HardenedBSD/sys/netgraph/ng_vlan.c
Warner Losh 95ee2897e9 sys: Remove $FreeBSD$: two-line .h pattern
Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/
2023-08-16 11:54:11 -06:00

708 lines
18 KiB
C

/*-
* SPDX-License-Identifier: BSD-2-Clause
*
* Copyright (c) 2003 IPNET Internet Communication Company
* Copyright (c) 2011 - 2012 Rozhuk Ivan <rozhuk.im@gmail.com>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* Author: Ruslan Ermilov <ru@FreeBSD.org>
*/
#include <sys/param.h>
#include <sys/errno.h>
#include <sys/kernel.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
#include <sys/queue.h>
#include <sys/socket.h>
#include <sys/systm.h>
#include <net/ethernet.h>
#include <net/if.h>
#include <net/if_vlan_var.h>
#include <netgraph/ng_message.h>
#include <netgraph/ng_parse.h>
#include <netgraph/ng_vlan.h>
#include <netgraph/netgraph.h>
struct ng_vlan_private {
hook_p downstream_hook;
hook_p nomatch_hook;
uint32_t decap_enable;
uint32_t encap_enable;
uint16_t encap_proto;
hook_p vlan_hook[(EVL_VLID_MASK + 1)];
};
typedef struct ng_vlan_private *priv_p;
#define ETHER_VLAN_HDR_LEN (ETHER_HDR_LEN + ETHER_VLAN_ENCAP_LEN)
#define VLAN_TAG_MASK 0xFFFF
#define HOOK_VLAN_TAG_SET_MASK ((uintptr_t)((~0) & ~(VLAN_TAG_MASK)))
#define IS_HOOK_VLAN_SET(hdata) \
((((uintptr_t)hdata) & HOOK_VLAN_TAG_SET_MASK) == HOOK_VLAN_TAG_SET_MASK)
static ng_constructor_t ng_vlan_constructor;
static ng_rcvmsg_t ng_vlan_rcvmsg;
static ng_shutdown_t ng_vlan_shutdown;
static ng_newhook_t ng_vlan_newhook;
static ng_rcvdata_t ng_vlan_rcvdata;
static ng_disconnect_t ng_vlan_disconnect;
/* Parse type for struct ng_vlan_filter. */
static const struct ng_parse_struct_field ng_vlan_filter_fields[] =
NG_VLAN_FILTER_FIELDS;
static const struct ng_parse_type ng_vlan_filter_type = {
&ng_parse_struct_type,
&ng_vlan_filter_fields
};
static int
ng_vlan_getTableLength(const struct ng_parse_type *type,
const u_char *start, const u_char *buf)
{
const struct ng_vlan_table *const table =
(const struct ng_vlan_table *)(buf - sizeof(u_int32_t));
return table->n;
}
/* Parse type for struct ng_vlan_table. */
static const struct ng_parse_array_info ng_vlan_table_array_info = {
&ng_vlan_filter_type,
ng_vlan_getTableLength
};
static const struct ng_parse_type ng_vlan_table_array_type = {
&ng_parse_array_type,
&ng_vlan_table_array_info
};
static const struct ng_parse_struct_field ng_vlan_table_fields[] =
NG_VLAN_TABLE_FIELDS;
static const struct ng_parse_type ng_vlan_table_type = {
&ng_parse_struct_type,
&ng_vlan_table_fields
};
/* List of commands and how to convert arguments to/from ASCII. */
static const struct ng_cmdlist ng_vlan_cmdlist[] = {
{
NGM_VLAN_COOKIE,
NGM_VLAN_ADD_FILTER,
"addfilter",
&ng_vlan_filter_type,
NULL
},
{
NGM_VLAN_COOKIE,
NGM_VLAN_DEL_FILTER,
"delfilter",
&ng_parse_hookbuf_type,
NULL
},
{
NGM_VLAN_COOKIE,
NGM_VLAN_GET_TABLE,
"gettable",
NULL,
&ng_vlan_table_type
},
{
NGM_VLAN_COOKIE,
NGM_VLAN_DEL_VID_FLT,
"delvidflt",
&ng_parse_uint16_type,
NULL
},
{
NGM_VLAN_COOKIE,
NGM_VLAN_GET_DECAP,
"getdecap",
NULL,
&ng_parse_hint32_type
},
{
NGM_VLAN_COOKIE,
NGM_VLAN_SET_DECAP,
"setdecap",
&ng_parse_hint32_type,
NULL
},
{
NGM_VLAN_COOKIE,
NGM_VLAN_GET_ENCAP,
"getencap",
NULL,
&ng_parse_hint32_type
},
{
NGM_VLAN_COOKIE,
NGM_VLAN_SET_ENCAP,
"setencap",
&ng_parse_hint32_type,
NULL
},
{
NGM_VLAN_COOKIE,
NGM_VLAN_GET_ENCAP_PROTO,
"getencapproto",
NULL,
&ng_parse_hint16_type
},
{
NGM_VLAN_COOKIE,
NGM_VLAN_SET_ENCAP_PROTO,
"setencapproto",
&ng_parse_hint16_type,
NULL
},
{ 0 }
};
static struct ng_type ng_vlan_typestruct = {
.version = NG_ABI_VERSION,
.name = NG_VLAN_NODE_TYPE,
.constructor = ng_vlan_constructor,
.rcvmsg = ng_vlan_rcvmsg,
.shutdown = ng_vlan_shutdown,
.newhook = ng_vlan_newhook,
.rcvdata = ng_vlan_rcvdata,
.disconnect = ng_vlan_disconnect,
.cmdlist = ng_vlan_cmdlist,
};
NETGRAPH_INIT(vlan, &ng_vlan_typestruct);
/*
* Helper functions.
