summaryrefslogtreecommitdiffstats
path: root/src/helpers/dhcpv6.c
blob: f87b6cebfe1578076fd166c3ead50ebb5dfd2569 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
/*
 * (C) 2013 by Pablo Neira Ayuso <pablo@netfilter.org>
 *
 * Adapted from:
 *
 * DHCPv6 multicast connection tracking helper.
 *
 * (c) 2012 Google Inc.
 *
 * Original author: Darren Willis <djw@google.com>
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version
 * 2 of the License, or (at your option) any later version.
 */

#include "conntrackd.h"
#include "helper.h"
#include "myct.h"
#include "log.h"
#include <errno.h>
#include <netinet/ip.h>
#include <netinet/ip6.h>
#include <netinet/udp.h>
#include <libmnl/libmnl.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
#include <libnetfilter_queue/libnetfilter_queue.h>
#include <libnetfilter_queue/libnetfilter_queue_udp.h>
#include <libnetfilter_queue/pktbuff.h>
#include <linux/netfilter.h>

#define DHCPV6_CLIENT_PORT 546

static uint16_t dhcpv6_port;

/* Timeouts for DHCPv6 replies, in seconds, indexed by message type. */
static const int dhcpv6_timeouts[] = {
	0,	/* No message has type 0. */
	120,	/* Solicit. */
	0,	/* Advertise. */
	30,	/* Request. */
	4,	/* Confirm. */
	600,	/* Renew. */
	600,	/* Rebind. */
	0,	/* Reply. */
	1,	/* Release. */
	1,	/* Decline. */
	0,	/* Reconfigure. */
	120,	/* Information Request. */
	0,	/* Relay-forward. */
	0	/* Relay-reply. */
};

static inline int ipv6_addr_is_multicast(const struct in6_addr *addr)
{
	return (addr->s6_addr32[0] & htonl(0xFF000000)) == htonl(0xFF000000);
}

static int
dhcpv6_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
		 struct myct *myct, uint32_t ctinfo)
{
	struct iphdr *iph = (struct iphdr *)pktb_network_header(pkt);
	struct ip6_hdr *ip6h = (struct ip6_hdr *)pktb_network_header(pkt);
	int dir = CTINFO2DIR(ctinfo);
	union nfct_attr_grp_addr addr;
	struct nf_expect *exp;
	uint8_t *dhcpv6_msg_type;

	if (iph->version != 6 || !ipv6_addr_is_multicast(&ip6h->ip6_dst))
		return NF_ACCEPT;

	dhcpv6_msg_type = pktb_network_header(pkt) + protoff + sizeof(struct udphdr);
	if (*dhcpv6_msg_type >= ARRAY_SIZE(dhcpv6_timeouts)) {
		printf("Dropping DHCPv6 message with bad type %u\n",
			*dhcpv6_msg_type);
		return NF_DROP;
	}

	exp = nfexp_new();
	if (exp == NULL)
		return NF_ACCEPT;

	cthelper_get_addr_src(myct->ct, dir, &addr);

	if (cthelper_expect_init(exp, myct->ct, 0, NULL, &addr,
				 IPPROTO_UDP, NULL, &dhcpv6_port,
				 NF_CT_EXPECT_PERMANENT)) {
		nfexp_destroy(exp);
		return NF_DROP;
	}

	myct->exp = exp;

	if (dhcpv6_timeouts[*dhcpv6_msg_type] > 0) {
		nfct_set_attr_u32(myct->ct, ATTR_TIMEOUT,
				  dhcpv6_timeouts[*dhcpv6_msg_type]);
	}

	return NF_ACCEPT;
}

static struct ctd_helper dhcpv6_helper = {
	.name		= "dhcpv6",
	.l4proto	= IPPROTO_UDP,
	.cb		= dhcpv6_helper_cb,
	.policy		= {
		[0] = {
			.name			= "dhcpv6",
			.expect_max		= 1,
			.expect_timeout		= 300,
		},
	},
};

void __attribute__ ((constructor)) dhcpv6_init(void);

void dhcpv6_init(void)
{
	dhcpv6_port = htons(DHCPV6_CLIENT_PORT);
	helper_register(&dhcpv6_helper);
}