2 net.c -- most of the network code
3 Copyright (C) 1998,1999,2000 Ivo Timmermans <itimmermans@bigfoot.com>,
4 2000 Guus Sliepen <guus@sliepen.warande.net>
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20 $Id: net.c,v 1.35 2000/05/31 18:23:05 zarq Exp $
25 #include <arpa/inet.h>
29 #include <netinet/in.h>
33 #include <sys/signal.h>
34 #include <sys/socket.h>
36 #include <sys/types.h>
55 int total_tap_out = 0;
56 int total_socket_in = 0;
57 int total_socket_out = 0;
59 static int seconds_till_retry;
61 /* The global list of existing connections */
62 conn_list_t *conn_list = NULL;
63 conn_list_t *myself = NULL;
66 strip off the MAC adresses of an ethernet frame
68 void strip_mac_addresses(vpn_packet_t *p)
70 unsigned char tmp[MAXSIZE];
72 memcpy(tmp, p->data, p->len);
74 memcpy(p->data, &tmp[12], p->len);
79 reassemble MAC addresses
81 void add_mac_addresses(vpn_packet_t *p)
83 unsigned char tmp[MAXSIZE];
85 memcpy(&tmp[12], p->data, p->len);
87 tmp[0] = tmp[6] = 0xfe;
88 tmp[1] = tmp[7] = 0xfd;
89 *((ip_t*)(&tmp[2])) = (ip_t)(htonl(myself->vpn_ip));
90 *((ip_t*)(&tmp[8])) = *((ip_t*)(&tmp[26]));
91 memcpy(p->data, &tmp[0], p->len);
95 int xsend(conn_list_t *cl, void *packet)
100 do_encrypt((vpn_packet_t*)packet, &rp, cl->key);
101 rp.from = htonl(myself->vpn_ip);
102 rp.data.len = htons(rp.data.len);
103 rp.len = htons(rp.len);
106 syslog(LOG_ERR, _("Sent %d bytes to %lx"), ntohs(rp.len), cl->vpn_ip);
108 if((r = send(cl->socket, (char*)&rp, ntohs(rp.len), 0)) < 0)
110 syslog(LOG_ERR, _("Error sending data: %m"));
114 total_socket_out += r;
121 int xrecv(conn_list_t *cl, void *packet)
126 do_decrypt((real_packet_t*)packet, &vp, cl->key);
127 add_mac_addresses(&vp);
129 if((lenin = write(tap_fd, &vp, vp.len + sizeof(vp.len))) < 0)
130 syslog(LOG_ERR, _("Can't write to tap device: %m"));
132 total_tap_out += lenin;
135 cl->last_ping_time = time(NULL);
141 add the given packet of size s to the
142 queue q, be it the send or receive queue
144 void add_queue(packet_queue_t **q, void *packet, size_t s)
149 syslog(LOG_DEBUG, _("packet to queue: %d"), s);
151 e = xmalloc(sizeof(*e));
152 e->packet = xmalloc(s);
153 memcpy(e->packet, packet, s);
157 *q = xmalloc(sizeof(**q));
158 (*q)->head = (*q)->tail = NULL;
161 e->next = NULL; /* We insert at the tail */
163 if((*q)->tail) /* Do we have a tail? */
165 (*q)->tail->next = e;
166 e->prev = (*q)->tail;
168 else /* No tail -> no head too */
178 /* Remove a queue element */
179 void del_queue(packet_queue_t **q, queue_element_t *e)
184 if(e->next) /* There is a successor, so we are not tail */
186 if(e->prev) /* There is a predecessor, so we are not head */
188 e->next->prev = e->prev;
189 e->prev->next = e->next;
191 else /* We are head */
193 e->next->prev = NULL;
194 (*q)->head = e->next;
197 else /* We are tail (or all alone!) */
199 if(e->prev) /* We are not alone :) */
201 e->prev->next = NULL;
202 (*q)->tail = e->prev;
216 flush a queue by calling function for
217 each packet, and removing it when that
218 returned a zero exit code
220 void flush_queue(conn_list_t *cl, packet_queue_t **pq,
221 int (*function)(conn_list_t*,void*))
223 queue_element_t *p, *next = NULL;
225 for(p = (*pq)->head; p != NULL; )
229 if(!function(cl, p->packet))
236 syslog(LOG_DEBUG, _("queue flushed"));
241 flush the send&recv queues
242 void because nothing goes wrong here, packets
243 remain in the queue if something goes wrong
245 void flush_queues(conn_list_t *cl)
251 syslog(LOG_DEBUG, _("Flushing send queue for " IP_ADDR_S),
252 IP_ADDR_V(cl->vpn_ip));
253 flush_queue(cl, &(cl->sq), xsend);
259 syslog(LOG_DEBUG, _("Flushing receive queue for " IP_ADDR_S),
260 IP_ADDR_V(cl->vpn_ip));
261 flush_queue(cl, &(cl->rq), xrecv);
267 send a packet to the given vpn ip.
