+static bool do_decrement_ttl(node_t *source, vpn_packet_t *packet) {
+ uint16_t type = DATA(packet)[12] << 8 | DATA(packet)[13];
+ length_t ethlen = ether_size;
+
+ if(type == ETH_P_8021Q) {
+ type = DATA(packet)[16] << 8 | DATA(packet)[17];
+ ethlen += 4;
+ }
+
+ switch(type) {
+ case ETH_P_IP:
+ if(!checklength(source, packet, ethlen + ip_size)) {
+ return false;
+ }
+
+ if(DATA(packet)[ethlen + 8] <= 1) {
+ if(DATA(packet)[ethlen + 11] != IPPROTO_ICMP || DATA(packet)[ethlen + 32] != ICMP_TIME_EXCEEDED) {
+ route_ipv4_unreachable(source, packet, ethlen, ICMP_TIME_EXCEEDED, ICMP_EXC_TTL);
+ }
+
+ return false;
+ }
+
+ uint16_t old = DATA(packet)[ethlen + 8] << 8 | DATA(packet)[ethlen + 9];
+ DATA(packet)[ethlen + 8]--;
+ uint16_t new = DATA(packet)[ethlen + 8] << 8 | DATA(packet)[ethlen + 9];
+
+ uint32_t checksum = DATA(packet)[ethlen + 10] << 8 | DATA(packet)[ethlen + 11];
+ checksum += old + (~new & 0xFFFF);
+
+ while(checksum >> 16) {
+ checksum = (checksum & 0xFFFF) + (checksum >> 16);
+ }
+
+ DATA(packet)[ethlen + 10] = checksum >> 8;
+ DATA(packet)[ethlen + 11] = checksum & 0xff;
+
+ return true;
+
+ case ETH_P_IPV6:
+ if(!checklength(source, packet, ethlen + ip6_size)) {
+ return false;
+ }
+
+ if(DATA(packet)[ethlen + 7] <= 1) {
+ if(DATA(packet)[ethlen + 6] != IPPROTO_ICMPV6 || DATA(packet)[ethlen + 40] != ICMP6_TIME_EXCEEDED) {
+ route_ipv6_unreachable(source, packet, ethlen, ICMP6_TIME_EXCEEDED, ICMP6_TIME_EXCEED_TRANSIT);
+ }
+
+ return false;
+ }
+
+ DATA(packet)[ethlen + 7]--;
+
+ return true;
+
+ default:
+ return true;
+ }
+}
+
+static void clamp_mss(const node_t *source, const node_t *via, vpn_packet_t *packet) {
+ if(!source || !via || !(via->options & OPTION_CLAMP_MSS)) {
+ return;
+ }
+
+ uint16_t mtu = source->mtu;
+
+ if(via != myself && via->mtu < mtu) {
+ mtu = via->mtu;
+ }
+
+ /* Find TCP header */
+ int start = ether_size;
+ uint16_t type = DATA(packet)[12] << 8 | DATA(packet)[13];
+
+ if(type == ETH_P_8021Q) {
+ start += 4;
+ type = DATA(packet)[16] << 8 | DATA(packet)[17];
+ }
+
+ if(type == ETH_P_IP && DATA(packet)[start + 9] == 6) {
+ start += (DATA(packet)[start] & 0xf) * 4;
+ } else if(type == ETH_P_IPV6 && DATA(packet)[start + 6] == 6) {
+ start += 40;
+ } else {
+ return;
+ }
+
+ if(packet->len <= start + 20) {
+ return;
+ }
+
+ /* Use data offset field to calculate length of options field */
+ int len = ((DATA(packet)[start + 12] >> 4) - 5) * 4;
+
+ if(packet->len < start + 20 + len) {
+ return;
+ }
+
+ /* Search for MSS option header */
+ for(int i = 0; i < len;) {
+ if(DATA(packet)[start + 20 + i] == 0) {
+ break;
+ }
+
+ if(DATA(packet)[start + 20 + i] == 1) {
+ i++;
+ continue;
+ }
+
+ if(i > len - 2 || i > len - DATA(packet)[start + 21 + i]) {
+ break;
+ }
+
+ if(DATA(packet)[start + 20 + i] != 2) {
+ if(DATA(packet)[start + 21 + i] < 2) {
+ break;
+ }
+
+ i += DATA(packet)[start + 21 + i];
+ continue;
+ }
+
+ if(DATA(packet)[start + 21] != 4) {
+ break;
+ }
+
+ /* Found it */
+ uint16_t oldmss = DATA(packet)[start + 22 + i] << 8 | DATA(packet)[start + 23 + i];
+ uint16_t newmss = mtu - start - 20;
