2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2021 Guus Sliepen <guus@tinc-vpn.org>
5 2010 Timothy Redaelli <timothy@redaelli.eu>
6 2010 Brandon Black <blblack@gmail.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
40 #include "address_cache.h"
43 #include "connection.h"
44 #include "compression.h"
58 /* The minimum size of a probe is 14 bytes, but since we normally use CBC mode
59 encryption, we can add a few extra random bytes without increasing the
60 resulting packet size. */
61 #define MIN_PROBE_SIZE 18
65 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
68 #ifdef HAVE_LZ4_BUILTIN
69 static LZ4_stream_t lz4_stream;
71 static void *lz4_state = NULL;
72 #endif /* HAVE_LZ4_BUILTIN */
74 static void send_udppacket(node_t *, vpn_packet_t *);
76 unsigned replaywin = 32;
77 bool localdiscovery = true;
78 bool udp_discovery = true;
79 int udp_discovery_keepalive_interval = 10;
80 int udp_discovery_interval = 2;
81 int udp_discovery_timeout = 30;
83 #define MAX_SEQNO 1073741824
85 static void try_fix_mtu(node_t *n) {
86 if(n->mtuprobes < 0) {
90 if(n->mtuprobes == 20 || n->minmtu >= n->maxmtu) {
91 if(n->minmtu > n->maxmtu) {
92 n->minmtu = n->maxmtu;
94 n->maxmtu = n->minmtu;
98 logger(DEBUG_TRAFFIC, LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
103 static void udp_probe_timeout_handler(void *data) {
106 if(!n->status.udp_confirmed) {
110 logger(DEBUG_TRAFFIC, LOG_INFO, "Too much time has elapsed since last UDP ping response from %s (%s), stopping UDP communication", n->name, n->hostname);
111 n->status.udp_confirmed = false;
112 n->udp_ping_rtt = -1;
119 static void send_udp_probe_reply(node_t *n, vpn_packet_t *packet, length_t len) {
120 if(!n->status.sptps && !n->status.validkey) {
121 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP probe reply to %s (%s) but we don't have his key yet", n->name, n->hostname);
125 /* Type 2 probe replies were introduced in protocol 17.3 */
126 if((n->options >> 24) >= 3) {
128 uint16_t len16 = htons(len);
129 memcpy(DATA(packet) + 1, &len16, 2);
130 packet->len = MIN_PROBE_SIZE;
131 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending type 2 probe reply length %u to %s (%s)", len, n->name, n->hostname);
134 /* Legacy protocol: n won't understand type 2 probe replies. */
136 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending type 1 probe reply length %u to %s (%s)", len, n->name, n->hostname);
139 /* Temporarily set udp_confirmed, so that the reply is sent
140 back exactly the way it came in. */
142 bool udp_confirmed = n->status.udp_confirmed;
143 n->status.udp_confirmed = true;
144 send_udppacket(n, packet);
145 n->status.udp_confirmed = udp_confirmed;
148 static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
149 if(!DATA(packet)[0]) {
150 logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request %d from %s (%s)", packet->len, n->name, n->hostname);
151 send_udp_probe_reply(n, packet, len);
155 if(DATA(packet)[0] == 2) {
156 // It's a type 2 probe reply, use the length field inside the packet
158 memcpy(&len16, DATA(packet) + 1, 2);
162 if(n->status.ping_sent) { // a probe in flight
163 gettimeofday(&now, NULL);
165 timersub(&now, &n->udp_ping_sent, &rtt);
166 n->udp_ping_rtt = (int)(rtt.tv_sec * 1000000 + rtt.tv_usec);
167 n->status.ping_sent = false;
168 logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s) rtt=%d.%03d", DATA(packet)[0], len, n->name, n->hostname, n->udp_ping_rtt / 1000, n->udp_ping_rtt % 1000);
170 logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], len, n->name, n->hostname);
173 /* It's a valid reply: now we know bidirectional communication
174 is possible using the address and socket that the reply
176 if(!n->status.udp_confirmed) {
177 n->status.udp_confirmed = true;
179 if(!n->address_cache) {
180 n->address_cache = open_address_cache(n);
183 reset_address_cache(n->address_cache, &n->address);
186 // Reset the UDP ping timer.
189 timeout_del(&n->udp_ping_timeout);
190 timeout_add(&n->udp_ping_timeout, &udp_probe_timeout_handler, n, &(struct timeval) {
191 udp_discovery_timeout, 0
195 if(len > n->maxmtu) {
196 logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
199 /* Set mtuprobes to 1 so that try_mtu() doesn't reset maxmtu */
202 } else if(n->mtuprobes < 0 && len == n->maxmtu) {
203 /* We got a maxmtu sized packet, confirming the PMTU is still valid. */
205 n->mtu_ping_sent = now;
208 /* If applicable, raise the minimum supported MTU */
210 if(n->minmtu < len) {
217 static length_t compress_packet_lz4(uint8_t *dest, const uint8_t *source, length_t len) {
218 #ifdef HAVE_LZ4_BUILTIN
219 return LZ4_compress_fast_extState(&lz4_stream, (const char *) source, (char *) dest, len, MAXSIZE, 0);
222 /* @FIXME: Put this in a better place, and free() it too. */
223 if(lz4_state == NULL) {
224 lz4_state = malloc(LZ4_sizeofState());
227 if(lz4_state == NULL) {
228 logger(DEBUG_ALWAYS, LOG_ERR, "Failed to allocate lz4_state, error: %i", errno);
232 return LZ4_compress_fast_extState(lz4_state, (const char *) source, (char *) dest, len, MAXSIZE, 0);
233 #endif /* HAVE_LZ4_BUILTIN */
235 #endif /* HAVE_LZ4 */
238 static length_t compress_packet_lzo(uint8_t *dest, const uint8_t *source, length_t len, compression_level_t level) {
