unsigned replaywin = 16;
bool localdiscovery = true;
bool udp_discovery = true;
-int udp_discovery_keepalive_interval = 9;
+int udp_discovery_keepalive_interval = 10;
int udp_discovery_interval = 2;
int udp_discovery_timeout = 30;
logger(DEBUG_TRAFFIC, LOG_INFO, "Too much time has elapsed since last UDP ping response from %s (%s), stopping UDP communication", n->name, n->hostname);
n->status.udp_confirmed = false;
+ n->maxrecentlen = 0;
n->mtuprobes = 0;
n->minmtu = 0;
n->maxmtu = MTU;
}
-static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
- if(!DATA(packet)[0]) {
- /* It's a probe request, send back a reply */
+static void send_udp_probe_reply(node_t *n, vpn_packet_t *packet, length_t len) {
+ if(!n->status.sptps && !n->status.validkey) {
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP probe reply to %s (%s) but we don't have his key yet", n->name, n->hostname);
+ return;
+ }
- if(!n->status.sptps && !n->status.validkey) {
- // But not if we don't have his key.
- logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request from %s (%s) but we don't have his key yet", n->name, n->hostname);
- return;
- }
+ /* Type 2 probe replies were introduced in protocol 17.3 */
+ if ((n->options >> 24) >= 3) {
+ DATA(packet)[0] = 2;
+ uint16_t len16 = htons(len);
+ memcpy(DATA(packet) + 1, &len16, 2);
+ packet->len = MIN_PROBE_SIZE;
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Sending type 2 probe reply length %u to %s (%s)", len, n->name, n->hostname);
+ } else {
+ /* Legacy protocol: n won't understand type 2 probe replies. */
+ DATA(packet)[0] = 1;
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Sending type 1 probe reply length %u to %s (%s)", len, n->name, n->hostname);
+ }
+
+ /* Temporarily set udp_confirmed, so that the reply is sent
+ back exactly the way it came in. */
+
+ bool udp_confirmed = n->status.udp_confirmed;
+ n->status.udp_confirmed = true;
+ send_udppacket(n, packet);
+ n->status.udp_confirmed = udp_confirmed;
+}
+
+static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
+ if(!DATA(packet)[0]) {
logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request %d from %s (%s)", packet->len, n->name, n->hostname);
+ return send_udp_probe_reply(n, packet, len);
+ }
- /* Type 2 probe replies were introduced in protocol 17.3 */
- if ((n->options >> 24) >= 3) {
- uint8_t *data = DATA(packet);
- *data++ = 2;
- uint16_t len16 = htons(len); memcpy(data, &len16, 2); data += 2;
- packet->len = MIN_PROBE_SIZE;
- } else {
- /* Legacy protocol: n won't understand type 2 probe replies. */
- DATA(packet)[0] = 1;
- }
+ if (DATA(packet)[0] == 2) {
+ // It's a type 2 probe reply, use the length field inside the packet
+ uint16_t len16;
+ memcpy(&len16, DATA(packet) + 1, 2);
+ len = ntohs(len16);
+ }
- /* Temporarily set udp_confirmed, so that the reply is sent
- back exactly the way it came in. */
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], len, n->name, n->hostname);
- bool udp_confirmed = n->status.udp_confirmed;
- n->status.udp_confirmed = true;
- send_udppacket(n, packet);
- n->status.udp_confirmed = udp_confirmed;
- } else {
- length_t probelen = len;
- if (DATA(packet)[0] == 2) {
- if (len < 3)
- logger(DEBUG_TRAFFIC, LOG_WARNING, "Received invalid (too short) UDP probe reply from %s (%s)", n->name, n->hostname);
- else {
- uint16_t probelen16; memcpy(&probelen16, DATA(packet) + 1, 2); probelen = ntohs(probelen16);
- }
- }
- logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], probelen, n->name, n->hostname);
+ /* It's a valid reply: now we know bidirectional communication
+ is possible using the address and socket that the reply
+ packet used. */
+ n->status.udp_confirmed = true;
- /* It's a valid reply: now we know bidirectional communication
- is possible using the address and socket that the reply
- packet used. */
- n->status.udp_confirmed = true;
+ // Reset the UDP ping timer.
