2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2014 Guus Sliepen <guus@tinc-vpn.org>
5 2010 Timothy Redaelli <timothy@redaelli.eu>
6 2010 Brandon Black <blblack@gmail.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
35 #include "connection.h"
50 #define MAX(a, b) ((a) > (b) ? (a) : (b))
55 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
58 static void send_udppacket(node_t *, vpn_packet_t *);
60 unsigned replaywin = 16;
61 bool localdiscovery = true;
62 bool udp_discovery = true;
63 int udp_discovery_interval = 9;
64 int udp_discovery_timeout = 30;
66 #define MAX_SEQNO 1073741824
68 static void try_fix_mtu(node_t *n) {
72 if(n->mtuprobes == 90 || n->minmtu >= n->maxmtu) {
73 if(n->minmtu > n->maxmtu)
74 n->minmtu = n->maxmtu;
76 n->maxmtu = n->minmtu;
78 logger(DEBUG_TRAFFIC, LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
83 static void udp_probe_timeout_handler(void *data) {
85 if(!n->status.udp_confirmed)
88 logger(DEBUG_TRAFFIC, LOG_INFO, "Too much time has elapsed since last UDP ping response from %s (%s), stopping UDP communication", n->name, n->hostname);
89 n->status.udp_confirmed = false;
95 static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
96 if(!DATA(packet)[0]) {
97 logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request %d from %s (%s)", packet->len, n->name, n->hostname);
99 /* It's a probe request, send back a reply */
101 /* Type 2 probe replies were introduced in protocol 17.3 */
102 if ((n->options >> 24) >= 3) {
103 uint8_t *data = DATA(packet);
105 uint16_t len16 = htons(len); memcpy(data, &len16, 2); data += 2;
107 gettimeofday(&now, NULL);
108 uint32_t sec = htonl(now.tv_sec); memcpy(data, &sec, 4); data += 4;
109 uint32_t usec = htonl(now.tv_usec); memcpy(data, &usec, 4); data += 4;
112 /* Legacy protocol: n won't understand type 2 probe replies. */
116 /* Temporarily set udp_confirmed, so that the reply is sent
117 back exactly the way it came in. */
119 bool udp_confirmed = n->status.udp_confirmed;
120 n->status.udp_confirmed = true;
121 send_udppacket(n, packet);
122 n->status.udp_confirmed = udp_confirmed;
124 length_t probelen = len;
125 if (DATA(packet)[0] == 2) {
127 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received invalid (too short) UDP probe reply from %s (%s)", n->name, n->hostname);
129 uint16_t probelen16; memcpy(&probelen16, DATA(packet) + 1, 2); probelen = ntohs(probelen16);
132 logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], probelen, n->name, n->hostname);
134 /* It's a valid reply: now we know bidirectional communication
135 is possible using the address and socket that the reply
137 n->status.udp_confirmed = true;
140 timeout_del(&n->udp_ping_timeout);
141 timeout_add(&n->udp_ping_timeout, &udp_probe_timeout_handler, n, &(struct timeval){udp_discovery_timeout, 0});
144 if(probelen >= n->maxmtu + 8) {
145 logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
151 /* If applicable, raise the minimum supported MTU */
153 if(probelen > n->maxmtu)
154 probelen = n->maxmtu;
155 if(n->minmtu < probelen) {
156 n->minmtu = probelen;
160 /* Calculate RTT and bandwidth.
161 The RTT is the time between the MTU probe burst was sent and the first
162 reply is received. The bandwidth is measured using the time between the
163 arrival of the first and third probe reply (or type 2 probe requests).
