2 * Linux NET3: IP/IP protocol decoder.
5 * Sam Lantinga (slouken@cs.ucdavis.edu) 02/01/95
8 * Alan Cox : Merged and made usable non modular (its so tiny its silly as
9 * a module taking up 2 pages).
10 * Alan Cox : Fixed bug with 1.3.18 and IPIP not working (now needs to set skb->h.iph)
11 * to keep ip_forward happy.
12 * Alan Cox : More fixes for 1.3.21, and firewall fix. Maybe this will work soon 8).
13 * Kai Schulte : Fixed #defines for IP_FIREWALL->FIREWALL
14 * David Woodhouse : Perform some basic ICMP handling.
15 * IPIP Routing without decapsulation.
16 * Carlos Picoto : GRE over IP support
17 * Alexey Kuznetsov: Reworked. Really, now it is truncated version of ipv4/ip_gre.c.
18 * I do not want to merge them together.
20 * This program is free software; you can redistribute it and/or
21 * modify it under the terms of the GNU General Public License
22 * as published by the Free Software Foundation; either version
23 * 2 of the License, or (at your option) any later version.
27 /* tunnel.c: an IP tunnel driver
29 The purpose of this driver is to provide an IP tunnel through
30 which you can tunnel network traffic transparently across subnets.
32 This was written by looking at Nick Holloway's dummy driver
33 Thanks for the great code!
35 -Sam Lantinga (slouken@cs.ucdavis.edu) 02/01/95
38 Cleaned up the code a little and added some pre-1.3.0 tweaks.
39 dev->hard_header/hard_header_len changed to use no headers.
40 Comments/bracketing tweaked.
41 Made the tunnels use dev->name not tunnel: when error reporting.
44 -Alan Cox (alan@lxorguk.ukuu.org.uk) 21 March 95
47 Changed to tunnel to destination gateway in addition to the
48 tunnel's pointopoint address
49 Almost completely rewritten
50 Note: There is currently no firewall or ICMP handling done.
52 -Sam Lantinga (slouken@cs.ucdavis.edu) 02/13/96
56 /* Things I wish I had known when writing the tunnel driver:
58 When the tunnel_xmit() function is called, the skb contains the
59 packet to be sent (plus a great deal of extra info), and dev
60 contains the tunnel device that _we_ are.
62 When we are passed a packet, we are expected to fill in the
63 source address with our source IP address.
65 What is the proper way to allocate, copy and free a buffer?
66 After you allocate it, it is a "0 length" chunk of memory
67 starting at zero. If you want to add headers to the buffer
68 later, you'll have to call "skb_reserve(skb, amount)" with
69 the amount of memory you want reserved. Then, you call
70 "skb_put(skb, amount)" with the amount of space you want in
71 the buffer. skb_put() returns a pointer to the top (#0) of
72 that buffer. skb->len is set to the amount of space you have
73 "allocated" with skb_put(). You can then write up to skb->len
74 bytes to that buffer. If you need more, you can call skb_put()
75 again with the additional amount of space you need. You can
76 find out how much more space you can allocate by calling
78 Now, to add header space, call "skb_push(skb, header_len)".
79 This creates space at the beginning of the buffer and returns
80 a pointer to this new space. If later you need to strip a
81 header from a buffer, call "skb_pull(skb, header_len)".
82 skb_headroom() will return how much space is left at the top
83 of the buffer (before the main data). Remember, this headroom
84 space must be reserved before the skb_put() function is called.
