2 This file is part of GNUnet.
3 Copyright (C) 2010 GNUnet e.V.
5 GNUnet is free software: you can redistribute it and/or modify it
6 under the terms of the GNU Affero General Public License as published
7 by the Free Software Foundation, either version 3 of the License,
8 or (at your option) any later version.
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Affero General Public License for more details.
15 You should have received a copy of the GNU Affero General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 * @file src/nat/gnunet-helper-nat-client.c
21 * @brief Tool to help bypass NATs using ICMP method; must run as root (SUID will do)
22 * This code will work under GNU/Linux only.
23 * @author Christian Grothoff
25 * This program will send ONE ICMP message using RAW sockets
26 * to the IP address specified as the second argument. Since
27 * it uses RAW sockets, it must be installed SUID or run as 'root'.
28 * In order to keep the security risk of the resulting SUID binary
29 * minimal, the program ONLY opens the RAW socket with root
30 * privileges, then drops them and only then starts to process
31 * command line arguments. The code also does not link against
32 * any shared libraries (except libc) and is strictly minimal
33 * (except for checking for errors). The following list of people
34 * have reviewed this code and considered it safe since the last
35 * modification (if you reviewed it, please have your name added
38 * - Christian Grothoff
40 * - Benjamin Kuperman (22 Aug 2010)
43 /* Just needed for HAVE_SOCKADDR_IN_SIN_LEN test macro! */
44 #include "gnunet_config.h"
48 #include <sys/types.h>
49 #include <sys/socket.h>
50 #include <arpa/inet.h>
51 #include <sys/types.h>
58 #include <netinet/ip.h>
59 #include <netinet/ip_icmp.h>
60 #include <netinet/in.h>
62 /* The following constant is missing from FreeBSD 9.2 */
63 #ifndef ICMP_TIME_EXCEEDED
64 #define ICMP_TIME_EXCEEDED 11
68 * Call memcpy() but check for @a n being 0 first. In the latter
69 * case, it is now safe to pass NULL for @a src or @a dst.
70 * Unlike traditional memcpy(), returns nothing.
72 * @param dst destination of the copy, may be NULL if @a n is zero
73 * @param src source of the copy, may be NULL if @a n is zero
74 * @param n number of bytes to copy
76 #define GNUNET_memcpy(dst,src,n) do { if (0 != n) { (void) memcpy (dst,src,n); } } while (0)
79 * Must match IP given in the server.
81 #define DUMMY_IP "192.0.2.86"
83 #define NAT_TRAV_PORT 22225
86 * Must match packet ID used by gnunet-helper-nat-server.c
97 * Version (4 bits) + Internet header length (4 bits)
117 * Flags (3 bits) + Fragment offset (13 bits)
119 uint16_t flags_frag_offset;
142 * Destination address
148 * Format of ICMP packet.
150 struct icmp_ttl_exceeded_header
160 /* followed by original payload */
163 struct icmp_echo_header
175 * Beginning of UDP packet.
189 * Socket we use to send our fake ICMP replies.
194 * Target "dummy" address of the packet we pretend to respond to.
196 static struct in_addr dummy;
201 static uint16_t port;
205 * CRC-16 for IP/ICMP headers.
207 * @param data what to calculate the CRC over
208 * @param bytes number of bytes in data (must be multiple of 2)
209 * @return the CRC 16.
212 calc_checksum (const uint16_t * data, unsigned int bytes)
218 for (i = 0; i < bytes / 2; i++)
220 sum = (sum & 0xffff) + (sum >> 16);
221 sum = htons (0xffff - sum);
227 * Send an ICMP message to the target.
