3 Copyright (C) 2000-2005 Ivo Timmermans,
4 2000-2010 Guus Sliepen <guus@tinc-vpn.org>
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License along
17 with this program; if not, write to the Free Software Foundation, Inc.,
18 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 #include "splay_tree.h"
24 #include "connection.h"
25 #include "control_common.h"
37 rmode_t routing_mode = RMODE_ROUTER;
38 fmode_t forwarding_mode = FMODE_INTERNAL;
39 bool decrement_ttl = true;
40 bool directonly = false;
41 bool priorityinheritance = false;
43 bool overwrite_mac = false;
44 bool broadcast = true;
45 mac_t mymac = {{0xFE, 0xFD, 0, 0, 0, 0}};
48 /* Sizes of various headers */
50 static const size_t ether_size = sizeof(struct ether_header);
51 static const size_t arp_size = sizeof(struct ether_arp);
52 static const size_t ip_size = sizeof(struct ip);
53 static const size_t icmp_size = sizeof(struct icmp) - sizeof(struct ip);
54 static const size_t ip6_size = sizeof(struct ip6_hdr);
55 static const size_t icmp6_size = sizeof(struct icmp6_hdr);
56 static const size_t ns_size = sizeof(struct nd_neighbor_solicit);
57 static const size_t opt_size = sizeof(struct nd_opt_hdr);
60 #define MAX(a, b) ((a) > (b) ? (a) : (b))
63 static struct event age_subnets_event;
67 static uint16_t inet_checksum(void *data, int len, uint16_t prevsum) {
69 uint32_t checksum = prevsum ^ 0xFFFF;
77 checksum += *(uint8_t *)p;
80 checksum = (checksum & 0xFFFF) + (checksum >> 16);
85 static bool ratelimit(int frequency) {
86 static time_t lasttime = 0;
88 time_t now = time(NULL);
91 if(++count > frequency)
101 static bool checklength(node_t *source, vpn_packet_t *packet, length_t length) {
102 if(packet->len < length) {
103 ifdebug(TRAFFIC) logger(LOG_WARNING, "Got too short packet from %s (%s)", source->name, source->hostname);
109 static void clamp_mss(const node_t *source, const node_t *via, vpn_packet_t *packet) {
110 if(!source || !via || !(via->options & OPTION_CLAMP_MSS))
113 uint16_t mtu = source->mtu;
114 if(via != myself && via->mtu < mtu)
117 /* Find TCP header */
119 uint16_t type = packet->data[12] << 8 | packet->data[13];
121 if(type == ETH_P_IP && packet->data[23] == 6)
122 start = 14 + (packet->data[14] & 0xf) * 4;
123 else if(type == ETH_P_IPV6 && packet->data[20] == 6)
126 if(!start || packet->len <= start + 20)
129 /* Use data offset field to calculate length of options field */
130 int len = ((packet->data[start + 12] >> 4) - 5) * 4;
132 if(packet->len < start + 20 + len)
135 /* Search for MSS option header */
136 for(int i = 0; i < len;) {
137 if(packet->data[start + 20 + i] == 0)
140 if(packet->data[start + 20 + i] == 1) {
145 if(i > len - 2 || i > len - packet->data[start + 21 + i])
148 if(packet->data[start + 20 + i] != 2) {
149 if(packet->data[start + 21 + i] < 2)
151 i += packet->data[start + 21 + i];
155 if(packet->data[start + 21] != 4)
159 uint16_t oldmss = packet->data[start + 22 + i] << 8 | packet->data[start + 23 + i];
160 uint16_t newmss = mtu - start - 20;
161 uint16_t csum = packet->data[start + 16] << 8 | packet->data[start + 17];
166 ifdebug(TRAFFIC) logger(LOG_INFO, "Clamping MSS of packet from %s to %s to %d", source->name, via->name, newmss);
168 /* Update the MSS value and the checksum */
169 packet->data[start + 22 + i] = newmss >> 8;
