1 /* $OpenBSD: ip_ipip.c,v 1.20 2001/07/04 23:14:55 espie Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * The original version of this code was written by John Ioannidis 8 * for BSD/OS in Athens, Greece, in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001, Angelos D. Keromytis. 21 * 22 * Permission to use, copy, and modify this software with or without fee 23 * is hereby granted, provided that this entire notice is included in 24 * all copies of any software which is or includes a copy or 25 * modification of this software. 26 * You may use this code under the GNU public license if you so wish. Please 27 * contribute changes back to the authors under this freer than GPL license 28 * so that we may further the use of strong encryption without limitations to 29 * all. 30 * 31 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 32 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 33 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 34 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 35 * PURPOSE. 36 */ 37 38 /* 39 * IP-inside-IP processing 40 */ 41 42 #include <sys/param.h> 43 #include <sys/systm.h> 44 #include <sys/mbuf.h> 45 #include <sys/socket.h> 46 #include <sys/sysctl.h> 47 48 #include <net/if.h> 49 #include <net/route.h> 50 #include <net/netisr.h> 51 52 #include <netinet/in.h> 53 #include <netinet/in_systm.h> 54 #include <netinet/ip.h> 55 #include <netinet/in_pcb.h> 56 #include <netinet/in_var.h> 57 #include <netinet/ip_var.h> 58 #include <netinet/ip_ecn.h> 59 60 #ifdef MROUTING 61 #include <netinet/ip_mroute.h> 62 #endif 63 64 #include <netinet/ip_ipsp.h> 65 #include <netinet/ip_ipip.h> 66 67 #ifdef ENCDEBUG 68 #define DPRINTF(x) if (encdebug) printf x 69 #else 70 #define DPRINTF(x) 71 #endif 72 73 /* 74 * We can control the acceptance of IP4 packets by altering the sysctl 75 * net.inet.ipip.allow value. Zero means drop them, all else is acceptance. 76 */ 77 int ipip_allow = 0; 78 79 struct ipipstat ipipstat; 80 81 #ifdef INET6 82 /* 83 * Really only a wrapper for ipip_input(), for use with IPv6. 84 */ 85 int 86 ip4_input6(struct mbuf **m, int *offp, int proto) 87 { 88 /* If we do not accept IPv4 explicitly, drop. */ 89 if (!ipip_allow && ((*m)->m_flags & (M_AUTH|M_CONF)) == 0) { 90 DPRINTF(("ip4_input6(): dropped due to policy\n")); 91 ipipstat.ipips_pdrops++; 92 m_freem(*m); 93 return IPPROTO_DONE; 94 } 95 96 ipip_input(*m, *offp); 97 return IPPROTO_DONE; 98 } 99 #endif /* INET6 */ 100 101 #ifdef INET 102 /* 103 * Really only a wrapper for ipip_input(), for use with IPv4. 104 */ 105 void 106 ip4_input(struct mbuf *m, ...) 