Support translating ICMP errors.
When receiving ICMPv6 messages from IPv6-only nodes, use
255.0.0.<ttl> as a fake IPv4 source address. It's better than
nothing.
Bug: 8276725
Change-Id: Iae93f75764cb9cd875af9bb5f1862a0dce2c2fa7
diff --git a/Android.mk b/Android.mk
index 2d1b3a6..42cc168 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1,7 +1,7 @@
LOCAL_PATH:= $(call my-dir)
include $(CLEAR_VARS)
-LOCAL_SRC_FILES:=clatd.c dump.c checksum.c translate.c ipv4.c ipv6.c config.c dns64.c logging.c getaddr.c getroute.c netlink_callbacks.c netlink_msg.c setif.c setroute.c mtu.c
+LOCAL_SRC_FILES:=clatd.c dump.c checksum.c translate.c icmp.c ipv4.c ipv6.c config.c dns64.c logging.c getaddr.c getroute.c netlink_callbacks.c netlink_msg.c setif.c setroute.c mtu.c
LOCAL_C_INCLUDES := external/libnl-headers
LOCAL_STATIC_LIBRARIES := libnl_2
diff --git a/clatd.c b/clatd.c
index a914f02..063026d 100644
--- a/clatd.c
+++ b/clatd.c
@@ -317,12 +317,16 @@
struct tun_pi tun_targ;
char iphdr[sizeof(struct ip6_hdr)];
char transporthdr[MAX_TCP_HDR];
+ char icmp_iphdr[sizeof(struct ip6_hdr)];
+ char icmp_transporthdr[MAX_TCP_HDR];
// iovec of the packets we'll send. This gets passed down to the translation functions.
clat_packet out = {
{ &tun_targ, sizeof(tun_targ) }, // Tunnel header.
{ iphdr, 0 }, // IP header.
{ transporthdr, 0 }, // Transport layer header.
+ { icmp_iphdr, 0 }, // ICMP error inner IP header.
+ { icmp_transporthdr, 0 }, // ICMP error transport layer header.
{ NULL, 0 }, // Payload. No buffer, it's a pointer to the original payload.
};
diff --git a/icmp.c b/icmp.c
new file mode 100644
index 0000000..af96b83
--- /dev/null
+++ b/icmp.c
@@ -0,0 +1,181 @@
+/*
+ * Copyright (C) 2013 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * icmp.c - convenience functions for translating ICMP and ICMPv6 packets.
+ */
+
+#include <netinet/in.h>
+#include <netinet/ip_icmp.h>
+#include <netinet/icmp6.h>
+#include <linux/icmp.h>
+
+#include "logging.h"
+#include "icmp.h"
+
+/* function: icmp_guess_ttl
+ * Guesses the number of hops a received packet has traversed based on its TTL.
+ * ttl - the ttl of the received packet.
+ */
+uint8_t icmp_guess_ttl(uint8_t ttl) {
+ if (ttl > 128) {
+ return 255 - ttl;
+ } else if (ttl > 64) {
+ return 128 - ttl;
+ } else if (ttl > 32) {
+ return 64 - ttl;
+ } else {
+ return 32 - ttl;
+ }
+}
+
+/* function: is_icmp_error
+ * Determines whether an ICMP type is an error message.
+ * type: the ICMP type
+ */
+int is_icmp_error(uint8_t type) {
+ return type == 3 || type == 11 || type == 12;
+}
+
+/* function: is_icmp6_error
+ * Determines whether an ICMPv6 type is an error message.
+ * type: the ICMPv6 type
+ */
+int is_icmp6_error(uint8_t type) {
+ return type < 128;
+}
+
+/* function: icmp_to_icmp6_type
+ * Maps ICMP types to ICMPv6 types. Partial implementation of RFC 6145, section 4.2.
+ * type - the ICMPv6 type
+ */
+uint8_t icmp_to_icmp6_type(uint8_t type, uint8_t code) {
+ switch (type) {
+ case ICMP_ECHO:
+ return ICMP6_ECHO_REQUEST;
+
+ case ICMP_ECHOREPLY:
+ return ICMP6_ECHO_REPLY;
+
+ case ICMP_TIME_EXCEEDED:
+ return ICMP6_TIME_EXCEEDED;
+
+ case ICMP_DEST_UNREACH:
+ // These two types need special translation which we don't support yet.
