gtp.c (46325B)
1// SPDX-License-Identifier: GPL-2.0-or-later 2/* GTP according to GSM TS 09.60 / 3GPP TS 29.060 3 * 4 * (C) 2012-2014 by sysmocom - s.f.m.c. GmbH 5 * (C) 2016 by Pablo Neira Ayuso <pablo@netfilter.org> 6 * 7 * Author: Harald Welte <hwelte@sysmocom.de> 8 * Pablo Neira Ayuso <pablo@netfilter.org> 9 * Andreas Schultz <aschultz@travelping.com> 10 */ 11 12#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 13 14#include <linux/module.h> 15#include <linux/skbuff.h> 16#include <linux/udp.h> 17#include <linux/rculist.h> 18#include <linux/jhash.h> 19#include <linux/if_tunnel.h> 20#include <linux/net.h> 21#include <linux/file.h> 22#include <linux/gtp.h> 23 24#include <net/net_namespace.h> 25#include <net/protocol.h> 26#include <net/ip.h> 27#include <net/udp.h> 28#include <net/udp_tunnel.h> 29#include <net/icmp.h> 30#include <net/xfrm.h> 31#include <net/genetlink.h> 32#include <net/netns/generic.h> 33#include <net/gtp.h> 34 35/* An active session for the subscriber. */ 36struct pdp_ctx { 37 struct hlist_node hlist_tid; 38 struct hlist_node hlist_addr; 39 40 union { 41 struct { 42 u64 tid; 43 u16 flow; 44 } v0; 45 struct { 46 u32 i_tei; 47 u32 o_tei; 48 } v1; 49 } u; 50 u8 gtp_version; 51 u16 af; 52 53 struct in_addr ms_addr_ip4; 54 struct in_addr peer_addr_ip4; 55 56 struct sock *sk; 57 struct net_device *dev; 58 59 atomic_t tx_seq; 60 struct rcu_head rcu_head; 61}; 62 63/* One instance of the GTP device. */ 64struct gtp_dev { 65 struct list_head list; 66 67 struct sock *sk0; 68 struct sock *sk1u; 69 u8 sk_created; 70 71 struct net_device *dev; 72 struct net *net; 73 74 unsigned int role; 75 unsigned int hash_size; 76 struct hlist_head *tid_hash; 77 struct hlist_head *addr_hash; 78 79 u8 restart_count; 80}; 81 82struct echo_info { 83 struct in_addr ms_addr_ip4; 84 struct in_addr peer_addr_ip4; 85 u8 gtp_version; 86}; 87 88static unsigned int gtp_net_id __read_mostly; 89 90struct gtp_net { 91 struct list_head gtp_dev_list; 92}; 93 94static u32 gtp_h_initval; 95 96static struct genl_family gtp_genl_family; 97 98enum gtp_multicast_groups { 99 GTP_GENL_MCGRP, 100}; 101 102static const struct genl_multicast_group gtp_genl_mcgrps[] = { 103 [GTP_GENL_MCGRP] = { .name = GTP_GENL_MCGRP_NAME }, 104}; 105 106static void pdp_context_delete(struct pdp_ctx *pctx); 107 108static inline u32 gtp0_hashfn(u64 tid) 109{ 110 u32 *tid32 = (u32 *) &tid; 111 return jhash_2words(tid32[0], tid32[1], gtp_h_initval); 112} 113 114static inline u32 gtp1u_hashfn(u32 tid) 115{ 116 return jhash_1word(tid, gtp_h_initval); 117} 118 119static inline u32 ipv4_hashfn(__be32 ip) 120{ 121 return jhash_1word((__force u32)ip, gtp_h_initval); 122} 123 124/* Resolve a PDP context structure based on the 64bit TID. */ 125static struct pdp_ctx *gtp0_pdp_find(struct gtp_dev *gtp, u64 tid) 126{ 127 struct hlist_head *head; 128 struct pdp_ctx *pdp; 129 130 head = >p->tid_hash[gtp0_hashfn(tid) % gtp->hash_size]; 131 132 hlist_for_each_entry_rcu(pdp, head, hlist_tid) { 133 if (pdp->gtp_version == GTP_V0 && 134 pdp->u.v0.tid == tid) 135 return pdp; 136 } 137 return NULL; 138} 139 140/* Resolve a PDP context structure based on the 32bit TEI. */ 141static struct pdp_ctx *gtp1_pdp_find(struct gtp_dev *gtp, u32 tid) 142{ 143 struct hlist_head *head; 144 struct pdp_ctx *pdp; 145 146 head = >p->tid_hash[gtp1u_hashfn(tid) % gtp->hash_size]; 147 148 hlist_for_each_entry_rcu(pdp, head, hlist_tid) { 149 if (pdp->gtp_version == GTP_V1 && 150 pdp->u.v1.i_tei == tid) 151 return pdp; 152 } 153 return NULL; 154} 155 156/* Resolve a PDP context based on IPv4 address of MS. */ 157static struct pdp_ctx *ipv4_pdp_find(struct gtp_dev *gtp, __be32 ms_addr) 158{ 159 struct hlist_head *head; 160 struct pdp_ctx *pdp; 161 162 head = >p->addr_hash[ipv4_hashfn(ms_addr) % gtp->hash_size]; 163 164 hlist_for_each_entry_rcu(pdp, head, hlist_addr) { 165 if (pdp->af == AF_INET && 166 pdp->ms_addr_ip4.s_addr == ms_addr) 167 return pdp; 168 } 169 170 return NULL; 171} 172 173static bool gtp_check_ms_ipv4(struct sk_buff *skb, struct pdp_ctx *pctx, 174 unsigned int hdrlen, unsigned int role) 175{ 176 struct iphdr *iph; 177 178 if (!pskb_may_pull(skb, hdrlen + sizeof(struct iphdr))) 179 return false; 180 181 iph = (struct iphdr *)(skb->data + hdrlen); 182 183 if (role == GTP_ROLE_SGSN) 184 return iph->daddr == pctx->ms_addr_ip4.s_addr; 185 else 186 return iph->saddr == pctx->ms_addr_ip4.s_addr; 187} 188 189/* Check if the inner IP address in this packet is assigned to any 190 * existing mobile subscriber. 191 */ 192static bool gtp_check_ms(struct sk_buff *skb, struct pdp_ctx *pctx, 193 unsigned int hdrlen, unsigned int role) 194{ 195 switch (ntohs(skb->protocol)) { 196 case ETH_P_IP: 197 return gtp_check_ms_ipv4(skb, pctx, hdrlen, role); 198 } 199 return false; 200} 201 202static int gtp_rx(struct pdp_ctx *pctx, struct sk_buff *skb, 203 unsigned int hdrlen, unsigned int role) 204{ 205 if (!gtp_check_ms(skb, pctx, hdrlen, role)) { 206 netdev_dbg(pctx->dev, "No PDP ctx for this MS\n"); 207 return 1; 208 } 209 210 /* Get rid of the GTP + UDP headers. */ 211 if (iptunnel_pull_header(skb, hdrlen, skb->protocol, 212 !net_eq(sock_net(pctx->sk), dev_net(pctx->dev)))) { 213 pctx->dev->stats.rx_length_errors++; 214 goto err; 215 } 216 217 netdev_dbg(pctx->dev, "forwarding packet from GGSN to uplink\n"); 218 219 /* Now that the UDP and the GTP header have been removed, set up the 220 * new network header. This is required by the upper layer to 221 * calculate the transport header. 222 */ 223 skb_reset_network_header(skb); 224 skb_reset_mac_header(skb); 225 226 skb->dev = pctx->dev; 227 228 dev_sw_netstats_rx_add(pctx->dev, skb->len); 229 230 __netif_rx(skb); 231 return 0; 232 233err: 234 pctx->dev->stats.rx_dropped++; 235 return -1; 236} 237 238static struct rtable *ip4_route_output_gtp(struct flowi4 *fl4, 239 const struct sock *sk, 240 __be32 daddr, __be32 saddr) 241{ 242 memset(fl4, 0, sizeof(*fl4)); 243 fl4->flowi4_oif = sk->sk_bound_dev_if; 244 fl4->daddr = daddr; 245 fl4->saddr = saddr; 246 fl4->flowi4_tos = RT_CONN_FLAGS(sk); 247 fl4->flowi4_proto = sk->sk_protocol; 248 249 return ip_route_output_key(sock_net(sk), fl4); 250} 251 252/* GSM TS 09.60. 7.3 253 * In all Path Management messages: 254 * - TID: is not used and shall be set to 0. 255 * - Flow Label is not used and shall be set to 0 256 * In signalling messages: 257 * - number: this field is not yet used in signalling messages. 