Releasing 1.0.27.
[tinc] / src / net_packet.c
1 /*
2     net_packet.c -- Handles in- and outgoing VPN packets
3     Copyright (C) 1998-2005 Ivo Timmermans,
4                   2000-2015 Guus Sliepen <guus@tinc-vpn.org>
5                   2010      Timothy Redaelli <timothy@redaelli.eu>
6                   2010      Brandon Black <blblack@gmail.com>
7
8     This program is free software; you can redistribute it and/or modify
9     it under the terms of the GNU General Public License as published by
10     the Free Software Foundation; either version 2 of the License, or
11     (at your option) any later version.
12
13     This program is distributed in the hope that it will be useful,
14     but WITHOUT ANY WARRANTY; without even the implied warranty of
15     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16     GNU General Public License for more details.
17
18     You should have received a copy of the GNU General Public License along
19     with this program; if not, write to the Free Software Foundation, Inc.,
20     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22
23 #include "system.h"
24
25 #include <openssl/rand.h>
26 #include <openssl/err.h>
27 #include <openssl/evp.h>
28 #include <openssl/pem.h>
29 #include <openssl/hmac.h>
30
31 #ifdef HAVE_ZLIB
32 #include <zlib.h>
33 #endif
34
35 #ifdef HAVE_LZO
36 #include LZO1X_H
37 #endif
38
39 #include "avl_tree.h"
40 #include "conf.h"
41 #include "connection.h"
42 #include "device.h"
43 #include "ethernet.h"
44 #include "event.h"
45 #include "graph.h"
46 #include "logger.h"
47 #include "net.h"
48 #include "netutl.h"
49 #include "protocol.h"
50 #include "process.h"
51 #include "route.h"
52 #include "utils.h"
53 #include "xalloc.h"
54
55 int keylifetime = 0;
56 int keyexpires = 0;
57 #ifdef HAVE_LZO
58 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
59 #endif
60
61 static void send_udppacket(node_t *, vpn_packet_t *);
62
63 unsigned replaywin = 16;
64 bool localdiscovery = false;
65
66 #define MAX_SEQNO 1073741824
67
68 /* mtuprobes == 1..30: initial discovery, send bursts with 1 second interval
69    mtuprobes ==    31: sleep pinginterval seconds
70    mtuprobes ==    32: send 1 burst, sleep pingtimeout second
71    mtuprobes ==    33: no response from other side, restart PMTU discovery process
72
73    Probes are sent in batches of at least three, with random sizes between the
74    lower and upper boundaries for the MTU thus far discovered.
75
76    After the initial discovery, a fourth packet is added to each batch with a
77    size larger than the currently known PMTU, to test if the PMTU has increased.
78
79    In case local discovery is enabled, another packet is added to each batch,
80    which will be broadcast to the local network.
81
82 */
83
84 void send_mtu_probe(node_t *n) {
85         vpn_packet_t packet;
86         int len, i;
87         int timeout = 1;
88         
89         n->mtuprobes++;
90         n->mtuevent = NULL;
91
92         if(!n->status.reachable || !n->status.validkey) {
93                 ifdebug(TRAFFIC) logger(LOG_INFO, "Trying to send MTU probe to unreachable or rekeying node %s (%s)", n->name, n->hostname);
94                 n->mtuprobes = 0;
95                 return;
96         }
97
98         if(n->mtuprobes > 32) {
99                 if(!n->minmtu) {
100                         n->mtuprobes = 31;
101                         timeout = pinginterval;
102                         goto end;
103                 }
104
105                 ifdebug(TRAFFIC) logger(LOG_INFO, "%s (%s) did not respond to UDP ping, restarting PMTU discovery", n->name, n->hostname);
106                 n->mtuprobes = 1;
107                 n->minmtu = 0;
108                 n->maxmtu = MTU;
109         }
110
111         if(n->mtuprobes >= 10 && n->mtuprobes < 32 && !n->minmtu) {
112                 ifdebug(TRAFFIC) logger(LOG_INFO, "No response to MTU probes from %s (%s)", n->name, n->hostname);
113                 n->mtuprobes = 31;
114         }
115
116         if(n->mtuprobes == 30 || (n->mtuprobes < 30 && n->minmtu >= n->maxmtu)) {
117                 if(n->minmtu > n->maxmtu)
118                         n->minmtu = n->maxmtu;
119                 else
120                         n->maxmtu = n->minmtu;
121                 n->mtu = n->minmtu;
122                 ifdebug(TRAFFIC) logger(LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
123                 n->mtuprobes = 31;
124         }
125
126         if(n->mtuprobes == 31) {
127                 timeout = pinginterval;
128                 goto end;
129         } else if(n->mtuprobes == 32) {
130                 timeout = pingtimeout;
131         }
132
133         for(i = 0; i < 4 + localdiscovery; i++) {
134                 if(i == 0) {
