3 Copyright (C) 2000-2005 Ivo Timmermans,
4 2000-2013 Guus Sliepen <guus@tinc-vpn.org>
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License along
17 with this program; if not, write to the Free Software Foundation, Inc.,
18 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 #include "connection.h"
24 #include "control_common.h"
36 rmode_t routing_mode = RMODE_ROUTER;
37 fmode_t forwarding_mode = FMODE_INTERNAL;
38 bmode_t broadcast_mode = BMODE_MST;
39 bool decrement_ttl = false;
40 bool directonly = false;
41 bool priorityinheritance = false;
43 bool overwrite_mac = false;
44 mac_t mymac = {{0xFE, 0xFD, 0, 0, 0, 0}};
47 /* Sizes of various headers */
49 static const size_t ether_size = sizeof(struct ether_header);
50 static const size_t arp_size = sizeof(struct ether_arp);
51 static const size_t ip_size = sizeof(struct ip);
52 static const size_t icmp_size = sizeof(struct icmp) - sizeof(struct ip);
53 static const size_t ip6_size = sizeof(struct ip6_hdr);
54 static const size_t icmp6_size = sizeof(struct icmp6_hdr);
55 static const size_t ns_size = sizeof(struct nd_neighbor_solicit);
56 static const size_t opt_size = sizeof(struct nd_opt_hdr);
59 #define MAX(a, b) ((a) > (b) ? (a) : (b))
62 static timeout_t age_subnets_timeout;
66 static uint16_t inet_checksum(void *data, int len, uint16_t prevsum) {
68 uint32_t checksum = prevsum ^ 0xFFFF;
76 checksum += *(uint8_t *)p;
79 checksum = (checksum & 0xFFFF) + (checksum >> 16);
84 static bool ratelimit(int frequency) {
85 static time_t lasttime = 0;
88 if(lasttime == now.tv_sec) {
89 if(count >= frequency)
92 lasttime = now.tv_sec;
100 static bool checklength(node_t *source, vpn_packet_t *packet, length_t length) {
101 if(packet->len < length) {
102 logger(DEBUG_TRAFFIC, LOG_WARNING, "Got too short packet from %s (%s)", source->name, source->hostname);
108 static void clamp_mss(const node_t *source, const node_t *via, vpn_packet_t *packet) {
109 if(!source || !via || !(via->options & OPTION_CLAMP_MSS))
112 uint16_t mtu = source->mtu;
113 if(via != myself && via->mtu < mtu)
116 /* Find TCP header */
117 int start = ether_size;
118 uint16_t type = packet->data[12] << 8 | packet->data[13];
120 if(type == ETH_P_8021Q) {
122 type = packet->data[16] << 8 | packet->data[17];
125 if(type == ETH_P_IP && packet->data[start + 9] == 6)
126 start += (packet->data[start] & 0xf) * 4;
127 else if(type == ETH_P_IPV6 && packet->data[start + 6] == 6)
132 if(packet->len <= start + 20)
135 /* Use data offset field to calculate length of options field */
136 int len = ((packet->data[start + 12] >> 4) - 5) * 4;
138 if(packet->len < start + 20 + len)
141 /* Search for MSS option header */
142 for(int i = 0; i < len;) {
143 if(packet->data[start + 20 + i] == 0)
146 if(packet->data[start + 20 + i] == 1) {
151 if(i > len - 2 || i > len - packet->data[start + 21 + i])
154 if(packet->data[start + 20 + i] != 2) {
155 if(packet->data[start + 21 + i] < 2)
157 i += packet->data[start + 21 + i];
161 if(packet->data[start + 21] != 4)
165 uint16_t oldmss = packet->data[start + 22 + i] << 8 | packet->data[start + 23 + i];
166 uint16_t newmss = mtu - start - 20;
167 uint16_t csum = packet->data[start + 16] << 8 | packet->data[start + 17];
172 logger(DEBUG_TRAFFIC, LOG_INFO, "Clamping MSS of packet from %s to %s to %d", source->name, via->name, newmss);
174 /* Update the MSS value and the checksum */
175 packet->data[start + 22 + i] = newmss >> 8;
