X-Git-Url: https://tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=src%2Fnet_packet.c;h=46fc875bf53c6869f564037339e8e76803035063;hp=8419d6a0f8bf3ceb373cba6d9ff6771d593e0c41;hb=8e717ddb602f01f656369106ec0398efbe9ca4a4;hpb=82ebfc923ddb050c88bdf5d65ac943a15ca8748a diff --git a/src/net_packet.c b/src/net_packet.c index 8419d6a0..46fc875b 100644 --- a/src/net_packet.c +++ b/src/net_packet.c @@ -1,7 +1,9 @@ /* net_packet.c -- Handles in- and outgoing VPN packets - Copyright (C) 1998-2002 Ivo Timmermans , - 2000-2002 Guus Sliepen + Copyright (C) 1998-2005 Ivo Timmermans, + 2000-2011 Guus Sliepen + 2010 Timothy Redaelli + 2010 Brandon Black This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -13,420 +15,628 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - - $Id: net_packet.c,v 1.1.2.19 2002/09/04 13:48:52 guus Exp $ + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -#include "config.h" - -#include -#include -#include -#include -#ifdef HAVE_NETINET_IN_SYSTM_H - #include -#endif -#ifdef HAVE_NETINET_IP_H - #include -#endif -#ifdef HAVE_NETINET_TCP_H - #include -#endif -#include -#include -#include -#include -#include -#include -#include -#include -#include -/* SunOS really wants sys/socket.h BEFORE net/if.h, - and FreeBSD wants these lines below the rest. */ -#include -#include -#include +#include "system.h" #include +#include #include #include #include +#ifdef HAVE_ZLIB #include +#endif -#include -#include -#include -#include +#ifdef HAVE_LZO +#include LZO1X_H +#endif +#include "avl_tree.h" #include "conf.h" #include "connection.h" -#include "meta.h" +#include "device.h" +#include "ethernet.h" +#include "event.h" +#include "graph.h" +#include "logger.h" #include "net.h" #include "netutl.h" -#include "process.h" #include "protocol.h" -#include "subnet.h" -#include "graph.h" #include "process.h" #include "route.h" -#include "device.h" -#include "event.h" - -#include "system.h" +#include "utils.h" +#include "xalloc.h" int keylifetime = 0; int keyexpires = 0; +#ifdef HAVE_LZO +static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS]; +#endif + +static void send_udppacket(node_t *, vpn_packet_t *); + +unsigned replaywin = 16; #define MAX_SEQNO 1073741824 +// mtuprobes == 1..30: initial discovery, send bursts with 1 second interval +// mtuprobes == 31: sleep pinginterval seconds +// mtuprobes == 32: send 1 burst, sleep pingtimeout second +// mtuprobes == 33: no response from other side, restart PMTU discovery process + +void send_mtu_probe(node_t *n) { + vpn_packet_t packet; + int len, i; + int timeout = 1; + + n->mtuprobes++; + n->mtuevent = NULL; + + if(!n->status.reachable || !n->status.validkey) { + ifdebug(TRAFFIC) logger(LOG_INFO, "Trying to send MTU probe to unreachable or rekeying node %s (%s)", n->name, n->hostname); + n->mtuprobes = 0; + return; + } + + if(n->mtuprobes > 32) { + if(!n->minmtu) { + n->mtuprobes = 31; + timeout = pinginterval; + goto end; + } + + ifdebug(TRAFFIC) logger(LOG_INFO, "%s (%s) did not respond to UDP ping, restarting PMTU discovery", n->name, n->hostname); + n->mtuprobes = 1; + n->minmtu = 0; + n->maxmtu = MTU; + } + + if(n->mtuprobes >= 10 && n->mtuprobes < 32 && !n->minmtu) { + ifdebug(TRAFFIC) logger(LOG_INFO, "No response to MTU probes from %s (%s)", n->name, n->hostname); + n->mtuprobes = 31; + } + + if(n->mtuprobes == 30 || (n->mtuprobes < 30 && n->minmtu >= n->maxmtu)) { + if(n->minmtu > n->maxmtu) + n->minmtu = n->maxmtu; + else + n->maxmtu = n->minmtu; + n->mtu = n->minmtu; + ifdebug(TRAFFIC) logger(LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes); + n->mtuprobes = 