2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2014 Guus Sliepen <guus@tinc-vpn.org>
5 2010 Timothy Redaelli <timothy@redaelli.eu>
6 2010 Brandon Black <blblack@gmail.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
35 #include "connection.h"
52 #define MAX(a, b) ((a) > (b) ? (a) : (b))
55 /* The minimum size of a probe is 14 bytes, but since we normally use CBC mode
56 encryption, we can add a few extra random bytes without increasing the
57 resulting packet size. */
58 #define MIN_PROBE_SIZE 18
62 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
65 static void send_udppacket(node_t *, vpn_packet_t *);
67 unsigned replaywin = 16;
68 bool localdiscovery = true;
69 bool udp_discovery = true;
70 int udp_discovery_keepalive_interval = 9;
71 int udp_discovery_interval = 2;
72 int udp_discovery_timeout = 30;
74 #define MAX_SEQNO 1073741824
76 static void try_fix_mtu(node_t *n) {
80 if(n->mtuprobes == 20 || n->minmtu >= n->maxmtu) {
81 if(n->minmtu > n->maxmtu)
82 n->minmtu = n->maxmtu;
84 n->maxmtu = n->minmtu;
86 logger(DEBUG_TRAFFIC, LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
91 static void udp_probe_timeout_handler(void *data) {
93 if(!n->status.udp_confirmed)
96 logger(DEBUG_TRAFFIC, LOG_INFO, "Too much time has elapsed since last UDP ping response from %s (%s), stopping UDP communication", n->name, n->hostname);
97 n->status.udp_confirmed = false;
104 static void send_udp_probe_reply(node_t *n, vpn_packet_t *packet, length_t len) {
105 if(!n->status.sptps && !n->status.validkey) {
106 // But not if we don't have his key.
107 logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request from %s (%s) but we don't have his key yet", n->name, n->hostname);
111 logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request %d from %s (%s)", packet->len, n->name, n->hostname);
113 /* Type 2 probe replies were introduced in protocol 17.3 */
114 if ((n->options >> 24) >= 3) {
115 uint8_t *data = DATA(packet);
117 uint16_t len16 = htons(len);
118 memcpy(data, &len16, 2);
119 packet->len = MIN_PROBE_SIZE;
121 /* Legacy protocol: n won't understand type 2 probe replies. */
125 /* Temporarily set udp_confirmed, so that the reply is sent
126 back exactly the way it came in. */
128 bool udp_confirmed = n->status.udp_confirmed;
129 n->status.udp_confirmed = true;
130 send_udppacket(n, packet);
131 n->status.udp_confirmed = udp_confirmed;
134 static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
135 if(!DATA(packet)[0]) {
136 /* It's a probe request, send back a reply */
137 return send_udp_probe_reply(n, packet, len);
140 if (DATA(packet)[0] == 2) {
141 // It's a type 2 probe reply, use the length field inside the packet
143 memcpy(&len16, DATA(packet) + 1, 2);
147 logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], len, n->name, n->hostname);
149 /* It's a valid reply: now we know bidirectional communication
150 is possible using the address and socket that the reply
152 n->status.udp_confirmed = true;
155 timeout_del(&n->udp_ping_timeout);
156 timeout_add(&n->udp_ping_timeout, &udp_probe_timeout_handler, n, &(struct timeval){udp_discovery_timeout, 0});
159 if(len > n->maxmtu) {
160 logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
163 /* Set mtuprobes to 1 so that try_mtu() doesn't reset maxmtu */
166 } else if(n->mtuprobes < 0 && len == n->maxmtu) {
167 /* We got a maxmtu sized packet, confirming the PMTU is still valid. */
169 n->mtu_ping_sent = now;
172 /* If applicable, raise the minimum supported MTU */
174 if(n->minmtu < len) {
180 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
182 memcpy(dest, source, len);
184 } else if(level == 10) {
186 lzo_uint lzolen = MAXSIZE;
187 lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
192 } else if(level < 10) {
194 unsigned long destlen = MAXSIZE;
195 if(compress2(dest, &destlen, source, len, level) == Z_OK)
202 lzo_uint lzolen = MAXSIZE;
203 lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
213 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
215 memcpy(dest, source, len);
217 } else if(level > 9) {
219 lzo_uint lzolen = MAXSIZE;
220 if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
228 unsigned long destlen = MAXSIZE;
229 if(uncompress(dest, &destlen, source, len) == Z_OK)
241 static void receive_packet(node_t *n, vpn_packet_t *packet) {
242 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
243 packet->len, n->name, n->hostname);
246 n->in_bytes += packet->len;
251 static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
253 return sptps_verify_datagram(&n->sptps, DATA(inpkt), inpkt->len);
255 #ifdef DISABLE_LEGACY
