1 /* 2 * Copyright 2011 Daniel Drown 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 * 16 * translate.c - CLAT functions / partial implementation of rfc6145 17 */ 18 #include <string.h> 19 20 #include "icmp.h" 21 #include "translate.h" 22 #include "checksum.h" 23 #include "clatd.h" 24 #include "config.h" 25 #include "logging.h" 26 #include "debug.h" 27 #include "tun.h" 28 29 /* function: packet_checksum 30 * calculates the checksum over all the packet components starting from pos 31 * checksum - checksum of packet components before pos 32 * packet - packet to calculate the checksum of 33 * pos - position to start counting from 34 * returns - the completed 16-bit checksum, ready to write into a checksum header field 35 */ 36 uint16_t packet_checksum(uint32_t checksum, clat_packet packet, clat_packet_index pos) { 37 int i; 38 for (i = pos; i < CLAT_POS_MAX; i++) { 39 if (packet[i].iov_len > 0) { 40 checksum = ip_checksum_add(checksum, packet[i].iov_base, packet[i].iov_len); 41 } 42 } 43 return ip_checksum_finish(checksum); 44 } 45 46 /* function: packet_length 47 * returns the total length of all the packet components after pos 48 * packet - packet to calculate the length of 49 * pos - position to start counting after 50 * returns: the total length of the packet components after pos 51 */ 52 uint16_t packet_length(clat_packet packet, clat_packet_index pos) { 53 size_t len = 0; 54 int i; 55 for (i = pos + 1; i < CLAT_POS_MAX; i++) { 56 len += packet[i].iov_len; 57 } 58 return len; 59 } 60 61 /* function: is_in_plat_subnet 62 * returns true iff the given IPv6 address is in the plat subnet. 63 * addr - IPv6 address 64 */ 65 int is_in_plat_subnet(const struct in6_addr *addr6) { 66 // Assumes a /96 plat subnet. 67 return (addr6 != NULL) && (memcmp(addr6, &Global_Clatd_Config.plat_subnet, 12) == 0); 68 } 69 70 /* function: ipv6_addr_to_ipv4_addr 71 * return the corresponding ipv4 address for the given ipv6 address 72 * addr6 - ipv6 address 73 * returns: the IPv4 address 74 */ 75 uint32_t ipv6_addr_to_ipv4_addr(const struct in6_addr *addr6) { 76 if (is_in_plat_subnet(addr6)) { 77 // Assumes a /96 plat subnet. 78 return addr6->s6_addr32[3]; 79 } else if (IN6_ARE_ADDR_EQUAL(addr6, &Global_Clatd_Config.ipv6_local_subnet)) { 80 // Special-case our own address. 81 return Global_Clatd_Config.ipv4_local_subnet.s_addr; 82 } else { 83 // Third party packet. Let the caller deal with it. 84 return INADDR_NONE; 85 } 86 } 87 88 /* function: ipv4_addr_to_ipv6_addr 89 * return the corresponding ipv6 address for the given ipv4 address 90 * addr4 - ipv4 address 91 */ 92 struct in6_addr ipv4_addr_to_ipv6_addr(uint32_t addr4) { 93 struct in6_addr addr6; 94 // Both addresses are in network byte order (addr4 comes from a network packet, and the config 95 // file entry is read using inet_ntop). 96 if (addr4 == Global_Clatd_Config.ipv4_local_subnet.s_addr) { 97 return Global_Clatd_Config.ipv6_local_subnet; 98 } else { 99 // Assumes a /96 plat subnet. 