107 { 108 va_list ap; 109 int iphlen; 110 111 /* If we do not accept IPv4 explicitly, drop. */ 112 if (!ipip_allow && (m->m_flags & (M_AUTH|M_CONF)) == 0) { 113 DPRINTF(("ip4_input(): dropped due to policy\n")); 114 ipipstat.ipips_pdrops++; 115 m_freem(m); 116 return; 117 } 118 119 va_start(ap, m); 120 iphlen = va_arg(ap, int); 121 va_end(ap); 122 123 ipip_input(m, iphlen); 124 } 125 #endif /* INET */ 126 127 /* 128 * ipip_input gets called when we receive an IP{46} encapsulated packet, 129 * either because we got it at a real interface, or because AH or ESP 130 * were being used in tunnel mode (in which case the rcvif element will 131 * contain the address of the encX interface associated with the tunnel. 132 */ 133 134 void 135 ipip_input(struct mbuf *m, int iphlen) 136 { 137 register struct sockaddr_in *sin; 138 register struct ifnet *ifp; 139 register struct ifaddr *ifa; 140 struct ifqueue *ifq = NULL; 141 struct ip *ipo; 142 #ifdef INET6 143 register struct sockaddr_in6 *sin6; 144 struct ip6_hdr *ip6 = NULL; 145 u_int8_t itos; 146 #endif 147 u_int8_t nxt; 148 int isr; 149 u_int8_t otos; 150 u_int8_t v; 151 int hlen, s; 152 153 ipipstat.ipips_ipackets++; 154 155 m_copydata(m, 0, 1, &v); 156 157 switch (v >> 4) { 158 #ifdef INET 159 case 4: 160 hlen = sizeof(struct ip); 161 break; 162 #endif /* INET */ 163 164 #ifdef INET6 165 case 6: 166 hlen = sizeof(struct ip6_hdr); 167 break; 168 #endif 169 default: 170 m_freem(m); 171 return /* EAFNOSUPPORT */; 172 } 173 174 /* Bring the IP header in the first mbuf, if not there already */ 175 if (m->m_len < hlen) { 176 if ((m = m_pullup(m, hlen)) == NULL) { 177 DPRINTF(("ipip_input(): m_pullup() failed\n")); 178 ipipstat.ipips_hdrops++; 179 return; 180 } 181 } 182 183 ipo = mtod(m, struct ip *); 184 185 #ifdef MROUTING 186 if (ipo->ip_v == IPVERSION && ipo->ip_p == IPPROTO_IPV4) { 187 if (IN_MULTICAST(((struct ip *)((char *) ipo + iphlen))->ip_dst.s_addr)) { 188 ipip_mroute_input (m, iphlen); 189 return; 190 } 191 } 192 #endif /* MROUTING */ 193 194 /* Keep outer ecn field. */ 195 #ifdef INET 196 if ((v >> 4) == 4) 197 otos = ipo->ip_tos; 198 #endif /* INET */ 199 200 #ifdef INET6 201 if ((v >> 4) == 6) 202 otos = (ntohl(mtod(m, struct ip6_hdr *)->ip6_flow) >> 20) & 0xff; 203 #endif 204 205 /* Remove outer IP header */ 206 m_adj(m, iphlen); 207 208 m_copydata(m, 0, 1, &v); 209 210 switch (v >> 4) { 211 #ifdef INET 212 case 4: 213 hlen = sizeof(struct ip); 214 break; 215 #endif /* INET */ 216 217 #ifdef INET6 218 case 6: 219 hlen = sizeof(struct ip6_hdr); 220 break; 221 #endif 222 223 default: 224 m_freem(m); 225 return /* EAFNOSUPPORT */; 226 } 227 228 /* 229 * Bring the inner IP header in the first mbuf, if not there already. 230 */ 231 if (m->m_len < hlen) { 232 if ((m = m_pullup(m, hlen)) == NULL) { 233 DPRINTF(("ipip_input(): m_pullup() failed\n")); 234 ipipstat.ipips_hdrops++; 235 return; 236 } 237 } 238 239 /* 240 * RFC 1853 specifies that the inner TTL should not be touched on 241 * decapsulation. There's no reason this comment should be here, but 242 * this is as good as any a position. 