2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2021 Guus Sliepen <guus@tinc-vpn.org>
5 2010 Timothy Redaelli <timothy@redaelli.eu>
6 2010 Brandon Black <blblack@gmail.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
40 #include "address_cache.h"
43 #include "connection.h"
58 #define MAX(a, b) ((a) > (b) ? (a) : (b))
61 /* The minimum size of a probe is 14 bytes, but since we normally use CBC mode
62 encryption, we can add a few extra random bytes without increasing the
63 resulting packet size. */
64 #define MIN_PROBE_SIZE 18
68 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
71 #ifdef HAVE_LZ4_BUILTIN
72 static LZ4_stream_t lz4_stream;
74 static void *lz4_state = NULL;
75 #endif /* HAVE_LZ4_BUILTIN */
77 static void send_udppacket(node_t *, vpn_packet_t *);
79 unsigned replaywin = 32;
80 bool localdiscovery = true;
81 bool udp_discovery = true;
82 int udp_discovery_keepalive_interval = 10;
83 int udp_discovery_interval = 2;
84 int udp_discovery_timeout = 30;
86 #define MAX_SEQNO 1073741824
88 static void try_fix_mtu(node_t *n) {
89 if(n->mtuprobes < 0) {
93 if(n->mtuprobes == 20 || n->minmtu >= n->maxmtu) {
94 if(n->minmtu > n->maxmtu) {
95 n->minmtu = n->maxmtu;
97 n->maxmtu = n->minmtu;
101 logger(DEBUG_TRAFFIC, LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
106 static void udp_probe_timeout_handler(void *data) {
109 if(!n->status.udp_confirmed) {
113 logger(DEBUG_TRAFFIC, LOG_INFO, "Too much time has elapsed since last UDP ping response from %s (%s), stopping UDP communication", n->name, n->hostname);
114 n->status.udp_confirmed = false;
115 n->udp_ping_rtt = -1;
122 static void send_udp_probe_reply(node_t *n, vpn_packet_t *packet, length_t len) {
123 if(!n->status.sptps && !n->status.validkey) {
124 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP probe reply to %s (%s) but we don't have his key yet", n->name, n->hostname);
128 /* Type 2 probe replies were introduced in protocol 17.3 */
129 if((n->options >> 24) >= 3) {
131 uint16_t len16 = htons(len);
132 memcpy(DATA(packet) + 1, &len16, 2);
133 packet->len = MIN_PROBE_SIZE;
134 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending type 2 probe reply length %u to %s (%s)", len, n->name, n->hostname);
137 /* Legacy protocol: n won't understand type 2 probe replies. */
139 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending type 1 probe reply length %u to %s (%s)", len, n->name, n->hostname);
142 /* Temporarily set udp_confirmed, so that the reply is sent
143 back exactly the way it came in. */
145 bool udp_confirmed = n->status.udp_confirmed;
146 n->status.udp_confirmed = true;
147 send_udppacket(n, packet);
148 n->status.udp_confirmed = udp_confirmed;
151 static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
152 if(!DATA(packet)[0]) {
153 logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request %d from %s (%s)", packet->len, n->name, n->hostname);
154 send_udp_probe_reply(n, packet, len);
158 if(DATA(packet)[0] == 2) {
159 // It's a type 2 probe reply, use the length field inside the packet
161 memcpy(&len16, DATA(packet) + 1, 2);
165 if(n->status.ping_sent) { // a probe in flight
166 gettimeofday(&now, NULL);
168 timersub(&now, &n->udp_ping_sent, &rtt);
169 n->udp_ping_rtt = rtt.tv_sec * 1000000 + rtt.tv_usec;
170 n->status.ping_sent = false;
171 logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s) rtt=%d.%03d", DATA(packet)[0], len, n->name, n->hostname, n->udp_ping_rtt / 1000, n->udp_ping_rtt % 1000);
173 logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], len, n->name, n->hostname);
176 /* It's a valid reply: now we know bidirectional communication
177 is possible using the address and socket that the reply
179 if(!n->status.udp_confirmed) {
180 n->status.udp_confirmed = true;
182 if(!n->address_cache) {
183 n->address_cache = open_address_cache(n);
186 reset_address_cache(n->address_cache, &n->address);
189 // Reset the UDP ping timer.
