[userv-utils] / ipif / udptunnel

#!/usr/bin/perl
# Simple tunnel for userv-ipif tunnels.
#
# usage:
#  udptunnel
#        [ -l[<local-command/arg>] ... .
#        | -e <encryption-mech>[/<encryption-parameter>...]
#        | -m   (`masquerade support': subcommand gets `Wait' instead of our addr/port)
#        | -d   (`dump keys': when no subcmd, spew keys rather than reading them;
#                we always send keys to our subcmd if there is one)
#        | -Dcrypto  (debug crypto - use with care, prints keys, packets &c on screen!)
#        | -f<path-to-udptunnel-forwarder>
#          ...
#        ]
#            <public-local-addr>,<public-local-port>
#            <public-remote-addr>,<public-remote-port>
#            <private-local-addr>,<private-remote-addr>,<mtu>,<proto>
#            <keepalive>,<timeout>
#            <extra-local-nets> <extra-remote-nets>
#          [ <remote-command> [<remote-args> ...] ]
#
# proto may be slip or cslip
#
# Any <..-addr> may also be hostname
#
# Local addr's and ports may also be:
#    `Print'     choose one ourselves and print both port and addr
#    `Any'       choose one ourselves and do not print it
# Remote addr's and ports may also be:
#    `Wait'      wait to receive a packet before assigning address
#    `Command'   run a subcommand and wait for it to tell us the values
# When any addr or port is `Command' then <remote-command> must be specified.
#
# If <remote-command> is specified it should run udptunnel at the
# remote end; it will be invoked as
#    <remote-command> [ <-e arguments passed along> ]
#                     <public-remote-addr'>,<public-remote-port'>
#                     <public-local-addr'>,<public-local-port'>
#                     <private-remote-addr>,<private-local-addr>,<mtu>,<proto>
#                     <keepalive>,<timeout>
#                     <extra-remote-nets> <extra-local-nets>
#

# If it was given Print for <public-remote-foo'>, this command's first
# stdout output should be the real
# <public-remote-addr>,<public-remote-port> pair (and of course this
# udptunnel's output will be).  It may then produce more stdout which,
# if any, will be forwarded to the local end's stdout as debugging info.
#
# After this, if any encryption was specified, the encryption
# parameters will be fed into its stdin.  See the documentation in the
# mech-*.c files for details of the parameters.  udptunnel will
# arrange to feed the keys fd of udptunnel-forwarder into the stdin of
# the remote command.
#
# <public-remote-foo'> is as follows:
#   <public-remote-foo>  <public-remote-foo'>
#   actual addr/port     that addr/port
#   `Command'            `Print'
#   `Wait'               `Any'
#
# <public-local-foo'> is as follows:
#   <public-local-foo>   <public-local-foo'>     <public-local-foo'>
#                        (-m not specified)      (-m specified)
#   actual addr/port     that addr/port       	 `Wait'
#   `Wait'               the chosen address 	 `Wait'
#   `Print'              the chosen address 	 `Wait'
#
# udptunnel will userv ipif locally, as
#    userv root ipif <private-local-addr>,<private-remote-addr>,<mtu>,<proto>
#                    <extra-local-nets>
# or, if -l was given, userv root ipif is replaced with the argument(s)
# following -l option(s) until `.'.
#
# udptunnel will also run udptunnel-forwarder with appropriate options
#
# recommended encryption parameters are:
#   -e nonce                            (prepend 32 bit counter)
#   -e timestamp/<max-skew>/<max-age>   (prepend 32 bit time_t, and check on receipt)
#   -e pkcs5/8                          (pad as per PKCS#5 to 8-byte boundary)
#   -e blowfish-cbcmac/128              (prepend CBC MAC with random IV and 128 bit key)
#   -e blowfish-cbc/128                 (encrypt with CBC, random IV and 128 bit key)
# where <max-skew> is perhaps 10 and <max-age> perhaps 30.

