evan/protomask
1
Fork 0
Code

Merge pull request #15 from ewpratten/ewpratten/reorg2

Browse Source 
Split into two binaries, clean things up
This commit is contained in:
Evan Pratten 2024-02-12 09:47:11 -05:00 committed by GitHub
commit 9de65c2e90
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
99 changed files with 3289 additions and 2548 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.cargo/config.toml Normal file
View File

@ -0,0 +1,2 @@
[registries.crates-io]
protocol = "sparse"

5
.github/workflows/audit.yml vendored
View File

@ -1,4 +1,4 @@
name: Security audit
name: Audit
on:
push:
@ -17,7 +17,8 @@ permissions:
contents: read
jobs:
security_audit:
rust_audit:
name: Rust Audit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1

78
.github/workflows/build.yml vendored
View File

@ -3,30 +3,90 @@ name: Build
on:
pull_request:
push:
paths:
- '.github/workflows/build.yml'
- '**/Cargo.toml'
- '**/Cargo.lock'
- '**/src/*'
paths:
- ".github/workflows/build.yml"
- "**/Cargo.toml"
- "**/Cargo.lock"
- "**/src/*"
jobs:
build_and_test:
name: Rust project
name: Build & Test
# Use a build matrix to run this job targeting all supported platforms
runs-on: ubuntu-latest
strategy:
matrix:
# All supported targets
target:
- x86_64-unknown-linux-musl
- aarch64-unknown-linux-musl
# All supported Rust channels
rust_channel:
- stable
# Common build steps
steps:
- uses: actions/checkout@v2
- uses: actions-rs/toolchain@v1
with:
toolchain: stable
toolchain: ${{ matrix.rust_channel }}
override: true
# Builds targeting aarch64 require `aarch64-linux-gnu-strip`
- name: Install aarch64-linux-gnu-strip
if: matrix.target == 'aarch64-unknown-linux-musl'
run: sudo apt-get update && sudo apt-get install -y binutils-aarch64-linux-gnu
- name: Install cargo-deb
uses: actions-rs/cargo@v1
with:
command: install
args: cargo-deb
- name: Compile
uses: actions-rs/cargo@v1
with:
use-cross: true
command: build
args: --release
args: --release --target ${{ matrix.target }}
- name: Run Tests
uses: actions-rs/cargo@v1
with:
use-cross: true
command: test
args: --release
args: --all --release --target ${{ matrix.target }}
- name: Package DEB
uses: actions-rs/cargo@v1
with:
use-cross: false
command: deb
args: --target ${{ matrix.target }} --no-build
- name: Upload DEB
uses: actions/upload-artifact@v3
with:
name: debian-packages
path: target/${{ matrix.target }}/debian/*.deb
- name: Determine binary sizes
id: get-bin-size-info
run: |
body="$(du -h target/${{ matrix.target }}/release/protomask{,-clat,-6over4} | sort -hr)"
delimiter="$(openssl rand -hex 8)"
echo "body<<$delimiter" >> $GITHUB_OUTPUT
echo "$body" >> $GITHUB_OUTPUT
echo "$delimiter" >> $GITHUB_OUTPUT
- name: Add binary size info to commit
uses: peter-evans/commit-comment@v2
with:
body: |
## Binary sizes for `${{ matrix.target }}`
**Channel:** `${{ matrix.rust_channel }}`
```
${{ steps.get-bin-size-info.outputs.body }}
```

23
.github/workflows/clippy.yml vendored
View File

@ -1,23 +0,0 @@
name: Clippy check
on:
push:
paths:
- '.github/workflows/clippy.yml'
- '**/Cargo.toml'
- '**/*.rs'
permissions:
checks: write
contents: read
jobs:
clippy_check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- run: rustup component add clippy
- uses: actions-rs/clippy-check@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
args: --all-features

36
.github/workflows/lint.yml vendored Normal file
View File

@ -0,0 +1,36 @@
name: Lint
on:
push:
paths:
- '.github/workflows/lint.yml'
- '**/Cargo.toml'
- '**/*.rs'
permissions:
checks: write
contents: read
jobs:
clippy:
name: Clippy
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- name: Install clippy
run: rustup component add clippy
- name: Run clippy
uses: actions-rs/clippy-check@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
args: --all-features
rustfmt:
name: rustfmt
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- name: Install rustfmt
run: rustup component add rustfmt
- name: Check formatting
run: cargo fmt --all --check

5
.markdownlint.json Normal file
View File

@ -0,0 +1,5 @@
{
"MD033": false,
"MD013": false,
"MD022": false
}

17
.vscode/settings.json vendored
View File

@ -5,5 +5,20 @@
"pnet",
"Protomask",
"rtnetlink"
]
],
"[yaml]": {
"editor.insertSpaces": true,
"editor.tabSize": 2,
"editor.autoIndent": "advanced",
"diffEditor.ignoreTrimWhitespace": false
},
"files.associations": {
"*.json.liquid": "json",
"*.yaml.liquid": "yaml",
"*.md.liquid": "markdown",
"*.js.liquid": "liquid-javascript",
"*.css.liquid": "liquid-css",
"*.scss.liquid": "liquid-scss",
"docs/website/_redirects": "plaintext"
}
}

23
.vscode/tasks.json vendored
View File

@ -4,6 +4,9 @@
{
"type": "cargo",
"command": "build",
"args": [
"--workspace"
],
"problemMatcher": [
"$rustc",
"$rust-panic"
@ -14,12 +17,30 @@
{
"type": "cargo",
"command": "test",
"args": [
"--workspace"
],
"problemMatcher": [
"$rustc",
"$rust-panic"
],
"group": "test",
"label": "rust: cargo test"
}
},
{
"type": "cargo",
"command": "doc",
"args": [
"--no-deps",
"--workspace",
"--document-private-items"
],
"problemMatcher": [
"$rustc",
"$rust-panic"
],
"group": "build",
"label": "rust: cargo doc"
}
]
}

1
CODEOWNERS Normal file
View File

@ -0,0 +1 @@
* @ewpratten

127
Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "protomask"
version = "0.2.0"
version = "1.0.0"
authors = ["Evan Pratten <ewpratten@gmail.com>"]
edition = "2021"
description = "A user space NAT64 implementation"
@ -11,46 +11,107 @@ repository = "https://github.com/ewpratten/protomask"
license = "GPL-3.0"
keywords = []
categories = []
exclude = ["/.github/", "/.vscode/"]
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies]
protomask-tun = { path = "protomask-tun", version = "0.1.0" }
tokio = { version = "1.29.1", features = [
"macros",
"rt-multi-thread",
# "process",
"sync"
] }
clap = { version = "4.3.11", features = ["derive"] }
serde = { version = "1.0.171", features = ["derive"] }
ipnet = { version = "2.8.0", features = ["serde"] }
hyper = { version = "0.14.27", features = ["server", "http1", "tcp"] }
owo-colors = { version = "3.5.0", features = ["supports-colors"] }
toml = "0.7.6"
log = "0.4.19"
fern = "0.6.2"
serde_path_to_error = "0.1.13"
thiserror = "1.0.43"
tun-tap = "0.1.3"
bimap = "0.6.3"
pnet_packet = "0.34.0"
rtnetlink = "0.13.0"
futures = "0.3.28"
prometheus = "0.13.3"
lazy_static = "1.4.0"
[workspace]
members = [
"libs/easy-tun",
"libs/fast-nat",
"libs/interproto",
"libs/rfc6052",
"libs/rtnl",
"libs/protomask-metrics",
]
[features]
default = []
profiler = [
"puffin",
"puffin_http",
"easy-tun/profile-puffin",
"fast-nat/profile-puffin",
"interproto/profile-puffin",
]
[[bin]]
name = "protomask"
path = "src/cli/main.rs"
path = "src/protomask.rs"
[[bin]]
name = "protomask-clat"
path = "src/protomask-clat.rs"
[[bin]]
name = "protomask-6over4"
path = "src/protomask-6over4.rs"
[dependencies]
# Internal dependencies
easy-tun = { path = "libs/easy-tun" }
fast-nat = { path = "libs/fast-nat" }
interproto = { path = "libs/interproto", features = ["metrics"] }
rfc6052 = { path = "libs/rfc6052" }
rtnl = { path = "libs/rtnl", features = ["tokio"] }
protomask-metrics = { path = "libs/protomask-metrics" }
# External Dependencies
tokio = { version = "1.29.1", features = ["macros", "rt-multi-thread"] }
owo-colors = { version = "3.5.0", features = ["supports-colors"] }
clap = { version = "4.3.11", features = ["derive"] }
ipnet = { version = "2.8.0", features = ["serde"] }
puffin_http = { version = "0.13.0", optional = true }
puffin = { version = "0.16.0", optional = true }
serde = { version = "^1.0", features = ["derive"] }
serde_json = "^1.0"
log = "0.4.19"
fern = "0.6.2"
nix = "0.26.2"
thiserror = "1.0.44"
cfg-if = "1.0.0"
profiling = "1.0.9"
[profile.release]
opt-level = 3
lto = true
[package.metadata.deb]
section = "network"
assets = [
["target/release/protomask", "/usr/local/bin/protomask", "755"],
["./protomask.toml", "/etc/protomask.toml", "644"],
["README.md", "usr/share/doc/protomask/README.md", "644"]
[
"target/release/protomask",
"/usr/local/bin/protomask",
"755",
],
[
"target/release/protomask-clat",
"/usr/local/bin/protomask-clat",
"755",
],
[
"target/release/protomask-6over4",
"/usr/local/bin/protomask-6over4",
"755",
],
[
"config/protomask.json",
"/etc/protomask/protomask.json",
"644",
],
[
"config/protomask-clat.json",
"/etc/protomask/protomask-clat.json",
"644",
],
[
"README.md",
"/usr/share/doc/protomask/README.md",
"644",
],
]
conf-files = ["/etc/protomask.toml"]
conf-files = []
depends = []
maintainer-scripts = "./debian/"
systemd-units = { enable = false }
systemd-units = [
{ unit-name = "protomask-service", enable = false },
{ unit-name = "protomask-clat-service", enable = false },
]

17
Makefile
View File

@ -1,17 +0,0 @@
# All sources used to build the protomask binary
SRC = Cargo.toml $(shell find src/ -type f -name '*.rs') $(shell find protomask-tun/src/ -type f -name '*.rs')
# Used to auto-version things
CRATE_VERSION = $(shell sed -n -r "s/^version = \"([0-9\.]+)\"/\1/p" Cargo.toml)
target/x86_64-unknown-linux-musl/release/protomask: $(SRC)
cross build --target x86_64-unknown-linux-musl --release
target/aarch64-unknown-linux-musl/release/protomask: $(SRC)
cross build --target aarch64-unknown-linux-musl --release
target/x86_64-unknown-linux-musl/debian/protomask_${CRATE_VERSION}_amd64.deb: target/x86_64-unknown-linux-musl/release/protomask
cargo deb --target x86_64-unknown-linux-musl --no-build
target/aarch64-unknown-linux-musl/debian/protomask_${CRATE_VERSION}_arm64.deb: target/aarch64-unknown-linux-musl/release/protomask
cargo deb --target aarch64-unknown-linux-musl --no-build

