From: fendo Date: Fri, 19 Sep 2014 10:20:47 +0000 (+0200) Subject: Merge from Master X-Git-Tag: 2.2.1-2sames3.15 X-Git-Url: http://git.sameswireless.fr/l2tpns.git/commitdiff_plain/781b0fde104ecf5f22c9c5322e58180f0b4a88a5?hp=ba1c3362c6dc0d65eb3d06368c47b75aa135456b Merge from Master --- diff --git a/cluster.c b/cluster.c index 8e604db..329711a 100644 --- a/cluster.c +++ b/cluster.c @@ -1538,6 +1538,128 @@ struct oldsession { char reserved_3[11]; }; +struct oldsessionV7 { + sessionidt next; // next session in linked list + sessionidt far; // far end session ID + tunnelidt tunnel; // near end tunnel ID + uint8_t flags; // session flags: see SESSION_* + struct { + uint8_t phase; // PPP phase + uint8_t lcp:4; // LCP state + uint8_t ipcp:4; // IPCP state + uint8_t ipv6cp:4; // IPV6CP state + uint8_t ccp:4; // CCP state + } ppp; + uint16_t mru; // maximum receive unit + in_addr_t ip; // IP of session set by RADIUS response (host byte order). + int ip_pool_index; // index to IP pool + uint32_t unique_id; // unique session id + uint32_t magic; // ppp magic number + uint32_t pin, pout; // packet counts + uint32_t cin, cout; // byte counts + uint32_t cin_wrap, cout_wrap; // byte counter wrap count (RADIUS accounting giagawords) + uint32_t cin_delta, cout_delta; // byte count changes (for dump_session()) + uint16_t throttle_in; // upstream throttle rate (kbps) + uint16_t throttle_out; // downstream throttle rate + uint8_t filter_in; // input filter index (to ip_filters[N-1]; 0 if none) + uint8_t filter_out; // output filter index + uint16_t snoop_port; // Interception destination port + in_addr_t snoop_ip; // Interception destination IP + clockt opened; // when started + clockt die; // being closed, when to finally free + uint32_t session_timeout; // Maximum session time in seconds + uint32_t idle_timeout; // Maximum idle time in seconds + time_t last_packet; // Last packet from the user (used for idle timeouts) + time_t last_data; // Last data packet to/from the user (used for idle timeouts) + in_addr_t dns1, dns2; // DNS servers + routet route[MAXROUTE]; // static routes + uint16_t tbf_in; // filter bucket for throttling in from the user. + uint16_t tbf_out; // filter bucket for throttling out to the user. + int random_vector_length; + uint8_t random_vector[MAXTEL]; + char user[MAXUSER]; // user (needed in session for radius stop messages) + char called[MAXTEL]; // called number + char calling[MAXTEL]; // calling number + uint32_t tx_connect_speed; + uint32_t rx_connect_speed; + clockt timeout; // Session timeout + uint32_t mrru; // Multilink Max-Receive-Reconstructed-Unit + epdist epdis; // Multilink Endpoint Discriminator + bundleidt bundle; // Multilink Bundle Identifier + uint8_t mssf; // Multilink Short Sequence Number Header Format + uint8_t walled_garden; // is this session gardened? + uint8_t classlen; // class (needed for radius accounting messages) + char class[MAXCLASS]; + uint8_t ipv6prefixlen; // IPv6 route prefix length + struct in6_addr ipv6route; // Static IPv6 route + sessionidt forwardtosession; // LNS id_session to forward + uint8_t src_hwaddr[ETH_ALEN]; // MAC addr source (for pppoe sessions 6 bytes) + char reserved[4]; // Space to expand structure without changing HB_VERSION +}; + +struct oldsessionV8 { + sessionidt next; // next session in linked list + sessionidt far; // far end session ID + tunnelidt tunnel; // near end tunnel ID + uint8_t flags; // session flags: see SESSION_* + struct { + uint8_t phase; // PPP phase + uint8_t lcp:4; // LCP state + uint8_t ipcp:4; // IPCP state + uint8_t ipv6cp:4; // IPV6CP state + uint8_t ccp:4; // CCP state + } ppp; + uint16_t mru; // maximum receive unit + in_addr_t ip; // IP of session set by RADIUS response (host byte order). + int ip_pool_index; // index to IP pool + uint32_t unique_id; // unique session id + uint32_t magic; // ppp magic number + uint32_t pin, pout; // packet counts + uint32_t cin, cout; // byte counts + uint32_t cin_wrap, cout_wrap; // byte counter wrap count (RADIUS accounting giagawords) + uint32_t