258 if(!digest_active(n->indigest) || inpkt->len < sizeof(seqno_t) + digest_length(n->indigest))
261 return digest_verify(n->indigest, SEQNO(inpkt), inpkt->len - digest_length(n->indigest), DATA(inpkt) + inpkt->len - digest_length(n->indigest));
265 static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
266 vpn_packet_t pkt1, pkt2;
267 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
270 pkt1.offset = DEFAULT_PACKET_OFFSET;
271 pkt2.offset = DEFAULT_PACKET_OFFSET;
273 if(n->status.sptps) {
274 if(!n->sptps.state) {
275 if(!n->status.waitingforkey) {
276 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but we haven't exchanged keys yet", n->name, n->hostname);
279 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
283 inpkt->offset += 2 * sizeof(node_id_t);
284 if(!sptps_receive_data(&n->sptps, DATA(inpkt), inpkt->len - 2 * sizeof(node_id_t))) {
285 logger(DEBUG_TRAFFIC, LOG_ERR, "Got bad packet from %s (%s)", n->name, n->hostname);
291 #ifdef DISABLE_LEGACY
294 if(!n->status.validkey_in) {
295 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
299 /* Check packet length */
301 if(inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) {
302 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
303 n->name, n->hostname);
307 /* It's a legacy UDP packet, the data starts after the seqno */
309 inpkt->offset += sizeof(seqno_t);
311 /* Check the message authentication code */
313 if(digest_active(n->indigest)) {
314 inpkt->len -= digest_length(n->indigest);
315 if(!digest_verify(n->indigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
316 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
320 /* Decrypt the packet */
322 if(cipher_active(n->incipher)) {
323 vpn_packet_t *outpkt = pkt[nextpkt++];
326 if(!cipher_decrypt(n->incipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
327 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
331 outpkt->len = outlen;
335 /* Check the sequence number */
338 memcpy(&seqno, SEQNO(inpkt), sizeof seqno);
339 seqno = ntohl(seqno);
340 inpkt->len -= sizeof seqno;
343 if(seqno != n->received_seqno + 1) {
344 if(seqno >= n->received_seqno + replaywin * 8) {
345 if(n->farfuture++ < replaywin >> 2) {
346 logger(DEBUG_ALWAYS, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
347 n->name, n->hostname, seqno - n->received_seqno - 1, n->farfuture);
350 logger(DEBUG_ALWAYS, LOG_WARNING, "Lost %d packets from %s (%s)",
351 seqno - n->received_seqno - 1, n->name, n->hostname);
352 memset(n->late, 0, replaywin);
353 } else if (seqno <= n->received_seqno) {
354 if((n->received_seqno >= replaywin * 8 && seqno <= n->received_seqno - replaywin * 8) || !(n->late[(seqno / 8) % replaywin] & (1 << seqno % 8))) {
355 logger(DEBUG_ALWAYS, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
356 n->name, n->hostname, seqno, n->received_seqno);
360 for(int i = n->received_seqno + 1; i < seqno; i++)
361 n->late[(i / 8) % replaywin] |= 1 << i % 8;
366 n->late[(seqno / 8) % replaywin] &= ~(1 << seqno % 8);
369 if(seqno > n->received_seqno)
370 n->received_seqno = seqno;
374 if(n->received_seqno > MAX_SEQNO)
377 /* Decompress the packet */
379 length_t origlen = inpkt->len;
381 if(n->incompression) {
382 vpn_packet_t *outpkt = pkt[nextpkt++];
384 if((outpkt->len = uncompress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->incompression)) < 0) {
385 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)",
386 n->name, n->hostname);
392 origlen -= MTU/64 + 20;
395 if(inpkt->len > n->maxrecentlen)
396 n->maxrecentlen = inpkt->len;
400 if(!DATA(inpkt)[12] && !DATA(inpkt)[13])
401 udp_probe_h(n, inpkt, origlen);
403 receive_packet(n, inpkt);
408 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
410 outpkt.offset = DEFAULT_PACKET_OFFSET;
412 if(len > sizeof outpkt.data - outpkt.offset)
416 if(c->options & OPTION_TCPONLY)
419 outpkt.priority = -1;
420 memcpy(DATA(&outpkt), buffer, len);
422 receive_packet(c->node, &outpkt);
425 static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
426 if(!n->status.validkey && !n->connection)
432 if(!(DATA(origpkt)[12] | DATA(origpkt)[13])) {
433 sptps_send_record(&n->sptps, PKT_PROBE, (char *)DATA(origpkt), origpkt->len);
437 if(routing_mode == RMODE_ROUTER)
442 if(origpkt->len < offset)
447 if(n->outcompression) {
449 int len = compress_packet(DATA(&outpkt) + offset, DATA(origpkt) + offset, origpkt->len - offset, n->outcompression);
451 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
452 } else if(len < origpkt->len - offset) {
453 outpkt.len = len + offset;
455 type |= PKT_COMPRESSED;
459 /* If we have a direct metaconnection to n, and we can't use UDP, then
460 don't bother with SPTPS and just use a "plaintext" PACKET message.
