3 Copyright (C) 2000-2005 Ivo Timmermans,
4 2000-2013 Guus Sliepen <guus@tinc-vpn.org>
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License along
17 with this program; if not, write to the Free Software Foundation, Inc.,
18 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 #include "connection.h"
24 #include "control_common.h"
36 rmode_t routing_mode = RMODE_ROUTER;
37 fmode_t forwarding_mode = FMODE_INTERNAL;
38 bmode_t broadcast_mode = BMODE_MST;
39 bool decrement_ttl = false;
40 bool directonly = false;
41 bool priorityinheritance = false;
43 bool overwrite_mac = false;
44 mac_t mymac = {{0xFE, 0xFD, 0, 0, 0, 0}};
47 /* Sizes of various headers */
49 static const size_t ether_size = sizeof(struct ether_header);
50 static const size_t arp_size = sizeof(struct ether_arp);
51 static const size_t ip_size = sizeof(struct ip);
52 static const size_t icmp_size = sizeof(struct icmp) - sizeof(struct ip);
53 static const size_t ip6_size = sizeof(struct ip6_hdr);
54 static const size_t icmp6_size = sizeof(struct icmp6_hdr);
55 static const size_t ns_size = sizeof(struct nd_neighbor_solicit);
56 static const size_t opt_size = sizeof(struct nd_opt_hdr);
58 static bool do_decrement_ttl(node_t *source, vpn_packet_t *packet);
61 #define MAX(a, b) ((a) > (b) ? (a) : (b))
64 static timeout_t age_subnets_timeout;
68 static uint16_t inet_checksum(void *data, int len, uint16_t prevsum) {
70 uint32_t checksum = prevsum ^ 0xFFFF;
78 checksum += *(uint8_t *)p;
81 checksum = (checksum & 0xFFFF) + (checksum >> 16);
86 static bool ratelimit(int frequency) {
87 static time_t lasttime = 0;
90 if(lasttime == now.tv_sec) {
91 if(count >= frequency)
94 lasttime = now.tv_sec;
102 static bool checklength(node_t *source, vpn_packet_t *packet, length_t length) {
103 if(packet->len < length) {
104 logger(DEBUG_TRAFFIC, LOG_WARNING, "Got too short packet from %s (%s)", source->name, source->hostname);
110 static void clamp_mss(const node_t *source, const node_t *via, vpn_packet_t *packet) {
111 if(!source || !via || !(via->options & OPTION_CLAMP_MSS))
114 uint16_t mtu = source->mtu;
115 if(via != myself && via->mtu < mtu)
118 /* Find TCP header */
119 int start = ether_size;
120 uint16_t type = DATA(packet)[12] << 8 | DATA(packet)[13];
122 if(type == ETH_P_8021Q) {
124 type = DATA(packet)[16] << 8 | DATA(packet)[17];
127 if(type == ETH_P_IP && DATA(packet)[start + 9] == 6)
128 start += (DATA(packet)[start] & 0xf) * 4;
129 else if(type == ETH_P_IPV6 && DATA(packet)[start + 6] == 6)
134 if(packet->len <= start + 20)
137 /* Use data offset field to calculate length of options field */
138 int len = ((DATA(packet)[start + 12] >> 4) - 5) * 4;
140 if(packet->len < start + 20 + len)
143 /* Search for MSS option header */
144 for(int i = 0; i < len;) {
145 if(DATA(packet)[start + 20 + i] == 0)
148 if(DATA(packet)[start + 20 + i] == 1) {
153 if(i > len - 2 || i > len - DATA(packet)[start + 21 + i])
156 if(DATA(packet)[start + 20 + i] != 2) {
157 if(DATA(packet)[start + 21 + i] < 2)
159 i += DATA(packet)[start + 21 + i];
163 if(DATA(packet)[start + 21] != 4)
167 uint16_t oldmss = DATA(packet)[start + 22 + i] << 8 | DATA(packet)[start + 23 + i];
168 uint16_t newmss = mtu - start - 20;