88 This version of net/ipv4/ipip.c is cloned of net/ipv4/ip_gre.c
90 For comments look at net/ipv4/ip_gre.c --ANK
94 #include <linux/capability.h>
95 #include <linux/module.h>
96 #include <linux/types.h>
97 #include <linux/kernel.h>
98 #include <asm/uaccess.h>
99 #include <linux/skbuff.h>
100 #include <linux/netdevice.h>
101 #include <linux/in.h>
102 #include <linux/tcp.h>
103 #include <linux/udp.h>
104 #include <linux/if_arp.h>
105 #include <linux/mroute.h>
106 #include <linux/init.h>
107 #include <linux/netfilter_ipv4.h>
108 #include <linux/if_ether.h>
110 #include <net/sock.h>
112 #include <net/icmp.h>
113 #include <net/ipip.h>
114 #include <net/inet_ecn.h>
115 #include <net/xfrm.h>
116 #include <net/net_namespace.h>
117 #include <net/netns/generic.h>
120 #define HASH(addr) (((__force u32)addr^((__force u32)addr>>4))&0xF)
122 static int ipip_net_id __read_mostly;
124 struct ip_tunnel *tunnels_r_l[HASH_SIZE];
125 struct ip_tunnel *tunnels_r[HASH_SIZE];
126 struct ip_tunnel *tunnels_l[HASH_SIZE];
127 struct ip_tunnel *tunnels_wc[1];
128 struct ip_tunnel **tunnels[4];
130 struct net_device *fb_tunnel_dev;
133 static void ipip_tunnel_init(struct net_device *dev);
134 static void ipip_tunnel_setup(struct net_device *dev);
137 * Locking : hash tables are protected by RCU and a spinlock
139 static DEFINE_SPINLOCK(ipip_lock);
141 #define for_each_ip_tunnel_rcu(start) \
142 for (t = rcu_dereference(start); t; t = rcu_dereference(t->next))
144 static struct ip_tunnel * ipip_tunnel_lookup(struct net *net,
145 __be32 remote, __be32 local)
147 unsigned h0 = HASH(remote);
148 unsigned h1 = HASH(local);
150 struct ipip_net *ipn = net_generic(net, ipip_net_id);
152 for_each_ip_tunnel_rcu(ipn->tunnels_r_l[h0 ^ h1])
153 if (local == t->parms.iph.saddr &&
154 remote == t->parms.iph.daddr && (t->dev->flags&IFF_UP))
157 for_each_ip_tunnel_rcu(ipn->tunnels_r[h0])
158 if (remote == t->parms.iph.daddr && (t->dev->flags&IFF_UP))
161 for_each_ip_tunnel_rcu(ipn->tunnels_l[h1])
162 if (local == t->parms.iph.saddr && (t->dev->flags&IFF_UP))
165 t = rcu_dereference(ipn->tunnels_wc[0]);
166 if (t && (t->dev->flags&IFF_UP))
171 static struct ip_tunnel **__ipip_bucket(struct ipip_net *ipn,
172 struct ip_tunnel_parm *parms)
174 __be32 remote = parms->iph.daddr;
175 __be32 local = parms->iph.saddr;
187 return &ipn->tunnels[prio][h];
190 static inline struct ip_tunnel **ipip_bucket(struct ipip_net *ipn,
193 return __ipip_bucket(ipn, &t->parms);
196 static void ipip_tunnel_unlink(struct ipip_net *ipn, struct ip_tunnel *t)
198 struct ip_tunnel **tp;
200 for (tp = ipip_bucket(ipn, t); *tp; tp = &(*tp)->next) {
202 spin_lock_bh(&ipip_lock);
204 spin_unlock_bh(&ipip_lock);
210 static void ipip_tunnel_link(struct ipip_net *ipn, struct ip_tunnel *t)
212 struct ip_tunnel **tp = ipip_bucket(ipn, t);
214 spin_lock_bh(&ipip_lock);
216 rcu_assign_pointer(*tp, t);
217 spin_unlock_bh(&ipip_lock);
220 static struct ip_tunnel * ipip_tunnel_locate(struct net *net,
