123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466 |
- /*
- * 6in4 - tunnel client for automatic 6to4 or configured v6-in-v4 tunnels.
- * see rfc3056.
- */
- #include <u.h>
- #include <libc.h>
- #include <ip.h>
- /*
- * IPv6 and related IP protocols & their numbers:
- *
- * ipv6 41 IPv6 # Internet Protocol, version 6
- * ipv6-route 43 IPv6-Route # Routing Header for IPv6
- * ipv6-frag 44 IPv6-Frag # Fragment Header for IPv6
- * esp 50 ESP # Encapsulating Security Payload
- * ah 51 AH # Authentication Header
- * ipv6-icmp 58 IPv6-ICMP icmp6 # ICMP version 6
- * ipv6-nonxt 59 IPv6-NoNxt # No Next Header for IPv6
- * ipv6-opts 60 IPv6-Opts # Destination Options for IPv6
- */
- enum {
- IP_IPV6PROTO = 41, /* IPv4 protocol number for IPv6 */
- IP_ESPPROTO = 50, /* IP v4 and v6 protocol number */
- IP_AHPROTO = 51, /* IP v4 and v6 protocol number */
- IP_ICMPV6PROTO = 58,
- V6to4pfx = 0x2002,
- };
- typedef struct Iphdr Iphdr;
- struct Iphdr
- {
- uchar vihl; /* Version and header length */
- uchar tos; /* Type of service */
- uchar length[2]; /* packet length */
- uchar id[2]; /* Identification */
- uchar frag[2]; /* Fragment information */
- uchar ttl; /* Time to live */
- uchar proto; /* Protocol */
- uchar cksum[2]; /* Header checksum */
- uchar src[4]; /* Ip source (uchar ordering unimportant) */
- uchar dst[4]; /* Ip destination (uchar ordering unimportant) */
- uchar payload[];
- };
- #define STFHDR offsetof(Iphdr, payload[0])
- int anysender;
- int gateway;
- int debug;
- uchar local6[IPaddrlen];
- uchar remote6[IPaddrlen];
- uchar remote4[IPaddrlen];
- uchar localmask[IPaddrlen];
- uchar localnet[IPaddrlen];
- uchar myip[IPaddrlen];
- /* magic anycast address from rfc3068 */
- uchar anycast6to4[IPv4addrlen] = { 192, 88, 99, 1 };
- static char *net = "/net";
- static int badipv4(uchar*);
- static int badipv6(uchar*);
- static void ip2tunnel(int, int);
- static void tunnel2ip(int, int);
- static void
- usage(void)
- {
- fprint(2, "usage: %s [-ag] [-x mtpt] [local6[/mask]] [remote4 [remote6]]\n",
- argv0);
- exits("Usage");
- }
- static char *
- defv6addr(void)
- {
- uchar *ipv4 = &myip[IPaddrlen - IPv4addrlen];
- return smprint("%ux:%2.2x%2.2x:%2.2x%2.2x::1/48", V6to4pfx,
- ipv4[0], ipv4[1], ipv4[2], ipv4[3]);
- }
- /* process non-option arguments */
- static void
- procargs(int argc, char **argv)
- {
- char *p, *loc6;
- if (argc < 1)
- loc6 = defv6addr();
- else if (strcmp(argv[0], "-") == 0) {
- loc6 = defv6addr();
- argv++;
- argc--;
- } else {
- loc6 = *argv++;
- argc--;
- }
- /* local v6 address (mask defaults to /128) */
- memcpy(localmask, IPallbits, sizeof localmask);
- p = strchr(loc6, '/');
- if (p != nil) {
- parseipmask(localmask, p);
- *p = 0;
- }
- if (parseip(local6, loc6) == -1)
- sysfatal("bad local v6 address %s", loc6);
- if (isv4(local6))
- usage();
- if (argc >= 1 && argv[0][0] == '/') {
- parseipmask(localmask, *argv++);
- argc--;
- }
- if (debug)
- fprint(2, "local6 %I %M\n", local6, localmask);
- /* remote v4 address (defaults to anycast 6to4) */
- if (argc >= 1) {
- if (parseip(remote4, *argv++) == -1)
- sysfatal("bad remote v4 address %s", argv[-1]);
- argc--;
- if (!isv4(remote4))
- usage();
- } else {
- v4tov6(remote4, anycast6to4);
- anysender++;
- }
- if (debug)
- fprint(2, "remote4 %I\n", remote4);
- /* remote v6 address (defaults to link-local w/ v4 as interface part) */
- if (argc >= 1) {
- if (parseip(remote6, *argv++) == -1)
- sysfatal("bad remote v6 address %s", argv[-1]);
- argc--;
- } else {
- remote6[0] = 0xFE; /* link local */
- remote6[1] = 0x80;