258 * It shall be set to 255 by the sender and shall be ignored 259 * by the receiver 260 * Returns true if the echo req was correct, false otherwise. 261 */ 262static bool gtp0_validate_echo_hdr(struct gtp0_header *gtp0) 263{ 264 return !(gtp0->tid || (gtp0->flags ^ 0x1e) || 265 gtp0->number != 0xff || gtp0->flow); 266} 267 268/* msg_type has to be GTP_ECHO_REQ or GTP_ECHO_RSP */ 269static void gtp0_build_echo_msg(struct gtp0_header *hdr, __u8 msg_type) 270{ 271 int len_pkt, len_hdr; 272 273 hdr->flags = 0x1e; /* v0, GTP-non-prime. */ 274 hdr->type = msg_type; 275 /* GSM TS 09.60. 7.3 In all Path Management Flow Label and TID 276 * are not used and shall be set to 0. 277 */ 278 hdr->flow = 0; 279 hdr->tid = 0; 280 hdr->number = 0xff; 281 hdr->spare[0] = 0xff; 282 hdr->spare[1] = 0xff; 283 hdr->spare[2] = 0xff; 284 285 len_pkt = sizeof(struct gtp0_packet); 286 len_hdr = sizeof(struct gtp0_header); 287 288 if (msg_type == GTP_ECHO_RSP) 289 hdr->length = htons(len_pkt - len_hdr); 290 else 291 hdr->length = 0; 292} 293 294static int gtp0_send_echo_resp(struct gtp_dev *gtp, struct sk_buff *skb) 295{ 296 struct gtp0_packet *gtp_pkt; 297 struct gtp0_header *gtp0; 298 struct rtable *rt; 299 struct flowi4 fl4; 300 struct iphdr *iph; 301 __be16 seq; 302 303 gtp0 = (struct gtp0_header *)(skb->data + sizeof(struct udphdr)); 304 305 if (!gtp0_validate_echo_hdr(gtp0)) 306 return -1; 307 308 seq = gtp0->seq; 309 310 /* pull GTP and UDP headers */ 311 skb_pull_data(skb, sizeof(struct gtp0_header) + sizeof(struct udphdr)); 312 313 gtp_pkt = skb_push(skb, sizeof(struct gtp0_packet)); 314 memset(gtp_pkt, 0, sizeof(struct gtp0_packet)); 315 316 gtp0_build_echo_msg(>p_pkt->gtp0_h, GTP_ECHO_RSP); 317 318 /* GSM TS 09.60. 7.3 The Sequence Number in a signalling response 319 * message shall be copied from the signalling request message 320 * that the GSN is replying to. 321 */ 322 gtp_pkt->gtp0_h.seq = seq; 323 324 gtp_pkt->ie.tag = GTPIE_RECOVERY; 325 gtp_pkt->ie.val = gtp->restart_count; 326 327 iph = ip_hdr(skb); 328 329 /* find route to the sender, 330 * src address becomes dst address and vice versa. 331 */ 332 rt = ip4_route_output_gtp(&fl4, gtp->sk0, iph->saddr, iph->daddr); 333 if (IS_ERR(rt)) { 334 netdev_dbg(gtp->dev, "no route for echo response from %pI4\n", 335 &iph->saddr); 336 return -1; 337 } 338 339 udp_tunnel_xmit_skb(rt, gtp->sk0, skb, 340 fl4.saddr, fl4.daddr, 341 iph->tos, 342 ip4_dst_hoplimit(&rt->dst), 343 0, 344 htons(GTP0_PORT), htons(GTP0_PORT), 345 !net_eq(sock_net(gtp->sk1u), 346 dev_net(gtp->dev)), 347 false); 348 return 0; 349} 350 351static int gtp_genl_fill_echo(struct sk_buff *skb, u32 snd_portid, u32 snd_seq, 352 int flags, u32 type, struct echo_info echo) 353{ 354 void *genlh; 355 356 genlh = genlmsg_put(skb, snd_portid, snd_seq, >p_genl_family, flags, 357 type); 358 if (!genlh) 359 goto failure; 360 361 if (nla_put_u32(skb, GTPA_VERSION, echo.gtp_version) || 362 nla_put_be32(skb, GTPA_PEER_ADDRESS, echo.peer_addr_ip4.s_addr) || 363 nla_put_be32(skb, GTPA_MS_ADDRESS, echo.ms_addr_ip4.s_addr)) 364 goto failure; 365 366 genlmsg_end(skb, genlh); 367 return 0; 368 369failure: 370 genlmsg_cancel(skb, genlh); 371 return -EMSGSIZE; 372} 373 374static int gtp0_handle_echo_resp(struct gtp_dev *gtp, struct sk_buff *skb) 375{ 376 struct gtp0_header *gtp0; 377 struct echo_info echo; 378 struct sk_buff *msg; 379 struct iphdr *iph; 380 int ret; 381 382 gtp0 = (struct gtp0_header *)(skb->data + sizeof(struct udphdr)); 383 384 if (!gtp0_validate_echo_hdr(gtp0)) 385 return -1; 386 387 iph = ip_hdr(skb); 388 echo.ms_addr_ip4.s_addr = iph->daddr; 389 echo.peer_addr_ip4.s_addr = iph->saddr; 390 echo.gtp_version = GTP_V0; 391 392 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 393 if (!msg) 394 return -ENOMEM; 395 396 ret = gtp_genl_fill_echo(msg, 0, 0, 0, GTP_CMD_ECHOREQ, echo); 397 if (ret < 0) { 398 nlmsg_free(msg); 399 return ret; 400 } 401 402 return genlmsg_multicast_netns(>p_genl_family, dev_net(gtp->dev), 403 msg, 0, GTP_GENL_MCGRP, GFP_ATOMIC); 404} 405 406/* 1 means pass up to the stack, -1 means drop and 0 means decapsulated. */ 407static int gtp0_udp_encap_recv(struct gtp_dev *gtp, struct sk_buff *skb) 408{ 409 unsigned int hdrlen = sizeof(struct udphdr) + 410 sizeof(struct gtp0_header); 411 struct gtp0_header *gtp0; 412 struct pdp_ctx *pctx; 413 414 if (!pskb_may_pull(skb, hdrlen)) 415 return -1; 416 417 gtp0 = (struct gtp0_header *)(skb->data + sizeof(struct udphdr)); 418 419 if ((gtp0->flags >> 5) != GTP_V0) 420 return 1; 421 422 /* If the sockets were created in kernel, it means that 423 * there is no daemon running in userspace which would 424 * handle echo request. 425 */ 426 if (gtp0->type == GTP_ECHO_REQ && gtp->sk_created) 427 return gtp0_send_echo_resp(gtp, skb); 428 429 if (gtp0->type == GTP_ECHO_RSP && gtp->sk_created) 430 return gtp0_handle_echo_resp(gtp, skb); 431 432 if (gtp0->type != GTP_TPDU) 433 return 1; 434 435 pctx = gtp0_pdp_find(gtp, be64_to_cpu(gtp0->tid)); 436 if (!pctx) { 437 netdev_dbg(gtp->dev, "No PDP ctx to decap skb=%p\n", skb); 438 return 1; 439 } 440 441 return gtp_rx(pctx, skb, hdrlen, gtp->role); 442} 443 444/* msg_type has to be GTP_ECHO_REQ or GTP_ECHO_RSP */ 445static void gtp1u_build_echo_msg(struct gtp1_header_long *hdr, __u8 msg_type) 446{ 447 int len_pkt, len_hdr; 448 449 /* S flag must be set to 1 */ 450 hdr->flags = 0x32; /* v1, GTP-non-prime. */ 451 hdr->type = msg_type; 452 /* 3GPP TS 29.281 5.1 - TEID has to be set to 0 */ 453 hdr->tid = 0; 454 455 /* seq, npdu and next should be counted to the length of the GTP packet 456 * that's why szie of gtp1_header should be subtracted, 457 * not size of gtp1_header_long. 458 */ 459 460 len_hdr = sizeof(struct gtp1_header); 461 462 if (msg_type == GTP_ECHO_RSP) { 463 len_pkt = sizeof(struct gtp1u_packet); 464 hdr->length = htons(len_pkt - len_hdr); 465 } else { 466 /* GTP_ECHO_REQ does not carry GTP Information Element, 467 * the why gtp1_header_long is used here. 468 */ 469 len_pkt = sizeof(struct gtp1_header_long); 470 hdr->length = htons(len_pkt - len_hdr); 471 } 472} 473 474static int gtp1u_send_echo_resp(struct gtp_dev *gtp, struct sk_buff *skb) 475{ 476 struct gtp1_header_long *gtp1u; 477 struct gtp1u_packet *gtp_pkt; 478 struct rtable *rt; 479 struct flowi4 fl4; 480 struct iphdr *iph; 481 482 gtp1u = (struct gtp1_header_long *)(skb->data + sizeof(struct udphdr)); 483 484 /* 3GPP TS 29.281 5.1 - For the Echo Request, Echo Response, 485 * Error Indication and Supported Extension Headers Notification 486 * messages, the S flag shall be set to 1 and TEID shall be set to 0. 