2 net.c -- most of the network code
3 Copyright (C) 1998,1999,2000 Ivo Timmermans <zarq@iname.com>
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; either version 2 of the License, or
8 (at your option) any later version.
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with this program; if not, write to the Free Software
17 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 #include <arpa/inet.h>
26 #include <netinet/in.h>
30 #include <sys/signal.h>
31 #include <sys/socket.h>
33 #include <sys/types.h>
50 int total_tap_out = 0;
51 int total_socket_in = 0;
52 int total_socket_out = 0;
54 time_t last_ping_time = 0;
56 /* The global list of existing connections */
57 conn_list_t *conn_list = NULL;
58 conn_list_t *myself = NULL;
61 strip off the MAC adresses of an ethernet frame
63 void strip_mac_addresses(vpn_packet_t *p)
65 unsigned char tmp[MAXSIZE];
67 memcpy(tmp, p->data, p->len);
69 memcpy(p->data, &tmp[12], p->len);
74 reassemble MAC addresses
76 void add_mac_addresses(vpn_packet_t *p)
78 unsigned char tmp[MAXSIZE];
80 memcpy(&tmp[12], p->data, p->len);
82 tmp[0] = tmp[6] = 0xfe;
83 tmp[1] = tmp[7] = 0xfd;
84 *((ip_t*)(&tmp[2])) = (ip_t)(htonl(myself->vpn_ip));
85 *((ip_t*)(&tmp[8])) = *((ip_t*)(&tmp[26]));
86 memcpy(p->data, &tmp[0], p->len);
90 int xsend(conn_list_t *cl, void *packet)
95 do_encrypt((vpn_packet_t*)packet, &rp, cl->key);
96 rp.from = htonl(myself->vpn_ip);
97 rp.data.len = htons(rp.data.len);
98 rp.len = htons(rp.len);
101 syslog(LOG_ERR, "Sent %d bytes to %lx", ntohs(rp.len), cl->vpn_ip);
103 if((r = send(cl->socket, (char*)&rp, ntohs(rp.len), 0)) < 0)
105 syslog(LOG_ERR, "Error sending data: %m");
109 total_socket_out += r;
114 int xrecv(conn_list_t *cl, void *packet)
119 do_decrypt((real_packet_t*)packet, &vp, cl->key);
120 add_mac_addresses(&vp);
122 if((lenin = write(tap_fd, &vp, vp.len + sizeof(vp.len))) < 0)
123 syslog(LOG_ERR, "Can't write to tap device: %m");
125 total_tap_out += lenin;
131 add the given packet of size s to the
132 queue q, be it the send or receive queue
134 void add_queue(packet_queue_t **q, void *packet, size_t s)
139 syslog(LOG_DEBUG, "packet to queue: %d", s);
141 e = xmalloc(sizeof(*e));
142 e->packet = xmalloc(s);
143 memcpy(e->packet, packet, s);
147 *q = xmalloc(sizeof(**q));
148 (*q)->head = (*q)->tail = NULL;
151 e->next = NULL; /* We insert at the tail */
153 if((*q)->tail) /* Do we have a tail? */
155 (*q)->tail->next = e;
156 e->prev = (*q)->tail;
158 else /* No tail -> no head too */
168 /* Remove a queue element */
169 void del_queue(packet_queue_t **q, queue_element_t *e)
174 if(e->next) /* There is a successor, so we are not tail */
176 if(e->prev) /* There is a predecessor, so we are not head */
178 e->next->prev = e->prev;
179 e->prev->next = e->next;
181 else /* We are head */
183 e->next->prev = NULL;
184 (*q)->head = e->next;
187 else /* We are tail (or all alone!) */
189 if(e->prev) /* We are not alone :) */
191 e->prev->next = NULL;
192 (*q)->tail = e->prev;
206 flush a queue by calling function for
207 each packet, and removing it when that
208 returned a zero exit code
210 void flush_queue(conn_list_t *cl, packet_queue_t **pq,
211 int (*function)(conn_list_t*,void*))
213 queue_element_t *p, *next = NULL;
215 for(p = (*pq)->head; p != NULL; )
219 if(!function(cl, p->packet))
226 syslog(LOG_DEBUG, "queue flushed");
231 flush the send&recv queues
232 void because nothing goes wrong here, packets
233 remain in the queue if something goes wrong
235 void flush_queues(conn_list_t *cl)
241 syslog(LOG_DEBUG, "Flushing send queue for " IP_ADDR_S,
242 IP_ADDR_V(cl->vpn_ip));
243 flush_queue(cl, &(cl->sq), xsend);
249 syslog(LOG_DEBUG, "Flushing receive queue for " IP_ADDR_S,
250 IP_ADDR_V(cl->vpn_ip));
251 flush_queue(cl, &(cl->rq), xrecv);
257 send a packet to the given vpn ip.
