doxygen/vlan_8c_source.html

 /*
  *  OpenVPN -- An application to securely tunnel IP networks
  *             over a single TCP/UDP port, with support for SSL/TLS-based
  *             session authentication and key exchange,
  *             packet encryption, packet authentication, and
  *             packet compression.
  *
  *  Copyright (C) 2002-2019 OpenVPN Technologies, Inc. <sales@openvpn.net>
  *  Copyright (C) 2010      Fabian Knittel <fabian.knittel@lettink.de>
  *
  *  This program is free software; you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License version 2
  *  as published by the Free Software Foundation.
  *
  *  This program is distributed in the hope that it will be useful,
  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  *  GNU General Public License for more details.
  *
  *  You should have received a copy of the GNU General Public License along
  *  with this program; if not, write to the Free Software Foundation, Inc.,
  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */

 #ifdef HAVE_CONFIG_H
 #include "config.h"
 #elif defined(_MSC_VER)
 #include "config-msvc.h"
 #endif

 #include "syshead.h"

 #include "multi.h"
 #include "options.h"
 #include "vlan.h"

 /*
  * Retrieve the VLAN Identifier (VID) from the IEEE 802.1Q header.
  *
  * @param hdr Pointer to the Ethernet header with IEEE 802.1Q tagging.
  * @return    Returns the VID in host byte order.
  */
 static uint16_t
 vlanhdr_get_vid(const struct openvpn_8021qhdr *hdr)
 {
     return ntohs(hdr->pcp_cfi_vid & OPENVPN_8021Q_MASK_VID);
 }

 /*
  * Set the VLAN Identifier (VID) in an IEEE 802.1Q header.
  *
  * @param hdr Pointer to the Ethernet header with IEEE 802.1Q tagging.
  * @param vid The VID to set (in host byte order).
  */
 static void
 vlanhdr_set_vid(struct openvpn_8021qhdr *hdr, const uint16_t vid)
 {
     hdr->pcp_cfi_vid = (hdr->pcp_cfi_vid & ~OPENVPN_8021Q_MASK_VID)
                        | (htons(vid) & OPENVPN_8021Q_MASK_VID);
 }

 /*
  * vlan_decapsulate - remove 802.1q header and return VID
  *
  * For vlan_accept == VLAN_ONLY_UNTAGGED_OR_PRIORITY:
  *   Only untagged frames and frames that are priority-tagged (VID == 0) are
  *   accepted.  (This means that VLAN-tagged frames are dropped.)  For frames
  *   that aren't dropped, the global vlan_pvid is returned as VID.
  *
  * For vlan_accept == VLAN_ONLY_TAGGED:
  *   If a frame is VLAN-tagged the tagging is removed and the embedded VID is
  *   returned.  Any included priority information is lost.
  *   If a frame isn't VLAN-tagged, the frame is dropped.
  *
  * For vlan_accept == VLAN_ALL:
  *   Accepts both VLAN-tagged and untagged (or priority-tagged) frames and
  *   and handles them as described above.
  *
  * @param c   The global context.
  * @param buf The ethernet frame.
  * @return    Returns -1 if the frame is dropped or the VID if it is accepted.
  */
 int16_t
 vlan_decapsulate(const struct context *c, struct buffer *buf)
 {
     const struct openvpn_8021qhdr *vlanhdr;
     struct openvpn_ethhdr *ethhdr;
     uint16_t vid;

     /* assume untagged frame */
     if (BLEN(buf) < sizeof(*ethhdr))
     {
         goto drop;
     }

     ethhdr = (struct openvpn_ethhdr *)BPTR(buf);
     if (ethhdr->proto != htons(OPENVPN_ETH_P_8021Q))
     {
         /* reject untagged frame */
         if (c->options.vlan_accept == VLAN_ONLY_TAGGED)
         {
             msg(D_VLAN_DEBUG,
                 "dropping frame without vlan-tag (proto/len 0x%04x)",
                 ntohs(ethhdr->proto));
             goto drop;
         }

         /* untagged frame is accepted and associated with the global VID */
         msg(D_VLAN_DEBUG,
             "assuming pvid for frame without vlan-tag, pvid: %u (proto/len 0x%04x)",
             c->options.vlan_pvid, ntohs(ethhdr->proto));

         return c->options.vlan_pvid;
     }

     /* tagged frame */
     if (BLEN(buf) < sizeof(*vlanhdr))
     {
         goto drop;
     }

     vlanhdr = (const struct openvpn_8021qhdr *)BPTR(buf);
     vid = vlanhdr_get_vid(vlanhdr);

     switch (c->options.vlan_accept)
     {
         case VLAN_ONLY_UNTAGGED_OR_PRIORITY:
             /* VLAN-tagged frame: drop packet */
             if (vid != 0)
             {
                 msg(D_VLAN_DEBUG, "dropping frame with vlan-tag, vid: %u (proto/len 0x%04x)",
                     vid, ntohs(vlanhdr->proto));
                 goto drop;
             }

