1 /* $OpenBSD: ip_ipip.c,v 1.87 2017/10/09 08:35:38 mpi Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * The original version of this code was written by John Ioannidis 8 * for BSD/OS in Athens, Greece, in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001, Angelos D. Keromytis. 21 * 22 * Permission to use, copy, and modify this software with or without fee 23 * is hereby granted, provided that this entire notice is included in 24 * all copies of any software which is or includes a copy or 25 * modification of this software. 26 * You may use this code under the GNU public license if you so wish. Please 27 * contribute changes back to the authors under this freer than GPL license 28 * so that we may further the use of strong encryption without limitations to 29 * all. 30 * 31 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 32 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 33 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 34 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 35 * PURPOSE. 36 */ 37 38 /* 39 * IP-inside-IP processing 40 */ 41 42 #include "bpfilter.h" 43 #include "gif.h" 44 #include "pf.h" 45 46 #include <sys/param.h> 47 #include <sys/systm.h> 48 #include <sys/mbuf.h> 49 #include <sys/socket.h> 50 #include <sys/sysctl.h> 51 52 #include <net/if.h> 53 #include <net/if_types.h> 54 #include <net/if_var.h> 55 #include <net/route.h> 56 #include <net/netisr.h> 57 #include <net/bpf.h> 58 59 #include <netinet/in.h> 60 #include <netinet/ip.h> 61 #include <netinet/in_pcb.h> 62 #include <netinet/ip_var.h> 63 #include <netinet/ip_ecn.h> 64 #include <netinet/ip_ipip.h> 65 66 #ifdef MROUTING 67 #include <netinet/ip_mroute.h> 68 #endif 69 70 #if NPF > 0 71 #include <net/pfvar.h> 72 #endif 73 74 #ifdef ENCDEBUG 75 #define DPRINTF(x) if (encdebug) printf x 76 #else 77 #define DPRINTF(x) 78 #endif 79 80 /* 81 * We can control the acceptance of IP4 packets by altering the sysctl 82 * net.inet.ipip.allow value. Zero means drop them, all else is acceptance. 83 */ 84 int ipip_allow = 0; 85 86 struct cpumem *ipipcounters; 87 88 void 89 ipip_init(void) 90 { 91 ipipcounters = counters_alloc(ipips_ncounters); 92 } 93 94 /* 95 * Really only a wrapper for ipip_input_if(), for use with pr_input. 96 */ 97 int 98 ipip_input(struct mbuf **mp, int *offp, int nxt, int af) 99 { 100 struct ifnet *ifp; 101 102 /* If we do not accept IP-in-IP explicitly, drop. */ 103 if (!ipip_allow && ((*mp)->m_flags & (M_AUTH|M_CONF)) == 0) { 104 DPRINTF(("%s: dropped due to policy\n", __func__)); 105 ipipstat_inc(ipips_pdrops); 106 m_freemp(mp); 107 return IPPROTO_DONE; 108 } 109 110 ifp = if_get((*mp)->m_pkthdr.ph_ifidx); 111 if (ifp == NULL) { 112 m_freemp(mp); 113 return IPPROTO_DONE; 114 } 115 nxt = ipip_input_if(mp, offp, nxt, af, ifp); 116 if_put(ifp); 117 118 return nxt; 119 } 120 121 /* 122 * ipip_input gets called when we receive an IP{46} encapsulated packet, 123 * either because we got it at a real interface, or because AH or ESP 124 * were being used in tunnel mode (in which case the ph_ifidx element 125 * will contain the index of the encX interface associated with the 126 * tunnel. 