# Copyright (C) 1999-2000 Ian Jackson
#
# This is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with userv-utils; if not, write to the Free Software
# Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#
# $Id: udptunnel,v 1.12 2000/05/30 23:06:46 ian Exp $

use Socket;
use POSIX;
use Fcntl;

$progname= $0; $progname =~ s,.*/,,;
$|=1;

chomp($hostname= `uname -n`);
$? and die "$progname: cannot get hostname (uname failed with code $?)\n";

sub quit ($) { die "$progname - $hostname: fatal error: $_[0]\n"; }
sub debug ($) { print "$progname - $hostname: debug: $_[0]\n"; }
sub fail ($) { quit("unexpected system call failure: $_[0]: $!"); }
sub warning ($) { warn "$progname - $hostname: $_[0]\n"; }

sub eat_addr_port ($) {
    my ($x) = @_;
    @ARGV or quit("<addr>,<port> missing");
    $_= shift(@ARGV);
    (m/^$x,/i && m/^[a-z]/ || m/,$x$/i && m/,[a-z]/)
	and warning("$_: use Mixed Case for special values");
    m/^([0-9a-z][0-9a-z-+.]+|$x)\,(\d+|$x)$/
	or quit("$_: <host/addr>,<port> bad syntax".
		(m/[A-Z]/ ? ' (use lowercase for hostnames)' : ''));
    return ($1,$2);
}
sub conv_host_addr ($) {
    my ($s,$r,@h) = @_;
    return INADDR_ANY() if $s =~ m/^[A-Z][a-z]/;
    return $r if defined($r= inet_aton($s));
    @h= gethostbyname($s) or quit("$s: cannot get address");
    $h[2] eq &AF_INET or quit("$s: address is not IPv4");
    @h < 5 or quit("$s: name maps to no addresses");
    $r= $h[4];
    @h == 5 or warning("$s: name has several addresses, using ".inet_ntoa($r));
    return $r;
}
sub conv_port_number ($) {
    my ($s,$r) = @_;
    return 0 if $s =~ m/^[A-Z][a-z]/;
    $r= $s+0;
    $r>0 && $r<65536 or quit("$s: port out of range");
    return $r;
}
sub show_addr ($) {
    my ($s,@s) = @_;
    @s= unpack_sockaddr_in($s);
    return inet_ntoa($s[1]);
}
sub show_port ($) {
    my ($s,@s) = @_;
    @s= unpack_sockaddr_in($s);
    return $s[0];
}
sub show_addr_port ($) {
    my ($s) = @_;
    return show_addr($s).','.show_port($s);
}
sub arg_value ($$) {
    my ($val,$opt);
    $_= '-';
    return $val if length $val;
    @ARGV or quit("$opt needs value");
    return shift @ARGV;
}

$|=1;

@lcmd= ();
@encryption= ();
$masq= 0;
$dump= 0;
$fcmd= 'udptunnel-forwarder';
$xfwdopts= '';

while ($ARGV[0] =~ m/^-/) {
    $_= shift @ARGV;
    last if m/^--?$/;
    while (!m/^-$/) {
	if (s/^-l//) {
	    push @lcmd,$_ if length;
	    while (@ARGV && ($_= shift @ARGV) ne '.') { push @lcmd, $_; }
	    $_= '-'
	} elsif (s/^-f//) {
	    $fcmd= arg_value($_,'-f');
	} elsif (s/^-e//) {
	    $encrarg= arg_value($_,'-e');
	    push @encrargs, "-e$encrarg";
	    push @encryption, split m#/#, $encrarg;
	} elsif (s/^-m/-/) {
	    $masq= 1;
	} elsif (s/^-d/-/) {
	    $dump= 1;
	} elsif (s/^-Dcrypto$/-/) {
	    $xfwdopts.= 'K';
	} else {
	    quit("unknown option \`$_'");
	}
    }
}

# Variables \$[lr]a?p?(|s|d|r)
# Local/Remote  Address&/Port
#    actualvalue/Specified/Displaypassdown/fromRemote/passtoForwarder
#
($las,$lps)= eat_addr_port('Print|Any');
$la= conv_host_addr($las);
$lp= conv_port_number($lps);
$ls= pack_sockaddr_in $lp,$la;

($ras,$rps)= eat_addr_port('Wait|Command');
$ra= conv_host_addr($ras);
$rp= conv_port_number($rps);
$rs= pack_sockaddr_in $rp,$ra;

$_= shift @ARGV;
m/^([.0-9]+),([.0-9]+),(\d+),(slip|cslip)$/
    or quit("lvaddr,rvaddr,mtu,proto missing or bad syntax or proto not [c]slip");
($lva,$rva,$mtu,$proto) = ($1,$2,$3,$4);