170 packet->data[start + 23 + i] = newmss & 0xff;
175 packet->data[start + 16] = csum >> 8;
176 packet->data[start + 17] = csum & 0xff;
181 static void swap_mac_addresses(vpn_packet_t *packet) {
183 memcpy(&tmp, &packet->data[0], sizeof tmp);
184 memcpy(&packet->data[0], &packet->data[6], sizeof tmp);
185 memcpy(&packet->data[6], &tmp, sizeof tmp);
188 static void age_subnets(int fd, short events, void *data) {
191 splay_node_t *node, *next, *node2;
193 time_t now = time(NULL);
195 for(node = myself->subnet_tree->head; node; node = next) {
198 if(s->expires && s->expires < now) {
200 char netstr[MAXNETSTR];
201 if(net2str(netstr, sizeof netstr, s))
202 logger(LOG_INFO, "Subnet %s expired", netstr);
205 for(node2 = connection_tree->head; node2; node2 = node2->next) {
208 send_del_subnet(c, s);
211 subnet_del(myself, s);
219 event_add(&age_subnets_event, &(struct timeval){10, 0});
222 static void learn_mac(mac_t *address) {
227 subnet = lookup_subnet_mac(myself, address);
229 /* If we don't know this MAC address yet, store it */
232 ifdebug(TRAFFIC) logger(LOG_INFO, "Learned new MAC address %hx:%hx:%hx:%hx:%hx:%hx",
233 address->x[0], address->x[1], address->x[2], address->x[3],
234 address->x[4], address->x[5]);
236 subnet = new_subnet();
237 subnet->type = SUBNET_MAC;
238 subnet->expires = time(NULL) + macexpire;
239 subnet->net.mac.address = *address;
241 subnet_add(myself, subnet);
242 subnet_update(myself, subnet, true);
244 /* And tell all other tinc daemons it's our MAC */
246 for(node = connection_tree->head; node; node = node->next) {
249 send_add_subnet(c, subnet);
252 if(!timeout_initialized(&age_subnets_event))
253 timeout_set(&age_subnets_event, age_subnets, NULL);
254 event_add(&age_subnets_event, &(struct timeval){10, 0});
257 subnet->expires = time(NULL) + macexpire;
263 static void route_ipv4_unreachable(node_t *source, vpn_packet_t *packet, uint8_t type, uint8_t code) {
265 struct icmp icmp = {0};
267 struct in_addr ip_src;
268 struct in_addr ip_dst;
274 /* Swap Ethernet source and destination addresses */
276 swap_mac_addresses(packet);
278 /* Copy headers from packet into properly aligned structs on the stack */
280 memcpy(&ip, packet->data + ether_size, ip_size);
282 /* Remember original source and destination */
287 oldlen = packet->len - ether_size;
289 if(type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED)
290 icmp.icmp_nextmtu = htons(packet->len - ether_size);
292 if(oldlen >= IP_MSS - ip_size - icmp_size)
293 oldlen = IP_MSS - ip_size - icmp_size;
295 /* Copy first part of original contents to ICMP message */
297 memmove(packet->data + ether_size + ip_size + icmp_size, packet->data + ether_size, oldlen);
299 /* Fill in IPv4 header */
302 ip.ip_hl = ip_size / 4;
304 ip.ip_len = htons(ip_size + icmp_size + oldlen);
308 ip.ip_p = IPPROTO_ICMP;
313 ip.ip_sum = inet_checksum(&ip, ip_size, ~0);
315 /* Fill in ICMP header */
317 icmp.icmp_type = type;
318 icmp.icmp_code = code;
321 icmp.icmp_cksum = inet_checksum(&icmp, icmp_size, ~0);
322 icmp.icmp_cksum = inet_checksum(packet->data + ether_size + ip_size + icmp_size, oldlen, icmp.icmp_cksum);
324 /* Copy structs on stack back to packet */
326 memcpy(packet->data + ether_size, &ip, ip_size);
327 memcpy(packet->data + ether_size + ip_size, &icmp, icmp_size);