259 int send_packet(ip_t to, vpn_packet_t *packet)
263 if((cl = lookup_conn(to)) == NULL)
267 syslog(LOG_NOTICE, "trying to look up " IP_ADDR_S " in connection list failed.",
270 for(cl = conn_list; cl != NULL && !cl->status.outgoing; cl = cl->next);
272 { /* No open outgoing connection has been found. */
274 syslog(LOG_NOTICE, "There is no remote host I can send this packet to.");
279 if(my_key_expiry <= time(NULL))
282 if(!cl->status.dataopen)
283 if(setup_vpn_connection(cl) < 0)
286 if(!cl->status.validkey)
288 add_queue(&(cl->sq), packet, packet->len + 2);
289 if(!cl->status.waitingforkey)
290 send_key_request(cl->vpn_ip); /* Keys should be sent to the host running the tincd */
294 if(!cl->status.active)
296 add_queue(&(cl->sq), packet, packet->len + 2);
298 syslog(LOG_INFO, IP_ADDR_S " is not ready, queueing packet.", IP_ADDR_V(cl->vpn_ip));
299 return 0; /* We don't want to mess up, do we? */
302 /* can we send it? can we? can we? huh? */
304 return xsend(cl, packet);
308 open the local ethertap device
310 int setup_tap_fd(void)
313 const char *tapfname;
316 if((cfg = get_config_val(tapdevice)) == NULL)
317 tapfname = "/dev/tap0";
319 tapfname = cfg->data.ptr;
321 if((nfd = open(tapfname, O_RDWR | O_NONBLOCK)) < 0)
323 syslog(LOG_ERR, "Could not open %s: %m", tapfname);
333 set up the socket that we listen on for incoming
336 int setup_listen_meta_socket(int port)
339 struct sockaddr_in a;
342 if((nfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
344 syslog(LOG_ERR, "Creating metasocket failed: %m");
348 if(setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)))
350 syslog(LOG_ERR, "setsockopt: %m");
354 flags = fcntl(nfd, F_GETFL);
355 if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
357 syslog(LOG_ERR, "fcntl: %m");
361 memset(&a, 0, sizeof(a));
362 a.sin_family = AF_INET;
363 a.sin_port = htons(port);
364 a.sin_addr.s_addr = htonl(INADDR_ANY);
366 if(bind(nfd, (struct sockaddr *)&a, sizeof(struct sockaddr)))
368 syslog(LOG_ERR, "Can't bind to port %hd/tcp: %m", port);
374 syslog(LOG_ERR, "listen: %m");
382 setup the socket for incoming encrypted
385 int setup_vpn_in_socket(int port)
388 struct sockaddr_in a;
391 if((nfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0)
393 syslog(LOG_ERR, "Creating socket failed: %m");
397 if(setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)))
399 syslog(LOG_ERR, "setsockopt: %m");
403 flags = fcntl(nfd, F_GETFL);
404 if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
406 syslog(LOG_ERR, "fcntl: %m");
410 memset(&a, 0, sizeof(a));
411 a.sin_family = AF_INET;
412 a.sin_port = htons(port);
413 a.sin_addr.s_addr = htonl(INADDR_ANY);
415 if(bind(nfd, (struct sockaddr *)&a, sizeof(struct sockaddr)))
417 syslog(LOG_ERR, "Can't bind to port %hd/udp: %m", port);
425 setup an outgoing meta (tcp) socket
427 int setup_outgoing_meta_socket(conn_list_t *cl)
430 struct sockaddr_in a;
433 if((cfg = get_config_val(upstreamport)) == NULL)
436 cl->port = cfg->data.val;
438 cl->meta_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
439 if(cl->meta_socket == -1)
441 syslog(LOG_ERR, "Creating socket failed: %m");
445 a.sin_family = AF_INET;
446 a.sin_port = htons(cl->port);
447 a.sin_addr.s_addr = htonl(cl->real_ip);
449 if(connect(cl->meta_socket, (struct sockaddr *)&a, sizeof(a)) == -1)
451 syslog(LOG_ERR, IP_ADDR_S ":%d: %m", IP_ADDR_V(cl->real_ip), cl->port);
455 flags = fcntl(cl->meta_socket, F_GETFL);
456 if(fcntl(cl->meta_socket, F_SETFL, flags | O_NONBLOCK) < 0)
458 syslog(LOG_ERR, "fcntl: %m");
462 cl->hostname = hostlookup(htonl(cl->real_ip));
464 syslog(LOG_INFO, "Connected to %s:%hd" , cl->hostname, cl->port);
470 setup an outgoing connection. It's not
471 necessary to also open an udp socket as
472 well, because the other host will initiate
473 an authentication sequence during which
474 we will do just that.
