2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2014 Guus Sliepen <guus@tinc-vpn.org>
5 2010 Timothy Redaelli <timothy@redaelli.eu>
6 2010 Brandon Black <blblack@gmail.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
35 #include "connection.h"
50 #define MAX(a, b) ((a) > (b) ? (a) : (b))
55 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
58 static void send_udppacket(node_t *, vpn_packet_t *);
60 unsigned replaywin = 16;
61 bool localdiscovery = true;
62 bool udp_discovery = true;
63 int udp_discovery_interval = 9;
64 int udp_discovery_timeout = 30;
66 #define MAX_SEQNO 1073741824
68 static void try_fix_mtu(node_t *n) {
72 if(n->mtuprobes == 90 || n->minmtu >= n->maxmtu) {
73 if(n->minmtu > n->maxmtu)
74 n->minmtu = n->maxmtu;
76 n->maxmtu = n->minmtu;
78 logger(DEBUG_TRAFFIC, LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
83 static void udp_probe_timeout_handler(void *data) {
85 if(!n->status.udp_confirmed)
88 logger(DEBUG_TRAFFIC, LOG_INFO, "Too much time has elapsed since last UDP ping response from %s (%s), stopping UDP communication", n->name, n->hostname);
89 n->status.udp_confirmed = false;
95 static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
96 if(!DATA(packet)[0]) {
97 logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request %d from %s (%s)", packet->len, n->name, n->hostname);
99 /* It's a probe request, send back a reply */
101 /* Type 2 probe replies were introduced in protocol 17.3 */
102 if ((n->options >> 24) >= 3) {
103 uint8_t *data = DATA(packet);
105 uint16_t len16 = htons(len); memcpy(data, &len16, 2); data += 2;
107 gettimeofday(&now, NULL);
108 uint32_t sec = htonl(now.tv_sec); memcpy(data, &sec, 4); data += 4;
109 uint32_t usec = htonl(now.tv_usec); memcpy(data, &usec, 4); data += 4;
112 /* Legacy protocol: n won't understand type 2 probe replies. */
116 /* Temporarily set udp_confirmed, so that the reply is sent
117 back exactly the way it came in. */
119 bool udp_confirmed = n->status.udp_confirmed;
120 n->status.udp_confirmed = true;
121 send_udppacket(n, packet);
122 n->status.udp_confirmed = udp_confirmed;
124 length_t probelen = len;
125 if (DATA(packet)[0] == 2) {
127 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received invalid (too short) UDP probe reply from %s (%s)", n->name, n->hostname);
129 uint16_t probelen16; memcpy(&probelen16, DATA(packet) + 1, 2); probelen = ntohs(probelen16);
132 logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], probelen, n->name, n->hostname);
134 /* It's a valid reply: now we know bidirectional communication
135 is possible using the address and socket that the reply
137 n->status.udp_confirmed = true;
140 timeout_del(&n->udp_ping_timeout);
141 timeout_add(&n->udp_ping_timeout, &udp_probe_timeout_handler, n, &(struct timeval){udp_discovery_timeout, 0});
144 if(probelen >= n->maxmtu + 8) {
145 logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
151 /* If applicable, raise the minimum supported MTU */
153 if(probelen > n->maxmtu)
154 probelen = n->maxmtu;
155 if(n->minmtu < probelen) {
156 n->minmtu = probelen;
161 The RTT is the time between the MTU probe burst was sent and the first
165 struct timeval now, diff;
166 gettimeofday(&now, NULL);
167 timersub(&now, &n->probe_time, &diff);
169 struct timeval probe_timestamp = now;
170 if (DATA(packet)[0] == 2 && packet->len >= 11) {
171 uint32_t sec; memcpy(&sec, DATA(packet) + 3, 4);
172 uint32_t usec; memcpy(&usec, DATA(packet) + 7, 4);
173 probe_timestamp.tv_sec = ntohl(sec);