239 assert(level == COMPRESS_LZO_LO || level == COMPRESS_LZO_HI);
241 lzo_uint lzolen = MAXSIZE;
244 if(level == COMPRESS_LZO_HI) {
245 result = lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
246 } else { // level == COMPRESS_LZO_LO
247 result = lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
250 if(result == LZO_E_OK) {
258 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, compression_level_t level) {
263 return compress_packet_lz4(dest, source, len);
268 case COMPRESS_LZO_HI:
269 case COMPRESS_LZO_LO:
270 return compress_packet_lzo(dest, source, len, level);
274 case COMPRESS_ZLIB_9:
275 case COMPRESS_ZLIB_8:
276 case COMPRESS_ZLIB_7:
277 case COMPRESS_ZLIB_6:
278 case COMPRESS_ZLIB_5:
279 case COMPRESS_ZLIB_4:
280 case COMPRESS_ZLIB_3:
281 case COMPRESS_ZLIB_2:
282 case COMPRESS_ZLIB_1: {
283 unsigned long dest_len = MAXSIZE;
285 if(compress2(dest, &dest_len, source, len, level) == Z_OK) {
295 memcpy(dest, source, len);
303 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, compression_level_t level) {
308 return LZ4_decompress_safe((char *)source, (char *) dest, len, MAXSIZE);
313 case COMPRESS_LZO_HI:
314 case COMPRESS_LZO_LO: {
315 lzo_uint dst_len = MAXSIZE;
317 if(lzo1x_decompress_safe(source, len, dest, &dst_len, NULL) == LZO_E_OK) {
327 case COMPRESS_ZLIB_9:
328 case COMPRESS_ZLIB_8:
329 case COMPRESS_ZLIB_7:
330 case COMPRESS_ZLIB_6:
331 case COMPRESS_ZLIB_5:
332 case COMPRESS_ZLIB_4:
333 case COMPRESS_ZLIB_3:
334 case COMPRESS_ZLIB_2:
335 case COMPRESS_ZLIB_1: {
336 unsigned long destlen = MAXSIZE;
337 static z_stream stream;
340 inflateReset(&stream);
342 inflateInit(&stream);
345 stream.next_in = source;
346 stream.avail_in = len;
347 stream.next_out = dest;
348 stream.avail_out = destlen;
349 stream.total_out = 0;
351 if(inflate(&stream, Z_FINISH) == Z_STREAM_END) {
352 return stream.total_out;
361 memcpy(dest, source, len);
371 static void receive_packet(node_t *n, vpn_packet_t *packet) {
372 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
373 packet->len, n->name, n->hostname);
376 n->in_bytes += packet->len;
381 static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
382 if(n->status.sptps) {
383 return sptps_verify_datagram(&n->sptps, DATA(inpkt), inpkt->len);
386 #ifdef DISABLE_LEGACY
390 if(!n->status.validkey_in || !digest_active(n->indigest) || (size_t)inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) {
394 return digest_verify(n->indigest, inpkt->data, inpkt->len - digest_length(n->indigest), inpkt->data + inpkt->len - digest_length(n->indigest));
398 static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
399 if(n->status.sptps) {
400 if(!n->sptps.state) {
401 if(!n->status.waitingforkey) {
402 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but we haven't exchanged keys yet", n->name, n->hostname);
405 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
411 n->status.udppacket = true;
412 bool result = sptps_receive_data(&n->sptps, DATA(inpkt), inpkt->len);
413 n->status.udppacket = false;
416 /* Uh-oh. It might be that the tunnel is stuck in some corrupted state,
417 so let's restart SPTPS in case that helps. But don't do that too often
418 to prevent storms, and because that would make life a little too easy
419 for external attackers trying to DoS us. */
420 if(n->last_req_key < now.tv_sec - 10) {
421 logger(DEBUG_PROTOCOL, LOG_ERR, "Failed to decode raw TCP packet from %s (%s), restarting SPTPS", n->name, n->hostname);
431 #ifdef DISABLE_LEGACY
434 vpn_packet_t pkt1, pkt2;
435 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
438 pkt1.offset = DEFAULT_PACKET_OFFSET;
439 pkt2.offset = DEFAULT_PACKET_OFFSET;
441 if(!n->status.validkey_in) {
442 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
446 /* Check packet length */
448 if((size_t)inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) {
449 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
450 n->name, n->hostname);
454 /* It's a legacy UDP packet, the data starts after the seqno */
456 inpkt->offset += sizeof(seqno_t);
458 /* Check the message authentication code */
460 if(digest_active(n->indigest)) {
461 inpkt->len -= digest_length(n->indigest);
463 if(!digest_verify(n->indigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
464 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
469 /* Decrypt the packet */
471 if(cipher_active(n->incipher)) {
472 vpn_packet_t *outpkt = pkt[nextpkt++];
475 if(!cipher_decrypt(n->incipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
476 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
480 outpkt->len = outlen;
484 /* Check the sequence number */
487 memcpy(&seqno, SEQNO(inpkt), sizeof(seqno));
488 seqno = ntohl(seqno);
489 inpkt->len -= sizeof(seqno);
492 if(seqno != n->received_seqno + 1) {
493 if(seqno >= n->received_seqno + replaywin * 8) {
494 if(n->farfuture++ < replaywin >> 2) {
495 logger(DEBUG_TRAFFIC, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
496 n->name, n->hostname, seqno - n->received_seqno - 1, n->farfuture);
500 logger(DEBUG_TRAFFIC, LOG_WARNING, "Lost %d packets from %s (%s)",
501 seqno - n->received_seqno - 1, n->name, n->hostname);
502 memset(n->late, 0, replaywin);
