+/* RFC 791 */
+
+static void fragment_ipv4_packet(node_t *dest, vpn_packet_t *packet, length_t ether_size) {
+ struct ip ip;
+ vpn_packet_t fragment;
+ int maxlen, todo;
+ uint8_t *offset;
+ uint16_t ip_off, origf;
+
+ memcpy(&ip, DATA(packet) + ether_size, ip_size);
+ fragment.priority = packet->priority;
+ fragment.offset = DEFAULT_PACKET_OFFSET;
+
+ if(ip.ip_hl != ip_size / 4) {
+ return;
+ }
+
+ todo = ntohs(ip.ip_len) - ip_size;
+
+ if(ether_size + ip_size + todo != packet->len) {
+ logger(DEBUG_TRAFFIC, LOG_WARNING, "Length of packet (%d) doesn't match length in IPv4 header (%d)", packet->len, (int)(ether_size + ip_size + todo));
+ return;
+ }
+
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Fragmenting packet of %d bytes to %s (%s)", packet->len, dest->name, dest->hostname);
+
+ offset = DATA(packet) + ether_size + ip_size;
+ maxlen = (MAX(dest->mtu, 590) - ether_size - ip_size) & ~0x7;
+ ip_off = ntohs(ip.ip_off);
+ origf = ip_off & ~IP_OFFMASK;
+ ip_off &= IP_OFFMASK;
+
+ while(todo) {
+ int len = todo > maxlen ? maxlen : todo;
+ memcpy(DATA(&fragment) + ether_size + ip_size, offset, len);
+ todo -= len;
+ offset += len;
+
+ ip.ip_len = htons(ip_size + len);
+ ip.ip_off = htons(ip_off | origf | (todo ? IP_MF : 0));
+ ip.ip_sum = 0;
+ ip.ip_sum = inet_checksum(&ip, ip_size, ~0);
+ memcpy(DATA(&fragment), DATA(packet), ether_size);
+ memcpy(DATA(&fragment) + ether_size, &ip, ip_size);
+ fragment.len = ether_size + ip_size + len;
+
+ send_packet(dest, &fragment);
+
+ ip_off += len / 8;
+ }
+}
+
+static void route_ipv4(node_t *source, vpn_packet_t *packet) {
+ if(!checklength(source, packet, ether_size + ip_size)) {
+ return;
+ }
+
+ subnet_t *subnet;
+ node_t *via;
+ ipv4_t dest;
+
+ memcpy(&dest, &DATA(packet)[30], sizeof(dest));
+ subnet = lookup_subnet_ipv4(&dest);
+
+ if(!subnet) {
+ logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot route packet from %s (%s): unknown IPv4 destination address %d.%d.%d.%d",
+ source->name, source->hostname,
+ dest.x[0],
+ dest.x[1],
+ dest.x[2],
+ dest.x[3]);
+
+ route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_NET_UNKNOWN);
+ return;
+ }
+
+ if(!subnet->owner) {
+ route_broadcast(source, packet);
+ return;
+ }
+
+ if(subnet->owner == source) {
+ logger(DEBUG_TRAFFIC, LOG_WARNING, "Packet looping back to %s (%s)!", source->name, source->hostname);
+ return;
+ }
+
+ if(!subnet->owner->status.reachable) {
+ route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_NET_UNREACH);
+ return;
+ }
+
+ if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself) {
+ route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_NET_ANO);
+ return;
+ }
+
+ if(decrement_ttl && source != myself && subnet->owner != myself)
+ if(!do_decrement_ttl(source, packet)) {
+ return;
+ }
+
+ if(priorityinheritance) {
+ packet->priority = DATA(packet)[15];
+ }
+
+ via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
+
+ if(via == source) {
+ logger(DEBUG_TRAFFIC, LOG_ERR, "Routing loop for packet from %s (%s)!", source->name, source->hostname);
+ return;
+ }
+
+ if(directonly && subnet->owner != via) {
+ route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_NET_ANO);
+ return;
+ }
+
+ if(via && packet->len > MAX(via->mtu, 590) && via != myself) {
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
+
+ if(DATA(packet)[20] & 0x40) {
+ packet->len = MAX(via->mtu, 590);
+ route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED);
+ } else {
+ fragment_ipv4_packet(via, packet, ether_size);
+ }
+
+ return;
+ }
+
+ clamp_mss(source, via, packet);
+
+ send_packet(subnet->owner, packet);
+}
+
+static void route_neighborsol(node_t *source, vpn_packet_t *packet);
+
+static void route_ipv6(node_t *source, vpn_packet_t *packet) {
+ if(!checklength(source, packet, ether_size + ip6_size)) {
+ return;
+ }
+
+ if(DATA(packet)[20] == IPPROTO_ICMPV6 && checklength(source, packet, ether_size + ip6_size + icmp6_size) && DATA(packet)[54] == ND_NEIGHBOR_SOLICIT) {
+ route_neighborsol(source, packet);
+ return;
+ }
+
+ subnet_t *subnet;
+ node_t *via;
+ ipv6_t dest;
+
+ memcpy(&dest, &DATA(packet)[38], sizeof(dest));
+ subnet = lookup_subnet_ipv6(&dest);
+
+ if(!subnet) {
+ logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot route packet from %s (%s): unknown IPv6 destination address %hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx",
+ source->name, source->hostname,
+ ntohs(dest.x[0]),
+ ntohs(dest.x[1]),
+ ntohs(dest.x[2]),
+ ntohs(dest.x[3]),
+ ntohs(dest.x[4]),
+ ntohs(dest.x[5]),
+ ntohs(dest.x[6]),
+ ntohs(dest.x[7]));
+
+ route_ipv6_unreachable(source, packet, ether_size, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADDR);
+ return;
+ }
+
+ if(!subnet->owner) {
+ route_broadcast(source, packet);
+ return;
+ }
+
+ if(subnet->owner == source) {
+ logger(DEBUG_TRAFFIC, LOG_WARNING, "Packet looping back to %s (%s)!", source->name, source->hostname);
+ return;
+ }
+
+ if(!subnet->owner->status.reachable) {
+ route_ipv6_unreachable(source, packet, ether_size, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOROUTE);
+ return;
+ }
+
+ if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself) {
+ route_ipv6_unreachable(source, packet, ether_size, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN);
+ return;
+ }
+
+ if(decrement_ttl && source != myself && subnet->owner != myself)
+ if(!do_decrement_ttl(source, packet)) {
+ return;
+ }
+
+ if(priorityinheritance) {
+ packet->priority = ((DATA(packet)[14] & 0x0f) << 4) | (DATA(packet)[15] >> 4);
+ }
+
+ via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
+
+ if(via == source) {
+ logger(DEBUG_TRAFFIC, LOG_ERR, "Routing loop for packet from %s (%s)!", source->name, source->hostname);
+ return;
+ }
+
+ if(directonly && subnet->owner != via) {
+ route_ipv6_unreachable(source, packet, ether_size, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN);
+ return;
+ }
+
+ if(via && packet->len > MAX(via->mtu, 1294) && via != myself) {
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
+ packet->len = MAX(via->mtu, 1294);
+ route_ipv6_unreachable(source, packet, ether_size, ICMP6_PACKET_TOO_BIG, 0);
+ return;
+ }
+
+ clamp_mss(source, via, packet);
+
+ send_packet(subnet->owner, packet);
+}