476 int setup_outgoing_connection(ip_t ip)
480 ncn = new_conn_list();
483 if(setup_outgoing_meta_socket(ncn) < 0)
485 syslog(LOG_ERR, "Could not set up a meta connection.");
486 free_conn_element(ncn);
490 ncn->status.meta = 1;
491 ncn->status.outgoing = 1;
492 ncn->next = conn_list;
499 set up the local sockets (listen only)
501 int setup_myself(void)
505 myself = new_conn_list();
507 if(!(cfg = get_config_val(myvpnip)))
509 syslog(LOG_ERR, "No value for my VPN IP given");
513 myself->vpn_ip = cfg->data.ip->ip;
514 myself->vpn_mask = cfg->data.ip->mask;
516 if(!(cfg = get_config_val(listenport)))
519 myself->port = cfg->data.val;
521 if((myself->meta_socket = setup_listen_meta_socket(myself->port)) < 0)
523 syslog(LOG_ERR, "Unable to set up a listening socket");
527 if((myself->socket = setup_vpn_in_socket(myself->port)) < 0)
529 syslog(LOG_ERR, "Unable to set up an incoming vpn data socket");
530 close(myself->meta_socket);
534 myself->status.active = 1;
536 syslog(LOG_NOTICE, "Ready: listening on port %d.", myself->port);
542 setup all initial network connections
544 int setup_network_connections(void)
548 if((cfg = get_config_val(pingtimeout)) == NULL)
551 timeout = cfg->data.val;
553 if(setup_tap_fd() < 0)
556 if(setup_myself() < 0)
559 if((cfg = get_config_val(upstreamip)) == NULL)
560 /* No upstream IP given, we're listen only. */
563 if(setup_outgoing_connection(cfg->data.ip->ip))
570 sigalrm_handler(int a)
573 static int seconds_till_retry;
575 cfg = get_config_val(upstreamip);
577 if(!setup_outgoing_connection(cfg->data.ip->ip))
579 signal(SIGALRM, SIG_IGN);
580 seconds_till_retry = 5;
584 signal(SIGALRM, sigalrm_handler);
585 seconds_till_retry += 5;
586 alarm(seconds_till_retry);
587 syslog(LOG_ERR, "Still failed to connect to other. Will retry in %d seconds.",
594 close all open network connections
596 void close_network_connections(void)
600 for(p = conn_list; p != NULL; p = p->next)
602 if(p->status.dataopen)
604 shutdown(p->socket, 0); /* No more receptions */
610 shutdown(p->meta_socket, 0); /* No more receptions */
611 close(p->meta_socket);
616 if(myself->status.active)
618 close(myself->meta_socket);
619 close(myself->socket);
625 syslog(LOG_NOTICE, "Terminating.");
631 create a data (udp) socket
633 int setup_vpn_connection(conn_list_t *cl)
636 struct sockaddr_in a;
639 syslog(LOG_DEBUG, "Opening UDP socket to " IP_ADDR_S, IP_ADDR_V(cl->real_ip));
641 nfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
644 syslog(LOG_ERR, "Creating data socket failed: %m");
648 a.sin_family = AF_INET;
649 a.sin_port = htons(cl->port);
650 a.sin_addr.s_addr = htonl(cl->real_ip);
652 if(connect(nfd, (struct sockaddr *)&a, sizeof(a)) == -1)
654 syslog(LOG_ERR, "Create connection to %08lx:%d failed: %m", ntohs(cl->real_ip),
659 flags = fcntl(nfd, F_GETFL);
660 if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
662 syslog(LOG_ERR, "This is a bug: %s:%d: %d:%m", __FILE__, __LINE__, nfd);
667 cl->status.dataopen = 1;
673 handle an incoming tcp connect call and open
676 conn_list_t *create_new_connection(int sfd)
679 struct sockaddr_in ci;
680 int len = sizeof(ci);
684 if(getpeername(sfd, &ci, &len) < 0)
686 syslog(LOG_ERR, "Error: getpeername: %m");
690 p->hostname = hostlookup(ci.sin_addr.s_addr);
691 p->real_ip = ntohl(ci.sin_addr.s_addr);
692 p->meta_socket = sfd;
