switch (v >> 4) { 161 #ifdef INET 162 case 4: 163 hlen = sizeof(struct ip); 164 break; 165 #endif /* INET */ 166 167 #ifdef INET6 168 case 6: 169 hlen = sizeof(struct ip6_hdr); 170 break; 171 #endif 172 default: 173 m_freem(m); 174 return /* EAFNOSUPPORT */; 175 } 176 177 /* Bring the IP header in the first mbuf, if not there already */ 178 if (m->m_len < hlen) { 179 if ((m = m_pullup(m, hlen)) == NULL) { 180 DPRINTF(("ipip_input(): m_pullup() failed\n")); 181 ipipstat.ipips_hdrops++; 182 return; 183 } 184 } 185 186 ipo = mtod(m, struct ip *); 187 188 #ifdef MROUTING 189 if (ipo->ip_v == IPVERSION && ipo->ip_p == IPPROTO_IPV4) { 190 if (IN_MULTICAST(((struct ip *)((char *) ipo + iphlen))->ip_dst.s_addr)) { 191 ipip_mroute_input (m, iphlen); 192 return; 193 } 194 } 195 #endif /* MROUTING */ 196 197 /* Keep outer ecn field. */ 198 #ifdef INET 199 if ((v >> 4) == 4) 200 otos = ipo->ip_tos; 201 #endif /* INET */ 202 203 #ifdef INET6 204 if ((v >> 4) == 6) 205 otos = (ntohl(mtod(m, struct ip6_hdr *)->ip6_flow) >> 20) & 0xff; 206 #endif 207 208 /* Remove outer IP header */ 209 m_adj(m, iphlen); 210 211 m_copydata(m, 0, 1, &v); 212 213 switch (v >> 4) { 214 #ifdef INET 215 case 4: 216 hlen = sizeof(struct ip); 217 break; 218 #endif /* INET */ 219 220 #ifdef INET6 221 case 6: 222 hlen = sizeof(struct ip6_hdr); 223 break; 224 #endif 225 } 226 227 /* 228 * Bring the inner IP header in the first mbuf, if not there already. 229 */ 230 if (m->m_len < hlen) { 231 if ((m = m_pullup(m, hlen)) == NULL) { 232 DPRINTF(("ipip_input(): m_pullup() failed\n")); 233 ipipstat.ipips_hdrops++; 234 return; 235 } 236 } 237 238 /* 239 * RFC 1853 specifies that the inner TTL should not be touched on 240 * decapsulation. There's no reason this comment should be here, but 241 * this is as good as any a position. 242 */ 243 244 /* Some sanity checks in the inner IPv4 header */ 245 switch (v >> 4) { 246 #ifdef INET 247 case 4: 248 ipo = mtod(m, struct ip *); 249 nxt = ipo->ip_p; 250 ip_ecn_egress(ECN_ALLOWED, &otos, &ipo->ip_tos); 251 break; 252 #endif /* INET */ 253 254 #ifdef INET6 255 case 6: 256 ip6 = (struct ip6_hdr *) ipo; 257 nxt = ip6->ip6_nxt; 258 itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; 259 ip_ecn_egress(ECN_ALLOWED, &otos, &itos); 260 ip6->ip6_flow &= ~htonl(0xff << 20); 261 ip6->ip6_flow |= htonl((u_int32_t) itos << 20); 262 break; 263 #endif 264 } 265 266 /* Check for local address spoofing. */ 267 if ((m->m_pkthdr.rcvif == NULL || 268 !