2 * Copyright (C) 2006-2013 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2010 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
7 * Copyright (C) secunet Security Networks AG
9 * This program is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2 of the License, or (at your
12 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 * This program is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 /* for struct in6_pktinfo */
24 #define __EXTENSIONS__
26 /* make sure to use the proper defs on Mac OS X */
27 #define __APPLE_USE_RFC_3542
29 #include "socket_default_socket.h"
31 #include <sys/types.h>
32 #include <sys/socket.h>
38 #include <sys/ioctl.h>
39 #include <netinet/in_systm.h>
40 #include <netinet/in.h>
41 #include <netinet/ip.h>
42 #include <netinet/udp.h>
46 #include <threading/thread.h>
48 /* these are not defined on some platforms */
50 #define SOL_IP IPPROTO_IP
53 #define SOL_IPV6 IPPROTO_IPV6
56 #define IPV6_TCLASS 67
59 /* IPV6_RECVPKTINFO is defined in RFC 3542 which obsoletes RFC 2292 that
60 * previously defined IPV6_PKTINFO */
61 #ifndef IPV6_RECVPKTINFO
62 #define IPV6_RECVPKTINFO IPV6_PKTINFO
65 #ifndef IN6ADDR_ANY_INIT
66 #define IN6ADDR_ANY_INIT {{{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}}
69 #ifndef HAVE_IN6ADDR_ANY
70 static const struct in6_addr in6addr_any
= IN6ADDR_ANY_INIT
;
73 typedef struct private_socket_default_socket_t private_socket_default_socket_t
;
76 * Private data of an socket_t object
78 struct private_socket_default_socket_t
{
83 socket_default_socket_t
public;
86 * Configured port (or random, if initially 0)
91 * Configured port for NAT-T (or random, if initially 0)
96 * IPv4 socket (500 or port)
101 * IPv4 socket for NAT-T (4500 or natt)
106 * IPv6 socket (500 or port)
111 * IPv6 socket for NAT-T (4500 or natt)
116 * DSCP value set on IPv4 socket
121 * DSCP value set on IPv4 socket for NAT-T (4500 or natt)
126 * DSCP value set on IPv6 socket (500 or port)
131 * DSCP value set on IPv6 socket for NAT-T (4500 or natt)
136 * Maximum packet size to receive
141 * TRUE if the source address should be set on outbound packets
146 * TRUE to force sending source interface on outbound packets
151 * A counter to implement round-robin selection of read sockets
157 * Get the destination IPv4 address of a received packet, depending on the
158 * available mechanism.
162 static host_t
*get_dst_v4(struct cmsghdr
*cmsgptr
, uint16_t port
)
164 struct sockaddr_in dst
= {
165 .sin_family
= AF_INET
,
166 .sin_port
= htons(port
),
168 struct in_pktinfo
*pktinfo
;
169 struct in_addr
*addr
;
171 if (cmsgptr
->cmsg_type
== IP_PKTINFO
)
173 pktinfo
= (struct in_pktinfo
*)CMSG_DATA(cmsgptr
);
174 addr
= &pktinfo
->ipi_addr
;
175 memcpy(&dst
.sin_addr
, addr
, sizeof(dst
.sin_addr
));
176 return host_create_from_sockaddr((sockaddr_t
*)&dst
);
181 #elif defined(IP_RECVDSTADDR)
183 static host_t
*get_dst_v4(struct cmsghdr
*cmsgptr
, uint16_t port
)
185 struct sockaddr_in dst
= {
186 .sin_family
= AF_INET
,
187 .sin_port
= htons(port
),
189 struct in_addr
*addr
;
191 if (cmsgptr
->cmsg_type
== IP_RECVDSTADDR
)
193 addr
= (struct in_addr
*)CMSG_DATA(cmsgptr
);
194 memcpy(&dst
.sin_addr
, addr
, sizeof(dst
.sin_addr
));
195 return host_create_from_sockaddr((sockaddr_t
*)&dst
);
200 #else /* IP_PKTINFO || IP_RECVDSTADDR */
202 static host_t
*get_dst_v4(struct cmsghdr
*cmsgptr
, uint16_t port
)
207 #endif /* IP_PKTINFO || IP_RECVDSTADDR */
210 * Get the destination IPv6 address of a received packet, depending on the
211 * available mechanism.
