[qemu.git] / net / l2tpv3.c

/*
 * QEMU System Emulator
 *
 * Copyright (c) 2003-2008 Fabrice Bellard
 * Copyright (c) 2012-2014 Cisco Systems
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 * THE SOFTWARE.
 */

#include <linux/ip.h>
#include <netdb.h>
#include "config-host.h"
#include "net/net.h"
#include "clients.h"
#include "monitor/monitor.h"
#include "qemu-common.h"
#include "qemu/error-report.h"
#include "qemu/option.h"
#include "qemu/sockets.h"
#include "qemu/iov.h"
#include "qemu/main-loop.h"


/* The buffer size needs to be investigated for optimum numbers and
 * optimum means of paging in on different systems. This size is
 * chosen to be sufficient to accommodate one packet with some headers
 */

#define BUFFER_ALIGN sysconf(_SC_PAGESIZE)
#define BUFFER_SIZE 2048
#define IOVSIZE 2
#define MAX_L2TPV3_MSGCNT 64
#define MAX_L2TPV3_IOVCNT (MAX_L2TPV3_MSGCNT * IOVSIZE)

/* Header set to 0x30000 signifies a data packet */

#define L2TPV3_DATA_PACKET 0x30000

/* IANA-assigned IP protocol ID for L2TPv3 */

#ifndef IPPROTO_L2TP
#define IPPROTO_L2TP 0x73
#endif

typedef struct NetL2TPV3State {
    NetClientState nc;
    int fd;

    /*
     * these are used for xmit - that happens packet a time
     * and for first sign of life packet (easier to parse that once)
     */

    uint8_t *header_buf;
    struct iovec *vec;

    /*
     * these are used for receive - try to "eat" up to 32 packets at a time
     */

    struct mmsghdr *msgvec;

    /*
     * peer address
     */

    struct sockaddr_storage *dgram_dst;
    uint32_t dst_size;

    /*
     * L2TPv3 parameters
     */

    uint64_t rx_cookie;
    uint64_t tx_cookie;
    uint32_t rx_session;
    uint32_t tx_session;
    uint32_t header_size;
    uint32_t counter;

    /*
    * DOS avoidance in error handling
    */

    bool header_mismatch;

    /*
     * Ring buffer handling
     */

    int queue_head;
    int queue_tail;
    int queue_depth;

    /*
     * Precomputed offsets
     */

    uint32_t offset;
    uint32_t cookie_offset;
    uint32_t counter_offset;
    uint32_t session_offset;

    /* Poll Control */

    bool read_poll;
    bool write_poll;

    /* Flags */

    bool ipv6;
    bool udp;
    bool has_counter;
    bool pin_counter;
    bool cookie;
    bool cookie_is_64;

} NetL2TPV3State;

static int l2tpv3_can_send(void *opaque);
static void net_l2tpv3_send(void *opaque);
static void l2tpv3_writable(void *opaque);

static void l2tpv3_update_fd_handler(NetL2TPV3State *s)
{
    qemu_set_fd_handler2(s->fd,
                         s->read_poll ? l2tpv3_can_send : NULL,
                         s->read_poll ? net_l2tpv3_send     : NULL,
                         s->write_poll ? l2tpv3_writable : NULL,
                         s);
}

static void l2tpv3_read_poll(NetL2TPV3State *s, bool enable)
{
    if (s->read_poll != enable) {
        s->read_poll = enable;
        l2tpv3_update_fd_handler(s);
    }
}

static void l2tpv3_write_poll(NetL2TPV3State *s, bool enable)
{
    if (s->write_poll != enable) {
        s->write_poll = enable;
        l2tpv3_update_fd_handler(s);
    }
}

static void l2tpv3_writable(void *opaque)
{
    NetL2TPV3State *s = opaque;
    l2tpv3_write_poll(s, false);
    qemu_flush_queued_packets(&s->nc);
}

static int l2tpv3_can_send(void *opaque)
{
    NetL2TPV3State *s = opaque;

    return qemu_can_send_packet(&s->nc);
}

static void l2tpv3_send_completed(NetClientState *nc, ssize_t len)
{
    NetL2TPV3State *s = DO_UPCAST(NetL2TPV3State, nc, nc);
    l2tpv3_read_poll(s, true);
}

static void l2tpv3_poll(NetClientState *nc, bool enable)
{
    NetL2TPV3State *s = DO_UPCAST(NetL2TPV3State, nc, nc);
    l2tpv3_write_poll(s, enable);
    l2tpv3_read_poll(s, enable);
}

static void l2tpv3_form_header(NetL2TPV3State *s)
{
    uint32_t *counter;

    if (s->udp) {
        stl_be_p((uint32_t *) s->header_buf, L2TPV3_DATA_PACKET);
    }
    stl_be_p(
            (uint32_t *) (s->header_buf + s->session_offset),
            s->tx_session
        );
    if (s->cookie) {
        if (s->cookie_is_64) {
            stq_be_p(
                (uint64_t *)(s->header_buf + s->cookie_offset),
                s->tx_cookie
            );
        } else {
            stl_be_p(
                (uint32_t *) (s->header_buf + s->cookie_offset),
                s->tx_cookie
            );
        }
    }
    if (s->has_counter) {
        counter = (uint32_t *)(s->header_buf + s->counter_offset);
        if (s->pin_counter) {
            *counter = 0;
        } else {
            stl_be_p(counter, ++s->counter);
        }
    }
}

static ssize_t net_l2tpv3_receive_dgram_iov(NetClientState *nc,
                    const struct iovec *iov,
                    int iovcnt)
{
    NetL2TPV3State *s = DO_UPCAST(NetL2TPV3State, nc, nc);

    struct msghdr message;
    int ret;