cin_delta, cout_delta; // byte count changes (for dump_session()) + uint16_t throttle_in; // upstream throttle rate (kbps) + uint16_t throttle_out; // downstream throttle rate + uint8_t filter_in; // input filter index (to ip_filters[N-1]; 0 if none) + uint8_t filter_out; // output filter index + uint16_t snoop_port; // Interception destination port + in_addr_t snoop_ip; // Interception destination IP + clockt opened; // when started + clockt die; // being closed, when to finally free + uint32_t session_timeout; // Maximum session time in seconds + uint32_t idle_timeout; // Maximum idle time in seconds + time_t last_packet; // Last packet from the user (used for idle timeouts) + time_t last_data; // Last data packet to/from the user (used for idle timeouts) + in_addr_t dns1, dns2; // DNS servers + routet route[MAXROUTE]; // static routes + uint16_t tbf_in; // filter bucket for throttling in from the user. + uint16_t tbf_out; // filter bucket for throttling out to the user. + int random_vector_length; + uint8_t random_vector[MAXTEL]; + char user[MAXUSER]; // user (needed in session for radius stop messages) + char called[MAXTEL]; // called number + char calling[MAXTEL]; // calling number + uint32_t tx_connect_speed; + uint32_t rx_connect_speed; + clockt timeout; // Session timeout + uint32_t mrru; // Multilink Max-Receive-Reconstructed-Unit + epdist epdis; // Multilink Endpoint Discriminator + bundleidt bundle; // Multilink Bundle Identifier + uint8_t mssf; // Multilink Short Sequence Number Header Format + uint8_t walled_garden; // is this session gardened? + uint8_t classlen; // class (needed for radius accounting messages) + char class[MAXCLASS]; + uint8_t ipv6prefixlen; // IPv6 route prefix length + struct in6_addr ipv6route; // Static IPv6 route + sessionidt forwardtosession; // LNS id_session to forward + uint8_t src_hwaddr[ETH_ALEN]; // MAC addr source (for pppoe sessions 6 bytes) + uint32_t dhcpv6_prefix_iaid; // prefix iaid requested by client + uint32_t dhcpv6_iana_iaid; // iaid of iana requested by client + struct in6_addr ipv6address; // Framed Ipv6 address + struct dhcp6_opt_clientid dhcpv6_client_id; // Size max (headers + DUID) + char reserved[4]; // Space to expand structure without changing HB_VERSION +}; + static uint8_t *convert_session(struct oldsession *old) { static sessiont new; @@ -1592,16 +1714,162 @@ static uint8_t *convert_session(struct oldsession *old) new.snoop_ip = old->snoop_ip; new.snoop_port = old->snoop_port; new.walled_garden = old->walled_garden; - new.ipv6prefixlen = old->ipv6prefixlen; - new.ipv6route = old->ipv6route; + new.route6[0].ipv6prefixlen = old->ipv6prefixlen; + new.route6[0].ipv6route = old->ipv6route; + + memcpy(new.random_vector, old->random_vector, sizeof(new.random_vector)); + memcpy(new.user, old->user, sizeof(new.user)); + memcpy(new.called, old->called, sizeof(new.called)); + memcpy(new.calling, old->calling, sizeof(new.calling)); + + for (i = 0; i < MAXROUTE; i++) + memcpy(&new.route[i], &old->route[i], sizeof(new.route[i])); + + return (uint8_t *) &new; +} +static uint8_t *convert_sessionV7(struct oldsessionV7 *old) +{ + static sessiont new; + int i; + + memset(&new, 0, sizeof(new)); + + new.next = old->next; + new.far = old->far; + new.tunnel = old->tunnel; + new.flags = old->flags; + new.ppp.phase = old->ppp.phase; + new.ppp.lcp = old->ppp.lcp; + new.ppp.ipcp = old->ppp.ipcp; + new.ppp.ipv6cp = old->ppp.ipv6cp; + new.ppp.ccp = old->ppp.ccp; + new.mru = old->mru; + new.ip = old->ip; + new.ip_pool_index = old->ip_pool_index; + new.unique_id = old->unique_id; + new.magic = old->magic; + new.pin = old->pin; + new.pout = old->pout; + new.cin = old->cin; + new.cout = old->cout; + new.cin_wrap = old->cin_wrap; + new.cout_wrap = old->cout_wrap; + new.cin_delta = old->cin_delta; + new.cout_delta = old->cout_delta; + new.throttle_in = old->throttle_in; + new.throttle_out = old->throttle_out; + new.filter_in = old->filter_in; + new.filter_out = old->filter_out; + new.snoop_port = old->snoop_port; + new.snoop_ip = old->snoop_ip; + new.opened = old->opened; + new.die = old->die; + new.session_timeout = old->session_timeout; + new.idle_timeout = old->idle_timeout; + new.last_packet = old->last_packet; + new.last_data = old->last_data; + new.dns1 = old->dns1; + new.dns2 = old->dns2; + for (i = 0; i < MAXROUTE; i++) + memcpy(&new.route[i], &old->route[i], sizeof(new.route[i])); + new.tbf_in = old->tbf_in; + new.tbf_out = old->tbf_out; + new.random_vector_length = old->random_vector_length; memcpy(new.random_vector, old->random_vector, sizeof(new.random_vector)); memcpy(new.user, old->user, sizeof(new.user)); memcpy(new.called, old->called, sizeof(new.called)); memcpy(new.calling, old->calling, sizeof(new.calling)); + new.tx_connect_speed = old->tx_connect_speed; + new.rx_connect_speed = old->rx_connect_speed; + new.timeout = old->timeout; + new.mrru = old->mrru; + new.epdis = old->epdis; + new.bundle = old->bundle; + new.mssf = old->mssf; + new.walled_garden = old->walled_garden; + new.classlen = old->classlen; + memcpy(new.class, old->class, sizeof(new.class)); + new.route6[0].ipv6prefixlen = old->ipv6prefixlen; + new.route6[0].ipv6route = old->ipv6route; + + new.forwardtosession = old->forwardtosession; + memcpy(new.src_hwaddr, old->src_hwaddr, sizeof(new.src_hwaddr)); + + return (uint8_t *) &new; +} + +static uint8_t *convert_sessionV8(struct oldsessionV8 *old) +{ + static sessiont new; + int i; + memset(&new, 0, sizeof(new)); + + new.next = old->next; + new.far = old->far; + new.tunnel = old->tunnel; + new.flags = old->flags; + new.ppp.phase = old->ppp.phase; + new.ppp.lcp = old->ppp.lcp; + new.ppp.ipcp = old->ppp.ipcp; + new.ppp.ipv6cp = old->ppp.ipv6cp; + new.ppp.ccp = old->ppp.ccp; + new.mru = old->mru; + new.ip = old->ip; + new.ip_pool_index = old->ip_pool_index; + new.unique_id = old->unique_id; + new.magic = old->magic; + new.pin = old->pin; + new.pout = old->pout; + new.cin = old->cin; + new.cout = old->cout; + new.cin_wrap = old->cin_wrap; + new.cout_wrap = old->cout_wrap; + new.cin_delta = old->cin_delta; + new.cout_delta = old->cout_delta; + new.throttle_in = old->throttle_in; + new.throttle_out = old->throttle_out; + new.filter_in = old->filter_in; + new.filter_out = old->filter_out; + new.snoop_port = old->snoop_port; + new.snoop_ip = old->snoop_ip; + new.opened = old->opened; + new.die = old->die; + new.session_timeout = old->session_timeout; + new.idle_timeout = old->idle_timeout; + new.last_packet = old->last_packet; + new.last_data = old->last_data; + new.dns1 = old->dns1; + new.dns2 = old->dns2; for (i = 0; i < MAXROUTE; i++) memcpy(&new.route[i], &old->route[i], sizeof(new.route[i])); + new.tbf_in = old->tbf_in; + new.tbf_out = old->tbf_out; + new.random_vector_length = old->random_vector_length; + memcpy(new.random_vector, old->random_vector, sizeof(new.random_vector)); + memcpy(new.user, old->user, sizeof(new.user)); + memcpy(new.called, old->called, sizeof(new.called)); + memcpy(new.calling, old->calling, sizeof(new.calling)); + new.tx_connect_speed = old->tx_connect_speed; + new.rx_connect_speed = old->rx_connect_speed; + new.timeout = old->timeout; + new.mrru = old->mrru; + new.epdis = old->epdis; + new.bundle = old->bundle; + new.mssf = old->mssf; + new.walled_garden = old->walled_garden; + new.classlen = old->classlen; + memcpy(new.class, old->class, sizeof(new.class)); + new.route6[0].ipv6prefixlen = old->ipv6prefixlen; + new.route6[0].ipv6route = old->ipv6route; + + new.forwardtosession = old->forwardtosession; + memcpy(new.src_hwaddr, old->src_hwaddr, sizeof(new.src_hwaddr)); + new.dhcpv6_prefix_iaid = old->dhcpv6_prefix_iaid; + new.dhcpv6_iana_iaid = old->dhcpv6_iana_iaid; + new.ipv6address = old->ipv6address; + new.dhcpv6_client_id = old->dhcpv6_client_id; return (uint8_t *) &new; } @@ -1618,7 +1886,7 @@ static int cluster_process_heartbeat(uint8_t *data, int size, int more, uint8_t int i, type; int hb_ver = more; -#if HB_VERSION != 8 +#if HB_VERSION != 9 # error "need to update cluster_process_heartbeat()" #endif @@ -1799,10 +2067,13 @@ static int cluster_process_heartbeat(uint8_t *data, int size, int more, uint8_t if (size != sizeof(sessiont)) { // Ouch! Very very bad! if ((hb_ver < HB_VERSION) && (size < sizeof(sessiont))) { - // set to 0 the unused variables - memset(&c[size], 0, (sizeof(sessiont) - size)); - LOG(3, 0, 0, "WARNING: Received a CSESSION from %s hb_version %d != %d current version !