3 Copyright (C) 2000-2005 Ivo Timmermans,
4 2000-2018 Guus Sliepen <guus@tinc-vpn.org>
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License along
17 with this program; if not, write to the Free Software Foundation, Inc.,
18 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 #include "connection.h"
24 #include "control_common.h"
36 rmode_t routing_mode = RMODE_ROUTER;
37 fmode_t forwarding_mode = FMODE_INTERNAL;
38 bmode_t broadcast_mode = BMODE_MST;
39 bool decrement_ttl = false;
40 bool directonly = false;
41 bool priorityinheritance = false;
43 bool overwrite_mac = false;
44 mac_t mymac = {{0xFE, 0xFD, 0, 0, 0, 0}};
47 /* Sizes of various headers */
49 static const size_t ether_size = sizeof(struct ether_header);
50 static const size_t arp_size = sizeof(struct ether_arp);
51 static const size_t ip_size = sizeof(struct ip);
52 static const size_t icmp_size = sizeof(struct icmp) - sizeof(struct ip);
53 static const size_t ip6_size = sizeof(struct ip6_hdr);
54 static const size_t icmp6_size = sizeof(struct icmp6_hdr);
55 static const size_t ns_size = sizeof(struct nd_neighbor_solicit);
56 static const size_t opt_size = sizeof(struct nd_opt_hdr);
59 #define MAX(a, b) ((a) > (b) ? (a) : (b))
62 static timeout_t age_subnets_timeout;
66 static uint16_t inet_checksum(void *vdata, int len, uint16_t prevsum) {
67 uint8_t *data = vdata;
69 uint32_t checksum = prevsum ^ 0xFFFF;
72 memcpy(&word, data, sizeof(word));
82 while(checksum >> 16) {
83 checksum = (checksum & 0xFFFF) + (checksum >> 16);
89 static bool ratelimit(int frequency) {
90 static time_t lasttime = 0;
93 if(lasttime == now.tv_sec) {
94 if(count >= frequency) {
98 lasttime = now.tv_sec;
106 static bool checklength(node_t *source, vpn_packet_t *packet, length_t length) {
107 if(packet->len < length) {
108 logger(DEBUG_TRAFFIC, LOG_WARNING, "Got too short packet from %s (%s)", source->name, source->hostname);
115 static void swap_mac_addresses(vpn_packet_t *packet) {
117 memcpy(&tmp, &DATA(packet)[0], sizeof(tmp));
118 memcpy(&DATA(packet)[0], &DATA(packet)[6], sizeof(tmp));
119 memcpy(&DATA(packet)[6], &tmp, sizeof(tmp));
124 static void route_ipv4_unreachable(node_t *source, vpn_packet_t *packet, length_t ether_size, uint8_t type, uint8_t code) {
126 struct icmp icmp = {0};
128 struct in_addr ip_src;
129 struct in_addr ip_dst;
136 /* Swap Ethernet source and destination addresses */
138 swap_mac_addresses(packet);
140 /* Copy headers from packet into properly aligned structs on the stack */
142 memcpy(&ip, DATA(packet) + ether_size, ip_size);
144 /* Remember original source and destination */
149 /* Try to reply with an IP address assigned to the local machine */
151 if(type == ICMP_TIME_EXCEEDED && code == ICMP_EXC_TTL) {
152 int sockfd = socket(AF_INET, SOCK_DGRAM, 0);
155 struct sockaddr_in addr;
156 memset(&addr, 0, sizeof(addr));
157 addr.sin_family = AF_INET;
158 addr.sin_addr = ip.ip_src;
160 if(!connect(sockfd, (const struct sockaddr *) &addr, sizeof(addr))) {
161 memset(&addr, 0, sizeof(addr));
162 addr.sin_family = AF_INET;
163 socklen_t addrlen = sizeof(addr);
165 if(!getsockname(sockfd, (struct sockaddr *) &addr, &addrlen) && (size_t)addrlen <= sizeof(addr)) {
166 ip_dst = addr.sin_addr;
174 oldlen = packet->len - ether_size;
176 if(type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED) {
