├── test ├── README.md ├── nf_openvpn.c ├── LICENSE └── tun_for_ovpn_data_channel.c /test: -------------------------------------------------------------------------------- 1 | test 2 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | OpenVPN-Linux-kernel 2 | ==================== 3 | 4 | 在内核处理OpenVPN数据通道 5 | 控制通道依然在OpenVPN本身进行处理,数据通道被移植进了Linux内核。 6 | 增加了几个tun的ioctl命令,用来: 7 | 1.将一个UDP socket和tun连接起来,用于数据通道的短路操作; 8 | 2.添加multi_instance进内核; 9 | 3.为multi_instance增加一个虚拟地址; 10 | 4.为一个multi_instance设置密钥; 11 | ... 12 | TODO 13 | -------------------------------------------------------------------------------- /nf_openvpn.c: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | */ 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | #include 11 | 12 | #include "ovpn_func.h" 13 | 14 | MODULE_LICENSE("GPL"); 15 | MODULE_AUTHOR("Wangran "); 16 | MODULE_DESCRIPTION("OpenVPN connection helper"); 17 | MODULE_ALIAS("ip_conntrack_ovpn"); 18 | MODULE_ALIAS_NFCT_HELPER("ovpn"); 19 | 20 | /* 21 | * 此端口难道就这么写死成1194吗?难道不是需要注册的吗 :( 22 | **/ 23 | #define OVPN_PORT 1194 24 | 25 | 26 | struct ovpn_instance { 27 | __be32 saddr; 28 | __be32 daddr; 29 | __be16 sport; 30 | __be16 dport; 31 | __be32 packet_id; 32 | /* 请恕我这么写,反正没有实际实现 */ 33 | unsigned char *info[0]; 34 | }; 35 | 36 | /* fake struct nf_conn_counter*/ 37 | struct instance_info { 38 | u_int64_t i; 39 | u_int64_t j; 40 | __be32 saddr; 41 | __be32 daddr; 42 | __be16 sport; 43 | __be16 dport; 44 | __be32 packet_id; 45 | }; 46 | 47 | /* 真实的packet_id应该从慢速路径或者控制路径的Netlink消息传递到conn的extend中 */ 48 | __be32 static_fake_packet_id = 0; 49 | 50 | 51 | static int ovpn_nf_pre_routing(struct sk_buff *skb) 52 | { 53 | /* nothing to do */ 54 | return NF_ACCEPT; 55 | } 56 | 57 | /* 第二个参数真的需要吗,因为加密所需要的cipher_info以及封装需要的udp头,ip头信息全部 58 | * 而不是部分地保存在了conntrack info信息中了啊啊啊 59 | * 60 | * 注意:这里的参数并不符合规范,因为我盗取了heler的结构体,但是思想是一致的! 61 | **/ 62 | static int encap_xmit(struct sk_buff *skb, struct ovpn_instance *ovpn) 63 | { 64 | /* 65 | * 正如我一贯的风格,我总是无情推翻昨天的自大,将欢乐瞬间变成悲哀 66 | * 我没有调用ovpn_data_channel_encap_xmit这个tun网卡的HOOK函数,因为 67 | * 我觉得太垃圾了,其实我正在逐步还原tun.c,就像这次一样,我力图使用 68 | * Netfilter进行短路操作,而不再触摸tun.c以及UDP socket。就像你看到 69 | * 的那样,你依然可以加载系统自带的原生态tun.ko 70 | **/ 71 | int ret = NF_DROP; 72 | int copy = 0; 73 | unsigned int max_headroom; 74 | struct sk_buff *skb_to_encap; 75 | __be32 saddr = ovpn->saddr; 76 | __be32 daddr = ovpn->daddr; 77 | __be16 sport = ovpn->sport; 78 | __be16 dport = ovpn->dport; 79 | __be32 packet_id = ovpn->packet_id; 80 | struct iphdr *old = ip_hdr(skb); 81 | /* but 怎么判断OpenVPN是UDP的 82 | * 很简单,一切都在nf_conn的extend中, 83 | * 只是,我这里没有写而已! 84 | **/ 85 | 86 | #define I_THINK_THIS_LENGTH_ENOUGH_BECAUSE_OF_XXX 78 87 | max_headroom = (I_THINK_THIS_LENGTH_ENOUGH_BECAUSE_OF_XXX + 88 | sizeof(struct iphdr) + 89 | sizeof(struct udphdr) + 90 | sizeof(struct ovpnhdr)); 91 | 92 | if (skb_headroom(skb) < max_headroom || !skb_clone_writable(skb, 0)) { 93 | struct sk_buff *new_skb = skb_realloc_headroom(skb, max_headroom); 94 | if (!new_skb) { 95 | goto out; 96 | } 97 | skb_dst_set(new_skb, skb_dst(skb)); 98 | 99 | skb_to_encap = new_skb; 100 | copy = 1; 101 | } else { 102 | skb_to_encap = skb; 103 | } 104 | /* ##################### encap OpenVPN #################### */ 105 | { 106 | struct ovpnhdr *ohdr; 107 | skb_push(skb_to_encap, sizeof(struct ovpnhdr)); 108 | ohdr = ovpn_hdr(skb_to_encap); 109 | /* 慢速路径的packet_id必须反映到快速路径中来!! */ 110 | ohdr->id = htonl(packet_id); 111 | ohdr->ocode = (P_DATA_V1 << P_OPCODE_SHIFT) | 0x0; 112 | } 113 | /* ##################### encap UDP #################### */ 114 | { 115 | struct udphdr *uh; 116 | 117 | skb_push(skb_to_encap, sizeof(struct udphdr)); 118 | skb_reset_transport_header(skb_to_encap); 119 | 120 | uh = udp_hdr(skb_to_encap); 121 | uh->source = sport; 122 | uh->dest = dport; 123 | uh->len = htons(skb_to_encap->len); 124 | uh->check = 0; 125 | uh->check = csum_tcpudp_magic(saddr, daddr, skb_to_encap->len, 126 | IPPROTO_UDP, csum_partial(uh, 127 | skb_to_encap->len, 128 | 0)); 129 | } 130 | /* ##################### encap IP #################### */ 131 | { 132 | struct iphdr *iph; 133 | struct dst_entry *dst; 134 | 135 | skb_push(skb_to_encap, sizeof(struct iphdr)); 136 | skb_reset_network_header(skb_to_encap); 137 | iph = ip_hdr(skb_to_encap); 138 | iph->version = 4; 139 | iph->ihl = sizeof(struct iphdr)>>2; 140 | iph->frag_off = 0;//old->frag_off; 141 | iph->protocol = IPPROTO_UDP; 142 | iph->tos = old->tos; 143 | iph->daddr = daddr; 144 | iph->saddr = saddr; 145 | iph->ttl = old->ttl; 146 | /* 这个reroute频繁用于OUTPUT Netfilter HOOK,但问Rusty本人, 147 | * Netfilter的OUTPUT设计为何如何之好 */ 148 | if (ip_route_me_harder(skb_to_encap, RTN_LOCAL)!= 0) { 149 | /* 无论如何都要STOLEN的 */ 150 | if (copy) { 151 | kfree_skb(skb_to_encap); 152 | } 153 | goto out; 154 | } 155 | dst = skb_dst(skb_to_encap); 156 | 157 | ip_select_ident(iph, dst, NULL); 158 | } 159 | ip_local_out(skb_to_encap); 160 | /* 偷走数据包,不再在曾经的路上继续 */ 161 | ret = NF_STOLEN; 162 | out: 163 | return ret; 164 | 165 | } 166 | 167 | static unsigned int ipv4_ovpn_in_local( unsigned int hook, 168 | struct sk_buff *skb, 169 | const struct net_device *in, 170 | const struct net_device *out, 171 | int (*okfn)(struct sk_buff *)) 172 | { 173 | int ret = NF_ACCEPT; 174 | struct nf_conn *ct; 175 | enum ip_conntrack_info ctinfo; 176 | struct net_device *dev = NULL; 177 | struct tun_struct *tun = NULL; 178 | 179 | ct = nf_ct_get(skb, &ctinfo); 180 | if (!ct) { 181 | goto out; 182 | } 183 | if (ct == &nf_conntrack_untracked) { 184 | goto out; 185 | } 186 | 187 | dev = dev_get_by_name(&init_net, "tun0"); 188 | if (!dev) { 189 | goto out_not_put; 190 | } 191 | 192 | tun = netdev_priv(dev);; 193 | if (!tun) { 194 | goto out; 195 | } 196 | 197 | if (out && dev == out) { 198 | /* 199 | * 这里要取出保存在conn中的所有信息,包括加密密钥 200 | */ 201 | /* 202 | * cipher_info = (struct instance_info *)nf_conn_acct_find(ct); 203 | * if (cipher_info != NULL) { 204 | * if (cipher_info->saddr != 0 && 205 | * cipher_info->daddr != 0) { 206 | */ 207 | struct ovpn_instance ovpn; 208 | ovpn.saddr = 0x32c7a8c0;/*cipher_info->daddr;*/ 209 | ovpn.daddr = 0xe9c7a8c0;/*cipher_info->saddr;*/ 210 | ovpn.sport = 0xaa04;/*cipher_info->dport;*/ 211 | ovpn.dport = 0xaa04;/*cipher_info->sport;*/ 212 | ++ static_fake_packet_id;/*cipher_info->packet_id;*/ 213 | ovpn.packet_id = static_fake_packet_id;/*cipher_info->packet_id;*/ 214 | ret = encap_xmit(skb, &ovpn); 215 | goto out; 216 | 217 | } 218 | out: 219 | dev_put(dev); 220 | out_not_put: 221 | return ret; 222 | } 223 | static unsigned int ipv4_ovpn_in( unsigned int hook, 224 | struct sk_buff *skb, 225 | const struct net_device *in, 226 | const struct net_device *out, 227 | int (*okfn)(struct sk_buff *)) 228 | { 229 | int ret = NF_ACCEPT; 230 | struct nf_conn *ct; 231 | enum ip_conntrack_info ctinfo; 232 | struct iphdr *hdr = ip_hdr(skb); 233 | struct udphdr *uh; 234 | struct net_device *dev = NULL; 235 | struct tun_struct *tun = NULL; 236 | __be32 saddr, daddr; 237 | __be16 sport, dport; 238 | int dir; 239 | 240 | ct = nf_ct_get(skb, &ctinfo); 241 | if (!ct) { 242 | goto out; 243 | } 244 | if (ct == &nf_conntrack_untracked) { 245 | goto out; 246 | } 247 | 248 | dev = dev_get_by_name(&init_net, "tun0"); 249 | if (!dev) { 250 | goto out_not_put; 251 | } 252 | 253 | if ((in && in == dev) || (in && in == init_net.loopback_dev)) { 254 | goto out; 255 | } 256 | 257 | tun = netdev_priv(dev);; 258 | if (!tun) { 259 | goto out; 260 | } 261 | 262 | switch (tun->flags & TUN_TYPE_MASK) { 263 | case TUN_TAP_DEV: 264 | goto out; 265 | } 266 | 267 | saddr = hdr->saddr; 268 | daddr = hdr->daddr; 269 | 270 | /* 到达此处的数据包有以下几类: 271 | * 1.正方向的UDP到将欲到达OpenVPN的数据包 272 | * 1.1.控制通道数据包 273 | * 这类数据包将最终穿过INPUT,完成conntrack的confirm,至此conntrack建立 274 | * 1.2.数据通道的数据包 275 | * 这类数据包就是我要截获,解密,进而STOLEN的。This is it!!! 276 | * 2.从OpenVPN进程socket发出的数据包 277 | * 2.1.控制通道数据包 278 | * 这类数据包来自OpenVPN进程,用于SSL握手以及PING(keepablive) 279 | * 2.2.数据通道数据包 280 | * 这类数据包本来来自OpenVPN进程,由其加密,但是由于它们将在tun的xmit中被截获自行进行OpenVPN/UDP/IP封装, 281 | * 因此并不会到达此处,也可以在OUTPUT/PREROUTING中被识别并自行进行OpenVPN/UDP/IP封装并被STOLEN到dev_queue_xmit 282 | * ...... 283 | * 284 | **/ 285 | dir = CTINFO2DIR(ctinfo); 286 | if (dir != IP_CT_DIR_ORIGINAL) { 287 | goto check_encap_xmit; 288 | } 289 | /* 此处没加锁啊没加锁!!! */ 290 | if (hdr->protocol != IPPROTO_UDP) { 291 | /* 292 | * 这里彻底呈现了UDP的优势 293 | * 你可能不信!但是如果是TCP,你将不能在中间任何地方截获(STOLEN)数据! 294 | * 因为TCP是端到端流协议,你要是截获了数据,怎么发送回执?? 295 | * 你没法ACK数据,TCP将不再继续!除非... 296 | * 除非你连ACK也伪造!连带的,你难道要自己实现TCP的语义?? 297 | **/ 298 | goto check_encap_xmit; 299 | } 300 | 301 | skb_pull(skb, ip_hdrlen(skb)); 302 | skb_reset_transport_header(skb); 303 | /* 此处省略了UDP接收的例行校验检查 */ 304 | uh = udp_hdr(skb); 305 | 306 | if (uh->dest != htons(OVPN_PORT)) { 307 | skb_push(skb, ip_hdrlen(skb)); 308 | skb_reset_network_header(skb); 309 | goto check_encap_xmit; 310 | } 311 | sport = uh->source; 312 | dport = uh->dest; 313 | { 314 | /* 315 | * 这里要取出保存在conn中的所有信息,包括解密密钥 316 | * ct_inner = nf_ct_get(skb, &ctinfo_inner); 317 | * cipher_info = nf_conn_acct_find((const struct nf_conn *)ct_inner); 318 | * if (cipher_info == NULL) { 319 | * ... 320 | * ... 321 | * 322 | */ 323 | } 324 | /* decrypt 325 | * 很显然,这是关键!数据解密! 326 | * 但是谁能告诉我内核中怎么高效使用加解密,如果不能高效, 327 | * 那么起码保证灵活,就像OpenSSL那样!进入了内核态,我突然 328 | * 突然想到了OpenSSL的好,人,不能忘本啊 :< 329 | */ 330 | /* 331 | * 以上是我在udp_encap_rcv版本中的注释!!但是,但是 332 | * 天啊!饶恕我的贪婪吧! 333 | * 在nf_conntrack_helper版本中,我连封装的力气都没有了,为了尽快验证, 334 | * 我将代码写死! 335 | * 解密算法:AES-128-ECB 336 | * 解密密钥:128位的0! 337 | */ 338 | /* ################################################################### */ 339 | /* 验证伊始,推进一个udp头 */ 340 | skb_pull(skb, sizeof(struct udphdr)); 341 | { 342 | /* PRE Decrypt--对齐数据,验证操作码 */ 343 | u8 *data = skb->data; 344 | u8 ocode = data[0]; 345 | int op = ocode >> P_OPCODE_SHIFT; 346 | if (op != P_DATA_V1) { 347 | skb_push(skb, sizeof(struct udphdr)); 348 | skb_push(skb, ip_hdrlen(skb)); 349 | skb_reset_network_header(skb); 350 | skb_reset_transport_header(skb); 351 | goto out; 352 | } 353 | } 354 | /* ################################################################### */ 355 | { 356 | /* Decrypt--调用内核接口解密数据 */ 357 | /*int i; 358 | struct crypto_cipher *tfm; 359 | unsigned char key1[16] = {0}; 360 | unsigned char *data; 361 | 362 | tfm = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC); 363 | if (!tfm) { 364 | return NF_DROP; 365 | } 366 | crypto_cipher_setkey(tfm, (const u8 *)&key1[0], 16); 367 | data = skb->data + 1; 368 | for (i = 0; i < skb->len - 1; i += crypto_cipher_blocksize(tfm)) { 369 | crypto_cipher_decrypt_one(tfm, data + i, data + i); 370 | } 371 | crypto_free_cipher(tfm); 372 | */ 373 | /* 解密完成,推进一个OpenVPN头的长度 */ 374 | skb_pull(skb, sizeof(struct ovpnhdr)); 375 | } 376 | /* ################################################################### */ 377 | 378 | switch (tun->flags & TUN_TYPE_MASK) { 379 | case TUN_TUN_DEV: 380 | switch (skb->data[0] & 0xf0) { 381 | /* 当前只支持IPv4 */ 382 | case 0x40: 383 | break; 384 | default: 385 | /* 解密发现不是IPv4,不再恢复skb指针 */ 386 | ret = NF_DROP; 387 | goto out; 388 | 389 | } 390 | skb_reset_mac_header(skb); 391 | skb_reset_network_header(skb); 392 | skb_reset_transport_header(skb); 393 | /* 是时候丢掉西装外衣了,口袋里的通行证会将你引入深渊, 394 | * 不信的话,注释此言,在OpenVPN客户端机器上ping一下 395 | * 服务端的虚拟IP试一试 396 | **/ 397 | skb_dst_drop(skb); 398 | skb->protocol = htons(ETH_P_IP);; 399 | skb->dev = dev; 400 | ret = NF_STOLEN; 401 | break; 402 | } 403 | 404 | /* 模拟TUN虚拟网卡接收,此时截获处理正式完成, 405 | * 告诉UDP,嗨,你的数据我已经帮你处理了 406 | **/ 407 | /* 遍历PREROUTING旨在创建被OpenVPN封装流量的conntrack, 408 | * 因为只有在这里才能从OpenVPN数据通道的conntrack中的info信息得到加密密钥: 409 | * 1.