696 syslog(LOG_NOTICE, "Connection from %s:%d", p->hostname, htons(ci.sin_port));
698 if(send_basic_info(p) < 0)
708 put all file descriptors in an fd_set array
710 void build_fdset(fd_set *fs)
716 for(p = conn_list; p != NULL; p = p->next)
719 FD_SET(p->meta_socket, fs);
720 if(p->status.dataopen)
721 FD_SET(p->socket, fs);
724 FD_SET(myself->meta_socket, fs);
725 FD_SET(myself->socket, fs);
731 receive incoming data from the listening
732 udp socket and write it to the ethertap
733 device after being decrypted
735 int handle_incoming_vpn_data(conn_list_t *cl)
739 int x, l = sizeof(x);
742 if(getsockopt(cl->socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0)
744 syslog(LOG_ERR, "This is a bug: %s:%d: %d:%m", __FILE__, __LINE__, cl->socket);
749 syslog(LOG_ERR, "Incoming data socket error: %s", sys_errlist[x]);
754 lenin = recvfrom(cl->socket, &rp, MTU, 0, NULL, NULL);
757 syslog(LOG_ERR, "Receiving data failed: %m");
760 total_socket_in += lenin;
762 rp.data.len = ntohs(rp.data.len);
763 rp.len = ntohs(rp.len);
764 rp.from = ntohl(rp.from);
768 f = lookup_conn(rp.from);
770 syslog(LOG_DEBUG, "packet from " IP_ADDR_S " (len %d)",
771 IP_ADDR_V(rp.from), rp.len);
774 syslog(LOG_ERR, "Got packet from unknown source " IP_ADDR_S,
779 if(f->status.validkey)
783 add_queue(&(f->rq), &rp, rp.len);
784 if(!cl->status.waitingforkey)
785 send_key_request(rp.from);
788 if(my_key_expiry <= time(NULL))
796 terminate a connection and notify the other
797 end before closing the sockets
799 void terminate_connection(conn_list_t *cl)
802 if(cl->status.remove)
806 syslog(LOG_NOTICE, "Closing connection with %s.", cl->hostname);
808 if(cl->status.timeout)
810 else if(!cl->status.termreq)
815 close(cl->meta_socket);
817 if(cl->status.outgoing)
820 signal(SIGALRM, sigalrm_handler);
821 syslog(LOG_NOTICE, "Try to re-establish outgoing connection in 5 seconds.");
824 cl->status.remove = 1;
829 send out a ping request to all active
832 int send_broadcast_ping(void)
836 for(p = conn_list; p != NULL; p = p->next)
840 if(p->status.active && p->status.meta)
843 terminate_connection(p);
846 p->status.pinged = 1;
847 p->status.got_pong = 0;
852 last_ping_time = time(NULL);
858 end all connections that did not respond
859 to the ping probe in time
861 int check_dead_connections(void)
865 for(p = conn_list; p != NULL; p = p->next)
869 if(p->status.active && p->status.meta && p->status.pinged && !p->status.got_pong)
871 syslog(LOG_INFO, "%s (" IP_ADDR_S ") didn't respond to ping",
872 p->hostname, IP_ADDR_V(p->vpn_ip));
873 p->status.timeout = 1;
874 terminate_connection(p);
882 accept a new tcp connect and create a
885 int handle_new_meta_connection(conn_list_t *cl)
888 struct sockaddr client;
889 int nfd, len = sizeof(client);
891 if((nfd = accept(cl->meta_socket, &client, &len)) < 0)
893 syslog(LOG_ERR, "Accepting a new connection failed: %m");
897 if((ncn = create_new_connection(nfd)) == NULL)
901 syslog(LOG_NOTICE, "Closed attempted connection.");
905 ncn->status.meta = 1;
906 ncn->next = conn_list;
913 dispatch any incoming meta requests
915 int handle_incoming_meta_data(conn_list_t *cl)
917 int x, l = sizeof(x);
918 int request, oldlen, i;
921 if(getsockopt(cl->meta_socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0)
923 syslog(LOG_ERR, "This is a bug: %s:%d: %d:%m", __FILE__, __LINE__, cl->meta_socket);