487 */ 488 if (!(gtp1u->flags & GTP1_F_SEQ) || gtp1u->tid) 489 return -1; 490 491 /* pull GTP and UDP headers */ 492 skb_pull_data(skb, 493 sizeof(struct gtp1_header_long) + sizeof(struct udphdr)); 494 495 gtp_pkt = skb_push(skb, sizeof(struct gtp1u_packet)); 496 memset(gtp_pkt, 0, sizeof(struct gtp1u_packet)); 497 498 gtp1u_build_echo_msg(>p_pkt->gtp1u_h, GTP_ECHO_RSP); 499 500 /* 3GPP TS 29.281 7.7.2 - The Restart Counter value in the 501 * Recovery information element shall not be used, i.e. it shall 502 * be set to zero by the sender and shall be ignored by the receiver. 503 * The Recovery information element is mandatory due to backwards 504 * compatibility reasons. 505 */ 506 gtp_pkt->ie.tag = GTPIE_RECOVERY; 507 gtp_pkt->ie.val = 0; 508 509 iph = ip_hdr(skb); 510 511 /* find route to the sender, 512 * src address becomes dst address and vice versa. 513 */ 514 rt = ip4_route_output_gtp(&fl4, gtp->sk1u, iph->saddr, iph->daddr); 515 if (IS_ERR(rt)) { 516 netdev_dbg(gtp->dev, "no route for echo response from %pI4\n", 517 &iph->saddr); 518 return -1; 519 } 520 521 udp_tunnel_xmit_skb(rt, gtp->sk1u, skb, 522 fl4.saddr, fl4.daddr, 523 iph->tos, 524 ip4_dst_hoplimit(&rt->dst), 525 0, 526 htons(GTP1U_PORT), htons(GTP1U_PORT), 527 !net_eq(sock_net(gtp->sk1u), 528 dev_net(gtp->dev)), 529 false); 530 return 0; 531} 532 533static int gtp1u_handle_echo_resp(struct gtp_dev *gtp, struct sk_buff *skb) 534{ 535 struct gtp1_header_long *gtp1u; 536 struct echo_info echo; 537 struct sk_buff *msg; 538 struct iphdr *iph; 539 int ret; 540 541 gtp1u = (struct gtp1_header_long *)(skb->data + sizeof(struct udphdr)); 542 543 /* 3GPP TS 29.281 5.1 - For the Echo Request, Echo Response, 544 * Error Indication and Supported Extension Headers Notification 545 * messages, the S flag shall be set to 1 and TEID shall be set to 0. 546 */ 547 if (!(gtp1u->flags & GTP1_F_SEQ) || gtp1u->tid) 548 return -1; 549 550 iph = ip_hdr(skb); 551 echo.ms_addr_ip4.s_addr = iph->daddr; 552 echo.peer_addr_ip4.s_addr = iph->saddr; 553 echo.gtp_version = GTP_V1; 554 555 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 556 if (!msg) 557 return -ENOMEM; 558 559 ret = gtp_genl_fill_echo(msg, 0, 0, 0, GTP_CMD_ECHOREQ, echo); 560 if (ret < 0) { 561 nlmsg_free(msg); 562 return ret; 563 } 564 565 return genlmsg_multicast_netns(>p_genl_family, dev_net(gtp->dev), 566 msg, 0, GTP_GENL_MCGRP, GFP_ATOMIC); 567} 568 569static int gtp1u_udp_encap_recv(struct gtp_dev *gtp, struct sk_buff *skb) 570{ 571 unsigned int hdrlen = sizeof(struct udphdr) + 572 sizeof(struct gtp1_header); 573 struct gtp1_header *gtp1; 574 struct pdp_ctx *pctx; 575 576 if (!pskb_may_pull(skb, hdrlen)) 577 return -1; 578 579 gtp1 = (struct gtp1_header *)(skb->data + sizeof(struct udphdr)); 580 581 if ((gtp1->flags >> 5) != GTP_V1) 582 return 1; 583 584 /* If the sockets were created in kernel, it means that 585 * there is no daemon running in userspace which would 586 * handle echo request. 587 */ 588 if (gtp1->type == GTP_ECHO_REQ && gtp->sk_created) 589 return gtp1u_send_echo_resp(gtp, skb); 590 591 if (gtp1->type == GTP_ECHO_RSP && gtp->sk_created) 592 return gtp1u_handle_echo_resp(gtp, skb); 593 594 if (gtp1->type != GTP_TPDU) 595 return 1; 596 597 /* From 29.060: "This field shall be present if and only if any one or 598 * more of the S, PN and E flags are set.". 599 * 600 * If any of the bit is set, then the remaining ones also have to be 601 * set. 602 */ 603 if (gtp1->flags & GTP1_F_MASK) 604 hdrlen += 4; 605 606 /* Make sure the header is larger enough, including extensions. */ 607 if (!pskb_may_pull(skb, hdrlen)) 608 return -1; 609 610 gtp1 = (struct gtp1_header *)(skb->data + sizeof(struct udphdr)); 611 612 pctx = gtp1_pdp_find(gtp, ntohl(gtp1->tid)); 613 if (!pctx) { 614 netdev_dbg(gtp->dev, "No PDP ctx to decap skb=%p\n", skb); 615 return 1; 616 } 617 618 return gtp_rx(pctx, skb, hdrlen, gtp->role); 619} 620 621static void __gtp_encap_destroy(struct sock *sk) 622{ 623 struct gtp_dev *gtp; 624 625 lock_sock(sk); 626 gtp = sk->sk_user_data; 627 if (gtp) { 628 if (gtp->sk0 == sk) 629 gtp->sk0 = NULL; 630 else 631 gtp->sk1u = NULL; 632 udp_sk(sk)->encap_type = 0; 633 rcu_assign_sk_user_data(sk, NULL); 634 sock_put(sk); 635 } 636 release_sock(sk); 637} 638 639static void gtp_encap_destroy(struct sock *sk) 640{ 641 rtnl_lock(); 642 __gtp_encap_destroy(sk); 643 rtnl_unlock(); 644} 645 646static void gtp_encap_disable_sock(struct sock *sk) 647{ 648 if (!sk) 649 return; 650 651 __gtp_encap_destroy(sk); 652} 653 654static void gtp_encap_disable(struct gtp_dev *gtp) 655{ 656 if (gtp->sk_created) { 657 udp_tunnel_sock_release(gtp->sk0->sk_socket); 658 udp_tunnel_sock_release(gtp->sk1u->sk_socket); 659 gtp->sk_created = false; 660 gtp->sk0 = NULL; 661 gtp->sk1u = NULL; 662 } else { 663 gtp_encap_disable_sock(gtp->sk0); 664 gtp_encap_disable_sock(gtp->sk1u); 665 } 666} 667 668/* UDP encapsulation receive handler. See net/ipv4/udp.c. 669 * Return codes: 0: success, <0: error, >0: pass up to userspace UDP socket. 670 */ 671static int gtp_encap_recv(struct sock *sk, struct sk_buff *skb) 672{ 673 struct gtp_dev *gtp; 674 int ret = 0; 675 676 gtp = rcu_dereference_sk_user_data(sk); 677 if (!gtp) 678 return 1; 679 680 netdev_dbg(gtp->dev, "encap_recv sk=%p\n", sk); 681 682 switch (udp_sk(sk)->encap_type) { 683 case UDP_ENCAP_GTP0: 684 netdev_dbg(gtp->dev, "received GTP0 packet\n"); 685 ret = gtp0_udp_encap_recv(gtp, skb); 686 break; 687 case UDP_ENCAP_GTP1U: 688 netdev_dbg(gtp->dev, "received GTP1U packet\n"); 689 ret = gtp1u_udp_encap_recv(gtp, skb); 690 break; 691 default: 692 ret = -1; /* Shouldn't happen. */ 693 } 694 695 switch (ret) { 696 case 1: 697 netdev_dbg(gtp->dev, "pass up to the process\n"); 698 break; 699 case 0: 700 break; 701 case -1: 702 netdev_dbg(gtp->dev, "GTP packet has been dropped\n"); 703 kfree_skb(skb); 704 ret = 0; 705 break; 706 } 707 708 return ret; 709} 710 711static int gtp_dev_init(struct net_device *dev) 712{ 713 struct gtp_dev *gtp = netdev_priv(dev); 714 715 gtp->dev = dev; 716 717 dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats); 718 if (!dev->tstats) 719 return -ENOMEM; 720 721 return 0; 722} 723 724static void gtp_dev_uninit(struct net_device *dev) 725{ 726 struct gtp_dev *gtp = netdev_priv(dev); 727 728 gtp_encap_disable(gtp); 729 free_percpu(dev->tstats); 730} 731 732static inline void gtp0_push_header(struct