(m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK)) && 269 ipip_allow != 2) { 270 for (ifp = ifnet.tqh_first; ifp != 0; 271 ifp = ifp->if_list.tqe_next) { 272 for (ifa = ifp->if_addrlist.tqh_first; ifa != 0; 273 ifa = ifa->ifa_list.tqe_next) { 274 #ifdef INET 275 if (ipo) { 276 if (ifa->ifa_addr->sa_family != 277 AF_INET) 278 continue; 279 280 sin = (struct sockaddr_in *) ifa->ifa_addr; 281 282 if (sin->sin_addr.s_addr == 283 ipo->ip_src.s_addr) { 284 ipipstat.ipips_spoof++; 285 m_freem(m); 286 return; 287 } 288 } 289 #endif /* INET */ 290 291 #ifdef INET6 292 if (ip6) { 293 if (ifa->ifa_addr->sa_family != 294 AF_INET6) 295 continue; 296 297 sin6 = (struct sockaddr_in6 *) ifa->ifa_addr; 298 299 if (IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr, &ip6->ip6_src)) { 300 ipipstat.ipips_spoof++; 301 m_freem(m); 302 return; 303 } 304 305 } 306 #endif /* INET6 */ 307 } 308 } 309 } 310 311 /* Statistics */ 312 ipipstat.ipips_ibytes += m->m_pkthdr.len - iphlen; 313 314 /* 315 * Interface pointer stays the same; if no IPsec processing has 316 * been done (or will be done), this will point to a normal 317 * interface. Otherwise, it'll point to an enc interface, which 318 * will allow a packet filter to distinguish between secure and 319 * untrusted packets. 320 */ 321 322 #ifdef INET 323 if (ipo) { 324 ifq = &ipintrq; 325 isr = NETISR_IP; 326 } 327 #endif /* INET */ 328 329 #ifdef INET6 330 if (ip6) { 331 ifq = &ip6intrq; 332 isr = NETISR_IPV6; 333 } 334 #endif /* INET6 */ 335 336 #if NBPFILTER > 0 337 if (gifp && gifp->if_bpf) { 338 struct mbuf m0; 339 u_int af; 340 341 if (ipo) 342 af = AF_INET; 343 else 344 af = AF_INET6; 345 346 m0.m_next = m; 347 m0.m_len = 4; 348 m0.m_data = (char *)⁡ 349 350 bpf_mtap(gifp->if_bpf, &m0); 351 } 352 #endif 353 354 s = splimp(); /* isn't it already? */ 355 if (IF_QFULL(ifq)) { 356 IF_DROP(ifq); 357 m_freem(m); 358 ipipstat.ipips_qfull++; 359 360 splx(s); 361 362 DPRINTF(("ipip_input(): packet dropped because of full " 363 "queue\n")); 364 return; 365 } 366 367 IF_ENQUEUE(ifq, m); 368 schednetisr(isr); 369 splx(s); 370 return; 371 } 372 373 int 374 ipip_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, 375 int protoff) 376 { 377 u_int8_t tp, otos; 378 379 #ifdef INET 380 u_int8_t itos; 381 struct ip *ipo; 382 #endif /* INET */ 383 384 #ifdef INET6 385 struct ip6_hdr *ip6, *ip6o; 386 #endif /* INET6 */ 387 388 /* XXX Deal with empty TDB source/destination addresses. */ 389 390 m_copydata(m, 0, 1, &tp); 391 tp = (tp >> 4) & 0xff; /* Get the IP version number. */ 392 393 switch (tdb->tdb_dst.sa.sa_family) { 394 #ifdef INET 395 case AF_INET: 396 if (tdb->tdb_src.sa.sa_family != AF_INET || 397 tdb->tdb_src.sin.sin_addr.s_addr == INADDR_ANY || 398 tdb->tdb_dst.sin.sin_addr.s_addr == INADDR_ANY) { 399 400 DPRINTF(("ipip_output(): unspecified tunnel endpoind " 401 "address in SA %s/%08x\n", 402 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 403 404 ipipstat.ipips_unspec++; 405 m_freem(m); 406 *mp = NULL; 407 return EINVAL; 408 } 409 410 M_PREPEND(m, sizeof(struct