udp: Connection tracking for ephemeral, local ports, and related fixes

As we support UDP forwarding for packets that are sent to local
ports, we actually need some kind of connection tracking for UDP.
While at it, this commit introduces a number of vaguely related fixes
for issues observed while trying this out. In detail:

- implement an explicit, albeit minimalistic, connection tracking
  for UDP, to allow usage of ephemeral ports by the guest and by
  the host at the same time, by binding them dynamically as needed,
  and to allow mapping address changes for packets with a loopback
  address as destination

- set the guest MAC address whenever we receive a packet from tap
  instead of waiting for an ARP request, and set it to broadcast on
  start, otherwise DHCPv6 might not work if all DHCPv6 requests time
  out before the guest starts talking IPv4

- split context IPv6 address into address we assign, global or site
  address seen on tap, and link-local address seen on tap, and make
  sure we use the addresses we've seen as destination (link-local
  choice depends on source address). Similarly, for IPv4, split into
  address we assign and address we observe, and use the address we
  observe as destination

- introduce a clock_gettime() syscall right after epoll_wait() wakes
  up, so that we can remove all the other ones and pass the current
  timestamp to tap and socket handlers -- this is additionally needed
  by UDP to time out bindings to ephemeral ports and mappings between
  loopback address and a local address

- rename sock_l4_add() to sock_l4(), no semantic changes intended

- include <arpa/inet.h> in passt.c before kernel headers so that we
  can use <netinet/in.h> macros to check IPv6 address types, and
  remove a duplicate <linux/ip.h> inclusion

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
This commit is contained in:
Stefano Brivio 2021-04-29 16:59:20 +02:00
parent 50bcddabc9
commit 605af213c5
14 changed files with 440 additions and 135 deletions

View file

@ -188,7 +188,8 @@ can't practically run on the host:
For IPv4, the guest is assigned, via DHCP, the same address as the upstream For IPv4, the guest is assigned, via DHCP, the same address as the upstream
interface of the host, and the same default gateway as the default gateway of interface of the host, and the same default gateway as the default gateway of
the host. Addresses are never translated. the host. Addresses are translated in case the guest is seen using a different
address from the assigned one.
For IPv6, the guest is assigned, via SLAAC, the same prefix as the upstream For IPv6, the guest is assigned, via SLAAC, the same prefix as the upstream
interface of the host, the same default route as the default route of the interface of the host, the same default route as the default route of the
@ -197,6 +198,12 @@ the upstream address of the host. This means that, with a DHCPv6 client on the
guest, addresses don't need to be translated. Should the client use a different guest, addresses don't need to be translated. Should the client use a different
address, the destination address is translated for packets going to the guest. address, the destination address is translated for packets going to the guest.
For UDP and TCP, for both IPv4 and IPv6, packets addressed to a loopback address
are forwarded to the guest with their source address changed to the address of
the gateway or first hop of the default route. This mapping is reversed as the
guest replies to those packets (on the same TCP connection, or using destination
port and address that were used as source for UDP).
## Protocols ## Protocols
_passt_ supports TCP, UDP and ICMP/ICMPv6 echo (requests and replies). More _passt_ supports TCP, UDP and ICMP/ICMPv6 echo (requests and replies). More
@ -209,9 +216,11 @@ An IGMP proxy is currently work in progress.
## Ports ## Ports
To avoid the need for explicit port mapping configuration, _passt_ binds to all To avoid the need for explicit port mapping configuration, _passt_ binds to all
unbound non-ephemeral (0-49152) TCP ports and all unbound (0-65536) UDP ports. unbound non-ephemeral (0-49152) TCP and UDP ports. Binding to low ports (0-1023)
Binding to low ports (0-1023) will fail without additional capabilities, and will fail without additional capabilities, and ports already bound (service
ports already bound (service proxies, etc.) will also not be used. proxies, etc.) will also not be used.
UDP ephemeral ports are bound dynamically, as the guest uses them.
Service proxies and other services running in the container need to be started Service proxies and other services running in the container need to be started
before _passt_ starts. before _passt_ starts.

2
arp.c
View file

@ -77,8 +77,6 @@ int arp(struct ctx *c, struct ethhdr *eh, size_t len)
len = sizeof(*eh) + sizeof(*ah) + sizeof(*am); len = sizeof(*eh) + sizeof(*ah) + sizeof(*am);
memcpy(eh->h_dest, eh->h_source, ETH_ALEN); memcpy(eh->h_dest, eh->h_source, ETH_ALEN);
/* HACK */
memcpy(c->mac_guest, eh->h_source, ETH_ALEN);
memcpy(eh->h_source, c->mac, ETH_ALEN); memcpy(eh->h_source, c->mac, ETH_ALEN);
if (tap_send(c->fd_unix, eh, len, 0) < 0) if (tap_send(c->fd_unix, eh, len, 0) < 0)

View file

@ -383,7 +383,7 @@ int dhcpv6(struct ctx *c, struct ethhdr *eh, size_t len)
mlen < sizeof(struct msg_hdr)) mlen < sizeof(struct msg_hdr))
return -1; return -1;
c->addr6_guest = ip6h->saddr; c->addr6_ll_seen = ip6h->saddr;
mh = (struct msg_hdr *)(uh + 1); mh = (struct msg_hdr *)(uh + 1);
mlen -= sizeof(struct msg_hdr); mlen -= sizeof(struct msg_hdr);
@ -483,6 +483,7 @@ int dhcpv6(struct ctx *c, struct ethhdr *eh, size_t len)
resp.hdr.xid = mh->xid; resp.hdr.xid = mh->xid;
tap_ip_send(c, &c->gw6, IPPROTO_UDP, (char *)&resp, n); tap_ip_send(c, &c->gw6, IPPROTO_UDP, (char *)&resp, n);
c->addr6_seen = c->addr6;
return 1; return 1;
} }

13
icmp.c
View file

@ -38,8 +38,10 @@
* @c: Execution context * @c: Execution context
* @s: File descriptor number for socket * @s: File descriptor number for socket
* @events: epoll events bitmap * @events: epoll events bitmap
* @now: Current timestamp, unused
*/ */
void icmp_sock_handler(struct ctx *c, int s, uint32_t events) void icmp_sock_handler(struct ctx *c, int s, uint32_t events,
struct timespec *now)
{ {
struct in6_addr a6 = { .s6_addr = { 0, 0, 0, 0, struct in6_addr a6 = { .s6_addr = { 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0,
@ -51,6 +53,7 @@ void icmp_sock_handler(struct ctx *c, int s, uint32_t events)
ssize_t n; ssize_t n;
(void)events; (void)events;
(void)now;
n = recvfrom(s, buf, sizeof(buf), MSG_DONTWAIT, n = recvfrom(s, buf, sizeof(buf), MSG_DONTWAIT,
(struct sockaddr *)&sr, &slen); (struct sockaddr *)&sr, &slen);
@ -79,13 +82,15 @@ void icmp_sock_handler(struct ctx *c, int s, uint32_t events)
* @af: Address family, AF_INET or AF_INET6 * @af: Address family, AF_INET or AF_INET6
* @msg: Input message * @msg: Input message
* @count: Message count (always 1 for ICMP) * @count: Message count (always 1 for ICMP)
* @now: Current timestamp, unused
* *
* Return: count of consumed packets (always 1, even if malformed) * Return: count of consumed packets (always 1, even if malformed)
*/ */
int icmp_tap_handler(struct ctx *c, int af, void *addr, int icmp_tap_handler(struct ctx *c, int af, void *addr,
struct tap_msg *msg, int count) struct tap_msg *msg, int count, struct timespec *now)
{ {
(void)count; (void)count;
(void)now;
if (af == AF_INET) { if (af == AF_INET) {
struct icmphdr *ih = (struct icmphdr *)msg[0].l4h; struct icmphdr *ih = (struct icmphdr *)msg[0].l4h;
@ -138,10 +143,10 @@ int icmp_sock_init(struct ctx *c)
c->icmp.fd_min = INT_MAX; c->icmp.fd_min = INT_MAX;
c->icmp.fd_max = 0; c->icmp.fd_max = 0;
if (c->v4 && (c->icmp.s4 = sock_l4_add(c, 4, IPPROTO_ICMP, 0)) < 0) if (c->v4 && (c->icmp.s4 = sock_l4(c, AF_INET, IPPROTO_ICMP, 0)) < 0)
return -1; return -1;
if (c->v6 && (c->icmp.s6 = sock_l4_add(c, 6, IPPROTO_ICMPV6, 0)) < 0) if (c->v6 && (c->icmp.s6 = sock_l4(c, AF_INET6, IPPROTO_ICMPV6, 0)) < 0)
return -1; return -1;
return 0; return 0;

