-* Thu Jan 13 2005 Brendan O'Dea <bod@optusnet.com.au> 2.1.0
-- Add IPv6 support from Jonathan McDowell (work in progress).
+* Tue Jan 25 2005 Brendan O'Dea <bod@optusnet.com.au> 2.1.0
+- Add IPv6 support from Jonathan McDowell.
- Add CHAP support from Jordan Hrycaj (work in progress).
- Sanity check that cluster_send_session is not called from a child
process.
// vim: sw=8 ts=8
char const *cvs_name = "$Name: $";
-char const *cvs_id_cli = "$Id: cli.c,v 1.51 2005-01-13 08:26:25 bodea Exp $";
+char const *cvs_id_cli = "$Id: cli.c,v 1.52 2005-01-25 04:19:05 bodea Exp $";
#include <stdio.h>
#include <stdarg.h>
}
// Show Summary
- cli_print(cli, "%5s %4s %-32s %-15s %s %s %s %10s %10s %10s %4s %-15s %s",
+ cli_print(cli, "%5s %4s %-32s %-15s %s %s %s %s %10s %10s %10s %4s %-15s %s",
"SID",
"TID",
"Username",
"I",
"T",
"G",
+ "6",
"opened",
"downloaded",
"uploaded",
for (i = 1; i < MAXSESSION; i++)
{
if (!session[i].opened) continue;
- cli_print(cli, "%5d %4d %-32s %-15s %s %s %s %10u %10lu %10lu %4u %-15s %s",
+ cli_print(cli, "%5d %4d %-32s %-15s %s %s %s %s %10u %10lu %10lu %4u %-15s %s",
i,
session[i].tunnel,
session[i].user[0] ? session[i].user : "*",
(session[i].snoop_ip && session[i].snoop_port) ? "Y" : "N",
(session[i].throttle_in || session[i].throttle_out) ? "Y" : "N",
(session[i].walled_garden) ? "Y" : "N",
+ (session[i].flags & SF_IPV6CP_ACKED) ? "Y" : "N",
abs(time_now - (unsigned long)session[i].opened),
(unsigned long)session[i].total_cout,
(unsigned long)session[i].total_cin,
cli_print(cli, "-----------------------------------------");
cli_print(cli, "%-30s%u", "call_processtun", GET_STAT(call_processtun));
cli_print(cli, "%-30s%u", "call_processipout", GET_STAT(call_processipout));
+ cli_print(cli, "%-30s%u", "call_processipv6out", GET_STAT(call_processipv6out));
cli_print(cli, "%-30s%u", "call_processudp", GET_STAT(call_processudp));
cli_print(cli, "%-30s%u", "call_processpap", GET_STAT(call_processpap));
cli_print(cli, "%-30s%u", "call_processchap", GET_STAT(call_processchap));
cli_print(cli, "%-30s%u", "call_processlcp", GET_STAT(call_processlcp));
cli_print(cli, "%-30s%u", "call_processipcp", GET_STAT(call_processipcp));
+ cli_print(cli, "%-30s%u", "call_processipv6cp", GET_STAT(call_processipv6cp));
cli_print(cli, "%-30s%u", "call_processipin", GET_STAT(call_processipin));
+ cli_print(cli, "%-30s%u", "call_processipv6in", GET_STAT(call_processipv6in));
cli_print(cli, "%-30s%u", "call_processccp", GET_STAT(call_processccp));
cli_print(cli, "%-30s%u", "call_processrad", GET_STAT(call_processrad));
cli_print(cli, "%-30s%u", "call_sendarp", GET_STAT(call_sendarp));
cli_print(cli, "%-30s%u", "call_sendipcp", GET_STAT(call_sendipcp));
cli_print(cli, "%-30s%u", "call_sendchap", GET_STAT(call_sendchap));
cli_print(cli, "%-30s%u", "call_sessionbyip", GET_STAT(call_sessionbyip));
+ cli_print(cli, "%-30s%u", "call_sessionbyipv6", GET_STAT(call_sessionbyipv6));
cli_print(cli, "%-30s%u", "call_sessionbyuser", GET_STAT(call_sessionbyuser));
cli_print(cli, "%-30s%u", "call_tunnelsend", GET_STAT(call_tunnelsend));
cli_print(cli, "%-30s%u", "call_tunnelkill", GET_STAT(call_tunnelkill));
// L2TPNS: icmp
-char const *cvs_id_icmp = "$Id: icmp.c,v 1.6 2004-12-16 08:49:53 bodea Exp $";
+char const *cvs_id_icmp = "$Id: icmp.c,v 1.7 2005-01-25 04:19:05 bodea Exp $";
#include <arpa/inet.h>
#include <netdb.h>
#include <asm/types.h>
#include <linux/ip.h>
#include <linux/icmp.h>
+#include <netinet/icmp6.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>
static uint16_t _checksum(unsigned char *addr, int count);
