1 /* $OpenBSD: ip_ipip.c,v 1.51 2013/10/24 11:31:43 mpi Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * The original version of this code was written by John Ioannidis 8 * for BSD/OS in Athens, Greece, in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001, Angelos D. Keromytis. 21 * 22 * Permission to use, copy, and modify this software with or without fee 23 * is hereby granted, provided that this entire notice is included in 24 * all copies of any software which is or includes a copy or 25 * modification of this software. 26 * You may use this code under the GNU public license if you so wish. Please 27 * contribute changes back to the authors under this freer than GPL license 28 * so that we may further the use of strong encryption without limitations to 29 * all. 30 * 31 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 32 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 33 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 34 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 35 * PURPOSE. 36 */ 37 38 /* 39 * IP-inside-IP processing 40 */ 41 42 #include "pf.h" 43 44 #include <sys/param.h> 45 #include <sys/systm.h> 46 #include <sys/mbuf.h> 47 #include <sys/socket.h> 48 #include <sys/proc.h> 49 #include <sys/sysctl.h> 50 51 #include <net/if.h> 52 #include <net/route.h> 53 #include <net/netisr.h> 54 #include <net/bpf.h> 55 56 #include <netinet/in.h> 57 #include <netinet/in_systm.h> 58 #include <netinet/ip.h> 59 #include <netinet/in_pcb.h> 60 #include <netinet/ip_var.h> 61 #include <netinet/ip_ecn.h> 62 63 #ifdef MROUTING 64 #include <netinet/ip_mroute.h> 65 #endif 66 67 #include <netinet/ip_ipsp.h> 68 #include <netinet/ip_ipip.h> 69 70 #include "bpfilter.h" 71 72 #if NPF > 0 73 #include <net/pfvar.h> 74 #endif 75 76 #ifdef ENCDEBUG 77 #define DPRINTF(x) if (encdebug) printf x 78 #else 79 #define DPRINTF(x) 80 #endif 81 82 /* 83 * We can control the acceptance of IP4 packets by altering the sysctl 84 * net.inet.ipip.allow value. Zero means drop them, all else is acceptance. 85 */ 86 int ipip_allow = 0; 87 88 struct ipipstat ipipstat; 89 90 #ifdef INET6 91 /* 92 * Really only a wrapper for ipip_input(), for use with IPv6. 93 */ 94 int 95 ip4_input6(struct mbuf **m, int *offp, int proto) 96 { 97 /* If we do not accept IP-in-IP explicitly, drop. */ 98 if (!ipip_allow && ((*m)->m_flags & (M_AUTH|M_CONF)) == 0) { 99 DPRINTF(("ip4_input6(): dropped due to policy\n")); 100 ipipstat.ipips_pdrops++; 101 m_freem(*m); 102 return IPPROTO_DONE; 103 } 104 105 ipip_input(*m, *offp, NULL, proto); 106 return IPPROTO_DONE; 107 } 108 #endif /* INET6 */ 109 110 #ifdef INET 111 /* 112 * Really only a wrapper for ipip_input(), for use with IPv4. 113 */ 114 void 115 ip4_input(struct mbuf *m, ...) 116 { 117 struct ip *ip; 118 va_list ap; 119 int iphlen; 120 121 /* If we do not accept IP-in-IP explicitly, drop. */ 122 if (!ipip_allow && (m->m_flags & (M_AUTH|M_CONF)) == 0) { 123 DPRINTF(("ip4_input(): dropped due to policy\n")); 124 ipipstat.ipips_pdrops++; 125 m_freem(m); 126 return; 127 } 128 129 va_start(ap, m); 130 iphlen = va_arg(ap, int); 131 va_end(ap); 132 133 ip = mtod(m, struct ip *); 134 135 ipip_input(m, iphlen, NULL, ip->ip_p); 136 } 137 #endif /* INET */ 138 139 /* 140 * ipip_input gets called when we receive an IP{46} encapsulated packet, 141 * either because we got it at a real interface, or because AH or ESP 142 * were being used in tunnel mode (in which case the rcvif element will 143 * contain the address of the encX interface associated with the tunnel. 