Add IPv6 prefix handling to unix tun interface

2025-10-29 19:08:32 -07:00 · 2025-10-29 19:08:32 -07:00 · 3fb0269d7c
commit 3fb0269d7c
parent 848efac15d
10 changed files with 229 additions and 41 deletions
--- a/tun/src/options.rs
+++ b/tun/src/options.rs
@ -1,5 +1,7 @@
+#[cfg(all(any(target_os = "linux", target_vendor = "apple"), feature = "tokio"))]
 use std::io::Error;

+#[cfg(all(any(target_os = "linux", target_vendor = "apple"), feature = "tokio"))]
 use fehler::throws;

 #[cfg(any(target_os = "linux", target_vendor = "apple"))]
--- a/tun/src/unix/address.rs
+++ b/tun/src/unix/address.rs
@ -0,0 +1,120 @@
+use std::io::{Error, ErrorKind};
+use std::net::IpAddr;
+
+use fehler::throws;
+
+#[throws]
+pub(crate) fn ensure_valid_ipv6_prefix(prefix_len: u8) {
+    if prefix_len > 128 {
+        Err(Error::new(
+            ErrorKind::InvalidInput,
+            "IPv6 prefix length must be between 0 and 128",
+        ))?;
+    }
+}
+
+#[cfg_attr(not(any(test, target_vendor = "apple")), allow(dead_code))]
+#[throws]
+pub(crate) fn ipv6_prefix_octets(prefix_len: u8) -> [u8; 16] {
+    ensure_valid_ipv6_prefix(prefix_len)?;
+
+    let mut octets = [0u8; 16];
+    for bit in 0..prefix_len {
+        let idx = (bit / 8) as usize;
+        let offset = (bit % 8) as u8;
+        octets[idx] |= 0x80 >> offset;
+    }
+
+    octets
+}
+
+#[cfg_attr(not(any(test, target_vendor = "apple")), allow(dead_code))]
+pub(crate) fn parse_addr_spec(spec: &str) -> Result<Option<(IpAddr, Option<u8>)>, Error> {
+    let (addr_str, prefix) = match spec.split_once('/') {
+        Some((addr, prefix)) => (addr, Some(prefix)),
+        None => (spec, None),
+    };
+
+    let addr: IpAddr = match addr_str.parse() {
+        Ok(addr) => addr,
+        Err(_) => return Ok(None),
+    };
+
+    let prefix_len = if let Some(prefix) = prefix {
+        let parsed = prefix
+            .parse::<u8>()
+            .map_err(|_| Error::new(ErrorKind::InvalidInput, "Invalid prefix length"))?;
+        ensure_valid_ipv6_prefix(parsed)?;
+        Some(parsed)
+    } else {
+        None
+    };
+
+    Ok(Some((addr, prefix_len)))
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
+
+    #[test]
+    fn parse_ipv4_without_prefix() {
+        let parsed = parse_addr_spec("192.0.2.1").expect("parse succeeds");
+        assert_eq!(
+            parsed,
+            Some((IpAddr::V4(Ipv4Addr::new(192, 0, 2, 1)), None))
+        );
+    }
+
+    #[test]
+    fn parse_ipv6_with_prefix() {
+        let parsed = parse_addr_spec("2001:db8::1/64").expect("parse succeeds");
+        assert_eq!(
+            parsed,
+            Some((
+                IpAddr::V6("2001:db8::1".parse::<Ipv6Addr>().unwrap()),
+                Some(64),
+            ))
+        );
+    }
+
+    #[test]
+    fn parse_invalid_addr_returns_none() {
+        assert_eq!(parse_addr_spec("not-an-ip").unwrap(), None);
+    }
+
+    #[test]
+    fn parse_invalid_prefix_string_errors() {
+        assert!(parse_addr_spec("::1/not-a-number").is_err());
+    }
+
+    #[test]
+    fn parse_prefix_out_of_range_errors() {
+        assert!(parse_addr_spec("::1/129").is_err());
+    }
+
+    #[test]
+    fn ensure_valid_ipv6_prefix_accepts_bounds() {
+        ensure_valid_ipv6_prefix(0).expect("zero prefix is allowed");
+        ensure_valid_ipv6_prefix(128).expect("max prefix is allowed");
+    }
+
+    #[test]
+    fn ensure_valid_ipv6_prefix_rejects_invalid() {
+        assert!(ensure_valid_ipv6_prefix(129).is_err());
+    }
+
+    #[test]
+    fn ipv6_prefix_octets_zero_prefix() {
+        assert_eq!(ipv6_prefix_octets(0).unwrap(), [0u8; 16]);
+    }
+
+    #[test]
+    fn ipv6_prefix_octets_sets_bits_correctly() {
+        let mask = ipv6_prefix_octets(65).unwrap();
+        assert_eq!(mask[0..8], [0xFF; 8]);
+        assert_eq!(mask[8], 0x80);
+        assert_eq!(mask[9..], [0u8; 7]);
+    }
+}
--- a/tun/src/unix/apple/mod.rs
+++ b/tun/src/unix/apple/mod.rs
@ -1,8 +1,8 @@
 use std::{
    ffi::CStr,
-    io::{Error, IoSlice},
+    io::{Error, ErrorKind, IoSlice},
    mem,
-    net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddrV4},
+    net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddrV4, SocketAddrV6},
    os::fd::{AsRawFd, FromRawFd, RawFd},
 };

