2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2022 Guus Sliepen <guus@tinc-vpn.org>
5 2010 Timothy Redaelli <timothy@redaelli.eu>
6 2010 Brandon Black <blblack@gmail.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
39 #include "address_cache.h"
42 #include "connection.h"
43 #include "compression.h"
58 /* The minimum size of a probe is 14 bytes, but since we normally use CBC mode
59 encryption, we can add a few extra random bytes without increasing the
60 resulting packet size. */
61 #define MIN_PROBE_SIZE 18
65 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
70 #ifdef HAVE_LZ4_BUILTIN
71 static LZ4_stream_t lz4_stream;
73 static void *lz4_state = NULL;
74 #endif // HAVE_LZ4_BUILTIN
78 static void send_udppacket(node_t *, vpn_packet_t *);
80 unsigned replaywin = 32;
81 bool localdiscovery = true;
82 bool udp_discovery = true;
83 int udp_discovery_keepalive_interval = 10;
84 int udp_discovery_interval = 2;
85 int udp_discovery_timeout = 30;
87 #define MAX_SEQNO 1073741824
89 static void try_fix_mtu(node_t *n) {
90 if(n->mtuprobes < 0) {
94 if(n->mtuprobes == 20 || n->minmtu >= n->maxmtu) {
95 if(n->minmtu > n->maxmtu) {
96 n->minmtu = n->maxmtu;
98 n->maxmtu = n->minmtu;
102 logger(DEBUG_TRAFFIC, LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
107 static void reduce_mtu(node_t *n, int mtu) {
112 if(n->maxmtu > mtu) {
123 static void udp_probe_timeout_handler(void *data) {
126 if(!n->status.udp_confirmed) {
130 logger(DEBUG_TRAFFIC, LOG_INFO, "Too much time has elapsed since last UDP ping response from %s (%s), stopping UDP communication", n->name, n->hostname);
131 n->status.udp_confirmed = false;
132 n->udp_ping_rtt = -1;
139 static void send_udp_probe_reply(node_t *n, vpn_packet_t *packet, length_t len) {
140 if(!n->status.sptps && !n->status.validkey) {
141 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP probe reply to %s (%s) but we don't have his key yet", n->name, n->hostname);
145 /* Type 2 probe replies were introduced in protocol 17.3 */
146 if((n->options >> 24) >= 3) {
148 uint16_t len16 = htons(len);
149 memcpy(DATA(packet) + 1, &len16, 2);
150 packet->len = MIN_PROBE_SIZE;
151 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending type 2 probe reply length %u to %s (%s)", len, n->name, n->hostname);
154 /* Legacy protocol: n won't understand type 2 probe replies. */
156 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending type 1 probe reply length %u to %s (%s)", len, n->name, n->hostname);
159 /* Temporarily set udp_confirmed, so that the reply is sent
160 back exactly the way it came in. */
162 bool udp_confirmed = n->status.udp_confirmed;
163 n->status.udp_confirmed = true;
164 send_udppacket(n, packet);
165 n->status.udp_confirmed = udp_confirmed;
168 static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
169 if(!DATA(packet)[0]) {
170 logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request %d from %s (%s)", packet->len, n->name, n->hostname);
171 send_udp_probe_reply(n, packet, len);
175 if(DATA(packet)[0] == 2) {
176 // It's a type 2 probe reply, use the length field inside the packet
178 memcpy(&len16, DATA(packet) + 1, 2);
182 if(n->status.ping_sent) { // a probe in flight
183 gettimeofday(&now, NULL);
185 timersub(&now, &n->udp_ping_sent, &rtt);
186 n->udp_ping_rtt = (int)(rtt.tv_sec * 1000000 + rtt.tv_usec);
187 n->status.ping_sent = false;
188 logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s) rtt=%d.%03d", DATA(packet)[0], len, n->name, n->hostname, n->udp_ping_rtt / 1000, n->udp_ping_rtt % 1000);
190 logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], len, n->name, n->hostname);
193 /* It's a valid reply: now we know bidirectional communication
194 is possible using the address and socket that the reply
196 if(!n->status.udp_confirmed) {
197 n->status.udp_confirmed = true;
199 if(!n->address_cache) {
200 n->address_cache = open_address_cache(n);
203 if(n->connection && n->connection->edge) {
204 reset_address_cache(n->address_cache);
205 add_recent_address(n->address_cache, &n->connection->edge->address);
209 // Reset the UDP ping timer.
