linux/net/ipv6/ip6_vti.c
<<
>>
Prefs
   1/*
   2 *      IPv6 virtual tunneling interface
   3 *
   4 *      Copyright (C) 2013 secunet Security Networks AG
   5 *
   6 *      Author:
   7 *      Steffen Klassert <steffen.klassert@secunet.com>
   8 *
   9 *      Based on:
  10 *      net/ipv6/ip6_tunnel.c
  11 *
  12 *      This program is free software; you can redistribute it and/or
  13 *      modify it under the terms of the GNU General Public License
  14 *      as published by the Free Software Foundation; either version
  15 *      2 of the License, or (at your option) any later version.
  16 */
  17
  18#include <linux/module.h>
  19#include <linux/capability.h>
  20#include <linux/errno.h>
  21#include <linux/types.h>
  22#include <linux/sockios.h>
  23#include <linux/icmp.h>
  24#include <linux/if.h>
  25#include <linux/in.h>
  26#include <linux/ip.h>
  27#include <linux/net.h>
  28#include <linux/in6.h>
  29#include <linux/netdevice.h>
  30#include <linux/if_arp.h>
  31#include <linux/icmpv6.h>
  32#include <linux/init.h>
  33#include <linux/route.h>
  34#include <linux/rtnetlink.h>
  35#include <linux/netfilter_ipv6.h>
  36#include <linux/slab.h>
  37#include <linux/hash.h>
  38
  39#include <linux/uaccess.h>
  40#include <linux/atomic.h>
  41
  42#include <net/icmp.h>
  43#include <net/ip.h>
  44#include <net/ip_tunnels.h>
  45#include <net/ipv6.h>
  46#include <net/ip6_route.h>
  47#include <net/addrconf.h>
  48#include <net/ip6_tunnel.h>
  49#include <net/xfrm.h>
  50#include <net/net_namespace.h>
  51#include <net/netns/generic.h>
  52#include <linux/etherdevice.h>
  53
  54#define IP6_VTI_HASH_SIZE_SHIFT  5
  55#define IP6_VTI_HASH_SIZE (1 << IP6_VTI_HASH_SIZE_SHIFT)
  56
  57static u32 HASH(const struct in6_addr *addr1, const struct in6_addr *addr2)
  58{
  59        u32 hash = ipv6_addr_hash(addr1) ^ ipv6_addr_hash(addr2);
  60
  61        return hash_32(hash, IP6_VTI_HASH_SIZE_SHIFT);
  62}
  63
  64static int vti6_dev_init(struct net_device *dev);
  65static void vti6_dev_setup(struct net_device *dev);
  66static struct rtnl_link_ops vti6_link_ops __read_mostly;
  67
  68static unsigned int vti6_net_id __read_mostly;
  69struct vti6_net {
  70        /* the vti6 tunnel fallback device */
  71        struct net_device *fb_tnl_dev;
  72        /* lists for storing tunnels in use */
  73        struct ip6_tnl __rcu *tnls_r_l[IP6_VTI_HASH_SIZE];
  74        struct ip6_tnl __rcu *tnls_wc[1];
  75        struct ip6_tnl __rcu **tnls[2];
  76};
  77
  78#define for_each_vti6_tunnel_rcu(start) \
  79        for (t = rcu_dereference(start); t; t = rcu_dereference(t->next))
  80
  81/**
  82 * vti6_tnl_lookup - fetch tunnel matching the end-point addresses
  83 *   @net: network namespace
  84 *   @remote: the address of the tunnel exit-point
  85 *   @local: the address of the tunnel entry-point
  86 *
  87 * Return:
  88 *   tunnel matching given end-points if found,
  89 *   else fallback tunnel if its device is up,
  90 *   else %NULL
  91 **/
  92static struct ip6_tnl *
  93vti6_tnl_lookup(struct net *net, const struct in6_addr *remote,
  94                const struct in6_addr *local)
  95{
  96        unsigned int hash = HASH(remote, local);
  97        struct ip6_tnl *t;
  98        struct vti6_net *ip6n = net_generic(net, vti6_net_id);
  99        struct in6_addr any;
 100
 101        for_each_vti6_tunnel_rcu(ip6n->tnls_r_l[hash]) {
 102                if (ipv6_addr_equal(local, &t->parms.laddr) &&
 103                    ipv6_addr_equal(remote, &t->parms.raddr) &&
 104                    (t->dev->flags & IFF_UP))
 105                        return t;
 106        }
 107
 108        memset(&any, 0, sizeof(any));
 109        hash = HASH(&any, local);
 110        for_each_vti6_tunnel_rcu(ip6n->tnls_r_l[hash]) {
 111                if (ipv6_addr_equal(local, &t->parms.laddr) &&
 112                    (t->dev->flags & IFF_UP))
 113                        return t;
 114        }
 115
 116        hash = HASH(remote, &any);
 117        for_each_vti6_tunnel_rcu(ip6n->tnls_r_l[hash]) {
 118                if (ipv6_addr_equal(remote, &t->parms.raddr) &&
 119                    (t->dev->flags & IFF_UP))
 120                        return t;
 121        }
 122
 123        t = rcu_dereference(ip6n->tnls_wc[0]);
 124        if (t && (t->dev->flags & IFF_UP))
 125                return t;
 126
 127        return NULL;
 128}
 129
 130/**
 131 * vti6_tnl_bucket - get head of list matching given tunnel parameters
 132 *   @p: parameters containing tunnel end-points
 133 *
 134 * Description:
 135 *   vti6_tnl_bucket() returns the head of the list matching the
 136 *   &struct in6_addr entries laddr and raddr in @p.