177 icmp.icmp_nextmtu = htons(packet->len - ether_size);
180 if(oldlen >= IP_MSS - ip_size - icmp_size) {
181 oldlen = IP_MSS - ip_size - icmp_size;
184 /* Copy first part of original contents to ICMP message */
186 memmove(DATA(packet) + ether_size + ip_size + icmp_size, DATA(packet) + ether_size, oldlen);
188 /* Fill in IPv4 header */
191 ip.ip_hl = ip_size / 4;
193 ip.ip_len = htons(ip_size + icmp_size + oldlen);
197 ip.ip_p = IPPROTO_ICMP;
202 ip.ip_sum = inet_checksum(&ip, ip_size, ~0);
204 /* Fill in ICMP header */
206 icmp.icmp_type = type;
207 icmp.icmp_code = code;
210 icmp.icmp_cksum = inet_checksum(&icmp, icmp_size, ~0);
211 icmp.icmp_cksum = inet_checksum(DATA(packet) + ether_size + ip_size + icmp_size, oldlen, icmp.icmp_cksum);
213 /* Copy structs on stack back to packet */
215 memcpy(DATA(packet) + ether_size, &ip, ip_size);
216 memcpy(DATA(packet) + ether_size + ip_size, &icmp, icmp_size);
218 packet->len = ether_size + ip_size + icmp_size + oldlen;
220 send_packet(source, packet);
225 static void route_ipv6_unreachable(node_t *source, vpn_packet_t *packet, length_t ether_size, uint8_t type, uint8_t code) {
227 struct icmp6_hdr icmp6 = {0};
231 struct in6_addr ip6_src; /* source address */
232 struct in6_addr ip6_dst; /* destination address */
241 /* Swap Ethernet source and destination addresses */
243 swap_mac_addresses(packet);
245 /* Copy headers from packet to structs on the stack */
247 memcpy(&ip6, DATA(packet) + ether_size, ip6_size);
249 /* Remember original source and destination */
251 pseudo.ip6_src = ip6.ip6_dst;
252 pseudo.ip6_dst = ip6.ip6_src;
254 /* Try to reply with an IP address assigned to the local machine */
256 if(type == ICMP6_TIME_EXCEEDED && code == ICMP6_TIME_EXCEED_TRANSIT) {
257 int sockfd = socket(AF_INET6, SOCK_DGRAM, 0);
260 struct sockaddr_in6 addr;
261 memset(&addr, 0, sizeof(addr));
262 addr.sin6_family = AF_INET6;
263 addr.sin6_addr = ip6.ip6_src;
265 if(!connect(sockfd, (const struct sockaddr *) &addr, sizeof(addr))) {
266 memset(&addr, 0, sizeof(addr));
267 addr.sin6_family = AF_INET6;
268 socklen_t addrlen = sizeof(addr);
270 if(!getsockname(sockfd, (struct sockaddr *) &addr, &addrlen) && (size_t)addrlen <= sizeof(addr)) {
271 pseudo.ip6_src = addr.sin6_addr;
279 pseudo.length = packet->len - ether_size;
281 if(type == ICMP6_PACKET_TOO_BIG) {
282 icmp6.icmp6_mtu = htonl(pseudo.length);
285 if(pseudo.length >= IP_MSS - ip6_size - icmp6_size) {
286 pseudo.length = IP_MSS - ip6_size - icmp6_size;
289 /* Copy first part of original contents to ICMP message */
291 memmove(DATA(packet) + ether_size + ip6_size + icmp6_size, DATA(packet) + ether_size, pseudo.length);
293 /* Fill in IPv6 header */
295 ip6.ip6_flow = htonl(0x60000000UL);
296 ip6.ip6_plen = htons(icmp6_size + pseudo.length);
297 ip6.ip6_nxt = IPPROTO_ICMPV6;
299 ip6.ip6_src = pseudo.ip6_src;
300 ip6.ip6_dst = pseudo.ip6_dst;
302 /* Fill in ICMP header */
304 icmp6.icmp6_type = type;
305 icmp6.icmp6_code = code;
306 icmp6.icmp6_cksum = 0;
308 /* Create pseudo header */
310 pseudo.length = htonl(icmp6_size + pseudo.length);
311 pseudo.next = htonl(IPPROTO_ICMPV6);
313 /* Generate checksum */
315 checksum = inet_checksum(&pseudo, sizeof(pseudo), ~0);
316 checksum = inet_checksum(&icmp6, icmp6_size, checksum);
