4 * Copyright (c) 2008,2009,2010 Katalix Systems Ltd
6 * This file contains some code of the original L2TPv2 pppol2tp
7 * driver, which has the following copyright:
9 * Authors: Martijn van Oosterhout <kleptog@svana.org>
10 * James Chapman (jchapman@katalix.com)
12 * Michal Ostrowski <mostrows@speakeasy.net>
13 * Arnaldo Carvalho de Melo <acme@xconectiva.com.br>
14 * David S. Miller (davem@redhat.com)
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License version 2 as
18 * published by the Free Software Foundation.
21 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
23 #include <linux/module.h>
24 #include <linux/string.h>
25 #include <linux/list.h>
26 #include <linux/rculist.h>
27 #include <linux/uaccess.h>
29 #include <linux/kernel.h>
30 #include <linux/spinlock.h>
31 #include <linux/kthread.h>
32 #include <linux/sched.h>
33 #include <linux/slab.h>
34 #include <linux/errno.h>
35 #include <linux/jiffies.h>
37 #include <linux/netdevice.h>
38 #include <linux/net.h>
39 #include <linux/inetdevice.h>
40 #include <linux/skbuff.h>
41 #include <linux/init.h>
44 #include <linux/udp.h>
45 #include <linux/l2tp.h>
46 #include <linux/hash.h>
47 #include <linux/sort.h>
48 #include <linux/file.h>
49 #include <linux/nsproxy.h>
50 #include <net/net_namespace.h>
51 #include <net/netns/generic.h>
55 #include <net/udp_tunnel.h>
56 #include <net/inet_common.h>
58 #include <net/protocol.h>
59 #include <net/inet6_connection_sock.h>
60 #include <net/inet_ecn.h>
61 #include <net/ip6_route.h>
62 #include <net/ip6_checksum.h>
64 #include <asm/byteorder.h>
65 #include <linux/atomic.h>
67 #include "l2tp_core.h"
69 #define L2TP_DRV_VERSION "V2.0"
71 /* L2TP header constants */
72 #define L2TP_HDRFLAG_T 0x8000
73 #define L2TP_HDRFLAG_L 0x4000
74 #define L2TP_HDRFLAG_S 0x0800
75 #define L2TP_HDRFLAG_O 0x0200
76 #define L2TP_HDRFLAG_P 0x0100
78 #define L2TP_HDR_VER_MASK 0x000F
79 #define L2TP_HDR_VER_2 0x0002
80 #define L2TP_HDR_VER_3 0x0003
82 /* L2TPv3 default L2-specific sublayer */
83 #define L2TP_SLFLAG_S 0x40000000
84 #define L2TP_SL_SEQ_MASK 0x00ffffff
86 #define L2TP_HDR_SIZE_SEQ 10
87 #define L2TP_HDR_SIZE_NOSEQ 6
89 /* Default trace flags */
90 #define L2TP_DEFAULT_DEBUG_FLAGS 0
92 /* Private data stored for received packets in the skb.
98 unsigned long expires;
101 #define L2TP_SKB_CB(skb) ((struct l2tp_skb_cb *) &skb->cb[sizeof(struct inet_skb_parm)])
103 static atomic_t l2tp_tunnel_count;
104 static atomic_t l2tp_session_count;
105 static struct workqueue_struct *l2tp_wq;
107 /* per-net private data for this module */
108 static unsigned int l2tp_net_id;
110 struct list_head l2tp_tunnel_list;
111 spinlock_t l2tp_tunnel_list_lock;
112 struct hlist_head l2tp_session_hlist[L2TP_HASH_SIZE_2];
113 spinlock_t l2tp_session_hlist_lock;
116 static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel);
118 static inline struct l2tp_tunnel *l2tp_tunnel(struct sock *sk)
120 return sk->sk_user_data;
123 static inline struct l2tp_net *l2tp_pernet(struct net *net)
127 return net_generic(net, l2tp_net_id);
130 /* Tunnel reference counts. Incremented per session that is added to
133 static inline void l2tp_tunnel_inc_refcount_1(struct l2tp_tunnel *tunnel)
135 atomic_inc(&tunnel->ref_count);
138 static inline void l2tp_tunnel_dec_refcount_1(struct l2tp_tunnel *tunnel)
140 if (atomic_dec_and_test(&tunnel->ref_count))
141 l2tp_tunnel_free(tunnel);
143 #ifdef L2TP_REFCNT_DEBUG
144 #define l2tp_tunnel_inc_refcount(_t) \
146 pr_debug("l2tp_tunnel_inc_refcount: %s:%d %s: cnt=%d\n", \
147 __func__, __LINE__, (_t)->name, \
148 atomic_read(&_t->ref_count)); \
149 l2tp_tunnel_inc_refcount_1(_t); \
151 #define l2tp_tunnel_dec_refcount(_t) \
153 pr_debug("l2tp_tunnel_dec_refcount: %s:%d %s: cnt=%d\n", \
154 __func__, __LINE__, (_t)->name, \
155 atomic_read(&_t->ref_count)); \
156 l2tp_tunnel_dec_refcount_1(_t); \
159 #define l2tp_tunnel_inc_refcount(t) l2tp_tunnel_inc_refcount_1(t)
160 #define l2tp_tunnel_dec_refcount(t) l2tp_tunnel_dec_refcount_1(t)
163 /* Session hash global list for L2TPv3.
164 * The session_id SHOULD be random according to RFC3931, but several
165 * L2TP implementations use incrementing session_ids. So we do a real
166 * hash on the session_id, rather than a simple bitmask.
168 static inline struct hlist_head *
169 l2tp_session_id_hash_2(struct l2tp_net *pn, u32 session_id)
171 return &pn->l2tp_session_hlist[hash_32(session_id, L2TP_HASH_BITS_2)];
175 /* Lookup the tunnel socket, possibly involving the fs code if the socket is
176 * owned by userspace. A struct sock returned from this function must be
177 * released using l2tp_tunnel_sock_put once you're done with it.
179 static struct sock *l2tp_tunnel_sock_lookup(struct l2tp_tunnel *tunnel)
182 struct socket *sock = NULL;
183 struct sock *sk = NULL;
188 if (tunnel->fd >= 0) {
189 /* Socket is owned by userspace, who might be in the process
190 * of closing it. Look the socket up using the fd to ensure
193 sock = sockfd_lookup(tunnel->fd, &err);
197 /* Socket is owned by kernelspace */
206 /* Drop a reference to a tunnel socket obtained via. l2tp_tunnel_sock_put */
207 static void l2tp_tunnel_sock_put(struct sock *sk)
209 struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
211 if (tunnel->fd >= 0) {
212 /* Socket is owned by userspace */
213 sockfd_put(sk->sk_socket);
220 /* Lookup a session by id in the global session list
222 static struct l2tp_session *l2tp_session_find_2(struct net *net, u32 session_id)
224 struct l2tp_net *pn = l2tp_pernet(net);
225 struct hlist_head *session_list =
226 l2tp_session_id_hash_2(pn, session_id);
227 struct l2tp_session *session;
230 hlist_for_each_entry_rcu(session, session_list, global_hlist) {
231 if (session->session_id == session_id) {
232 rcu_read_unlock_bh();
236 rcu_read_unlock_bh();
241 /* Session hash list.
