2 net.c -- most of the network code
3 Copyright (C) 1998,1999,2000 Ivo Timmermans <zarq@iname.com>
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; either version 2 of the License, or
8 (at your option) any later version.
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with this program; if not, write to the Free Software
17 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 #include <arpa/inet.h>
26 #include <netinet/in.h>
30 #include <sys/signal.h>
31 #include <sys/socket.h>
33 #include <sys/types.h>
50 int total_tap_out = 0;
51 int total_socket_in = 0;
52 int total_socket_out = 0;
54 /* The global list of existing connections */
55 conn_list_t *conn_list = NULL;
56 conn_list_t *myself = NULL;
59 strip off the MAC adresses of an ethernet frame
61 void strip_mac_addresses(vpn_packet_t *p)
63 unsigned char tmp[MAXSIZE];
65 memcpy(tmp, p->data, p->len);
67 memcpy(p->data, &tmp[12], p->len);
72 reassemble MAC addresses
74 void add_mac_addresses(vpn_packet_t *p)
76 unsigned char tmp[MAXSIZE];
78 memcpy(&tmp[12], p->data, p->len);
80 tmp[0] = tmp[6] = 0xfe;
81 tmp[1] = tmp[7] = 0xfd;
82 *((ip_t*)(&tmp[2])) = (ip_t)(htonl(myself->vpn_ip));
83 *((ip_t*)(&tmp[8])) = *((ip_t*)(&tmp[26]));
84 memcpy(p->data, &tmp[0], p->len);
88 int xsend(conn_list_t *cl, void *packet)
93 do_encrypt((vpn_packet_t*)packet, &rp, cl->key);
94 rp.from = htonl(myself->vpn_ip);
95 rp.data.len = htons(rp.data.len);
96 rp.len = htons(rp.len);
99 syslog(LOG_ERR, "Sent %d bytes to %lx", ntohs(rp.len), cl->vpn_ip);
101 if((r = send(cl->socket, (char*)&rp, ntohs(rp.len), 0)) < 0)
103 syslog(LOG_ERR, "Error sending data: %m");
107 total_socket_out += r;
114 int xrecv(conn_list_t *cl, void *packet)
119 do_decrypt((real_packet_t*)packet, &vp, cl->key);
120 add_mac_addresses(&vp);
122 if((lenin = write(tap_fd, &vp, vp.len + sizeof(vp.len))) < 0)
123 syslog(LOG_ERR, "Can't write to tap device: %m");
125 total_tap_out += lenin;
128 cl->last_ping_time = time(NULL);
134 add the given packet of size s to the
135 queue q, be it the send or receive queue
137 void add_queue(packet_queue_t **q, void *packet, size_t s)
142 syslog(LOG_DEBUG, "packet to queue: %d", s);
144 e = xmalloc(sizeof(*e));
145 e->packet = xmalloc(s);
146 memcpy(e->packet, packet, s);
150 *q = xmalloc(sizeof(**q));
151 (*q)->head = (*q)->tail = NULL;
154 e->next = NULL; /* We insert at the tail */
156 if((*q)->tail) /* Do we have a tail? */
158 (*q)->tail->next = e;
159 e->prev = (*q)->tail;
161 else /* No tail -> no head too */
171 /* Remove a queue element */
172 void del_queue(packet_queue_t **q, queue_element_t *e)
177 if(e->next) /* There is a successor, so we are not tail */
179 if(e->prev) /* There is a predecessor, so we are not head */
181 e->next->prev = e->prev;
182 e->prev->next = e->next;
184 else /* We are head */
186 e->next->prev = NULL;
187 (*q)->head = e->next;
190 else /* We are tail (or all alone!) */
192 if(e->prev) /* We are not alone :) */
194 e->prev->next = NULL;
195 (*q)->tail = e->prev;
209 flush a queue by calling function for
210 each packet, and removing it when that
211 returned a zero exit code
213 void flush_queue(conn_list_t *cl, packet_queue_t **pq,
214 int (*function)(conn_list_t*,void*))
216 queue_element_t *p, *next = NULL;
218 for(p = (*pq)->head; p != NULL; )
222 if(!function(cl, p->packet))
229 syslog(LOG_DEBUG, "queue flushed");
234 flush the send&recv queues
235 void because nothing goes wrong here, packets
236 remain in the queue if something goes wrong
238 void flush_queues(conn_list_t *cl)
244 syslog(LOG_DEBUG, "Flushing send queue for " IP_ADDR_S,
245 IP_ADDR_V(cl->vpn_ip));
246 flush_queue(cl, &(cl->sq), xsend);
252 syslog(LOG_DEBUG, "Flushing receive queue for " IP_ADDR_S,
253 IP_ADDR_V(cl->vpn_ip));
254 flush_queue(cl, &(cl->rq), xrecv);
260 send a packet to the given vpn ip.