- memcpy(remote6 + IPv4off, remote4 + IPv4off, IPv4addrlen);
- }
- USED(argv);
- if (argc != 0)
- usage();
- maskip(local6, localmask, localnet);
- if (debug)
- fprint(2, "localnet %I remote6 %I\n", localnet, remote6);
- }
- static void
- setup(int *v6net, int *tunp)
- {
- int n, cfd;
- char *p, *cl, *ir;
- char buf[128], path[64];
- /*
- * gain access to IPv6-in-IPv4 packets via ipmux
- */
- p = seprint(buf, buf + sizeof buf, "%s/ipmux!proto=%2.2x|%2.2x;dst=%V",
- net, IP_IPV6PROTO, IP_ICMPV6PROTO, myip + IPv4off);
- if (!anysender)
- seprint(p, buf + sizeof buf, ";src=%V", remote4 + IPv4off);
- *tunp = dial(buf, 0, 0, 0);
- if (*tunp < 0)
- sysfatal("can't access ipv6-in-ipv4 with dial str %s: %r", buf);
- if (debug)
- fprint(2, "dialed %s for v6-in-v4 access\n", buf);
- /*
- * open local IPv6 interface (as a packet interface)
- */
- cl = smprint("%s/ipifc/clone", net);
- cfd = open(cl, ORDWR); /* allocate a conversation */
- n = 0;
- if (cfd < 0 || (n = read(cfd, buf, sizeof buf - 1)) <= 0)
- sysfatal("can't make packet interface %s: %r", cl);
- if (debug)
- fprint(2, "cloned %s as local v6 interface\n", cl);
- free(cl);
- buf[n] = 0;
- snprint(path, sizeof path, "%s/ipifc/%s/data", net, buf);
- *v6net = open(path, ORDWR);
- if (*v6net < 0 || fprint(cfd, "bind pkt") < 0)
- sysfatal("can't bind packet interface: %r");
- /* 1280 is MTU, apparently from rfc2460 */
- if (fprint(cfd, "add %I /128 %I 1280", local6, remote6) <= 0)
- sysfatal("can't set local ipv6 address: %r");
- close(cfd);
- if (debug)
- fprint(2, "opened & bound %s as local v6 interface\n", path);
- if (gateway) {
- /* route global addresses through the tunnel to remote6 */
- ir = smprint("%s/iproute", net);
- cfd = open(ir, OWRITE);
- if (cfd >= 0 && debug)
- fprint(2, "injected 2000::/3 %I into %s\n", remote6, ir);
- free(ir);
- if (cfd < 0 || fprint(cfd, "add 2000:: /3 %I", remote6) <= 0)
- sysfatal("can't set default global route: %r");
- }
- }
- static void
- runtunnel(int v6net, int tunnel)
- {
- /* run the tunnel copying in the background */
- switch (rfork(RFPROC|RFNOWAIT|RFMEM|RFNOTEG)) {
- case -1:
- sysfatal("rfork");
- default:
- exits(nil);
- case 0:
- break;
- }
- switch (rfork(RFPROC|RFNOWAIT|RFMEM)) {
- case -1:
- sysfatal("rfork");
- default:
- tunnel2ip(tunnel, v6net);
- break;
- case 0:
- ip2tunnel(v6net, tunnel);
- break;
- }
- exits("tunnel gone");
- }
- void
- main(int argc, char **argv)
- {
- int tunnel, v6net;
- fmtinstall('I', eipfmt);
- fmtinstall('V', eipfmt);
- fmtinstall('M', eipfmt);
- ARGBEGIN {
- case 'a':
- anysender++;
- break;
- case 'd':
- debug++;
- break;
- case 'g':
- gateway++;
- break;
- case 'x':
- net = EARGF(usage());
- break;
- default:
- usage();
- } ARGEND
- if (myipaddr(myip, net) < 0)
- sysfatal("can't find my ipv4 address on %s", net);
- if (!isv4(myip))
- sysfatal("my ip, %I, is not a v4 address", myip);
- procargs(argc, argv);
- setup(&v6net, &tunnel);
- runtunnel(v6net, tunnel);
- exits(0);
- }
- /*
- * based on libthread's threadsetname, but drags in less library code.
- * actually just sets the arguments displayed.
- */
- void
- procsetname(char *fmt, ...)
- {
- int fd;
- char *cmdname;
- char buf[128];
- va_list arg;
- va_start(arg, fmt);
- cmdname = vsmprint(fmt, arg);
- va_end(arg);
- if (cmdname == nil)
- return;
- snprint(buf, sizeof buf, "#p/%d/args", getpid());
- if((fd = open(buf, OWRITE)) >= 0){
- write(fd, cmdname, strlen(cmdname)+1);
- close(fd);
- }
- free(cmdname);
- }
- /*
- * encapsulate v6 packets from the packet interface in v4 ones
- * and send them into the tunnel.
