1 /* $OpenBSD: ip_ipip.c,v 1.69 2016/03/07 18:44:00 naddy Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * The original version of this code was written by John Ioannidis 8 * for BSD/OS in Athens, Greece, in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001, Angelos D. Keromytis. 21 * 22 * Permission to use, copy, and modify this software with or without fee 23 * is hereby granted, provided that this entire notice is included in 24 * all copies of any software which is or includes a copy or 25 * modification of this software. 26 * You may use this code under the GNU public license if you so wish. Please 27 * contribute changes back to the authors under this freer than GPL license 28 * so that we may further the use of strong encryption without limitations to 29 * all. 30 * 31 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 32 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 33 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 34 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 35 * PURPOSE. 36 */ 37 38 /* 39 * IP-inside-IP processing 40 */ 41 42 #include "pf.h" 43 44 #include <sys/param.h> 45 #include <sys/systm.h> 46 #include <sys/mbuf.h> 47 #include <sys/socket.h> 48 #include <sys/sysctl.h> 49 50 #include <net/if.h> 51 #include <net/if_var.h> 52 #include <net/route.h> 53 #include <net/netisr.h> 54 #include <net/bpf.h> 55 56 #include <netinet/in.h> 57 #include <netinet/ip.h> 58 #include <netinet/in_pcb.h> 59 #include <netinet/ip_var.h> 60 #include <netinet/ip_ecn.h> 61 62 #ifdef MROUTING 63 #include <netinet/ip_mroute.h> 64 #endif 65 66 #include <netinet/ip_ipsp.h> 67 #include <netinet/ip_ipip.h> 68 69 #include "bpfilter.h" 70 71 #if NPF > 0 72 #include <net/pfvar.h> 73 #endif 74 75 #ifdef ENCDEBUG 76 #define DPRINTF(x) if (encdebug) printf x 77 #else 78 #define DPRINTF(x) 79 #endif 80 81 /* 82 * We can control the acceptance of IP4 packets by altering the sysctl 83 * net.inet.ipip.allow value. Zero means drop them, all else is acceptance. 84 */ 85 int ipip_allow = 0; 86 87 struct ipipstat ipipstat; 88 89 #ifdef INET6 90 /* 91 * Really only a wrapper for ipip_input(), for use with IPv6. 92 */ 93 int 94 ip4_input6(struct mbuf **mp, int *offp, int proto) 95 { 96 /* If we do not accept IP-in-IP explicitly, drop. */ 97 if (!ipip_allow && ((*mp)->m_flags & (M_AUTH|M_CONF)) == 0) { 98 DPRINTF(("ip4_input6(): dropped due to policy\n")); 99 ipipstat.ipips_pdrops++; 100 m_freem(*mp); 101 return IPPROTO_DONE; 102 } 103 104 ipip_input(*mp, *offp, NULL, proto); 105 return IPPROTO_DONE; 106 } 107 #endif /* INET6 */ 108 109 /* 110 * Really only a wrapper for ipip_input(), for use with IPv4. 111 */ 112 void 113 ip4_input(struct mbuf *m, ...) 114 { 115 struct ip *ip; 116 va_list ap; 117 int iphlen; 118 119 /* If we do not accept IP-in-IP explicitly, drop. */ 120 if (!ipip_allow && (m->m_flags & (M_AUTH|M_CONF)) == 0) { 121 DPRINTF(("ip4_input(): dropped due to policy\n")); 122 ipipstat.ipips_pdrops++; 123 m_freem(m); 124 return; 125 } 126 127 va_start(ap, m); 128 iphlen = va_arg(ap, int); 129 va_end(ap); 130 131 ip = mtod(m, struct ip *); 132 133 ipip_input(m, iphlen, NULL, ip->ip_p); 134 } 135 136 /* 137 * ipip_input gets called when we receive an IP{46} encapsulated packet, 138 * either because we got it at a real interface, or because AH or ESP 139 * were being used in tunnel mode (in which case the ph_ifidx element 140 * will contain the index of the encX interface associated with the 141 * tunnel. 