2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2022 Guus Sliepen <guus@tinc-vpn.org>
5 2010 Timothy Redaelli <timothy@redaelli.eu>
6 2010 Brandon Black <blblack@gmail.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
39 #include "address_cache.h"
42 #include "connection.h"
43 #include "compression.h"
57 /* The minimum size of a probe is 14 bytes, but since we normally use CBC mode
58 encryption, we can add a few extra random bytes without increasing the
59 resulting packet size. */
60 #define MIN_PROBE_SIZE 18
64 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
69 #ifdef HAVE_LZ4_BUILTIN
70 static LZ4_stream_t lz4_stream;
72 static void *lz4_state = NULL;
73 #endif // HAVE_LZ4_BUILTIN
77 static void send_udppacket(node_t *, vpn_packet_t *);
79 unsigned replaywin = 32;
80 bool localdiscovery = true;
81 bool udp_discovery = true;
82 int udp_discovery_keepalive_interval = 10;
83 int udp_discovery_interval = 2;
84 int udp_discovery_timeout = 30;
86 #define MAX_SEQNO 1073741824
88 static void try_fix_mtu(node_t *n) {
89 if(n->mtuprobes < 0) {
93 if(n->mtuprobes == 20 || n->minmtu >= n->maxmtu) {
94 if(n->minmtu > n->maxmtu) {
95 n->minmtu = n->maxmtu;
97 n->maxmtu = n->minmtu;
101 logger(DEBUG_TRAFFIC, LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
106 static void reduce_mtu(node_t *n, int mtu) {
111 if(n->maxmtu > mtu) {
122 static void udp_probe_timeout_handler(void *data) {
125 if(!n->status.udp_confirmed) {
129 logger(DEBUG_TRAFFIC, LOG_INFO, "Too much time has elapsed since last UDP ping response from %s (%s), stopping UDP communication", n->name, n->hostname);
130 n->status.udp_confirmed = false;
131 n->udp_ping_rtt = -1;
138 static void send_udp_probe_reply(node_t *n, vpn_packet_t *packet, length_t len) {
139 if(!n->status.sptps && !n->status.validkey) {
140 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP probe reply to %s (%s) but we don't have his key yet", n->name, n->hostname);
144 /* Type 2 probe replies were introduced in protocol 17.3 */
145 if((n->options >> 24) >= 3) {
147 uint16_t len16 = htons(len);
148 memcpy(DATA(packet) + 1, &len16, 2);
149 packet->len = MIN_PROBE_SIZE;
150 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending type 2 probe reply length %u to %s (%s)", len, n->name, n->hostname);
153 /* Legacy protocol: n won't understand type 2 probe replies. */
155 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending type 1 probe reply length %u to %s (%s)", len, n->name, n->hostname);
158 /* Temporarily set udp_confirmed, so that the reply is sent
159 back exactly the way it came in. */
161 bool udp_confirmed = n->status.udp_confirmed;
162 n->status.udp_confirmed = true;
163 send_udppacket(n, packet);
164 n->status.udp_confirmed = udp_confirmed;
167 static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
168 if(!DATA(packet)[0]) {
169 logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request %d from %s (%s)", packet->len, n->name, n->hostname);
170 send_udp_probe_reply(n, packet, len);
174 if(DATA(packet)[0] == 2) {
175 // It's a type 2 probe reply, use the length field inside the packet
177 memcpy(&len16, DATA(packet) + 1, 2);
181 if(n->status.ping_sent) { // a probe in flight
182 gettimeofday(&now, NULL);
184 timersub(&now, &n->udp_ping_sent, &rtt);
185 n->udp_ping_rtt = (int)(rtt.tv_sec * 1000000 + rtt.tv_usec);
186 n->status.ping_sent = false;
187 logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s) rtt=%d.%03d", DATA(packet)[0], len, n->name, n->hostname, n->udp_ping_rtt / 1000, n->udp_ping_rtt % 1000);
189 logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], len, n->name, n->hostname);
192 /* It's a valid reply: now we know bidirectional communication
193 is possible using the address and socket that the reply
195 if(!n->status.udp_confirmed) {
196 n->status.udp_confirmed = true;
198 if(!n->address_cache) {
199 n->address_cache = open_address_cache(n);
202 reset_address_cache(n->address_cache, &n->address);
205 // Reset the UDP ping timer.