174 probe_timestamp.tv_usec = ntohl(usec);
179 if(n->probe_counter == 1) {
180 n->rtt = diff.tv_sec + diff.tv_usec * 1e-6;
181 n->probe_time = probe_timestamp;
182 logger(DEBUG_TRAFFIC, LOG_DEBUG, "%s (%s) RTT %.2f ms, rx packet loss %.2f %%", n->name, n->hostname, n->rtt * 1e3, n->packetloss * 1e2);
187 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
189 memcpy(dest, source, len);
191 } else if(level == 10) {
193 lzo_uint lzolen = MAXSIZE;
194 lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
199 } else if(level < 10) {
201 unsigned long destlen = MAXSIZE;
202 if(compress2(dest, &destlen, source, len, level) == Z_OK)
209 lzo_uint lzolen = MAXSIZE;
210 lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
220 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
222 memcpy(dest, source, len);
224 } else if(level > 9) {
226 lzo_uint lzolen = MAXSIZE;
227 if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
235 unsigned long destlen = MAXSIZE;
236 if(uncompress(dest, &destlen, source, len) == Z_OK)
248 static void receive_packet(node_t *n, vpn_packet_t *packet) {
249 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
250 packet->len, n->name, n->hostname);
253 n->in_bytes += packet->len;
258 static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
260 return sptps_verify_datagram(&n->sptps, DATA(inpkt), inpkt->len);
262 #ifdef DISABLE_LEGACY
265 if(!digest_active(n->indigest) || inpkt->len < sizeof(seqno_t) + digest_length(n->indigest))
268 return digest_verify(n->indigest, SEQNO(inpkt), inpkt->len - digest_length(n->indigest), DATA(inpkt) + inpkt->len - digest_length(n->indigest));
272 static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
273 vpn_packet_t pkt1, pkt2;
274 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
277 pkt1.offset = DEFAULT_PACKET_OFFSET;
278 pkt2.offset = DEFAULT_PACKET_OFFSET;
280 if(n->status.sptps) {
281 if(!n->sptps.state) {
282 if(!n->status.waitingforkey) {
283 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but we haven't exchanged keys yet", n->name, n->hostname);
286 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
290 inpkt->offset += 2 * sizeof(node_id_t);
291 if(!sptps_receive_data(&n->sptps, DATA(inpkt), inpkt->len - 2 * sizeof(node_id_t))) {
292 logger(DEBUG_TRAFFIC, LOG_ERR, "Got bad packet from %s (%s)", n->name, n->hostname);
298 #ifdef DISABLE_LEGACY
301 if(!n->status.validkey) {
302 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
306 /* Check packet length */
308 if(inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) {
309 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
310 n->name, n->hostname);
314 /* It's a legacy UDP packet, the data starts after the seqno */
316 inpkt->offset += sizeof(seqno_t);
318 /* Check the message authentication code */
320 if(digest_active(n->indigest)) {
321 inpkt->len -= digest_length(n->indigest);
322 if(!digest_verify(n->indigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
323 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
327 /* Decrypt the packet */
329 if(cipher_active(n->incipher)) {
330 vpn_packet_t *outpkt = pkt[nextpkt++];
333 if(!cipher_decrypt(n->incipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
334 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
338 outpkt->len = outlen;
342 /* Check the sequence number */
345 memcpy(&seqno, SEQNO(inpkt), sizeof seqno);
346 seqno = ntohl(seqno);
347 inpkt->len -= sizeof seqno;
350 if(seqno != n->received_seqno + 1) {
