2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2021 Guus Sliepen <guus@tinc-vpn.org>
5 2010 Timothy Redaelli <timothy@redaelli.eu>
6 2010 Brandon Black <blblack@gmail.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
34 #include "address_cache.h"
37 #include "connection.h"
54 #define MAX(a, b) ((a) > (b) ? (a) : (b))
57 /* The minimum size of a probe is 14 bytes, but since we normally use CBC mode
58 encryption, we can add a few extra random bytes without increasing the
59 resulting packet size. */
60 #define MIN_PROBE_SIZE 18
64 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
67 static void send_udppacket(node_t *, vpn_packet_t *);
69 unsigned replaywin = 32;
70 bool localdiscovery = true;
71 bool udp_discovery = true;
72 int udp_discovery_keepalive_interval = 10;
73 int udp_discovery_interval = 2;
74 int udp_discovery_timeout = 30;
76 #define MAX_SEQNO 1073741824
78 static void try_fix_mtu(node_t *n) {
79 if(n->mtuprobes < 0) {
83 if(n->mtuprobes == 20 || n->minmtu >= n->maxmtu) {
84 if(n->minmtu > n->maxmtu) {
85 n->minmtu = n->maxmtu;
87 n->maxmtu = n->minmtu;
91 logger(DEBUG_TRAFFIC, LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
96 static void udp_probe_timeout_handler(void *data) {
99 if(!n->status.udp_confirmed) {
103 logger(DEBUG_TRAFFIC, LOG_INFO, "Too much time has elapsed since last UDP ping response from %s (%s), stopping UDP communication", n->name, n->hostname);
104 n->status.udp_confirmed = false;
105 n->udp_ping_rtt = -1;
112 static void send_udp_probe_reply(node_t *n, vpn_packet_t *packet, length_t len) {
113 if(!n->status.sptps && !n->status.validkey) {
114 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP probe reply to %s (%s) but we don't have his key yet", n->name, n->hostname);
118 /* Type 2 probe replies were introduced in protocol 17.3 */
119 if((n->options >> 24) >= 3) {
121 uint16_t len16 = htons(len);
122 memcpy(DATA(packet) + 1, &len16, 2);
123 packet->len = MIN_PROBE_SIZE;
124 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending type 2 probe reply length %u to %s (%s)", len, n->name, n->hostname);
127 /* Legacy protocol: n won't understand type 2 probe replies. */
129 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending type 1 probe reply length %u to %s (%s)", len, n->name, n->hostname);
132 /* Temporarily set udp_confirmed, so that the reply is sent
133 back exactly the way it came in. */
135 bool udp_confirmed = n->status.udp_confirmed;
136 n->status.udp_confirmed = true;
137 send_udppacket(n, packet);
138 n->status.udp_confirmed = udp_confirmed;
141 static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
142 if(!DATA(packet)[0]) {
143 logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request %d from %s (%s)", packet->len, n->name, n->hostname);
144 send_udp_probe_reply(n, packet, len);
148 if(DATA(packet)[0] == 2) {
149 // It's a type 2 probe reply, use the length field inside the packet
151 memcpy(&len16, DATA(packet) + 1, 2);
155 if(n->status.ping_sent) { // a probe in flight
156 gettimeofday(&now, NULL);
158 timersub(&now, &n->udp_ping_sent, &rtt);
159 n->udp_ping_rtt = rtt.tv_sec * 1000000 + rtt.tv_usec;
160 n->status.ping_sent = false;
161 logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s) rtt=%d.%03d", DATA(packet)[0], len, n->name, n->hostname, n->udp_ping_rtt / 1000, n->udp_ping_rtt % 1000);
163 logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], len, n->name, n->hostname);
166 /* It's a valid reply: now we know bidirectional communication
167 is possible using the address and socket that the reply
169 if(!n->status.udp_confirmed) {
170 n->status.udp_confirmed = true;
172 if(!n->address_cache) {
173 n->address_cache = open_address_cache(n);
176 reset_address_cache(n->address_cache, &n->address);
179 // Reset the UDP ping timer.