329 packet->len = ether_size + ip_size + icmp_size + oldlen;
331 send_packet(source, packet);
336 static void fragment_ipv4_packet(node_t *dest, vpn_packet_t *packet) {
338 vpn_packet_t fragment;
339 int len, maxlen, todo;
341 uint16_t ip_off, origf;
343 memcpy(&ip, packet->data + ether_size, ip_size);
344 fragment.priority = packet->priority;
346 if(ip.ip_hl != ip_size / 4)
349 todo = ntohs(ip.ip_len) - ip_size;
351 if(ether_size + ip_size + todo != packet->len) {
352 ifdebug(TRAFFIC) logger(LOG_WARNING, "Length of packet (%d) doesn't match length in IPv4 header (%d)", packet->len, (int)(ether_size + ip_size + todo));
356 ifdebug(TRAFFIC) logger(LOG_INFO, "Fragmenting packet of %d bytes to %s (%s)", packet->len, dest->name, dest->hostname);
358 offset = packet->data + ether_size + ip_size;
359 maxlen = (dest->mtu - ether_size - ip_size) & ~0x7;
360 ip_off = ntohs(ip.ip_off);
361 origf = ip_off & ~IP_OFFMASK;
362 ip_off &= IP_OFFMASK;
365 len = todo > maxlen ? maxlen : todo;
366 memcpy(fragment.data + ether_size + ip_size, offset, len);
370 ip.ip_len = htons(ip_size + len);
371 ip.ip_off = htons(ip_off | origf | (todo ? IP_MF : 0));
373 ip.ip_sum = inet_checksum(&ip, ip_size, ~0);
374 memcpy(fragment.data, packet->data, ether_size);
375 memcpy(fragment.data + ether_size, &ip, ip_size);
376 fragment.len = ether_size + ip_size + len;
378 send_packet(dest, &fragment);
384 static void route_ipv4_unicast(node_t *source, vpn_packet_t *packet) {
389 memcpy(&dest, &packet->data[30], sizeof dest);
390 subnet = lookup_subnet_ipv4(&dest);
393 ifdebug(TRAFFIC) logger(LOG_WARNING, "Cannot route packet from %s (%s): unknown IPv4 destination address %d.%d.%d.%d",
394 source->name, source->hostname,
400 route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_NET_UNKNOWN);
404 if(subnet->owner == source) {
405 ifdebug(TRAFFIC) logger(LOG_WARNING, "Packet looping back to %s (%s)!", source->name, source->hostname);
409 if(!subnet->owner->status.reachable)
410 return route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_NET_UNREACH);
412 if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself)
413 return route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_NET_ANO);
415 if(priorityinheritance)
416 packet->priority = packet->data[15];
418 via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
420 if(directonly && subnet->owner != via)
421 return route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_NET_ANO);
423 if(via && packet->len > MAX(via->mtu, 590) && via != myself) {
424 ifdebug(TRAFFIC) logger(LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
425 if(packet->data[20] & 0x40) {
426 packet->len = MAX(via->mtu, 590);
427 route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED);
429 fragment_ipv4_packet(via, packet);
435 clamp_mss(source, via, packet);
437 send_packet(subnet->owner, packet);
440 static void route_ipv4(node_t *source, vpn_packet_t *packet) {
441 if(!checklength(source, packet, ether_size + ip_size))
444 if(broadcast && (((packet->data[30] & 0xf0) == 0xe0) || (
445 packet->data[30] == 255 &&
446 packet->data[31] == 255 &&
447 packet->data[32] == 255 &&
448 packet->data[33] == 255)))
449 broadcast_packet(source, packet);
451 route_ipv4_unicast(source, packet);
456 static void route_ipv6_unreachable(node_t *source, vpn_packet_t *packet, uint8_t type, uint8_t code) {
