/*
net_packet.c -- Handles in- and outgoing VPN packets
Copyright (C) 1998-2005 Ivo Timmermans,
- 2000-2014 Guus Sliepen <guus@tinc-vpn.org>
+ 2000-2016 Guus Sliepen <guus@tinc-vpn.org>
2010 Timothy Redaelli <timothy@redaelli.eu>
2010 Brandon Black <blblack@gmail.com>
#define MAX(a, b) ((a) > (b) ? (a) : (b))
#endif
+/* The minimum size of a probe is 14 bytes, but since we normally use CBC mode
+ encryption, we can add a few extra random bytes without increasing the
+ resulting packet size. */
+#define MIN_PROBE_SIZE 18
+
int keylifetime = 0;
#ifdef HAVE_LZO
static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
static void send_udppacket(node_t *, vpn_packet_t *);
-unsigned replaywin = 16;
+unsigned replaywin = 32;
bool localdiscovery = true;
bool udp_discovery = true;
-int udp_discovery_keepalive_interval = 9;
+int udp_discovery_keepalive_interval = 10;
int udp_discovery_interval = 2;
int udp_discovery_timeout = 30;
logger(DEBUG_TRAFFIC, LOG_INFO, "Too much time has elapsed since last UDP ping response from %s (%s), stopping UDP communication", n->name, n->hostname);
n->status.udp_confirmed = false;
+ n->maxrecentlen = 0;
n->mtuprobes = 0;
n->minmtu = 0;
n->maxmtu = MTU;
}
-static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
- if(!DATA(packet)[0]) {
- /* It's a probe request, send back a reply */
+static void send_udp_probe_reply(node_t *n, vpn_packet_t *packet, length_t len) {
+ if(!n->status.sptps && !n->status.validkey) {
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP probe reply to %s (%s) but we don't have his key yet", n->name, n->hostname);
+ return;
+ }
- if(!n->status.sptps && !n->status.validkey) {
- // But not if we don't have his key.
- logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request from %s (%s) but we don't have his key yet", n->name, n->hostname);
- return;
- }
+ /* Type 2 probe replies were introduced in protocol 17.3 */
+ if ((n->options >> 24) >= 3) {
+ DATA(packet)[0] = 2;
+ uint16_t len16 = htons(len);
+ memcpy(DATA(packet) + 1, &len16, 2);
+ packet->len = MIN_PROBE_SIZE;
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Sending type 2 probe reply length %u to %s (%s)", len, n->name, n->hostname);
- logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request %d from %s (%s)", packet->len, n->name, n->hostname);
+ } else {
+ /* Legacy protocol: n won't understand type 2 probe replies. */
+ DATA(packet)[0] = 1;
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Sending type 1 probe reply length %u to %s (%s)", len, n->name, n->hostname);
+ }
- /* Type 2 probe replies were introduced in protocol 17.3 */
- if ((n->options >> 24) >= 3) {
- uint8_t *data = DATA(packet);
- *data++ = 2;
- uint16_t len16 = htons(len); memcpy(data, &len16, 2); data += 2;
- struct timeval now;
- gettimeofday(&now, NULL);
- uint32_t sec = htonl(now.tv_sec); memcpy(data, &sec, 4); data += 4;
- uint32_t usec = htonl(now.tv_usec); memcpy(data, &usec, 4); data += 4;
- packet->len = 14; // Minimum size for any probe packet.