182 timeout_del(&n->udp_ping_timeout);
183 timeout_add(&n->udp_ping_timeout, &udp_probe_timeout_handler, n, &(struct timeval) {
184 udp_discovery_timeout, 0
188 if(len > n->maxmtu) {
189 logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
192 /* Set mtuprobes to 1 so that try_mtu() doesn't reset maxmtu */
195 } else if(n->mtuprobes < 0 && len == n->maxmtu) {
196 /* We got a maxmtu sized packet, confirming the PMTU is still valid. */
198 n->mtu_ping_sent = now;
201 /* If applicable, raise the minimum supported MTU */
203 if(n->minmtu < len) {
209 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
211 memcpy(dest, source, len);
213 } else if(level == 10) {
215 lzo_uint lzolen = MAXSIZE;
216 lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
221 } else if(level < 10) {
223 unsigned long destlen = MAXSIZE;
225 if(compress2(dest, &destlen, source, len, level) == Z_OK) {
232 lzo_uint lzolen = MAXSIZE;
233 lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
243 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
245 memcpy(dest, source, len);
247 } else if(level > 9) {
249 lzo_uint lzolen = MAXSIZE;
251 if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK) {
260 unsigned long destlen = MAXSIZE;
261 static z_stream stream;
264 inflateReset(&stream);
266 inflateInit(&stream);
269 stream.next_in = source;
270 stream.avail_in = len;
271 stream.next_out = dest;
272 stream.avail_out = destlen;
273 stream.total_out = 0;
275 if(inflate(&stream, Z_FINISH) == Z_STREAM_END) {
276 return stream.total_out;
289 static void receive_packet(node_t *n, vpn_packet_t *packet) {
290 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
291 packet->len, n->name, n->hostname);
294 n->in_bytes += packet->len;
299 static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
300 if(n->status.sptps) {
301 return sptps_verify_datagram(&n->sptps, DATA(inpkt), inpkt->len);
304 #ifdef DISABLE_LEGACY
308 if(!n->status.validkey_in || !digest_active(n->indigest) || (size_t)inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) {
312 return digest_verify(n->indigest, inpkt->data, inpkt->len - digest_length(n->indigest), inpkt->data + inpkt->len - digest_length(n->indigest));
316 static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
317 if(n->status.sptps) {
318 if(!n->sptps.state) {
319 if(!n->status.waitingforkey) {
320 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but we haven't exchanged keys yet", n->name, n->hostname);
323 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
329 n->status.udppacket = true;
330 bool result = sptps_receive_data(&n->sptps, DATA(inpkt), inpkt->len);
331 n->status.udppacket = false;
334 /* Uh-oh. It might be that the tunnel is stuck in some corrupted state,
335 so let's restart SPTPS in case that helps. But don't do that too often
336 to prevent storms, and because that would make life a little too easy
337 for external attackers trying to DoS us. */
338 if(n->last_req_key < now.tv_sec - 10) {
339 logger(DEBUG_PROTOCOL, LOG_ERR, "Failed to decode raw TCP packet from %s (%s), restarting SPTPS", n->name, n->hostname);
349 #ifdef DISABLE_LEGACY
352 vpn_packet_t pkt1, pkt2;
353 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
356 pkt1.offset = DEFAULT_PACKET_OFFSET;
357 pkt2.offset = DEFAULT_PACKET_OFFSET;
359 if(!n->status.validkey_in) {
360 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
364 /* Check packet length */
366 if((size_t)inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) {
367 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
368 n->name, n->hostname);
372 /* It's a legacy UDP packet, the data starts after the seqno */
374 inpkt->offset += sizeof(seqno_t);
376 /* Check the message authentication code */
378 if(digest_active(n->indigest)) {
379 inpkt->len -= digest_length(n->indigest);
381 if(!digest_verify(n->indigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
382 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
387 /* Decrypt the packet */
389 if(cipher_active(n->incipher)) {
390 vpn_packet_t *outpkt = pkt[nextpkt++];
393 if(!cipher_decrypt(n->incipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
394 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
398 outpkt->len = outlen;
402 /* Check the sequence number */
405 memcpy(&seqno, SEQNO(inpkt), sizeof(seqno));
406 seqno = ntohl(seqno);
407 inpkt->len -= sizeof(seqno);
410 if(seqno != n->received_seqno + 1) {
411 if(seqno >= n->received_seqno + replaywin * 8) {
412 if(n->farfuture++ < replaywin >> 2) {
413 logger(DEBUG_TRAFFIC, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
414 n->name, n->hostname, seqno - n->received_seqno - 1, n->farfuture);
418 logger(DEBUG_TRAFFIC, LOG_WARNING, "Lost %d packets from %s (%s)",
419 seqno - n->received_seqno - 1, n->name, n->hostname);
420 memset(n->late, 0, replaywin);
421 } else if(seqno <= n->received_seqno) {
422 if((n->received_seqno >= replaywin * 8 && seqno <= n->received_seqno - replaywin * 8) || !(n->late[(seqno / 8) % replaywin] & (1 << seqno % 8))) {
423 logger(DEBUG_TRAFFIC, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
424 n->name, n->hostname, seqno, n->received_seqno);
428 for(seqno_t i = n->received_seqno + 1; i < seqno; i++) {
429 n->late[(i / 8) % replaywin] |= 1 << i % 8;
435 n->late[(seqno / 8) % replaywin] &= ~(1 << seqno % 8);
438 if(seqno > n->received_seqno) {
439 n->received_seqno = seqno;
444 if(n->received_seqno > MAX_SEQNO) {
448 /* Decompress the packet */
450 length_t origlen = inpkt->len;
452 if(n->incompression) {
453 vpn_packet_t *outpkt = pkt[nextpkt++];
455 if(!(outpkt->len = uncompress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->incompression))) {
456 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)",
457 n->name, n->hostname);
463 if(origlen > MTU / 64 + 20) {
464 origlen -= MTU / 64 + 20;
470 if(inpkt->len > n->maxrecentlen) {
471 n->maxrecentlen = inpkt->len;
476 if(!DATA(inpkt)[12] && !DATA(inpkt)[13]) {
477 udp_probe_h(n, inpkt, origlen);
479 receive_packet(n, inpkt);
486 void receive_tcppacket(connection_t *c, const char *buffer, size_t len) {
488 outpkt.offset = DEFAULT_PACKET_OFFSET;
490 if(len > sizeof(outpkt.data) - outpkt.offset) {
496 if(c->options & OPTION_TCPONLY) {
499 outpkt.priority = -1;
502 memcpy(DATA(&outpkt), buffer, len);
504 receive_packet(c->node, &outpkt);
507 bool receive_tcppacket_sptps(connection_t *c, const char *data, size_t len) {
508 if(len < sizeof(node_id_t) + sizeof(node_id_t)) {
509 logger(DEBUG_PROTOCOL, LOG_ERR, "Got too short TCP SPTPS packet from %s (%s)", c->name, c->hostname);
513 node_t *to = lookup_node_id((node_id_t *)data);
514 data += sizeof(node_id_t);
515 len -= sizeof(node_id_t);
518 logger(DEBUG_PROTOCOL, LOG_ERR, "Got TCP SPTPS packet from %s (%s) with unknown destination ID", c->name, c->hostname);
522 node_t *from = lookup_node_id((node_id_t *)data);
523 data += sizeof(node_id_t);
524 len -= sizeof(node_id_t);
527 logger(DEBUG_PROTOCOL, LOG_ERR, "Got TCP SPTPS packet from %s (%s) with unknown source ID", c->name, c->hostname);
531 if(!to->status.reachable) {
532 /* This can happen in the form of a race condition
533 if the node just became unreachable. */
534 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot relay TCP packet from %s (%s) because the destination, %s (%s), is unreachable", from->name, from->hostname, to->name, to->hostname);
538 /* Help the sender reach us over UDP.