461 We don't really care about end-to-end security since we're not
462 sending the message through any intermediate nodes. */
463 if(n->connection && origpkt->len > n->minmtu)
464 send_tcppacket(n->connection, origpkt);
466 sptps_send_record(&n->sptps, type, DATA(origpkt) + offset, origpkt->len - offset);
470 static void adapt_socket(const sockaddr_t *sa, int *sock) {
471 /* Make sure we have a suitable socket for the chosen address */
472 if(listen_socket[*sock].sa.sa.sa_family != sa->sa.sa_family) {
473 for(int i = 0; i < listen_sockets; i++) {
474 if(listen_socket[i].sa.sa.sa_family == sa->sa.sa_family) {
482 static void choose_udp_address(const node_t *n, const sockaddr_t **sa, int *sock) {
487 /* If the UDP address is confirmed, use it. */
488 if(n->status.udp_confirmed)
491 /* Send every third packet to n->address; that could be set
492 to the node's reflexive UDP address discovered during key
501 /* Otherwise, address are found in edges to this node.
502 So we pick a random edge and a random socket. */
505 int j = rand() % n->edge_tree->count;
506 edge_t *candidate = NULL;
508 for splay_each(edge_t, e, n->edge_tree) {
510 candidate = e->reverse;
516 *sa = &candidate->address;
517 *sock = rand() % listen_sockets;
520 adapt_socket(*sa, sock);
523 static void choose_local_address(const node_t *n, const sockaddr_t **sa, int *sock) {
526 /* Pick one of the edges from this node at random, then use its local address. */
529 int j = rand() % n->edge_tree->count;
530 edge_t *candidate = NULL;
532 for splay_each(edge_t, e, n->edge_tree) {
539 if (candidate && candidate->local_address.sa.sa_family) {
540 *sa = &candidate->local_address;
541 *sock = rand() % listen_sockets;
542 adapt_socket(*sa, sock);
546 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
547 vpn_packet_t pkt1, pkt2;
548 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
549 vpn_packet_t *inpkt = origpkt;
551 vpn_packet_t *outpkt;
552 int origlen = origpkt->len;
554 #if defined(SOL_IP) && defined(IP_TOS)
555 static int priority = 0;
556 int origpriority = origpkt->priority;
559 pkt1.offset = DEFAULT_PACKET_OFFSET;
560 pkt2.offset = DEFAULT_PACKET_OFFSET;
562 if(!n->status.reachable) {
563 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
568 return send_sptps_packet(n, origpkt);
570 #ifdef DISABLE_LEGACY
573 /* Make sure we have a valid key */
575 if(!n->status.validkey) {
576 logger(DEBUG_TRAFFIC, LOG_INFO,
577 "No valid key known yet for %s (%s), forwarding via TCP",
578 n->name, n->hostname);
579 send_tcppacket(n->nexthop->connection, origpkt);
583 if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (DATA(inpkt)[12] | DATA(inpkt)[13])) {
584 logger(DEBUG_TRAFFIC, LOG_INFO,
585 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
586 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
589 send_packet(n->nexthop, origpkt);
591 send_tcppacket(n->nexthop->connection, origpkt);
596 /* Compress the packet */
598 if(n->outcompression) {
599 outpkt = pkt[nextpkt++];
601 if((outpkt->len = compress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->outcompression)) < 0) {
602 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)",
603 n->name, n->hostname);
610 /* Add sequence number */
612 seqno_t seqno = htonl(++(n->sent_seqno));
613 memcpy(SEQNO(inpkt), &seqno, sizeof seqno);
614 inpkt->len += sizeof seqno;
616 /* Encrypt the packet */
618 if(cipher_active(n->outcipher)) {
619 outpkt = pkt[nextpkt++];
622 if(!cipher_encrypt(n->outcipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
623 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
627 outpkt->len = outlen;
631 /* Add the message authentication code */
633 if(digest_active(n->outdigest)) {
634 if(!digest_create(n->outdigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
635 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
639 inpkt->len += digest_length(n->outdigest);
642 /* Send the packet */
644 const sockaddr_t *sa = NULL;
647 if(n->status.send_locally)
648 choose_local_address(n, &sa, &sock);
650 choose_udp_address(n, &sa, &sock);
652 #if defined(SOL_IP) && defined(IP_TOS)