5
icmp.h
View file

@ -3,9 +3,10 @@
struct ctx; struct ctx;
void icmp_sock_handler(struct ctx *c, int s, uint32_t events); void icmp_sock_handler(struct ctx *c, int s, uint32_t events,
struct timespec *now);
int icmp_tap_handler(struct ctx *c, int af, void *addr, int icmp_tap_handler(struct ctx *c, int af, void *addr,
struct tap_msg *msg, int count); struct tap_msg *msg, int count, struct timespec *now);
int icmp_sock_init(struct ctx *c); int icmp_sock_init(struct ctx *c);
/** /**

100
passt.c
View file

@ -24,6 +24,7 @@
#include <ifaddrs.h> #include <ifaddrs.h>
#include <linux/if_ether.h> #include <linux/if_ether.h>
#include <linux/if_packet.h> #include <linux/if_packet.h>
#include <arpa/inet.h>
#include <linux/ip.h> #include <linux/ip.h>
#include <linux/ipv6.h> #include <linux/ipv6.h>
#include <linux/tcp.h> #include <linux/tcp.h>
@ -33,12 +34,10 @@
#include <net/ethernet.h> #include <net/ethernet.h>
#include <stdlib.h> #include <stdlib.h>
#include <unistd.h> #include <unistd.h>
#include <arpa/inet.h>
#include <net/if.h> #include <net/if.h>
#include <netdb.h> #include <netdb.h>
#include <string.h> #include <string.h>
#include <errno.h> #include <errno.h>
#include <linux/ip.h>
#include <linux/netlink.h> #include <linux/netlink.h>
#include <linux/rtnetlink.h> #include <linux/rtnetlink.h>
#include <time.h> #include <time.h>
@ -61,7 +60,7 @@
#define TAP_BUF_FILL (TAP_BUF_BYTES - ETH_MAX_MTU - sizeof(uint32_t)) #define TAP_BUF_FILL (TAP_BUF_BYTES - ETH_MAX_MTU - sizeof(uint32_t))
#define TAP_MSGS (TAP_BUF_BYTES / sizeof(struct ethhdr) + 1) #define TAP_MSGS (TAP_BUF_BYTES / sizeof(struct ethhdr) + 1)
#define TIMER_INTERVAL 20 /* ms, for protocol periodic handlers */ #define TIMER_INTERVAL MIN(TCP_TIMER_INTERVAL, UDP_TIMER_INTERVAL)
/** /**
* sock_unix() - Create and bind AF_UNIX socket, add to epoll list * sock_unix() - Create and bind AF_UNIX socket, add to epoll list
@ -232,7 +231,7 @@ static void get_addrs(struct ctx *c)
if (ifa->ifa_addr->sa_family == AF_INET && !v4) { if (ifa->ifa_addr->sa_family == AF_INET && !v4) {
in_addr = (struct sockaddr_in *)ifa->ifa_addr; in_addr = (struct sockaddr_in *)ifa->ifa_addr;
c->addr4 = in_addr->sin_addr.s_addr; c->addr4_seen = c->addr4 = in_addr->sin_addr.s_addr;
in_addr = (struct sockaddr_in *)ifa->ifa_netmask; in_addr = (struct sockaddr_in *)ifa->ifa_netmask;
c->mask4 = in_addr->sin_addr.s_addr; c->mask4 = in_addr->sin_addr.s_addr;
v4 = 1; v4 = 1;
@ -240,6 +239,10 @@ static void get_addrs(struct ctx *c)
in6_addr = (struct sockaddr_in6 *)ifa->ifa_addr; in6_addr = (struct sockaddr_in6 *)ifa->ifa_addr;
memcpy(&c->addr6, &in6_addr->sin6_addr, memcpy(&c->addr6, &in6_addr->sin6_addr,
sizeof(c->addr6)); sizeof(c->addr6));
memcpy(&c->addr6_seen, &in6_addr->sin6_addr,
sizeof(c->addr6_seen));
memcpy(&c->addr6_ll_seen, &in6_addr->sin6_addr,
sizeof(c->addr6_seen));
v6 = 1; v6 = 1;
} }
@ -310,10 +313,12 @@ static void get_dns(struct ctx *c)
* @c: Execution context * @c: Execution context
* @msg: Array of messages with the same L3 protocol * @msg: Array of messages with the same L3 protocol
* @count: Count of messages with the same L3 protocol * @count: Count of messages with the same L3 protocol
* @now: Current timestamp
* *
* Return: count of packets consumed by handlers * Return: count of packets consumed by handlers
*/ */
static int tap4_handler(struct ctx *c, struct tap_msg *msg, size_t count) static int tap4_handler(struct ctx *c, struct tap_msg *msg, size_t count,
struct timespec *now)
{ {
char buf_s[INET_ADDRSTRLEN] __attribute((__unused__)); char buf_s[INET_ADDRSTRLEN] __attribute((__unused__));
char buf_d[INET_ADDRSTRLEN] __attribute((__unused__)); char buf_d[INET_ADDRSTRLEN] __attribute((__unused__));
@ -342,6 +347,8 @@ static int tap4_handler(struct ctx *c, struct tap_msg *msg, size_t count)
iph = (struct iphdr *)(eh + 1); iph = (struct iphdr *)(eh + 1);
l4h = (char *)iph + iph->ihl * 4; l4h = (char *)iph + iph->ihl * 4;
c->addr4_seen = iph->saddr;
msg[i].l4h = l4h; msg[i].l4h = l4h;
msg[i].l4_len = len - ((intptr_t)l4h - (intptr_t)eh); msg[i].l4_len = len - ((intptr_t)l4h - (intptr_t)eh);
@ -397,13 +404,13 @@ static int tap4_handler(struct ctx *c, struct tap_msg *msg, size_t count)
} }
if (iph->protocol == IPPROTO_TCP) if (iph->protocol == IPPROTO_TCP)
return tcp_tap_handler(c, AF_INET, &iph->daddr, msg, i); return tcp_tap_handler(c, AF_INET, &iph->daddr, msg, i, now);
if (iph->protocol == IPPROTO_UDP) if (iph->protocol == IPPROTO_UDP)
return udp_tap_handler(c, AF_INET, &iph->daddr, msg, i); return udp_tap_handler(c, AF_INET, &iph->daddr, msg, i, now);
if (iph->protocol == IPPROTO_ICMP) if (iph->protocol == IPPROTO_ICMP)
icmp_tap_handler(c, AF_INET, &iph->daddr, msg, 1); icmp_tap_handler(c, AF_INET, &iph->daddr, msg, 1, now);
return 1; return 1;
} }
@ -413,8 +420,10 @@ static int tap4_handler(struct ctx *c, struct tap_msg *msg, size_t count)
* @c: Execution context * @c: Execution context
* @msg: Array of messages with the same L3 protocol * @msg: Array of messages with the same L3 protocol
* @count: Count of messages with the same L3 protocol * @count: Count of messages with the same L3 protocol
* @now: Current timestamp
*/ */
static int tap6_handler(struct ctx *c, struct tap_msg *msg, size_t count) static int tap6_handler(struct ctx *c, struct tap_msg *msg, size_t count,
struct timespec *now)
{ {
char buf_s[INET6_ADDRSTRLEN] __attribute((__unused__)); char buf_s[INET6_ADDRSTRLEN] __attribute((__unused__));
char buf_d[INET6_ADDRSTRLEN] __attribute((__unused__)); char buf_d[INET6_ADDRSTRLEN] __attribute((__unused__));
@ -449,7 +458,11 @@ static int tap6_handler(struct ctx *c, struct tap_msg *msg, size_t count)
msg[i].l4h = l4h; msg[i].l4h = l4h;
msg[i].l4_len = len - ((intptr_t)l4h - (intptr_t)eh); msg[i].l4_len = len - ((intptr_t)l4h - (intptr_t)eh);
c->addr6_guest = ip6h->saddr; if (IN6_IS_ADDR_LINKLOCAL(&ip6h->saddr))
c->addr6_ll_seen = ip6h->saddr;
else
c->addr6_seen = ip6h->saddr;
ip6h->saddr = c->addr6; ip6h->saddr = c->addr6;
if (proto != IPPROTO_TCP && proto != IPPROTO_UDP) if (proto != IPPROTO_TCP && proto != IPPROTO_UDP)
@ -506,13 +519,13 @@ static int tap6_handler(struct ctx *c, struct tap_msg *msg, size_t count)
} }
if (proto == IPPROTO_TCP) if (proto == IPPROTO_TCP)