         /* vid == 0 means prio-tagged packet: don't drop and fall-through */
         case VLAN_ONLY_TAGGED:
         case VLAN_ALL:
             /* tagged frame can be accepted: extract vid and strip encapsulation */

             /* in case of prio-tagged frame (vid == 0), assume the sender
              * knows what he is doing and forward the packet as it is, so to
              * keep the priority information intact.
              */
             if (vid == 0)
             {
                 /* return the global VID for priority-tagged frames */
                 return c->options.vlan_pvid;
             }

             /* here we have a proper VLAN tagged frame: perform decapsulation
              * and return embedded VID
              */
             msg(D_VLAN_DEBUG,
                 "removing vlan-tag from frame: vid: %u, wrapped proto/len: 0x%04x",
                 vid, ntohs(vlanhdr->proto));

             /* save inner protocol to be restored later after decapsulation */
             uint16_t proto = vlanhdr->proto;
             /* move the buffer head forward to adjust the headroom to a
              * non-tagged frame
              */
             buf_advance(buf, SIZE_ETH_TO_8021Q_HDR);
             /* move the content of the 802.1q header to the new head, so that
              * src/dst addresses are copied over
              */
             ethhdr = memmove(BPTR(buf), vlanhdr, sizeof(*ethhdr));
             /* restore the inner protocol value */
             ethhdr->proto = proto;

             return vid;
     }

 drop:
     buf->len = 0;
     return -1;
 }

 /*
  * vlan_encapsulate - add 802.1q header and set the context related VID
  *
  * Assumes vlan_accept == VLAN_ONLY_TAGGED
  *
  * @param c   The current context.
  * @param buf The ethernet frame to encapsulate.
  */
 void
 vlan_encapsulate(const struct context *c, struct buffer *buf)
 {
     const struct openvpn_ethhdr *ethhdr;
     struct openvpn_8021qhdr *vlanhdr;

     if (BLEN(buf) < sizeof(*ethhdr))
     {
         goto drop;
     }

     ethhdr = (const struct openvpn_ethhdr *)BPTR(buf);
     if (ethhdr->proto == htons(OPENVPN_ETH_P_8021Q))
     {
         /* Priority-tagged frame. (VLAN-tagged frames have been dropped before
          * getting to this point)
          */

         /* Frame too small for header type? */
         if (BLEN(buf) < sizeof(*vlanhdr))
         {
             goto drop;
         }

         vlanhdr = (struct openvpn_8021qhdr *)BPTR(buf);

         /* sanity check: ensure this packet is really just prio-tagged */
         uint16_t vid = vlanhdr_get_vid(vlanhdr);
         if (vid != 0)
         {
             goto drop;
         }
     }
     else
     {
         /* Untagged frame. */

         /* Not enough head room for VLAN tag? */
         if (buf_reverse_capacity(buf) < SIZE_ETH_TO_8021Q_HDR)
         {
             goto drop;
         }

         vlanhdr = (struct openvpn_8021qhdr *)buf_prepend(buf,
                                                          SIZE_ETH_TO_8021Q_HDR);

         /* Initialise VLAN/802.1q header.
          * Move the Eth header so to keep dst/src addresses the same and then
          * assign the other fields.
          *
          * Also, save the inner protocol first, so that it can be restored later
          * after the memmove()
          */
         uint16_t proto = ethhdr->proto;
         memmove(vlanhdr, ethhdr, sizeof(*ethhdr));
         vlanhdr->tpid = htons(OPENVPN_ETH_P_8021Q);
         vlanhdr->pcp_cfi_vid = 0;
         vlanhdr->proto = proto;
     }

     /* set the VID corresponding to the current context (client) */
     vlanhdr_set_vid(vlanhdr, c->options.vlan_pvid);

     msg(D_VLAN_DEBUG, "tagging frame: vid %u (wrapping proto/len: %04x)",
         c->options.vlan_pvid, vlanhdr->proto);
     return;

 drop:
     /* Drop the frame. */
     buf->len = 0;
 }

 /*
  * vlan_is_tagged - check if a packet is VLAN-tagged
  *
  * Checks whether ethernet frame is VLAN-tagged.
  *
  * @param buf The ethernet frame.
  * @return    Returns true if the frame is VLAN-tagged, false otherwise.
  */
 bool
 vlan_is_tagged(const struct buffer *buf)
 {
     const struct openvpn_8021qhdr *vlanhdr;
     uint16_t vid;

     if (BLEN(buf) < sizeof(struct openvpn_8021qhdr))
     {
         /* frame too small to be VLAN-tagged */
         return false;
     }

     vlanhdr = (const struct openvpn_8021qhdr *)BPTR(buf);

     if (ntohs(vlanhdr->tpid) != OPENVPN_ETH_P_8021Q)
     {
         /* non tagged frame */
         return false;
     }

     vid = vlanhdr_get_vid(vlanhdr);
     if (vid == 0)
     {
         /* no vid: piority tagged only */
         return false;
     }

     return true;
 }

 void
 vlan_process_outgoing_tun(struct multi_context *m, struct multi_instance *mi)
 {
     if (!m->top.options.vlan_tagging)
     {
         return;
     }

