tinc
9 years agoTry to reply with node address only when decrementing the TTL.
Vittorio Gambaletta (VittGam) [Fri, 4 Sep 2015 15:04:03 +0000 (17:04 +0200)]
Try to reply with node address only when decrementing the TTL.

Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>
9 years agoFix source IP address for ICMP unreachable packets generated by tinc.
Vittorio Gambaletta (VittGam) [Fri, 4 Sep 2015 02:00:57 +0000 (04:00 +0200)]
Fix source IP address for ICMP unreachable packets generated by tinc.

Try to send ICMP unreachable replies from an address assigned to the
local machine, instead of the destination address of the original
packet.

The address is found by looking up the route towards the sender of
the packet that generated the error; in usual configurations, this
is the tinc interface.

This also fixes the traceroute display in mtr when using the
DecrementTTL option.

Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>
9 years agoFix DecrementTTL option.
Vittorio Gambaletta (VittGam) [Thu, 3 Sep 2015 14:02:50 +0000 (16:02 +0200)]
Fix DecrementTTL option.

The option was not actually working, as it could be seen on traceroute or mtr.

The problem is that it was checking if the TTL was < 1 (so equal to 0) before decrementing it.

This meant that a packet with a TTL of 1 was being sent with a TTL of 0 on the VPN, instead of being discarded with the ICMP error message.

Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>
9 years agoFix NAME variable in subnet-* scripts for local subnets.
Florian Weik [Fri, 28 Aug 2015 12:52:21 +0000 (14:52 +0200)]
Fix NAME variable in subnet-* scripts for local subnets.

9 years agoReleasing 1.0.26. release-1.0.26
Guus Sliepen [Sun, 5 Jul 2015 14:12:07 +0000 (16:12 +0200)]
Releasing 1.0.26.

9 years agoDon't try to call res_init() if ./configure told us it doesn't exist.
Guus Sliepen [Sun, 5 Jul 2015 14:04:11 +0000 (16:04 +0200)]
Don't try to call res_init() if ./configure told us it doesn't exist.

9 years agoFix unputenv() on Windows.
Guus Sliepen [Sun, 5 Jul 2015 14:03:22 +0000 (16:03 +0200)]
Fix unputenv() on Windows.

9 years agoOnly check for -fno-strict-overflow if -fwrapv does not work.
Guus Sliepen [Sun, 5 Jul 2015 14:03:03 +0000 (16:03 +0200)]
Only check for -fno-strict-overflow if -fwrapv does not work.

9 years agoAttribution for various contributors.
Guus Sliepen [Sun, 5 Jul 2015 13:31:24 +0000 (15:31 +0200)]
Attribution for various contributors.

9 years agoUpdate copyright notices.
Guus Sliepen [Sun, 5 Jul 2015 13:26:57 +0000 (15:26 +0200)]
Update copyright notices.

9 years agoFix spelling of FORTIFY_SOURCE.
Guus Sliepen [Sun, 5 Jul 2015 13:26:03 +0000 (15:26 +0200)]
Fix spelling of FORTIFY_SOURCE.

9 years agoFix autoconf check for function attributes.
Guus Sliepen [Sun, 7 Jun 2015 20:25:22 +0000 (22:25 +0200)]
Fix autoconf check for function attributes.

GCC warns when a function attribute has no effect. The autoconf check
turns warnings about attributes into errors, therefore thinking that
they did not work. The reason was that the test function returned void,
which is not suitable for checking both __malloc__ and
__warn_unused_result__.

9 years agoReturn non-zero exit code when encountering configuration errors during startup.
Guus Sliepen [Sun, 5 Jul 2015 12:42:18 +0000 (14:42 +0200)]
Return non-zero exit code when encountering configuration errors during startup.

9 years agofix musl compatibility
Jo-Philipp Wich [Thu, 18 Jun 2015 21:58:31 +0000 (23:58 +0200)]
fix musl compatibility

Let configure include sys/if_tun.h when testing for netinet/if_ether.h
to detect the Kernel/libc header conflict on musl.

