X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=src%2Fexit%2Fgnunet-daemon-exit.c;h=92f38665b5e3a1d82b8d4aefb2d3334dc91a0367;hb=a250da032ba65252d9da96e8429b22e265c69980;hp=4986b934478ca95d3ea653d8dc45223e5fc5afd2;hpb=cdfe91f4823e6733e588acd1bbc5cb6c1a197938;p=oweals%2Fgnunet.git diff --git a/src/exit/gnunet-daemon-exit.c b/src/exit/gnunet-daemon-exit.c index 4986b9344..92f38665b 100644 --- a/src/exit/gnunet-daemon-exit.c +++ b/src/exit/gnunet-daemon-exit.c @@ -23,119 +23,50 @@ * @brief tool to allow IP traffic exit from the GNUnet mesh to the Internet * @author Philipp Toelke * @author Christian Grothoff + * + * TODO: + * - test + * + * Design: + * - which code should advertise services? the service model is right + * now a bit odd, especially as this code DOES the exit and knows + * the DNS "name", but OTOH this is clearly NOT the place to advertise + * the service's existence; maybe the daemon should turn into a + * service with an API to add local-exit services dynamically? */ -#include -#include -#include -#include -#include -#include -#include -#include - - -/* see http://www.iana.org/assignments/ethernet-numbers */ -#ifndef ETH_P_IPV4 -#define ETH_P_IPV4 0x0800 -#endif - -#ifndef ETH_P_IPV6 -#define ETH_P_IPV6 0x86DD -#endif - - -GNUNET_NETWORK_STRUCT_BEGIN -/** - * Header from Linux TUN interface. - */ -struct tun_header -{ - /** - * Some flags (unused). - */ - uint16_t flags; - - /** - * Here we get an ETH_P_-number. - */ - uint16_t proto; -}; +#include "platform.h" +#include "gnunet_util_lib.h" +#include "gnunet_protocols.h" +#include "gnunet_applications.h" +#include "gnunet_mesh_service.h" +#include "gnunet_dnsparser_lib.h" +#include "gnunet_dnsstub_lib.h" +#include "gnunet_statistics_service.h" +#include "gnunet_constants.h" +#include "gnunet_tun_lib.h" +#include "gnunet_regex_lib.h" +#include "exit.h" /** - * Standard IPv4 header. + * Maximum path compression length for mesh regex announcing for IPv4 address + * based regex. */ -struct ip4_header -{ - unsigned header_length:4 GNUNET_PACKED; - unsigned version:4 GNUNET_PACKED; - uint8_t diff_serv; - uint16_t total_length GNUNET_PACKED; - uint16_t identification GNUNET_PACKED; - unsigned flags:3 GNUNET_PACKED; - unsigned fragmentation_offset:13 GNUNET_PACKED; - uint8_t ttl; - uint8_t protocol; - uint16_t checksum GNUNET_PACKED; - struct in_addr source_address GNUNET_PACKED; - struct in_addr destination_address GNUNET_PACKED; -}; +#define REGEX_MAX_PATH_LEN_IPV4 4 /** - * Standard IPv6 header. + * Maximum path compression length for mesh regex announcing for IPv6 address + * based regex. */ -struct ip6_header -{ - unsigned traffic_class_h:4 GNUNET_PACKED; - unsigned version:4 GNUNET_PACKED; - unsigned traffic_class_l:4 GNUNET_PACKED; - unsigned flow_label:20 GNUNET_PACKED; - uint16_t payload_length GNUNET_PACKED; - uint8_t next_header; - uint8_t hop_limit; - struct in6_addr source_address GNUNET_PACKED; - struct in6_addr destination_address GNUNET_PACKED; -}; - -#define TCP_FLAG_SYN 2 +#define REGEX_MAX_PATH_LEN_IPV6 8 -struct tcp_packet -{ - unsigned spt:16 GNUNET_PACKED; - unsigned dpt:16 GNUNET_PACKED; - unsigned seq:32 GNUNET_PACKED; - unsigned ack:32 GNUNET_PACKED; - unsigned off:4 GNUNET_PACKED; - unsigned rsv:4 GNUNET_PACKED; - unsigned flg:8 GNUNET_PACKED; - unsigned wsz:16 GNUNET_PACKED; - unsigned crc:16 GNUNET_PACKED; - unsigned urg:16 GNUNET_PACKED; -}; /** - * UDP packet header. + * Generic logging shorthand */ -struct udp_packet -{ - uint16_t spt GNUNET_PACKED; - uint16_t dpt GNUNET_PACKED; - uint16_t len GNUNET_PACKED; - uint16_t crc GNUNET_PACKED; -}; +#define LOG(kind, ...) \ + GNUNET_log_from (kind, "exit", __VA_ARGS__); + -/** - * DNS header. - */ -struct dns_header -{ - uint16_t id GNUNET_PACKED; - uint16_t flags GNUNET_PACKED; - uint16_t qdcount GNUNET_PACKED; - uint16_t ancount GNUNET_PACKED; - uint16_t nscount GNUNET_PACKED; - uint16_t arcount GNUNET_PACKED; -}; -GNUNET_NETWORK_STRUCT_END /** * Information about an address. @@ -275,43 +206,94 @@ struct TunnelState struct GNUNET_MESH_Tunnel *tunnel; /** - * Heap node for this state in the connections_heap. + * Active tunnel transmission request (or NULL). */ - struct GNUNET_CONTAINER_HeapNode *heap_node; + struct GNUNET_MESH_TransmitHandle *th; /** - * Key this state has in the connections_map. + * GNUNET_NO if this is a tunnel for TCP/UDP, + * GNUNET_YES if this is a tunnel for DNS, + * GNUNET_SYSERR if the tunnel is not yet initialized. */ - GNUNET_HashCode state_key; + int is_dns; - /** - * Associated service record, or NULL for no service. - */ - struct LocalService *serv; + union + { + struct + { - /** - * Head of DLL of messages for this tunnel. - */ - struct TunnelMessageQueue *head; + /** + * Heap node for this state in the connections_heap. + */ + struct GNUNET_CONTAINER_HeapNode *heap_node; + + /** + * Key this state has in the connections_map. + */ + struct GNUNET_HashCode state_key; + + /** + * Associated service record, or NULL for no service. + */ + struct LocalService *serv; + + /** + * Head of DLL of messages for this tunnel. + */ + struct TunnelMessageQueue *head; + + /** + * Tail of DLL of messages for this tunnel. + */ + struct TunnelMessageQueue *tail; + + /** + * Primary redirection information for this connection. + */ + struct RedirectInformation ri; + } tcp_udp; - /** - * Tail of DLL of messages for this tunnel. - */ - struct TunnelMessageQueue *tail; + struct + { - /** - * Active tunnel transmission request (or NULL). - */ - struct GNUNET_MESH_TransmitHandle *th; + /** + * DNS reply ready for transmission. + */ + char *reply; + + /** + * Socket we are using to transmit this request (must match if we receive + * a response). + */ + struct GNUNET_DNSSTUB_RequestSocket *rs; + + /** + * Number of bytes in 'reply'. + */ + size_t reply_length; + + /** + * Original DNS request ID as used by the client. + */ + uint16_t original_id; + + /** + * DNS request ID that we used for forwarding. + */ + uint16_t my_id; + + } dns; - /** - * Primary redirection information for this connection. - */ - struct RedirectInformation ri; + } specifics; }; +/** + * Return value from 'main'. + */ +static int global_ret; + /** * The handle to the configuration used throughout the process */ @@ -325,13 +307,33 @@ static struct GNUNET_HELPER_Handle *helper_handle; /** * Arguments to the exit helper. */ -static char *exit_argv[7]; +static char *exit_argv[8]; + +/** + * IPv6 address of our TUN interface. + */ +static struct in6_addr exit_ipv6addr; /** * IPv6 prefix (0..127) from configuration file. */ static unsigned long long ipv6prefix; +/** + * IPv4 address of our TUN interface. + */ +static struct in_addr exit_ipv4addr; + +/** + * IPv4 netmask of our TUN interface. + */ +static struct in_addr exit_ipv4mask; + +/** + * Statistics. + */ +static struct GNUNET_STATISTICS_Handle *stats; + /** * The handle to mesh */ @@ -351,7 +353,7 @@ static struct GNUNET_CONTAINER_Heap *connections_heap; /** * If there are at least this many connections, old ones will be removed */ -static long long unsigned int max_connections = 200; +static unsigned long long max_connections; /** * This hashmaps saves interesting things about the configured UDP services @@ -363,6 +365,190 @@ static struct GNUNET_CONTAINER_MultiHashMap *udp_services; */ static struct GNUNET_CONTAINER_MultiHashMap *tcp_services; +/** + * Array of all open DNS requests from tunnels. + */ +static struct TunnelState *tunnels[UINT16_MAX + 1]; + +/** + * Handle to the DNS Stub resolver. + */ +static struct GNUNET_DNSSTUB_Context *dnsstub; + +/** + * Are we an IPv4-exit? + */ +static int ipv4_exit; + +/** + * Are we an IPv6-exit? + */ +static int ipv6_exit; + +/** + * Do we support IPv4 at all on the TUN interface? + */ +static int ipv4_enabled; + +/** + * Do we support IPv6 at all on the TUN interface? + */ +static int ipv6_enabled; + + +/** + * We got a reply from DNS for a request of a MESH tunnel. Send it + * via the tunnel (after changing the request ID back). + * + * @param cls the 'struct TunnelState' + * @param size number of bytes available in buf + * @param buf where to copy the reply + * @return number of bytes written to buf + */ +static size_t +transmit_reply_to_mesh (void *cls, + size_t size, + void *buf) +{ + struct TunnelState *ts = cls; + size_t off; + size_t ret; + char *cbuf = buf; + struct GNUNET_MessageHeader hdr; + struct GNUNET_TUN_DnsHeader dns; + + GNUNET_assert (GNUNET_YES == ts->is_dns); + ts->th = NULL; + GNUNET_assert (ts->specifics.dns.reply != NULL); + if (size == 0) + return 0; + ret = sizeof (struct GNUNET_MessageHeader) + ts->specifics.dns.reply_length; + GNUNET_assert (ret <= size); + hdr.size = htons (ret); + hdr.type = htons (GNUNET_MESSAGE_TYPE_VPN_DNS_FROM_INTERNET); + memcpy (&dns, ts->specifics.dns.reply, sizeof (dns)); + dns.id = ts->specifics.dns.original_id; + off = 0; + memcpy (&cbuf[off], &hdr, sizeof (hdr)); + off += sizeof (hdr); + memcpy (&cbuf[off], &dns, sizeof (dns)); + off += sizeof (dns); + memcpy (&cbuf[off], &ts->specifics.dns.reply[sizeof (dns)], ts->specifics.dns.reply_length - sizeof (dns)); + off += ts->specifics.dns.reply_length - sizeof (dns); + GNUNET_free (ts->specifics.dns.reply); + ts->specifics.dns.reply = NULL; + ts->specifics.dns.reply_length = 0; + GNUNET_assert (ret == off); + return ret; +} + + +/** + * Callback called from DNSSTUB resolver when a resolution + * succeeded. + * + * @param cls NULL + * @param rs the socket that received the response + * @param dns the response itself + * @param r number of bytes in dns + */ +static void +process_dns_result (void *cls, + struct GNUNET_DNSSTUB_RequestSocket *rs, + const struct GNUNET_TUN_DnsHeader *dns, + size_t r) +{ + struct TunnelState *ts; + + GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, + "Processing DNS result from stub resolver\n"); + GNUNET_assert (NULL == cls); + /* Handle case that this is a reply to a request from a MESH DNS tunnel */ + ts = tunnels[dns->id]; + if ( (NULL == ts) || + (ts->specifics.dns.rs != rs) ) + return; + LOG (GNUNET_ERROR_TYPE_DEBUG, + "Got a response from the stub resolver for DNS request received via MESH!\n"); + tunnels[dns->id] = NULL; + GNUNET_free_non_null (ts->specifics.dns.reply); + ts->specifics.dns.reply = GNUNET_malloc (r); + ts->specifics.dns.reply_length = r; + memcpy (ts->specifics.dns.reply, dns, r); + if (NULL != ts->th) + GNUNET_MESH_notify_transmit_ready_cancel (ts->th); + ts->th = GNUNET_MESH_notify_transmit_ready (ts->tunnel, + GNUNET_NO, + GNUNET_TIME_UNIT_FOREVER_REL, + NULL, + sizeof (struct GNUNET_MessageHeader) + r, + &transmit_reply_to_mesh, + ts); +} + + +/** + * Process a request via mesh to perform a DNS query. + * + * @param cls closure, NULL + * @param tunnel connection to the other end + * @param tunnel_ctx pointer to our 'struct TunnelState *' + * @param sender who sent the message + * @param message the actual message + * @param atsi performance data for the connection + * @return GNUNET_OK to keep the connection open, + * GNUNET_SYSERR to close it (signal serious error) + */ +static int +receive_dns_request (void *cls GNUNET_UNUSED, struct GNUNET_MESH_Tunnel *tunnel, + void **tunnel_ctx, + const struct GNUNET_PeerIdentity *sender GNUNET_UNUSED, + const struct GNUNET_MessageHeader *message, + const struct GNUNET_ATS_Information *atsi GNUNET_UNUSED) +{ + struct TunnelState *ts = *tunnel_ctx; + const struct GNUNET_TUN_DnsHeader *dns; + size_t mlen = ntohs (message->size); + size_t dlen = mlen - sizeof (struct GNUNET_MessageHeader); + char buf[dlen] GNUNET_ALIGN; + struct GNUNET_TUN_DnsHeader *dout; + + if (NULL == dnsstub) + return GNUNET_SYSERR; + if (GNUNET_NO == ts->is_dns) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + if (GNUNET_SYSERR == ts->is_dns) + { + /* tunnel is DNS from now on */ + ts->is_dns = GNUNET_YES; + } + if (dlen < sizeof (struct GNUNET_TUN_DnsHeader)) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + dns = (const struct GNUNET_TUN_DnsHeader *) &message[1]; + ts->specifics.dns.original_id = dns->id; + if (tunnels[ts->specifics.dns.my_id] == ts) + tunnels[ts->specifics.dns.my_id] = NULL; + ts->specifics.dns.my_id = (uint16_t) GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_WEAK, + UINT16_MAX + 1); + tunnels[ts->specifics.dns.my_id] = ts; + memcpy (buf, dns, dlen); + dout = (struct GNUNET_TUN_DnsHeader *) buf; + dout->id = ts->specifics.dns.my_id; + ts->specifics.dns.rs = GNUNET_DNSSTUB_resolve2 (dnsstub, + buf, dlen, + &process_dns_result, + NULL); + if (NULL == ts->specifics.dns.rs) + return GNUNET_SYSERR; + return GNUNET_OK; +} + /** * Given IP information about a connection, calculate the respective @@ -372,12 +558,12 @@ static struct GNUNET_CONTAINER_MultiHashMap *tcp_services; * @param ri information about the connection */ static void -hash_redirect_info (GNUNET_HashCode *hash, +hash_redirect_info (struct GNUNET_HashCode *hash, const struct RedirectInformation *ri) { char *off; - memset (hash, 0, sizeof (GNUNET_HashCode)); + memset (hash, 0, sizeof (struct GNUNET_HashCode)); /* the GNUnet hashmap only uses the first sizeof(unsigned int) of the hash, so we put the IP address in there (and hope for few collisions) */ off = (char*) hash; @@ -436,12 +622,19 @@ get_redirect_state (int af, uint16_t destination_port, const void *local_ip, uint16_t local_port, - GNUNET_HashCode *state_key) + struct GNUNET_HashCode *state_key) { struct RedirectInformation ri; - GNUNET_HashCode key; + struct GNUNET_HashCode key; struct TunnelState *state; + if ( ( (af == AF_INET) && (protocol == IPPROTO_ICMP) ) || + ( (af == AF_INET6) && (protocol == IPPROTO_ICMPV6) ) ) + { + /* ignore ports */ + destination_port = 0; + local_port = 0; + } ri.remote_address.af = af; if (af == AF_INET) ri.remote_address.address.ipv4 = *((struct in_addr*) destination_ip); @@ -463,9 +656,10 @@ get_redirect_state (int af, if (NULL == state) return NULL; /* Mark this connection as freshly used */ - GNUNET_CONTAINER_heap_update_cost (connections_heap, - state->heap_node, - GNUNET_TIME_absolute_get ().abs_value); + if (NULL == state_key) + GNUNET_CONTAINER_heap_update_cost (connections_heap, + state->specifics.tcp_udp.heap_node, + GNUNET_TIME_absolute_get ().abs_value); return state; } @@ -476,20 +670,20 @@ get_redirect_state (int af, * * @param service_map map of services (TCP or UDP) * @param desc service descriptor - * @param dpt destination port + * @param destination_port destination port * @return NULL if we are not aware of such a service */ -struct LocalService * +static struct LocalService * find_service (struct GNUNET_CONTAINER_MultiHashMap *service_map, - const GNUNET_HashCode *desc, - uint16_t dpt) + const struct GNUNET_HashCode *desc, + uint16_t destination_port) { - char key[sizeof (GNUNET_HashCode) + sizeof (uint16_t)]; + char key[sizeof (struct GNUNET_HashCode) + sizeof (uint16_t)]; - memcpy (&key[0], &dpt, sizeof (uint16_t)); - memcpy (&key[sizeof(uint16_t)], desc, sizeof (GNUNET_HashCode)); + memcpy (&key[0], &destination_port, sizeof (uint16_t)); + memcpy (&key[sizeof(uint16_t)], desc, sizeof (struct GNUNET_HashCode)); return GNUNET_CONTAINER_multihashmap_get (service_map, - (GNUNET_HashCode *) key); + (struct GNUNET_HashCode *) key); } @@ -503,7 +697,7 @@ find_service (struct GNUNET_CONTAINER_MultiHashMap *service_map, */ static int free_service_record (void *cls, - const GNUNET_HashCode *key, + const struct GNUNET_HashCode *key, void *value) { struct LocalService *service = value; @@ -520,33 +714,33 @@ free_service_record (void *cls, * * @param service_map map of services (TCP or UDP) * @param name name of the service - * @param dpt destination port + * @param destination_port destination port * @param service service information record to store (service->name will be set). */ static void store_service (struct GNUNET_CONTAINER_MultiHashMap *service_map, const char *name, - uint16_t dpt, + uint16_t destination_port, struct LocalService *service) { - char key[sizeof (GNUNET_HashCode) + sizeof (uint16_t)]; - GNUNET_HashCode desc; + char key[sizeof (struct GNUNET_HashCode) + sizeof (uint16_t)]; + struct GNUNET_HashCode desc; GNUNET_CRYPTO_hash (name, strlen (name) + 1, &desc); service->name = GNUNET_strdup (name); - memcpy (&key[0], &dpt, sizeof (uint16_t)); - memcpy (&key[sizeof(uint16_t)], &desc, sizeof (GNUNET_HashCode)); + memcpy (&key[0], &destination_port, sizeof (uint16_t)); + memcpy (&key[sizeof(uint16_t)], &desc, sizeof (struct GNUNET_HashCode)); if (GNUNET_OK != GNUNET_CONTAINER_multihashmap_put (service_map, - (GNUNET_HashCode *) key, + (struct GNUNET_HashCode *) key, service, GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY)) { - free_service_record (NULL, (GNUNET_HashCode *) key, service); + free_service_record (NULL, (struct GNUNET_HashCode *) key, service); GNUNET_log (GNUNET_ERROR_TYPE_WARNING, _("Got duplicate service records for `%s:%u'\n"), name, - (unsigned int) dpt); + (unsigned int) destination_port); } } @@ -567,23 +761,38 @@ send_to_peer_notify_callback (void *cls, size_t size, void *buf) struct TunnelMessageQueue *tnq; s->th = NULL; - tnq = s->head; + tnq = s->specifics.tcp_udp.head; + if (NULL == tnq) + return 0; + if (0 == size) + { + s->th = GNUNET_MESH_notify_transmit_ready (tunnel, + GNUNET_NO /* corking */, + GNUNET_TIME_UNIT_FOREVER_REL, + NULL, + tnq->len, + &send_to_peer_notify_callback, + s); + return 0; + } GNUNET_assert (size >= tnq->len); memcpy (buf, tnq->payload, tnq->len); size = tnq->len; - GNUNET_CONTAINER_DLL_remove (s->head, - s->tail, + GNUNET_CONTAINER_DLL_remove (s->specifics.tcp_udp.head, + s->specifics.tcp_udp.tail, tnq); GNUNET_free (tnq); - if (NULL != (tnq = s->head)) + if (NULL != (tnq = s->specifics.tcp_udp.head)) s->th = GNUNET_MESH_notify_transmit_ready (tunnel, GNUNET_NO /* corking */, - 0 /* priority */, GNUNET_TIME_UNIT_FOREVER_REL, NULL, tnq->len, &send_to_peer_notify_callback, s); + GNUNET_STATISTICS_update (stats, + gettext_noop ("# Bytes transmitted via mesh tunnels"), + size, GNUNET_NO); return size; } @@ -592,55 +801,213 @@ send_to_peer_notify_callback (void *cls, size_t size, void *buf) * Send the given packet via the mesh tunnel. * * @param mesh_tunnel destination - * @param payload message to transmit - * @param payload_length number of bytes in payload - * @param desc descriptor to add before payload (optional) - * @param mtype message type to use + * @param tnq message to queue */ static void send_packet_to_mesh_tunnel (struct GNUNET_MESH_Tunnel *mesh_tunnel, - const void *payload, - size_t payload_length, - const GNUNET_HashCode *desc, - uint16_t mtype) + struct TunnelMessageQueue *tnq) { struct TunnelState *s; + + s = GNUNET_MESH_tunnel_get_data (mesh_tunnel); + GNUNET_assert (NULL != s); + GNUNET_CONTAINER_DLL_insert_tail (s->specifics.tcp_udp.head, s->specifics.tcp_udp.tail, tnq); + if (NULL == s->th) + s->th = GNUNET_MESH_notify_transmit_ready (mesh_tunnel, + GNUNET_NO /* cork */, + GNUNET_TIME_UNIT_FOREVER_REL, + NULL, tnq->len, + &send_to_peer_notify_callback, + s); +} + + +/** + * @brief Handles an ICMP packet received from the helper. + * + * @param icmp A pointer to the Packet + * @param pktlen number of bytes in 'icmp' + * @param af address family (AFINET or AF_INET6) + * @param destination_ip destination IP-address of the IP packet (should + * be our local address) + * @param source_ip original source IP-address of the IP packet (should + * be the original destination address) + */ +static void +icmp_from_helper (const struct GNUNET_TUN_IcmpHeader *icmp, + size_t pktlen, + int af, + const void *destination_ip, + const void *source_ip) +{ + struct TunnelState *state; struct TunnelMessageQueue *tnq; - struct GNUNET_MessageHeader *msg; - size_t len; - GNUNET_HashCode *dp; + struct GNUNET_EXIT_IcmpToVPNMessage *i2v; + const struct GNUNET_TUN_IPv4Header *ipv4; + const struct GNUNET_TUN_IPv6Header *ipv6; + const struct GNUNET_TUN_UdpHeader *udp; + size_t mlen; + uint16_t source_port; + uint16_t destination_port; + uint8_t protocol; - len = sizeof (struct GNUNET_MessageHeader) + sizeof (GNUNET_HashCode) + payload_length; - if (len >= GNUNET_SERVER_MAX_MESSAGE_SIZE) { + char sbuf[INET6_ADDRSTRLEN]; + char dbuf[INET6_ADDRSTRLEN]; + GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, + "Received ICMP packet going from %s to %s\n", + inet_ntop (af, + source_ip, + sbuf, sizeof (sbuf)), + inet_ntop (af, + destination_ip, + dbuf, sizeof (dbuf))); + } + if (pktlen < sizeof (struct GNUNET_TUN_IcmpHeader)) + { + /* blame kernel */ GNUNET_break (0); return; } - tnq = GNUNET_malloc (sizeof (struct TunnelMessageQueue) + len); - tnq->payload = &tnq[1]; - tnq->len = len; - msg = (struct GNUNET_MessageHeader *) &tnq[1]; - msg->size = htons ((uint16_t) len); - msg->type = htons (mtype); - if (NULL != desc) + + /* Find out if this is an ICMP packet in response to an existing + TCP/UDP packet and if so, figure out ports / protocol of the + existing session from the IP data in the ICMP payload */ + source_port = 0; + destination_port = 0; + switch (af) + { + case AF_INET: + protocol = IPPROTO_ICMP; + switch (icmp->type) + { + case GNUNET_TUN_ICMPTYPE_ECHO_REPLY: + case GNUNET_TUN_ICMPTYPE_ECHO_REQUEST: + break; + case GNUNET_TUN_ICMPTYPE_DESTINATION_UNREACHABLE: + case GNUNET_TUN_ICMPTYPE_SOURCE_QUENCH: + case GNUNET_TUN_ICMPTYPE_TIME_EXCEEDED: + if (pktlen < + sizeof (struct GNUNET_TUN_IcmpHeader) + + sizeof (struct GNUNET_TUN_IPv4Header) + 8) + { + /* blame kernel */ + GNUNET_break (0); + return; + } + ipv4 = (const struct GNUNET_TUN_IPv4Header *) &icmp[1]; + protocol = ipv4->protocol; + /* could be TCP or UDP, but both have the ports in the right + place, so that doesn't matter here */ + udp = (const struct GNUNET_TUN_UdpHeader *) &ipv4[1]; + /* swap ports, as they are from the original message */ + destination_port = ntohs (udp->source_port); + source_port = ntohs (udp->destination_port); + /* throw away ICMP payload, won't be useful for the other side anyway */ + pktlen = sizeof (struct GNUNET_TUN_IcmpHeader); + break; + default: + GNUNET_STATISTICS_update (stats, + gettext_noop ("# ICMPv4 packets dropped (type not allowed)"), + 1, GNUNET_NO); + return; + } + break; + case AF_INET6: + protocol = IPPROTO_ICMPV6; + switch (icmp->type) + { + case GNUNET_TUN_ICMPTYPE6_DESTINATION_UNREACHABLE: + case GNUNET_TUN_ICMPTYPE6_PACKET_TOO_BIG: + case GNUNET_TUN_ICMPTYPE6_TIME_EXCEEDED: + case GNUNET_TUN_ICMPTYPE6_PARAMETER_PROBLEM: + if (pktlen < + sizeof (struct GNUNET_TUN_IcmpHeader) + + sizeof (struct GNUNET_TUN_IPv6Header) + 8) + { + /* blame kernel */ + GNUNET_break (0); + return; + } + ipv6 = (const struct GNUNET_TUN_IPv6Header *) &icmp[1]; + protocol = ipv6->next_header; + /* could be TCP or UDP, but both have the ports in the right + place, so that doesn't matter here */ + udp = (const struct GNUNET_TUN_UdpHeader *) &ipv6[1]; + /* swap ports, as they are from the original message */ + destination_port = ntohs (udp->source_port); + source_port = ntohs (udp->destination_port); + /* throw away ICMP payload, won't be useful for the other side anyway */ + pktlen = sizeof (struct GNUNET_TUN_IcmpHeader); + break; + case GNUNET_TUN_ICMPTYPE6_ECHO_REQUEST: + case GNUNET_TUN_ICMPTYPE6_ECHO_REPLY: + break; + default: + GNUNET_STATISTICS_update (stats, + gettext_noop ("# ICMPv6 packets dropped (type not allowed)"), + 1, GNUNET_NO); + return; + } + break; + default: + GNUNET_assert (0); + } + switch (protocol) { - dp = (GNUNET_HashCode *) &msg[1]; - *dp = *desc; - memcpy (&dp[1], payload, payload_length); + case IPPROTO_ICMP: + state = get_redirect_state (af, IPPROTO_ICMP, + source_ip, 0, + destination_ip, 0, + NULL); + break; + case IPPROTO_ICMPV6: + state = get_redirect_state (af, IPPROTO_ICMPV6, + source_ip, 0, + destination_ip, 0, + NULL); + break; + case IPPROTO_UDP: + state = get_redirect_state (af, IPPROTO_UDP, + source_ip, + source_port, + destination_ip, + destination_port, + NULL); + break; + case IPPROTO_TCP: + state = get_redirect_state (af, IPPROTO_TCP, + source_ip, + source_port, + destination_ip, + destination_port, + NULL); + break; + default: + GNUNET_STATISTICS_update (stats, + gettext_noop ("# ICMP packets dropped (not allowed)"), + 1, GNUNET_NO); + return; } - else + if (NULL == state) { - memcpy (&msg[1], payload, payload_length); + GNUNET_log (GNUNET_ERROR_TYPE_INFO, + _("ICMP Packet dropped, have no matching connection information\n")); + return; } - s = GNUNET_MESH_tunnel_get_data (mesh_tunnel); - GNUNET_assert (NULL != s); - GNUNET_CONTAINER_DLL_insert_tail (s->head, s->tail, tnq); - if (NULL == s->th) - s->th = GNUNET_MESH_notify_transmit_ready (mesh_tunnel, GNUNET_NO /* cork */, 0 /* priority */, - GNUNET_TIME_UNIT_FOREVER_REL, - NULL, len, - &send_to_peer_notify_callback, - s); + mlen = sizeof (struct GNUNET_EXIT_IcmpToVPNMessage) + pktlen - sizeof (struct GNUNET_TUN_IcmpHeader); + tnq = GNUNET_malloc (sizeof (struct TunnelMessageQueue) + mlen); + tnq->payload = &tnq[1]; + tnq->len = mlen; + i2v = (struct GNUNET_EXIT_IcmpToVPNMessage *) &tnq[1]; + i2v->header.size = htons ((uint16_t) mlen); + i2v->header.type = htons (GNUNET_MESSAGE_TYPE_VPN_ICMP_TO_VPN); + i2v->af = htonl (af); + memcpy (&i2v->icmp_header, + icmp, + pktlen); + send_packet_to_mesh_tunnel (state->tunnel, + tnq); } @@ -656,15 +1023,32 @@ send_packet_to_mesh_tunnel (struct GNUNET_MESH_Tunnel *mesh_tunnel, * be the original destination address) */ static void -udp_from_helper (const struct udp_packet *udp, +udp_from_helper (const struct GNUNET_TUN_UdpHeader *udp, size_t pktlen, int af, const void *destination_ip, const void *source_ip) { struct TunnelState *state; + struct TunnelMessageQueue *tnq; + struct GNUNET_EXIT_UdpReplyMessage *urm; + size_t mlen; - if (pktlen < sizeof (struct udp_packet)) + { + char sbuf[INET6_ADDRSTRLEN]; + char dbuf[INET6_ADDRSTRLEN]; + GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, + "Received UDP packet going from %s:%u to %s:%u\n", + inet_ntop (af, + source_ip, + sbuf, sizeof (sbuf)), + (unsigned int) ntohs (udp->source_port), + inet_ntop (af, + destination_ip, + dbuf, sizeof (dbuf)), + (unsigned int) ntohs (udp->destination_port)); + } + if (pktlen < sizeof (struct GNUNET_TUN_UdpHeader)) { /* blame kernel */ GNUNET_break (0); @@ -678,22 +1062,30 @@ udp_from_helper (const struct udp_packet *udp, } state = get_redirect_state (af, IPPROTO_UDP, source_ip, - ntohs (udp->spt), + ntohs (udp->source_port), destination_ip, - ntohs (udp->dpt), + ntohs (udp->destination_port), NULL); if (NULL == state) { GNUNET_log (GNUNET_ERROR_TYPE_INFO, - _("Packet dropped, have no matching connection information\n")); + _("UDP Packet dropped, have no matching connection information\n")); return; } + mlen = sizeof (struct GNUNET_EXIT_UdpReplyMessage) + pktlen - sizeof (struct GNUNET_TUN_UdpHeader); + tnq = GNUNET_malloc (sizeof (struct TunnelMessageQueue) + mlen); + tnq->payload = &tnq[1]; + tnq->len = mlen; + urm = (struct GNUNET_EXIT_UdpReplyMessage *) &tnq[1]; + urm->header.size = htons ((uint16_t) mlen); + urm->header.type = htons (GNUNET_MESSAGE_TYPE_VPN_UDP_REPLY); + urm->source_port = htons (0); + urm->destination_port = htons (0); + memcpy (&urm[1], + &udp[1], + pktlen - sizeof (struct GNUNET_TUN_UdpHeader)); send_packet_to_mesh_tunnel (state->tunnel, - &udp[1], pktlen - sizeof (struct udp_packet), - NULL, - state->serv != NULL - ? GNUNET_MESSAGE_TYPE_VPN_SERVICE_UDP_BACK - : GNUNET_MESSAGE_TYPE_VPN_REMOTE_UDP_BACK); + tnq); } @@ -701,7 +1093,7 @@ udp_from_helper (const struct udp_packet *udp, * @brief Handles a TCP packet received from the helper. * * @param tcp A pointer to the Packet - * @param pktlen the length of the packet, including its header + * @param pktlen the length of the packet, including its TCP header * @param af address family (AFINET or AF_INET6) * @param destination_ip destination IP-address of the IP packet (should * be our local address) @@ -709,17 +1101,35 @@ udp_from_helper (const struct udp_packet *udp, * be the original destination address) */ static void -tcp_from_helper (const struct tcp_packet *tcp, +tcp_from_helper (const struct GNUNET_TUN_TcpHeader *tcp, size_t pktlen, int af, const void *destination_ip, const void *source_ip) { struct TunnelState *state; - char buf[pktlen]; - struct tcp_packet *mtcp; + char buf[pktlen] GNUNET_ALIGN; + struct GNUNET_TUN_TcpHeader *mtcp; + struct GNUNET_EXIT_TcpDataMessage *tdm; + struct TunnelMessageQueue *tnq; + size_t mlen; - if (pktlen < sizeof (struct tcp_packet)) + { + char sbuf[INET6_ADDRSTRLEN]; + char dbuf[INET6_ADDRSTRLEN]; + GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, + "Received TCP packet with %u bytes going from %s:%u to %s:%u\n", + pktlen - sizeof (struct GNUNET_TUN_TcpHeader), + inet_ntop (af, + source_ip, + sbuf, sizeof (sbuf)), + (unsigned int) ntohs (tcp->source_port), + inet_ntop (af, + destination_ip, + dbuf, sizeof (dbuf)), + (unsigned int) ntohs (tcp->destination_port)); + } + if (pktlen < sizeof (struct GNUNET_TUN_TcpHeader)) { /* blame kernel */ GNUNET_break (0); @@ -727,30 +1137,44 @@ tcp_from_helper (const struct tcp_packet *tcp, } state = get_redirect_state (af, IPPROTO_TCP, source_ip, - ntohs (tcp->spt), + ntohs (tcp->source_port), destination_ip, - ntohs (tcp->dpt), + ntohs (tcp->destination_port), NULL); if (NULL == state) { GNUNET_log (GNUNET_ERROR_TYPE_INFO, - _("Packet dropped, have no matching connection information\n")); + _("TCP Packet dropped, have no matching connection information\n")); return; } /* mug port numbers and crc to avoid information leakage; sender will need to lookup the correct values anyway */ memcpy (buf, tcp, pktlen); - mtcp = (struct tcp_packet *) buf; - mtcp->spt = 0; - mtcp->dpt = 0; + mtcp = (struct GNUNET_TUN_TcpHeader *) buf; + mtcp->source_port = 0; + mtcp->destination_port = 0; mtcp->crc = 0; + + mlen = sizeof (struct GNUNET_EXIT_TcpDataMessage) + (pktlen - sizeof (struct GNUNET_TUN_TcpHeader)); + if (mlen >= GNUNET_SERVER_MAX_MESSAGE_SIZE) + { + GNUNET_break (0); + return; + } + + tnq = GNUNET_malloc (sizeof (struct TunnelMessageQueue) + mlen); + tnq->payload = &tnq[1]; + tnq->len = mlen; + tdm = (struct GNUNET_EXIT_TcpDataMessage *) &tnq[1]; + tdm->header.size = htons ((uint16_t) mlen); + tdm->header.type = htons (GNUNET_MESSAGE_TYPE_VPN_TCP_DATA_TO_VPN); + tdm->reserved = htonl (0); + memcpy (&tdm->tcp_header, + buf, + pktlen); send_packet_to_mesh_tunnel (state->tunnel, - mtcp, pktlen, - NULL, - state->serv != NULL - ? GNUNET_MESSAGE_TYPE_VPN_SERVICE_TCP_BACK - : GNUNET_MESSAGE_TYPE_VPN_REMOTE_TCP_BACK); + tnq); } @@ -761,108 +1185,134 @@ tcp_from_helper (const struct tcp_packet *tcp, * @param client unsued * @param message message received from helper */ -static void +static int message_token (void *cls GNUNET_UNUSED, void *client GNUNET_UNUSED, const struct GNUNET_MessageHeader *message) { - const struct tun_header *pkt_tun; + const struct GNUNET_TUN_Layer2PacketHeader *pkt_tun; size_t size; + GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, + "Got %u-byte message of type %u from gnunet-helper-exit\n", + ntohs (message->size), + ntohs (message->type)); + GNUNET_STATISTICS_update (stats, + gettext_noop ("# Packets received from TUN"), + 1, GNUNET_NO); if (ntohs (message->type) != GNUNET_MESSAGE_TYPE_VPN_HELPER) { GNUNET_break (0); - return; + return GNUNET_OK; } size = ntohs (message->size); - if (size < sizeof (struct tun_header) + sizeof (struct GNUNET_MessageHeader)) + if (size < sizeof (struct GNUNET_TUN_Layer2PacketHeader) + sizeof (struct GNUNET_MessageHeader)) { GNUNET_break (0); - return; + return GNUNET_OK; } - pkt_tun = (const struct tun_header *) &message[1]; - size -= sizeof (struct tun_header) + sizeof (struct GNUNET_MessageHeader); + GNUNET_STATISTICS_update (stats, + gettext_noop ("# Bytes received from TUN"), + size, GNUNET_NO); + pkt_tun = (const struct GNUNET_TUN_Layer2PacketHeader *) &message[1]; + size -= sizeof (struct GNUNET_TUN_Layer2PacketHeader) + sizeof (struct GNUNET_MessageHeader); switch (ntohs (pkt_tun->proto)) { - case ETH_P_IPV6: + case ETH_P_IPV4: { - const struct ip6_header *pkt6; + const struct GNUNET_TUN_IPv4Header *pkt4; - if (size < sizeof (struct ip6_header)) + if (size < sizeof (struct GNUNET_TUN_IPv4Header)) { /* Kernel to blame? */ GNUNET_break (0); - return; + return GNUNET_OK; } - pkt6 = (struct ip6_header *) &pkt_tun[1]; - if (size != ntohs (pkt6->payload_length)) + pkt4 = (const struct GNUNET_TUN_IPv4Header *) &pkt_tun[1]; + if (size != ntohs (pkt4->total_length)) { /* Kernel to blame? */ GNUNET_break (0); - return; + return GNUNET_OK; } - size -= sizeof (struct ip6_header); - switch (pkt6->next_header) + if (pkt4->header_length * 4 != sizeof (struct GNUNET_TUN_IPv4Header)) + { + GNUNET_log (GNUNET_ERROR_TYPE_WARNING, + _("IPv4 packet options received. Ignored.\n")); + return GNUNET_OK; + } + + size -= sizeof (struct GNUNET_TUN_IPv4Header); + switch (pkt4->protocol) { case IPPROTO_UDP: - udp_from_helper ((const struct udp_packet *) &pkt6[1], size, - AF_INET6, - &pkt6->destination_address, - &pkt6->source_address); + udp_from_helper ((const struct GNUNET_TUN_UdpHeader *) &pkt4[1], size, + AF_INET, + &pkt4->destination_address, + &pkt4->source_address); break; case IPPROTO_TCP: - tcp_from_helper ((const struct tcp_packet *) &pkt6[1], size, - AF_INET6, - &pkt6->destination_address, - &pkt6->source_address); - break; + tcp_from_helper ((const struct GNUNET_TUN_TcpHeader *) &pkt4[1], size, + AF_INET, + &pkt4->destination_address, + &pkt4->source_address); + break; + case IPPROTO_ICMP: + icmp_from_helper ((const struct GNUNET_TUN_IcmpHeader *) &pkt4[1], size, + AF_INET, + &pkt4->destination_address, + &pkt4->source_address); + break; default: GNUNET_log (GNUNET_ERROR_TYPE_WARNING, - _("IPv6 packet with unsupported next header received. Ignored.\n")); - return; + _("IPv4 packet with unsupported next header %u received. Ignored.\n"), + (int) pkt4->protocol); + return GNUNET_OK; } } break; - case ETH_P_IPV4: + case ETH_P_IPV6: { - const struct ip4_header *pkt4; + const struct GNUNET_TUN_IPv6Header *pkt6; - if (size < sizeof (struct ip4_header)) + if (size < sizeof (struct GNUNET_TUN_IPv6Header)) { /* Kernel to blame? */ GNUNET_break (0); - return; + return GNUNET_OK; } - pkt4 = (const struct ip4_header *) &pkt_tun[1]; - if (size != ntohs (pkt4->total_length)) + pkt6 = (struct GNUNET_TUN_IPv6Header *) &pkt_tun[1]; + if (size != ntohs (pkt6->payload_length) + sizeof (struct GNUNET_TUN_IPv6Header)) { /* Kernel to blame? */ GNUNET_break (0); - return; - } - if (pkt4->header_length * 4 != sizeof (struct ip4_header)) - { - GNUNET_log (GNUNET_ERROR_TYPE_WARNING, - _("IPv4 packet options received. Ignored.\n")); - return; + return GNUNET_OK; } - size -= sizeof (struct ip4_header); - switch (pkt4->protocol) + size -= sizeof (struct GNUNET_TUN_IPv6Header); + switch (pkt6->next_header) { case IPPROTO_UDP: - udp_from_helper ((const struct udp_packet *) &pkt4[1], size, - AF_INET, - &pkt4->destination_address, - &pkt4->source_address); + udp_from_helper ((const struct GNUNET_TUN_UdpHeader *) &pkt6[1], size, + AF_INET6, + &pkt6->destination_address, + &pkt6->source_address); + break; case IPPROTO_TCP: - tcp_from_helper ((const struct tcp_packet *) &pkt4[1], size, - AF_INET, - &pkt4->destination_address, - &pkt4->source_address); + tcp_from_helper ((const struct GNUNET_TUN_TcpHeader *) &pkt6[1], size, + AF_INET6, + &pkt6->destination_address, + &pkt6->source_address); + break; + case IPPROTO_ICMPV6: + icmp_from_helper ((const struct GNUNET_TUN_IcmpHeader *) &pkt6[1], size, + AF_INET6, + &pkt6->destination_address, + &pkt6->source_address); break; default: GNUNET_log (GNUNET_ERROR_TYPE_WARNING, - _("IPv4 packet with unsupported next header received. Ignored.\n")); - return; + _("IPv6 packet with unsupported next header %d received. Ignored.\n"), + pkt6->next_header); + return GNUNET_OK; } } break; @@ -872,77 +1322,267 @@ message_token (void *cls GNUNET_UNUSED, void *client GNUNET_UNUSED, ntohs (pkt_tun->proto)); break; } + return GNUNET_OK; } +/** + * We need to create a (unique) fresh local address (IP+port). + * Fill one in. + * + * @param af desired address family + * @param proto desired protocol (IPPROTO_UDP or IPPROTO_TCP) + * @param local_address address to initialize + */ +static void +setup_fresh_address (int af, + uint8_t proto, + struct SocketAddress *local_address) +{ + local_address->af = af; + local_address->proto = (uint8_t) proto; + /* default "local" port range is often 32768--61000, + so we pick a random value in that range */ + if ( ( (af == AF_INET) && (proto == IPPROTO_ICMP) ) || + ( (af == AF_INET6) && (proto == IPPROTO_ICMPV6) ) ) + local_address->port = 0; + else + local_address->port + = (uint16_t) 32768 + GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_WEAK, + 28232); + switch (af) + { + case AF_INET: + { + struct in_addr addr; + struct in_addr mask; + struct in_addr rnd; + addr = exit_ipv4addr; + mask = exit_ipv4mask; + if (0 == ~mask.s_addr) + { + /* only one valid IP anyway */ + local_address->address.ipv4 = addr; + return; + } + /* Given 192.168.0.1/255.255.0.0, we want a mask + of '192.168.255.255', thus: */ + mask.s_addr = addr.s_addr | ~mask.s_addr; + /* Pick random IPv4 address within the subnet, except 'addr' or 'mask' itself */ + do + { + rnd.s_addr = GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_WEAK, + UINT32_MAX); + local_address->address.ipv4.s_addr = (addr.s_addr | rnd.s_addr) & mask.s_addr; + } + while ( (local_address->address.ipv4.s_addr == addr.s_addr) || + (local_address->address.ipv4.s_addr == mask.s_addr) ); + } + break; + case AF_INET6: + { + struct in6_addr addr; + struct in6_addr mask; + struct in6_addr rnd; + int i; + + addr = exit_ipv6addr; + GNUNET_assert (ipv6prefix < 128); + if (ipv6prefix == 127) + { + /* only one valid IP anyway */ + local_address->address.ipv6 = addr; + return; + } + /* Given ABCD::/96, we want a mask of 'ABCD::FFFF:FFFF, + thus: */ + mask = addr; + for (i=127;i>=ipv6prefix;i--) + mask.s6_addr[i / 8] |= (1 << (i % 8)); + + /* Pick random IPv6 address within the subnet, except 'addr' or 'mask' itself */ + do + { + for (i=0;i<16;i++) + { + rnd.s6_addr[i] = (unsigned char) GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_WEAK, + 256); + local_address->address.ipv6.s6_addr[i] + = (addr.s6_addr[i] | rnd.s6_addr[i]) & mask.s6_addr[i]; + } + } + while ( (0 == memcmp (&local_address->address.ipv6, + &addr, + sizeof (struct in6_addr))) || + (0 == memcmp (&local_address->address.ipv6, + &mask, + sizeof (struct in6_addr))) ); + } + break; + default: + GNUNET_assert (0); + } +} +/** + * We are starting a fresh connection (TCP or UDP) and need + * to pick a source port and IP address (within the correct + * range and address family) to associate replies with the + * connection / correct mesh tunnel. This function generates + * a "fresh" source IP and source port number for a connection + * After picking a good source address, this function sets up + * the state in the 'connections_map' and 'connections_heap' + * to allow finding the state when needed later. The function + * also makes sure that we remain within memory limits by + * cleaning up 'old' states. + * + * @param state skeleton state to setup a record for; should + * 'state->specifics.tcp_udp.ri.remote_address' filled in so that + * this code can determine which AF/protocol is + * going to be used (the 'tunnel' should also + * already be set); after calling this function, + * heap_node and the local_address will be + * also initialized (heap_node != NULL can be + * used to test if a state has been fully setup). + */ +static void +setup_state_record (struct TunnelState *state) +{ + struct GNUNET_HashCode key; + struct TunnelState *s; + + /* generate fresh, unique address */ + do + { + if (NULL == state->specifics.tcp_udp.serv) + setup_fresh_address (state->specifics.tcp_udp.ri.remote_address.af, + state->specifics.tcp_udp.ri.remote_address.proto, + &state->specifics.tcp_udp.ri.local_address); + else + setup_fresh_address (state->specifics.tcp_udp.serv->address.af, + state->specifics.tcp_udp.serv->address.proto, + &state->specifics.tcp_udp.ri.local_address); + } while (NULL != get_redirect_state (state->specifics.tcp_udp.ri.remote_address.af, + state->specifics.tcp_udp.ri.remote_address.proto, + &state->specifics.tcp_udp.ri.remote_address.address, + state->specifics.tcp_udp.ri.remote_address.port, + &state->specifics.tcp_udp.ri.local_address.address, + state->specifics.tcp_udp.ri.local_address.port, + &key)); + { + char buf[INET6_ADDRSTRLEN]; + GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, + "Picked local address %s:%u for new connection\n", + inet_ntop (state->specifics.tcp_udp.ri.local_address.af, + &state->specifics.tcp_udp.ri.local_address.address, + buf, sizeof (buf)), + (unsigned int) state->specifics.tcp_udp.ri.local_address.port); + } + state->specifics.tcp_udp.state_key = key; + GNUNET_assert (GNUNET_OK == + GNUNET_CONTAINER_multihashmap_put (connections_map, + &key, state, + GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY)); + state->specifics.tcp_udp.heap_node = GNUNET_CONTAINER_heap_insert (connections_heap, + state, + GNUNET_TIME_absolute_get ().abs_value); + while (GNUNET_CONTAINER_heap_get_size (connections_heap) > max_connections) + { + s = GNUNET_CONTAINER_heap_remove_root (connections_heap); + GNUNET_assert (state != s); + s->specifics.tcp_udp.heap_node = NULL; + GNUNET_MESH_tunnel_destroy (s->tunnel); + GNUNET_assert (GNUNET_OK == + GNUNET_CONTAINER_multihashmap_remove (connections_map, + &s->specifics.tcp_udp.state_key, + s)); + GNUNET_free (s); + } +} + -void -prepare_ipv4_packet (size_t len, - uint16_t pktlen, void *payload, - uint8_t protocol, - void *ipaddress, void *tunnel, - struct RedirectInformation * - state, struct ip4_header *pkt4) +/** + * Prepare an IPv4 packet for transmission via the TUN interface. + * Initializes the IP header and calculates checksums (IP+UDP/TCP). + * For UDP, the UDP header will be fully created, whereas for TCP + * only the ports and checksum will be filled in. So for TCP, + * a skeleton TCP header must be part of the provided payload. + * + * @param payload payload of the packet (starting with UDP payload or + * TCP header, depending on protocol) + * @param payload_length number of bytes in 'payload' + * @param protocol IPPROTO_UDP or IPPROTO_TCP + * @param tcp_header skeleton of the TCP header, NULL for UDP + * @param src_address source address to use (IP and port) + * @param dst_address destination address to use (IP and port) + * @param pkt4 where to write the assembled packet; must + * contain enough space for the IP header, UDP/TCP header + * AND the payload + */ +static void +prepare_ipv4_packet (const void *payload, size_t payload_length, + int protocol, + const struct GNUNET_TUN_TcpHeader *tcp_header, + const struct SocketAddress *src_address, + const struct SocketAddress *dst_address, + struct GNUNET_TUN_IPv4Header *pkt4) { - const char *ipv4addr = exit_argv[4]; - const char *ipv4mask = exit_argv[5]; - uint32_t tmp; - uint32_t tmp2; - - GNUNET_assert (1 == inet_pton (AF_INET, ipv4addr, &tmp)); - GNUNET_assert (1 == inet_pton (AF_INET, ipv4mask, &tmp2)); - memcpy (&pkt4[1], payload, pktlen); - pkt4->version = 4; - pkt4->header_length = sizeof (struct ip4_header) / 4; - pkt4->diff_serv = 0; - pkt4->total_length = htons (sizeof (struct ip4_header) + pktlen); - pkt4->identification = 0; // FIXME! - pkt4->flags = 0; - pkt4->fragmentation_offset = 0; - pkt4->ttl = 255; - pkt4->protocol = protocol; - pkt4->checksum = 0; /* Will be calculated later */ - - memcpy (&pkt4->destination_address, ipaddress, sizeof (struct in_addr)); - - /* Generate a new src-address -- FIXME: not always, right!? */ - - /* This should be a noop */ - tmp = tmp & tmp2; - tmp |= ntohl (*((uint32_t *) tunnel)) & (~tmp2); - - pkt4->source_address.s_addr = tmp; - pkt4->checksum = GNUNET_CRYPTO_crc16_n (pkt4, sizeof (struct ip4_header)); - - // FIXME: memcpy (&state->addr, &tmp, 4); + size_t len; + + len = payload_length; + switch (protocol) + { + case IPPROTO_UDP: + len += sizeof (struct GNUNET_TUN_UdpHeader); + break; + case IPPROTO_TCP: + len += sizeof (struct GNUNET_TUN_TcpHeader); + GNUNET_assert (NULL != tcp_header); + break; + default: + GNUNET_break (0); + return; + } + if (len + sizeof (struct GNUNET_TUN_IPv4Header) > UINT16_MAX) + { + GNUNET_break (0); + return; + } + GNUNET_TUN_initialize_ipv4_header (pkt4, + protocol, + len, + &src_address->address.ipv4, + &dst_address->address.ipv4); switch (protocol) { case IPPROTO_UDP: { - struct udp_packet *pkt4_udp = (struct udp_packet *) &pkt4[1]; - // FIXME: state->pt = pkt4_udp->spt; - pkt4_udp->crc = 0; /* Optional for IPv4 */ + struct GNUNET_TUN_UdpHeader *pkt4_udp = (struct GNUNET_TUN_UdpHeader *) &pkt4[1]; + + pkt4_udp->source_port = htons (src_address->port); + pkt4_udp->destination_port = htons (dst_address->port); + pkt4_udp->len = htons ((uint16_t) payload_length); + GNUNET_TUN_calculate_udp4_checksum (pkt4, + pkt4_udp, + payload, payload_length); + memcpy (&pkt4_udp[1], payload, payload_length); } break; case IPPROTO_TCP: { - struct tcp_packet *pkt4_tcp = (struct tcp_packet *) &pkt4[1]; + struct GNUNET_TUN_TcpHeader *pkt4_tcp = (struct GNUNET_TUN_TcpHeader *) &pkt4[1]; - // FIXME: state->pt = pkt4_tcp->spt; - pkt4_tcp->crc = 0; - uint32_t sum = 0; - sum = GNUNET_CRYPTO_crc16_step (sum, - &pkt4->source_address, - sizeof (struct in_addr) * 2); - tmp = (protocol << 16) | (0xffff & pktlen); - tmp = htonl (tmp); - sum = GNUNET_CRYPTO_crc16_step (sum, & tmp, 4); - sum = GNUNET_CRYPTO_crc16_step (sum, & pkt4_tcp, pktlen); - pkt4_tcp->crc = GNUNET_CRYPTO_crc16_finish (sum); + *pkt4_tcp = *tcp_header; + pkt4_tcp->source_port = htons (src_address->port); + pkt4_tcp->destination_port = htons (dst_address->port); + GNUNET_TUN_calculate_tcp4_checksum (pkt4, + pkt4_tcp, + payload, + payload_length); + memcpy (&pkt4_tcp[1], payload, payload_length); } break; default: @@ -951,423 +1591,1310 @@ prepare_ipv4_packet (size_t len, } -void -prepare_ipv6_packet (size_t len, uint16_t pktlen, void *payload, - uint16_t protocol, void *ipaddress, void *tunnel, - struct RedirectInformation *state, struct ip6_header *pkt6) +/** + * Prepare an IPv6 packet for transmission via the TUN interface. + * Initializes the IP header and calculates checksums (IP+UDP/TCP). + * For UDP, the UDP header will be fully created, whereas for TCP + * only the ports and checksum will be filled in. So for TCP, + * a skeleton TCP header must be part of the provided payload. + * + * @param payload payload of the packet (starting with UDP payload or + * TCP header, depending on protocol) + * @param payload_length number of bytes in 'payload' + * @param protocol IPPROTO_UDP or IPPROTO_TCP + * @param tcp_header skeleton TCP header data to send, NULL for UDP + * @param src_address source address to use (IP and port) + * @param dst_address destination address to use (IP and port) + * @param pkt6 where to write the assembled packet; must + * contain enough space for the IP header, UDP/TCP header + * AND the payload + */ +static void +prepare_ipv6_packet (const void *payload, size_t payload_length, + int protocol, + const struct GNUNET_TUN_TcpHeader *tcp_header, + const struct SocketAddress *src_address, + const struct SocketAddress *dst_address, + struct GNUNET_TUN_IPv6Header *pkt6) { - const char *ipv6addr = exit_argv[2]; - uint32_t tmp; + size_t len; + len = payload_length; + switch (protocol) + { + case IPPROTO_UDP: + len += sizeof (struct GNUNET_TUN_UdpHeader); + break; + case IPPROTO_TCP: + len += sizeof (struct GNUNET_TUN_TcpHeader); + break; + default: + GNUNET_break (0); + return; + } + if (len > UINT16_MAX) + { + GNUNET_break (0); + return; + } - memcpy (&pkt6[1], payload, pktlen); + GNUNET_TUN_initialize_ipv6_header (pkt6, + protocol, + len, + &src_address->address.ipv6, + &dst_address->address.ipv6); - pkt6->version = 6; - pkt6->next_header = protocol; - pkt6->payload_length = htons (pktlen); - pkt6->hop_limit = 64; + switch (protocol) + { + case IPPROTO_UDP: + { + struct GNUNET_TUN_UdpHeader *pkt6_udp = (struct GNUNET_TUN_UdpHeader *) &pkt6[1]; + + pkt6_udp->source_port = htons (src_address->port); + pkt6_udp->destination_port = htons (dst_address->port); + pkt6_udp->len = htons ((uint16_t) payload_length); + GNUNET_TUN_calculate_udp6_checksum (pkt6, + pkt6_udp, + payload, + payload_length); + memcpy (&pkt6_udp[1], payload, payload_length); + } + break; + case IPPROTO_TCP: + { + struct GNUNET_TUN_TcpHeader *pkt6_tcp = (struct GNUNET_TUN_TcpHeader *) &pkt6[1]; + + /* memcpy first here as some TCP header fields are initialized this way! */ + *pkt6_tcp = *tcp_header; + pkt6_tcp->source_port = htons (src_address->port); + pkt6_tcp->destination_port = htons (dst_address->port); + GNUNET_TUN_calculate_tcp6_checksum (pkt6, + pkt6_tcp, + payload, + payload_length); + memcpy (&pkt6_tcp[1], payload, payload_length); + } + break; + default: + GNUNET_assert (0); + break; + } +} - memcpy (&pkt6->destination_address, ipaddress, sizeof (struct in6_addr)); - /* Generate a new src-address - * This takes as much from the address of the tunnel as fits into - * the host-mask*/ +/** + * Send a TCP packet via the TUN interface. + * + * @param destination_address IP and port to use for the TCP packet's destination + * @param source_address IP and port to use for the TCP packet's source + * @param tcp_header header template to use + * @param payload payload of the TCP packet + * @param payload_length number of bytes in 'payload' + */ +static void +send_tcp_packet_via_tun (const struct SocketAddress *destination_address, + const struct SocketAddress *source_address, + const struct GNUNET_TUN_TcpHeader *tcp_header, + const void *payload, size_t payload_length) +{ + size_t len; - unsigned long long ipv6prefix_r = (ipv6prefix + 7) / 8; + GNUNET_STATISTICS_update (stats, + gettext_noop ("# TCP packets sent via TUN"), + 1, GNUNET_NO); + GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, + "Sending packet with %u bytes TCP payload via TUN\n", + (unsigned int) payload_length); + len = sizeof (struct GNUNET_MessageHeader) + sizeof (struct GNUNET_TUN_Layer2PacketHeader); + switch (source_address->af) + { + case AF_INET: + len += sizeof (struct GNUNET_TUN_IPv4Header); + break; + case AF_INET6: + len += sizeof (struct GNUNET_TUN_IPv6Header); + break; + default: + GNUNET_break (0); + return; + } + len += sizeof (struct GNUNET_TUN_TcpHeader); + len += payload_length; + if (len >= GNUNET_SERVER_MAX_MESSAGE_SIZE) + { + GNUNET_break (0); + return; + } + { + char buf[len] GNUNET_ALIGN; + struct GNUNET_MessageHeader *hdr; + struct GNUNET_TUN_Layer2PacketHeader *tun; + + hdr = (struct GNUNET_MessageHeader *) buf; + hdr->type = htons (GNUNET_MESSAGE_TYPE_VPN_HELPER); + hdr->size = htons (len); + tun = (struct GNUNET_TUN_Layer2PacketHeader*) &hdr[1]; + tun->flags = htons (0); + switch (source_address->af) + { + case AF_INET: + { + struct GNUNET_TUN_IPv4Header * ipv4 = (struct GNUNET_TUN_IPv4Header*) &tun[1]; + + tun->proto = htons (ETH_P_IPV4); + prepare_ipv4_packet (payload, payload_length, + IPPROTO_TCP, + tcp_header, + source_address, + destination_address, + ipv4); + } + break; + case AF_INET6: + { + struct GNUNET_TUN_IPv6Header * ipv6 = (struct GNUNET_TUN_IPv6Header*) &tun[1]; + + tun->proto = htons (ETH_P_IPV6); + prepare_ipv6_packet (payload, payload_length, + IPPROTO_TCP, + tcp_header, + source_address, + destination_address, + ipv6); + } + break; + default: + GNUNET_assert (0); + break; + } + if (NULL != helper_handle) + (void) GNUNET_HELPER_send (helper_handle, + (const struct GNUNET_MessageHeader*) buf, + GNUNET_YES, + NULL, NULL); + } +} - inet_pton (AF_INET6, ipv6addr, &pkt6->source_address); - if (ipv6prefix_r < (16 - sizeof (void *))) - ipv6prefix_r = 16 - sizeof (void *); +/** + * Process a request via mesh to send a request to a TCP service + * offered by this system. + * + * @param cls closure, NULL + * @param tunnel connection to the other end + * @param tunnel_ctx pointer to our 'struct TunnelState *' + * @param sender who sent the message + * @param message the actual message + * @param atsi performance data for the connection + * @return GNUNET_OK to keep the connection open, + * GNUNET_SYSERR to close it (signal serious error) + */ +static int +receive_tcp_service (void *cls GNUNET_UNUSED, struct GNUNET_MESH_Tunnel *tunnel, + void **tunnel_ctx GNUNET_UNUSED, + const struct GNUNET_PeerIdentity *sender GNUNET_UNUSED, + const struct GNUNET_MessageHeader *message, + const struct GNUNET_ATS_Information *atsi GNUNET_UNUSED) +{ + struct TunnelState *state = *tunnel_ctx; + const struct GNUNET_EXIT_TcpServiceStartMessage *start; + uint16_t pkt_len = ntohs (message->size); - unsigned int offset = ipv6prefix_r - (16 - sizeof (void *)); + if (GNUNET_YES == state->is_dns) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + if (GNUNET_SYSERR == state->is_dns) + { + /* tunnel is UDP/TCP from now on */ + state->is_dns = GNUNET_NO; + } + GNUNET_STATISTICS_update (stats, + gettext_noop ("# TCP service creation requests received via mesh"), + 1, GNUNET_NO); + GNUNET_STATISTICS_update (stats, + gettext_noop ("# Bytes received from MESH"), + pkt_len, GNUNET_NO); + /* check that we got at least a valid header */ + if (pkt_len < sizeof (struct GNUNET_EXIT_TcpServiceStartMessage)) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + start = (const struct GNUNET_EXIT_TcpServiceStartMessage*) message; + pkt_len -= sizeof (struct GNUNET_EXIT_TcpServiceStartMessage); + if ( (NULL == state) || + (NULL != state->specifics.tcp_udp.serv) || + (NULL != state->specifics.tcp_udp.heap_node) ) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + if (start->tcp_header.off * 4 < sizeof (struct GNUNET_TUN_TcpHeader)) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + GNUNET_break_op (ntohl (start->reserved) == 0); + /* setup fresh connection */ + GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, + "Received data from %s for forwarding to TCP service %s on port %u\n", + GNUNET_i2s (sender), + GNUNET_h2s (&start->service_descriptor), + (unsigned int) ntohs (start->tcp_header.destination_port)); + if (NULL == (state->specifics.tcp_udp.serv = find_service (tcp_services, &start->service_descriptor, + ntohs (start->tcp_header.destination_port)))) + { + GNUNET_log (GNUNET_ERROR_TYPE_INFO, + _("No service found for %s on port %d!\n"), + "TCP", + ntohs (start->tcp_header.destination_port)); + GNUNET_STATISTICS_update (stats, + gettext_noop ("# TCP requests dropped (no such service)"), + 1, GNUNET_NO); + return GNUNET_SYSERR; + } + state->specifics.tcp_udp.ri.remote_address = state->specifics.tcp_udp.serv->address; + setup_state_record (state); + send_tcp_packet_via_tun (&state->specifics.tcp_udp.ri.remote_address, + &state->specifics.tcp_udp.ri.local_address, + &start->tcp_header, + &start[1], pkt_len); + return GNUNET_YES; +} - memcpy ((((char *) &pkt6->source_address)) + ipv6prefix_r, - ((char *) &tunnel) + offset, 16 - ipv6prefix_r); - /* copy the needed information into the state */ - // FIXME: memcpy (&state->addr, &pkt6->source_address, 16); +/** + * Process a request to forward TCP data to the Internet via this peer. + * + * @param cls closure, NULL + * @param tunnel connection to the other end + * @param tunnel_ctx pointer to our 'struct TunnelState *' + * @param sender who sent the message + * @param message the actual message + * @param atsi performance data for the connection + * @return GNUNET_OK to keep the connection open, + * GNUNET_SYSERR to close it (signal serious error) + */ +static int +receive_tcp_remote (void *cls GNUNET_UNUSED, struct GNUNET_MESH_Tunnel *tunnel, + void **tunnel_ctx GNUNET_UNUSED, + const struct GNUNET_PeerIdentity *sender GNUNET_UNUSED, + const struct GNUNET_MessageHeader *message, + const struct GNUNET_ATS_Information *atsi GNUNET_UNUSED) +{ + struct TunnelState *state = *tunnel_ctx; + const struct GNUNET_EXIT_TcpInternetStartMessage *start; + uint16_t pkt_len = ntohs (message->size); + const struct in_addr *v4; + const struct in6_addr *v6; + const void *payload; + int af; - switch (protocol) + if (GNUNET_YES == state->is_dns) { - case IPPROTO_UDP: + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + if (GNUNET_SYSERR == state->is_dns) + { + /* tunnel is UDP/TCP from now on */ + state->is_dns = GNUNET_NO; + } + GNUNET_STATISTICS_update (stats, + gettext_noop ("# Bytes received from MESH"), + pkt_len, GNUNET_NO); + GNUNET_STATISTICS_update (stats, + gettext_noop ("# TCP IP-exit creation requests received via mesh"), + 1, GNUNET_NO); + if (pkt_len < sizeof (struct GNUNET_EXIT_TcpInternetStartMessage)) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + start = (const struct GNUNET_EXIT_TcpInternetStartMessage*) message; + pkt_len -= sizeof (struct GNUNET_EXIT_TcpInternetStartMessage); + if ( (NULL == state) || + (NULL != state->specifics.tcp_udp.serv) || + (NULL != state->specifics.tcp_udp.heap_node) ) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + if (start->tcp_header.off * 4 < sizeof (struct GNUNET_TUN_TcpHeader)) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + af = (int) ntohl (start->af); + state->specifics.tcp_udp.ri.remote_address.af = af; + switch (af) + { + case AF_INET: + if (pkt_len < sizeof (struct in_addr)) { - struct udp_packet *pkt6_udp = (struct udp_packet *) &pkt6[1]; - - // FIXME: state->pt = pkt6_udp->spt; - pkt6_udp->crc = 0; - uint32_t sum = 0; - sum = - GNUNET_CRYPTO_crc16_step (sum, & pkt6->source_address, - 16 * 2); - tmp = (htons (pktlen) & 0xffff); - sum = GNUNET_CRYPTO_crc16_step (sum, & tmp, 4); - tmp = htons (pkt6->next_header & 0x00ff); - sum = GNUNET_CRYPTO_crc16_step (sum, & tmp, 4); - sum = - GNUNET_CRYPTO_crc16_step (sum, pkt6_udp, - ntohs (pkt6_udp->len)); - pkt6_udp->crc = GNUNET_CRYPTO_crc16_finish (sum); + GNUNET_break_op (0); + return GNUNET_SYSERR; } + if (! ipv4_exit) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + v4 = (const struct in_addr*) &start[1]; + payload = &v4[1]; + pkt_len -= sizeof (struct in_addr); + state->specifics.tcp_udp.ri.remote_address.address.ipv4 = *v4; break; - case IPPROTO_TCP: + case AF_INET6: + if (pkt_len < sizeof (struct in6_addr)) { - struct tcp_packet *pkt6_tcp = (struct tcp_packet *) pkt6; - - // FIXME: state->pt = pkt6_tcp->spt; - pkt6_tcp->crc = 0; - uint32_t sum = 0; - - sum = - GNUNET_CRYPTO_crc16_step (sum, & pkt6->source_address, 16 * 2); - tmp = htonl (pktlen); - sum = GNUNET_CRYPTO_crc16_step (sum, & tmp, 4); - tmp = htonl (((pkt6->next_header & 0x000000ff))); - sum = GNUNET_CRYPTO_crc16_step (sum, & tmp, 4); - - sum = - GNUNET_CRYPTO_crc16_step (sum, pkt6_tcp, - ntohs (pkt6->payload_length)); - pkt6_tcp->crc = GNUNET_CRYPTO_crc16_finish (sum); + GNUNET_break_op (0); + return GNUNET_SYSERR; } + if (! ipv6_exit) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + v6 = (const struct in6_addr*) &start[1]; + payload = &v6[1]; + pkt_len -= sizeof (struct in6_addr); + state->specifics.tcp_udp.ri.remote_address.address.ipv6 = *v6; break; default: - GNUNET_assert (0); + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + { + char buf[INET6_ADDRSTRLEN]; + GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, + "Received data from %s for starting TCP stream to %s:%u\n", + GNUNET_i2s (sender), + inet_ntop (af, + &state->specifics.tcp_udp.ri.remote_address.address, + buf, sizeof (buf)), + (unsigned int) ntohs (start->tcp_header.destination_port)); + } + state->specifics.tcp_udp.ri.remote_address.proto = IPPROTO_TCP; + state->specifics.tcp_udp.ri.remote_address.port = ntohs (start->tcp_header.destination_port); + setup_state_record (state); + send_tcp_packet_via_tun (&state->specifics.tcp_udp.ri.remote_address, + &state->specifics.tcp_udp.ri.local_address, + &start->tcp_header, + payload, pkt_len); + return GNUNET_YES; +} + + +/** + * Process a request to forward TCP data on an established + * connection via this peer. + * + * @param cls closure, NULL + * @param tunnel connection to the other end + * @param tunnel_ctx pointer to our 'struct TunnelState *' + * @param sender who sent the message + * @param message the actual message + * @param atsi performance data for the connection + * @return GNUNET_OK to keep the connection open, + * GNUNET_SYSERR to close it (signal serious error) + */ +static int +receive_tcp_data (void *cls GNUNET_UNUSED, struct GNUNET_MESH_Tunnel *tunnel, + void **tunnel_ctx GNUNET_UNUSED, + const struct GNUNET_PeerIdentity *sender GNUNET_UNUSED, + const struct GNUNET_MessageHeader *message, + const struct GNUNET_ATS_Information *atsi GNUNET_UNUSED) +{ + struct TunnelState *state = *tunnel_ctx; + const struct GNUNET_EXIT_TcpDataMessage *data; + uint16_t pkt_len = ntohs (message->size); + + if (GNUNET_YES == state->is_dns) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + if (GNUNET_SYSERR == state->is_dns) + { + /* tunnel is UDP/TCP from now on */ + state->is_dns = GNUNET_NO; + } + GNUNET_STATISTICS_update (stats, + gettext_noop ("# Bytes received from MESH"), + pkt_len, GNUNET_NO); + GNUNET_STATISTICS_update (stats, + gettext_noop ("# TCP data requests received via mesh"), + 1, GNUNET_NO); + if (pkt_len < sizeof (struct GNUNET_EXIT_TcpDataMessage)) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + data = (const struct GNUNET_EXIT_TcpDataMessage*) message; + pkt_len -= sizeof (struct GNUNET_EXIT_TcpDataMessage); + if ( (NULL == state) || + (NULL == state->specifics.tcp_udp.heap_node) ) + { + /* connection should have been up! */ + GNUNET_STATISTICS_update (stats, + gettext_noop ("# TCP DATA requests dropped (no session)"), + 1, GNUNET_NO); + return GNUNET_SYSERR; + } + if (data->tcp_header.off * 4 < sizeof (struct GNUNET_TUN_TcpHeader)) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + + GNUNET_break_op (ntohl (data->reserved) == 0); + { + char buf[INET6_ADDRSTRLEN]; + GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, + "Received additional %u bytes of data from %s for TCP stream to %s:%u\n", + pkt_len, + GNUNET_i2s (sender), + inet_ntop (state->specifics.tcp_udp.ri.remote_address.af, + &state->specifics.tcp_udp.ri.remote_address.address, + buf, sizeof (buf)), + (unsigned int) state->specifics.tcp_udp.ri.remote_address.port); + } + + send_tcp_packet_via_tun (&state->specifics.tcp_udp.ri.remote_address, + &state->specifics.tcp_udp.ri.local_address, + &data->tcp_header, + &data[1], pkt_len); + return GNUNET_YES; +} + + +/** + * Send an ICMP packet via the TUN interface. + * + * @param destination_address IP to use for the ICMP packet's destination + * @param source_address IP to use for the ICMP packet's source + * @param icmp_header ICMP header to send + * @param payload payload of the ICMP packet (does NOT include ICMP header) + * @param payload_length number of bytes of data in payload + */ +static void +send_icmp_packet_via_tun (const struct SocketAddress *destination_address, + const struct SocketAddress *source_address, + const struct GNUNET_TUN_IcmpHeader *icmp_header, + const void *payload, size_t payload_length) +{ + size_t len; + struct GNUNET_TUN_IcmpHeader *icmp; + + GNUNET_STATISTICS_update (stats, + gettext_noop ("# ICMP packets sent via TUN"), + 1, GNUNET_NO); + GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, + "Sending packet with %u bytes ICMP payload via TUN\n", + (unsigned int) payload_length); + len = sizeof (struct GNUNET_MessageHeader) + sizeof (struct GNUNET_TUN_Layer2PacketHeader); + switch (destination_address->af) + { + case AF_INET: + len += sizeof (struct GNUNET_TUN_IPv4Header); break; + case AF_INET6: + len += sizeof (struct GNUNET_TUN_IPv6Header); + break; + default: + GNUNET_break (0); + return; + } + len += sizeof (struct GNUNET_TUN_IcmpHeader); + len += payload_length; + if (len >= GNUNET_SERVER_MAX_MESSAGE_SIZE) + { + GNUNET_break (0); + return; + } + { + char buf[len] GNUNET_ALIGN; + struct GNUNET_MessageHeader *hdr; + struct GNUNET_TUN_Layer2PacketHeader *tun; + + hdr= (struct GNUNET_MessageHeader *) buf; + hdr->type = htons (GNUNET_MESSAGE_TYPE_VPN_HELPER); + hdr->size = htons (len); + tun = (struct GNUNET_TUN_Layer2PacketHeader*) &hdr[1]; + tun->flags = htons (0); + switch (source_address->af) + { + case AF_INET: + { + struct GNUNET_TUN_IPv4Header * ipv4 = (struct GNUNET_TUN_IPv4Header*) &tun[1]; + + tun->proto = htons (ETH_P_IPV4); + GNUNET_TUN_initialize_ipv4_header (ipv4, + IPPROTO_ICMP, + sizeof (struct GNUNET_TUN_IcmpHeader) + payload_length, + &source_address->address.ipv4, + &destination_address->address.ipv4); + icmp = (struct GNUNET_TUN_IcmpHeader*) &ipv4[1]; + } + break; + case AF_INET6: + { + struct GNUNET_TUN_IPv6Header * ipv6 = (struct GNUNET_TUN_IPv6Header*) &tun[1]; + + tun->proto = htons (ETH_P_IPV6); + GNUNET_TUN_initialize_ipv6_header (ipv6, + IPPROTO_ICMPV6, + sizeof (struct GNUNET_TUN_IcmpHeader) + payload_length, + &source_address->address.ipv6, + &destination_address->address.ipv6); + icmp = (struct GNUNET_TUN_IcmpHeader*) &ipv6[1]; + } + break; + default: + GNUNET_assert (0); + break; + } + *icmp = *icmp_header; + memcpy (&icmp[1], + payload, + payload_length); + GNUNET_TUN_calculate_icmp_checksum (icmp, + payload, + payload_length); + if (NULL != helper_handle) + (void) GNUNET_HELPER_send (helper_handle, + (const struct GNUNET_MessageHeader*) buf, + GNUNET_YES, + NULL, NULL); } } /** - * We've just experienced a connection in use. Track it, or if it is - * already tracked, update the tracking. + * Synthesize a plausible ICMP payload for an ICMPv4 error + * response on the given tunnel. * - * @param u_i IP-level connection tracking state - * @param tunnel associated mesh tunnel - * @param desc service descriptor (or NULL) - * @param serv service information - */ -void -update_state_map (const struct RedirectInformation *ri, - struct GNUNET_MESH_Tunnel *tunnel, - const GNUNET_HashCode *desc, - struct LocalService *serv) + * @param state tunnel information + * @param ipp IPv6 header to fill in (ICMP payload) + * @param udp "UDP" header to fill in (ICMP payload); might actually + * also be the first 8 bytes of the TCP header + */ +static void +make_up_icmpv4_payload (struct TunnelState *state, + struct GNUNET_TUN_IPv4Header *ipp, + struct GNUNET_TUN_UdpHeader *udp) { - struct TunnelState *state; - GNUNET_HashCode state_key; + GNUNET_TUN_initialize_ipv4_header (ipp, + state->specifics.tcp_udp.ri.remote_address.proto, + sizeof (struct GNUNET_TUN_TcpHeader), + &state->specifics.tcp_udp.ri.remote_address.address.ipv4, + &state->specifics.tcp_udp.ri.local_address.address.ipv4); + udp->source_port = htons (state->specifics.tcp_udp.ri.remote_address.port); + udp->destination_port = htons (state->specifics.tcp_udp.ri.local_address.port); + udp->len = htons (0); + udp->crc = htons (0); +} - hash_redirect_info (&state_key, - ri); - state = GNUNET_CONTAINER_multihashmap_get (connections_map, &state_key); - if (NULL == state) + +/** + * Synthesize a plausible ICMP payload for an ICMPv6 error + * response on the given tunnel. + * + * @param state tunnel information + * @param ipp IPv6 header to fill in (ICMP payload) + * @param udp "UDP" header to fill in (ICMP payload); might actually + * also be the first 8 bytes of the TCP header + */ +static void +make_up_icmpv6_payload (struct TunnelState *state, + struct GNUNET_TUN_IPv6Header *ipp, + struct GNUNET_TUN_UdpHeader *udp) +{ + GNUNET_TUN_initialize_ipv6_header (ipp, + state->specifics.tcp_udp.ri.remote_address.proto, + sizeof (struct GNUNET_TUN_TcpHeader), + &state->specifics.tcp_udp.ri.remote_address.address.ipv6, + &state->specifics.tcp_udp.ri.local_address.address.ipv6); + udp->source_port = htons (state->specifics.tcp_udp.ri.remote_address.port); + udp->destination_port = htons (state->specifics.tcp_udp.ri.local_address.port); + udp->len = htons (0); + udp->crc = htons (0); +} + + +/** + * Process a request to forward ICMP data to the Internet via this peer. + * + * @param cls closure, NULL + * @param tunnel connection to the other end + * @param tunnel_ctx pointer to our 'struct TunnelState *' + * @param sender who sent the message + * @param message the actual message + * @param atsi performance data for the connection + * @return GNUNET_OK to keep the connection open, + * GNUNET_SYSERR to close it (signal serious error) + */ +static int +receive_icmp_remote (void *cls GNUNET_UNUSED, struct GNUNET_MESH_Tunnel *tunnel, + void **tunnel_ctx GNUNET_UNUSED, + const struct GNUNET_PeerIdentity *sender GNUNET_UNUSED, + const struct GNUNET_MessageHeader *message, + const struct GNUNET_ATS_Information *atsi GNUNET_UNUSED) +{ + struct TunnelState *state = *tunnel_ctx; + const struct GNUNET_EXIT_IcmpInternetMessage *msg; + uint16_t pkt_len = ntohs (message->size); + const struct in_addr *v4; + const struct in6_addr *v6; + const void *payload; + char buf[sizeof (struct GNUNET_TUN_IPv6Header) + 8] GNUNET_ALIGN; + int af; + + if (GNUNET_YES == state->is_dns) { - state = GNUNET_malloc (sizeof (struct TunnelState)); - state->tunnel = tunnel; - state->state_key = state_key; - state->serv = serv; - // FIXME? if (NULL != desc) state->desc = *desc; - // FIXME? state->redirect_info = *ri; - GNUNET_assert (GNUNET_OK == - GNUNET_CONTAINER_multihashmap_put (connections_map, &state_key, state, - GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY)); - state->heap_node = - GNUNET_CONTAINER_heap_insert (connections_heap, - state, - GNUNET_TIME_absolute_get ().abs_value); + GNUNET_break_op (0); + return GNUNET_SYSERR; } - else + if (GNUNET_SYSERR == state->is_dns) + { + /* tunnel is UDP/TCP from now on */ + state->is_dns = GNUNET_NO; + } + GNUNET_STATISTICS_update (stats, + gettext_noop ("# Bytes received from MESH"), + pkt_len, GNUNET_NO); + GNUNET_STATISTICS_update (stats, + gettext_noop ("# ICMP IP-exit requests received via mesh"), + 1, GNUNET_NO); + if (pkt_len < sizeof (struct GNUNET_EXIT_IcmpInternetMessage)) { - if (state->tunnel != tunnel) + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + msg = (const struct GNUNET_EXIT_IcmpInternetMessage*) message; + pkt_len -= sizeof (struct GNUNET_EXIT_IcmpInternetMessage); + + af = (int) ntohl (msg->af); + if ( (NULL != state->specifics.tcp_udp.heap_node) && + (af != state->specifics.tcp_udp.ri.remote_address.af) ) + { + /* other peer switched AF on this tunnel; not allowed */ + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + + switch (af) + { + case AF_INET: + if (pkt_len < sizeof (struct in_addr)) { - /* Stats / warning: two tunnels got exactly the same connection state!? */ - GNUNET_log (GNUNET_ERROR_TYPE_WARNING, - _("Two different mesh tunnels got the same connection state. Oops.\n")); - return; + GNUNET_break_op (0); + return GNUNET_SYSERR; } - GNUNET_CONTAINER_heap_update_cost (connections_heap, - state->heap_node, - GNUNET_TIME_absolute_get ().abs_value); + if (! ipv4_exit) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + v4 = (const struct in_addr*) &msg[1]; + payload = &v4[1]; + pkt_len -= sizeof (struct in_addr); + state->specifics.tcp_udp.ri.remote_address.address.ipv4 = *v4; + if (NULL == state->specifics.tcp_udp.heap_node) + { + state->specifics.tcp_udp.ri.remote_address.af = af; + state->specifics.tcp_udp.ri.remote_address.proto = IPPROTO_ICMP; + setup_state_record (state); + } + /* check that ICMP type is something we want to support + and possibly make up payload! */ + switch (msg->icmp_header.type) + { + case GNUNET_TUN_ICMPTYPE_ECHO_REPLY: + case GNUNET_TUN_ICMPTYPE_ECHO_REQUEST: + break; + case GNUNET_TUN_ICMPTYPE_DESTINATION_UNREACHABLE: + case GNUNET_TUN_ICMPTYPE_SOURCE_QUENCH: + case GNUNET_TUN_ICMPTYPE_TIME_EXCEEDED: + if (0 != pkt_len) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + /* make up payload */ + { + struct GNUNET_TUN_IPv4Header *ipp = (struct GNUNET_TUN_IPv4Header *) buf; + struct GNUNET_TUN_UdpHeader *udp = (struct GNUNET_TUN_UdpHeader *) &ipp[1]; + + GNUNET_assert (8 == sizeof (struct GNUNET_TUN_UdpHeader)); + pkt_len = sizeof (struct GNUNET_TUN_IPv4Header) + 8; + make_up_icmpv4_payload (state, + ipp, + udp); + payload = ipp; + } + break; + default: + GNUNET_break_op (0); + GNUNET_STATISTICS_update (stats, + gettext_noop ("# ICMPv4 packets dropped (type not allowed)"), + 1, GNUNET_NO); + return GNUNET_SYSERR; + } + /* end AF_INET */ + break; + case AF_INET6: + if (pkt_len < sizeof (struct in6_addr)) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + if (! ipv6_exit) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + v6 = (const struct in6_addr*) &msg[1]; + payload = &v6[1]; + pkt_len -= sizeof (struct in6_addr); + state->specifics.tcp_udp.ri.remote_address.address.ipv6 = *v6; + if (NULL == state->specifics.tcp_udp.heap_node) + { + state->specifics.tcp_udp.ri.remote_address.af = af; + state->specifics.tcp_udp.ri.remote_address.proto = IPPROTO_ICMPV6; + setup_state_record (state); + } + /* check that ICMP type is something we want to support + and possibly make up payload! */ + switch (msg->icmp_header.type) + { + case GNUNET_TUN_ICMPTYPE6_ECHO_REPLY: + case GNUNET_TUN_ICMPTYPE6_ECHO_REQUEST: + break; + case GNUNET_TUN_ICMPTYPE6_DESTINATION_UNREACHABLE: + case GNUNET_TUN_ICMPTYPE6_PACKET_TOO_BIG: + case GNUNET_TUN_ICMPTYPE6_TIME_EXCEEDED: + case GNUNET_TUN_ICMPTYPE6_PARAMETER_PROBLEM: + if (0 != pkt_len) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + /* make up payload */ + { + struct GNUNET_TUN_IPv6Header *ipp = (struct GNUNET_TUN_IPv6Header *) buf; + struct GNUNET_TUN_UdpHeader *udp = (struct GNUNET_TUN_UdpHeader *) &ipp[1]; + + GNUNET_assert (8 == sizeof (struct GNUNET_TUN_UdpHeader)); + pkt_len = sizeof (struct GNUNET_TUN_IPv6Header) + 8; + make_up_icmpv6_payload (state, + ipp, + udp); + payload = ipp; + } + break; + default: + GNUNET_break_op (0); + GNUNET_STATISTICS_update (stats, + gettext_noop ("# ICMPv6 packets dropped (type not allowed)"), + 1, GNUNET_NO); + return GNUNET_SYSERR; + } + /* end AF_INET6 */ + break; + default: + /* bad AF */ + GNUNET_break_op (0); + return GNUNET_SYSERR; } - while (GNUNET_CONTAINER_heap_get_size (connections_heap) > max_connections) + { - state = GNUNET_CONTAINER_heap_remove_root (connections_heap); - state->heap_node = NULL; - GNUNET_MESH_tunnel_destroy (state->tunnel); - GNUNET_assert (GNUNET_OK == - GNUNET_CONTAINER_multihashmap_remove (connections_map, - &state->state_key, - state)); - GNUNET_free (state); + char buf[INET6_ADDRSTRLEN]; + GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, + "Received ICMP data from %s for forwarding to %s\n", + GNUNET_i2s (sender), + inet_ntop (af, + &state->specifics.tcp_udp.ri.remote_address.address, + buf, sizeof (buf))); } + send_icmp_packet_via_tun (&state->specifics.tcp_udp.ri.remote_address, + &state->specifics.tcp_udp.ri.local_address, + &msg->icmp_header, + payload, pkt_len); + return GNUNET_YES; } - + +/** + * Setup ICMP payload for ICMP error messages. Called + * for both IPv4 and IPv6 addresses. + * + * @param state context for creating the IP Packet + * @param buf where to create the payload, has at least + * sizeof (struct GNUNET_TUN_IPv6Header) + 8 bytes + * @return number of bytes of payload we created in buf + */ +static uint16_t +make_up_icmp_service_payload (struct TunnelState *state, + char *buf) +{ + switch (state->specifics.tcp_udp.serv->address.af) + { + case AF_INET: + { + struct GNUNET_TUN_IPv4Header *ipv4; + struct GNUNET_TUN_UdpHeader *udp; + + ipv4 = (struct GNUNET_TUN_IPv4Header *)buf; + udp = (struct GNUNET_TUN_UdpHeader *) &ipv4[1]; + make_up_icmpv4_payload (state, + ipv4, + udp); + GNUNET_assert (8 == sizeof (struct GNUNET_TUN_UdpHeader)); + return sizeof (struct GNUNET_TUN_IPv4Header) + 8; + } + break; + case AF_INET6: + { + struct GNUNET_TUN_IPv6Header *ipv6; + struct GNUNET_TUN_UdpHeader *udp; + + ipv6 = (struct GNUNET_TUN_IPv6Header *)buf; + udp = (struct GNUNET_TUN_UdpHeader *) &ipv6[1]; + make_up_icmpv6_payload (state, + ipv6, + udp); + GNUNET_assert (8 == sizeof (struct GNUNET_TUN_UdpHeader)); + return sizeof (struct GNUNET_TUN_IPv6Header) + 8; + } + break; + default: + GNUNET_break (0); + } + return 0; +} /** - * The messages are one GNUNET_HashCode for the service followed by a struct tcp_packet + * Process a request via mesh to send ICMP data to a service + * offered by this system. + * + * @param cls closure, NULL + * @param tunnel connection to the other end + * @param tunnel_ctx pointer to our 'struct TunnelState *' + * @param sender who sent the message + * @param message the actual message + * @param atsi performance data for the connection + * @return GNUNET_OK to keep the connection open, + * GNUNET_SYSERR to close it (signal serious error) */ static int -receive_tcp_service (void *unused GNUNET_UNUSED, struct GNUNET_MESH_Tunnel *tunnel, - void **tunnel_ctx GNUNET_UNUSED, - const struct GNUNET_PeerIdentity *sender GNUNET_UNUSED, - const struct GNUNET_MessageHeader *message, - const struct GNUNET_ATS_Information *atsi GNUNET_UNUSED) +receive_icmp_service (void *cls GNUNET_UNUSED, struct GNUNET_MESH_Tunnel *tunnel, + void **tunnel_ctx, + const struct GNUNET_PeerIdentity *sender GNUNET_UNUSED, + const struct GNUNET_MessageHeader *message, + const struct GNUNET_ATS_Information *atsi GNUNET_UNUSED) +{ + struct TunnelState *state = *tunnel_ctx; + const struct GNUNET_EXIT_IcmpServiceMessage *msg; + uint16_t pkt_len = ntohs (message->size); + struct GNUNET_TUN_IcmpHeader icmp; + char buf[sizeof (struct GNUNET_TUN_IPv6Header) + 8] GNUNET_ALIGN; + const void *payload; + + if (GNUNET_YES == state->is_dns) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + if (GNUNET_SYSERR == state->is_dns) + { + /* tunnel is UDP/TCP from now on */ + state->is_dns = GNUNET_NO; + } + GNUNET_STATISTICS_update (stats, + gettext_noop ("# Bytes received from MESH"), + pkt_len, GNUNET_NO); + GNUNET_STATISTICS_update (stats, + gettext_noop ("# ICMP service requests received via mesh"), + 1, GNUNET_NO); + /* check that we got at least a valid header */ + if (pkt_len < sizeof (struct GNUNET_EXIT_IcmpServiceMessage)) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + msg = (const struct GNUNET_EXIT_IcmpServiceMessage*) message; + pkt_len -= sizeof (struct GNUNET_EXIT_IcmpServiceMessage); + GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, + "Received data from %s for forwarding to ICMP service %s\n", + GNUNET_i2s (sender), + GNUNET_h2s (&msg->service_descriptor)); + if (NULL == state->specifics.tcp_udp.serv) + { + /* first packet to service must not be ICMP (cannot determine service!) */ + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + icmp = msg->icmp_header; + payload = &msg[1]; + state->specifics.tcp_udp.ri.remote_address = state->specifics.tcp_udp.serv->address; + setup_state_record (state); + + /* check that ICMP type is something we want to support, + perform ICMP PT if needed ans possibly make up payload */ + switch (msg->af) + { + case AF_INET: + switch (msg->icmp_header.type) + { + case GNUNET_TUN_ICMPTYPE_ECHO_REPLY: + if (state->specifics.tcp_udp.serv->address.af == AF_INET6) + icmp.type = GNUNET_TUN_ICMPTYPE6_ECHO_REPLY; + break; + case GNUNET_TUN_ICMPTYPE_ECHO_REQUEST: + if (state->specifics.tcp_udp.serv->address.af == AF_INET6) + icmp.type = GNUNET_TUN_ICMPTYPE6_ECHO_REQUEST; + break; + case GNUNET_TUN_ICMPTYPE_DESTINATION_UNREACHABLE: + if (state->specifics.tcp_udp.serv->address.af == AF_INET6) + icmp.type = GNUNET_TUN_ICMPTYPE6_DESTINATION_UNREACHABLE; + if (0 != pkt_len) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + payload = buf; + pkt_len = make_up_icmp_service_payload (state, buf); + break; + case GNUNET_TUN_ICMPTYPE_TIME_EXCEEDED: + if (state->specifics.tcp_udp.serv->address.af == AF_INET6) + icmp.type = GNUNET_TUN_ICMPTYPE6_TIME_EXCEEDED; + if (0 != pkt_len) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + payload = buf; + pkt_len = make_up_icmp_service_payload (state, buf); + break; + case GNUNET_TUN_ICMPTYPE_SOURCE_QUENCH: + if (state->specifics.tcp_udp.serv->address.af == AF_INET6) + { + GNUNET_STATISTICS_update (stats, + gettext_noop ("# ICMPv4 packets dropped (impossible PT to v6)"), + 1, GNUNET_NO); + return GNUNET_OK; + } + if (0 != pkt_len) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + payload = buf; + pkt_len = make_up_icmp_service_payload (state, buf); + break; + default: + GNUNET_break_op (0); + GNUNET_STATISTICS_update (stats, + gettext_noop ("# ICMPv4 packets dropped (type not allowed)"), + 1, GNUNET_NO); + return GNUNET_SYSERR; + } + /* end of AF_INET */ + break; + case AF_INET6: + switch (msg->icmp_header.type) + { + case GNUNET_TUN_ICMPTYPE6_ECHO_REPLY: + if (state->specifics.tcp_udp.serv->address.af == AF_INET) + icmp.type = GNUNET_TUN_ICMPTYPE_ECHO_REPLY; + break; + case GNUNET_TUN_ICMPTYPE6_ECHO_REQUEST: + if (state->specifics.tcp_udp.serv->address.af == AF_INET) + icmp.type = GNUNET_TUN_ICMPTYPE_ECHO_REQUEST; + break; + case GNUNET_TUN_ICMPTYPE6_DESTINATION_UNREACHABLE: + if (state->specifics.tcp_udp.serv->address.af == AF_INET) + icmp.type = GNUNET_TUN_ICMPTYPE_DESTINATION_UNREACHABLE; + if (0 != pkt_len) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + payload = buf; + pkt_len = make_up_icmp_service_payload (state, buf); + break; + case GNUNET_TUN_ICMPTYPE6_TIME_EXCEEDED: + if (state->specifics.tcp_udp.serv->address.af == AF_INET) + icmp.type = GNUNET_TUN_ICMPTYPE_TIME_EXCEEDED; + if (0 != pkt_len) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + payload = buf; + pkt_len = make_up_icmp_service_payload (state, buf); + break; + case GNUNET_TUN_ICMPTYPE6_PACKET_TOO_BIG: + case GNUNET_TUN_ICMPTYPE6_PARAMETER_PROBLEM: + if (state->specifics.tcp_udp.serv->address.af == AF_INET) + { + GNUNET_STATISTICS_update (stats, + gettext_noop ("# ICMPv6 packets dropped (impossible PT to v4)"), + 1, GNUNET_NO); + return GNUNET_OK; + } + if (0 != pkt_len) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + payload = buf; + pkt_len = make_up_icmp_service_payload (state, buf); + break; + default: + GNUNET_break_op (0); + GNUNET_STATISTICS_update (stats, + gettext_noop ("# ICMPv6 packets dropped (type not allowed)"), + 1, GNUNET_NO); + return GNUNET_SYSERR; + } + /* end of AF_INET6 */ + break; + default: + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + + send_icmp_packet_via_tun (&state->specifics.tcp_udp.ri.remote_address, + &state->specifics.tcp_udp.ri.local_address, + &icmp, + payload, pkt_len); + return GNUNET_YES; +} + + +/** + * Send a UDP packet via the TUN interface. + * + * @param destination_address IP and port to use for the UDP packet's destination + * @param source_address IP and port to use for the UDP packet's source + * @param payload payload of the UDP packet (does NOT include UDP header) + * @param payload_length number of bytes of data in payload + */ +static void +send_udp_packet_via_tun (const struct SocketAddress *destination_address, + const struct SocketAddress *source_address, + const void *payload, size_t payload_length) { -#if 0 - const GNUNET_HashCode *desc = (const GNUNET_HashCode *) &message[1]; - const struct tcp_packet *pkt = (const struct tcp_packet *) &desc[1]; - uint16_t pkt_len = ntohs (message->size); - struct LocalService *serv; - struct RedirectInformation u_i; - GNUNET_HashCode state_key; + size_t len; - /* check that we got at least a valid header */ - if (pkt_len < sizeof (struct GNUNET_MessageHeader) + sizeof (GNUNET_HashCode) + sizeof (struct tcp_packet)) + GNUNET_STATISTICS_update (stats, + gettext_noop ("# UDP packets sent via TUN"), + 1, GNUNET_NO); + GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, + "Sending packet with %u bytes UDP payload via TUN\n", + (unsigned int) payload_length); + len = sizeof (struct GNUNET_MessageHeader) + sizeof (struct GNUNET_TUN_Layer2PacketHeader); + switch (source_address->af) { - GNUNET_break_op (0); - return GNUNET_YES; + case AF_INET: + len += sizeof (struct GNUNET_TUN_IPv4Header); + break; + case AF_INET6: + len += sizeof (struct GNUNET_TUN_IPv6Header); + break; + default: + GNUNET_break (0); + return; } - pkt_len -= (sizeof (struct GNUNET_MessageHeader) + sizeof (GNUNET_HashCode)); - - if (NULL == (serv = find_service (tcp_services, desc, ntohs (pkt->dpt)))) + len += sizeof (struct GNUNET_TUN_UdpHeader); + len += payload_length; + if (len >= GNUNET_SERVER_MAX_MESSAGE_SIZE) { - GNUNET_log (GNUNET_ERROR_TYPE_INFO, - _("No service found for %s on port %d!\n"), - "TCP", - ntohs (pkt->dpt)); - return GNUNET_YES; + GNUNET_break (0); + return; } - pkt->dpt = htons (serv->remote_port); - - /* At this point it would be possible to check against some kind of ACL. */ - - switch (serv->version) + { + char buf[len] GNUNET_ALIGN; + struct GNUNET_MessageHeader *hdr; + struct GNUNET_TUN_Layer2PacketHeader *tun; + + hdr= (struct GNUNET_MessageHeader *) buf; + hdr->type = htons (GNUNET_MESSAGE_TYPE_VPN_HELPER); + hdr->size = htons (len); + tun = (struct GNUNET_TUN_Layer2PacketHeader*) &hdr[1]; + tun->flags = htons (0); + switch (source_address->af) { - case 4: + case AF_INET: { - size_t len = - sizeof (struct GNUNET_MessageHeader) + sizeof (struct tun_header) + - sizeof (struct ip4_header) + pkt_len; - char buf[len]; - struct tun_header *hdr; - struct GNUNET_MessageHeader *mhdr; + struct GNUNET_TUN_IPv4Header * ipv4 = (struct GNUNET_TUN_IPv4Header*) &tun[1]; - memset (buf, 0, len); - mhdr = (struct GNUNET_MessageHeader*) buf; - hdr = (struct tun_header *) &mhdr[1]; - mhdr->type = htons (GNUNET_MESSAGE_TYPE_VPN_HELPER); - mhdr->size = htons (len); - hdr->flags = 0; - hdr->proto = htons (0x0800); - prepare_ipv4_packet (len, pkt_len, pkt, IPPROTO_TCP, &serv->v4.ip4address, - tunnel, &u_i, (struct ip4_header *) &hdr[1]); - /* FIXME: here, flow-control with mesh would be nice to have... */ - (void) GNUNET_HELPER_send (helper_handle, - mhdr, - GNUNET_YES, - NULL, NULL); - break; + tun->proto = htons (ETH_P_IPV4); + prepare_ipv4_packet (payload, payload_length, + IPPROTO_UDP, + NULL, + source_address, + destination_address, + ipv4); } - case 6: + break; + case AF_INET6: { - size_t len = - sizeof (struct GNUNET_MessageHeader) + sizeof (struct tun_header) + - sizeof (struct ip6_header) + pkt_len; - char buf[len]; - struct tun_header *hdr; - struct GNUNET_MessageHeader *mhdr; + struct GNUNET_TUN_IPv6Header * ipv6 = (struct GNUNET_TUN_IPv6Header*) &tun[1]; - memset (buf, 0, len); - mhdr = (struct GNUNET_MessageHeader*) buf; - hdr = (struct tun_header *) &mhdr[1]; - mhdr->type = htons (GNUNET_MESSAGE_TYPE_VPN_HELPER); - mhdr->size = htons (len); - hdr->flags = 0; - hdr->proto = htons (0x86dd); - prepare_ipv6_packet (len, pkt_len, pkt, IPPROTO_TCP, &serv->v6.ip6address, - tunnel, &u_i, (struct ip6_header *) buf); - /* FIXME: here, flow-control with mesh would be nice to have... */ - (void) GNUNET_HELPER_send (helper_handle, - (const struct GNUNET_MessageHeader*) buf, - GNUNET_YES, - NULL, NULL); - - break; + tun->proto = htons (ETH_P_IPV6); + prepare_ipv6_packet (payload, payload_length, + IPPROTO_UDP, + NULL, + source_address, + destination_address, + ipv6); } + break; default: GNUNET_assert (0); break; } - - - update_state_map (&u_i, desc, tunnel, serv); -#endif - return GNUNET_YES; + if (NULL != helper_handle) + (void) GNUNET_HELPER_send (helper_handle, + (const struct GNUNET_MessageHeader*) buf, + GNUNET_YES, + NULL, NULL); + } } +/** + * Process a request to forward UDP data to the Internet via this peer. + * + * @param cls closure, NULL + * @param tunnel connection to the other end + * @param tunnel_ctx pointer to our 'struct TunnelState *' + * @param sender who sent the message + * @param message the actual message + * @param atsi performance data for the connection + * @return GNUNET_OK to keep the connection open, + * GNUNET_SYSERR to close it (signal serious error) + */ static int -receive_tcp_remote (void *cls GNUNET_UNUSED, struct GNUNET_MESH_Tunnel *tunnel, +receive_udp_remote (void *cls GNUNET_UNUSED, struct GNUNET_MESH_Tunnel *tunnel, void **tunnel_ctx GNUNET_UNUSED, const struct GNUNET_PeerIdentity *sender