192 timeout_del(&n->udp_ping_timeout);
193 timeout_add(&n->udp_ping_timeout, &udp_probe_timeout_handler, n, &(struct timeval) {
194 udp_discovery_timeout, 0
198 if(len > n->maxmtu) {
199 logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
202 /* Set mtuprobes to 1 so that try_mtu() doesn't reset maxmtu */
205 } else if(n->mtuprobes < 0 && len == n->maxmtu) {
206 /* We got a maxmtu sized packet, confirming the PMTU is still valid. */
208 n->mtu_ping_sent = now;
211 /* If applicable, raise the minimum supported MTU */
213 if(n->minmtu < len) {
220 static length_t compress_packet_lz4(uint8_t *dest, const uint8_t *source, length_t len) {
221 #ifdef HAVE_LZ4_BUILTIN
222 return LZ4_compress_fast_extState(&lz4_stream, (const char *) source, (char *) dest, len, MAXSIZE, 0);
225 /* @FIXME: Put this in a better place, and free() it too. */
226 if(lz4_state == NULL) {
227 lz4_state = malloc(LZ4_sizeofState());
230 if(lz4_state == NULL) {
231 logger(DEBUG_ALWAYS, LOG_ERR, "Failed to allocate lz4_state, error: %i", errno);
235 return LZ4_compress_fast_extState(lz4_state, (const char *) source, (char *) dest, len, MAXSIZE, 0);
236 #endif /* HAVE_LZ4_BUILTIN */
238 #endif /* HAVE_LZ4 */
241 static length_t compress_packet_lzo(uint8_t *dest, const uint8_t *source, length_t len, int level) {
242 assert(level == 10 || level == 11);
244 lzo_uint lzolen = MAXSIZE;
248 result = lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
249 } else { // level == 10
250 result = lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
253 if(result == LZO_E_OK) {
261 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
266 return compress_packet_lz4(dest, source, len);
273 return compress_packet_lzo(dest, source, len, level);
286 unsigned long dest_len = MAXSIZE;
288 if(compress2(dest, (unsigned long *) &dest_len, source, len, level) == Z_OK) {
298 memcpy(dest, source, len);
306 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
311 return LZ4_decompress_safe((char *)source, (char *) dest, len, MAXSIZE);
318 lzo_uint dst_len = MAXSIZE;
320 if(lzo1x_decompress_safe(source, len, dest, (lzo_uint *) &dst_len, NULL) == LZO_E_OK) {
339 unsigned long destlen = MAXSIZE;
340 static z_stream stream;
343 inflateReset(&stream);
345 inflateInit(&stream);
348 stream.next_in = source;
349 stream.avail_in = len;
350 stream.next_out = dest;
351 stream.avail_out = destlen;
352 stream.total_out = 0;
354 if(inflate(&stream, Z_FINISH) == Z_STREAM_END) {
355 return stream.total_out;
364 memcpy(dest, source, len);
374 static void receive_packet(node_t *n, vpn_packet_t *packet) {
375 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
376 packet->len, n->name, n->hostname);
379 n->in_bytes += packet->len;
384 static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
385 if(n->status.sptps) {
386 return sptps_verify_datagram(&n->sptps, DATA(inpkt), inpkt->len);
389 #ifdef DISABLE_LEGACY
393 if(!n->status.validkey_in || !digest_active(n->indigest) || (size_t)inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) {
397 return digest_verify(n->indigest, inpkt->data, inpkt->len - digest_length(n->indigest), inpkt->data + inpkt->len - digest_length(n->indigest));
401 static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
402 if(n->status.sptps) {
403 if(!n->sptps.state) {
404 if(!n->status.waitingforkey) {
405 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but we haven't exchanged keys yet", n->name, n->hostname);
408 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
414 n->status.udppacket = true;
415 bool result = sptps_receive_data(&n->sptps, DATA(inpkt), inpkt->len);
416 n->status.udppacket = false;
419 /* Uh-oh. It might be that the tunnel is stuck in some corrupted state,
420 so let's restart SPTPS in case that helps. But don't do that too often
421 to prevent storms, and because that would make life a little too easy
422 for external attackers trying to DoS us. */
423 if(n->last_req_key < now.tv_sec - 10) {
424 logger(DEBUG_PROTOCOL, LOG_ERR, "Failed to decode raw TCP packet from %s (%s), restarting SPTPS", n->name, n->hostname);
434 #ifdef DISABLE_LEGACY
437 vpn_packet_t pkt1, pkt2;
438 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
441 pkt1.offset = DEFAULT_PACKET_OFFSET;
442 pkt2.offset = DEFAULT_PACKET_OFFSET;
444 if(!n->status.validkey_in) {
445 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
449 /* Check packet length */
451 if((size_t)inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) {
452 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
453 n->name, n->hostname);
457 /* It's a legacy UDP packet, the data starts after the seqno */
459 inpkt->offset += sizeof(seqno_t);
461 /* Check the message authentication code */
463 if(digest_active(n->indigest)) {
464 inpkt->len -= digest_length(n->indigest);
466 if(!digest_verify(n->indigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
467 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
472 /* Decrypt the packet */
474 if(cipher_active(n->incipher)) {
475 vpn_packet_t *outpkt = pkt[nextpkt++];
478 if(!cipher_decrypt(n->incipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
479 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
483 outpkt->len = outlen;
487 /* Check the sequence number */
490 memcpy(&seqno, SEQNO(inpkt), sizeof(seqno));
491 seqno = ntohl(seqno);
492 inpkt->len -= sizeof(seqno);
495 if(seqno != n->received_seqno + 1) {
496 if(seqno >= n->received_seqno + replaywin * 8) {
497 if(n->farfuture++ < replaywin >> 2) {
498 logger(DEBUG_TRAFFIC, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
499 n->name, n->hostname, seqno - n->received_seqno - 1, n->farfuture);
503 logger(DEBUG_TRAFFIC, LOG_WARNING, "Lost %d packets from %s (%s)",
504 seqno - n->received_seqno - 1, n->name, n->hostname);
505 memset(n->late, 0, replaywin);
506 } else if(seqno <= n->received_seqno) {
507 if((n->received_seqno >= replaywin * 8 && seqno <= n->received_seqno - replaywin * 8) || !(n->late[(seqno / 8) % replaywin] & (1 << seqno % 8))) {
508 logger(DEBUG_TRAFFIC, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
509 n->name, n->hostname, seqno, n->received_seqno);
513 for(seqno_t i = n->received_seqno + 1; i < seqno; i++) {
514 n->late[(i / 8) % replaywin] |= 1 << i % 8;
520 n->late[(seqno / 8) % replaywin] &= ~(1 << seqno % 8);
523 if(seqno > n->received_seqno) {
524 n->received_seqno = seqno;
529 if(n->received_seqno > MAX_SEQNO) {
533 /* Decompress the packet */
535 length_t origlen = inpkt->len;
537 if(n->incompression) {
538 vpn_packet_t *outpkt = pkt[nextpkt++];
540 if(!(outpkt->len = uncompress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->incompression))) {
541 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)",
542 n->name, n->hostname);
548 if(origlen > MTU / 64 + 20) {
549 origlen -= MTU / 64 + 20;
555 if(inpkt->len > n->maxrecentlen) {
556 n->maxrecentlen = inpkt->len;
561 if(!DATA(inpkt)[12] && !DATA(inpkt)[13]) {
562 udp_probe_h(n, inpkt, origlen);
564 receive_packet(n, inpkt);
571 void receive_tcppacket(connection_t *c, const char *buffer, size_t len) {
573 outpkt.offset = DEFAULT_PACKET_OFFSET;
575 if(len > sizeof(outpkt.data) - outpkt.offset) {
581 if(c->options & OPTION_TCPONLY) {
584 outpkt.priority = -1;
587 memcpy(DATA(&outpkt), buffer, len);
589 receive_packet(c->node, &outpkt);
592 bool receive_tcppacket_sptps(connection_t *c, const char *data, size_t len) {
593 if(len < sizeof(node_id_t) + sizeof(node_id_t)) {
594 logger(DEBUG_PROTOCOL, LOG_ERR, "Got too short TCP SPTPS packet from %s (%s)", c->name, c->hostname);
598 node_t *to = lookup_node_id((node_id_t *)data);
599 data += sizeof(node_id_t);
600 len -= sizeof(node_id_t);
603 logger(DEBUG_PROTOCOL, LOG_ERR, "Got TCP SPTPS packet from %s (%s) with unknown destination ID", c->name, c->hostname);
607 node_t *from = lookup_node_id((node_id_t *)data);
608 data += sizeof(node_id_t);
609 len -= sizeof(node_id_t);
612 logger(DEBUG_PROTOCOL, LOG_ERR, "Got TCP SPTPS packet from %s (%s) with unknown source ID", c->name, c->hostname);
616 if(!to->status.reachable) {
617 /* This can happen in the form of a race condition
618 if the node just became unreachable. */
619 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot relay TCP packet from %s (%s) because the destination, %s (%s), is unreachable", from->name, from->hostname, to->name, to->hostname);
623 /* Help the sender reach us over UDP.