@ -17,6 +17,7 @@ pub mod sys;

 use kern_control::SysControlSocket;

+use super::address::{ensure_valid_ipv6_prefix, ipv6_prefix_octets, parse_addr_spec};
 use super::{ifname_to_string, string_to_ifname};
 use crate::TunOptions;

@ -72,11 +73,11 @@ impl TunInterface {

    #[throws]
    fn configure(&self, options: TunOptions) {
-        for addr in options.address {
-            if let Ok(addr) = addr.parse::<IpAddr>() {
+        for spec in options.address {
+            if let Some((addr, prefix_len)) = parse_addr_spec(&spec)? {
                match addr {
                    IpAddr::V4(addr) => self.set_ipv4_addr(addr)?,
-                    IpAddr::V6(addr) => self.set_ipv6_addr(addr)?,
+                    IpAddr::V6(addr) => self.add_ipv6_addr(addr, prefix_len.unwrap_or(128))?,
                }
            }
        }
@ -149,18 +150,38 @@ impl TunInterface {
    }

    #[throws]
-    pub fn set_ipv6_addr(&self, _addr: Ipv6Addr) {
-        // let addr = SockAddr::from(SocketAddrV6::new(addr, 0, 0, 0));
-        // println!("addr: {:?}", addr);
-        // let mut iff = self.in6_ifreq()?;
-        // let sto = addr.as_storage();
-        // let ifadddr_ptr: *const sockaddr_in6 = addr_of!(sto).cast();
-        // iff.ifr_ifru.ifru_addr = unsafe { *ifadddr_ptr };
-        // println!("ifru addr set");
-        // println!("{:?}", sys::SIOCSIFADDR_IN6);
-        // self.perform6(|fd| unsafe { sys::if_set_addr6(fd, &iff) })?;
-        // tracing::info!("ipv6_addr_set");
-        tracing::warn!("Setting IPV6 address on MacOS CLI mode is not supported yet.");
+    #[instrument]
+    pub fn add_ipv6_addr(&self, addr: Ipv6Addr, prefix_len: u8) {
+        ensure_valid_ipv6_prefix(prefix_len)?;
+
+        let mut req: sys::in6_aliasreq = unsafe { mem::zeroed() };
+        req.ifra_name = string_to_ifname(&self.name()?);
+        req.ifra_addr = ipv6_to_sockaddr(addr);
+        req.ifra_prefixmask = ipv6_prefix_mask(prefix_len)?;
+        self.perform6(|fd| unsafe { sys::if_add_addr6(fd, &req) })?;
+        tracing::info!(
+            "ipv6_addr_added: {:?}/{} (fd: {:?})",
+            addr,
+            prefix_len,
+            self.as_raw_fd()
+        );
+    }
+
+    #[throws]
+    #[instrument]
+    pub fn remove_ipv6_addr(&self, addr: Ipv6Addr, prefix_len: u8) {
+        ensure_valid_ipv6_prefix(prefix_len)?;
+
+        let mut iff = self.in6_ifreq()?;
+        iff.ifr_ifru.ifru_addr = ipv6_to_sockaddr(addr);
+        iff.ifr_ifru.ifru_prefixmask = ipv6_prefix_mask(prefix_len)?;
+        self.perform6(|fd| unsafe { sys::if_del_addr6(fd, &iff) })?;
+        tracing::info!(
+            "ipv6_addr_removed: {:?}/{} (fd: {:?})",
+            addr,
+            prefix_len,
+            self.as_raw_fd()
+        );
    }