176 packet->data[start + 23 + i] = newmss & 0xff;
181 packet->data[start + 16] = csum >> 8;
182 packet->data[start + 17] = csum & 0xff;
187 static void swap_mac_addresses(vpn_packet_t *packet) {
189 memcpy(&tmp, &packet->data[0], sizeof tmp);
190 memcpy(&packet->data[0], &packet->data[6], sizeof tmp);
191 memcpy(&packet->data[6], &tmp, sizeof tmp);
194 static void age_subnets(void *data) {
197 for splay_each(subnet_t, s, myself->subnet_tree) {
198 if(s->expires && s->expires < now.tv_sec) {
199 if(debug_level >= DEBUG_TRAFFIC) {
200 char netstr[MAXNETSTR];
201 if(net2str(netstr, sizeof netstr, s))
202 logger(DEBUG_TRAFFIC, LOG_INFO, "Subnet %s expired", netstr);
205 for list_each(connection_t, c, connection_list)
207 send_del_subnet(c, s);
209 subnet_del(myself, s);
217 timeout_set(&age_subnets_timeout, &(struct timeval){10, rand() % 100000});
220 static void learn_mac(mac_t *address) {
221 subnet_t *subnet = lookup_subnet_mac(myself, address);
223 /* If we don't know this MAC address yet, store it */
226 logger(DEBUG_TRAFFIC, LOG_INFO, "Learned new MAC address %hx:%hx:%hx:%hx:%hx:%hx",
227 address->x[0], address->x[1], address->x[2], address->x[3],
228 address->x[4], address->x[5]);
230 subnet = new_subnet();
231 subnet->type = SUBNET_MAC;
232 subnet->expires = now.tv_sec + macexpire;
233 subnet->net.mac.address = *address;
235 subnet_add(myself, subnet);
236 subnet_update(myself, subnet, true);
238 /* And tell all other tinc daemons it's our MAC */
240 for list_each(connection_t, c, connection_list)
242 send_add_subnet(c, subnet);
244 timeout_add(&age_subnets_timeout, age_subnets, NULL, &(struct timeval){10, rand() % 100000});
247 subnet->expires = now.tv_sec + macexpire;
253 static void route_ipv4_unreachable(node_t *source, vpn_packet_t *packet, length_t ether_size, uint8_t type, uint8_t code) {
255 struct icmp icmp = {0};
257 struct in_addr ip_src;
258 struct in_addr ip_dst;
264 /* Swap Ethernet source and destination addresses */
266 swap_mac_addresses(packet);
268 /* Copy headers from packet into properly aligned structs on the stack */
270 memcpy(&ip, packet->data + ether_size, ip_size);
272 /* Remember original source and destination */
277 oldlen = packet->len - ether_size;
279 if(type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED)
280 icmp.icmp_nextmtu = htons(packet->len - ether_size);
282 if(oldlen >= IP_MSS - ip_size - icmp_size)
283 oldlen = IP_MSS - ip_size - icmp_size;
285 /* Copy first part of original contents to ICMP message */
287 memmove(packet->data + ether_size + ip_size + icmp_size, packet->data + ether_size, oldlen);
289 /* Fill in IPv4 header */
292 ip.ip_hl = ip_size / 4;
294 ip.ip_len = htons(ip_size + icmp_size + oldlen);
298 ip.ip_p = IPPROTO_ICMP;
303 ip.ip_sum = inet_checksum(&ip, ip_size, ~0);
305 /* Fill in ICMP header */
307 icmp.icmp_type = type;
308 icmp.icmp_code = code;
311 icmp.icmp_cksum = inet_checksum(&icmp, icmp_size, ~0);
312 icmp.icmp_cksum = inet_checksum(packet->data + ether_size + ip_size + icmp_size, oldlen, icmp.icmp_cksum);
314 /* Copy structs on stack back to packet */
316 memcpy(packet->data + ether_size, &ip, ip_size);
317 memcpy(packet->data + ether_size + ip_size, &icmp, icmp_size);
319 packet->len = ether_size + ip_size + icmp_size + oldlen;
321 send_packet(source, packet);
326 static void fragment_ipv4_packet(node_t *dest, vpn_packet_t *packet, length_t ether_size) {
328 vpn_packet_t fragment;
329 int len, maxlen, todo;