return tcp_tap_handler(c, AF_INET6, &ip6h->daddr, msg, i); return tcp_tap_handler(c, AF_INET6, &ip6h->daddr, msg, i, now);
if (proto == IPPROTO_UDP) if (proto == IPPROTO_UDP)
return udp_tap_handler(c, AF_INET6, &ip6h->daddr, msg, i); return udp_tap_handler(c, AF_INET6, &ip6h->daddr, msg, i, now);
if (proto == IPPROTO_ICMPV6) if (proto == IPPROTO_ICMPV6)
icmp_tap_handler(c, AF_INET6, &ip6h->daddr, msg, 1); icmp_tap_handler(c, AF_INET6, &ip6h->daddr, msg, 1, now);
return 1; return 1;
} }
@ -522,10 +535,11 @@ static char tap_buf[TAP_BUF_BYTES];
/** /**
* tap_handler() - Packet handler for tap file descriptor * tap_handler() - Packet handler for tap file descriptor
* @c: Execution context * @c: Execution context
* @now: Current timestamp
* *
* Return: -ECONNRESET if tap connection was lost, 0 otherwise * Return: -ECONNRESET if tap connection was lost, 0 otherwise
*/ */
static int tap_handler(struct ctx *c) static int tap_handler(struct ctx *c, struct timespec *now)
{ {
struct tap_msg msg[TAP_MSGS]; struct tap_msg msg[TAP_MSGS];
int msg_count, same, i; int msg_count, same, i;
@ -563,9 +577,12 @@ static int tap_handler(struct ctx *c)
i = 0; i = 0;
while (i < msg_count) { while (i < msg_count) {
eh = (struct ethhdr *)msg[i].start; eh = (struct ethhdr *)msg[i].start;
memcpy(c->mac_guest, eh->h_source, ETH_ALEN);
switch (ntohs(eh->h_proto)) { switch (ntohs(eh->h_proto)) {
case ETH_P_ARP: case ETH_P_ARP:
tap4_handler(c, msg + i, 1); tap4_handler(c, msg + i, 1, now);
i++; i++;
break; break;
case ETH_P_IP: case ETH_P_IP:
@ -578,7 +595,7 @@ static int tap_handler(struct ctx *c)
break; break;
} }
i += tap4_handler(c, msg + i, same); i += tap4_handler(c, msg + i, same, now);
break; break;
case ETH_P_IPV6: case ETH_P_IPV6:
for (same = 1; i + same < msg_count && for (same = 1; i + same < msg_count &&
@ -590,7 +607,7 @@ static int tap_handler(struct ctx *c)
break; break;
} }
i += tap6_handler(c, msg + i, same); i += tap6_handler(c, msg + i, same, now);
break; break;
default: default:
i++; i++;
@ -614,9 +631,11 @@ static int tap_handler(struct ctx *c)
* sock_handler() - Event handler for L4 sockets * sock_handler() - Event handler for L4 sockets
* @c: Execution context * @c: Execution context
* @s: Socket associated to event * @s: Socket associated to event
* @events epoll events * @events: epoll events
* @now: Current timestamp
*/ */
static void sock_handler(struct ctx *c, int s, uint32_t events) static void sock_handler(struct ctx *c, int s, uint32_t events,
struct timespec *now)
{ {
socklen_t sl; socklen_t sl;
int proto; int proto;
@ -641,29 +660,29 @@ static void sock_handler(struct ctx *c, int s, uint32_t events)
debug("%s: packet from socket %i", getprotobynumber(proto)->p_name, s); debug("%s: packet from socket %i", getprotobynumber(proto)->p_name, s);
if (proto == IPPROTO_ICMP || proto == IPPROTO_ICMPV6) if (proto == IPPROTO_ICMP || proto == IPPROTO_ICMPV6)
icmp_sock_handler(c, s, events); icmp_sock_handler(c, s, events, now);
else if (proto == IPPROTO_TCP) else if (proto == IPPROTO_TCP)
tcp_sock_handler(c, s, events); tcp_sock_handler(c, s, events, now);
else if (proto == IPPROTO_UDP) else if (proto == IPPROTO_UDP)
udp_sock_handler(c, s, events); udp_sock_handler(c, s, events, now);
} }
/** /**
* timer_handler() - Run periodic tasks for L4 protocol handlers * timer_handler() - Run periodic tasks for L4 protocol handlers
* @c: Execution context * @c: Execution context
* @last: Timestamp of last run, updated on return * @now: Current timestamp
*/ */
static void timer_handler(struct ctx *c, struct timespec *last) static void timer_handler(struct ctx *c, struct timespec *now)
{ {
struct timespec tmp; if (timespec_diff_ms(now, &c->tcp.timer_run) >= TCP_TIMER_INTERVAL) {
tcp_timer(c, now);
c->tcp.timer_run = *now;
}
clock_gettime(CLOCK_MONOTONIC, &tmp); if (timespec_diff_ms(now, &c->udp.timer_run) >= UDP_TIMER_INTERVAL) {
if (timespec_diff_ms(&tmp, last) < TIMER_INTERVAL) udp_timer(c, now);
return; c->udp.timer_run = *now;
}
tcp_timer(c, &tmp);
*last = tmp;
} }
/** /**
@ -690,15 +709,15 @@ int main(int argc, char **argv)
char buf6[3][INET6_ADDRSTRLEN]; char buf6[3][INET6_ADDRSTRLEN];
char buf4[4][INET_ADDRSTRLEN]; char buf4[4][INET_ADDRSTRLEN];
struct epoll_event ev = { 0 }; struct epoll_event ev = { 0 };
struct timespec last_time;
struct ctx c = { 0 }; struct ctx c = { 0 };
int nfds, i, fd_unix; int nfds, i, fd_unix;
struct rlimit limit; struct rlimit limit;
struct timespec now;
if (argc != 1) if (argc != 1)
usage(argv[0]); usage(argv[0]);
if (clock_gettime(CLOCK_MONOTONIC, &last_time)) { if (clock_gettime(CLOCK_MONOTONIC, &now)) {
perror("clock_gettime"); perror("clock_gettime");
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
@ -741,6 +760,8 @@ int main(int argc, char **argv)
if (c.v6) if (c.v6)
dhcpv6_init(&c); dhcpv6_init(&c);
memset(&c.mac_guest, 0xff, sizeof(c.mac_guest));
if (c.v4) { if (c.v4) {
info("ARP:"); info("ARP:");
info(" address: %02x:%02x:%02x:%02x:%02x:%02x from %s", info(" address: %02x:%02x:%02x:%02x:%02x:%02x from %s",
@ -781,8 +802,6 @@ listen:
ev.data.fd = c.fd_unix; ev.data.fd = c.fd_unix;
epoll_ctl(c.epollfd, EPOLL_CTL_ADD, c.fd_unix, &ev); epoll_ctl(c.epollfd, EPOLL_CTL_ADD, c.fd_unix, &ev);
clock_gettime(CLOCK_MONOTONIC, &last_time);
loop: loop:
nfds = epoll_wait(c.epollfd, events, EPOLL_EVENTS, TIMER_INTERVAL); nfds = epoll_wait(c.epollfd, events, EPOLL_EVENTS, TIMER_INTERVAL);
if (nfds == -1 && errno != EINTR) { if (nfds == -1 && errno != EINTR) {
@ -790,19 +809,22 @@ loop:
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
clock_gettime(CLOCK_MONOTONIC, &now);
for (i = 0; i < nfds; i++) { for (i = 0; i < nfds; i++) {
if (events[i].data.fd == c.fd_unix) { if (events[i].data.fd == c.fd_unix) {
if (events[i].events & EPOLLRDHUP || if (events[i].events & EPOLLRDHUP ||
events[i].events & EPOLLHUP || events[i].events & EPOLLHUP ||
events[i].events & EPOLLERR || events[i].events & EPOLLERR ||
tap_handler(&c)) tap_handler(&c, &now))
goto listen; goto listen;
} else { } else {
sock_handler(&c, events[i].data.fd, events[i].events); sock_handler(&c, events[i].data.fd, events[i].events,
&now);
} }
} }
timer_handler(&c, &last_time); timer_handler(&c, &now);
goto loop; goto loop;

