From: reyk Date: Wed, 19 Apr 2017 15:38:32 +0000 (+0000) Subject: Add support for dynamic "NAT" interfaces (-L/local interface). X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=470adcf5f09468c440f98fb57a26d5d9f66eb933;p=openbsd Add support for dynamic "NAT" interfaces (-L/local interface). When a local interface is configured, vmd configures a /31 address on the tap(4) interface of the host and provides another IP in the same subnet via DHCP (BOOTP) to the VM. vmd runs an internal BOOTP server that replies with IP, gateway, and DNS addresses to the VM. The built-in server only ever responds to the VM on the inside and cannot leak its DHCP responses to the outside. Thanks to Uwe Werler, Josh Grosse, and some others for testing! OK deraadt@ --- diff --git a/usr.sbin/vmctl/main.c b/usr.sbin/vmctl/main.c index da27fd6c913..20ced9884e7 100644 --- a/usr.sbin/vmctl/main.c +++ b/usr.sbin/vmctl/main.c @@ -1,4 +1,4 @@ -/* $OpenBSD: main.c,v 1.25 2017/04/06 18:07:13 reyk Exp $ */ +/* $OpenBSD: main.c,v 1.26 2017/04/19 15:38:32 reyk Exp $ */ /* * Copyright (c) 2015 Reyk Floeter @@ -65,7 +65,7 @@ struct ctl_command ctl_commands[] = { { "reload", CMD_RELOAD, ctl_reload, "" }, { "reset", CMD_RESET, ctl_reset, "[all|vms|switches]" }, { "start", CMD_START, ctl_start, "\"name\"" - " [-c] [-b image] [-m size]\n" + " [-Lc] [-b image] [-m size]\n" "\t\t[-n switch] [-i count] [-d disk]*" }, { "status", CMD_STATUS, ctl_status, "[id]" }, { "stop", CMD_STOP, ctl_stop, "id" }, @@ -539,7 +539,7 @@ ctl_start(struct parse_result *res, int argc, char *argv[]) argc--; argv++; - while ((ch = getopt(argc, argv, "b:cm:n:d:i:")) != -1) { + while ((ch = getopt(argc, argv, "b:cLm:n:d:i:")) != -1) { switch (ch) { case 'b': if (res->path) @@ -552,6 +552,10 @@ ctl_start(struct parse_result *res, int argc, char *argv[]) case 'c': tty_autoconnect = 1; break; + case 'L': + if (parse_network(res, ".") != 0) + errx(1, "invalid network: %s", optarg); + break; case 'm': if (res->size) errx(1, "memory specified multiple times"); diff --git a/usr.sbin/vmctl/vmctl.8 b/usr.sbin/vmctl/vmctl.8 index aed2816f15f..71a0aa4e7f6 100644 --- a/usr.sbin/vmctl/vmctl.8 +++ b/usr.sbin/vmctl/vmctl.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: vmctl.8,v 1.28 2017/04/14 00:53:28 mlarkin Exp $ +.\" $OpenBSD: vmctl.8,v 1.29 2017/04/19 15:38:32 reyk Exp $ .\" .\" Copyright (c) 2015 Mike Larkin .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: April 14 2017 $ +.Dd $Mdocdate: April 19 2017 $ .Dt VMCTL 8 .Os .Sh NAME @@ -72,8 +72,8 @@ Reset the configured switches. .It Cm reset vms Reset and terminate all VMs. .It Xo Cm start Ar name +.Op Fl Lc .Op Fl b Ar path -.Op Fl c .Op Fl d Ar path .Op Fl i Ar count .Op Fl m Ar size @@ -91,6 +91,12 @@ Automatically connect to the VM console. Disk image file (may be specified multiple times to add multiple disk images). .It Fl i Ar count Number of network interfaces to add to the VM. +.It Fl L +Add a local network interface. +.Xr vmd 8 +will auto-generate an IPv4 subnet for the interface, +configure a gateway address on the VM host side, +and run a simple DHCP (BOOTP) server for the VM. .It Fl m Ar size Memory .Ar size diff --git a/usr.sbin/vmctl/vmctl.c b/usr.sbin/vmctl/vmctl.c index 39d1615d8f2..ee9c6db0e9d 100644 --- a/usr.sbin/vmctl/vmctl.c +++ b/usr.sbin/vmctl/vmctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: vmctl.c,v 1.29 2017/04/06 18:07:13 reyk Exp $ */ +/* $OpenBSD: vmctl.c,v 1.30 2017/04/19 15:38:32 reyk Exp $ */ /* * Copyright (c) 2014 Mike Larkin @@ -123,8 +123,16 @@ vm_start(uint32_t start_id, const char *name, int memsize, int nnics, for (i = 0 ; i < ndisks; i++) strlcpy(vcp->vcp_disks[i], disks[i], VMM_MAX_PATH_DISK); for (i = 0 ; i < nnics; i++) { - strlcpy(vmc->vmc_ifswitch[i], nics[i], IF_NAMESIZE); vmc->vmc_ifflags[i] = VMIFF_UP; + + if (strcmp(".", nics[i]) == 0) { + /* Add a "local" interface */ + strlcpy(vmc->vmc_ifswitch[i], "", IF_NAMESIZE); + vmc->vmc_ifflags[i] |= VMIFF_LOCAL; + } else { + /* Add a interface to a switch */ + strlcpy(vmc->vmc_ifswitch[i], nics[i], IF_NAMESIZE); + } } if (name != NULL) strlcpy(vcp->vcp_name, name, VMM_MAX_NAME_LEN); diff --git a/usr.sbin/vmd/Makefile b/usr.sbin/vmd/Makefile index 09a9c263dee..9144d92cf76 100644 --- a/usr.sbin/vmd/Makefile +++ b/usr.sbin/vmd/Makefile @@ -1,11 +1,11 @@ -# $OpenBSD: Makefile,v 1.13 2017/03/01 18:00:50 reyk Exp $ +# $OpenBSD: Makefile,v 1.14 2017/04/19 15:38:32 reyk Exp $ .if ${MACHINE} == "amd64" || ${MACHINE} == "i386" PROG= vmd SRCS= vmd.c control.c log.c priv.c proc.c config.c vmm.c SRCS+= vm.c loadfile_elf.c pci.c virtio.c i8259.c mc146818.c -SRCS+= ns8250.c i8253.c vmboot.c ufs.c disklabel.c +SRCS+= ns8250.c i8253.c vmboot.c ufs.c disklabel.c dhcp.c packet.c SRCS+= parse.y CFLAGS+= -Wall -I${.CURDIR} diff --git a/usr.sbin/vmd/dhcp.c b/usr.sbin/vmd/dhcp.c new file mode 