    if (iovcnt > MAX_L2TPV3_IOVCNT - 1) {
        error_report(
            "iovec too long %d > %d, change l2tpv3.h",
            iovcnt, MAX_L2TPV3_IOVCNT
        );
        return -1;
    }
    l2tpv3_form_header(s);
    memcpy(s->vec + 1, iov, iovcnt * sizeof(struct iovec));
    s->vec->iov_base = s->header_buf;
    s->vec->iov_len = s->offset;
    message.msg_name = s->dgram_dst;
    message.msg_namelen = s->dst_size;
    message.msg_iov = s->vec;
    message.msg_iovlen = iovcnt + 1;
    message.msg_control = NULL;
    message.msg_controllen = 0;
    message.msg_flags = 0;
    do {
        ret = sendmsg(s->fd, &message, 0);
    } while ((ret == -1) && (errno == EINTR));
    if (ret > 0) {
        ret -= s->offset;
    } else if (ret == 0) {
        /* belt and braces - should not occur on DGRAM
        * we should get an error and never a 0 send
        */
        ret = iov_size(iov, iovcnt);
    } else {
        /* signal upper layer that socket buffer is full */
        ret = -errno;
        if (ret == -EAGAIN || ret == -ENOBUFS) {
            l2tpv3_write_poll(s, true);
            ret = 0;
        }
    }
    return ret;
}

static ssize_t net_l2tpv3_receive_dgram(NetClientState *nc,
                    const uint8_t *buf,
                    size_t size)
{
    NetL2TPV3State *s = DO_UPCAST(NetL2TPV3State, nc, nc);

    struct iovec *vec;
    struct msghdr message;
    ssize_t ret = 0;

    l2tpv3_form_header(s);
    vec = s->vec;
    vec->iov_base = s->header_buf;
    vec->iov_len = s->offset;
    vec++;
    vec->iov_base = (void *) buf;
    vec->iov_len = size;
    message.msg_name = s->dgram_dst;
    message.msg_namelen = s->dst_size;
    message.msg_iov = s->vec;
    message.msg_iovlen = 2;
    message.msg_control = NULL;
    message.msg_controllen = 0;
    message.msg_flags = 0;
    do {
        ret = sendmsg(s->fd, &message, 0);
    } while ((ret == -1) && (errno == EINTR));
    if (ret > 0) {
        ret -= s->offset;
    } else if (ret == 0) {
        /* belt and braces - should not occur on DGRAM
        * we should get an error and never a 0 send
        */
        ret = size;
    } else {
        ret = -errno;
        if (ret == -EAGAIN || ret == -ENOBUFS) {
            /* signal upper layer that socket buffer is full */
            l2tpv3_write_poll(s, true);
            ret = 0;
        }
    }
    return ret;
}

static int l2tpv3_verify_header(NetL2TPV3State *s, uint8_t *buf)
{

    uint32_t *session;
    uint64_t cookie;

    if ((!s->udp) && (!s->ipv6)) {
        buf += sizeof(struct iphdr) /* fix for ipv4 raw */;
    }

    /* we do not do a strict check for "data" packets as per
    * the RFC spec because the pure IP spec does not have
    * that anyway.
    */

    if (s->cookie) {
        if (s->cookie_is_64) {
            cookie = ldq_be_p(buf + s->cookie_offset);
        } else {
            cookie = ldl_be_p(buf + s->cookie_offset);
        }
        if (cookie != s->rx_cookie) {
            if (!s->header_mismatch) {
                error_report("unknown cookie id");
            }
            return -1;
        }
    }
    session = (uint32_t *) (buf + s->session_offset);
    if (ldl_be_p(session) != s->rx_session) {
        if (!s->header_mismatch) {
            error_report("session mismatch");
        }
        return -1;
    }
    return 0;
}

static void net_l2tpv3_process_queue(NetL2TPV3State *s)
{
    int size = 0;
    struct iovec *vec;
    bool bad_read;
    int data_size;
    struct mmsghdr *msgvec;

    /* go into ring mode only if there is a "pending" tail */
    if (s->queue_depth > 0) {
        do {
            msgvec = s->msgvec + s->queue_tail;
            if (msgvec->msg_len > 0) {
                data_size = msgvec->msg_len - s->header_size;
                vec = msgvec->msg_hdr.msg_iov;
                if ((data_size > 0) &&
                    (l2tpv3_verify_header(s, vec->iov_base) == 0)) {
                    vec++;
                    /* Use the legacy delivery for now, we will
                     * switch to using our own ring as a queueing mechanism
                     * at a later date
                     */
                    size = qemu_send_packet_async(
                            &s->nc,
                            vec->iov_base,
                            data_size,
                            l2tpv3_send_completed
                        );
                    if (size == 0) {
                        l2tpv3_read_poll(s, false);
                    }
                    bad_read = false;
                } else {
                    bad_read = true;
                    if (!s->header_mismatch) {
                        /* report error only once */
                        error_report("l2tpv3 header verification failed");
                        s->header_mismatch = true;
                    }
                }
            } else {
                bad_read = true;
            }
            s->queue_tail = (s->queue_tail + 1) % MAX_L2TPV3_MSGCNT;
            s->queue_depth--;
        } while (
                (s->queue_depth > 0) &&
                 qemu_can_send_packet(&s->nc) &&
                ((size > 0) || bad_read)
            );
    }
}

static void net_l2tpv3_send(void *opaque)
{
    NetL2TPV3State *s = opaque;
    int target_count, count;
    struct mmsghdr *msgvec;

    /* go into ring mode only if there is a "pending" tail */

    if (s->queue_depth) {

        /* The ring buffer we use has variable intake
         * count of how much we can read varies - adjust accordingly
         */

        target_count = MAX_L2TPV3_MSGCNT - s->queue_depth;

        /* Ensure we do not overrun the ring when we have
         * a lot of enqueued packets
         */

        if (s->queue_head + target_count > MAX_L2TPV3_MSGCNT) {
            target_count = MAX_L2TPV3_MSGCNT - s->queue_head;
        }
    } else {

        /* we do not have any pending packets - we can use
        * the whole message vector linearly instead of using
        * it as a ring
        */

        s->queue_head = 0;
        s->queue_tail = 0;
        target_count = MAX_L2TPV3_MSGCNT;
    }

    msgvec = s->msgvec + s->queue_head;
    if (target_count > 0) {
        do {
            count = recvmmsg(
                s->fd,
                msgvec,
                target_count, MSG_DONTWAIT, NULL);
        } while ((count == -1) && (errno == EINTR));
        if (count < 0) {
            /* Recv error - we still need to flush packets here,
             * (re)set queue head to current position
             */
            count = 0;
        }
        s->queue_head = (s->queue_head + count) % MAX_L2TPV3_MSGCNT;
        s->queue_depth += count;
    }
    net_l2tpv3_process_queue(s);
}

static void destroy_vector(struct mmsghdr *msgvec, int count, int iovcount)
{
    int i, j;
    struct iovec *iov;
    struct mmsghdr *cleanup = msgvec;
    if (cleanup) {
        for (i = 0; i < count; i++) {
            if (cleanup->msg_hdr.msg_iov) {
                iov = cleanup->msg_hdr.msg_iov;
                for (j = 0; j < iovcount; j++) {
                    g_free(iov->iov_base);
                    iov++;
                }
                g_free(cleanup->msg_hdr.msg_iov);
            }
            cleanup++;
        }
        g_free(msgvec);
    }
}

static struct mmsghdr *build_l2tpv3_vector(NetL2TPV3State *s, int count)
{
    int i;
    struct iovec *iov;
    struct mmsghdr *msgvec, *result;

    msgvec = g_new(struct mmsghdr, count);
    result = msgvec;
    for (i = 0; i < count ; i++) {
        msgvec->msg_hdr.msg_name = NULL;
        msgvec->msg_hdr.msg_namelen = 0;
        iov =  g_new(struct iovec, IOVSIZE);
        msgvec->msg_hdr.msg_iov = iov;
        iov->iov_base = g_malloc(s->header_size);
        iov->iov_len = s->header_size;
        iov++ ;
        iov->iov_base = qemu_memalign(BUFFER_ALIGN, BUFFER_SIZE);
        iov->iov_len = BUFFER_SIZE;
        msgvec->msg_hdr.msg_iovlen = 2;
        msgvec->msg_hdr.msg_control = NULL;
        msgvec->msg_hdr.msg_controllen = 0;
        msgvec->msg_hdr.msg_flags = 0;
        msgvec++;
    }
    return result;
}

static void net_l2tpv3_cleanup(NetClientState *nc)
{
    NetL2TPV3State *s = DO_UPCAST(NetL2TPV3State, nc, nc);
    qemu_purge_queued_packets(nc);
    l2tpv3_read_poll(s, false);
    l2tpv3_write_poll(s, false);
    if (s->fd >= 0) {
        close(s->fd);
    }
    destroy_vector(s->msgvec, MAX_L2TPV3_MSGCNT, IOVSIZE);
    g_free(s->vec);
    g_free(s->header_buf);
    g_free(s->dgram_dst);
}

static NetClientInfo net_l2tpv3_info = {
    .type = NET_CLIENT_OPTIONS_KIND_L2TPV3,
    .size = sizeof(NetL2TPV3State),
    .receive = net_l2tpv3_receive_dgram,
    .receive_iov = net_l2tpv3_receive_dgram_iov,
    .poll = l2tpv3_poll,
    .cleanup = net_l2tpv3_cleanup,
};

int net_init_l2tpv3(const NetClientOptions *opts,
                    const char *name,
                    NetClientState *peer)
{


    const NetdevL2TPv3Options *l2tpv3;
    NetL2TPV3State *s;
    NetClientState *nc;
    int fd = -1, gairet;
    struct addrinfo hints;
    struct addrinfo *result = NULL;
    char *srcport, *dstport;

    nc = qemu_new_net_client(&net_l2tpv3_info, peer, "l2tpv3", name);

    s = DO_UPCAST(NetL2TPV3State, nc, nc);

    s->queue_head = 0;
    s->queue_tail = 0;
    s->header_mismatch = false;

    assert(opts->kind == NET_CLIENT_OPTIONS_KIND_L2TPV3);
    l2tpv3 = opts->l2tpv3;

    if (l2tpv3->has_ipv6 && l2tpv3->ipv6) {
        s->ipv6 = l2tpv3->ipv6;
    } else {
        s->ipv6 = false;
    }

    if ((l2tpv3->has_offset) && (l2tpv3->offset > 256)) {
        error_report("l2tpv3_open : offset must be less than 256 bytes");
        goto outerr;
    }

    if (l2tpv3->has_rxcookie || l2tpv3->has_txcookie) {
        if (l2tpv3->has_rxcookie && l2tpv3->has_txcookie) {
            s->cookie = true;
        } else {
            goto outerr;
        }
    } else {
        s->cookie = false;
    }

    if (l2tpv3->has_cookie64 || l2tpv3->cookie64) {
        s->cookie_is_64  = true;
    } else {
        s->cookie_is_64  = false;
    }

    if (l2tpv3->has_udp && l2tpv3->udp) {
        s->udp = true;
        if (!(l2tpv3->has_srcport && l2tpv3->has_dstport)) {
            error_report("l2tpv3_open : need both src and dst port for udp");
            goto outerr;
        } else {
            srcport = l2tpv3->srcport;
            dstport = l2tpv3->dstport;
        }
    } else {
        s->udp = false;
        srcport = NULL;
        dstport = NULL;
    }


    s->offset = 4;
    s->session_offset = 0;
    s->cookie_offset = 4;
    s->counter_offset = 4;

    s->tx_session = l2tpv3->txsession;
    if (l2tpv3->has_rxsession) {
        s->rx_session = l2tpv3->rxsession;
    } else {
        s->rx_session = s->tx_session;
    }