$_= shift @ARGV;
m/^(\d+),(\d+)$/ or quit("keepalive,timeout missing or bad syntax");
($keepalive,$timeout)= ($1,$2);
$keepalive && ($timeout > $keepalive*2) or quit("timeout must be < 2*keepalive")
    if $timeout;

# Variables \$[lr]exn
# Local/Remote Extra Nets
$lexn= shift @ARGV;
$rexn= shift @ARGV;

defined($udp= getprotobyname('udp')) or fail("getprotobyname udp");

socket(L,PF_INET,SOCK_DGRAM,$udp) or fail("socket");
bind(L,$ls) or quit("bind failed: $!");
defined($ls= getsockname(L)) or fail("getsockname");
$lad= show_addr($ls);
$lpd= show_port($ls);
$lapd= "$lad,$lpd";

print "$lapd\n" or fail("print addr/port") if ($las eq 'Print' || $lps eq 'Print');

$rapcmd= ($ras eq 'Command' || $rps eq 'Command');
quit("need remote-command if Command for remote addr/port") if $rapcmd && !@ARGV;

sub xform_remote ($$) {
    my ($showed,$spec) = @_;
    return 'Print' if $spec eq 'Command';
    return 'Any' if $spec eq 'Wait';
    return $showed;
}

if (@ARGV) {
    warning("-d specified with remote command, ignoring") if $dump;
    $dump= 1;
    
    $rad= xform_remote(show_addr($rs),$ras);
    $rpd= xform_remote(show_port($rs),$rps);
    @rcmd= (@ARGV,
	    @encrargs,
	    "$rad,$rpd",
	    $masq ? 'Wait,Wait' : $lapd,
	    "$rva,$lva,$mtu,$proto",
	    "$keepalive,$timeout",
	    $rexn, $lexn);
    debug("remote command @rcmd");

    if ($rapcmd) {
	pipe(RAPREAD,RCMDREADSUB) or fail("pipe");
	select(RCMDREADSUB); $|=1; select(STDOUT);
    }
    pipe(DUMPKEYS,RCMDWRITESUB) or fail("pipe");
    defined($c_rcmd= fork) or fail("fork for remote");
    if (!$c_rcmd) {
	open STDIN, ">&RCMDWRITESUB" or fail("reopen stdin for remote command");
	open STDOUT, ">&RCMDREADSUB" or fail("reopen stdout for remote command")
	    if $rapcmd;
	close RAPREAD if $rapcmd;
	close DUMPKEYS;
	close RCMDWRITESUB;
	close RCMDREADSUB;
	close L;
	exec @rcmd; fail("failed to execute remote command $rcmd[0]");
    }
    close RCMDWRITESUB;
    
    if ($rapcmd) {
	close RCMDREADSUB if $rapcmd;
	$!=0; $_= <RAPREAD>; $e="$!";

	defined($c_catremdebug= fork) or fail("fork for cat remote debug");
	if (!$c_catremdebug) {
	    open(STDIN,"<&RAPREAD") or fail("redirect remote debug");
	    close RAPREAD;
	    close DUMPKEYS;
	    close L;
	    exec "cat"; fail("execute cat");
	}
	close RAPREAD;
	
	if (!length) {
	    close DUMPKEYS;
	    waitpid $c_rcmd,0 or fail("wait for remote command");
	    quit($? ? "remote command failed (code $?)" :
		 $e ? "read error from remote command: $e" :
		 "no details received from remote");
	}
	chomp;
	m/^([.0-9]+)\,(\d+)$/ or quit("invalid details from remote end: \`$_'");
	($rar,$rpr) = ($1,$2);
	$ra= conv_host_addr($rar);
	$rp= conv_port_number($rpr);
    }
} elsif ($dump) {
    open DUMPKEYS, ">&STDOUT" or fail("reopen stdout for key material");
    $dump= 1;
} else {
    open DUMPKEYS, "<&STDIN" or fail("reopen stdout for key material");
}

$rs= pack_sockaddr_in $rp,$ra;

if ($ras eq 'Wait' || $rps eq 'Wait') {
    @rapf= ('');
    $rapd= ('Wait,Wait');
} else {
    @rapf= (show_addr($rs), show_port($rs));
    $rapd= show_addr_port($rs);
}
@lcmd= qw(userv root ipif) unless @lcmd;

debug("using remote $rapd local $lapd");
push @lcmd, ("$lva,$rva,$mtu,$proto",$lexn);
debug("local command @lcmd.");

pipe(UR,UW) or fail("up pipe");
pipe(DR,DW) or fail("down pipe");

defined($c_lcmd= fork) or fail("fork for local command");
if (!$c_lcmd) {
    close UR; close DW;
    open(STDIN,"<&DR") or fail("reopen stdin for packets");
    open(STDOUT,">&UW") or fail("reopen stdout for packets");
    exec @lcmd;
    quit("cannot execute $lcmd[0]: $!");
}
close UW;
close DR;