- } else {
- /* Legacy protocol: n won't understand type 2 probe replies. */
- DATA(packet)[0] = 1;
- }
+ /* Temporarily set udp_confirmed, so that the reply is sent
+ back exactly the way it came in. */
- /* Temporarily set udp_confirmed, so that the reply is sent
- back exactly the way it came in. */
+ bool udp_confirmed = n->status.udp_confirmed;
+ n->status.udp_confirmed = true;
+ send_udppacket(n, packet);
+ n->status.udp_confirmed = udp_confirmed;
+}
- bool udp_confirmed = n->status.udp_confirmed;
- n->status.udp_confirmed = true;
- send_udppacket(n, packet);
- n->status.udp_confirmed = udp_confirmed;
- } else {
- length_t probelen = len;
- if (DATA(packet)[0] == 2) {
- if (len < 3)
- logger(DEBUG_TRAFFIC, LOG_WARNING, "Received invalid (too short) UDP probe reply from %s (%s)", n->name, n->hostname);
- else {
- uint16_t probelen16; memcpy(&probelen16, DATA(packet) + 1, 2); probelen = ntohs(probelen16);
- }
- }
- logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], probelen, n->name, n->hostname);
+static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
+ if(!DATA(packet)[0]) {
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request %d from %s (%s)", packet->len, n->name, n->hostname);
+ return send_udp_probe_reply(n, packet, len);
+ }
- /* It's a valid reply: now we know bidirectional communication
- is possible using the address and socket that the reply
- packet used. */
- n->status.udp_confirmed = true;
+ if (DATA(packet)[0] == 2) {
+ // It's a type 2 probe reply, use the length field inside the packet
+ uint16_t len16;
+ memcpy(&len16, DATA(packet) + 1, 2);
+ len = ntohs(len16);
+ }
- if(udp_discovery) {
- timeout_del(&n->udp_ping_timeout);
- timeout_add(&n->udp_ping_timeout, &udp_probe_timeout_handler, n, &(struct timeval){udp_discovery_timeout, 0});
- }
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], len, n->name, n->hostname);
- if(probelen >= n->maxmtu + 1) {
- logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
- n->maxmtu = MTU;
- /* Set mtuprobes to 1 so that try_mtu() doesn't reset maxmtu */
- n->mtuprobes = 1;
- return;
- }
+ /* It's a valid reply: now we know bidirectional communication
+ is possible using the address and socket that the reply
+ packet used. */
+ n->status.udp_confirmed = true;
- /* If applicable, raise the minimum supported MTU */
+ // Reset the UDP ping timer.
+ n->udp_ping_sent = now;
- if(probelen > n->maxmtu)
- probelen = n->maxmtu;
- if(n->minmtu < probelen) {
- n->minmtu = probelen;
- try_fix_mtu(n);
- }
+ if(udp_discovery) {
+ timeout_del(&n->udp_ping_timeout);
+ timeout_add(&n->udp_ping_timeout, &udp_probe_timeout_handler, n, &(struct timeval){udp_discovery_timeout, 0});
+ }
- /* Calculate RTT.
- The RTT is the time between the MTU probe burst was sent and the first
- reply is received.
- */
-
- struct timeval now, diff;
- gettimeofday(&now, NULL);
- timersub(&now, &n->probe_time, &diff);
-
- struct timeval probe_timestamp = now;
- if (DATA(packet)[0] == 2 && packet->len >= 11) {
- uint32_t sec; memcpy(&sec, DATA(packet) + 3, 4);
- uint32_t usec; memcpy(&usec, DATA(packet) + 7, 4);
- probe_timestamp.tv_sec = ntohl(sec);
- probe_timestamp.tv_usec = ntohl(usec);
- }
-
- n->probe_counter++;
+ if(len > n->maxmtu) {
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
+ n->minmtu = len;
+ n->maxmtu = MTU;
+ /* Set mtuprobes to 1 so that try_mtu() doesn't reset maxmtu */
+ n->mtuprobes = 1;
+ return;
+ } else if(n->mtuprobes < 0 && len == n->maxmtu) {
+ /* We got a maxmtu sized packet, confirming the PMTU is still valid. */
+ n->mtuprobes = -1;
+ n->mtu_ping_sent = now;
+ }
- if(n->probe_counter == 1) {
- n->rtt = diff.tv_sec + diff.tv_usec * 1e-6;
- n->probe_time = probe_timestamp;
- logger(DEBUG_TRAFFIC, LOG_DEBUG, "%s (%s) RTT %.2f ms, rx packet loss %.2f %%", n->name, n->hostname, n->rtt * 1e3, n->packetloss * 1e2);
- }
+ /* If applicable, raise the minimum supported MTU */