 137 *
 138 * Return: head of IPv6 tunnel list
 139 **/
 140static struct ip6_tnl __rcu **
 141vti6_tnl_bucket(struct vti6_net *ip6n, const struct __ip6_tnl_parm *p)
 142{
 143        const struct in6_addr *remote = &p->raddr;
 144        const struct in6_addr *local = &p->laddr;
 145        unsigned int h = 0;
 146        int prio = 0;
 147
 148        if (!ipv6_addr_any(remote) || !ipv6_addr_any(local)) {
 149                prio = 1;
 150                h = HASH(remote, local);
 151        }
 152        return &ip6n->tnls[prio][h];
 153}
 154
 155static void
 156vti6_tnl_link(struct vti6_net *ip6n, struct ip6_tnl *t)
 157{
 158        struct ip6_tnl __rcu **tp = vti6_tnl_bucket(ip6n, &t->parms);
 159
 160        rcu_assign_pointer(t->next , rtnl_dereference(*tp));
 161        rcu_assign_pointer(*tp, t);
 162}
 163
 164static void
 165vti6_tnl_unlink(struct vti6_net *ip6n, struct ip6_tnl *t)
 166{
 167        struct ip6_tnl __rcu **tp;
 168        struct ip6_tnl *iter;
 169
 170        for (tp = vti6_tnl_bucket(ip6n, &t->parms);
 171             (iter = rtnl_dereference(*tp)) != NULL;
 172             tp = &iter->next) {
 173                if (t == iter) {
 174                        rcu_assign_pointer(*tp, t->next);
 175                        break;
 176                }
 177        }
 178}
 179
 180static void vti6_dev_free(struct net_device *dev)
 181{
 182        free_percpu(dev->tstats);
 183}
 184
 185static int vti6_tnl_create2(struct net_device *dev)
 186{
 187        struct ip6_tnl *t = netdev_priv(dev);
 188        struct net *net = dev_net(dev);
 189        struct vti6_net *ip6n = net_generic(net, vti6_net_id);
 190        int err;
 191
 192        dev->rtnl_link_ops = &vti6_link_ops;
 193        err = register_netdevice(dev);
 194        if (err < 0)
 195                goto out;
 196
 197        strcpy(t->parms.name, dev->name);
 198
 199        dev_hold(dev);
 200        vti6_tnl_link(ip6n, t);
 201
 202        return 0;
 203
 204out:
 205        return err;
 206}
 207
 208static struct ip6_tnl *vti6_tnl_create(struct net *net, struct __ip6_tnl_parm *p)
 209{
 210        struct net_device *dev;
 211        struct ip6_tnl *t;
 212        char name[IFNAMSIZ];
 213        int err;
 214
 215        if (p->name[0]) {
 216                if (!dev_valid_name(p->name))
 217                        goto failed;
 218                strlcpy(name, p->name, IFNAMSIZ);
 219        } else {
 220                sprintf(name, "ip6_vti%%d");
 221        }
 222
 223        dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN, vti6_dev_setup);
 224        if (!dev)
 225                goto failed;
 226
 227        dev_net_set(dev, net);
 228
 229        t = netdev_priv(dev);
 230        t->parms = *p;
 231        t->net = dev_net(dev);
 232
 233        err = vti6_tnl_create2(dev);
 234        if (err < 0)
 235                goto failed_free;
 236
 237        return t;
 238
 239failed_free:
 240        free_netdev(dev);
 241failed:
 242        return NULL;
 243}
 244
 245/**
 246 * vti6_locate - find or create tunnel matching given parameters
 247 *   @net: network namespace
 248 *   @p: tunnel parameters
 249 *   @create: != 0 if allowed to create new tunnel if no match found
 250 *
 251 * Description:
 252 *   vti6_locate() first tries to locate an existing tunnel
 253 *   based on @parms. If this is unsuccessful, but @create is set a new
 254 *   tunnel device is created and registered for use.
 255 *
 256 * Return:
 257 *   matching tunnel or NULL
 258 **/
 259static struct ip6_tnl *vti6_locate(struct net *net, struct __ip6_tnl_parm *p,
 260                                   int create)
 261{
 262        const struct in6_addr *remote = &p->raddr;
 263        const struct in6_addr *local = &p->laddr;
 264        struct ip6_tnl __rcu **tp;
 265        struct ip6_tnl *t;
 266        struct vti6_net *ip6n = net_generic(net, vti6_net_id);
 267
 268        for (tp = vti6_tnl_bucket(ip6n, p);
 269             (t = rtnl_dereference(*tp)) != NULL;
 270             tp = &t->next) {
 271                if (ipv6_addr_equal(local, &t->parms.laddr) &&
 272                    ipv6_addr_equal(remote, &t->parms.raddr)) {
 273                        if (create)
 274                                return NULL;
 275
 276                        return t;
 277                }
 278        }
 279        if (!create)
 280                return NULL;
 281        return vti6_tnl_create(net, p);
 282}
 283
 284/**
 285 * vti6_dev_uninit - tunnel device uninitializer
 286 *   @dev: the device to be destroyed
 287 *
 288 * Description:
 289 *   vti6_dev_uninit() removes tunnel from its list
 290 **/
 291static void vti6_dev_uninit(struct net_device *dev)
 292{
 293        struct ip6_tnl *t = netdev_priv(dev);
 294        struct vti6_net *ip6n = net_generic(t->net, vti6_net_id);
 295
 296        if (dev == ip6n->fb_tnl_dev)
 297                RCU_INIT_POINTER(ip6n->tnls_wc[0], NULL);
 298        else
 299                vti6_tnl_unlink(ip6n, t);
 300        dev_put(dev);
 301}
 302
 303static int vti6_rcv(struct sk_buff *skb)
 304{
 305        struct ip6_tnl *t;
 306        const struct ipv6hdr *ipv6h = ipv6_hdr(skb);
 307
 308        rcu_read_lock();
 309        t = vti6_tnl_lookup(dev_net(skb->dev), &ipv6h->saddr, &ipv6h->daddr);
 310        if (t) {
 311                if (t->parms.proto != IPPROTO_IPV6 && t->parms.proto != 0) {
 312                        rcu_read_unlock();
