Home | History | Annotate | Download | only in android-clat
      1 /*
      2  * Copyright 2011 Daniel Drown
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  * http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  *
     16  * translate.c - CLAT functions / partial implementation of rfc6145
     17  */
     18 #include <string.h>
     19 #include <sys/uio.h>
     20 
     21 #include "icmp.h"
     22 #include "translate.h"
     23 #include "checksum.h"
     24 #include "clatd.h"
     25 #include "config.h"
     26 #include "logging.h"
     27 #include "debug.h"
     28 
     29 /* function: packet_checksum
     30  * calculates the checksum over all the packet components starting from pos
     31  * checksum - checksum of packet components before pos
     32  * packet   - packet to calculate the checksum of
     33  * pos      - position to start counting from
     34  * returns  - the completed 16-bit checksum, ready to write into a checksum header field
     35  */
     36 uint16_t packet_checksum(uint32_t checksum, clat_packet packet, int pos) {
     37   int i;
     38   for (i = pos; i < CLAT_POS_MAX; i++) {
     39     if (packet[i].iov_len > 0) {
     40       checksum = ip_checksum_add(checksum, packet[i].iov_base, packet[i].iov_len);
     41     }
     42   }
     43   return ip_checksum_finish(checksum);
     44 }
     45 
     46 /* function: packet_length
     47  * returns the total length of all the packet components after pos
     48  * packet - packet to calculate the length of
     49  * pos    - position to start counting after
     50  * returns: the total length of the packet components after pos
     51  */
     52 uint16_t packet_length(clat_packet packet, int pos) {
     53   size_t len = 0;
     54   int i;
     55   for (i = pos + 1; i < CLAT_POS_MAX; i++) {
     56     len += packet[i].iov_len;
     57   }
     58   return len;
     59 }
     60 
     61 /* function: is_in_plat_subnet
     62  * returns true iff the given IPv6 address is in the plat subnet.
     63  * addr - IPv6 address
     64  */
     65 int is_in_plat_subnet(const struct in6_addr *addr6) {
     66   // Assumes a /96 plat subnet.
     67   return (addr6 != NULL) && (memcmp(addr6, &Global_Clatd_Config.plat_subnet, 12) == 0);
     68 }
     69 
     70 /* function: ipv6_addr_to_ipv4_addr
     71  * return the corresponding ipv4 address for the given ipv6 address
     72  * addr6 - ipv6 address
     73  * returns: the IPv4 address
     74  */
     75 uint32_t ipv6_addr_to_ipv4_addr(const struct in6_addr *addr6) {
     76   if (is_in_plat_subnet(addr6)) {
     77     // Assumes a /96 plat subnet.
     78     return addr6->s6_addr32[3];
     79   } else if (IN6_ARE_ADDR_EQUAL(addr6, &Global_Clatd_Config.ipv6_local_subnet)) {
     80     // Special-case our own address.
     81     return Global_Clatd_Config.ipv4_local_subnet.s_addr;
     82   } else {
     83     // Third party packet. Let the caller deal with it.
     84     return INADDR_NONE;
     85   }
     86 }
     87 
     88 /* function: ipv4_addr_to_ipv6_addr
     89  * return the corresponding ipv6 address for the given ipv4 address
     90  * addr4 - ipv4 address
     91  */
     92 struct in6_addr ipv4_addr_to_ipv6_addr(uint32_t addr4) {
     93   struct in6_addr addr6;
     94   // Both addresses are in network byte order (addr4 comes from a network packet, and the config
     95   // file entry is read using inet_ntop).
     96   if (addr4 == Global_Clatd_Config.ipv4_local_subnet.s_addr) {
     97     return Global_Clatd_Config.ipv6_local_subnet;
     98   } else {
     99     // Assumes a /96 plat subnet.