$xfwdopts.= 'w' if $dump;

@fcmd= ($fcmd, $xfwdopts,
	fileno(L), fileno(DW), fileno(UR), fileno(DUMPKEYS),
	$mtu, $keepalive, $timeout,
	@rapf,
	@encryption);
debug("forwarding command @fcmd.");

defined($c_fwd= fork) or fail("fork for udptunnel-forwarder");
if (!$c_fwd) {
    foreach $fd (qw(L DW UR)) {
	fcntl($fd, F_SETFD, 0) or fail("set no-close-on-exec $fd");
    }
    exec @fcmd; fail("cannot execute $fcmd[0]");
}

close L;
close DUMPKEYS;
close UR;
close DW;

%procs= ($c_fwd, 'forwarder',
	 $c_lcmd, 'local command');
$procs{$c_rcmd}= 'remote command' if $c_rcmd;
$procs{$c_catremdebug}= 'debug cat' if $c_catremdebug;

$estatus= 0;

while (keys %procs) {
    ($c= wait) >0 or
	fail("wait failed (expecting ". join('; ',keys %procs). ")");
    warning("unexpected child reaped: pid $c, code $?"), next
	unless exists $procs{$c};
    $str= $procs{$c};
    delete $procs{$c};
    $? ? warning("subprocess $str failed with code $?")
	: debug("subprocess $str finished");
    if ($c==$c_lcmd || $c==$c_fwd || $c==$c_rcmd) {
	kill 15, grep (exists $procs{$_}, $c_fwd, $c_rcmd);
    }
    $estatus=1 unless $c == $c_catremdebug;
}

debug("all processes terminated, exiting with status $estatus");