sk_buff *skb, struct pdp_ctx *pctx) 733{ 734 int payload_len = skb->len; 735 struct gtp0_header *gtp0; 736 737 gtp0 = skb_push(skb, sizeof(*gtp0)); 738 739 gtp0->flags = 0x1e; /* v0, GTP-non-prime. */ 740 gtp0->type = GTP_TPDU; 741 gtp0->length = htons(payload_len); 742 gtp0->seq = htons((atomic_inc_return(&pctx->tx_seq) - 1) % 0xffff); 743 gtp0->flow = htons(pctx->u.v0.flow); 744 gtp0->number = 0xff; 745 gtp0->spare[0] = gtp0->spare[1] = gtp0->spare[2] = 0xff; 746 gtp0->tid = cpu_to_be64(pctx->u.v0.tid); 747} 748 749static inline void gtp1_push_header(struct sk_buff *skb, struct pdp_ctx *pctx) 750{ 751 int payload_len = skb->len; 752 struct gtp1_header *gtp1; 753 754 gtp1 = skb_push(skb, sizeof(*gtp1)); 755 756 /* Bits 8 7 6 5 4 3 2 1 757 * +--+--+--+--+--+--+--+--+ 758 * |version |PT| 0| E| S|PN| 759 * +--+--+--+--+--+--+--+--+ 760 * 0 0 1 1 1 0 0 0 761 */ 762 gtp1->flags = 0x30; /* v1, GTP-non-prime. */ 763 gtp1->type = GTP_TPDU; 764 gtp1->length = htons(payload_len); 765 gtp1->tid = htonl(pctx->u.v1.o_tei); 766 767 /* TODO: Support for extension header, sequence number and N-PDU. 768 * Update the length field if any of them is available. 769 */ 770} 771 772struct gtp_pktinfo { 773 struct sock *sk; 774 struct iphdr *iph; 775 struct flowi4 fl4; 776 struct rtable *rt; 777 struct pdp_ctx *pctx; 778 struct net_device *dev; 779 __be16 gtph_port; 780}; 781 782static void gtp_push_header(struct sk_buff *skb, struct gtp_pktinfo *pktinfo) 783{ 784 switch (pktinfo->pctx->gtp_version) { 785 case GTP_V0: 786 pktinfo->gtph_port = htons(GTP0_PORT); 787 gtp0_push_header(skb, pktinfo->pctx); 788 break; 789 case GTP_V1: 790 pktinfo->gtph_port = htons(GTP1U_PORT); 791 gtp1_push_header(skb, pktinfo->pctx); 792 break; 793 } 794} 795 796static inline void gtp_set_pktinfo_ipv4(struct gtp_pktinfo *pktinfo, 797 struct sock *sk, struct iphdr *iph, 798 struct pdp_ctx *pctx, struct rtable *rt, 799 struct flowi4 *fl4, 800 struct net_device *dev) 801{ 802 pktinfo->sk = sk; 803 pktinfo->iph = iph; 804 pktinfo->pctx = pctx; 805 pktinfo->rt = rt; 806 pktinfo->fl4 = *fl4; 807 pktinfo->dev = dev; 808} 809 810static int gtp_build_skb_ip4(struct sk_buff *skb, struct net_device *dev, 811 struct gtp_pktinfo *pktinfo) 812{ 813 struct gtp_dev *gtp = netdev_priv(dev); 814 struct pdp_ctx *pctx; 815 struct rtable *rt; 816 struct flowi4 fl4; 817 struct iphdr *iph; 818 __be16 df; 819 int mtu; 820 821 /* Read the IP destination address and resolve the PDP context. 822 * Prepend PDP header with TEI/TID from PDP ctx. 823 */ 824 iph = ip_hdr(skb); 825 if (gtp->role == GTP_ROLE_SGSN) 826 pctx = ipv4_pdp_find(gtp, iph->saddr); 827 else 828 pctx = ipv4_pdp_find(gtp, iph->daddr); 829 830 if (!pctx) { 831 netdev_dbg(dev, "no PDP ctx found for %pI4, skip\n", 832 &iph->daddr); 833 return -ENOENT; 834 } 835 netdev_dbg(dev, "found PDP context %p\n", pctx); 836 837 rt = ip4_route_output_gtp(&fl4, pctx->sk, pctx->peer_addr_ip4.s_addr, 838 inet_sk(pctx->sk)->inet_saddr); 839 if (IS_ERR(rt)) { 840 netdev_dbg(dev, "no route to SSGN %pI4\n", 841 &pctx->peer_addr_ip4.s_addr); 842 dev->stats.tx_carrier_errors++; 843 goto err; 844 } 845 846 if (rt->dst.dev == dev) { 847 netdev_dbg(dev, "circular route to SSGN %pI4\n", 848 &pctx->peer_addr_ip4.s_addr); 849 dev->stats.collisions++; 850 goto err_rt; 851 } 852 853 /* This is similar to tnl_update_pmtu(). */ 854 df = iph->frag_off; 855 if (df) { 856 mtu = dst_mtu(&rt->dst) - dev->hard_header_len - 857 sizeof(struct iphdr) - sizeof(struct udphdr); 858 switch (pctx->gtp_version) { 859 case GTP_V0: 860 mtu -= sizeof(struct gtp0_header); 861 break; 862 case GTP_V1: 863 mtu -= sizeof(struct gtp1_header); 864 break; 865 } 866 } else { 867 mtu = dst_mtu(&rt->dst); 868 } 869 870 skb_dst_update_pmtu_no_confirm(skb, mtu); 871 872 if (!skb_is_gso(skb) && (iph->frag_off & htons(IP_DF)) && 873 mtu < ntohs(iph->tot_len)) { 874 netdev_dbg(dev, "packet too big, fragmentation needed\n"); 875 icmp_ndo_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 876 htonl(mtu)); 877 goto err_rt; 878 } 879 880 gtp_set_pktinfo_ipv4(pktinfo, pctx->sk, iph, pctx, rt, &fl4, dev); 881 gtp_push_header(skb, pktinfo); 882 883 return 0; 884err_rt: 885 ip_rt_put(rt); 886err: 887 return -EBADMSG; 888} 889 890static netdev_tx_t gtp_dev_xmit(struct sk_buff *skb, struct net_device *dev) 891{ 892 unsigned int proto = ntohs(skb->protocol); 893 struct gtp_pktinfo pktinfo; 894 int err; 895 896 /* Ensure there is sufficient headroom. */ 897 if (skb_cow_head(skb, dev->needed_headroom)) 898 goto tx_err; 899 900 skb_reset_inner_headers(skb); 901 902 /* PDP context lookups in gtp_build_skb_*() need rcu read-side lock. */ 903 rcu_read_lock(); 904 switch (proto) { 905 case ETH_P_IP: 906 err = gtp_build_skb_ip4(skb, dev, &pktinfo); 907 break; 908 default: 909 err = -EOPNOTSUPP; 910 break; 911 } 912 rcu_read_unlock(); 913 914 if (err < 0) 915 goto tx_err; 916 917 switch (proto) { 918 case ETH_P_IP: 919 netdev_dbg(pktinfo.dev, "gtp -> IP src: %pI4 dst: %pI4\n", 920 &pktinfo.iph->saddr, &pktinfo.iph->daddr); 921 udp_tunnel_xmit_skb(pktinfo.rt, pktinfo.sk, skb, 922 pktinfo.fl4.saddr, pktinfo.fl4.daddr, 923 pktinfo.iph->tos, 924 ip4_dst_hoplimit(&pktinfo.rt->dst), 925 0, 926 pktinfo.gtph_port, pktinfo.gtph_port, 927 !net_eq(sock_net(pktinfo.pctx->sk), 928 dev_net(dev)), 929 false); 930 break; 931 } 932 933 return NETDEV_TX_OK; 934tx_err: 935 dev->stats.tx_errors++; 936 dev_kfree_skb(skb); 937 return NETDEV_TX_OK; 938} 939 940static const struct net_device_ops gtp_netdev_ops = { 941 .ndo_init = gtp_dev_init, 942 .ndo_uninit = gtp_dev_uninit, 943 .ndo_start_xmit = gtp_dev_xmit, 944 .ndo_get_stats64 = dev_get_tstats64, 945}; 946 947static const struct device_type gtp_type = { 948 .name = "gtp", 949}; 950 951static void gtp_link_setup(struct net_device *dev) 952{ 953 unsigned int max_gtp_header_len = sizeof(struct iphdr) + 954 sizeof(struct udphdr) + 955 sizeof(struct gtp0_header); 956 957 dev->netdev_ops = >p_netdev_ops; 958 dev->needs_free_netdev = true; 959 SET_NETDEV_DEVTYPE(dev, >p_type); 960 961 dev->hard_header_len = 0; 962 dev->addr_len = 0; 963 dev->mtu = ETH_DATA_LEN - max_gtp_header_len; 964 965 /* Zero header length. */ 966 dev->type = ARPHRD_NONE; 967 dev->flags = IFF_POINTOPOINT | IFF_NOARP | IFF_MULTICAST; 968 969 dev->priv_flags |= IFF_NO_QUEUE; 970 dev->features |= NETIF_F_LLTX; 971 netif_keep_dst(dev); 972 973 dev->needed_headroom = LL_MAX_HEADER + max_gtp_header_len; 974} 975 976static int