1 /* $OpenBSD: ip_ipip.c,v 1.48 2012/03/15 16:37:11 markus Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * The original version of this code was written by John Ioannidis 8 * for BSD/OS in Athens, Greece, in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001, Angelos D. Keromytis. 21 * 22 * Permission to use, copy, and modify this software with or without fee 23 * is hereby granted, provided that this entire notice is included in 24 * all copies of any software which is or includes a copy or 25 * modification of this software. 26 * You may use this code under the GNU public license if you so wish. Please 27 * contribute changes back to the authors under this freer than GPL license 28 * so that we may further the use of strong encryption without limitations to 29 * all. 30 * 31 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 32 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 33 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 34 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 35 * PURPOSE. 36 */ 37 38 /* 39 * IP-inside-IP processing 40 */ 41 42 #include "pf.h" 43 44 #include <sys/param.h> 45 #include <sys/systm.h> 46 #include <sys/mbuf.h> 47 #include <sys/socket.h> 48 #include <sys/proc.h> 49 #include <sys/sysctl.h> 50 51 #include <net/if.h> 52 #include <net/route.h> 53 #include <net/netisr.h> 54 #include <net/bpf.h> 55 56 #include <netinet/in.h> 57 #include <netinet/in_systm.h> 58 #include <netinet/ip.h> 59 #include <netinet/in_pcb.h> 60 #include <netinet/in_var.h> 61 #include <netinet/ip_var.h> 62 #include <netinet/ip_ecn.h> 63 64 #ifdef MROUTING 65 #include <netinet/ip_mroute.h> 66 #endif 67 68 #include <netinet/ip_ipsp.h> 69 #include <netinet/ip_ipip.h> 70 71 #include "bpfilter.h" 72 73 #if NPF > 0 74 #include <net/pfvar.h> 75 #endif 76 77 #ifdef ENCDEBUG 78 #define DPRINTF(x) if (encdebug) printf x 79 #else 80 #define DPRINTF(x) 81 #endif 82 83 /* 84 * We can control the acceptance of IP4 packets by altering the sysctl 85 * net.inet.ipip.allow value. Zero means drop them, all else is acceptance. 86 */ 87 int ipip_allow = 0; 88 89 struct ipipstat ipipstat; 90 91 #ifdef INET6 92 /* 93 * Really only a wrapper for ipip_input(), for use with IPv6. 94 */ 95 int 96 ip4_input6(struct mbuf **m, int *offp, int proto) 97 { 98 /* If we do not accept IP-in-IP explicitly, drop. */ 99 if (!ipip_allow && ((*m)->m_flags & (M_AUTH|M_CONF)) == 0) { 100 DPRINTF(("ip4_input6(): dropped due to policy\n")); 101 ipipstat.ipips_pdrops++; 102 m_freem(*m); 103 return IPPROTO_DONE; 104 } 105 106 ipip_input(*m, *offp, NULL, proto); 107 return IPPROTO_DONE; 108 } 109 #endif /* INET6 */ 110 111 #ifdef INET 112 /* 113 * Really only a wrapper for ipip_input(), for use with IPv4. 114 */ 115 void 116 ip4_input(struct mbuf *m, ...) 117 { 118 struct ip *ip; 119 va_list ap; 120 int iphlen; 121 122 /* If we do not accept IP-in-IP explicitly, drop. */ 123 if (!ipip_allow && (m->m_flags & (M_AUTH|M_CONF)) == 0) { 124 DPRINTF(("ip4_input(): dropped due to policy\n")); 125 ipipstat.ipips_pdrops++; 126 m_freem(m); 127 return; 128 } 129 130 va_start(ap, m); 131 iphlen = va_arg(ap, int); 132 va_end(ap); 133 134 ip = mtod(m, struct ip *); 135 136 ipip_input(m, iphlen, NULL, ip->ip_p); 137 } 138 #endif /* INET */ 139 140 /* 141 * ipip_input gets called when we receive an IP{46} encapsulated packet, 142 * either because we got it at a real interface, or because AH or ESP 143 * were being used in tunnel mode (in which case the rcvif element will 144 * contain the address of the encX interface associated with the tunnel. 