4 * Copyright (c) 2008,2009,2010 Katalix Systems Ltd
6 * This file contains some code of the original L2TPv2 pppol2tp
7 * driver, which has the following copyright:
9 * Authors: Martijn van Oosterhout <kleptog@svana.org>
10 * James Chapman (jchapman@katalix.com)
12 * Michal Ostrowski <mostrows@speakeasy.net>
13 * Arnaldo Carvalho de Melo <acme@xconectiva.com.br>
14 * David S. Miller (davem@redhat.com)
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License version 2 as
18 * published by the Free Software Foundation.
21 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
23 #include <linux/module.h>
24 #include <linux/string.h>
25 #include <linux/list.h>
26 #include <linux/rculist.h>
27 #include <linux/uaccess.h>
29 #include <linux/kernel.h>
30 #include <linux/spinlock.h>
31 #include <linux/kthread.h>
32 #include <linux/sched.h>
33 #include <linux/slab.h>
34 #include <linux/errno.h>
35 #include <linux/jiffies.h>
37 #include <linux/netdevice.h>
38 #include <linux/net.h>
39 #include <linux/inetdevice.h>
40 #include <linux/skbuff.h>
41 #include <linux/init.h>
44 #include <linux/udp.h>
45 #include <linux/l2tp.h>
46 #include <linux/hash.h>
47 #include <linux/sort.h>
48 #include <linux/file.h>
49 #include <linux/nsproxy.h>
50 #include <net/net_namespace.h>
51 #include <net/netns/generic.h>
55 #include <net/udp_tunnel.h>
56 #include <net/inet_common.h>
58 #include <net/protocol.h>
59 #include <net/inet6_connection_sock.h>
60 #include <net/inet_ecn.h>
61 #include <net/ip6_route.h>
62 #include <net/ip6_checksum.h>
64 #include <asm/byteorder.h>
65 #include <linux/atomic.h>
67 #include "l2tp_core.h"
69 #define L2TP_DRV_VERSION "V2.0"
71 /* L2TP header constants */
72 #define L2TP_HDRFLAG_T 0x8000
73 #define L2TP_HDRFLAG_L 0x4000
74 #define L2TP_HDRFLAG_S 0x0800
75 #define L2TP_HDRFLAG_O 0x0200
76 #define L2TP_HDRFLAG_P 0x0100
78 #define L2TP_HDR_VER_MASK 0x000F
79 #define L2TP_HDR_VER_2 0x0002
80 #define L2TP_HDR_VER_3 0x0003
82 /* L2TPv3 default L2-specific sublayer */
83 #define L2TP_SLFLAG_S 0x40000000
84 #define L2TP_SL_SEQ_MASK 0x00ffffff
86 #define L2TP_HDR_SIZE_MAX 14
88 /* Default trace flags */
89 #define L2TP_DEFAULT_DEBUG_FLAGS 0
91 /* Private data stored for received packets in the skb.
97 unsigned long expires;
100 #define L2TP_SKB_CB(skb) ((struct l2tp_skb_cb *) &skb->cb[sizeof(struct inet_skb_parm)])
102 static atomic_t l2tp_tunnel_count;
103 static atomic_t l2tp_session_count;
104 static struct workqueue_struct *l2tp_wq;
106 /* per-net private data for this module */
107 static unsigned int l2tp_net_id;
109 struct list_head l2tp_tunnel_list;
110 spinlock_t l2tp_tunnel_list_lock;
111 struct hlist_head l2tp_session_hlist[L2TP_HASH_SIZE_2];
112 spinlock_t l2tp_session_hlist_lock;
116 static inline struct l2tp_tunnel *l2tp_tunnel(struct sock *sk)
118 return sk->sk_user_data;
121 static inline struct l2tp_net *l2tp_pernet(const struct net *net)
125 return net_generic(net, l2tp_net_id);
128 /* Session hash global list for L2TPv3.
129 * The session_id SHOULD be random according to RFC3931, but several
130 * L2TP implementations use incrementing session_ids. So we do a real
131 * hash on the session_id, rather than a simple bitmask.
133 static inline struct hlist_head *
134 l2tp_session_id_hash_2(struct l2tp_net *pn, u32 session_id)
136 return &pn->l2tp_session_hlist[hash_32(session_id, L2TP_HASH_BITS_2)];
140 /* Lookup the tunnel socket, possibly involving the fs code if the socket is
141 * owned by userspace. A struct sock returned from this function must be
142 * released using l2tp_tunnel_sock_put once you're done with it.
144 static struct sock *l2tp_tunnel_sock_lookup(struct l2tp_tunnel *tunnel)
147 struct socket *sock = NULL;
148 struct sock *sk = NULL;
153 if (tunnel->fd >= 0) {
154 /* Socket is owned by userspace, who might be in the process
155 * of closing it. Look the socket up using the fd to ensure
158 sock = sockfd_lookup(tunnel->fd, &err);
162 /* Socket is owned by kernelspace */
171 /* Drop a reference to a tunnel socket obtained via. l2tp_tunnel_sock_put */
172 static void l2tp_tunnel_sock_put(struct sock *sk)
174 struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
176 if (tunnel->fd >= 0) {
177 /* Socket is owned by userspace */
178 sockfd_put(sk->sk_socket);
185 /* Session hash list.
186 * The session_id SHOULD be random according to RFC2661, but several
187 * L2TP implementations (Cisco and Microsoft) use incrementing
188 * session_ids. So we do a real hash on the session_id, rather than a
191 static inline struct hlist_head *
192 l2tp_session_id_hash(struct l2tp_tunnel *tunnel, u32 session_id)
194 return &tunnel->session_hlist[hash_32(session_id, L2TP_HASH_BITS)];
197 /* Lookup a tunnel. A new reference is held on the returned tunnel. */
198 struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id)
200 const struct l2tp_net *pn = l2tp_pernet(net);
201 struct l2tp_tunnel *tunnel;
204 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
205 if (tunnel->tunnel_id == tunnel_id) {
206 l2tp_tunnel_inc_refcount(tunnel);
207 rcu_read_unlock_bh();
212 rcu_read_unlock_bh();
216 EXPORT_SYMBOL_GPL(l2tp_tunnel_get);
218 /* Lookup a session. A new reference is held on the returned session.
219 * Optionally calls session->ref() too if do_ref is true.
221 struct l2tp_session *l2tp_session_get(const struct net *net,
222 struct l2tp_tunnel *tunnel,
223 u32 session_id, bool do_ref)
225 struct hlist_head *session_list;
226 struct l2tp_session *session;
229 struct l2tp_net *pn = l2tp_pernet(net);
231 session_list = l2tp_session_id_hash_2(pn, session_id);
234 hlist_for_each_entry_rcu(session, session_list, global_hlist) {
235 if (session->session_id == session_id) {
236 l2tp_session_inc_refcount(session);
237 if (do_ref && session->ref)
238 session->ref(session);
239 rcu_read_unlock_bh();
244 rcu_read_unlock_bh();
249 session_list = l2tp_session_id_hash(tunnel, session_id);
250 read_lock_bh(&tunnel->hlist_lock);
251 hlist_for_each_entry(session, session_list, hlist) {
252 if (session->session_id == session_id) {
253 l2tp_session_inc_refcount(session);
254 if (do_ref && session->ref)
255 session->ref(session);
256 read_unlock_bh(&tunnel->hlist_lock);
261 read_unlock_bh(&tunnel->hlist_lock);
265 EXPORT_SYMBOL_GPL(l2tp_session_get);
267 struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth,
271 struct l2tp_session *session;
274 read_lock_bh(&tunnel->hlist_lock);
275 for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
276 hlist_for_each_entry(session, &tunnel->session_hlist[hash], hlist) {
278 l2tp_session_inc_refcount(session);
279 if (do_ref && session->ref)
280 session->ref(session);
281 read_unlock_bh(&tunnel->hlist_lock);
287 read_unlock_bh(&tunnel->hlist_lock);
291 EXPORT_SYMBOL_GPL(l2tp_session_get_nth);
293 /* Lookup a session by interface name.