127 */ 128 129 int 130 ipip_input_if(struct mbuf **mp, int *offp, int proto, int oaf, 131 struct ifnet *ifp) 132 { 133 struct mbuf *m = *mp; 134 struct sockaddr_in *sin; 135 struct ip *ip; 136 #ifdef INET6 137 struct sockaddr_in6 *sin6; 138 struct ip6_hdr *ip6; 139 #endif 140 int mode, hlen; 141 u_int8_t itos, otos; 142 sa_family_t iaf; 143 144 ipipstat_inc(ipips_ipackets); 145 146 switch (oaf) { 147 case AF_INET: 148 hlen = sizeof(struct ip); 149 break; 150 #ifdef INET6 151 case AF_INET6: 152 hlen = sizeof(struct ip6_hdr); 153 break; 154 #endif 155 default: 156 unhandled_af(oaf); 157 } 158 159 /* Bring the IP header in the first mbuf, if not there already */ 160 if (m->m_len < hlen) { 161 if ((m = *mp = m_pullup(m, hlen)) == NULL) { 162 DPRINTF(("%s: m_pullup() failed\n", __func__)); 163 ipipstat_inc(ipips_hdrops); 164 goto bad; 165 } 166 } 167 168 /* Keep outer ecn field. */ 169 switch (oaf) { 170 case AF_INET: 171 ip = mtod(m, struct ip *); 172 otos = ip->ip_tos; 173 break; 174 #ifdef INET6 175 case AF_INET6: 176 ip6 = mtod(m, struct ip6_hdr *); 177 otos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; 178 break; 179 #endif 180 } 181 182 /* Remove outer IP header */ 183 KASSERT(*offp > 0); 184 m_adj(m, *offp); 185 *offp = 0; 186 ip = NULL; 187 #ifdef INET6 188 ip6 = NULL; 189 #endif 190 191 switch (proto) { 192 case IPPROTO_IPV4: 193 hlen = sizeof(struct ip); 194 break; 195 196 #ifdef INET6 197 case IPPROTO_IPV6: 198 hlen = sizeof(struct ip6_hdr); 199 break; 200 #endif 201 default: 202 ipipstat_inc(ipips_family); 203 goto bad; 204 } 205 206 /* Sanity check */ 207 if (m->m_pkthdr.len < hlen) { 208 ipipstat_inc(ipips_hdrops); 209 goto bad; 210 } 211 212 /* 213 * Bring the inner header into the first mbuf, if not there already. 214 */ 215 if (m->m_len < hlen) { 216 if ((m = *mp = m_pullup(m, hlen)) == NULL) { 217 DPRINTF(("%s: m_pullup() failed\n", __func__)); 218 ipipstat_inc(ipips_hdrops); 219 goto bad; 220 } 221 } 222 223 /* 224 * RFC 1853 specifies that the inner TTL should not be touched on 225 * decapsulation. There's no reason this comment should be here, but 226 * this is as good as any a position. 227 */ 228 229 /* Some sanity checks in the inner IP header */ 230 switch (proto) { 231 case IPPROTO_IPV4: 232 iaf = AF_INET; 233 ip = mtod(m, struct ip *); 234 hlen = ip->ip_hl << 2; 235 if (m->m_pkthdr.len < hlen) { 236 ipipstat_inc(ipips_hdrops); 237 goto bad; 238 } 239 itos = ip->ip_tos; 240 mode = m->m_flags & (M_AUTH|M_CONF) ? 241 ECN_ALLOWED_IPSEC : ECN_ALLOWED; 242 if (!ip_ecn_egress(mode, &otos, &ip->ip_tos)) { 243 DPRINTF(("%s: ip_ecn_egress() failed\n", __func__)); 244 ipipstat_inc(ipips_pdrops); 245 goto bad; 246 } 247 /* re-calculate the checksum if ip_tos was changed */ 248 if (itos != ip->ip_tos) { 249 ip->ip_sum = 0; 250 ip->ip_sum = in_cksum(m, hlen); 251 } 252 break; 253 #ifdef INET6 254 case IPPROTO_IPV6: 255 iaf = AF_INET6; 256 ip6 = mtod(m, struct ip6_hdr *); 257 itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; 258 if (!ip_ecn_egress(ECN_ALLOWED, &otos, &itos)) { 259 DPRINTF(("%s: ip_ecn_egress() failed\n", __func__)); 260 ipipstat_inc(ipips_pdrops); 261 goto bad; 262 } 263 ip6->ip6_flow &= ~htonl(0xff << 20); 264 ip6->ip6_flow |= htonl((u_int32_t) itos << 20); 265 break; 266 #endif 267 } 268 269 /* Check for local address spoofing. */ 270 if (!