2 net.c -- most of the network code
3 Copyright (C) 1998,1999,2000 Ivo Timmermans <zarq@iname.com>
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; either version 2 of the License, or
8 (at your option) any later version.
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with this program; if not, write to the Free Software
17 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 #include <arpa/inet.h>
26 #include <netinet/in.h>
30 #include <sys/signal.h>
31 #include <sys/socket.h>
33 #include <sys/types.h>
50 int total_tap_out = 0;
51 int total_socket_in = 0;
52 int total_socket_out = 0;
54 static int seconds_till_retry;
56 /* The global list of existing connections */
57 conn_list_t *conn_list = NULL;
58 conn_list_t *myself = NULL;
61 strip off the MAC adresses of an ethernet frame
63 void strip_mac_addresses(vpn_packet_t *p)
65 unsigned char tmp[MAXSIZE];
67 memcpy(tmp, p->data, p->len);
69 memcpy(p->data, &tmp[12], p->len);
74 reassemble MAC addresses
76 void add_mac_addresses(vpn_packet_t *p)
78 unsigned char tmp[MAXSIZE];
80 memcpy(&tmp[12], p->data, p->len);
82 tmp[0] = tmp[6] = 0xfe;
83 tmp[1] = tmp[7] = 0xfd;
84 *((ip_t*)(&tmp[2])) = (ip_t)(htonl(myself->vpn_ip));
85 *((ip_t*)(&tmp[8])) = *((ip_t*)(&tmp[26]));
86 memcpy(p->data, &tmp[0], p->len);
90 int xsend(conn_list_t *cl, void *packet)
95 do_encrypt((vpn_packet_t*)packet, &rp, cl->key);
96 rp.from = htonl(myself->vpn_ip);
97 rp.data.len = htons(rp.data.len);
98 rp.len = htons(rp.len);
101 syslog(LOG_ERR, "Sent %d bytes to %lx", ntohs(rp.len), cl->vpn_ip);
103 if((r = send(cl->socket, (char*)&rp, ntohs(rp.len), 0)) < 0)
105 syslog(LOG_ERR, "Error sending data: %m");
109 total_socket_out += r;
116 int xrecv(conn_list_t *cl, void *packet)
121 do_decrypt((real_packet_t*)packet, &vp, cl->key);
122 add_mac_addresses(&vp);
124 if((lenin = write(tap_fd, &vp, vp.len + sizeof(vp.len))) < 0)
125 syslog(LOG_ERR, "Can't write to tap device: %m");
127 total_tap_out += lenin;
130 cl->last_ping_time = time(NULL);
136 add the given packet of size s to the
137 queue q, be it the send or receive queue
139 void add_queue(packet_queue_t **q, void *packet, size_t s)
144 syslog(LOG_DEBUG, "packet to queue: %d", s);
146 e = xmalloc(sizeof(*e));
147 e->packet = xmalloc(s);
148 memcpy(e->packet, packet, s);
152 *q = xmalloc(sizeof(**q));
153 (*q)->head = (*q)->tail = NULL;
156 e->next = NULL; /* We insert at the tail */
158 if((*q)->tail) /* Do we have a tail? */
160 (*q)->tail->next = e;
161 e->prev = (*q)->tail;
163 else /* No tail -> no head too */
173 /* Remove a queue element */
174 void del_queue(packet_queue_t **q, queue_element_t *e)
179 if(e->next) /* There is a successor, so we are not tail */
181 if(e->prev) /* There is a predecessor, so we are not head */
183 e->next->prev = e->prev;
184 e->prev->next = e->next;
186 else /* We are head */
188 e->next->prev = NULL;
189 (*q)->head = e->next;
192 else /* We are tail (or all alone!) */
194 if(e->prev) /* We are not alone :) */
196 e->prev->next = NULL;
197 (*q)->tail = e->prev;
211 flush a queue by calling function for
212 each packet, and removing it when that
213 returned a zero exit code
215 void flush_queue(conn_list_t *cl, packet_queue_t **pq,
216 int (*function)(conn_list_t*,void*))
218 queue_element_t *p, *next = NULL;
220 for(p = (*pq)->head; p != NULL; )
224 if(!function(cl, p->packet))
231 syslog(LOG_DEBUG, "queue flushed");
236 flush the send&recv queues
237 void because nothing goes wrong here, packets
238 remain in the queue if something goes wrong
240 void flush_queues(conn_list_t *cl)
246 syslog(LOG_DEBUG, "Flushing send queue for " IP_ADDR_S,
247 IP_ADDR_V(cl->vpn_ip));
248 flush_queue(cl, &(cl->sq), xsend);
254 syslog(LOG_DEBUG, "Flushing receive queue for " IP_ADDR_S,
255 IP_ADDR_V(cl->vpn_ip));
256 flush_queue(cl, &(cl->rq), xrecv);
262 send a packet to the given vpn ip.