After this patch, configure will correctly detect netinet/if_ether.h as
unusable and the subsequent compilation will not attempt to use it.

9 years agoNever call putenv() with data on the stack.
Guus Sliepen [Sun, 3 May 2015 18:06:12 +0000 (20:06 +0200)]
Never call putenv() with data on the stack.

Even though we are using putenv() here to remove items from the
environment, there is no guarantee that putenv() doesn't add the
argument to the environment anyway. In that case, we have to make sure
that it doesn't go away. We also don't want a memory leak, so keep a
list of things we unputenv()ed around, so we can reuse things.

Thanks to Poul-Henning Kamp for pointing out this problem.

9 years agoFix --logfile without a filename on Windows.
Guus Sliepen [Tue, 14 Apr 2015 09:20:24 +0000 (11:20 +0200)]
Fix --logfile without a filename on Windows.

On Windows, the log filename now defaults to "tinc.log" in the same
directory as tinc.conf.

9 years agoAlways call res_init() before getaddrinfo().
Guus Sliepen [Mon, 9 Feb 2015 14:06:12 +0000 (15:06 +0100)]
Always call res_init() before getaddrinfo().

Unfortunately, glibc assumes that /etc/resolv.conf is a static file that
never changes. Even on servers, /etc/resolv.conf might be a dynamically
generated file, and we never know when it changes. So just call
res_init() every time, so glibc uses up-to-date nameserver information.

9 years agoAttribution for Saverio Proto.
Guus Sliepen [Mon, 9 Feb 2015 14:05:57 +0000 (15:05 +0100)]
Attribution for Saverio Proto.

9 years agoUse VittGam's real name.
Guus Sliepen [Mon, 22 Dec 2014 19:57:38 +0000 (20:57 +0100)]
Use VittGam's real name.

9 years agoReleasing 1.0.25. release-1.0.25
Guus Sliepen [Mon, 22 Dec 2014 17:20:25 +0000 (18:20 +0100)]
Releasing 1.0.25.

9 years agoCheck whether res_init() really lives in libresolv.
Guus Sliepen [Mon, 22 Dec 2014 17:17:11 +0000 (18:17 +0100)]
Check whether res_init() really lives in libresolv.

On some platforms (Mac OS X for example), the res_init() function requires
linking with libresolv. On others (Linux, OpenBSD for example), res_init()
lives in libc.

9 years agoUpdate documentation for Mac OS X.
Guus Sliepen [Mon, 22 Dec 2014 15:29:23 +0000 (16:29 +0100)]
Update documentation for Mac OS X.

9 years agoAutomatically choose a tap device on Mac OS X when using switch Mode.
Guus Sliepen [Mon, 22 Dec 2014 15:28:41 +0000 (16:28 +0100)]
Automatically choose a tap device on Mac OS X when using switch Mode.

9 years agoAttribution for various contributors.
Guus Sliepen [Mon, 22 Dec 2014 14:33:35 +0000 (15:33 +0100)]
Attribution for various contributors.

9 years agoRemember ToS/Diffserv priority for each socket individually.
Guus Sliepen [Mon, 22 Dec 2014 14:18:17 +0000 (15:18 +0100)]
Remember ToS/Diffserv priority for each socket individually.

9 years agoSupport ToS/DiffServ priority handling for IPv6 meta and UDP connections.
VittGam [Sun, 21 Dec 2014 13:29:40 +0000 (14:29 +0100)]
Support ToS/DiffServ priority handling for IPv6 meta and UDP connections.

10 years agoConfigure minimum reconnect timeouts.
Tomislav Čohar [Tue, 26 Aug 2014 22:25:12 +0000 (00:25 +0200)]
Configure minimum reconnect timeouts.