169 uint32_t csum = DATA(packet)[start + 16] << 8 | DATA(packet)[start + 17];
174 logger(DEBUG_TRAFFIC, LOG_INFO, "Clamping MSS of packet from %s to %s to %d", source->name, via->name, newmss);
176 /* Update the MSS value and the checksum */
177 DATA(packet)[start + 22 + i] = newmss >> 8;
178 DATA(packet)[start + 23 + i] = newmss & 0xff;
180 csum += oldmss ^ 0xffff;
182 csum = (csum & 0xffff) + (csum >> 16);
185 DATA(packet)[start + 16] = csum >> 8;
186 DATA(packet)[start + 17] = csum;
191 static void swap_mac_addresses(vpn_packet_t *packet) {
193 memcpy(&tmp, &DATA(packet)[0], sizeof tmp);
194 memcpy(&DATA(packet)[0], &DATA(packet)[6], sizeof tmp);
195 memcpy(&DATA(packet)[6], &tmp, sizeof tmp);
198 static void age_subnets(void *data) {
201 for splay_each(subnet_t, s, myself->subnet_tree) {
202 if(s->expires && s->expires < now.tv_sec) {
203 if(debug_level >= DEBUG_TRAFFIC) {
204 char netstr[MAXNETSTR];
205 if(net2str(netstr, sizeof netstr, s))
206 logger(DEBUG_TRAFFIC, LOG_INFO, "Subnet %s expired", netstr);
209 for list_each(connection_t, c, connection_list)
211 send_del_subnet(c, s);
213 subnet_del(myself, s);
221 timeout_set(&age_subnets_timeout, &(struct timeval){10, rand() % 100000});
224 static void learn_mac(mac_t *address) {
225 subnet_t *subnet = lookup_subnet_mac(myself, address);
227 /* If we don't know this MAC address yet, store it */
230 logger(DEBUG_TRAFFIC, LOG_INFO, "Learned new MAC address %x:%x:%x:%x:%x:%x",
231 address->x[0], address->x[1], address->x[2], address->x[3],
232 address->x[4], address->x[5]);
234 subnet = new_subnet();
235 subnet->type = SUBNET_MAC;
236 subnet->expires = now.tv_sec + macexpire;
237 subnet->net.mac.address = *address;
239 subnet_add(myself, subnet);
240 subnet_update(myself, subnet, true);
242 /* And tell all other tinc daemons it's our MAC */
244 for list_each(connection_t, c, connection_list)
246 send_add_subnet(c, subnet);
248 timeout_add(&age_subnets_timeout, age_subnets, NULL, &(struct timeval){10, rand() % 100000});
251 subnet->expires = now.tv_sec + macexpire;
255 static void route_broadcast(node_t *source, vpn_packet_t *packet) {
256 if(decrement_ttl && source != myself)
257 if(!do_decrement_ttl(source, packet))
260 broadcast_packet(source, packet);
265 static void route_ipv4_unreachable(node_t *source, vpn_packet_t *packet, length_t ether_size, uint8_t type, uint8_t code) {
267 struct icmp icmp = {0};
269 struct in_addr ip_src;
270 struct in_addr ip_dst;
276 /* Swap Ethernet source and destination addresses */
278 swap_mac_addresses(packet);
280 /* Copy headers from packet into properly aligned structs on the stack */
282 memcpy(&ip, DATA(packet) + ether_size, ip_size);
284 /* Remember original source and destination */
289 /* Try to reply with an IP address assigned to the local machine */
291 if (type == ICMP_TIME_EXCEEDED && code == ICMP_EXC_TTL) {
292 int sockfd = socket(AF_INET, SOCK_DGRAM, 0);
294 struct sockaddr_in addr;
295 memset(&addr, 0, sizeof(addr));
296 addr.sin_family = AF_INET;
297 addr.sin_addr = ip.ip_src;
298 if (!connect(sockfd, (const struct sockaddr*) &addr, sizeof(addr))) {
299 memset(&addr, 0, sizeof(addr));
300 addr.sin_family = AF_INET;
301 socklen_t addrlen = sizeof(addr);
302 if (!getsockname(sockfd, (struct sockaddr*) &addr, &addrlen) && addrlen <= sizeof(addr)) {
