2 net.c -- most of the network code
3 Copyright (C) 1998,1999,2000 Ivo Timmermans <zarq@iname.com>
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; either version 2 of the License, or
8 (at your option) any later version.
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with this program; if not, write to the Free Software
17 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 #include <arpa/inet.h>
26 #include <netinet/in.h>
30 #include <sys/signal.h>
31 #include <sys/socket.h>
33 #include <sys/types.h>
50 int total_tap_out = 0;
51 int total_socket_in = 0;
52 int total_socket_out = 0;
54 /* The global list of existing connections */
55 conn_list_t *conn_list = NULL;
56 conn_list_t *myself = NULL;
59 strip off the MAC adresses of an ethernet frame
61 void strip_mac_addresses(vpn_packet_t *p)
63 unsigned char tmp[MAXSIZE];
65 memcpy(tmp, p->data, p->len);
67 memcpy(p->data, &tmp[12], p->len);
72 reassemble MAC addresses
74 void add_mac_addresses(vpn_packet_t *p)
76 unsigned char tmp[MAXSIZE];
78 memcpy(&tmp[12], p->data, p->len);
80 tmp[0] = tmp[6] = 0xfe;
81 tmp[1] = tmp[7] = 0xfd;
82 *((ip_t*)(&tmp[2])) = (ip_t)(htonl(myself->vpn_ip));
83 *((ip_t*)(&tmp[8])) = *((ip_t*)(&tmp[26]));
84 memcpy(p->data, &tmp[0], p->len);
88 int xsend(conn_list_t *cl, void *packet)
93 do_encrypt((vpn_packet_t*)packet, &rp, cl->key);
94 rp.from = htonl(myself->vpn_ip);
95 rp.data.len = htons(rp.data.len);
96 rp.len = htons(rp.len);
99 syslog(LOG_ERR, "Sent %d bytes to %lx", ntohs(rp.len), cl->vpn_ip);
101 if((r = send(cl->socket, (char*)&rp, ntohs(rp.len), 0)) < 0)
103 syslog(LOG_ERR, "Error sending data: %m");
107 total_socket_out += r;
114 int xrecv(conn_list_t *cl, void *packet)
119 do_decrypt((real_packet_t*)packet, &vp, cl->key);
120 add_mac_addresses(&vp);
122 if((lenin = write(tap_fd, &vp, vp.len + sizeof(vp.len))) < 0)
123 syslog(LOG_ERR, "Can't write to tap device: %m");
125 total_tap_out += lenin;
128 cl->last_ping_time = time(NULL);
134 add the given packet of size s to the
135 queue q, be it the send or receive queue
137 void add_queue(packet_queue_t **q, void *packet, size_t s)
142 syslog(LOG_DEBUG, "packet to queue: %d", s);
144 e = xmalloc(sizeof(*e));
145 e->packet = xmalloc(s);
146 memcpy(e->packet, packet, s);
150 *q = xmalloc(sizeof(**q));
151 (*q)->head = (*q)->tail = NULL;
154 e->next = NULL; /* We insert at the tail */
156 if((*q)->tail) /* Do we have a tail? */
158 (*q)->tail->next = e;
159 e->prev = (*q)->tail;
161 else /* No tail -> no head too */
171 /* Remove a queue element */
172 void del_queue(packet_queue_t **q, queue_element_t *e)
177 if(e->next) /* There is a successor, so we are not tail */
179 if(e->prev) /* There is a predecessor, so we are not head */
181 e->next->prev = e->prev;
182 e->prev->next = e->next;
184 else /* We are head */
186 e->next->prev = NULL;
187 (*q)->head = e->next;
190 else /* We are tail (or all alone!) */
192 if(e->prev) /* We are not alone :) */
194 e->prev->next = NULL;
195 (*q)->tail = e->prev;
209 flush a queue by calling function for
210 each packet, and removing it when that
211 returned a zero exit code
213 void flush_queue(conn_list_t *cl, packet_queue_t **pq,
214 int (*function)(conn_list_t*,void*))
216 queue_element_t *p, *next = NULL;
218 for(p = (*pq)->head; p != NULL; )
222 if(!function(cl, p->packet))
229 syslog(LOG_DEBUG, "queue flushed");
234 flush the send&recv queues
235 void because nothing goes wrong here, packets
236 remain in the queue if something goes wrong
238 void flush_queues(conn_list_t *cl)
244 syslog(LOG_DEBUG, "Flushing send queue for " IP_ADDR_S,
245 IP_ADDR_V(cl->vpn_ip));
246 flush_queue(cl, &(cl->sq), xsend);
252 syslog(LOG_DEBUG, "Flushing receive queue for " IP_ADDR_S,
253 IP_ADDR_V(cl->vpn_ip));
254 flush_queue(cl, &(cl->rq), xrecv);
260 send a packet to the given vpn ip.