503 } else if(seqno <= n->received_seqno) {
504 if((n->received_seqno >= replaywin * 8 && seqno <= n->received_seqno - replaywin * 8) || !(n->late[(seqno / 8) % replaywin] & (1 << seqno % 8))) {
505 logger(DEBUG_TRAFFIC, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
506 n->name, n->hostname, seqno, n->received_seqno);
510 for(seqno_t i = n->received_seqno + 1; i < seqno; i++) {
511 n->late[(i / 8) % replaywin] |= 1 << i % 8;
517 n->late[(seqno / 8) % replaywin] &= ~(1 << seqno % 8);
520 if(seqno > n->received_seqno) {
521 n->received_seqno = seqno;
526 if(n->received_seqno > MAX_SEQNO) {
530 /* Decompress the packet */
532 length_t origlen = inpkt->len;
534 if(n->incompression != COMPRESS_NONE) {
535 vpn_packet_t *outpkt = pkt[nextpkt++];
537 if(!(outpkt->len = uncompress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->incompression))) {
538 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)",
539 n->name, n->hostname);
545 if(origlen > MTU / 64 + 20) {
546 origlen -= MTU / 64 + 20;
552 if(inpkt->len > n->maxrecentlen) {
553 n->maxrecentlen = inpkt->len;
558 if(!DATA(inpkt)[12] && !DATA(inpkt)[13]) {
559 udp_probe_h(n, inpkt, origlen);
561 receive_packet(n, inpkt);
568 void receive_tcppacket(connection_t *c, const char *buffer, size_t len) {
570 outpkt.offset = DEFAULT_PACKET_OFFSET;
572 if(len > sizeof(outpkt.data) - outpkt.offset) {
578 if(c->options & OPTION_TCPONLY) {
581 outpkt.priority = -1;
584 memcpy(DATA(&outpkt), buffer, len);
586 receive_packet(c->node, &outpkt);
589 bool receive_tcppacket_sptps(connection_t *c, const char *data, size_t len) {
590 if(len < sizeof(node_id_t) + sizeof(node_id_t)) {
591 logger(DEBUG_PROTOCOL, LOG_ERR, "Got too short TCP SPTPS packet from %s (%s)", c->name, c->hostname);
595 node_t *to = lookup_node_id((node_id_t *)data);
596 data += sizeof(node_id_t);
597 len -= sizeof(node_id_t);
600 logger(DEBUG_PROTOCOL, LOG_ERR, "Got TCP SPTPS packet from %s (%s) with unknown destination ID", c->name, c->hostname);
604 node_t *from = lookup_node_id((node_id_t *)data);
605 data += sizeof(node_id_t);
606 len -= sizeof(node_id_t);
609 logger(DEBUG_PROTOCOL, LOG_ERR, "Got TCP SPTPS packet from %s (%s) with unknown source ID", c->name, c->hostname);
613 if(!to->status.reachable) {
614 /* This can happen in the form of a race condition
615 if the node just became unreachable. */
616 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot relay TCP packet from %s (%s) because the destination, %s (%s), is unreachable", from->name, from->hostname, to->name, to->hostname);
620 /* Help the sender reach us over UDP.
621 Note that we only do this if we're the destination or the static relay;
622 otherwise every hop would initiate its own UDP info message, resulting in elevated chatter. */
623 if(to->via == myself) {
624 send_udp_info(myself, from);
627 /* If we're not the final recipient, relay the packet. */
630 if(to->status.validkey) {
631 send_sptps_data(to, from, 0, data, len);
638 /* The packet is for us */
640 if(!sptps_receive_data(&from->sptps, data, len)) {
641 /* Uh-oh. It might be that the tunnel is stuck in some corrupted state,
642 so let's restart SPTPS in case that helps. But don't do that too often
643 to prevent storms. */
644 if(from->last_req_key < now.tv_sec - 10) {
645 logger(DEBUG_PROTOCOL, LOG_ERR, "Failed to decode raw TCP packet from %s (%s), restarting SPTPS", from->name, from->hostname);
652 send_mtu_info(myself, from, MTU);
656 static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
657 if(!n->status.validkey && !n->connection) {
664 if((!(DATA(origpkt)[12] | DATA(origpkt)[13])) && (n->sptps.outstate)) {
665 sptps_send_record(&n->sptps, PKT_PROBE, DATA(origpkt), origpkt->len);
669 if(routing_mode == RMODE_ROUTER) {
675 if(origpkt->len < offset) {
681 if(n->outcompression != COMPRESS_NONE) {
683 length_t len = compress_packet(DATA(&outpkt) + offset, DATA(origpkt) + offset, origpkt->len - offset, n->outcompression);
686 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
687 } else if(len < origpkt->len - offset) {
688 outpkt.len = len + offset;
690 type |= PKT_COMPRESSED;
694 /* If we have a direct metaconnection to n, and we can't use UDP, then
695 don't bother with SPTPS and just use a "plaintext" PACKET message.
696 We don't really care about end-to-end security since we're not
697 sending the message through any intermediate nodes. */
698 if(n->connection && origpkt->len > n->minmtu) {
699 send_tcppacket(n->connection, origpkt);
701 sptps_send_record(&n->sptps, type, DATA(origpkt) + offset, origpkt->len - offset);
705 static void adapt_socket(const sockaddr_t *sa, size_t *sock) {
706 /* Make sure we have a suitable socket for the chosen address */
707 if(listen_socket[*sock].sa.sa.sa_family != sa->sa.sa_family) {
708 for(int i = 0; i < listen_sockets; i++) {
709 if(listen_socket[i].sa.sa.sa_family == sa->sa.sa_family) {
717 static void choose_udp_address(const node_t *n, const sockaddr_t **sa, size_t *sock) {
722 /* If the UDP address is confirmed, use it. */
723 if(n->status.udp_confirmed) {
727 /* Send every third packet to n->address; that could be set
728 to the node's reflexive UDP address discovered during key
738 /* Otherwise, address are found in edges to this node.