229 * @param my_ip source address
230 * @param other target address
233 send_icmp_udp (const struct in_addr *my_ip, const struct in_addr *other)
235 char packet[sizeof (struct ip_header) * 2 +
236 sizeof (struct icmp_ttl_exceeded_header) +
237 sizeof (struct udp_header)];
238 struct ip_header ip_pkt;
239 struct icmp_ttl_exceeded_header icmp_pkt;
240 struct udp_header udp_pkt;
241 struct sockaddr_in dst;
245 /* ip header: send to (known) ip address */
247 ip_pkt.vers_ihl = 0x45;
250 ip_pkt.pkt_len = sizeof (packet); /* Workaround PR kern/21737 */
252 ip_pkt.pkt_len = htons (sizeof (packet));
254 ip_pkt.id = htons (PACKET_ID);
255 ip_pkt.flags_frag_offset = 0;
257 ip_pkt.proto = IPPROTO_ICMP;
259 ip_pkt.src_ip = my_ip->s_addr;
260 ip_pkt.dst_ip = other->s_addr;
262 htons (calc_checksum ((uint16_t *) & ip_pkt, sizeof (struct ip_header)));
263 GNUNET_memcpy (&packet[off],
265 sizeof (struct ip_header));
266 off += sizeof (struct ip_header);
268 icmp_pkt.type = ICMP_TIME_EXCEEDED;
270 icmp_pkt.checksum = 0;
272 GNUNET_memcpy (&packet[off],
274 sizeof (struct icmp_ttl_exceeded_header));
275 off += sizeof (struct icmp_ttl_exceeded_header);
277 /* ip header of the presumably 'lost' udp packet */
278 ip_pkt.vers_ihl = 0x45;
281 htons (sizeof (struct ip_header) + sizeof (struct udp_header));
282 ip_pkt.id = htons (0);
283 ip_pkt.flags_frag_offset = 0;
285 ip_pkt.proto = IPPROTO_UDP;
287 ip_pkt.src_ip = other->s_addr;
288 ip_pkt.dst_ip = dummy.s_addr;
290 htons (calc_checksum ((uint16_t *) & ip_pkt, sizeof (struct ip_header)));
291 GNUNET_memcpy (&packet[off],
293 sizeof (struct ip_header));
294 off += sizeof (struct ip_header);
296 /* build UDP header */
297 udp_pkt.src_port = htons (NAT_TRAV_PORT);
298 udp_pkt.dst_port = htons (NAT_TRAV_PORT);
299 udp_pkt.length = htons (port);
301 GNUNET_memcpy (&packet[off],
303 sizeof (struct udp_header));
304 off += sizeof (struct udp_header);
306 /* set ICMP checksum */
309 ((uint16_t *) & packet[sizeof (struct ip_header)],
310 sizeof (struct icmp_ttl_exceeded_header) +
311 sizeof (struct ip_header) + sizeof (struct udp_header)));
312 GNUNET_memcpy (&packet[sizeof (struct ip_header)],
314 sizeof (struct icmp_ttl_exceeded_header));
316 memset (&dst, 0, sizeof (dst));
317 dst.sin_family = AF_INET;
318 #if HAVE_SOCKADDR_IN_SIN_LEN
319 dst.sin_len = sizeof (struct sockaddr_in);
321 dst.sin_addr = *other;
323 sendto (rawsock, packet, sizeof (packet), 0, (struct sockaddr *) &dst,
327 fprintf (stderr, "sendto failed: %s\n", strerror (errno));
329 else if (sizeof (packet) != (size_t) err)
331 fprintf (stderr, "Error: partial send of ICMP message with size %lu\n", (unsigned long) off);
337 * Send an ICMP message to the target.
339 * @param my_ip source address
340 * @param other target address
343 send_icmp (const struct in_addr *my_ip, const struct in_addr *other)
345 struct ip_header ip_pkt;
346 struct icmp_ttl_exceeded_header icmp_ttl;
347 struct icmp_echo_header icmp_echo;
348 struct sockaddr_in dst;
349 char packet[sizeof (struct ip_header) * 2 +
350 sizeof (struct icmp_ttl_exceeded_header) +
351 sizeof (struct icmp_echo_header)];
355 /* ip header: send to (known) ip address */
357 ip_pkt.vers_ihl = 0x45;
360 ip_pkt.pkt_len = sizeof (packet); /* Workaround PR kern/21737 */
362 ip_pkt.pkt_len = htons (sizeof (packet));
364 ip_pkt.id = htons (PACKET_ID);
365 ip_pkt.flags_frag_offset = 0;
366 ip_pkt.ttl = IPDEFTTL;
367 ip_pkt.proto = IPPROTO_ICMP;
369 ip_pkt.src_ip = my_ip->s_addr;
370 ip_pkt.dst_ip = other->s_addr;
372 htons (calc_checksum ((uint16_t *) & ip_pkt, sizeof (struct ip_header)));