262 int send_packet(ip_t to, vpn_packet_t *packet)
266 if((cl = lookup_conn(to)) == NULL)
270 syslog(LOG_NOTICE, "trying to look up " IP_ADDR_S " in connection list failed.",
273 for(cl = conn_list; cl != NULL && !cl->status.outgoing; cl = cl->next);
275 { /* No open outgoing connection has been found. */
277 syslog(LOG_NOTICE, "There is no remote host I can send this packet to.");
282 if(my_key_expiry <= time(NULL))
285 if(!cl->status.dataopen)
286 if(setup_vpn_connection(cl) < 0)
289 if(!cl->status.validkey)
291 add_queue(&(cl->sq), packet, packet->len + 2);
292 if(!cl->status.waitingforkey)
293 send_key_request(cl->vpn_ip); /* Keys should be sent to the host running the tincd */
297 if(!cl->status.active)
299 add_queue(&(cl->sq), packet, packet->len + 2);
301 syslog(LOG_INFO, IP_ADDR_S " is not ready, queueing packet.", IP_ADDR_V(cl->vpn_ip));
302 return 0; /* We don't want to mess up, do we? */
305 /* can we send it? can we? can we? huh? */
307 return xsend(cl, packet);
311 open the local ethertap device
313 int setup_tap_fd(void)
316 const char *tapfname;
319 if((cfg = get_config_val(tapdevice)) == NULL)
320 tapfname = "/dev/tap0";
322 tapfname = cfg->data.ptr;
324 if((nfd = open(tapfname, O_RDWR | O_NONBLOCK)) < 0)
326 syslog(LOG_ERR, "Could not open %s: %m", tapfname);
336 set up the socket that we listen on for incoming
339 int setup_listen_meta_socket(int port)
342 struct sockaddr_in a;
345 if((nfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
347 syslog(LOG_ERR, "Creating metasocket failed: %m");
351 if(setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)))
353 syslog(LOG_ERR, "setsockopt: %m");
357 flags = fcntl(nfd, F_GETFL);
358 if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
360 syslog(LOG_ERR, "fcntl: %m");
364 memset(&a, 0, sizeof(a));
365 a.sin_family = AF_INET;
366 a.sin_port = htons(port);
367 a.sin_addr.s_addr = htonl(INADDR_ANY);
369 if(bind(nfd, (struct sockaddr *)&a, sizeof(struct sockaddr)))
371 syslog(LOG_ERR, "Can't bind to port %hd/tcp: %m", port);
377 syslog(LOG_ERR, "listen: %m");
385 setup the socket for incoming encrypted
388 int setup_vpn_in_socket(int port)
391 struct sockaddr_in a;
394 if((nfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0)
396 syslog(LOG_ERR, "Creating socket failed: %m");
400 if(setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)))
402 syslog(LOG_ERR, "setsockopt: %m");
406 flags = fcntl(nfd, F_GETFL);
407 if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
409 syslog(LOG_ERR, "fcntl: %m");
413 memset(&a, 0, sizeof(a));
414 a.sin_family = AF_INET;
415 a.sin_port = htons(port);
416 a.sin_addr.s_addr = htonl(INADDR_ANY);
418 if(bind(nfd, (struct sockaddr *)&a, sizeof(struct sockaddr)))
420 syslog(LOG_ERR, "Can't bind to port %hd/udp: %m", port);
428 setup an outgoing meta (tcp) socket
430 int setup_outgoing_meta_socket(conn_list_t *cl)
433 struct sockaddr_in a;
436 if((cfg = get_config_val(upstreamport)) == NULL)
439 cl->port = cfg->data.val;
441 cl->meta_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
442 if(cl->meta_socket == -1)
444 syslog(LOG_ERR, "Creating socket failed: %m");
448 a.sin_family = AF_INET;
449 a.sin_port = htons(cl->port);
450 a.sin_addr.s_addr = htonl(cl->real_ip);
452 if(connect(cl->meta_socket, (struct sockaddr *)&a, sizeof(a)) == -1)
454 syslog(LOG_ERR, IP_ADDR_S ":%d: %m", IP_ADDR_V(cl->real_ip), cl->port);
458 flags = fcntl(cl->meta_socket, F_GETFL);
459 if(fcntl(cl->meta_socket, F_SETFL, flags | O_NONBLOCK) < 0)
461 syslog(LOG_ERR, "fcntl: %m");
465 cl->hostname = hostlookup(htonl(cl->real_ip));
467 syslog(LOG_INFO, "Connected to %s:%hd" , cl->hostname, cl->port);
473 setup an outgoing connection. It's not
474 necessary to also open an udp socket as
475 well, because the other host will initiate
476 an authentication sequence during which
477 we will do just that.