539 Note that we only do this if we're the destination or the static relay;
540 otherwise every hop would initiate its own UDP info message, resulting in elevated chatter. */
541 if(to->via == myself) {
542 send_udp_info(myself, from);
545 /* If we're not the final recipient, relay the packet. */
548 if(to->status.validkey) {
549 send_sptps_data(to, from, 0, data, len);
556 /* The packet is for us */
558 if(!sptps_receive_data(&from->sptps, data, len)) {
559 /* Uh-oh. It might be that the tunnel is stuck in some corrupted state,
560 so let's restart SPTPS in case that helps. But don't do that too often
561 to prevent storms. */
562 if(from->last_req_key < now.tv_sec - 10) {
563 logger(DEBUG_PROTOCOL, LOG_ERR, "Failed to decode raw TCP packet from %s (%s), restarting SPTPS", from->name, from->hostname);
570 send_mtu_info(myself, from, MTU);
574 static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
575 if(!n->status.validkey && !n->connection) {
582 if((!(DATA(origpkt)[12] | DATA(origpkt)[13])) && (n->sptps.outstate)) {
583 sptps_send_record(&n->sptps, PKT_PROBE, (char *)DATA(origpkt), origpkt->len);
587 if(routing_mode == RMODE_ROUTER) {
593 if(origpkt->len < offset) {
599 if(n->outcompression) {
601 length_t len = compress_packet(DATA(&outpkt) + offset, DATA(origpkt) + offset, origpkt->len - offset, n->outcompression);
604 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
605 } else if(len < origpkt->len - offset) {
606 outpkt.len = len + offset;
608 type |= PKT_COMPRESSED;
612 /* If we have a direct metaconnection to n, and we can't use UDP, then
613 don't bother with SPTPS and just use a "plaintext" PACKET message.
614 We don't really care about end-to-end security since we're not
615 sending the message through any intermediate nodes. */
616 if(n->connection && origpkt->len > n->minmtu) {
617 send_tcppacket(n->connection, origpkt);
619 sptps_send_record(&n->sptps, type, DATA(origpkt) + offset, origpkt->len - offset);
625 static void adapt_socket(const sockaddr_t *sa, int *sock) {
626 /* Make sure we have a suitable socket for the chosen address */
627 if(listen_socket[*sock].sa.sa.sa_family != sa->sa.sa_family) {
628 for(int i = 0; i < listen_sockets; i++) {
629 if(listen_socket[i].sa.sa.sa_family == sa->sa.sa_family) {
637 static void choose_udp_address(const node_t *n, const sockaddr_t **sa, int *sock) {
642 /* If the UDP address is confirmed, use it. */
643 if(n->status.udp_confirmed) {
647 /* Send every third packet to n->address; that could be set
648 to the node's reflexive UDP address discovered during key
658 /* Otherwise, address are found in edges to this node.
659 So we pick a random edge and a random socket. */
662 int j = rand() % n->edge_tree->count;
663 edge_t *candidate = NULL;
665 for splay_each(edge_t, e, n->edge_tree) {
667 candidate = e->reverse;
673 *sa = &candidate->address;
674 *sock = rand() % listen_sockets;
677 adapt_socket(*sa, sock);
680 static void choose_local_address(const node_t *n, const sockaddr_t **sa, int *sock) {
683 /* Pick one of the edges from this node at random, then use its local address. */
686 int j = rand() % n->edge_tree->count;
687 edge_t *candidate = NULL;
689 for splay_each(edge_t, e, n->edge_tree) {
696 if(candidate && candidate->local_address.sa.sa_family) {
697 *sa = &candidate->local_address;
698 *sock = rand() % listen_sockets;
699 adapt_socket(*sa, sock);
703 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
704 if(!n->status.reachable) {
705 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
709 if(n->status.sptps) {
710 send_sptps_packet(n, origpkt);
714 #ifdef DISABLE_LEGACY
717 vpn_packet_t pkt1, pkt2;
718 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
719 vpn_packet_t *inpkt = origpkt;
721 vpn_packet_t *outpkt;
722 int origlen = origpkt->len;
724 int origpriority = origpkt->priority;
726 pkt1.offset = DEFAULT_PACKET_OFFSET;
727 pkt2.offset = DEFAULT_PACKET_OFFSET;
729 /* Make sure we have a valid key */
731 if(!n->status.validkey) {
732 logger(DEBUG_TRAFFIC, LOG_INFO,
733 "No valid key known yet for %s (%s), forwarding via TCP",
734 n->name, n->hostname);
735 send_tcppacket(n->nexthop->connection, origpkt);
739 if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (DATA(inpkt)[12] | DATA(inpkt)[13])) {
740 logger(DEBUG_TRAFFIC, LOG_INFO,
741 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
742 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
744 if(n != n->nexthop) {
745 send_packet(n->nexthop, origpkt);
747 send_tcppacket(n->nexthop->connection, origpkt);
753 /* Compress the packet */
755 if(n->outcompression) {
756 outpkt = pkt[nextpkt++];
758 if(!(outpkt->len = compress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->outcompression))) {
759 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)",
760 n->name, n->hostname);
767 /* Add sequence number */
769 seqno_t seqno = htonl(++(n->sent_seqno));
770 memcpy(SEQNO(inpkt), &seqno, sizeof(seqno));
771 inpkt->len += sizeof(seqno);
773 /* Encrypt the packet */
775 if(cipher_active(n->outcipher)) {
776 outpkt = pkt[nextpkt++];
779 if(!cipher_encrypt(n->outcipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
780 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
784 outpkt->len = outlen;