653 if(priorityinheritance && origpriority != priority
654 && listen_socket[n->sock].sa.sa.sa_family == AF_INET) {
655 priority = origpriority;
656 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
657 if(setsockopt(listen_socket[n->sock].udp.fd, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
658 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
662 if(sendto(listen_socket[sock].udp.fd, SEQNO(inpkt), inpkt->len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
663 if(sockmsgsize(sockerrno)) {
664 if(n->maxmtu >= origlen)
665 n->maxmtu = origlen - 1;
666 if(n->mtu >= origlen)
667 n->mtu = origlen - 1;
670 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
674 origpkt->len = origlen;
678 static bool send_sptps_data_priv(node_t *to, node_t *from, int type, const void *data, size_t len) {
679 node_t *relay = (to->via != myself && (type == PKT_PROBE || (len - SPTPS_DATAGRAM_OVERHEAD) <= to->via->minmtu)) ? to->via : to->nexthop;
680 bool direct = from == myself && to == relay;
681 bool relay_supported = (relay->options >> 24) >= 4;
682 bool tcponly = (myself->options | relay->options) & OPTION_TCPONLY;
684 /* Send it via TCP if it is a handshake packet, TCPOnly is in use, this is a relay packet that the other node cannot understand, or this packet is larger than the MTU.
685 TODO: When relaying, the original sender does not know the end-to-end PMTU (it only knows the PMTU of the first hop).
686 This can lead to scenarios where large packets are sent over UDP to relay, but then relay has no choice but fall back to TCP. */
688 if(type == SPTPS_HANDSHAKE || tcponly || (!direct && !relay_supported) || (type != PKT_PROBE && (len - SPTPS_DATAGRAM_OVERHEAD) > relay->minmtu)) {
689 char buf[len * 4 / 3 + 5];
690 b64encode(data, buf, len);
691 /* If no valid key is known yet, send the packets using ANS_KEY requests,
692 to ensure we get to learn the reflexive UDP address. */
693 if(from == myself && !to->status.validkey) {
694 to->incompression = myself->incompression;
695 return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, from->name, to->name, buf, to->incompression);
697 return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, from->name, to->name, REQ_SPTPS, buf);
702 if(relay_supported) overhead += sizeof to->id + sizeof from->id;
703 char buf[len + overhead]; char* buf_ptr = buf;
704 if(relay_supported) {
706 /* Inform the recipient that this packet was sent directly. */
707 node_id_t nullid = {};
708 memcpy(buf_ptr, &nullid, sizeof nullid); buf_ptr += sizeof nullid;
710 memcpy(buf_ptr, &to->id, sizeof to->id); buf_ptr += sizeof to->id;
712 memcpy(buf_ptr, &from->id, sizeof from->id); buf_ptr += sizeof from->id;
715 /* TODO: if this copy turns out to be a performance concern, change sptps_send_record() to add some "pre-padding" to the buffer and use that instead */
716 memcpy(buf_ptr, data, len); buf_ptr += len;
718 const sockaddr_t *sa = NULL;
720 if(relay->status.send_locally)
721 choose_local_address(relay, &sa, &sock);
723 choose_udp_address(relay, &sa, &sock);
724 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s)", from->name, from->hostname, to->name, to->hostname, relay->name, relay->hostname);
725 if(sendto(listen_socket[sock].udp.fd, buf, buf_ptr - buf, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
726 if(sockmsgsize(sockerrno)) {
727 // Compensate for SPTPS overhead
728 len -= SPTPS_DATAGRAM_OVERHEAD;
729 if(relay->maxmtu >= len)
730 relay->maxmtu = len - 1;
731 if(relay->mtu >= len)
732 relay->mtu = len - 1;
735 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", relay->name, relay->hostname, sockstrerror(sockerrno));
743 bool send_sptps_data(void *handle, uint8_t type, const void *data, size_t len) {
744 return send_sptps_data_priv(handle, myself, type, data, len);
747 bool receive_sptps_record(void *handle, uint8_t type, const void *data, uint16_t len) {
748 node_t *from = handle;
750 if(type == SPTPS_HANDSHAKE) {
751 if(!from->status.validkey) {
752 from->status.validkey = true;
753 from->status.waitingforkey = false;