928 syslog(LOG_ERR, "Metadata socket error: %s", sys_errlist[x]);
932 if(cl->buflen >= MAXBUFSIZE)
934 syslog(LOG_ERR, "Metadata read buffer full! Discarding contents.");
938 lenin = read(cl->meta_socket, cl->buffer, MAXBUFSIZE-cl->buflen);
942 syslog(LOG_ERR, "Metadata socket read error: %m");
953 for(i = oldlen; i < cl->buflen; i++)
955 if(cl->buffer[i] == '\n')
957 cl->buffer[i] = 0; /* replace end-of-line by end-of-string so we can use sscanf */
965 if(sscanf(cl->buffer, "%d", &request) == 1)
967 if(request_handlers[request] == NULL)
969 syslog(LOG_ERR, "Unknown request: %s", cl->buffer);
974 syslog(LOG_DEBUG, "Got request: %s", cl->buffer);
976 request_handlers[request](cl);
980 syslog(LOG_ERR, "Bogus data received: %s", cl->buffer);
983 cl->buflen -= cl->reqlen;
984 memmove(cl->buffer, cl->buffer + cl->reqlen, cl->buflen);
997 check all connections to see if anything
998 happened on their sockets
1000 void check_network_activity(fd_set *f)
1003 int x, l = sizeof(x);
1005 for(p = conn_list; p != NULL; p = p->next)
1007 if(p->status.remove)
1010 if(p->status.dataopen)
1011 if(FD_ISSET(p->socket, f))
1014 The only thing that can happen to get us here is apparently an
1015 error on this outgoing(!) UDP socket that isn't immediate (i.e.
1016 something that will not trigger an error directly on send()).
1017 I've once got here when it said `No route to host'.
1019 getsockopt(p->socket, SOL_SOCKET, SO_ERROR, &x, &l);
1020 syslog(LOG_ERR, "Outgoing data socket error: %s", sys_errlist[x]);
1021 terminate_connection(p);
1026 if(FD_ISSET(p->meta_socket, f))
1027 if(handle_incoming_meta_data(p) < 0)
1029 terminate_connection(p);
1034 if(FD_ISSET(myself->socket, f))
1035 handle_incoming_vpn_data(myself);
1037 if(FD_ISSET(myself->meta_socket, f))
1038 handle_new_meta_connection(myself);
1043 read, encrypt and send data that is
1044 available through the ethertap device
1046 void handle_tap_input(void)
1050 int ether_type, lenin;
1052 memset(&vp, 0, sizeof(vp));
1053 if((lenin = read(tap_fd, &vp, MTU)) <= 0)
1055 syslog(LOG_ERR, "Error while reading from tapdevice: %m");
1059 total_tap_in += lenin;
1061 ether_type = ntohs(*((unsigned short*)(&vp.data[12])));
1062 if(ether_type != 0x0800)
1065 syslog(LOG_INFO, "Non-IP ethernet frame %04x from " MAC_ADDR_S,
1066 ether_type, MAC_ADDR_V(vp.data[6]));
1073 syslog(LOG_INFO, "Dropping short packet");
1077 from = ntohl(*((unsigned long*)(&vp.data[26])));
1078 to = ntohl(*((unsigned long*)(&vp.data[30])));
1081 syslog(LOG_DEBUG, "An IP packet (%04x) for " IP_ADDR_S " from " IP_ADDR_S,
1082 ether_type, IP_ADDR_V(to), IP_ADDR_V(from));
1084 syslog(LOG_DEBUG, MAC_ADDR_S " to " MAC_ADDR_S,
1085 MAC_ADDR_V(vp.data[0]), MAC_ADDR_V(vp.data[6]));
1087 vp.len = (length_t)lenin - 2;
1089 strip_mac_addresses(&vp);
1091 send_packet(to, &vp);
1096 this is where it all happens...
1098 void main_loop(void)
1104 last_ping_time = time(NULL);
1108 tv.tv_sec = timeout;
1114 if((r = select(FD_SETSIZE, &fset, NULL, NULL, &tv)) < 0)
1116 if(errno == EINTR) /* because of alarm */
1118 syslog(LOG_ERR, "Error while waiting for input: %m");
1122 if(r == 0 || last_ping_time + timeout < time(NULL))
1123 /* Timeout... hm... something might be wrong. */
1125 check_dead_connections();
1126 send_broadcast_ping();
1130 check_network_activity(&fset);
1132 /* local tap data */
1133 if(FD_ISSET(tap_fd, &fset))