303 ip_dst = addr.sin_addr;
310 oldlen = packet->len - ether_size;
312 if(type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED)
313 icmp.icmp_nextmtu = htons(packet->len - ether_size);
315 if(oldlen >= IP_MSS - ip_size - icmp_size)
316 oldlen = IP_MSS - ip_size - icmp_size;
318 /* Copy first part of original contents to ICMP message */
320 memmove(DATA(packet) + ether_size + ip_size + icmp_size, DATA(packet) + ether_size, oldlen);
322 /* Fill in IPv4 header */
325 ip.ip_hl = ip_size / 4;
327 ip.ip_len = htons(ip_size + icmp_size + oldlen);
331 ip.ip_p = IPPROTO_ICMP;
336 ip.ip_sum = inet_checksum(&ip, ip_size, ~0);
338 /* Fill in ICMP header */
340 icmp.icmp_type = type;
341 icmp.icmp_code = code;
344 icmp.icmp_cksum = inet_checksum(&icmp, icmp_size, ~0);
345 icmp.icmp_cksum = inet_checksum(DATA(packet) + ether_size + ip_size + icmp_size, oldlen, icmp.icmp_cksum);
347 /* Copy structs on stack back to packet */
349 memcpy(DATA(packet) + ether_size, &ip, ip_size);
350 memcpy(DATA(packet) + ether_size + ip_size, &icmp, icmp_size);
352 packet->len = ether_size + ip_size + icmp_size + oldlen;
354 send_packet(source, packet);
359 static void fragment_ipv4_packet(node_t *dest, vpn_packet_t *packet, length_t ether_size) {
361 vpn_packet_t fragment;
362 int len, maxlen, todo;
364 uint16_t ip_off, origf;
366 memcpy(&ip, DATA(packet) + ether_size, ip_size);
367 fragment.priority = packet->priority;
368 fragment.offset = DEFAULT_PACKET_OFFSET;
370 if(ip.ip_hl != ip_size / 4)
373 todo = ntohs(ip.ip_len) - ip_size;
375 if(ether_size + ip_size + todo != packet->len) {
376 logger(DEBUG_TRAFFIC, LOG_WARNING, "Length of packet (%d) doesn't match length in IPv4 header (%d)", packet->len, (int)(ether_size + ip_size + todo));
380 logger(DEBUG_TRAFFIC, LOG_INFO, "Fragmenting packet of %d bytes to %s (%s)", packet->len, dest->name, dest->hostname);
382 offset = DATA(packet) + ether_size + ip_size;
383 maxlen = (dest->mtu - ether_size - ip_size) & ~0x7;
384 ip_off = ntohs(ip.ip_off);
385 origf = ip_off & ~IP_OFFMASK;
386 ip_off &= IP_OFFMASK;
389 len = todo > maxlen ? maxlen : todo;
390 memcpy(DATA(&fragment) + ether_size + ip_size, offset, len);
394 ip.ip_len = htons(ip_size + len);
395 ip.ip_off = htons(ip_off | origf | (todo ? IP_MF : 0));
397 ip.ip_sum = inet_checksum(&ip, ip_size, ~0);
398 memcpy(DATA(&fragment), DATA(packet), ether_size);
399 memcpy(DATA(&fragment) + ether_size, &ip, ip_size);
400 fragment.len = ether_size + ip_size + len;
402 send_packet(dest, &fragment);
408 static void route_ipv4(node_t *source, vpn_packet_t *packet) {
409 if(!checklength(source, packet, ether_size + ip_size))
416 memcpy(&dest, &DATA(packet)[30], sizeof dest);
417 subnet = lookup_subnet_ipv4(&dest);
420 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot route packet from %s (%s): unknown IPv4 destination address %d.%d.%d.%d",
421 source->name, source->hostname,
427 route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_NET_UNKNOWN);
431 if (!subnet->owner) {
432 route_broadcast(source, packet);
436 if(subnet->owner == source) {
437 logger(DEBUG_TRAFFIC, LOG_WARNING, "Packet looping back to %s (%s)!", source->name, source->hostname);
441 if(!subnet->owner->status.reachable)