294 * This is very inefficient but is only used by management interfaces.
296 struct l2tp_session *l2tp_session_get_by_ifname(const struct net *net,
300 struct l2tp_net *pn = l2tp_pernet(net);
302 struct l2tp_session *session;
305 for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++) {
306 hlist_for_each_entry_rcu(session, &pn->l2tp_session_hlist[hash], global_hlist) {
307 if (!strcmp(session->ifname, ifname)) {
308 l2tp_session_inc_refcount(session);
309 if (do_ref && session->ref)
310 session->ref(session);
311 rcu_read_unlock_bh();
318 rcu_read_unlock_bh();
322 EXPORT_SYMBOL_GPL(l2tp_session_get_by_ifname);
324 int l2tp_session_register(struct l2tp_session *session,
325 struct l2tp_tunnel *tunnel)
327 struct l2tp_session *session_walk;
328 struct hlist_head *g_head;
329 struct hlist_head *head;
333 head = l2tp_session_id_hash(tunnel, session->session_id);
335 write_lock_bh(&tunnel->hlist_lock);
336 if (!tunnel->acpt_newsess) {
341 hlist_for_each_entry(session_walk, head, hlist)
342 if (session_walk->session_id == session->session_id) {
347 if (tunnel->version == L2TP_HDR_VER_3) {
348 pn = l2tp_pernet(tunnel->l2tp_net);
349 g_head = l2tp_session_id_hash_2(l2tp_pernet(tunnel->l2tp_net),
350 session->session_id);
352 spin_lock_bh(&pn->l2tp_session_hlist_lock);
354 /* IP encap expects session IDs to be globally unique, while
357 hlist_for_each_entry(session_walk, g_head, global_hlist)
358 if (session_walk->session_id == session->session_id &&
359 (session_walk->tunnel->encap == L2TP_ENCAPTYPE_IP ||
360 tunnel->encap == L2TP_ENCAPTYPE_IP)) {
362 goto err_tlock_pnlock;
365 l2tp_tunnel_inc_refcount(tunnel);
366 sock_hold(tunnel->sock);
367 hlist_add_head_rcu(&session->global_hlist, g_head);
369 spin_unlock_bh(&pn->l2tp_session_hlist_lock);
371 l2tp_tunnel_inc_refcount(tunnel);
372 sock_hold(tunnel->sock);
375 hlist_add_head(&session->hlist, head);
376 write_unlock_bh(&tunnel->hlist_lock);
378 /* Ignore management session in session count value */
379 if (session->session_id != 0)
380 atomic_inc(&l2tp_session_count);
385 spin_unlock_bh(&pn->l2tp_session_hlist_lock);
387 write_unlock_bh(&tunnel->hlist_lock);
391 EXPORT_SYMBOL_GPL(l2tp_session_register);
393 /* Lookup a tunnel by id
395 struct l2tp_tunnel *l2tp_tunnel_find(const struct net *net, u32 tunnel_id)
397 struct l2tp_tunnel *tunnel;
398 struct l2tp_net *pn = l2tp_pernet(net);
401 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
402 if (tunnel->tunnel_id == tunnel_id) {
403 rcu_read_unlock_bh();
407 rcu_read_unlock_bh();
411 EXPORT_SYMBOL_GPL(l2tp_tunnel_find);
413 struct l2tp_tunnel *l2tp_tunnel_find_nth(const struct net *net, int nth)
415 struct l2tp_net *pn = l2tp_pernet(net);
416 struct l2tp_tunnel *tunnel;
420 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
422 rcu_read_unlock_bh();
427 rcu_read_unlock_bh();
431 EXPORT_SYMBOL_GPL(l2tp_tunnel_find_nth);
433 /*****************************************************************************
434 * Receive data handling
435 *****************************************************************************/
437 /* Queue a skb in order. We come here only if the skb has an L2TP sequence
440 static void l2tp_recv_queue_skb(struct l2tp_session *session, struct sk_buff *skb)
442 struct sk_buff *skbp;
444 u32 ns = L2TP_SKB_CB(skb)->ns;
446 spin_lock_bh(&session->reorder_q.lock);
447 skb_queue_walk_safe(&session->reorder_q, skbp, tmp) {
448 if (L2TP_SKB_CB(skbp)->ns > ns) {
449 __skb_queue_before(&session->reorder_q, skbp, skb);
450 l2tp_dbg(session, L2TP_MSG_SEQ,
451 "%s: pkt %hu, inserted before %hu, reorder_q len=%d\n",
452 session->name, ns, L2TP_SKB_CB(skbp)->ns,
453 skb_queue_len(&session->reorder_q));
454 atomic_long_inc(&session->stats.rx_oos_packets);
459 __skb_queue_tail(&session->reorder_q, skb);
462 spin_unlock_bh(&session->reorder_q.lock);
465 /* Dequeue a single skb.
467 static void l2tp_recv_dequeue_skb(struct l2tp_session *session, struct sk_buff *skb)
469 struct l2tp_tunnel *tunnel = session->tunnel;
470 int length = L2TP_SKB_CB(skb)->length;
472 /* We're about to requeue the skb, so return resources
473 * to its current owner (a socket receive buffer).
477 atomic_long_inc(&tunnel->stats.rx_packets);
478 atomic_long_add(length, &tunnel->stats.rx_bytes);
479 atomic_long_inc(&session->stats.rx_packets);
480 atomic_long_add(length, &session->stats.rx_bytes);
482 if (L2TP_SKB_CB(skb)->has_seq) {
485 session->nr &= session->nr_max;
487 l2tp_dbg(session, L2TP_MSG_SEQ, "%s: updated nr to %hu\n",
488 session->name, session->nr);
491 /* call private receive handler */
492 if (session->recv_skb != NULL)
493 (*session->recv_skb)(session, skb, L2TP_SKB_CB(skb)->length);
498 (*session->deref)(session);
501 /* Dequeue skbs from the session's reorder_q, subject to packet order.
502 * Skbs that have been in the queue for too long are simply discarded.
504 static void l2tp_recv_dequeue(struct l2tp_session *session)
509 /* If the pkt at the head of the queue has the nr that we
510 * expect to send up next, dequeue it and any other
511 * in-sequence packets behind it.
