1 // SPDX-License-Identifier: GPL-2.0-only
5 * Copyright (c) 2008,2009,2010 Katalix Systems Ltd
7 * This file contains some code of the original L2TPv2 pppol2tp
8 * driver, which has the following copyright:
10 * Authors: Martijn van Oosterhout <kleptog@svana.org>
11 * James Chapman (jchapman@katalix.com)
13 * Michal Ostrowski <mostrows@speakeasy.net>
14 * Arnaldo Carvalho de Melo <acme@xconectiva.com.br>
15 * David S. Miller (davem@redhat.com)
18 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
20 #include <linux/module.h>
21 #include <linux/string.h>
22 #include <linux/list.h>
23 #include <linux/rculist.h>
24 #include <linux/uaccess.h>
26 #include <linux/kernel.h>
27 #include <linux/spinlock.h>
28 #include <linux/kthread.h>
29 #include <linux/sched.h>
30 #include <linux/slab.h>
31 #include <linux/errno.h>
32 #include <linux/jiffies.h>
34 #include <linux/netdevice.h>
35 #include <linux/net.h>
36 #include <linux/inetdevice.h>
37 #include <linux/skbuff.h>
38 #include <linux/init.h>
41 #include <linux/udp.h>
42 #include <linux/l2tp.h>
43 #include <linux/hash.h>
44 #include <linux/sort.h>
45 #include <linux/file.h>
46 #include <linux/nsproxy.h>
47 #include <net/net_namespace.h>
48 #include <net/netns/generic.h>
52 #include <net/udp_tunnel.h>
53 #include <net/inet_common.h>
55 #include <net/protocol.h>
56 #include <net/inet6_connection_sock.h>
57 #include <net/inet_ecn.h>
58 #include <net/ip6_route.h>
59 #include <net/ip6_checksum.h>
61 #include <asm/byteorder.h>
62 #include <linux/atomic.h>
64 #include "l2tp_core.h"
66 #define L2TP_DRV_VERSION "V2.0"
68 /* L2TP header constants */
69 #define L2TP_HDRFLAG_T 0x8000
70 #define L2TP_HDRFLAG_L 0x4000
71 #define L2TP_HDRFLAG_S 0x0800
72 #define L2TP_HDRFLAG_O 0x0200
73 #define L2TP_HDRFLAG_P 0x0100
75 #define L2TP_HDR_VER_MASK 0x000F
76 #define L2TP_HDR_VER_2 0x0002
77 #define L2TP_HDR_VER_3 0x0003
79 /* L2TPv3 default L2-specific sublayer */
80 #define L2TP_SLFLAG_S 0x40000000
81 #define L2TP_SL_SEQ_MASK 0x00ffffff
83 #define L2TP_HDR_SIZE_MAX 14
85 /* Default trace flags */
86 #define L2TP_DEFAULT_DEBUG_FLAGS 0
88 /* Private data stored for received packets in the skb.
94 unsigned long expires;
97 #define L2TP_SKB_CB(skb) ((struct l2tp_skb_cb *) &skb->cb[sizeof(struct inet_skb_parm)])
99 static struct workqueue_struct *l2tp_wq;
101 /* per-net private data for this module */
102 static unsigned int l2tp_net_id;
104 struct list_head l2tp_tunnel_list;
105 spinlock_t l2tp_tunnel_list_lock;
106 struct hlist_head l2tp_session_hlist[L2TP_HASH_SIZE_2];
107 spinlock_t l2tp_session_hlist_lock;
110 #if IS_ENABLED(CONFIG_IPV6)
111 static bool l2tp_sk_is_v6(struct sock *sk)
113 return sk->sk_family == PF_INET6 &&
114 !ipv6_addr_v4mapped(&sk->sk_v6_daddr);
118 static inline struct l2tp_tunnel *l2tp_tunnel(struct sock *sk)
120 return sk->sk_user_data;
123 static inline struct l2tp_net *l2tp_pernet(const struct net *net)
127 return net_generic(net, l2tp_net_id);
130 /* Session hash global list for L2TPv3.
131 * The session_id SHOULD be random according to RFC3931, but several
132 * L2TP implementations use incrementing session_ids. So we do a real
133 * hash on the session_id, rather than a simple bitmask.
135 static inline struct hlist_head *
136 l2tp_session_id_hash_2(struct l2tp_net *pn, u32 session_id)
138 return &pn->l2tp_session_hlist[hash_32(session_id, L2TP_HASH_BITS_2)];
142 /* Session hash list.
143 * The session_id SHOULD be random according to RFC2661, but several
144 * L2TP implementations (Cisco and Microsoft) use incrementing
145 * session_ids. So we do a real hash on the session_id, rather than a
148 static inline struct hlist_head *
149 l2tp_session_id_hash(struct l2tp_tunnel *tunnel, u32 session_id)
151 return &tunnel->session_hlist[hash_32(session_id, L2TP_HASH_BITS)];
154 void l2tp_tunnel_free(struct l2tp_tunnel *tunnel)
156 sock_put(tunnel->sock);
157 /* the tunnel is freed in the socket destructor */
159 EXPORT_SYMBOL(l2tp_tunnel_free);
161 /* Lookup a tunnel. A new reference is held on the returned tunnel. */
162 struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id)
164 const struct l2tp_net *pn = l2tp_pernet(net);
165 struct l2tp_tunnel *tunnel;
168 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
169 if (tunnel->tunnel_id == tunnel_id &&
170 refcount_inc_not_zero(&tunnel->ref_count)) {
171 rcu_read_unlock_bh();
176 rcu_read_unlock_bh();
180 EXPORT_SYMBOL_GPL(l2tp_tunnel_get);
182 struct l2tp_tunnel *l2tp_tunnel_get_nth(const struct net *net, int nth)
184 const struct l2tp_net *pn = l2tp_pernet(net);
185 struct l2tp_tunnel *tunnel;
189 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
191 refcount_inc_not_zero(&tunnel->ref_count)) {
192 rcu_read_unlock_bh();
196 rcu_read_unlock_bh();
200 EXPORT_SYMBOL_GPL(l2tp_tunnel_get_nth);
202 struct l2tp_session *l2tp_tunnel_get_session(struct l2tp_tunnel *tunnel,
205 struct hlist_head *session_list;
206 struct l2tp_session *session;
208 session_list = l2tp_session_id_hash(tunnel, session_id);
210 read_lock_bh(&tunnel->hlist_lock);
211 hlist_for_each_entry(session, session_list, hlist)
212 if (session->session_id == session_id) {
213 l2tp_session_inc_refcount(session);
214 read_unlock_bh(&tunnel->hlist_lock);
218 read_unlock_bh(&tunnel->hlist_lock);
222 EXPORT_SYMBOL_GPL(l2tp_tunnel_get_session);
224 struct l2tp_session *l2tp_session_get(const struct net *net, u32 session_id)
226 struct hlist_head *session_list;
227 struct l2tp_session *session;
229 session_list = l2tp_session_id_hash_2(l2tp_pernet(net), session_id);
232 hlist_for_each_entry_rcu(session, session_list, global_hlist)
233 if (session->session_id == session_id) {
234 l2tp_session_inc_refcount(session);
235 rcu_read_unlock_bh();
239 rcu_read_unlock_bh();
243 EXPORT_SYMBOL_GPL(l2tp_session_get);
245 struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth)
248 struct l2tp_session *session;
251 read_lock_bh(&tunnel->hlist_lock);
252 for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
253 hlist_for_each_entry(session, &tunnel->session_hlist[hash], hlist) {
255 l2tp_session_inc_refcount(session);
256 read_unlock_bh(&tunnel->hlist_lock);
262 read_unlock_bh(&tunnel->hlist_lock);
266 EXPORT_SYMBOL_GPL(l2tp_session_get_nth);
268 /* Lookup a session by interface name.