788 /* Add the message authentication code */
790 if(digest_active(n->outdigest)) {
791 if(!digest_create(n->outdigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
792 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
796 inpkt->len += digest_length(n->outdigest);
799 /* Send the packet */
801 const sockaddr_t *sa = NULL;
804 if(n->status.send_locally) {
805 choose_local_address(n, &sa, &sock);
809 choose_udp_address(n, &sa, &sock);
812 if(priorityinheritance && origpriority != listen_socket[sock].priority) {
813 listen_socket[sock].priority = origpriority;
815 switch(sa->sa.sa_family) {
819 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting IPv4 outgoing packet priority to %d", origpriority);
821 if(setsockopt(listen_socket[sock].udp.fd, IPPROTO_IP, IP_TOS, (void *)&origpriority, sizeof(origpriority))) { /* SO_PRIORITY doesn't seem to work */
822 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
827 #if defined(IPV6_TCLASS)
830 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting IPv6 outgoing packet priority to %d", origpriority);
832 if(setsockopt(listen_socket[sock].udp.fd, IPPROTO_IPV6, IPV6_TCLASS, (void *)&origpriority, sizeof(origpriority))) { /* SO_PRIORITY doesn't seem to work */
833 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
844 if(sendto(listen_socket[sock].udp.fd, (void *)SEQNO(inpkt), inpkt->len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
845 if(sockmsgsize(sockerrno)) {
846 if(n->maxmtu >= origlen) {
847 n->maxmtu = origlen - 1;
850 if(n->mtu >= origlen) {
851 n->mtu = origlen - 1;
856 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
861 origpkt->len = origlen;
865 bool send_sptps_data(node_t *to, node_t *from, int type, const void *data, size_t len) {
866 node_t *relay = (to->via != myself && (type == PKT_PROBE || (len - SPTPS_DATAGRAM_OVERHEAD) <= to->via->minmtu)) ? to->via : to->nexthop;
867 bool direct = from == myself && to == relay;
868 bool relay_supported = (relay->options >> 24) >= 4;
869 bool tcponly = (myself->options | relay->options) & OPTION_TCPONLY;
871 /* Send it via TCP if it is a handshake packet, TCPOnly is in use, this is a relay packet that the other node cannot understand, or this packet is larger than the MTU. */
873 if(type == SPTPS_HANDSHAKE || tcponly || (!direct && !relay_supported) || (type != PKT_PROBE && (len - SPTPS_DATAGRAM_OVERHEAD) > relay->minmtu)) {
874 if(type != SPTPS_HANDSHAKE && (to->nexthop->connection->options >> 24) >= 7) {
875 char buf[len + sizeof(to->id) + sizeof(from->id)];
877 memcpy(buf_ptr, &to->id, sizeof(to->id));
878 buf_ptr += sizeof(to->id);
879 memcpy(buf_ptr, &from->id, sizeof(from->id));
880 buf_ptr += sizeof(from->id);
881 memcpy(buf_ptr, data, len);
882 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s) (TCP)", from->name, from->hostname, to->name, to->hostname, to->nexthop->name, to->nexthop->hostname);
883 return send_sptps_tcppacket(to->nexthop->connection, buf, sizeof(buf));
886 char buf[len * 4 / 3 + 5];
887 b64encode(data, buf, len);
889 /* If this is a handshake packet, use ANS_KEY instead of REQ_KEY, for two reasons:
890 - We don't want intermediate nodes to switch to UDP to relay these packets;
891 - ANS_KEY allows us to learn the reflexive UDP address. */
892 if(type == SPTPS_HANDSHAKE) {
893 to->incompression = myself->incompression;
894 return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, from->name, to->name, buf, to->incompression);
896 return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, from->name, to->name, SPTPS_PACKET, buf);
902 if(relay_supported) {
903 overhead += sizeof(to->id) + sizeof(from->id);
906 char buf[len + overhead];
909 if(relay_supported) {
911 /* Inform the recipient that this packet was sent directly. */
912 node_id_t nullid = {0};
913 memcpy(buf_ptr, &nullid, sizeof(nullid));
914 buf_ptr += sizeof(nullid);
916 memcpy(buf_ptr, &to->id, sizeof(to->id));
917 buf_ptr += sizeof(to->id);
920 memcpy(buf_ptr, &from->id, sizeof(from->id));
921 buf_ptr += sizeof(from->id);
925 /* TODO: if this copy turns out to be a performance concern, change sptps_send_record() to add some "pre-padding" to the buffer and use that instead */
926 memcpy(buf_ptr, data, len);
929 const sockaddr_t *sa = NULL;
932 if(relay->status.send_locally) {
933 choose_local_address(relay, &sa, &sock);
937 choose_udp_address(relay, &sa, &sock);
940 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s) (UDP)", from->name, from->hostname, to->name, to->hostname, relay->name, relay->hostname);
942 if(sendto(listen_socket[sock].udp.fd, buf, buf_ptr - buf, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
943 if(sockmsgsize(sockerrno)) {
944 // Compensate for SPTPS overhead
945 len -= SPTPS_DATAGRAM_OVERHEAD;
947 if(relay->maxmtu >= len) {
948 relay->maxmtu = len - 1;
951 if(relay->mtu >= len) {
952 relay->mtu = len - 1;
957 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", relay->name, relay->hostname, sockstrerror(sockerrno));
965 bool receive_sptps_record(void *handle, uint8_t type, const void *data, uint16_t len) {
966 node_t *from = handle;
968 if(type == SPTPS_HANDSHAKE) {
969 if(!from->status.validkey) {
970 from->status.validkey = true;
971 from->status.waitingforkey = false;