624 Note that we only do this if we're the destination or the static relay;
625 otherwise every hop would initiate its own UDP info message, resulting in elevated chatter. */
626 if(to->via == myself) {
627 send_udp_info(myself, from);
630 /* If we're not the final recipient, relay the packet. */
633 if(to->status.validkey) {
634 send_sptps_data(to, from, 0, data, len);
641 /* The packet is for us */
643 if(!sptps_receive_data(&from->sptps, data, len)) {
644 /* Uh-oh. It might be that the tunnel is stuck in some corrupted state,
645 so let's restart SPTPS in case that helps. But don't do that too often
646 to prevent storms. */
647 if(from->last_req_key < now.tv_sec - 10) {
648 logger(DEBUG_PROTOCOL, LOG_ERR, "Failed to decode raw TCP packet from %s (%s), restarting SPTPS", from->name, from->hostname);
655 send_mtu_info(myself, from, MTU);
659 static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
660 if(!n->status.validkey && !n->connection) {
667 if((!(DATA(origpkt)[12] | DATA(origpkt)[13])) && (n->sptps.outstate)) {
668 sptps_send_record(&n->sptps, PKT_PROBE, (char *)DATA(origpkt), origpkt->len);
672 if(routing_mode == RMODE_ROUTER) {
678 if(origpkt->len < offset) {
684 if(n->outcompression) {
686 length_t len = compress_packet(DATA(&outpkt) + offset, DATA(origpkt) + offset, origpkt->len - offset, n->outcompression);
689 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
690 } else if(len < origpkt->len - offset) {
691 outpkt.len = len + offset;
693 type |= PKT_COMPRESSED;
697 /* If we have a direct metaconnection to n, and we can't use UDP, then
698 don't bother with SPTPS and just use a "plaintext" PACKET message.
699 We don't really care about end-to-end security since we're not
700 sending the message through any intermediate nodes. */
701 if(n->connection && origpkt->len > n->minmtu) {
702 send_tcppacket(n->connection, origpkt);
704 sptps_send_record(&n->sptps, type, DATA(origpkt) + offset, origpkt->len - offset);
710 static void adapt_socket(const sockaddr_t *sa, int *sock) {
711 /* Make sure we have a suitable socket for the chosen address */
712 if(listen_socket[*sock].sa.sa.sa_family != sa->sa.sa_family) {
713 for(int i = 0; i < listen_sockets; i++) {
714 if(listen_socket[i].sa.sa.sa_family == sa->sa.sa_family) {
722 static void choose_udp_address(const node_t *n, const sockaddr_t **sa, int *sock) {
727 /* If the UDP address is confirmed, use it. */
728 if(n->status.udp_confirmed) {
732 /* Send every third packet to n->address; that could be set
733 to the node's reflexive UDP address discovered during key
743 /* Otherwise, address are found in edges to this node.