Enable the configuration of minimum reconnect timeout via a
configuration directive "MinTimeout". This functionality is missing in
the default tinc stable distribution. The minimum timeout is, in code,
set to 0 seconds. This patch makes it configurable.

You might ask yourself why is that needed at all ?

Well, we've been using tinc with success for quite some time in a cross DC
setup. Tinc is used to create a virtual network switch and to connect our
distributed database nodes into a virtual local network. Our database nodes
exchange information, synchronize and do failover over the created
tinc-backed network.

Every now and then, when a node has a physical networking issue and is
unreachable by some or all neighboring nodes, tinc will relay traffic over
reachable neighboring nodes and thus save our cluster. But, sometimes,
especially when BGP route changes take place, minor outages of physical
connectivity towards some nodes may cause tinc to become as reliable as
packet-loss is :).

Tinc is fast, it can and does re-establish a lost connection in a jiffy,
but it cannot detect the reason for the loss of the connection. A
re-established connection might last for a few seconds (ping timeout) to
get lost again just because the packet loss is huge at that time. Then it
reconnects again and the story repeats itself.

This process keeps repeating until the physical network stabilizes. Packet
loss on a physical link means disaster in a database replication scenario.
In such cases it is better for tinc to remain disconnected from the
unreachable/destabilized nodes for some time and relay traffic over the
reachable (unaffected) nodes then to use an unreliable route.

This patch enables us to slow down the re-connection process and eliminate
application level issues we had.

10 years agoFixed tinc-up script calling on Win32.
Borg [Sat, 28 Jun 2014 12:58:09 +0000 (14:58 +0200)]
Fixed tinc-up script calling on Win32.

It was called too early. Simple sleep fixes the issue.

10 years agoGet MAC of TAP device.
Borg [Sat, 28 Jun 2014 12:33:07 +0000 (14:33 +0200)]
Get MAC of TAP device.

This fixes initial communication problems since
mymac is NOT properly initialized.

10 years agoFix some typos in the manual.
Jochen Voss [Thu, 26 Jun 2014 11:10:46 +0000 (12:10 +0100)]
Fix some typos in the manual.

10 years agoFixed scripts calling under Win32.
Borg [Mon, 23 Jun 2014 21:13:03 +0000 (23:13 +0200)]
Fixed scripts calling under Win32.

When using 'ScriptsInterpreter' variable, we incorrectly
checked for '.bat' ending scripts while later building
scriptname without extension.

10 years agoAdd support to link against libresolv Mac OS X
Alexis Hildebrandt [Sun, 22 Jun 2014 14:43:15 +0000 (16:43 +0200)]
Add support to link against libresolv Mac OS X

10 years agoUse the description from the 1.1 man page for the IndirectData option
Baptiste Jonglez [Fri, 20 Jun 2014 06:56:30 +0000 (15:56 +0900)]
Use the description from the 1.1 man page for the IndirectData option

10 years agoFix date of last NEWS entry.
Guus Sliepen [Sun, 15 Jun 2014 10:06:20 +0000 (12:06 +0200)]
Fix date of last NEWS entry.

10 years agoUpdate README.android
David Pflug [Wed, 11 Jun 2014 12:00:02 +0000 (08:00 -0400)]
Update README.android

- More openssl security fixes.
- The tinc repo doesn't need to be cloned into openssl's directory.

10 years agoReleasing 1.0.24. release-1.0.24
Guus Sliepen [Sun, 11 May 2014 15:22:22 +0000 (17:22 +0200)]
Releasing 1.0.24.

10 years agoRemove the warnings when IP_DONTFRAGMENT/IPV6-DONTFRAG is not supported.
Guus Sliepen [Sun, 11 May 2014 15:11:02 +0000 (17:11 +0200)]
Remove the warnings when IP_DONTFRAGMENT/IPV6-DONTFRAG is not supported.

There is nothing we can do about it, and tinc will run fine anyway.

10 years agoFIx the autoconf checks for res_init().
Guus Sliepen [Sun, 11 May 2014 15:09:25 +0000 (17:09 +0200)]
FIx the autoconf checks for res_init().

