4 * Copyright (c) 2008,2009,2010 Katalix Systems Ltd
6 * This file contains some code of the original L2TPv2 pppol2tp
7 * driver, which has the following copyright:
9 * Authors: Martijn van Oosterhout <kleptog@svana.org>
10 * James Chapman (jchapman@katalix.com)
12 * Michal Ostrowski <mostrows@speakeasy.net>
13 * Arnaldo Carvalho de Melo <acme@xconectiva.com.br>
14 * David S. Miller (davem@redhat.com)
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License version 2 as
18 * published by the Free Software Foundation.
21 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
23 #include <linux/module.h>
24 #include <linux/string.h>
25 #include <linux/list.h>
26 #include <linux/rculist.h>
27 #include <linux/uaccess.h>
29 #include <linux/kernel.h>
30 #include <linux/spinlock.h>
31 #include <linux/kthread.h>
32 #include <linux/sched.h>
33 #include <linux/slab.h>
34 #include <linux/errno.h>
35 #include <linux/jiffies.h>
37 #include <linux/netdevice.h>
38 #include <linux/net.h>
39 #include <linux/inetdevice.h>
40 #include <linux/skbuff.h>
41 #include <linux/init.h>
44 #include <linux/udp.h>
45 #include <linux/l2tp.h>
46 #include <linux/hash.h>
47 #include <linux/sort.h>
48 #include <linux/file.h>
49 #include <linux/nsproxy.h>
50 #include <net/net_namespace.h>
51 #include <net/netns/generic.h>
55 #include <net/udp_tunnel.h>
56 #include <net/inet_common.h>
58 #include <net/protocol.h>
59 #include <net/inet6_connection_sock.h>
60 #include <net/inet_ecn.h>
61 #include <net/ip6_route.h>
62 #include <net/ip6_checksum.h>
64 #include <asm/byteorder.h>
65 #include <linux/atomic.h>
67 #include "l2tp_core.h"
69 #define L2TP_DRV_VERSION "V2.0"
71 /* L2TP header constants */
72 #define L2TP_HDRFLAG_T 0x8000
73 #define L2TP_HDRFLAG_L 0x4000
74 #define L2TP_HDRFLAG_S 0x0800
75 #define L2TP_HDRFLAG_O 0x0200
76 #define L2TP_HDRFLAG_P 0x0100
78 #define L2TP_HDR_VER_MASK 0x000F
79 #define L2TP_HDR_VER_2 0x0002
80 #define L2TP_HDR_VER_3 0x0003
82 /* L2TPv3 default L2-specific sublayer */
83 #define L2TP_SLFLAG_S 0x40000000
84 #define L2TP_SL_SEQ_MASK 0x00ffffff
86 #define L2TP_HDR_SIZE_SEQ 10
87 #define L2TP_HDR_SIZE_NOSEQ 6
89 /* Default trace flags */
90 #define L2TP_DEFAULT_DEBUG_FLAGS 0
92 /* Private data stored for received packets in the skb.
98 unsigned long expires;
101 #define L2TP_SKB_CB(skb) ((struct l2tp_skb_cb *) &skb->cb[sizeof(struct inet_skb_parm)])
103 static struct workqueue_struct *l2tp_wq;
105 /* per-net private data for this module */
106 static unsigned int l2tp_net_id;
108 struct list_head l2tp_tunnel_list;
109 spinlock_t l2tp_tunnel_list_lock;
110 struct hlist_head l2tp_session_hlist[L2TP_HASH_SIZE_2];
111 spinlock_t l2tp_session_hlist_lock;
115 static inline struct l2tp_tunnel *l2tp_tunnel(struct sock *sk)
117 return sk->sk_user_data;
120 static inline struct l2tp_net *l2tp_pernet(const struct net *net)
124 return net_generic(net, l2tp_net_id);
127 /* Session hash global list for L2TPv3.
128 * The session_id SHOULD be random according to RFC3931, but several
129 * L2TP implementations use incrementing session_ids. So we do a real
130 * hash on the session_id, rather than a simple bitmask.
132 static inline struct hlist_head *
133 l2tp_session_id_hash_2(struct l2tp_net *pn, u32 session_id)
135 return &pn->l2tp_session_hlist[hash_32(session_id, L2TP_HASH_BITS_2)];
139 /* Lookup the tunnel socket, possibly involving the fs code if the socket is
140 * owned by userspace. A struct sock returned from this function must be
141 * released using l2tp_tunnel_sock_put once you're done with it.
143 static struct sock *l2tp_tunnel_sock_lookup(struct l2tp_tunnel *tunnel)
146 struct socket *sock = NULL;
147 struct sock *sk = NULL;
152 if (tunnel->fd >= 0) {
153 /* Socket is owned by userspace, who might be in the process
154 * of closing it. Look the socket up using the fd to ensure
157 sock = sockfd_lookup(tunnel->fd, &err);
161 /* Socket is owned by kernelspace */
170 /* Drop a reference to a tunnel socket obtained via. l2tp_tunnel_sock_put */
171 static void l2tp_tunnel_sock_put(struct sock *sk)
173 struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
175 if (tunnel->fd >= 0) {
176 /* Socket is owned by userspace */
177 sockfd_put(sk->sk_socket);
184 /* Session hash list.
185 * The session_id SHOULD be random according to RFC2661, but several
186 * L2TP implementations (Cisco and Microsoft) use incrementing
187 * session_ids. So we do a real hash on the session_id, rather than a
190 static inline struct hlist_head *
191 l2tp_session_id_hash(struct l2tp_tunnel *tunnel, u32 session_id)
193 return &tunnel->session_hlist[hash_32(session_id, L2TP_HASH_BITS)];
196 /* Lookup a tunnel. A new reference is held on the returned tunnel. */
197 struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id)
199 const struct l2tp_net *pn = l2tp_pernet(net);
200 struct l2tp_tunnel *tunnel;
203 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
204 if (tunnel->tunnel_id == tunnel_id) {
205 l2tp_tunnel_inc_refcount(tunnel);
206 rcu_read_unlock_bh();
211 rcu_read_unlock_bh();
215 EXPORT_SYMBOL_GPL(l2tp_tunnel_get);
217 /* Lookup a session. A new reference is held on the returned session. */
218 struct l2tp_session *l2tp_session_get(const struct net *net,
219 struct l2tp_tunnel *tunnel,
222 struct hlist_head *session_list;
223 struct l2tp_session *session;
226 struct l2tp_net *pn = l2tp_pernet(net);
228 session_list = l2tp_session_id_hash_2(pn, session_id);
231 hlist_for_each_entry_rcu(session, session_list, global_hlist) {
232 if (session->session_id == session_id) {
233 l2tp_session_inc_refcount(session);
234 rcu_read_unlock_bh();
239 rcu_read_unlock_bh();
244 session_list = l2tp_session_id_hash(tunnel, session_id);
245 read_lock_bh(&tunnel->hlist_lock);
246 hlist_for_each_entry(session, session_list, hlist) {
247 if (session->session_id == session_id) {
248 l2tp_session_inc_refcount(session);
249 read_unlock_bh(&tunnel->hlist_lock);
254 read_unlock_bh(&tunnel->hlist_lock);
258 EXPORT_SYMBOL_GPL(l2tp_session_get);
260 struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth)
263 struct l2tp_session *session;
266 read_lock_bh(&tunnel->hlist_lock);
267 for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
268 hlist_for_each_entry(session, &tunnel->session_hlist[hash], hlist) {
270 l2tp_session_inc_refcount(session);
271 read_unlock_bh(&tunnel->hlist_lock);
277 read_unlock_bh(&tunnel->hlist_lock);
281 EXPORT_SYMBOL_GPL(l2tp_session_get_nth);
283 /* Lookup a session by interface name.