该类流量在netif_rx_ni->netif_receive_skb->ip_rcv...路径中径直通过PREROUTING; 410 | * 2.该类流量的reply流量直接使用其conntrack info中的加密密钥进行加密 411 | **/ 412 | nf_reset(skb); 413 | /* 溜达溜达,一直溜达到skb的conntrack被设置,所以我使用了带有condition的版本 */ 414 | NF_HOOK_COND(PF_INET, NF_INET_PRE_ROUTING, skb, skb->dev, NULL, 415 | ovpn_nf_pre_routing, skb->nfct != NULL); 416 | { 417 | /*struct nf_conn *ct_inner;*/ 418 | /*enum ip_conntrack_info ctinfo_inner;*/ 419 | /*struct instance_info *cipher_info; */ 420 | /* OK! 此时的ct应该就是OpenVPN裸skb的ct了! */ 421 | /* 422 | * 注意,这里可能比较绕!对于ct_inner,很显然它是OpenVPN数据协议封装的内部skb的ct,那么 423 | * 它的方向有两个,一个是正一个反, 424 | * 1.对于正方向,很显然它是我们在上面的ovpn_nf_pre_routing 425 | * 这个fake HOOK中建立的,理所当然它的cipher_info就是在这里创建的 426 | * 2.对于反方向,它走的是慢速路径,即它走的是OpenVPN进程(这是为什么呢?为什么呢? 427 | * 因为: 428 | * skb来自某个物理网口,显然最终它要从tun0中xmit出去,这一路上它是不可能获得 429 | * 任何关于multi_instance的信息的,所以只好走入慢速路径中,由OpenVPN进程从字符 430 | * 设备读取该数据包,然后由OpenVPN进程加密,封装,传输之) 431 | * 只要有反向发起的数据包的正向(即从OpenVPNclient到OpenVPNserver方向)返回包经由此处,它将 432 | * 建立cipher_info。 433 | * 因此,此处并不区分对待ct的方向! 434 | **/ 435 | 436 | /* 437 | ct_inner = nf_ct_get(skb, &ctinfo_inner); 438 | cipher_info = (struct instance_info *)nf_conn_acct_find((const struct nf_conn *)ct_inner); 439 | if (cipher_info == NULL) { 440 | cipher_info = (struct instance_info *)nf_ct_acct_ext_add(ct_inner, GFP_ATOMIC); 441 | if (cipher_info == NULL) { 442 | ret = NF_DROP; 443 | goto out; 444 | } 445 | goto alloc_info; 446 | } else { 447 | // 注意:最终的成型info extend中,需要在destroy里面释放 JUST test!! 448 | if (cipher_info->saddr == 0 && cipher_info->daddr == 0) { 449 | alloc_info: 450 | cipher_info->saddr = saddr; 451 | cipher_info->daddr = daddr; 452 | cipher_info->sport = sport; 453 | cipher_info->dport = dport; 454 | // info 就是cipher 455 | } 456 | } 457 | */ 458 | } 459 | /* 真是谢天谢地!谢什么?答曰: 460 | * 在调用netif_rx的时候竟然还能保留nf信息,比如保留nf_conn... 461 | * 其实这也没什么大不了的,难道bridge模块没有这么玩吗?难道bonding,vlan没有这么玩吗? 462 | * 如果你不懂,没关系,试试看: 463 | * sysctl -w net.bridge.bridge-nf-call-iptables=1 464 | * 然后跟一下代码... 465 | **/ 466 | netif_rx_ni(skb); 467 | goto out; 468 | 469 | check_encap_xmit: 470 | /* 此处find conntrack的info信息,如果数据包从物理网卡接收,最终需要通过tun网卡发出进行加密,那么: 471 | * 1.该数据包所属的流在从OpenVPN客户端过来的时候在PREROUTING中被解密,然后在PREROUTING中溜达到conn创建, 472 | * 此时,该流可以查到,直接取出info信息,调用encap_xmit进行加密; 473 | * 2.该数据包所属的流是主动从OpenVPN服务端发往OpenVPN客户端方向的,那么它在这个HOOK就应该直接返回,进入 474 | * OpenVPN这个慢速路径进行加密,如果有从OpenVPN客户端回来的包,那么在这个HOOK中就会被在conntrack的info 475 | * 中设置info信息。 476 | * :)也已经深了,我以上如此清晰的思路想必可以代替代码吧,此处我就直接通过了。 477 | **/ 478 | { 479 | int check = 0; /* 真正的check! */ 480 | if (check) { 481 | struct ovpn_instance ovpn; 482 | ret = encap_xmit(skb, &ovpn); 483 | } 484 | } 485 | 486 | out: 487 | dev_put(dev); 488 | out_not_put: 489 | return ret; 490 | } 491 | 492 | static struct nf_hook_ops ipv4_ovpn_ops[] __read_mostly = { 493 | { .hook = ipv4_ovpn_in, 494 | .owner = THIS_MODULE, 495 | .pf = NFPROTO_IPV4, 496 | .hooknum = NF_INET_PRE_ROUTING, 497 | .priority = NF_IP_PRI_CONNTRACK + 1, 498 | }, 499 | { .hook = ipv4_ovpn_in_local, 500 | .owner = THIS_MODULE, 501 | .pf = NFPROTO_IPV4, 502 | .hooknum = NF_INET_LOCAL_OUT, 503 | .priority = NF_IP_PRI_CONNTRACK + 1, 504 | }, 505 | }; 506 | 507 | 508 | static void nf_conntrack_openvpn_fini(void) 509 | { 510 | nf_unregister_hooks(ipv4_ovpn_ops, ARRAY_SIZE(ipv4_ovpn_ops)); 511 | } 512 | 513 | static int __init nf_conntrack_openvpn_init(void) 514 | { 515 | int ret = 0; 516 | 517 | ret = nf_register_hooks(ipv4_ovpn_ops, ARRAY_SIZE(ipv4_ovpn_ops)); 518 | if (ret) { 519 | printk("nf_ct_ovpn: failed to register\n"); 520 | return ret; 521 | } 522 | printk("nf_ct_ovpn: OKOK\n"); 523 | return 0; 524 | } 525 | 526 | module_init(nf_conntrack_openvpn_init); 527 | module_exit(nf_conntrack_openvpn_fini); 528 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc., 5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your 12 | freedom to share and change it. By contrast, the GNU General Public 13 | License is intended to guarantee your freedom to share and change free 14 | software--to make sure the software is free for all its users. This 15 | General Public License applies to most of the Free Software 16 | Foundation's software and to any other program whose authors commit to 17 | using it. (Some other Free Software Foundation software is covered by 18 | the GNU Lesser General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. (This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 292 | 293 | {description} 294 | Copyright (C) {year} {fullname} 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 305 | 306 | You should have received a copy of the GNU General Public License along 307 | with this program; if not, write to the Free Software Foundation, Inc., 308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 309 | 310 | Also add information on how to contact you by electronic and paper mail. 311 | 312 | If the program is interactive, make it output a short notice like this 313 | when it starts in an interactive mode: 314 | 315 | Gnomovision version 69, Copyright (C) year name of author 316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 317 | This is free software, and you are welcome to redistribute it 318 | under certain conditions; type `show c' for details. 319 | 320 | The hypothetical commands `show w' and `show c' should show the appropriate 321 | parts of the General Public License. Of course, the commands you use may 322 | be called something other than `show w' and `show c'; they could even be 323 | mouse-clicks or menu items--whatever suits your program. 324 | 325 | You should also get your employer (if you work as a programmer) or your 326 | school, if any, to sign a "copyright disclaimer" for the program, if 327 | necessary. Here is a sample; alter the names: 328 | 329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 331 | 332 | {signature of Ty Coon}, 1 April 1989 333 | Ty Coon, President of Vice 334 | 335 | This General Public License does not permit incorporating your program into 336 | proprietary programs. If your program is a subroutine library, you may 337 | consider it more useful to permit linking proprietary applications with the 338 | library. If this is what you want to do, use the GNU Lesser General 339 | Public License instead of this License. 340 | 341 | -------------------------------------------------------------------------------- /tun_for_ovpn_data_channel.c: -------------------------------------------------------------------------------- 1 | /* 2 | * TUN - Universal TUN/TAP device driver. 3 | * Copyright (C) 1999-2002 Maxim Krasnyansky 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License as published by 7 | * the Free Software Foundation; either version 2 of the License, or 8 | * (at your option) any later version. 9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | * 15 | * $Id: tun.c,v 1.15 2002/03/01 02:44:24 maxk Exp $ 16 | */ 17 | 18 | /* 19 | * Changes: 20 | * 21 | * Mike Kershaw 2005/08/14 22 | * Add TUNSETLINK ioctl to set the link encapsulation 23 | * 24 | * Mark Smith 25 | * Use random_ether_addr() for tap MAC address. 26 | * 27 | * Harald Roelle 2004/04/20 28 | * Fixes in packet dropping, queue length setting and queue wakeup. 29 | * Increased default tx queue length. 30 | * Added ethtool API. 31 | * Minor cleanups 32 | * 33 | * Daniel Podlejski 34 | * Modifications for 2.3.99-pre5 kernel. 35 | */ 36 | 37 | /* 38 | * 我,又一次自私地使用了tun.c,不过这次的工作和tun本身并没有太大的关系, 39 | * 只是想做一个简单的OpenVPN短路hack,仅此而已,我使用tun做修改是因为简单, 40 | * 毕竟我只是需要将一个socket和tun联系起来,仅此而已,我需要做的就是短接 41 | * UDP socket和tun网卡,仅此而已.... :) 42 | * 43 | * 数据通道进入内核的好处是显而易见的,多处理操作的效率由softirq分发系统决定, 44 | * 而这个是简单的,在8核心处理器上,经过测试,使用Intel 82583多队列卡,按照 45 | * tuple做hash中断分发,保持cache活性的基础上,也能首先OpenVPN协议的高速解析, 46 | * 任何用户态的多线程架构与之相比都爆弱。但是此时问题浮现: 47 | * 48 | * 1.不是说内核态处理控制面而用户态处理数据面吗?对于OpenVPN,怎么反过来了啊, 49 | * 有点懵了!是的,数据面放到用户态只善作个幻象,现如今不是还没有很好的实例嘛... 50 | * 我并非说用户态多线程不好,只是对OpenVPN而言的,不信你试试。好了,在PF RING 51 | * 还玩不转的时候,我只能这样,也不容易。 52 | * 2.这里没有使用加密,接口是有了,但是没有高效的实现,我可不想OpenVPN成为Yet 53 | * Another IPSec 54 | * 55 | * 问题多多,marywangran@126.com,还是这个邮箱 56 | * 57 | **/ 58 | 59 | #define DRV_NAME "tun" 60 | #define DRV_VERSION "1.6" 61 | #define DRV_DESCRIPTION "Universal TUN/TAP device driver" 62 | #define DRV_COPYRIGHT "(C) 1999-2004 Max Krasnyansky " 63 | 64 | #include 65 | #include 66 | #include 67 | #include 68 | #include 69 | #include 70 | #include 71 | #include 72 | #include 73 | #include 74 | #include 75 | #include 76 | #include 77 | #include 78 | #include 79 | #include 80 | #include 81 | #include 82 | #include 83 | #include 84 | #include 85 | #include 86 | #include 87 | #include 88 | #include 89 | #include 90 | #include 91 | #include 92 | #include 93 | #include 94 | #include 95 | #include 96 | #include 97 | #include 98 | #include 99 | #include 100 | #include 101 | 102 | #include 103 | #include 104 | 105 | 106 | #include 107 | #include 108 | 109 | /* Uncomment to enable debugging */ 110 | /* #define TUN_DEBUG 1 */ 111 | 112 | #ifdef TUN_DEBUG 113 | static int debug; 114 | 115 | #define DBG if(tun->debug)printk 116 | #define DBG1 if(debug==2)printk 117 | #else 118 | #define DBG( a... ) 119 | #define DBG1( a... ) 120 | #endif 121 | 122 | /* 定义一个OpenVPN封装类型 */ 123 | #define UDP_ENCAP_OVPN 20 124 | /* 连接一个UDP套接字和TUN网卡的ioctl命令 */ 125 | #define TUNLINKOVPN _IOW('T', 216, int) 126 | /* 添加一个multi_instance的ioctl命令 */ 127 | #define TUNADDMILTI _IOW('T', 217, int) 128 | /* 为一个multi_instance添加一个虚拟地址的ioctl命令 */ 129 | #define TUNSETMIVIP _IOW('T', 218, int) 130 | /* 删除一个multi_instance的ioctl命令 */ 131 | #define TUNDELMILTI _IOW('T', 219, int) 132 | /* 设置密钥的ioctl命令 */ 133 | #define TUNSETMKEY _IOW('T', 220, int) 134 | /* 获取密钥的ioctl命令 */ 135 | #define TUNGETMKEY _IOW('T', 221, int) 136 | 137 | #define OVPN_OPT_DEC 0 138 | #define OVPN_OPT_ENC 1 139 | 140 | void hexdump(char *desc, unsigned char *buf, int len) 141 | { 142 | if (debug == 0) { 143 | return; 144 | } 145 | printk("\n##########DESC:%s\n", desc); 146 | while(len--) { 147 | printk("%02x",*buf++); 148 | } 149 | printk("\n####### END #######\n"); 150 | } 151 | 152 | 153 | /* 154 | * 用于封装ioctl命令,但不经常,也不绝对... 155 | **/ 156 | struct sockfd { 157 | int fd; 158 | }; 159 | 160 | #define FLT_EXACT_COUNT 8 161 | struct tap_filter { 162 | unsigned int count; /* Number of addrs. Zero means disabled */ 163 | u32 mask[2]; /* Mask of the hashed addrs */ 164 | unsigned char addr[FLT_EXACT_COUNT][ETH_ALEN]; 165 | }; 166 | 167 | struct tun_file { 168 | atomic_t count; 169 | struct tun_struct *tun; 170 | struct net *net; 171 | }; 172 | 173 | struct tun_sock; 174 | 175 | 176 | /* UDP的encap返回正常路径 */ 177 | #define UDP_DECAP_PASS 1 178 | /* UDP的encap自己消费了数据包 */ 179 | #define UDP_DECAP_STOLEN 0 180 | /* 以上的规范详细情况自行看UDP处理以及IPSec/L2TP作为一个例子的实现 */ 181 | 182 | /* 183 | * OpenVPN的常量定义,我是不是该准备一个头文件和C文件呢? 