2 net.c -- most of the network code
3 Copyright (C) 1998,1999,2000 Ivo Timmermans <zarq@iname.com>
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; either version 2 of the License, or
8 (at your option) any later version.
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with this program; if not, write to the Free Software
17 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 #include <arpa/inet.h>
26 #include <netinet/in.h>
30 #include <sys/signal.h>
31 #include <sys/socket.h>
33 #include <sys/types.h>
50 int total_tap_out = 0;
51 int total_socket_in = 0;
52 int total_socket_out = 0;
54 /* The global list of existing connections */
55 conn_list_t *conn_list = NULL;
56 conn_list_t *myself = NULL;
59 strip off the MAC adresses of an ethernet frame
61 void strip_mac_addresses(vpn_packet_t *p)
63 unsigned char tmp[MAXSIZE];
65 memcpy(tmp, p->data, p->len);
67 memcpy(p->data, &tmp[12], p->len);
72 reassemble MAC addresses
74 void add_mac_addresses(vpn_packet_t *p)
76 unsigned char tmp[MAXSIZE];
78 memcpy(&tmp[12], p->data, p->len);
80 tmp[0] = tmp[6] = 0xfe;
81 tmp[1] = tmp[7] = 0xfd;
82 *((ip_t*)(&tmp[2])) = (ip_t)(htonl(myself->vpn_ip));
83 *((ip_t*)(&tmp[8])) = *((ip_t*)(&tmp[26]));
84 memcpy(p->data, &tmp[0], p->len);
88 int xsend(conn_list_t *cl, void *packet)
93 do_encrypt((vpn_packet_t*)packet, &rp, cl->key);
94 rp.from = htonl(myself->vpn_ip);
95 rp.data.len = htons(rp.data.len);
96 rp.len = htons(rp.len);
99 syslog(LOG_ERR, "Sent %d bytes to %lx", ntohs(rp.len), cl->vpn_ip);
101 if((r = send(cl->socket, (char*)&rp, ntohs(rp.len), 0)) < 0)
103 syslog(LOG_ERR, "Error sending data: %m");
107 total_socket_out += r;
114 int xrecv(conn_list_t *cl, void *packet)
119 do_decrypt((real_packet_t*)packet, &vp, cl->key);
120 add_mac_addresses(&vp);
122 if((lenin = write(tap_fd, &vp, vp.len + sizeof(vp.len))) < 0)
123 syslog(LOG_ERR, "Can't write to tap device: %m");
125 total_tap_out += lenin;
128 cl->last_ping_time = time(NULL);
134 add the given packet of size s to the
135 queue q, be it the send or receive queue
137 void add_queue(packet_queue_t **q, void *packet, size_t s)
142 syslog(LOG_DEBUG, "packet to queue: %d", s);
144 e = xmalloc(sizeof(*e));
145 e->packet = xmalloc(s);
146 memcpy(e->packet, packet, s);
150 *q = xmalloc(sizeof(**q));
151 (*q)->head = (*q)->tail = NULL;
154 e->next = NULL; /* We insert at the tail */
156 if((*q)->tail) /* Do we have a tail? */
158 (*q)->tail->next = e;
159 e->prev = (*q)->tail;
161 else /* No tail -> no head too */
171 /* Remove a queue element */
172 void del_queue(packet_queue_t **q, queue_element_t *e)
177 if(e->next) /* There is a successor, so we are not tail */
179 if(e->prev) /* There is a predecessor, so we are not head */
181 e->next->prev = e->prev;
182 e->prev->next = e->next;
184 else /* We are head */
186 e->next->prev = NULL;
187 (*q)->head = e->next;
190 else /* We are tail (or all alone!) */
192 if(e->prev) /* We are not alone :) */
194 e->prev->next = NULL;
195 (*q)->tail = e->prev;
209 flush a queue by calling function for
210 each packet, and removing it when that
211 returned a zero exit code
213 void flush_queue(conn_list_t *cl, packet_queue_t **pq,
214 int (*function)(conn_list_t*,void*))
216 queue_element_t *p, *next = NULL;
218 for(p = (*pq)->head; p != NULL; )
222 if(!function(cl, p->packet))
229 syslog(LOG_DEBUG, "queue flushed");
234 flush the send&recv queues
235 void because nothing goes wrong here, packets
236 remain in the queue if something goes wrong
238 void flush_queues(conn_list_t *cl)
244 syslog(LOG_DEBUG, "Flushing send queue for " IP_ADDR_S,
245 IP_ADDR_V(cl->vpn_ip));
246 flush_queue(cl, &(cl->sq), xsend);
252 syslog(LOG_DEBUG, "Flushing receive queue for " IP_ADDR_S,
253 IP_ADDR_V(cl->vpn_ip));
254 flush_queue(cl, &(cl->rq), xrecv);
260 send a packet to the given vpn ip.