+
+ if(n->minmtu < len) {
+ n->minmtu = len;
+ try_fix_mtu(n);
}
}
#ifdef DISABLE_LEGACY
return false;
#else
- if(!digest_active(n->indigest) || inpkt->len < sizeof(seqno_t) + digest_length(n->indigest))
+ if(!n->status.validkey_in || !digest_active(n->indigest) || inpkt->len < sizeof(seqno_t) + digest_length(n->indigest))
return false;
- return digest_verify(n->indigest, SEQNO(inpkt), inpkt->len - digest_length(n->indigest), DATA(inpkt) + inpkt->len - digest_length(n->indigest));
+ return digest_verify(n->indigest, inpkt->data, inpkt->len - digest_length(n->indigest), inpkt->data + inpkt->len - digest_length(n->indigest));
#endif
}
}
return false;
}
- inpkt->offset += 2 * sizeof(node_id_t);
- if(!sptps_receive_data(&n->sptps, DATA(inpkt), inpkt->len - 2 * sizeof(node_id_t))) {
- logger(DEBUG_TRAFFIC, LOG_ERR, "Got bad packet from %s (%s)", n->name, n->hostname);
+ n->status.udppacket = true;
+ bool result = sptps_receive_data(&n->sptps, DATA(inpkt), inpkt->len);
+ n->status.udppacket = false;
+
+ if(!result) {
+ /* Uh-oh. It might be that the tunnel is stuck in some corrupted state,
+ so let's restart SPTPS in case that helps. But don't do that too often
+ to prevent storms, and because that would make life a little too easy
+ for external attackers trying to DoS us. */
+ if(n->last_req_key < now.tv_sec - 10) {
+ logger(DEBUG_PROTOCOL, LOG_ERR, "Failed to decode raw TCP packet from %s (%s), restarting SPTPS", n->name, n->hostname);
+ send_req_key(n);
+ }
return false;
}
return true;
origlen -= MTU/64 + 20;
}
+ if(inpkt->len > n->maxrecentlen)
+ n->maxrecentlen = inpkt->len;
+
inpkt->priority = 0;
if(!DATA(inpkt)[12] && !DATA(inpkt)[13])
receive_packet(c->node, &outpkt);
}
+bool receive_tcppacket_sptps(connection_t *c, const char *data, int len) {
+ if (len < sizeof(node_id_t) + sizeof(node_id_t)) {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Got too short TCP SPTPS packet from %s (%s)", c->name, c->hostname);
+ return false;
+ }
+
+ node_t *to = lookup_node_id((node_id_t *)data);
+ data += sizeof(node_id_t); len -= sizeof(node_id_t);
+ if(!to) {
+ logger(DEBUG_PROTOCOL, LOG_ERR, "Got TCP SPTPS packet from %s (%s) with unknown destination ID", c->name, c->hostname);
+ return true;
+ }
+
+ node_t *from = lookup_node_id((node_id_t *)data);
+ data += sizeof(node_id_t); len -= sizeof(node_id_t);
+ if(!from) {
+ logger(DEBUG_PROTOCOL, LOG_ERR, "Got TCP SPTPS packet from %s (%s) with unknown source ID", c->name, c->hostname);
+ return true;
+ }
+
+ if(!to->status.reachable) {
+ /* This can happen in the form of a race condition
+ if the node just became unreachable. */
+ logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot relay TCP packet from %s (%s) because the destination, %s (%s), is unreachable", from->name, from->hostname, to->name, to->hostname);
+ return true;
+ }
+
+ /* Help the sender reach us over UDP.
+ Note that we only do this if we're the destination or the static relay;
+ otherwise every hop would initiate its own UDP info message, resulting in elevated chatter. */
+ if(to->via == myself)
+ send_udp_info(myself, from);
+
+ /* If we're not the final recipient, relay the packet. */
+
+ if(to != myself) {
+ send_sptps_data(to, from, 0, data, len);
+ try_tx(to, true);
+ return true;
+ }
+
+ /* The packet is for us */
+
+ if(!sptps_receive_data(&from->sptps, data, len)) {
+ /* Uh-oh. It might be that the tunnel is stuck in some corrupted state,
+ so let's restart SPTPS in case that helps. But don't do that too often
+ to prevent storms. */
+ if(from->last_req_key < now.tv_sec - 10) {
+ logger(DEBUG_PROTOCOL, LOG_ERR, "Failed to decode raw TCP packet from %s (%s), restarting SPTPS", from->name, from->hostname);
+ send_req_key(from);
+ }
+ return true;
+ }
+
+ send_mtu_info(myself, from, MTU);
+ return true;
+}
+
static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
