1 // SPDX-License-Identifier: GPL-2.0-or-later
3 * Linux NET3: IP/IP protocol decoder.
6 * Sam Lantinga (slouken@cs.ucdavis.edu) 02/01/95
9 * Alan Cox : Merged and made usable non modular (its so tiny its silly as
10 * a module taking up 2 pages).
11 * Alan Cox : Fixed bug with 1.3.18 and IPIP not working (now needs to set skb->h.iph)
12 * to keep ip_forward happy.
13 * Alan Cox : More fixes for 1.3.21, and firewall fix. Maybe this will work soon 8).
14 * Kai Schulte : Fixed #defines for IP_FIREWALL->FIREWALL
15 * David Woodhouse : Perform some basic ICMP handling.
16 * IPIP Routing without decapsulation.
17 * Carlos Picoto : GRE over IP support
18 * Alexey Kuznetsov: Reworked. Really, now it is truncated version of ipv4/ip_gre.c.
19 * I do not want to merge them together.
22 /* tunnel.c: an IP tunnel driver
24 The purpose of this driver is to provide an IP tunnel through
25 which you can tunnel network traffic transparently across subnets.
27 This was written by looking at Nick Holloway's dummy driver
28 Thanks for the great code!
30 -Sam Lantinga (slouken@cs.ucdavis.edu) 02/01/95
33 Cleaned up the code a little and added some pre-1.3.0 tweaks.
34 dev->hard_header/hard_header_len changed to use no headers.
35 Comments/bracketing tweaked.
36 Made the tunnels use dev->name not tunnel: when error reporting.
39 -Alan Cox (alan@lxorguk.ukuu.org.uk) 21 March 95
42 Changed to tunnel to destination gateway in addition to the
43 tunnel's pointopoint address
44 Almost completely rewritten
45 Note: There is currently no firewall or ICMP handling done.
47 -Sam Lantinga (slouken@cs.ucdavis.edu) 02/13/96
51 /* Things I wish I had known when writing the tunnel driver:
53 When the tunnel_xmit() function is called, the skb contains the
54 packet to be sent (plus a great deal of extra info), and dev
55 contains the tunnel device that _we_ are.
57 When we are passed a packet, we are expected to fill in the
58 source address with our source IP address.
60 What is the proper way to allocate, copy and free a buffer?
61 After you allocate it, it is a "0 length" chunk of memory
62 starting at zero. If you want to add headers to the buffer
63 later, you'll have to call "skb_reserve(skb, amount)" with
64 the amount of memory you want reserved. Then, you call
65 "skb_put(skb, amount)" with the amount of space you want in
66 the buffer. skb_put() returns a pointer to the top (#0) of
67 that buffer. skb->len is set to the amount of space you have
68 "allocated" with skb_put(). You can then write up to skb->len
69 bytes to that buffer. If you need more, you can call skb_put()
70 again with the additional amount of space you need. You can
71 find out how much more space you can allocate by calling
73 Now, to add header space, call "skb_push(skb, header_len)".
74 This creates space at the beginning of the buffer and returns
75 a pointer to this new space. If later you need to strip a
76 header from a buffer, call "skb_pull(skb, header_len)".
77 skb_headroom() will return how much space is left at the top
78 of the buffer (before the main data). Remember, this headroom
79 space must be reserved before the skb_put() function is called.
83 This version of net/ipv4/ipip.c is cloned of net/ipv4/ip_gre.c
85 For comments look at net/ipv4/ip_gre.c --ANK
89 #include <linux/capability.h>
90 #include <linux/module.h>
91 #include <linux/types.h>
92 #include <linux/kernel.h>
93 #include <linux/slab.h>
94 #include <linux/uaccess.h>
95 #include <linux/skbuff.h>
96 #include <linux/netdevice.h>
98 #include <linux/tcp.h>
99 #include <linux/udp.h>
100 #include <linux/if_arp.h>
101 #include <linux/init.h>
102 #include <linux/netfilter_ipv4.h>
103 #include <linux/if_ether.h>
105 #include <net/sock.h>
107 #include <net/icmp.h>
108 #include <net/ip_tunnels.h>
109 #include <net/inet_ecn.h>
110 #include <net/xfrm.h>
111 #include <net/net_namespace.h>
112 #include <net/netns/generic.h>
113 #include <net/dst_metadata.h>
115 static bool log_ecn_error = true;
116 module_param(log_ecn_error, bool, 0644);
117 MODULE_PARM_DESC(log_ecn_error, "Log packets received with corrupted ECN");
119 static unsigned int ipip_net_id __read_mostly;
121 static int ipip_tunnel_init(struct net_device *dev);
122 static struct rtnl_link_ops ipip_link_ops __read_mostly;
124 static int ipip_err(struct sk_buff *skb, u32 info)
126 /* All the routers (except for Linux) return only
127 * 8 bytes of packet payload. It means, that precise relaying of
128 * ICMP in the real Internet is absolutely infeasible.