754 logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) succesful", from->name, from->hostname);
760 logger(DEBUG_ALWAYS, LOG_ERR, "Packet from %s (%s) larger than maximum supported size (%d > %d)", from->name, from->hostname, len, MTU);
765 inpkt.offset = DEFAULT_PACKET_OFFSET;
767 if(type == PKT_PROBE) {
769 memcpy(DATA(&inpkt), data, len);
770 udp_probe_h(from, &inpkt, len);
774 if(type & ~(PKT_COMPRESSED | PKT_MAC)) {
775 logger(DEBUG_ALWAYS, LOG_ERR, "Unexpected SPTPS record type %d len %d from %s (%s)", type, len, from->name, from->hostname);
779 /* Check if we have the headers we need */
780 if(routing_mode != RMODE_ROUTER && !(type & PKT_MAC)) {
781 logger(DEBUG_TRAFFIC, LOG_ERR, "Received packet from %s (%s) without MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
783 } else if(routing_mode == RMODE_ROUTER && (type & PKT_MAC)) {
784 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received packet from %s (%s) with MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
787 int offset = (type & PKT_MAC) ? 0 : 14;
788 if(type & PKT_COMPRESSED) {
789 length_t ulen = uncompress_packet(DATA(&inpkt) + offset, (const uint8_t *)data, len, from->incompression);
793 inpkt.len = ulen + offset;
795 if(inpkt.len > MAXSIZE)
798 memcpy(DATA(&inpkt) + offset, data, len);
799 inpkt.len = len + offset;
802 /* Generate the Ethernet packet type if necessary */
804 switch(DATA(&inpkt)[14] >> 4) {
806 DATA(&inpkt)[12] = 0x08;
807 DATA(&inpkt)[13] = 0x00;
810 DATA(&inpkt)[12] = 0x86;
811 DATA(&inpkt)[13] = 0xDD;
814 logger(DEBUG_TRAFFIC, LOG_ERR,
815 "Unknown IP version %d while reading packet from %s (%s)",
816 DATA(&inpkt)[14] >> 4, from->name, from->hostname);
821 receive_packet(from, &inpkt);
825 // This function tries to get SPTPS keys, if they aren't already known.
826 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if the keys are available.
827 static void try_sptps(node_t *n) {
828 if(n->status.validkey)
831 logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
833 if(!n->status.waitingforkey)
835 else if(n->last_req_key + 10 < now.tv_sec) {
836 logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
837 sptps_stop(&n->sptps);
838 n->status.waitingforkey = false;
845 static void send_udp_probe_packet(node_t *n, int len) {
847 packet.offset = DEFAULT_PACKET_OFFSET;
848 memset(DATA(&packet), 0, 14);
849 randomize(DATA(&packet) + 14, len - 14);
853 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending UDP probe length %d to %s (%s)", len, n->name, n->hostname);
855 send_udppacket(n, &packet);
858 // This function tries to establish a UDP tunnel to a node so that packets can be sent.
859 // If a tunnel is already established, it makes sure it stays up.
860 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if UDP is usable.
861 static void try_udp(node_t* n) {
865 struct timeval ping_tx_elapsed;
866 timersub(&now, &n->udp_ping_sent, &ping_tx_elapsed);
868 int interval = n->status.udp_confirmed ? udp_discovery_keepalive_interval : udp_discovery_interval;
870 if(ping_tx_elapsed.tv_sec >= interval) {
871 send_udp_probe_packet(n, MIN_PROBE_SIZE);
872 n->udp_ping_sent = now;
874 if(localdiscovery && !n->status.udp_confirmed && n->prevedge) {
875 n->status.send_locally = true;
876 send_udp_probe_packet(n, MIN_PROBE_SIZE);
877 n->status.send_locally = false;
882 static length_t choose_initial_maxmtu(node_t *n) {
887 const sockaddr_t *sa = NULL;
889 choose_udp_address(n, &sa, &sockindex);
893 sock = socket(sa->sa.sa_family, SOCK_DGRAM, IPPROTO_UDP);
895 logger(DEBUG_TRAFFIC, LOG_ERR, "Creating MTU assessment socket for %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
899 if(connect(sock, &sa->sa, SALEN(sa->sa))) {
900 logger(DEBUG_TRAFFIC, LOG_ERR, "Connecting MTU assessment socket for %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
906 socklen_t ip_mtu_len = sizeof ip_mtu;
907 if(getsockopt(sock, IPPROTO_IP, IP_MTU, &ip_mtu, &ip_mtu_len)) {
908 logger(DEBUG_TRAFFIC, LOG_ERR, "getsockopt(IP_MTU) on %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
915 /* getsockopt(IP_MTU) returns the MTU of the physical interface.