221 struct ip_tunnel_parm *parms, int create)
223 __be32 remote = parms->iph.daddr;
224 __be32 local = parms->iph.saddr;
225 struct ip_tunnel *t, **tp, *nt;
226 struct net_device *dev;
228 struct ipip_net *ipn = net_generic(net, ipip_net_id);
230 for (tp = __ipip_bucket(ipn, parms); (t = *tp) != NULL; tp = &t->next) {
231 if (local == t->parms.iph.saddr && remote == t->parms.iph.daddr)
238 strlcpy(name, parms->name, IFNAMSIZ);
240 sprintf(name, "tunl%%d");
242 dev = alloc_netdev(sizeof(*t), name, ipip_tunnel_setup);
246 dev_net_set(dev, net);
248 if (strchr(name, '%')) {
249 if (dev_alloc_name(dev, name) < 0)
253 nt = netdev_priv(dev);
256 ipip_tunnel_init(dev);
258 if (register_netdevice(dev) < 0)
262 ipip_tunnel_link(ipn, nt);
270 static void ipip_tunnel_uninit(struct net_device *dev)
272 struct net *net = dev_net(dev);
273 struct ipip_net *ipn = net_generic(net, ipip_net_id);
275 if (dev == ipn->fb_tunnel_dev) {
276 spin_lock_bh(&ipip_lock);
277 ipn->tunnels_wc[0] = NULL;
278 spin_unlock_bh(&ipip_lock);
280 ipip_tunnel_unlink(ipn, netdev_priv(dev));
284 static int ipip_err(struct sk_buff *skb, u32 info)
287 /* All the routers (except for Linux) return only
288 8 bytes of packet payload. It means, that precise relaying of
289 ICMP in the real Internet is absolutely infeasible.
291 struct iphdr *iph = (struct iphdr *)skb->data;
292 const int type = icmp_hdr(skb)->type;
293 const int code = icmp_hdr(skb)->code;
299 case ICMP_PARAMETERPROB:
302 case ICMP_DEST_UNREACH:
305 case ICMP_PORT_UNREACH:
306 /* Impossible event. */
308 case ICMP_FRAG_NEEDED:
309 /* Soft state for pmtu is maintained by IP core. */
312 /* All others are translated to HOST_UNREACH.
313 rfc2003 contains "deep thoughts" about NET_UNREACH,
314 I believe they are just ether pollution. --ANK
319 case ICMP_TIME_EXCEEDED:
320 if (code != ICMP_EXC_TTL)
328 t = ipip_tunnel_lookup(dev_net(skb->dev), iph->daddr, iph->saddr);
329 if (t == NULL || t->parms.iph.daddr == 0)
333 if (t->parms.iph.ttl == 0 && type == ICMP_TIME_EXCEEDED)
336 if (time_before(jiffies, t->err_time + IPTUNNEL_ERR_TIMEO))
340 t->err_time = jiffies;
346 static inline void ipip_ecn_decapsulate(const struct iphdr *outer_iph,
349 struct iphdr *inner_iph = ip_hdr(skb);
351 if (INET_ECN_is_ce(outer_iph->tos))
352 IP_ECN_set_ce(inner_iph);
355 static int ipip_rcv(struct sk_buff *skb)
357 struct ip_tunnel *tunnel;
358 const struct iphdr *iph = ip_hdr(skb);
361 if ((tunnel = ipip_tunnel_lookup(dev_net(skb->dev),
362 iph->saddr, iph->daddr)) != NULL) {
363 if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) {
371 skb->mac_header = skb->network_header;
372 skb_reset_network_header(skb);
373 skb->protocol = htons(ETH_P_IP);
374 skb->pkt_type = PACKET_HOST;
376 tunnel->dev->stats.rx_packets++;
377 tunnel->dev->stats.rx_bytes += skb->len;
378 skb->dev = tunnel->dev;
381 ipip_ecn_decapsulate(iph, skb);
392 * This function assumes it is being called from dev_queue_xmit()
393 * and that skb is filled properly by that function.
