4 * Copyright (c) 2008,2009,2010 Katalix Systems Ltd
6 * This file contains some code of the original L2TPv2 pppol2tp
7 * driver, which has the following copyright:
9 * Authors: Martijn van Oosterhout <kleptog@svana.org>
10 * James Chapman (jchapman@katalix.com)
12 * Michal Ostrowski <mostrows@speakeasy.net>
13 * Arnaldo Carvalho de Melo <acme@xconectiva.com.br>
14 * David S. Miller (davem@redhat.com)
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License version 2 as
18 * published by the Free Software Foundation.
21 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
23 #include <linux/module.h>
24 #include <linux/string.h>
25 #include <linux/list.h>
26 #include <linux/rculist.h>
27 #include <linux/uaccess.h>
29 #include <linux/kernel.h>
30 #include <linux/spinlock.h>
31 #include <linux/kthread.h>
32 #include <linux/sched.h>
33 #include <linux/slab.h>
34 #include <linux/errno.h>
35 #include <linux/jiffies.h>
37 #include <linux/netdevice.h>
38 #include <linux/net.h>
39 #include <linux/inetdevice.h>
40 #include <linux/skbuff.h>
41 #include <linux/init.h>
44 #include <linux/udp.h>
45 #include <linux/l2tp.h>
46 #include <linux/hash.h>
47 #include <linux/sort.h>
48 #include <linux/file.h>
49 #include <linux/nsproxy.h>
50 #include <net/net_namespace.h>
51 #include <net/netns/generic.h>
55 #include <net/udp_tunnel.h>
56 #include <net/inet_common.h>
58 #include <net/protocol.h>
59 #include <net/inet6_connection_sock.h>
60 #include <net/inet_ecn.h>
61 #include <net/ip6_route.h>
62 #include <net/ip6_checksum.h>
64 #include <asm/byteorder.h>
65 #include <linux/atomic.h>
67 #include "l2tp_core.h"
69 #define L2TP_DRV_VERSION "V2.0"
71 /* L2TP header constants */
72 #define L2TP_HDRFLAG_T 0x8000
73 #define L2TP_HDRFLAG_L 0x4000
74 #define L2TP_HDRFLAG_S 0x0800
75 #define L2TP_HDRFLAG_O 0x0200
76 #define L2TP_HDRFLAG_P 0x0100
78 #define L2TP_HDR_VER_MASK 0x000F
79 #define L2TP_HDR_VER_2 0x0002
80 #define L2TP_HDR_VER_3 0x0003
82 /* L2TPv3 default L2-specific sublayer */
83 #define L2TP_SLFLAG_S 0x40000000
84 #define L2TP_SL_SEQ_MASK 0x00ffffff
86 #define L2TP_HDR_SIZE_MAX 14
88 /* Default trace flags */
89 #define L2TP_DEFAULT_DEBUG_FLAGS 0
91 /* Private data stored for received packets in the skb.
97 unsigned long expires;
100 #define L2TP_SKB_CB(skb) ((struct l2tp_skb_cb *) &skb->cb[sizeof(struct inet_skb_parm)])
102 static atomic_t l2tp_tunnel_count;
103 static atomic_t l2tp_session_count;
104 static struct workqueue_struct *l2tp_wq;
106 /* per-net private data for this module */
107 static unsigned int l2tp_net_id;
109 struct list_head l2tp_tunnel_list;
110 spinlock_t l2tp_tunnel_list_lock;
111 struct hlist_head l2tp_session_hlist[L2TP_HASH_SIZE_2];
112 spinlock_t l2tp_session_hlist_lock;
116 static inline struct l2tp_tunnel *l2tp_tunnel(struct sock *sk)
118 return sk->sk_user_data;
121 static inline struct l2tp_net *l2tp_pernet(const struct net *net)
125 return net_generic(net, l2tp_net_id);
128 /* Session hash global list for L2TPv3.
129 * The session_id SHOULD be random according to RFC3931, but several
130 * L2TP implementations use incrementing session_ids. So we do a real
131 * hash on the session_id, rather than a simple bitmask.
133 static inline struct hlist_head *
134 l2tp_session_id_hash_2(struct l2tp_net *pn, u32 session_id)
136 return &pn->l2tp_session_hlist[hash_32(session_id, L2TP_HASH_BITS_2)];
140 /* Lookup the tunnel socket, possibly involving the fs code if the socket is
141 * owned by userspace. A struct sock returned from this function must be
142 * released using l2tp_tunnel_sock_put once you're done with it.
144 static struct sock *l2tp_tunnel_sock_lookup(struct l2tp_tunnel *tunnel)
147 struct socket *sock = NULL;
148 struct sock *sk = NULL;
153 if (tunnel->fd >= 0) {
154 /* Socket is owned by userspace, who might be in the process
155 * of closing it. Look the socket up using the fd to ensure
158 sock = sockfd_lookup(tunnel->fd, &err);
162 /* Socket is owned by kernelspace */
171 /* Drop a reference to a tunnel socket obtained via. l2tp_tunnel_sock_put */
172 static void l2tp_tunnel_sock_put(struct sock *sk)
174 struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
176 if (tunnel->fd >= 0) {
177 /* Socket is owned by userspace */
178 sockfd_put(sk->sk_socket);
185 /* Session hash list.
186 * The session_id SHOULD be random according to RFC2661, but several
187 * L2TP implementations (Cisco and Microsoft) use incrementing
188 * session_ids. So we do a real hash on the session_id, rather than a
191 static inline struct hlist_head *
192 l2tp_session_id_hash(struct l2tp_tunnel *tunnel, u32 session_id)
194 return &tunnel->session_hlist[hash_32(session_id, L2TP_HASH_BITS)];
197 /* Lookup a tunnel. A new reference is held on the returned tunnel. */
198 struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id)
200 const struct l2tp_net *pn = l2tp_pernet(net);
201 struct l2tp_tunnel *tunnel;
204 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
205 if (tunnel->tunnel_id == tunnel_id) {
206 l2tp_tunnel_inc_refcount(tunnel);
207 rcu_read_unlock_bh();
212 rcu_read_unlock_bh();
216 EXPORT_SYMBOL_GPL(l2tp_tunnel_get);
218 /* Lookup a session. A new reference is held on the returned session.
219 * Optionally calls session->ref() too if do_ref is true.
221 struct l2tp_session *l2tp_session_get(const struct net *net,
222 struct l2tp_tunnel *tunnel,
223 u32 session_id, bool do_ref)
225 struct hlist_head *session_list;
226 struct l2tp_session *session;
229 struct l2tp_net *pn = l2tp_pernet(net);
231 session_list = l2tp_session_id_hash_2(pn, session_id);
234 hlist_for_each_entry_rcu(session, session_list, global_hlist) {
235 if (session->session_id == session_id) {
236 l2tp_session_inc_refcount(session);
237 if (do_ref && session->ref)
238 session->ref(session);
239 rcu_read_unlock_bh();
244 rcu_read_unlock_bh();
249 session_list = l2tp_session_id_hash(tunnel, session_id);
250 read_lock_bh(&tunnel->hlist_lock);
251 hlist_for_each_entry(session, session_list, hlist) {
252 if (session->session_id == session_id) {
253 l2tp_session_inc_refcount(session);
254 if (do_ref && session->ref)
255 session->ref(session);
256 read_unlock_bh(&tunnel->hlist_lock);
261 read_unlock_bh(&tunnel->hlist_lock);
265 EXPORT_SYMBOL_GPL(l2tp_session_get);
267 struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth,
271 struct l2tp_session *session;
274 read_lock_bh(&tunnel->hlist_lock);
275 for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
276 hlist_for_each_entry(session, &tunnel->session_hlist[hash], hlist) {
278 l2tp_session_inc_refcount(session);
279 if (do_ref && session->ref)
280 session->ref(session);
281 read_unlock_bh(&tunnel->hlist_lock);
287 read_unlock_bh(&tunnel->hlist_lock);
291 EXPORT_SYMBOL_GPL(l2tp_session_get_nth);
293 /* Lookup a session by interface name.