242 * The session_id SHOULD be random according to RFC2661, but several
243 * L2TP implementations (Cisco and Microsoft) use incrementing
244 * session_ids. So we do a real hash on the session_id, rather than a
247 static inline struct hlist_head *
248 l2tp_session_id_hash(struct l2tp_tunnel *tunnel, u32 session_id)
250 return &tunnel->session_hlist[hash_32(session_id, L2TP_HASH_BITS)];
253 /* Lookup a session by id
255 struct l2tp_session *l2tp_session_find(struct net *net, struct l2tp_tunnel *tunnel, u32 session_id)
257 struct hlist_head *session_list;
258 struct l2tp_session *session;
260 /* In L2TPv3, session_ids are unique over all tunnels and we
261 * sometimes need to look them up before we know the
265 return l2tp_session_find_2(net, session_id);
267 session_list = l2tp_session_id_hash(tunnel, session_id);
268 read_lock_bh(&tunnel->hlist_lock);
269 hlist_for_each_entry(session, session_list, hlist) {
270 if (session->session_id == session_id) {
271 read_unlock_bh(&tunnel->hlist_lock);
275 read_unlock_bh(&tunnel->hlist_lock);
279 EXPORT_SYMBOL_GPL(l2tp_session_find);
281 struct l2tp_session *l2tp_session_find_nth(struct l2tp_tunnel *tunnel, int nth)
284 struct l2tp_session *session;
287 read_lock_bh(&tunnel->hlist_lock);
288 for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
289 hlist_for_each_entry(session, &tunnel->session_hlist[hash], hlist) {
291 read_unlock_bh(&tunnel->hlist_lock);
297 read_unlock_bh(&tunnel->hlist_lock);
301 EXPORT_SYMBOL_GPL(l2tp_session_find_nth);
303 /* Lookup a session by interface name.
304 * This is very inefficient but is only used by management interfaces.
306 struct l2tp_session *l2tp_session_find_by_ifname(struct net *net, char *ifname)
308 struct l2tp_net *pn = l2tp_pernet(net);
310 struct l2tp_session *session;
313 for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++) {
314 hlist_for_each_entry_rcu(session, &pn->l2tp_session_hlist[hash], global_hlist) {
315 if (!strcmp(session->ifname, ifname)) {
316 rcu_read_unlock_bh();
322 rcu_read_unlock_bh();
326 EXPORT_SYMBOL_GPL(l2tp_session_find_by_ifname);
328 /* Lookup a tunnel by id
330 struct l2tp_tunnel *l2tp_tunnel_find(struct net *net, u32 tunnel_id)
332 struct l2tp_tunnel *tunnel;
333 struct l2tp_net *pn = l2tp_pernet(net);
336 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
337 if (tunnel->tunnel_id == tunnel_id) {
338 rcu_read_unlock_bh();
342 rcu_read_unlock_bh();
346 EXPORT_SYMBOL_GPL(l2tp_tunnel_find);
348 struct l2tp_tunnel *l2tp_tunnel_find_nth(struct net *net, int nth)
350 struct l2tp_net *pn = l2tp_pernet(net);
351 struct l2tp_tunnel *tunnel;
355 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
357 rcu_read_unlock_bh();
362 rcu_read_unlock_bh();
366 EXPORT_SYMBOL_GPL(l2tp_tunnel_find_nth);
368 /*****************************************************************************
369 * Receive data handling
370 *****************************************************************************/
372 /* Queue a skb in order. We come here only if the skb has an L2TP sequence
375 static void l2tp_recv_queue_skb(struct l2tp_session *session, struct sk_buff *skb)
377 struct sk_buff *skbp;
379 u32 ns = L2TP_SKB_CB(skb)->ns;
381 spin_lock_bh(&session->reorder_q.lock);
382 skb_queue_walk_safe(&session->reorder_q, skbp, tmp) {
383 if (L2TP_SKB_CB(skbp)->ns > ns) {
384 __skb_queue_before(&session->reorder_q, skbp, skb);
385 l2tp_dbg(session, L2TP_MSG_SEQ,
386 "%s: pkt %hu, inserted before %hu, reorder_q len=%d\n",
387 session->name, ns, L2TP_SKB_CB(skbp)->ns,
388 skb_queue_len(&session->reorder_q));
389 atomic_long_inc(&session->stats.rx_oos_packets);
394 __skb_queue_tail(&session->reorder_q, skb);
397 spin_unlock_bh(&session->reorder_q.lock);
400 /* Dequeue a single skb.
402 static void l2tp_recv_dequeue_skb(struct l2tp_session *session, struct sk_buff *skb)
404 struct l2tp_tunnel *tunnel = session->tunnel;
405 int length = L2TP_SKB_CB(skb)->length;
407 /* We're about to requeue the skb, so return resources
408 * to its current owner (a socket receive buffer).
412 atomic_long_inc(&tunnel->stats.rx_packets);
413 atomic_long_add(length, &tunnel->stats.rx_bytes);
414 atomic_long_inc(&session->stats.rx_packets);
415 atomic_long_add(length, &session->stats.rx_bytes);
417 if (L2TP_SKB_CB(skb)->has_seq) {
420 session->nr &= session->nr_max;
422 l2tp_dbg(session, L2TP_MSG_SEQ, "%s: updated nr to %hu\n",
423 session->name, session->nr);
426 /* call private receive handler */
427 if (session->recv_skb != NULL)
428 (*session->recv_skb)(session, skb, L2TP_SKB_CB(skb)->length);
433 (*session->deref)(session);
436 /* Dequeue skbs from the session's reorder_q, subject to packet order.
437 * Skbs that have been in the queue for too long are simply discarded.
439 static void l2tp_recv_dequeue(struct l2tp_session *session)
444 /* If the pkt at the head of the queue has the nr that we
445 * expect to send up next, dequeue it and any other
446 * in-sequence packets behind it.
449 spin_lock_bh(&session->reorder_q.lock);
450 skb_queue_walk_safe(&session->reorder_q, skb, tmp) {
451 if (time_after(jiffies, L2TP_SKB_CB(skb)->expires)) {
452 atomic_long_inc(&session->stats.rx_seq_discards);
453 atomic_long_inc(&session->stats.rx_errors);
454 l2tp_dbg(session, L2TP_MSG_SEQ,
455 "%s: oos pkt %u len %d discarded (too old), waiting for %u, reorder_q_len=%d\n",
456 session->name, L2TP_SKB_CB(skb)->ns,
457 L2TP_SKB_CB(skb)->length, session->nr,
458 skb_queue_len(&session->reorder_q));
459 session->reorder_skip = 1;
460 __skb_unlink(skb, &session->reorder_q);
463 (*session->deref)(session);
467 if (L2TP_SKB_CB(skb)->has_seq) {
468 if (session->reorder_skip) {
469 l2tp_dbg(session, L2TP_MSG_SEQ,
470 "%s: advancing nr to next pkt: %u -> %u",
471 session->name, session->nr,
472 L2TP_SKB_CB(skb)->ns);
473 session->reorder_skip = 0;
474 session->nr = L2TP_SKB_CB(skb)->ns;
476 if (L2TP_SKB_CB(skb)->ns != session->nr) {
477 l2tp_dbg(session, L2TP_MSG_SEQ,
478 "%s: holding oos pkt %u len %d, waiting for %u, reorder_q_len=%d\n",
479 session->name, L2TP_SKB_CB(skb)->ns,
480 L2TP_SKB_CB(skb)->length, session->nr,
481 skb_queue_len(&session->reorder_q));
485 __skb_unlink(skb, &session->reorder_q);
487 /* Process the skb. We release the queue lock while we
488 * do so to let other contexts process the queue.