262 int send_packet(ip_t to, vpn_packet_t *packet)
266 if((cl = lookup_conn(to)) == NULL)
270 syslog(LOG_NOTICE, "trying to look up " IP_ADDR_S " in connection list failed.",
273 for(cl = conn_list; cl != NULL && !cl->status.outgoing; cl = cl->next);
275 { /* No open outgoing connection has been found. */
277 syslog(LOG_NOTICE, "There is no remote host I can send this packet to.");
282 if(my_key_expiry <= time(NULL))
285 if(!cl->status.dataopen)
286 if(setup_vpn_connection(cl) < 0)
289 if(!cl->status.validkey)
291 add_queue(&(cl->sq), packet, packet->len + 2);
292 if(!cl->status.waitingforkey)
293 send_key_request(cl->vpn_ip); /* Keys should be sent to the host running the tincd */
297 if(!cl->status.active)
299 add_queue(&(cl->sq), packet, packet->len + 2);
301 syslog(LOG_INFO, IP_ADDR_S " is not ready, queueing packet.", IP_ADDR_V(cl->vpn_ip));
302 return 0; /* We don't want to mess up, do we? */
305 /* can we send it? can we? can we? huh? */
307 return xsend(cl, packet);
311 open the local ethertap device
313 int setup_tap_fd(void)
316 const char *tapfname;
319 if((cfg = get_config_val(tapdevice)) == NULL)
320 tapfname = "/dev/tap0";
322 tapfname = cfg->data.ptr;
324 if((nfd = open(tapfname, O_RDWR | O_NONBLOCK)) < 0)
326 syslog(LOG_ERR, "Could not open %s: %m", tapfname);
336 set up the socket that we listen on for incoming
339 int setup_listen_meta_socket(int port)
342 struct sockaddr_in a;
345 if((nfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
347 syslog(LOG_ERR, "Creating metasocket failed: %m");
351 if(setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)))
353 syslog(LOG_ERR, "setsockopt: %m");
357 flags = fcntl(nfd, F_GETFL);
358 if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
360 syslog(LOG_ERR, "fcntl: %m");
364 memset(&a, 0, sizeof(a));
365 a.sin_family = AF_INET;
366 a.sin_port = htons(port);
367 a.sin_addr.s_addr = htonl(INADDR_ANY);
369 if(bind(nfd, (struct sockaddr *)&a, sizeof(struct sockaddr)))
371 syslog(LOG_ERR, "Can't bind to port %hd/tcp: %m", port);
377 syslog(LOG_ERR, "listen: %m");
385 setup the socket for incoming encrypted
388 int setup_vpn_in_socket(int port)
391 struct sockaddr_in a;
394 if((nfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0)
396 syslog(LOG_ERR, "Creating socket failed: %m");
400 if(setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)))
402 syslog(LOG_ERR, "setsockopt: %m");
406 flags = fcntl(nfd, F_GETFL);
407 if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
409 syslog(LOG_ERR, "fcntl: %m");
413 memset(&a, 0, sizeof(a));
414 a.sin_family = AF_INET;
415 a.sin_port = htons(port);
416 a.sin_addr.s_addr = htonl(INADDR_ANY);
418 if(bind(nfd, (struct sockaddr *)&a, sizeof(struct sockaddr)))
420 syslog(LOG_ERR, "Can't bind to port %hd/udp: %m", port);
428 setup an outgoing meta (tcp) socket
430 int setup_outgoing_meta_socket(conn_list_t *cl)
433 struct sockaddr_in a;
436 if((cfg = get_config_val(upstreamport)) == NULL)
439 cl->port = cfg->data.val;
441 cl->meta_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
442 if(cl->meta_socket == -1)
444 syslog(LOG_ERR, "Creating socket failed: %m");
448 a.sin_family = AF_INET;
449 a.sin_port = htons(cl->port);
450 a.sin_addr.s_addr = htonl(cl->real_ip);
452 if(connect(cl->meta_socket, (struct sockaddr *)&a, sizeof(a)) == -1)
454 syslog(LOG_ERR, IP_ADDR_S ":%d: %m", IP_ADDR_V(cl->real_ip), cl->port);
458 flags = fcntl(cl->meta_socket, F_GETFL);
459 if(fcntl(cl->meta_socket, F_SETFL, flags | O_NONBLOCK) < 0)
461 syslog(LOG_ERR, "fcntl: %m");
465 cl->hostname = hostlookup(htonl(cl->real_ip));
467 syslog(LOG_INFO, "Connected to %s:%hd" , cl->hostname, cl->port);
473 setup an outgoing connection. It's not
474 necessary to also open an udp socket as
475 well, because the other host will initiate
476 an authentication sequence during which
477 we will do just that.