212 timeout_del(&n->udp_ping_timeout);
213 timeout_add(&n->udp_ping_timeout, &udp_probe_timeout_handler, n, &(struct timeval) {
214 udp_discovery_timeout, 0
218 if(len > n->maxmtu) {
219 logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
222 /* Set mtuprobes to 1 so that try_mtu() doesn't reset maxmtu */
225 } else if(n->mtuprobes < 0 && len == n->maxmtu) {
226 /* We got a maxmtu sized packet, confirming the PMTU is still valid. */
228 n->mtu_ping_sent = now;
231 /* If applicable, raise the minimum supported MTU */
233 if(n->minmtu < len) {
240 static length_t compress_packet_lz4(uint8_t *dest, const uint8_t *source, length_t len) {
241 #ifdef HAVE_LZ4_BUILTIN
242 return LZ4_compress_fast_extState(&lz4_stream, (const char *) source, (char *) dest, len, MAXSIZE, 0);
245 /* @FIXME: Put this in a better place, and free() it too. */
246 if(lz4_state == NULL) {
247 lz4_state = malloc(LZ4_sizeofState());
250 if(lz4_state == NULL) {
251 logger(DEBUG_ALWAYS, LOG_ERR, "Failed to allocate lz4_state, error: %i", errno);
255 return LZ4_compress_fast_extState(lz4_state, (const char *) source, (char *) dest, len, MAXSIZE, 0);
256 #endif /* HAVE_LZ4_BUILTIN */
258 #endif /* HAVE_LZ4 */
261 static length_t compress_packet_lzo(uint8_t *dest, const uint8_t *source, length_t len, compression_level_t level) {
262 lzo_uint lzolen = MAXSIZE;
265 if(level == COMPRESS_LZO_HI) {
266 result = lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
267 } else { // level == COMPRESS_LZO_LO
268 result = lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
271 if(result == LZO_E_OK) {
279 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, compression_level_t level) {
284 return compress_packet_lz4(dest, source, len);
289 case COMPRESS_LZO_HI:
290 case COMPRESS_LZO_LO:
291 return compress_packet_lzo(dest, source, len, level);
295 case COMPRESS_ZLIB_9:
296 case COMPRESS_ZLIB_8:
297 case COMPRESS_ZLIB_7:
298 case COMPRESS_ZLIB_6:
299 case COMPRESS_ZLIB_5:
300 case COMPRESS_ZLIB_4:
301 case COMPRESS_ZLIB_3:
302 case COMPRESS_ZLIB_2:
303 case COMPRESS_ZLIB_1: {
304 unsigned long dest_len = MAXSIZE;
306 if(compress2(dest, &dest_len, source, len, level) == Z_OK) {
316 memcpy(dest, source, len);
324 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, compression_level_t level) {
329 return LZ4_decompress_safe((char *)source, (char *) dest, len, MAXSIZE);
334 case COMPRESS_LZO_HI:
335 case COMPRESS_LZO_LO: {
336 lzo_uint dst_len = MAXSIZE;
338 if(lzo1x_decompress_safe(source, len, dest, &dst_len, NULL) == LZO_E_OK) {
348 case COMPRESS_ZLIB_9:
349 case COMPRESS_ZLIB_8:
350 case COMPRESS_ZLIB_7:
351 case COMPRESS_ZLIB_6:
352 case COMPRESS_ZLIB_5:
353 case COMPRESS_ZLIB_4:
354 case COMPRESS_ZLIB_3:
355 case COMPRESS_ZLIB_2:
356 case COMPRESS_ZLIB_1: {
357 unsigned long destlen = MAXSIZE;
358 static z_stream stream;
361 inflateReset(&stream);
363 inflateInit(&stream);
366 stream.next_in = source;
367 stream.avail_in = len;
368 stream.next_out = dest;
369 stream.avail_out = destlen;
370 stream.total_out = 0;
372 if(inflate(&stream, Z_FINISH) == Z_STREAM_END) {
373 return stream.total_out;
382 memcpy(dest, source, len);
392 static void receive_packet(node_t *n, vpn_packet_t *packet) {
393 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
394 packet->len, n->name, n->hostname);
397 n->in_bytes += packet->len;
402 static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
403 if(n->status.sptps) {
404 return sptps_verify_datagram(&n->sptps, DATA(inpkt), inpkt->len);
407 #ifdef DISABLE_LEGACY
411 if(!n->status.validkey_in || !digest_active(n->indigest) || (size_t)inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) {
415 return digest_verify(n->indigest, inpkt->data, inpkt->len - digest_length(n->indigest), inpkt->data + inpkt->len - digest_length(n->indigest));
419 static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
420 if(n->status.sptps) {
421 if(!n->sptps.state) {
422 if(!n->status.waitingforkey) {
423 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but we haven't exchanged keys yet", n->name, n->hostname);
426 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
432 n->status.udppacket = true;
433 bool result = sptps_receive_data(&n->sptps, DATA(inpkt), inpkt->len);
434 n->status.udppacket = false;
437 /* Uh-oh. It might be that the tunnel is stuck in some corrupted state,
438 so let's restart SPTPS in case that helps. But don't do that too often
439 to prevent storms, and because that would make life a little too easy
