- struct ether_arp *arp;
- subnet_t *subnet;
- unsigned char ipbuf[4];
- ipv4_t dest;
-cp
- /* First, snatch the source address from the ARP packet */
-
- memcpy(mymac.net.mac.address.x, packet->data + 6, 6);
-
- /* This routine generates replies to ARP requests.
- You don't need to set NOARP flag on the interface anymore (which is broken on FreeBSD).
- Most of the code here is taken from choparp.c by Takamichi Tateoka (tree@mma.club.uec.ac.jp)
- */
-
- arp = (struct ether_arp *)(packet->data + 14);
-
- /* Check if this is a valid ARP request */
-
- if(ntohs(arp->arp_hrd) != ARPHRD_ETHER ||
- ntohs(arp->arp_pro) != ETHERTYPE_IP ||
- (int) (arp->arp_hln) != ETHER_ADDR_LEN ||
- (int) (arp->arp_pln) != 4 ||
- ntohs(arp->arp_op) != ARPOP_REQUEST )
- {
- if(debug_lvl > DEBUG_TRAFFIC)
- {
- syslog(LOG_WARNING, _("Cannot route packet: received unknown type ARP request"));
- }
- return;
- }
-
- /* Check if the IP address exists on the VPN */
-
- dest = ntohl(*((unsigned long*)(arp->arp_tpa)));
- subnet = lookup_subnet_ipv4(&dest);
-
- if(!subnet)
- {
- if(debug_lvl >= DEBUG_TRAFFIC)
- {
- syslog(LOG_WARNING, _("Cannot route packet: ARP request for unknown address %d.%d.%d.%d"),
- arp->arp_tpa[0], arp->arp_tpa[1], arp->arp_tpa[2], arp->arp_tpa[3]);
- }
-
- return;
- }
-
- /* Check if it is for our own subnet */
-
- if(subnet->owner == myself)
- return; /* silently ignore */
-
- memcpy(packet->data, packet->data + ETHER_ADDR_LEN, ETHER_ADDR_LEN); /* copy destination address */
- packet->data[ETHER_ADDR_LEN*2 - 1] ^= 0xFF; /* mangle source address so it looks like it's not from us */
-
- memcpy(ipbuf, arp->arp_tpa, 4); /* save protocol addr */
- memcpy(arp->arp_tpa, arp->arp_spa, 4); /* swap destination and source protocol address */
- memcpy(arp->arp_spa, ipbuf, 4); /* ... */
-
- memcpy(arp->arp_tha, arp->arp_sha, 10); /* set target hard/proto addr */
- memcpy(arp->arp_sha, packet->data + ETHER_ADDR_LEN, ETHER_ADDR_LEN); /* add fake source hard addr */
- arp->arp_op = htons(ARPOP_REPLY);
-
- accept_packet(packet);
-cp
+ uint32_t checksum = prevsum ^ 0xFFFF;
+
+ while(len--)
+ checksum += ntohs(*data++);
+
+ while(checksum >> 16)
+ checksum = (checksum & 0xFFFF) + (checksum >> 16);
+
+ return checksum ^ 0xFFFF;
+}
+
+void route_neighborsol(vpn_packet_t * packet)
+{
+ struct ip6_hdr *hdr;
+ struct nd_neighbor_solicit *ns;
+ struct nd_opt_hdr *opt;
+ subnet_t *subnet;
+ uint16_t checksum;
+
+ struct {
+ struct in6_addr ip6_src; /* source address */
+ struct in6_addr ip6_dst; /* destination address */
+ uint32_t length;
+ uint8_t junk[4];
+ } pseudo;
+
+ cp();
+
+ hdr = (struct ip6_hdr *) (packet->data + 14);
+ ns = (struct nd_neighbor_solicit *) (packet->data + 14 + sizeof(*hdr));
