1 /* $OpenBSD: ip_ipip.c,v 1.29 2003/05/03 01:43:07 itojun Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * The original version of this code was written by John Ioannidis 8 * for BSD/OS in Athens, Greece, in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001, Angelos D. Keromytis. 21 * 22 * Permission to use, copy, and modify this software with or without fee 23 * is hereby granted, provided that this entire notice is included in 24 * all copies of any software which is or includes a copy or 25 * modification of this software. 26 * You may use this code under the GNU public license if you so wish. Please 27 * contribute changes back to the authors under this freer than GPL license 28 * so that we may further the use of strong encryption without limitations to 29 * all. 30 * 31 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 32 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 33 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 34 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 35 * PURPOSE. 36 */ 37 38 /* 39 * IP-inside-IP processing 40 */ 41 42 #include <sys/param.h> 43 #include <sys/systm.h> 44 #include <sys/mbuf.h> 45 #include <sys/socket.h> 46 #include <sys/sysctl.h> 47 48 #include <net/if.h> 49 #include <net/route.h> 50 #include <net/netisr.h> 51 #include <net/bpf.h> 52 53 #include <netinet/in.h> 54 #include <netinet/in_systm.h> 55 #include <netinet/ip.h> 56 #include <netinet/in_pcb.h> 57 #include <netinet/in_var.h> 58 #include <netinet/ip_var.h> 59 #include <netinet/ip_ecn.h> 60 61 #ifdef MROUTING 62 #include <netinet/ip_mroute.h> 63 #endif 64 65 #include <netinet/ip_ipsp.h> 66 #include <netinet/ip_ipip.h> 67 68 #include "bpfilter.h" 69 70 #ifdef ENCDEBUG 71 #define DPRINTF(x) if (encdebug) printf x 72 #else 73 #define DPRINTF(x) 74 #endif 75 76 /* 77 * We can control the acceptance of IP4 packets by altering the sysctl 78 * net.inet.ipip.allow value. Zero means drop them, all else is acceptance. 79 */ 80 int ipip_allow = 0; 81 82 struct ipipstat ipipstat; 83 84 #ifdef INET6 85 /* 86 * Really only a wrapper for ipip_input(), for use with IPv6. 87 */ 88 int 89 ip4_input6(struct mbuf **m, int *offp, int proto) 90 { 91 /* If we do not accept IP-in-IP explicitly, drop. */ 92 if (!ipip_allow && ((*m)->m_flags & (M_AUTH|M_CONF)) == 0) { 93 DPRINTF(("ip4_input6(): dropped due to policy\n")); 94 ipipstat.ipips_pdrops++; 95 m_freem(*m); 96 return IPPROTO_DONE; 97 } 98 99 ipip_input(*m, *offp, NULL); 100 return IPPROTO_DONE; 101 } 102 #endif /* INET6 */ 103 104 #ifdef INET 105 /* 106 * Really only a wrapper for ipip_input(), for use with IPv4. 107 */ 108 void 109 ip4_input(struct mbuf *m, ...) 110 { 111 va_list ap; 112 int iphlen; 113 114 /* If we do not accept IP-in-IP explicitly, drop. */ 115 if (!ipip_allow && (m->m_flags & (M_AUTH|M_CONF)) == 0) { 116 DPRINTF(("ip4_input(): dropped due to policy\n")); 117 ipipstat.ipips_pdrops++; 118 m_freem(m); 119 return; 120 } 121 122 va_start(ap, m); 123 iphlen = va_arg(ap, int); 124 va_end(ap); 125 126 ipip_input(m, iphlen, NULL); 127 } 128 #endif /* INET */ 129 130 /* 131 * ipip_input gets called when we receive an IP{46} encapsulated packet, 132 * either because we got it at a real interface, or because AH or ESP 133 * were being used in tunnel mode (in which case the rcvif element will 134 * contain the address of the encX interface associated with the tunnel. 