1 /* $OpenBSD: ip_ipip.c,v 1.22 2001/12/06 20:14:53 angelos Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * The original version of this code was written by John Ioannidis 8 * for BSD/OS in Athens, Greece, in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001, Angelos D. Keromytis. 21 * 22 * Permission to use, copy, and modify this software with or without fee 23 * is hereby granted, provided that this entire notice is included in 24 * all copies of any software which is or includes a copy or 25 * modification of this software. 26 * You may use this code under the GNU public license if you so wish. Please 27 * contribute changes back to the authors under this freer than GPL license 28 * so that we may further the use of strong encryption without limitations to 29 * all. 30 * 31 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 32 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 33 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 34 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 35 * PURPOSE. 36 */ 37 38 /* 39 * IP-inside-IP processing 40 */ 41 42 #include <sys/param.h> 43 #include <sys/systm.h> 44 #include <sys/mbuf.h> 45 #include <sys/socket.h> 46 #include <sys/sysctl.h> 47 48 #include <net/if.h> 49 #include <net/route.h> 50 #include <net/netisr.h> 51 #include <net/bpf.h> 52 53 #include <netinet/in.h> 54 #include <netinet/in_systm.h> 55 #include <netinet/ip.h> 56 #include <netinet/in_pcb.h> 57 #include <netinet/in_var.h> 58 #include <netinet/ip_var.h> 59 #include <netinet/ip_ecn.h> 60 61 #ifdef MROUTING 62 #include <netinet/ip_mroute.h> 63 #endif 64 65 #include <netinet/ip_ipsp.h> 66 #include <netinet/ip_ipip.h> 67 68 #include "bpfilter.h" 69 70 #ifdef ENCDEBUG 71 #define DPRINTF(x) if (encdebug) printf x 72 #else 73 #define DPRINTF(x) 74 #endif 75 76 /* 77 * We can control the acceptance of IP4 packets by altering the sysctl 78 * net.inet.ipip.allow value. Zero means drop them, all else is acceptance. 79 */ 80 int ipip_allow = 0; 81 82 struct ipipstat ipipstat; 83 84 #ifdef INET6 85 /* 86 * Really only a wrapper for ipip_input(), for use with IPv6. 87 */ 88 int 89 ip4_input6(struct mbuf **m, int *offp, int proto) 90 { 91 /* If we do not accept IPv4 explicitly, drop. */ 92 if (!ipip_allow && ((*m)->m_flags & (M_AUTH|M_CONF)) == 0) { 93 DPRINTF(("ip4_input6(): dropped due to policy\n")); 94 ipipstat.ipips_pdrops++; 95 m_freem(*m); 96 return IPPROTO_DONE; 97 } 98 99 ipip_input(*m, *offp, NULL); 100 return IPPROTO_DONE; 101 } 102 #endif /* INET6 */ 103 104 #ifdef INET 105 /* 106 * Really only a wrapper for ipip_input(), for use with IPv4. 107 */ 108 void 109 ip4_input(struct mbuf *m, ...) 