208 timeout_del(&n->udp_ping_timeout);
209 timeout_add(&n->udp_ping_timeout, &udp_probe_timeout_handler, n, &(struct timeval) {
210 udp_discovery_timeout, 0
214 if(len > n->maxmtu) {
215 logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
218 /* Set mtuprobes to 1 so that try_mtu() doesn't reset maxmtu */
221 } else if(n->mtuprobes < 0 && len == n->maxmtu) {
222 /* We got a maxmtu sized packet, confirming the PMTU is still valid. */
224 n->mtu_ping_sent = now;
227 /* If applicable, raise the minimum supported MTU */
229 if(n->minmtu < len) {
236 static length_t compress_packet_lz4(uint8_t *dest, const uint8_t *source, length_t len) {
237 #ifdef HAVE_LZ4_BUILTIN
238 return LZ4_compress_fast_extState(&lz4_stream, (const char *) source, (char *) dest, len, MAXSIZE, 0);
241 /* @FIXME: Put this in a better place, and free() it too. */
242 if(lz4_state == NULL) {
243 lz4_state = malloc(LZ4_sizeofState());
246 if(lz4_state == NULL) {
247 logger(DEBUG_ALWAYS, LOG_ERR, "Failed to allocate lz4_state, error: %i", errno);
251 return LZ4_compress_fast_extState(lz4_state, (const char *) source, (char *) dest, len, MAXSIZE, 0);
252 #endif /* HAVE_LZ4_BUILTIN */
254 #endif /* HAVE_LZ4 */
257 static length_t compress_packet_lzo(uint8_t *dest, const uint8_t *source, length_t len, compression_level_t level) {
258 lzo_uint lzolen = MAXSIZE;
261 if(level == COMPRESS_LZO_HI) {
262 result = lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
263 } else { // level == COMPRESS_LZO_LO
264 result = lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
267 if(result == LZO_E_OK) {
275 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, compression_level_t level) {
280 return compress_packet_lz4(dest, source, len);
285 case COMPRESS_LZO_HI:
286 case COMPRESS_LZO_LO:
287 return compress_packet_lzo(dest, source, len, level);
291 case COMPRESS_ZLIB_9:
292 case COMPRESS_ZLIB_8:
293 case COMPRESS_ZLIB_7:
294 case COMPRESS_ZLIB_6:
295 case COMPRESS_ZLIB_5:
296 case COMPRESS_ZLIB_4:
297 case COMPRESS_ZLIB_3:
298 case COMPRESS_ZLIB_2:
299 case COMPRESS_ZLIB_1: {
300 unsigned long dest_len = MAXSIZE;
302 if(compress2(dest, &dest_len, source, len, level) == Z_OK) {
312 memcpy(dest, source, len);
320 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, compression_level_t level) {
325 return LZ4_decompress_safe((char *)source, (char *) dest, len, MAXSIZE);
330 case COMPRESS_LZO_HI:
331 case COMPRESS_LZO_LO: {
332 lzo_uint dst_len = MAXSIZE;
334 if(lzo1x_decompress_safe(source, len, dest, &dst_len, NULL) == LZO_E_OK) {
344 case COMPRESS_ZLIB_9:
345 case COMPRESS_ZLIB_8:
346 case COMPRESS_ZLIB_7:
347 case COMPRESS_ZLIB_6:
348 case COMPRESS_ZLIB_5:
349 case COMPRESS_ZLIB_4:
350 case COMPRESS_ZLIB_3:
351 case COMPRESS_ZLIB_2:
352 case COMPRESS_ZLIB_1: {
353 unsigned long destlen = MAXSIZE;
354 static z_stream stream;
357 inflateReset(&stream);
359 inflateInit(&stream);
362 stream.next_in = source;
363 stream.avail_in = len;
364 stream.next_out = dest;
365 stream.avail_out = destlen;
366 stream.total_out = 0;
368 if(inflate(&stream, Z_FINISH) == Z_STREAM_END) {
369 return stream.total_out;
378 memcpy(dest, source, len);
388 static void receive_packet(node_t *n, vpn_packet_t *packet) {
389 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
390 packet->len, n->name, n->hostname);
393 n->in_bytes += packet->len;
398 static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
399 if(n->status.sptps) {
400 return sptps_verify_datagram(&n->sptps, DATA(inpkt), inpkt->len);
403 #ifdef DISABLE_LEGACY
407 if(!n->status.validkey_in || !digest_active(n->indigest) || (size_t)inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) {
411 return digest_verify(n->indigest, inpkt->data, inpkt->len - digest_length(n->indigest), inpkt->data + inpkt->len - digest_length(n->indigest));
415 static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
416 if(n->status.sptps) {
417 if(!n->sptps.state) {
418 if(!n->status.waitingforkey) {
419 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but we haven't exchanged keys yet", n->name, n->hostname);
422 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
428 n->status.udppacket = true;
429 bool result = sptps_receive_data(&n->sptps, DATA(inpkt), inpkt->len);
430 n->status.udppacket = false;
433 /* Uh-oh. It might be that the tunnel is stuck in some corrupted state,
434 so let's restart SPTPS in case that helps. But don't do that too often
435 to prevent storms, and because that would make life a little too easy
436 for external attackers trying to DoS us. */
437 if(n->last_req_key < now.tv_sec - 10) {
438 logger(DEBUG_PROTOCOL, LOG_ERR, "Failed to decode raw TCP packet from %s (%s), restarting SPTPS", n->name, n->hostname);
448 #ifdef DISABLE_LEGACY
451 vpn_packet_t pkt1, pkt2;
452 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
455 pkt1.offset = DEFAULT_PACKET_OFFSET;
456 pkt2.offset = DEFAULT_PACKET_OFFSET;
458 if(!n->status.validkey_in) {
459 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
463 /* Check packet length */
465 if((size_t)inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) {
466 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
467 n->name, n->hostname);
471 /* It's a legacy UDP packet, the data starts after the seqno */
473 inpkt->offset += sizeof(seqno_t);
475 /* Check the message authentication code */
477 if(digest_active(n->indigest)) {
478 inpkt->len -= digest_length(n->indigest);
480 if(!digest_verify(n->indigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
481 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
486 /* Decrypt the packet */
488 if(cipher_active(n->incipher)) {
489 vpn_packet_t *outpkt = pkt[nextpkt++];
492 if(!cipher_decrypt(n->incipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
493 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
497 outpkt->len = outlen;
