2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2021 Guus Sliepen <guus@tinc-vpn.org>
5 2010 Timothy Redaelli <timothy@redaelli.eu>
6 2010 Brandon Black <blblack@gmail.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
40 #include "address_cache.h"
43 #include "connection.h"
60 #define MAX(a, b) ((a) > (b) ? (a) : (b))
63 /* The minimum size of a probe is 14 bytes, but since we normally use CBC mode
64 encryption, we can add a few extra random bytes without increasing the
65 resulting packet size. */
66 #define MIN_PROBE_SIZE 18
70 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
73 #ifdef HAVE_LZ4_BUILTIN
74 static LZ4_stream_t lz4_stream;
76 static void *lz4_state = NULL;
77 #endif /* HAVE_LZ4_BUILTIN */
79 static void send_udppacket(node_t *, vpn_packet_t *);
81 unsigned replaywin = 32;
82 bool localdiscovery = true;
83 bool udp_discovery = true;
84 int udp_discovery_keepalive_interval = 10;
85 int udp_discovery_interval = 2;
86 int udp_discovery_timeout = 30;
88 #define MAX_SEQNO 1073741824
90 static void try_fix_mtu(node_t *n) {
91 if(n->mtuprobes < 0) {
95 if(n->mtuprobes == 20 || n->minmtu >= n->maxmtu) {
96 if(n->minmtu > n->maxmtu) {
97 n->minmtu = n->maxmtu;
99 n->maxmtu = n->minmtu;
103 logger(DEBUG_TRAFFIC, LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
108 static void udp_probe_timeout_handler(void *data) {
111 if(!n->status.udp_confirmed) {
115 logger(DEBUG_TRAFFIC, LOG_INFO, "Too much time has elapsed since last UDP ping response from %s (%s), stopping UDP communication", n->name, n->hostname);
116 n->status.udp_confirmed = false;
117 n->udp_ping_rtt = -1;
124 static void send_udp_probe_reply(node_t *n, vpn_packet_t *packet, length_t len) {
125 if(!n->status.sptps && !n->status.validkey) {
126 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP probe reply to %s (%s) but we don't have his key yet", n->name, n->hostname);
130 /* Type 2 probe replies were introduced in protocol 17.3 */
131 if((n->options >> 24) >= 3) {
133 uint16_t len16 = htons(len);
134 memcpy(DATA(packet) + 1, &len16, 2);
135 packet->len = MIN_PROBE_SIZE;
136 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending type 2 probe reply length %u to %s (%s)", len, n->name, n->hostname);
139 /* Legacy protocol: n won't understand type 2 probe replies. */
141 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending type 1 probe reply length %u to %s (%s)", len, n->name, n->hostname);
144 /* Temporarily set udp_confirmed, so that the reply is sent
145 back exactly the way it came in. */
147 bool udp_confirmed = n->status.udp_confirmed;
148 n->status.udp_confirmed = true;
149 send_udppacket(n, packet);
150 n->status.udp_confirmed = udp_confirmed;
153 static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
154 if(!DATA(packet)[0]) {
155 logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request %d from %s (%s)", packet->len, n->name, n->hostname);
156 send_udp_probe_reply(n, packet, len);
160 if(DATA(packet)[0] == 2) {
161 // It's a type 2 probe reply, use the length field inside the packet
163 memcpy(&len16, DATA(packet) + 1, 2);
167 if(n->status.ping_sent) { // a probe in flight
168 gettimeofday(&now, NULL);
170 timersub(&now, &n->udp_ping_sent, &rtt);
171 n->udp_ping_rtt = rtt.tv_sec * 1000000 + rtt.tv_usec;
172 n->status.ping_sent = false;
173 logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s) rtt=%d.%03d", DATA(packet)[0], len, n->name, n->hostname, n->udp_ping_rtt / 1000, n->udp_ping_rtt % 1000);
175 logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], len, n->name, n->hostname);
178 /* It's a valid reply: now we know bidirectional communication
179 is possible using the address and socket that the reply
181 if(!n->status.udp_confirmed) {
182 n->status.udp_confirmed = true;
184 if(!n->address_cache) {
185 n->address_cache = open_address_cache(n);
188 reset_address_cache(n->address_cache, &n->address);
191 // Reset the UDP ping timer.