10 years agoFix a bug that could prevent tinc from starting correctly on Windows.
Guus Sliepen [Sun, 11 May 2014 15:07:44 +0000 (17:07 +0200)]
Fix a bug that could prevent tinc from starting correctly on Windows.

10 years agoDrop h and hh length modifiers from printf format strings.
Guus Sliepen [Sun, 11 May 2014 14:35:37 +0000 (16:35 +0200)]
Drop h and hh length modifiers from printf format strings.

C already guarantees that chars and shorts get passed as int. The few uses in tinc are mainly
to print fields of struct addrinfo, and fields like ai_family have different sizes on different
platforms, which actually caused some warnings to be generated.

10 years agoFix a few more issues found by Coverity.
Guus Sliepen [Tue, 6 May 2014 20:34:06 +0000 (22:34 +0200)]
Fix a few more issues found by Coverity.

10 years agoFix a few more issues found by Coverity.
Guus Sliepen [Tue, 6 May 2014 20:12:47 +0000 (22:12 +0200)]
Fix a few more issues found by Coverity.

10 years agoFix warnings found by GCC 4.9.
Guus Sliepen [Tue, 6 May 2014 19:40:25 +0000 (21:40 +0200)]
Fix warnings found by GCC 4.9.

Too many arguments for format string in a few error messages.

10 years agoFix issues found by Coverity.
Guus Sliepen [Tue, 6 May 2014 19:34:26 +0000 (21:34 +0200)]
Fix issues found by Coverity.

Most of the problems found were resource leaks in error paths, some NULL
pointer dereferences that do not happen in practice, and a few other issues.
They have all been fixed now anyway.

10 years agoNexthop calculation should always use the shortest path.
Guus Sliepen [Tue, 6 May 2014 10:39:59 +0000 (12:39 +0200)]
Nexthop calculation should always use the shortest path.

When tinc runs the graph algorithms and updates the nexthop and via pointers,
it uses a breadth-first search, but it can sometimes revisit nodes that have
already been visited if the previous path is marked as being indirect, and
there is a longer path that is "direct". The via pointer should be updated in
this case, because this points to the closest hop to the destination that can
be reached directly. However, the nexthop pointer should not be updated.

This fixes a bug where there could potentially be a routing loop if a node in
the graph has an edge with the indirect flag set, and some other edge without
that flag, the indirect edge is part of the minimum spanning tree, and a
broadcast packet is being sent.

10 years agoCheck RAND_bytes() return value, fail when getting random fails.
Steffan Karger [Tue, 29 Apr 2014 20:03:43 +0000 (22:03 +0200)]
Check RAND_bytes() return value, fail when getting random fails.

When RAND_bytes() does not return success, the buffer contents cannot be
used. This patch makes sure the return code is checked, and the connection
fails when keys or challenges cannot be trusted.

Signed-off-by: Steffan Karger <steffan@karger.me>
10 years agoUse cryptographically strong random when generating keys.
Steffan Karger [Tue, 29 Apr 2014 18:28:05 +0000 (20:28 +0200)]
Use cryptographically strong random when generating keys.

From the OpenSSL manual:

"Byte sequences generated by RAND_pseudo_bytes() will be unique
if they are of sufficient length, but are not necessarily unpredictable."

So, replace these call with RAND_bytes() to get cryptographically strong
key material.

Signed-off-by: Steffan Karger <steffan@karger.me>
10 years agoUse constant time memcmp() when comparing packet HMACs.
Steffan Karger [Tue, 29 Apr 2014 20:13:03 +0000 (22:13 +0200)]
Use constant time memcmp() when comparing packet HMACs.

This eliminates a timing side channel vulnerability, which could
potentially allow an attacker to compute a valid HMAC, and insert arbitrary
ciphertext data into the connection. If an attacker also identifies packets
with a plaintext it can guess (e.g. small packets every 1s are probably
pings), the attacker can xor the ciphertext to mangle the packet to
arbitrary plaintext. Although this type of attack is rarely seen in the
wild, it is generally considered technically viable.