144 */ 145 146 void 147 ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp, int proto) 148 { 149 struct sockaddr_in *sin; 150 struct ifnet *ifp; 151 struct ifaddr *ifa; 152 struct ifqueue *ifq = NULL; 153 struct ip *ipo; 154 u_int rdomain; 155 #ifdef INET6 156 struct sockaddr_in6 *sin6; 157 struct ip6_hdr *ip6; 158 #endif 159 int isr; 160 int mode, hlen, s; 161 u_int8_t itos, otos; 162 u_int8_t v; 163 sa_family_t af; 164 165 ipipstat.ipips_ipackets++; 166 167 m_copydata(m, 0, 1, &v); 168 169 switch (v >> 4) { 170 #ifdef INET 171 case 4: 172 hlen = sizeof(struct ip); 173 break; 174 #endif /* INET */ 175 #ifdef INET6 176 case 6: 177 hlen = sizeof(struct ip6_hdr); 178 break; 179 #endif 180 default: 181 ipipstat.ipips_family++; 182 m_freem(m); 183 return /* EAFNOSUPPORT */; 184 } 185 186 /* Bring the IP header in the first mbuf, if not there already */ 187 if (m->m_len < hlen) { 188 if ((m = m_pullup(m, hlen)) == NULL) { 189 DPRINTF(("ipip_input(): m_pullup() failed\n")); 190 ipipstat.ipips_hdrops++; 191 return; 192 } 193 } 194 195 196 /* Keep outer ecn field. */ 197 switch (v >> 4) { 198 #ifdef INET 199 case 4: 200 ipo = mtod(m, struct ip *); 201 otos = ipo->ip_tos; 202 break; 203 #endif /* INET */ 204 #ifdef INET6 205 case 6: 206 ip6 = mtod(m, struct ip6_hdr *); 207 otos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; 208 break; 209 #endif 210 default: 211 panic("ipip_input: should never reach here"); 212 } 213 214 /* Remove outer IP header */ 215 m_adj(m, iphlen); 216 217 /* Sanity check */ 218 if (m->m_pkthdr.len < sizeof(struct ip)) { 219 ipipstat.ipips_hdrops++; 220 m_freem(m); 221 return; 222 } 223 224 switch (proto) { 225 #ifdef INET 226 case IPPROTO_IPV4: 227 hlen = sizeof(struct ip); 228 break; 229 #endif /* INET */ 230 231 #ifdef INET6 232 case IPPROTO_IPV6: 233 hlen = sizeof(struct ip6_hdr); 234 break; 235 #endif 236 default: 237 ipipstat.ipips_family++; 238 m_freem(m); 239 return; /* EAFNOSUPPORT */ 240 } 241 242 /* 243 * Bring the inner header into the first mbuf, if not there already. 244 */ 245 if (m->m_len < hlen) { 246 if ((m = m_pullup(m, hlen)) == NULL) { 247 DPRINTF(("ipip_input(): m_pullup() failed\n")); 248 ipipstat.ipips_hdrops++; 249 return; 250 } 251 } 252 253 /* 254 * RFC 1853 specifies that the inner TTL should not be touched on 255 * decapsulation. There's no reason this comment should be here, but 256 * this is as good as any a position. 257 */ 258 259 /* Some sanity checks in the inner IP header */ 260 switch (proto) { 261 #ifdef INET 262 case IPPROTO_IPV4: 263 ipo = mtod(m, struct ip *); 264 #ifdef INET6 265 ip6 = NULL; 266 #endif 267 itos = ipo->ip_tos; 268 mode = m->m_flags & (M_AUTH|M_CONF) ? 