GNUNET_UNUSED, const struct GNUNET_MessageHeader *message, const struct GNUNET_ATS_Information *atsi GNUNET_UNUSED) { - // FIXME -#if 0 - GNUNET_HashCode *desc = (GNUNET_HashCode *) (message + 1); - struct tcp_packet *pkt = (struct tcp_packet *) (desc + 1); - struct remote_addr *s = (struct remote_addr *) desc; - char *buf; - size_t len; - uint16_t pkt_len = - ntohs (message->size) - sizeof (struct GNUNET_MessageHeader) - - sizeof (GNUNET_HashCode); - - struct TunnelState *state = GNUNET_malloc (sizeof (struct TunnelState)); - - state->tunnel = tunnel; - state->type = REMOTE; - state->hashmap = tcp_connections; - memcpy (&state->remote, s, sizeof (struct remote_addr)); - - hash_redirect_info (&state->hash, &state->redirect_info, s->addrlen); + struct TunnelState *state = *tunnel_ctx; + const struct GNUNET_EXIT_UdpInternetMessage *msg; + uint16_t pkt_len = ntohs (message->size); + const struct in_addr *v4; + const struct in6_addr *v6; + const void *payload; + int af; - if (GNUNET_NO == - GNUNET_CONTAINER_multihashmap_contains (tcp_connections, &state->hash)) + if (GNUNET_YES == state->is_dns) { - GNUNET_CONTAINER_multihashmap_put (tcp_connections, &state->hash, state, - GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY); - - state->heap_node = - GNUNET_CONTAINER_heap_insert (tcp_connections_heap, state, - GNUNET_TIME_absolute_get ().abs_value); - - if (GNUNET_CONTAINER_heap_get_size (tcp_connections_heap) > - max_tcp_connections) - GNUNET_SCHEDULER_add_now (collect_connections, tcp_connections_heap); + GNUNET_break_op (0); + return GNUNET_SYSERR; } - else - GNUNET_free (state); - - - - len = - sizeof (struct GNUNET_MessageHeader) + sizeof (struct pkt_tun) + - sizeof (struct ip6_hdr) + pkt_len; - buf = alloca (len); - - memset (buf, 0, len); - - switch (s->addrlen) + if (GNUNET_SYSERR == state->is_dns) { - case 4: - prepare_ipv4_packet (len, pkt_len, pkt, IPPROTO_TCP, &s->addr, tunnel, - state, (struct ip4_header *) buf); - break; - case 16: - prepare_ipv6_packet (len, pkt_len, pkt, IPPROTO_TCP, &s->addr, tunnel, - state, (struct ip6_header *) buf); - break; - default: - GNUNET_free (state); + /* tunnel is UDP/TCP from now on */ + state->is_dns = GNUNET_NO; + } + GNUNET_STATISTICS_update (stats, + gettext_noop ("# Bytes received from MESH"), + pkt_len, GNUNET_NO); + GNUNET_STATISTICS_update (stats, + gettext_noop ("# UDP IP-exit requests received via mesh"), + 1, GNUNET_NO); + if (pkt_len < sizeof (struct GNUNET_EXIT_UdpInternetMessage)) + { + GNUNET_break_op (0); return GNUNET_SYSERR; } - - /* FIXME: here, flow-control with mesh would be nice to have... */ - (void) GNUNET_HELPER_send (helper_handle, - (const struct GNUNET_MessageHeader*) buf, - GNUNET_YES, - NULL, NULL); - -#endif - return GNUNET_YES; -} - -static int -receive_udp_remote (void *cls GNUNET_UNUSED, struct GNUNET_MESH_Tunnel *tunnel, - void **tunnel_ctx GNUNET_UNUSED, - const struct GNUNET_PeerIdentity *sender GNUNET_UNUSED, - const struct GNUNET_MessageHeader *message, - const struct GNUNET_ATS_Information *atsi GNUNET_UNUSED) -{ - // FIXME -#if 0 - GNUNET_HashCode *desc = (GNUNET_HashCode *) (message + 1); - struct udp_packet *pkt = (struct udp_packet *) (desc + 1); - struct remote_addr *s = (struct remote_addr *) desc; - char *buf; - size_t len; - - GNUNET_assert (ntohs (pkt->len) == - ntohs (message->size) - sizeof (struct GNUNET_MessageHeader) - - sizeof (GNUNET_HashCode)); - - /* Prepare the state. - * This will be saved in the hashmap, so that the receiving procedure knows - * through which tunnel this connection has to be routed. - */ - struct TunnelState *state = GNUNET_malloc (sizeof (struct TunnelState)); - - state->tunnel = tunnel; - state->hashmap = udp_connections; - state->type = REMOTE; - memcpy (&state->remote, s, sizeof (struct remote_addr)); - - len = - sizeof (struct GNUNET_MessageHeader) + sizeof (struct pkt_tun) + - sizeof (struct ip6_hdr) + ntohs (pkt->len); - buf = alloca (len); - - memset (buf, 0, len); - - switch (s->addrlen) + msg = (const struct GNUNET_EXIT_UdpInternetMessage*) message; + pkt_len -= sizeof (struct GNUNET_EXIT_UdpInternetMessage); + af = (int) ntohl (msg->af); + state->specifics.tcp_udp.ri.remote_address.af = af; + switch (af) { - case 4: - prepare_ipv4_packet (len, ntohs (pkt->len), pkt, IPPROTO_UDP, &s->addr, - tunnel, state, (struct ip4_header *) buf); + case AF_INET: + if (pkt_len < sizeof (struct in_addr)) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + if (! ipv4_exit) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + v4 = (const struct in_addr*) &msg[1]; + payload = &v4[1]; + pkt_len -= sizeof (struct in_addr); + state->specifics.tcp_udp.ri.remote_address.address.ipv4 = *v4; break; - case 16: - prepare_ipv6_packet (len, ntohs (pkt->len), pkt, IPPROTO_UDP, &s->addr, - tunnel, state, (struct ip6_header *) buf); + case AF_INET6: + if (pkt_len < sizeof (struct in6_addr)) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + if (! ipv6_exit) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + v6 = (const struct in6_addr*) &msg[1]; + payload = &v6[1]; + pkt_len -= sizeof (struct in6_addr); + state->specifics.tcp_udp.ri.remote_address.address.ipv6 = *v6; break; default: - GNUNET_assert (0); - break; + GNUNET_break_op (0); + return GNUNET_SYSERR; } - - hash_redirect_info (&state->hash, &state->redirect_info, s->addrlen); - - (void) GNUNET_HELPER_send (helper_handle, - (const struct GNUNET_MessageHeader*) buf, - GNUNET_YES, - NULL, NULL); - - - if (GNUNET_NO == - GNUNET_CONTAINER_multihashmap_contains (udp_connections, &state->hash)) { - GNUNET_CONTAINER_multihashmap_put (udp_connections, &state->hash, state, - GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY); - - state->heap_node = - GNUNET_CONTAINER_heap_insert (udp_connections_heap, state, - GNUNET_TIME_absolute_get ().abs_value); - - if (GNUNET_CONTAINER_heap_get_size (udp_connections_heap) > - max_udp_connections) - GNUNET_SCHEDULER_add_now (collect_connections, udp_connections_heap); + char buf[INET6_ADDRSTRLEN]; + GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, + "Received data from %s for forwarding to UDP %s:%u\n", + GNUNET_i2s (sender), + inet_ntop (af, + &state->specifics.tcp_udp.ri.remote_address.address, + buf, sizeof (buf)), + (unsigned int) ntohs (msg->destination_port)); } - else - GNUNET_free (state); -#endif + state->specifics.tcp_udp.ri.remote_address.proto = IPPROTO_UDP; + state->specifics.tcp_udp.ri.remote_address.port = msg->destination_port; + if (NULL == state->specifics.tcp_udp.heap_node) + setup_state_record (state); + if (0 != ntohs (msg->source_port)) + state->specifics.tcp_udp.ri.local_address.port = msg->source_port; + send_udp_packet_via_tun (&state->specifics.tcp_udp.ri.remote_address, + &state->specifics.tcp_udp.ri.local_address, + payload, pkt_len); return GNUNET_YES; } /** - * The messages are one GNUNET_HashCode for the service, followed by a struct udp_packet + * Process a request via mesh to send a request to a UDP service + * offered by this system. + * + * @param cls closure, NULL + * @param tunnel connection to the other end + * @param tunnel_ctx pointer to our 'struct TunnelState *' + * @param sender who sent the message + * @param message the actual message + * @param atsi performance data for the connection + * @return GNUNET_OK to keep the connection open, + * GNUNET_SYSERR to close it (signal serious error) */ static int receive_udp_service (void *cls GNUNET_UNUSED, struct GNUNET_MESH_Tunnel *tunnel, @@ -1376,116 +2903,62 @@ receive_udp_service (void *cls GNUNET_UNUSED, struct GNUNET_MESH_Tunnel *tunnel, const struct GNUNET_MessageHeader *message, const struct GNUNET_ATS_Information *atsi GNUNET_UNUSED) { - // FIXME -#if 0 - const GNUNET_HashCode *desc = (const GNUNET_HashCode *) &message[1]; - const struct udp_packet *pkt = (const struct udp_packet *) &desc[1]; + struct TunnelState *state = *tunnel_ctx; + const struct GNUNET_EXIT_UdpServiceMessage *msg; uint16_t pkt_len = ntohs (message->size); - struct LocalService *serv; - struct TunnelState *state; - struct tunnel_state *s; - char *buf; - size_t len; - /* check that we got at least a valid header */ - if (pkt_len < sizeof (struct GNUNET_MessageHeader) + sizeof (GNUNET_HashCode) + sizeof (struct udp_packet)) + if (GNUNET_YES == state->is_dns) { GNUNET_break_op (0); - return GNUNET_YES; + return GNUNET_SYSERR; } - pkt_len -= (sizeof (struct GNUNET_MessageHeader) + sizeof (GNUNET_HashCode)); - - GNUNET_assert (ntohs (pkt->len) == - ntohs (message->size) - sizeof (struct GNUNET_MessageHeader) - - sizeof (GNUNET_HashCode)); - - if (NULL == (serv = find_service (udp_services, desc, ntohs (pkt->dpt)))) + if (GNUNET_SYSERR == state->is_dns) { - GNUNET_log (GNUNET_ERROR_TYPE_INFO, - _("No service found for %s on port %d!\n"), - "UDP", - ntohs (pkt->dpt)); - return GNUNET_YES; + /* tunnel is UDP/TCP from now on */ + state->is_dns = GNUNET_NO; } - pkt->dpt = htons (serv->remote_port); - - /* At this point it would be possible to check against some kind of ACL. */ - - s = GNUNET_MESH_tunnel_get_data (tunnel); - - - /* Prepare the state. - * This will be saved in the hashmap, so that the receiving procedure knows - * through which tunnel this connection has to be routed. - */ - - state = GNUNET_malloc (sizeof (struct TunnelState)); - - state->tunnel = tunnel; - state->serv = serv; - state->type = SERVICE; - state->hashmap = udp_connections; - memcpy (&state->desc, desc, sizeof (GNUNET_HashCode)); - - len = - sizeof (struct GNUNET_MessageHeader) + sizeof (struct pkt_tun) + - sizeof (struct ip6_hdr) + ntohs (pkt->len); - buf = alloca (len); - - memset (buf, 0, len); - - switch (serv->version) + GNUNET_STATISTICS_update (stats, + gettext_noop ("# Bytes received from MESH"), + pkt_len, GNUNET_NO); + GNUNET_STATISTICS_update (stats, + gettext_noop ("# UDP service requests received via mesh"), + 1, GNUNET_NO); + /* check that we got at least a valid header */ + if (pkt_len < sizeof (struct GNUNET_EXIT_UdpServiceMessage)) { - case 4: - prepare_ipv4_packet (len, ntohs (pkt->len), pkt, IPPROTO_UDP, - &serv->v4.ip4address, tunnel, state, - (struct ip4_header *) buf); - break; - case 6: - prepare_ipv6_packet (len, ntohs (pkt->len), pkt, IPPROTO_UDP, - &serv->v6.ip6address, tunnel, state, - (struct ip6_header *) buf); - - break; - default: - GNUNET_assert (0); - break; + GNUNET_break_op (0); + return GNUNET_SYSERR; } - - hash_redirect_info (&state->hash, &state->redirect_info, - serv->version == 4 ? 4 : 16); - - if (GNUNET_NO == - GNUNET_CONTAINER_multihashmap_contains (udp_connections, &state->hash)) + msg = (const struct GNUNET_EXIT_UdpServiceMessage*) message; + pkt_len -= sizeof (struct GNUNET_EXIT_UdpServiceMessage); + LOG (GNUNET_ERROR_TYPE_DEBUG, + "Received data from %s for forwarding to UDP service %s on port %u\n", + GNUNET_i2s (sender), + GNUNET_h2s (&msg->service_descriptor), + (unsigned int) ntohs (msg->destination_port)); + if (NULL == (state->specifics.tcp_udp.serv = find_service (udp_services, &msg->service_descriptor, + ntohs (msg->destination_port)))) { - GNUNET_CONTAINER_multihashmap_put (udp_connections, &state->hash, state, - GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY); - - state->heap_node = - GNUNET_CONTAINER_heap_insert (udp_connections_heap, state, - GNUNET_TIME_absolute_get ().abs_value); - - if (GNUNET_CONTAINER_heap_get_size (udp_connections_heap) > - max_udp_connections) - GNUNET_SCHEDULER_add_now (collect_connections, udp_connections_heap); + GNUNET_log (GNUNET_ERROR_TYPE_INFO, + _("No service found for %s on port %d!\n"), + "UDP", + ntohs (msg->destination_port)); + GNUNET_STATISTICS_update (stats, + gettext_noop ("# UDP requests dropped (no such service)"), + 1, GNUNET_NO); + return GNUNET_SYSERR; } - else - GNUNET_free (state); - - (void) GNUNET_HELPER_send (helper_handle, - (const struct GNUNET_MessageHeader*) buf, - GNUNET_YES, - NULL, NULL); -#endif + state->specifics.tcp_udp.ri.remote_address = state->specifics.tcp_udp.serv->address; + setup_state_record (state); + if (0 != ntohs (msg->source_port)) + state->specifics.tcp_udp.ri.local_address.port = msg->source_port; + send_udp_packet_via_tun (&state->specifics.tcp_udp.ri.remote_address, + &state->specifics.tcp_udp.ri.local_address, + &msg[1], pkt_len); return GNUNET_YES; } - - - - - /** * Callback from GNUNET_MESH for new tunnels. * @@ -1498,10 +2971,17 @@ receive_udp_service (void *cls GNUNET_UNUSED, struct GNUNET_MESH_Tunnel *tunnel, static void * new_tunnel (void *cls GNUNET_UNUSED, struct GNUNET_MESH_Tunnel *tunnel, const struct GNUNET_PeerIdentity *initiator GNUNET_UNUSED, - const struct GNUNET_ATS_Information *ats GNUNET_UNUSED) + const struct GNUNET_ATS_Information *atsi GNUNET_UNUSED) { struct TunnelState *s = GNUNET_malloc (sizeof (struct TunnelState)); - + + s->is_dns = GNUNET_SYSERR; + GNUNET_STATISTICS_update (stats, + gettext_noop ("# Inbound MESH tunnels created"), + 1, GNUNET_NO); + GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, + "Received inbound tunnel from `%s'\n", + GNUNET_i2s (initiator)); s->tunnel = tunnel; return s; } @@ -1523,21 +3003,37 @@ clean_tunnel (void *cls GNUNET_UNUSED, const struct GNUNET_MESH_Tunnel *tunnel, struct TunnelState *s = tunnel_ctx; struct TunnelMessageQueue *tnq; - while (NULL != (tnq = s->head)) + LOG (GNUNET_ERROR_TYPE_DEBUG, + "Tunnel destroyed\n"); + if (GNUNET_SYSERR == s->is_dns) { - GNUNET_CONTAINER_DLL_remove (s->head, - s->tail, - tnq); - GNUNET_free (tnq); + GNUNET_free (s); + return; } - if (s->heap_node != NULL) + if (GNUNET_YES == s->is_dns) { - GNUNET_assert (GNUNET_YES == - GNUNET_CONTAINER_multihashmap_remove (connections_map, - &s->state_key, - s)); - GNUNET_CONTAINER_heap_remove_node (s->heap_node); - s->heap_node = NULL; + if (tunnels[s->specifics.dns.my_id] == s) + tunnels[s->specifics.dns.my_id] = NULL; + GNUNET_free_non_null (s->specifics.dns.reply); + } + else + { + while (NULL != (tnq = s->specifics.tcp_udp.head)) + { + GNUNET_CONTAINER_DLL_remove (s->specifics.tcp_udp.head, + s->specifics.tcp_udp.tail, + tnq); + GNUNET_free (tnq); + } + if (NULL != s->specifics.tcp_udp.heap_node) + { + GNUNET_assert (GNUNET_YES == + GNUNET_CONTAINER_multihashmap_remove (connections_map, + &s->specifics.tcp_udp.state_key, + s)); + GNUNET_CONTAINER_heap_remove_node (s->specifics.tcp_udp.heap_node); + s->specifics.tcp_udp.heap_node = NULL; + } } if (NULL != s->th) { @@ -1557,7 +3053,7 @@ clean_tunnel (void *cls GNUNET_UNUSED, const struct GNUNET_MESH_Tunnel *tunnel, */ static int free_iterate (void *cls GNUNET_UNUSED, - const GNUNET_HashCode * hash GNUNET_UNUSED, void *value) + const struct GNUNET_HashCode * hash GNUNET_UNUSED, void *value) { GNUNET_free (value); return GNUNET_YES; @@ -1573,6 +3069,9 @@ cleanup (void *cls GNUNET_UNUSED, { unsigned int i; + GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, + "Exit service is shutting down now\n"); + if (helper_handle != NULL) { GNUNET_HELPER_stop (helper_handle); @@ -1606,7 +3105,17 @@ cleanup (void *cls GNUNET_UNUSED, GNUNET_CONTAINER_multihashmap_destroy (udp_services); udp_services = NULL; } - for (i=0;i<5;i++) + if (NULL != dnsstub) + { + GNUNET_DNSSTUB_stop (dnsstub); + dnsstub = NULL; + } + if (stats != NULL) + { + GNUNET_STATISTICS_destroy (stats, GNUNET_NO); + stats = NULL; + } + for (i=0;i<8;i++) GNUNET_free_non_null (exit_argv[i]); } @@ -1671,18 +3180,19 @@ add_services (int proto, } serv = GNUNET_malloc (sizeof (struct LocalService)); + serv->address.proto = proto; serv->my_port = (uint16_t) local_port; serv->address.port = remote_port; if (0 == strcmp ("localhost4", hostname)) { - const char *ip4addr = exit_argv[4]; + const char *ip4addr = exit_argv[5]; serv->address.af = AF_INET; - GNUNET_assert (1 != inet_pton (AF_INET, ip4addr, &serv->address.address.ipv4)); + GNUNET_assert (1 == inet_pton (AF_INET, ip4addr, &serv->address.address.ipv4)); } else if (0 == strcmp ("localhost6", hostname)) { - const char *ip6addr = exit_argv[2]; + const char *ip6addr = exit_argv[3]; serv->address.af = AF_INET6; GNUNET_assert (1 == inet_pton (AF_INET6, ip6addr, &serv->address.address.ipv6)); @@ -1706,12 +3216,30 @@ add_services (int proto, serv->address.af = res->ai_family; switch (res->ai_family) { - case AF_INET: - serv->address.address.ipv4 = ((struct sockaddr_in *) res->ai_addr)->sin_addr; - break; - case AF_INET6: - serv->address.address.ipv6 = ((struct sockaddr_in6 *) res->ai_addr)->sin6_addr; - break; + case AF_INET: + if (! ipv4_enabled) + { + GNUNET_log (GNUNET_ERROR_TYPE_WARNING, + _("Service `%s' configured for IPv4, but IPv4 is disabled!