142 */ 143 144 void 145 ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp, int proto) 146 { 147 struct sockaddr_in *sin; 148 struct ifnet *ifp; 149 struct niqueue *ifq = NULL; 150 struct ip *ipo; 151 #ifdef INET6 152 struct sockaddr_in6 *sin6; 153 struct ip6_hdr *ip6; 154 #endif 155 int mode, hlen; 156 u_int8_t itos, otos; 157 u_int8_t v; 158 sa_family_t af; 159 160 ipipstat.ipips_ipackets++; 161 162 m_copydata(m, 0, 1, &v); 163 164 switch (v >> 4) { 165 case 4: 166 hlen = sizeof(struct ip); 167 break; 168 #ifdef INET6 169 case 6: 170 hlen = sizeof(struct ip6_hdr); 171 break; 172 #endif 173 default: 174 ipipstat.ipips_family++; 175 m_freem(m); 176 return /* EAFNOSUPPORT */; 177 } 178 179 /* Bring the IP header in the first mbuf, if not there already */ 180 if (m->m_len < hlen) { 181 if ((m = m_pullup(m, hlen)) == NULL) { 182 DPRINTF(("ipip_input(): m_pullup() failed\n")); 183 ipipstat.ipips_hdrops++; 184 return; 185 } 186 } 187 188 189 /* Keep outer ecn field. */ 190 switch (v >> 4) { 191 case 4: 192 ipo = mtod(m, struct ip *); 193 otos = ipo->ip_tos; 194 break; 195 #ifdef INET6 196 case 6: 197 ip6 = mtod(m, struct ip6_hdr *); 198 otos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; 199 break; 200 #endif 201 default: 202 panic("ipip_input: should never reach here"); 203 } 204 205 /* Remove outer IP header */ 206 m_adj(m, iphlen); 207 208 /* Sanity check */ 209 if (m->m_pkthdr.len < sizeof(struct ip)) { 210 ipipstat.ipips_hdrops++; 211 m_freem(m); 212 return; 213 } 214 215 switch (proto) { 216 case IPPROTO_IPV4: 217 hlen = sizeof(struct ip); 218 break; 219 220 #ifdef INET6 221 case IPPROTO_IPV6: 222 hlen = sizeof(struct ip6_hdr); 223 break; 224 #endif 225 default: 226 ipipstat.ipips_family++; 227 m_freem(m); 228 return; /* EAFNOSUPPORT */ 229 } 230 231 /* 232 * Bring the inner header into the first mbuf, if not there already. 233 */ 234 if (m->m_len < hlen) { 235 if ((m = m_pullup(m, hlen)) == NULL) { 236 DPRINTF(("ipip_input(): m_pullup() failed\n")); 237 ipipstat.ipips_hdrops++; 238 return; 239 } 240 } 241 242 /* 243 * RFC 1853 specifies that the inner TTL should not be touched on 244 * decapsulation. There's no reason this comment should be here, but 245 * this is as good as any a position. 246 */ 247 248 /* Some sanity checks in the inner IP header */ 249 switch (proto) { 250 case IPPROTO_IPV4: 251 ipo = mtod(m, struct ip *); 252 #ifdef INET6 253 ip6 = NULL; 254 #endif 255 itos = ipo->ip_tos; 256 mode = m->m_flags & (M_AUTH|M_CONF) ? 