440 for external attackers trying to DoS us. */
441 if(n->last_req_key < now.tv_sec - 10) {
442 logger(DEBUG_PROTOCOL, LOG_ERR, "Failed to decode raw TCP packet from %s (%s), restarting SPTPS", n->name, n->hostname);
452 #ifdef DISABLE_LEGACY
455 vpn_packet_t pkt1, pkt2;
456 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
459 pkt1.offset = DEFAULT_PACKET_OFFSET;
460 pkt2.offset = DEFAULT_PACKET_OFFSET;
462 if(!n->status.validkey_in) {
463 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
467 /* Check packet length */
469 if((size_t)inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) {
470 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
471 n->name, n->hostname);
475 /* It's a legacy UDP packet, the data starts after the seqno */
477 inpkt->offset += sizeof(seqno_t);
479 /* Check the message authentication code */
481 if(digest_active(n->indigest)) {
482 inpkt->len -= digest_length(n->indigest);
484 if(!digest_verify(n->indigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
485 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
490 /* Decrypt the packet */
492 if(cipher_active(n->incipher)) {
493 vpn_packet_t *outpkt = pkt[nextpkt++];
496 if(!cipher_decrypt(n->incipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
497 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
501 outpkt->len = outlen;
505 /* Check the sequence number */
508 memcpy(&seqno, SEQNO(inpkt), sizeof(seqno));
509 seqno = ntohl(seqno);
510 inpkt->len -= sizeof(seqno);
513 if(seqno != n->received_seqno + 1) {
514 if(seqno >= n->received_seqno + replaywin * 8) {
515 if(n->farfuture++ < replaywin >> 2) {
516 logger(DEBUG_TRAFFIC, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
517 n->name, n->hostname, seqno - n->received_seqno - 1, n->farfuture);
521 logger(DEBUG_TRAFFIC, LOG_WARNING, "Lost %d packets from %s (%s)",
522 seqno - n->received_seqno - 1, n->name, n->hostname);
523 memset(n->late, 0, replaywin);
524 } else if(seqno <= n->received_seqno) {
525 if((n->received_seqno >= replaywin * 8 && seqno <= n->received_seqno - replaywin * 8) || !(n->late[(seqno / 8) % replaywin] & (1 << seqno % 8))) {
526 logger(DEBUG_TRAFFIC, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
527 n->name, n->hostname, seqno, n->received_seqno);
531 for(seqno_t i = n->received_seqno + 1; i < seqno; i++) {
532 n->late[(i / 8) % replaywin] |= 1 << i % 8;
538 n->late[(seqno / 8) % replaywin] &= ~(1 << seqno % 8);
541 if(seqno > n->received_seqno) {
542 n->received_seqno = seqno;
547 if(n->received_seqno > MAX_SEQNO) {
551 /* Decompress the packet */
553 length_t origlen = inpkt->len;
555 if(n->incompression != COMPRESS_NONE) {
556 vpn_packet_t *outpkt = pkt[nextpkt++];
558 if(!(outpkt->len = uncompress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->incompression))) {
559 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)",
560 n->name, n->hostname);
566 if(origlen > MTU / 64 + 20) {
567 origlen -= MTU / 64 + 20;
573 if(inpkt->len > n->maxrecentlen) {
574 n->maxrecentlen = inpkt->len;
579 if(!DATA(inpkt)[12] && !DATA(inpkt)[13]) {
580 udp_probe_h(n, inpkt, origlen);
582 receive_packet(n, inpkt);
589 void receive_tcppacket(connection_t *c, const char *buffer, size_t len) {
591 outpkt.offset = DEFAULT_PACKET_OFFSET;
593 if(len > sizeof(outpkt.data) - outpkt.offset) {
599 if(c->options & OPTION_TCPONLY) {
602 outpkt.priority = -1;
605 memcpy(DATA(&outpkt), buffer, len);
607 receive_packet(c->node, &outpkt);
610 bool receive_tcppacket_sptps(connection_t *c, const char *data, size_t len) {
611 if(len < sizeof(node_id_t) + sizeof(node_id_t)) {
612 logger(DEBUG_PROTOCOL, LOG_ERR, "Got too short TCP SPTPS packet from %s (%s)", c->name, c->hostname);
616 node_t *to = lookup_node_id((node_id_t *)data);
617 data += sizeof(node_id_t);
618 len -= sizeof(node_id_t);
621 logger(DEBUG_PROTOCOL, LOG_ERR, "Got TCP SPTPS packet from %s (%s) with unknown destination ID", c->name, c->hostname);
625 node_t *from = lookup_node_id((node_id_t *)data);
626 data += sizeof(node_id_t);
627 len -= sizeof(node_id_t);
630 logger(DEBUG_PROTOCOL, LOG_ERR, "Got TCP SPTPS packet from %s (%s) with unknown source ID", c->name, c->hostname);
634 if(!to->status.reachable) {
635 /* This can happen in the form of a race condition
636 if the node just became unreachable. */
637 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot relay TCP packet from %s (%s) because the destination, %s (%s), is unreachable", from->name, from->hostname, to->name, to->hostname);
641 /* Help the sender reach us over UDP.