514 spin_lock_bh(&session->reorder_q.lock);
515 skb_queue_walk_safe(&session->reorder_q, skb, tmp) {
516 if (time_after(jiffies, L2TP_SKB_CB(skb)->expires)) {
517 atomic_long_inc(&session->stats.rx_seq_discards);
518 atomic_long_inc(&session->stats.rx_errors);
519 l2tp_dbg(session, L2TP_MSG_SEQ,
520 "%s: oos pkt %u len %d discarded (too old), waiting for %u, reorder_q_len=%d\n",
521 session->name, L2TP_SKB_CB(skb)->ns,
522 L2TP_SKB_CB(skb)->length, session->nr,
523 skb_queue_len(&session->reorder_q));
524 session->reorder_skip = 1;
525 __skb_unlink(skb, &session->reorder_q);
528 (*session->deref)(session);
532 if (L2TP_SKB_CB(skb)->has_seq) {
533 if (session->reorder_skip) {
534 l2tp_dbg(session, L2TP_MSG_SEQ,
535 "%s: advancing nr to next pkt: %u -> %u",
536 session->name, session->nr,
537 L2TP_SKB_CB(skb)->ns);
538 session->reorder_skip = 0;
539 session->nr = L2TP_SKB_CB(skb)->ns;
541 if (L2TP_SKB_CB(skb)->ns != session->nr) {
542 l2tp_dbg(session, L2TP_MSG_SEQ,
543 "%s: holding oos pkt %u len %d, waiting for %u, reorder_q_len=%d\n",
544 session->name, L2TP_SKB_CB(skb)->ns,
545 L2TP_SKB_CB(skb)->length, session->nr,
546 skb_queue_len(&session->reorder_q));
550 __skb_unlink(skb, &session->reorder_q);
552 /* Process the skb. We release the queue lock while we
553 * do so to let other contexts process the queue.
555 spin_unlock_bh(&session->reorder_q.lock);
556 l2tp_recv_dequeue_skb(session, skb);
561 spin_unlock_bh(&session->reorder_q.lock);
564 static int l2tp_seq_check_rx_window(struct l2tp_session *session, u32 nr)
568 if (nr >= session->nr)
569 nws = nr - session->nr;
571 nws = (session->nr_max + 1) - (session->nr - nr);
573 return nws < session->nr_window_size;
576 /* If packet has sequence numbers, queue it if acceptable. Returns 0 if
577 * acceptable, else non-zero.
579 static int l2tp_recv_data_seq(struct l2tp_session *session, struct sk_buff *skb)
581 if (!l2tp_seq_check_rx_window(session, L2TP_SKB_CB(skb)->ns)) {
582 /* Packet sequence number is outside allowed window.
585 l2tp_dbg(session, L2TP_MSG_SEQ,
586 "%s: pkt %u len %d discarded, outside window, nr=%u\n",
587 session->name, L2TP_SKB_CB(skb)->ns,
588 L2TP_SKB_CB(skb)->length, session->nr);
592 if (session->reorder_timeout != 0) {
593 /* Packet reordering enabled. Add skb to session's
594 * reorder queue, in order of ns.
596 l2tp_recv_queue_skb(session, skb);
600 /* Packet reordering disabled. Discard out-of-sequence packets, while
601 * tracking the number if in-sequence packets after the first OOS packet
602 * is seen. After nr_oos_count_max in-sequence packets, reset the
603 * sequence number to re-enable packet reception.
605 if (L2TP_SKB_CB(skb)->ns == session->nr) {
606 skb_queue_tail(&session->reorder_q, skb);
608 u32 nr_oos = L2TP_SKB_CB(skb)->ns;
609 u32 nr_next = (session->nr_oos + 1) & session->nr_max;
611 if (nr_oos == nr_next)
612 session->nr_oos_count++;
614 session->nr_oos_count = 0;
616 session->nr_oos = nr_oos;
617 if (session->nr_oos_count > session->nr_oos_count_max) {
618 session->reorder_skip = 1;
619 l2tp_dbg(session, L2TP_MSG_SEQ,
620 "%s: %d oos packets received. Resetting sequence numbers\n",
621 session->name, session->nr_oos_count);
623 if (!session->reorder_skip) {
624 atomic_long_inc(&session->stats.rx_seq_discards);
625 l2tp_dbg(session, L2TP_MSG_SEQ,
626 "%s: oos pkt %u len %d discarded, waiting for %u, reorder_q_len=%d\n",
627 session->name, L2TP_SKB_CB(skb)->ns,
628 L2TP_SKB_CB(skb)->length, session->nr,
629 skb_queue_len(&session->reorder_q));
632 skb_queue_tail(&session->reorder_q, skb);
642 /* Do receive processing of L2TP data frames. We handle both L2TPv2
643 * and L2TPv3 data frames here.
645 * L2TPv2 Data Message Header
648 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
649 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
650 * |T|L|x|x|S|x|O|P|x|x|x|x| Ver | Length (opt) |
651 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
652 * | Tunnel ID | Session ID |
653 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
654 * | Ns (opt) | Nr (opt) |
655 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
656 * | Offset Size (opt) | Offset pad... (opt)
657 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
659 * Data frames are marked by T=0. All other fields are the same as
660 * those in L2TP control frames.
662 * L2TPv3 Data Message Header
664 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
665 * | L2TP Session Header |
666 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
667 * | L2-Specific Sublayer |
668 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
669 * | Tunnel Payload ...
670 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
672 * L2TPv3 Session Header Over IP
675 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
676 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
678 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
679 * | Cookie (optional, maximum 64 bits)...
680 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
682 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
684 * L2TPv3 L2-Specific Sublayer Format
687 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
688 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
689 * |x|S|x|x|x|x|x|x| Sequence Number |
690 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
692 * Cookie value, sublayer format and offset (pad) are negotiated with
693 * the peer when the session is set up. Unlike L2TPv2, we do not need
694 * to parse the packet header to determine if optional fields are
697 * Caller must already have parsed the frame and determined that it is
698 * a data (not control) frame before coming here. Fields up to the
699 * session-id have already been parsed and ptr points to the data
700 * after the session-id.
702 * session->ref() must have been called prior to l2tp_recv_common().
703 * session->deref() will be called automatically after skb is processed.
705 void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
706 unsigned char *ptr, unsigned char *optr, u16 hdrflags,
707 int length, int (*payload_hook)(struct sk_buff *skb))
709 struct l2tp_tunnel *tunnel = session->tunnel;
713 /* Parse and check optional cookie */
714 if (session->peer_cookie_len > 0) {
715 if (memcmp(ptr, &session->peer_cookie[0], session->peer_cookie_len)) {
716 l2tp_info(tunnel, L2TP_MSG_DATA,
717 "%s: cookie mismatch (%u/%u). Discarding.\n",
718 tunnel->name, tunnel->tunnel_id,
719 session->session_id);
720 atomic_long_inc(&session->stats.rx_cookie_discards);
723 ptr += session->peer_cookie_len;
726 /* Handle the optional sequence numbers. Sequence numbers are
727 * in different places for L2TPv2 and L2TPv3.
729 * If we are the LAC, enable/disable sequence numbers under
730 * the control of the LNS. If no sequence numbers present but
731 * we were expecting them, discard frame.