135                         if(n->mtuprobes < 30 || n->maxmtu + 8 >= MTU)
136                                 continue;
137                         len = n->maxmtu + 8;
138                 } else if(n->maxmtu <= n->minmtu) {
139                         len = n->maxmtu;
140                 } else {
141                         len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
142                 }
143
144                 if(len < 64)
145                         len = 64;
146                 
147                 memset(packet.data, 0, 14);
148                 RAND_pseudo_bytes(packet.data + 14, len - 14);
149                 packet.len = len;
150                 if(i >= 4 && n->mtuprobes <= 10)
151                         packet.priority = -1;
152                 else
153                         packet.priority = 0;
154
155                 ifdebug(TRAFFIC) logger(LOG_INFO, "Sending MTU probe length %d to %s (%s)", len, n->name, n->hostname);
156
157                 send_udppacket(n, &packet);
158         }
159
160 end:
161         n->mtuevent = new_event();
162         n->mtuevent->handler = (event_handler_t)send_mtu_probe;
163         n->mtuevent->data = n;
164         n->mtuevent->time = now + timeout;
165         event_add(n->mtuevent);
166 }
167
168 void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
169         ifdebug(TRAFFIC) logger(LOG_INFO, "Got MTU probe length %d from %s (%s)", packet->len, n->name, n->hostname);
170
171         if(!packet->data[0]) {
172                 packet->data[0] = 1;
173                 send_udppacket(n, packet);
174         } else {
175                 if(n->mtuprobes > 30) {
176                         if (len == n->maxmtu + 8) {
177                                 ifdebug(TRAFFIC) logger(LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
178                                 n->maxmtu = MTU;
179                                 n->mtuprobes = 10;
180                                 return;
181                         }
182
183                         if(n->minmtu)
184                                 n->mtuprobes = 30;
185                         else
186                                 n->mtuprobes = 1;
187                 }
188
189                 if(len > n->maxmtu)
190                         len = n->maxmtu;
191                 if(n->minmtu < len)
192                         n->minmtu = len;
193         }
194 }
195
196 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
197         if(level == 0) {
198                 memcpy(dest, source, len);
199                 return len;
200         } else if(level == 10) {
201 #ifdef HAVE_LZO
202                 lzo_uint lzolen = MAXSIZE;
203                 lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
204                 return lzolen;
205 #else
206                 return -1;
207 #endif
208         } else if(level < 10) {
209 #ifdef HAVE_ZLIB
210                 unsigned long destlen = MAXSIZE;
211                 if(compress2(dest, &destlen, source, len, level) == Z_OK)
212                         return destlen;
213                 else
214 #endif
215                         return -1;
216         } else {
217 #ifdef HAVE_LZO
218                 lzo_uint lzolen = MAXSIZE;
219                 lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
220                 return lzolen;
221 #else
222                 return -1;
223 #endif
224         }
225         
226         return -1;
227 }
228
229 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
230         if(level == 0) {
231                 memcpy(dest, source, len);
232                 return len;
233         } else if(level > 9) {
234 #ifdef HAVE_LZO
235                 lzo_uint lzolen = MAXSIZE;
236                 if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
237                         return lzolen;
238                 else
239 #endif
240                         return -1;
241         }
242 #ifdef HAVE_ZLIB
243         else {
244                 unsigned long destlen = MAXSIZE;
245                 if(uncompress(dest, &destlen, source, len) == Z_OK)
246                         return destlen;
247                 else
248                         return -1;
249         }
250 #endif
251
252         return -1;
253 }
254
255 /* VPN packet I/O */
256
257 static void receive_packet(node_t *n, vpn_packet_t *packet) {
258         ifdebug(TRAFFIC) logger(LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
259                            packet->len, n->name, n->hostname);
260
261         route(n, packet);
262 }
263
264 static bool try_mac(const node_t *n, const vpn_packet_t *inpkt) {
265         unsigned char hmac[EVP_MAX_MD_SIZE];
266