479 int setup_outgoing_connection(ip_t ip)
483 ncn = new_conn_list();
486 if(setup_outgoing_meta_socket(ncn) < 0)
488 syslog(LOG_ERR, "Could not set up a meta connection.");
489 free_conn_element(ncn);
493 ncn->status.meta = 1;
494 ncn->status.outgoing = 1;
495 ncn->next = conn_list;
502 set up the local sockets (listen only)
504 int setup_myself(void)
508 myself = new_conn_list();
510 if(!(cfg = get_config_val(myvpnip)))
512 syslog(LOG_ERR, "No value for my VPN IP given");
516 myself->vpn_ip = cfg->data.ip->ip;
517 myself->vpn_mask = cfg->data.ip->mask;
519 if(!(cfg = get_config_val(listenport)))
522 myself->port = cfg->data.val;
524 if((myself->meta_socket = setup_listen_meta_socket(myself->port)) < 0)
526 syslog(LOG_ERR, "Unable to set up a listening socket");
530 if((myself->socket = setup_vpn_in_socket(myself->port)) < 0)
532 syslog(LOG_ERR, "Unable to set up an incoming vpn data socket");
533 close(myself->meta_socket);
537 myself->status.active = 1;
539 syslog(LOG_NOTICE, "Ready: listening on port %d.", myself->port);
545 setup all initial network connections
547 int setup_network_connections(void)
551 if((cfg = get_config_val(pingtimeout)) == NULL)
554 timeout = cfg->data.val;
556 if(setup_tap_fd() < 0)
559 if(setup_myself() < 0)
562 if((cfg = get_config_val(upstreamip)) == NULL)
563 /* No upstream IP given, we're listen only. */
566 if(setup_outgoing_connection(cfg->data.ip->ip))
573 sigalrm_handler(int a)
576 static int seconds_till_retry;
578 cfg = get_config_val(upstreamip);
580 if(!setup_outgoing_connection(cfg->data.ip->ip))
582 signal(SIGALRM, SIG_IGN);
583 seconds_till_retry = 5;
587 signal(SIGALRM, sigalrm_handler);
588 seconds_till_retry += 5;
589 alarm(seconds_till_retry);
590 syslog(LOG_ERR, "Still failed to connect to other. Will retry in %d seconds.",
597 close all open network connections
599 void close_network_connections(void)
603 for(p = conn_list; p != NULL; p = p->next)
605 if(p->status.dataopen)
607 shutdown(p->socket, 0); /* No more receptions */
613 shutdown(p->meta_socket, 0); /* No more receptions */
614 close(p->meta_socket);
619 if(myself->status.active)
621 close(myself->meta_socket);
622 close(myself->socket);
628 syslog(LOG_NOTICE, "Terminating.");
634 create a data (udp) socket
636 int setup_vpn_connection(conn_list_t *cl)
639 struct sockaddr_in a;
642 syslog(LOG_DEBUG, "Opening UDP socket to " IP_ADDR_S, IP_ADDR_V(cl->real_ip));
644 nfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
647 syslog(LOG_ERR, "Creating data socket failed: %m");
651 a.sin_family = AF_INET;
652 a.sin_port = htons(cl->port);
653 a.sin_addr.s_addr = htonl(cl->real_ip);
655 if(connect(nfd, (struct sockaddr *)&a, sizeof(a)) == -1)
657 syslog(LOG_ERR, "Connecting to " IP_ADDR_S ":%d failed: %m",
658 IP_ADDR_V(cl->real_ip), cl->port);
662 flags = fcntl(nfd, F_GETFL);
663 if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
665 syslog(LOG_ERR, "This is a bug: %s:%d: %d:%m", __FILE__, __LINE__, nfd);
670 cl->status.dataopen = 1;
676 handle an incoming tcp connect call and open
679 conn_list_t *create_new_connection(int sfd)
682 struct sockaddr_in ci;
683 int len = sizeof(ci);
687 if(getpeername(sfd, &ci, &len) < 0)
689 syslog(LOG_ERR, "Error: getpeername: %m");
693 p->hostname = hostlookup(ci.sin_addr.s_addr);
694 p->real_ip = ntohl(ci.sin_addr.s_addr);
695 p->meta_socket = sfd;
698 p->last_ping_time = time(NULL);