269 * This is very inefficient but is only used by management interfaces.
271 struct l2tp_session *l2tp_session_get_by_ifname(const struct net *net,
274 struct l2tp_net *pn = l2tp_pernet(net);
276 struct l2tp_session *session;
279 for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++) {
280 hlist_for_each_entry_rcu(session, &pn->l2tp_session_hlist[hash], global_hlist) {
281 if (!strcmp(session->ifname, ifname)) {
282 l2tp_session_inc_refcount(session);
283 rcu_read_unlock_bh();
290 rcu_read_unlock_bh();
294 EXPORT_SYMBOL_GPL(l2tp_session_get_by_ifname);
296 int l2tp_session_register(struct l2tp_session *session,
297 struct l2tp_tunnel *tunnel)
299 struct l2tp_session *session_walk;
300 struct hlist_head *g_head;
301 struct hlist_head *head;
305 head = l2tp_session_id_hash(tunnel, session->session_id);
307 write_lock_bh(&tunnel->hlist_lock);
308 if (!tunnel->acpt_newsess) {
313 hlist_for_each_entry(session_walk, head, hlist)
314 if (session_walk->session_id == session->session_id) {
319 if (tunnel->version == L2TP_HDR_VER_3) {
320 pn = l2tp_pernet(tunnel->l2tp_net);
321 g_head = l2tp_session_id_hash_2(pn, session->session_id);
323 spin_lock_bh(&pn->l2tp_session_hlist_lock);
325 /* IP encap expects session IDs to be globally unique, while
328 hlist_for_each_entry(session_walk, g_head, global_hlist)
329 if (session_walk->session_id == session->session_id &&
330 (session_walk->tunnel->encap == L2TP_ENCAPTYPE_IP ||
331 tunnel->encap == L2TP_ENCAPTYPE_IP)) {
333 goto err_tlock_pnlock;
336 l2tp_tunnel_inc_refcount(tunnel);
337 hlist_add_head_rcu(&session->global_hlist, g_head);
339 spin_unlock_bh(&pn->l2tp_session_hlist_lock);
341 l2tp_tunnel_inc_refcount(tunnel);
344 hlist_add_head(&session->hlist, head);
345 write_unlock_bh(&tunnel->hlist_lock);
350 spin_unlock_bh(&pn->l2tp_session_hlist_lock);
352 write_unlock_bh(&tunnel->hlist_lock);
356 EXPORT_SYMBOL_GPL(l2tp_session_register);
358 /*****************************************************************************
359 * Receive data handling
360 *****************************************************************************/
362 /* Queue a skb in order. We come here only if the skb has an L2TP sequence
365 static void l2tp_recv_queue_skb(struct l2tp_session *session, struct sk_buff *skb)
367 struct sk_buff *skbp;
369 u32 ns = L2TP_SKB_CB(skb)->ns;
371 spin_lock_bh(&session->reorder_q.lock);
372 skb_queue_walk_safe(&session->reorder_q, skbp, tmp) {
373 if (L2TP_SKB_CB(skbp)->ns > ns) {
374 __skb_queue_before(&session->reorder_q, skbp, skb);
375 l2tp_dbg(session, L2TP_MSG_SEQ,
376 "%s: pkt %hu, inserted before %hu, reorder_q len=%d\n",
377 session->name, ns, L2TP_SKB_CB(skbp)->ns,
378 skb_queue_len(&session->reorder_q));
379 atomic_long_inc(&session->stats.rx_oos_packets);
384 __skb_queue_tail(&session->reorder_q, skb);
387 spin_unlock_bh(&session->reorder_q.lock);
390 /* Dequeue a single skb.
392 static void l2tp_recv_dequeue_skb(struct l2tp_session *session, struct sk_buff *skb)
394 struct l2tp_tunnel *tunnel = session->tunnel;
395 int length = L2TP_SKB_CB(skb)->length;
397 /* We're about to requeue the skb, so return resources
398 * to its current owner (a socket receive buffer).
402 atomic_long_inc(&tunnel->stats.rx_packets);
403 atomic_long_add(length, &tunnel->stats.rx_bytes);
404 atomic_long_inc(&session->stats.rx_packets);
405 atomic_long_add(length, &session->stats.rx_bytes);
407 if (L2TP_SKB_CB(skb)->has_seq) {
410 session->nr &= session->nr_max;
412 l2tp_dbg(session, L2TP_MSG_SEQ, "%s: updated nr to %hu\n",
413 session->name, session->nr);
416 /* call private receive handler */
417 if (session->recv_skb != NULL)
418 (*session->recv_skb)(session, skb, L2TP_SKB_CB(skb)->length);
423 /* Dequeue skbs from the session's reorder_q, subject to packet order.
424 * Skbs that have been in the queue for too long are simply discarded.
426 static void l2tp_recv_dequeue(struct l2tp_session *session)
431 /* If the pkt at the head of the queue has the nr that we
432 * expect to send up next, dequeue it and any other
433 * in-sequence packets behind it.