294 * This is very inefficient but is only used by management interfaces.
296 struct l2tp_session *l2tp_session_get_by_ifname(const struct net *net,
300 struct l2tp_net *pn = l2tp_pernet(net);
302 struct l2tp_session *session;
305 for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++) {
306 hlist_for_each_entry_rcu(session, &pn->l2tp_session_hlist[hash], global_hlist) {
307 if (!strcmp(session->ifname, ifname)) {
308 l2tp_session_inc_refcount(session);
309 if (do_ref && session->ref)
310 session->ref(session);
311 rcu_read_unlock_bh();
318 rcu_read_unlock_bh();
322 EXPORT_SYMBOL_GPL(l2tp_session_get_by_ifname);
324 int l2tp_session_register(struct l2tp_session *session,
325 struct l2tp_tunnel *tunnel)
327 struct l2tp_session *session_walk;
328 struct hlist_head *g_head;
329 struct hlist_head *head;
333 head = l2tp_session_id_hash(tunnel, session->session_id);
335 write_lock_bh(&tunnel->hlist_lock);
336 if (!tunnel->acpt_newsess) {
341 hlist_for_each_entry(session_walk, head, hlist)
342 if (session_walk->session_id == session->session_id) {
347 if (tunnel->version == L2TP_HDR_VER_3) {
348 pn = l2tp_pernet(tunnel->l2tp_net);
349 g_head = l2tp_session_id_hash_2(l2tp_pernet(tunnel->l2tp_net),
350 session->session_id);
352 spin_lock_bh(&pn->l2tp_session_hlist_lock);
354 /* IP encap expects session IDs to be globally unique, while
357 hlist_for_each_entry(session_walk, g_head, global_hlist)
358 if (session_walk->session_id == session->session_id &&
359 (session_walk->tunnel->encap == L2TP_ENCAPTYPE_IP ||
360 tunnel->encap == L2TP_ENCAPTYPE_IP)) {
362 goto err_tlock_pnlock;
365 l2tp_tunnel_inc_refcount(tunnel);
366 sock_hold(tunnel->sock);
367 hlist_add_head_rcu(&session->global_hlist, g_head);
369 spin_unlock_bh(&pn->l2tp_session_hlist_lock);
371 l2tp_tunnel_inc_refcount(tunnel);
372 sock_hold(tunnel->sock);
375 hlist_add_head(&session->hlist, head);
376 write_unlock_bh(&tunnel->hlist_lock);
378 /* Ignore management session in session count value */
379 if (session->session_id != 0)
380 atomic_inc(&l2tp_session_count);
385 spin_unlock_bh(&pn->l2tp_session_hlist_lock);
387 write_unlock_bh(&tunnel->hlist_lock);
391 EXPORT_SYMBOL_GPL(l2tp_session_register);
393 /* Lookup a tunnel by id
395 struct l2tp_tunnel *l2tp_tunnel_find(const struct net *net, u32 tunnel_id)
397 struct l2tp_tunnel *tunnel;
398 struct l2tp_net *pn = l2tp_pernet(net);
401 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
402 if (tunnel->tunnel_id == tunnel_id) {
403 rcu_read_unlock_bh();
407 rcu_read_unlock_bh();
411 EXPORT_SYMBOL_GPL(l2tp_tunnel_find);
413 struct l2tp_tunnel *l2tp_tunnel_find_nth(const struct net *net, int nth)
415 struct l2tp_net *pn = l2tp_pernet(net);
416 struct l2tp_tunnel *tunnel;
420 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
422 rcu_read_unlock_bh();
427 rcu_read_unlock_bh();
431 EXPORT_SYMBOL_GPL(l2tp_tunnel_find_nth);
433 /*****************************************************************************
434 * Receive data handling
435 *****************************************************************************/
437 /* Queue a skb in order. We come here only if the skb has an L2TP sequence
440 static void l2tp_recv_queue_skb(struct l2tp_session *session, struct sk_buff *skb)
442 struct sk_buff *skbp;
444 u32 ns = L2TP_SKB_CB(skb)->ns;
446 spin_lock_bh(&session->reorder_q.lock);
447 skb_queue_walk_safe(&session->reorder_q, skbp, tmp) {
448 if (L2TP_SKB_CB(skbp)->ns > ns) {
449 __skb_queue_before(&session->reorder_q, skbp, skb);
450 l2tp_dbg(session, L2TP_MSG_SEQ,
451 "%s: pkt %hu, inserted before %hu, reorder_q len=%d\n",
452 session->name, ns, L2TP_SKB_CB(skbp)->ns,
453 skb_queue_len(&session->reorder_q));
454 atomic_long_inc(&session->stats.rx_oos_packets);
459 __skb_queue_tail(&session->reorder_q, skb);
462 spin_unlock_bh(&session->reorder_q.lock);
465 /* Dequeue a single skb.
467 static void l2tp_recv_dequeue_skb(struct l2tp_session *session, struct sk_buff *skb)
469 struct l2tp_tunnel *tunnel = session->tunnel;
470 int length = L2TP_SKB_CB(skb)->length;
472 /* We're about to requeue the skb, so return resources
473 * to its current owner (a socket receive buffer).
477 atomic_long_inc(&tunnel->stats.rx_packets);
478 atomic_long_add(length, &tunnel->stats.rx_bytes);
479 atomic_long_inc(&session->stats.rx_packets);
480 atomic_long_add(length, &session->stats.rx_bytes);
482 if (L2TP_SKB_CB(skb)->has_seq) {
485 session->nr &= session->nr_max;
487 l2tp_dbg(session, L2TP_MSG_SEQ, "%s: updated nr to %hu\n",
488 session->name, session->nr);
491 /* call private receive handler */
492 if (session->recv_skb != NULL)
493 (*session->recv_skb)(session, skb, L2TP_SKB_CB(skb)->length);
498 (*session->deref)(session);
501 /* Dequeue skbs from the session's reorder_q, subject to packet order.
502 * Skbs that have been in the queue for too long are simply discarded.
504 static void l2tp_recv_dequeue(struct l2tp_session *session)
509 /* If the pkt at the head of the queue has the nr that we
510 * expect to send up next, dequeue it and any other
511 * in-sequence packets behind it.