Signed-off-by: Steffan Karger <steffan@karger.me>
10 years agofix documentation typo
Loic Dachary [Tue, 29 Apr 2014 14:49:09 +0000 (16:49 +0200)]
fix documentation typo

Signed-off-by: Loic Dachary <loic@dachary.org>
10 years agoAdd an autoconf check for res_init().
Guus Sliepen [Fri, 25 Apr 2014 15:12:07 +0000 (17:12 +0200)]
Add an autoconf check for res_init().

10 years agoreload /etc/resolv.conf in SIGALRM handler
Armin Fisslthaler [Fri, 25 Apr 2014 12:44:06 +0000 (14:44 +0200)]
reload /etc/resolv.conf in SIGALRM handler

10 years agoMerge pull request #14 from luckyhacky/master
Guus Sliepen [Wed, 9 Apr 2014 14:31:52 +0000 (16:31 +0200)]
Merge pull request #14 from luckyhacky/master

Updated android build instruction

10 years agoupdate to openssl version 1.0.1g due to lack of heartbleed bug in prior version of...
luckyhacky [Tue, 8 Apr 2014 21:02:57 +0000 (23:02 +0200)]
update to openssl version 1.0.1g due to lack of heartbleed bug in prior version of openssl

10 years agoRemove useless variable 'hard' from try_harder().
Guus Sliepen [Mon, 7 Apr 2014 19:45:12 +0000 (21:45 +0200)]
Remove useless variable 'hard' from try_harder().

10 years agoUpdate android build instructions. Disable PIE as this is not supported on some devices. 1.0.23-android-1
Vilbrekin [Tue, 11 Mar 2014 22:03:43 +0000 (23:03 +0100)]
Update android build instructions. Disable PIE as this is not supported on some devices.

10 years agoHandle errors from TAP-Win32/64 adapter in a better way.
Guus Sliepen [Fri, 7 Feb 2014 15:34:08 +0000 (16:34 +0100)]
Handle errors from TAP-Win32/64 adapter in a better way.

Before, the tapreader thread would just exit immediately after encountering the
first error, without notifying the main thread. Now, the tapreader thead never
exits itself, but tells the main thread to stop when more than ten errors are
encountered in a row.

10 years agoAttribution for various contributors.
Guus Sliepen [Fri, 7 Feb 2014 18:48:11 +0000 (19:48 +0100)]
Attribution for various contributors.

10 years agoClarify StrictSubnets.
Guus Sliepen [Thu, 16 Jan 2014 13:02:56 +0000 (14:02 +0100)]
Clarify StrictSubnets.

10 years agoRemove or lower the priority of some debug messages.
Guus Sliepen [Fri, 27 Dec 2013 11:14:58 +0000 (12:14 +0100)]
Remove or lower the priority of some debug messages.

10 years agoAdding some documentation around the /etc/tinc/$NET/conf.d directory.
Florent Clairambault [Thu, 26 Dec 2013 22:21:33 +0000 (23:21 +0100)]
Adding some documentation around the /etc/tinc/$NET/conf.d directory.

10 years agoAdding "conf.d" configuration dir support.
Florent Clairambault [Thu, 26 Dec 2013 22:05:17 +0000 (23:05 +0100)]
Adding "conf.d" configuration dir support.

Any file matching the pattern /etc/tinc/$NETWORK/conf.d/$NAME.conf will be parsed after the tinc.conf file.

10 years agoDon't enable -fstack-protector-all.
Guus Sliepen [Tue, 10 Dec 2013 16:02:52 +0000 (17:02 +0100)]
Don't enable -fstack-protector-all.

It is not supported on all architectures and is problematic on some
platforms.