739 So we pick a random edge and a random socket. */
742 unsigned int j = rand() % n->edge_tree.count;
743 edge_t *candidate = NULL;
745 for splay_each(edge_t, e, &n->edge_tree) {
747 candidate = e->reverse;
753 *sa = &candidate->address;
754 *sock = rand() % listen_sockets;
757 adapt_socket(*sa, sock);
760 static void choose_local_address(const node_t *n, const sockaddr_t **sa, size_t *sock) {
763 /* Pick one of the edges from this node at random, then use its local address. */
766 unsigned int j = rand() % n->edge_tree.count;
767 edge_t *candidate = NULL;
769 for splay_each(edge_t, e, &n->edge_tree) {
776 if(candidate && candidate->local_address.sa.sa_family) {
777 *sa = &candidate->local_address;
778 *sock = rand() % listen_sockets;
779 adapt_socket(*sa, sock);
783 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
784 if(!n->status.reachable) {
785 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
789 if(n->status.sptps) {
790 send_sptps_packet(n, origpkt);
794 #ifdef DISABLE_LEGACY
797 vpn_packet_t pkt1, pkt2;
798 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
799 vpn_packet_t *inpkt = origpkt;
801 vpn_packet_t *outpkt;
802 int origlen = origpkt->len;
804 int origpriority = origpkt->priority;
806 pkt1.offset = DEFAULT_PACKET_OFFSET;
807 pkt2.offset = DEFAULT_PACKET_OFFSET;
809 /* Make sure we have a valid key */
811 if(!n->status.validkey) {
812 logger(DEBUG_TRAFFIC, LOG_INFO,
813 "No valid key known yet for %s (%s), forwarding via TCP",
814 n->name, n->hostname);
815 send_tcppacket(n->nexthop->connection, origpkt);
819 if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (DATA(inpkt)[12] | DATA(inpkt)[13])) {
820 logger(DEBUG_TRAFFIC, LOG_INFO,
821 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
822 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
824 if(n != n->nexthop) {
825 send_packet(n->nexthop, origpkt);
827 send_tcppacket(n->nexthop->connection, origpkt);
833 /* Compress the packet */
835 if(n->outcompression != COMPRESS_NONE) {
836 outpkt = pkt[nextpkt++];
838 if(!(outpkt->len = compress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->outcompression))) {
839 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)",
840 n->name, n->hostname);
847 /* Add sequence number */
849 seqno_t seqno = htonl(++(n->sent_seqno));
850 memcpy(SEQNO(inpkt), &seqno, sizeof(seqno));
851 inpkt->len += sizeof(seqno);
853 /* Encrypt the packet */
855 if(cipher_active(n->outcipher)) {
856 outpkt = pkt[nextpkt++];
859 if(!cipher_encrypt(n->outcipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
860 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
864 outpkt->len = outlen;
868 /* Add the message authentication code */
870 if(digest_active(n->outdigest)) {
871 if(!digest_create(n->outdigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
872 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
876 inpkt->len += digest_length(n->outdigest);
879 /* Send the packet */
881 const sockaddr_t *sa = NULL;
884 if(n->status.send_locally) {
885 choose_local_address(n, &sa, &sock);
889 choose_udp_address(n, &sa, &sock);
892 if(priorityinheritance && origpriority != listen_socket[sock].priority) {
893 listen_socket[sock].priority = origpriority;
895 switch(sa->sa.sa_family) {
899 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting IPv4 outgoing packet priority to %d", origpriority);
901 if(setsockopt(listen_socket[sock].udp.fd, IPPROTO_IP, IP_TOS, (void *)&origpriority, sizeof(origpriority))) { /* SO_PRIORITY doesn't seem to work */
902 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
907 #if defined(IPV6_TCLASS)
910 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting IPv6 outgoing packet priority to %d", origpriority);
912 if(setsockopt(listen_socket[sock].udp.fd, IPPROTO_IPV6, IPV6_TCLASS, (void *)&origpriority, sizeof(origpriority))) { /* SO_PRIORITY doesn't seem to work */
913 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
924 if(sendto(listen_socket[sock].udp.fd, (void *)SEQNO(inpkt), inpkt->len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
925 if(sockmsgsize(sockerrno)) {
926 if(n->maxmtu >= origlen) {
927 n->maxmtu = origlen - 1;
930 if(n->mtu >= origlen) {
931 n->mtu = origlen - 1;
936 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
941 origpkt->len = origlen;
945 bool send_sptps_data(node_t *to, node_t *from, int type, const void *data, size_t len) {
946 node_t *relay = (to->via != myself && (type == PKT_PROBE || (len - SPTPS_DATAGRAM_OVERHEAD) <= to->via->minmtu)) ? to->via : to->nexthop;
947 bool direct = from == myself && to == relay;
948 bool relay_supported = (relay->options >> 24) >= 4;
949 bool tcponly = (myself->options | relay->options) & OPTION_TCPONLY;
951 /* Send it via TCP if it is a handshake packet, TCPOnly is in use, this is a relay packet that the other node cannot understand, or this packet is larger than the MTU. */
953 if(type == SPTPS_HANDSHAKE || tcponly || (!direct && !relay_supported) || (type != PKT_PROBE && (len - SPTPS_DATAGRAM_OVERHEAD) > relay->minmtu)) {
954 if(type != SPTPS_HANDSHAKE && (to->nexthop->connection->options >> 24) >= 7) {
955 uint8_t buf[len + sizeof(to->id) + sizeof(from->id)];
956 uint8_t *buf_ptr = buf;
957 memcpy(buf_ptr, &to->id, sizeof(to->id));
958 buf_ptr += sizeof(to->id);
959 memcpy(buf_ptr, &from->id, sizeof(from->id));
960 buf_ptr += sizeof(from->id);
961 memcpy(buf_ptr, data, len);
962 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s) (TCP)", from->name, from->hostname, to->name, to->hostname, to->nexthop->name, to->nexthop->hostname);
963 return send_sptps_tcppacket(to->nexthop->connection, buf, sizeof(buf));
966 char buf[B64_SIZE(len)];
967 b64encode_tinc(data, buf, len);