    100     addr6 = Global_Clatd_Config.plat_subnet;
    101     addr6.s6_addr32[3] = addr4;
    102     return addr6;
    103   }
    104 }
    105 
    106 /* function: fill_tun_header
    107  * fill in the header for the tun fd
    108  * tun_header - tunnel header, already allocated
    109  * proto      - ethernet protocol id: ETH_P_IP(ipv4) or ETH_P_IPV6(ipv6)
    110  */
    111 void fill_tun_header(struct tun_pi *tun_header, uint16_t proto) {
    112   tun_header->flags = 0;
    113   tun_header->proto = htons(proto);
    114 }
    115 
    116 /* function: fill_ip_header
    117  * generate an ipv4 header from an ipv6 header
    118  * ip_targ     - (ipv4) target packet header, source: original ipv4 addr, dest: local subnet addr
    119  * payload_len - length of other data inside packet
    120  * protocol    - protocol number (tcp, udp, etc)
    121  * old_header  - (ipv6) source packet header, source: nat64 prefix, dest: local subnet prefix
    122  */
    123 void fill_ip_header(struct iphdr *ip, uint16_t payload_len, uint8_t protocol,
    124                     const struct ip6_hdr *old_header) {
    125   int ttl_guess;
    126   memset(ip, 0, sizeof(struct iphdr));
    127 
    128   ip->ihl = 5;
    129   ip->version = 4;
    130   ip->tos = 0;
    131   ip->tot_len = htons(sizeof(struct iphdr) + payload_len);
    132   ip->id = 0;
    133   ip->frag_off = htons(IP_DF);
    134   ip->ttl = old_header->ip6_hlim;
    135   ip->protocol = protocol;
    136   ip->check = 0;
    137 
    138   ip->saddr = ipv6_addr_to_ipv4_addr(&old_header->ip6_src);
    139   ip->daddr = ipv6_addr_to_ipv4_addr(&old_header->ip6_dst);
    140 
    141   // Third-party ICMPv6 message. This may have been originated by an native IPv6 address.
    142   // In that case, the source IPv6 address can't be translated and we need to make up an IPv4
    143   // source address. For now, use 255.0.0.<ttl>, which at least looks useful in traceroute.
    144   if ((uint32_t) ip->saddr == INADDR_NONE) {
    145     ttl_guess = icmp_guess_ttl(old_header->ip6_hlim);
    146     ip->saddr = htonl((0xff << 24) + ttl_guess);
    147   }
    148 }
    149 
    150 /* function: fill_ip6_header
    151  * generate an ipv6 header from an ipv4 header
    152  * ip6         - (ipv6) target packet header, source: local subnet prefix, dest: nat64 prefix
    153  * payload_len - length of other data inside packet
    154  * protocol    - protocol number (tcp, udp, etc)
    155  * old_header  - (ipv4) source packet header, source: local subnet addr, dest: internet's ipv4 addr
    156  */
    157 void fill_ip6_header(struct ip6_hdr *ip6, uint16_t payload_len, uint8_t protocol,
    158                      const struct iphdr *old_header) {
    159   memset(ip6, 0, sizeof(struct ip6_hdr));
    160 
    161   ip6->ip6_vfc = 6 << 4;
    162   ip6->ip6_plen = htons(payload_len);
    163   ip6->ip6_nxt = protocol;
    164   ip6->ip6_hlim = old_header->ttl;
    165 
    166   ip6->ip6_src = ipv4_addr_to_ipv6_addr(old_header->saddr);
    167   ip6->ip6_dst = ipv4_addr_to_ipv6_addr(old_header->daddr);
    168 }
    169 
    170 /* function: maybe_fill_frag_header
    171  * fills a fragmentation header
    172  * generate an ipv6 fragment header from an ipv4 header
    173  * frag_hdr    - target (ipv6) fragmentation header
    174  * ip6_targ    - target (ipv6) header
    175  * old_header  - (ipv4) source packet header
    176  * returns: the length of the fragmentation header if present, or zero if not present
    177  */
    178 size_t maybe_fill_frag_header(struct ip6_frag *frag_hdr, struct ip6_hdr *ip6_targ,
    179                               const struct iphdr *old_header) {
    180   uint16_t frag_flags = ntohs(old_header->frag_off);
    181   uint16_t frag_off = frag_flags & IP_OFFMASK;
    182   if (frag_off == 0 && (frag_flags & IP_MF) == 0) {
    183     // Not a fragment.
    184     return 0;
    185   }
    186 
    187   frag_hdr->ip6f_nxt = ip6_targ->ip6_nxt;
    188   frag_hdr->ip6f_reserved = 0;
    189   // In IPv4, the offset is the bottom 13 bits; in IPv6 it's the top 13 bits.