514 spin_lock_bh(&session->reorder_q.lock);
515 skb_queue_walk_safe(&session->reorder_q, skb, tmp) {
516 if (time_after(jiffies, L2TP_SKB_CB(skb)->expires)) {
517 atomic_long_inc(&session->stats.rx_seq_discards);
518 atomic_long_inc(&session->stats.rx_errors);
519 l2tp_dbg(session, L2TP_MSG_SEQ,
520 "%s: oos pkt %u len %d discarded (too old), waiting for %u, reorder_q_len=%d\n",
521 session->name, L2TP_SKB_CB(skb)->ns,
522 L2TP_SKB_CB(skb)->length, session->nr,
523 skb_queue_len(&session->reorder_q));
524 session->reorder_skip = 1;
525 __skb_unlink(skb, &session->reorder_q);
528 (*session->deref)(session);
532 if (L2TP_SKB_CB(skb)->has_seq) {
533 if (session->reorder_skip) {
534 l2tp_dbg(session, L2TP_MSG_SEQ,
535 "%s: advancing nr to next pkt: %u -> %u",
536 session->name, session->nr,
537 L2TP_SKB_CB(skb)->ns);
538 session->reorder_skip = 0;
539 session->nr = L2TP_SKB_CB(skb)->ns;
541 if (L2TP_SKB_CB(skb)->ns != session->nr) {
542 l2tp_dbg(session, L2TP_MSG_SEQ,
543 "%s: holding oos pkt %u len %d, waiting for %u, reorder_q_len=%d\n",
544 session->name, L2TP_SKB_CB(skb)->ns,
545 L2TP_SKB_CB(skb)->length, session->nr,
546 skb_queue_len(&session->reorder_q));
550 __skb_unlink(skb, &session->reorder_q);
552 /* Process the skb. We release the queue lock while we
553 * do so to let other contexts process the queue.
555 spin_unlock_bh(&session->reorder_q.lock);
556 l2tp_recv_dequeue_skb(session, skb);
561 spin_unlock_bh(&session->reorder_q.lock);
564 static int l2tp_seq_check_rx_window(struct l2tp_session *session, u32 nr)
568 if (nr >= session->nr)
569 nws = nr - session->nr;
571 nws = (session->nr_max + 1) - (session->nr - nr);
573 return nws < session->nr_window_size;
576 /* If packet has sequence numbers, queue it if acceptable. Returns 0 if
577 * acceptable, else non-zero.
579 static int l2tp_recv_data_seq(struct l2tp_session *session, struct sk_buff *skb)
581 if (!l2tp_seq_check_rx_window(session, L2TP_SKB_CB(skb)->ns)) {
582 /* Packet sequence number is outside allowed window.
585 l2tp_dbg(session, L2TP_MSG_SEQ,
586 "%s: pkt %u len %d discarded, outside window, nr=%u\n",
587 session->name, L2TP_SKB_CB(skb)->ns,
588 L2TP_SKB_CB(skb)->length, session->nr);
592 if (session->reorder_timeout != 0) {
593 /* Packet reordering enabled. Add skb to session's
594 * reorder queue, in order of ns.
596 l2tp_recv_queue_skb(session, skb);
600 /* Packet reordering disabled. Discard out-of-sequence packets, while
601 * tracking the number if in-sequence packets after the first OOS packet
602 * is seen. After nr_oos_count_max in-sequence packets, reset the
603 * sequence number to re-enable packet reception.
605 if (L2TP_SKB_CB(skb)->ns == session->nr) {
606 skb_queue_tail(&session->reorder_q, skb);
608 u32 nr_oos = L2TP_SKB_CB(skb)->ns;
609 u32 nr_next = (session->nr_oos + 1) & session->nr_max;
611 if (nr_oos == nr_next)
612 session->nr_oos_count++;
614 session->nr_oos_count = 0;
616 session->nr_oos = nr_oos;
617 if (session->nr_oos_count > session->nr_oos_count_max) {
618 session->reorder_skip = 1;
619 l2tp_dbg(session, L2TP_MSG_SEQ,
620 "%s: %d oos packets received. Resetting sequence numbers\n",
621 session->name, session->nr_oos_count);
623 if (!session->reorder_skip) {
624 atomic_long_inc(&session->stats.rx_seq_discards);
625 l2tp_dbg(session, L2TP_MSG_SEQ,
626 "%s: oos pkt %u len %d discarded, waiting for %u, reorder_q_len=%d\n",
627 session->name, L2TP_SKB_CB(skb)->ns,
628 L2TP_SKB_CB(skb)->length, session->nr,
629 skb_queue_len(&session->reorder_q));
632 skb_queue_tail(&session->reorder_q, skb);
642 /* Do receive processing of L2TP data frames. We handle both L2TPv2
643 * and L2TPv3 data frames here.
645 * L2TPv2 Data Message Header
648 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
649 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
650 * |T|L|x|x|S|x|O|P|x|x|x|x| Ver | Length (opt) |
651 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
652 * | Tunnel ID | Session ID |
653 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
654 * | Ns (opt) | Nr (opt) |
655 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
656 * | Offset Size (opt) | Offset pad... (opt)
657 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
659 * Data frames are marked by T=0. All other fields are the same as
660 * those in L2TP control frames.
662 * L2TPv3 Data Message Header
664 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
665 * | L2TP Session Header |
666 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
667 * | L2-Specific Sublayer |
668 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
669 * | Tunnel Payload ...
670 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
672 * L2TPv3 Session Header Over IP
675 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
676 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
678 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
679 * | Cookie (optional, maximum 64 bits)...
680 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
682 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
684 * L2TPv3 L2-Specific Sublayer Format
687 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
688 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
689 * |x|S|x|x|x|x|x|x| Sequence Number |
690 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
692 * Cookie value, sublayer format and offset (pad) are negotiated with
693 * the peer when the session is set up. Unlike L2TPv2, we do not need
694 * to parse the packet header to determine if optional fields are
697 * Caller must already have parsed the frame and determined that it is
698 * a data (not control) frame before coming here. Fields up to the
699 * session-id have already been parsed and ptr points to the data
700 * after the session-id.
702 * session->ref() must have been called prior to l2tp_recv_common().
703 * session->deref() will be called automatically after skb is processed.
705 void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
706 unsigned char *ptr, unsigned char *optr, u16 hdrflags,
707 int length, int (*payload_hook)(struct sk_buff *skb))
709 struct l2tp_tunnel *tunnel = session->tunnel;
713 /* Parse and check optional cookie */
714 if (session->peer_cookie_len > 0) {
715 if (memcmp(ptr, &session->peer_cookie[0], session->peer_cookie_len)) {
716 l2tp_info(tunnel, L2TP_MSG_DATA,
717 "%s: cookie mismatch (%u/%u). Discarding.\n",
718 tunnel->name, tunnel->tunnel_id,
719 session->session_id);
720 atomic_long_inc(&session->stats.rx_cookie_discards);
723 ptr += session->peer_cookie_len;
726 /* Handle the optional sequence numbers. Sequence numbers are
727 * in different places for L2TPv2 and L2TPv3.
729 * If we are the LAC, enable/disable sequence numbers under
730 * the control of the LNS. If no sequence numbers present but
731 * we were expecting them, discard frame.
