2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2014 Guus Sliepen <guus@tinc-vpn.org>
5 2010 Timothy Redaelli <timothy@redaelli.eu>
6 2010 Brandon Black <blblack@gmail.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
35 #include "connection.h"
51 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
54 static void send_udppacket(node_t *, vpn_packet_t *);
56 unsigned replaywin = 16;
57 bool localdiscovery = true;
59 #define MAX_SEQNO 1073741824
61 /* mtuprobes == 1..30: initial discovery, send bursts with 1 second interval
62 mtuprobes == 31: sleep pinginterval seconds
63 mtuprobes == 32: send 1 burst, sleep pingtimeout second
64 mtuprobes == 33: no response from other side, restart PMTU discovery process
66 Probes are sent in batches of at least three, with random sizes between the
67 lower and upper boundaries for the MTU thus far discovered.
69 After the initial discovery, a fourth packet is added to each batch with a
70 size larger than the currently known PMTU, to test if the PMTU has increased.
72 In case local discovery is enabled, another packet is added to each batch,
73 which will be broadcast to the local network.
77 static void send_mtu_probe_handler(void *data) {
83 if(!n->status.reachable || !n->status.validkey) {
84 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send MTU probe to unreachable or rekeying node %s (%s)", n->name, n->hostname);
89 if(n->mtuprobes > 32) {
92 timeout = pinginterval;
96 logger(DEBUG_TRAFFIC, LOG_INFO, "%s (%s) did not respond to UDP ping, restarting PMTU discovery", n->name, n->hostname);
97 n->status.udp_confirmed = false;
103 if(n->mtuprobes >= 10 && n->mtuprobes < 32 && !n->minmtu) {
104 logger(DEBUG_TRAFFIC, LOG_INFO, "No response to MTU probes from %s (%s)", n->name, n->hostname);
108 if(n->mtuprobes == 30 || (n->mtuprobes < 30 && n->minmtu >= n->maxmtu)) {
109 if(n->minmtu > n->maxmtu)
110 n->minmtu = n->maxmtu;
112 n->maxmtu = n->minmtu;
114 logger(DEBUG_TRAFFIC, LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
118 if(n->mtuprobes == 31) {
119 timeout = pinginterval;
121 } else if(n->mtuprobes == 32) {
122 timeout = pingtimeout;
125 for(int i = 0; i < 4 + localdiscovery; i++) {
129 if(n->mtuprobes < 30 || n->maxmtu + 8 >= MTU)
132 } else if(n->maxmtu <= n->minmtu) {
135 len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
142 packet.offset = DEFAULT_PACKET_OFFSET;
143 memset(DATA(&packet), 0, 14);
144 randomize(DATA(&packet) + 14, len - 14);
147 n->status.send_locally = i >= 4 && n->mtuprobes <= 10 && n->prevedge;
149 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending MTU probe length %d to %s (%s)", len, n->name, n->hostname);
151 send_udppacket(n, &packet);
154 n->status.send_locally = false;
155 n->probe_counter = 0;
156 gettimeofday(&n->probe_time, NULL);
158 /* Calculate the packet loss of incoming traffic by comparing the rate of
159 packets received to the rate with which the sequence number has increased.