479 int setup_outgoing_connection(ip_t ip)
483 ncn = new_conn_list();
486 if(setup_outgoing_meta_socket(ncn) < 0)
488 syslog(LOG_ERR, "Could not set up a meta connection.");
489 free_conn_element(ncn);
493 ncn->status.meta = 1;
494 ncn->status.outgoing = 1;
495 ncn->next = conn_list;
502 set up the local sockets (listen only)
504 int setup_myself(void)
508 myself = new_conn_list();
510 if(!(cfg = get_config_val(myvpnip)))
512 syslog(LOG_ERR, "No value for my VPN IP given");
516 myself->vpn_ip = cfg->data.ip->ip;
517 myself->vpn_mask = cfg->data.ip->mask;
519 if(!(cfg = get_config_val(listenport)))
522 myself->port = cfg->data.val;
524 if((myself->meta_socket = setup_listen_meta_socket(myself->port)) < 0)
526 syslog(LOG_ERR, "Unable to set up a listening socket");
530 if((myself->socket = setup_vpn_in_socket(myself->port)) < 0)
532 syslog(LOG_ERR, "Unable to set up an incoming vpn data socket");
533 close(myself->meta_socket);
537 myself->status.active = 1;
539 syslog(LOG_NOTICE, "Ready: listening on port %d.", myself->port);
545 setup all initial network connections
547 int setup_network_connections(void)
551 if((cfg = get_config_val(pingtimeout)) == NULL)
554 timeout = cfg->data.val;
556 if(setup_tap_fd() < 0)
559 if(setup_myself() < 0)
562 if((cfg = get_config_val(upstreamip)) == NULL)
563 /* No upstream IP given, we're listen only. */
566 if(setup_outgoing_connection(cfg->data.ip->ip))
573 sigalrm_handler(int a)
576 static int seconds_till_retry;
578 cfg = get_config_val(upstreamip);
580 if(!setup_outgoing_connection(cfg->data.ip->ip))
582 signal(SIGALRM, SIG_IGN);
583 seconds_till_retry = 5;
587 signal(SIGALRM, sigalrm_handler);
588 seconds_till_retry += 5;
589 alarm(seconds_till_retry);
590 syslog(LOG_ERR, "Still failed to connect to other. Will retry in %d seconds.",
597 close all open network connections
599 void close_network_connections(void)
603 for(p = conn_list; p != NULL; p = p->next)
605 if(p->status.dataopen)
607 shutdown(p->socket, 0); /* No more receptions */
613 shutdown(p->meta_socket, 0); /* No more receptions */
614 close(p->meta_socket);
619 if(myself->status.active)
621 close(myself->meta_socket);
622 close(myself->socket);
628 syslog(LOG_NOTICE, "Terminating.");
634 create a data (udp) socket
636 int setup_vpn_connection(conn_list_t *cl)
639 struct sockaddr_in a;
642 syslog(LOG_DEBUG, "Opening UDP socket to " IP_ADDR_S, IP_ADDR_V(cl->real_ip));
644 nfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
647 syslog(LOG_ERR, "Creating data socket failed: %m");
651 a.sin_family = AF_INET;
652 a.sin_port = htons(cl->port);
653 a.sin_addr.s_addr = htonl(cl->real_ip);
655 if(connect(nfd, (struct sockaddr *)&a, sizeof(a)) == -1)
657 syslog(LOG_ERR, "Connecting to " IP_ADDR_S ":%d failed: %m",
658 IP_ADDR_V(cl->real_ip), cl->port);
662 flags = fcntl(nfd, F_GETFL);
663 if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
665 syslog(LOG_ERR, "This is a bug: %s:%d: %d:%m", __FILE__, __LINE__, nfd);
670 cl->status.dataopen = 1;
676 handle an incoming tcp connect call and open
679 conn_list_t *create_new_connection(int sfd)
682 struct sockaddr_in ci;
683 int len = sizeof(ci);
687 if(getpeername(sfd, &ci, &len) < 0)
689 syslog(LOG_ERR, "Error: getpeername: %m");
693 p->hostname = hostlookup(ci.sin_addr.s_addr);
694 p->real_ip = ntohl(ci.sin_addr.s_addr);
695 p->meta_socket = sfd;
698 p->last_ping_time = time(NULL);