317 checksum = inet_checksum(DATA(packet) + ether_size + ip6_size + icmp6_size, ntohl(pseudo.length) - icmp6_size, checksum);
319 icmp6.icmp6_cksum = checksum;
321 /* Copy structs on stack back to packet */
323 memcpy(DATA(packet) + ether_size, &ip6, ip6_size);
324 memcpy(DATA(packet) + ether_size + ip6_size, &icmp6, icmp6_size);
326 packet->len = ether_size + ip6_size + ntohl(pseudo.length);
328 send_packet(source, packet);
331 static bool do_decrement_ttl(node_t *source, vpn_packet_t *packet) {
332 uint16_t type = DATA(packet)[12] << 8 | DATA(packet)[13];
333 length_t ethlen = ether_size;
335 if(type == ETH_P_8021Q) {
336 type = DATA(packet)[16] << 8 | DATA(packet)[17];
342 if(!checklength(source, packet, ethlen + ip_size)) {
346 if(DATA(packet)[ethlen + 8] <= 1) {
347 if(DATA(packet)[ethlen + 11] != IPPROTO_ICMP || DATA(packet)[ethlen + 32] != ICMP_TIME_EXCEEDED) {
348 route_ipv4_unreachable(source, packet, ethlen, ICMP_TIME_EXCEEDED, ICMP_EXC_TTL);
354 uint16_t old = DATA(packet)[ethlen + 8] << 8 | DATA(packet)[ethlen + 9];
355 DATA(packet)[ethlen + 8]--;
356 uint16_t new = DATA(packet)[ethlen + 8] << 8 | DATA(packet)[ethlen + 9];
358 uint32_t checksum = DATA(packet)[ethlen + 10] << 8 | DATA(packet)[ethlen + 11];
359 checksum += old + (~new & 0xFFFF);
361 while(checksum >> 16) {
362 checksum = (checksum & 0xFFFF) + (checksum >> 16);
365 DATA(packet)[ethlen + 10] = checksum >> 8;
366 DATA(packet)[ethlen + 11] = checksum & 0xff;
371 if(!checklength(source, packet, ethlen + ip6_size)) {
375 if(DATA(packet)[ethlen + 7] <= 1) {
376 if(DATA(packet)[ethlen + 6] != IPPROTO_ICMPV6 || DATA(packet)[ethlen + 40] != ICMP6_TIME_EXCEEDED) {
377 route_ipv6_unreachable(source, packet, ethlen, ICMP6_TIME_EXCEEDED, ICMP6_TIME_EXCEED_TRANSIT);
383 DATA(packet)[ethlen + 7]--;
392 static void clamp_mss(const node_t *source, const node_t *via, vpn_packet_t *packet) {
393 if(!source || !via || !(via->options & OPTION_CLAMP_MSS)) {
397 uint16_t mtu = source->mtu;
399 if(via != myself && via->mtu < mtu) {
403 /* Find TCP header */
404 int start = ether_size;
405 uint16_t type = DATA(packet)[12] << 8 | DATA(packet)[13];
407 if(type == ETH_P_8021Q) {
409 type = DATA(packet)[16] << 8 | DATA(packet)[17];
412 /* IP in IP (RFC 2003) packet */
413 if(type == ETH_P_IP && DATA(packet)[start + 9] == 4) {
417 if(packet->len <= start + 20) {
421 if(type == ETH_P_IP && DATA(packet)[start + 9] == 6) {
422 start += (DATA(packet)[start] & 0xf) * 4;
423 } else if(type == ETH_P_IPV6 && DATA(packet)[start + 6] == 6) {
429 if(packet->len <= start + 20) {
433 /* Use data offset field to calculate length of options field */
434 int len = ((DATA(packet)[start + 12] >> 4) - 5) * 4;
436 if(packet->len < start + 20 + len) {
440 /* Search for MSS option header */
441 for(int i = 0; i < len;) {
442 if(DATA(packet)[start + 20 + i] == 0) {
446 if(DATA(packet)[start + 20 + i] == 1) {
451 if(i > len - 2 || i > len - DATA(packet)[start + 21 + i]) {
455 if(DATA(packet)[start + 20 + i] != 2) {
456 if(DATA(packet)[start + 21 + i] < 2) {
460 i += DATA(packet)[start + 21 + i];
464 if(DATA(packet)[start + 21] != 4) {
469 uint16_t oldmss = DATA(packet)[start + 22 + i] << 8 | DATA(packet)[start + 23 + i];
470 uint16_t newmss = mtu - start - 20;
471 uint32_t csum = DATA(packet)[start + 16] << 8 | DATA(packet)[start + 17];
