Google Git
Sign in
android/platform/packages/modules/DnsResolver/refs/heads/android12L-dev/./tests/tun_forwarder.cpp
blob: 3e40a783d19fcdaec75d269c82ee133ab26744f9 [file] [log] [blame] [edit]
/*
* Copyright (C) 2020 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
#define LOG_TAG "TunForwarder"
#include "tun_forwarder.h"
#include <arpa/inet.h>
#include <linux/if.h>
#include <linux/if_tun.h>
#include <linux/ioctl.h>
#include <netinet/ip6.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <sys/eventfd.h>
#include <sys/poll.h>
#include <android-base/logging.h>
extern "C" {
#include <netutils/checksum.h>
}
using android::base::Error;
using android::base::Result;
using android::base::unique_fd;
using android::netdutils::Slice;
namespace android::net {
static constexpr int MAXMTU = 1500;
static constexpr ssize_t TUN_HDRLEN = sizeof(struct tun_pi);
static constexpr ssize_t IP4_HDRLEN = sizeof(struct iphdr);
static constexpr ssize_t IP6_HDRLEN = sizeof(struct ip6_hdr);
static constexpr ssize_t TCP_HDRLEN = sizeof(struct tcphdr);
static constexpr ssize_t UDP_HDRLEN = sizeof(struct udphdr);
namespace {
bool operator==(const in6_addr& x, const in6_addr& y) {
return std::memcmp(x.s6_addr, y.s6_addr, 16) == 0;
}
bool operator!=(const in6_addr& x, const in6_addr& y) {
return !(x == y);
}
bool operator<(const in6_addr& x, const in6_addr& y) {
return std::memcmp(x.s6_addr, y.s6_addr, 16) < 0;
}
} // namespace
Result<TunForwarder::v4pair> TunForwarder::v4pair::makePair(
const std::array<std::string, 2>& addrs) {
v4pair pair;
if (inet_pton(AF_INET, addrs[0].c_str(), &pair.src) != 1 ||
inet_pton(AF_INET, addrs[1].c_str(), &pair.dst) != 1) {
return Error() << "Failed to make v4pair";
}
return pair;
}
bool TunForwarder::v4pair::operator==(const v4pair& o) const {
return std::tie(src.s_addr, dst.s_addr) == std::tie(o.src.s_addr, o.dst.s_addr);
}
bool TunForwarder::v4pair::operator<(const v4pair& o) const {
return std::tie(src.s_addr, dst.s_addr) < std::tie(o.src.s_addr, o.dst.s_addr);
}
Result<TunForwarder::v6pair> TunForwarder::v6pair::makePair(
const std::array<std::string, 2>& addrs) {
v6pair pair;
if (inet_pton(AF_INET6, addrs[0].c_str(), &pair.src) != 1 ||
inet_pton(AF_INET6, addrs[1].c_str(), &pair.dst) != 1) {
return Error() << "Failed to make v6pair";
}
return pair;
}
bool TunForwarder::v6pair::operator==(const v6pair& o) const {
return src == o.src && dst == o.dst;
}
bool TunForwarder::v6pair::operator<(const v6pair& o) const {
if (src != o.src) return src < o.src;
return dst < o.dst;
}
TunForwarder::TunForwarder(unique_fd tunFd) : mTunFd(std::move(tunFd)) {
mEventFd.reset(eventfd(0, EFD_NONBLOCK | EFD_CLOEXEC));
}
TunForwarder::~TunForwarder() {
stopForwarding();
if (mForwarder.joinable()) {
mForwarder.join();
}
}
bool TunForwarder::startForwarding() {
if (mForwarder.joinable()) return false;
mForwarder = std::thread(&TunForwarder::loop, this);
return true;
}
bool TunForwarder::stopForwarding() {
return signalEventFd();
}
// Assume all of the strings in |from| and |to| are the IP addresses of the same IP version.