331 uint16_t ip_off, origf;
333 memcpy(&ip, packet->data + ether_size, ip_size);
334 fragment.priority = packet->priority;
336 if(ip.ip_hl != ip_size / 4)
339 todo = ntohs(ip.ip_len) - ip_size;
341 if(ether_size + ip_size + todo != packet->len) {
342 logger(DEBUG_TRAFFIC, LOG_WARNING, "Length of packet (%d) doesn't match length in IPv4 header (%d)", packet->len, (int)(ether_size + ip_size + todo));
346 logger(DEBUG_TRAFFIC, LOG_INFO, "Fragmenting packet of %d bytes to %s (%s)", packet->len, dest->name, dest->hostname);
348 offset = packet->data + ether_size + ip_size;
349 maxlen = (dest->mtu - ether_size - ip_size) & ~0x7;
350 ip_off = ntohs(ip.ip_off);
351 origf = ip_off & ~IP_OFFMASK;
352 ip_off &= IP_OFFMASK;
355 len = todo > maxlen ? maxlen : todo;
356 memcpy(fragment.data + ether_size + ip_size, offset, len);
360 ip.ip_len = htons(ip_size + len);
361 ip.ip_off = htons(ip_off | origf | (todo ? IP_MF : 0));
363 ip.ip_sum = inet_checksum(&ip, ip_size, ~0);
364 memcpy(fragment.data, packet->data, ether_size);
365 memcpy(fragment.data + ether_size, &ip, ip_size);
366 fragment.len = ether_size + ip_size + len;
368 send_packet(dest, &fragment);
374 static void route_ipv4(node_t *source, vpn_packet_t *packet) {
375 if(!checklength(source, packet, ether_size + ip_size))
382 memcpy(&dest, &packet->data[30], sizeof dest);
383 subnet = lookup_subnet_ipv4(&dest);
386 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot route packet from %s (%s): unknown IPv4 destination address %d.%d.%d.%d",
387 source->name, source->hostname,
393 route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_NET_UNKNOWN);
397 if (!subnet->owner) {
398 broadcast_packet(source, packet);
402 if(subnet->owner == source) {
403 logger(DEBUG_TRAFFIC, LOG_WARNING, "Packet looping back to %s (%s)!", source->name, source->hostname);
407 if(!subnet->owner->status.reachable)
408 return route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_NET_UNREACH);
410 if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself)
411 return route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_NET_ANO);
413 if(priorityinheritance)
414 packet->priority = packet->data[15];
416 via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
419 logger(DEBUG_TRAFFIC, LOG_ERR, "Routing loop for packet from %s (%s)!", source->name, source->hostname);
423 if(directonly && subnet->owner != via)
424 return route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_NET_ANO);
426 if(via && packet->len > MAX(via->mtu, 590) && via != myself) {
427 logger(DEBUG_TRAFFIC, LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
428 if(packet->data[20] & 0x40) {
429 packet->len = MAX(via->mtu, 590);
430 route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED);
432 fragment_ipv4_packet(via, packet, ether_size);
438 clamp_mss(source, via, packet);
440 send_packet(subnet->owner, packet);
445 static void route_ipv6_unreachable(node_t *source, vpn_packet_t *packet, length_t ether_size, uint8_t type, uint8_t code) {
447 struct icmp6_hdr icmp6 = {0};
451 struct in6_addr ip6_src; /* source address */
452 struct in6_addr ip6_dst; /* destination address */
460 /* Swap Ethernet source and destination addresses */
462 swap_mac_addresses(packet);
464 /* Copy headers from packet to structs on the stack */
466 memcpy(&ip6, packet->data + ether_size, ip6_size);
468 /* Remember original source and destination */
470 pseudo.ip6_src = ip6.ip6_dst;
471 pseudo.ip6_dst = ip6.ip6_src;