View file

@ -26,11 +26,14 @@ struct tap_msg {
* @mac: Host MAC address * @mac: Host MAC address
* @mac_guest: Guest MAC address * @mac_guest: Guest MAC address
* @addr4: IPv4 address for external, routable interface * @addr4: IPv4 address for external, routable interface
* @addr4_seen: Latest IPv4 address seen as source from tap
* @mask4: IPv4 netmask, network order * @mask4: IPv4 netmask, network order
* @gw4: Default IPv4 gateway, network order * @gw4: Default IPv4 gateway, network order
* @dns4: IPv4 DNS address, network order * @dns4: IPv4 DNS address, network order
* @v6: Enable IPv6 transport * @v6: Enable IPv6 transport
* @addr6: IPv6 address for external, routable interface * @addr6: IPv6 address for external, routable interface
* @addr6_seen: Latest IPv6 global/site address seen as source from tap
* @addr6_ll_seen: Latest IPv6 link-local address seen as source from tap
* @gw6: Default IPv6 gateway * @gw6: Default IPv6 gateway
* @dns4: IPv6 DNS address * @dns4: IPv6 DNS address
* @ifn: Name of routable interface * @ifn: Name of routable interface
@ -43,13 +46,15 @@ struct ctx {
int v4; int v4;
uint32_t addr4; uint32_t addr4;
uint32_t addr4_seen;
uint32_t mask4; uint32_t mask4;
uint32_t gw4; uint32_t gw4;
uint32_t dns4; uint32_t dns4;
int v6; int v6;
struct in6_addr addr6; struct in6_addr addr6;
struct in6_addr addr6_guest; struct in6_addr addr6_seen;
struct in6_addr addr6_ll_seen;
struct in6_addr gw6; struct in6_addr gw6;
struct in6_addr dns6; struct in6_addr dns6;

7
tap.c
View file

@ -76,7 +76,7 @@ void tap_ip_send(struct ctx *c, struct in6_addr *src, uint8_t proto,
iph->frag_off = 0; iph->frag_off = 0;
iph->ttl = 255; iph->ttl = 255;
iph->protocol = proto; iph->protocol = proto;
iph->daddr = c->addr4; iph->daddr = c->addr4_seen;
memcpy(&iph->saddr, &src->s6_addr[12], 4); memcpy(&iph->saddr, &src->s6_addr[12], 4);
iph->check = 0; iph->check = 0;
@ -104,7 +104,10 @@ void tap_ip_send(struct ctx *c, struct in6_addr *src, uint8_t proto,
ip6h->priority = 0; ip6h->priority = 0;
ip6h->saddr = *src; ip6h->saddr = *src;
ip6h->daddr = c->addr6_guest; if (IN6_IS_ADDR_LINKLOCAL(src))
ip6h->daddr = c->addr6_ll_seen;
else
ip6h->daddr = c->addr6_seen;
memcpy(data, in, len); memcpy(data, in, len);