269 int send_packet(ip_t to, vpn_packet_t *packet)
273 if((cl = lookup_conn(to)) == NULL)
277 syslog(LOG_NOTICE, _("trying to look up " IP_ADDR_S " in connection list failed."),
280 for(cl = conn_list; cl != NULL && !cl->status.outgoing; cl = cl->next);
282 { /* No open outgoing connection has been found. */
284 syslog(LOG_NOTICE, _("There is no remote host I can send this packet to."));
289 if(my_key_expiry <= time(NULL))
292 if(!cl->status.dataopen)
293 if(setup_vpn_connection(cl) < 0)
296 if(!cl->status.validkey)
298 add_queue(&(cl->sq), packet, packet->len + 2);
299 if(!cl->status.waitingforkey)
300 send_key_request(cl->vpn_ip); /* Keys should be sent to the host running the tincd */
304 if(!cl->status.active)
306 add_queue(&(cl->sq), packet, packet->len + 2);
308 syslog(LOG_INFO, _(IP_ADDR_S " is not ready, queueing packet."), IP_ADDR_V(cl->vpn_ip));
309 return 0; /* We don't want to mess up, do we? */
312 /* can we send it? can we? can we? huh? */
314 return xsend(cl, packet);
318 open the local ethertap device
320 int setup_tap_fd(void)
323 const char *tapfname;
326 if((cfg = get_config_val(tapdevice)) == NULL)
327 tapfname = "/dev/tap0";
329 tapfname = cfg->data.ptr;
331 if((nfd = open(tapfname, O_RDWR | O_NONBLOCK)) < 0)
333 syslog(LOG_ERR, _("Could not open %s: %m"), tapfname);
343 set up the socket that we listen on for incoming
346 int setup_listen_meta_socket(int port)
349 struct sockaddr_in a;
352 if((nfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
354 syslog(LOG_ERR, _("Creating metasocket failed: %m"));
358 if(setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)))
360 syslog(LOG_ERR, _("setsockopt: %m"));
364 flags = fcntl(nfd, F_GETFL);
365 if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
367 syslog(LOG_ERR, _("fcntl: %m"));
371 memset(&a, 0, sizeof(a));
372 a.sin_family = AF_INET;
373 a.sin_port = htons(port);
374 a.sin_addr.s_addr = htonl(INADDR_ANY);
376 if(bind(nfd, (struct sockaddr *)&a, sizeof(struct sockaddr)))
378 syslog(LOG_ERR, _("Can't bind to port %hd/tcp: %m"), port);
384 syslog(LOG_ERR, _("listen: %m"));
392 setup the socket for incoming encrypted
395 int setup_vpn_in_socket(int port)
398 struct sockaddr_in a;
401 if((nfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0)
403 syslog(LOG_ERR, _("Creating socket failed: %m"));
407 if(setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)))
409 syslog(LOG_ERR, _("setsockopt: %m"));
413 flags = fcntl(nfd, F_GETFL);
414 if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
416 syslog(LOG_ERR, _("fcntl: %m"));
420 memset(&a, 0, sizeof(a));
421 a.sin_family = AF_INET;
422 a.sin_port = htons(port);
423 a.sin_addr.s_addr = htonl(INADDR_ANY);
425 if(bind(nfd, (struct sockaddr *)&a, sizeof(struct sockaddr)))
427 syslog(LOG_ERR, _("Can't bind to port %hd/udp: %m"), port);
435 setup an outgoing meta (tcp) socket
437 int setup_outgoing_meta_socket(conn_list_t *cl)
440 struct sockaddr_in a;
443 if((cfg = get_config_val(upstreamport)) == NULL)
446 cl->port = cfg->data.val;
448 cl->meta_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
449 if(cl->meta_socket == -1)
451 syslog(LOG_ERR, _("Creating socket failed: %m"));
455 a.sin_family = AF_INET;
456 a.sin_port = htons(cl->port);
457 a.sin_addr.s_addr = htonl(cl->real_ip);