+struct ipv6_pseudo_hdr {
+ struct in6_addr src;
+ struct in6_addr dest;
+ uint32_t ulp_length;
+ uint32_t zero : 24;
+ uint32_t nexthdr : 8;
+};
+
void host_unreachable(in_addr_t destination, uint16_t id, in_addr_t source, char *packet, int packet_len)
{
char buf[128] = {0};
return htons((uint16_t) sum);
}
+
+void send_ipv6_ra(tunnelidt t, sessionidt s, struct in6_addr *ip)
+{
+ struct nd_opt_prefix_info *pinfo;
+ struct ipv6_pseudo_hdr *phdr;
+ uint8_t b[MAXETHER + 20];
+ uint8_t c[MAXETHER + 20];
+ int l;
+ uint8_t *o;
+
+ LOG(3, s, t, "Sending IPv6 RA\n");
+
+ memset(b, 0, sizeof(b));
+ o = makeppp(b, sizeof(b), 0, 0, t, s, PPPIPV6);
+
+ if (!o)
+ {
+ LOG(3, s, t, "failed to send IPv6 RA\n");
+ return;
+ }
+
+ *o = 0x60; // IPv6
+ *(o+1) = 0;
+ *(o+5) = 48; // Length of payload (not header)
+ *(o+6) = 58; // icmp6 is next
+ *(o+7) = 255; // Hop limit
+ memset(o+8, 0, 16); // source = FE80::1
+ *(o+8) = 0xFE;
+ *(o+9) = 0x80;
+ *(o+23) = 1;
+ if (ip != NULL)
+ memcpy(o+24, ip, 16); // dest = ip
+ else
+ {
+ // FF02::1 - all hosts
+ *(o+24) = 0xFF;
+ *(o+25) = 2;
+ *(o+39) = 1;
+ }
+ *(o+40) = 134; // RA message
+ *(o+41) = 0; // Code
+ *(o+42) = *(o+43) = 0; // Checksum
+ *(o+44) = 64; // Hop count
+ *(o+45) = 0; // Flags
+ *(o+46) = *(o+47) = 255; // Lifetime
+ *(uint32_t *)(o+48) = 0; // Reachable time
+ *(uint32_t *)(o+52) = 0; // Retrans timer
+ pinfo = (struct nd_opt_prefix_info *)(o+56);
+ pinfo->nd_opt_pi_type = ND_OPT_PREFIX_INFORMATION;
+ pinfo->nd_opt_pi_len = 4;
+ pinfo->nd_opt_pi_prefix_len = 64; // prefix length
+ pinfo->nd_opt_pi_flags_reserved = ND_OPT_PI_FLAG_ONLINK;
+ pinfo->nd_opt_pi_flags_reserved |= ND_OPT_PI_FLAG_AUTO;
+ pinfo->nd_opt_pi_valid_time = htonl(2592000);
+ pinfo->nd_opt_pi_preferred_time = htonl(604800);
+ pinfo->nd_opt_pi_reserved2 = 0;
+ pinfo->nd_opt_pi_prefix = config->ipv6_prefix;
+ l = sizeof(*pinfo) + 56;
+
+ memset(c, 0, sizeof(c));
+ phdr = (struct ipv6_pseudo_hdr *) c;
+ memcpy(&phdr->src, o+8, 16);
+ memcpy(&phdr->dest, o+24, 16);
+ phdr->ulp_length = htonl(l - 40);
+ phdr->nexthdr = IPPROTO_ICMPV6;
+
+ memcpy(c + sizeof(*phdr), o + 40, l - 40);
+
+ // Checksum is over the icmp6 payload plus the pseudo header
+ *(uint16_t *)(o+42) = _checksum(c, l - 40 + sizeof(*phdr));
+
+ tunnelsend(b, l + (o-b), t); // send it...
+ return;
+}
// Copyright (c) 2002 FireBrick (Andrews & Arnold Ltd / Watchfront Ltd) - GPL licenced
// vim: sw=8 ts=8
-char const *cvs_id_l2tpns = "$Id: l2tpns.c,v 1.79 2005-01-13 08:42:52 bodea Exp $";
+char const *cvs_id_l2tpns = "$Id: l2tpns.c,v 1.80 2005-01-25 04:19:05 bodea Exp $";
#include <arpa/inet.h>
#include <assert.h>
#include <sys/mman.h>
#include <netdb.h>
#include <netinet/in.h>
+#include <netinet/ip6.h>
#include <stdarg.h>
#include <stdlib.h>
#include <stdio.h>
int snoopfd = -1; // UDP file handle for sending out intercept data
int *radfds = NULL; // RADIUS requests file handles
int ifrfd = -1; // File descriptor for routing, etc
+int ifr6fd = -1; // File descriptor for IPv6 routing, etc
static int rand_fd = -1; // Random data source
time_t basetime = 0; // base clock
char hostname[1000] = ""; // us.
+static int tunidx; // ifr_ifindex of tun device
static uint32_t sessionid = 0; // session id for radius accounting
static int syslog_log = 0; // are we logging to syslog
static FILE *log_stream = NULL; // file handle for direct logging (i.e. direct into file, not via syslog).
struct cli_tunnel_actions *cli_tunnel_actions = NULL; // Pending tunnel changes required by CLI
static void *ip_hash[256]; // Mapping from IP address to session structures.