351 if(seqno >= n->received_seqno + replaywin * 8) {
352 if(n->farfuture++ < replaywin >> 2) {
353 logger(DEBUG_ALWAYS, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
354 n->name, n->hostname, seqno - n->received_seqno - 1, n->farfuture);
357 logger(DEBUG_ALWAYS, LOG_WARNING, "Lost %d packets from %s (%s)",
358 seqno - n->received_seqno - 1, n->name, n->hostname);
359 memset(n->late, 0, replaywin);
360 } else if (seqno <= n->received_seqno) {
361 if((n->received_seqno >= replaywin * 8 && seqno <= n->received_seqno - replaywin * 8) || !(n->late[(seqno / 8) % replaywin] & (1 << seqno % 8))) {
362 logger(DEBUG_ALWAYS, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
363 n->name, n->hostname, seqno, n->received_seqno);
367 for(int i = n->received_seqno + 1; i < seqno; i++)
368 n->late[(i / 8) % replaywin] |= 1 << i % 8;
373 n->late[(seqno / 8) % replaywin] &= ~(1 << seqno % 8);
376 if(seqno > n->received_seqno)
377 n->received_seqno = seqno;
381 if(n->received_seqno > MAX_SEQNO)
384 /* Decompress the packet */
386 length_t origlen = inpkt->len;
388 if(n->incompression) {
389 vpn_packet_t *outpkt = pkt[nextpkt++];
391 if((outpkt->len = uncompress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->incompression)) < 0) {
392 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)",
393 n->name, n->hostname);
399 origlen -= MTU/64 + 20;
404 if(!DATA(inpkt)[12] && !DATA(inpkt)[13])
405 udp_probe_h(n, inpkt, origlen);
407 receive_packet(n, inpkt);
412 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
414 outpkt.offset = DEFAULT_PACKET_OFFSET;
416 if(len > sizeof outpkt.data - outpkt.offset)
420 if(c->options & OPTION_TCPONLY)
423 outpkt.priority = -1;
424 memcpy(DATA(&outpkt), buffer, len);
426 receive_packet(c->node, &outpkt);
429 static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
430 if(!n->status.validkey && !n->connection)
436 if(!(DATA(origpkt)[12] | DATA(origpkt)[13])) {
437 sptps_send_record(&n->sptps, PKT_PROBE, (char *)DATA(origpkt), origpkt->len);
441 if(routing_mode == RMODE_ROUTER)
446 if(origpkt->len < offset)
451 if(n->outcompression) {
453 int len = compress_packet(DATA(&outpkt) + offset, DATA(origpkt) + offset, origpkt->len - offset, n->outcompression);
455 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
456 } else if(len < origpkt->len - offset) {
457 outpkt.len = len + offset;
459 type |= PKT_COMPRESSED;
463 /* If we have a direct metaconnection to n, and we can't use UDP, then
464 don't bother with SPTPS and just use a "plaintext" PACKET message.
465 We don't really care about end-to-end security since we're not
466 sending the message through any intermediate nodes. */
467 if(n->connection && origpkt->len > n->minmtu)
468 send_tcppacket(n->connection, origpkt);
470 sptps_send_record(&n->sptps, type, DATA(origpkt) + offset, origpkt->len - offset);
474 static void adapt_socket(const sockaddr_t *sa, int *sock) {
475 /* Make sure we have a suitable socket for the chosen address */
476 if(listen_socket[*sock].sa.sa.sa_family != sa->sa.sa_family) {
477 for(int i = 0; i < listen_sockets; i++) {
478 if(listen_socket[i].sa.sa.sa_family == sa->sa.sa_family) {
486 static void choose_udp_address(const node_t *n, const sockaddr_t **sa, int *sock) {
491 /* If the UDP address is confirmed, use it. */
492 if(n->status.udp_confirmed)
495 /* Send every third packet to n->address; that could be set
496 to the node's reflexive UDP address discovered during key
505 /* Otherwise, address are found in edges to this node.