642 Note that we only do this if we're the destination or the static relay;
643 otherwise every hop would initiate its own UDP info message, resulting in elevated chatter. */
644 if(to->via == myself) {
645 send_udp_info(myself, from);
648 /* If we're not the final recipient, relay the packet. */
651 if(to->status.validkey) {
652 send_sptps_data(to, from, 0, data, len);
659 /* The packet is for us */
661 if(!sptps_receive_data(&from->sptps, data, len)) {
662 /* Uh-oh. It might be that the tunnel is stuck in some corrupted state,
663 so let's restart SPTPS in case that helps. But don't do that too often
664 to prevent storms. */
665 if(from->last_req_key < now.tv_sec - 10) {
666 logger(DEBUG_PROTOCOL, LOG_ERR, "Failed to decode raw TCP packet from %s (%s), restarting SPTPS", from->name, from->hostname);
673 send_mtu_info(myself, from, MTU);
677 static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
678 if(!n->status.validkey && !n->connection) {
685 if((!(DATA(origpkt)[12] | DATA(origpkt)[13])) && (n->sptps.outstate)) {
686 sptps_send_record(&n->sptps, PKT_PROBE, DATA(origpkt), origpkt->len);
690 if(routing_mode == RMODE_ROUTER) {
696 if(origpkt->len < offset) {
702 if(n->outcompression != COMPRESS_NONE) {
704 length_t len = compress_packet(DATA(&outpkt) + offset, DATA(origpkt) + offset, origpkt->len - offset, n->outcompression);
707 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
708 } else if(len < origpkt->len - offset) {
709 outpkt.len = len + offset;
711 type |= PKT_COMPRESSED;
715 /* If we have a direct metaconnection to n, and we can't use UDP, then
716 don't bother with SPTPS and just use a "plaintext" PACKET message.
717 We don't really care about end-to-end security since we're not
718 sending the message through any intermediate nodes. */
719 if(n->connection && origpkt->len > n->minmtu) {
720 send_tcppacket(n->connection, origpkt);
722 sptps_send_record(&n->sptps, type, DATA(origpkt) + offset, origpkt->len - offset);
726 static void adapt_socket(const sockaddr_t *sa, size_t *sock) {
727 /* Make sure we have a suitable socket for the chosen address */
728 if(listen_socket[*sock].sa.sa.sa_family != sa->sa.sa_family) {
729 for(int i = 0; i < listen_sockets; i++) {
730 if(listen_socket[i].sa.sa.sa_family == sa->sa.sa_family) {
738 static void choose_udp_address(const node_t *n, const sockaddr_t **sa, size_t *sock) {
743 /* If the UDP address is confirmed, use it. */
744 if(n->status.udp_confirmed) {
748 /* Send every third packet to n->address; that could be set
749 to the node's reflexive UDP address discovered during key
759 /* Otherwise, address are found in edges to this node.
760 So we pick a random edge and a random socket. */
763 unsigned int j = prng(n->edge_tree.count);
764 edge_t *candidate = NULL;
766 for splay_each(edge_t, e, &n->edge_tree) {
768 candidate = e->reverse;
774 *sa = &candidate->address;
775 *sock = prng(listen_sockets);
778 adapt_socket(*sa, sock);
781 static void choose_local_address(const node_t *n, const sockaddr_t **sa, size_t *sock) {
784 /* Pick one of the edges from this node at random, then use its local address. */
787 unsigned int j = prng(n->edge_tree.count);
788 edge_t *candidate = NULL;
790 for splay_each(edge_t, e, &n->edge_tree) {
797 if(candidate && candidate->local_address.sa.sa_family) {
798 *sa = &candidate->local_address;
799 *sock = prng(listen_sockets);
800 adapt_socket(*sa, sock);
804 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
805 if(!n->status.reachable) {
806 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
810 if(n->status.sptps) {
811 send_sptps_packet(n, origpkt);
815 #ifdef DISABLE_LEGACY
818 vpn_packet_t pkt1, pkt2;
819 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
820 vpn_packet_t *inpkt = origpkt;
822 vpn_packet_t *outpkt;
823 int origlen = origpkt->len;
825 int origpriority = origpkt->priority;
827 pkt1.offset = DEFAULT_PACKET_OFFSET;
828 pkt2.offset = DEFAULT_PACKET_OFFSET;
830 /* Make sure we have a valid key */
832 if(!n->status.validkey) {
833 logger(DEBUG_TRAFFIC, LOG_INFO,
834 "No valid key known yet for %s (%s), forwarding via TCP",
835 n->name, n->hostname);
836 send_tcppacket(n->nexthop->connection, origpkt);
840 if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (DATA(inpkt)[12] | DATA(inpkt)[13])) {
841 logger(DEBUG_TRAFFIC, LOG_INFO,
842 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
843 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
845 if(n != n->nexthop) {
846 send_packet(n->nexthop, origpkt);
848 send_tcppacket(n->nexthop->connection, origpkt);
854 /* Compress the packet */
856 if(n->outcompression != COMPRESS_NONE) {