    if (s->cookie) {
        s->rx_cookie = l2tpv3->rxcookie;
        s->tx_cookie = l2tpv3->txcookie;
        if (s->cookie_is_64 == true) {
            /* 64 bit cookie */
            s->offset += 8;
            s->counter_offset += 8;
        } else {
            /* 32 bit cookie */
            s->offset += 4;
            s->counter_offset += 4;
        }
    }

    memset(&hints, 0, sizeof(hints));

    if (s->ipv6) {
        hints.ai_family = AF_INET6;
    } else {
        hints.ai_family = AF_INET;
    }
    if (s->udp) {
        hints.ai_socktype = SOCK_DGRAM;
        hints.ai_protocol = 0;
        s->offset += 4;
        s->counter_offset += 4;
        s->session_offset += 4;
        s->cookie_offset += 4;
    } else {
        hints.ai_socktype = SOCK_RAW;
        hints.ai_protocol = IPPROTO_L2TP;
    }

    gairet = getaddrinfo(l2tpv3->src, srcport, &hints, &result);

    if ((gairet != 0) || (result == NULL)) {
        error_report(
            "l2tpv3_open : could not resolve src, errno = %s",
            gai_strerror(gairet)
        );
        goto outerr;
    }
    fd = socket(result->ai_family, result->ai_socktype, result->ai_protocol);
    if (fd == -1) {
        fd = -errno;
        error_report("l2tpv3_open : socket creation failed, errno = %d", -fd);
        goto outerr;
    }
    if (bind(fd, (struct sockaddr *) result->ai_addr, result->ai_addrlen)) {
        error_report("l2tpv3_open :  could not bind socket err=%i", errno);
        goto outerr;
    }
    if (result) {
        freeaddrinfo(result);
    }

    memset(&hints, 0, sizeof(hints));

    if (s->ipv6) {
        hints.ai_family = AF_INET6;
    } else {
        hints.ai_family = AF_INET;
    }
    if (s->udp) {
        hints.ai_socktype = SOCK_DGRAM;
        hints.ai_protocol = 0;
    } else {
        hints.ai_socktype = SOCK_RAW;
        hints.ai_protocol = IPPROTO_L2TP;
    }

    result = NULL;
    gairet = getaddrinfo(l2tpv3->dst, dstport, &hints, &result);
    if ((gairet != 0) || (result == NULL)) {
        error_report(
            "l2tpv3_open : could not resolve dst, error = %s",
            gai_strerror(gairet)
        );
        goto outerr;
    }

    s->dgram_dst = g_new0(struct sockaddr_storage, 1);
    memcpy(s->dgram_dst, result->ai_addr, result->ai_addrlen);
    s->dst_size = result->ai_addrlen;

    if (result) {
        freeaddrinfo(result);
    }

    if (l2tpv3->has_counter && l2tpv3->counter) {
        s->has_counter = true;
        s->offset += 4;
    } else {
        s->has_counter = false;
    }

    if (l2tpv3->has_pincounter && l2tpv3->pincounter) {
        s->has_counter = true;  /* pin counter implies that there is counter */
        s->pin_counter = true;
    } else {
        s->pin_counter = false;
    }

    if (l2tpv3->has_offset) {
        /* extra offset */
        s->offset += l2tpv3->offset;
    }

    if ((s->ipv6) || (s->udp)) {
        s->header_size = s->offset;
    } else {
        s->header_size = s->offset + sizeof(struct iphdr);
    }

    s->msgvec = build_l2tpv3_vector(s, MAX_L2TPV3_MSGCNT);
    s->vec = g_new(struct iovec, MAX_L2TPV3_IOVCNT);
    s->header_buf = g_malloc(s->header_size);

    qemu_set_nonblock(fd);

    s->fd = fd;
    s->counter = 0;

    l2tpv3_read_poll(s, true);