458 struct icmp6_hdr icmp6 = {0};
462 struct in6_addr ip6_src; /* source address */
463 struct in6_addr ip6_dst; /* destination address */
471 /* Swap Ethernet source and destination addresses */
473 swap_mac_addresses(packet);
475 /* Copy headers from packet to structs on the stack */
477 memcpy(&ip6, packet->data + ether_size, ip6_size);
479 /* Remember original source and destination */
481 pseudo.ip6_src = ip6.ip6_dst;
482 pseudo.ip6_dst = ip6.ip6_src;
484 pseudo.length = packet->len - ether_size;
486 if(type == ICMP6_PACKET_TOO_BIG)
487 icmp6.icmp6_mtu = htonl(pseudo.length);
489 if(pseudo.length >= IP_MSS - ip6_size - icmp6_size)
490 pseudo.length = IP_MSS - ip6_size - icmp6_size;
492 /* Copy first part of original contents to ICMP message */
494 memmove(packet->data + ether_size + ip6_size + icmp6_size, packet->data + ether_size, pseudo.length);
496 /* Fill in IPv6 header */
498 ip6.ip6_flow = htonl(0x60000000UL);
499 ip6.ip6_plen = htons(icmp6_size + pseudo.length);
500 ip6.ip6_nxt = IPPROTO_ICMPV6;
502 ip6.ip6_src = pseudo.ip6_src;
503 ip6.ip6_dst = pseudo.ip6_dst;
505 /* Fill in ICMP header */
507 icmp6.icmp6_type = type;
508 icmp6.icmp6_code = code;
509 icmp6.icmp6_cksum = 0;
511 /* Create pseudo header */
513 pseudo.length = htonl(icmp6_size + pseudo.length);
514 pseudo.next = htonl(IPPROTO_ICMPV6);
516 /* Generate checksum */
518 checksum = inet_checksum(&pseudo, sizeof pseudo, ~0);
519 checksum = inet_checksum(&icmp6, icmp6_size, checksum);
520 checksum = inet_checksum(packet->data + ether_size + ip6_size + icmp6_size, ntohl(pseudo.length) - icmp6_size, checksum);
522 icmp6.icmp6_cksum = checksum;
524 /* Copy structs on stack back to packet */
526 memcpy(packet->data + ether_size, &ip6, ip6_size);
527 memcpy(packet->data + ether_size + ip6_size, &icmp6, icmp6_size);
529 packet->len = ether_size + ip6_size + ntohl(pseudo.length);
531 send_packet(source, packet);
534 static void route_ipv6_unicast(node_t *source, vpn_packet_t *packet) {
539 memcpy(&dest, &packet->data[38], sizeof dest);
540 subnet = lookup_subnet_ipv6(&dest);
543 ifdebug(TRAFFIC) logger(LOG_WARNING, "Cannot route packet from %s (%s): unknown IPv6 destination address %hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx",
544 source->name, source->hostname,
554 route_ipv6_unreachable(source, packet, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADDR);
558 if(subnet->owner == source) {
559 ifdebug(TRAFFIC) logger(LOG_WARNING, "Packet looping back to %s (%s)!", source->name, source->hostname);
563 if(!subnet->owner->status.reachable)
564 return route_ipv6_unreachable(source, packet, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOROUTE);
566 if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself)
567 return route_ipv6_unreachable(source, packet, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN);
569 via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
571 if(directonly && subnet->owner != via)
572 return route_ipv6_unreachable(source, packet, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN);
574 if(via && packet->len > MAX(via->mtu, 1294) && via != myself) {
575 ifdebug(TRAFFIC) logger(LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
576 packet->len = MAX(via->mtu, 1294);
577 route_ipv6_unreachable(source, packet, ICMP6_PACKET_TOO_BIG, 0);