262 int send_packet(ip_t to, vpn_packet_t *packet)
266 if((cl = lookup_conn(to)) == NULL)
270 syslog(LOG_NOTICE, "trying to look up " IP_ADDR_S " in connection list failed.",
273 for(cl = conn_list; cl != NULL && !cl->status.outgoing; cl = cl->next);
275 { /* No open outgoing connection has been found. */
277 syslog(LOG_NOTICE, "There is no remote host I can send this packet to.");
282 if(my_key_expiry <= time(NULL))
285 if(!cl->status.dataopen)
286 if(setup_vpn_connection(cl) < 0)
289 if(!cl->status.validkey)
291 add_queue(&(cl->sq), packet, packet->len + 2);
292 if(!cl->status.waitingforkey)
293 send_key_request(cl->vpn_ip); /* Keys should be sent to the host running the tincd */
297 if(!cl->status.active)
299 add_queue(&(cl->sq), packet, packet->len + 2);
301 syslog(LOG_INFO, IP_ADDR_S " is not ready, queueing packet.", IP_ADDR_V(cl->vpn_ip));
302 return 0; /* We don't want to mess up, do we? */
305 /* can we send it? can we? can we? huh? */
307 return xsend(cl, packet);
311 open the local ethertap device
313 int setup_tap_fd(void)
316 const char *tapfname;
319 if((cfg = get_config_val(tapdevice)) == NULL)
320 tapfname = "/dev/tap0";
322 tapfname = cfg->data.ptr;
324 if((nfd = open(tapfname, O_RDWR | O_NONBLOCK)) < 0)
326 syslog(LOG_ERR, "Could not open %s: %m", tapfname);
336 set up the socket that we listen on for incoming
339 int setup_listen_meta_socket(int port)
342 struct sockaddr_in a;
345 if((nfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
347 syslog(LOG_ERR, "Creating metasocket failed: %m");
351 if(setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)))
353 syslog(LOG_ERR, "setsockopt: %m");
357 flags = fcntl(nfd, F_GETFL);
358 if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
360 syslog(LOG_ERR, "fcntl: %m");
364 memset(&a, 0, sizeof(a));
365 a.sin_family = AF_INET;
366 a.sin_port = htons(port);
367 a.sin_addr.s_addr = htonl(INADDR_ANY);
369 if(bind(nfd, (struct sockaddr *)&a, sizeof(struct sockaddr)))
371 syslog(LOG_ERR, "Can't bind to port %hd/tcp: %m", port);
377 syslog(LOG_ERR, "listen: %m");
385 setup the socket for incoming encrypted
388 int setup_vpn_in_socket(int port)
391 struct sockaddr_in a;
394 if((nfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0)
396 syslog(LOG_ERR, "Creating socket failed: %m");
400 if(setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)))
402 syslog(LOG_ERR, "setsockopt: %m");
406 flags = fcntl(nfd, F_GETFL);
407 if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
409 syslog(LOG_ERR, "fcntl: %m");
413 memset(&a, 0, sizeof(a));
414 a.sin_family = AF_INET;
415 a.sin_port = htons(port);
416 a.sin_addr.s_addr = htonl(INADDR_ANY);
418 if(bind(nfd, (struct sockaddr *)&a, sizeof(struct sockaddr)))
420 syslog(LOG_ERR, "Can't bind to port %hd/udp: %m", port);
428 setup an outgoing meta (tcp) socket
430 int setup_outgoing_meta_socket(conn_list_t *cl)
433 struct sockaddr_in a;
436 if((cfg = get_config_val(upstreamport)) == NULL)
439 cl->port = cfg->data.val;
441 cl->meta_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
442 if(cl->meta_socket == -1)
444 syslog(LOG_ERR, "Creating socket failed: %m");
448 a.sin_family = AF_INET;
449 a.sin_port = htons(cl->port);
450 a.sin_addr.s_addr = htonl(cl->real_ip);
452 if(connect(cl->meta_socket, (struct sockaddr *)&a, sizeof(a)) == -1)
454 syslog(LOG_ERR, IP_ADDR_S ":%d: %m", IP_ADDR_V(cl->real_ip), cl->port);
458 flags = fcntl(cl->meta_socket, F_GETFL);
459 if(fcntl(cl->meta_socket, F_SETFL, flags | O_NONBLOCK) < 0)
461 syslog(LOG_ERR, "fcntl: %m");
465 cl->hostname = hostlookup(htonl(cl->real_ip));
467 syslog(LOG_INFO, "Connected to %s:%hd" , cl->hostname, cl->port);
473 setup an outgoing connection. It's not
474 necessary to also open an udp socket as
475 well, because the other host will initiate
476 an authentication sequence during which
477 we will do just that.
