2 net.c -- most of the network code
3 Copyright (C) 1998,99 Ivo Timmermans <zarq@iname.com>
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; either version 2 of the License, or
8 (at your option) any later version.
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with this program; if not, write to the Free Software
17 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 #include <arpa/inet.h>
26 #include <netinet/in.h>
30 #include <sys/signal.h>
31 #include <sys/socket.h>
33 #include <sys/types.h>
50 int total_tap_out = 0;
51 int total_socket_in = 0;
52 int total_socket_out = 0;
54 time_t last_ping_time = 0;
56 /* The global list of existing connections */
57 conn_list_t *conn_list = NULL;
58 conn_list_t *myself = NULL;
61 strip off the MAC adresses of an ethernet frame
63 void strip_mac_addresses(vpn_packet_t *p)
65 unsigned char tmp[MAXSIZE];
67 memcpy(tmp, p->data, p->len);
69 memcpy(p->data, &tmp[12], p->len);
74 reassemble MAC addresses
76 void add_mac_addresses(vpn_packet_t *p)
78 unsigned char tmp[MAXSIZE];
80 memcpy(&tmp[12], p->data, p->len);
82 tmp[0] = tmp[6] = 0xfe;
83 tmp[1] = tmp[7] = 0xfd;
84 *((ip_t*)(&tmp[2])) = (ip_t)(htonl(myself->vpn_ip));
85 *((ip_t*)(&tmp[8])) = *((ip_t*)(&tmp[26]));
86 memcpy(p->data, &tmp[0], p->len);
90 int xsend(conn_list_t *cl, void *packet)
95 do_encrypt((vpn_packet_t*)packet, &rp, cl->key);
96 rp.from = myself->vpn_ip;
99 syslog(LOG_ERR, "Sent %d bytes to %lx", rp.len, cl->vpn_ip);
101 if((r = send(cl->socket, (char*)&rp, rp.len, 0)) < 0)
103 syslog(LOG_ERR, "Error sending data: %m");
107 total_socket_out += r;
113 write as many bytes as possible to the tap
114 device, possibly in multiple turns.
116 int write_n(int fd, void *buf, size_t len)
122 if((r = write(fd, buf, len)) < 0)
133 int xrecv(conn_list_t *cl, void *packet)
138 do_decrypt((real_packet_t*)packet, &vp, cl->key);
139 add_mac_addresses(&vp);
141 if((lenin = write_n(tap_fd, &vp, vp.len + 2)) < 0)
142 syslog(LOG_ERR, "Can't write to tap device: %m");
144 total_tap_out += lenin;
150 add the given packet of size s to the
151 queue q, be it the send or receive queue
153 void add_queue(packet_queue_t **q, void *packet, size_t s)
158 syslog(LOG_DEBUG, "packet to queue: %d", s);
160 e = xmalloc(sizeof(queue_element_t));
161 e->packet = xmalloc(s);
162 memcpy(e->packet, packet, s);
166 *q = xmalloc(sizeof(packet_queue_t));
167 (*q)->head = (*q)->tail = NULL;
170 e->next = NULL; /* We insert at the tail */
172 if((*q)->tail) /* Do we have a tail? */
174 (*q)->tail->next = e;
175 e->prev = (*q)->tail;
177 else /* No tail -> no head too */
187 /* Remove a queue element */
188 void del_queue(packet_queue_t **q, queue_element_t *e)
193 if(e->next) /* There is a successor, so we are not tail */
195 if(e->prev) /* There is a predecessor, so we are not head */
197 e->next->prev = e->prev;
198 e->prev->next = e->next;
200 else /* We are head */
202 e->next->prev = NULL;
203 (*q)->head = e->next;
206 else /* We are tail (or all alone!) */
208 if(e->prev) /* We are not alone :) */
210 e->prev->next = NULL;
211 (*q)->tail = e->prev;
225 flush a queue by calling function for
226 each packet, and removing it when that
227 returned a zero exit code
229 void flush_queue(conn_list_t *cl, packet_queue_t **pq,
230 int (*function)(conn_list_t*,void*))
232 queue_element_t *p, *next = NULL;
234 for(p = (*pq)->head; p != NULL; )
238 if(!function(cl, p->packet))
245 syslog(LOG_DEBUG, "queue flushed");
250 flush the send&recv queues
251 void because nothing goes wrong here, packets
252 remain in the queue if something goes wrong
254 void flush_queues(conn_list_t *cl)
260 syslog(LOG_DEBUG, "Flushing send queue for " IP_ADDR_S,
261 IP_ADDR_V(cl->vpn_ip));
262 flush_queue(cl, &(cl->sq), xsend);
268 syslog(LOG_DEBUG, "Flushing receive queue for " IP_ADDR_S,
269 IP_ADDR_V(cl->vpn_ip));
270 flush_queue(cl, &(cl->rq), xrecv);
276 send a packet to the given vpn ip.