267         if(!n->indigest || !n->inmaclength || !n->inkey || inpkt->len < sizeof inpkt->seqno + n->inmaclength)
268                 return false;
269
270         HMAC(n->indigest, n->inkey, n->inkeylength, (unsigned char *) &inpkt->seqno, inpkt->len - n->inmaclength, (unsigned char *)hmac, NULL);
271
272         return !memcmp_constant_time(hmac, (char *) &inpkt->seqno + inpkt->len - n->inmaclength, n->inmaclength);
273 }
274
275 static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
276         vpn_packet_t pkt1, pkt2;
277         vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
278         int nextpkt = 0;
279         vpn_packet_t *outpkt;
280         int outlen, outpad;
281         unsigned char hmac[EVP_MAX_MD_SIZE];
282         int i;
283
284         if(!n->inkey) {
285                 ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet",
286                                         n->name, n->hostname);
287                 return;
288         }
289
290         /* Check packet length */
291
292         if(inpkt->len < sizeof(inpkt->seqno) + n->inmaclength) {
293                 ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got too short packet from %s (%s)",
294                                         n->name, n->hostname);
295                 return;
296         }
297
298         /* Check the message authentication code */
299
300         if(n->indigest && n->inmaclength) {
301                 inpkt->len -= n->inmaclength;
302                 HMAC(n->indigest, n->inkey, n->inkeylength,
303                          (unsigned char *) &inpkt->seqno, inpkt->len, (unsigned char *)hmac, NULL);
304
305                 if(memcmp_constant_time(hmac, (char *) &inpkt->seqno + inpkt->len, n->inmaclength)) {
306                         ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got unauthenticated packet from %s (%s)",
307                                            n->name, n->hostname);
308                         return;
309                 }
310         }
311
312         /* Decrypt the packet */
313
314         if(n->incipher) {
315                 outpkt = pkt[nextpkt++];
316
317                 if(!EVP_DecryptInit_ex(&n->inctx, NULL, NULL, NULL, NULL)
318                                 || !EVP_DecryptUpdate(&n->inctx, (unsigned char *) &outpkt->seqno, &outlen,
319                                         (unsigned char *) &inpkt->seqno, inpkt->len)
320                                 || !EVP_DecryptFinal_ex(&n->inctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
321                         ifdebug(TRAFFIC) logger(LOG_DEBUG, "Error decrypting packet from %s (%s): %s",
322                                                 n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
323                         return;
324                 }
325                 
326                 outpkt->len = outlen + outpad;
327                 inpkt = outpkt;
328         }
329
330         /* Check the sequence number */
331
332         inpkt->len -= sizeof(inpkt->seqno);
333         inpkt->seqno = ntohl(inpkt->seqno);
334
335         if(replaywin) {
336                 if(inpkt->seqno != n->received_seqno + 1) {
337                         if(inpkt->seqno >= n->received_seqno + replaywin * 8) {
338                                 if(n->farfuture++ < replaywin >> 2) {
339                                         logger(LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
340                                                 n->name, n->hostname, inpkt->seqno - n->received_seqno - 1, n->farfuture);
341                                         return;
342                                 }
343                                 logger(LOG_WARNING, "Lost %d packets from %s (%s)",
344                                                 inpkt->seqno - n->received_seqno - 1, n->name, n->hostname);
345                                 memset(n->late, 0, replaywin);
346                         } else if (inpkt->seqno <= n->received_seqno) {
347                                 if((n->received_seqno >= replaywin * 8 && inpkt->seqno <= n->received_seqno - replaywin * 8) || !(n->late[(inpkt->seqno / 8) % replaywin] & (1 << inpkt->seqno % 8))) {
348                                         logger(LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
349                                                 n->name, n->hostname, inpkt->seqno, n->received_seqno);
350                                         return;
351                                 }
352                         } else {
353                                 for(i = n->received_seqno + 1; i < inpkt->seqno; i++)
354                                         n->late[(i / 8) % replaywin] |= 1 << i % 8;
355                         }
356                 }
357
