1 /* $OpenBSD: ip_ipip.c,v 1.43 2009/06/05 00:05:22 claudio Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * The original version of this code was written by John Ioannidis 8 * for BSD/OS in Athens, Greece, in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001, Angelos D. Keromytis. 21 * 22 * Permission to use, copy, and modify this software with or without fee 23 * is hereby granted, provided that this entire notice is included in 24 * all copies of any software which is or includes a copy or 25 * modification of this software. 26 * You may use this code under the GNU public license if you so wish. Please 27 * contribute changes back to the authors under this freer than GPL license 28 * so that we may further the use of strong encryption without limitations to 29 * all. 30 * 31 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 32 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 33 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 34 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 35 * PURPOSE. 36 */ 37 38 /* 39 * IP-inside-IP processing 40 */ 41 42 #include "pf.h" 43 44 #include <sys/param.h> 45 #include <sys/systm.h> 46 #include <sys/mbuf.h> 47 #include <sys/socket.h> 48 #include <sys/sysctl.h> 49 50 #include <net/if.h> 51 #include <net/route.h> 52 #include <net/netisr.h> 53 #include <net/bpf.h> 54 55 #include <netinet/in.h> 56 #include <netinet/in_systm.h> 57 #include <netinet/ip.h> 58 #include <netinet/in_pcb.h> 59 #include <netinet/in_var.h> 60 #include <netinet/ip_var.h> 61 #include <netinet/ip_ecn.h> 62 63 #ifdef MROUTING 64 #include <netinet/ip_mroute.h> 65 #endif 66 67 #include <netinet/ip_ipsp.h> 68 #include <netinet/ip_ipip.h> 69 70 #include "bpfilter.h" 71 72 #if NPF > 0 73 #include <net/pfvar.h> 74 #endif 75 76 #ifdef ENCDEBUG 77 #define DPRINTF(x) if (encdebug) printf x 78 #else 79 #define DPRINTF(x) 80 #endif 81 82 /* 83 * We can control the acceptance of IP4 packets by altering the sysctl 84 * net.inet.ipip.allow value. Zero means drop them, all else is acceptance. 85 */ 86 int ipip_allow = 0; 87 88 struct ipipstat ipipstat; 89 90 #ifdef INET6 91 /* 92 * Really only a wrapper for ipip_input(), for use with IPv6. 93 */ 94 int 95 ip4_input6(struct mbuf **m, int *offp, int proto) 96 { 97 /* If we do not accept IP-in-IP explicitly, drop. */ 98 if (!ipip_allow && ((*m)->m_flags & (M_AUTH|M_CONF)) == 0) { 99 DPRINTF(("ip4_input6(): dropped due to policy\n")); 100 ipipstat.ipips_pdrops++; 101 m_freem(*m); 102 return IPPROTO_DONE; 103 } 104 105 ipip_input(*m, *offp, NULL); 106 return IPPROTO_DONE; 107 } 108 #endif /* INET6 */ 109 110 #ifdef INET 111 /* 112 * Really only a wrapper for ipip_input(), for use with IPv4. 113 */ 114 void 115 ip4_input(struct mbuf *m, ...) 116 { 117 va_list ap; 118 int iphlen; 119 120 /* If we do not accept IP-in-IP explicitly, drop. */ 121 if (!ipip_allow && (m->m_flags & (M_AUTH|M_CONF)) == 0) { 122 DPRINTF(("ip4_input(): dropped due to policy\n")); 123 ipipstat.ipips_pdrops++; 124 m_freem(m); 125 return; 126 } 127 128 va_start(ap, m); 129 iphlen = va_arg(ap, int); 130 va_end(ap); 131 132 ipip_input(m, iphlen, NULL); 133 } 134 #endif /* INET */ 135 136 /* 137 * ipip_input gets called when we receive an IP{46} encapsulated packet, 138 * either because we got it at a real interface, or because AH or ESP 139 * were being used in tunnel mode (in which case the rcvif element will 140 * contain the address of the encX interface associated with the tunnel. 