490 spin_unlock_bh(&session->reorder_q.lock);
491 l2tp_recv_dequeue_skb(session, skb);
496 spin_unlock_bh(&session->reorder_q.lock);
499 static int l2tp_seq_check_rx_window(struct l2tp_session *session, u32 nr)
503 if (nr >= session->nr)
504 nws = nr - session->nr;
506 nws = (session->nr_max + 1) - (session->nr - nr);
508 return nws < session->nr_window_size;
511 /* If packet has sequence numbers, queue it if acceptable. Returns 0 if
512 * acceptable, else non-zero.
514 static int l2tp_recv_data_seq(struct l2tp_session *session, struct sk_buff *skb)
516 if (!l2tp_seq_check_rx_window(session, L2TP_SKB_CB(skb)->ns)) {
517 /* Packet sequence number is outside allowed window.
520 l2tp_dbg(session, L2TP_MSG_SEQ,
521 "%s: pkt %u len %d discarded, outside window, nr=%u\n",
522 session->name, L2TP_SKB_CB(skb)->ns,
523 L2TP_SKB_CB(skb)->length, session->nr);
527 if (session->reorder_timeout != 0) {
528 /* Packet reordering enabled. Add skb to session's
529 * reorder queue, in order of ns.
531 l2tp_recv_queue_skb(session, skb);
535 /* Packet reordering disabled. Discard out-of-sequence packets, while
536 * tracking the number if in-sequence packets after the first OOS packet
537 * is seen. After nr_oos_count_max in-sequence packets, reset the
538 * sequence number to re-enable packet reception.
540 if (L2TP_SKB_CB(skb)->ns == session->nr) {
541 skb_queue_tail(&session->reorder_q, skb);
543 u32 nr_oos = L2TP_SKB_CB(skb)->ns;
544 u32 nr_next = (session->nr_oos + 1) & session->nr_max;
546 if (nr_oos == nr_next)
547 session->nr_oos_count++;
549 session->nr_oos_count = 0;
551 session->nr_oos = nr_oos;
552 if (session->nr_oos_count > session->nr_oos_count_max) {
553 session->reorder_skip = 1;
554 l2tp_dbg(session, L2TP_MSG_SEQ,
555 "%s: %d oos packets received. Resetting sequence numbers\n",
556 session->name, session->nr_oos_count);
558 if (!session->reorder_skip) {
559 atomic_long_inc(&session->stats.rx_seq_discards);
560 l2tp_dbg(session, L2TP_MSG_SEQ,
561 "%s: oos pkt %u len %d discarded, waiting for %u, reorder_q_len=%d\n",
562 session->name, L2TP_SKB_CB(skb)->ns,
563 L2TP_SKB_CB(skb)->length, session->nr,
564 skb_queue_len(&session->reorder_q));
567 skb_queue_tail(&session->reorder_q, skb);
577 /* Do receive processing of L2TP data frames. We handle both L2TPv2
578 * and L2TPv3 data frames here.
580 * L2TPv2 Data Message Header
583 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
584 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
585 * |T|L|x|x|S|x|O|P|x|x|x|x| Ver | Length (opt) |
586 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
587 * | Tunnel ID | Session ID |
588 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
589 * | Ns (opt) | Nr (opt) |
590 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
591 * | Offset Size (opt) | Offset pad... (opt)
592 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
594 * Data frames are marked by T=0. All other fields are the same as
595 * those in L2TP control frames.
597 * L2TPv3 Data Message Header
599 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
600 * | L2TP Session Header |
601 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
602 * | L2-Specific Sublayer |
603 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
604 * | Tunnel Payload ...
605 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
607 * L2TPv3 Session Header Over IP
610 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
611 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
613 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
614 * | Cookie (optional, maximum 64 bits)...
615 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
617 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
619 * L2TPv3 L2-Specific Sublayer Format
622 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
623 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
624 * |x|S|x|x|x|x|x|x| Sequence Number |
625 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
627 * Cookie value, sublayer format and offset (pad) are negotiated with
628 * the peer when the session is set up. Unlike L2TPv2, we do not need
629 * to parse the packet header to determine if optional fields are
632 * Caller must already have parsed the frame and determined that it is
633 * a data (not control) frame before coming here. Fields up to the
634 * session-id have already been parsed and ptr points to the data
635 * after the session-id.
637 void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
638 unsigned char *ptr, unsigned char *optr, u16 hdrflags,
639 int length, int (*payload_hook)(struct sk_buff *skb))
641 struct l2tp_tunnel *tunnel = session->tunnel;
645 /* The ref count is increased since we now hold a pointer to
646 * the session. Take care to decrement the refcnt when exiting
647 * this function from now on...
649 l2tp_session_inc_refcount(session);
651 (*session->ref)(session);
653 /* Parse and check optional cookie */
654 if (session->peer_cookie_len > 0) {
655 if (memcmp(ptr, &session->peer_cookie[0], session->peer_cookie_len)) {
656 l2tp_info(tunnel, L2TP_MSG_DATA,
657 "%s: cookie mismatch (%u/%u). Discarding.\n",
658 tunnel->name, tunnel->tunnel_id,
659 session->session_id);
660 atomic_long_inc(&session->stats.rx_cookie_discards);
663 ptr += session->peer_cookie_len;
666 /* Handle the optional sequence numbers. Sequence numbers are
667 * in different places for L2TPv2 and L2TPv3.
669 * If we are the LAC, enable/disable sequence numbers under
670 * the control of the LNS. If no sequence numbers present but
671 * we were expecting them, discard frame.
674 L2TP_SKB_CB(skb)->has_seq = 0;
675 if (tunnel->version == L2TP_HDR_VER_2) {
676 if (hdrflags & L2TP_HDRFLAG_S) {
677 ns = ntohs(*(__be16 *) ptr);
679 nr = ntohs(*(__be16 *) ptr);
682 /* Store L2TP info in the skb */
683 L2TP_SKB_CB(skb)->ns = ns;
684 L2TP_SKB_CB(skb)->has_seq = 1;
686 l2tp_dbg(session, L2TP_MSG_SEQ,
687 "%s: recv data ns=%u, nr=%u, session nr=%u\n",
688 session->name, ns, nr, session->nr);
690 } else if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
691 u32 l2h = ntohl(*(__be32 *) ptr);
693 if (l2h & 0x40000000) {
694 ns = l2h & 0x00ffffff;
696 /* Store L2TP info in the skb */
697 L2TP_SKB_CB(skb)->ns = ns;
698 L2TP_SKB_CB(skb)->has_seq = 1;
700 l2tp_dbg(session, L2TP_MSG_SEQ,
701 "%s: recv data ns=%u, session nr=%u\n",
702 session->name, ns, session->nr);
706 /* Advance past L2-specific header, if present */
707 ptr += session->l2specific_len;
709 if (L2TP_SKB_CB(skb)->has_seq) {
710 /* Received a packet with sequence numbers. If we're the LNS,
711 * check if we sre sending sequence numbers and if not,
714 if ((!session->lns_mode) && (!session->send_seq)) {
715 l2tp_info(session, L2TP_MSG_SEQ,
716 "%s: requested to enable seq numbers by LNS\n",
718 session->send_seq = -1;
719 l2tp_session_set_header_len(session, tunnel->version);
722 /* No sequence numbers.