506 So we pick a random edge and a random socket. */
509 int j = rand() % n->edge_tree->count;
510 edge_t *candidate = NULL;
512 for splay_each(edge_t, e, n->edge_tree) {
514 candidate = e->reverse;
520 *sa = &candidate->address;
521 *sock = rand() % listen_sockets;
524 adapt_socket(*sa, sock);
527 static void choose_local_address(const node_t *n, const sockaddr_t **sa, int *sock) {
530 /* Pick one of the edges from this node at random, then use its local address. */
533 int j = rand() % n->edge_tree->count;
534 edge_t *candidate = NULL;
536 for splay_each(edge_t, e, n->edge_tree) {
543 if (candidate && candidate->local_address.sa.sa_family) {
544 *sa = &candidate->local_address;
545 *sock = rand() % listen_sockets;
546 adapt_socket(*sa, sock);
550 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
551 vpn_packet_t pkt1, pkt2;
552 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
553 vpn_packet_t *inpkt = origpkt;
555 vpn_packet_t *outpkt;
556 int origlen = origpkt->len;
558 #if defined(SOL_IP) && defined(IP_TOS)
559 static int priority = 0;
560 int origpriority = origpkt->priority;
563 pkt1.offset = DEFAULT_PACKET_OFFSET;
564 pkt2.offset = DEFAULT_PACKET_OFFSET;
566 if(!n->status.reachable) {
567 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
572 return send_sptps_packet(n, origpkt);
574 #ifdef DISABLE_LEGACY
577 /* Make sure we have a valid key */
579 if(!n->status.validkey) {
580 logger(DEBUG_TRAFFIC, LOG_INFO,
581 "No valid key known yet for %s (%s), forwarding via TCP",
582 n->name, n->hostname);
583 send_tcppacket(n->nexthop->connection, origpkt);
587 if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (DATA(inpkt)[12] | DATA(inpkt)[13])) {
588 logger(DEBUG_TRAFFIC, LOG_INFO,
589 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
590 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
593 send_packet(n->nexthop, origpkt);
595 send_tcppacket(n->nexthop->connection, origpkt);
600 /* Compress the packet */
602 if(n->outcompression) {
603 outpkt = pkt[nextpkt++];
605 if((outpkt->len = compress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->outcompression)) < 0) {
606 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)",
607 n->name, n->hostname);
614 /* Add sequence number */
616 seqno_t seqno = htonl(++(n->sent_seqno));
617 memcpy(SEQNO(inpkt), &seqno, sizeof seqno);
618 inpkt->len += sizeof seqno;
620 /* Encrypt the packet */
622 if(cipher_active(n->outcipher)) {
623 outpkt = pkt[nextpkt++];
626 if(!cipher_encrypt(n->outcipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
627 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
631 outpkt->len = outlen;
635 /* Add the message authentication code */
637 if(digest_active(n->outdigest)) {
638 if(!digest_create(n->outdigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
639 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
643 inpkt->len += digest_length(n->outdigest);
646 /* Send the packet */
648 const sockaddr_t *sa = NULL;
651 if(n->status.send_locally)
652 choose_local_address(n, &sa, &sock);
654 choose_udp_address(n, &sa, &sock);
656 #if defined(SOL_IP) && defined(IP_TOS)
657 if(priorityinheritance && origpriority != priority
658 && listen_socket[n->sock].sa.sa.sa_family == AF_INET) {
659 priority = origpriority;
660 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
661 if(setsockopt(listen_socket[n->sock].udp.fd, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
662 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
666 if(sendto(listen_socket[sock].udp.fd, SEQNO(inpkt), inpkt->len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
667 if(sockmsgsize(sockerrno)) {
668 if(n->maxmtu >= origlen)
669 n->maxmtu = origlen - 1;
670 if(n->mtu >= origlen)
671 n->mtu = origlen - 1;
674 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
678 origpkt->len = origlen;
682 static bool send_sptps_data_priv(node_t *to, node_t *from, int type, const void *data, size_t len) {
683 node_t *relay = (to->via != myself && (type == PKT_PROBE || (len - SPTPS_DATAGRAM_OVERHEAD) <= to->via->minmtu)) ? to->via : to->nexthop;
684 bool direct = from == myself && to == relay;
685 bool relay_supported = (relay->options >> 24) >= 4;
686 bool tcponly = (myself->options | relay->options) & OPTION_TCPONLY;
688 /* Send it via TCP if it is a handshake packet, TCPOnly is in use, this is a relay packet that the other node cannot understand, or this packet is larger than the MTU.
689 TODO: When relaying, the original sender does not know the end-to-end PMTU (it only knows the PMTU of the first hop).