(ifp->if_flags & IFF_LOOPBACK) && ipip_allow != 2) { 271 struct sockaddr_storage ss; 272 struct rtentry *rt; 273 274 memset(&ss, 0, sizeof(ss)); 275 276 if (ip) { 277 sin = (struct sockaddr_in *)&ss; 278 sin->sin_family = AF_INET; 279 sin->sin_len = sizeof(*sin); 280 sin->sin_addr = ip->ip_src; 281 #ifdef INET6 282 } else if (ip6) { 283 sin6 = (struct sockaddr_in6 *)&ss; 284 sin6->sin6_family = AF_INET6; 285 sin6->sin6_len = sizeof(*sin6); 286 sin6->sin6_addr = ip6->ip6_src; 287 #endif /* INET6 */ 288 } 289 rt = rtalloc(sstosa(&ss), 0, m->m_pkthdr.ph_rtableid); 290 if ((rt != NULL) && (rt->rt_flags & RTF_LOCAL)) { 291 ipipstat_inc(ipips_spoof); 292 rtfree(rt); 293 goto bad; 294 } 295 rtfree(rt); 296 } 297 298 /* Statistics */ 299 ipipstat_add(ipips_ibytes, m->m_pkthdr.len - hlen); 300 301 #if NBPFILTER > 0 && NGIF > 0 302 if (ifp->if_type == IFT_GIF && ifp->if_bpf != NULL) 303 bpf_mtap_af(ifp->if_bpf, iaf, m, BPF_DIRECTION_IN); 304 #endif 305 #if NPF > 0 306 pf_pkt_addr_changed(m); 307 #endif 308 309 /* 310 * Interface pointer stays the same; if no IPsec processing has 311 * been done (or will be done), this will point to a normal 312 * interface. Otherwise, it'll point to an enc interface, which 313 * will allow a packet filter to distinguish between secure and 314 * untrusted packets. 315 */ 316 317 switch (proto) { 318 case IPPROTO_IPV4: 319 return ip_input_if(mp, offp, proto, oaf, ifp); 320 #ifdef INET6 321 case IPPROTO_IPV6: 322 return ip6_input_if(mp, offp, proto, oaf, ifp); 323 #endif 324 } 325 bad: 326 m_freemp(mp); 327 return IPPROTO_DONE; 328 } 329 330 int 331 ipip_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int dummy, 332 int dummy2) 333 { 334 u_int8_t tp, otos; 335 336 u_int8_t itos; 337 struct ip *ipo; 338 339 #ifdef INET6 340 struct ip6_hdr *ip6, *ip6o; 341 #endif /* INET6 */ 342 #ifdef ENCDEBUG 343 char buf[INET6_ADDRSTRLEN]; 344 #endif 345 346 /* XXX Deal with empty TDB source/destination addresses. */ 347 348 m_copydata(m, 0, 1, &tp); 349 tp = (tp >> 4) & 0xff; /* Get the IP version number. */ 350 351 switch (tdb->tdb_dst.sa.sa_family) { 352 case AF_INET: 353 if (tdb->tdb_src.sa.sa_family != AF_INET || 354 tdb->tdb_src.sin.sin_addr.s_addr == INADDR_ANY || 355 tdb->tdb_dst.sin.sin_addr.s_addr == INADDR_ANY) { 356 357 DPRINTF(("%s: unspecified tunnel endpoind " 358 "address in SA %s/%08x\n", __func__, 359 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 360 ntohl(tdb->tdb_spi))); 361 362 ipipstat_inc(ipips_unspec); 363 m_freem(m); 364 *mp = NULL; 365 return EINVAL; 366 } 367 368 M_PREPEND(m, sizeof(struct ip), M_DONTWAIT); 369 if (m == NULL) { 370 DPRINTF(("%s: M_PREPEND failed\n", __func__)); 371 ipipstat_inc(ipips_hdrops); 372 *mp = NULL; 373 return ENOBUFS; 374 } 375 376 ipo = mtod(m, struct ip *); 377 378 ipo->ip_v = IPVERSION; 379 ipo->ip_hl = 5; 380 ipo->ip_len = htons(m->m_pkthdr.len); 381 ipo->ip_ttl = ip_defttl; 382 ipo->ip_sum = 0; 383 ipo->ip_src = tdb->tdb_src.sin.sin_addr; 384 ipo->ip_dst = tdb->tdb_dst.sin.sin_addr; 385 386 /* 387 * We do the htons() to prevent snoopers from determining our 388 * endianness. 