972 logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) successful", from->name, from->hostname);
979 logger(DEBUG_ALWAYS, LOG_ERR, "Packet from %s (%s) larger than maximum supported size (%d > %d)", from->name, from->hostname, len, MTU);
984 inpkt.offset = DEFAULT_PACKET_OFFSET;
987 if(type == PKT_PROBE) {
988 if(!from->status.udppacket) {
989 logger(DEBUG_ALWAYS, LOG_ERR, "Got SPTPS PROBE packet from %s (%s) via TCP", from->name, from->hostname);
994 memcpy(DATA(&inpkt), data, len);
996 if(inpkt.len > from->maxrecentlen) {
997 from->maxrecentlen = inpkt.len;
1000 udp_probe_h(from, &inpkt, len);
1004 if(type & ~(PKT_COMPRESSED | PKT_MAC)) {
1005 logger(DEBUG_ALWAYS, LOG_ERR, "Unexpected SPTPS record type %d len %d from %s (%s)", type, len, from->name, from->hostname);
1009 /* Check if we have the headers we need */
1010 if(routing_mode != RMODE_ROUTER && !(type & PKT_MAC)) {
1011 logger(DEBUG_TRAFFIC, LOG_ERR, "Received packet from %s (%s) without MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
1013 } else if(routing_mode == RMODE_ROUTER && (type & PKT_MAC)) {
1014 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received packet from %s (%s) with MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
1017 int offset = (type & PKT_MAC) ? 0 : 14;
1019 if(type & PKT_COMPRESSED) {
1020 length_t ulen = uncompress_packet(DATA(&inpkt) + offset, (const uint8_t *)data, len, from->incompression);
1025 inpkt.len = ulen + offset;
1028 if(inpkt.len > MAXSIZE) {
1032 memcpy(DATA(&inpkt) + offset, data, len);
1033 inpkt.len = len + offset;
1036 /* Generate the Ethernet packet type if necessary */
1038 switch(DATA(&inpkt)[14] >> 4) {
1040 DATA(&inpkt)[12] = 0x08;
1041 DATA(&inpkt)[13] = 0x00;
1045 DATA(&inpkt)[12] = 0x86;
1046 DATA(&inpkt)[13] = 0xDD;
1050 logger(DEBUG_TRAFFIC, LOG_ERR,
1051 "Unknown IP version %d while reading packet from %s (%s)",
1052 DATA(&inpkt)[14] >> 4, from->name, from->hostname);
1057 if(from->status.udppacket && inpkt.len > from->maxrecentlen) {
1058 from->maxrecentlen = inpkt.len;
1061 receive_packet(from, &inpkt);
1065 // This function tries to get SPTPS keys, if they aren't already known.
1066 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if the keys are available.
1067 static void try_sptps(node_t *n) {
1068 if(n->status.validkey) {
1072 logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
1074 if(!n->status.waitingforkey) {
1076 } else if(n->last_req_key + 10 < now.tv_sec) {
1077 logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
1078 sptps_stop(&n->sptps);
1079 n->status.waitingforkey = false;
1086 static void send_udp_probe_packet(node_t *n, int len) {
1087 vpn_packet_t packet;
1088 packet.offset = DEFAULT_PACKET_OFFSET;
1089 memset(DATA(&packet), 0, 14);
1090 randomize(DATA(&packet) + 14, len - 14);
1092 packet.priority = 0;
1094 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending UDP probe length %d to %s (%s)", len, n->name, n->hostname);
1096 send_udppacket(n, &packet);
1099 // This function tries to establish a UDP tunnel to a node so that packets can be sent.
1100 // If a tunnel is already established, it makes sure it stays up.
1101 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if UDP is usable.
1102 static void try_udp(node_t *n) {
1103 if(!udp_discovery) {
1107 /* Send gratuitous probe replies to 1.1 nodes. */
1109 if((n->options >> 24) >= 3 && n->status.udp_confirmed) {
1110 struct timeval ping_tx_elapsed;
1111 timersub(&now, &n->udp_reply_sent, &ping_tx_elapsed);
1113 if(ping_tx_elapsed.tv_sec >= udp_discovery_keepalive_interval - 1) {
1114 n->udp_reply_sent = now;
1116 if(n->maxrecentlen) {
1118 pkt.len = n->maxrecentlen;
1119 pkt.offset = DEFAULT_PACKET_OFFSET;
1120 memset(DATA(&pkt), 0, 14);
1121 randomize(DATA(&pkt) + 14, MIN_PROBE_SIZE - 14);
1122 send_udp_probe_reply(n, &pkt, pkt.len);
1123 n->maxrecentlen = 0;
1130 struct timeval ping_tx_elapsed;
1131 timersub(&now, &n->udp_ping_sent, &ping_tx_elapsed);
1133 int interval = n->status.udp_confirmed ? udp_discovery_keepalive_interval : udp_discovery_interval;
1135 if(ping_tx_elapsed.tv_sec >= interval) {
1136 gettimeofday(&now, NULL);
1137 n->udp_ping_sent = now; // a probe in flight
1138 n->status.ping_sent = true;
1139 send_udp_probe_packet(n, MIN_PROBE_SIZE);
1141 if(localdiscovery && !n->status.udp_confirmed && n->prevedge) {
1142 n->status.send_locally = true;
1143 send_udp_probe_packet(n, MIN_PROBE_SIZE);
1144 n->status.send_locally = false;
1149 static length_t choose_initial_maxmtu(node_t *n) {
1154 const sockaddr_t *sa = NULL;
1156 choose_udp_address(n, &sa, &sockindex);
1162 sock = socket(sa->sa.sa_family, SOCK_DGRAM, IPPROTO_UDP);
1165 logger(DEBUG_TRAFFIC, LOG_ERR, "Creating MTU assessment socket for %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
1169 if(connect(sock, &sa->sa, SALEN(sa->sa))) {
1170 logger(DEBUG_TRAFFIC, LOG_ERR, "Connecting MTU assessment socket for %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
1176 socklen_t ip_mtu_len = sizeof(ip_mtu);
1178 if(getsockopt(sock, IPPROTO_IP, IP_MTU, &ip_mtu, &ip_mtu_len)) {
1179 logger(DEBUG_TRAFFIC, LOG_ERR, "getsockopt(IP_MTU) on %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
1186 /* getsockopt(IP_MTU) returns the MTU of the physical interface.
