forecast: Only reinject packets that are marked or from the configured interface
[strongswan.git] / src / libcharon / plugins / forecast / forecast_forwarder.c
1 /*
2 * Copyright (C) 2010-2014 Martin Willi
3 * Copyright (C) 2010-2014 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "forecast_forwarder.h"
17
18 #include <errno.h>
19 #include <unistd.h>
20 #include <netinet/ip.h>
21 #include <netinet/udp.h>
22 #include <linux/socket.h>
23 #include <netinet/if_ether.h>
24 #include <linux/if_packet.h>
25 #include <linux/filter.h>
26 #include <sys/ioctl.h>
27 #include <ifaddrs.h>
28 #include <net/if.h>
29
30 #include <daemon.h>
31 #include <threading/thread.h>
32 #include <processing/jobs/callback_job.h>
33
34 #define BOOTP_SERVER_PORT 67
35 #define BOOTP_CLIENT_PORT 68
36
37 typedef struct private_forecast_forwarder_t private_forecast_forwarder_t;
38 typedef struct private_kernel_listener_t private_kernel_listener_t;
39
40 /**
41 * Private data of registered kernel listener
42 */
43 struct private_kernel_listener_t {
44
45 /**
46 * Implements kernel_listener_t
47 */
48 kernel_listener_t listener;
49
50 /**
51 * Listener that knows active addresses
52 */
53 forecast_listener_t *fc;
54
55 /**
56 * current broadcast address of internal network
57 */
58 uint32_t broadcast;
59
60 /**
61 * LAN interface index
62 */
63 int ifindex;
64
65 /**
66 * Packet socket
67 */
68 int pkt;
69
70 /**
71 * RAW socket
72 */
73 int raw;
74 };
75
76 /**
77 * Private data of an forecast_forwarder_t object.
78 */
79 struct private_forecast_forwarder_t {
80
81 /**
82 * Public forecast_forwarder_t interface.
83 */
84 forecast_forwarder_t public;
85
86 /**
87 * Public kernel_listener_t interface.
88 */
89 private_kernel_listener_t kernel;
90 };
91
92 /**
93 * Send a broadcast/multicast packet to a network
94 */
95 static void send_net(private_forecast_forwarder_t *this,
96 struct sockaddr_ll *addr, void *buf, size_t len)
97 {
98 if (sendto(this->kernel.pkt, buf, len, 0,
99 (struct sockaddr*)addr, sizeof(*addr)) != len)
100 {
101 DBG1(DBG_NET, "forecast send_net() failed: %s", strerror(errno));
102 }
103 }
104
105 /**
106 * Send a broadcast/multicast packet to a peer
107 */
108 static void send_peer(private_forecast_forwarder_t *this, uint32_t dst,
109 void *buf, size_t len, int mark)
110 {
111 struct sockaddr_in addr = {
112 .sin_family = AF_INET,
113 .sin_addr.s_addr = dst,
114 };
115
116 if (setsockopt(this->kernel.raw, SOL_SOCKET, SO_MARK,
117 &mark, sizeof(mark)) != 0)
118 {
119 DBG1(DBG_NET, "forecast setting SO_MARK failed: %s", strerror(errno));
120 }
121 if (sendto(this->kernel.raw, buf, len, 0,
122 (struct sockaddr*)&addr, sizeof(addr)) != len)
123 {
124 DBG1(DBG_NET, "forecast send_peer() failed: %s", strerror(errno));
125 }
126 }
127
128 /**
129 * Check if an IP packet is BOOTP/DHCP
130 */
131 static bool is_bootp(void *buf, size_t len)
132 {
133 struct __attribute__((__packed__)) {
134 struct iphdr ip;
135 struct udphdr udp;
136 } *pkt = buf;
137
138 if (len > sizeof(*pkt))
139 {
140 if (ntohs(pkt->udp.source) == BOOTP_CLIENT_PORT &&
141 ntohs(pkt->udp.dest) == BOOTP_SERVER_PORT)
142 {
143 return TRUE;
144 }
145 if (ntohs(pkt->udp.source) == BOOTP_SERVER_PORT &&
146 ntohs(pkt->udp.dest) == BOOTP_CLIENT_PORT)
