I / O with Tun interface

Question

I / O with Tun interface

The goal is for the program to intercept the collection of IP packets and read its raw contents, and then return it to the network after it has redid it.

My approach is based on configuring the Tuntap interface (especially for the tunnel), and then iptables and the like redirect the necessary packets to this tunnel interface.

For testing purposes, I wrote this short shell script that configures the Tun interface and adds the necessary rules. At the moment, I intend to check this on any packet sent from my local computer with destination 123.123.123.123 . This runs the script:

 # Set up the tunnel ip tuntap add dev maintun mode tun ifconfig maintun inet 10.10.10.1 netmask 255.255.255.0 up # Mark packets for forwarding to tun iptables -t mangle -A PREROUTING -d 123.123.123.123 -j MARK --set-mark 2 # Apply ClientRouter table to mark 2 as it defined in /etc/iproute2/rt_tables # 201 ClientRouter ip rule add fwmark 2 table ClientRouter # Apply gw if to ClienRouter ip route add default via 10.10.10.1 dev maintun table ClientRouter

I started writing a perl script to read from the Tun device, but I got stuck at several points at once:

It seems to me that the way to do this is for the script to create the interface itself by calling ioctl() on the file descriptor on /dev/net/tun , but I'm not sure about the other arguments ioctl() wants.This leads me to the following two points:
I see references to the second argument of TUNSETIFF . All I know is that it must be numeric. What is he asking for?
From what I gathered, the third argument should be some kind of flag, but I could not find information about them. Presumably, one flag will choose whether it should be a Tun or Tap tunnel. Any info on this?

Since I'm stuck with the ioctl () flag, I would like to take a step back and ask: how to programmatically read from a Tun device, preferably a pre-configured, pre-configured?

Also, if someone sees something wrong with a startup script, feel free to scream.

Ideally, the solution would be in perl, it is not necessary, just that the language that I can read is the simplest. Java will also be decent. Unfortunately, my C literacy is not even as good as necessary.

Edit:

If a different approach than Tun / Tap would allow me to do as described in the first paragraph, any suggestions, of course, would be welcome.

Note:

I went over this question and at the same time it does not give an answer to the ioctl () arguments. However, this meant calling ioctl() .

+6

linux shell perl iptables tunnel

Jarmund May 25, '15 at 22:14

source share

1 answer

larsks · Accepted Answer · 2015-05-27T14:30:38+0000

Firstly, the TUN / TAP interface is documented in the Linux kernel documentation , which is worth reading if you haven’t seen it yet. Examples in C are, of course, but hopefully still useful.

I see references to the second argument of TUNSETIFF . All I know is that it must be numeric. What is he asking for?

This is a constant of the C library, the value of which you can determine using the following code:

 #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <sys/types.h> #include <sys/socket.h> #include <sys/ioctl.h> #include <linux/if.h> #include <linux/if_tun.h> int main(int argc, char **argv) { printf("TUNSETIFF: %d\n", TUNSETIFF); return 0; }

Which of my system returns:

 TUNSETIFF: 1074025674

From what I gathered, the third argument should be some kind of flag, but I could not find information about them. Presumably, one flag will choose whether it should be a Tun or Tap tunnel. Any info on this?

The third argument is a pointer to a structure that has an ifr_name containing the name of the device, and an ifr_flags attribute containing flags. The kernel documentation provides the following code example:

  /* Flags: IFF_TUN - TUN device (no Ethernet headers) * IFF_TAP - TAP device * * IFF_NO_PI - Do not provide packet information */ ifr.ifr_flags = IFF_TUN; if( *dev ) strncpy(ifr.ifr_name, dev, IFNAMSIZ); if( (err = ioctl(fd, TUNSETIFF, (void *) &ifr)) < 0 ){ close(fd); return err; }

You can find the values for different flags ( IFF_TUN , IFF_TAP ) using the same code above that we used to find the TUNSETIFF value.

If you write code in Perl, you need a way to create an appropriate C-compatible structure. My Perl is too rusty to offer the right solution from the head.

However, there seem to be several Perl modules available that simplify the whole process:

I / O with Tun interface

More articles: