Tool to help bypass NATs using ICMP method; must run as root (SUID will do) This code will work under GNU/Linux only. More...

#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <stdlib.h>
#include <stdint.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/in.h>

Include dependency graph for gnunet-helper-nat-client.c:

Data Structures
struct	ip_header
	IPv4 header. More...

struct	icmp_ttl_exceeded_header
	Format of ICMP packet. More...

struct	icmp_echo_header

struct	udp_header
	Beginning of UDP packet. More...

Macros
#define	_GNU_SOURCE

#define	ICMP_TIME_EXCEEDED 11

#define	GNUNET_memcpy(dst, src, n)
	Call memcpy() but check for n being 0 first. More...

#define	DUMMY_IP "192.0.2.86"
	Must match IP given in the server. More...

#define	NAT_TRAV_PORT 22225

#define	PACKET_ID 256
	Must match packet ID used by gnunet-helper-nat-server.c. More...

Functions
static uint16_t	calc_checksum (const uint16_t *data, unsigned int bytes)
	CRC-16 for IP/ICMP headers. More...

static void	send_icmp_udp (const struct in_addr my_ip, const struct in_addr other)
	Send an ICMP message to the target. More...

static void	send_icmp (const struct in_addr my_ip, const struct in_addr other)
	Send an ICMP message to the target. More...

int	main (int argc, char const argv)

Variables
static int	rawsock
	Socket we use to send our fake ICMP replies. More...

static struct in_addr	dummy
	Target "dummy" address of the packet we pretend to respond to. More...

static uint16_t	port
	Our "source" port. More...

Detailed Description

Tool to help bypass NATs using ICMP method; must run as root (SUID will do) This code will work under GNU/Linux only.

Author: Christian Grothoff

This program will send ONE ICMP message using RAW sockets to the IP address specified as the second argument. Since it uses RAW sockets, it must be installed SUID or run as 'root'. In order to keep the security risk of the resulting SUID binary minimal, the program ONLY opens the RAW socket with root privileges, then drops them and only then starts to process command line arguments. The code also does not link against any shared libraries (except libc) and is strictly minimal (except for checking for errors). The following list of people have reviewed this code and considered it safe since the last modification (if you reviewed it, please have your name added to the list):

Christian Grothoff
Nathan Evans
Benjamin Kuperman (22 Aug 2010)

Definition in file gnunet-helper-nat-client.c.

Macro Definition Documentation

◆ _GNU_SOURCE

#define _GNU_SOURCE

Definition at line 49 of file gnunet-helper-nat-client.c.

◆ ICMP_TIME_EXCEEDED

#define ICMP_TIME_EXCEEDED 11

Definition at line 67 of file gnunet-helper-nat-client.c.

◆ GNUNET_memcpy

#define GNUNET_memcpy	(	dst,
		src,
		n
	)

Value:

                                                                     do { if (0 != n) { (void) memcpy (dst, src, \
                                                                     n); \
                                        } } while (0)

Call memcpy() but check for n being 0 first.

In the latter case, it is now safe to pass NULL for src or dst. Unlike traditional memcpy(), returns nothing.

Parameters

dst	destination of the copy, may be NULL if n is zero
src	source of the copy, may be NULL if n is zero
n	number of bytes to copy

Definition at line 79 of file gnunet-helper-nat-client.c.

◆ DUMMY_IP

#define DUMMY_IP "192.0.2.86"

Must match IP given in the server.

Definition at line 86 of file gnunet-helper-nat-client.c.

◆ NAT_TRAV_PORT

#define NAT_TRAV_PORT 22225

Definition at line 88 of file gnunet-helper-nat-client.c.

◆ PACKET_ID

#define PACKET_ID 256

Must match packet ID used by gnunet-helper-nat-server.c.

Definition at line 93 of file gnunet-helper-nat-client.c.

Function Documentation

◆ calc_checksum()

static uint16_t calc_checksum	(	const uint16_t *	data,
		unsigned int	bytes
	)

static

CRC-16 for IP/ICMP headers.

Parameters

data	what to calculate the CRC over
bytes	number of bytes in data (must be multiple of 2)

Returns: the CRC 16.

Definition at line 216 of file gnunet-helper-nat-client.c.

 {
   uint32_t sum;
   unsigned int i;
  
   sum = 0;
   for (i = 0; i < bytes / 2; i++)
     sum += data[i];
   sum = (sum & 0xffff) + (sum >> 16);
   sum = htons (0xffff - sum);
   return sum;
 }

References data, and consensus-simulation::sum.

Referenced by send_icmp(), and send_icmp_udp().