701 syslog(LOG_NOTICE, "Connection from %s:%d", p->hostname, htons(ci.sin_port));
703 if(send_basic_info(p) < 0)
713 put all file descriptors in an fd_set array
715 void build_fdset(fd_set *fs)
721 for(p = conn_list; p != NULL; p = p->next)
724 FD_SET(p->meta_socket, fs);
725 if(p->status.dataopen)
726 FD_SET(p->socket, fs);
729 FD_SET(myself->meta_socket, fs);
730 FD_SET(myself->socket, fs);
736 receive incoming data from the listening
737 udp socket and write it to the ethertap
738 device after being decrypted
740 int handle_incoming_vpn_data(conn_list_t *cl)
744 int x, l = sizeof(x);
747 if(getsockopt(cl->socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0)
749 syslog(LOG_ERR, "This is a bug: %s:%d: %d:%m", __FILE__, __LINE__, cl->socket);
754 syslog(LOG_ERR, "Incoming data socket error: %s", sys_errlist[x]);
759 lenin = recvfrom(cl->socket, &rp, MTU, 0, NULL, NULL);
762 syslog(LOG_ERR, "Receiving data failed: %m");
765 total_socket_in += lenin;
767 rp.data.len = ntohs(rp.data.len);
768 rp.len = ntohs(rp.len);
769 rp.from = ntohl(rp.from);
773 f = lookup_conn(rp.from);
775 syslog(LOG_DEBUG, "packet from " IP_ADDR_S " (len %d)",
776 IP_ADDR_V(rp.from), rp.len);
779 syslog(LOG_ERR, "Got packet from unknown source " IP_ADDR_S,
784 if(f->status.validkey)
788 add_queue(&(f->rq), &rp, rp.len);
789 if(!cl->status.waitingforkey)
790 send_key_request(rp.from);
793 if(my_key_expiry <= time(NULL))
801 terminate a connection and notify the other
802 end before closing the sockets
804 void terminate_connection(conn_list_t *cl)
807 if(cl->status.remove)
811 syslog(LOG_NOTICE, "Closing connection with %s.", cl->hostname);
813 if(cl->status.timeout)
815 else if(!cl->status.termreq)
820 close(cl->meta_socket);
822 if(cl->status.outgoing)
824 signal(SIGALRM, sigalrm_handler);
826 syslog(LOG_NOTICE, "Try to re-establish outgoing connection in 5 seconds.");
829 cl->status.active = 0;
830 cl->status.remove = 1;
835 Check if the other end is active.
836 If we have sent packets, but didn't receive any,
837 then possibly the other end is dead. We send a
838 PING request over the meta connection. If the other
839 end does not reply in time, we consider them dead
840 and close the connection.
842 int check_dead_connections(void)
848 for(p = conn_list; p != NULL; p = p->next)
852 if(p->status.active && p->status.meta)
854 if(p->last_ping_time + timeout < now)
856 if(p->status.pinged && !p->status.got_pong)
858 syslog(LOG_INFO, "%s (" IP_ADDR_S ") didn't respond to ping",
859 p->hostname, IP_ADDR_V(p->vpn_ip));
860 p->status.timeout = 1;
861 terminate_connection(p);
863 else if(p->want_ping)
866 p->last_ping_time = now;
867 p->status.pinged = 1;
868 p->status.got_pong = 0;
878 accept a new tcp connect and create a
881 int handle_new_meta_connection(conn_list_t *cl)
884 struct sockaddr client;
885 int nfd, len = sizeof(client);
887 if((nfd = accept(cl->meta_socket, &client, &len)) < 0)
889 syslog(LOG_ERR, "Accepting a new connection failed: %m");
893 if((ncn = create_new_connection(nfd)) == NULL)
897 syslog(LOG_NOTICE, "Closed attempted connection.");
901 ncn->status.meta = 1;
902 ncn->next = conn_list;
909 dispatch any incoming meta requests
911 int handle_incoming_meta_data(conn_list_t *cl)
913 int x, l = sizeof(x);
914 int request, oldlen, i;
917 if(getsockopt(cl->meta_socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0)
919 syslog(LOG_ERR, "This is a bug: %s:%d: %d:%m", __FILE__, __LINE__, cl->meta_socket);