442 return route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_NET_UNREACH);
444 if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself)
445 return route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_NET_ANO);
447 if(decrement_ttl && source != myself && subnet->owner != myself)
448 if(!do_decrement_ttl(source, packet))
451 if(priorityinheritance)
452 packet->priority = DATA(packet)[15];
454 via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
457 logger(DEBUG_TRAFFIC, LOG_ERR, "Routing loop for packet from %s (%s)!", source->name, source->hostname);
461 if(directonly && subnet->owner != via)
462 return route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_NET_ANO);
464 if(via && packet->len > MAX(via->mtu, 590) && via != myself) {
465 logger(DEBUG_TRAFFIC, LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
466 if(DATA(packet)[20] & 0x40) {
467 packet->len = MAX(via->mtu, 590);
468 route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED);
470 fragment_ipv4_packet(via, packet, ether_size);
476 clamp_mss(source, via, packet);
478 send_packet(subnet->owner, packet);
483 static void route_ipv6_unreachable(node_t *source, vpn_packet_t *packet, length_t ether_size, uint8_t type, uint8_t code) {
485 struct icmp6_hdr icmp6 = {0};
489 struct in6_addr ip6_src; /* source address */
490 struct in6_addr ip6_dst; /* destination address */
498 /* Swap Ethernet source and destination addresses */
500 swap_mac_addresses(packet);
502 /* Copy headers from packet to structs on the stack */
504 memcpy(&ip6, DATA(packet) + ether_size, ip6_size);
506 /* Remember original source and destination */
508 pseudo.ip6_src = ip6.ip6_dst;
509 pseudo.ip6_dst = ip6.ip6_src;
511 /* Try to reply with an IP address assigned to the local machine */
513 if (type == ICMP6_TIME_EXCEEDED && code == ICMP6_TIME_EXCEED_TRANSIT) {
514 int sockfd = socket(AF_INET6, SOCK_DGRAM, 0);
516 struct sockaddr_in6 addr;
517 memset(&addr, 0, sizeof(addr));
518 addr.sin6_family = AF_INET6;
519 addr.sin6_addr = ip6.ip6_src;
520 if (!connect(sockfd, (const struct sockaddr*) &addr, sizeof(addr))) {
521 memset(&addr, 0, sizeof(addr));
522 addr.sin6_family = AF_INET6;
523 socklen_t addrlen = sizeof(addr);
524 if (!getsockname(sockfd, (struct sockaddr*) &addr, &addrlen) && addrlen <= sizeof(addr)) {
525 pseudo.ip6_src = addr.sin6_addr;
532 pseudo.length = packet->len - ether_size;
534 if(type == ICMP6_PACKET_TOO_BIG)
535 icmp6.icmp6_mtu = htonl(pseudo.length);
537 if(pseudo.length >= IP_MSS - ip6_size - icmp6_size)
538 pseudo.length = IP_MSS - ip6_size - icmp6_size;
540 /* Copy first part of original contents to ICMP message */
542 memmove(DATA(packet) + ether_size + ip6_size + icmp6_size, DATA(packet) + ether_size, pseudo.length);
544 /* Fill in IPv6 header */
546 ip6.ip6_flow = htonl(0x60000000UL);
547 ip6.ip6_plen = htons(icmp6_size + pseudo.length);
548 ip6.ip6_nxt = IPPROTO_ICMPV6;
550 ip6.ip6_src = pseudo.ip6_src;
551 ip6.ip6_dst = pseudo.ip6_dst;
553 /* Fill in ICMP header */
555 icmp6.icmp6_type = type;
556 icmp6.icmp6_code = code;
557 icmp6.icmp6_cksum = 0;
559 /* Create pseudo header */
561 pseudo.length = htonl(icmp6_size + pseudo.length);
562 pseudo.next = htonl(IPPROTO_ICMPV6);
564 /* Generate checksum */
