2 /* $KAME: if_stf.c,v 1.73 2001/12/03 11:08:30 keiichi Exp $ */
5 * Copyright (C) 2000 WIDE Project.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * 6to4 interface, based on RFC3056.
36 * 6to4 interface is NOT capable of link-layer (I mean, IPv4) multicasting.
37 * There is no address mapping defined from IPv6 multicast address to IPv4
38 * address. Therefore, we do not have IFF_MULTICAST on the interface.
40 * Due to the lack of address mapping for link-local addresses, we cannot
41 * throw packets toward link-local addresses (fe80::x). Also, we cannot throw
42 * packets to link-local multicast addresses (ff02::x).
44 * Here are interesting symptoms due to the lack of link-local address:
46 * Unicast routing exchange:
47 * - RIPng: Impossible. Uses link-local multicast packet toward ff02::9,
48 * and link-local addresses as nexthop.
49 * - OSPFv6: Impossible. OSPFv6 assumes that there's link-local address
50 * assigned to the link, and makes use of them. Also, HELLO packets use
51 * link-local multicast addresses (ff02::5 and ff02::6).
52 * - BGP4+: Maybe. You can only use global address as nexthop, and global
53 * address as TCP endpoint address.
55 * Multicast routing protocols:
56 * - PIM: Hello packet cannot be used to discover adjacent PIM routers.
57 * Adjacent PIM routers must be configured manually (is it really spec-wise
58 * correct thing to do?).
61 * - Redirects cannot be used due to the lack of link-local address.
63 * stf interface does not have, and will not need, a link-local address.
64 * It seems to have no real benefit and does not help the above symptoms much.
65 * Even if we assign link-locals to interface, we cannot really
66 * use link-local unicast/multicast on top of 6to4 cloud (since there's no
67 * encapsulation defined for link-local address), and the above analysis does
68 * not change. RFC3056 does not mandate the assignment of link-local address
71 * 6to4 interface has security issues. Refer to
72 * http://playground.iijlab.net/i-d/draft-itojun-ipv6-transition-abuse-00.txt
73 * for details. The code tries to filter out some of malicious packets.
74 * Note that there is no way to be 100% secure.
77 #include <sys/param.h>
78 #include <sys/systm.h>
79 #include <sys/socket.h>
80 #include <sys/sockio.h>
82 #include <sys/errno.h>
83 #include <sys/kernel.h>
85 #include <sys/module.h>
86 #include <sys/protosw.h>
88 #include <sys/queue.h>
89 #include <sys/rmlock.h>
90 #include <sys/sysctl.h>
91 #include <machine/cpu.h>
93 #include <sys/malloc.h>
96 #include <net/if_var.h>
97 #include <net/if_clone.h>
98 #include <net/route.h>
99 #include <net/netisr.h>
100 #include <net/if_types.h>
101 #include <net/vnet.h>
103 #include <netinet/in.h>
104 #include <netinet/in_fib.h>
105 #include <netinet/in_systm.h>
106 #include <netinet/ip.h>
107 #include <netinet/ip_var.h>
108 #include <netinet/in_var.h>
110 #include <netinet/ip6.h>
111 #include <netinet6/ip6_var.h>
112 #include <netinet6/in6_var.h>
113 #include <netinet/ip_ecn.h>
115 #include <netinet/ip_encap.h>
117 #include <machine/stdarg.h>
121 #include <security/mac/mac_framework.h>
123 SYSCTL_DECL(_net_link
);
124 static SYSCTL_NODE(_net_link
, IFT_STF
, stf
, CTLFLAG_RW
, 0, "6to4 Interface");
126 static int stf_permit_rfc1918
= 0;
127 SYSCTL_INT(_net_link_stf
, OID_AUTO
, permit_rfc1918
, CTLFLAG_RWTUN
,
128 &stf_permit_rfc1918
, 0, "Permit the use of private IPv4 addresses");
132 #define IN6_IS_ADDR_6TO4(x) (ntohs((x)->s6_addr16[0]) == 0x2002)
135 * XXX: Return a pointer with 16-bit aligned. Don't cast it to
136 * struct in_addr *; use bcopy() instead.
138 #define GET_V4(x) (&(x)->s6_addr16[1])
141 struct ifnet
*sc_ifp
;
142 struct mtx sc_ro_mtx
;
144 const struct encaptab
*encap_cookie
;
146 #define STF2IFP(sc) ((sc)->sc_ifp)
148 static const char stfname
[] = "stf";
151 * Note that mutable fields in the softc are not currently locked.
152 * We do lock sc_ro in stf_output though.