436 spin_lock_bh(&session->reorder_q.lock);
437 skb_queue_walk_safe(&session->reorder_q, skb, tmp) {
438 if (time_after(jiffies, L2TP_SKB_CB(skb)->expires)) {
439 atomic_long_inc(&session->stats.rx_seq_discards);
440 atomic_long_inc(&session->stats.rx_errors);
441 l2tp_dbg(session, L2TP_MSG_SEQ,
442 "%s: oos pkt %u len %d discarded (too old), waiting for %u, reorder_q_len=%d\n",
443 session->name, L2TP_SKB_CB(skb)->ns,
444 L2TP_SKB_CB(skb)->length, session->nr,
445 skb_queue_len(&session->reorder_q));
446 session->reorder_skip = 1;
447 __skb_unlink(skb, &session->reorder_q);
452 if (L2TP_SKB_CB(skb)->has_seq) {
453 if (session->reorder_skip) {
454 l2tp_dbg(session, L2TP_MSG_SEQ,
455 "%s: advancing nr to next pkt: %u -> %u",
456 session->name, session->nr,
457 L2TP_SKB_CB(skb)->ns);
458 session->reorder_skip = 0;
459 session->nr = L2TP_SKB_CB(skb)->ns;
461 if (L2TP_SKB_CB(skb)->ns != session->nr) {
462 l2tp_dbg(session, L2TP_MSG_SEQ,
463 "%s: holding oos pkt %u len %d, waiting for %u, reorder_q_len=%d\n",
464 session->name, L2TP_SKB_CB(skb)->ns,
465 L2TP_SKB_CB(skb)->length, session->nr,
466 skb_queue_len(&session->reorder_q));
470 __skb_unlink(skb, &session->reorder_q);
472 /* Process the skb. We release the queue lock while we
473 * do so to let other contexts process the queue.
475 spin_unlock_bh(&session->reorder_q.lock);
476 l2tp_recv_dequeue_skb(session, skb);
481 spin_unlock_bh(&session->reorder_q.lock);
484 static int l2tp_seq_check_rx_window(struct l2tp_session *session, u32 nr)
488 if (nr >= session->nr)
489 nws = nr - session->nr;
491 nws = (session->nr_max + 1) - (session->nr - nr);
493 return nws < session->nr_window_size;
496 /* If packet has sequence numbers, queue it if acceptable. Returns 0 if
497 * acceptable, else non-zero.
499 static int l2tp_recv_data_seq(struct l2tp_session *session, struct sk_buff *skb)
501 if (!l2tp_seq_check_rx_window(session, L2TP_SKB_CB(skb)->ns)) {
502 /* Packet sequence number is outside allowed window.
505 l2tp_dbg(session, L2TP_MSG_SEQ,
506 "%s: pkt %u len %d discarded, outside window, nr=%u\n",
507 session->name, L2TP_SKB_CB(skb)->ns,
508 L2TP_SKB_CB(skb)->length, session->nr);
512 if (session->reorder_timeout != 0) {
513 /* Packet reordering enabled. Add skb to session's
514 * reorder queue, in order of ns.
516 l2tp_recv_queue_skb(session, skb);
520 /* Packet reordering disabled. Discard out-of-sequence packets, while
521 * tracking the number if in-sequence packets after the first OOS packet
522 * is seen. After nr_oos_count_max in-sequence packets, reset the
523 * sequence number to re-enable packet reception.
525 if (L2TP_SKB_CB(skb)->ns == session->nr) {
526 skb_queue_tail(&session->reorder_q, skb);
528 u32 nr_oos = L2TP_SKB_CB(skb)->ns;
529 u32 nr_next = (session->nr_oos + 1) & session->nr_max;
531 if (nr_oos == nr_next)
532 session->nr_oos_count++;
534 session->nr_oos_count = 0;
536 session->nr_oos = nr_oos;
537 if (session->nr_oos_count > session->nr_oos_count_max) {
538 session->reorder_skip = 1;
539 l2tp_dbg(session, L2TP_MSG_SEQ,
540 "%s: %d oos packets received. Resetting sequence numbers\n",
541 session->name, session->nr_oos_count);
543 if (!session->reorder_skip) {
544 atomic_long_inc(&session->stats.rx_seq_discards);
545 l2tp_dbg(session, L2TP_MSG_SEQ,
546 "%s: oos pkt %u len %d discarded, waiting for %u, reorder_q_len=%d\n",
547 session->name, L2TP_SKB_CB(skb)->ns,
548 L2TP_SKB_CB(skb)->length, session->nr,
549 skb_queue_len(&session->reorder_q));
552 skb_queue_tail(&session->reorder_q, skb);
562 /* Do receive processing of L2TP data frames. We handle both L2TPv2
563 * and L2TPv3 data frames here.
565 * L2TPv2 Data Message Header
568 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
569 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
570 * |T|L|x|x|S|x|O|P|x|x|x|x| Ver | Length (opt) |
571 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
572 * | Tunnel ID | Session ID |
573 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
574 * | Ns (opt) | Nr (opt) |
575 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
576 * | Offset Size (opt) | Offset pad... (opt)
577 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
579 * Data frames are marked by T=0. All other fields are the same as
580 * those in L2TP control frames.
582 * L2TPv3 Data Message Header
584 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
585 * | L2TP Session Header |
586 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
587 * | L2-Specific Sublayer |
588 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
589 * | Tunnel Payload ...
590 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
592 * L2TPv3 Session Header Over IP
595 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
596 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
598 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
599 * | Cookie (optional, maximum 64 bits)...
600 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
602 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
604 * L2TPv3 L2-Specific Sublayer Format
607 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
608 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
609 * |x|S|x|x|x|x|x|x| Sequence Number |
610 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
612 * Cookie value and sublayer format are negotiated with the peer when
613 * the session is set up. Unlike L2TPv2, we do not need to parse the
614 * packet header to determine if optional fields are present.
616 * Caller must already have parsed the frame and determined that it is
617 * a data (not control) frame before coming here. Fields up to the
618 * session-id have already been parsed and ptr points to the data
619 * after the session-id.
621 void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
622 unsigned char *ptr, unsigned char *optr, u16 hdrflags,
625 struct l2tp_tunnel *tunnel = session->tunnel;
629 /* Parse and check optional cookie */
630 if (session->peer_cookie_len > 0) {
631 if (memcmp(ptr, &session->peer_cookie[0], session->peer_cookie_len)) {
632 l2tp_info(tunnel, L2TP_MSG_DATA,
633 "%s: cookie mismatch (%u/%u). Discarding.\n",
634 tunnel->name, tunnel->tunnel_id,
635 session->session_id);
636 atomic_long_inc(&session->stats.rx_cookie_discards);
639 ptr += session->peer_cookie_len;
642 /* Handle the optional sequence numbers. Sequence numbers are
643 * in different places for L2TPv2 and L2TPv3.
645 * If we are the LAC, enable/disable sequence numbers under
646 * the control of the LNS. If no sequence numbers present but
647 * we were expecting them, discard frame.