135
README.md
View File

@ -1,42 +1,72 @@
# protomask
[![Crates.io](https://img.shields.io/crates/v/protomask)](https://crates.io/crates/protomask)
[![Docs.rs](https://docs.rs/protomask/badge.svg)](https://docs.rs/protomask)
[![Build](https://github.com/Ewpratten/protomask/actions/workflows/build.yml/badge.svg)](https://github.com/Ewpratten/protomask/actions/workflows/build.yml)
# `protomask`: Fast & reliable user space NAT64
[![GitHub release](https://img.shields.io/github/v/release/ewpratten/protomask)](https://github.com/ewpratten/protomask/releases/latest)
[![Build](https://github.com/Ewpratten/protomask/actions/workflows/build.yml/badge.svg)](https://github.com/ewpratten/protomask/actions/workflows/build.yml)
[![Audit](https://github.com/ewpratten/protomask/actions/workflows/audit.yml/badge.svg)](https://github.com/ewpratten/protomask/actions/workflows/audit.yml)
**A user space [NAT64](https://en.wikipedia.org/wiki/NAT64) implementation.**
> The protomask tool suite is a collection of user space tools that translate packets between OSI layer 3 protocol versions
Protomask started as a challenge to create a NAT64 implementation in a weekend. The goal of protomask is to *keep things simple*.
This repository (referred to as the *protomask tool suite*) contains the following sub-projects:
There aren't many knobs to tweak, so stateful NAT or source address filtering will require protomask to be paired with a utility like `iptables`.
## How it works
Protomask operates by listening on an IPv6 `/96` prefix for incoming traffic.
When a new IPv6 host sends traffic through protomask, it is dynamically assigned an IPv4 address from a pool of addresses on a first-come-first-serve basis.
From then on, all subsequent packets coming from that same IPv6 host will be NATed through the assigned IPv4 address until the reservation period expires. Likewise, a similar process occurs for return traffic.
For hosts that necessitate a consistent IPv4 address, it is possible to configure a static mapping in the configuration file. This ensures it always communicates using the same IPv4 address no matter how long it is offline for. This is useful for single-stack hosts that need IPv4 DNS entries.
## Configuration
Protomask uses a [TOML](https://toml.io) configuration file. Here is a functional example:
```toml
# The NAT64 prefix to route to protomask
Nat64Prefix = "64:ff9b::/96"
# Setting this will enable prometheus metrics
Prometheus = "[::1]:8080" # Optional, defaults to disabled
[Pool]
# All prefixes in the pool
Prefixes = ["192.0.2.0/24"]
# The maximum duration an ipv4 address from the pool will be reserved for after becoming idle
MaxIdleDuration = 7200 # Optional, seconds. Defaults to 7200 (2 hours)
# Permanent address mappings
Static = [{ v4 = "192.0.2.2", v6 = "2001:db8:1::2" }]
```
<table>
<thead>
<tr>
<td><strong>Crate</strong></td>
<td><strong>Info</strong></td>
<td><strong>Latest Version</strong></td>
</tr>
</thead>
<tbody>
<tr>
<td><a href="./src/protomask.rs"><code>protomask</code></a></td>
<td>User space NAT64 implementation</td>
<td><a href="https://crates.io/crates/protomask"><img src="https://img.shields.io/crates/v/protomask" alt="crates.io"></a></td>
</tr>
<tr>
<td><a href="./src/protomask-clat.rs"><code>protomask-clat</code></a></td>
<td>User space Customer-side transLATor (CLAT) implementation</td>
<td><a href="https://crates.io/crates/protomask"><img src="https://img.shields.io/crates/v/protomask" alt="crates.io"></a></td>
</tr>
<tr>
<td><a href="./libs/easy-tun/"><code>easy-tun</code></a></td>
<td>A pure-rust TUN interface library</td>
<td>
<a href="https://crates.io/crates/easy-tun"><img src="https://img.shields.io/crates/v/easy-tun" alt="crates.io"></a>
<a href="https://docs.rs/easy-tun"><img src="https://docs.rs/easy-tun/badge.svg" alt="docs.rs"></a>
</td>
</tr>
<tr>
<td><a href="./libs/fast-nat/"><code>fast-nat</code></a></td>
<td>An OSI layer 3 Network Address Table built for speed</td>
<td>
<a href="https://crates.io/crates/fast-nat"><img src="https://img.shields.io/crates/v/fast-nat" alt="crates.io"></a>
<a href="https://docs.rs/fast-nat"><img src="https://docs.rs/fast-nat/badge.svg" alt="docs.rs"></a>
</td>
</tr>
<tr>
<td><a href="./libs/interproto/"><code>interproto</code></a></td>
<td>Utilities for translating packets between IPv4 and IPv6</td>
<td>
<a href="https://crates.io/crates/interproto"><img src="https://img.shields.io/crates/v/interproto" alt="crates.io"></a>
<a href="https://docs.rs/interproto"><img src="https://docs.rs/interproto/badge.svg" alt="docs.rs"></a>
</td>
</tr>
<tr>
<td><a href="./libs/rfc6052/"><code>rfc6052</code></a></td>
<td>A Rust implementation of RFC6052</td>
<td>
<a href="https://crates.io/crates/rfc6052"><img src="https://img.shields.io/crates/v/rfc6052" alt="crates.io"></a>
<a href="https://docs.rs/rfc6052"><img src="https://docs.rs/rfc6052/badge.svg" alt="docs.rs"></a>
</td>
</tr>
<tr>
<td><a href="./libs/rtnl/"><code>rtnl</code></a></td>
<td>Slightly sane wrapper around rtnetlink</td>
<td>
<a href="https://crates.io/crates/rtnl"><img src="https://img.shields.io/crates/v/rtnl" alt="crates.io"></a>
<a href="https://docs.rs/rtnl"><img src="https://docs.rs/rtnl/badge.svg" alt="docs.rs"></a>
</td>
</tbody>
</table>
## Installation
@ -51,7 +81,7 @@ Then, install with:
```sh
apt install /path/to/protomask_<version>_<arch>.deb
# You can also edit the config file in /etc/protomask.toml
# You can also edit the config file in /etc/protomask.json
# And once ready, start protomask with
systemctl start protomask
```
@ -64,14 +94,29 @@ cargo install protomask
## Usage
```text
Usage: protomask [OPTIONS] <CONFIG_FILE>
The `protomask` and `protomask-clat` binaries are mostly self-sufficient.
Arguments:
<CONFIG_FILE> Path to the config file
### Nat64
Options:
-v, --verbose Enable verbose logging
-h, --help Print help
-V, --version Print version
To start up a NAT64 server on the Well-Known Prefix (WKP), run:
```bash
protomask --pool-prefix <prefix>
```
Where `<prefix>` is some block of addresses that are routed to the machine running protomask.
For more information, run `protomask --help`. Configuration may also be supplied via a JSON file. See the [example config](./config/protomask.json) for more information.
### CLAT
To start up a CLAT server on the Well-Known Prefix (WKP), run:
```bash
protomask-clat --customer-prefix <prefix>
```
Where `<prefix>` is some block of addresses that are routed to the machine running protomask. This would generally be the address range of a home network when run on CPE. It may also be an individual client address if run on a client device instead of a router.
For more information, run `protomask-clat --help`. Configuration may also be supplied via a JSON file. See the [example config](./config/protomask-clat.json) for more information.

7
config/protomask-clat.json Normal file
View File

@ -0,0 +1,7 @@
{
"via": "64:ff9b::/96",
"customer_pool": [
"192.0.2.0/24"
],
"prometheus_bind_addr": "[::1]:8999"
}

14
config/protomask.json Normal file
View File

@ -0,0 +1,14 @@
{
"prefix": "64:ff9b::/96",
"pool": [
"192.0.2.0/24"
],
"static_map": [
{
"ipv4": "192.0.2.1",
"ipv6": "2001:db8::1"
}
],
"prometheus_bind_addr": "[::1]:8999",
"reservation_timeout": 7200
}

9
debian/protomask-clat-service vendored Normal file
View File

@ -0,0 +1,9 @@
[Unit]
Description = Protomask CLAT
After = network.target
[Service]
ExecStart = /usr/local/bin/protomask-clat --config /etc/protomask/protomask-clat.json
[Install]
WantedBy=multi-user.target

2
debian/service → debian/protomask-service vendored
View File

@ -3,7 +3,7 @@ Description = Protomask
After = network.target
[Service]
ExecStart = /usr/local/bin/protomask /etc/protomask.toml
ExecStart = /usr/local/bin/protomask --config /etc/protomask/protomask.json
[Install]
WantedBy=multi-user.target

27
libs/easy-tun/Cargo.toml Normal file
View File

@ -0,0 +1,27 @@
[package]
name = "easy-tun"
version = "0.1.0"
authors = ["Evan Pratten <ewpratten@gmail.com>"]
edition = "2021"
description = "A pure-rust TUN interface library"
readme = "README.md"
homepage = "https://github.com/ewpratten/protomask/tree/master/libs/easy-tun"
documentation = "https://docs.rs/easy-tun"
repository = "https://github.com/ewpratten/protomask"
license = "GPL-3.0"
keywords = []
categories = []
[features]
default = []
profile-puffin = ["profiling/profile-with-puffin"]
[dependencies]
log = "^0.4"
libc = "^0.2"
ioctl-gen = "^0.1.1"
rtnetlink = "^0.13.0"
profiling = "1.0.9"
[dev-dependencies]
env_logger = "0.10.0"

5
libs/easy-tun/README.md Normal file
View File

@ -0,0 +1,5 @@
# easy-tun
[![Crates.io](https://img.shields.io/crates/v/easy-tun)](https://crates.io/crates/easy-tun)
[![Docs.rs](https://docs.rs/easy-tun/badge.svg)](https://docs.rs/easy-tun)
`easy-tun` is a pure-Rust library that can bring up and manage a TUN interface by directly interacting with the [Universal TUN/TAP Driver](https://docs.kernel.org/networking/tuntap.html).

17
libs/easy-tun/examples/print_traffic.rs Normal file
View File

@ -0,0 +1,17 @@
use easy_tun::Tun;
use std::io::Read;
fn main() {
// Enable logs
env_logger::init();
// Bring up a TUN interface
let mut tun = Tun::new("tun%d").unwrap();
// Loop and read from the interface
let mut buffer = [0u8; 1500];
loop {
let length = tun.read(&mut buffer).unwrap();
println!("{:?}", &buffer[..length]);
}
}

8
libs/easy-tun/src/lib.rs Normal file
View File

@ -0,0 +1,8 @@
#![doc = include_str!("../README.md")]
#![deny(clippy::pedantic)]
#![allow(clippy::module_name_repetitions)]
#![allow(clippy::missing_errors_doc)]
#![allow(clippy::missing_panics_doc)]
mod tun;
pub use tun::Tun;

136
libs/easy-tun/src/tun.rs Normal file
View File

@ -0,0 +1,136 @@
use std::{
fs::{File, OpenOptions},
io::{Read, Write},
mem::size_of,
os::fd::{AsRawFd, IntoRawFd, RawFd},
};
use ioctl_gen::{ioc, iow};
use libc::{__c_anonymous_ifr_ifru, ifreq, ioctl, IFF_NO_PI, IFF_TUN, IF_NAMESIZE};
/// Architecture / target environment specific definitions
mod arch {
#[cfg(all(target_os = "linux", target_env = "gnu"))]
pub type IoctlRequestType = libc::c_ulong;
#[cfg(all(target_os = "linux", target_env = "musl"))]
pub type IoctlRequestType = libc::c_int;
#[cfg(not(any(target_env = "gnu", target_env = "musl")))]
compile_error!(
"Unsupported target environment. Only gnu and musl targets are currently supported."
);
}
/// A TUN device
pub struct Tun {
/// Internal file descriptor for the TUN device
fd: File,
/// Device name
name: String,
}
impl Tun {
/// Creates a new Tun device with the given name.
///
/// The `name` argument must be less than the system's `IFNAMSIZ` constant,
/// and may contain a `%d` format specifier to allow for multiple devices with the same name.
#[allow(clippy::cast_possible_truncation)]
#[allow(clippy::cast_lossless)]
pub fn new(dev: &str) -> Result<Self, std::io::Error> {
log::debug!("Creating new TUN device with requested name:{}", dev);
// Get a file descriptor for `/dev/net/tun`
log::trace!("Opening /dev/net/tun");
let fd = OpenOptions::new()
.read(true)
.write(true)
.open("/dev/net/tun")?;
// Copy the device name into a C string with padding
// NOTE: No zero padding is needed because we pre-init the array to all 0s
let mut dev_cstr: [libc::c_char; IF_NAMESIZE] = [0; IF_NAMESIZE];
let dev_bytes: Vec<libc::c_char> = dev.chars().map(|c| c as libc::c_char).collect();
let dev_len = dev_bytes.len().min(IF_NAMESIZE);
log::trace!("Device name length after truncation: {}", dev_len);
dev_cstr[..dev_len].copy_from_slice(&dev_bytes[..dev_len]);
// Build an `ifreq` struct to send to the kernel
let mut ifr = ifreq {
ifr_name: dev_cstr,
ifr_ifru: __c_anonymous_ifr_ifru {
ifru_flags: (IFF_TUN | IFF_NO_PI) as i16,
},
};
// Make an ioctl call to create the TUN device
log::trace!("Calling ioctl to create TUN device");
let err = unsafe {
ioctl(
fd.as_raw_fd(),
iow!('T', 202, size_of::<libc::c_int>()) as arch::IoctlRequestType,
&mut ifr,
)
};
log::trace!("ioctl returned: {}", err);
// Check for errors
if err < 0 {
log::error!("ioctl failed: {}", err);
return Err(std::io::Error::last_os_error());
}
// Get the name of the device
let name = unsafe { std::ffi::CStr::from_ptr(ifr.ifr_name.as_ptr()) }
.to_str()
.unwrap()
.to_string();
// Log the success
log::debug!("Created TUN device: {}", name);
// Build the TUN struct
Ok(Self { fd, name })
}
/// Get the name of the TUN device
#[must_use]
pub fn name(&self) -> &str {
&self.name
}
/// Get the underlying file descriptor
#[must_use]
pub fn fd(&self) -> &File {
&self.fd
}
}
impl AsRawFd for Tun {
fn as_raw_fd(&self) -> RawFd {
self.fd.as_raw_fd()
}
}
impl IntoRawFd for Tun {
fn into_raw_fd(self) -> RawFd {
self.fd.into_raw_fd()
}
}
impl Read for Tun {
#[profiling::function]
fn read(&mut self, buf: &mut [u8]) -> std::io::Result<usize> {
self.fd.read(buf)
}
}
impl Write for Tun {
#[profiling::function]
fn write(&mut self, buf: &[u8]) -> std::io::Result<usize> {
self.fd.write(buf)
}
#[profiling::function]
fn flush(&mut self) -> std::io::Result<()> {
self.fd.flush()
}
}

24
libs/fast-nat/Cargo.toml Normal file
View File

@ -0,0 +1,24 @@
[package]
name = "fast-nat"
version = "0.1.0"
authors = ["Evan Pratten <ewpratten@gmail.com>"]
edition = "2021"
description = "An OSI layer 3 Network Address Table built for speed"
readme = "README.md"
homepage = "https://github.com/ewpratten/protomask/tree/master/libs/fast-nat"
documentation = "https://docs.rs/fast-nat"
repository = "https://github.com/ewpratten/protomask"
license = "GPL-3.0"
keywords = []
categories = []
[features]
default = []
profile-puffin = ["profiling/profile-with-puffin"]
[dependencies]
log = "^0.4"
rustc-hash = "1.1.0"
thiserror = "^1.0.44"
ipnet = "^2.8.0"
profiling = "1.0.9"

7
libs/fast-nat/README.md Normal file
View File

@ -0,0 +1,7 @@
# Fast Network Address Table
[![Crates.io](https://img.shields.io/crates/v/fast-nat)](https://crates.io/crates/fast-nat)
[![Docs.rs](https://docs.rs/fast-nat/badge.svg)](https://docs.rs/fast-nat)
`fast-nat` is an OSI layer 3 Network Address Table built for speed.
While this library can be used on its own just fine, it was designed for use in `protomask`.

127
libs/fast-nat/src/bimap.rs Normal file
View File

@ -0,0 +1,127 @@
use std::hash::Hash;
use rustc_hash::FxHashMap;
/// A bi-directional hash map
#[derive(Debug, Clone)]
pub struct BiHashMap<Left, Right> {
/// Mapping from a left value to a right value
left_to_right: FxHashMap<Left, Right>,
/// Mapping from a right value to a left value
right_to_left: FxHashMap<Right, Left>,
}
impl<Left, Right> BiHashMap<Left, Right>
where
Left: Eq + Hash + Clone,
Right: Eq + Hash + Clone,
{
/// Construct a new empty `BiHashMap`
pub fn new() -> Self {
Self::default()
}
/// Insert a new mapping into the `BiHashMap`
#[profiling::function]
pub fn insert(&mut self, left: Left, right: Right) {
self.left_to_right.insert(left.clone(), right.clone());
self.right_to_left.insert(right, left);
}
/// Get the right value for a given left value
#[profiling::function]
pub fn get_right(&self, left: &Left) -> Option<&Right> {
self.left_to_right.get(left)
}
/// Get the left value for a given right value
#[profiling::function]
pub fn get_left(&self, right: &Right) -> Option<&Left> {
self.right_to_left.get(right)
}
/// Remove a mapping from the `BiHashMap`
#[profiling::function]
pub fn remove(&mut self, left: &Left, right: &Right) {
self.left_to_right.remove(left);
self.right_to_left.remove(right);
}
/// Remove a mapping from the `BiHashMap` by left value
#[profiling::function]
pub fn remove_left(&mut self, left: &Left) {
if let Some(right) = self.left_to_right.remove(left) {
self.right_to_left.remove(&right);
}
}
/// Remove a mapping from the `BiHashMap` by right value
#[profiling::function]
pub fn remove_right(&mut self, right: &Right) {
if let Some(left) = self.right_to_left.remove(right) {
self.left_to_right.remove(&left);
}
}
/// Get the total number of mappings in the `BiHashMap`
#[profiling::function]
pub fn len(&self) -> usize {
self.left_to_right.len()
}
/// Check if the `BiHashMap` is empty
#[profiling::function]
pub fn is_empty(&self) -> bool {
self.left_to_right.is_empty()
}
}
impl<Left, Right> Default for BiHashMap<Left, Right> {
fn default() -> Self {
Self {
left_to_right: FxHashMap::default(),
right_to_left: FxHashMap::default(),
}
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_insert() {
let mut bimap = BiHashMap::new();
bimap.insert(1, "one");
bimap.insert(2, "two");
bimap.insert(3, "three");
assert_eq!(bimap.get_right(&1), Some(&"one"));
assert_eq!(bimap.get_right(&2), Some(&"two"));
assert_eq!(bimap.get_right(&3), Some(&"three"));
assert_eq!(bimap.get_left(&"one"), Some(&1));
assert_eq!(bimap.get_left(&"two"), Some(&2));
assert_eq!(bimap.get_left(&"three"), Some(&3));
}
#[test]
fn test_remove() {
let mut bimap = BiHashMap::new();
bimap.insert(1, "one");
bimap.insert(2, "two");
bimap.insert(3, "three");
bimap.remove(&1, &"one");
assert_eq!(bimap.get_right(&1), None);
assert_eq!(bimap.get_left(&"one"), None);
bimap.remove_left(&2);
assert_eq!(bimap.get_right(&2), None);
assert_eq!(bimap.get_left(&"two"), None);
bimap.remove_right(&"three");
assert_eq!(bimap.get_right(&3), None);
assert_eq!(bimap.get_left(&"three"), None);
}
}

188
libs/fast-nat/src/cpnat.rs Normal file
View File

@ -0,0 +1,188 @@
use std::{
net::{Ipv4Addr, Ipv6Addr},
time::Duration,
};
use ipnet::Ipv4Net;
use rustc_hash::FxHashMap;
use crate::{bimap::BiHashMap, error::Error, timeout::MaybeTimeout};
/// A table of network address mappings across IPv4 and IPv6
#[derive(Debug)]
pub struct CrossProtocolNetworkAddressTable {
/// Internal address map
addr_map: BiHashMap<u32, u128>,
/// Secondary map used to keep track of timeouts
timeouts: FxHashMap<(u32, u128), MaybeTimeout>,
}
impl CrossProtocolNetworkAddressTable {
/// Construct a new empty `CrossProtocolNetworkAddressTable`
#[must_use]
pub fn new() -> Self {
Self::default()
}
/// Prune all old mappings
#[profiling::function]
pub fn prune(&mut self) {
log::trace!("Pruning old network address mappings");
// Compare all mappings against a common timestamp
let now = std::time::Instant::now();
// Remove all old mappings from both the bimap and the timeouts map
self.timeouts.retain(|(left, right), timeout| {
match timeout {
// Retain all indefinite mappings
MaybeTimeout::Never => true,
// Only retain mappings that haven't timed out yet
MaybeTimeout::After { duration, start } => {
let should_retain = now.duration_since(*start) < *duration;
if !should_retain {
log::trace!(
"Mapping {:?} -> {:?} has timed out and will be removed",
left,
right
);
self.addr_map.remove(left, right);
}
should_retain
}
}
});
}
/// Insert a new indefinite mapping
#[profiling::function]
pub fn insert_indefinite(&mut self, ipv4: Ipv4Addr, ipv6: Ipv6Addr) {
self.prune();
let (ipv4, ipv6) = (ipv4.into(), ipv6.into());
self.addr_map.insert(ipv4, ipv6);
self.timeouts.insert((ipv4, ipv6), MaybeTimeout::Never);
}
/// Insert a new mapping with a finite time-to-live
#[profiling::function]
pub fn insert(&mut self, ipv4: Ipv4Addr, ipv6: Ipv6Addr, duration: Duration) {
self.prune();
let (ipv4, ipv6) = (ipv4.into(), ipv6.into());
self.addr_map.insert(ipv4, ipv6);
self.timeouts.insert(
(ipv4, ipv6),
MaybeTimeout::After {
duration,
start: std::time::Instant::now(),
},
);
}
/// Get the IPv6 address for a given IPv4 address
#[must_use]
#[profiling::function]
pub fn get_ipv6(&self, ipv4: &Ipv4Addr) -> Option<Ipv6Addr> {
self.addr_map
.get_right(&(*ipv4).into())
.map(|addr| (*addr).into())
}
/// Get the IPv4 address for a given IPv6 address
#[must_use]
#[profiling::function]
pub fn get_ipv4(&self, ipv6: &Ipv6Addr) -> Option<Ipv4Addr> {
self.addr_map
.get_left(&(*ipv6).into())
.map(|addr| (*addr).into())
}
/// Get the number of mappings in the table
#[must_use]
#[profiling::function]
pub fn len(&self) -> usize {
self.addr_map.len()
}
/// Check if the table is empty
#[must_use]
#[profiling::function]
pub fn is_empty(&self) -> bool {
self.addr_map.is_empty()
}
}
impl Default for CrossProtocolNetworkAddressTable {
fn default() -> Self {
Self {
addr_map: BiHashMap::new(),
timeouts: FxHashMap::default(),
}
}
}
#[derive(Debug)]
pub struct CrossProtocolNetworkAddressTableWithIpv4Pool {
/// Internal table
table: CrossProtocolNetworkAddressTable,
/// Internal pool of IPv4 prefixes to assign new mappings from
pool: Vec<Ipv4Net>,
/// The timeout to use for new entries
timeout: Duration,
}
impl CrossProtocolNetworkAddressTableWithIpv4Pool {
/// Construct a new Cross-protocol network address table with a given IPv4 pool
#[must_use]
pub fn new(pool: &[Ipv4Net], timeout: Duration) -> Self {
Self {
table: CrossProtocolNetworkAddressTable::default(),
pool: pool.to_vec(),
timeout,
}
}
/// Insert a new static mapping
#[profiling::function]
pub fn insert_static(&mut self, ipv4: Ipv4Addr, ipv6: Ipv6Addr) -> Result<(), Error> {
if !self.pool.iter().any(|prefix| prefix.contains(&ipv4)) {
return Err(Error::InvalidIpv4Address(ipv4));
}
self.table.insert_indefinite(ipv4, ipv6);
Ok(())
}
/// Gets the IPv4 address for a given IPv6 address or inserts a new mapping if one does not exist (if possible)
#[profiling::function]
pub fn get_or_create_ipv4(&mut self, ipv6: &Ipv6Addr) -> Result<Ipv4Addr, Error> {
// Return the known mapping if it exists
if let Some(ipv4) = self.table.get_ipv4(ipv6) {
return Ok(ipv4);
}
// Find the next available IPv4 address in the pool
let new_address = self
.pool
.iter()
.flat_map(Ipv4Net::hosts)
.find(|addr| self.table.get_ipv6(addr).is_none())
.ok_or(Error::Ipv4PoolExhausted)?;
// Insert the new mapping
self.table.insert(new_address, *ipv6, self.timeout);
log::info!(
"New cross-protocol address mapping: {} -> {}",
ipv6,
new_address
);
// Return the new address
Ok(new_address)
}
/// Gets the IPv6 address for a given IPv4 address if it exists
#[must_use]
#[profiling::function]
pub fn get_ipv6(&self, ipv4: &Ipv4Addr) -> Option<Ipv6Addr> {
self.table.get_ipv6(ipv4)
}
}

9
libs/fast-nat/src/error.rs Normal file
View File

@ -0,0 +1,9 @@
use std::net::Ipv4Addr;
#[derive(Debug, thiserror::Error)]