100644 index 00000000000..b8b05000e3a --- /dev/null +++ b/usr.sbin/vmd/dhcp.c @@ -0,0 +1,163 @@ +/* $OpenBSD: dhcp.c,v 1.1 2017/04/19 15:38:32 reyk Exp $ */ + +/* + * Copyright (c) 2017 Reyk Floeter + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include + +#include +#include +#include + +#include +#include +#include + +#include "proc.h" +#include "vmd.h" +#include "dhcp.h" +#include "virtio.h" + +static const uint8_t broadcast[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; + +ssize_t +dhcp_request(struct vionet_dev *dev, char *buf, size_t buflen, char **obuf) +{ + unsigned char *respbuf = NULL; + ssize_t offset, respbuflen = 0; + struct packet_ctx pc; + struct dhcp_packet req, resp; + struct in_addr in, mask; + size_t resplen, o; + + if (buflen < (ssize_t)(BOOTP_MIN_LEN + sizeof(struct ether_header))) + return (-1); + + memset(&pc, 0, sizeof(pc)); + if ((offset = decode_hw_header(buf, buflen, 0, &pc, HTYPE_ETHER)) < 0) + return (-1); + + if (memcmp(pc.pc_smac, dev->mac, ETHER_ADDR_LEN) != 0 || + memcmp(pc.pc_dmac, broadcast, ETHER_ADDR_LEN) != 0) + return (-1); + + if ((offset = decode_udp_ip_header(buf, buflen, offset, &pc)) < 0) + return (-1); + + if (ntohs(ss2sin(&pc.pc_src)->sin_port) != CLIENT_PORT || + ntohs(ss2sin(&pc.pc_dst)->sin_port) != SERVER_PORT) + return (-1); + + memset(&req, 0, sizeof(req)); + memcpy(&req, buf + offset, buflen - offset); + + if (req.op != BOOTREQUEST || + req.htype != pc.pc_htype || + req.hlen != ETHER_ADDR_LEN || + memcmp(dev->mac, req.chaddr, req.hlen) != 0) + return (-1); + + /* Ignore unsupported requests for now */ + if (req.ciaddr.s_addr != 0 || req.file[0] != '\0' || req.hops != 0) + return (-1); + + memset(&resp, 0, sizeof(resp)); + resp.op = BOOTREPLY; + resp.htype = req.htype; + resp.hlen = req.hlen; + resp.xid = req.xid; + + if ((in.s_addr = vm_priv_addr(dev->vm_vmid, dev->idx, 1)) == 0) + return (-1); + memcpy(&resp.yiaddr, &in, sizeof(in)); + memcpy(&ss2sin(&pc.pc_dst)->sin_addr, &in, sizeof(in)); + ss2sin(&pc.pc_dst)->sin_port = htons(CLIENT_PORT); + + if ((in.s_addr = vm_priv_addr(dev->vm_vmid, dev->idx, 0)) == 0) + return (-1); + memcpy(&resp.siaddr, &in, sizeof(in)); + memcpy(&ss2sin(&pc.pc_src)->sin_addr, &in, sizeof(in)); + ss2sin(&pc.pc_src)->sin_port = htons(SERVER_PORT); + + /* Packet is already allocated */ + if (*obuf != NULL) + goto fail; + + buflen = 0; + respbuflen = DHCP_MTU_MAX; + if ((respbuf = calloc(1, respbuflen)) == NULL) + goto fail; + + memcpy(&pc.pc_dmac, dev->mac, sizeof(pc.pc_dmac)); + memcpy(&resp.chaddr, dev->mac, resp.hlen); + memcpy(&pc.pc_smac, dev->mac, sizeof(pc.pc_smac)); + pc.pc_smac[5]++; + if ((offset = assemble_hw_header(respbuf, respbuflen, 0, + &pc, HTYPE_ETHER)) < 0) { + log_debug("%s: assemble_hw_header failed", __func__); + goto fail; + } + + /* BOOTP uses a 64byte vendor field instead of the DHCP options */ + resplen = BOOTP_MIN_LEN; + + /* Add BOOTP Vendor Extensions (DHCP options) */ + o = 0; + memcpy(&resp.options, + DHCP_OPTIONS_COOKIE, DHCP_OPTIONS_COOKIE_LEN); + o+= DHCP_OPTIONS_COOKIE_LEN; + + resp.options[o++] = DHO_SUBNET_MASK; + resp.options[o++] = sizeof(mask); + mask.s_addr = htonl(0xfffffffe); + memcpy(&resp.options[o], &mask, sizeof(mask)); + o += sizeof(mask); + + resp.options[o++] = DHO_ROUTERS; + resp.options[o++] = sizeof(in); + memcpy(&resp.options[o], &in, sizeof(in)); + o += sizeof(in); + + resp.options[o++] = DHO_DOMAIN_NAME_SERVERS; + resp.options[o++] = sizeof(in); + memcpy(&resp.options[o], &in, sizeof(in)); + o += sizeof(in); + + resp.options[o++] = DHO_END; + + resplen = offsetof(struct dhcp_packet, options) + o; + + /* Minimum packet size */ + if (resplen < BOOTP_MIN_LEN) + resplen = BOOTP_MIN_LEN; + + if ((offset = assemble_udp_ip_header(respbuf, respbuflen, offset, &pc, + (unsigned char *)&resp, resplen)) < 0) { + log_debug("%s: assemble_udp_ip_header failed", __func__); + goto fail; + } + + memcpy(respbuf + offset, &resp, sizeof(resp)); + respbuflen = offset + resplen; + + *obuf = respbuf; + return (respbuflen); + fail: + free(respbuf); + return (0); +} + diff --git a/usr.sbin/vmd/dhcp.h b/usr.sbin/vmd/dhcp.h new file mode 100644 index 00000000000..2dccd45a3a6 --- /dev/null +++ b/usr.sbin/vmd/dhcp.h @@ -0,0 +1,181 @@ +/* $OpenBSD: dhcp.h,v 1.1 2017/04/19 15:38:32 reyk Exp $ */ + +/* Protocol structures... */ + +/* + * Copyright (c) 1995, 1996 The Internet Software Consortium. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of The Internet Software Consortium nor the names + * of its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INTERNET SOFTWARE CONSORTIUM AND + * CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE INTERNET SOFTWARE CONSORTIUM OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF + * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * This software has been written for the Internet Software Consortium + * by Ted Lemon in cooperation with Vixie + * Enterprises. To learn more about the Internet Software Consortium, + * see ``http://www.vix.com/isc''. To learn more about Vixie + * Enterprises, see ``http://www.vix.com''. + */ + +#define DHCP_UDP_OVERHEAD (20 + /* IP header */ \ + 8) /* UDP header */ +#define DHCP_SNAME_LEN 64 +#define DHCP_FILE_LEN 128 +#define DHCP_FIXED_NON_UDP 236 +#define DHCP_FIXED_LEN (DHCP_FIXED_NON_UDP + DHCP_UDP_OVERHEAD) + /* Everything but options. */ +#define DHCP_MTU_MAX 1500 +#define DHCP_OPTION_LEN (DHCP_MTU_MAX - DHCP_FIXED_LEN) +/* The option/sub-option maximum length. */ +#define DHCP_OPTION_MAXLEN 255 +/* The option/sub-option header length. */ +#define DHCP_OPTION_HDR_LEN 2 + +#define BOOTP_MIN_LEN 300 + +#define SERVER_PORT 67 +#define CLIENT_PORT 68 + +struct dhcp_packet { + u_int8_t op; /* Message opcode/type */ + u_int8_t htype; /* Hardware addr type (see net/if_types.h) */ + u_int8_t hlen; /* Hardware addr length */ + u_int8_t hops; /* Number of relay agent hops from client */ + u_int32_t xid; /* Transaction ID */ + u_int16_t secs; /* Seconds since client started looking */ + u_int16_t flags; /* Flag bits */ + struct in_addr ciaddr; /* Client IP address (if already in use) */ + struct in_addr yiaddr; /* Client IP address */ + struct in_addr siaddr; /* IP address of next server to talk to */ + struct in_addr giaddr; /* DHCP relay agent IP address */ + unsigned char chaddr[16]; /* Client hardware address */ + char sname[DHCP_SNAME_LEN]; /* Server name */ + char file[DHCP_FILE_LEN]; /* Boot filename */ + unsigned char options[DHCP_OPTION_LEN]; + /* Optional parameters + (actual length dependent on MTU). */ +}; + +/* BOOTP (rfc951) message types */ +#define BOOTREQUEST 1 +#define BOOTREPLY 2 + +/* Possible values for flags field... */ +#define BOOTP_BROADCAST 32768L + +/* Possible values for hardware type (htype) field... */ +#define HTYPE_ETHER 1 /* Ethernet */ +#define HTYPE_IEEE802 6 /* IEEE 802.2 Token Ring... */ +#define HTYPE_FDDI 8 /* FDDI... */ +#define HTYPE_IPSEC_TUNNEL 31 /* IPsec Tunnel (RFC3456) */ + +/* Magic cookie validating dhcp options field (and bootp vendor + extensions field). */ +#define DHCP_OPTIONS_COOKIE "\143\202\123\143" +#define DHCP_OPTIONS_COOKIE_LEN 4 + +/* DHCP Option codes: */ + +#define DHO_PAD 0 +#define DHO_SUBNET_MASK 1 +#define DHO_TIME_OFFSET 2 +#define DHO_ROUTERS 3 +#define DHO_TIME_SERVERS 4 +#define DHO_NAME_SERVERS 5 +#define DHO_DOMAIN_NAME_SERVERS 6 +#define DHO_LOG_SERVERS 7 +#define DHO_COOKIE_SERVERS 8 +#define DHO_LPR_SERVERS 9 +#define DHO_IMPRESS_SERVERS 10 +#define DHO_RESOURCE_LOCATION_SERVERS 11 +#define DHO_HOST_NAME 12 +#define DHO_BOOT_SIZE 13 +#define DHO_MERIT_DUMP 14 +#define DHO_DOMAIN_NAME 15 +#define DHO_SWAP_SERVER 16 +#define DHO_ROOT_PATH 17 +#define DHO_EXTENSIONS_PATH 18 +#define DHO_IP_FORWARDING 19 +#define DHO_NON_LOCAL_SOURCE_ROUTING 20 +#define DHO_POLICY_FILTER 21 +#define DHO_MAX_DGRAM_REASSEMBLY 22 +#define DHO_DEFAULT_IP_TTL 23 +#define DHO_PATH_MTU_AGING_TIMEOUT 24 +#define DHO_PATH_MTU_PLATEAU_TABLE 25 +#define DHO_INTERFACE_MTU 26 +#define DHO_ALL_SUBNETS_LOCAL 27 +#define DHO_BROADCAST_ADDRESS 28 +#define DHO_PERFORM_MASK_DISCOVERY 29 +#define DHO_MASK_SUPPLIER 30 +#define DHO_ROUTER_DISCOVERY 31 +#define DHO_ROUTER_SOLICITATION_ADDRESS 32 +#define DHO_STATIC_ROUTES 33 +#define DHO_TRAILER_ENCAPSULATION 34 +#define DHO_ARP_CACHE_TIMEOUT 35 +#define DHO_IEEE802_3_ENCAPSULATION 36 +#define DHO_DEFAULT_TCP_TTL 37 +#define DHO_TCP_KEEPALIVE_INTERVAL 38 +#define DHO_TCP_KEEPALIVE_GARBAGE 39 +#define DHO_NIS_DOMAIN 40 +#define DHO_NIS_SERVERS 41 +#define DHO_NTP_SERVERS 42 +#define DHO_VENDOR_ENCAPSULATED_OPTIONS 43 +#define DHO_NETBIOS_NAME_SERVERS 44 +#define DHO_NETBIOS_DD_SERVER 45 +#define DHO_NETBIOS_NODE_TYPE 46 +#define DHO_NETBIOS_SCOPE 47 +#define DHO_FONT_SERVERS 48 +#define DHO_X_DISPLAY_MANAGER 49 +#define DHO_DHCP_REQUESTED_ADDRESS 50 +#define DHO_DHCP_LEASE_TIME 51 +#define DHO_DHCP_OPTION_OVERLOAD 52 +#define DHO_DHCP_MESSAGE_TYPE 53 +#define DHO_DHCP_SERVER_IDENTIFIER 54 +#define DHO_DHCP_PARAMETER_REQUEST_LIST 55 +#define DHO_DHCP_MESSAGE 56 +#define DHO_DHCP_MAX_MESSAGE_SIZE 57 +#define DHO_DHCP_RENEWAL_TIME 58 +#define DHO_DHCP_REBINDING_TIME 59 +#define DHO_DHCP_CLASS_IDENTIFIER 60 +#define DHO_DHCP_CLIENT_IDENTIFIER 61 +#define DHO_DHCP_USER_CLASS_ID 77 +#define DHO_RELAY_AGENT_INFORMATION 82 +#define DHO_END 255 + +/* DHCP message types. */ +#define DHCPDISCOVER 1 +#define DHCPOFFER 2 +#define DHCPREQUEST 3 +#define DHCPDECLINE 4 +#define DHCPACK 5 +#define DHCPNAK 6 +#define DHCPRELEASE 7 +#define DHCPINFORM 8 + +/* Relay Agent Information sub-options */ +#define RAI_CIRCUIT_ID 1 +#define RAI_REMOTE_ID 2 +#define RAI_AGENT_ID 3 diff --git a/usr.sbin/vmd/packet.c b/usr.sbin/vmd/packet.c new file mode 100644 index 00000000000..7e2b635335c --- /dev/null +++ b/usr.sbin/vmd/packet.c @@ -0,0 +1,332 @@ +/* $OpenBSD: packet.c,v 1.1 2017/04/19 15:38:32 reyk Exp $ */ + +/* Packet assembly code, originally contributed by Archie Cobbs. */ + +/* + * Copyright (c) 1995, 1996, 1999 The Internet Software Consortium. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of The Internet Software Consortium nor the names + * of its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INTERNET SOFTWARE CONSORTIUM AND + * CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE INTERNET SOFTWARE CONSORTIUM OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF + * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * This software has been written for the Internet Software Consortium + * by Ted Lemon in cooperation with Vixie + * Enterprises. To learn more about the Internet Software Consortium, + * see ``http://www.vix.com/isc''. To learn more about Vixie + * Enterprises, see ``http://www.vix.com''. + */ + +#include +#include + +#include + +#include +#include + +#include +#include +#include +#include + +#include + +#include "dhcp.h" +#include "vmd.h" +#include "proc.h" + +u_int32_t checksum(unsigned char *, u_int32_t, u_int32_t); +u_int32_t wrapsum(u_int32_t); + +u_int32_t +checksum(unsigned char *buf, u_int32_t nbytes, u_int32_t sum) +{ + u_int32_t i; + + /* Checksum all the pairs of bytes first... */ + for (i = 0; i < (nbytes & ~1U); i += 2) { + sum += (u_int16_t)ntohs(*((u_int16_t *)(buf + i))); + if (sum > 0xFFFF) + sum -= 0xFFFF; + } + + /* + * If there's a single byte left over, checksum it, too. + * Network byte order is big-endian, so the remaining byte is + * the high byte. + */ + if (i < nbytes) { + sum += buf[i] << 8; + if (sum > 0xFFFF) + sum -= 0xFFFF; + } + + return (sum); +} + +u_int32_t +wrapsum(u_int32_t sum) +{ + sum = ~sum & 0xFFFF; + return (htons(sum)); +} + +ssize_t +assemble_hw_header(unsigned char *buf, size_t buflen, + size_t offset, struct packet_ctx *pc, unsigned int intfhtype) +{ + struct ether_header eh; + + switch (intfhtype) { + case HTYPE_ETHER: + if (buflen < offset + ETHER_HDR_LEN) + return (-1); + + /* Use the supplied address or let the kernel fill it. */ + memcpy(eh.ether_shost, pc->pc_smac, ETHER_ADDR_LEN); + memcpy(eh.ether_dhost, pc->pc_dmac, ETHER_ADDR_LEN); + + eh.ether_type = htons(ETHERTYPE_IP); + + memcpy(&buf[offset], &eh, ETHER_HDR_LEN); + offset += ETHER_HDR_LEN; + break; + default: + return (-1); + } + + return (offset); +} + +ssize_t +assemble_udp_ip_header(unsigned char *buf, size_t buflen, size_t offset, + struct packet_ctx *pc, unsigned char *data, size_t datalen) +{ + struct ip ip; + struct udphdr udp; + + if (buflen < offset + sizeof(ip) + sizeof(udp)) + return (-1); + + ip.ip_v = 4; + ip.ip_hl = 5; + ip.ip_tos = IPTOS_LOWDELAY; + ip.ip_len = htons(sizeof(ip) + sizeof(udp) + datalen); + ip.ip_id = 0; + ip.ip_off = 0; + ip.ip_ttl = 16; + ip.ip_p = IPPROTO_UDP; + ip.ip_sum = 0; + ip.ip_src.s_addr = ss2sin(&pc->pc_src)->sin_addr.s_addr; + ip.ip_dst.s_addr = ss2sin(&pc->pc_dst)->sin_addr.s_addr; + + ip.ip_sum = wrapsum(checksum((unsigned char *)&ip, sizeof(ip), 0)); + memcpy(&buf[offset], &ip, sizeof(ip)); + offset += sizeof(ip); + + udp.uh_sport = ss2sin(&pc->pc_src)->sin_port; + udp.uh_dport = ss2sin(&pc->pc_dst)->sin_port; + udp.uh_ulen = htons(sizeof(udp) + datalen); + memset(&udp.uh_sum, 0, sizeof(udp.uh_sum)); + + udp.uh_sum = wrapsum(checksum((unsigned char *)&udp, sizeof(udp), + checksum(data, datalen, checksum((unsigned char *)&ip.ip_src, + 2 * sizeof(ip.ip_src), + IPPROTO_UDP + (u_int32_t)ntohs(udp.uh_ulen))))); + + memcpy(&buf[offset], &udp, sizeof(udp)); + offset += sizeof(udp); + + return (offset); +} + +ssize_t +decode_hw_header(unsigned char *buf, size_t buflen, + size_t offset, struct packet_ctx *pc, unsigned int intfhtype) +{ + u_int32_t ip_len; + struct ip *ip; + + switch (intfhtype) { + case HTYPE_IPSEC_TUNNEL: + if (buflen < offset + ENC_HDRLEN + sizeof(*ip)) + return (-1); + offset += ENC_HDRLEN; + ip_len = (buf[offset] & 0xf) << 2; + if (buflen < offset + ip_len) + return (-1); + + ip = (struct ip *)(buf + offset); + + /* Encapsulated IP */ + if (ip->ip_p != IPPROTO_IPIP) + return (-1); + + memset(pc->pc_dmac, 0xff, ETHER_ADDR_LEN); + offset += ip_len; + + pc->pc_htype = ARPHRD_ETHER; + pc->pc_hlen = ETHER_ADDR_LEN; + break; + case HTYPE_ETHER: + if (buflen < offset + ETHER_HDR_LEN) + return (-1); + + memcpy(pc->pc_dmac, buf + offset, ETHER_ADDR_LEN); + memcpy(pc->pc_smac, buf + offset + ETHER_ADDR_LEN, + ETHER_ADDR_LEN); + offset += ETHER_HDR_LEN; + + pc->pc_htype = ARPHRD_ETHER; + pc->pc_hlen = ETHER_ADDR_LEN; + break; + default: + return (-1); + } + + return (offset); +} + +ssize_t +decode_udp_ip_header(unsigned char *buf, size_t buflen, + size_t offset, struct packet_ctx *pc) +{ + struct ip *ip; + struct udphdr *udp; + unsigned char *data; + u_int32_t ip_len; + u_int32_t sum, usum; + static unsigned int ip_packets_seen; + static unsigned int ip_packets_bad_checksum; + static unsigned int udp_packets_seen; + static unsigned int udp_packets_bad_checksum; + static unsigned int udp_packets_length_checked; + static unsigned int udp_packets_length_overflow; + int len; + + /* Assure that an entire IP header is within the buffer. */ + if (buflen < offset + sizeof(*ip)) + return (-1); + ip_len = (buf[offset] & 0xf) << 2; + if (buflen < offset + ip_len) + return (-1); + + ip = (struct ip *)(buf + offset); + ip_packets_seen++; + + /* Check the IP header checksum - it should be zero. */ + if (wrapsum(checksum(buf + offset, ip_len, 0)) != 0) { + ip_packets_bad_checksum++; + if (ip_packets_seen > 4 && ip_packets_bad_checksum != 0 && + (ip_packets_seen / ip_packets_bad_checksum) < 2) { + log_info("%u bad IP checksums seen in %u packets", + ip_packets_bad_checksum, ip_packets_seen); + ip_packets_seen = ip_packets_bad_checksum = 0; + } + return (-1); + } + + pc->pc_src.ss_len = sizeof(struct sockaddr_in); + pc->pc_src.ss_family = AF_INET; + memcpy(&ss2sin(&pc->pc_src)->sin_addr, &ip->ip_src, + sizeof(ss2sin(&pc->pc_src)->sin_addr)); + + pc->pc_dst.ss_len = sizeof(struct sockaddr_in); + pc->pc_dst.ss_family = AF_INET; + memcpy(&ss2sin(&pc->pc_dst)->sin_addr, &ip->ip_dst, + sizeof(ss2sin(&pc->pc_dst)->sin_addr)); + +#ifdef DEBUG + if (buflen != offset + ntohs(ip->ip_len)) + log_debug("ip length %d disagrees with bytes received %zd.", + ntohs(ip->ip_len), buflen - offset); +#endif + + /* Assure that the entire IP packet is within the buffer. */ + if (buflen < offset + ntohs(ip->ip_len)) + return (-1); + + /* Assure that the UDP header is within the buffer. */ + if (buflen < offset + ip_len + sizeof(*udp)) + return (-1); + udp = (struct udphdr *)(buf + offset + ip_len); + udp_packets_seen++; + + /* Assure that the entire UDP packet is within the buffer. */ + if (buflen < offset + ip_len + ntohs(udp->uh_ulen)) + return (-1); + data = buf + offset + ip_len + sizeof(*udp); + + /* + * Compute UDP checksums, including the ``pseudo-header'', the + * UDP header and the data. If the UDP checksum field is zero, + * we're not supposed to do a checksum. + */ + udp_packets_length_checked++; + len = ntohs(udp->uh_ulen) - sizeof(*udp); + if ((len < 0) || (len + data > buf + buflen)) { + udp_packets_length_overflow++; + if (udp_packets_length_checked > 4 && + udp_packets_length_overflow != 0 && + (udp_packets_length_checked / + udp_packets_length_overflow) < 2) { + log_info("%u udp packets in %u too long - dropped", + udp_packets_length_overflow, + udp_packets_length_checked); + udp_packets_length_overflow = + udp_packets_length_checked = 0; + } + return (-1); + } + if (len + data != buf + buflen) + log_debug("accepting packet with data after udp payload."); + + usum = udp->uh_sum; + udp->uh_sum = 0; + + sum = wrapsum(checksum((unsigned char *)udp, sizeof(*udp), + checksum(data, len, checksum((unsigned char *)&ip->ip_src, + 2 * sizeof(ip->ip_src), + IPPROTO_UDP + (u_int32_t)ntohs(udp->uh_ulen))))); + + udp_packets_seen++; + if (usum && usum != sum) { + udp_packets_bad_checksum++; + if (udp_packets_seen > 4 && udp_packets_bad_checksum != 0 && + (udp_packets_seen / udp_packets_bad_checksum) < 2) { + log_info("%u bad udp checksums in %u packets", + udp_packets_bad_checksum, udp_packets_seen); + udp_packets_seen = udp_packets_bad_checksum = 0; + } + return (-1); + } + + ss2sin(&pc->pc_src)->sin_port = udp->uh_sport; + ss2sin(&pc->pc_dst)->sin_port = udp->uh_dport; + + return (offset + ip_len + sizeof(*udp)); +} diff --git a/usr.sbin/vmd/parse.y b/usr.sbin/vmd/parse.y index 935e13b4106..cf181701ada 100644 --- a/usr.sbin/vmd/parse.y +++ b/usr.sbin/vmd/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.24 2017/04/06 21:35:22 reyk Exp $ */ +/* $OpenBSD: parse.y,v 1.25 2017/04/19 15:38:32 reyk Exp $ */ /* * Copyright (c) 2007-2016 Reyk Floeter @@ -116,10 +116,11 @@ typedef struct { %token INCLUDE ERROR %token ADD DISK DOWN GROUP INTERFACE NIFS PATH SIZE SWITCH UP VMID -%token ENABLE DISABLE VM BOOT LLADDR MEMORY OWNER LOCKED +%token ENABLE DISABLE VM BOOT LLADDR MEMORY OWNER LOCKED LOCAL %token STRING %token NUMBER %type disable +%type local %type locked %type updown %type lladdr @@ -325,36 +326,38 @@ vm_opts : disable { free($2); vmc.vmc_flags |= VMOP_CREATE_DISK; } - | INTERFACE optstring iface_opts_o { + | local INTERFACE optstring iface_opts_o { unsigned int i; char type[IF_NAMESIZE]; i = vcp_nnics; if (++vcp_nnics > VMM_MAX_NICS_PER_VM) { yyerror("too many interfaces: %zu", vcp_nnics); - free($2); + free($3); YYERROR; } - if ($2 != NULL) { - if (strcmp($2, "tap") != 0 && - (priv_getiftype($2, type, NULL) == -1 || + if ($1) + vmc.vmc_ifflags[i] |= VMIFF_LOCAL; + if ($3 != NULL) { + if (strcmp($3, "tap") != 0 && + (priv_getiftype($3, type, NULL) == -1 || strcmp(type, "tap") != 0)) { - yyerror("invalid interface: %s", $2); - free($2); + yyerror("invalid interface: %s", $3); + free($3); YYERROR; } - if (strlcpy(vmc.vmc_ifnames[i], $2, + if (strlcpy(vmc.vmc_ifnames[i], $3, sizeof(vmc.vmc_ifnames[i])) >= sizeof(vmc.vmc_ifnames[i])) { yyerror("interface name too long: %s", - $2); - free($2); + $3); + free($3); YYERROR; } } - free($2); + free($3); vmc.vmc_flags |= VMOP_CREATE_NETWORK; } | BOOT string { @@ -547,6 +550,10 @@ lladdr : STRING { } ; +local : /* empty */ { $$ = 0; } + | LOCAL { $$ = 1; } + ; + locked : /* empty */ { $$ = 0; } | LOCKED { $$ = 1; } ; @@ -616,6 +623,7 @@ lookup(char *s) { "interface", INTERFACE }, { "interfaces", NIFS }, { "lladdr", LLADDR }, + { "local", LOCAL }, { "locked", LOCKED }, { "memory", MEMORY }, { "owner", OWNER }, diff --git a/usr.sbin/vmd/priv.c b/usr.sbin/vmd/priv.c index 2b99a246259..c0f1c36fd25 100644 --- a/usr.sbin/vmd/priv.c +++ b/usr.sbin/vmd/priv.c @@ -1,4 +1,4 @@ -/* $OpenBSD: priv.c,v 1.6 2017/03/02 07:33:37 reyk Exp $ */ +/* $OpenBSD: priv.c,v 1.7 2017/04/19 15:38:32 reyk Exp $ */ /* * Copyright (c) 2016 Reyk Floeter @@ -29,6 +29,8 @@ #include #include +#include + #include #include #include @@ -80,6 +82,7 @@ priv_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg) struct ifreq ifr; struct ifbreq ifbr; struct ifgroupreq ifgr; + struct ifaliasreq ifra; char type[IF_NAMESIZE]; switch (imsg->hdr.type) { @@ -89,6 +92,7 @@ priv_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg) case IMSG_VMDOP_PRIV_IFUP: case IMSG_VMDOP_PRIV_IFDOWN: case IMSG_VMDOP_PRIV_IFGROUP: + case IMSG_VMDOP_PRIV_IFADDR: IMSG_SIZE_CHECK(imsg, &vfr); memcpy(&vfr, imsg->data, sizeof(vfr)); @@ -160,6 +164,25 @@ priv_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg) errno != EEXIST) log_warn("SIOCAIFGROUP"); break; + case IMSG_VMDOP_PRIV_IFADDR: + memset(&ifra, 0, sizeof(ifra)); + + /* Set the interface address */ + strlcpy(ifra.ifra_name, vfr.vfr_name, sizeof(ifra.ifra_name)); + + memcpy(&ifra.ifra_addr, &vfr.vfr_ifra.ifra_addr, + sizeof(ifra.ifra_addr)); + ifra.ifra_addr.sa_family = AF_INET; + ifra.ifra_addr.sa_len = sizeof(struct sockaddr_in); + + memcpy(&ifra.ifra_mask, &vfr.vfr_ifra.ifra_mask, + sizeof(ifra.ifra_mask)); + ifra.ifra_mask.sa_family = AF_INET; + ifra.ifra_mask.sa_len = sizeof(struct sockaddr_in); + + if (ioctl(env->vmd_fd, SIOCAIFADDR, &ifra) < 0) + log_warn("SIOCAIFADDR"); + break; default: return (-1); } @@ -227,6 +250,7 @@ vm_priv_ifconfig(struct privsep *ps, struct vmd_vm *vm) struct vmd_switch *vsw; unsigned int i; struct vmop_ifreq vfr, vfbr; + struct sockaddr_in *sin4; for (i = 0; i < VMM_MAX_NICS_PER_VM; i++) { vif = &vm->vm_ifs[i]; @@ -298,6 +322,27 @@ vm_priv_ifconfig(struct privsep *ps, struct vmd_vm *vm) proc_compose(ps, PROC_PRIV, (vif->vif_flags & VMIFF_UP) ? IMSG_VMDOP_PRIV_IFUP : IMSG_VMDOP_PRIV_IFDOWN, &vfr, sizeof(vfr)); + + if (vm->vm_params.vmc_ifflags[i] & VMIFF_LOCAL) { + sin4 = (struct sockaddr_in *)&vfr.vfr_ifra.ifra_mask; + sin4->sin_family = AF_INET; + sin4->sin_len = sizeof(*sin4); + sin4->sin_addr.s_addr = htonl(0xfffffffe); + + sin4 = (struct sockaddr_in *)&vfr.vfr_ifra.ifra_addr; + sin4->sin_family = AF_INET; + sin4->sin_len = sizeof(*sin4); + if ((sin4->sin_addr.s_addr = + vm_priv_addr(vm->vm_vmid, i, 0)) == 0) + return (-1); + + log_debug("%s: interface %s address %s/31", + __func__, vfr.vfr_name, + inet_ntoa(sin4->sin_addr)); + + proc_compose(ps, PROC_PRIV, IMSG_VMDOP_PRIV_IFADDR, + &vfr, sizeof(vfr)); + } } return (0); @@ -346,3 +391,46 @@ vm_priv_brconfig(struct privsep *ps, struct vmd_switch *vsw) vsw->sw_running = 1; return (0); } + +uint32_t +vm_priv_addr(uint32_t vmid, int idx, int isvm) +{ + in_addr_t prefix, mask, addr; + + /* + * 1. Set the address prefix and mask, 100.64.0.0/10 by default. + * XXX make the global prefix configurable. + */ + prefix = inet_addr(VMD_DHCP_PREFIX); + mask = prefixlen2mask(VMD_DHCP_PREFIXLEN); + + /* 2. Encode the VM ID as a per-VM subnet range N, 10.64.N.0/24. */ + addr = vmid << 8; + + /* + * 3. Assign a /31 subnet M per VM interface, 10.64.N.M/31. + * Each subnet contains exactly two IP addresses; skip the + * first subnet to avoid a gateway address ending with .0. + */ + addr |= (idx + 1) * 2; + + /* 4. Use the first address for the gateway, the second for the VM. */ + if (isvm) + addr++; + + /* 5. Convert to network byte order and add the prefix. */ + addr = htonl(addr) | prefix; + + /* + * Validate the results: + * - the address should not exceed the prefix (eg. VM ID to high). + * - up to 126 interfaces can be encoded per VM. + */ + if (prefix != (addr & mask) || idx >= 0x7f) { + log_warnx("%s: dhcp address range exceeded," + " vm id %u interface %d", __func__, vmid, idx); + return (0); + } + + return (addr); +} diff --git a/usr.sbin/vmd/virtio.c