162 if(n->received > n->prev_received)
163 n->packetloss = 1.0 - (n->received - n->prev_received) / (float)(n->received_seqno - n->prev_received_seqno);
165 n->packetloss = n->received_seqno <= n->prev_received_seqno;
167 n->prev_received_seqno = n->received_seqno;
168 n->prev_received = n->received;
171 timeout_set(&n->mtutimeout, &(struct timeval){timeout, rand() % 100000});
174 void send_mtu_probe(node_t *n) {
175 timeout_add(&n->mtutimeout, send_mtu_probe_handler, n, &(struct timeval){1, 0});
176 send_mtu_probe_handler(n);
179 static void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
180 if(!DATA(packet)[0]) {
181 logger(DEBUG_TRAFFIC, LOG_INFO, "Got MTU probe request %d from %s (%s)", packet->len, n->name, n->hostname);
183 /* It's a probe request, send back a reply */
185 /* Type 2 probe replies were introduced in protocol 17.3 */
186 if ((n->options >> 24) >= 3) {
187 uint8_t *data = DATA(packet);
189 uint16_t len16 = htons(len); memcpy(data, &len16, 2); data += 2;
191 gettimeofday(&now, NULL);
192 uint32_t sec = htonl(now.tv_sec); memcpy(data, &sec, 4); data += 4;
193 uint32_t usec = htonl(now.tv_usec); memcpy(data, &usec, 4); data += 4;
196 /* Legacy protocol: n won't understand type 2 probe replies. */
200 /* Temporarily set udp_confirmed, so that the reply is sent
201 back exactly the way it came in. */
203 bool udp_confirmed = n->status.udp_confirmed;
204 n->status.udp_confirmed = true;
205 send_udppacket(n, packet);
206 n->status.udp_confirmed = udp_confirmed;
208 length_t probelen = len;
209 if (DATA(packet)[0] == 2) {
211 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received invalid (too short) MTU probe reply from %s (%s)", n->name, n->hostname);
213 uint16_t probelen16; memcpy(&probelen16, DATA(packet) + 1, 2); probelen = ntohs(probelen16);
216 logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d MTU probe reply %d from %s (%s)", DATA(packet)[0], probelen, n->name, n->hostname);
218 /* It's a valid reply: now we know bidirectional communication
219 is possible using the address and socket that the reply
222 n->status.udp_confirmed = true;
224 /* If we haven't established the PMTU yet, restart the discovery process. */
226 if(n->mtuprobes > 30) {
227 if (probelen == n->maxmtu + 8) {
228 logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
240 /* If applicable, raise the minimum supported MTU */
242 if(probelen > n->maxmtu)
243 probelen = n->maxmtu;
244 if(n->minmtu < probelen)
245 n->minmtu = probelen;
247 /* Calculate RTT and bandwidth.
248 The RTT is the time between the MTU probe burst was sent and the first
249 reply is received. The bandwidth is measured using the time between the
250 arrival of the first and third probe reply (or type 2 probe requests).
253 struct timeval now, diff;
254 gettimeofday(&now, NULL);
255 timersub(&now, &n->probe_time, &diff);
257 struct timeval probe_timestamp = now;
258 if (DATA(packet)[0] == 2 && packet->len >= 11) {
259 uint32_t sec; memcpy(&sec, DATA(packet) + 3, 4);
260 uint32_t usec; memcpy(&usec, DATA(packet) + 7, 4);
261 probe_timestamp.tv_sec = ntohl(sec);
262 probe_timestamp.tv_usec = ntohl(usec);
267 if(n->probe_counter == 1) {
268 n->rtt = diff.tv_sec + diff.tv_usec * 1e-6;
269 n->probe_time = probe_timestamp;
270 } else if(n->probe_counter == 3) {
271 struct timeval probe_timestamp_diff;
272 timersub(&probe_timestamp, &n->probe_time, &probe_timestamp_diff);
273 n->bandwidth = 2.0 * probelen / (probe_timestamp_diff.tv_sec + probe_timestamp_diff.tv_usec * 1e-6);
274 logger(DEBUG_TRAFFIC, LOG_DEBUG, "%s (%s) RTT %.2f ms, burst bandwidth %.3f Mbit/s, rx packet loss %.2f %%", n->name, n->hostname, n->rtt * 1e3, n->bandwidth * 8e-6, n->packetloss * 1e2);
279 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
281 memcpy(dest, source, len);
283 } else if(level == 10) {
285 lzo_uint lzolen = MAXSIZE;
286 lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
291 } else if(level < 10) {
293 unsigned long destlen = MAXSIZE;
294 if(compress2(dest, &destlen, source, len, level) == Z_OK)
301 lzo_uint lzolen = MAXSIZE;
302 lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
312 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
314 memcpy(dest, source, len);
316 } else if(level > 9) {