- */
- static void
- ip2tunnel(int in, int out)
- {
- int n, m;
- char buf[64*1024];
- Iphdr *op;
- Ip6hdr *ip;
- if (anysender)
- procsetname("v6 %I -> tunnel", local6);
- else
- procsetname("v6 %I -> tunnel %I %I", local6, remote4, remote6);
- /* populate v4 header */
- op = (Iphdr*)buf;
- op->vihl = IP_VER4 | 5; /* hdr is 5 longs? */
- memcpy(op->src, myip + IPv4off, sizeof op->src);
- op->proto = IP_IPV6PROTO; /* inner protocol */
- op->ttl = 100;
- /* get a V6 packet destined for the tunnel */
- ip = (Ip6hdr*)(buf + STFHDR);
- while ((n = read(in, ip, sizeof buf - STFHDR)) > 0) {
- /* if not IPV6, drop it */
- if ((ip->vcf[0] & 0xF0) != IP_VER6)
- continue;
- /* check length: drop if too short, trim if too long */
- m = nhgets(ip->ploadlen) + IPV6HDR_LEN;
- if (m > n)
- continue;
- if (m < n)
- n = m;
- /* drop if v6 source or destination address is naughty */
- if (badipv6(ip->src)) {
- syslog(0, "6in4", "egress filtered %I -> %I; bad src",
- ip->src, ip->dst);
- continue;
- }
- if ((!equivip6(ip->dst, remote6) && badipv6(ip->dst))) {
- syslog(0, "6in4", "egress filtered %I -> %I; "
- "bad dst not remote", ip->src, ip->dst);
- continue;
- }
- if (debug > 1)
- fprint(2, "v6 to tunnel %I -> %I\n", ip->src, ip->dst);
- /* send 6to4 packets directly to ipv4 target */
- if ((ip->dst[0]<<8 | ip->dst[1]) == V6to4pfx)
- memcpy(op->dst, ip->dst+2, sizeof op->dst);
- else
- memcpy(op->dst, remote4+IPv4off, sizeof op->dst);
- n += STFHDR;
- /* pass packet to the other end of the tunnel */
- if (write(out, op, n) != n) {
- syslog(0, "6in4", "error writing to tunnel (%r), giving up");
- break;
- }
- }
- }
- /*
- * decapsulate v6 packets from v4 ones from the tunnel
- * and forward them to the packet interface
- */
- static void
- tunnel2ip(int in, int out)
- {
- int n, m;
- char buf[64*1024];
- uchar a[IPaddrlen];
- Ip6hdr *op;
- Iphdr *ip;
- if (anysender)
- procsetname("tunnel -> v6 %I", local6);
- else
- procsetname("tunnel %I %I -> v6 %I", remote4, remote6, local6);
- for (;;) {
- /* get a packet from the tunnel */
- n = read(in, buf, sizeof buf);
- ip = (Iphdr*)(buf + IPaddrlen);
- n -= IPaddrlen;
- if (n <= 0) {
- syslog(0, "6in4", "error reading from tunnel (%r), giving up");
- break;
- }
- /* if not IPv4 nor IPv4 protocol IPv6 nor ICMPv6, drop it */
- if ((ip->vihl & 0xF0) != IP_VER4 ||
- ip->proto != IP_IPV6PROTO && ip->proto != IP_ICMPV6PROTO) {
- syslog(0, "6in4",
- "dropping pkt from tunnel with inner proto %d",
- ip->proto);
- continue;
- }
- /* check length: drop if too short, trim if too long */
- m = nhgets(ip->length);
- if (m > n)
- continue;
- if (m < n)
- n = m;
- op = (Ip6hdr*)(buf + IPaddrlen + STFHDR);
- n -= STFHDR;
- /*
- * don't relay: just accept packets for local host/subnet
- * (this blocks link-local and multicast addresses as well)
- */
- maskip(op->dst, localmask, a);
- if (!equivip6(a, localnet)) {
- syslog(0, "6in4", "ingress filtered %I -> %I; "
- "dst not on local net", op->src, op->dst);
- continue;
- }
- if (debug > 1)
- fprint(2, "tunnel to v6 %I -> %I\n", op->src, op->dst);
- /* pass V6 packet to the interface */
- if (write(out, op, n) != n) {
- syslog(0, "6in4", "error writing to packet interface (%r), giving up");
- break;
- }
- }
- }
- static int
- badipv4(uchar *a)
- {
- switch (a[0]) {
- case 0: /* unassigned */
- case 10: /* private */
- case 127: /* loopback */
- return 1;
- case 172:
- return a[1] >= 16; /* 172.16.0.0/12 private */
- case 192:
- return a[1] == 168; /* 192.168.0.0/16 private */
- case 169:
- return a[1] == 254; /* 169.254.0.0/16 DHCP link-local */
- }
- /* 224.0.0.0/4 multicast, 240.0.0.0/4 reserved, broadcast */
- return a[0] >= 240;
- }
- /*
- * 0x0000/16 prefix = v4 compatible, v4 mapped, loopback, unspecified...
- * site-local is now deprecated, rfc3879
- */
- static int
- badipv6(uchar *a)
- {
- int h = a[0]<<8 | a[1];
- return h == 0 || ISIPV6MCAST(a) || ISIPV6LINKLOCAL(a) ||
- h == V6to4pfx && badipv4(a+2);
- }
|