+struct ipv6radix {
+ int sess;
+ struct ipv6radix *branch;
+} ipv6_hash[256]; // Mapping from IPv6 address to session structures.
// Traffic counters.
static uint32_t udp_rx = 0, udp_rx_pkt = 0, udp_tx = 0;
CONFIG("cluster_interface", cluster_interface, STRING),
CONFIG("cluster_hb_interval", cluster_hb_interval, INT),
CONFIG("cluster_hb_timeout", cluster_hb_timeout, INT),
+ CONFIG("ipv6_prefix", ipv6_prefix, IPv6),
{ NULL, 0, 0, 0 },
};
static void cache_ipmap(in_addr_t ip, int s);
static void uncache_ipmap(in_addr_t ip);
+static void cache_ipv6map(struct in6_addr ip, int prefixlen, int s);
static void free_ip_address(sessionidt s);
static void dump_acct_info(int all);
static void sighup_handler(int sig);
}
}
+void route6set(sessionidt s, struct in6_addr ip, int prefixlen, int add)
+{
+ struct in6_rtmsg rt;
+ char ipv6addr[INET6_ADDRSTRLEN];
+
+ if (ifr6fd < 0)
+ {
+ LOG(0, 0, 0, "Asked to set IPv6 route, but IPv6 not setup.\n");
+ return;
+ }
+
+ memset(&rt, 0, sizeof(rt));
+
+ memcpy(&rt.rtmsg_dst, &ip, sizeof(struct in6_addr));
+ rt.rtmsg_dst_len = prefixlen;
+ rt.rtmsg_metric = 1;
+ rt.rtmsg_flags = RTF_UP;
+ rt.rtmsg_ifindex = tunidx;
+
+ LOG(1, 0, 0, "Route %s %s/%d\n",
+ add ? "add" : "del",
+ inet_ntop(AF_INET6, &ip, ipv6addr, INET6_ADDRSTRLEN),
+ prefixlen);
+
+ if (ioctl(ifr6fd, add ? SIOCADDRT : SIOCDELRT, (void *) &rt) < 0)
+ LOG(0, 0, 0, "route6set() error in ioctl: %s\n",
+ strerror(errno));
+
+ // FIXME: need to add BGP routing (RFC2858)
+
+ if (s)
+ {
+ if (!add) // Are we deleting a route?
+ s = 0; // Caching the session as '0' is the same as uncaching.
+
+ cache_ipv6map(ip, prefixlen, s);
+ }
+
+ return;
+}
+
+// defined in linux/ipv6.h, but tricky to include from user-space
+// TODO: move routing to use netlink rather than ioctl
+struct in6_ifreq {
+ struct in6_addr ifr6_addr;
+ __u32 ifr6_prefixlen;
+ unsigned int ifr6_ifindex;
+};
+
//
// Set up TUN interface
static void inittun(void)
{
struct ifreq ifr;
+ struct in6_ifreq ifr6;
struct sockaddr_in sin = {0};
memset(&ifr, 0, sizeof(ifr));
ifr.ifr_flags = IFF_TUN;
LOG(0, 0, 0, "Error setting tun flags: %s\n", strerror(errno));
exit(1);
}
+ if (ioctl(ifrfd, SIOCGIFINDEX, (void *) &ifr) < 0)
+ {
+ LOG(0, 0, 0, "Error getting tun ifindex: %s\n", strerror(errno));
+ exit(1);
+ }
+ tunidx = ifr.ifr_ifindex;
+
+ // Only setup IPv6 on the tun device if we have a configured prefix
+ if (config->ipv6_prefix.s6_addr[0] > 0) {
+ ifr6fd = socket(PF_INET6, SOCK_DGRAM, 0);
+
+ // Link local address is FE80::1
+ memset(&ifr6.ifr6_addr, 0, sizeof(ifr6.ifr6_addr));
+ ifr6.ifr6_addr.s6_addr[0] = 0xFE;
+ ifr6.ifr6_addr.s6_addr[1] = 0x80;
+ ifr6.ifr6_addr.s6_addr[15] = 1;
+ ifr6.ifr6_prefixlen = 64;
+ ifr6.ifr6_ifindex = ifr.ifr_ifindex;
+ if (ioctl(ifr6fd, SIOCSIFADDR, (void *) &ifr6) < 0)
+ {
+ LOG(0, 0, 0, "Error setting tun IPv6 link local address:"
+ " %s\n", strerror(errno));
+ }
+
+ // Global address is prefix::1
+ memset(&ifr6.ifr6_addr, 0, sizeof(ifr6.ifr6_addr));
+ ifr6.ifr6_addr = config->ipv6_prefix;
+ ifr6.ifr6_addr.s6_addr[15] = 1;
+ ifr6.ifr6_prefixlen = 64;
+ ifr6.ifr6_ifindex = ifr.ifr_ifindex;
+ if (ioctl(ifr6fd, SIOCSIFADDR, (void *) &ifr6) < 0)
+ {
+ LOG(0, 0, 0, "Error setting tun IPv6 global address: %s\n",
+ strerror(errno));
+ }
+ }
}
// set up UDP port
