2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2013 Guus Sliepen <guus@tinc-vpn.org>
5 2010 Timothy Redaelli <timothy@redaelli.eu>
6 2010 Brandon Black <blblack@gmail.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
35 #include "connection.h"
51 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
54 static void send_udppacket(node_t *, vpn_packet_t *);
56 unsigned replaywin = 16;
57 bool localdiscovery = false;
58 sockaddr_t localdiscovery_address;
60 #define MAX_SEQNO 1073741824
62 /* mtuprobes == 1..30: initial discovery, send bursts with 1 second interval
63 mtuprobes == 31: sleep pinginterval seconds
64 mtuprobes == 32: send 1 burst, sleep pingtimeout second
65 mtuprobes == 33: no response from other side, restart PMTU discovery process
67 Probes are sent in batches of at least three, with random sizes between the
68 lower and upper boundaries for the MTU thus far discovered.
70 After the initial discovery, a fourth packet is added to each batch with a
71 size larger than the currently known PMTU, to test if the PMTU has increased.
73 In case local discovery is enabled, another packet is added to each batch,
74 which will be broadcast to the local network.
78 static void send_mtu_probe_handler(void *data) {
84 if(!n->status.reachable || !n->status.validkey) {
85 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send MTU probe to unreachable or rekeying node %s (%s)", n->name, n->hostname);
90 if(n->mtuprobes > 32) {
93 timeout = pinginterval;
97 logger(DEBUG_TRAFFIC, LOG_INFO, "%s (%s) did not respond to UDP ping, restarting PMTU discovery", n->name, n->hostname);
98 n->status.udp_confirmed = false;
104 if(n->mtuprobes >= 10 && n->mtuprobes < 32 && !n->minmtu) {
105 logger(DEBUG_TRAFFIC, LOG_INFO, "No response to MTU probes from %s (%s)", n->name, n->hostname);
109 if(n->mtuprobes == 30 || (n->mtuprobes < 30 && n->minmtu >= n->maxmtu)) {
110 if(n->minmtu > n->maxmtu)
111 n->minmtu = n->maxmtu;
113 n->maxmtu = n->minmtu;
115 logger(DEBUG_TRAFFIC, LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
119 if(n->mtuprobes == 31) {
120 timeout = pinginterval;
122 } else if(n->mtuprobes == 32) {
123 timeout = pingtimeout;
126 for(int i = 0; i < 4 + localdiscovery; i++) {
130 if(n->mtuprobes < 30 || n->maxmtu + 8 >= MTU)
133 } else if(n->maxmtu <= n->minmtu) {
136 len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
143 memset(packet.data, 0, 14);
144 randomize(packet.data + 14, len - 14);
147 n->status.send_locally = i >= 4 && n->mtuprobes <= 10 && n->prevedge;
149 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending MTU probe length %d to %s (%s)", len, n->name, n->hostname);
151 send_udppacket(n, &packet);
154 n->status.send_locally = false;
155 n->probe_counter = 0;
156 gettimeofday(&n->probe_time, NULL);
158 /* Calculate the packet loss of incoming traffic by comparing the rate of
159 packets received to the rate with which the sequence number has increased.