if(!n->status.validkey && !n->connection)
return;
vpn_packet_t *outpkt;
int origlen = origpkt->len;
size_t outlen;
-#if defined(SOL_IP) && defined(IP_TOS)
- static int priority = 0;
int origpriority = origpkt->priority;
-#endif
pkt1.offset = DEFAULT_PACKET_OFFSET;
pkt2.offset = DEFAULT_PACKET_OFFSET;
if(!sa)
choose_udp_address(n, &sa, &sock);
+ if(priorityinheritance && origpriority != listen_socket[sock].priority) {
+ listen_socket[sock].priority = origpriority;
+ switch(sa->sa.sa_family) {
#if defined(SOL_IP) && defined(IP_TOS)
- if(priorityinheritance && origpriority != priority
- && listen_socket[n->sock].sa.sa.sa_family == AF_INET) {
- priority = origpriority;
- logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
- if(setsockopt(listen_socket[n->sock].udp.fd, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
- logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
- }
+ case AF_INET:
+ logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting IPv4 outgoing packet priority to %d", origpriority);
+ if(setsockopt(listen_socket[sock].udp.fd, SOL_IP, IP_TOS, &origpriority, sizeof origpriority)) /* SO_PRIORITY doesn't seem to work */
+ logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
+ break;
+#endif
+#if defined(IPPROTO_IPV6) & defined(IPV6_TCLASS)
+ case AF_INET6:
+ logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting IPv6 outgoing packet priority to %d", origpriority);
+ if(setsockopt(listen_socket[sock].udp.fd, IPPROTO_IPV6, IPV6_TCLASS, &origpriority, sizeof origpriority)) /* SO_PRIORITY doesn't seem to work */
+ logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
+ break;
#endif
+ default:
+ break;
+ }
+ }
if(sendto(listen_socket[sock].udp.fd, SEQNO(inpkt), inpkt->len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
if(sockmsgsize(sockerrno)) {
#endif
}
-static bool send_sptps_data_priv(node_t *to, node_t *from, int type, const void *data, size_t len) {
+bool send_sptps_data(node_t *to, node_t *from, int type, const void *data, size_t len) {
node_t *relay = (to->via != myself && (type == PKT_PROBE || (len - SPTPS_DATAGRAM_OVERHEAD) <= to->via->minmtu)) ? to->via : to->nexthop;
bool direct = from == myself && to == relay;
bool relay_supported = (relay->options >> 24) >= 4;
bool tcponly = (myself->options | relay->options) & OPTION_TCPONLY;
- /* Send it via TCP if it is a handshake packet, TCPOnly is in use, this is a relay packet that the other node cannot understand, or this packet is larger than the MTU.
- TODO: When relaying, the original sender does not know the end-to-end PMTU (it only knows the PMTU of the first hop).
- This can lead to scenarios where large packets are sent over UDP to relay, but then relay has no choice but fall back to TCP. */
+ /* Send it via TCP if it is a handshake packet, TCPOnly is in use, this is a relay packet that the other node cannot understand, or this packet is larger than the MTU. */
if(type == SPTPS_HANDSHAKE || tcponly || (!direct && !relay_supported) || (type != PKT_PROBE && (len - SPTPS_DATAGRAM_OVERHEAD) > relay->minmtu)) {
+ if(type != SPTPS_HANDSHAKE && (to->nexthop->connection->options >> 24) >= 7) {
+ char buf[len + sizeof to->id + sizeof from->id]; char* buf_ptr = buf;
+ memcpy(buf_ptr, &to->id, sizeof to->id); buf_ptr += sizeof to->id;
+ memcpy(buf_ptr, &from->id, sizeof from->id); buf_ptr += sizeof from->id;
+ memcpy(buf_ptr, data, len); buf_ptr += len;
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s) (TCP)", from->name, from->hostname, to->name, to->hostname, to->nexthop->name, to->nexthop->hostname);
+ return send_sptps_tcppacket(to->nexthop->connection, buf, sizeof buf);
+ }
+
char buf[len * 4 / 3 + 5];
b64encode(data, buf, len);
- /* If no valid key is known yet, send the packets using ANS_KEY requests,
- to ensure we get to learn the reflexive UDP address. */
- if(from == myself && !to->status.validkey) {