459 if(connect(cl->meta_socket, (struct sockaddr *)&a, sizeof(a)) == -1)
461 syslog(LOG_ERR, _(IP_ADDR_S ":%d: %m"), IP_ADDR_V(cl->real_ip), cl->port);
465 flags = fcntl(cl->meta_socket, F_GETFL);
466 if(fcntl(cl->meta_socket, F_SETFL, flags | O_NONBLOCK) < 0)
468 syslog(LOG_ERR, _("fcntl: %m"));
472 cl->hostname = hostlookup(htonl(cl->real_ip));
474 syslog(LOG_INFO, _("Connected to %s:%hd"), cl->hostname, cl->port);
480 setup an outgoing connection. It's not
481 necessary to also open an udp socket as
482 well, because the other host will initiate
483 an authentication sequence during which
484 we will do just that.
486 int setup_outgoing_connection(ip_t ip)
490 ncn = new_conn_list();
493 if(setup_outgoing_meta_socket(ncn) < 0)
495 syslog(LOG_ERR, _("Could not set up a meta connection."));
496 free_conn_element(ncn);
500 ncn->status.meta = 1;
501 ncn->status.outgoing = 1;
502 ncn->next = conn_list;
509 set up the local sockets (listen only)
511 int setup_myself(void)
515 myself = new_conn_list();
517 if(!(cfg = get_config_val(myvpnip)))
519 syslog(LOG_ERR, _("No value for my VPN IP given"));
523 myself->vpn_ip = cfg->data.ip->ip;
524 myself->vpn_mask = cfg->data.ip->mask;
526 if(!(cfg = get_config_val(listenport)))
529 myself->port = cfg->data.val;
531 if((myself->meta_socket = setup_listen_meta_socket(myself->port)) < 0)
533 syslog(LOG_ERR, _("Unable to set up a listening socket"));
537 if((myself->socket = setup_vpn_in_socket(myself->port)) < 0)
539 syslog(LOG_ERR, _("Unable to set up an incoming vpn data socket"));
540 close(myself->meta_socket);
544 myself->status.active = 1;
546 syslog(LOG_NOTICE, _("Ready: listening on port %d."), myself->port);
552 sigalrm_handler(int a)
556 cfg = get_config_val(upstreamip);
558 if(!setup_outgoing_connection(cfg->data.ip->ip))
560 signal(SIGALRM, SIG_IGN);
564 signal(SIGALRM, sigalrm_handler);
565 seconds_till_retry += 5;
566 if(seconds_till_retry>300) /* Don't wait more than 5 minutes. */
567 seconds_till_retry = 300;
568 alarm(seconds_till_retry);
569 syslog(LOG_ERR, _("Still failed to connect to other. Will retry in %d seconds."),
576 setup all initial network connections
578 int setup_network_connections(void)
582 if((cfg = get_config_val(pingtimeout)) == NULL)
585 timeout = cfg->data.val;
587 if(setup_tap_fd() < 0)
590 if(setup_myself() < 0)
593 if((cfg = get_config_val(upstreamip)) == NULL)
594 /* No upstream IP given, we're listen only. */
597 if(setup_outgoing_connection(cfg->data.ip->ip))
599 signal(SIGALRM, sigalrm_handler);
600 seconds_till_retry = 300;
601 alarm(seconds_till_retry);
602 syslog(LOG_NOTICE, _("Try to re-establish outgoing connection in 5 minutes."));
609 close all open network connections
611 void close_network_connections(void)
615 for(p = conn_list; p != NULL; p = p->next)
617 if(p->status.dataopen)
619 shutdown(p->socket, 0); /* No more receptions */
625 shutdown(p->meta_socket, 0); /* No more receptions */
626 close(p->meta_socket);
631 if(myself->status.active)
633 close(myself->meta_socket);
634 close(myself->socket);
640 syslog(LOG_NOTICE, _("Terminating."));
646 create a data (udp) socket
648 int setup_vpn_connection(conn_list_t *cl)
651 struct sockaddr_in a;
654 syslog(LOG_DEBUG, _("Opening UDP socket to " IP_ADDR_S), IP_ADDR_V(cl->real_ip));