+ n->udp_ping_sent = now;
- if(udp_discovery) {
- timeout_del(&n->udp_ping_timeout);
- timeout_add(&n->udp_ping_timeout, &udp_probe_timeout_handler, n, &(struct timeval){udp_discovery_timeout, 0});
- }
+ if(udp_discovery) {
+ timeout_del(&n->udp_ping_timeout);
+ timeout_add(&n->udp_ping_timeout, &udp_probe_timeout_handler, n, &(struct timeval){udp_discovery_timeout, 0});
+ }
- if(probelen >= n->maxmtu + 1) {
- logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
- n->maxmtu = MTU;
- /* Set mtuprobes to 1 so that try_mtu() doesn't reset maxmtu */
- n->mtuprobes = 1;
- return;
- }
+ if(len > n->maxmtu) {
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
+ n->minmtu = len;
+ n->maxmtu = MTU;
+ /* Set mtuprobes to 1 so that try_mtu() doesn't reset maxmtu */
+ n->mtuprobes = 1;
+ return;
+ } else if(n->mtuprobes < 0 && len == n->maxmtu) {
+ /* We got a maxmtu sized packet, confirming the PMTU is still valid. */
+ n->mtuprobes = -1;
+ n->mtu_ping_sent = now;
+ }
- /* If applicable, raise the minimum supported MTU */
+ /* If applicable, raise the minimum supported MTU */
- if(probelen > n->maxmtu)
- probelen = n->maxmtu;
- if(n->minmtu < probelen) {
- n->minmtu = probelen;
- try_fix_mtu(n);
- }
+ if(n->minmtu < len) {
+ n->minmtu = len;
+ try_fix_mtu(n);
}
}
#ifdef DISABLE_LEGACY
return false;
#else
- if(!digest_active(n->indigest) || inpkt->len < sizeof(seqno_t) + digest_length(n->indigest))
+ if(!n->status.validkey_in || !digest_active(n->indigest) || inpkt->len < sizeof(seqno_t) + digest_length(n->indigest))
return false;
return digest_verify(n->indigest, SEQNO(inpkt), inpkt->len - digest_length(n->indigest), DATA(inpkt) + inpkt->len - digest_length(n->indigest));
return false;
}
inpkt->offset += 2 * sizeof(node_id_t);
- if(!sptps_receive_data(&n->sptps, DATA(inpkt), inpkt->len - 2 * sizeof(node_id_t))) {
+ n->status.udppacket = true;
+ bool result = sptps_receive_data(&n->sptps, DATA(inpkt), inpkt->len - 2 * sizeof(node_id_t));
+ n->status.udppacket = false;
+
+ if(!result) {
logger(DEBUG_TRAFFIC, LOG_ERR, "Got bad packet from %s (%s)", n->name, n->hostname);
return false;
}
origlen -= MTU/64 + 20;
}
+ if(inpkt->len > n->maxrecentlen)
+ n->maxrecentlen = inpkt->len;
+
inpkt->priority = 0;
if(!DATA(inpkt)[12] && !DATA(inpkt)[13])
inpkt.offset = DEFAULT_PACKET_OFFSET;
if(type == PKT_PROBE) {
+ if(!from->status.udppacket) {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Got SPTPS PROBE packet from %s (%s) via TCP", from->name, from->hostname);
+ return false;
+ }
inpkt.len = len;
memcpy(DATA(&inpkt), data, len);
+ if(inpkt.len > from->maxrecentlen)
+ from->maxrecentlen = inpkt.len;
udp_probe_h(from, &inpkt, len);
return true;
}
}
}
+ if(from->status.udppacket && inpkt.len > from->maxrecentlen)
+ from->maxrecentlen = inpkt.len;
+
receive_packet(from, &inpkt);
return true;
}
if(!udp_discovery)
return;
+ /* Send gratuitous probe replies to 1.1 nodes. */
+
+ if((n->options >> 24) >= 3 && n->status.udp_confirmed) {
+ struct timeval ping_tx_elapsed;
+ timersub(&now, &n->udp_reply_sent, &ping_tx_elapsed);
+
+ if(ping_tx_elapsed.tv_sec >= udp_discovery_keepalive_interval - 1) {
+ n->udp_reply_sent = now;
+ if(n->maxrecentlen) {
+ vpn_packet_t pkt;
+ pkt.len = n->maxrecentlen;
+ pkt.offset = DEFAULT_PACKET_OFFSET;
+ memset(DATA(&pkt), 0, 14);
+ randomize(DATA(&pkt) + 14, MIN_PROBE_SIZE - 14);
+ send_udp_probe_reply(n, &pkt, pkt.len);
+ n->maxrecentlen = 0;
+ }
+ }
+ }
+
+ /* Probe request */
+
struct timeval ping_tx_elapsed;