194 timeout_del(&n->udp_ping_timeout);
195 timeout_add(&n->udp_ping_timeout, &udp_probe_timeout_handler, n, &(struct timeval) {
196 udp_discovery_timeout, 0
200 if(len > n->maxmtu) {
201 logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
204 /* Set mtuprobes to 1 so that try_mtu() doesn't reset maxmtu */
207 } else if(n->mtuprobes < 0 && len == n->maxmtu) {
208 /* We got a maxmtu sized packet, confirming the PMTU is still valid. */
210 n->mtu_ping_sent = now;
213 /* If applicable, raise the minimum supported MTU */
215 if(n->minmtu < len) {
222 static length_t compress_packet_lz4(uint8_t *dest, const uint8_t *source, length_t len) {
223 #ifdef HAVE_LZ4_BUILTIN
224 return LZ4_compress_fast_extState(&lz4_stream, (const char *) source, (char *) dest, len, MAXSIZE, 0);
227 /* @FIXME: Put this in a better place, and free() it too. */
228 if(lz4_state == NULL) {
229 lz4_state = malloc(LZ4_sizeofState());
232 if(lz4_state == NULL) {
233 logger(DEBUG_ALWAYS, LOG_ERR, "Failed to allocate lz4_state, error: %i", errno);
237 return LZ4_compress_fast_extState(lz4_state, (const char *) source, (char *) dest, len, MAXSIZE, 0);
238 #endif /* HAVE_LZ4_BUILTIN */
240 #endif /* HAVE_LZ4 */
243 static length_t compress_packet_lzo(uint8_t *dest, const uint8_t *source, length_t len, int level) {
244 assert(level == 10 || level == 11);
246 lzo_uint lzolen = MAXSIZE;
250 result = lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
251 } else { // level == 10
252 result = lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
255 if(result == LZO_E_OK) {
263 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
268 return compress_packet_lz4(dest, source, len);
275 return compress_packet_lzo(dest, source, len, level);
288 unsigned long dest_len = MAXSIZE;
290 if(compress2(dest, (unsigned long *) &dest_len, source, len, level) == Z_OK) {
300 memcpy(dest, source, len);
308 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
313 return LZ4_decompress_safe((char *)source, (char *) dest, len, MAXSIZE);
320 lzo_uint dst_len = MAXSIZE;
322 if(lzo1x_decompress_safe(source, len, dest, (lzo_uint *) &dst_len, NULL) == LZO_E_OK) {
341 unsigned long destlen = MAXSIZE;
342 static z_stream stream;
345 inflateReset(&stream);
347 inflateInit(&stream);
350 stream.next_in = source;
351 stream.avail_in = len;
352 stream.next_out = dest;
353 stream.avail_out = destlen;
354 stream.total_out = 0;
356 if(inflate(&stream, Z_FINISH) == Z_STREAM_END) {
357 return stream.total_out;
366 memcpy(dest, source, len);
376 static void receive_packet(node_t *n, vpn_packet_t *packet) {
377 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
378 packet->len, n->name, n->hostname);
381 n->in_bytes += packet->len;
386 static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
387 if(n->status.sptps) {
388 return sptps_verify_datagram(&n->sptps, DATA(inpkt), inpkt->len);
391 #ifdef DISABLE_LEGACY
395 if(!n->status.validkey_in || !digest_active(n->indigest) || (size_t)inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) {
399 return digest_verify(n->indigest, inpkt->data, inpkt->len - digest_length(n->indigest), inpkt->data + inpkt->len - digest_length(n->indigest));
403 static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
404 if(n->status.sptps) {
405 if(!n->sptps.state) {
406 if(!n->status.waitingforkey) {
407 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but we haven't exchanged keys yet", n->name, n->hostname);
410 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
416 n->status.udppacket = true;
417 bool result = sptps_receive_data(&n->sptps, DATA(inpkt), inpkt->len);
418 n->status.udppacket = false;
421 /* Uh-oh. It might be that the tunnel is stuck in some corrupted state,
422 so let's restart SPTPS in case that helps. But don't do that too often
423 to prevent storms, and because that would make life a little too easy
424 for external attackers trying to DoS us. */
425 if(n->last_req_key < now.tv_sec - 10) {
426 logger(DEBUG_PROTOCOL, LOG_ERR, "Failed to decode raw TCP packet from %s (%s), restarting SPTPS", n->name, n->hostname);
436 #ifdef DISABLE_LEGACY
439 vpn_packet_t pkt1, pkt2;
440 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
443 pkt1.offset = DEFAULT_PACKET_OFFSET;
444 pkt2.offset = DEFAULT_PACKET_OFFSET;
446 if(!n->status.validkey_in) {
447 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
451 /* Check packet length */
453 if((size_t)inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) {
454 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
455 n->name, n->hostname);
459 /* It's a legacy UDP packet, the data starts after the seqno */
461 inpkt->offset += sizeof(seqno_t);
463 /* Check the message authentication code */
465 if(digest_active(n->indigest)) {
466 inpkt->len -= digest_length(n->indigest);
468 if(!digest_verify(n->indigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
469 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
474 /* Decrypt the packet */
476 if(cipher_active(n->incipher)) {
477 vpn_packet_t *outpkt = pkt[nextpkt++];
480 if(!cipher_decrypt(n->incipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
481 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
485 outpkt->len = outlen;
489 /* Check the sequence number */
492 memcpy(&seqno, SEQNO(inpkt), sizeof(seqno));
493 seqno = ntohl(seqno);
494 inpkt->len -= sizeof(seqno);
497 if(seqno != n->received_seqno + 1) {
498 if(seqno >= n->received_seqno + replaywin * 8) {
499 if(n->farfuture++ < replaywin >> 2) {
500 logger(DEBUG_TRAFFIC, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
501 n->name, n->hostname, seqno - n->received_seqno - 1, n->farfuture);
505 logger(DEBUG_TRAFFIC, LOG_WARNING, "Lost %d packets from %s (%s)",
506 seqno - n->received_seqno - 1, n->name, n->hostname);
507 memset(n->late, 0, replaywin);
508 } else if(seqno <= n->received_seqno) {
509 if((n->received_seqno >= replaywin * 8 && seqno <= n->received_seqno - replaywin * 8) || !(n->late[(seqno / 8) % replaywin] & (1 << seqno % 8))) {
510 logger(DEBUG_TRAFFIC, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
511 n->name, n->hostname, seqno, n->received_seqno);
515 for(seqno_t i = n->received_seqno + 1; i < seqno; i++) {
516 n->late[(i / 8) % replaywin] |= 1 << i % 8;
522 n->late[(seqno / 8) % replaywin] &= ~(1 << seqno % 8);
525 if(seqno > n->received_seqno) {
526 n->received_seqno = seqno;
531 if(n->received_seqno > MAX_SEQNO) {
535 /* Decompress the packet */
537 length_t origlen = inpkt->len;
539 if(n->incompression) {
540 vpn_packet_t *outpkt = pkt[nextpkt++];
542 if(!(outpkt->len = uncompress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->incompression))) {
543 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)",
544 n->name, n->hostname);
550 if(origlen > MTU / 64 + 20) {
551 origlen -= MTU / 64 + 20;
557 if(inpkt->len > n->maxrecentlen) {
558 n->maxrecentlen = inpkt->len;
563 if(!DATA(inpkt)[12] && !DATA(inpkt)[13]) {
564 udp_probe_h(n, inpkt, origlen);
566 receive_packet(n, inpkt);
573 void receive_tcppacket(connection_t *c, const char *buffer, size_t len) {
575 outpkt.offset = DEFAULT_PACKET_OFFSET;
577 if(len > sizeof(outpkt.data) - outpkt.offset) {
583 if(c->options & OPTION_TCPONLY) {
586 outpkt.priority = -1;
589 memcpy(DATA(&outpkt), buffer, len);
591 receive_packet(c->node, &outpkt);
594 bool receive_tcppacket_sptps(connection_t *c, const char *data, size_t len) {
595 if(len < sizeof(node_id_t) + sizeof(node_id_t)) {
596 logger(DEBUG_PROTOCOL, LOG_ERR, "Got too short TCP SPTPS packet from %s (%s)", c->name, c->hostname);
600 node_t *to = lookup_node_id((node_id_t *)data);
601 data += sizeof(node_id_t);
602 len -= sizeof(node_id_t);
605 logger(DEBUG_PROTOCOL, LOG_ERR, "Got TCP SPTPS packet from %s (%s) with unknown destination ID", c->name, c->hostname);
609 node_t *from = lookup_node_id((node_id_t *)data);
610 data += sizeof(node_id_t);
611 len -= sizeof(node_id_t);
614 logger(DEBUG_PROTOCOL, LOG_ERR, "Got TCP SPTPS packet from %s (%s) with unknown source ID", c->name, c->hostname);
618 if(!to->status.reachable) {
619 /* This can happen in the form of a race condition
620 if the node just became unreachable. */
621 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot relay TCP packet from %s (%s) because the destination, %s (%s), is unreachable", from->name, from->hostname, to->name, to->hostname);
625 /* Help the sender reach us over UDP.
