1/* 2 * Copyright 2011 Daniel Drown 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 * 16 * ipv6.c - takes ipv6 packets, finds their headers, and then calls translation functions on them 17 */ 18#include <string.h> 19 20#include <netinet/in.h> 21#include <netinet/ip.h> 22#include <netinet/ip_icmp.h> 23#include <netinet/udp.h> 24#include <netinet/tcp.h> 25#include <netinet/ip6.h> 26#include <netinet/icmp6.h> 27#include <linux/icmp.h> 28#include <arpa/inet.h> 29 30#include "translate.h" 31#include "checksum.h" 32#include "ipv6.h" 33#include "logging.h" 34#include "dump.h" 35#include "config.h" 36#include "debug.h" 37 38/* function: icmp6_packet 39 * takes an icmp6 packet and sets it up for translation 40 * out - output packet 41 * icmp6 - pointer to icmp6 header in packet 42 * checksum - pseudo-header checksum (unused) 43 * len - size of ip payload 44 * returns: the highest position in the output clat_packet that's filled in 45 */ 46int icmp6_packet(clat_packet out, int pos, const struct icmp6_hdr *icmp6, uint32_t checksum, 47 size_t len) { 48 const char *payload; 49 size_t payload_size; 50 51 if(len < sizeof(struct icmp6_hdr)) { 52 logmsg_dbg(ANDROID_LOG_ERROR, "icmp6_packet/(too small)"); 53 return 0; 54 } 55 56 payload = (const char *) (icmp6 + 1); 57 payload_size = len - sizeof(struct icmp6_hdr); 58 59 return icmp6_to_icmp(out, pos, icmp6, checksum, payload, payload_size); 60} 61 62/* function: log_bad_address 63 * logs a bad address to android's log buffer if debugging is turned on 64 * fmt - printf-style format, use %s to place the address 65 * badaddr - the bad address in question 66 */ 67void log_bad_address(const char *fmt, const struct in6_addr *src, const struct in6_addr *dst) { 68#if CLAT_DEBUG 69 char srcstr[INET6_ADDRSTRLEN]; 70 char dststr[INET6_ADDRSTRLEN]; 71 72 inet_ntop(AF_INET6, src, srcstr, sizeof(srcstr)); 73 inet_ntop(AF_INET6, dst, dststr, sizeof(dststr)); 74 logmsg_dbg(ANDROID_LOG_ERROR, fmt, srcstr, dststr); 75#endif 76} 77 78/* function: ipv6_packet 79 * takes an ipv6 packet and hands it off to the layer 4 protocol function 80 * out - output packet 81 * packet - packet data 82 * len - size of packet 83 * returns: the highest position in the output clat_packet that's filled in 84 */ 85int ipv6_packet(clat_packet out, int pos, const char *packet, size_t len) { 86 const struct ip6_hdr *ip6 = (struct ip6_hdr *) packet; 87 struct iphdr *ip_targ = (struct iphdr *) out[pos].iov_base; 88 uint8_t protocol; 89 const char *next_header; 90 size_t len_left; 91 uint32_t checksum; 92 int iov_len; 93 int i; 94 95 if(len < sizeof(struct ip6_hdr)) { 96 logmsg_dbg(ANDROID_LOG_ERROR, "ipv6_packet/too short for an ip6 header: %d", len); 97 return 0; 98 } 99 100 if(IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { 101 log_bad_address("ipv6_packet/multicast %s->%s", &ip6->ip6_src, &ip6->ip6_dst); 102 return 0; // silently ignore 103 } 104 105 // If the packet is not from the plat subnet to the local subnet, or vice versa, drop it, unless 106 // it's an ICMP packet (which can come from anywhere). We do not send IPv6 packets from the plat 107 // subnet to the local subnet, but these can appear as inner packets in ICMP errors, so we need 108 // to translate them. We accept third-party ICMPv6 errors, even though their source addresses 109 // cannot be translated, so that things like unreachables and traceroute will work. fill_ip_header 110 // takes care of faking a source address for them. 111 if (!(is_in_plat_subnet(&ip6->ip6_src) && 112 IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &Global_Clatd_Config.ipv6_local_subnet)) && 113 !(is_in_plat_subnet(&ip6->ip6_dst) && 114 IN6_ARE_ADDR_EQUAL(&ip6->ip6_src, &Global_Clatd_Config.ipv6_local_subnet)) && 115 ip6->ip6_nxt != IPPROTO_ICMPV6) { 116 log_bad_address("ipv6_packet/wrong source address: %s->%s", &ip6->ip6_src, &ip6->ip6_dst); 117 return 0; 118 } 119 120 next_header = packet + sizeof(struct ip6_hdr); 121 len_left = len - sizeof(struct ip6_hdr); 122 123 protocol = ip6->ip6_nxt; 124 if (protocol == IPPROTO_ICMPV6) { 125 // ICMP and ICMPv6 have different protocol numbers. 126 protocol = IPPROTO_ICMP; 127 } 128 129 /* Fill in the IPv4 header. We need to do this before we translate the packet because TCP and 130 * UDP include parts of the IP header in the checksum. Set the length to zero because we don't 131 * know it yet. 132 */ 133 fill_ip_header(ip_targ, 0, protocol, ip6); 134 out[pos].iov_len = sizeof(struct iphdr); 135 136 // Calculate the pseudo-header checksum. 137 checksum = ipv4_pseudo_header_checksum(0, ip_targ, len_left); 138 139 // does not support IPv6 extension headers, this will drop any packet with them 140 if(protocol == IPPROTO_ICMP) { 141 iov_len = icmp6_packet(out, pos + 1, (const struct icmp6_hdr *) next_header, checksum, 142 len_left); 143 } else if(ip6->ip6_nxt == IPPROTO_TCP) { 144 iov_len = tcp_packet(out, pos + 1, (const struct tcphdr *) next_header, checksum, 145 len_left); 146 } else if(ip6->ip6_nxt == IPPROTO_UDP) { 147 iov_len = udp_packet(out, pos + 1, (const struct udphdr *) next_header, checksum, 148 len_left); 149 } else { 150#if CLAT_DEBUG 151 logmsg(ANDROID_LOG_ERROR, "ipv6_packet/unknown next header type: %x", ip6->ip6_nxt); 152 logcat_hexdump("ipv6/nxthdr", packet, len); 153#endif 154 return 0; 155 } 156 157 // Set the length and calculate the checksum. 158 ip_targ->tot_len = htons(ntohs(ip_targ->tot_len) + packet_length(out, pos)); 159 ip_targ->check = ip_checksum(ip_targ, sizeof(struct iphdr)); 160 return iov_len; 161} 162