\n", fmtaddr(addr, 2), hb_ver, HB_VERSION); - // New feature not activated until the master has not been upgraded. + if ((hb_ver == 7) && (size == sizeof(struct oldsessionV7))) + cluster_recv_session(more, convert_sessionV7((struct oldsessionV7 *) c)); + else if (size == sizeof(struct oldsessionV8)) + cluster_recv_session(more, convert_sessionV8((struct oldsessionV8 *) c)); + else + LOG(0, 0, 0, "DANGER: Received a CSESSION version=%d that didn't decompress correctly!\n", hb_ver); + break; } else { diff --git a/cluster.h b/cluster.h index 290c589..3df6c4d 100644 --- a/cluster.h +++ b/cluster.h @@ -29,7 +29,7 @@ #define C_CGROUPE 22 // Compressed groupe structure. -#define HB_VERSION 8 // Protocol version number.. +#define HB_VERSION 9 // Protocol version number.. #define HB_MAX_SEQ (1<<30) // Maximum sequence number. (MUST BE A POWER OF 2!) #define HB_HISTORY_SIZE 64 // How many old heartbeats we remember?? (Must be a factor of HB_MAX_SEQ) diff --git a/debian/changelog b/debian/changelog index 1c96e14..14b5b52 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +l2tpns (2.2.1-2sames3.15) unstable; urgency=low + + * new feature: If the user attribute "Framed-IPv6-Address" is defined then the ICMPv6_RA advertise this IPv6 address. + * Fix: Incorrect delegation of IPv6 prefixes when multiple of 4 bits (nibble) (eg: /44, /52 ...). + * Added ability to define up to 5 IPv6 prefix delegation by user. + + -- Fernando Alves Thu, 18 Sep 2014 18:36:43 +0200 + l2tpns (2.2.1-2sames3.14) unstable; urgency=low * Fix cluster slave; reset to 0, the end of the session when the master version < slave version. @@ -7,7 +15,7 @@ l2tpns (2.2.1-2sames3.14) unstable; urgency=low -- Fernando Alves Sun, 14 Sep 2014 18:27:09 +0200 -l2tpns (2.2.1-2sames3.12) UNRELEASED; urgency=low +l2tpns (2.2.1-2sames3.12) unstable; urgency=low * Fix: throttle ipv6 out. * Fix: remove old IPV6 routes on slave diff --git a/dhcp6.c b/dhcp6.c index e422df5..171c1f0 100644 --- a/dhcp6.c +++ b/dhcp6.c @@ -98,21 +98,33 @@ static void dhcp6_send_reply(sessionidt s, tunnelidt t, struct in6_addr *ip6_src } else { + struct dhcp6_opt_h *p_opt_head; + int r; + uint16_t lenopt; + if (list_option.p_mess_hdr->type == DHCP6_REQUEST || list_option.p_opt_rapidcommit) { session[s].dhcpv6_prefix_iaid = ((struct dhcp6_opt_ia_pd *)list_option.p_opt_ia_pd)->iaid; } - p_opt->len = htons(sizeof(struct dhcp6_opt_ia_pd) - sizeof(*p_opt) + sizeof(struct dhcp6_opt_ia_prefix)); + p_opt_head = p_opt; + lenopt = sizeof(struct dhcp6_opt_ia_pd) - sizeof(*p_opt); + p_opt = (struct dhcp6_opt_h *) &((struct dhcp6_opt_ia_pd *)p_opt)[1]; - ((struct dhcp6_opt_ia_prefix *)p_opt)->hdr.code = htons(D6_OPT_IAPREFIX); - ((struct dhcp6_opt_ia_prefix *)p_opt)->hdr.len = htons(sizeof(struct dhcp6_opt_ia_prefix) - sizeof(*p_opt)); - ((struct dhcp6_opt_ia_prefix *)p_opt)->pref_lifetime= (config->dhcp6_preferred_lifetime > 0) ? htonl(config->dhcp6_preferred_lifetime) : 0xFFFFFFFF; - ((struct dhcp6_opt_ia_prefix *)p_opt)->valid_lifetime= (config->dhcp6_valid_lifetime > 0) ? htonl(config->dhcp6_valid_lifetime) : 0xFFFFFFFF; - ((struct dhcp6_opt_ia_prefix *)p_opt)->prefix_len = session[s].ipv6prefixlen; - ((struct dhcp6_opt_ia_prefix *)p_opt)->prefix = session[s].ipv6route; - p_opt = (struct dhcp6_opt_h *) &((struct dhcp6_opt_ia_prefix *)p_opt)[1]; // next option + for (r = 0; r < MAXROUTE6 && session[s].route6[r].ipv6route.s6_addr[0] && session[s].route6[r].ipv6prefixlen; r++) + { + ((struct dhcp6_opt_ia_prefix *)p_opt)->hdr.code = htons(D6_OPT_IAPREFIX); + ((struct dhcp6_opt_ia_prefix *)p_opt)->hdr.len = htons(sizeof(struct dhcp6_opt_ia_prefix) - sizeof(*p_opt)); + ((struct dhcp6_opt_ia_prefix *)p_opt)->pref_lifetime= (config->dhcp6_preferred_lifetime > 0) ? htonl(config->dhcp6_preferred_lifetime) : 0xFFFFFFFF; + ((struct dhcp6_opt_ia_prefix *)p_opt)->valid_lifetime= (config->dhcp6_valid_lifetime > 0) ? htonl(config->dhcp6_valid_lifetime) : 0xFFFFFFFF; + ((struct dhcp6_opt_ia_prefix *)p_opt)->prefix_len = session[s].route6[r].ipv6prefixlen; + ((struct dhcp6_opt_ia_prefix *)p_opt)->prefix = session[s].route6[r].ipv6route; + + p_opt = (struct dhcp6_opt_h *) &((struct dhcp6_opt_ia_prefix *)p_opt)[1]; // next option + lenopt += sizeof(struct dhcp6_opt_ia_prefix); + } + p_opt_head->len = htons(lenopt); } } @@ -257,6 +269,46 @@ static void dhcp6_send_reply(sessionidt s, tunnelidt t, struct in6_addr *ip6_src tunnelsend(b, len + (((uint8_t *) p_ip6_hdr)-b), t); // send it... } +static char * get_msg_type(uint8_t type) +{ + switch(type) + { + case DHCP6_SOLICIT: + { + return "Solicit"; + } + break; + + case DHCP6_REQUEST: + return "Request"; + break; + + case DHCP6_RENEW: + return "Renew"; + break; + + case DHCP6_INFORMATION_REQUEST: + return "Information Request"; + break; + + case DHCP6_REBIND: + return "Rebind"; + break; + + case DHCP6_RELEASE: + return "Release"; + break; + + case DHCP6_DECLINE: + return "Decline"; + break; + + default: + return "Unknown"; + break; + } +} + void dhcpv6_process(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l) { struct ip6_hdr *p_ip6_hdr_in; @@ -270,9 +322,9 @@ void dhcpv6_process(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l) p_ip6_hdr_in = (struct ip6_hdr *) p; p_mess_hdr = (struct dhcp6_mess_hdr *) (p + 48); - LOG(3, s, t, "Got DHCPv6 message Type: %d\n", p_mess_hdr->type); + LOG(3, s, t, "Got DHCPv6 message Type: %s(%d)\n", get_msg_type(p_mess_hdr->type), p_mess_hdr->type); - if (!session[s].ipv6route.s6_addr[0] || !session[s].ipv6prefixlen) + if (!session[s].route6[0].ipv6route.s6_addr[0] || !session[s].route6[0].ipv6prefixlen) return; p_opt = (struct dhcp6_opt_h *) &p_mess_hdr[1]; @@ -326,8 +378,6 @@ void dhcpv6_process(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l) { case DHCP6_SOLICIT: { - LOG(3, s, t, "..(Type %d = Solicit)\n", p_mess_hdr->type); - if (!list_option.p_opt_clientid) { LOG(3, s, t, "DHCPv6: error no Client-ID\n"); @@ -369,8 +419,6 @@ void dhcpv6_process(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l) case DHCP6_REQUEST: { - LOG(3, s, t, "..(Type %d = Request)\n", p_mess_hdr->type); - if (!list_option.p_opt_clientid) { LOG(3, s, t, "DHCPv6: error no Client-ID\n"); @@ -416,8 +464,6 @@ void dhcpv6_process(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l) case DHCP6_RENEW: { - LOG(3, s, t, "..(Type %d = Renew)\n", p_mess_hdr->type); - if (!list_option.p_opt_clientid) { LOG(3, s, t, "DHCPv6: error no Client-ID\n"); @@ -448,8 +494,6 @@ void dhcpv6_process(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l) case DHCP6_INFORMATION_REQUEST: { - LOG(3, s, t, "..(Type %d = Information Request)\n", p_mess_hdr->type); - if (!list_option.p_opt_clientid) { LOG(3, s, t, "DHCPv6: error no Client-ID\n"); @@ -462,24 +506,20 @@ void dhcpv6_process(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l) case DHCP6_REBIND: { - LOG(3, s, t, "..(Type %d = Rebind)\n", p_mess_hdr->type); } break; case DHCP6_RELEASE: { - LOG(3, s, t, "..(Type %d = Release)\n", p_mess_hdr->type); } break; case DHCP6_DECLINE: { - LOG(3, s, t, "..(Type %d = Decline)\n", p_mess_hdr->type); } break; default: - LOG(3, s, t, "Got unknown DHCPv6 Type: %d\n", *(p + 38)); break; } diff --git a/icmp.c b/icmp.c index e458741..d03b60b 100644 --- a/icmp.c +++ b/icmp.c @@ -144,7 +144,13 @@ void send_ipv6_ra(sessionidt s, tunnelidt t, struct in6_addr *ip) pinfo->nd_opt_pi_preferred_time = htonl(604800); pinfo->nd_opt_pi_reserved2 = 0; pinfo->nd_opt_pi_prefix_len = 64; // prefix length - pinfo->nd_opt_pi_prefix = config->ipv6_prefix; + if (session[s].ipv6address.s6_addr[0]) + { + // MSB 64bits of assigned IPv6 address to user (see radius attribut Framed-IPv6-Address) + memcpy(&pinfo->nd_opt_pi_prefix, &session[s].ipv6address.s6_addr[0], 8); + } + else + pinfo->nd_opt_pi_prefix = config->ipv6_prefix; // // Length of payload (not header) p_ip6_hdr->ip6_plen = htons(sizeof(*pinfo) + sizeof(*p_nra)); diff --git a/l2tpns.c b/l2tpns.c index 5403364..5c887ec 100644 --- a/l2tpns.c +++ b/l2tpns.c @@ -99,7 +99,7 @@ union iphash ip_hash[256]; // Mapping from IP address to session structures. struct ipv6radix { sessionidt sess; struct ipv6radix *branch; -} ipv6_hash[256]; // Mapping from IPv6 address to session structures. +} ipv6_hash[16]; // Mapping from IPv6 address to session structures. // Traffic counters. static uint32_t udp_rx = 0, udp_rx_pkt = 0, udp_tx = 0; @@ -980,19 +980,24 @@ static sessionidt lookup_ipv6map(struct in6_addr ip) char ipv6addr[INET6_ADDRSTRLEN]; curnode = &ipv6_hash[ip.s6_addr[0]]; + curnode = &ipv6_hash[((ip.s6_addr[0]) & 0xF0)>>4]; i = 1; s = curnode->sess; - while (s == 0 && i < 15 && curnode->branch != NULL) + while (s == 0 && i < 32 && curnode->branch != NULL) { - curnode = &curnode->branch[ip.s6_addr[i]]; + if (i & 1) + curnode = &curnode->branch[ip.s6_addr[i>>1] & 0x0F]; + else + curnode = &curnode->branch[(ip.s6_addr[i>>1] & 0xF0)>>4]; + s = curnode->sess; i++; } LOG(4, s, session[s].tunnel, "Looking up address %s and got %d\n", - inet_ntop(AF_INET6, &ip, ipv6addr, - INET6_ADDRSTRLEN), + inet_ntop(AF_INET6, &ip, ipv6addr, + INET6_ADDRSTRLEN), s); return s; @@ -1033,6 +1038,19 @@ sessionidt sessionbyipv6(struct in6_addr ip) return 0; } +sessionidt sessionbyipv6new(struct in6_addr ip) +{ + sessionidt s; + CSTAT(sessionbyipv6new); + + s = lookup_ipv6map(ip); + + if (s > 0 && s < MAXSESSION && session[s].opened) + return s; + + return 0; +} + // // Take an IP address in HOST byte order and // add it to the sessionid by IP cache. @@ -1072,22 +1090,28 @@ static void uncache_ipmap(in_addr_t ip) static void cache_ipv6map(struct in6_addr ip, int prefixlen, sessionidt s) { int i; - int bytes; + int niblles; struct ipv6radix *curnode; char ipv6addr[INET6_ADDRSTRLEN]; - curnode = &ipv6_hash[ip.s6_addr[0]]; + curnode = &ipv6_hash[((ip.s6_addr[0]) & 0xF0)>>4]; - bytes = prefixlen >> 3; + niblles = prefixlen >> 2; i = 1; - while (i < bytes) { + + while (i < niblles) + { if (curnode->branch == NULL) { - if (!(curnode->branch = calloc(256, - sizeof (struct ipv6radix)))) + if (!(curnode->branch = calloc(16, sizeof (struct ipv6radix)))) return; } - curnode = &curnode->branch[ip.s6_addr[i]]; + + if (i & 1) + curnode = &curnode->branch[ip.s6_addr[i>>1] & 0x0F]; + else + curnode = &curnode->branch[(ip.s6_addr[i>>1] & 0xF0)>>4]; + i++; } @@ -1095,13 +1119,13 @@ static void cache_ipv6map(struct in6_addr ip, int prefixlen, sessionidt s) if (s > 0) LOG(4, s, session[s].tunnel, "Caching ip address %s/%d\n", - inet_ntop(AF_INET6, &ip, ipv6addr, - INET6_ADDRSTRLEN), + inet_ntop(AF_INET6, &ip, ipv6addr, + INET6_ADDRSTRLEN), prefixlen); else if (s == 0) LOG(4, 0, 0, "Un-caching ip address %s/%d\n", - inet_ntop(AF_INET6, &ip, ipv6addr, - INET6_ADDRSTRLEN), + inet_ntop(AF_INET6, &ip, ipv6addr, + INET6_ADDRSTRLEN), prefixlen); } @@ -1152,7 +1176,6 @@ int cmd_show_ipcache(struct cli_def *cli, const char *command, char **argv, int return CLI_OK; } - // Find session by username, 0 for not found // walled garden users aren't authenticated, so the username is // reasonably useless. Ignore them to avoid incorrect actions @@ -1714,7 +1737,6 @@ static void processipv6out(uint8_t * buf, int len) sessionidt s; sessiont *sp; tunnelidt t; - in_addr_t ip; struct in6_addr ip6; uint8_t *data = buf; // Keep a copy of the originals. @@ -1753,10 +1775,9 @@ static void processipv6out(uint8_t * buf, int len) if (s == 0) { - ip = *(uint32_t *)(buf + 32); - s = sessionbyip(ip); + s = sessionbyipv6new(ip6); } - + if (s == 0) { // Is this a packet for a session that doesn't exist? @@ -2150,8 +2171,11 @@ void sessionshutdown(sessionidt s, char const *reason, int cdn_result, int cdn_e free_ip_address(s); // unroute IPv6, if setup - if (session[s].ipv6route.s6_addr[0] && session[s].ipv6prefixlen && del_routes) - route6set(s, session[s].ipv6route, session[s].ipv6prefixlen, 