    #[throws]
@ -269,7 +290,6 @@ impl TunInterface {
    #[throws]
    #[instrument]
    pub fn send(&self, buf: &[u8]) -> usize {
-        use std::io::ErrorKind;
        let proto = match buf[0] >> 4 {
            6 => Ok(AF_INET6),
            4 => Ok(AF_INET),
@ -294,5 +314,16 @@ impl TunInterface {

 #[inline]
 fn in6_addr_octets(addr: libc::in6_addr) -> [u8; 16] {
-    unsafe { addr.__u6_addr.__u6_addr8 }
+    addr.s6_addr
+}
+
+fn ipv6_to_sockaddr(addr: Ipv6Addr) -> libc::sockaddr_in6 {
+    let sockaddr = SockAddr::from(SocketAddrV6::new(addr, 0, 0, 0));
+    unsafe { *(sockaddr.as_ptr() as *const libc::sockaddr_in6) }
+}
+
+#[throws]
+fn ipv6_prefix_mask(prefix_len: u8) -> libc::sockaddr_in6 {
+    let octets = ipv6_prefix_octets(prefix_len)?;
+    ipv6_to_sockaddr(Ipv6Addr::from(octets))
 }
--- a/tun/src/unix/apple/sys.rs
+++ b/tun/src/unix/apple/sys.rs
@ -2,20 +2,11 @@ use std::mem;

 use libc::{c_char, c_int, c_short, c_uint, c_ulong, sockaddr, sockaddr_in6, time_t};
 pub use libc::{
-    c_void,
-    sockaddr_ctl,
-    sockaddr_in,
-    socklen_t,
-    AF_SYSTEM,
-    AF_SYS_CONTROL,
-    IFNAMSIZ,
+    c_void, sockaddr_ctl, sockaddr_in, socklen_t, AF_SYSTEM, AF_SYS_CONTROL, IFNAMSIZ,
    SYSPROTO_CONTROL,
 };
 use nix::{
-    ioctl_read_bad,
-    ioctl_readwrite,
-    ioctl_write_ptr_bad,
-    request_code_readwrite,
+    ioctl_read_bad, ioctl_readwrite, ioctl_write_ptr_bad, request_code_readwrite,
    request_code_write,
 };

@ -77,7 +68,7 @@ pub struct ifreq {

 #[repr(C)]
 #[derive(Copy, Clone, Debug)]
-pub struct in6_addrlifetime{
+pub struct in6_addrlifetime {
    pub ia6t_expire: time_t,
    pub ia6t_preferred: time_t,
    pub ia6t_vltime: u32,
@ -157,6 +148,7 @@ pub struct icmp6_ifstat {
 pub union ifr_ifru6 {
    pub ifru_addr: sockaddr_in6,
    pub ifru_dstaddr: sockaddr_in6,
+    pub ifru_prefixmask: sockaddr_in6,
    pub ifru_flags: c_int,
    pub ifru_flags6: c_int,
    pub ifru_metric: c_int,
@ -165,7 +157,7 @@ pub union ifr_ifru6 {
    pub ifru_lifetime: in6_addrlifetime, // ifru_lifetime
    pub ifru_stat: in6_ifstat,
    pub ifru_icmp6stat: icmp6_ifstat,
-    pub ifru_scope_id: [u32; SCOPE6_ID_MAX]
+    pub ifru_scope_id: [u32; SCOPE6_ID_MAX],
 }

