- struct ether_arp *arp;
- subnet_t *subnet;
- unsigned char ipbuf[4];
- ipv4_t dest;
-cp
- /* First, snatch the source address from the ARP packet */
-
- memcpy(mymac.net.mac.address.x, packet->data + 6, 6);
-
- /* This routine generates replies to ARP requests.
- You don't need to set NOARP flag on the interface anymore (which is broken on FreeBSD).
- Most of the code here is taken from choparp.c by Takamichi Tateoka (tree@mma.club.uec.ac.jp)
- */
-
- arp = (struct ether_arp *)(packet->data + 14);
-
- /* Check if this is a valid ARP request */
-
- if(ntohs(arp->arp_hrd) != ARPHRD_ETHER ||
- ntohs(arp->arp_pro) != ETHERTYPE_IP ||
- (int) (arp->arp_hln) != ETHER_ADDR_LEN ||
- (int) (arp->arp_pln) != 4 ||
- ntohs(arp->arp_op) != ARPOP_REQUEST )
- {
- if(debug_lvl > DEBUG_TRAFFIC)
- {
- syslog(LOG_WARNING, _("Cannot route packet: received unknown type ARP request"));
- }
- return;
- }
-
- /* Check if the IP address exists on the VPN */
-
- dest = ntohl(*((unsigned long*)(arp->arp_tpa)));
- subnet = lookup_subnet_ipv4(&dest);
-
- if(!subnet)
- {
- if(debug_lvl >= DEBUG_TRAFFIC)
- {
- syslog(LOG_WARNING, _("Cannot route packet: ARP request for unknown address %d.%d.%d.%d"),
- arp->arp_tpa[0], arp->arp_tpa[1], arp->arp_tpa[2], arp->arp_tpa[3]);
- }
-
- return;
- }
-
- /* Check if it is for our own subnet */
-
- if(subnet->owner == myself)
- return; /* silently ignore */
-
- memcpy(packet->data, packet->data + ETHER_ADDR_LEN, ETHER_ADDR_LEN); /* copy destination address */
- packet->data[ETHER_ADDR_LEN*2 - 1] ^= 0xFF; /* mangle source address so it looks like it's not from us */
-
- memcpy(ipbuf, arp->arp_tpa, 4); /* save protocol addr */
- memcpy(arp->arp_tpa, arp->arp_spa, 4); /* swap destination and source protocol address */
- memcpy(arp->arp_spa, ipbuf, 4); /* ... */
-
- memcpy(arp->arp_tha, arp->arp_sha, 10); /* set target hard/proto addr */
- memcpy(arp->arp_sha, packet->data + ETHER_ADDR_LEN, ETHER_ADDR_LEN); /* add fake source hard addr */
- arp->arp_op = htons(ARPOP_REPLY);
-
- accept_packet(packet);
-cp
+ subnet_t *subnet;
+
+ cp();
+
+ subnet = lookup_subnet_ipv6((ipv6_t *) & packet->data[38]);
+
+ if(!subnet) {
+ ifdebug(TRAFFIC) logger(LOG_WARNING, _("Cannot route packet: unknown IPv6 destination address %hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx"),
+ ntohs(*(uint16_t *) & packet->data[38]),
+ ntohs(*(uint16_t *) & packet->data[40]),
+ ntohs(*(uint16_t *) & packet->data[42]),
+ ntohs(*(uint16_t *) & packet->data[44]),
+ ntohs(*(uint16_t *) & packet->data[46]),
+ ntohs(*(uint16_t *) & packet->data[48]),
+ ntohs(*(uint16_t *) & packet->data[50]),
+ ntohs(*(uint16_t *) & packet->data[52]));
+ route_ipv6_unreachable(packet, ICMP6_DST_UNREACH_ADDR);
+
+ return NULL;
+ }
+
+ if(!subnet->owner->status.reachable)
+ route_ipv6_unreachable(packet, ICMP6_DST_UNREACH_NOROUTE);
+