969 /* If this is a handshake packet, use ANS_KEY instead of REQ_KEY, for two reasons:
970 - We don't want intermediate nodes to switch to UDP to relay these packets;
971 - ANS_KEY allows us to learn the reflexive UDP address. */
972 if(type == SPTPS_HANDSHAKE) {
973 to->incompression = myself->incompression;
974 return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, from->name, to->name, buf, to->incompression);
976 return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, from->name, to->name, SPTPS_PACKET, buf);
982 if(relay_supported) {
983 overhead += sizeof(to->id) + sizeof(from->id);
986 uint8_t buf[len + overhead];
987 uint8_t *buf_ptr = buf;
989 if(relay_supported) {
991 /* Inform the recipient that this packet was sent directly. */
992 node_id_t nullid = {0};
993 memcpy(buf_ptr, &nullid, sizeof(nullid));
994 buf_ptr += sizeof(nullid);
996 memcpy(buf_ptr, &to->id, sizeof(to->id));
997 buf_ptr += sizeof(to->id);
1000 memcpy(buf_ptr, &from->id, sizeof(from->id));
1001 buf_ptr += sizeof(from->id);
1005 /* TODO: if this copy turns out to be a performance concern, change sptps_send_record() to add some "pre-padding" to the buffer and use that instead */
1006 memcpy(buf_ptr, data, len);
1009 const sockaddr_t *sa = NULL;
1012 if(relay->status.send_locally) {
1013 choose_local_address(relay, &sa, &sock);
1017 choose_udp_address(relay, &sa, &sock);
1020 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s) (UDP)", from->name, from->hostname, to->name, to->hostname, relay->name, relay->hostname);
1022 if(sendto(listen_socket[sock].udp.fd, buf, buf_ptr - buf, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
1023 if(sockmsgsize(sockerrno)) {
1024 // Compensate for SPTPS overhead
1025 len -= SPTPS_DATAGRAM_OVERHEAD;
1027 if(relay->maxmtu >= len) {
1028 relay->maxmtu = len - 1;
1031 if(relay->mtu >= len) {
1032 relay->mtu = len - 1;
1037 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", relay->name, relay->hostname, sockstrerror(sockerrno));
1045 bool receive_sptps_record(void *handle, uint8_t type, const void *data, uint16_t len) {
1046 node_t *from = handle;
1048 if(type == SPTPS_HANDSHAKE) {
1049 if(!from->status.validkey) {
1050 from->status.validkey = true;
1051 from->status.waitingforkey = false;
1052 logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) successful", from->name, from->hostname);
1059 logger(DEBUG_ALWAYS, LOG_ERR, "Packet from %s (%s) larger than maximum supported size (%d > %d)", from->name, from->hostname, len, MTU);
1064 inpkt.offset = DEFAULT_PACKET_OFFSET;
1067 if(type == PKT_PROBE) {
1068 if(!from->status.udppacket) {
1069 logger(DEBUG_ALWAYS, LOG_ERR, "Got SPTPS PROBE packet from %s (%s) via TCP", from->name, from->hostname);
1074 memcpy(DATA(&inpkt), data, len);
1076 if(inpkt.len > from->maxrecentlen) {
1077 from->maxrecentlen = inpkt.len;
1080 udp_probe_h(from, &inpkt, len);
1084 if(type & ~(PKT_COMPRESSED | PKT_MAC)) {
1085 logger(DEBUG_ALWAYS, LOG_ERR, "Unexpected SPTPS record type %d len %d from %s (%s)", type, len, from->name, from->hostname);
1089 /* Check if we have the headers we need */
1090 if(routing_mode != RMODE_ROUTER && !(type & PKT_MAC)) {
1091 logger(DEBUG_TRAFFIC, LOG_ERR, "Received packet from %s (%s) without MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
1093 } else if(routing_mode == RMODE_ROUTER && (type & PKT_MAC)) {
1094 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received packet from %s (%s) with MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
1097 int offset = (type & PKT_MAC) ? 0 : 14;
1099 if(type & PKT_COMPRESSED) {
1100 length_t ulen = uncompress_packet(DATA(&inpkt) + offset, (const uint8_t *)data, len, from->incompression);
1105 inpkt.len = ulen + offset;
1108 if(inpkt.len > MAXSIZE) {
1112 memcpy(DATA(&inpkt) + offset, data, len);
1113 inpkt.len = len + offset;
1116 /* Generate the Ethernet packet type if necessary */
1118 switch(DATA(&inpkt)[14] >> 4) {
1120 DATA(&inpkt)[12] = 0x08;
1121 DATA(&inpkt)[13] = 0x00;
1125 DATA(&inpkt)[12] = 0x86;
1126 DATA(&inpkt)[13] = 0xDD;
1130 logger(DEBUG_TRAFFIC, LOG_ERR,
1131 "Unknown IP version %d while reading packet from %s (%s)",
1132 DATA(&inpkt)[14] >> 4, from->name, from->hostname);
1137 if(from->status.udppacket && inpkt.len > from->maxrecentlen) {
1138 from->maxrecentlen = inpkt.len;
1141 receive_packet(from, &inpkt);
1145 // This function tries to get SPTPS keys, if they aren't already known.
1146 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if the keys are available.
1147 static void try_sptps(node_t *n) {
1148 if(n->status.validkey) {
1152 logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
1154 if(!n->status.waitingforkey) {
1156 } else if(n->last_req_key + 10 < now.tv_sec) {
1157 logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
1158 sptps_stop(&n->sptps);
1159 n->status.waitingforkey = false;
1166 static void send_udp_probe_packet(node_t *n, size_t len) {
1167 vpn_packet_t packet;
1169 if(len > sizeof(packet.data)) {
1170 logger(DEBUG_TRAFFIC, LOG_INFO, "Truncating probe length %zu to %s (%s)", len, n->name, n->hostname);
1171 len = sizeof(packet.data);
1174 packet.offset = DEFAULT_PACKET_OFFSET;
1175 memset(DATA(&packet), 0, 14);
1176 randomize(DATA(&packet) + 14, len - 14);
1178 packet.priority = 0;
1180 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending UDP probe length %zu to %s (%s)", len, n->name, n->hostname);
1182 send_udppacket(n, &packet);
1185 // This function tries to establish a UDP tunnel to a node so that packets can be sent.
1186 // If a tunnel is already established, it makes sure it stays up.
1187 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if UDP is usable.