147 {
148 return TRUE;
149 }
150 }
151 return FALSE;
152 }
153
154 /**
155 * Broadcast/Multicast receiver
156 */
157 static bool receive_casts(private_forecast_forwarder_t *this)
158 {
159 struct __attribute__((packed)) {
160 struct iphdr hdr;
161 char data[2048];
162 } buf;
163 char *type;
164 ssize_t len;
165 u_int mark, origin = 0;
166 host_t *src, *dst;
167 traffic_selector_t *ts;
168 enumerator_t *enumerator;
169 struct sockaddr_ll addr;
170 socklen_t alen = sizeof(addr);
171 bool reinject;
172
173 len = recvfrom(this->kernel.pkt, &buf, sizeof(buf), MSG_DONTWAIT,
174 (struct sockaddr*)&addr, &alen);
175 if (len < 0)
176 {
177 if (errno != EAGAIN && errno != EWOULDBLOCK)
178 {
179 DBG1(DBG_NET, "receiving from forecast socket failed: %s",
180 strerror(errno));
181 }
182 return TRUE;
183 }
184 else if (len < sizeof(struct iphdr))
185 {
186 DBG1(DBG_NET, "received short forecast packet: %zd bytes", len);
187 return TRUE;
188 }
189 if (is_bootp(&buf, len))
190 { /* don't forward DHCP broadcasts */
191 return TRUE;
192 }
193
194 src = host_create_from_chunk(AF_INET, chunk_from_thing(buf.hdr.saddr), 0);
195 dst = host_create_from_chunk(AF_INET, chunk_from_thing(buf.hdr.daddr), 0);
196
197 /* create valid broadcast/multicast MAC to send out */
198 if (IN_MULTICAST(ntohl(buf.hdr.daddr)))
199 {
200 type = "multi";
201 ETHER_MAP_IP_MULTICAST(&buf.hdr.daddr, addr.sll_addr);
202 }
203 else
204 {
205 type = "broad";
206 memset(&addr.sll_addr, 0xFF, sizeof(addr.sll_addr));
207 }
208 DBG2(DBG_NET, "forecast intercepted packet: %H to %H", src, dst);
209
210 /* find mark of originating tunnel */
211 enumerator = this->kernel.fc->create_enumerator(this->kernel.fc, FALSE);
212 while (enumerator->enumerate(enumerator, &ts, &mark, &reinject))
213 {
214 if (ts->includes(ts, src))
215 {
216 origin = mark;
217 break;
218 }
219 }
220 enumerator->destroy(enumerator);
221
222 /* send packet over all tunnels, but not the packets origin */
223 enumerator = this->kernel.fc->create_enumerator(this->kernel.fc, FALSE);
224 while (enumerator->enumerate(enumerator, &ts, &mark, &reinject))
225 {
226 if (ts->includes(ts, dst))
227 {
228 if ((reinject && origin != mark) || origin == 0)
229 {
230 DBG2(DBG_NET, "forwarding a %H %scast from %H to peer %R (%u)",
231 dst, type, src, ts, mark);
232 send_peer(this, buf.hdr.daddr, &buf, len, mark);
233 }
234 }
235 }
236 enumerator->destroy(enumerator);
237
238 if (origin)
239 {
240 /* forward broadcast/multicast from client to network */
241 DBG2(DBG_NET, "forwarding a %H %scast from peer %H to internal network",
242 dst, type, src);
243 addr.sll_ifindex = this->kernel.ifindex;
244 send_net(this, &addr, &buf, len);
245 }
246
247 dst->destroy(dst);
248 src->destroy(src);
249
250 return TRUE;
251 }
252
253 /**
254 * Join a multicast group
255 */
256 static void join_group(private_kernel_listener_t *this, char *group,
257 struct sockaddr *addr)
258 {
259 struct sockaddr_in *in;
260 struct ip_mreqn mreq;
261 host_t *host;
262
263 host = host_create_from_string(group, 0);
264 if (host)
265 {
266 memset(&mreq, 0, sizeof(mreq));
267 memcpy(&mreq.imr_multiaddr.s_addr, host->get_address(host).ptr, 4);
268 if (addr->sa_family == AF_INET)
269 {
270 in = (struct sockaddr_in*)addr;