278 int send_packet(ip_t to, vpn_packet_t *packet)
282 if((cl = lookup_conn(to)) == NULL)
286 syslog(LOG_NOTICE, "trying to look up " IP_ADDR_S " in connection list failed.",
289 for(cl = conn_list; cl != NULL && !cl->status.outgoing; cl = cl->next);
291 { /* No open outgoing connection has been found. */
293 syslog(LOG_NOTICE, "There is no remote host I can send this packet to.");
298 if(my_key_expiry <= time(NULL))
301 if(!cl->status.dataopen)
302 if(setup_vpn_connection(cl) < 0)
305 if(!cl->status.validkey)
307 add_queue(&(cl->sq), packet, packet->len + 2);
308 if(!cl->status.waitingforkey)
309 send_key_request(to);
313 if(!cl->status.active)
315 add_queue(&(cl->sq), packet, packet->len + 2);
317 syslog(LOG_INFO, IP_ADDR_S " is not ready, queueing packet.", IP_ADDR_V(cl->vpn_ip));
318 return 0; /* We don't want to mess up, do we? */
321 /* can we send it? can we? can we? huh? */
323 return xsend(cl, packet);
326 int send_broadcast(conn_list_t *cl, vpn_packet_t *packet)
330 for(p = cl; p != NULL; p = p->next)
331 if(send_packet(p->real_ip, packet) < 0)
333 syslog(LOG_ERR, "Could not send a broadcast packet to %08lx (%08lx): %m",
334 p->vpn_ip, p->real_ip);
335 break; /* FIXME: should retry later, and send a ping over the metaconnection. */
342 open the local ethertap device
344 int setup_tap_fd(void)
347 const char *tapfname;
350 if((cfg = get_config_val(tapdevice)) == NULL)
351 tapfname = "/dev/tap0";
353 tapfname = cfg->data.ptr;
355 if((nfd = open(tapfname, O_RDWR | O_NONBLOCK)) < 0)
357 syslog(LOG_ERR, "Could not open %s: %m", tapfname);
367 set up the socket that we listen on for incoming
370 int setup_listen_meta_socket(int port)
373 struct sockaddr_in a;
376 if((nfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
378 syslog(LOG_ERR, "Creating metasocket failed: %m");
382 if(setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)))
384 syslog(LOG_ERR, "setsockopt: %m");
388 flags = fcntl(nfd, F_GETFL);
389 if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
391 syslog(LOG_ERR, "fcntl: %m");
395 memset(&a, 0, sizeof(a));
396 a.sin_family = AF_INET;
397 a.sin_port = htons(port);
398 a.sin_addr.s_addr = htonl(INADDR_ANY);
400 if(bind(nfd, (struct sockaddr *)&a, sizeof(struct sockaddr)))
402 syslog(LOG_ERR, "Can't bind to port %hd/tcp: %m", port);
408 syslog(LOG_ERR, "listen: %m");
416 setup the socket for incoming encrypted
419 int setup_vpn_in_socket(int port)
422 struct sockaddr_in a;
425 if((nfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0)
427 syslog(LOG_ERR, "Creating socket failed: %m");
431 if(setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)))
433 syslog(LOG_ERR, "setsockopt: %m");
437 flags = fcntl(nfd, F_GETFL);
438 if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
440 syslog(LOG_ERR, "fcntl: %m");
444 memset(&a, 0, sizeof(a));
445 a.sin_family = AF_INET;
446 a.sin_port = htons(port);
447 a.sin_addr.s_addr = htonl(INADDR_ANY);
449 if(bind(nfd, (struct sockaddr *)&a, sizeof(struct sockaddr)))
451 syslog(LOG_ERR, "Can't bind to port %hd/udp: %m", port);
459 setup an outgoing meta (tcp) socket
461 int setup_outgoing_meta_socket(conn_list_t *cl)
464 struct sockaddr_in a;
467 if((cfg = get_config_val(upstreamport)) == NULL)
470 cl->port = cfg->data.val;
472 cl->meta_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
473 if(cl->meta_socket == -1)
475 syslog(LOG_ERR, "Creating socket failed: %m");
479 a.sin_family = AF_INET;
480 a.sin_port = htons(cl->port);
481 a.sin_addr.s_addr = htonl(cl->real_ip);
483 if(connect(cl->meta_socket, (struct sockaddr *)&a, sizeof(a)) == -1)
485 syslog(LOG_ERR, IP_ADDR_S ":%d: %m", IP_ADDR_V(cl->real_ip), cl->port);
489 flags = fcntl(cl->meta_socket, F_GETFL);
490 if(fcntl(cl->meta_socket, F_SETFL, flags | O_NONBLOCK) < 0)
492 syslog(LOG_ERR, "fcntl: %m");
496 cl->hostname = hostlookup(htonl(cl->real_ip));
498 syslog(LOG_INFO, "Connected to %s:%hd" , cl->hostname, cl->port);
504 setup an outgoing connection. It's not
505 necessary to also open an udp socket as
506 well, because the other host will initiate
507 an authentication sequence during which
508 we will do just that.