31; + } + + if(n->mtuprobes == 31) { + timeout = pinginterval; + goto end; + } else if(n->mtuprobes == 32) { + timeout = pingtimeout; + } + + for(i = 0; i < 3; i++) { + if(n->maxmtu <= n->minmtu) + len = n->maxmtu; + else + len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu); + + if(len < 64) + len = 64; + + memset(packet.data, 0, 14); + RAND_pseudo_bytes(packet.data + 14, len - 14); + packet.len = len; + packet.priority = 0; + + ifdebug(TRAFFIC) logger(LOG_INFO, "Sending MTU probe length %d to %s (%s)", len, n->name, n->hostname); + + send_udppacket(n, &packet); + } + +end: + n->mtuevent = new_event(); + n->mtuevent->handler = (event_handler_t)send_mtu_probe; + n->mtuevent->data = n; + n->mtuevent->time = now + timeout; + event_add(n->mtuevent); +} + +void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) { + ifdebug(TRAFFIC) logger(LOG_INFO, "Got MTU probe length %d from %s (%s)", packet->len, n->name, n->hostname); + + if(!packet->data[0]) { + packet->data[0] = 1; + send_udppacket(n, packet); + } else { + if(n->mtuprobes > 30) { + if(n->minmtu) + n->mtuprobes = 30; + else + n->mtuprobes = 1; + } + + if(len > n->maxmtu) + len = n->maxmtu; + if(n->minmtu < len) + n->minmtu = len; + } +} + +static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) { + if(level == 0) { + memcpy(dest, source, len); + return len; + } else if(level == 10) { +#ifdef HAVE_LZO + lzo_uint lzolen = MAXSIZE; + lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem); + return lzolen; +#else + return -1; +#endif + } else if(level < 10) { +#ifdef HAVE_ZLIB + unsigned long destlen = MAXSIZE; + if(compress2(dest, &destlen, source, len, level) == Z_OK) + return destlen; + else +#endif + return -1; + } else { +#ifdef HAVE_LZO + lzo_uint lzolen = MAXSIZE; + lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem); + return lzolen; +#else + return -1; +#endif + } + + return -1; +} + +static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) { + if(level == 0) { + memcpy(dest, source, len); + return len; + } else if(level > 9) { +#ifdef HAVE_LZO + lzo_uint lzolen = MAXSIZE; + if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK) + return lzolen; + else +#endif + return -1; + } +#ifdef HAVE_ZLIB + else { + unsigned long destlen = MAXSIZE; + if(uncompress(dest, &destlen, source, len) == Z_OK) + return destlen; + else + return -1; + } +#endif + + return -1; +} + /* VPN packet I/O */ -void receive_udppacket(node_t *n, vpn_packet_t *inpkt) -{ - vpn_packet_t pkt1, pkt2; - vpn_packet_t *pkt[] = {&pkt1, &pkt2, &pkt1, &pkt2}; - int nextpkt = 0; - vpn_packet_t *outpkt = pkt[0]; - int outlen, outpad; - long int complen = MTU + 12; - EVP_CIPHER_CTX ctx; - char hmac[EVP_MAX_MD_SIZE]; -cp - /* Check the message authentication code */ - - if(myself->digest && myself->maclength) - { - inpkt->len -= myself->maclength; - HMAC(myself->digest, myself->key, myself->keylength, (char *)&inpkt->seqno, inpkt->len, hmac, NULL); - if(memcmp(hmac, (char *)&inpkt->seqno + inpkt->len, myself->maclength)) - { - if(debug_lvl >= DEBUG_TRAFFIC) - syslog(LOG_DEBUG, _("Got unauthenticated packet from %s (%s)"), n->name, n->hostname); - return; - } - } - - /* Decrypt the packet */ - - if(myself->cipher) - { - outpkt = pkt[nextpkt++]; - - EVP_DecryptInit(&ctx, myself->cipher, myself->key, myself->key + myself->cipher->key_len); - EVP_DecryptUpdate(&ctx, (char *)&outpkt->seqno, &outlen, (char *)&inpkt->seqno, inpkt->len); - EVP_DecryptFinal(&ctx, (char *)&outpkt->seqno + outlen, &outpad); - - outpkt->len = outlen + outpad; - inpkt = outpkt; - } - - /* Check the sequence number */ - - inpkt->len -= sizeof(inpkt->seqno); - inpkt->seqno = ntohl(inpkt->seqno); - - if(inpkt->seqno <= n->received_seqno) - { - if(debug_lvl >= DEBUG_TRAFFIC) - syslog(LOG_DEBUG, _("Got late or replayed packet from %s (%s), seqno %d"), n->name, n->hostname, inpkt->seqno); - return; - } - - n->received_seqno = inpkt->seqno; - - if(n->received_seqno > MAX_SEQNO) - keyexpires = 0; - - /* Decompress the packet */ - - if(myself->compression) - { - outpkt = pkt[nextpkt++]; - - if(uncompress(outpkt->data, &complen, inpkt->data, inpkt->len) != Z_OK) - { - syslog(LOG_ERR, _("Error while uncompressing packet from %s (%s)"), n->name, n->hostname); - return; - } - - outpkt->len = complen; - inpkt = outpkt; - } - - receive_packet(n, inpkt); -cp +static void receive_packet(node_t *n, vpn_packet_t *packet) { + ifdebug(TRAFFIC) logger(LOG_DEBUG, "Received packet of %d bytes from %s (%s)", + packet->len, n->name, n->hostname); + + route(n, packet); } -void receive_tcppacket(connection_t *c, char *buffer, int len) -{ - vpn_packet_t outpkt; -cp - outpkt.len = len; - memcpy(outpkt.data, buffer, len); +static bool try_mac(const node_t *n, const vpn_packet_t *inpkt) { + unsigned char hmac[EVP_MAX_MD_SIZE]; + + if(!n->indigest || !n->inmaclength || !n->inkey || inpkt->len < sizeof inpkt->seqno + n->inmaclength) + return false; - receive_packet(c->node, &outpkt); -cp + HMAC(n->indigest, n->inkey, n->inkeylength, (unsigned char *) &inpkt->seqno, inpkt->len - n->inmaclength, (unsigned char *)hmac, NULL); + + return !memcmp(hmac, (char *) &inpkt->seqno + inpkt->len - n->inmaclength, n->inmaclength); +} + +static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) { + vpn_packet_t pkt1, pkt2; + vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 }; + int nextpkt = 0; + vpn_packet_t *outpkt = pkt[0]; + int outlen, outpad; + unsigned char hmac[EVP_MAX_MD_SIZE]; + int i; + + if(!n->inkey) { + ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", + n->name, n->hostname); + return; + } + + /* Check packet length */ + + if(inpkt->len < sizeof(inpkt->seqno) + n->inmaclength) { + ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got too short packet from %s (%s)", + n->name, n->hostname); + return; + } + + /* Check the message authentication code */ + + if(n->indigest && n->inmaclength) { + inpkt->len -= n->inmaclength; + HMAC(n->indigest, n->inkey, n->inkeylength, + (unsigned char *) &inpkt->seqno, inpkt->len, (unsigned char *)hmac, NULL); + + if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len, n->inmaclength)) { + ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got unauthenticated packet from %s (%s)", + n->name, n->hostname); + return; + } + } + + /* Decrypt the packet */ + + if(n->incipher) { + outpkt = pkt[nextpkt++]; + + if(!EVP_DecryptInit_ex(&n->inctx, NULL, NULL, NULL, NULL) + || !EVP_DecryptUpdate(&n->inctx, (unsigned char *) &outpkt->seqno, &outlen, + (unsigned char *) &inpkt->seqno, inpkt->len) + || !EVP_DecryptFinal_ex(&n->inctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) { + ifdebug(TRAFFIC) logger(LOG_DEBUG, "Error decrypting packet from %s (%s): %s", + n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL)); + return; + } + + outpkt->len = outlen + outpad; + inpkt = outpkt; + } + + /* Check the sequence number */ + + inpkt->len -= sizeof(inpkt->seqno); + inpkt->seqno = ntohl(inpkt->seqno); + + if(replaywin) { + if(inpkt->seqno != n->received_seqno + 1) { + if(inpkt->seqno >= n->received_seqno + replaywin * 8) { + if(n->farfuture++ < replaywin >> 2) { + logger(LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)", + n->name, n->hostname, inpkt->seqno - n->received_seqno - 1, n->farfuture); + return; + } + logger(LOG_WARNING, "Lost %d packets from %s (%s)", + inpkt->seqno - n->received_seqno - 1, n->name, n->hostname); + memset(n->late, 0, replaywin); + } else if (inpkt->seqno <= n->received_seqno) { + if((n->received_seqno >= replaywin * 8 && inpkt->seqno <= n->received_seqno - replaywin * 8) || !