690 This can lead to scenarios where large packets are sent over UDP to relay, but then relay has no choice but fall back to TCP. */
692 if(type == SPTPS_HANDSHAKE || tcponly || (!direct && !relay_supported) || (type != PKT_PROBE && (len - SPTPS_DATAGRAM_OVERHEAD) > relay->minmtu)) {
693 char buf[len * 4 / 3 + 5];
694 b64encode(data, buf, len);
695 /* If no valid key is known yet, send the packets using ANS_KEY requests,
696 to ensure we get to learn the reflexive UDP address. */
697 if(from == myself && !to->status.validkey) {
698 to->incompression = myself->incompression;
699 return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, from->name, to->name, buf, to->incompression);
701 return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, from->name, to->name, REQ_SPTPS, buf);
706 if(relay_supported) overhead += sizeof to->id + sizeof from->id;
707 char buf[len + overhead]; char* buf_ptr = buf;
708 if(relay_supported) {
710 /* Inform the recipient that this packet was sent directly. */
711 node_id_t nullid = {};
712 memcpy(buf_ptr, &nullid, sizeof nullid); buf_ptr += sizeof nullid;
714 memcpy(buf_ptr, &to->id, sizeof to->id); buf_ptr += sizeof to->id;
716 memcpy(buf_ptr, &from->id, sizeof from->id); buf_ptr += sizeof from->id;
719 /* TODO: if this copy turns out to be a performance concern, change sptps_send_record() to add some "pre-padding" to the buffer and use that instead */
720 memcpy(buf_ptr, data, len); buf_ptr += len;
722 const sockaddr_t *sa = NULL;
724 if(relay->status.send_locally)
725 choose_local_address(relay, &sa, &sock);
727 choose_udp_address(relay, &sa, &sock);
728 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s)", from->name, from->hostname, to->name, to->hostname, relay->name, relay->hostname);
729 if(sendto(listen_socket[sock].udp.fd, buf, buf_ptr - buf, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
730 if(sockmsgsize(sockerrno)) {
731 // Compensate for SPTPS overhead
732 len -= SPTPS_DATAGRAM_OVERHEAD;
733 if(relay->maxmtu >= len)
734 relay->maxmtu = len - 1;
735 if(relay->mtu >= len)
736 relay->mtu = len - 1;
739 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", relay->name, relay->hostname, sockstrerror(sockerrno));
747 bool send_sptps_data(void *handle, uint8_t type, const void *data, size_t len) {
748 return send_sptps_data_priv(handle, myself, type, data, len);
751 bool receive_sptps_record(void *handle, uint8_t type, const void *data, uint16_t len) {
752 node_t *from = handle;
754 if(type == SPTPS_HANDSHAKE) {
755 if(!from->status.validkey) {
756 from->status.validkey = true;
757 from->status.waitingforkey = false;
758 logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) succesful", from->name, from->hostname);
764 logger(DEBUG_ALWAYS, LOG_ERR, "Packet from %s (%s) larger than maximum supported size (%d > %d)", from->name, from->hostname, len, MTU);
769 inpkt.offset = DEFAULT_PACKET_OFFSET;
771 if(type == PKT_PROBE) {
773 memcpy(DATA(&inpkt), data, len);
774 udp_probe_h(from, &inpkt, len);
778 if(type & ~(PKT_COMPRESSED | PKT_MAC)) {
779 logger(DEBUG_ALWAYS, LOG_ERR, "Unexpected SPTPS record type %d len %d from %s (%s)", type, len, from->name, from->hostname);
783 /* Check if we have the headers we need */
784 if(routing_mode != RMODE_ROUTER && !(type & PKT_MAC)) {
785 logger(DEBUG_TRAFFIC, LOG_ERR, "Received packet from %s (%s) without MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
787 } else if(routing_mode == RMODE_ROUTER && (type & PKT_MAC)) {
788 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received packet from %s (%s) with MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
791 int offset = (type & PKT_MAC) ? 0 : 14;
792 if(type & PKT_COMPRESSED) {
793 length_t ulen = uncompress_packet(DATA(&inpkt) + offset, (const uint8_t *)data, len, from->incompression);
797 inpkt.len = ulen + offset;
799 if(inpkt.len > MAXSIZE)
802 memcpy(DATA(&inpkt) + offset, data, len);
803 inpkt.len = len + offset;
806 /* Generate the Ethernet packet type if necessary */
808 switch(DATA(&inpkt)[14] >> 4) {
810 DATA(&inpkt)[12] = 0x08;
811 DATA(&inpkt)[13] = 0x00;
814 DATA(&inpkt)[12] = 0x86;
815 DATA(&inpkt)[13] = 0xDD;
818 logger(DEBUG_TRAFFIC, LOG_ERR,
819 "Unknown IP version %d while reading packet from %s (%s)",
820 DATA(&inpkt)[14] >> 4, from->name, from->hostname);
825 receive_packet(from, &inpkt);
829 // This function tries to get SPTPS keys, if they aren't already known.
