diff --git a/src/common/mod.rs b/src/common/mod.rs index e568b1f..279de81 100644 --- a/src/common/mod.rs +++ b/src/common/mod.rs @@ -1,3 +1,4 @@ //! Common code used across all protomask binaries pub mod logging; +pub mod rfc6052; \ No newline at end of file diff --git a/src/common/rfc6052.rs b/src/common/rfc6052.rs new file mode 100644 index 0000000..66550b3 --- /dev/null +++ b/src/common/rfc6052.rs @@ -0,0 +1,116 @@ +//! Utilities for interacting with [RFC6052](https://datatracker.ietf.org/doc/html/rfc6052) "IPv4-Embedded IPv6 Addresses" + +use std::{ + cmp::{max, min}, + net::{Ipv4Addr, Ipv6Addr}, + str::FromStr, +}; + +use ipnet::Ipv6Net; + +/// Parses an [RFC6052 Section 2.2](https://datatracker.ietf.org/doc/html/rfc6052#section-2.2)-compliant IPv6 prefix from a string +pub fn parse_network_specific_prefix(string: &str) -> Result { + // First, parse to an IPv6Net struct + let net = Ipv6Net::from_str(string).map_err(|err| err.to_string())?; + + // Ensure the prefix length is one of the allowed lengths according to RFC6052 Section 2.2 + if ![32, 40, 48, 56, 64, 96].contains(&net.prefix_len()) { + return Err("Prefix length must be one of 32, 40, 48, 56, 64, or 96".to_owned()); + } + + // Return the parsed network struct + Ok(net) +} + +/// Embeds an IPv4 address into an IPv6 prefix +pub fn embed_to_ipv6(ipv4_addr: Ipv4Addr, ipv6_prefix: Ipv6Net) -> Ipv6Addr { + // Convert to integer types + let ipv4_addr = u32::from(ipv4_addr); + let prefix_len = ipv6_prefix.prefix_len() as i16; + let ipv6_prefix = u128::from(ipv6_prefix.addr()); + + // According to the RFC, the IPv4 address must be split on the boundary of bits 64..71. + // To accomplish this, we split the IPv4 address into two parts so we can separately mask + // and shift them into place on each side of the boundary + Ipv6Addr::from( + ipv6_prefix + | (((ipv4_addr as u128 & (0xffff_ffffu128 << (32 + min(0, prefix_len - 64)))) as u128) + << (128 - prefix_len - 32)) + | (((ipv4_addr as u128) << max(0, 128 - prefix_len - 32 - 8)) & 0x00ff_ffff_ffff_ffff), + ) +} + +#[cfg(test)] +mod tests { + use super::*; + + #[test] + fn test_embed_len_32() { + assert_eq!( + embed_to_ipv6( + "192.0.2.1".parse().unwrap(), + "64:ff9b::/32".parse().unwrap() + ), + "64:ff9b:c000:0201::".parse::().unwrap() + ); + } + + #[test] + fn test_embed_len_40() { + assert_eq!( + embed_to_ipv6( + "192.0.2.1".parse().unwrap(), + "64:ff9b::/40".parse().unwrap(), + ), + "64:ff9b:00c0:0002:0001::".parse::().unwrap() + ); + } + + #[test] + fn test_embed_len_48() { + assert_eq!( + embed_to_ipv6( + "192.0.2.1".parse().unwrap(), + "64:ff9b::/48".parse().unwrap(), + ), + "64:ff9b:0000:c000:0002:0100::".parse::().unwrap() + ); + } + + #[test] + fn test_embed_len_56() { + assert_eq!( + embed_to_ipv6( + "192.0.2.1".parse().unwrap(), + "64:ff9b::/56".parse().unwrap(), + ), + "64:ff9b:0000:00c0:0000:0201::".parse::().unwrap() + ); + } + + #[test] + fn test_embed_len_64() { + assert_eq!( + embed_to_ipv6( + "192.0.2.1".parse().unwrap(), + "64:ff9b::/64".parse().unwrap(), + ), + "64:ff9b:0000:0000:00c0:0002:0100::" + .parse::() + .unwrap() + ); + } + + #[test] + fn test_embed_len_96() { + assert_eq!( + embed_to_ipv6( + "192.0.2.1".parse().unwrap(), + "64:ff9b::/96".parse().unwrap(), + ), + "64:ff9b:0000:0000:0000:0000:c000:0201" + .parse::() + .unwrap() + ); + } +} diff --git a/src/protomask-clat.rs b/src/protomask-clat.rs index 150b650..f586e50 100644 --- a/src/protomask-clat.rs +++ b/src/protomask-clat.rs @@ -4,10 +4,15 @@ //! IPv4 traffic to IPv6 traffic for transmission over an IPv6-only ISP network. use clap::Parser; -use common::logging::enable_logger; +use common::{logging::enable_logger, rfc6052::parse_network_specific_prefix}; use easy_tun::Tun; +use interproto::protocols::ip::{translate_ipv4_to_ipv6, translate_ipv6_to_ipv4}; use ipnet::Ipv6Net; use nix::unistd::Uid; +use std::{ + io::{Read, Write}, + net::Ipv4Addr, +}; mod common; @@ -15,7 +20,7 @@ mod common; #[clap(author, version, about="IPv4 to IPv6 Customer-side transLATor (CLAT)", long_about = None)] struct Args { /// IPv6 prefix to embed IPv4 addresses in - #[clap(long="via", default_value_t = ("64:ff9b::/96").parse().unwrap())] + #[clap(long="via", default_value_t = ("64:ff9b::/96").parse().unwrap(), value_parser = parse_network_specific_prefix)] embed_prefix: Ipv6Net, /// Explicitly set the interface name to use @@ -44,8 +49,47 @@ pub async fn main() { // Bring up a TUN interface let mut tun = Tun::new(&args.interface).unwrap(); + // Translate all incoming packets log::info!("Translating packets on {}", tun.name()); + let mut buffer = vec![0u8; 1500]; loop { + // Read a packet + let len = tun.read(&mut buffer).unwrap(); + // Translate it based on the Layer 3 protocol number + let layer_3_proto = buffer[0] >> 4; + log::trace!("New packet with layer 3 protocol: {}", layer_3_proto); + let output = match layer_3_proto { + // IPv4 + 4 => { + // Get the IPv4 source and destination addresses + let ipv4_source = + u32::from_be_bytes([buffer[12], buffer[13], buffer[14], buffer[15]]); + let ipv4_destination = + u32::from_be_bytes([buffer[16], buffer[17], buffer[18], buffer[19]]); + + // Create a new IPv6 source and destination address by embedding the IPv4 addresses into the clat prefix + let new_source = u128::from(args.embed_prefix.addr()) | (ipv4_source as u128); + let new_destination = + u128::from(args.embed_prefix.addr()) | (ipv4_destination as u128); + + translate_ipv4_to_ipv6(&buffer[..len], new_source.into(), new_destination.into()) + } + + // IPv6 + 6 => translate_ipv6_to_ipv4( + &buffer[..len], + // NOTE: The new source and destination addresses are just the last + // 4 octets of the IPv6 source and destination addresses + Ipv4Addr::new(buffer[20], buffer[21], buffer[22], buffer[23]), + Ipv4Addr::new(buffer[36], buffer[37], buffer[38], buffer[39]), + ), + // Unknown + proto => { + log::warn!("Unknown Layer 3 protocol: {}", proto); + continue; + } + } + .unwrap(); } }