656 nfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
659 syslog(LOG_ERR, _("Creating data socket failed: %m"));
663 a.sin_family = AF_INET;
664 a.sin_port = htons(cl->port);
665 a.sin_addr.s_addr = htonl(cl->real_ip);
667 if(connect(nfd, (struct sockaddr *)&a, sizeof(a)) == -1)
669 syslog(LOG_ERR, _("Connecting to " IP_ADDR_S ":%d failed: %m"),
670 IP_ADDR_V(cl->real_ip), cl->port);
674 flags = fcntl(nfd, F_GETFL);
675 if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
677 syslog(LOG_ERR, _("This is a bug: %s:%d: %d:%m"), __FILE__, __LINE__, nfd);
682 cl->status.dataopen = 1;
688 handle an incoming tcp connect call and open
691 conn_list_t *create_new_connection(int sfd)
694 struct sockaddr_in ci;
695 int len = sizeof(ci);
699 if(getpeername(sfd, &ci, &len) < 0)
701 syslog(LOG_ERR, _("Error: getpeername: %m"));
705 p->hostname = hostlookup(ci.sin_addr.s_addr);
706 p->real_ip = ntohl(ci.sin_addr.s_addr);
707 p->meta_socket = sfd;
710 p->last_ping_time = time(NULL);
713 syslog(LOG_NOTICE, _("Connection from %s:%d"), p->hostname, htons(ci.sin_port));
715 if(send_basic_info(p) < 0)
725 put all file descriptors in an fd_set array
727 void build_fdset(fd_set *fs)
733 for(p = conn_list; p != NULL; p = p->next)
736 FD_SET(p->meta_socket, fs);
737 if(p->status.dataopen)
738 FD_SET(p->socket, fs);
741 FD_SET(myself->meta_socket, fs);
742 FD_SET(myself->socket, fs);
748 receive incoming data from the listening
749 udp socket and write it to the ethertap
750 device after being decrypted
752 int handle_incoming_vpn_data(conn_list_t *cl)
756 int x, l = sizeof(x);
759 if(getsockopt(cl->socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0)
761 syslog(LOG_ERR, _("This is a bug: %s:%d: %d:%m"), __FILE__, __LINE__, cl->socket);
766 syslog(LOG_ERR, _("Incoming data socket error: %s"), sys_errlist[x]);
771 lenin = recvfrom(cl->socket, &rp, MTU, 0, NULL, NULL);
774 syslog(LOG_ERR, _("Receiving data failed: %m"));
777 total_socket_in += lenin;
779 rp.data.len = ntohs(rp.data.len);
780 rp.len = ntohs(rp.len);
781 rp.from = ntohl(rp.from);
785 f = lookup_conn(rp.from);
787 syslog(LOG_DEBUG, _("packet from " IP_ADDR_S " (len %d)"),
788 IP_ADDR_V(rp.from), rp.len);
791 syslog(LOG_ERR, _("Got packet from unknown source " IP_ADDR_S),
796 if(f->status.validkey)
800 add_queue(&(f->rq), &rp, rp.len);
801 if(!cl->status.waitingforkey)
802 send_key_request(rp.from);
805 if(my_key_expiry <= time(NULL))
813 terminate a connection and notify the other
814 end before closing the sockets
816 void terminate_connection(conn_list_t *cl)
821 if(cl->status.remove)
825 syslog(LOG_NOTICE, _("Closing connection with %s."), cl->hostname);
827 if(cl->status.timeout)
829 else if(!cl->status.termreq)
834 close(cl->meta_socket);
836 if(cl->status.outgoing)
838 signal(SIGALRM, sigalrm_handler);
839 seconds_till_retry = 5;
840 alarm(seconds_till_retry);
841 syslog(LOG_NOTICE, _("Try to re-establish outgoing connection in 5 seconds."));
844 cl->status.active = 0;
845 cl->status.remove = 1;
848 /* Find all connections that were lost because they were behind cl
849 (the connection that was dropped). */
850 for(p = conn_list; p != NULL; p = p->next)
853 p->status.active = 0;
854 p->status.remove = 1;