473 pseudo.length = packet->len - ether_size;
475 if(type == ICMP6_PACKET_TOO_BIG)
476 icmp6.icmp6_mtu = htonl(pseudo.length);
478 if(pseudo.length >= IP_MSS - ip6_size - icmp6_size)
479 pseudo.length = IP_MSS - ip6_size - icmp6_size;
481 /* Copy first part of original contents to ICMP message */
483 memmove(packet->data + ether_size + ip6_size + icmp6_size, packet->data + ether_size, pseudo.length);
485 /* Fill in IPv6 header */
487 ip6.ip6_flow = htonl(0x60000000UL);
488 ip6.ip6_plen = htons(icmp6_size + pseudo.length);
489 ip6.ip6_nxt = IPPROTO_ICMPV6;
491 ip6.ip6_src = pseudo.ip6_src;
492 ip6.ip6_dst = pseudo.ip6_dst;
494 /* Fill in ICMP header */
496 icmp6.icmp6_type = type;
497 icmp6.icmp6_code = code;
498 icmp6.icmp6_cksum = 0;
500 /* Create pseudo header */
502 pseudo.length = htonl(icmp6_size + pseudo.length);
503 pseudo.next = htonl(IPPROTO_ICMPV6);
505 /* Generate checksum */
507 checksum = inet_checksum(&pseudo, sizeof pseudo, ~0);
508 checksum = inet_checksum(&icmp6, icmp6_size, checksum);
509 checksum = inet_checksum(packet->data + ether_size + ip6_size + icmp6_size, ntohl(pseudo.length) - icmp6_size, checksum);
511 icmp6.icmp6_cksum = checksum;
513 /* Copy structs on stack back to packet */
515 memcpy(packet->data + ether_size, &ip6, ip6_size);
516 memcpy(packet->data + ether_size + ip6_size, &icmp6, icmp6_size);
518 packet->len = ether_size + ip6_size + ntohl(pseudo.length);
520 send_packet(source, packet);
523 static void route_neighborsol(node_t *source, vpn_packet_t *packet);
525 static void route_ipv6(node_t *source, vpn_packet_t *packet) {
526 if(!checklength(source, packet, ether_size + ip6_size))
529 if(packet->data[20] == IPPROTO_ICMPV6 && checklength(source, packet, ether_size + ip6_size + icmp6_size) && packet->data[54] == ND_NEIGHBOR_SOLICIT) {
530 route_neighborsol(source, packet);
538 memcpy(&dest, &packet->data[38], sizeof dest);
539 subnet = lookup_subnet_ipv6(&dest);
542 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot route packet from %s (%s): unknown IPv6 destination address %hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx",
543 source->name, source->hostname,
553 route_ipv6_unreachable(source, packet, ether_size, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADDR);
557 if (!subnet->owner) {
558 broadcast_packet(source, packet);
562 if(subnet->owner == source) {
563 logger(DEBUG_TRAFFIC, LOG_WARNING, "Packet looping back to %s (%s)!", source->name, source->hostname);
567 if(!subnet->owner->status.reachable)
568 return route_ipv6_unreachable(source, packet, ether_size, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOROUTE);
570 if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself)
571 return route_ipv6_unreachable(source, packet, ether_size, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN);
573 via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
576 logger(DEBUG_TRAFFIC, LOG_ERR, "Routing loop for packet from %s (%s)!", source->name, source->hostname);
580 if(directonly && subnet->owner != via)
581 return route_ipv6_unreachable(source, packet, ether_size, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN);
583 if(via && packet->len > MAX(via->mtu, 1294) && via != myself) {
584 logger(DEBUG_TRAFFIC, LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
585 packet->len = MAX(via->mtu, 1294);
586 route_ipv6_unreachable(source, packet, ether_size, ICMP6_PACKET_TOO_BIG, 0);