566 checksum = inet_checksum(&pseudo, sizeof pseudo, ~0);
567 checksum = inet_checksum(&icmp6, icmp6_size, checksum);
568 checksum = inet_checksum(DATA(packet) + ether_size + ip6_size + icmp6_size, ntohl(pseudo.length) - icmp6_size, checksum);
570 icmp6.icmp6_cksum = checksum;
572 /* Copy structs on stack back to packet */
574 memcpy(DATA(packet) + ether_size, &ip6, ip6_size);
575 memcpy(DATA(packet) + ether_size + ip6_size, &icmp6, icmp6_size);
577 packet->len = ether_size + ip6_size + ntohl(pseudo.length);
579 send_packet(source, packet);
582 static void route_neighborsol(node_t *source, vpn_packet_t *packet);
584 static void route_ipv6(node_t *source, vpn_packet_t *packet) {
585 if(!checklength(source, packet, ether_size + ip6_size))
588 if(DATA(packet)[20] == IPPROTO_ICMPV6 && checklength(source, packet, ether_size + ip6_size + icmp6_size) && DATA(packet)[54] == ND_NEIGHBOR_SOLICIT) {
589 route_neighborsol(source, packet);
597 memcpy(&dest, &DATA(packet)[38], sizeof dest);
598 subnet = lookup_subnet_ipv6(&dest);
601 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot route packet from %s (%s): unknown IPv6 destination address %hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx",
602 source->name, source->hostname,
612 route_ipv6_unreachable(source, packet, ether_size, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADDR);
616 if (!subnet->owner) {
617 route_broadcast(source, packet);
621 if(subnet->owner == source) {
622 logger(DEBUG_TRAFFIC, LOG_WARNING, "Packet looping back to %s (%s)!", source->name, source->hostname);
626 if(!subnet->owner->status.reachable)
627 return route_ipv6_unreachable(source, packet, ether_size, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOROUTE);
629 if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself)
630 return route_ipv6_unreachable(source, packet, ether_size, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN);
632 if(decrement_ttl && source != myself && subnet->owner != myself)
633 if(!do_decrement_ttl(source, packet))
636 via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
639 logger(DEBUG_TRAFFIC, LOG_ERR, "Routing loop for packet from %s (%s)!", source->name, source->hostname);
643 if(directonly && subnet->owner != via)
644 return route_ipv6_unreachable(source, packet, ether_size, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN);
646 if(via && packet->len > MAX(via->mtu, 1294) && via != myself) {
647 logger(DEBUG_TRAFFIC, LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
648 packet->len = MAX(via->mtu, 1294);
649 route_ipv6_unreachable(source, packet, ether_size, ICMP6_PACKET_TOO_BIG, 0);
653 clamp_mss(source, via, packet);
655 send_packet(subnet->owner, packet);
660 static void route_neighborsol(node_t *source, vpn_packet_t *packet) {
662 struct nd_neighbor_solicit ns;
663 struct nd_opt_hdr opt;
669 struct in6_addr ip6_src;
670 struct in6_addr ip6_dst;
675 if(!checklength(source, packet, ether_size + ip6_size + ns_size))
678 has_opt = packet->len >= ether_size + ip6_size + ns_size + opt_size + ETH_ALEN;
680 if(source != myself) {
681 logger(DEBUG_TRAFFIC, LOG_WARNING, "Got neighbor solicitation request from %s (%s) while in router mode!", source->name, source->hostname);
685 /* Copy headers from packet to structs on the stack */