701 syslog(LOG_NOTICE, "Connection from %s:%d", p->hostname, htons(ci.sin_port));
703 if(send_basic_info(p) < 0)
713 put all file descriptors in an fd_set array
715 void build_fdset(fd_set *fs)
721 for(p = conn_list; p != NULL; p = p->next)
724 FD_SET(p->meta_socket, fs);
725 if(p->status.dataopen)
726 FD_SET(p->socket, fs);
729 FD_SET(myself->meta_socket, fs);
730 FD_SET(myself->socket, fs);
736 receive incoming data from the listening
737 udp socket and write it to the ethertap
738 device after being decrypted
740 int handle_incoming_vpn_data(conn_list_t *cl)
744 int x, l = sizeof(x);
747 if(getsockopt(cl->socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0)
749 syslog(LOG_ERR, "This is a bug: %s:%d: %d:%m", __FILE__, __LINE__, cl->socket);
754 syslog(LOG_ERR, "Incoming data socket error: %s", sys_errlist[x]);
759 lenin = recvfrom(cl->socket, &rp, MTU, 0, NULL, NULL);
762 syslog(LOG_ERR, "Receiving data failed: %m");
765 total_socket_in += lenin;
767 rp.data.len = ntohs(rp.data.len);
768 rp.len = ntohs(rp.len);
769 rp.from = ntohl(rp.from);
773 f = lookup_conn(rp.from);
775 syslog(LOG_DEBUG, "packet from " IP_ADDR_S " (len %d)",
776 IP_ADDR_V(rp.from), rp.len);
779 syslog(LOG_ERR, "Got packet from unknown source " IP_ADDR_S,
784 if(f->status.validkey)
788 add_queue(&(f->rq), &rp, rp.len);
789 if(!cl->status.waitingforkey)
790 send_key_request(rp.from);
793 if(my_key_expiry <= time(NULL))
801 terminate a connection and notify the other
802 end before closing the sockets
804 void terminate_connection(conn_list_t *cl)
807 if(cl->status.remove)
811 syslog(LOG_NOTICE, "Closing connection with %s.", cl->hostname);
813 if(cl->status.timeout)
815 else if(!cl->status.termreq)
820 close(cl->meta_socket);
822 if(cl->status.outgoing)
824 signal(SIGALRM, sigalrm_handler);
826 syslog(LOG_NOTICE, "Try to re-establish outgoing connection in 5 seconds.");
829 cl->status.remove = 1;
834 Check if the other end is active.
835 If we have sent packets, but didn't receive any,
836 then possibly the other end is dead. We send a
837 PING request over the meta connection. If the other
838 end does not reply in time, we consider them dead
839 and close the connection.
841 int check_dead_connections(void)
847 for(p = conn_list; p != NULL; p = p->next)
851 if(p->status.active && p->status.meta)
853 if(p->last_ping_time + timeout < now)
855 if(p->status.pinged && !p->status.got_pong)
857 syslog(LOG_INFO, "%s (" IP_ADDR_S ") didn't respond to ping",
858 p->hostname, IP_ADDR_V(p->vpn_ip));
859 p->status.timeout = 1;
860 terminate_connection(p);
862 else if(p->want_ping)
865 p->last_ping_time = now;
866 p->status.pinged = 1;
867 p->status.got_pong = 0;
877 accept a new tcp connect and create a
880 int handle_new_meta_connection(conn_list_t *cl)
883 struct sockaddr client;
884 int nfd, len = sizeof(client);
886 if((nfd = accept(cl->meta_socket, &client, &len)) < 0)
888 syslog(LOG_ERR, "Accepting a new connection failed: %m");
892 if((ncn = create_new_connection(nfd)) == NULL)
896 syslog(LOG_NOTICE, "Closed attempted connection.");
900 ncn->status.meta = 1;
901 ncn->next = conn_list;
908 dispatch any incoming meta requests
910 int handle_incoming_meta_data(conn_list_t *cl)
912 int x, l = sizeof(x);
913 int request, oldlen, i;
916 if(getsockopt(cl->meta_socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0)
918 syslog(LOG_ERR, "This is a bug: %s:%d: %d:%m", __FILE__, __LINE__, cl->meta_socket);