916 We need to remove various overheads to get to the tinc MTU. */
917 length_t mtu = ip_mtu;
918 mtu -= (sa->sa.sa_family == AF_INET6) ? sizeof(struct ip6_hdr) : sizeof(struct ip);
920 if(n->status.sptps) {
921 mtu -= SPTPS_DATAGRAM_OVERHEAD;
922 if((n->options >> 24) >= 4)
923 mtu -= sizeof(node_id_t) + sizeof(node_id_t);
925 mtu -= digest_length(n->outdigest);
927 /* Now it's tricky. We use CBC mode, so the length of the
928 encrypted payload must be a multiple of the blocksize. The
929 sequence number is also part of the encrypted payload, so we
930 must account for it after correcting for the blocksize.
931 Furthermore, the padding in the last block must be at least
934 length_t blocksize = cipher_blocksize(n->outcipher);
946 logger(DEBUG_TRAFFIC, LOG_ERR, "getsockopt(IP_MTU) on %s (%s) returned absurdly small value: %d", n->name, n->hostname, ip_mtu);
952 logger(DEBUG_TRAFFIC, LOG_INFO, "Using system-provided maximum tinc MTU for %s (%s): %hd", n->name, n->hostname, mtu);
962 /* This function tries to determines the MTU of a node.
963 By calling this function repeatedly, n->minmtu will be progressively
964 increased, and at some point, n->mtu will be fixed to n->minmtu. If the MTU
965 is already fixed, this function checks if it can be increased.
968 static void try_mtu(node_t *n) {
969 if(!(n->options & OPTION_PMTU_DISCOVERY))
972 if(udp_discovery && !n->status.udp_confirmed) {
980 /* mtuprobes == 0..19: initial discovery, send bursts with 1 second interval, mtuprobes++
981 mtuprobes == 20: fix MTU, and go to -1
982 mtuprobes == -1: send one maxmtu and one maxmtu+1 probe every pinginterval
983 mtuprobes ==-2..-3: send one maxmtu probe every second
984 mtuprobes == -4: maxmtu no longer valid, reset minmtu and maxmtu and go to 0 */
986 struct timeval elapsed;
987 timersub(&now, &n->mtu_ping_sent, &elapsed);
988 if(n->mtuprobes >= 0) {
989 if(n->mtuprobes != 0 && elapsed.tv_sec == 0 && elapsed.tv_usec < 333333)
992 if(n->mtuprobes < -1) {
993 if(elapsed.tv_sec < 1)
996 if(elapsed.tv_sec < pinginterval)
1001 n->mtu_ping_sent = now;
1005 if(n->mtuprobes < -3) {
1006 /* We lost three MTU probes, restart discovery */
1007 logger(DEBUG_TRAFFIC, LOG_INFO, "Decrease in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
1012 if(n->mtuprobes < 0) {
1013 /* After the initial discovery, we only send one maxmtu and one
1014 maxmtu+1 probe to detect PMTU increases. */
1015 send_udp_probe_packet(n, n->maxmtu);
1016 if(n->mtuprobes == -1 && n->maxmtu + 1 < MTU)
1017 send_udp_probe_packet(n, n->maxmtu + 1);
1020 /* Before initial discovery begins, set maxmtu to the most likely value.
1021 If it's underestimated, we will correct it after initial discovery. */
1022 if(n->mtuprobes == 0)
1023 n->maxmtu = choose_initial_maxmtu(n);
1026 /* Decreasing the number of probes per cycle might make the algorithm react faster to lost packets,
1027 but it will typically increase convergence time in the no-loss case. */
1028 const length_t probes_per_cycle = 8;
1030 /* This magic value was determined using math simulations.
