/* $OpenBSD: ip_ip4.c,v 1.40 1999/12/09 17:55:35 downsj Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr) and * Niels Provos (provos@physnet.uni-hamburg.de). * * This code was written by John Ioannidis for BSD/OS in Athens, Greece, * in November 1995. * * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, * by Angelos D. Keromytis. * * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis * and Niels Provos. * * Additional features in 1999 by Angelos D. Keromytis. * * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, * Angelos D. Keromytis and Niels Provos. * * Permission to use, copy, and modify this software without fee * is hereby granted, provided that this entire notice is included in * all copies of any software which is or includes a copy or * modification of this software. * You may use this code under the GNU public license if you so wish. Please * contribute changes back to the authors under this freer than GPL license * so that we may further the use of strong encryption without limitations to * all. * * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR * PURPOSE. */ /* * IP-inside-IP processing */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef MROUTING #include #endif #include #include #include #include #include #ifdef ENCDEBUG #define DPRINTF(x) if (encdebug) printf x #else #define DPRINTF(x) #endif #ifndef offsetof #define offsetof(s, e) ((int)&((s *)0)->e) #endif /* * We can control the acceptance of IP4 packets by altering the sysctl * net.inet.ip4.allow value. Zero means drop them, all else is acceptance. */ int ip4_allow = 0; struct ip4stat ip4stat; /* * ip4_input gets called when we receive an IPv4 encapsulated packet, * either because we got it at a real interface, or because AH or ESP * were being used in tunnel mode (in which case the rcvif element will * contain the address of the encX interface associated with the tunnel. */ void #if __STDC__ ip4_input(struct mbuf *m, ...) #else ip4_input(m, va_alist) struct mbuf *m; va_dcl #endif { register struct sockaddr_in *sin; register struct ifnet *ifp; register struct ifaddr *ifa; struct ifqueue *ifq = NULL; struct ip *ipo; int s, iphlen; va_list ap; va_start(ap, m); iphlen = va_arg(ap, int); va_end(ap); ip4stat.ip4s_ipackets++; #ifdef MROUTING /* Bring the IP(v4) header in the first mbuf, if not there already */ if (m->m_len < sizeof(struct ip)) { if ((m = m_pullup(m, sizeof(struct ip))) == 0) { DPRINTF(("ip4_input(): m_pullup() failed\n")); ip4stat.ip4s_hdrops++; m_freem(m); return; } } ipo = mtod(m, struct ip *); if (ipo->ip_v == IPVERSION) { if (IN_MULTICAST(((struct ip *)((char *)ipo + iphlen))->ip_dst.s_addr)) { ipip_input (m, iphlen); return; } } #endif MROUTING /* If we do not accept IP4 explicitly, drop. */ if (!ip4_allow && (m->m_flags & (M_AUTH|M_CONF)) == 0) { DPRINTF(("ip4_input(): dropped due to policy\n")); ip4stat.ip4s_pdrops++; m_freem(m); return; } /* Remove outter IP header */ m_adj(m, iphlen); /* Bring the inner IP(v4) header in the first mbuf, if not there already */ if (m->m_len < sizeof(struct ip)) { if ((m = m_pullup(m, sizeof(struct ip))) == 0) { DPRINTF(("ip4_input(): m_pullup() failed\n")); ip4stat.ip4s_hdrops++; return; } } ipo = mtod(m, struct ip *); /* * RFC 1853 specifies that the inner TTL should not be touched on * decapsulation. There's no reason this comment should be here, but * this is as good as any a position. */ /* Some sanity checks in the