162 if(n->received > n->prev_received)
163 n->packetloss = 1.0 - (n->received - n->prev_received) / (float)(n->received_seqno - n->prev_received_seqno);
165 n->packetloss = n->received_seqno <= n->prev_received_seqno;
167 n->prev_received_seqno = n->received_seqno;
168 n->prev_received = n->received;
171 timeout_set(&n->mtutimeout, &(struct timeval){timeout, rand() % 100000});
174 void send_mtu_probe(node_t *n) {
175 timeout_add(&n->mtutimeout, send_mtu_probe_handler, n, &(struct timeval){1, 0});
176 send_mtu_probe_handler(n);
179 static void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
180 if(!packet->data[0]) {
181 logger(DEBUG_TRAFFIC, LOG_INFO, "Got MTU probe request %d from %s (%s)", packet->len, n->name, n->hostname);
183 /* It's a probe request, send back a reply */
185 /* Type 2 probe replies were introduced in protocol 17.3 */
186 if ((n->options >> 24) == 3) {
187 uint8_t* data = packet->data;
189 uint16_t len16 = htons(len); memcpy(data, &len16, 2); data += 2;
191 gettimeofday(&now, NULL);
192 uint32_t sec = htonl(now.tv_sec); memcpy(data, &sec, 4); data += 4;
193 uint32_t usec = htonl(now.tv_usec); memcpy(data, &usec, 4); data += 4;
194 packet->len = data - packet->data;
196 /* Legacy protocol: n won't understand type 2 probe replies. */
200 /* Temporarily set udp_confirmed, so that the reply is sent
201 back exactly the way it came in. */
203 bool udp_confirmed = n->status.udp_confirmed;
204 n->status.udp_confirmed = true;
205 send_udppacket(n, packet);
206 n->status.udp_confirmed = udp_confirmed;
208 length_t probelen = len;
209 if (packet->data[0] == 2) {
211 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received invalid (too short) MTU probe reply from %s (%s)", n->name, n->hostname);
213 uint16_t probelen16; memcpy(&probelen16, packet->data + 1, 2); probelen = ntohs(probelen16);
216 logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d MTU probe reply %d from %s (%s)", packet->data[0], probelen, n->name, n->hostname);
218 /* It's a valid reply: now we know bidirectional communication
219 is possible using the address and socket that the reply
222 n->status.udp_confirmed = true;
224 /* If we haven't established the PMTU yet, restart the discovery process. */
226 if(n->mtuprobes > 30) {
227 if (probelen == n->maxmtu + 8) {
228 logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
240 /* If applicable, raise the minimum supported MTU */
242 if(probelen > n->maxmtu)
243 probelen = n->maxmtu;
244 if(n->minmtu < probelen)
245 n->minmtu = probelen;
247 /* Calculate RTT and bandwidth.
248 The RTT is the time between the MTU probe burst was sent and the first
249 reply is received. The bandwidth is measured using the time between the
250 arrival of the first and third probe reply (or type 2 probe requests).
253 struct timeval now, diff;
254 gettimeofday(&now, NULL);
255 timersub(&now, &n->probe_time, &diff);
257 struct timeval probe_timestamp = now;
258 if (packet->data[0] == 2 && packet->len >= 11) {
259 uint32_t sec; memcpy(&sec, packet->data + 3, 4);
260 uint32_t usec; memcpy(&usec, packet->data + 7, 4);
261 probe_timestamp.tv_sec = ntohl(sec);
262 probe_timestamp.tv_usec = ntohl(usec);
267 if(n->probe_counter == 1) {
268 n->rtt = diff.tv_sec + diff.tv_usec * 1e-6;
269 n->probe_time = probe_timestamp;
270 } else if(n->probe_counter == 3) {
271 struct timeval probe_timestamp_diff;
272 timersub(&probe_timestamp, &n->probe_time, &probe_timestamp_diff);
273 n->bandwidth = 2.0 * probelen / (probe_timestamp_diff.tv_sec + probe_timestamp_diff.tv_usec * 1e-6);
274 logger(DEBUG_TRAFFIC, LOG_DEBUG, "%s (%s) RTT %.2f ms, burst bandwidth %.3f Mbit/s, rx packet loss %.2f %%", n->name, n->hostname, n->rtt * 1e3, n->bandwidth * 8e-6, n->packetloss * 1e2);
279 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
281 memcpy(dest, source, len);
283 } else if(level == 10) {
285 lzo_uint lzolen = MAXSIZE;
286 lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
291 } else if(level < 10) {
293 unsigned long destlen = MAXSIZE;
294 if(compress2(dest, &destlen, source, len, level) == Z_OK)
301 lzo_uint lzolen = MAXSIZE;
302 lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
312 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
314 memcpy(dest, source, len);
316 } else if(level > 9) {
318 lzo_uint lzolen = MAXSIZE;
319 if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
327 unsigned long destlen = MAXSIZE;
328 if(uncompress(dest, &destlen, source, len) == Z_OK)
340 static void receive_packet(node_t *n, vpn_packet_t *packet) {
341 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
342 packet->len, n->name, n->hostname);
345 n->in_bytes += packet->len;
350 static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
352 return sptps_verify_datagram(&n->sptps, (char *)&inpkt->seqno, inpkt->len);
354 if(!digest_active(n->indigest) || inpkt->len < sizeof inpkt->seqno + digest_length(n->indigest))
357 return digest_verify(n->indigest, &inpkt->seqno, inpkt->len - digest_length(n->indigest), (const char *)&inpkt->seqno + inpkt->len - digest_length(n->indigest));