581 clamp_mss(source, via, packet);
583 send_packet(subnet->owner, packet);
588 static void route_neighborsol(node_t *source, vpn_packet_t *packet) {
590 struct nd_neighbor_solicit ns;
591 struct nd_opt_hdr opt;
597 struct in6_addr ip6_src; /* source address */
598 struct in6_addr ip6_dst; /* destination address */
603 if(!checklength(source, packet, ether_size + ip6_size + ns_size))
606 has_opt = packet->len >= ether_size + ip6_size + ns_size + opt_size + ETH_ALEN;
608 if(source != myself) {
609 ifdebug(TRAFFIC) logger(LOG_WARNING, "Got neighbor solicitation request from %s (%s) while in router mode!", source->name, source->hostname);
613 /* Copy headers from packet to structs on the stack */
615 memcpy(&ip6, packet->data + ether_size, ip6_size);
616 memcpy(&ns, packet->data + ether_size + ip6_size, ns_size);
618 memcpy(&opt, packet->data + ether_size + ip6_size + ns_size, opt_size);
620 /* First, snatch the source address from the neighbor solicitation packet */
623 memcpy(mymac.x, packet->data + ETH_ALEN, ETH_ALEN);
625 /* Check if this is a valid neighbor solicitation request */
627 if(ns.nd_ns_hdr.icmp6_type != ND_NEIGHBOR_SOLICIT ||
628 (has_opt && opt.nd_opt_type != ND_OPT_SOURCE_LINKADDR)) {
629 ifdebug(TRAFFIC) logger(LOG_WARNING, "Cannot route packet: received unknown type neighbor solicitation request");
633 /* Create pseudo header */
635 pseudo.ip6_src = ip6.ip6_src;
636 pseudo.ip6_dst = ip6.ip6_dst;
638 pseudo.length = htonl(ns_size + opt_size + ETH_ALEN);
640 pseudo.length = htonl(ns_size);
641 pseudo.next = htonl(IPPROTO_ICMPV6);
643 /* Generate checksum */
645 checksum = inet_checksum(&pseudo, sizeof pseudo, ~0);
646 checksum = inet_checksum(&ns, ns_size, checksum);
648 checksum = inet_checksum(&opt, opt_size, checksum);
649 checksum = inet_checksum(packet->data + ether_size + ip6_size + ns_size + opt_size, ETH_ALEN, checksum);
653 ifdebug(TRAFFIC) logger(LOG_WARNING, "Cannot route packet: checksum error for neighbor solicitation request");
657 /* Check if the IPv6 address exists on the VPN */
659 subnet = lookup_subnet_ipv6((ipv6_t *) &ns.nd_ns_target);
662 ifdebug(TRAFFIC) logger(LOG_WARNING, "Cannot route packet: neighbor solicitation request for unknown address %hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx",
663 ntohs(((uint16_t *) &ns.nd_ns_target)[0]),
664 ntohs(((uint16_t *) &ns.nd_ns_target)[1]),
665 ntohs(((uint16_t *) &ns.nd_ns_target)[2]),
666 ntohs(((uint16_t *) &ns.nd_ns_target)[3]),
667 ntohs(((uint16_t *) &ns.nd_ns_target)[4]),
668 ntohs(((uint16_t *) &ns.nd_ns_target)[5]),
669 ntohs(((uint16_t *) &ns.nd_ns_target)[6]),
670 ntohs(((uint16_t *) &ns.nd_ns_target)[7]));
675 /* Check if it is for our own subnet */
677 if(subnet->owner == myself)
678 return; /* silently ignore */
680 /* Create neighbor advertation reply */
682 memcpy(packet->data, packet->data + ETH_ALEN, ETH_ALEN); /* copy destination address */
683 packet->data[ETH_ALEN * 2 - 1] ^= 0xFF; /* mangle source address so it looks like it's not from us */
685 ip6.ip6_dst = ip6.ip6_src; /* swap destination and source protocoll address */
686 ip6.ip6_src = ns.nd_ns_target;
689 memcpy(packet->data + ether_size + ip6_size + ns_size + opt_size, packet->data + ETH_ALEN, ETH_ALEN); /* add fake source hard addr */
692 ns.nd_ns_type = ND_NEIGHBOR_ADVERT;