590 clamp_mss(source, via, packet);
592 send_packet(subnet->owner, packet);
597 static void route_neighborsol(node_t *source, vpn_packet_t *packet) {
599 struct nd_neighbor_solicit ns;
600 struct nd_opt_hdr opt;
606 struct in6_addr ip6_src;
607 struct in6_addr ip6_dst;
612 if(!checklength(source, packet, ether_size + ip6_size + ns_size))
615 has_opt = packet->len >= ether_size + ip6_size + ns_size + opt_size + ETH_ALEN;
617 if(source != myself) {
618 logger(DEBUG_TRAFFIC, LOG_WARNING, "Got neighbor solicitation request from %s (%s) while in router mode!", source->name, source->hostname);
622 /* Copy headers from packet to structs on the stack */
624 memcpy(&ip6, packet->data + ether_size, ip6_size);
625 memcpy(&ns, packet->data + ether_size + ip6_size, ns_size);
627 memcpy(&opt, packet->data + ether_size + ip6_size + ns_size, opt_size);
629 /* First, snatch the source address from the neighbor solicitation packet */
632 memcpy(mymac.x, packet->data + ETH_ALEN, ETH_ALEN);
634 /* Check if this is a valid neighbor solicitation request */
636 if(ns.nd_ns_hdr.icmp6_type != ND_NEIGHBOR_SOLICIT ||
637 (has_opt && opt.nd_opt_type != ND_OPT_SOURCE_LINKADDR)) {
638 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot route packet: received unknown type neighbor solicitation request");
642 /* Create pseudo header */
644 pseudo.ip6_src = ip6.ip6_src;
645 pseudo.ip6_dst = ip6.ip6_dst;
647 pseudo.length = htonl(ns_size + opt_size + ETH_ALEN);
649 pseudo.length = htonl(ns_size);
650 pseudo.next = htonl(IPPROTO_ICMPV6);
652 /* Generate checksum */
654 checksum = inet_checksum(&pseudo, sizeof pseudo, ~0);
655 checksum = inet_checksum(&ns, ns_size, checksum);
657 checksum = inet_checksum(&opt, opt_size, checksum);
658 checksum = inet_checksum(packet->data + ether_size + ip6_size + ns_size + opt_size, ETH_ALEN, checksum);
662 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot route packet: checksum error for neighbor solicitation request");
666 /* Check if the IPv6 address exists on the VPN */
668 subnet = lookup_subnet_ipv6((ipv6_t *) &ns.nd_ns_target);
671 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot route packet: neighbor solicitation request for unknown address %hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx",
672 ntohs(((uint16_t *) &ns.nd_ns_target)[0]),
673 ntohs(((uint16_t *) &ns.nd_ns_target)[1]),
674 ntohs(((uint16_t *) &ns.nd_ns_target)[2]),
675 ntohs(((uint16_t *) &ns.nd_ns_target)[3]),
676 ntohs(((uint16_t *) &ns.nd_ns_target)[4]),
677 ntohs(((uint16_t *) &ns.nd_ns_target)[5]),
678 ntohs(((uint16_t *) &ns.nd_ns_target)[6]),
679 ntohs(((uint16_t *) &ns.nd_ns_target)[7]));
684 /* Check if it is for our own subnet */
686 if(subnet->owner == myself)
687 return; /* silently ignore */
689 /* Create neighbor advertation reply */
691 memcpy(packet->data, packet->data + ETH_ALEN, ETH_ALEN); /* copy destination address */
692 packet->data[ETH_ALEN * 2 - 1] ^= 0xFF; /* mangle source address so it looks like it's not from us */
694 ip6.ip6_dst = ip6.ip6_src; /* swap destination and source protocoll address */
695 ip6.ip6_src = ns.nd_ns_target;
698 memcpy(packet->data + ether_size + ip6_size + ns_size + opt_size, packet->data + ETH_ALEN, ETH_ALEN); /* add fake source hard addr */
701 ns.nd_ns_type = ND_NEIGHBOR_ADVERT;
702 ns.nd_ns_reserved = htonl(0x40000000UL); /* Set solicited flag */
703 opt.nd_opt_type = ND_OPT_TARGET_LINKADDR;
705 /* Create pseudo header */
707 pseudo.ip6_src = ip6.ip6_src;