Here is the caller graph for this function:

◆ send_icmp_udp()

static void send_icmp_udp	(	const struct in_addr *	my_ip,
		const struct in_addr *	other
	)

static

Send an ICMP message to the target.

Parameters

my_ip	source address
other	target address

Definition at line 237 of file gnunet-helper-nat-client.c.

 {
   char packet[sizeof(struct ip_header) * 2
               + sizeof(struct icmp_ttl_exceeded_header)
               + sizeof(struct udp_header)];
   struct ip_header ip_pkt;
   struct icmp_ttl_exceeded_header icmp_pkt;
   struct udp_header udp_pkt;
   struct sockaddr_in dst;
   size_t off;
   int err;
  
   /* ip header: send to (known) ip address */
   off = 0;
   ip_pkt.vers_ihl = 0x45;
   ip_pkt.tos = 0;
   /* should this be BSD only? */
 #if defined(BSD) && defined(__FreeBSD__) && defined(__FreeBSD_kernel__)
   ip_pkt.pkt_len = sizeof(packet);  /* Workaround PR kern/21737 */
 #else
   ip_pkt.pkt_len = htons (sizeof(packet));
 #endif
   ip_pkt.id = htons (PACKET_ID);
   ip_pkt.flags_frag_offset = 0;
   ip_pkt.ttl = 128;
   ip_pkt.proto = IPPROTO_ICMP;
   ip_pkt.checksum = 0;
   ip_pkt.src_ip = my_ip->s_addr;
   ip_pkt.dst_ip = other->s_addr;
   ip_pkt.checksum =
     htons (calc_checksum ((uint16_t *) &ip_pkt, sizeof(struct ip_header)));
   GNUNET_memcpy (&packet[off],
                  &ip_pkt,
                  sizeof(struct ip_header));
   off += sizeof(struct ip_header);
  
   icmp_pkt.type = ICMP_TIME_EXCEEDED;
   icmp_pkt.code = 0;
   icmp_pkt.checksum = 0;
   icmp_pkt.unused = 0;
   GNUNET_memcpy (&packet[off],
                  &icmp_pkt,
                  sizeof(struct icmp_ttl_exceeded_header));
   off += sizeof(struct icmp_ttl_exceeded_header);
  
   /* ip header of the presumably 'lost' udp packet */
   ip_pkt.vers_ihl = 0x45;
   ip_pkt.tos = 0;
   ip_pkt.pkt_len =
     htons (sizeof(struct ip_header) + sizeof(struct udp_header));
   ip_pkt.id = htons (0);
   ip_pkt.flags_frag_offset = 0;
   ip_pkt.ttl = 128;
   ip_pkt.proto = IPPROTO_UDP;
   ip_pkt.checksum = 0;
   ip_pkt.src_ip = other->s_addr;
   ip_pkt.dst_ip = dummy.s_addr;
   ip_pkt.checksum =
     htons (calc_checksum ((uint16_t *) &ip_pkt, sizeof(struct ip_header)));
   GNUNET_memcpy (&packet[off],
                  &ip_pkt,
                  sizeof(struct ip_header));
   off += sizeof(struct ip_header);
  
   /* build UDP header */
   udp_pkt.src_port = htons (NAT_TRAV_PORT);
   udp_pkt.dst_port = htons (NAT_TRAV_PORT);
   udp_pkt.length = htons (port);
   udp_pkt.crc = 0;
   GNUNET_memcpy (&packet[off],
                  &udp_pkt,
                  sizeof(struct udp_header));
   off += sizeof(struct udp_header);
  
   /* set ICMP checksum */
   icmp_pkt.checksum =
     htons (calc_checksum
              ((uint16_t *) &packet[sizeof(struct ip_header)],
              sizeof(struct icmp_ttl_exceeded_header)
              + sizeof(struct ip_header) + sizeof(struct udp_header)));
   GNUNET_memcpy (&packet[sizeof(struct ip_header)],
                  &icmp_pkt,
                  sizeof(struct icmp_ttl_exceeded_header));
  
   memset (&dst, 0, sizeof(dst));
   dst.sin_family = AF_INET;
 #if HAVE_SOCKADDR_IN_SIN_LEN
   dst.sin_len = sizeof(struct sockaddr_in);
 #endif
   dst.sin_addr = *other;
   err =
     sendto (rawsock, packet, sizeof(packet), 0, (struct sockaddr *) &dst,
             sizeof(dst));
   if (err < 0)
   {
     fprintf (stderr, "sendto failed: %s\n", strerror (errno));
   }
   else if (sizeof(packet) != (size_t) err)
   {
     fprintf (stderr, "Error: partial send of ICMP message with size %lu\n",
              (unsigned long) off);
   }
 }

References calc_checksum(), ip_header::checksum, icmp_ttl_exceeded_header::checksum, icmp_ttl_exceeded_header::code, udp_header::crc, ip_header::dst_ip, udp_header::dst_port, dummy, ip_header::flags_frag_offset, GNUNET_memcpy, ICMP_TIME_EXCEEDED, ip_header::id, udp_header::length, NAT_TRAV_PORT, PACKET_ID, ip_header::pkt_len, port, ip_header::proto, rawsock, ip_header::src_ip, udp_header::src_port, ip_header::tos, ip_header::ttl, icmp_ttl_exceeded_header::type, icmp_ttl_exceeded_header::unused, and ip_header::vers_ihl.