10 years agoFix incorrectly merged bits from 80cd2ff73071941a5356555b85a00ee90dfd0e16.
Guus Sliepen [Tue, 10 Dec 2013 16:00:16 +0000 (17:00 +0100)]
Fix incorrectly merged bits from 80cd2ff73071941a5356555b85a00ee90dfd0e16.

10 years agoUse hardcoded value for TUNNEWPPA if net/if_tun.h is missing on Solaris.
Guus Sliepen [Sat, 7 Dec 2013 21:54:02 +0000 (22:54 +0100)]
Use hardcoded value for TUNNEWPPA if net/if_tun.h is missing on Solaris.

Conflicts:
src/solaris/device.c

10 years agoStricter check for raw socket support.
Guus Sliepen [Sat, 7 Dec 2013 21:20:10 +0000 (22:20 +0100)]
Stricter check for raw socket support.

10 years agoInclude <limits.h> for PATH_MAX.
Guus Sliepen [Sat, 7 Dec 2013 21:19:39 +0000 (22:19 +0100)]
Include <limits.h> for PATH_MAX.

10 years agoUpdate support for Solaris.
Guus Sliepen [Sat, 7 Dec 2013 20:52:41 +0000 (21:52 +0100)]
Update support for Solaris.

Adds support for the latest TAP driver from
http://www.whiteboard.ne.jp/~admin2/tuntap/, so tinc now also works in switch
mode on Solaris 11.

Conflicts:
src/solaris/device.c

10 years agoEnable compiler hardening flags by default.
Guus Sliepen [Tue, 10 Dec 2013 09:17:05 +0000 (10:17 +0100)]
Enable compiler hardening flags by default.

Check whether the compiler supports hardening flags and enable them unless
--disable-hardening is specified.

10 years agoIf no Port is specified, set myport to actual port of first listening socket.
Guus Sliepen [Thu, 5 Dec 2013 13:30:41 +0000 (14:30 +0100)]
If no Port is specified, set myport to actual port of first listening socket.

If the Port statement is not used, there are two other ways to let tinc listen
on a non-default port: either by specifying one or more BindToAddress
statements including port numbers, or by starting it from systemd with socket
activation. Tinc announces its own port to other nodes, but before it only
announced what was set using the Port statement.

10 years agoMention in the manual that multiple Address staments are allowed.
Guus Sliepen [Thu, 5 Dec 2013 13:30:00 +0000 (14:30 +0100)]
Mention in the manual that multiple Address staments are allowed.

11 years agoReleasing 1.0.23. release-1.0.23
Guus Sliepen [Sat, 19 Oct 2013 15:35:20 +0000 (17:35 +0200)]
Releasing 1.0.23.

11 years agoClean up child processes from proxy type exec.
Guus Sliepen [Fri, 18 Oct 2013 15:05:35 +0000 (17:05 +0200)]
Clean up child processes from proxy type exec.

11 years agoAdd description of IffOneQueue and MaxTimeout to the info manual.
Guus Sliepen [Sun, 6 Oct 2013 13:32:55 +0000 (15:32 +0200)]
Add description of IffOneQueue and MaxTimeout to the info manual.

11 years agoGet rid of the splay tree implementation.
Guus Sliepen [Sun, 29 Sep 2013 16:16:36 +0000 (18:16 +0200)]
Get rid of the splay tree implementation.

This is used in the 1.1 branch but not in 1.0.x.

11 years agoModernize the build system.
Guus Sliepen [Sun, 29 Sep 2013 16:06:13 +0000 (18:06 +0200)]
Modernize the build system.

Recent versions of autoconf and automake were giving a lot of warnings. This is
sort of a backport of similar build system changes from the 1.1 banch:

- Fix all autoconf/automake warnings.
- Merge lib/ into src/.
- Don't use symlinks for device.c any more, but use automake conditionals.
- Use explicit paths to local header files.
- Get rid of alloca.c/malloc.c/memcmp.c/realloc.c.