110 { 111 va_list ap; 112 int iphlen; 113 114 /* If we do not accept IPv4 explicitly, drop. */ 115 if (!ipip_allow && (m->m_flags & (M_AUTH|M_CONF)) == 0) { 116 DPRINTF(("ip4_input(): dropped due to policy\n")); 117 ipipstat.ipips_pdrops++; 118 m_freem(m); 119 return; 120 } 121 122 va_start(ap, m); 123 iphlen = va_arg(ap, int); 124 va_end(ap); 125 126 ipip_input(m, iphlen, NULL); 127 } 128 #endif /* INET */ 129 130 /* 131 * ipip_input gets called when we receive an IP{46} encapsulated packet, 132 * either because we got it at a real interface, or because AH or ESP 133 * were being used in tunnel mode (in which case the rcvif element will 134 * contain the address of the encX interface associated with the tunnel. 135 */ 136 137 void 138 ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) 139 { 140 register struct sockaddr_in *sin; 141 register struct ifnet *ifp; 142 register struct ifaddr *ifa; 143 struct ifqueue *ifq = NULL; 144 struct ip *ipo; 145 #ifdef INET6 146 register struct sockaddr_in6 *sin6; 147 struct ip6_hdr *ip6 = NULL; 148 u_int8_t itos; 149 #endif 150 u_int8_t nxt; 151 int isr; 152 u_int8_t otos; 153 u_int8_t v; 154 int hlen, s; 155 156 ipipstat.ipips_ipackets++; 157 158 m_copydata(m, 0, 1, &v); 159 160 switch (v >> 4) { 161 #ifdef INET 162 case 4: 163 hlen = sizeof(struct ip); 164 break; 165 #endif /* INET */ 166 167 #ifdef INET6 168 case 6: 169 hlen = sizeof(struct ip6_hdr); 170 break; 171 #endif 172 default: 173 m_freem(m); 174 return /* EAFNOSUPPORT */; 175 } 176 177 /* Bring the IP header in the first mbuf, if not there already */ 178 if (m->m_len < hlen) { 179 if ((m = m_pullup(m, hlen)) == NULL) { 180 DPRINTF(("ipip_input(): m_pullup() failed\n")); 181 ipipstat.ipips_hdrops++; 182 return; 183 } 184 } 185 186 ipo = mtod(m, struct ip *); 187 188 #ifdef MROUTING 189 if (ipo->ip_v == IPVERSION && ipo->ip_p == IPPROTO_IPV4) { 190 if (IN_MULTICAST(((struct ip *)((char *) ipo + iphlen))->ip_dst.s_addr)) { 191 ipip_mroute_input (m, iphlen); 192 return; 193 } 194 } 195 #endif /* MROUTING */ 196 197 /* Keep outer ecn field. */ 198 #ifdef INET 199 if ((v >> 4) == 4) 200 otos = ipo->ip_tos; 201 #endif /* INET */ 202 203 #ifdef INET6 204 if ((v >> 4) == 6) 205 otos = (ntohl(mtod(m, struct ip6_hdr *)->ip6_flow) >> 20) & 0xff; 206 #endif 207 208 /* Remove outer IP header */ 209 m_adj(m, iphlen); 210 211 /* Sanity check */ 212 if (m->m_pkthdr.len < sizeof(struct ip)) { 213 ipipstat.ipips_hdrops++; 214 m_freem(m); 215 return; 216 } 217 218 m_copydata(m, 0, 1, &v); 219 220 switch (v >> 4) { 221 #ifdef INET 222 case 4: 223 hlen = sizeof(struct ip); 224 break; 225 #endif /* INET */ 226 227 #ifdef INET6 228 case 6: 229 hlen = sizeof(struct ip6_hdr); 230 break; 231 #endif 232 } 233 234 /* 235 * Bring the inner IP header in the first mbuf, if not there already. 236 */ 237 if (m->m_len < hlen) { 238 if ((m = m_pullup(m, hlen)) == NULL) { 239 DPRINTF(("ipip_input(): m_pullup() failed\n")); 240 ipipstat.ipips_hdrops++; 241 return; 242 } 243 } 244 245 /* 246 * RFC 1853 specifies that the inner TTL should not be touched on 247 * decapsulation. There's no reason this comment should be here, but 248 * this is as good as any a position. 