650 L2TP_SKB_CB(skb)->has_seq = 0;
651 if (tunnel->version == L2TP_HDR_VER_2) {
652 if (hdrflags & L2TP_HDRFLAG_S) {
653 ns = ntohs(*(__be16 *) ptr);
655 nr = ntohs(*(__be16 *) ptr);
658 /* Store L2TP info in the skb */
659 L2TP_SKB_CB(skb)->ns = ns;
660 L2TP_SKB_CB(skb)->has_seq = 1;
662 l2tp_dbg(session, L2TP_MSG_SEQ,
663 "%s: recv data ns=%u, nr=%u, session nr=%u\n",
664 session->name, ns, nr, session->nr);
666 } else if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
667 u32 l2h = ntohl(*(__be32 *) ptr);
669 if (l2h & 0x40000000) {
670 ns = l2h & 0x00ffffff;
672 /* Store L2TP info in the skb */
673 L2TP_SKB_CB(skb)->ns = ns;
674 L2TP_SKB_CB(skb)->has_seq = 1;
676 l2tp_dbg(session, L2TP_MSG_SEQ,
677 "%s: recv data ns=%u, session nr=%u\n",
678 session->name, ns, session->nr);
683 if (L2TP_SKB_CB(skb)->has_seq) {
684 /* Received a packet with sequence numbers. If we're the LNS,
685 * check if we sre sending sequence numbers and if not,
688 if ((!session->lns_mode) && (!session->send_seq)) {
689 l2tp_info(session, L2TP_MSG_SEQ,
690 "%s: requested to enable seq numbers by LNS\n",
692 session->send_seq = 1;
693 l2tp_session_set_header_len(session, tunnel->version);
696 /* No sequence numbers.
697 * If user has configured mandatory sequence numbers, discard.
699 if (session->recv_seq) {
700 l2tp_warn(session, L2TP_MSG_SEQ,
701 "%s: recv data has no seq numbers when required. Discarding.\n",
703 atomic_long_inc(&session->stats.rx_seq_discards);
707 /* If we're the LAC and we're sending sequence numbers, the
708 * LNS has requested that we no longer send sequence numbers.
709 * If we're the LNS and we're sending sequence numbers, the
710 * LAC is broken. Discard the frame.
712 if ((!session->lns_mode) && (session->send_seq)) {
713 l2tp_info(session, L2TP_MSG_SEQ,
714 "%s: requested to disable seq numbers by LNS\n",
716 session->send_seq = 0;
717 l2tp_session_set_header_len(session, tunnel->version);
718 } else if (session->send_seq) {
719 l2tp_warn(session, L2TP_MSG_SEQ,
720 "%s: recv data has no seq numbers when required. Discarding.\n",
722 atomic_long_inc(&session->stats.rx_seq_discards);
727 /* Session data offset is defined only for L2TPv2 and is
728 * indicated by an optional 16-bit value in the header.
730 if (tunnel->version == L2TP_HDR_VER_2) {
731 /* If offset bit set, skip it. */
732 if (hdrflags & L2TP_HDRFLAG_O) {
733 offset = ntohs(*(__be16 *)ptr);
739 if (!pskb_may_pull(skb, offset))
742 __skb_pull(skb, offset);
744 /* Prepare skb for adding to the session's reorder_q. Hold
745 * packets for max reorder_timeout or 1 second if not
748 L2TP_SKB_CB(skb)->length = length;
749 L2TP_SKB_CB(skb)->expires = jiffies +
750 (session->reorder_timeout ? session->reorder_timeout : HZ);
752 /* Add packet to the session's receive queue. Reordering is done here, if
753 * enabled. Saved L2TP protocol info is stored in skb->sb[].
755 if (L2TP_SKB_CB(skb)->has_seq) {
756 if (l2tp_recv_data_seq(session, skb))
759 /* No sequence numbers. Add the skb to the tail of the
760 * reorder queue. This ensures that it will be
761 * delivered after all previous sequenced skbs.
763 skb_queue_tail(&session->reorder_q, skb);
766 /* Try to dequeue as many skbs from reorder_q as we can. */
767 l2tp_recv_dequeue(session);
772 atomic_long_inc(&session->stats.rx_errors);
775 EXPORT_SYMBOL(l2tp_recv_common);
777 /* Drop skbs from the session's reorder_q
779 static int l2tp_session_queue_purge(struct l2tp_session *session)
781 struct sk_buff *skb = NULL;
783 BUG_ON(session->magic != L2TP_SESSION_MAGIC);
784 while ((skb = skb_dequeue(&session->reorder_q))) {
785 atomic_long_inc(&session->stats.rx_errors);
791 /* Internal UDP receive frame. Do the real work of receiving an L2TP data frame
792 * here. The skb is not on a list when we get here.
793 * Returns 0 if the packet was a data packet and was successfully passed on.
794 * Returns 1 if the packet was not a good data packet and could not be
795 * forwarded. All such packets are passed up to userspace to deal with.
797 static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb)
799 struct l2tp_session *session = NULL;
800 unsigned char *ptr, *optr;
802 u32 tunnel_id, session_id;
806 /* UDP has verifed checksum */
808 /* UDP always verifies the packet length. */
809 __skb_pull(skb, sizeof(struct udphdr));
812 if (!pskb_may_pull(skb, L2TP_HDR_SIZE_MAX)) {
813 l2tp_info(tunnel, L2TP_MSG_DATA,
814 "%s: recv short packet (len=%d)\n",
815 tunnel->name, skb->len);
819 /* Trace packet contents, if enabled */
820 if (tunnel->debug & L2TP_MSG_DATA) {
821 length = min(32u, skb->len);
822 if (!pskb_may_pull(skb, length))
825 pr_debug("%s: recv\n", tunnel->name);
826 print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, skb->data, length);
829 /* Point to L2TP header */
830 optr = ptr = skb->data;
832 /* Get L2TP header flags */
833 hdrflags = ntohs(*(__be16 *) ptr);
835 /* Check protocol version */
836 version = hdrflags & L2TP_HDR_VER_MASK;
837 if (version != tunnel->version) {
838 l2tp_info(tunnel, L2TP_MSG_DATA,
839 "%s: recv protocol version mismatch: got %d expected %d\n",
840 tunnel->name, version, tunnel->version);
844 /* Get length of L2TP packet */
847 /* If type is control packet, it is handled by userspace. */
848 if (hdrflags & L2TP_HDRFLAG_T) {
849 l2tp_dbg(tunnel, L2TP_MSG_DATA,
850 "%s: recv control packet, len=%d\n",
851 tunnel->name, length);
858 if (tunnel->version == L2TP_HDR_VER_2) {
859 /* If length is present, skip it */
860 if (hdrflags & L2TP_HDRFLAG_L)
863 /* Extract tunnel and session ID */
864 tunnel_id = ntohs(*(__be16 *) ptr);
866 session_id = ntohs(*(__be16 *) ptr);
869 ptr += 2; /* skip reserved bits */
870 tunnel_id = tunnel->tunnel_id;
871 session_id = ntohl(*(__be32 *) ptr);
875 /* Find the session context */
876 session = l2tp_tunnel_get_session(tunnel, session_id);
877 if (!session || !session->recv_skb) {
879 l2tp_session_dec_refcount(session);
881 /* Not found? Pass to userspace to deal with */
882 l2tp_info(tunnel, L2TP_MSG_DATA,
883 "%s: no session found (%u/%u). Passing up.\n",
884 tunnel->name, tunnel_id, session_id);
888 if (tunnel->version == L2TP_HDR_VER_3 &&
889 l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) {
890 l2tp_session_dec_refcount(session);
894 l2tp_recv_common(session, skb, ptr, optr, hdrflags, length);
895 l2tp_session_dec_refcount(session);
900 /* Put UDP header back */
901 __skb_push(skb, sizeof(struct udphdr));
906 /* UDP encapsulation receive handler. See net/ipv4/udp.c.