166 struct timeval now, diff;
167 gettimeofday(&now, NULL);
168 timersub(&now, &n->probe_time, &diff);
170 struct timeval probe_timestamp = now;
171 if (DATA(packet)[0] == 2 && packet->len >= 11) {
172 uint32_t sec; memcpy(&sec, DATA(packet) + 3, 4);
173 uint32_t usec; memcpy(&usec, DATA(packet) + 7, 4);
174 probe_timestamp.tv_sec = ntohl(sec);
175 probe_timestamp.tv_usec = ntohl(usec);
180 if(n->probe_counter == 1) {
181 n->rtt = diff.tv_sec + diff.tv_usec * 1e-6;
182 n->probe_time = probe_timestamp;
183 } else if(n->probe_counter == 3) {
184 /* TODO: this will never fire - we're not sending batches of three anymore. */
185 struct timeval probe_timestamp_diff;
186 timersub(&probe_timestamp, &n->probe_time, &probe_timestamp_diff);
187 n->bandwidth = 2.0 * probelen / (probe_timestamp_diff.tv_sec + probe_timestamp_diff.tv_usec * 1e-6);
188 logger(DEBUG_TRAFFIC, LOG_DEBUG, "%s (%s) RTT %.2f ms, burst bandwidth %.3f Mbit/s, rx packet loss %.2f %%", n->name, n->hostname, n->rtt * 1e3, n->bandwidth * 8e-6, n->packetloss * 1e2);
193 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
195 memcpy(dest, source, len);
197 } else if(level == 10) {
199 lzo_uint lzolen = MAXSIZE;
200 lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
205 } else if(level < 10) {
207 unsigned long destlen = MAXSIZE;
208 if(compress2(dest, &destlen, source, len, level) == Z_OK)
215 lzo_uint lzolen = MAXSIZE;
216 lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
226 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
228 memcpy(dest, source, len);
230 } else if(level > 9) {
232 lzo_uint lzolen = MAXSIZE;
233 if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
241 unsigned long destlen = MAXSIZE;
242 if(uncompress(dest, &destlen, source, len) == Z_OK)
254 static void receive_packet(node_t *n, vpn_packet_t *packet) {
255 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
256 packet->len, n->name, n->hostname);
259 n->in_bytes += packet->len;
264 static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
266 return sptps_verify_datagram(&n->sptps, DATA(inpkt), inpkt->len);
268 #ifdef DISABLE_LEGACY
271 if(!digest_active(n->indigest) || inpkt->len < sizeof(seqno_t) + digest_length(n->indigest))
274 return digest_verify(n->indigest, SEQNO(inpkt), inpkt->len - digest_length(n->indigest), DATA(inpkt) + inpkt->len - digest_length(n->indigest));
278 static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
279 vpn_packet_t pkt1, pkt2;
280 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
283 pkt1.offset = DEFAULT_PACKET_OFFSET;
284 pkt2.offset = DEFAULT_PACKET_OFFSET;
286 if(n->status.sptps) {
287 if(!n->sptps.state) {
288 if(!n->status.waitingforkey) {
289 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but we haven't exchanged keys yet", n->name, n->hostname);
292 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
296 inpkt->offset += 2 * sizeof(node_id_t);
297 if(!sptps_receive_data(&n->sptps, DATA(inpkt), inpkt->len - 2 * sizeof(node_id_t))) {
298 logger(DEBUG_TRAFFIC, LOG_ERR, "Got bad packet from %s (%s)", n->name, n->hostname);
304 #ifdef DISABLE_LEGACY
307 if(!n->status.validkey) {
308 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
312 /* Check packet length */
314 if(inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) {
315 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
316 n->name, n->hostname);
320 /* It's a legacy UDP packet, the data starts after the seqno */
322 inpkt->offset += sizeof(seqno_t);
324 /* Check the message authentication code */
326 if(digest_active(n->indigest)) {
327 inpkt->len -= digest_length(n->indigest);
328 if(!digest_verify(n->indigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
329 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
333 /* Decrypt the packet */
335 if(cipher_active(n->incipher)) {
336 vpn_packet_t *outpkt = pkt[nextpkt++];