734 L2TP_SKB_CB(skb)->has_seq = 0;
735 if (tunnel->version == L2TP_HDR_VER_2) {
736 if (hdrflags & L2TP_HDRFLAG_S) {
737 ns = ntohs(*(__be16 *) ptr);
739 nr = ntohs(*(__be16 *) ptr);
742 /* Store L2TP info in the skb */
743 L2TP_SKB_CB(skb)->ns = ns;
744 L2TP_SKB_CB(skb)->has_seq = 1;
746 l2tp_dbg(session, L2TP_MSG_SEQ,
747 "%s: recv data ns=%u, nr=%u, session nr=%u\n",
748 session->name, ns, nr, session->nr);
750 } else if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
751 u32 l2h = ntohl(*(__be32 *) ptr);
753 if (l2h & 0x40000000) {
754 ns = l2h & 0x00ffffff;
756 /* Store L2TP info in the skb */
757 L2TP_SKB_CB(skb)->ns = ns;
758 L2TP_SKB_CB(skb)->has_seq = 1;
760 l2tp_dbg(session, L2TP_MSG_SEQ,
761 "%s: recv data ns=%u, session nr=%u\n",
762 session->name, ns, session->nr);
767 if (L2TP_SKB_CB(skb)->has_seq) {
768 /* Received a packet with sequence numbers. If we're the LNS,
769 * check if we sre sending sequence numbers and if not,
772 if ((!session->lns_mode) && (!session->send_seq)) {
773 l2tp_info(session, L2TP_MSG_SEQ,
774 "%s: requested to enable seq numbers by LNS\n",
776 session->send_seq = -1;
777 l2tp_session_set_header_len(session, tunnel->version);
780 /* No sequence numbers.
781 * If user has configured mandatory sequence numbers, discard.
783 if (session->recv_seq) {
784 l2tp_warn(session, L2TP_MSG_SEQ,
785 "%s: recv data has no seq numbers when required. Discarding.\n",
787 atomic_long_inc(&session->stats.rx_seq_discards);
791 /* If we're the LAC and we're sending sequence numbers, the
792 * LNS has requested that we no longer send sequence numbers.
793 * If we're the LNS and we're sending sequence numbers, the
794 * LAC is broken. Discard the frame.
796 if ((!session->lns_mode) && (session->send_seq)) {
797 l2tp_info(session, L2TP_MSG_SEQ,
798 "%s: requested to disable seq numbers by LNS\n",
800 session->send_seq = 0;
801 l2tp_session_set_header_len(session, tunnel->version);
802 } else if (session->send_seq) {
803 l2tp_warn(session, L2TP_MSG_SEQ,
804 "%s: recv data has no seq numbers when required. Discarding.\n",
806 atomic_long_inc(&session->stats.rx_seq_discards);
811 /* Session data offset is handled differently for L2TPv2 and
812 * L2TPv3. For L2TPv2, there is an optional 16-bit value in
813 * the header. For L2TPv3, the offset is negotiated using AVPs
814 * in the session setup control protocol.
816 if (tunnel->version == L2TP_HDR_VER_2) {
817 /* If offset bit set, skip it. */
818 if (hdrflags & L2TP_HDRFLAG_O) {
819 offset = ntohs(*(__be16 *)ptr);
823 ptr += session->offset;
826 if (!pskb_may_pull(skb, offset))
829 __skb_pull(skb, offset);
831 /* If caller wants to process the payload before we queue the
835 if ((*payload_hook)(skb))
838 /* Prepare skb for adding to the session's reorder_q. Hold
839 * packets for max reorder_timeout or 1 second if not
842 L2TP_SKB_CB(skb)->length = length;
843 L2TP_SKB_CB(skb)->expires = jiffies +
844 (session->reorder_timeout ? session->reorder_timeout : HZ);
846 /* Add packet to the session's receive queue. Reordering is done here, if
847 * enabled. Saved L2TP protocol info is stored in skb->sb[].
849 if (L2TP_SKB_CB(skb)->has_seq) {
850 if (l2tp_recv_data_seq(session, skb))
853 /* No sequence numbers. Add the skb to the tail of the
854 * reorder queue. This ensures that it will be
855 * delivered after all previous sequenced skbs.
857 skb_queue_tail(&session->reorder_q, skb);
860 /* Try to dequeue as many skbs from reorder_q as we can. */
861 l2tp_recv_dequeue(session);
866 atomic_long_inc(&session->stats.rx_errors);
870 (*session->deref)(session);
872 EXPORT_SYMBOL(l2tp_recv_common);
874 /* Drop skbs from the session's reorder_q
876 int l2tp_session_queue_purge(struct l2tp_session *session)
878 struct sk_buff *skb = NULL;
880 BUG_ON(session->magic != L2TP_SESSION_MAGIC);
881 while ((skb = skb_dequeue(&session->reorder_q))) {
882 atomic_long_inc(&session->stats.rx_errors);
885 (*session->deref)(session);
889 EXPORT_SYMBOL_GPL(l2tp_session_queue_purge);
891 /* Internal UDP receive frame. Do the real work of receiving an L2TP data frame
892 * here. The skb is not on a list when we get here.
893 * Returns 0 if the packet was a data packet and was successfully passed on.
894 * Returns 1 if the packet was not a good data packet and could not be
895 * forwarded. All such packets are passed up to userspace to deal with.
897 static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb,
898 int (*payload_hook)(struct sk_buff *skb))
900 struct l2tp_session *session = NULL;
901 unsigned char *ptr, *optr;
903 u32 tunnel_id, session_id;
907 /* UDP has verifed checksum */
909 /* UDP always verifies the packet length. */
910 __skb_pull(skb, sizeof(struct udphdr));
913 if (!pskb_may_pull(skb, L2TP_HDR_SIZE_MAX)) {
914 l2tp_info(tunnel, L2TP_MSG_DATA,
915 "%s: recv short packet (len=%d)\n",
916 tunnel->name, skb->len);
920 /* Trace packet contents, if enabled */
921 if (tunnel->debug & L2TP_MSG_DATA) {
922 length = min(32u, skb->len);
923 if (!pskb_may_pull(skb, length))
926 pr_debug("%s: recv\n", tunnel->name);
927 print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, skb->data, length);
930 /* Point to L2TP header */
931 optr = ptr = skb->data;
933 /* Get L2TP header flags */
934 hdrflags = ntohs(*(__be16 *) ptr);
936 /* Check protocol version */
937 version = hdrflags & L2TP_HDR_VER_MASK;
938 if (version != tunnel->version) {
939 l2tp_info(tunnel, L2TP_MSG_DATA,
940 "%s: recv protocol version mismatch: got %d expected %d\n",
941 tunnel->name, version, tunnel->version);
945 /* Get length of L2TP packet */
948 /* If type is control packet, it is handled by userspace. */
949 if (hdrflags & L2TP_HDRFLAG_T) {
950 l2tp_dbg(tunnel, L2TP_MSG_DATA,
951 "%s: recv control packet, len=%d\n",
952 tunnel->name, length);
959 if (tunnel->version == L2TP_HDR_VER_2) {
960 /* If length is present, skip it */
961 if (hdrflags & L2TP_HDRFLAG_L)
964 /* Extract tunnel and session ID */
965 tunnel_id = ntohs(*(__be16 *) ptr);
967 session_id = ntohs(*(__be16 *) ptr);
970 ptr += 2; /* skip reserved bits */
971 tunnel_id = tunnel->tunnel_id;
972 session_id = ntohl(*(__be32 *) ptr);
976 /* Find the session context */
977 session = l2tp_session_get(tunnel->l2tp_net, tunnel, session_id, true);
978 if (!session || !session->recv_skb) {
981 session->deref(session);
982 l2tp_session_dec_refcount(session);
985 /* Not found? Pass to userspace to deal with */
986 l2tp_info(tunnel, L2TP_MSG_DATA,
987 "%s: no session found (%u/%u). Passing up.\n",
988 tunnel->name, tunnel_id, session_id);
992 if (tunnel->version == L2TP_HDR_VER_3 &&
993 l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr))
996 l2tp_recv_common(session, skb, ptr, optr, hdrflags, length, payload_hook);
997 l2tp_session_dec_refcount(session);
1002 /* Put UDP header back */
1003 __skb_push(skb, sizeof(struct udphdr));
1008 /* UDP encapsulation receive handler. See net/ipv4/udp.c.
