From e88b3fb52fb375cd8ab233a671f38ed2240ed828 Mon Sep 17 00:00:00 2001
From: Guus Sliepen <guus@tinc-vpn.org>
Date: Wed, 25 Oct 2017 21:08:29 +0200
Subject: [PATCH] Only forward SPTPS packets if Forwarding = internal.

This tries to match what is done for packets using the legacy protocol.
However, since SPTPS is end-to-end encrypted, Forwarding = kernel cannot
be implemented. In that case, we also drop the packets.
---
 doc/tinc.conf.5.in | 4 +++-
 doc/tinc.texi      | 4 +++-
 src/protocol_key.c | 7 +++++--
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/doc/tinc.conf.5.in b/doc/tinc.conf.5.in
index cb7d1b18..53440a11 100644
--- a/doc/tinc.conf.5.in
+++ b/doc/tinc.conf.5.in
@@ -306,9 +306,11 @@ Incoming packets that are meant for another node are forwarded by tinc internall
 .Pp
 This is the default mode, and unless you really know you need another forwarding mode, don't change it.
 .It kernel
-Incoming packets are always sent to the TUN/TAP device, even if the packets are not for the local node.
+Incoming packets using the legacy protocol are always sent to the TUN/TAP device,
+even if the packets are not for the local node.
 This is less efficient, but allows the kernel to apply its routing and firewall rules on them,
 and can also help debugging.
+Incoming packets using the SPTPS protocol are dropped, since they are end-to-end encrypted.
 .El
 .It Va Hostnames Li = yes | no Pq no
 This option selects whether IP addresses (both real and on the VPN) should
diff --git a/doc/tinc.texi b/doc/tinc.texi
index 987c36ea..0c2f8c05 100644
--- a/doc/tinc.texi
+++ b/doc/tinc.texi
@@ -1048,9 +1048,11 @@ Incoming packets that are meant for another node are forwarded by tinc internall
 This is the default mode, and unless you really know you need another forwarding mode, don't change it.
 
 @item kernel
-Incoming packets are always sent to the TUN/TAP device, even if the packets are not for the local node.
+Incoming packets using the legacy protocol are always sent to the TUN/TAP device,
+even if the packets are not for the local node.
 This is less efficient, but allows the kernel to apply its routing and firewall rules on them,
 and can also help debugging.
+Incoming packets using the SPTPS protocol are dropped, since they are end-to-end encrypted.
 @end table
 
 @cindex Hostnames
diff --git a/src/protocol_key.c b/src/protocol_key.c
index a7de07e3..a0a18462 100644
--- a/src/protocol_key.c
+++ b/src/protocol_key.c
@@ -29,6 +29,7 @@
 #include "node.h"
 #include "prf.h"
 #include "protocol.h"
+#include "route.h"
 #include "sptps.h"
 #include "utils.h"
 #include "xalloc.h"
@@ -150,8 +151,10 @@ static bool req_key_ext_h(connection_t *c, const char *request, node_t *from, no
 
 		if(to != myself) {
 			/* We don't just forward the request, because we want to use UDP if it's available. */
-			send_sptps_data(to, from, 0, buf, len);
-			try_tx(to, true);
+			if(forwarding_mode == FMODE_INTERNAL) {
+				send_sptps_data(to, from, 0, buf, len);
+				try_tx(to, true);
+			}
 		} else {
 			/* The packet is for us */
 			if(!sptps_receive_data(&from->sptps, buf, len)) {
-- 
2.20.1