744 So we pick a random edge and a random socket. */
747 int j = rand() % n->edge_tree->count;
748 edge_t *candidate = NULL;
750 for splay_each(edge_t, e, n->edge_tree) {
752 candidate = e->reverse;
758 *sa = &candidate->address;
759 *sock = rand() % listen_sockets;
762 adapt_socket(*sa, sock);
765 static void choose_local_address(const node_t *n, const sockaddr_t **sa, int *sock) {
768 /* Pick one of the edges from this node at random, then use its local address. */
771 int j = rand() % n->edge_tree->count;
772 edge_t *candidate = NULL;
774 for splay_each(edge_t, e, n->edge_tree) {
781 if(candidate && candidate->local_address.sa.sa_family) {
782 *sa = &candidate->local_address;
783 *sock = rand() % listen_sockets;
784 adapt_socket(*sa, sock);
788 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
789 if(!n->status.reachable) {
790 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
794 if(n->status.sptps) {
795 send_sptps_packet(n, origpkt);
799 #ifdef DISABLE_LEGACY
802 vpn_packet_t pkt1, pkt2;
803 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
804 vpn_packet_t *inpkt = origpkt;
806 vpn_packet_t *outpkt;
807 int origlen = origpkt->len;
809 int origpriority = origpkt->priority;
811 pkt1.offset = DEFAULT_PACKET_OFFSET;
812 pkt2.offset = DEFAULT_PACKET_OFFSET;
814 /* Make sure we have a valid key */
816 if(!n->status.validkey) {
817 logger(DEBUG_TRAFFIC, LOG_INFO,
818 "No valid key known yet for %s (%s), forwarding via TCP",
819 n->name, n->hostname);
820 send_tcppacket(n->nexthop->connection, origpkt);
824 if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (DATA(inpkt)[12] | DATA(inpkt)[13])) {
825 logger(DEBUG_TRAFFIC, LOG_INFO,
826 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
827 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
829 if(n != n->nexthop) {
830 send_packet(n->nexthop, origpkt);
832 send_tcppacket(n->nexthop->connection, origpkt);
838 /* Compress the packet */
840 if(n->outcompression) {
841 outpkt = pkt[nextpkt++];
843 if(!(outpkt->len = compress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->outcompression))) {
844 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)",
845 n->name, n->hostname);
852 /* Add sequence number */
854 seqno_t seqno = htonl(++(n->sent_seqno));
855 memcpy(SEQNO(inpkt), &seqno, sizeof(seqno));
856 inpkt->len += sizeof(seqno);
858 /* Encrypt the packet */
860 if(cipher_active(n->outcipher)) {
861 outpkt = pkt[nextpkt++];
864 if(!cipher_encrypt(n->outcipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
865 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
869 outpkt->len = outlen;
873 /* Add the message authentication code */
875 if(digest_active(n->outdigest)) {
876 if(!digest_create(n->outdigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
877 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
881 inpkt->len += digest_length(n->outdigest);
884 /* Send the packet */
886 const sockaddr_t *sa = NULL;
889 if(n->status.send_locally) {
890 choose_local_address(n, &sa, &sock);
894 choose_udp_address(n, &sa, &sock);
897 if(priorityinheritance && origpriority != listen_socket[sock].priority) {
898 listen_socket[sock].priority = origpriority;
900 switch(sa->sa.sa_family) {
904 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting IPv4 outgoing packet priority to %d", origpriority);
906 if(setsockopt(listen_socket[sock].udp.fd, IPPROTO_IP, IP_TOS, (void *)&origpriority, sizeof(origpriority))) { /* SO_PRIORITY doesn't seem to work */
907 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
912 #if defined(IPV6_TCLASS)
915 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting IPv6 outgoing packet priority to %d", origpriority);
917 if(setsockopt(listen_socket[sock].udp.fd, IPPROTO_IPV6, IPV6_TCLASS, (void *)&origpriority, sizeof(origpriority))) { /* SO_PRIORITY doesn't seem to work */
918 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
929 if(sendto(listen_socket[sock].udp.fd, (void *)SEQNO(inpkt), inpkt->len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
930 if(sockmsgsize(sockerrno)) {
931 if(n->maxmtu >= origlen) {
932 n->maxmtu = origlen - 1;
935 if(n->mtu >= origlen) {
936 n->mtu = origlen - 1;
941 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
946 origpkt->len = origlen;
950 bool send_sptps_data(node_t *to, node_t *from, int type, const void *data, size_t len) {
951 node_t *relay = (to->via != myself && (type == PKT_PROBE || (len - SPTPS_DATAGRAM_OVERHEAD) <= to->via->minmtu)) ? to->via : to->nexthop;
952 bool direct = from == myself && to == relay;
953 bool relay_supported = (relay->options >> 24) >= 4;
954 bool tcponly = (myself->options | relay->options) & OPTION_TCPONLY;
956 /* Send it via TCP if it is a handshake packet, TCPOnly is in use, this is a relay packet that the other node cannot understand, or this packet is larger than the MTU. */
958 if(type == SPTPS_HANDSHAKE || tcponly || (!direct && !relay_supported) || (type != PKT_PROBE && (len - SPTPS_DATAGRAM_OVERHEAD) > relay->minmtu)) {
959 if(type != SPTPS_HANDSHAKE && (to->nexthop->connection->options >> 24) >= 7) {
960 char buf[len + sizeof(to->id) + sizeof(from->id)];
962 memcpy(buf_ptr, &to->id, sizeof(to->id));
963 buf_ptr += sizeof(to->id);
964 memcpy(buf_ptr, &from->id, sizeof(from->id));
965 buf_ptr += sizeof(from->id);
966 memcpy(buf_ptr, data, len);
967 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s) (TCP)", from->name, from->hostname, to->name, to->hostname, to->nexthop->name, to->nexthop->hostname);
968 return send_sptps_tcppacket(to->nexthop->connection, buf, sizeof(buf));
971 char buf[len * 4 / 3 + 5];
972 b64encode(data, buf, len);