1012 * >0: skb should be passed up to userspace as UDP.
1014 int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
1016 struct l2tp_tunnel *tunnel;
1018 tunnel = l2tp_sock_to_tunnel(sk);
1022 l2tp_dbg(tunnel, L2TP_MSG_DATA, "%s: received %d bytes\n",
1023 tunnel->name, skb->len);
1025 if (l2tp_udp_recv_core(tunnel, skb, tunnel->recv_payload_hook))
1036 EXPORT_SYMBOL_GPL(l2tp_udp_encap_recv);
1038 /************************************************************************
1040 ***********************************************************************/
1042 /* Build an L2TP header for the session into the buffer provided.
1044 static int l2tp_build_l2tpv2_header(struct l2tp_session *session, void *buf)
1046 struct l2tp_tunnel *tunnel = session->tunnel;
1049 u16 flags = L2TP_HDR_VER_2;
1050 u32 tunnel_id = tunnel->peer_tunnel_id;
1051 u32 session_id = session->peer_session_id;
1053 if (session->send_seq)
1054 flags |= L2TP_HDRFLAG_S;
1056 /* Setup L2TP header. */
1057 *bufp++ = htons(flags);
1058 *bufp++ = htons(tunnel_id);
1059 *bufp++ = htons(session_id);
1060 if (session->send_seq) {
1061 *bufp++ = htons(session->ns);
1064 session->ns &= 0xffff;
1065 l2tp_dbg(session, L2TP_MSG_SEQ, "%s: updated ns to %u\n",
1066 session->name, session->ns);
1072 static int l2tp_build_l2tpv3_header(struct l2tp_session *session, void *buf)
1074 struct l2tp_tunnel *tunnel = session->tunnel;
1078 /* Setup L2TP header. The header differs slightly for UDP and
1079 * IP encapsulations. For UDP, there is 4 bytes of flags.
1081 if (tunnel->encap == L2TP_ENCAPTYPE_UDP) {
1082 u16 flags = L2TP_HDR_VER_3;
1083 *((__be16 *) bufp) = htons(flags);
1085 *((__be16 *) bufp) = 0;
1089 *((__be32 *) bufp) = htonl(session->peer_session_id);
1091 if (session->cookie_len) {
1092 memcpy(bufp, &session->cookie[0], session->cookie_len);
1093 bufp += session->cookie_len;
1095 if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
1098 if (session->send_seq) {
1099 l2h = 0x40000000 | session->ns;
1101 session->ns &= 0xffffff;
1102 l2tp_dbg(session, L2TP_MSG_SEQ,
1103 "%s: updated ns to %u\n",
1104 session->name, session->ns);
1107 *((__be32 *)bufp) = htonl(l2h);
1110 if (session->offset)
1111 bufp += session->offset;
1116 static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb,
1117 struct flowi *fl, size_t data_len)
1119 struct l2tp_tunnel *tunnel = session->tunnel;
1120 unsigned int len = skb->len;
1124 if (session->send_seq)
1125 l2tp_dbg(session, L2TP_MSG_DATA, "%s: send %Zd bytes, ns=%u\n",
1126 session->name, data_len, session->ns - 1);
1128 l2tp_dbg(session, L2TP_MSG_DATA, "%s: send %Zd bytes\n",
1129 session->name, data_len);
1131 if (session->debug & L2TP_MSG_DATA) {
1132 int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
1133 unsigned char *datap = skb->data + uhlen;
1135 pr_debug("%s: xmit\n", session->name);
1136 print_hex_dump_bytes("", DUMP_PREFIX_OFFSET,
1137 datap, min_t(size_t, 32, len - uhlen));
1140 /* Queue the packet to IP for output */
1143 #if IS_ENABLED(CONFIG_IPV6)
1144 if (tunnel->sock->sk_family == PF_INET6 && !tunnel->v4mapped)
1145 error = inet6_csk_xmit(tunnel->sock, skb, NULL);
1148 error = ip_queue_xmit(tunnel->sock, skb, fl);
1152 atomic_long_inc(&tunnel->stats.tx_packets);
1153 atomic_long_add(len, &tunnel->stats.tx_bytes);
1154 atomic_long_inc(&session->stats.tx_packets);
1155 atomic_long_add(len, &session->stats.tx_bytes);
1157 atomic_long_inc(&tunnel->stats.tx_errors);
1158 atomic_long_inc(&session->stats.tx_errors);
1164 /* If caller requires the skb to have a ppp header, the header must be
1165 * inserted in the skb data before calling this function.
1167 int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len)
1169 int data_len = skb->len;
1170 struct l2tp_tunnel *tunnel = session->tunnel;
1171 struct sock *sk = tunnel->sock;
1174 struct inet_sock *inet;
1176 int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
1178 int ret = NET_XMIT_SUCCESS;
1180 /* Check that there's enough headroom in the skb to insert IP,
1181 * UDP and L2TP headers. If not enough, expand it to
1182 * make room. Adjust truesize.
1184 headroom = NET_SKB_PAD + sizeof(struct iphdr) +
1186 if (skb_cow_head(skb, headroom)) {
1188 return NET_XMIT_DROP;
1191 /* Setup L2TP header */
1192 session->build_header(session, __skb_push(skb, hdr_len));
1194 /* Reset skb netfilter state */
1195 memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
1196 IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
1201 if (sock_owned_by_user(sk)) {
1203 ret = NET_XMIT_DROP;
1208 fl = &inet->cork.fl;
1209 switch (tunnel->encap) {
1210 case L2TP_ENCAPTYPE_UDP:
1211 /* Setup UDP header */
1212 __skb_push(skb, sizeof(*uh));
1213 skb_reset_transport_header(skb);
1215 uh->source = inet->inet_sport;
1216 uh->dest = inet->inet_dport;
1217 udp_len = uhlen + hdr_len + data_len;
1218 uh->len = htons(udp_len);
1220 /* Calculate UDP checksum if configured to do so */
1221 #if IS_ENABLED(CONFIG_IPV6)
1222 if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
1223 udp6_set_csum(udp_get_no_check6_tx(sk),
1224 skb, &inet6_sk(sk)->saddr,
1225 &sk->sk_v6_daddr, udp_len);
1228 udp_set_csum(sk->sk_no_check_tx, skb, inet->inet_saddr,
1229 inet->inet_daddr, udp_len);
1232 case L2TP_ENCAPTYPE_IP:
1236 l2tp_xmit_core(session, skb, fl, data_len);
1242 EXPORT_SYMBOL_GPL(l2tp_xmit_skb);
1244 /*****************************************************************************
1245 * Tinnel and session create/destroy.
