if_gif.c revision 284074
1/*- 2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of the project nor the names of its contributors 14 * may be used to endorse or promote products derived from this software 15 * without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 
28 * 29 * $KAME: if_gif.c,v 1.87 2001/10/19 08:50:27 itojun Exp $ 30 */ 31 32#include <sys/cdefs.h> 33__FBSDID("$FreeBSD: stable/10/sys/net/if_gif.c 284074 2015-06-06 13:37:11Z ae $"); 34 35#include "opt_inet.h" 36#include "opt_inet6.h" 37 38#include <sys/param.h> 39#include <sys/systm.h> 40#include <sys/jail.h> 41#include <sys/kernel.h> 42#include <sys/lock.h> 43#include <sys/malloc.h> 44#include <sys/mbuf.h> 45#include <sys/module.h> 46#include <sys/rmlock.h> 47#include <sys/socket.h> 48#include <sys/sockio.h> 49#include <sys/sx.h> 50#include <sys/errno.h> 51#include <sys/time.h> 52#include <sys/sysctl.h> 53#include <sys/syslog.h> 54#include <sys/priv.h> 55#include <sys/proc.h> 56#include <sys/protosw.h> 57#include <sys/conf.h> 58#include <machine/cpu.h> 59 60#include <net/if.h> 61#include <net/if_var.h> 62#include <net/if_clone.h> 63#include <net/if_types.h> 64#include <net/netisr.h> 65#include <net/route.h> 66#include <net/bpf.h> 67#include <net/vnet.h> 68 69#include <netinet/in.h> 70#include <netinet/in_systm.h> 71#include <netinet/ip.h> 72#include <netinet/ip_ecn.h> 73#ifdef INET 74#include <netinet/in_var.h> 75#include <netinet/ip_var.h> 76#endif /* INET */ 77 78#ifdef INET6 79#ifndef INET 80#include <netinet/in.h> 81#endif 82#include <netinet6/in6_var.h> 83#include <netinet/ip6.h> 84#include <netinet6/ip6_ecn.h> 85#include <netinet6/ip6_var.h> 86#include <netinet6/scope6_var.h> 87#include <netinet6/ip6protosw.h> 88#endif /* INET6 */ 89 90#include <netinet/ip_encap.h> 91#include <net/ethernet.h> 92#include <net/if_bridgevar.h> 93#include <net/if_gif.h> 94 95#include <security/mac/mac_framework.h> 96 97static const char gifname[] = "gif"; 98 99/* 100 * gif_mtx protects a per-vnet gif_softc_list. 
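 */
static VNET_DEFINE(struct mtx, gif_mtx);
#define	V_gif_mtx		VNET(gif_mtx)
static MALLOC_DEFINE(M_GIF, "gif", "Generic Tunnel Interface");
static VNET_DEFINE(LIST_HEAD(, gif_softc), gif_softc_list);
#define	V_gif_softc_list	VNET(gif_softc_list)
/*
 * gif_ioctl_sx is taken exclusively by gif_ioctl() and gif_clone_destroy();
 * gif_attach() and gif_detach() assert that it is held.
 */
static struct sx gif_ioctl_sx;
SX_SYSINIT(gif_ioctl_sx, &gif_ioctl_sx, "gif_ioctl");

#define	GIF_LIST_LOCK_INIT(x)		mtx_init(&V_gif_mtx, "gif_mtx", \
					    NULL, MTX_DEF)
#define	GIF_LIST_LOCK_DESTROY(x)	mtx_destroy(&V_gif_mtx)
#define	GIF_LIST_LOCK(x)		mtx_lock(&V_gif_mtx)
#define	GIF_LIST_UNLOCK(x)		mtx_unlock(&V_gif_mtx)

/* Optional hooks; every call site in this file tests them for NULL first. */
void	(*ng_gif_input_p)(struct ifnet *ifp, struct mbuf **mp, int af);
void	(*ng_gif_input_orphan_p)(struct ifnet *ifp, struct mbuf *m, int af);
void	(*ng_gif_attach_p)(struct ifnet *ifp);
void	(*ng_gif_detach_p)(struct ifnet *ifp);

static int	gif_check_nesting(struct ifnet *, struct mbuf *);
static int	gif_set_tunnel(struct ifnet *, struct sockaddr *,
		    struct sockaddr *);
static void	gif_delete_tunnel(struct ifnet *);
static int	gif_ioctl(struct ifnet *, u_long, caddr_t);
static int	gif_transmit(struct ifnet *, struct mbuf *);
static void	gif_qflush(struct ifnet *);
static int	gif_clone_create(struct if_clone *, int, caddr_t);
static void	gif_clone_destroy(struct ifnet *);
static VNET_DEFINE(struct if_clone *, gif_cloner);
#define	V_gif_cloner	VNET(gif_cloner)

static int gifmodevent(module_t, int, void *);

SYSCTL_DECL(_net_link);
static SYSCTL_NODE(_net_link, IFT_GIF, gif, CTLFLAG_RW, 0,
    "Generic Tunnel Interface");
#ifndef MAX_GIF_NEST
/*
 * This macro controls the default upper limitation on nesting of gif tunnels.
 * Since, setting a large value to this macro with a careless configuration
 * may introduce system crash, we don't allow any nestings by default.
 * If you need to configure nested gif tunnels, you can define this macro
 * in your kernel configuration file.  However, if you do so, please be
 * careful to configure the tunnels so that it won't make a loop.
 */
#define MAX_GIF_NEST 1
#endif
/*
 * The limit is also exposed as a writable sysctl (CTLFLAG_RW); the value
 * set there is the one gif_check_nesting() compares against.
 */
static VNET_DEFINE(int, max_gif_nesting) = MAX_GIF_NEST;
#define	V_max_gif_nesting	VNET(max_gif_nesting)
SYSCTL_VNET_INT(_net_link_gif, OID_AUTO, max_nesting, CTLFLAG_RW,
    &VNET_NAME(max_gif_nesting), 0, "Max nested tunnels");

/*
 * By default, we disallow creation of multiple tunnels between the same
 * pair of addresses.  Some applications require this functionality so
 * we allow control over this check here.
 */
#ifdef XBONEHACK
static VNET_DEFINE(int, parallel_tunnels) = 1;
#else
static VNET_DEFINE(int, parallel_tunnels) = 0;
#endif
#define	V_parallel_tunnels	VNET(parallel_tunnels)
SYSCTL_VNET_INT(_net_link_gif, OID_AUTO, parallel_tunnels, CTLFLAG_RW,
    &VNET_NAME(parallel_tunnels), 0, "Allow parallel tunnels?");

/* copy from src/sys/net/if_ethersubr.c */
static const u_char etherbroadcastaddr[ETHER_ADDR_LEN] =
			{ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
#ifndef ETHER_IS_BROADCAST
#define ETHER_IS_BROADCAST(addr) \
	(bcmp(etherbroadcastaddr, (addr), ETHER_ADDR_LEN) == 0)
#endif

/*
 * Cloner "create" callback: allocate a softc and its ifnet, wire up the
 * interface methods, attach the interface and bpf, and link the softc on
 * the per-vnet list.  Always returns 0.
 */
static int
gif_clone_create(struct if_clone *ifc, int unit, caddr_t params)
{
	struct gif_softc *sc;

	sc = malloc(sizeof(struct gif_softc), M_GIF, M_WAITOK | M_ZERO);
	/* The tunnel inherits the FIB of the creating process. */
	sc->gif_fibnum = curthread->td_proc->p_fibnum;
	/*
	 * NOTE(review): the if_alloc() result is dereferenced below without
	 * a NULL check; confirm it cannot fail for IFT_GIF.
	 */
	GIF2IFP(sc) = if_alloc(IFT_GIF);
	GIF_LOCK_INIT(sc);
	GIF2IFP(sc)->if_softc = sc;
	if_initname(GIF2IFP(sc), gifname, unit);

	GIF2IFP(sc)->if_addrlen = 0;
	GIF2IFP(sc)->if_mtu = GIF_MTU;
	GIF2IFP(sc)->if_flags = IFF_POINTOPOINT | IFF_MULTICAST;
#if 0
	/* turn off ingress filter */
	GIF2IFP(sc)->if_flags |= IFF_LINK2;
#endif
	GIF2IFP(sc)->if_ioctl = gif_ioctl;
	GIF2IFP(sc)->if_transmit = gif_transmit;
	GIF2IFP(sc)->if_qflush = gif_qflush;
	GIF2IFP(sc)->if_output = gif_output;
	if_attach(GIF2IFP(sc));
	bpfattach(GIF2IFP(sc), DLT_NULL, sizeof(u_int32_t));
	if (ng_gif_attach_p != NULL)
		(*ng_gif_attach_p)(GIF2IFP(sc));

	GIF_LIST_LOCK();
	LIST_INSERT_HEAD(&V_gif_softc_list, sc, gif_list);
	GIF_LIST_UNLOCK();
	return (0);
}

/*
 * Cloner "destroy" callback.  Under gif_ioctl_sx the tunnel is deleted, the
 * softc is unlinked from the list, the interface is detached and if_softc is
 * cleared; the ifnet and the softc are freed after the sx lock is dropped.
 */
static void
gif_clone_destroy(struct ifnet *ifp)
{
	struct gif_softc *sc;

	sx_xlock(&gif_ioctl_sx);
	sc = ifp->if_softc;
	gif_delete_tunnel(ifp);
	GIF_LIST_LOCK();
	LIST_REMOVE(sc, gif_list);
	GIF_LIST_UNLOCK();
	if (ng_gif_detach_p != NULL)
		(*ng_gif_detach_p)(ifp);
	bpfdetach(ifp);
	if_detach(ifp);
	/* gif_ioctl() and gif_set_tunnel() treat a NULL softc as ENXIO. */
	ifp->if_softc = NULL;
	sx_xunlock(&gif_ioctl_sx);

	if_free(ifp);
	GIF_LOCK_DESTROY(sc);
	free(sc, M_GIF);
}

/* Per-vnet setup: empty softc list, list mutex, and the "gif" cloner. */
static void
vnet_gif_init(const void *unused __unused)
{

	LIST_INIT(&V_gif_softc_list);
	GIF_LIST_LOCK_INIT();
	V_gif_cloner = if_clone_simple(gifname, gif_clone_create,
	    gif_clone_destroy, 0);
}
VNET_SYSINIT(vnet_gif_init, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY,
    vnet_gif_init, NULL);

/* Per-vnet teardown: detach the cloner, then destroy the list mutex. */
static void
vnet_gif_uninit(const void *unused __unused)
{

	if_clone_detach(V_gif_cloner);
	GIF_LIST_LOCK_DESTROY();
}
VNET_SYSUNINIT(vnet_gif_uninit, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY,
    vnet_gif_uninit, NULL);

/*
 * Module event handler: load and unload need no work here; any other event
 * type is refused with EOPNOTSUPP.
 */
static int
gifmodevent(module_t mod, int type, void *data)
{

	switch (type) {
	case MOD_LOAD:
	case MOD_UNLOAD:
		break;
	default:
		return (EOPNOTSUPP);
	}
	return (0);
}

static moduledata_t gif_mod = {
	"if_gif",
	gifmodevent,
	0
};

DECLARE_MODULE(if_gif, gif_mod, SI_SUB_PSEUDO, SI_ORDER_ANY);
MODULE_VERSION(if_gif, 1);

/*
 * Decide whether an incoming encapsulated packet belongs to this tunnel.
 *
 * Returns 0 (no match) when arg is NULL, the interface is not IFF_UP, no
 * tunnel is configured, proto is not one handled here, the packet is shorter
 * than the outer header, or the outer IP version does not match the
 * configured family.  Otherwise returns the result of the family-specific
 * in_gif_encapcheck()/in6_gif_encapcheck().
 */
int
gif_encapcheck(const struct mbuf *m, int off, int proto, void *arg)
{
	GIF_RLOCK_TRACKER;
	struct gif_softc *sc;
	int ret;
	uint8_t ver;

	sc = (struct gif_softc *)arg;
	if (sc == NULL || (GIF2IFP(sc)->if_flags & IFF_UP) == 0)
		return (0);

	ret = 0;
	GIF_RLOCK(sc);

	/* no physical address */
	if (sc->gif_family == 0)
		goto done;

	switch (proto) {
#ifdef INET
	case IPPROTO_IPV4:
#endif
#ifdef INET6
	case IPPROTO_IPV6:
#endif
	case IPPROTO_ETHERIP:
		break;
	default:
		goto done;
	}

	/* Bail on short packets */
	if (m->m_pkthdr.len < sizeof(struct ip))
		goto done;

	/* The first byte of the packet carries the outer IP version. */
	m_copydata(m, 0, 1, &ver);
	switch (ver >> 4) {
#ifdef INET
	case 4:
		if (sc->gif_family != AF_INET)
			goto done;
		ret = in_gif_encapcheck(m, off, proto, arg);
		break;
#endif
#ifdef INET6
	case 6:
		/* An IPv6 outer header needs the longer minimum length. */
		if (m->m_pkthdr.len < sizeof(struct ip6_hdr))
			goto done;
		if (sc->gif_family != AF_INET6)
			goto done;
		ret = in6_gif_encapcheck(m, off, proto, arg);
		break;
#endif
	}
done:
	GIF_RUNLOCK(sc);
	return (ret);
}

/*
 * if_transmit method: validate the interface state, prepare the inner packet
 * according to the address family stashed by gif_output(), and hand it to
 * the output routine of the outer family.
 *
 * The mbuf is consumed on every path.  Returns 0 on success or an errno;
 * any non-zero return is also counted in IFCOUNTER_OERRORS.
 */
static int
gif_transmit(struct ifnet *ifp, struct mbuf *m)
{
	struct gif_softc *sc;
	struct etherip_header *eth;
#ifdef INET
	struct ip *ip;
#endif
#ifdef INET6
	struct ip6_hdr *ip6;
	uint32_t t;
#endif
	uint32_t af;
	uint8_t proto, ecn;
	int error;

#ifdef MAC
	error = mac_ifnet_check_transmit(ifp, m);
	if (error) {
		m_freem(m);
		goto err;
	}
#endif
	error = ENETDOWN;
	/*
	 * NOTE(review): if_softc is dereferenced here without the NULL check
	 * that gif_ioctl() performs, and gif_family is read without the
	 * softc lock; confirm teardown cannot race with transmit.
	 */
	sc = ifp->if_softc;
	if ((ifp->if_flags & IFF_MONITOR) != 0 ||
	    (ifp->if_flags & IFF_UP) == 0 ||
	    sc->gif_family == 0 ||
	    (error = gif_check_nesting(ifp, m)) != 0) {
		m_freem(m);
		goto err;
	}
	/* Now pull back the af that we stashed in the csum_data. */
	if (ifp->if_bridge)
		af = AF_LINK;
	else
		af = m->m_pkthdr.csum_data;
	m->m_flags &= ~(M_BCAST|M_MCAST);
	M_SETFIB(m, sc->gif_fibnum);
	BPF_MTAP2(ifp, &af, sizeof(af), m);
	if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1);
	if_inc_counter(ifp, IFCOUNTER_OBYTES, m->m_pkthdr.len);
	/* inner AF-specific encapsulation */
	ecn = 0;
	switch (af) {
#ifdef INET
	case AF_INET:
		proto = IPPROTO_IPV4;
		/* Make the inner header contiguous before reading ip_tos. */
		if (m->m_len < sizeof(struct ip))
			m = m_pullup(m, sizeof(struct ip));
		if (m == NULL) {
			error = ENOBUFS;
			goto err;
		}
		ip = mtod(m, struct ip *);
		ip_ecn_ingress((ifp->if_flags & IFF_LINK1) ? ECN_ALLOWED:
		    ECN_NOCARE, &ecn, &ip->ip_tos);
		break;
#endif
#ifdef INET6
	case AF_INET6:
		proto = IPPROTO_IPV6;
		if (m->m_len < sizeof(struct ip6_hdr))
			m = m_pullup(m, sizeof(struct ip6_hdr));
		if (m == NULL) {
			error = ENOBUFS;
			goto err;
		}
		t = 0;
		ip6 = mtod(m, struct ip6_hdr *);
		ip6_ecn_ingress((ifp->if_flags & IFF_LINK1) ? ECN_ALLOWED:
		    ECN_NOCARE, &t, &ip6->ip6_flow);
		ecn = (ntohl(t) >> 20) & 0xff;
		break;
#endif
	case AF_LINK:
		proto = IPPROTO_ETHERIP;
		M_PREPEND(m, sizeof(struct etherip_header), M_NOWAIT);
		if (m == NULL) {
			error = ENOBUFS;
			goto err;
		}
		eth = mtod(m, struct etherip_header *);
		eth->eip_resvh = 0;
		/* GIF_SEND_REVETHIP swaps the version and reserved fields. */
		if ((sc->gif_options & GIF_SEND_REVETHIP) != 0) {
			eth->eip_ver = 0;
			eth->eip_resvl = ETHERIP_VERSION;
		} else {
			eth->eip_ver = ETHERIP_VERSION;
			eth->eip_resvl = 0;
		}
		break;
	default:
		/* The stashed af is caller-supplied; refuse unknown values. */
		error = EAFNOSUPPORT;
		m_freem(m);
		goto err;
	}
	/* XXX should we check if our outer source is legal? */
	/* dispatch to output logic based on outer AF */
	switch (sc->gif_family) {
#ifdef INET
	case AF_INET:
		error = in_gif_output(ifp, m, proto, ecn);
		break;
#endif
#ifdef INET6
	case AF_INET6:
		error = in6_gif_output(ifp, m, proto, ecn);
		break;
#endif
	default:
		/*
		 * gif_family was checked without the softc lock above, so it
		 * may no longer name a usable family here.  Report the drop
		 * rather than returning success for a packet that was freed.
		 */
		m_freem(m);
		error = ENETDOWN;
	}
err:
	if (error)
		if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
	return (error);
}

/* if_qflush method: intentionally empty. */
static void
gif_qflush(struct ifnet *ifp __unused)
{

}

#define	MTAG_GIF	1080679712
/*
 * Guard against tunnel loops and excessive nesting.  Every gif interface a
 * packet passes through leaves an MTAG_GIF tag holding its ifnet pointer.
 *
 * Returns EIO when this interface is already tagged on the packet (loop) or
 * when the nesting count exceeds V_max_gif_nesting, ENOMEM when the new tag
 * cannot be allocated, and 0 after tagging the packet.  The caller keeps
 * ownership of the mbuf in all cases.
 */
static int
gif_check_nesting(struct ifnet *ifp, struct mbuf *m)
{
	struct m_tag *mtag;
	int count;

	/*
	 * gif may cause infinite recursion calls when misconfigured.
	 * We'll prevent this by detecting loops.
	 *
	 * High nesting level may cause stack exhaustion.
	 * We'll prevent this by introducing upper limit.
	 */
	count = 1;
	mtag = NULL;
	while ((mtag = m_tag_locate(m, MTAG_GIF, 0, mtag)) != NULL) {
		/* The tag payload is the ifnet pointer stored below. */
		if (*(struct ifnet **)(mtag + 1) == ifp) {
			log(LOG_NOTICE, "%s: loop detected\n", ifp->if_xname);
			return (EIO);
		}
		count++;
	}
	if (count > V_max_gif_nesting) {
		log(LOG_NOTICE,
		    "%s: if_output recursively called too many times(%d)\n",
		    if_name(ifp), count);
		return (EIO);
	}
	mtag = m_tag_alloc(MTAG_GIF, 0, sizeof(struct ifnet *), M_NOWAIT);
	if (mtag == NULL)
		return (ENOMEM);
	*(struct ifnet **)(mtag + 1) = ifp;
	m_tag_prepend(m, mtag);
	return (0);
}

/*
 * if_output method: record the inner address family on the packet and pass
 * it to the interface's if_transmit method, whose result is returned.
 *
 * For AF_UNSPEC the family is read from the first bytes of dst->sa_data;
 * otherwise it is dst->sa_family.  The value is not validated here;
 * gif_transmit() rejects families it does not handle.
 */
int
gif_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst,
	struct route *ro)
{
	uint32_t af;

	if (dst->sa_family == AF_UNSPEC)
		bcopy(dst->sa_data, &af, sizeof(af));
	else
		af = dst->sa_family;
	/*
	 * Now save the af in the inbound pkt csum data, this is a cheat since
	 * we are using the inbound csum_data field to carry the af over to
	 * the gif_transmit() routine, avoiding using yet another mtag.
	 */
	m->m_pkthdr.csum_data = af;
	return (ifp->if_transmit(ifp, m));
}

/*
 * Input path for a decapsulated packet.  proto selects the inner family,
 * ecn is folded into the inner header, and the packet is then tapped to bpf,
 * offered to the netgraph hook and queued to the matching netisr (or, for
 * EtherIP, handed to the bridge).
 *
 * The mbuf is consumed on every path; drops are counted in
 * IFCOUNTER_IERRORS.
 */
void
gif_input(struct mbuf *m, struct ifnet *ifp, int proto, uint8_t ecn)
{
	struct etherip_header *eip;
#ifdef INET
	struct ip *ip;
#endif
#ifdef INET6
	struct ip6_hdr *ip6;
	uint32_t t;
#endif
	struct gif_softc *sc;
	struct ether_header *eh;
	struct ifnet *oldifp;
	uint32_t gif_options;
	int isr, n, af;

	if (ifp == NULL) {
		/* just in case */
		m_freem(m);
		return;
	}
	/*
	 * NOTE(review): if_softc is dereferenced without the NULL check that
	 * gif_ioctl() performs; confirm input cannot run after
	 * gif_clone_destroy() has cleared it.
	 */
	sc = ifp->if_softc;
	gif_options = sc->gif_options;
	m->m_pkthdr.rcvif = ifp;
	m_clrprotoflags(m);
	switch (proto) {
#ifdef INET
	case IPPROTO_IPV4:
		af = AF_INET;
		/* Make the inner header contiguous before touching ip_tos. */
		if (m->m_len < sizeof(struct ip))
			m = m_pullup(m, sizeof(struct ip));
		if (m == NULL)
			goto drop;
		ip = mtod(m, struct ip *);
		if (ip_ecn_egress((ifp->if_flags & IFF_LINK1) ? ECN_ALLOWED:
		    ECN_NOCARE, &ecn, &ip->ip_tos) == 0) {
			m_freem(m);
			goto drop;
		}
		break;
#endif
#ifdef INET6
	case IPPROTO_IPV6:
		af = AF_INET6;
		if (m->m_len < sizeof(struct ip6_hdr))
			m = m_pullup(m, sizeof(struct ip6_hdr));
		if (m == NULL)
			goto drop;
		t = htonl((uint32_t)ecn << 20);
		ip6 = mtod(m, struct ip6_hdr *);
		if (ip6_ecn_egress((ifp->if_flags & IFF_LINK1) ? ECN_ALLOWED:
		    ECN_NOCARE, &t, &ip6->ip6_flow) == 0) {
			m_freem(m);
			goto drop;
		}
		break;
#endif
	case IPPROTO_ETHERIP:
		af = AF_LINK;
		break;
	default:
		m_freem(m);
		goto drop;
	}

#ifdef MAC
	mac_ifnet_create_mbuf(ifp, m);
#endif

	if (bpf_peers_present(ifp->if_bpf)) {
		uint32_t af1 = af;
		bpf_mtap2(ifp->if_bpf, &af1, sizeof(af1), m);
	}

	/* Monitor mode: count the packet, then discard it. */
	if ((ifp->if_flags & IFF_MONITOR) != 0) {
		if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
		if_inc_counter(ifp, IFCOUNTER_IBYTES, m->m_pkthdr.len);
		m_freem(m);
		return;
	}

	if (ng_gif_input_p != NULL) {
		/* The hook receives &m and may leave it NULL. */
		(*ng_gif_input_p)(ifp, &m, af);
		if (m == NULL)
			goto drop;
	}

	/*
	 * Put the packet to the network layer input queue according to the
	 * specified address family.
	 * Note: older versions of gif_input directly called network layer
	 * input functions, e.g. ip6_input, here.  We changed the policy to
	 * prevent too many recursive calls of such input functions, which
	 * might cause kernel panic.  But the change may introduce another
	 * problem; if the input queue is full, packets are discarded.
	 * The kernel stack overflow really happened, and we believed
	 * queue-full rarely occurs, so we changed the policy.
	 */
	switch (af) {
#ifdef INET
	case AF_INET:
		isr = NETISR_IP;
		break;
#endif
#ifdef INET6
	case AF_INET6:
		isr = NETISR_IPV6;
		break;
#endif
	case AF_LINK:
		/*
		 * Both the EtherIP header and the Ethernet header are read
		 * below, so make the two contiguous first.
		 */
		n = sizeof(struct etherip_header) + sizeof(struct ether_header);
		if (n > m->m_len)
			m = m_pullup(m, n);
		if (m == NULL)
			goto drop;
		eip = mtod(m, struct etherip_header *);
		/*
		 * GIF_ACCEPT_REVETHIP (enabled by default) intentionally
		 * accepts an EtherIP packet with reversed version field in
		 * the header.  This is a knob for backward compatibility
		 * with FreeBSD 7.2R or prior.
		 */
		if (eip->eip_ver != ETHERIP_VERSION) {
			if ((gif_options & GIF_ACCEPT_REVETHIP) == 0 ||
			    eip->eip_resvl != ETHERIP_VERSION) {
				/* discard unknown versions */
				m_freem(m);
				goto drop;
			}
		}
		m_adj(m, sizeof(struct etherip_header));

		m->m_flags &= ~(M_BCAST|M_MCAST);
		m->m_pkthdr.rcvif = ifp;

		if (ifp->if_bridge) {
			oldifp = ifp;
			eh = mtod(m, struct ether_header *);
			if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
				if (ETHER_IS_BROADCAST(eh->ether_dhost))
					m->m_flags |= M_BCAST;
				else
					m->m_flags |= M_MCAST;
				if_inc_counter(ifp, IFCOUNTER_IMCASTS, 1);
			}
			BRIDGE_INPUT(ifp, m);

			if (m != NULL && ifp != oldifp) {
				/*
				 * The bridge gave us back itself or one of the
				 * members for which the frame is addressed.
				 */
				ether_demux(ifp, m);
				return;
			}
		}
		/* Frames not taken over by a bridge are discarded. */
		if (m != NULL)
			m_freem(m);
		return;

	default:
		if (ng_gif_input_orphan_p != NULL)
			(*ng_gif_input_orphan_p)(ifp, m, af);
		else
			m_freem(m);
		return;
	}

	if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
	if_inc_counter(ifp, IFCOUNTER_IBYTES, m->m_pkthdr.len);
	M_SETFIB(m, ifp->if_fib);
	netisr_dispatch(isr, m);
	return;
drop:
	if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
}

/* XXX how should we handle IPv6 scope on SIOC[GS]IFPHYADDR?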
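 */
/*
 * if_ioctl method.
 *
 * Simple requests (address, multicast, flags, MTU) are answered without
 * taking gif_ioctl_sx.  All tunnel requests run under the exclusive sx lock
 * and fail with ENXIO once if_softc has been cleared.
 *
 * Privilege: SIOCSTUNFIB and GIFSOPTS call priv_check(PRIV_NET_GIF) here.
 * NOTE(review): SIOCSIFPHYADDR* and SIOCDIFPHYADDR have no privilege check
 * in this function; presumably the generic ioctl layer enforces it before
 * calling the driver -- confirm.
 *
 * Returns 0 or an errno.
 */
int
gif_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
{
	GIF_RLOCK_TRACKER;
	struct ifreq *ifr = (struct ifreq*)data;
	struct sockaddr *dst, *src;
	struct gif_softc *sc;
#ifdef INET
	struct sockaddr_in *sin = NULL;
#endif
#ifdef INET6
	struct sockaddr_in6 *sin6 = NULL;
#endif
	u_int options;
	int error;

	switch (cmd) {
	case SIOCSIFADDR:
		ifp->if_flags |= IFF_UP;
		/* FALLTHROUGH */
	case SIOCADDMULTI:
	case SIOCDELMULTI:
	case SIOCGIFMTU:
	case SIOCSIFFLAGS:
		return (0);
	case SIOCSIFMTU:
		/* Only MTUs inside [GIF_MTU_MIN, GIF_MTU_MAX] are accepted. */
		if (ifr->ifr_mtu < GIF_MTU_MIN ||
		    ifr->ifr_mtu > GIF_MTU_MAX)
			return (EINVAL);
		else
			ifp->if_mtu = ifr->ifr_mtu;
		return (0);
	}
	sx_xlock(&gif_ioctl_sx);
	sc = ifp->if_softc;
	if (sc == NULL) {
		error = ENXIO;
		goto bad;
	}
	error = 0;
	switch (cmd) {
	case SIOCSIFPHYADDR:
#ifdef INET6
	case SIOCSIFPHYADDR_IN6:
#endif
		error = EINVAL;
		/* Locate the endpoint pair inside the request structure. */
		switch (cmd) {
#ifdef INET
		case SIOCSIFPHYADDR:
			src = (struct sockaddr *)
				&(((struct in_aliasreq *)data)->ifra_addr);
			dst = (struct sockaddr *)
				&(((struct in_aliasreq *)data)->ifra_dstaddr);
			break;
#endif
#ifdef INET6
		case SIOCSIFPHYADDR_IN6:
			src = (struct sockaddr *)
				&(((struct in6_aliasreq *)data)->ifra_addr);
			dst = (struct sockaddr *)
				&(((struct in6_aliasreq *)data)->ifra_dstaddr);
			break;
#endif
		default:
			goto bad;
		}
		/* sa_family must be equal */
		if (src->sa_family != dst->sa_family ||
		    src->sa_len != dst->sa_len)
			goto bad;

		/* validate sa_len */
		switch (src->sa_family) {
#ifdef INET
		case AF_INET:
			if (src->sa_len != sizeof(struct sockaddr_in))
				goto bad;
			break;
#endif
#ifdef INET6
		case AF_INET6:
			if (src->sa_len != sizeof(struct sockaddr_in6))
				goto bad;
			break;
#endif
		default:
			error = EAFNOSUPPORT;
			goto bad;
		}
		/* check sa_family looks sane for the cmd */
		error = EAFNOSUPPORT;
		switch (cmd) {
#ifdef INET
		case SIOCSIFPHYADDR:
			if (src->sa_family == AF_INET)
				break;
			goto bad;
#endif
#ifdef INET6
		case SIOCSIFPHYADDR_IN6:
			if (src->sa_family == AF_INET6)
				break;
			goto bad;
#endif
		}
		/* Neither endpoint may be the unspecified address. */
		error = EADDRNOTAVAIL;
		switch (src->sa_family) {
#ifdef INET
		case AF_INET:
			if (satosin(src)->sin_addr.s_addr == INADDR_ANY ||
			    satosin(dst)->sin_addr.s_addr == INADDR_ANY)
				goto bad;
			break;
#endif
#ifdef INET6
		case AF_INET6:
			if (IN6_IS_ADDR_UNSPECIFIED(&satosin6(src)->sin6_addr)
			    ||
			    IN6_IS_ADDR_UNSPECIFIED(&satosin6(dst)->sin6_addr))
				goto bad;
			/*
			 * Check validity of the scope zone ID of the
			 * addresses, and convert it into the kernel
			 * internal form if necessary.
			 */
			error = sa6_embedscope(satosin6(src), 0);
			if (error != 0)
				goto bad;
			error = sa6_embedscope(satosin6(dst), 0);
			if (error != 0)
				goto bad;
			break;
#endif
		}
		error = gif_set_tunnel(ifp, src, dst);
		break;
	case SIOCDIFPHYADDR:
		gif_delete_tunnel(ifp);
		break;
	case SIOCGIFPSRCADDR:
	case SIOCGIFPDSTADDR:
#ifdef INET6
	case SIOCGIFPSRCADDR_IN6:
	case SIOCGIFPDSTADDR_IN6:
#endif
		if (sc->gif_family == 0) {
			error = EADDRNOTAVAIL;
			break;
		}
		GIF_RLOCK(sc);
		/*
		 * Zero the reply sockaddr before filling it in, so only the
		 * fields set below reach the caller.
		 */
		switch (cmd) {
#ifdef INET
		case SIOCGIFPSRCADDR:
		case SIOCGIFPDSTADDR:
			if (sc->gif_family != AF_INET) {
				error = EADDRNOTAVAIL;
				break;
			}
			sin = (struct sockaddr_in *)&ifr->ifr_addr;
			memset(sin, 0, sizeof(*sin));
			sin->sin_family = AF_INET;
			sin->sin_len = sizeof(*sin);
			break;
#endif
#ifdef INET6
		case SIOCGIFPSRCADDR_IN6:
		case SIOCGIFPDSTADDR_IN6:
			if (sc->gif_family != AF_INET6) {
				error = EADDRNOTAVAIL;
				break;
			}
			sin6 = (struct sockaddr_in6 *)
				&(((struct in6_ifreq *)data)->ifr_addr);
			memset(sin6, 0, sizeof(*sin6));
			sin6->sin6_family = AF_INET6;
			sin6->sin6_len = sizeof(*sin6);
			break;
#endif
		default:
			error = EAFNOSUPPORT;
		}
		if (error == 0) {
			switch (cmd) {
#ifdef INET
			case SIOCGIFPSRCADDR:
				sin->sin_addr = sc->gif_iphdr->ip_src;
				break;
			case SIOCGIFPDSTADDR:
				sin->sin_addr = sc->gif_iphdr->ip_dst;
				break;
#endif
#ifdef INET6
			case SIOCGIFPSRCADDR_IN6:
				sin6->sin6_addr = sc->gif_ip6hdr->ip6_src;
				break;
			case SIOCGIFPDSTADDR_IN6:
				sin6->sin6_addr = sc->gif_ip6hdr->ip6_dst;
				break;
#endif
			}
		}
		GIF_RUNLOCK(sc);
		if (error != 0)
			break;
		/*
		 * Jail check on the address about to be returned: when
		 * prison_if() (or the scope recovery) fails, the reply is
		 * zeroed again so the address is not disclosed.
		 */
		switch (cmd) {
#ifdef INET
		case SIOCGIFPSRCADDR:
		case SIOCGIFPDSTADDR:
			error = prison_if(curthread->td_ucred,
			    (struct sockaddr *)sin);
			if (error != 0)
				memset(sin, 0, sizeof(*sin));
			break;
#endif
#ifdef INET6
		case SIOCGIFPSRCADDR_IN6:
		case SIOCGIFPDSTADDR_IN6:
			error = prison_if(curthread->td_ucred,
			    (struct sockaddr *)sin6);
			if (error == 0)
				error = sa6_recoverscope(sin6);
			if (error != 0)
				memset(sin6, 0, sizeof(*sin6));
			break;
#endif
		}
		break;
	case SIOCGTUNFIB:
		ifr->ifr_fib = sc->gif_fibnum;
		break;
	case SIOCSTUNFIB:
		if ((error = priv_check(curthread, PRIV_NET_GIF)) != 0)
			break;
		/* Reject FIB numbers at or beyond rt_numfibs. */
		if (ifr->ifr_fib >= rt_numfibs)
			error = EINVAL;
		else
			sc->gif_fibnum = ifr->ifr_fib;
		break;
	case GIFGOPTS:
		options = sc->gif_options;
		error = copyout(&options, ifr->ifr_data, sizeof(options));
		break;
	case GIFSOPTS:
		if ((error = priv_check(curthread, PRIV_NET_GIF)) != 0)
			break;
		error = copyin(ifr->ifr_data, &options, sizeof(options));
		if (error)
			break;
		/* Bits outside GIF_OPTMASK are refused, not silently masked. */
		if (options & ~GIF_OPTMASK)
			error = EINVAL;
		else
			sc->gif_options = options;
		break;
	default:
		error = EINVAL;
		break;
	}
bad:
	sx_xunlock(&gif_ioctl_sx);
	return (error);
}

/*
 * Detach the encapsulation hook, if one is registered, and clear the cookie.
 * Caller must hold gif_ioctl_sx exclusively.
 */
static void
gif_detach(struct gif_softc *sc)
{

	sx_assert(&gif_ioctl_sx, SA_XLOCKED);
	if (sc->gif_ecookie != NULL)
		encap_detach(sc->gif_ecookie);
	sc->gif_ecookie = NULL;
}

/*
 * Register the encapsulation hook for the given outer family by calling the
 * family-specific attach routine.  Returns its result, or EAFNOSUPPORT for
 * a family that is not compiled in.  Caller must hold gif_ioctl_sx
 * exclusively.
 */
static int
gif_attach(struct gif_softc *sc, int af)
{

	sx_assert(&gif_ioctl_sx, SA_XLOCKED);
	switch (af) {
#ifdef INET
	case AF_INET:
		return (in_gif_attach(sc));
#endif
#ifdef INET6
	case AF_INET6:
		return (in6_gif_attach(sc));
#endif
	}
	return (EAFNOSUPPORT);
}

/*
 * Configure the outer endpoints of the tunnel.
 *
 * Unless parallel tunnels are allowed, the request fails with EADDRNOTAVAIL
 * when another gif interface already uses the same source/destination pair.
 * A template outer header is then allocated, the encapsulation hook is
 * re-attached when the family changes, and the new family and header are
 * installed under the softc write lock.
 *
 * Returns 0 or an errno; IFF_DRV_RUNNING is set only when the result is 0
 * and a family is configured.
 */
static int
gif_set_tunnel(struct ifnet *ifp, struct sockaddr *src, struct sockaddr *dst)
{
	struct gif_softc *sc = ifp->if_softc;
	struct gif_softc *tsc;
#ifdef INET
	struct ip *ip;
#endif
#ifdef INET6
	struct ip6_hdr *ip6;
#endif
	void *hdr;
	int error = 0;

	if (sc == NULL)
		return (ENXIO);
	/* Disallow parallel tunnels unless instructed otherwise. */
	if (V_parallel_tunnels == 0) {
		GIF_LIST_LOCK();
		LIST_FOREACH(tsc, &V_gif_softc_list, gif_list) {
			if (tsc == sc || tsc->gif_family != src->sa_family)
				continue;
#ifdef INET
			if (tsc->gif_family == AF_INET &&
			    tsc->gif_iphdr->ip_src.s_addr ==
			    satosin(src)->sin_addr.s_addr &&
			    tsc->gif_iphdr->ip_dst.s_addr ==
			    satosin(dst)->sin_addr.s_addr) {
				error = EADDRNOTAVAIL;
				GIF_LIST_UNLOCK();
				goto bad;
			}
#endif
#ifdef INET6
			if (tsc->gif_family == AF_INET6 &&
			    IN6_ARE_ADDR_EQUAL(&tsc->gif_ip6hdr->ip6_src,
			    &satosin6(src)->sin6_addr) &&
			    IN6_ARE_ADDR_EQUAL(&tsc->gif_ip6hdr->ip6_dst,
			    &satosin6(dst)->sin6_addr)) {
				error = EADDRNOTAVAIL;
				GIF_LIST_UNLOCK();
				goto bad;
			}
#endif
		}
		GIF_LIST_UNLOCK();
	}
	/* Build the template outer header; M_ZERO clears every other field. */
	switch (src->sa_family) {
#ifdef INET
	case AF_INET:
		hdr = ip = malloc(sizeof(struct ip), M_GIF,
		    M_WAITOK | M_ZERO);
		ip->ip_src.s_addr = satosin(src)->sin_addr.s_addr;
		ip->ip_dst.s_addr = satosin(dst)->sin_addr.s_addr;
		break;
#endif
#ifdef INET6
	case AF_INET6:
		hdr = ip6 = malloc(sizeof(struct ip6_hdr), M_GIF,
		    M_WAITOK | M_ZERO);
		ip6->ip6_src = satosin6(src)->sin6_addr;
		ip6->ip6_dst = satosin6(dst)->sin6_addr;
		ip6->ip6_vfc = IPV6_VERSION;
		break;
#endif
	default:
		return (EAFNOSUPPORT);
	}

	if (sc->gif_family != src->sa_family)
		gif_detach(sc);
	/*
	 * NOTE(review): when gif_attach() fails, the new family and header
	 * are still installed below and only the return value and
	 * IFF_DRV_RUNNING reflect the failure.  A later call with the same
	 * family skips gif_attach(), so the hook would stay unregistered
	 * while the call reports success -- confirm this is intended.
	 */
	if (sc->gif_family == 0 ||
	    sc->gif_family != src->sa_family)
		error = gif_attach(sc, src->sa_family);

	GIF_WLOCK(sc);
	/* Release the previous template header before replacing it. */
	if (sc->gif_family != 0)
		free(sc->gif_hdr, M_GIF);
	sc->gif_family = src->sa_family;
	sc->gif_hdr = hdr;
	GIF_WUNLOCK(sc);
#if defined(INET) || defined(INET6)
bad:
#endif
	/*
	 * NOTE(review): the duplicate-tunnel path also lands here, so a
	 * rejected request clears IFF_DRV_RUNNING on an interface whose
	 * existing tunnel was left untouched -- confirm.
	 */
	if (error == 0 && sc->gif_family != 0)
		ifp->if_drv_flags |= IFF_DRV_RUNNING;
	else
		ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
	return (error);
}

/*
 * Remove the tunnel configuration: mark the softc as unconfigured under the
 * write lock, then detach the encapsulation hook and free the template
 * header.  IFF_DRV_RUNNING is cleared in every case.  Does nothing when
 * if_softc is NULL.
 */
static void
gif_delete_tunnel(struct ifnet *ifp)
{
	struct gif_softc *sc = ifp->if_softc;
	int family;

	if (sc == NULL)
		return;

	/* Clear gif_family first so the header counts as gone before the free. */
	GIF_WLOCK(sc);
	family = sc->gif_family;
	sc->gif_family = 0;
	GIF_WUNLOCK(sc);
	if (family != 0) {
		gif_detach(sc);
		free(sc->gif_hdr, M_GIF);
		/* Do not leave a dangling header pointer in the softc. */
		sc->gif_hdr = NULL;
	}
	ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
}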