1 /*
2 * Copyright 2012 Daniel Drown
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 * clatd.c - tun interface setup and main event loop
17 */
18 #include <arpa/inet.h>
19 #include <errno.h>
20 #include <fcntl.h>
21 #include <poll.h>
22 #include <signal.h>
23 #include <stdbool.h>
24 #include <stdio.h>
25 #include <stdlib.h>
26 #include <string.h>
27 #include <sys/ioctl.h>
28 #include <sys/prctl.h>
29 #include <sys/stat.h>
30 #include <sys/types.h>
31 #include <time.h>
32 #include <unistd.h>
33
34 #include <linux/filter.h>
35 #include <linux/if.h>
36 #include <linux/if_ether.h>
37 #include <linux/if_packet.h>
38 #include <linux/if_tun.h>
39 #include <linux/virtio_net.h>
40 #include <net/if.h>
41 #include <sys/uio.h>
42
43 #include "clatd.h"
44 #include "checksum.h"
45 #include "config.h"
46 #include "dump.h"
47 #include "logging.h"
48 #include "translate.h"
49
50 struct clat_config Global_Clatd_Config;
51
52 volatile sig_atomic_t running = 1;
53
54 // reads IPv6 packet from AF_PACKET socket, translates to IPv4, writes to tun
process_packet_6_to_4(struct tun_data * tunnel)55 void process_packet_6_to_4(struct tun_data *tunnel) {
56 // ethernet header is 14 bytes, plus 4 for a normal VLAN tag or 8 for Q-in-Q
57 // we don't really support vlans (or especially Q-in-Q)...
58 // but a few bytes of extra buffer space doesn't hurt...
59 struct {
60 struct virtio_net_hdr vnet;
61 uint8_t payload[22 + MAXMTU];
62 char pad; // +1 to make packet truncation obvious
63 } buf;
64 struct iovec iov = {
65 .iov_base = &buf,
66 .iov_len = sizeof(buf),
67 };
68 char cmsg_buf[CMSG_SPACE(sizeof(struct tpacket_auxdata))];
69 struct msghdr msgh = {
70 .msg_iov = &iov,
71 .msg_iovlen = 1,
72 .msg_control = cmsg_buf,
73 .msg_controllen = sizeof(cmsg_buf),
74 };
75 ssize_t readlen = recvmsg(tunnel->read_fd6, &msgh, /*flags*/ 0);
76
77 if (readlen < 0) {
78 if (errno != EAGAIN) {
79 logmsg(ANDROID_LOG_WARN, "%s: read error: %s", __func__, strerror(errno));
80 }
81 return;
82 } else if (readlen == 0) {
83 logmsg(ANDROID_LOG_WARN, "%s: packet socket removed?", __func__);
84 running = 0;
85 return;
86 } else if (readlen >= sizeof(buf)) {
87 logmsg(ANDROID_LOG_WARN, "%s: read truncation - ignoring pkt", __func__);
88 return;
89 }
90
91 bool ok = false;
92 __u32 tp_status = 0;
93 __u16 tp_net = 0;
94
95 for (struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msgh); cmsg != NULL; cmsg = CMSG_NXTHDR(&msgh,cmsg)) {
96 if (cmsg->cmsg_level == SOL_PACKET && cmsg->cmsg_type == PACKET_AUXDATA) {
97 struct tpacket_auxdata *aux = (struct tpacket_auxdata *)CMSG_DATA(cmsg);
98 ok = true;
99 tp_status = aux->tp_status;
100 tp_net = aux->tp_net;
101 break;
102 }
103 }
104
105 if (!ok) {
106 // theoretically this should not happen...