130 struct net *net = dev_net(skb->dev);
131 struct ip_tunnel_net *itn = net_generic(net, ipip_net_id);
132 const struct iphdr *iph = (const struct iphdr *)skb->data;
133 IP_TUNNEL_DECLARE_FLAGS(flags) = { };
134 const int type = icmp_hdr(skb)->type;
135 const int code = icmp_hdr(skb)->code;
139 __set_bit(IP_TUNNEL_NO_KEY_BIT, flags);
141 t = ip_tunnel_lookup(itn, skb->dev->ifindex, flags, iph->daddr,
149 case ICMP_DEST_UNREACH:
152 /* Impossible event. */
155 /* All others are translated to HOST_UNREACH.
156 * rfc2003 contains "deep thoughts" about NET_UNREACH,
157 * I believe they are just ether pollution. --ANK
163 case ICMP_TIME_EXCEEDED:
164 if (code != ICMP_EXC_TTL)
175 if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED) {
176 ipv4_update_pmtu(skb, net, info, t->parms.link, iph->protocol);
180 if (type == ICMP_REDIRECT) {
181 ipv4_redirect(skb, net, t->parms.link, iph->protocol);
185 if (t->parms.iph.daddr == 0) {
190 if (t->parms.iph.ttl == 0 && type == ICMP_TIME_EXCEEDED)
193 if (time_before(jiffies, t->err_time + IPTUNNEL_ERR_TIMEO))
197 t->err_time = jiffies;
203 static const struct tnl_ptk_info ipip_tpi = {
204 /* no tunnel info required for ipip. */
205 .proto = htons(ETH_P_IP),
208 #if IS_ENABLED(CONFIG_MPLS)
209 static const struct tnl_ptk_info mplsip_tpi = {
210 /* no tunnel info required for mplsip. */
211 .proto = htons(ETH_P_MPLS_UC),
215 static int ipip_tunnel_rcv(struct sk_buff *skb, u8 ipproto)
217 struct net *net = dev_net(skb->dev);
218 struct ip_tunnel_net *itn = net_generic(net, ipip_net_id);
219 IP_TUNNEL_DECLARE_FLAGS(flags) = { };
220 struct metadata_dst *tun_dst = NULL;
221 struct ip_tunnel *tunnel;
222 const struct iphdr *iph;
224 __set_bit(IP_TUNNEL_NO_KEY_BIT, flags);
227 tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, flags, iph->saddr,
230 const struct tnl_ptk_info *tpi;
232 if (tunnel->parms.iph.protocol != ipproto &&
233 tunnel->parms.iph.protocol != 0)
236 if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
238 #if IS_ENABLED(CONFIG_MPLS)
239 if (ipproto == IPPROTO_MPLS)
244 if (iptunnel_pull_header(skb, 0, tpi->proto, false))
246 if (tunnel->collect_md) {
247 ip_tunnel_flags_zero(flags);
249 tun_dst = ip_tun_rx_dst(skb, flags, 0, 0);
252 ip_tunnel_md_udp_encap(skb, &tun_dst->u.tun_info);
254 skb_reset_mac_header(skb);
256 return ip_tunnel_rcv(tunnel, skb, tpi, tun_dst, log_ecn_error);
266 static int ipip_rcv(struct sk_buff *skb)
268 return ipip_tunnel_rcv(skb, IPPROTO_IPIP);
271 #if IS_ENABLED(CONFIG_MPLS)
272 static int mplsip_rcv(struct sk_buff *skb)
274 return ipip_tunnel_rcv(skb, IPPROTO_MPLS);
279 * This function assumes it is being called from dev_queue_xmit()
280 * and that skb is filled properly by that function.