135 */ 136 137 void 138 ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) 139 { 140 register struct sockaddr_in *sin; 141 register struct ifnet *ifp; 142 register struct ifaddr *ifa; 143 struct ifqueue *ifq = NULL; 144 struct ip *ipo; 145 #ifdef INET6 146 register struct sockaddr_in6 *sin6; 147 struct ip6_hdr *ip6 = NULL; 148 u_int8_t itos; 149 #endif 150 u_int8_t nxt; 151 int isr; 152 u_int8_t otos; 153 u_int8_t v; 154 int hlen, s; 155 156 ipipstat.ipips_ipackets++; 157 158 m_copydata(m, 0, 1, &v); 159 160 switch (v >> 4) { 161 #ifdef INET 162 case 4: 163 hlen = sizeof(struct ip); 164 break; 165 #endif /* INET */ 166 #ifdef INET6 167 case 6: 168 hlen = sizeof(struct ip6_hdr); 169 break; 170 #endif 171 default: 172 ipipstat.ipips_family++; 173 m_freem(m); 174 return /* EAFNOSUPPORT */; 175 } 176 177 /* Bring the IP header in the first mbuf, if not there already */ 178 if (m->m_len < hlen) { 179 if ((m = m_pullup(m, hlen)) == NULL) { 180 DPRINTF(("ipip_input(): m_pullup() failed\n")); 181 ipipstat.ipips_hdrops++; 182 return; 183 } 184 } 185 186 ipo = mtod(m, struct ip *); 187 188 #ifdef MROUTING 189 if (ipo->ip_v == IPVERSION && ipo->ip_p == IPPROTO_IPV4) { 190 if (IN_MULTICAST(((struct ip *)((char *) ipo + iphlen))->ip_dst.s_addr)) { 191 ipip_mroute_input (m, iphlen); 192 return; 193 } 194 } 195 #endif /* MROUTING */ 196 197 /* Keep outer ecn field. */ 198 switch (v >> 4) { 199 #ifdef INET 200 case 4: 201 otos = ipo->ip_tos; 202 break; 203 #endif /* INET */ 204 #ifdef INET6 205 case 6: 206 otos = (ntohl(mtod(m, struct ip6_hdr *)->ip6_flow) >> 20) & 0xff; 207 break; 208 #endif 209 default: 210 panic("ipip_input: should never reach here"); 211 } 212 213 /* Remove outer IP header */ 214 m_adj(m, iphlen); 215 216 /* Sanity check */ 217 if (m->m_pkthdr.len < sizeof(struct ip)) { 218 ipipstat.ipips_hdrops++; 219 m_freem(m); 220 return; 221 } 222 223 m_copydata(m, 0, 1, &v); 224 225 switch (v >> 4) { 226 #ifdef INET 227 case 4: 228 hlen = sizeof(struct ip); 229 break; 230 #endif /* INET */ 231 232 #ifdef INET6 233 case 6: 234 hlen = sizeof(struct ip6_hdr); 235 break; 236 #endif 237 default: 238 ipipstat.ipips_family++; 239 m_freem(m); 240 return; /* EAFNOSUPPORT */ 241 } 242 243 /* 244 * Bring the inner IP header in the first mbuf, if not there already. 245 */ 246 if (m->m_len < hlen) { 247 if ((m = m_pullup(m, hlen)) == NULL) { 248 DPRINTF(("ipip_input(): m_pullup() failed\n")); 249 ipipstat.ipips_hdrops++; 250 return; 251 } 252 } 253 254 /* 255 * RFC 1853 specifies that the inner TTL should not be touched on 256 * decapsulation. There's no reason this comment should be here, but 257 * this is as good as any a position. 