858 /* Then send a notification about all these connections to all hosts
859 that are still connected to us. */
860 for(p = conn_list; p != NULL; p = p->next)
861 if(!p->status.remove && p->status.meta)
862 for(q = conn_list; q != NULL; q = q->next)
870 Check if the other end is active.
871 If we have sent packets, but didn't receive any,
872 then possibly the other end is dead. We send a
873 PING request over the meta connection. If the other
874 end does not reply in time, we consider them dead
875 and close the connection.
877 int check_dead_connections(void)
883 for(p = conn_list; p != NULL; p = p->next)
887 if(p->status.active && p->status.meta)
889 if(p->last_ping_time + timeout < now)
891 if(p->status.pinged && !p->status.got_pong)
893 syslog(LOG_INFO, _("%s (" IP_ADDR_S ") didn't respond to ping"),
894 p->hostname, IP_ADDR_V(p->vpn_ip));
895 p->status.timeout = 1;
896 terminate_connection(p);
898 else if(p->want_ping)
901 p->last_ping_time = now;
902 p->status.pinged = 1;
903 p->status.got_pong = 0;
913 accept a new tcp connect and create a
916 int handle_new_meta_connection(conn_list_t *cl)
919 struct sockaddr client;
920 int nfd, len = sizeof(client);
922 if((nfd = accept(cl->meta_socket, &client, &len)) < 0)
924 syslog(LOG_ERR, _("Accepting a new connection failed: %m"));
928 if((ncn = create_new_connection(nfd)) == NULL)
932 syslog(LOG_NOTICE, _("Closed attempted connection."));
936 ncn->status.meta = 1;
937 ncn->next = conn_list;
944 dispatch any incoming meta requests
946 int handle_incoming_meta_data(conn_list_t *cl)
948 int x, l = sizeof(x);
949 int request, oldlen, i;
952 if(getsockopt(cl->meta_socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0)
954 syslog(LOG_ERR, _("This is a bug: %s:%d: %d:%m"), __FILE__, __LINE__, cl->meta_socket);
959 syslog(LOG_ERR, _("Metadata socket error: %s"), sys_errlist[x]);
963 if(cl->buflen >= MAXBUFSIZE)
965 syslog(LOG_ERR, _("Metadata read buffer overflow."));
969 lenin = read(cl->meta_socket, cl->buffer, MAXBUFSIZE-cl->buflen);
973 syslog(LOG_ERR, _("Metadata socket read error: %m"));
984 for(i = oldlen; i < cl->buflen; i++)
986 if(cl->buffer[i] == '\n')
988 cl->buffer[i] = 0; /* replace end-of-line by end-of-string so we can use sscanf */
996 if(sscanf(cl->buffer, "%d", &request) == 1)
998 if((request < 0) || (request > 255) || (request_handlers[request] == NULL))
1000 syslog(LOG_ERR, _("Unknown request: %s"), cl->buffer);
1005 syslog(LOG_DEBUG, _("Got request: %s"), cl->buffer);
1007 if(request_handlers[request](cl)) /* Something went wrong. Probably scriptkiddies. Terminate. */
1009 syslog(LOG_ERR, _("Error while processing request from " IP_ADDR_S), IP_ADDR_V(cl->real_ip));
1015 syslog(LOG_ERR, _("Bogus data received."));
1019 cl->buflen -= cl->reqlen;
1020 memmove(cl->buffer, cl->buffer + cl->reqlen, cl->buflen);
1029 cl->last_ping_time = time(NULL);
1036 check all connections to see if anything
1037 happened on their sockets
1039 void check_network_activity(fd_set *f)
1042 int x, l = sizeof(x);
1044 for(p = conn_list; p != NULL; p = p->next)
1046 if(p->status.remove)
1049 if(p->status.dataopen)
1050 if(FD_ISSET(p->socket, f))
1053 The only thing that can happen to get us here is apparently an
1054 error on this outgoing(!) UDP socket that isn't immediate (i.e.