0); + for (r = 0; r < MAXROUTE6 && session[s].route6[r].ipv6route.s6_addr[0] && session[s].route6[r].ipv6prefixlen; r++) + { + if (del_routes) route6set(s, session[s].route6[r].ipv6route, session[s].route6[r].ipv6prefixlen, 0); + memset(&session[s].route6[r], 0, sizeof(session[s].route6[r])); + } if (session[s].ipv6address.s6_addr[0] && del_routes) { @@ -2211,8 +2235,10 @@ void sessionshutdown(sessionidt s, char const *reason, int cdn_result, int cdn_e cache_ipmap(session[new_s].ip, new_s); // IPV6 route - if (session[new_s].ipv6prefixlen) - cache_ipv6map(session[new_s].ipv6route, session[new_s].ipv6prefixlen, new_s); + for (r = 0; r < MAXROUTE6 && session[new_s].route6[r].ipv6prefixlen; r++) + { + cache_ipv6map(session[new_s].route6[r].ipv6route, session[new_s].route6[r].ipv6prefixlen, new_s); + } if (session[new_s].ipv6address.s6_addr[0]) { @@ -5872,7 +5898,7 @@ int load_session(sessionidt s, sessiont *new) // needs update if (newip) { - int routed = 0; + int routed = 0; // remove old routes... for (i = 0; i < MAXROUTE && session[s].route[i].ip; i++) @@ -5896,8 +5922,10 @@ int load_session(sessionidt s, sessiont *new) } // remove old IPV6 routes... - if (session[s].ipv6route.s6_addr[0] && session[s].ipv6prefixlen) - route6set(s, session[s].ipv6route, session[s].ipv6prefixlen, 0); + for (i = 0; i < MAXROUTE6 && session[s].route6[i].ipv6route.s6_addr[0] && session[s].route6[i].ipv6prefixlen; i++) + { + route6set(s, session[s].route6[i].ipv6route, session[s].route6[i].ipv6prefixlen, 0); + } if (session[s].ipv6address.s6_addr[0]) { @@ -5930,8 +5958,10 @@ int load_session(sessionidt s, sessiont *new) } // check v6 routing - if (new->ipv6prefixlen && new->ppp.ipv6cp == Opened && session[s].ppp.ipv6cp != Opened) - route6set(s, new->ipv6route, new->ipv6prefixlen, 1); + for (i = 0; i < MAXROUTE6 && new->route6[i].ipv6prefixlen; i++) + { + route6set(s, new->route6[i].ipv6route, new->route6[i].ipv6prefixlen, 1); + } if (new->ipv6address.s6_addr[0] && new->ppp.ipv6cp == Opened && session[s].ppp.ipv6cp != Opened) { diff --git a/l2tpns.h b/l2tpns.h index 94784d2..a5a89f4 100644 --- a/l2tpns.h +++ b/l2tpns.h @@ -52,6 +52,7 @@ #define MAXPLUGINS 20 // maximum number of plugins to load #define MAXRADSERVER 10 // max radius servers #define MAXROUTE 10 // max static routes per session +#define MAXROUTE6 5 // max static Ipv6 routes per session #define MAXIPPOOL 131072 // max number of ip addresses in pool #define RINGBUFFER_SIZE 10000 // Number of ringbuffer entries to allocate #define MAX_LOG_LENGTH 512 // Maximum size of log message @@ -256,6 +257,14 @@ typedef struct // route } routet; +// structures +typedef struct // route +{ + struct in6_addr ipv6route; // Static IPv6 route + uint8_t ipv6prefixlen; // IPv6 route prefix length +} +routet6; + typedef struct controls // control message { struct controls *next; // next in queue @@ -333,14 +342,13 @@ typedef struct uint8_t walled_garden; // is this session gardened? uint8_t classlen; // class (needed for radius accounting messages) char class[MAXCLASS]; - uint8_t ipv6prefixlen; // IPv6 route prefix length - struct in6_addr ipv6route; // Static IPv6 route sessionidt forwardtosession; // LNS id_session to forward uint8_t src_hwaddr[ETH_ALEN]; // MAC addr source (for pppoe sessions 6 bytes) uint32_t dhcpv6_prefix_iaid; // prefix iaid requested by client uint32_t dhcpv6_iana_iaid; // iaid of iana requested by client struct in6_addr ipv6address; // Framed Ipv6 address struct dhcp6_opt_clientid dhcpv6_client_id; // Size max (headers + DUID) + routet6 route6[MAXROUTE6]; // static IPv6 routes char reserved[4]; // Space to expand structure without changing HB_VERSION } sessiont; @@ -638,6 +646,7 @@ struct Tstats uint32_t call_processudp; uint32_t call_sessionbyip; uint32_t call_sessionbyipv6; + uint32_t call_sessionbyipv6new; uint32_t call_sessionbyuser; uint32_t call_sendarp; uint32_t call_sendipcp; @@ -986,6 +995,7 @@ void send_ipv6_ra(sessionidt s, tunnelidt t, struct in6_addr *ip); void route6set(sessionidt s, struct in6_addr