339 if(!cipher_decrypt(n->incipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
340 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
344 outpkt->len = outlen;
348 /* Check the sequence number */
351 memcpy(&seqno, SEQNO(inpkt), sizeof seqno);
352 seqno = ntohl(seqno);
353 inpkt->len -= sizeof seqno;
356 if(seqno != n->received_seqno + 1) {
357 if(seqno >= n->received_seqno + replaywin * 8) {
358 if(n->farfuture++ < replaywin >> 2) {
359 logger(DEBUG_ALWAYS, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
360 n->name, n->hostname, seqno - n->received_seqno - 1, n->farfuture);
363 logger(DEBUG_ALWAYS, LOG_WARNING, "Lost %d packets from %s (%s)",
364 seqno - n->received_seqno - 1, n->name, n->hostname);
365 memset(n->late, 0, replaywin);
366 } else if (seqno <= n->received_seqno) {
367 if((n->received_seqno >= replaywin * 8 && seqno <= n->received_seqno - replaywin * 8) || !(n->late[(seqno / 8) % replaywin] & (1 << seqno % 8))) {
368 logger(DEBUG_ALWAYS, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
369 n->name, n->hostname, seqno, n->received_seqno);
373 for(int i = n->received_seqno + 1; i < seqno; i++)
374 n->late[(i / 8) % replaywin] |= 1 << i % 8;
379 n->late[(seqno / 8) % replaywin] &= ~(1 << seqno % 8);
382 if(seqno > n->received_seqno)
383 n->received_seqno = seqno;
387 if(n->received_seqno > MAX_SEQNO)
390 /* Decompress the packet */
392 length_t origlen = inpkt->len;
394 if(n->incompression) {
395 vpn_packet_t *outpkt = pkt[nextpkt++];
397 if((outpkt->len = uncompress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->incompression)) < 0) {
398 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)",
399 n->name, n->hostname);
405 origlen -= MTU/64 + 20;
410 if(!DATA(inpkt)[12] && !DATA(inpkt)[13])
411 udp_probe_h(n, inpkt, origlen);
413 receive_packet(n, inpkt);
418 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
420 outpkt.offset = DEFAULT_PACKET_OFFSET;
422 if(len > sizeof outpkt.data - outpkt.offset)
426 if(c->options & OPTION_TCPONLY)
429 outpkt.priority = -1;
430 memcpy(DATA(&outpkt), buffer, len);
432 receive_packet(c->node, &outpkt);
435 static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
436 if(!n->status.validkey && !n->connection)
442 if(!(DATA(origpkt)[12] | DATA(origpkt)[13])) {
443 sptps_send_record(&n->sptps, PKT_PROBE, (char *)DATA(origpkt), origpkt->len);
447 if(routing_mode == RMODE_ROUTER)
452 if(origpkt->len < offset)
457 if(n->outcompression) {
459 int len = compress_packet(DATA(&outpkt) + offset, DATA(origpkt) + offset, origpkt->len - offset, n->outcompression);
461 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
462 } else if(len < origpkt->len - offset) {
463 outpkt.len = len + offset;
465 type |= PKT_COMPRESSED;
469 /* If we have a direct metaconnection to n, and we can't use UDP, then
470 don't bother with SPTPS and just use a "plaintext" PACKET message.
471 We don't really care about end-to-end security since we're not
472 sending the message through any intermediate nodes. */
473 if(n->connection && origpkt->len > n->minmtu)
474 send_tcppacket(n->connection, origpkt);
476 sptps_send_record(&n->sptps, type, DATA(origpkt) + offset, origpkt->len - offset);
480 static void adapt_socket(const sockaddr_t *sa, int *sock) {
481 /* Make sure we have a suitable socket for the chosen address */
482 if(listen_socket[*sock].sa.sa.sa_family != sa->sa.sa_family) {
483 for(int i = 0; i < listen_sockets; i++) {
484 if(listen_socket[i].sa.sa.sa_family == sa->sa.sa_family) {
492 static void choose_udp_address(const node_t *n, const sockaddr_t **sa, int *sock) {
497 /* If the UDP address is confirmed, use it. */
498 if(n->status.udp_confirmed)
501 /* Send every third packet to n->address; that could be set
502 to the node's reflexive UDP address discovered during key
511 /* Otherwise, address are found in edges to this node.