213 #ifdef HAVE_IN6_PKTINFO
215 static host_t
*get_dst_v6(struct cmsghdr
*cmsgptr
, uint16_t port
)
217 struct in6_pktinfo
*pktinfo
;
218 struct sockaddr_in6 dst
= {
219 .sin6_family
= AF_INET6
,
220 .sin6_port
= htons(port
),
223 if (cmsgptr
->cmsg_type
== IPV6_PKTINFO
)
225 pktinfo
= (struct in6_pktinfo
*)CMSG_DATA(cmsgptr
);
226 memcpy(&dst
.sin6_addr
, &pktinfo
->ipi6_addr
, sizeof(dst
.sin6_addr
));
227 return host_create_from_sockaddr((sockaddr_t
*)&dst
);
232 #else /* HAVE_IN6_PKTINFO */
234 static host_t
*get_dst_v6(struct cmsghdr
*cmsgptr
, uint16_t port
)
239 #endif /* HAVE_IN6_PKTINFO */
241 METHOD(socket_t
, receiver
, status_t
,
242 private_socket_default_socket_t
*this, packet_t
**packet
)
244 char buffer
[this->max_packet
];
247 host_t
*source
= NULL
, *dest
= NULL
;
248 int i
, rr
, index
, bytes_read
= 0, selected
= -1;
251 struct pollfd pfd
[] = {
252 { .fd
= this->ipv4
, .events
= POLLIN
},
253 { .fd
= this->ipv4_natt
, .events
= POLLIN
},
254 { .fd
= this->ipv6
, .events
= POLLIN
},
255 { .fd
= this->ipv6_natt
, .events
= POLLIN
},
258 /* port numbers associated to pollfds */
259 this->port
, this->natt
, this->port
, this->natt
,
262 DBG2(DBG_NET
, "waiting for data on sockets");
263 oldstate
= thread_cancelability(TRUE
);
264 if (poll(pfd
, countof(pfd
), -1) <= 0)
266 thread_cancelability(oldstate
);
269 thread_cancelability(oldstate
);
271 rr
= this->rr_counter
++;
272 for (i
= 0; i
< countof(pfd
); i
++)
274 /* To serve all ports with equal priority, we use a round-robin
275 * scheme to choose the one to process in this invocation */
276 index
= (rr
+ i
) % countof(pfd
);
277 if (pfd
[index
].revents
& POLLIN
)
279 selected
= pfd
[index
].fd
;
287 struct cmsghdr
*cmsgptr
;
291 struct sockaddr_in in4
;
292 struct sockaddr_in6 in6
;
296 msg
.msg_namelen
= sizeof(src
);
297 iov
.iov_base
= buffer
;
298 iov
.iov_len
= this->max_packet
;
301 msg
.msg_control
= ancillary
;
302 msg
.msg_controllen
= sizeof(ancillary
);
304 bytes_read
= recvmsg(selected
, &msg
, 0);
307 DBG1(DBG_NET
, "error reading socket: %s", strerror(errno
));
310 if (msg
.msg_flags
& MSG_TRUNC
)
312 DBG1(DBG_NET
, "receive buffer too small, packet discarded");
315 DBG3(DBG_NET
, "received packet %b", buffer
, bytes_read
);
317 /* read ancillary data to get destination address */
318 for (cmsgptr
= CMSG_FIRSTHDR(&msg
); cmsgptr
!= NULL
;
319 cmsgptr
= CMSG_NXTHDR(&msg
, cmsgptr
))
321 if (cmsgptr
->cmsg_len
== 0)
323 DBG1(DBG_NET
, "error reading ancillary data");
326 if (cmsgptr
->cmsg_level
== SOL_IP
)
328 dest
= get_dst_v4(cmsgptr
, port
);
330 else if (cmsgptr
->cmsg_level
== SOL_IPV6
)
332 dest
= get_dst_v6(cmsgptr
, port
);
341 DBG1(DBG_NET
, "error reading IP header");
344 source
= host_create_from_sockaddr((sockaddr_t
*)&src
);
346 pkt
= packet_create();
347 pkt
->set_source(pkt
, source
);
348 pkt
->set_destination(pkt
, dest
);
349 DBG2(DBG_NET
, "received packet: from %#H to %#H", source
, dest
);
350 data
= chunk_create(buffer
, bytes_read
);
351 pkt
->set_data(pkt
, chunk_clone(data
));
355 /* oops, shouldn't happen */
364 * Generic function to send a message.