360 static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
361 vpn_packet_t pkt1, pkt2;
362 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
364 vpn_packet_t *outpkt = pkt[0];
367 if(n->status.sptps) {
368 if(!n->sptps.state) {
369 if(!n->status.waitingforkey) {
370 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but we haven't exchanged keys yet", n->name, n->hostname);
373 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
377 sptps_receive_data(&n->sptps, (char *)&inpkt->seqno, inpkt->len);
381 if(!n->status.validkey) {
382 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
386 /* Check packet length */
388 if(inpkt->len < sizeof inpkt->seqno + digest_length(n->indigest)) {
389 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
390 n->name, n->hostname);
394 /* Check the message authentication code */
396 if(digest_active(n->indigest)) {
397 inpkt->len -= digest_length(n->indigest);
398 if(!digest_verify(n->indigest, &inpkt->seqno, inpkt->len, (const char *)&inpkt->seqno + inpkt->len)) {
399 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
403 /* Decrypt the packet */
405 if(cipher_active(n->incipher)) {
406 outpkt = pkt[nextpkt++];
409 if(!cipher_decrypt(n->incipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
410 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
414 outpkt->len = outlen;
418 /* Check the sequence number */
420 inpkt->len -= sizeof inpkt->seqno;
421 inpkt->seqno = ntohl(inpkt->seqno);
424 if(inpkt->seqno != n->received_seqno + 1) {
425 if(inpkt->seqno >= n->received_seqno + replaywin * 8) {
426 if(n->farfuture++ < replaywin >> 2) {
427 logger(DEBUG_ALWAYS, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
428 n->name, n->hostname, inpkt->seqno - n->received_seqno - 1, n->farfuture);
431 logger(DEBUG_ALWAYS, LOG_WARNING, "Lost %d packets from %s (%s)",
432 inpkt->seqno - n->received_seqno - 1, n->name, n->hostname);
433 memset(n->late, 0, replaywin);
434 } else if (inpkt->seqno <= n->received_seqno) {
435 if((n->received_seqno >= replaywin * 8 && inpkt->seqno <= n->received_seqno - replaywin * 8) || !(n->late[(inpkt->seqno / 8) % replaywin] & (1 << inpkt->seqno % 8))) {
436 logger(DEBUG_ALWAYS, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
437 n->name, n->hostname, inpkt->seqno, n->received_seqno);
441 for(int i = n->received_seqno + 1; i < inpkt->seqno; i++)
442 n->late[(i / 8) % replaywin] |= 1 << i % 8;
447 n->late[(inpkt->seqno / 8) % replaywin] &= ~(1 << inpkt->seqno % 8);
450 if(inpkt->seqno > n->received_seqno)
451 n->received_seqno = inpkt->seqno;
455 if(n->received_seqno > MAX_SEQNO)
458 /* Decompress the packet */
460 length_t origlen = inpkt->len;
462 if(n->incompression) {
463 outpkt = pkt[nextpkt++];
465 if((outpkt->len = uncompress_packet(outpkt->data, inpkt->data, inpkt->len, n->incompression)) < 0) {
466 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)",
467 n->name, n->hostname);
473 origlen -= MTU/64 + 20;
478 if(!inpkt->data[12] && !inpkt->data[13])
479 mtu_probe_h(n, inpkt, origlen);
481 receive_packet(n, inpkt);
484 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
487 if(len > sizeof outpkt.data)
491 if(c->options & OPTION_TCPONLY)
494 outpkt.priority = -1;
495 memcpy(outpkt.data, buffer, len);
497 receive_packet(c->node, &outpkt);
500 static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
501 if(!n->status.validkey) {
502 logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
503 if(!n->status.waitingforkey)
505 else if(n->last_req_key + 10 < now.tv_sec) {
506 logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
507 sptps_stop(&n->sptps);
508 n->status.waitingforkey = false;
517 if(!(origpkt->data[12] | origpkt->data[13])) {
518 sptps_send_record(&n->sptps, PKT_PROBE, (char *)origpkt->data, origpkt->len);
522 if(routing_mode == RMODE_ROUTER)
527 if(origpkt->len < offset)
532 if(n->outcompression) {
533 int len = compress_packet(outpkt.data + offset, origpkt->data + offset, origpkt->len - offset, n->outcompression);
535 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
536 } else if(len < origpkt->len - offset) {
537 outpkt.len = len + offset;
539 type |= PKT_COMPRESSED;
543 sptps_send_record(&n->sptps, type, (char *)origpkt->data + offset, origpkt->len - offset);
547 static void adapt_socket(const sockaddr_t *sa, int *sock) {
548 /* Make sure we have a suitable socket for the chosen address */
549 if(listen_socket[*sock].sa.sa.sa_family != sa->sa.sa_family) {
550 for(int i = 0; i < listen_sockets; i++) {
551 if(listen_socket[i].sa.sa.sa_family == sa->sa.sa_family) {
559 static void choose_udp_address(const node_t *n, const sockaddr_t **sa, int *sock) {
564 /* If the UDP address is confirmed, use it. */
565 if(n->status.udp_confirmed)
568 /* Send every third packet to n->address; that could be set
569 to the node's reflexive UDP address discovered during key
578 /* Otherwise, address are found in edges to this node.