1188 static void try_udp(node_t *n) {
1189 if(!udp_discovery) {
1193 /* Send gratuitous probe replies to 1.1 nodes. */
1195 if((n->options >> 24) >= 3 && n->status.udp_confirmed) {
1196 struct timeval ping_tx_elapsed;
1197 timersub(&now, &n->udp_reply_sent, &ping_tx_elapsed);
1199 if(ping_tx_elapsed.tv_sec >= udp_discovery_keepalive_interval - 1) {
1200 n->udp_reply_sent = now;
1202 if(n->maxrecentlen) {
1204 pkt.len = n->maxrecentlen;
1205 pkt.offset = DEFAULT_PACKET_OFFSET;
1206 memset(DATA(&pkt), 0, 14);
1207 randomize(DATA(&pkt) + 14, MIN_PROBE_SIZE - 14);
1208 send_udp_probe_reply(n, &pkt, pkt.len);
1209 n->maxrecentlen = 0;
1216 struct timeval ping_tx_elapsed;
1217 timersub(&now, &n->udp_ping_sent, &ping_tx_elapsed);
1219 int interval = n->status.udp_confirmed
1220 ? udp_discovery_keepalive_interval
1221 : udp_discovery_interval;
1223 if(ping_tx_elapsed.tv_sec >= interval) {
1224 gettimeofday(&now, NULL);
1225 n->udp_ping_sent = now; // a probe in flight
1226 n->status.ping_sent = true;
1227 send_udp_probe_packet(n, MIN_PROBE_SIZE);
1229 if(localdiscovery && !n->status.udp_confirmed && n->prevedge) {
1230 n->status.send_locally = true;
1231 send_udp_probe_packet(n, MIN_PROBE_SIZE);
1232 n->status.send_locally = false;
1237 static length_t choose_initial_maxmtu(node_t *n) {
1242 const sockaddr_t *sa = NULL;
1244 choose_udp_address(n, &sa, &sockindex);
1250 sock = socket(sa->sa.sa_family, SOCK_DGRAM, IPPROTO_UDP);
1253 logger(DEBUG_TRAFFIC, LOG_ERR, "Creating MTU assessment socket for %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
1257 if(connect(sock, &sa->sa, SALEN(sa->sa))) {
1258 logger(DEBUG_TRAFFIC, LOG_ERR, "Connecting MTU assessment socket for %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
1264 socklen_t ip_mtu_len = sizeof(ip_mtu);
1266 if(getsockopt(sock, IPPROTO_IP, IP_MTU, &ip_mtu, &ip_mtu_len)) {
1267 logger(DEBUG_TRAFFIC, LOG_ERR, "getsockopt(IP_MTU) on %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
1274 /* getsockopt(IP_MTU) returns the MTU of the physical interface.
1275 We need to remove various overheads to get to the tinc MTU. */
1276 length_t mtu = ip_mtu;
1277 mtu -= (sa->sa.sa_family == AF_INET6) ? sizeof(struct ip6_hdr) : sizeof(struct ip);
1280 if(n->status.sptps) {
1281 mtu -= SPTPS_DATAGRAM_OVERHEAD;
1283 if((n->options >> 24) >= 4) {
1284 mtu -= sizeof(node_id_t) + sizeof(node_id_t);
1287 #ifndef DISABLE_LEGACY
1289 mtu -= digest_length(n->outdigest);
1291 /* Now it's tricky. We use CBC mode, so the length of the
1292 encrypted payload must be a multiple of the blocksize. The
1293 sequence number is also part of the encrypted payload, so we
1294 must account for it after correcting for the blocksize.
1295 Furthermore, the padding in the last block must be at least
1298 length_t blocksize = cipher_blocksize(n->outcipher);
1311 logger(DEBUG_TRAFFIC, LOG_ERR, "getsockopt(IP_MTU) on %s (%s) returned absurdly small value: %d", n->name, n->hostname, ip_mtu);
1319 logger(DEBUG_TRAFFIC, LOG_INFO, "Using system-provided maximum tinc MTU for %s (%s): %hd", n->name, n->hostname, mtu);
1328 /* This function tries to determines the MTU of a node.
1329 By calling this function repeatedly, n->minmtu will be progressively
1330 increased, and at some point, n->mtu will be fixed to n->minmtu. If the MTU
1331 is already fixed, this function checks if it can be increased.
1334 static void try_mtu(node_t *n) {
1335 if(!(n->options & OPTION_PMTU_DISCOVERY)) {
1339 if(udp_discovery && !n->status.udp_confirmed) {
1340 n->maxrecentlen = 0;
1347 /* mtuprobes == 0..19: initial discovery, send bursts with 1 second interval, mtuprobes++
1348 mtuprobes == 20: fix MTU, and go to -1
1349 mtuprobes == -1: send one maxmtu and one maxmtu+1 probe every pinginterval
1350 mtuprobes ==-2..-3: send one maxmtu probe every second
1351 mtuprobes == -4: maxmtu no longer valid, reset minmtu and maxmtu and go to 0 */
1353 struct timeval elapsed;
1354 timersub(&now, &n->mtu_ping_sent, &elapsed);
1356 if(n->mtuprobes >= 0) {
1357 if(n->mtuprobes != 0 && elapsed.tv_sec == 0 && elapsed.tv_usec < 333333) {
1361 if(n->mtuprobes < -1) {
1362 if(elapsed.tv_sec < 1) {
1366 if(elapsed.tv_sec < pinginterval) {
1372 n->mtu_ping_sent = now;
1376 if(n->mtuprobes < -3) {
1377 /* We lost three MTU probes, restart discovery */
1378 logger(DEBUG_TRAFFIC, LOG_INFO, "Decrease in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
1383 if(n->mtuprobes < 0) {
1384 /* After the initial discovery, we only send one maxmtu and one
1385 maxmtu+1 probe to detect PMTU increases. */
1386 send_udp_probe_packet(n, n->maxmtu);
1388 if(n->mtuprobes == -1 && n->maxmtu + 1 < MTU) {
1389 send_udp_probe_packet(n, n->maxmtu + 1);
1394 /* Before initial discovery begins, set maxmtu to the most likely value.
1395 If it's underestimated, we will correct it after initial discovery. */
1396 if(n->mtuprobes == 0) {
1397 n->maxmtu = choose_initial_maxmtu(n);
1401 /* Decreasing the number of probes per cycle might make the algorithm react faster to lost packets,
1402 but it will typically increase convergence time in the no-loss case. */
1403 const length_t probes_per_cycle = 8;
1405 /* This magic value was determined using math simulations.
1406 It will result in a 1329-byte first probe, followed (if there was a reply) by a 1407-byte probe.
1407 Since 1407 is just below the range of tinc MTUs over typical networks,
1408 this fine-tuning allows tinc to cover a lot of ground very quickly.