479 int setup_outgoing_connection(ip_t ip)
483 ncn = new_conn_list();
486 if(setup_outgoing_meta_socket(ncn) < 0)
488 syslog(LOG_ERR, "Could not set up a meta connection.");
489 free_conn_element(ncn);
493 ncn->status.meta = 1;
494 ncn->status.outgoing = 1;
495 ncn->next = conn_list;
502 set up the local sockets (listen only)
504 int setup_myself(void)
508 myself = new_conn_list();
510 if(!(cfg = get_config_val(myvpnip)))
512 syslog(LOG_ERR, "No value for my VPN IP given");
516 myself->vpn_ip = cfg->data.ip->ip;
517 myself->vpn_mask = cfg->data.ip->mask;
519 if(!(cfg = get_config_val(listenport)))
522 myself->port = cfg->data.val;
524 if((myself->meta_socket = setup_listen_meta_socket(myself->port)) < 0)
526 syslog(LOG_ERR, "Unable to set up a listening socket");
530 if((myself->socket = setup_vpn_in_socket(myself->port)) < 0)
532 syslog(LOG_ERR, "Unable to set up an incoming vpn data socket");
533 close(myself->meta_socket);
537 myself->status.active = 1;
539 syslog(LOG_NOTICE, "Ready: listening on port %d.", myself->port);
545 setup all initial network connections
547 int setup_network_connections(void)
551 if((cfg = get_config_val(pingtimeout)) == NULL)
554 timeout = cfg->data.val;
556 if(setup_tap_fd() < 0)
559 if(setup_myself() < 0)
562 if((cfg = get_config_val(upstreamip)) == NULL)
563 /* No upstream IP given, we're listen only. */
566 if(setup_outgoing_connection(cfg->data.ip->ip))
573 sigalrm_handler(int a)
576 static int seconds_till_retry;
578 cfg = get_config_val(upstreamip);
580 if(!setup_outgoing_connection(cfg->data.ip->ip))
582 signal(SIGALRM, SIG_IGN);
583 seconds_till_retry = 5;
587 signal(SIGALRM, sigalrm_handler);
588 seconds_till_retry += 5;
589 alarm(seconds_till_retry);
590 syslog(LOG_ERR, "Still failed to connect to other. Will retry in %d seconds.",
597 close all open network connections
599 void close_network_connections(void)
603 for(p = conn_list; p != NULL; p = p->next)
605 if(p->status.dataopen)
607 shutdown(p->socket, 0); /* No more receptions */
613 shutdown(p->meta_socket, 0); /* No more receptions */
614 close(p->meta_socket);
619 if(myself->status.active)
621 close(myself->meta_socket);
622 close(myself->socket);
628 syslog(LOG_NOTICE, "Terminating.");
634 create a data (udp) socket
636 int setup_vpn_connection(conn_list_t *cl)
639 struct sockaddr_in a;
642 syslog(LOG_DEBUG, "Opening UDP socket to " IP_ADDR_S, IP_ADDR_V(cl->real_ip));
644 nfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
647 syslog(LOG_ERR, "Creating data socket failed: %m");
651 a.sin_family = AF_INET;
652 a.sin_port = htons(cl->port);
653 a.sin_addr.s_addr = htonl(cl->real_ip);
655 if(connect(nfd, (struct sockaddr *)&a, sizeof(a)) == -1)
657 syslog(LOG_ERR, "Create connection to %08lx:%d failed: %m", ntohs(cl->real_ip),
662 flags = fcntl(nfd, F_GETFL);
663 if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
665 syslog(LOG_ERR, "This is a bug: %s:%d: %d:%m", __FILE__, __LINE__, nfd);
670 cl->status.dataopen = 1;
676 handle an incoming tcp connect call and open
679 conn_list_t *create_new_connection(int sfd)
682 struct sockaddr_in ci;
683 int len = sizeof(ci);
687 if(getpeername(sfd, &ci, &len) < 0)
689 syslog(LOG_ERR, "Error: getpeername: %m");
693 p->hostname = hostlookup(ci.sin_addr.s_addr);
694 p->real_ip = ntohl(ci.sin_addr.s_addr);
695 p->meta_socket = sfd;
698 p->last_ping_time = time(NULL);