910 * >0: skb should be passed up to userspace as UDP.
912 int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
914 struct l2tp_tunnel *tunnel;
916 tunnel = rcu_dereference_sk_user_data(sk);
920 l2tp_dbg(tunnel, L2TP_MSG_DATA, "%s: received %d bytes\n",
921 tunnel->name, skb->len);
923 if (l2tp_udp_recv_core(tunnel, skb))
931 EXPORT_SYMBOL_GPL(l2tp_udp_encap_recv);
933 /************************************************************************
935 ***********************************************************************/
937 /* Build an L2TP header for the session into the buffer provided.
939 static int l2tp_build_l2tpv2_header(struct l2tp_session *session, void *buf)
941 struct l2tp_tunnel *tunnel = session->tunnel;
944 u16 flags = L2TP_HDR_VER_2;
945 u32 tunnel_id = tunnel->peer_tunnel_id;
946 u32 session_id = session->peer_session_id;
948 if (session->send_seq)
949 flags |= L2TP_HDRFLAG_S;
951 /* Setup L2TP header. */
952 *bufp++ = htons(flags);
953 *bufp++ = htons(tunnel_id);
954 *bufp++ = htons(session_id);
955 if (session->send_seq) {
956 *bufp++ = htons(session->ns);
959 session->ns &= 0xffff;
960 l2tp_dbg(session, L2TP_MSG_SEQ, "%s: updated ns to %u\n",
961 session->name, session->ns);
967 static int l2tp_build_l2tpv3_header(struct l2tp_session *session, void *buf)
969 struct l2tp_tunnel *tunnel = session->tunnel;
973 /* Setup L2TP header. The header differs slightly for UDP and
974 * IP encapsulations. For UDP, there is 4 bytes of flags.
976 if (tunnel->encap == L2TP_ENCAPTYPE_UDP) {
977 u16 flags = L2TP_HDR_VER_3;
978 *((__be16 *) bufp) = htons(flags);
980 *((__be16 *) bufp) = 0;
984 *((__be32 *) bufp) = htonl(session->peer_session_id);
986 if (session->cookie_len) {
987 memcpy(bufp, &session->cookie[0], session->cookie_len);
988 bufp += session->cookie_len;
990 if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
993 if (session->send_seq) {
994 l2h = 0x40000000 | session->ns;
996 session->ns &= 0xffffff;
997 l2tp_dbg(session, L2TP_MSG_SEQ,
998 "%s: updated ns to %u\n",
999 session->name, session->ns);
1002 *((__be32 *)bufp) = htonl(l2h);
1009 static void l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb,
1010 struct flowi *fl, size_t data_len)
1012 struct l2tp_tunnel *tunnel = session->tunnel;
1013 unsigned int len = skb->len;
1017 if (session->send_seq)
1018 l2tp_dbg(session, L2TP_MSG_DATA, "%s: send %zd bytes, ns=%u\n",
1019 session->name, data_len, session->ns - 1);
1021 l2tp_dbg(session, L2TP_MSG_DATA, "%s: send %zd bytes\n",
1022 session->name, data_len);
1024 if (session->debug & L2TP_MSG_DATA) {
1025 int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
1026 unsigned char *datap = skb->data + uhlen;
1028 pr_debug("%s: xmit\n", session->name);
1029 print_hex_dump_bytes("", DUMP_PREFIX_OFFSET,
1030 datap, min_t(size_t, 32, len - uhlen));
1033 /* Queue the packet to IP for output */
1036 #if IS_ENABLED(CONFIG_IPV6)
1037 if (l2tp_sk_is_v6(tunnel->sock))
1038 error = inet6_csk_xmit(tunnel->sock, skb, NULL);
1041 error = ip_queue_xmit(tunnel->sock, skb, fl);
1045 atomic_long_inc(&tunnel->stats.tx_packets);
1046 atomic_long_add(len, &tunnel->stats.tx_bytes);
1047 atomic_long_inc(&session->stats.tx_packets);
1048 atomic_long_add(len, &session->stats.tx_bytes);
1050 atomic_long_inc(&tunnel->stats.tx_errors);
1051 atomic_long_inc(&session->stats.tx_errors);
1055 /* If caller requires the skb to have a ppp header, the header must be
1056 * inserted in the skb data before calling this function.
1058 int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len)
1060 int data_len = skb->len;
1061 struct l2tp_tunnel *tunnel = session->tunnel;
1062 struct sock *sk = tunnel->sock;
1065 struct inet_sock *inet;
1067 int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
1069 int ret = NET_XMIT_SUCCESS;
1071 /* Check that there's enough headroom in the skb to insert IP,
1072 * UDP and L2TP headers. If not enough, expand it to
1073 * make room. Adjust truesize.
1075 headroom = NET_SKB_PAD + sizeof(struct iphdr) +
1077 if (skb_cow_head(skb, headroom)) {
1079 return NET_XMIT_DROP;
1082 /* Setup L2TP header */
1083 session->build_header(session, __skb_push(skb, hdr_len));
1085 /* Reset skb netfilter state */
1086 memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
1087 IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
1092 if (sock_owned_by_user(sk)) {
1094 ret = NET_XMIT_DROP;
1098 /* The user-space may change the connection status for the user-space
1099 * provided socket at run time: we must check it under the socket lock
1101 if (tunnel->fd >= 0 && sk->sk_state != TCP_ESTABLISHED) {
1103 ret = NET_XMIT_DROP;
1108 fl = &inet->cork.fl;
1109 switch (tunnel->encap) {
1110 case L2TP_ENCAPTYPE_UDP:
1111 /* Setup UDP header */
1112 __skb_push(skb, sizeof(*uh));
1113 skb_reset_transport_header(skb);
1115 uh->source = inet->inet_sport;
1116 uh->dest = inet->inet_dport;
1117 udp_len = uhlen + hdr_len + data_len;
1118 uh->len = htons(udp_len);
1120 /* Calculate UDP checksum if configured to do so */
1121 #if IS_ENABLED(CONFIG_IPV6)
1122 if (l2tp_sk_is_v6(sk))
1123 udp6_set_csum(udp_get_no_check6_tx(sk),
1124 skb, &inet6_sk(sk)->saddr,
1125 &sk->sk_v6_daddr, udp_len);
1128 udp_set_csum(sk->sk_no_check_tx, skb, inet->inet_saddr,
1129 inet->inet_daddr, udp_len);
1132 case L2TP_ENCAPTYPE_IP:
1136 l2tp_xmit_core(session, skb, fl, data_len);
1142 EXPORT_SYMBOL_GPL(l2tp_xmit_skb);
1144 /*****************************************************************************
1145 * Tinnel and session create/destroy.