+ uint32_t csum = DATA(packet)[start + 16] << 8 | DATA(packet)[start + 17];
+
+ if(oldmss <= newmss) {
+ break;
+ }
+
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Clamping MSS of packet from %s to %s to %d", source->name, via->name, newmss);
+
+ /* Update the MSS value and the checksum */
+ DATA(packet)[start + 22 + i] = newmss >> 8;
+ DATA(packet)[start + 23 + i] = newmss & 0xff;
+ csum ^= 0xffff;
+ csum += oldmss ^ 0xffff;
+ csum += newmss;
+ csum = (csum & 0xffff) + (csum >> 16);
+ csum += csum >> 16;
+ csum ^= 0xffff;
+ DATA(packet)[start + 16] = csum >> 8;
+ DATA(packet)[start + 17] = csum;
+ break;
+ }
+}
+
+static void age_subnets(void *data) {
+ bool left = false;
+
+ for splay_each(subnet_t, s, myself->subnet_tree) {
+ if(s->expires && s->expires < now.tv_sec) {
+ if(debug_level >= DEBUG_TRAFFIC) {
+ char netstr[MAXNETSTR];
+
+ if(net2str(netstr, sizeof(netstr), s)) {
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Subnet %s expired", netstr);
+ }
+ }
+
+ for list_each(connection_t, c, connection_list)
+ if(c->edge) {
+ send_del_subnet(c, s);
+ }
+
+ subnet_del(myself, s);
+ } else {
+ if(s->expires) {
+ left = true;
+ }
+ }
+ }
+
+ if(left)
+ timeout_set(&age_subnets_timeout, &(struct timeval) {
+ 10, rand() % 100000
+ });
+}
+
+static void learn_mac(mac_t *address) {
+ subnet_t *subnet = lookup_subnet_mac(myself, address);
+
+ /* If we don't know this MAC address yet, store it */
+
+ if(!subnet) {
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Learned new MAC address %x:%x:%x:%x:%x:%x",
+ address->x[0], address->x[1], address->x[2], address->x[3],
+ address->x[4], address->x[5]);
+
+ subnet = new_subnet();
+ subnet->type = SUBNET_MAC;
+ subnet->expires = now.tv_sec + macexpire;
+ subnet->net.mac.address = *address;
+ subnet->weight = 10;
+ subnet_add(myself, subnet);
+ subnet_update(myself, subnet, true);
+
+ /* And tell all other tinc daemons it's our MAC */
+
+ for list_each(connection_t, c, connection_list)
+ if(c->edge) {
+ send_add_subnet(c, subnet);
+ }
+
+ timeout_add(&age_subnets_timeout, age_subnets, NULL, &(struct timeval) {
+ 10, rand() % 100000
+ });
+ } else {
+ if(subnet->expires) {
+ subnet->expires = now.tv_sec + macexpire;
+ }
+ }
+}
+
+static void route_broadcast(node_t *source, vpn_packet_t *packet) {
+ if(decrement_ttl && source != myself)
+ if(!do_decrement_ttl(source, packet)) {
+ return;
+ }
+
+ broadcast_packet(source, packet);
+}
+
+/* RFC 791 */
+
+static void fragment_ipv4_packet(node_t *dest, vpn_packet_t *packet, length_t ether_size) {
+ struct ip ip;
+ vpn_packet_t fragment;
+ int maxlen, todo;
+ uint8_t *offset;
+ uint16_t ip_off, origf;
+
+ memcpy(&ip, DATA(packet) + ether_size, ip_size);
+ fragment.priority = packet->priority;
+ fragment.offset = DEFAULT_PACKET_OFFSET;
+
+ if(ip.ip_hl != ip_size / 4) {
+ return;
+ }
+
+ todo = ntohs(ip.ip_len) - ip_size;
+
+ if(ether_size + ip_size + todo != packet->len) {
+ logger(DEBUG_TRAFFIC, LOG_WARNING, "Length of packet (%d) doesn't match length in IPv4 header (%d)", packet->len, (int)(ether_size + ip_size + todo));
+ return;
+ }