+ if (code != ICMP_UNREACH_PROTOCOL && code != ICMP_UNREACH_NEEDFRAG) {
+ return ICMP6_DST_UNREACH;
+ }
+ }
+
+ // We don't understand this ICMP type. Return parameter problem so the caller will bail out.
+ logmsg_dbg(ANDROID_LOG_DEBUG, "icmp_to_icmp6_type: unhandled ICMP type %d", type);
+ return ICMP6_PARAM_PROB;
+}
+
+/* function: icmp_to_icmp6_code
+ * Maps ICMP codes to ICMPv6 codes. Partial implementation of RFC 6145, section 4.2.
+ * type - the ICMP type
+ * code - the ICMP code
+ */
+uint8_t icmp_to_icmp6_code(uint8_t type, uint8_t code) {
+ switch (type) {
+ case ICMP_ECHO:
+ case ICMP_ECHOREPLY:
+ return 0;
+
+ case ICMP_TIME_EXCEEDED:
+ return code;
+
+ case ICMP_DEST_UNREACH:
+ switch (code) {
+ case ICMP_UNREACH_NET:
+ case ICMP_UNREACH_HOST:
+ return ICMP6_DST_UNREACH_NOROUTE;
+
+ case ICMP_UNREACH_PORT:
+ return ICMP6_DST_UNREACH_NOPORT;
+
+ case ICMP_UNREACH_NET_PROHIB:
+ case ICMP_UNREACH_HOST_PROHIB:
+ case ICMP_UNREACH_FILTER_PROHIB:
+ case ICMP_UNREACH_PRECEDENCE_CUTOFF:
+ return ICMP6_DST_UNREACH_ADMIN;
+
+ // Otherwise, we don't understand this ICMP type/code combination. Fall through.
+ }
+ }
+ logmsg_dbg(ANDROID_LOG_DEBUG, "icmp_to_icmp6_code: unhandled ICMP type/code %d/%d", type, code);
+ return 0;
+}
+
+/* function: icmp6_to_icmp_type
+ * Maps ICMPv6 types to ICMP types. Partial implementation of RFC 6145, section 5.2.
+ * type - the ICMP type
+ */
+uint8_t icmp6_to_icmp_type(uint8_t type, uint8_t code) {
+ switch (type) {
+ case ICMP6_ECHO_REQUEST:
+ return ICMP_ECHO;
+
+ case ICMP6_ECHO_REPLY:
+ return ICMP_ECHOREPLY;
+
+ case ICMP6_DST_UNREACH:
+ return ICMP_DEST_UNREACH;
+
+ case ICMP6_TIME_EXCEEDED:
+ return ICMP_TIME_EXCEEDED;
+ }
+
+ // We don't understand this ICMP type. Return parameter problem so the caller will bail out.
+ logmsg_dbg(ANDROID_LOG_DEBUG, "icmp6_to_icmp_type: unhandled ICMP type %d", type);
+ return ICMP_PARAMETERPROB;
+}
+
+/* function: icmp6_to_icmp_code
+ * Maps ICMPv6 codes to ICMP codes. Partial implementation of RFC 6145, section 5.2.
+ * type - the ICMPv6 type
+ * code - the ICMPv6 code
+ */
+uint8_t icmp6_to_icmp_code(uint8_t type, uint8_t code) {
+ switch (type) {
+ case ICMP6_ECHO_REQUEST:
+ case ICMP6_ECHO_REPLY:
+ case ICMP6_TIME_EXCEEDED:
+ return code;
+
+ case ICMP6_DST_UNREACH:
+ switch (code) {
+ case ICMP6_DST_UNREACH_NOROUTE:
+ return ICMP_UNREACH_HOST;
+
+ case ICMP6_DST_UNREACH_ADMIN:
+ return ICMP_UNREACH_HOST_PROHIB;
+
+ case ICMP6_DST_UNREACH_BEYONDSCOPE:
+ return ICMP_UNREACH_HOST;
+
+ case ICMP6_DST_UNREACH_ADDR:
+ return ICMP_HOST_UNREACH;
+
+ case ICMP6_DST_UNREACH_NOPORT:
+ return ICMP_UNREACH_PORT;
+
+ // Otherwise, we don't understand this ICMPv6 type/code combination. Fall through.