141 */ 142 143 void 144 ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) 145 { 146 struct sockaddr_in *sin; 147 struct ifnet *ifp; 148 struct ifaddr *ifa; 149 struct ifqueue *ifq = NULL; 150 struct ip *ipo; 151 #ifdef INET6 152 struct sockaddr_in6 *sin6; 153 struct ip6_hdr *ip6 = NULL; 154 u_int8_t itos; 155 #endif 156 u_int8_t nxt; 157 int isr; 158 u_int8_t otos; 159 u_int8_t v; 160 int hlen, s; 161 162 ipipstat.ipips_ipackets++; 163 164 m_copydata(m, 0, 1, &v); 165 166 switch (v >> 4) { 167 #ifdef INET 168 case 4: 169 hlen = sizeof(struct ip); 170 break; 171 #endif /* INET */ 172 #ifdef INET6 173 case 6: 174 hlen = sizeof(struct ip6_hdr); 175 break; 176 #endif 177 default: 178 ipipstat.ipips_family++; 179 m_freem(m); 180 return /* EAFNOSUPPORT */; 181 } 182 183 /* Bring the IP header in the first mbuf, if not there already */ 184 if (m->m_len < hlen) { 185 if ((m = m_pullup(m, hlen)) == NULL) { 186 DPRINTF(("ipip_input(): m_pullup() failed\n")); 187 ipipstat.ipips_hdrops++; 188 return; 189 } 190 } 191 192 ipo = mtod(m, struct ip *); 193 194 /* Keep outer ecn field. */ 195 switch (v >> 4) { 196 #ifdef INET 197 case 4: 198 otos = ipo->ip_tos; 199 break; 200 #endif /* INET */ 201 #ifdef INET6 202 case 6: 203 otos = (ntohl(mtod(m, struct ip6_hdr *)->ip6_flow) >> 20) & 0xff; 204 break; 205 #endif 206 default: 207 panic("ipip_input: should never reach here"); 208 } 209 210 /* Remove outer IP header */ 211 m_adj(m, iphlen); 212 213 /* Sanity check */ 214 if (m->m_pkthdr.len < sizeof(struct ip)) { 215 ipipstat.ipips_hdrops++; 216 m_freem(m); 217 return; 218 } 219 220 m_copydata(m, 0, 1, &v); 221 222 switch (v >> 4) { 223 #ifdef INET 224 case 4: 225 hlen = sizeof(struct ip); 226 break; 227 #endif /* INET */ 228 229 #ifdef INET6 230 case 6: 231 hlen = sizeof(struct ip6_hdr); 232 break; 233 #endif 234 default: 235 ipipstat.ipips_family++; 236 m_freem(m); 237 return; /* EAFNOSUPPORT */ 238 } 239 240 /* 241 * Bring the inner IP header in the first mbuf, if not there already. 242 */ 243 if (m->m_len < hlen) { 244 if ((m = m_pullup(m, hlen)) == NULL) { 245 DPRINTF(("ipip_input(): m_pullup() failed\n")); 246 ipipstat.ipips_hdrops++; 247 return; 248 } 249 } 250 251 /* 252 * RFC 1853 specifies that the inner TTL should not be touched on 253 * decapsulation. There's no reason this comment should be here, but 254 * this is as good as any a position. 255 */ 256 257 /* Some sanity checks in the inner IP header */ 258 switch (v >> 4) { 259 #ifdef INET 260 case 4: 261 ipo = mtod(m, struct ip *); 262 nxt = ipo->ip_p; 263 if (!ip_ecn_egress(ECN_ALLOWED, &otos, &ipo->ip_tos)) { 264 m_freem(m); 265 return; 266 } 267 break; 268 #endif /* INET */ 269 #ifdef INET6 270 case 6: 271 ip6 = (struct ip6_hdr *) ipo; 272 nxt = ip6->ip6_nxt; 273 itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; 274 if (!ip_ecn_egress(ECN_ALLOWED, &otos, &itos)) { 275 m_freem(m); 276 return; 277 } 278 ip6->ip6_flow &= ~htonl(0xff << 20); 279 ip6->ip6_flow |= htonl((u_int32_t) itos << 20); 280 break; 281 #endif 282 default: 283 panic("ipip_input: should never reach here"); 284 } 285 286 /* Check for local address spoofing. */ 287 if ((m->m_pkthdr.rcvif == NULL || 288 !