734 L2TP_SKB_CB(skb)->has_seq = 0;
735 if (tunnel->version == L2TP_HDR_VER_2) {
736 if (hdrflags & L2TP_HDRFLAG_S) {
737 ns = ntohs(*(__be16 *) ptr);
739 nr = ntohs(*(__be16 *) ptr);
742 /* Store L2TP info in the skb */
743 L2TP_SKB_CB(skb)->ns = ns;
744 L2TP_SKB_CB(skb)->has_seq = 1;
746 l2tp_dbg(session, L2TP_MSG_SEQ,
747 "%s: recv data ns=%u, nr=%u, session nr=%u\n",
748 session->name, ns, nr, session->nr);
750 } else if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
751 u32 l2h = ntohl(*(__be32 *) ptr);
753 if (l2h & 0x40000000) {
754 ns = l2h & 0x00ffffff;
756 /* Store L2TP info in the skb */
757 L2TP_SKB_CB(skb)->ns = ns;
758 L2TP_SKB_CB(skb)->has_seq = 1;
760 l2tp_dbg(session, L2TP_MSG_SEQ,
761 "%s: recv data ns=%u, session nr=%u\n",
762 session->name, ns, session->nr);
767 if (L2TP_SKB_CB(skb)->has_seq) {
768 /* Received a packet with sequence numbers. If we're the LNS,
769 * check if we sre sending sequence numbers and if not,
772 if ((!session->lns_mode) && (!session->send_seq)) {
773 l2tp_info(session, L2TP_MSG_SEQ,
774 "%s: requested to enable seq numbers by LNS\n",
776 session->send_seq = -1;
777 l2tp_session_set_header_len(session, tunnel->version);
780 /* No sequence numbers.
781 * If user has configured mandatory sequence numbers, discard.
783 if (session->recv_seq) {
784 l2tp_warn(session, L2TP_MSG_SEQ,
785 "%s: recv data has no seq numbers when required. Discarding.\n",
787 atomic_long_inc(&session->stats.rx_seq_discards);
791 /* If we're the LAC and we're sending sequence numbers, the
792 * LNS has requested that we no longer send sequence numbers.
793 * If we're the LNS and we're sending sequence numbers, the
794 * LAC is broken. Discard the frame.
796 if ((!session->lns_mode) && (session->send_seq)) {
797 l2tp_info(session, L2TP_MSG_SEQ,
798 "%s: requested to disable seq numbers by LNS\n",
800 session->send_seq = 0;
801 l2tp_session_set_header_len(session, tunnel->version);
802 } else if (session->send_seq) {
803 l2tp_warn(session, L2TP_MSG_SEQ,
804 "%s: recv data has no seq numbers when required. Discarding.\n",
806 atomic_long_inc(&session->stats.rx_seq_discards);
811 /* Session data offset is handled differently for L2TPv2 and
812 * L2TPv3. For L2TPv2, there is an optional 16-bit value in
813 * the header. For L2TPv3, the offset is negotiated using AVPs
814 * in the session setup control protocol.
816 if (tunnel->version == L2TP_HDR_VER_2) {
817 /* If offset bit set, skip it. */
818 if (hdrflags & L2TP_HDRFLAG_O) {
819 offset = ntohs(*(__be16 *)ptr);
823 ptr += session->offset;
826 if (!pskb_may_pull(skb, offset))
829 __skb_pull(skb, offset);
831 /* If caller wants to process the payload before we queue the
835 if ((*payload_hook)(skb))
838 /* Prepare skb for adding to the session's reorder_q. Hold
839 * packets for max reorder_timeout or 1 second if not
842 L2TP_SKB_CB(skb)->length = length;
843 L2TP_SKB_CB(skb)->expires = jiffies +
844 (session->reorder_timeout ? session->reorder_timeout : HZ);
846 /* Add packet to the session's receive queue. Reordering is done here, if
847 * enabled. Saved L2TP protocol info is stored in skb->sb[].
849 if (L2TP_SKB_CB(skb)->has_seq) {
850 if (l2tp_recv_data_seq(session, skb))
853 /* No sequence numbers. Add the skb to the tail of the
854 * reorder queue. This ensures that it will be
855 * delivered after all previous sequenced skbs.
857 skb_queue_tail(&session->reorder_q, skb);
860 /* Try to dequeue as many skbs from reorder_q as we can. */
861 l2tp_recv_dequeue(session);
866 atomic_long_inc(&session->stats.rx_errors);
870 (*session->deref)(session);
872 EXPORT_SYMBOL(l2tp_recv_common);
874 /* Drop skbs from the session's reorder_q
876 int l2tp_session_queue_purge(struct l2tp_session *session)
878 struct sk_buff *skb = NULL;
880 BUG_ON(session->magic != L2TP_SESSION_MAGIC);
881 while ((skb = skb_dequeue(&session->reorder_q))) {
882 atomic_long_inc(&session->stats.rx_errors);
885 (*session->deref)(session);
889 EXPORT_SYMBOL_GPL(l2tp_session_queue_purge);
891 /* Internal UDP receive frame. Do the real work of receiving an L2TP data frame
892 * here. The skb is not on a list when we get here.
893 * Returns 0 if the packet was a data packet and was successfully passed on.
894 * Returns 1 if the packet was not a good data packet and could not be
895 * forwarded. All such packets are passed up to userspace to deal with.
897 static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb,
898 int (*payload_hook)(struct sk_buff *skb))
900 struct l2tp_session *session = NULL;
901 unsigned char *ptr, *optr;
903 u32 tunnel_id, session_id;
907 /* UDP has verifed checksum */
909 /* UDP always verifies the packet length. */
910 __skb_pull(skb, sizeof(struct udphdr));
913 if (!pskb_may_pull(skb, L2TP_HDR_SIZE_MAX)) {
914 l2tp_info(tunnel, L2TP_MSG_DATA,
915 "%s: recv short packet (len=%d)\n",
916 tunnel->name, skb->len);
920 /* Trace packet contents, if enabled */
921 if (tunnel->debug & L2TP_MSG_DATA) {
922 length = min(32u, skb->len);
923 if (!pskb_may_pull(skb, length))
926 pr_debug("%s: recv\n", tunnel->name);
927 print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, skb->data, length);
930 /* Point to L2TP header */
931 optr = ptr = skb->data;
933 /* Get L2TP header flags */
934 hdrflags = ntohs(*(__be16 *) ptr);
936 /* Check protocol version */
937 version = hdrflags & L2TP_HDR_VER_MASK;
938 if (version != tunnel->version) {
939 l2tp_info(tunnel, L2TP_MSG_DATA,
940 "%s: recv protocol version mismatch: got %d expected %d\n",
941 tunnel->name, version, tunnel->version);
945 /* Get length of L2TP packet */
948 /* If type is control packet, it is handled by userspace. */
949 if (hdrflags & L2TP_HDRFLAG_T) {
950 l2tp_dbg(tunnel, L2TP_MSG_DATA,
951 "%s: recv control packet, len=%d\n",
952 tunnel->name, length);
959 if (tunnel->version == L2TP_HDR_VER_2) {
960 /* If length is present, skip it */
961 if (hdrflags & L2TP_HDRFLAG_L)
964 /* Extract tunnel and session ID */
965 tunnel_id = ntohs(*(__be16 *) ptr);
967 session_id = ntohs(*(__be16 *) ptr);
970 ptr += 2; /* skip reserved bits */
971 tunnel_id = tunnel->tunnel_id;
972 session_id = ntohl(*(__be32 *) ptr);
976 /* Find the session context */
977 session = l2tp_session_get(tunnel->l2tp_net, tunnel, session_id, true);
978 if (!session || !session->recv_skb) {
981 session->deref(session);
982 l2tp_session_dec_refcount(session);
985 /* Not found? Pass to userspace to deal with */
986 l2tp_info(tunnel, L2TP_MSG_DATA,
987 "%s: no session found (%u/%u). Passing up.\n",
988 tunnel->name, tunnel_id, session_id);
992 if (tunnel->version == L2TP_HDR_VER_3 &&
993 l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) {
994 l2tp_session_dec_refcount(session);
998 l2tp_recv_common(session, skb, ptr, optr, hdrflags, length, payload_hook);
999 l2tp_session_dec_refcount(session);
1004 /* Put UDP header back */
1005 __skb_push(skb, sizeof(struct udphdr));
1010 /* UDP encapsulation receive handler. See net/ipv4/udp.c.
