Index: share/man/man4/gif.4 =================================================================== --- share/man/man4/gif.4 +++ share/man/man4/gif.4 @@ -207,15 +207,6 @@ .Nm to talk with IPsec devices that use IPsec tunnel mode. .Pp -The current code does not check if the ingress address -(outer source address) -configured in the -.Nm -interface makes sense. -Make sure to specify an address which belongs to your node. -Otherwise, your node will not be able to receive packets from the peer, -and it will generate packets with a spoofed source address. -.Pp If the outer protocol is IPv4, .Nm does not try to perform path MTU discovery for the encapsulated packet Index: sys/net/if.c =================================================================== --- sys/net/if.c +++ sys/net/if.c @@ -329,18 +329,6 @@ MALLOC_DEFINE(M_IFADDR, "ifaddr", "interface address"); MALLOC_DEFINE(M_IFMADDR, "ether_multi", "link-level multicast address"); -/* - * Support for old ifaddr_event. - */ -static void -ifaddr_event_compat(void *arg __unused, struct ifnet *ifp, - struct ifaddr *ifa __unused, int event __unused) -{ - - EVENTHANDLER_INVOKE(ifaddr_event, ifp); -} -EVENTHANDLER_DEFINE(ifaddr_event_ext, ifaddr_event_compat, NULL, 0); - struct ifnet * ifnet_byindex_locked(u_short idx) { Index: sys/net/if_gif.h =================================================================== --- sys/net/if_gif.h +++ sys/net/if_gif.h @@ -63,6 +63,7 @@ } gif_uhdr; CK_LIST_ENTRY(gif_softc) chain; + CK_LIST_ENTRY(gif_softc) srchash; }; CK_LIST_HEAD(gif_list, gif_softc); MALLOC_DECLARE(M_GIF); Index: sys/net/if_gif.c =================================================================== --- sys/net/if_gif.c +++ sys/net/if_gif.c @@ -284,6 +284,7 @@ sc = ifp->if_softc; if ((ifp->if_flags & IFF_MONITOR) != 0 || (ifp->if_flags & IFF_UP) == 0 || + (ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 || sc->gif_family == 0 || (error = if_tunnel_check_nesting(ifp, m, MTAG_GIF, V_max_gif_nesting)) != 0) { @@ -674,7 +675,6 @@ cmd == SIOCSIFPHYADDR_IN6 || #endif 0) { - ifp->if_drv_flags |= IFF_DRV_RUNNING; if_link_state_change(ifp, LINK_STATE_UP); } } @@ -689,6 +689,7 @@ sx_assert(&gif_ioctl_sx, SA_XLOCKED); if (sc->gif_family != 0) { + CK_LIST_REMOVE(sc, srchash); CK_LIST_REMOVE(sc, chain); /* Wait until it become safe to free gif_hdr */ GIF_WAIT(); Index: sys/netinet/in_gif.c =================================================================== --- sys/netinet/in_gif.c +++ sys/netinet/in_gif.c @@ -82,12 +82,16 @@ * Interfaces with GIF_IGNORE_SOURCE flag are linked into plain list. */ VNET_DEFINE_STATIC(struct gif_list *, ipv4_hashtbl) = NULL; +VNET_DEFINE_STATIC(struct gif_list *, ipv4_srchashtbl) = NULL; VNET_DEFINE_STATIC(struct gif_list, ipv4_list) = CK_LIST_HEAD_INITIALIZER(); #define V_ipv4_hashtbl VNET(ipv4_hashtbl) +#define V_ipv4_srchashtbl VNET(ipv4_srchashtbl) #define V_ipv4_list VNET(ipv4_list) #define GIF_HASH(src, dst) (V_ipv4_hashtbl[\ in_gif_hashval((src), (dst)) & (GIF_HASH_SIZE - 1)]) +#define GIF_SRCHASH(src) (V_ipv4_srchashtbl[\ + fnv_32_buf(&(src), sizeof(src), FNV1_32_INIT) & (GIF_HASH_SIZE - 1)]) #define GIF_HASH_SC(sc) GIF_HASH((sc)->gif_iphdr->ip_src.s_addr,\ (sc)->gif_iphdr->ip_dst.s_addr) static