396 static netdev_tx_t ipip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
398 struct ip_tunnel *tunnel = netdev_priv(dev);
399 struct net_device_stats *stats = &dev->stats;
400 struct netdev_queue *txq = netdev_get_tx_queue(dev, 0);
401 struct iphdr *tiph = &tunnel->parms.iph;
402 u8 tos = tunnel->parms.iph.tos;
403 __be16 df = tiph->frag_off;
404 struct rtable *rt; /* Route to the other host */
405 struct net_device *tdev; /* Device to other host */
406 struct iphdr *old_iph = ip_hdr(skb);
407 struct iphdr *iph; /* Our new IP header */
408 unsigned int max_headroom; /* The extra header space needed */
409 __be32 dst = tiph->daddr;
412 if (skb->protocol != htons(ETH_P_IP))
420 if ((rt = skb_rtable(skb)) == NULL) {
421 stats->tx_fifo_errors++;
424 if ((dst = rt->rt_gateway) == 0)
429 struct flowi fl = { .oif = tunnel->parms.link,
432 .saddr = tiph->saddr,
433 .tos = RT_TOS(tos) } },
434 .proto = IPPROTO_IPIP };
435 if (ip_route_output_key(dev_net(dev), &rt, &fl)) {
436 stats->tx_carrier_errors++;
440 tdev = rt->u.dst.dev;
448 df |= old_iph->frag_off & htons(IP_DF);
451 mtu = dst_mtu(&rt->u.dst) - sizeof(struct iphdr);
460 skb_dst(skb)->ops->update_pmtu(skb_dst(skb), mtu);
462 if ((old_iph->frag_off & htons(IP_DF)) &&
463 mtu < ntohs(old_iph->tot_len)) {
464 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
471 if (tunnel->err_count > 0) {
472 if (time_before(jiffies,
473 tunnel->err_time + IPTUNNEL_ERR_TIMEO)) {
475 dst_link_failure(skb);
477 tunnel->err_count = 0;
481 * Okay, now see if we can stuff it in the buffer as-is.
483 max_headroom = (LL_RESERVED_SPACE(tdev)+sizeof(struct iphdr));
485 if (skb_headroom(skb) < max_headroom || skb_shared(skb) ||
486 (skb_cloned(skb) && !skb_clone_writable(skb, 0))) {
487 struct sk_buff *new_skb = skb_realloc_headroom(skb, max_headroom);
495 skb_set_owner_w(new_skb, skb->sk);
498 old_iph = ip_hdr(skb);
501 skb->transport_header = skb->network_header;
502 skb_push(skb, sizeof(struct iphdr));
503 skb_reset_network_header(skb);
504 memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
505 IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
508 skb_dst_set(skb, &rt->u.dst);
511 * Push down and install the IPIP header.
516 iph->ihl = sizeof(struct iphdr)>>2;
518 iph->protocol = IPPROTO_IPIP;
519 iph->tos = INET_ECN_encapsulate(tos, old_iph->tos);
520 iph->daddr = rt->rt_dst;
521 iph->saddr = rt->rt_src;
523 if ((iph->ttl = tiph->ttl) == 0)
524 iph->ttl = old_iph->ttl;
532 dst_link_failure(skb);
539 static void ipip_tunnel_bind_dev(struct net_device *dev)
541 struct net_device *tdev = NULL;
542 struct ip_tunnel *tunnel;
545 tunnel = netdev_priv(dev);
546 iph = &tunnel->parms.iph;
549 struct flowi fl = { .oif = tunnel->parms.link,
551 { .daddr = iph->daddr,
553 .tos = RT_TOS(iph->tos) } },
554 .proto = IPPROTO_IPIP };