1014 * >0: skb should be passed up to userspace as UDP.
1016 int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
1018 struct l2tp_tunnel *tunnel;
1020 tunnel = l2tp_sock_to_tunnel(sk);
1024 l2tp_dbg(tunnel, L2TP_MSG_DATA, "%s: received %d bytes\n",
1025 tunnel->name, skb->len);
1027 if (l2tp_udp_recv_core(tunnel, skb, tunnel->recv_payload_hook))
1038 EXPORT_SYMBOL_GPL(l2tp_udp_encap_recv);
1040 /************************************************************************
1042 ***********************************************************************/
1044 /* Build an L2TP header for the session into the buffer provided.
1046 static int l2tp_build_l2tpv2_header(struct l2tp_session *session, void *buf)
1048 struct l2tp_tunnel *tunnel = session->tunnel;
1051 u16 flags = L2TP_HDR_VER_2;
1052 u32 tunnel_id = tunnel->peer_tunnel_id;
1053 u32 session_id = session->peer_session_id;
1055 if (session->send_seq)
1056 flags |= L2TP_HDRFLAG_S;
1058 /* Setup L2TP header. */
1059 *bufp++ = htons(flags);
1060 *bufp++ = htons(tunnel_id);
1061 *bufp++ = htons(session_id);
1062 if (session->send_seq) {
1063 *bufp++ = htons(session->ns);
1066 session->ns &= 0xffff;
1067 l2tp_dbg(session, L2TP_MSG_SEQ, "%s: updated ns to %u\n",
1068 session->name, session->ns);
1074 static int l2tp_build_l2tpv3_header(struct l2tp_session *session, void *buf)
1076 struct l2tp_tunnel *tunnel = session->tunnel;
1080 /* Setup L2TP header. The header differs slightly for UDP and
1081 * IP encapsulations. For UDP, there is 4 bytes of flags.
1083 if (tunnel->encap == L2TP_ENCAPTYPE_UDP) {
1084 u16 flags = L2TP_HDR_VER_3;
1085 *((__be16 *) bufp) = htons(flags);
1087 *((__be16 *) bufp) = 0;
1091 *((__be32 *) bufp) = htonl(session->peer_session_id);
1093 if (session->cookie_len) {
1094 memcpy(bufp, &session->cookie[0], session->cookie_len);
1095 bufp += session->cookie_len;
1097 if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
1100 if (session->send_seq) {
1101 l2h = 0x40000000 | session->ns;
1103 session->ns &= 0xffffff;
1104 l2tp_dbg(session, L2TP_MSG_SEQ,
1105 "%s: updated ns to %u\n",
1106 session->name, session->ns);
1109 *((__be32 *)bufp) = htonl(l2h);
1112 if (session->offset)
1113 bufp += session->offset;
1118 static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb,
1119 struct flowi *fl, size_t data_len)
1121 struct l2tp_tunnel *tunnel = session->tunnel;
1122 unsigned int len = skb->len;
1126 if (session->send_seq)
1127 l2tp_dbg(session, L2TP_MSG_DATA, "%s: send %Zd bytes, ns=%u\n",
1128 session->name, data_len, session->ns - 1);
1130 l2tp_dbg(session, L2TP_MSG_DATA, "%s: send %Zd bytes\n",
1131 session->name, data_len);
1133 if (session->debug & L2TP_MSG_DATA) {
1134 int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
1135 unsigned char *datap = skb->data + uhlen;
1137 pr_debug("%s: xmit\n", session->name);
1138 print_hex_dump_bytes("", DUMP_PREFIX_OFFSET,
1139 datap, min_t(size_t, 32, len - uhlen));
1142 /* Queue the packet to IP for output */
1145 #if IS_ENABLED(CONFIG_IPV6)
1146 if (tunnel->sock->sk_family == PF_INET6 && !tunnel->v4mapped)
1147 error = inet6_csk_xmit(tunnel->sock, skb, NULL);
1150 error = ip_queue_xmit(tunnel->sock, skb, fl);
1154 atomic_long_inc(&tunnel->stats.tx_packets);
1155 atomic_long_add(len, &tunnel->stats.tx_bytes);
1156 atomic_long_inc(&session->stats.tx_packets);
1157 atomic_long_add(len, &session->stats.tx_bytes);
1159 atomic_long_inc(&tunnel->stats.tx_errors);
1160 atomic_long_inc(&session->stats.tx_errors);
1166 /* If caller requires the skb to have a ppp header, the header must be
1167 * inserted in the skb data before calling this function.
1169 int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len)
1171 int data_len = skb->len;
1172 struct l2tp_tunnel *tunnel = session->tunnel;
1173 struct sock *sk = tunnel->sock;
1176 struct inet_sock *inet;
1178 int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
1180 int ret = NET_XMIT_SUCCESS;
1182 /* Check that there's enough headroom in the skb to insert IP,
1183 * UDP and L2TP headers. If not enough, expand it to
1184 * make room. Adjust truesize.
1186 headroom = NET_SKB_PAD + sizeof(struct iphdr) +
1188 if (skb_cow_head(skb, headroom)) {
1190 return NET_XMIT_DROP;
1193 /* Setup L2TP header */
1194 session->build_header(session, __skb_push(skb, hdr_len));
1196 /* Reset skb netfilter state */
1197 memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
1198 IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
1203 if (sock_owned_by_user(sk)) {
1205 ret = NET_XMIT_DROP;
1210 fl = &inet->cork.fl;
1211 switch (tunnel->encap) {
1212 case L2TP_ENCAPTYPE_UDP:
1213 /* Setup UDP header */
1214 __skb_push(skb, sizeof(*uh));
1215 skb_reset_transport_header(skb);
1217 uh->source = inet->inet_sport;
1218 uh->dest = inet->inet_dport;
1219 udp_len = uhlen + hdr_len + data_len;
1220 uh->len = htons(udp_len);
1222 /* Calculate UDP checksum if configured to do so */
1223 #if IS_ENABLED(CONFIG_IPV6)
1224 if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
1225 udp6_set_csum(udp_get_no_check6_tx(sk),
1226 skb, &inet6_sk(sk)->saddr,
1227 &sk->sk_v6_daddr, udp_len);
1230 udp_set_csum(sk->sk_no_check_tx, skb, inet->inet_saddr,
1231 inet->inet_daddr, udp_len);
1234 case L2TP_ENCAPTYPE_IP:
1238 l2tp_xmit_core(session, skb, fl, data_len);
1244 EXPORT_SYMBOL_GPL(l2tp_xmit_skb);
1246 /*****************************************************************************
1247 * Tinnel and session create/destroy.