723 * If user has configured mandatory sequence numbers, discard.
725 if (session->recv_seq) {
726 l2tp_warn(session, L2TP_MSG_SEQ,
727 "%s: recv data has no seq numbers when required. Discarding.\n",
729 atomic_long_inc(&session->stats.rx_seq_discards);
733 /* If we're the LAC and we're sending sequence numbers, the
734 * LNS has requested that we no longer send sequence numbers.
735 * If we're the LNS and we're sending sequence numbers, the
736 * LAC is broken. Discard the frame.
738 if ((!session->lns_mode) && (session->send_seq)) {
739 l2tp_info(session, L2TP_MSG_SEQ,
740 "%s: requested to disable seq numbers by LNS\n",
742 session->send_seq = 0;
743 l2tp_session_set_header_len(session, tunnel->version);
744 } else if (session->send_seq) {
745 l2tp_warn(session, L2TP_MSG_SEQ,
746 "%s: recv data has no seq numbers when required. Discarding.\n",
748 atomic_long_inc(&session->stats.rx_seq_discards);
753 /* Session data offset is handled differently for L2TPv2 and
754 * L2TPv3. For L2TPv2, there is an optional 16-bit value in
755 * the header. For L2TPv3, the offset is negotiated using AVPs
756 * in the session setup control protocol.
758 if (tunnel->version == L2TP_HDR_VER_2) {
759 /* If offset bit set, skip it. */
760 if (hdrflags & L2TP_HDRFLAG_O) {
761 offset = ntohs(*(__be16 *)ptr);
765 ptr += session->offset;
768 if (!pskb_may_pull(skb, offset))
771 __skb_pull(skb, offset);
773 /* If caller wants to process the payload before we queue the
777 if ((*payload_hook)(skb))
780 /* Prepare skb for adding to the session's reorder_q. Hold
781 * packets for max reorder_timeout or 1 second if not
784 L2TP_SKB_CB(skb)->length = length;
785 L2TP_SKB_CB(skb)->expires = jiffies +
786 (session->reorder_timeout ? session->reorder_timeout : HZ);
788 /* Add packet to the session's receive queue. Reordering is done here, if
789 * enabled. Saved L2TP protocol info is stored in skb->sb[].
791 if (L2TP_SKB_CB(skb)->has_seq) {
792 if (l2tp_recv_data_seq(session, skb))
795 /* No sequence numbers. Add the skb to the tail of the
796 * reorder queue. This ensures that it will be
797 * delivered after all previous sequenced skbs.
799 skb_queue_tail(&session->reorder_q, skb);
802 /* Try to dequeue as many skbs from reorder_q as we can. */
803 l2tp_recv_dequeue(session);
805 l2tp_session_dec_refcount(session);
810 atomic_long_inc(&session->stats.rx_errors);
814 (*session->deref)(session);
816 l2tp_session_dec_refcount(session);
818 EXPORT_SYMBOL(l2tp_recv_common);
820 /* Drop skbs from the session's reorder_q
822 int l2tp_session_queue_purge(struct l2tp_session *session)
824 struct sk_buff *skb = NULL;
826 BUG_ON(session->magic != L2TP_SESSION_MAGIC);
827 while ((skb = skb_dequeue(&session->reorder_q))) {
828 atomic_long_inc(&session->stats.rx_errors);
831 (*session->deref)(session);
835 EXPORT_SYMBOL_GPL(l2tp_session_queue_purge);
837 /* Internal UDP receive frame. Do the real work of receiving an L2TP data frame
838 * here. The skb is not on a list when we get here.
839 * Returns 0 if the packet was a data packet and was successfully passed on.
840 * Returns 1 if the packet was not a good data packet and could not be
841 * forwarded. All such packets are passed up to userspace to deal with.
843 static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb,
844 int (*payload_hook)(struct sk_buff *skb))
846 struct l2tp_session *session = NULL;
847 unsigned char *ptr, *optr;
849 u32 tunnel_id, session_id;
853 /* UDP has verifed checksum */
855 /* UDP always verifies the packet length. */
856 __skb_pull(skb, sizeof(struct udphdr));
859 if (!pskb_may_pull(skb, L2TP_HDR_SIZE_SEQ)) {
860 l2tp_info(tunnel, L2TP_MSG_DATA,
861 "%s: recv short packet (len=%d)\n",
862 tunnel->name, skb->len);
866 /* Trace packet contents, if enabled */
867 if (tunnel->debug & L2TP_MSG_DATA) {
868 length = min(32u, skb->len);
869 if (!pskb_may_pull(skb, length))
872 pr_debug("%s: recv\n", tunnel->name);
873 print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, skb->data, length);
876 /* Point to L2TP header */
877 optr = ptr = skb->data;
879 /* Get L2TP header flags */
880 hdrflags = ntohs(*(__be16 *) ptr);
882 /* Check protocol version */
883 version = hdrflags & L2TP_HDR_VER_MASK;
884 if (version != tunnel->version) {
885 l2tp_info(tunnel, L2TP_MSG_DATA,
886 "%s: recv protocol version mismatch: got %d expected %d\n",
887 tunnel->name, version, tunnel->version);
891 /* Get length of L2TP packet */
894 /* If type is control packet, it is handled by userspace. */
895 if (hdrflags & L2TP_HDRFLAG_T) {
896 l2tp_dbg(tunnel, L2TP_MSG_DATA,
897 "%s: recv control packet, len=%d\n",
898 tunnel->name, length);
905 if (tunnel->version == L2TP_HDR_VER_2) {
906 /* If length is present, skip it */
907 if (hdrflags & L2TP_HDRFLAG_L)
910 /* Extract tunnel and session ID */
911 tunnel_id = ntohs(*(__be16 *) ptr);
913 session_id = ntohs(*(__be16 *) ptr);
916 ptr += 2; /* skip reserved bits */
917 tunnel_id = tunnel->tunnel_id;
918 session_id = ntohl(*(__be32 *) ptr);
922 /* Find the session context */
923 session = l2tp_session_find(tunnel->l2tp_net, tunnel, session_id);
924 if (!session || !session->recv_skb) {
925 /* Not found? Pass to userspace to deal with */
926 l2tp_info(tunnel, L2TP_MSG_DATA,
927 "%s: no session found (%u/%u). Passing up.\n",
928 tunnel->name, tunnel_id, session_id);
932 l2tp_recv_common(session, skb, ptr, optr, hdrflags, length, payload_hook);
937 /* Put UDP header back */
938 __skb_push(skb, sizeof(struct udphdr));
943 /* UDP encapsulation receive handler. See net/ipv4/udp.c.
947 * >0: skb should be passed up to userspace as UDP.