184 | * 借用tun.c总不是什么长久之事!tun又不是只用于OpenVPN啊, 185 | * 然而tun.c确实该加一个HOOK机制了... 186 | **/ 187 | #define MAX_HASH_BUCKETS 256 188 | /* 暂时先这么多 */ 189 | #define MAX_KEY_LENGTH 512 190 | #define P_DATA_V1 6 191 | #define P_OPCODE_SHIFT 3 192 | 193 | /* 这个锁的粒度有点粗 */ 194 | DEFINE_SPINLOCK(ovpn_lock); 195 | 196 | typedef u32 packet_id_type; 197 | typedef u32 net_time_t ; 198 | 199 | /* 200 | * 使用IP地址/端口对建立multi_instance 201 | **/ 202 | struct instance_req { 203 | u32 real_addr; 204 | __be16 port; 205 | }; 206 | 207 | /* 208 | * 为一个multi_instance添加一个虚拟IP地址,此结构体目前仅适用于 209 | * TUN模式。因为对于TAP模式需要实现一个列表,基于该列表实现一个 210 | * 虚拟交换机,哦,是的,虚拟交换机... 211 | * */ 212 | struct instance_vreq { 213 | u32 real_addr; 214 | u32 vaddr; 215 | __be16 port; 216 | }; 217 | 218 | /* 用于向内核传递密钥或者反过来传递密钥 */ 219 | /* 是不是应该用PF_KEY啊,小小说不能,我就不用了 */ 220 | struct key_block { 221 | struct instance_req ir; 222 | unsigned char key1[MAX_KEY_LENGTH]; 223 | unsigned char key2[MAX_KEY_LENGTH]; 224 | unsigned char key3[MAX_KEY_LENGTH]; 225 | unsigned char key4[MAX_KEY_LENGTH]; 226 | }; 227 | 228 | /* 229 | * 用于实现OpenVPN的防重放机制 230 | **/ 231 | struct packet_id_send 232 | { 233 | packet_id_type id; 234 | time_t time; 235 | }; 236 | 237 | /* 238 | * 用于实现OpenVPN的防重放机制,但是天啊...里面的字段在协议移植阶段 239 | * 是没有任何用武之地的,是的,没有用... 240 | * */ 241 | struct packet_id_rec 242 | { 243 | time_t last_reap; /* last call of packet_id_reap */ 244 | time_t time; /* highest time stamp received */ 245 | packet_id_type id; /* highest sequence number received */ 246 | int seq_backtrack; /* set from --replay-window */ 247 | int time_backtrack; /* set from --replay-window */ 248 | int max_backtrack_stat; /* maximum backtrack seen so far */ 249 | int initialized; /* true if packet_id_init was called */ 250 | struct seq_list *seq_list; /* packet-id "memory" */ 251 | const char *name; 252 | int unit; 253 | }; 254 | 255 | /* 256 | * 用于实现OpenVPN的防重放机制,目前的版本仅仅是为了例行公事,发送前 257 | * 在OpenVPN头中封装一个递增的packet ID,但是注意,不支持LONG FORM!! 258 | * */ 259 | struct packet_id 260 | { 261 | struct packet_id_send send; 262 | struct packet_id_rec rec; 263 | }; 264 | 265 | /* 266 | * 万恶又万能的multi_instance,是不是有点熟悉呢??对!This is it! 267 | * */ 268 | struct multi_instance { 269 | struct list_head list; 270 | struct hlist_node rhnode; 271 | struct hlist_node vhnode; 272 | struct sock *sk; 273 | struct packet_id packet_id; 274 | struct key_block mikb; 275 | u32 saddr; 276 | u32 daddr; 277 | unsigned char hsaddr[ETH_ALEN]; 278 | /* for a learning Vswitch , it is a list! TODO */ 279 | unsigned char hdaddr[ETH_ALEN]; 280 | u32 real_saddr; 281 | u32 real_daddr; 282 | __be16 dport; 283 | void (*mi_destroy)(struct multi_instance *); 284 | }; 285 | 286 | /* 287 | * 我的本意并不是移植OpenVPN,而是实现一个新的协议,but,but,but,but 288 | * 苦于没有客户端,我为何不使用现成的OpenVPN呢??它的协议足够简单啊足够简单! 289 | * */ 290 | #define CIPHER_NAME_LENGTH 32 291 | struct encap_context { 292 | struct hlist_head hash[MAX_HASH_BUCKETS]; 293 | struct hlist_head vhash[MAX_HASH_BUCKETS]; 294 | /* 最终还是说服了自己,解除了OpenVPN和tun之间的耦合 :) */ 295 | int (*encap_xmit)(struct tun_struct *tun, struct sk_buff *skb); 296 | /* 我并没有区分cipher和auth,也就是说,我把加密运算和HMAC统一使用一套回调函数完成 :>| */ 297 | /* 暂时,我使用了Linux内核的tfm框架 */ 298 | struct crypto_cipher *tfm; 299 | char cipher_name[CIPHER_NAME_LENGTH]; 300 | int (*cipher_init)(void *); 301 | int (*cipher_pre_enc)(struct encap_context *, struct sk_buff *, int, struct multi_instance *); 302 | int (*cipher_setkey)(struct multi_instance *, struct crypto_cipher *, const u8 *, unsigned int); 303 | struct sk_buff * (*cipher_enc)(struct encap_context *, struct sk_buff *, int, void *); 304 | int (*cipher_fini)(void *); 305 | }; 306 | 307 | /* 308 | * 就是它!这就是OpenVPN协议的本质!瞧瞧看吧,你仅仅需要设置3个字段足矣! 309 | * ocode:这个字段其实包含以下两个部分 310 | * opt :很显然,我在内核中只处理数据通道,那么它是P_DATA_V1常量 311 | * key_id :这个keyid用于切换密钥。目前使用定值0,即版本0.1不支持密钥重协商, 312 | * 然则这只是个开始... 313 | * id: 此字段用于封装将要发送的数据包的ID,防重放攻击 314 | * 可见,关键的关键就是如何填充以下结构体的问题...对了,我可以说填充UDP头和IP头不是个事儿 315 | * 吗?如果它们都成了事儿,还怎么好意思说自己比较喜欢折腾内核协议栈呢... :( 316 | **/ 317 | struct ovpnhdr { 318 | u8 ocode; 319 | packet_id_type id; 320 | /* 注意,不要按照最长字段自然对齐,这是在玩网络,而不是内存! */ 321 | } __attribute__((packed)); 322 | 323 | struct tun_struct { 324 | struct tun_file *tfile; 325 | unsigned int flags; 326 | uid_t owner; 327 | gid_t group; 328 | 329 | struct net_device *dev; 330 | struct fasync_struct *fasync; 331 | 332 | struct tap_filter txflt; 333 | struct socket socket; 334 | struct sock *encap_sock; 335 | /* pass THIS into encap_xmit like OO ?? */ 336 | /* 对于这个回调函数,我该说些什么呢?实际上,我真的该将其放在encap_context里面 */ 337 | /* int (*encap_xmit)(struct tun_struct *tun, struct sk_buff *skb);*/ 338 | struct encap_context ctx; 339 | 340 | #ifdef TUN_DEBUG 341 | int debug; 342 | #endif 343 | }; 344 | 345 | struct tun_sock { 346 | struct sock sk; 347 | struct tun_struct *tun; 348 | }; 349 | 350 | /* 351 | * 这个destroy函数用于清理一个multi_instance,一个析构 352 | **/ 353 | void ovpn_destroy(struct multi_instance *mi) 354 | { 355 | return; 356 | } 357 | 358 | /* 359 | * 根据一个IP地址和端口删除一个multi_instance 360 | **/ 361 | static void ovpn_del_real_instance( struct tun_struct *tun, 362 | u32 real_addr, 363 | __be16 port) 364 | { 365 | struct multi_instance *tmi; 366 | struct multi_instance *mi; 367 | struct hlist_node *node; 368 | unsigned int hash = jhash_2words(real_addr, port, 0); 369 | 370 | spin_lock_bh(&ovpn_lock); 371 | hlist_for_each_entry(tmi, node, &tun->ctx.hash[hash % MAX_HASH_BUCKETS], rhnode) { 372 | if (real_addr == tmi->real_daddr && 373 | port == tmi->dport) { 374 | mi = tmi; 375 | } 376 | } 377 | if (!mi) { 378 | spin_unlock_bh(&ovpn_lock); 379 | return ; 380 | } 381 | hlist_del(&mi->rhnode); 382 | hlist_del(&mi->vhnode); 383 | spin_unlock_bh(&ovpn_lock); 384 | kfree(mi); 385 | } 386 | 387 | /* 388 | * 添加一个multi_instance 389 | **/ 390 | static struct multi_instance *ovpn_add_real_instance( struct tun_struct *tun, 391 | u32 real_addr, 392 | __be16 port) 393 | { 394 | struct multi_instance *ret = NULL; 395 | struct multi_instance *tmi; 396 | struct hlist_node *node; 397 | unsigned int hash = jhash_2words(real_addr, port, 0); 398 | 399 | spin_lock_bh(&ovpn_lock); 400 | hlist_for_each_entry(tmi, node, &tun->ctx.hash[hash % MAX_HASH_BUCKETS], rhnode) { 401 | if (real_addr == tmi->real_daddr && 402 | port == tmi->dport) { 403 | spin_unlock_bh(&ovpn_lock); 404 | return tmi; 405 | } 406 | } 407 | ret = kzalloc(sizeof(struct multi_instance), GFP_ATOMIC); 408 | if (!ret) { 409 | spin_unlock_bh(&ovpn_lock); 410 | return NULL; 411 | } 412 | ret->dport = port; 413 | ret->real_daddr = real_addr; 414 | ret->sk = tun->encap_sock; 415 | ret->mi_destroy = ovpn_destroy; 416 | ret->real_saddr = inet_sk(ret->sk)->saddr; 417 | hash = jhash_2words(ret->real_daddr, ret->dport, 0); 418 | INIT_HLIST_NODE(&ret->rhnode); 419 | INIT_HLIST_NODE(&ret->vhnode); 420 | hlist_add_head(&ret->rhnode, &tun->ctx.hash[hash % MAX_HASH_BUCKETS]); 421 | spin_unlock_bh(&ovpn_lock); 422 | /* setkey 应该在专门的ioctl 中 */ 423 | tun->ctx.cipher_setkey(ret, tun->ctx.tfm, NULL, 0); 424 | return ret; 425 | } 426 | 427 | /* 428 | * 为一个multi_instance添加一个虚拟IP地址,这个本来应该实现成一个虚拟交换机的 429 | * BUT对于TUN模式而言,我采用了替换模式,也就是说,我的这个版本并不支持iroute 430 | * 不支持又怎么样呢?早晚的事吧。希望,真心希望James Yonan不要打我哦。。。 431 | **/ 432 | static int ovpn_add_virtual_instance( struct tun_struct *tun, 433 | u32 real_addr, 434 | __be16 port, 435 | u32 addr) 436 | { 437 | struct multi_instance *mi; 438 | struct multi_instance *tmi; 439 | struct hlist_node *node; 440 | unsigned int hash = jhash_2words(real_addr, port, 0); 441 | 442 | spin_lock_bh(&ovpn_lock); 443 | hlist_for_each_entry(tmi, node, &tun->ctx.hash[hash % MAX_HASH_BUCKETS], rhnode) { 444 | if (real_addr == tmi->real_daddr && 445 | port == tmi->dport) { 446 | mi = tmi; 447 | break; 448 | } 449 | } 450 | if (!mi) { 451 | spin_unlock_bh(&ovpn_lock); 452 | return -1; 453 | } 454 | hlist_del_init(&mi->vhnode); 455 | mi->daddr = addr; 456 | hash = jhash_1word(mi->daddr, 0); 457 | hlist_add_head(&mi->vhnode, &tun->ctx.vhash[hash % MAX_HASH_BUCKETS]); 458 | spin_unlock_bh(&ovpn_lock); 459 | return 0; 460 | } 461 | 462 | struct ovpnhdr *ovpn_hdr(struct sk_buff *skb) 463 | { 464 | return (struct ovpnhdr*)(skb->data); 465 | } 466 | 467 | static struct sk_buff *ovpn_pre_endecrypt(int mode, 468 | struct tun_struct *tun, 469 | struct sk_buff *skb, 470 | struct multi_instance *mi) 471 | { 472 | u8 *data; 473 | u8 ocode = 0; 474 | struct sk_buff *sk_ret = NULL; 475 | int op; 476 | if (mode == OVPN_OPT_DEC) { 477 | data = skb->data; 478 | ocode = data[0]; 479 | op = ocode >> P_OPCODE_SHIFT; 480 | if (op != P_DATA_V1) { 481 | sk_ret = NULL; 482 | goto out; 483 | } 484 | sk_ret = skb; 485 | } else if (mode == OVPN_OPT_ENC){ 486 | /* 我在这里添加padding以及设置packet id */ 487 | /* 早先在仅仅移植协议的时候,我将设置packet id 488 | * 放在了post里面,由于packet id也是要加密的,所以必须放在 489 | * pre里面 490 | **/ 491 | struct ovpnhdr *ohdr; 492 | ohdr = ovpn_hdr(skb); 493 | ++mi->packet_id.send.id; 494 | ohdr->id = htonl(mi->packet_id.send.id); 495 | ohdr->ocode = (P_DATA_V1 << P_OPCODE_SHIFT) | 0x0; 496 | if (tun->ctx.cipher_pre_enc(&tun->ctx, skb, mode, mi)){ 497 | sk_ret = NULL; 498 | goto out; 499 | } 500 | sk_ret = skb; 501 | } else { 502 | sk_ret = NULL; 503 | goto out; 504 | } 505 | out: 506 | return sk_ret; 507 | } 508 | 509 | static struct sk_buff * ovpn_endecrypt(int mode, 510 | struct tun_struct *tun, 511 | struct sk_buff *skb, 512 | struct multi_instance *mi) 513 | { 514 | 515 | /* return tun->ctx.endecrypt(tun, skb); */ 516 | tun->ctx.cipher_enc(&tun->ctx, skb, mode, NULL); 517 | return skb; 518 | } 519 | 520 | static struct sk_buff *ovpn_post_endecrypt(int mode, 521 | struct tun_struct *tun, 522 | struct sk_buff *skb, 523 | struct multi_instance *mi) 524 | { 525 | struct sk_buff *sk_ret = NULL; 526 | if (mode == OVPN_OPT_ENC) { 527 | //skb_pull(skb, sizeof(struct ovpnhdr) - 1); 528 | sk_ret = skb; 529 | } else if (mode == OVPN_OPT_DEC) { 530 | sk_ret = skb; 531 | } else { 532 | sk_ret = NULL; 533 | goto out; 534 | } 535 | out: 536 | return sk_ret; 537 | } 538 | 539 | /* 540 | * 真正的亡灵序曲在这里大肆打折! 541 | * 它截取了UDP的receive处理流程,它可以自行处理数据包,也可以将数据包返回给正常的UDP receive流程 542 | * 点赞的说,它就是一个UDP Netfilter,或者叫做UDPFilter更好!它也有自己的规范: 543 | * 544 | * This is an encapsulation socket so pass the skb to 545 | * the socket's udp_encap_rcv() hook. Otherwise, just 546 | * fall through and pass this up the UDP socket. 