284 * This is very inefficient but is only used by management interfaces.
286 struct l2tp_session *l2tp_session_get_by_ifname(const struct net *net,
289 struct l2tp_net *pn = l2tp_pernet(net);
291 struct l2tp_session *session;
294 for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++) {
295 hlist_for_each_entry_rcu(session, &pn->l2tp_session_hlist[hash], global_hlist) {
296 if (!strcmp(session->ifname, ifname)) {
297 l2tp_session_inc_refcount(session);
298 rcu_read_unlock_bh();
305 rcu_read_unlock_bh();
309 EXPORT_SYMBOL_GPL(l2tp_session_get_by_ifname);
311 int l2tp_session_register(struct l2tp_session *session,
312 struct l2tp_tunnel *tunnel)
314 struct l2tp_session *session_walk;
315 struct hlist_head *g_head;
316 struct hlist_head *head;
320 head = l2tp_session_id_hash(tunnel, session->session_id);
322 write_lock_bh(&tunnel->hlist_lock);
323 if (!tunnel->acpt_newsess) {
328 hlist_for_each_entry(session_walk, head, hlist)
329 if (session_walk->session_id == session->session_id) {
334 if (tunnel->version == L2TP_HDR_VER_3) {
335 pn = l2tp_pernet(tunnel->l2tp_net);
336 g_head = l2tp_session_id_hash_2(l2tp_pernet(tunnel->l2tp_net),
337 session->session_id);
339 spin_lock_bh(&pn->l2tp_session_hlist_lock);
341 hlist_for_each_entry(session_walk, g_head, global_hlist)
342 if (session_walk->session_id == session->session_id) {
344 goto err_tlock_pnlock;
347 l2tp_tunnel_inc_refcount(tunnel);
348 sock_hold(tunnel->sock);
349 hlist_add_head_rcu(&session->global_hlist, g_head);
351 spin_unlock_bh(&pn->l2tp_session_hlist_lock);
353 l2tp_tunnel_inc_refcount(tunnel);
354 sock_hold(tunnel->sock);
357 hlist_add_head(&session->hlist, head);
358 write_unlock_bh(&tunnel->hlist_lock);
363 spin_unlock_bh(&pn->l2tp_session_hlist_lock);
365 write_unlock_bh(&tunnel->hlist_lock);
369 EXPORT_SYMBOL_GPL(l2tp_session_register);
371 /* Lookup a tunnel by id
373 struct l2tp_tunnel *l2tp_tunnel_find(const struct net *net, u32 tunnel_id)
375 struct l2tp_tunnel *tunnel;
376 struct l2tp_net *pn = l2tp_pernet(net);
379 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
380 if (tunnel->tunnel_id == tunnel_id) {
381 rcu_read_unlock_bh();
385 rcu_read_unlock_bh();
389 EXPORT_SYMBOL_GPL(l2tp_tunnel_find);
391 struct l2tp_tunnel *l2tp_tunnel_find_nth(const struct net *net, int nth)
393 struct l2tp_net *pn = l2tp_pernet(net);
394 struct l2tp_tunnel *tunnel;
398 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
400 rcu_read_unlock_bh();
405 rcu_read_unlock_bh();
409 EXPORT_SYMBOL_GPL(l2tp_tunnel_find_nth);
411 /*****************************************************************************
412 * Receive data handling
413 *****************************************************************************/
415 /* Queue a skb in order. We come here only if the skb has an L2TP sequence
418 static void l2tp_recv_queue_skb(struct l2tp_session *session, struct sk_buff *skb)
420 struct sk_buff *skbp;
422 u32 ns = L2TP_SKB_CB(skb)->ns;
424 spin_lock_bh(&session->reorder_q.lock);
425 skb_queue_walk_safe(&session->reorder_q, skbp, tmp) {
426 if (L2TP_SKB_CB(skbp)->ns > ns) {
427 __skb_queue_before(&session->reorder_q, skbp, skb);
428 l2tp_dbg(session, L2TP_MSG_SEQ,
429 "%s: pkt %hu, inserted before %hu, reorder_q len=%d\n",
430 session->name, ns, L2TP_SKB_CB(skbp)->ns,
431 skb_queue_len(&session->reorder_q));
432 atomic_long_inc(&session->stats.rx_oos_packets);
437 __skb_queue_tail(&session->reorder_q, skb);
440 spin_unlock_bh(&session->reorder_q.lock);
443 /* Dequeue a single skb.
445 static void l2tp_recv_dequeue_skb(struct l2tp_session *session, struct sk_buff *skb)
447 struct l2tp_tunnel *tunnel = session->tunnel;
448 int length = L2TP_SKB_CB(skb)->length;
450 /* We're about to requeue the skb, so return resources
451 * to its current owner (a socket receive buffer).
455 atomic_long_inc(&tunnel->stats.rx_packets);
456 atomic_long_add(length, &tunnel->stats.rx_bytes);
457 atomic_long_inc(&session->stats.rx_packets);
458 atomic_long_add(length, &session->stats.rx_bytes);
460 if (L2TP_SKB_CB(skb)->has_seq) {
463 session->nr &= session->nr_max;
465 l2tp_dbg(session, L2TP_MSG_SEQ, "%s: updated nr to %hu\n",
466 session->name, session->nr);
469 /* call private receive handler */
470 if (session->recv_skb != NULL)
471 (*session->recv_skb)(session, skb, L2TP_SKB_CB(skb)->length);
476 /* Dequeue skbs from the session's reorder_q, subject to packet order.
477 * Skbs that have been in the queue for too long are simply discarded.
479 static void l2tp_recv_dequeue(struct l2tp_session *session)
484 /* If the pkt at the head of the queue has the nr that we
485 * expect to send up next, dequeue it and any other
486 * in-sequence packets behind it.