1409 This fine-tuning is only valid for maxmtu = MTU; if maxmtu is smaller,
1410 then it's better to use a multiplier of 1. Indeed, this leads to an interesting scenario
1411 if choose_initial_maxmtu() returns the actual MTU value - it will get confirmed with one single probe. */
1412 const float multiplier = (n->maxmtu == MTU) ? 0.97f : 1.0f;
1414 const float cycle_position = (float) probes_per_cycle - (float)(n->mtuprobes % probes_per_cycle) - 1.0f;
1415 const length_t minmtu = MAX(n->minmtu, 512);
1416 const float interval = (float)(n->maxmtu - minmtu);
1418 length_t offset = 0;
1420 /* powf can be underflowed if n->maxmtu is less than 512 due to the minmtu MAX bound */
1422 /* The core of the discovery algorithm is this exponential.
1423 It produces very large probes early in the cycle, and then it very quickly decreases the probe size.
1424 This reflects the fact that in the most difficult cases, we don't get any feedback for probes that
1425 are too large, and therefore we need to concentrate on small offsets so that we can quickly converge
1426 on the precise MTU as we are approaching it.
1427 The last probe of the cycle is always 1 byte in size - this is to make sure we'll get at least one
1428 reply per cycle so that we can make progress. */
1429 offset = (length_t) powf(interval, multiplier * cycle_position / ((float) probes_per_cycle - 1.0f));
1432 length_t maxmtu = n->maxmtu;
1433 send_udp_probe_packet(n, minmtu + offset);
1435 /* If maxmtu changed, it means the probe was rejected by the system because it was too large.
1436 In that case, we recalculate with the new maxmtu and try again. */
1437 if(n->mtuprobes < 0 || maxmtu == n->maxmtu) {
1442 if(n->mtuprobes >= 0) {
1448 /* These functions try to establish a tunnel to a node (or its relay) so that
1449 packets can be sent (e.g. exchange keys).
1450 If a tunnel is already established, it tries to improve it (e.g. by trying
1451 to establish a UDP tunnel instead of TCP). This function makes no
1452 guarantees - it is up to the caller to check the node's state to figure out
1453 if TCP and/or UDP is usable. By calling this function repeatedly, the
1454 tunnel is gradually improved until we hit the wall imposed by the underlying
1455 network environment. It is recommended to call this function every time a
1456 packet is sent (or intended to be sent) to a node, so that the tunnel keeps
1457 improving as packets flow, and then gracefully downgrades itself as it goes
1461 static void try_tx_sptps(node_t *n, bool mtu) {
1462 /* If n is a TCP-only neighbor, we'll only use "cleartext" PACKET
1463 messages anyway, so there's no need for SPTPS at all. */
1465 if(n->connection && ((myself->options | n->options) & OPTION_TCPONLY)) {
1469 /* Otherwise, try to do SPTPS authentication with n if necessary. */
1473 /* Do we need to statically relay packets? */
1475 node_t *via = (n->via == myself) ? n->nexthop : n->via;
1477 /* If we do have a static relay, try everything with that one instead, if it supports relaying. */
1480 if((via->options >> 24) < 4) {
1488 /* Otherwise, try to establish UDP connectivity. */
1496 /* If we don't have UDP connectivity (yet), we need to use a dynamic relay (nexthop)
1497 while we try to establish direct connectivity. */
1499 if(!n->status.udp_confirmed && n != n->nexthop && (n->nexthop->options >> 24) >= 4) {
1500 try_tx(n->nexthop, mtu);
1504 static void try_tx_legacy(node_t *n, bool mtu) {
1505 /* Does he have our key? If not, send one. */
1507 if(!n->status.validkey_in) {
1511 /* Check if we already have a key, or request one. */
1513 if(!n->status.validkey) {
1514 if(n->last_req_key + 10 <= now.tv_sec) {
1516 n->last_req_key = now.tv_sec;
1529 void try_tx(node_t *n, bool mtu) {
1530 if(!n->status.reachable) {
1534 if(n->status.sptps) {
1535 try_tx_sptps(n, mtu);
1537 try_tx_legacy(n, mtu);
1541 void send_packet(node_t *n, vpn_packet_t *packet) {
1542 // If it's for myself, write it to the tun/tap device.
1546 memcpy(DATA(packet), mymac.x, ETH_ALEN);
1547 // Use an arbitrary fake source address.
1548 memcpy(DATA(packet) + ETH_ALEN, DATA(packet), ETH_ALEN);
1549 DATA(packet)[ETH_ALEN * 2 - 1] ^= 0xFF;
1553 n->out_bytes += packet->len;
1554 devops.write(packet);
1558 logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)", packet->len, n->name, n->hostname);
1560 // If the node is not reachable, drop it.
1562 if(!n->status.reachable) {
1563 logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable", n->name, n->hostname);
1567 // Keep track of packet statistics.
1570 n->out_bytes += packet->len;
1572 // Check if it should be sent as an SPTPS packet.
1574 if(n->status.sptps) {
1575 send_sptps_packet(n, packet);
1580 // Determine which node to actually send it to.
1582 node_t *via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
1585 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet to %s via %s (%s)", n->name, via->name, n->via->hostname);
1588 // Try to send via UDP, unless TCP is forced.
1590 if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
1591 if(!send_tcppacket(via->connection, packet)) {
1592 terminate_connection(via->connection, true);
1598 send_udppacket(via, packet);
1602 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
1603 // Always give ourself a copy of the packet.
1604 if(from != myself) {
1605 send_packet(myself, packet);
1608 // In TunnelServer mode, do not forward broadcast packets.
1609 // The MST might not be valid and create loops.
1610 if(tunnelserver || broadcast_mode == BMODE_NONE) {
1614 logger(DEBUG_TRAFFIC, LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
1615 packet->len, from->name, from->hostname);
1617 switch(broadcast_mode) {
1618 // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
1619 // This guarantees all nodes receive the broadcast packet, and
1620 // usually distributes the sending of broadcast packets over all nodes.
1622 for list_each(connection_t, c, &connection_list)
1623 if(c->edge && c->status.mst && c != from->nexthop->connection) {
1624 send_packet(c->node, packet);
1629 // In direct mode, we send copies to each node we know of.
1630 // However, this only reaches nodes that can be reached in a single hop.
1631 // We don't have enough information to forward broadcast packets in this case.