(m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK)) && 289 ipip_allow != 2) { 290 TAILQ_FOREACH(ifp, &ifnet, if_list) { 291 if (ifp->if_rdomain != m->m_pkthdr.rdomain) 292 continue; 293 TAILQ_FOREACH(ifa, &ifp->if_addrlist, ifa_list) { 294 #ifdef INET 295 if (ipo) { 296 if (ifa->ifa_addr->sa_family != 297 AF_INET) 298 continue; 299 300 sin = (struct sockaddr_in *) ifa->ifa_addr; 301 302 if (sin->sin_addr.s_addr == 303 ipo->ip_src.s_addr) { 304 ipipstat.ipips_spoof++; 305 m_freem(m); 306 return; 307 } 308 } 309 #endif /* INET */ 310 311 #ifdef INET6 312 if (ip6) { 313 if (ifa->ifa_addr->sa_family != 314 AF_INET6) 315 continue; 316 317 sin6 = (struct sockaddr_in6 *) ifa->ifa_addr; 318 319 if (IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr, &ip6->ip6_src)) { 320 ipipstat.ipips_spoof++; 321 m_freem(m); 322 return; 323 } 324 325 } 326 #endif /* INET6 */ 327 } 328 } 329 } 330 331 /* Statistics */ 332 ipipstat.ipips_ibytes += m->m_pkthdr.len - iphlen; 333 334 /* 335 * Interface pointer stays the same; if no IPsec processing has 336 * been done (or will be done), this will point to a normal 337 * interface. Otherwise, it'll point to an enc interface, which 338 * will allow a packet filter to distinguish between secure and 339 * untrusted packets. 340 */ 341 342 switch (v >> 4) { 343 #ifdef INET 344 case 4: 345 ifq = &ipintrq; 346 isr = NETISR_IP; 347 break; 348 #endif 349 #ifdef INET6 350 case 6: 351 ifq = &ip6intrq; 352 isr = NETISR_IPV6; 353 break; 354 #endif 355 default: 356 panic("ipip_input: should never reach here"); 357 } 358 359 #if NBPFILTER > 0 360 if (gifp && gifp->if_bpf) 361 bpf_mtap_af(gifp->if_bpf, ifq == &ipintrq ? AF_INET : AF_INET6, 362 m, BPF_DIRECTION_IN); 363 #endif 364 #if NPF > 0 365 pf_pkt_addr_changed(m); 366 #endif 367 368 s = splnet(); /* isn't it already? */ 369 if (IF_QFULL(ifq)) { 370 IF_DROP(ifq); 371 m_freem(m); 372 ipipstat.ipips_qfull++; 373 374 splx(s); 375 376 DPRINTF(("ipip_input(): packet dropped because of full " 377 "queue\n")); 378 return; 379 } 380 381 IF_ENQUEUE(ifq, m); 382 schednetisr(isr); 383 splx(s); 384 return; 385 } 386 387 int 388 ipip_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int dummy, 389 int dummy2) 390 { 391 u_int8_t tp, otos; 392 393 #ifdef INET 394 u_int8_t itos; 395 struct ip *ipo; 396 #endif /* INET */ 397 398 #ifdef INET6 399 struct ip6_hdr *ip6, *ip6o; 400 #endif /* INET6 */ 401 402 /* XXX Deal with empty TDB source/destination addresses. */ 403 404 m_copydata(m, 0, 1, &tp); 405 tp = (tp >> 4) & 0xff; /* Get the IP version number. */ 406 407 switch (tdb->tdb_dst.sa.sa_family) { 408 #ifdef INET 409 case AF_INET: 410 if (tdb->tdb_src.sa.sa_family != AF_INET || 411 tdb->tdb_src.sin.sin_addr.s_addr == INADDR_ANY || 412 