    snprintf(s->nc.info_str, sizeof(s->nc.info_str),
             "l2tpv3: connected");
    return 0;
outerr:
    qemu_del_net_client(nc);
    if (fd >= 0) {
        close(fd);
    }
    if (result) {
        freeaddrinfo(result);
    }
    return -1;
}
Commit	Line	Data
3fb69aa1 AI	1	/*
	2	* QEMU System Emulator
	3	*
	4	* Copyright (c) 2003-2008 Fabrice Bellard
	5	* Copyright (c) 2012-2014 Cisco Systems
	6	*
	7	* Permission is hereby granted, free of charge, to any person obtaining a copy
	8	* of this software and associated documentation files (the "Software"), to deal
	9	* in the Software without restriction, including without limitation the rights
	10	* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
	11	* copies of the Software, and to permit persons to whom the Software is
	12	* furnished to do so, subject to the following conditions:
	13	*
	14	* The above copyright notice and this permission notice shall be included in
	15	* all copies or substantial portions of the Software.
	16	*
	17	* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
	18	* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
	19	* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
	20	* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
	21	* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
	22	* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
	23	* THE SOFTWARE.
	24	*/
	25
	26	#include <linux/ip.h>
	27	#include <netdb.h>
	28	#include "config-host.h"
	29	#include "net/net.h"
	30	#include "clients.h"
	31	#include "monitor/monitor.h"
	32	#include "qemu-common.h"
	33	#include "qemu/error-report.h"
	34	#include "qemu/option.h"
	35	#include "qemu/sockets.h"
	36	#include "qemu/iov.h"
	37	#include "qemu/main-loop.h"
	38
	39
	40	/* The buffer size needs to be investigated for optimum numbers and
	41	* optimum means of paging in on different systems. This size is
	42	* chosen to be sufficient to accommodate one packet with some headers
	43	*/
	44
	45	#define BUFFER_ALIGN sysconf(_SC_PAGESIZE)
	46	#define BUFFER_SIZE 2048
	47	#define IOVSIZE 2
	48	#define MAX_L2TPV3_MSGCNT 64
	49	#define MAX_L2TPV3_IOVCNT (MAX_L2TPV3_MSGCNT * IOVSIZE)
	50
	51	/* Header set to 0x30000 signifies a data packet */
	52
	53	#define L2TPV3_DATA_PACKET 0x30000
	54
	55	/* IANA-assigned IP protocol ID for L2TPv3 */
	56
	57	#ifndef IPPROTO_L2TP
	58	#define IPPROTO_L2TP 0x73
	59	#endif
	60
	61	typedef struct NetL2TPV3State {
	62	NetClientState nc;
	63	int fd;
	64
65	/*
66	* these are used for xmit - that happens packet a time
67	* and for first sign of life packet (easier to parse that once)
68	*/
69
70	uint8_t *header_buf;
71	struct iovec *vec;
72
73	/*
74	* these are used for receive - try to "eat" up to 32 packets at a time
75	*/
76
77	struct mmsghdr *msgvec;
78
79	/*
80	* peer address
81	*/
82
83	struct sockaddr_storage *dgram_dst;
84	uint32_t dst_size;
85
86	/*
87	* L2TPv3 parameters
88	*/
89
90	uint64_t rx_cookie;
91	uint64_t tx_cookie;
92	uint32_t rx_session;
93	uint32_t tx_session;
94	uint32_t header_size;
95	uint32_t counter;
96
97	/*
98	* DOS avoidance in error handling
99	*/
100
101	bool header_mismatch;
102
103	/*
104	* Ring buffer handling
105	*/
106
107	int queue_head;
108	int queue_tail;
109	int queue_depth;
110
111	/*
112	* Precomputed offsets
113	*/
114
115	uint32_t offset;
116	uint32_t cookie_offset;
117	uint32_t counter_offset;
118	uint32_t session_offset;
119
120	/* Poll Control */
121
122	bool read_poll;
123	bool write_poll;
124
125	/* Flags */
126
127	bool ipv6;
128	bool udp;
129	bool has_counter;
130	bool pin_counter;
131	bool cookie;
132	bool cookie_is_64;
133
134	} NetL2TPV3State;
135
136	static int l2tpv3_can_send(void *opaque);
137	static void net_l2tpv3_send(void *opaque);
138	static void l2tpv3_writable(void *opaque);
139
140	static void l2tpv3_update_fd_handler(NetL2TPV3State *s)
141	{
142	qemu_set_fd_handler2(s->fd,
143	s->read_poll ? l2tpv3_can_send : NULL,
144	s->read_poll ? net_l2tpv3_send : NULL,
145	s->write_poll ? l2tpv3_writable : NULL,
146	s);
147	}
148
149	static void l2tpv3_read_poll(NetL2TPV3State *s, bool enable)
150	{
151	if (s->read_poll != enable) {
152	s->read_poll = enable;
153	l2tpv3_update_fd_handler(s);
154	}
155	}
156
157	static void l2tpv3_write_poll(NetL2TPV3State *s, bool enable)
158	{
159	if (s->write_poll != enable) {
160	s->write_poll = enable;
161	l2tpv3_update_fd_handler(s);
162	}
163	}
164
165	static void l2tpv3_writable(void *opaque)
166	{
167	NetL2TPV3State *s = opaque;
168	l2tpv3_write_poll(s, false);
169	qemu_flush_queued_packets(&s->nc);
170	}
171
172	static int l2tpv3_can_send(void *opaque)
173	{
174	NetL2TPV3State *s = opaque;
175
176	return qemu_can_send_packet(&s->nc);
177	}
178
179	static void l2tpv3_send_completed(NetClientState *nc, ssize_t len)
180	{
181	NetL2TPV3State *s = DO_UPCAST(NetL2TPV3State, nc, nc);