318 lzo_uint lzolen = MAXSIZE;
319 if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
327 unsigned long destlen = MAXSIZE;
328 if(uncompress(dest, &destlen, source, len) == Z_OK)
340 static void receive_packet(node_t *n, vpn_packet_t *packet) {
341 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
342 packet->len, n->name, n->hostname);
345 n->in_bytes += packet->len;
350 static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
352 return sptps_verify_datagram(&n->sptps, DATA(inpkt), inpkt->len);
354 if(!digest_active(n->indigest) || inpkt->len < sizeof(seqno_t) + digest_length(n->indigest))
357 return digest_verify(n->indigest, SEQNO(inpkt), inpkt->len - digest_length(n->indigest), DATA(inpkt) + inpkt->len - digest_length(n->indigest));
360 static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
361 vpn_packet_t pkt1, pkt2;
362 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
365 pkt1.offset = DEFAULT_PACKET_OFFSET;
366 pkt2.offset = DEFAULT_PACKET_OFFSET;
368 if(n->status.sptps) {
369 if(!n->sptps.state) {
370 if(!n->status.waitingforkey) {
371 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but we haven't exchanged keys yet", n->name, n->hostname);
374 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
378 inpkt->offset += 2 * sizeof(node_id_t);
379 if(!sptps_receive_data(&n->sptps, DATA(inpkt), inpkt->len - 2 * sizeof(node_id_t))) {
380 logger(DEBUG_TRAFFIC, LOG_ERR, "Got bad packet from %s (%s)", n->name, n->hostname);
386 if(!n->status.validkey) {
387 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
391 /* Check packet length */
393 if(inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) {
394 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
395 n->name, n->hostname);
399 /* It's a legacy UDP packet, the data starts after the seqno */
401 inpkt->offset += sizeof(seqno_t);
403 /* Check the message authentication code */
405 if(digest_active(n->indigest)) {
406 inpkt->len -= digest_length(n->indigest);
407 if(!digest_verify(n->indigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
408 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
412 /* Decrypt the packet */
414 if(cipher_active(n->incipher)) {
415 vpn_packet_t *outpkt = pkt[nextpkt++];
418 if(!cipher_decrypt(n->incipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
419 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
423 outpkt->len = outlen;
427 /* Check the sequence number */
430 memcpy(&seqno, SEQNO(inpkt), sizeof seqno);
431 seqno = ntohl(seqno);
432 inpkt->len -= sizeof seqno;
435 if(seqno != n->received_seqno + 1) {
436 if(seqno >= n->received_seqno + replaywin * 8) {
437 if(n->farfuture++ < replaywin >> 2) {
438 logger(DEBUG_ALWAYS, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
439 n->name, n->hostname, seqno - n->received_seqno - 1, n->farfuture);
442 logger(DEBUG_ALWAYS, LOG_WARNING, "Lost %d packets from %s (%s)",
443 seqno - n->received_seqno - 1, n->name, n->hostname);
444 memset(n->late, 0, replaywin);
445 } else if (seqno <= n->received_seqno) {
446 if((n->received_seqno >= replaywin * 8 && seqno <= n->received_seqno - replaywin * 8) || !(n->late[(seqno / 8) % replaywin] & (1 << seqno % 8))) {
447 logger(DEBUG_ALWAYS, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
448 n->name, n->hostname, seqno, n->received_seqno);
452 for(int i = n->received_seqno + 1; i < seqno; i++)
453 n->late[(i / 8) % replaywin] |= 1 << i % 8;
458 n->late[(seqno / 8) % replaywin] &= ~(1 << seqno % 8);
461 if(seqno > n->received_seqno)
462 n->received_seqno = seqno;
466 if(n->received_seqno > MAX_SEQNO)
469 /* Decompress the packet */
471 length_t origlen = inpkt->len;
473 if(n->incompression) {
474 vpn_packet_t *outpkt = pkt[nextpkt++];
476 if((outpkt->len = uncompress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->incompression)) < 0) {
477 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)",
478 n->name, n->hostname);
484 origlen -= MTU/64 + 20;
489 if(!DATA(inpkt)[12] && !DATA(inpkt)[13])
490 mtu_probe_h(n, inpkt, origlen);
492 receive_packet(n, inpkt);
496 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
498 outpkt.offset = DEFAULT_PACKET_OFFSET;
500 if(len > sizeof outpkt.data - outpkt.offset)
504 if(c->options & OPTION_TCPONLY)