1187 We need to remove various overheads to get to the tinc MTU. */
1188 length_t mtu = ip_mtu;
1189 mtu -= (sa->sa.sa_family == AF_INET6) ? sizeof(struct ip6_hdr) : sizeof(struct ip);
1192 if(n->status.sptps) {
1193 mtu -= SPTPS_DATAGRAM_OVERHEAD;
1195 if((n->options >> 24) >= 4) {
1196 mtu -= sizeof(node_id_t) + sizeof(node_id_t);
1199 #ifndef DISABLE_LEGACY
1201 mtu -= digest_length(n->outdigest);
1203 /* Now it's tricky. We use CBC mode, so the length of the
1204 encrypted payload must be a multiple of the blocksize. The
1205 sequence number is also part of the encrypted payload, so we
1206 must account for it after correcting for the blocksize.
1207 Furthermore, the padding in the last block must be at least
1210 length_t blocksize = cipher_blocksize(n->outcipher);
1223 logger(DEBUG_TRAFFIC, LOG_ERR, "getsockopt(IP_MTU) on %s (%s) returned absurdly small value: %d", n->name, n->hostname, ip_mtu);
1231 logger(DEBUG_TRAFFIC, LOG_INFO, "Using system-provided maximum tinc MTU for %s (%s): %hd", n->name, n->hostname, mtu);
1240 /* This function tries to determines the MTU of a node.
1241 By calling this function repeatedly, n->minmtu will be progressively
1242 increased, and at some point, n->mtu will be fixed to n->minmtu. If the MTU
1243 is already fixed, this function checks if it can be increased.
1246 static void try_mtu(node_t *n) {
1247 if(!(n->options & OPTION_PMTU_DISCOVERY)) {
1251 if(udp_discovery && !n->status.udp_confirmed) {
1252 n->maxrecentlen = 0;
1259 /* mtuprobes == 0..19: initial discovery, send bursts with 1 second interval, mtuprobes++
1260 mtuprobes == 20: fix MTU, and go to -1
1261 mtuprobes == -1: send one maxmtu and one maxmtu+1 probe every pinginterval
1262 mtuprobes ==-2..-3: send one maxmtu probe every second
1263 mtuprobes == -4: maxmtu no longer valid, reset minmtu and maxmtu and go to 0 */
1265 struct timeval elapsed;
1266 timersub(&now, &n->mtu_ping_sent, &elapsed);
1268 if(n->mtuprobes >= 0) {
1269 if(n->mtuprobes != 0 && elapsed.tv_sec == 0 && elapsed.tv_usec < 333333) {
1273 if(n->mtuprobes < -1) {
1274 if(elapsed.tv_sec < 1) {
1278 if(elapsed.tv_sec < pinginterval) {
1284 n->mtu_ping_sent = now;
1288 if(n->mtuprobes < -3) {
1289 /* We lost three MTU probes, restart discovery */
1290 logger(DEBUG_TRAFFIC, LOG_INFO, "Decrease in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
1295 if(n->mtuprobes < 0) {
1296 /* After the initial discovery, we only send one maxmtu and one
1297 maxmtu+1 probe to detect PMTU increases. */
1298 send_udp_probe_packet(n, n->maxmtu);
1300 if(n->mtuprobes == -1 && n->maxmtu + 1 < MTU) {
1301 send_udp_probe_packet(n, n->maxmtu + 1);
1306 /* Before initial discovery begins, set maxmtu to the most likely value.
1307 If it's underestimated, we will correct it after initial discovery. */
1308 if(n->mtuprobes == 0) {
1309 n->maxmtu = choose_initial_maxmtu(n);
1313 /* Decreasing the number of probes per cycle might make the algorithm react faster to lost packets,
1314 but it will typically increase convergence time in the no-loss case. */
1315 const length_t probes_per_cycle = 8;
1317 /* This magic value was determined using math simulations.
1318 It will result in a 1329-byte first probe, followed (if there was a reply) by a 1407-byte probe.
1319 Since 1407 is just below the range of tinc MTUs over typical networks,
1320 this fine-tuning allows tinc to cover a lot of ground very quickly.
1321 This fine-tuning is only valid for maxmtu = MTU; if maxmtu is smaller,
1322 then it's better to use a multiplier of 1. Indeed, this leads to an interesting scenario
1323 if choose_initial_maxmtu() returns the actual MTU value - it will get confirmed with one single probe. */
1324 const float multiplier = (n->maxmtu == MTU) ? 0.97 : 1;
1326 const float cycle_position = probes_per_cycle - (n->mtuprobes % probes_per_cycle) - 1;
1327 const length_t minmtu = MAX(n->minmtu, 512);
1328 const float interval = n->maxmtu - minmtu;
1330 /* The core of the discovery algorithm is this exponential.
1331 It produces very large probes early in the cycle, and then it very quickly decreases the probe size.
1332 This reflects the fact that in the most difficult cases, we don't get any feedback for probes that
1333 are too large, and therefore we need to concentrate on small offsets so that we can quickly converge
1334 on the precise MTU as we are approaching it.