830 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if the keys are available.
831 static void try_sptps(node_t *n) {
832 if(n->status.validkey)
835 logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
837 if(!n->status.waitingforkey)
839 else if(n->last_req_key + 10 < now.tv_sec) {
840 logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
841 sptps_stop(&n->sptps);
842 n->status.waitingforkey = false;
849 static void send_udp_probe_packet(node_t *n, int len) {
851 packet.offset = DEFAULT_PACKET_OFFSET;
852 memset(DATA(&packet), 0, 14);
853 randomize(DATA(&packet) + 14, len - 14);
857 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending UDP probe length %d to %s (%s)", len, n->name, n->hostname);
859 send_udppacket(n, &packet);
862 // This function tries to establish a UDP tunnel to a node so that packets can be sent.
863 // If a tunnel is already established, it makes sure it stays up.
864 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if UDP is usable.
865 static void try_udp(node_t* n) {
870 gettimeofday(&now, NULL);
871 struct timeval ping_tx_elapsed;
872 timersub(&now, &n->udp_ping_sent, &ping_tx_elapsed);
874 if(ping_tx_elapsed.tv_sec >= udp_discovery_interval) {
875 send_udp_probe_packet(n, MAX(n->minmtu, 16));
876 n->udp_ping_sent = now;
878 if(localdiscovery && !n->status.udp_confirmed && n->prevedge) {
879 n->status.send_locally = true;
880 send_udp_probe_packet(n, 16);
881 n->status.send_locally = false;
886 // This function tries to determines the MTU of a node.
887 // By calling this function repeatedly, n->minmtu will be progressively increased, and at some point, n->mtu will be fixed to n->minmtu.
888 // If the MTU is already fixed, this function checks if it can be increased.
889 static void try_mtu(node_t *n) {
890 if(!(n->options & OPTION_PMTU_DISCOVERY))
893 if(udp_discovery && !n->status.udp_confirmed) {
900 /* mtuprobes == 0..89: initial discovery, send bursts with 1 second interval, mtuprobes++
901 mtuprobes == 90: fix MTU, and go to -1
902 mtuprobes == -1: send one >maxmtu probe every pingtimeout */
905 gettimeofday(&now, NULL);
906 struct timeval elapsed;
907 timersub(&now, &n->probe_sent_time, &elapsed);
908 if(n->mtuprobes >= 0) {
909 if(n->mtuprobes != 0 && elapsed.tv_sec == 0 && elapsed.tv_usec < 333333)
912 if(elapsed.tv_sec < pingtimeout)
919 if(n->mtuprobes < 0) {
920 /* After the initial discovery, we only send one >maxmtu probe
921 to detect PMTU increases. */
922 if(n->maxmtu + 8 < MTU)
923 send_udp_probe_packet(n, n->maxmtu + 8);
925 /* Decreasing the number of probes per cycle might make the algorithm react faster to lost packets,
926 but it will typically increase convergence time in the no-loss case. */
927 const length_t probes_per_cycle = 8;
929 /* This magic value was determined using math simulations.
930 It will result in a 1339-byte first probe, followed (if there was a reply) by a 1417-byte probe.
931 Since 1417 is just below the range of tinc MTUs over typical networks,
932 this fine-tuning allows tinc to cover a lot of ground very quickly. */
933 const float multiplier = 0.982;
935 const float cycle_position = probes_per_cycle - (n->mtuprobes % probes_per_cycle) - 1;
936 const length_t minmtu = MAX(n->minmtu, 64);
937 const float interval = n->maxmtu - minmtu;
939 /* The core of the discovery algorithm is this exponential.