243 */ 244 245 /* Some sanity checks in the inner IPv4 header */ 246 switch (v >> 4) { 247 #ifdef INET 248 case 4: 249 ipo = mtod(m, struct ip *); 250 nxt = ipo->ip_p; 251 ip_ecn_egress(ECN_ALLOWED, &otos, &ipo->ip_tos); 252 break; 253 #endif /* INET */ 254 255 #ifdef INET6 256 case 6: 257 ip6 = (struct ip6_hdr *) ipo; 258 nxt = ip6->ip6_nxt; 259 itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; 260 ip_ecn_egress(ECN_ALLOWED, &otos, &itos); 261 ip6->ip6_flow &= ~htonl(0xff << 20); 262 ip6->ip6_flow |= htonl((u_int32_t) itos << 20); 263 break; 264 #endif 265 } 266 267 /* Check for local address spoofing. */ 268 if ((m->m_pkthdr.rcvif == NULL || 269 !(m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK)) && 270 ipip_allow != 2) { 271 for (ifp = ifnet.tqh_first; ifp != 0; 272 ifp = ifp->if_list.tqe_next) { 273 for (ifa = ifp->if_addrlist.tqh_first; ifa != 0; 274 ifa = ifa->ifa_list.tqe_next) { 275 #ifdef INET 276 if (ipo) { 277 if (ifa->ifa_addr->sa_family != 278 AF_INET) 279 continue; 280 281 sin = (struct sockaddr_in *) ifa->ifa_addr; 282 283 if (sin->sin_addr.s_addr == 284 ipo->ip_src.s_addr) { 285 ipipstat.ipips_spoof++; 286 m_freem(m); 287 return; 288 } 289 } 290 #endif /* INET */ 291 292 #ifdef INET6 293 if (ip6) { 294 if (ifa->ifa_addr->sa_family != 295 AF_INET6) 296 continue; 297 298 sin6 = (struct sockaddr_in6 *) ifa->ifa_addr; 299 300 if (IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr, &ip6->ip6_src)) { 301 ipipstat.ipips_spoof++; 302 m_freem(m); 303 return; 304 } 305 306 } 307 #endif /* INET6 */ 308 } 309 } 310 } 311 312 /* Statistics */ 313 ipipstat.ipips_ibytes += m->m_pkthdr.len - iphlen; 314 315 /* 316 * Interface pointer stays the same; if no IPsec processing has 317 * been done (or will be done), this will point to a normal 318 * interface. Otherwise, it'll point to an enc interface, which 319 * will allow a packet filter to distinguish between secure and 320 * untrusted packets. 321 */ 322 323 #ifdef INET 324 if (ipo) { 325 ifq = &ipintrq; 326 isr = NETISR_IP; 327 } 328 #endif /* INET */ 329 330 #ifdef INET6 331 if (ip6) { 332 ifq = &ip6intrq; 333 isr = NETISR_IPV6; 334 } 335 #endif /* INET6 */ 336 337 s = splimp(); /* isn't it already? */ 338 if (IF_QFULL(ifq)) { 339 IF_DROP(ifq); 340 m_freem(m); 341 ipipstat.ipips_qfull++; 342 343 splx(s); 344 345 DPRINTF(("ipip_input(): packet dropped because of full " 346 "queue\n")); 347 return; 348 } 349 350 IF_ENQUEUE(ifq, m); 351 schednetisr(isr); 352 splx(s); 353 return; 354 } 355 356 int 357 ipip_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, 358 int protoff) 359 { 360 u_int8_t tp, otos; 361 362 #ifdef INET 363 u_int8_t itos; 364 struct ip *ipo; 365 #endif /* INET */ 366 367 #ifdef INET6 368 struct ip6_hdr *ip6, *ip6o; 369 #endif /* INET6 */ 370 371 /* XXX Deal with empty TDB source/destination addresses. */ 372 373 m_copydata(m, 0, 1, &tp); 374 tp = (tp >> 4) & 0xff; /* Get the IP version number. */ 375 376 switch (tdb->tdb_dst.sa.sa_family) { 377 #ifdef INET 378 case AF_INET: 379 if (tdb->tdb_src.sa.sa_family != AF_INET || 380 tdb->tdb_src.sin.sin_addr.s_addr == INADDR_ANY || 381 