949 int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
951 struct l2tp_tunnel *tunnel;
953 tunnel = l2tp_sock_to_tunnel(sk);
957 l2tp_dbg(tunnel, L2TP_MSG_DATA, "%s: received %d bytes\n",
958 tunnel->name, skb->len);
960 if (l2tp_udp_recv_core(tunnel, skb, tunnel->recv_payload_hook))
971 EXPORT_SYMBOL_GPL(l2tp_udp_encap_recv);
973 /************************************************************************
975 ***********************************************************************/
977 /* Build an L2TP header for the session into the buffer provided.
979 static int l2tp_build_l2tpv2_header(struct l2tp_session *session, void *buf)
981 struct l2tp_tunnel *tunnel = session->tunnel;
984 u16 flags = L2TP_HDR_VER_2;
985 u32 tunnel_id = tunnel->peer_tunnel_id;
986 u32 session_id = session->peer_session_id;
988 if (session->send_seq)
989 flags |= L2TP_HDRFLAG_S;
991 /* Setup L2TP header. */
992 *bufp++ = htons(flags);
993 *bufp++ = htons(tunnel_id);
994 *bufp++ = htons(session_id);
995 if (session->send_seq) {
996 *bufp++ = htons(session->ns);
999 session->ns &= 0xffff;
1000 l2tp_dbg(session, L2TP_MSG_SEQ, "%s: updated ns to %u\n",
1001 session->name, session->ns);
1007 static int l2tp_build_l2tpv3_header(struct l2tp_session *session, void *buf)
1009 struct l2tp_tunnel *tunnel = session->tunnel;
1013 /* Setup L2TP header. The header differs slightly for UDP and
1014 * IP encapsulations. For UDP, there is 4 bytes of flags.
1016 if (tunnel->encap == L2TP_ENCAPTYPE_UDP) {
1017 u16 flags = L2TP_HDR_VER_3;
1018 *((__be16 *) bufp) = htons(flags);
1020 *((__be16 *) bufp) = 0;
1024 *((__be32 *) bufp) = htonl(session->peer_session_id);
1026 if (session->cookie_len) {
1027 memcpy(bufp, &session->cookie[0], session->cookie_len);
1028 bufp += session->cookie_len;
1030 if (session->l2specific_len) {
1031 if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
1033 if (session->send_seq) {
1034 l2h = 0x40000000 | session->ns;
1036 session->ns &= 0xffffff;
1037 l2tp_dbg(session, L2TP_MSG_SEQ,
1038 "%s: updated ns to %u\n",
1039 session->name, session->ns);
1042 *((__be32 *) bufp) = htonl(l2h);
1044 bufp += session->l2specific_len;
1046 if (session->offset)
1047 bufp += session->offset;
1052 static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb,
1053 struct flowi *fl, size_t data_len)
1055 struct l2tp_tunnel *tunnel = session->tunnel;
1056 unsigned int len = skb->len;
1060 if (session->send_seq)
1061 l2tp_dbg(session, L2TP_MSG_DATA, "%s: send %Zd bytes, ns=%u\n",
1062 session->name, data_len, session->ns - 1);
1064 l2tp_dbg(session, L2TP_MSG_DATA, "%s: send %Zd bytes\n",
1065 session->name, data_len);
1067 if (session->debug & L2TP_MSG_DATA) {
1068 int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
1069 unsigned char *datap = skb->data + uhlen;
1071 pr_debug("%s: xmit\n", session->name);
1072 print_hex_dump_bytes("", DUMP_PREFIX_OFFSET,
1073 datap, min_t(size_t, 32, len - uhlen));
1076 /* Queue the packet to IP for output */
1078 #if IS_ENABLED(CONFIG_IPV6)
1079 if (tunnel->sock->sk_family == PF_INET6 && !tunnel->v4mapped)
1080 error = inet6_csk_xmit(tunnel->sock, skb, NULL);
1083 error = ip_queue_xmit(tunnel->sock, skb, fl);
1087 atomic_long_inc(&tunnel->stats.tx_packets);
1088 atomic_long_add(len, &tunnel->stats.tx_bytes);
1089 atomic_long_inc(&session->stats.tx_packets);
1090 atomic_long_add(len, &session->stats.tx_bytes);
1092 atomic_long_inc(&tunnel->stats.tx_errors);
1093 atomic_long_inc(&session->stats.tx_errors);
1099 /* If caller requires the skb to have a ppp header, the header must be
1100 * inserted in the skb data before calling this function.
1102 int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len)
1104 int data_len = skb->len;
1105 struct l2tp_tunnel *tunnel = session->tunnel;
1106 struct sock *sk = tunnel->sock;
1109 struct inet_sock *inet;
1111 int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
1113 int ret = NET_XMIT_SUCCESS;
1115 /* Check that there's enough headroom in the skb to insert IP,
1116 * UDP and L2TP headers. If not enough, expand it to
1117 * make room. Adjust truesize.
1119 headroom = NET_SKB_PAD + sizeof(struct iphdr) +
1121 if (skb_cow_head(skb, headroom)) {
1123 return NET_XMIT_DROP;
1126 /* Setup L2TP header */
1127 session->build_header(session, __skb_push(skb, hdr_len));
1129 /* Reset skb netfilter state */
1130 memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
1131 IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
1136 if (sock_owned_by_user(sk)) {
1138 ret = NET_XMIT_DROP;
1142 /* Get routing info from the tunnel socket */
1144 skb_dst_set(skb, dst_clone(__sk_dst_check(sk, 0)));
1147 fl = &inet->cork.fl;
1148 switch (tunnel->encap) {
1149 case L2TP_ENCAPTYPE_UDP:
1150 /* Setup UDP header */
1151 __skb_push(skb, sizeof(*uh));
1152 skb_reset_transport_header(skb);
1154 uh->source = inet->inet_sport;
1155 uh->dest = inet->inet_dport;
1156 udp_len = uhlen + hdr_len + data_len;
1157 uh->len = htons(udp_len);
1159 /* Calculate UDP checksum if configured to do so */
1160 #if IS_ENABLED(CONFIG_IPV6)
1161 if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
1162 udp6_set_csum(udp_get_no_check6_tx(sk),
1163 skb, &inet6_sk(sk)->saddr,
1164 &sk->sk_v6_daddr, udp_len);
1167 udp_set_csum(sk->sk_no_check_tx, skb, inet->inet_saddr,
1168 inet->inet_daddr, udp_len);
1171 case L2TP_ENCAPTYPE_IP:
1175 l2tp_xmit_core(session, skb, fl, data_len);
1181 EXPORT_SYMBOL_GPL(l2tp_xmit_skb);
1183 /*****************************************************************************
1184 * Tinnel and session create/destroy.
1185 *****************************************************************************/
1187 /* Tunnel socket destruct hook.