    190   frag_hdr->ip6f_offlg = htons(frag_off << 3);
    191   if (frag_flags & IP_MF) {
    192     frag_hdr->ip6f_offlg |= IP6F_MORE_FRAG;
    193   }
    194   frag_hdr->ip6f_ident = htonl(ntohs(old_header->id));
    195   ip6_targ->ip6_nxt = IPPROTO_FRAGMENT;
    196 
    197   return sizeof(*frag_hdr);
    198 }
    199 
    200 /* function: parse_frag_header
    201  * return the length of the fragmentation header if present, or zero if not present
    202  * generate an ipv6 fragment header from an ipv4 header
    203  * frag_hdr    - (ipv6) fragmentation header
    204  * ip_targ     - target (ipv4) header
    205  * returns: the next header value
    206  */
    207 uint8_t parse_frag_header(const struct ip6_frag *frag_hdr, struct iphdr *ip_targ) {
    208   uint16_t frag_off = (ntohs(frag_hdr->ip6f_offlg & IP6F_OFF_MASK) >> 3);
    209   if (frag_hdr->ip6f_offlg & IP6F_MORE_FRAG) {
    210     frag_off |= IP_MF;
    211   }
    212   ip_targ->frag_off = htons(frag_off);
    213   ip_targ->id = htons(ntohl(frag_hdr->ip6f_ident) & 0xffff);
    214   ip_targ->protocol = frag_hdr->ip6f_nxt;
    215   return frag_hdr->ip6f_nxt;
    216 }
    217 
    218 /* function: icmp_to_icmp6
    219  * translate ipv4 icmp to ipv6 icmp
    220  * out          - output packet
    221  * icmp         - source packet icmp header
    222  * checksum     - pseudo-header checksum
    223  * payload      - icmp payload
    224  * payload_size - size of payload
    225  * returns: the highest position in the output clat_packet that's filled in
    226  */
    227 int icmp_to_icmp6(clat_packet out, int pos, const struct icmphdr *icmp, uint32_t checksum,
    228                   const char *payload, size_t payload_size) {
    229   struct icmp6_hdr *icmp6_targ = out[pos].iov_base;
    230   uint8_t icmp6_type;
    231   int clat_packet_len;
    232 
    233   memset(icmp6_targ, 0, sizeof(struct icmp6_hdr));
    234 
    235   icmp6_type = icmp_to_icmp6_type(icmp->type, icmp->code);
    236   icmp6_targ->icmp6_type = icmp6_type;
    237   icmp6_targ->icmp6_code = icmp_to_icmp6_code(icmp->type, icmp->code);
    238 
    239   out[pos].iov_len = sizeof(struct icmp6_hdr);
    240 
    241   if (pos == CLAT_POS_TRANSPORTHDR &&
    242       is_icmp_error(icmp->type) &&
    243       icmp6_type != ICMP6_PARAM_PROB) {
    244     // An ICMP error we understand, one level deep.
    245     // Translate the nested packet (the one that caused the error).
    246     clat_packet_len = ipv4_packet(out, pos + 1, payload, payload_size);
    247 
    248     // The pseudo-header checksum was calculated on the transport length of the original IPv4
    249     // packet that we were asked to translate. This transport length is 20 bytes smaller than it
    250     // needs to be, because the ICMP error contains an IPv4 header, which we will be translating to
    251     // an IPv6 header, which is 20 bytes longer. Fix it up here.
    252     // We only need to do this for ICMP->ICMPv6, not ICMPv6->ICMP, because ICMP does not use the
    253     // pseudo-header when calculating its checksum (as the IPv4 header has its own checksum).
    254     checksum = checksum + htons(20);
    255   } else if (icmp6_type == ICMP6_ECHO_REQUEST || icmp6_type == ICMP6_ECHO_REPLY) {
    256     // Ping packet.
    257     icmp6_targ->icmp6_id = icmp->un.echo.id;
    258     icmp6_targ->icmp6_seq = icmp->un.echo.sequence;
    259     out[CLAT_POS_PAYLOAD].iov_base = (char *) payload;
    260     out[CLAT_POS_PAYLOAD].iov_len = payload_size;
    261     clat_packet_len = CLAT_POS_PAYLOAD + 1;
    262   } else {
    263     // Unknown type/code. The type/code conversion functions have already logged an error.