547 | * up->encap_rcv() returns the following value: 548 | * =0 if skb was successfully passed to the encap 549 | * handler or was discarded by it. 550 | * >0 if skb should be passed on to UDP. 551 | * <0 if skb should be resubmitted as proto -N 552 | * 553 | * 有点蹩脚,但是毕竟是一种HOOK机制,实用主义者会说,就是它了! 554 | */ 555 | static int ovpn_data_channel_decap_recv(struct sock *sk, struct sk_buff *skb) 556 | { 557 | struct sk_buff *skb2 = NULL; 558 | struct tun_struct *tun = NULL; 559 | struct multi_instance *mi = NULL; 560 | struct multi_instance *tmi; 561 | struct hlist_node *node; 562 | struct iphdr *hdr = ip_hdr(skb); 563 | struct udphdr *ud = udp_hdr(skb); 564 | int ret = UDP_DECAP_PASS; 565 | u32 addr = hdr->saddr; 566 | __be16 port = ud->source; 567 | unsigned int hash = jhash_2words(addr, port, 0); 568 | 569 | tun = (struct tun_struct *)sk->sk_user_data; 570 | 571 | 572 | spin_lock_bh(&ovpn_lock); 573 | hlist_for_each_entry(tmi, node, &tun->ctx.hash[hash % MAX_HASH_BUCKETS], rhnode) { 574 | if (addr == tmi->real_daddr && 575 | port == tmi->dport) { 576 | mi = tmi; 577 | break; 578 | } 579 | } 580 | spin_unlock_bh(&ovpn_lock); 581 | if (!mi) { 582 | goto out; 583 | } 584 | 585 | skb_pull(skb, sizeof(struct udphdr)); 586 | 587 | /* decrypt 588 | * 很显然,这是关键!数据解密! 589 | * 但是谁能告诉我内核中怎么高效使用加解密,如果不能高效, 590 | * 那么起码保证灵活,就像OpenSSL那样!进入了内核态,我突然 591 | * 突然想到了OpenSSL的好,人,不能忘本啊 :< 592 | */ 593 | 594 | /* 首先,判断是否是数据通道,进行例行检查,获取必要的密钥套件 */ 595 | if ((skb2 = ovpn_pre_endecrypt(OVPN_OPT_DEC, tun, skb, mi)) == NULL) { 596 | skb_push(skb, sizeof(struct udphdr)); 597 | goto out; 598 | } 599 | skb = skb2; 600 | 601 | /* 实际的解密操作,注意在内部可能要进行skb的realloc操作 */ 602 | if ((skb2 = ovpn_endecrypt(OVPN_OPT_DEC, tun, skb, mi)) == NULL) { 603 | skb_push(skb, sizeof(struct udphdr)); 604 | goto out; 605 | } 606 | skb = skb2; 607 | 608 | /* 参考OpenVPN的post decrypt操作 */ 609 | if ((skb2 = ovpn_post_endecrypt(OVPN_OPT_DEC, tun, skb, mi)) == NULL) { 610 | skb_push(skb, sizeof(struct udphdr)); 611 | goto out; 612 | } 613 | skb = skb2; 614 | 615 | /* 解密完成,推进一个OpenVPN头的长度 */ 616 | skb_pull(skb, sizeof(struct ovpnhdr)); 617 | switch (tun->flags & TUN_TYPE_MASK) { 618 | case TUN_TUN_DEV: 619 | switch (skb->data[0] & 0xf0) { 620 | /* 当前只支持IPv4 */ 621 | case 0x40: 622 | break; 623 | default: 624 | skb_push(skb, sizeof(struct ovpnhdr)); 625 | skb_push(skb, sizeof(struct udphdr)); 626 | goto out; 627 | 628 | } 629 | skb_reset_mac_header(skb); 630 | /* 是时候丢掉西装外衣了,口袋里的通行证会将你引入深渊, 631 | * 不信的话,注释此言,在OpenVPN客户端机器上ping一下 632 | * 服务端的虚拟IP试一试 633 | **/ 634 | skb_dst_drop(skb); 635 | skb->protocol = htons(ETH_P_IP);; 636 | skb->dev = tun->dev; 637 | ret = UDP_DECAP_STOLEN; 638 | break; 639 | case TUN_TAP_DEV: 640 | // TODO 641 | goto out; 642 | break; 643 | } 644 | /* 模拟TUN虚拟网卡接收,此时截获处理正式完成, 645 | * 告诉UDP,嗨,你的数据我已经帮你处理了 646 | **/ 647 | netif_rx_ni(skb); 648 | 649 | out: 650 | return ret; 651 | } 652 | 653 | /* 654 | * 封装UDP 655 | * 本来想直接调用socket的sendto/sendmsg的,然而太过恶心与繁琐,加之需要skb和msg之间的拷贝 656 | * 为了省事而影响效率这样不值!还是自己封装吧,反正也不难 657 | **/ 658 | static int encap_udp(struct sk_buff *skb, struct multi_instance *mi, unsigned int *pdlen) 659 | { 660 | struct udphdr *uh; 661 | struct inet_sock *inet = inet_sk(mi->sk); 662 | int len = *pdlen + sizeof(struct udphdr); 663 | 664 | skb_push(skb, sizeof(struct udphdr)); 665 | skb_reset_transport_header(skb); 666 | 667 | uh = udp_hdr(skb); 668 | uh->source = htons(inet->num); 669 | uh->dest = mi->dport; 670 | uh->len = htons(len); 671 | uh->check = 0; 672 | 673 | /* 注意这里有优化空间,ufo是否启用,硬件是否能帮我计算checksum呢?? */ 674 | uh->check = 0; 675 | uh->check = csum_tcpudp_magic(mi->real_saddr, mi->real_daddr, len, 676 | mi->sk->sk_protocol, csum_partial(uh, 677 | len, 678 | 0)); 679 | 680 | return 0; 681 | } 682 | 683 | /* 684 | * IP层的封装与发送函数,注意,这里很不方便使用ip_queue_xmit 685 | **/ 686 | static int encap_ip_xmit(struct sk_buff *skb, struct multi_instance *mi, struct iphdr *old) 687 | { 688 | struct iphdr *iph; 689 | struct dst_entry *dst; 690 | 691 | skb_push(skb, sizeof(struct iphdr)); 692 | /* 如影随形 */ 693 | skb_reset_network_header(skb); 694 | 695 | iph = ip_hdr(skb); 696 | iph->version = 4; 697 | iph->ihl = sizeof(struct iphdr)>>2; 698 | iph->frag_off = 0;//old->frag_off; 699 | iph->protocol = IPPROTO_UDP; 700 | iph->tos = old->tos; 701 | iph->daddr = mi->real_daddr; 702 | iph->saddr = mi->real_saddr; 703 | iph->ttl = old->ttl; 704 | /* 这个reroute频繁用于OUTPUT Netfilter HOOK,但问Rusty本人, 705 | * Netfilter的OUTPUT设计为何如何之好 */ 706 | if (ip_route_me_harder(skb, RTN_LOCAL)!= 0) { 707 | return -1; 708 | } 709 | dst = skb_dst(skb); 710 | 711 | ip_select_ident(iph, dst, NULL); 712 | return ip_local_out(skb); 713 | } 714 | 715 | 716 | static struct sk_buff *encap_ovpn(struct sk_buff *skb, struct multi_instance *mi, int *pdlen) 717 | { 718 | struct sk_buff *skb2 = NULL; 719 | struct tun_struct *tun; 720 | 721 | 722 | if (!mi) { 723 | goto out; 724 | } 725 | 726 | tun = mi->sk->sk_user_data; 727 | if (!tun) { 728 | goto out; 729 | } 730 | 731 | /* encrypt 732 | * 很显然,这是关键!数据解密! 733 | * 但是谁能告诉我内核中怎么高效使用加解密,如果不能高效, 734 | * 那么起码保证灵活,就像OpenSSL那样!进入了内核态,我突然 735 | * 突然想到了OpenSSL的好,人,不能忘本啊 :< 736 | */ 737 | 738 | /* 如影随形 */ 739 | skb_push(skb, sizeof(struct ovpnhdr)); 740 | *pdlen += sizeof(struct ovpnhdr); 741 | 742 | /* 首先,判断是否是数据通道,进行例行检查,获取必要的密钥套件 */ 743 | if ((skb2 = ovpn_pre_endecrypt(OVPN_OPT_ENC, tun, skb, mi)) == NULL) { 744 | skb = NULL; 745 | goto out; 746 | } 747 | skb = skb2; 748 | *pdlen = skb->len; 749 | 750 | /* 实际的解密操作,注意在内部可能要进行skb的realloc操作 */ 751 | if ((skb2 = ovpn_endecrypt(OVPN_OPT_ENC, tun, skb, mi)) == NULL) { 752 | skb = NULL; 753 | goto out; 754 | } 755 | skb = skb2; 756 | *pdlen = skb->len; 757 | 758 | /* 参考OpenVPN的post decrypt操作 */ 759 | if ((skb2 = ovpn_post_endecrypt(OVPN_OPT_ENC, tun, skb, mi)) == NULL) { 760 | skb = NULL; 761 | goto out; 762 | } 763 | skb = skb2; 764 | *pdlen = skb->len; 765 | 766 | out: 767 | return skb; 768 | } 769 | 770 | /* 771 | * hard_xmit中的封装函数,用于短路处理 772 | **/ 773 | static int ovpn_data_channel_encap_xmit(struct tun_struct *tun, struct sk_buff *skb) 774 | { 775 | unsigned int max_headroom; 776 | int ret = 0; 777 | struct sock *sk; 778 | struct sk_buff *skb2 = NULL; 779 | struct multi_instance *mi = NULL; 780 | struct hlist_node *node; 781 | struct iphdr *old_iphdr = NULL; 782 | unsigned int dlen = skb->len; 783 | 784 | sk = tun->encap_sock; 785 | if (!sk) { 786 | ret = -1; 787 | goto out; 788 | } 789 | if (sk->sk_protocol != IPPROTO_UDP) { 790 | ret = -1; 791 | goto out; 792 | } 793 | 794 | /* 足够了吧!连诸多加密算法携带的padding都TMD够了!够了够了!想起了在哈尔滨的时候, 795 | * 因为我让全班的人熬到7点才吃晚饭...只因为我在老师下课的时候说了句:够了! 796 | **/ 797 | #define I_THINK_THIS_LENGTH_ENOUGH_BECAUSE_OF_XXX 64 798 | max_headroom = (I_THINK_THIS_LENGTH_ENOUGH_BECAUSE_OF_XXX + 799 | LL_RESERVED_SPACE(tun->dev) + 800 | sizeof(struct iphdr) + 801 | sizeof(struct udphdr) + 802 | sizeof(struct ovpnhdr)); 803 | 804 | switch (tun->flags & TUN_TYPE_MASK){ 805 | case TUN_TUN_DEV: 806 | { 807 | struct iphdr *hdr = ip_hdr(skb); 808 | u32 addr = hdr->daddr; 809 | struct multi_instance *tmi; 810 | unsigned int hash = jhash_1word(addr, 0); 811 | 812 | old_iphdr = hdr; 813 | spin_lock_bh(&ovpn_lock); 814 | hlist_for_each_entry(tmi, node, &tun->ctx.vhash[hash % MAX_HASH_BUCKETS], vhnode) { 815 | if (addr == tmi->daddr) { 816 | mi = tmi; 817 | break; 818 | } 819 | } 820 | spin_unlock_bh(&ovpn_lock); 821 | } 822 | break; 823 | case TUN_TAP_DEV: 824 | { 825 | // TODO 826 | ret = -1; 827 | 828 | } 829 | break; 830 | 831 | } 832 | if (!mi) { 833 | ret = -1; 834 | goto out; 835 | } 836 | if (skb_headroom(skb) < max_headroom || !skb_clone_writable(skb, 0)) { 837 | struct sk_buff *new_skb = skb_realloc_headroom(skb, max_headroom); 838 | if (!new_skb) { 839 | ret = -1; 840 | goto out; 841 | } 842 | skb_dst_set(new_skb, skb_dst(skb)); 843 | 844 | dev_kfree_skb(skb); 845 | skb = new_skb; 846 | } 847 | 848 | if ((skb2 = encap_ovpn(skb, mi, &dlen)) == NULL) { 849 | ret = 1; 850 | dev_kfree_skb(skb); 851 | goto out; 852 | } 853 | skb = skb2; 854 | 855 | if (encap_udp(skb, mi, &dlen)) { 856 | dev_kfree_skb(skb); 857 | ret = 1; 858 | goto out; 859 | } 860 | /* GO AWAY?? 注意返回值转换 */ 861 | ret = encap_ip_xmit(skb, mi, old_iphdr); 862 | if (ret < 0) { 863 | ret = 1; 864 | } 865 | out: 866 | return ret; 867 | } 868 | 869 | static inline struct tun_sock *tun_sk(struct sock *sk) 870 | { 871 | return container_of(sk, struct tun_sock, sk); 872 | } 873 | 874 | static int tun_attach(struct tun_struct *tun, struct file *file) 875 | { 876 | struct tun_file *tfile = file->private_data; 877 | int err; 878 | 879 | ASSERT_RTNL(); 880 | 881 | netif_tx_lock_bh(tun->dev); 882 | 883 | err = -EINVAL; 884 | if (tfile->tun) 885 | goto out; 886 | 887 | err = -EBUSY; 888 | if (tun->tfile) 889 | goto out; 890 | 891 | err = 0; 892 | tfile->tun = tun; 893 | tun->tfile = tfile; 894 | dev_hold(tun->dev); 895 | sock_hold(tun->socket.sk); 896 | atomic_inc(&tfile->count); 897 | 898 | out: 899 | netif_tx_unlock_bh(tun->dev); 900 | return err; 901 | } 902 | 903 | static void __tun_detach(struct tun_struct *tun) 904 | { 905 | struct sock *sk; 906 | /* Detach from net device */ 907 | netif_tx_lock_bh(tun->dev); 908 | /**/ 909 | sk = tun->encap_sock; 910 | if (sk) { 911 | int i; 912 | /* 重置操作 */ 913 | (udp_sk(sk))->encap_type = 0; 914 | (udp_sk(sk))->encap_rcv = NULL; 915 | sk->sk_user_data = NULL; 916 | tun->encap_sock = NULL; 917 | tun->ctx.encap_xmit = NULL; 918 | for (i = 0; i < MAX_HASH_BUCKETS; i++) { 919 | struct multi_instance *mi; 920 | struct hlist_head *head; 921 | struct hlist_node *node, *tmp; 922 | head = &tun->ctx.hash[i]; 923 | hlist_for_each_entry_safe(mi, node, tmp, head, rhnode) { 924 | hlist_del(node); 925 | hlist_del(&mi->vhnode); 926 | if (mi->mi_destroy) { 927 | mi->mi_destroy(mi/* THIS ? self ? Okey,thinking in JAVA */); 928 | } 929 | kfree(mi); 930 | } 931 | } 932 | /* 这里才减少引用计数!