249 */ 250 251 /* Some sanity checks in the inner IPv4 header */ 252 switch (v >> 4) { 253 #ifdef INET 254 case 4: 255 ipo = mtod(m, struct ip *); 256 nxt = ipo->ip_p; 257 ip_ecn_egress(ECN_ALLOWED, &otos, &ipo->ip_tos); 258 break; 259 #endif /* INET */ 260 261 #ifdef INET6 262 case 6: 263 ip6 = (struct ip6_hdr *) ipo; 264 nxt = ip6->ip6_nxt; 265 itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; 266 ip_ecn_egress(ECN_ALLOWED, &otos, &itos); 267 ip6->ip6_flow &= ~htonl(0xff << 20); 268 ip6->ip6_flow |= htonl((u_int32_t) itos << 20); 269 break; 270 #endif 271 } 272 273 /* Check for local address spoofing. */ 274 if ((m->m_pkthdr.rcvif == NULL || 275 !(m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK)) && 276 ipip_allow != 2) { 277 for (ifp = ifnet.tqh_first; ifp != 0; 278 ifp = ifp->if_list.tqe_next) { 279 for (ifa = ifp->if_addrlist.tqh_first; ifa != 0; 280 ifa = ifa->ifa_list.tqe_next) { 281 #ifdef INET 282 if (ipo) { 283 if (ifa->ifa_addr->sa_family != 284 AF_INET) 285 continue; 286 287 sin = (struct sockaddr_in *) ifa->ifa_addr; 288 289 if (sin->sin_addr.s_addr == 290 ipo->ip_src.s_addr) { 291 ipipstat.ipips_spoof++; 292 m_freem(m); 293 return; 294 } 295 } 296 #endif /* INET */ 297 298 #ifdef INET6 299 if (ip6) { 300 if (ifa->ifa_addr->sa_family != 301 AF_INET6) 302 continue; 303 304 sin6 = (struct sockaddr_in6 *) ifa->ifa_addr; 305 306 if (IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr, &ip6->ip6_src)) { 307 ipipstat.ipips_spoof++; 308 m_freem(m); 309 return; 310 } 311 312 } 313 #endif /* INET6 */ 314 } 315 } 316 } 317 318 /* Statistics */ 319 ipipstat.ipips_ibytes += m->m_pkthdr.len - iphlen; 320 321 /* 322 * Interface pointer stays the same; if no IPsec processing has 323 * been done (or will be done), this will point to a normal 324 * interface. Otherwise, it'll point to an enc interface, which 325 * will allow a packet filter to distinguish between secure and 326 * untrusted packets. 327 */ 328 329 #ifdef INET 330 if (ipo) { 331 ifq = &ipintrq; 332 isr = NETISR_IP; 333 } 334 #endif /* INET */ 335 336 #ifdef INET6 337 if (ip6) { 338 ifq = &ip6intrq; 339 isr = NETISR_IPV6; 340 } 341 #endif /* INET6 */ 342 343 #if NBPFILTER > 0 344 if (gifp && gifp->if_bpf) { 345 struct mbuf m0; 346 u_int af; 347 348 if (ipo) 349 af = AF_INET; 350 else 351 af = AF_INET6; 352 353 m0.m_next = m; 354 m0.m_len = 4; 355 m0.m_data = (char *)⁡ 356 357 bpf_mtap(gifp->if_bpf, &m0); 358 } 359 #endif 360 361 s = splimp(); /* isn't it already? */ 362 if (IF_QFULL(ifq)) { 363 IF_DROP(ifq); 364 m_freem(m); 365 ipipstat.ipips_qfull++; 366 367 splx(s); 368 369 DPRINTF(("ipip_input(): packet dropped because of full " 370 "queue\n")); 371 return; 372 } 373 374 IF_ENQUEUE(ifq, m); 375 schednetisr(isr); 376 splx(s); 377 return; 378 } 379 380 int 381 ipip_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, 382 int protoff) 383 { 384 u_int8_t tp, otos; 385 386 #ifdef INET 387 u_int8_t itos; 388 struct ip *ipo; 389 #endif /* INET */ 390 391 #ifdef INET6 392 struct ip6_hdr *ip6, *ip6o; 393 #endif /* INET6 */ 394 395 /* XXX Deal with empty TDB source/destination addresses. */ 396 397 m_copydata(m, 0, 1, &tp); 398 tp = (tp >> 4) & 0xff; /* Get the IP version number. */ 399 400 