 313                        goto discard;
 314                }
 315
 316                if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
 317                        rcu_read_unlock();
 318                        return 0;
 319                }
 320
 321                ipv6h = ipv6_hdr(skb);
 322                if (!ip6_tnl_rcv_ctl(t, &ipv6h->daddr, &ipv6h->saddr)) {
 323                        t->dev->stats.rx_dropped++;
 324                        rcu_read_unlock();
 325                        goto discard;
 326                }
 327
 328                rcu_read_unlock();
 329
 330                return xfrm6_rcv_tnl(skb, t);
 331        }
 332        rcu_read_unlock();
 333        return -EINVAL;
 334discard:
 335        kfree_skb(skb);
 336        return 0;
 337}
 338
 339static int vti6_rcv_cb(struct sk_buff *skb, int err)
 340{
 341        unsigned short family;
 342        struct net_device *dev;
 343        struct pcpu_sw_netstats *tstats;
 344        struct xfrm_state *x;
 345        struct xfrm_mode *inner_mode;
 346        struct ip6_tnl *t = XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6;
 347        u32 orig_mark = skb->mark;
 348        int ret;
 349
 350        if (!t)
 351                return 1;
 352
 353        dev = t->dev;
 354
 355        if (err) {
 356                dev->stats.rx_errors++;
 357                dev->stats.rx_dropped++;
 358
 359                return 0;
 360        }
 361
 362        x = xfrm_input_state(skb);
 363
 364        inner_mode = x->inner_mode;
 365
 366        if (x->sel.family == AF_UNSPEC) {
 367                inner_mode = xfrm_ip2inner_mode(x, XFRM_MODE_SKB_CB(skb)->protocol);
 368                if (inner_mode == NULL) {
 369                        XFRM_INC_STATS(dev_net(skb->dev),
 370                                       LINUX_MIB_XFRMINSTATEMODEERROR);
 371                        return -EINVAL;
 372                }
 373        }
 374
 375        family = inner_mode->afinfo->family;
 376
 377        skb->mark = be32_to_cpu(t->parms.i_key);
 378        ret = xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family);
 379        skb->mark = orig_mark;
 380
 381        if (!ret)
 382                return -EPERM;
 383
 384        skb_scrub_packet(skb, !net_eq(t->net, dev_net(skb->dev)));
 385        skb->dev = dev;
 386
 387        tstats = this_cpu_ptr(dev->tstats);
 388        u64_stats_update_begin(&tstats->syncp);
 389        tstats->rx_packets++;
 390        tstats->rx_bytes += skb->len;
 391        u64_stats_update_end(&tstats->syncp);
 392
 393        return 0;
 394}
 395
 396/**
 397 * vti6_addr_conflict - compare packet addresses to tunnel's own
 398 *   @t: the outgoing tunnel device
 399 *   @hdr: IPv6 header from the incoming packet
 400 *
 401 * Description:
 402 *   Avoid trivial tunneling loop by checking that tunnel exit-point
 403 *   doesn't match source of incoming packet.
 404 *
 405 * Return:
 406 *   1 if conflict,
 407 *   0 else
 408 **/
 409static inline bool
 410vti6_addr_conflict(const struct ip6_tnl *t, const struct ipv6hdr *hdr)
 411{
 412        return ipv6_addr_equal(&t->parms.raddr, &hdr->saddr);
 413}
 414
 415static bool vti6_state_check(const struct xfrm_state *x,
 416                             const struct in6_addr *dst,
 417                             const struct in6_addr *src)
 418{
 419        xfrm_address_t *daddr = (xfrm_address_t *)dst;
 420        xfrm_address_t *saddr = (xfrm_address_t *)src;
 421
 422        /* if there is no transform then this tunnel is not functional.
 423         * Or if the xfrm is not mode tunnel.
 424         */
 425        if (!x || x->props.mode != XFRM_MODE_TUNNEL ||
 426            x->props.family != AF_INET6)
 427                return false;
 428
 429        if (ipv6_addr_any(dst))
 430                return xfrm_addr_equal(saddr, &x->props.saddr, AF_INET6);
 431
 432        if (!xfrm_state_addr_check(x, daddr, saddr, AF_INET6))
 433                return false;
 434
 435        return true;
 436}
 437
 438/**
 439 * vti6_xmit - send a packet
 440 *   @skb: the outgoing socket buffer
 441 *   @dev: the outgoing tunnel device
 442 *   @fl: the flow informations for the xfrm_lookup
 443 **/
 444static int
 445vti6_xmit(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)
 446{
 447        struct ip6_tnl *t = netdev_priv(dev);
 448        struct net_device_stats *stats = &t->dev->stats;
 449        struct dst_entry *dst = skb_dst(skb);
 450        struct net_device *tdev;
 451        struct xfrm_state *x;
 452        int pkt_len = skb->len;
 453        int err = -1;
 454        int mtu;
 455
 456        if (!dst)
 457                goto tx_err_link_failure;
 458
 459        dst_hold(dst);
 460        dst = xfrm_lookup(t->net, dst, fl, NULL, 0);
 461        if (IS_ERR(dst)) {
 462                err = PTR_ERR(dst);
 463                dst = NULL;
 464                goto tx_err_link_failure;
 465        }
 466
 467        x = dst->xfrm;
 468        if (!vti6_state_check(x, &t->parms.raddr, &t->parms.laddr))
 469                goto tx_err_link_failure;
 470
 471        if (!ip6_tnl_xmit_ctl(t, (const struct in6_addr *)&x->props.saddr,
 472                              (const struct in6_addr *)&x->id.daddr))
 473                goto tx_err_link_failure;
 474
 475        tdev = dst->dev;
 476
 477        if (tdev == dev) {
 478                stats->collisions++;
 479                net_warn_ratelimited("%s: Local routing loop detected!\n",