282 static netdev_tx_t ipip_tunnel_xmit(struct sk_buff *skb,
283 struct net_device *dev)
285 struct ip_tunnel *tunnel = netdev_priv(dev);
286 const struct iphdr *tiph = &tunnel->parms.iph;
289 if (!pskb_inet_may_pull(skb))
292 switch (skb->protocol) {
293 case htons(ETH_P_IP):
294 ipproto = IPPROTO_IPIP;
296 #if IS_ENABLED(CONFIG_MPLS)
297 case htons(ETH_P_MPLS_UC):
298 ipproto = IPPROTO_MPLS;
305 if (tiph->protocol != ipproto && tiph->protocol != 0)
308 if (iptunnel_handle_offloads(skb, SKB_GSO_IPXIP4))
311 skb_set_inner_ipproto(skb, ipproto);
313 if (tunnel->collect_md)
314 ip_md_tunnel_xmit(skb, dev, ipproto, 0);
316 ip_tunnel_xmit(skb, dev, tiph, ipproto);
322 DEV_STATS_INC(dev, tx_errors);
326 static bool ipip_tunnel_ioctl_verify_protocol(u8 ipproto)
331 #if IS_ENABLED(CONFIG_MPLS)
341 ipip_tunnel_ctl(struct net_device *dev, struct ip_tunnel_parm_kern *p, int cmd)
343 if (cmd == SIOCADDTUNNEL || cmd == SIOCCHGTUNNEL) {
344 if (p->iph.version != 4 ||
345 !ipip_tunnel_ioctl_verify_protocol(p->iph.protocol) ||
346 p->iph.ihl != 5 || (p->iph.frag_off & htons(~IP_DF)))
350 p->i_key = p->o_key = 0;
351 ip_tunnel_flags_zero(p->i_flags);
352 ip_tunnel_flags_zero(p->o_flags);
353 return ip_tunnel_ctl(dev, p, cmd);
356 static const struct net_device_ops ipip_netdev_ops = {
357 .ndo_init = ipip_tunnel_init,
358 .ndo_uninit = ip_tunnel_uninit,
359 .ndo_start_xmit = ipip_tunnel_xmit,
360 .ndo_siocdevprivate = ip_tunnel_siocdevprivate,
361 .ndo_change_mtu = ip_tunnel_change_mtu,
362 .ndo_get_stats64 = dev_get_tstats64,
363 .ndo_get_iflink = ip_tunnel_get_iflink,
364 .ndo_tunnel_ctl = ipip_tunnel_ctl,
367 #define IPIP_FEATURES (NETIF_F_SG | \
370 NETIF_F_GSO_SOFTWARE | \
373 static void ipip_tunnel_setup(struct net_device *dev)
375 dev->netdev_ops = &ipip_netdev_ops;
376 dev->header_ops = &ip_tunnel_header_ops;
378 dev->type = ARPHRD_TUNNEL;
379 dev->flags = IFF_NOARP;
384 dev->features |= IPIP_FEATURES;
385 dev->hw_features |= IPIP_FEATURES;
386 ip_tunnel_setup(dev, ipip_net_id);
389 static int ipip_tunnel_init(struct net_device *dev)
391 struct ip_tunnel *tunnel = netdev_priv(dev);
393 __dev_addr_set(dev, &tunnel->parms.iph.saddr, 4);
394 memcpy(dev->broadcast, &tunnel->parms.iph.daddr, 4);
396 tunnel->tun_hlen = 0;
397 tunnel->hlen = tunnel->tun_hlen + tunnel->encap_hlen;
398 return ip_tunnel_init(dev);
401 static int ipip_tunnel_validate(struct nlattr *tb[], struct nlattr *data[],
402 struct netlink_ext_ack *extack)
406 if (!data || !data[IFLA_IPTUN_PROTO])
409 proto = nla_get_u8(data[IFLA_IPTUN_PROTO]);
410 if (proto != IPPROTO_IPIP && proto != IPPROTO_MPLS && proto != 0)
416 static void ipip_netlink_parms(struct nlattr *data[],
417 struct ip_tunnel_parm_kern *parms,
418 bool *collect_md, __u32 *fwmark)
420 memset(parms, 0, sizeof(*parms));
422 parms->iph.version = 4;
423 parms->iph.protocol = IPPROTO_IPIP;
430 ip_tunnel_netlink_parms(data, parms);
432 if (data[IFLA_IPTUN_COLLECT_METADATA])
435 if (data[IFLA_IPTUN_FWMARK])
436 *fwmark = nla_get_u32(data[IFLA_IPTUN_FWMARK]);