626 Note that we only do this if we're the destination or the static relay;
627 otherwise every hop would initiate its own UDP info message, resulting in elevated chatter. */
628 if(to->via == myself) {
629 send_udp_info(myself, from);
632 /* If we're not the final recipient, relay the packet. */
635 if(to->status.validkey) {
636 send_sptps_data(to, from, 0, data, len);
643 /* The packet is for us */
645 if(!sptps_receive_data(&from->sptps, data, len)) {
646 /* Uh-oh. It might be that the tunnel is stuck in some corrupted state,
647 so let's restart SPTPS in case that helps. But don't do that too often
648 to prevent storms. */
649 if(from->last_req_key < now.tv_sec - 10) {
650 logger(DEBUG_PROTOCOL, LOG_ERR, "Failed to decode raw TCP packet from %s (%s), restarting SPTPS", from->name, from->hostname);
657 send_mtu_info(myself, from, MTU);
661 static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
662 if(!n->status.validkey && !n->connection) {
669 if((!(DATA(origpkt)[12] | DATA(origpkt)[13])) && (n->sptps.outstate)) {
670 sptps_send_record(&n->sptps, PKT_PROBE, (char *)DATA(origpkt), origpkt->len);
674 if(routing_mode == RMODE_ROUTER) {
680 if(origpkt->len < offset) {
686 if(n->outcompression) {
688 length_t len = compress_packet(DATA(&outpkt) + offset, DATA(origpkt) + offset, origpkt->len - offset, n->outcompression);
691 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
692 } else if(len < origpkt->len - offset) {
693 outpkt.len = len + offset;
695 type |= PKT_COMPRESSED;
699 /* If we have a direct metaconnection to n, and we can't use UDP, then
700 don't bother with SPTPS and just use a "plaintext" PACKET message.
701 We don't really care about end-to-end security since we're not
702 sending the message through any intermediate nodes. */
703 if(n->connection && origpkt->len > n->minmtu) {
704 send_tcppacket(n->connection, origpkt);
706 sptps_send_record(&n->sptps, type, DATA(origpkt) + offset, origpkt->len - offset);
712 static void adapt_socket(const sockaddr_t *sa, int *sock) {
713 /* Make sure we have a suitable socket for the chosen address */
714 if(listen_socket[*sock].sa.sa.sa_family != sa->sa.sa_family) {
715 for(int i = 0; i < listen_sockets; i++) {
716 if(listen_socket[i].sa.sa.sa_family == sa->sa.sa_family) {
724 static void choose_udp_address(const node_t *n, const sockaddr_t **sa, int *sock) {
729 /* If the UDP address is confirmed, use it. */
730 if(n->status.udp_confirmed) {
734 /* Send every third packet to n->address; that could be set
735 to the node's reflexive UDP address discovered during key
745 /* Otherwise, address are found in edges to this node.