366 static ssize_t
send_msg_generic(int skt
, struct msghdr
*msg
)
368 return sendmsg(skt
, msg
, 0);
371 #if defined(IP_PKTINFO) || defined(HAVE_IN6_PKTINFO)
374 * Find the interface index a source address is installed on
376 static int find_srcif(host_t
*src
)
381 if (charon
->kernel
->get_interface(charon
->kernel
, src
, &ifname
))
383 idx
= if_nametoindex(ifname
);
389 #endif /* IP_PKTINFO || HAVE_IN6_PKTINFO */
392 * Send a message with the IPv4 source address set, if possible.
396 static ssize_t
send_msg_v4(private_socket_default_socket_t
*this, int skt
,
397 struct msghdr
*msg
, host_t
*src
)
399 char buf
[CMSG_SPACE(sizeof(struct in_pktinfo
))] = {};
400 struct cmsghdr
*cmsg
;
401 struct in_addr
*addr
;
402 struct in_pktinfo
*pktinfo
;
403 struct sockaddr_in
*sin
;
405 msg
->msg_control
= buf
;
406 msg
->msg_controllen
= sizeof(buf
);
407 cmsg
= CMSG_FIRSTHDR(msg
);
408 cmsg
->cmsg_level
= SOL_IP
;
409 cmsg
->cmsg_type
= IP_PKTINFO
;
410 cmsg
->cmsg_len
= CMSG_LEN(sizeof(struct in_pktinfo
));
412 pktinfo
= (struct in_pktinfo
*)CMSG_DATA(cmsg
);
413 if (this->set_sourceif
)
415 pktinfo
->ipi_ifindex
= find_srcif(src
);
417 addr
= &pktinfo
->ipi_spec_dst
;
419 sin
= (struct sockaddr_in
*)src
->get_sockaddr(src
);
420 memcpy(addr
, &sin
->sin_addr
, sizeof(struct in_addr
));
421 return send_msg_generic(skt
, msg
);
424 #elif defined(IP_SENDSRCADDR)
426 static ssize_t
send_msg_v4(private_socket_default_socket_t
*this, int skt
,
427 struct msghdr
*msg
, host_t
*src
)
429 char buf
[CMSG_SPACE(sizeof(struct in_addr
))] = {};
430 struct cmsghdr
*cmsg
;
431 struct in_addr
*addr
;
432 struct sockaddr_in
*sin
;
434 msg
->msg_control
= buf
;
435 msg
->msg_controllen
= sizeof(buf
);
436 cmsg
= CMSG_FIRSTHDR(msg
);
437 cmsg
->cmsg_level
= SOL_IP
;
438 cmsg
->cmsg_type
= IP_SENDSRCADDR
;
439 cmsg
->cmsg_len
= CMSG_LEN(sizeof(struct in_addr
));
441 addr
= (struct in_addr
*)CMSG_DATA(cmsg
);
443 sin
= (struct sockaddr_in
*)src
->get_sockaddr(src
);
444 memcpy(addr
, &sin
->sin_addr
, sizeof(struct in_addr
));
445 return send_msg_generic(skt
, msg
);
448 #else /* IP_PKTINFO || IP_RECVDSTADDR */
450 static ssize_t
send_msg_v4(private_socket_default_socket_t
*this,
451 int skt
, struct msghdr
*msg
, host_t
*src
)
453 return send_msg_generic(skt
, msg
);
456 #endif /* IP_PKTINFO || IP_RECVDSTADDR */
459 * Send a message with the IPv6 source address set, if possible.