+ /* If this is a handshake packet, use ANS_KEY instead of REQ_KEY, for two reasons:
+ - We don't want intermediate nodes to switch to UDP to relay these packets;
+ - ANS_KEY allows us to learn the reflexive UDP address. */
+ if(type == SPTPS_HANDSHAKE) {
to->incompression = myself->incompression;
return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, from->name, to->name, buf, to->incompression);
} else {
- return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, from->name, to->name, REQ_SPTPS, buf);
+ return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, from->name, to->name, SPTPS_PACKET, buf);
}
}
choose_local_address(relay, &sa, &sock);
if(!sa)
choose_udp_address(relay, &sa, &sock);
- logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s)", from->name, from->hostname, to->name, to->hostname, relay->name, relay->hostname);
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s) (UDP)", from->name, from->hostname, to->name, to->hostname, relay->name, relay->hostname);
if(sendto(listen_socket[sock].udp.fd, buf, buf_ptr - buf, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
if(sockmsgsize(sockerrno)) {
// Compensate for SPTPS overhead
return true;
}
-bool send_sptps_data(void *handle, uint8_t type, const void *data, size_t len) {
- return send_sptps_data_priv(handle, myself, type, data, len);
-}
-
bool receive_sptps_record(void *handle, uint8_t type, const void *data, uint16_t len) {
node_t *from = handle;
inpkt.offset = DEFAULT_PACKET_OFFSET;
if(type == PKT_PROBE) {
+ if(!from->status.udppacket) {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Got SPTPS PROBE packet from %s (%s) via TCP", from->name, from->hostname);
+ return false;
+ }
inpkt.len = len;
memcpy(DATA(&inpkt), data, len);
+ if(inpkt.len > from->maxrecentlen)
+ from->maxrecentlen = inpkt.len;
udp_probe_h(from, &inpkt, len);
return true;
}
}
}
+ if(from->status.udppacket && inpkt.len > from->maxrecentlen)
+ from->maxrecentlen = inpkt.len;
+
receive_packet(from, &inpkt);
return true;
}
if(!udp_discovery)
return;
+ /* Send gratuitous probe replies to 1.1 nodes. */
+
+ if((n->options >> 24) >= 3 && n->status.udp_confirmed) {
+ struct timeval ping_tx_elapsed;
+ timersub(&now, &n->udp_reply_sent, &ping_tx_elapsed);
+
+ if(ping_tx_elapsed.tv_sec >= udp_discovery_keepalive_interval - 1) {
+ n->udp_reply_sent = now;
+ if(n->maxrecentlen) {
+ vpn_packet_t pkt;
+ pkt.len = n->maxrecentlen;
+ pkt.offset = DEFAULT_PACKET_OFFSET;
+ memset(DATA(&pkt), 0, 14);
+ randomize(DATA(&pkt) + 14, MIN_PROBE_SIZE - 14);
+ send_udp_probe_reply(n, &pkt, pkt.len);
+ n->maxrecentlen = 0;
+ }
+ }
+ }
+
+ /* Probe request */
+
struct timeval ping_tx_elapsed;
timersub(&now, &n->udp_ping_sent, &ping_tx_elapsed);
int interval = n->status.udp_confirmed ? udp_discovery_keepalive_interval : udp_discovery_interval;
if(ping_tx_elapsed.tv_sec >= interval) {
- send_udp_probe_packet(n, MAX(n->minmtu, 16));
+ send_udp_probe_packet(n, MIN_PROBE_SIZE);
n->udp_ping_sent = now;
if(localdiscovery && !n->status.udp_confirmed && n->prevedge) {
n->status.send_locally = true;
- send_udp_probe_packet(n, 16);
+ send_udp_probe_packet(n, MIN_PROBE_SIZE);
n->status.send_locally = false;
}
}
mtu -= SPTPS_DATAGRAM_OVERHEAD;
if((n->options >> 24) >= 4)
mtu -= sizeof(node_id_t) + sizeof(node_id_t);
+#ifndef DISABLE_LEGACY
} else {
mtu -= digest_length(n->outdigest);
}
mtu -= 4; // seqno
+#endif
}
if (mtu < 512) {
return;
if(udp_discovery && !n->status.udp_confirmed) {
+ n->maxrecentlen = 0;
n->mtuprobes = 0;
n->minmtu = 0;
n->maxmtu = MTU;
/* mtuprobes == 0..19: initial discovery, send bursts with 1 second interval, mtuprobes++
mtuprobes == 20: fix MTU, and go to -1
- mtuprobes == -1: send one >maxmtu probe every pingtimeout */
+ mtuprobes == -1: send one maxmtu and one maxmtu+1 probe every pinginterval
+ mtuprobes ==-2..-3: send one maxmtu probe every second