489 spin_lock_bh(&session->reorder_q.lock);
490 skb_queue_walk_safe(&session->reorder_q, skb, tmp) {
491 if (time_after(jiffies, L2TP_SKB_CB(skb)->expires)) {
492 atomic_long_inc(&session->stats.rx_seq_discards);
493 atomic_long_inc(&session->stats.rx_errors);
494 l2tp_dbg(session, L2TP_MSG_SEQ,
495 "%s: oos pkt %u len %d discarded (too old), waiting for %u, reorder_q_len=%d\n",
496 session->name, L2TP_SKB_CB(skb)->ns,
497 L2TP_SKB_CB(skb)->length, session->nr,
498 skb_queue_len(&session->reorder_q));
499 session->reorder_skip = 1;
500 __skb_unlink(skb, &session->reorder_q);
505 if (L2TP_SKB_CB(skb)->has_seq) {
506 if (session->reorder_skip) {
507 l2tp_dbg(session, L2TP_MSG_SEQ,
508 "%s: advancing nr to next pkt: %u -> %u",
509 session->name, session->nr,
510 L2TP_SKB_CB(skb)->ns);
511 session->reorder_skip = 0;
512 session->nr = L2TP_SKB_CB(skb)->ns;
514 if (L2TP_SKB_CB(skb)->ns != session->nr) {
515 l2tp_dbg(session, L2TP_MSG_SEQ,
516 "%s: holding oos pkt %u len %d, waiting for %u, reorder_q_len=%d\n",
517 session->name, L2TP_SKB_CB(skb)->ns,
518 L2TP_SKB_CB(skb)->length, session->nr,
519 skb_queue_len(&session->reorder_q));
523 __skb_unlink(skb, &session->reorder_q);
525 /* Process the skb. We release the queue lock while we
526 * do so to let other contexts process the queue.
528 spin_unlock_bh(&session->reorder_q.lock);
529 l2tp_recv_dequeue_skb(session, skb);
534 spin_unlock_bh(&session->reorder_q.lock);
537 static int l2tp_seq_check_rx_window(struct l2tp_session *session, u32 nr)
541 if (nr >= session->nr)
542 nws = nr - session->nr;
544 nws = (session->nr_max + 1) - (session->nr - nr);
546 return nws < session->nr_window_size;
549 /* If packet has sequence numbers, queue it if acceptable. Returns 0 if
550 * acceptable, else non-zero.
552 static int l2tp_recv_data_seq(struct l2tp_session *session, struct sk_buff *skb)
554 if (!l2tp_seq_check_rx_window(session, L2TP_SKB_CB(skb)->ns)) {
555 /* Packet sequence number is outside allowed window.
558 l2tp_dbg(session, L2TP_MSG_SEQ,
559 "%s: pkt %u len %d discarded, outside window, nr=%u\n",
560 session->name, L2TP_SKB_CB(skb)->ns,
561 L2TP_SKB_CB(skb)->length, session->nr);
565 if (session->reorder_timeout != 0) {
566 /* Packet reordering enabled. Add skb to session's
567 * reorder queue, in order of ns.
569 l2tp_recv_queue_skb(session, skb);
573 /* Packet reordering disabled. Discard out-of-sequence packets, while
574 * tracking the number if in-sequence packets after the first OOS packet
575 * is seen. After nr_oos_count_max in-sequence packets, reset the
576 * sequence number to re-enable packet reception.
578 if (L2TP_SKB_CB(skb)->ns == session->nr) {
579 skb_queue_tail(&session->reorder_q, skb);
581 u32 nr_oos = L2TP_SKB_CB(skb)->ns;
582 u32 nr_next = (session->nr_oos + 1) & session->nr_max;
584 if (nr_oos == nr_next)
585 session->nr_oos_count++;
587 session->nr_oos_count = 0;
589 session->nr_oos = nr_oos;
590 if (session->nr_oos_count > session->nr_oos_count_max) {
591 session->reorder_skip = 1;
592 l2tp_dbg(session, L2TP_MSG_SEQ,
593 "%s: %d oos packets received. Resetting sequence numbers\n",
594 session->name, session->nr_oos_count);
596 if (!session->reorder_skip) {
597 atomic_long_inc(&session->stats.rx_seq_discards);
598 l2tp_dbg(session, L2TP_MSG_SEQ,
599 "%s: oos pkt %u len %d discarded, waiting for %u, reorder_q_len=%d\n",
600 session->name, L2TP_SKB_CB(skb)->ns,
601 L2TP_SKB_CB(skb)->length, session->nr,
602 skb_queue_len(&session->reorder_q));
605 skb_queue_tail(&session->reorder_q, skb);
615 /* Do receive processing of L2TP data frames. We handle both L2TPv2
616 * and L2TPv3 data frames here.
618 * L2TPv2 Data Message Header
621 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
622 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
623 * |T|L|x|x|S|x|O|P|x|x|x|x| Ver | Length (opt) |
624 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
625 * | Tunnel ID | Session ID |
626 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
627 * | Ns (opt) | Nr (opt) |
628 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
629 * | Offset Size (opt) | Offset pad... (opt)
630 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
632 * Data frames are marked by T=0. All other fields are the same as
633 * those in L2TP control frames.
635 * L2TPv3 Data Message Header
637 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
638 * | L2TP Session Header |
639 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
640 * | L2-Specific Sublayer |
641 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
642 * | Tunnel Payload ...
643 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
645 * L2TPv3 Session Header Over IP
648 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
649 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
651 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
652 * | Cookie (optional, maximum 64 bits)...
653 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
655 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
657 * L2TPv3 L2-Specific Sublayer Format
660 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
661 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
662 * |x|S|x|x|x|x|x|x| Sequence Number |
663 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
665 * Cookie value, sublayer format and offset (pad) are negotiated with
666 * the peer when the session is set up. Unlike L2TPv2, we do not need
667 * to parse the packet header to determine if optional fields are
670 * Caller must already have parsed the frame and determined that it is
671 * a data (not control) frame before coming here. Fields up to the
672 * session-id have already been parsed and ptr points to the data
673 * after the session-id.
675 void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
676 unsigned char *ptr, unsigned char *optr, u16 hdrflags,
677 int length, int (*payload_hook)(struct sk_buff *skb))
679 struct l2tp_tunnel *tunnel = session->tunnel;
683 /* Parse and check optional cookie */
684 if (session->peer_cookie_len > 0) {
685 if (memcmp(ptr, &session->peer_cookie[0], session->peer_cookie_len)) {
686 l2tp_info(tunnel, L2TP_MSG_DATA,
687 "%s: cookie mismatch (%u/%u). Discarding.\n",
688 tunnel->name, tunnel->tunnel_id,
689 session->session_id);
690 atomic_long_inc(&session->stats.rx_cookie_discards);
693 ptr += session->peer_cookie_len;
696 /* Handle the optional sequence numbers. Sequence numbers are
697 * in different places for L2TPv2 and L2TPv3.
699 * If we are the LAC, enable/disable sequence numbers under
700 * the control of the LNS. If no sequence numbers present but
701 * we were expecting them, discard frame.