510 int setup_outgoing_connection(ip_t ip)
514 ncn = new_conn_list();
517 if(setup_outgoing_meta_socket(ncn) < 0)
519 syslog(LOG_ERR, "Could not set up a meta connection.");
520 free_conn_element(ncn);
524 ncn->status.meta = 1;
525 ncn->status.outgoing = 1;
526 ncn->next = conn_list;
533 set up the local sockets (listen only)
535 int setup_myself(void)
539 myself = new_conn_list();
541 if(!(cfg = get_config_val(myvpnip)))
543 syslog(LOG_ERR, "No value for my VPN IP given");
547 myself->vpn_ip = cfg->data.ip->ip;
548 myself->vpn_mask = cfg->data.ip->mask;
550 if(!(cfg = get_config_val(listenport)))
553 myself->port = cfg->data.val;
555 if((myself->meta_socket = setup_listen_meta_socket(myself->port)) < 0)
557 syslog(LOG_ERR, "Unable to set up a listening socket");
561 if((myself->socket = setup_vpn_in_socket(myself->port)) < 0)
563 syslog(LOG_ERR, "Unable to set up an incoming vpn data socket");
564 close(myself->meta_socket);
568 myself->status.active = 1;
570 syslog(LOG_NOTICE, "Ready: listening on port %d.", myself->port);
576 setup all initial network connections
578 int setup_network_connections(void)
582 if((cfg = get_config_val(pingtimeout)) == NULL)
585 timeout = cfg->data.val;
587 if(setup_tap_fd() < 0)
590 if(setup_myself() < 0)
593 if((cfg = get_config_val(upstreamip)) == NULL)
594 /* No upstream IP given, we're listen only. */
597 if(setup_outgoing_connection(cfg->data.ip->ip))
604 sigalrm_handler(int a)
607 static int seconds_till_retry;
609 cfg = get_config_val(upstreamip);
611 if(!setup_outgoing_connection(cfg->data.ip->ip))
613 signal(SIGALRM, SIG_IGN);
614 seconds_till_retry = 5;
618 signal(SIGALRM, sigalrm_handler);
619 seconds_till_retry += 5;
620 alarm(seconds_till_retry);
621 syslog(LOG_ERR, "Still failed to connect to other. Will retry in %d seconds.",
628 close all open network connections
630 void close_network_connections(void)
634 for(p = conn_list; p != NULL; p = p->next)
636 if(p->status.dataopen)
638 shutdown(p->socket, 0); /* No more receptions */
644 shutdown(p->meta_socket, 0); /* No more receptions */
645 close(p->meta_socket);
650 if(myself->status.active)
652 close(myself->meta_socket);
653 close(myself->socket);
659 syslog(LOG_NOTICE, "Terminating.");
665 create a data (udp) socket
667 int setup_vpn_connection(conn_list_t *cl)
670 struct sockaddr_in a;
673 syslog(LOG_DEBUG, "Opening UDP socket to " IP_ADDR_S, IP_ADDR_V(cl->real_ip));
675 nfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
678 syslog(LOG_ERR, "Creating data socket failed: %m");
682 a.sin_family = AF_INET;
683 a.sin_port = htons(cl->port);
684 a.sin_addr.s_addr = htonl(cl->real_ip);
686 if(connect(nfd, (struct sockaddr *)&a, sizeof(a)) == -1)
688 syslog(LOG_ERR, "Create connection to %08lx:%d failed: %m", ntohs(cl->real_ip),
693 flags = fcntl(nfd, F_GETFL);
694 if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
696 syslog(LOG_ERR, "This is a bug: %s:%d: %d:%m", __FILE__, __LINE__, nfd);
701 cl->status.dataopen = 1;
707 handle an incoming tcp connect call and open
710 conn_list_t *create_new_connection(int sfd)
713 struct sockaddr_in ci;
714 int len = sizeof(ci);
718 if(getpeername(sfd, &ci, &len) < 0)