+ mtuprobes == -4: maxmtu no longer valid, reset minmtu and maxmtu and go to 0 */
struct timeval elapsed;
- timersub(&now, &n->probe_sent_time, &elapsed);
+ timersub(&now, &n->mtu_ping_sent, &elapsed);
if(n->mtuprobes >= 0) {
if(n->mtuprobes != 0 && elapsed.tv_sec == 0 && elapsed.tv_usec < 333333)
return;
} else {
- if(elapsed.tv_sec < pingtimeout)
- return;
+ if(n->mtuprobes < -1) {
+ if(elapsed.tv_sec < 1)
+ return;
+ } else {
+ if(elapsed.tv_sec < pinginterval)
+ return;
+ }
}
+ n->mtu_ping_sent = now;
+
try_fix_mtu(n);
+ if(n->mtuprobes < -3) {
+ /* We lost three MTU probes, restart discovery */
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Decrease in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
+ n->mtuprobes = 0;
+ n->minmtu = 0;
+ }
+
if(n->mtuprobes < 0) {
- /* After the initial discovery, we only send one >maxmtu probe
- to detect PMTU increases. */
- if(n->maxmtu + 1 < MTU)
+ /* After the initial discovery, we only send one maxmtu and one
+ maxmtu+1 probe to detect PMTU increases. */
+ send_udp_probe_packet(n, n->maxmtu);
+ if(n->mtuprobes == -1 && n->maxmtu + 1 < MTU)
send_udp_probe_packet(n, n->maxmtu + 1);
+ n->mtuprobes--;
} else {
/* Before initial discovery begins, set maxmtu to the most likely value.
If it's underestimated, we will correct it after initial discovery. */
if(n->mtuprobes >= 0)
n->mtuprobes++;
}
-
- n->probe_counter = 0;
- n->probe_sent_time = now;
- n->probe_time = now;
-
- /* Calculate the packet loss of incoming traffic by comparing the rate of
- packets received to the rate with which the sequence number has increased.
- TODO: this is unrelated to PMTU discovery - it should be moved elsewhere.
- */
-
- if(n->received > n->prev_received)
- n->packetloss = 1.0 - (n->received - n->prev_received) / (float)(n->received_seqno - n->prev_received_seqno);
- else
- n->packetloss = n->received_seqno <= n->prev_received_seqno;
-
- n->prev_received_seqno = n->received_seqno;
- n->prev_received = n->received;
}
/* These functions try to establish a tunnel to a node (or its relay) so that
try_sptps(n);
- /* Do we need to relay packets? */
+ /* Do we need to statically relay packets? */
node_t *via = (n->via == myself) ? n->nexthop : n->via;
- /* If the relay doesn't support SPTPS, everything goes via TCP anyway. */
-
- if((via->options >> 24) < 4)
- return;
+ /* If we do have a static relay, try everything with that one instead, if it supports relaying. */
- /* If we do have a relay, try everything with that one instead. */
+ if(via != n) {
+ if((via->options >> 24) < 4)
+ return;
+ return try_tx(via, mtu);
+ }
- if(via != n)
- return try_tx_sptps(via, mtu);
+ /* Otherwise, try to establish UDP connectivity. */
try_udp(n);
if(mtu)
try_mtu(n);
+
+ /* If we don't have UDP connectivity (yet), we need to use a dynamic relay (nexthop)
+ while we try to establish direct connectivity. */
+
+ if(!n->status.udp_confirmed && n != n->nexthop && (n->nexthop->options >> 24) >= 4)
+ try_tx(n->nexthop, mtu);
}
static void try_tx_legacy(node_t *n, bool mtu) {
}
void try_tx(node_t *n, bool mtu) {
+ if(!n->status.reachable)
+ return;
if(n->status.sptps)
try_tx_sptps(n, mtu);
else
// If it's for myself, write it to the tun/tap device.
if(n == myself) {
- if(overwrite_mac)
+ if(overwrite_mac) {
memcpy(DATA(packet), mymac.x, ETH_ALEN);
+ // Use an arbitrary fake source address.
+ memcpy(DATA(packet) + ETH_ALEN, DATA(packet), ETH_ALEN);
+ DATA(packet)[ETH_ALEN * 2 - 1] ^= 0xFF;
+ }
n->out_packets++;
n->out_bytes += packet->len;
devops.write(packet);
if(n->status.sptps) {
send_sptps_packet(n, packet);
- try_tx_sptps(n, true);
+ try_tx(n, true);
return;
}
}
send_udppacket(via, packet);
- try_tx_legacy(via, true);
+ try_tx(via, true);
}
void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
}
}
+/* We got a packet from some IP address, but we don't know who sent it. Try to
+ verify the message authentication code against all active session keys.