974 /* If this is a handshake packet, use ANS_KEY instead of REQ_KEY, for two reasons:
975 - We don't want intermediate nodes to switch to UDP to relay these packets;
976 - ANS_KEY allows us to learn the reflexive UDP address. */
977 if(type == SPTPS_HANDSHAKE) {
978 to->incompression = myself->incompression;
979 return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, from->name, to->name, buf, to->incompression);
981 return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, from->name, to->name, SPTPS_PACKET, buf);
987 if(relay_supported) {
988 overhead += sizeof(to->id) + sizeof(from->id);
991 char buf[len + overhead];
994 if(relay_supported) {
996 /* Inform the recipient that this packet was sent directly. */
997 node_id_t nullid = {0};
998 memcpy(buf_ptr, &nullid, sizeof(nullid));
999 buf_ptr += sizeof(nullid);
1001 memcpy(buf_ptr, &to->id, sizeof(to->id));
1002 buf_ptr += sizeof(to->id);
1005 memcpy(buf_ptr, &from->id, sizeof(from->id));
1006 buf_ptr += sizeof(from->id);
1010 /* TODO: if this copy turns out to be a performance concern, change sptps_send_record() to add some "pre-padding" to the buffer and use that instead */
1011 memcpy(buf_ptr, data, len);
1014 const sockaddr_t *sa = NULL;
1017 if(relay->status.send_locally) {
1018 choose_local_address(relay, &sa, &sock);
1022 choose_udp_address(relay, &sa, &sock);
1025 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s) (UDP)", from->name, from->hostname, to->name, to->hostname, relay->name, relay->hostname);
1027 if(sendto(listen_socket[sock].udp.fd, buf, buf_ptr - buf, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
1028 if(sockmsgsize(sockerrno)) {
1029 // Compensate for SPTPS overhead
1030 len -= SPTPS_DATAGRAM_OVERHEAD;
1032 if(relay->maxmtu >= len) {
1033 relay->maxmtu = len - 1;
1036 if(relay->mtu >= len) {
1037 relay->mtu = len - 1;
1042 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", relay->name, relay->hostname, sockstrerror(sockerrno));
1050 bool receive_sptps_record(void *handle, uint8_t type, const void *data, uint16_t len) {
1051 node_t *from = handle;
1053 if(type == SPTPS_HANDSHAKE) {
1054 if(!from->status.validkey) {
1055 from->status.validkey = true;
1056 from->status.waitingforkey = false;
1057 logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) successful", from->name, from->hostname);
1064 logger(DEBUG_ALWAYS, LOG_ERR, "Packet from %s (%s) larger than maximum supported size (%d > %d)", from->name, from->hostname, len, MTU);
1069 inpkt.offset = DEFAULT_PACKET_OFFSET;
1072 if(type == PKT_PROBE) {
1073 if(!from->status.udppacket) {
1074 logger(DEBUG_ALWAYS, LOG_ERR, "Got SPTPS PROBE packet from %s (%s) via TCP", from->name, from->hostname);
1079 memcpy(DATA(&inpkt), data, len);
1081 if(inpkt.len > from->maxrecentlen) {
1082 from->maxrecentlen = inpkt.len;
1085 udp_probe_h(from, &inpkt, len);
1089 if(type & ~(PKT_COMPRESSED | PKT_MAC)) {
1090 logger(DEBUG_ALWAYS, LOG_ERR, "Unexpected SPTPS record type %d len %d from %s (%s)", type, len, from->name, from->hostname);
1094 /* Check if we have the headers we need */
1095 if(routing_mode != RMODE_ROUTER && !(type & PKT_MAC)) {
1096 logger(DEBUG_TRAFFIC, LOG_ERR, "Received packet from %s (%s) without MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
1098 } else if(routing_mode == RMODE_ROUTER && (type & PKT_MAC)) {
1099 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received packet from %s (%s) with MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
1102 int offset = (type & PKT_MAC) ? 0 : 14;
1104 if(type & PKT_COMPRESSED) {
1105 length_t ulen = uncompress_packet(DATA(&inpkt) + offset, (const uint8_t *)data, len, from->incompression);
1110 inpkt.len = ulen + offset;
1113 if(inpkt.len > MAXSIZE) {
1117 memcpy(DATA(&inpkt) + offset, data, len);
1118 inpkt.len = len + offset;
1121 /* Generate the Ethernet packet type if necessary */
1123 switch(DATA(&inpkt)[14] >> 4) {
1125 DATA(&inpkt)[12] = 0x08;
1126 DATA(&inpkt)[13] = 0x00;
1130 DATA(&inpkt)[12] = 0x86;
1131 DATA(&inpkt)[13] = 0xDD;
1135 logger(DEBUG_TRAFFIC, LOG_ERR,
1136 "Unknown IP version %d while reading packet from %s (%s)",
1137 DATA(&inpkt)[14] >> 4, from->name, from->hostname);
1142 if(from->status.udppacket && inpkt.len > from->maxrecentlen) {
1143 from->maxrecentlen = inpkt.len;
1146 receive_packet(from, &inpkt);
1150 // This function tries to get SPTPS keys, if they aren't already known.
1151 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if the keys are available.
1152 static void try_sptps(node_t *n) {
1153 if(n->status.validkey) {
1157 logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
1159 if(!n->status.waitingforkey) {
1161 } else if(n->last_req_key + 10 < now.tv_sec) {
1162 logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
1163 sptps_stop(&n->sptps);
1164 n->status.waitingforkey = false;
1171 static void send_udp_probe_packet(node_t *n, int len) {
1172 vpn_packet_t packet;
1174 if(len > sizeof(packet.data)) {
1175 logger(DEBUG_TRAFFIC, LOG_INFO, "Truncating probe length %d to %s (%s)", len, n->name, n->hostname);
1176 len = sizeof(packet.data);
1179 packet.offset = DEFAULT_PACKET_OFFSET;
1180 memset(DATA(&packet), 0, 14);
1181 randomize(DATA(&packet) + 14, len - 14);
1183 packet.priority = 0;
1185 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending UDP probe length %d to %s (%s)", len, n->name, n->hostname);
1187 send_udppacket(n, &packet);
1190 // This function tries to establish a UDP tunnel to a node so that packets can be sent.
1191 // If a tunnel is already established, it makes sure it stays up.
1192 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if UDP is usable.
