2 net.c -- most of the network code
3 Copyright (C) 1998,99 Ivo Timmermans <zarq@iname.com>
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; either version 2 of the License, or
8 (at your option) any later version.
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with this program; if not, write to the Free Software
17 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 #include <arpa/inet.h>
26 #include <netinet/in.h>
30 #include <sys/signal.h>
31 #include <sys/socket.h>
33 #include <sys/types.h>
50 int total_tap_out = 0;
51 int total_socket_in = 0;
52 int total_socket_out = 0;
54 time_t last_ping_time = 0;
56 /* The global list of existing connections */
57 conn_list_t *conn_list = NULL;
58 conn_list_t *myself = NULL;
61 strip off the MAC adresses of an ethernet frame
63 void strip_mac_addresses(vpn_packet_t *p)
65 unsigned char tmp[MAXSIZE];
67 memcpy(tmp, p->data, p->len);
69 memcpy(p->data, &tmp[12], p->len);
74 reassemble MAC addresses
76 void add_mac_addresses(vpn_packet_t *p)
78 unsigned char tmp[MAXSIZE];
80 memcpy(&tmp[12], p->data, p->len);
82 tmp[0] = tmp[6] = 0xfe;
83 tmp[1] = tmp[7] = 0xfd;
84 *((ip_t*)(&tmp[2])) = (ip_t)(htonl(myself->vpn_ip));
85 *((ip_t*)(&tmp[8])) = *((ip_t*)(&tmp[26]));
86 memcpy(p->data, &tmp[0], p->len);
90 int xsend(conn_list_t *cl, void *packet)
95 do_encrypt((vpn_packet_t*)packet, &rp, cl->key);
96 rp.from = htonl(myself->vpn_ip);
97 rp.data.len = htons(rp.data.len);
98 rp.len = htons(rp.len);
101 syslog(LOG_ERR, "Sent %d bytes to %lx", ntohs(rp.len), cl->vpn_ip);
103 if((r = send(cl->socket, (char*)&rp, ntohs(rp.len), 0)) < 0)
105 syslog(LOG_ERR, "Error sending data: %m");
109 total_socket_out += r;
114 int xrecv(conn_list_t *cl, void *packet)
119 do_decrypt((real_packet_t*)packet, &vp, cl->key);
120 add_mac_addresses(&vp);
122 if((lenin = write(tap_fd, &vp, vp.len + sizeof(vp.len))) < 0)
123 syslog(LOG_ERR, "Can't write to tap device: %m");
125 total_tap_out += lenin;
131 add the given packet of size s to the
132 queue q, be it the send or receive queue
134 void add_queue(packet_queue_t **q, void *packet, size_t s)
139 syslog(LOG_DEBUG, "packet to queue: %d", s);
141 e = xmalloc(sizeof(*e));
142 e->packet = xmalloc(s);
143 memcpy(e->packet, packet, s);
147 *q = xmalloc(sizeof(**q));
148 (*q)->head = (*q)->tail = NULL;
151 e->next = NULL; /* We insert at the tail */
153 if((*q)->tail) /* Do we have a tail? */
155 (*q)->tail->next = e;
156 e->prev = (*q)->tail;
158 else /* No tail -> no head too */
168 /* Remove a queue element */
169 void del_queue(packet_queue_t **q, queue_element_t *e)
174 if(e->next) /* There is a successor, so we are not tail */
176 if(e->prev) /* There is a predecessor, so we are not head */
178 e->next->prev = e->prev;
179 e->prev->next = e->next;
181 else /* We are head */
183 e->next->prev = NULL;
184 (*q)->head = e->next;
187 else /* We are tail (or all alone!) */
189 if(e->prev) /* We are not alone :) */
191 e->prev->next = NULL;
192 (*q)->tail = e->prev;
206 flush a queue by calling function for
207 each packet, and removing it when that
208 returned a zero exit code
210 void flush_queue(conn_list_t *cl, packet_queue_t **pq,
211 int (*function)(conn_list_t*,void*))
213 queue_element_t *p, *next = NULL;
215 for(p = (*pq)->head; p != NULL; )
219 if(!function(cl, p->packet))
226 syslog(LOG_DEBUG, "queue flushed");
231 flush the send&recv queues
232 void because nothing goes wrong here, packets
233 remain in the queue if something goes wrong
235 void flush_queues(conn_list_t *cl)
241 syslog(LOG_DEBUG, "Flushing send queue for " IP_ADDR_S,
242 IP_ADDR_V(cl->vpn_ip));
243 flush_queue(cl, &(cl->sq), xsend);
249 syslog(LOG_DEBUG, "Flushing receive queue for " IP_ADDR_S,
250 IP_ADDR_V(cl->vpn_ip));
251 flush_queue(cl, &(cl->rq), xrecv);
257 send a packet to the given vpn ip.