704 L2TP_SKB_CB(skb)->has_seq = 0;
705 if (tunnel->version == L2TP_HDR_VER_2) {
706 if (hdrflags & L2TP_HDRFLAG_S) {
707 ns = ntohs(*(__be16 *) ptr);
709 nr = ntohs(*(__be16 *) ptr);
712 /* Store L2TP info in the skb */
713 L2TP_SKB_CB(skb)->ns = ns;
714 L2TP_SKB_CB(skb)->has_seq = 1;
716 l2tp_dbg(session, L2TP_MSG_SEQ,
717 "%s: recv data ns=%u, nr=%u, session nr=%u\n",
718 session->name, ns, nr, session->nr);
720 } else if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
721 u32 l2h = ntohl(*(__be32 *) ptr);
723 if (l2h & 0x40000000) {
724 ns = l2h & 0x00ffffff;
726 /* Store L2TP info in the skb */
727 L2TP_SKB_CB(skb)->ns = ns;
728 L2TP_SKB_CB(skb)->has_seq = 1;
730 l2tp_dbg(session, L2TP_MSG_SEQ,
731 "%s: recv data ns=%u, session nr=%u\n",
732 session->name, ns, session->nr);
736 /* Advance past L2-specific header, if present */
737 ptr += session->l2specific_len;
739 if (L2TP_SKB_CB(skb)->has_seq) {
740 /* Received a packet with sequence numbers. If we're the LNS,
741 * check if we sre sending sequence numbers and if not,
744 if ((!session->lns_mode) && (!session->send_seq)) {
745 l2tp_info(session, L2TP_MSG_SEQ,
746 "%s: requested to enable seq numbers by LNS\n",
748 session->send_seq = 1;
749 l2tp_session_set_header_len(session, tunnel->version);
752 /* No sequence numbers.
753 * If user has configured mandatory sequence numbers, discard.
755 if (session->recv_seq) {
756 l2tp_warn(session, L2TP_MSG_SEQ,
757 "%s: recv data has no seq numbers when required. Discarding.\n",
759 atomic_long_inc(&session->stats.rx_seq_discards);
763 /* If we're the LAC and we're sending sequence numbers, the
764 * LNS has requested that we no longer send sequence numbers.
765 * If we're the LNS and we're sending sequence numbers, the
766 * LAC is broken. Discard the frame.
768 if ((!session->lns_mode) && (session->send_seq)) {
769 l2tp_info(session, L2TP_MSG_SEQ,
770 "%s: requested to disable seq numbers by LNS\n",
772 session->send_seq = 0;
773 l2tp_session_set_header_len(session, tunnel->version);
774 } else if (session->send_seq) {
775 l2tp_warn(session, L2TP_MSG_SEQ,
776 "%s: recv data has no seq numbers when required. Discarding.\n",
778 atomic_long_inc(&session->stats.rx_seq_discards);
783 /* Session data offset is handled differently for L2TPv2 and
784 * L2TPv3. For L2TPv2, there is an optional 16-bit value in
785 * the header. For L2TPv3, the offset is negotiated using AVPs
786 * in the session setup control protocol.
788 if (tunnel->version == L2TP_HDR_VER_2) {
789 /* If offset bit set, skip it. */
790 if (hdrflags & L2TP_HDRFLAG_O) {
791 offset = ntohs(*(__be16 *)ptr);
795 ptr += session->offset;
798 if (!pskb_may_pull(skb, offset))
801 __skb_pull(skb, offset);
803 /* If caller wants to process the payload before we queue the
807 if ((*payload_hook)(skb))
810 /* Prepare skb for adding to the session's reorder_q. Hold
811 * packets for max reorder_timeout or 1 second if not
814 L2TP_SKB_CB(skb)->length = length;
815 L2TP_SKB_CB(skb)->expires = jiffies +
816 (session->reorder_timeout ? session->reorder_timeout : HZ);
818 /* Add packet to the session's receive queue. Reordering is done here, if
819 * enabled. Saved L2TP protocol info is stored in skb->sb[].
821 if (L2TP_SKB_CB(skb)->has_seq) {
822 if (l2tp_recv_data_seq(session, skb))
825 /* No sequence numbers. Add the skb to the tail of the
826 * reorder queue. This ensures that it will be
827 * delivered after all previous sequenced skbs.
829 skb_queue_tail(&session->reorder_q, skb);
832 /* Try to dequeue as many skbs from reorder_q as we can. */
833 l2tp_recv_dequeue(session);
838 atomic_long_inc(&session->stats.rx_errors);
841 EXPORT_SYMBOL(l2tp_recv_common);
843 /* Drop skbs from the session's reorder_q
845 int l2tp_session_queue_purge(struct l2tp_session *session)
847 struct sk_buff *skb = NULL;
849 BUG_ON(session->magic != L2TP_SESSION_MAGIC);
850 while ((skb = skb_dequeue(&session->reorder_q))) {
851 atomic_long_inc(&session->stats.rx_errors);
856 EXPORT_SYMBOL_GPL(l2tp_session_queue_purge);
858 /* Internal UDP receive frame. Do the real work of receiving an L2TP data frame
859 * here. The skb is not on a list when we get here.
860 * Returns 0 if the packet was a data packet and was successfully passed on.
861 * Returns 1 if the packet was not a good data packet and could not be
862 * forwarded. All such packets are passed up to userspace to deal with.
864 static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb,
865 int (*payload_hook)(struct sk_buff *skb))
867 struct l2tp_session *session = NULL;
868 unsigned char *ptr, *optr;
870 u32 tunnel_id, session_id;
874 /* UDP has verifed checksum */
876 /* UDP always verifies the packet length. */
877 __skb_pull(skb, sizeof(struct udphdr));
880 if (!pskb_may_pull(skb, L2TP_HDR_SIZE_SEQ)) {
881 l2tp_info(tunnel, L2TP_MSG_DATA,
882 "%s: recv short packet (len=%d)\n",
883 tunnel->name, skb->len);
887 /* Trace packet contents, if enabled */
888 if (tunnel->debug & L2TP_MSG_DATA) {
889 length = min(32u, skb->len);
890 if (!pskb_may_pull(skb, length))
893 pr_debug("%s: recv\n", tunnel->name);
894 print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, skb->data, length);
897 /* Point to L2TP header */
898 optr = ptr = skb->data;
900 /* Get L2TP header flags */
901 hdrflags = ntohs(*(__be16 *) ptr);
903 /* Check protocol version */
904 version = hdrflags & L2TP_HDR_VER_MASK;
905 if (version != tunnel->version) {
906 l2tp_info(tunnel, L2TP_MSG_DATA,
907 "%s: recv protocol version mismatch: got %d expected %d\n",
908 tunnel->name, version, tunnel->version);
912 /* Get length of L2TP packet */
915 /* If type is control packet, it is handled by userspace. */
916 if (hdrflags & L2TP_HDRFLAG_T) {
917 l2tp_dbg(tunnel, L2TP_MSG_DATA,
918 "%s: recv control packet, len=%d\n",
919 tunnel->name, length);
926 if (tunnel->version == L2TP_HDR_VER_2) {
927 /* If length is present, skip it */
928 if (hdrflags & L2TP_HDRFLAG_L)
931 /* Extract tunnel and session ID */
932 tunnel_id = ntohs(*(__be16 *) ptr);
934 session_id = ntohs(*(__be16 *) ptr);
937 ptr += 2; /* skip reserved bits */
938 tunnel_id = tunnel->tunnel_id;
939 session_id = ntohl(*(__be32 *) ptr);
943 /* Find the session context */
944 session = l2tp_session_get(tunnel->l2tp_net, tunnel, session_id);
945 if (!session || !session->recv_skb) {
947 l2tp_session_dec_refcount(session);
949 /* Not found? Pass to userspace to deal with */
950 l2tp_info(tunnel, L2TP_MSG_DATA,
951 "%s: no session found (%u/%u). Passing up.\n",
952 tunnel->name, tunnel_id, session_id);
956 l2tp_recv_common(session, skb, ptr, optr, hdrflags, length, payload_hook);
957 l2tp_session_dec_refcount(session);
962 /* Put UDP header back */
963 __skb_push(skb, sizeof(struct udphdr));
968 /* UDP encapsulation receive handler. See net/ipv4/udp.c.