1031 It will result in a 1329-byte first probe, followed (if there was a reply) by a 1407-byte probe.
1032 Since 1407 is just below the range of tinc MTUs over typical networks,
1033 this fine-tuning allows tinc to cover a lot of ground very quickly.
1034 This fine-tuning is only valid for maxmtu = MTU; if maxmtu is smaller,
1035 then it's better to use a multiplier of 1. Indeed, this leads to an interesting scenario
1036 if choose_initial_maxmtu() returns the actual MTU value - it will get confirmed with one single probe. */
1037 const float multiplier = (n->maxmtu == MTU) ? 0.97 : 1;
1039 const float cycle_position = probes_per_cycle - (n->mtuprobes % probes_per_cycle) - 1;
1040 const length_t minmtu = MAX(n->minmtu, 512);
1041 const float interval = n->maxmtu - minmtu;
1043 /* The core of the discovery algorithm is this exponential.
1044 It produces very large probes early in the cycle, and then it very quickly decreases the probe size.
1045 This reflects the fact that in the most difficult cases, we don't get any feedback for probes that
1046 are too large, and therefore we need to concentrate on small offsets so that we can quickly converge
1047 on the precise MTU as we are approaching it.
1048 The last probe of the cycle is always 1 byte in size - this is to make sure we'll get at least one
1049 reply per cycle so that we can make progress. */
1050 const length_t offset = powf(interval, multiplier * cycle_position / (probes_per_cycle - 1));
1052 length_t maxmtu = n->maxmtu;
1053 send_udp_probe_packet(n, minmtu + offset);
1054 /* If maxmtu changed, it means the probe was rejected by the system because it was too large.
1055 In that case, we recalculate with the new maxmtu and try again. */
1056 if(n->mtuprobes < 0 || maxmtu == n->maxmtu)
1060 if(n->mtuprobes >= 0)
1065 /* These functions try to establish a tunnel to a node (or its relay) so that
1066 packets can be sent (e.g. exchange keys).
1067 If a tunnel is already established, it tries to improve it (e.g. by trying
1068 to establish a UDP tunnel instead of TCP). This function makes no
1069 guarantees - it is up to the caller to check the node's state to figure out
1070 if TCP and/or UDP is usable. By calling this function repeatedly, the
1071 tunnel is gradually improved until we hit the wall imposed by the underlying
1072 network environment. It is recommended to call this function every time a
1073 packet is sent (or intended to be sent) to a node, so that the tunnel keeps
1074 improving as packets flow, and then gracefully downgrades itself as it goes
1078 static void try_tx_sptps(node_t *n, bool mtu) {
1079 /* If n is a TCP-only neighbor, we'll only use "cleartext" PACKET
1080 messages anyway, so there's no need for SPTPS at all. */
1082 if(n->connection && ((myself->options | n->options) & OPTION_TCPONLY))
1085 /* Otherwise, try to do SPTPS authentication with n if necessary. */
1089 /* Do we need to relay packets? */
1091 node_t *via = (n->via == myself) ? n->nexthop : n->via;
1093 /* If the relay doesn't support SPTPS, everything goes via TCP anyway. */
1095 if((via->options >> 24) < 4)
1098 /* If we do have a relay, try everything with that one instead. */
1101 return try_tx_sptps(via, mtu);
1108 static void try_tx_legacy(node_t *n, bool mtu) {
1109 /* Does he have our key? If not, send one. */
1111 if(!n->status.validkey_in)
1114 /* Check if we already have a key, or request one. */
1116 if(!n->status.validkey) {
1117 if(n->last_req_key + 10 <= now.tv_sec) {
1119 n->last_req_key = now.tv_sec;
1129 void try_tx(node_t *n, bool mtu) {
1131 try_tx_sptps(n, mtu);
1133 try_tx_legacy(n, mtu);
1136 void send_packet(node_t *n, vpn_packet_t *packet) {
1137 // If it's for myself, write it to the tun/tap device.
1141 memcpy(DATA(packet), mymac.x, ETH_ALEN);
1143 n->out_bytes += packet->len;
1144 devops.write(packet);
1148 logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)", packet->len, n->name, n->hostname);
1150 // If the node is not reachable, drop it.
1152 if(!n->status.reachable) {
1153 logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable", n->name, n->hostname);
1157 // Keep track of packet statistics.
1160 n->out_bytes += packet->len;
1162 // Check if it should be sent as an SPTPS packet.
1164 if(n->status.sptps) {
1165 send_sptps_packet(n, packet);
1166 try_tx_sptps(n, true);
1170 // Determine which node to actually send it to.