857 outpkt = pkt[nextpkt++];
859 if(!(outpkt->len = compress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->outcompression))) {
860 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)",
861 n->name, n->hostname);
868 /* Add sequence number */
870 seqno_t seqno = htonl(++(n->sent_seqno));
871 memcpy(SEQNO(inpkt), &seqno, sizeof(seqno));
872 inpkt->len += sizeof(seqno);
874 /* Encrypt the packet */
876 if(cipher_active(n->outcipher)) {
877 outpkt = pkt[nextpkt++];
880 if(!cipher_encrypt(n->outcipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
881 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
885 outpkt->len = outlen;
889 /* Add the message authentication code */
891 if(digest_active(n->outdigest)) {
892 if(!digest_create(n->outdigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
893 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
897 inpkt->len += digest_length(n->outdigest);
900 /* Send the packet */
902 const sockaddr_t *sa = NULL;
905 if(n->status.send_locally) {
906 choose_local_address(n, &sa, &sock);
910 choose_udp_address(n, &sa, &sock);
913 if(priorityinheritance && origpriority != listen_socket[sock].priority) {
914 listen_socket[sock].priority = origpriority;
916 switch(sa->sa.sa_family) {
920 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting IPv4 outgoing packet priority to %d", origpriority);
922 if(setsockopt(listen_socket[sock].udp.fd, IPPROTO_IP, IP_TOS, (void *)&origpriority, sizeof(origpriority))) { /* SO_PRIORITY doesn't seem to work */
923 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
928 #if defined(IPV6_TCLASS)
931 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting IPv6 outgoing packet priority to %d", origpriority);
933 if(setsockopt(listen_socket[sock].udp.fd, IPPROTO_IPV6, IPV6_TCLASS, (void *)&origpriority, sizeof(origpriority))) { /* SO_PRIORITY doesn't seem to work */
934 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
945 if(sendto(listen_socket[sock].udp.fd, (void *)SEQNO(inpkt), inpkt->len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
946 if(sockmsgsize(sockerrno)) {
947 reduce_mtu(n, origlen - 1);
949 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
954 origpkt->len = origlen;
958 bool send_sptps_data(node_t *to, node_t *from, int type, const void *data, size_t len) {
959 size_t origlen = len - SPTPS_DATAGRAM_OVERHEAD;
960 node_t *relay = (to->via != myself && (type == PKT_PROBE || origlen <= to->via->minmtu)) ? to->via : to->nexthop;
961 bool direct = from == myself && to == relay;
962 bool relay_supported = (relay->options >> 24) >= 4;
963 bool tcponly = (myself->options | relay->options) & OPTION_TCPONLY;
965 /* Send it via TCP if it is a handshake packet, TCPOnly is in use, this is a relay packet that the other node cannot understand, or this packet is larger than the MTU. */
967 if(type == SPTPS_HANDSHAKE || tcponly || (!direct && !relay_supported) || (type != PKT_PROBE && origlen > relay->minmtu)) {
968 if(type != SPTPS_HANDSHAKE && (to->nexthop->connection->options >> 24) >= 7) {
969 const size_t buflen = len + sizeof(to->id) + sizeof(from->id);
970 uint8_t *buf = alloca(buflen);
971 uint8_t *buf_ptr = buf;
972 memcpy(buf_ptr, &to->id, sizeof(to->id));
973 buf_ptr += sizeof(to->id);
974 memcpy(buf_ptr, &from->id, sizeof(from->id));
975 buf_ptr += sizeof(from->id);
976 memcpy(buf_ptr, data, len);
977 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s) (TCP)", from->name, from->hostname, to->name, to->hostname, to->nexthop->name, to->nexthop->hostname);
978 return send_sptps_tcppacket(to->nexthop->connection, buf, buflen);
981 char *buf = alloca(B64_SIZE(len));
982 b64encode_tinc(data, buf, len);
984 /* If this is a handshake packet, use ANS_KEY instead of REQ_KEY, for two reasons:
985 - We don't want intermediate nodes to switch to UDP to relay these packets;
986 - ANS_KEY allows us to learn the reflexive UDP address. */
987 if(type == SPTPS_HANDSHAKE) {
988 to->incompression = myself->incompression;
989 return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, from->name, to->name, buf, to->incompression);
991 return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, from->name, to->name, SPTPS_PACKET, buf);
997 if(relay_supported) {
998 overhead += sizeof(to->id) + sizeof(from->id);
1001 char *buf = alloca(len + overhead);
1002 char *buf_ptr = buf;
1004 if(relay_supported) {
1006 /* Inform the recipient that this packet was sent directly. */
1007 node_id_t nullid = {0};
1008 memcpy(buf_ptr, &nullid, sizeof(nullid));
1009 buf_ptr += sizeof(nullid);
1011 memcpy(buf_ptr, &to->id, sizeof(to->id));
1012 buf_ptr += sizeof(to->id);