264 int send_packet(ip_t to, vpn_packet_t *packet)
268 if((cl = lookup_conn(to)) == NULL)
272 syslog(LOG_NOTICE, "trying to look up " IP_ADDR_S " in connection list failed.",
275 for(cl = conn_list; cl != NULL && !cl->status.outgoing; cl = cl->next);
277 { /* No open outgoing connection has been found. */
279 syslog(LOG_NOTICE, "There is no remote host I can send this packet to.");
284 if(my_key_expiry <= time(NULL))
287 if(!cl->status.dataopen)
288 if(setup_vpn_connection(cl) < 0)
291 if(!cl->status.validkey)
293 add_queue(&(cl->sq), packet, packet->len + 2);
294 if(!cl->status.waitingforkey)
295 send_key_request(cl->vpn_ip); /* Keys should be sent to the host running the tincd */
299 if(!cl->status.active)
301 add_queue(&(cl->sq), packet, packet->len + 2);
303 syslog(LOG_INFO, IP_ADDR_S " is not ready, queueing packet.", IP_ADDR_V(cl->vpn_ip));
304 return 0; /* We don't want to mess up, do we? */
307 /* can we send it? can we? can we? huh? */
309 return xsend(cl, packet);
313 open the local ethertap device
315 int setup_tap_fd(void)
318 const char *tapfname;
321 if((cfg = get_config_val(tapdevice)) == NULL)
322 tapfname = "/dev/tap0";
324 tapfname = cfg->data.ptr;
326 if((nfd = open(tapfname, O_RDWR | O_NONBLOCK)) < 0)
328 syslog(LOG_ERR, "Could not open %s: %m", tapfname);
338 set up the socket that we listen on for incoming
341 int setup_listen_meta_socket(int port)
344 struct sockaddr_in a;
347 if((nfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
349 syslog(LOG_ERR, "Creating metasocket failed: %m");
353 if(setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)))
355 syslog(LOG_ERR, "setsockopt: %m");
359 flags = fcntl(nfd, F_GETFL);
360 if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
362 syslog(LOG_ERR, "fcntl: %m");
366 memset(&a, 0, sizeof(a));
367 a.sin_family = AF_INET;
368 a.sin_port = htons(port);
369 a.sin_addr.s_addr = htonl(INADDR_ANY);
371 if(bind(nfd, (struct sockaddr *)&a, sizeof(struct sockaddr)))
373 syslog(LOG_ERR, "Can't bind to port %hd/tcp: %m", port);
379 syslog(LOG_ERR, "listen: %m");
387 setup the socket for incoming encrypted
390 int setup_vpn_in_socket(int port)
393 struct sockaddr_in a;
396 if((nfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0)
398 syslog(LOG_ERR, "Creating socket failed: %m");
402 if(setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)))
404 syslog(LOG_ERR, "setsockopt: %m");
408 flags = fcntl(nfd, F_GETFL);
409 if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
411 syslog(LOG_ERR, "fcntl: %m");
415 memset(&a, 0, sizeof(a));
416 a.sin_family = AF_INET;
417 a.sin_port = htons(port);
418 a.sin_addr.s_addr = htonl(INADDR_ANY);
420 if(bind(nfd, (struct sockaddr *)&a, sizeof(struct sockaddr)))
422 syslog(LOG_ERR, "Can't bind to port %hd/udp: %m", port);
430 setup an outgoing meta (tcp) socket
432 int setup_outgoing_meta_socket(conn_list_t *cl)
435 struct sockaddr_in a;
438 if((cfg = get_config_val(upstreamport)) == NULL)
441 cl->port = cfg->data.val;
443 cl->meta_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
444 if(cl->meta_socket == -1)
446 syslog(LOG_ERR, "Creating socket failed: %m");
450 a.sin_family = AF_INET;
451 a.sin_port = htons(cl->port);
452 a.sin_addr.s_addr = htonl(cl->real_ip);
454 if(connect(cl->meta_socket, (struct sockaddr *)&a, sizeof(a)) == -1)
456 syslog(LOG_ERR, IP_ADDR_S ":%d: %m", IP_ADDR_V(cl->real_ip), cl->port);
460 flags = fcntl(cl->meta_socket, F_GETFL);
461 if(fcntl(cl->meta_socket, F_SETFL, flags | O_NONBLOCK) < 0)
463 syslog(LOG_ERR, "fcntl: %m");
467 cl->hostname = hostlookup(htonl(cl->real_ip));
469 syslog(LOG_INFO, "Connected to %s:%hd" , cl->hostname, cl->port);
475 setup an outgoing connection. It's not
476 necessary to also open an udp socket as
477 well, because the other host will initiate
478 an authentication sequence during which
479 we will do just that.