uint32_t @@ -119,6 +123,42 @@ return (0); } +/* + * Check that ingress address belongs to local host. + */ +static void +in_gif_set_running(struct gif_softc *sc) +{ + + if (in_localip(sc->gif_iphdr->ip_src)) + GIF2IFP(sc)->if_drv_flags |= IFF_DRV_RUNNING; + else + GIF2IFP(sc)->if_drv_flags &= ~IFF_DRV_RUNNING; +} + +/* + * ifaddr_event handler. + * Clear IFF_DRV_RUNNING flag when ingress address disappears to prevent + * source address spoofing. + */ +static void +in_gif_srcaddr(void *arg __unused, const struct sockaddr *sa, int event) +{ + const struct sockaddr_in *sin; + struct gif_softc *sc; + + if (V_ipv4_srchashtbl == NULL) + return; + + MPASS(in_epoch(net_epoch_preempt)); + sin = (const struct sockaddr_in *)sa; + CK_LIST_FOREACH(sc, &GIF_SRCHASH(sin->sin_addr.s_addr), srchash) { + if (sc->gif_iphdr->ip_src.s_addr != sin->sin_addr.s_addr) + continue; + in_gif_set_running(sc); + } +} + static void in_gif_attach(struct gif_softc *sc) { @@ -127,6 +167,9 @@ CK_LIST_INSERT_HEAD(&V_ipv4_list, sc, chain); else CK_LIST_INSERT_HEAD(&GIF_HASH_SC(sc), sc, chain); + + CK_LIST_INSERT_HEAD(&GIF_SRCHASH(sc->gif_iphdr->ip_src.s_addr), + sc, srchash); } int @@ -139,6 +182,7 @@ if ((options & GIF_IGNORE_SOURCE) != (sc->gif_options & GIF_IGNORE_SOURCE)) { + CK_LIST_REMOVE(sc, srchash); CK_LIST_REMOVE(sc, chain); sc->gif_options = options; in_gif_attach(sc); @@ -172,8 +216,10 @@ error = EADDRNOTAVAIL; break; } - if (V_ipv4_hashtbl == NULL) + if (V_ipv4_hashtbl == NULL) { V_ipv4_hashtbl = gif_hashinit(); + V_ipv4_srchashtbl = gif_hashinit(); + } error = in_gif_checkdup(sc, src->sin_addr.s_addr, dst->sin_addr.s_addr); if (error == EADDRNOTAVAIL) @@ -188,6 +234,7 @@ ip->ip_dst.s_addr = dst->sin_addr.s_addr; if (sc->gif_family != 0) { /* Detach existing tunnel first */ + CK_LIST_REMOVE(sc, srchash); CK_LIST_REMOVE(sc, chain); GIF_WAIT(); free(sc->gif_hdr, M_GIF); @@ -196,6 +243,7 @@ sc->gif_family = AF_INET; sc->gif_iphdr = ip; in_gif_attach(sc); + in_gif_set_running(sc); break; case SIOCGIFPSRCADDR: case SIOCGIFPDSTADDR: @@ -342,6 +390,7 @@ return (ret); } +static const struct srcaddrtab *ipv4_srcaddrtab; static struct { const struct encap_config encap; const struct encaptab *cookie; @@ -387,6 +436,9 @@ if (!IS_DEFAULT_VNET(curvnet)) return; + + ipv4_srcaddrtab = ip_encap_register_srcaddr(in_gif_srcaddr, + NULL, M_WAITOK); for (i = 0; i < nitems(ipv4_encap_cfg); i++) ipv4_encap_cfg[i].cookie = ip_encap_attach( &ipv4_encap_cfg[i].encap, NULL, M_WAITOK); @@ -400,8 +452,11 @@ if (IS_DEFAULT_VNET(curvnet)) { for (i = 0; i < nitems(ipv4_encap_cfg); i++) ip_encap_detach(ipv4_encap_cfg[i].cookie); + ip_encap_unregister_srcaddr(ipv4_srcaddrtab); } - if (V_ipv4_hashtbl != NULL) + if (V_ipv4_hashtbl != NULL) { gif_hashdestroy(V_ipv4_hashtbl); + gif_hashdestroy(V_ipv4_srchashtbl); + } } Index: sys/netinet/ip_encap.h =================================================================== --- sys/netinet/ip_encap.h +++ sys/netinet/ip_encap.h @@ -43,7 +43,8 @@ typedef int (*encap_lookup_t)(const struct mbuf *, int, int, void **); typedef int (*encap_check_t)(const struct mbuf *, int, int, void *); -typedef int (*encap_input_t)(struct mbuf *, int , int, void *); +typedef int (*encap_input_t)(struct mbuf *, int, int, void *); +typedef void (*encap_srcaddr_t)(void *, const struct sockaddr *, int); struct encap_config { int proto; /* protocol */ @@ -57,12 +58,20 @@ }; struct encaptab; +struct srcaddrtab; const struct encaptab *ip_encap_attach(const struct encap_config *, void *arg, int mflags); const struct encaptab *ip6_encap_attach(const struct encap_config *, void *arg, int mflags); +const struct srcaddrtab *ip_encap_register_srcaddr(encap_srcaddr_t, + void *arg, int mflags); +const struct srcaddrtab *ip6_encap_register_srcaddr(encap_srcaddr_t, + void *arg, int mflags); + +int ip_encap_unregister_srcaddr(const struct srcaddrtab *); +int ip6_encap_unregister_srcaddr(const struct srcaddrtab *); int ip_encap_detach(const struct encaptab *); int ip6_encap_detach(const struct encaptab *); #endif Index: sys/netinet/ip_encap.c =================================================================== --- sys/netinet/ip_encap.c +++ sys/netinet/ip_encap.c @@ -100,22 +100,139 @@ encap_input_t input; }; +struct srcaddrtab { + CK_LIST_ENTRY(srcaddrtab) chain; + + encap_srcaddr_t srcaddr; + void *arg; +}; + CK_LIST_HEAD(encaptab_head, encaptab); +CK_LIST_HEAD(srcaddrtab_head, srcaddrtab); #ifdef INET static struct encaptab_head ipv4_encaptab = CK_LIST_HEAD_INITIALIZER(); +static struct srcaddrtab_head ipv4_srcaddrtab = CK_LIST_HEAD_INITIALIZER(); #endif #ifdef INET6 static struct encaptab_head ipv6_encaptab = CK_LIST_HEAD_INITIALIZER(); +static struct srcaddrtab_head ipv6_srcaddrtab = CK_LIST_HEAD_INITIALIZER(); #endif -static struct mtx encapmtx; +static struct mtx encapmtx, srcaddrmtx; MTX_SYSINIT(encapmtx, &encapmtx, "encapmtx", MTX_DEF); +MTX_SYSINIT(srcaddrmtx, &srcaddrmtx, "srcaddrmtx", MTX_DEF); #define ENCAP_WLOCK() mtx_lock(&encapmtx) #define ENCAP_WUNLOCK() mtx_unlock(&encapmtx) -#define ENCAP_RLOCK() struct epoch_tracker encap_et; epoch_enter_preempt(net_epoch_preempt, &encap_et) -#define ENCAP_RUNLOCK() epoch_exit_preempt(net_epoch_preempt, &encap_et) +#define ENCAP_RLOCK_TRACKER struct epoch_tracker encap_et +#define ENCAP_RLOCK() \ + epoch_enter_preempt(net_epoch_preempt, &encap_et) +#define ENCAP_RUNLOCK() \ + epoch_exit_preempt(net_epoch_preempt, &encap_et) #define ENCAP_WAIT() epoch_wait_preempt(net_epoch_preempt) +#define SRCADDR_WLOCK() mtx_lock(&srcaddrmtx) +#define SRCADDR_WUNLOCK() mtx_unlock(&srcaddrmtx) +#define SRCADDR_RLOCK_TRACKER struct epoch_tracker srcaddr_et +#define SRCADDR_RLOCK() \ + epoch_enter_preempt(net_epoch_preempt, &srcaddr_et) +#define SRCADDR_RUNLOCK() \ + epoch_exit_preempt(net_epoch_preempt, &srcaddr_et) +#define SRCADDR_WAIT() epoch_wait_preempt(net_epoch_preempt) + +/* + * ifaddr_event_ext handler. + * + * Tunnelling interfaces may request the kernel to notify when + * some interface addresses appears or disappears. Usually tunnelling + * interface must use an address configured on the local machine as + * ingress address to be able receive datagramms and do not send + * spoofed packets. + */ +static void +srcaddr_change_event(void *arg __unused, struct ifnet *ifp, + struct ifaddr *ifa, int event) +{ + SRCADDR_RLOCK_TRACKER; + struct srcaddrtab_head *head; + struct srcaddrtab *p; + + /* Support for