257 ECN_ALLOWED_IPSEC : ECN_ALLOWED; 258 if (!ip_ecn_egress(mode, &otos, &ipo->ip_tos)) { 259 DPRINTF(("ipip_input(): ip_ecn_egress() failed")); 260 ipipstat.ipips_pdrops++; 261 m_freem(m); 262 return; 263 } 264 /* re-calculate the checksum if ip_tos was changed */ 265 if (itos != ipo->ip_tos) { 266 hlen = ipo->ip_hl << 2; 267 if (m->m_pkthdr.len >= hlen) { 268 ipo->ip_sum = 0; 269 ipo->ip_sum = in_cksum(m, hlen); 270 } 271 } 272 break; 273 #ifdef INET6 274 case IPPROTO_IPV6: 275 ipo = NULL; 276 ip6 = mtod(m, struct ip6_hdr *); 277 itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; 278 if (!ip_ecn_egress(ECN_ALLOWED, &otos, &itos)) { 279 DPRINTF(("ipip_input(): ip_ecn_egress() failed")); 280 ipipstat.ipips_pdrops++; 281 m_freem(m); 282 return; 283 } 284 ip6->ip6_flow &= ~htonl(0xff << 20); 285 ip6->ip6_flow |= htonl((u_int32_t) itos << 20); 286 break; 287 #endif 288 default: 289 ipo = NULL; 290 #ifdef INET6 291 ip6 = NULL; 292 #endif 293 } 294 295 /* Check for local address spoofing. */ 296 ifp = if_get(m->m_pkthdr.ph_ifidx); 297 if (((ifp == NULL) || !(ifp->if_flags & IFF_LOOPBACK)) && 298 ipip_allow != 2) { 299 struct sockaddr_storage ss; 300 struct rtentry *rt; 301 302 if_put(ifp); 303 304 memset(&ss, 0, sizeof(ss)); 305 306 if (ipo) { 307 sin = (struct sockaddr_in *)&ss; 308 sin->sin_family = AF_INET; 309 sin->sin_len = sizeof(*sin); 310 sin->sin_addr = ipo->ip_src; 311 #ifdef INET6 312 } else if (ip6) { 313 sin6 = (struct sockaddr_in6 *)&ss; 314 sin6->sin6_family = AF_INET6; 315 sin6->sin6_len = sizeof(*sin6); 316 sin6->sin6_addr = ip6->ip6_src; 317 #endif /* INET6 */ 318 } 319 rt = rtalloc((struct sockaddr *)&ss, 0, 320 m->m_pkthdr.ph_rtableid); 321 if ((rt != NULL) && (rt->rt_flags & RTF_LOCAL)) { 322 ipipstat.ipips_spoof++; 323 m_freem(m); 324 rtfree(rt); 325 return; 326 } 327 rtfree(rt); 328 } else { 329 if_put(ifp); 330 } 331 332 /* Statistics */ 333 ipipstat.ipips_ibytes += m->m_pkthdr.len - iphlen; 334 335 /* 336 * Interface pointer stays the same; if no IPsec processing has 337 * been done (or will be done), this will point to a normal 338 * interface. Otherwise, it'll point to an enc interface, which 339 * will allow a packet filter to distinguish between secure and 340 * untrusted packets. 341 */ 342 343 switch (proto) { 344 case IPPROTO_IPV4: 345 ifq = &ipintrq; 346 af = AF_INET; 347 break; 348 #ifdef INET6 349 case IPPROTO_IPV6: 350 ifq = &ip6intrq; 351 af = AF_INET6; 352 break; 353 #endif 354 default: 355 panic("ipip_input: should never reach here"); 356 } 357 358 #if NBPFILTER > 0 359 if (gifp && gifp->if_bpf) 360 bpf_mtap_af(gifp->if_bpf, af, m, BPF_DIRECTION_IN); 361 #endif 362 #if NPF > 0 363 pf_pkt_addr_changed(m); 364 #endif 365 366 if (niq_enqueue(ifq, m) != 0) { 367 ipipstat.ipips_qfull++; 368 DPRINTF(("ipip_input(): packet dropped because of full " 369 "queue\n")); 370 return; 371 } 372 } 373 374 int 375 ipip_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int dummy, 376 int dummy2) 377 { 378 u_int8_t tp, otos; 379 380 u_int8_t itos; 381 struct ip *ipo; 382 383 #ifdef INET6 384 struct ip6_hdr *ip6, *ip6o; 385 #endif /* INET6 */ 386 #ifdef ENCDEBUG 387 char buf[INET6_ADDRSTRLEN]; 388 #endif 389 390 /* XXX Deal with empty TDB source/destination addresses. */ 391 392 m_copydata(m, 0, 1, &tp); 393 tp = (tp >> 4) & 0xff; /* Get the IP version number. */ 394 395 switch (tdb->tdb_dst.sa.sa_family) { 396 case AF_INET: 397 if (tdb->tdb_src.sa.sa_family != AF_INET || 398 