*/
static __inline int
m_chk(struct mbuf **mp, int len)
{
if ((*mp)->m_pkthdr.len < len) {
m_freem((*mp));
(*mp) = NULL;
return (EINVAL);
}
if ((*mp)->m_len < len && ((*mp) = m_pullup((*mp), len)) == NULL)
return (ENOBUFS);
return (0);
}
/*
* Netgraph node functions.
*/
static int
ng_vlan_constructor(node_p node)
{
priv_p priv;
priv = malloc(sizeof(*priv), M_NETGRAPH, M_WAITOK | M_ZERO);
priv->decap_enable = 0;
priv->encap_enable = VLAN_ENCAP_FROM_FILTER;
priv->encap_proto = htons(ETHERTYPE_VLAN);
NG_NODE_SET_PRIVATE(node, priv);
return (0);
}
static int
ng_vlan_newhook(node_p node, hook_p hook, const char *name)
{
const priv_p priv = NG_NODE_PRIVATE(node);
if (strcmp(name, NG_VLAN_HOOK_DOWNSTREAM) == 0)
priv->downstream_hook = hook;
else if (strcmp(name, NG_VLAN_HOOK_NOMATCH) == 0)
priv->nomatch_hook = hook;
else {
/*
* Any other hook name is valid and can
* later be associated with a filter rule.
*/
}
NG_HOOK_SET_PRIVATE(hook, NULL);
return (0);
}
static int
ng_vlan_rcvmsg(node_p node, item_p item, hook_p lasthook)
{
const priv_p priv = NG_NODE_PRIVATE(node);
struct ng_mesg *msg, *resp = NULL;
struct ng_vlan_filter *vf;
hook_p hook;
struct ng_vlan_table *t;
uintptr_t hook_data;
int i, vlan_count;
uint16_t vid;
int error = 0;
NGI_GET_MSG(item, msg);
/* Deal with message according to cookie and command. */
switch (msg->header.typecookie) {
case NGM_VLAN_COOKIE:
switch (msg->header.cmd) {
case NGM_VLAN_ADD_FILTER:
/* Check that message is long enough. */
if (msg->header.arglen != sizeof(*vf)) {
error = EINVAL;
break;
}
vf = (struct ng_vlan_filter *)msg->data;
/* Sanity check the VLAN ID value. */
#ifdef NG_VLAN_USE_OLD_VLAN_NAME
if (vf->vid == 0 && vf->vid != vf->vlan) {
vf->vid = vf->vlan;
} else if (vf->vid != 0 && vf->vlan != 0 &&
vf->vid != vf->vlan) {
error = EINVAL;
break;
}
#endif
if (vf->vid & ~EVL_VLID_MASK ||
vf->pcp & ~7 ||
vf->cfi & ~1) {
error = EINVAL;
break;
}
/* Check that a referenced hook exists. */
hook = ng_findhook(node, vf->hook_name);
if (hook == NULL) {
error = ENOENT;
break;
}
/* And is not one of the special hooks. */
if (hook == priv->downstream_hook ||
hook == priv->nomatch_hook) {
error = EINVAL;
break;
}
/* And is not already in service. */
if (IS_HOOK_VLAN_SET(NG_HOOK_PRIVATE(hook))) {
error = EEXIST;
break;
}
/* Check we don't already trap this VLAN. */
if (priv->vlan_hook[vf->vid] != NULL) {
error = EEXIST;
break;
}
/* Link vlan and hook together. */
NG_HOOK_SET_PRIVATE(hook,
(void *)(HOOK_VLAN_TAG_SET_MASK |
EVL_MAKETAG(vf->vid, vf->pcp, vf->cfi)));
priv->vlan_hook[vf->vid] = hook;
break;
case NGM_VLAN_DEL_FILTER:
/* Check that message is long enough. */
if (msg->header.arglen != NG_HOOKSIZ) {
error = EINVAL;
break;
}
/* Check that hook exists and is active. */
hook = ng_findhook(node, (char *)msg->data);
if (hook == NULL) {
error = ENOENT;