720 syslog(LOG_ERR, "Error: getpeername: %m");
724 p->hostname = hostlookup(ci.sin_addr.s_addr);
725 p->real_ip = ntohl(ci.sin_addr.s_addr);
726 p->meta_socket = sfd;
729 syslog(LOG_NOTICE, "Connection from %s:%d", p->hostname, htons(ci.sin_port));
731 if(send_basic_info(p) < 0)
741 put all file descriptors in an fd_set array
743 void build_fdset(fd_set *fs)
749 for(p = conn_list; p != NULL; p = p->next)
752 FD_SET(p->meta_socket, fs);
753 if(p->status.dataopen)
754 FD_SET(p->socket, fs);
757 FD_SET(myself->meta_socket, fs);
758 FD_SET(myself->socket, fs);
764 receive incoming data from the listening
765 udp socket and write it to the ethertap
766 device after being decrypted
768 int handle_incoming_vpn_data(conn_list_t *cl)
772 int x, l = sizeof(x);
775 if(getsockopt(cl->socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0)
777 syslog(LOG_ERR, "This is a bug: %s:%d: %d:%m", __FILE__, __LINE__, cl->socket);
782 syslog(LOG_ERR, "Incoming data socket error: %s", sys_errlist[x]);
787 lenin = recvfrom(cl->socket, &rp, MTU, 0, NULL, NULL);
790 syslog(LOG_ERR, "Receiving data failed: %m");
793 total_socket_in += lenin;
796 f = lookup_conn(rp.from);
798 syslog(LOG_DEBUG, "packet from " IP_ADDR_S " (len %d)",
799 IP_ADDR_V(rp.from), rp.len);
802 syslog(LOG_ERR, "Got packet from unknown source " IP_ADDR_S,
807 if(f->status.validkey)
811 add_queue(&(f->rq), &rp, rp.len);
812 if(!cl->status.waitingforkey)
813 send_key_request(rp.from);
816 if(my_key_expiry <= time(NULL))
824 terminate a connection and notify the other
825 end before closing the sockets
827 void terminate_connection(conn_list_t *cl)
830 if(cl->status.remove)
834 syslog(LOG_NOTICE, "Closing connection with %s.", cl->hostname);
836 if(cl->status.timeout)
838 else if(!cl->status.termreq)
843 close(cl->meta_socket);
845 if(cl->status.outgoing)
848 signal(SIGALRM, sigalrm_handler);
849 syslog(LOG_NOTICE, "Try to re-establish outgoing connection in 5 seconds.");
852 cl->status.remove = 1;
857 send out a ping request to all active
860 int send_broadcast_ping(void)
864 for(p = conn_list; p != NULL; p = p->next)
868 if(p->status.active && p->status.meta)
871 terminate_connection(p);
874 p->status.pinged = 1;
875 p->status.got_pong = 0;
880 last_ping_time = time(NULL);
886 end all connections that did not respond
887 to the ping probe in time
889 int check_dead_connections(void)
893 for(p = conn_list; p != NULL; p = p->next)
897 if(p->status.active && p->status.meta && p->status.pinged && !p->status.got_pong)
899 syslog(LOG_INFO, "%s (" IP_ADDR_S ") didn't respond to ping",
900 p->hostname, IP_ADDR_V(p->vpn_ip));
901 p->status.timeout = 1;
902 terminate_connection(p);
910 accept a new tcp connect and create a
913 int handle_new_meta_connection(conn_list_t *cl)
916 struct sockaddr client;
917 int nfd, len = sizeof(struct sockaddr);
919 if((nfd = accept(cl->meta_socket, &client, &len)) < 0)
921 syslog(LOG_ERR, "Accepting a new connection failed: %m");
925 if((ncn = create_new_connection(nfd)) == NULL)
929 syslog(LOG_NOTICE, "Closed attempted connection.");
933 ncn->status.meta = 1;
934 ncn->next = conn_list;
941 dispatch any incoming meta requests