512 So we pick a random edge and a random socket. */
515 int j = rand() % n->edge_tree->count;
516 edge_t *candidate = NULL;
518 for splay_each(edge_t, e, n->edge_tree) {
520 candidate = e->reverse;
526 *sa = &candidate->address;
527 *sock = rand() % listen_sockets;
530 adapt_socket(*sa, sock);
533 static void choose_local_address(const node_t *n, const sockaddr_t **sa, int *sock) {
536 /* Pick one of the edges from this node at random, then use its local address. */
539 int j = rand() % n->edge_tree->count;
540 edge_t *candidate = NULL;
542 for splay_each(edge_t, e, n->edge_tree) {
549 if (candidate && candidate->local_address.sa.sa_family) {
550 *sa = &candidate->local_address;
551 *sock = rand() % listen_sockets;
552 adapt_socket(*sa, sock);
556 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
557 vpn_packet_t pkt1, pkt2;
558 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
559 vpn_packet_t *inpkt = origpkt;
561 vpn_packet_t *outpkt;
562 int origlen = origpkt->len;
564 #if defined(SOL_IP) && defined(IP_TOS)
565 static int priority = 0;
566 int origpriority = origpkt->priority;
569 pkt1.offset = DEFAULT_PACKET_OFFSET;
570 pkt2.offset = DEFAULT_PACKET_OFFSET;
572 if(!n->status.reachable) {
573 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
578 return send_sptps_packet(n, origpkt);
580 #ifdef DISABLE_LEGACY
583 /* Make sure we have a valid key */
585 if(!n->status.validkey) {
586 logger(DEBUG_TRAFFIC, LOG_INFO,
587 "No valid key known yet for %s (%s), forwarding via TCP",
588 n->name, n->hostname);
589 send_tcppacket(n->nexthop->connection, origpkt);
593 if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (DATA(inpkt)[12] | DATA(inpkt)[13])) {
594 logger(DEBUG_TRAFFIC, LOG_INFO,
595 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
596 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
599 send_packet(n->nexthop, origpkt);
601 send_tcppacket(n->nexthop->connection, origpkt);
606 /* Compress the packet */
608 if(n->outcompression) {
609 outpkt = pkt[nextpkt++];
611 if((outpkt->len = compress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->outcompression)) < 0) {
612 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)",
613 n->name, n->hostname);
620 /* Add sequence number */
622 seqno_t seqno = htonl(++(n->sent_seqno));
623 memcpy(SEQNO(inpkt), &seqno, sizeof seqno);
624 inpkt->len += sizeof seqno;
626 /* Encrypt the packet */
628 if(cipher_active(n->outcipher)) {
629 outpkt = pkt[nextpkt++];
632 if(!cipher_encrypt(n->outcipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
633 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
637 outpkt->len = outlen;
641 /* Add the message authentication code */
643 if(digest_active(n->outdigest)) {
644 if(!digest_create(n->outdigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
645 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
649 inpkt->len += digest_length(n->outdigest);
652 /* Send the packet */
654 const sockaddr_t *sa = NULL;
657 if(n->status.send_locally)
658 choose_local_address(n, &sa, &sock);
660 choose_udp_address(n, &sa, &sock);
662 #if defined(SOL_IP) && defined(IP_TOS)
663 if(priorityinheritance && origpriority != priority
664 && listen_socket[n->sock].sa.sa.sa_family == AF_INET) {
665 priority = origpriority;
666 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
667 if(setsockopt(listen_socket[n->sock].udp.fd, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
668 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
672 if(sendto(listen_socket[sock].udp.fd, SEQNO(inpkt), inpkt->len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
673 if(sockmsgsize(sockerrno)) {
674 if(n->maxmtu >= origlen)
675 n->maxmtu = origlen - 1;
676 if(n->mtu >= origlen)
677 n->mtu = origlen - 1;
680 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
684 origpkt->len = origlen;
688 static bool send_sptps_data_priv(node_t *to, node_t *from, int type, const void *data, size_t len) {
689 node_t *relay = (to->via != myself && (type == PKT_PROBE || (len - SPTPS_DATAGRAM_OVERHEAD) <= to->via->minmtu)) ? to->via : to->nexthop;
690 bool direct = from == myself && to == relay;
691 bool relay_supported = (relay->options >> 24) >= 4;
692 bool tcponly = (myself->options | relay->options) & OPTION_TCPONLY;
694 /* Send it via TCP if it is a handshake packet, TCPOnly is in use, this is a relay packet that the other node cannot understand, or this packet is larger than the MTU.