924 syslog(LOG_ERR, "Metadata socket error: %s", sys_errlist[x]);
928 if(cl->buflen >= MAXBUFSIZE)
930 syslog(LOG_ERR, "Metadata read buffer full! Discarding contents.");
934 lenin = read(cl->meta_socket, cl->buffer, MAXBUFSIZE-cl->buflen);
938 syslog(LOG_ERR, "Metadata socket read error: %m");
949 for(i = oldlen; i < cl->buflen; i++)
951 if(cl->buffer[i] == '\n')
953 cl->buffer[i] = 0; /* replace end-of-line by end-of-string so we can use sscanf */
961 if(sscanf(cl->buffer, "%d", &request) == 1)
963 if(request_handlers[request] == NULL)
965 syslog(LOG_ERR, "Unknown request: %s", cl->buffer);
970 syslog(LOG_DEBUG, "Got request: %s", cl->buffer);
972 request_handlers[request](cl);
976 syslog(LOG_ERR, "Bogus data received: %s", cl->buffer);
979 cl->buflen -= cl->reqlen;
980 memmove(cl->buffer, cl->buffer + cl->reqlen, cl->buflen);
989 cl->last_ping_time = time(NULL);
996 check all connections to see if anything
997 happened on their sockets
999 void check_network_activity(fd_set *f)
1002 int x, l = sizeof(x);
1004 for(p = conn_list; p != NULL; p = p->next)
1006 if(p->status.remove)
1009 if(p->status.dataopen)
1010 if(FD_ISSET(p->socket, f))
1013 The only thing that can happen to get us here is apparently an
1014 error on this outgoing(!) UDP socket that isn't immediate (i.e.
1015 something that will not trigger an error directly on send()).
1016 I've once got here when it said `No route to host'.
1018 getsockopt(p->socket, SOL_SOCKET, SO_ERROR, &x, &l);
1019 syslog(LOG_ERR, "Outgoing data socket error: %s", sys_errlist[x]);
1020 terminate_connection(p);
1025 if(FD_ISSET(p->meta_socket, f))
1026 if(handle_incoming_meta_data(p) < 0)
1028 terminate_connection(p);
1033 if(FD_ISSET(myself->socket, f))
1034 handle_incoming_vpn_data(myself);
1036 if(FD_ISSET(myself->meta_socket, f))
1037 handle_new_meta_connection(myself);
1042 read, encrypt and send data that is
1043 available through the ethertap device
1045 void handle_tap_input(void)
1049 int ether_type, lenin;
1051 memset(&vp, 0, sizeof(vp));
1052 if((lenin = read(tap_fd, &vp, MTU)) <= 0)
1054 syslog(LOG_ERR, "Error while reading from tapdevice: %m");
1058 total_tap_in += lenin;
1060 ether_type = ntohs(*((unsigned short*)(&vp.data[12])));
1061 if(ether_type != 0x0800)
1064 syslog(LOG_INFO, "Non-IP ethernet frame %04x from " MAC_ADDR_S,
1065 ether_type, MAC_ADDR_V(vp.data[6]));
1072 syslog(LOG_INFO, "Dropping short packet");
1076 from = ntohl(*((unsigned long*)(&vp.data[26])));
1077 to = ntohl(*((unsigned long*)(&vp.data[30])));
1080 syslog(LOG_DEBUG, "An IP packet (%04x) for " IP_ADDR_S " from " IP_ADDR_S,
1081 ether_type, IP_ADDR_V(to), IP_ADDR_V(from));
1083 syslog(LOG_DEBUG, MAC_ADDR_S " to " MAC_ADDR_S,
1084 MAC_ADDR_V(vp.data[0]), MAC_ADDR_V(vp.data[6]));
1086 vp.len = (length_t)lenin - 2;
1088 strip_mac_addresses(&vp);
1090 send_packet(to, &vp);
1095 this is where it all happens...
1097 void main_loop(void)
1102 time_t last_ping_check;
1104 last_ping_check = time(NULL);
1108 tv.tv_sec = timeout;
1114 if((r = select(FD_SETSIZE, &fset, NULL, NULL, &tv)) < 0)
1116 if(errno == EINTR) /* because of alarm */
1118 syslog(LOG_ERR, "Error while waiting for input: %m");
1122 if(last_ping_check + timeout < time(NULL))
1123 /* Let's check if everybody is still alive */
1125 check_dead_connections();
1126 last_ping_check = time(NULL);
1130 check_network_activity(&fset);
1132 /* local tap data */
1133 if(FD_ISSET(tap_fd, &fset))