72
tcp.c
View file

@ -846,17 +846,16 @@ static void tcp_clamp_window(int s, struct tcphdr *th, int len, int init)
* @addr: Remote address, pointer to sin_addr or sin6_addr * @addr: Remote address, pointer to sin_addr or sin6_addr
* @dstport: Destination port, connection-wise, network order * @dstport: Destination port, connection-wise, network order
* @srcport: Source port, connection-wise, network order * @srcport: Source port, connection-wise, network order
* @now: Current timestamp
* *
* Return: initial TCP sequence * Return: initial TCP sequence
*/ */
static uint32_t tcp_seq_init(struct ctx *c, int af, void *addr, static uint32_t tcp_seq_init(struct ctx *c, int af, void *addr,
in_port_t dstport, in_port_t srcport) in_port_t dstport, in_port_t srcport,
struct timespec *now)
{ {
struct timespec ts = { 0 };
uint32_t ns, seq = 0; uint32_t ns, seq = 0;
clock_gettime(CLOCK_MONOTONIC, &ts);
if (af == AF_INET) { if (af == AF_INET) {
struct { struct {
struct in_addr src; struct in_addr src;
@ -887,8 +886,8 @@ static uint32_t tcp_seq_init(struct ctx *c, int af, void *addr,
seq = siphash_36b((uint8_t *)&in, c->tcp.hash_secret); seq = siphash_36b((uint8_t *)&in, c->tcp.hash_secret);
} }
ns = ts.tv_sec * 1E9; ns = now->tv_sec * 1E9;
ns += ts.tv_nsec >> 5; /* 32ns ticks, overflows 32 bits every 137s */ ns += now->tv_nsec >> 5; /* 32ns ticks, overflows 32 bits every 137s */
return seq + ns; return seq + ns;
} }
@ -900,9 +899,11 @@ static uint32_t tcp_seq_init(struct ctx *c, int af, void *addr,
* @addr: Remote address, pointer to sin_addr or sin6_addr * @addr: Remote address, pointer to sin_addr or sin6_addr
* @th: TCP header from tap * @th: TCP header from tap
* @len: Packet length at L4 * @len: Packet length at L4
* @now: Current timestamp
*/ */
static void tcp_conn_from_tap(struct ctx *c, int af, void *addr, static void tcp_conn_from_tap(struct ctx *c, int af, void *addr,
struct tcphdr *th, size_t len) struct tcphdr *th, size_t len,
struct timespec *now)
{ {
struct sockaddr_in addr4 = { struct sockaddr_in addr4 = {
.sin_family = AF_INET, .sin_family = AF_INET,
@ -948,9 +949,7 @@ static void tcp_conn_from_tap(struct ctx *c, int af, void *addr,
tc[s].sock_port = th->dest; tc[s].sock_port = th->dest;
tc[s].tap_port = th->source; tc[s].tap_port = th->source;
clock_gettime(CLOCK_MONOTONIC, &tc[s].ts_sock); tc[s].ts_sock = tc[s].ts_tap = tc[s].ts_ack_tap = *now;
clock_gettime(CLOCK_MONOTONIC, &tc[s].ts_tap);
clock_gettime(CLOCK_MONOTONIC, &tc[s].ts_ack_tap);
tcp_act_set(s); tcp_act_set(s);
@ -961,7 +960,7 @@ static void tcp_conn_from_tap(struct ctx *c, int af, void *addr,
tc[s].seq_from_tap = tc[s].seq_init_from_tap + 1; tc[s].seq_from_tap = tc[s].seq_init_from_tap + 1;
tc[s].seq_ack_to_tap = tc[s].seq_from_tap; tc[s].seq_ack_to_tap = tc[s].seq_from_tap;
tc[s].seq_to_tap = tcp_seq_init(c, af, addr, th->dest, th->source); tc[s].seq_to_tap = tcp_seq_init(c, af, addr, th->dest, th->source, now);
tc[s].seq_ack_from_tap = tc[s].seq_to_tap + 1; tc[s].seq_ack_from_tap = tc[s].seq_to_tap + 1;
tcp_sock_hash_insert(c, s, af, addr, th->source, th->dest); tcp_sock_hash_insert(c, s, af, addr, th->source, th->dest);
@ -988,8 +987,9 @@ static void tcp_conn_from_tap(struct ctx *c, int af, void *addr,
* tcp_conn_from_sock() - Handle new connection request from listening socket * tcp_conn_from_sock() - Handle new connection request from listening socket
* @c: Execution context * @c: Execution context
* @fd: File descriptor number for listening socket * @fd: File descriptor number for listening socket
* @now: Current timestamp
*/ */
static void tcp_conn_from_sock(struct ctx *c, int fd) static void tcp_conn_from_sock(struct ctx *c, int fd, struct timespec *now)
{ {
struct sockaddr_storage sa_r, sa_l; struct sockaddr_storage sa_r, sa_l;
socklen_t sa_len = sizeof(sa_l); socklen_t sa_len = sizeof(sa_l);
@ -1023,7 +1023,8 @@ static void tcp_conn_from_sock(struct ctx *c, int fd)
tc[s].seq_to_tap = tcp_seq_init(c, AF_INET, &sa4->sin_addr, tc[s].seq_to_tap = tcp_seq_init(c, AF_INET, &sa4->sin_addr,
tc[s].sock_port, tc[s].sock_port,
tc[s].tap_port); tc[s].tap_port,
now);
tcp_sock_hash_insert(c, s, AF_INET, &sa4->sin_addr, tcp_sock_hash_insert(c, s, AF_INET, &sa4->sin_addr,
tc[s].tap_port, tc[s].sock_port); tc[s].tap_port, tc[s].sock_port);
@ -1040,7 +1041,8 @@ static void tcp_conn_from_sock(struct ctx *c, int fd)
tc[s].seq_to_tap = tcp_seq_init(c, AF_INET6, &sa6->sin6_addr, tc[s].seq_to_tap = tcp_seq_init(c, AF_INET6, &sa6->sin6_addr,
tc[s].sock_port, tc[s].sock_port,
tc[s].tap_port); tc[s].tap_port,
now);
tcp_sock_hash_insert(c, s, AF_INET6, &sa6->sin6_addr, tcp_sock_hash_insert(c, s, AF_INET6, &sa6->sin6_addr,
tc[s].tap_port, tc[s].sock_port); tc[s].tap_port, tc[s].sock_port);
@ -1051,9 +1053,7 @@ static void tcp_conn_from_sock(struct ctx *c, int fd)
tc[s].tap_window = WINDOW_DEFAULT; tc[s].tap_window = WINDOW_DEFAULT;
tc[s].ws_allowed = 1; tc[s].ws_allowed = 1;
clock_gettime(CLOCK_MONOTONIC, &tc[s].ts_sock); tc[s].ts_sock = tc[s].ts_tap = tc[s].ts_ack_tap = *now;
clock_gettime(CLOCK_MONOTONIC, &tc[s].ts_tap);
clock_gettime(CLOCK_MONOTONIC, &tc[s].ts_ack_tap);
tcp_act_set(s); tcp_act_set(s);
@ -1143,10 +1143,11 @@ static void tcp_sock_consume(int s, uint32_t ack_seq)
* tcp_data_from_sock() - Handle new data from socket, queue to tap, in window * tcp_data_from_sock() - Handle new data from socket, queue to tap, in window
* @c: Execution context * @c: Execution context
* @s: File descriptor number for socket * @s: File descriptor number for socket
* @now: Current timestamp
* *
* Return: negative on connection reset, 1 on pending data, 0 otherwise * Return: negative on connection reset, 1 on pending data, 0 otherwise
*/ */
static int tcp_data_from_sock(struct ctx *c, int s) static int tcp_data_from_sock(struct ctx *c, int s, struct timespec *now)
{ {
int len, err, offset, left, send; int len, err, offset, left, send;
@ -1188,7 +1189,7 @@ static int tcp_data_from_sock(struct ctx *c, int s)
} }
out: out:
clock_gettime(CLOCK_MONOTONIC, &tc[s].ts_sock); tc[s].ts_sock = *now;
return !!left; return !!left;
} }
@ -1199,11 +1200,12 @@ out:
* @af: Address family, AF_INET or AF_INET6 * @af: Address family, AF_INET or AF_INET6
* @msg: Input messages * @msg: Input messages
* @count: Message count * @count: Message count
* @now: Current timestamp
* *
* Return: count of consumed packets * Return: count of consumed packets
*/ */
int tcp_tap_handler(struct ctx *c, int af, void *addr, int tcp_tap_handler(struct ctx *c, int af, void *addr,
struct tap_msg *msg, int count) struct tap_msg *msg, int count, struct timespec *now)
{ {
/* TODO: Implement message batching for TCP */ /* TODO: Implement message batching for TCP */
struct tcphdr *th = (struct tcphdr *)msg[0].l4h; struct tcphdr *th = (struct tcphdr *)msg[0].l4h;
@ -1224,7 +1226,7 @@ int tcp_tap_handler(struct ctx *c, int af, void *addr,
if ((s = tcp_sock_hash_lookup(c, af, addr, th->source, th->dest)) < 0) { if ((s = tcp_sock_hash_lookup(c, af, addr, th->source, th->dest)) < 0) {
if (th->syn) if (th->syn)
tcp_conn_from_tap(c, af, addr, th, len); tcp_conn_from_tap(c, af, addr, th, len, now);
return 1; return 1;
} }
@ -1235,7 +1237,7 @@ int tcp_tap_handler(struct ctx *c, int af, void *addr,
tcp_clamp_window(s, th, len, th->syn && th->ack); tcp_clamp_window(s, th, len, th->syn && th->ack);
clock_gettime(CLOCK_MONOTONIC, &tc[s].ts_tap); tc[s].ts_tap = *now;
if (ntohl(th->seq) < tc[s].seq_from_tap) if (ntohl(th->seq) < tc[s].seq_from_tap)
skip = tc[s].seq_from_tap - ntohl(th->seq); skip = tc[s].seq_from_tap - ntohl(th->seq);
@ -1275,7 +1277,7 @@ int tcp_tap_handler(struct ctx *c, int af, void *addr,
/* The client might have sent data already, which we didn't /* The client might have sent data already, which we didn't
* dequeue waiting for SYN,ACK from tap -- check now. * dequeue waiting for SYN,ACK from tap -- check now.
*/ */
tcp_data_from_sock(c, s); tcp_data_from_sock(c, s, now);
ev.events = EPOLLIN | EPOLLET | EPOLLRDHUP | EPOLLHUP; ev.events = EPOLLIN | EPOLLET | EPOLLRDHUP | EPOLLHUP;
ev.data.fd = s; ev.data.fd = s;
@ -1298,7 +1300,7 @@ int tcp_tap_handler(struct ctx *c, int af, void *addr,
break; break;
case ESTABLISHED: case ESTABLISHED:
case ESTABLISHED_SOCK_FIN: case ESTABLISHED_SOCK_FIN:
clock_gettime(CLOCK_MONOTONIC, &tc[s].ts_ack_tap); tc[s].ts_ack_tap = *now;
if (ntohl(th->seq) > tc[s].seq_from_tap) { if (ntohl(th->seq) > tc[s].seq_from_tap) {
tc[s].seq_from_tap = tc[s].seq_ack_to_tap; tc[s].seq_from_tap = tc[s].seq_ack_to_tap;
@ -1318,7 +1320,7 @@ int tcp_tap_handler(struct ctx *c, int af, void *addr,
tc[s].seq_to_tap = tc[s].seq_ack_from_tap; tc[s].seq_to_tap = tc[s].seq_ack_from_tap;
if (tc[s].s == ESTABLISHED_SOCK_FIN) { if (tc[s].s == ESTABLISHED_SOCK_FIN) {
if (!tcp_data_from_sock(c, s)) if (!tcp_data_from_sock(c, s, now))
tcp_set_state(s, CLOSE_WAIT); tcp_set_state(s, CLOSE_WAIT);
} }
} }
@ -1400,8 +1402,10 @@ static void tcp_connect_finish(struct ctx *c, int s)
* @c: Execution context * @c: Execution context
* @s: File descriptor number for socket * @s: File descriptor number for socket
* @events: epoll events bitmap * @events: epoll events bitmap
* @now: Current timestamp
*/ */
void tcp_sock_handler(struct ctx *c, int s, uint32_t events) void tcp_sock_handler(struct ctx *c, int s, uint32_t events,
struct timespec *now)
{ {
socklen_t sl; socklen_t sl;
int accept; int accept;
@ -1434,7 +1438,7 @@ void tcp_sock_handler(struct ctx *c, int s, uint32_t events)
} }
if (accept) { if (accept) {
tcp_conn_from_sock(c, s); tcp_conn_from_sock(c, s, now);
return; return;
} }
@ -1444,18 +1448,18 @@ void tcp_sock_handler(struct ctx *c, int s, uint32_t events)
} }
if (tc[s].s == ESTABLISHED) if (tc[s].s == ESTABLISHED)
tcp_data_from_sock(c, s); tcp_data_from_sock(c, s, now);
if (events & EPOLLRDHUP || events & EPOLLHUP) { if (events & EPOLLRDHUP || events & EPOLLHUP) {
if (tc[s].s == ESTABLISHED) { if (tc[s].s == ESTABLISHED) {
tcp_set_state(s, ESTABLISHED_SOCK_FIN); tcp_set_state(s, ESTABLISHED_SOCK_FIN);
shutdown(s, SHUT_RD); shutdown(s, SHUT_RD);
tcp_data_from_sock(c, s); tcp_data_from_sock(c, s, now);
tcp_send_to_tap(c, s, FIN | ACK, NULL, 0); tcp_send_to_tap(c, s, FIN | ACK, NULL, 0);
} else if (tc[s].s == FIN_WAIT_1) { } else if (tc[s].s == FIN_WAIT_1) {
tcp_set_state(s, FIN_WAIT_1_SOCK_FIN); tcp_set_state(s, FIN_WAIT_1_SOCK_FIN);
shutdown(s, SHUT_RD); shutdown(s, SHUT_RD);
tcp_data_from_sock(c, s); tcp_data_from_sock(c, s, now);
tcp_send_to_tap(c, s, FIN | ACK, NULL, 0); tcp_send_to_tap(c, s, FIN | ACK, NULL, 0);
tcp_sock_consume(s, tc[s].seq_ack_from_tap); tcp_sock_consume(s, tc[s].seq_ack_from_tap);
} }
@ -1477,15 +1481,15 @@ int tcp_sock_init(struct ctx *c)
c->tcp.fd_max = c->tcp.fd_listen_max = c->tcp.fd_conn_max = 0; c->tcp.fd_max = c->tcp.fd_listen_max = c->tcp.fd_conn_max = 0;
CHECK_SET_MIN_MAX(c->tcp.fd_listen_, s); CHECK_SET_MIN_MAX(c->tcp.fd_listen_, s);
for (port = 0; port < (1 << 15) + (1 << 14); port++) { for (port = 0; !PORT_IS_EPHEMERAL(port); port++) {
if (c->v4) { if (c->v4) {
if ((s = sock_l4_add(c, 4, IPPROTO_TCP, port)) < 0) if ((s = sock_l4(c, AF_INET, IPPROTO_TCP, port)) < 0)
return -1; return -1;
CHECK_SET_MIN_MAX(c->tcp.fd_listen_, s); CHECK_SET_MIN_MAX(c->tcp.fd_listen_, s);
} }
if (c->v6) { if (c->v6) {
if ((s = sock_l4_add(c, 6, IPPROTO_TCP, port)) < 0) if ((s = sock_l4(c, AF_INET6, IPPROTO_TCP, port)) < 0)
return -1; return -1;
CHECK_SET_MIN_MAX(c->tcp.fd_listen_, s); CHECK_SET_MIN_MAX(c->tcp.fd_listen_, s);
} }
@ -1540,7 +1544,7 @@ static void tcp_timer_one(struct ctx *c, int s, struct timespec *ts)
if (tc[s].seq_ack_from_tap < tc[s].seq_to_tap) { if (tc[s].seq_ack_from_tap < tc[s].seq_to_tap) {
tc[s].seq_to_tap = tc[s].seq_ack_from_tap; tc[s].seq_to_tap = tc[s].seq_ack_from_tap;
tc[s].ts_ack_tap = *ts; tc[s].ts_ack_tap = *ts;
tcp_data_from_sock(c, s); tcp_data_from_sock(c, s, ts);
} }
} }