940 It produces very large probes early in the cycle, and then it very quickly decreases the probe size.
941 This reflects the fact that in the most difficult cases, we don't get any feedback for probes that
942 are too large, and therefore we need to concentrate on small offsets so that we can quickly converge
943 on the precise MTU as we are approaching it.
944 The last probe of the cycle is always 1 byte in size - this is to make sure we'll get at least one
945 reply per cycle so that we can make progress. */
946 const length_t offset = powf(interval, multiplier * cycle_position / (probes_per_cycle - 1));
948 send_udp_probe_packet(n, minmtu + offset);
949 if(n->mtuprobes >= 0)
953 n->probe_counter = 0;
954 n->probe_sent_time = now;
957 /* Calculate the packet loss of incoming traffic by comparing the rate of
958 packets received to the rate with which the sequence number has increased.
959 TODO: this is unrelated to PMTU discovery - it should be moved elsewhere.
962 if(n->received > n->prev_received)
963 n->packetloss = 1.0 - (n->received - n->prev_received) / (float)(n->received_seqno - n->prev_received_seqno);
965 n->packetloss = n->received_seqno <= n->prev_received_seqno;
967 n->prev_received_seqno = n->received_seqno;
968 n->prev_received = n->received;
971 // This function tries to establish a tunnel to a node (or its relay) so that packets can be sent (e.g. get SPTPS keys).
972 // If a tunnel is already established, it tries to improve it (e.g. by trying to establish a UDP tunnel instead of TCP).
973 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if TCP and/or UDP is usable.
974 // By calling this function repeatedly, the tunnel is gradually improved until we hit the wall imposed by the underlying network environment.
975 // It is recommended to call this function every time a packet is sent (or intended to be sent) to a node,
976 // so that the tunnel keeps improving as packets flow, and then gracefully downgrades itself as it goes idle.
977 static void try_tx(node_t *n) {
978 /* If n is a TCP-only neighbor, we'll only use "cleartext" PACKET
979 messages anyway, so there's no need for SPTPS at all. Otherwise, get the keys. */
980 if(n->status.sptps && !(n->connection && ((myself->options | n->options) & OPTION_TCPONLY))) {
982 if (!n->status.validkey)
986 node_t *via = (n->via == myself) ? n->nexthop : n->via;
988 if((myself->options | via->options) & OPTION_TCPONLY)
991 if(!n->status.sptps && !via->status.validkey && via->last_req_key + 10 <= now.tv_sec) {
993 via->last_req_key = now.tv_sec;
994 } else if(via == n || !n->status.sptps || (via->options >> 24) >= 4) {
999 /* If we don't know how to reach "via" yet, then try to reach it through a relay. */
1000 if(n->status.sptps && !via->status.udp_confirmed && via->nexthop != via && (via->nexthop->options >> 24) >= 4)
1001 try_tx(via->nexthop);
1005 send a packet to the given vpn ip.
1007 void send_packet(node_t *n, vpn_packet_t *packet) {
1012 memcpy(DATA(packet), mymac.x, ETH_ALEN);
1014 n->out_bytes += packet->len;
1015 devops.write(packet);
1019 logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)",
1020 packet->len, n->name, n->hostname);
1022 if(!n->status.reachable) {
1023 logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable",
1024 n->name, n->hostname);
1029 n->out_bytes += packet->len;
1031 if(n->status.sptps) {
1032 send_sptps_packet(n, packet);
1036 via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
1039 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet to %s via %s (%s)",
1040 n->name, via->name, n->via->hostname);
1042 if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
1043 if(!send_tcppacket(via->connection, packet))
1044 terminate_connection(via->connection, true);
1046 send_udppacket(via, packet);
1049 /* Try to improve the tunnel.
1050 Note that we do this *after* we send the packet because sending actual packets take priority
1051 with regard to the send buffer space and latency. */
1055 /* Broadcast a packet using the minimum spanning tree */
1057 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
1058 // Always give ourself a copy of the packet.