154 static MALLOC_DEFINE(M_STF
, stfname
, "6to4 Tunnel Interface");
155 static const int ip_stf_ttl
= 40;
157 extern struct domain inetdomain
;
158 static int in_stf_input(struct mbuf
**, int *, int);
159 static struct protosw in_stf_protosw
= {
161 .pr_domain
= &inetdomain
,
162 .pr_protocol
= IPPROTO_IPV6
,
163 .pr_flags
= PR_ATOMIC
|PR_ADDR
,
164 .pr_input
= in_stf_input
,
165 .pr_output
= rip_output
,
166 .pr_ctloutput
= rip_ctloutput
,
167 .pr_usrreqs
= &rip_usrreqs
170 static char *stfnames
[] = {"stf0", "stf", "6to4", NULL
};
172 static int stfmodevent(module_t
, int, void *);
173 static int stf_encapcheck(const struct mbuf
*, int, int, void *);
174 static int stf_getsrcifa6(struct ifnet
*, struct in6_addr
*, struct in6_addr
*);
175 static int stf_output(struct ifnet
*, struct mbuf
*, const struct sockaddr
*,
177 static int isrfc1918addr(struct in_addr
*);
178 static int stf_checkaddr4(struct stf_softc
*, struct in_addr
*,
180 static int stf_checkaddr6(struct stf_softc
*, struct in6_addr
*,
182 static int stf_ioctl(struct ifnet
*, u_long
, caddr_t
);
184 static int stf_clone_match(struct if_clone
*, const char *);
185 static int stf_clone_create(struct if_clone
*, char *, size_t, caddr_t
);
186 static int stf_clone_destroy(struct if_clone
*, struct ifnet
*);
187 static struct if_clone
*stf_cloner
;
190 stf_clone_match(struct if_clone
*ifc
, const char *name
)
194 for(i
= 0; stfnames
[i
] != NULL
; i
++) {
195 if (strcmp(stfnames
[i
], name
) == 0)
203 stf_clone_create(struct if_clone
*ifc
, char *name
, size_t len
, caddr_t params
)
206 struct stf_softc
*sc
;
210 * We can only have one unit, but since unit allocation is
211 * already locked, we use it to keep from allocating extra
215 err
= ifc_alloc_unit(ifc
, &unit
);
219 sc
= malloc(sizeof(struct stf_softc
), M_STF
, M_WAITOK
| M_ZERO
);
220 ifp
= STF2IFP(sc
) = if_alloc(IFT_STF
);
223 ifc_free_unit(ifc
, unit
);
227 sc
->sc_fibnum
= curthread
->td_proc
->p_fibnum
;
230 * Set the name manually rather then using if_initname because
231 * we don't conform to the default naming convention for interfaces.
233 strlcpy(ifp
->if_xname
, name
, IFNAMSIZ
);
234 ifp
->if_dname
= stfname
;
235 ifp
->if_dunit
= IF_DUNIT_NONE
;
237 mtx_init(&(sc
)->sc_ro_mtx
, "stf ro", NULL
, MTX_DEF
);
238 sc
->encap_cookie
= encap_attach_func(AF_INET
, IPPROTO_IPV6
,
239 stf_encapcheck
, &in_stf_protosw
, sc
);
240 if (sc
->encap_cookie
== NULL
) {
241 if_printf(ifp
, "attach failed\n");
243 ifc_free_unit(ifc
, unit
);
247 ifp
->if_mtu
= IPV6_MMTU
;
248 ifp
->if_ioctl
= stf_ioctl
;
249 ifp
->if_output
= stf_output
;
250 ifp
->if_snd
.ifq_maxlen
= ifqmaxlen
;
252 bpfattach(ifp
, DLT_NULL
, sizeof(u_int32_t
));
257 stf_clone_destroy(struct if_clone
*ifc
, struct ifnet
*ifp
)
259 struct stf_softc
*sc
= ifp
->if_softc
;
262 err
= encap_detach(sc
->encap_cookie
);
263 KASSERT(err
== 0, ("Unexpected error detaching encap_cookie"));
264 mtx_destroy(&(sc
)->sc_ro_mtx
);
270 ifc_free_unit(ifc
, STFUNIT
);
276 stfmodevent(module_t mod
, int type
, void *data
)
281 stf_cloner
= if_clone_advanced(stfname
, 0, stf_clone_match
,
282 stf_clone_create
, stf_clone_destroy
);
285 if_clone_detach(stf_cloner
);
294 static moduledata_t stf_mod
= {
300 DECLARE_MODULE(if_stf
, stf_mod
, SI_SUB_PSEUDO
, SI_ORDER_ANY
);
303 stf_encapcheck(const struct mbuf
*m
, int off
, int proto
, void *arg
)
306 struct stf_softc
*sc
;
307 struct in_addr a
, b
, mask
;
308 struct in6_addr addr6
, mask6
;
310 sc
= (struct stf_softc
*)arg
;
314 if ((STF2IFP(sc
)->if_flags
& IFF_UP
) == 0)
317 /* IFF_LINK0 means "no decapsulation" */
318 if ((STF2IFP(sc
)->if_flags
& IFF_LINK0
) != 0)
321 if (proto
!= IPPROTO_IPV6
)
324 /* LINTED const cast */
325 m_copydata((struct mbuf
*)(uintptr_t)m
, 0, sizeof(ip
), (caddr_t
)&ip
);
330 if (stf_getsrcifa6(STF2IFP(sc
), &addr6
, &mask6
) != 0)
334 * check if IPv4 dst matches the IPv4 address derived from the
335 * local 6to4 address.