return (int) (intptr_t) d[(size_t) *a];
}
+int lookup_ipv6map(struct in6_addr ip)
+{
+ struct ipv6radix *curnode;
+ int i;
+ int s;
+ char ipv6addr[INET6_ADDRSTRLEN];
+
+ curnode = &ipv6_hash[ip.s6_addr[0]];
+ i = 1;
+ s = curnode->sess;
+
+ while (s == 0 && i < 15 && curnode->branch != NULL)
+ {
+ curnode = &curnode->branch[ip.s6_addr[i]];
+ s = curnode->sess;
+ i++;
+ }
+
+ LOG(4, s, session[s].tunnel, "Looking up address %s and got %d\n",
+ inet_ntop(AF_INET6, &ip, ipv6addr,
+ INET6_ADDRSTRLEN),
+ s);
+
+ return s;
+}
+
sessionidt sessionbyip(in_addr_t ip)
{
int s = lookup_ipmap(ip);
return 0;
}
+sessionidt sessionbyipv6(struct in6_addr ip)
+{
+ int s;
+ CSTAT(sessionbyipv6);
+
+ if (!memcmp(&config->ipv6_prefix, &ip, 8) ||
+ (ip.s6_addr[0] == 0xFE && ip.s6_addr[1] == 0x80 &&
+ (ip.s6_addr16[1] == ip.s6_addr16[2] == ip.s6_addr16[3] == 0))) {
+ s = lookup_ipmap(*(in_addr_t *) &ip.s6_addr[8]);
+ } else {
+ s = lookup_ipv6map(ip);
+ }
+
+ if (s > 0 && s < MAXSESSION && session[s].tunnel)
+ return s;
+
+ return 0;
+}
+
//
// Take an IP address in HOST byte order and
// add it to the sessionid by IP cache.
cache_ipmap(ip, 0); // Assign it to the NULL session.
}
+static void cache_ipv6map(struct in6_addr ip, int prefixlen, int s)
+{
+ int i;
+ int bytes;
+ struct ipv6radix *curnode;
+ char ipv6addr[INET6_ADDRSTRLEN];
+
+ curnode = &ipv6_hash[ip.s6_addr[0]];
+
+ bytes = prefixlen >> 3;
+ i = 1;
+ while (i < bytes) {
+ if (curnode->branch == NULL)
+ {
+ if (!(curnode->branch = calloc(256,
+ sizeof (struct ipv6radix))))
+ return;
+ }
+ curnode = &curnode->branch[ip.s6_addr[i]];
+ i++;
+ }
+
+ curnode->sess = s;
+
+ if (s > 0)
+ LOG(4, s, session[s].tunnel, "Caching ip address %s/%d\n",
+ inet_ntop(AF_INET6, &ip, ipv6addr,
+ INET6_ADDRSTRLEN),
+ prefixlen);
+ else if (s == 0)
+ LOG(4, 0, 0, "Un-caching ip address %s/%d\n",
+ inet_ntop(AF_INET6, &ip, ipv6addr,
+ INET6_ADDRSTRLEN),
+ prefixlen);
+}
+
//
// CLI list to dump current ipcache.
//
sess_local[s].cout += len; // To send to master..
}
+// process outgoing (to tunnel) IPv6
+//
+void processipv6out(uint8_t * buf, int len)
+{
+ sessionidt s;
+ sessiont *sp;
+ tunnelidt t;
+ in_addr_t ip;
+ struct in6_addr ip6;
+
+ char *data = buf; // Keep a copy of the originals.
+ int size = len;
+
+ uint8_t b[MAXETHER + 20];
+
+ CSTAT(processipv6out);
+
+ if (len < MIN_IP_SIZE)
+ {
+ LOG(1, 0, 0, "Short IPv6, %d bytes\n", len);
+ STAT(tunnel_tx_errors);
+ return;
+ }
+ if (len >= MAXETHER)
+ {
+ LOG(1, 0, 0, "Oversize IPv6 packet %d bytes\n", len);
+ STAT(tunnel_tx_errors);
+ return;
+ }
+
+ // Skip the tun header
+ buf += 4;
+ len -= 4;
+
+ // Got an IP header now
+ if (*(uint8_t *)(buf) >> 4 != 6)
+ {
+ LOG(1, 0, 0, "IP: Don't understand anything except IPv6\n");
+ return;
+ }
+
+ ip6 = *(struct in6_addr *)(buf+24);
+ s = sessionbyipv6(ip6);
+
+ if (s == 0)
+ {
+ ip = *(uint32_t *)(buf + 32);
+ s = sessionbyip(ip);
+ }
+
+ if (s == 0)
+ {
+ // Is this a packet for a session that doesn't exist?
+ static int rate = 0; // Number of ICMP packets we've sent this second.
+ static int last = 0; // Last time we reset the ICMP packet counter 'rate'.
+
+ if (last != time_now)
+ {
+ last = time_now;
+ rate = 0;
+ }
+
+ if (rate++ < config->icmp_rate) // Only send a max of icmp_rate per second.