 480                                     t->parms.name);
 481                goto tx_err_dst_release;
 482        }
 483
 484        mtu = dst_mtu(dst);
 485        if (skb->len > mtu) {
 486                skb_dst_update_pmtu(skb, mtu);
 487
 488                if (skb->protocol == htons(ETH_P_IPV6)) {
 489                        if (mtu < IPV6_MIN_MTU)
 490                                mtu = IPV6_MIN_MTU;
 491
 492                        icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
 493                } else {
 494                        icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
 495                                  htonl(mtu));
 496                }
 497
 498                err = -EMSGSIZE;
 499                goto tx_err_dst_release;
 500        }
 501
 502        skb_scrub_packet(skb, !net_eq(t->net, dev_net(dev)));
 503        skb_dst_set(skb, dst);
 504        skb->dev = skb_dst(skb)->dev;
 505
 506        err = dst_output(t->net, skb->sk, skb);
 507        if (net_xmit_eval(err) == 0)
 508                err = pkt_len;
 509        iptunnel_xmit_stats(dev, err);
 510
 511        return 0;
 512tx_err_link_failure:
 513        stats->tx_carrier_errors++;
 514        dst_link_failure(skb);
 515tx_err_dst_release:
 516        dst_release(dst);
 517        return err;
 518}
 519
 520static netdev_tx_t
 521vti6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
 522{
 523        struct ip6_tnl *t = netdev_priv(dev);
 524        struct net_device_stats *stats = &t->dev->stats;
 525        struct ipv6hdr *ipv6h;
 526        struct flowi fl;
 527        int ret;
 528
 529        memset(&fl, 0, sizeof(fl));
 530
 531        switch (skb->protocol) {
 532        case htons(ETH_P_IPV6):
 533                ipv6h = ipv6_hdr(skb);
 534
 535                if ((t->parms.proto != IPPROTO_IPV6 && t->parms.proto != 0) ||
 536                    vti6_addr_conflict(t, ipv6h))
 537                        goto tx_err;
 538
 539                xfrm_decode_session(skb, &fl, AF_INET6);
 540                memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
 541                break;
 542        case htons(ETH_P_IP):
 543                xfrm_decode_session(skb, &fl, AF_INET);
 544                memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
 545                break;
 546        default:
 547                goto tx_err;
 548        }
 549
 550        /* override mark with tunnel output key */
 551        fl.flowi_mark = be32_to_cpu(t->parms.o_key);
 552
 553        ret = vti6_xmit(skb, dev, &fl);
 554        if (ret < 0)
 555                goto tx_err;
 556
 557        return NETDEV_TX_OK;
 558
 559tx_err:
 560        stats->tx_errors++;
 561        stats->tx_dropped++;
 562        kfree_skb(skb);
 563        return NETDEV_TX_OK;
 564}
 565
 566static int vti6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
 567                    u8 type, u8 code, int offset, __be32 info)
 568{
 569        __be32 spi;
 570        __u32 mark;
 571        struct xfrm_state *x;
 572        struct ip6_tnl *t;
 573        struct ip_esp_hdr *esph;
 574        struct ip_auth_hdr *ah;
 575        struct ip_comp_hdr *ipch;
 576        struct net *net = dev_net(skb->dev);
 577        const struct ipv6hdr *iph = (const struct ipv6hdr *)skb->data;
 578        int protocol = iph->nexthdr;
 579
 580        t = vti6_tnl_lookup(dev_net(skb->dev), &iph->daddr, &iph->saddr);
 581        if (!t)
 582                return -1;
 583
 584        mark = be32_to_cpu(t->parms.o_key);
 585
 586        switch (protocol) {
 587        case IPPROTO_ESP:
 588                esph = (struct ip_esp_hdr *)(skb->data + offset);
 589                spi = esph->spi;
 590                break;
 591        case IPPROTO_AH:
 592                ah = (struct ip_auth_hdr *)(skb->data + offset);
 593                spi = ah->spi;
 594                break;
 595        case IPPROTO_COMP:
 596                ipch = (struct ip_comp_hdr *)(skb->data + offset);
 597                spi = htonl(ntohs(ipch->cpi));
 598                break;
 599        default:
 600                return 0;
 601        }
 602
 603        if (type != ICMPV6_PKT_TOOBIG &&
 604            type != NDISC_REDIRECT)
 605                return 0;
 606
 607        x = xfrm_state_lookup(net, mark, (const xfrm_address_t *)&iph->daddr,
 608                              spi, protocol, AF_INET6);
 609        if (!x)
 610                return 0;
 611
 612        if (type == NDISC_REDIRECT)
 613                ip6_redirect(skb, net, skb->dev->ifindex, 0,
 614                             sock_net_uid(net, NULL));
 615        else
 616                ip6_update_pmtu(skb, net, info, 0, 0, sock_net_uid(net, NULL));
 617        xfrm_state_put(x);
 618
 619        return 0;
 620}
 621
 622static void vti6_link_config(struct ip6_tnl *t, bool keep_mtu)
 623{
 624        struct net_device *dev = t->dev;
 625        struct __ip6_tnl_parm *p = &t->parms;
 626        struct net_device *tdev = NULL;
 627        int mtu;
 628
 629        memcpy(dev->dev_addr, &p->laddr, sizeof(struct in6_addr));
 630        memcpy(dev->broadcast, &p->raddr, sizeof(struct in6_addr));
 631
 632        p->flags &= ~(IP6_TNL_F_CAP_XMIT | IP6_TNL_F_CAP_RCV |
 633                      IP6_TNL_F_CAP_PER_PACKET);
 634        p->flags |= ip6_tnl_get_cap(t, &p->laddr, &p->raddr);
 635
 636        if (p->flags & IP6_TNL_F_CAP_XMIT && p->flags & IP6_TNL_F_CAP_RCV)