389 */ 390 ipo->ip_id = htons(ip_randomid()); 391 392 /* If the inner protocol is IP... */ 393 if (tp == IPVERSION) { 394 /* Save ECN notification */ 395 m_copydata(m, sizeof(struct ip) + 396 offsetof(struct ip, ip_tos), 397 sizeof(u_int8_t), (caddr_t) &itos); 398 399 ipo->ip_p = IPPROTO_IPIP; 400 401 /* 402 * We should be keeping tunnel soft-state and 403 * send back ICMPs if needed. 404 */ 405 m_copydata(m, sizeof(struct ip) + 406 offsetof(struct ip, ip_off), 407 sizeof(u_int16_t), (caddr_t) &ipo->ip_off); 408 ipo->ip_off = ntohs(ipo->ip_off); 409 ipo->ip_off &= ~(IP_DF | IP_MF | IP_OFFMASK); 410 ipo->ip_off = htons(ipo->ip_off); 411 } 412 #ifdef INET6 413 else if (tp == (IPV6_VERSION >> 4)) { 414 u_int32_t itos32; 415 416 /* Save ECN notification. */ 417 m_copydata(m, sizeof(struct ip) + 418 offsetof(struct ip6_hdr, ip6_flow), 419 sizeof(u_int32_t), (caddr_t) &itos32); 420 itos = ntohl(itos32) >> 20; 421 ipo->ip_p = IPPROTO_IPV6; 422 ipo->ip_off = 0; 423 } 424 #endif /* INET6 */ 425 else { 426 m_freem(m); 427 *mp = NULL; 428 ipipstat_inc(ipips_family); 429 return EAFNOSUPPORT; 430 } 431 432 otos = 0; 433 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); 434 ipo->ip_tos = otos; 435 break; 436 437 #ifdef INET6 438 case AF_INET6: 439 if (IN6_IS_ADDR_UNSPECIFIED(&tdb->tdb_dst.sin6.sin6_addr) || 440 tdb->tdb_src.sa.sa_family != AF_INET6 || 441 IN6_IS_ADDR_UNSPECIFIED(&tdb->tdb_src.sin6.sin6_addr)) { 442 443 DPRINTF(("%s: unspecified tunnel endpoind " 444 "address in SA %s/%08x\n", __func__, 445 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 446 ntohl(tdb->tdb_spi))); 447 448 ipipstat_inc(ipips_unspec); 449 m_freem(m); 450 *mp = NULL; 451 return ENOBUFS; 452 } 453 454 /* If the inner protocol is IPv6, clear link local scope */ 455 if (tp == (IPV6_VERSION >> 4)) { 456 /* scoped address handling */ 457 ip6 = mtod(m, struct ip6_hdr *); 458 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_src)) 459 ip6->ip6_src.s6_addr16[1] = 0; 460 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst)) 461 ip6->ip6_dst.s6_addr16[1] = 0; 462 } 463 464 M_PREPEND(m, sizeof(struct ip6_hdr), M_DONTWAIT); 465 if (m == NULL) { 466 DPRINTF(("%s: M_PREPEND failed\n", __func__)); 467 ipipstat_inc(ipips_hdrops); 468 *mp = NULL; 469 return ENOBUFS; 470 } 471 472 /* Initialize IPv6 header */ 473 ip6o = mtod(m, struct ip6_hdr *); 474 ip6o->ip6_flow = 0; 475 ip6o->ip6_vfc &= ~IPV6_VERSION_MASK; 476 ip6o->ip6_vfc |= IPV6_VERSION; 477 ip6o->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6o)); 478 ip6o->ip6_hlim = ip_defttl; 479 in6_embedscope(&ip6o->ip6_src, &tdb->tdb_src.sin6, NULL); 480 in6_embedscope(&ip6o->ip6_dst, &tdb->tdb_dst.sin6, NULL); 481 482 if (tp == IPVERSION) { 483 /* Save ECN notification */ 484 