481 int setup_outgoing_connection(ip_t ip)
485 ncn = new_conn_list();
488 if(setup_outgoing_meta_socket(ncn) < 0)
490 syslog(LOG_ERR, "Could not set up a meta connection.");
491 free_conn_element(ncn);
495 ncn->status.meta = 1;
496 ncn->status.outgoing = 1;
497 ncn->next = conn_list;
504 set up the local sockets (listen only)
506 int setup_myself(void)
510 myself = new_conn_list();
512 if(!(cfg = get_config_val(myvpnip)))
514 syslog(LOG_ERR, "No value for my VPN IP given");
518 myself->vpn_ip = cfg->data.ip->ip;
519 myself->vpn_mask = cfg->data.ip->mask;
521 if(!(cfg = get_config_val(listenport)))
524 myself->port = cfg->data.val;
526 if((myself->meta_socket = setup_listen_meta_socket(myself->port)) < 0)
528 syslog(LOG_ERR, "Unable to set up a listening socket");
532 if((myself->socket = setup_vpn_in_socket(myself->port)) < 0)
534 syslog(LOG_ERR, "Unable to set up an incoming vpn data socket");
535 close(myself->meta_socket);
539 myself->status.active = 1;
541 syslog(LOG_NOTICE, "Ready: listening on port %d.", myself->port);
547 sigalrm_handler(int a)
551 cfg = get_config_val(upstreamip);
553 if(!setup_outgoing_connection(cfg->data.ip->ip))
555 signal(SIGALRM, SIG_IGN);
559 signal(SIGALRM, sigalrm_handler);
560 seconds_till_retry += 5;
561 if(seconds_till_retry>300) /* Don't wait more than 5 minutes. */
562 seconds_till_retry = 300;
563 alarm(seconds_till_retry);
564 syslog(LOG_ERR, "Still failed to connect to other. Will retry in %d seconds.",
571 setup all initial network connections
573 int setup_network_connections(void)
577 if((cfg = get_config_val(pingtimeout)) == NULL)
580 timeout = cfg->data.val;
582 if(setup_tap_fd() < 0)
585 if(setup_myself() < 0)
588 if((cfg = get_config_val(upstreamip)) == NULL)
589 /* No upstream IP given, we're listen only. */
592 if(setup_outgoing_connection(cfg->data.ip->ip))
594 signal(SIGALRM, sigalrm_handler);
595 seconds_till_retry = 300;
596 alarm(seconds_till_retry);
597 syslog(LOG_NOTICE, "Try to re-establish outgoing connection in 5 minutes.");
604 close all open network connections
606 void close_network_connections(void)
610 for(p = conn_list; p != NULL; p = p->next)
612 if(p->status.dataopen)
614 shutdown(p->socket, 0); /* No more receptions */
620 shutdown(p->meta_socket, 0); /* No more receptions */
621 close(p->meta_socket);
626 if(myself->status.active)
628 close(myself->meta_socket);
629 close(myself->socket);
635 syslog(LOG_NOTICE, "Terminating.");
641 create a data (udp) socket
643 int setup_vpn_connection(conn_list_t *cl)
646 struct sockaddr_in a;
649 syslog(LOG_DEBUG, "Opening UDP socket to " IP_ADDR_S, IP_ADDR_V(cl->real_ip));
651 nfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
654 syslog(LOG_ERR, "Creating data socket failed: %m");
658 a.sin_family = AF_INET;
659 a.sin_port = htons(cl->port);
660 a.sin_addr.s_addr = htonl(cl->real_ip);
662 if(connect(nfd, (struct sockaddr *)&a, sizeof(a)) == -1)
664 syslog(LOG_ERR, "Connecting to " IP_ADDR_S ":%d failed: %m",
665 IP_ADDR_V(cl->real_ip), cl->port);
669 flags = fcntl(nfd, F_GETFL);
670 if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
672 syslog(LOG_ERR, "This is a bug: %s:%d: %d:%m", __FILE__, __LINE__, nfd);
677 cl->status.dataopen = 1;
683 handle an incoming tcp connect call and open
686 conn_list_t *create_new_connection(int sfd)
689 struct sockaddr_in ci;
690 int len = sizeof(ci);
694 if(getpeername(sfd, &ci, &len) < 0)
696 syslog(LOG_ERR, "Error: getpeername: %m");
700 p->hostname = hostlookup(ci.sin_addr.s_addr);