501 /* Check the sequence number */
504 memcpy(&seqno, SEQNO(inpkt), sizeof(seqno));
505 seqno = ntohl(seqno);
506 inpkt->len -= sizeof(seqno);
509 if(seqno != n->received_seqno + 1) {
510 if(seqno >= n->received_seqno + replaywin * 8) {
511 if(n->farfuture++ < replaywin >> 2) {
512 logger(DEBUG_TRAFFIC, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
513 n->name, n->hostname, seqno - n->received_seqno - 1, n->farfuture);
517 logger(DEBUG_TRAFFIC, LOG_WARNING, "Lost %d packets from %s (%s)",
518 seqno - n->received_seqno - 1, n->name, n->hostname);
519 memset(n->late, 0, replaywin);
520 } else if(seqno <= n->received_seqno) {
521 if((n->received_seqno >= replaywin * 8 && seqno <= n->received_seqno - replaywin * 8) || !(n->late[(seqno / 8) % replaywin] & (1 << seqno % 8))) {
522 logger(DEBUG_TRAFFIC, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
523 n->name, n->hostname, seqno, n->received_seqno);
527 for(seqno_t i = n->received_seqno + 1; i < seqno; i++) {
528 n->late[(i / 8) % replaywin] |= 1 << i % 8;
534 n->late[(seqno / 8) % replaywin] &= ~(1 << seqno % 8);
537 if(seqno > n->received_seqno) {
538 n->received_seqno = seqno;
543 if(n->received_seqno > MAX_SEQNO) {
547 /* Decompress the packet */
549 length_t origlen = inpkt->len;
551 if(n->incompression != COMPRESS_NONE) {
552 vpn_packet_t *outpkt = pkt[nextpkt++];
554 if(!(outpkt->len = uncompress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->incompression))) {
555 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)",
556 n->name, n->hostname);
562 if(origlen > MTU / 64 + 20) {
563 origlen -= MTU / 64 + 20;
569 if(inpkt->len > n->maxrecentlen) {
570 n->maxrecentlen = inpkt->len;
575 if(!DATA(inpkt)[12] && !DATA(inpkt)[13]) {
576 udp_probe_h(n, inpkt, origlen);
578 receive_packet(n, inpkt);
585 void receive_tcppacket(connection_t *c, const char *buffer, size_t len) {
587 outpkt.offset = DEFAULT_PACKET_OFFSET;
589 if(len > sizeof(outpkt.data) - outpkt.offset) {
595 if(c->options & OPTION_TCPONLY) {
598 outpkt.priority = -1;
601 memcpy(DATA(&outpkt), buffer, len);
603 receive_packet(c->node, &outpkt);
606 bool receive_tcppacket_sptps(connection_t *c, const char *data, size_t len) {
607 if(len < sizeof(node_id_t) + sizeof(node_id_t)) {
608 logger(DEBUG_PROTOCOL, LOG_ERR, "Got too short TCP SPTPS packet from %s (%s)", c->name, c->hostname);
612 node_t *to = lookup_node_id((node_id_t *)data);
613 data += sizeof(node_id_t);
614 len -= sizeof(node_id_t);
617 logger(DEBUG_PROTOCOL, LOG_ERR, "Got TCP SPTPS packet from %s (%s) with unknown destination ID", c->name, c->hostname);
621 node_t *from = lookup_node_id((node_id_t *)data);
622 data += sizeof(node_id_t);
623 len -= sizeof(node_id_t);
626 logger(DEBUG_PROTOCOL, LOG_ERR, "Got TCP SPTPS packet from %s (%s) with unknown source ID", c->name, c->hostname);
630 if(!to->status.reachable) {
631 /* This can happen in the form of a race condition
632 if the node just became unreachable. */
633 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot relay TCP packet from %s (%s) because the destination, %s (%s), is unreachable", from->name, from->hostname, to->name, to->hostname);
637 /* Help the sender reach us over UDP.
638 Note that we only do this if we're the destination or the static relay;
639 otherwise every hop would initiate its own UDP info message, resulting in elevated chatter. */
640 if(to->via == myself) {
641 send_udp_info(myself, from);
644 /* If we're not the final recipient, relay the packet. */
647 if(to->status.validkey) {
648 send_sptps_data(to, from, 0, data, len);
655 /* The packet is for us */
657 if(!sptps_receive_data(&from->sptps, data, len)) {
658 /* Uh-oh. It might be that the tunnel is stuck in some corrupted state,
659 so let's restart SPTPS in case that helps. But don't do that too often
660 to prevent storms. */
661 if(from->last_req_key < now.tv_sec - 10) {
662 logger(DEBUG_PROTOCOL, LOG_ERR, "Failed to decode raw TCP packet from %s (%s), restarting SPTPS", from->name, from->hostname);
669 send_mtu_info(myself, from, MTU);
673 static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
674 if(!n->status.validkey && !n->connection) {
681 if((!(DATA(origpkt)[12] | DATA(origpkt)[13])) && (n->sptps.outstate)) {
682 sptps_send_record(&n->sptps, PKT_PROBE, DATA(origpkt), origpkt->len);
686 if(routing_mode == RMODE_ROUTER) {
692 if(origpkt->len < offset) {
698 if(n->outcompression != COMPRESS_NONE) {
700 length_t len = compress_packet(DATA(&outpkt) + offset, DATA(origpkt) + offset, origpkt->len - offset, n->outcompression);
703 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
704 } else if(len < origpkt->len - offset) {
705 outpkt.len = len + offset;
707 type |= PKT_COMPRESSED;
711 /* If we have a direct metaconnection to n, and we can't use UDP, then
712 don't bother with SPTPS and just use a "plaintext" PACKET message.
713 We don't really care about end-to-end security since we're not
714 sending the message through any intermediate nodes. */
715 if(n->connection && origpkt->len > n->minmtu) {
716 send_tcppacket(n->connection, origpkt);
718 sptps_send_record(&n->sptps, type, DATA(origpkt) + offset, origpkt->len - offset);
722 static void adapt_socket(const sockaddr_t *sa, size_t *sock) {
723 /* Make sure we have a suitable socket for the chosen address */
724 if(listen_socket[*sock].sa.sa.sa_family != sa->sa.sa_family) {
725 for(int i = 0; i < listen_sockets; i++) {
726 if(listen_socket[i].sa.sa.sa_family == sa->sa.sa_family) {
734 static void choose_udp_address(const node_t *n, const sockaddr_t **sa, size_t *sock) {
739 /* If the UDP address is confirmed, use it. */
740 if(n->status.udp_confirmed) {
744 /* Send every third packet to n->address; that could be set
745 to the node's reflexive UDP address discovered during key
755 /* Otherwise, address are found in edges to this node.