1193 static void try_udp(node_t *n) {
1194 if(!udp_discovery) {
1198 /* Send gratuitous probe replies to 1.1 nodes. */
1200 if((n->options >> 24) >= 3 && n->status.udp_confirmed) {
1201 struct timeval ping_tx_elapsed;
1202 timersub(&now, &n->udp_reply_sent, &ping_tx_elapsed);
1204 if(ping_tx_elapsed.tv_sec >= udp_discovery_keepalive_interval - 1) {
1205 n->udp_reply_sent = now;
1207 if(n->maxrecentlen) {
1209 pkt.len = n->maxrecentlen;
1210 pkt.offset = DEFAULT_PACKET_OFFSET;
1211 memset(DATA(&pkt), 0, 14);
1212 randomize(DATA(&pkt) + 14, MIN_PROBE_SIZE - 14);
1213 send_udp_probe_reply(n, &pkt, pkt.len);
1214 n->maxrecentlen = 0;
1221 struct timeval ping_tx_elapsed;
1222 timersub(&now, &n->udp_ping_sent, &ping_tx_elapsed);
1224 int interval = n->status.udp_confirmed ? udp_discovery_keepalive_interval : udp_discovery_interval;
1226 if(ping_tx_elapsed.tv_sec >= interval) {
1227 gettimeofday(&now, NULL);
1228 n->udp_ping_sent = now; // a probe in flight
1229 n->status.ping_sent = true;
1230 send_udp_probe_packet(n, MIN_PROBE_SIZE);
1232 if(localdiscovery && !n->status.udp_confirmed && n->prevedge) {
1233 n->status.send_locally = true;
1234 send_udp_probe_packet(n, MIN_PROBE_SIZE);
1235 n->status.send_locally = false;
1240 static length_t choose_initial_maxmtu(node_t *n) {
1245 const sockaddr_t *sa = NULL;
1247 choose_udp_address(n, &sa, &sockindex);
1253 sock = socket(sa->sa.sa_family, SOCK_DGRAM, IPPROTO_UDP);
1256 logger(DEBUG_TRAFFIC, LOG_ERR, "Creating MTU assessment socket for %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
1260 if(connect(sock, &sa->sa, SALEN(sa->sa))) {
1261 logger(DEBUG_TRAFFIC, LOG_ERR, "Connecting MTU assessment socket for %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
1267 socklen_t ip_mtu_len = sizeof(ip_mtu);
1269 if(getsockopt(sock, IPPROTO_IP, IP_MTU, &ip_mtu, &ip_mtu_len)) {
1270 logger(DEBUG_TRAFFIC, LOG_ERR, "getsockopt(IP_MTU) on %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
1277 /* getsockopt(IP_MTU) returns the MTU of the physical interface.
1278 We need to remove various overheads to get to the tinc MTU. */
1279 length_t mtu = ip_mtu;
1280 mtu -= (sa->sa.sa_family == AF_INET6) ? sizeof(struct ip6_hdr) : sizeof(struct ip);
1283 if(n->status.sptps) {
1284 mtu -= SPTPS_DATAGRAM_OVERHEAD;
1286 if((n->options >> 24) >= 4) {
1287 mtu -= sizeof(node_id_t) + sizeof(node_id_t);
1290 #ifndef DISABLE_LEGACY
1292 mtu -= digest_length(n->outdigest);
1294 /* Now it's tricky. We use CBC mode, so the length of the
1295 encrypted payload must be a multiple of the blocksize. The
1296 sequence number is also part of the encrypted payload, so we
1297 must account for it after correcting for the blocksize.
1298 Furthermore, the padding in the last block must be at least
1301 length_t blocksize = cipher_blocksize(n->outcipher);
1314 logger(DEBUG_TRAFFIC, LOG_ERR, "getsockopt(IP_MTU) on %s (%s) returned absurdly small value: %d", n->name, n->hostname, ip_mtu);
1322 logger(DEBUG_TRAFFIC, LOG_INFO, "Using system-provided maximum tinc MTU for %s (%s): %hd", n->name, n->hostname, mtu);
1331 /* This function tries to determines the MTU of a node.
1332 By calling this function repeatedly, n->minmtu will be progressively
1333 increased, and at some point, n->mtu will be fixed to n->minmtu. If the MTU
1334 is already fixed, this function checks if it can be increased.
1337 static void try_mtu(node_t *n) {
1338 if(!(n->options & OPTION_PMTU_DISCOVERY)) {
1342 if(udp_discovery && !n->status.udp_confirmed) {
1343 n->maxrecentlen = 0;
1350 /* mtuprobes == 0..19: initial discovery, send bursts with 1 second interval, mtuprobes++
1351 mtuprobes == 20: fix MTU, and go to -1
1352 mtuprobes == -1: send one maxmtu and one maxmtu+1 probe every pinginterval
1353 mtuprobes ==-2..-3: send one maxmtu probe every second
1354 mtuprobes == -4: maxmtu no longer valid, reset minmtu and maxmtu and go to 0 */
1356 struct timeval elapsed;
1357 timersub(&now, &n->mtu_ping_sent, &elapsed);
1359 if(n->mtuprobes >= 0) {
1360 if(n->mtuprobes != 0 && elapsed.tv_sec == 0 && elapsed.tv_usec < 333333) {
1364 if(n->mtuprobes < -1) {
1365 if(elapsed.tv_sec < 1) {
1369 if(elapsed.tv_sec < pinginterval) {
1375 n->mtu_ping_sent = now;
1379 if(n->mtuprobes < -3) {
1380 /* We lost three MTU probes, restart discovery */
1381 logger(DEBUG_TRAFFIC, LOG_INFO, "Decrease in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
1386 if(n->mtuprobes < 0) {
1387 /* After the initial discovery, we only send one maxmtu and one
1388 maxmtu+1 probe to detect PMTU increases. */
1389 send_udp_probe_packet(n, n->maxmtu);
1391 if(n->mtuprobes == -1 && n->maxmtu + 1 < MTU) {
1392 send_udp_probe_packet(n, n->maxmtu + 1);
1397 /* Before initial discovery begins, set maxmtu to the most likely value.
1398 If it's underestimated, we will correct it after initial discovery. */
1399 if(n->mtuprobes == 0) {
1400 n->maxmtu = choose_initial_maxmtu(n);
1404 /* Decreasing the number of probes per cycle might make the algorithm react faster to lost packets,
1405 but it will typically increase convergence time in the no-loss case. */
1406 const length_t probes_per_cycle = 8;
1408 /* This magic value was determined using math simulations.
1409 It will result in a 1329-byte first probe, followed (if there was a reply) by a 1407-byte probe.
1410 Since 1407 is just below the range of tinc MTUs over typical networks,
1411 this fine-tuning allows tinc to cover a lot of ground very quickly.
1412 This fine-tuning is only valid for maxmtu = MTU; if maxmtu is smaller,
1413 then it's better to use a multiplier of 1. Indeed, this leads to an interesting scenario
1414 if choose_initial_maxmtu() returns the actual MTU value - it will get confirmed with one single probe. */
1415 const float multiplier = (n->maxmtu == MTU) ? 0.97 : 1;
1417 const float cycle_position = probes_per_cycle - (n->mtuprobes % probes_per_cycle) - 1;
1418 const length_t minmtu = MAX(n->minmtu, 512);
1419 const float interval = n->maxmtu - minmtu;
1421 length_t offset = 0;
1423 /* powf can be underflowed if n->maxmtu is less than 512 due to the minmtu MAX bound */
1425 /* The core of the discovery algorithm is this exponential.