old ifaddr_event. */ + EVENTHANDLER_INVOKE(ifaddr_event, ifp); + + switch (ifa->ifa_addr->sa_family) { +#ifdef INET + case AF_INET: + head = &ipv4_srcaddrtab; + break; +#endif +#ifdef INET6 + case AF_INET6: + head = &ipv6_srcaddrtab; + break; +#endif + default: + /* ignore event */ + return; + } + + SRCADDR_RLOCK(); + CK_LIST_FOREACH(p, head, chain) { + (*p->srcaddr)(p->arg, ifa->ifa_addr, event); + } + SRCADDR_RUNLOCK(); +} +EVENTHANDLER_DEFINE(ifaddr_event_ext, srcaddr_change_event, NULL, 0); + +static struct srcaddrtab * +encap_register_srcaddr(struct srcaddrtab_head *head, encap_srcaddr_t func, + void *arg, int mflags) +{ + struct srcaddrtab *p, *tmp; + + if (func == NULL) + return (NULL); + p = malloc(sizeof(*p), M_NETADDR, mflags); + if (p == NULL) + return (NULL); + p->srcaddr = func; + p->arg = arg; + + SRCADDR_WLOCK(); + CK_LIST_FOREACH(tmp, head, chain) { + if (func == tmp->srcaddr && arg == tmp->arg) + break; + } + if (tmp == NULL) + CK_LIST_INSERT_HEAD(head, p, chain); + SRCADDR_WUNLOCK(); + + if (tmp != NULL) { + free(p, M_NETADDR); + p = tmp; + } + return (p); +} + +static int +encap_unregister_srcaddr(struct srcaddrtab_head *head, + const struct srcaddrtab *cookie) +{ + struct srcaddrtab *p; + + SRCADDR_WLOCK(); + CK_LIST_FOREACH(p, head, chain) { + if (p == cookie) { + CK_LIST_REMOVE(p, chain); + SRCADDR_WUNLOCK(); + SRCADDR_WAIT(); + free(p, M_NETADDR); + return (0); + } + } + SRCADDR_WUNLOCK(); + return (EINVAL); +} + static struct encaptab * encap_attach(struct encaptab_head *head, const struct encap_config *cfg, void *arg, int mflags) @@ -175,6 +292,7 @@ static int encap_input(struct encaptab_head *head, struct mbuf *m, int off, int proto) { + ENCAP_RLOCK_TRACKER; struct encaptab *ep, *match; void *arg; int matchprio, ret; @@ -220,6 +338,20 @@ } #ifdef INET +const struct srcaddrtab * +ip_encap_register_srcaddr(encap_srcaddr_t func, void *arg, int mflags) +{ + + return (encap_register_srcaddr(&ipv4_srcaddrtab, func, arg, mflags)); +} + +int +ip_encap_unregister_srcaddr(const struct srcaddrtab *cookie) +{ + + return (encap_unregister_srcaddr(&ipv4_srcaddrtab, cookie)); +} + const struct encaptab * ip_encap_attach(const struct encap_config *cfg, void *arg, int mflags) { @@ -245,6 +377,20 @@ #endif /* INET */ #ifdef INET6 +const struct srcaddrtab * +ip6_encap_register_srcaddr(encap_srcaddr_t func, void *arg, int mflags) +{ + + return (encap_register_srcaddr(&ipv6_srcaddrtab, func, arg, mflags)); +} + +int +ip6_encap_unregister_srcaddr(const struct srcaddrtab *cookie) +{ + + return (encap_unregister_srcaddr(&ipv6_srcaddrtab, cookie)); +} + const struct encaptab * ip6_encap_attach(const struct encap_config *cfg, void *arg, int mflags) { Index: sys/netinet6/in6_gif.c =================================================================== --- sys/netinet6/in6_gif.c +++ sys/netinet6/in6_gif.c @@ -87,12 +87,16 @@ * Interfaces with GIF_IGNORE_SOURCE flag are linked into plain list. */ VNET_DEFINE_STATIC(struct gif_list *, ipv6_hashtbl) = NULL; +VNET_DEFINE_STATIC(struct gif_list *, ipv6_srchashtbl) = NULL; VNET_DEFINE_STATIC(struct gif_list, ipv6_list) = CK_LIST_HEAD_INITIALIZER(); #define V_ipv6_hashtbl VNET(ipv6_hashtbl) +#define V_ipv6_srchashtbl