708 pseudo.ip6_dst = ip6.ip6_dst;
710 pseudo.length = htonl(ns_size + opt_size + ETH_ALEN);
712 pseudo.length = htonl(ns_size);
713 pseudo.next = htonl(IPPROTO_ICMPV6);
715 /* Generate checksum */
717 checksum = inet_checksum(&pseudo, sizeof pseudo, ~0);
718 checksum = inet_checksum(&ns, ns_size, checksum);
720 checksum = inet_checksum(&opt, opt_size, checksum);
721 checksum = inet_checksum(packet->data + ether_size + ip6_size + ns_size + opt_size, ETH_ALEN, checksum);
724 ns.nd_ns_hdr.icmp6_cksum = checksum;
726 /* Copy structs on stack back to packet */
728 memcpy(packet->data + ether_size, &ip6, ip6_size);
729 memcpy(packet->data + ether_size + ip6_size, &ns, ns_size);
731 memcpy(packet->data + ether_size + ip6_size + ns_size, &opt, opt_size);
733 send_packet(source, packet);
738 static void route_arp(node_t *source, vpn_packet_t *packet) {
739 struct ether_arp arp;
743 if(!checklength(source, packet, ether_size + arp_size))
746 if(source != myself) {
747 logger(DEBUG_TRAFFIC, LOG_WARNING, "Got ARP request from %s (%s) while in router mode!", source->name, source->hostname);
751 /* First, snatch the source address from the ARP packet */
754 memcpy(mymac.x, packet->data + ETH_ALEN, ETH_ALEN);
756 /* Copy headers from packet to structs on the stack */
758 memcpy(&arp, packet->data + ether_size, arp_size);
760 /* Check if this is a valid ARP request */
762 if(ntohs(arp.arp_hrd) != ARPHRD_ETHER || ntohs(arp.arp_pro) != ETH_P_IP ||
763 arp.arp_hln != ETH_ALEN || arp.arp_pln != sizeof addr || ntohs(arp.arp_op) != ARPOP_REQUEST) {
764 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot route packet: received unknown type ARP request");
768 /* Check if the IPv4 address exists on the VPN */
770 subnet = lookup_subnet_ipv4((ipv4_t *) &arp.arp_tpa);
773 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot route packet: ARP request for unknown address %d.%d.%d.%d",
774 arp.arp_tpa[0], arp.arp_tpa[1], arp.arp_tpa[2],
779 /* Check if it is for our own subnet */
781 if(subnet->owner == myself)
782 return; /* silently ignore */
784 memcpy(packet->data, packet->data + ETH_ALEN, ETH_ALEN); /* copy destination address */
785 packet->data[ETH_ALEN * 2 - 1] ^= 0xFF; /* mangle source address so it looks like it's not from us */
787 memcpy(&addr, arp.arp_tpa, sizeof addr); /* save protocol addr */
788 memcpy(arp.arp_tpa, arp.arp_spa, sizeof addr); /* swap destination and source protocol address */
789 memcpy(arp.arp_spa, &addr, sizeof addr); /* ... */
791 memcpy(arp.arp_tha, arp.arp_sha, ETH_ALEN); /* set target hard/proto addr */
792 memcpy(arp.arp_sha, packet->data + ETH_ALEN, ETH_ALEN); /* add fake source hard addr */
793 arp.arp_op = htons(ARPOP_REPLY);
795 /* Copy structs on stack back to packet */
797 memcpy(packet->data + ether_size, &arp, arp_size);
799 send_packet(source, packet);
802 static void route_mac(node_t *source, vpn_packet_t *packet) {
806 /* Learn source address */
808 if(source == myself) {
810 memcpy(&src, &packet->data[6], sizeof src);
814 /* Lookup destination address */
816 memcpy(&dest, &packet->data[0], sizeof dest);
817 subnet = lookup_subnet_mac(NULL, &dest);
819 if(!subnet || !subnet->owner) {
820 broadcast_packet(source, packet);
824 if(subnet->owner == source) {
825 logger(DEBUG_TRAFFIC, LOG_WARNING, "Packet looping back to %s (%s)!", source->name, source->hostname);
829 if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself)
