/*
* OpenVPN -- An application to securely tunnel IP networks
* over a single TCP/UDP port, with support for SSL/TLS-based
* session authentication and key exchange,
* packet encryption, packet authentication, and
* packet compression.
*
* Copyright (C) 2002-2021 OpenVPN Technologies, Inc. <sales@openvpn.net>
* Copyright (C) 2010 Fabian Knittel <fabian.knittel@lettink.de>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
#include "config.h"
#elif defined(_MSC_VER)
#include "config-msvc.h"
#endif
#include "syshead.h"
#include "multi.h"
#include "options.h"
#include "vlan.h"
/*
* Retrieve the VLAN Identifier (VID) from the IEEE 802.1Q header.
*
* @param hdr Pointer to the Ethernet header with IEEE 802.1Q tagging.
* @return Returns the VID in host byte order.
*/
static uint16_t
vlanhdr_get_vid(const struct openvpn_8021qhdr *hdr)
{
    /* The TCI field is kept in network byte order. Mask off the PCP/CFI
     * bits in that byte order first, then convert the 12 VID bits to host
     * order for the caller. */
    const uint16_t vid_bits = hdr->pcp_cfi_vid & OPENVPN_8021Q_MASK_VID;
    return ntohs(vid_bits);
}
/*
* Set the VLAN Identifier (VID) in an IEEE 802.1Q header.
*
* @param hdr Pointer to the Ethernet header with IEEE 802.1Q tagging.
* @param vid The VID to set (in host byte order).
*/
static void
vlanhdr_set_vid(struct openvpn_8021qhdr *hdr, const uint16_t vid)
{
    /* Preserve whatever PCP/CFI bits the header already carries and
     * replace only the VID portion of the TCI. Both halves are combined
     * in network byte order, so the host-order vid is converted first. */
    const uint16_t kept_bits = hdr->pcp_cfi_vid & ~OPENVPN_8021Q_MASK_VID;
    const uint16_t new_bits = htons(vid) & OPENVPN_8021Q_MASK_VID;
    hdr->pcp_cfi_vid = kept_bits | new_bits;
}
/*
* vlan_decapsulate - remove 802.1q header and return VID
*
* For vlan_accept == VLAN_ONLY_UNTAGGED_OR_PRIORITY:
* Only untagged frames and frames that are priority-tagged (VID == 0) are
* accepted. (This means that VLAN-tagged frames are dropped.) For frames
* that aren't dropped, the global vlan_pvid is returned as VID.
*
* For vlan_accept == VLAN_ONLY_TAGGED:
* If a frame is VLAN-tagged the tagging is removed and the embedded VID is
* returned. Any included priority information is lost.
* If a frame isn't VLAN-tagged, the frame is dropped.
*
* For vlan_accept == VLAN_ALL:
* Accepts both VLAN-tagged and untagged (or priority-tagged) frames and
* handles them as described above.
*
* @param c The global context.
* @param buf The ethernet frame.
* @return Returns -1 if the frame is dropped (buf->len is set to 0 in that
*         case) or the VID if it is accepted.
*/
int16_t
vlan_decapsulate(const struct context *c, struct buffer *buf)
{
    /* Whatever the tagging, a frame must at least hold a plain Ethernet
     * header before the EtherType slot can be inspected. */
    if (BLEN(buf) < sizeof(struct openvpn_ethhdr))
    {
        goto drop;
    }
    struct openvpn_ethhdr *ethhdr = (struct openvpn_ethhdr *)BPTR(buf);

    /* ---- untagged frame: EtherType slot does not hold the 802.1Q TPID ---- */
    if (ethhdr->proto != htons(OPENVPN_ETH_P_8021Q))
    {
        if (c->options.vlan_accept == VLAN_ONLY_TAGGED)
        {
            msg(D_VLAN_DEBUG,
                "dropping frame without vlan-tag (proto/len 0x%04x)",
                ntohs(ethhdr->proto));
            goto drop;
        }
        /* Accepted as-is and attributed to the port's native VID. */
        msg(D_VLAN_DEBUG,
            "assuming pvid for frame without vlan-tag, pvid: %u (proto/len 0x%04x)",
            c->options.vlan_pvid, ntohs(ethhdr->proto));
        return c->options.vlan_pvid;
    }

    /* ---- tagged frame: the complete 802.1Q header must be present ---- */
    if (BLEN(buf) < sizeof(struct openvpn_8021qhdr))
    {
        goto drop;
    }
    const struct openvpn_8021qhdr *vlanhdr = (const struct openvpn_8021qhdr *)BPTR(buf);
    const uint16_t vid = vlanhdr_get_vid(vlanhdr);

    if (c->options.vlan_accept == VLAN_ONLY_UNTAGGED_OR_PRIORITY)
    {
        /* Only priority-tagged frames (VID 0) may pass in this mode. */
        if (vid != 0)
        {
            msg(D_VLAN_DEBUG, "dropping frame with vlan-tag, vid: %u (proto/len 0x%04x)",
                vid, ntohs(vlanhdr->proto));
            goto drop;
        }
    }
    else if (c->options.vlan_accept != VLAN_ONLY_TAGGED
             && c->options.vlan_accept != VLAN_ALL)
    {
        /* Any accept mode other than the three known ones drops the frame. */
        goto drop;
    }

    if (vid == 0)
    {
        /* Priority-tagged frame: forwarded untouched so the PCP bits
         * survive; it belongs to the port's native VID. */
        return c->options.vlan_pvid;
    }

    /* Proper VLAN tag: strip the 4-byte tag and hand back its VID. */
    msg(D_VLAN_DEBUG,
        "removing vlan-tag from frame: vid: %u, wrapped proto/len: 0x%04x",
        vid, ntohs(vlanhdr->proto));

    /* The encapsulated EtherType lives in the slot that the memmove()
     * below overwrites, so it is saved first and restored afterwards.
     * NOTE(review): if this inner EtherType is itself 0x8100 (a
     * double-tagged frame) the inner tag is left in place and only the
     * outer VID is returned -- confirm that is the intended handling. */
    const uint16_t inner_proto = vlanhdr->proto;

    /* Shrink the headroom by the tag size, then slide dst/src MAC to the
     * new head. Source and destination overlap, hence memmove(). */
    buf_advance(buf, SIZE_ETH_TO_8021Q_HDR);
    ethhdr = memmove(BPTR(buf), vlanhdr, sizeof(*ethhdr));
    ethhdr->proto = inner_proto;
    return vid;

drop:
    buf->len = 0;
    return -1;
}
/*
* vlan_encapsulate - add 802.1q header and set the context related VID
*
* Called for vlan_accept == VLAN_ONLY_TAGGED, and for VLAN_ALL when the
* frame's VID differs from the TAP port's PVID (see vlan_process_outgoing_tun).
* Frames that already carry a real VLAN tag (VID != 0) are dropped here
* rather than double-tagged.
*
* @param c The current context.
* @param buf The ethernet frame to encapsulate.
*/
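void
vlan_encapsulate(const struct context *c, struct buffer *buf)
{
    const struct openvpn_ethhdr *ethhdr;
    struct openvpn_8021qhdr *vlanhdr;

    /* Need at least a plain Ethernet header to look at the EtherType. */
    if (BLEN(buf) < sizeof(*ethhdr))
    {
        goto drop;
    }
    ethhdr = (const struct openvpn_ethhdr *)BPTR(buf);

    if (ethhdr->proto == htons(OPENVPN_ETH_P_8021Q))
    {
        /* Frame already carries an 802.1Q header. Callers are expected to
         * have dropped VLAN-tagged frames earlier, so this should be a
         * priority-tagged frame (VID == 0) -- verify rather than trust. */
        if (BLEN(buf) < sizeof(*vlanhdr))
        {
            goto drop;
        }
        vlanhdr = (struct openvpn_8021qhdr *)BPTR(buf);
        if (vlanhdr_get_vid(vlanhdr) != 0)
        {
            /* A real VLAN tag is present: never stack a second one. */
            goto drop;
        }
        /* PCP/CFI bits are kept; only the VID is rewritten below. */
    }
    else
    {
        /* Untagged frame: grow a 4-byte tag into the buffer's headroom
         * between the MAC addresses and the EtherType. */
        if (buf_reverse_capacity(buf) < SIZE_ETH_TO_8021Q_HDR)
        {
            goto drop;
        }
        vlanhdr = (struct openvpn_8021qhdr *)buf_prepend(buf,
                                                        SIZE_ETH_TO_8021Q_HDR);

        /* Save the original EtherType first: the memmove() below slides the
         * header over the slot it lives in. */
        const uint16_t inner_proto = ethhdr->proto;
        /* Move dst/src MAC to the new head; regions overlap, so memmove(). */
        memmove(vlanhdr, ethhdr, sizeof(*ethhdr));
        vlanhdr->tpid = htons(OPENVPN_ETH_P_8021Q);
        vlanhdr->pcp_cfi_vid = 0;   /* PCP, CFI/DEI and VID all cleared; VID set below */
        vlanhdr->proto = inner_proto;
    }

    /* Tag with the VID of the client instance this frame belongs to. */
    vlanhdr_set_vid(vlanhdr, c->options.vlan_pvid);
    /* Log in host byte order, consistent with the other vlan debug messages
     * (previously the raw network-order value was printed). */
    msg(D_VLAN_DEBUG, "tagging frame: vid %u (wrapping proto/len: 0x%04x)",
        c->options.vlan_pvid, ntohs(vlanhdr->proto));
    return;

drop:
    /* Drop the frame. */
    buf->len = 0;
}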
/*
* vlan_is_tagged - check if a packet is VLAN-tagged
*
* Checks whether ethernet frame is VLAN-tagged.
*
* @param buf The ethernet frame.
* @return Returns true if the frame is VLAN-tagged, false otherwise.
*/
bool
vlan_is_tagged(const struct buffer *buf)
{
    /* A tagged frame needs the whole 802.1Q header; anything shorter cannot
     * be tagged, whatever its EtherType slot happens to contain. */
    if (BLEN(buf) < sizeof(struct openvpn_8021qhdr))
    {
        return false;
    }
    const struct openvpn_8021qhdr *hdr = (const struct openvpn_8021qhdr *)BPTR(buf);

    /* Only the outermost header is inspected; a second tag nested in the
     * payload is not looked at here. */
    const bool has_8021q_tpid = (ntohs(hdr->tpid) == OPENVPN_ETH_P_8021Q);

    /* VID 0 is a priority-only tag and does not count as VLAN-tagged. */
    return has_8021q_tpid && vlanhdr_get_vid(hdr) != 0;
}
/*
 * vlan_process_outgoing_tun - tag, pass or drop a frame headed for the TAP port
 *
 * The frame in mi->context.c2.to_tun carries the VID of the client instance
 * it came from (mi's vlan_pvid); the TAP device acts as a port with its own
 * native VID (the top-level vlan_pvid). Depending on vlan_accept the frame
 * is left untouched, 802.1Q-tagged, or dropped.
 *
 * @param m  The multi context (holds the port-level VLAN options).
 * @param mi The client instance whose outgoing frame is processed.
 */
void
vlan_process_outgoing_tun(struct multi_context *m, struct multi_instance *mi)
{
    if (!m->top.options.vlan_tagging)
    {
        return;
    }

    struct buffer *frame = &mi->context.c2.to_tun;
    const bool vid_matches_port =
        (m->top.options.vlan_pvid == mi->context.options.vlan_pvid);

    switch (m->top.options.vlan_accept)
    {
        case VLAN_ONLY_UNTAGGED_OR_PRIORITY:
            /* The TAP port only ever sees untagged frames, so only traffic
             * from the port's own VID may pass; everything else is dropped. */
            if (!vid_matches_port)
            {
                frame->len = 0;
            }
            break;

        case VLAN_ALL:
            /* Native-VID traffic stays untagged; any other VID gets a tag. */
            if (!vid_matches_port)
            {
                vlan_encapsulate(&mi->context, frame);
            }
            break;

        case VLAN_ONLY_TAGGED:
            /* Every frame leaving through the TAP port must be tagged. */
            vlan_encapsulate(&mi->context, frame);
            break;

        default:
            /* Unknown accept mode: the frame is left untouched. */
            break;
    }
}