182	l2tpv3_read_poll(s, true);
183	}
184
185	static void l2tpv3_poll(NetClientState *nc, bool enable)
186	{
187	NetL2TPV3State *s = DO_UPCAST(NetL2TPV3State, nc, nc);
188	l2tpv3_write_poll(s, enable);
189	l2tpv3_read_poll(s, enable);
190	}
191
192	static void l2tpv3_form_header(NetL2TPV3State *s)
193	{
194	uint32_t *counter;
195
196	if (s->udp) {
197	stl_be_p((uint32_t *) s->header_buf, L2TPV3_DATA_PACKET);
198	}
199	stl_be_p(
200	(uint32_t *) (s->header_buf + s->session_offset),
201	s->tx_session
202	);
203	if (s->cookie) {
204	if (s->cookie_is_64) {
205	stq_be_p(
206	(uint64_t *)(s->header_buf + s->cookie_offset),
207	s->tx_cookie
208	);
209	} else {
210	stl_be_p(
211	(uint32_t *) (s->header_buf + s->cookie_offset),
212	s->tx_cookie
213	);
214	}
215	}
216	if (s->has_counter) {
217	counter = (uint32_t *)(s->header_buf + s->counter_offset);
218	if (s->pin_counter) {
219	*counter = 0;
220	} else {
221	stl_be_p(counter, ++s->counter);
222	}
223	}
224	}
225
226	static ssize_t net_l2tpv3_receive_dgram_iov(NetClientState *nc,
227	const struct iovec *iov,
228	int iovcnt)
229	{
230	NetL2TPV3State *s = DO_UPCAST(NetL2TPV3State, nc, nc);
231
232	struct msghdr message;
233	int ret;
234
235	if (iovcnt > MAX_L2TPV3_IOVCNT - 1) {
236	error_report(
237	"iovec too long %d > %d, change l2tpv3.h",
238	iovcnt, MAX_L2TPV3_IOVCNT
239	);
240	return -1;
241	}
242	l2tpv3_form_header(s);
243	memcpy(s->vec + 1, iov, iovcnt * sizeof(struct iovec));
244	s->vec->iov_base = s->header_buf;
245	s->vec->iov_len = s->offset;
246	message.msg_name = s->dgram_dst;
247	message.msg_namelen = s->dst_size;
248	message.msg_iov = s->vec;
249	message.msg_iovlen = iovcnt + 1;
250	message.msg_control = NULL;
251	message.msg_controllen = 0;
252	message.msg_flags = 0;
253	do {
254	ret = sendmsg(s->fd, &message, 0);
255	} while ((ret == -1) && (errno == EINTR));
256	if (ret > 0) {
257	ret -= s->offset;
258	} else if (ret == 0) {
259	/* belt and braces - should not occur on DGRAM
260	* we should get an error and never a 0 send
261	*/
262	ret = iov_size(iov, iovcnt);
263	} else {
264	/* signal upper layer that socket buffer is full */
265	ret = -errno;
266	if (ret == -EAGAIN \|\| ret == -ENOBUFS) {
267	l2tpv3_write_poll(s, true);
268	ret = 0;
269	}
270	}
271	return ret;
272	}
273
274	static ssize_t net_l2tpv3_receive_dgram(NetClientState *nc,
275	const uint8_t *buf,
276	size_t size)
277	{
278	NetL2TPV3State *s = DO_UPCAST(NetL2TPV3State, nc, nc);
279
280	struct iovec *vec;
281	struct msghdr message;
282	ssize_t ret = 0;
283
284	l2tpv3_form_header(s);
285	vec = s->vec;
286	vec->iov_base = s->header_buf;
287	vec->iov_len = s->offset;
288	vec++;
289	vec->iov_base = (void *) buf;
290	vec->iov_len = size;
291	message.msg_name = s->dgram_dst;
292	message.msg_namelen = s->dst_size;
293	message.msg_iov = s->vec;
294	message.msg_iovlen = 2;
295	message.msg_control = NULL;
296	message.msg_controllen = 0;
297	message.msg_flags = 0;
298	do {
299	ret = sendmsg(s->fd, &message, 0);
300	} while ((ret == -1) && (errno == EINTR));
301	if (ret > 0) {
302	ret -= s->offset;
303	} else if (ret == 0) {
304	/* belt and braces - should not occur on DGRAM
305	* we should get an error and never a 0 send
306	*/
307	ret = size;
308	} else {
309	ret = -errno;
310	if (ret == -EAGAIN \|\| ret == -ENOBUFS) {
311	/* signal upper layer that socket buffer is full */
312	l2tpv3_write_poll(s, true);
313	ret = 0;
314	}
315	}
316	return ret;
317	}
318
319	static int l2tpv3_verify_header(NetL2TPV3State s, uint8_t buf)
320	{
321
322	uint32_t *session;
323	uint64_t cookie;
324
325	if ((!s->udp) && (!s->ipv6)) {
326	buf += sizeof(struct iphdr) /* fix for ipv4 raw */;
327	}
328
329	/* we do not do a strict check for "data" packets as per
330	* the RFC spec because the pure IP spec does not have
331	* that anyway.
332	*/
333
334	if (s->cookie) {
335	if (s->cookie_is_64) {
336	cookie = ldq_be_p(buf + s->cookie_offset);
337	} else {
338	cookie = ldl_be_p(buf + s->cookie_offset);
339	}
340	if (cookie != s->rx_cookie) {
341	if (!s->header_mismatch) {
342	error_report("unknown cookie id");
343	}
344	return -1;
345	}
346	}
347	session = (uint32_t *) (buf + s->session_offset);
348	if (ldl_be_p(session) != s->rx_session) {
349	if (!s->header_mismatch) {
350	error_report("session mismatch");
351	}
352	return -1;
353	}
354	return 0;
355	}
356
357	static void net_l2tpv3_process_queue(NetL2TPV3State *s)
358	{
359	int size = 0;
360	struct iovec *vec;
361	bool bad_read;
362	int data_size;
363	struct mmsghdr *msgvec;
364
365	/* go into ring mode only if there is a "pending" tail */
366	if (s->queue_depth > 0) {
367	do {
368	msgvec = s->msgvec + s->queue_tail;
369	if (msgvec->msg_len > 0) {
370	data_size = msgvec->msg_len - s->header_size;
371	vec = msgvec->msg_hdr.msg_iov;
372	if ((data_size > 0) &&
373	(l2tpv3_verify_header(s, vec->iov_base) == 0)) {