 #[repr(C)]
@ -174,8 +166,21 @@ pub struct in6_ifreq {
    pub ifr_ifru: ifr_ifru6,
 }

+#[repr(C)]
+#[derive(Copy, Clone, Debug)]
+pub struct in6_aliasreq {
+    pub ifra_name: [c_char; IFNAMSIZ],
+    pub ifra_addr: sockaddr_in6,
+    pub ifra_dstaddr: sockaddr_in6,
+    pub ifra_prefixmask: sockaddr_in6,
+    pub ifra_lifetime: in6_addrlifetime,
+    pub ifra_flags: c_int,
+}
+
 pub const SIOCSIFADDR: c_ulong = request_code_write!(b'i', 12, mem::size_of::<ifreq>());
 pub const SIOCSIFADDR_IN6: c_ulong = request_code_write!(b'i', 12, mem::size_of::<in6_ifreq>());
+pub const SIOCAIFADDR_IN6: c_ulong = request_code_write!(b'i', 30, mem::size_of::<in6_aliasreq>());
+pub const SIOCDIFADDR_IN6: c_ulong = request_code_write!(b'i', 25, mem::size_of::<in6_ifreq>());
 pub const SIOCGIFMTU: c_ulong = request_code_readwrite!(b'i', 51, mem::size_of::<ifreq>());
 pub const SIOCSIFMTU: c_ulong = request_code_write!(b'i', 52, mem::size_of::<ifreq>());
 pub const SIOCGIFNETMASK: c_ulong = request_code_readwrite!(b'i', 37, mem::size_of::<ifreq>());
@ -198,6 +203,7 @@ ioctl_read_bad!(if_get_addr, libc::SIOCGIFADDR, ifreq);
 ioctl_read_bad!(if_get_mtu, SIOCGIFMTU, ifreq);
 ioctl_read_bad!(if_get_netmask, SIOCGIFNETMASK, ifreq);
 ioctl_write_ptr_bad!(if_set_addr, SIOCSIFADDR, ifreq);
-ioctl_write_ptr_bad!(if_set_addr6, SIOCSIFADDR_IN6, in6_ifreq);
+ioctl_write_ptr_bad!(if_add_addr6, SIOCAIFADDR_IN6, in6_aliasreq);
+ioctl_write_ptr_bad!(if_del_addr6, SIOCDIFADDR_IN6, in6_ifreq);
 ioctl_write_ptr_bad!(if_set_mtu, SIOCSIFMTU, ifreq);
 ioctl_write_ptr_bad!(if_set_netmask, SIOCSIFNETMASK, ifreq);
--- a/tun/src/unix/linux/mod.rs
+++ b/tun/src/unix/linux/mod.rs
@ -15,6 +15,7 @@ use libc::{in6_ifreq, AF_INET6};
 use socket2::{Domain, SockAddr, Socket, Type};
 use tracing::{info, instrument};

+use super::address::ensure_valid_ipv6_prefix;
 use super::{ifname_to_string, string_to_ifname};
 use crate::TunOptions;