+ Since this is actually an expensive operation, we only do a full check once
+ a minute, the rest of the time we only check against nodes for which we know
+ an IP address that matches the one from the packet. */
+
static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
- node_t *n = NULL;
+ node_t *match = NULL;
bool hard = false;
static time_t last_hard_try = 0;
- for splay_each(edge_t, e, edge_weight_tree) {
- if(!e->to->status.reachable || e->to == myself)
+ for splay_each(node_t, n, node_tree) {
+ if(!n->status.reachable || n == myself)
+ continue;
+
+ if(!n->status.validkey_in && !(n->status.sptps && n->sptps.instate))
continue;
- if(sockaddrcmp_noport(from, &e->address)) {
+ bool soft = false;
+
+ for splay_each(edge_t, e, n->edge_tree) {
+ if(!e->reverse)
+ continue;
+ if(!sockaddrcmp_noport(from, &e->reverse->address)) {
+ soft = true;
+ break;
+ }
+ }
+
+ if(!soft) {
if(last_hard_try == now.tv_sec)
continue;
hard = true;
}
- if(!try_mac(e->to, pkt))
+ if(!try_mac(n, pkt))
continue;
- n = e->to;
+ match = n;
break;
}
if(hard)
last_hard_try = now.tv_sec;
- last_hard_try = now.tv_sec;
- return n;
+ return match;
}
-void handle_incoming_vpn_data(void *data, int flags) {
- listen_socket_t *ls = data;
- vpn_packet_t pkt;
+static void handle_incoming_vpn_packet(listen_socket_t *ls, vpn_packet_t *pkt, sockaddr_t *addr) {
char *hostname;
node_id_t nullid = {};
- sockaddr_t addr = {};
- socklen_t addrlen = sizeof addr;
node_t *from, *to;
bool direct = false;
- pkt.offset = 0;
- int len = recvfrom(ls->udp.fd, DATA(&pkt), MAXSIZE, 0, &addr.sa, &addrlen);
-
- if(len <= 0 || len > MAXSIZE) {
- if(!sockwouldblock(sockerrno))
- logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
- return;
- }
-
- pkt.len = len;
-
- sockaddrunmap(&addr); /* Some braindead IPv6 implementations do stupid things. */
+ sockaddrunmap(addr); /* Some braindead IPv6 implementations do stupid things. */
// Try to figure out who sent this packet.
- node_t *n = lookup_node_udp(&addr);
+ node_t *n = lookup_node_udp(addr);
+
+ if(n && !n->status.udp_confirmed)
+ n = NULL; // Don't believe it if we don't have confirmation yet.
if(!n) {
// It might be from a 1.1 node, which might have a source ID in the packet.
- pkt.offset = 2 * sizeof(node_id_t);
- from = lookup_node_id(SRCID(&pkt));
- if(from && !memcmp(DSTID(&pkt), &nullid, sizeof nullid) && from->status.sptps) {
- if(sptps_verify_datagram(&from->sptps, DATA(&pkt), pkt.len - 2 * sizeof(node_id_t)))
+ pkt->offset = 2 * sizeof(node_id_t);
+ from = lookup_node_id(SRCID(pkt));
+ if(from && !memcmp(DSTID(pkt), &nullid, sizeof nullid) && from->status.sptps) {
+ if(sptps_verify_datagram(&from->sptps, DATA(pkt), pkt->len - 2 * sizeof(node_id_t)))
n = from;
else
goto skip_harder;
}
if(!n) {
- pkt.offset = 0;
- n = try_harder(&addr, &pkt);
+ pkt->offset = 0;
+ n = try_harder(addr, pkt);
}
skip_harder:
if(!n) {
if(debug_level >= DEBUG_PROTOCOL) {
- hostname = sockaddr2hostname(&addr);
+ hostname = sockaddr2hostname(addr);
logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
free(hostname);
}
return;
}
+ pkt->offset = 0;
+
if(n->status.sptps) {
- pkt.offset = 2 * sizeof(node_id_t);
+ bool relay_enabled = (n->options >> 24) >= 4;
+ if (relay_enabled) {
+ pkt->offset = 2 * sizeof(node_id_t);
+ pkt->len -= pkt->offset;
+ }
- if(!memcmp(DSTID(&pkt), &nullid, sizeof nullid)) {
+ if(!memcmp(DSTID(pkt), &nullid, sizeof nullid) || !relay_enabled) {
direct = true;
from = n;
to = myself;
} else {
- from = lookup_node_id(SRCID(&pkt));
- to = lookup_node_id(DSTID(&pkt));
+ from = lookup_node_id(SRCID(pkt));
+ to = lookup_node_id(DSTID(pkt));
}
if(!from || !to) {
logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from %s (%s) with unknown source and/or destination ID", n->name, n->hostname);
return;
}
+ if(!to->status.reachable) {
+ /* This can happen in the form of a race condition
+ if the node just became unreachable. */
+ logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot relay packet from %s (%s) because the destination, %s (%s), is unreachable", from->name, from->hostname, to->name, to->hostname);
+ return;
+ }
+
+ /* The packet is supposed to come from the originator or its static relay
+ (i.e. with no dynamic relays in between).