746 So we pick a random edge and a random socket. */
749 int j = rand() % n->edge_tree->count;
750 edge_t *candidate = NULL;
752 for splay_each(edge_t, e, n->edge_tree) {
754 candidate = e->reverse;
760 *sa = &candidate->address;
761 *sock = rand() % listen_sockets;
764 adapt_socket(*sa, sock);
767 static void choose_local_address(const node_t *n, const sockaddr_t **sa, int *sock) {
770 /* Pick one of the edges from this node at random, then use its local address. */
773 int j = rand() % n->edge_tree->count;
774 edge_t *candidate = NULL;
776 for splay_each(edge_t, e, n->edge_tree) {
783 if(candidate && candidate->local_address.sa.sa_family) {
784 *sa = &candidate->local_address;
785 *sock = rand() % listen_sockets;
786 adapt_socket(*sa, sock);
790 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
791 if(!n->status.reachable) {
792 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
796 if(n->status.sptps) {
797 send_sptps_packet(n, origpkt);
801 #ifdef DISABLE_LEGACY
804 vpn_packet_t pkt1, pkt2;
805 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
806 vpn_packet_t *inpkt = origpkt;
808 vpn_packet_t *outpkt;
809 int origlen = origpkt->len;
811 int origpriority = origpkt->priority;
813 pkt1.offset = DEFAULT_PACKET_OFFSET;
814 pkt2.offset = DEFAULT_PACKET_OFFSET;
816 /* Make sure we have a valid key */
818 if(!n->status.validkey) {
819 logger(DEBUG_TRAFFIC, LOG_INFO,
820 "No valid key known yet for %s (%s), forwarding via TCP",
821 n->name, n->hostname);
822 send_tcppacket(n->nexthop->connection, origpkt);
826 if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (DATA(inpkt)[12] | DATA(inpkt)[13])) {
827 logger(DEBUG_TRAFFIC, LOG_INFO,
828 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
829 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
831 if(n != n->nexthop) {
832 send_packet(n->nexthop, origpkt);
834 send_tcppacket(n->nexthop->connection, origpkt);
840 /* Compress the packet */
842 if(n->outcompression) {
843 outpkt = pkt[nextpkt++];
845 if(!(outpkt->len = compress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->outcompression))) {
846 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)",
847 n->name, n->hostname);
854 /* Add sequence number */
856 seqno_t seqno = htonl(++(n->sent_seqno));
857 memcpy(SEQNO(inpkt), &seqno, sizeof(seqno));
858 inpkt->len += sizeof(seqno);
860 /* Encrypt the packet */
862 if(cipher_active(n->outcipher)) {
863 outpkt = pkt[nextpkt++];
866 if(!cipher_encrypt(n->outcipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
867 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
871 outpkt->len = outlen;
875 /* Add the message authentication code */
877 if(digest_active(n->outdigest)) {
878 if(!digest_create(n->outdigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
879 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
883 inpkt->len += digest_length(n->outdigest);
886 /* Send the packet */
888 const sockaddr_t *sa = NULL;
891 if(n->status.send_locally) {
892 choose_local_address(n, &sa, &sock);
896 choose_udp_address(n, &sa, &sock);
899 if(priorityinheritance && origpriority != listen_socket[sock].priority) {
900 listen_socket[sock].priority = origpriority;
902 switch(sa->sa.sa_family) {
906 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting IPv4 outgoing packet priority to %d", origpriority);
908 if(setsockopt(listen_socket[sock].udp.fd, IPPROTO_IP, IP_TOS, (void *)&origpriority, sizeof(origpriority))) { /* SO_PRIORITY doesn't seem to work */
909 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
914 #if defined(IPV6_TCLASS)
917 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting IPv6 outgoing packet priority to %d", origpriority);
919 if(setsockopt(listen_socket[sock].udp.fd, IPPROTO_IPV6, IPV6_TCLASS, (void *)&origpriority, sizeof(origpriority))) { /* SO_PRIORITY doesn't seem to work */
920 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
931 if(sendto(listen_socket[sock].udp.fd, (void *)SEQNO(inpkt), inpkt->len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
932 if(sockmsgsize(sockerrno)) {
933 if(n->maxmtu >= origlen) {
934 n->maxmtu = origlen - 1;
937 if(n->mtu >= origlen) {
938 n->mtu = origlen - 1;
943 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
948 origpkt->len = origlen;
952 bool send_sptps_data(node_t *to, node_t *from, int type, const void *data, size_t len) {
953 node_t *relay = (to->via != myself && (type == PKT_PROBE || (len - SPTPS_DATAGRAM_OVERHEAD) <= to->via->minmtu)) ? to->via : to->nexthop;
954 bool direct = from == myself && to == relay;
955 bool relay_supported = (relay->options >> 24) >= 4;
956 bool tcponly = (myself->options | relay->options) & OPTION_TCPONLY;
958 /* Send it via TCP if it is a handshake packet, TCPOnly is in use, this is a relay packet that the other node cannot understand, or this packet is larger than the MTU. */
960 if(type == SPTPS_HANDSHAKE || tcponly || (!direct && !relay_supported) || (type != PKT_PROBE && (len - SPTPS_DATAGRAM_OVERHEAD) > relay->minmtu)) {
961 if(type != SPTPS_HANDSHAKE && (to->nexthop->connection->options >> 24) >= 7) {
962 char buf[len + sizeof(to->id) + sizeof(from->id)];
964 memcpy(buf_ptr, &to->id, sizeof(to->id));
965 buf_ptr += sizeof(to->id);
966 memcpy(buf_ptr, &from->id, sizeof(from->id));
967 buf_ptr += sizeof(from->id);
968 memcpy(buf_ptr, data, len);
969 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s) (TCP)", from->name, from->hostname, to->name, to->hostname, to->nexthop->name, to->nexthop->hostname);
970 return send_sptps_tcppacket(to->nexthop->connection, buf, sizeof(buf));
973 char buf[len * 4 / 3 + 5];
974 b64encode(data, buf, len);