100 addr6 = Global_Clatd_Config.plat_subnet; 101 addr6.s6_addr32[3] = addr4; 102 return addr6; 103 } 104 } 105 106 /* function: fill_tun_header 107 * fill in the header for the tun fd 108 * tun_header - tunnel header, already allocated 109 * proto - ethernet protocol id: ETH_P_IP(ipv4) or ETH_P_IPV6(ipv6) 110 */ 111 void fill_tun_header(struct tun_pi *tun_header, uint16_t proto) { 112 tun_header->flags = 0; 113 tun_header->proto = htons(proto); 114 } 115 116 /* function: fill_ip_header 117 * generate an ipv4 header from an ipv6 header 118 * ip_targ - (ipv4) target packet header, source: original ipv4 addr, dest: local subnet addr 119 * payload_len - length of other data inside packet 120 * protocol - protocol number (tcp, udp, etc) 121 * old_header - (ipv6) source packet header, source: nat64 prefix, dest: local subnet prefix 122 */ 123 void fill_ip_header(struct iphdr *ip, uint16_t payload_len, uint8_t protocol, 124 const struct ip6_hdr *old_header) { 125 int ttl_guess; 126 memset(ip, 0, sizeof(struct iphdr)); 127 128 ip->ihl = 5; 129 ip->version = 4; 130 ip->tos = 0; 131 ip->tot_len = htons(sizeof(struct iphdr) + payload_len); 132 ip->id = 0; 133 ip->frag_off = htons(IP_DF); 134 ip->ttl = old_header->ip6_hlim; 135 ip->protocol = protocol; 136 ip->check = 0; 137 138 ip->saddr = ipv6_addr_to_ipv4_addr(&old_header->ip6_src); 139 ip->daddr = ipv6_addr_to_ipv4_addr(&old_header->ip6_dst); 140 141 // Third-party ICMPv6 message. This may have been originated by an native IPv6 address. 142 // In that case, the source IPv6 address can't be translated and we need to make up an IPv4 143 // source address. For now, use 255.0.0.<ttl>, which at least looks useful in traceroute. 144 if ((uint32_t) ip->saddr == INADDR_NONE) { 145 ttl_guess = icmp_guess_ttl(old_header->ip6_hlim); 146 ip->saddr = htonl((0xff << 24) + ttl_guess); 147 } 148 } 149 150 /* function: fill_ip6_header 151 * generate an ipv6 header from an ipv4 header 152 * ip6 - (ipv6) target packet header, source: local subnet prefix, dest: nat64 prefix 153 * payload_len - length of other data inside packet 154 * protocol - protocol number (tcp, udp, etc) 155 * old_header - (ipv4) source packet header, source: local subnet addr, dest: internet's ipv4 addr 156 */ 157 void fill_ip6_header(struct ip6_hdr *ip6, uint16_t payload_len, uint8_t protocol, 158 const struct iphdr *old_header) { 159 memset(ip6, 0, sizeof(struct ip6_hdr)); 160 161 ip6->ip6_vfc = 6 << 4; 162 ip6->ip6_plen = htons(payload_len); 163 ip6->ip6_nxt = protocol; 164 ip6->ip6_hlim = old_header->ttl; 165 166 ip6->ip6_src = ipv4_addr_to_ipv6_addr(old_header->saddr); 167 ip6->ip6_dst = ipv4_addr_to_ipv6_addr(old_header->daddr); 168 } 169 170 /* function: maybe_fill_frag_header 171 * fills a fragmentation header 172 * generate an ipv6 fragment header from an ipv4 header 173 * frag_hdr - target (ipv6) fragmentation header 174 * ip6_targ - target (ipv6) header 175 * old_header - (ipv4) source packet header 176 * returns: the length of the fragmentation header if present, or zero if not present 177 */ 178 size_t maybe_fill_frag_header(struct ip6_frag *frag_hdr, struct ip6_hdr *ip6_targ, 179 const struct iphdr *old_header) { 180 uint16_t frag_flags = ntohs(old_header->frag_off); 181 uint16_t frag_off = frag_flags & IP_OFFMASK; 182 if (frag_off == 0 && (frag_flags & IP_MF) == 0) { 183 // Not a fragment. 