1633 if(from != myself) {
1637 for splay_each(node_t, n, &node_tree)
1638 if(n->status.reachable && n != myself && ((n->via == myself && n->nexthop == n) || n->via == n)) {
1639 send_packet(n, packet);
1649 /* We got a packet from some IP address, but we don't know who sent it. Try to
1650 verify the message authentication code against all active session keys.
1651 Since this is actually an expensive operation, we only do a full check once
1652 a minute, the rest of the time we only check against nodes for which we know
1653 an IP address that matches the one from the packet. */
1655 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
1656 node_t *match = NULL;
1658 static time_t last_hard_try = 0;
1660 for splay_each(node_t, n, &node_tree) {
1661 if(!n->status.reachable || n == myself) {
1665 if(!n->status.validkey_in && !(n->status.sptps && n->sptps.instate)) {
1671 for splay_each(edge_t, e, &n->edge_tree) {
1676 if(!sockaddrcmp_noport(from, &e->reverse->address)) {
1683 if(last_hard_try == now.tv_sec) {
1690 if(!try_mac(n, pkt)) {
1699 last_hard_try = now.tv_sec;
1705 static void handle_incoming_vpn_packet(listen_socket_t *ls, vpn_packet_t *pkt, sockaddr_t *addr) {
1707 node_id_t nullid = {0};
1709 bool direct = false;
1711 sockaddrunmap(addr); /* Some braindead IPv6 implementations do stupid things. */
1713 // Try to figure out who sent this packet.
1715 node_t *n = lookup_node_udp(addr);
1717 if(n && !n->status.udp_confirmed) {
1718 n = NULL; // Don't believe it if we don't have confirmation yet.
1722 // It might be from a 1.1 node, which might have a source ID in the packet.
1723 pkt->offset = 2 * sizeof(node_id_t);
1724 from = lookup_node_id(SRCID(pkt));
1726 if(from && from->status.sptps && !memcmp(DSTID(pkt), &nullid, sizeof(nullid))) {
1727 if(sptps_verify_datagram(&from->sptps, DATA(pkt), pkt->len - 2 * sizeof(node_id_t))) {
1737 n = try_harder(addr, pkt);
1743 if(debug_level >= DEBUG_PROTOCOL) {
1744 hostname = sockaddr2hostname(addr);
1745 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
1754 if(n->status.sptps) {
1755 bool relay_enabled = (n->options >> 24) >= 4;
1758 pkt->offset = 2 * sizeof(node_id_t);
1759 pkt->len -= pkt->offset;
1762 if(!relay_enabled || !memcmp(DSTID(pkt), &nullid, sizeof(nullid))) {
1767 from = lookup_node_id(SRCID(pkt));
1768 to = lookup_node_id(DSTID(pkt));
1772 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from %s (%s) with unknown source and/or destination ID", n->name, n->hostname);
1776 if(!to->status.reachable) {
1777 /* This can happen in the form of a race condition
1778 if the node just became unreachable. */
1779 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot relay packet from %s (%s) because the destination, %s (%s), is unreachable", from->name, from->hostname, to->name, to->hostname);
1783 /* The packet is supposed to come from the originator or its static relay
1784 (i.e. with no dynamic relays in between).
1785 If it did not, "help" the static relay by sending it UDP info.
1786 Note that we only do this if we're the destination or the static relay;
1787 otherwise every hop would initiate its own UDP info message, resulting in elevated chatter. */
1789 if(n != from->via && to->via == myself) {
1790 send_udp_info(myself, from);
1793 /* If we're not the final recipient, relay the packet. */
1796 send_sptps_data(to, from, 0, DATA(pkt), pkt->len);
1805 if(!receive_udppacket(from, pkt)) {
1809 n->sock = ls - listen_socket;
1811 if(direct && sockaddrcmp(addr, &n->address)) {
1812 update_node_udp(n, addr);
1815 /* If the packet went through a relay, help the sender find the appropriate MTU
1816 through the relay path. */
1819 send_mtu_info(myself, n, MTU);
1823 void handle_incoming_vpn_data(void *data, int flags) {
1826 listen_socket_t *ls = data;
1828 #ifdef HAVE_RECVMMSG
1830 static ssize_t num = MAX_MSG;
1831 static vpn_packet_t pkt[MAX_MSG];
1832 static sockaddr_t addr[MAX_MSG];
1833 static struct mmsghdr msg[MAX_MSG];
1834 static struct iovec iov[MAX_MSG];
1836 for(int i = 0; i < num; i++) {
1839 iov[i] = (struct iovec) {
1840 .iov_base = DATA(&pkt[i]),
1844 msg[i].msg_hdr = (struct msghdr) {
1845 .msg_name = &addr[i].sa,
1846 .msg_namelen = sizeof(addr)[i],
1852 num = recvmmsg(ls->udp.fd, msg, MAX_MSG, MSG_DONTWAIT, NULL);
1855 if(!sockwouldblock(sockerrno)) {
1856 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
1862 for(int i = 0; i < num; i++) {
1863 pkt[i].len = msg[i].msg_len;
1865 if(pkt[i].len <= 0 || pkt[i].len > MAXSIZE) {
1869 handle_incoming_vpn_packet(ls, &pkt[i], &addr[i]);
1874 sockaddr_t addr = {0};
1875 socklen_t addrlen = sizeof(addr);
1878 ssize_t len = recvfrom(ls->udp.fd, (void *)DATA(&pkt), MAXSIZE, 0, &addr.sa, &addrlen);
1880 if(len <= 0 || (size_t)len > MAXSIZE) {
1881 if(!sockwouldblock(sockerrno)) {
1882 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
1890 handle_incoming_vpn_packet(ls, &pkt, &addr);
1894 void handle_device_data(void *data, int flags) {
1897 vpn_packet_t packet;
1898 packet.offset = DEFAULT_PACKET_OFFSET;
1899 packet.priority = 0;
1900 static int errors = 0;
1902 if(devops.read(&packet)) {
1904 myself->in_packets++;
1905 myself->in_bytes += packet.len;
1906 route(myself, &packet);
1908 usleep(errors * 50000);
1912 logger(DEBUG_ALWAYS, LOG_ERR, "Too many errors from %s, exiting!", device);
projects / tinc / blob