Referenced by main().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ send_icmp()

static void send_icmp	(	const struct in_addr *	my_ip,
		const struct in_addr *	other
	)

static

Send an ICMP message to the target.

Parameters

my_ip	source address
other	target address

Definition at line 349 of file gnunet-helper-nat-client.c.

 {
   struct ip_header ip_pkt;
   struct icmp_ttl_exceeded_header icmp_ttl;
   struct icmp_echo_header icmp_echo;
   struct sockaddr_in dst;
   char packet[sizeof(struct ip_header) * 2
               + sizeof(struct icmp_ttl_exceeded_header)
               + sizeof(struct icmp_echo_header)];
   size_t off;
   int err;
  
   /* ip header: send to (known) ip address */
   off = 0;
   ip_pkt.vers_ihl = 0x45;
   ip_pkt.tos = 0;
 #if defined(BSD) && defined(__FreeBSD__) && defined(__FreeBSD_kernel__)
   ip_pkt.pkt_len = sizeof(packet);  /* Workaround PR kern/21737 */
 #else
   ip_pkt.pkt_len = htons (sizeof(packet));
 #endif
   ip_pkt.id = htons (PACKET_ID);
   ip_pkt.flags_frag_offset = 0;
   ip_pkt.ttl = IPDEFTTL;
   ip_pkt.proto = IPPROTO_ICMP;
   ip_pkt.checksum = 0;
   ip_pkt.src_ip = my_ip->s_addr;
   ip_pkt.dst_ip = other->s_addr;
   ip_pkt.checksum =
     htons (calc_checksum ((uint16_t *) &ip_pkt, sizeof(struct ip_header)));
   GNUNET_memcpy (&packet[off],
                  &ip_pkt,
                  sizeof(struct ip_header));
   off = sizeof(ip_pkt);
  
   /* icmp reply: time exceeded */
   icmp_ttl.type = ICMP_TIME_EXCEEDED;
   icmp_ttl.code = 0;
   icmp_ttl.checksum = 0;
   icmp_ttl.unused = 0;
   GNUNET_memcpy (&packet[off],
                  &icmp_ttl,
                  sizeof(struct icmp_ttl_exceeded_header));
   off += sizeof(struct icmp_ttl_exceeded_header);
  
   /* ip header of the presumably 'lost' udp packet */
   ip_pkt.vers_ihl = 0x45;
   ip_pkt.tos = 0;
   ip_pkt.pkt_len =
     htons (sizeof(struct ip_header) + sizeof(struct icmp_echo_header));
   ip_pkt.id = htons (PACKET_ID);
   ip_pkt.flags_frag_offset = 0;
   ip_pkt.ttl = 1;               /* real TTL would be 1 on a time exceeded packet */
   ip_pkt.proto = IPPROTO_ICMP;
   ip_pkt.src_ip = other->s_addr;
   ip_pkt.dst_ip = dummy.s_addr;
   ip_pkt.checksum = 0;
   ip_pkt.checksum =
     htons (calc_checksum ((uint16_t *) &ip_pkt, sizeof(struct ip_header)));
   GNUNET_memcpy (&packet[off],
                  &ip_pkt,
                  sizeof(struct ip_header));
   off += sizeof(struct ip_header);
  
   icmp_echo.type = ICMP_ECHO;
   icmp_echo.code = 0;
   icmp_echo.reserved = htonl (port);
   icmp_echo.checksum = 0;
   icmp_echo.checksum =
     htons (calc_checksum
              ((uint16_t *) &icmp_echo, sizeof(struct icmp_echo_header)));
   GNUNET_memcpy (&packet[off],
                  &icmp_echo,
                  sizeof(struct icmp_echo_header));
  
   /* no go back to calculate ICMP packet checksum */
   off = sizeof(struct ip_header);
   icmp_ttl.checksum =
     htons (calc_checksum
              ((uint16_t *) &packet[off],
              sizeof(struct icmp_ttl_exceeded_header)
              + sizeof(struct ip_header) + sizeof(struct icmp_echo_header)));
   GNUNET_memcpy (&packet[off],
                  &icmp_ttl,
                  sizeof(struct icmp_ttl_exceeded_header));
  