pub enum Error {
#[error("Ipv4 address does not belong to the NAT pool: {0}")]
InvalidIpv4Address(Ipv4Addr),
#[error("IPv4 pool exhausted")]
Ipv4PoolExhausted,
}

14
libs/fast-nat/src/lib.rs Normal file
View File

@ -0,0 +1,14 @@
#![doc = include_str!("../README.md")]
#![deny(clippy::pedantic)]
#![allow(clippy::module_name_repetitions)]
#![allow(clippy::missing_errors_doc)]
#![allow(clippy::missing_panics_doc)]
mod bimap;
mod cpnat;
pub mod error;
mod nat;
mod timeout;
pub use cpnat::{CrossProtocolNetworkAddressTable, CrossProtocolNetworkAddressTableWithIpv4Pool};
pub use nat::NetworkAddressTable;

101
libs/fast-nat/src/nat.rs Normal file
View File

@ -0,0 +1,101 @@
use crate::{bimap::BiHashMap, timeout::MaybeTimeout};
use rustc_hash::FxHashMap;
use std::{net::Ipv4Addr, time::Duration};
/// A table of network address mappings
#[derive(Debug)]
pub struct NetworkAddressTable {
/// Internal address map
addr_map: BiHashMap<u32, u32>,
/// Secondary map used to keep track of timeouts
timeouts: FxHashMap<(u32, u32), MaybeTimeout>,
}
impl NetworkAddressTable {
/// Construct a new empty `NetworkAddressTable`
#[must_use]
pub fn new() -> Self {
Self::default()
}
/// Prune all old mappings
#[profiling::function]
pub fn prune(&mut self) {
log::trace!("Pruning old network address mappings");
// Compare all mappings against a common timestamp
let now = std::time::Instant::now();
// Remove all old mappings from both the bimap and the timeouts map
self.timeouts.retain(|(left, right), timeout| {
match timeout {
// Retain all indefinite mappings
MaybeTimeout::Never => true,
// Only retain mappings that haven't timed out yet
MaybeTimeout::After { duration, start } => {
let should_retain = now.duration_since(*start) < *duration;
if !should_retain {
log::trace!(
"Mapping {:?} -> {:?} has timed out and will be removed",
left,
right
);
self.addr_map.remove(left, right);
}
should_retain
}
}
});
}
/// Insert a new indefinite mapping
#[profiling::function]
pub fn insert_indefinite(&mut self, left: Ipv4Addr, right: Ipv4Addr) {
self.prune();
let (left, right) = (left.into(), right.into());
self.addr_map.insert(left, right);
self.timeouts.insert((left, right), MaybeTimeout::Never);
}
/// Insert a new mapping with a finite time-to-live
#[profiling::function]
pub fn insert(&mut self, left: Ipv4Addr, right: Ipv4Addr, duration: Duration) {
self.prune();
let (left, right) = (left.into(), right.into());
self.addr_map.insert(left, right);
self.timeouts.insert(
(left, right),
MaybeTimeout::After {
duration,
start: std::time::Instant::now(),
},
);
}
/// Get the right value for a given left value
#[must_use]
#[profiling::function]
pub fn get_right(&self, left: &Ipv4Addr) -> Option<Ipv4Addr> {
self.addr_map
.get_right(&(*left).into())
.map(|addr| (*addr).into())
}
/// Get the left value for a given right value
#[must_use]
#[profiling::function]
pub fn get_left(&self, right: &Ipv4Addr) -> Option<Ipv4Addr> {
self.addr_map
.get_left(&(*right).into())
.map(|addr| (*addr).into())
}
}
impl Default for NetworkAddressTable {
fn default() -> Self {
Self {
addr_map: BiHashMap::new(),
timeouts: FxHashMap::default(),
}
}
}

13
libs/fast-nat/src/timeout.rs Normal file
View File

@ -0,0 +1,13 @@
use std::time::Duration;
/// Describes a possible timeout for a mapping
#[derive(Debug, Clone, Copy)]
pub enum MaybeTimeout {
/// Indicates that a mapping should never time out
Never,
/// Indicates that a mapping should time out after a given duration
After {
duration: Duration,
start: std::time::Instant,
},
}

32
libs/interproto/Cargo.toml Normal file
View File

@ -0,0 +1,32 @@
[package]
name = "interproto"
version = "0.1.0"
authors = ["Evan Pratten <ewpratten@gmail.com>"]
edition = "2021"
description = "Utilities for translating packets between IPv4 and IPv6"
readme = "README.md"
homepage = "https://github.com/ewpratten/protomask/tree/master/libs/interproto"
documentation = "https://docs.rs/interproto"
repository = "https://github.com/ewpratten/protomask"
license = "GPL-3.0"
keywords = []
categories = []
[features]
default = []
metrics = ["protomask-metrics"]
profile-puffin = ["profiling/profile-with-puffin"]
[dependencies]
protomask-metrics = { path = "../protomask-metrics", optional = true }
log = "^0.4"
pnet = "0.34.0"
thiserror = "^1.0.44"
profiling = "1.0.9"
[dev-dependencies]
criterion = { version = "0.5.1", features = ["html_reports"] }
[[bench]]
name = "benchmarks"
harness = false

3
libs/interproto/README.md Normal file
View File

@ -0,0 +1,3 @@
# Interproto: The internet protocol translation library
[![Crates.io](https://img.shields.io/crates/v/interproto)](https://crates.io/crates/interproto)
[![Docs.rs](https://docs.rs/interproto/badge.svg)](https://docs.rs/interproto)

106
libs/interproto/benches/benchmarks.rs Normal file
View File

@ -0,0 +1,106 @@
use criterion::{criterion_group, criterion_main, Criterion};
use interproto::protocols::*;
use pnet::packet::{
tcp::{MutableTcpPacket, TcpPacket},
udp::{MutableUdpPacket, UdpPacket},
};
/// Translate TCP packets from IPv4 to IPv6
fn bench_tcp_4_to_6(c: &mut Criterion) {
// Create a test input packet
let mut input_buffer = vec![0u8; TcpPacket::minimum_packet_size() + 13];
let mut input_packet = MutableTcpPacket::new(&mut input_buffer).unwrap();
input_packet.set_source(1234);
input_packet.set_destination(5678);
input_packet.set_payload(&"Hello, world!".as_bytes().to_vec());
// Pre-calculate the source and dest addrs
let source = "2001:db8::1".parse().unwrap();
let dest = "2001:db8::2".parse().unwrap();
// Build a benchmark group for measuring throughput
let mut group = c.benchmark_group("tcp_4_to_6");
group.throughput(criterion::Throughput::Bytes(input_buffer.len() as u64));
group.bench_function("translate", |b| {
b.iter(|| tcp::recalculate_tcp_checksum_ipv6(&input_buffer, source, dest))
});
group.finish();
}
/// Translate TCP packets from IPv6 to IPv4
fn bench_tcp_6_to_4(c: &mut Criterion) {
// Create a test input packet
let mut input_buffer = vec![0u8; TcpPacket::minimum_packet_size() + 13];
let mut input_packet = MutableTcpPacket::new(&mut input_buffer).unwrap();
input_packet.set_source(1234);
input_packet.set_destination(5678);
input_packet.set_payload(&"Hello, world!".as_bytes().to_vec());
// Pre-calculate the source and dest addrs
let source = "192.0.2.1".parse().unwrap();
let dest = "192.0.2.2".parse().unwrap();
// Build a benchmark group for measuring throughput
let mut group = c.benchmark_group("tcp_6_to_4");
group.throughput(criterion::Throughput::Bytes(input_buffer.len() as u64));
group.bench_function("translate", |b| {
b.iter(|| tcp::recalculate_tcp_checksum_ipv4(&input_buffer, source, dest))
});
group.finish();
}
/// Translate UDP packets from IPv4 to IPv6
fn bench_udp_4_to_6(c: &mut Criterion) {
// Create a test input packet
let mut input_buffer = vec![0u8; UdpPacket::minimum_packet_size() + 13];
let mut udp_packet = MutableUdpPacket::new(&mut input_buffer).unwrap();
udp_packet.set_source(1234);
udp_packet.set_destination(5678);
udp_packet.set_length(13);
udp_packet.set_payload(&"Hello, world!".as_bytes().to_vec());
// Pre-calculate the source and dest addrs
let source = "2001:db8::1".parse().unwrap();
let dest = "2001:db8::2".parse().unwrap();
// Build a benchmark group for measuring throughput
let mut group = c.benchmark_group("udp_4_to_6");
group.throughput(criterion::Throughput::Bytes(input_buffer.len() as u64));
group.bench_function("translate", |b| {
b.iter(|| udp::recalculate_udp_checksum_ipv6(&input_buffer, source, dest))
});
group.finish();
}
/// Translate UDP packets from IPv6 to IPv4
fn bench_udp_6_to_4(c: &mut Criterion) {
// Create a test input packet
let mut input_buffer = vec![0u8; UdpPacket::minimum_packet_size() + 13];
let mut udp_packet = MutableUdpPacket::new(&mut input_buffer).unwrap();
udp_packet.set_source(1234);
udp_packet.set_destination(5678);
udp_packet.set_length(13);
udp_packet.set_payload(&"Hello, world!".as_bytes().to_vec());
// Pre-calculate the source and dest addrs
let source = "192.0.2.1".parse().unwrap();
let dest = "192.0.2.2".parse().unwrap();
// Build a benchmark group for measuring throughput
let mut group = c.benchmark_group("udp_6_to_4");
group.throughput(criterion::Throughput::Bytes(input_buffer.len() as u64));
group.bench_function("translate", |b| {
b.iter(|| udp::recalculate_udp_checksum_ipv4(&input_buffer, source, dest))
});
group.finish();
}
// Generate a main function
criterion_group!(
benches,
bench_tcp_4_to_6,
bench_tcp_6_to_4,
bench_udp_4_to_6,
bench_udp_6_to_4
);
criterion_main!(benches);

13
libs/interproto/src/error.rs Normal file
View File

@ -0,0 +1,13 @@
/// All possible errors thrown by `interproto` functions
#[derive(Debug, thiserror::Error, PartialEq, Eq, Clone)]
pub enum Error {
#[error("Packet too short. Expected at least {expected} bytes, got {actual}")]
PacketTooShort { expected: usize, actual: usize },
#[error("Unsupported ICMP type: {0}")]
UnsupportedIcmpType(u8),
#[error("Unsupported ICMPv6 type: {0}")]
UnsupportedIcmpv6Type(u8),
}
/// Result type for `interproto`
pub type Result<T> = std::result::Result<T, Error>;

9
libs/interproto/src/lib.rs Normal file
View File

@ -0,0 +1,9 @@
#![doc = include_str!("../README.md")]
#![deny(clippy::pedantic)]
#![allow(clippy::module_name_repetitions)]
#![allow(clippy::missing_errors_doc)]
#![allow(clippy::missing_panics_doc)]
#![allow(clippy::doc_markdown)]
pub mod error;
pub mod protocols;

180
libs/interproto/src/protocols/icmp/mod.rs Normal file
View File

@ -0,0 +1,180 @@
use crate::{
error::{Error, Result},
protocols::ip::translate_ipv4_to_ipv6,
};
use pnet::packet::{
icmp::{self, IcmpPacket, IcmpTypes, MutableIcmpPacket},
icmpv6::{self, Icmpv6Packet, Icmpv6Types, MutableIcmpv6Packet},
Packet,
};
use std::net::{Ipv4Addr, Ipv6Addr};
use super::ip::translate_ipv6_to_ipv4;
mod type_code;
/// Translate an ICMP packet to ICMPv6. This will make a best guess at the ICMPv6 type and code since there is no 1:1 mapping.
#[allow(clippy::deprecated_cfg_attr)]
#[profiling::function]
pub fn translate_icmp_to_icmpv6(
icmp_packet: &[u8],
new_source: Ipv6Addr,
new_destination: Ipv6Addr,
) -> Result<Vec<u8>> {
// This scope is used to collect packet drop metrics
{
// Access the ICMP packet data in a safe way
let icmp_packet = IcmpPacket::new(icmp_packet).ok_or(Error::PacketTooShort {
expected: IcmpPacket::minimum_packet_size(),
actual: icmp_packet.len(),
})?;
// Track the incoming packet's type and code
#[cfg(feature = "metrics")]
protomask_metrics::metrics::ICMP_COUNTER
.with_label_values(&[
protomask_metrics::metrics::label_values::PROTOCOL_ICMP,
&icmp_packet.get_icmp_type().0.to_string(),
&icmp_packet.get_icmp_code().0.to_string(),
])
.inc();
// Translate the ICMP type and code to their ICMPv6 equivalents
let (icmpv6_type, icmpv6_code) = type_code::translate_type_and_code_4_to_6(
icmp_packet.get_icmp_type(),
icmp_packet.get_icmp_code(),
)?;
// Some ICMP types require special payload edits
let payload = match icmpv6_type {
Icmpv6Types::TimeExceeded => {
// Time exceeded messages contain the original IPv4 header and part of the payload. (with 4 bytes of forward padding)
// We need to translate the IPv4 header and the payload, but keep the padding
let mut output = vec![0u8; 4];
output.copy_from_slice(&icmp_packet.payload()[..4]);
output.extend_from_slice(&translate_ipv4_to_ipv6(
&icmp_packet.payload()[4..],
new_source,
new_destination,
)?);
output
}
_ => icmp_packet.payload().to_vec(),
};
// Build a buffer to store the new ICMPv6 packet
let mut output_buffer = vec![0u8; IcmpPacket::minimum_packet_size() + payload.len()];
// NOTE: There is no way this can fail since we are creating the buffer with explicitly enough space.
let mut icmpv6_packet =
unsafe { MutableIcmpv6Packet::new(&mut output_buffer).unwrap_unchecked() };
// Set the header fields
icmpv6_packet.set_icmpv6_type(icmpv6_type);
icmpv6_packet.set_icmpv6_code(icmpv6_code);
icmpv6_packet.set_checksum(0);
// Copy the payload
icmpv6_packet.set_payload(&payload);
// Calculate the checksum
icmpv6_packet.set_checksum(icmpv6::checksum(
&icmpv6_packet.to_immutable(),
&new_source,
&new_destination,
));
// Track the translated packet
#[cfg(feature = "metrics")]
protomask_metrics::metric!(PACKET_COUNTER, PROTOCOL_ICMP, STATUS_TRANSLATED).inc();
// Return the translated packet
Ok(output_buffer)
}
.map_err(|error| {
// Track the dropped packet
#[cfg(feature = "metrics")]
protomask_metrics::metric!(PACKET_COUNTER, PROTOCOL_ICMP, STATUS_DROPPED).inc();
// Pass the error through
error
})
}
/// Translate an ICMPv6 packet to ICMP. This will make a best guess at the ICMP type and code since there is no 1:1 mapping.
#[profiling::function]
pub fn translate_icmpv6_to_icmp(
icmpv6_packet: &[u8],
new_source: Ipv4Addr,
new_destination: Ipv4Addr,
) -> Result<Vec<u8>> {
// This scope is used to collect packet drop metrics
{
// Access the ICMPv6 packet data in a safe way
let icmpv6_packet = Icmpv6Packet::new(icmpv6_packet).ok_or(Error::PacketTooShort {
expected: Icmpv6Packet::minimum_packet_size(),
actual: icmpv6_packet.len(),
})?;
// Track the incoming packet's type and code
#[cfg(feature = "metrics")]
protomask_metrics::metrics::ICMP_COUNTER
.with_label_values(&[
protomask_metrics::metrics::label_values::PROTOCOL_ICMPV6,
&icmpv6_packet.get_icmpv6_type().0.to_string(),
&icmpv6_packet.get_icmpv6_code().0.to_string(),
])
.inc();
// Translate the ICMPv6 type and code to their ICMP equivalents
let (icmp_type, icmp_code) = type_code::translate_type_and_code_6_to_4(
icmpv6_packet.get_icmpv6_type(),
icmpv6_packet.get_icmpv6_code(),
)?;
// Some ICMP types require special payload edits
let payload = match icmp_type {
IcmpTypes::TimeExceeded => {
// Time exceeded messages contain the original IPv6 header and part of the payload. (with 4 bytes of forward padding)
// We need to translate the IPv6 header and the payload, but keep the padding
let mut output = vec![0u8; 4];
output.copy_from_slice(&icmpv6_packet.payload()[..4]);
output.extend_from_slice(&translate_ipv6_to_ipv4(
&icmpv6_packet.payload()[4..],
new_source,
new_destination,
)?);
output
}
_ => icmpv6_packet.payload().to_vec(),
};
// Build a buffer to store the new ICMP packet
let mut output_buffer = vec![0u8; Icmpv6Packet::minimum_packet_size() + payload.len()];
// NOTE: There is no way this can fail since we are creating the buffer with explicitly enough space.
let mut icmp_packet =
unsafe { MutableIcmpPacket::new(&mut output_buffer).unwrap_unchecked() };
// Set the header fields
icmp_packet.set_icmp_type(icmp_type);
icmp_packet.set_icmp_code(icmp_code);
// Copy the payload
icmp_packet.set_payload(&payload);
// Calculate the checksum
icmp_packet.set_checksum(icmp::checksum(&icmp_packet.to_immutable()));
// Return the translated packet
Ok(output_buffer)
}
.map_err(|error| {
// Track the dropped packet
#[cfg(feature = "metrics")]
protomask_metrics::metric!(PACKET_COUNTER, PROTOCOL_ICMPV6, STATUS_DROPPED).inc();
// Pass the error through
error
})
}

18
src/packet/xlat/icmp/type_code.rs → libs/interproto/src/protocols/icmp/type_code.rs
View File

@ -1,20 +1,19 @@
//! Functions to map between ICMP and ICMPv6 types/codes
//! Look-up-tables for translating between ICMP (type,code) tuples and ICMPv6 (type,code) tuples.
#![allow(clippy::doc_markdown)]
use pnet_packet::{
use pnet::packet::{
icmp::{destination_unreachable, IcmpCode, IcmpType, IcmpTypes},
icmpv6::{Icmpv6Code, Icmpv6Type, Icmpv6Types},
};
use crate::packet::error::PacketError;
use crate::error::{Error, Result};
/// Best effort translation from an ICMP type and code to an ICMPv6 type and code
#[allow(clippy::deprecated_cfg_attr)]
#[profiling::function]
pub fn translate_type_and_code_4_to_6(
icmp_type: IcmpType,
icmp_code: IcmpCode,
) -> Result<(Icmpv6Type, Icmpv6Code), PacketError> {
) -> Result<(Icmpv6Type, Icmpv6Code)> {
match (icmp_type, icmp_code) {
// Echo Request
(IcmpTypes::EchoRequest, _) => Ok((Icmpv6Types::EchoRequest, Icmpv6Code(0))),
@ -54,16 +53,17 @@ pub fn translate_type_and_code_4_to_6(
}
// Default unsupported
(icmp_type, _) => Err(PacketError::UnsupportedIcmpType(icmp_type.0)),
(icmp_type, _) => Err(Error::UnsupportedIcmpType(icmp_type.0)),
}
}
/// Best effort translation from an ICMPv6 type and code to an ICMP type and code
#[allow(clippy::deprecated_cfg_attr)]
#[profiling::function]
pub fn translate_type_and_code_6_to_4(
icmp_type: Icmpv6Type,
icmp_code: Icmpv6Code,
) -> Result<(IcmpType, IcmpCode), PacketError> {
) -> Result<(IcmpType, IcmpCode)> {
match (icmp_type, icmp_code) {
// Echo Request
(Icmpv6Types::EchoRequest, _) => Ok((IcmpTypes::EchoRequest, IcmpCode(0))),
@ -98,6 +98,6 @@ pub fn translate_type_and_code_6_to_4(
}
// Default unsupported
(icmp_type, _) => Err(PacketError::UnsupportedIcmpv6Type(icmp_type.0)),
(icmp_type, _) => Err(Error::UnsupportedIcmpv6Type(icmp_type.0)),
}
}

179
libs/interproto/src/protocols/ip.rs Normal file
View File

@ -0,0 +1,179 @@
//! Translation functions that can convert packets between IPv4 and IPv6.
use super::{
icmp::{translate_icmp_to_icmpv6, translate_icmpv6_to_icmp},
tcp::{recalculate_tcp_checksum_ipv4, recalculate_tcp_checksum_ipv6},
udp::{recalculate_udp_checksum_ipv4, recalculate_udp_checksum_ipv6},
};
use crate::error::{Error, Result};
use pnet::packet::{
ip::IpNextHeaderProtocols,
ipv4::{self, Ipv4Packet, MutableIpv4Packet},
ipv6::{Ipv6Packet, MutableIpv6Packet},
Packet,
};
use std::net::{Ipv4Addr, Ipv6Addr};
/// Translates an IPv4 packet into an IPv6 packet. The packet payload will be translated recursively as needed.
#[profiling::function]
pub fn translate_ipv4_to_ipv6(
ipv4_packet: &[u8],
new_source: Ipv6Addr,
new_destination: Ipv6Addr,
) -> Result<Vec<u8>> {
// This scope is used to collect packet drop metrics
{
// Access the IPv4 packet data in a safe way
let ipv4_packet = Ipv4Packet::new(ipv4_packet).ok_or(Error::PacketTooShort {
expected: Ipv4Packet::minimum_packet_size(),
actual: ipv4_packet.len(),
})?;
// Perform recursive translation to determine the new payload
let new_payload = match ipv4_packet.get_next_level_protocol() {
// Pass ICMP packets to the icmp-to-icmpv6 translator
IpNextHeaderProtocols::Icmp => {
translate_icmp_to_icmpv6(ipv4_packet.payload(), new_source, new_destination)?
}
// Pass TCP packets to the tcp translator
IpNextHeaderProtocols::Tcp => {
recalculate_tcp_checksum_ipv6(ipv4_packet.payload(), new_source, new_destination)?
}
// Pass UDP packets to the udp translator
IpNextHeaderProtocols::Udp => {
recalculate_udp_checksum_ipv6(ipv4_packet.payload(), new_source, new_destination)?
}
// If the next level protocol is not something we know how to translate,
// just assume the payload can be passed through as-is
protocol => {
log::warn!("Unsupported next level protocol: {:?}", protocol);
ipv4_packet.payload().to_vec()
}
};
// Build a buffer to store the new IPv6 packet
let mut output_buffer = vec![0u8; Ipv6Packet::minimum_packet_size() + new_payload.len()];
// NOTE: There is no way this can fail since we are creating the buffer with explicitly enough space.
let mut ipv6_packet =
unsafe { MutableIpv6Packet::new(&mut output_buffer).unwrap_unchecked() };
// Set the header fields
ipv6_packet.set_version(6);
ipv6_packet.set_next_header(match ipv4_packet.get_next_level_protocol() {
IpNextHeaderProtocols::Icmp => IpNextHeaderProtocols::Icmpv6,
proto => proto,
});
ipv6_packet.set_hop_limit(ipv4_packet.get_ttl());
ipv6_packet.set_source(new_source);
ipv6_packet.set_destination(new_destination);
ipv6_packet.set_payload_length(new_payload.len().try_into().unwrap());
// Copy the payload to the buffer
ipv6_packet.set_payload(&new_payload);
// Track the translated packet
#[cfg(feature = "metrics")]
protomask_metrics::metric!(PACKET_COUNTER, PROTOCOL_IPV4, STATUS_TRANSLATED).inc();
// Return the buffer
Ok(output_buffer)
}
.map_err(|error| {
// Track the dropped packet
#[cfg(feature = "metrics")]
protomask_metrics::metric!(PACKET_COUNTER, PROTOCOL_IPV4, STATUS_DROPPED).inc();
// Pass the error through
error
})
}
/// Translates an IPv6 packet into an IPv4 packet. The packet payload will be translated recursively as needed.
#[profiling::function]
pub fn translate_ipv6_to_ipv4(
ipv6_packet: &[u8],
new_source: Ipv4Addr,
new_destination: Ipv4Addr,
) -> Result<Vec<u8>> {
// This scope is used to collect packet drop metrics
{
// Access the IPv6 packet data in a safe way
let ipv6_packet = Ipv6Packet::new(ipv6_packet).ok_or(Error::PacketTooShort {
expected: Ipv6Packet::minimum_packet_size(),
actual: ipv6_packet.len(),
})?;
// Perform recursive translation to determine the new payload
let new_payload = match ipv6_packet.get_next_header() {
// Pass ICMP packets to the icmpv6-to-icmp translator
IpNextHeaderProtocols::Icmpv6 => {
translate_icmpv6_to_icmp(ipv6_packet.payload(), new_source, new_destination)?
}
// Pass TCP packets to the tcp translator
IpNextHeaderProtocols::Tcp => {
recalculate_tcp_checksum_ipv4(ipv6_packet.payload(), new_source, new_destination)?
}
// Pass UDP packets to the udp translator
IpNextHeaderProtocols::Udp => {
recalculate_udp_checksum_ipv4(ipv6_packet.payload(), new_source, new_destination)?
}
// If the next header is not something we know how to translate,
// just assume the payload can be passed through as-is
protocol => {
log::warn!("Unsupported next header: {:?}", protocol);
ipv6_packet.payload().to_vec()
}
};
// Build a buffer to store the new IPv4 packet
let mut output_buffer = vec![0u8; Ipv4Packet::minimum_packet_size() + new_payload.len()];
// NOTE: There is no way this can fail since we are creating the buffer with explicitly enough space.
let mut ipv4_packet =
unsafe { MutableIpv4Packet::new(&mut output_buffer).unwrap_unchecked() };
// Set the header fields
ipv4_packet.set_version(4);
ipv4_packet.set_header_length(5);
ipv4_packet.set_ttl(ipv6_packet.get_hop_limit());
ipv4_packet.set_next_level_protocol(match ipv6_packet.get_next_header() {
IpNextHeaderProtocols::Icmpv6 => IpNextHeaderProtocols::Icmp,
proto => proto,
});
ipv4_packet.set_source(new_source);
ipv4_packet.set_destination(new_destination);
ipv4_packet.set_total_length(