1146 *****************************************************************************/
1148 /* Tunnel socket destruct hook.
1149 * The tunnel context is deleted only when all session sockets have been
1152 static void l2tp_tunnel_destruct(struct sock *sk)
1154 struct l2tp_tunnel *tunnel = l2tp_tunnel(sk);
1159 l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: closing...\n", tunnel->name);
1161 /* Disable udp encapsulation */
1162 switch (tunnel->encap) {
1163 case L2TP_ENCAPTYPE_UDP:
1164 /* No longer an encapsulation socket. See net/ipv4/udp.c */
1165 (udp_sk(sk))->encap_type = 0;
1166 (udp_sk(sk))->encap_rcv = NULL;
1167 (udp_sk(sk))->encap_destroy = NULL;
1169 case L2TP_ENCAPTYPE_IP:
1173 /* Remove hooks into tunnel socket */
1174 sk->sk_destruct = tunnel->old_sk_destruct;
1175 sk->sk_user_data = NULL;
1177 /* Call the original destructor */
1178 if (sk->sk_destruct)
1179 (*sk->sk_destruct)(sk);
1181 kfree_rcu(tunnel, rcu);
1186 /* When the tunnel is closed, all the attached sessions need to go too.
1188 static void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel)
1191 struct hlist_node *walk;
1192 struct hlist_node *tmp;
1193 struct l2tp_session *session;
1195 BUG_ON(tunnel == NULL);
1197 l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: closing all sessions...\n",
1200 write_lock_bh(&tunnel->hlist_lock);
1201 tunnel->acpt_newsess = false;
1202 for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
1204 hlist_for_each_safe(walk, tmp, &tunnel->session_hlist[hash]) {
1205 session = hlist_entry(walk, struct l2tp_session, hlist);
1207 l2tp_info(session, L2TP_MSG_CONTROL,
1208 "%s: closing session\n", session->name);
1210 hlist_del_init(&session->hlist);
1212 if (test_and_set_bit(0, &session->dead))
1215 write_unlock_bh(&tunnel->hlist_lock);
1217 __l2tp_session_unhash(session);
1218 l2tp_session_queue_purge(session);
1220 if (session->session_close != NULL)
1221 (*session->session_close)(session);
1223 l2tp_session_dec_refcount(session);
1225 write_lock_bh(&tunnel->hlist_lock);
1227 /* Now restart from the beginning of this hash
1228 * chain. We always remove a session from the
1229 * list so we are guaranteed to make forward
1235 write_unlock_bh(&tunnel->hlist_lock);
1238 /* Tunnel socket destroy hook for UDP encapsulation */
1239 static void l2tp_udp_encap_destroy(struct sock *sk)
1241 struct l2tp_tunnel *tunnel = l2tp_tunnel(sk);
1244 l2tp_tunnel_delete(tunnel);
1247 /* Workqueue tunnel deletion function */
1248 static void l2tp_tunnel_del_work(struct work_struct *work)
1250 struct l2tp_tunnel *tunnel = container_of(work, struct l2tp_tunnel,
1252 struct sock *sk = tunnel->sock;
1253 struct socket *sock = sk->sk_socket;
1254 struct l2tp_net *pn;
1256 l2tp_tunnel_closeall(tunnel);
1258 /* If the tunnel socket was created within the kernel, use
1259 * the sk API to release it here.
1261 if (tunnel->fd < 0) {
1263 kernel_sock_shutdown(sock, SHUT_RDWR);
1268 /* Remove the tunnel struct from the tunnel list */
1269 pn = l2tp_pernet(tunnel->l2tp_net);
1270 spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1271 list_del_rcu(&tunnel->list);
1272 spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1274 /* drop initial ref */
1275 l2tp_tunnel_dec_refcount(tunnel);
1277 /* drop workqueue ref */
1278 l2tp_tunnel_dec_refcount(tunnel);
1281 /* Create a socket for the tunnel, if one isn't set up by
1282 * userspace. This is used for static tunnels where there is no
1283 * managing L2TP daemon.
1285 * Since we don't want these sockets to keep a namespace alive by
1286 * themselves, we drop the socket's namespace refcount after creation.