因为你并不晓得且不能假设tun和socket的关闭顺序 */ 933 | if (sk) { 934 | sockfd_put(sk->sk_socket); 935 | } 936 | } 937 | tun->tfile = NULL; 938 | netif_tx_unlock_bh(tun->dev); 939 | 940 | /* Drop read queue */ 941 | skb_queue_purge(&tun->socket.sk->sk_receive_queue); 942 | 943 | /* Drop the extra count on the net device */ 944 | dev_put(tun->dev); 945 | } 946 | 947 | static void tun_detach(struct tun_struct *tun) 948 | { 949 | rtnl_lock(); 950 | __tun_detach(tun); 951 | rtnl_unlock(); 952 | } 953 | 954 | static struct tun_struct *__tun_get(struct tun_file *tfile) 955 | { 956 | struct tun_struct *tun = NULL; 957 | 958 | if (atomic_inc_not_zero(&tfile->count)) 959 | tun = tfile->tun; 960 | 961 | return tun; 962 | } 963 | 964 | static struct tun_struct *tun_get(struct file *file) 965 | { 966 | return __tun_get(file->private_data); 967 | } 968 | 969 | static void tun_put(struct tun_struct *tun) 970 | { 971 | struct tun_file *tfile = tun->tfile; 972 | 973 | if (atomic_dec_and_test(&tfile->count)) 974 | tun_detach(tfile->tun); 975 | } 976 | 977 | /* TAP filterting */ 978 | static void addr_hash_set(u32 *mask, const u8 *addr) 979 | { 980 | int n = ether_crc(ETH_ALEN, addr) >> 26; 981 | mask[n >> 5] |= (1 << (n & 31)); 982 | } 983 | 984 | static unsigned int addr_hash_test(const u32 *mask, const u8 *addr) 985 | { 986 | int n = ether_crc(ETH_ALEN, addr) >> 26; 987 | return mask[n >> 5] & (1 << (n & 31)); 988 | } 989 | 990 | static int update_filter(struct tap_filter *filter, void __user *arg) 991 | { 992 | struct { u8 u[ETH_ALEN]; } *addr; 993 | struct tun_filter uf; 994 | int err, alen, n, nexact; 995 | 996 | if (copy_from_user(&uf, arg, sizeof(uf))) 997 | return -EFAULT; 998 | 999 | if (!uf.count) { 1000 | /* Disabled */ 1001 | filter->count = 0; 1002 | return 0; 1003 | } 1004 | 1005 | alen = ETH_ALEN * uf.count; 1006 | addr = kmalloc(alen, GFP_KERNEL); 1007 | if (!addr) 1008 | return -ENOMEM; 1009 | 1010 | if (copy_from_user(addr, arg + sizeof(uf), alen)) { 1011 | err = -EFAULT; 1012 | goto done; 1013 | } 1014 | 1015 | /* The filter is updated without holding any locks. Which is 1016 | * perfectly safe. We disable it first and in the worst 1017 | * case we'll accept a few undesired packets. */ 1018 | filter->count = 0; 1019 | wmb(); 1020 | 1021 | /* Use first set of addresses as an exact filter */ 1022 | for (n = 0; n < uf.count && n < FLT_EXACT_COUNT; n++) 1023 | memcpy(filter->addr[n], addr[n].u, ETH_ALEN); 1024 | 1025 | nexact = n; 1026 | 1027 | /* Remaining multicast addresses are hashed, 1028 | * unicast will leave the filter disabled. */ 1029 | memset(filter->mask, 0, sizeof(filter->mask)); 1030 | for (; n < uf.count; n++) { 1031 | if (!is_multicast_ether_addr(addr[n].u)) { 1032 | err = 0; /* no filter */ 1033 | goto done; 1034 | } 1035 | addr_hash_set(filter->mask, addr[n].u); 1036 | } 1037 | 1038 | /* For ALLMULTI just set the mask to all ones. 1039 | * This overrides the mask populated above. */ 1040 | if ((uf.flags & TUN_FLT_ALLMULTI)) 1041 | memset(filter->mask, ~0, sizeof(filter->mask)); 1042 | 1043 | /* Now enable the filter */ 1044 | wmb(); 1045 | filter->count = nexact; 1046 | 1047 | /* Return the number of exact filters */ 1048 | err = nexact; 1049 | 1050 | done: 1051 | kfree(addr); 1052 | return err; 1053 | } 1054 | 1055 | /* Returns: 0 - drop, !=0 - accept */ 1056 | static int run_filter(struct tap_filter *filter, const struct sk_buff *skb) 1057 | { 1058 | /* Cannot use eth_hdr(skb) here because skb_mac_hdr() is incorrect 1059 | * at this point. */ 1060 | struct ethhdr *eh = (struct ethhdr *) skb->data; 1061 | int i; 1062 | 1063 | /* Exact match */ 1064 | for (i = 0; i < filter->count; i++) 1065 | if (!compare_ether_addr(eh->h_dest, filter->addr[i])) 1066 | return 1; 1067 | 1068 | /* Inexact match (multicast only) */ 1069 | if (is_multicast_ether_addr(eh->h_dest)) 1070 | return addr_hash_test(filter->mask, eh->h_dest); 1071 | 1072 | return 0; 1073 | } 1074 | 1075 | /* 1076 | * Checks whether the packet is accepted or not. 1077 | * Returns: 0 - drop, !=0 - accept 1078 | */ 1079 | static int check_filter(struct tap_filter *filter, const struct sk_buff *skb) 1080 | { 1081 | if (!filter->count) 1082 | return 1; 1083 | 1084 | return run_filter(filter, skb); 1085 | } 1086 | 1087 | /* Network device part of the driver */ 1088 | 1089 | static const struct ethtool_ops tun_ethtool_ops; 1090 | 1091 | /* Net device detach from fd. */ 1092 | static void tun_net_uninit(struct net_device *dev) 1093 | { 1094 | struct tun_struct *tun = netdev_priv(dev); 1095 | struct tun_file *tfile = tun->tfile; 1096 | 1097 | /* Inform the methods they need to stop using the dev. 1098 | */ 1099 | if (tfile) { 1100 | wake_up_all(&tun->socket.wait); 1101 | if (atomic_dec_and_test(&tfile->count)) 1102 | __tun_detach(tun); 1103 | } 1104 | } 1105 | 1106 | static void tun_free_netdev(struct net_device *dev) 1107 | { 1108 | struct tun_struct *tun = netdev_priv(dev); 1109 | 1110 | sock_put(tun->socket.sk); 1111 | } 1112 | 1113 | /* Net device open. */ 1114 | static int tun_net_open(struct net_device *dev) 1115 | { 1116 | netif_start_queue(dev); 1117 | return 0; 1118 | } 1119 | 1120 | /* Net device close. */ 1121 | static int tun_net_close(struct net_device *dev) 1122 | { 1123 | netif_stop_queue(dev); 1124 | return 0; 1125 | } 1126 | 1127 | /* Net device start xmit */ 1128 | static netdev_tx_t tun_net_xmit(struct sk_buff *skb, struct net_device *dev) 1129 | { 1130 | struct tun_struct *tun = netdev_priv(dev); 1131 | 1132 | DBG(KERN_INFO "%s: tun_net_xmit %d\n", tun->dev->name, skb->len); 1133 | 1134 | /* Drop packet if interface is not attached */ 1135 | if (!tun->tfile) 1136 | goto drop; 1137 | 1138 | /* Drop if the filter does not like it. 1139 | * This is a noop if the filter is disabled. 1140 | * Filter can be enabled only for the TAP devices. */ 1141 | if (!check_filter(&tun->txflt, skb)) 1142 | goto drop; 1143 | 1144 | /* ?? */ 1145 | if (tun->ctx.encap_xmit) { 1146 | 1147 | int ret = tun->ctx.encap_xmit(tun/*this就是那个叫做JAVA编程思想的!GEB之大成*/, skb); 1148 | /* Is this Okay?I don't known */ 1149 | /* Refer to the return value of UDP encap_rcv callback!*/ 1150 | if (ret == 0) { 1151 | /* encap_xmit drop skb*/ 1152 | goto out; 1153 | } else if (ret > 0) { 1154 | goto out; 1155 | } 1156 | /* fall through */ 1157 | } 1158 | 1159 | if (skb_queue_len(&tun->socket.sk->sk_receive_queue) >= dev->tx_queue_len) { 1160 | if (!(tun->flags & TUN_ONE_QUEUE)) { 1161 | /* Normal queueing mode. */ 1162 | /* Packet scheduler handles dropping of further packets. */ 1163 | netif_stop_queue(dev); 1164 | 1165 | /* We won't see all dropped packets individually, so overrun 1166 | * error is more appropriate. */ 1167 | dev->stats.tx_fifo_errors++; 1168 | } else { 1169 | /* Single queue mode. 1170 | * Driver handles dropping of all packets itself. */ 1171 | goto drop; 1172 | } 1173 | } 1174 | 1175 | /* Enqueue packet */ 1176 | skb_queue_tail(&tun->socket.sk->sk_receive_queue, skb); 1177 | dev->trans_start = jiffies; 1178 | 1179 | /* Notify and wake up reader process */ 1180 | if (tun->flags & TUN_FASYNC) 1181 | kill_fasync(&tun->fasync, SIGIO, POLL_IN); 1182 | wake_up_interruptible(&tun->socket.wait); 1183 | return NETDEV_TX_OK; 1184 | 1185 | drop: 1186 | dev->stats.tx_dropped++; 1187 | kfree_skb(skb); 1188 | out: 1189 | return NETDEV_TX_OK; 1190 | } 1191 | 1192 | static void tun_net_mclist(struct net_device *dev) 1193 | { 1194 | /* 1195 | * This callback is supposed to deal with mc filter in 1196 | * _rx_ path and has nothing to do with the _tx_ path. 1197 | * In rx path we always accept everything userspace gives us. 1198 | */ 1199 | return; 1200 | } 1201 | 1202 | #define MIN_MTU 68 1203 | #define MAX_MTU 65535 1204 | 1205 | static int 1206 | tun_net_change_mtu(struct net_device *dev, int new_mtu) 1207 | { 1208 | if (new_mtu < MIN_MTU || new_mtu + dev->hard_header_len > MAX_MTU) 1209 | return -EINVAL; 1210 | dev->mtu = new_mtu; 1211 | return 0; 1212 | } 1213 | 1214 | static const struct net_device_ops tun_netdev_ops = { 1215 | .ndo_uninit = tun_net_uninit, 1216 | .ndo_open = tun_net_open, 1217 | .ndo_stop = tun_net_close, 1218 | .ndo_start_xmit = tun_net_xmit, 1219 | .ndo_change_mtu = tun_net_change_mtu, 1220 | }; 1221 | 1222 | static const struct net_device_ops tap_netdev_ops = { 1223 | .ndo_uninit = tun_net_uninit, 1224 | .ndo_open = tun_net_open, 1225 | .ndo_stop = tun_net_close, 1226 | .ndo_start_xmit = tun_net_xmit, 1227 | .ndo_change_mtu = tun_net_change_mtu, 1228 | .ndo_set_multicast_list = tun_net_mclist, 1229 | .ndo_set_mac_address = eth_mac_addr, 1230 | .ndo_validate_addr = eth_validate_addr, 1231 | }; 1232 | 1233 | /* Initialize net device. */ 1234 | static void tun_net_init(struct net_device *dev) 1235 | { 1236 | struct tun_struct *tun = netdev_priv(dev); 1237 | 1238 | switch (tun->flags & TUN_TYPE_MASK) { 1239 | case TUN_TUN_DEV: 1240 | dev->netdev_ops = &tun_netdev_ops; 1241 | 1242 | /* Point-to-Point TUN Device */ 1243 | dev->hard_header_len = 0; 1244 | dev->addr_len = 0; 1245 | dev->mtu = 1500; 1246 | 1247 | /* Zero header length */ 1248 | dev->type = ARPHRD_NONE; 1249 | dev->flags = IFF_POINTOPOINT | IFF_NOARP | IFF_MULTICAST; 1250 | dev->tx_queue_len = TUN_READQ_SIZE; /* We prefer our own queue length */ 1251 | break; 1252 | 1253 | case TUN_TAP_DEV: 1254 | dev->netdev_ops = &tap_netdev_ops; 1255 | /* Ethernet TAP Device */ 1256 | ether_setup(dev); 1257 | 1258 | random_ether_addr(dev->dev_addr); 1259 | 1260 | dev->tx_queue_len = TUN_READQ_SIZE; /* We prefer our own queue length */ 1261 | break; 1262 | } 1263 | dev->priv_flags &= ~IFF_XMIT_DST_RELEASE; 1264 | } 1265 | 1266 | /* Character device part */ 1267 | 1268 | /* Poll */ 1269 | static unsigned int tun_chr_poll(struct file *file, poll_table * wait) 1270 | { 1271 | struct tun_file *tfile = file->private_data; 1272 | struct tun_struct *tun = __tun_get(tfile); 1273 | struct sock *sk; 1274 | unsigned int mask = 0; 1275 | 1276 | if (!tun) 1277 | return POLLERR; 1278 | 1279 | sk = tun->socket.sk; 1280 | 1281 | DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name); 1282 | 1283 | poll_wait(file, &tun->socket.wait, wait); 1284 | 1285 | if (!skb_queue_empty(&sk->sk_receive_queue)) 1286 | mask |= POLLIN | POLLRDNORM; 1287 | 1288 | if (sock_writeable(sk) || 1289 | (!test_and_set_bit(SOCK_ASYNC_NOSPACE, &sk->sk_socket->flags) && 1290 | sock_writeable(sk))) 1291 | mask |= POLLOUT | POLLWRNORM; 1292 | 1293 | if (tun->dev->reg_state != NETREG_REGISTERED) 1294 | mask = POLLERR; 1295 | 1296 | tun_put(tun); 1297 | return mask; 1298 | } 1299 | 1300 | /* prepad is the amount to reserve at front. len is length after that. 1301 | * linear is a hint as to how much to copy (usually headers). */ 1302 | static inline struct sk_buff *tun_alloc_skb(struct tun_struct *tun, 1303 | size_t prepad, size_t len, 1304 | size_t linear, int noblock) 1305 | { 1306 | struct sock *sk = tun->socket.sk; 1307 | struct sk_buff *skb; 1308 | int err; 1309 | 1310 | /* Under a page? Don't bother with paged skb. */ 1311 | if (prepad + len < PAGE_SIZE || !linear) 1312 | linear = len; 1313 | 1314 | skb = sock_alloc_send_pskb(sk, prepad + linear, len - linear, noblock, 1315 | &err); 1316 | if (!skb) 1317 | return ERR_PTR(err); 1318 | 1319 | skb_reserve(skb, prepad); 1320 | skb_put(skb, linear); 1321 | skb->data_len = len - linear; 1322 | skb->len += len - linear; 1323 | 1324 | return skb; 1325 | } 1326 | 1327 | /* Get packet from user space buffer */ 1328 | static __inline__ ssize_t tun_get_user(struct tun_struct *tun, 1329 | const struct iovec *iv, size_t count, 1330 | int noblock) 1331 | { 1332 | struct tun_pi pi = { 0, cpu_to_be16(ETH_P_IP) }; 1333 | struct sk_buff *skb; 1334 | size_t len = count, align = 0; 1335 | struct virtio_net_hdr gso = { 0 }; 1336 | int offset = 0; 1337 | 1338 | if (!