gtp_hashtable_new(struct gtp_dev *gtp, int hsize); 977static int gtp_encap_enable(struct gtp_dev *gtp, struct nlattr *data[]); 978 979static void gtp_destructor(struct net_device *dev) 980{ 981 struct gtp_dev *gtp = netdev_priv(dev); 982 983 kfree(gtp->addr_hash); 984 kfree(gtp->tid_hash); 985} 986 987static struct sock *gtp_create_sock(int type, struct gtp_dev *gtp) 988{ 989 struct udp_tunnel_sock_cfg tuncfg = {}; 990 struct udp_port_cfg udp_conf = { 991 .local_ip.s_addr = htonl(INADDR_ANY), 992 .family = AF_INET, 993 }; 994 struct net *net = gtp->net; 995 struct socket *sock; 996 int err; 997 998 if (type == UDP_ENCAP_GTP0) 999 udp_conf.local_udp_port = htons(GTP0_PORT); 1000 else if (type == UDP_ENCAP_GTP1U) 1001 udp_conf.local_udp_port = htons(GTP1U_PORT); 1002 else 1003 return ERR_PTR(-EINVAL); 1004 1005 err = udp_sock_create(net, &udp_conf, &sock); 1006 if (err) 1007 return ERR_PTR(err); 1008 1009 tuncfg.sk_user_data = gtp; 1010 tuncfg.encap_type = type; 1011 tuncfg.encap_rcv = gtp_encap_recv; 1012 tuncfg.encap_destroy = NULL; 1013 1014 setup_udp_tunnel_sock(net, sock, &tuncfg); 1015 1016 return sock->sk; 1017} 1018 1019static int gtp_create_sockets(struct gtp_dev *gtp, struct nlattr *data[]) 1020{ 1021 struct sock *sk1u = NULL; 1022 struct sock *sk0 = NULL; 1023 1024 sk0 = gtp_create_sock(UDP_ENCAP_GTP0, gtp); 1025 if (IS_ERR(sk0)) 1026 return PTR_ERR(sk0); 1027 1028 sk1u = gtp_create_sock(UDP_ENCAP_GTP1U, gtp); 1029 if (IS_ERR(sk1u)) { 1030 udp_tunnel_sock_release(sk0->sk_socket); 1031 return PTR_ERR(sk1u); 1032 } 1033 1034 gtp->sk_created = true; 1035 gtp->sk0 = sk0; 1036 gtp->sk1u = sk1u; 1037 1038 return 0; 1039} 1040 1041static int gtp_newlink(struct net *src_net, struct net_device *dev, 1042 struct nlattr *tb[], struct nlattr *data[], 1043 struct netlink_ext_ack *extack) 1044{ 1045 unsigned int role = GTP_ROLE_GGSN; 1046 struct gtp_dev *gtp; 1047 struct gtp_net *gn; 1048 int hashsize, err; 1049 1050 gtp = netdev_priv(dev); 1051 1052 if (!data[IFLA_GTP_PDP_HASHSIZE]) { 1053 hashsize = 1024; 1054 } else { 1055 hashsize = nla_get_u32(data[IFLA_GTP_PDP_HASHSIZE]); 1056 if (!hashsize) 1057 hashsize = 1024; 1058 } 1059 1060 if (data[IFLA_GTP_ROLE]) { 1061 role = nla_get_u32(data[IFLA_GTP_ROLE]); 1062 if (role > GTP_ROLE_SGSN) 1063 return -EINVAL; 1064 } 1065 gtp->role = role; 1066 1067 if (!data[IFLA_GTP_RESTART_COUNT]) 1068 gtp->restart_count = 0; 1069 else 1070 gtp->restart_count = nla_get_u8(data[IFLA_GTP_RESTART_COUNT]); 1071 1072 gtp->net = src_net; 1073 1074 err = gtp_hashtable_new(gtp, hashsize); 1075 if (err < 0) 1076 return err; 1077 1078 if (data[IFLA_GTP_CREATE_SOCKETS]) 1079 err = gtp_create_sockets(gtp, data); 1080 else 1081 err = gtp_encap_enable(gtp, data); 1082 if (err < 0) 1083 goto out_hashtable; 1084 1085 err = register_netdevice(dev); 1086 if (err < 0) { 1087 netdev_dbg(dev, "failed to register new netdev %d\n", err); 1088 goto out_encap; 1089 } 1090 1091 gn = net_generic(dev_net(dev), gtp_net_id); 1092 list_add_rcu(>p->list, &gn->gtp_dev_list); 1093 dev->priv_destructor = gtp_destructor; 1094 1095 netdev_dbg(dev, "registered new GTP interface\n"); 1096 1097 return 0; 1098 1099out_encap: 1100 gtp_encap_disable(gtp); 1101out_hashtable: 1102 kfree(gtp->addr_hash); 1103 kfree(gtp->tid_hash); 1104 return err; 1105} 1106 1107static void gtp_dellink(struct net_device *dev, struct list_head *head) 1108{ 1109 struct gtp_dev *gtp = netdev_priv(dev); 1110 struct pdp_ctx *pctx; 1111 int i; 1112 1113 for (i = 0; i < gtp->hash_size; i++) 1114 hlist_for_each_entry_rcu(pctx, >p->tid_hash[i], hlist_tid) 1115 pdp_context_delete(pctx); 1116 1117 list_del_rcu(>p->list); 1118 unregister_netdevice_queue(dev, head); 1119} 1120 1121static const struct nla_policy gtp_policy[IFLA_GTP_MAX + 1] = { 1122 [IFLA_GTP_FD0] = { .type = NLA_U32 }, 1123 [IFLA_GTP_FD1] = { .type = NLA_U32 }, 1124 [IFLA_GTP_PDP_HASHSIZE] = { .type = NLA_U32 }, 1125 [IFLA_GTP_ROLE] = { .type = NLA_U32 }, 1126 [IFLA_GTP_CREATE_SOCKETS] = { .type = NLA_U8 }, 1127 [IFLA_GTP_RESTART_COUNT] = { .type = NLA_U8 }, 1128}; 1129 1130static int gtp_validate(struct nlattr *tb[], struct nlattr *data[], 1131 struct netlink_ext_ack *extack) 1132{ 1133 if (!data) 1134 return -EINVAL; 1135 1136 return 0; 1137} 1138 1139static size_t gtp_get_size(const struct net_device *dev) 1140{ 1141 return nla_total_size(sizeof(__u32)) + /* IFLA_GTP_PDP_HASHSIZE */ 1142 nla_total_size(sizeof(__u32)) + /* IFLA_GTP_ROLE */ 1143 nla_total_size(sizeof(__u8)); /* IFLA_GTP_RESTART_COUNT */ 1144} 1145 1146static int gtp_fill_info(struct sk_buff *skb, const struct net_device *dev) 1147{ 1148 struct gtp_dev *gtp = netdev_priv(dev); 1149 1150 if (nla_put_u32(skb, IFLA_GTP_PDP_HASHSIZE, gtp->hash_size)) 1151 goto nla_put_failure; 1152 if (nla_put_u32(skb, IFLA_GTP_ROLE, gtp->role)) 1153 goto nla_put_failure; 1154 if (nla_put_u8(skb, IFLA_GTP_RESTART_COUNT, gtp->restart_count)) 1155 goto nla_put_failure; 1156 1157 return 0; 1158 1159nla_put_failure: 1160 return -EMSGSIZE; 1161} 1162 1163static struct rtnl_link_ops gtp_link_ops __read_mostly = { 1164 .kind = "gtp", 1165 .maxtype = IFLA_GTP_MAX, 1166 .policy = gtp_policy, 1167 .priv_size = sizeof(struct gtp_dev), 1168 .setup = gtp_link_setup, 1169 .validate = gtp_validate, 1170 .newlink = gtp_newlink, 1171 .dellink = gtp_dellink, 1172 .get_size = gtp_get_size, 1173 .fill_info = gtp_fill_info, 1174}; 1175 1176static int gtp_hashtable_new(struct gtp_dev *gtp, int hsize) 1177{ 1178 int i; 1179 1180 gtp->addr_hash = kmalloc_array(hsize, sizeof(struct hlist_head), 1181 GFP_KERNEL | __GFP_NOWARN); 1182 if (gtp->addr_hash == NULL) 1183 return -ENOMEM; 1184 1185 gtp->tid_hash = kmalloc_array(hsize, sizeof(struct hlist_head), 1186 GFP_KERNEL | __GFP_NOWARN); 1187 if (gtp->tid_hash == NULL) 1188 goto err1; 1189 1190 gtp->hash_size = hsize; 1191 1192 for (i = 0; i < hsize; i++) { 1193 INIT_HLIST_HEAD(>p->addr_hash[i]); 1194 INIT_HLIST_HEAD(>p->tid_hash[i]); 1195 } 1196 return 0; 1197err1: 1198 kfree(gtp->addr_hash); 1199 return -ENOMEM; 1200} 1201 1202static struct sock *gtp_encap_enable_socket(int fd, int type, 1203 struct gtp_dev *gtp) 1204{ 1205 struct udp_tunnel_sock_cfg tuncfg = {NULL}; 1206 struct socket *sock; 1207 struct sock *sk; 1208 int err; 1209 1210 pr_debug("enable gtp on %d, %d\n", fd, type); 1211 1212 sock = sockfd_lookup(fd, &err); 1213 if (!sock) { 1214 pr_debug("gtp socket fd=%d not found\n", fd); 1215 return NULL; 1216 } 1217 1218 sk = sock->sk; 1219 if (sk->sk_protocol != IPPROTO_UDP || 1220 sk->sk_type != SOCK_DGRAM || 1221 (sk->sk_family != AF_INET && sk->sk_family != AF_INET6)) { 1222 pr_debug("socket fd=%d not UDP\n", fd); 1223 sk = ERR_PTR(-EINVAL); 1224 goto out_sock; 1225 } 1226 1227 lock_sock(sk); 1228 if (sk->sk_user_data) { 1229 sk = ERR_PTR(-EBUSY); 1230 goto out_rel_sock; 1231 } 1232 1233 sock_hold(sk); 1234 1235 tuncfg.sk_user_data = gtp; 1236 tuncfg.encap_type = type; 1237 tuncfg.encap_rcv = gtp_encap_recv; 1238 tuncfg.encap_destroy = gtp_encap_destroy; 1239 1240 setup_udp_tunnel_sock(sock_net(sock->sk), sock, &tuncfg); 1241 1242out_rel_sock: 1243 release_sock(sock->sk); 1244out_sock: 1245 sockfd_put(sock); 1246 return sk; 1247} 1248 1249static int gtp_encap_enable(struct gtp_dev *gtp, struct nlattr *data[]) 1250{ 1251 struct sock *sk1u = NULL; 1252 struct sock *sk0 = NULL; 1253 1254 if (!data[IFLA_GTP_FD0] && !data[IFLA_GTP_FD1]) 1255 return -EINVAL; 1256 1257 if (data[IFLA_GTP_FD0]) { 1258 u32 fd0 = nla_get_u32(data[IFLA_GTP_FD0]); 1259 1260 sk0 = gtp_encap_enable_socket(fd0, UDP_ENCAP_GTP0, gtp); 1261 if (IS_ERR(sk0)) 1262 return PTR_ERR(sk0); 1263 } 1264 1265 if (data[IFLA_GTP_FD1]) { 1266 u32 fd1 = nla_get_u32(data[IFLA_GTP_FD1]); 1267 1268 sk1u = gtp_encap_enable_socket(fd1, UDP_ENCAP_GTP1U, gtp); 1269 if (IS_ERR(sk1u)) { 1270 gtp_encap_disable_sock(sk0); 1271 return PTR_ERR(sk1u); 1272 } 1273 } 1274 1275 gtp->sk0 = sk0; 1276 gtp->sk1u = sk1u; 1277 1278 return 0; 1279} 1280 1281static struct gtp_dev *gtp_find_dev(struct net *src_net, struct nlattr *nla[]) 1282{ 1283 struct gtp_dev *gtp = NULL; 1284 struct net_device *dev; 1285 struct net *net; 1286 1287 /* Examine the link attributes and figure out which network namespace 1288 * we are talking about. 1289 */ 1290 if (nla[GTPA_NET_NS_FD]) 1291 net = get_net_ns_by_fd(nla_get_u32(nla[GTPA_NET_NS_FD])); 1292 else 1293 net = get_net(src_net); 1294 1295 if (IS_ERR(net)) 1296 return NULL; 1297 1298 /* Check if there's an existing gtpX device to configure */ 1299 dev = dev_get_by_index_rcu(net, nla_get_u32(nla[GTPA_LINK])); 1300 if (dev && dev->netdev_ops == >p_netdev_ops) 1301 gtp = netdev_priv(dev); 1302 1303 put_net(net); 1304 return gtp; 1305} 1306 1307static void ipv4_pdp_fill(struct pdp_ctx *pctx, struct genl_info *info) 1308{ 1309 pctx->gtp_version = nla_get_u32(info->attrs[GTPA_VERSION]); 1310 pctx->af = AF_INET; 1311 pctx->peer_addr_ip4.s_addr = 1312 nla_get_be32(info->attrs[GTPA_PEER_ADDRESS]); 1313 pctx->ms_addr_ip4.s_addr = 1314 nla_get_be32(info->attrs[GTPA_MS_ADDRESS]); 1315 1316 switch (pctx->gtp_version) { 1317 case GTP_V0: 1318 /* According to TS 09.60, sections 7.5.1 and 7.5.2, the flow 1319 * label needs to be the same for uplink and downlink packets, 1320 * so let's annotate this. 1321 */ 1322 pctx->u.v0.tid = nla_get_u64(info->attrs[GTPA_TID]); 1323 pctx->u.v0.flow = nla_get_u16(info->attrs[GTPA_FLOW]); 1324 break; 1325 case GTP_V1: 1326 pctx->u.v1.i_tei = nla_get_u32(info->attrs[GTPA_I_TEI]); 1327 pctx->u.v1.o_tei = nla_get_u32(info->attrs[GTPA_O_TEI]); 1328 break; 1329 default: 1330 break; 1331 } 1332} 1333 1334static struct pdp_ctx *gtp_pdp_add(struct gtp_dev *gtp, struct sock *sk, 1335 struct genl_info *info) 1336{ 1337 struct pdp_ctx *pctx, *pctx_tid = NULL; 1338 struct net_device *dev = gtp->dev; 1339 u32 hash_ms, hash_tid = 0; 1340 unsigned int version; 1341 bool found = false; 1342 __be32 ms_addr; 1343 1344 ms_addr = nla_get_be32(info->attrs[GTPA_MS_ADDRESS]); 1345 hash_ms = ipv4_hashfn(ms_addr) % gtp->hash_size; 1346 version = nla_get_u32(info->attrs[GTPA_VERSION]); 1347 1348 pctx = ipv4_pdp_find(gtp, ms_addr); 1349 if (pctx) 1350 found = true; 1351 if (version == GTP_V0) 1352 pctx_tid = gtp0_pdp_find(gtp, 1353 nla_get_u64(info->attrs[GTPA_TID])); 1354 else if (version == GTP_V1) 1355 pctx_tid = gtp1_pdp_find(gtp, 1356 nla_get_u32(info->attrs[GTPA_I_TEI])); 1357 if (pctx_tid) 1358 found = true; 1359 1360 if (found) { 1361 if (info->nlhdr->nlmsg_flags & NLM_F_EXCL) 1362 return ERR_PTR(-EEXIST); 1363 if (info->nlhdr->nlmsg_flags & NLM_F_REPLACE) 1364 return ERR_PTR(-EOPNOTSUPP); 1365 1366 if (pctx && pctx_tid) 1367 return ERR_PTR(-EEXIST); 1368 if (!pctx) 1369 pctx = pctx_tid; 1370 1371 ipv4_pdp_fill(pctx, info); 1372 1373 if (pctx->gtp_version == GTP_V0) 1374 netdev_dbg(dev, "GTPv0-U: update tunnel id = %llx (pdp %p)\n", 1375 pctx->u.v0.tid, pctx); 1376 else if (pctx->gtp_version == GTP_V1) 1377 netdev_dbg(dev, "GTPv1-U: update tunnel id = %x/%x (pdp %p)\n", 1378 pctx->u.v1.i_tei, pctx->u.v1.o_tei, pctx); 1379 1380 return pctx; 1381 1382 } 1383 1384 pctx = kmalloc(sizeof(*pctx), GFP_ATOMIC); 1385 if (pctx == NULL) 1386 return ERR_PTR(-ENOMEM); 1387 1388 sock_hold(sk); 1389 pctx->sk = sk; 1390 pctx->dev = gtp->dev; 1391 ipv4_pdp_fill(pctx, info); 1392 atomic_set(&pctx->tx_seq, 0); 1393 1394 switch (pctx->gtp_version) { 1395 case GTP_V0: 1396 /* TS 09.60: "The flow label identifies unambiguously a GTP 1397 * flow.". We use the tid for this instead, I cannot find a 1398 * situation in which this doesn't unambiguosly identify the 1399 * PDP context. 1400 */ 1401 hash_tid = gtp0_hashfn(pctx->u.v0.tid) % gtp->hash_size; 1402 break; 1403 case GTP_V1: 1404 hash_tid = gtp1u_hashfn(pctx->u.v1.i_tei) % gtp->hash_size; 1405 break; 1406 } 1407 1408 hlist_add_head_rcu(&pctx->hlist_addr, >p->addr_hash[hash_ms]); 1409 hlist_add_head_rcu(&pctx->hlist_tid, >p->tid_hash[hash_tid]); 1410 1411 switch (pctx->gtp_version) { 1412 case GTP_V0: 1413 netdev_dbg(dev, "GTPv0-U: new PDP ctx id=%llx ssgn=%pI4 ms=%pI4 (pdp=%p)\n", 1414 pctx->u.v0.tid, &pctx->peer_addr_ip4, 1415 &pctx->ms_addr_ip4, pctx); 1416 break; 1417 case GTP_V1: 1418 netdev_dbg(dev, "GTPv1-U: new PDP ctx id=%x/%x ssgn=%pI4 ms=%pI4 (pdp=%p)\n", 1419 pctx->u.v1.i_tei, pctx->u.v1.o_tei, 1420 &pctx->peer_addr_ip4, &pctx->ms_addr_ip4, pctx); 1421 break; 1422 } 1423 1424 return pctx; 1425} 1426 1427static void pdp_context_free(struct rcu_head *head) 1428{ 1429 struct pdp_ctx *pctx = container_of(head, struct pdp_ctx, rcu_head); 1430 1431 sock_put(pctx->sk); 1432 kfree(pctx); 1433} 1434 1435static void pdp_context_delete(struct pdp_ctx *pctx) 1436{ 1437 hlist_del_rcu(&pctx->hlist_tid); 1438 hlist_del_rcu(&pctx->hlist_addr); 1439 call_rcu(&pctx->rcu_head, pdp_context_free); 1440} 1441 1442static int gtp_tunnel_notify(struct pdp_ctx *pctx, u8 cmd, gfp_t allocation); 1443 1444static int gtp_genl_new_pdp(struct sk_buff *skb, struct genl_info *info) 1445{ 1446 unsigned int