9
tcp.h
View file

@ -1,11 +1,14 @@
#ifndef TCP_H #ifndef TCP_H
#define TCP_H #define TCP_H
#define TCP_TIMER_INTERVAL 20 /* ms */
struct ctx; struct ctx;
void tcp_sock_handler(struct ctx *c, int s, uint32_t events); void tcp_sock_handler(struct ctx *c, int s, uint32_t events,
struct timespec *now);
int tcp_tap_handler(struct ctx *c, int af, void *addr, int tcp_tap_handler(struct ctx *c, int af, void *addr,
struct tap_msg *msg, int count); struct tap_msg *msg, int count, struct timespec *now);
int tcp_sock_init(struct ctx *c); int tcp_sock_init(struct ctx *c);
void tcp_timer(struct ctx *c, struct timespec *ts); void tcp_timer(struct ctx *c, struct timespec *ts);
@ -18,6 +21,7 @@ void tcp_timer(struct ctx *c, struct timespec *ts);
* @fd_listen_max: Highest file descriptor number for listening sockets * @fd_listen_max: Highest file descriptor number for listening sockets
* @fd_conn_min: Lowest file descriptor number for connected sockets * @fd_conn_min: Lowest file descriptor number for connected sockets
* @fd_conn_max: Highest file descriptor number for connected sockets * @fd_conn_max: Highest file descriptor number for connected sockets
* @timer_run: Timestamp of most recent timer run
*/ */
struct tcp_ctx { struct tcp_ctx {
uint64_t hash_secret[2]; uint64_t hash_secret[2];
@ -27,6 +31,7 @@ struct tcp_ctx {
int fd_listen_max; int fd_listen_max;
int fd_conn_min; int fd_conn_min;
int fd_conn_max; int fd_conn_max;
struct timespec timer_run;
}; };
#endif /* TCP_H */ #endif /* TCP_H */