b/usr.sbin/vmd/virtio.c index 4dd35923d00..5bdb999092d 100644 --- a/usr.sbin/vmd/virtio.c +++ b/usr.sbin/vmd/virtio.c @@ -1,4 +1,4 @@ -/* $OpenBSD: virtio.c,v 1.41 2017/04/08 19:08:18 mlarkin Exp $ */ +/* $OpenBSD: virtio.c,v 1.42 2017/04/19 15:38:32 reyk Exp $ */ /* * Copyright (c) 2015 Mike Larkin @@ -1251,15 +1251,17 @@ vionet_notifyq(struct vionet_dev *dev) uint32_t vr_sz; uint16_t idx, pkt_desc_idx, hdr_desc_idx, dxx; size_t pktsz; - int ret, num_enq, ofs; - char *vr, *pkt; + ssize_t dhcpsz; + int ret, num_enq, ofs, spc; + char *vr, *pkt, *dhcppkt; struct vring_desc *desc, *pkt_desc, *hdr_desc; struct vring_avail *avail; struct vring_used *used; struct ether_header *eh; - vr = pkt = NULL; - ret = 0; + vr = pkt = dhcppkt = NULL; + ret = spc = 0; + dhcpsz = 0; /* Invalid queue? */ if (dev->cfg.queue_notify != 1) { @@ -1373,8 +1375,13 @@ vionet_notifyq(struct vionet_dev *dev) log_debug("vionet: wrong source address %s for vm %d", ether_ntoa((struct ether_addr *) eh->ether_shost), dev->vm_id); + else if (dev->local && dhcpsz == 0 && + (dhcpsz = dhcp_request(dev, pkt, pktsz, &dhcppkt)) != -1) { + log_debug("vionet: dhcp request," + " local response size %zd", dhcpsz); + /* XXX signed vs unsigned here, funky cast */ - else if (write(dev->fd, pkt, pktsz) != (int)pktsz) { + } else if (write(dev->fd, pkt, pktsz) != (int)pktsz) { log_warnx("vionet: tx failed writing to tap: " "%d", errno); goto out; @@ -1398,9 +1405,15 @@ vionet_notifyq(struct vionet_dev *dev) log_warnx("vionet: tx error writing vio ring"); } + if (dhcpsz > 0) { + if (vionet_enq_rx(dev, dhcppkt, dhcpsz, &spc)) + ret = 1; + } + out: free(vr); free(pkt); + free(dhcppkt); return (ret); } @@ -1582,8 +1595,9 @@ vmmci_io(int dir, uint16_t reg, uint32_t *data, uint8_t *intr, } void -virtio_init(struct vmop_create_params *vmc, int *child_disks, int *child_taps) +virtio_init(struct vmd_vm *vm, int *child_disks, int *child_taps) { + struct vmop_create_params *vmc = &vm->vm_params; struct vm_create_params *vcp = &vmc->vmc_params; static const uint8_t zero_mac[6]; uint8_t id; @@ -1713,6 +1727,7 @@ virtio_init(struct vmop_create_params *vmc, int *child_disks, int *child_taps) vionet[i].fd = child_taps[i]; vionet[i].rx_pending = 0; vionet[i].vm_id = vcp->vcp_id; + vionet[i].vm_vmid = vm->vm_vmid; vionet[i].irq = pci_get_dev_irq(id); event_set(&vionet[i].event, vionet[i].fd, @@ -1747,11 +1762,15 @@ virtio_init(struct vmop_create_params *vmc, int *child_disks, int *child_taps) } vionet[i].lockedmac = vmc->vmc_ifflags[i] & VMIFF_LOCKED ? 1 : 0; + vionet[i].local = + vmc->vmc_ifflags[i] & VMIFF_LOCAL ? 1 : 0; + vionet[i].idx = i; - log_debug("%s: vm \"%s\" vio%u lladdr %s%s", + log_debug("%s: vm \"%s\" vio%u lladdr %s%s%s", __func__, vcp->vcp_name, i, ether_ntoa((void *)vionet[i].mac), - vionet[i].lockedmac ? " (locked)" : ""); + vionet[i].lockedmac ? ", locked" : "", + vionet[i].local ? ", local" : ""); } } diff --git a/usr.sbin/vmd/virtio.h b/usr.sbin/vmd/virtio.h index 04b81ea472d..a830d1738d0 100644 --- a/usr.sbin/vmd/virtio.h +++ b/usr.sbin/vmd/virtio.h @@ -1,4 +1,4 @@ -/* $OpenBSD: virtio.h,v 1.14 2017/03/27 00:28:04 deraadt Exp $ */ +/* $OpenBSD: virtio.h,v 1.15 2017/04/19 15:38:32 reyk Exp $ */ /* * Copyright (c) 2015 Mike Larkin @@ -118,9 +118,13 @@ struct vionet_dev { int fd, rx_added; int rx_pending; uint32_t vm_id; + uint32_t vm_vmid; int irq; uint8_t mac[6]; + + int idx; int lockedmac; + int local; }; struct virtio_net_hdr { @@ -154,7 +158,8 @@ struct vmmci_dev { int irq; }; -void virtio_init(struct vmop_create_params *, int *, int *); +/* virtio.c */ +void virtio_init(struct vmd_vm *, int *, int *); uint32_t vring_size(uint32_t); int virtio_rnd_io(int, uint16_t, uint32_t *, uint8_t *, void *, uint8_t); @@ -181,3 +186,6 @@ void vmmci_ack(unsigned int); void vmmci_timeout(int, short, void *); const char *vioblk_cmd_name(uint32_t); + +/* dhcp.c */ +ssize_t dhcp_request(struct vionet_dev *, char *, size_t, char **); diff --git a/usr.sbin/vmd/vm.c b/usr.sbin/vmd/vm.c index b833d8da897..6ce5f519f52 100644 --- a/usr.sbin/vmd/vm.c +++ b/usr.sbin/vmd/vm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: vm.c,v 1.11 2017/03/27 00:28:04 deraadt Exp $ */ +/* $OpenBSD: vm.c,v 1.12 2017/04/19 15:38:32 reyk Exp $ */ /* * Copyright (c) 2015 Mike Larkin @@ -656,7 +656,7 @@ init_emulated_hw(struct vmop_create_params *vmc, int *child_disks, pci_init(); /* Initialize virtio devices */ - virtio_init(vmc, child_disks, child_taps); + virtio_init(current_vm, child_disks, child_taps); } /* diff --git a/usr.sbin/vmd/vm.conf.5 b/usr.sbin/vmd/vm.conf.5 index 6093c9d7cf4..ad610b30b8a 100644 --- a/usr.sbin/vmd/vm.conf.5 +++ b/usr.sbin/vmd/vm.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: vm.conf.5,v 1.17 2017/03/25 16:28:25 reyk Exp $ +.\" $OpenBSD: vm.conf.5,v 1.18 2017/04/19 15:38:32 reyk Exp $ .\" .\" Copyright (c) 2015 Mike Larkin .