exit $estatus;
Commit	Line	Data
46ab1c83	1	#!/usr/bin/perl
	2	# Simple tunnel for userv-ipif tunnels.
	3	#
	4	# usage:
	5	# udptunnel
84f87e82	6	# [ -l[<local-command/arg>] ... .
62ccb81a	7	# \| -e <encryption-mech>[/<encryption-parameter>...]
	8	# \| -m (`masquerade support': subcommand gets `Wait' instead of our addr/port)
	9	# \| -d (`dump keys': when no subcmd, spew keys rather than reading them;
	10	# we always send keys to our subcmd if there is one)
d31674ca	11	# \| -Dcrypto (debug crypto - use with care, prints keys, packets &c on screen!)
62ccb81a	12	# \| -f<path-to-udptunnel-forwarder>
84f87e82	13	# ...
	14	# ]
	15	# <public-local-addr>,<public-local-port>
	16	# <public-remote-addr>,<public-remote-port>
46ab1c83	17	# <private-local-addr>,<private-remote-addr>,<mtu>,<proto>
	18	# <keepalive>,<timeout>
	19	# <extra-local-nets> <extra-remote-nets>
	20	# [ <remote-command> [<remote-args> ...] ]
	21	#
62ccb81a	22	# proto may be slip or cslip
84f87e82	23	#
62ccb81a	24	# Any <..-addr> may also be hostname
84f87e82	25	#
62ccb81a	26	# Local addr's and ports may also be:
	27	# `Print' choose one ourselves and print both port and addr
	28	# `Any' choose one ourselves and do not print it
	29	# Remote addr's and ports may also be:
	30	# `Wait' wait to receive a packet before assigning address
	31	# `Command' run a subcommand and wait for it to tell us the values
	32	# When any addr or port is `Command' then <remote-command> must be specified.
46ab1c83	33	#
62ccb81a	34	# If <remote-command> is specified it should run udptunnel at the
46ab1c83	35	# remote end; it will be invoked as
62ccb81a	36	# <remote-command> [ <-e arguments passed along> ]
	37	# <public-remote-addr'>,<public-remote-port'>
	38	# <public-local-addr'>,<public-local-port'>
46ab1c83	39	# <private-remote-addr>,<private-local-addr>,<mtu>,<proto>
217afbe6	40	# <keepalive>,<timeout>
217afbe6	41	# <extra-remote-nets> <extra-local-nets>
46ab1c83	42	#
62ccb81a	43
	44	# If it was given Print for <public-remote-foo'>, this command's first
	45	# stdout output should be the real
	46	# <public-remote-addr>,<public-remote-port> pair (and of course this
	47	# udptunnel's output will be). It may then produce more stdout which,
	48	# if any, will be forwarded to the local end's stdout as debugging info.
	49	#
	50	# After this, if any encryption was specified, the encryption
	51	# parameters will be fed into its stdin. See the documentation in the
	52	# mech-*.c files for details of the parameters. udptunnel will
	53	# arrange to feed the keys fd of udptunnel-forwarder into the stdin of
	54	# the remote command.
	55	#
	56	# <public-remote-foo'> is as follows:
	57	# <public-remote-foo> <public-remote-foo'>
	58	# actual addr/port that addr/port
	59	# `Command' `Print'
	60	# `Wait' `Any'
	61	#
	62	# <public-local-foo'> is as follows:
	63	# <public-local-foo> <public-local-foo'> <public-local-foo'>
	64	# (-m not specified) (-m specified)
	65	# actual addr/port that addr/port `Wait'
	66	# `Wait' the chosen address `Wait'
	67	# `Print' the chosen address `Wait'
	68	#
46ab1c83	69	# udptunnel will userv ipif locally, as
217afbe6	70	# userv root ipif <private-local-addr>,<private-remote-addr>,<mtu>,<proto>
217afbe6	71	# <extra-local-nets>
62ccb81a	72	# or, if -l was given, userv root ipif is replaced with the argument(s)
	73	# following -l option(s) until `.'.
	74	#
	75	# udptunnel will also run udptunnel-forwarder with appropriate options
	76	#
	77	# recommended encryption parameters are:
	78	# -e nonce (prepend 32 bit counter)
	79	# -e timestamp/<max-skew>/<max-age> (prepend 32 bit time_t, and check on receipt)