(n->late[(inpkt->seqno / 8) % replaywin] & (1 << inpkt->seqno % 8))) { + logger(LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d", + n->name, n->hostname, inpkt->seqno, n->received_seqno); + return; + } + } else { + for(i = n->received_seqno + 1; i < inpkt->seqno; i++) + n->late[(i / 8) % replaywin] |= 1 << i % 8; + } + } + + n->farfuture = 0; + n->late[(inpkt->seqno / 8) % replaywin] &= ~(1 << inpkt->seqno % 8); + } + + if(inpkt->seqno > n->received_seqno) + n->received_seqno = inpkt->seqno; + + if(n->received_seqno > MAX_SEQNO) + keyexpires = 0; + + /* Decompress the packet */ + + length_t origlen = inpkt->len; + + if(n->incompression) { + outpkt = pkt[nextpkt++]; + + if((outpkt->len = uncompress_packet(outpkt->data, inpkt->data, inpkt->len, n->incompression)) < 0) { + ifdebug(TRAFFIC) logger(LOG_ERR, "Error while uncompressing packet from %s (%s)", + n->name, n->hostname); + return; + } + + inpkt = outpkt; + + origlen -= MTU/64 + 20; + } + + inpkt->priority = 0; + + if(!inpkt->data[12] && !inpkt->data[13]) + mtu_probe_h(n, inpkt, origlen); + else + receive_packet(n, inpkt); } -void receive_packet(node_t *n, vpn_packet_t *packet) -{ -cp - if(debug_lvl >= DEBUG_TRAFFIC) - syslog(LOG_DEBUG, _("Received packet of %d bytes from %s (%s)"), packet->len, n->name, n->hostname); +void receive_tcppacket(connection_t *c, const char *buffer, int len) { + vpn_packet_t outpkt; + + outpkt.len = len; + if(c->options & OPTION_TCPONLY) + outpkt.priority = 0; + else + outpkt.priority = -1; + memcpy(outpkt.data, buffer, len); - route_incoming(n, packet); -cp + receive_packet(c->node, &outpkt); } -void send_udppacket(node_t *n, vpn_packet_t *inpkt) -{ - vpn_packet_t pkt1, pkt2; - vpn_packet_t *pkt[] = {&pkt1, &pkt2, &pkt1, &pkt2}; - int nextpkt = 0; - vpn_packet_t *outpkt; - int origlen; - int outlen, outpad; - long int complen = MTU + 12; - EVP_CIPHER_CTX ctx; - vpn_packet_t *copy; - static int priority = 0; - int origpriority; - int sock; -cp - /* Make sure we have a valid key */ +static void send_udppacket(node_t *n, vpn_packet_t *origpkt) { + vpn_packet_t pkt1, pkt2; + vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 }; + vpn_packet_t *inpkt = origpkt; + int nextpkt = 0; + vpn_packet_t *outpkt; + int origlen; + int outlen, outpad; +#if defined(SOL_IP) && defined(IP_TOS) + static int priority = 0; +#endif + int origpriority; + + if(!n->status.reachable) { + ifdebug(TRAFFIC) logger(LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname); + return; + } - if(!n->status.validkey) - { - if(debug_lvl >= DEBUG_TRAFFIC) - syslog(LOG_INFO, _("No valid key known yet for %s (%s), queueing packet"), - n->name, n->hostname); + /* Make sure we have a valid key */ - /* Since packet is on the stack of handle_tap_input(), - we have to make a copy of it first. */ + if(!n->status.validkey) { + ifdebug(TRAFFIC) logger(LOG_INFO, + "No valid key known yet for %s (%s), forwarding via TCP", + n->name, n->hostname); - copy = xmalloc(sizeof(vpn_packet_t)); - memcpy(copy, inpkt, sizeof(vpn_packet_t)); + if(n->last_req_key + 10 <= now) { + send_req_key(n); + n->last_req_key = now; + } - list_insert_tail(n->queue, copy); + send_tcppacket(n->nexthop->connection, origpkt); - if(n->queue->count > MAXQUEUELENGTH) - list_delete_head(n->queue); + return; + } - if(!n->status.waitingforkey) - send_req_key(n->nexthop->connection, myself, n); + if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (inpkt->data[12] | inpkt->data[13])) { + ifdebug(TRAFFIC) logger(LOG_INFO, + "Packet for %s (%s) larger than minimum MTU, forwarding via %s", + n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP"); - n->status.waitingforkey = 1; + if(n != n->nexthop) + send_packet(n->nexthop, origpkt); + else + send_tcppacket(n->nexthop->connection, origpkt); - return; - } + return; + } - origlen = inpkt->len; - origpriority = inpkt->priority; + origlen = inpkt->len; + origpriority = inpkt->priority; - /* Compress the packet */ + /* Compress the packet */ - if(n->compression) - { - outpkt = pkt[nextpkt++]; + if(n->outcompression) { + outpkt = pkt[nextpkt++]; - if(compress2(outpkt->data, &complen, inpkt->data, inpkt->len, n->compression) != Z_OK) - { - syslog(LOG_ERR, _("Error while compressing packet to %s (%s)"), n->name, n->hostname); - return; - } - - outpkt->len = complen; - inpkt = outpkt; - } + if((outpkt->len = compress_packet(outpkt->data, inpkt->data, inpkt->len, n->outcompression)) < 0) { + ifdebug(TRAFFIC) logger(LOG_ERR, "Error while compressing packet to %s (%s)", + n->name, n->hostname); + return; + } - /* Add sequence number */ + inpkt = outpkt; + } - inpkt->seqno = htonl(++(n->sent_seqno)); - inpkt->len += sizeof(inpkt->seqno); + /* Add sequence number */ - /* Encrypt the packet */ + inpkt->seqno = htonl(++(n->sent_seqno)); + inpkt->len += sizeof(inpkt->seqno); - if(n->cipher) - { - outpkt = pkt[nextpkt++]; + /* Encrypt the packet */ - EVP_EncryptInit(&ctx, n->cipher, n->key, n->key + n->cipher->key_len); - EVP_EncryptUpdate(&ctx, (char *)&outpkt->seqno, &outlen, (char *)&inpkt->seqno, inpkt->len); - EVP_EncryptFinal(&ctx, (char *)&outpkt->seqno + outlen, &outpad); + if(n->outcipher) { + outpkt = pkt[nextpkt++]; - outpkt->len = outlen + outpad; - inpkt = outpkt; - } + if(!EVP_EncryptInit_ex(&n->outctx, NULL, NULL, NULL, NULL) + || !EVP_EncryptUpdate(&n->outctx, (unsigned char *) &outpkt->seqno, &outlen, + (unsigned char *) &inpkt->seqno, inpkt->len) + || !EVP_EncryptFinal_ex(&n->outctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) { + ifdebug(TRAFFIC) logger(LOG_ERR, "Error while encrypting packet to %s (%s): %s", + n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL)); + goto end; + } - /* Add the message authentication code */ + outpkt->len = outlen + outpad; + inpkt = outpkt; + } - if(n->digest && n->maclength) - { - HMAC(n->digest, n->key, n->keylength, (char *)&inpkt->seqno, inpkt->len, (char *)&inpkt->seqno + inpkt->len, &outlen); - inpkt->len += n->maclength; - } + /* Add the message authentication code */ - /* Determine which socket we have to use */ + if(n->outdigest && n->outmaclength) { + HMAC(n->outdigest, n->outkey, n->outkeylength, (unsigned char *) &inpkt->seqno, + inpkt->len, (unsigned char *) &inpkt->seqno + inpkt->len, NULL); + inpkt->len += n->outmaclength; + } - for(sock = 0; sock < listen_sockets; sock++) - if(n->address.sa.sa_family == listen_socket[sock].sa.sa.sa_family) - break; + /* Determine which socket we have to use */ - if(sock >= listen_sockets) - sock = 0; /* If none is available, just use the first and hope for the best. */ - - /* Send the packet */ + if(n->address.sa.sa_family != listen_socket[n->sock].sa.sa.sa_family) { + for(int sock = 0; sock < listen_sockets; sock++) { + if(n->address.sa.sa_family == listen_socket[sock].sa.sa.sa_family) { + n->sock = sock; + break; + } + } + } + + /* Send the packet */ #if