+ return subnet->owner;
+}
+
+/* RFC 2461 */
+
+static void route_neighborsol(vpn_packet_t *packet)
+{
+ struct ip6_hdr *hdr;
+ struct nd_neighbor_solicit *ns;
+ struct nd_opt_hdr *opt;
+ subnet_t *subnet;
+ uint16_t checksum;
+
+ struct {
+ struct in6_addr ip6_src; /* source address */
+ struct in6_addr ip6_dst; /* destination address */
+ uint32_t length;
+ uint32_t next;
+ } pseudo;
+
+ cp();
+
+ hdr = (struct ip6_hdr *)(packet->data + 14);
+ ns = (struct nd_neighbor_solicit *)(packet->data + 14 + sizeof(*hdr));
+ opt = (struct nd_opt_hdr *)(packet->data + 14 + sizeof(*hdr) + sizeof(*ns));
+
+ /* First, snatch the source address from the neighbor solicitation packet */
+
+ if(overwrite_mac)
+ memcpy(mymac.x, packet->data + 6, 6);
+
+ /* Check if this is a valid neighbor solicitation request */
+
+ if(ns->nd_ns_hdr.icmp6_type != ND_NEIGHBOR_SOLICIT ||
+ opt->nd_opt_type != ND_OPT_SOURCE_LINKADDR) {
+ ifdebug(TRAFFIC) logger(LOG_WARNING, _("Cannot route packet: received unknown type neighbor solicitation request"));
+ return;
+ }
+
+ /* Create pseudo header */
+
+ memcpy(&pseudo.ip6_src, &hdr->ip6_src, 16);
+ memcpy(&pseudo.ip6_dst, &hdr->ip6_dst, 16);
+ pseudo.length = htonl(sizeof(*ns) + sizeof(*opt) + 6);
+ pseudo.next = htonl(IPPROTO_ICMPV6);
+
+ /* Generate checksum */
+
+ checksum = inet_checksum(&pseudo, sizeof(pseudo), ~0);
+ checksum = inet_checksum(ns, sizeof(*ns) + 8, checksum);
+
+ if(checksum) {
+ ifdebug(TRAFFIC) logger(LOG_WARNING, _("Cannot route packet: checksum error for neighbor solicitation request"));
+ return;
+ }
+
+ /* Check if the IPv6 address exists on the VPN */
+
+ subnet = lookup_subnet_ipv6((ipv6_t *) & ns->nd_ns_target);
+
+ if(!subnet) {
+ ifdebug(TRAFFIC) logger(LOG_WARNING, _("Cannot route packet: neighbor solicitation request for unknown address %hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx"),
+ ntohs(((uint16_t *) & ns->nd_ns_target)[0]),
+ ntohs(((uint16_t *) & ns->nd_ns_target)[1]),
+ ntohs(((uint16_t *) & ns->nd_ns_target)[2]),
+ ntohs(((uint16_t *) & ns->nd_ns_target)[3]),
+ ntohs(((uint16_t *) & ns->nd_ns_target)[4]),
+ ntohs(((uint16_t *) & ns->nd_ns_target)[5]),
+ ntohs(((uint16_t *) & ns->nd_ns_target)[6]),
+ ntohs(((uint16_t *) & ns->nd_ns_target)[7]));
+
+ return;
+ }
+
+ /* Check if it is for our own subnet */
+
+ if(subnet->owner == myself)
+ return; /* silently ignore */
+
+ /* Create neighbor advertation reply */
+
+ memcpy(packet->data, packet->data + ETHER_ADDR_LEN, ETHER_ADDR_LEN); /* copy destination address */
+ packet->data[ETHER_ADDR_LEN * 2 - 1] ^= 0xFF; /* mangle source address so it looks like it's not from us */
+
+ memcpy(&hdr->ip6_dst, &hdr->ip6_src, 16); /* swap destination and source protocol address */
+ memcpy(&hdr->ip6_src, &ns->nd_ns_target, 16); /* ... */
+
+ memcpy((char *) opt + sizeof(*opt), packet->data + ETHER_ADDR_LEN, 6); /* add fake source hard addr */