(tun->flags & TUN_NO_PI)) { 1339 | if ((len -= sizeof(pi)) > count) 1340 | return -EINVAL; 1341 | 1342 | if (memcpy_fromiovecend((void *)&pi, iv, 0, sizeof(pi))) 1343 | return -EFAULT; 1344 | offset += sizeof(pi); 1345 | } 1346 | 1347 | if (tun->flags & TUN_VNET_HDR) { 1348 | if ((len -= sizeof(gso)) > count) 1349 | return -EINVAL; 1350 | 1351 | if (memcpy_fromiovecend((void *)&gso, iv, offset, sizeof(gso))) 1352 | return -EFAULT; 1353 | 1354 | if ((gso.flags & VIRTIO_NET_HDR_F_NEEDS_CSUM) && 1355 | gso.csum_start + gso.csum_offset + 2 > gso.hdr_len) 1356 | gso.hdr_len = gso.csum_start + gso.csum_offset + 2; 1357 | 1358 | if (gso.hdr_len > len) 1359 | return -EINVAL; 1360 | offset += sizeof(gso); 1361 | } 1362 | 1363 | if ((tun->flags & TUN_TYPE_MASK) == TUN_TAP_DEV) { 1364 | align = NET_IP_ALIGN; 1365 | if (unlikely(len < ETH_HLEN || 1366 | (gso.hdr_len && gso.hdr_len < ETH_HLEN))) 1367 | return -EINVAL; 1368 | } 1369 | 1370 | skb = tun_alloc_skb(tun, align, len, gso.hdr_len, noblock); 1371 | if (IS_ERR(skb)) { 1372 | if (PTR_ERR(skb) != -EAGAIN) 1373 | tun->dev->stats.rx_dropped++; 1374 | return PTR_ERR(skb); 1375 | } 1376 | 1377 | if (skb_copy_datagram_from_iovec(skb, 0, iv, offset, len)) { 1378 | tun->dev->stats.rx_dropped++; 1379 | kfree_skb(skb); 1380 | return -EFAULT; 1381 | } 1382 | 1383 | if (gso.flags & VIRTIO_NET_HDR_F_NEEDS_CSUM) { 1384 | if (!skb_partial_csum_set(skb, gso.csum_start, 1385 | gso.csum_offset)) { 1386 | tun->dev->stats.rx_frame_errors++; 1387 | kfree_skb(skb); 1388 | return -EINVAL; 1389 | } 1390 | } else if (tun->flags & TUN_NOCHECKSUM) 1391 | skb->ip_summed = CHECKSUM_UNNECESSARY; 1392 | 1393 | switch (tun->flags & TUN_TYPE_MASK) { 1394 | case TUN_TUN_DEV: 1395 | if (tun->flags & TUN_NO_PI) { 1396 | switch (skb->data[0] & 0xf0) { 1397 | case 0x40: 1398 | pi.proto = htons(ETH_P_IP); 1399 | break; 1400 | case 0x60: 1401 | pi.proto = htons(ETH_P_IPV6); 1402 | break; 1403 | default: 1404 | tun->dev->stats.rx_dropped++; 1405 | kfree_skb(skb); 1406 | return -EINVAL; 1407 | } 1408 | } 1409 | 1410 | skb_reset_mac_header(skb); 1411 | skb->protocol = pi.proto; 1412 | skb->dev = tun->dev; 1413 | break; 1414 | case TUN_TAP_DEV: 1415 | skb->protocol = eth_type_trans(skb, tun->dev); 1416 | break; 1417 | }; 1418 | 1419 | if (gso.gso_type != VIRTIO_NET_HDR_GSO_NONE) { 1420 | pr_debug("GSO!\n"); 1421 | switch (gso.gso_type & ~VIRTIO_NET_HDR_GSO_ECN) { 1422 | case VIRTIO_NET_HDR_GSO_TCPV4: 1423 | skb_shinfo(skb)->gso_type = SKB_GSO_TCPV4; 1424 | break; 1425 | case VIRTIO_NET_HDR_GSO_TCPV6: 1426 | skb_shinfo(skb)->gso_type = SKB_GSO_TCPV6; 1427 | break; 1428 | case VIRTIO_NET_HDR_GSO_UDP: 1429 | skb_shinfo(skb)->gso_type = SKB_GSO_UDP; 1430 | break; 1431 | default: 1432 | tun->dev->stats.rx_frame_errors++; 1433 | kfree_skb(skb); 1434 | return -EINVAL; 1435 | } 1436 | 1437 | if (gso.gso_type & VIRTIO_NET_HDR_GSO_ECN) 1438 | skb_shinfo(skb)->gso_type |= SKB_GSO_TCP_ECN; 1439 | 1440 | skb_shinfo(skb)->gso_size = gso.gso_size; 1441 | if (skb_shinfo(skb)->gso_size == 0) { 1442 | tun->dev->stats.rx_frame_errors++; 1443 | kfree_skb(skb); 1444 | return -EINVAL; 1445 | } 1446 | 1447 | /* Header must be checked, and gso_segs computed. */ 1448 | skb_shinfo(skb)->gso_type |= SKB_GSO_DODGY; 1449 | skb_shinfo(skb)->gso_segs = 0; 1450 | } 1451 | 1452 | netif_rx_ni(skb); 1453 | 1454 | tun->dev->stats.rx_packets++; 1455 | tun->dev->stats.rx_bytes += len; 1456 | 1457 | return count; 1458 | } 1459 | 1460 | static ssize_t tun_chr_aio_write(struct kiocb *iocb, const struct iovec *iv, 1461 | unsigned long count, loff_t pos) 1462 | { 1463 | struct file *file = iocb->ki_filp; 1464 | struct tun_struct *tun = tun_get(file); 1465 | ssize_t result; 1466 | 1467 | if (!tun) 1468 | return -EBADFD; 1469 | 1470 | DBG(KERN_INFO "%s: tun_chr_write %ld\n", tun->dev->name, count); 1471 | 1472 | result = tun_get_user(tun, iv, iov_length(iv, count), 1473 | file->f_flags & O_NONBLOCK); 1474 | 1475 | tun_put(tun); 1476 | return result; 1477 | } 1478 | 1479 | /* Put packet to the user space buffer */ 1480 | static __inline__ ssize_t tun_put_user(struct tun_struct *tun, 1481 | struct sk_buff *skb, 1482 | const struct iovec *iv, int len) 1483 | { 1484 | struct tun_pi pi = { 0, skb->protocol }; 1485 | ssize_t total = 0; 1486 | 1487 | if (!(tun->flags & TUN_NO_PI)) { 1488 | if ((len -= sizeof(pi)) < 0) 1489 | return -EINVAL; 1490 | 1491 | if (len < skb->len) { 1492 | /* Packet will be striped */ 1493 | pi.flags |= TUN_PKT_STRIP; 1494 | } 1495 | 1496 | if (memcpy_toiovecend(iv, (void *) &pi, 0, sizeof(pi))) 1497 | return -EFAULT; 1498 | total += sizeof(pi); 1499 | } 1500 | 1501 | if (tun->flags & TUN_VNET_HDR) { 1502 | struct virtio_net_hdr gso = { 0 }; /* no info leak */ 1503 | if ((len -= sizeof(gso)) < 0) 1504 | return -EINVAL; 1505 | 1506 | if (skb_is_gso(skb)) { 1507 | struct skb_shared_info *sinfo = skb_shinfo(skb); 1508 | 1509 | /* This is a hint as to how much should be linear. */ 1510 | gso.hdr_len = skb_headlen(skb); 1511 | gso.gso_size = sinfo->gso_size; 1512 | if (sinfo->gso_type & SKB_GSO_TCPV4) 1513 | gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV4; 1514 | else if (sinfo->gso_type & SKB_GSO_TCPV6) 1515 | gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV6; 1516 | else if (sinfo->gso_type & SKB_GSO_UDP) 1517 | gso.gso_type = VIRTIO_NET_HDR_GSO_UDP; 1518 | else 1519 | BUG(); 1520 | if (sinfo->gso_type & SKB_GSO_TCP_ECN) 1521 | gso.gso_type |= VIRTIO_NET_HDR_GSO_ECN; 1522 | } else 1523 | gso.gso_type = VIRTIO_NET_HDR_GSO_NONE; 1524 | 1525 | if (skb->ip_summed == CHECKSUM_PARTIAL) { 1526 | gso.flags = VIRTIO_NET_HDR_F_NEEDS_CSUM; 1527 | gso.csum_start = skb->csum_start - skb_headroom(skb); 1528 | gso.csum_offset = skb->csum_offset; 1529 | } /* else everything is zero */ 1530 | 1531 | if (unlikely(memcpy_toiovecend(iv, (void *)&gso, total, 1532 | sizeof(gso)))) 1533 | return -EFAULT; 1534 | total += sizeof(gso); 1535 | } 1536 | 1537 | len = min_t(int, skb->len, len); 1538 | 1539 | skb_copy_datagram_const_iovec(skb, 0, iv, total, len); 1540 | total += len; 1541 | 1542 | tun->dev->stats.tx_packets++; 1543 | tun->dev->stats.tx_bytes += len; 1544 | 1545 | return total; 1546 | } 1547 | 1548 | static ssize_t tun_chr_aio_read(struct kiocb *iocb, const struct iovec *iv, 1549 | unsigned long count, loff_t pos) 1550 | { 1551 | struct file *file = iocb->ki_filp; 1552 | struct tun_file *tfile = file->private_data; 1553 | struct tun_struct *tun = __tun_get(tfile); 1554 | DECLARE_WAITQUEUE(wait, current); 1555 | struct sk_buff *skb; 1556 | ssize_t len, ret = 0; 1557 | 1558 | if (!tun) 1559 | return -EBADFD; 1560 | 1561 | DBG(KERN_INFO "%s: tun_chr_read\n", tun->dev->name); 1562 | 1563 | len = iov_length(iv, count); 1564 | if (len < 0) { 1565 | ret = -EINVAL; 1566 | goto out; 1567 | } 1568 | 1569 | add_wait_queue(&tun->socket.wait, &wait); 1570 | while (len) { 1571 | current->state = TASK_INTERRUPTIBLE; 1572 | 1573 | /* Read frames from the queue */ 1574 | if (!(skb=skb_dequeue(&tun->socket.sk->sk_receive_queue))) { 1575 | if (file->f_flags & O_NONBLOCK) { 1576 | ret = -EAGAIN; 1577 | break; 1578 | } 1579 | if (signal_pending(current)) { 1580 | ret = -ERESTARTSYS; 1581 | break; 1582 | } 1583 | if (tun->dev->reg_state != NETREG_REGISTERED) { 1584 | ret = -EIO; 1585 | break; 1586 | } 1587 | 1588 | /* Nothing to read, let's sleep */ 1589 | schedule(); 1590 | continue; 1591 | } 1592 | netif_wake_queue(tun->dev); 1593 | 1594 | ret = tun_put_user(tun, skb, iv, len); 1595 | kfree_skb(skb); 1596 | break; 1597 | } 1598 | 1599 | current->state = TASK_RUNNING; 1600 | remove_wait_queue(&tun->socket.wait, &wait); 1601 | 1602 | out: 1603 | tun_put(tun); 1604 | return ret; 1605 | } 1606 | 1607 | static void tun_setup(struct net_device *dev) 1608 | { 1609 | struct tun_struct *tun = netdev_priv(dev); 1610 | 1611 | tun->owner = -1; 1612 | tun->group = -1; 1613 | 1614 | dev->ethtool_ops = &tun_ethtool_ops; 1615 | dev->destructor = tun_free_netdev; 1616 | } 1617 | 1618 | /* Trivial set of netlink ops to allow deleting tun or tap 1619 | * device with netlink. 1620 | */ 1621 | static int tun_validate(struct nlattr *tb[], struct nlattr *data[]) 1622 | { 1623 | return -EINVAL; 1624 | } 1625 | 1626 | static struct rtnl_link_ops tun_link_ops __read_mostly = { 1627 | .kind = DRV_NAME, 1628 | .priv_size = sizeof(struct tun_struct), 1629 | .setup = tun_setup, 1630 | .validate = tun_validate, 1631 | }; 1632 | 1633 | static void tun_sock_write_space(struct sock *sk) 1634 | { 1635 | struct tun_struct *tun; 1636 | 1637 | if (!sock_writeable(sk)) 1638 | return; 1639 | 1640 | if (!test_and_clear_bit(SOCK_ASYNC_NOSPACE, &sk->sk_socket->flags)) 1641 | return; 1642 | 1643 | if (sk->sk_sleep && waitqueue_active(sk->sk_sleep)) 1644 | wake_up_interruptible_sync(sk->sk_sleep); 1645 | 1646 | tun = container_of(sk, struct tun_sock, sk)->tun; 1647 | kill_fasync(&tun->fasync, SIGIO, POLL_OUT); 1648 | } 1649 | 1650 | static void tun_sock_destruct(struct sock *sk) 1651 | { 1652 | free_netdev(container_of(sk, struct tun_sock, sk)->tun->dev); 1653 | } 1654 | 1655 | static struct proto tun_proto = { 1656 | .name = "tun", 1657 | .owner = THIS_MODULE, 1658 | .obj_size = sizeof(struct tun_sock), 1659 | }; 1660 | 1661 | static int tun_flags(struct tun_struct *tun) 1662 | { 1663 | int flags = 0; 1664 | 1665 | if (tun->flags & TUN_TUN_DEV) 1666 | flags |= IFF_TUN; 1667 | else 1668 | flags |= IFF_TAP; 1669 | 1670 | if (tun->flags & TUN_NO_PI) 1671 | flags |= IFF_NO_PI; 1672 | 1673 | if (tun->flags & TUN_ONE_QUEUE) 1674 | flags |= IFF_ONE_QUEUE; 1675 | 1676 | if (tun->flags & TUN_VNET_HDR) 1677 | flags |= IFF_VNET_HDR; 1678 | 1679 | return flags; 1680 | } 1681 | 1682 | static ssize_t tun_show_flags(struct device *dev, struct device_attribute *attr, 1683 | char *buf) 1684 | { 1685 | struct tun_struct *tun = netdev_priv(to_net_dev(dev)); 1686 | return sprintf(buf, "0x%x\n", tun_flags(tun)); 1687 | } 1688 | 1689 | static ssize_t tun_show_owner(struct device *dev, struct device_attribute *attr, 1690 | char *buf) 1691 | { 1692 | struct tun_struct *tun = netdev_priv(to_net_dev(dev)); 1693 | return sprintf(buf, "%d\n", tun->owner); 1694 | } 1695 | 1696 | static ssize_t tun_show_group(struct device *dev, struct device_attribute *attr, 1697 | char *buf) 1698 | { 1699 | struct tun_struct *tun = netdev_priv(to_net_dev(dev)); 1700 | return sprintf(buf, "%d\n", tun->group); 1701 | } 1702 | 1703 | static DEVICE_ATTR(tun_flags, 0444, tun_show_flags, NULL); 1704 | static DEVICE_ATTR(owner, 0444, tun_show_owner, NULL); 1705 | static DEVICE_ATTR(group, 0444, tun_show_group, NULL); 1706 | 1707 | static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) 1708 | { 1709 | struct sock *sk; 1710 | struct tun_struct *tun; 1711 | struct net_device *dev; 1712 | int err; 1713 | 1714 | dev = __dev_get_by_name(net, ifr->ifr_name); 1715 | if (dev) { 1716 | const struct