695 TODO: When relaying, the original sender does not know the end-to-end PMTU (it only knows the PMTU of the first hop).
696 This can lead to scenarios where large packets are sent over UDP to relay, but then relay has no choice but fall back to TCP. */
698 if(type == SPTPS_HANDSHAKE || tcponly || (!direct && !relay_supported) || (type != PKT_PROBE && (len - SPTPS_DATAGRAM_OVERHEAD) > relay->minmtu)) {
699 char buf[len * 4 / 3 + 5];
700 b64encode(data, buf, len);
701 /* If no valid key is known yet, send the packets using ANS_KEY requests,
702 to ensure we get to learn the reflexive UDP address. */
703 if(from == myself && !to->status.validkey) {
704 to->incompression = myself->incompression;
705 return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, from->name, to->name, buf, to->incompression);
707 return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, from->name, to->name, REQ_SPTPS, buf);
712 if(relay_supported) overhead += sizeof to->id + sizeof from->id;
713 char buf[len + overhead]; char* buf_ptr = buf;
714 if(relay_supported) {
716 /* Inform the recipient that this packet was sent directly. */
717 node_id_t nullid = {};
718 memcpy(buf_ptr, &nullid, sizeof nullid); buf_ptr += sizeof nullid;
720 memcpy(buf_ptr, &to->id, sizeof to->id); buf_ptr += sizeof to->id;
722 memcpy(buf_ptr, &from->id, sizeof from->id); buf_ptr += sizeof from->id;
725 /* TODO: if this copy turns out to be a performance concern, change sptps_send_record() to add some "pre-padding" to the buffer and use that instead */
726 memcpy(buf_ptr, data, len); buf_ptr += len;
728 const sockaddr_t *sa = NULL;
730 if(relay->status.send_locally)
731 choose_local_address(relay, &sa, &sock);
733 choose_udp_address(relay, &sa, &sock);
734 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s)", from->name, from->hostname, to->name, to->hostname, relay->name, relay->hostname);
735 if(sendto(listen_socket[sock].udp.fd, buf, buf_ptr - buf, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
736 if(sockmsgsize(sockerrno)) {
737 // Compensate for SPTPS overhead
738 len -= SPTPS_DATAGRAM_OVERHEAD;
739 if(relay->maxmtu >= len)
740 relay->maxmtu = len - 1;
741 if(relay->mtu >= len)
742 relay->mtu = len - 1;
745 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", relay->name, relay->hostname, sockstrerror(sockerrno));
753 bool send_sptps_data(void *handle, uint8_t type, const void *data, size_t len) {
754 return send_sptps_data_priv(handle, myself, type, data, len);
757 bool receive_sptps_record(void *handle, uint8_t type, const void *data, uint16_t len) {
758 node_t *from = handle;
760 if(type == SPTPS_HANDSHAKE) {
761 if(!from->status.validkey) {
762 from->status.validkey = true;
763 from->status.waitingforkey = false;
764 logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) succesful", from->name, from->hostname);
770 logger(DEBUG_ALWAYS, LOG_ERR, "Packet from %s (%s) larger than maximum supported size (%d > %d)", from->name, from->hostname, len, MTU);
775 inpkt.offset = DEFAULT_PACKET_OFFSET;
777 if(type == PKT_PROBE) {
779 memcpy(DATA(&inpkt), data, len);
780 udp_probe_h(from, &inpkt, len);