1188 * The tunnel context is deleted only when all session sockets have been
1191 static void l2tp_tunnel_destruct(struct sock *sk)
1193 struct l2tp_tunnel *tunnel = l2tp_tunnel(sk);
1194 struct l2tp_net *pn;
1199 l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: closing...\n", tunnel->name);
1202 /* Disable udp encapsulation */
1203 switch (tunnel->encap) {
1204 case L2TP_ENCAPTYPE_UDP:
1205 /* No longer an encapsulation socket. See net/ipv4/udp.c */
1206 (udp_sk(sk))->encap_type = 0;
1207 (udp_sk(sk))->encap_rcv = NULL;
1208 (udp_sk(sk))->encap_destroy = NULL;
1210 case L2TP_ENCAPTYPE_IP:
1214 /* Remove hooks into tunnel socket */
1215 sk->sk_destruct = tunnel->old_sk_destruct;
1216 sk->sk_user_data = NULL;
1217 tunnel->sock = NULL;
1219 /* Remove the tunnel struct from the tunnel list */
1220 pn = l2tp_pernet(tunnel->l2tp_net);
1221 spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1222 list_del_rcu(&tunnel->list);
1223 spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1224 atomic_dec(&l2tp_tunnel_count);
1226 l2tp_tunnel_closeall(tunnel);
1227 l2tp_tunnel_dec_refcount(tunnel);
1229 /* Call the original destructor */
1230 if (sk->sk_destruct)
1231 (*sk->sk_destruct)(sk);
1236 /* When the tunnel is closed, all the attached sessions need to go too.
1238 void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel)
1241 struct hlist_node *walk;
1242 struct hlist_node *tmp;
1243 struct l2tp_session *session;
1245 BUG_ON(tunnel == NULL);
1247 l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: closing all sessions...\n",
1250 write_lock_bh(&tunnel->hlist_lock);
1251 for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
1253 hlist_for_each_safe(walk, tmp, &tunnel->session_hlist[hash]) {
1254 session = hlist_entry(walk, struct l2tp_session, hlist);
1256 l2tp_info(session, L2TP_MSG_CONTROL,
1257 "%s: closing session\n", session->name);
1259 hlist_del_init(&session->hlist);
1261 if (session->ref != NULL)
1262 (*session->ref)(session);
1264 write_unlock_bh(&tunnel->hlist_lock);
1266 __l2tp_session_unhash(session);
1267 l2tp_session_queue_purge(session);
1269 if (session->session_close != NULL)
1270 (*session->session_close)(session);
1272 if (session->deref != NULL)
1273 (*session->deref)(session);
1275 l2tp_session_dec_refcount(session);
1277 write_lock_bh(&tunnel->hlist_lock);
1279 /* Now restart from the beginning of this hash
1280 * chain. We always remove a session from the
1281 * list so we are guaranteed to make forward
1287 write_unlock_bh(&tunnel->hlist_lock);
1289 EXPORT_SYMBOL_GPL(l2tp_tunnel_closeall);
1291 /* Tunnel socket destroy hook for UDP encapsulation */
1292 static void l2tp_udp_encap_destroy(struct sock *sk)
1294 struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
1296 l2tp_tunnel_closeall(tunnel);
1301 /* Really kill the tunnel.
1302 * Come here only when all sessions have been cleared from the tunnel.
1304 static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel)
1306 BUG_ON(atomic_read(&tunnel->ref_count) != 0);
1307 BUG_ON(tunnel->sock != NULL);
1308 l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: free...\n", tunnel->name);
1309 kfree_rcu(tunnel, rcu);
1312 /* Workqueue tunnel deletion function */
1313 static void l2tp_tunnel_del_work(struct work_struct *work)
1315 struct l2tp_tunnel *tunnel = NULL;
1316 struct socket *sock = NULL;
1317 struct sock *sk = NULL;
1319 tunnel = container_of(work, struct l2tp_tunnel, del_work);
1320 sk = l2tp_tunnel_sock_lookup(tunnel);
1324 sock = sk->sk_socket;
1326 /* If the tunnel socket was created by userspace, then go through the
1327 * inet layer to shut the socket down, and let userspace close it.
1328 * Otherwise, if we created the socket directly within the kernel, use
1329 * the sk API to release it here.
1330 * In either case the tunnel resources are freed in the socket
1331 * destructor when the tunnel socket goes away.
1333 if (tunnel->fd >= 0) {
1335 inet_shutdown(sock, 2);
1338 kernel_sock_shutdown(sock, SHUT_RDWR);
1339 sk_release_kernel(sk);
1342 l2tp_tunnel_sock_put(sk);
1345 /* Create a socket for the tunnel, if one isn't set up by
1346 * userspace. This is used for static tunnels where there is no
1347 * managing L2TP daemon.
1349 * Since we don't want these sockets to keep a namespace alive by
1350 * themselves, we drop the socket's namespace refcount after creation.
1351 * These sockets are freed when the namespace exits using the pernet
1354 static int l2tp_tunnel_sock_create(struct net *net,
1357 struct l2tp_tunnel_cfg *cfg,
1358 struct socket **sockp)
1361 struct socket *sock = NULL;
1362 struct udp_port_cfg udp_conf;
1364 switch (cfg->encap) {
1365 case L2TP_ENCAPTYPE_UDP:
1366 memset(&udp_conf, 0, sizeof(udp_conf));
1368 #if IS_ENABLED(CONFIG_IPV6)
1369 if (cfg->local_ip6 && cfg->peer_ip6) {
1370 udp_conf.family = AF_INET6;
1371 memcpy(&udp_conf.local_ip6, cfg->local_ip6,
1372 sizeof(udp_conf.local_ip6));
1373 memcpy(&udp_conf.peer_ip6, cfg->peer_ip6,
1374 sizeof(udp_conf.peer_ip6));
1375 udp_conf.use_udp6_tx_checksums =
1376 cfg->udp6_zero_tx_checksums;
1377 udp_conf.use_udp6_rx_checksums =
1378 cfg->udp6_zero_rx_checksums;
1382 udp_conf.family = AF_INET;
1383 udp_conf.local_ip = cfg->local_ip;
1384 udp_conf.peer_ip = cfg->peer_ip;
1385 udp_conf.use_udp_checksums = cfg->use_udp_checksums;
1388 udp_conf.local_udp_port = htons(cfg->local_udp_port);
1389 udp_conf.peer_udp_port = htons(cfg->peer_udp_port);
1391 err = udp_sock_create(net, &udp_conf, &sock);
1397 case L2TP_ENCAPTYPE_IP:
1398 #if IS_ENABLED(CONFIG_IPV6)
1399 if (cfg->local_ip6 && cfg->peer_ip6) {
1400 struct sockaddr_l2tpip6 ip6_addr = {0};
1402 err = sock_create_kern(AF_INET6, SOCK_DGRAM,
1403 IPPROTO_L2TP, &sock);
1407 sk_change_net(sock->sk, net);