461 #ifdef HAVE_IN6_PKTINFO
463 static ssize_t
send_msg_v6(private_socket_default_socket_t
*this, int skt
,
464 struct msghdr
*msg
, host_t
*src
)
466 char buf
[CMSG_SPACE(sizeof(struct in6_pktinfo
))] = {};
467 struct cmsghdr
*cmsg
;
468 struct in6_pktinfo
*pktinfo
;
469 struct sockaddr_in6
*sin
;
471 msg
->msg_control
= buf
;
472 msg
->msg_controllen
= sizeof(buf
);
473 cmsg
= CMSG_FIRSTHDR(msg
);
474 cmsg
->cmsg_level
= SOL_IPV6
;
475 cmsg
->cmsg_type
= IPV6_PKTINFO
;
476 cmsg
->cmsg_len
= CMSG_LEN(sizeof(struct in6_pktinfo
));
477 pktinfo
= (struct in6_pktinfo
*)CMSG_DATA(cmsg
);
478 if (this->set_sourceif
)
480 pktinfo
->ipi6_ifindex
= find_srcif(src
);
482 sin
= (struct sockaddr_in6
*)src
->get_sockaddr(src
);
483 memcpy(&pktinfo
->ipi6_addr
, &sin
->sin6_addr
, sizeof(struct in6_addr
));
484 return send_msg_generic(skt
, msg
);
487 #else /* HAVE_IN6_PKTINFO */
489 static ssize_t
send_msg_v6(private_socket_default_socket_t
*this,
490 int skt
, struct msghdr
*msg
, host_t
*src
)
492 return send_msg_generic(skt
, msg
);
495 #endif /* HAVE_IN6_PKTINFO */
497 METHOD(socket_t
, sender
, status_t
,
498 private_socket_default_socket_t
*this, packet_t
*packet
)
500 int sport
, skt
= -1, family
;
508 src
= packet
->get_source(packet
);
509 dst
= packet
->get_destination(packet
);
510 data
= packet
->get_data(packet
);
512 DBG2(DBG_NET
, "sending packet: from %#H to %#H", src
, dst
);
515 sport
= src
->get_port(src
);
516 family
= dst
->get_family(dst
);
517 if (sport
== 0 || sport
== this->port
)
533 else if (sport
== this->natt
)
538 skt
= this->ipv4_natt
;
539 dscp
= &this->dscp4_natt
;
542 skt
= this->ipv6_natt
;
543 dscp
= &this->dscp6_natt
;
551 DBG1(DBG_NET
, "no socket found to send IPv%d packet from port %d",
552 family
== AF_INET
? 4 : 6, sport
);
556 /* setting DSCP values per-packet in a cmsg seems not to be supported
557 * on Linux. We instead setsockopt() before sending it, this should be
558 * safe as only a single thread calls send(). */
559 if (*dscp
!= packet
->get_dscp(packet
))
561 if (family
== AF_INET
)
569 ds4
= packet
->get_dscp(packet
) << 2;
570 if (setsockopt(skt
, SOL_IP
, IP_TOS
, &ds4
, sizeof(ds4
)) == 0)
572 *dscp
= packet
->get_dscp(packet
);
576 DBG1(DBG_NET
, "unable to set IP_TOS on socket: %s",
584 ds6
= packet
->get_dscp(packet
) << 2;
585 if (setsockopt(skt
, SOL_IPV6
, IPV6_TCLASS
, &ds6
, sizeof(ds6
)) == 0)
587 *dscp
= packet
->get_dscp(packet
);
591 DBG1(DBG_NET
, "unable to set IPV6_TCLASS on socket: %s",
597 memset(&msg
, 0, sizeof(struct msghdr
));
598 msg
.msg_name
= dst
->get_sockaddr(dst
);;
599 msg
.msg_namelen
= *dst
->get_sockaddr_len(dst
);
600 iov
.iov_base
= data
.ptr
;
601 iov
.iov_len
= data
.len
;
606 if (this->set_source
&& !src
->is_anyaddr(src
))
608 if (family
== AF_INET
)
610 bytes_sent
= send_msg_v4(this, skt
, &msg
, src
);
614 bytes_sent
= send_msg_v6(this, skt
, &msg
, src
);
619 bytes_sent
= send_msg_generic(skt
, &msg
);
622 if (bytes_sent
!= data
.len
)