579 So we pick a random edge and a random socket. */
582 int j = rand() % n->edge_tree->count;
583 edge_t *candidate = NULL;
585 for splay_each(edge_t, e, n->edge_tree) {
587 candidate = e->reverse;
593 *sa = &candidate->address;
594 *sock = rand() % listen_sockets;
597 adapt_socket(*sa, sock);
600 static void choose_local_address(const node_t *n, const sockaddr_t **sa, int *sock) {
601 /* Pick one of the edges from this node at random, then use its local address. */
604 int j = rand() % n->edge_tree->count;
605 edge_t *candidate = NULL;
607 for splay_each(edge_t, e, n->edge_tree) {
614 if (candidate && candidate->local_address.sa.sa_family) {
615 *sa = &candidate->local_address;
616 *sock = rand() % listen_sockets;
617 adapt_socket(*sa, sock);
621 /* No candidate? Use broadcasts instead. */
623 static sockaddr_t broadcast_ipv4 = {
625 .sin_family = AF_INET,
626 .sin_addr.s_addr = -1,
630 static sockaddr_t broadcast_ipv6 = {
632 .sin6_family = AF_INET6,
633 .sin6_addr.s6_addr[0x0] = 0xff,
634 .sin6_addr.s6_addr[0x1] = 0x02,
635 .sin6_addr.s6_addr[0xf] = 0x01,
639 *sock = rand() % listen_sockets;
641 if(listen_socket[*sock].sa.sa.sa_family == AF_INET6) {
642 if(localdiscovery_address.sa.sa_family == AF_INET6) {
643 localdiscovery_address.in6.sin6_port = n->prevedge->address.in.sin_port;
644 *sa = &localdiscovery_address;
646 broadcast_ipv6.in6.sin6_port = n->prevedge->address.in.sin_port;
647 broadcast_ipv6.in6.sin6_scope_id = listen_socket[*sock].sa.in6.sin6_scope_id;
648 *sa = &broadcast_ipv6;
651 if(localdiscovery_address.sa.sa_family == AF_INET) {
652 localdiscovery_address.in.sin_port = n->prevedge->address.in.sin_port;
653 *sa = &localdiscovery_address;
655 broadcast_ipv4.in.sin_port = n->prevedge->address.in.sin_port;
656 *sa = &broadcast_ipv4;
661 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
662 vpn_packet_t pkt1, pkt2;
663 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
664 vpn_packet_t *inpkt = origpkt;
666 vpn_packet_t *outpkt;
667 int origlen = origpkt->len;
669 #if defined(SOL_IP) && defined(IP_TOS)
670 static int priority = 0;
672 int origpriority = origpkt->priority;
674 if(!n->status.reachable) {
675 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
680 return send_sptps_packet(n, origpkt);
682 /* Make sure we have a valid key */
684 if(!n->status.validkey) {
685 logger(DEBUG_TRAFFIC, LOG_INFO,
686 "No valid key known yet for %s (%s), forwarding via TCP",
687 n->name, n->hostname);
689 if(n->last_req_key + 10 <= now.tv_sec) {
691 n->last_req_key = now.tv_sec;
694 send_tcppacket(n->nexthop->connection, origpkt);
699 if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (inpkt->data[12] | inpkt->data[13])) {
700 logger(DEBUG_TRAFFIC, LOG_INFO,
701 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
702 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
705 send_packet(n->nexthop, origpkt);
707 send_tcppacket(n->nexthop->connection, origpkt);
712 /* Compress the packet */
714 if(n->outcompression) {
715 outpkt = pkt[nextpkt++];
717 if((outpkt->len = compress_packet(outpkt->data, inpkt->data, inpkt->len, n->outcompression)) < 0) {
718 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)",
719 n->name, n->hostname);
726 /* Add sequence number */
728 inpkt->seqno = htonl(++(n->sent_seqno));
729 inpkt->len += sizeof inpkt->seqno;
731 /* Encrypt the packet */
733 if(cipher_active(n->outcipher)) {
734 outpkt = pkt[nextpkt++];
737 if(!cipher_encrypt(n->outcipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
738 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
742 outpkt->len = outlen;
746 /* Add the message authentication code */
748 if(digest_active(n->outdigest)) {
749 if(!digest_create(n->outdigest, &inpkt->seqno, inpkt->len, (char *)&inpkt->seqno + inpkt->len)) {
750 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
754 inpkt->len += digest_length(n->outdigest);
757 /* Send the packet */
759 const sockaddr_t *sa;
762 if(n->status.send_locally)
763 choose_local_address(n, &sa, &sock);
765 choose_udp_address(n, &sa, &sock);
767 #if defined(SOL_IP) && defined(IP_TOS)