701 p->real_ip = ntohl(ci.sin_addr.s_addr);
702 p->meta_socket = sfd;
705 p->last_ping_time = time(NULL);
708 syslog(LOG_NOTICE, "Connection from %s:%d", p->hostname, htons(ci.sin_port));
710 if(send_basic_info(p) < 0)
720 put all file descriptors in an fd_set array
722 void build_fdset(fd_set *fs)
728 for(p = conn_list; p != NULL; p = p->next)
731 FD_SET(p->meta_socket, fs);
732 if(p->status.dataopen)
733 FD_SET(p->socket, fs);
736 FD_SET(myself->meta_socket, fs);
737 FD_SET(myself->socket, fs);
743 receive incoming data from the listening
744 udp socket and write it to the ethertap
745 device after being decrypted
747 int handle_incoming_vpn_data(conn_list_t *cl)
751 int x, l = sizeof(x);
754 if(getsockopt(cl->socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0)
756 syslog(LOG_ERR, "This is a bug: %s:%d: %d:%m", __FILE__, __LINE__, cl->socket);
761 syslog(LOG_ERR, "Incoming data socket error: %s", sys_errlist[x]);
766 lenin = recvfrom(cl->socket, &rp, MTU, 0, NULL, NULL);
769 syslog(LOG_ERR, "Receiving data failed: %m");
772 total_socket_in += lenin;
774 rp.data.len = ntohs(rp.data.len);
775 rp.len = ntohs(rp.len);
776 rp.from = ntohl(rp.from);
780 f = lookup_conn(rp.from);
782 syslog(LOG_DEBUG, "packet from " IP_ADDR_S " (len %d)",
783 IP_ADDR_V(rp.from), rp.len);
786 syslog(LOG_ERR, "Got packet from unknown source " IP_ADDR_S,
791 if(f->status.validkey)
795 add_queue(&(f->rq), &rp, rp.len);
796 if(!cl->status.waitingforkey)
797 send_key_request(rp.from);
800 if(my_key_expiry <= time(NULL))
808 terminate a connection and notify the other
809 end before closing the sockets
811 void terminate_connection(conn_list_t *cl)
814 if(cl->status.remove)
818 syslog(LOG_NOTICE, "Closing connection with %s.", cl->hostname);
820 if(cl->status.timeout)
822 else if(!cl->status.termreq)
827 close(cl->meta_socket);
829 if(cl->status.outgoing)
831 signal(SIGALRM, sigalrm_handler);
832 seconds_till_retry = 5;
833 alarm(seconds_till_retry);
834 syslog(LOG_NOTICE, "Try to re-establish outgoing connection in 5 seconds.");
837 cl->status.active = 0;
838 cl->status.remove = 1;
843 Check if the other end is active.
844 If we have sent packets, but didn't receive any,
845 then possibly the other end is dead. We send a
846 PING request over the meta connection. If the other
847 end does not reply in time, we consider them dead
848 and close the connection.
850 int check_dead_connections(void)
856 for(p = conn_list; p != NULL; p = p->next)
860 if(p->status.active && p->status.meta)
862 if(p->last_ping_time + timeout < now)
864 if(p->status.pinged && !p->status.got_pong)
866 syslog(LOG_INFO, "%s (" IP_ADDR_S ") didn't respond to ping",
867 p->hostname, IP_ADDR_V(p->vpn_ip));
868 p->status.timeout = 1;
869 terminate_connection(p);
871 else if(p->want_ping)
874 p->last_ping_time = now;
875 p->status.pinged = 1;
876 p->status.got_pong = 0;
886 accept a new tcp connect and create a
889 int handle_new_meta_connection(conn_list_t *cl)
892 struct sockaddr client;
893 int nfd, len = sizeof(client);
895 if((nfd = accept(cl->meta_socket, &client, &len)) < 0)
897 syslog(LOG_ERR, "Accepting a new connection failed: %m");
901 if((ncn = create_new_connection(nfd)) == NULL)
905 syslog(LOG_NOTICE, "Closed attempted connection.");
909 ncn->status.meta = 1;
910 ncn->next = conn_list;
917 dispatch any incoming meta requests
919 int handle_incoming_meta_data(conn_list_t *cl)
921 int x, l = sizeof(x);
922 int request, oldlen, i;
925 if(getsockopt(cl->meta_socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0)