\" Copyright (c) 2015 Reyk Floeter @@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: March 25 2017 $ +.Dd $Mdocdate: April 19 2017 $ .Dt VM.CONF 5 .Os .Sh NAME @@ -112,7 +112,7 @@ is specified. Do not start this VM. .It Cm disk Ar path Disk image file (may be specified multiple times to add multiple disk images). -.It Cm interface Oo name Oc Op Brq ... +.It Oo Cm local Oc Cm interface Oo name Oc Op Brq ... Network interface to add to the VM. The optional .Ar name @@ -123,6 +123,7 @@ to select the next available interface on the VM host side (the default) or .Ar tapN to select a specific one. +.Pp Valid options are: .Bl -tag -width Ds .It Cm group Ar group-name @@ -158,6 +159,13 @@ This is the default. .It Cm down Stop the interface from forwarding packets. .El +.Pp +A +.Cm local +interface will auto-generate an IPv4 subnet for the interface, +configure a gateway address on the VM host side, +and run a simple DHCP (BOOTP) server for the VM. +This option can be used for layer 3 mode without configuring a switch. .It Cm interfaces Ar count Optional minimum number of network interfaces to add to the VM. If the diff --git a/usr.sbin/vmd/vmd.c b/usr.sbin/vmd/vmd.c index 3bcfed30965..fcd2c3696b9 100644 --- a/usr.sbin/vmd/vmd.c +++ b/usr.sbin/vmd/vmd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: vmd.c,v 1.56 2017/04/06 18:07:13 reyk Exp $ */ +/* $OpenBSD: vmd.c,v 1.57 2017/04/19 15:38:32 reyk Exp $ */ /* * Copyright (c) 2015 Reyk Floeter @@ -1045,3 +1045,15 @@ get_string(uint8_t *ptr, size_t len) return strndup(ptr, i); } + +uint32_t +prefixlen2mask(uint8_t prefixlen) +{ + if (prefixlen == 0) + return (0); + + if (prefixlen > 32) + prefixlen = 32; + + return (htonl(0xffffffff << (32 - prefixlen))); +} diff --git a/usr.sbin/vmd/vmd.h b/usr.sbin/vmd/vmd.h index 3e51d964702..5dc0bb4d81d 100644 --- a/usr.sbin/vmd/vmd.h +++ b/usr.sbin/vmd/vmd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: vmd.h,v 1.50 2017/04/06 18:07:13 reyk Exp $ */ +/* $OpenBSD: vmd.h,v 1.51 2017/04/19 15:38:32 reyk Exp $ */ /* * Copyright (c) 2015 Mike Larkin @@ -23,6 +23,8 @@ #include #include +#include +#include #include #include @@ -48,6 +50,10 @@ #define VMD_SWITCH_TYPE "bridge" #define VM_DEFAULT_MEMORY 512 +/* 100.64.0.0/10 from rfc6598 (IPv4 Prefix for Shared Address Space) */ +#define VMD_DHCP_PREFIX "100.64.0.0" +#define VMD_DHCP_PREFIXLEN 10 + #ifdef VMD_DEBUG #define dprintf(x...) do { log_debug(x); } while(0) #else @@ -74,6 +80,7 @@ enum imsg_type { IMSG_VMDOP_PRIV_IFUP, IMSG_VMDOP_PRIV_IFDOWN, IMSG_VMDOP_PRIV_IFGROUP, + IMSG_VMDOP_PRIV_IFADDR, IMSG_VMDOP_VM_SHUTDOWN, IMSG_VMDOP_VM_REBOOT }; @@ -102,6 +109,7 @@ struct vmop_ifreq { uint32_t vfr_id; char vfr_name[IF_NAMESIZE]; char vfr_value[VM_NAME_MAX]; + struct ifaliasreq vfr_ifra; }; struct vmop_create_params { @@ -116,7 +124,8 @@ struct vmop_create_params { unsigned int vmc_ifflags[VMM_MAX_NICS_PER_VM]; #define VMIFF_UP 0x01 #define VMIFF_LOCKED 0x02 -#define VMIFF_OPTMASK VMIFF_LOCKED +#define VMIFF_LOCAL 0x04 +#define VMIFF_OPTMASK (VMIFF_LOCKED|VMIFF_LOCAL) char vmc_ifnames[VMM_MAX_NICS_PER_VM][IF_NAMESIZE]; char vmc_ifswitch[VMM_MAX_NICS_PER_VM][VM_NAME_MAX]; char vmc_ifgroup[VMM_MAX_NICS_PER_VM][IF_NAMESIZE]; @@ -198,6 +207,38 @@ struct vmd { int vmd_ptmfd; }; +static inline struct sockaddr_in * +ss2sin(struct sockaddr_storage *ss) +{ + return ((struct sockaddr_in *)ss); +} + +static inline struct sockaddr_in6 * +ss2sin6(struct sockaddr_storage *ss) +{ + return ((struct sockaddr_in6 *)ss); +} + +struct packet_ctx { + uint8_t pc_htype; + uint8_t pc_hlen; + uint8_t pc_smac[ETHER_ADDR_LEN]; + uint8_t pc_dmac[ETHER_ADDR_LEN]; + + struct sockaddr_storage pc_src; + struct sockaddr_storage pc_dst; +}; + +/* packet.c */ +ssize_t assemble_hw_header(unsigned char *, size_t, size_t, + struct packet_ctx *, unsigned int); +ssize_t assemble_udp_ip_header(unsigned char *, size_t, size_t, + struct packet_ctx *pc, unsigned char *, size_t); +ssize_t decode_hw_header(unsigned char *, size_t, size_t, struct packet_ctx *, + unsigned int); +ssize_t decode_udp_ip_header(unsigned char *, size_t, size_t, + struct packet_ctx *); + /* vmd.c */ void vmd_reload(unsigned int, const char *); struct vmd_vm *vm_getbyid(uint32_t); @@ -216,6 +257,7 @@ void vm_closetty(struct vmd_vm *); void switch_remove(struct vmd_switch *); struct vmd_switch *switch_getbyname(const char *); char *get_string(uint8_t *, size_t); +uint32_t prefixlen2mask(uint8_t); /* priv.c */ void priv(struct privsep *, struct privsep_proc *); @@ -224,6 +266,7 @@ int priv_findname(const char *, const char **); int priv_validgroup(const char *); int vm_priv_ifconfig(struct privsep *, struct vmd_vm *); int vm_priv_brconfig(struct privsep *, struct vmd_switch *); +uint32_t vm_priv_addr(uint32_t, int, int); /* vmm.c */ void vmm(struct privsep *, struct privsep_proc *);