768 if(priorityinheritance && origpriority != priority
769 && listen_socket[n->sock].sa.sa.sa_family == AF_INET) {
770 priority = origpriority;
771 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
772 if(setsockopt(listen_socket[n->sock].udp.fd, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
773 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
777 if(sendto(listen_socket[sock].udp.fd, (char *) &inpkt->seqno, inpkt->len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
778 if(sockmsgsize(sockerrno)) {
779 if(n->maxmtu >= origlen)
780 n->maxmtu = origlen - 1;
781 if(n->mtu >= origlen)
782 n->mtu = origlen - 1;
784 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
788 origpkt->len = origlen;
791 bool send_sptps_data(void *handle, uint8_t type, const char *data, size_t len) {
794 /* Send it via TCP if it is a handshake packet, TCPOnly is in use, or this packet is larger than the MTU. */
796 if(type >= SPTPS_HANDSHAKE || ((myself->options | to->options) & OPTION_TCPONLY) || (type != PKT_PROBE && (len - SPTPS_DATAGRAM_OVERHEAD) > to->minmtu)) {
797 char buf[len * 4 / 3 + 5];
798 b64encode(data, buf, len);
799 /* If no valid key is known yet, send the packets using ANS_KEY requests,
800 to ensure we get to learn the reflexive UDP address. */
801 if(!to->status.validkey) {
802 to->incompression = myself->incompression;
803 return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, myself->name, to->name, buf, to->incompression);
805 return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, myself->name, to->name, REQ_SPTPS, buf);
809 /* Otherwise, send the packet via UDP */
811 const sockaddr_t *sa;
814 if(to->status.send_locally)
815 choose_local_address(to, &sa, &sock);
817 choose_udp_address(to, &sa, &sock);
819 if(sendto(listen_socket[sock].udp.fd, data, len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
820 if(sockmsgsize(sockerrno)) {
821 // Compensate for SPTPS overhead
822 len -= SPTPS_DATAGRAM_OVERHEAD;
823 if(to->maxmtu >= len)
824 to->maxmtu = len - 1;
828 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", to->name, to->hostname, sockstrerror(sockerrno));
836 bool receive_sptps_record(void *handle, uint8_t type, const char *data, uint16_t len) {
837 node_t *from = handle;
839 if(type == SPTPS_HANDSHAKE) {
840 if(!from->status.validkey) {
841 from->status.validkey = true;
842 from->status.waitingforkey = false;
843 logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) succesful", from->name, from->hostname);
849 logger(DEBUG_ALWAYS, LOG_ERR, "Packet from %s (%s) larger than maximum supported size (%d > %d)", from->name, from->hostname, len, MTU);
855 if(type == PKT_PROBE) {
857 memcpy(inpkt.data, data, len);
858 mtu_probe_h(from, &inpkt, len);
862 if(type & ~(PKT_COMPRESSED | PKT_MAC)) {
863 logger(DEBUG_ALWAYS, LOG_ERR, "Unexpected SPTPS record type %d len %d from %s (%s)", type, len, from->name, from->hostname);
867 /* Check if we have the headers we need */
868 if(routing_mode != RMODE_ROUTER && !(type & PKT_MAC)) {
869 logger(DEBUG_TRAFFIC, LOG_ERR, "Received packet from %s (%s) without MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
871 } else if(routing_mode == RMODE_ROUTER && (type & PKT_MAC)) {
872 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received packet from %s (%s) with MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
875 int offset = (type & PKT_MAC) ? 0 : 14;
876 if(type & PKT_COMPRESSED) {
877 length_t ulen = uncompress_packet(inpkt.data + offset, (const uint8_t *)data, len, from->incompression);
881 inpkt.len = ulen + offset;
883 if(inpkt.len > MAXSIZE)
886 memcpy(inpkt.data + offset, data, len);
887 inpkt.len = len + offset;
890 /* Generate the Ethernet packet type if necessary */
892 switch(inpkt.data[14] >> 4) {
894 inpkt.data[12] = 0x08;
895 inpkt.data[13] = 0x00;
898 inpkt.data[12] = 0x86;
899 inpkt.data[13] = 0xDD;
902 logger(DEBUG_TRAFFIC, LOG_ERR,
903 "Unknown IP version %d while reading packet from %s (%s)",
904 inpkt.data[14] >> 4, from->name, from->hostname);
909 receive_packet(from, &inpkt);
914 send a packet to the given vpn ip.