107 static bool logged = false;
108 if (!logged) {
109 logmsg(ANDROID_LOG_ERROR, "%s: failed to fetch tpacket_auxdata cmsg", __func__);
110 logged = true;
111 }
112 }
113
114 const int payload_offset = offsetof(typeof(buf), payload);
115 if (readlen < payload_offset + tp_net) {
116 logmsg(ANDROID_LOG_WARN, "%s: ignoring %zd byte pkt shorter than %d+%u L2 header",
117 __func__, readlen, payload_offset, tp_net);
118 return;
119 }
120
121 const int pkt_len = readlen - payload_offset;
122
123 // This will detect a skb->ip_summed == CHECKSUM_PARTIAL packet with non-final L4 checksum
124 if (tp_status & TP_STATUS_CSUMNOTREADY) {
125 static bool logged = false;
126 if (!logged) {
127 logmsg(ANDROID_LOG_WARN, "%s: L4 checksum calculation required", __func__);
128 logged = true;
129 }
130
131 // These are non-negative by virtue of csum_start/offset being u16
132 const int cs_start = buf.vnet.csum_start;
133 const int cs_offset = cs_start + buf.vnet.csum_offset;
134 if (cs_start > pkt_len) {
135 logmsg(ANDROID_LOG_ERROR, "%s: out of range - checksum start %d > %d",
136 __func__, cs_start, pkt_len);
137 } else if (cs_offset + 1 >= pkt_len) {
138 logmsg(ANDROID_LOG_ERROR, "%s: out of range - checksum offset %d + 1 >= %d",
139 __func__, cs_offset, pkt_len);
140 } else {
141 uint16_t csum = ip_checksum(buf.payload + cs_start, pkt_len - cs_start);
142 if (!csum) csum = 0xFFFF; // required fixup for UDP, TCP must live with it
143 buf.payload[cs_offset] = csum & 0xFF;
144 buf.payload[cs_offset + 1] = csum >> 8;
145 }
146 }
147
148 translate_packet(tunnel->fd4, 0 /* to_ipv6 */, buf.payload + tp_net, pkt_len - tp_net);
149 }
150
151 // reads TUN_PI + L3 IPv4 packet from tun, translates to IPv6, writes to AF_INET6/RAW socket
process_packet_4_to_6(struct tun_data * tunnel)152 void process_packet_4_to_6(struct tun_data *tunnel) {
153 struct {
154 struct tun_pi pi;
155 uint8_t payload[MAXMTU];
156 char pad; // +1 byte to make packet truncation obvious
157 } buf;
158 ssize_t readlen = read(tunnel->fd4, &buf, sizeof(buf));
159
160 if (readlen < 0) {
161 if (errno != EAGAIN) {
162 logmsg(ANDROID_LOG_WARN, "%s: read error: %s", __func__, strerror(errno));
163 }
164 return;
165 } else if (readlen == 0) {
166 logmsg(ANDROID_LOG_WARN, "%s: tun interface removed", __func__);
167 running = 0;
168 return;
169 } else if (readlen >= sizeof(buf)) {
170 logmsg(ANDROID_LOG_WARN, "%s: read truncation - ignoring pkt", __func__);
171 return;
172 }
173
174 const int payload_offset = offsetof(typeof(buf), payload);
175
176 if (readlen < payload_offset) {
177 logmsg(ANDROID_LOG_WARN, "%s: short read: got %ld bytes", __func__, readlen);
178 return;
179 }
180
181 const int pkt_len = readlen - payload_offset;
182
183 uint16_t proto = ntohs(buf.pi.proto);
184 if (proto != ETH_P_IP) {
185 logmsg(ANDROID_LOG_WARN, "%s: unknown packet type = 0x%x", __func__, proto);
186 return;
187 }
188
189 if (buf.pi.flags != 0) {
190 logmsg(ANDROID_LOG_WARN, "%s: unexpected flags = %d", __func__, buf.pi.flags);
191 }
192
193 translate_packet(tunnel->write_fd6, 1 /* to_ipv6 */, buf.payload, pkt_len);
194 }
195
196 // IPv6 DAD packet format:
197 // Ethernet header (if needed) will be added by the kernel:
198 // u8[6] src_mac; u8[6] dst_mac '33:33:ff:XX:XX:XX'; be16 ethertype '0x86DD'
199 // IPv6 header:
200 // be32 0x60000000 - ipv6, tclass 0, flowlabel 0
201 // be16 payload_length '32'; u8 nxt_hdr ICMPv6 '58'; u8 hop limit '255'
202 // u128 src_ip6 '::'
203 // u128 dst_ip6 'ff02::1:ffXX:XXXX'
204 // ICMPv6 header:
205 // u8 type '135'; u8 code '0'; u16 icmp6 checksum; u32 reserved '0'
206 // ICMPv6 neighbour solicitation payload:
207 // u128 tgt_ip6
208 // ICMPv6 ND options:
209 // u8 opt nr '14'; u8 length '1'; u8[6] nonce '6 random bytes'
send_dad(int fd,const struct in6_addr * tgt)210 void send_dad(int fd, const struct in6_addr* tgt) {
211 struct {
212 struct ip6_hdr ip6h;
213 struct nd_neighbor_solicit ns;
214 uint8_t ns_opt_nr;
215 uint8_t ns_opt_len;
216 uint8_t ns_opt_nonce[6];
217 } dad_pkt = {
218 .ip6h = {
219 .ip6_flow = htonl(6 << 28), // v6, 0 tclass, 0 flowlabel