tdb->tdb_dst.sin.sin_addr.s_addr == INADDR_ANY) { 413 414 DPRINTF(("ipip_output(): unspecified tunnel endpoind " 415 "address in SA %s/%08x\n", 416 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 417 418 ipipstat.ipips_unspec++; 419 m_freem(m); 420 *mp = NULL; 421 return EINVAL; 422 } 423 424 M_PREPEND(m, sizeof(struct ip), M_DONTWAIT); 425 if (m == 0) { 426 DPRINTF(("ipip_output(): M_PREPEND failed\n")); 427 ipipstat.ipips_hdrops++; 428 *mp = NULL; 429 return ENOBUFS; 430 } 431 432 ipo = mtod(m, struct ip *); 433 434 ipo->ip_v = IPVERSION; 435 ipo->ip_hl = 5; 436 ipo->ip_len = htons(m->m_pkthdr.len); 437 ipo->ip_ttl = ip_defttl; 438 ipo->ip_sum = 0; 439 ipo->ip_src = tdb->tdb_src.sin.sin_addr; 440 ipo->ip_dst = tdb->tdb_dst.sin.sin_addr; 441 442 /* 443 * We do the htons() to prevent snoopers from determining our 444 * endianness. 445 */ 446 ipo->ip_id = htons(ip_randomid()); 447 448 /* If the inner protocol is IP... */ 449 if (tp == IPVERSION) { 450 /* Save ECN notification */ 451 m_copydata(m, sizeof(struct ip) + 452 offsetof(struct ip, ip_tos), 453 sizeof(u_int8_t), (caddr_t) &itos); 454 455 ipo->ip_p = IPPROTO_IPIP; 456 457 /* 458 * We should be keeping tunnel soft-state and 459 * send back ICMPs if needed. 460 */ 461 m_copydata(m, sizeof(struct ip) + 462 offsetof(struct ip, ip_off), 463 sizeof(u_int16_t), (caddr_t) &ipo->ip_off); 464 NTOHS(ipo->ip_off); 465 ipo->ip_off &= ~(IP_DF | IP_MF | IP_OFFMASK); 466 HTONS(ipo->ip_off); 467 } 468 #ifdef INET6 469 else if (tp == (IPV6_VERSION >> 4)) { 470 u_int32_t itos32; 471 472 /* Save ECN notification. */ 473 m_copydata(m, sizeof(struct ip) + 474 offsetof(struct ip6_hdr, ip6_flow), 475 sizeof(u_int32_t), (caddr_t) &itos32); 476 itos = ntohl(itos32) >> 20; 477 ipo->ip_p = IPPROTO_IPV6; 478 ipo->ip_off = 0; 479 } 480 #endif /* INET6 */ 481 else { 482 m_freem(m); 483 *mp = NULL; 484 ipipstat.ipips_family++; 485 return EAFNOSUPPORT; 486 } 487 488 otos = 0; 489 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); 490 ipo->ip_tos = otos; 491 break; 492 #endif /* INET */ 493 494 #ifdef INET6 495 case AF_INET6: 496 if (IN6_IS_ADDR_UNSPECIFIED(&tdb->tdb_dst.sin6.sin6_addr) || 497 tdb->tdb_src.sa.sa_family != AF_INET6 || 498 IN6_IS_ADDR_UNSPECIFIED(&tdb->tdb_src.sin6.sin6_addr)) { 499 500 DPRINTF(("ipip_output(): unspecified tunnel endpoind " 501 "address in SA %s/%08x\n", 502 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 503 504 ipipstat.ipips_unspec++; 505 m_freem(m); 506 *mp = NULL; 507 return ENOBUFS; 508 } 509 510 /* If the inner protocol is IPv6, clear link local scope */ 511 if (tp == (IPV6_VERSION >> 4)) { 512 /* scoped address handling */ 513 ip6 = mtod(m, struct ip6_hdr *); 514 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_src)) 515 ip6->ip6_src.s6_addr16[1] = 0; 516 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst)) 517 ip6->ip6_dst.s6_addr16[1] = 0; 518 } 519 520 M_PREPEND(m, sizeof(struct ip6_hdr), M_DONTWAIT); 521 if (m == 0) { 522 DPRINTF(("ipip_output(): M_PREPEND failed\n")); 523 ipipstat.ipips_hdrops++; 524 *mp = NULL; 525 return ENOBUFS; 526 } 527 528 /* Initialize IPv6 header */ 529 ip6o = mtod(m, struct ip6_hdr *); 530 ip6o->ip6_flow = 0; 531 ip6o->ip6_vfc &= ~IPV6_VERSION_MASK; 532 ip6o->ip6_vfc |= IPV6_VERSION; 533 ip6o->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6o)); 534 ip6o->ip6_hlim = ip_defttl; 535 in6_embedscope(&ip6o->ip6_src, &tdb->tdb_src.sin6, NULL, NULL); 536 in6_embedscope(&ip6o->ip6_dst, &tdb->tdb_dst.sin6, NULL, NULL); 537 538 #ifdef INET 539 if (tp == IPVERSION) { 540 /* Save ECN notification */ 541 m_copydata(m, sizeof(struct ip6_hdr) + 542 offsetof(struct ip, ip_tos), sizeof(u_int8_t), 543 (caddr_t) &itos); 544 545 /* This is really IPVERSION. */ 546 ip6o->ip6_nxt = IPPROTO_IPIP; 547 } 548 else 549 #endif /* INET */ 550 if (tp == (IPV6_VERSION >> 4)) { 551 u_int32_t itos32; 552 553 /* Save ECN notification. */ 554 m_copydata(m, sizeof(struct ip6_hdr) + 555 offsetof(struct ip6_hdr, ip6_flow), 556 sizeof(u_int32_t), (caddr_t) &itos32); 557 itos = ntohl(itos32) >> 20; 558 559 ip6o->ip6_nxt = IPPROTO_IPV6; 560 } else { 561 m_freem(m); 562 *mp = NULL; 563 ipipstat.ipips_family++; 564 return EAFNOSUPPORT; 565 } 566 567 otos = 0; 568 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); 569 ip6o->ip6_flow |= htonl((u_int32_t) otos << 20); 570 break; 571 #endif /* INET6 */ 572 573 default: 574 DPRINTF(("ipip_output(): unsupported protocol family %d\n", 575 tdb->tdb_dst.sa.sa_family)); 576 m_freem(m); 577 *mp = NULL; 578 ipipstat.ipips_family++; 579 return EAFNOSUPPORT; 580 } 581 582 ipipstat.ipips_opackets++; 583 *mp = m; 584 585 #ifdef INET 586 if (tdb->tdb_dst.sa.sa_family == AF_INET) { 587 if (tdb->tdb_xform->xf_type == XF_IP4) 588 tdb->tdb_cur_bytes += 589 m->m_pkthdr.len - sizeof(struct ip); 590 591 ipipstat.ipips_obytes += m->m_pkthdr.len - sizeof(struct ip); 592 } 593 #endif /* INET */ 594 595 #ifdef INET6 596 if (tdb->tdb_dst.sa.sa_family == AF_INET6) { 597 if (tdb->tdb_xform->xf_type == XF_IP4) 598 tdb->tdb_cur_bytes += 599 m->m_pkthdr.len - sizeof(struct ip6_hdr); 600 601 ipipstat.ipips_obytes += 602 m->m_pkthdr.len - sizeof(struct ip6_hdr); 603 } 604 #endif /* INET6 */ 605 606 return 0; 607 } 608 609 #ifdef IPSEC 610 int 611 ipe4_attach() 612 { 613 return 0; 614 } 615 616 int 617 ipe4_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii) 618 { 619 tdbp->tdb_xform = xsp; 620 return 0; 621 } 622 623 int 624 ipe4_zeroize(struct tdb *tdbp) 625 { 626 return 0; 627 } 628 629 void 630 ipe4_input(struct mbuf *m, ...) 631 { 632 /* This is a rather serious mistake, so no conditional printing. */ 633 printf("ipe4_input(): should never be called\n"); 634 if (m) 635 m_freem(m); 636 } 637 #endif /* IPSEC */ 638 639 int 640 ipip_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 641 size_t newlen) 642 { 643 /* All sysctl names at this level are terminal. */ 644 if (namelen != 1) 645 return (ENOTDIR); 646 647 switch (name[0]) { 648 case IPIPCTL_ALLOW: 649 return (sysctl_int(oldp, oldlenp, newp, newlen, &ipip_allow)); 650 case IPIPCTL_STATS: 651 if (newp != NULL) 652 return (EPERM); 653 return (sysctl_struct(oldp, oldlenp, newp, newlen, 654 &ipipstat, sizeof(ipipstat))); 655 default: 656 return (ENOPROTOOPT); 657 } 658 /* NOTREACHED */ 659 } 660