(Ipv4Packet::minimum_packet_size() + new_payload.len())
.try_into()
.unwrap(),
);
// Copy the payload to the buffer
ipv4_packet.set_payload(&new_payload);
// Calculate the checksum
ipv4_packet.set_checksum(ipv4::checksum(&ipv4_packet.to_immutable()));
// Track the translated packet
#[cfg(feature = "metrics")]
protomask_metrics::metric!(PACKET_COUNTER, PROTOCOL_IPV6, STATUS_TRANSLATED).inc();
// Return the buffer
Ok(output_buffer)
}
.map_err(|error| {
// Track the dropped packet
#[cfg(feature = "metrics")]
protomask_metrics::metric!(PACKET_COUNTER, PROTOCOL_IPV6, STATUS_DROPPED).inc();
// Pass the error through
error
})
}

2
src/packet/xlat/mod.rs → libs/interproto/src/protocols/mod.rs
View File

@ -1,5 +1,3 @@
//! Protocol translation logic
pub mod icmp;
pub mod ip;
pub mod tcp;

142
libs/interproto/src/protocols/tcp.rs Normal file
View File

@ -0,0 +1,142 @@
use std::net::{Ipv4Addr, Ipv6Addr};
use pnet::packet::tcp::{self, MutableTcpPacket, TcpPacket};
use crate::error::{Error, Result};
/// Re-calculates a TCP packet's checksum with a new IPv6 pseudo-header.
#[profiling::function]
pub fn recalculate_tcp_checksum_ipv6(
tcp_packet: &[u8],
new_source: Ipv6Addr,
new_destination: Ipv6Addr,
) -> Result<Vec<u8>> {
// This scope is used to collect packet drop metrics
{
// Clone the packet so we can modify it
let mut tcp_packet_buffer = tcp_packet.to_vec();
// Get safe mutable access to the packet
let mut tcp_packet =
MutableTcpPacket::new(&mut tcp_packet_buffer).ok_or(Error::PacketTooShort {
expected: TcpPacket::minimum_packet_size(),
actual: tcp_packet.len(),
})?;
// Edit the packet's checksum
tcp_packet.set_checksum(0);
tcp_packet.set_checksum(tcp::ipv6_checksum(
&tcp_packet.to_immutable(),
&new_source,
&new_destination,
));
// Track the translated packet
#[cfg(feature = "metrics")]
protomask_metrics::metric!(PACKET_COUNTER, PROTOCOL_TCP, STATUS_TRANSLATED).inc();
// Return the translated packet
Ok(tcp_packet_buffer)
}
.map_err(|error| {
// Track the dropped packet
#[cfg(feature = "metrics")]
protomask_metrics::metric!(PACKET_COUNTER, PROTOCOL_TCP, STATUS_DROPPED).inc();
// Pass the error through
error
})
}
/// Re-calculates a TCP packet's checksum with a new IPv4 pseudo-header.
#[profiling::function]
pub fn recalculate_tcp_checksum_ipv4(
tcp_packet: &[u8],
new_source: Ipv4Addr,
new_destination: Ipv4Addr,
) -> Result<Vec<u8>> {
// This scope is used to collect packet drop metrics
{
// Clone the packet so we can modify it
let mut tcp_packet_buffer = tcp_packet.to_vec();
// Get safe mutable access to the packet
let mut tcp_packet =
MutableTcpPacket::new(&mut tcp_packet_buffer).ok_or(Error::PacketTooShort {
expected: TcpPacket::minimum_packet_size(),
actual: tcp_packet.len(),
})?;
// Edit the packet's checksum
tcp_packet.set_checksum(0);
tcp_packet.set_checksum(tcp::ipv4_checksum(
&tcp_packet.to_immutable(),
&new_source,
&new_destination,
));
// Track the translated packet
#[cfg(feature = "metrics")]
protomask_metrics::metric!(PACKET_COUNTER, PROTOCOL_TCP, STATUS_TRANSLATED).inc();
// Return the translated packet
Ok(tcp_packet_buffer)
}
.map_err(|error| {
// Track the dropped packet
#[cfg(feature = "metrics")]
protomask_metrics::metric!(PACKET_COUNTER, PROTOCOL_TCP, STATUS_DROPPED).inc();
// Pass the error through
error
})
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_checksum_recalculate_ipv6() {
// Create an input packet
let mut input_buffer = vec![0u8; TcpPacket::minimum_packet_size() + 13];
let mut input_packet = MutableTcpPacket::new(&mut input_buffer).unwrap();
input_packet.set_source(1234);
input_packet.set_destination(5678);
input_packet.set_payload(&"Hello, world!".as_bytes().to_vec());
// Recalculate the checksum
let recalculated_buffer = recalculate_tcp_checksum_ipv6(
&input_buffer,
"2001:db8::1".parse().unwrap(),
"2001:db8::2".parse().unwrap(),
)
.unwrap();
// Verify the checksum
let recalculated_packet = TcpPacket::new(&recalculated_buffer).unwrap();
assert_eq!(recalculated_packet.get_checksum(), 0x4817);
}
#[test]
fn test_checksum_recalculate_ipv4() {
// Create an input packet
let mut input_buffer = vec![0u8; TcpPacket::minimum_packet_size() + 13];
let mut input_packet = MutableTcpPacket::new(&mut input_buffer).unwrap();
input_packet.set_source(1234);
input_packet.set_destination(5678);
input_packet.set_payload(&"Hello, world!".as_bytes().to_vec());
// Recalculate the checksum
let recalculated_buffer = recalculate_tcp_checksum_ipv4(
&input_buffer,
"192.0.2.1".parse().unwrap(),
"192.0.2.2".parse().unwrap(),
)
.unwrap();
// Verify the checksum
let recalculated_packet = TcpPacket::new(&recalculated_buffer).unwrap();
assert_eq!(recalculated_packet.get_checksum(), 0x1f88);
}
}

142
libs/interproto/src/protocols/udp.rs Normal file
View File

@ -0,0 +1,142 @@
use std::net::{Ipv4Addr, Ipv6Addr};
use pnet::packet::udp::{self, MutableUdpPacket, UdpPacket};
use crate::error::{Error, Result};
/// Re-calculates a UDP packet's checksum with a new IPv6 pseudo-header.
#[profiling::function]
pub fn recalculate_udp_checksum_ipv6(
udp_packet: &[u8],
new_source: Ipv6Addr,
new_destination: Ipv6Addr,
) -> Result<Vec<u8>> {
// This scope is used to collect packet drop metrics
{
// Clone the packet so we can modify it
let mut udp_packet_buffer = udp_packet.to_vec();
// Get safe mutable access to the packet
let mut udp_packet =
MutableUdpPacket::new(&mut udp_packet_buffer).ok_or(Error::PacketTooShort {
expected: UdpPacket::minimum_packet_size(),
actual: udp_packet.len(),
})?;
// Edit the packet's checksum
udp_packet.set_checksum(0);
udp_packet.set_checksum(udp::ipv6_checksum(
&udp_packet.to_immutable(),
&new_source,
&new_destination,
));
// Track the translated packet
#[cfg(feature = "metrics")]
protomask_metrics::metric!(PACKET_COUNTER, PROTOCOL_UDP, STATUS_TRANSLATED).inc();
// Return the translated packet
Ok(udp_packet_buffer)
}
.map_err(|error| {
// Track the dropped packet
#[cfg(feature = "metrics")]
protomask_metrics::metric!(PACKET_COUNTER, PROTOCOL_UDP, STATUS_DROPPED).inc();
// Pass the error through
error
})
}
/// Re-calculates a UDP packet's checksum with a new IPv4 pseudo-header.
#[profiling::function]
pub fn recalculate_udp_checksum_ipv4(
udp_packet: &[u8],
new_source: Ipv4Addr,
new_destination: Ipv4Addr,
) -> Result<Vec<u8>> {
// This scope is used to collect packet drop metrics
{
// Clone the packet so we can modify it
let mut udp_packet_buffer = udp_packet.to_vec();
// Get safe mutable access to the packet
let mut udp_packet =
MutableUdpPacket::new(&mut udp_packet_buffer).ok_or(Error::PacketTooShort {
expected: UdpPacket::minimum_packet_size(),
actual: udp_packet.len(),
})?;
// Edit the packet's checksum
udp_packet.set_checksum(0);
udp_packet.set_checksum(udp::ipv4_checksum(
&udp_packet.to_immutable(),
&new_source,
&new_destination,
));
// Track the translated packet
#[cfg(feature = "metrics")]
protomask_metrics::metric!(PACKET_COUNTER, PROTOCOL_UDP, STATUS_TRANSLATED).inc();
// Return the translated packet
Ok(udp_packet_buffer)
}
.map_err(|error| {
// Track the dropped packet
#[cfg(feature = "metrics")]
protomask_metrics::metric!(PACKET_COUNTER, PROTOCOL_UDP, STATUS_DROPPED).inc();
// Pass the error through
error
})
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_recalculate_udp_checksum_ipv6() {
let mut input_buffer = vec![0u8; UdpPacket::minimum_packet_size() + 13];
let mut udp_packet = MutableUdpPacket::new(&mut input_buffer).unwrap();
udp_packet.set_source(1234);
udp_packet.set_destination(5678);
udp_packet.set_length(13);
udp_packet.set_payload(&"Hello, world!".as_bytes().to_vec());
// Recalculate the checksum
let recalculated_buffer = recalculate_udp_checksum_ipv6(
&input_buffer,
"2001:db8::1".parse().unwrap(),
"2001:db8::2".parse().unwrap(),
)
.unwrap();
// Check that the checksum is correct
let recalculated_packet = UdpPacket::new(&recalculated_buffer).unwrap();
assert_eq!(recalculated_packet.get_checksum(), 0x480b);
}
#[test]
fn test_recalculate_udp_checksum_ipv4() {
let mut input_buffer = vec![0u8; UdpPacket::minimum_packet_size() + 13];
let mut udp_packet = MutableUdpPacket::new(&mut input_buffer).unwrap();
udp_packet.set_source(1234);
udp_packet.set_destination(5678);
udp_packet.set_length(13);
udp_packet.set_payload(&"Hello, world!".as_bytes().to_vec());
// Recalculate the checksum
let recalculated_buffer = recalculate_udp_checksum_ipv4(
&input_buffer,
"192.0.2.1".parse().unwrap(),
"192.0.2.2".parse().unwrap(),
)
.unwrap();
// Check that the checksum is correct
let recalculated_packet = UdpPacket::new(&recalculated_buffer).unwrap();
assert_eq!(recalculated_packet.get_checksum(), 0x1f7c);
}
}

19
libs/protomask-metrics/Cargo.toml Normal file
View File

@ -0,0 +1,19 @@
[package]
name = "protomask-metrics"
version = "0.1.0"
authors = ["Evan Pratten <ewpratten@gmail.com>"]
edition = "2021"
description = "Internal metrics library used by protomask"
readme = "README.md"
homepage = "https://github.com/ewpratten/protomask/tree/master/libs/protomask-metrics"
documentation = "https://docs.rs/protomask-metrics"
repository = "https://github.com/ewpratten/protomask"
license = "GPL-3.0"
keywords = []
categories = []
[dependencies]
hyper = { version = "0.14.27", features = ["server", "http1", "tcp"] }
log = "^0.4"
prometheus = "0.13.3"
lazy_static = "1.4.0"

1
libs/protomask-metrics/README.md Normal file
View File

@ -0,0 +1 @@
**`protomask-metrics` is exclusively for use in `protomask` and is not intended to be used on its own.**

3
src/metrics/http.rs → libs/protomask-metrics/src/http.rs
View File

@ -1,10 +1,9 @@
use std::{convert::Infallible, net::SocketAddr};
use hyper::{
service::{make_service_fn, service_fn},
Body, Method, Request, Response, Server,
};
use prometheus::{Encoder, TextEncoder};
use std::{convert::Infallible, net::SocketAddr};
/// Handle an HTTP request
#[allow(clippy::unused_async)]

12
src/lib.rs → libs/protomask-metrics/src/lib.rs
View File

@ -1,12 +1,12 @@
//! # Protomask library
//!
//! *Note: There is a fair chance you are looking for `src/cli/main.rs` instead of this file.*
#![doc = include_str!("../README.md")]
#![deny(clippy::pedantic)]
#![allow(clippy::module_name_repetitions)]
#![allow(clippy::missing_errors_doc)]
#![allow(clippy::missing_panics_doc)]
#![allow(clippy::doc_markdown)]
pub mod http;
pub mod metrics;
pub mod nat;
mod packet;
#[macro_use]
pub mod macros;

9
libs/protomask-metrics/src/macros.rs Normal file
View File

@ -0,0 +1,9 @@
/// A short-hand way to access one of the metrics in `protomask_metrics::metrics`
#[macro_export]
macro_rules! metric {
// Accept and name and multiple labels
($metric_name: ident, $($label_name: ident),+) => {
protomask_metrics::metrics::$metric_name.with_label_values(&[$(protomask_metrics::metrics::label_values::$label_name),+])
};
}

37
libs/protomask-metrics/src/metrics.rs Normal file
View File

@ -0,0 +1,37 @@
use lazy_static::lazy_static;
pub mod label_values {
/// IPv4 protocol
pub const PROTOCOL_IPV4: &str = "ipv4";
/// IPv6 protocol
pub const PROTOCOL_IPV6: &str = "ipv6";
/// ICMP protocol
pub const PROTOCOL_ICMP: &str = "icmp";
/// ICMPv6 protocol
pub const PROTOCOL_ICMPV6: &str = "icmpv6";
/// TCP protocol
pub const PROTOCOL_TCP: &str = "tcp";
/// UDP protocol
pub const PROTOCOL_UDP: &str = "udp";
/// Dropped status
pub const STATUS_DROPPED: &str = "dropped";
/// Translated status
pub const STATUS_TRANSLATED: &str = "translated";
}
lazy_static! {
/// Counter for the number of packets processed
pub static ref PACKET_COUNTER: prometheus::IntCounterVec = prometheus::register_int_counter_vec!(
"protomask_packets",
"Number of packets processed",
&["protocol", "status"]
).unwrap();
/// Counter for the number of different types of ICMP packets received
pub static ref ICMP_COUNTER: prometheus::IntCounterVec = prometheus::register_int_counter_vec!(
"protomask_icmp_packets_recv",
"Number of ICMP packets received",
&["protocol", "icmp_type", "icmp_code"]
).unwrap();
}

17
libs/rfc6052/Cargo.toml Normal file
View File

@ -0,0 +1,17 @@
[package]
name = "rfc6052"
version = "1.0.0"
authors = ["Evan Pratten <ewpratten@gmail.com>"]
edition = "2021"
description = "Rust functions for interacting with RFC6052 IPv4-Embedded IPv6 Addresses"
readme = "README.md"
homepage = "https://github.com/ewpratten/protomask/tree/master/libs/rfc6052"
documentation = "https://docs.rs/rfc6052"
repository = "https://github.com/ewpratten/protomask"
license = "GPL-3.0"
keywords = ["rfc6052", "ipv4-embedded-ipv6", "address-translation", "ipv4", "ipv6"]
categories = ["algorithms", "encoding", "network-programming"]
[dependencies]
thiserror = "^1.0.44"
ipnet = "^2.8.0"

35
libs/rfc6052/README.md Normal file
View File

@ -0,0 +1,35 @@
# RFC6052 for Rust
[![Crates.io](https://img.shields.io/crates/v/rfc6052)](https://crates.io/crates/rfc6052)
[![Docs.rs](https://docs.rs/rfc6052/badge.svg)](https://docs.rs/rfc6052)
[RFC6052](https://datatracker.ietf.org/doc/html/rfc6052) defines *"the algorithmic translation of an IPv6 address to a corresponding IPv4 address, and vice versa, using only statically configured information"*. In simpler terms, this means *embedding IPv4 address into IPv6 addresses*. The primary use case of which being NAT64 translators.
The RFC defines the following scheme for embedding IPv4 addresses into IPv6 addresses:
```text
+--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
|PL| 0-------------32--40--48--56--64--72--80--88--96--104---------|
+--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
|32| prefix |v4(32) | u | suffix |
+--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
|40| prefix |v4(24) | u |(8)| suffix |
+--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
|48| prefix |v4(16) | u | (16) | suffix |
+--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
|56| prefix |(8)| u | v4(24) | suffix |
+--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
|64| prefix | u | v4(32) | suffix |
+--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
|96| prefix | v4(32) |
+--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
```
- `PL` is the prefix length
- `u` is a reserved byte that **must** be set to `0`
## Safe vs. Unsafe
This library provides both a "regular" and "unchecked" version of the functions for embedding and extracting IPv4 addresses from IPv6 addresses.
The "regular" functions enforce the restricted set of IPv6 prefix lengths allowed by the RFC (32, 40, 48, 56, 64, and 96 bits long). The "unchecked" functions do not enforce this restriction, and will happily accept any prefix length at the cost of non-compliance with the RFC.

174
libs/rfc6052/src/embed.rs Normal file
View File

@ -0,0 +1,174 @@
//! IPv4 address embedding functions
use ipnet::Ipv6Net;
use std::cmp::{max, min};
use std::net::{Ipv4Addr, Ipv6Addr};
use crate::error::Error;
use crate::ALLOWED_PREFIX_LENS;
/// Embeds an IPv4 address into an IPv6 prefix following the method defined in [RFC6052 Section 2.2](https://datatracker.ietf.org/doc/html/rfc6052#section-2.2)
///
/// # Examples
///
/// ```
/// # use ipnet::{Ipv6Net};
/// # use std::net::{Ipv4Addr, Ipv6Addr};
/// use rfc6052::embed_ipv4_addr;
///
/// // An IPv4 address can be embedded into an IPv6 prefix of acceptable length
/// assert_eq!(
/// embed_ipv4_addr(
/// "192.0.2.1".parse().unwrap(),
/// "64:ff9b::/32".parse().unwrap()
/// ),
/// Ok("64:ff9b:c000:0201::".parse::<Ipv6Addr>().unwrap())
/// );
///
/// // Using a prefix that is not an RFC-approved length (in this case 66) will fail
/// assert_eq!(
/// embed_ipv4_addr(
/// "192.0.2.1".parse().unwrap(),
/// "64:ff9b::/66".parse().unwrap()
/// ),
/// Err(rfc6052::Error::InvalidPrefixLength(66))
/// );
/// ```
pub fn embed_ipv4_addr(ipv4_addr: Ipv4Addr, ipv6_prefix: Ipv6Net) -> Result<Ipv6Addr, Error> {
// Fail if the prefix length is invalid
if !ALLOWED_PREFIX_LENS.contains(&ipv6_prefix.prefix_len()) {
return Err(Error::InvalidPrefixLength(ipv6_prefix.prefix_len()));
}
// Fall through to the unchecked version of this function
Ok(unsafe { embed_ipv4_addr_unchecked(ipv4_addr, ipv6_prefix) })
}
/// Embeds an IPv4 address into an IPv6 prefix following the method defined in [RFC6052 Section 2.2](https://datatracker.ietf.org/doc/html/rfc6052#section-2.2)
///
/// **Warning:** This function does not check that the prefix length is valid according to the RFC. Use `embed_ipv4_addr` instead.
///
/// # Examples
///
/// ```
/// # use ipnet::{Ipv6Net};
/// # use std::net::{Ipv4Addr, Ipv6Addr};
/// use rfc6052::embed_ipv4_addr_unchecked;
///
/// // Using a prefix that is not an RFC-approved length (in this case 66) will *succeed*
/// // This is *not* the behavior of `embed_ipv4_addr`
/// assert_eq!(
/// unsafe {
/// embed_ipv4_addr_unchecked(
/// "192.0.2.1".parse().unwrap(),
/// "64:ff9b::/66".parse().unwrap()
/// )
/// },
/// "64:ff9b::30:0:8040:0".parse::<Ipv6Addr>().unwrap()
/// );
/// ```
#[must_use]
#[allow(clippy::cast_lossless)]
#[allow(clippy::cast_possible_truncation)]
pub unsafe fn embed_ipv4_addr_unchecked(ipv4_addr: Ipv4Addr, ipv6_prefix: Ipv6Net) -> Ipv6Addr {
// Convert to integer types
let ipv4_addr = u32::from(ipv4_addr);
let prefix_len = ipv6_prefix.prefix_len() as i16;
let ipv6_prefix = u128::from(ipv6_prefix.addr());
// According to the RFC, the IPv4 address must be split on the boundary of bits 64..71.
// To accomplish this, we split the IPv4 address into two parts so we can separately mask
// and shift them into place on each side of the boundary
Ipv6Addr::from(
ipv6_prefix
| ((ipv4_addr as u128 & (0xffff_ffffu128 << (32 + min(0, prefix_len - 64))))
<< (128 - prefix_len - 32))
| (((ipv4_addr as u128) << max(0, 128 - prefix_len - 32 - 8)) & 0x00ff_ffff_ffff_ffff),
)
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_embed_len_32() {
unsafe {
assert_eq!(
embed_ipv4_addr_unchecked(
"192.0.2.1".parse().unwrap(),
"64:ff9b::/32".parse().unwrap()
),
"64:ff9b:c000:0201::".parse::<Ipv6Addr>().unwrap()
);
}
}
#[test]
fn test_embed_len_40() {
unsafe {
assert_eq!(
embed_ipv4_addr_unchecked(
"192.0.2.1".parse().unwrap(),
"64:ff9b::/40".parse().unwrap(),
),
"64:ff9b:00c0:0002:0001::".parse::<Ipv6Addr>().unwrap()
);
}
}
#[test]
fn test_embed_len_48() {
unsafe {
assert_eq!(
embed_ipv4_addr_unchecked(
"192.0.2.1".parse().unwrap(),
"64:ff9b::/48".parse().unwrap(),
),
"64:ff9b:0000:c000:0002:0100::".parse::<Ipv6Addr>().unwrap()
);
}
}
#[test]
fn test_embed_len_56() {
unsafe {
assert_eq!(
embed_ipv4_addr_unchecked(
"192.0.2.1".parse().unwrap(),
"64:ff9b::/56".parse().unwrap(),
),
"64:ff9b:0000:00c0:0000:0201::".parse::<Ipv6Addr>().unwrap()
);
}
}
#[test]
fn test_embed_len_64() {
unsafe {
assert_eq!(
embed_ipv4_addr_unchecked(
"192.0.2.1".parse().unwrap(),
"64:ff9b::/64".parse().unwrap(),
),
"64:ff9b:0000:0000:00c0:0002:0100::"
.parse::<Ipv6Addr>()
.unwrap()
);
}
}
#[test]
fn test_embed_len_96() {
unsafe {
assert_eq!(
embed_ipv4_addr_unchecked(
"192.0.2.1".parse().unwrap(),
"64:ff9b::/96".parse().unwrap(),
),
"64:ff9b:0000:0000:0000:0000:c000:0201"
.parse::<Ipv6Addr>()
.unwrap()
);
}
}
}

7
libs/rfc6052/src/error.rs Normal file
View File

@ -0,0 +1,7 @@
//! Error types for this library
#[derive(Debug, thiserror::Error, PartialEq)]
pub enum Error {
#[error("Invalid IPv6 prefix length: {0}. Must be one of 32, 40, 48, 56, 64, or 96")]
InvalidPrefixLength(u8),
}

139
libs/rfc6052/src/extract.rs Normal file
View File

@ -0,0 +1,139 @@
//! IPv4 address extraction functions
use crate::{error::Error, ALLOWED_PREFIX_LENS};
use std::cmp::max;
use std::net::{Ipv4Addr, Ipv6Addr};
/// Extracts an IPv4 address from an IPv6 prefix following the method defined in [RFC6052 Section 2.2](https://datatracker.ietf.org/doc/html/rfc6052#section-2.2)
///
/// # Examples
///
/// ```
/// # use std::net::{Ipv4Addr, Ipv6Addr};
/// use rfc6052::extract_ipv4_addr;
///
/// // An IPv4 address can be extracted from an IPv6 prefix of acceptable length
/// assert_eq!(
/// extract_ipv4_addr("64:ff9b:c000:0201::".parse().unwrap(), 32),
/// Ok("192.0.2.1".parse::<Ipv4Addr>().unwrap())
/// );
///
/// // Using a prefix that is not an RFC-approved length (in this case 66) will fail
/// assert_eq!(
/// extract_ipv4_addr("64:ff9b:c000:0201::".parse().unwrap(), 66),
/// Err(rfc6052::Error::InvalidPrefixLength(66))
/// );
/// ```
pub fn extract_ipv4_addr(ipv6_addr: Ipv6Addr, prefix_length: u8) -> Result<Ipv4Addr, Error> {
// Fail if the prefix length is invalid
if !ALLOWED_PREFIX_LENS.contains(&prefix_length) {
return Err(Error::InvalidPrefixLength(prefix_length));
}
// Fall through to the unchecked version of this function
Ok(unsafe { extract_ipv4_addr_unchecked(ipv6_addr, prefix_length) })
}
/// Extracts an IPv4 address from an IPv6 prefix following the method defined in [RFC6052 Section 2.2](https://datatracker.ietf.org/doc/html/rfc6052#section-2.2)
///
/// **Warning:** This function does not check that the prefix length is valid according to the RFC. Use `extract_ipv4_addr` instead.
///
/// # Examples
///
/// ```
/// # use std::net::{Ipv4Addr, Ipv6Addr};
/// use rfc6052::extract_ipv4_addr_unchecked;
///
/// // Using a prefix that is not an RFC-approved length (in this case 66) will *succeed*
/// // This is *not* the behavior of `extract_ipv4_addr`
/// assert_eq!(
/// unsafe { extract_ipv4_addr_unchecked("64:ff9b::30:0:8040:0".parse().unwrap(), 66) },
/// "192.0.2.1".parse::<Ipv4Addr>().unwrap()
/// );
/// ```
#[must_use]
#[allow(clippy::cast_lossless)]
#[allow(clippy::cast_possible_truncation)]
pub unsafe fn extract_ipv4_addr_unchecked(ipv6_addr: Ipv6Addr, prefix_length: u8) -> Ipv4Addr {
// Convert the IPv6 address to a number for easier manipulation
let ipv6_addr = u128::from(ipv6_addr);
let host_part = ipv6_addr & ((1 << (128 - prefix_length)) - 1);
// Extract the IPv4 address from the IPv6 address
Ipv4Addr::from(
(((host_part & 0xffff_ffff_ffff_ffff_0000_0000_0000_0000)
| (host_part & 0x00ff_ffff_ffff_ffff) << 8)
>> max(8, 128 - prefix_length - 32)) as u32,
)
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_extract_len_32() {
unsafe {
assert_eq!(
extract_ipv4_addr_unchecked("64:ff9b:c000:0201::".parse().unwrap(), 32),