258 */ 259 260 /* Some sanity checks in the inner IP header */ 261 switch (v >> 4) { 262 #ifdef INET 263 case 4: 264 ipo = mtod(m, struct ip *); 265 nxt = ipo->ip_p; 266 if (!ip_ecn_egress(ECN_ALLOWED, &otos, &ipo->ip_tos)) { 267 m_freem(m); 268 return; 269 } 270 break; 271 #endif /* INET */ 272 #ifdef INET6 273 case 6: 274 ip6 = (struct ip6_hdr *) ipo; 275 nxt = ip6->ip6_nxt; 276 itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; 277 if (!ip_ecn_egress(ECN_ALLOWED, &otos, &itos)) { 278 m_freem(m); 279 return; 280 } 281 ip6->ip6_flow &= ~htonl(0xff << 20); 282 ip6->ip6_flow |= htonl((u_int32_t) itos << 20); 283 break; 284 #endif 285 default: 286 panic("ipip_input: should never reach here"); 287 } 288 289 /* Check for local address spoofing. */ 290 if ((m->m_pkthdr.rcvif == NULL || 291 !(m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK)) && 292 ipip_allow != 2) { 293 for (ifp = ifnet.tqh_first; ifp != 0; 294 ifp = ifp->if_list.tqe_next) { 295 for (ifa = ifp->if_addrlist.tqh_first; ifa != 0; 296 ifa = ifa->ifa_list.tqe_next) { 297 #ifdef INET 298 if (ipo) { 299 if (ifa->ifa_addr->sa_family != 300 AF_INET) 301 continue; 302 303 sin = (struct sockaddr_in *) ifa->ifa_addr; 304 305 if (sin->sin_addr.s_addr == 306 ipo->ip_src.s_addr) { 307 ipipstat.ipips_spoof++; 308 m_freem(m); 309 return; 310 } 311 } 312 #endif /* INET */ 313 314 #ifdef INET6 315 if (ip6) { 316 if (ifa->ifa_addr->sa_family != 317 AF_INET6) 318 continue; 319 320 sin6 = (struct sockaddr_in6 *) ifa->ifa_addr; 321 322 if (IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr, &ip6->ip6_src)) { 323 ipipstat.ipips_spoof++; 324 m_freem(m); 325 return; 326 } 327 328 } 329 #endif /* INET6 */ 330 } 331 } 332 } 333 334 /* Statistics */ 335 ipipstat.ipips_ibytes += m->m_pkthdr.len - iphlen; 336 337 /* 338 * Interface pointer stays the same; if no IPsec processing has 339 * been done (or will be done), this will point to a normal 340 * interface. Otherwise, it'll point to an enc interface, which 341 * will allow a packet filter to distinguish between secure and 342 * untrusted packets. 343 */ 344 345 switch (v >> 4) { 346 #ifdef INET 347 case 4: 348 ifq = &ipintrq; 349 isr = NETISR_IP; 350 break; 351 #endif 352 #ifdef INET6 353 case 6: 354 ifq = &ip6intrq; 355 isr = NETISR_IPV6; 356 break; 357 #endif 358 default: 359 panic("ipip_input: should never reach here"); 360 } 361 362 #if NBPFILTER > 0 363 if (gifp && gifp->if_bpf) { 364 struct mbuf m0; 365 u_int af; 366 367 if (ifq == &ipintrq) 368 af = AF_INET; 369 else 370 af = AF_INET6; 371 372 m0.m_flags = 0; 373 m0.m_next = m; 374 m0.m_len = 4; 375 m0.m_data = (char *)⁡ 376 377 bpf_mtap(gifp->if_bpf, &m0); 378 } 379 #endif 380 381 s = splimp(); /* isn't it already? */ 382 if (IF_QFULL(ifq)) { 383 IF_DROP(ifq); 384 m_freem(m); 385 ipipstat.ipips_qfull++; 386 387 splx(s); 388 389 DPRINTF(("ipip_input(): packet dropped because of full " 390 "queue\n")); 391 return; 392 } 393 394 IF_ENQUEUE(ifq, m); 395 schednetisr(isr); 396 splx(s); 397 return; 398 } 399 400 int 401 ipip_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, 402 int protoff) 403 { 404 u_int8_t tp, otos; 405 406 #ifdef INET 407 u_int8_t itos; 408 struct ip *ipo; 409 #endif /* INET */ 410 411 #ifdef INET6 412 struct ip6_hdr *ip6, *ip6o; 413 #endif /* INET6 */ 414 415 /* XXX Deal with empty