1246 *****************************************************************************/
1248 /* Tunnel socket destruct hook.
1249 * The tunnel context is deleted only when all session sockets have been
1252 static void l2tp_tunnel_destruct(struct sock *sk)
1254 struct l2tp_tunnel *tunnel = l2tp_tunnel(sk);
1255 struct l2tp_net *pn;
1260 l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: closing...\n", tunnel->name);
1263 /* Disable udp encapsulation */
1264 switch (tunnel->encap) {
1265 case L2TP_ENCAPTYPE_UDP:
1266 /* No longer an encapsulation socket. See net/ipv4/udp.c */
1267 (udp_sk(sk))->encap_type = 0;
1268 (udp_sk(sk))->encap_rcv = NULL;
1269 (udp_sk(sk))->encap_destroy = NULL;
1271 case L2TP_ENCAPTYPE_IP:
1275 /* Remove hooks into tunnel socket */
1276 sk->sk_destruct = tunnel->old_sk_destruct;
1277 sk->sk_user_data = NULL;
1279 /* Remove the tunnel struct from the tunnel list */
1280 pn = l2tp_pernet(tunnel->l2tp_net);
1281 spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1282 list_del_rcu(&tunnel->list);
1283 spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1284 atomic_dec(&l2tp_tunnel_count);
1286 l2tp_tunnel_closeall(tunnel);
1288 tunnel->sock = NULL;
1289 l2tp_tunnel_dec_refcount(tunnel);
1291 /* Call the original destructor */
1292 if (sk->sk_destruct)
1293 (*sk->sk_destruct)(sk);
1298 /* When the tunnel is closed, all the attached sessions need to go too.
1300 void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel)
1303 struct hlist_node *walk;
1304 struct hlist_node *tmp;
1305 struct l2tp_session *session;
1307 BUG_ON(tunnel == NULL);
1309 l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: closing all sessions...\n",
1312 write_lock_bh(&tunnel->hlist_lock);
1313 tunnel->acpt_newsess = false;
1314 for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
1316 hlist_for_each_safe(walk, tmp, &tunnel->session_hlist[hash]) {
1317 session = hlist_entry(walk, struct l2tp_session, hlist);
1319 l2tp_info(session, L2TP_MSG_CONTROL,
1320 "%s: closing session\n", session->name);
1322 hlist_del_init(&session->hlist);
1324 if (test_and_set_bit(0, &session->dead))
1327 if (session->ref != NULL)
1328 (*session->ref)(session);
1330 write_unlock_bh(&tunnel->hlist_lock);
1332 __l2tp_session_unhash(session);
1333 l2tp_session_queue_purge(session);
1335 if (session->session_close != NULL)
1336 (*session->session_close)(session);
1338 if (session->deref != NULL)
1339 (*session->deref)(session);
1341 l2tp_session_dec_refcount(session);
1343 write_lock_bh(&tunnel->hlist_lock);
1345 /* Now restart from the beginning of this hash
1346 * chain. We always remove a session from the
1347 * list so we are guaranteed to make forward
1353 write_unlock_bh(&tunnel->hlist_lock);
1355 EXPORT_SYMBOL_GPL(l2tp_tunnel_closeall);
1357 /* Tunnel socket destroy hook for UDP encapsulation */
1358 static void l2tp_udp_encap_destroy(struct sock *sk)
1360 struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
1362 l2tp_tunnel_closeall(tunnel);
1367 /* Workqueue tunnel deletion function */
1368 static void l2tp_tunnel_del_work(struct work_struct *work)
1370 struct l2tp_tunnel *tunnel = NULL;
1371 struct socket *sock = NULL;
1372 struct sock *sk = NULL;
1374 tunnel = container_of(work, struct l2tp_tunnel, del_work);
1376 l2tp_tunnel_closeall(tunnel);
1378 sk = l2tp_tunnel_sock_lookup(tunnel);
1382 sock = sk->sk_socket;
1384 /* If the tunnel socket was created by userspace, then go through the
1385 * inet layer to shut the socket down, and let userspace close it.
1386 * Otherwise, if we created the socket directly within the kernel, use
1387 * the sk API to release it here.
1388 * In either case the tunnel resources are freed in the socket
1389 * destructor when the tunnel socket goes away.
1391 if (tunnel->fd >= 0) {
1393 inet_shutdown(sock, 2);
1396 kernel_sock_shutdown(sock, SHUT_RDWR);
1401 l2tp_tunnel_sock_put(sk);
1403 l2tp_tunnel_dec_refcount(tunnel);
1406 /* Create a socket for the tunnel, if one isn't set up by
1407 * userspace. This is used for static tunnels where there is no
1408 * managing L2TP daemon.
1410 * Since we don't want these sockets to keep a namespace alive by
1411 * themselves, we drop the socket's namespace refcount after creation.
1412 * These sockets are freed when the namespace exits using the pernet
1415 static int l2tp_tunnel_sock_create(struct net *net,
1418 struct l2tp_tunnel_cfg *cfg,
1419 struct socket **sockp)
1422 struct socket *sock = NULL;
1423 struct udp_port_cfg udp_conf;
1425 switch (cfg->encap) {
1426 case L2TP_ENCAPTYPE_UDP:
1427 memset(&udp_conf, 0, sizeof(udp_conf));
1429 #if IS_ENABLED(CONFIG_IPV6)
1430 if (cfg->local_ip6 && cfg->peer_ip6) {
1431 udp_conf.family = AF_INET6;
1432 memcpy(&udp_conf.local_ip6, cfg->local_ip6,
1433 sizeof(udp_conf.local_ip6));
1434 memcpy(&udp_conf.peer_ip6, cfg->peer_ip6,
1435 sizeof(udp_conf.peer_ip6));
1436 udp_conf.use_udp6_tx_checksums =
1437 cfg->udp6_zero_tx_checksums;
1438 udp_conf.use_udp6_rx_checksums =
1439 cfg->udp6_zero_rx_checksums;
1443 udp_conf.family = AF_INET;
1444 udp_conf.local_ip = cfg->local_ip;
1445 udp_conf.peer_ip = cfg->peer_ip;
1446 udp_conf.use_udp_checksums = cfg->use_udp_checksums;
1449 udp_conf.local_udp_port = htons(cfg->local_udp_port);
1450 udp_conf.peer_udp_port = htons(cfg->peer_udp_port);
1452 err = udp_sock_create(net, &udp_conf, &sock);
1458 case L2TP_ENCAPTYPE_IP:
1459 #if IS_ENABLED(CONFIG_IPV6)
1460 if (cfg->local_ip6 && cfg->peer_ip6) {