507 outpkt.priority = -1;
508 memcpy(DATA(&outpkt), buffer, len);
510 receive_packet(c->node, &outpkt);
513 static bool try_sptps(node_t *n) {
514 if(n->status.validkey)
517 /* If n is a TCP-only neighbor, we'll only use "cleartext" PACKET
518 messages anyway, so there's no need for SPTPS at all. */
519 if(n->connection && ((myself->options | n->options) & OPTION_TCPONLY))
522 logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
524 if(!n->status.waitingforkey)
526 else if(n->last_req_key + 10 < now.tv_sec) {
527 logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
528 sptps_stop(&n->sptps);
529 n->status.waitingforkey = false;
536 static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
537 /* Note: condition order is as intended - even if we have a direct
538 metaconnection, we want to try SPTPS anyway as it's the only way to
540 if(!try_sptps(n) && !n->connection)
546 if(!(DATA(origpkt)[12] | DATA(origpkt)[13])) {
547 sptps_send_record(&n->sptps, PKT_PROBE, (char *)DATA(origpkt), origpkt->len);
551 if(routing_mode == RMODE_ROUTER)
556 if(origpkt->len < offset)
561 if(n->outcompression) {
563 int len = compress_packet(DATA(&outpkt) + offset, DATA(origpkt) + offset, origpkt->len - offset, n->outcompression);
565 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
566 } else if(len < origpkt->len - offset) {
567 outpkt.len = len + offset;
569 type |= PKT_COMPRESSED;
573 /* If we have a direct metaconnection to n, and we can't use UDP, then
574 don't bother with SPTPS and just use a "plaintext" PACKET message.
575 We don't really care about end-to-end security since we're not
576 sending the message through any intermediate nodes. */
577 if(n->connection && origpkt->len > n->minmtu)
578 send_tcppacket(n->connection, origpkt);
580 sptps_send_record(&n->sptps, type, DATA(origpkt) + offset, origpkt->len - offset);
584 static void adapt_socket(const sockaddr_t *sa, int *sock) {
585 /* Make sure we have a suitable socket for the chosen address */
586 if(listen_socket[*sock].sa.sa.sa_family != sa->sa.sa_family) {
587 for(int i = 0; i < listen_sockets; i++) {
588 if(listen_socket[i].sa.sa.sa_family == sa->sa.sa_family) {
596 static void choose_udp_address(const node_t *n, const sockaddr_t **sa, int *sock) {
601 /* If the UDP address is confirmed, use it. */
602 if(n->status.udp_confirmed)
605 /* Send every third packet to n->address; that could be set
606 to the node's reflexive UDP address discovered during key
615 /* Otherwise, address are found in edges to this node.
616 So we pick a random edge and a random socket. */
619 int j = rand() % n->edge_tree->count;
620 edge_t *candidate = NULL;
622 for splay_each(edge_t, e, n->edge_tree) {
624 candidate = e->reverse;
630 *sa = &candidate->address;
631 *sock = rand() % listen_sockets;
634 adapt_socket(*sa, sock);
637 static void choose_local_address(const node_t *n, const sockaddr_t **sa, int *sock) {
640 /* Pick one of the edges from this node at random, then use its local address. */
643 int j = rand() % n->edge_tree->count;
644 edge_t *candidate = NULL;
646 for splay_each(edge_t, e, n->edge_tree) {
653 if (candidate && candidate->local_address.sa.sa_family) {
654 *sa = &candidate->local_address;
655 *sock = rand() % listen_sockets;
656 adapt_socket(*sa, sock);
660 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
661 vpn_packet_t pkt1, pkt2;
662 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
663 vpn_packet_t *inpkt = origpkt;
665 vpn_packet_t *outpkt;
666 int origlen = origpkt->len;
668 #if defined(SOL_IP) && defined(IP_TOS)
669 static int priority = 0;
670 int origpriority = origpkt->priority;
673 pkt1.offset = DEFAULT_PACKET_OFFSET;
674 pkt2.offset = DEFAULT_PACKET_OFFSET;
676 if(!n->status.reachable) {
677 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
682 return send_sptps_packet(n, origpkt);
684 /* Make sure we have a valid key */
686 if(!n->status.validkey) {
687 logger(DEBUG_TRAFFIC, LOG_INFO,
688 "No valid key known yet for %s (%s), forwarding via TCP",
689 n->name, n->hostname);
691 if(n->last_req_key + 10 <= now.tv_sec) {
693 n->last_req_key = now.tv_sec;
696 send_tcppacket(n->nexthop->connection, origpkt);
701 if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (DATA(inpkt)[12] | DATA(inpkt)[13])) {