687 memcpy(&ip6, DATA(packet) + ether_size, ip6_size);
688 memcpy(&ns, DATA(packet) + ether_size + ip6_size, ns_size);
690 memcpy(&opt, DATA(packet) + ether_size + ip6_size + ns_size, opt_size);
692 /* First, snatch the source address from the neighbor solicitation packet */
695 memcpy(mymac.x, DATA(packet) + ETH_ALEN, ETH_ALEN);
697 /* Check if this is a valid neighbor solicitation request */
699 if(ns.nd_ns_hdr.icmp6_type != ND_NEIGHBOR_SOLICIT ||
700 (has_opt && opt.nd_opt_type != ND_OPT_SOURCE_LINKADDR)) {
701 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot route packet: received unknown type neighbor solicitation request");
705 /* Create pseudo header */
707 pseudo.ip6_src = ip6.ip6_src;
708 pseudo.ip6_dst = ip6.ip6_dst;
710 pseudo.length = htonl(ns_size + opt_size + ETH_ALEN);
712 pseudo.length = htonl(ns_size);
713 pseudo.next = htonl(IPPROTO_ICMPV6);
715 /* Generate checksum */
717 checksum = inet_checksum(&pseudo, sizeof pseudo, ~0);
718 checksum = inet_checksum(&ns, ns_size, checksum);
720 checksum = inet_checksum(&opt, opt_size, checksum);
721 checksum = inet_checksum(DATA(packet) + ether_size + ip6_size + ns_size + opt_size, ETH_ALEN, checksum);
725 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot route packet: checksum error for neighbor solicitation request");
729 /* Check if the IPv6 address exists on the VPN */
731 subnet = lookup_subnet_ipv6((ipv6_t *) &ns.nd_ns_target);
734 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot route packet: neighbor solicitation request for unknown address %hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx",
735 ntohs(((uint16_t *) &ns.nd_ns_target)[0]),
736 ntohs(((uint16_t *) &ns.nd_ns_target)[1]),
737 ntohs(((uint16_t *) &ns.nd_ns_target)[2]),
738 ntohs(((uint16_t *) &ns.nd_ns_target)[3]),
739 ntohs(((uint16_t *) &ns.nd_ns_target)[4]),
740 ntohs(((uint16_t *) &ns.nd_ns_target)[5]),
741 ntohs(((uint16_t *) &ns.nd_ns_target)[6]),
742 ntohs(((uint16_t *) &ns.nd_ns_target)[7]));
747 /* Check if it is for our own subnet */
749 if(subnet->owner == myself)
750 return; /* silently ignore */
753 if(!do_decrement_ttl(source, packet))
756 /* Create neighbor advertation reply */
758 memcpy(DATA(packet), DATA(packet) + ETH_ALEN, ETH_ALEN); /* copy destination address */
759 DATA(packet)[ETH_ALEN * 2 - 1] ^= 0xFF; /* mangle source address so it looks like it's not from us */
761 ip6.ip6_dst = ip6.ip6_src; /* swap destination and source protocoll address */
762 ip6.ip6_src = ns.nd_ns_target;
765 memcpy(DATA(packet) + ether_size + ip6_size + ns_size + opt_size, DATA(packet) + ETH_ALEN, ETH_ALEN); /* add fake source hard addr */
768 ns.nd_ns_type = ND_NEIGHBOR_ADVERT;
769 ns.nd_ns_reserved = htonl(0x40000000UL); /* Set solicited flag */
770 opt.nd_opt_type = ND_OPT_TARGET_LINKADDR;
772 /* Create pseudo header */
774 pseudo.ip6_src = ip6.ip6_src;
775 pseudo.ip6_dst = ip6.ip6_dst;
777 pseudo.length = htonl(ns_size + opt_size + ETH_ALEN);
779 pseudo.length = htonl(ns_size);
780 pseudo.next = htonl(IPPROTO_ICMPV6);
782 /* Generate checksum */
784 checksum = inet_checksum(&pseudo, sizeof pseudo, ~0);
785 checksum = inet_checksum(&ns, ns_size, checksum);
787 checksum = inet_checksum(&opt, opt_size, checksum);