756 So we pick a random edge and a random socket. */
759 unsigned int j = prng(n->edge_tree.count);
760 edge_t *candidate = NULL;
762 for splay_each(edge_t, e, &n->edge_tree) {
764 candidate = e->reverse;
770 *sa = &candidate->address;
771 *sock = prng(listen_sockets);
774 adapt_socket(*sa, sock);
777 static void choose_local_address(const node_t *n, const sockaddr_t **sa, size_t *sock) {
780 /* Pick one of the edges from this node at random, then use its local address. */
783 unsigned int j = prng(n->edge_tree.count);
784 edge_t *candidate = NULL;
786 for splay_each(edge_t, e, &n->edge_tree) {
793 if(candidate && candidate->local_address.sa.sa_family) {
794 *sa = &candidate->local_address;
795 *sock = prng(listen_sockets);
796 adapt_socket(*sa, sock);
800 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
801 if(!n->status.reachable) {
802 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
806 if(n->status.sptps) {
807 send_sptps_packet(n, origpkt);
811 #ifdef DISABLE_LEGACY
814 vpn_packet_t pkt1, pkt2;
815 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
816 vpn_packet_t *inpkt = origpkt;
818 vpn_packet_t *outpkt;
819 int origlen = origpkt->len;
821 int origpriority = origpkt->priority;
823 pkt1.offset = DEFAULT_PACKET_OFFSET;
824 pkt2.offset = DEFAULT_PACKET_OFFSET;
826 /* Make sure we have a valid key */
828 if(!n->status.validkey) {
829 logger(DEBUG_TRAFFIC, LOG_INFO,
830 "No valid key known yet for %s (%s), forwarding via TCP",
831 n->name, n->hostname);
832 send_tcppacket(n->nexthop->connection, origpkt);
836 if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (DATA(inpkt)[12] | DATA(inpkt)[13])) {
837 logger(DEBUG_TRAFFIC, LOG_INFO,
838 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
839 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
841 if(n != n->nexthop) {
842 send_packet(n->nexthop, origpkt);
844 send_tcppacket(n->nexthop->connection, origpkt);
850 /* Compress the packet */
852 if(n->outcompression != COMPRESS_NONE) {
853 outpkt = pkt[nextpkt++];
855 if(!(outpkt->len = compress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->outcompression))) {
856 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)",
857 n->name, n->hostname);
864 /* Add sequence number */
866 seqno_t seqno = htonl(++(n->sent_seqno));
867 memcpy(SEQNO(inpkt), &seqno, sizeof(seqno));
868 inpkt->len += sizeof(seqno);
870 /* Encrypt the packet */
872 if(cipher_active(n->outcipher)) {
873 outpkt = pkt[nextpkt++];
876 if(!cipher_encrypt(n->outcipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
877 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
881 outpkt->len = outlen;
885 /* Add the message authentication code */
887 if(digest_active(n->outdigest)) {
888 if(!digest_create(n->outdigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
889 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
893 inpkt->len += digest_length(n->outdigest);
896 /* Send the packet */
898 const sockaddr_t *sa = NULL;
901 if(n->status.send_locally) {
902 choose_local_address(n, &sa, &sock);
906 choose_udp_address(n, &sa, &sock);
909 if(priorityinheritance && origpriority != listen_socket[sock].priority) {
910 listen_socket[sock].priority = origpriority;
912 switch(sa->sa.sa_family) {
916 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting IPv4 outgoing packet priority to %d", origpriority);
918 if(setsockopt(listen_socket[sock].udp.fd, IPPROTO_IP, IP_TOS, (void *)&origpriority, sizeof(origpriority))) { /* SO_PRIORITY doesn't seem to work */
919 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
924 #if defined(IPV6_TCLASS)
927 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting IPv6 outgoing packet priority to %d", origpriority);
929 if(setsockopt(listen_socket[sock].udp.fd, IPPROTO_IPV6, IPV6_TCLASS, (void *)&origpriority, sizeof(origpriority))) { /* SO_PRIORITY doesn't seem to work */
930 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
941 if(sendto(listen_socket[sock].udp.fd, (void *)SEQNO(inpkt), inpkt->len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
942 if(sockmsgsize(sockerrno)) {
943 reduce_mtu(n, origlen - 1);
945 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
950 origpkt->len = origlen;
954 bool send_sptps_data(node_t *to, node_t *from, int type, const void *data, size_t len) {
955 size_t origlen = len - SPTPS_DATAGRAM_OVERHEAD;
956 node_t *relay = (to->via != myself && (type == PKT_PROBE || origlen <= to->via->minmtu)) ? to->via : to->nexthop;
957 bool direct = from == myself && to == relay;
958 bool relay_supported = (relay->options >> 24) >= 4;
959 bool tcponly = (myself->options | relay->options) & OPTION_TCPONLY;
961 /* Send it via TCP if it is a handshake packet, TCPOnly is in use, this is a relay packet that the other node cannot understand, or this packet is larger than the MTU. */
963 if(type == SPTPS_HANDSHAKE || tcponly || (!direct && !relay_supported) || (type != PKT_PROBE && origlen > relay->minmtu)) {
964 if(type != SPTPS_HANDSHAKE && (to->nexthop->connection->options >> 24) >= 7) {
965 const size_t buflen = len + sizeof(to->id) + sizeof(from->id);
966 uint8_t *buf = alloca(buflen);
967 uint8_t *buf_ptr = buf;
968 memcpy(buf_ptr, &to->id, sizeof(to->id));
969 buf_ptr += sizeof(to->id);
970 memcpy(buf_ptr, &from->id, sizeof(from->id));
971 buf_ptr += sizeof(from->id);
972 memcpy(buf_ptr, data, len);
973 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s) (TCP)", from->name, from->hostname, to->name, to->hostname, to->nexthop->name, to->nexthop->hostname);
974 return send_sptps_tcppacket(to->nexthop->connection, buf, buflen);
977 char *buf = alloca(B64_SIZE(len));