 637                dev->flags |= IFF_POINTOPOINT;
 638        else
 639                dev->flags &= ~IFF_POINTOPOINT;
 640
 641        if (keep_mtu && dev->mtu) {
 642                dev->mtu = clamp(dev->mtu, dev->min_mtu, dev->max_mtu);
 643                return;
 644        }
 645
 646        if (p->flags & IP6_TNL_F_CAP_XMIT) {
 647                int strict = (ipv6_addr_type(&p->raddr) &
 648                              (IPV6_ADDR_MULTICAST | IPV6_ADDR_LINKLOCAL));
 649                struct rt6_info *rt = rt6_lookup(t->net,
 650                                                 &p->raddr, &p->laddr,
 651                                                 p->link, NULL, strict);
 652
 653                if (rt)
 654                        tdev = rt->dst.dev;
 655                ip6_rt_put(rt);
 656        }
 657
 658        if (!tdev && p->link)
 659                tdev = __dev_get_by_index(t->net, p->link);
 660
 661        if (tdev)
 662                mtu = tdev->mtu - sizeof(struct ipv6hdr);
 663        else
 664                mtu = ETH_DATA_LEN - LL_MAX_HEADER - sizeof(struct ipv6hdr);
 665
 666        dev->mtu = max_t(int, mtu, IPV4_MIN_MTU);
 667}
 668
 669/**
 670 * vti6_tnl_change - update the tunnel parameters
 671 *   @t: tunnel to be changed
 672 *   @p: tunnel configuration parameters
 673 *   @keep_mtu: MTU was set from userspace, don't re-compute it
 674 *
 675 * Description:
 676 *   vti6_tnl_change() updates the tunnel parameters
 677 **/
 678static int
 679vti6_tnl_change(struct ip6_tnl *t, const struct __ip6_tnl_parm *p,
 680                bool keep_mtu)
 681{
 682        t->parms.laddr = p->laddr;
 683        t->parms.raddr = p->raddr;
 684        t->parms.link = p->link;
 685        t->parms.i_key = p->i_key;
 686        t->parms.o_key = p->o_key;
 687        t->parms.proto = p->proto;
 688        t->parms.fwmark = p->fwmark;
 689        dst_cache_reset(&t->dst_cache);
 690        vti6_link_config(t, keep_mtu);
 691        return 0;
 692}
 693
 694static int vti6_update(struct ip6_tnl *t, struct __ip6_tnl_parm *p,
 695                       bool keep_mtu)
 696{
 697        struct net *net = dev_net(t->dev);
 698        struct vti6_net *ip6n = net_generic(net, vti6_net_id);
 699        int err;
 700
 701        vti6_tnl_unlink(ip6n, t);
 702        synchronize_net();
 703        err = vti6_tnl_change(t, p, keep_mtu);
 704        vti6_tnl_link(ip6n, t);
 705        netdev_state_change(t->dev);
 706        return err;
 707}
 708
 709static void
 710vti6_parm_from_user(struct __ip6_tnl_parm *p, const struct ip6_tnl_parm2 *u)
 711{
 712        p->laddr = u->laddr;
 713        p->raddr = u->raddr;
 714        p->link = u->link;
 715        p->i_key = u->i_key;
 716        p->o_key = u->o_key;
 717        p->proto = u->proto;
 718
 719        memcpy(p->name, u->name, sizeof(u->name));
 720}
 721
 722static void
 723vti6_parm_to_user(struct ip6_tnl_parm2 *u, const struct __ip6_tnl_parm *p)
 724{
 725        u->laddr = p->laddr;
 726        u->raddr = p->raddr;
 727        u->link = p->link;
 728        u->i_key = p->i_key;
 729        u->o_key = p->o_key;
 730        if (u->i_key)
 731                u->i_flags |= GRE_KEY;
 732        if (u->o_key)
 733                u->o_flags |= GRE_KEY;
 734        u->proto = p->proto;
 735
 736        memcpy(u->name, p->name, sizeof(u->name));
 737}
 738
 739/**
 740 * vti6_ioctl - configure vti6 tunnels from userspace
 741 *   @dev: virtual device associated with tunnel
 742 *   @ifr: parameters passed from userspace
 743 *   @cmd: command to be performed
 744 *
 745 * Description:
 746 *   vti6_ioctl() is used for managing vti6 tunnels
 747 *   from userspace.
 748 *
 749 *   The possible commands are the following:
 750 *     %SIOCGETTUNNEL: get tunnel parameters for device
 751 *     %SIOCADDTUNNEL: add tunnel matching given tunnel parameters
 752 *     %SIOCCHGTUNNEL: change tunnel parameters to those given
 753 *     %SIOCDELTUNNEL: delete tunnel
 754 *
 755 *   The fallback device "ip6_vti0", created during module
 756 *   initialization, can be used for creating other tunnel devices.
 757 *
 758 * Return:
 759 *   0 on success,
 760 *   %-EFAULT if unable to copy data to or from userspace,
 761 *   %-EPERM if current process hasn't %CAP_NET_ADMIN set
 762 *   %-EINVAL if passed tunnel parameters are invalid,
 763 *   %-EEXIST if changing a tunnel's parameters would cause a conflict
 764 *   %-ENODEV if attempting to change or delete a nonexisting device
 765 **/
 766static int
 767vti6_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
 768{
 769        int err = 0;
 770        struct ip6_tnl_parm2 p;
 771        struct __ip6_tnl_parm p1;
 772        struct ip6_tnl *t = NULL;
 773        struct net *net = dev_net(dev);
 774        struct vti6_net *ip6n = net_generic(net, vti6_net_id);
 775
 776        switch (cmd) {
 777        case SIOCGETTUNNEL:
 778                if (dev == ip6n->fb_tnl_dev) {
 779                        if (copy_from_user(&p, ifr->ifr_ifru.ifru_data, sizeof(p))) {
 780                                err = -EFAULT;
 781                                break;
 782                        }
 783                        vti6_parm_from_user(&p1, &p);
 784                        t = vti6_locate(net, &p1, 0);
 785                } else {
 786                        memset(&p, 0, sizeof(p));
 787                }
 788                if (!t)
 789                        t = netdev_priv(dev);
 790                vti6_parm_to_user(&p, &t->parms);