916 void send_packet(node_t *n, vpn_packet_t *packet) {
921 memcpy(packet->data, mymac.x, ETH_ALEN);
923 n->out_bytes += packet->len;
924 devops.write(packet);
928 logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)",
929 packet->len, n->name, n->hostname);
931 if(!n->status.reachable) {
932 logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable",
933 n->name, n->hostname);
938 n->out_bytes += packet->len;
940 if(n->status.sptps) {
941 send_sptps_packet(n, packet);
945 via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
948 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet to %s via %s (%s)",
949 n->name, via->name, n->via->hostname);
951 if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
952 if(!send_tcppacket(via->connection, packet))
953 terminate_connection(via->connection, true);
955 send_udppacket(via, packet);
958 /* Broadcast a packet using the minimum spanning tree */
960 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
961 // Always give ourself a copy of the packet.
963 send_packet(myself, packet);
965 // In TunnelServer mode, do not forward broadcast packets.
966 // The MST might not be valid and create loops.
967 if(tunnelserver || broadcast_mode == BMODE_NONE)
970 logger(DEBUG_TRAFFIC, LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
971 packet->len, from->name, from->hostname);
973 switch(broadcast_mode) {
974 // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
975 // This guarantees all nodes receive the broadcast packet, and
976 // usually distributes the sending of broadcast packets over all nodes.
978 for list_each(connection_t, c, connection_list)
979 if(c->status.active && c->status.mst && c != from->nexthop->connection)
980 send_packet(c->node, packet);
983 // In direct mode, we send copies to each node we know of.
984 // However, this only reaches nodes that can be reached in a single hop.
985 // We don't have enough information to forward broadcast packets in this case.
990 for splay_each(node_t, n, node_tree)
991 if(n->status.reachable && n != myself && ((n->via == myself && n->nexthop == n) || n->via == n))
992 send_packet(n, packet);
1000 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
1003 static time_t last_hard_try = 0;
1005 for splay_each(edge_t, e, edge_weight_tree) {
1006 if(!e->to->status.reachable || e->to == myself)
1009 if(sockaddrcmp_noport(from, &e->address)) {
1010 if(last_hard_try == now.tv_sec)
1015 if(!try_mac(e->to, pkt))
1023 last_hard_try = now.tv_sec;
1025 last_hard_try = now.tv_sec;
1029 void handle_incoming_vpn_data(void *data, int flags) {
1030 listen_socket_t *ls = data;
1033 sockaddr_t from = {{0}};
1034 socklen_t fromlen = sizeof from;
1038 len = recvfrom(ls->udp.fd, (char *) &pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen);
1040 if(len <= 0 || len > MAXSIZE) {
1041 if(!sockwouldblock(sockerrno))
1042 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
1048 sockaddrunmap(&from); /* Some braindead IPv6 implementations do stupid things. */
1050 n = lookup_node_udp(&from);
1053 n = try_harder(&from, &pkt);
1055 update_node_udp(n, &from);
1056 else if(debug_level >= DEBUG_PROTOCOL) {
1057 hostname = sockaddr2hostname(&from);
1058 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
1066 n->sock = ls - listen_socket;
1068 receive_udppacket(n, &pkt);
1071 void handle_device_data(void *data, int flags) {
1072 vpn_packet_t packet;
1074 packet.priority = 0;
1076 if(devops.read(&packet)) {
1077 myself->in_packets++;
1078 myself->in_bytes += packet.len;
1079 route(myself, &packet);
projects / tinc / blob