1 /*
2  * Copyright 2011 Daniel Drown
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  *
16  * ipv6.c - takes ipv6 packets, finds their headers, and then calls translation functions on them
17  */
18 #include <string.h>
19 
20 #include <arpa/inet.h>
21 
22 #include "translate.h"
23 #include "checksum.h"
24 #include "logging.h"
25 #include "dump.h"
26 #include "config.h"
27 #include "debug.h"
28 
29 /* function: icmp6_packet
30  * takes an icmp6 packet and sets it up for translation
31  * out      - output packet
32  * icmp6    - pointer to icmp6 header in packet
33  * checksum - pseudo-header checksum (unused)
34  * len      - size of ip payload
35  * returns: the highest position in the output clat_packet that's filled in
36  */
icmp6_packet(clat_packet out,clat_packet_index pos,const struct icmp6_hdr * icmp6,size_t len)37 int icmp6_packet(clat_packet out, clat_packet_index pos, const struct icmp6_hdr *icmp6,
38                  size_t len) {
39   const uint8_t *payload;
40   size_t payload_size;
41 
42   if(len < sizeof(struct icmp6_hdr)) {
43     logmsg_dbg(ANDROID_LOG_ERROR, "icmp6_packet/(too small)");
44     return 0;
45   }
46 
47   payload = (const uint8_t *) (icmp6 + 1);
48   payload_size = len - sizeof(struct icmp6_hdr);
49 
50   return icmp6_to_icmp(out, pos, icmp6, payload, payload_size);
51 }
52 
53 /* function: log_bad_address
54  * logs a bad address to android's log buffer if debugging is turned on
55  * fmt     - printf-style format, use %s to place the address
56  * badaddr - the bad address in question
57  */
58 #if CLAT_DEBUG
log_bad_address(const char * fmt,const struct in6_addr * src,const struct in6_addr * dst)59 void log_bad_address(const char *fmt, const struct in6_addr *src, const struct in6_addr *dst) {
60   char srcstr[INET6_ADDRSTRLEN];
61   char dststr[INET6_ADDRSTRLEN];
62 
63   inet_ntop(AF_INET6, src, srcstr, sizeof(srcstr));
64   inet_ntop(AF_INET6, dst, dststr, sizeof(dststr));
65   logmsg_dbg(ANDROID_LOG_ERROR, fmt, srcstr, dststr);
66 }
67 #else
68 #define log_bad_address(fmt, src, dst)
69 #endif
70 
71 /* function: ipv6_packet
72  * takes an ipv6 packet and hands it off to the layer 4 protocol function
73  * out    - output packet
74  * packet - packet data
75  * len    - size of packet
76  * returns: the highest position in the output clat_packet that's filled in
77  */
ipv6_packet(clat_packet out,clat_packet_index pos,const uint8_t * packet,size_t len)78 int ipv6_packet(clat_packet out, clat_packet_index pos, const uint8_t *packet, size_t len) {
79   const struct ip6_hdr *ip6 = (struct ip6_hdr *) packet;
80   struct iphdr *ip_targ = (struct iphdr *) out[pos].iov_base;
81   struct ip6_frag *frag_hdr = NULL;
82   uint8_t protocol;
83   const uint8_t *next_header;
84   size_t len_left;
85   uint32_t old_sum, new_sum;
86   int iov_len;
87 
88   if(len < sizeof(struct ip6_hdr)) {
89     logmsg_dbg(ANDROID_LOG_ERROR, "ipv6_packet/too short for an ip6 header: %d", len);
90     return 0;
91   }
92 
93   if(IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
94     log_bad_address("ipv6_packet/multicast %s->%s", &ip6->ip6_src, &ip6->ip6_dst);
95     return 0; // silently ignore
96   }
97 
98   // If the packet is not from the plat subnet to the local subnet, or vice versa, drop it, unless
99   // it's an ICMP packet (which can come from anywhere). We do not send IPv6 packets from the plat
100   // subnet to the local subnet, but these can appear as inner packets in ICMP errors, so we need
101   // to translate them. We accept third-party ICMPv6 errors, even though their source addresses
102   // cannot be translated, so that things like unreachables and traceroute will work. fill_ip_header
103   // takes care of faking a source address for them.