timersub(&now, &n->udp_ping_sent, &ping_tx_elapsed);
mtu -= SPTPS_DATAGRAM_OVERHEAD;
if((n->options >> 24) >= 4)
mtu -= sizeof(node_id_t) + sizeof(node_id_t);
+#ifndef DISABLE_LEGACY
} else {
mtu -= digest_length(n->outdigest);
}
mtu -= 4; // seqno
+#endif
}
if (mtu < 512) {
return;
if(udp_discovery && !n->status.udp_confirmed) {
+ n->maxrecentlen = 0;
n->mtuprobes = 0;
n->minmtu = 0;
n->maxmtu = MTU;
/* mtuprobes == 0..19: initial discovery, send bursts with 1 second interval, mtuprobes++
mtuprobes == 20: fix MTU, and go to -1
- mtuprobes == -1: send one >maxmtu probe every pinginterval */
+ mtuprobes == -1: send one maxmtu and one maxmtu+1 probe every pinginterval
+ mtuprobes ==-2..-3: send one maxmtu probe every second
+ mtuprobes == -4: maxmtu no longer valid, reset minmtu and maxmtu and go to 0 */
struct timeval elapsed;
timersub(&now, &n->mtu_ping_sent, &elapsed);
if(n->mtuprobes != 0 && elapsed.tv_sec == 0 && elapsed.tv_usec < 333333)
return;
} else {
- if(elapsed.tv_sec < pinginterval)
- return;
+ if(n->mtuprobes < -1) {
+ if(elapsed.tv_sec < 1)
+ return;
+ } else {
+ if(elapsed.tv_sec < pinginterval)
+ return;
+ }
}
n->mtu_ping_sent = now;
try_fix_mtu(n);
+ if(n->mtuprobes < -3) {
+ /* We lost three MTU probes, restart discovery */
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Decrease in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
+ n->mtuprobes = 0;
+ n->minmtu = 0;
+ }
+
if(n->mtuprobes < 0) {
/* After the initial discovery, we only send one maxmtu and one
maxmtu+1 probe to detect PMTU increases. */
send_udp_probe_packet(n, n->maxmtu);
- if(n->maxmtu + 1 < MTU)
+ if(n->mtuprobes == -1 && n->maxmtu + 1 < MTU)
send_udp_probe_packet(n, n->maxmtu + 1);
+ n->mtuprobes--;
} else {
/* Before initial discovery begins, set maxmtu to the most likely value.
If it's underestimated, we will correct it after initial discovery. */
}
}
+/* We got a packet from some IP address, but we don't know who sent it. Try to
+ verify the message authentication code against all active session keys.
+ Since this is actually an expensive operation, we only do a full check once
+ a minute, the rest of the time we only check against nodes for which we know
+ an IP address that matches the one from the packet. */
+
static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
- node_t *n = NULL;
+ node_t *match = NULL;
bool hard = false;
static time_t last_hard_try = 0;
- for splay_each(edge_t, e, edge_weight_tree) {
- if(!e->to->status.reachable || e->to == myself)
+ for splay_each(node_t, n, node_tree) {
+ if(!n->status.reachable || n == myself)
+ continue;
+
+ if((n->status.sptps && !n->sptps.instate) || !n->status.validkey_in)
continue;
- if(sockaddrcmp_noport(from, &e->address)) {
+ bool soft = false;
+
+ for splay_each(edge_t, e, n->edge_tree) {
+ if(!e->reverse)
+ continue;
+ if(!sockaddrcmp_noport(from, &e->reverse->address)) {
+ soft = true;
+ break;
+ }
+ }
+
+ if(!soft) {
if(last_hard_try == now.tv_sec)
continue;
hard = true;
}
- if(!try_mac(e->to, pkt))
+ if(!try_mac(n, pkt))
continue;
- n = e->to;
+ match = n;
break;
}
if(hard)
last_hard_try = now.tv_sec;
- last_hard_try = now.tv_sec;
- return n;
+ return match;
}
void handle_incoming_vpn_data(void *data, int flags) {
node_t *n = lookup_node_udp(&addr);
+ if(n && !n->status.udp_confirmed)
+ n = NULL; // Don't believe it if we don't have confirmation yet.
+
if(!n) {
// It might be from a 1.1 node, which might have a source ID in the packet.
pkt.offset = 2 * sizeof(node_id_t);