1287 * These sockets are freed when the namespace exits using the pernet
1290 static int l2tp_tunnel_sock_create(struct net *net,
1293 struct l2tp_tunnel_cfg *cfg,
1294 struct socket **sockp)
1297 struct socket *sock = NULL;
1298 struct udp_port_cfg udp_conf;
1300 switch (cfg->encap) {
1301 case L2TP_ENCAPTYPE_UDP:
1302 memset(&udp_conf, 0, sizeof(udp_conf));
1304 #if IS_ENABLED(CONFIG_IPV6)
1305 if (cfg->local_ip6 && cfg->peer_ip6) {
1306 udp_conf.family = AF_INET6;
1307 memcpy(&udp_conf.local_ip6, cfg->local_ip6,
1308 sizeof(udp_conf.local_ip6));
1309 memcpy(&udp_conf.peer_ip6, cfg->peer_ip6,
1310 sizeof(udp_conf.peer_ip6));
1311 udp_conf.use_udp6_tx_checksums =
1312 ! cfg->udp6_zero_tx_checksums;
1313 udp_conf.use_udp6_rx_checksums =
1314 ! cfg->udp6_zero_rx_checksums;
1318 udp_conf.family = AF_INET;
1319 udp_conf.local_ip = cfg->local_ip;
1320 udp_conf.peer_ip = cfg->peer_ip;
1321 udp_conf.use_udp_checksums = cfg->use_udp_checksums;
1324 udp_conf.local_udp_port = htons(cfg->local_udp_port);
1325 udp_conf.peer_udp_port = htons(cfg->peer_udp_port);
1327 err = udp_sock_create(net, &udp_conf, &sock);
1333 case L2TP_ENCAPTYPE_IP:
1334 #if IS_ENABLED(CONFIG_IPV6)
1335 if (cfg->local_ip6 && cfg->peer_ip6) {
1336 struct sockaddr_l2tpip6 ip6_addr = {0};
1338 err = sock_create_kern(net, AF_INET6, SOCK_DGRAM,
1339 IPPROTO_L2TP, &sock);
1343 ip6_addr.l2tp_family = AF_INET6;
1344 memcpy(&ip6_addr.l2tp_addr, cfg->local_ip6,
1345 sizeof(ip6_addr.l2tp_addr));
1346 ip6_addr.l2tp_conn_id = tunnel_id;
1347 err = kernel_bind(sock, (struct sockaddr *) &ip6_addr,
1352 ip6_addr.l2tp_family = AF_INET6;
1353 memcpy(&ip6_addr.l2tp_addr, cfg->peer_ip6,
1354 sizeof(ip6_addr.l2tp_addr));
1355 ip6_addr.l2tp_conn_id = peer_tunnel_id;
1356 err = kernel_connect(sock,
1357 (struct sockaddr *) &ip6_addr,
1358 sizeof(ip6_addr), 0);
1364 struct sockaddr_l2tpip ip_addr = {0};
1366 err = sock_create_kern(net, AF_INET, SOCK_DGRAM,
1367 IPPROTO_L2TP, &sock);
1371 ip_addr.l2tp_family = AF_INET;
1372 ip_addr.l2tp_addr = cfg->local_ip;
1373 ip_addr.l2tp_conn_id = tunnel_id;
1374 err = kernel_bind(sock, (struct sockaddr *) &ip_addr,
1379 ip_addr.l2tp_family = AF_INET;
1380 ip_addr.l2tp_addr = cfg->peer_ip;
1381 ip_addr.l2tp_conn_id = peer_tunnel_id;
1382 err = kernel_connect(sock, (struct sockaddr *) &ip_addr,
1383 sizeof(ip_addr), 0);
1395 if ((err < 0) && sock) {
1396 kernel_sock_shutdown(sock, SHUT_RDWR);
1404 static struct lock_class_key l2tp_socket_class;
1406 int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp)
1408 struct l2tp_tunnel *tunnel = NULL;
1410 enum l2tp_encap_type encap = L2TP_ENCAPTYPE_UDP;
1415 tunnel = kzalloc(sizeof(struct l2tp_tunnel), GFP_KERNEL);
1416 if (tunnel == NULL) {
1421 tunnel->version = version;
1422 tunnel->tunnel_id = tunnel_id;
1423 tunnel->peer_tunnel_id = peer_tunnel_id;
1424 tunnel->debug = L2TP_DEFAULT_DEBUG_FLAGS;
1426 tunnel->magic = L2TP_TUNNEL_MAGIC;
1427 sprintf(&tunnel->name[0], "tunl %u", tunnel_id);
1428 rwlock_init(&tunnel->hlist_lock);
1429 tunnel->acpt_newsess = true;
1432 tunnel->debug = cfg->debug;
1434 tunnel->encap = encap;
1436 refcount_set(&tunnel->ref_count, 1);
1439 /* Init delete workqueue struct */
1440 INIT_WORK(&tunnel->del_work, l2tp_tunnel_del_work);
1442 INIT_LIST_HEAD(&tunnel->list);
1451 EXPORT_SYMBOL_GPL(l2tp_tunnel_create);
1453 static int l2tp_validate_socket(const struct sock *sk, const struct net *net,
1454 enum l2tp_encap_type encap)
1456 if (!net_eq(sock_net(sk), net))
1459 if (sk->sk_type != SOCK_DGRAM)
1460 return -EPROTONOSUPPORT;
1462 if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)
1463 return -EPROTONOSUPPORT;
1465 if ((encap == L2TP_ENCAPTYPE_UDP && sk->sk_protocol != IPPROTO_UDP) ||
1466 (encap == L2TP_ENCAPTYPE_IP && sk->sk_protocol != IPPROTO_L2TP))
1467 return -EPROTONOSUPPORT;
1469 if (sk->sk_user_data)
1475 int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
1476 struct l2tp_tunnel_cfg *cfg)
1478 struct l2tp_tunnel *tunnel_walk;
1479 struct l2tp_net *pn;
1480 struct socket *sock;
1484 if (tunnel->fd < 0) {
1485 ret = l2tp_tunnel_sock_create(net, tunnel->tunnel_id,
1486 tunnel->peer_tunnel_id, cfg,
1491 sock = sockfd_lookup(tunnel->fd, &ret);
1495 ret = l2tp_validate_socket(sock->sk, net, tunnel->encap);
1500 tunnel->l2tp_net = net;
1501 pn = l2tp_pernet(net);
1503 spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1504 list_for_each_entry(tunnel_walk, &pn->l2tp_tunnel_list, list) {
1505 if (tunnel_walk->tunnel_id == tunnel->tunnel_id) {
1506 spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1512 list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);
1513 spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1519 if (tunnel->encap == L2TP_ENCAPTYPE_UDP) {
1520 struct udp_tunnel_sock_cfg udp_cfg = {
1521 .sk_user_data = tunnel,
1522 .encap_type = UDP_ENCAP_L2TPINUDP,
1523 .encap_rcv = l2tp_udp_encap_recv,
1524 .encap_destroy = l2tp_udp_encap_destroy,
1527 setup_udp_tunnel_sock(net, sock, &udp_cfg);
1529 sk->sk_user_data = tunnel;
1532 tunnel->old_sk_destruct = sk->sk_destruct;
1533 sk->sk_destruct = &l2tp_tunnel_destruct;
1534 lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class,
1536 sk->sk_allocation = GFP_ATOMIC;
1538 if (tunnel->fd >= 0)
1551 EXPORT_SYMBOL_GPL(l2tp_tunnel_register);
1553 /* This function is used by the netlink TUNNEL_DELETE command.
1555 void l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
1557 if (!test_and_set_bit(0, &tunnel->dead)) {
1558 l2tp_tunnel_inc_refcount(tunnel);
1559 queue_work(l2tp_wq, &tunnel->del_work);
1562 EXPORT_SYMBOL_GPL(l2tp_tunnel_delete);
1564 /* Really kill the session.
1566 void l2tp_session_free(struct l2tp_session *session)
1568 struct l2tp_tunnel *tunnel = session->tunnel;
1570 BUG_ON(refcount_read(&session->ref_count) != 0);
1573 BUG_ON(tunnel->magic != L2TP_TUNNEL_MAGIC);
1574 l2tp_tunnel_dec_refcount(tunnel);
1579 EXPORT_SYMBOL_GPL(l2tp_session_free);
1581 /* Remove an l2tp session from l2tp_core's hash lists.