defined(SOL_IP) && defined(IP_TOS) - if(priorityinheritance && origpriority != priority && listen_socket[sock].sa.sa.sa_family == AF_INET) - { - priority = origpriority; - if(debug_lvl >= DEBUG_TRAFFIC) - syslog(LOG_DEBUG, _("Setting outgoing packet priority to %d"), priority); - if(setsockopt(sock, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */ - syslog(LOG_ERR, _("System call `%s' failed: %s"), "setsockopt", strerror(errno)); - } + if(priorityinheritance && origpriority != priority + && listen_socket[n->sock].sa.sa.sa_family == AF_INET) { + priority = origpriority; + ifdebug(TRAFFIC) logger(LOG_DEBUG, "Setting outgoing packet priority to %d", priority); + if(setsockopt(listen_socket[n->sock].udp, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */ + logger(LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno)); + } #endif - if((sendto(listen_socket[sock].udp, (char *)&inpkt->seqno, inpkt->len, 0, &(n->address.sa), SALEN(n->address.sa))) < 0) - { - syslog(LOG_ERR, _("Error sending packet to %s (%s): %s"), - n->name, n->hostname, strerror(errno)); - return; - } - - inpkt->len = origlen; -cp + if(sendto(listen_socket[n->sock].udp, (char *) &inpkt->seqno, inpkt->len, 0, &(n->address.sa), SALEN(n->address.sa)) < 0 && !sockwouldblock(sockerrno)) { + if(sockmsgsize(sockerrno)) { + if(n->maxmtu >= origlen) + n->maxmtu = origlen - 1; + if(n->mtu >= origlen) + n->mtu = origlen - 1; + } else + logger(LOG_ERR, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno)); + } + +end: + origpkt->len = origlen; } /* send a packet to the given vpn ip. */ -void send_packet(node_t *n, vpn_packet_t *packet) -{ - node_t *via; -cp - if(debug_lvl >= DEBUG_TRAFFIC) - syslog(LOG_ERR, _("Sending packet of %d bytes to %s (%s)"), - packet->len, n->name, n->hostname); - - if(n == myself) - { - if(debug_lvl >= DEBUG_TRAFFIC) - { - syslog(LOG_NOTICE, _("Packet is looping back to us!")); - } - - return; - } - - if(!n->status.reachable) - { - if(debug_lvl >= DEBUG_TRAFFIC) - syslog(LOG_INFO, _("Node %s (%s) is not reachable"), - n->name, n->hostname); - return; - } - - via = (n->via == myself)?n->nexthop:n->via; - - if(via != n && debug_lvl >= DEBUG_TRAFFIC) - syslog(LOG_ERR, _("Sending packet to %s via %s (%s)"), - n->name, via->name, n->via->hostname); - - if((myself->options | via->options) & OPTION_TCPONLY) - { - if(send_tcppacket(via->connection, packet)) - terminate_connection(via->connection, 1); - } - else - send_udppacket(via, packet); +void send_packet(const node_t *n, vpn_packet_t *packet) { + node_t *via; + + if(n == myself) { + if(overwrite_mac) + memcpy(packet->data, mymac.x, ETH_ALEN); + devops.write(packet); + return; + } + + ifdebug(TRAFFIC) logger(LOG_ERR, "Sending packet of %d bytes to %s (%s)", + packet->len, n->name, n->hostname); + + if(!n->status.reachable) { + ifdebug(TRAFFIC) logger(LOG_INFO, "Node %s (%s) is not reachable", + n->name, n->hostname); + return; + } + + via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via; + + if(via != n) + ifdebug(TRAFFIC) logger(LOG_INFO, "Sending packet to %s via %s (%s)", + n->name, via->name, n->via->hostname); + + if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) { + if(!send_tcppacket(via->connection, packet)) + terminate_connection(via->connection, true); + } else + send_udppacket(via, packet); } /* Broadcast a packet using the minimum spanning tree */ -void broadcast_packet(node_t *from, vpn_packet_t *packet) -{ - avl_node_t *node; - connection_t *c; -cp - if(debug_lvl >= DEBUG_TRAFFIC) - syslog(LOG_INFO, _("Broadcasting packet of %d bytes from %s (%s)"), - packet->len, from->name, from->hostname); - - for(node = connection_tree->head; node; node = node->next) - { - c = (connection_t *)node->data; - if(c->status.active && c->status.mst && c != from->nexthop->connection) - send_packet(c->node, packet); - } -cp -} +void broadcast_packet(const node_t *from, vpn_packet_t *packet) { + avl_node_t *node; + connection_t *c; + + ifdebug(TRAFFIC) logger(LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)", + packet->len, from->name, from->hostname); + + if(from != myself) { + send_packet(myself, packet); -void flush_queue(node_t *n) -{ - list_node_t *node, *next; -cp - if(debug_lvl >= DEBUG_TRAFFIC) - syslog(LOG_INFO, _("Flushing queue for %s (%s)"), n->name, n->hostname); - - for(node = n->queue->head; node; node = next) - { - next = node->next; - send_udppacket(n, (vpn_packet_t *)node->data); - list_delete_node(n->queue, node); - } -cp + // In TunnelServer mode, do not forward broadcast packets. + // The MST might not be valid and create loops. + if(tunnelserver) + return; + } + + for(node = connection_tree->head; node; node = node->next) { + c = node->data; + + if(c->status.active && c->status.mst && c != from->nexthop->connection) + send_packet(c->node, packet); + } } -void handle_incoming_vpn_data(int sock) -{ - vpn_packet_t pkt; - int x, l = sizeof(x); - char *hostname; - sockaddr_t from; - socklen_t fromlen = sizeof(from); - node_t *n; -cp - if(getsockopt(sock, SOL_SOCKET, SO_ERROR, &x, &l) < 0) - { - syslog(LOG_ERR, _("This is a bug: %s:%d: %d:%s"), - __FILE__, __LINE__, sock, strerror(errno)); - cp_trace(); - exit(1); - } - if(x) - { - syslog(LOG_ERR, _("Incoming data socket error: %s"), strerror(x)); - return; - } - - if((pkt.len = recvfrom(sock, (char *)&pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen)) <= 0) - { - syslog(LOG_ERR, _("Receiving packet failed: %s"), strerror(errno)); - return; - } - - sockaddrunmap(&from); /* Some braindead IPv6 implementations do stupid things. */ - - n = lookup_node_udp(&from); - - if(!n) - { - hostname = sockaddr2hostname(&from); - syslog(LOG_WARNING, _("Received UDP packet from unknown source %s"), hostname); - free(hostname); - return; - } - - if(n->connection) - n->connection->last_ping_time = now; - - receive_udppacket(n, &pkt); -cp +static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) { + avl_node_t *node; + edge_t *e; + node_t *n = NULL; + bool hard = false; + static time_t last_hard_try = 0; + + for(node = edge_weight_tree->head; node; node = node->next) { + e = node->data; + + if(e->to == myself) + continue; + + if(sockaddrcmp_noport(from, &e->address)) { + if(last_hard_try == now) + continue; + hard = true; + } + + if(!try_mac(e->to, pkt)) + continue; + + n = e->to; + break; + } + + if(hard) + last_hard_try = now; + + return n; } +void handle_incoming_vpn_data(int sock) { + vpn_packet_t pkt; + char *hostname; + sockaddr_t from; + socklen_t fromlen = sizeof(from); + node_t *n; + + pkt.len = recvfrom(listen_socket[sock].udp, (char *) &pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen); + + if(pkt.len < 0) { + if(!sockwouldblock(sockerrno)) + logger(LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno)); + return; + } + + sockaddrunmap(&from); /* Some braindead IPv6 implementations do stupid things. */ + + n = lookup_node_udp(&from); + + if(!n) { + n = try_harder(&from, &pkt); + if(n) + update_node_udp(n, &from); + else ifdebug(PROTOCOL) { + hostname = sockaddr2hostname(&from); + logger(LOG_WARNING, "Received UDP packet from unknown source %s", hostname); + free(hostname); + return; + } + else + return; + } + + n->sock = sock; + + receive_udppacket(n, &pkt); +}