1015 memcpy(buf_ptr, &from->id, sizeof(from->id));
1016 buf_ptr += sizeof(from->id);
1020 /* TODO: if this copy turns out to be a performance concern, change sptps_send_record() to add some "pre-padding" to the buffer and use that instead */
1021 memcpy(buf_ptr, data, len);
1024 const sockaddr_t *sa = NULL;
1027 if(relay->status.send_locally) {
1028 choose_local_address(relay, &sa, &sock);
1032 choose_udp_address(relay, &sa, &sock);
1035 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s) (UDP)", from->name, from->hostname, to->name, to->hostname, relay->name, relay->hostname);
1037 if(sendto(listen_socket[sock].udp.fd, buf, buf_ptr - buf, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
1038 if(sockmsgsize(sockerrno)) {
1039 reduce_mtu(relay, (int)origlen - 1);
1041 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", relay->name, relay->hostname, sockstrerror(sockerrno));
1049 bool receive_sptps_record(void *handle, uint8_t type, const void *data, uint16_t len) {
1050 node_t *from = handle;
1052 if(type == SPTPS_HANDSHAKE) {
1053 if(!from->status.validkey) {
1054 from->status.validkey = true;
1055 from->status.waitingforkey = false;
1056 logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) successful", from->name, from->hostname);
1063 logger(DEBUG_ALWAYS, LOG_ERR, "Packet from %s (%s) larger than maximum supported size (%d > %d)", from->name, from->hostname, len, MTU);
1068 inpkt.offset = DEFAULT_PACKET_OFFSET;
1071 if(type == PKT_PROBE) {
1072 if(!from->status.udppacket) {
1073 logger(DEBUG_ALWAYS, LOG_ERR, "Got SPTPS PROBE packet from %s (%s) via TCP", from->name, from->hostname);
1078 memcpy(DATA(&inpkt), data, len);
1080 if(inpkt.len > from->maxrecentlen) {
1081 from->maxrecentlen = inpkt.len;
1084 udp_probe_h(from, &inpkt, len);
1088 if(type & ~(PKT_COMPRESSED | PKT_MAC)) {
1089 logger(DEBUG_ALWAYS, LOG_ERR, "Unexpected SPTPS record type %d len %d from %s (%s)", type, len, from->name, from->hostname);
1093 /* Check if we have the headers we need */
1094 if(routing_mode != RMODE_ROUTER && !(type & PKT_MAC)) {
1095 logger(DEBUG_TRAFFIC, LOG_ERR, "Received packet from %s (%s) without MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
1097 } else if(routing_mode == RMODE_ROUTER && (type & PKT_MAC)) {
1098 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received packet from %s (%s) with MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
1101 int offset = (type & PKT_MAC) ? 0 : 14;
1103 if(type & PKT_COMPRESSED) {
1104 length_t ulen = uncompress_packet(DATA(&inpkt) + offset, (const uint8_t *)data, len, from->incompression);
1109 inpkt.len = ulen + offset;
1112 if(inpkt.len > MAXSIZE) {
1116 memcpy(DATA(&inpkt) + offset, data, len);
1117 inpkt.len = len + offset;
1120 /* Generate the Ethernet packet type if necessary */
1122 switch(DATA(&inpkt)[14] >> 4) {
1124 DATA(&inpkt)[12] = 0x08;
1125 DATA(&inpkt)[13] = 0x00;
1129 DATA(&inpkt)[12] = 0x86;
1130 DATA(&inpkt)[13] = 0xDD;
1134 logger(DEBUG_TRAFFIC, LOG_ERR,
1135 "Unknown IP version %d while reading packet from %s (%s)",
1136 DATA(&inpkt)[14] >> 4, from->name, from->hostname);
1141 if(from->status.udppacket && inpkt.len > from->maxrecentlen) {
1142 from->maxrecentlen = inpkt.len;
1145 receive_packet(from, &inpkt);
1149 // This function tries to get SPTPS keys, if they aren't already known.
1150 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if the keys are available.
1151 static void try_sptps(node_t *n) {
1152 if(n->status.validkey) {
1156 logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
1158 if(!n->status.waitingforkey) {
1160 } else if(n->last_req_key + 10 < now.tv_sec) {
1161 logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
1162 sptps_stop(&n->sptps);
1163 n->status.waitingforkey = false;
1170 static void send_udp_probe_packet(node_t *n, size_t len) {
1171 vpn_packet_t packet;
1173 if(len > sizeof(packet.data)) {
1174 logger(DEBUG_TRAFFIC, LOG_INFO, "Truncating probe length %lu to %s (%s)", (unsigned long)len, n->name, n->hostname);
1175 len = sizeof(packet.data);
1178 len = MAX(len, MIN_PROBE_SIZE);
1179 packet.offset = DEFAULT_PACKET_OFFSET;
1180 memset(DATA(&packet), 0, 14);
1181 randomize(DATA(&packet) + 14, len - 14);
1183 packet.priority = 0;
1185 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending UDP probe length %lu to %s (%s)", (unsigned long)len, n->name, n->hostname);
1187 send_udppacket(n, &packet);
1190 // This function tries to establish a UDP tunnel to a node so that packets can be sent.
1191 // If a tunnel is already established, it makes sure it stays up.
1192 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if UDP is usable.