259 int send_packet(ip_t to, vpn_packet_t *packet)
264 if(!(cfg = get_config_val(proxymode))) /* In case we are in proxy mode, just send everything to our uplink. */
267 cl = lookup_conn(to);
269 if((cl = lookup_conn(to)) == NULL)
273 syslog(LOG_NOTICE, "trying to look up " IP_ADDR_S " in connection list failed.",
276 for(cl = conn_list; cl != NULL && !cl->status.outgoing; cl = cl->next);
278 { /* No open outgoing connection has been found. */
280 syslog(LOG_NOTICE, "There is no remote host I can send this packet to.");
285 if(my_key_expiry <= time(NULL))
288 if(!cl->status.dataopen)
289 if(setup_vpn_connection(cl) < 0)
292 if(!cl->status.validkey)
294 add_queue(&(cl->sq), packet, packet->len + 2);
295 if(!cl->status.waitingforkey)
296 send_key_request(cl->vpn_ip); /* Keys should be sent to the host running the tincd */
300 if(!cl->status.active)
302 add_queue(&(cl->sq), packet, packet->len + 2);
304 syslog(LOG_INFO, IP_ADDR_S " is not ready, queueing packet.", IP_ADDR_V(cl->vpn_ip));
305 return 0; /* We don't want to mess up, do we? */
308 /* can we send it? can we? can we? huh? */
310 return xsend(cl, packet);
313 int send_broadcast(conn_list_t *cl, vpn_packet_t *packet)
317 for(p = cl; p != NULL; p = p->next)
318 if(send_packet(p->real_ip, packet) < 0)
320 syslog(LOG_ERR, "Could not send a broadcast packet to %08lx (%08lx): %m",
321 p->vpn_ip, p->real_ip);
322 break; /* FIXME: should retry later, and send a ping over the metaconnection. */
329 open the local ethertap device
331 int setup_tap_fd(void)
334 const char *tapfname;
337 if((cfg = get_config_val(tapdevice)) == NULL)
338 tapfname = "/dev/tap0";
340 tapfname = cfg->data.ptr;
342 if((nfd = open(tapfname, O_RDWR | O_NONBLOCK)) < 0)
344 syslog(LOG_ERR, "Could not open %s: %m", tapfname);
354 set up the socket that we listen on for incoming
357 int setup_listen_meta_socket(int port)
360 struct sockaddr_in a;
363 if((nfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
365 syslog(LOG_ERR, "Creating metasocket failed: %m");
369 if(setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)))
371 syslog(LOG_ERR, "setsockopt: %m");
375 flags = fcntl(nfd, F_GETFL);
376 if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
378 syslog(LOG_ERR, "fcntl: %m");
382 memset(&a, 0, sizeof(a));
383 a.sin_family = AF_INET;
384 a.sin_port = htons(port);
385 a.sin_addr.s_addr = htonl(INADDR_ANY);
387 if(bind(nfd, (struct sockaddr *)&a, sizeof(struct sockaddr)))
389 syslog(LOG_ERR, "Can't bind to port %hd/tcp: %m", port);
395 syslog(LOG_ERR, "listen: %m");
403 setup the socket for incoming encrypted
406 int setup_vpn_in_socket(int port)
409 struct sockaddr_in a;
412 if((nfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0)
414 syslog(LOG_ERR, "Creating socket failed: %m");
418 if(setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)))
420 syslog(LOG_ERR, "setsockopt: %m");
424 flags = fcntl(nfd, F_GETFL);
425 if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
427 syslog(LOG_ERR, "fcntl: %m");
431 memset(&a, 0, sizeof(a));
432 a.sin_family = AF_INET;
433 a.sin_port = htons(port);
434 a.sin_addr.s_addr = htonl(INADDR_ANY);
436 if(bind(nfd, (struct sockaddr *)&a, sizeof(struct sockaddr)))
438 syslog(LOG_ERR, "Can't bind to port %hd/udp: %m", port);
446 setup an outgoing meta (tcp) socket
448 int setup_outgoing_meta_socket(conn_list_t *cl)
451 struct sockaddr_in a;
454 if((cfg = get_config_val(upstreamport)) == NULL)
457 cl->port = cfg->data.val;
459 cl->meta_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
460 if(cl->meta_socket == -1)
462 syslog(LOG_ERR, "Creating socket failed: %m");
466 a.sin_family = AF_INET;
467 a.sin_port = htons(cl->port);
468 a.sin_addr.s_addr = htonl(cl->real_ip);
470 if(connect(cl->meta_socket, (struct sockaddr *)&a, sizeof(a)) == -1)
472 syslog(LOG_ERR, IP_ADDR_S ":%d: %m", IP_ADDR_V(cl->real_ip), cl->port);
476 flags = fcntl(cl->meta_socket, F_GETFL);
477 if(fcntl(cl->meta_socket, F_SETFL, flags | O_NONBLOCK) < 0)
479 syslog(LOG_ERR, "fcntl: %m");
483 cl->hostname = hostlookup(htonl(cl->real_ip));
485 syslog(LOG_INFO, "Connected to %s:%hd" , cl->hostname, cl->port);
491 setup an outgoing connection. It's not
492 necessary to also open an udp socket as
493 well, because the other host will initiate
494 an authentication sequence during which
495 we will do just that.