923 syslog(LOG_ERR, "Metadata socket error: %s", sys_errlist[x]);
927 if(cl->buflen >= MAXBUFSIZE)
929 syslog(LOG_ERR, "Metadata read buffer full! Discarding contents.");
933 lenin = read(cl->meta_socket, cl->buffer, MAXBUFSIZE-cl->buflen);
937 syslog(LOG_ERR, "Metadata socket read error: %m");
948 for(i = oldlen; i < cl->buflen; i++)
950 if(cl->buffer[i] == '\n')
952 cl->buffer[i] = 0; /* replace end-of-line by end-of-string so we can use sscanf */
960 if(sscanf(cl->buffer, "%d", &request) == 1)
962 if(request_handlers[request] == NULL)
964 syslog(LOG_ERR, "Unknown request: %s", cl->buffer);
969 syslog(LOG_DEBUG, "Got request: %s", cl->buffer);
971 request_handlers[request](cl);
975 syslog(LOG_ERR, "Bogus data received: %s", cl->buffer);
978 cl->buflen -= cl->reqlen;
979 memmove(cl->buffer, cl->buffer + cl->reqlen, cl->buflen);
988 cl->last_ping_time = time(NULL);
995 check all connections to see if anything
996 happened on their sockets
998 void check_network_activity(fd_set *f)
1001 int x, l = sizeof(x);
1003 for(p = conn_list; p != NULL; p = p->next)
1005 if(p->status.remove)
1008 if(p->status.dataopen)
1009 if(FD_ISSET(p->socket, f))
1012 The only thing that can happen to get us here is apparently an
1013 error on this outgoing(!) UDP socket that isn't immediate (i.e.
1014 something that will not trigger an error directly on send()).
1015 I've once got here when it said `No route to host'.
1017 getsockopt(p->socket, SOL_SOCKET, SO_ERROR, &x, &l);
1018 syslog(LOG_ERR, "Outgoing data socket error: %s", sys_errlist[x]);
1019 terminate_connection(p);
1024 if(FD_ISSET(p->meta_socket, f))
1025 if(handle_incoming_meta_data(p) < 0)
1027 terminate_connection(p);
1032 if(FD_ISSET(myself->socket, f))
1033 handle_incoming_vpn_data(myself);
1035 if(FD_ISSET(myself->meta_socket, f))
1036 handle_new_meta_connection(myself);
1041 read, encrypt and send data that is
1042 available through the ethertap device
1044 void handle_tap_input(void)
1048 int ether_type, lenin;
1050 memset(&vp, 0, sizeof(vp));
1051 if((lenin = read(tap_fd, &vp, MTU)) <= 0)
1053 syslog(LOG_ERR, "Error while reading from tapdevice: %m");
1057 total_tap_in += lenin;
1059 ether_type = ntohs(*((unsigned short*)(&vp.data[12])));
1060 if(ether_type != 0x0800)
1063 syslog(LOG_INFO, "Non-IP ethernet frame %04x from " MAC_ADDR_S,
1064 ether_type, MAC_ADDR_V(vp.data[6]));
1071 syslog(LOG_INFO, "Dropping short packet");
1075 from = ntohl(*((unsigned long*)(&vp.data[26])));
1076 to = ntohl(*((unsigned long*)(&vp.data[30])));
1079 syslog(LOG_DEBUG, "An IP packet (%04x) for " IP_ADDR_S " from " IP_ADDR_S,
1080 ether_type, IP_ADDR_V(to), IP_ADDR_V(from));
1082 syslog(LOG_DEBUG, MAC_ADDR_S " to " MAC_ADDR_S,
1083 MAC_ADDR_V(vp.data[0]), MAC_ADDR_V(vp.data[6]));
1085 vp.len = (length_t)lenin - 2;
1087 strip_mac_addresses(&vp);
1089 send_packet(to, &vp);
1094 this is where it all happens...
1096 void main_loop(void)
1101 time_t last_ping_check;
1103 last_ping_check = time(NULL);
1107 tv.tv_sec = timeout;
1113 if((r = select(FD_SETSIZE, &fset, NULL, NULL, &tv)) < 0)
1115 if(errno == EINTR) /* because of alarm */
1117 syslog(LOG_ERR, "Error while waiting for input: %m");
1121 if(last_ping_check + timeout < time(NULL))
1122 /* Let's check if everybody is still alive */
1124 check_dead_connections();
1125 last_ping_check = time(NULL);
1129 check_network_activity(&fset);
1131 /* local tap data */
1132 if(FD_ISSET(tap_fd, &fset))