473 if(oldmss <= newmss) {
477 logger(DEBUG_TRAFFIC, LOG_INFO, "Clamping MSS of packet from %s to %s to %d", source->name, via->name, newmss);
479 /* Update the MSS value and the checksum */
480 DATA(packet)[start + 22 + i] = newmss >> 8;
481 DATA(packet)[start + 23 + i] = newmss & 0xff;
483 csum += oldmss ^ 0xffff;
485 csum = (csum & 0xffff) + (csum >> 16);
488 DATA(packet)[start + 16] = csum >> 8;
489 DATA(packet)[start + 17] = csum;
494 static void age_subnets(void *data) {
498 for splay_each(subnet_t, s, myself->subnet_tree) {
499 if(s->expires && s->expires < now.tv_sec) {
500 if(debug_level >= DEBUG_TRAFFIC) {
501 char netstr[MAXNETSTR];
503 if(net2str(netstr, sizeof(netstr), s)) {
504 logger(DEBUG_TRAFFIC, LOG_INFO, "Subnet %s expired", netstr);
508 for list_each(connection_t, c, connection_list)
510 send_del_subnet(c, s);
513 subnet_del(myself, s);
522 timeout_set(&age_subnets_timeout, &(struct timeval) {
527 static void learn_mac(mac_t *address) {
528 subnet_t *subnet = lookup_subnet_mac(myself, address);
530 /* If we don't know this MAC address yet, store it */
533 logger(DEBUG_TRAFFIC, LOG_INFO, "Learned new MAC address %x:%x:%x:%x:%x:%x",
534 address->x[0], address->x[1], address->x[2], address->x[3],
535 address->x[4], address->x[5]);
537 subnet = new_subnet();
538 subnet->type = SUBNET_MAC;
539 subnet->expires = now.tv_sec + macexpire;
540 subnet->net.mac.address = *address;
542 subnet_add(myself, subnet);
543 subnet_update(myself, subnet, true);
545 /* And tell all other tinc daemons it's our MAC */
547 for list_each(connection_t, c, connection_list)
549 send_add_subnet(c, subnet);
552 timeout_add(&age_subnets_timeout, age_subnets, NULL, &(struct timeval) {
556 if(subnet->expires) {
557 subnet->expires = now.tv_sec + macexpire;
562 static void route_broadcast(node_t *source, vpn_packet_t *packet) {
563 if(decrement_ttl && source != myself)
564 if(!do_decrement_ttl(source, packet)) {
568 broadcast_packet(source, packet);
573 static void fragment_ipv4_packet(node_t *dest, vpn_packet_t *packet, length_t ether_size) {
575 vpn_packet_t fragment;
578 uint16_t ip_off, origf;
580 memcpy(&ip, DATA(packet) + ether_size, ip_size);
581 fragment.priority = packet->priority;
582 fragment.offset = DEFAULT_PACKET_OFFSET;
584 if(ip.ip_hl != ip_size / 4) {
588 todo = ntohs(ip.ip_len) - ip_size;
590 if(ether_size + ip_size + todo != packet->len) {
591 logger(DEBUG_TRAFFIC, LOG_WARNING, "Length of packet (%d) doesn't match length in IPv4 header (%d)", packet->len, (int)(ether_size + ip_size + todo));
595 logger(DEBUG_TRAFFIC, LOG_INFO, "Fragmenting packet of %d bytes to %s (%s)", packet->len, dest->name, dest->hostname);
597 offset = DATA(packet) + ether_size + ip_size;
598 maxlen = (MAX(dest->mtu, 590) - ether_size - ip_size) & ~0x7;
599 ip_off = ntohs(ip.ip_off);
600 origf = ip_off & ~IP_OFFMASK;
601 ip_off &= IP_OFFMASK;
604 int len = todo > maxlen ? maxlen : todo;
605 memcpy(DATA(&fragment) + ether_size + ip_size, offset, len);
609 ip.ip_len = htons(ip_size + len);
610 ip.ip_off = htons(ip_off | origf | (todo ? IP_MF : 0));
612 ip.ip_sum = inet_checksum(&ip, ip_size, ~0);
613 memcpy(DATA(&fragment), DATA(packet), ether_size);
614 memcpy(DATA(&fragment) + ether_size, &ip, ip_size);
615 fragment.len = ether_size + ip_size + len;
617 send_packet(dest, &fragment);