788 checksum = inet_checksum(DATA(packet) + ether_size + ip6_size + ns_size + opt_size, ETH_ALEN, checksum);
791 ns.nd_ns_hdr.icmp6_cksum = checksum;
793 /* Copy structs on stack back to packet */
795 memcpy(DATA(packet) + ether_size, &ip6, ip6_size);
796 memcpy(DATA(packet) + ether_size + ip6_size, &ns, ns_size);
798 memcpy(DATA(packet) + ether_size + ip6_size + ns_size, &opt, opt_size);
800 send_packet(source, packet);
805 static void route_arp(node_t *source, vpn_packet_t *packet) {
806 struct ether_arp arp;
810 if(!checklength(source, packet, ether_size + arp_size))
813 if(source != myself) {
814 logger(DEBUG_TRAFFIC, LOG_WARNING, "Got ARP request from %s (%s) while in router mode!", source->name, source->hostname);
818 /* First, snatch the source address from the ARP packet */
821 memcpy(mymac.x, DATA(packet) + ETH_ALEN, ETH_ALEN);
823 /* Copy headers from packet to structs on the stack */
825 memcpy(&arp, DATA(packet) + ether_size, arp_size);
827 /* Check if this is a valid ARP request */
829 if(ntohs(arp.arp_hrd) != ARPHRD_ETHER || ntohs(arp.arp_pro) != ETH_P_IP ||
830 arp.arp_hln != ETH_ALEN || arp.arp_pln != sizeof addr || ntohs(arp.arp_op) != ARPOP_REQUEST) {
831 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot route packet: received unknown type ARP request");
835 /* Check if the IPv4 address exists on the VPN */
837 subnet = lookup_subnet_ipv4((ipv4_t *) &arp.arp_tpa);
840 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot route packet: ARP request for unknown address %d.%d.%d.%d",
841 arp.arp_tpa[0], arp.arp_tpa[1], arp.arp_tpa[2],
846 /* Check if it is for our own subnet */
848 if(subnet->owner == myself)
849 return; /* silently ignore */
852 if(!do_decrement_ttl(source, packet))
855 memcpy(&addr, arp.arp_tpa, sizeof addr); /* save protocol addr */
856 memcpy(arp.arp_tpa, arp.arp_spa, sizeof addr); /* swap destination and source protocol address */
857 memcpy(arp.arp_spa, &addr, sizeof addr); /* ... */
859 memcpy(arp.arp_tha, arp.arp_sha, ETH_ALEN); /* set target hard/proto addr */
860 memcpy(arp.arp_sha, DATA(packet) + ETH_ALEN, ETH_ALEN); /* set source hard/proto addr */
861 arp.arp_sha[ETH_ALEN - 1] ^= 0xFF; /* for consistency with route_packet() */
862 arp.arp_op = htons(ARPOP_REPLY);
864 /* Copy structs on stack back to packet */
866 memcpy(DATA(packet) + ether_size, &arp, arp_size);
868 send_packet(source, packet);
871 static void route_mac(node_t *source, vpn_packet_t *packet) {
875 /* Learn source address */
877 if(source == myself) {
879 memcpy(&src, &DATA(packet)[6], sizeof src);
883 /* Lookup destination address */
885 memcpy(&dest, &DATA(packet)[0], sizeof dest);
886 subnet = lookup_subnet_mac(NULL, &dest);
888 if(!subnet || !subnet->owner) {
889 route_broadcast(source, packet);
893 if(subnet->owner == source) {
894 logger(DEBUG_TRAFFIC, LOG_WARNING, "Packet looping back to %s (%s)!", source->name, source->hostname);
898 if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself)
901 if(decrement_ttl && source != myself && subnet->owner != myself)
902 if(!do_decrement_ttl(source, packet))
905 uint16_t type = DATA(packet)[12] << 8 | DATA(packet)[13];
907 if(priorityinheritance && type == ETH_P_IP && packet->len >= ether_size + ip_size)
