From: Etienne Dechamps Date: Mon, 29 Dec 2014 10:34:39 +0000 (+0000) Subject: Add UDP discovery mechanism. X-Git-Tag: release-1.1pre12~244 X-Git-Url: https://tinc-vpn.org/git/browse?a=commitdiff_plain;h=7939ee12836bf2ef772f2a6a1e805ee0d64a8e70;p=tinc Add UDP discovery mechanism. This adds a new mechanism by which tinc can determine if a node is reachable via UDP. The new mechanism is currently redundant with the PMTU discovery mechanism - that will be fixed in a future commit. Conceptually, the UDP discovery mechanism works similarly to PMTU discovery: it sends UDP probes (of minmtu size, to make sure the tunnel is fully usable), and assumes UDP is usable if it gets replies. It assumes UDP is broken if too much time has passed since the last reply. The big difference with the current PMTU discovery mechanism, however, is that UDP discovery probes are only triggered as part of the packet TX path (through try_tx()). This is quite interesting, because it means tinc will never send UDP pings more often than normal packets, and most importantly, it will automatically stop sending pings as soon as packets stop flowing, thereby nicely reducing network chatter. Of course, there are small drawbacks in some edge cases: for example, if a node only sends one packet every minute to another node, these packets will only be sent over TCP, because the interval between packets is too long for tinc to maintain the UDP tunnel. I consider this a feature, not a bug: I believe it is appropriate to use TCP in scenarios where traffic is negligible, so that we don't pollute the network with pings just to maintain a UDP tunnel that's seeing negligible usage. --- diff --git a/bash_completion.d/tinc b/bash_completion.d/tinc index 240326f9..b5784e17 100644 --- a/bash_completion.d/tinc +++ b/bash_completion.d/tinc @@ -4,7 +4,7 @@ _tinc() { cur="${COMP_WORDS[COMP_CWORD]}" prev="${COMP_WORDS[COMP_CWORD-1]}" opts="-c -d -D -K -n -o -L -R -U --config --no-detach --debug --net --option --mlock --logfile --pidfile --chroot --user --help --version" - confvars="Address AddressFamily BindToAddress BindToInterface Broadcast BroadcastSubnet Cipher ClampMSS Compression ConnectTo DecrementTTL Device DeviceStandby DeviceType Digest DirectOnly Ed25519PrivateKeyFile Ed25519PublicKey Ed25519PublicKeyFile ExperimentalProtocol Forwarding GraphDumpFile Hostnames IffOneQueue IndirectData Interface KeyExpire ListenAddress LocalDiscovery MACExpire MACLength MaxOutputBufferSize MaxTimeout Mode Name PMTU PMTUDiscovery PingInterval PingTimeout Port PriorityInheritance PrivateKeyFile ProcessPriority Proxy PublicKeyFile ReplayWindow StrictSubnets Subnet TCPOnly TunnelServer UDPRcvBuf UDPSndBuf VDEGroup VDEPort Weight" + confvars="Address AddressFamily BindToAddress BindToInterface Broadcast BroadcastSubnet Cipher ClampMSS Compression ConnectTo DecrementTTL Device DeviceStandby DeviceType Digest DirectOnly Ed25519PrivateKeyFile Ed25519PublicKey Ed25519PublicKeyFile ExperimentalProtocol Forwarding GraphDumpFile Hostnames IffOneQueue IndirectData Interface KeyExpire ListenAddress LocalDiscovery MACExpire MACLength MaxOutputBufferSize MaxTimeout Mode Name PMTU PMTUDiscovery PingInterval PingTimeout Port PriorityInheritance PrivateKeyFile ProcessPriority Proxy PublicKeyFile ReplayWindow StrictSubnets Subnet TCPOnly TunnelServer UDPDiscovery UDPDiscoveryInterval UDPDiscoveryTimeout UDPRcvBuf UDPSndBuf VDEGroup VDEPort Weight" commands="add connect debug del disconnect dump edit export export-all generate-ed25519-keys generate-keys generate-rsa-keys get help import info init invite join log network pcap pid purge reload restart retry set start stop top version" case ${prev} in diff --git a/doc/tinc.conf.5.in b/doc/tinc.conf.5.in index 9d9bf76f..48c3df50 100644 --- a/doc/tinc.conf.5.in +++ b/doc/tinc.conf.5.in @@ -485,6 +485,18 @@ and will only allow connections with nodes for which host config files are prese .Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ directory. Setting this options also implicitly sets StrictSubnets. +.It Va UDPDiscovery Li = yes | no Po yes Pc +When this option is enabled tinc will try to establish UDP connectivity to nodes, +using TCP while it determines if a node is reachable over UDP. If it is disabled, +tinc always assumes a node is reachable over UDP. +Note that tinc will never use UDP with nodes that have +.Va TCPOnly +enabled. +.It Va UDPDiscoveryInterval Li = Ar seconds Pq 9 +The minimum amount of time between sending UDP ping datagrams to test UDP connectivity. +.It Va UDPDiscoveryTimeout Li = Ar seconds Pq 30 +If tinc doesn't receive any UDP ping replies over the specified interval, +it will assume UDP communication is broken and will fall back to TCP. .It Va UDPRcvBuf Li = Ar bytes Pq OS default Sets the socket receive buffer size for the UDP socket, in bytes. If unset, the default buffer size will be used by the operating system. diff --git a/doc/tinc.texi b/doc/tinc.texi index 2cb55a79..c940eddb 100644 --- a/doc/tinc.texi +++ b/doc/tinc.texi @@ -1232,6 +1232,22 @@ and will only allow connections with nodes for which host config files are prese @file{@value{sysconfdir}/tinc/@var{netname}/hosts/} directory. Setting this options also implicitly sets StrictSubnets. +@cindex UDPDiscovey +@item UDPDiscovery = (yes) +When this option is enabled tinc will try to establish UDP connectivity to nodes, +using TCP while it determines if a node is reachable over UDP. If it is disabled, +tinc always assumes a node is reachable over UDP. +Note that tinc will never use UDP with nodes that have TCPOnly enabled. + +@cindex UDPDiscoveryInterval +@item UDPDiscoveryInterval = (9) +The minimum amount of time between sending UDP ping datagrams to test UDP connectivity. + +@cindex UDPDiscoveryTimeout +@item UDPDiscoveryTimeout = (30) +If tinc doesn't receive any UDP ping replies over the specified interval, +it will assume UDP communication is broken and will fall back to TCP. + @cindex UDPRcvBuf @item UDPRcvBuf = (OS default) Sets the socket receive buffer size for the UDP socket, in bytes. diff --git a/src/graph.c b/src/graph.c index 70d65731..c0a5d0a6 100644 --- a/src/graph.c +++ b/src/graph.c @@ -241,6 +241,7 @@ static void check_reachability(void) { n->minmtu = 0; n->mtuprobes = 0; + timeout_del(&n->udp_ping_timeout); timeout_del(&n->mtutimeout); char *name; diff --git a/src/net.h b/src/net.h index dcc99a4a..35e87997 100644 --- a/src/net.h +++ b/src/net.h @@ -138,6 +138,10 @@ extern int addressfamily; extern unsigned replaywin; extern bool localdiscovery; +extern bool udp_discovery; +extern int udp_discovery_interval; +extern int udp_discovery_timeout; + extern listen_socket_t listen_socket[MAXSOCKETS]; extern int listen_sockets; extern io_t unix_socket; diff --git a/src/net_packet.c b/src/net_packet.c index 51237d20..131f52ec 100644 --- a/src/net_packet.c +++ b/src/net_packet.c @@ -59,10 +59,13 @@ static void send_udppacket(node_t *, vpn_packet_t *); unsigned replaywin = 16; bool localdiscovery = true; +bool udp_discovery = true; +int udp_discovery_interval = 9; +int udp_discovery_timeout = 30; #define MAX_SEQNO 1073741824 -static void send_mtu_probe_packet(node_t *n, int len) { +static void send_udp_probe_packet(node_t *n, int len) { vpn_packet_t packet; packet.offset = DEFAULT_PACKET_OFFSET; memset(DATA(&packet), 0, 14); @@ -70,7 +73,7 @@ static void send_mtu_probe_packet(node_t *n, int len) { packet.len = len; packet.priority = 0; - logger(DEBUG_TRAFFIC, LOG_INFO, "Sending MTU probe length %d to %s (%s)", len, n->name, n->hostname); + logger(DEBUG_TRAFFIC, LOG_INFO, "Sending UDP probe length %d to %s (%s)", len, n->name, n->hostname); send_udppacket(n, &packet); } @@ -131,7 +134,7 @@ static void send_mtu_probe_handler(void *data) { /* After the initial discovery, a fourth packet is added to each batch with a size larger than the currently known PMTU, to test if the PMTU has increased. */ if (n->mtuprobes >= 30 && n->maxmtu + 8 < MTU) - send_mtu_probe_packet(n, n->maxmtu + 8); + send_udp_probe_packet(n, n->maxmtu + 8); /* Probes are sent in batches of three, with random sizes between the lower and upper boundaries for the MTU thus far discovered. */ @@ -140,14 +143,14 @@ static void send_mtu_probe_handler(void *data) { if(n->minmtu < n->maxmtu) len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu); - send_mtu_probe_packet(n, MAX(len, 64)); + send_udp_probe_packet(n, MAX(len, 64)); } /* In case local discovery is enabled, another packet is added to each batch, which will be broadcast to the local network. */ if(localdiscovery && n->mtuprobes <= 10 && n->prevedge) { n->status.send_locally = true; - send_mtu_probe_packet(n, 16); + send_udp_probe_packet(n, 16); n->status.send_locally = false; } @@ -175,9 +178,21 @@ void send_mtu_probe(node_t *n) { send_mtu_probe_handler(n); } -static void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) { +static void udp_probe_timeout_handler(void *data) { + node_t *n = data; + if(!n->status.udp_confirmed) + return; + + logger(DEBUG_TRAFFIC, LOG_INFO, "Too much time has elapsed since last UDP ping response from %s (%s), stopping UDP communication", n->name, n->hostname); + n->status.udp_confirmed = false; + n->mtuprobes = 1; + n->minmtu = 0; + n->maxmtu = MTU; +} + +static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) { if(!DATA(packet)[0]) { - logger(DEBUG_TRAFFIC, LOG_INFO, "Got MTU probe request %d from %s (%s)", packet->len, n->name, n->hostname); + logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request %d from %s (%s)", packet->len, n->name, n->hostname); /* It's a probe request, send back a reply */ @@ -207,19 +222,23 @@ static void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) { length_t probelen = len; if (DATA(packet)[0] == 2) { if (len < 3) - logger(DEBUG_TRAFFIC, LOG_WARNING, "Received invalid (too short) MTU probe reply from %s (%s)", n->name, n->hostname); + logger(DEBUG_TRAFFIC, LOG_WARNING, "Received invalid (too short) UDP probe reply from %s (%s)", n->name, n->hostname); else { uint16_t probelen16; memcpy(&probelen16, DATA(packet) + 1, 2); probelen = ntohs(probelen16); } } - logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d MTU probe reply %d from %s (%s)", DATA(packet)[0], probelen, n->name, n->hostname); + logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], probelen, n->name, n->hostname); /* It's a valid reply: now we know bidirectional communication is possible using the address and socket that the reply packet used. */ - n->status.udp_confirmed = true; + if(udp_discovery) { + timeout_del(&n->udp_ping_timeout); + timeout_add(&n->udp_ping_timeout, &udp_probe_timeout_handler, n, &(struct timeval){udp_discovery_timeout, 0}); + } + /* If we haven't established the PMTU yet, restart the discovery process. */ if(n->mtuprobes > 30) { @@ -493,7 +512,7 @@ static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) { inpkt->priority = 0; if(!DATA(inpkt)[12] && !DATA(inpkt)[13]) - mtu_probe_h(n, inpkt, origlen); + udp_probe_h(n, inpkt, origlen); else receive_packet(n, inpkt); return true; @@ -860,7 +879,7 @@ bool receive_sptps_record(void *handle, uint8_t type, const void *data, uint16_t if(type == PKT_PROBE) { inpkt.len = len; memcpy(DATA(&inpkt), data, len); - mtu_probe_h(from, &inpkt, len); + udp_probe_h(from, &inpkt, len); return true; } @@ -935,6 +954,24 @@ static void try_sptps(node_t *n) { return; } +// This function tries to establish a UDP tunnel to a node so that packets can be sent. +// If a tunnel is already established, it makes sure it stays up. +// This function makes no guarantees - it is up to the caller to check the node's state to figure out if UDP is usable. +static void try_udp(node_t* n) { + if(!udp_discovery) + return; + + struct timeval now; + gettimeofday(&now, NULL); + struct timeval ping_tx_elapsed; + timersub(&now, &n->udp_ping_sent, &ping_tx_elapsed); + + if(ping_tx_elapsed.tv_sec >= udp_discovery_interval) { + send_udp_probe_packet(n, MAX(n->minmtu, 16)); + n->udp_ping_sent = now; + } +} + // This function tries to establish a tunnel to a node (or its relay) so that packets can be sent (e.g. get SPTPS keys). // If a tunnel is already established, it tries to improve it (e.g. by trying to establish a UDP tunnel instead of TCP). // This function makes no guarantees - it is up to the caller to check the node's state to figure out if TCP and/or UDP is usable. @@ -958,7 +995,8 @@ static void try_tx(node_t *n) { if(!n->status.sptps && !via->status.validkey && via->last_req_key + 10 <= now.tv_sec) { send_req_key(via); via->last_req_key = now.tv_sec; - } + } else if(via == n || !n->status.sptps || (via->options >> 24) >= 4) + try_udp(via); /* If we don't know how to reach "via" yet, then try to reach it through a relay. */ if(n->status.sptps && !via->status.udp_confirmed && via->nexthop != via && (via->nexthop->options >> 24) >= 4) diff --git a/src/net_setup.c b/src/net_setup.c index 1007f699..97f3d2a4 100644 --- a/src/net_setup.c +++ b/src/net_setup.c @@ -510,6 +510,10 @@ bool setup_myself_reloadable(void) { if(myself->options & OPTION_TCPONLY) myself->options |= OPTION_INDIRECT; + get_config_bool(lookup_config(config_tree, "UDPDiscovery"), &udp_discovery); + get_config_int(lookup_config(config_tree, "UDPDiscoveryInterval"), &udp_discovery_interval); + get_config_int(lookup_config(config_tree, "UDPDiscoveryTimeout"), &udp_discovery_timeout); + get_config_bool(lookup_config(config_tree, "DirectOnly"), &directonly); get_config_bool(lookup_config(config_tree, "LocalDiscovery"), &localdiscovery); diff --git a/src/node.c b/src/node.c index 71f55b85..0da7e605 100644 --- a/src/node.c +++ b/src/node.c @@ -92,6 +92,7 @@ void free_node(node_t *n) { ecdsa_free(n->ecdsa); sptps_stop(&n->sptps); + timeout_del(&n->udp_ping_timeout); timeout_del(&n->mtutimeout); if(n->hostname) diff --git a/src/node.h b/src/node.h index bd10add7..1863db94 100644 --- a/src/node.h +++ b/src/node.h @@ -87,6 +87,9 @@ typedef struct node_t { uint32_t farfuture; /* Packets in a row that have arrived from the far future */ unsigned char* late; /* Bitfield marking late packets */ + struct timeval udp_ping_sent; /* Last time a ping probe was sent */ + timeout_t udp_ping_timeout; /* Ping timeout event */ + length_t mtu; /* Maximum size of packets to send to this node */ length_t minmtu; /* Probed minimum MTU */ length_t maxmtu; /* Probed maximum MTU */ diff --git a/src/tincctl.c b/src/tincctl.c index ba536197..2e382035 100644 --- a/src/tincctl.c +++ b/src/tincctl.c @@ -1364,6 +1364,9 @@ const var_t variables[] = { {"ScriptsInterpreter", VAR_SERVER}, {"StrictSubnets", VAR_SERVER}, {"TunnelServer", VAR_SERVER}, + {"UDPDiscovery", VAR_SERVER}, + {"UDPDiscoveryInterval", VAR_SERVER}, + {"UDPDiscoveryTimeout", VAR_SERVER}, {"UDPRcvBuf", VAR_SERVER}, {"UDPSndBuf", VAR_SERVER}, {"VDEGroup", VAR_SERVER},