switch (tdb->tdb_dst.sa.sa_family) { 401 #ifdef INET 402 case AF_INET: 403 if (tdb->tdb_src.sa.sa_family != AF_INET || 404 tdb->tdb_src.sin.sin_addr.s_addr == INADDR_ANY || 405 tdb->tdb_dst.sin.sin_addr.s_addr == INADDR_ANY) { 406 407 DPRINTF(("ipip_output(): unspecified tunnel endpoind " 408 "address in SA %s/%08x\n", 409 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 410 411 ipipstat.ipips_unspec++; 412 m_freem(m); 413 *mp = NULL; 414 return EINVAL; 415 } 416 417 M_PREPEND(m, sizeof(struct ip), M_DONTWAIT); 418 if (m == 0) { 419 DPRINTF(("ipip_output(): M_PREPEND failed\n")); 420 ipipstat.ipips_hdrops++; 421 *mp = NULL; 422 return ENOBUFS; 423 } 424 425 ipo = mtod(m, struct ip *); 426 427 ipo->ip_v = IPVERSION; 428 ipo->ip_hl = 5; 429 ipo->ip_len = htons(m->m_pkthdr.len); 430 ipo->ip_ttl = ip_defttl; 431 ipo->ip_sum = 0; 432 ipo->ip_src = tdb->tdb_src.sin.sin_addr; 433 ipo->ip_dst = tdb->tdb_dst.sin.sin_addr; 434 435 /* 436 * We do the htons() to prevent snoopers from determining our 437 * endianness. 438 */ 439 ipo->ip_id = htons(ip_randomid()); 440 441 /* If the inner protocol is IP... */ 442 if (tp == IPVERSION) { 443 /* Save ECN notification */ 444 m_copydata(m, sizeof(struct ip) + 445 offsetof(struct ip, ip_tos), 446 sizeof(u_int8_t), (caddr_t) &itos); 447 448 ipo->ip_p = IPPROTO_IPIP; 449 450 /* 451 * We should be keeping tunnel soft-state and 452 * send back ICMPs if needed. 453 */ 454 m_copydata(m, sizeof(struct ip) + 455 offsetof(struct ip, ip_off), 456 sizeof(u_int16_t), (caddr_t) &ipo->ip_off); 457 NTOHS(ipo->ip_off); 458 ipo->ip_off &= ~(IP_DF | IP_MF | IP_OFFMASK); 459 HTONS(ipo->ip_off); 460 } 461 #ifdef INET6 462 else if (tp == (IPV6_VERSION >> 4)) { 463 u_int32_t itos32; 464 465 /* Save ECN notification. */ 466 m_copydata(m, sizeof(struct ip) + 467 offsetof(struct ip6_hdr, ip6_flow), 468 sizeof(u_int32_t), (caddr_t) &itos32); 469 itos = ntohl(itos32) >> 20; 470 ipo->ip_p = IPPROTO_IPV6; 471 ipo->ip_off = 0; 472 } 473 #endif /* INET6 */ 474 else { 475 m_freem(m); 476 *mp = NULL; 477 return EAFNOSUPPORT; 478 } 479 480 otos = 0; 481 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); 482 ipo->ip_tos = otos; 483 break; 484 #endif /* INET */ 485 486 #ifdef INET6 487 case AF_INET6: 488 if (IN6_IS_ADDR_UNSPECIFIED(&tdb->tdb_dst.sin6.sin6_addr) || 489 tdb->tdb_src.sa.sa_family != AF_INET6 || 490 IN6_IS_ADDR_UNSPECIFIED(&tdb->tdb_src.sin6.sin6_addr)) { 491 492 DPRINTF(("ipip_output(): unspecified tunnel endpoind " 493 "address in SA %s/%08x\n", 494 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 495 496 ipipstat.ipips_unspec++; 497 m_freem(m); 498 *mp = NULL; 499 return ENOBUFS; 500 } 501 502 /* scoped address handling */ 503 ip6 = mtod(m, struct ip6_hdr *); 504 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) 505 ip6->ip6_src.s6_addr16[1] = 0; 506 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) 507 ip6->ip6_dst.s6_addr16[1] = 0; 508 509 M_PREPEND(m, sizeof(struct ip6_hdr), M_DONTWAIT); 510 if (m == 0) { 511 DPRINTF(("ipip_output(): M_PREPEND