976 /* If this is a handshake packet, use ANS_KEY instead of REQ_KEY, for two reasons:
977 - We don't want intermediate nodes to switch to UDP to relay these packets;
978 - ANS_KEY allows us to learn the reflexive UDP address. */
979 if(type == SPTPS_HANDSHAKE) {
980 to->incompression = myself->incompression;
981 return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, from->name, to->name, buf, to->incompression);
983 return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, from->name, to->name, SPTPS_PACKET, buf);
989 if(relay_supported) {
990 overhead += sizeof(to->id) + sizeof(from->id);
993 char buf[len + overhead];
996 if(relay_supported) {
998 /* Inform the recipient that this packet was sent directly. */
999 node_id_t nullid = {0};
1000 memcpy(buf_ptr, &nullid, sizeof(nullid));
1001 buf_ptr += sizeof(nullid);
1003 memcpy(buf_ptr, &to->id, sizeof(to->id));
1004 buf_ptr += sizeof(to->id);
1007 memcpy(buf_ptr, &from->id, sizeof(from->id));
1008 buf_ptr += sizeof(from->id);
1012 /* TODO: if this copy turns out to be a performance concern, change sptps_send_record() to add some "pre-padding" to the buffer and use that instead */
1013 memcpy(buf_ptr, data, len);
1016 const sockaddr_t *sa = NULL;
1019 if(relay->status.send_locally) {
1020 choose_local_address(relay, &sa, &sock);
1024 choose_udp_address(relay, &sa, &sock);
1027 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s) (UDP)", from->name, from->hostname, to->name, to->hostname, relay->name, relay->hostname);
1029 if(sendto(listen_socket[sock].udp.fd, buf, buf_ptr - buf, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
1030 if(sockmsgsize(sockerrno)) {
1031 // Compensate for SPTPS overhead
1032 len -= SPTPS_DATAGRAM_OVERHEAD;
1034 if(relay->maxmtu >= len) {
1035 relay->maxmtu = len - 1;
1038 if(relay->mtu >= len) {
1039 relay->mtu = len - 1;
1044 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", relay->name, relay->hostname, sockstrerror(sockerrno));
1052 bool receive_sptps_record(void *handle, uint8_t type, const void *data, uint16_t len) {
1053 node_t *from = handle;
1055 if(type == SPTPS_HANDSHAKE) {
1056 if(!from->status.validkey) {
1057 from->status.validkey = true;
1058 from->status.waitingforkey = false;
1059 logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) successful", from->name, from->hostname);
1066 logger(DEBUG_ALWAYS, LOG_ERR, "Packet from %s (%s) larger than maximum supported size (%d > %d)", from->name, from->hostname, len, MTU);
1071 inpkt.offset = DEFAULT_PACKET_OFFSET;
1074 if(type == PKT_PROBE) {
1075 if(!from->status.udppacket) {
1076 logger(DEBUG_ALWAYS, LOG_ERR, "Got SPTPS PROBE packet from %s (%s) via TCP", from->name, from->hostname);
1081 memcpy(DATA(&inpkt), data, len);
1083 if(inpkt.len > from->maxrecentlen) {
1084 from->maxrecentlen = inpkt.len;
1087 udp_probe_h(from, &inpkt, len);
1091 if(type & ~(PKT_COMPRESSED | PKT_MAC)) {
1092 logger(DEBUG_ALWAYS, LOG_ERR, "Unexpected SPTPS record type %d len %d from %s (%s)", type, len, from->name, from->hostname);
1096 /* Check if we have the headers we need */
1097 if(routing_mode != RMODE_ROUTER && !(type & PKT_MAC)) {
1098 logger(DEBUG_TRAFFIC, LOG_ERR, "Received packet from %s (%s) without MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
1100 } else if(routing_mode == RMODE_ROUTER && (type & PKT_MAC)) {
1101 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received packet from %s (%s) with MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
1104 int offset = (type & PKT_MAC) ? 0 : 14;
1106 if(type & PKT_COMPRESSED) {
1107 length_t ulen = uncompress_packet(DATA(&inpkt) + offset, (const uint8_t *)data, len, from->incompression);
1112 inpkt.len = ulen + offset;
1115 if(inpkt.len > MAXSIZE) {
1119 memcpy(DATA(&inpkt) + offset, data, len);
1120 inpkt.len = len + offset;
1123 /* Generate the Ethernet packet type if necessary */
1125 switch(DATA(&inpkt)[14] >> 4) {
1127 DATA(&inpkt)[12] = 0x08;
1128 DATA(&inpkt)[13] = 0x00;
1132 DATA(&inpkt)[12] = 0x86;
1133 DATA(&inpkt)[13] = 0xDD;
1137 logger(DEBUG_TRAFFIC, LOG_ERR,
1138 "Unknown IP version %d while reading packet from %s (%s)",
1139 DATA(&inpkt)[14] >> 4, from->name, from->hostname);
1144 if(from->status.udppacket && inpkt.len > from->maxrecentlen) {
1145 from->maxrecentlen = inpkt.len;
1148 receive_packet(from, &inpkt);
1152 // This function tries to get SPTPS keys, if they aren't already known.
1153 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if the keys are available.
1154 static void try_sptps(node_t *n) {
1155 if(n->status.validkey) {
1159 logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
1161 if(!n->status.waitingforkey) {
1163 } else if(n->last_req_key + 10 < now.tv_sec) {
1164 logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
1165 sptps_stop(&n->sptps);
1166 n->status.waitingforkey = false;
1173 static void send_udp_probe_packet(node_t *n, int len) {
1174 vpn_packet_t packet;
1176 if(len > sizeof(packet.data)) {
1177 logger(DEBUG_TRAFFIC, LOG_INFO, "Truncating probe length %d to %s (%s)", len, n->name, n->hostname);
1178 len = sizeof(packet.data);
1181 packet.offset = DEFAULT_PACKET_OFFSET;
1182 memset(DATA(&packet), 0, 14);
1183 randomize(DATA(&packet) + 14, len - 14);
1185 packet.priority = 0;
1187 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending UDP probe length %d to %s (%s)", len, n->name, n->hostname);
1189 send_udppacket(n, &packet);
1192 // This function tries to establish a UDP tunnel to a node so that packets can be sent.
1193 // If a tunnel is already established, it makes sure it stays up.
1194 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if UDP is usable.