1055 something that will not trigger an error directly on send()).
1056 I've once got here when it said `No route to host'.
1058 getsockopt(p->socket, SOL_SOCKET, SO_ERROR, &x, &l);
1059 syslog(LOG_ERR, _("Outgoing data socket error: %s"), sys_errlist[x]);
1060 terminate_connection(p);
1065 if(FD_ISSET(p->meta_socket, f))
1066 if(handle_incoming_meta_data(p) < 0)
1068 terminate_connection(p);
1073 if(FD_ISSET(myself->socket, f))
1074 handle_incoming_vpn_data(myself);
1076 if(FD_ISSET(myself->meta_socket, f))
1077 handle_new_meta_connection(myself);
1082 read, encrypt and send data that is
1083 available through the ethertap device
1085 void handle_tap_input(void)
1089 int ether_type, lenin;
1091 memset(&vp, 0, sizeof(vp));
1092 if((lenin = read(tap_fd, &vp, MTU)) <= 0)
1094 syslog(LOG_ERR, _("Error while reading from tapdevice: %m"));
1098 total_tap_in += lenin;
1100 ether_type = ntohs(*((unsigned short*)(&vp.data[12])));
1101 if(ether_type != 0x0800)
1104 syslog(LOG_INFO, _("Non-IP ethernet frame %04x from " MAC_ADDR_S),
1105 ether_type, MAC_ADDR_V(vp.data[6]));
1112 syslog(LOG_INFO, _("Dropping short packet"));
1116 from = ntohl(*((unsigned long*)(&vp.data[26])));
1117 to = ntohl(*((unsigned long*)(&vp.data[30])));
1120 syslog(LOG_DEBUG, _("An IP packet (%04x) for " IP_ADDR_S " from " IP_ADDR_S),
1121 ether_type, IP_ADDR_V(to), IP_ADDR_V(from));
1123 syslog(LOG_DEBUG, _(MAC_ADDR_S " to " MAC_ADDR_S),
1124 MAC_ADDR_V(vp.data[0]), MAC_ADDR_V(vp.data[6]));
1126 vp.len = (length_t)lenin - 2;
1128 strip_mac_addresses(&vp);
1130 send_packet(to, &vp);
1135 this is where it all happens...
1137 void main_loop(void)
1142 time_t last_ping_check;
1144 last_ping_check = time(NULL);
1148 tv.tv_sec = timeout;
1154 if((r = select(FD_SETSIZE, &fset, NULL, NULL, &tv)) < 0)
1156 if(errno == EINTR) /* because of alarm */
1158 syslog(LOG_ERR, _("Error while waiting for input: %m"));
1162 if(last_ping_check + timeout < time(NULL))
1163 /* Let's check if everybody is still alive */
1165 check_dead_connections();
1166 last_ping_check = time(NULL);
1170 check_network_activity(&fset);
1172 /* local tap data */
1173 if(FD_ISSET(tap_fd, &fset))