	80	# -e pkcs5/8 (pad as per PKCS#5 to 8-byte boundary)
	81	# -e blowfish-cbcmac/128 (prepend CBC MAC with random IV and 128 bit key)
	82	# -e blowfish-cbc/128 (encrypt with CBC, random IV and 128 bit key)
	83	# where <max-skew> is perhaps 10 and <max-age> perhaps 30.
46ab1c83	84
62ccb81a	85	# Copyright (C) 1999-2000 Ian Jackson
12ecfeab	86	#
	87	# This is free software; you can redistribute it and/or modify it
	88	# under the terms of the GNU General Public License as published by
	89	# the Free Software Foundation; either version 2 of the License, or
	90	# (at your option) any later version.
	91	#
	92	# This program is distributed in the hope that it will be useful, but
	93	# WITHOUT ANY WARRANTY; without even the implied warranty of
	94	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	95	# General Public License for more details.
	96	#
	97	# You should have received a copy of the GNU General Public License
	98	# along with userv-utils; if not, write to the Free Software
	99	# Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	100	#
d31674ca	101	# $Id: udptunnel,v 1.12 2000/05/30 23:06:46 ian Exp $
12ecfeab	102
46ab1c83	103	use Socket;
	104	use POSIX;
	105	use Fcntl;
	106
	107	$progname= $0; $progname =~ s,.*/,,;
	108	$\|=1;
	109
	110	chomp($hostname= `uname -n`);
	111	$? and die "$progname: cannot get hostname (uname failed with code $?)\n";
	112
	113	sub quit ($) { die "$progname - $hostname: fatal error: $_[0]\n"; }
	114	sub debug ($) { print "$progname - $hostname: debug: $_[0]\n"; }
62ccb81a	115	sub fail ($) { quit("unexpected system call failure: $_[0]: $!"); }
46ab1c83	116	sub warning ($) { warn "$progname - $hostname: $_[0]\n"; }
	117
	118	sub eat_addr_port ($) {
	119	my ($x) = @_;
84f87e82	120	@ARGV or quit("<addr>,<port> missing");
46ab1c83	121	$_= shift(@ARGV);
62ccb81a	122	(m/^$x,/i && m/^[a-z]/ \|\| m/,$x$/i && m/,[a-z]/)
	123	and warning("$_: use Mixed Case for special values");
	124	m/^([0-9a-z][0-9a-z-+.]+\|$x)\,(\d+\|$x)$/
	125	or quit("$_: <host/addr>,<port> bad syntax".
	126	(m/[A-Z]/ ? ' (use lowercase for hostnames)' : ''));
46ab1c83	127	return ($1,$2);
	128	}
	129	sub conv_host_addr ($) {
62ccb81a	130	my ($s,$r,@h) = @_;
	131	return INADDR_ANY() if $s =~ m/^[A-Z][a-z]/;
	132	return $r if defined($r= inet_aton($s));
	133	@h= gethostbyname($s) or quit("$s: cannot get address");
	134	$h[2] eq &AF_INET or quit("$s: address is not IPv4");
	135	@h < 5 or quit("$s: name maps to no addresses");
	136	$r= $h[4];
	137	@h == 5 or warning("$s: name has several addresses, using ".inet_ntoa($r));
46ab1c83	138	return $r;
46ab1c83	139	}
217afbe6	140	sub conv_port_number ($) {
46ab1c83	141	my ($s,$r) = @_;
62ccb81a	142	return 0 if $s =~ m/^[A-Z][a-z]/;
	143	$r= $s+0;
	144	$r>0 && $r<65536 or quit("$s: port out of range");
46ab1c83	145	return $r;
46ab1c83	146	}
62ccb81a	147	sub show_addr ($) {
	148	my ($s,@s) = @_;
	149	@s= unpack_sockaddr_in($s);
	150	return inet_ntoa($s[1]);
	151	}
	152	sub show_port ($) {
46ab1c83	153	my ($s,@s) = @_;
46ab1c83	154	@s= unpack_sockaddr_in($s);
62ccb81a	155	return $s[0];
	156	}
	157	sub show_addr_port ($) {
	158	my ($s) = @_;
	159	return show_addr($s).','.show_port($s);
46ab1c83	160	}
62ccb81a	161	sub arg_value ($$) {
	162	my ($val,$opt);
	163	$_= '-';
	164	return $val if length $val;
	165	@ARGV or quit("$opt needs value");
	166	return shift @ARGV;
	167	}
	168
	169	$\|=1;
46ab1c83	170
abe75cda	171	@lcmd= ();
62ccb81a	172	@encryption= ();
	173	$masq= 0;
	174	$dump= 0;
	175	$fcmd= 'udptunnel-forwarder';
d31674ca	176	$xfwdopts= '';
abe75cda	177
	178	while ($ARGV[0] =~ m/^-/) {
	179	$_= shift @ARGV;