+ {
+ // FIXME: Should send icmp6 host unreachable
+ }
+ return;
+ }
+ t = session[s].tunnel;
+ sp = &session[s];
+
+ // FIXME: add DoS prevention/filters?
+
+ if (sp->tbf_out)
+ {
+ // Are we throttling this session?
+ if (config->cluster_iam_master)
+ tbf_queue_packet(sp->tbf_out, data, size);
+ else
+ master_throttle_packet(sp->tbf_out, data, size);
+ return;
+ }
+ else if (sp->walled_garden && !config->cluster_iam_master)
+ {
+ // We are walled-gardening this
+ master_garden_packet(s, data, size);
+ return;
+ }
+
+ LOG(5, s, t, "Ethernet -> Tunnel (%d bytes)\n", len);
+
+ // Add on L2TP header
+ {
+ uint8_t *p = makeppp(b, sizeof(b), buf, len, t, s, PPPIPV6);
+ if (!p) return;
+ tunnelsend(b, len + (p-b), t); // send it...
+ }
+
+ // Snooping this session, send it to intercept box
+ if (sp->snoop_ip && sp->snoop_port)
+ snoop_send_packet(buf, len, sp->snoop_ip, sp->snoop_port);
+
+ sp->cout += len; // byte count
+ sp->total_cout += len; // byte count
+ sp->pout++;
+ udp_tx += len;
+ sess_local[s].cout += len; // To send to master..
+}
+
//
// Helper routine for the TBF filters.
// Used to send queued data in to the user!
}
else
free_ip_address(s);
+
+ // unroute IPv6, if setup
+ if (session[s].flags & SF_IPV6_ROUTED)
+ route6set(s, session[s].ipv6route, session[s].ipv6prefixlen, 0);
}
if (session[s].throttle_in || session[s].throttle_out) // Unthrottle if throttled.
tunnelsend(buf, 10 + (q - buf), t); // send it
session[s].flags &= ~SF_IPCP_ACKED; // Clear flag.
+
+ // If we have an IPv6 prefix length configured, assume we should
+ // try to negotiate an IPv6 session as well. Unless we've had a
+ // (N)ACK for IPV6CP.
+ if (config->ipv6_prefix.s6_addr[0] > 0 &&
+ !(session[s].flags & SF_IPV6CP_ACKED) &&
+ !(session[s].flags & SF_IPV6_NACKED))
+ {
+ q = makeppp(buf,sizeof(buf), 0, 0, t, s, PPPIPV6CP);
+ if (!q) return;
+
+ *q = ConfigReq;
+ q[1] = r << RADIUS_SHIFT; // ID, don't care, we
+ // only send one type
+ // of request
+ *(uint16_t *) (q + 2) = htons(14);
+ q[4] = 1;
+ q[5] = 10;
+ *(uint32_t *) (q + 6) = 0; // We'll be prefix::1
+ *(uint32_t *) (q + 10) = 0;
+ q[13] = 1;
+
+ tunnelsend(buf, 14 + (q - buf), t); // send it
+ }
}
// kill a session now
if (!config->cluster_iam_master) { master_forward_packet(buf, len, addr->sin_addr.s_addr, addr->sin_port); return; }
processipcp(t, s, p, l);
}
+ else if (prot == PPPIPV6CP)
+ {
+ if (config->ipv6_prefix.s6_addr[0] > 0)
+ {
+ session[s].last_packet = time_now;
+ if (!config->cluster_iam_master) { master_forward_packet(buf, len, addr->sin_addr.s_addr, addr->sin_port); return; }
+ processipv6cp(t, s, p, l);
+ }
+ else
+ {
+ LOG(1, s, t, "IPv6 not configured; ignoring IPv6CP\n");
+ }
+ }
else if (prot == PPPCCP)
{
session[s].last_packet = time_now;
processipin(t, s, p, l);
}
+ else if (prot == PPPIPV6)
+ {
+ if (!config->ipv6_prefix.s6_addr[0] > 0)
+ {
+ LOG(1, s, t, "IPv6 not configured; yet received IPv6 packet. Ignoring.\n");
+ return;
+ }
+ if (session[s].die)
+ {
+ LOG(4, s, t, "Session %d is closing. Don't process PPP packets\n", s);
+ return; // closing session, PPP not processed
+ }
+
+ session[s].last_packet = time_now;
+ if (session[s].walled_garden && !config->cluster_iam_master)
+ {
+ master_forward_packet(buf, len, addr->sin_addr.s_addr, addr->sin_port);
+ return;
+ }
+
+ processipv6in(t, s, p, l);
+ }
else
{
STAT(tunnel_rx_errors);
if (*(uint16_t *) (buf + 2) == htons(PKTIP)) // IPv4
processipout(buf, len);
+ else if (*(uint16_t *) (buf + 2) == htons(PKTIPV6) // IPV6
+ && config->ipv6_prefix.s6_addr[0] > 0)
+ processipv6out(buf, len);
+
// Else discard.