1426 It produces very large probes early in the cycle, and then it very quickly decreases the probe size.
1427 This reflects the fact that in the most difficult cases, we don't get any feedback for probes that
1428 are too large, and therefore we need to concentrate on small offsets so that we can quickly converge
1429 on the precise MTU as we are approaching it.
1430 The last probe of the cycle is always 1 byte in size - this is to make sure we'll get at least one
1431 reply per cycle so that we can make progress. */
1432 offset = powf(interval, multiplier * cycle_position / (probes_per_cycle - 1));
1435 length_t maxmtu = n->maxmtu;
1436 send_udp_probe_packet(n, minmtu + offset);
1438 /* If maxmtu changed, it means the probe was rejected by the system because it was too large.
1439 In that case, we recalculate with the new maxmtu and try again. */
1440 if(n->mtuprobes < 0 || maxmtu == n->maxmtu) {
1445 if(n->mtuprobes >= 0) {
1451 /* These functions try to establish a tunnel to a node (or its relay) so that
1452 packets can be sent (e.g. exchange keys).
1453 If a tunnel is already established, it tries to improve it (e.g. by trying
1454 to establish a UDP tunnel instead of TCP). This function makes no
1455 guarantees - it is up to the caller to check the node's state to figure out
1456 if TCP and/or UDP is usable. By calling this function repeatedly, the
1457 tunnel is gradually improved until we hit the wall imposed by the underlying
1458 network environment. It is recommended to call this function every time a
1459 packet is sent (or intended to be sent) to a node, so that the tunnel keeps
1460 improving as packets flow, and then gracefully downgrades itself as it goes
1464 static void try_tx_sptps(node_t *n, bool mtu) {
1465 /* If n is a TCP-only neighbor, we'll only use "cleartext" PACKET
1466 messages anyway, so there's no need for SPTPS at all. */
1468 if(n->connection && ((myself->options | n->options) & OPTION_TCPONLY)) {
1472 /* Otherwise, try to do SPTPS authentication with n if necessary. */
1476 /* Do we need to statically relay packets? */
1478 node_t *via = (n->via == myself) ? n->nexthop : n->via;
1480 /* If we do have a static relay, try everything with that one instead, if it supports relaying. */
1483 if((via->options >> 24) < 4) {
1491 /* Otherwise, try to establish UDP connectivity. */
1499 /* If we don't have UDP connectivity (yet), we need to use a dynamic relay (nexthop)
1500 while we try to establish direct connectivity. */
1502 if(!n->status.udp_confirmed && n != n->nexthop && (n->nexthop->options >> 24) >= 4) {
1503 try_tx(n->nexthop, mtu);
1507 static void try_tx_legacy(node_t *n, bool mtu) {
1508 /* Does he have our key? If not, send one. */
1510 if(!n->status.validkey_in) {
1514 /* Check if we already have a key, or request one. */
1516 if(!n->status.validkey) {
1517 if(n->last_req_key + 10 <= now.tv_sec) {
1519 n->last_req_key = now.tv_sec;
1532 void try_tx(node_t *n, bool mtu) {
1533 if(!n->status.reachable) {
1537 if(n->status.sptps) {
1538 try_tx_sptps(n, mtu);
1540 try_tx_legacy(n, mtu);
1544 void send_packet(node_t *n, vpn_packet_t *packet) {
1545 // If it's for myself, write it to the tun/tap device.
1549 memcpy(DATA(packet), mymac.x, ETH_ALEN);
1550 // Use an arbitrary fake source address.
1551 memcpy(DATA(packet) + ETH_ALEN, DATA(packet), ETH_ALEN);
1552 DATA(packet)[ETH_ALEN * 2 - 1] ^= 0xFF;
1556 n->out_bytes += packet->len;
1557 devops.write(packet);
1561 logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)", packet->len, n->name, n->hostname);
1563 // If the node is not reachable, drop it.
1565 if(!n->status.reachable) {
1566 logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable", n->name, n->hostname);
1570 // Keep track of packet statistics.
1573 n->out_bytes += packet->len;
1575 // Check if it should be sent as an SPTPS packet.
1577 if(n->status.sptps) {
1578 send_sptps_packet(n, packet);
1583 // Determine which node to actually send it to.
1585 node_t *via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
1588 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet to %s via %s (%s)", n->name, via->name, n->via->hostname);
1591 // Try to send via UDP, unless TCP is forced.
1593 if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
1594 if(!send_tcppacket(via->connection, packet)) {
1595 terminate_connection(via->connection, true);
1601 send_udppacket(via, packet);
1605 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
1606 // Always give ourself a copy of the packet.
1607 if(from != myself) {
1608 send_packet(myself, packet);
1611 // In TunnelServer mode, do not forward broadcast packets.
1612 // The MST might not be valid and create loops.
1613 if(tunnelserver || broadcast_mode == BMODE_NONE) {
1617 logger(DEBUG_TRAFFIC, LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
1618 packet->len, from->name, from->hostname);
1620 switch(broadcast_mode) {
1621 // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
1622 // This guarantees all nodes receive the broadcast packet, and
1623 // usually distributes the sending of broadcast packets over all nodes.
1625 for list_each(connection_t, c, connection_list)
1626 if(c->edge && c->status.mst && c != from->nexthop->connection) {
1627 send_packet(c->node, packet);
1632 // In direct mode, we send copies to each node we know of.
1633 // However, this only reaches nodes that can be reached in a single hop.
1634 // We don't have enough information to forward broadcast packets in this case.
1636 if(from != myself) {
1640 for splay_each(node_t, n, node_tree)
1641 if(n->status.reachable && n != myself && ((n->via == myself && n->nexthop == n) || n->via == n)) {
1642 send_packet(n, packet);
1652 /* We got a packet from some IP address, but we don't know who sent it. Try to
1653 verify the message authentication code against all active session keys.