cred *cred = current_cred(); 1717 | 1718 | if (ifr->ifr_flags & IFF_TUN_EXCL) 1719 | return -EBUSY; 1720 | if ((ifr->ifr_flags & IFF_TUN) && dev->netdev_ops == &tun_netdev_ops) 1721 | tun = netdev_priv(dev); 1722 | else if ((ifr->ifr_flags & IFF_TAP) && dev->netdev_ops == &tap_netdev_ops) 1723 | tun = netdev_priv(dev); 1724 | else 1725 | return -EINVAL; 1726 | 1727 | if (((tun->owner != -1 && cred->euid != tun->owner) || 1728 | (tun->group != -1 && !in_egroup_p(tun->group))) && 1729 | !capable(CAP_NET_ADMIN)) 1730 | return -EPERM; 1731 | err = security_tun_dev_attach(tun->socket.sk); 1732 | if (err < 0) 1733 | return err; 1734 | 1735 | err = tun_attach(tun, file); 1736 | if (err < 0) 1737 | return err; 1738 | } 1739 | else { 1740 | char *name; 1741 | unsigned long flags = 0; 1742 | 1743 | if (!capable(CAP_NET_ADMIN)) 1744 | return -EPERM; 1745 | err = security_tun_dev_create(); 1746 | if (err < 0) 1747 | return err; 1748 | 1749 | /* Set dev type */ 1750 | if (ifr->ifr_flags & IFF_TUN) { 1751 | /* TUN device */ 1752 | flags |= TUN_TUN_DEV; 1753 | name = "tun%d"; 1754 | } else if (ifr->ifr_flags & IFF_TAP) { 1755 | /* TAP device */ 1756 | flags |= TUN_TAP_DEV; 1757 | name = "tap%d"; 1758 | } else 1759 | return -EINVAL; 1760 | 1761 | if (*ifr->ifr_name) 1762 | name = ifr->ifr_name; 1763 | 1764 | dev = alloc_netdev(sizeof(struct tun_struct), name, 1765 | tun_setup); 1766 | if (!dev) 1767 | return -ENOMEM; 1768 | 1769 | dev_net_set(dev, net); 1770 | dev->rtnl_link_ops = &tun_link_ops; 1771 | 1772 | tun = netdev_priv(dev); 1773 | tun->dev = dev; 1774 | tun->flags = flags; 1775 | tun->txflt.count = 0; 1776 | 1777 | err = -ENOMEM; 1778 | sk = sk_alloc(net, AF_UNSPEC, GFP_KERNEL, &tun_proto); 1779 | if (!sk) 1780 | goto err_free_dev; 1781 | 1782 | init_waitqueue_head(&tun->socket.wait); 1783 | sock_init_data(&tun->socket, sk); 1784 | sk->sk_write_space = tun_sock_write_space; 1785 | sk->sk_sndbuf = INT_MAX; 1786 | 1787 | container_of(sk, struct tun_sock, sk)->tun = tun; 1788 | 1789 | security_tun_dev_post_create(sk); 1790 | 1791 | tun_net_init(dev); 1792 | 1793 | if (strchr(dev->name, '%')) { 1794 | err = dev_alloc_name(dev, dev->name); 1795 | if (err < 0) 1796 | goto err_free_sk; 1797 | } 1798 | 1799 | err = register_netdevice(tun->dev); 1800 | if (err < 0) 1801 | goto err_free_sk; 1802 | 1803 | if (!net_eq(dev_net(tun->dev), &init_net) || 1804 | device_create_file(&tun->dev->dev, &dev_attr_tun_flags) || 1805 | device_create_file(&tun->dev->dev, &dev_attr_owner) || 1806 | device_create_file(&tun->dev->dev, &dev_attr_group)) 1807 | printk(KERN_ERR "Failed to create tun sysfs files\n"); 1808 | 1809 | sk->sk_destruct = tun_sock_destruct; 1810 | 1811 | err = tun_attach(tun, file); 1812 | if (err < 0) 1813 | goto failed; 1814 | } 1815 | 1816 | DBG(KERN_INFO "%s: tun_set_iff\n", tun->dev->name); 1817 | 1818 | if (ifr->ifr_flags & IFF_NO_PI) 1819 | tun->flags |= TUN_NO_PI; 1820 | else 1821 | tun->flags &= ~TUN_NO_PI; 1822 | 1823 | if (ifr->ifr_flags & IFF_ONE_QUEUE) 1824 | tun->flags |= TUN_ONE_QUEUE; 1825 | else 1826 | tun->flags &= ~TUN_ONE_QUEUE; 1827 | 1828 | if (ifr->ifr_flags & IFF_VNET_HDR) 1829 | tun->flags |= TUN_VNET_HDR; 1830 | else 1831 | tun->flags &= ~TUN_VNET_HDR; 1832 | 1833 | /* Make sure persistent devices do not get stuck in 1834 | * xoff state. 1835 | */ 1836 | if (netif_running(tun->dev)) 1837 | netif_wake_queue(tun->dev); 1838 | 1839 | strcpy(ifr->ifr_name, tun->dev->name); 1840 | return 0; 1841 | 1842 | err_free_sk: 1843 | sock_put(sk); 1844 | err_free_dev: 1845 | free_netdev(dev); 1846 | failed: 1847 | return err; 1848 | } 1849 | 1850 | static int tun_get_iff(struct net *net, struct tun_struct *tun, 1851 | struct ifreq *ifr) 1852 | { 1853 | DBG(KERN_INFO "%s: tun_get_iff\n", tun->dev->name); 1854 | 1855 | strcpy(ifr->ifr_name, tun->dev->name); 1856 | 1857 | ifr->ifr_flags = tun_flags(tun); 1858 | 1859 | return 0; 1860 | } 1861 | 1862 | /* This is like a cut-down ethtool ops, except done via tun fd so no 1863 | * privs required. */ 1864 | static int set_offload(struct net_device *dev, unsigned long arg) 1865 | { 1866 | unsigned int old_features, features; 1867 | 1868 | old_features = dev->features; 1869 | /* Unset features, set them as we chew on the arg. */ 1870 | features = (old_features & ~(NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST 1871 | |NETIF_F_TSO_ECN|NETIF_F_TSO|NETIF_F_TSO6 1872 | |NETIF_F_UFO)); 1873 | 1874 | if (arg & TUN_F_CSUM) { 1875 | features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST; 1876 | arg &= ~TUN_F_CSUM; 1877 | 1878 | if (arg & (TUN_F_TSO4|TUN_F_TSO6)) { 1879 | if (arg & TUN_F_TSO_ECN) { 1880 | features |= NETIF_F_TSO_ECN; 1881 | arg &= ~TUN_F_TSO_ECN; 1882 | } 1883 | if (arg & TUN_F_TSO4) 1884 | features |= NETIF_F_TSO; 1885 | if (arg & TUN_F_TSO6) 1886 | features |= NETIF_F_TSO6; 1887 | arg &= ~(TUN_F_TSO4|TUN_F_TSO6); 1888 | } 1889 | 1890 | if (arg & TUN_F_UFO) { 1891 | features |= NETIF_F_UFO; 1892 | arg &= ~TUN_F_UFO; 1893 | } 1894 | } 1895 | 1896 | /* This gives the user a way to test for new features in future by 1897 | * trying to set them. */ 1898 | if (arg) 1899 | return -EINVAL; 1900 | 1901 | dev->features = features; 1902 | if (old_features != dev->features) 1903 | netdev_features_change(dev); 1904 | 1905 | return 0; 1906 | } 1907 | 1908 | int ovpn_cipher_init(void *arg) 1909 | { 1910 | int ret = 0; 1911 | struct tun_struct *tun = (struct tun_struct *)arg; 1912 | 1913 | tun->ctx.tfm = crypto_alloc_cipher("aes"/*ctx.cipher_name*/, 0/*CRYPTO_TFM_MODE_ECB*/, CRYPTO_ALG_ASYNC); 1914 | if (IS_ERR(tun->ctx.tfm)) { 1915 | ret = -1; 1916 | goto out; 1917 | } else { 1918 | } 1919 | out: 1920 | return ret; 1921 | } 1922 | 1923 | int ovpn_cipher_setkey(struct multi_instance *mi, 1924 | struct crypto_cipher *tfm, 1925 | const u8 *key, 1926 | unsigned int keylen) 1927 | { 1928 | /* 此处应该转换crypto框架的return value为OpenVPN内核版的return value. 1929 | * 好在都是一个规则:0为成功,非0为失败 1930 | **/ 1931 | unsigned char key1[16] = {0}; 1932 | /* 这么玩是错误的,tfm应该和一个multi_instance绑定而不是和tun绑定,毕竟 1933 | * 它不是全局的,很显然每一个mi都有一套自己的cipher上下文 1934 | **/ 1935 | return crypto_cipher_setkey(tfm, (const u8 *)&key1[0], 16); 1936 | //return crypto_cipher_setkey(tfm, key, keylen); 1937 | } 1938 | 1939 | static int ovpn_cipher_pre_enc(struct encap_context *ctx, 1940 | struct sk_buff *skb, 1941 | int mode, 1942 | struct multi_instance *mi) 1943 | { 1944 | int ret = 0; 1945 | if (mode == OVPN_OPT_ENC){ 1946 | int left; 1947 | left = (skb->len - 1) % crypto_cipher_blocksize(ctx->tfm); 1948 | if (left >= 0) { 1949 | /* 1950 | * 测试版本仅仅支持AES-128-ECB算法,下面的这个padding规则是我折腾出来的, 1951 | * 我dump了正常的数据包解密后的数据,发现padding是很有规律的,规则如下: 1952 | * 0x? 0x?..一共?个0x? 1953 | * 也许懂AES padding的人会笑话我,笑就笑吧,反正我是真不懂,但是我觉得 1954 | * 我的思路是对的,不看书而自己发现规律难道不更好吗。我想问问,有多少 1955 | * 知识是从书上学的或者老师教的呢? 1956 | **/ 1957 | int oldlen = skb->len; 1958 | unsigned char padding = 0x00; 1959 | int oleft = left; 1960 | padding = 0x10 - (u8)oleft; 1961 | left = crypto_cipher_blocksize(ctx->tfm) - left; 1962 | 1963 | skb_push(skb, left); 1964 | memmove(skb->data, skb->data + left, oldlen); 1965 | memset(skb->data + oldlen, padding, left); 1966 | } 1967 | } else if (mode == OVPN_OPT_DEC) { 1968 | 1969 | } else { 1970 | ret = -1; 1971 | goto out; 1972 | } 1973 | out: 1974 | return ret; 1975 | 1976 | } 1977 | 1978 | struct sk_buff *ovpn_cipher_enc(struct encap_context *ctx, 1979 | struct sk_buff *skb, 1980 | int mode, 1981 | void *arg) 1982 | { 1983 | /* setkey必须在这里完成,但是由于加密框架还没有完成,mi必须作为参数传入。 1984 | * key是定死的,所以不必费事了。 1985 | **/ 1986 | if (mode == OVPN_OPT_ENC) { 1987 | int i; 1988 | unsigned char *data = skb->data + 1; 1989 | hexdump("RAW", data, skb->len - 1); 1990 | for (i = 0; i < skb->len - 1; i += crypto_cipher_blocksize(ctx->tfm)) { 1991 | crypto_cipher_encrypt_one(ctx->tfm, 1992 | data + i, 1993 | data + i); 1994 | } 1995 | hexdump("ENC", data, skb->len - 1); 1996 | 1997 | } else if (mode == OVPN_OPT_DEC) { 1998 | int i; 1999 | unsigned char *data = skb->data + 1; 2000 | for (i = 0; i < skb->len - 1; i += crypto_cipher_blocksize(ctx->tfm)) { 2001 | crypto_cipher_decrypt_one(ctx->tfm, 2002 | data + i, 2003 | data + i); 2004 | } 2005 | hexdump("DEC", data, skb->len - 1); 2006 | } else { 2007 | goto out; 2008 | } 2009 | out: 2010 | return skb; 2011 | } 2012 | 2013 | int ovpn_cipher_fini(void *arg) 2014 | { 2015 | struct tun_struct *tun = (struct tun_struct *)arg; 2016 | struct encap_context *ctx = &tun->ctx; 2017 | 2018 | crypto_free_cipher(ctx->tfm); 2019 | return 0; 2020 | } 2021 | 2022 | static long tun_chr_ioctl(struct file *file, unsigned int cmd, 2023 | unsigned long arg) 2024 | { 2025 | struct tun_file *tfile = file->private_data; 2026 | struct tun_struct *tun; 2027 | void __user* argp = (void __user*)arg; 2028 | struct ifreq ifr; 2029 | int sndbuf; 2030 | int ret; 2031 | 2032 | if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) 2033 | if (copy_from_user(&ifr, argp, sizeof ifr)) 2034 | return -EFAULT; 2035 | 2036 | if (cmd == TUNGETFEATURES) { 2037 | /* Currently this just means: "what IFF flags are valid?". 2038 | * This is needed because we never checked for invalid flags on 2039 | * TUNSETIFF. */ 2040 | return put_user(IFF_TUN | IFF_TAP | IFF_NO_PI | IFF_ONE_QUEUE | 2041 | IFF_VNET_HDR, 2042 | (unsigned int __user*)argp); 2043 | } 2044 | 2045 | rtnl_lock(); 2046 | 2047 | tun = __tun_get(tfile); 2048 | if (cmd == TUNSETIFF && !tun) { 2049 | ifr.ifr_name[IFNAMSIZ-1] = '\0'; 2050 | 2051 | ret = tun_set_iff(tfile->net, file, &ifr); 2052 | 2053 | if (ret) 2054 | goto unlock; 2055 | 2056 | if (copy_to_user(argp, &ifr, sizeof(ifr))) 2057 | ret = -EFAULT; 2058 | goto unlock; 2059 | } 2060 | 2061 | ret = -EBADFD; 2062 | if (!tun) 2063 | goto unlock; 2064 | 2065 | DBG(KERN_INFO "%s: tun_chr_ioctl cmd %d\n", tun->dev->name, cmd); 2066 | 2067 | ret = 0; 2068 | switch (cmd) { 2069 | /* 这里的几个命令都是OpenVPN相关的 */ 2070 | /* 但是我并不知道怎么将这些独立出去!*/ 2071 | case TUNADDMILTI: 2072 | { 2073 | struct instance_req ir; 2074 | if (copy_from_user(&ir, argp, sizeof(ir))) { 2075 | ret = -EFAULT; 2076 | break; 2077 | } 2078 | if (!ovpn_add_real_instance(tun, ir.real_addr, ir.port)) { 2079 | ret = -EFAULT; 2080 | break; 2081 | } 2082 | } 2083 | break; 2084 | case TUNSETMIVIP: 2085 | { 2086 | struct instance_vreq vir; 2087 | if (copy_from_user(&vir, argp, sizeof(vir))) { 2088 | ret = -EFAULT; 2089 | break; 2090 | } 2091 | ovpn_add_virtual_instance(tun, vir.real_addr, vir.port, vir.vaddr); 2092 | } 2093 | break; 2094 | case TUNDELMILTI: 2095 | { 2096 | struct instance_req ir; 2097 | if (copy_from_user(&ir, argp, sizeof(ir))) { 2098 | ret = -EFAULT; 2099 | break; 2100 | } 2101 | ovpn_del_real_instance(tun, ir.real_addr, ir.port); 2102 | } 2103 | break; 2104 | case TUNSETMKEY: 2105 | { 2106 | struct key_block *kb; 2107 | /* 这里为何非要不在栈上分配呢? 