497 int setup_outgoing_connection(ip_t ip)
501 ncn = new_conn_list();
504 if(setup_outgoing_meta_socket(ncn) < 0)
506 syslog(LOG_ERR, "Could not set up a meta connection.");
507 free_conn_element(ncn);
511 ncn->status.meta = 1;
512 ncn->status.outgoing = 1;
513 ncn->next = conn_list;
520 set up the local sockets (listen only)
522 int setup_myself(void)
526 myself = new_conn_list();
528 if(!(cfg = get_config_val(myvpnip)))
530 syslog(LOG_ERR, "No value for my VPN IP given");
534 myself->vpn_ip = cfg->data.ip->ip;
535 myself->vpn_mask = cfg->data.ip->mask;
537 if(!(cfg = get_config_val(listenport)))
540 myself->port = cfg->data.val;
542 if((myself->meta_socket = setup_listen_meta_socket(myself->port)) < 0)
544 syslog(LOG_ERR, "Unable to set up a listening socket");
548 if((myself->socket = setup_vpn_in_socket(myself->port)) < 0)
550 syslog(LOG_ERR, "Unable to set up an incoming vpn data socket");
551 close(myself->meta_socket);
555 myself->status.active = 1;
557 syslog(LOG_NOTICE, "Ready: listening on port %d.", myself->port);
563 setup all initial network connections
565 int setup_network_connections(void)
569 if((cfg = get_config_val(pingtimeout)) == NULL)
572 timeout = cfg->data.val;
574 if(setup_tap_fd() < 0)
577 if(setup_myself() < 0)
580 if((cfg = get_config_val(upstreamip)) == NULL)
581 /* No upstream IP given, we're listen only. */
584 if(setup_outgoing_connection(cfg->data.ip->ip))
591 sigalrm_handler(int a)
594 static int seconds_till_retry;
596 cfg = get_config_val(upstreamip);
598 if(!setup_outgoing_connection(cfg->data.ip->ip))
600 signal(SIGALRM, SIG_IGN);
601 seconds_till_retry = 5;
605 signal(SIGALRM, sigalrm_handler);
606 seconds_till_retry += 5;
607 alarm(seconds_till_retry);
608 syslog(LOG_ERR, "Still failed to connect to other. Will retry in %d seconds.",
615 close all open network connections
617 void close_network_connections(void)
621 for(p = conn_list; p != NULL; p = p->next)
623 if(p->status.dataopen)
625 shutdown(p->socket, 0); /* No more receptions */
631 shutdown(p->meta_socket, 0); /* No more receptions */
632 close(p->meta_socket);
637 if(myself->status.active)
639 close(myself->meta_socket);
640 close(myself->socket);
646 syslog(LOG_NOTICE, "Terminating.");
652 create a data (udp) socket
654 int setup_vpn_connection(conn_list_t *cl)
657 struct sockaddr_in a;
660 syslog(LOG_DEBUG, "Opening UDP socket to " IP_ADDR_S, IP_ADDR_V(cl->real_ip));
662 nfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
665 syslog(LOG_ERR, "Creating data socket failed: %m");
669 a.sin_family = AF_INET;
670 a.sin_port = htons(cl->port);
671 a.sin_addr.s_addr = htonl(cl->real_ip);
673 if(connect(nfd, (struct sockaddr *)&a, sizeof(a)) == -1)
675 syslog(LOG_ERR, "Create connection to %08lx:%d failed: %m", ntohs(cl->real_ip),
680 flags = fcntl(nfd, F_GETFL);
681 if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
683 syslog(LOG_ERR, "This is a bug: %s:%d: %d:%m", __FILE__, __LINE__, nfd);
688 cl->status.dataopen = 1;
694 handle an incoming tcp connect call and open
697 conn_list_t *create_new_connection(int sfd)
700 struct sockaddr_in ci;
701 int len = sizeof(ci);
705 if(getpeername(sfd, &ci, &len) < 0)
707 syslog(LOG_ERR, "Error: getpeername: %m");
711 p->hostname = hostlookup(ci.sin_addr.s_addr);
712 p->real_ip = ntohl(ci.sin_addr.s_addr);
713 p->meta_socket = sfd;