TDB source/destination addresses. */ 416 417 m_copydata(m, 0, 1, &tp); 418 tp = (tp >> 4) & 0xff; /* Get the IP version number. */ 419 420 switch (tdb->tdb_dst.sa.sa_family) { 421 #ifdef INET 422 case AF_INET: 423 if (tdb->tdb_src.sa.sa_family != AF_INET || 424 tdb->tdb_src.sin.sin_addr.s_addr == INADDR_ANY || 425 tdb->tdb_dst.sin.sin_addr.s_addr == INADDR_ANY) { 426 427 DPRINTF(("ipip_output(): unspecified tunnel endpoind " 428 "address in SA %s/%08x\n", 429 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 430 431 ipipstat.ipips_unspec++; 432 m_freem(m); 433 *mp = NULL; 434 return EINVAL; 435 } 436 437 M_PREPEND(m, sizeof(struct ip), M_DONTWAIT); 438 if (m == 0) { 439 DPRINTF(("ipip_output(): M_PREPEND failed\n")); 440 ipipstat.ipips_hdrops++; 441 *mp = NULL; 442 return ENOBUFS; 443 } 444 445 ipo = mtod(m, struct ip *); 446 447 ipo->ip_v = IPVERSION; 448 ipo->ip_hl = 5; 449 ipo->ip_len = htons(m->m_pkthdr.len); 450 ipo->ip_ttl = ip_defttl; 451 ipo->ip_sum = 0; 452 ipo->ip_src = tdb->tdb_src.sin.sin_addr; 453 ipo->ip_dst = tdb->tdb_dst.sin.sin_addr; 454 455 /* 456 * We do the htons() to prevent snoopers from determining our 457 * endianness. 458 */ 459 ipo->ip_id = htons(ip_randomid()); 460 461 /* If the inner protocol is IP... */ 462 if (tp == IPVERSION) { 463 /* Save ECN notification */ 464 m_copydata(m, sizeof(struct ip) + 465 offsetof(struct ip, ip_tos), 466 sizeof(u_int8_t), (caddr_t) &itos); 467 468 ipo->ip_p = IPPROTO_IPIP; 469 470 /* 471 * We should be keeping tunnel soft-state and 472 * send back ICMPs if needed. 473 */ 474 m_copydata(m, sizeof(struct ip) + 475 offsetof(struct ip, ip_off), 476 sizeof(u_int16_t), (caddr_t) &ipo->ip_off); 477 NTOHS(ipo->ip_off); 478 ipo->ip_off &= ~(IP_DF | IP_MF | IP_OFFMASK); 479 HTONS(ipo->ip_off); 480 } 481 #ifdef INET6 482 else if (tp == (IPV6_VERSION >> 4)) { 483 u_int32_t itos32; 484 485 /* Save ECN notification. */ 486 m_copydata(m, sizeof(struct ip) + 487 offsetof(struct ip6_hdr, ip6_flow), 488 sizeof(u_int32_t), (caddr_t) &itos32); 489 itos = ntohl(itos32) >> 20; 490 ipo->ip_p = IPPROTO_IPV6; 491 ipo->ip_off = 0; 492 } 493 #endif /* INET6 */ 494 else { 495 m_freem(m); 496 *mp = NULL; 497 ipipstat.ipips_family++; 498 return EAFNOSUPPORT; 499 } 500 501 otos = 0; 502 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); 503 ipo->ip_tos = otos; 504 break; 505 #endif /* INET */ 506 507 #ifdef INET6 508 case AF_INET6: 509 if (IN6_IS_ADDR_UNSPECIFIED(&tdb->tdb_dst.sin6.sin6_addr) || 510 tdb->tdb_src.sa.sa_family != AF_INET6 || 511 IN6_IS_ADDR_UNSPECIFIED(&tdb->tdb_src.sin6.sin6_addr)) { 512 513 DPRINTF(("ipip_output(): unspecified tunnel endpoind " 514 "address in SA %s/%08x\n", 515 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 516 517 ipipstat.ipips_unspec++; 518 m_freem(m); 519 *mp = NULL; 520 return ENOBUFS; 521 } 522 523 /* scoped address handling */ 524 ip6 = mtod(m, struct ip6_hdr *); 525 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) 526 ip6->ip6_src.s6_addr16[1] = 0; 527 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) 528 ip6->ip6_dst.s6_addr16[1] = 0; 529 530 M_PREPEND(m, sizeof(struct