269 ECN_ALLOWED_IPSEC : ECN_ALLOWED; 270 if (!ip_ecn_egress(mode, &otos, &ipo->ip_tos)) { 271 DPRINTF(("ipip_input(): ip_ecn_egress() failed")); 272 ipipstat.ipips_pdrops++; 273 m_freem(m); 274 return; 275 } 276 /* re-calculate the checksum if ip_tos was changed */ 277 if (itos != ipo->ip_tos) { 278 hlen = ipo->ip_hl << 2; 279 if (m->m_pkthdr.len >= hlen) { 280 ipo->ip_sum = 0; 281 ipo->ip_sum = in_cksum(m, hlen); 282 } 283 } 284 break; 285 #endif /* INET */ 286 #ifdef INET6 287 case IPPROTO_IPV6: 288 #ifdef INET 289 ipo = NULL; 290 #endif 291 ip6 = mtod(m, struct ip6_hdr *); 292 itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; 293 if (!ip_ecn_egress(ECN_ALLOWED, &otos, &itos)) { 294 DPRINTF(("ipip_input(): ip_ecn_egress() failed")); 295 ipipstat.ipips_pdrops++; 296 m_freem(m); 297 return; 298 } 299 ip6->ip6_flow &= ~htonl(0xff << 20); 300 ip6->ip6_flow |= htonl((u_int32_t) itos << 20); 301 break; 302 #endif 303 default: 304 #ifdef INET 305 ipo = NULL; 306 #endif 307 #ifdef INET6 308 ip6 = NULL; 309 #endif 310 } 311 312 /* Check for local address spoofing. */ 313 if ((m->m_pkthdr.rcvif == NULL || 314 !(m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK)) && 315 ipip_allow != 2) { 316 rdomain = rtable_l2(m->m_pkthdr.rdomain); 317 TAILQ_FOREACH(ifp, &ifnet, if_list) { 318 if (ifp->if_rdomain != rdomain) 319 continue; 320 TAILQ_FOREACH(ifa, &ifp->if_addrlist, ifa_list) { 321 #ifdef INET 322 if (ipo) { 323 if (ifa->ifa_addr->sa_family != 324 AF_INET) 325 continue; 326 327 sin = (struct sockaddr_in *) 328 ifa->ifa_addr; 329 if (sin->sin_addr.s_addr == 330 ipo->ip_src.s_addr) { 331 ipipstat.ipips_spoof++; 332 m_freem(m); 333 return; 334 } 335 } 336 #endif /* INET */ 337 #ifdef INET6 338 if (ip6) { 339 if (ifa->ifa_addr->sa_family != 340 AF_INET6) 341 continue; 342 343 sin6 = (struct sockaddr_in6 *) 344 ifa->ifa_addr; 345 if (IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr, 346 &ip6->ip6_src)) { 347 ipipstat.ipips_spoof++; 348 m_freem(m); 349 return; 350 } 351 352 } 353 #endif /* INET6 */ 354 } 355 } 356 } 357 358 /* Statistics */ 359 ipipstat.ipips_ibytes += m->m_pkthdr.len - iphlen; 360 361 /* 362 * Interface pointer stays the same; if no IPsec processing has 363 * been done (or will be done), this will point to a normal 364 * interface. Otherwise, it'll point to an enc interface, which 365 * will allow a packet filter to distinguish between secure and 366 * untrusted packets. 367 */ 368 369 switch (proto) { 370 #ifdef INET 371 case IPPROTO_IPV4: 372 ifq = &ipintrq; 373 isr = NETISR_IP; 374 af = AF_INET; 375 break; 376 #endif 377 #ifdef INET6 378 case IPPROTO_IPV6: 379 ifq = &ip6intrq; 380 isr = NETISR_IPV6; 381 af = AF_INET6; 382 break; 383 #endif 384 default: 385 panic("ipip_input: should never reach here"); 386 } 387 388 #if NBPFILTER > 0 389 if (gifp && gifp->if_bpf) 390 bpf_mtap_af(gifp->if_bpf, af, m, BPF_DIRECTION_IN); 391 #endif 392 #if NPF > 0 393 pf_pkt_addr_changed(m); 394 #endif 395 396 s = splnet(); /* isn't it already? */ 397 if (IF_QFULL(ifq)) { 398 IF_DROP(ifq); 399 m_freem(m); 400 ipipstat.ipips_qfull++; 401 402 splx(s); 403 404 DPRINTF(("ipip_input(): packet dropped because of full " 405 "queue\n")); 406 return; 407 } 408 409 IF_ENQUEUE(ifq, m); 410 schednetisr(isr); 411 splx(s); 412 return; 413 } 414 415 int 416 ipip_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int dummy, 417 int dummy2) 418 { 419 u_int8_t tp, otos; 420 421 #ifdef INET 422 u_int8_t itos; 423 struct ip *ipo; 424 #endif /* INET */ 425 426 #ifdef INET6 427 struct ip6_hdr *ip6, *ip6o; 428 #endif /* INET6 */ 429 430 /* XXX Deal with empty TDB source/destination