1193 static void try_udp(node_t *n) {
1194 if(!udp_discovery) {
1198 /* Send gratuitous probe replies to 1.1 nodes. */
1200 if((n->options >> 24) >= 3 && n->status.udp_confirmed) {
1201 struct timeval ping_tx_elapsed;
1202 timersub(&now, &n->udp_reply_sent, &ping_tx_elapsed);
1204 if(ping_tx_elapsed.tv_sec >= udp_discovery_keepalive_interval - 1) {
1205 n->udp_reply_sent = now;
1207 if(n->maxrecentlen) {
1209 pkt.len = n->maxrecentlen;
1210 pkt.offset = DEFAULT_PACKET_OFFSET;
1211 memset(DATA(&pkt), 0, 14);
1212 randomize(DATA(&pkt) + 14, MIN_PROBE_SIZE - 14);
1213 send_udp_probe_reply(n, &pkt, pkt.len);
1214 n->maxrecentlen = 0;
1221 struct timeval ping_tx_elapsed;
1222 timersub(&now, &n->udp_ping_sent, &ping_tx_elapsed);
1224 int interval = n->status.udp_confirmed
1225 ? udp_discovery_keepalive_interval
1226 : udp_discovery_interval;
1228 if(ping_tx_elapsed.tv_sec >= interval) {
1229 gettimeofday(&now, NULL);
1230 n->udp_ping_sent = now; // a probe in flight
1231 n->status.ping_sent = true;
1232 send_udp_probe_packet(n, MIN_PROBE_SIZE);
1234 if(localdiscovery && !n->status.udp_confirmed && n->prevedge) {
1235 n->status.send_locally = true;
1236 send_udp_probe_packet(n, MIN_PROBE_SIZE);
1237 n->status.send_locally = false;
1242 static length_t choose_initial_maxmtu(node_t *n) {
1247 const sockaddr_t *sa = NULL;
1249 choose_udp_address(n, &sa, &sockindex);
1255 sock = socket(sa->sa.sa_family, SOCK_DGRAM, IPPROTO_UDP);
1258 logger(DEBUG_TRAFFIC, LOG_ERR, "Creating MTU assessment socket for %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
1262 if(connect(sock, &sa->sa, SALEN(sa->sa))) {
1263 logger(DEBUG_TRAFFIC, LOG_ERR, "Connecting MTU assessment socket for %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
1269 socklen_t ip_mtu_len = sizeof(ip_mtu);
1271 if(getsockopt(sock, IPPROTO_IP, IP_MTU, (void *)&ip_mtu, &ip_mtu_len)) {
1272 logger(DEBUG_TRAFFIC, LOG_ERR, "getsockopt(IP_MTU) on %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
1279 if(ip_mtu < MINMTU) {
1280 logger(DEBUG_TRAFFIC, LOG_ERR, "getsockopt(IP_MTU) on %s (%s) returned absurdly small value: %d", n->name, n->hostname, ip_mtu);
1284 /* getsockopt(IP_MTU) returns the MTU of the physical interface.
1285 We need to remove various overheads to get to the tinc MTU. */
1286 length_t mtu = ip_mtu;
1287 mtu -= (sa->sa.sa_family == AF_INET6) ? sizeof(struct ip6_hdr) : sizeof(struct ip);
1290 if(n->status.sptps) {
1291 mtu -= SPTPS_DATAGRAM_OVERHEAD;
1293 if((n->options >> 24) >= 4) {
1294 mtu -= sizeof(node_id_t) + sizeof(node_id_t);
1297 #ifndef DISABLE_LEGACY
1299 mtu -= digest_length(n->outdigest);
1301 /* Now it's tricky. We use CBC mode, so the length of the
1302 encrypted payload must be a multiple of the blocksize. The
1303 sequence number is also part of the encrypted payload, so we
1304 must account for it after correcting for the blocksize.
1305 Furthermore, the padding in the last block must be at least
1308 length_t blocksize = cipher_blocksize(n->outcipher);
1324 logger(DEBUG_TRAFFIC, LOG_INFO, "Using system-provided maximum tinc MTU for %s (%s): %hd", n->name, n->hostname, mtu);
1333 /* This function tries to determines the MTU of a node.
1334 By calling this function repeatedly, n->minmtu will be progressively
1335 increased, and at some point, n->mtu will be fixed to n->minmtu. If the MTU
1336 is already fixed, this function checks if it can be increased.