1195 static void try_udp(node_t *n) {
1196 if(!udp_discovery) {
1200 /* Send gratuitous probe replies to 1.1 nodes. */
1202 if((n->options >> 24) >= 3 && n->status.udp_confirmed) {
1203 struct timeval ping_tx_elapsed;
1204 timersub(&now, &n->udp_reply_sent, &ping_tx_elapsed);
1206 if(ping_tx_elapsed.tv_sec >= udp_discovery_keepalive_interval - 1) {
1207 n->udp_reply_sent = now;
1209 if(n->maxrecentlen) {
1211 pkt.len = n->maxrecentlen;
1212 pkt.offset = DEFAULT_PACKET_OFFSET;
1213 memset(DATA(&pkt), 0, 14);
1214 randomize(DATA(&pkt) + 14, MIN_PROBE_SIZE - 14);
1215 send_udp_probe_reply(n, &pkt, pkt.len);
1216 n->maxrecentlen = 0;
1223 struct timeval ping_tx_elapsed;
1224 timersub(&now, &n->udp_ping_sent, &ping_tx_elapsed);
1226 int interval = n->status.udp_confirmed ? udp_discovery_keepalive_interval : udp_discovery_interval;
1228 if(ping_tx_elapsed.tv_sec >= interval) {
1229 gettimeofday(&now, NULL);
1230 n->udp_ping_sent = now; // a probe in flight
1231 n->status.ping_sent = true;
1232 send_udp_probe_packet(n, MIN_PROBE_SIZE);
1234 if(localdiscovery && !n->status.udp_confirmed && n->prevedge) {
1235 n->status.send_locally = true;
1236 send_udp_probe_packet(n, MIN_PROBE_SIZE);
1237 n->status.send_locally = false;
1242 static length_t choose_initial_maxmtu(node_t *n) {
1247 const sockaddr_t *sa = NULL;
1249 choose_udp_address(n, &sa, &sockindex);
1255 sock = socket(sa->sa.sa_family, SOCK_DGRAM, IPPROTO_UDP);
1258 logger(DEBUG_TRAFFIC, LOG_ERR, "Creating MTU assessment socket for %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
1262 if(connect(sock, &sa->sa, SALEN(sa->sa))) {
1263 logger(DEBUG_TRAFFIC, LOG_ERR, "Connecting MTU assessment socket for %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
1269 socklen_t ip_mtu_len = sizeof(ip_mtu);
1271 if(getsockopt(sock, IPPROTO_IP, IP_MTU, &ip_mtu, &ip_mtu_len)) {
1272 logger(DEBUG_TRAFFIC, LOG_ERR, "getsockopt(IP_MTU) on %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
1279 /* getsockopt(IP_MTU) returns the MTU of the physical interface.
1280 We need to remove various overheads to get to the tinc MTU. */
1281 length_t mtu = ip_mtu;
1282 mtu -= (sa->sa.sa_family == AF_INET6) ? sizeof(struct ip6_hdr) : sizeof(struct ip);
1285 if(n->status.sptps) {
1286 mtu -= SPTPS_DATAGRAM_OVERHEAD;
1288 if((n->options >> 24) >= 4) {
1289 mtu -= sizeof(node_id_t) + sizeof(node_id_t);
1292 #ifndef DISABLE_LEGACY
1294 mtu -= digest_length(n->outdigest);
1296 /* Now it's tricky. We use CBC mode, so the length of the
1297 encrypted payload must be a multiple of the blocksize. The
1298 sequence number is also part of the encrypted payload, so we
1299 must account for it after correcting for the blocksize.
1300 Furthermore, the padding in the last block must be at least
1303 length_t blocksize = cipher_blocksize(n->outcipher);
1316 logger(DEBUG_TRAFFIC, LOG_ERR, "getsockopt(IP_MTU) on %s (%s) returned absurdly small value: %d", n->name, n->hostname, ip_mtu);
1324 logger(DEBUG_TRAFFIC, LOG_INFO, "Using system-provided maximum tinc MTU for %s (%s): %hd", n->name, n->hostname, mtu);
1333 /* This function tries to determines the MTU of a node.
1334 By calling this function repeatedly, n->minmtu will be progressively
1335 increased, and at some point, n->mtu will be fixed to n->minmtu. If the MTU
1336 is already fixed, this function checks if it can be increased.
1339 static void try_mtu(node_t *n) {
1340 if(!(n->options & OPTION_PMTU_DISCOVERY)) {
1344 if(udp_discovery && !n->status.udp_confirmed) {
1345 n->maxrecentlen = 0;
1352 /* mtuprobes == 0..19: initial discovery, send bursts with 1 second interval, mtuprobes++
1353 mtuprobes == 20: fix MTU, and go to -1
1354 mtuprobes == -1: send one maxmtu and one maxmtu+1 probe every pinginterval
1355 mtuprobes ==-2..-3: send one maxmtu probe every second
1356 mtuprobes == -4: maxmtu no longer valid, reset minmtu and maxmtu and go to 0 */
1358 struct timeval elapsed;
1359 timersub(&now, &n->mtu_ping_sent, &elapsed);
1361 if(n->mtuprobes >= 0) {
1362 if(n->mtuprobes != 0 && elapsed.tv_sec == 0 && elapsed.tv_usec < 333333) {
1366 if(n->mtuprobes < -1) {
1367 if(elapsed.tv_sec < 1) {
1371 if(elapsed.tv_sec < pinginterval) {
1377 n->mtu_ping_sent = now;
1381 if(n->mtuprobes < -3) {
1382 /* We lost three MTU probes, restart discovery */
1383 logger(DEBUG_TRAFFIC, LOG_INFO, "Decrease in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
1388 if(n->mtuprobes < 0) {
1389 /* After the initial discovery, we only send one maxmtu and one
1390 maxmtu+1 probe to detect PMTU increases. */
1391 send_udp_probe_packet(n, n->maxmtu);
1393 if(n->mtuprobes == -1 && n->maxmtu + 1 < MTU) {
1394 send_udp_probe_packet(n, n->maxmtu + 1);
1399 /* Before initial discovery begins, set maxmtu to the most likely value.
1400 If it's underestimated, we will correct it after initial discovery. */
1401 if(n->mtuprobes == 0) {
1402 n->maxmtu = choose_initial_maxmtu(n);
1406 /* Decreasing the number of probes per cycle might make the algorithm react faster to lost packets,
1407 but it will typically increase convergence time in the no-loss case. */
1408 const length_t probes_per_cycle = 8;
1410 /* This magic value was determined using math simulations.
1411 It will result in a 1329-byte first probe, followed (if there was a reply) by a 1407-byte probe.
1412 Since 1407 is just below the range of tinc MTUs over typical networks,
1413 this fine-tuning allows tinc to cover a lot of ground very quickly.
1414 This fine-tuning is only valid for maxmtu = MTU; if maxmtu is smaller,
1415 then it's better to use a multiplier of 1. Indeed, this leads to an interesting scenario
1416 if choose_initial_maxmtu() returns the actual MTU value - it will get confirmed with one single probe. */
1417 const float multiplier = (n->maxmtu == MTU) ? 0.97 : 1;
1419 const float cycle_position = probes_per_cycle - (n->mtuprobes % probes_per_cycle) - 1;
1420 const length_t minmtu = MAX(n->minmtu, 512);
1421 const float interval = n->maxmtu - minmtu;
1423 length_t offset = 0;
1425 /* powf can be underflowed if n->maxmtu is less than 512 due to the minmtu MAX bound */
1427 /* The core of the discovery algorithm is this exponential.