717 syslog(LOG_NOTICE, "Connection from %s:%d", p->hostname, htons(ci.sin_port));
719 if(send_basic_info(p) < 0)
729 put all file descriptors in an fd_set array
731 void build_fdset(fd_set *fs)
737 for(p = conn_list; p != NULL; p = p->next)
740 FD_SET(p->meta_socket, fs);
741 if(p->status.dataopen)
742 FD_SET(p->socket, fs);
745 FD_SET(myself->meta_socket, fs);
746 FD_SET(myself->socket, fs);
752 receive incoming data from the listening
753 udp socket and write it to the ethertap
754 device after being decrypted
756 int handle_incoming_vpn_data(conn_list_t *cl)
760 int x, l = sizeof(x);
763 if(getsockopt(cl->socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0)
765 syslog(LOG_ERR, "This is a bug: %s:%d: %d:%m", __FILE__, __LINE__, cl->socket);
770 syslog(LOG_ERR, "Incoming data socket error: %s", sys_errlist[x]);
775 lenin = recvfrom(cl->socket, &rp, MTU, 0, NULL, NULL);
778 syslog(LOG_ERR, "Receiving data failed: %m");
781 total_socket_in += lenin;
783 rp.data.len = ntohs(rp.data.len);
784 rp.len = ntohs(rp.len);
785 rp.from = ntohl(rp.from);
789 f = lookup_conn(rp.from);
791 syslog(LOG_DEBUG, "packet from " IP_ADDR_S " (len %d)",
792 IP_ADDR_V(rp.from), rp.len);
795 syslog(LOG_ERR, "Got packet from unknown source " IP_ADDR_S,
800 if(f->status.validkey)
804 add_queue(&(f->rq), &rp, rp.len);
805 if(!cl->status.waitingforkey)
806 send_key_request(rp.from);
809 if(my_key_expiry <= time(NULL))
817 terminate a connection and notify the other
818 end before closing the sockets
820 void terminate_connection(conn_list_t *cl)
823 if(cl->status.remove)
827 syslog(LOG_NOTICE, "Closing connection with %s.", cl->hostname);
829 if(cl->status.timeout)
831 else if(!cl->status.termreq)
836 close(cl->meta_socket);
838 if(cl->status.outgoing)
841 signal(SIGALRM, sigalrm_handler);
842 syslog(LOG_NOTICE, "Try to re-establish outgoing connection in 5 seconds.");
845 cl->status.remove = 1;
850 send out a ping request to all active
853 int send_broadcast_ping(void)
857 for(p = conn_list; p != NULL; p = p->next)
861 if(p->status.active && p->status.meta)
864 terminate_connection(p);
867 p->status.pinged = 1;
868 p->status.got_pong = 0;
873 last_ping_time = time(NULL);
879 end all connections that did not respond
880 to the ping probe in time
882 int check_dead_connections(void)
886 for(p = conn_list; p != NULL; p = p->next)
890 if(p->status.active && p->status.meta && p->status.pinged && !p->status.got_pong)
892 syslog(LOG_INFO, "%s (" IP_ADDR_S ") didn't respond to ping",
893 p->hostname, IP_ADDR_V(p->vpn_ip));
894 p->status.timeout = 1;
895 terminate_connection(p);
903 accept a new tcp connect and create a
906 int handle_new_meta_connection(conn_list_t *cl)
909 struct sockaddr client;
910 int nfd, len = sizeof(client);
912 if((nfd = accept(cl->meta_socket, &client, &len)) < 0)
914 syslog(LOG_ERR, "Accepting a new connection failed: %m");
918 if((ncn = create_new_connection(nfd)) == NULL)
922 syslog(LOG_NOTICE, "Closed attempted connection.");
926 ncn->status.meta = 1;
927 ncn->next = conn_list;
934 dispatch any incoming meta requests
936 int handle_incoming_meta_data(conn_list_t *cl)
938 int x, l = sizeof(x);
939 int request, oldlen, i;
942 if(getsockopt(cl->meta_socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0)
944 syslog(LOG_ERR, "This is a bug: %s:%d: %d:%m", __FILE__, __LINE__, cl->meta_socket);