 791                if (copy_to_user(ifr->ifr_ifru.ifru_data, &p, sizeof(p)))
 792                        err = -EFAULT;
 793                break;
 794        case SIOCADDTUNNEL:
 795        case SIOCCHGTUNNEL:
 796                err = -EPERM;
 797                if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
 798                        break;
 799                err = -EFAULT;
 800                if (copy_from_user(&p, ifr->ifr_ifru.ifru_data, sizeof(p)))
 801                        break;
 802                err = -EINVAL;
 803                if (p.proto != IPPROTO_IPV6  && p.proto != 0)
 804                        break;
 805                vti6_parm_from_user(&p1, &p);
 806                t = vti6_locate(net, &p1, cmd == SIOCADDTUNNEL);
 807                if (dev != ip6n->fb_tnl_dev && cmd == SIOCCHGTUNNEL) {
 808                        if (t) {
 809                                if (t->dev != dev) {
 810                                        err = -EEXIST;
 811                                        break;
 812                                }
 813                        } else
 814                                t = netdev_priv(dev);
 815
 816                        err = vti6_update(t, &p1, false);
 817                }
 818                if (t) {
 819                        err = 0;
 820                        vti6_parm_to_user(&p, &t->parms);
 821                        if (copy_to_user(ifr->ifr_ifru.ifru_data, &p, sizeof(p)))
 822                                err = -EFAULT;
 823
 824                } else
 825                        err = (cmd == SIOCADDTUNNEL ? -ENOBUFS : -ENOENT);
 826                break;
 827        case SIOCDELTUNNEL:
 828                err = -EPERM;
 829                if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
 830                        break;
 831
 832                if (dev == ip6n->fb_tnl_dev) {
 833                        err = -EFAULT;
 834                        if (copy_from_user(&p, ifr->ifr_ifru.ifru_data, sizeof(p)))
 835                                break;
 836                        err = -ENOENT;
 837                        vti6_parm_from_user(&p1, &p);
 838                        t = vti6_locate(net, &p1, 0);
 839                        if (!t)
 840                                break;
 841                        err = -EPERM;
 842                        if (t->dev == ip6n->fb_tnl_dev)
 843                                break;
 844                        dev = t->dev;
 845                }
 846                err = 0;
 847                unregister_netdevice(dev);
 848                break;
 849        default:
 850                err = -EINVAL;
 851        }
 852        return err;
 853}
 854
 855static const struct net_device_ops vti6_netdev_ops = {
 856        .ndo_init       = vti6_dev_init,
 857        .ndo_uninit     = vti6_dev_uninit,
 858        .ndo_start_xmit = vti6_tnl_xmit,
 859        .ndo_do_ioctl   = vti6_ioctl,
 860        .ndo_get_stats64 = ip_tunnel_get_stats64,
 861        .ndo_get_iflink = ip6_tnl_get_iflink,
 862};
 863
 864/**
 865 * vti6_dev_setup - setup virtual tunnel device
 866 *   @dev: virtual device associated with tunnel
 867 *
 868 * Description:
 869 *   Initialize function pointers and device parameters
 870 **/
 871static void vti6_dev_setup(struct net_device *dev)
 872{
 873        dev->netdev_ops = &vti6_netdev_ops;
 874        dev->needs_free_netdev = true;
 875        dev->priv_destructor = vti6_dev_free;
 876
 877        dev->type = ARPHRD_TUNNEL6;
 878        dev->min_mtu = IPV4_MIN_MTU;
 879        dev->max_mtu = IP_MAX_MTU - sizeof(struct ipv6hdr);
 880        dev->flags |= IFF_NOARP;
 881        dev->addr_len = sizeof(struct in6_addr);
 882        netif_keep_dst(dev);
 883        /* This perm addr will be used as interface identifier by IPv6 */
 884        dev->addr_assign_type = NET_ADDR_RANDOM;
 885        eth_random_addr(dev->perm_addr);
 886}
 887
 888/**
 889 * vti6_dev_init_gen - general initializer for all tunnel devices
 890 *   @dev: virtual device associated with tunnel
 891 **/
 892static inline int vti6_dev_init_gen(struct net_device *dev)
 893{
 894        struct ip6_tnl *t = netdev_priv(dev);
 895
 896        t->dev = dev;
 897        t->net = dev_net(dev);
 898        dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats);
 899        if (!dev->tstats)
 900                return -ENOMEM;
 901        return 0;
 902}
 903
 904/**
 905 * vti6_dev_init - initializer for all non fallback tunnel devices
 906 *   @dev: virtual device associated with tunnel
 907 **/
 908static int vti6_dev_init(struct net_device *dev)
 909{
 910        struct ip6_tnl *t = netdev_priv(dev);
 911        int err = vti6_dev_init_gen(dev);
 912
 913        if (err)
 914                return err;
 915        vti6_link_config(t, true);
 916        return 0;
 917}
 918
 919/**
 920 * vti6_fb_tnl_dev_init - initializer for fallback tunnel device
 921 *   @dev: fallback device
 922 *
 923 * Return: 0
 924 **/
 925static int __net_init vti6_fb_tnl_dev_init(struct net_device *dev)
 926{
 927        struct ip6_tnl *t = netdev_priv(dev);
 928        struct net *net = dev_net(dev);
 929        struct vti6_net *ip6n = net_generic(net, vti6_net_id);
 930
 931        t->parms.proto = IPPROTO_IPV6;
 932        dev_hold(dev);
 933
 934        rcu_assign_pointer(ip6n->tnls_wc[0], t);
 935        return 0;
 936}
 937