439 static int ipip_newlink(struct net_device *dev,
440 struct rtnl_newlink_params *params,
441 struct netlink_ext_ack *extack)
443 struct ip_tunnel *t = netdev_priv(dev);
444 struct nlattr **data = params->data;
445 struct nlattr **tb = params->tb;
446 struct ip_tunnel_encap ipencap;
447 struct ip_tunnel_parm_kern p;
450 if (ip_tunnel_netlink_encap_parms(data, &ipencap)) {
451 int err = ip_tunnel_encap_setup(t, &ipencap);
457 ipip_netlink_parms(data, &p, &t->collect_md, &fwmark);
458 return ip_tunnel_newlink(params->link_net ? : dev_net(dev), dev, tb, &p,
462 static int ipip_changelink(struct net_device *dev, struct nlattr *tb[],
463 struct nlattr *data[],
464 struct netlink_ext_ack *extack)
466 struct ip_tunnel *t = netdev_priv(dev);
467 struct ip_tunnel_encap ipencap;
468 struct ip_tunnel_parm_kern p;
470 __u32 fwmark = t->fwmark;
472 if (ip_tunnel_netlink_encap_parms(data, &ipencap)) {
473 int err = ip_tunnel_encap_setup(t, &ipencap);
479 ipip_netlink_parms(data, &p, &collect_md, &fwmark);
483 if (((dev->flags & IFF_POINTOPOINT) && !p.iph.daddr) ||
484 (!(dev->flags & IFF_POINTOPOINT) && p.iph.daddr))
487 return ip_tunnel_changelink(dev, tb, &p, fwmark);
490 static size_t ipip_get_size(const struct net_device *dev)
493 /* IFLA_IPTUN_LINK */
495 /* IFLA_IPTUN_LOCAL */
497 /* IFLA_IPTUN_REMOTE */
503 /* IFLA_IPTUN_PROTO */
505 /* IFLA_IPTUN_PMTUDISC */
507 /* IFLA_IPTUN_ENCAP_TYPE */
509 /* IFLA_IPTUN_ENCAP_FLAGS */
511 /* IFLA_IPTUN_ENCAP_SPORT */
513 /* IFLA_IPTUN_ENCAP_DPORT */
515 /* IFLA_IPTUN_COLLECT_METADATA */
517 /* IFLA_IPTUN_FWMARK */
522 static int ipip_fill_info(struct sk_buff *skb, const struct net_device *dev)
524 struct ip_tunnel *tunnel = netdev_priv(dev);
525 struct ip_tunnel_parm_kern *parm = &tunnel->parms;
527 if (nla_put_u32(skb, IFLA_IPTUN_LINK, parm->link) ||
528 nla_put_in_addr(skb, IFLA_IPTUN_LOCAL, parm->iph.saddr) ||
529 nla_put_in_addr(skb, IFLA_IPTUN_REMOTE, parm->iph.daddr) ||
530 nla_put_u8(skb, IFLA_IPTUN_TTL, parm->iph.ttl) ||
531 nla_put_u8(skb, IFLA_IPTUN_TOS, parm->iph.tos) ||
532 nla_put_u8(skb, IFLA_IPTUN_PROTO, parm->iph.protocol) ||
533 nla_put_u8(skb, IFLA_IPTUN_PMTUDISC,
534 !!(parm->iph.frag_off & htons(IP_DF))) ||
535 nla_put_u32(skb, IFLA_IPTUN_FWMARK, tunnel->fwmark))
536 goto nla_put_failure;
538 if (nla_put_u16(skb, IFLA_IPTUN_ENCAP_TYPE,
539 tunnel->encap.type) ||
540 nla_put_be16(skb, IFLA_IPTUN_ENCAP_SPORT,
541 tunnel->encap.sport) ||
542 nla_put_be16(skb, IFLA_IPTUN_ENCAP_DPORT,
543 tunnel->encap.dport) ||
544 nla_put_u16(skb, IFLA_IPTUN_ENCAP_FLAGS,
545 tunnel->encap.flags))
546 goto nla_put_failure;
548 if (tunnel->collect_md)
549 if (nla_put_flag(skb, IFLA_IPTUN_COLLECT_METADATA))
550 goto nla_put_failure;
557 static const struct nla_policy ipip_policy[IFLA_IPTUN_MAX + 1] = {
558 [IFLA_IPTUN_LINK] = { .type = NLA_U32 },
559 [IFLA_IPTUN_LOCAL] = { .type = NLA_U32 },
560 [IFLA_IPTUN_REMOTE] = { .type = NLA_U32 },
561 [IFLA_IPTUN_TTL] = { .type = NLA_U8 },