+ }
+ }
+
+ logmsg_dbg(ANDROID_LOG_DEBUG, "icmp6_to_icmp_code: unhandled ICMP type/code %d/%d", type, code);
+ return 0;
+}
diff --git a/icmp.h b/icmp.h
new file mode 100644
index 0000000..632e92d
--- /dev/null
+++ b/icmp.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2013 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * icmp.c - convenience functions for translating ICMP and ICMPv6 packets.
+ */
+
+#ifndef __ICMP_H__
+#define __ICMP_H__
+
+#include <stdint.h>
+
+// Guesses the number of hops a received packet has traversed based on its TTL.
+uint8_t icmp_guess_ttl(uint8_t ttl);
+
+// Determines whether an ICMP type is an error message.
+int is_icmp_error(uint8_t type);
+
+// Determines whether an ICMPv6 type is an error message.
+int is_icmp6_error(uint8_t type);
+
+// Maps ICMP types to ICMPv6 types. Partial implementation of RFC 6145, section 4.2.
+uint8_t icmp_to_icmp6_type(uint8_t type, uint8_t code);
+
+// Maps ICMP codes to ICMPv6 codes. Partial implementation of RFC 6145, section 4.2.
+uint8_t icmp_to_icmp6_code(uint8_t type, uint8_t code);
+
+// Maps ICMPv6 types to ICMP types. Partial implementation of RFC 6145, section 5.2.
+uint8_t icmp6_to_icmp_type(uint8_t type, uint8_t code);
+
+// Maps ICMPv6 codes to ICMP codes. Partial implementation of RFC 6145, section 5.2.
+uint8_t icmp6_to_icmp_code(uint8_t type, uint8_t code);
+
+#endif /* __ICMP_H__ */
diff --git a/ipv6.c b/ipv6.c
index bb1dc24..ef1e62f 100644
--- a/ipv6.c
+++ b/ipv6.c
@@ -64,12 +64,14 @@
* fmt - printf-style format, use %s to place the address
* badaddr - the bad address in question
*/
-void log_bad_address(const char *fmt, const struct in6_addr *badaddr) {
+void log_bad_address(const char *fmt, const struct in6_addr *src, const struct in6_addr *dst) {
#if CLAT_DEBUG
- char badaddr_str[INET6_ADDRSTRLEN];
+ char srcstr[INET6_ADDRSTRLEN];
+ char dststr[INET6_ADDRSTRLEN];
- inet_ntop(AF_INET6, badaddr, badaddr_str, sizeof(badaddr_str));
- logmsg_dbg(ANDROID_LOG_ERROR,fmt,badaddr_str);
+ inet_ntop(AF_INET6, src, srcstr, sizeof(srcstr));
+ inet_ntop(AF_INET6, dst, dststr, sizeof(dststr));
+ logmsg_dbg(ANDROID_LOG_ERROR, fmt, srcstr, dststr);
#endif
}
@@ -91,22 +93,27 @@
int i;
if(len < sizeof(struct ip6_hdr)) {
- logmsg_dbg(ANDROID_LOG_ERROR, "ipv6_packet/too short for an ip6 header");
+ logmsg_dbg(ANDROID_LOG_ERROR, "ipv6_packet/too short for an ip6 header: %d", len);
return 0;
}
if(IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
- log_bad_address("ipv6_packet/multicast %s", &ip6->ip6_dst);
+ log_bad_address("ipv6_packet/multicast %s->%s", &ip6->ip6_src, &ip6->ip6_dst);
return 0; // silently ignore
}
- if (!is_in_plat_subnet(&ip6->ip6_src) && ip6->ip6_nxt) {
- log_bad_address("ipv6_packet/wrong source address: %s", &ip6->ip6_src);
- return 0;
- }
-
- if(!IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &Global_Clatd_Config.ipv6_local_subnet)) {
- log_bad_address("ipv6_packet/wrong destination address: %s", &ip6->ip6_dst);
+ // If the packet is not from the plat subnet to the local subnet, or vice versa, drop it, unless
+ // it's an ICMP packet (which can come from anywhere). We do not send IPv6 packets from the plat
+ // subnet to the local subnet, but these can appear as inner packets in ICMP errors, so we need
+ // to translate them. We accept third-party ICMPv6 errors, even though their source addresses
+ // cannot be translated, so that things like unreachables and traceroute will work. fill_ip_header
+ // takes care of faking a source address for them.