break;
}
hook_data = (uintptr_t)NG_HOOK_PRIVATE(hook);
if (IS_HOOK_VLAN_SET(hook_data) == 0) {
error = ENOENT;
break;
}
KASSERT(priv->vlan_hook[EVL_VLANOFTAG(hook_data)] == hook,
("%s: NGM_VLAN_DEL_FILTER: Invalid VID for Hook = %s\n",
__func__, (char *)msg->data));
/* Purge a rule that refers to this hook. */
priv->vlan_hook[EVL_VLANOFTAG(hook_data)] = NULL;
NG_HOOK_SET_PRIVATE(hook, NULL);
break;
case NGM_VLAN_DEL_VID_FLT:
/* Check that message is long enough. */
if (msg->header.arglen != sizeof(uint16_t)) {
error = EINVAL;
break;
}
vid = (*((uint16_t *)msg->data));
/* Sanity check the VLAN ID value. */
if (vid & ~EVL_VLID_MASK) {
error = EINVAL;
break;
}
/* Check that hook exists and is active. */
hook = priv->vlan_hook[vid];
if (hook == NULL) {
error = ENOENT;
break;
}
hook_data = (uintptr_t)NG_HOOK_PRIVATE(hook);
if (IS_HOOK_VLAN_SET(hook_data) == 0) {
error = ENOENT;
break;
}
KASSERT(EVL_VLANOFTAG(hook_data) == vid,
("%s: NGM_VLAN_DEL_VID_FLT:"
" Invalid VID Hook = %us, must be: %us\n",
__func__, (uint16_t )EVL_VLANOFTAG(hook_data),
vid));
/* Purge a rule that refers to this hook. */
priv->vlan_hook[vid] = NULL;
NG_HOOK_SET_PRIVATE(hook, NULL);
break;
case NGM_VLAN_GET_TABLE:
/* Calculate vlans. */
vlan_count = 0;
for (i = 0; i < (EVL_VLID_MASK + 1); i ++) {
if (priv->vlan_hook[i] != NULL &&
NG_HOOK_IS_VALID(priv->vlan_hook[i]))
vlan_count ++;
}
/* Allocate memory for response. */
NG_MKRESPONSE(resp, msg, sizeof(*t) +
vlan_count * sizeof(*t->filter), M_NOWAIT);
if (resp == NULL) {
error = ENOMEM;
break;
}
/* Pack data to response. */
t = (struct ng_vlan_table *)resp->data;
t->n = 0;
vf = &t->filter[0];
for (i = 0; i < (EVL_VLID_MASK + 1); i ++) {
hook = priv->vlan_hook[i];
if (hook == NULL || NG_HOOK_NOT_VALID(hook))
continue;
hook_data = (uintptr_t)NG_HOOK_PRIVATE(hook);
if (IS_HOOK_VLAN_SET(hook_data) == 0)
continue;
KASSERT(EVL_VLANOFTAG(hook_data) == i,
("%s: NGM_VLAN_GET_TABLE:"
" hook %s VID = %us, must be: %i\n",
__func__, NG_HOOK_NAME(hook),
(uint16_t)EVL_VLANOFTAG(hook_data), i));
#ifdef NG_VLAN_USE_OLD_VLAN_NAME
vf->vlan = i;
#endif
vf->vid = i;
vf->pcp = EVL_PRIOFTAG(hook_data);
vf->cfi = EVL_CFIOFTAG(hook_data);
strncpy(vf->hook_name,
NG_HOOK_NAME(hook), NG_HOOKSIZ);
vf ++;
t->n ++;
}
break;
case NGM_VLAN_GET_DECAP:
NG_MKRESPONSE(resp, msg, sizeof(uint32_t), M_NOWAIT);
if (resp == NULL) {
error = ENOMEM;
break;
}
(*((uint32_t *)resp->data)) = priv->decap_enable;
break;
case NGM_VLAN_SET_DECAP:
if (msg->header.arglen != sizeof(uint32_t)) {
error = EINVAL;
break;
}
priv->decap_enable = (*((uint32_t *)msg->data));
break;
case NGM_VLAN_GET_ENCAP:
NG_MKRESPONSE(resp, msg, sizeof(uint32_t), M_NOWAIT);
if (resp == NULL) {
error = ENOMEM;
break;
}
(*((uint32_t *)resp->data)) = priv->encap_enable;
break;
case NGM_VLAN_SET_ENCAP:
if (msg->header.arglen != sizeof(uint32_t)) {