972 * >0: skb should be passed up to userspace as UDP.
974 int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
976 struct l2tp_tunnel *tunnel;
978 tunnel = l2tp_sock_to_tunnel(sk);
982 l2tp_dbg(tunnel, L2TP_MSG_DATA, "%s: received %d bytes\n",
983 tunnel->name, skb->len);
985 if (l2tp_udp_recv_core(tunnel, skb, tunnel->recv_payload_hook))
996 EXPORT_SYMBOL_GPL(l2tp_udp_encap_recv);
998 /************************************************************************
1000 ***********************************************************************/
1002 /* Build an L2TP header for the session into the buffer provided.
1004 static int l2tp_build_l2tpv2_header(struct l2tp_session *session, void *buf)
1006 struct l2tp_tunnel *tunnel = session->tunnel;
1009 u16 flags = L2TP_HDR_VER_2;
1010 u32 tunnel_id = tunnel->peer_tunnel_id;
1011 u32 session_id = session->peer_session_id;
1013 if (session->send_seq)
1014 flags |= L2TP_HDRFLAG_S;
1016 /* Setup L2TP header. */
1017 *bufp++ = htons(flags);
1018 *bufp++ = htons(tunnel_id);
1019 *bufp++ = htons(session_id);
1020 if (session->send_seq) {
1021 *bufp++ = htons(session->ns);
1024 session->ns &= 0xffff;
1025 l2tp_dbg(session, L2TP_MSG_SEQ, "%s: updated ns to %u\n",
1026 session->name, session->ns);
1032 static int l2tp_build_l2tpv3_header(struct l2tp_session *session, void *buf)
1034 struct l2tp_tunnel *tunnel = session->tunnel;
1038 /* Setup L2TP header. The header differs slightly for UDP and
1039 * IP encapsulations. For UDP, there is 4 bytes of flags.
1041 if (tunnel->encap == L2TP_ENCAPTYPE_UDP) {
1042 u16 flags = L2TP_HDR_VER_3;
1043 *((__be16 *) bufp) = htons(flags);
1045 *((__be16 *) bufp) = 0;
1049 *((__be32 *) bufp) = htonl(session->peer_session_id);
1051 if (session->cookie_len) {
1052 memcpy(bufp, &session->cookie[0], session->cookie_len);
1053 bufp += session->cookie_len;
1055 if (session->l2specific_len) {
1056 if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
1058 if (session->send_seq) {
1059 l2h = 0x40000000 | session->ns;
1061 session->ns &= 0xffffff;
1062 l2tp_dbg(session, L2TP_MSG_SEQ,
1063 "%s: updated ns to %u\n",
1064 session->name, session->ns);
1067 *((__be32 *) bufp) = htonl(l2h);
1069 bufp += session->l2specific_len;
1071 if (session->offset)
1072 bufp += session->offset;
1077 static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb,
1078 struct flowi *fl, size_t data_len)
1080 struct l2tp_tunnel *tunnel = session->tunnel;
1081 unsigned int len = skb->len;
1085 if (session->send_seq)
1086 l2tp_dbg(session, L2TP_MSG_DATA, "%s: send %zd bytes, ns=%u\n",
1087 session->name, data_len, session->ns - 1);
1089 l2tp_dbg(session, L2TP_MSG_DATA, "%s: send %zd bytes\n",
1090 session->name, data_len);
1092 if (session->debug & L2TP_MSG_DATA) {
1093 int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
1094 unsigned char *datap = skb->data + uhlen;
1096 pr_debug("%s: xmit\n", session->name);
1097 print_hex_dump_bytes("", DUMP_PREFIX_OFFSET,
1098 datap, min_t(size_t, 32, len - uhlen));
1101 /* Queue the packet to IP for output */
1103 #if IS_ENABLED(CONFIG_IPV6)
1104 if (tunnel->sock->sk_family == PF_INET6 && !tunnel->v4mapped)
1105 error = inet6_csk_xmit(tunnel->sock, skb, NULL);
1108 error = ip_queue_xmit(tunnel->sock, skb, fl);
1112 atomic_long_inc(&tunnel->stats.tx_packets);
1113 atomic_long_add(len, &tunnel->stats.tx_bytes);
1114 atomic_long_inc(&session->stats.tx_packets);
1115 atomic_long_add(len, &session->stats.tx_bytes);
1117 atomic_long_inc(&tunnel->stats.tx_errors);
1118 atomic_long_inc(&session->stats.tx_errors);
1124 /* If caller requires the skb to have a ppp header, the header must be
1125 * inserted in the skb data before calling this function.
1127 int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len)
1129 int data_len = skb->len;
1130 struct l2tp_tunnel *tunnel = session->tunnel;
1131 struct sock *sk = tunnel->sock;
1134 struct inet_sock *inet;
1136 int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
1138 int ret = NET_XMIT_SUCCESS;
1140 /* Check that there's enough headroom in the skb to insert IP,
1141 * UDP and L2TP headers. If not enough, expand it to
1142 * make room. Adjust truesize.
1144 headroom = NET_SKB_PAD + sizeof(struct iphdr) +
1146 if (skb_cow_head(skb, headroom)) {
1148 return NET_XMIT_DROP;
1151 /* Setup L2TP header */
1152 session->build_header(session, __skb_push(skb, hdr_len));
1154 /* Reset skb netfilter state */
1155 memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
1156 IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
1161 if (sock_owned_by_user(sk)) {
1163 ret = NET_XMIT_DROP;
1167 /* Get routing info from the tunnel socket */
1169 skb_dst_set(skb, dst_clone(__sk_dst_check(sk, 0)));
1172 fl = &inet->cork.fl;
1173 switch (tunnel->encap) {
1174 case L2TP_ENCAPTYPE_UDP:
1175 /* Setup UDP header */
1176 __skb_push(skb, sizeof(*uh));
1177 skb_reset_transport_header(skb);
1179 uh->source = inet->inet_sport;
1180 uh->dest = inet->inet_dport;
1181 udp_len = uhlen + hdr_len + data_len;
1182 uh->len = htons(udp_len);
1184 /* Calculate UDP checksum if configured to do so */
1185 #if IS_ENABLED(CONFIG_IPV6)
1186 if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
1187 udp6_set_csum(udp_get_no_check6_tx(sk),
1188 skb, &inet6_sk(sk)->saddr,
1189 &sk->sk_v6_daddr, udp_len);
1192 udp_set_csum(sk->sk_no_check_tx, skb, inet->inet_saddr,
1193 inet->inet_daddr, udp_len);
1196 case L2TP_ENCAPTYPE_IP:
1200 l2tp_xmit_core(session, skb, fl, data_len);
1206 EXPORT_SYMBOL_GPL(l2tp_xmit_skb);
1208 /*****************************************************************************
1209 * Tinnel and session create/destroy.