978 b64encode_tinc(data, buf, len);
980 /* If this is a handshake packet, use ANS_KEY instead of REQ_KEY, for two reasons:
981 - We don't want intermediate nodes to switch to UDP to relay these packets;
982 - ANS_KEY allows us to learn the reflexive UDP address. */
983 if(type == SPTPS_HANDSHAKE) {
984 to->incompression = myself->incompression;
985 return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, from->name, to->name, buf, to->incompression);
987 return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, from->name, to->name, SPTPS_PACKET, buf);
993 if(relay_supported) {
994 overhead += sizeof(to->id) + sizeof(from->id);
997 char *buf = alloca(len + overhead);
1000 if(relay_supported) {
1002 /* Inform the recipient that this packet was sent directly. */
1003 node_id_t nullid = {0};
1004 memcpy(buf_ptr, &nullid, sizeof(nullid));
1005 buf_ptr += sizeof(nullid);
1007 memcpy(buf_ptr, &to->id, sizeof(to->id));
1008 buf_ptr += sizeof(to->id);
1011 memcpy(buf_ptr, &from->id, sizeof(from->id));
1012 buf_ptr += sizeof(from->id);
1016 /* TODO: if this copy turns out to be a performance concern, change sptps_send_record() to add some "pre-padding" to the buffer and use that instead */
1017 memcpy(buf_ptr, data, len);
1020 const sockaddr_t *sa = NULL;
1023 if(relay->status.send_locally) {
1024 choose_local_address(relay, &sa, &sock);
1028 choose_udp_address(relay, &sa, &sock);
1031 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s) (UDP)", from->name, from->hostname, to->name, to->hostname, relay->name, relay->hostname);
1033 if(sendto(listen_socket[sock].udp.fd, buf, buf_ptr - buf, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
1034 if(sockmsgsize(sockerrno)) {
1035 reduce_mtu(relay, (int)origlen - 1);
1037 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", relay->name, relay->hostname, sockstrerror(sockerrno));
1045 bool receive_sptps_record(void *handle, uint8_t type, const void *data, uint16_t len) {
1046 node_t *from = handle;
1048 if(type == SPTPS_HANDSHAKE) {
1049 if(!from->status.validkey) {
1050 from->status.validkey = true;
1051 from->status.waitingforkey = false;
1052 logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) successful", from->name, from->hostname);
1059 logger(DEBUG_ALWAYS, LOG_ERR, "Packet from %s (%s) larger than maximum supported size (%d > %d)", from->name, from->hostname, len, MTU);
1064 inpkt.offset = DEFAULT_PACKET_OFFSET;
1067 if(type == PKT_PROBE) {
1068 if(!from->status.udppacket) {
1069 logger(DEBUG_ALWAYS, LOG_ERR, "Got SPTPS PROBE packet from %s (%s) via TCP", from->name, from->hostname);
1074 memcpy(DATA(&inpkt), data, len);
1076 if(inpkt.len > from->maxrecentlen) {
1077 from->maxrecentlen = inpkt.len;
1080 udp_probe_h(from, &inpkt, len);
1084 if(type & ~(PKT_COMPRESSED | PKT_MAC)) {
1085 logger(DEBUG_ALWAYS, LOG_ERR, "Unexpected SPTPS record type %d len %d from %s (%s)", type, len, from->name, from->hostname);
1089 /* Check if we have the headers we need */
1090 if(routing_mode != RMODE_ROUTER && !(type & PKT_MAC)) {
1091 logger(DEBUG_TRAFFIC, LOG_ERR, "Received packet from %s (%s) without MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
1093 } else if(routing_mode == RMODE_ROUTER && (type & PKT_MAC)) {
1094 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received packet from %s (%s) with MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
1097 int offset = (type & PKT_MAC) ? 0 : 14;
1099 if(type & PKT_COMPRESSED) {
1100 length_t ulen = uncompress_packet(DATA(&inpkt) + offset, (const uint8_t *)data, len, from->incompression);
1105 inpkt.len = ulen + offset;
1108 if(inpkt.len > MAXSIZE) {
1112 memcpy(DATA(&inpkt) + offset, data, len);
1113 inpkt.len = len + offset;
1116 /* Generate the Ethernet packet type if necessary */
1118 switch(DATA(&inpkt)[14] >> 4) {
1120 DATA(&inpkt)[12] = 0x08;
1121 DATA(&inpkt)[13] = 0x00;
1125 DATA(&inpkt)[12] = 0x86;
1126 DATA(&inpkt)[13] = 0xDD;
1130 logger(DEBUG_TRAFFIC, LOG_ERR,
1131 "Unknown IP version %d while reading packet from %s (%s)",
1132 DATA(&inpkt)[14] >> 4, from->name, from->hostname);
1137 if(from->status.udppacket && inpkt.len > from->maxrecentlen) {
1138 from->maxrecentlen = inpkt.len;
1141 receive_packet(from, &inpkt);
1145 // This function tries to get SPTPS keys, if they aren't already known.
1146 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if the keys are available.
1147 static void try_sptps(node_t *n) {
1148 if(n->status.validkey) {
1152 logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
1154 if(!n->status.waitingforkey) {
1156 } else if(n->last_req_key + 10 < now.tv_sec) {
1157 logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
1158 sptps_stop(&n->sptps);
1159 n->status.waitingforkey = false;
1166 static void send_udp_probe_packet(node_t *n, size_t len) {
1167 vpn_packet_t packet;
1169 if(len > sizeof(packet.data)) {
1170 logger(DEBUG_TRAFFIC, LOG_INFO, "Truncating probe length %lu to %s (%s)", (unsigned long)len, n->name, n->hostname);
1171 len = sizeof(packet.data);
1174 len = MAX(len, MIN_PROBE_SIZE);
1175 packet.offset = DEFAULT_PACKET_OFFSET;
1176 memset(DATA(&packet), 0, 14);
1177 randomize(DATA(&packet) + 14, len - 14);
1179 packet.priority = 0;
1181 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending UDP probe length %lu to %s (%s)", (unsigned long)len, n->name, n->hostname);
1183 send_udppacket(n, &packet);
1186 // This function tries to establish a UDP tunnel to a node so that packets can be sent.
1187 // If a tunnel is already established, it makes sure it stays up.
1188 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if UDP is usable.