1428 It produces very large probes early in the cycle, and then it very quickly decreases the probe size.
1429 This reflects the fact that in the most difficult cases, we don't get any feedback for probes that
1430 are too large, and therefore we need to concentrate on small offsets so that we can quickly converge
1431 on the precise MTU as we are approaching it.
1432 The last probe of the cycle is always 1 byte in size - this is to make sure we'll get at least one
1433 reply per cycle so that we can make progress. */
1434 offset = powf(interval, multiplier * cycle_position / (probes_per_cycle - 1));
1437 length_t maxmtu = n->maxmtu;
1438 send_udp_probe_packet(n, minmtu + offset);
1440 /* If maxmtu changed, it means the probe was rejected by the system because it was too large.
1441 In that case, we recalculate with the new maxmtu and try again. */
1442 if(n->mtuprobes < 0 || maxmtu == n->maxmtu) {
1447 if(n->mtuprobes >= 0) {
1453 /* These functions try to establish a tunnel to a node (or its relay) so that
1454 packets can be sent (e.g. exchange keys).
1455 If a tunnel is already established, it tries to improve it (e.g. by trying
1456 to establish a UDP tunnel instead of TCP). This function makes no
1457 guarantees - it is up to the caller to check the node's state to figure out
1458 if TCP and/or UDP is usable. By calling this function repeatedly, the
1459 tunnel is gradually improved until we hit the wall imposed by the underlying
1460 network environment. It is recommended to call this function every time a
1461 packet is sent (or intended to be sent) to a node, so that the tunnel keeps
1462 improving as packets flow, and then gracefully downgrades itself as it goes
1466 static void try_tx_sptps(node_t *n, bool mtu) {
1467 /* If n is a TCP-only neighbor, we'll only use "cleartext" PACKET
1468 messages anyway, so there's no need for SPTPS at all. */
1470 if(n->connection && ((myself->options | n->options) & OPTION_TCPONLY)) {
1474 /* Otherwise, try to do SPTPS authentication with n if necessary. */
1478 /* Do we need to statically relay packets? */
1480 node_t *via = (n->via == myself) ? n->nexthop : n->via;
1482 /* If we do have a static relay, try everything with that one instead, if it supports relaying. */
1485 if((via->options >> 24) < 4) {
1493 /* Otherwise, try to establish UDP connectivity. */
1501 /* If we don't have UDP connectivity (yet), we need to use a dynamic relay (nexthop)
1502 while we try to establish direct connectivity. */
1504 if(!n->status.udp_confirmed && n != n->nexthop && (n->nexthop->options >> 24) >= 4) {
1505 try_tx(n->nexthop, mtu);
1509 static void try_tx_legacy(node_t *n, bool mtu) {
1510 /* Does he have our key? If not, send one. */
1512 if(!n->status.validkey_in) {
1516 /* Check if we already have a key, or request one. */
1518 if(!n->status.validkey) {
1519 if(n->last_req_key + 10 <= now.tv_sec) {
1521 n->last_req_key = now.tv_sec;
1534 void try_tx(node_t *n, bool mtu) {
1535 if(!n->status.reachable) {
1539 if(n->status.sptps) {
1540 try_tx_sptps(n, mtu);
1542 try_tx_legacy(n, mtu);
1546 void send_packet(node_t *n, vpn_packet_t *packet) {
1547 // If it's for myself, write it to the tun/tap device.
1551 memcpy(DATA(packet), mymac.x, ETH_ALEN);
1552 // Use an arbitrary fake source address.
1553 memcpy(DATA(packet) + ETH_ALEN, DATA(packet), ETH_ALEN);
1554 DATA(packet)[ETH_ALEN * 2 - 1] ^= 0xFF;
1558 n->out_bytes += packet->len;
1559 devops.write(packet);
1563 logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)", packet->len, n->name, n->hostname);
1565 // If the node is not reachable, drop it.
1567 if(!n->status.reachable) {
1568 logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable", n->name, n->hostname);
1572 // Keep track of packet statistics.
1575 n->out_bytes += packet->len;
1577 // Check if it should be sent as an SPTPS packet.
1579 if(n->status.sptps) {
1580 send_sptps_packet(n, packet);
1585 // Determine which node to actually send it to.
1587 node_t *via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
1590 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet to %s via %s (%s)", n->name, via->name, n->via->hostname);
1593 // Try to send via UDP, unless TCP is forced.
1595 if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
1596 if(!send_tcppacket(via->connection, packet)) {
1597 terminate_connection(via->connection, true);
1603 send_udppacket(via, packet);
1607 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
1608 // Always give ourself a copy of the packet.
1609 if(from != myself) {
1610 send_packet(myself, packet);
1613 // In TunnelServer mode, do not forward broadcast packets.
1614 // The MST might not be valid and create loops.
1615 if(tunnelserver || broadcast_mode == BMODE_NONE) {
1619 logger(DEBUG_TRAFFIC, LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
1620 packet->len, from->name, from->hostname);
1622 switch(broadcast_mode) {
1623 // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
1624 // This guarantees all nodes receive the broadcast packet, and
1625 // usually distributes the sending of broadcast packets over all nodes.
1627 for list_each(connection_t, c, connection_list)
1628 if(c->edge && c->status.mst && c != from->nexthop->connection) {
1629 send_packet(c->node, packet);
1634 // In direct mode, we send copies to each node we know of.
1635 // However, this only reaches nodes that can be reached in a single hop.
1636 // We don't have enough information to forward broadcast packets in this case.
1638 if(from != myself) {
1642 for splay_each(node_t, n, node_tree)
1643 if(n->status.reachable && n != myself && ((n->via == myself && n->nexthop == n) || n->via == n)) {
1644 send_packet(n, packet);
1654 /* We got a packet from some IP address, but we don't know who sent it. Try to
1655 verify the message authentication code against all active session keys.