error = EINVAL;
break;
}
priv->encap_enable = (*((uint32_t *)msg->data));
break;
case NGM_VLAN_GET_ENCAP_PROTO:
NG_MKRESPONSE(resp, msg, sizeof(uint16_t), M_NOWAIT);
if (resp == NULL) {
error = ENOMEM;
break;
}
(*((uint16_t *)resp->data)) = ntohs(priv->encap_proto);
break;
case NGM_VLAN_SET_ENCAP_PROTO:
if (msg->header.arglen != sizeof(uint16_t)) {
error = EINVAL;
break;
}
priv->encap_proto = htons((*((uint16_t *)msg->data)));
break;
default: /* Unknown command. */
error = EINVAL;
break;
}
break;
case NGM_FLOW_COOKIE:
{
struct ng_mesg *copy;
/*
* Flow control messages should come only
* from downstream.
*/
if (lasthook == NULL)
break;
if (lasthook != priv->downstream_hook)
break;
/* Broadcast the event to all uplinks. */
for (i = 0; i < (EVL_VLID_MASK + 1); i ++) {
if (priv->vlan_hook[i] == NULL)
continue;
NG_COPYMESSAGE(copy, msg, M_NOWAIT);
if (copy == NULL)
continue;
NG_SEND_MSG_HOOK(error, node, copy,
priv->vlan_hook[i], 0);
}
break;
}
default: /* Unknown type cookie. */
error = EINVAL;
break;
}
NG_RESPOND_MSG(error, node, item, resp);
NG_FREE_MSG(msg);
return (error);
}
static int
ng_vlan_rcvdata(hook_p hook, item_p item)
{
const priv_p priv = NG_NODE_PRIVATE(NG_HOOK_NODE(hook));
struct ether_header *eh;
struct ether_vlan_header *evl;
int error;
uintptr_t hook_data;
uint16_t vid, eth_vtag;
struct mbuf *m;
hook_p dst_hook;
NGI_GET_M(item, m);
/* Make sure we have an entire header. */
error = m_chk(&m, ETHER_HDR_LEN);
if (error != 0)
goto mchk_err;
eh = mtod(m, struct ether_header *);
if (hook == priv->downstream_hook) {
/*
* If from downstream, select between a match hook
* or the nomatch hook.
*/
dst_hook = priv->nomatch_hook;
/* Skip packets without tag. */
if ((m->m_flags & M_VLANTAG) == 0 &&
eh->ether_type != priv->encap_proto) {
if (dst_hook == NULL)
goto net_down;
goto send_packet;
}
/* Process packets with tag. */
if (m->m_flags & M_VLANTAG) {
/*
* Packet is tagged, m contains a normal
* Ethernet frame; tag is stored out-of-band.
*/
evl = NULL;
vid = EVL_VLANOFTAG(m->m_pkthdr.ether_vtag);
} else { /* eh->ether_type == priv->encap_proto */
error = m_chk(&m, ETHER_VLAN_HDR_LEN);
if (error != 0)
goto mchk_err;
evl = mtod(m, struct ether_vlan_header *);
vid = EVL_VLANOFTAG(ntohs(evl->evl_tag));
}
if (priv->vlan_hook[vid] != NULL) {
/*
* VLAN filter: always remove vlan tags and
* decapsulate packet.
*/
dst_hook = priv->vlan_hook[vid];
if (evl == NULL) { /* m->m_flags & M_VLANTAG */
m->m_pkthdr.ether_vtag = 0;
m->m_flags &= ~M_VLANTAG;
goto send_packet;
}
} else { /* nomatch_hook */
if (dst_hook == NULL)
goto net_down;
if (evl == NULL || priv->decap_enable == 0)
goto send_packet;
/* Save tag out-of-band. */
m->m_pkthdr.ether_vtag = ntohs(evl->evl_tag);
m->m_flags |= M_VLANTAG;
}
/*
* Decapsulate:
* TPID = ether type encap
* Move DstMAC and SrcMAC to ETHER_TYPE.