addresses. */ 431 432 m_copydata(m, 0, 1, &tp); 433 tp = (tp >> 4) & 0xff; /* Get the IP version number. */ 434 435 switch (tdb->tdb_dst.sa.sa_family) { 436 #ifdef INET 437 case AF_INET: 438 if (tdb->tdb_src.sa.sa_family != AF_INET || 439 tdb->tdb_src.sin.sin_addr.s_addr == INADDR_ANY || 440 tdb->tdb_dst.sin.sin_addr.s_addr == INADDR_ANY) { 441 442 DPRINTF(("ipip_output(): unspecified tunnel endpoind " 443 "address in SA %s/%08x\n", 444 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 445 446 ipipstat.ipips_unspec++; 447 m_freem(m); 448 *mp = NULL; 449 return EINVAL; 450 } 451 452 M_PREPEND(m, sizeof(struct ip), M_DONTWAIT); 453 if (m == 0) { 454 DPRINTF(("ipip_output(): M_PREPEND failed\n")); 455 ipipstat.ipips_hdrops++; 456 *mp = NULL; 457 return ENOBUFS; 458 } 459 460 ipo = mtod(m, struct ip *); 461 462 ipo->ip_v = IPVERSION; 463 ipo->ip_hl = 5; 464 ipo->ip_len = htons(m->m_pkthdr.len); 465 ipo->ip_ttl = ip_defttl; 466 ipo->ip_sum = 0; 467 ipo->ip_src = tdb->tdb_src.sin.sin_addr; 468 ipo->ip_dst = tdb->tdb_dst.sin.sin_addr; 469 470 /* 471 * We do the htons() to prevent snoopers from determining our 472 * endianness. 473 */ 474 ipo->ip_id = htons(ip_randomid()); 475 476 /* If the inner protocol is IP... */ 477 if (tp == IPVERSION) { 478 /* Save ECN notification */ 479 m_copydata(m, sizeof(struct ip) + 480 offsetof(struct ip, ip_tos), 481 sizeof(u_int8_t), (caddr_t) &itos); 482 483 ipo->ip_p = IPPROTO_IPIP; 484 485 /* 486 * We should be keeping tunnel soft-state and 487 * send back ICMPs if needed. 488 */ 489 m_copydata(m, sizeof(struct ip) + 490 offsetof(struct ip, ip_off), 491 sizeof(u_int16_t), (caddr_t) &ipo->ip_off); 492 NTOHS(ipo->ip_off); 493 ipo->ip_off &= ~(IP_DF | IP_MF | IP_OFFMASK); 494 HTONS(ipo->ip_off); 495 } 496 #ifdef INET6 497 else if (tp == (IPV6_VERSION >> 4)) { 498 u_int32_t itos32; 499 500 /* Save ECN notification. */ 501 m_copydata(m, sizeof(struct ip) + 502 offsetof(struct ip6_hdr, ip6_flow), 503 sizeof(u_int32_t), (caddr_t) &itos32); 504 itos = ntohl(itos32) >> 20; 505 ipo->ip_p = IPPROTO_IPV6; 506 ipo->ip_off = 0; 507 } 508 #endif /* INET6 */ 509 else { 510 m_freem(m); 511 *mp = NULL; 512 ipipstat.ipips_family++; 513 return EAFNOSUPPORT; 514 } 515 516 otos = 0; 517 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); 518 ipo->ip_tos = otos; 519 break; 520 #endif /* INET */ 521 522 #ifdef INET6 523 case AF_INET6: 524 if (IN6_IS_ADDR_UNSPECIFIED(&tdb->tdb_dst.sin6.sin6_addr) || 525 tdb->tdb_src.sa.sa_family != AF_INET6 || 526 IN6_IS_ADDR_UNSPECIFIED(&tdb->tdb_src.sin6.sin6_addr)) { 527 528 DPRINTF(("ipip_output(): unspecified tunnel endpoind " 529 "address in SA %s/%08x\n", 530 ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); 531 532 ipipstat.ipips_unspec++; 533 m_freem(m); 534 *mp = NULL; 535 return ENOBUFS; 536 } 537 538 /* If the inner protocol is IPv6, clear link local scope */ 539 if (tp == (IPV6_VERSION >> 4)) { 540 /* scoped address handling */ 541 ip6 = mtod(m, struct ip6_hdr *); 542 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_src)) 543 ip6->ip6_src.s6_addr16[1] = 0; 544 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst)) 545 ip6->ip6_dst.s6_addr16[1] = 0; 546 } 547 548 M_PREPEND(m, sizeof(struct ip6_hdr), M_DONTWAIT); 549 if (m == 0) { 550 DPRINTF(("ipip_output(): M_PREPEND