1172 node_t *via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
1175 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet to %s via %s (%s)", n->name, via->name, n->via->hostname);
1177 // Try to send via UDP, unless TCP is forced.
1179 if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
1180 if(!send_tcppacket(via->connection, packet))
1181 terminate_connection(via->connection, true);
1185 send_udppacket(via, packet);
1186 try_tx_legacy(via, true);
1189 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
1190 // Always give ourself a copy of the packet.
1192 send_packet(myself, packet);
1194 // In TunnelServer mode, do not forward broadcast packets.
1195 // The MST might not be valid and create loops.
1196 if(tunnelserver || broadcast_mode == BMODE_NONE)
1199 logger(DEBUG_TRAFFIC, LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
1200 packet->len, from->name, from->hostname);
1202 switch(broadcast_mode) {
1203 // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
1204 // This guarantees all nodes receive the broadcast packet, and
1205 // usually distributes the sending of broadcast packets over all nodes.
1207 for list_each(connection_t, c, connection_list)
1208 if(c->edge && c->status.mst && c != from->nexthop->connection)
1209 send_packet(c->node, packet);
1212 // In direct mode, we send copies to each node we know of.
1213 // However, this only reaches nodes that can be reached in a single hop.
1214 // We don't have enough information to forward broadcast packets in this case.
1219 for splay_each(node_t, n, node_tree)
1220 if(n->status.reachable && n != myself && ((n->via == myself && n->nexthop == n) || n->via == n))
1221 send_packet(n, packet);
1229 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
1232 static time_t last_hard_try = 0;
1234 for splay_each(edge_t, e, edge_weight_tree) {
1235 if(!e->to->status.reachable || e->to == myself)
1238 if(sockaddrcmp_noport(from, &e->address)) {
1239 if(last_hard_try == now.tv_sec)
1244 if(!try_mac(e->to, pkt))
1252 last_hard_try = now.tv_sec;
1254 last_hard_try = now.tv_sec;
1258 void handle_incoming_vpn_data(void *data, int flags) {
1259 listen_socket_t *ls = data;
1262 node_id_t nullid = {};
1263 sockaddr_t addr = {};
1264 socklen_t addrlen = sizeof addr;
1266 bool direct = false;
1269 int len = recvfrom(ls->udp.fd, DATA(&pkt), MAXSIZE, 0, &addr.sa, &addrlen);
1271 if(len <= 0 || len > MAXSIZE) {
1272 if(!sockwouldblock(sockerrno))
1273 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
1279 sockaddrunmap(&addr); /* Some braindead IPv6 implementations do stupid things. */
1281 // Try to figure out who sent this packet.
1283 node_t *n = lookup_node_udp(&addr);
1286 // It might be from a 1.1 node, which might have a source ID in the packet.
1287 pkt.offset = 2 * sizeof(node_id_t);
1288 from = lookup_node_id(SRCID(&pkt));
1289 if(from && !memcmp(DSTID(&pkt), &nullid, sizeof nullid) && from->status.sptps) {
1290 if(sptps_verify_datagram(&from->sptps, DATA(&pkt), pkt.len - 2 * sizeof(node_id_t)))
1299 n = try_harder(&addr, &pkt);
1304 if(debug_level >= DEBUG_PROTOCOL) {
1305 hostname = sockaddr2hostname(&addr);
1306 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
1312 if(n->status.sptps) {
1313 pkt.offset = 2 * sizeof(node_id_t);
1315 if(!memcmp(DSTID(&pkt), &nullid, sizeof nullid)) {
1320 from = lookup_node_id(SRCID(&pkt));
1321 to = lookup_node_id(DSTID(&pkt));
1324 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from %s (%s) with unknown source and/or destination ID", n->name, n->hostname);
1329 send_sptps_data_priv(to, n, 0, DATA(&pkt), pkt.len - 2 * sizeof(node_id_t));
1338 if(!receive_udppacket(from, &pkt))
1341 n->sock = ls - listen_socket;
1342 if(direct && sockaddrcmp(&addr, &n->address))
1343 update_node_udp(n, &addr);
1346 void handle_device_data(void *data, int flags) {
1347 vpn_packet_t packet;
1348 packet.offset = DEFAULT_PACKET_OFFSET;
1349 packet.priority = 0;
1351 if(devops.read(&packet)) {
1352 myself->in_packets++;
1353 myself->in_bytes += packet.len;
1354 route(myself, &packet);