336 * success on: dst = 10.1.1.1, ia6->ia_addr = 2002:0a01:0101:...
338 if (bcmp(GET_V4(&addr6
), &ip
.ip_dst
, sizeof(ip
.ip_dst
)) != 0)
342 * check if IPv4 src matches the IPv4 address derived from the
343 * local 6to4 address masked by prefixmask.
344 * success on: src = 10.1.1.1, ia6->ia_addr = 2002:0a00:.../24
345 * fail on: src = 10.1.1.1, ia6->ia_addr = 2002:0b00:.../24
347 bzero(&a
, sizeof(a
));
348 bcopy(GET_V4(&addr6
), &a
, sizeof(a
));
349 bcopy(GET_V4(&mask6
), &mask
, sizeof(mask
));
350 a
.s_addr
&= mask
.s_addr
;
352 b
.s_addr
&= mask
.s_addr
;
353 if (a
.s_addr
!= b
.s_addr
)
356 /* stf interface makes single side match only */
361 stf_getsrcifa6(struct ifnet
*ifp
, struct in6_addr
*addr
, struct in6_addr
*mask
)
364 struct in_ifaddr
*ia4
;
365 struct in6_ifaddr
*ia6
;
366 struct sockaddr_in6
*sin6
;
370 TAILQ_FOREACH(ia
, &ifp
->if_addrhead
, ifa_link
) {
371 if (ia
->ifa_addr
->sa_family
!= AF_INET6
)
373 sin6
= (struct sockaddr_in6
*)ia
->ifa_addr
;
374 if (!IN6_IS_ADDR_6TO4(&sin6
->sin6_addr
))
377 bcopy(GET_V4(&sin6
->sin6_addr
), &in
, sizeof(in
));
378 LIST_FOREACH(ia4
, INADDR_HASH(in
.s_addr
), ia_hash
)
379 if (ia4
->ia_addr
.sin_addr
.s_addr
== in
.s_addr
)
384 ia6
= (struct in6_ifaddr
*)ia
;
386 *addr
= sin6
->sin6_addr
;
387 *mask
= ia6
->ia_prefixmask
.sin6_addr
;
388 if_addr_runlock(ifp
);
391 if_addr_runlock(ifp
);
397 stf_output(struct ifnet
*ifp
, struct mbuf
*m
, const struct sockaddr
*dst
,
400 struct stf_softc
*sc
;
401 const struct sockaddr_in6
*dst6
;
407 struct in6_addr addr6
, mask6
;
411 error
= mac_ifnet_check_transmit(ifp
, m
);
419 dst6
= (const struct sockaddr_in6
*)dst
;
422 if ((ifp
->if_flags
& IFF_UP
) == 0) {
424 if_inc_counter(ifp
, IFCOUNTER_OERRORS
, 1);
429 * If we don't have an ip4 address that match my inner ip6 address,
430 * we shouldn't generate output. Without this check, we'll end up
431 * using wrong IPv4 source.
433 if (stf_getsrcifa6(ifp
, &addr6
, &mask6
) != 0) {
435 if_inc_counter(ifp
, IFCOUNTER_OERRORS
, 1);
439 if (m
->m_len
< sizeof(*ip6
)) {
440 m
= m_pullup(m
, sizeof(*ip6
));
442 if_inc_counter(ifp
, IFCOUNTER_OERRORS
, 1);
446 ip6
= mtod(m
, struct ip6_hdr
*);
447 tos
= (ntohl(ip6
->ip6_flow
) >> 20) & 0xff;
450 * Pickup the right outer dst addr from the list of candidates.
451 * ip6_dst has priority as it may be able to give us shorter IPv4 hops.