11 years agoFix typos in the documentation.
Guus Sliepen [Fri, 27 Sep 2013 08:43:56 +0000 (10:43 +0200)]
Fix typos in the documentation.

Thanks to Thomas Sattler for finding and reporting them.

11 years agoFix segfault when Name = $HOST but $HOST is not set.
Guus Sliepen [Fri, 27 Sep 2013 07:43:39 +0000 (09:43 +0200)]
Fix segfault when Name = $HOST but $HOST is not set.

11 years agoDon't send PING requests on connections which are not active yet.
Guus Sliepen [Wed, 25 Sep 2013 19:24:05 +0000 (21:24 +0200)]
Don't send PING requests on connections which are not active yet.

This happened when sending an ALRM signal to a running tincd, which caused it
to send PING requests on any connection, regardless of its status.

11 years agoCheck for writability when waiting for a socket to finish connecting.
Guus Sliepen [Sun, 1 Sep 2013 09:43:10 +0000 (11:43 +0200)]
Check for writability when waiting for a socket to finish connecting.

This causes daemons that make an outgoing connection to immediately send the ID
message (or proxy handshake), as intended.

11 years agoReleasing 1.0.22. release-1.0.22
Guus Sliepen [Tue, 13 Aug 2013 20:05:08 +0000 (22:05 +0200)]
Releasing 1.0.22.

11 years agoUpdate copyright notices.
Guus Sliepen [Tue, 13 Aug 2013 18:53:05 +0000 (20:53 +0200)]
Update copyright notices.

11 years agoDon't echo broadcast packets back when Broadcast = direct.
Guus Sliepen [Thu, 8 Aug 2013 15:40:43 +0000 (17:40 +0200)]
Don't echo broadcast packets back when Broadcast = direct.

11 years agoDon't use vasprintf() anymore on Windows.
Guus Sliepen [Wed, 17 Jul 2013 16:08:58 +0000 (18:08 +0200)]
Don't use vasprintf() anymore on Windows.

Windows doesn't actually support it, but MinGW provides it. However, with some versions of
MinGW it doesn't work correctly. Instead, we vsnprintf() to a local buffer and xstrdup() the
results.

11 years agoFix combination of Mode = router and DeviceType = tap on Linux.
Etienne Dechamps [Sat, 13 Jul 2013 22:34:42 +0000 (23:34 +0100)]
Fix combination of Mode = router and DeviceType = tap on Linux.

I believe I have found a bug in tinc on Linux when it is used with
Mode = router and DeviceType = tap. This combination is useful because
it allows global broadcast packets to be used in router mode. However,
when tinc receives a packet in this situation, it needs to make sure its
destination MAC address matches the address of the TAP adapter, which is
typically not the case since the sending node doesn't know the MAC
address of the recipient. Unfortunately, this is not the case on Linux,
which breaks connectivity.

11 years agoSet $NAME when calling host-up/down and subnet-up/down scripts.
Guus Sliepen [Fri, 5 Jul 2013 18:51:27 +0000 (20:51 +0200)]
Set $NAME when calling host-up/down and subnet-up/down scripts.

11 years agoFix a typo.
Guus Sliepen [Sat, 8 Jun 2013 11:44:29 +0000 (13:44 +0200)]
Fix a typo.

11 years agoBetter optional argument handling.
Guus Sliepen [Thu, 30 May 2013 14:43:20 +0000 (16:43 +0200)]
Better optional argument handling.

Some options can take an optional argument. However, in this case GNU getopt
requires that the optional argument is right next to the option without
whitespace inbetween. If there is whitespace, getopt will treat it as a
non-option argument, but tinc ignored those without a warning. Now tinc will
allow optional arguments with whitespace inbetween, and will give an error when
it encounters any other non-option arguments.

11 years agoReleasing 1.0.21. release-1.0.21
Guus Sliepen [Mon, 22 Apr 2013 12:12:07 +0000 (14:12 +0200)]
Releasing 1.0.21.