failed\n")); 551 ipipstat.ipips_hdrops++; 552 *mp = NULL; 553 return ENOBUFS; 554 } 555 556 /* Initialize IPv6 header */ 557 ip6o = mtod(m, struct ip6_hdr *); 558 ip6o->ip6_flow = 0; 559 ip6o->ip6_vfc &= ~IPV6_VERSION_MASK; 560 ip6o->ip6_vfc |= IPV6_VERSION; 561 ip6o->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6o)); 562 ip6o->ip6_hlim = ip_defttl; 563 in6_embedscope(&ip6o->ip6_src, &tdb->tdb_src.sin6, NULL, NULL); 564 in6_embedscope(&ip6o->ip6_dst, &tdb->tdb_dst.sin6, NULL, NULL); 565 566 #ifdef INET 567 if (tp == IPVERSION) { 568 /* Save ECN notification */ 569 m_copydata(m, sizeof(struct ip6_hdr) + 570 offsetof(struct ip, ip_tos), sizeof(u_int8_t), 571 (caddr_t) &itos); 572 573 /* This is really IPVERSION. */ 574 ip6o->ip6_nxt = IPPROTO_IPIP; 575 } 576 else 577 #endif /* INET */ 578 if (tp == (IPV6_VERSION >> 4)) { 579 u_int32_t itos32; 580 581 /* Save ECN notification. */ 582 m_copydata(m, sizeof(struct ip6_hdr) + 583 offsetof(struct ip6_hdr, ip6_flow), 584 sizeof(u_int32_t), (caddr_t) &itos32); 585 itos = ntohl(itos32) >> 20; 586 587 ip6o->ip6_nxt = IPPROTO_IPV6; 588 } else { 589 m_freem(m); 590 *mp = NULL; 591 ipipstat.ipips_family++; 592 return EAFNOSUPPORT; 593 } 594 595 otos = 0; 596 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); 597 ip6o->ip6_flow |= htonl((u_int32_t) otos << 20); 598 break; 599 #endif /* INET6 */ 600 601 default: 602 DPRINTF(("ipip_output(): unsupported protocol family %d\n", 603 tdb->tdb_dst.sa.sa_family)); 604 m_freem(m); 605 *mp = NULL; 606 ipipstat.ipips_family++; 607 return EAFNOSUPPORT; 608 } 609 610 ipipstat.ipips_opackets++; 611 *mp = m; 612 613 #ifdef INET 614 if (tdb->tdb_dst.sa.sa_family == AF_INET) { 615 if (tdb->tdb_xform->xf_type == XF_IP4) 616 tdb->tdb_cur_bytes += 617 m->m_pkthdr.len - sizeof(struct ip); 618 619 ipipstat.ipips_obytes += m->m_pkthdr.len - sizeof(struct ip); 620 } 621 #endif /* INET */ 622 623 #ifdef INET6 624 if (tdb->tdb_dst.sa.sa_family == AF_INET6) { 625 if (tdb->tdb_xform->xf_type == XF_IP4) 626 tdb->tdb_cur_bytes += 627 m->m_pkthdr.len - sizeof(struct ip6_hdr); 628 629 ipipstat.ipips_obytes += 630 m->m_pkthdr.len - sizeof(struct ip6_hdr); 631 } 632 #endif /* INET6 */ 633 634 return 0; 635 } 636 637 #ifdef IPSEC 638 int 639 ipe4_attach() 640 { 641 return 0; 642 } 643 644 int 645 ipe4_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii) 646 { 647 tdbp->tdb_xform = xsp; 648 return 0; 649 } 650 651 int 652 ipe4_zeroize(struct tdb *tdbp) 653 { 654 return 0; 655 } 656 657 void 658 ipe4_input(struct mbuf *m, ...) 659 { 660 /* This is a rather serious mistake, so no conditional printing. */ 661 printf("ipe4_input(): should never be called\n"); 662 if (m) 663 m_freem(m); 664 } 665 #endif /* IPSEC */ 666 667 int 668 ipip_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 669 size_t newlen) 670 { 671 /* All sysctl names at this level are terminal. */ 672 if (namelen != 1) 673 return (ENOTDIR); 674 675 switch (name[0]) { 676 case IPIPCTL_ALLOW: 677 return (sysctl_int(oldp, oldlenp, newp, newlen, &ipip_allow)); 678 case IPIPCTL_STATS: 679 if (newp != NULL) 680 return (EPERM); 681 return (sysctl_struct(oldp, oldlenp, newp, newlen, 682 &ipipstat, sizeof(ipipstat))); 683 default: 684 return (ENOPROTOOPT); 685 } 686 /* NOTREACHED */ 687 } 688