1189 static void try_udp(node_t *n) {
1190 if(!udp_discovery) {
1194 /* Send gratuitous probe replies to 1.1 nodes. */
1196 if((n->options >> 24) >= 3 && n->status.udp_confirmed) {
1197 struct timeval ping_tx_elapsed;
1198 timersub(&now, &n->udp_reply_sent, &ping_tx_elapsed);
1200 if(ping_tx_elapsed.tv_sec >= udp_discovery_keepalive_interval - 1) {
1201 n->udp_reply_sent = now;
1203 if(n->maxrecentlen) {
1205 pkt.len = n->maxrecentlen;
1206 pkt.offset = DEFAULT_PACKET_OFFSET;
1207 memset(DATA(&pkt), 0, 14);
1208 randomize(DATA(&pkt) + 14, MIN_PROBE_SIZE - 14);
1209 send_udp_probe_reply(n, &pkt, pkt.len);
1210 n->maxrecentlen = 0;
1217 struct timeval ping_tx_elapsed;
1218 timersub(&now, &n->udp_ping_sent, &ping_tx_elapsed);
1220 int interval = n->status.udp_confirmed
1221 ? udp_discovery_keepalive_interval
1222 : udp_discovery_interval;
1224 if(ping_tx_elapsed.tv_sec >= interval) {
1225 gettimeofday(&now, NULL);
1226 n->udp_ping_sent = now; // a probe in flight
1227 n->status.ping_sent = true;
1228 send_udp_probe_packet(n, MIN_PROBE_SIZE);
1230 if(localdiscovery && !n->status.udp_confirmed && n->prevedge) {
1231 n->status.send_locally = true;
1232 send_udp_probe_packet(n, MIN_PROBE_SIZE);
1233 n->status.send_locally = false;
1238 static length_t choose_initial_maxmtu(node_t *n) {
1243 const sockaddr_t *sa = NULL;
1245 choose_udp_address(n, &sa, &sockindex);
1251 sock = socket(sa->sa.sa_family, SOCK_DGRAM, IPPROTO_UDP);
1254 logger(DEBUG_TRAFFIC, LOG_ERR, "Creating MTU assessment socket for %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
1258 if(connect(sock, &sa->sa, SALEN(sa->sa))) {
1259 logger(DEBUG_TRAFFIC, LOG_ERR, "Connecting MTU assessment socket for %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
1265 socklen_t ip_mtu_len = sizeof(ip_mtu);
1267 if(getsockopt(sock, IPPROTO_IP, IP_MTU, (void *)&ip_mtu, &ip_mtu_len)) {
1268 logger(DEBUG_TRAFFIC, LOG_ERR, "getsockopt(IP_MTU) on %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
1275 if(ip_mtu < MINMTU) {
1276 logger(DEBUG_TRAFFIC, LOG_ERR, "getsockopt(IP_MTU) on %s (%s) returned absurdly small value: %d", n->name, n->hostname, ip_mtu);
1280 /* getsockopt(IP_MTU) returns the MTU of the physical interface.
1281 We need to remove various overheads to get to the tinc MTU. */
1282 length_t mtu = ip_mtu;
1283 mtu -= (sa->sa.sa_family == AF_INET6) ? sizeof(struct ip6_hdr) : sizeof(struct ip);
1286 if(n->status.sptps) {
1287 mtu -= SPTPS_DATAGRAM_OVERHEAD;
1289 if((n->options >> 24) >= 4) {
1290 mtu -= sizeof(node_id_t) + sizeof(node_id_t);
1293 #ifndef DISABLE_LEGACY
1295 mtu -= digest_length(n->outdigest);
1297 /* Now it's tricky. We use CBC mode, so the length of the
1298 encrypted payload must be a multiple of the blocksize. The
1299 sequence number is also part of the encrypted payload, so we
1300 must account for it after correcting for the blocksize.
1301 Furthermore, the padding in the last block must be at least
1304 length_t blocksize = cipher_blocksize(n->outcipher);
1320 logger(DEBUG_TRAFFIC, LOG_INFO, "Using system-provided maximum tinc MTU for %s (%s): %hd", n->name, n->hostname, mtu);
1329 /* This function tries to determines the MTU of a node.
1330 By calling this function repeatedly, n->minmtu will be progressively
1331 increased, and at some point, n->mtu will be fixed to n->minmtu. If the MTU
1332 is already fixed, this function checks if it can be increased.
1335 static void try_mtu(node_t *n) {
1336 if(!(n->options & OPTION_PMTU_DISCOVERY)) {
1340 if(udp_discovery && !n->status.udp_confirmed) {
1341 n->maxrecentlen = 0;
1348 /* mtuprobes == 0..19: initial discovery, send bursts with 1 second interval, mtuprobes++
1349 mtuprobes == 20: fix MTU, and go to -1
1350 mtuprobes == -1: send one maxmtu and one maxmtu+1 probe every pinginterval
1351 mtuprobes ==-2..-3: send one maxmtu probe every second
1352 mtuprobes == -4: maxmtu no longer valid, reset minmtu and maxmtu and go to 0 */
1354 struct timeval elapsed;
1355 timersub(&now, &n->mtu_ping_sent, &elapsed);
1357 if(n->mtuprobes >= 0) {
1358 if(n->mtuprobes != 0 && elapsed.tv_sec == 0 && elapsed.tv_usec < 333333) {
1362 if(n->mtuprobes < -1) {
1363 if(elapsed.tv_sec < 1) {
1367 if(elapsed.tv_sec < pinginterval) {
1373 n->mtu_ping_sent = now;
1377 if(n->mtuprobes < -3) {
1378 /* We lost three MTU probes, restart discovery */
1379 logger(DEBUG_TRAFFIC, LOG_INFO, "Decrease in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
1384 if(n->mtuprobes < 0) {
1385 /* After the initial discovery, we only send one maxmtu and one
1386 maxmtu+1 probe to detect PMTU increases. */
1387 send_udp_probe_packet(n, n->maxmtu);
1389 if(n->mtuprobes == -1 && n->maxmtu + 1 < MTU) {
1390 send_udp_probe_packet(n, n->maxmtu + 1);
1395 /* Before initial discovery begins, set maxmtu to the most likely value.
1396 If it's underestimated, we will correct it after initial discovery. */
1397 if(n->mtuprobes == 0) {
1398 n->maxmtu = choose_initial_maxmtu(n);
1402 /* Decreasing the number of probes per cycle might make the algorithm react faster to lost packets,
1403 but it will typically increase convergence time in the no-loss case. */
1404 const length_t probes_per_cycle = 8;
1406 /* This magic value was determined using math simulations.
1407 It will result in a 1329-byte first probe, followed (if there was a reply) by a 1407-byte probe.
1408 Since 1407 is just below the range of tinc MTUs over typical networks,
1409 this fine-tuning allows tinc to cover a lot of ground very quickly.