373 GNUNET_memcpy (&packet[off],
375 sizeof (struct ip_header));
376 off = sizeof (ip_pkt);
378 /* icmp reply: time exceeded */
379 icmp_ttl.type = ICMP_TIME_EXCEEDED;
381 icmp_ttl.checksum = 0;
383 GNUNET_memcpy (&packet[off],
385 sizeof (struct icmp_ttl_exceeded_header));
386 off += sizeof (struct icmp_ttl_exceeded_header);
388 /* ip header of the presumably 'lost' udp packet */
389 ip_pkt.vers_ihl = 0x45;
392 htons (sizeof (struct ip_header) + sizeof (struct icmp_echo_header));
393 ip_pkt.id = htons (PACKET_ID);
394 ip_pkt.flags_frag_offset = 0;
395 ip_pkt.ttl = 1; /* real TTL would be 1 on a time exceeded packet */
396 ip_pkt.proto = IPPROTO_ICMP;
397 ip_pkt.src_ip = other->s_addr;
398 ip_pkt.dst_ip = dummy.s_addr;
401 htons (calc_checksum ((uint16_t *) & ip_pkt, sizeof (struct ip_header)));
402 GNUNET_memcpy (&packet[off],
404 sizeof (struct ip_header));
405 off += sizeof (struct ip_header);
407 icmp_echo.type = ICMP_ECHO;
409 icmp_echo.reserved = htonl (port);
410 icmp_echo.checksum = 0;
413 ((uint16_t *) &icmp_echo, sizeof (struct icmp_echo_header)));
414 GNUNET_memcpy (&packet[off],
416 sizeof (struct icmp_echo_header));
418 /* no go back to calculate ICMP packet checksum */
419 off = sizeof (struct ip_header);
422 ((uint16_t *) & packet[off],
423 sizeof (struct icmp_ttl_exceeded_header) +
424 sizeof (struct ip_header) + sizeof (struct icmp_echo_header)));
425 GNUNET_memcpy (&packet[off],
427 sizeof (struct icmp_ttl_exceeded_header));
429 /* prepare for transmission */
430 memset (&dst, 0, sizeof (dst));
431 dst.sin_family = AF_INET;
432 #if HAVE_SOCKADDR_IN_SIN_LEN
433 dst.sin_len = sizeof (struct sockaddr_in);
435 dst.sin_addr = *other;
437 sendto (rawsock, packet, sizeof (packet), 0, (struct sockaddr *) &dst,
441 fprintf (stderr, "sendto failed: %s\n", strerror (errno));
443 else if (sizeof (packet) != (size_t) err)
445 fprintf (stderr, "Error: partial send of ICMP message\n");
451 main (int argc, char *const *argv)
454 struct in_addr external;
455 struct in_addr target;
461 /* Create an ICMP raw socket for writing (only operation that requires root) */
462 rawsock = socket (AF_INET, SOCK_RAW, IPPROTO_RAW);
463 raw_eno = errno; /* for later error checking */
465 /* now drop root privileges */
467 #ifdef HAVE_SETRESUID
468 if (0 != setresuid (uid, uid, uid))
470 fprintf (stderr, "Failed to setresuid: %s\n", strerror (errno));
475 if (0 != (setuid (uid) | seteuid (uid)))
477 fprintf (stderr, "Failed to setuid: %s\n", strerror (errno));
484 fprintf (stderr, "Error opening RAW socket: %s\n", strerror (raw_eno));
489 setsockopt (rawsock, SOL_SOCKET, SO_BROADCAST, (char *) &one, sizeof (one)))
491 fprintf (stderr, "setsockopt failed: %s\n", strerror (errno));
496 setsockopt (rawsock, IPPROTO_IP, IP_HDRINCL, (char *) &one, sizeof (one)))
498 fprintf (stderr, "setsockopt failed: %s\n", strerror (errno));
506 "This program must be started with our IP, the targets external IP, and our port as arguments.\n");
510 if ((1 != inet_pton (AF_INET, argv[1], &external)) ||
511 (1 != inet_pton (AF_INET, argv[2], &target)))
513 fprintf (stderr, "Error parsing IPv4 address: %s\n", strerror (errno));
517 if ((1 != sscanf (argv[3], "%u", &p)) || (0 == p) || (0xFFFF < p))
519 fprintf (stderr, "Error parsing port value `%s'\n", argv[3]);
524 if (1 != inet_pton (AF_INET, DUMMY_IP, &dummy))
526 fprintf (stderr, "Internal error converting dummy IP to binary.\n");
530 send_icmp (&external, &target);
531 send_icmp_udp (&external, &target);
535 (void) close (rawsock);
539 /* end of gnunet-helper-nat-client.c */