701 syslog(LOG_NOTICE, "Connection from %s:%d", p->hostname, htons(ci.sin_port));
703 if(send_basic_info(p) < 0)
713 put all file descriptors in an fd_set array
715 void build_fdset(fd_set *fs)
721 for(p = conn_list; p != NULL; p = p->next)
724 FD_SET(p->meta_socket, fs);
725 if(p->status.dataopen)
726 FD_SET(p->socket, fs);
729 FD_SET(myself->meta_socket, fs);
730 FD_SET(myself->socket, fs);
736 receive incoming data from the listening
737 udp socket and write it to the ethertap
738 device after being decrypted
740 int handle_incoming_vpn_data(conn_list_t *cl)
744 int x, l = sizeof(x);
747 if(getsockopt(cl->socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0)
749 syslog(LOG_ERR, "This is a bug: %s:%d: %d:%m", __FILE__, __LINE__, cl->socket);
754 syslog(LOG_ERR, "Incoming data socket error: %s", sys_errlist[x]);
759 lenin = recvfrom(cl->socket, &rp, MTU, 0, NULL, NULL);
762 syslog(LOG_ERR, "Receiving data failed: %m");
765 total_socket_in += lenin;
767 rp.data.len = ntohs(rp.data.len);
768 rp.len = ntohs(rp.len);
769 rp.from = ntohl(rp.from);
773 f = lookup_conn(rp.from);
775 syslog(LOG_DEBUG, "packet from " IP_ADDR_S " (len %d)",
776 IP_ADDR_V(rp.from), rp.len);
779 syslog(LOG_ERR, "Got packet from unknown source " IP_ADDR_S,
784 if(f->status.validkey)
788 add_queue(&(f->rq), &rp, rp.len);
789 if(!cl->status.waitingforkey)
790 send_key_request(rp.from);
793 if(my_key_expiry <= time(NULL))
801 terminate a connection and notify the other
802 end before closing the sockets
804 void terminate_connection(conn_list_t *cl)
807 if(cl->status.remove)
811 syslog(LOG_NOTICE, "Closing connection with %s.", cl->hostname);
813 if(cl->status.timeout)
815 else if(!cl->status.termreq)
820 close(cl->meta_socket);
822 if(cl->status.outgoing)
825 signal(SIGALRM, sigalrm_handler);
826 syslog(LOG_NOTICE, "Try to re-establish outgoing connection in 5 seconds.");
829 cl->status.remove = 1;
834 Check if the other end is active.
835 If we have sent packets, but didn't receive any,
836 then possibly the other end is dead. We send a
837 PING request over the meta connection. If the other
838 end does not reply in time, we consider them dead
839 and close the connection.
841 int check_dead_connections(void)
847 for(p = conn_list; p != NULL; p = p->next)
851 if(p->status.active && p->status.meta)
853 if(p->last_ping_time + timeout < now)
854 if(p->status.pinged && !p->status.got_pong)
856 syslog(LOG_INFO, "%s (" IP_ADDR_S ") didn't respond to ping",
857 p->hostname, IP_ADDR_V(p->vpn_ip));
858 p->status.timeout = 1;
859 terminate_connection(p);
861 else if(p->want_ping)
864 p->last_ping_time = now;
865 p->status.pinged = 1;
866 p->status.get_pong = 0;
876 accept a new tcp connect and create a
879 int handle_new_meta_connection(conn_list_t *cl)
882 struct sockaddr client;
883 int nfd, len = sizeof(client);
885 if((nfd = accept(cl->meta_socket, &client, &len)) < 0)
887 syslog(LOG_ERR, "Accepting a new connection failed: %m");
891 if((ncn = create_new_connection(nfd)) == NULL)
895 syslog(LOG_NOTICE, "Closed attempted connection.");
899 ncn->status.meta = 1;
900 ncn->next = conn_list;
907 dispatch any incoming meta requests
909 int handle_incoming_meta_data(conn_list_t *cl)
911 int x, l = sizeof(x);
912 int request, oldlen, i;
915 if(getsockopt(cl->meta_socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0)
917 syslog(LOG_ERR, "This is a bug: %s:%d: %d:%m", __FILE__, __LINE__, cl->meta_socket);