1409 ip6_addr.l2tp_family = AF_INET6;
1410 memcpy(&ip6_addr.l2tp_addr, cfg->local_ip6,
1411 sizeof(ip6_addr.l2tp_addr));
1412 ip6_addr.l2tp_conn_id = tunnel_id;
1413 err = kernel_bind(sock, (struct sockaddr *) &ip6_addr,
1418 ip6_addr.l2tp_family = AF_INET6;
1419 memcpy(&ip6_addr.l2tp_addr, cfg->peer_ip6,
1420 sizeof(ip6_addr.l2tp_addr));
1421 ip6_addr.l2tp_conn_id = peer_tunnel_id;
1422 err = kernel_connect(sock,
1423 (struct sockaddr *) &ip6_addr,
1424 sizeof(ip6_addr), 0);
1430 struct sockaddr_l2tpip ip_addr = {0};
1432 err = sock_create_kern(AF_INET, SOCK_DGRAM,
1433 IPPROTO_L2TP, &sock);
1437 sk_change_net(sock->sk, net);
1439 ip_addr.l2tp_family = AF_INET;
1440 ip_addr.l2tp_addr = cfg->local_ip;
1441 ip_addr.l2tp_conn_id = tunnel_id;
1442 err = kernel_bind(sock, (struct sockaddr *) &ip_addr,
1447 ip_addr.l2tp_family = AF_INET;
1448 ip_addr.l2tp_addr = cfg->peer_ip;
1449 ip_addr.l2tp_conn_id = peer_tunnel_id;
1450 err = kernel_connect(sock, (struct sockaddr *) &ip_addr,
1451 sizeof(ip_addr), 0);
1463 if ((err < 0) && sock) {
1464 kernel_sock_shutdown(sock, SHUT_RDWR);
1465 sk_release_kernel(sock->sk);
1472 static struct lock_class_key l2tp_socket_class;
1474 int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp)
1476 struct l2tp_tunnel *tunnel = NULL;
1478 struct socket *sock = NULL;
1479 struct sock *sk = NULL;
1480 struct l2tp_net *pn;
1481 enum l2tp_encap_type encap = L2TP_ENCAPTYPE_UDP;
1483 /* Get the tunnel socket from the fd, which was opened by
1484 * the userspace L2TP daemon. If not specified, create a
1488 err = l2tp_tunnel_sock_create(net, tunnel_id, peer_tunnel_id,
1493 sock = sockfd_lookup(fd, &err);
1495 pr_err("tunl %u: sockfd_lookup(fd=%d) returned %d\n",
1496 tunnel_id, fd, err);
1501 /* Reject namespace mismatches */
1502 if (!net_eq(sock_net(sock->sk), net)) {
1503 pr_err("tunl %u: netns mismatch\n", tunnel_id);
1514 /* Quick sanity checks */
1516 case L2TP_ENCAPTYPE_UDP:
1517 err = -EPROTONOSUPPORT;
1518 if (sk->sk_protocol != IPPROTO_UDP) {
1519 pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
1520 tunnel_id, fd, sk->sk_protocol, IPPROTO_UDP);
1524 case L2TP_ENCAPTYPE_IP:
1525 err = -EPROTONOSUPPORT;
1526 if (sk->sk_protocol != IPPROTO_L2TP) {
1527 pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
1528 tunnel_id, fd, sk->sk_protocol, IPPROTO_L2TP);
1534 /* Check if this socket has already been prepped */
1535 tunnel = l2tp_tunnel(sk);
1536 if (tunnel != NULL) {
1537 /* This socket has already been prepped */
1542 tunnel = kzalloc(sizeof(struct l2tp_tunnel), GFP_KERNEL);
1543 if (tunnel == NULL) {
1548 tunnel->version = version;
1549 tunnel->tunnel_id = tunnel_id;
1550 tunnel->peer_tunnel_id = peer_tunnel_id;
1551 tunnel->debug = L2TP_DEFAULT_DEBUG_FLAGS;
1553 tunnel->magic = L2TP_TUNNEL_MAGIC;
1554 sprintf(&tunnel->name[0], "tunl %u", tunnel_id);
1555 rwlock_init(&tunnel->hlist_lock);
1557 /* The net we belong to */
1558 tunnel->l2tp_net = net;
1559 pn = l2tp_pernet(net);
1562 tunnel->debug = cfg->debug;
1564 #if IS_ENABLED(CONFIG_IPV6)
1565 if (sk->sk_family == PF_INET6) {
1566 struct ipv6_pinfo *np = inet6_sk(sk);
1568 if (ipv6_addr_v4mapped(&np->saddr) &&
1569 ipv6_addr_v4mapped(&sk->sk_v6_daddr)) {
1570 struct inet_sock *inet = inet_sk(sk);
1572 tunnel->v4mapped = true;
1573 inet->inet_saddr = np->saddr.s6_addr32[3];
1574 inet->inet_rcv_saddr = sk->sk_v6_rcv_saddr.s6_addr32[3];
1575 inet->inet_daddr = sk->sk_v6_daddr.s6_addr32[3];
1577 tunnel->v4mapped = false;
1582 /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
1583 tunnel->encap = encap;
1584 if (encap == L2TP_ENCAPTYPE_UDP) {
1585 struct udp_tunnel_sock_cfg udp_cfg;
1587 udp_cfg.sk_user_data = tunnel;
1588 udp_cfg.encap_type = UDP_ENCAP_L2TPINUDP;
1589 udp_cfg.encap_rcv = l2tp_udp_encap_recv;
1590 udp_cfg.encap_destroy = l2tp_udp_encap_destroy;
1592 setup_udp_tunnel_sock(net, sock, &udp_cfg);
1594 sk->sk_user_data = tunnel;
1597 /* Hook on the tunnel socket destructor so that we can cleanup
1598 * if the tunnel socket goes away.
1600 tunnel->old_sk_destruct = sk->sk_destruct;
1601 sk->sk_destruct = &l2tp_tunnel_destruct;
1604 lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class, "l2tp_sock");
1606 sk->sk_allocation = GFP_ATOMIC;
1608 /* Init delete workqueue struct */
1609 INIT_WORK(&tunnel->del_work, l2tp_tunnel_del_work);
1611 /* Add tunnel to our list */
1612 INIT_LIST_HEAD(&tunnel->list);
1613 atomic_inc(&l2tp_tunnel_count);
1615 /* Bump the reference count. The tunnel context is deleted
1616 * only when this drops to zero. Must be done before list insertion
1618 l2tp_tunnel_inc_refcount(tunnel);
1619 spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1620 list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);
1621 spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1628 /* If tunnel's socket was created by the kernel, it doesn't
1631 if (sock && sock->file)
1636 EXPORT_SYMBOL_GPL(l2tp_tunnel_create);
1638 /* This function is used by the netlink TUNNEL_DELETE command.
1640 int l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
1642 l2tp_tunnel_closeall(tunnel);
1643 return (false == queue_work(l2tp_wq, &tunnel->del_work));
1645 EXPORT_SYMBOL_GPL(l2tp_tunnel_delete);
1647 /* Really kill the session.
1649 void l2tp_session_free(struct l2tp_session *session)
1651 struct l2tp_tunnel *tunnel = session->tunnel;
1653 BUG_ON(atomic_read(&session->ref_count) != 0);
1656 BUG_ON(tunnel->magic != L2TP_TUNNEL_MAGIC);
1657 if (session->session_id != 0)
1658 atomic_dec(&l2tp_session_count);
1659 sock_put(tunnel->sock);
1660 session->tunnel = NULL;
1661 l2tp_tunnel_dec_refcount(tunnel);
1666 EXPORT_SYMBOL_GPL(l2tp_session_free);
1668 /* Remove an l2tp session from l2tp_core's hash lists.