908 packet->priority = DATA(packet)[15];
910 // Handle packets larger than PMTU
912 node_t *via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
914 if(directonly && subnet->owner != via)
917 if(via && packet->len > via->mtu && via != myself) {
918 logger(DEBUG_TRAFFIC, LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
919 length_t ethlen = 14;
921 if(type == ETH_P_8021Q) {
922 type = DATA(packet)[16] << 8 | DATA(packet)[17];
926 if(type == ETH_P_IP && packet->len > 576 + ethlen) {
927 if(DATA(packet)[6 + ethlen] & 0x40) {
928 packet->len = via->mtu;
929 route_ipv4_unreachable(source, packet, ethlen, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED);
931 fragment_ipv4_packet(via, packet, ethlen);
934 } else if(type == ETH_P_IPV6 && packet->len > 1280 + ethlen) {
935 packet->len = via->mtu;
936 route_ipv6_unreachable(source, packet, ethlen, ICMP6_PACKET_TOO_BIG, 0);
941 clamp_mss(source, via, packet);
943 send_packet(subnet->owner, packet);
946 static void send_pcap(vpn_packet_t *packet) {
949 for list_each(connection_t, c, connection_list) {
954 int len = packet->len;
955 if(c->outmaclength && c->outmaclength < len)
956 len = c->outmaclength;
958 if(send_request(c, "%d %d %d", CONTROL, REQ_PCAP, len))
959 send_meta(c, (char *)DATA(packet), len);
963 static bool do_decrement_ttl(node_t *source, vpn_packet_t *packet) {
964 uint16_t type = DATA(packet)[12] << 8 | DATA(packet)[13];
965 length_t ethlen = ether_size;
967 if(type == ETH_P_8021Q) {
968 type = DATA(packet)[16] << 8 | DATA(packet)[17];
974 if(!checklength(source, packet, ethlen + ip_size))
977 if(DATA(packet)[ethlen + 8] <= 1) {
978 if(DATA(packet)[ethlen + 11] != IPPROTO_ICMP || DATA(packet)[ethlen + 32] != ICMP_TIME_EXCEEDED)
979 route_ipv4_unreachable(source, packet, ethlen, ICMP_TIME_EXCEEDED, ICMP_EXC_TTL);
983 uint16_t old = DATA(packet)[ethlen + 8] << 8 | DATA(packet)[ethlen + 9];
984 DATA(packet)[ethlen + 8]--;
985 uint16_t new = DATA(packet)[ethlen + 8] << 8 | DATA(packet)[ethlen + 9];
987 uint32_t checksum = DATA(packet)[ethlen + 10] << 8 | DATA(packet)[ethlen + 11];
988 checksum += old + (~new & 0xFFFF);
989 while(checksum >> 16)
990 checksum = (checksum & 0xFFFF) + (checksum >> 16);
991 DATA(packet)[ethlen + 10] = checksum >> 8;
992 DATA(packet)[ethlen + 11] = checksum & 0xff;
997 if(!checklength(source, packet, ethlen + ip6_size))
1000 if(DATA(packet)[ethlen + 7] <= 1) {
1001 if(DATA(packet)[ethlen + 6] != IPPROTO_ICMPV6 || DATA(packet)[ethlen + 40] != ICMP6_TIME_EXCEEDED)
1002 route_ipv6_unreachable(source, packet, ethlen, ICMP6_TIME_EXCEEDED, ICMP6_TIME_EXCEED_TRANSIT);
1006 DATA(packet)[ethlen + 7]--;
1015 void route(node_t *source, vpn_packet_t *packet) {
1019 if(forwarding_mode == FMODE_KERNEL && source != myself) {
1020 send_packet(myself, packet);
1024 if(!checklength(source, packet, ether_size))
1027 uint16_t type = DATA(packet)[12] << 8 | DATA(packet)[13];
1029 switch (routing_mode) {
1033 route_arp(source, packet);
1037 route_ipv4(source, packet);
1041 route_ipv6(source, packet);
1045 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot route packet from %s (%s): unknown type %hx", source->name, source->hostname, type);
1051 route_mac(source, packet);
1055 route_broadcast(source, packet);
projects / tinc / blob