   /* prepare for transmission */
   memset (&dst, 0, sizeof(dst));
   dst.sin_family = AF_INET;
 #if HAVE_SOCKADDR_IN_SIN_LEN
   dst.sin_len = sizeof(struct sockaddr_in);
 #endif
   dst.sin_addr = *other;
   err =
     sendto (rawsock, packet, sizeof(packet), 0, (struct sockaddr *) &dst,
             sizeof(dst));
   if (err < 0)
   {
     fprintf (stderr, "sendto failed: %s\n", strerror (errno));
   }
   else if (sizeof(packet) != (size_t) err)
   {
     fprintf (stderr, "Error: partial send of ICMP message\n");
   }
 }

References calc_checksum(), ip_header::checksum, icmp_ttl_exceeded_header::checksum, icmp_echo_header::checksum, icmp_ttl_exceeded_header::code, icmp_echo_header::code, ip_header::dst_ip, dummy, ip_header::flags_frag_offset, GNUNET_memcpy, ICMP_TIME_EXCEEDED, ip_header::id, PACKET_ID, ip_header::pkt_len, port, ip_header::proto, rawsock, icmp_echo_header::reserved, ip_header::src_ip, ip_header::tos, ip_header::ttl, icmp_ttl_exceeded_header::type, icmp_echo_header::type, icmp_ttl_exceeded_header::unused, and ip_header::vers_ihl.

Referenced by main().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ main()

int main	(	int	argc,
		char const	argv
	)

Definition at line 457 of file gnunet-helper-nat-client.c.

 {
   const int one = 1;
   struct in_addr external;
   struct in_addr target;
   uid_t uid;
   unsigned int p;
   int raw_eno;
   int global_ret;
  
   /* Create an ICMP raw socket for writing (only operation that requires root) */
   rawsock = socket (AF_INET, SOCK_RAW, IPPROTO_RAW);
   raw_eno = errno; /* for later error checking */
  
   /* now drop root privileges */
   uid = getuid ();
 #ifdef HAVE_SETRESUID
   if (0 != setresuid (uid, uid, uid))
   {
     fprintf (stderr, "Failed to setresuid: %s\n", strerror (errno));
     global_ret = 1;
     goto cleanup;
   }
 #else
   if (0 != (setuid (uid) | seteuid (uid)))
   {
     fprintf (stderr, "Failed to setuid: %s\n", strerror (errno));
     global_ret = 2;
     goto cleanup;
   }
 #endif
   if (-1 == rawsock)
   {
     fprintf (stderr, "Error opening RAW socket: %s\n", strerror (raw_eno));
     global_ret = 3;
     goto cleanup;
   }
   if (0 !=
       setsockopt (rawsock, SOL_SOCKET, SO_BROADCAST, (char *) &one,
                   sizeof(one)))
   {
     fprintf (stderr, "setsockopt failed: %s\n", strerror (errno));
     global_ret = 4;
     goto cleanup;
   }
   if (0 !=
       setsockopt (rawsock, IPPROTO_IP, IP_HDRINCL, (char *) &one, sizeof(one)))
   {
     fprintf (stderr, "setsockopt failed: %s\n", strerror (errno));
     global_ret = 5;
     goto cleanup;
   }
  
   if (4 != argc)
   {
     fprintf (stderr,
              "This program must be started with our IP, the targets external IP, and our port as arguments.\n");
     global_ret = 6;
     goto cleanup;
   }
   if ((1 != inet_pton (AF_INET, argv[1], &external)) ||
       (1 != inet_pton (AF_INET, argv[2], &target)))
   {
     fprintf (stderr, "Error parsing IPv4 address: %s\n", strerror (errno));
     global_ret = 7;
     goto cleanup;
   }
   if ((1 != sscanf (argv[3], "%u", &p)) || (0 == p) || (0xFFFF < p))
   {
     fprintf (stderr, "Error parsing port value `%s'\n", argv[3]);
     global_ret = 8;
     goto cleanup;
   }
   port = (uint16_t) p;
   if (1 != inet_pton (AF_INET, DUMMY_IP, &dummy))
   {
     fprintf (stderr, "Internal error converting dummy IP to binary.\n");
     global_ret = 9;
     goto cleanup;
   }
   send_icmp (&external, &target);
   send_icmp_udp (&external, &target);
   global_ret = 0;
 cleanup:
   if (-1 != rawsock)
     (void) close (rawsock);
   return global_ret;
 }