276
udp.c
View file

@ -13,10 +13,20 @@
* DOC: Theory of Operation * DOC: Theory of Operation
* *
* *
* For UDP, no state machine or any particular tracking is required. Try to * For UDP, a reduced version of port-based connection tracking is implemented
* create and bind sets of 2^16 sockets, one for IPv4 and one for IPv6. Binding * with two purposes:
* will fail on ports that are already bound, or low ports depending on * - binding ephemeral ports when they're used as source port by the guest, so
* capabilities. * that replies on those ports can be forwarded back to the guest, with a
* fixed 180s timeout for this binding
* - packets received from the local host get their source changed to a local
* address (gateway address) so that they can be forwarded to the guest, and
* packets sent as replies by the guest need their destination address to
* be changed back to the address of the local host. This is dynamic to allow
* connections from the gateway as well, and uses the same fixed 180s timeout
*
* Sockets for ephemeral and non-ephemeral ports are created and at
* initialisation time, one set for IPv4 and one for IPv6. Non-ephemeral ports
* are bound at initialisation time, ephemeral ports are bound dynamically.
* *
* Packets are forwarded back and forth, by prepending and stripping UDP headers * Packets are forwarded back and forth, by prepending and stripping UDP headers
* in the obvious way, with no port translation. * in the obvious way, with no port translation.
@ -47,16 +57,82 @@
#include "tap.h" #include "tap.h"
#include "util.h" #include "util.h"
static int udp4_sock_port[USHRT_MAX]; #define UDP_CONN_TIMEOUT 180 /* s, timeout for ephemeral or local bind */
static int udp6_sock_port[USHRT_MAX];
struct udp_port {
int s;
time_t ts_ephemeral;
time_t ts_local;
};
static struct udp_port up4[USHRT_MAX];
static struct udp_port up6[USHRT_MAX];
/* Bitmaps, activity monitoring needed for port */
static uint8_t udp4_act[USHRT_MAX / 8];
static uint8_t udp6_act[USHRT_MAX / 8];
/**
* udp_act_set() - Set port in bitmap for timed events
* @af: Protocol family
* @s: Port number
*/
static void udp_act_set(int af, int p)
{
if (af == AF_INET)
udp4_act[p / 8] |= 1 << (p % 8);
else
udp6_act[p / 8] |= 1 << (p % 8);
}
/**
* udp_act_clear() - Clear port from bitmap for timed events
* @af: Protocol family
* @s: Port number
*/
static void udp_act_clear(int af, int p)
{
if (af == AF_INET)
udp4_act[p / 8] &= ~(1 << (p % 8));
else
udp6_act[p / 8] &= ~(1 << (p % 8));
}
/**
* udp_sock_handler_local() - Replace address if local, update timestamp
* @c: Execution context
* @sa: Socket address as struct sockaddr_in or sockaddr_in6
* @now: Current timestamp
*/
static void udp_sock_handler_local(struct ctx *c, int af, void *sa,
struct timespec *now)
{
if (af == AF_INET) {
struct sockaddr_in *s_in = (struct sockaddr_in *)sa;
s_in->sin_addr.s_addr = c->gw4;
up4[ntohs(s_in->sin_port)].ts_local = now->tv_sec;
udp_act_set(AF_INET, ntohs(s_in->sin_port));
} else {
struct sockaddr_in6 *s_in6 = (struct sockaddr_in6 *)sa;
memcpy(&s_in6->sin6_addr, &c->gw6, sizeof(c->gw6));
up6[ntohs(s_in6->sin6_port)].ts_local = now->tv_sec;
udp_act_set(AF_INET6, ntohs(s_in6->sin6_port));
}
}
/** /**
* udp_sock_handler() - Handle new data from socket * udp_sock_handler() - Handle new data from socket
* @c: Execution context * @c: Execution context
* @s: File descriptor number for socket * @s: File descriptor number for socket
* @events: epoll events bitmap * @events: epoll events bitmap
* @now: Current timestamp
*/ */
void udp_sock_handler(struct ctx *c, int s, uint32_t events) void udp_sock_handler(struct ctx *c, int s, uint32_t events,
struct timespec *now)
{ {
struct in6_addr a6 = { .s6_addr = { 0, 0, 0, 0, struct in6_addr a6 = { .s6_addr = { 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0,
@ -87,7 +163,7 @@ void udp_sock_handler(struct ctx *c, int s, uint32_t events)
if (ntohl(sr4->sin_addr.s_addr) == INADDR_LOOPBACK || if (ntohl(sr4->sin_addr.s_addr) == INADDR_LOOPBACK ||
ntohl(sr4->sin_addr.s_addr) == INADDR_ANY) ntohl(sr4->sin_addr.s_addr) == INADDR_ANY)
sr4->sin_addr.s_addr = c->gw4; udp_sock_handler_local(c, AF_INET, sr4, now);
memcpy(&a6.s6_addr[12], &sr4->sin_addr, sizeof(sr4->sin_addr)); memcpy(&a6.s6_addr[12], &sr4->sin_addr, sizeof(sr4->sin_addr));
uh->source = sr4->sin_port; uh->source = sr4->sin_port;
@ -100,7 +176,7 @@ void udp_sock_handler(struct ctx *c, int s, uint32_t events)
struct sockaddr_in6 *sl6 = (struct sockaddr_in6 *)&sl; struct sockaddr_in6 *sl6 = (struct sockaddr_in6 *)&sl;
if (IN6_IS_ADDR_LOOPBACK(&sr6->sin6_addr)) if (IN6_IS_ADDR_LOOPBACK(&sr6->sin6_addr))
memcpy(&sr6->sin6_addr, &c->gw6, sizeof(c->gw6)); udp_sock_handler_local(c, AF_INET6, sr6, now);
uh->source = sr6->sin6_port; uh->source = sr6->sin6_port;
uh->dest = sl6->sin6_port; uh->dest = sl6->sin6_port;
@ -111,17 +187,95 @@ void udp_sock_handler(struct ctx *c, int s, uint32_t events)
} }
} }
/**
* udp_tap_handler_ephemeral() - Bind ephemeral source port, update timestamp
* @af: Address family, AF_INET or AF_INET6
* @src: Source port, host order
* @now: Current timestamp
*/
static void udp_tap_handler_ephemeral(int af, in_port_t src,
struct timespec *now)
{
struct sockaddr *addr = NULL;
struct sockaddr_in6 s_in6 = {
.sin6_family = AF_INET6,
.sin6_port = htons(src),
.sin6_addr = IN6ADDR_ANY_INIT,
};
struct sockaddr_in s_in = {
.sin_family = AF_INET,
.sin_port = htons(src),
.sin_addr = { .s_addr = INADDR_ANY },
};
socklen_t sl;
int s;
if (af == AF_INET) {
if (!up4[src].ts_ephemeral) {
s = up4[src].s;
addr = (struct sockaddr *)&s_in;
sl = sizeof(s_in);
}
} else {
if (!up6[src].ts_ephemeral) {
s = up6[src].s;
addr = (struct sockaddr *)&s_in6;
sl = sizeof(s_in6);
}
}
if (addr) {
if (bind(s, addr, sl))
return;
udp_act_set(af, src);
}
if (af == AF_INET)
up4[src].ts_ephemeral = now->tv_sec;
else
up6[src].ts_ephemeral = now->tv_sec;
}
/**
* udp_tap_handler_local() - Set address to local if needed, update timestamp
* @af: Address family, AF_INET or AF_INET6
* @dst: Destination port, host order
* @sa: Socket address as struct sockaddr_in or sockaddr_in6 to modify
* @now: Current timestamp
*/
static void udp_tap_handler_local(int af, in_port_t dst, void *sa,
struct timespec *now)
{
if (af == AF_INET) {
if (up4[dst].ts_local) {
struct sockaddr_in *s_in = (struct sockaddr_in *)sa;
s_in->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
up4[dst].ts_local = now->tv_sec;
}
} else {
if (up6[dst].ts_local) {
struct sockaddr_in6 *s_in6 = (struct sockaddr_in6 *)sa;
s_in6->sin6_addr = in6addr_loopback;
up6[dst].ts_local = now->tv_sec;
}
}
}
/** /**
* udp_tap_handler() - Handle packets from tap * udp_tap_handler() - Handle packets from tap
* @c: Execution context * @c: Execution context
* @af: Address family, AF_INET or AF_INET6 * @af: Address family, AF_INET or AF_INET6
* @msg: Input messages * @msg: Input messages
* @count: Message count * @count: Message count
* @now: Current timestamp
* *
* Return: count of consumed packets * Return: count of consumed packets
*/ */
int udp_tap_handler(struct ctx *c, int af, void *addr, int udp_tap_handler(struct ctx *c, int af, void *addr,
struct tap_msg *msg, int count) struct tap_msg *msg, int count, struct timespec *now)
{ {
/* The caller already checks that all the messages have the same source /* The caller already checks that all the messages have the same source
* and destination, so we can just take those from the first message. * and destination, so we can just take those from the first message.
@ -132,11 +286,18 @@ int udp_tap_handler(struct ctx *c, int af, void *addr,
struct sockaddr_in6 s_in6; struct sockaddr_in6 s_in6;
struct sockaddr_in s_in; struct sockaddr_in s_in;
struct sockaddr *sa; struct sockaddr *sa;
in_port_t src, dst;
socklen_t sl; socklen_t sl;
int i, s; int i, s;
(void)c; (void)c;
if (msg[0].l4_len < sizeof(*uh))
return 1;
src = ntohs(uh->source);
dst = ntohs(uh->dest);
if (af == AF_INET) { if (af == AF_INET) {
s_in = (struct sockaddr_in) { s_in = (struct sockaddr_in) {
.sin_family = AF_INET, .sin_family = AF_INET,
@ -171,15 +332,22 @@ int udp_tap_handler(struct ctx *c, int af, void *addr,
} }
if (af == AF_INET) { if (af == AF_INET) {
if (!(s = udp4_sock_port[ntohs(uh->source)])) if (!(s = up4[src].s))
return count;
} else if (af == AF_INET6) {
if (!(s = udp6_sock_port[ntohs(uh->source)]))
return count; return count;
if (s_in.sin_addr.s_addr == c->gw4)
udp_tap_handler_local(AF_INET, dst, &s_in, now);
} else { } else {
if (!(s = up6[src].s))
return count; return count;
if (!memcmp(addr, &c->gw6, sizeof(c->gw6)))
udp_tap_handler_local(AF_INET6, dst, &s_in6, now);
} }
if (PORT_IS_EPHEMERAL(src))
udp_tap_handler_ephemeral(af, src, now);
count = sendmmsg(s, mm, count, MSG_DONTWAIT | MSG_NOSIGNAL); count = sendmmsg(s, mm, count, MSG_DONTWAIT | MSG_NOSIGNAL);
if (count < 0) if (count < 0)
return 1; return 1;
@ -203,19 +371,91 @@ int udp_sock_init(struct ctx *c)
for (port = 0; port < USHRT_MAX; port++) { for (port = 0; port < USHRT_MAX; port++) {
if (c->v4) { if (c->v4) {
if ((s = sock_l4_add(c, 4, IPPROTO_UDP, port)) < 0) if ((s = sock_l4(c, AF_INET, IPPROTO_UDP, port)) < 0)
return -1; return -1;
udp4_sock_port[port] = s; up4[port].s = s;
} }
if (c->v6) { if (c->v6) {
if ((s = sock_l4_add(c, 6, IPPROTO_UDP, port)) < 0) if ((s = sock_l4(c, AF_INET6, IPPROTO_UDP, port)) < 0)
return -1; return -1;
udp6_sock_port[port] = s; up6[port].s = s;
} }
} }
return 0; return 0;
} }
/**
* udp_timer_one() - Handler for timed events on one port
* @af: Address family, AF_INET or AF_INET6
* @p: Port number, host order
* @ts: Timestamp from caller
*/
static void udp_timer_one(struct ctx *c, int af, in_port_t p,
struct timespec *ts)
{
int s = -1;
if (af == AF_INET) {
if (ts->tv_sec - up4[p].ts_ephemeral > UDP_CONN_TIMEOUT)
up4[p].ts_ephemeral = 0;
if (ts->tv_sec - up4[p].ts_local > UDP_CONN_TIMEOUT)
up4[p].ts_local = 0;
if (!up4[p].ts_ephemeral && !up4[p].ts_local) {
udp_act_clear(AF_INET, p);
s = up4[p].s;
}
} else {
if (ts->tv_sec - up6[p].ts_ephemeral > UDP_CONN_TIMEOUT)
up6[p].ts_ephemeral = 0;
if (ts->tv_sec - up6[p].ts_local > UDP_CONN_TIMEOUT)
up6[p].ts_local = 0;
if (!up6[p].ts_ephemeral && !up6[p].ts_local) {
udp_act_clear(AF_INET6, p);
s = up6[p].s;
}
}
if (s != -1) {
epoll_ctl(c->epollfd, EPOLL_CTL_DEL, s, NULL);
close(s);
sock_l4(c, af, IPPROTO_UDP, p);
}
}
/**
* udp_timer() - Scan activity bitmap for ports with associated timed events
* @c: Execution context
* @ts: Timestamp from caller
*/
void udp_timer(struct ctx *c, struct timespec *ts)
{
long *word, tmp;
unsigned int i;
int n;
word = (long *)udp4_act;
for (i = 0; i < sizeof(udp4_act) / sizeof(long); i++, word++) {
tmp = *word;
while ((n = ffsl(tmp))) {
tmp &= ~(1UL << (n - 1));
udp_timer_one(c, AF_INET,
i * sizeof(long) * 8 + n - 1, ts);
}
}
word = (long *)udp6_act;
for (i = 0; i < sizeof(udp6_act) / sizeof(long); i++, word++) {
tmp = *word;
while ((n = ffsl(tmp))) {
tmp &= ~(1UL << (n - 1));
udp_timer_one(c, AF_INET6,
i * sizeof(long) * 8 + n - 1, ts);
}
}
}