454 if (IN6_IS_ADDR_6TO4(&ip6
->ip6_dst
))
455 ptr
= GET_V4(&ip6
->ip6_dst
);
456 else if (IN6_IS_ADDR_6TO4(&dst6
->sin6_addr
))
457 ptr
= GET_V4(&dst6
->sin6_addr
);
460 if_inc_counter(ifp
, IFCOUNTER_OERRORS
, 1);
463 bcopy(ptr
, &in4
, sizeof(in4
));
465 if (bpf_peers_present(ifp
->if_bpf
)) {
467 * We need to prepend the address family as
468 * a four byte field. Cons up a dummy header
469 * to pacify bpf. This is safe because bpf
470 * will only read from the mbuf (i.e., it won't
471 * try to free it or keep a pointer a to it).
474 bpf_mtap2(ifp
->if_bpf
, &af
, sizeof(af
), m
);
477 M_PREPEND(m
, sizeof(struct ip
), M_NOWAIT
);
479 if_inc_counter(ifp
, IFCOUNTER_OERRORS
, 1);
482 ip
= mtod(m
, struct ip
*);
484 bzero(ip
, sizeof(*ip
));
486 bcopy(GET_V4(&addr6
), &ip
->ip_src
, sizeof(ip
->ip_src
));
487 bcopy(&in4
, &ip
->ip_dst
, sizeof(ip
->ip_dst
));
488 ip
->ip_p
= IPPROTO_IPV6
;
489 ip
->ip_ttl
= ip_stf_ttl
;
490 ip
->ip_len
= htons(m
->m_pkthdr
.len
);
491 if (ifp
->if_flags
& IFF_LINK1
)
492 ip_ecn_ingress(ECN_ALLOWED
, &ip
->ip_tos
, &tos
);
494 ip_ecn_ingress(ECN_NOCARE
, &ip
->ip_tos
, &tos
);
496 M_SETFIB(m
, sc
->sc_fibnum
);
497 if_inc_counter(ifp
, IFCOUNTER_OPACKETS
, 1);
498 error
= ip_output(m
, NULL
, NULL
, 0, NULL
, NULL
);
504 isrfc1918addr(struct in_addr
*in
)
507 * returns 1 if private address range:
508 * 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
510 if (stf_permit_rfc1918
== 0 && (
511 (ntohl(in
->s_addr
) & 0xff000000) >> 24 == 10 ||
512 (ntohl(in
->s_addr
) & 0xfff00000) >> 16 == 172 * 256 + 16 ||
513 (ntohl(in
->s_addr
) & 0xffff0000) >> 16 == 192 * 256 + 168))
520 stf_checkaddr4(struct stf_softc
*sc
, struct in_addr
*in
, struct ifnet
*inifp
)
522 struct rm_priotracker in_ifa_tracker
;
523 struct in_ifaddr
*ia4
;
526 * reject packets with the following address:
527 * 224.0.0.0/4 0.0.0.0/8 127.0.0.0/8 255.0.0.0/8
529 if (IN_MULTICAST(ntohl(in
->s_addr
)))
531 switch ((ntohl(in
->s_addr
) & 0xff000000) >> 24) {
532 case 0: case 127: case 255:
537 * reject packets with private address range.
538 * (requirement from RFC3056 section 2 1st paragraph)
540 if (isrfc1918addr(in
))
544 * reject packets with broadcast
546 IN_IFADDR_RLOCK(&in_ifa_tracker
);
547 TAILQ_FOREACH(ia4
, &V_in_ifaddrhead
, ia_link
) {
548 if ((ia4
->ia_ifa
.ifa_ifp
->if_flags
& IFF_BROADCAST
) == 0)
550 if (in
->s_addr
== ia4
->ia_broadaddr
.sin_addr
.s_addr
) {
551 IN_IFADDR_RUNLOCK(&in_ifa_tracker
);
555 IN_IFADDR_RUNLOCK(&in_ifa_tracker
);
558 * perform ingress filter
560 if (sc
&& (STF2IFP(sc
)->if_flags
& IFF_LINK2
) == 0 && inifp
) {
561 struct nhop4_basic nh4
;
563 if (fib4_lookup_nh_basic(sc
->sc_fibnum
, *in
, 0, 0, &nh4
) != 0)
566 if (nh4
.nh_ifp
!= inifp
)
574 stf_checkaddr6(struct stf_softc
*sc
, struct in6_addr
*in6
, struct ifnet
*inifp
)
577 * check 6to4 addresses
579 if (IN6_IS_ADDR_6TO4(in6
)) {
581 bcopy(GET_V4(in6
), &in4
, sizeof(in4
));
582 return stf_checkaddr4(sc
, &in4
, inifp
);
586 * reject anything that look suspicious. the test is implemented
587 * in ip6_input too, but we check here as well to
588 * (1) reject bad packets earlier, and
589 * (2) to be safe against future ip6_input change.