"192.0.2.1".parse::<Ipv4Addr>().unwrap(),
)
}
}
#[test]
fn test_extract_len_40() {
unsafe {
assert_eq!(
extract_ipv4_addr_unchecked("64:ff9b:00c0:0002:0001::".parse().unwrap(), 40),
"192.0.2.1".parse::<Ipv4Addr>().unwrap(),
)
}
}
#[test]
fn test_extract_len_48() {
unsafe {
assert_eq!(
extract_ipv4_addr_unchecked("64:ff9b:0000:c000:0002:0100::".parse().unwrap(), 48),
"192.0.2.1".parse::<Ipv4Addr>().unwrap(),
)
}
}
#[test]
fn test_extract_len_56() {
unsafe {
assert_eq!(
extract_ipv4_addr_unchecked("64:ff9b:0000:00c0:0000:0201::".parse().unwrap(), 56),
"192.0.2.1".parse::<Ipv4Addr>().unwrap(),
)
}
}
#[test]
fn test_extract_len_64() {
unsafe {
assert_eq!(
extract_ipv4_addr_unchecked(
"64:ff9b:0000:0000:00c0:0002:0100::".parse().unwrap(),
64
),
"192.0.2.1".parse::<Ipv4Addr>().unwrap(),
)
}
}
#[test]
fn test_extract_len_96() {
unsafe {
assert_eq!(
extract_ipv4_addr_unchecked(
"64:ff9b:0000:0000:0000:0000:c000:0201".parse().unwrap(),
96
),
"192.0.2.1".parse::<Ipv4Addr>().unwrap(),
)
}
}
}

25
libs/rfc6052/src/lib.rs Normal file
View File

@ -0,0 +1,25 @@
#![doc = include_str!("../README.md")]
#![deny(clippy::pedantic)]
#![allow(clippy::module_name_repetitions)]
#![allow(clippy::missing_errors_doc)]
#![allow(clippy::missing_panics_doc)]
#![allow(clippy::missing_safety_doc)]
mod embed;
mod error;
mod extract;
pub use embed::{embed_ipv4_addr, embed_ipv4_addr_unchecked};
pub use error::Error;
pub use extract::{extract_ipv4_addr, extract_ipv4_addr_unchecked};
/// All allowed IPv6 prefix lengths according to [RFC6052 Section 2.2](https://datatracker.ietf.org/doc/html/rfc6052#section-2.2)
///
/// While any prefix length between 32 and 96 bits can in theory work with this library,
/// the RFC strictly defines a list of allowed IPv6 prefix to be used for embedding IPv4 addresses. They are:
/// - 32 bits
/// - 40 bits
/// - 48 bits
/// - 56 bits
/// - 64 bits
/// - 96 bits
pub const ALLOWED_PREFIX_LENS: [u8; 6] = [32, 40, 48, 56, 64, 96];

21
libs/rtnl/Cargo.toml Normal file
View File

@ -0,0 +1,21 @@
[package]
name = "rtnl"
version = "0.1.0"
authors = ["Evan Pratten <ewpratten@gmail.com>"]
edition = "2021"
description = "Slightly sane wrapper around rtnetlink"
readme = "README.md"
homepage = "https://github.com/ewpratten/protomask/tree/master/libs/rtnl"
documentation = "https://docs.rs/rtnl"
repository = "https://github.com/ewpratten/protomask"
license = "GPL-3.0"
keywords = []
categories = []
[dependencies]
tokio = { version = "1.29.1", optional = true, features = ["rt-multi-thread"] }
log = "0.4.19"
rtnetlink = "0.13.1"
futures = "0.3.28"
ipnet = "^2.8.0"

5
libs/rtnl/README.md Normal file
View File

@ -0,0 +1,5 @@
# RTNL
[![Crates.io](https://img.shields.io/crates/v/rtnl)](https://crates.io/crates/rtnl)
[![Docs.rs](https://docs.rs/rtnl/badge.svg)](https://docs.rs/rtnl)
A slightly sane wrapper around [`rtnetlink`](https://crates.io/crates/rtnetlink)

71
libs/rtnl/src/ip.rs Normal file
View File

@ -0,0 +1,71 @@
//! Utilities for manipulating the addresses assigned to links
use std::net::IpAddr;
use futures::TryStreamExt;
use rtnetlink::Handle;
/// Add an IP address to a link
pub async fn addr_add(
ip_addr: IpAddr,
prefix_len: u8,
rt_handle: &Handle,
link_index: u32,
) -> Result<(), rtnetlink::Error> {
log::trace!("Adding address {} to link {}", ip_addr, link_index);
rt_handle
.address()
.add(link_index, ip_addr, prefix_len)
.execute()
.await
.map_err(|err| {
log::error!("Failed to add address {} to link {}", ip_addr, link_index);
log::error!("{}", err);
err
})
}
/// Remove an IP address from a link
pub async fn addr_del(
ip_addr: IpAddr,
prefix_len: u8,
rt_handle: &Handle,
link_index: u32,
) -> Result<(), rtnetlink::Error> {
log::trace!("Removing address {} from link {}", ip_addr, link_index);
// Find the address message that matches the given address
if let Some(address_message) = rt_handle
.address()
.get()
.set_link_index_filter(link_index)
.set_address_filter(ip_addr)
.set_prefix_length_filter(prefix_len)
.execute()
.try_next()
.await
.map_err(|err| {
log::error!("Failed to find address {} on link {}", ip_addr, link_index);
log::error!("{}", err);
err
})?
{
// Delete the address
rt_handle
.address()
.del(address_message)
.execute()
.await
.map_err(|err| {
log::error!(
"Failed to remove address {} from link {}",
ip_addr,
link_index
);
log::error!("{}", err);
err
})?;
}
Ok(())
}

22
libs/rtnl/src/lib.rs Normal file
View File

@ -0,0 +1,22 @@
#![doc = include_str!("../README.md")]
#![deny(clippy::pedantic)]
#![allow(clippy::module_name_repetitions)]
#![allow(clippy::missing_errors_doc)]
#![allow(clippy::missing_panics_doc)]
#![allow(clippy::missing_safety_doc)]
pub mod ip;
pub mod link;
pub mod route;
/// Get a handle on a new rtnetlink connection
#[cfg(feature = "tokio")]
pub fn new_handle() -> Result<rtnetlink::Handle, std::io::Error> {
let (rt_connection, rt_handle, _) = rtnetlink::new_connection().map_err(|err| {
log::error!("Failed to open rtnetlink connection");
log::error!("{}", err);
err
})?;
tokio::spawn(rt_connection);
Ok(rt_handle)
}

31
libs/rtnl/src/link.rs Normal file
View File

@ -0,0 +1,31 @@
//! Utilities for operating on a link/interface/device
use futures::TryStreamExt;
use rtnetlink::Handle;
/// Bring up a link by its link index
pub async fn link_up(rt_handle: &Handle, link_index: u32) -> Result<(), rtnetlink::Error> {
log::trace!("Bringing up link {}", link_index);
rt_handle.link().set(link_index).up().execute().await
}
/// Bring down a link by its link index
pub async fn link_down(rt_handle: &Handle, link_index: u32) -> Result<(), rtnetlink::Error> {
log::trace!("Bringing down link {}", link_index);
rt_handle.link().set(link_index).down().execute().await
}
/// Get the link index of a link by its name
pub async fn get_link_index(
rt_handle: &Handle,
link_name: &str,
) -> Result<Option<u32>, rtnetlink::Error> {
Ok(rt_handle
.link()
.get()
.match_name(link_name.to_owned())
.execute()
.try_next()
.await?
.map(|message| message.header.index))
}

41
libs/rtnl/src/route.rs Normal file
View File

@ -0,0 +1,41 @@
//! Utilities for interacting with the routing table
use ipnet::IpNet;
use rtnetlink::Handle;
/// Add a route to a link
pub async fn route_add(
destination: IpNet,
rt_handle: &Handle,
link_index: u32,
) -> Result<(), rtnetlink::Error> {
log::trace!("Adding route {} to link {}", destination, link_index);
match destination {
IpNet::V4(destination) => rt_handle
.route()
.add()
.v4()
.output_interface(link_index)
.destination_prefix(destination.addr(), destination.prefix_len())
.execute()
.await
.map_err(|err| {
log::error!("Failed to add route {} to link", destination);
log::error!("{}", err);
err
}),
IpNet::V6(destination) => rt_handle
.route()
.add()
.v6()
.output_interface(link_index)
.destination_prefix(destination.addr(), destination.prefix_len())
.execute()
.await
.map_err(|err| {
log::error!("Failed to add route {} to link", destination);
log::error!("{}", err);
err
}),
}
}

23
protomask-tun/Cargo.toml
View File

@ -1,23 +0,0 @@
[package]
name = "protomask-tun"
version = "0.1.0"
authors = ["Evan Pratten <ewpratten@gmail.com>"]
edition = "2021"
description = "An async interface to Linux TUN devices"
readme = "README.md"
homepage = "https://github.com/ewpratten/protomask/protomask-tun"
documentation = "https://docs.rs/protomask-tun"
repository = "https://github.com/ewpratten/protomask"
license = "GPL-3.0"
keywords = []
categories = []
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies]
tokio = { version = "1.29.1", features = ["sync", "rt"] }
log = "0.4.19"
thiserror = "1.0.43"
tun-tap = "0.1.3"
rtnetlink = "0.13.0"
futures = "0.3.28"
ipnet = "^2.8.0"

3
protomask-tun/README.md
View File

@ -1,3 +0,0 @@
# protomask-tun
An async interface to Linux TUN devices. Support library for `protomask`.

10
protomask-tun/src/error.rs
View File

@ -1,10 +0,0 @@
#[derive(Debug, thiserror::Error)]
pub enum Error {
#[error(transparent)]
IoError(#[from] std::io::Error),
#[error(transparent)]
NetlinkError(#[from] rtnetlink::Error),
}
pub type Result<T> = std::result::Result<T, Error>;

5
protomask-tun/src/lib.rs
View File

@ -1,5 +0,0 @@
mod error;
mod tun;
pub use error::{Error, Result};
pub use tun::TunDevice;

226
protomask-tun/src/tun.rs
View File

@ -1,226 +0,0 @@
use std::{
io::{Read, Write},
net::IpAddr,
os::fd::{AsRawFd, FromRawFd},
};
use futures::TryStreamExt;
use ipnet::IpNet;
use tokio::{
sync::{broadcast, mpsc},
task,
};
use tun_tap::Mode;
use crate::Result;
#[derive(Debug)]
pub struct TunDevice {
device: tun_tap::Iface,
rt_handle: rtnetlink::Handle,
link_index: u32,
mtu: usize,
}
impl TunDevice {
/// Create and bring up a new TUN device
///
/// ## Name format
///
/// The name field can be any string. If `%d` is present in the string,
/// it will be replaced with a unique number.
pub async fn new(name: &str) -> Result<Self> {
// Bring up an rtnetlink connection
let (rt_connection, rt_handle, _) = rtnetlink::new_connection().map_err(|err| {
log::error!("Failed to open rtnetlink connection");
log::error!("{}", err);
err
})?;
tokio::spawn(rt_connection);
// Create the TUN device
let tun_device = tun_tap::Iface::without_packet_info(name, Mode::Tun)?;
log::debug!("Created new TUN device: {}", tun_device.name());
// Get access to the link through rtnetlink
// NOTE: I don't think there is any way this can fail, so `except` is probably OK
let tun_link = rt_handle
.link()
.get()
.match_name(tun_device.name().to_owned())
.execute()
.try_next()
.await?
.expect("Failed to access newly created TUN device");
// Bring the link up
rt_handle
.link()
.set(tun_link.header.index)
.up()
.execute()
.await
.map_err(|err| {
log::error!("Failed to bring up link");
log::error!("{}", err);
err
})?;
log::debug!("Brought {} up", tun_device.name());
// Read the link MTU
let mtu: usize =
std::fs::read_to_string(format!("/sys/class/net/{}/mtu", tun_device.name()))
.expect("Failed to read link MTU")
.strip_suffix("\n")
.unwrap()
.parse()
.unwrap();
Ok(Self {
device: tun_device,
rt_handle,
link_index: tun_link.header.index,
mtu,
})
}
/// Add an IP address to this device
pub async fn add_address(&mut self, ip_address: IpAddr, prefix_len: u8) -> Result<()> {
self.rt_handle
.address()
.add(self.link_index, ip_address, prefix_len)
.execute()
.await
.map_err(|err| {
log::error!("Failed to add address {} to link", ip_address);
log::error!("{}", err);
err
})?;
Ok(())
}
/// Remove an IP address from this device
pub async fn remove_address(&mut self, ip_address: IpAddr, prefix_len: u8) -> Result<()> {
// Find the address message that matches the given address
if let Some(address_message) = self
.rt_handle
.address()
.get()
.set_link_index_filter(self.link_index)
.set_address_filter(ip_address)
.set_prefix_length_filter(prefix_len)
.execute()
.try_next()
.await
.map_err(|err| {
log::error!("Failed to find address {} on link", ip_address);
log::error!("{}", err);
err
})?
{
// Delete the address
self.rt_handle
.address()
.del(address_message)
.execute()
.await
.map_err(|err| {
log::error!("Failed to remove address {} from link", ip_address);
log::error!("{}", err);
err
})?;
}
Ok(())
}
/// Add a route to this device
pub async fn add_route(&mut self, destination: IpNet) -> Result<()> {
match destination {
IpNet::V4(destination) => {
self.rt_handle
.route()
.add()
.v4()
.output_interface(self.link_index)
.destination_prefix(destination.addr(), destination.prefix_len())
.execute()
.await
.map_err(|err| {
log::error!("Failed to add route {} to link", destination);
log::error!("{}", err);
err
})?;
}
IpNet::V6(destination) => {
self.rt_handle
.route()
.add()
.v6()
.output_interface(self.link_index)
.destination_prefix(destination.addr(), destination.prefix_len())
.execute()
.await
.map_err(|err| {
log::error!("Failed to add route {} to link", destination);
log::error!("{}", err);
err
})?;
}
}
Ok(())
}
/// Spawns worker threads, and returns a tx/rx pair for the caller to interact with them
pub async fn spawn_worker(&self) -> (mpsc::Sender<Vec<u8>>, broadcast::Receiver<Vec<u8>>) {
// Create a channel for packets to be sent to the caller
let (tx_to_caller, rx_from_worker) = broadcast::channel(65535);
// Create a channel for packets being received from the caller
let (tx_to_worker, mut rx_from_caller) = mpsc::channel(65535);
// Clone some values for use in worker threads
let mtu = self.mtu;
let device_fd = self.device.as_raw_fd();
// Create a task that broadcasts all incoming packets
let _rx_task = task::spawn_blocking(move || {
// Build a buffer to read packets into
let mut buffer = vec![0u8; mtu];
// Create a file to access the TUN device
let mut device = unsafe { std::fs::File::from_raw_fd(device_fd) };
loop {
// Read a packet from the TUN device
let packet_len = device.read(&mut buffer[..]).unwrap();
let packet = buffer[..packet_len].to_vec();
// Broadcast the packet to all listeners
tx_to_caller.send(packet).unwrap();
}
});
// Create a task that sends all outgoing packets
let _tx_task = task::spawn(async move {
// Create a file to access the TUN device
let mut device = unsafe { std::fs::File::from_raw_fd(device_fd) };
loop {
// Wait for a packet to be sent
let packet: Vec<u8> = rx_from_caller.recv().await.unwrap();
// Write the packet to the TUN device
device.write_all(&packet[..]).unwrap();
}
});
// Create a task that sends all outgoing packets
let _tx_task = task::spawn_blocking(|| {});
// Return an rx/tx pair for the caller to interact with the workers
(tx_to_worker, rx_from_worker)
}
}

12
protomask.toml
View File

@ -1,12 +0,0 @@
# The NAT64 prefix to route to protomask
Nat64Prefix = "64:ff9b::/96"
# Setting this will enable prometheus metrics
Prometheus = "[::1]:8080" # Optional, defaults to disabled
[Pool]
# All prefixes in the pool
Prefixes = ["192.0.2.0/24"]
# The maximum duration an ipv4 address from the pool will be reserved for after becoming idle
MaxIdleDuration = 7200 # Optional, seconds. Defaults to 7200 (2 hours)
# Permanent address mappings
Static = [{ v4 = "192.0.2.2", v6 = "2001:db8:1::2" }]

21
src/args/mod.rs Normal file
View File

@ -0,0 +1,21 @@
//! This module contains the definitions for each binary's CLI arguments and config file structure for the sake of readability.
use cfg_if::cfg_if;
pub mod protomask;
pub mod protomask_clat;
// Used to trick the build process into including a CLI argument based on a feature flag
cfg_if! {
if #[cfg(feature = "profiler")] {
#[derive(Debug, clap::Args)]
pub struct ProfilerArgs {
/// Expose the puffin HTTP server on this endpoint
#[clap(long)]
pub puffin_endpoint: Option<std::net::SocketAddr>,
}
} else {
#[derive(Debug, clap::Args)]
pub struct ProfilerArgs;
}
}

109
src/args/protomask.rs Normal file
View File

@ -0,0 +1,109 @@
use std::{
net::{Ipv4Addr, Ipv6Addr, SocketAddr},
path::PathBuf,
};
use ipnet::{Ipv4Net, Ipv6Net};
use crate::common::rfc6052::parse_network_specific_prefix;
use super::ProfilerArgs;
#[derive(clap::Parser)]
#[clap(author, version, about="Fast and simple NAT64", long_about = None)]
pub struct Args {
#[command(flatten)]
config_data: Option<Config>,
/// Path to a config file to read
#[clap(short = 'c', long = "config", conflicts_with = "Config")]
config_file: Option<PathBuf>,
/// Explicitly set the interface name to use
#[clap(short, long, default_value_t = ("nat%d").to_string())]
pub interface: String,
#[command(flatten)]
pub profiler_args: ProfilerArgs,
/// Enable verbose logging
#[clap(short, long)]
pub verbose: bool,
}
impl Args {
#[allow(dead_code)]
pub fn data(&self) -> Result<Config, Box<dyn std::error::Error>> {
match self.config_file {
Some(ref path) => {
// Read the data from the config file
let file = std::fs::File::open(path).map_err(|error| match error.kind() {
std::io::ErrorKind::NotFound => {
log::error!("Config file not found: {}", path.display());
std::process::exit(1)
}
_ => error,
})?;
let data: Config = serde_json::from_reader(file)?;
// We need at least one pool prefix
if data.pool_prefixes.is_empty() {
log::error!("No pool prefixes specified. At least one prefix must be specified in the `pool` property of the config file");
std::process::exit(1);
}
Ok(data)
}
None => match &self.config_data {
Some(data) => Ok(data.clone()),
None => {
log::error!("No configuration provided. Either use --config to specify a file or set the configuration via CLI args (see --help)");
std::process::exit(1)
}
},
}
}
}
/// Program configuration. Specifiable via either CLI args or a config file
#[derive(Debug, clap::Args, serde::Deserialize, Clone)]
#[group()]
pub struct Config {
/// IPv4 prefixes to use as NAT pool address space
#[clap(long = "pool-prefix")]
#[serde(rename = "pool")]
pub pool_prefixes: Vec<Ipv4Net>,
/// Static mapping between IPv4 and IPv6 addresses
#[clap(skip)]
pub static_map: Vec<(Ipv4Addr, Ipv6Addr)>,
/// Enable prometheus metrics on a given address
#[clap(long = "prometheus")]
#[serde(rename = "prometheus_bind_addr")]
pub prom_bind_addr: Option<SocketAddr>,
/// RFC6052 IPv6 translation prefix
#[clap(long, default_value_t = ("64:ff9b::/96").parse().unwrap(), value_parser = parse_network_specific_prefix)]
#[serde(
rename = "prefix",
serialize_with = "crate::common::rfc6052::serialize_network_specific_prefix"
)]
pub translation_prefix: Ipv6Net,
/// NAT reservation timeout in seconds
#[clap(long, default_value = "7200")]
pub reservation_timeout: u64,
}
#[derive(Debug, serde::Deserialize, Clone)]
pub struct StaticMap {
pub ipv4: Ipv4Addr,
pub ipv6: Ipv6Addr,
}
impl From<StaticMap> for (Ipv4Addr, Ipv6Addr) {
fn from(val: StaticMap) -> Self {
(val.ipv4, val.ipv6)
}
}

85
src/args/protomask_clat.rs Normal file
View File

@ -0,0 +1,85 @@
//! Commandline arguments and config file definitions for `protomask-clat`
use super::ProfilerArgs;
use crate::common::rfc6052::parse_network_specific_prefix;
use ipnet::{Ipv4Net, Ipv6Net};
use std::{net::SocketAddr, path::PathBuf};
#[derive(Debug, clap::Parser)]
#[clap(author, version, about="IPv4 to IPv6 Customer-side transLATor (CLAT)", long_about = None)]
pub struct Args {
#[command(flatten)]
config_data: Option<Config>,
/// Path to a config file to read
#[clap(short = 'c', long = "config", conflicts_with = "Config")]
config_file: Option<PathBuf>,
/// Explicitly set the interface name to use
#[clap(short, long, default_value_t = ("clat%d").to_string())]
pub interface: String,
#[command(flatten)]
pub profiler_args: ProfilerArgs,
/// Enable verbose logging
#[clap(short, long)]
pub verbose: bool,
}
impl Args {
#[allow(dead_code)]
pub fn data(&self) -> Result<Config, Box<dyn std::error::Error>> {
match self.config_file {
Some(ref path) => {
// Read the data from the config file
let file = std::fs::File::open(path).map_err(|error| match error.kind() {
std::io::ErrorKind::NotFound => {
log::error!("Config file not found: {}", path.display());
std::process::exit(1)
}
_ => error,
})?;
let data: Config = serde_json::from_reader(file)?;
// We need at least one customer prefix
if data.customer_pool.is_empty() {
log::error!("No customer prefixes specified. At least one prefix must be specified in the `customer_pool` property of the config file");
std::process::exit(1);
}
Ok(data)
}
None => match &self.config_data {
Some(data) => Ok(data.clone()),
None => {
log::error!("No configuration provided. Either use --config to specify a file or set the configuration via CLI args (see --help)");
std::process::exit(1)
}
},
}
}
}
/// Program configuration. Specifiable via either CLI args or a config file
#[derive(Debug, clap::Args, serde::Deserialize, Clone)]
#[group()]
pub struct Config {
/// One or more customer-side IPv4 prefixes to allow through CLAT
#[clap(long = "customer-prefix")]
#[serde(rename = "customer_pool")]
pub customer_pool: Vec<Ipv4Net>,
/// Enable prometheus metrics on a given address
#[clap(long = "prometheus")]
#[serde(rename = "prometheus_bind_addr")]
pub prom_bind_addr: Option<SocketAddr>,
/// RFC6052 IPv6 prefix to encapsulate IPv4 packets within
#[clap(long="via", default_value_t = ("64:ff9b::/96").parse().unwrap(), value_parser = parse_network_specific_prefix)]
#[serde(
rename = "via",
serialize_with = "crate::common::rfc6052::serialize_network_specific_prefix"
)]
pub embed_prefix: Ipv6Net,
}

16
src/cli/cli.rs
View File

@ -1,16 +0,0 @@
//! Command line argument definitions
use std::path::PathBuf;
use clap::Parser;
#[derive(Parser, Debug)]
#[command(author, version, about, long_about = None)]
pub struct Args {
/// Path to the config file
pub config_file: PathBuf,
/// Enable verbose logging
#[clap(short, long)]
pub verbose: bool,
}

94
src/cli/config.rs
View File

@ -1,94 +0,0 @@
//! Serde definitions for the config file
use std::{
net::{Ipv4Addr, Ipv6Addr, SocketAddr},
path::Path,
time::Duration,
};
use ipnet::{Ipv4Net, Ipv6Net};
/// A static mapping rule
#[derive(Debug, serde::Deserialize)]
pub struct AddressMappingRule {
/// IPv4 address
pub v4: Ipv4Addr,
/// IPv6 address
pub v6: Ipv6Addr,
}
/// Used to generate the default reservation duration
fn default_reservation_duration() -> u64 {
7200
}
/// Rules config
#[derive(Debug, serde::Deserialize)]
pub struct PoolConfig {
/// Pool prefixes
#[serde(rename = "Prefixes")]
pub prefixes: Vec<Ipv4Net>,
/// Static mapping rules
#[serde(rename = "Static", default = "Vec::new")]
pub static_map: Vec<AddressMappingRule>,
/// How long to hold a dynamic mapping for
#[serde(rename = "MaxIdleDuration", default = "default_reservation_duration")]
reservation_duration: u64,
}
impl PoolConfig {
/// Get the reservation duration
pub fn reservation_duration(&self) -> Duration {
Duration::from_secs(self.reservation_duration)
}
}
/// Representation of the `protomask.toml` config file
#[derive(Debug, serde::Deserialize)]
pub struct Config {
/// The NAT64 prefix
#[serde(rename = "Nat64Prefix")]
pub nat64_prefix: Ipv6Net,
/// Address to bind to for prometheus support
#[serde(rename = "Prometheus")]
pub prom_bind_addr: Option<SocketAddr>,
/// Pool configuration
#[serde(rename = "Pool")]
pub pool: PoolConfig,
}
impl Config {
/// Load the config from a file
pub fn load<P: AsRef<Path>>(path: P) -> Result<Self, std::io::Error> {
// Load the file