\n"), + name); + freeaddrinfo (res); + GNUNET_free (serv); + continue; + } + serv->address.address.ipv4 = ((struct sockaddr_in *) res->ai_addr)->sin_addr; + break; + case AF_INET6: + if (! ipv6_enabled) + { + GNUNET_log (GNUNET_ERROR_TYPE_WARNING, + _("Service `%s' configured for IPv4, but IPv4 is disabled!\n"), + name); + freeaddrinfo (res); + GNUNET_free (serv); + continue; + } + serv->address.address.ipv6 = ((struct sockaddr_in6 *) res->ai_addr)->sin6_addr; + break; default: freeaddrinfo (res); GNUNET_log (GNUNET_ERROR_TYPE_WARNING, @@ -1776,132 +3304,245 @@ run (void *cls, char *const *args GNUNET_UNUSED, const struct GNUNET_CONFIGURATION_Handle *cfg_) { static struct GNUNET_MESH_MessageHandler handlers[] = { - {&receive_udp_service, GNUNET_MESSAGE_TYPE_VPN_SERVICE_UDP, 0}, - {&receive_tcp_service, GNUNET_MESSAGE_TYPE_VPN_SERVICE_TCP, 0}, - {NULL, 0, 0}, - {NULL, 0, 0}, + {&receive_icmp_service, GNUNET_MESSAGE_TYPE_VPN_ICMP_TO_SERVICE, 0}, + {&receive_icmp_remote, GNUNET_MESSAGE_TYPE_VPN_ICMP_TO_INTERNET, 0}, + {&receive_udp_service, GNUNET_MESSAGE_TYPE_VPN_UDP_TO_SERVICE, 0}, + {&receive_udp_remote, GNUNET_MESSAGE_TYPE_VPN_UDP_TO_INTERNET, 0}, + {&receive_tcp_service, GNUNET_MESSAGE_TYPE_VPN_TCP_TO_SERVICE_START, 0}, + {&receive_tcp_remote, GNUNET_MESSAGE_TYPE_VPN_TCP_TO_INTERNET_START, 0}, + {&receive_tcp_data, GNUNET_MESSAGE_TYPE_VPN_TCP_DATA_TO_EXIT, 0}, + {&receive_dns_request, GNUNET_MESSAGE_TYPE_VPN_DNS_TO_INTERNET, 0}, {NULL, 0, 0} }; static GNUNET_MESH_ApplicationType apptypes[] = { + GNUNET_APPLICATION_TYPE_END, GNUNET_APPLICATION_TYPE_END, GNUNET_APPLICATION_TYPE_END, GNUNET_APPLICATION_TYPE_END }; - unsigned int handler_idx; unsigned int app_idx; - int udp; - int tcp; - char *ifname; + char *exit_ifname; + char *tun_ifname; char *ipv6addr; char *ipv6prefix_s; char *ipv4addr; char *ipv4mask; - struct in_addr v4; - struct in6_addr v6; + char *binary; + char *regex; + char *prefixed_regex; + struct in_addr dns_exit4; + struct in6_addr dns_exit6; + char *dns_exit; cfg = cfg_; - GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_FOREVER_REL, &cleanup, cls); - if (GNUNET_OK != - GNUNET_CONFIGURATION_get_value_number (cfg, "exit", "MAX_CONNECTIONS", - &max_connections)) - max_connections = 1024; - exit_argv[0] = GNUNET_strdup ("exit-gnunet"); - if (GNUNET_SYSERR == - GNUNET_CONFIGURATION_get_value_string (cfg, "exit", "IFNAME", &ifname)) + ipv4_exit = GNUNET_CONFIGURATION_get_value_yesno (cfg, "exit", "EXIT_IPV4"); + ipv6_exit = GNUNET_CONFIGURATION_get_value_yesno (cfg, "exit", "EXIT_IPV6"); + ipv4_enabled = GNUNET_CONFIGURATION_get_value_yesno (cfg, "exit", "ENABLE_IPV4"); + ipv6_enabled = GNUNET_CONFIGURATION_get_value_yesno (cfg, "exit", "ENABLE_IPV6"); + if ( (ipv4_exit) || (ipv6_exit) ) { - GNUNET_log (GNUNET_ERROR_TYPE_ERROR, - "No entry 'IFNAME' in configuration!\n"); - GNUNET_SCHEDULER_shutdown (); - return; + binary = GNUNET_OS_get_libexec_binary_path ("gnunet-helper-exit"); + if (GNUNET_YES != + GNUNET_OS_check_helper_binary (binary)) + { + GNUNET_free (binary); + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + _("`%s' must be installed SUID, refusing to run\n"), + "gnunet-helper-exit"); + global_ret = 1; + return; + } + GNUNET_free (binary); } - exit_argv[1] = ifname; - if ( (GNUNET_SYSERR == - GNUNET_CONFIGURATION_get_value_string (cfg, "exit", "IPV6ADDR", - &ipv6addr) || - (1 != inet_pton (AF_INET6, ipv6addr, &v6))) ) + stats = GNUNET_STATISTICS_create ("exit", cfg); + + if ( (ipv4_exit || ipv4_enabled) && + GNUNET_OK != GNUNET_NETWORK_test_pf (PF_INET)) { GNUNET_log (GNUNET_ERROR_TYPE_ERROR, - "No valid entry 'IPV6ADDR' in configuration!\n"); - GNUNET_SCHEDULER_shutdown (); - return; + _("This system does not support IPv4, will disable IPv4 functions despite them being enabled in the configuration\n")); + ipv4_exit = GNUNET_NO; + ipv4_enabled = GNUNET_NO; } - exit_argv[2] = ipv6addr; - if (GNUNET_SYSERR == - GNUNET_CONFIGURATION_get_value_string (cfg, "exit", "IPV6PREFIX", - &ipv6prefix_s)) + if ( (ipv6_exit || ipv6_enabled) && + GNUNET_OK != GNUNET_NETWORK_test_pf (PF_INET6)) { GNUNET_log (GNUNET_ERROR_TYPE_ERROR, - "No entry 'IPV6PREFIX' in configuration!\n"); - GNUNET_SCHEDULER_shutdown (); - return; + _("This system does not support IPv6, will disable IPv6 functions despite them being enabled in the configuration\n")); + ipv6_exit = GNUNET_NO; + ipv6_enabled = GNUNET_NO; } - exit_argv[3] = ipv6prefix_s; - if ( (GNUNET_OK != - GNUNET_CONFIGURATION_get_value_number (cfg, "exit", - "IPV6PREFIX", - &ipv6prefix)) || - (ipv6prefix >= 127) ) + if (ipv4_exit && (! ipv4_enabled)) { - GNUNET_SCHEDULER_shutdown (); - return; + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + _("Cannot enable IPv4 exit but disable IPv4 on TUN interface, will use ENABLE_IPv4=YES\n")); + ipv4_enabled = GNUNET_YES; } - - if ( (GNUNET_SYSERR == - GNUNET_CONFIGURATION_get_value_string (cfg, "exit", "IPV4ADDR", - &ipv4addr) || - (1 != inet_pton (AF_INET, ipv4addr, &v4))) ) + if (ipv6_exit && (! ipv6_enabled)) { GNUNET_log (GNUNET_ERROR_TYPE_ERROR, - "No valid entry for 'IPV4ADDR' in configuration!\n"); - GNUNET_SCHEDULER_shutdown (); - return; + _("Cannot enable IPv6 exit but disable IPv6 on TUN interface, will use ENABLE_IPv6=YES\n")); + ipv6_enabled = GNUNET_YES; } - exit_argv[4] = ipv4addr; - if ( (GNUNET_SYSERR == - GNUNET_CONFIGURATION_get_value_string (cfg, "exit", "IPV4MASK", - &ipv4mask) || - (1 != inet_pton (AF_INET, ipv4mask, &v4))) ) + if (! (ipv4_enabled || ipv6_enabled)) { GNUNET_log (GNUNET_ERROR_TYPE_ERROR, - "No valid entry 'IPV4MASK' in configuration!\n"); + _("No useful service enabled. Exiting.\n")); GNUNET_SCHEDULER_shutdown (); - return; + return; + } + + dns_exit = NULL; + if ( (GNUNET_YES == + GNUNET_CONFIGURATION_get_value_yesno (cfg_, "exit", "ENABLE_DNS")) && + ( (GNUNET_OK != + GNUNET_CONFIGURATION_get_value_string (cfg, "exit", + "DNS_RESOLVER", + &dns_exit)) || + ( (1 != inet_pton (AF_INET, dns_exit, &dns_exit4)) && + (1 != inet_pton (AF_INET6, dns_exit, &dns_exit6)) ) ) ) + { + GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR, "dns", "DNS_RESOLVER", + _("need a valid IPv4 or IPv6 address\n")); + GNUNET_free_non_null (dns_exit); + dns_exit = NULL; } - exit_argv[5] = ipv4mask; - exit_argv[6] = NULL; + if (NULL != dns_exit) + dnsstub = GNUNET_DNSSTUB_start (dns_exit); + app_idx = 0; - handler_idx = 2; - udp = GNUNET_CONFIGURATION_get_value_yesno (cfg, "exit", "ENABLE_UDP"); - tcp = GNUNET_CONFIGURATION_get_value_yesno (cfg, "exit", "ENABLE_TCP"); - if (GNUNET_YES == udp) - { - handlers[handler_idx].callback = &receive_udp_remote; - handlers[handler_idx].expected_size = 0; - handlers[handler_idx].type = GNUNET_MESSAGE_TYPE_VPN_REMOTE_UDP; - apptypes[app_idx] = GNUNET_APPLICATION_TYPE_INTERNET_UDP_GATEWAY; - handler_idx++; + if (GNUNET_YES == ipv4_exit) + { + apptypes[app_idx] = GNUNET_APPLICATION_TYPE_IPV4_GATEWAY; app_idx++; } - - if (GNUNET_YES == tcp) + if (GNUNET_YES == ipv6_exit) + { + apptypes[app_idx] = GNUNET_APPLICATION_TYPE_IPV6_GATEWAY; + app_idx++; + } + if (NULL != dns_exit) { - handlers[handler_idx].callback = &receive_tcp_remote; - handlers[handler_idx].expected_size = 0; - handlers[handler_idx].type = GNUNET_MESSAGE_TYPE_VPN_REMOTE_TCP; - apptypes[app_idx] = GNUNET_APPLICATION_TYPE_INTERNET_TCP_GATEWAY; - handler_idx++; + apptypes[app_idx] = GNUNET_APPLICATION_TYPE_INTERNET_RESOLVER; app_idx++; } - udp_services = GNUNET_CONTAINER_multihashmap_create (65536); - tcp_services = GNUNET_CONTAINER_multihashmap_create (65536); + + GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_FOREVER_REL, &cleanup, cls); + + if (GNUNET_OK != + GNUNET_CONFIGURATION_get_value_number (cfg, "exit", "MAX_CONNECTIONS", + &max_connections)) + max_connections = 1024; + exit_argv[0] = GNUNET_strdup ("exit-gnunet"); + if (GNUNET_SYSERR == + GNUNET_CONFIGURATION_get_value_string (cfg, "exit", "TUN_IFNAME", &tun_ifname)) + { + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + "No entry 'TUN_IFNAME' in configuration!\n"); + GNUNET_SCHEDULER_shutdown (); + return; + } + exit_argv[1] = tun_ifname; + if (ipv4_enabled) + { + if (GNUNET_SYSERR == + GNUNET_CONFIGURATION_get_value_string (cfg, "exit", "EXIT_IFNAME", &exit_ifname)) + { + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + "No entry 'EXIT_IFNAME' in configuration!\n"); + GNUNET_SCHEDULER_shutdown (); + return; + } + exit_argv[2] = exit_ifname; + } + else + { + exit_argv[2] = GNUNET_strdup ("%"); + } + + + if (GNUNET_YES == ipv6_enabled) + { + if ( (GNUNET_SYSERR == + GNUNET_CONFIGURATION_get_value_string (cfg, "exit", "IPV6ADDR", + &ipv6addr) || + (1 != inet_pton (AF_INET6, ipv6addr, &exit_ipv6addr))) ) + { + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + "No valid entry 'IPV6ADDR' in configuration!\n"); + GNUNET_SCHEDULER_shutdown (); + return; + } + exit_argv[3] = ipv6addr; + if (GNUNET_SYSERR == + GNUNET_CONFIGURATION_get_value_string (cfg, "exit", "IPV6PREFIX", + &ipv6prefix_s)) + { + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + "No entry 'IPV6PREFIX' in configuration!\n"); + GNUNET_SCHEDULER_shutdown (); + return; + } + exit_argv[4] = ipv6prefix_s; + if ( (GNUNET_OK != + GNUNET_CONFIGURATION_get_value_number (cfg, "exit", + "IPV6PREFIX", + &ipv6prefix)) || + (ipv6prefix >= 127) ) + { + GNUNET_SCHEDULER_shutdown (); + return; + } + } + else + { + /* IPv6 explicitly disabled */ + exit_argv[3] = GNUNET_strdup ("-"); + exit_argv[4] = GNUNET_strdup ("-"); + } + if (GNUNET_YES == ipv4_enabled) + { + if ( (GNUNET_SYSERR == + GNUNET_CONFIGURATION_get_value_string (cfg, "exit", "IPV4ADDR", + &ipv4addr) || + (1 != inet_pton (AF_INET, ipv4addr, &exit_ipv4addr))) ) + { + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + "No valid entry for 'IPV4ADDR' in configuration!\n"); + GNUNET_SCHEDULER_shutdown (); + return; + } + exit_argv[5] = ipv4addr; + if ( (GNUNET_SYSERR == + GNUNET_CONFIGURATION_get_value_string (cfg, "exit", "IPV4MASK", + &ipv4mask) || + (1 != inet_pton (AF_INET, ipv4mask, &exit_ipv4mask))) ) + { + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + "No valid entry 'IPV4MASK' in configuration!\n"); + GNUNET_SCHEDULER_shutdown (); + return; + } + exit_argv[6] = ipv4mask; + } + else + { + /* IPv4 explicitly disabled */ + exit_argv[5] = GNUNET_strdup ("-"); + exit_argv[6] = GNUNET_strdup ("-"); + } + exit_argv[7] = NULL; + + udp_services = GNUNET_CONTAINER_multihashmap_create (65536, GNUNET_NO); + tcp_services = GNUNET_CONTAINER_multihashmap_create (65536, GNUNET_NO); GNUNET_CONFIGURATION_iterate_sections (cfg, &read_service_conf, NULL); - connections_map = GNUNET_CONTAINER_multihashmap_create (65536); + connections_map = GNUNET_CONTAINER_multihashmap_create (65536, GNUNET_NO); connections_heap = GNUNET_CONTAINER_heap_create (GNUNET_CONTAINER_HEAP_ORDER_MIN); mesh_handle - = GNUNET_MESH_connect (cfg, 42 /* queue size */, NULL, + = GNUNET_MESH_connect (cfg, NULL, &new_tunnel, &clean_tunnel, handlers, apptypes); @@ -1910,9 +3551,49 @@ run (void *cls, char *const *args GNUNET_UNUSED, GNUNET_SCHEDULER_shutdown (); return; } - helper_handle = GNUNET_HELPER_start ("gnunet-helper-vpn", - exit_argv, - &message_token, NULL); + + /* Mesh handle acquired, now announce regular expressions matching our exit */ + if ( (GNUNET_YES == ipv4_enabled) && (GNUNET_YES == ipv4_exit) ) + { + if (GNUNET_OK != + GNUNET_CONFIGURATION_get_value_string (cfg, + "exit", + "EXIT_RANGE_IPV4_REGEX", + ®ex)) + regex = GNUNET_strdup ("(0|1)*"); + (void) GNUNET_asprintf (&prefixed_regex, "%s%s%s", + GNUNET_APPLICATION_TYPE_EXIT_REGEX_PREFIX, + "4", regex); + GNUNET_MESH_announce_regex (mesh_handle, + prefixed_regex, + REGEX_MAX_PATH_LEN_IPV4); + GNUNET_free (regex); + GNUNET_free (prefixed_regex); + } + + if (GNUNET_YES == ipv6_enabled && GNUNET_YES == ipv6_exit) + { + if (GNUNET_OK != + GNUNET_CONFIGURATION_get_value_string (cfg, + "exit", + "EXIT_RANGE_IPV6_REGEX", + ®ex)) + regex = GNUNET_strdup ("(0|1)*"); + (void) GNUNET_asprintf (&prefixed_regex, "%s%s%s", + GNUNET_APPLICATION_TYPE_EXIT_REGEX_PREFIX, + "6", regex); + GNUNET_MESH_announce_regex (mesh_handle, + prefixed_regex, + REGEX_MAX_PATH_LEN_IPV6); + GNUNET_free (regex); + GNUNET_free (prefixed_regex); + } + if ((ipv4_exit) || (ipv6_exit)) + helper_handle = GNUNET_HELPER_start (GNUNET_NO, + "gnunet-helper-exit", + exit_argv, + &message_token, + NULL, NULL); } @@ -1930,11 +3611,14 @@ main (int argc, char *const *argv) GNUNET_GETOPT_OPTION_END }; + if (GNUNET_OK != GNUNET_STRINGS_get_utf8_args (argc, argv, &argc, &argv)) + return 2; + return (GNUNET_OK == GNUNET_PROGRAM_run (argc, argv, "gnunet-daemon-exit", gettext_noop ("Daemon to run to provide an IP exit node for the VPN"), - options, &run, NULL)) ? 0 : 1; + options, &run, NULL)) ? global_ret : 1; }