623 static void route_ipv4(node_t *source, vpn_packet_t *packet) {
624 if(!checklength(source, packet, ether_size + ip_size)) {
632 memcpy(&dest, &DATA(packet)[30], sizeof(dest));
633 subnet = lookup_subnet_ipv4(&dest);
636 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot route packet from %s (%s): unknown IPv4 destination address %d.%d.%d.%d",
637 source->name, source->hostname,
643 route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_NET_UNKNOWN);
648 route_broadcast(source, packet);
652 if(subnet->owner == source) {
653 logger(DEBUG_TRAFFIC, LOG_WARNING, "Packet looping back to %s (%s)!", source->name, source->hostname);
657 if(!subnet->owner->status.reachable) {
658 route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_NET_UNREACH);
662 if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself) {
663 route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_NET_ANO);
667 if(decrement_ttl && source != myself && subnet->owner != myself)
668 if(!do_decrement_ttl(source, packet)) {
672 if(priorityinheritance) {
673 packet->priority = DATA(packet)[15];
676 via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
679 logger(DEBUG_TRAFFIC, LOG_ERR, "Routing loop for packet from %s (%s)!", source->name, source->hostname);
683 if(directonly && subnet->owner != via) {
684 route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_NET_ANO);
688 if(via && packet->len > MAX(via->mtu, 590) && via != myself) {
689 logger(DEBUG_TRAFFIC, LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
691 if(DATA(packet)[20] & 0x40) {
692 packet->len = MAX(via->mtu, 590);
693 route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED);
695 fragment_ipv4_packet(via, packet, ether_size);
701 clamp_mss(source, via, packet);
703 send_packet(subnet->owner, packet);
706 static void route_neighborsol(node_t *source, vpn_packet_t *packet);
708 static void route_ipv6(node_t *source, vpn_packet_t *packet) {
709 if(!checklength(source, packet, ether_size + ip6_size)) {
713 if(DATA(packet)[20] == IPPROTO_ICMPV6 && checklength(source, packet, ether_size + ip6_size + icmp6_size) && DATA(packet)[54] == ND_NEIGHBOR_SOLICIT) {
714 route_neighborsol(source, packet);
722 memcpy(&dest, &DATA(packet)[38], sizeof(dest));
723 subnet = lookup_subnet_ipv6(&dest);
726 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot route packet from %s (%s): unknown IPv6 destination address %hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx",
727 source->name, source->hostname,
737 route_ipv6_unreachable(source, packet, ether_size, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADDR);
742 route_broadcast(source, packet);
746 if(subnet->owner == source) {
747 logger(DEBUG_TRAFFIC, LOG_WARNING, "Packet looping back to %s (%s)!", source->name, source->hostname);
751 if(!subnet->owner->status.reachable) {
752 route_ipv6_unreachable(source, packet, ether_size, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOROUTE);
756 if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself) {
757 route_ipv6_unreachable(source, packet, ether_size, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN);
761 if(decrement_ttl && source != myself && subnet->owner != myself)
762 if(!do_decrement_ttl(source, packet)) {
766 if(priorityinheritance) {
767 packet->priority = ((DATA(packet)[14] & 0x0f) << 4) | (DATA(packet)[15] >> 4);