m_copydata(m, sizeof(struct ip6_hdr) + 485 offsetof(struct ip, ip_tos), sizeof(u_int8_t), 486 (caddr_t) &itos); 487 488 /* This is really IPVERSION. */ 489 ip6o->ip6_nxt = IPPROTO_IPIP; 490 } 491 else 492 if (tp == (IPV6_VERSION >> 4)) { 493 u_int32_t itos32; 494 495 /* Save ECN notification. */ 496 m_copydata(m, sizeof(struct ip6_hdr) + 497 offsetof(struct ip6_hdr, ip6_flow), 498 sizeof(u_int32_t), (caddr_t) &itos32); 499 itos = ntohl(itos32) >> 20; 500 501 ip6o->ip6_nxt = IPPROTO_IPV6; 502 } else { 503 m_freem(m); 504 *mp = NULL; 505 ipipstat_inc(ipips_family); 506 return EAFNOSUPPORT; 507 } 508 509 otos = 0; 510 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); 511 ip6o->ip6_flow |= htonl((u_int32_t) otos << 20); 512 break; 513 #endif /* INET6 */ 514 515 default: 516 DPRINTF(("%s: unsupported protocol family %d\n", __func__, 517 tdb->tdb_dst.sa.sa_family)); 518 m_freem(m); 519 *mp = NULL; 520 ipipstat_inc(ipips_family); 521 return EAFNOSUPPORT; 522 } 523 524 ipipstat_inc(ipips_opackets); 525 *mp = m; 526 527 if (tdb->tdb_dst.sa.sa_family == AF_INET) { 528 if (tdb->tdb_xform->xf_type == XF_IP4) 529 tdb->tdb_cur_bytes += 530 m->m_pkthdr.len - sizeof(struct ip); 531 532 ipipstat_add(ipips_obytes, m->m_pkthdr.len - sizeof(struct ip)); 533 } 534 535 #ifdef INET6 536 if (tdb->tdb_dst.sa.sa_family == AF_INET6) { 537 if (tdb->tdb_xform->xf_type == XF_IP4) 538 tdb->tdb_cur_bytes += 539 m->m_pkthdr.len - sizeof(struct ip6_hdr); 540 541 ipipstat_add(ipips_obytes, 542 m->m_pkthdr.len - sizeof(struct ip6_hdr)); 543 } 544 #endif /* INET6 */ 545 546 return 0; 547 } 548 549 #ifdef IPSEC 550 int 551 ipe4_attach(void) 552 { 553 return 0; 554 } 555 556 int 557 ipe4_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii) 558 { 559 tdbp->tdb_xform = xsp; 560 return 0; 561 } 562 563 int 564 ipe4_zeroize(struct tdb *tdbp) 565 { 566 return 0; 567 } 568 569 int 570 ipe4_input(struct mbuf *m, struct tdb *tdb, int hlen, int proto) 571 { 572 /* This is a rather serious mistake, so no conditional printing. */ 573 printf("ipe4_input(): should never be called\n"); 574 m_freem(m); 575 return EINVAL; 576 } 577 #endif /* IPSEC */ 578 579 int 580 ipip_sysctl_ipipstat(void *oldp, size_t *oldlenp, void *newp) 581 { 582 struct ipipstat ipipstat; 583 584 CTASSERT(sizeof(ipipstat) == (ipips_ncounters * sizeof(uint64_t))); 585 memset(&ipipstat, 0, sizeof ipipstat); 586 counters_read(ipipcounters, (uint64_t *)&ipipstat, ipips_ncounters); 587 return (sysctl_rdstruct(oldp, oldlenp, newp, 588 &ipipstat, sizeof(ipipstat))); 589 } 590 591 int 592 ipip_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 593 size_t newlen) 594 { 595 int error; 596 597 /* All sysctl names at this level are terminal. */ 598 if (namelen != 1) 599 return (ENOTDIR); 600 601 switch (name[0]) { 602 case IPIPCTL_ALLOW: 603 NET_LOCK(); 604 error = sysctl_int(oldp, oldlenp, newp, newlen, &ipip_allow); 605 NET_UNLOCK(); 606 return (error); 607 case IPIPCTL_STATS: 608 return (ipip_sysctl_ipipstat(oldp, oldlenp, newp)); 609 default: 610 return (ENOPROTOOPT); 611 } 612 /* NOTREACHED */ 613 } 614