1210 *****************************************************************************/
1212 /* Tunnel socket destruct hook.
1213 * The tunnel context is deleted only when all session sockets have been
1216 static void l2tp_tunnel_destruct(struct sock *sk)
1218 struct l2tp_tunnel *tunnel = l2tp_tunnel(sk);
1219 struct l2tp_net *pn;
1224 l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: closing...\n", tunnel->name);
1227 /* Disable udp encapsulation */
1228 switch (tunnel->encap) {
1229 case L2TP_ENCAPTYPE_UDP:
1230 /* No longer an encapsulation socket. See net/ipv4/udp.c */
1231 (udp_sk(sk))->encap_type = 0;
1232 (udp_sk(sk))->encap_rcv = NULL;
1233 (udp_sk(sk))->encap_destroy = NULL;
1235 case L2TP_ENCAPTYPE_IP:
1239 /* Remove hooks into tunnel socket */
1240 sk->sk_destruct = tunnel->old_sk_destruct;
1241 sk->sk_user_data = NULL;
1243 /* Remove the tunnel struct from the tunnel list */
1244 pn = l2tp_pernet(tunnel->l2tp_net);
1245 spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1246 list_del_rcu(&tunnel->list);
1247 spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1249 tunnel->sock = NULL;
1250 l2tp_tunnel_dec_refcount(tunnel);
1252 /* Call the original destructor */
1253 if (sk->sk_destruct)
1254 (*sk->sk_destruct)(sk);
1259 /* When the tunnel is closed, all the attached sessions need to go too.
1261 void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel)
1264 struct hlist_node *walk;
1265 struct hlist_node *tmp;
1266 struct l2tp_session *session;
1268 BUG_ON(tunnel == NULL);
1270 l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: closing all sessions...\n",
1273 write_lock_bh(&tunnel->hlist_lock);
1274 tunnel->acpt_newsess = false;
1275 for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
1277 hlist_for_each_safe(walk, tmp, &tunnel->session_hlist[hash]) {
1278 session = hlist_entry(walk, struct l2tp_session, hlist);
1280 l2tp_info(session, L2TP_MSG_CONTROL,
1281 "%s: closing session\n", session->name);
1283 hlist_del_init(&session->hlist);
1285 if (test_and_set_bit(0, &session->dead))
1288 write_unlock_bh(&tunnel->hlist_lock);
1290 __l2tp_session_unhash(session);
1291 l2tp_session_queue_purge(session);
1293 if (session->session_close != NULL)
1294 (*session->session_close)(session);
1296 l2tp_session_dec_refcount(session);
1298 write_lock_bh(&tunnel->hlist_lock);
1300 /* Now restart from the beginning of this hash
1301 * chain. We always remove a session from the
1302 * list so we are guaranteed to make forward
1308 write_unlock_bh(&tunnel->hlist_lock);
1310 EXPORT_SYMBOL_GPL(l2tp_tunnel_closeall);
1312 /* Tunnel socket destroy hook for UDP encapsulation */
1313 static void l2tp_udp_encap_destroy(struct sock *sk)
1315 struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
1317 l2tp_tunnel_closeall(tunnel);
1322 /* Workqueue tunnel deletion function */
1323 static void l2tp_tunnel_del_work(struct work_struct *work)
1325 struct l2tp_tunnel *tunnel = NULL;
1326 struct socket *sock = NULL;
1327 struct sock *sk = NULL;
1329 tunnel = container_of(work, struct l2tp_tunnel, del_work);
1331 l2tp_tunnel_closeall(tunnel);
1333 sk = l2tp_tunnel_sock_lookup(tunnel);
1337 sock = sk->sk_socket;
1339 /* If the tunnel socket was created by userspace, then go through the
1340 * inet layer to shut the socket down, and let userspace close it.
1341 * Otherwise, if we created the socket directly within the kernel, use
1342 * the sk API to release it here.
1343 * In either case the tunnel resources are freed in the socket
1344 * destructor when the tunnel socket goes away.
1346 if (tunnel->fd >= 0) {
1348 inet_shutdown(sock, 2);
1351 kernel_sock_shutdown(sock, SHUT_RDWR);
1356 l2tp_tunnel_sock_put(sk);
1358 l2tp_tunnel_dec_refcount(tunnel);
1361 /* Create a socket for the tunnel, if one isn't set up by
1362 * userspace. This is used for static tunnels where there is no
1363 * managing L2TP daemon.
1365 * Since we don't want these sockets to keep a namespace alive by
1366 * themselves, we drop the socket's namespace refcount after creation.
1367 * These sockets are freed when the namespace exits using the pernet
1370 static int l2tp_tunnel_sock_create(struct net *net,
1373 struct l2tp_tunnel_cfg *cfg,
1374 struct socket **sockp)
1377 struct socket *sock = NULL;
1378 struct udp_port_cfg udp_conf;
1380 switch (cfg->encap) {
1381 case L2TP_ENCAPTYPE_UDP:
1382 memset(&udp_conf, 0, sizeof(udp_conf));
1384 #if IS_ENABLED(CONFIG_IPV6)
1385 if (cfg->local_ip6 && cfg->peer_ip6) {
1386 udp_conf.family = AF_INET6;
1387 memcpy(&udp_conf.local_ip6, cfg->local_ip6,
1388 sizeof(udp_conf.local_ip6));
1389 memcpy(&udp_conf.peer_ip6, cfg->peer_ip6,
1390 sizeof(udp_conf.peer_ip6));
1391 udp_conf.use_udp6_tx_checksums =
1392 ! cfg->udp6_zero_tx_checksums;
1393 udp_conf.use_udp6_rx_checksums =
1394 ! cfg->udp6_zero_rx_checksums;
1398 udp_conf.family = AF_INET;
1399 udp_conf.local_ip = cfg->local_ip;
1400 udp_conf.peer_ip = cfg->peer_ip;
1401 udp_conf.use_udp_checksums = cfg->use_udp_checksums;
1404 udp_conf.local_udp_port = htons(cfg->local_udp_port);
1405 udp_conf.peer_udp_port = htons(cfg->peer_udp_port);
1407 err = udp_sock_create(net, &udp_conf, &sock);
1413 case L2TP_ENCAPTYPE_IP:
1414 #if IS_ENABLED(CONFIG_IPV6)
1415 if (cfg->local_ip6 && cfg->peer_ip6) {
1416 struct sockaddr_l2tpip6 ip6_addr = {0};