1656 Since this is actually an expensive operation, we only do a full check once
1657 a minute, the rest of the time we only check against nodes for which we know
1658 an IP address that matches the one from the packet. */
1660 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
1661 node_t *match = NULL;
1663 static time_t last_hard_try = 0;
1665 for splay_each(node_t, n, node_tree) {
1666 if(!n->status.reachable || n == myself) {
1670 if(!n->status.validkey_in && !(n->status.sptps && n->sptps.instate)) {
1676 for splay_each(edge_t, e, n->edge_tree) {
1681 if(!sockaddrcmp_noport(from, &e->reverse->address)) {
1688 if(last_hard_try == now.tv_sec) {
1695 if(!try_mac(n, pkt)) {
1704 last_hard_try = now.tv_sec;
1710 static void handle_incoming_vpn_packet(listen_socket_t *ls, vpn_packet_t *pkt, sockaddr_t *addr) {
1712 node_id_t nullid = {0};
1714 bool direct = false;
1716 sockaddrunmap(addr); /* Some braindead IPv6 implementations do stupid things. */
1718 // Try to figure out who sent this packet.
1720 node_t *n = lookup_node_udp(addr);
1722 if(n && !n->status.udp_confirmed) {
1723 n = NULL; // Don't believe it if we don't have confirmation yet.
1727 // It might be from a 1.1 node, which might have a source ID in the packet.
1728 pkt->offset = 2 * sizeof(node_id_t);
1729 from = lookup_node_id(SRCID(pkt));
1731 if(from && from->status.sptps && !memcmp(DSTID(pkt), &nullid, sizeof(nullid))) {
1732 if(sptps_verify_datagram(&from->sptps, DATA(pkt), pkt->len - 2 * sizeof(node_id_t))) {
1742 n = try_harder(addr, pkt);
1748 if(debug_level >= DEBUG_PROTOCOL) {
1749 hostname = sockaddr2hostname(addr);
1750 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
1759 if(n->status.sptps) {
1760 bool relay_enabled = (n->options >> 24) >= 4;
1763 pkt->offset = 2 * sizeof(node_id_t);
1764 pkt->len -= pkt->offset;
1767 if(!relay_enabled || !memcmp(DSTID(pkt), &nullid, sizeof(nullid))) {
1772 from = lookup_node_id(SRCID(pkt));
1773 to = lookup_node_id(DSTID(pkt));
1777 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from %s (%s) with unknown source and/or destination ID", n->name, n->hostname);
1781 if(!to->status.reachable) {
1782 /* This can happen in the form of a race condition
1783 if the node just became unreachable. */
1784 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot relay packet from %s (%s) because the destination, %s (%s), is unreachable", from->name, from->hostname, to->name, to->hostname);
1788 /* The packet is supposed to come from the originator or its static relay
1789 (i.e. with no dynamic relays in between).
1790 If it did not, "help" the static relay by sending it UDP info.
1791 Note that we only do this if we're the destination or the static relay;
1792 otherwise every hop would initiate its own UDP info message, resulting in elevated chatter. */
1794 if(n != from->via && to->via == myself) {
1795 send_udp_info(myself, from);
1798 /* If we're not the final recipient, relay the packet. */
1801 send_sptps_data(to, from, 0, DATA(pkt), pkt->len);
1810 if(!receive_udppacket(from, pkt)) {
1814 n->sock = ls - listen_socket;
1816 if(direct && sockaddrcmp(addr, &n->address)) {
1817 update_node_udp(n, addr);
1820 /* If the packet went through a relay, help the sender find the appropriate MTU
1821 through the relay path. */
1824 send_mtu_info(myself, n, MTU);
1828 void handle_incoming_vpn_data(void *data, int flags) {
1831 listen_socket_t *ls = data;
1833 #ifdef HAVE_RECVMMSG
1835 static int num = MAX_MSG;
1836 static vpn_packet_t pkt[MAX_MSG];
1837 static sockaddr_t addr[MAX_MSG];
1838 static struct mmsghdr msg[MAX_MSG];
1839 static struct iovec iov[MAX_MSG];
1841 for(int i = 0; i < num; i++) {
1844 iov[i] = (struct iovec) {
1845 .iov_base = DATA(&pkt[i]),
1849 msg[i].msg_hdr = (struct msghdr) {
1850 .msg_name = &addr[i].sa,
1851 .msg_namelen = sizeof(addr)[i],
1857 num = recvmmsg(ls->udp.fd, msg, MAX_MSG, MSG_DONTWAIT, NULL);
1860 if(!sockwouldblock(sockerrno)) {
1861 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
1867 for(int i = 0; i < num; i++) {
1868 pkt[i].len = msg[i].msg_len;
1870 if(pkt[i].len <= 0 || pkt[i].len > MAXSIZE) {
1874 handle_incoming_vpn_packet(ls, &pkt[i], &addr[i]);
1879 sockaddr_t addr = {0};
1880 socklen_t addrlen = sizeof(addr);
1883 int len = recvfrom(ls->udp.fd, (void *)DATA(&pkt), MAXSIZE, 0, &addr.sa, &addrlen);
1885 if(len <= 0 || (size_t)len > MAXSIZE) {
1886 if(!sockwouldblock(sockerrno)) {
1887 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
1895 handle_incoming_vpn_packet(ls, &pkt, &addr);
1899 void handle_device_data(void *data, int flags) {
1902 vpn_packet_t packet;
1903 packet.offset = DEFAULT_PACKET_OFFSET;
1904 packet.priority = 0;
1905 static int errors = 0;
1907 if(devops.read(&packet)) {
1909 myself->in_packets++;
1910 myself->in_bytes += packet.len;
1911 route(myself, &packet);
1913 usleep(errors * 50000);
1917 logger(DEBUG_ALWAYS, LOG_ERR, "Too many errors from %s, exiting!", device);
projects / tinc / blob