1060 send_packet(myself, packet);
1062 // In TunnelServer mode, do not forward broadcast packets.
1063 // The MST might not be valid and create loops.
1064 if(tunnelserver || broadcast_mode == BMODE_NONE)
1067 logger(DEBUG_TRAFFIC, LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
1068 packet->len, from->name, from->hostname);
1070 switch(broadcast_mode) {
1071 // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
1072 // This guarantees all nodes receive the broadcast packet, and
1073 // usually distributes the sending of broadcast packets over all nodes.
1075 for list_each(connection_t, c, connection_list)
1076 if(c->edge && c->status.mst && c != from->nexthop->connection)
1077 send_packet(c->node, packet);
1080 // In direct mode, we send copies to each node we know of.
1081 // However, this only reaches nodes that can be reached in a single hop.
1082 // We don't have enough information to forward broadcast packets in this case.
1087 for splay_each(node_t, n, node_tree)
1088 if(n->status.reachable && n != myself && ((n->via == myself && n->nexthop == n) || n->via == n))
1089 send_packet(n, packet);
1097 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
1100 static time_t last_hard_try = 0;
1102 for splay_each(edge_t, e, edge_weight_tree) {
1103 if(!e->to->status.reachable || e->to == myself)
1106 if(sockaddrcmp_noport(from, &e->address)) {
1107 if(last_hard_try == now.tv_sec)
1112 if(!try_mac(e->to, pkt))
1120 last_hard_try = now.tv_sec;
1122 last_hard_try = now.tv_sec;
1126 void handle_incoming_vpn_data(void *data, int flags) {
1127 listen_socket_t *ls = data;
1130 node_id_t nullid = {};
1131 sockaddr_t addr = {};
1132 socklen_t addrlen = sizeof addr;
1134 bool direct = false;
1137 int len = recvfrom(ls->udp.fd, DATA(&pkt), MAXSIZE, 0, &addr.sa, &addrlen);
1139 if(len <= 0 || len > MAXSIZE) {
1140 if(!sockwouldblock(sockerrno))
1141 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
1147 sockaddrunmap(&addr); /* Some braindead IPv6 implementations do stupid things. */
1149 // Try to figure out who sent this packet.
1151 node_t *n = lookup_node_udp(&addr);
1154 // It might be from a 1.1 node, which might have a source ID in the packet.
1155 pkt.offset = 2 * sizeof(node_id_t);
1156 from = lookup_node_id(SRCID(&pkt));
1157 if(from && !memcmp(DSTID(&pkt), &nullid, sizeof nullid) && from->status.sptps) {
1158 if(sptps_verify_datagram(&from->sptps, DATA(&pkt), pkt.len - 2 * sizeof(node_id_t)))
1167 n = try_harder(&addr, &pkt);
1172 if(debug_level >= DEBUG_PROTOCOL) {
1173 hostname = sockaddr2hostname(&addr);
1174 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
1180 if(n->status.sptps) {
1181 pkt.offset = 2 * sizeof(node_id_t);
1183 if(!memcmp(DSTID(&pkt), &nullid, sizeof nullid)) {
1188 from = lookup_node_id(SRCID(&pkt));
1189 to = lookup_node_id(DSTID(&pkt));
1192 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from %s (%s) with unknown source and/or destination ID", n->name, n->hostname);
1197 send_sptps_data_priv(to, n, 0, DATA(&pkt), pkt.len - 2 * sizeof(node_id_t));
1206 if(!receive_udppacket(from, &pkt))
1209 n->sock = ls - listen_socket;
1210 if(direct && sockaddrcmp(&addr, &n->address))
1211 update_node_udp(n, &addr);
1214 void handle_device_data(void *data, int flags) {
1215 vpn_packet_t packet;
1216 packet.offset = DEFAULT_PACKET_OFFSET;
1217 packet.priority = 0;
1219 if(devops.read(&packet)) {
1220 myself->in_packets++;
1221 myself->in_bytes += packet.len;
1222 route(myself, &packet);
projects / tinc / blob