949 syslog(LOG_ERR, "Metadata socket error: %s", sys_errlist[x]);
953 if(cl->buflen >= MAXBUFSIZE)
955 syslog(LOG_ERR, "Metadata read buffer full! Discarding contents.");
959 lenin = read(cl->meta_socket, cl->buffer, MAXBUFSIZE-cl->buflen);
963 syslog(LOG_ERR, "Metadata socket read error: %m");
974 for(i = oldlen; i < cl->buflen; i++)
976 if(cl->buffer[i] == '\n')
978 cl->buffer[i] = 0; /* replace end-of-line by end-of-string so we can use sscanf */
986 if(sscanf(cl->buffer, "%d", &request) == 1)
988 if(request_handlers[request] == NULL)
990 syslog(LOG_ERR, "Unknown request: %s", cl->buffer);
995 syslog(LOG_DEBUG, "Got request: %s", cl->buffer);
997 request_handlers[request](cl);
1001 syslog(LOG_ERR, "Bogus data received: %s", cl->buffer);
1004 cl->buflen -= cl->reqlen;
1005 memmove(cl->buffer, cl->buffer + cl->reqlen, cl->buflen);
1018 check all connections to see if anything
1019 happened on their sockets
1021 void check_network_activity(fd_set *f)
1024 int x, l = sizeof(x);
1026 for(p = conn_list; p != NULL; p = p->next)
1028 if(p->status.remove)
1031 if(p->status.dataopen)
1032 if(FD_ISSET(p->socket, f))
1035 The only thing that can happen to get us here is apparently an
1036 error on this outgoing(!) UDP socket that isn't immediate (i.e.
1037 something that will not trigger an error directly on send()).
1038 I've once got here when it said `No route to host'.
1040 getsockopt(p->socket, SOL_SOCKET, SO_ERROR, &x, &l);
1041 syslog(LOG_ERR, "Outgoing data socket error: %s", sys_errlist[x]);
1042 terminate_connection(p);
1047 if(FD_ISSET(p->meta_socket, f))
1048 if(handle_incoming_meta_data(p) < 0)
1050 terminate_connection(p);
1055 if(FD_ISSET(myself->socket, f))
1056 handle_incoming_vpn_data(myself);
1058 if(FD_ISSET(myself->meta_socket, f))
1059 handle_new_meta_connection(myself);
1064 read, encrypt and send data that is
1065 available through the ethertap device
1067 void handle_tap_input(void)
1071 int ether_type, lenin;
1073 memset(&vp, 0, sizeof(vp));
1074 if((lenin = read(tap_fd, &vp, MTU)) <= 0)
1076 syslog(LOG_ERR, "Error while reading from tapdevice: %m");
1080 total_tap_in += lenin;
1082 ether_type = ntohs(*((unsigned short*)(&vp.data[12])));
1083 if(ether_type != 0x0800)
1086 syslog(LOG_INFO, "Non-IP ethernet frame %04x from " MAC_ADDR_S,
1087 ether_type, MAC_ADDR_V(vp.data[6]));
1094 syslog(LOG_INFO, "Dropping short packet");
1098 from = ntohl(*((unsigned long*)(&vp.data[26])));
1099 to = ntohl(*((unsigned long*)(&vp.data[30])));
1102 syslog(LOG_DEBUG, "An IP packet (%04x) for " IP_ADDR_S " from " IP_ADDR_S,
1103 ether_type, IP_ADDR_V(to), IP_ADDR_V(from));
1105 syslog(LOG_DEBUG, MAC_ADDR_S " to " MAC_ADDR_S,
1106 MAC_ADDR_V(vp.data[0]), MAC_ADDR_V(vp.data[6]));
1108 vp.len = (length_t)lenin - 2;
1110 strip_mac_addresses(&vp);
1112 send_packet(to, &vp);
1117 this is where it all happens...
1119 void main_loop(void)
1125 last_ping_time = time(NULL);
1129 tv.tv_sec = timeout;
1135 if((r = select(FD_SETSIZE, &fset, NULL, NULL, &tv)) < 0)
1137 if(errno == EINTR) /* because of alarm */
1139 syslog(LOG_ERR, "Error while waiting for input: %m");
1143 if(r == 0 || last_ping_time + timeout < time(NULL))
1144 /* Timeout... hm... something might be wrong. */
1146 check_dead_connections();
1147 send_broadcast_ping();
1151 check_network_activity(&fset);
1153 /* local tap data */
1154 if(FD_ISSET(tap_fd, &fset))