591 if (IN6_IS_ADDR_V4COMPAT(in6
) || IN6_IS_ADDR_V4MAPPED(in6
))
598 in_stf_input(struct mbuf
**mp
, int *offp
, int proto
)
600 struct stf_softc
*sc
;
611 if (proto
!= IPPROTO_IPV6
) {
613 return (IPPROTO_DONE
);
616 ip
= mtod(m
, struct ip
*);
618 sc
= (struct stf_softc
*)encap_getarg(m
);
620 if (sc
== NULL
|| (STF2IFP(sc
)->if_flags
& IFF_UP
) == 0) {
622 return (IPPROTO_DONE
);
628 mac_ifnet_create_mbuf(ifp
, m
);
632 * perform sanity check against outer src/dst.
633 * for source, perform ingress filter as well.
635 if (stf_checkaddr4(sc
, &ip
->ip_dst
, NULL
) < 0 ||
636 stf_checkaddr4(sc
, &ip
->ip_src
, m
->m_pkthdr
.rcvif
) < 0) {
638 return (IPPROTO_DONE
);
644 if (m
->m_len
< sizeof(*ip6
)) {
645 m
= m_pullup(m
, sizeof(*ip6
));
647 return (IPPROTO_DONE
);
649 ip6
= mtod(m
, struct ip6_hdr
*);
652 * perform sanity check against inner src/dst.
653 * for source, perform ingress filter as well.
655 if (stf_checkaddr6(sc
, &ip6
->ip6_dst
, NULL
) < 0 ||
656 stf_checkaddr6(sc
, &ip6
->ip6_src
, m
->m_pkthdr
.rcvif
) < 0) {
658 return (IPPROTO_DONE
);
661 itos
= (ntohl(ip6
->ip6_flow
) >> 20) & 0xff;
662 if ((ifp
->if_flags
& IFF_LINK1
) != 0)
663 ip_ecn_egress(ECN_ALLOWED
, &otos
, &itos
);
665 ip_ecn_egress(ECN_NOCARE
, &otos
, &itos
);
666 ip6
->ip6_flow
&= ~htonl(0xff << 20);
667 ip6
->ip6_flow
|= htonl((u_int32_t
)itos
<< 20);
669 m
->m_pkthdr
.rcvif
= ifp
;
671 if (bpf_peers_present(ifp
->if_bpf
)) {
673 * We need to prepend the address family as
674 * a four byte field. Cons up a dummy header
675 * to pacify bpf. This is safe because bpf
676 * will only read from the mbuf (i.e., it won't
677 * try to free it or keep a pointer a to it).
679 u_int32_t af
= AF_INET6
;
680 bpf_mtap2(ifp
->if_bpf
, &af
, sizeof(af
), m
);
684 * Put the packet to the network layer input queue according to the
685 * specified address family.
686 * See net/if_gif.c for possible issues with packet processing
687 * reorder due to extra queueing.
689 if_inc_counter(ifp
, IFCOUNTER_IPACKETS
, 1);
690 if_inc_counter(ifp
, IFCOUNTER_IBYTES
, m
->m_pkthdr
.len
);
691 M_SETFIB(m
, ifp
->if_fib
);
692 netisr_dispatch(NETISR_IPV6
, m
);
693 return (IPPROTO_DONE
);
697 stf_ioctl(struct ifnet
*ifp
, u_long cmd
, caddr_t data
)
701 struct sockaddr_in6
*sin6
;
708 ifa
= (struct ifaddr
*)data
;
709 if (ifa
== NULL
|| ifa
->ifa_addr
->sa_family
!= AF_INET6
) {
710 error
= EAFNOSUPPORT
;
713 sin6
= (struct sockaddr_in6
*)ifa
->ifa_addr
;
714 if (!IN6_IS_ADDR_6TO4(&sin6
->sin6_addr
)) {
718 bcopy(GET_V4(&sin6
->sin6_addr
), &addr
, sizeof(addr
));
719 if (isrfc1918addr(&addr
)) {
724 ifp
->if_flags
|= IFF_UP
;
729 ifr
= (struct ifreq
*)data
;
730 if (ifr
&& ifr
->ifr_addr
.sa_family
== AF_INET6
)
733 error
= EAFNOSUPPORT
;
740 ifr
= (struct ifreq
*)data
;
742 /* RFC 4213 3.2 ideal world MTU */
743 if (mtu
< IPV6_MINMTU
|| mtu
> IF_MAXMTU
- 20)