1335 The last probe of the cycle is always 1 byte in size - this is to make sure we'll get at least one
1336 reply per cycle so that we can make progress. */
1337 const length_t offset = powf(interval, multiplier * cycle_position / (probes_per_cycle - 1));
1339 length_t maxmtu = n->maxmtu;
1340 send_udp_probe_packet(n, minmtu + offset);
1342 /* If maxmtu changed, it means the probe was rejected by the system because it was too large.
1343 In that case, we recalculate with the new maxmtu and try again. */
1344 if(n->mtuprobes < 0 || maxmtu == n->maxmtu) {
1349 if(n->mtuprobes >= 0) {
1355 /* These functions try to establish a tunnel to a node (or its relay) so that
1356 packets can be sent (e.g. exchange keys).
1357 If a tunnel is already established, it tries to improve it (e.g. by trying
1358 to establish a UDP tunnel instead of TCP). This function makes no
1359 guarantees - it is up to the caller to check the node's state to figure out
1360 if TCP and/or UDP is usable. By calling this function repeatedly, the
1361 tunnel is gradually improved until we hit the wall imposed by the underlying
1362 network environment. It is recommended to call this function every time a
1363 packet is sent (or intended to be sent) to a node, so that the tunnel keeps
1364 improving as packets flow, and then gracefully downgrades itself as it goes
1368 static void try_tx_sptps(node_t *n, bool mtu) {
1369 /* If n is a TCP-only neighbor, we'll only use "cleartext" PACKET
1370 messages anyway, so there's no need for SPTPS at all. */
1372 if(n->connection && ((myself->options | n->options) & OPTION_TCPONLY)) {
1376 /* Otherwise, try to do SPTPS authentication with n if necessary. */
1380 /* Do we need to statically relay packets? */
1382 node_t *via = (n->via == myself) ? n->nexthop : n->via;
1384 /* If we do have a static relay, try everything with that one instead, if it supports relaying. */
1387 if((via->options >> 24) < 4) {
1395 /* Otherwise, try to establish UDP connectivity. */
1403 /* If we don't have UDP connectivity (yet), we need to use a dynamic relay (nexthop)
1404 while we try to establish direct connectivity. */
1406 if(!n->status.udp_confirmed && n != n->nexthop && (n->nexthop->options >> 24) >= 4) {
1407 try_tx(n->nexthop, mtu);
1411 static void try_tx_legacy(node_t *n, bool mtu) {
1412 /* Does he have our key? If not, send one. */
1414 if(!n->status.validkey_in) {
1418 /* Check if we already have a key, or request one. */
1420 if(!n->status.validkey) {
1421 if(n->last_req_key + 10 <= now.tv_sec) {
1423 n->last_req_key = now.tv_sec;
1436 void try_tx(node_t *n, bool mtu) {
1437 if(!n->status.reachable) {
1441 if(n->status.sptps) {
1442 try_tx_sptps(n, mtu);
1444 try_tx_legacy(n, mtu);
1448 void send_packet(node_t *n, vpn_packet_t *packet) {
1449 // If it's for myself, write it to the tun/tap device.
1453 memcpy(DATA(packet), mymac.x, ETH_ALEN);
1454 // Use an arbitrary fake source address.
1455 memcpy(DATA(packet) + ETH_ALEN, DATA(packet), ETH_ALEN);
1456 DATA(packet)[ETH_ALEN * 2 - 1] ^= 0xFF;
1460 n->out_bytes += packet->len;
1461 devops.write(packet);
1465 logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)", packet->len, n->name, n->hostname);
1467 // If the node is not reachable, drop it.
1469 if(!n->status.reachable) {
1470 logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable", n->name, n->hostname);
1474 // Keep track of packet statistics.
1477 n->out_bytes += packet->len;
1479 // Check if it should be sent as an SPTPS packet.
1481 if(n->status.sptps) {
1482 send_sptps_packet(n, packet);
1487 // Determine which node to actually send it to.
1489 node_t *via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
1492 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet to %s via %s (%s)", n->name, via->name, n->via->hostname);
1495 // Try to send via UDP, unless TCP is forced.
1497 if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
1498 if(!send_tcppacket(via->connection, packet)) {
1499 terminate_connection(via->connection, true);
1505 send_udppacket(via, packet);
1509 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
1510 // Always give ourself a copy of the packet.
1511 if(from != myself) {
1512 send_packet(myself, packet);
1515 // In TunnelServer mode, do not forward broadcast packets.
1516 // The MST might not be valid and create loops.
1517 if(tunnelserver || broadcast_mode == BMODE_NONE) {
1521 logger(DEBUG_TRAFFIC, LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
1522 packet->len, from->name, from->hostname);
1524 switch(broadcast_mode) {
1525 // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
1526 // This guarantees all nodes receive the broadcast packet, and
1527 // usually distributes the sending of broadcast packets over all nodes.
1529 for list_each(connection_t, c, connection_list)
1530 if(c->edge && c->status.mst && c != from->nexthop->connection) {
1531 send_packet(c->node, packet);
1536 // In direct mode, we send copies to each node we know of.
1537 // However, this only reaches nodes that can be reached in a single hop.
1538 // We don't have enough information to forward broadcast packets in this case.
1540 if(from != myself) {
1544 for splay_each(node_t, n, node_tree)
1545 if(n->status.reachable && n != myself && ((n->via == myself && n->nexthop == n) || n->via == n)) {
1546 send_packet(n, packet);
1556 /* We got a packet from some IP address, but we don't know who sent it. Try to
1557 verify the message authentication code against all active session keys.
