/*
  client facing interfaces:
   ifid, remoteid, subscriberid , trusted
 

   intercept traffic to ff02::1:2 udp port 547

   drop these message types:

   o  ADVERTISE (2)

   o  REPLY (7)

   o  RECONFIGURE (10)

   o  RELAY-REPL (13)

   o  RELAY-FORW (12) unless trusted


  copy ll and ip source and destination
  create RELAY-FORW


  network facing interfaces:

   intercept traffic from link local to link local udp dest port 547

   drop any message except

   o  RELAY-REPL (13)


  generic sanity:

   If a Relay-Message would exceed the MTU of the outgoing interface, it
   MUST be discarded, and an error condition SHOULD be logged.



  code sample:
http://aschauf.landshut.org/fh/linux/udp_vs_raw/ch01s03.html

 */

#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <netpacket/packet.h>
#include <linux/if_ether.h>
#include <linux/filter.h>
#include <netinet/in.h>
#include <netinet/ip6.h>
#include <netinet/udp.h>
#include "dhcpv6.h"

/* attempting to filter out IPv6 to udp port 547
  NOTE: This filter is created as short as possible for sorting out
  the interesting packets.  The packets need further sanity checking
  after matching this.  Addresses, source ports and DHCPv6 message
  types should be verified later.
 */
static struct sock_filter ipv6udp547[] = {
	/* Classic BPF program, 8 instructions.  Every jf (jump-if-false)
	   count below lands on the final "RET 0" (instruction 7); the
	   counts are relative to the *next* instruction, so they must be
	   recomputed if an instruction is inserted or removed.  Only
	   ethertype, next header and UDP destination port are checked;
	   addresses, source port and the DHCPv6 message type are left to
	   user space (see the TODO list in main()). */

	/* verify IPv6 */
        BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12),  /* 6 byte dst + 6 byte src */
        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETH_P_IPV6, 0, 5), /* 86dd */

	/* verify next header = udp (NOTE: ignoring any additional headers!
	   a frame carrying IPv6 extension headers before UDP is dropped here) */
        BPF_STMT(BPF_LD+BPF_B+BPF_ABS, 20),  /* 14 byte ethernet + 4 byte ipver/class/flow + 2byte payload len */ 
        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IPPROTO_UDP, 0, 3), /* udp = 17 */

	/* src IPv6 addr = 22, dst IPv6 addr = 38 - do not check these here */
	/* verify destination port (src port is at 54 and is not checked) */
        BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 56), /* 14 byte ethernet + 40 byte IPv6 + 2 byte src port */
        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 547, 0, 1),

	/* accept: (u_int)-1 asks for the whole frame to be passed up */
        BPF_STMT(BPF_RET+BPF_K, (u_int)-1),
	/* reject */
        BPF_STMT(BPF_RET+BPF_K, 0),
};

/* TODO:  create an alternate VLAN matching filter to allow us to use VLAN tags as interface IDs? */

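/*
 * Print a 6-byte hardware address to stderr as colon-separated hex,
 * without a trailing newline.
 *
 * mac must point to at least 6 readable bytes; the caller is
 * responsible for that (sockaddr_ll.sll_halen tells how many are valid).
 *
 * Returns what fprintf() returns: the number of characters written
 * (17 for a complete address) or a negative value on an output error.
 * The original version declared int but returned nothing, which is
 * undefined if a caller ever uses the value.
 */
int print_mac(const char *mac) {
	/* go through unsigned char so the bytes are passed as 0..255 rather
	   than relying on %hhx to undo a sign extension */
	const unsigned char *m = (const unsigned char *)mac;

	return fprintf(stderr, "%02hhx:%02hhx:%02hhx:%02hhx:%02hhx:%02hhx",
		m[0], m[1], m[2], m[3], m[4], m[5]);
}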

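/*
 * Hex-dump len bytes starting at buf to stderr: 16 bytes per line, each
 * line prefixed with its offset, an extra space after every 8 bytes, and
 * a blank line after the dump.
 *
 * buf may be NULL only when len is 0 (then just the blank line is
 * printed).
 *
 * Returns the number of bytes dumped, i.e. len, converted to int (this
 * is a debugging aid for frame-sized buffers, output errors are not
 * detected).  The original version declared int but returned nothing.
 */
int print_hex(const char *buf, size_t len) {
	/* unsigned view of the data so every byte is passed as 0..255 */
	const unsigned char *p = (const unsigned char *)buf;

	if (p == NULL)
		len = 0;

	for (size_t i = 0; i < len; i++) {
		if (i % 16 == 0)
			fprintf(stderr, "\n%04zx", i);
		if (i % 8 == 0)
			fprintf(stderr, " ");
		fprintf(stderr, " %02hhx", p[i]);
	}
	fprintf(stderr, "\n\n");

	return (int)len;
}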

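/*
 * Prototype relay front end: open a raw packet socket, attach the
 * ipv6udp547 BPF program, receive ONE frame, dump it and print the
 * lengths found in the IPv6/UDP headers plus the DHCPv6 message type.
 * The actual relay logic is still the TODO list in the body.
 *
 * argc/argv are unused.  The AF_PACKET socket needs CAP_NET_RAW.
 *
 * Returns EXIT_SUCCESS when a frame was received and its headers fit in
 * the received length; EXIT_FAILURE on any socket, filter or allocation
 * error, or when the frame is too short to be parsed safely.
 */
int main(int argc, char *argv[]) {
	int rc = EXIT_FAILURE;
	int s = -1;
	char *buf = NULL;
	struct sockaddr_ll ll;
	socklen_t fromlen;
	ssize_t len;
	struct sock_fprog fprog;
	size_t hdr_len, need;

	struct ip6_hdr *ip6;
	struct udphdr *udp;
	struct dhcpv6_msg *dhcpv6;

	(void)argc;
	(void)argv;

	/* ETH_P_ALL also delivers frames this host transmits (sll_pkttype ==
	   PACKET_OUTGOING); nothing below filters those out yet. */
	s = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); /* use ETH_P_IPV6 ? */
	if (s == -1) {
		fprintf(stderr, "%s(): socket failed: %m\n", __func__);
		goto out;
	}

/* from packet(7):

     By default all packets of the specified protocol type are passed to a packet
       socket.  To only get packets from a specific interface use bind(2) specifying
       an address in a struct sockaddr_ll to bind the packet socket to an interface.
       Only the sll_protocol and the sll_ifindex address fields are used for purposes
       of binding.

 from socket(7):

BUGS
       The CONFIG_FILTER socket options SO_ATTACH_FILTER and SO_DETACH_FILTER are not documented.  The  suggested
       interface to use them is via the libpcap library.

 from linux/Documentation/networking/filter.txt :

setsockopt(sockfd, SOL_SOCKET, SO_ATTACH_FILTER, &Filter, sizeof(Filter));
setsockopt(sockfd, SOL_SOCKET, SO_DETACH_FILTER, &value, sizeof(value));

See the BSD bpf.4 manpage and the BSD Packet Filter paper written by
Steven McCanne and Van Jacobson of Lawrence Berkeley Laboratory.



  see also linux/net/core/filter.c

 and /usr/include/linux/filter.h
*/

	memset(&fprog, 0, sizeof fprog);
	fprog.len = sizeof ipv6udp547 / sizeof ipv6udp547[0];
	fprog.filter = ipv6udp547;

	/* Without the filter the socket sees every frame on the host and the
	   header overlay below would run on arbitrary data, so a failed
	   attach is fatal rather than ignored.  Frames queued between
	   socket() and this point were never filtered; the length checks
	   below keep that harmless, but the first frame read may then not
	   be DHCPv6 at all. */
	if (setsockopt(s, SOL_SOCKET, SO_ATTACH_FILTER, &fprog, sizeof fprog) == -1) {
		fprintf(stderr, "%s(): SO_ATTACH_FILTER failed: %m\n", __func__);
		goto out;
	}

	buf = malloc(ETH_FRAME_LEN);
	if (buf == NULL) {
		fprintf(stderr, "%s(): malloc failed: %m\n", __func__);
		goto out;
	}

	/* frames longer than ETH_FRAME_LEN are truncated to the buffer
	   (MSG_TRUNC is not requested, so len is the copied length) */
	memset(&ll, 0, sizeof ll);
	fromlen = sizeof ll;
	len = recvfrom(s, buf, ETH_FRAME_LEN, 0, (struct sockaddr *)&ll, &fromlen);
	if (len == -1) {
		fprintf(stderr, "%s(): recvfrom failed: %m\n", __func__);
		goto out;
	}

	fprintf(stderr, "%s(): received %zd bytes from address with len=%d\n", __func__, len, ll.sll_halen);
	/* print_mac() reads exactly 6 bytes; only meaningful for Ethernet */
	if (ll.sll_halen == ETH_ALEN)
		print_mac((char *)ll.sll_addr);
	else
		fprintf(stderr, "(hardware address is not %d bytes)", ETH_ALEN);
	fprintf(stderr, "\n");

	print_hex(buf, (size_t)len);


	/* TODO:
	   verify that packet arrived on one of the interfaces we're watching,
           and decide whether it is going up or down based on interface.

	   up:
	   verify that destination address is ff02::1:2
	   verify that source address is link local
	   verify that source port is 546
	   verify that message type is not one of the forbidden ones

	   get hop count from original packet if type is RELAY-FORW
	   and interface is trusted
	 
	   insert new options, including DHCPPACKET attribute between
	   udp header and original DHCP packet

	   outgoing interface is the predefined upstream interface


	   down:
	   verify that destination and source address is link local
	   verify that source port is 547
	   verify that message type is RELAY-REPL (13)

	   strip away the outer RELAY envelope, using the interface-id to select outgoing interface

	   common code:
	   
	   fixup both IPv6 payload length and UDP length
	   verify that the new length doesn't exceed outgoing interface MTU (or log error)
	   fixup UDP checksum
	   transmit on the selected outgoing interface (FIXME: support multiple upstream interfaces?)

	   

	 */

	/* Never overlay the header structs before checking that the bytes
	   are really there: the received length is whatever the wire gave
	   us, and the filter may not have been in place for this frame. */
	hdr_len = sizeof(struct ethhdr) + sizeof *ip6 + sizeof *udp;
	need = hdr_len + offsetof(struct dhcpv6_msg, msg_type) + sizeof dhcpv6->msg_type;
	if ((size_t)len < need) {
		fprintf(stderr, "%s(): frame too short (%zd bytes, need %zu), dropped\n", __func__, len, need);
		goto out;
	}

	/* NOTE: the IPv6/UDP headers start at offset 14 in buf, which is only
	   2-byte aligned.  Fine on x86; on targets that trap on misaligned
	   loads the fields would have to be memcpy'd out instead. */
	ip6 = (struct ip6_hdr *)(buf + sizeof(struct ethhdr));
	udp = (struct udphdr *)(buf + sizeof(struct ethhdr) + sizeof *ip6);
	dhcpv6 = (struct dhcpv6_msg *)(buf + hdr_len);

	/* the payload length claimed by the IPv6 header must fit in what
	   was actually received before anything trusts it */
	if (sizeof(struct ethhdr) + sizeof *ip6 + ntohs(ip6->ip6_plen) > (size_t)len) {
		fprintf(stderr, "%s(): ip6_plen=%u exceeds received frame, dropped\n",
			__func__, (unsigned)ntohs(ip6->ip6_plen));
		goto out;
	}

	/* %u rather than %hd: lengths above 32767 are valid and must not
	   print as negative numbers */
	fprintf(stderr, "ip6.ip6_plen=%u, udp.len=%u, dhcpv6.msg_type=%u\n",
		(unsigned)ntohs(ip6->ip6_plen), (unsigned)ntohs(udp->len), (unsigned)dhcpv6->msg_type);

	rc = EXIT_SUCCESS;

out:
	free(buf);
	if (s != -1)
		close(s);
	return rc;
}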