358                 n->farfuture = 0;
359                 n->late[(inpkt->seqno / 8) % replaywin] &= ~(1 << inpkt->seqno % 8);
360         }
361
362         if(inpkt->seqno > n->received_seqno)
363                 n->received_seqno = inpkt->seqno;
364                         
365         if(n->received_seqno > MAX_SEQNO)
366                 keyexpires = 0;
367
368         /* Decompress the packet */
369
370         length_t origlen = inpkt->len;
371
372         if(n->incompression) {
373                 outpkt = pkt[nextpkt++];
374
375                 if((outpkt->len = uncompress_packet(outpkt->data, inpkt->data, inpkt->len, n->incompression)) < 0) {
376                         ifdebug(TRAFFIC) logger(LOG_ERR, "Error while uncompressing packet from %s (%s)",
377                                                  n->name, n->hostname);
378                         return;
379                 }
380
381                 inpkt = outpkt;
382
383                 origlen -= MTU/64 + 20;
384         }
385
386         inpkt->priority = 0;
387
388         if(!inpkt->data[12] && !inpkt->data[13])
389                 mtu_probe_h(n, inpkt, origlen);
390         else
391                 receive_packet(n, inpkt);
392 }
393
394 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
395         vpn_packet_t outpkt;
396
397         if(len > sizeof outpkt.data)
398                 return;
399
400         outpkt.len = len;
401         if(c->options & OPTION_TCPONLY)
402                 outpkt.priority = 0;
403         else
404                 outpkt.priority = -1;
405         memcpy(outpkt.data, buffer, len);
406
407         receive_packet(c->node, &outpkt);
408 }
409
410 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
411         vpn_packet_t pkt1, pkt2;
412         vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
413         vpn_packet_t *inpkt = origpkt;
414         int nextpkt = 0;
415         vpn_packet_t *outpkt;
416         int origlen;
417         int outlen, outpad;
418         int origpriority;
419
420         if(!n->status.reachable) {
421                 ifdebug(TRAFFIC) logger(LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
422                 return;
423         }
424
425         /* Make sure we have a valid key */
426
427         if(!n->status.validkey) {
428                 ifdebug(TRAFFIC) logger(LOG_INFO,
429                                    "No valid key known yet for %s (%s), forwarding via TCP",
430                                    n->name, n->hostname);
431
432                 if(n->last_req_key + 10 <= now) {
433                         send_req_key(n);
434                         n->last_req_key = now;
435                 }
436
437                 send_tcppacket(n->nexthop->connection, origpkt);
438
439                 return;
440         }
441
442         if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (inpkt->data[12] | inpkt->data[13])) {
443                 ifdebug(TRAFFIC) logger(LOG_INFO,
444                                 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
445                                 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
446
447                 if(n != n->nexthop)
448                         send_packet(n->nexthop, origpkt);
449                 else
450                         send_tcppacket(n->nexthop->connection, origpkt);
451
452                 return;
453         }
454
455         origlen = inpkt->len;
456         origpriority = inpkt->priority;
457
458         /* Compress the packet */
459
460         if(n->outcompression) {
461                 outpkt = pkt[nextpkt++];
462
463                 if((outpkt->len = compress_packet(outpkt->data, inpkt->data, inpkt->len, n->outcompression)) < 0) {
464                         ifdebug(TRAFFIC) logger(LOG_ERR, "Error while compressing packet to %s (%s)",
465                                    n->name, n->hostname);
466                         return;
467                 }
468
469                 inpkt = outpkt;
470         }
471
472         /* Add sequence number */
473
474         inpkt->seqno = htonl(++(n->sent_seqno));
475         inpkt->len += sizeof(inpkt->seqno);
476
477         /* Encrypt the packet */
478
479         if(n->outcipher) {
480                 outpkt = pkt[nextpkt++];
481
482                 if(!EVP_EncryptInit_ex(&n->outctx, NULL, NULL, NULL, NULL)
483                                 || !EVP_EncryptUpdate(&n->outctx, (unsigned char *) &outpkt->seqno, &outlen,
484                                         (unsigned char *) &inpkt->seqno, inpkt->len)
485                                 || !EVP_EncryptFinal_ex(&n->outctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
486                         ifdebug(TRAFFIC) logger(LOG_ERR, "Error while encrypting packet to %s (%s): %s",