943 int handle_incoming_meta_data(conn_list_t *cl)
945 int x, l = sizeof(x), lenin;
946 unsigned char tmp[1600];
949 if(getsockopt(cl->meta_socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0)
951 syslog(LOG_ERR, "This is a bug: %s:%d: %d:%m", __FILE__, __LINE__, cl->meta_socket);
956 syslog(LOG_ERR, "Metadata socket error: %s", sys_errlist[x]);
960 if((lenin = recv(cl->meta_socket, &tmp, sizeof(tmp), 0)) <= 0)
962 syslog(LOG_ERR, "Receive failed: %m");
966 request = (int)(tmp[0]);
969 syslog(LOG_DEBUG, "got request %d", request);
971 if(request_handlers[request] == NULL)
972 syslog(LOG_ERR, "Unknown request %d.", request);
974 if(request_handlers[request](cl, tmp, lenin) < 0)
981 check all connections to see if anything
982 happened on their sockets
984 void check_network_activity(fd_set *f)
987 int x, l = sizeof(x);
989 for(p = conn_list; p != NULL; p = p->next)
995 if(FD_ISSET(p->socket, f))
998 The only thing that can happen to get us here is apparently an
999 error on this outgoing(!) UDP socket that isn't immediate (i.e.
1000 something that will not trigger an error directly on send()).
1001 I've once got here when it said `No route to host'.
1003 getsockopt(p->socket, SOL_SOCKET, SO_ERROR, &x, &l);
1004 syslog(LOG_ERR, "Outgoing data socket error: %s", sys_errlist[x]);
1005 terminate_connection(p);
1010 if(FD_ISSET(p->meta_socket, f))
1011 if(handle_incoming_meta_data(p) < 0)
1013 terminate_connection(p);
1018 if(FD_ISSET(myself->socket, f))
1019 handle_incoming_vpn_data(myself);
1021 if(FD_ISSET(myself->meta_socket, f))
1022 handle_new_meta_connection(myself);
1027 read, encrypt and send data that is
1028 available through the ethertap device
1030 void handle_tap_input(void)
1034 int ether_type, lenin;
1036 memset(&vp, 0, sizeof(vp));
1037 if((lenin = read(tap_fd, &vp, MTU)) <= 0)
1039 syslog(LOG_ERR, "Error while reading from tapdevice: %m");
1043 total_tap_in += lenin;
1045 ether_type = ntohs(*((unsigned short*)(&vp.data[12])));
1046 if(ether_type != 0x0800)
1049 syslog(LOG_INFO, "Non-IP ethernet frame %04x from " MAC_ADDR_S,
1050 ether_type, MAC_ADDR_V(vp.data[6]));
1057 syslog(LOG_INFO, "Dropping short packet");
1061 from = ntohl(*((unsigned long*)(&vp.data[26])));
1062 to = ntohl(*((unsigned long*)(&vp.data[30])));
1065 syslog(LOG_DEBUG, "An IP packet (%04x) for " IP_ADDR_S " from " IP_ADDR_S,
1066 ether_type, IP_ADDR_V(to), IP_ADDR_V(from));
1068 syslog(LOG_DEBUG, MAC_ADDR_S " to " MAC_ADDR_S,
1069 MAC_ADDR_V(vp.data[0]), MAC_ADDR_V(vp.data[6]));
1071 vp.len = (length_t)lenin - 2;
1073 strip_mac_addresses(&vp);
1075 send_packet(to, &vp);
1080 this is where it al happens...
1082 void main_loop(void)
1088 last_ping_time = time(NULL);
1092 tv.tv_sec = timeout;
1098 if((r = select(FD_SETSIZE, &fset, NULL, NULL, &tv)) < 0)
1100 if(errno == EINTR) /* because of alarm */
1102 syslog(LOG_ERR, "Error while waiting for input: %m");
1106 if(r == 0 || last_ping_time + timeout < time(NULL))
1107 /* Timeout... hm... something might be wrong. */
1109 check_dead_connections();
1110 send_broadcast_ping();
1114 check_network_activity(&fset);
1116 /* local tap data */
1117 if(FD_ISSET(tap_fd, &fset))