556 if (!ip_route_output_key(dev_net(dev), &rt, &fl)) {
557 tdev = rt->u.dst.dev;
560 dev->flags |= IFF_POINTOPOINT;
563 if (!tdev && tunnel->parms.link)
564 tdev = __dev_get_by_index(dev_net(dev), tunnel->parms.link);
567 dev->hard_header_len = tdev->hard_header_len + sizeof(struct iphdr);
568 dev->mtu = tdev->mtu - sizeof(struct iphdr);
570 dev->iflink = tunnel->parms.link;
574 ipip_tunnel_ioctl (struct net_device *dev, struct ifreq *ifr, int cmd)
577 struct ip_tunnel_parm p;
579 struct net *net = dev_net(dev);
580 struct ipip_net *ipn = net_generic(net, ipip_net_id);
585 if (dev == ipn->fb_tunnel_dev) {
586 if (copy_from_user(&p, ifr->ifr_ifru.ifru_data, sizeof(p))) {
590 t = ipip_tunnel_locate(net, &p, 0);
593 t = netdev_priv(dev);
594 memcpy(&p, &t->parms, sizeof(p));
595 if (copy_to_user(ifr->ifr_ifru.ifru_data, &p, sizeof(p)))
602 if (!capable(CAP_NET_ADMIN))
606 if (copy_from_user(&p, ifr->ifr_ifru.ifru_data, sizeof(p)))
610 if (p.iph.version != 4 || p.iph.protocol != IPPROTO_IPIP ||
611 p.iph.ihl != 5 || (p.iph.frag_off&htons(~IP_DF)))
614 p.iph.frag_off |= htons(IP_DF);
616 t = ipip_tunnel_locate(net, &p, cmd == SIOCADDTUNNEL);
618 if (dev != ipn->fb_tunnel_dev && cmd == SIOCCHGTUNNEL) {
625 if (((dev->flags&IFF_POINTOPOINT) && !p.iph.daddr) ||
626 (!(dev->flags&IFF_POINTOPOINT) && p.iph.daddr)) {
630 t = netdev_priv(dev);
631 ipip_tunnel_unlink(ipn, t);
632 t->parms.iph.saddr = p.iph.saddr;
633 t->parms.iph.daddr = p.iph.daddr;
634 memcpy(dev->dev_addr, &p.iph.saddr, 4);
635 memcpy(dev->broadcast, &p.iph.daddr, 4);
636 ipip_tunnel_link(ipn, t);
637 netdev_state_change(dev);
643 if (cmd == SIOCCHGTUNNEL) {
644 t->parms.iph.ttl = p.iph.ttl;
645 t->parms.iph.tos = p.iph.tos;
646 t->parms.iph.frag_off = p.iph.frag_off;
647 if (t->parms.link != p.link) {
648 t->parms.link = p.link;
649 ipip_tunnel_bind_dev(dev);
650 netdev_state_change(dev);
653 if (copy_to_user(ifr->ifr_ifru.ifru_data, &t->parms, sizeof(p)))
656 err = (cmd == SIOCADDTUNNEL ? -ENOBUFS : -ENOENT);
661 if (!capable(CAP_NET_ADMIN))
664 if (dev == ipn->fb_tunnel_dev) {
666 if (copy_from_user(&p, ifr->ifr_ifru.ifru_data, sizeof(p)))
669 if ((t = ipip_tunnel_locate(net, &p, 0)) == NULL)
672 if (t->dev == ipn->fb_tunnel_dev)
676 unregister_netdevice(dev);
688 static int ipip_tunnel_change_mtu(struct net_device *dev, int new_mtu)
690 if (new_mtu < 68 || new_mtu > 0xFFF8 - sizeof(struct iphdr))
696 static const struct net_device_ops ipip_netdev_ops = {
697 .ndo_uninit = ipip_tunnel_uninit,
698 .ndo_start_xmit = ipip_tunnel_xmit,
699 .ndo_do_ioctl = ipip_tunnel_ioctl,
700 .ndo_change_mtu = ipip_tunnel_change_mtu,
704 static void ipip_tunnel_setup(struct net_device *dev)
706 dev->netdev_ops = &ipip_netdev_ops;
707 dev->destructor = free_netdev;
709 dev->type = ARPHRD_TUNNEL;