10
udp.h
View file

@ -1,19 +1,25 @@
#ifndef UDP_H #ifndef UDP_H
#define UDP_H #define UDP_H
void udp_sock_handler(struct ctx *c, int s, uint32_t events); #define UDP_TIMER_INTERVAL 1000 /* ms */
void udp_sock_handler(struct ctx *c, int s, uint32_t events,
struct timespec *now);
int udp_tap_handler(struct ctx *c, int af, void *addr, int udp_tap_handler(struct ctx *c, int af, void *addr,
struct tap_msg *msg, int count); struct tap_msg *msg, int count, struct timespec *now);
int udp_sock_init(struct ctx *c); int udp_sock_init(struct ctx *c);
void udp_timer(struct ctx *c, struct timespec *ts);
/** /**
* struct udp_ctx - Execution context for UDP * struct udp_ctx - Execution context for UDP
* @fd_min: Lowest file descriptor number for UDP ever used * @fd_min: Lowest file descriptor number for UDP ever used
* @fd_max: Highest file descriptor number for UDP ever used * @fd_max: Highest file descriptor number for UDP ever used
* @timer_run: Timestamp of most recent timer run
*/ */
struct udp_ctx { struct udp_ctx {
int fd_min; int fd_min;
int fd_max; int fd_max;
struct timespec timer_run;
}; };
#endif /* UDP_H */ #endif /* UDP_H */

16
util.c
View file

@ -155,15 +155,15 @@ char *ipv6_l4hdr(struct ipv6hdr *ip6h, uint8_t *proto)
} }
/** /**
* sock_l4_add() - Create and bind socket for given L4, add to epoll list * sock_l4() - Create and bind socket for given L4, add to epoll list
* @c: Execution context * @c: Execution context
* @v: IP protocol, 4 or 6 * @af: Address family, AF_INET or AF_INET6
* @proto: Protocol number, host order * @proto: Protocol number, host order
* @port: Port, network order * @port: Port, host order
* *
* Return: newly created socket, -1 on error * Return: newly created socket, -1 on error
*/ */
int sock_l4_add(struct ctx *c, int v, uint16_t proto, uint16_t port) int sock_l4(struct ctx *c, int af, uint16_t proto, uint16_t port)
{ {
struct sockaddr_in addr4 = { struct sockaddr_in addr4 = {
.sin_family = AF_INET, .sin_family = AF_INET,
@ -183,8 +183,7 @@ int sock_l4_add(struct ctx *c, int v, uint16_t proto, uint16_t port)
proto != IPPROTO_ICMP && proto != IPPROTO_ICMPV6) proto != IPPROTO_ICMP && proto != IPPROTO_ICMPV6)
return -1; /* Not implemented. */ return -1; /* Not implemented. */
fd = socket(v == 4 ? AF_INET : AF_INET6, fd = socket(af, proto == IPPROTO_TCP ? SOCK_STREAM : SOCK_DGRAM, proto);
proto == IPPROTO_TCP ? SOCK_STREAM : SOCK_DGRAM, proto);
if (fd < 0) { if (fd < 0) {
perror("L4 socket"); perror("L4 socket");
return -1; return -1;
@ -198,7 +197,7 @@ int sock_l4_add(struct ctx *c, int v, uint16_t proto, uint16_t port)
if (proto == IPPROTO_ICMP || proto == IPPROTO_ICMPV6) if (proto == IPPROTO_ICMP || proto == IPPROTO_ICMPV6)
goto epoll_add; goto epoll_add;
if (v == 4) { if (af == AF_INET) {
sa = (const struct sockaddr *)&addr4; sa = (const struct sockaddr *)&addr4;
sl = sizeof(addr4); sl = sizeof(addr4);
} else { } else {
@ -208,6 +207,9 @@ int sock_l4_add(struct ctx *c, int v, uint16_t proto, uint16_t port)
setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &one, sizeof(one)); setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &one, sizeof(one));
} }
if (proto == IPPROTO_UDP && PORT_IS_EPHEMERAL(port))
goto epoll_add;
if (bind(fd, sa, sl) < 0) { if (bind(fd, sa, sl) < 0) {
/* We'll fail to bind to low ports if we don't have enough /* We'll fail to bind to low ports if we don't have enough
* capabilities, and we'll fail to bind on already bound ports, * capabilities, and we'll fail to bind on already bound ports,

6
util.h
View file

@ -22,14 +22,18 @@ void debug(const char *format, ...);
CHECK_SET_MIN_MAX(c->proto_ctx.fd_, (fd)); \ CHECK_SET_MIN_MAX(c->proto_ctx.fd_, (fd)); \
} while (0) } while (0)
#define MIN(x, y) (((x) < (y)) ? (x) : (y))
#define IN_INTERVAL(a, b, x) ((x) >= (a) && (x) <= (b)) #define IN_INTERVAL(a, b, x) ((x) >= (a) && (x) <= (b))
#define FD_PROTO(x, proto) \ #define FD_PROTO(x, proto) \
(IN_INTERVAL(c->proto.fd_min, c->proto.fd_max, (x))) (IN_INTERVAL(c->proto.fd_min, c->proto.fd_max, (x)))
#define PORT_IS_EPHEMERAL(port) ((port) >= (1 << 15) + (1 << 14)) /* RFC 6335 */
uint16_t csum_fold(uint32_t sum); uint16_t csum_fold(uint32_t sum);
uint16_t csum_ip4(void *buf, size_t len); uint16_t csum_ip4(void *buf, size_t len);
void csum_tcp4(struct iphdr *iph); void csum_tcp4(struct iphdr *iph);
char *ipv6_l4hdr(struct ipv6hdr *ip6h, uint8_t *proto); char *ipv6_l4hdr(struct ipv6hdr *ip6h, uint8_t *proto);
int sock_l4_add(struct ctx *c, int v, uint16_t proto, uint16_t port); int sock_l4(struct ctx *c, int af, uint16_t proto, uint16_t port);
int timespec_diff_ms(struct timespec *a, struct timespec *b); int timespec_diff_ms(struct timespec *a, struct timespec *b);