1248 *****************************************************************************/
1250 /* Tunnel socket destruct hook.
1251 * The tunnel context is deleted only when all session sockets have been
1254 static void l2tp_tunnel_destruct(struct sock *sk)
1256 struct l2tp_tunnel *tunnel = l2tp_tunnel(sk);
1257 struct l2tp_net *pn;
1262 l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: closing...\n", tunnel->name);
1265 /* Disable udp encapsulation */
1266 switch (tunnel->encap) {
1267 case L2TP_ENCAPTYPE_UDP:
1268 /* No longer an encapsulation socket. See net/ipv4/udp.c */
1269 (udp_sk(sk))->encap_type = 0;
1270 (udp_sk(sk))->encap_rcv = NULL;
1271 (udp_sk(sk))->encap_destroy = NULL;
1273 case L2TP_ENCAPTYPE_IP:
1277 /* Remove hooks into tunnel socket */
1278 sk->sk_destruct = tunnel->old_sk_destruct;
1279 sk->sk_user_data = NULL;
1281 /* Remove the tunnel struct from the tunnel list */
1282 pn = l2tp_pernet(tunnel->l2tp_net);
1283 spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1284 list_del_rcu(&tunnel->list);
1285 spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1286 atomic_dec(&l2tp_tunnel_count);
1288 l2tp_tunnel_closeall(tunnel);
1290 tunnel->sock = NULL;
1291 l2tp_tunnel_dec_refcount(tunnel);
1293 /* Call the original destructor */
1294 if (sk->sk_destruct)
1295 (*sk->sk_destruct)(sk);
1300 /* When the tunnel is closed, all the attached sessions need to go too.
1302 void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel)
1305 struct hlist_node *walk;
1306 struct hlist_node *tmp;
1307 struct l2tp_session *session;
1309 BUG_ON(tunnel == NULL);
1311 l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: closing all sessions...\n",
1314 write_lock_bh(&tunnel->hlist_lock);
1315 tunnel->acpt_newsess = false;
1316 for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
1318 hlist_for_each_safe(walk, tmp, &tunnel->session_hlist[hash]) {
1319 session = hlist_entry(walk, struct l2tp_session, hlist);
1321 l2tp_info(session, L2TP_MSG_CONTROL,
1322 "%s: closing session\n", session->name);
1324 hlist_del_init(&session->hlist);
1326 if (test_and_set_bit(0, &session->dead))
1329 if (session->ref != NULL)
1330 (*session->ref)(session);
1332 write_unlock_bh(&tunnel->hlist_lock);
1334 __l2tp_session_unhash(session);
1335 l2tp_session_queue_purge(session);
1337 if (session->session_close != NULL)
1338 (*session->session_close)(session);
1340 if (session->deref != NULL)
1341 (*session->deref)(session);
1343 l2tp_session_dec_refcount(session);
1345 write_lock_bh(&tunnel->hlist_lock);
1347 /* Now restart from the beginning of this hash
1348 * chain. We always remove a session from the
1349 * list so we are guaranteed to make forward
1355 write_unlock_bh(&tunnel->hlist_lock);
1357 EXPORT_SYMBOL_GPL(l2tp_tunnel_closeall);
1359 /* Tunnel socket destroy hook for UDP encapsulation */
1360 static void l2tp_udp_encap_destroy(struct sock *sk)
1362 struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
1364 l2tp_tunnel_closeall(tunnel);
1369 /* Workqueue tunnel deletion function */
1370 static void l2tp_tunnel_del_work(struct work_struct *work)
1372 struct l2tp_tunnel *tunnel = NULL;
1373 struct socket *sock = NULL;
1374 struct sock *sk = NULL;
1376 tunnel = container_of(work, struct l2tp_tunnel, del_work);
1378 l2tp_tunnel_closeall(tunnel);
1380 sk = l2tp_tunnel_sock_lookup(tunnel);
1384 sock = sk->sk_socket;
1386 /* If the tunnel socket was created by userspace, then go through the
1387 * inet layer to shut the socket down, and let userspace close it.
1388 * Otherwise, if we created the socket directly within the kernel, use
1389 * the sk API to release it here.
1390 * In either case the tunnel resources are freed in the socket
1391 * destructor when the tunnel socket goes away.
1393 if (tunnel->fd >= 0) {
1395 inet_shutdown(sock, 2);
1398 kernel_sock_shutdown(sock, SHUT_RDWR);
1403 l2tp_tunnel_sock_put(sk);
1405 l2tp_tunnel_dec_refcount(tunnel);
1408 /* Create a socket for the tunnel, if one isn't set up by
1409 * userspace. This is used for static tunnels where there is no
1410 * managing L2TP daemon.
1412 * Since we don't want these sockets to keep a namespace alive by
1413 * themselves, we drop the socket's namespace refcount after creation.
1414 * These sockets are freed when the namespace exits using the pernet
1417 static int l2tp_tunnel_sock_create(struct net *net,
1420 struct l2tp_tunnel_cfg *cfg,
1421 struct socket **sockp)
1424 struct socket *sock = NULL;
1425 struct udp_port_cfg udp_conf;
1427 switch (cfg->encap) {
1428 case L2TP_ENCAPTYPE_UDP:
1429 memset(&udp_conf, 0, sizeof(udp_conf));
1431 #if IS_ENABLED(CONFIG_IPV6)
1432 if (cfg->local_ip6 && cfg->peer_ip6) {
1433 udp_conf.family = AF_INET6;
1434 memcpy(&udp_conf.local_ip6, cfg->local_ip6,
1435 sizeof(udp_conf.local_ip6));
1436 memcpy(&udp_conf.peer_ip6, cfg->peer_ip6,
1437 sizeof(udp_conf.peer_ip6));
1438 udp_conf.use_udp6_tx_checksums =
1439 cfg->udp6_zero_tx_checksums;
1440 udp_conf.use_udp6_rx_checksums =
1441 cfg->udp6_zero_rx_checksums;
1445 udp_conf.family = AF_INET;
1446 udp_conf.local_ip = cfg->local_ip;
1447 udp_conf.peer_ip = cfg->peer_ip;
1448 udp_conf.use_udp_checksums = cfg->use_udp_checksums;
1451 udp_conf.local_udp_port = htons(cfg->local_udp_port);
1452 udp_conf.peer_udp_port = htons(cfg->peer_udp_port);
1454 err = udp_sock_create(net, &udp_conf, &sock);
1460 case L2TP_ENCAPTYPE_IP:
1461 #if IS_ENABLED(CONFIG_IPV6)
1462 if (cfg->local_ip6 && cfg->peer_ip6) {