624 DBG1(DBG_NET
, "error writing to socket: %s", strerror(errno
));
630 METHOD(socket_t
, get_port
, uint16_t,
631 private_socket_default_socket_t
*this, bool nat_t
)
633 return nat_t
? this->natt
: this->port
;
636 METHOD(socket_t
, supported_families
, socket_family_t
,
637 private_socket_default_socket_t
*this)
639 socket_family_t families
= SOCKET_FAMILY_NONE
;
641 if (this->ipv4
!= -1 || this->ipv4_natt
!= -1)
643 families
|= SOCKET_FAMILY_IPV4
;
645 if (this->ipv6
!= -1 || this->ipv6_natt
!= -1)
647 families
|= SOCKET_FAMILY_IPV6
;
653 * open a socket to send and receive packets
655 static int open_socket(private_socket_default_socket_t
*this,
656 int family
, uint16_t *port
)
660 struct sockaddr sockaddr
;
661 struct sockaddr_in sin
;
662 struct sockaddr_in6 sin6
;
665 u_int sol
, pktinfo
= 0;
668 memset(&addr
, 0, sizeof(addr
));
669 addr
.sockaddr
.sa_family
= family
;
670 /* precalculate constants depending on address family */
674 addr
.sin
.sin_addr
.s_addr
= htonl(INADDR_ANY
);
675 addr
.sin
.sin_port
= htons(*port
);
676 addrlen
= sizeof(addr
.sin
);
679 pktinfo
= IP_PKTINFO
;
680 #elif defined(IP_RECVDSTADDR)
681 pktinfo
= IP_RECVDSTADDR
;
685 memcpy(&addr
.sin6
.sin6_addr
, &in6addr_any
, sizeof(in6addr_any
));
686 addr
.sin6
.sin6_port
= htons(*port
);
687 addrlen
= sizeof(addr
.sin6
);
689 pktinfo
= IPV6_RECVPKTINFO
;
695 skt
= socket(family
, SOCK_DGRAM
, IPPROTO_UDP
);
698 DBG1(DBG_NET
, "could not open socket: %s", strerror(errno
));
701 if (setsockopt(skt
, SOL_SOCKET
, SO_REUSEADDR
, (void*)&on
, sizeof(on
)) < 0)
703 DBG1(DBG_NET
, "unable to set SO_REUSEADDR on socket: %s", strerror(errno
));
708 /* bind the socket */
709 if (bind(skt
, &addr
.sockaddr
, addrlen
) < 0)
711 DBG1(DBG_NET
, "unable to bind socket: %s", strerror(errno
));
716 /* retrieve randomly allocated port if needed */
719 if (getsockname(skt
, &addr
.sockaddr
, &addrlen
) < 0)
721 DBG1(DBG_NET
, "unable to determine port: %s", strerror(errno
));
728 *port
= ntohs(addr
.sin
.sin_port
);
731 *port
= ntohs(addr
.sin6
.sin6_port
);
736 /* get additional packet info on receive */
739 if (setsockopt(skt
, sol
, pktinfo
, &on
, sizeof(on
)) < 0)
741 DBG1(DBG_NET
, "unable to set IP_PKTINFO on socket: %s", strerror(errno
));
747 { /* set optional MARK on socket (requires CAP_NET_ADMIN) */
751 fwmark
= lib
->settings
->get_str(lib
->settings
,
752 "%s.plugins.socket-default.fwmark", NULL
, lib
->ns
);
753 if (fwmark
&& mark_from_string(fwmark
, MARK_OP_NONE
, &mark
))
755 if (setsockopt(skt
, SOL_SOCKET
, SO_MARK
, &mark
.value
,
756 sizeof(mark
.value
)) < 0)
758 DBG1(DBG_NET
, "unable to set SO_MARK on socket: %s",
765 if (!charon
->kernel
->bypass_socket(charon
->kernel
, skt
, family
))
767 DBG1(DBG_NET
, "installing IKE bypass policy failed");
770 /* enable UDP decapsulation for NAT-T sockets */
771 if (port
== &this->natt
&&
772 !charon
->kernel
->enable_udp_decap(charon
->kernel
, skt
, family
,
775 DBG1(DBG_NET