bool TunForwarder::addForwardingRule(const std::array<std::string, 2>& from,
const std::array<std::string, 2>& to) {
const bool isV4 = (from[0].find(':') == from[0].npos);
if (isV4) {
auto k = v4pair::makePair(from);
auto v = v4pair::makePair(to);
if (!k.ok() || !v.ok()) return false;
mRulesIpv4[k.value()] = v.value();
} else {
auto k = v6pair::makePair(from);
auto v = v6pair::makePair(to);
if (!k.ok() || !v.ok()) return false;
mRulesIpv6[k.value()] = v.value();
}
return true;
}
unique_fd TunForwarder::createTun(const std::string& ifname) {
unique_fd fd(open("/dev/tun", O_RDWR | O_NONBLOCK | O_CLOEXEC));
if (!fd.ok() == -1) {
return {};
}
ifreq ifr = {
.ifr_ifru = {.ifru_flags = IFF_TUN},
};
strlcpy(ifr.ifr_name, ifname.data(), sizeof(ifr.ifr_name));
if (ioctl(fd.get(), TUNSETIFF, &ifr) == -1) {
PLOG(WARNING) << "failed to bring up tun " << ifr.ifr_name;
return {};
}
unique_fd inet6CtrlSock(socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0));
ifr.ifr_flags = IFF_UP;
if (ioctl(inet6CtrlSock.get(), SIOCSIFFLAGS, &ifr) == -1) {
PLOG(WARNING) << "failed on SIOCSIFFLAGS " << ifr.ifr_name;
return {};
}
return fd;
}
void TunForwarder::loop() {
while (true) {
struct pollfd wait_fd[] = {
{mEventFd, POLLIN, 0},
{mTunFd.get(), POLLIN, 0},
};
if (int ret = poll(wait_fd, std::size(wait_fd), kPollTimeoutMs); ret <= 0) {
break;
}
if (wait_fd[0].revents & (POLLIN | POLLERR)) {
uint64_t value = 0;
eventfd_read(mEventFd, &value);
break;
}
if (wait_fd[1].revents & (POLLIN | POLLERR)) {
handlePacket(wait_fd[1].fd);
}
}
}
void TunForwarder::handlePacket(int fd) const {
uint8_t buf[MAXMTU + TUN_HDRLEN];
ssize_t readlen = read(fd, buf, std::size(buf));
if (readlen < 0) {
PLOG(ERROR) << "failed to read packets from tun";
return;
} else if (readlen == 0) {
PLOG(ERROR) << "tun interface removed";
return;
}
// Filter the packet. Only TCP and UDP packets are allowed.
const Slice tunPacket(buf, readlen);
if (auto result = validatePacket(tunPacket); !result.ok()) {
LOG(DEBUG) << "validatePacket failed: " << result.error();
return;
}
// Change the packet's source/destination address and checksum.
if (auto result = translatePacket(tunPacket); !result.ok()) {
LOG(ERROR) << "translatePacket failed: " << result.error();
}
// Write the new packet to the fd, causing the kernel to receive it on the tun interface.