+ if (!(is_in_plat_subnet(&ip6->ip6_src) &&
+ IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &Global_Clatd_Config.ipv6_local_subnet)) &&
+ !(is_in_plat_subnet(&ip6->ip6_dst) &&
+ IN6_ARE_ADDR_EQUAL(&ip6->ip6_src, &Global_Clatd_Config.ipv6_local_subnet)) &&
+ ip6->ip6_nxt != IPPROTO_ICMPV6) {
+ log_bad_address("ipv6_packet/wrong source address: %s->%s", &ip6->ip6_src, &ip6->ip6_dst);
return 0;
}
@@ -141,7 +148,7 @@
len_left);
} else {
#if CLAT_DEBUG
- logmsg(ANDROID_LOG_ERROR, "ipv6_packet/unknown next header type: %x",ip6->ip6_nxt);
+ logmsg(ANDROID_LOG_ERROR, "ipv6_packet/unknown next header type: %x", ip6->ip6_nxt);
logcat_hexdump("ipv6/nxthdr", packet, len);
#endif
return 0;
diff --git a/translate.c b/translate.c
index 4092bcc..fc70f3d 100644
--- a/translate.c
+++ b/translate.c
@@ -26,6 +26,7 @@
#include <netinet/icmp6.h>
#include <linux/icmp.h>
+#include "icmp.h"
#include "translate.h"
#include "checksum.h"
#include "clatd.h"
@@ -53,7 +54,7 @@
/* function: packet_length
* returns the total length of all the packet components after pos
* packet - packet to calculate the length of
- * pos - position to start counting from
+ * pos - position to start counting after
* returns: the total length of the packet components after pos
*/
uint16_t packet_length(clat_packet packet, int pos) {
@@ -80,13 +81,15 @@
* returns: the IPv4 address
*/
uint32_t ipv6_addr_to_ipv4_addr(const struct in6_addr *addr6) {
-
if (is_in_plat_subnet(addr6)) {
// Assumes a /96 plat subnet.
return addr6->s6_addr32[3];
- } else {
- // Currently this can only be our own address; other packets are dropped by ipv6_packet.
+ } else if (IN6_ARE_ADDR_EQUAL(addr6, &Global_Clatd_Config.ipv6_local_subnet)) {
+ // Special-case our own address.
return Global_Clatd_Config.ipv4_local_subnet.s_addr;
+ } else {
+ // Third party packet. Let the caller deal with it.
+ return INADDR_NONE;
}
}
@@ -127,6 +130,7 @@
*/
void fill_ip_header(struct iphdr *ip, uint16_t payload_len, uint8_t protocol,
const struct ip6_hdr *old_header) {
+ int ttl_guess;
memset(ip, 0, sizeof(struct iphdr));
ip->ihl = 5;
@@ -141,6 +145,14 @@
ip->saddr = ipv6_addr_to_ipv4_addr(&old_header->ip6_src);
ip->daddr = ipv6_addr_to_ipv4_addr(&old_header->ip6_dst);
+
+ // Third-party ICMPv6 message. This may have been originated by an native IPv6 address.
+ // In that case, the source IPv6 address can't be translated and we need to make up an IPv4
+ // source address. For now, use 255.0.0.<ttl>, which at least looks useful in traceroute.