1418 err = sock_create_kern(net, AF_INET6, SOCK_DGRAM,
1419 IPPROTO_L2TP, &sock);
1423 ip6_addr.l2tp_family = AF_INET6;
1424 memcpy(&ip6_addr.l2tp_addr, cfg->local_ip6,
1425 sizeof(ip6_addr.l2tp_addr));
1426 ip6_addr.l2tp_conn_id = tunnel_id;
1427 err = kernel_bind(sock, (struct sockaddr *) &ip6_addr,
1432 ip6_addr.l2tp_family = AF_INET6;
1433 memcpy(&ip6_addr.l2tp_addr, cfg->peer_ip6,
1434 sizeof(ip6_addr.l2tp_addr));
1435 ip6_addr.l2tp_conn_id = peer_tunnel_id;
1436 err = kernel_connect(sock,
1437 (struct sockaddr *) &ip6_addr,
1438 sizeof(ip6_addr), 0);
1444 struct sockaddr_l2tpip ip_addr = {0};
1446 err = sock_create_kern(net, AF_INET, SOCK_DGRAM,
1447 IPPROTO_L2TP, &sock);
1451 ip_addr.l2tp_family = AF_INET;
1452 ip_addr.l2tp_addr = cfg->local_ip;
1453 ip_addr.l2tp_conn_id = tunnel_id;
1454 err = kernel_bind(sock, (struct sockaddr *) &ip_addr,
1459 ip_addr.l2tp_family = AF_INET;
1460 ip_addr.l2tp_addr = cfg->peer_ip;
1461 ip_addr.l2tp_conn_id = peer_tunnel_id;
1462 err = kernel_connect(sock, (struct sockaddr *) &ip_addr,
1463 sizeof(ip_addr), 0);
1475 if ((err < 0) && sock) {
1476 kernel_sock_shutdown(sock, SHUT_RDWR);
1484 static struct lock_class_key l2tp_socket_class;
1486 int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp)
1488 struct l2tp_tunnel *tunnel = NULL;
1490 struct socket *sock = NULL;
1491 struct sock *sk = NULL;
1492 struct l2tp_net *pn;
1493 enum l2tp_encap_type encap = L2TP_ENCAPTYPE_UDP;
1495 /* Get the tunnel socket from the fd, which was opened by
1496 * the userspace L2TP daemon. If not specified, create a
1500 err = l2tp_tunnel_sock_create(net, tunnel_id, peer_tunnel_id,
1505 sock = sockfd_lookup(fd, &err);
1507 pr_err("tunl %u: sockfd_lookup(fd=%d) returned %d\n",
1508 tunnel_id, fd, err);
1513 /* Reject namespace mismatches */
1514 if (!net_eq(sock_net(sock->sk), net)) {
1515 pr_err("tunl %u: netns mismatch\n", tunnel_id);
1526 /* Quick sanity checks */
1528 case L2TP_ENCAPTYPE_UDP:
1529 err = -EPROTONOSUPPORT;
1530 if (sk->sk_protocol != IPPROTO_UDP) {
1531 pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
1532 tunnel_id, fd, sk->sk_protocol, IPPROTO_UDP);
1536 case L2TP_ENCAPTYPE_IP:
1537 err = -EPROTONOSUPPORT;
1538 if (sk->sk_protocol != IPPROTO_L2TP) {
1539 pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
1540 tunnel_id, fd, sk->sk_protocol, IPPROTO_L2TP);
1546 /* Check if this socket has already been prepped */
1547 tunnel = l2tp_tunnel(sk);
1548 if (tunnel != NULL) {
1549 /* This socket has already been prepped */
1554 tunnel = kzalloc(sizeof(struct l2tp_tunnel), GFP_KERNEL);
1555 if (tunnel == NULL) {
1560 tunnel->version = version;
1561 tunnel->tunnel_id = tunnel_id;
1562 tunnel->peer_tunnel_id = peer_tunnel_id;
1563 tunnel->debug = L2TP_DEFAULT_DEBUG_FLAGS;
1565 tunnel->magic = L2TP_TUNNEL_MAGIC;
1566 sprintf(&tunnel->name[0], "tunl %u", tunnel_id);
1567 rwlock_init(&tunnel->hlist_lock);
1568 tunnel->acpt_newsess = true;
1570 /* The net we belong to */
1571 tunnel->l2tp_net = net;
1572 pn = l2tp_pernet(net);
1575 tunnel->debug = cfg->debug;
1577 #if IS_ENABLED(CONFIG_IPV6)
1578 if (sk->sk_family == PF_INET6) {
1579 struct ipv6_pinfo *np = inet6_sk(sk);
1581 if (ipv6_addr_v4mapped(&np->saddr) &&
1582 ipv6_addr_v4mapped(&sk->sk_v6_daddr)) {
1583 struct inet_sock *inet = inet_sk(sk);
1585 tunnel->v4mapped = true;
1586 inet->inet_saddr = np->saddr.s6_addr32[3];
1587 inet->inet_rcv_saddr = sk->sk_v6_rcv_saddr.s6_addr32[3];
1588 inet->inet_daddr = sk->sk_v6_daddr.s6_addr32[3];
1590 tunnel->v4mapped = false;
1595 /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
1596 tunnel->encap = encap;
1597 if (encap == L2TP_ENCAPTYPE_UDP) {
1598 struct udp_tunnel_sock_cfg udp_cfg = { };
1600 udp_cfg.sk_user_data = tunnel;
1601 udp_cfg.encap_type = UDP_ENCAP_L2TPINUDP;
1602 udp_cfg.encap_rcv = l2tp_udp_encap_recv;
1603 udp_cfg.encap_destroy = l2tp_udp_encap_destroy;
1605 setup_udp_tunnel_sock(net, sock, &udp_cfg);
1607 sk->sk_user_data = tunnel;
1610 /* Hook on the tunnel socket destructor so that we can cleanup
1611 * if the tunnel socket goes away.
1613 tunnel->old_sk_destruct = sk->sk_destruct;
1614 sk->sk_destruct = &l2tp_tunnel_destruct;
1617 lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class, "l2tp_sock");
1619 sk->sk_allocation = GFP_ATOMIC;
1621 /* Init delete workqueue struct */
1622 INIT_WORK(&tunnel->del_work, l2tp_tunnel_del_work);
1624 /* Add tunnel to our list */
1625 INIT_LIST_HEAD(&tunnel->list);
1627 /* Bump the reference count. The tunnel context is deleted
1628 * only when this drops to zero. Must be done before list insertion
1630 refcount_set(&tunnel->ref_count, 1);
1631 spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1632 list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);
1633 spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1640 /* If tunnel's socket was created by the kernel, it doesn't
1643 if (sock && sock->file)
1648 EXPORT_SYMBOL_GPL(l2tp_tunnel_create);
1650 /* This function is used by the netlink TUNNEL_DELETE command.
1652 void l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
1654 if (!test_and_set_bit(0, &tunnel->dead)) {
1655 l2tp_tunnel_inc_refcount(tunnel);
1656 queue_work(l2tp_wq, &tunnel->del_work);
1659 EXPORT_SYMBOL_GPL(l2tp_tunnel_delete);
1661 /* Really kill the session.