145 */ 146 147 void 148 ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp, int proto) 149 { 150 struct sockaddr_in *sin; 151 struct ifnet *ifp; 152 struct ifaddr *ifa; 153 struct ifqueue *ifq = NULL; 154 struct ip *ipo; 155 u_int rdomain; 156 #ifdef INET6 157 struct sockaddr_in6 *sin6; 158 struct ip6_hdr *ip6; 159 #endif 160 int isr; 161 int mode, hlen, s; 162 u_int8_t itos, otos; 163 u_int8_t v; 164 sa_family_t af; 165 166 ipipstat.ipips_ipackets++; 167 168 m_copydata(m, 0, 1, &v); 169 170 switch (v >> 4) { 171 #ifdef INET 172 case 4: 173 hlen = sizeof(struct ip); 174 break; 175 #endif /* INET */ 176 #ifdef INET6 177 case 6: 178 hlen = sizeof(struct ip6_hdr); 179 break; 180 #endif 181 default: 182 ipipstat.ipips_family++; 183 m_freem(m); 184 return /* EAFNOSUPPORT */; 185 } 186 187 /* Bring the IP header in the first mbuf, if not there already */ 188 if (m->m_len < hlen) { 189 if ((m = m_pullup(m, hlen)) == NULL) { 190 DPRINTF(("ipip_input(): m_pullup() failed\n")); 191 ipipstat.ipips_hdrops++; 192 return; 193 } 194 } 195 196 197 /* Keep outer ecn field. */ 198 switch (v >> 4) { 199 #ifdef INET 200 case 4: 201 ipo = mtod(m, struct ip *); 202 otos = ipo->ip_tos; 203 break; 204 #endif /* INET */ 205 #ifdef INET6 206 case 6: 207 ip6 = mtod(m, struct ip6_hdr *); 208 otos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; 209 break; 210 #endif 211 default: 212 panic("ipip_input: should never reach here"); 213 } 214 215 /* Remove outer IP header */ 216 m_adj(m, iphlen); 217 218 /* Sanity check */ 219 if (m->m_pkthdr.len < sizeof(struct ip)) { 220 ipipstat.ipips_hdrops++; 221 m_freem(m); 222 return; 223 } 224 225 switch (proto) { 226 #ifdef INET 227 case IPPROTO_IPV4: 228 hlen = sizeof(struct ip); 229 break; 230 #endif /* INET */ 231 232 #ifdef INET6 233 case IPPROTO_IPV6: 234 hlen = sizeof(struct ip6_hdr); 235 break; 236 #endif 237 default: 238 ipipstat.ipips_family++; 239 m_freem(m); 240 return; /* EAFNOSUPPORT */ 241 } 242 243 /* 244 * Bring the inner header into the first mbuf, if not there already. 245 */ 246 if (m->m_len < hlen) { 247 if ((m = m_pullup(m, hlen)) == NULL) { 248 DPRINTF(("ipip_input(): m_pullup() failed\n")); 249 ipipstat.ipips_hdrops++; 250 return; 251 } 252 } 253 254 /* 255 * RFC 1853 specifies that the inner TTL should not be touched on 256 * decapsulation. There's no reason this comment should be here, but 257 * this is as good as any a position. 258 */ 259 260 /* Some sanity checks in the inner IP header */ 261 switch (proto) { 262 #ifdef INET 263 case IPPROTO_IPV4: 264 ipo = mtod(m, struct ip *); 265 #ifdef INET6 266 ip6 = NULL; 267 #endif 268 itos = ipo->ip_tos; 269 mode = m->m_flags & (M_AUTH|M_CONF) ? 