+ if (ip->saddr == (uint32_t) INADDR_NONE) {
+ ttl_guess = icmp_guess_ttl(old_header->ip6_hlim);
+ ip->saddr = htonl((0xff << 24) + ttl_guess);
+ }
}
/* function: fill_ip6_header
@@ -164,7 +176,7 @@
}
/* function: icmp_to_icmp6
- * translate ipv4 icmp to ipv6 icmp (only currently supports echo/echo reply)
+ * translate ipv4 icmp to ipv6 icmp
* out - output packet
* icmp - source packet icmp header
* checksum - pseudo-header checksum
@@ -175,31 +187,53 @@
int icmp_to_icmp6(clat_packet out, int pos, const struct icmphdr *icmp, uint32_t checksum,
const char *payload, size_t payload_size) {
struct icmp6_hdr *icmp6_targ = out[pos].iov_base;
- uint32_t checksum_temp;
-
- if((icmp->type != ICMP_ECHO) && (icmp->type != ICMP_ECHOREPLY)) {
- logmsg_dbg(ANDROID_LOG_WARN,"icmp_to_icmp6/unhandled icmp type: 0x%x", icmp->type);
- return 0;
- }
+ uint8_t icmp6_type;
+ int clat_packet_len;
memset(icmp6_targ, 0, sizeof(struct icmp6_hdr));
- icmp6_targ->icmp6_type = (icmp->type == ICMP_ECHO) ? ICMP6_ECHO_REQUEST : ICMP6_ECHO_REPLY;
- icmp6_targ->icmp6_code = 0;
- icmp6_targ->icmp6_id = icmp->un.echo.id;
- icmp6_targ->icmp6_seq = icmp->un.echo.sequence;
+
+ icmp6_type = icmp_to_icmp6_type(icmp->type, icmp->code);
+ icmp6_targ->icmp6_type = icmp6_type;
+ icmp6_targ->icmp6_code = icmp_to_icmp6_code(icmp->type, icmp->code);
out[pos].iov_len = sizeof(struct icmp6_hdr);
- out[CLAT_POS_PAYLOAD].iov_base = (char *) payload;
- out[CLAT_POS_PAYLOAD].iov_len = payload_size;
+
+ if (pos == CLAT_POS_TRANSPORTHDR &&
+ is_icmp_error(icmp->type) &&
+ icmp6_type != ICMP6_PARAM_PROB) {
+ // An ICMP error we understand, one level deep.
+ // Translate the nested packet (the one that caused the error).
+ clat_packet_len = ipv4_packet(out, pos + 1, payload, payload_size);
+
+ // The pseudo-header checksum was calculated on the transport length of the original IPv4
+ // packet that we were asked to translate. This transport length is 20 bytes smaller than it
+ // needs to be, because the ICMP error contains an IPv4 header, which we will be translating to
+ // an IPv6 header, which is 20 bytes longer. Fix it up here. This is simpler than the
+ // alternative, which is to always update the pseudo-header checksum in all UDP/TCP/ICMP
+ // translation functions (rather than pre-calculating it when translating the IPv4 header).
+ // We only need to do this for ICMP->ICMPv6, not ICMPv6->ICMP, because ICMP does not use the
+ // pseudo-header when calculating its checksum (as the IPv4 header has its own checksum).
+ checksum = htonl(ntohl(checksum) + 20);
+ } else if (icmp6_type == ICMP6_ECHO_REQUEST || icmp6_type == ICMP6_ECHO_REPLY) {
+ // Ping packet.
+ icmp6_targ->icmp6_id = icmp->un.echo.id;
+ icmp6_targ->icmp6_seq = icmp->un.echo.sequence;
+ out[CLAT_POS_PAYLOAD].iov_base = (char *) payload;
+ out[CLAT_POS_PAYLOAD].iov_len = payload_size;
+ clat_packet_len = CLAT_POS_PAYLOAD + 1;
+ } else {
+ // Unknown type/code. The type/code conversion functions have already logged an error.