271 memcpy(&mreq.imr_address, &in->sin_addr.s_addr,
272 sizeof(in->sin_addr.s_addr));
273 }
274 mreq.imr_ifindex = this->ifindex;
275 if (setsockopt(this->raw, IPPROTO_IP, IP_ADD_MEMBERSHIP,
276 &mreq, sizeof(mreq)) == -1)
277 {
278 if (errno != EADDRINUSE)
279 {
280 DBG1(DBG_NET, "forecast multicast join to %s failed: %s",
281 group, strerror(errno));
282 }
283 }
284 else
285 {
286 DBG2(DBG_NET, "forwarding multicast group %s", group);
287 }
288 host->destroy(host);
289 }
290 }
291
292 /**
293 * (Re-)Join all multicast groups we want to forward
294 */
295 static void join_groups(private_kernel_listener_t *this, struct sockaddr *addr)
296 {
297 enumerator_t *enumerator;
298 char *groups, *group;
299 static char *def =
300 "224.0.0.1," /* host multicast */
301 "224.0.0.22," /* IGMP */
302 "224.0.0.251," /* mDNS */
303 "224.0.0.252," /* LLMNR */
304 "239.255.255.250"; /* SSDP/WS-discovery */
305
306 groups = lib->settings->get_str(lib->settings,
307 "%s.plugins.forecast.groups", def, lib->ns);
308 DBG1(DBG_CFG, "joining forecast multicast groups: %s", groups);
309 enumerator = enumerator_create_token(groups, ",", " ");
310 while (enumerator->enumerate(enumerator, &group))
311 {
312 join_group(this, group, addr);
313 }
314 enumerator->destroy(enumerator);
315 }
316
317 /**
318 * Attach the socket filter to the socket
319 */
320 static bool attach_filter(int fd, uint32_t broadcast, uint32_t ifindex)
321 {
322 struct sock_filter filter_code[] = {
323 /* handle any marked packets (from clients) */
324 BPF_STMT(BPF_LD+BPF_B+BPF_ABS, SKF_AD_OFF+SKF_AD_MARK),
325 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 2),
326 /* and those from the internal interface */
327 BPF_STMT(BPF_LD+BPF_B+BPF_ABS, SKF_AD_OFF+SKF_AD_IFINDEX),
328 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ifindex, 0, 5),
329 /* destination address: is ... */
330 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct iphdr, daddr)),
331 /* broadcast, as received from the local network */
332 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ntohl(broadcast), 4, 0),
333 /* broadcast, as Win7 sends them */
334 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0xFFFFFFFF, 3, 0),
335 /* any multicast, 224.0.0.0/4 */
336 BPF_STMT(BPF_ALU+BPF_AND+BPF_K, 0xF0000000),
337 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0xE0000000, 1, 0),
338 BPF_STMT(BPF_RET+BPF_K, 0),
339 BPF_STMT(BPF_LD+BPF_W+BPF_LEN, 0),
340 BPF_STMT(BPF_RET+BPF_A, 0),
341 };
342 struct sock_fprog filter = {
343 sizeof(filter_code) / sizeof(struct sock_filter),
344 filter_code,
345 };
346
347 if (setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER,
348 &filter, sizeof(filter)) < 0)
349 {
350 DBG1(DBG_NET, "installing forecast PACKET socket filter failed: %s",
351 strerror(errno));
352 return FALSE;
353 }
354 return TRUE;
355 }
356
357 /**
358 * Get the interface index of an interface name
359 */
360 static int get_ifindex(private_kernel_listener_t *this, char *ifname)
361 {
362 struct ifreq ifr = {};
363
364 strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
365 if (ioctl(this->raw, SIOCGIFINDEX, &ifr) == 0)
366 {
367 return ifr.ifr_ifindex;
368 }
369 return 0;
370 }
371
372 /**
373 * Set up the interface for broad/multicast forwarding