    264     return 0;
    265   }
    266 
    267   icmp6_targ->icmp6_cksum = 0;  // Checksum field must be 0 when calculating checksum.
    268   icmp6_targ->icmp6_cksum = packet_checksum(checksum, out, pos);
    269 
    270   return clat_packet_len;
    271 }
    272 
    273 /* function: icmp6_to_icmp
    274  * translate ipv6 icmp to ipv4 icmp
    275  * out          - output packet
    276  * icmp6        - source packet icmp6 header
    277  * payload      - icmp6 payload
    278  * payload_size - size of payload
    279  * returns: the highest position in the output clat_packet that's filled in
    280  */
    281 int icmp6_to_icmp(clat_packet out, int pos, const struct icmp6_hdr *icmp6,
    282                   const char *payload, size_t payload_size) {
    283   struct icmphdr *icmp_targ = out[pos].iov_base;
    284   uint8_t icmp_type;
    285   int clat_packet_len;
    286 
    287   memset(icmp_targ, 0, sizeof(struct icmphdr));
    288 
    289   icmp_type = icmp6_to_icmp_type(icmp6->icmp6_type, icmp6->icmp6_code);
    290   icmp_targ->type = icmp_type;
    291   icmp_targ->code = icmp6_to_icmp_code(icmp6->icmp6_type, icmp6->icmp6_code);
    292 
    293   out[pos].iov_len = sizeof(struct icmphdr);
    294 
    295   if (pos == CLAT_POS_TRANSPORTHDR &&
    296       is_icmp6_error(icmp6->icmp6_type) &&
    297       icmp_type != ICMP_PARAMETERPROB) {
    298     // An ICMPv6 error we understand, one level deep.
    299     // Translate the nested packet (the one that caused the error).
    300     clat_packet_len = ipv6_packet(out, pos + 1, payload, payload_size);
    301   } else if (icmp_type == ICMP_ECHO || icmp_type == ICMP_ECHOREPLY) {
    302     // Ping packet.
    303     icmp_targ->un.echo.id = icmp6->icmp6_id;
    304     icmp_targ->un.echo.sequence = icmp6->icmp6_seq;
    305     out[CLAT_POS_PAYLOAD].iov_base = (char *) payload;
    306     out[CLAT_POS_PAYLOAD].iov_len = payload_size;
    307     clat_packet_len = CLAT_POS_PAYLOAD + 1;
    308   } else {
    309       // Unknown type/code. The type/code conversion functions have already logged an error.
    310     return 0;
    311   }
    312 
    313   icmp_targ->checksum = 0;  // Checksum field must be 0 when calculating checksum.
    314   icmp_targ->checksum = packet_checksum(0, out, pos);
    315 
    316   return clat_packet_len;
    317 }
    318 
    319 /* function: generic_packet
    320  * takes a generic IP packet and sets it up for translation
    321  * out      - output packet
    322  * pos      - position in the output packet of the transport header
    323  * payload  - pointer to IP payload
    324  * len      - size of ip payload
    325  * returns: the highest position in the output clat_packet that's filled in
    326  */
    327 int generic_packet(clat_packet out, int pos, const char *payload, size_t len) {
    328   out[pos].iov_len = 0;
    329   out[CLAT_POS_PAYLOAD].iov_base = (char *) payload;
    330   out[CLAT_POS_PAYLOAD].iov_len = len;
    331 
    332   return CLAT_POS_PAYLOAD + 1;
    333 }
    334 
    335 /* function: udp_packet
    336  * takes a udp packet and sets it up for translation
    337  * out      - output packet
    338  * udp      - pointer to udp header in packet
    339  * old_sum  - pseudo-header checksum of old header
    340  * new_sum  - pseudo-header checksum of new header
    341  * len      - size of ip payload
    342  */
    343 int udp_packet(clat_packet out, int pos, const struct udphdr *udp,
    344                uint32_t old_sum, uint32_t new_sum, size_t len) {
    345   const char *payload;