1410 This fine-tuning is only valid for maxmtu = MTU; if maxmtu is smaller,
1411 then it's better to use a multiplier of 1. Indeed, this leads to an interesting scenario
1412 if choose_initial_maxmtu() returns the actual MTU value - it will get confirmed with one single probe. */
1413 const float multiplier = (n->maxmtu == MTU) ? 0.97f : 1.0f;
1415 const float cycle_position = (float) probes_per_cycle - (float)(n->mtuprobes % probes_per_cycle) - 1.0f;
1416 const length_t minmtu = MAX(n->minmtu, MINMTU);
1417 const float interval = (float)(n->maxmtu - minmtu);
1419 length_t offset = 0;
1421 /* powf can be underflowed if n->maxmtu is less than 512 due to the minmtu MAX bound */
1423 /* The core of the discovery algorithm is this exponential.
1424 It produces very large probes early in the cycle, and then it very quickly decreases the probe size.
1425 This reflects the fact that in the most difficult cases, we don't get any feedback for probes that
1426 are too large, and therefore we need to concentrate on small offsets so that we can quickly converge
1427 on the precise MTU as we are approaching it.
1428 The last probe of the cycle is always 1 byte in size - this is to make sure we'll get at least one
1429 reply per cycle so that we can make progress. */
1430 offset = lrintf(powf(interval, multiplier * cycle_position / (float)(probes_per_cycle - 1)));
1433 length_t maxmtu = n->maxmtu;
1434 send_udp_probe_packet(n, minmtu + offset);
1436 /* If maxmtu changed, it means the probe was rejected by the system because it was too large.
1437 In that case, we recalculate with the new maxmtu and try again. */
1438 if(n->mtuprobes < 0 || maxmtu == n->maxmtu) {
1443 if(n->mtuprobes >= 0) {
1449 /* These functions try to establish a tunnel to a node (or its relay) so that
1450 packets can be sent (e.g. exchange keys).
1451 If a tunnel is already established, it tries to improve it (e.g. by trying
1452 to establish a UDP tunnel instead of TCP). This function makes no
1453 guarantees - it is up to the caller to check the node's state to figure out
1454 if TCP and/or UDP is usable. By calling this function repeatedly, the
1455 tunnel is gradually improved until we hit the wall imposed by the underlying
1456 network environment. It is recommended to call this function every time a
1457 packet is sent (or intended to be sent) to a node, so that the tunnel keeps
1458 improving as packets flow, and then gracefully downgrades itself as it goes
1462 static void try_tx_sptps(node_t *n, bool mtu) {
1463 /* If n is a TCP-only neighbor, we'll only use "cleartext" PACKET
1464 messages anyway, so there's no need for SPTPS at all. */
1466 if(n->connection && ((myself->options | n->options) & OPTION_TCPONLY)) {
1470 /* Otherwise, try to do SPTPS authentication with n if necessary. */
1474 /* Do we need to statically relay packets? */
1476 node_t *via = (n->via == myself) ? n->nexthop : n->via;
1478 /* If we do have a static relay, try everything with that one instead, if it supports relaying. */
1481 if((via->options >> 24) < 4) {
1489 /* Otherwise, try to establish UDP connectivity. */
1497 /* If we don't have UDP connectivity (yet), we need to use a dynamic relay (nexthop)
1498 while we try to establish direct connectivity. */
1500 if(!n->status.udp_confirmed && n != n->nexthop && (n->nexthop->options >> 24) >= 4) {
1501 try_tx(n->nexthop, mtu);
1505 static void try_tx_legacy(node_t *n, bool mtu) {
1506 /* Does he have our key? If not, send one. */
1508 if(!n->status.validkey_in) {
1512 /* Check if we already have a key, or request one. */
1514 if(!n->status.validkey) {
1515 if(n->last_req_key + 10 <= now.tv_sec) {
1517 n->last_req_key = now.tv_sec;
1530 void try_tx(node_t *n, bool mtu) {
1531 if(!n->status.reachable) {
1535 if(n->status.sptps) {
1536 try_tx_sptps(n, mtu);
1538 try_tx_legacy(n, mtu);
1542 void send_packet(node_t *n, vpn_packet_t *packet) {
1543 // If it's for myself, write it to the tun/tap device.
1547 memcpy(DATA(packet), mymac.x, ETH_ALEN);
1548 // Use an arbitrary fake source address.
1549 memcpy(DATA(packet) + ETH_ALEN, DATA(packet), ETH_ALEN);
1550 DATA(packet)[ETH_ALEN * 2 - 1] ^= 0xFF;
1554 n->out_bytes += packet->len;
1555 devops.write(packet);
1559 logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)", packet->len, n->name, n->hostname);
1561 // If the node is not reachable, drop it.
1563 if(!n->status.reachable) {
1564 logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable", n->name, n->hostname);
1568 // Keep track of packet statistics.
1571 n->out_bytes += packet->len;
1573 // Check if it should be sent as an SPTPS packet.
1575 if(n->status.sptps) {
1576 send_sptps_packet(n, packet);
1581 // Determine which node to actually send it to.
1583 node_t *via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
1586 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet to %s via %s (%s)", n->name, via->name, n->via->hostname);
1589 // Try to send via UDP, unless TCP is forced.
1591 if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
1592 if(!send_tcppacket(via->connection, packet)) {
1593 terminate_connection(via->connection, true);
1599 send_udppacket(via, packet);
1603 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
1604 // Always give ourself a copy of the packet.
1605 if(from != myself) {
1606 send_packet(myself, packet);
1609 // In TunnelServer mode, do not forward broadcast packets.
1610 // The MST might not be valid and create loops.
1611 if(tunnelserver || broadcast_mode == BMODE_NONE) {
1615 logger(DEBUG_TRAFFIC, LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
1616 packet->len, from->name, from->hostname);
1618 switch(broadcast_mode) {
1619 // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
1620 // This guarantees all nodes receive the broadcast packet, and
1621 // usually distributes the sending of broadcast packets over all nodes.
1623 for list_each(connection_t, c, &connection_list)
1624 if(c->edge && c->status.mst && c != from->nexthop->connection) {
1625 send_packet(c->node, packet);
1630 // In direct mode, we send copies to each node we know of.
1631 // However, this only reaches nodes that can be reached in a single hop.
1632 // We don't have enough information to forward broadcast packets in this case.