270 ECN_ALLOWED_IPSEC : ECN_ALLOWED; 271 if (!ip_ecn_egress(mode, &otos, &ipo->ip_tos)) { 272 DPRINTF(("ipip_input(): ip_ecn_egress() failed")); 273 ipipstat.ipips_pdrops++; 274 m_freem(m); 275 return; 276 } 277 /* re-calculate the checksum if ip_tos was changed */ 278 if (itos != ipo->ip_tos) { 279 hlen = ipo->ip_hl << 2; 280 if (m->m_pkthdr.len >= hlen) { 281 ipo->ip_sum = 0; 282 ipo->ip_sum = in_cksum(m, hlen); 283 } 284 } 285 break; 286 #endif /* INET */ 287 #ifdef INET6 288 case IPPROTO_IPV6: 289 #ifdef INET 290 ipo = NULL; 291 #endif 292 ip6 = mtod(m, struct ip6_hdr *); 293 itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; 294 if (!ip_ecn_egress(ECN_ALLOWED, &otos, &itos)) { 295 DPRINTF(("ipip_input(): ip_ecn_egress() failed")); 296 ipipstat.ipips_pdrops++; 297 m_freem(m); 298 return; 299 } 300 ip6->ip6_flow &= ~htonl(0xff << 20); 301 ip6->ip6_flow |= htonl((u_int32_t) itos << 20); 302 break; 303 #endif 304 default: 305 #ifdef INET 306 ipo = NULL; 307 #endif 308 #ifdef INET6 309 ip6 = NULL; 310 #endif 311 } 312 313 /* Check for local address spoofing. */ 314 if ((m->m_pkthdr.rcvif == NULL || 315 !(m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK)) && 316 ipip_allow != 2) { 317 rdomain = rtable_l2(m->m_pkthdr.rdomain); 318 TAILQ_FOREACH(ifp, &ifnet, if_list) { 319 if (ifp->if_rdomain != rdomain) 320 continue; 321 TAILQ_FOREACH(ifa, &ifp->if_addrlist, ifa_list) { 322 #ifdef INET 323 if (ipo) { 324 if (ifa->ifa_addr->sa_family != 325 AF_INET) 326 continue; 327 328 sin = (struct sockaddr_in *) 329 ifa->ifa_addr; 330 if (sin->sin_addr.s_addr == 331 ipo->ip_src.s_addr) { 332 ipipstat.ipips_spoof++; 333 m_freem(m); 334 return; 335 } 336 } 337 #endif /* INET */ 338 #ifdef INET6 339 if (ip6) { 340 if (ifa->ifa_addr->sa_family != 341 AF_INET6) 342 continue; 343 344 sin6 = (struct sockaddr_in6 *) 345 ifa->ifa_addr; 346 if (IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr, 347 &ip6->ip6_src)) { 348 ipipstat.ipips_spoof++; 349 m_freem(m); 350 return; 351 } 352 353 } 354 #endif /* INET6 */ 355 } 356 } 357 } 358 359 /* Statistics */ 360 ipipstat.ipips_ibytes += m->m_pkthdr.len - iphlen; 361 362 /* 363 * Interface pointer stays the same; if no IPsec processing has 364 * been done (or will be done), this will point to a normal 365 * interface. Otherwise, it'll point to an enc interface, which 366 * will allow a packet filter to distinguish between secure and 367 * untrusted packets. 368 */ 369 370 switch (proto) { 371 #ifdef INET 372 case IPPROTO_IPV4: 373 ifq = &ipintrq; 374 isr = NETISR_IP; 375 af = AF_INET; 376 break; 377 #endif 378 #ifdef INET6 379 case IPPROTO_IPV6: 380 ifq = &ip6intrq; 381 isr = NETISR_IPV6; 382 af = AF_INET6; 383 break; 384 #endif 385 default: 386 panic("ipip_input: should never reach here"); 387 } 388 389 #if NBPFILTER > 0 390 if (gifp && gifp->if_bpf) 391 bpf_mtap_af(gifp->if_bpf, af, m, BPF_DIRECTION_IN); 392 #endif 393 #if NPF > 0 394 pf_pkt_addr_changed(m); 395 #endif 396 397 s = splnet(); /* isn't it already? */ 398 if (IF_QFULL(ifq)) { 399 IF_DROP(ifq); 400 m_freem(m); 401 ipipstat.ipips_qfull++; 402 403 splx(s); 404 405 DPRINTF(("ipip_input(): packet dropped because of full " 406 "queue\n")); 407 return; 408 } 409 410 IF_ENQUEUE(ifq, m); 411 schednetisr(isr); 412 splx(s); 413 return; 414 } 415 416 int 417 ipip_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int dummy, 418 int dummy2) 419 { 420 u_int8_t tp, otos; 421 422 #ifdef INET 423 u_int8_t itos; 424 struct ip *ipo; 425 #endif /* INET */ 426 427 #ifdef INET6 428 struct ip6_hdr *ip6, *ip6o; 429 #endif /* INET6 */ 430 431 /* XXX Deal with empty TDB