    346   size_t payload_size;
    347 
    348   if(len < sizeof(struct udphdr)) {
    349     logmsg_dbg(ANDROID_LOG_ERROR,"udp_packet/(too small)");
    350     return 0;
    351   }
    352 
    353   payload = (const char *) (udp + 1);
    354   payload_size = len - sizeof(struct udphdr);
    355 
    356   return udp_translate(out, pos, udp, old_sum, new_sum, payload, payload_size);
    357 }
    358 
    359 /* function: tcp_packet
    360  * takes a tcp packet and sets it up for translation
    361  * out      - output packet
    362  * tcp      - pointer to tcp header in packet
    363  * checksum - pseudo-header checksum
    364  * len      - size of ip payload
    365  * returns: the highest position in the output clat_packet that's filled in
    366  */
    367 int tcp_packet(clat_packet out, int pos, const struct tcphdr *tcp,
    368                uint32_t old_sum, uint32_t new_sum, size_t len) {
    369   const char *payload;
    370   size_t payload_size, header_size;
    371 
    372   if(len < sizeof(struct tcphdr)) {
    373     logmsg_dbg(ANDROID_LOG_ERROR,"tcp_packet/(too small)");
    374     return 0;
    375   }
    376 
    377   if(tcp->doff < 5) {
    378     logmsg_dbg(ANDROID_LOG_ERROR,"tcp_packet/tcp header length set to less than 5: %x", tcp->doff);
    379     return 0;
    380   }
    381 
    382   if((size_t) tcp->doff*4 > len) {
    383     logmsg_dbg(ANDROID_LOG_ERROR,"tcp_packet/tcp header length set too large: %x", tcp->doff);
    384     return 0;
    385   }
    386 
    387   header_size = tcp->doff * 4;
    388   payload = ((const char *) tcp) + header_size;
    389   payload_size = len - header_size;
    390 
    391   return tcp_translate(out, pos, tcp, header_size, old_sum, new_sum, payload, payload_size);
    392 }
    393 
    394 /* function: udp_translate
    395  * common between ipv4/ipv6 - setup checksum and send udp packet
    396  * out          - output packet
    397  * udp          - udp header
    398  * old_sum      - pseudo-header checksum of old header
    399  * new_sum      - pseudo-header checksum of new header
    400  * payload      - tcp payload
    401  * payload_size - size of payload
    402  * returns: the highest position in the output clat_packet that's filled in
    403  */
    404 int udp_translate(clat_packet out, int pos, const struct udphdr *udp, uint32_t old_sum,
    405                   uint32_t new_sum, const char *payload, size_t payload_size) {
    406   struct udphdr *udp_targ = out[pos].iov_base;
    407 
    408   memcpy(udp_targ, udp, sizeof(struct udphdr));
    409 
    410   out[pos].iov_len = sizeof(struct udphdr);
    411   out[CLAT_POS_PAYLOAD].iov_base = (char *) payload;
    412   out[CLAT_POS_PAYLOAD].iov_len = payload_size;
    413 
    414   if (udp_targ->check) {
    415     udp_targ->check = ip_checksum_adjust(udp->check, old_sum, new_sum);
    416   } else {
    417     // Zero checksums are special. RFC 768 says, "An all zero transmitted checksum value means that
    418     // the transmitter generated no checksum (for debugging or for higher level protocols that
    419     // don't care)." However, in IPv6 zero UDP checksums were only permitted by RFC 6935 (2013). So
    420     // for safety we recompute it.
    421     udp_targ->check = 0;  // Checksum field must be 0 when calculating checksum.
    422     udp_targ->check = packet_checksum(new_sum, out, pos);
    423   }
    424 
    425   // RFC 768: "If the computed checksum is zero, it is transmitted as all ones (the equivalent
    426   // in one's complement arithmetic)."