104   if (!(is_in_plat_subnet(&ip6->ip6_src) &&
105         IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &Global_Clatd_Config.ipv6_local_subnet)) &&
106       !(is_in_plat_subnet(&ip6->ip6_dst) &&
107         IN6_ARE_ADDR_EQUAL(&ip6->ip6_src, &Global_Clatd_Config.ipv6_local_subnet)) &&
108       ip6->ip6_nxt != IPPROTO_ICMPV6) {
109     log_bad_address("ipv6_packet/wrong source address: %s->%s", &ip6->ip6_src, &ip6->ip6_dst);
110     return 0;
111   }
112 
113   next_header = packet + sizeof(struct ip6_hdr);
114   len_left = len - sizeof(struct ip6_hdr);
115 
116   protocol = ip6->ip6_nxt;
117 
118   /* Fill in the IPv4 header. We need to do this before we translate the packet because TCP and
119    * UDP include parts of the IP header in the checksum. Set the length to zero because we don't
120    * know it yet.
121    */
122   fill_ip_header(ip_targ, 0, protocol, ip6);
123   out[pos].iov_len = sizeof(struct iphdr);
124 
125   // If there's a Fragment header, parse it and decide what the next header is.
126   // Do this before calculating the pseudo-header checksum because it updates the next header value.
127   if (protocol == IPPROTO_FRAGMENT) {
128     frag_hdr = (struct ip6_frag *) next_header;
129     if (len_left < sizeof(*frag_hdr)) {
130       logmsg_dbg(ANDROID_LOG_ERROR, "ipv6_packet/too short for fragment header: %d", len);
131       return 0;
132     }
133 
134     next_header += sizeof(*frag_hdr);
135     len_left -= sizeof(*frag_hdr);
136 
137     protocol = parse_frag_header(frag_hdr, ip_targ);
138   }
139 
140   // ICMP and ICMPv6 have different protocol numbers.
141   if (protocol == IPPROTO_ICMPV6) {
142     protocol = IPPROTO_ICMP;
143     ip_targ->protocol = IPPROTO_ICMP;
144   }
145 
146   /* Calculate the pseudo-header checksum.
147    * Technically, the length that is used in the pseudo-header checksum is the transport layer
148    * length, which is not the same as len_left in the case of fragmented packets. But since
149    * translation does not change the transport layer length, the checksum is unaffected.
150    */
151   old_sum = ipv6_pseudo_header_checksum(ip6, len_left, protocol);
152   new_sum = ipv4_pseudo_header_checksum(ip_targ, len_left);
153 
154   // Does not support IPv6 extension headers except Fragment.
155   if (frag_hdr && (frag_hdr->ip6f_offlg & IP6F_OFF_MASK)) {
156     iov_len = generic_packet(out, pos + 2, next_header, len_left);
157   } else if (protocol == IPPROTO_ICMP) {
158     iov_len = icmp6_packet(out, pos + 2, (const struct icmp6_hdr *) next_header, len_left);
159   } else if (protocol == IPPROTO_TCP) {
160     iov_len = tcp_packet(out, pos + 2, (const struct tcphdr *) next_header, old_sum, new_sum,
161                          len_left);
162   } else if (protocol == IPPROTO_UDP) {
163     iov_len = udp_packet(out, pos + 2, (const struct udphdr *) next_header, old_sum, new_sum,
164                          len_left);
165   } else if (protocol == IPPROTO_GRE) {
166     iov_len = generic_packet(out, pos + 2, next_header, len_left);
167   } else {
168 #if CLAT_DEBUG
169     logmsg(ANDROID_LOG_ERROR, "ipv6_packet/unknown next header type: %x", ip6->ip6_nxt);
170     logcat_hexdump("ipv6/nxthdr", packet, len);
171 #endif
172     return 0;
173   }
174 
175   // Set the length and calculate the checksum.
176   ip_targ->tot_len = htons(ntohs(ip_targ->tot_len) + packet_length(out, pos));
177   ip_targ->check = ip_checksum(ip_targ, sizeof(struct iphdr));
178   return iov_len;
179 }
180