1461 struct sockaddr_l2tpip6 ip6_addr = {0};
1463 err = sock_create_kern(net, AF_INET6, SOCK_DGRAM,
1464 IPPROTO_L2TP, &sock);
1468 ip6_addr.l2tp_family = AF_INET6;
1469 memcpy(&ip6_addr.l2tp_addr, cfg->local_ip6,
1470 sizeof(ip6_addr.l2tp_addr));
1471 ip6_addr.l2tp_conn_id = tunnel_id;
1472 err = kernel_bind(sock, (struct sockaddr *) &ip6_addr,
1477 ip6_addr.l2tp_family = AF_INET6;
1478 memcpy(&ip6_addr.l2tp_addr, cfg->peer_ip6,
1479 sizeof(ip6_addr.l2tp_addr));
1480 ip6_addr.l2tp_conn_id = peer_tunnel_id;
1481 err = kernel_connect(sock,
1482 (struct sockaddr *) &ip6_addr,
1483 sizeof(ip6_addr), 0);
1489 struct sockaddr_l2tpip ip_addr = {0};
1491 err = sock_create_kern(net, AF_INET, SOCK_DGRAM,
1492 IPPROTO_L2TP, &sock);
1496 ip_addr.l2tp_family = AF_INET;
1497 ip_addr.l2tp_addr = cfg->local_ip;
1498 ip_addr.l2tp_conn_id = tunnel_id;
1499 err = kernel_bind(sock, (struct sockaddr *) &ip_addr,
1504 ip_addr.l2tp_family = AF_INET;
1505 ip_addr.l2tp_addr = cfg->peer_ip;
1506 ip_addr.l2tp_conn_id = peer_tunnel_id;
1507 err = kernel_connect(sock, (struct sockaddr *) &ip_addr,
1508 sizeof(ip_addr), 0);
1520 if ((err < 0) && sock) {
1521 kernel_sock_shutdown(sock, SHUT_RDWR);
1529 static struct lock_class_key l2tp_socket_class;
1531 int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp)
1533 struct l2tp_tunnel *tunnel = NULL;
1535 struct socket *sock = NULL;
1536 struct sock *sk = NULL;
1537 struct l2tp_net *pn;
1538 enum l2tp_encap_type encap = L2TP_ENCAPTYPE_UDP;
1540 /* Get the tunnel socket from the fd, which was opened by
1541 * the userspace L2TP daemon. If not specified, create a
1545 err = l2tp_tunnel_sock_create(net, tunnel_id, peer_tunnel_id,
1550 sock = sockfd_lookup(fd, &err);
1552 pr_err("tunl %u: sockfd_lookup(fd=%d) returned %d\n",
1553 tunnel_id, fd, err);
1558 /* Reject namespace mismatches */
1559 if (!net_eq(sock_net(sock->sk), net)) {
1560 pr_err("tunl %u: netns mismatch\n", tunnel_id);
1571 /* Quick sanity checks */
1572 err = -EPROTONOSUPPORT;
1573 if (sk->sk_type != SOCK_DGRAM) {
1574 pr_debug("tunl %hu: fd %d wrong socket type\n",
1578 if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)
1581 case L2TP_ENCAPTYPE_UDP:
1582 if (sk->sk_protocol != IPPROTO_UDP) {
1583 pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
1584 tunnel_id, fd, sk->sk_protocol, IPPROTO_UDP);
1588 case L2TP_ENCAPTYPE_IP:
1589 if (sk->sk_protocol != IPPROTO_L2TP) {
1590 pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
1591 tunnel_id, fd, sk->sk_protocol, IPPROTO_L2TP);
1597 /* Check if this socket has already been prepped */
1598 tunnel = l2tp_tunnel(sk);
1599 if (tunnel != NULL) {
1600 /* This socket has already been prepped */
1605 tunnel = kzalloc(sizeof(struct l2tp_tunnel), GFP_KERNEL);
1606 if (tunnel == NULL) {
1611 tunnel->version = version;
1612 tunnel->tunnel_id = tunnel_id;
1613 tunnel->peer_tunnel_id = peer_tunnel_id;
1614 tunnel->debug = L2TP_DEFAULT_DEBUG_FLAGS;
1616 tunnel->magic = L2TP_TUNNEL_MAGIC;
1617 sprintf(&tunnel->name[0], "tunl %u", tunnel_id);
1618 rwlock_init(&tunnel->hlist_lock);
1619 tunnel->acpt_newsess = true;
1621 /* The net we belong to */
1622 tunnel->l2tp_net = net;
1623 pn = l2tp_pernet(net);
1626 tunnel->debug = cfg->debug;
1628 #if IS_ENABLED(CONFIG_IPV6)
1629 if (sk->sk_family == PF_INET6) {
1630 struct ipv6_pinfo *np = inet6_sk(sk);
1632 if (ipv6_addr_v4mapped(&np->saddr) &&
1633 ipv6_addr_v4mapped(&sk->sk_v6_daddr)) {
1634 struct inet_sock *inet = inet_sk(sk);
1636 tunnel->v4mapped = true;
1637 inet->inet_saddr = np->saddr.s6_addr32[3];
1638 inet->inet_rcv_saddr = sk->sk_v6_rcv_saddr.s6_addr32[3];
1639 inet->inet_daddr = sk->sk_v6_daddr.s6_addr32[3];
1641 tunnel->v4mapped = false;
1646 /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
1647 tunnel->encap = encap;
1648 if (encap == L2TP_ENCAPTYPE_UDP) {
1649 struct udp_tunnel_sock_cfg udp_cfg = { };
1651 udp_cfg.sk_user_data = tunnel;
1652 udp_cfg.encap_type = UDP_ENCAP_L2TPINUDP;
1653 udp_cfg.encap_rcv = l2tp_udp_encap_recv;
1654 udp_cfg.encap_destroy = l2tp_udp_encap_destroy;
1656 setup_udp_tunnel_sock(net, sock, &udp_cfg);
1658 sk->sk_user_data = tunnel;
1661 /* Hook on the tunnel socket destructor so that we can cleanup
1662 * if the tunnel socket goes away.
1664 tunnel->old_sk_destruct = sk->sk_destruct;
1665 sk->sk_destruct = &l2tp_tunnel_destruct;
1668 lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class, "l2tp_sock");
1670 sk->sk_allocation = GFP_ATOMIC;
1672 /* Init delete workqueue struct */
1673 INIT_WORK(&tunnel->del_work, l2tp_tunnel_del_work);
1675 /* Add tunnel to our list */
1676 INIT_LIST_HEAD(&tunnel->list);
1677 atomic_inc(&l2tp_tunnel_count);
1679 /* Bump the reference count. The tunnel context is deleted
1680 * only when this drops to zero. Must be done before list insertion
1682 l2tp_tunnel_inc_refcount(tunnel);
1683 spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1684 list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);
1685 spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1692 /* If tunnel's socket was created by the kernel, it doesn't
1695 if (sock && sock->file)
1700 EXPORT_SYMBOL_GPL(l2tp_tunnel_create);
1702 /* This function is used by the netlink TUNNEL_DELETE command.
1704 void l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
1706 if (!test_and_set_bit(0, &tunnel->dead)) {
1707 l2tp_tunnel_inc_refcount(tunnel);
1708 queue_work(l2tp_wq, &tunnel->del_work);
1711 EXPORT_SYMBOL_GPL(l2tp_tunnel_delete);
1713 /* Really kill the session.