 938static int vti6_validate(struct nlattr *tb[], struct nlattr *data[],
 939                         struct netlink_ext_ack *extack)
 940{
 941        return 0;
 942}
 943
 944static void vti6_netlink_parms(struct nlattr *data[],
 945                               struct __ip6_tnl_parm *parms)
 946{
 947        memset(parms, 0, sizeof(*parms));
 948
 949        if (!data)
 950                return;
 951
 952        if (data[IFLA_VTI_LINK])
 953                parms->link = nla_get_u32(data[IFLA_VTI_LINK]);
 954
 955        if (data[IFLA_VTI_LOCAL])
 956                parms->laddr = nla_get_in6_addr(data[IFLA_VTI_LOCAL]);
 957
 958        if (data[IFLA_VTI_REMOTE])
 959                parms->raddr = nla_get_in6_addr(data[IFLA_VTI_REMOTE]);
 960
 961        if (data[IFLA_VTI_IKEY])
 962                parms->i_key = nla_get_be32(data[IFLA_VTI_IKEY]);
 963
 964        if (data[IFLA_VTI_OKEY])
 965                parms->o_key = nla_get_be32(data[IFLA_VTI_OKEY]);
 966
 967        if (data[IFLA_VTI_FWMARK])
 968                parms->fwmark = nla_get_u32(data[IFLA_VTI_FWMARK]);
 969}
 970
 971static int vti6_newlink(struct net *src_net, struct net_device *dev,
 972                        struct nlattr *tb[], struct nlattr *data[],
 973                        struct netlink_ext_ack *extack)
 974{
 975        struct net *net = dev_net(dev);
 976        struct ip6_tnl *nt;
 977
 978        nt = netdev_priv(dev);
 979        vti6_netlink_parms(data, &nt->parms);
 980
 981        nt->parms.proto = IPPROTO_IPV6;
 982
 983        if (vti6_locate(net, &nt->parms, 0))
 984                return -EEXIST;
 985
 986        return vti6_tnl_create2(dev);
 987}
 988
 989static void vti6_dellink(struct net_device *dev, struct list_head *head)
 990{
 991        struct net *net = dev_net(dev);
 992        struct vti6_net *ip6n = net_generic(net, vti6_net_id);
 993
 994        if (dev != ip6n->fb_tnl_dev)
 995                unregister_netdevice_queue(dev, head);
 996}
 997
 998static int vti6_changelink(struct net_device *dev, struct nlattr *tb[],
 999                           struct nlattr *data[],
1000                           struct netlink_ext_ack *extack)
1001{
1002        struct ip6_tnl *t;
1003        struct __ip6_tnl_parm p;
1004        struct net *net = dev_net(dev);
1005        struct vti6_net *ip6n = net_generic(net, vti6_net_id);
1006
1007        if (dev == ip6n->fb_tnl_dev)
1008                return -EINVAL;
1009
1010        vti6_netlink_parms(data, &p);
1011
1012        t = vti6_locate(net, &p, 0);
1013
1014        if (t) {
1015                if (t->dev != dev)
1016                        return -EEXIST;
1017        } else
1018                t = netdev_priv(dev);
1019
1020        return vti6_update(t, &p, tb && tb[IFLA_MTU]);
1021}
1022
1023static size_t vti6_get_size(const struct net_device *dev)
1024{
1025        return
1026                /* IFLA_VTI_LINK */
1027                nla_total_size(4) +
1028                /* IFLA_VTI_LOCAL */
1029                nla_total_size(sizeof(struct in6_addr)) +
1030                /* IFLA_VTI_REMOTE */
1031                nla_total_size(sizeof(struct in6_addr)) +
1032                /* IFLA_VTI_IKEY */
1033                nla_total_size(4) +
1034                /* IFLA_VTI_OKEY */
1035                nla_total_size(4) +
1036                /* IFLA_VTI_FWMARK */
1037                nla_total_size(4) +
1038                0;
1039}
1040
1041static int vti6_fill_info(struct sk_buff *skb, const struct net_device *dev)
1042{
1043        struct ip6_tnl *tunnel = netdev_priv(dev);
1044        struct __ip6_tnl_parm *parm = &tunnel->parms;
1045
1046        if (nla_put_u32(skb, IFLA_VTI_LINK, parm->link) ||
1047            nla_put_in6_addr(skb, IFLA_VTI_LOCAL, &parm->laddr) ||
1048            nla_put_in6_addr(skb, IFLA_VTI_REMOTE, &parm->raddr) ||
1049            nla_put_be32(skb, IFLA_VTI_IKEY, parm->i_key) ||
1050            nla_put_be32(skb, IFLA_VTI_OKEY, parm->o_key) ||
1051            nla_put_u32(skb, IFLA_VTI_FWMARK, parm->fwmark))
1052                goto nla_put_failure;
1053        return 0;
1054
1055nla_put_failure:
1056        return -EMSGSIZE;
1057}
1058
1059static const struct nla_policy vti6_policy[IFLA_VTI_MAX + 1] = {
1060        [IFLA_VTI_LINK]         = { .type = NLA_U32 },
1061        [IFLA_VTI_LOCAL]        = { .len = sizeof(struct in6_addr) },
1062        [IFLA_VTI_REMOTE]       = { .len = sizeof(struct in6_addr) },
1063        [IFLA_VTI_IKEY]         = { .type = NLA_U32 },
1064        [IFLA_VTI_OKEY]         = { .type = NLA_U32 },
1065        [IFLA_VTI_FWMARK]       = { .type = NLA_U32 },
1066};
1067
1068static struct rtnl_link_ops vti6_link_ops __read_mostly = {
1069        .kind           = "vti6",
1070        .maxtype        = IFLA_VTI_MAX,
1071        .policy         = vti6_policy,
1072        .priv_size      = sizeof(struct ip6_tnl),
1073        .setup          = vti6_dev_setup,
1074        .validate       = vti6_validate,
1075        .newlink        = vti6_newlink,
1076        .dellink        = vti6_dellink,
1077        .changelink     = vti6_changelink,
1078        .get_size       = vti6_get_size,
1079        .fill_info      = vti6_fill_info,
1080        .get_link_net   = ip6_tnl_get_link_net,
1081};
1082
1083static void __net_exit vti6_destroy_tunnels(struct vti6_net *ip6n,
1084                                            struct list_head *list)
1085{
1086        int h;
1087        struct ip6_tnl *t;
1088
1089        for (h = 0; h < IP6_VTI_HASH_SIZE; h++) {