927 syslog(LOG_ERR, "This is a bug: %s:%d: %d:%m", __FILE__, __LINE__, cl->meta_socket);
932 syslog(LOG_ERR, "Metadata socket error: %s", sys_errlist[x]);
936 if(cl->buflen >= MAXBUFSIZE)
938 syslog(LOG_ERR, "Metadata read buffer full! Discarding contents.");
942 lenin = read(cl->meta_socket, cl->buffer, MAXBUFSIZE-cl->buflen);
946 syslog(LOG_ERR, "Metadata socket read error: %m");
957 for(i = oldlen; i < cl->buflen; i++)
959 if(cl->buffer[i] == '\n')
961 cl->buffer[i] = 0; /* replace end-of-line by end-of-string so we can use sscanf */
969 if(sscanf(cl->buffer, "%d", &request) == 1)
971 if(request_handlers[request] == NULL)
973 syslog(LOG_ERR, "Unknown request: %s", cl->buffer);
978 syslog(LOG_DEBUG, "Got request: %s", cl->buffer);
980 request_handlers[request](cl);
984 syslog(LOG_ERR, "Bogus data received: %s", cl->buffer);
987 cl->buflen -= cl->reqlen;
988 memmove(cl->buffer, cl->buffer + cl->reqlen, cl->buflen);
997 cl->last_ping_time = time(NULL);
1004 check all connections to see if anything
1005 happened on their sockets
1007 void check_network_activity(fd_set *f)
1010 int x, l = sizeof(x);
1012 for(p = conn_list; p != NULL; p = p->next)
1014 if(p->status.remove)
1017 if(p->status.dataopen)
1018 if(FD_ISSET(p->socket, f))
1021 The only thing that can happen to get us here is apparently an
1022 error on this outgoing(!) UDP socket that isn't immediate (i.e.
1023 something that will not trigger an error directly on send()).
1024 I've once got here when it said `No route to host'.
1026 getsockopt(p->socket, SOL_SOCKET, SO_ERROR, &x, &l);
1027 syslog(LOG_ERR, "Outgoing data socket error: %s", sys_errlist[x]);
1028 terminate_connection(p);
1033 if(FD_ISSET(p->meta_socket, f))
1034 if(handle_incoming_meta_data(p) < 0)
1036 terminate_connection(p);
1041 if(FD_ISSET(myself->socket, f))
1042 handle_incoming_vpn_data(myself);
1044 if(FD_ISSET(myself->meta_socket, f))
1045 handle_new_meta_connection(myself);
1050 read, encrypt and send data that is
1051 available through the ethertap device
1053 void handle_tap_input(void)
1057 int ether_type, lenin;
1059 memset(&vp, 0, sizeof(vp));
1060 if((lenin = read(tap_fd, &vp, MTU)) <= 0)
1062 syslog(LOG_ERR, "Error while reading from tapdevice: %m");
1066 total_tap_in += lenin;
1068 ether_type = ntohs(*((unsigned short*)(&vp.data[12])));
1069 if(ether_type != 0x0800)
1072 syslog(LOG_INFO, "Non-IP ethernet frame %04x from " MAC_ADDR_S,
1073 ether_type, MAC_ADDR_V(vp.data[6]));
1080 syslog(LOG_INFO, "Dropping short packet");
1084 from = ntohl(*((unsigned long*)(&vp.data[26])));
1085 to = ntohl(*((unsigned long*)(&vp.data[30])));
1088 syslog(LOG_DEBUG, "An IP packet (%04x) for " IP_ADDR_S " from " IP_ADDR_S,
1089 ether_type, IP_ADDR_V(to), IP_ADDR_V(from));
1091 syslog(LOG_DEBUG, MAC_ADDR_S " to " MAC_ADDR_S,
1092 MAC_ADDR_V(vp.data[0]), MAC_ADDR_V(vp.data[6]));
1094 vp.len = (length_t)lenin - 2;
1096 strip_mac_addresses(&vp);
1098 send_packet(to, &vp);
1103 this is where it all happens...
1105 void main_loop(void)
1110 time_t last_ping_check;
1112 last_ping_check = time(NULL);
1116 tv.tv_sec = timeout;
1122 if((r = select(FD_SETSIZE, &fset, NULL, NULL, &tv)) < 0)
1124 if(errno == EINTR) /* because of alarm */
1126 syslog(LOG_ERR, "Error while waiting for input: %m");
1130 if(last_ping_check + timeout < time(NULL))
1131 /* Let's check if everybody is still alive */
1133 check_dead_connections();
1134 last_ping_check = time(NULL);
1138 check_network_activity(&fset);
1140 /* local tap data */
1141 if(FD_ISSET(tap_fd, &fset))