62ccb81a	180	last if m/^--?$/;
	181	while (!m/^-$/) {
	182	if (s/^-l//) {
	183	push @lcmd,$_ if length;
	184	while (@ARGV && ($_= shift @ARGV) ne '.') { push @lcmd, $_; }
	185	$_= '-'
	186	} elsif (s/^-f//) {
	187	$fcmd= arg_value($_,'-f');
	188	} elsif (s/^-e//) {
	189	$encrarg= arg_value($_,'-e');
	190	push @encrargs, "-e$encrarg";
	191	push @encryption, split m#/#, $encrarg;
	192	} elsif (s/^-m/-/) {
	193	$masq= 1;
	194	} elsif (s/^-d/-/) {
	195	$dump= 1;
d31674ca	196	} elsif (s/^-Dcrypto$/-/) {
d31674ca	197	$xfwdopts.= 'K';
62ccb81a	198	} else {
	199	quit("unknown option \`$_'");
	200	}
abe75cda	201	}
	202	}
	203
62ccb81a	204	# Variables \$[lr]a?p?(\|s\|d\|r)
	205	# Local/Remote Address&/Port
	206	# actualvalue/Specified/Displaypassdown/fromRemote/passtoForwarder
	207	#
	208	($las,$lps)= eat_addr_port('Print\|Any');
46ab1c83	209	$la= conv_host_addr($las);
	210	$lp= conv_port_number($lps);
	211	$ls= pack_sockaddr_in $lp,$la;
	212
62ccb81a	213	($ras,$rps)= eat_addr_port('Wait\|Command');
62ccb81a	214	$ra= conv_host_addr($ras);
46ab1c83	215	$rp= conv_port_number($rps);
62ccb81a	216	$rs= pack_sockaddr_in $rp,$ra;
46ab1c83	217
	218	$_= shift @ARGV;
	219	m/^([.0-9]+),([.0-9]+),(\d+),(slip\|cslip)$/
	220	or quit("lvaddr,rvaddr,mtu,proto missing or bad syntax or proto not [c]slip");
217afbe6	221	($lva,$rva,$mtu,$proto) = ($1,$2,$3,$4);
46ab1c83	222
46ab1c83	223	$_= shift @ARGV;
217afbe6	224	m/^(\d+),(\d+)$/ or quit("keepalive,timeout missing or bad syntax");
217afbe6	225	($keepalive,$timeout)= ($1,$2);
46ab1c83	226	$keepalive && ($timeout > $keepalive2) or quit("timeout must be < 2keepalive")
	227	if $timeout;
	228
62ccb81a	229	# Variables \$[lr]exn
	230	# Local/Remote Extra Nets
	231	$lexn= shift @ARGV;
	232	$rexn= shift @ARGV;
46ab1c83	233
	234	defined($udp= getprotobyname('udp')) or fail("getprotobyname udp");
	235
	236	socket(L,PF_INET,SOCK_DGRAM,$udp) or fail("socket");
	237	bind(L,$ls) or quit("bind failed: $!");
	238	defined($ls= getsockname(L)) or fail("getsockname");
62ccb81a	239	$lad= show_addr($ls);
	240	$lpd= show_port($ls);
	241	$lapd= "$lad,$lpd";
	242
	243	print "$lapd\n" or fail("print addr/port") if ($las eq 'Print' \|\| $lps eq 'Print');
46ab1c83	244
62ccb81a	245	$rapcmd= ($ras eq 'Command' \|\| $rps eq 'Command');
	246	quit("need remote-command if Command for remote addr/port") if $rapcmd && !@ARGV;
	247
	248	sub xform_remote ($$) {
	249	my ($showed,$spec) = @_;
	250	return 'Print' if $spec eq 'Command';
	251	return 'Any' if $spec eq 'Wait';
	252	return $showed;
	253	}
	254
	255	if (@ARGV) {
	256	warning("-d specified with remote command, ignoring") if $dump;
	257	$dump= 1;
	258
	259	$rad= xform_remote(show_addr($rs),$ras);
	260	$rpd= xform_remote(show_port($rs),$rps);
	261	@rcmd= (@ARGV,
	262	@encrargs,
	263	"$rad,$rpd",
	264	$masq ? 'Wait,Wait' : $lapd,
	265	"$rva,$lva,$mtu,$proto",
	266	"$keepalive,$timeout",
	267	$rexn, $lexn);
217afbe6	268	debug("remote command @rcmd");
62ccb81a	269
	270	if ($rapcmd) {
	271	pipe(RAPREAD,RCMDREADSUB) or fail("pipe");
	272	select(RCMDREADSUB); $\|=1; select(STDOUT);
46ab1c83	273	}
62ccb81a	274	pipe(DUMPKEYS,RCMDWRITESUB) or fail("pipe");
	275	defined($c_rcmd= fork) or fail("fork for remote");
	276	if (!$c_rcmd) {
	277	open STDIN, ">&RCMDWRITESUB" or fail("reopen stdin for remote command");
	278	open STDOUT, ">&RCMDREADSUB" or fail("reopen stdout for remote command")
	279	if $rapcmd;
	280	close RAPREAD if $rapcmd;
	281	close DUMPKEYS;
	282	close RCMDWRITESUB;
	283	close RCMDREADSUB;
	284	close L;
	285	exec @rcmd; fail("failed to execute remote command $rcmd[0]");
46ab1c83	286	}