let file_contents = std::fs::read_to_string(path)?;
// Build the deserializer
let deserializer = toml::Deserializer::new(&file_contents);
// Parse
match serde_path_to_error::deserialize(deserializer) {
Ok(config) => Ok(config),
// If there is a parsing error, display a reasonable error message
Err(e) => {
eprintln!(
"Failed to parse config file due to:\n {}\n at {}",
e.inner().message(),
e.path()
);
std::process::exit(1);
}
}
}
}
#[cfg(test)]
mod tests {
use super::*;
/// Test that fails if the example file is not valid
#[test]
fn ensure_example_is_valid() {
let _ = Config::load("protomask.toml").unwrap();
}
}

52
src/cli/main.rs
View File

@ -1,52 +0,0 @@
//! This is the entrypoint for `protomask` from the command line.
use clap::Parser;
use config::Config;
use logging::enable_logger;
use protomask::nat::Nat64;
mod cli;
mod config;
mod logging;
#[tokio::main]
pub async fn main() {
// Parse CLI args
let args = cli::Args::parse();
// Set up logging
enable_logger(args.verbose);
// Parse the config file
let config = Config::load(args.config_file).unwrap();
// Currently, only a /96 is supported
if config.nat64_prefix.prefix_len() != 96 {
log::error!("Only a /96 prefix is supported for the NAT64 prefix");
std::process::exit(1);
}
// Create the NAT64 instance
let mut nat64 = Nat64::new(
config.nat64_prefix,
config.pool.prefixes.clone(),
config
.pool
.static_map
.iter()
.map(|rule| (rule.v6, rule.v4))
.collect(),
config.pool.reservation_duration(),
)
.await
.unwrap();
// Handle metrics requests
if let Some(bind_addr) = config.prom_bind_addr {
log::info!("Enabling metrics server on {}", bind_addr);
tokio::spawn(protomask::metrics::serve_metrics(bind_addr));
}
// Handle packets
nat64.run().await.unwrap();
}

0
src/cli/logging.rs → src/common/logging.rs
View File

7
src/common/mod.rs Normal file
View File

@ -0,0 +1,7 @@
//! Common code used across all protomask binaries
pub mod logging;
pub mod packet_handler;
pub mod permissions;
pub mod profiler;
pub mod rfc6052;

180
src/common/packet_handler.rs Normal file
View File

@ -0,0 +1,180 @@
use std::net::{Ipv4Addr, Ipv6Addr};
#[derive(Debug, thiserror::Error)]
pub enum PacketHandlingError {
#[error(transparent)]
InterprotoError(#[from] interproto::error::Error),
#[error(transparent)]
FastNatError(#[from] fast_nat::error::Error),
}
/// Get the layer 3 protocol of a packet
pub fn get_layer_3_proto(packet: &[u8]) -> Option<u8> {
// If the packet is empty, return nothing
if packet.is_empty() {
return None;
}
// Switch on the layer 3 protocol number to call the correct handler
let layer_3_proto = packet[0] >> 4;
log::trace!("New packet with layer 3 protocol: {}", layer_3_proto);
Some(layer_3_proto)
}
/// Get the source and destination addresses of an IPv4 packet
pub fn get_ipv4_src_dst(packet: &[u8]) -> (Ipv4Addr, Ipv4Addr) {
let source_addr = Ipv4Addr::from(u32::from_be_bytes(packet[12..16].try_into().unwrap()));
let destination_addr = Ipv4Addr::from(u32::from_be_bytes(packet[16..20].try_into().unwrap()));
(source_addr, destination_addr)
}
/// Get the source and destination addresses of an IPv6 packet
pub fn get_ipv6_src_dst(packet: &[u8]) -> (Ipv6Addr, Ipv6Addr) {
let source_addr = Ipv6Addr::from(u128::from_be_bytes(packet[8..24].try_into().unwrap()));
let destination_addr = Ipv6Addr::from(u128::from_be_bytes(packet[24..40].try_into().unwrap()));
(source_addr, destination_addr)
}
/// Appropriately handle a translation error
pub fn handle_translation_error(
result: Result<Option<Vec<u8>>, PacketHandlingError>,
) -> Option<Vec<u8>> {
// We may or may not have a warn-able error
match result {
// If we get data, return it
Ok(data) => data,
// If we get an error, handle it and return None
Err(error) => match error {
PacketHandlingError::InterprotoError(interproto::error::Error::PacketTooShort {
expected,
actual,
}) => {
log::warn!(
"Got packet with length {} when expecting at least {} bytes",
actual,
expected
);
None
}
PacketHandlingError::InterprotoError(
interproto::error::Error::UnsupportedIcmpType(icmp_type),
) => {
log::warn!("Got a packet with an unsupported ICMP type: {}", icmp_type);
None
}
PacketHandlingError::InterprotoError(
interproto::error::Error::UnsupportedIcmpv6Type(icmpv6_type),
) => {
log::warn!(
"Got a packet with an unsupported ICMPv6 type: {}",
icmpv6_type
);
None
}
PacketHandlingError::FastNatError(fast_nat::error::Error::Ipv4PoolExhausted) => {
log::warn!("IPv4 pool exhausted. Dropping packet.");
None
}
PacketHandlingError::FastNatError(fast_nat::error::Error::InvalidIpv4Address(addr)) => {
log::warn!("Invalid IPv4 address: {}", addr);
None
}
},
}
}
// /// Handles checking the version number of an IP packet and calling the correct handler with needed data
// pub fn handle_packet<Ipv4Handler, Ipv6Handler>(
// packet: &[u8],
// mut ipv4_handler: Ipv4Handler,
// mut ipv6_handler: Ipv6Handler,
// ) -> Option<Vec<u8>>
// where
// Ipv4Handler: FnMut(&[u8], &Ipv4Addr, &Ipv4Addr) -> Result<Option<Vec<u8>>, PacketHandlingError>,
// Ipv6Handler: FnMut(&[u8], &Ipv6Addr, &Ipv6Addr) -> Result<Option<Vec<u8>>, PacketHandlingError>,
// {
// // If the packet is empty, return nothing
// if packet.is_empty() {
// return None;
// }
// // Switch on the layer 3 protocol number to call the correct handler
// let layer_3_proto = packet[0] >> 4;
// log::trace!("New packet with layer 3 protocol: {}", layer_3_proto);
// let handler_response = match layer_3_proto {
// // IPv4
// 4 => {
// // Extract the source and destination addresses
// let source_addr =
// Ipv4Addr::from(u32::from_be_bytes(packet[12..16].try_into().unwrap()));
// let destination_addr =
// Ipv4Addr::from(u32::from_be_bytes(packet[16..20].try_into().unwrap()));
// // Call the handler
// ipv4_handler(packet, &source_addr, &destination_addr)
// }
// // IPv6
// 6 => {
// // Extract the source and destination addresses
// let source_addr =
// Ipv6Addr::from(u128::from_be_bytes(packet[8..24].try_into().unwrap()));
// let destination_addr =
// Ipv6Addr::from(u128::from_be_bytes(packet[24..40].try_into().unwrap()));
// // Call the handler
// ipv6_handler(packet, &source_addr, &destination_addr)
// }
// // Unknown protocol numbers can't be handled
// proto => {
// log::warn!("Unknown Layer 3 protocol: {}", proto);
// return None;
// }
// };
// // The response from the handler may or may not be a warn-able error
// match handler_response {
// // If we get data, return it
// Ok(data) => data,
// // If we get an error, handle it and return None
// Err(error) => match error {
// PacketHandlingError::InterprotoError(interproto::error::Error::PacketTooShort {
// expected,
// actual,
// }) => {
// log::warn!(
// "Got packet with length {} when expecting at least {} bytes",
// actual,
// expected
// );
// None
// }
// PacketHandlingError::InterprotoError(
// interproto::error::Error::UnsupportedIcmpType(icmp_type),
// ) => {
// log::warn!("Got a packet with an unsupported ICMP type: {}", icmp_type);
// None
// }
// PacketHandlingError::InterprotoError(
// interproto::error::Error::UnsupportedIcmpv6Type(icmpv6_type),
// ) => {
// log::warn!(
// "Got a packet with an unsupported ICMPv6 type: {}",
// icmpv6_type
// );
// None
// }
// PacketHandlingError::FastNatError(fast_nat::error::Error::Ipv4PoolExhausted) => {
// log::warn!("IPv4 pool exhausted. Dropping packet.");
// None
// }
// PacketHandlingError::FastNatError(fast_nat::error::Error::InvalidIpv4Address(addr)) => {
// log::warn!("Invalid IPv4 address: {}", addr);
// None
// }
// },
// }
// }

9
src/common/permissions.rs Normal file
View File

@ -0,0 +1,9 @@
use nix::unistd::Uid;
/// Ensures the binary is being exxecuted as root
pub fn ensure_root() {
if !Uid::effective().is_root() {
log::error!("This program must be run as root");
std::process::exit(1);
}
}

20
src/common/profiler.rs Normal file
View File

@ -0,0 +1,20 @@
use cfg_if::cfg_if;
use crate::args::ProfilerArgs;
cfg_if! {
if #[cfg(feature = "profiler")] {
pub fn start_puffin_server(args: &ProfilerArgs) -> Option<puffin_http::Server> {
if let Some(endpoint) = args.puffin_endpoint {
log::info!("Starting puffin server on {}", endpoint);
puffin::set_scopes_on(true);
Some(puffin_http::Server::new(&endpoint.to_string()).unwrap())
} else {
None
}
}
} else {
#[allow(dead_code)]
pub fn start_puffin_server(_args: &ProfilerArgs){}
}
}

22
src/common/rfc6052.rs Normal file
View File

@ -0,0 +1,22 @@
//! Utilities for interacting with [RFC6052](https://datatracker.ietf.org/doc/html/rfc6052) "IPv4-Embedded IPv6 Addresses"
use std::str::FromStr;
use ipnet::Ipv6Net;
/// Parses an [RFC6052 Section 2.2](https://datatracker.ietf.org/doc/html/rfc6052#section-2.2)-compliant IPv6 prefix from a string
pub fn parse_network_specific_prefix(string: &str) -> Result<Ipv6Net, String> {
// First, parse to an IPv6Net struct
let net = Ipv6Net::from_str(string).map_err(|err| err.to_string())?;
// Ensure the prefix length is one of the allowed lengths according to RFC6052 Section 2.2
if !rfc6052::ALLOWED_PREFIX_LENS.contains(&net.prefix_len()) {
return Err(format!(
"Prefix length must be one of {:?}",
rfc6052::ALLOWED_PREFIX_LENS
));
}
// Return the parsed network struct
Ok(net)
}

34
src/metrics/metrics.rs
View File

@ -1,34 +0,0 @@
use lazy_static::lazy_static;
use prometheus::{
register_int_counter_vec, register_int_gauge, register_int_gauge_vec, IntCounterVec, IntGauge,
IntGaugeVec,
};
lazy_static! {
/// Counter for the number of packets processes
pub static ref PACKET_COUNTER: IntCounterVec = register_int_counter_vec!(
"packets",
"Number of packets processed",
&["protocol", "status"]
).unwrap();
/// Counter for ICMP packet types
pub static ref ICMP_COUNTER: IntCounterVec = register_int_counter_vec!(
"icmp",
"Number of ICMP packets processed",
&["protocol", "type", "code"]
).unwrap();
/// Gauge for the number of addresses in the IPv4 pool
pub static ref IPV4_POOL_SIZE: IntGauge = register_int_gauge!(
"ipv4_pool_size",
"Number of IPv4 addresses in the pool"
).unwrap();
/// Gauge for the number of addresses currently reserved in the IPv4 pool
pub static ref IPV4_POOL_RESERVED: IntGaugeVec = register_int_gauge_vec!(
"ipv4_pool_reserved",
"Number of IPv4 addresses currently reserved",
&["static"]
).unwrap();
}

6
src/metrics/mod.rs
View File

@ -1,6 +0,0 @@
mod http;
#[allow(clippy::module_inception)]
mod metrics;
pub use http::serve_metrics;
pub(crate) use metrics::*;

15
src/nat/error.rs
View File

@ -1,15 +0,0 @@
#[derive(Debug, thiserror::Error)]
pub enum Nat64Error {
#[error(transparent)]
Table(#[from] super::table::TableError),
#[error(transparent)]
Tun(#[from] protomask_tun::Error),
#[error(transparent)]
Io(#[from] std::io::Error),
#[error(transparent)]
PacketHandling(#[from] crate::packet::error::PacketError),
#[error(transparent)]
PacketReceive(#[from] tokio::sync::broadcast::error::RecvError),
#[error(transparent)]
PacketSend(#[from] tokio::sync::mpsc::error::SendError<Vec<u8>>),
}

177
src/nat/mod.rs
View File

@ -1,177 +0,0 @@
use crate::{
metrics::PACKET_COUNTER,
packet::{
protocols::{ipv4::Ipv4Packet, ipv6::Ipv6Packet},
xlat::ip::{translate_ipv4_to_ipv6, translate_ipv6_to_ipv4},
},
};
use self::{
error::Nat64Error,
table::Nat64Table,
utils::{embed_address, extract_address, unwrap_log},
};
use ipnet::{Ipv4Net, Ipv6Net};
use protomask_tun::TunDevice;
use std::{
net::{IpAddr, Ipv4Addr, Ipv6Addr},
time::Duration,
};
use tokio::sync::broadcast;
mod error;
mod table;
mod utils;
pub struct Nat64 {
table: Nat64Table,
interface: TunDevice,
ipv6_nat_prefix: Ipv6Net,
}
impl Nat64 {
/// Construct a new NAT64 instance
pub async fn new(
ipv6_nat_prefix: Ipv6Net,
ipv4_pool: Vec<Ipv4Net>,
static_reservations: Vec<(Ipv6Addr, Ipv4Addr)>,
reservation_duration: Duration,
) -> Result<Self, Nat64Error> {
// Bring up the interface
let mut interface = TunDevice::new("nat64i%d").await?;
// Add the NAT64 prefix as a route
interface.add_route(ipv6_nat_prefix.into()).await?;
// Add the IPv4 pool prefixes as routes
for ipv4_prefix in &ipv4_pool {
interface.add_route((*ipv4_prefix).into()).await?;
}
// Build the table and insert any static reservations
let mut table = Nat64Table::new(ipv4_pool, reservation_duration);
for (v6, v4) in static_reservations {
table.add_infinite_reservation(v6, v4)?;
}
Ok(Self {
table,
interface,
ipv6_nat_prefix,
})
}
/// Block and process all packets
pub async fn run(&mut self) -> Result<(), Nat64Error> {
// Get an rx/tx pair for the interface
let (tx, mut rx) = self.interface.spawn_worker().await;
// Process packets in a loop
loop {
// Try to read a packet
match rx.recv().await {
Ok(packet) => {
// Clone the TX so the worker can respond with data
let tx = tx.clone();
// Separate logic is needed for handling IPv4 vs IPv6 packets, so a check must be done here
match packet[0] >> 4 {
4 => {
// Parse the packet
let packet: Ipv4Packet<Vec<u8>> = packet.try_into()?;
// Drop packets that aren't destined for a destination the table knows about
if !self.table.contains(&IpAddr::V4(packet.destination_address)) {
PACKET_COUNTER.with_label_values(&["ipv4", "dropped"]).inc();
continue;
}
// Get the new source and dest addresses
let new_source =
embed_address(packet.source_address, self.ipv6_nat_prefix);
let new_destination =
self.table.get_reverse(packet.destination_address)?;
// Mark the packet as accepted
PACKET_COUNTER
.with_label_values(&["ipv4", "accepted"])
.inc();
// Spawn a task to process the packet
tokio::spawn(async move {
if let Some(output) = unwrap_log(translate_ipv4_to_ipv6(
packet,
new_source,
new_destination,
)) {
tx.send(output.into()).await.unwrap();
PACKET_COUNTER.with_label_values(&["ipv6", "sent"]).inc();
}
});
}
6 => {
// Parse the packet
let packet: Ipv6Packet<Vec<u8>> = packet.try_into()?;
// Drop packets "coming from" the NAT64 prefix
if self.ipv6_nat_prefix.contains(&packet.source_address) {
log::warn!(
"Dropping packet \"from\" NAT64 prefix: {} -> {}",
packet.source_address,
packet.destination_address
);
PACKET_COUNTER.with_label_values(&["ipv6", "dropped"]).inc();
continue;
}
// Get the new source and dest addresses
let new_source =
self.table.get_or_assign_ipv4(packet.source_address)?;
let new_destination = extract_address(packet.destination_address);
// Drop packets destined for private IPv4 addresses
if new_destination.is_private() {
log::warn!(
"Dropping packet destined for private IPv4 address: {} -> {} ({})",
packet.source_address,
packet.destination_address,
new_destination
);
PACKET_COUNTER.with_label_values(&["ipv6", "dropped"]).inc();
continue;
}
// Mark the packet as accepted
PACKET_COUNTER
.with_label_values(&["ipv6", "accepted"])
.inc();
// Spawn a task to process the packet
tokio::spawn(async move {
if let Some(output) = unwrap_log(translate_ipv6_to_ipv4(
&packet,
new_source,
new_destination,
)) {
tx.send(output.into()).await.unwrap();
PACKET_COUNTER.with_label_values(&["ipv4", "sent"]).inc();
}
});
}
n => {
log::warn!("Unknown IP version: {}", n);
}
}
Ok(())
}
Err(error) => match error {
broadcast::error::RecvError::Lagged(count) => {
log::warn!("Translator running behind! Dropping {} packets", count);
Ok(())
}
error @ broadcast::error::RecvError::Closed => Err(error),
},
}?;
}
}
}

210
src/nat/table.rs
View File

@ -1,210 +0,0 @@
use std::{
collections::HashMap,
net::{IpAddr, Ipv4Addr, Ipv6Addr},
time::{Duration, Instant},
};
use bimap::BiHashMap;
use ipnet::Ipv4Net;
use crate::metrics::{IPV4_POOL_RESERVED, IPV4_POOL_SIZE};
/// Possible errors thrown in the address reservation process
#[derive(Debug, thiserror::Error)]
pub enum TableError {
#[error("Address already reserved: {0}")]
AddressAlreadyReserved(IpAddr),
#[error("IPv4 address has no IPv6 mapping: {0}")]
NoIpv6Mapping(Ipv4Addr),
#[error("Address pool depleted")]
AddressPoolDepleted,
}
/// A NAT address table
#[derive(Debug)]
pub struct Nat64Table {
/// All possible IPv4 addresses that can be used
ipv4_pool: Vec<Ipv4Net>,
/// Current reservations
reservations: BiHashMap<Ipv6Addr, Ipv4Addr>,
/// The timestamp of each reservation (used for pruning)
reservation_times: HashMap<(Ipv6Addr, Ipv4Addr), Option<Instant>>,
/// The maximum amount of time to reserve an address pair for
reservation_timeout: Duration,
}
impl Nat64Table {
/// Construct a new NAT64 table
///
/// **Arguments:**
/// - `ipv4_pool`: The pool of IPv4 addresses to use in the mapping process
/// - `reservation_timeout`: The amount of time to reserve an address pair for
pub fn new(ipv4_pool: Vec<Ipv4Net>, reservation_timeout: Duration) -> Self {
// Track the total pool size
let total_size: usize = ipv4_pool.iter().map(|net| net.hosts().count()).sum();
IPV4_POOL_SIZE.set(total_size as i64);
Self {
ipv4_pool,
reservations: BiHashMap::new(),
reservation_times: HashMap::new(),
reservation_timeout,
}
}
/// Make a reservation for an IP address pair for eternity
pub fn add_infinite_reservation(
&mut self,
ipv6: Ipv6Addr,
ipv4: Ipv4Addr,
) -> Result<(), TableError> {
// Check if either address is already reserved
self.prune();
self.track_utilization();
if self.reservations.contains_left(&ipv6) {
return Err(TableError::AddressAlreadyReserved(ipv6.into()));
} else if self.reservations.contains_right(&ipv4) {
return Err(TableError::AddressAlreadyReserved(ipv4.into()));
}
// Add the reservation
self.reservations.insert(ipv6, ipv4);
self.reservation_times.insert((ipv6, ipv4), None);
log::info!("Added infinite reservation: {} -> {}", ipv6, ipv4);
Ok(())
}
/// Check if a given address exists in the table
pub fn contains(&self, address: &IpAddr) -> bool {
match address {
IpAddr::V4(ipv4) => self.reservations.contains_right(ipv4),
IpAddr::V6(ipv6) => self.reservations.contains_left(ipv6),
}
}
/// Get or assign an IPv4 address for the given IPv6 address
pub fn get_or_assign_ipv4(&mut self, ipv6: Ipv6Addr) -> Result<Ipv4Addr, TableError> {
// Prune old reservations
self.prune();
self.track_utilization();
// If the IPv6 address is already reserved, return the IPv4 address
if let Some(ipv4) = self.reservations.get_by_left(&ipv6) {
// Update the reservation time
self.reservation_times
.insert((ipv6, *ipv4), Some(Instant::now()));
// Return the v4 address
return Ok(*ipv4);
}
// Otherwise, try to assign a new IPv4 address
for ipv4_net in &self.ipv4_pool {
for ipv4 in ipv4_net.hosts() {
// Check if this address is available for use
if !self.reservations.contains_right(&ipv4) {
// Add the reservation
self.reservations.insert(ipv6, ipv4);
self.reservation_times
.insert((ipv6, ipv4), Some(Instant::now()));
log::info!("Assigned new reservation: {} -> {}", ipv6, ipv4);
return Ok(ipv4);
}
}
}
// If we get here, we failed to find an available address
Err(TableError::AddressPoolDepleted)
}
/// Try to find an IPv6 address for the given IPv4 address
pub fn get_reverse(&mut self, ipv4: Ipv4Addr) -> Result<Ipv6Addr, TableError> {
// Prune old reservations
self.prune();
self.track_utilization();
// If the IPv4 address is already reserved, return the IPv6 address
if let Some(ipv6) = self.reservations.get_by_right(&ipv4) {
// Update the reservation time
self.reservation_times
.insert((*ipv6, ipv4), Some(Instant::now()));
// Return the v6 address
return Ok(*ipv6);
}
// Otherwise, there is no matching reservation
Err(TableError::NoIpv6Mapping(ipv4))
}
}
impl Nat64Table {
/// Prune old reservations
fn prune(&mut self) {
let now = Instant::now();
// Prune from the reservation map
self.reservations.retain(|v6, v4| {
if let Some(Some(time)) = self.reservation_times.get(&(*v6, *v4)) {
let keep = now - *time < self.reservation_timeout;
if !keep {
log::info!("Pruned reservation: {} -> {}", v6, v4);
}
keep
} else {
true
}
});
// Remove all times assigned to reservations that no longer exist
self.reservation_times.retain(|(v6, v4), _| {
self.reservations.contains_left(v6) && self.reservations.contains_right(v4)
});
}
fn track_utilization(&self) {
// Count static and dynamic in a single pass
let (total_dynamic_reservations, total_static_reservations) = self
.reservation_times
.iter()
.map(|((_v6, _v4), time)| match time {
Some(_) => (1, 0),
None => (0, 1),
})
.fold((0, 0), |(a1, a2), (b1, b2)| (a1 + b1, a2 + b2));
// Track the values
IPV4_POOL_RESERVED
.with_label_values(&["dynamic"])
.set(i64::from(total_dynamic_reservations));
IPV4_POOL_RESERVED
.with_label_values(&["static"])
.set(i64::from(total_static_reservations));
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_add_infinite_reservation() {
let mut table = Nat64Table::new(
vec![Ipv4Net::new(Ipv4Addr::new(192, 0, 2, 0), 24).unwrap()],
Duration::from_secs(60),
);
// Add a reservation
table
.add_infinite_reservation("2001:db8::1".parse().unwrap(), "192.0.2.1".parse().unwrap())
.unwrap();
// Check that it worked
assert_eq!(
table
.reservations
.get_by_left(&"2001:db8::1".parse().unwrap()),
Some(&"192.0.2.1".parse().unwrap())
);
}
}

57
src/nat/utils.rs
View File

@ -1,57 +0,0 @@
use std::net::{Ipv4Addr, Ipv6Addr};
use ipnet::Ipv6Net;
use crate::packet::error::PacketError;
/// Embed an IPv4 address in an IPv6 prefix
pub fn embed_address(ipv4_address: Ipv4Addr, ipv6_prefix: Ipv6Net) -> Ipv6Addr {
let v4_octets = ipv4_address.octets();
let v6_octets = ipv6_prefix.addr().octets();
Ipv6Addr::new(
u16::from_be_bytes([v6_octets[0], v6_octets[1]]),
u16::from_be_bytes([v6_octets[2], v6_octets[3]]),
u16::from_be_bytes([v6_octets[4], v6_octets[5]]),
u16::from_be_bytes([v6_octets[6], v6_octets[7]]),
u16::from_be_bytes([v6_octets[8], v6_octets[9]]),
u16::from_be_bytes([v6_octets[10], v6_octets[11]]),
u16::from_be_bytes([v4_octets[0], v4_octets[1]]),
u16::from_be_bytes([v4_octets[2], v4_octets[3]]),
)
}
/// Extract an IPv4 address from an IPv6 address
pub fn extract_address(ipv6_address: Ipv6Addr) -> Ipv4Addr {
let octets = ipv6_address.octets();
Ipv4Addr::new(octets[12], octets[13], octets[14], octets[15])
}
/// Logs errors instead of crashing out of them
pub fn unwrap_log<T>(result: Result<T, PacketError>) -> Option<T> {
match result {
Ok(value) => Some(value),
Err(err) => match err {
PacketError::MismatchedAddressFamily(addr_a, addr_b) => {
log::error!(
"Mismatched address family between {} and {}",
addr_a,
addr_b
);
None
}