487                                                 n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
488                         goto end;
489                 }
490
491                 outpkt->len = outlen + outpad;
492                 inpkt = outpkt;
493         }
494
495         /* Add the message authentication code */
496
497         if(n->outdigest && n->outmaclength) {
498                 HMAC(n->outdigest, n->outkey, n->outkeylength, (unsigned char *) &inpkt->seqno,
499                          inpkt->len, (unsigned char *) &inpkt->seqno + inpkt->len, NULL);
500                 inpkt->len += n->outmaclength;
501         }
502
503         /* Determine which socket we have to use */
504
505         if(n->address.sa.sa_family != listen_socket[n->sock].sa.sa.sa_family) {
506                 for(int sock = 0; sock < listen_sockets; sock++) {
507                         if(n->address.sa.sa_family == listen_socket[sock].sa.sa.sa_family) {
508                                 n->sock = sock;
509                                 break;
510                         }
511                 }
512         }
513
514         /* Send the packet */
515
516         struct sockaddr *sa;
517         socklen_t sl;
518         int sock;
519         sockaddr_t broadcast;
520
521         /* Overloaded use of priority field: -1 means local broadcast */
522
523         if(origpriority == -1 && n->prevedge) {
524                 sock = rand() % listen_sockets;
525                 memset(&broadcast, 0, sizeof broadcast);
526                 if(listen_socket[sock].sa.sa.sa_family == AF_INET6) {
527                         broadcast.in6.sin6_family = AF_INET6;
528                         broadcast.in6.sin6_addr.s6_addr[0x0] = 0xff;
529                         broadcast.in6.sin6_addr.s6_addr[0x1] = 0x02;
530                         broadcast.in6.sin6_addr.s6_addr[0xf] = 0x01;
531                         broadcast.in6.sin6_port = n->prevedge->address.in.sin_port;
532                         broadcast.in6.sin6_scope_id = listen_socket[sock].sa.in6.sin6_scope_id;
533                 } else {
534                         broadcast.in.sin_family = AF_INET;
535                         broadcast.in.sin_addr.s_addr = -1;
536                         broadcast.in.sin_port = n->prevedge->address.in.sin_port;
537                 }
538                 sa = &broadcast.sa;
539                 sl = SALEN(broadcast.sa);
540         } else {
541                 if(origpriority == -1)
542                         origpriority = 0;
543
544                 sa = &(n->address.sa);
545                 sl = SALEN(n->address.sa);
546                 sock = n->sock;
547         }
548
549         if(priorityinheritance && origpriority != listen_socket[n->sock].priority) {
550                 listen_socket[n->sock].priority = origpriority;
551                 switch(listen_socket[n->sock].sa.sa.sa_family) {
552 #if defined(SOL_IP) && defined(IP_TOS)
553                 case AF_INET:
554                         ifdebug(TRAFFIC) logger(LOG_DEBUG, "Setting IPv4 outgoing packet priority to %d", origpriority);
555                         if(setsockopt(listen_socket[n->sock].udp, SOL_IP, IP_TOS, (void *)&origpriority, sizeof(origpriority))) /* SO_PRIORITY doesn't seem to work */
556                                 logger(LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno));
557                         break;
558 #endif
559 #if defined(IPPROTO_IPV6) && defined(IPV6_TCLASS)
560                 case AF_INET6:
561                         ifdebug(TRAFFIC) logger(LOG_DEBUG, "Setting IPv6 outgoing packet priority to %d", origpriority);
562                         if(setsockopt(listen_socket[n->sock].udp, IPPROTO_IPV6, IPV6_TCLASS, (void *)&origpriority, sizeof(origpriority)))
563                                 logger(LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno));
564                         break;
565 #endif
566                 default:
567                         break;
568                 }
569         }
570
571         if(sendto(listen_socket[sock].udp, (char *) &inpkt->seqno, inpkt->len, 0, sa, sl) < 0 && !sockwouldblock(sockerrno)) {
572                 if(sockmsgsize(sockerrno)) {
573                         if(n->maxmtu >= origlen)
574                                 n->maxmtu = origlen - 1;
575                         if(n->mtu >= origlen)
576                                 n->mtu = origlen - 1;
577                 } else
578                         ifdebug(TRAFFIC) logger(LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
579         }
580
581 end:
582         origpkt->len = origlen;
583 }
584
585 /*
586   send a packet to the given vpn ip.