702 logger(DEBUG_TRAFFIC, LOG_INFO,
703 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
704 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
707 send_packet(n->nexthop, origpkt);
709 send_tcppacket(n->nexthop->connection, origpkt);
714 /* Compress the packet */
716 if(n->outcompression) {
717 outpkt = pkt[nextpkt++];
719 if((outpkt->len = compress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->outcompression)) < 0) {
720 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)",
721 n->name, n->hostname);
728 /* Add sequence number */
730 seqno_t seqno = htonl(++(n->sent_seqno));
731 memcpy(SEQNO(inpkt), &seqno, sizeof seqno);
732 inpkt->len += sizeof seqno;
734 /* Encrypt the packet */
736 if(cipher_active(n->outcipher)) {
737 outpkt = pkt[nextpkt++];
740 if(!cipher_encrypt(n->outcipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
741 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
745 outpkt->len = outlen;
749 /* Add the message authentication code */
751 if(digest_active(n->outdigest)) {
752 if(!digest_create(n->outdigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
753 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
757 inpkt->len += digest_length(n->outdigest);
760 /* Send the packet */
762 const sockaddr_t *sa = NULL;
765 if(n->status.send_locally)
766 choose_local_address(n, &sa, &sock);
768 choose_udp_address(n, &sa, &sock);
770 #if defined(SOL_IP) && defined(IP_TOS)
771 if(priorityinheritance && origpriority != priority
772 && listen_socket[n->sock].sa.sa.sa_family == AF_INET) {
773 priority = origpriority;
774 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
775 if(setsockopt(listen_socket[n->sock].udp.fd, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
776 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
780 if(sendto(listen_socket[sock].udp.fd, SEQNO(inpkt), inpkt->len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
781 if(sockmsgsize(sockerrno)) {
782 if(n->maxmtu >= origlen)
783 n->maxmtu = origlen - 1;
784 if(n->mtu >= origlen)
785 n->mtu = origlen - 1;
787 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
791 origpkt->len = origlen;
794 static bool send_sptps_data_priv(node_t *to, node_t *from, int type, const void *data, size_t len) {
795 node_t *relay = (to->via != myself && (type == PKT_PROBE || (len - SPTPS_DATAGRAM_OVERHEAD) <= to->via->minmtu)) ? to->via : to->nexthop;
796 bool direct = from == myself && to == relay;
797 bool relay_supported = (relay->options >> 24) >= 4;
798 bool tcponly = (myself->options | relay->options) & OPTION_TCPONLY;
800 /* We don't really need the relay's key, but we need to establish a UDP tunnel with it and discover its MTU. */
801 if (!direct && relay_supported && !tcponly)
804 /* Send it via TCP if it is a handshake packet, TCPOnly is in use, this is a relay packet that the other node cannot understand, or this packet is larger than the MTU.
805 TODO: When relaying, the original sender does not know the end-to-end PMTU (it only knows the PMTU of the first hop).
806 This can lead to scenarios where large packets are sent over UDP to relay, but then relay has no choice but fall back to TCP. */
808 if(type == SPTPS_HANDSHAKE || tcponly || (!direct && !relay_supported) || (type != PKT_PROBE && (len - SPTPS_DATAGRAM_OVERHEAD) > relay->minmtu)) {
809 char buf[len * 4 / 3 + 5];
810 b64encode(data, buf, len);
811 /* If no valid key is known yet, send the packets using ANS_KEY requests,
812 to ensure we get to learn the reflexive UDP address. */
813 if(from == myself && !to->status.validkey) {
814 to->incompression = myself->incompression;
815 return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, from->name, to->name, buf, to->incompression);
817 return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, from->name, to->name, REQ_SPTPS, buf);
822 if(relay_supported) overhead += sizeof to->id + sizeof from->id;
823 char buf[len + overhead]; char* buf_ptr = buf;
824 if(relay_supported) {
826 /* Inform the recipient that this packet was sent directly. */
827 node_id_t nullid = {};
828 memcpy(buf_ptr, &nullid, sizeof nullid); buf_ptr += sizeof nullid;
830 memcpy(buf_ptr, &to->id, sizeof to->id); buf_ptr += sizeof to->id;