832 uint16_t type = packet->data[12] << 8 | packet->data[13];
834 if(priorityinheritance && type == ETH_P_IP && packet->len >= ether_size + ip_size)
835 packet->priority = packet->data[15];
837 // Handle packets larger than PMTU
839 node_t *via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
841 if(directonly && subnet->owner != via)
844 if(via && packet->len > via->mtu && via != myself) {
845 logger(DEBUG_TRAFFIC, LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
846 length_t ethlen = 14;
848 if(type == ETH_P_8021Q) {
849 type = packet->data[16] << 8 | packet->data[17];
853 if(type == ETH_P_IP && packet->len > 576 + ethlen) {
854 if(packet->data[6 + ethlen] & 0x40) {
855 packet->len = via->mtu;
856 route_ipv4_unreachable(source, packet, ethlen, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED);
858 fragment_ipv4_packet(via, packet, ethlen);
861 } else if(type == ETH_P_IPV6 && packet->len > 1280 + ethlen) {
862 packet->len = via->mtu;
863 route_ipv6_unreachable(source, packet, ethlen, ICMP6_PACKET_TOO_BIG, 0);
868 clamp_mss(source, via, packet);
870 send_packet(subnet->owner, packet);
873 static void send_pcap(vpn_packet_t *packet) {
876 for list_each(connection_t, c, connection_list) {
881 int len = packet->len;
882 if(c->outmaclength && c->outmaclength < len)
883 len = c->outmaclength;
885 if(send_request(c, "%d %d %d", CONTROL, REQ_PCAP, len))
886 send_meta(c, (char *)packet->data, len);
890 static bool do_decrement_ttl(node_t *source, vpn_packet_t *packet) {
891 uint16_t type = packet->data[12] << 8 | packet->data[13];
892 length_t ethlen = ether_size;
894 if(type == ETH_P_8021Q) {
895 type = packet->data[16] << 8 | packet->data[17];
901 if(!checklength(source, packet, ethlen + ip_size))
904 if(packet->data[ethlen + 8] < 1) {
905 if(packet->data[ethlen + 11] != IPPROTO_ICMP || packet->data[ethlen + 32] != ICMP_TIME_EXCEEDED)
906 route_ipv4_unreachable(source, packet, ethlen, ICMP_TIME_EXCEEDED, ICMP_EXC_TTL);
910 uint16_t old = packet->data[ethlen + 8] << 8 | packet->data[ethlen + 9];
911 packet->data[ethlen + 8]--;
912 uint16_t new = packet->data[ethlen + 8] << 8 | packet->data[ethlen + 9];
914 uint32_t checksum = packet->data[ethlen + 10] << 8 | packet->data[ethlen + 11];
915 checksum += old + (~new & 0xFFFF);
916 while(checksum >> 16)
917 checksum = (checksum & 0xFFFF) + (checksum >> 16);
918 packet->data[ethlen + 10] = checksum >> 8;
919 packet->data[ethlen + 11] = checksum & 0xff;
924 if(!checklength(source, packet, ethlen + ip6_size))
927 if(packet->data[ethlen + 7] < 1) {
928 if(packet->data[ethlen + 6] != IPPROTO_ICMPV6 || packet->data[ethlen + 40] != ICMP6_TIME_EXCEEDED)
929 route_ipv6_unreachable(source, packet, ethlen, ICMP6_TIME_EXCEEDED, ICMP6_TIME_EXCEED_TRANSIT);
933 packet->data[ethlen + 7]--;
942 void route(node_t *source, vpn_packet_t *packet) {
946 if(forwarding_mode == FMODE_KERNEL && source != myself) {
947 send_packet(myself, packet);
951 if(!checklength(source, packet, ether_size))
954 if(decrement_ttl && source != myself)
955 if(!do_decrement_ttl(source, packet))
958 uint16_t type = packet->data[12] << 8 | packet->data[13];
960 switch (routing_mode) {
964 route_arp(source, packet);
968 route_ipv4(source, packet);
972 route_ipv6(source, packet);
976 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot route packet from %s (%s): unknown type %hx", source->name, source->hostname, type);
982 route_mac(source, packet);
986 broadcast_packet(source, packet);