}
// convered by a Framed-Route. Anything else is part
// of the IP address pool and is already routed, it
// just needs to be added to the IP cache.
+ // IPv6 route setup is done in ppp.c, when IPV6CP is acked.
if (session[s].ip_pool_index == -1) // static ip
{
if (!routed) routeset(s, session[s].ip, 0, 0, 1);
}
}
+ // check v6 routing
+ if (new->flags & SF_IPV6_ROUTED && !(session[s].flags & SF_IPV6_ROUTED))
+ route6set(s, new->ipv6route, new->ipv6prefixlen, 1);
+
// check filters
if (new->filter_in && (new->filter_in > MAXFILTER || !ip_filters[new->filter_in - 1].name[0]))
{
// L2TPNS Global Stuff
-// $Id: l2tpns.h,v 1.53 2005-01-13 07:57:39 bodea Exp $
+// $Id: l2tpns.h,v 1.54 2005-01-25 04:19:05 bodea Exp $
#ifndef __L2TPNS_H__
#define __L2TPNS_H__
uint16_t sid; // near end session id.
uint8_t filter_in; // input filter index (to ip_filters[N-1]; 0 if none)
uint8_t filter_out; // output filter index
- char reserved[18]; // Space to expand structure without changing HB_VERSION
+ struct in6_addr ipv6route; // Static IPv6 route
+ uint8_t ipv6prefixlen; // IPv6 route prefix length
+ char reserved[1]; // Space to expand structure without changing HB_VERSION
}
sessiont;
#define SF_CCP_ACKED 4 // CCP negotiated
#define SF_IPV6CP_ACKED 8 // IPv6 negotiated
#define SF_IPV6_NACKED 16 // IPv6 rejected
+#define SF_IPV6_ROUTED 32 // advertised v6 route
#define AUTHPAP 1 // allow PAP
#define AUTHCHAP 2 // allow CHAP
#ifdef STATISTICS
uint32_t call_processtun;
uint32_t call_processipout;
+ uint32_t call_processipv6out;
uint32_t call_processudp;
uint32_t call_sessionbyip;
+ uint32_t call_sessionbyipv6;
uint32_t call_sessionbyuser;
uint32_t call_sendarp;
uint32_t call_sendipcp;
+ uint32_t call_processipv6cp;
uint32_t call_tunnelsend;
uint32_t call_sessionkill;
uint32_t call_sessionshutdown;
uint32_t call_processlcp;
uint32_t call_processipcp;
uint32_t call_processipin;
+ uint32_t call_processipv6in;
uint32_t call_processccp;
uint32_t call_sendchap;
uint32_t call_processrad;
int cluster_hb_timeout; // How many missed heartbeats trigger an election.
uint64_t cluster_table_version; // # state changes processed by cluster
+ struct in6_addr ipv6_prefix; // Our IPv6 network pool.
+
#ifdef BGP
#define BGP_NUM_PEERS 2
uint16_t as_number;
void processchap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l);
void processlcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l);
void processipcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l);
+void processipv6cp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l);
void processipin(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l);
+void processipv6in(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l);
void processccp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l);
void sendchap(tunnelidt t, sessionidt s);
uint8_t *makeppp(uint8_t *b, int size, uint8_t *p, int l, tunnelidt t, sessionidt s, uint16_t mtype);
// l2tpns.c
clockt backoff(uint8_t try);
+void send_ipv6_ra(tunnelidt t, sessionidt s, struct in6_addr *ip);
+void route6set(sessionidt s, struct in6_addr ip, int prefixlen, int add);
sessionidt sessionbyip(in_addr_t ip);
+sessionidt sessionbyipv6(struct in6_addr ip);
sessionidt sessionbyuser(char *username);
void random_data(uint8_t *buf, int len);
void sessionshutdown(sessionidt s, char *reason);
%attr(644,root,root) /usr/share/man/man[58]/*
%changelog
-* Thu Jan 13 2005 Brendan O'Dea <bod@optusnet.com.au> 2.1.0-1
+* Tue Jan 25 2005 Brendan O'Dea <bod@optusnet.com.au> 2.1.0-1
- 2.1.0 release, see /usr/share/doc/l2tpns-2.1.0/Changes
// L2TPNS PPP Stuff
-char const *cvs_id_ppp = "$Id: ppp.c,v 1.41 2005-01-13 07:57:39 bodea Exp $";
+char const *cvs_id_ppp = "$Id: ppp.c,v 1.42 2005-01-25 04:19:06 bodea Exp $";
#include <stdio.h>
#include <string.h>
if (!r)
{
LOG(1, s, t, "Unexpected CHAP message\n");
-
-// FIXME: Need to drop the session here.