* Before:
* [dmac] [smac] [TPID] [PCP/CFI/VID] [ether_type] [payload]
* |-----------| >>>>>>>>>>>>>>>>>>>> |--------------------|
* After:
* [free space ] [dmac] [smac] [ether_type] [payload]
* |-----------| |--------------------|
*/
bcopy((char *)evl, ((char *)evl + ETHER_VLAN_ENCAP_LEN),
(ETHER_ADDR_LEN * 2));
m_adj(m, ETHER_VLAN_ENCAP_LEN);
} else {
/*
* It is heading towards the downstream.
* If from nomatch, pass it unmodified.
* Otherwise, do the VLAN encapsulation.
*/
dst_hook = priv->downstream_hook;
if (dst_hook == NULL)
goto net_down;
if (hook != priv->nomatch_hook) {/* Filter hook. */
hook_data = (uintptr_t)NG_HOOK_PRIVATE(hook);
if (IS_HOOK_VLAN_SET(hook_data) == 0) {
/*
* Packet from hook not in filter
* call addfilter for this hook to fix.
*/
error = EOPNOTSUPP;
goto drop;
}
eth_vtag = (hook_data & VLAN_TAG_MASK);
if ((priv->encap_enable & VLAN_ENCAP_FROM_FILTER) == 0) {
/* Just set packet header tag and send. */
m->m_flags |= M_VLANTAG;
m->m_pkthdr.ether_vtag = eth_vtag;
goto send_packet;
}
} else { /* nomatch_hook */
if ((priv->encap_enable & VLAN_ENCAP_FROM_NOMATCH) == 0 ||
(m->m_flags & M_VLANTAG) == 0)
goto send_packet;
/* Encapsulate tagged packet. */
eth_vtag = m->m_pkthdr.ether_vtag;
m->m_pkthdr.ether_vtag = 0;
m->m_flags &= ~M_VLANTAG;
}
/*
* Transform the Ethernet header into an Ethernet header
* with 802.1Q encapsulation.
* Mod of: ether_vlanencap.
*
* TPID = ether type encap
* Move DstMAC and SrcMAC from ETHER_TYPE.
* Before:
* [free space ] [dmac] [smac] [ether_type] [payload]
* <<<<<<<<<<<<< |-----------| |--------------------|
* After:
* [dmac] [smac] [TPID] [PCP/CFI/VID] [ether_type] [payload]
* |-----------| |-- inserted tag --| |--------------------|
*/
M_PREPEND(m, ETHER_VLAN_ENCAP_LEN, M_NOWAIT);
if (m == NULL)
error = ENOMEM;
else
error = m_chk(&m, ETHER_VLAN_HDR_LEN);
if (error != 0)
goto mchk_err;
evl = mtod(m, struct ether_vlan_header *);
bcopy(((char *)evl + ETHER_VLAN_ENCAP_LEN),
(char *)evl, (ETHER_ADDR_LEN * 2));
evl->evl_encap_proto = priv->encap_proto;
evl->evl_tag = htons(eth_vtag);
}
send_packet:
NG_FWD_NEW_DATA(error, item, dst_hook, m);
return (error);
net_down:
error = ENETDOWN;
drop:
m_freem(m);
mchk_err:
NG_FREE_ITEM(item);
return (error);
}
static int
ng_vlan_shutdown(node_p node)
{
const priv_p priv = NG_NODE_PRIVATE(node);
NG_NODE_SET_PRIVATE(node, NULL);
NG_NODE_UNREF(node);
free(priv, M_NETGRAPH);
return (0);
}
static int
ng_vlan_disconnect(hook_p hook)
{
const priv_p priv = NG_NODE_PRIVATE(NG_HOOK_NODE(hook));
uintptr_t hook_data;
if (hook == priv->downstream_hook)
priv->downstream_hook = NULL;
else if (hook == priv->nomatch_hook)
priv->nomatch_hook = NULL;
else {
/* Purge a rule that refers to this hook. */
hook_data = (uintptr_t)NG_HOOK_PRIVATE(hook);
if (IS_HOOK_VLAN_SET(hook_data))
priv->vlan_hook[EVL_VLANOFTAG(hook_data)] = NULL;
}
NG_HOOK_SET_PRIVATE(hook, NULL);
if ((NG_NODE_NUMHOOKS(NG_HOOK_NODE(hook)) == 0) &&
(NG_NODE_IS_VALID(NG_HOOK_NODE(hook))))
ng_rmnode_self(NG_HOOK_NODE(hook));
return (0);
}