write(fd, buf, readlen);
}
Result<void> TunForwarder::validatePacket(Slice tunPacket) const {
if (tunPacket.size() < TUN_HDRLEN) {
return Error() << "Too short for a tun header";
}
const tun_pi* const tunHeader = reinterpret_cast<tun_pi*>(tunPacket.base());
if (tunHeader->flags != 0) {
return Error() << "Unexpected tun flags " << static_cast<int>(tunHeader->flags);
}
switch (uint16_t proto = ntohs(tunHeader->proto); proto) {
case ETH_P_IP:
return validateIpv4Packet(drop(tunPacket, TUN_HDRLEN));
case ETH_P_IPV6:
return validateIpv6Packet(drop(tunPacket, TUN_HDRLEN));
default:
return Error() << "Unsupported packet type 0x" << std::hex << static_cast<int>(proto);
}
}
Result<void> TunForwarder::validateIpv4Packet(Slice ipv4Packet) const {
if (ipv4Packet.size() < IP4_HDRLEN) {
return Error() << "Too short for an ip header";
}
const iphdr* const ipHeader = reinterpret_cast<iphdr*>(ipv4Packet.base());
if (ipHeader->ihl < 5) {
return Error() << "IP header length set to less than 5";
}
if (ipHeader->ihl * 4 > ipv4Packet.size()) {
return Error() << "IP header length set too large: " << ipHeader->ihl;
}
if (ipHeader->version != 4) {
return Error() << "IP header version not 4: " << ipHeader->version;
}
if (mRulesIpv4.find({ipHeader->saddr, ipHeader->daddr}) == mRulesIpv4.end()) {
return Error() << "Can't find any v4 rule. Packet hex dump: " << toHex(ipv4Packet, 32);
}
switch (ipHeader->protocol) {
case IPPROTO_UDP:
return validateUdpPacket(drop(ipv4Packet, ipHeader->ihl * 4));
case IPPROTO_TCP:
return validateTcpPacket(drop(ipv4Packet, ipHeader->ihl * 4));
default:
return Error() << "Unsupported transport protocol "
<< static_cast<int>(ipHeader->protocol);
}
}
Result<void> TunForwarder::validateIpv6Packet(Slice ipv6Packet) const {
if (ipv6Packet.size() < IP6_HDRLEN) {
return Error() << "Too short for an ipv6 header";
}
const ip6_hdr* const ipv6Header = reinterpret_cast<ip6_hdr*>(ipv6Packet.base());
if (mRulesIpv6.find({ipv6Header->ip6_src, ipv6Header->ip6_dst}) == mRulesIpv6.end()) {
return Error() << "Can't find any v6 rule. Packet hex dump: " << toHex(ipv6Packet, 32);
}
switch (ipv6Header->ip6_nxt) {
case IPPROTO_UDP:
return validateUdpPacket(drop(ipv6Packet, IP6_HDRLEN));
case IPPROTO_TCP:
return validateTcpPacket(drop(ipv6Packet, IP6_HDRLEN));
default:
return Error() << "Expect TCP/UDP in ipv6 next header: "
<< static_cast<int>(ipv6Header->ip6_nxt);
}
}
Result<void> TunForwarder::validateUdpPacket(Slice udpPacket) const {
if (udpPacket.size() < UDP_HDRLEN) {
return Error() << "Too short for a udp header";
}
return {};
}
Result<void> TunForwarder::validateTcpPacket(Slice tcpPacket) const {
if (tcpPacket.size() < TCP_HDRLEN) {
return Error() << "Too short for a tcp header";
}
const tcphdr* const tcpHeader = reinterpret_cast<tcphdr*>(tcpPacket.base());
if (tcpHeader->doff < 5) {
return Error() << "TCP header length set to less than 5";
}
if (tcpHeader->doff * 4 > tcpPacket.size()) {
return Error() << "TCP header length set too large: " << tcpHeader->doff;
}
return {};
}
Result<void> TunForwarder::translatePacket(Slice tunPacket) const {
const tun_pi* const tunHeader = reinterpret_cast<tun_pi*>(tunPacket.base());
switch (uint16_t proto = ntohs(tunHeader->proto); proto) {
case ETH_P_IP:
return translateIpv4Packet(drop(tunPacket, TUN_HDRLEN));