1715 void l2tp_session_free(struct l2tp_session *session)
1717 struct l2tp_tunnel *tunnel = session->tunnel;
1719 BUG_ON(atomic_read(&session->ref_count) != 0);
1722 BUG_ON(tunnel->magic != L2TP_TUNNEL_MAGIC);
1723 if (session->session_id != 0)
1724 atomic_dec(&l2tp_session_count);
1725 sock_put(tunnel->sock);
1726 session->tunnel = NULL;
1727 l2tp_tunnel_dec_refcount(tunnel);
1732 EXPORT_SYMBOL_GPL(l2tp_session_free);
1734 /* Remove an l2tp session from l2tp_core's hash lists.
1735 * Provides a tidyup interface for pseudowire code which can't just route all
1736 * shutdown via. l2tp_session_delete and a pseudowire-specific session_close
1739 void __l2tp_session_unhash(struct l2tp_session *session)
1741 struct l2tp_tunnel *tunnel = session->tunnel;
1743 /* Remove the session from core hashes */
1745 /* Remove from the per-tunnel hash */
1746 write_lock_bh(&tunnel->hlist_lock);
1747 hlist_del_init(&session->hlist);
1748 write_unlock_bh(&tunnel->hlist_lock);
1750 /* For L2TPv3 we have a per-net hash: remove from there, too */
1751 if (tunnel->version != L2TP_HDR_VER_2) {
1752 struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
1753 spin_lock_bh(&pn->l2tp_session_hlist_lock);
1754 hlist_del_init_rcu(&session->global_hlist);
1755 spin_unlock_bh(&pn->l2tp_session_hlist_lock);
1760 EXPORT_SYMBOL_GPL(__l2tp_session_unhash);
1762 /* This function is used by the netlink SESSION_DELETE command and by
1765 int l2tp_session_delete(struct l2tp_session *session)
1767 if (test_and_set_bit(0, &session->dead))
1771 (*session->ref)(session);
1772 __l2tp_session_unhash(session);
1773 l2tp_session_queue_purge(session);
1774 if (session->session_close != NULL)
1775 (*session->session_close)(session);
1777 (*session->deref)(session);
1778 l2tp_session_dec_refcount(session);
1781 EXPORT_SYMBOL_GPL(l2tp_session_delete);
1783 /* We come here whenever a session's send_seq, cookie_len or
1784 * l2specific_type parameters are set.
1786 void l2tp_session_set_header_len(struct l2tp_session *session, int version)
1788 if (version == L2TP_HDR_VER_2) {
1789 session->hdr_len = 6;
1790 if (session->send_seq)
1791 session->hdr_len += 4;
1793 session->hdr_len = 4 + session->cookie_len + session->offset;
1794 session->hdr_len += l2tp_get_l2specific_len(session);
1795 if (session->tunnel->encap == L2TP_ENCAPTYPE_UDP)
1796 session->hdr_len += 4;
1800 EXPORT_SYMBOL_GPL(l2tp_session_set_header_len);
1802 struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg)
1804 struct l2tp_session *session;
1806 session = kzalloc(sizeof(struct l2tp_session) + priv_size, GFP_KERNEL);
1807 if (session != NULL) {
1808 session->magic = L2TP_SESSION_MAGIC;
1809 session->tunnel = tunnel;
1811 session->session_id = session_id;
1812 session->peer_session_id = peer_session_id;
1814 if (tunnel->version == L2TP_HDR_VER_2)
1815 session->nr_max = 0xffff;
1817 session->nr_max = 0xffffff;
1818 session->nr_window_size = session->nr_max / 2;
1819 session->nr_oos_count_max = 4;
1821 /* Use NR of first received packet */
1822 session->reorder_skip = 1;
1824 sprintf(&session->name[0], "sess %u/%u",
1825 tunnel->tunnel_id, session->session_id);
1827 skb_queue_head_init(&session->reorder_q);
1829 INIT_HLIST_NODE(&session->hlist);
1830 INIT_HLIST_NODE(&session->global_hlist);
1832 /* Inherit debug options from tunnel */
1833 session->debug = tunnel->debug;
1836 session->pwtype = cfg->pw_type;
1837 session->debug = cfg->debug;
1838 session->mtu = cfg->mtu;
1839 session->mru = cfg->mru;
1840 session->send_seq = cfg->send_seq;
1841 session->recv_seq = cfg->recv_seq;
1842 session->lns_mode = cfg->lns_mode;
1843 session->reorder_timeout = cfg->reorder_timeout;
1844 session->offset = cfg->offset;
1845 session->l2specific_type = cfg->l2specific_type;
1846 session->l2specific_len = cfg->l2specific_len;
1847 session->cookie_len = cfg->cookie_len;
1848 memcpy(&session->cookie[0], &cfg->cookie[0], cfg->cookie_len);
1849 session->peer_cookie_len = cfg->peer_cookie_len;
1850 memcpy(&session->peer_cookie[0], &cfg->peer_cookie[0], cfg->peer_cookie_len);
1853 if (tunnel->version == L2TP_HDR_VER_2)
1854 session->build_header = l2tp_build_l2tpv2_header;
1856 session->build_header = l2tp_build_l2tpv3_header;
1858 l2tp_session_set_header_len(session, tunnel->version);
1860 l2tp_session_inc_refcount(session);
1865 return ERR_PTR(-ENOMEM);
1867 EXPORT_SYMBOL_GPL(l2tp_session_create);
1869 /*****************************************************************************
1871 *****************************************************************************/
1873 static __net_init int l2tp_init_net(struct net *net)
1875 struct l2tp_net *pn = net_generic(net, l2tp_net_id);
1878 INIT_LIST_HEAD(&pn->l2tp_tunnel_list);
1879 spin_lock_init(&pn->l2tp_tunnel_list_lock);
1881 for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++)
1882 INIT_HLIST_HEAD(&pn->l2tp_session_hlist[hash]);
1884 spin_lock_init(&pn->l2tp_session_hlist_lock);
1889 static __net_exit void l2tp_exit_net(struct net *net)
1891 struct l2tp_net *pn = l2tp_pernet(net);
1892 struct l2tp_tunnel *tunnel = NULL;
1895 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
1896 l2tp_tunnel_delete(tunnel);
1898 rcu_read_unlock_bh();
1900 flush_workqueue(l2tp_wq);
1904 static struct pernet_operations l2tp_net_ops = {
1905 .init = l2tp_init_net,
1906 .exit = l2tp_exit_net,
1908 .size = sizeof(struct l2tp_net),
1911 static int __init l2tp_init(void)
1915 rc = register_pernet_device(&l2tp_net_ops);
1919 l2tp_wq = alloc_workqueue("l2tp", WQ_UNBOUND, 0);
1921 pr_err("alloc_workqueue failed\n");
1922 unregister_pernet_device(&l2tp_net_ops);
1927 pr_info("L2TP core driver, %s\n", L2TP_DRV_VERSION);
1933 static void __exit l2tp_exit(void)
1935 unregister_pernet_device(&l2tp_net_ops);
1937 destroy_workqueue(l2tp_wq);
1942 module_init(l2tp_init);
1943 module_exit(l2tp_exit);
1945 MODULE_AUTHOR("James Chapman <jchapman@katalix.com>");
1946 MODULE_DESCRIPTION("L2TP core");
1947 MODULE_LICENSE("GPL");
1948 MODULE_VERSION(L2TP_DRV_VERSION);