770 via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
773 logger(DEBUG_TRAFFIC, LOG_ERR, "Routing loop for packet from %s (%s)!", source->name, source->hostname);
777 if(directonly && subnet->owner != via) {
778 route_ipv6_unreachable(source, packet, ether_size, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN);
782 if(via && packet->len > MAX(via->mtu, 1294) && via != myself) {
783 logger(DEBUG_TRAFFIC, LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
784 packet->len = MAX(via->mtu, 1294);
785 route_ipv6_unreachable(source, packet, ether_size, ICMP6_PACKET_TOO_BIG, 0);
789 clamp_mss(source, via, packet);
791 send_packet(subnet->owner, packet);
796 static void route_neighborsol(node_t *source, vpn_packet_t *packet) {
798 struct nd_neighbor_solicit ns;
799 struct nd_opt_hdr opt;
805 struct in6_addr ip6_src;
806 struct in6_addr ip6_dst;
811 if(!checklength(source, packet, ether_size + ip6_size + ns_size)) {
815 has_opt = packet->len >= ether_size + ip6_size + ns_size + opt_size + ETH_ALEN;
817 if(source != myself) {
818 logger(DEBUG_TRAFFIC, LOG_WARNING, "Got neighbor solicitation request from %s (%s) while in router mode!", source->name, source->hostname);
822 /* Copy headers from packet to structs on the stack */
824 memcpy(&ip6, DATA(packet) + ether_size, ip6_size);
825 memcpy(&ns, DATA(packet) + ether_size + ip6_size, ns_size);
828 memcpy(&opt, DATA(packet) + ether_size + ip6_size + ns_size, opt_size);
831 /* First, snatch the source address from the neighbor solicitation packet */
834 memcpy(mymac.x, DATA(packet) + ETH_ALEN, ETH_ALEN);
837 /* Check if this is a valid neighbor solicitation request */
839 if(ns.nd_ns_hdr.icmp6_type != ND_NEIGHBOR_SOLICIT ||
840 (has_opt && opt.nd_opt_type != ND_OPT_SOURCE_LINKADDR)) {
841 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot route packet: received unknown type neighbor solicitation request");
845 /* Create pseudo header */
847 pseudo.ip6_src = ip6.ip6_src;
848 pseudo.ip6_dst = ip6.ip6_dst;
851 pseudo.length = htonl(ns_size + opt_size + ETH_ALEN);
853 pseudo.length = htonl(ns_size);
856 pseudo.next = htonl(IPPROTO_ICMPV6);
858 /* Generate checksum */
860 checksum = inet_checksum(&pseudo, sizeof(pseudo), ~0);
861 checksum = inet_checksum(&ns, ns_size, checksum);
864 checksum = inet_checksum(&opt, opt_size, checksum);
865 checksum = inet_checksum(DATA(packet) + ether_size + ip6_size + ns_size + opt_size, ETH_ALEN, checksum);
869 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot route packet: checksum error for neighbor solicitation request");
873 /* Check if the IPv6 address exists on the VPN */
875 subnet = lookup_subnet_ipv6((ipv6_t *) &ns.nd_ns_target);
878 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot route packet: neighbor solicitation request for unknown address %hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx",
879 ntohs(((uint16_t *) &ns.nd_ns_target)[0]),
880 ntohs(((uint16_t *) &ns.nd_ns_target)[1]),
881 ntohs(((uint16_t *) &ns.nd_ns_target)[2]),
882 ntohs(((uint16_t *) &ns.nd_ns_target)[3]),
883 ntohs(((uint16_t *) &ns.nd_ns_target)[4]),
884 ntohs(((uint16_t *) &ns.nd_ns_target)[5]),
885 ntohs(((uint16_t *) &ns.nd_ns_target)[6]),
886 ntohs(((uint16_t *) &ns.nd_ns_target)[7]));
891 /* Check if it is for our own subnet */