ip, int prefixlen, int add); sessionidt sessionbyip(in_addr_t ip); sessionidt sessionbyipv6(struct in6_addr ip); +sessionidt sessionbyipv6new(struct in6_addr ip); sessionidt sessionbyuser(char *username); void increment_counter(uint32_t *counter, uint32_t *wrap, uint32_t delta); void random_data(uint8_t *buf, int len); diff --git a/ppp.c b/ppp.c index 0259ab7..c4f9ab4 100644 --- a/ppp.c +++ b/ppp.c @@ -1481,11 +1481,14 @@ void processipcp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l) static void ipv6cp_open(sessionidt s, tunnelidt t) { + int i; LOG(3, s, t, "IPV6CP: Opened\n"); change_state(s, ipv6cp, Opened); - if (session[s].ipv6prefixlen) - route6set(s, session[s].ipv6route, session[s].ipv6prefixlen, 1); + for (i = 0; i < MAXROUTE6 && session[s].route6[i].ipv6prefixlen; i++) + { + route6set(s, session[s].route6[i].ipv6route, session[s].route6[i].ipv6prefixlen, 1); + } if (session[s].ipv6address.s6_addr[0]) { @@ -1579,8 +1582,16 @@ void processipv6cp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l) gotip++; // seen address if (o[1] != 10) return; - ident[0] = htonl(session[s].ip); - ident[1] = 0; + if (session[s].ipv6address.s6_addr[0]) + { + // LSB 64bits of assigned IPv6 address to user (see radius attribut Framed-IPv6-Address) + memcpy(&ident[0], &session[s].ipv6address.s6_addr[8], 8); + } + else + { + ident[0] = htonl(session[s].ip); + ident[1] = 0; + } if (memcmp(o + 2, ident, sizeof(ident))) { @@ -2253,7 +2264,18 @@ void processipv6in(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l) return; // no spoof - if ((ipv4 != session[s].ip || memcmp(&config->ipv6_prefix, &ip, 8)) && sessionbyipv6(ip) != s) + if (session[s].ipv6address.s6_addr[0]) + { + if ((sessionbyipv6new(ip) != s) && + (ip.s6_addr[0] != 0xFE || ip.s6_addr[1] != 0x80 || ip.s6_addr16[1] != 0 || ip.s6_addr16[2] != 0 || ip.s6_addr16[3] != 0)) + { + char str[INET6_ADDRSTRLEN]; + LOG(5, s, t, "Dropping packet with spoofed IP %s\n", + inet_ntop(AF_INET6, &ip, str, INET6_ADDRSTRLEN)); + return; + } + } + else if ((ipv4 != session[s].ip || memcmp(&config->ipv6_prefix, &ip, 8)) && sessionbyipv6(ip) != s) { char str[INET6_ADDRSTRLEN]; LOG(5, s, t, "Dropping packet with spoofed IP %s\n", diff --git a/radius.c b/radius.c index 53f28b0..134afe2 100644 --- a/radius.c +++ b/radius.c @@ -534,7 +534,8 @@ void processrad(uint8_t *buf, int len, char socket_index) sessionidt s; tunnelidt t = 0; hasht hash; - uint8_t routes = 0; + int routes = 0; + int routes6 = 0; int r_code; int r_id; int OpentunnelReq = 0; @@ -795,11 +796,17 @@ void processrad(uint8_t *buf, int len, char socket_index) if (prefixlen) { - LOG(3, s, session[s].tunnel, - " Radius reply contains route for %s/%d\n", - n, prefixlen); - session[s].ipv6route = r6; - session[s].ipv6prefixlen = prefixlen; + if (routes6 == MAXROUTE6) + { + LOG(1, s, session[s].tunnel, " Too many IPv6 routes\n"); + } + else + { + LOG(3, s, session[s].tunnel, " Radius reply contains route for %s/%d\n", n, prefixlen); + session[s].route6[routes6].ipv6route = r6; + session[s].route6[routes6].ipv6prefixlen = prefixlen; + routes6++; + } } } else if (*p == 123) @@ -808,10 +815,19 @@ void processrad(uint8_t *buf, int len, char socket_index) if ((p[1] > 4) && (p[3] > 0) && (p[3] <= 128)) { char ipv6addr[INET6_ADDRSTRLEN]; - memcpy(&session[s].ipv6route, &p[4], p[1] - 4); - session[s].ipv6prefixlen = p[3]; - LOG(3, s, session[s].tunnel, " Radius reply contains Delegated IPv6 Prefix %s/%d\n", - inet_ntop(AF_INET6, &session[s].ipv6route, ipv6addr, INET6_ADDRSTRLEN), session[s].ipv6prefixlen); + + if (routes6 == MAXROUTE6) + { + LOG(1, s, session[s].tunnel, " Too many IPv6 routes\n"); + } + else + { + memcpy(&session[s].route6[routes6].ipv6route, &p[4], p[1] - 4); + session[s].route6[routes6].ipv6prefixlen = p[3]; + LOG(3, s, session[s].tunnel, " Radius reply contains Delegated IPv6 Prefix %s/%d\n", + inet_ntop(AF_INET6, &session[s].route6[routes6].ipv6route, ipv6addr, INET6_ADDRSTRLEN), session[s].route6[routes6].ipv6prefixlen); + routes6++; + } } } else if (*p == 168)