374	vec++;
375	/* Use the legacy delivery for now, we will
376	* switch to using our own ring as a queueing mechanism
377	* at a later date
378	*/
379	size = qemu_send_packet_async(
380	&s->nc,
381	vec->iov_base,
382	data_size,
383	l2tpv3_send_completed
384	);
385	if (size == 0) {
386	l2tpv3_read_poll(s, false);
387	}
388	bad_read = false;
389	} else {
390	bad_read = true;
391	if (!s->header_mismatch) {
392	/* report error only once */
393	error_report("l2tpv3 header verification failed");
394	s->header_mismatch = true;
395	}
396	}
397	} else {
398	bad_read = true;
399	}
400	s->queue_tail = (s->queue_tail + 1) % MAX_L2TPV3_MSGCNT;
401	s->queue_depth--;
402	} while (
403	(s->queue_depth > 0) &&
404	qemu_can_send_packet(&s->nc) &&
405	((size > 0) \|\| bad_read)
406	);
407	}
408	}
409
410	static void net_l2tpv3_send(void *opaque)
411	{
412	NetL2TPV3State *s = opaque;
413	int target_count, count;
414	struct mmsghdr *msgvec;
415
416	/* go into ring mode only if there is a "pending" tail */
417
418	if (s->queue_depth) {
419
420	/* The ring buffer we use has variable intake
421	* count of how much we can read varies - adjust accordingly
422	*/
423
424	target_count = MAX_L2TPV3_MSGCNT - s->queue_depth;
425
426	/* Ensure we do not overrun the ring when we have
427	* a lot of enqueued packets
428	*/
429
430	if (s->queue_head + target_count > MAX_L2TPV3_MSGCNT) {
431	target_count = MAX_L2TPV3_MSGCNT - s->queue_head;
432	}
433	} else {
434
435	/* we do not have any pending packets - we can use
436	* the whole message vector linearly instead of using
437	* it as a ring
438	*/
439
440	s->queue_head = 0;
441	s->queue_tail = 0;
442	target_count = MAX_L2TPV3_MSGCNT;
443	}
444
445	msgvec = s->msgvec + s->queue_head;
446	if (target_count > 0) {
447	do {
448	count = recvmmsg(
449	s->fd,
450	msgvec,
451	target_count, MSG_DONTWAIT, NULL);
452	} while ((count == -1) && (errno == EINTR));
453	if (count < 0) {
454	/* Recv error - we still need to flush packets here,
455	* (re)set queue head to current position
456	*/
457	count = 0;
458	}
459	s->queue_head = (s->queue_head + count) % MAX_L2TPV3_MSGCNT;
460	s->queue_depth += count;
461	}
462	net_l2tpv3_process_queue(s);
463	}
464
465	static void destroy_vector(struct mmsghdr *msgvec, int count, int iovcount)
466	{
467	int i, j;
468	struct iovec *iov;
469	struct mmsghdr *cleanup = msgvec;
470	if (cleanup) {
471	for (i = 0; i < count; i++) {
472	if (cleanup->msg_hdr.msg_iov) {
473	iov = cleanup->msg_hdr.msg_iov;
474	for (j = 0; j < iovcount; j++) {
475	g_free(iov->iov_base);
476	iov++;
477	}
478	g_free(cleanup->msg_hdr.msg_iov);
479	}
480	cleanup++;
481	}
482	g_free(msgvec);
483	}
484	}
485
486	static struct mmsghdr build_l2tpv3_vector(NetL2TPV3State s, int count)
487	{
488	int i;
489	struct iovec *iov;
490	struct mmsghdr msgvec, result;
491
58889fe5	492	msgvec = g_new(struct mmsghdr, count);
3fb69aa1 AI	493	result = msgvec;
	494	for (i = 0; i < count ; i++) {
	495	msgvec->msg_hdr.msg_name = NULL;
	496	msgvec->msg_hdr.msg_namelen = 0;
58889fe5	497	iov = g_new(struct iovec, IOVSIZE);
3fb69aa1 AI	498	msgvec->msg_hdr.msg_iov = iov;
	499	iov->iov_base = g_malloc(s->header_size);
	500	iov->iov_len = s->header_size;
	501	iov++ ;
	502	iov->iov_base = qemu_memalign(BUFFER_ALIGN, BUFFER_SIZE);
	503	iov->iov_len = BUFFER_SIZE;
	504	msgvec->msg_hdr.msg_iovlen = 2;
	505	msgvec->msg_hdr.msg_control = NULL;
	506	msgvec->msg_hdr.msg_controllen = 0;
	507	msgvec->msg_hdr.msg_flags = 0;
	508	msgvec++;
	509	}
	510	return result;
	511	}
	512
	513	static void net_l2tpv3_cleanup(NetClientState *nc)
	514	{
	515	NetL2TPV3State *s = DO_UPCAST(NetL2TPV3State, nc, nc);
	516	qemu_purge_queued_packets(nc);
	517	l2tpv3_read_poll(s, false);
	518	l2tpv3_write_poll(s, false);
d4754a95	519	if (s->fd >= 0) {
3fb69aa1 AI	520	close(s->fd);
	521	}
	522	destroy_vector(s->msgvec, MAX_L2TPV3_MSGCNT, IOVSIZE);
	523	g_free(s->vec);
	524	g_free(s->header_buf);
	525	g_free(s->dgram_dst);
	526	}
	527
	528	static NetClientInfo net_l2tpv3_info = {
	529	.type = NET_CLIENT_OPTIONS_KIND_L2TPV3,
	530	.size = sizeof(NetL2TPV3State),
	531	.receive = net_l2tpv3_receive_dgram,
	532	.receive_iov = net_l2tpv3_receive_dgram_iov,
	533	.poll = l2tpv3_poll,
	534	.cleanup = net_l2tpv3_cleanup,
	535	};
	536
	537	int net_init_l2tpv3(const NetClientOptions *opts,
	538	const char *name,
	539	NetClientState *peer)
	540	{
	541
	542
	543	const NetdevL2TPv3Options *l2tpv3;
	544	NetL2TPV3State *s;
	545	NetClientState *nc;
	546	int fd = -1, gairet;
	547	struct addrinfo hints;
	548	struct addrinfo *result = NULL;
	549	char srcport, dstport;
	550
	551	nc = qemu_new_net_client(&net_l2tpv3_info, peer, "l2tpv3", name);
	552
	553	s = DO_UPCAST(NetL2TPV3State, nc, nc);
	554
	555	s->queue_head = 0;
	556	s->queue_tail = 0;
	557	s->header_mismatch = false;
	558
	559	assert(opts->kind == NET_CLIENT_OPTIONS_KIND_L2TPV3);