1582 * Provides a tidyup interface for pseudowire code which can't just route all
1583 * shutdown via. l2tp_session_delete and a pseudowire-specific session_close
1586 void __l2tp_session_unhash(struct l2tp_session *session)
1588 struct l2tp_tunnel *tunnel = session->tunnel;
1590 /* Remove the session from core hashes */
1592 /* Remove from the per-tunnel hash */
1593 write_lock_bh(&tunnel->hlist_lock);
1594 hlist_del_init(&session->hlist);
1595 write_unlock_bh(&tunnel->hlist_lock);
1597 /* For L2TPv3 we have a per-net hash: remove from there, too */
1598 if (tunnel->version != L2TP_HDR_VER_2) {
1599 struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
1600 spin_lock_bh(&pn->l2tp_session_hlist_lock);
1601 hlist_del_init_rcu(&session->global_hlist);
1602 spin_unlock_bh(&pn->l2tp_session_hlist_lock);
1607 EXPORT_SYMBOL_GPL(__l2tp_session_unhash);
1609 /* This function is used by the netlink SESSION_DELETE command and by
1612 int l2tp_session_delete(struct l2tp_session *session)
1614 if (test_and_set_bit(0, &session->dead))
1617 __l2tp_session_unhash(session);
1618 l2tp_session_queue_purge(session);
1619 if (session->session_close != NULL)
1620 (*session->session_close)(session);
1622 l2tp_session_dec_refcount(session);
1626 EXPORT_SYMBOL_GPL(l2tp_session_delete);
1628 /* We come here whenever a session's send_seq, cookie_len or
1629 * l2specific_type parameters are set.
1631 void l2tp_session_set_header_len(struct l2tp_session *session, int version)
1633 if (version == L2TP_HDR_VER_2) {
1634 session->hdr_len = 6;
1635 if (session->send_seq)
1636 session->hdr_len += 4;
1638 session->hdr_len = 4 + session->cookie_len;
1639 session->hdr_len += l2tp_get_l2specific_len(session);
1640 if (session->tunnel->encap == L2TP_ENCAPTYPE_UDP)
1641 session->hdr_len += 4;
1645 EXPORT_SYMBOL_GPL(l2tp_session_set_header_len);
1647 struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg)
1649 struct l2tp_session *session;
1651 session = kzalloc(sizeof(struct l2tp_session) + priv_size, GFP_KERNEL);
1652 if (session != NULL) {
1653 session->magic = L2TP_SESSION_MAGIC;
1654 session->tunnel = tunnel;
1656 session->session_id = session_id;
1657 session->peer_session_id = peer_session_id;
1659 if (tunnel->version == L2TP_HDR_VER_2)
1660 session->nr_max = 0xffff;
1662 session->nr_max = 0xffffff;
1663 session->nr_window_size = session->nr_max / 2;
1664 session->nr_oos_count_max = 4;
1666 /* Use NR of first received packet */
1667 session->reorder_skip = 1;
1669 sprintf(&session->name[0], "sess %u/%u",
1670 tunnel->tunnel_id, session->session_id);
1672 skb_queue_head_init(&session->reorder_q);
1674 INIT_HLIST_NODE(&session->hlist);
1675 INIT_HLIST_NODE(&session->global_hlist);
1677 /* Inherit debug options from tunnel */
1678 session->debug = tunnel->debug;
1681 session->pwtype = cfg->pw_type;
1682 session->debug = cfg->debug;
1683 session->send_seq = cfg->send_seq;
1684 session->recv_seq = cfg->recv_seq;
1685 session->lns_mode = cfg->lns_mode;
1686 session->reorder_timeout = cfg->reorder_timeout;
1687 session->l2specific_type = cfg->l2specific_type;
1688 session->cookie_len = cfg->cookie_len;
1689 memcpy(&session->cookie[0], &cfg->cookie[0], cfg->cookie_len);
1690 session->peer_cookie_len = cfg->peer_cookie_len;
1691 memcpy(&session->peer_cookie[0], &cfg->peer_cookie[0], cfg->peer_cookie_len);
1694 if (tunnel->version == L2TP_HDR_VER_2)
1695 session->build_header = l2tp_build_l2tpv2_header;
1697 session->build_header = l2tp_build_l2tpv3_header;
1699 l2tp_session_set_header_len(session, tunnel->version);
1701 refcount_set(&session->ref_count, 1);
1706 return ERR_PTR(-ENOMEM);
1708 EXPORT_SYMBOL_GPL(l2tp_session_create);
1710 /*****************************************************************************
1712 *****************************************************************************/
1714 static __net_init int l2tp_init_net(struct net *net)
1716 struct l2tp_net *pn = net_generic(net, l2tp_net_id);
1719 INIT_LIST_HEAD(&pn->l2tp_tunnel_list);
1720 spin_lock_init(&pn->l2tp_tunnel_list_lock);
1722 for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++)
1723 INIT_HLIST_HEAD(&pn->l2tp_session_hlist[hash]);
1725 spin_lock_init(&pn->l2tp_session_hlist_lock);
1730 static __net_exit void l2tp_exit_net(struct net *net)
1732 struct l2tp_net *pn = l2tp_pernet(net);
1733 struct l2tp_tunnel *tunnel = NULL;
1737 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
1738 l2tp_tunnel_delete(tunnel);
1740 rcu_read_unlock_bh();
1743 flush_workqueue(l2tp_wq);
1746 for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++)
1747 WARN_ON_ONCE(!hlist_empty(&pn->l2tp_session_hlist[hash]));
1750 static struct pernet_operations l2tp_net_ops = {
1751 .init = l2tp_init_net,
1752 .exit = l2tp_exit_net,
1754 .size = sizeof(struct l2tp_net),
1757 static int __init l2tp_init(void)
1761 rc = register_pernet_device(&l2tp_net_ops);
1765 l2tp_wq = alloc_workqueue("l2tp", WQ_UNBOUND, 0);
1767 pr_err("alloc_workqueue failed\n");
1768 unregister_pernet_device(&l2tp_net_ops);
1773 pr_info("L2TP core driver, %s\n", L2TP_DRV_VERSION);
1779 static void __exit l2tp_exit(void)
1781 unregister_pernet_device(&l2tp_net_ops);
1783 destroy_workqueue(l2tp_wq);
1788 module_init(l2tp_init);
1789 module_exit(l2tp_exit);
1791 MODULE_AUTHOR("James Chapman <jchapman@katalix.com>");
1792 MODULE_DESCRIPTION("L2TP core");
1793 MODULE_LICENSE("GPL");
1794 MODULE_VERSION(L2TP_DRV_VERSION);