184 return 0; 185 } 186 187 frag_hdr->ip6f_nxt = ip6_targ->ip6_nxt; 188 frag_hdr->ip6f_reserved = 0; 189 // In IPv4, the offset is the bottom 13 bits; in IPv6 it's the top 13 bits. 190 frag_hdr->ip6f_offlg = htons(frag_off << 3); 191 if (frag_flags & IP_MF) { 192 frag_hdr->ip6f_offlg |= IP6F_MORE_FRAG; 193 } 194 frag_hdr->ip6f_ident = htonl(ntohs(old_header->id)); 195 ip6_targ->ip6_nxt = IPPROTO_FRAGMENT; 196 197 return sizeof(*frag_hdr); 198 } 199 200 /* function: parse_frag_header 201 * return the length of the fragmentation header if present, or zero if not present 202 * generate an ipv6 fragment header from an ipv4 header 203 * frag_hdr - (ipv6) fragmentation header 204 * ip_targ - target (ipv4) header 205 * returns: the next header value 206 */ 207 uint8_t parse_frag_header(const struct ip6_frag *frag_hdr, struct iphdr *ip_targ) { 208 uint16_t frag_off = (ntohs(frag_hdr->ip6f_offlg & IP6F_OFF_MASK) >> 3); 209 if (frag_hdr->ip6f_offlg & IP6F_MORE_FRAG) { 210 frag_off |= IP_MF; 211 } 212 ip_targ->frag_off = htons(frag_off); 213 ip_targ->id = htons(ntohl(frag_hdr->ip6f_ident) & 0xffff); 214 ip_targ->protocol = frag_hdr->ip6f_nxt; 215 return frag_hdr->ip6f_nxt; 216 } 217 218 /* function: icmp_to_icmp6 219 * translate ipv4 icmp to ipv6 icmp 220 * out - output packet 221 * icmp - source packet icmp header 222 * checksum - pseudo-header checksum 223 * payload - icmp payload 224 * payload_size - size of payload 225 * returns: the highest position in the output clat_packet that's filled in 226 */ 227 int icmp_to_icmp6(clat_packet out, clat_packet_index pos, const struct icmphdr *icmp, 228 uint32_t checksum, const uint8_t *payload, size_t payload_size) { 229 struct icmp6_hdr *icmp6_targ = out[pos].iov_base; 230 uint8_t icmp6_type; 231 int clat_packet_len; 232 233 memset(icmp6_targ, 0, sizeof(struct icmp6_hdr)); 234 235 icmp6_type = icmp_to_icmp6_type(icmp->type, icmp->code); 236 icmp6_targ->icmp6_type = icmp6_type; 237 icmp6_targ->icmp6_code = icmp_to_icmp6_code(icmp->type, icmp->code); 238 239 out[pos].iov_len = sizeof(struct icmp6_hdr); 240 241 if (pos == CLAT_POS_TRANSPORTHDR && 242 is_icmp_error(icmp->type) && 243 icmp6_type != ICMP6_PARAM_PROB) { 244 // An ICMP error we understand, one level deep. 245 // Translate the nested packet (the one that caused the error). 246 clat_packet_len = ipv4_packet(out, pos + 1, payload, payload_size); 247 248 // The pseudo-header checksum was calculated on the transport length of the original IPv4 249 // packet that we were asked to translate. This transport length is 20 bytes smaller than it 250 // needs to be, because the ICMP error contains an IPv4 header, which we will be translating to 251 // an IPv6 header, which is 20 bytes longer. Fix it up here. 252 // We only need to do this for ICMP->ICMPv6, not ICMPv6->ICMP, because ICMP does not use the 253 // pseudo-header when calculating its checksum (as the IPv4 header has its own checksum). 254 checksum = checksum + htons(20); 255 } else if (icmp6_type == ICMP6_ECHO_REQUEST || icmp6_type == ICMP6_ECHO_REPLY) { 256 // Ping packet. 257 icmp6_targ->icmp6_id = icmp->un.echo.id; 258 icmp6_targ->icmp6_seq = icmp->un.echo.sequence; 259 out[CLAT_POS_PAYLOAD].iov_base = (uint8_t *) payload; 260 out[CLAT_POS_PAYLOAD].iov_len = payload_size; 261 clat_packet_len = CLAT_POS_PAYLOAD + 1; 262 } else { 263 // Unknown type/code. The type/code conversion functions have already logged an error. 264 return 0; 265 } 266 267 icmp6_targ->icmp6_cksum = 0; // Checksum field must be 0 when calculating checksum. 