-
STAT(tunnel_rx_errors);
return;
}
{
sessionshutdown(s, "Connection closed.");
}
+ else if (*p == ProtocolRej)
+ {
+ if (*(uint16_t *) (p+4) == htons(PPPIPV6CP))
+ {
+ LOG(3, s, t, "IPv6 rejected\n");
+ session[s].flags |= SF_IPV6_NACKED;
+ }
+ else
+ {
+ LOG(1, s, t, "Unexpected LCP protocol reject 0x%X\n",
+ ntohs(*(uint16_t *) (p+4)));
+ STAT(tunnel_rx_errors);
+ }
+ }
else if (*p == EchoReq)
{
LOG(5, s, t, "LCP: Received EchoReq. Sending EchoReply\n");
}
}
+// Process IPV6CP messages
+void processipv6cp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
+{
+
+ CSTAT(processipv6cp);
+
+ LOG_HEX(5, "IPV6CP", p, l);
+ if (l < 4)
+ {
+ LOG(1, s, t, "Short IPV6CP %d bytes\n", l);
+ STAT(tunnel_rx_errors);
+ return ;
+ }
+ if (*p == ConfigAck)
+ {
+ // happy with our IPV6CP
+ session[s].flags |= SF_IPV6CP_ACKED;
+
+ LOG(3, s, t, "IPV6CP Acked, IPv6 is now active\n");
+ // Add a routed block if configured.
+ if (session[s].ipv6prefixlen)
+ {
+ route6set(s, session[s].ipv6route, session[s].ipv6prefixlen, 1);
+ session[s].flags |= SF_IPV6_ROUTED;
+ }
+
+ // Send an initial RA (TODO: Should we send these regularly?)
+ send_ipv6_ra(t, s, NULL);
+ return;
+ }
+ if (*p != ConfigReq)
+ {
+ LOG(1, s, t, "Unexpected IPV6CP code %d\n", *p);
+ STAT(tunnel_rx_errors);
+ return;
+ }
+
+ LOG(4, s, t, "IPV6CP ConfigReq received\n");
+ if (ntohs(*(uint16_t *) (p + 2)) > l)
+ {
+ LOG(1, s, t, "Length mismatch IPV6CP %d/%d\n", ntohs(*(uint16_t *) (p + 2)), l);
+ STAT(tunnel_rx_errors);
+ return ;
+ }
+ if (!session[s].ip)
+ {
+ LOG(3, s, t, "Waiting on radius reply\n");
+ return; // have to wait on RADIUS reply
+ }
+ // form a config reply quoting the IP in the session
+ {
+ uint8_t b[MAXCONTROL];
+ uint8_t *i,
+ *q;
+
+ l = ntohs(*(uint16_t *) (p + 2)); // We must use length from IPV6CP len field
+ q = p + 4;
+ i = p + l;
+ while (q < i && q[1])
+ {
+ if (*q != 1)
+ break;
+ q += q[1];
+ }
+ if (q < i)
+ {
+ // reject
+ uint16_t n = 4;
+ i = p + l;
+ if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPV6CP)))
+ {
+ LOG(2, s, t, "Failed to send IPV6CP ConfigRej\n");
+ return;
+ }
+ *q = ConfigRej;
+ p += 4;
+ while (p < i && p[1])
+ {
+ if (*p != 1)
+ {
+ LOG(2, s, t, "IPV6CP reject %d\n", *p);
+ memcpy(q + n, p, p[1]);
+ n += p[1];
+ }
+ p += p[1];
+ }
+ *(uint16_t *) (q + 2) = htons(n);
+ LOG(4, s, t, "Sending ConfigRej\n");
+ tunnelsend(b, n + (q - b), t); // send it
+ }
+ else
+ {
+ LOG(4, s, t, "Sending ConfigAck\n");
+ *p = ConfigAck;
+ i = findppp(p, 1); // IP address
+ if (!i || i[1] != 10)
+ {
+ LOG(1, s, t, "No IP in IPV6CP request\n");
+ STAT(tunnel_rx_errors);
+ return ;
+ }
+ if ((*(uint32_t *) (i + 2) != htonl(session[s].ip)) ||
+ (*(uint32_t *) (i + 6) != 0))
+ {
+ *(uint32_t *) (i + 2) = htonl(session[s].ip);
+ *(uint32_t *) (i + 6) = 0;
+ *p = ConfigNak;
+ LOG(4, s, t,
+ " No, a ConfigNak, client is "
+ "requesting IP - sending %s\n",
+ fmtaddr(htonl(session[s].ip), 0));
+ }
+ if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPV6CP)))
+ {
+ LOG(2, s, t, " Failed to send IPV6CP packet.\n");
+ return;
+ }
+ tunnelsend(b, l + (q - b), t); // send it
+ }
+ }
+}
+
// process IP packet received
//
// This MUST be called with at least 4 byte behind 'p'.
INC_STAT(tun_tx_bytes, l - 4);
}
+// process IPv6 packet received
+//
+// This MUST be called with at least 4 byte behind 'p'.
+// (i.e. this routine writes to p[-4]).