tdb->tdb_src.sin.sin_addr.s_addr == INADDR_ANY || 399 tdb->tdb_dst.sin.sin_addr.s_addr == INADDR_ANY) { 400 401 DPRINTF(("ipip_output(): unspecified tunnel endpoind " 402 "address in SA %s/%08x\n", 403 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 404 ntohl(tdb->tdb_spi))); 405 406 ipipstat.ipips_unspec++; 407 m_freem(m); 408 *mp = NULL; 409 return EINVAL; 410 } 411 412 M_PREPEND(m, sizeof(struct ip), M_DONTWAIT); 413 if (m == NULL) { 414 DPRINTF(("ipip_output(): M_PREPEND failed\n")); 415 ipipstat.ipips_hdrops++; 416 *mp = NULL; 417 return ENOBUFS; 418 } 419 420 ipo = mtod(m, struct ip *); 421 422 ipo->ip_v = IPVERSION; 423 ipo->ip_hl = 5; 424 ipo->ip_len = htons(m->m_pkthdr.len); 425 ipo->ip_ttl = ip_defttl; 426 ipo->ip_sum = 0; 427 ipo->ip_src = tdb->tdb_src.sin.sin_addr; 428 ipo->ip_dst = tdb->tdb_dst.sin.sin_addr; 429 430 /* 431 * We do the htons() to prevent snoopers from determining our 432 * endianness. 433 */ 434 ipo->ip_id = htons(ip_randomid()); 435 436 /* If the inner protocol is IP... */ 437 if (tp == IPVERSION) { 438 /* Save ECN notification */ 439 m_copydata(m, sizeof(struct ip) + 440 offsetof(struct ip, ip_tos), 441 sizeof(u_int8_t), (caddr_t) &itos); 442 443 ipo->ip_p = IPPROTO_IPIP; 444 445 /* 446 * We should be keeping tunnel soft-state and 447 * send back ICMPs if needed. 448 */ 449 m_copydata(m, sizeof(struct ip) + 450 offsetof(struct ip, ip_off), 451 sizeof(u_int16_t), (caddr_t) &ipo->ip_off); 452 ipo->ip_off = ntohs(ipo->ip_off); 453 ipo->ip_off &= ~(IP_DF | IP_MF | IP_OFFMASK); 454 ipo->ip_off = htons(ipo->ip_off); 455 } 456 #ifdef INET6 457 else if (tp == (IPV6_VERSION >> 4)) { 458 u_int32_t itos32; 459 460 /* Save ECN notification. */ 461 m_copydata(m, sizeof(struct ip) + 462 offsetof(struct ip6_hdr, ip6_flow), 463 sizeof(u_int32_t), (caddr_t) &itos32); 464 itos = ntohl(itos32) >> 20; 465 ipo->ip_p = IPPROTO_IPV6; 466 ipo->ip_off = 0; 467 } 468 #endif /* INET6 */ 469 else { 470 m_freem(m); 471 *mp = NULL; 472 ipipstat.ipips_family++; 473 return EAFNOSUPPORT; 474 } 475 476 otos = 0; 477 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); 478 ipo->ip_tos = otos; 479 break; 480 481 #ifdef INET6 482 case AF_INET6: 483 if (IN6_IS_ADDR_UNSPECIFIED(&tdb->tdb_dst.sin6.sin6_addr) || 484 tdb->tdb_src.sa.sa_family != AF_INET6 || 485 IN6_IS_ADDR_UNSPECIFIED(&tdb->tdb_src.sin6.sin6_addr)) { 486 487 DPRINTF(("ipip_output(): unspecified tunnel endpoind " 488 "address in SA %s/%08x\n", 489 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), 490 ntohl(tdb->tdb_spi))); 491 492 ipipstat.ipips_unspec++; 493 m_freem(m); 494 *mp = NULL; 495 return ENOBUFS; 496 } 497 498 /* If the inner protocol is IPv6, clear link local scope */ 499 if (tp == (IPV6_VERSION >> 4)) { 500 /* scoped address handling */ 501 ip6 = mtod(m, struct ip6_hdr *); 502 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_src)) 503 ip6->ip6_src.s6_addr16[1] = 0; 504 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst)) 505 ip6->ip6_dst.s6_addr16[1] = 0; 506 } 507 508 M_PREPEND(m, sizeof(struct ip6_hdr), M_DONTWAIT); 509 if (m == NULL) { 510 DPRINTF(("ipip_output(): M_PREPEND failed\n")); 511 ipipstat.ipips_hdrops++; 