version; 1447 struct pdp_ctx *pctx; 1448 struct gtp_dev *gtp; 1449 struct sock *sk; 1450 int err; 1451 1452 if (!info->attrs[GTPA_VERSION] || 1453 !info->attrs[GTPA_LINK] || 1454 !info->attrs[GTPA_PEER_ADDRESS] || 1455 !info->attrs[GTPA_MS_ADDRESS]) 1456 return -EINVAL; 1457 1458 version = nla_get_u32(info->attrs[GTPA_VERSION]); 1459 1460 switch (version) { 1461 case GTP_V0: 1462 if (!info->attrs[GTPA_TID] || 1463 !info->attrs[GTPA_FLOW]) 1464 return -EINVAL; 1465 break; 1466 case GTP_V1: 1467 if (!info->attrs[GTPA_I_TEI] || 1468 !info->attrs[GTPA_O_TEI]) 1469 return -EINVAL; 1470 break; 1471 1472 default: 1473 return -EINVAL; 1474 } 1475 1476 rtnl_lock(); 1477 1478 gtp = gtp_find_dev(sock_net(skb->sk), info->attrs); 1479 if (!gtp) { 1480 err = -ENODEV; 1481 goto out_unlock; 1482 } 1483 1484 if (version == GTP_V0) 1485 sk = gtp->sk0; 1486 else if (version == GTP_V1) 1487 sk = gtp->sk1u; 1488 else 1489 sk = NULL; 1490 1491 if (!sk) { 1492 err = -ENODEV; 1493 goto out_unlock; 1494 } 1495 1496 pctx = gtp_pdp_add(gtp, sk, info); 1497 if (IS_ERR(pctx)) { 1498 err = PTR_ERR(pctx); 1499 } else { 1500 gtp_tunnel_notify(pctx, GTP_CMD_NEWPDP, GFP_KERNEL); 1501 err = 0; 1502 } 1503 1504out_unlock: 1505 rtnl_unlock(); 1506 return err; 1507} 1508 1509static struct pdp_ctx *gtp_find_pdp_by_link(struct net *net, 1510 struct nlattr *nla[]) 1511{ 1512 struct gtp_dev *gtp; 1513 1514 gtp = gtp_find_dev(net, nla); 1515 if (!gtp) 1516 return ERR_PTR(-ENODEV); 1517 1518 if (nla[GTPA_MS_ADDRESS]) { 1519 __be32 ip = nla_get_be32(nla[GTPA_MS_ADDRESS]); 1520 1521 return ipv4_pdp_find(gtp, ip); 1522 } else if (nla[GTPA_VERSION]) { 1523 u32 gtp_version = nla_get_u32(nla[GTPA_VERSION]); 1524 1525 if (gtp_version == GTP_V0 && nla[GTPA_TID]) 1526 return gtp0_pdp_find(gtp, nla_get_u64(nla[GTPA_TID])); 1527 else if (gtp_version == GTP_V1 && nla[GTPA_I_TEI]) 1528 return gtp1_pdp_find(gtp, nla_get_u32(nla[GTPA_I_TEI])); 1529 } 1530 1531 return ERR_PTR(-EINVAL); 1532} 1533 1534static struct pdp_ctx *gtp_find_pdp(struct net *net, struct nlattr *nla[]) 1535{ 1536 struct pdp_ctx *pctx; 1537 1538 if (nla[GTPA_LINK]) 1539 pctx = gtp_find_pdp_by_link(net, nla); 1540 else 1541 pctx = ERR_PTR(-EINVAL); 1542 1543 if (!pctx) 1544 pctx = ERR_PTR(-ENOENT); 1545 1546 return pctx; 1547} 1548 1549static int gtp_genl_del_pdp(struct sk_buff *skb, struct genl_info *info) 1550{ 1551 struct pdp_ctx *pctx; 1552 int err = 0; 1553 1554 if (!info->attrs[GTPA_VERSION]) 1555 return -EINVAL; 1556 1557 rcu_read_lock(); 1558 1559 pctx = gtp_find_pdp(sock_net(skb->sk), info->attrs); 1560 if (IS_ERR(pctx)) { 1561 err = PTR_ERR(pctx); 1562 goto out_unlock; 1563 } 1564 1565 if (pctx->gtp_version == GTP_V0) 1566 netdev_dbg(pctx->dev, "GTPv0-U: deleting tunnel id = %llx (pdp %p)\n", 1567 pctx->u.v0.tid, pctx); 1568 else if (pctx->gtp_version == GTP_V1) 1569 netdev_dbg(pctx->dev, "GTPv1-U: deleting tunnel id = %x/%x (pdp %p)\n", 1570 pctx->u.v1.i_tei, pctx->u.v1.o_tei, pctx); 1571 1572 gtp_tunnel_notify(pctx, GTP_CMD_DELPDP, GFP_ATOMIC); 1573 pdp_context_delete(pctx); 1574 1575out_unlock: 1576 rcu_read_unlock(); 1577 return err; 1578} 1579 1580static int gtp_genl_fill_info(struct sk_buff *skb, u32 snd_portid, u32 snd_seq, 1581 int flags, u32 type, struct pdp_ctx *pctx) 1582{ 1583 void *genlh; 1584 1585 genlh = genlmsg_put(skb, snd_portid, snd_seq, >p_genl_family, flags, 1586 type); 1587 if (genlh == NULL) 1588 goto nlmsg_failure; 1589 1590 if (nla_put_u32(skb, GTPA_VERSION, pctx->gtp_version) || 1591 nla_put_u32(skb, GTPA_LINK, pctx->dev->ifindex) || 1592 nla_put_be32(skb, GTPA_PEER_ADDRESS, pctx->peer_addr_ip4.s_addr) || 1593 nla_put_be32(skb, GTPA_MS_ADDRESS, pctx->ms_addr_ip4.s_addr)) 1594 goto nla_put_failure; 1595 1596 switch (pctx->gtp_version) { 1597 case GTP_V0: 1598 if (nla_put_u64_64bit(skb, GTPA_TID, pctx->u.v0.tid, GTPA_PAD) || 1599 nla_put_u16(skb, GTPA_FLOW, pctx->u.v0.flow)) 1600 goto nla_put_failure; 1601 break; 1602 case GTP_V1: 1603 if (nla_put_u32(skb, GTPA_I_TEI, pctx->u.v1.i_tei) || 1604 nla_put_u32(skb, GTPA_O_TEI, pctx->u.v1.o_tei)) 1605 goto nla_put_failure; 1606 break; 1607 } 1608 genlmsg_end(skb, genlh); 1609 return 0; 1610 1611nlmsg_failure: 1612nla_put_failure: 1613 genlmsg_cancel(skb, genlh); 1614 return -EMSGSIZE; 1615} 1616 1617static int gtp_tunnel_notify(struct pdp_ctx *pctx, u8 cmd, gfp_t allocation) 1618{ 1619 struct sk_buff *msg; 1620 int ret; 1621 1622 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, allocation); 1623 if (!msg) 1624 return -ENOMEM; 1625 1626 ret = gtp_genl_fill_info(msg, 0, 0, 0, cmd, pctx); 1627 if (ret < 0) { 1628 nlmsg_free(msg); 1629 return ret; 1630 } 1631 1632 ret = genlmsg_multicast_netns(>p_genl_family, dev_net(pctx->dev), msg, 1633 0, GTP_GENL_MCGRP, GFP_ATOMIC); 1634 return ret; 1635} 1636 1637static int gtp_genl_get_pdp(struct sk_buff *skb, struct genl_info *info) 1638{ 1639 struct pdp_ctx *pctx = NULL; 1640 struct sk_buff *skb2; 1641 int err; 1642 1643 if (!info->attrs[GTPA_VERSION]) 1644 return -EINVAL; 1645 1646 rcu_read_lock(); 1647 1648 pctx = gtp_find_pdp(sock_net(skb->sk), info->attrs); 1649 if (IS_ERR(pctx)) { 1650 err = PTR_ERR(pctx); 1651 goto err_unlock; 1652 } 1653 1654 skb2 = genlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC); 1655 if (skb2 == NULL) { 1656 err = -ENOMEM; 1657 goto err_unlock; 1658 } 1659 1660 err = gtp_genl_fill_info(skb2, NETLINK_CB(skb).portid, info->snd_seq, 1661 0, info->nlhdr->nlmsg_type, pctx); 1662 if (err < 0) 1663 goto err_unlock_free; 1664 1665 rcu_read_unlock(); 1666 return genlmsg_unicast(genl_info_net(info), skb2, info->snd_portid); 1667 1668err_unlock_free: 1669 kfree_skb(skb2); 1670err_unlock: 1671 rcu_read_unlock(); 1672 return err; 1673} 1674 1675static int gtp_genl_dump_pdp(struct sk_buff *skb, 1676 struct netlink_callback *cb) 1677{ 1678 struct gtp_dev *last_gtp = (struct gtp_dev *)cb->args[2], *gtp; 1679 int i, j, bucket = cb->args[0], skip = cb->args[1]; 1680 struct net *net = sock_net(skb->sk); 1681 struct pdp_ctx *pctx; 1682 struct gtp_net *gn; 1683 1684 gn = net_generic(net, gtp_net_id); 1685 1686 if (cb->args[4]) 1687 return 0; 1688 1689 rcu_read_lock(); 1690 list_for_each_entry_rcu(gtp, &gn->gtp_dev_list, list) { 1691 if (last_gtp && last_gtp != gtp) 1692 continue; 1693 else 1694 last_gtp = NULL; 1695 1696 for (i = bucket; i < gtp->hash_size; i++) { 1697 j = 0; 1698 hlist_for_each_entry_rcu(pctx, >p->tid_hash[i], 1699 hlist_tid) { 1700 if (j >= skip && 1701 gtp_genl_fill_info(skb, 