1654 Since this is actually an expensive operation, we only do a full check once
1655 a minute, the rest of the time we only check against nodes for which we know
1656 an IP address that matches the one from the packet. */
1658 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
1659 node_t *match = NULL;
1661 static time_t last_hard_try = 0;
1663 for splay_each(node_t, n, node_tree) {
1664 if(!n->status.reachable || n == myself) {
1668 if(!n->status.validkey_in && !(n->status.sptps && n->sptps.instate)) {
1674 for splay_each(edge_t, e, n->edge_tree) {
1679 if(!sockaddrcmp_noport(from, &e->reverse->address)) {
1686 if(last_hard_try == now.tv_sec) {
1693 if(!try_mac(n, pkt)) {
1702 last_hard_try = now.tv_sec;
1708 static void handle_incoming_vpn_packet(listen_socket_t *ls, vpn_packet_t *pkt, sockaddr_t *addr) {
1710 node_id_t nullid = {0};
1712 bool direct = false;
1714 sockaddrunmap(addr); /* Some braindead IPv6 implementations do stupid things. */
1716 // Try to figure out who sent this packet.
1718 node_t *n = lookup_node_udp(addr);
1720 if(n && !n->status.udp_confirmed) {
1721 n = NULL; // Don't believe it if we don't have confirmation yet.
1725 // It might be from a 1.1 node, which might have a source ID in the packet.
1726 pkt->offset = 2 * sizeof(node_id_t);
1727 from = lookup_node_id(SRCID(pkt));
1729 if(from && from->status.sptps && !memcmp(DSTID(pkt), &nullid, sizeof(nullid))) {
1730 if(sptps_verify_datagram(&from->sptps, DATA(pkt), pkt->len - 2 * sizeof(node_id_t))) {
1740 n = try_harder(addr, pkt);
1746 if(debug_level >= DEBUG_PROTOCOL) {
1747 hostname = sockaddr2hostname(addr);
1748 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
1757 if(n->status.sptps) {
1758 bool relay_enabled = (n->options >> 24) >= 4;
1761 pkt->offset = 2 * sizeof(node_id_t);
1762 pkt->len -= pkt->offset;
1765 if(!relay_enabled || !memcmp(DSTID(pkt), &nullid, sizeof(nullid))) {
1770 from = lookup_node_id(SRCID(pkt));
1771 to = lookup_node_id(DSTID(pkt));
1775 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from %s (%s) with unknown source and/or destination ID", n->name, n->hostname);
1779 if(!to->status.reachable) {
1780 /* This can happen in the form of a race condition
1781 if the node just became unreachable. */
1782 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot relay packet from %s (%s) because the destination, %s (%s), is unreachable", from->name, from->hostname, to->name, to->hostname);
1786 /* The packet is supposed to come from the originator or its static relay
1787 (i.e. with no dynamic relays in between).
1788 If it did not, "help" the static relay by sending it UDP info.
1789 Note that we only do this if we're the destination or the static relay;
1790 otherwise every hop would initiate its own UDP info message, resulting in elevated chatter. */
1792 if(n != from->via && to->via == myself) {
1793 send_udp_info(myself, from);
1796 /* If we're not the final recipient, relay the packet. */
1799 send_sptps_data(to, from, 0, DATA(pkt), pkt->len);
1808 if(!receive_udppacket(from, pkt)) {
1812 n->sock = ls - listen_socket;
1814 if(direct && sockaddrcmp(addr, &n->address)) {
1815 update_node_udp(n, addr);
1818 /* If the packet went through a relay, help the sender find the appropriate MTU
1819 through the relay path. */
1822 send_mtu_info(myself, n, MTU);
1826 void handle_incoming_vpn_data(void *data, int flags) {
1829 listen_socket_t *ls = data;
1831 #ifdef HAVE_RECVMMSG
1833 static int num = MAX_MSG;
1834 static vpn_packet_t pkt[MAX_MSG];
1835 static sockaddr_t addr[MAX_MSG];
1836 static struct mmsghdr msg[MAX_MSG];
1837 static struct iovec iov[MAX_MSG];
1839 for(int i = 0; i < num; i++) {
1842 iov[i] = (struct iovec) {
1843 .iov_base = DATA(&pkt[i]),
1847 msg[i].msg_hdr = (struct msghdr) {
1848 .msg_name = &addr[i].sa,
1849 .msg_namelen = sizeof(addr)[i],
1855 num = recvmmsg(ls->udp.fd, msg, MAX_MSG, MSG_DONTWAIT, NULL);
1858 if(!sockwouldblock(sockerrno)) {
1859 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
1865 for(int i = 0; i < num; i++) {
1866 pkt[i].len = msg[i].msg_len;
1868 if(pkt[i].len <= 0 || pkt[i].len > MAXSIZE) {
1872 handle_incoming_vpn_packet(ls, &pkt[i], &addr[i]);
1877 sockaddr_t addr = {0};
1878 socklen_t addrlen = sizeof(addr);
1881 int len = recvfrom(ls->udp.fd, (void *)DATA(&pkt), MAXSIZE, 0, &addr.sa, &addrlen);
1883 if(len <= 0 || (size_t)len > MAXSIZE) {
1884 if(!sockwouldblock(sockerrno)) {
1885 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
1893 handle_incoming_vpn_packet(ls, &pkt, &addr);
1897 void handle_device_data(void *data, int flags) {
1900 vpn_packet_t packet;
1901 packet.offset = DEFAULT_PACKET_OFFSET;
1902 packet.priority = 0;
1903 static int errors = 0;
1905 if(devops.read(&packet)) {
1907 myself->in_packets++;
1908 myself->in_bytes += packet.len;
1909 route(myself, &packet);
1911 usleep(errors * 50000);
1915 logger(DEBUG_ALWAYS, LOG_ERR, "Too many errors from %s, exiting!", device);
projects / tinc / blob