source/destination addresses. */ 432 433 m_copydata(m, 0, 1, &tp); 434 tp = (tp >> 4) & 0xff; /* Get the IP version number. */ 435 436 switch (tdb->tdb_dst.sa.sa_family) { 437 #ifdef INET 438 case AF_INET: 439 if (tdb->tdb_src.sa.sa_family != AF_INET || 440 tdb->tdb_src.sin.sin_addr.s_addr == INADDR_ANY || 441 tdb->tdb_dst.sin.sin_addr.s_addr == INADDR_ANY) { 442 443 DPRINTF(("ipip_output(): unspecified tunnel endpoind " 444 "address in SA %s/%08x\n", 445 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 446 447 ipipstat.ipips_unspec++; 448 m_freem(m); 449 *mp = NULL; 450 return EINVAL; 451 } 452 453 M_PREPEND(m, sizeof(struct ip), M_DONTWAIT); 454 if (m == 0) { 455 DPRINTF(("ipip_output(): M_PREPEND failed\n")); 456 ipipstat.ipips_hdrops++; 457 *mp = NULL; 458 return ENOBUFS; 459 } 460 461 ipo = mtod(m, struct ip *); 462 463 ipo->ip_v = IPVERSION; 464 ipo->ip_hl = 5; 465 ipo->ip_len = htons(m->m_pkthdr.len); 466 ipo->ip_ttl = ip_defttl; 467 ipo->ip_sum = 0; 468 ipo->ip_src = tdb->tdb_src.sin.sin_addr; 469 ipo->ip_dst = tdb->tdb_dst.sin.sin_addr; 470 471 /* 472 * We do the htons() to prevent snoopers from determining our 473 * endianness. 474 */ 475 ipo->ip_id = htons(ip_randomid()); 476 477 /* If the inner protocol is IP... */ 478 if (tp == IPVERSION) { 479 /* Save ECN notification */ 480 m_copydata(m, sizeof(struct ip) + 481 offsetof(struct ip, ip_tos), 482 sizeof(u_int8_t), (caddr_t) &itos); 483 484 ipo->ip_p = IPPROTO_IPIP; 485 486 /* 487 * We should be keeping tunnel soft-state and 488 * send back ICMPs if needed. 489 */ 490 m_copydata(m, sizeof(struct ip) + 491 offsetof(struct ip, ip_off), 492 sizeof(u_int16_t), (caddr_t) &ipo->ip_off); 493 NTOHS(ipo->ip_off); 494 ipo->ip_off &= ~(IP_DF | IP_MF | IP_OFFMASK); 495 HTONS(ipo->ip_off); 496 } 497 #ifdef INET6 498 else if (tp == (IPV6_VERSION >> 4)) { 499 u_int32_t itos32; 500 501 /* Save ECN notification. */ 502 m_copydata(m, sizeof(struct ip) + 503 offsetof(struct ip6_hdr, ip6_flow), 504 sizeof(u_int32_t), (caddr_t) &itos32); 505 itos = ntohl(itos32) >> 20; 506 ipo->ip_p = IPPROTO_IPV6; 507 ipo->ip_off = 0; 508 } 509 #endif /* INET6 */ 510 else { 511 m_freem(m); 512 *mp = NULL; 513 ipipstat.ipips_family++; 514 return EAFNOSUPPORT; 515 } 516 517 otos = 0; 518 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); 519 ipo->ip_tos = otos; 520 break; 521 #endif /* INET */ 522 523 #ifdef INET6 524 case AF_INET6: 525 if (IN6_IS_ADDR_UNSPECIFIED(&tdb->tdb_dst.sin6.sin6_addr) || 526 tdb->tdb_src.sa.sa_family != AF_INET6 || 527 IN6_IS_ADDR_UNSPECIFIED(&tdb->tdb_src.sin6.sin6_addr)) { 528 529 DPRINTF(("ipip_output(): unspecified tunnel endpoind " 530 "address in SA %s/%08x\n", 531 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 532 533 ipipstat.ipips_unspec++; 534 m_freem(m); 535 *mp = NULL; 536 return ENOBUFS; 537 } 538 539 /* If the inner protocol is IPv6, clear link local scope */ 540 if (tp == (IPV6_VERSION >> 4)) { 541 /* scoped address handling */ 542 ip6 = mtod(m, struct ip6_hdr *); 543 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_src)) 544 ip6->ip6_src.s6_addr16[1] = 0; 545 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst)) 546 ip6->ip6_dst.s6_addr16[1] = 0; 547 } 548 549 M_PREPEND(m, sizeof(struct ip6_hdr), M_DONTWAIT); 550 if (m == 0) { 551 