1463 struct sockaddr_l2tpip6 ip6_addr = {0};
1465 err = sock_create_kern(net, AF_INET6, SOCK_DGRAM,
1466 IPPROTO_L2TP, &sock);
1470 ip6_addr.l2tp_family = AF_INET6;
1471 memcpy(&ip6_addr.l2tp_addr, cfg->local_ip6,
1472 sizeof(ip6_addr.l2tp_addr));
1473 ip6_addr.l2tp_conn_id = tunnel_id;
1474 err = kernel_bind(sock, (struct sockaddr *) &ip6_addr,
1479 ip6_addr.l2tp_family = AF_INET6;
1480 memcpy(&ip6_addr.l2tp_addr, cfg->peer_ip6,
1481 sizeof(ip6_addr.l2tp_addr));
1482 ip6_addr.l2tp_conn_id = peer_tunnel_id;
1483 err = kernel_connect(sock,
1484 (struct sockaddr *) &ip6_addr,
1485 sizeof(ip6_addr), 0);
1491 struct sockaddr_l2tpip ip_addr = {0};
1493 err = sock_create_kern(net, AF_INET, SOCK_DGRAM,
1494 IPPROTO_L2TP, &sock);
1498 ip_addr.l2tp_family = AF_INET;
1499 ip_addr.l2tp_addr = cfg->local_ip;
1500 ip_addr.l2tp_conn_id = tunnel_id;
1501 err = kernel_bind(sock, (struct sockaddr *) &ip_addr,
1506 ip_addr.l2tp_family = AF_INET;
1507 ip_addr.l2tp_addr = cfg->peer_ip;
1508 ip_addr.l2tp_conn_id = peer_tunnel_id;
1509 err = kernel_connect(sock, (struct sockaddr *) &ip_addr,
1510 sizeof(ip_addr), 0);
1522 if ((err < 0) && sock) {
1523 kernel_sock_shutdown(sock, SHUT_RDWR);
1531 static struct lock_class_key l2tp_socket_class;
1533 int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp)
1535 struct l2tp_tunnel *tunnel = NULL;
1537 struct socket *sock = NULL;
1538 struct sock *sk = NULL;
1539 struct l2tp_net *pn;
1540 enum l2tp_encap_type encap = L2TP_ENCAPTYPE_UDP;
1542 /* Get the tunnel socket from the fd, which was opened by
1543 * the userspace L2TP daemon. If not specified, create a
1547 err = l2tp_tunnel_sock_create(net, tunnel_id, peer_tunnel_id,
1552 sock = sockfd_lookup(fd, &err);
1554 pr_err("tunl %u: sockfd_lookup(fd=%d) returned %d\n",
1555 tunnel_id, fd, err);
1560 /* Reject namespace mismatches */
1561 if (!net_eq(sock_net(sock->sk), net)) {
1562 pr_err("tunl %u: netns mismatch\n", tunnel_id);
1573 /* Quick sanity checks */
1574 err = -EPROTONOSUPPORT;
1575 if (sk->sk_type != SOCK_DGRAM) {
1576 pr_debug("tunl %hu: fd %d wrong socket type\n",
1580 if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)
1583 case L2TP_ENCAPTYPE_UDP:
1584 if (sk->sk_protocol != IPPROTO_UDP) {
1585 pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
1586 tunnel_id, fd, sk->sk_protocol, IPPROTO_UDP);
1590 case L2TP_ENCAPTYPE_IP:
1591 if (sk->sk_protocol != IPPROTO_L2TP) {
1592 pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
1593 tunnel_id, fd, sk->sk_protocol, IPPROTO_L2TP);
1599 /* Check if this socket has already been prepped */
1600 tunnel = l2tp_tunnel(sk);
1601 if (tunnel != NULL) {
1602 /* This socket has already been prepped */
1607 tunnel = kzalloc(sizeof(struct l2tp_tunnel), GFP_KERNEL);
1608 if (tunnel == NULL) {
1613 tunnel->version = version;
1614 tunnel->tunnel_id = tunnel_id;
1615 tunnel->peer_tunnel_id = peer_tunnel_id;
1616 tunnel->debug = L2TP_DEFAULT_DEBUG_FLAGS;
1618 tunnel->magic = L2TP_TUNNEL_MAGIC;
1619 sprintf(&tunnel->name[0], "tunl %u", tunnel_id);
1620 rwlock_init(&tunnel->hlist_lock);
1621 tunnel->acpt_newsess = true;
1623 /* The net we belong to */
1624 tunnel->l2tp_net = net;
1625 pn = l2tp_pernet(net);
1628 tunnel->debug = cfg->debug;
1630 #if IS_ENABLED(CONFIG_IPV6)
1631 if (sk->sk_family == PF_INET6) {
1632 struct ipv6_pinfo *np = inet6_sk(sk);
1634 if (ipv6_addr_v4mapped(&np->saddr) &&
1635 ipv6_addr_v4mapped(&sk->sk_v6_daddr)) {
1636 struct inet_sock *inet = inet_sk(sk);
1638 tunnel->v4mapped = true;
1639 inet->inet_saddr = np->saddr.s6_addr32[3];
1640 inet->inet_rcv_saddr = sk->sk_v6_rcv_saddr.s6_addr32[3];
1641 inet->inet_daddr = sk->sk_v6_daddr.s6_addr32[3];
1643 tunnel->v4mapped = false;
1648 /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
1649 tunnel->encap = encap;
1650 if (encap == L2TP_ENCAPTYPE_UDP) {
1651 struct udp_tunnel_sock_cfg udp_cfg = { };
1653 udp_cfg.sk_user_data = tunnel;
1654 udp_cfg.encap_type = UDP_ENCAP_L2TPINUDP;
1655 udp_cfg.encap_rcv = l2tp_udp_encap_recv;
1656 udp_cfg.encap_destroy = l2tp_udp_encap_destroy;
1658 setup_udp_tunnel_sock(net, sock, &udp_cfg);
1660 sk->sk_user_data = tunnel;
1663 /* Hook on the tunnel socket destructor so that we can cleanup
1664 * if the tunnel socket goes away.
1666 tunnel->old_sk_destruct = sk->sk_destruct;
1667 sk->sk_destruct = &l2tp_tunnel_destruct;
1670 lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class, "l2tp_sock");
1672 sk->sk_allocation = GFP_ATOMIC;
1674 /* Init delete workqueue struct */
1675 INIT_WORK(&tunnel->del_work, l2tp_tunnel_del_work);
1677 /* Add tunnel to our list */
1678 INIT_LIST_HEAD(&tunnel->list);
1679 atomic_inc(&l2tp_tunnel_count);
1681 /* Bump the reference count. The tunnel context is deleted
1682 * only when this drops to zero. Must be done before list insertion
1684 l2tp_tunnel_inc_refcount(tunnel);
1685 spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1686 list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);
1687 spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1694 /* If tunnel's socket was created by the kernel, it doesn't
1697 if (sock && sock->file)
1702 EXPORT_SYMBOL_GPL(l2tp_tunnel_create);
1704 /* This function is used by the netlink TUNNEL_DELETE command.
1706 void l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
1708 if (!test_and_set_bit(0, &tunnel->dead)) {
1709 l2tp_tunnel_inc_refcount(tunnel);
1710 queue_work(l2tp_wq, &tunnel->del_work);
1713 EXPORT_SYMBOL_GPL(l2tp_tunnel_delete);
1715 /* Really kill the session.