1669 * Provides a tidyup interface for pseudowire code which can't just route all
1670 * shutdown via. l2tp_session_delete and a pseudowire-specific session_close
1673 void __l2tp_session_unhash(struct l2tp_session *session)
1675 struct l2tp_tunnel *tunnel = session->tunnel;
1677 /* Remove the session from core hashes */
1679 /* Remove from the per-tunnel hash */
1680 write_lock_bh(&tunnel->hlist_lock);
1681 hlist_del_init(&session->hlist);
1682 write_unlock_bh(&tunnel->hlist_lock);
1684 /* For L2TPv3 we have a per-net hash: remove from there, too */
1685 if (tunnel->version != L2TP_HDR_VER_2) {
1686 struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
1687 spin_lock_bh(&pn->l2tp_session_hlist_lock);
1688 hlist_del_init_rcu(&session->global_hlist);
1689 spin_unlock_bh(&pn->l2tp_session_hlist_lock);
1694 EXPORT_SYMBOL_GPL(__l2tp_session_unhash);
1696 /* This function is used by the netlink SESSION_DELETE command and by
1699 int l2tp_session_delete(struct l2tp_session *session)
1702 (*session->ref)(session);
1703 __l2tp_session_unhash(session);
1704 l2tp_session_queue_purge(session);
1705 if (session->session_close != NULL)
1706 (*session->session_close)(session);
1708 (*session->deref)(session);
1709 l2tp_session_dec_refcount(session);
1712 EXPORT_SYMBOL_GPL(l2tp_session_delete);
1714 /* We come here whenever a session's send_seq, cookie_len or
1715 * l2specific_len parameters are set.
1717 void l2tp_session_set_header_len(struct l2tp_session *session, int version)
1719 if (version == L2TP_HDR_VER_2) {
1720 session->hdr_len = 6;
1721 if (session->send_seq)
1722 session->hdr_len += 4;
1724 session->hdr_len = 4 + session->cookie_len + session->l2specific_len + session->offset;
1725 if (session->tunnel->encap == L2TP_ENCAPTYPE_UDP)
1726 session->hdr_len += 4;
1730 EXPORT_SYMBOL_GPL(l2tp_session_set_header_len);
1732 struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg)
1734 struct l2tp_session *session;
1736 session = kzalloc(sizeof(struct l2tp_session) + priv_size, GFP_KERNEL);
1737 if (session != NULL) {
1738 session->magic = L2TP_SESSION_MAGIC;
1739 session->tunnel = tunnel;
1741 session->session_id = session_id;
1742 session->peer_session_id = peer_session_id;
1744 if (tunnel->version == L2TP_HDR_VER_2)
1745 session->nr_max = 0xffff;
1747 session->nr_max = 0xffffff;
1748 session->nr_window_size = session->nr_max / 2;
1749 session->nr_oos_count_max = 4;
1751 /* Use NR of first received packet */
1752 session->reorder_skip = 1;
1754 sprintf(&session->name[0], "sess %u/%u",
1755 tunnel->tunnel_id, session->session_id);
1757 skb_queue_head_init(&session->reorder_q);
1759 INIT_HLIST_NODE(&session->hlist);
1760 INIT_HLIST_NODE(&session->global_hlist);
1762 /* Inherit debug options from tunnel */
1763 session->debug = tunnel->debug;
1766 session->pwtype = cfg->pw_type;
1767 session->debug = cfg->debug;
1768 session->mtu = cfg->mtu;
1769 session->mru = cfg->mru;
1770 session->send_seq = cfg->send_seq;
1771 session->recv_seq = cfg->recv_seq;
1772 session->lns_mode = cfg->lns_mode;
1773 session->reorder_timeout = cfg->reorder_timeout;
1774 session->offset = cfg->offset;
1775 session->l2specific_type = cfg->l2specific_type;
1776 session->l2specific_len = cfg->l2specific_len;
1777 session->cookie_len = cfg->cookie_len;
1778 memcpy(&session->cookie[0], &cfg->cookie[0], cfg->cookie_len);
1779 session->peer_cookie_len = cfg->peer_cookie_len;
1780 memcpy(&session->peer_cookie[0], &cfg->peer_cookie[0], cfg->peer_cookie_len);
1783 if (tunnel->version == L2TP_HDR_VER_2)
1784 session->build_header = l2tp_build_l2tpv2_header;
1786 session->build_header = l2tp_build_l2tpv3_header;
1788 l2tp_session_set_header_len(session, tunnel->version);
1790 /* Bump the reference count. The session context is deleted
1791 * only when this drops to zero.
1793 l2tp_session_inc_refcount(session);
1794 l2tp_tunnel_inc_refcount(tunnel);
1796 /* Ensure tunnel socket isn't deleted */
1797 sock_hold(tunnel->sock);
1799 /* Add session to the tunnel's hash list */
1800 write_lock_bh(&tunnel->hlist_lock);
1801 hlist_add_head(&session->hlist,
1802 l2tp_session_id_hash(tunnel, session_id));
1803 write_unlock_bh(&tunnel->hlist_lock);
1805 /* And to the global session list if L2TPv3 */
1806 if (tunnel->version != L2TP_HDR_VER_2) {
1807 struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
1809 spin_lock_bh(&pn->l2tp_session_hlist_lock);
1810 hlist_add_head_rcu(&session->global_hlist,
1811 l2tp_session_id_hash_2(pn, session_id));
1812 spin_unlock_bh(&pn->l2tp_session_hlist_lock);
1815 /* Ignore management session in session count value */
1816 if (session->session_id != 0)
1817 atomic_inc(&l2tp_session_count);
1822 EXPORT_SYMBOL_GPL(l2tp_session_create);
1824 /*****************************************************************************
1826 *****************************************************************************/
1828 static __net_init int l2tp_init_net(struct net *net)
1830 struct l2tp_net *pn = net_generic(net, l2tp_net_id);
1833 INIT_LIST_HEAD(&pn->l2tp_tunnel_list);
1834 spin_lock_init(&pn->l2tp_tunnel_list_lock);
1836 for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++)
1837 INIT_HLIST_HEAD(&pn->l2tp_session_hlist[hash]);
1839 spin_lock_init(&pn->l2tp_session_hlist_lock);
1844 static __net_exit void l2tp_exit_net(struct net *net)
1846 struct l2tp_net *pn = l2tp_pernet(net);
1847 struct l2tp_tunnel *tunnel = NULL;
1850 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
1851 (void)l2tp_tunnel_delete(tunnel);
1853 rcu_read_unlock_bh();
1856 static struct pernet_operations l2tp_net_ops = {
1857 .init = l2tp_init_net,
1858 .exit = l2tp_exit_net,
1860 .size = sizeof(struct l2tp_net),
1863 static int __init l2tp_init(void)
1867 rc = register_pernet_device(&l2tp_net_ops);
1871 l2tp_wq = alloc_workqueue("l2tp", WQ_UNBOUND, 0);
1873 pr_err("alloc_workqueue failed\n");
1874 unregister_pernet_device(&l2tp_net_ops);
1879 pr_info("L2TP core driver, %s\n", L2TP_DRV_VERSION);
1885 static void __exit l2tp_exit(void)
1887 unregister_pernet_device(&l2tp_net_ops);
1889 destroy_workqueue(l2tp_wq);
1894 module_init(l2tp_init);
1895 module_exit(l2tp_exit);
1897 MODULE_AUTHOR("James Chapman <jchapman@katalix.com>");
1898 MODULE_DESCRIPTION("L2TP core");
1899 MODULE_LICENSE("GPL");
1900 MODULE_VERSION(L2TP_DRV_VERSION);
Code Review / kvmfornfv.git / blob