374 */
375 static void setup_interface(private_kernel_listener_t *this)
376 {
377 struct ifaddrs *addrs, *current;
378 struct sockaddr_in *in;
379 host_t *host;
380 char *name;
381
382 name = lib->settings->get_str(lib->settings,
383 "%s.plugins.forecast.interface", NULL, lib->ns);
384 if (getifaddrs(&addrs) == 0)
385 {
386 for (current = addrs; current; current = current->ifa_next)
387 {
388 if (name && !streq(name, current->ifa_name))
389 {
390 continue;
391 }
392 if (current->ifa_flags & IFF_BROADCAST &&
393 current->ifa_broadaddr &&
394 current->ifa_broadaddr->sa_family == AF_INET)
395 {
396 DBG1(DBG_NET, "using forecast interface %s", current->ifa_name);
397 this->ifindex = get_ifindex(this, current->ifa_name);
398 in = (struct sockaddr_in*)current->ifa_broadaddr;
399 attach_filter(this->pkt, in->sin_addr.s_addr, this->ifindex);
400 join_groups(this, current->ifa_addr);
401 host = host_create_from_sockaddr(current->ifa_broadaddr);
402 if (host)
403 {
404 this->fc->set_broadcast(this->fc, host);
405 host->destroy(host);
406 }
407 break;
408 }
409 }
410 }
411 freeifaddrs(addrs);
412 }
413
414 METHOD(kernel_listener_t, roam, bool,
415 private_kernel_listener_t *this, bool address)
416 {
417 if (address)
418 {
419 setup_interface(this);
420 }
421 return TRUE;
422 }
423
424 METHOD(forecast_forwarder_t, destroy, void,
425 private_forecast_forwarder_t *this)
426 {
427 if (this->kernel.raw != -1)
428 {
429 close(this->kernel.raw);
430 }
431 if (this->kernel.pkt != -1)
432 {
433 lib->watcher->remove(lib->watcher, this->kernel.pkt);
434 close(this->kernel.pkt);
435 }
436 charon->kernel->remove_listener(charon->kernel, &this->kernel.listener);
437 free(this);
438 }
439
440 /**
441 * See header
442 */
443 forecast_forwarder_t *forecast_forwarder_create(forecast_listener_t *listener)
444 {
445 private_forecast_forwarder_t *this;
446 int on = 1;
447
448 INIT(this,
449 .public = {
450 .destroy = _destroy,
451 },
452 .kernel = {
453 .listener = {
454 .roam = _roam,
455 },
456 .raw = -1,
457 .pkt = -1,
458 .fc = listener,
459 },
460 );
461
462 this->kernel.pkt = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_IP));
463 if (this->kernel.pkt == -1)
464 {
465 DBG1(DBG_NET, "opening PACKET socket failed: %s", strerror(errno));
466 destroy(this);
467 return NULL;
468 }
469 this->kernel.raw = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
470 if (this->kernel.raw == -1)
471 {
472 DBG1(DBG_NET, "opening RAW socket failed: %s", strerror(errno));
473 destroy(this);
474 return NULL;
475 }
476 if (setsockopt(this->kernel.raw, IPPROTO_IP, IP_HDRINCL,
477 &on, sizeof(on)) == -1)
478 {
479 DBG1(DBG_NET, "forecast socket HDRINCL failed: %s", strerror(errno));
480 destroy(this);
481 return NULL;
482 }
483 if (setsockopt(this->kernel.raw, SOL_SOCKET, SO_BROADCAST,
484 &on, sizeof(on)) == -1)
485 {
486 DBG1(DBG_NET, "forecast socket BROADCAST failed: %s", strerror(errno));
487 destroy(this);
488 return NULL;
489 }
490
491 setup_interface(&this->kernel);
492
493 charon->kernel->add_listener(charon->kernel,
494 &this->kernel.listener);
495
496 lib->watcher->add(lib->watcher, this->kernel.pkt, WATCHER_READ,
497 (watcher_cb_t)receive_casts, this);
498
499 return &this->public;
500 }