case ETH_P_IPV6:
return translateIpv6Packet(drop(tunPacket, TUN_HDRLEN));
default:
return Error() << "translate: Unsupported packet type 0x" << std::hex
<< static_cast<int>(proto);
}
}
Result<void> TunForwarder::translateIpv4Packet(Slice ipv4Packet) const {
iphdr* ipHeader = reinterpret_cast<iphdr*>(ipv4Packet.base());
const size_t ipHeaderLen = ipHeader->ihl * 4;
const size_t transport_len = ipv4Packet.size() - ipHeaderLen;
uint32_t oldPseudoSum = ipv4_pseudo_header_checksum(ipHeader, transport_len);
for (const auto& [from, to] : mRulesIpv4) {
if (ipHeader->saddr == static_cast<int>(from.src.s_addr) &&
ipHeader->daddr == static_cast<int>(from.dst.s_addr)) {
ipHeader->saddr = to.src.s_addr;
ipHeader->daddr = to.dst.s_addr;
break;
}
}
uint32_t newPseudoSum = ipv4_pseudo_header_checksum(ipHeader, transport_len);
ipHeader->check = 0;
ipHeader->check = ip_checksum(ipHeader, sizeof(struct iphdr));
switch (ipHeader->protocol) {
case IPPROTO_UDP:
translateUdpPacket(drop(ipv4Packet, ipHeaderLen), oldPseudoSum, newPseudoSum);
break;
case IPPROTO_TCP:
translateTcpPacket(drop(ipv4Packet, ipHeaderLen), oldPseudoSum, newPseudoSum);
break;
default:
return Error() << "translate: Unsupported transport protocol "
<< static_cast<int>(ipHeader->protocol);
}
return {};
}
Result<void> TunForwarder::translateIpv6Packet(Slice ipv6Packet) const {
ip6_hdr* ipv6Header = reinterpret_cast<ip6_hdr*>(ipv6Packet.base());
const size_t ipHeaderLen = IP6_HDRLEN;
const size_t transport_len = ipv6Packet.size() - ipHeaderLen;
uint32_t oldPseudoSum =
ipv6_pseudo_header_checksum(ipv6Header, transport_len, ipv6Header->ip6_nxt);
for (const auto& [from, to] : mRulesIpv6) {
if (ipv6Header->ip6_src == from.src && ipv6Header->ip6_dst == from.dst) {
ipv6Header->ip6_src = to.src;
ipv6Header->ip6_dst = to.dst;
break;
}
}
uint32_t newPseudoSum =
ipv6_pseudo_header_checksum(ipv6Header, transport_len, ipv6Header->ip6_nxt);
switch (ipv6Header->ip6_nxt) {
case IPPROTO_UDP:
translateUdpPacket(drop(ipv6Packet, ipHeaderLen), oldPseudoSum, newPseudoSum);
break;
case IPPROTO_TCP:
translateTcpPacket(drop(ipv6Packet, ipHeaderLen), oldPseudoSum, newPseudoSum);
break;
default:
return Error() << "transliate: Expect TCP/UDP in ipv6 next header: "
<< static_cast<int>(ipv6Header->ip6_nxt);
}
return {};
}
void TunForwarder::translateUdpPacket(Slice udpPacket, uint32_t oldPseudoSum,
uint32_t newPseudoSum) const {
udphdr* udpHeader = reinterpret_cast<udphdr*>(udpPacket.base());
if (udpHeader->check) {
udpHeader->check = ip_checksum_adjust(udpHeader->check, oldPseudoSum, newPseudoSum);
} else {
uint32_t tmp = ip_checksum_add(newPseudoSum, udpPacket.base(), udpPacket.size());
udpHeader->check = ip_checksum_finish(tmp);
}
// RFC 768: "If the computed checksum is zero, it is transmitted as all ones (the equivalent
// in one's complement arithmetic)."
if (!udpHeader->check) {
udpHeader->check = 0xffff;
}
}
void TunForwarder::translateTcpPacket(Slice tcpPacket, uint32_t oldPseudoSum,
uint32_t newPseudoSum) const {
tcphdr* tcpHeader = reinterpret_cast<tcphdr*>(tcpPacket.base());
tcpHeader->check = ip_checksum_adjust(tcpHeader->check, oldPseudoSum, newPseudoSum);
}
bool TunForwarder::signalEventFd() {
return eventfd_write(mEventFd.get(), 1) == 0;
}
} // namespace android::net