220 .ip6_plen = htons(sizeof(dad_pkt) - sizeof(struct ip6_hdr)), // payload length, ie. 32
221 .ip6_nxt = IPPROTO_ICMPV6, // 58
222 .ip6_hlim = 255,
223 .ip6_src = {}, // ::
224 .ip6_dst.s6_addr = {
225 0xFF, 0x02, 0, 0,
226 0, 0, 0, 0,
227 0, 0, 0, 1,
228 0xFF, tgt->s6_addr[13], tgt->s6_addr[14], tgt->s6_addr[15],
229 }, // ff02::1:ffXX:XXXX - multicast group address derived from bottom 24-bits of tgt
230 },
231 .ns = {
232 .nd_ns_type = ND_NEIGHBOR_SOLICIT, // 135
233 .nd_ns_code = 0,
234 .nd_ns_cksum = 0, // will be calculated later
235 .nd_ns_reserved = 0,
236 .nd_ns_target = *tgt,
237 },
238 .ns_opt_nr = 14, // icmp6 option 'nonce' from RFC3971
239 .ns_opt_len = 1, // in units of 8 bytes, including option nr and len
240 .ns_opt_nonce = {}, // opt_len *8 - sizeof u8(opt_nr) - sizeof u8(opt_len) = 6 ranodmized bytes
241 };
242 arc4random_buf(&dad_pkt.ns_opt_nonce, sizeof(dad_pkt.ns_opt_nonce));
243
244 // 40 byte IPv6 header + 8 byte ICMPv6 header + 16 byte ipv6 target address + 8 byte nonce option
245 _Static_assert(sizeof(dad_pkt) == 40 + 8 + 16 + 8, "sizeof dad packet != 72");
246
247 // IPv6 header checksum is standard negated 16-bit one's complement sum over the icmpv6 pseudo
248 // header (which includes payload length, nextheader, and src/dst ip) and the icmpv6 payload.
249 //
250 // Src/dst ip immediately prefix the icmpv6 header itself, so can be handled along
251 // with the payload. We thus only need to manually account for payload len & next header.
252 //
253 // The magic '8' is simply the offset of the ip6_src field in the ipv6 header,
254 // ie. we're skipping over the ipv6 version, tclass, flowlabel, payload length, next header
255 // and hop limit fields, because they're not quite where we want them to be.
256 //
257 // ip6_plen is already in network order, while ip6_nxt is a single byte and thus needs htons().
258 uint32_t csum = dad_pkt.ip6h.ip6_plen + htons(dad_pkt.ip6h.ip6_nxt);
259 csum = ip_checksum_add(csum, &dad_pkt.ip6h.ip6_src, sizeof(dad_pkt) - 8);
260 dad_pkt.ns.nd_ns_cksum = ip_checksum_finish(csum);
261
262 const struct sockaddr_in6 dst = {
263 .sin6_family = AF_INET6,
264 .sin6_addr = dad_pkt.ip6h.ip6_dst,
265 .sin6_scope_id = if_nametoindex(Global_Clatd_Config.native_ipv6_interface),
266 };
267
268 sendto(fd, &dad_pkt, sizeof(dad_pkt), 0 /*flags*/, (const struct sockaddr *)&dst, sizeof(dst));
269 }
270
271 /* function: event_loop
272 * reads packets from the tun network interface and passes them down the stack
273 * tunnel - tun device data
274 */
event_loop(struct tun_data * tunnel)275 void event_loop(struct tun_data *tunnel) {
276 // Apparently some network gear will refuse to perform NS for IPs that aren't DAD'ed,
277 // this would then result in an ipv6-only network with working native ipv6, working
278 // IPv4 via DNS64, but non-functioning IPv4 via CLAT (ie. IPv4 literals + IPv4 only apps).
279 // The kernel itself doesn't do DAD for anycast ips (but does handle IPV6 MLD and handle ND).
280 // So we'll spoof dad here, and yeah, we really should check for a response and in
281 // case of failure pick a different IP. Seeing as 48-bits of the IP are utterly random
282 // (with the other 16 chosen to guarantee checksum neutrality) this seems like a remote
283 // concern...
284 // TODO: actually perform true DAD
285 send_dad(tunnel->write_fd6, &Global_Clatd_Config.ipv6_local_subnet);
286
287 struct pollfd wait_fd[] = {
288 { tunnel->read_fd6, POLLIN, 0 },
289 { tunnel->fd4, POLLIN, 0 },
290 };
291
292 while (running) {
293 if (poll(wait_fd, ARRAY_SIZE(wait_fd), -1) == -1) {
294 if (errno != EINTR) {
295 logmsg(ANDROID_LOG_WARN, "event_loop/poll returned an error: %s", strerror(errno));
296 }
297 } else {
298 // Call process_packet if the socket has data to be read, but also if an
299 // error is waiting. If we don't call read() after getting POLLERR, a
300 // subsequent poll() will return immediately with POLLERR again,
301 // causing this code to spin in a loop. Calling read() will clear the
302 // socket error flag instead.
303 if (wait_fd[0].revents) process_packet_6_to_4(tunnel);
304 if (wait_fd[1].revents) process_packet_4_to_6(tunnel);
305 }
306 }
307 }
308