268 icmp6_targ->icmp6_cksum = packet_checksum(checksum, out, pos); 269 270 return clat_packet_len; 271 } 272 273 /* function: icmp6_to_icmp 274 * translate ipv6 icmp to ipv4 icmp 275 * out - output packet 276 * icmp6 - source packet icmp6 header 277 * payload - icmp6 payload 278 * payload_size - size of payload 279 * returns: the highest position in the output clat_packet that's filled in 280 */ 281 int icmp6_to_icmp(clat_packet out, clat_packet_index pos, const struct icmp6_hdr *icmp6, 282 const uint8_t *payload, size_t payload_size) { 283 struct icmphdr *icmp_targ = out[pos].iov_base; 284 uint8_t icmp_type; 285 int clat_packet_len; 286 287 memset(icmp_targ, 0, sizeof(struct icmphdr)); 288 289 icmp_type = icmp6_to_icmp_type(icmp6->icmp6_type, icmp6->icmp6_code); 290 icmp_targ->type = icmp_type; 291 icmp_targ->code = icmp6_to_icmp_code(icmp6->icmp6_type, icmp6->icmp6_code); 292 293 out[pos].iov_len = sizeof(struct icmphdr); 294 295 if (pos == CLAT_POS_TRANSPORTHDR && 296 is_icmp6_error(icmp6->icmp6_type) && 297 icmp_type != ICMP_PARAMETERPROB) { 298 // An ICMPv6 error we understand, one level deep. 299 // Translate the nested packet (the one that caused the error). 300 clat_packet_len = ipv6_packet(out, pos + 1, payload, payload_size); 301 } else if (icmp_type == ICMP_ECHO || icmp_type == ICMP_ECHOREPLY) { 302 // Ping packet. 303 icmp_targ->un.echo.id = icmp6->icmp6_id; 304 icmp_targ->un.echo.sequence = icmp6->icmp6_seq; 305 out[CLAT_POS_PAYLOAD].iov_base = (uint8_t *) payload; 306 out[CLAT_POS_PAYLOAD].iov_len = payload_size; 307 clat_packet_len = CLAT_POS_PAYLOAD + 1; 308 } else { 309 // Unknown type/code. The type/code conversion functions have already logged an error. 310 return 0; 311 } 312 313 icmp_targ->checksum = 0; // Checksum field must be 0 when calculating checksum. 314 icmp_targ->checksum = packet_checksum(0, out, pos); 315 316 return clat_packet_len; 317 } 318 319 /* function: generic_packet 320 * takes a generic IP packet and sets it up for translation 321 * out - output packet 322 * pos - position in the output packet of the transport header 323 * payload - pointer to IP payload 324 * len - size of ip payload 325 * returns: the highest position in the output clat_packet that's filled in 326 */ 327 int generic_packet(clat_packet out, clat_packet_index pos, const uint8_t *payload, size_t len) { 328 out[pos].iov_len = 0; 329 out[CLAT_POS_PAYLOAD].iov_base = (uint8_t *) payload; 330 out[CLAT_POS_PAYLOAD].iov_len = len; 331 332 return CLAT_POS_PAYLOAD + 1; 333 } 334 335 /* function: udp_packet 336 * takes a udp packet and sets it up for translation 337 * out - output packet 338 * udp - pointer to udp header in packet 339 * old_sum - pseudo-header checksum of old header 340 * new_sum - pseudo-header checksum of new header 341 * len - size of ip payload 342 */ 343 int udp_packet(clat_packet out, clat_packet_index pos, const struct udphdr *udp, 344 uint32_t old_sum, uint32_t new_sum, size_t len) { 345 const uint8_t *payload; 346 size_t payload_size; 347 348 if(len < sizeof(struct udphdr)) { 349 logmsg_dbg(ANDROID_LOG_ERROR,"udp_packet/(too small)"); 350 return 0; 351 } 352 353 payload = (const uint8_t *) (udp + 1); 354 payload_size = len - sizeof(struct udphdr); 355 356 return udp_translate(out, pos, udp, old_sum, new_sum, payload, payload_size); 357 } 358 359 /* function: tcp_packet 360 * takes a tcp packet and sets it up for translation 361 * out - output packet 362 * tcp - pointer to tcp header in packet 363 * checksum - pseudo-header checksum 364 * len - size of ip payload 365 * returns: the highest position in the output clat_packet that's filled in 366 */ 367 int tcp_packet(clat_packet out, clat_packet_index pos, const struct tcphdr *tcp, 368 uint32_t old_sum, uint32_t new_sum, size_t len) { 369 const uint8_t *payload; 370 size_t payload_size, header_size; 371 372 if(len < sizeof(struct tcphdr)) { 373 logmsg_dbg(ANDROID_LOG_ERROR,"tcp_packet/(too small)"); 374 return 0; 375 } 376 377 if(tcp->doff < 5) { 378 logmsg_dbg(ANDROID_LOG_ERROR,"tcp_packet/tcp header length set to less than 5: %x", tcp->doff); 379 return 0; 380 } 381 382 if((size_t) tcp->doff*4 > len) { 383 logmsg_dbg(ANDROID_LOG_ERROR,"tcp_packet/tcp header length set too large: %x", tcp->doff); 384 return 0; 385 } 386 387 header_size = tcp->doff * 4; 388 payload = ((const uint8_t *) tcp) + header_size; 389 payload_size = len - header_size; 390 391 return tcp_translate(out, pos, tcp, header_size, old_sum, new_sum, payload, payload_size); 392 } 393 394 /* function: udp_translate 395 * common between ipv4/ipv6 - setup checksum and send udp packet 396 * out - output packet 397 * udp - udp header 398 * old_sum - pseudo-header checksum of old header 399 * new_sum - pseudo-header checksum of new header 400 * payload - tcp payload 401 * payload_size - size of payload 402 * returns: the highest position in the output clat_packet that's filled in 403 */ 404 int udp_translate(clat_packet out, clat_packet_index pos, const struct udphdr *udp, 405 uint32_t old_sum, uint32_t new_sum, const uint8_t *payload, size_t payload_size) { 406 struct udphdr *udp_targ = out[pos].iov_base; 407 408 memcpy(udp_targ, udp, sizeof(struct udphdr)); 409 410 out[pos].iov_len = sizeof(struct udphdr); 411 out[CLAT_POS_PAYLOAD].iov_base = (uint8_t *) payload; 412 out[CLAT_POS_PAYLOAD].iov_len = payload_size; 413 414 if (udp_targ->check) { 415 udp_targ->check = ip_checksum_adjust(udp->check, old_sum, new_sum); 416 } else { 417 // Zero checksums are special. RFC 768 says, "An all zero transmitted checksum value means that 418 // the transmitter generated no checksum (for debugging or for higher level protocols that 419 // don't care)." However, in IPv6 zero UDP checksums were only permitted by RFC 6935 (2013). So 420 // for safety we recompute it. 421 udp_targ->check = 0; // Checksum field must be 0 when calculating checksum. 422 udp_targ->check = packet_checksum(new_sum, out, pos); 423 } 424 425 // RFC 768: "If the computed checksum is zero, it is transmitted as all ones (the equivalent 426 // in one's complement arithmetic)." 427 if (!udp_targ->check) { 428 udp_targ->check = 0xffff; 429 } 430 431 return CLAT_POS_PAYLOAD + 1; 432 } 433 434 /* function: tcp_translate 435 * common between ipv4/ipv6 - setup checksum and send tcp packet 436 * out - output packet 437 * tcp - tcp header 438 * header_size - size of tcp header including options 439 * checksum - partial checksum covering ipv4/ipv6 header 440 * payload - tcp payload 441 * payload_size - size of payload 442 * returns: the highest position in the output clat_packet that's filled in 443 */ 444 int tcp_translate(clat_packet out, clat_packet_index pos, const struct tcphdr *tcp, 445 size_t header_size, uint32_t old_sum, uint32_t new_sum, 446 const uint8_t *payload, size_t payload_size) { 447 struct tcphdr *tcp_targ = out[pos].iov_base; 448 out[pos].iov_len = header_size; 449 450 if (header_size > MAX_TCP_HDR) { 451 // A TCP header cannot be more than MAX_TCP_HDR bytes long because it's a 4-bit field that 452 // counts in 4-byte words. So this can never happen unless there is a bug in the caller. 