710 dev->hard_header_len = LL_MAX_HEADER + sizeof(struct iphdr);
711 dev->mtu = ETH_DATA_LEN - sizeof(struct iphdr);
712 dev->flags = IFF_NOARP;
715 dev->features |= NETIF_F_NETNS_LOCAL;
716 dev->priv_flags &= ~IFF_XMIT_DST_RELEASE;
719 static void ipip_tunnel_init(struct net_device *dev)
721 struct ip_tunnel *tunnel = netdev_priv(dev);
724 strcpy(tunnel->parms.name, dev->name);
726 memcpy(dev->dev_addr, &tunnel->parms.iph.saddr, 4);
727 memcpy(dev->broadcast, &tunnel->parms.iph.daddr, 4);
729 ipip_tunnel_bind_dev(dev);
732 static void __net_init ipip_fb_tunnel_init(struct net_device *dev)
734 struct ip_tunnel *tunnel = netdev_priv(dev);
735 struct iphdr *iph = &tunnel->parms.iph;
736 struct ipip_net *ipn = net_generic(dev_net(dev), ipip_net_id);
739 strcpy(tunnel->parms.name, dev->name);
742 iph->protocol = IPPROTO_IPIP;
746 ipn->tunnels_wc[0] = tunnel;
749 static struct xfrm_tunnel ipip_handler = {
751 .err_handler = ipip_err,
755 static const char banner[] __initconst =
756 KERN_INFO "IPv4 over IPv4 tunneling driver\n";
758 static void ipip_destroy_tunnels(struct ipip_net *ipn, struct list_head *head)
762 for (prio = 1; prio < 4; prio++) {
764 for (h = 0; h < HASH_SIZE; h++) {
765 struct ip_tunnel *t = ipn->tunnels[prio][h];
768 unregister_netdevice_queue(t->dev, head);
775 static int __net_init ipip_init_net(struct net *net)
777 struct ipip_net *ipn = net_generic(net, ipip_net_id);
780 ipn->tunnels[0] = ipn->tunnels_wc;
781 ipn->tunnels[1] = ipn->tunnels_l;
782 ipn->tunnels[2] = ipn->tunnels_r;
783 ipn->tunnels[3] = ipn->tunnels_r_l;
785 ipn->fb_tunnel_dev = alloc_netdev(sizeof(struct ip_tunnel),
788 if (!ipn->fb_tunnel_dev) {
792 dev_net_set(ipn->fb_tunnel_dev, net);
794 ipip_fb_tunnel_init(ipn->fb_tunnel_dev);
796 if ((err = register_netdev(ipn->fb_tunnel_dev)))
802 free_netdev(ipn->fb_tunnel_dev);
808 static void __net_exit ipip_exit_net(struct net *net)
810 struct ipip_net *ipn = net_generic(net, ipip_net_id);
814 ipip_destroy_tunnels(ipn, &list);
815 unregister_netdevice_queue(ipn->fb_tunnel_dev, &list);
816 unregister_netdevice_many(&list);
820 static struct pernet_operations ipip_net_ops = {
821 .init = ipip_init_net,
822 .exit = ipip_exit_net,
824 .size = sizeof(struct ipip_net),
827 static int __init ipip_init(void)
833 if (xfrm4_tunnel_register(&ipip_handler, AF_INET)) {
834 printk(KERN_INFO "ipip init: can't register tunnel\n");
838 err = register_pernet_device(&ipip_net_ops);
840 xfrm4_tunnel_deregister(&ipip_handler, AF_INET);
845 static void __exit ipip_fini(void)
847 if (xfrm4_tunnel_deregister(&ipip_handler, AF_INET))
848 printk(KERN_INFO "ipip close: can't deregister tunnel\n");
850 unregister_pernet_device(&ipip_net_ops);
853 module_init(ipip_init);
854 module_exit(ipip_fini);
855 MODULE_LICENSE("GPL");
git://ftp.safe.ca / safe / jmp / linux-2.6 / blob