693 ns.nd_ns_reserved = htonl(0x40000000UL); /* Set solicited flag */
694 opt.nd_opt_type = ND_OPT_TARGET_LINKADDR;
696 /* Create pseudo header */
698 pseudo.ip6_src = ip6.ip6_src;
699 pseudo.ip6_dst = ip6.ip6_dst;
701 pseudo.length = htonl(ns_size + opt_size + ETH_ALEN);
703 pseudo.length = htonl(ns_size);
704 pseudo.next = htonl(IPPROTO_ICMPV6);
706 /* Generate checksum */
708 checksum = inet_checksum(&pseudo, sizeof pseudo, ~0);
709 checksum = inet_checksum(&ns, ns_size, checksum);
711 checksum = inet_checksum(&opt, opt_size, checksum);
712 checksum = inet_checksum(packet->data + ether_size + ip6_size + ns_size + opt_size, ETH_ALEN, checksum);
715 ns.nd_ns_hdr.icmp6_cksum = checksum;
717 /* Copy structs on stack back to packet */
719 memcpy(packet->data + ether_size, &ip6, ip6_size);
720 memcpy(packet->data + ether_size + ip6_size, &ns, ns_size);
722 memcpy(packet->data + ether_size + ip6_size + ns_size, &opt, opt_size);
724 send_packet(source, packet);
727 static void route_ipv6(node_t *source, vpn_packet_t *packet) {
728 if(!checklength(source, packet, ether_size + ip6_size))
731 if(packet->data[20] == IPPROTO_ICMPV6 && checklength(source, packet, ether_size + ip6_size + icmp6_size) && packet->data[54] == ND_NEIGHBOR_SOLICIT) {
732 route_neighborsol(source, packet);
736 if(broadcast && packet->data[38] == 255)
737 broadcast_packet(source, packet);
739 route_ipv6_unicast(source, packet);
744 static void route_arp(node_t *source, vpn_packet_t *packet) {
745 struct ether_arp arp;
749 if(!checklength(source, packet, ether_size + arp_size))
752 if(source != myself) {
753 ifdebug(TRAFFIC) logger(LOG_WARNING, "Got ARP request from %s (%s) while in router mode!", source->name, source->hostname);
757 /* First, snatch the source address from the ARP packet */
760 memcpy(mymac.x, packet->data + ETH_ALEN, ETH_ALEN);
762 /* Copy headers from packet to structs on the stack */
764 memcpy(&arp, packet->data + ether_size, arp_size);
766 /* Check if this is a valid ARP request */
768 if(ntohs(arp.arp_hrd) != ARPHRD_ETHER || ntohs(arp.arp_pro) != ETH_P_IP ||
769 arp.arp_hln != ETH_ALEN || arp.arp_pln != sizeof addr || ntohs(arp.arp_op) != ARPOP_REQUEST) {
770 ifdebug(TRAFFIC) logger(LOG_WARNING, "Cannot route packet: received unknown type ARP request");
774 /* Check if the IPv4 address exists on the VPN */
776 subnet = lookup_subnet_ipv4((ipv4_t *) &arp.arp_tpa);
779 ifdebug(TRAFFIC) logger(LOG_WARNING, "Cannot route packet: ARP request for unknown address %d.%d.%d.%d",
780 arp.arp_tpa[0], arp.arp_tpa[1], arp.arp_tpa[2],
785 /* Check if it is for our own subnet */
787 if(subnet->owner == myself)
788 return; /* silently ignore */
790 memcpy(packet->data, packet->data + ETH_ALEN, ETH_ALEN); /* copy destination address */
791 packet->data[ETH_ALEN * 2 - 1] ^= 0xFF; /* mangle source address so it looks like it's not from us */
793 memcpy(&addr, arp.arp_tpa, sizeof addr); /* save protocol addr */
794 memcpy(arp.arp_tpa, arp.arp_spa, sizeof addr); /* swap destination and source protocol address */
795 memcpy(arp.arp_spa, &addr, sizeof addr); /* ... */
797 memcpy(arp.arp_tha, arp.arp_sha, ETH_ALEN); /* set target hard/proto addr */
798 memcpy(arp.arp_sha, packet->data + ETH_ALEN, ETH_ALEN); /* add fake source hard addr */
799 arp.arp_op = htons(ARPOP_REPLY);