1663 void l2tp_session_free(struct l2tp_session *session)
1665 struct l2tp_tunnel *tunnel = session->tunnel;
1667 BUG_ON(refcount_read(&session->ref_count) != 0);
1670 BUG_ON(tunnel->magic != L2TP_TUNNEL_MAGIC);
1671 sock_put(tunnel->sock);
1672 session->tunnel = NULL;
1673 l2tp_tunnel_dec_refcount(tunnel);
1678 EXPORT_SYMBOL_GPL(l2tp_session_free);
1680 /* Remove an l2tp session from l2tp_core's hash lists.
1681 * Provides a tidyup interface for pseudowire code which can't just route all
1682 * shutdown via. l2tp_session_delete and a pseudowire-specific session_close
1685 void __l2tp_session_unhash(struct l2tp_session *session)
1687 struct l2tp_tunnel *tunnel = session->tunnel;
1689 /* Remove the session from core hashes */
1691 /* Remove from the per-tunnel hash */
1692 write_lock_bh(&tunnel->hlist_lock);
1693 hlist_del_init(&session->hlist);
1694 write_unlock_bh(&tunnel->hlist_lock);
1696 /* For L2TPv3 we have a per-net hash: remove from there, too */
1697 if (tunnel->version != L2TP_HDR_VER_2) {
1698 struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
1699 spin_lock_bh(&pn->l2tp_session_hlist_lock);
1700 hlist_del_init_rcu(&session->global_hlist);
1701 spin_unlock_bh(&pn->l2tp_session_hlist_lock);
1706 EXPORT_SYMBOL_GPL(__l2tp_session_unhash);
1708 /* This function is used by the netlink SESSION_DELETE command and by
1711 int l2tp_session_delete(struct l2tp_session *session)
1713 if (test_and_set_bit(0, &session->dead))
1716 __l2tp_session_unhash(session);
1717 l2tp_session_queue_purge(session);
1718 if (session->session_close != NULL)
1719 (*session->session_close)(session);
1721 l2tp_session_dec_refcount(session);
1725 EXPORT_SYMBOL_GPL(l2tp_session_delete);
1727 /* We come here whenever a session's send_seq, cookie_len or
1728 * l2specific_len parameters are set.
1730 void l2tp_session_set_header_len(struct l2tp_session *session, int version)
1732 if (version == L2TP_HDR_VER_2) {
1733 session->hdr_len = 6;
1734 if (session->send_seq)
1735 session->hdr_len += 4;
1737 session->hdr_len = 4 + session->cookie_len + session->l2specific_len + session->offset;
1738 if (session->tunnel->encap == L2TP_ENCAPTYPE_UDP)
1739 session->hdr_len += 4;
1743 EXPORT_SYMBOL_GPL(l2tp_session_set_header_len);
1745 struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg)
1747 struct l2tp_session *session;
1749 session = kzalloc(sizeof(struct l2tp_session) + priv_size, GFP_KERNEL);
1750 if (session != NULL) {
1751 session->magic = L2TP_SESSION_MAGIC;
1752 session->tunnel = tunnel;
1754 session->session_id = session_id;
1755 session->peer_session_id = peer_session_id;
1757 if (tunnel->version == L2TP_HDR_VER_2)
1758 session->nr_max = 0xffff;
1760 session->nr_max = 0xffffff;
1761 session->nr_window_size = session->nr_max / 2;
1762 session->nr_oos_count_max = 4;
1764 /* Use NR of first received packet */
1765 session->reorder_skip = 1;
1767 sprintf(&session->name[0], "sess %u/%u",
1768 tunnel->tunnel_id, session->session_id);
1770 skb_queue_head_init(&session->reorder_q);
1772 INIT_HLIST_NODE(&session->hlist);
1773 INIT_HLIST_NODE(&session->global_hlist);
1775 /* Inherit debug options from tunnel */
1776 session->debug = tunnel->debug;
1779 session->pwtype = cfg->pw_type;
1780 session->debug = cfg->debug;
1781 session->mtu = cfg->mtu;
1782 session->mru = cfg->mru;
1783 session->send_seq = cfg->send_seq;
1784 session->recv_seq = cfg->recv_seq;
1785 session->lns_mode = cfg->lns_mode;
1786 session->reorder_timeout = cfg->reorder_timeout;
1787 session->offset = cfg->offset;
1788 session->l2specific_type = cfg->l2specific_type;
1789 session->l2specific_len = cfg->l2specific_len;
1790 session->cookie_len = cfg->cookie_len;
1791 memcpy(&session->cookie[0], &cfg->cookie[0], cfg->cookie_len);
1792 session->peer_cookie_len = cfg->peer_cookie_len;
1793 memcpy(&session->peer_cookie[0], &cfg->peer_cookie[0], cfg->peer_cookie_len);
1796 if (tunnel->version == L2TP_HDR_VER_2)
1797 session->build_header = l2tp_build_l2tpv2_header;
1799 session->build_header = l2tp_build_l2tpv3_header;
1801 l2tp_session_set_header_len(session, tunnel->version);
1803 refcount_set(&session->ref_count, 1);
1808 return ERR_PTR(-ENOMEM);
1810 EXPORT_SYMBOL_GPL(l2tp_session_create);
1812 /*****************************************************************************
1814 *****************************************************************************/
1816 static __net_init int l2tp_init_net(struct net *net)
1818 struct l2tp_net *pn = net_generic(net, l2tp_net_id);
1821 INIT_LIST_HEAD(&pn->l2tp_tunnel_list);
1822 spin_lock_init(&pn->l2tp_tunnel_list_lock);
1824 for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++)
1825 INIT_HLIST_HEAD(&pn->l2tp_session_hlist[hash]);
1827 spin_lock_init(&pn->l2tp_session_hlist_lock);
1832 static __net_exit void l2tp_exit_net(struct net *net)
1834 struct l2tp_net *pn = l2tp_pernet(net);
1835 struct l2tp_tunnel *tunnel = NULL;
1839 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
1840 l2tp_tunnel_delete(tunnel);
1842 rcu_read_unlock_bh();
1844 flush_workqueue(l2tp_wq);
1847 for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++)
1848 WARN_ON_ONCE(!hlist_empty(&pn->l2tp_session_hlist[hash]));
1851 static struct pernet_operations l2tp_net_ops = {
1852 .init = l2tp_init_net,
1853 .exit = l2tp_exit_net,
1855 .size = sizeof(struct l2tp_net),
1858 static int __init l2tp_init(void)
1862 rc = register_pernet_device(&l2tp_net_ops);
1866 l2tp_wq = alloc_workqueue("l2tp", WQ_UNBOUND, 0);
1868 pr_err("alloc_workqueue failed\n");
1869 unregister_pernet_device(&l2tp_net_ops);
1874 pr_info("L2TP core driver, %s\n", L2TP_DRV_VERSION);
1880 static void __exit l2tp_exit(void)
1882 unregister_pernet_device(&l2tp_net_ops);
1884 destroy_workqueue(l2tp_wq);
1889 module_init(l2tp_init);
1890 module_exit(l2tp_exit);
1892 MODULE_AUTHOR("James Chapman <jchapman@katalix.com>");
1893 MODULE_DESCRIPTION("L2TP core");
1894 MODULE_LICENSE("GPL");
1895 MODULE_VERSION(L2TP_DRV_VERSION);