ip6_hdr), M_DONTWAIT); 531 if (m == 0) { 532 DPRINTF(("ipip_output(): M_PREPEND failed\n")); 533 ipipstat.ipips_hdrops++; 534 *mp = NULL; 535 return ENOBUFS; 536 } 537 538 /* Initialize IPv6 header */ 539 ip6o = mtod(m, struct ip6_hdr *); 540 ip6o->ip6_flow = 0; 541 ip6o->ip6_vfc &= ~IPV6_VERSION_MASK; 542 ip6o->ip6_vfc |= IPV6_VERSION; 543 ip6o->ip6_plen = htons(m->m_pkthdr.len); 544 ip6o->ip6_hlim = ip_defttl; 545 ip6o->ip6_dst = tdb->tdb_dst.sin6.sin6_addr; 546 ip6o->ip6_src = tdb->tdb_src.sin6.sin6_addr; 547 548 #ifdef INET 549 if (tp == IPVERSION) { 550 /* Save ECN notification */ 551 m_copydata(m, sizeof(struct ip6_hdr) + 552 offsetof(struct ip, ip_tos), sizeof(u_int8_t), 553 (caddr_t) &itos); 554 555 /* This is really IPVERSION. */ 556 ip6o->ip6_nxt = IPPROTO_IPIP; 557 } 558 else 559 #endif /* INET */ 560 if (tp == (IPV6_VERSION >> 4)) { 561 u_int32_t itos32; 562 563 /* Save ECN notification. */ 564 m_copydata(m, sizeof(struct ip6_hdr) + 565 offsetof(struct ip6_hdr, ip6_flow), 566 sizeof(u_int32_t), (caddr_t) &itos32); 567 itos = ntohl(itos32) >> 20; 568 569 ip6o->ip6_nxt = IPPROTO_IPV6; 570 } else { 571 m_freem(m); 572 *mp = NULL; 573 ipipstat.ipips_family++; 574 return EAFNOSUPPORT; 575 } 576 577 otos = 0; 578 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); 579 ip6o->ip6_flow |= htonl((u_int32_t) otos << 20); 580 break; 581 #endif /* INET6 */ 582 583 default: 584 DPRINTF(("ipip_output(): unsupported protocol family %d\n", 585 tdb->tdb_dst.sa.sa_family)); 586 m_freem(m); 587 *mp = NULL; 588 ipipstat.ipips_family++; 589 return EAFNOSUPPORT; 590 } 591 592 ipipstat.ipips_opackets++; 593 *mp = m; 594 595 #ifdef INET 596 if (tdb->tdb_dst.sa.sa_family == AF_INET) { 597 if (tdb->tdb_xform->xf_type == XF_IP4) 598 tdb->tdb_cur_bytes += 599 m->m_pkthdr.len - sizeof(struct ip); 600 601 ipipstat.ipips_obytes += m->m_pkthdr.len - sizeof(struct ip); 602 } 603 #endif /* INET */ 604 605 #ifdef INET6 606 if (tdb->tdb_dst.sa.sa_family == AF_INET6) { 607 if (tdb->tdb_xform->xf_type == XF_IP4) 608 tdb->tdb_cur_bytes += 609 m->m_pkthdr.len - sizeof(struct ip6_hdr); 610 611 ipipstat.ipips_obytes += 612 m->m_pkthdr.len - sizeof(struct ip6_hdr); 613 } 614 #endif /* INET6 */ 615 616 return 0; 617 } 618 619 #ifdef IPSEC 620 int 621 ipe4_attach() 622 { 623 return 0; 624 } 625 626 int 627 ipe4_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii) 628 { 629 tdbp->tdb_xform = xsp; 630 return 0; 631 } 632 633 int 634 ipe4_zeroize(struct tdb *tdbp) 635 { 636 return 0; 637 } 638 639 void 640 ipe4_input(struct mbuf *m, ...) 641 { 642 /* This is a rather serious mistake, so no conditional printing. */ 643 printf("ipe4_input(): should never be called\n"); 644 if (m) 645 m_freem(m); 646 } 647 #endif /* IPSEC */ 648 649 int 650 ipip_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 651 size_t newlen) 652 { 653 /* All sysctl names at this level are terminal. */ 654 if (namelen != 1) 655 return (ENOTDIR); 656 657 switch (name[0]) { 658 case IPIPCTL_ALLOW: 659 return (sysctl_int(oldp, oldlenp, newp, newlen, &ipip_allow)); 660 default: 661 return (ENOPROTOOPT); 662 } 663 /* NOTREACHED */ 664 } 665