, "enabling UDP decapsulation for %s on port %d failed",
776 family
== AF_INET
? "IPv4" : "IPv6", this->natt
);
783 * Check if we should use the given family
785 static bool use_family(int family
)
790 return lib
->settings
->get_bool(lib
->settings
,
791 "%s.plugins.socket-default.use_ipv4", TRUE
, lib
->ns
);
793 return lib
->settings
->get_bool(lib
->settings
,
794 "%s.plugins.socket-default.use_ipv6", TRUE
, lib
->ns
);
801 * Open a socket pair (normal and NAT traversal) for a given address family
803 static void open_socketpair(private_socket_default_socket_t
*this, int family
,
804 int *skt
, int *skt_natt
, char *label
)
806 if (!use_family(family
))
813 *skt
= open_socket(this, family
, &this->port
);
817 DBG1(DBG_NET
, "could not open %s socket, %s disabled", label
, label
);
821 *skt_natt
= open_socket(this, family
, &this->natt
);
824 DBG1(DBG_NET
, "could not open %s NAT-T socket", label
);
829 METHOD(socket_t
, destroy
, void,
830 private_socket_default_socket_t
*this)
832 if (this->ipv4
!= -1)
836 if (this->ipv4_natt
!= -1)
838 close(this->ipv4_natt
);
840 if (this->ipv6
!= -1)
844 if (this->ipv6_natt
!= -1)
846 close(this->ipv6_natt
);
852 * See header for description
854 socket_default_socket_t
*socket_default_socket_create()
856 private_socket_default_socket_t
*this;
862 .receive
= _receiver
,
863 .get_port
= _get_port
,
864 .supported_families
= _supported_families
,
868 .port
= lib
->settings
->get_int(lib
->settings
,
869 "%s.port", CHARON_UDP_PORT
, lib
->ns
),
870 .natt
= lib
->settings
->get_int(lib
->settings
,
871 "%s.port_nat_t", CHARON_NATT_PORT
, lib
->ns
),
872 .max_packet
= lib
->settings
->get_int(lib
->settings
,
873 "%s.max_packet", PACKET_MAX_DEFAULT
, lib
->ns
),
874 .set_source
= lib
->settings
->get_bool(lib
->settings
,
875 "%s.plugins.socket-default.set_source", TRUE
,
877 .set_sourceif
= lib
->settings
->get_bool(lib
->settings
,
878 "%s.plugins.socket-default.set_sourceif", FALSE
,
882 if (this->port
&& this->port
== this->natt
)
884 DBG1(DBG_NET
, "IKE ports can't be equal, will allocate NAT-T "
889 if ((this->port
&& this->port
< 1024) || (this->natt
&& this->natt
< 1024))
891 if (!lib
->caps
->check(lib
->caps
, CAP_NET_BIND_SERVICE
))
893 /* required to bind ports < 1024 */
894 DBG1(DBG_NET
, "socket-default plugin requires CAP_NET_BIND_SERVICE "
901 /* we allocate IPv6 sockets first as that will reserve randomly allocated
902 * ports also for IPv4. On OS X, we have to do it the other way round
903 * for the same effect. */
905 open_socketpair(this, AF_INET
, &this->ipv4
, &this->ipv4_natt
, "IPv4");
906 open_socketpair(this, AF_INET6
, &this->ipv6
, &this->ipv6_natt
, "IPv6");
907 #else /* !__APPLE__ */
908 open_socketpair(this, AF_INET6
, &this->ipv6
, &this->ipv6_natt
, "IPv6");
909 open_socketpair(this, AF_INET
, &this->ipv4
, &this->ipv4_natt
, "IPv4");
910 #endif /* __APPLE__ */
912 if (this->ipv4
== -1 && this->ipv6
== -1)
914 DBG1(DBG_NET
, "could not create any sockets");
919 return &this->public;