801 /* Copy structs on stack back to packet */
803 memcpy(packet->data + ether_size, &arp, arp_size);
805 send_packet(source, packet);
808 static void route_mac(node_t *source, vpn_packet_t *packet) {
812 /* Learn source address */
814 if(source == myself) {
816 memcpy(&src, &packet->data[6], sizeof src);
820 /* Lookup destination address */
822 memcpy(&dest, &packet->data[0], sizeof dest);
823 subnet = lookup_subnet_mac(NULL, &dest);
827 broadcast_packet(source, packet);
831 if(subnet->owner == source) {
832 ifdebug(TRAFFIC) logger(LOG_WARNING, "Packet looping back to %s (%s)!", source->name, source->hostname);
836 if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself)
839 // Handle packets larger than PMTU
841 node_t *via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
843 if(directonly && subnet->owner != via)
846 if(via && packet->len > via->mtu && via != myself) {
847 ifdebug(TRAFFIC) logger(LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
848 uint16_t type = packet->data[12] << 8 | packet->data[13];
849 if(type == ETH_P_IP && packet->len > 590) {
850 if(packet->data[20] & 0x40) {
851 packet->len = via->mtu;
852 route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED);
854 fragment_ipv4_packet(via, packet);
857 } else if(type == ETH_P_IPV6 && packet->len > 1294) {
858 packet->len = via->mtu;
859 route_ipv6_unreachable(source, packet, ICMP6_PACKET_TOO_BIG, 0);
864 clamp_mss(source, via, packet);
866 send_packet(subnet->owner, packet);
869 static void send_pcap(vpn_packet_t *packet) {
871 for(splay_node_t *node = connection_tree->head; node; node = node->next) {
872 connection_t *c = node->data;
877 if(send_request(c, "%d %d %d", CONTROL, REQ_PCAP, packet->len))
878 send_meta(c, (char *)packet->data, packet->len);
882 static bool do_decrement_ttl(node_t *source, vpn_packet_t *packet) {
883 uint16_t type = packet->data[12] << 8 | packet->data[13];
887 if(!checklength(source, packet, 14 + 32))
890 if(packet->data[22] < 1) {
891 route_ipv4_unreachable(source, packet, ICMP_TIME_EXCEEDED, ICMP_EXC_TTL);
895 uint16_t old = packet->data[22] << 8 | packet->data[23];
897 uint16_t new = packet->data[22] << 8 | packet->data[23];
899 uint32_t checksum = packet->data[24] << 8 | packet->data[25];
900 checksum += old + (~new & 0xFFFF);
901 while(checksum >> 16)
902 checksum = (checksum & 0xFFFF) + (checksum >> 16);
903 packet->data[24] = checksum >> 8;
904 packet->data[25] = checksum & 0xff;
909 if(!checklength(source, packet, 14 + 40))
912 if(packet->data[21] < 1) {
913 route_ipv6_unreachable(source, packet, ICMP6_TIME_EXCEEDED, ICMP6_TIME_EXCEED_TRANSIT);
926 void route(node_t *source, vpn_packet_t *packet) {
930 if(forwarding_mode == FMODE_KERNEL && source != myself) {
931 send_packet(myself, packet);
935 if(!checklength(source, packet, ether_size))
938 if(decrement_ttl && source != myself)
939 if(!do_decrement_ttl(source, packet))
942 switch (routing_mode) {
945 uint16_t type = packet->data[12] << 8 | packet->data[13];
949 route_arp(source, packet);
953 route_ipv4(source, packet);
957 route_ipv6(source, packet);
961 ifdebug(TRAFFIC) logger(LOG_WARNING, "Cannot route packet from %s (%s): unknown type %hx", source->name, source->hostname, type);
968 route_mac(source, packet);
972 broadcast_packet(source, packet);
projects / tinc / blob