784 if(type & ~(PKT_COMPRESSED | PKT_MAC)) {
785 logger(DEBUG_ALWAYS, LOG_ERR, "Unexpected SPTPS record type %d len %d from %s (%s)", type, len, from->name, from->hostname);
789 /* Check if we have the headers we need */
790 if(routing_mode != RMODE_ROUTER && !(type & PKT_MAC)) {
791 logger(DEBUG_TRAFFIC, LOG_ERR, "Received packet from %s (%s) without MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
793 } else if(routing_mode == RMODE_ROUTER && (type & PKT_MAC)) {
794 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received packet from %s (%s) with MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
797 int offset = (type & PKT_MAC) ? 0 : 14;
798 if(type & PKT_COMPRESSED) {
799 length_t ulen = uncompress_packet(DATA(&inpkt) + offset, (const uint8_t *)data, len, from->incompression);
803 inpkt.len = ulen + offset;
805 if(inpkt.len > MAXSIZE)
808 memcpy(DATA(&inpkt) + offset, data, len);
809 inpkt.len = len + offset;
812 /* Generate the Ethernet packet type if necessary */
814 switch(DATA(&inpkt)[14] >> 4) {
816 DATA(&inpkt)[12] = 0x08;
817 DATA(&inpkt)[13] = 0x00;
820 DATA(&inpkt)[12] = 0x86;
821 DATA(&inpkt)[13] = 0xDD;
824 logger(DEBUG_TRAFFIC, LOG_ERR,
825 "Unknown IP version %d while reading packet from %s (%s)",
826 DATA(&inpkt)[14] >> 4, from->name, from->hostname);
831 receive_packet(from, &inpkt);
835 // This function tries to get SPTPS keys, if they aren't already known.
836 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if the keys are available.
837 static void try_sptps(node_t *n) {
838 if(n->status.validkey)
841 logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
843 if(!n->status.waitingforkey)
845 else if(n->last_req_key + 10 < now.tv_sec) {
846 logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
847 sptps_stop(&n->sptps);
848 n->status.waitingforkey = false;
855 static void send_udp_probe_packet(node_t *n, int len) {
857 packet.offset = DEFAULT_PACKET_OFFSET;
858 memset(DATA(&packet), 0, 14);
859 randomize(DATA(&packet) + 14, len - 14);
863 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending UDP probe length %d to %s (%s)", len, n->name, n->hostname);
865 send_udppacket(n, &packet);
868 // This function tries to establish a UDP tunnel to a node so that packets can be sent.
869 // If a tunnel is already established, it makes sure it stays up.
870 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if UDP is usable.
871 static void try_udp(node_t* n) {
876 gettimeofday(&now, NULL);
877 struct timeval ping_tx_elapsed;
878 timersub(&now, &n->udp_ping_sent, &ping_tx_elapsed);
880 if(ping_tx_elapsed.tv_sec >= udp_discovery_interval) {
881 send_udp_probe_packet(n, MAX(n->minmtu, 16));
882 n->udp_ping_sent = now;
884 if(localdiscovery && !n->status.udp_confirmed && n->prevedge) {
885 n->status.send_locally = true;
886 send_udp_probe_packet(n, 16);
887 n->status.send_locally = false;
892 // This function tries to determines the MTU of a node.
893 // By calling this function repeatedly, n->minmtu will be progressively increased, and at some point, n->mtu will be fixed to n->minmtu.
894 // If the MTU is already fixed, this function checks if it can be increased.