inner IPv4 header */ if (ipo->ip_v != IPVERSION) { DPRINTF(("ip4_input(): wrong version %d on packet from %s to %s (%s->%s)\n", ipo->ip_v, inet_ntoa4(ipo->ip_src), inet_ntoa4(ipo->ip_dst), inet_ntoa4(ipo->ip_src), inet_ntoa4(ipo->ip_dst))); ip4stat.ip4s_family++; m_freem(m); return; } /* * If we do not accept IP4 other than as part of ESP & AH, we should * not accept a packet with double ip4 headers neither. */ if (!ip4_allow && ((ipo->ip_p == IPPROTO_IPIP) || (ipo->ip_p == IPPROTO_IPV6))) { DPRINTF(("ip4_input(): dropped due to policy\n")); ip4stat.ip4s_pdrops++; m_freem(m); return; } /* Check for local address spoofing. */ if (m->m_pkthdr.rcvif == NULL || !(m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK)) { for (ifp = ifnet.tqh_first; ifp != 0; ifp = ifp->if_list.tqe_next) for (ifa = ifp->if_addrlist.tqh_first; ifa != 0; ifa = ifa->ifa_list.tqe_next) { if (ifa->ifa_addr->sa_family != AF_INET) continue; sin = (struct sockaddr_in *) ifa->ifa_addr; if (sin->sin_addr.s_addr == ipo->ip_src.s_addr) { DPRINTF(("ip_input(): possible local address spoofing detected on packet from %s to %s (%s->%s)\n", inet_ntoa4(ipo->ip_src), inet_ntoa4(ipo->ip_dst), inet_ntoa4(ipo->ip_src), inet_ntoa4(ipo->ip_dst))); ip4stat.ip4s_spoof++; m_freem(m); return; } } } /* Statistics */ ip4stat.ip4s_ibytes += m->m_pkthdr.len - iphlen; /* tdbi is only set in ESP or AH, if the next protocol is UDP or TCP */ if (m->m_flags & (M_CONF|M_AUTH)) m->m_pkthdr.tdbi = NULL; /* * Interface pointer stays the same; if no IPsec processing has * been done (or will be done), this will point to a normal * interface. Otherwise, it'll point to an enc interface, which * will allow a packet filter to distinguish between secure and * untrusted packets. */ ifq = &ipintrq; s = splimp(); /* isn't it already? */ if (IF_QFULL(ifq)) { IF_DROP(ifq); m_freem(m); ip4stat.ip4s_qfull++; splx(s); DPRINTF(("ip4_input(): packet dropped because of full queue\n")); return; } IF_ENQUEUE(ifq, m); schednetisr(NETISR_IP); splx(s); return; } #ifdef IPSEC int ipe4_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, int protoff) { u_int8_t tp; #ifdef INET u_int8_t itos; struct ip *ipo; #endif /* INET */ #ifdef INET6 struct ip6_hdr *ip6o; u_int8_t otos; #endif /* INET6 */ /* Deal with empty TDB source/destination addresses */ /* XXX */ m_copydata(m, 0, 1, &tp); tp = (tp >> 4) & 0xff; /* Get the IP version number */ switch (tdb->tdb_dst.sa.sa_family) { #ifdef INET case AF_INET: if ((tdb->tdb_src.sa.sa_family != AF_INET) || (tdb->tdb_src.sin.sin_addr.s_addr == INADDR_ANY) || (tdb->tdb_dst.sin.sin_addr.s_addr == INADDR_ANY)) { DPRINTF(("ipe4_output(): unspecified tunnel endpoind address in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); ip4stat.ip4s_unspec++; return ENOBUFS; } M_PREPEND(m, sizeof(struct ip), M_DONTWAIT); if (m == 0) { DPRINTF(("ipe4_output(): M_PREPEND failed\n")); ip4stat.ip4s_hdrops++; return ENOBUFS; } ipo = mtod(m, struct ip *); ipo->ip_v = IPVERSION; ipo->ip_hl = 5; ipo->ip_len = htons(m->m_pkthdr.len); ipo->ip_ttl = ip_defttl; ipo->ip_sum = 0; ipo->ip_src = tdb->tdb_src.sin.sin_addr; ipo->ip_dst = tdb->tdb_dst.sin.sin_addr; /* * We do the htons() to prevent snoopers from determining our * endianness. */ ipo->ip_id = htons(ip_randomid()); /* If the inner protocol is IP */ if (tp == IPVERSION) { /* Save ECN notification */ m_copydata(m, sizeof(struct ip) + offsetof(struct ip, ip_tos), sizeof(u_int8_t), (caddr_t) &itos); ipo->ip_p = IPPROTO_IPIP; /* * We should be keeping tunnel soft-state and send back ICMPs * if needed. */ m_copydata(m, sizeof(struct ip) + offsetof(struct ip, ip_off), sizeof(u_int16_t), (caddr_t) &ipo->ip_off); ipo->ip_off &= ~(IP_DF | IP_MF | IP_OFFMASK); } #ifdef INET6 if (tp == IPPROTO_IPV6) { /* Save ECN notification */ m_copydata(m, sizeof(struct ip) + offsetof(struct ip6_hdr, ip6_flow), sizeof(u_int32_t), (caddr_t) &itos); itos = ntohl(itos) >> 20; ipo->ip_p = IPPROTO_IPV6; ipo->ip_off = 0; } #endif /* INET6 */ ip_ecn_ingress(ECN_ALLOWED, &ipo->ip_tos, &itos); break; #endif /* INET */ #ifdef INET6 case AF_INET6: if (IN6_IS_ADDR_UNSPECIFIED(&tdb->tdb_dst.sin6.sin6_addr) || (tdb->tdb_src.sa.sa_family != AF_INET6) || IN6_IS_ADDR_UNSPECIFIED(&tdb->tdb_src.sin6.sin6_addr)) { DPRINTF(("ipe4_output(): unspecified tunnel endpoind address in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); ip4stat.ip4s_unspec++; return ENOBUFS; } M_PREPEND(m, sizeof(struct ip6_hdr), M_DONTWAIT); if (m == 0) { DPRINTF(("ipe4_output(): M_PREPEND failed\n")); ip4stat.ip4s_hdrops++; return ENOBUFS; } /* Initialize IPv6 header */ ip6o = mtod(m, struct ip6_hdr *); ip6o->ip6_flow = 0; ip6o->ip6_vfc = IPV6_VERSION; ip6o->ip6_plen = htons(m->m_pkthdr.len); ip6o->ip6_hlim = ip_defttl; ip6o->ip6_dst = tdb->tdb_dst.sin6.sin6_addr; ip6o->ip6_src = tdb->tdb_src.sin6.sin6_addr; #ifdef INET if (tp == IPVERSION) { /* Save ECN notification */ m_copydata(m, sizeof(struct ip6_hdr) + offsetof(struct ip, ip_tos), sizeof(u_int8_t), (caddr_t) &itos); ip6o->ip6_nxt = IPPROTO_IPIP; /* This is really IPVERSION */ } #endif /* INET */ if (tp == IPPROTO_IPV6) { /* Save ECN notification */ m_copydata(m, sizeof(struct ip6_hdr) + offsetof(struct ip6_hdr, ip6_flow), sizeof(u_int32_t), (caddr_t) &itos); itos = ntohl(itos) >> 20; ip6o->ip6_nxt = IPPROTO_IPV6; } ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); ip6o->ip6_flow |= htonl((u_int32_t) otos << 20); break; #endif /* INET6 */ default: DPRINTF(("ipe4_output(): unsupported protocol family %d\n", tdb->tdb_dst.sa.sa_family)); m_freem(m); ip4stat.ip4s_family++; return ENOBUFS; } ip4stat.ip4s_opackets++; *mp = m; #ifdef INET if (tdb->tdb_dst.sa.sa_family == AF_INET) { if (tdb->tdb_xform->xf_type == XF_IP4) tdb->tdb_cur_bytes += m->m_pkthdr.len - sizeof(struct ip); ip4stat.ip4s_obytes += m->m_pkthdr.len - sizeof(struct ip); } #endif /* INET */ #ifdef INET6 if (tdb->tdb_dst.sa.sa_family == AF_INET6) { if (tdb->tdb_xform->xf_type == XF_IP4) tdb->tdb_cur_bytes += m->m_pkthdr.len - sizeof(struct ip6_hdr); ip4stat.ip4s_obytes += m->m_pkthdr.len - sizeof(struct ip6_hdr); } #endif /* INET6 */ return 0; } int ipe4_attach() { return 0; } int ipe4_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii) { tdbp->tdb_xform = xsp; return 0; } int ipe4_zeroize(struct tdb *tdbp) { return 0; } void ipe4_input(struct mbuf *m, ...) { /* This is a rather serious mistake, so no conditional printing */ printf("ipe4_input(): should never be called\n"); if (m) m_freem(m); } #endif /* IPSEC */ int ip4_sysctl(name, namelen, oldp, oldlenp, newp, newlen) int *name; u_int namelen; void *oldp; size_t *oldlenp; void *newp; size_t newlen; { /* All sysctl names at this level are terminal. */ if (namelen != 1) return (ENOTDIR); switch (name[0]) { case IP4CTL_ALLOW: return (sysctl_int(oldp, oldlenp, newp, newlen, &ip4_allow)); default: return (ENOPROTOOPT); } /* NOTREACHED */ }