+
+ ns->nd_ns_hdr.icmp6_cksum = 0;
+ ns->nd_ns_hdr.icmp6_type = ND_NEIGHBOR_ADVERT;
+ ns->nd_ns_hdr.icmp6_dataun.icmp6_un_data8[0] = 0x40; /* Set solicited flag */
+ ns->nd_ns_hdr.icmp6_dataun.icmp6_un_data8[1] =
+ ns->nd_ns_hdr.icmp6_dataun.icmp6_un_data8[2] =
+ ns->nd_ns_hdr.icmp6_dataun.icmp6_un_data8[3] = 0;
+ opt->nd_opt_type = ND_OPT_TARGET_LINKADDR;
+
+ /* Create pseudo header */
+
+ memcpy(&pseudo.ip6_src, &hdr->ip6_src, 16);
+ memcpy(&pseudo.ip6_dst, &hdr->ip6_dst, 16);
+ pseudo.length = htonl(sizeof(*ns) + sizeof(*opt) + 6);
+ pseudo.next = htonl(IPPROTO_ICMPV6);
+
+ /* Generate checksum */
+
+ checksum = inet_checksum(&pseudo, sizeof(pseudo), ~0);
+ checksum = inet_checksum(ns, sizeof(*ns) + 8, checksum);
+
+ ns->nd_ns_hdr.icmp6_cksum = checksum;
+
+ write_packet(packet);
+}
+
+/* RFC 826 */
+
+static void route_arp(vpn_packet_t *packet)
+{
+ struct ether_arp *arp;
+ subnet_t *subnet;
+ uint8_t ipbuf[4];
+
+ cp();
+
+ /* First, snatch the source address from the ARP packet */
+
+ if(overwrite_mac)
+ memcpy(mymac.x, packet->data + 6, 6);
+
+ /* This routine generates replies to ARP requests.
+ You don't need to set NOARP flag on the interface anymore (which is broken on FreeBSD).
+ Most of the code here is taken from choparp.c by Takamichi Tateoka (tree@mma.club.uec.ac.jp)
+ */
+
+ arp = (struct ether_arp *)(packet->data + 14);
+
+ /* Check if this is a valid ARP request */
+
+ if(ntohs(arp->arp_hrd) != ARPHRD_ETHER || ntohs(arp->arp_pro) != ETHERTYPE_IP ||
+ arp->arp_hln != ETHER_ADDR_LEN || arp->arp_pln != 4 || ntohs(arp->arp_op) != ARPOP_REQUEST) {
+ ifdebug(TRAFFIC) logger(LOG_WARNING, _("Cannot route packet: received unknown type ARP request"));
+ return;
+ }
+
+ /* Check if the IPv4 address exists on the VPN */
+
+ subnet = lookup_subnet_ipv4((ipv4_t *) arp->arp_tpa);
+
+ if(!subnet) {
+ ifdebug(TRAFFIC) logger(LOG_WARNING, _("Cannot route packet: ARP request for unknown address %d.%d.%d.%d"),
+ arp->arp_tpa[0], arp->arp_tpa[1], arp->arp_tpa[2],
+ arp->arp_tpa[3]);
+ return;
+ }
+
+ /* Check if it is for our own subnet */
+
+ if(subnet->owner == myself)
+ return; /* silently ignore */
+
+ memcpy(packet->data, packet->data + ETHER_ADDR_LEN, ETHER_ADDR_LEN); /* copy destination address */
+ packet->data[ETHER_ADDR_LEN * 2 - 1] ^= 0xFF; /* mangle source address so it looks like it's not from us */
+
+ memcpy(ipbuf, arp->arp_tpa, 4); /* save protocol addr */
+ memcpy(arp->arp_tpa, arp->arp_spa, 4); /* swap destination and source protocol address */
+ memcpy(arp->arp_spa, ipbuf, 4); /* ... */
+
+ memcpy(arp->arp_tha, arp->arp_sha, 10); /* set target hard/proto addr */
+ memcpy(arp->arp_sha, packet->data + ETHER_ADDR_LEN, ETHER_ADDR_LEN); /* add fake source hard addr */
+ arp->arp_op = htons(ARPOP_REPLY);
+
+ write_packet(packet);