     if (m->top.options.vlan_accept == VLAN_ONLY_UNTAGGED_OR_PRIORITY)
     {
         /* Packets forwarded to the TAP devices aren't VLAN-tagged. Only packets
          * matching the PVID configured globally are allowed to be received
          */
         if (m->top.options.vlan_pvid != mi->context.options.vlan_pvid)
         {
             /* Packet is coming from the wrong VID, drop it.  */
             mi->context.c2.to_tun.len = 0;
         }
     }
     else if (m->top.options.vlan_accept == VLAN_ALL)
     {
         /* Packets either need to be VLAN-tagged or not, depending on the
          * packet's originating VID and the port's native VID (PVID).  */

         if (m->top.options.vlan_pvid != mi->context.options.vlan_pvid)
         {
             /* Packets need to be VLAN-tagged, because the packet's VID does not
              * match the port's PVID.  */
             vlan_encapsulate(&mi->context, &mi->context.c2.to_tun);
         }
     }
     else if (m->top.options.vlan_accept == VLAN_ONLY_TAGGED)
     {
         /* All packets on the port (the tap device) need to be VLAN-tagged.  */
         vlan_encapsulate(&mi->context, &mi->context.c2.to_tun);
     }
 }
syshead.h

context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:505

openvpn_8021qhdr::proto
uint16_t proto
Definition: proto.h:77

buf_advance
static bool buf_advance(struct buffer *buf, int size)
Definition: buffer.h:639

context
Contains all state information for one tunnel.
Definition: openvpn.h:503

VLAN_ONLY_TAGGED
Definition: options.h:174

OPENVPN_ETH_P_8021Q
#define OPENVPN_ETH_P_8021Q
Definition: proto.h:63

openvpn_ethhdr
Definition: proto.h:55

vlan_encapsulate
void vlan_encapsulate(const struct context *c, struct buffer *buf)
Definition: vlan.c:188

config.h

openvpn_ethhdr::proto
uint16_t proto
Definition: proto.h:64

vlan_process_outgoing_tun
void vlan_process_outgoing_tun(struct multi_context *m, struct multi_instance *mi)
Definition: vlan.c:298

buf_reverse_capacity
static int buf_reverse_capacity(const struct buffer *buf)
Definition: buffer.h:598

buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66

vlan_is_tagged
bool vlan_is_tagged(const struct buffer *buf)
Definition: vlan.c:268

BPTR
#define BPTR(buf)
Definition: buffer.h:124

openvpn_8021qhdr
Definition: proto.h:67

buf_prepend
static uint8_t * buf_prepend(struct buffer *buf, int size)
Definition: buffer.h:627

options::vlan_pvid
uint16_t vlan_pvid
Definition: options.h:644

multi_instance::context
struct context context
The context structure storing state for this VPN tunnel.
Definition: multi.h:133

options::vlan_tagging
bool vlan_tagging
Definition: options.h:642

openvpn_8021qhdr::pcp_cfi_vid
uint16_t pcp_cfi_vid
Definition: proto.h:76

multi.h

msg
#define msg
Definition: error.h:173

context::c2
struct context_2 c2
Level 2 context.
Definition: openvpn.h:544

openvpn_8021qhdr::tpid
uint16_t tpid
Definition: proto.h:72

config-msvc.h

vlanhdr_get_vid
static uint16_t vlanhdr_get_vid(const struct openvpn_8021qhdr *hdr)
Definition: vlan.c:44

BLEN
#define BLEN(buf)
Definition: buffer.h:127

options::vlan_accept
enum vlan_acceptable_frames vlan_accept
Definition: options.h:643

D_VLAN_DEBUG
#define D_VLAN_DEBUG
Definition: errlevel.h:152

multi_context
Main OpenVPN server state structure.
Definition: multi.h:152

vlan_decapsulate
int16_t vlan_decapsulate(const struct context *c, struct buffer *buf)
Definition: vlan.c:84

buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60

VLAN_ONLY_UNTAGGED_OR_PRIORITY
Definition: options.h:175

VLAN_ALL
Definition: options.h:176

vlan.h

multi_context::top
struct context top
Storage structure for process-wide configuration.
Definition: multi.h:199

uint16_t
unsigned __int16 uint16_t
Definition: config-msvc.h:158

options.h

multi_instance
Server-mode state structure for one single VPN tunnel.
Definition: multi.h:100

context_2::to_tun
struct buffer to_tun
Definition: openvpn.h:398

SIZE_ETH_TO_8021Q_HDR
#define SIZE_ETH_TO_8021Q_HDR
Definition: proto.h:84

vlanhdr_set_vid
static void vlanhdr_set_vid(struct openvpn_8021qhdr *hdr, const uint16_t vid)
Definition: vlan.c:56

int16_t
__int16 int16_t
Definition: config-msvc.h:162

OPENVPN_8021Q_MASK_VID
#define OPENVPN_8021Q_MASK_VID
Definition: proto.h:75