VNET(ipv6_srchashtbl) #define V_ipv6_list VNET(ipv6_list) #define GIF_HASH(src, dst) (V_ipv6_hashtbl[\ in6_gif_hashval((src), (dst)) & (GIF_HASH_SIZE - 1)]) +#define GIF_SRCHASH(src) (V_ipv6_srchashtbl[\ + fnv_32_buf((src), sizeof(*src), FNV1_32_INIT) & (GIF_HASH_SIZE - 1)]) #define GIF_HASH_SC(sc) GIF_HASH(&(sc)->gif_ip6hdr->ip6_src,\ &(sc)->gif_ip6hdr->ip6_dst) static uint32_t @@ -125,6 +129,43 @@ return (0); } +/* + * Check that ingress address belongs to local host. + */ +static void +in6_gif_set_running(struct gif_softc *sc) +{ + + if (in6_localip(&sc->gif_ip6hdr->ip6_src)) + GIF2IFP(sc)->if_drv_flags |= IFF_DRV_RUNNING; + else + GIF2IFP(sc)->if_drv_flags &= ~IFF_DRV_RUNNING; +} + +/* + * ifaddr_event handler. + * Clear IFF_DRV_RUNNING flag when ingress address disappears to prevent + * source address spoofing. + */ +static void +in6_gif_srcaddr(void *arg __unused, const struct sockaddr *sa, int event) +{ + const struct sockaddr_in6 *sin; + struct gif_softc *sc; + + if (V_ipv6_srchashtbl == NULL) + return; + + MPASS(in_epoch(net_epoch_preempt)); + sin = (const struct sockaddr_in6 *)sa; + CK_LIST_FOREACH(sc, &GIF_SRCHASH(&sin->sin6_addr), srchash) { + if (IN6_ARE_ADDR_EQUAL(&sc->gif_ip6hdr->ip6_src, + &sin->sin6_addr) == 0) + continue; + in6_gif_set_running(sc); + } +} + static void in6_gif_attach(struct gif_softc *sc) { @@ -133,6 +174,9 @@ CK_LIST_INSERT_HEAD(&V_ipv6_list, sc, chain); else CK_LIST_INSERT_HEAD(&GIF_HASH_SC(sc), sc, chain); + + CK_LIST_INSERT_HEAD(&GIF_SRCHASH(&sc->gif_ip6hdr->ip6_src), + sc, srchash); } int @@ -145,6 +189,7 @@ if ((options & GIF_IGNORE_SOURCE) != (sc->gif_options & GIF_IGNORE_SOURCE)) { + CK_LIST_REMOVE(sc, srchash); CK_LIST_REMOVE(sc, chain); sc->gif_options = options; in6_gif_attach(sc); @@ -187,8 +232,10 @@ (error = sa6_embedscope(dst, 0)) != 0) break; - if (V_ipv6_hashtbl == NULL) + if (V_ipv6_hashtbl == NULL) { V_ipv6_hashtbl = gif_hashinit(); + V_ipv6_srchashtbl = gif_hashinit(); + } error = in6_gif_checkdup(sc, &src->sin6_addr, &dst->sin6_addr); if (error == EADDRNOTAVAIL) @@ -204,6 +251,7 @@ ip6->ip6_vfc = IPV6_VERSION; if (sc->gif_family != 0) { /* Detach existing tunnel first */ + CK_LIST_REMOVE(sc, srchash); CK_LIST_REMOVE(sc, chain); GIF_WAIT(); free(sc->gif_hdr, M_GIF); @@ -212,6 +260,7 @@ sc->gif_family = AF_INET6; sc->gif_ip6hdr = ip6; in6_gif_attach(sc); + in6_gif_set_running(sc); break; case SIOCGIFPSRCADDR_IN6: case SIOCGIFPDSTADDR_IN6: @@ -365,6 +414,7 @@ return (ret); } +static const struct srcaddrtab *ipv6_srcaddrtab; static struct { const struct encap_config encap; const struct encaptab *cookie; @@ -410,6 +460,9 @@ if (!IS_DEFAULT_VNET(curvnet)) return; + + ipv6_srcaddrtab = ip6_encap_register_srcaddr(in6_gif_srcaddr, + NULL, M_WAITOK); for (i = 0; i < nitems(ipv6_encap_cfg); i++) ipv6_encap_cfg[i].cookie = ip6_encap_attach( &ipv6_encap_cfg[i].encap, NULL, M_WAITOK); @@ -423,7 +476,10 @@ if (IS_DEFAULT_VNET(curvnet)) { for (i = 0; i < nitems(ipv6_encap_cfg); i++) ip6_encap_detach(ipv6_encap_cfg[i].cookie); + ip6_encap_unregister_srcaddr(ipv6_srcaddrtab); } - if (V_ipv6_hashtbl != NULL) + if (V_ipv6_hashtbl != NULL) { gif_hashdestroy(V_ipv6_hashtbl); + gif_hashdestroy(V_ipv6_srchashtbl); + } }