    427   if (!udp_targ->check) {
    428     udp_targ->check = 0xffff;
    429   }
    430 
    431   return CLAT_POS_PAYLOAD + 1;
    432 }
    433 
    434 /* function: tcp_translate
    435  * common between ipv4/ipv6 - setup checksum and send tcp packet
    436  * out          - output packet
    437  * tcp          - tcp header
    438  * header_size  - size of tcp header including options
    439  * checksum     - partial checksum covering ipv4/ipv6 header
    440  * payload      - tcp payload
    441  * payload_size - size of payload
    442  * returns: the highest position in the output clat_packet that's filled in
    443  */
    444 int tcp_translate(clat_packet out, int pos, const struct tcphdr *tcp, size_t header_size,
    445                   uint32_t old_sum, uint32_t new_sum, const char *payload, size_t payload_size) {
    446   struct tcphdr *tcp_targ = out[pos].iov_base;
    447   out[pos].iov_len = header_size;
    448 
    449   if (header_size > MAX_TCP_HDR) {
    450     // A TCP header cannot be more than MAX_TCP_HDR bytes long because it's a 4-bit field that
    451     // counts in 4-byte words. So this can never happen unless there is a bug in the caller.
    452     logmsg(ANDROID_LOG_ERROR, "tcp_translate: header too long %d > %d, truncating",
    453            header_size, MAX_TCP_HDR);
    454     header_size = MAX_TCP_HDR;
    455   }
    456 
    457   memcpy(tcp_targ, tcp, header_size);
    458 
    459   out[CLAT_POS_PAYLOAD].iov_base = (char *)payload;
    460   out[CLAT_POS_PAYLOAD].iov_len = payload_size;
    461 
    462   tcp_targ->check = ip_checksum_adjust(tcp->check, old_sum, new_sum);
    463 
    464   return CLAT_POS_PAYLOAD + 1;
    465 }
    466 
    467 /* function: translate_packet
    468  * takes a tun header and a packet and sends it down the stack
    469  * tunnel     - tun device data
    470  * tun_header - tun header
    471  * packet     - packet
    472  * packetsize - size of packet
    473  */
    474 void translate_packet(const struct tun_data *tunnel, struct tun_pi *tun_header, const char *packet,
    475                       size_t packetsize) {
    476   int fd;
    477   int iov_len = 0;
    478 
    479   // Allocate buffers for all packet headers.
    480   struct tun_pi tun_targ;
    481   char iphdr[sizeof(struct ip6_hdr)];
    482   char fraghdr[sizeof(struct ip6_frag)];
    483   char transporthdr[MAX_TCP_HDR];
    484   char icmp_iphdr[sizeof(struct ip6_hdr)];
    485   char icmp_fraghdr[sizeof(struct ip6_frag)];
    486   char icmp_transporthdr[MAX_TCP_HDR];
    487 
    488   // iovec of the packets we'll send. This gets passed down to the translation functions.
    489   clat_packet out = {
    490     { &tun_targ, sizeof(tun_targ) },  // Tunnel header.
    491     { iphdr, 0 },                     // IP header.
    492     { fraghdr, 0 },                   // Fragment header.
    493     { transporthdr, 0 },              // Transport layer header.
    494     { icmp_iphdr, 0 },                // ICMP error inner IP header.
    495     { icmp_fraghdr, 0 },              // ICMP error fragmentation header.
    496     { icmp_transporthdr, 0 },         // ICMP error transport layer header.
    497     { NULL, 0 },                      // Payload. No buffer, it's a pointer to the original payload.
    498   };
    499 
    500   if(tun_header->flags != 0) {
    501     logmsg(ANDROID_LOG_WARN, "translate_packet: unexpected flags = %d", tun_header->flags);
    502   }
    503 
    504   if(ntohs(tun_header->proto) == ETH_P_IP) {
    505     fd = tunnel->fd6;
    506     fill_tun_header(&tun_targ, ETH_P_IPV6);
    507     iov_len = ipv4_packet(out, CLAT_POS_IPHDR, packet, packetsize);
    508   } else if(ntohs(tun_header->proto) == ETH_P_IPV6) {
    509     fd = tunnel->fd4;
    510     fill_tun_header(&tun_targ, ETH_P_IP);
    511     iov_len = ipv6_packet(out, CLAT_POS_IPHDR, packet, packetsize);
    512   } else {
    513     logmsg(ANDROID_LOG_WARN, "translate_packet: unknown packet type = %x",tun_header->proto);
    514   }
    515 
    516   if (iov_len > 0) {
    517     writev(fd, out, iov_len);
    518   }
    519 }
    520