512 *mp = NULL; 513 return ENOBUFS; 514 } 515 516 /* Initialize IPv6 header */ 517 ip6o = mtod(m, struct ip6_hdr *); 518 ip6o->ip6_flow = 0; 519 ip6o->ip6_vfc &= ~IPV6_VERSION_MASK; 520 ip6o->ip6_vfc |= IPV6_VERSION; 521 ip6o->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6o)); 522 ip6o->ip6_hlim = ip_defttl; 523 in6_embedscope(&ip6o->ip6_src, &tdb->tdb_src.sin6, NULL); 524 in6_embedscope(&ip6o->ip6_dst, &tdb->tdb_dst.sin6, NULL); 525 526 if (tp == IPVERSION) { 527 /* Save ECN notification */ 528 m_copydata(m, sizeof(struct ip6_hdr) + 529 offsetof(struct ip, ip_tos), sizeof(u_int8_t), 530 (caddr_t) &itos); 531 532 /* This is really IPVERSION. */ 533 ip6o->ip6_nxt = IPPROTO_IPIP; 534 } 535 else 536 if (tp == (IPV6_VERSION >> 4)) { 537 u_int32_t itos32; 538 539 /* Save ECN notification. */ 540 m_copydata(m, sizeof(struct ip6_hdr) + 541 offsetof(struct ip6_hdr, ip6_flow), 542 sizeof(u_int32_t), (caddr_t) &itos32); 543 itos = ntohl(itos32) >> 20; 544 545 ip6o->ip6_nxt = IPPROTO_IPV6; 546 } else { 547 m_freem(m); 548 *mp = NULL; 549 ipipstat.ipips_family++; 550 return EAFNOSUPPORT; 551 } 552 553 otos = 0; 554 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); 555 ip6o->ip6_flow |= htonl((u_int32_t) otos << 20); 556 break; 557 #endif /* INET6 */ 558 559 default: 560 DPRINTF(("ipip_output(): unsupported protocol family %d\n", 561 tdb->tdb_dst.sa.sa_family)); 562 m_freem(m); 563 *mp = NULL; 564 ipipstat.ipips_family++; 565 return EAFNOSUPPORT; 566 } 567 568 ipipstat.ipips_opackets++; 569 *mp = m; 570 571 if (tdb->tdb_dst.sa.sa_family == AF_INET) { 572 if (tdb->tdb_xform->xf_type == XF_IP4) 573 tdb->tdb_cur_bytes += 574 m->m_pkthdr.len - sizeof(struct ip); 575 576 ipipstat.ipips_obytes += m->m_pkthdr.len - sizeof(struct ip); 577 } 578 579 #ifdef INET6 580 if (tdb->tdb_dst.sa.sa_family == AF_INET6) { 581 if (tdb->tdb_xform->xf_type == XF_IP4) 582 tdb->tdb_cur_bytes += 583 m->m_pkthdr.len - sizeof(struct ip6_hdr); 584 585 ipipstat.ipips_obytes += 586 m->m_pkthdr.len - sizeof(struct ip6_hdr); 587 } 588 #endif /* INET6 */ 589 590 return 0; 591 } 592 593 #ifdef IPSEC 594 int 595 ipe4_attach(void) 596 { 597 return 0; 598 } 599 600 int 601 ipe4_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii) 602 { 603 tdbp->tdb_xform = xsp; 604 return 0; 605 } 606 607 int 608 ipe4_zeroize(struct tdb *tdbp) 609 { 610 return 0; 611 } 612 613 void 614 ipe4_input(struct mbuf *m, ...) 615 { 616 /* This is a rather serious mistake, so no conditional printing. */ 617 printf("ipe4_input(): should never be called\n"); 618 m_freem(m); 619 } 620 #endif /* IPSEC */ 621 622 int 623 ipip_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 624 size_t newlen) 625 { 626 /* All sysctl names at this level are terminal. */ 627 if (namelen != 1) 628 return (ENOTDIR); 629 630 switch (name[0]) { 631 case IPIPCTL_ALLOW: 632 return (sysctl_int(oldp, oldlenp, newp, newlen, &ipip_allow)); 633 case IPIPCTL_STATS: 634 if (newp != NULL) 635 return (EPERM); 636 return (sysctl_struct(oldp, oldlenp, newp, newlen, 637 &ipipstat, sizeof(ipipstat))); 638 default: 639 return (ENOPROTOOPT); 640 } 641 /* NOTREACHED */ 642 } 643