tdb->tdb_dst.sin.sin_addr.s_addr == INADDR_ANY) { 382 383 DPRINTF(("ipip_output(): unspecified tunnel endpoind " 384 "address in SA %s/%08x\n", 385 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 386 387 ipipstat.ipips_unspec++; 388 m_freem(m); 389 *mp = NULL; 390 return EINVAL; 391 } 392 393 M_PREPEND(m, sizeof(struct ip), M_DONTWAIT); 394 if (m == 0) { 395 DPRINTF(("ipip_output(): M_PREPEND failed\n")); 396 ipipstat.ipips_hdrops++; 397 *mp = NULL; 398 return ENOBUFS; 399 } 400 401 ipo = mtod(m, struct ip *); 402 403 ipo->ip_v = IPVERSION; 404 ipo->ip_hl = 5; 405 ipo->ip_len = htons(m->m_pkthdr.len); 406 ipo->ip_ttl = ip_defttl; 407 ipo->ip_sum = 0; 408 ipo->ip_src = tdb->tdb_src.sin.sin_addr; 409 ipo->ip_dst = tdb->tdb_dst.sin.sin_addr; 410 411 /* 412 * We do the htons() to prevent snoopers from determining our 413 * endianness. 414 */ 415 ipo->ip_id = htons(ip_randomid()); 416 417 /* If the inner protocol is IP... */ 418 if (tp == IPVERSION) { 419 /* Save ECN notification */ 420 m_copydata(m, sizeof(struct ip) + 421 offsetof(struct ip, ip_tos), 422 sizeof(u_int8_t), (caddr_t) &itos); 423 424 ipo->ip_p = IPPROTO_IPIP; 425 426 /* 427 * We should be keeping tunnel soft-state and 428 * send back ICMPs if needed. 429 */ 430 m_copydata(m, sizeof(struct ip) + 431 offsetof(struct ip, ip_off), 432 sizeof(u_int16_t), (caddr_t) &ipo->ip_off); 433 NTOHS(ipo->ip_off); 434 ipo->ip_off &= ~(IP_DF | IP_MF | IP_OFFMASK); 435 HTONS(ipo->ip_off); 436 } 437 #ifdef INET6 438 else if (tp == (IPV6_VERSION >> 4)) { 439 u_int32_t itos32; 440 441 /* Save ECN notification. */ 442 m_copydata(m, sizeof(struct ip) + 443 offsetof(struct ip6_hdr, ip6_flow), 444 sizeof(u_int32_t), (caddr_t) &itos32); 445 itos = ntohl(itos32) >> 20; 446 ipo->ip_p = IPPROTO_IPV6; 447 ipo->ip_off = 0; 448 } 449 #endif /* INET6 */ 450 else { 451 m_freem(m); 452 *mp = NULL; 453 return EAFNOSUPPORT; 454 } 455 456 otos = 0; 457 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); 458 ipo->ip_tos = otos; 459 break; 460 #endif /* INET */ 461 462 #ifdef INET6 463 case AF_INET6: 464 if (IN6_IS_ADDR_UNSPECIFIED(&tdb->tdb_dst.sin6.sin6_addr) || 465 tdb->tdb_src.sa.sa_family != AF_INET6 || 466 IN6_IS_ADDR_UNSPECIFIED(&tdb->tdb_src.sin6.sin6_addr)) { 467 468 DPRINTF(("ipip_output(): unspecified tunnel endpoind " 469 "address in SA %s/%08x\n", 470 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 471 472 ipipstat.ipips_unspec++; 473 m_freem(m); 474 *mp = NULL; 475 return ENOBUFS; 476 } 477 478 /* scoped address handling */ 479 ip6 = mtod(m, struct ip6_hdr *); 480 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) 481 ip6->ip6_src.s6_addr16[1] = 0; 482 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) 483 ip6->ip6_dst.s6_addr16[1] = 0; 484 485 M_PREPEND(m, sizeof(struct ip6_hdr), M_DONTWAIT); 486 if (m == 0) { 487 DPRINTF(("ipip_output(): M_PREPEND failed\n")); 488 ipipstat.ipips_hdrops++; 489 *mp = NULL; 490 return ENOBUFS; 491 } 492 493 /* Initialize IPv6 header */ 494 ip6o = mtod(m, struct ip6_hdr *); 495 ip6o->ip6_flow = 0; 496 ip6o->ip6_vfc &= ~IPV6_VERSION_MASK; 497 ip6o->ip6_vfc |= IPV6_VERSION; 498 ip6o->ip6_plen = htons(m->m_pkthdr.len); 499 ip6o->ip6_hlim = ip_defttl; 500 ip6o->ip6_dst = tdb->tdb_dst.sin6.sin6_addr; 501 ip6o->ip6_src = tdb->tdb_src.sin6.sin6_addr; 502 503 #ifdef INET 504 if (tp == IPVERSION) { 505 /* Save ECN notification */ 506 m_copydata(m, sizeof(struct ip6_hdr) + 507 offsetof(struct ip, ip_tos), sizeof(u_int8_t), 508 (caddr_t) &itos); 509 510 /* This is really IPVERSION. */ 511 ip6o->ip6_nxt = IPPROTO_IPIP; 512 } 513 else 514 #endif /* INET */ 515 if (tp == (IPV6_VERSION >> 4)) { 516 u_int32_t itos32; 517 518 /* Save ECN notification. */ 519 m_copydata(m, sizeof(struct ip6_hdr) + 520 offsetof(struct ip6_hdr, ip6_flow), 521 sizeof(u_int32_t), (caddr_t) &itos32); 522 itos = ntohl(itos32) >> 20; 523 524 ip6o->ip6_nxt = IPPROTO_IPV6; 525 } else { 526 m_freem(m); 527 *mp = NULL; 528 return EAFNOSUPPORT; 529 } 530 531 otos = 0; 532 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); 533 ip6o->ip6_flow |= htonl((u_int32_t) otos << 20); 534 break; 535 #endif /* INET6 */ 536 537 default: 538 DPRINTF(("ipip_output(): unsupported protocol family %d\n", 539 tdb->tdb_dst.sa.sa_family)); 540 m_freem(m); 541 *mp = NULL; 542 ipipstat.ipips_family++; 543 return ENOBUFS; 544 } 545 546 ipipstat.ipips_opackets++; 547 *mp = m; 548 549 #ifdef INET 550 if (tdb->tdb_dst.sa.sa_family == AF_INET) { 551 if (tdb->tdb_xform->xf_type == XF_IP4) 552 tdb->tdb_cur_bytes += 553 m->m_pkthdr.len - sizeof(struct ip); 554 555 ipipstat.ipips_obytes += m->m_pkthdr.len - sizeof(struct ip); 556 } 557 #endif /* INET */ 558 559 #ifdef INET6 560 if (tdb->tdb_dst.sa.sa_family == AF_INET6) { 561 if (tdb->tdb_xform->xf_type == XF_IP4) 562 tdb->tdb_cur_bytes += 563 m->m_pkthdr.len - sizeof(struct ip6_hdr); 564 565 ipipstat.ipips_obytes += 566 m->m_pkthdr.len - sizeof(struct ip6_hdr); 567 } 568 #endif /* INET6 */ 569 570 return 0; 571 } 572 573 #ifdef IPSEC 574 int 575 ipe4_attach() 576 { 577 return 0; 578 } 579 580 int 581 ipe4_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii) 582 { 583 tdbp->tdb_xform = xsp; 584 return 0; 585 } 586 587 int 588 ipe4_zeroize(struct tdb *tdbp) 589 { 590 return 0; 591 } 592 593 void 594 ipe4_input(struct mbuf *m, ...) 595 { 596 /* This is a rather serious mistake, so no conditional printing. */ 597 printf("ipe4_input(): should never be called\n"); 598 if (m) 599 m_freem(m); 600 } 601 #endif /* IPSEC */ 602 603 int 604 ipip_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 605 size_t newlen) 606 { 607 /* All sysctl names at this level are terminal. */ 608 if (namelen != 1) 609 return (ENOTDIR); 610 611 switch (name[0]) { 612 case IPIPCTL_ALLOW: 613 return (sysctl_int(oldp, oldlenp, newp, newlen, &ipip_allow)); 614 default: 615 return (ENOPROTOOPT); 616 } 617 /* NOTREACHED */ 618 } 619