832 memcpy(buf_ptr, &from->id, sizeof from->id); buf_ptr += sizeof from->id;
835 /* TODO: if this copy turns out to be a performance concern, change sptps_send_record() to add some "pre-padding" to the buffer and use that instead */
836 memcpy(buf_ptr, data, len); buf_ptr += len;
838 const sockaddr_t *sa = NULL;
840 if(relay->status.send_locally)
841 choose_local_address(relay, &sa, &sock);
843 choose_udp_address(relay, &sa, &sock);
844 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s)", from->name, from->hostname, to->name, to->hostname, relay->name, relay->hostname);
845 if(sendto(listen_socket[sock].udp.fd, buf, buf_ptr - buf, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
846 if(sockmsgsize(sockerrno)) {
847 // Compensate for SPTPS overhead
848 len -= SPTPS_DATAGRAM_OVERHEAD;
849 if(relay->maxmtu >= len)
850 relay->maxmtu = len - 1;
851 if(relay->mtu >= len)
852 relay->mtu = len - 1;
854 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", relay->name, relay->hostname, sockstrerror(sockerrno));
862 bool send_sptps_data(void *handle, uint8_t type, const void *data, size_t len) {
863 return send_sptps_data_priv(handle, myself, type, data, len);
866 bool receive_sptps_record(void *handle, uint8_t type, const void *data, uint16_t len) {
867 node_t *from = handle;
869 if(type == SPTPS_HANDSHAKE) {
870 if(!from->status.validkey) {
871 from->status.validkey = true;
872 from->status.waitingforkey = false;
873 logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) succesful", from->name, from->hostname);
879 logger(DEBUG_ALWAYS, LOG_ERR, "Packet from %s (%s) larger than maximum supported size (%d > %d)", from->name, from->hostname, len, MTU);
884 inpkt.offset = DEFAULT_PACKET_OFFSET;
886 if(type == PKT_PROBE) {
888 memcpy(DATA(&inpkt), data, len);
889 mtu_probe_h(from, &inpkt, len);
893 if(type & ~(PKT_COMPRESSED | PKT_MAC)) {
894 logger(DEBUG_ALWAYS, LOG_ERR, "Unexpected SPTPS record type %d len %d from %s (%s)", type, len, from->name, from->hostname);
898 /* Check if we have the headers we need */
899 if(routing_mode != RMODE_ROUTER && !(type & PKT_MAC)) {
900 logger(DEBUG_TRAFFIC, LOG_ERR, "Received packet from %s (%s) without MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
902 } else if(routing_mode == RMODE_ROUTER && (type & PKT_MAC)) {
903 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received packet from %s (%s) with MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
906 int offset = (type & PKT_MAC) ? 0 : 14;
907 if(type & PKT_COMPRESSED) {
908 length_t ulen = uncompress_packet(DATA(&inpkt) + offset, (const uint8_t *)data, len, from->incompression);
912 inpkt.len = ulen + offset;
914 if(inpkt.len > MAXSIZE)
917 memcpy(DATA(&inpkt) + offset, data, len);
918 inpkt.len = len + offset;
921 /* Generate the Ethernet packet type if necessary */
923 switch(DATA(&inpkt)[14] >> 4) {
925 DATA(&inpkt)[12] = 0x08;
926 DATA(&inpkt)[13] = 0x00;
929 DATA(&inpkt)[12] = 0x86;
930 DATA(&inpkt)[13] = 0xDD;
933 logger(DEBUG_TRAFFIC, LOG_ERR,
934 "Unknown IP version %d while reading packet from %s (%s)",
935 DATA(&inpkt)[14] >> 4, from->name, from->hostname);
940 receive_packet(from, &inpkt);
945 send a packet to the given vpn ip.
947 void send_packet(node_t *n, vpn_packet_t *packet) {
952 memcpy(DATA(packet), mymac.x, ETH_ALEN);
954 n->out_bytes += packet->len;
955 devops.write(packet);
959 logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)",
960 packet->len, n->name, n->hostname);
962 if(!n->status.reachable) {
963 logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable",
964 n->name, n->hostname);
969 n->out_bytes += packet->len;
971 if(n->status.sptps) {
972 send_sptps_packet(n, packet);
976 via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
979 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet to %s via %s (%s)",
980 n->name, via->name, n->via->hostname);
982 if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
983 if(!send_tcppacket(via->connection, packet))
984 terminate_connection(via->connection, true);
986 send_udppacket(via, packet);
989 /* Broadcast a packet using the minimum spanning tree */
991 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
992 // Always give ourself a copy of the packet.