922 syslog(LOG_ERR, "Metadata socket error: %s", sys_errlist[x]);
926 if(cl->buflen >= MAXBUFSIZE)
928 syslog(LOG_ERR, "Metadata read buffer full! Discarding contents.");
932 lenin = read(cl->meta_socket, cl->buffer, MAXBUFSIZE-cl->buflen);
936 syslog(LOG_ERR, "Metadata socket read error: %m");
947 for(i = oldlen; i < cl->buflen; i++)
949 if(cl->buffer[i] == '\n')
951 cl->buffer[i] = 0; /* replace end-of-line by end-of-string so we can use sscanf */
959 if(sscanf(cl->buffer, "%d", &request) == 1)
961 if(request_handlers[request] == NULL)
963 syslog(LOG_ERR, "Unknown request: %s", cl->buffer);
968 syslog(LOG_DEBUG, "Got request: %s", cl->buffer);
970 request_handlers[request](cl);
974 syslog(LOG_ERR, "Bogus data received: %s", cl->buffer);
977 cl->buflen -= cl->reqlen;
978 memmove(cl->buffer, cl->buffer + cl->reqlen, cl->buflen);
987 cl->last_ping_time = time(NULL);
994 check all connections to see if anything
995 happened on their sockets
997 void check_network_activity(fd_set *f)
1000 int x, l = sizeof(x);
1002 for(p = conn_list; p != NULL; p = p->next)
1004 if(p->status.remove)
1007 if(p->status.dataopen)
1008 if(FD_ISSET(p->socket, f))
1011 The only thing that can happen to get us here is apparently an
1012 error on this outgoing(!) UDP socket that isn't immediate (i.e.
1013 something that will not trigger an error directly on send()).
1014 I've once got here when it said `No route to host'.
1016 getsockopt(p->socket, SOL_SOCKET, SO_ERROR, &x, &l);
1017 syslog(LOG_ERR, "Outgoing data socket error: %s", sys_errlist[x]);
1018 terminate_connection(p);
1023 if(FD_ISSET(p->meta_socket, f))
1024 if(handle_incoming_meta_data(p) < 0)
1026 terminate_connection(p);
1031 if(FD_ISSET(myself->socket, f))
1032 handle_incoming_vpn_data(myself);
1034 if(FD_ISSET(myself->meta_socket, f))
1035 handle_new_meta_connection(myself);
1040 read, encrypt and send data that is
1041 available through the ethertap device
1043 void handle_tap_input(void)
1047 int ether_type, lenin;
1049 memset(&vp, 0, sizeof(vp));
1050 if((lenin = read(tap_fd, &vp, MTU)) <= 0)
1052 syslog(LOG_ERR, "Error while reading from tapdevice: %m");
1056 total_tap_in += lenin;
1058 ether_type = ntohs(*((unsigned short*)(&vp.data[12])));
1059 if(ether_type != 0x0800)
1062 syslog(LOG_INFO, "Non-IP ethernet frame %04x from " MAC_ADDR_S,
1063 ether_type, MAC_ADDR_V(vp.data[6]));
1070 syslog(LOG_INFO, "Dropping short packet");
1074 from = ntohl(*((unsigned long*)(&vp.data[26])));
1075 to = ntohl(*((unsigned long*)(&vp.data[30])));
1078 syslog(LOG_DEBUG, "An IP packet (%04x) for " IP_ADDR_S " from " IP_ADDR_S,
1079 ether_type, IP_ADDR_V(to), IP_ADDR_V(from));
1081 syslog(LOG_DEBUG, MAC_ADDR_S " to " MAC_ADDR_S,
1082 MAC_ADDR_V(vp.data[0]), MAC_ADDR_V(vp.data[6]));
1084 vp.len = (length_t)lenin - 2;
1086 strip_mac_addresses(&vp);
1088 send_packet(to, &vp);
1093 this is where it all happens...
1095 void main_loop(void)
1100 time_t last_ping_check;
1102 last_ping_check = time(NULL);
1106 tv.tv_sec = timeout;
1112 if((r = select(FD_SETSIZE, &fset, NULL, NULL, &tv)) < 0)
1114 if(errno == EINTR) /* because of alarm */
1116 syslog(LOG_ERR, "Error while waiting for input: %m");
1120 if(last_ping_check + timeout < time(NULL))
1121 /* Let's check if everybody is still alive */
1123 check_dead_connections();
1124 last_ping_check = time(NULL);
1128 check_network_activity(&fset);
1130 /* local tap data */
1131 if(FD_ISSET(tap_fd, &fset))