1090                t = rtnl_dereference(ip6n->tnls_r_l[h]);
1091                while (t) {
1092                        unregister_netdevice_queue(t->dev, list);
1093                        t = rtnl_dereference(t->next);
1094                }
1095        }
1096
1097        t = rtnl_dereference(ip6n->tnls_wc[0]);
1098        if (t)
1099                unregister_netdevice_queue(t->dev, list);
1100}
1101
1102static int __net_init vti6_init_net(struct net *net)
1103{
1104        struct vti6_net *ip6n = net_generic(net, vti6_net_id);
1105        struct ip6_tnl *t = NULL;
1106        int err;
1107
1108        ip6n->tnls[0] = ip6n->tnls_wc;
1109        ip6n->tnls[1] = ip6n->tnls_r_l;
1110
1111        if (!net_has_fallback_tunnels(net))
1112                return 0;
1113        err = -ENOMEM;
1114        ip6n->fb_tnl_dev = alloc_netdev(sizeof(struct ip6_tnl), "ip6_vti0",
1115                                        NET_NAME_UNKNOWN, vti6_dev_setup);
1116
1117        if (!ip6n->fb_tnl_dev)
1118                goto err_alloc_dev;
1119        dev_net_set(ip6n->fb_tnl_dev, net);
1120        ip6n->fb_tnl_dev->rtnl_link_ops = &vti6_link_ops;
1121
1122        err = vti6_fb_tnl_dev_init(ip6n->fb_tnl_dev);
1123        if (err < 0)
1124                goto err_register;
1125
1126        err = register_netdev(ip6n->fb_tnl_dev);
1127        if (err < 0)
1128                goto err_register;
1129
1130        t = netdev_priv(ip6n->fb_tnl_dev);
1131
1132        strcpy(t->parms.name, ip6n->fb_tnl_dev->name);
1133        return 0;
1134
1135err_register:
1136        free_netdev(ip6n->fb_tnl_dev);
1137err_alloc_dev:
1138        return err;
1139}
1140
1141static void __net_exit vti6_exit_batch_net(struct list_head *net_list)
1142{
1143        struct vti6_net *ip6n;
1144        struct net *net;
1145        LIST_HEAD(list);
1146
1147        rtnl_lock();
1148        list_for_each_entry(net, net_list, exit_list) {
1149                ip6n = net_generic(net, vti6_net_id);
1150                vti6_destroy_tunnels(ip6n, &list);
1151        }
1152        unregister_netdevice_many(&list);
1153        rtnl_unlock();
1154}
1155
1156static struct pernet_operations vti6_net_ops = {
1157        .init = vti6_init_net,
1158        .exit_batch = vti6_exit_batch_net,
1159        .id   = &vti6_net_id,
1160        .size = sizeof(struct vti6_net),
1161};
1162
1163static struct xfrm6_protocol vti_esp6_protocol __read_mostly = {
1164        .handler        =       vti6_rcv,
1165        .cb_handler     =       vti6_rcv_cb,
1166        .err_handler    =       vti6_err,
1167        .priority       =       100,
1168};
1169
1170static struct xfrm6_protocol vti_ah6_protocol __read_mostly = {
1171        .handler        =       vti6_rcv,
1172        .cb_handler     =       vti6_rcv_cb,
1173        .err_handler    =       vti6_err,
1174        .priority       =       100,
1175};
1176
1177static struct xfrm6_protocol vti_ipcomp6_protocol __read_mostly = {
1178        .handler        =       vti6_rcv,
1179        .cb_handler     =       vti6_rcv_cb,
1180        .err_handler    =       vti6_err,
1181        .priority       =       100,
1182};
1183
1184/**
1185 * vti6_tunnel_init - register protocol and reserve needed resources
1186 *
1187 * Return: 0 on success
1188 **/
1189static int __init vti6_tunnel_init(void)
1190{
1191        const char *msg;
1192        int err;
1193
1194        msg = "tunnel device";
1195        err = register_pernet_device(&vti6_net_ops);
1196        if (err < 0)
1197                goto pernet_dev_failed;
1198
1199        msg = "tunnel protocols";
1200        err = xfrm6_protocol_register(&vti_esp6_protocol, IPPROTO_ESP);
1201        if (err < 0)
1202                goto xfrm_proto_esp_failed;
1203        err = xfrm6_protocol_register(&vti_ah6_protocol, IPPROTO_AH);
1204        if (err < 0)
1205                goto xfrm_proto_ah_failed;
1206        err = xfrm6_protocol_register(&vti_ipcomp6_protocol, IPPROTO_COMP);
1207        if (err < 0)
1208                goto xfrm_proto_comp_failed;
1209
1210        msg = "netlink interface";
1211        err = rtnl_link_register(&vti6_link_ops);
1212        if (err < 0)
1213                goto rtnl_link_failed;
1214
1215        return 0;
1216
1217rtnl_link_failed:
1218        xfrm6_protocol_deregister(&vti_ipcomp6_protocol, IPPROTO_COMP);
1219xfrm_proto_comp_failed:
1220        xfrm6_protocol_deregister(&vti_ah6_protocol, IPPROTO_AH);
1221xfrm_proto_ah_failed:
1222        xfrm6_protocol_deregister(&vti_esp6_protocol, IPPROTO_ESP);
1223xfrm_proto_esp_failed:
1224        unregister_pernet_device(&vti6_net_ops);
1225pernet_dev_failed:
1226        pr_err("vti6 init: failed to register %s\n", msg);
1227        return err;
1228}
1229
1230/**
1231 * vti6_tunnel_cleanup - free resources and unregister protocol
1232 **/
1233static void __exit vti6_tunnel_cleanup(void)
1234{
1235        rtnl_link_unregister(&vti6_link_ops);
1236        xfrm6_protocol_deregister(&vti_ipcomp6_protocol, IPPROTO_COMP);
1237        xfrm6_protocol_deregister(&vti_ah6_protocol, IPPROTO_AH);
1238        xfrm6_protocol_deregister(&vti_esp6_protocol, IPPROTO_ESP);
1239        unregister_pernet_device(&vti6_net_ops);
1240}
1241
1242module_init(vti6_tunnel_init);
1243module_exit(vti6_tunnel_cleanup);
1244MODULE_LICENSE("GPL");
1245MODULE_ALIAS_RTNL_LINK("vti6");
1246MODULE_ALIAS_NETDEV("ip6_vti0");
1247MODULE_AUTHOR("Steffen Klassert");
1248MODULE_DESCRIPTION("IPv6 virtual tunnel interface");
1249