893 if(subnet->owner == myself) {
894 return; /* silently ignore */
898 if(!do_decrement_ttl(source, packet)) {
902 /* Create neighbor advertation reply */
904 memcpy(DATA(packet), DATA(packet) + ETH_ALEN, ETH_ALEN); /* copy destination address */
905 DATA(packet)[ETH_ALEN * 2 - 1] ^= 0xFF; /* mangle source address so it looks like it's not from us */
907 ip6.ip6_dst = ip6.ip6_src; /* swap destination and source protocol address */
908 ip6.ip6_src = ns.nd_ns_target;
911 memcpy(DATA(packet) + ether_size + ip6_size + ns_size + opt_size, DATA(packet) + ETH_ALEN, ETH_ALEN); /* add fake source hard addr */
915 ns.nd_ns_type = ND_NEIGHBOR_ADVERT;
916 ns.nd_ns_reserved = htonl(0x40000000UL); /* Set solicited flag */
917 opt.nd_opt_type = ND_OPT_TARGET_LINKADDR;
919 /* Create pseudo header */
921 pseudo.ip6_src = ip6.ip6_src;
922 pseudo.ip6_dst = ip6.ip6_dst;
925 pseudo.length = htonl(ns_size + opt_size + ETH_ALEN);
927 pseudo.length = htonl(ns_size);
930 pseudo.next = htonl(IPPROTO_ICMPV6);
932 /* Generate checksum */
934 checksum = inet_checksum(&pseudo, sizeof(pseudo), ~0);
935 checksum = inet_checksum(&ns, ns_size, checksum);
938 checksum = inet_checksum(&opt, opt_size, checksum);
939 checksum = inet_checksum(DATA(packet) + ether_size + ip6_size + ns_size + opt_size, ETH_ALEN, checksum);
942 ns.nd_ns_hdr.icmp6_cksum = checksum;
944 /* Copy structs on stack back to packet */
946 memcpy(DATA(packet) + ether_size, &ip6, ip6_size);
947 memcpy(DATA(packet) + ether_size + ip6_size, &ns, ns_size);
950 memcpy(DATA(packet) + ether_size + ip6_size + ns_size, &opt, opt_size);
953 send_packet(source, packet);
958 static void route_arp(node_t *source, vpn_packet_t *packet) {
959 struct ether_arp arp;
963 if(!checklength(source, packet, ether_size + arp_size)) {
967 if(source != myself) {
968 logger(DEBUG_TRAFFIC, LOG_WARNING, "Got ARP request from %s (%s) while in router mode!", source->name, source->hostname);
972 /* First, snatch the source address from the ARP packet */
975 memcpy(mymac.x, DATA(packet) + ETH_ALEN, ETH_ALEN);
978 /* Copy headers from packet to structs on the stack */
980 memcpy(&arp, DATA(packet) + ether_size, arp_size);
982 /* Check if this is a valid ARP request */
984 if(ntohs(arp.arp_hrd) != ARPHRD_ETHER || ntohs(arp.arp_pro) != ETH_P_IP ||
985 arp.arp_hln != ETH_ALEN || arp.arp_pln != sizeof(addr) || ntohs(arp.arp_op) != ARPOP_REQUEST) {
986 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot route packet: received unknown type ARP request");
990 /* Check if the IPv4 address exists on the VPN */
992 subnet = lookup_subnet_ipv4((ipv4_t *) &arp.arp_tpa);
995 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot route packet: ARP request for unknown address %d.%d.%d.%d",
996 arp.arp_tpa[0], arp.arp_tpa[1], arp.arp_tpa[2],
1001 /* Check if it is for our own subnet */
1003 if(subnet->owner == myself) {
1004 return; /* silently ignore */
1008 if(!do_decrement_ttl(source, packet)) {
1012 memcpy(&addr, arp.arp_tpa, sizeof(addr)); /* save protocol addr */
1013 memcpy(arp.arp_tpa, arp.arp_spa, sizeof(addr)); /* swap destination and source protocol address */
1014 memcpy(arp.arp_spa, &addr, sizeof(addr)); /* ... */
1016 memcpy(arp.arp_tha, arp.arp_sha, ETH_ALEN); /* set target hard/proto addr */
1017 memcpy(arp.arp_sha, DATA(packet) + ETH_ALEN, ETH_ALEN); /* set source hard/proto addr */