+void processipv6in(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
+{
+ struct in6_addr ip;
+ in_addr_t ipv4;
+
+ CSTAT(processipv6in);
+
+ LOG_HEX(5, "IPv6", p, l);
+
+ ip = *(struct in6_addr *) (p + 8);
+ ipv4 = ntohl(*(uint32_t *)(p + 16));
+
+ if (l > MAXETHER)
+ {
+ LOG(1, s, t, "IP packet too long %d\n", l);
+ STAT(tunnel_rx_errors);
+ return ;
+ }
+
+ // no spoof
+ if (ipv4 != session[s].ip && memcmp(&config->ipv6_prefix, &ip, 8) && sessionbyipv6(ip) != s)
+ {
+ char str[INET6_ADDRSTRLEN];
+ LOG(5, s, t, "Dropping packet with spoofed IP %s\n",
+ inet_ntop(AF_INET6, &ip, str, INET6_ADDRSTRLEN));
+ return;
+ }
+
+ // Check if it's a Router Solicition message.
+ if (*(p + 6) == 58 && *(p + 7) == 255 && *(p + 24) == 0xFF && *(p + 25) == 2 &&
+ *(uint32_t *)(p + 26) == 0 && *(uint32_t *)(p + 30) == 0 &&
+ *(uint32_t *)(p + 34) == 0 &&
+ *(p + 38) == 0 && *(p + 39) == 2 && *(p + 40) == 133) {
+ LOG(3, s, t, "Got IPv6 RS\n");
+ send_ipv6_ra(t, s, &ip);
+ return;
+ }
+
+ // Add on the tun header
+ p -= 4;
+ *(uint32_t *)p = htonl(PKTIPV6);
+ l += 4;
+
+ // Are we throttled and a slave?
+ if (session[s].tbf_in && !config->cluster_iam_master) {
+ // Pass it to the master for handling.
+ master_throttle_packet(session[s].tbf_in, p, l);
+ return;
+ }
+
+ // Are we throttled and a master?? actually handle the throttled
+ // packets.
+ if (session[s].tbf_in && config->cluster_iam_master) {
+ tbf_queue_packet(session[s].tbf_in, p, l);
+ return;
+ }
+
+ // send to ethernet
+ if (tun_write(p, l) < 0)
+ {
+ STAT(tun_tx_errors);
+ LOG(0, s, t, "Error writing %d bytes to TUN device: %s" " (tunfd=%d, p=%p)\n",
+ l, strerror(errno), tunfd, p);
+ }
+
+ if (session[s].snoop_ip && session[s].snoop_port)
+ {
+ // Snooping this session
+ snoop_send_packet(p, l, session[s].snoop_ip, session[s].snoop_port);
+ }
+
+ session[s].cin += l - 4;
+ session[s].total_cin += l - 4;
+ sess_local[s].cin += l - 4;
+
+ session[s].pin++;
+ eth_tx += l - 4;
+
+ STAT(tun_tx_packets);
+ INC_STAT(tun_tx_bytes, l - 4);
+}
+
//
// Helper routine for the TBF filters.
// Used to send queued data in from the user.
// L2TPNS Radius Stuff
-char const *cvs_id_radius = "$Id: radius.c,v 1.22 2005-01-05 14:35:01 bodea Exp $";
+char const *cvs_id_radius = "$Id: radius.c,v 1.23 2005-01-25 04:19:06 bodea Exp $";
#include <time.h>
#include <stdio.h>
} while (newp);
free(avpair);
}
+ else if (*p == 99)
+ {
+ // Framed-IPv6-Route
+ struct in6_addr r6;
+ int prefixlen;
+ uint8_t *n = p + 2;
+ uint8_t *e = p + p[1];
+ uint8_t *m = strchr(n, '/');
+
+ *m++ = 0;
+ inet_pton(AF_INET6, n, &r6);
+
+ prefixlen = 0;
+ while (m < e && isdigit(*m)) {
+ prefixlen = prefixlen * 10 + *m++ - '0';
+ }
+
+ if (prefixlen)
+ {
+ LOG(3, s, session[s].tunnel,
+ " Radius reply contains route for %s/%d\n",
+ n, prefixlen);
+ session[s].ipv6route = r6;
+ session[s].ipv6prefixlen = prefixlen;
+ }
+ }
}
}
else if (r_code == AccessReject)
{
LOG(2, s, session[s].tunnel, " Authentication denied for %s\n", session[s].user);
-//FIXME: We should tear down the session here!
+ sessionshutdown(s, "Authentication denied");
break;
}
/* Misc util functions */
-char const *cvs_id_util = "$Id: util.c,v 1.9 2004-12-20 07:23:53 bodea Exp $";
+char const *cvs_id_util = "$Id: util.c,v 1.10 2005-01-25 04:19:07 bodea Exp $";
#include <unistd.h>
#include <errno.h>
}
extern int forked;
-extern int udpfd, controlfd, tunfd, snoopfd, ifrfd, cluster_sockfd;
+extern int udpfd, controlfd, tunfd, snoopfd, ifrfd, ifr6fd, cluster_sockfd;
extern int *radfds;
pid_t fork_and_close()
if (controlfd != -1) close(controlfd);
if (snoopfd != -1) close(snoopfd);
if (ifrfd != -1) close(ifrfd);
+ if (ifr6fd != -1) close(ifr6fd);
if (cluster_sockfd != -1) close(cluster_sockfd);
if (clifd != -1) close(clifd);