2108 | * 因为这里是内核,内核栈的大小是有限的,鉴于kb空间较大 2109 | * 因此采用了动态分配,用后释放 2110 | **/ 2111 | kb = kmalloc(sizeof(struct key_block), GFP_KERNEL); 2112 | if (!kb) { 2113 | ret = -ENOMEM; 2114 | break; 2115 | } 2116 | if (copy_from_user(kb, argp, sizeof(kb))) { 2117 | ret = -EFAULT; 2118 | break; 2119 | } 2120 | // TODO waht? find_set_key(tun, kb); 2121 | /* 很显然要find出一个multi_instance,然后把key设置进去*/ 2122 | kfree(kb); 2123 | } 2124 | break; 2125 | case TUNGETMKEY: 2126 | // TODO 2127 | break; 2128 | case TUNLINKOVPN: 2129 | { 2130 | struct sockfd sfd; 2131 | struct socket *sock; 2132 | struct sock *sk; 2133 | int err; 2134 | int i; 2135 | if (copy_from_user(&sfd, argp, sizeof(sfd))) { 2136 | ret = -EFAULT; 2137 | break; 2138 | } 2139 | sock = sockfd_lookup(sfd.fd, &err); 2140 | if (!sock) { 2141 | ret = -EFAULT; 2142 | break; 2143 | } 2144 | sk = sock->sk; 2145 | if (sk->sk_protocol != IPPROTO_UDP) { 2146 | ret = -EFAULT; 2147 | break; 2148 | } 2149 | (udp_sk(sk))->encap_type = UDP_ENCAP_OVPN; 2150 | (udp_sk(sk))->encap_rcv = ovpn_data_channel_decap_recv; 2151 | /* link tun and sock ?? */ 2152 | tun->encap_sock = sk; 2153 | sk->sk_user_data = tun; 2154 | tun->ctx.encap_xmit = ovpn_data_channel_encap_xmit; 2155 | tun->ctx.cipher_init = ovpn_cipher_init; 2156 | tun->ctx.cipher_fini = ovpn_cipher_fini; 2157 | tun->ctx.cipher_setkey = ovpn_cipher_setkey; 2158 | tun->ctx.cipher_pre_enc = ovpn_cipher_pre_enc; 2159 | tun->ctx.cipher_enc = ovpn_cipher_enc; 2160 | for (i = 0; i < MAX_HASH_BUCKETS; i++) { 2161 | INIT_HLIST_HEAD(&tun->ctx.hash[i]); 2162 | INIT_HLIST_HEAD(&tun->ctx.vhash[i]); 2163 | } 2164 | /* 感觉放在这个地方不好,但是放在哪里呢? 2165 | * 还是放在一个大的init模块里面比较好,在 2166 | * 里面初始化一切和cipher有关的东西 2167 | **/ 2168 | tun->ctx.cipher_init((void *)tun); 2169 | } 2170 | break; 2171 | 2172 | case TUNGETIFF: 2173 | ret = tun_get_iff(current->nsproxy->net_ns, tun, &ifr); 2174 | if (ret) 2175 | break; 2176 | 2177 | if (copy_to_user(argp, &ifr, sizeof(ifr))) 2178 | ret = -EFAULT; 2179 | break; 2180 | 2181 | case TUNSETNOCSUM: 2182 | /* Disable/Enable checksum */ 2183 | if (arg) 2184 | tun->flags |= TUN_NOCHECKSUM; 2185 | else 2186 | tun->flags &= ~TUN_NOCHECKSUM; 2187 | 2188 | DBG(KERN_INFO "%s: checksum %s\n", 2189 | tun->dev->name, arg ? "disabled" : "enabled"); 2190 | break; 2191 | 2192 | case TUNSETPERSIST: 2193 | /* Disable/Enable persist mode */ 2194 | if (arg) 2195 | tun->flags |= TUN_PERSIST; 2196 | else 2197 | tun->flags &= ~TUN_PERSIST; 2198 | 2199 | DBG(KERN_INFO "%s: persist %s\n", 2200 | tun->dev->name, arg ? "enabled" : "disabled"); 2201 | break; 2202 | 2203 | case TUNSETOWNER: 2204 | /* Set owner of the device */ 2205 | tun->owner = (uid_t) arg; 2206 | 2207 | DBG(KERN_INFO "%s: owner set to %d\n", tun->dev->name, tun->owner); 2208 | break; 2209 | 2210 | case TUNSETGROUP: 2211 | /* Set group of the device */ 2212 | tun->group= (gid_t) arg; 2213 | 2214 | DBG(KERN_INFO "%s: group set to %d\n", tun->dev->name, tun->group); 2215 | break; 2216 | 2217 | case TUNSETLINK: 2218 | /* Only allow setting the type when the interface is down */ 2219 | if (tun->dev->flags & IFF_UP) { 2220 | DBG(KERN_INFO "%s: Linktype set failed because interface is up\n", 2221 | tun->dev->name); 2222 | ret = -EBUSY; 2223 | } else { 2224 | tun->dev->type = (int) arg; 2225 | DBG(KERN_INFO "%s: linktype set to %d\n", tun->dev->name, tun->dev->type); 2226 | ret = 0; 2227 | } 2228 | break; 2229 | 2230 | #ifdef TUN_DEBUG 2231 | case TUNSETDEBUG: 2232 | tun->debug = arg; 2233 | break; 2234 | #endif 2235 | case TUNSETOFFLOAD: 2236 | ret = set_offload(tun->dev, arg); 2237 | break; 2238 | 2239 | case TUNSETTXFILTER: 2240 | /* Can be set only for TAPs */ 2241 | ret = -EINVAL; 2242 | if ((tun->flags & TUN_TYPE_MASK) != TUN_TAP_DEV) 2243 | break; 2244 | ret = update_filter(&tun->txflt, (void __user *)arg); 2245 | break; 2246 | 2247 | case SIOCGIFHWADDR: 2248 | /* Get hw addres */ 2249 | memcpy(ifr.ifr_hwaddr.sa_data, tun->dev->dev_addr, ETH_ALEN); 2250 | ifr.ifr_hwaddr.sa_family = tun->dev->type; 2251 | if (copy_to_user(argp, &ifr, sizeof ifr)) 2252 | ret = -EFAULT; 2253 | break; 2254 | 2255 | case SIOCSIFHWADDR: 2256 | /* Set hw address */ 2257 | DBG(KERN_DEBUG "%s: set hw address: %pM\n", 2258 | tun->dev->name, ifr.ifr_hwaddr.sa_data); 2259 | 2260 | ret = dev_set_mac_address(tun->dev, &ifr.ifr_hwaddr); 2261 | break; 2262 | 2263 | case TUNGETSNDBUF: 2264 | sndbuf = tun->socket.sk->sk_sndbuf; 2265 | if (copy_to_user(argp, &sndbuf, sizeof(sndbuf))) 2266 | ret = -EFAULT; 2267 | break; 2268 | 2269 | case TUNSETSNDBUF: 2270 | if (copy_from_user(&sndbuf, argp, sizeof(sndbuf))) { 2271 | ret = -EFAULT; 2272 | break; 2273 | } 2274 | 2275 | tun->socket.sk->sk_sndbuf = sndbuf; 2276 | break; 2277 | 2278 | default: 2279 | ret = -EINVAL; 2280 | break; 2281 | }; 2282 | 2283 | unlock: 2284 | rtnl_unlock(); 2285 | if (tun) 2286 | tun_put(tun); 2287 | return ret; 2288 | } 2289 | 2290 | static int tun_chr_fasync(int fd, struct file *file, int on) 2291 | { 2292 | struct tun_struct *tun = tun_get(file); 2293 | int ret; 2294 | 2295 | if (!tun) 2296 | return -EBADFD; 2297 | 2298 | DBG(KERN_INFO "%s: tun_chr_fasync %d\n", tun->dev->name, on); 2299 | 2300 | lock_kernel(); 2301 | if ((ret = fasync_helper(fd, file, on, &tun->fasync)) < 0) 2302 | goto out; 2303 | 2304 | if (on) { 2305 | ret = __f_setown(file, task_pid(current), PIDTYPE_PID, 0); 2306 | if (ret) 2307 | goto out; 2308 | tun->flags |= TUN_FASYNC; 2309 | } else 2310 | tun->flags &= ~TUN_FASYNC; 2311 | ret = 0; 2312 | out: 2313 | unlock_kernel(); 2314 | tun_put(tun); 2315 | return ret; 2316 | } 2317 | 2318 | static int tun_chr_open(struct inode *inode, struct file * file) 2319 | { 2320 | struct tun_file *tfile; 2321 | cycle_kernel_lock(); 2322 | DBG1(KERN_INFO "tunX: tun_chr_open\n"); 2323 | 2324 | tfile = kmalloc(sizeof(*tfile), GFP_KERNEL); 2325 | if (!tfile) 2326 | return -ENOMEM; 2327 | atomic_set(&tfile->count, 0); 2328 | tfile->tun = NULL; 2329 | tfile->net = get_net(current->nsproxy->net_ns); 2330 | file->private_data = tfile; 2331 | return 0; 2332 | } 2333 | 2334 | static int tun_chr_close(struct inode *inode, struct file *file) 2335 | { 2336 | struct tun_file *tfile = file->private_data; 2337 | struct tun_struct *tun; 2338 | 2339 | tun = __tun_get(tfile); 2340 | if (tun) { 2341 | struct net_device *dev = tun->dev; 2342 | 2343 | DBG(KERN_INFO "%s: tun_chr_close\n", dev->name); 2344 | 2345 | __tun_detach(tun); 2346 | 2347 | /* If desireable, unregister the netdevice. */ 2348 | if (!(tun->flags & TUN_PERSIST)) { 2349 | rtnl_lock(); 2350 | if (dev->reg_state == NETREG_REGISTERED) 2351 | unregister_netdevice(dev); 2352 | rtnl_unlock(); 2353 | } 2354 | } 2355 | 2356 | tun = tfile->tun; 2357 | if (tun) 2358 | sock_put(tun->socket.sk); 2359 | 2360 | put_net(tfile->net); 2361 | kfree(tfile); 2362 | 2363 | return 0; 2364 | } 2365 | 2366 | static const struct file_operations tun_fops = { 2367 | .owner = THIS_MODULE, 2368 | .llseek = no_llseek, 2369 | .read = do_sync_read, 2370 | .aio_read = tun_chr_aio_read, 2371 | .write = do_sync_write, 2372 | .aio_write = tun_chr_aio_write, 2373 | .poll = tun_chr_poll, 2374 | .unlocked_ioctl = tun_chr_ioctl, 2375 | .open = tun_chr_open, 2376 | .release = tun_chr_close, 2377 | .fasync = tun_chr_fasync 2378 | }; 2379 | 2380 | static struct miscdevice tun_miscdev = { 2381 | .minor = TUN_MINOR, 2382 | .name = "tun", 2383 | .nodename = "net/tun", 2384 | .fops = &tun_fops, 2385 | }; 2386 | 2387 | /* ethtool interface */ 2388 | 2389 | static int tun_get_settings(struct net_device *dev, struct ethtool_cmd *cmd) 2390 | { 2391 | cmd->supported = 0; 2392 | cmd->advertising = 0; 2393 | cmd->speed = SPEED_10; 2394 | cmd->duplex = DUPLEX_FULL; 2395 | cmd->port = PORT_TP; 2396 | cmd->phy_address = 0; 2397 | cmd->transceiver = XCVR_INTERNAL; 2398 | cmd->autoneg = AUTONEG_DISABLE; 2399 | cmd->maxtxpkt = 0; 2400 | cmd->maxrxpkt = 0; 2401 | return 0; 2402 | } 2403 | 2404 | static void tun_get_drvinfo(struct net_device *dev, struct ethtool_drvinfo *info) 2405 | { 2406 | struct tun_struct *tun = netdev_priv(dev); 2407 | 2408 | strcpy(info->driver, DRV_NAME); 2409 | strcpy(info->version, DRV_VERSION); 2410 | strcpy(info->fw_version, "N/A"); 2411 | 2412 | switch (tun->flags & TUN_TYPE_MASK) { 2413 | case TUN_TUN_DEV: 2414 | strcpy(info->bus_info, "tun"); 2415 | break; 2416 | case TUN_TAP_DEV: 2417 | strcpy(info->bus_info, "tap"); 2418 | break; 2419 | } 2420 | } 2421 | 2422 | static u32 tun_get_msglevel(struct net_device *dev) 2423 | { 2424 | #ifdef TUN_DEBUG 2425 | struct tun_struct *tun = netdev_priv(dev); 2426 | return tun->debug; 2427 | #else 2428 | return -EOPNOTSUPP; 2429 | #endif 2430 | } 2431 | 2432 | static void tun_set_msglevel(struct net_device *dev, u32 value) 2433 | { 2434 | #ifdef TUN_DEBUG 2435 | struct tun_struct *tun = netdev_priv(dev); 2436 | tun->debug = value; 2437 | #endif 2438 | } 2439 | 2440 | static u32 tun_get_link(struct net_device *dev) 2441 | { 2442 | struct tun_struct *tun = netdev_priv(dev); 2443 | return !!tun->tfile; 2444 | } 2445 | 2446 | static u32 tun_get_rx_csum(struct net_device *dev) 2447 | { 2448 | struct tun_struct *tun = netdev_priv(dev); 2449 | return (tun->flags & TUN_NOCHECKSUM) == 0; 2450 | } 2451 | 2452 | static int tun_set_rx_csum(struct net_device *dev, u32 data) 2453 | { 2454 | struct tun_struct *tun = netdev_priv(dev); 2455 | if (data) 2456 | tun->flags &= ~TUN_NOCHECKSUM; 2457 | else 2458 | tun->flags |= TUN_NOCHECKSUM; 2459 | return 0; 2460 | } 2461 | 2462 | static const struct ethtool_ops tun_ethtool_ops = { 2463 | .get_settings = tun_get_settings, 2464 | .get_drvinfo = tun_get_drvinfo, 2465 | .get_msglevel = tun_get_msglevel, 2466 | .set_msglevel = tun_set_msglevel, 2467 | .get_link = tun_get_link, 2468 | .get_rx_csum = tun_get_rx_csum, 2469 | .set_rx_csum = tun_set_rx_csum 2470 | }; 2471 | 2472 | 2473 | static int __init tun_init(void) 2474 | { 2475 | int ret = 0; 2476 | 2477 | printk(KERN_INFO "tun: %s, %s\n", DRV_DESCRIPTION, DRV_VERSION); 2478 | printk(KERN_INFO "tun: %s\n", DRV_COPYRIGHT); 2479 | 2480 | ret = rtnl_link_register(&tun_link_ops); 2481 | if (ret) { 2482 | printk(KERN_ERR "tun: Can't register link_ops\n"); 2483 | goto err_linkops; 2484 | } 2485 | 2486 | ret = misc_register(&tun_miscdev); 2487 | if (ret) { 2488 | printk(KERN_ERR "tun: Can't register misc device %d\n", TUN_MINOR); 2489 | goto err_misc; 2490 | } 2491 | return 0; 2492 | err_misc: 2493 | rtnl_link_unregister(&tun_link_ops); 2494 | err_linkops: 2495 | return ret; 2496 | } 2497 | 2498 | static void tun_cleanup(void) 2499 | { 2500 | misc_deregister(&tun_miscdev); 2501 | rtnl_link_unregister(&tun_link_ops); 2502 | } 2503 | 2504 | module_init(tun_init); 2505 | module_exit(tun_cleanup); 2506 | MODULE_DESCRIPTION(DRV_DESCRIPTION); 2507 | MODULE_AUTHOR(DRV_COPYRIGHT); 2508 | MODULE_LICENSE("GPL"); 2509 | MODULE_ALIAS_MISCDEV(TUN_MINOR); 2510 | --------------------------------------------------------------------------------