62ccb81a	287	close RCMDWRITESUB;
	288
	289	if ($rapcmd) {
	290	close RCMDREADSUB if $rapcmd;
	291	$!=0; $_= <RAPREAD>; $e="$!";
	292
	293	defined($c_catremdebug= fork) or fail("fork for cat remote debug");
	294	if (!$c_catremdebug) {
	295	open(STDIN,"<&RAPREAD") or fail("redirect remote debug");
	296	close RAPREAD;
	297	close DUMPKEYS;
	298	close L;
	299	exec "cat"; fail("execute cat");
	300	}
	301	close RAPREAD;
	302
	303	if (!length) {
	304	close DUMPKEYS;
	305	waitpid $c_rcmd,0 or fail("wait for remote command");
	306	quit($? ? "remote command failed (code $?)" :
	307	$e ? "read error from remote command: $e" :
	308	"no details received from remote");
	309	}
	310	chomp;
	311	m/^([.0-9]+)\,(\d+)$/ or quit("invalid details from remote end: \`$_'");
	312	($rar,$rpr) = ($1,$2);
	313	$ra= conv_host_addr($rar);
	314	$rp= conv_port_number($rpr);
46ab1c83	315	}
62ccb81a	316	} elsif ($dump) {
	317	open DUMPKEYS, ">&STDOUT" or fail("reopen stdout for key material");
	318	$dump= 1;
46ab1c83	319	} else {
62ccb81a	320	open DUMPKEYS, "<&STDIN" or fail("reopen stdout for key material");
46ab1c83	321	}
	322
	323	$rs= pack_sockaddr_in $rp,$ra;
46ab1c83	324
62ccb81a	325	if ($ras eq 'Wait' \|\| $rps eq 'Wait') {
	326	@rapf= ('');
	327	$rapd= ('Wait,Wait');
	328	} else {
	329	@rapf= (show_addr($rs), show_port($rs));
	330	$rapd= show_addr_port($rs);
	331	}
abe75cda	332	@lcmd= qw(userv root ipif) unless @lcmd;
abe75cda	333
62ccb81a	334	debug("using remote $rapd local $lapd");
	335	push @lcmd, ("$lva,$rva,$mtu,$proto",$lexn);
	336	debug("local command @lcmd.");
46ab1c83	337
	338	pipe(UR,UW) or fail("up pipe");
	339	pipe(DR,DW) or fail("down pipe");
	340
62ccb81a	341	defined($c_lcmd= fork) or fail("fork for local command");
62ccb81a	342	if (!$c_lcmd) {
46ab1c83	343	close UR; close DW;
217afbe6	344	open(STDIN,"<&DR") or fail("reopen stdin for packets");
217afbe6	345	open(STDOUT,">&UW") or fail("reopen stdout for packets");
abe75cda	346	exec @lcmd;
abe75cda	347	quit("cannot execute $lcmd[0]: $!");
46ab1c83	348	}
	349	close UW;
	350	close DR;
	351
d31674ca	352	$xfwdopts.= 'w' if $dump;
	353
	354	@fcmd= ($fcmd, $xfwdopts,
	355	fileno(L), fileno(DW), fileno(UR), fileno(DUMPKEYS),
62ccb81a	356	$mtu, $keepalive, $timeout,
62ccb81a	357	@rapf,
62ccb81a	358	@encryption);
62ccb81a	359	debug("forwarding command @fcmd.");
46ab1c83	360
62ccb81a	361	defined($c_fwd= fork) or fail("fork for udptunnel-forwarder");
	362	if (!$c_fwd) {
	363	foreach $fd (qw(L DW UR)) {
	364	fcntl($fd, F_SETFD, 0) or fail("set no-close-on-exec $fd");
	365	}
	366	exec @fcmd; fail("cannot execute $fcmd[0]");
46ab1c83	367	}
46ab1c83	368
62ccb81a	369	close L;
	370	close DUMPKEYS;
	371	close UR;
	372	close DW;
46ab1c83	373
62ccb81a	374	%procs= ($c_fwd, 'forwarder',
	375	$c_lcmd, 'local command');
	376	$procs{$c_rcmd}= 'remote command' if $c_rcmd;
	377	$procs{$c_catremdebug}= 'debug cat' if $c_catremdebug;
46ab1c83	378
62ccb81a	379	$estatus= 0;
217afbe6	380
62ccb81a	381	while (keys %procs) {
	382	($c= wait) >0 or
	383	fail("wait failed (expecting ". join('; ',keys %procs). ")");
	384	warning("unexpected child reaped: pid $c, code $?"), next
	385	unless exists $procs{$c};
	386	$str= $procs{$c};
	387	delete $procs{$c};
	388	$? ? warning("subprocess $str failed with code $?")
	389	: debug("subprocess $str finished");
	390	if ($c==$c_lcmd \|\| $c==$c_fwd \|\| $c==$c_rcmd) {
	391	kill 15, grep (exists $procs{$_}, $c_fwd, $c_rcmd);
46ab1c83	392	}
62ccb81a	393	$estatus=1 unless $c == $c_catremdebug;
46ab1c83	394	}
62ccb81a	395
	396	debug("all processes terminated, exiting with status $estatus");
	397
	398	exit $estatus;