994 send_packet(myself, packet);
996 // In TunnelServer mode, do not forward broadcast packets.
997 // The MST might not be valid and create loops.
998 if(tunnelserver || broadcast_mode == BMODE_NONE)
1001 logger(DEBUG_TRAFFIC, LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
1002 packet->len, from->name, from->hostname);
1004 switch(broadcast_mode) {
1005 // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
1006 // This guarantees all nodes receive the broadcast packet, and
1007 // usually distributes the sending of broadcast packets over all nodes.
1009 for list_each(connection_t, c, connection_list)
1010 if(c->edge && c->status.mst && c != from->nexthop->connection)
1011 send_packet(c->node, packet);
1014 // In direct mode, we send copies to each node we know of.
1015 // However, this only reaches nodes that can be reached in a single hop.
1016 // We don't have enough information to forward broadcast packets in this case.
1021 for splay_each(node_t, n, node_tree)
1022 if(n->status.reachable && n != myself && ((n->via == myself && n->nexthop == n) || n->via == n))
1023 send_packet(n, packet);
1031 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
1034 static time_t last_hard_try = 0;
1036 for splay_each(edge_t, e, edge_weight_tree) {
1037 if(!e->to->status.reachable || e->to == myself)
1040 if(sockaddrcmp_noport(from, &e->address)) {
1041 if(last_hard_try == now.tv_sec)
1046 if(!try_mac(e->to, pkt))
1054 last_hard_try = now.tv_sec;
1056 last_hard_try = now.tv_sec;
1060 void handle_incoming_vpn_data(void *data, int flags) {
1061 listen_socket_t *ls = data;
1064 node_id_t nullid = {};
1065 sockaddr_t addr = {};
1066 socklen_t addrlen = sizeof addr;
1068 bool direct = false;
1071 int len = recvfrom(ls->udp.fd, DATA(&pkt), MAXSIZE, 0, &addr.sa, &addrlen);
1073 if(len <= 0 || len > MAXSIZE) {
1074 if(!sockwouldblock(sockerrno))
1075 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
1081 sockaddrunmap(&addr); /* Some braindead IPv6 implementations do stupid things. */
1083 // Try to figure out who sent this packet.
1085 node_t *n = lookup_node_udp(&addr);
1088 // It might be from a 1.1 node, which might have a source ID in the packet.
1089 pkt.offset = 2 * sizeof(node_id_t);
1090 from = lookup_node_id(SRCID(&pkt));
1091 if(from && !memcmp(DSTID(&pkt), &nullid, sizeof nullid) && from->status.sptps) {
1092 if(sptps_verify_datagram(&from->sptps, DATA(&pkt), pkt.len - 2 * sizeof(node_id_t)))
1101 n = try_harder(&addr, &pkt);
1106 if(debug_level >= DEBUG_PROTOCOL) {
1107 hostname = sockaddr2hostname(&addr);
1108 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
1114 if(n->status.sptps) {
1115 pkt.offset = 2 * sizeof(node_id_t);
1117 if(!memcmp(DSTID(&pkt), &nullid, sizeof nullid)) {
1122 from = lookup_node_id(SRCID(&pkt));
1123 to = lookup_node_id(DSTID(&pkt));
1126 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from %s (%s) with unknown source and/or destination ID", n->name, n->hostname);
1131 send_sptps_data_priv(to, n, 0, DATA(&pkt), pkt.len - 2 * sizeof(node_id_t));
1140 if(!receive_udppacket(from, &pkt))
1143 n->sock = ls - listen_socket;
1144 if(direct && sockaddrcmp(&addr, &n->address))
1145 update_node_udp(n, &addr);
1148 void handle_device_data(void *data, int flags) {
1149 vpn_packet_t packet;
1150 packet.offset = DEFAULT_PACKET_OFFSET;
1151 packet.priority = 0;
1153 if(devops.read(&packet)) {
1154 myself->in_packets++;
1155 myself->in_bytes += packet.len;
1156 route(myself, &packet);
projects / tinc / blob