	560	l2tpv3 = opts->l2tpv3;
	561
	562	if (l2tpv3->has_ipv6 && l2tpv3->ipv6) {
	563	s->ipv6 = l2tpv3->ipv6;
	564	} else {
	565	s->ipv6 = false;
	566	}
	567
	568	if ((l2tpv3->has_offset) && (l2tpv3->offset > 256)) {
	569	error_report("l2tpv3_open : offset must be less than 256 bytes");
	570	goto outerr;
	571	}
	572
	573	if (l2tpv3->has_rxcookie \|\| l2tpv3->has_txcookie) {
	574	if (l2tpv3->has_rxcookie && l2tpv3->has_txcookie) {
	575	s->cookie = true;
	576	} else {
	577	goto outerr;
	578	}
	579	} else {
	580	s->cookie = false;
	581	}
	582
	583	if (l2tpv3->has_cookie64 \|\| l2tpv3->cookie64) {
584	s->cookie_is_64 = true;
585	} else {
586	s->cookie_is_64 = false;
587	}
588
589	if (l2tpv3->has_udp && l2tpv3->udp) {
590	s->udp = true;
591	if (!(l2tpv3->has_srcport && l2tpv3->has_dstport)) {
592	error_report("l2tpv3_open : need both src and dst port for udp");
593	goto outerr;
594	} else {
595	srcport = l2tpv3->srcport;
596	dstport = l2tpv3->dstport;
597	}
598	} else {
599	s->udp = false;
600	srcport = NULL;
601	dstport = NULL;
602	}
603
604
605	s->offset = 4;
606	s->session_offset = 0;
607	s->cookie_offset = 4;
608	s->counter_offset = 4;
609
610	s->tx_session = l2tpv3->txsession;
611	if (l2tpv3->has_rxsession) {
612	s->rx_session = l2tpv3->rxsession;
613	} else {
614	s->rx_session = s->tx_session;
615	}
616
617	if (s->cookie) {
618	s->rx_cookie = l2tpv3->rxcookie;
619	s->tx_cookie = l2tpv3->txcookie;
620	if (s->cookie_is_64 == true) {
621	/* 64 bit cookie */
622	s->offset += 8;
623	s->counter_offset += 8;
624	} else {
625	/* 32 bit cookie */
626	s->offset += 4;
627	s->counter_offset += 4;
628	}
629	}
630
631	memset(&hints, 0, sizeof(hints));
632
633	if (s->ipv6) {
634	hints.ai_family = AF_INET6;
635	} else {
636	hints.ai_family = AF_INET;
637	}
638	if (s->udp) {
639	hints.ai_socktype = SOCK_DGRAM;
640	hints.ai_protocol = 0;
641	s->offset += 4;
642	s->counter_offset += 4;
643	s->session_offset += 4;
644	s->cookie_offset += 4;
645	} else {
646	hints.ai_socktype = SOCK_RAW;
647	hints.ai_protocol = IPPROTO_L2TP;
648	}
649
650	gairet = getaddrinfo(l2tpv3->src, srcport, &hints, &result);
651
652	if ((gairet != 0) \|\| (result == NULL)) {
653	error_report(
654	"l2tpv3_open : could not resolve src, errno = %s",
655	gai_strerror(gairet)
656	);
657	goto outerr;
658	}
659	fd = socket(result->ai_family, result->ai_socktype, result->ai_protocol);
660	if (fd == -1) {
661	fd = -errno;
662	error_report("l2tpv3_open : socket creation failed, errno = %d", -fd);
3fb69aa1 AI	663	goto outerr;
	664	}
	665	if (bind(fd, (struct sockaddr *) result->ai_addr, result->ai_addrlen)) {
	666	error_report("l2tpv3_open : could not bind socket err=%i", errno);
	667	goto outerr;
	668	}
	669	if (result) {
	670	freeaddrinfo(result);
	671	}
	672
	673	memset(&hints, 0, sizeof(hints));
	674
	675	if (s->ipv6) {
	676	hints.ai_family = AF_INET6;
	677	} else {
	678	hints.ai_family = AF_INET;
	679	}
	680	if (s->udp) {
	681	hints.ai_socktype = SOCK_DGRAM;
	682	hints.ai_protocol = 0;
	683	} else {
	684	hints.ai_socktype = SOCK_RAW;
	685	hints.ai_protocol = IPPROTO_L2TP;
	686	}
	687
	688	result = NULL;
	689	gairet = getaddrinfo(l2tpv3->dst, dstport, &hints, &result);
	690	if ((gairet != 0) \|\| (result == NULL)) {
	691	error_report(
	692	"l2tpv3_open : could not resolve dst, error = %s",
	693	gai_strerror(gairet)
	694	);
	695	goto outerr;
	696	}
	697
71e28e3c	698	s->dgram_dst = g_new0(struct sockaddr_storage, 1);
3fb69aa1 AI	699	memcpy(s->dgram_dst, result->ai_addr, result->ai_addrlen);
	700	s->dst_size = result->ai_addrlen;
	701
	702	if (result) {
	703	freeaddrinfo(result);
	704	}
	705
	706	if (l2tpv3->has_counter && l2tpv3->counter) {
	707	s->has_counter = true;
	708	s->offset += 4;
	709	} else {
	710	s->has_counter = false;
	711	}
	712
	713	if (l2tpv3->has_pincounter && l2tpv3->pincounter) {
	714	s->has_counter = true; /* pin counter implies that there is counter */
	715	s->pin_counter = true;
	716	} else {
	717	s->pin_counter = false;
	718	}
	719
	720	if (l2tpv3->has_offset) {
	721	/* extra offset */
	722	s->offset += l2tpv3->offset;
	723	}
	724
	725	if ((s->ipv6) \|\| (s->udp)) {
	726	s->header_size = s->offset;
	727	} else {
	728	s->header_size = s->offset + sizeof(struct iphdr);
	729	}
	730
	731	s->msgvec = build_l2tpv3_vector(s, MAX_L2TPV3_MSGCNT);
58889fe5	732	s->vec = g_new(struct iovec, MAX_L2TPV3_IOVCNT);
3fb69aa1 AI	733	s->header_buf = g_malloc(s->header_size);
	734
	735	qemu_set_nonblock(fd);
	736
	737	s->fd = fd;
	738	s->counter = 0;
	739
	740	l2tpv3_read_poll(s, true);
	741
	742	snprintf(s->nc.info_str, sizeof(s->nc.info_str),
	743	"l2tpv3: connected");
	744	return 0;
	745	outerr:
	746	qemu_del_net_client(nc);
d4754a95	747	if (fd >= 0) {
3fb69aa1 AI	748	close(fd);
	749	}
	750	if (result) {
	751	freeaddrinfo(result);
	752	}
	753	return -1;
	754	}
	755