PacketError::TooShort(len, data) => {
log::warn!("Received packet that's too short to parse. Length {}", len);
log::debug!("Short packet: {:?}", data);
None
}
PacketError::UnsupportedIcmpType(icmp_type) => {
log::warn!("Unsupported ICMP type {}", icmp_type);
None
}
PacketError::UnsupportedIcmpv6Type(icmp_type) => {
log::warn!("Unsupported ICMPv6 type {}", icmp_type);
None
}
},
}
}

14
src/packet/error.rs
View File

@ -1,14 +0,0 @@
use std::net::IpAddr;
#[derive(Debug, thiserror::Error)]
pub enum PacketError {
#[error("Mismatched source and destination address family: source={0:?}, destination={1:?}")]
MismatchedAddressFamily(IpAddr, IpAddr),
#[error("Packet too short: {0}")]
TooShort(usize, Vec<u8>),
#[error("Unsupported ICMP type: {0}")]
UnsupportedIcmpType(u8),
#[error("Unsupported ICMPv6 type: {0}")]
UnsupportedIcmpv6Type(u8),
}

7
src/packet/mod.rs
View File

@ -1,7 +0,0 @@
//! Custom packet modification utilities
//!
//! pnet isn't quite what we need for this project, so the contents of this module wrap it to make it easier to use.
pub mod error;
pub mod protocols;
pub mod xlat;

106
src/packet/protocols/icmp.rs
View File

@ -1,106 +0,0 @@
use pnet_packet::{
icmp::{IcmpCode, IcmpType},
Packet,
};
use crate::packet::error::PacketError;
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub struct IcmpPacket<T> {
pub icmp_type: IcmpType,
pub icmp_code: IcmpCode,
pub payload: T,
}
impl<T> IcmpPacket<T> {
/// Construct a new `ICMP` packet
pub fn new(icmp_type: IcmpType, icmp_code: IcmpCode, payload: T) -> Self {
Self {
icmp_type,
icmp_code,
payload,
}
}
}
impl<T> TryFrom<Vec<u8>> for IcmpPacket<T>
where
T: TryFrom<Vec<u8>, Error = PacketError>,
{
type Error = PacketError;
fn try_from(bytes: Vec<u8>) -> Result<Self, Self::Error> {
// Parse the packet
let packet = pnet_packet::icmp::IcmpPacket::new(&bytes)
.ok_or(PacketError::TooShort(bytes.len(), bytes.clone()))?;
// Return the packet
Ok(Self {
icmp_type: packet.get_icmp_type(),
icmp_code: packet.get_icmp_code(),
payload: packet.payload().to_vec().try_into()?,
})
}
}
impl<T> From<IcmpPacket<T>> for Vec<u8>
where
T: Into<Vec<u8>>,
{
fn from(packet: IcmpPacket<T>) -> Self {
// Convert the payload into raw bytes
let payload: Vec<u8> = packet.payload.into();
// Allocate a mutable packet to write into
let total_length =
pnet_packet::icmp::MutableIcmpPacket::minimum_packet_size() + payload.len();
let mut output =
pnet_packet::icmp::MutableIcmpPacket::owned(vec![0u8; total_length]).unwrap();
// Write the type and code
output.set_icmp_type(packet.icmp_type);
output.set_icmp_code(packet.icmp_code);
// Write the payload
output.set_payload(&payload);
// Calculate the checksum
output.set_checksum(0);
output.set_checksum(pnet_packet::icmp::checksum(&output.to_immutable()));
// Return the raw bytes
output.packet().to_vec()
}
}
#[cfg(test)]
mod tests {
use pnet_packet::icmp::IcmpTypes;
use super::*;
// Test packet construction
#[test]
#[rustfmt::skip]
fn test_packet_construction() {
// Make a new packet
let packet = IcmpPacket::new(
IcmpTypes::EchoRequest,
IcmpCode(0),
"Hello, world!".as_bytes().to_vec(),
);
// Convert to raw bytes
let packet_bytes: Vec<u8> = packet.into();
// Check the contents
assert!(packet_bytes.len() >= 4 + 13);
assert_eq!(packet_bytes[0], IcmpTypes::EchoRequest.0);
assert_eq!(packet_bytes[1], 0);
assert_eq!(u16::from_be_bytes([packet_bytes[2], packet_bytes[3]]), 0xb6b3);
assert_eq!(
&packet_bytes[4..],
"Hello, world!".as_bytes().to_vec().as_slice()
);
}
}

154
src/packet/protocols/icmpv6.rs
View File

@ -1,154 +0,0 @@
use std::net::Ipv6Addr;
use pnet_packet::{
icmpv6::{Icmpv6Code, Icmpv6Type},
Packet,
};
use crate::packet::error::PacketError;
use super::raw::RawBytes;
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub struct Icmpv6Packet<T> {
pub source_address: Ipv6Addr,
pub destination_address: Ipv6Addr,
pub icmp_type: Icmpv6Type,
pub icmp_code: Icmpv6Code,
pub payload: T,
}
impl<T> Icmpv6Packet<T> {
/// Construct a new `ICMPv6` packet
pub fn new(
source_address: Ipv6Addr,
destination_address: Ipv6Addr,
icmp_type: Icmpv6Type,
icmp_code: Icmpv6Code,
payload: T,
) -> Self {
Self {
source_address,
destination_address,
icmp_type,
icmp_code,
payload,
}
}
}
impl<T> Icmpv6Packet<T>
where
T: From<Vec<u8>>,
{
/// Construct a new `ICMPv6` packet from raw bytes
#[allow(dead_code)]
pub fn new_from_bytes(
bytes: &[u8],
source_address: Ipv6Addr,
destination_address: Ipv6Addr,
) -> Result<Self, PacketError> {
// Parse the packet
let packet = pnet_packet::icmpv6::Icmpv6Packet::new(bytes)
.ok_or(PacketError::TooShort(bytes.len(), bytes.to_vec()))?;
// Return the packet
Ok(Self {
source_address,
destination_address,
icmp_type: packet.get_icmpv6_type(),
icmp_code: packet.get_icmpv6_code(),
payload: packet.payload().to_vec().into(),
})
}
}
impl Icmpv6Packet<RawBytes> {
/// Construct a new `ICMPv6` packet with a raw payload from raw bytes
pub fn new_from_bytes_raw_payload(
bytes: &[u8],
source_address: Ipv6Addr,
destination_address: Ipv6Addr,
) -> Result<Self, PacketError> {
// Parse the packet
let packet = pnet_packet::icmpv6::Icmpv6Packet::new(bytes)
.ok_or(PacketError::TooShort(bytes.len(), bytes.to_vec()))?;
// Return the packet
Ok(Self {
source_address,
destination_address,
icmp_type: packet.get_icmpv6_type(),
icmp_code: packet.get_icmpv6_code(),
payload: RawBytes(packet.payload().to_vec()),
})
}
}
impl<T> From<Icmpv6Packet<T>> for Vec<u8>
where
T: Into<Vec<u8>>,
{
fn from(packet: Icmpv6Packet<T>) -> Self {
// Convert the payload into raw bytes
let payload: Vec<u8> = packet.payload.into();
// Allocate a mutable packet to write into
let total_length =
pnet_packet::icmpv6::MutableIcmpv6Packet::minimum_packet_size() + payload.len();
let mut output =
pnet_packet::icmpv6::MutableIcmpv6Packet::owned(vec![0u8; total_length]).unwrap();
// Write the type and code
output.set_icmpv6_type(packet.icmp_type);
output.set_icmpv6_code(packet.icmp_code);
// Write the payload
output.set_payload(&payload);
// Calculate the checksum
output.set_checksum(0);
output.set_checksum(pnet_packet::icmpv6::checksum(
&output.to_immutable(),
&packet.source_address,
&packet.destination_address,
));
// Return the raw bytes
output.packet().to_vec()
}
}
#[cfg(test)]
mod tests {
use pnet_packet::icmpv6::Icmpv6Types;
use super::*;
// Test packet construction
#[test]
#[rustfmt::skip]
fn test_packet_construction() {
// Make a new packet
let packet = Icmpv6Packet::new(
"2001:db8:1::1".parse().unwrap(),
"2001:db8:1::2".parse().unwrap(),
Icmpv6Types::EchoRequest,
Icmpv6Code(0),
"Hello, world!".as_bytes().to_vec(),
);
// Convert to raw bytes
let packet_bytes: Vec<u8> = packet.into();
// Check the contents
assert!(packet_bytes.len() >= 4 + 13);
assert_eq!(packet_bytes[0], Icmpv6Types::EchoRequest.0);
assert_eq!(packet_bytes[1], 0);
assert_eq!(u16::from_be_bytes([packet_bytes[2], packet_bytes[3]]), 0xe2f0);
assert_eq!(
&packet_bytes[4..],
"Hello, world!".as_bytes().to_vec().as_slice()
);
}
}

133
src/packet/protocols/ipv4.rs
View File

@ -1,133 +0,0 @@
use std::net::Ipv4Addr;
use pnet_packet::{
ip::IpNextHeaderProtocol,
ipv4::{Ipv4Option, Ipv4OptionPacket},
Packet,
};
use crate::packet::error::PacketError;
#[derive(Debug, Clone)]
pub struct Ipv4Packet<T> {
pub dscp: u8,
pub ecn: u8,
pub identification: u16,
pub flags: u8,
pub fragment_offset: u16,
pub ttl: u8,
pub protocol: IpNextHeaderProtocol,
pub source_address: Ipv4Addr,
pub destination_address: Ipv4Addr,
pub options: Vec<Ipv4Option>,
pub payload: T,
}
impl<T> Ipv4Packet<T> {
/// Construct a new IPv4 packet
#[allow(clippy::too_many_arguments)]
pub fn new(
dscp: u8,
ecn: u8,
identification: u16,
flags: u8,
fragment_offset: u16,
ttl: u8,
protocol: IpNextHeaderProtocol,
source_address: Ipv4Addr,
destination_address: Ipv4Addr,
options: Vec<Ipv4Option>,
payload: T,
) -> Self {
Self {
dscp,
ecn,
identification,
flags,
fragment_offset,
ttl,
protocol,
source_address,
destination_address,
options,
payload,
}
}
#[allow(clippy::cast_possible_truncation)]
fn options_length_words(&self) -> u8 {
self.options
.iter()
.map(|option| Ipv4OptionPacket::packet_size(option) as u8)
.sum::<u8>()
/ 4
}
}
impl<T> TryFrom<Vec<u8>> for Ipv4Packet<T>
where
T: From<Vec<u8>>,
{
type Error = PacketError;
fn try_from(bytes: Vec<u8>) -> Result<Self, Self::Error> {
// Parse the packet
let packet = pnet_packet::ipv4::Ipv4Packet::new(&bytes)
.ok_or(PacketError::TooShort(bytes.len(), bytes.clone()))?;
// Return the packet
Ok(Self {
dscp: packet.get_dscp(),
ecn: packet.get_ecn(),
identification: packet.get_identification(),
flags: packet.get_flags(),
fragment_offset: packet.get_fragment_offset(),
ttl: packet.get_ttl(),
protocol: packet.get_next_level_protocol(),
source_address: packet.get_source(),
destination_address: packet.get_destination(),
options: packet.get_options(),
payload: packet.payload().to_vec().into(),
})
}
}
impl<T> From<Ipv4Packet<T>> for Vec<u8>
where
T: Into<Vec<u8>> + Clone,
{
fn from(packet: Ipv4Packet<T>) -> Self {
// Convert the payload into raw bytes
let payload: Vec<u8> = packet.payload.clone().into();
// Build the packet
let total_length = 20 + (packet.options_length_words() as usize * 4) + payload.len();
let mut output =
pnet_packet::ipv4::MutableIpv4Packet::owned(vec![0u8; total_length]).unwrap();
// Set the fields
output.set_version(4);
output.set_header_length(5 + packet.options_length_words());
output.set_dscp(packet.dscp);
output.set_ecn(packet.ecn);
output.set_total_length(total_length.try_into().unwrap());
output.set_identification(packet.identification);
output.set_flags(packet.flags);
output.set_fragment_offset(packet.fragment_offset);
output.set_ttl(packet.ttl);
output.set_next_level_protocol(packet.protocol);
output.set_source(packet.source_address);
output.set_destination(packet.destination_address);
output.set_options(&packet.options);
// Set the payload
output.set_payload(&payload);
// Calculate the checksum
output.set_checksum(0);
output.set_checksum(pnet_packet::ipv4::checksum(&output.to_immutable()));
// Return the packet
output.to_immutable().packet().to_vec()
}
}

95
src/packet/protocols/ipv6.rs
View File

@ -1,95 +0,0 @@
use std::net::Ipv6Addr;
use pnet_packet::{ip::IpNextHeaderProtocol, Packet};
use crate::packet::error::PacketError;
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct Ipv6Packet<T> {
pub traffic_class: u8,
pub flow_label: u32,
pub next_header: IpNextHeaderProtocol,
pub hop_limit: u8,
pub source_address: Ipv6Addr,
pub destination_address: Ipv6Addr,
pub payload: T,
}
impl<T> Ipv6Packet<T> {
/// Construct a new IPv6 packet
pub fn new(
traffic_class: u8,
flow_label: u32,
next_header: IpNextHeaderProtocol,
hop_limit: u8,
source_address: Ipv6Addr,
destination_address: Ipv6Addr,
payload: T,
) -> Self {
Self {
traffic_class,
flow_label,
next_header,
hop_limit,
source_address,
destination_address,
payload,
}
}
}
impl<T> TryFrom<Vec<u8>> for Ipv6Packet<T>
where
T: From<Vec<u8>>,
{
type Error = PacketError;
fn try_from(bytes: Vec<u8>) -> Result<Self, Self::Error> {
// Parse the packet
let packet = pnet_packet::ipv6::Ipv6Packet::new(&bytes)
.ok_or(PacketError::TooShort(bytes.len(), bytes.clone()))?;
// Return the packet
Ok(Self {
traffic_class: packet.get_traffic_class(),
flow_label: packet.get_flow_label(),
next_header: packet.get_next_header(),
hop_limit: packet.get_hop_limit(),
source_address: packet.get_source(),
destination_address: packet.get_destination(),
payload: packet.payload().to_vec().into(),
})
}
}
impl<T> From<Ipv6Packet<T>> for Vec<u8>
where
T: Into<Vec<u8>>,
{
fn from(packet: Ipv6Packet<T>) -> Self {
// Convert the payload into raw bytes
let payload: Vec<u8> = packet.payload.into();
// Allocate a mutable packet to write into
let total_length =
pnet_packet::ipv6::MutableIpv6Packet::minimum_packet_size() + payload.len();
let mut output =
pnet_packet::ipv6::MutableIpv6Packet::owned(vec![0u8; total_length]).unwrap();
// Write the header
output.set_version(6);
output.set_traffic_class(packet.traffic_class);
output.set_flow_label(packet.flow_label);
output.set_payload_length(u16::try_from(payload.len()).unwrap());
output.set_next_header(packet.next_header);
output.set_hop_limit(packet.hop_limit);
output.set_source(packet.source_address);
output.set_destination(packet.destination_address);
// Write the payload
output.set_payload(&payload);
// Return the packet
output.to_immutable().packet().to_vec()
}
}

7
src/packet/protocols/mod.rs
View File

@ -1,7 +0,0 @@
pub mod icmp;
pub mod icmpv6;
pub mod ipv4;
pub mod ipv6;
pub mod raw;
pub mod tcp;
pub mod udp;

18
src/packet/protocols/raw.rs
View File

@ -1,18 +0,0 @@
use crate::packet::error::PacketError;
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct RawBytes(pub Vec<u8>);
impl TryFrom<Vec<u8>> for RawBytes {
type Error = PacketError;
fn try_from(bytes: Vec<u8>) -> Result<Self, Self::Error> {
Ok(Self(bytes))
}
}
impl From<RawBytes> for Vec<u8> {
fn from(val: RawBytes) -> Self {
val.0
}
}

246
src/packet/protocols/tcp.rs
View File

@ -1,246 +0,0 @@
use std::net::{IpAddr, SocketAddr};
use pnet_packet::{
tcp::{TcpOption, TcpOptionPacket},
Packet,
};
use super::raw::RawBytes;
use crate::packet::error::PacketError;
/// A TCP packet
#[derive(Debug, Clone)]
pub struct TcpPacket<T> {
source: SocketAddr,
destination: SocketAddr,
pub sequence: u32,
pub ack_number: u32,
pub flags: u8,
pub window_size: u16,
pub urgent_pointer: u16,
pub options: Vec<TcpOption>,
pub payload: T,
}
impl<T> TcpPacket<T> {
/// Construct a new TCP packet
#[allow(clippy::too_many_arguments)]
pub fn new(
source: SocketAddr,
destination: SocketAddr,
sequence: u32,
ack_number: u32,
flags: u8,
window_size: u16,
urgent_pointer: u16,
options: Vec<TcpOption>,
payload: T,
) -> Result<Self, PacketError> {
// Ensure the source and destination addresses are the same type
if source.is_ipv4() != destination.is_ipv4() {
return Err(PacketError::MismatchedAddressFamily(
source.ip(),
destination.ip(),
));
}
// Build the packet
Ok(Self {
source,
destination,
sequence,
ack_number,
flags,
window_size,
urgent_pointer,
options,
payload,
})
}
// Set a new source
#[allow(dead_code)]
pub fn set_source(&mut self, source: SocketAddr) -> Result<(), PacketError> {
// Ensure the source and destination addresses are the same type
if source.is_ipv4() != self.destination.is_ipv4() {
return Err(PacketError::MismatchedAddressFamily(
source.ip(),
self.destination.ip(),
));
}
// Set the source
self.source = source;
Ok(())
}
// Set a new destination
#[allow(dead_code)]
pub fn set_destination(&mut self, destination: SocketAddr) -> Result<(), PacketError> {
// Ensure the source and destination addresses are the same type
if self.source.is_ipv4() != destination.is_ipv4() {
return Err(PacketError::MismatchedAddressFamily(
self.source.ip(),
destination.ip(),
));
}
// Set the destination
self.destination = destination;
Ok(())
}
/// Get the source
pub fn source(&self) -> SocketAddr {
self.source
}
/// Get the destination
pub fn destination(&self) -> SocketAddr {
self.destination
}
/// Get the length of the options in words
#[allow(clippy::cast_possible_truncation)]
fn options_length(&self) -> u8 {
self.options
.iter()
.map(|option| TcpOptionPacket::packet_size(option) as u8)
.sum::<u8>()
}
}
impl<T> TcpPacket<T>
where
T: From<Vec<u8>>,
{
/// Construct a new TCP packet from bytes
#[allow(dead_code)]
pub fn new_from_bytes(
bytes: &[u8],
source_address: IpAddr,
destination_address: IpAddr,
) -> Result<Self, PacketError> {
// Ensure the source and destination addresses are the same type
if source_address.is_ipv4() != destination_address.is_ipv4() {
return Err(PacketError::MismatchedAddressFamily(
source_address,
destination_address,
));
}
// Parse the packet
let parsed = pnet_packet::tcp::TcpPacket::new(bytes)
.ok_or_else(|| PacketError::TooShort(bytes.len(), bytes.to_vec()))?;
// Build the struct
Ok(Self {
source: SocketAddr::new(source_address, parsed.get_source()),
destination: SocketAddr::new(destination_address, parsed.get_destination()),
sequence: parsed.get_sequence(),
ack_number: parsed.get_acknowledgement(),
flags: parsed.get_flags(),
window_size: parsed.get_window(),
urgent_pointer: parsed.get_urgent_ptr(),
options: parsed.get_options().clone(),
payload: parsed.payload().to_vec().into(),
})
}
}
impl TcpPacket<RawBytes> {
/// Construct a new TCP packet with a raw payload from bytes
pub fn new_from_bytes_raw_payload(
bytes: &[u8],
source_address: IpAddr,
destination_address: IpAddr,
) -> Result<Self, PacketError> {
// Ensure the source and destination addresses are the same type
if source_address.is_ipv4() != destination_address.is_ipv4() {
return Err(PacketError::MismatchedAddressFamily(
source_address,
destination_address,
));
}
// Parse the packet
let parsed = pnet_packet::tcp::TcpPacket::new(bytes)
.ok_or_else(|| PacketError::TooShort(bytes.len(), bytes.to_vec()))?;
// Build the struct
Ok(Self {
source: SocketAddr::new(source_address, parsed.get_source()),
destination: SocketAddr::new(destination_address, parsed.get_destination()),
sequence: parsed.get_sequence(),
ack_number: parsed.get_acknowledgement(),
flags: parsed.get_flags(),
window_size: parsed.get_window(),
urgent_pointer: parsed.get_urgent_ptr(),
options: parsed.get_options().clone(),
payload: RawBytes(parsed.payload().to_vec()),
})
}
}
impl<T> From<TcpPacket<T>> for Vec<u8>
where
T: Into<Vec<u8>>,
{
fn from(packet: TcpPacket<T>) -> Self {
// Get the options length in words
let options_length = packet.options_length();
// Convert the payload into raw bytes
let payload: Vec<u8> = packet.payload.into();
// Allocate a mutable packet to write into
let total_length = pnet_packet::tcp::MutableTcpPacket::minimum_packet_size()
+ options_length as usize
+ payload.len();
let mut output =
pnet_packet::tcp::MutableTcpPacket::owned(vec![0u8; total_length]).unwrap();
// Write the source and dest ports
output.set_source(packet.source.port());
output.set_destination(packet.destination.port());
// Write the sequence and ack numbers
output.set_sequence(packet.sequence);
output.set_acknowledgement(packet.ack_number);
// Write the offset
output.set_data_offset(5 + (options_length / 4));
// Write the options
output.set_options(&packet.options);
// Write the flags
output.set_flags(packet.flags);
// Write the window size
output.set_window(packet.window_size);
// Write the urgent pointer
output.set_urgent_ptr(packet.urgent_pointer);
// Write the payload
output.set_payload(&payload);
// Calculate the checksum
output.set_checksum(0);
output.set_checksum(match (packet.source.ip(), packet.destination.ip()) {
(IpAddr::V4(source_ip), IpAddr::V4(destination_ip)) => {
pnet_packet::tcp::ipv4_checksum(&output.to_immutable(), &source_ip, &destination_ip)
}
(IpAddr::V6(source_ip), IpAddr::V6(destination_ip)) => {
pnet_packet::tcp::ipv6_checksum(&output.to_immutable(), &source_ip, &destination_ip)
}
_ => unreachable!(),
});
// Return the raw bytes
output.packet().to_vec()
}
}

215
src/packet/protocols/udp.rs
View File

@ -1,215 +0,0 @@
use std::net::{IpAddr, SocketAddr};
use pnet_packet::Packet;
use super::raw::RawBytes;
use crate::packet::error::PacketError;
/// A UDP packet
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub struct UdpPacket<T> {
source: SocketAddr,
destination: SocketAddr,
pub payload: T,
}
impl<T> UdpPacket<T> {
/// Construct a new UDP packet
pub fn new(
source: SocketAddr,
destination: SocketAddr,
payload: T,
) -> Result<Self, PacketError> {
// Ensure the source and destination addresses are the same type
if source.is_ipv4() != destination.is_ipv4() {
return Err(PacketError::MismatchedAddressFamily(
source.ip(),
destination.ip(),
));
}
// Build the packet
Ok(Self {
source,
destination,
payload,
})
}
// Set a new source
#[allow(dead_code)]
pub fn set_source(&mut self, source: SocketAddr) -> Result<(), PacketError> {
// Ensure the source and destination addresses are the same type
if source.is_ipv4() != self.destination.is_ipv4() {
return Err(PacketError::MismatchedAddressFamily(
source.ip(),
self.destination.ip(),
));
}
// Set the source
self.source = source;
Ok(())
}
// Set a new destination
#[allow(dead_code)]
pub fn set_destination(&mut self, destination: SocketAddr) -> Result<(), PacketError> {
// Ensure the source and destination addresses are the same type
if self.source.is_ipv4() != destination.is_ipv4() {
return Err(PacketError::MismatchedAddressFamily(
self.source.ip(),
destination.ip(),
));
}
// Set the destination
self.destination = destination;
Ok(())
}
/// Get the source
pub fn source(&self) -> SocketAddr {
self.source
}
/// Get the destination
pub fn destination(&self) -> SocketAddr {
self.destination
}
}
impl<T> UdpPacket<T>
where
T: From<Vec<u8>>,
{
/// Construct a new UDP packet from bytes
#[allow(dead_code)]
pub fn new_from_bytes(
bytes: &[u8],
source_address: IpAddr,
destination_address: IpAddr,
) -> Result<Self, PacketError> {
// Ensure the source and destination addresses are the same type
if source_address.is_ipv4() != destination_address.is_ipv4() {
return Err(PacketError::MismatchedAddressFamily(
source_address,
destination_address,
));
}
// Parse the packet
let parsed = pnet_packet::udp::UdpPacket::new(bytes)
.ok_or_else(|| PacketError::TooShort(bytes.len(), bytes.to_vec()))?;
// Build the struct
Ok(Self {
source: SocketAddr::new(source_address, parsed.get_source()),
destination: SocketAddr::new(destination_address, parsed.get_destination()),
payload: parsed.payload().to_vec().into(),
})
}
}
impl UdpPacket<RawBytes> {
/// Construct a new UDP packet with a raw payload from bytes
pub fn new_from_bytes_raw_payload(
bytes: &[u8],
source_address: IpAddr,
destination_address: IpAddr,
) -> Result<Self, PacketError> {
// Ensure the source and destination addresses are the same type
if source_address.is_ipv4() != destination_address.is_ipv4() {
return Err(PacketError::MismatchedAddressFamily(
source_address,
destination_address,
));
}
// Parse the packet
let parsed = pnet_packet::udp::UdpPacket::new(bytes)
.ok_or_else(|| PacketError::TooShort(bytes.len(), bytes.to_vec()))?;
// Build the struct
Ok(Self {
source: SocketAddr::new(source_address, parsed.get_source()),