failed\n")); 512 ipipstat.ipips_hdrops++; 513 *mp = NULL; 514 return ENOBUFS; 515 } 516 517 /* Initialize IPv6 header */ 518 ip6o = mtod(m, struct ip6_hdr *); 519 ip6o->ip6_flow = 0; 520 ip6o->ip6_vfc &= ~IPV6_VERSION_MASK; 521 ip6o->ip6_vfc |= IPV6_VERSION; 522 ip6o->ip6_plen = htons(m->m_pkthdr.len); 523 ip6o->ip6_hlim = ip_defttl; 524 ip6o->ip6_dst = tdb->tdb_dst.sin6.sin6_addr; 525 ip6o->ip6_src = tdb->tdb_src.sin6.sin6_addr; 526 527 #ifdef INET 528 if (tp == IPVERSION) { 529 /* Save ECN notification */ 530 m_copydata(m, sizeof(struct ip6_hdr) + 531 offsetof(struct ip, ip_tos), sizeof(u_int8_t), 532 (caddr_t) &itos); 533 534 /* This is really IPVERSION. */ 535 ip6o->ip6_nxt = IPPROTO_IPIP; 536 } 537 else 538 #endif /* INET */ 539 if (tp == (IPV6_VERSION >> 4)) { 540 u_int32_t itos32; 541 542 /* Save ECN notification. */ 543 m_copydata(m, sizeof(struct ip6_hdr) + 544 offsetof(struct ip6_hdr, ip6_flow), 545 sizeof(u_int32_t), (caddr_t) &itos32); 546 itos = ntohl(itos32) >> 20; 547 548 ip6o->ip6_nxt = IPPROTO_IPV6; 549 } else { 550 m_freem(m); 551 *mp = NULL; 552 return EAFNOSUPPORT; 553 } 554 555 otos = 0; 556 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); 557 ip6o->ip6_flow |= htonl((u_int32_t) otos << 20); 558 break; 559 #endif /* INET6 */ 560 561 default: 562 DPRINTF(("ipip_output(): unsupported protocol family %d\n", 563 tdb->tdb_dst.sa.sa_family)); 564 m_freem(m); 565 *mp = NULL; 566 ipipstat.ipips_family++; 567 return ENOBUFS; 568 } 569 570 ipipstat.ipips_opackets++; 571 *mp = m; 572 573 #ifdef INET 574 if (tdb->tdb_dst.sa.sa_family == AF_INET) { 575 if (tdb->tdb_xform->xf_type == XF_IP4) 576 tdb->tdb_cur_bytes += 577 m->m_pkthdr.len - sizeof(struct ip); 578 579 ipipstat.ipips_obytes += m->m_pkthdr.len - sizeof(struct ip); 580 } 581 #endif /* INET */ 582 583 #ifdef INET6 584 if (tdb->tdb_dst.sa.sa_family == AF_INET6) { 585 if (tdb->tdb_xform->xf_type == XF_IP4) 586 tdb->tdb_cur_bytes += 587 m->m_pkthdr.len - sizeof(struct ip6_hdr); 588 589 ipipstat.ipips_obytes += 590 m->m_pkthdr.len - sizeof(struct ip6_hdr); 591 } 592 #endif /* INET6 */ 593 594 return 0; 595 } 596 597 #ifdef IPSEC 598 int 599 ipe4_attach() 600 { 601 return 0; 602 } 603 604 int 605 ipe4_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii) 606 { 607 tdbp->tdb_xform = xsp; 608 return 0; 609 } 610 611 int 612 ipe4_zeroize(struct tdb *tdbp) 613 { 614 return 0; 615 } 616 617 void 618 ipe4_input(struct mbuf *m, ...) 619 { 620 /* This is a rather serious mistake, so no conditional printing. */ 621 printf("ipe4_input(): should never be called\n"); 622 if (m) 623 m_freem(m); 624 } 625 #endif /* IPSEC */ 626 627 int 628 ipip_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 629 size_t newlen) 630 { 631 /* All sysctl names at this level are terminal. */ 632 if (namelen != 1) 633 return (ENOTDIR); 634 635 switch (name[0]) { 636 case IPIPCTL_ALLOW: 637 return (sysctl_int(oldp, oldlenp, newp, newlen, &ipip_allow)); 638 default: 639 return (ENOPROTOOPT); 640 } 641 /* NOTREACHED */ 642 } 643