1018 arp.arp_sha[ETH_ALEN - 1] ^= 0xFF; /* for consistency with route_packet() */
1019 arp.arp_op = htons(ARPOP_REPLY);
1021 /* Copy structs on stack back to packet */
1023 memcpy(DATA(packet) + ether_size, &arp, arp_size);
1025 send_packet(source, packet);
1028 static void route_mac(node_t *source, vpn_packet_t *packet) {
1032 /* Learn source address */
1034 if(source == myself) {
1036 memcpy(&src, &DATA(packet)[6], sizeof(src));
1040 /* Lookup destination address */
1042 memcpy(&dest, &DATA(packet)[0], sizeof(dest));
1043 subnet = lookup_subnet_mac(NULL, &dest);
1045 if(!subnet || !subnet->owner) {
1046 route_broadcast(source, packet);
1050 if(subnet->owner == source) {
1051 logger(DEBUG_TRAFFIC, LOG_WARNING, "Packet looping back to %s (%s)!", source->name, source->hostname);
1055 if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself) {
1059 if(decrement_ttl && source != myself && subnet->owner != myself)
1060 if(!do_decrement_ttl(source, packet)) {
1064 uint16_t type = DATA(packet)[12] << 8 | DATA(packet)[13];
1066 if(priorityinheritance) {
1067 if(type == ETH_P_IP && packet->len >= ether_size + ip_size) {
1068 packet->priority = DATA(packet)[15];
1069 } else if(type == ETH_P_IPV6 && packet->len >= ether_size + ip6_size) {
1070 packet->priority = ((DATA(packet)[14] & 0x0f) << 4) | (DATA(packet)[15] >> 4);
1074 // Handle packets larger than PMTU
1076 node_t *via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
1078 if(directonly && subnet->owner != via) {
1082 if(via && packet->len > via->mtu && via != myself) {
1083 logger(DEBUG_TRAFFIC, LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
1084 length_t ethlen = 14;
1086 if(type == ETH_P_8021Q) {
1087 type = DATA(packet)[16] << 8 | DATA(packet)[17];
1091 if(type == ETH_P_IP && packet->len > 576 + ethlen) {
1092 if(DATA(packet)[6 + ethlen] & 0x40) {
1093 packet->len = via->mtu;
1094 route_ipv4_unreachable(source, packet, ethlen, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED);
1096 fragment_ipv4_packet(via, packet, ethlen);
1100 } else if(type == ETH_P_IPV6 && packet->len > 1280 + ethlen) {
1101 packet->len = via->mtu;
1102 route_ipv6_unreachable(source, packet, ethlen, ICMP6_PACKET_TOO_BIG, 0);
1107 clamp_mss(source, via, packet);
1109 send_packet(subnet->owner, packet);
1112 static void send_pcap(vpn_packet_t *packet) {
1115 for list_each(connection_t, c, connection_list) {
1116 if(!c->status.pcap) {
1121 int len = packet->len;
1123 if(c->outmaclength && c->outmaclength < len) {
1124 len = c->outmaclength;
1127 if(send_request(c, "%d %d %d", CONTROL, REQ_PCAP, len)) {
1128 send_meta(c, (char *)DATA(packet), len);
1133 void route(node_t *source, vpn_packet_t *packet) {
1138 if(forwarding_mode == FMODE_KERNEL && source != myself) {
1139 send_packet(myself, packet);
1143 if(!checklength(source, packet, ether_size)) {
1147 uint16_t type = DATA(packet)[12] << 8 | DATA(packet)[13];
1149 switch(routing_mode) {
1153 route_arp(source, packet);
1157 route_ipv4(source, packet);
1161 route_ipv6(source, packet);
1165 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot route packet from %s (%s): unknown type %hx", source->name, source->hostname, type);
1172 route_mac(source, packet);
1176 route_broadcast(source, packet);
projects / tinc / blob