destination: SocketAddr::new(destination_address, parsed.get_destination()),
payload: RawBytes(parsed.payload().to_vec()),
})
}
}
impl<T> From<UdpPacket<T>> for Vec<u8>
where
T: Into<Vec<u8>>,
{
fn from(packet: UdpPacket<T>) -> Self {
// Convert the payload into raw bytes
let payload: Vec<u8> = packet.payload.into();
// Allocate a mutable packet to write into
let total_length =
pnet_packet::udp::MutableUdpPacket::minimum_packet_size() + payload.len();
let mut output =
pnet_packet::udp::MutableUdpPacket::owned(vec![0u8; total_length]).unwrap();
// Write the source and dest ports
output.set_source(packet.source.port());
output.set_destination(packet.destination.port());
// Write the length
output.set_length(u16::try_from(total_length).unwrap());
// Write the payload
output.set_payload(&payload);
// Calculate the checksum
output.set_checksum(0);
output.set_checksum(match (packet.source.ip(), packet.destination.ip()) {
(IpAddr::V4(source_ip), IpAddr::V4(destination_ip)) => {
pnet_packet::udp::ipv4_checksum(&output.to_immutable(), &source_ip, &destination_ip)
}
(IpAddr::V6(source_ip), IpAddr::V6(destination_ip)) => {
pnet_packet::udp::ipv6_checksum(&output.to_immutable(), &source_ip, &destination_ip)
}
_ => unreachable!(),
});
// Return the raw bytes
output.packet().to_vec()
}
}
#[cfg(test)]
mod tests {
use super::*;
// Test packet construction
#[test]
#[rustfmt::skip]
fn test_packet_construction() {
// Make a new packet
let packet = UdpPacket::new(
"192.0.2.1:1234".parse().unwrap(),
"192.0.2.2:5678".parse().unwrap(),
"Hello, world!".as_bytes().to_vec(),
)
.unwrap();
// Convert to raw bytes
let packet_bytes: Vec<u8> = packet.into();
// Check the contents
assert!(packet_bytes.len() >= 8 + 13);
assert_eq!(u16::from_be_bytes([packet_bytes[0], packet_bytes[1]]), 1234);
assert_eq!(u16::from_be_bytes([packet_bytes[2], packet_bytes[3]]), 5678);
assert_eq!(u16::from_be_bytes([packet_bytes[4], packet_bytes[5]]), 8 + 13);
assert_eq!(u16::from_be_bytes([packet_bytes[6], packet_bytes[7]]), 0x1f74);
assert_eq!(
&packet_bytes[8..],
"Hello, world!".as_bytes().to_vec().as_slice()
);
}
}

113
src/packet/xlat/icmp/mod.rs
View File

@ -1,113 +0,0 @@
#![allow(clippy::doc_markdown)]
use std::net::{Ipv4Addr, Ipv6Addr};
use pnet_packet::{icmp::IcmpTypes, icmpv6::Icmpv6Types};
use crate::{
metrics::ICMP_COUNTER,
packet::{
error::PacketError,
protocols::{icmp::IcmpPacket, icmpv6::Icmpv6Packet, raw::RawBytes},
},
};
use super::ip::{translate_ipv4_to_ipv6, translate_ipv6_to_ipv4};
mod type_code;
/// Translates an ICMP packet to an ICMPv6 packet
pub fn translate_icmp_to_icmpv6(
input: IcmpPacket<RawBytes>,
new_source: Ipv6Addr,
new_destination: Ipv6Addr,
) -> Result<Icmpv6Packet<RawBytes>, PacketError> {
ICMP_COUNTER
.with_label_values(&[
"icmp",
&input.icmp_type.0.to_string(),
&input.icmp_code.0.to_string(),
])
.inc();
// Translate the type and code
let (icmpv6_type, icmpv6_code) =
type_code::translate_type_and_code_4_to_6(input.icmp_type, input.icmp_code)?;
// Some ICMP types require special payload edits
let payload = match icmpv6_type {
Icmpv6Types::TimeExceeded => {
// In this case, the current payload looks like: 4bytes + Ipv4(Data)
// This needs to be translated to: 4bytes + Ipv6(Data)
let inner_payload = input.payload.0[4..].to_vec();
// Translate
let inner_payload =
translate_ipv4_to_ipv6(inner_payload.try_into()?, new_source, new_destination)?;
let inner_payload: Vec<u8> = inner_payload.into();
// Build the new payload
RawBytes({
let mut buffer = Vec::with_capacity(4 + inner_payload.len());
buffer.extend_from_slice(&input.payload.0[..4]);
buffer.extend_from_slice(&inner_payload);
buffer
})
}
_ => input.payload,
};
// Build output packet
Ok(Icmpv6Packet::new(
new_source,
new_destination,
icmpv6_type,
icmpv6_code,
payload,
))
}
/// Translates an ICMPv6 packet to an ICMP packet
pub fn translate_icmpv6_to_icmp(
input: Icmpv6Packet<RawBytes>,
new_source: Ipv4Addr,
new_destination: Ipv4Addr,
) -> Result<IcmpPacket<RawBytes>, PacketError> {
ICMP_COUNTER
.with_label_values(&[
"icmpv6",
&input.icmp_type.0.to_string(),
&input.icmp_code.0.to_string(),
])
.inc();
// Translate the type and code
let (icmp_type, icmp_code) =
type_code::translate_type_and_code_6_to_4(input.icmp_type, input.icmp_code)?;
// Some ICMP types require special payload edits
let payload = match icmp_type {
IcmpTypes::TimeExceeded => {
// In this case, the current payload looks like: 4bytes + Ipv6(Data)
// This needs to be translated to: 4bytes + Ipv4(Data)
let inner_payload = input.payload.0[4..].to_vec();
// Translate
let inner_payload =
translate_ipv6_to_ipv4(&inner_payload.try_into()?, new_source, new_destination)?;
let inner_payload: Vec<u8> = inner_payload.into();
// Build the new payload
RawBytes({
let mut buffer = Vec::with_capacity(4 + inner_payload.len());
buffer.extend_from_slice(&input.payload.0[..4]);
buffer.extend_from_slice(&inner_payload);
buffer
})
}
_ => input.payload,
};
// Build output packet
Ok(IcmpPacket::new(icmp_type, icmp_code, payload))
}

129
src/packet/xlat/ip.rs
View File

@ -1,129 +0,0 @@
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
use pnet_packet::ip::IpNextHeaderProtocols;
use crate::{
packet::protocols::{icmp::IcmpPacket, tcp::TcpPacket, udp::UdpPacket},
packet::{
error::PacketError,
protocols::{icmpv6::Icmpv6Packet, ipv4::Ipv4Packet, ipv6::Ipv6Packet, raw::RawBytes},
},
};
use super::{
icmp::{translate_icmp_to_icmpv6, translate_icmpv6_to_icmp},
tcp::{translate_tcp4_to_tcp6, translate_tcp6_to_tcp4},
udp::{translate_udp4_to_udp6, translate_udp6_to_udp4},
};
/// Translates an IPv4 packet to an IPv6 packet
pub fn translate_ipv4_to_ipv6(
input: Ipv4Packet<Vec<u8>>,
new_source: Ipv6Addr,
new_destination: Ipv6Addr,
) -> Result<Ipv6Packet<Vec<u8>>, PacketError> {
// Perform recursive translation to determine the new payload
let new_payload = match input.protocol {
IpNextHeaderProtocols::Icmp => {
let icmp_input: IcmpPacket<RawBytes> = input.payload.try_into()?;
translate_icmp_to_icmpv6(icmp_input, new_source, new_destination)?.into()
}
IpNextHeaderProtocols::Udp => {
let udp_input: UdpPacket<RawBytes> = UdpPacket::new_from_bytes_raw_payload(
&input.payload,
IpAddr::V4(input.source_address),
IpAddr::V4(input.destination_address),
)?;
translate_udp4_to_udp6(udp_input, new_source, new_destination)?.into()
}
IpNextHeaderProtocols::Tcp => {
let tcp_input: TcpPacket<RawBytes> = TcpPacket::new_from_bytes_raw_payload(
&input.payload,
IpAddr::V4(input.source_address),
IpAddr::V4(input.destination_address),
)?;
translate_tcp4_to_tcp6(tcp_input, new_source, new_destination)?.into()
}
_ => {
log::warn!("Unsupported next level protocol: {}", input.protocol);
input.payload
}
};
// Build the output IPv6 packet
let output = Ipv6Packet::new(
0,
0,
match input.protocol {
IpNextHeaderProtocols::Icmp => IpNextHeaderProtocols::Icmpv6,
proto => proto,
},
input.ttl,
new_source,
new_destination,
new_payload,
);
// Return the output
Ok(output)
}
/// Translates an IPv6 packet to an IPv4 packet
pub fn translate_ipv6_to_ipv4(
input: &Ipv6Packet<Vec<u8>>,
new_source: Ipv4Addr,
new_destination: Ipv4Addr,
) -> Result<Ipv4Packet<Vec<u8>>, PacketError> {
// Perform recursive translation to determine the new payload
let new_payload = match input.next_header {
IpNextHeaderProtocols::Icmpv6 => {
let icmpv6_input: Icmpv6Packet<RawBytes> = Icmpv6Packet::new_from_bytes_raw_payload(
&input.payload,
input.source_address,
input.destination_address,
)?;
Some(translate_icmpv6_to_icmp(icmpv6_input, new_source, new_destination)?.into())
}
IpNextHeaderProtocols::Udp => {
let udp_input: UdpPacket<RawBytes> = UdpPacket::new_from_bytes_raw_payload(
&input.payload,
IpAddr::V6(input.source_address),
IpAddr::V6(input.destination_address),
)?;
Some(translate_udp6_to_udp4(udp_input, new_source, new_destination)?.into())
}
IpNextHeaderProtocols::Tcp => {
let tcp_input: TcpPacket<RawBytes> = TcpPacket::new_from_bytes_raw_payload(
&input.payload,
IpAddr::V6(input.source_address),
IpAddr::V6(input.destination_address),
)?;
Some(translate_tcp6_to_tcp4(tcp_input, new_source, new_destination)?.into())
}
_ => {
log::warn!("Unsupported next level protocol: {}", input.next_header);
None
}
};
// Build the output IPv4 packet
let output = Ipv4Packet::new(
0,
0,
0,
0,
0,
input.hop_limit,
match input.next_header {
IpNextHeaderProtocols::Icmpv6 => IpNextHeaderProtocols::Icmp,
proto => proto,
},
new_source,
new_destination,
vec![],
new_payload.unwrap_or_default(),
);
// Return the output
Ok(output)
}

123
src/packet/xlat/tcp.rs
View File

@ -1,123 +0,0 @@
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};
use crate::packet::{
error::PacketError,
protocols::{raw::RawBytes, tcp::TcpPacket},
};
/// Translates an IPv4 TCP packet to an IPv6 TCP packet
pub fn translate_tcp4_to_tcp6(
input: TcpPacket<RawBytes>,
new_source_addr: Ipv6Addr,
new_destination_addr: Ipv6Addr,
) -> Result<TcpPacket<RawBytes>, PacketError> {
// Build the packet
TcpPacket::new(
SocketAddr::new(IpAddr::V6(new_source_addr), input.source().port()),
SocketAddr::new(IpAddr::V6(new_destination_addr), input.destination().port()),
input.sequence,
input.ack_number,
input.flags,
input.window_size,
input.urgent_pointer,
input.options,
input.payload,
)
}
/// Translates an IPv6 TCP packet to an IPv4 TCP packet
pub fn translate_tcp6_to_tcp4(
input: TcpPacket<RawBytes>,
new_source_addr: Ipv4Addr,
new_destination_addr: Ipv4Addr,
) -> Result<TcpPacket<RawBytes>, PacketError> {
// Build the packet
TcpPacket::new(
SocketAddr::new(IpAddr::V4(new_source_addr), input.source().port()),
SocketAddr::new(IpAddr::V4(new_destination_addr), input.destination().port()),
input.sequence,
input.ack_number,
input.flags,
input.window_size,
input.urgent_pointer,
input.options,
input.payload,
)
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_translate_tcp4_to_tcp6() {
let input = TcpPacket::new(
"192.0.2.1:1234".parse().unwrap(),
"192.0.2.2:5678".parse().unwrap(),
123456,
654321,
0,
4096,
0,
Vec::new(),
RawBytes("Hello, world!".as_bytes().to_vec()),
)
.unwrap();
let result = translate_tcp4_to_tcp6(
input,
"2001:db8::1".parse().unwrap(),
"2001:db8::2".parse().unwrap(),
)
.unwrap();
assert_eq!(result.source(), "[2001:db8::1]:1234".parse().unwrap());
assert_eq!(result.destination(), "[2001:db8::2]:5678".parse().unwrap());
assert_eq!(result.sequence, 123456);
assert_eq!(result.ack_number, 654321);
assert_eq!(result.flags, 0);
assert_eq!(result.window_size, 4096);
assert_eq!(result.urgent_pointer, 0);
assert_eq!(result.options.len(), 0);
assert_eq!(
result.payload,
RawBytes("Hello, world!".as_bytes().to_vec())
);
}
#[test]
fn test_translate_tcp6_to_tcp4() {
let input = TcpPacket::new(
"[2001:db8::1]:1234".parse().unwrap(),
"[2001:db8::2]:5678".parse().unwrap(),
123456,
654321,
0,
4096,
0,
Vec::new(),
RawBytes("Hello, world!".as_bytes().to_vec()),
)
.unwrap();
let result = translate_tcp6_to_tcp4(
input,
"192.0.2.1".parse().unwrap(),
"192.0.2.2".parse().unwrap(),
)
.unwrap();
assert_eq!(result.source(), "192.0.2.1:1234".parse().unwrap());
assert_eq!(result.destination(), "192.0.2.2:5678".parse().unwrap());
assert_eq!(result.sequence, 123456);
assert_eq!(result.ack_number, 654321);
assert_eq!(result.flags, 0);
assert_eq!(result.window_size, 4096);
assert_eq!(result.urgent_pointer, 0);
assert_eq!(result.options.len(), 0);
assert_eq!(
result.payload,
RawBytes("Hello, world!".as_bytes().to_vec())
);
}
}

97
src/packet/xlat/udp.rs
View File

@ -1,97 +0,0 @@
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};
use crate::packet::{
error::PacketError,
protocols::{raw::RawBytes, udp::UdpPacket},
};
/// Translates an IPv4 UDP packet to an IPv6 UDP packet
pub fn translate_udp4_to_udp6(
input: UdpPacket<RawBytes>,
new_source_addr: Ipv6Addr,
new_destination_addr: Ipv6Addr,
) -> Result<UdpPacket<RawBytes>, PacketError> {
// Build the packet
UdpPacket::new(
SocketAddr::new(IpAddr::V6(new_source_addr), input.source().port()),
SocketAddr::new(IpAddr::V6(new_destination_addr), input.destination().port()),
input.payload,
)
}
/// Translates an IPv6 UDP packet to an IPv4 UDP packet
pub fn translate_udp6_to_udp4(
input: UdpPacket<RawBytes>,
new_source_addr: Ipv4Addr,
new_destination_addr: Ipv4Addr,
) -> Result<UdpPacket<RawBytes>, PacketError> {
// Build the packet
UdpPacket::new(
SocketAddr::new(IpAddr::V4(new_source_addr), input.source().port()),
SocketAddr::new(IpAddr::V4(new_destination_addr), input.destination().port()),
input.payload,
)
}
#[cfg(test)]
mod tests {
use super::*;
use crate::packet::protocols::udp::UdpPacket;
#[test]
fn test_translate_udp4_to_udp6() {
// Create an IPv4 UDP packet
let ipv4_packet = UdpPacket::new(
"192.0.2.1:1234".parse().unwrap(),
"192.0.2.2:5678".parse().unwrap(),
RawBytes("Hello, world!".as_bytes().to_vec()),
)
.unwrap();
// Translate the packet to IPv6
let ipv6_packet = translate_udp4_to_udp6(
ipv4_packet,
"2001:db8::1".parse().unwrap(),
"2001:db8::2".parse().unwrap(),
)
.unwrap();
// Ensure the translation is correct
assert_eq!(ipv6_packet.source(), "[2001:db8::1]:1234".parse().unwrap());
assert_eq!(
ipv6_packet.destination(),
"[2001:db8::2]:5678".parse().unwrap()
);
assert_eq!(
ipv6_packet.payload,
RawBytes("Hello, world!".as_bytes().to_vec())
);
}
#[test]
fn test_translate_udp6_to_udp4() {
// Create an IPv6 UDP packet
let ipv6_packet = UdpPacket::new(
"[2001:db8::1]:1234".parse().unwrap(),
"[2001:db8::2]:5678".parse().unwrap(),
RawBytes("Hello, world!".as_bytes().to_vec()),
)
.unwrap();
// Translate the packet to IPv4
let ipv4_packet = translate_udp6_to_udp4(
ipv6_packet,
"192.0.2.1".parse().unwrap(),
"192.0.2.2".parse().unwrap(),
)
.unwrap();
// Ensure the translation is correct
assert_eq!(ipv4_packet.source(), "192.0.2.1:1234".parse().unwrap());
assert_eq!(ipv4_packet.destination(), "192.0.2.2:5678".parse().unwrap());
assert_eq!(
ipv4_packet.payload,
RawBytes("Hello, world!".as_bytes().to_vec())
);
}
}

5
src/protomask-6over4.rs Normal file
View File

@ -0,0 +1,5 @@
//! This is a placeholder for a future 6over4 implementation
#[tokio::main]
pub async fn main() {
println!("You did it! You found the incomplete binary :)");
}

140
src/protomask-clat.rs Normal file
View File

@ -0,0 +1,140 @@
//! Entrypoint for the `protomask-clat` binary.
//!
//! This binary is a Customer-side transLATor (CLAT) that translates all native
//! IPv4 traffic to IPv6 traffic for transmission over an IPv6-only ISP network.
use crate::common::packet_handler::{
get_ipv4_src_dst, get_ipv6_src_dst, get_layer_3_proto, handle_translation_error,
PacketHandlingError,
};
use crate::common::profiler::start_puffin_server;
use crate::{args::protomask_clat::Args, common::permissions::ensure_root};
use clap::Parser;
use common::logging::enable_logger;
use easy_tun::Tun;
use interproto::protocols::ip::{translate_ipv4_to_ipv6, translate_ipv6_to_ipv4};
use ipnet::{IpNet, Ipv4Net, Ipv6Net};
use rfc6052::{embed_ipv4_addr_unchecked, extract_ipv4_addr_unchecked};
use std::io::{Read, Write};
mod args;
mod common;
#[tokio::main]
pub async fn main() {
// Parse CLI args
let args = Args::parse();
// Initialize logging
enable_logger(args.verbose);
// Load config data
let config = args.data().unwrap();
// We must be root to continue program execution
ensure_root();
// Start profiling
#[allow(clippy::let_unit_value)]
let _server = start_puffin_server(&args.profiler_args);
// Bring up a TUN interface
let mut tun = Tun::new(&args.interface).unwrap();
// Get the interface index
let rt_handle = rtnl::new_handle().unwrap();
let tun_link_idx = rtnl::link::get_link_index(&rt_handle, tun.name())
.await
.unwrap()
.unwrap();
// Bring the interface up
rtnl::link::link_up(&rt_handle, tun_link_idx).await.unwrap();
// Add an IPv4 default route towards the interface
rtnl::route::route_add(IpNet::V4(Ipv4Net::default()), &rt_handle, tun_link_idx)
.await
.unwrap();
// Add an IPv6 route for each customer prefix
for customer_prefix in config.customer_pool {
let embedded_customer_prefix = unsafe {
Ipv6Net::new(
embed_ipv4_addr_unchecked(customer_prefix.addr(), config.embed_prefix),
config.embed_prefix.prefix_len() + customer_prefix.prefix_len(),
)
.unwrap_unchecked()
};
log::debug!(
"Adding route for {} to {}",
embedded_customer_prefix,
tun.name()
);
rtnl::route::route_add(
IpNet::V6(embedded_customer_prefix),
&rt_handle,
tun_link_idx,
)
.await
.unwrap();
}
// If we are configured to serve prometheus metrics, start the server
if let Some(bind_addr) = config.prom_bind_addr {
log::info!("Starting prometheus server on {}", bind_addr);
tokio::spawn(protomask_metrics::http::serve_metrics(bind_addr));
}
// Translate all incoming packets
log::info!("Translating packets on {}", tun.name());
let mut buffer = vec![0u8; 1500];
loop {
// Indicate to the profiler that we are starting a new packet
profiling::finish_frame!();
profiling::scope!("packet");
// Read a packet
let len = tun.read(&mut buffer).unwrap();
// Translate it based on the Layer 3 protocol number
let translation_result: Result<Option<Vec<u8>>, PacketHandlingError> =
match get_layer_3_proto(&buffer[..len]) {
Some(4) => {
let (source, dest) = get_ipv4_src_dst(&buffer[..len]);
translate_ipv4_to_ipv6(
&buffer[..len],
unsafe { embed_ipv4_addr_unchecked(source, config.embed_prefix) },
unsafe { embed_ipv4_addr_unchecked(dest, config.embed_prefix) },
)
.map(Some)
.map_err(PacketHandlingError::from)
}
Some(6) => {
let (source, dest) = get_ipv6_src_dst(&buffer[..len]);
translate_ipv6_to_ipv4(
&buffer[..len],
unsafe {
extract_ipv4_addr_unchecked(source, config.embed_prefix.prefix_len())
},
unsafe {
extract_ipv4_addr_unchecked(dest, config.embed_prefix.prefix_len())
},
)
.map(Some)
.map_err(PacketHandlingError::from)
}
Some(proto) => {
log::warn!("Unknown Layer 3 protocol: {}", proto);
continue;
}
None => {
continue;
}
};
// Handle any errors and write
if let Some(output) = handle_translation_error(translation_result) {
tun.write_all(&output).unwrap();
}
}
}

170
src/protomask.rs Normal file
View File

@ -0,0 +1,170 @@
use crate::common::{
packet_handler::{
get_ipv4_src_dst, get_ipv6_src_dst, get_layer_3_proto, handle_translation_error,
PacketHandlingError,
},
permissions::ensure_root,
profiler::start_puffin_server,
};
use clap::Parser;
use common::logging::enable_logger;
use easy_tun::Tun;
use fast_nat::CrossProtocolNetworkAddressTableWithIpv4Pool;
use interproto::protocols::ip::{translate_ipv4_to_ipv6, translate_ipv6_to_ipv4};
use ipnet::IpNet;
use rfc6052::{embed_ipv4_addr_unchecked, extract_ipv4_addr_unchecked};
use std::{
cell::RefCell,
io::{Read, Write},
time::Duration,
};
mod args;
mod common;
#[tokio::main]
pub async fn main() {
// Parse CLI args
let args = args::protomask::Args::parse();
// Initialize logging
enable_logger(args.verbose);
// Load config data
let config = args.data().unwrap();
// We must be root to continue program execution
ensure_root();
// Start profiling
#[allow(clippy::let_unit_value)]
let _server = start_puffin_server(&args.profiler_args);
// Bring up a TUN interface
log::debug!("Creating new TUN interface");
let mut tun = Tun::new(&args.interface).unwrap();
log::debug!("Created TUN interface: {}", tun.name());
// Get the interface index
let rt_handle = rtnl::new_handle().unwrap();
let tun_link_idx = rtnl::link::get_link_index(&rt_handle, tun.name())
.await
.unwrap()
.unwrap();
// Bring the interface up
rtnl::link::link_up(&rt_handle, tun_link_idx).await.unwrap();
// Add a route for the translation prefix
log::debug!(
"Adding route for {} to {}",
config.translation_prefix,
tun.name()
);
rtnl::route::route_add(
IpNet::V6(config.translation_prefix),
&rt_handle,
tun_link_idx,
)
.await
.unwrap();
// Add a route for each NAT pool prefix
for pool_prefix in &config.pool_prefixes {
log::debug!("Adding route for {} to {}", pool_prefix, tun.name());
rtnl::route::route_add(IpNet::V4(*pool_prefix), &rt_handle, tun_link_idx)
.await
.unwrap();
}
// Set up the address table
let mut addr_table = RefCell::new(CrossProtocolNetworkAddressTableWithIpv4Pool::new(
&config.pool_prefixes,
Duration::from_secs(config.reservation_timeout),
));
for (v4_addr, v6_addr) in &config.static_map {
addr_table
.get_mut()
.insert_static(*v4_addr, *v6_addr)
.unwrap();
}
// If we are configured to serve prometheus metrics, start the server
if let Some(bind_addr) = config.prom_bind_addr {
log::info!("Starting prometheus server on {}", bind_addr);
tokio::spawn(protomask_metrics::http::serve_metrics(bind_addr));
}
// Translate all incoming packets
log::info!("Translating packets on {}", tun.name());
let mut buffer = vec![0u8; 1500];
loop {
// Indicate to the profiler that we are starting a new packet
profiling::finish_frame!();
profiling::scope!("packet");
// Read a packet
let len = tun.read(&mut buffer).unwrap();
// Translate it based on the Layer 3 protocol number
let translation_result: Result<Option<Vec<u8>>, PacketHandlingError> =
match get_layer_3_proto(&buffer[..len]) {
Some(4) => {
let (source, dest) = get_ipv4_src_dst(&buffer[..len]);
match addr_table.borrow().get_ipv6(&dest) {
Some(new_destination) => translate_ipv4_to_ipv6(
&buffer[..len],
unsafe { embed_ipv4_addr_unchecked(source, config.translation_prefix) },
new_destination,
)
.map(Some)
.map_err(PacketHandlingError::from),
None => {
protomask_metrics::metric!(
PACKET_COUNTER,
PROTOCOL_IPV4,
STATUS_DROPPED
);
Ok(None)
}
}
}
Some(6) => {
let (source, dest) = get_ipv6_src_dst(&buffer[..len]);
match addr_table.borrow_mut().get_or_create_ipv4(&source) {
Ok(new_source) => {
translate_ipv6_to_ipv4(&buffer[..len], new_source, unsafe {
extract_ipv4_addr_unchecked(
dest,
config.translation_prefix.prefix_len(),
)
})
.map(Some)
.map_err(PacketHandlingError::from)
}
Err(error) => {
log::error!("Error getting IPv4 address: {}", error);
protomask_metrics::metric!(
PACKET_COUNTER,
PROTOCOL_IPV6,
STATUS_DROPPED
);
Ok(None)
}
}
}
Some(proto) => {
log::warn!("Unknown Layer 3 protocol: {}", proto);
continue;
}
None => {
continue;
}
};
// Handle any errors and write
if let Some(output) = handle_translation_error(translation_result) {
tun.write_all(&output).unwrap();
}
}
}