1702 NETLINK_CB(cb->skb).portid, 1703 cb->nlh->nlmsg_seq, 1704 NLM_F_MULTI, 1705 cb->nlh->nlmsg_type, pctx)) { 1706 cb->args[0] = i; 1707 cb->args[1] = j; 1708 cb->args[2] = (unsigned long)gtp; 1709 goto out; 1710 } 1711 j++; 1712 } 1713 skip = 0; 1714 } 1715 bucket = 0; 1716 } 1717 cb->args[4] = 1; 1718out: 1719 rcu_read_unlock(); 1720 return skb->len; 1721} 1722 1723static int gtp_genl_send_echo_req(struct sk_buff *skb, struct genl_info *info) 1724{ 1725 struct sk_buff *skb_to_send; 1726 __be32 src_ip, dst_ip; 1727 unsigned int version; 1728 struct gtp_dev *gtp; 1729 struct flowi4 fl4; 1730 struct rtable *rt; 1731 struct sock *sk; 1732 __be16 port; 1733 int len; 1734 1735 if (!info->attrs[GTPA_VERSION] || 1736 !info->attrs[GTPA_LINK] || 1737 !info->attrs[GTPA_PEER_ADDRESS] || 1738 !info->attrs[GTPA_MS_ADDRESS]) 1739 return -EINVAL; 1740 1741 version = nla_get_u32(info->attrs[GTPA_VERSION]); 1742 dst_ip = nla_get_be32(info->attrs[GTPA_PEER_ADDRESS]); 1743 src_ip = nla_get_be32(info->attrs[GTPA_MS_ADDRESS]); 1744 1745 gtp = gtp_find_dev(sock_net(skb->sk), info->attrs); 1746 if (!gtp) 1747 return -ENODEV; 1748 1749 if (!gtp->sk_created) 1750 return -EOPNOTSUPP; 1751 if (!(gtp->dev->flags & IFF_UP)) 1752 return -ENETDOWN; 1753 1754 if (version == GTP_V0) { 1755 struct gtp0_header *gtp0_h; 1756 1757 len = LL_RESERVED_SPACE(gtp->dev) + sizeof(struct gtp0_header) + 1758 sizeof(struct iphdr) + sizeof(struct udphdr); 1759 1760 skb_to_send = netdev_alloc_skb_ip_align(gtp->dev, len); 1761 if (!skb_to_send) 1762 return -ENOMEM; 1763 1764 sk = gtp->sk0; 1765 port = htons(GTP0_PORT); 1766 1767 gtp0_h = skb_push(skb_to_send, sizeof(struct gtp0_header)); 1768 memset(gtp0_h, 0, sizeof(struct gtp0_header)); 1769 gtp0_build_echo_msg(gtp0_h, GTP_ECHO_REQ); 1770 } else if (version == GTP_V1) { 1771 struct gtp1_header_long *gtp1u_h; 1772 1773 len = LL_RESERVED_SPACE(gtp->dev) + 1774 sizeof(struct gtp1_header_long) + 1775 sizeof(struct iphdr) + sizeof(struct udphdr); 1776 1777 skb_to_send = netdev_alloc_skb_ip_align(gtp->dev, len); 1778 if (!skb_to_send) 1779 return -ENOMEM; 1780 1781 sk = gtp->sk1u; 1782 port = htons(GTP1U_PORT); 1783 1784 gtp1u_h = skb_push(skb_to_send, 1785 sizeof(struct gtp1_header_long)); 1786 memset(gtp1u_h, 0, sizeof(struct gtp1_header_long)); 1787 gtp1u_build_echo_msg(gtp1u_h, GTP_ECHO_REQ); 1788 } else { 1789 return -ENODEV; 1790 } 1791 1792 rt = ip4_route_output_gtp(&fl4, sk, dst_ip, src_ip); 1793 if (IS_ERR(rt)) { 1794 netdev_dbg(gtp->dev, "no route for echo request to %pI4\n", 1795 &dst_ip); 1796 kfree_skb(skb_to_send); 1797 return -ENODEV; 1798 } 1799 1800 udp_tunnel_xmit_skb(rt, sk, skb_to_send, 1801 fl4.saddr, fl4.daddr, 1802 fl4.flowi4_tos, 1803 ip4_dst_hoplimit(&rt->dst), 1804 0, 1805 port, port, 1806 !net_eq(sock_net(sk), 1807 dev_net(gtp->dev)), 1808 false); 1809 return 0; 1810} 1811 1812static const struct nla_policy gtp_genl_policy[GTPA_MAX + 1] = { 1813 [GTPA_LINK] = { .type = NLA_U32, }, 1814 [GTPA_VERSION] = { .type = NLA_U32, }, 1815 [GTPA_TID] = { .type = NLA_U64, }, 1816 [GTPA_PEER_ADDRESS] = { .type = NLA_U32, }, 1817 [GTPA_MS_ADDRESS] = { .type = NLA_U32, }, 1818 [GTPA_FLOW] = { .type = NLA_U16, }, 1819 [GTPA_NET_NS_FD] = { .type = NLA_U32, }, 1820 [GTPA_I_TEI] = { .type = NLA_U32, }, 1821 [GTPA_O_TEI] = { .type = NLA_U32, }, 1822}; 1823 1824static const struct genl_small_ops gtp_genl_ops[] = { 1825 { 1826 .cmd = GTP_CMD_NEWPDP, 1827 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 1828 .doit = gtp_genl_new_pdp, 1829 .flags = GENL_ADMIN_PERM, 1830 }, 1831 { 1832 .cmd = GTP_CMD_DELPDP, 1833 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 1834 .doit = gtp_genl_del_pdp, 1835 .flags = GENL_ADMIN_PERM, 1836 }, 1837 { 1838 .cmd = GTP_CMD_GETPDP, 1839 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 1840 .doit = gtp_genl_get_pdp, 1841 .dumpit = gtp_genl_dump_pdp, 1842 .flags = GENL_ADMIN_PERM, 1843 }, 1844 { 1845 .cmd = GTP_CMD_ECHOREQ, 1846 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 1847 .doit = gtp_genl_send_echo_req, 1848 .flags = GENL_ADMIN_PERM, 1849 }, 1850}; 1851 1852static struct genl_family gtp_genl_family __ro_after_init = { 1853 .name = "gtp", 1854 .version = 0, 1855 .hdrsize = 0, 1856 .maxattr = GTPA_MAX, 1857 .policy = gtp_genl_policy, 1858 .netnsok = true, 1859 .module = THIS_MODULE, 1860 .small_ops = gtp_genl_ops, 1861 .n_small_ops = ARRAY_SIZE(gtp_genl_ops), 1862 .mcgrps = gtp_genl_mcgrps, 1863 .n_mcgrps = ARRAY_SIZE(gtp_genl_mcgrps), 1864}; 1865 1866static int __net_init gtp_net_init(struct net *net) 1867{ 1868 struct gtp_net *gn = net_generic(net, gtp_net_id); 1869 1870 INIT_LIST_HEAD(&gn->gtp_dev_list); 1871 return 0; 1872} 1873 1874static void __net_exit gtp_net_exit(struct net *net) 1875{ 1876 struct gtp_net *gn = net_generic(net, gtp_net_id); 1877 struct gtp_dev *gtp; 1878 LIST_HEAD(list); 1879 1880 rtnl_lock(); 1881 list_for_each_entry(gtp, &gn->gtp_dev_list, list) 1882 gtp_dellink(gtp->dev, &list); 1883 1884 unregister_netdevice_many(&list); 1885 rtnl_unlock(); 1886} 1887 1888static struct pernet_operations gtp_net_ops = { 1889 .init = gtp_net_init, 1890 .exit = gtp_net_exit, 1891 .id = >p_net_id, 1892 .size = sizeof(struct gtp_net), 1893}; 1894 1895static int __init gtp_init(void) 1896{ 1897 int err; 1898 1899 get_random_bytes(>p_h_initval, sizeof(gtp_h_initval)); 1900 1901 err = rtnl_link_register(>p_link_ops); 1902 if (err < 0) 1903 goto error_out; 1904 1905 err = genl_register_family(>p_genl_family); 1906 if (err < 0) 1907 goto unreg_rtnl_link; 1908 1909 err = register_pernet_subsys(>p_net_ops); 1910 if (err < 0) 1911 goto unreg_genl_family; 1912 1913 pr_info("GTP module loaded (pdp ctx size %zd bytes)\n", 1914 sizeof(struct pdp_ctx)); 1915 return 0; 1916 1917unreg_genl_family: 1918 genl_unregister_family(>p_genl_family); 1919unreg_rtnl_link: 1920 rtnl_link_unregister(>p_link_ops); 1921error_out: 1922 pr_err("error loading GTP module loaded\n"); 1923 return err; 1924} 1925late_initcall(gtp_init); 1926 1927static void __exit gtp_fini(void) 1928{ 1929 genl_unregister_family(>p_genl_family); 1930 rtnl_link_unregister(>p_link_ops); 1931 unregister_pernet_subsys(>p_net_ops); 1932 1933 pr_info("GTP module unloaded\n"); 1934} 1935module_exit(gtp_fini); 1936 1937MODULE_LICENSE("GPL"); 1938MODULE_AUTHOR("Harald Welte <hwelte@sysmocom.de>"); 1939MODULE_DESCRIPTION("Interface driver for GTP encapsulated traffic"); 1940MODULE_ALIAS_RTNL_LINK("gtp"); 1941MODULE_ALIAS_GENL_FAMILY("gtp");