Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/in_gif.c | 38 | ||||
-rw-r--r-- | sys/netinet/in_gif.h | 4 | ||||
-rw-r--r-- | sys/netinet/in_proto.c | 23 | ||||
-rw-r--r-- | sys/netinet/ip_ether.c | 362 | ||||
-rw-r--r-- | sys/netinet/ip_ether.h | 7 | ||||
-rw-r--r-- | sys/netinet/ip_ipip.c | 87 | ||||
-rw-r--r-- | sys/netinet/ip_ipsp.h | 9 |
7 files changed, 355 insertions, 175 deletions
diff --git a/sys/netinet/in_gif.c b/sys/netinet/in_gif.c index e2a92c0c57c..3cf02f75490 100644 --- a/sys/netinet/in_gif.c +++ b/sys/netinet/in_gif.c @@ -1,4 +1,4 @@ -/* $OpenBSD: in_gif.c,v 1.37 2009/11/21 14:08:14 claudio Exp $ */ +/* $OpenBSD: in_gif.c,v 1.38 2010/05/11 09:36:07 claudio Exp $ */ /* $KAME: in_gif.c,v 1.50 2001/01/22 07:27:16 itojun Exp $ */ /* @@ -54,13 +54,16 @@ #include "gif.h" #include "bridge.h" +#if NBRIDGE > 0 +#include <netinet/ip_ether.h> +#endif #if NPF > 0 #include <net/pfvar.h> #endif int -in_gif_output(struct ifnet *ifp, int family, struct mbuf *m) +in_gif_output(struct ifnet *ifp, int family, struct mbuf **m0) { struct gif_softc *sc = (struct gif_softc*)ifp; struct sockaddr_in *sin_src = (struct sockaddr_in *)sc->gif_psrc; @@ -68,7 +71,7 @@ in_gif_output(struct ifnet *ifp, int family, struct mbuf *m) struct tdb tdb; struct xformsw xfs; int error; - struct mbuf *mp; + struct mbuf *m = *m0; if (sin_src == NULL || sin_dst == NULL || sin_src->sin_family != AF_INET || @@ -85,7 +88,7 @@ in_gif_output(struct ifnet *ifp, int family, struct mbuf *m) } #endif - /* setup dummy tdb. it highly depends on ipipoutput() code. */ + /* setup dummy tdb. it highly depends on ipip_output() code. */ bzero(&tdb, sizeof(tdb)); bzero(&xfs, sizeof(xfs)); tdb.tdb_src.sin.sin_family = AF_INET; @@ -107,7 +110,11 @@ in_gif_output(struct ifnet *ifp, int family, struct mbuf *m) #if NBRIDGE > 0 case AF_LINK: break; -#endif /* NBRIDGE */ +#endif +#if MPLS + case AF_MPLS: + break; +#endif default: #ifdef DEBUG printf("in_gif_output: warning: unknown family %d passed\n", 
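Review bot: The new `AF_MPLS` case in the family switch of in_gif_output() is guarded with `#if MPLS`, while the encapsulation branch added further down in the same function and the other files in this commit use `#ifdef MPLS`. The two forms are not equivalent: `#if MPLS` fails to preprocess when the macro is defined without a value, and evaluates false when it is defined as 0 even though `#ifdef` is true. Use `#ifdef MPLS` here too, so that the family check and the encapsulation path are always compiled in or out together. The body of in_gif_output() continues outside this hunk.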
@@ -118,26 +125,30 @@ in_gif_output(struct ifnet *ifp, int family, struct mbuf *m) } /* encapsulate into IPv4 packet */ - mp = NULL; + *m0 = NULL; #if NBRIDGE > 0 if (family == AF_LINK) - error = etherip_output(m, &tdb, &mp, 0, 0); + error = etherip_output(m, &tdb, m0, IPPROTO_ETHERIP); else #endif /* NBRIDGE */ - error = ipip_output(m, &tdb, &mp, 0, 0); +#ifdef MPLS + if (family == AF_MPLS) + error = etherip_output(m, &tdb, m0, IPPROTO_MPLS); + else +#endif + error = ipip_output(m, &tdb, m0, 0, 0); if (error) return error; - else if (mp == NULL) + else if (*m0 == NULL) return EFAULT; - m = mp; + m = *m0; m->m_pkthdr.rdomain = sc->gif_rtableid; #if NPF > 0 pf_pkt_addr_changed(m); #endif - return ip_output(m, (void *)NULL, (void *)NULL, 0, (void *)NULL, - (void *)NULL); + return 0; } void @@ -186,7 +197,8 @@ in_gif_input(struct mbuf *m, ...) m->m_pkthdr.rdomain = gifp->if_rdomain; gifp->if_ipackets++; gifp->if_ibytes += m->m_pkthdr.len; - ipip_input(m, off, gifp); /* We have a configured GIF */ + /* We have a configured GIF */ + ipip_input(m, off, gifp, ip->ip_p); return; } diff --git a/sys/netinet/in_gif.h b/sys/netinet/in_gif.h index 3a12d06dd91..aa4b660a2b6 100644 --- a/sys/netinet/in_gif.h +++ b/sys/netinet/in_gif.h @@ -1,4 +1,4 @@ -/* $OpenBSD: in_gif.h,v 1.5 2007/02/10 15:34:22 claudio Exp $ */ +/* $OpenBSD: in_gif.h,v 1.6 2010/05/11 09:36:07 claudio Exp $ */ /* $KAME: in_gif.h,v 1.5 2000/04/14 08:36:02 itojun Exp $ */ /* @@ -34,6 +34,6 @@ #define _NETINET_IN_GIF_H_ void in_gif_input(struct mbuf *, ...); -int in_gif_output(struct ifnet *, int, struct mbuf *); +int in_gif_output(struct ifnet *, int, struct mbuf **); #endif /*_NETINET_IN_GIF_H_*/ diff --git a/sys/netinet/in_proto.c b/sys/netinet/in_proto.c index f30b585dc4a..0ecac5bd043 100644 --- a/sys/netinet/in_proto.c +++ b/sys/netinet/in_proto.c 
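Review bot: in_gif_output() no longer transmits the packet; it returns the encapsulated chain through `*m0` and leaves the ip_output() call to the caller, but nothing at the function states this new contract. `*m0` is set to NULL before the encapsulation call and the error returns leave it that way, so after a failure the caller must neither send nor free the original mbuf. The etherip_output() error paths visible in this commit free the chain; ipip_output() is not shown and presumably does the same. A header comment would prevent double-free or leak mistakes in callers, for example `/* On success *m0 is the encapsulated packet, to be sent by the caller; on error the chain has been consumed and *m0 is NULL. */`. The function starts outside this hunk.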
@@ -1,4 +1,4 @@ -/* $OpenBSD: in_proto.c,v 1.52 2010/01/12 23:33:24 yasuoka Exp $ */ +/* $OpenBSD: in_proto.c,v 1.53 2010/05/11 09:36:07 claudio Exp $ */ /* $NetBSD: in_proto.c,v 1.14 1996/02/18 18:58:32 christos Exp $ */ /* @@ -210,13 +210,25 @@ struct protosw inetsw[] = { rip_usrreq, 0, 0, 0, 0, ipip_sysctl }, +{ SOCK_RAW, &inetdomain, IPPROTO_ETHERIP, PR_ATOMIC|PR_ADDR, + etherip_input, rip_output, 0, rip_ctloutput, + rip_usrreq, + 0, 0, 0, 0, etherip_sysctl +}, #ifdef INET6 { SOCK_RAW, &inetdomain, IPPROTO_IPV6, PR_ATOMIC|PR_ADDR, in_gif_input, rip_output, 0, 0, rip_usrreq, /*XXX*/ 0, 0, 0, 0, }, -#endif /* INET6 */ +#endif +#ifdef MPLS +{ SOCK_RAW, &inetdomain, IPPROTO_MPLS, PR_ATOMIC|PR_ADDR, + etherip_input, rip_output, 0, 0, + rip_usrreq, + 0, 0, 0, 0, +}, +#endif #else /* NGIF */ { SOCK_RAW, &inetdomain, IPPROTO_IPIP, PR_ATOMIC|PR_ADDR, ip4_input, rip_output, 0, rip_ctloutput, @@ -229,7 +241,7 @@ struct protosw inetsw[] = { rip_usrreq, /*XXX*/ 0, 0, 0, 0, }, -#endif /* INET6 */ +#endif #endif /*NGIF*/ { SOCK_RAW, &inetdomain, IPPROTO_IGMP, PR_ATOMIC|PR_ADDR, igmp_input, rip_output, 0, rip_ctloutput, @@ -254,11 +266,6 @@ struct protosw inetsw[] = { rip_usrreq, 0, 0, 0, 0, esp_sysctl }, -{ SOCK_RAW, &inetdomain, IPPROTO_ETHERIP, PR_ATOMIC|PR_ADDR, - etherip_input, rip_output, 0, rip_ctloutput, - rip_usrreq, - 0, 0, 0, 0, etherip_sysctl -}, { SOCK_RAW, &inetdomain, IPPROTO_IPCOMP, PR_ATOMIC|PR_ADDR, ipcomp4_input, rip_output, 0, rip_ctloutput, rip_usrreq, diff --git a/sys/netinet/ip_ether.c b/sys/netinet/ip_ether.c index d337aee1bac..1a40db89819 100644 --- a/sys/netinet/ip_ether.c +++ b/sys/netinet/ip_ether.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ether.c,v 1.53 2010/04/20 22:05:43 tedu Exp $ */ +/* $OpenBSD: ip_ether.c,v 1.54 2010/05/11 09:36:07 claudio Exp $ */ /* * The author of this code is Angelos D. Keromytis (kermit@adk.gr) * 
@@ -35,9 +35,10 @@ #include <sys/proc.h> #include <sys/sysctl.h> +#include <net/bpf.h> #include <net/if.h> +#include <net/netisr.h> #include <net/route.h> -#include <net/bpf.h> #ifdef INET #include <netinet/in.h> @@ -49,10 +50,16 @@ #include <netinet/ip_ether.h> #include <netinet/if_ether.h> -#include <net/if_bridge.h> + #include <net/if_gif.h> -#include "gif.h" +#if NBRIDGE > 0 +#include <net/if_bridge.h> +#endif +#ifdef MPLS +#include <netmpls/mpls.h> +#endif + #include "bpfilter.h" #ifdef ENCDEBUG @@ -61,6 +68,14 @@ #define DPRINTF(x) #endif +#if NBRIDGE > 0 +void etherip_decap(struct mbuf *, int); +#endif +#ifdef MPLS +void mplsip_decap(struct mbuf *, int); +#endif +struct gif_softc *etherip_getgif(struct mbuf *); + /* * We can control the acceptance of EtherIP packets by altering the sysctl * net.inet.etherip.allow value. Zero means drop them, all else is acceptance. 
@@ -69,43 +84,93 @@ int etherip_allow = 0; struct etheripstat etheripstat; +#ifdef INET /* - * etherip_input gets called when we receive an encapsulated packet, - * either because we got it at a real interface, or because AH or ESP - * were being used in tunnel mode (in which case the rcvif element will - * contain the address of the encX interface associated with the tunnel. + * etherip_input gets called when we receive an encapsulated packet. + * Only a wrapper for the IPv4 case. */ - void etherip_input(struct mbuf *m, ...) { - union sockaddr_union ssrc, sdst; - struct ether_header eh; - int iphlen; - struct etherip_header eip; - u_int8_t v; + struct ip *ip; va_list ap; + int iphlen; -#if NGIF > 0 - struct gif_softc *sc; -#if NBRIDGE > 0 - int s; -#endif /* NBRIDGE */ -#endif /* NGIF */ + ip = mtod(m, struct ip *); va_start(ap, m); iphlen = va_arg(ap, int); va_end(ap); - etheripstat.etherip_ipackets++; - - /* If we do not accept EtherIP explicitly, drop. */ - if (!etherip_allow && (m->m_flags & (M_AUTH|M_CONF)) == 0) { - DPRINTF(("etherip_input(): dropped due to policy\n")); + switch (ip->ip_p) { +#if NBRIDGE > 0 + case IPPROTO_ETHERIP: + /* If we do not accept EtherIP explicitly, drop. */ + if (!etherip_allow && (m->m_flags & (M_AUTH|M_CONF)) == 0) { + DPRINTF(("etherip_input(): dropped due to policy\n")); + etheripstat.etherip_pdrops++; + m_freem(m); + return; + } + etherip_decap(m, iphlen); + return; +#endif +#ifdef MPLS + case IPPROTO_MPLS: + mplsip_decap(m, iphlen); + return; +#endif + default: + DPRINTF(("etherip_input(): dropped, unhandled protcol \n")); etheripstat.etherip_pdrops++; m_freem(m); return; } +} +#endif + +#ifdef INET6 +int +etherip_input6(struct mbuf **m, int *offp, int proto) +{ + switch (proto) { +#if NBRIDGE > 0 + case IPPROTO_ETHERIP: + /* If we do not accept EtherIP explicitly, drop. 
*/ + if (proto == IPPROTO_ETHERIP && !etherip_allow && + ((*m)->m_flags & (M_AUTH|M_CONF)) == 0) { + DPRINTF(("etherip_input6(): dropped due to policy\n")); + etheripstat.etherip_pdrops++; + m_freem(*m); + return IPPROTO_DONE; + } + etherip_decap(*m, *offp); + return IPPROTO_DONE; +#endif +#ifdef MPLS + case IPPROTO_MPLS: + mplsip_decap(*m, *offp); + return IPPROTO_DONE; +#endif + default: + DPRINTF(("etherip_input6(): dropped, unhandled protcol \n")); + etheripstat.etherip_pdrops++; + m_freem(*m); + return IPPROTO_DONE; + } +} +#endif + +#if NBRIDGE > 0 +void +etherip_decap(struct mbuf *m, int iphlen) +{ + struct ether_header eh; + struct etherip_header eip; + struct gif_softc *sc; + int s; + + etheripstat.etherip_ipackets++; /* * Make sure there's at least an ethernet header's and an EtherIP @@ -123,7 +188,7 @@ etherip_input(struct mbuf *m, ...) m_copydata(m, iphlen, sizeof(struct etherip_header), (caddr_t)&eip); if ((eip.eip_ver & ETHERIP_VER_VERS_MASK) != ETHERIP_VERSION) { DPRINTF(("etherip_input(): received EtherIP version number " - "%d not suppoorted\n", (v >> 4) & 0xff)); + "%d not suppoorted\n", eip.eip_ver)); etheripstat.etherip_adrops++; m_freem(m); return; 
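Review bot: The `IPPROTO_MPLS` case in etherip_input() and etherip_input6() calls mplsip_decap() with no policy check, whereas the `IPPROTO_ETHERIP` case directly above it drops the packet unless `etherip_allow` is set or the mbuf carries `M_AUTH`/`M_CONF`. As written, an unauthenticated MPLS-in-IP packet is accepted whenever its outer addresses match a configured gif (the lookup in etherip_getgif()), and outer addresses are not proof of origin. If that is intended it deserves a comment at the case; otherwise apply the same drop test before mplsip_decap(), or gate it on an equivalent knob. Separately, the `proto == IPPROTO_ETHERIP &&` term in etherip_input6() is always true inside `case IPPROTO_ETHERIP:` and can be dropped.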
@@ -162,6 +227,149 @@ etherip_input(struct mbuf *m, ...) } } + sc = etherip_getgif(m); + if (sc == NULL) + return; + if (sc->gif_if.if_bridge == NULL) { + DPRINTF(("etherip_input(): interface not part of bridge\n")); + etheripstat.etherip_noifdrops++; + m_freem(m); + return; + } + + /* Chop off the `outer' IP and EtherIP headers and reschedule. */ + m_adj(m, iphlen + sizeof(struct etherip_header)); + + /* Statistics */ + etheripstat.etherip_ibytes += m->m_pkthdr.len; + + /* Copy ethernet header */ + m_copydata(m, 0, sizeof(eh), (void *) &eh); + + /* Reset the flags based on the inner packet */ + m->m_flags &= ~(M_BCAST|M_MCAST|M_AUTH|M_CONF|M_AUTH_AH); + if (eh.ether_dhost[0] & 1) { + if (bcmp((caddr_t) etherbroadcastaddr, + (caddr_t)eh.ether_dhost, sizeof(etherbroadcastaddr)) == 0) + m->m_flags |= M_BCAST; + else + m->m_flags |= M_MCAST; + } + +#if NBPFILTER > 0 + if (sc->gif_if.if_bpf) + bpf_mtap_af(sc->gif_if.if_bpf, AF_LINK, m, BPF_DIRECTION_IN); +#endif + + /* Trim the beginning of the mbuf, to remove the ethernet header. */ + m_adj(m, sizeof(struct ether_header)); + + /* + * Tap the packet off here for a bridge. bridge_input() returns + * NULL if it has consumed the packet. In the case of gif's, + * bridge_input() returns non-NULL when an error occurs. + */ +#if NPF > 0 + pf_pkt_addr_changed(m); +#endif + m->m_pkthdr.rcvif = &sc->gif_if; + m->m_pkthdr.rdomain = sc->gif_if.if_rdomain; + if (m->m_flags & (M_BCAST|M_MCAST)) + sc->gif_if.if_imcasts++; + + s = splnet(); + m = bridge_input(&sc->gif_if, &eh, m); + splx(s); + if (m == NULL) + return; + + etheripstat.etherip_noifdrops++; + m_freem(m); + return; +} +#endif + +#ifdef MPLS +void +mplsip_decap(struct mbuf *m, int iphlen) +{ + struct gif_softc *sc; + struct ifqueue *ifq; + int s; + + etheripstat.etherip_ipackets++; + + /* + * Make sure there's at least one MPLS label worth of data after + * the outer IP header. 
+ */ + if (m->m_pkthdr.len < iphlen + sizeof(struct shim_hdr)) { + DPRINTF(("mplsip_input(): encapsulated packet too short\n")); + etheripstat.etherip_hdrops++; + m_freem(m); + return; + } + + /* Make sure the mpls label at least is in the first mbuf. */ + if (m->m_len < iphlen + sizeof(struct shim_hdr)) { + if ((m = m_pullup(m, iphlen + sizeof(struct shim_hdr))) == + NULL) { + DPRINTF(("mplsip_input(): m_pullup() failed\n")); + etheripstat.etherip_adrops++; + return; + } + } + + sc = etherip_getgif(m); + if (sc == NULL) + return; + + /* Chop off the `outer' IP header and reschedule. */ + m_adj(m, iphlen); + + /* Statistics */ + etheripstat.etherip_ibytes += m->m_pkthdr.len; + + /* Reset the flags based */ + m->m_flags &= ~(M_BCAST|M_MCAST); + +#if NBPFILTER > 0 + if (sc->gif_if.if_bpf) + bpf_mtap_af(sc->gif_if.if_bpf, AF_MPLS, m, BPF_DIRECTION_IN); +#endif + + m->m_pkthdr.rcvif = &sc->gif_if; + m->m_pkthdr.rdomain = sc->gif_if.if_rdomain; +#if NPF > 0 + pf_pkt_addr_changed(m); +#endif + + ifq = &mplsintrq; + s = splnet(); + if (IF_QFULL(ifq)) { + IF_DROP(ifq); + m_freem(m); + etheripstat.etherip_qfull++; + splx(s); + + DPRINTF(("mplsip_input(): packet dropped because of full " + "queue\n")); + return; + } + IF_ENQUEUE(ifq, m); + schednetisr(NETISR_MPLS); + splx(s); + return; +} +#endif + +struct gif_softc * +etherip_getgif(struct mbuf *m) +{ + union sockaddr_union ssrc, sdst; + struct gif_softc *sc; + u_int8_t v; + /* Copy the addresses for use later. */ bzero(&ssrc, sizeof(ssrc)); bzero(&sdst, sizeof(sdst)); 
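Review bot: mplsip_decap() clears only `M_BCAST|M_MCAST` on the decapsulated packet, while etherip_decap() earlier in this hunk also clears `M_AUTH|M_CONF|M_AUTH_AH`. Those bits describe how the outer packet was protected, and leaving them set lets later code that tests them treat the inner MPLS payload as IPsec-protected; whether anything on the MPLS input path does so is not visible here. Unless the carry-over is deliberate, use `m->m_flags &= ~(M_BCAST|M_MCAST|M_AUTH|M_CONF|M_AUTH_AH);` and complete the truncated comment, e.g. `/* Reset the flags based on the inner packet */`. The hunk ends inside etherip_getgif(), whose body continues in the following hunks.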
@@ -196,29 +404,9 @@ etherip_input(struct mbuf *m, ...) DPRINTF(("etherip_input(): invalid protocol %d\n", v)); m_freem(m); etheripstat.etherip_hdrops++; - return /* EAFNOSUPPORT */; + return NULL; } - /* Chop off the `outer' IP and EtherIP headers and reschedule. */ - m_adj(m, iphlen + sizeof(struct etherip_header)); - - /* Statistics */ - etheripstat.etherip_ibytes += m->m_pkthdr.len; - - /* Copy ethernet header */ - m_copydata(m, 0, sizeof(eh), (void *) &eh); - - /* Reset the flags based on the inner packet */ - m->m_flags &= ~(M_BCAST|M_MCAST|M_AUTH|M_CONF|M_AUTH_AH); - if (eh.ether_dhost[0] & 1) { - if (bcmp((caddr_t) etherbroadcastaddr, - (caddr_t)eh.ether_dhost, sizeof(etherbroadcastaddr)) == 0) - m->m_flags |= M_BCAST; - else - m->m_flags |= M_MCAST; - } - -#if NGIF > 0 /* Find appropriate gif(4) interface */ LIST_FOREACH(sc, &gif_softc_list, gif_list) { if ((sc->gif_psrc == NULL) || @@ -227,8 +415,7 @@ etherip_input(struct mbuf *m, ...) continue; if (!bcmp(sc->gif_psrc, &sdst, sc->gif_psrc->sa_len) && - !bcmp(sc->gif_pdst, &ssrc, sc->gif_pdst->sa_len) && - sc->gif_if.if_bridge != NULL) + !bcmp(sc->gif_pdst, &ssrc, sc->gif_pdst->sa_len)) break; } 
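Review bot: Removing `sc->gif_if.if_bridge != NULL` from the match in the `LIST_FOREACH` loop of etherip_getgif() changes which interface an EtherIP packet resolves to. The loop now stops at the first gif whose endpoints match, and etherip_decap() drops the packet afterwards if that gif is not in a bridge. If two gif interfaces can share the same endpoint pair (not verifiable from this diff), a bridged one listed later is no longer found and its traffic is counted in `etherip_noifdrops`. Either document that endpoint pairs are unique, or let the caller pass whether bridge membership is required so the loop can keep skipping non-bridged matches for EtherIP. The loop starts and ends outside this hunk.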
@@ -237,54 +424,22 @@ etherip_input(struct mbuf *m, ...) DPRINTF(("etherip_input(): no interface found\n")); etheripstat.etherip_noifdrops++; m_freem(m); - return; + return NULL; } -#if NBPFILTER > 0 - if (sc->gif_if.if_bpf) - bpf_mtap_af(sc->gif_if.if_bpf, AF_LINK, m, BPF_DIRECTION_IN); -#endif - - /* Trim the beginning of the mbuf, to remove the ethernet header. */ - m_adj(m, sizeof(struct ether_header)); -#if NBRIDGE > 0 - /* - * Tap the packet off here for a bridge. bridge_input() returns - * NULL if it has consumed the packet. In the case of gif's, - * bridge_input() returns non-NULL when an error occurs. - */ - m->m_pkthdr.rcvif = &sc->gif_if; - m->m_pkthdr.rdomain = sc->gif_if.if_rdomain; - if (m->m_flags & (M_BCAST|M_MCAST)) - sc->gif_if.if_imcasts++; - - s = splnet(); - m = bridge_input(&sc->gif_if, &eh, m); - splx(s); - if (m == NULL) - return; -#endif /* NBRIDGE */ -#endif /* NGIF */ - - etheripstat.etherip_noifdrops++; - m_freem(m); - return; + return sc; } int -etherip_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, - int protoff) +etherip_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int proto) { #ifdef INET struct ip *ipo; #endif /* INET */ - #ifdef INET6 struct ip6_hdr *ip6; #endif /* INET6 */ - struct etherip_header eip; - struct mbuf *m0; ushort hlen; /* Some address family sanity checks. */ 
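Review bot: The new `proto` argument of etherip_output() is never validated. The later hunks copy it straight into `ipo->ip_p` and `ip6->ip6_nxt`, and any value other than `IPPROTO_ETHERIP` silently skips the EtherIP header. The only caller visible in this commit passes `IPPROTO_ETHERIP` or `IPPROTO_MPLS`, so this is a defensive point, but a mistaken caller would emit a packet whose protocol number does not match its payload. Reject anything else next to the existing address-family sanity checks, e.g. `if (proto != IPPROTO_ETHERIP && proto != IPPROTO_MPLS) { m_freem(m); return EINVAL; }`, and document the parameter in a comment above the function. The body of etherip_output() continues outside this hunk.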
@@ -335,27 +490,16 @@ etherip_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, return EINVAL; } - /* Don't forget the EtherIP header. */ - hlen += sizeof(struct etherip_header); - - if (!(m->m_flags & M_PKTHDR)) { - DPRINTF(("etherip_output(): mbuf is not a header\n")); - m_freem(m); - return (ENOBUFS); - } + if (proto == IPPROTO_ETHERIP) + /* Don't forget the EtherIP header. */ + hlen += sizeof(struct etherip_header); - MGETHDR(m0, M_DONTWAIT, MT_DATA); - if (m0 == NULL) { - DPRINTF(("etherip_output(): M_GETHDR failed\n")); + M_PREPEND(m, hlen, M_DONTWAIT); + if (m == NULL) { + DPRINTF(("etherip_output(): M_PREPEND failed\n")); etheripstat.etherip_adrops++; - m_freem(m); return ENOBUFS; } - M_MOVE_PKTHDR(m0, m); - m0->m_next = m; - m0->m_len = hlen; - m0->m_pkthdr.len += hlen; - m = m0; /* Statistics */ etheripstat.etherip_opackets++; @@ -370,7 +514,7 @@ etherip_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, ipo->ip_hl = 5; ipo->ip_len = htons(m->m_pkthdr.len); ipo->ip_ttl = ip_defttl; - ipo->ip_p = IPPROTO_ETHERIP; + ipo->ip_p = proto; ipo->ip_tos = 0; ipo->ip_off = 0; ipo->ip_sum = 0; @@ -390,7 +534,7 @@ etherip_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, ip6 = mtod(m, struct ip6_hdr *); ip6->ip6_flow = 0; - ip6->ip6_nxt = IPPROTO_ETHERIP; + ip6->ip6_nxt = proto; ip6->ip6_vfc &= ~IPV6_VERSION_MASK; ip6->ip6_vfc |= IPV6_VERSION; ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6)); 
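Review bot: The `M_PKTHDR` sanity check on `m` was removed together with the manual header allocation in etherip_output(), but the code after `M_PREPEND` still reads `m->m_pkthdr.len` to fill `ip_len` and `ip6_plen`. Callers presumably always pass a packet-header mbuf; if one ever does not, those length fields are built from unrelated memory. Keeping the guard before the prepend is cheap: `if (!(m->m_flags & M_PKTHDR)) { m_freem(m); return ENOBUFS; }`. As a smaller point, the new `if (proto == IPPROTO_ETHERIP)` has a comment between the condition and its single unbraced statement; braces would make the scope unambiguous, matching the braced form used for the `m_copyback` block later in the file.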
@@ -401,11 +545,13 @@ etherip_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, #endif /* INET6 */ } - /* Set the version number */ - eip.eip_ver = ETHERIP_VERSION & ETHERIP_VER_VERS_MASK; - eip.eip_pad = 0; - m_copyback(m, hlen - sizeof(struct etherip_header), - sizeof(struct etherip_header), &eip); + if (proto == IPPROTO_ETHERIP) { + /* Set the version number */ + eip.eip_ver = ETHERIP_VERSION & ETHERIP_VER_VERS_MASK; + eip.eip_pad = 0; + m_copyback(m, hlen - sizeof(struct etherip_header), + sizeof(struct etherip_header), &eip); + } *mp = m; diff --git a/sys/netinet/ip_ether.h b/sys/netinet/ip_ether.h index c2372557bd6..3eca19bf521 100644 --- a/sys/netinet/ip_ether.h +++ b/sys/netinet/ip_ether.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ether.h,v 1.14 2007/12/14 18:33:41 deraadt Exp $ */ +/* $OpenBSD: ip_ether.h,v 1.15 2010/05/11 09:36:07 claudio Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@adk.gr) * @@ -64,6 +64,11 @@ struct etherip_header { } #ifdef _KERNEL +int etherip_output(struct mbuf *, struct tdb *, struct mbuf **, int); +void etherip_input(struct mbuf *, ...); +#ifdef INET6 +int etherip_input6(struct mbuf **, int *, int); +#endif int etherip_sysctl(int *, u_int, void *, size_t *, void *, size_t); extern int etherip_allow; diff --git a/sys/netinet/ip_ipip.c b/sys/netinet/ip_ipip.c index b67f20a566a..6a48e52bb0b 100644 --- a/sys/netinet/ip_ipip.c +++ b/sys/netinet/ip_ipip.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipip.c,v 1.46 2010/04/20 22:05:43 tedu Exp $ */ +/* $OpenBSD: ip_ipip.c,v 1.47 2010/05/11 09:36:07 claudio Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr) and @@ -103,7 +103,7 @@ ip4_input6(struct mbuf **m, int *offp, int proto) return IPPROTO_DONE; } - ipip_input(*m, *offp, NULL); + ipip_input(*m, *offp, NULL, proto); return IPPROTO_DONE; } #endif /* INET6 */ 
@@ -115,6 +115,7 @@ ip4_input6(struct mbuf **m, int *offp, int proto) void ip4_input(struct mbuf *m, ...) { + struct ip *ip; va_list ap; int iphlen; @@ -130,7 +131,9 @@ ip4_input(struct mbuf *m, ...) iphlen = va_arg(ap, int); va_end(ap); - ipip_input(m, iphlen, NULL); + ip = mtod(m, struct ip *); + + ipip_input(m, iphlen, NULL, ip->ip_p); } #endif /* INET */ @@ -142,7 +145,7 @@ ip4_input(struct mbuf *m, ...) */ void -ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) +ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp, int proto) { struct sockaddr_in *sin; struct ifnet *ifp; @@ -152,13 +155,14 @@ ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) u_int rdomain; #ifdef INET6 struct sockaddr_in6 *sin6; - struct ip6_hdr *ip6 = NULL; + struct ip6_hdr *ip6; u_int8_t itos; #endif int isr; + int hlen, s; u_int8_t otos; u_int8_t v; - int hlen, s; + sa_family_t af; ipipstat.ipips_ipackets++; @@ -166,16 +170,16 @@ ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) switch (v >> 4) { #ifdef INET - case 4: + case 4: hlen = sizeof(struct ip); break; #endif /* INET */ #ifdef INET6 - case 6: + case 6: hlen = sizeof(struct ip6_hdr); break; #endif - default: + default: ipipstat.ipips_family++; m_freem(m); return /* EAFNOSUPPORT */; @@ -190,18 +194,19 @@ ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) } } - ipo = mtod(m, struct ip *); /* Keep outer ecn field. */ switch (v >> 4) { #ifdef INET case 4: + ipo = mtod(m, struct ip *); otos = ipo->ip_tos; break; #endif /* INET */ #ifdef INET6 case 6: - otos = (ntohl(mtod(m, struct ip6_hdr *)->ip6_flow) >> 20) & 0xff; + ip6 = mtod(m, struct ip6_hdr *); + otos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; break; #endif default: 
@@ -218,17 +223,15 @@ ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) return; } - m_copydata(m, 0, 1, &v); - - switch (v >> 4) { + switch (proto) { #ifdef INET - case 4: + case IPPROTO_IPV4: hlen = sizeof(struct ip); break; #endif /* INET */ #ifdef INET6 - case 6: + case IPPROTO_IPV6: hlen = sizeof(struct ip6_hdr); break; #endif @@ -239,7 +242,7 @@ ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) } /* - * Bring the inner IP header in the first mbuf, if not there already. + * Bring the inner header into the first mbuf, if not there already. */ if (m->m_len < hlen) { if ((m = m_pullup(m, hlen)) == NULL) { @@ -256,19 +259,25 @@ ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) */ /* Some sanity checks in the inner IP header */ - switch (v >> 4) { + switch (proto) { #ifdef INET - case 4: - ipo = mtod(m, struct ip *); + case IPPROTO_IPV4: + ipo = mtod(m, struct ip *); +#ifdef INET6 + ip6 = NULL; +#endif if (!ip_ecn_egress(ECN_ALLOWED, &otos, &ipo->ip_tos)) { m_freem(m); return; } - break; + break; #endif /* INET */ #ifdef INET6 - case 6: - ip6 = (struct ip6_hdr *) ipo; + case IPPROTO_IPV6: +#ifdef INET + ipo = NULL; +#endif + ip6 = mtod(m, struct ip6_hdr *); itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; if (!ip_ecn_egress(ECN_ALLOWED, &otos, &itos)) { m_freem(m); @@ -276,10 +285,15 @@ ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) } ip6->ip6_flow &= ~htonl(0xff << 20); ip6->ip6_flow |= htonl((u_int32_t) itos << 20); - break; + break; #endif default: - panic("ipip_input: should never reach here"); +#ifdef INET + ipo = NULL; +#endif +#ifdef INET6 + ip6 = NULL; +#endif } /* Check for local address spoofing. */ @@ -297,8 +311,8 @@ ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) AF_INET) continue; - sin = (struct sockaddr_in *) ifa->ifa_addr; - + sin = (struct sockaddr_in *) + ifa->ifa_addr; if (sin->sin_addr.s_addr == ipo->ip_src.s_addr) { ipipstat.ipips_spoof++; 
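Review bot: After this change ipip_input() picks the inner header type only from `proto`, the outer header's next-protocol value, because the `m_copydata(m, 0, 1, &v)` re-read of the inner version nibble was removed. A packet whose outer header says `IPPROTO_IPV4` but whose payload is not IPv4 is therefore cast to `struct ip`, has its TOS byte rewritten by ip_ecn_egress(), passes through the spoof check, and is queued on `ipintrq`. The IP input path presumably rejects it on the version field, but the ECN rewrite and the bpf tap have already acted on the wrong layout by then. Consider keeping a cross-check after the `m_pullup`: read the first byte again, compare `v >> 4` with 4 or 6 according to `proto`, and on mismatch count `ipipstat.ipips_family++` and free the mbuf. The enclosing function starts and ends outside these hunks.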
@@ -307,16 +321,16 @@ ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) } } #endif /* INET */ - #ifdef INET6 if (ip6) { if (ifa->ifa_addr->sa_family != AF_INET6) continue; - sin6 = (struct sockaddr_in6 *) ifa->ifa_addr; - - if (IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr, &ip6->ip6_src)) { + sin6 = (struct sockaddr_in6 *) + ifa->ifa_addr; + if (IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr, + &ip6->ip6_src)) { ipipstat.ipips_spoof++; m_freem(m); return; @@ -339,17 +353,19 @@ ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) * untrusted packets. */ - switch (v >> 4) { + switch (proto) { #ifdef INET - case 4: + case IPPROTO_IPV4: ifq = &ipintrq; isr = NETISR_IP; + af = AF_INET; break; #endif #ifdef INET6 - case 6: + case IPPROTO_IPV6: ifq = &ip6intrq; isr = NETISR_IPV6; + af = AF_INET6; break; #endif default: @@ -358,8 +374,7 @@ ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) #if NBPFILTER > 0 if (gifp && gifp->if_bpf) - bpf_mtap_af(gifp->if_bpf, ifq == &ipintrq ? AF_INET : AF_INET6, - m, BPF_DIRECTION_IN); + bpf_mtap_af(gifp->if_bpf, af, m, BPF_DIRECTION_IN); #endif #if NPF > 0 pf_pkt_addr_changed(m); diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h index 01eb0282ffe..8d8f14323d0 100644 --- a/sys/netinet/ip_ipsp.h +++ b/sys/netinet/ip_ipsp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipsp.h,v 1.141 2010/05/07 13:33:17 claudio Exp $ */ +/* $OpenBSD: ip_ipsp.h,v 1.142 2010/05/11 09:36:07 claudio Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr), @@ -534,7 +534,7 @@ extern int ipe4_init(struct tdb *, struct xformsw *, struct ipsecinit *); extern int ipe4_zeroize(struct tdb *); extern int ipip_output(struct mbuf *, struct tdb *, struct mbuf **, int, int); extern void ipe4_input(struct mbuf *, ...); -extern void ipip_input(struct mbuf *, int, struct ifnet *); +extern void ipip_input(struct mbuf *, int, struct ifnet *, int); #ifdef INET extern void ip4_input(struct mbuf *, ...); 
@@ -544,11 +544,6 @@ extern void ip4_input(struct mbuf *, ...); extern int ip4_input6(struct mbuf **, int *, int); #endif /* INET */ -/* XF_ETHERIP */ -extern int etherip_output(struct mbuf *, struct tdb *, struct mbuf **, - int, int); -extern void etherip_input(struct mbuf *, ...); - /* XF_AH */ extern int ah_attach(void); extern int ah_init(struct tdb *, struct xformsw *, struct ipsecinit *); |