+ If it did not, "help" the static relay by sending it UDP info.
+ Note that we only do this if we're the destination or the static relay;
+ otherwise every hop would initiate its own UDP info message, resulting in elevated chatter. */
+
+ if(n != from->via && to->via == myself)
+ send_udp_info(myself, from);
+
+ /* If we're not the final recipient, relay the packet. */
+
if(to != myself) {
- send_sptps_data_priv(to, n, 0, DATA(&pkt), pkt.len - 2 * sizeof(node_id_t));
+ send_sptps_data(to, from, 0, DATA(pkt), pkt->len);
+ try_tx(to, true);
return;
}
} else {
from = n;
}
- pkt.offset = 0;
- if(!receive_udppacket(from, &pkt))
+ if(!receive_udppacket(from, pkt))
return;
n->sock = ls - listen_socket;
- if(direct && sockaddrcmp(&addr, &n->address))
- update_node_udp(n, &addr);
+ if(direct && sockaddrcmp(addr, &n->address))
+ update_node_udp(n, addr);
+
+ /* If the packet went through a relay, help the sender find the appropriate MTU
+ through the relay path. */
+
+ if(!direct)
+ send_mtu_info(myself, n, MTU);
+}
+
+void handle_incoming_vpn_data(void *data, int flags) {
+ listen_socket_t *ls = data;
+
+#ifdef HAVE_RECVMMSG
+#define MAX_MSG 64
+ static int num = MAX_MSG;
+ static vpn_packet_t pkt[MAX_MSG];
+ static sockaddr_t addr[MAX_MSG];
+ static struct mmsghdr msg[MAX_MSG];
+ static struct iovec iov[MAX_MSG];
+
+ for(int i = 0; i < num; i++) {
+ pkt[i].offset = 0;
+
+ iov[i] = (struct iovec){
+ .iov_base = DATA(&pkt[i]),
+ .iov_len = MAXSIZE,
+ };
+
+ msg[i].msg_hdr = (struct msghdr){
+ .msg_name = &addr[i].sa,
+ .msg_namelen = sizeof addr[i],
+ .msg_iov = &iov[i],
+ .msg_iovlen = 1,
+ };
+ }
+
+ num = recvmmsg(ls->udp.fd, msg, MAX_MSG, MSG_DONTWAIT, NULL);
+
+ if(num < 0) {
+ if(!sockwouldblock(sockerrno))
+ logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
+ return;
+ }
+
+ for(int i = 0; i < num; i++) {
+ pkt[i].len = msg[i].msg_len;
+ if(pkt[i].len <= 0 || pkt[i].len > MAXSIZE)
+ continue;
+ handle_incoming_vpn_packet(ls, &pkt[i], &addr[i]);
+ }
+#else
+ vpn_packet_t pkt;
+ sockaddr_t addr = {};
+ socklen_t addrlen = sizeof addr;
+
+ pkt.offset = 0;
+ int len = recvfrom(ls->udp.fd, DATA(&pkt), MAXSIZE, 0, &addr.sa, &addrlen);
+
+ if(len <= 0 || len > MAXSIZE) {
+ if(!sockwouldblock(sockerrno))
+ logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
+ return;
+ }
+
+ pkt.len = len;
+
+ handle_incoming_vpn_packet(ls, &pkt, &addr);
+#endif
}
void handle_device_data(void *data, int flags) {