562 [IFLA_IPTUN_TOS] = { .type = NLA_U8 },
563 [IFLA_IPTUN_PROTO] = { .type = NLA_U8 },
564 [IFLA_IPTUN_PMTUDISC] = { .type = NLA_U8 },
565 [IFLA_IPTUN_ENCAP_TYPE] = { .type = NLA_U16 },
566 [IFLA_IPTUN_ENCAP_FLAGS] = { .type = NLA_U16 },
567 [IFLA_IPTUN_ENCAP_SPORT] = { .type = NLA_U16 },
568 [IFLA_IPTUN_ENCAP_DPORT] = { .type = NLA_U16 },
569 [IFLA_IPTUN_COLLECT_METADATA] = { .type = NLA_FLAG },
570 [IFLA_IPTUN_FWMARK] = { .type = NLA_U32 },
573 static struct rtnl_link_ops ipip_link_ops __read_mostly = {
575 .maxtype = IFLA_IPTUN_MAX,
576 .policy = ipip_policy,
577 .priv_size = sizeof(struct ip_tunnel),
578 .setup = ipip_tunnel_setup,
579 .validate = ipip_tunnel_validate,
580 .newlink = ipip_newlink,
581 .changelink = ipip_changelink,
582 .dellink = ip_tunnel_dellink,
583 .get_size = ipip_get_size,
584 .fill_info = ipip_fill_info,
585 .get_link_net = ip_tunnel_get_link_net,
588 static struct xfrm_tunnel ipip_handler __read_mostly = {
590 .err_handler = ipip_err,
594 #if IS_ENABLED(CONFIG_MPLS)
595 static struct xfrm_tunnel mplsip_handler __read_mostly = {
596 .handler = mplsip_rcv,
597 .err_handler = ipip_err,
602 static int __net_init ipip_init_net(struct net *net)
604 return ip_tunnel_init_net(net, ipip_net_id, &ipip_link_ops, "tunl0");
607 static void __net_exit ipip_exit_rtnl(struct net *net,
608 struct list_head *dev_to_kill)
610 ip_tunnel_delete_net(net, ipip_net_id, &ipip_link_ops, dev_to_kill);
613 static struct pernet_operations ipip_net_ops = {
614 .init = ipip_init_net,
615 .exit_rtnl = ipip_exit_rtnl,
617 .size = sizeof(struct ip_tunnel_net),
620 static int __init ipip_init(void)
624 pr_info("ipip: IPv4 and MPLS over IPv4 tunneling driver\n");
626 err = register_pernet_device(&ipip_net_ops);
629 err = xfrm4_tunnel_register(&ipip_handler, AF_INET);
631 pr_info("%s: can't register tunnel\n", __func__);
632 goto xfrm_tunnel_ipip_failed;
634 #if IS_ENABLED(CONFIG_MPLS)
635 err = xfrm4_tunnel_register(&mplsip_handler, AF_MPLS);
637 pr_info("%s: can't register tunnel\n", __func__);
638 goto xfrm_tunnel_mplsip_failed;
641 err = rtnl_link_register(&ipip_link_ops);
643 goto rtnl_link_failed;
649 #if IS_ENABLED(CONFIG_MPLS)
650 xfrm4_tunnel_deregister(&mplsip_handler, AF_MPLS);
651 xfrm_tunnel_mplsip_failed:
654 xfrm4_tunnel_deregister(&ipip_handler, AF_INET);
655 xfrm_tunnel_ipip_failed:
656 unregister_pernet_device(&ipip_net_ops);
660 static void __exit ipip_fini(void)
662 rtnl_link_unregister(&ipip_link_ops);
663 if (xfrm4_tunnel_deregister(&ipip_handler, AF_INET))
664 pr_info("%s: can't deregister tunnel\n", __func__);
665 #if IS_ENABLED(CONFIG_MPLS)
666 if (xfrm4_tunnel_deregister(&mplsip_handler, AF_MPLS))
667 pr_info("%s: can't deregister tunnel\n", __func__);
669 unregister_pernet_device(&ipip_net_ops);
672 module_init(ipip_init);
673 module_exit(ipip_fini);
674 MODULE_DESCRIPTION("IP/IP protocol decoder library");
675 MODULE_LICENSE("GPL");
676 MODULE_ALIAS_RTNL_LINK("ipip");
677 MODULE_ALIAS_NETDEV("tunl0");
projects / linux-block.git / blob