+ opt = (struct nd_opt_hdr *) (packet->data + 14 + sizeof(*hdr) + sizeof(*ns));
+
+ /* First, snatch the source address from the neighbor solicitation packet */
+
+ memcpy(mymac.net.mac.address.x, packet->data + 6, 6);
+
+ /* Check if this is a valid neighbor solicitation request */
+
+ if(ns->nd_ns_hdr.icmp6_type != ND_NEIGHBOR_SOLICIT ||
+ opt->nd_opt_type != ND_OPT_SOURCE_LINKADDR) {
+ if(debug_lvl > DEBUG_TRAFFIC) {
+ syslog(LOG_WARNING, _("Cannot route packet: received unknown type neighbor solicitation request"));
+ }
+ return;
+ }
+
+ /* Create pseudo header */
+
+ memcpy(&pseudo.ip6_src, &hdr->ip6_src, 16);
+ memcpy(&pseudo.ip6_dst, &hdr->ip6_dst, 16);
+ pseudo.length = htonl(sizeof(*ns) + sizeof(*opt) + 6);
+ pseudo.junk[0] = pseudo.junk[1] = pseudo.junk[2] = 0;
+ pseudo.junk[3] = IPPROTO_ICMPV6;
+
+ /* Generate checksum */
+
+ checksum = inet_checksum((uint16_t *) & pseudo, sizeof(pseudo) / 2, ~0);
+ checksum = inet_checksum((uint16_t *) ns, sizeof(*ns) / 2 + 4, checksum);
+
+ if(checksum) {
+ if(debug_lvl >= DEBUG_TRAFFIC)
+ syslog(LOG_WARNING, _("Cannot route packet: checksum error for neighbor solicitation request"));
+ return;
+ }
+
+ /* Check if the IPv6 address exists on the VPN */
+
+ subnet = lookup_subnet_ipv6((ipv6_t *) & ns->nd_ns_target);
+
+ if(!subnet) {
+ if(debug_lvl >= DEBUG_TRAFFIC) {
+ syslog(LOG_WARNING, _("Cannot route packet: neighbor solicitation request for unknown address %hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx"),
+ ntohs(((uint16_t *) & ns->nd_ns_target)[0]),
+ ntohs(((uint16_t *) & ns->nd_ns_target)[1]),
+ ntohs(((uint16_t *) & ns->nd_ns_target)[2]),
+ ntohs(((uint16_t *) & ns->nd_ns_target)[3]),
+ ntohs(((uint16_t *) & ns->nd_ns_target)[4]),
+ ntohs(((uint16_t *) & ns->nd_ns_target)[5]),
+ ntohs(((uint16_t *) & ns->nd_ns_target)[6]),
+ ntohs(((uint16_t *) & ns->nd_ns_target)[7]));
+ }
+
+ return;
+ }
+
+ /* Check if it is for our own subnet */
+
+ if(subnet->owner == myself)
+ return; /* silently ignore */
+
+ /* Create neighbor advertation reply */
+
+ memcpy(packet->data, packet->data + ETHER_ADDR_LEN, ETHER_ADDR_LEN); /* copy destination address */
+ packet->data[ETHER_ADDR_LEN * 2 - 1] ^= 0xFF; /* mangle source address so it looks like it's not from us */
+
+ memcpy(&hdr->ip6_dst, &hdr->ip6_src, 16); /* swap destination and source protocol address */
+ memcpy(&hdr->ip6_src, &ns->nd_ns_target, 16); /* ... */
+
+ memcpy((char *) opt + sizeof(*opt), packet->data + ETHER_ADDR_LEN, 6); /* add fake source hard addr */
+
+ ns->nd_ns_hdr.icmp6_cksum = 0;
+ ns->nd_ns_hdr.icmp6_type = ND_NEIGHBOR_ADVERT;
+ ns->nd_ns_hdr.icmp6_dataun.icmp6_un_data8[0] = 0x40; /* Set solicited flag */
+ ns->nd_ns_hdr.icmp6_dataun.icmp6_un_data8[1] =