1558 Since this is actually an expensive operation, we only do a full check once
1559 a minute, the rest of the time we only check against nodes for which we know
1560 an IP address that matches the one from the packet. */
1562 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
1563 node_t *match = NULL;
1565 static time_t last_hard_try = 0;
1567 for splay_each(node_t, n, node_tree) {
1568 if(!n->status.reachable || n == myself) {
1572 if(!n->status.validkey_in && !(n->status.sptps && n->sptps.instate)) {
1578 for splay_each(edge_t, e, n->edge_tree) {
1583 if(!sockaddrcmp_noport(from, &e->reverse->address)) {
1590 if(last_hard_try == now.tv_sec) {
1597 if(!try_mac(n, pkt)) {
1606 last_hard_try = now.tv_sec;
1612 static void handle_incoming_vpn_packet(listen_socket_t *ls, vpn_packet_t *pkt, sockaddr_t *addr) {
1614 node_id_t nullid = {0};
1616 bool direct = false;
1618 sockaddrunmap(addr); /* Some braindead IPv6 implementations do stupid things. */
1620 // Try to figure out who sent this packet.
1622 node_t *n = lookup_node_udp(addr);
1624 if(n && !n->status.udp_confirmed) {
1625 n = NULL; // Don't believe it if we don't have confirmation yet.
1629 // It might be from a 1.1 node, which might have a source ID in the packet.
1630 pkt->offset = 2 * sizeof(node_id_t);
1631 from = lookup_node_id(SRCID(pkt));
1633 if(from && !memcmp(DSTID(pkt), &nullid, sizeof(nullid)) && from->status.sptps) {
1634 if(sptps_verify_datagram(&from->sptps, DATA(pkt), pkt->len - 2 * sizeof(node_id_t))) {
1644 n = try_harder(addr, pkt);
1650 if(debug_level >= DEBUG_PROTOCOL) {
1651 hostname = sockaddr2hostname(addr);
1652 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
1661 if(n->status.sptps) {
1662 bool relay_enabled = (n->options >> 24) >= 4;
1665 pkt->offset = 2 * sizeof(node_id_t);
1666 pkt->len -= pkt->offset;
1669 if(!memcmp(DSTID(pkt), &nullid, sizeof(nullid)) || !relay_enabled) {
1674 from = lookup_node_id(SRCID(pkt));
1675 to = lookup_node_id(DSTID(pkt));
1679 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from %s (%s) with unknown source and/or destination ID", n->name, n->hostname);
1683 if(!to->status.reachable) {
1684 /* This can happen in the form of a race condition
1685 if the node just became unreachable. */
1686 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot relay packet from %s (%s) because the destination, %s (%s), is unreachable", from->name, from->hostname, to->name, to->hostname);
1690 /* The packet is supposed to come from the originator or its static relay
1691 (i.e. with no dynamic relays in between).
1692 If it did not, "help" the static relay by sending it UDP info.
1693 Note that we only do this if we're the destination or the static relay;
1694 otherwise every hop would initiate its own UDP info message, resulting in elevated chatter. */
1696 if(n != from->via && to->via == myself) {
1697 send_udp_info(myself, from);
1700 /* If we're not the final recipient, relay the packet. */
1703 send_sptps_data(to, from, 0, DATA(pkt), pkt->len);
1712 if(!receive_udppacket(from, pkt)) {
1716 n->sock = ls - listen_socket;
1718 if(direct && sockaddrcmp(addr, &n->address)) {
1719 update_node_udp(n, addr);
1722 /* If the packet went through a relay, help the sender find the appropriate MTU
1723 through the relay path. */
1726 send_mtu_info(myself, n, MTU);
1730 void handle_incoming_vpn_data(void *data, int flags) {
1733 listen_socket_t *ls = data;
1735 #ifdef HAVE_RECVMMSG
1737 static int num = MAX_MSG;
1738 static vpn_packet_t pkt[MAX_MSG];
1739 static sockaddr_t addr[MAX_MSG];
1740 static struct mmsghdr msg[MAX_MSG];
1741 static struct iovec iov[MAX_MSG];
1743 for(int i = 0; i < num; i++) {
1746 iov[i] = (struct iovec) {
1747 .iov_base = DATA(&pkt[i]),
1751 msg[i].msg_hdr = (struct msghdr) {
1752 .msg_name = &addr[i].sa,
1753 .msg_namelen = sizeof(addr)[i],
1759 num = recvmmsg(ls->udp.fd, msg, MAX_MSG, MSG_DONTWAIT, NULL);
1762 if(!sockwouldblock(sockerrno)) {
1763 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
1769 for(int i = 0; i < num; i++) {
1770 pkt[i].len = msg[i].msg_len;
1772 if(pkt[i].len <= 0 || pkt[i].len > MAXSIZE) {
1776 handle_incoming_vpn_packet(ls, &pkt[i], &addr[i]);
1781 sockaddr_t addr = {0};
1782 socklen_t addrlen = sizeof(addr);
1785 int len = recvfrom(ls->udp.fd, (void *)DATA(&pkt), MAXSIZE, 0, &addr.sa, &addrlen);
1787 if(len <= 0 || (size_t)len > MAXSIZE) {
1788 if(!sockwouldblock(sockerrno)) {
1789 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
1797 handle_incoming_vpn_packet(ls, &pkt, &addr);
1801 void handle_device_data(void *data, int flags) {
1804 vpn_packet_t packet;
1805 packet.offset = DEFAULT_PACKET_OFFSET;
1806 packet.priority = 0;
1807 static int errors = 0;
1809 if(devops.read(&packet)) {
1811 myself->in_packets++;
1812 myself->in_bytes += packet.len;
1813 route(myself, &packet);
1815 usleep(errors * 50000);
1819 logger(DEBUG_ALWAYS, LOG_ERR, "Too many errors from %s, exiting!", device);