DPRINTF(("ipip_output(): M_PREPEND failed\n")); 552 ipipstat.ipips_hdrops++; 553 *mp = NULL; 554 return ENOBUFS; 555 } 556 557 /* Initialize IPv6 header */ 558 ip6o = mtod(m, struct ip6_hdr *); 559 ip6o->ip6_flow = 0; 560 ip6o->ip6_vfc &= ~IPV6_VERSION_MASK; 561 ip6o->ip6_vfc |= IPV6_VERSION; 562 ip6o->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6o)); 563 ip6o->ip6_hlim = ip_defttl; 564 in6_embedscope(&ip6o->ip6_src, &tdb->tdb_src.sin6, NULL, NULL); 565 in6_embedscope(&ip6o->ip6_dst, &tdb->tdb_dst.sin6, NULL, NULL); 566 567 #ifdef INET 568 if (tp == IPVERSION) { 569 /* Save ECN notification */ 570 m_copydata(m, sizeof(struct ip6_hdr) + 571 offsetof(struct ip, ip_tos), sizeof(u_int8_t), 572 (caddr_t) &itos); 573 574 /* This is really IPVERSION. */ 575 ip6o->ip6_nxt = IPPROTO_IPIP; 576 } 577 else 578 #endif /* INET */ 579 if (tp == (IPV6_VERSION >> 4)) { 580 u_int32_t itos32; 581 582 /* Save ECN notification. */ 583 m_copydata(m, sizeof(struct ip6_hdr) + 584 offsetof(struct ip6_hdr, ip6_flow), 585 sizeof(u_int32_t), (caddr_t) &itos32); 586 itos = ntohl(itos32) >> 20; 587 588 ip6o->ip6_nxt = IPPROTO_IPV6; 589 } else { 590 m_freem(m); 591 *mp = NULL; 592 ipipstat.ipips_family++; 593 return EAFNOSUPPORT; 594 } 595 596 otos = 0; 597 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); 598 ip6o->ip6_flow |= htonl((u_int32_t) otos << 20); 599 break; 600 #endif /* INET6 */ 601 602 default: 603 DPRINTF(("ipip_output(): unsupported protocol family %d\n", 604 tdb->tdb_dst.sa.sa_family)); 605 m_freem(m); 606 *mp = NULL; 607 ipipstat.ipips_family++; 608 return EAFNOSUPPORT; 609 } 610 611 ipipstat.ipips_opackets++; 612 *mp = m; 613 614 #ifdef INET 615 if (tdb->tdb_dst.sa.sa_family == AF_INET) { 616 if (tdb->tdb_xform->xf_type == XF_IP4) 617 tdb->tdb_cur_bytes += 618 m->m_pkthdr.len - sizeof(struct ip); 619 620 ipipstat.ipips_obytes += m->m_pkthdr.len - sizeof(struct ip); 621 } 622 #endif /* INET */ 623 624 #ifdef INET6 625 if (tdb->tdb_dst.sa.sa_family == AF_INET6) { 626 if (tdb->tdb_xform->xf_type == XF_IP4) 627 tdb->tdb_cur_bytes += 628 m->m_pkthdr.len - sizeof(struct ip6_hdr); 629 630 ipipstat.ipips_obytes += 631 m->m_pkthdr.len - sizeof(struct ip6_hdr); 632 } 633 #endif /* INET6 */ 634 635 return 0; 636 } 637 638 #ifdef IPSEC 639 int 640 ipe4_attach() 641 { 642 return 0; 643 } 644 645 int 646 ipe4_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii) 647 { 648 tdbp->tdb_xform = xsp; 649 return 0; 650 } 651 652 int 653 ipe4_zeroize(struct tdb *tdbp) 654 { 655 return 0; 656 } 657 658 void 659 ipe4_input(struct mbuf *m, ...) 660 { 661 /* This is a rather serious mistake, so no conditional printing. */ 662 printf("ipe4_input(): should never be called\n"); 663 if (m) 664 m_freem(m); 665 } 666 #endif /* IPSEC */ 667 668 int 669 ipip_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 670 size_t newlen) 671 { 672 /* All sysctl names at this level are terminal. */ 673 if (namelen != 1) 674 return (ENOTDIR); 675 676 switch (name[0]) { 677 case IPIPCTL_ALLOW: 678 return (sysctl_int(oldp, oldlenp, newp, newlen, &ipip_allow)); 679 case IPIPCTL_STATS: 680 if (newp != NULL) 681 return (EPERM); 682 return (sysctl_struct(oldp, oldlenp, newp, newlen, 683 &ipipstat, sizeof(ipipstat))); 684 default: 685 return (ENOPROTOOPT); 686 } 687 /* NOTREACHED */ 688 } 689