+ ns->nd_ns_hdr.icmp6_dataun.icmp6_un_data8[2] =
+ ns->nd_ns_hdr.icmp6_dataun.icmp6_un_data8[3] = 0;
+ opt->nd_opt_type = ND_OPT_TARGET_LINKADDR;
+
+ /* Create pseudo header */
+
+ memcpy(&pseudo.ip6_src, &hdr->ip6_src, 16);
+ memcpy(&pseudo.ip6_dst, &hdr->ip6_dst, 16);
+ pseudo.length = htonl(sizeof(*ns) + sizeof(*opt) + 6);
+ pseudo.junk[0] = pseudo.junk[1] = pseudo.junk[2] = 0;
+ pseudo.junk[3] = IPPROTO_ICMPV6;
+
+ /* Generate checksum */
+
+ checksum = inet_checksum((uint16_t *) & pseudo, sizeof(pseudo) / 2, ~0);
+ checksum = inet_checksum((uint16_t *) ns, sizeof(*ns) / 2 + 4, checksum);
+
+ ns->nd_ns_hdr.icmp6_cksum = htons(checksum);
+
+ write_packet(packet);
+}
+
+void route_arp(vpn_packet_t * packet)
+{
+ struct ether_arp *arp;
+ subnet_t *subnet;
+ uint8_t ipbuf[4];
+
+ cp();
+
+ /* First, snatch the source address from the ARP packet */
+
+ memcpy(mymac.net.mac.address.x, packet->data + 6, 6);
+
+ /* This routine generates replies to ARP requests.
+ You don't need to set NOARP flag on the interface anymore (which is broken on FreeBSD).
+ Most of the code here is taken from choparp.c by Takamichi Tateoka (tree@mma.club.uec.ac.jp)
+ */
+
+ arp = (struct ether_arp *) (packet->data + 14);
+
+ /* Check if this is a valid ARP request */
+
+ if(ntohs(arp->arp_hrd) != ARPHRD_ETHER || ntohs(arp->arp_pro) != ETHERTYPE_IP ||
+ arp->arp_hln != ETHER_ADDR_LEN || arp->arp_pln != 4 || ntohs(arp->arp_op) != ARPOP_REQUEST) {
+ if(debug_lvl > DEBUG_TRAFFIC) {
+ syslog(LOG_WARNING, _("Cannot route packet: received unknown type ARP request"));
+ }
+ return;
+ }
+
+ /* Check if the IPv4 address exists on the VPN */
+
+ subnet = lookup_subnet_ipv4((ipv4_t *) arp->arp_tpa);
+
+ if(!subnet) {
+ if(debug_lvl >= DEBUG_TRAFFIC) {
+ syslog(LOG_WARNING, _("Cannot route packet: ARP request for unknown address %d.%d.%d.%d"),
+ arp->arp_tpa[0], arp->arp_tpa[1], arp->arp_tpa[2],
+ arp->arp_tpa[3]);
+ }
+
+ return;
+ }
+
+ /* Check if it is for our own subnet */
+
+ if(subnet->owner == myself)
+ return; /* silently ignore */
+
+ memcpy(packet->data, packet->data + ETHER_ADDR_LEN, ETHER_ADDR_LEN); /* copy destination address */
+ packet->data[ETHER_ADDR_LEN * 2 - 1] ^= 0xFF; /* mangle source address so it looks like it's not from us */
+
+ memcpy(ipbuf, arp->arp_tpa, 4); /* save protocol addr */
+ memcpy(arp->arp_tpa, arp->arp_spa, 4); /* swap destination and source protocol address */
+ memcpy(arp->arp_spa, ipbuf, 4); /* ... */
+
+ memcpy(arp->arp_tha, arp->arp_sha, 10); /* set target hard/proto addr */
+ memcpy(arp->arp_sha, packet->data + ETHER_ADDR_LEN, ETHER_ADDR_LEN); /* add fake source hard addr */
+ arp->arp_op = htons(ARPOP_REPLY);
+
+ write_packet(packet);