1634 if(from != myself) {
1638 for splay_each(node_t, n, &node_tree)
1639 if(n->status.reachable && n != myself && ((n->via == myself && n->nexthop == n) || n->via == n)) {
1640 send_packet(n, packet);
1650 /* We got a packet from some IP address, but we don't know who sent it. Try to
1651 verify the message authentication code against all active session keys.
1652 Since this is actually an expensive operation, we only do a full check once
1653 a minute, the rest of the time we only check against nodes for which we know
1654 an IP address that matches the one from the packet. */
1656 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
1657 node_t *match = NULL;
1659 static time_t last_hard_try = 0;
1661 for splay_each(node_t, n, &node_tree) {
1662 if(!n->status.reachable || n == myself) {
1666 if(!n->status.validkey_in && !(n->status.sptps && n->sptps.instate)) {
1672 for splay_each(edge_t, e, &n->edge_tree) {
1677 if(!sockaddrcmp_noport(from, &e->reverse->address)) {
1684 if(last_hard_try == now.tv_sec) {
1691 if(!try_mac(n, pkt)) {
1700 last_hard_try = now.tv_sec;
1706 static void handle_incoming_vpn_packet(listen_socket_t *ls, vpn_packet_t *pkt, sockaddr_t *addr) {
1708 node_id_t nullid = {0};
1710 bool direct = false;
1712 sockaddrunmap(addr); /* Some braindead IPv6 implementations do stupid things. */
1714 // Try to figure out who sent this packet.
1716 node_t *n = lookup_node_udp(addr);
1718 if(n && !n->status.udp_confirmed) {
1719 n = NULL; // Don't believe it if we don't have confirmation yet.
1723 // It might be from a 1.1 node, which might have a source ID in the packet.
1724 pkt->offset = 2 * sizeof(node_id_t);
1725 from = lookup_node_id(SRCID(pkt));
1727 if(from && from->status.sptps && !memcmp(DSTID(pkt), &nullid, sizeof(nullid))) {
1728 if(sptps_verify_datagram(&from->sptps, DATA(pkt), pkt->len - 2 * sizeof(node_id_t))) {
1738 n = try_harder(addr, pkt);
1744 if(debug_level >= DEBUG_PROTOCOL) {
1745 hostname = sockaddr2hostname(addr);
1746 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
1755 if(n->status.sptps) {
1756 bool relay_enabled = (n->options >> 24) >= 4;
1759 pkt->offset = 2 * sizeof(node_id_t);
1760 pkt->len -= pkt->offset;
1763 if(!relay_enabled || !memcmp(DSTID(pkt), &nullid, sizeof(nullid))) {
1768 from = lookup_node_id(SRCID(pkt));
1769 to = lookup_node_id(DSTID(pkt));
1773 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from %s (%s) with unknown source and/or destination ID", n->name, n->hostname);
1777 if(!to->status.reachable) {
1778 /* This can happen in the form of a race condition
1779 if the node just became unreachable. */
1780 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot relay packet from %s (%s) because the destination, %s (%s), is unreachable", from->name, from->hostname, to->name, to->hostname);
1784 /* The packet is supposed to come from the originator or its static relay
1785 (i.e. with no dynamic relays in between).
1786 If it did not, "help" the static relay by sending it UDP info.
1787 Note that we only do this if we're the destination or the static relay;
1788 otherwise every hop would initiate its own UDP info message, resulting in elevated chatter. */
1790 if(n != from->via && to->via == myself) {
1791 send_udp_info(myself, from);
1794 /* If we're not the final recipient, relay the packet. */
1797 send_sptps_data(to, from, 0, DATA(pkt), pkt->len);
1806 if(!receive_udppacket(from, pkt)) {
1810 n->sock = ls - listen_socket;
1812 if(direct && sockaddrcmp(addr, &n->address)) {
1813 update_node_udp(n, addr);
1816 /* If the packet went through a relay, help the sender find the appropriate MTU
1817 through the relay path. */
1820 send_mtu_info(myself, n, MTU);
1824 void handle_incoming_vpn_data(void *data, int flags) {
1827 listen_socket_t *ls = data;
1829 #ifdef HAVE_RECVMMSG
1831 static ssize_t num = MAX_MSG;
1832 static vpn_packet_t pkt[MAX_MSG];
1833 static sockaddr_t addr[MAX_MSG];
1834 static struct mmsghdr msg[MAX_MSG];
1835 static struct iovec iov[MAX_MSG];
1837 for(int i = 0; i < num; i++) {
1840 iov[i] = (struct iovec) {
1841 .iov_base = DATA(&pkt[i]),
1845 msg[i].msg_hdr = (struct msghdr) {
1846 .msg_name = &addr[i].sa,
1847 .msg_namelen = sizeof(addr)[i],
1853 num = recvmmsg(ls->udp.fd, msg, MAX_MSG, MSG_DONTWAIT, NULL);
1856 if(!sockwouldblock(sockerrno)) {
1857 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
1863 for(int i = 0; i < num; i++) {
1864 pkt[i].len = msg[i].msg_len;
1866 if(pkt[i].len <= 0 || pkt[i].len > MAXSIZE) {
1870 handle_incoming_vpn_packet(ls, &pkt[i], &addr[i]);
1875 sockaddr_t addr = {0};
1876 socklen_t addrlen = sizeof(addr);
1879 ssize_t len = recvfrom(ls->udp.fd, (void *)DATA(&pkt), MAXSIZE, 0, &addr.sa, &addrlen);
1881 if(len <= 0 || (size_t)len > MAXSIZE) {
1882 if(!sockwouldblock(sockerrno)) {
1883 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
1891 handle_incoming_vpn_packet(ls, &pkt, &addr);
1895 void handle_device_data(void *data, int flags) {
1898 vpn_packet_t packet;
1899 packet.offset = DEFAULT_PACKET_OFFSET;
1900 packet.priority = 0;
1901 static int errors = 0;
1903 if(devops.read(&packet)) {
1905 myself->in_packets++;
1906 myself->in_bytes += packet.len;
1907 route(myself, &packet);
1909 sleep_millis(errors * 50);
1913 logger(DEBUG_ALWAYS, LOG_ERR, "Too many errors from %s, exiting!", device);
projects / tinc / blob