11 years agoDrop packets forwarded via TCP if they are too big (CVE-2013-1428).
Guus Sliepen [Fri, 12 Apr 2013 15:15:05 +0000 (17:15 +0200)]
Drop packets forwarded via TCP if they are too big (CVE-2013-1428).

Normally all requests sent via the meta connections are checked so that they
cannot be larger than the input buffer. However, when packets are forwarded via
meta connections, they are copied into a packet buffer without checking whether
it fits into it. Since the packet buffer is allocated on the stack, this in
effect allows an authenticated remote node to cause a stack overflow.

This issue was found by Martin Schobert.

11 years agoReleasing 1.0.20. release-1.0.20
Guus Sliepen [Sun, 3 Mar 2013 20:06:25 +0000 (21:06 +0100)]
Releasing 1.0.20.

11 years agoFix detection of rejected SOCKS5 proxy requests.
Guus Sliepen [Sun, 3 Mar 2013 19:51:36 +0000 (20:51 +0100)]
Fix detection of rejected SOCKS5 proxy requests.

11 years agoFix compiler warnings on Windows.
Guus Sliepen [Sun, 3 Mar 2013 19:44:18 +0000 (20:44 +0100)]
Fix compiler warnings on Windows.

11 years agoDon't send proxy requests for incoming connections.
Guus Sliepen [Thu, 7 Feb 2013 13:23:31 +0000 (14:23 +0100)]
Don't send proxy requests for incoming connections.

11 years agoFix segmentation fault when trying to connect via a SOCKS5 proxy.
Guus Sliepen [Wed, 6 Feb 2013 13:34:39 +0000 (14:34 +0100)]
Fix segmentation fault when trying to connect via a SOCKS5 proxy.

11 years agoFix a compiler warning.
Guus Sliepen [Thu, 31 Jan 2013 15:03:24 +0000 (16:03 +0100)]
Fix a compiler warning.

11 years agoDetect increases in PMTU.
Guus Sliepen [Thu, 31 Jan 2013 14:58:33 +0000 (15:58 +0100)]
Detect increases in PMTU.

Tinc never restarts PMTU discovery unless a node becomes unreachable. However,
it can be that the PMTU was very low during the initial discovery, but has
increased later. To detect this, tinc now tries to send an extra packet every
PingInterval, with a size slightly higher than the currently known PMTU. If
this packet is succesfully received back, we partially restart PMTU discovery
to find out the new maximum.

11 years agoMake sure PriorityInheritance also works in switch mode.
Guus Sliepen [Sun, 20 Jan 2013 14:16:13 +0000 (15:16 +0100)]
Make sure PriorityInheritance also works in switch mode.

11 years agoFix support for tunemu on iOS devices.
Guus Sliepen [Sun, 16 Dec 2012 14:36:06 +0000 (15:36 +0100)]
Fix support for tunemu on iOS devices.

The actual code was fine but the #ifdefs tested for the wrong preprocessor
variable.

12 years agoRemove text saying you must have one of PrivateKey or PrivateKeyFile in tinc.conf.
Guus Sliepen [Wed, 14 Nov 2012 09:44:35 +0000 (10:44 +0100)]
Remove text saying you must have one of PrivateKey or PrivateKeyFile in tinc.conf.

12 years agoSend broadcast packets using a random socket, and properly support IPv6.
Guus Sliepen [Tue, 13 Nov 2012 14:05:41 +0000 (15:05 +0100)]
Send broadcast packets using a random socket, and properly support IPv6.

Before it would always use the first socket, and always send an IPv4 broadcast packet. That
works fine in a lot of situations, but it is better to try all sockets, and to send IPv6 packets
on IPv6 sockets. This is especially important for users that are on IPv6-only networks or that
have multiple physical network interfaces, although in the latter case it probably requires
them to use the ListenAddress variable to create a separate socket for each interface.

Conflicts:
src/net_packet.c