895 static void try_mtu(node_t *n) {
896 if(!(n->options & OPTION_PMTU_DISCOVERY))
899 if(udp_discovery && !n->status.udp_confirmed) {
906 /* mtuprobes == 0..89: initial discovery, send bursts with 1 second interval, mtuprobes++
907 mtuprobes == 90: fix MTU, and go to -1
908 mtuprobes == -1: send one >maxmtu probe every pingtimeout */
911 gettimeofday(&now, NULL);
912 struct timeval elapsed;
913 timersub(&now, &n->probe_sent_time, &elapsed);
914 if(n->mtuprobes >= 0) {
915 if(n->mtuprobes != 0 && elapsed.tv_sec == 0 && elapsed.tv_usec < 333333)
918 if(elapsed.tv_sec < pingtimeout)
925 if(n->mtuprobes < 0) {
926 /* After the initial discovery, we only send one >maxmtu probe
927 to detect PMTU increases. */
928 if(n->maxmtu + 8 < MTU)
929 send_udp_probe_packet(n, n->maxmtu + 8);
931 /* Probes are sent with random sizes between the
932 lower and upper boundaries for the MTU thus far discovered. */
934 if(n->minmtu < n->maxmtu)
935 len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
936 send_udp_probe_packet(n, MAX(len, 64));
938 if(n->mtuprobes >= 0)
942 n->probe_counter = 0;
943 n->probe_sent_time = now;
946 /* Calculate the packet loss of incoming traffic by comparing the rate of
947 packets received to the rate with which the sequence number has increased.
948 TODO: this is unrelated to PMTU discovery - it should be moved elsewhere.
951 if(n->received > n->prev_received)
952 n->packetloss = 1.0 - (n->received - n->prev_received) / (float)(n->received_seqno - n->prev_received_seqno);
954 n->packetloss = n->received_seqno <= n->prev_received_seqno;
956 n->prev_received_seqno = n->received_seqno;
957 n->prev_received = n->received;
960 // This function tries to establish a tunnel to a node (or its relay) so that packets can be sent (e.g. get SPTPS keys).
961 // If a tunnel is already established, it tries to improve it (e.g. by trying to establish a UDP tunnel instead of TCP).
962 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if TCP and/or UDP is usable.
963 // By calling this function repeatedly, the tunnel is gradually improved until we hit the wall imposed by the underlying network environment.
964 // It is recommended to call this function every time a packet is sent (or intended to be sent) to a node,
965 // so that the tunnel keeps improving as packets flow, and then gracefully downgrades itself as it goes idle.
966 static void try_tx(node_t *n) {
967 /* If n is a TCP-only neighbor, we'll only use "cleartext" PACKET
968 messages anyway, so there's no need for SPTPS at all. Otherwise, get the keys. */
969 if(n->status.sptps && !(n->connection && ((myself->options | n->options) & OPTION_TCPONLY))) {
971 if (!n->status.validkey)
975 node_t *via = (n->via == myself) ? n->nexthop : n->via;
977 if((myself->options | via->options) & OPTION_TCPONLY)
980 if(!n->status.sptps && !via->status.validkey && via->last_req_key + 10 <= now.tv_sec) {
982 via->last_req_key = now.tv_sec;
983 } else if(via == n || !n->status.sptps || (via->options >> 24) >= 4) {
988 /* If we don't know how to reach "via" yet, then try to reach it through a relay. */
989 if(n->status.sptps && !via->status.udp_confirmed && via->nexthop != via && (via->nexthop->options >> 24) >= 4)
990 try_tx(via->nexthop);
994 send a packet to the given vpn ip.
996 void send_packet(node_t *n, vpn_packet_t *packet) {
1001 memcpy(DATA(packet), mymac.x, ETH_ALEN);
1003 n->out_bytes += packet->len;
1004 devops.write(packet);
1008 logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)",
1009 packet->len, n->name, n->hostname);
1011 if(!n->status.reachable) {
1012 logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable",
1013 n->name, n->hostname);
1018 n->out_bytes += packet->len;
1020 if(n->status.sptps) {
1021 send_sptps_packet(n, packet);
1025 via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
1028 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet to %s via %s (%s)",
1029 n->name, via->name, n->via->hostname);
1031 if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
1032 if(!send_tcppacket(via->connection, packet))
1033 terminate_connection(via->connection, true);
1035 send_udppacket(via, packet);
1038 /* Try to improve the tunnel.
1039 Note that we do this *after* we send the packet because sending actual packets take priority
1040 with regard to the send buffer space and latency. */
1044 /* Broadcast a packet using the minimum spanning tree */
1046 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
1047 // Always give ourself a copy of the packet.