ip), M_DONTWAIT); 411 if (m == 0) { 412 DPRINTF(("ipip_output(): M_PREPEND failed\n")); 413 ipipstat.ipips_hdrops++; 414 *mp = NULL; 415 return ENOBUFS; 416 } 417 418 ipo = mtod(m, struct ip *); 419 420 ipo->ip_v = IPVERSION; 421 ipo->ip_hl = 5; 422 ipo->ip_len = htons(m->m_pkthdr.len); 423 ipo->ip_ttl = ip_defttl; 424 ipo->ip_sum = 0; 425 ipo->ip_src = tdb->tdb_src.sin.sin_addr; 426 ipo->ip_dst = tdb->tdb_dst.sin.sin_addr; 427 428 /* 429 * We do the htons() to prevent snoopers from determining our 430 * endianness. 431 */ 432 ipo->ip_id = htons(ip_randomid()); 433 434 /* If the inner protocol is IP... */ 435 if (tp == IPVERSION) { 436 /* Save ECN notification */ 437 m_copydata(m, sizeof(struct ip) + 438 offsetof(struct ip, ip_tos), 439 sizeof(u_int8_t), (caddr_t) &itos); 440 441 ipo->ip_p = IPPROTO_IPIP; 442 443 /* 444 * We should be keeping tunnel soft-state and 445 * send back ICMPs if needed. 446 */ 447 m_copydata(m, sizeof(struct ip) + 448 offsetof(struct ip, ip_off), 449 sizeof(u_int16_t), (caddr_t) &ipo->ip_off); 450 NTOHS(ipo->ip_off); 451 ipo->ip_off &= ~(IP_DF | IP_MF | IP_OFFMASK); 452 HTONS(ipo->ip_off); 453 } 454 #ifdef INET6 455 else if (tp == (IPV6_VERSION >> 4)) { 456 u_int32_t itos32; 457 458 /* Save ECN notification. */ 459 m_copydata(m, sizeof(struct ip) + 460 offsetof(struct ip6_hdr, ip6_flow), 461 sizeof(u_int32_t), (caddr_t) &itos32); 462 itos = ntohl(itos32) >> 20; 463 ipo->ip_p = IPPROTO_IPV6; 464 ipo->ip_off = 0; 465 } 466 #endif /* INET6 */ 467 else { 468 m_freem(m); 469 *mp = NULL; 470 return EAFNOSUPPORT; 471 } 472 473 otos = 0; 474 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); 475 ipo->ip_tos = otos; 476 break; 477 #endif /* INET */ 478 479 #ifdef INET6 480 case AF_INET6: 481 if (IN6_IS_ADDR_UNSPECIFIED(&tdb->tdb_dst.sin6.sin6_addr) || 482 tdb->tdb_src.sa.sa_family != AF_INET6 || 483 IN6_IS_ADDR_UNSPECIFIED(&tdb->tdb_src.sin6.sin6_addr)) { 484 485 DPRINTF(("ipip_output(): unspecified tunnel endpoind " 486 "address in SA %s/%08x\n", 487 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 488 489 ipipstat.ipips_unspec++; 490 m_freem(m); 491 *mp = NULL; 492 return ENOBUFS; 493 } 494 495 /* scoped address handling */ 496 ip6 = mtod(m, struct ip6_hdr *); 497 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) 498 ip6->ip6_src.s6_addr16[1] = 0; 499 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) 500 ip6->ip6_dst.s6_addr16[1] = 0; 501 502 M_PREPEND(m, sizeof(struct ip6_hdr), M_DONTWAIT); 503 if (m == 0) { 504 DPRINTF(("ipip_output(): M_PREPEND failed\n")); 505 ipipstat.ipips_hdrops++; 506 *mp = NULL; 507 return ENOBUFS; 508 } 509 510 /* Initialize IPv6 header */ 511 ip6o = mtod(m, struct ip6_hdr *); 512 ip6o->ip6_flow = 0; 513 ip6o->ip6_vfc &= ~IPV6_VERSION_MASK; 514 ip6o->ip6_vfc |= IPV6_VERSION; 515 ip6o->ip6_plen = htons(m->m_pkthdr.len); 516 ip6o->ip6_hlim = ip_defttl; 517 ip6o->ip6_dst = tdb->tdb_dst.sin6.sin6_addr; 518 ip6o->ip6_src = tdb->tdb_src.sin6.sin6_addr; 519 520 #ifdef INET 521 if (tp == IPVERSION) { 522 /* Save ECN notification */ 523 m_copydata(m, sizeof(struct ip6_hdr) + 524 offsetof(struct ip, ip_tos), sizeof(u_int8_t), 525 (caddr_t) &itos); 526 527 /* This is really IPVERSION. */ 528 ip6o->ip6_nxt = IPPROTO_IPIP; 529 } 530 else 531 #endif /* INET */ 532 if (tp == (IPV6_VERSION >> 4)) { 533 u_int32_t itos32; 534 535 /* Save ECN notification. */ 536 m_copydata(m, sizeof(struct ip6_hdr) + 537 offsetof(struct ip6_hdr, ip6_flow), 538 sizeof(u_int32_t), (caddr_t) &itos32); 539 itos = ntohl(itos32) >> 20; 540 541 ip6o->ip6_nxt = IPPROTO_IPV6; 542 } else { 543 m_freem(m); 544 *mp = NULL; 545 return EAFNOSUPPORT; 546 } 547 548 otos = 0; 549 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); 550 ip6o->ip6_flow |= htonl((u_int32_t) otos << 20); 551 break; 552 #endif /* INET6 */ 553 554 default: 555 DPRINTF(("ipip_output(): unsupported protocol family %d\n", 556 tdb->tdb_dst.sa.sa_family)); 557 m_freem(m); 558 *mp = NULL; 559 ipipstat.ipips_family++; 560 return ENOBUFS; 561 } 562 563 ipipstat.ipips_opackets++; 564 *mp = m; 565 566 #ifdef INET 567 if (tdb->tdb_dst.sa.sa_family == AF_INET) { 568 if (tdb->tdb_xform->xf_type == XF_IP4) 569 tdb->tdb_cur_bytes += 570 m->m_pkthdr.len - sizeof(struct ip); 571 572 ipipstat.ipips_obytes += m->m_pkthdr.len - sizeof(struct ip); 573 } 574 #endif /* INET */ 575 576 #ifdef INET6 577 if (tdb->tdb_dst.sa.sa_family == AF_INET6) { 578 if (tdb->tdb_xform->xf_type == XF_IP4) 579 tdb->tdb_cur_bytes += 580 m->m_pkthdr.len - sizeof(struct ip6_hdr); 581 582 ipipstat.ipips_obytes += 583 m->m_pkthdr.len - sizeof(struct ip6_hdr); 584 } 585 #endif /* INET6 */ 586 587 return 0; 588 } 589 590 #ifdef IPSEC 591 int 592 ipe4_attach() 593 { 594 return 0; 595 } 596 597 int 598 ipe4_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii) 599 { 600 tdbp->tdb_xform = xsp; 601 return 0; 602 } 603 604 int 605 ipe4_zeroize(struct tdb *tdbp) 606 { 607 return 0; 608 } 609 610 void 611 ipe4_input(struct mbuf *m, ...) 612 { 613 /* This is a rather serious mistake, so no conditional printing. */ 614 printf("ipe4_input(): should never be called\n"); 615 if (m) 616 m_freem(m); 617 } 618 #endif /* IPSEC */ 619 620 int 621 ipip_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 622 size_t newlen) 623 { 624 /* All sysctl names at this level are terminal. */ 625 if (namelen != 1) 626 return (ENOTDIR); 627 628 switch (name[0]) { 629 case IPIPCTL_ALLOW: 630 return (sysctl_int(oldp, oldlenp, newp, newlen, &ipip_allow)); 631 default: 632 return (ENOPROTOOPT); 633 } 634 /* NOTREACHED */ 635 } 636