587 */
588 void send_packet(const node_t *n, vpn_packet_t *packet) {
589         node_t *via;
590
591         if(n == myself) {
592                 if(overwrite_mac)
593                          memcpy(packet->data, mymac.x, ETH_ALEN);
594                 devops.write(packet);
595                 return;
596         }
597
598         ifdebug(TRAFFIC) logger(LOG_ERR, "Sending packet of %d bytes to %s (%s)",
599                            packet->len, n->name, n->hostname);
600
601         if(!n->status.reachable) {
602                 ifdebug(TRAFFIC) logger(LOG_INFO, "Node %s (%s) is not reachable",
603                                    n->name, n->hostname);
604                 return;
605         }
606
607         via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
608
609         if(via != n)
610                 ifdebug(TRAFFIC) logger(LOG_INFO, "Sending packet to %s via %s (%s)",
611                            n->name, via->name, n->via->hostname);
612
613         if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
614                 if(!send_tcppacket(via->connection, packet))
615                         terminate_connection(via->connection, true);
616         } else
617                 send_udppacket(via, packet);
618 }
619
620 /* Broadcast a packet using the minimum spanning tree */
621
622 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
623         avl_node_t *node;
624         connection_t *c;
625         node_t *n;
626
627         // Always give ourself a copy of the packet.
628         if(from != myself)
629                 send_packet(myself, packet);
630
631         // In TunnelServer mode, do not forward broadcast packets.
632         // The MST might not be valid and create loops.
633         if(tunnelserver || broadcast_mode == BMODE_NONE)
634                 return;
635
636         ifdebug(TRAFFIC) logger(LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
637                            packet->len, from->name, from->hostname);
638
639         switch(broadcast_mode) {
640                 // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
641                 // This guarantees all nodes receive the broadcast packet, and
642                 // usually distributes the sending of broadcast packets over all nodes.
643                 case BMODE_MST:
644                         for(node = connection_tree->head; node; node = node->next) {
645                                 c = node->data;
646
647                                 if(c->status.active && c->status.mst && c != from->nexthop->connection)
648                                         send_packet(c->node, packet);
649                         }
650                         break;
651
652                 // In direct mode, we send copies to each node we know of.
653                 // However, this only reaches nodes that can be reached in a single hop.
654                 // We don't have enough information to forward broadcast packets in this case.
655                 case BMODE_DIRECT:
656                         if(from != myself)
657                                 break;
658
659                         for(node = node_udp_tree->head; node; node = node->next) {
660                                 n = node->data;
661
662                                 if(n->status.reachable && n != myself && ((n->via == myself && n->nexthop == n) || n->via == n))
663                                         send_packet(n, packet);
664                         }
665                         break;
666
667                 default:
668                         break;
669         }
670 }
671
672 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
673         avl_node_t *node;
674         edge_t *e;
675         node_t *n = NULL;
676         static time_t last_hard_try = 0;
677
678         for(node = edge_weight_tree->head; node; node = node->next) {
679                 e = node->data;
680
681                 if(e->to == myself)
682                         continue;
683
684                 if(last_hard_try == now && sockaddrcmp_noport(from, &e->address))
685                         continue;
686
687                 if(!try_mac(e->to, pkt))
688                         continue;
689
690                 n = e->to;
691                 break;
692         }
693
694         last_hard_try = now;
695         return n;
696 }
697
698 void handle_incoming_vpn_data(int sock) {
699         vpn_packet_t pkt;
700         char *hostname;
701         sockaddr_t from;
702         socklen_t fromlen = sizeof(from);
703         node_t *n;
704
705         pkt.len = recvfrom(listen_socket[sock].udp, (char *) &pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen);
706
707         if(pkt.len < 0) {
708                 if(!sockwouldblock(sockerrno))
709                         logger(LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
710                 return;
711         }
712
713         sockaddrunmap(&from);           /* Some braindead IPv6 implementations do stupid things. */
714
715         n = lookup_node_udp(&from);
716
717         if(!n) {
718                 n = try_harder(&from, &pkt);
719                 if(n)
720                         update_node_udp(n, &from);
721                 else ifdebug(PROTOCOL) {
722                         hostname = sockaddr2hostname(&from);
723                         logger(LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
724                         free(hostname);
725                         return;
726                 }
727                 else
728                         return;
729         }
730
731         n->sock = sock;
732
733         receive_udppacket(n, &pkt);
734 }