+ return 0;
+ }
icmp6_targ->icmp6_cksum = 0; // Checksum field must be 0 when calculating checksum.
icmp6_targ->icmp6_cksum = packet_checksum(checksum, out, pos);
- return CLAT_POS_PAYLOAD + 1;
+ return clat_packet_len;
}
/* function: icmp6_to_icmp
- * translate ipv6 icmp to ipv4 icmp (only currently supports echo/echo reply)
+ * translate ipv6 icmp to ipv4 icmp
* out - output packet
* icmp6 - source packet icmp6 header
* checksum - pseudo-header checksum (unused)
@@ -210,27 +244,40 @@
int icmp6_to_icmp(clat_packet out, int pos, const struct icmp6_hdr *icmp6, uint32_t checksum,
const char *payload, size_t payload_size) {
struct icmphdr *icmp_targ = out[pos].iov_base;
-
- if((icmp6->icmp6_type != ICMP6_ECHO_REQUEST) && (icmp6->icmp6_type != ICMP6_ECHO_REPLY)) {
- logmsg_dbg(ANDROID_LOG_WARN,"icmp6_to_icmp/unhandled icmp6 type: 0x%x",icmp6->icmp6_type);
- return 0;
- }
+ uint8_t icmp_type;
+ int ttl;
+ int clat_packet_len;
memset(icmp_targ, 0, sizeof(struct icmphdr));
- icmp_targ->type = (icmp6->icmp6_type == ICMP6_ECHO_REQUEST) ? ICMP_ECHO : ICMP_ECHOREPLY;
- icmp_targ->code = 0x0;
- icmp_targ->un.echo.id = icmp6->icmp6_id;
- icmp_targ->un.echo.sequence = icmp6->icmp6_seq;
+ icmp_type = icmp6_to_icmp_type(icmp6->icmp6_type, icmp6->icmp6_code);
+ icmp_targ->type = icmp_type;
+ icmp_targ->code = icmp6_to_icmp_code(icmp6->icmp6_type, icmp6->icmp6_code);
out[pos].iov_len = sizeof(struct icmphdr);
- out[CLAT_POS_PAYLOAD].iov_base = (char *) payload;
- out[CLAT_POS_PAYLOAD].iov_len = payload_size;
+
+ if (pos == CLAT_POS_TRANSPORTHDR &&
+ is_icmp6_error(icmp6->icmp6_type) &&
+ icmp_type != ICMP_PARAMETERPROB) {
+ // An ICMPv6 error we understand, one level deep.
+ // Translate the nested packet (the one that caused the error).
+ clat_packet_len = ipv6_packet(out, pos + 1, payload, payload_size);
+ } else if (icmp_type == ICMP_ECHO || icmp_type == ICMP_ECHOREPLY) {
+ // Ping packet.
+ icmp_targ->un.echo.id = icmp6->icmp6_id;
+ icmp_targ->un.echo.sequence = icmp6->icmp6_seq;
+ out[CLAT_POS_PAYLOAD].iov_base = (char *) payload;
+ out[CLAT_POS_PAYLOAD].iov_len = payload_size;
+ clat_packet_len = CLAT_POS_PAYLOAD + 1;
+ } else {
+ // Unknown type/code. The type/code conversion functions have already logged an error.
+ return 0;
+ }
icmp_targ->checksum = 0; // Checksum field must be 0 when calculating checksum.
icmp_targ->checksum = packet_checksum(0, out, pos);
- return CLAT_POS_PAYLOAD + 1;
+ return clat_packet_len;
}
/* function: udp_packet
diff --git a/translate.h b/translate.h
index 120fecf..fded251 100644
--- a/translate.h
+++ b/translate.h
@@ -27,6 +27,7 @@
// specific parts of the packet. The packet_* functions operate on all the packet segments past a
// given position.
enum clat_packet_index { CLAT_POS_TUNHDR, CLAT_POS_IPHDR, CLAT_POS_TRANSPORTHDR,
+ CLAT_POS_ICMPERR_IPHDR, CLAT_POS_ICMPERR_TRANSPORTHDR,
CLAT_POS_PAYLOAD, CLAT_POS_MAX };
typedef struct iovec clat_packet[CLAT_POS_MAX];