453 logmsg(ANDROID_LOG_ERROR, "tcp_translate: header too long %d > %d, truncating", 454 header_size, MAX_TCP_HDR); 455 header_size = MAX_TCP_HDR; 456 } 457 458 memcpy(tcp_targ, tcp, header_size); 459 460 out[CLAT_POS_PAYLOAD].iov_base = (uint8_t *) payload; 461 out[CLAT_POS_PAYLOAD].iov_len = payload_size; 462 463 tcp_targ->check = ip_checksum_adjust(tcp->check, old_sum, new_sum); 464 465 return CLAT_POS_PAYLOAD + 1; 466 } 467 468 // Weak symbol so we can override it in the unit test. 469 void send_rawv6(int fd, clat_packet out, int iov_len) __attribute__((weak)); 470 471 void send_rawv6(int fd, clat_packet out, int iov_len) { 472 // A send on a raw socket requires a destination address to be specified even if the socket's 473 // protocol is IPPROTO_RAW. This is the address that will be used in routing lookups; the 474 // destination address in the packet header only affects what appears on the wire, not where the 475 // packet is sent to. 476 static struct sockaddr_in6 sin6 = { AF_INET6, 0, 0, { { { 0, 0, 0, 0 } } }, 0 }; 477 static struct msghdr msg = { 478 .msg_name = &sin6, 479 .msg_namelen = sizeof(sin6), 480 }; 481 482 msg.msg_iov = out, 483 msg.msg_iovlen = iov_len, 484 sin6.sin6_addr = ((struct ip6_hdr *) out[CLAT_POS_IPHDR].iov_base)->ip6_dst; 485 sendmsg(fd, &msg, 0); 486 } 487 488 /* function: translate_packet 489 * takes a packet, translates it, and writes it to fd 490 * fd - fd to write translated packet to 491 * to_ipv6 - true if translating to ipv6, false if translating to ipv4 492 * packet - packet 493 * packetsize - size of packet 494 */ 495 void translate_packet(int fd, int to_ipv6, const uint8_t *packet, size_t packetsize) { 496 int iov_len = 0; 497 498 // Allocate buffers for all packet headers. 499 struct tun_pi tun_targ; 500 char iphdr[sizeof(struct ip6_hdr)]; 501 char fraghdr[sizeof(struct ip6_frag)]; 502 char transporthdr[MAX_TCP_HDR]; 503 char icmp_iphdr[sizeof(struct ip6_hdr)]; 504 char icmp_fraghdr[sizeof(struct ip6_frag)]; 505 char icmp_transporthdr[MAX_TCP_HDR]; 506 507 // iovec of the packets we'll send. This gets passed down to the translation functions. 508 clat_packet out = { 509 { &tun_targ, 0 }, // Tunnel header. 510 { iphdr, 0 }, // IP header. 511 { fraghdr, 0 }, // Fragment header. 512 { transporthdr, 0 }, // Transport layer header. 513 { icmp_iphdr, 0 }, // ICMP error inner IP header. 514 { icmp_fraghdr, 0 }, // ICMP error fragmentation header. 515 { icmp_transporthdr, 0 }, // ICMP error transport layer header. 516 { NULL, 0 }, // Payload. No buffer, it's a pointer to the original payload. 517 }; 518 519 if (to_ipv6) { 520 iov_len = ipv4_packet(out, CLAT_POS_IPHDR, packet, packetsize); 521 if (iov_len > 0) { 522 send_rawv6(fd, out, iov_len); 523 } 524 } else { 525 iov_len = ipv6_packet(out, CLAT_POS_IPHDR, packet, packetsize); 526 if (iov_len > 0) { 527 fill_tun_header(&tun_targ, ETH_P_IP); 528 out[CLAT_POS_TUNHDR].iov_len = sizeof(tun_targ); 529 send_tun(fd, out, iov_len); 530 } 531 } 532 } 533