@ -141,11 +142,36 @@ impl TunInterface {

    #[throws]
    #[instrument]
-    pub fn set_ipv6_addr(&self, addr: Ipv6Addr) {
+    pub fn add_ipv6_addr(&self, addr: Ipv6Addr, prefix_len: u8) {
+        ensure_valid_ipv6_prefix(prefix_len)?;
+
        let mut iff = self.in6_ifreq()?;
        iff.ifr6_addr.s6_addr = addr.octets();
-        self.perform6(|fd| unsafe { sys::if_set_addr6(fd, &iff) })?;
-        info!("ipv6_addr_set: {:?} (fd: {:?})", addr, self.as_raw_fd())
+        iff.ifr6_prefixlen = prefix_len.into();
+        self.perform6(|fd| unsafe { sys::if_add_addr6(fd, &iff) })?;
+        info!(
+            "ipv6_addr_added: {:?}/{} (fd: {:?})",
+            addr,
+            prefix_len,
+            self.as_raw_fd()
+        )
+    }
+
+    #[throws]
+    #[instrument]
+    pub fn remove_ipv6_addr(&self, addr: Ipv6Addr, prefix_len: u8) {
+        ensure_valid_ipv6_prefix(prefix_len)?;
+
+        let mut iff = self.in6_ifreq()?;
+        iff.ifr6_addr.s6_addr = addr.octets();
+        iff.ifr6_prefixlen = prefix_len.into();
+        self.perform6(|fd| unsafe { sys::if_del_addr6(fd, &iff) })?;
+        info!(
+            "ipv6_addr_removed: {:?}/{} (fd: {:?})",
+            addr,
+            prefix_len,
+            self.as_raw_fd()
+        )
    }

    #[throws]
--- a/tun/src/unix/linux/sys.rs
+++ b/tun/src/unix/linux/sys.rs
@ -20,7 +20,8 @@ ioctl_read_bad!(if_get_mtu, libc::SIOCGIFMTU, libc::ifreq);
 ioctl_read_bad!(if_get_netmask, libc::SIOCGIFNETMASK, libc::ifreq);

 ioctl_write_ptr_bad!(if_set_addr, libc::SIOCSIFADDR, libc::ifreq);
-ioctl_write_ptr_bad!(if_set_addr6, libc::SIOCSIFADDR, libc::in6_ifreq);
+ioctl_write_ptr_bad!(if_add_addr6, libc::SIOCSIFADDR, libc::in6_ifreq);
+ioctl_write_ptr_bad!(if_del_addr6, libc::SIOCDIFADDR, libc::in6_ifreq);
 ioctl_write_ptr_bad!(if_set_brdaddr, libc::SIOCSIFBRDADDR, libc::ifreq);
 ioctl_write_ptr_bad!(if_set_mtu, libc::SIOCSIFMTU, libc::ifreq);
 ioctl_write_ptr_bad!(if_set_netmask, libc::SIOCSIFNETMASK, libc::ifreq);
--- a/tun/src/unix/mod.rs
+++ b/tun/src/unix/mod.rs
@ -6,6 +6,7 @@ use std::{

 use tracing::instrument;

+mod address;
 mod queue;

 #[cfg(target_vendor = "apple")]
--- a/tun/tests/configure.rs
+++ b/tun/tests/configure.rs
@ -46,7 +46,7 @@ fn test_set_get_ipv6() {
    let tun = TunInterface::new()?;

    let addr = Ipv6Addr::new(1, 1, 1, 1, 1, 1, 1, 1);
-    tun.set_ipv6_addr(addr)?;
+    tun.add_ipv6_addr(addr, 128)?;

    // let result = tun.ipv6_addr()?;
    // assert_eq!(addr, result);
--- a/tun/tests/packets.rs
+++ b/tun/tests/packets.rs
@ -1,5 +1,5 @@
-use std::{io::Error, net::Ipv4Addr};
 use std::net::Ipv6Addr;
+use std::{io::Error, net::Ipv4Addr};

 use fehler::throws;
 use tun::TunInterface;
@ -44,5 +44,5 @@ fn set_ipv6() {
    println!("tun name: {:?}", tun.name()?);
    let targ_addr: Ipv6Addr = "::1".parse().unwrap();
    println!("v6 addr: {:?}", targ_addr);
-    tun.set_ipv6_addr(targ_addr)?;
-}
+    tun.add_ipv6_addr(targ_addr, 128)?;
+}
--- a/tun/tests/tokio.rs
+++ b/tun/tests/tokio.rs
@ -1,3 +1,4 @@
+#[cfg(all(feature = "tokio", not(target_os = "windows")))]
 use std::net::Ipv4Addr;

 #[tokio::test]