1049 send_packet(myself, packet);
1051 // In TunnelServer mode, do not forward broadcast packets.
1052 // The MST might not be valid and create loops.
1053 if(tunnelserver || broadcast_mode == BMODE_NONE)
1056 logger(DEBUG_TRAFFIC, LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
1057 packet->len, from->name, from->hostname);
1059 switch(broadcast_mode) {
1060 // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
1061 // This guarantees all nodes receive the broadcast packet, and
1062 // usually distributes the sending of broadcast packets over all nodes.
1064 for list_each(connection_t, c, connection_list)
1065 if(c->edge && c->status.mst && c != from->nexthop->connection)
1066 send_packet(c->node, packet);
1069 // In direct mode, we send copies to each node we know of.
1070 // However, this only reaches nodes that can be reached in a single hop.
1071 // We don't have enough information to forward broadcast packets in this case.
1076 for splay_each(node_t, n, node_tree)
1077 if(n->status.reachable && n != myself && ((n->via == myself && n->nexthop == n) || n->via == n))
1078 send_packet(n, packet);
1086 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
1089 static time_t last_hard_try = 0;
1091 for splay_each(edge_t, e, edge_weight_tree) {
1092 if(!e->to->status.reachable || e->to == myself)
1095 if(sockaddrcmp_noport(from, &e->address)) {
1096 if(last_hard_try == now.tv_sec)
1101 if(!try_mac(e->to, pkt))
1109 last_hard_try = now.tv_sec;
1111 last_hard_try = now.tv_sec;
1115 void handle_incoming_vpn_data(void *data, int flags) {
1116 listen_socket_t *ls = data;
1119 node_id_t nullid = {};
1120 sockaddr_t addr = {};
1121 socklen_t addrlen = sizeof addr;
1123 bool direct = false;
1126 int len = recvfrom(ls->udp.fd, DATA(&pkt), MAXSIZE, 0, &addr.sa, &addrlen);
1128 if(len <= 0 || len > MAXSIZE) {
1129 if(!sockwouldblock(sockerrno))
1130 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
1136 sockaddrunmap(&addr); /* Some braindead IPv6 implementations do stupid things. */
1138 // Try to figure out who sent this packet.
1140 node_t *n = lookup_node_udp(&addr);
1143 // It might be from a 1.1 node, which might have a source ID in the packet.
1144 pkt.offset = 2 * sizeof(node_id_t);
1145 from = lookup_node_id(SRCID(&pkt));
1146 if(from && !memcmp(DSTID(&pkt), &nullid, sizeof nullid) && from->status.sptps) {
1147 if(sptps_verify_datagram(&from->sptps, DATA(&pkt), pkt.len - 2 * sizeof(node_id_t)))
1156 n = try_harder(&addr, &pkt);
1161 if(debug_level >= DEBUG_PROTOCOL) {
1162 hostname = sockaddr2hostname(&addr);
1163 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
1169 if(n->status.sptps) {
1170 pkt.offset = 2 * sizeof(node_id_t);
1172 if(!memcmp(DSTID(&pkt), &nullid, sizeof nullid)) {
1177 from = lookup_node_id(SRCID(&pkt));
1178 to = lookup_node_id(DSTID(&pkt));
1181 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from %s (%s) with unknown source and/or destination ID", n->name, n->hostname);
1186 send_sptps_data_priv(to, n, 0, DATA(&pkt), pkt.len - 2 * sizeof(node_id_t));
1195 if(!receive_udppacket(from, &pkt))
1198 n->sock = ls - listen_socket;
1199 if(direct && sockaddrcmp(&addr, &n->address))
1200 update_node_udp(n, &addr);
1203 void handle_device_data(void *data, int flags) {
1204 vpn_packet_t packet;
1205 packet.offset = DEFAULT_PACKET_OFFSET;
1206 packet.priority = 0;
1208 if(devops.read(&packet)) {
1209 myself->in_packets++;
1210 myself->in_bytes += packet.len;
1211 route(myself, &packet);