1717 void l2tp_session_free(struct l2tp_session *session)
1719 struct l2tp_tunnel *tunnel = session->tunnel;
1721 BUG_ON(atomic_read(&session->ref_count) != 0);
1724 BUG_ON(tunnel->magic != L2TP_TUNNEL_MAGIC);
1725 if (session->session_id != 0)
1726 atomic_dec(&l2tp_session_count);
1727 sock_put(tunnel->sock);
1728 session->tunnel = NULL;
1729 l2tp_tunnel_dec_refcount(tunnel);
1734 EXPORT_SYMBOL_GPL(l2tp_session_free);
1736 /* Remove an l2tp session from l2tp_core's hash lists.
1737 * Provides a tidyup interface for pseudowire code which can't just route all
1738 * shutdown via. l2tp_session_delete and a pseudowire-specific session_close
1741 void __l2tp_session_unhash(struct l2tp_session *session)
1743 struct l2tp_tunnel *tunnel = session->tunnel;
1745 /* Remove the session from core hashes */
1747 /* Remove from the per-tunnel hash */
1748 write_lock_bh(&tunnel->hlist_lock);
1749 hlist_del_init(&session->hlist);
1750 write_unlock_bh(&tunnel->hlist_lock);
1752 /* For L2TPv3 we have a per-net hash: remove from there, too */
1753 if (tunnel->version != L2TP_HDR_VER_2) {
1754 struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
1755 spin_lock_bh(&pn->l2tp_session_hlist_lock);
1756 hlist_del_init_rcu(&session->global_hlist);
1757 spin_unlock_bh(&pn->l2tp_session_hlist_lock);
1762 EXPORT_SYMBOL_GPL(__l2tp_session_unhash);
1764 /* This function is used by the netlink SESSION_DELETE command and by
1767 int l2tp_session_delete(struct l2tp_session *session)
1769 if (test_and_set_bit(0, &session->dead))
1773 (*session->ref)(session);
1774 __l2tp_session_unhash(session);
1775 l2tp_session_queue_purge(session);
1776 if (session->session_close != NULL)
1777 (*session->session_close)(session);
1779 (*session->deref)(session);
1780 l2tp_session_dec_refcount(session);
1783 EXPORT_SYMBOL_GPL(l2tp_session_delete);
1785 /* We come here whenever a session's send_seq, cookie_len or
1786 * l2specific_type parameters are set.
1788 void l2tp_session_set_header_len(struct l2tp_session *session, int version)
1790 if (version == L2TP_HDR_VER_2) {
1791 session->hdr_len = 6;
1792 if (session->send_seq)
1793 session->hdr_len += 4;
1795 session->hdr_len = 4 + session->cookie_len + session->offset;
1796 session->hdr_len += l2tp_get_l2specific_len(session);
1797 if (session->tunnel->encap == L2TP_ENCAPTYPE_UDP)
1798 session->hdr_len += 4;
1802 EXPORT_SYMBOL_GPL(l2tp_session_set_header_len);
1804 struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg)
1806 struct l2tp_session *session;
1808 session = kzalloc(sizeof(struct l2tp_session) + priv_size, GFP_KERNEL);
1809 if (session != NULL) {
1810 session->magic = L2TP_SESSION_MAGIC;
1811 session->tunnel = tunnel;
1813 session->session_id = session_id;
1814 session->peer_session_id = peer_session_id;
1816 if (tunnel->version == L2TP_HDR_VER_2)
1817 session->nr_max = 0xffff;
1819 session->nr_max = 0xffffff;
1820 session->nr_window_size = session->nr_max / 2;
1821 session->nr_oos_count_max = 4;
1823 /* Use NR of first received packet */
1824 session->reorder_skip = 1;
1826 sprintf(&session->name[0], "sess %u/%u",
1827 tunnel->tunnel_id, session->session_id);
1829 skb_queue_head_init(&session->reorder_q);
1831 INIT_HLIST_NODE(&session->hlist);
1832 INIT_HLIST_NODE(&session->global_hlist);
1834 /* Inherit debug options from tunnel */
1835 session->debug = tunnel->debug;
1838 session->pwtype = cfg->pw_type;
1839 session->debug = cfg->debug;
1840 session->mtu = cfg->mtu;
1841 session->mru = cfg->mru;
1842 session->send_seq = cfg->send_seq;
1843 session->recv_seq = cfg->recv_seq;
1844 session->lns_mode = cfg->lns_mode;
1845 session->reorder_timeout = cfg->reorder_timeout;
1846 session->offset = cfg->offset;
1847 session->l2specific_type = cfg->l2specific_type;
1848 session->l2specific_len = cfg->l2specific_len;
1849 session->cookie_len = cfg->cookie_len;
1850 memcpy(&session->cookie[0], &cfg->cookie[0], cfg->cookie_len);
1851 session->peer_cookie_len = cfg->peer_cookie_len;
1852 memcpy(&session->peer_cookie[0], &cfg->peer_cookie[0], cfg->peer_cookie_len);
1855 if (tunnel->version == L2TP_HDR_VER_2)
1856 session->build_header = l2tp_build_l2tpv2_header;
1858 session->build_header = l2tp_build_l2tpv3_header;
1860 l2tp_session_set_header_len(session, tunnel->version);
1862 l2tp_session_inc_refcount(session);
1867 return ERR_PTR(-ENOMEM);
1869 EXPORT_SYMBOL_GPL(l2tp_session_create);
1871 /*****************************************************************************
1873 *****************************************************************************/
1875 static __net_init int l2tp_init_net(struct net *net)
1877 struct l2tp_net *pn = net_generic(net, l2tp_net_id);
1880 INIT_LIST_HEAD(&pn->l2tp_tunnel_list);
1881 spin_lock_init(&pn->l2tp_tunnel_list_lock);
1883 for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++)
1884 INIT_HLIST_HEAD(&pn->l2tp_session_hlist[hash]);
1886 spin_lock_init(&pn->l2tp_session_hlist_lock);
1891 static __net_exit void l2tp_exit_net(struct net *net)
1893 struct l2tp_net *pn = l2tp_pernet(net);
1894 struct l2tp_tunnel *tunnel = NULL;
1897 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
1898 l2tp_tunnel_delete(tunnel);
1900 rcu_read_unlock_bh();
1902 flush_workqueue(l2tp_wq);
1906 static struct pernet_operations l2tp_net_ops = {
1907 .init = l2tp_init_net,
1908 .exit = l2tp_exit_net,
1910 .size = sizeof(struct l2tp_net),
1913 static int __init l2tp_init(void)
1917 rc = register_pernet_device(&l2tp_net_ops);
1921 l2tp_wq = alloc_workqueue("l2tp", WQ_UNBOUND, 0);
1923 pr_err("alloc_workqueue failed\n");
1924 unregister_pernet_device(&l2tp_net_ops);
1929 pr_info("L2TP core driver, %s\n", L2TP_DRV_VERSION);
1935 static void __exit l2tp_exit(void)
1937 unregister_pernet_device(&l2tp_net_ops);
1939 destroy_workqueue(l2tp_wq);
1944 module_init(l2tp_init);
1945 module_exit(l2tp_exit);
1947 MODULE_AUTHOR("James Chapman <jchapman@katalix.com>");
1948 MODULE_DESCRIPTION("L2TP core");
1949 MODULE_LICENSE("GPL");
1950 MODULE_VERSION(L2TP_DRV_VERSION);