1339 static void try_mtu(node_t *n) {
1340 if(!(n->options & OPTION_PMTU_DISCOVERY)) {
1344 if(udp_discovery && !n->status.udp_confirmed) {
1345 n->maxrecentlen = 0;
1352 /* mtuprobes == 0..19: initial discovery, send bursts with 1 second interval, mtuprobes++
1353 mtuprobes == 20: fix MTU, and go to -1
1354 mtuprobes == -1: send one maxmtu and one maxmtu+1 probe every pinginterval
1355 mtuprobes ==-2..-3: send one maxmtu probe every second
1356 mtuprobes == -4: maxmtu no longer valid, reset minmtu and maxmtu and go to 0 */
1358 struct timeval elapsed;
1359 timersub(&now, &n->mtu_ping_sent, &elapsed);
1361 if(n->mtuprobes >= 0) {
1362 if(n->mtuprobes != 0 && elapsed.tv_sec == 0 && elapsed.tv_usec < 333333) {
1366 if(n->mtuprobes < -1) {
1367 if(elapsed.tv_sec < 1) {
1371 if(elapsed.tv_sec < pinginterval) {
1377 n->mtu_ping_sent = now;
1381 if(n->mtuprobes < -3) {
1382 /* We lost three MTU probes, restart discovery */
1383 logger(DEBUG_TRAFFIC, LOG_INFO, "Decrease in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
1388 if(n->mtuprobes < 0) {
1389 /* After the initial discovery, we only send one maxmtu and one
1390 maxmtu+1 probe to detect PMTU increases. */
1391 send_udp_probe_packet(n, n->maxmtu);
1393 if(n->mtuprobes == -1 && n->maxmtu + 1 < MTU) {
1394 send_udp_probe_packet(n, n->maxmtu + 1);
1399 /* Before initial discovery begins, set maxmtu to the most likely value.
1400 If it's underestimated, we will correct it after initial discovery. */
1401 if(n->mtuprobes == 0) {
1402 n->maxmtu = choose_initial_maxmtu(n);
1406 /* Decreasing the number of probes per cycle might make the algorithm react faster to lost packets,
1407 but it will typically increase convergence time in the no-loss case. */
1408 const length_t probes_per_cycle = 8;
1410 /* This magic value was determined using math simulations.
1411 It will result in a 1329-byte first probe, followed (if there was a reply) by a 1407-byte probe.
1412 Since 1407 is just below the range of tinc MTUs over typical networks,
1413 this fine-tuning allows tinc to cover a lot of ground very quickly.
1414 This fine-tuning is only valid for maxmtu = MTU; if maxmtu is smaller,
1415 then it's better to use a multiplier of 1. Indeed, this leads to an interesting scenario
1416 if choose_initial_maxmtu() returns the actual MTU value - it will get confirmed with one single probe. */
1417 const float multiplier = (n->maxmtu == MTU) ? 0.97f : 1.0f;
1419 const float cycle_position = (float) probes_per_cycle - (float)(n->mtuprobes % probes_per_cycle) - 1.0f;
1420 const length_t minmtu = MAX(n->minmtu, MINMTU);
1421 const float interval = (float)(n->maxmtu - minmtu);
1423 length_t offset = 0;
1425 /* powf can be underflowed if n->maxmtu is less than 512 due to the minmtu MAX bound */
1427 /* The core of the discovery algorithm is this exponential.
1428 It produces very large probes early in the cycle, and then it very quickly decreases the probe size.
1429 This reflects the fact that in the most difficult cases, we don't get any feedback for probes that
1430 are too large, and therefore we need to concentrate on small offsets so that we can quickly converge
1431 on the precise MTU as we are approaching it.
1432 The last probe of the cycle is always 1 byte in size - this is to make sure we'll get at least one
1433 reply per cycle so that we can make progress. */
1434 offset = lrintf(powf(interval, multiplier * cycle_position / (float)(probes_per_cycle - 1)));
1437 length_t maxmtu = n->maxmtu;
1438 send_udp_probe_packet(n, minmtu + offset);
1440 /* If maxmtu changed, it means the probe was rejected by the system because it was too large.
1441 In that case, we recalculate with the new maxmtu and try again. */
1442 if(n->mtuprobes < 0 || maxmtu == n->maxmtu) {
1447 if(n->mtuprobes >= 0) {
1453 /* These functions try to establish a tunnel to a node (or its relay) so that
1454 packets can be sent (e.g. exchange keys).
1455 If a tunnel is already established, it tries to improve it (e.g. by trying
1456 to establish a UDP tunnel instead of TCP). This function makes no
1457 guarantees - it is up to the caller to check the node's state to figure out
1458 if TCP and/or UDP is usable. By calling this function repeatedly, the
1459 tunnel is gradually improved until we hit the wall imposed by the underlying
1460 network environment. It is recommended to call this function every time a
1461 packet is sent (or intended to be sent) to a node, so that the tunnel keeps
1462 improving as packets flow, and then gracefully downgrades itself as it goes
1466 static void try_tx_sptps(node_t *n, bool mtu) {
1467 /* If n is a TCP-only neighbor, we'll only use "cleartext" PACKET
1468 messages anyway, so there's no need for SPTPS at all. */
1470 if(n->connection && ((myself->options | n->options) & OPTION_TCPONLY)) {
1474 /* Otherwise, try to do SPTPS authentication with n if necessary. */
1478 /* Do we need to statically relay packets? */
1480 node_t *via = (n->via == myself) ? n->nexthop : n->via;
1482 /* If we do have a static relay, try everything with that one instead, if it supports relaying. */
1485 if((via->options >> 24) < 4) {
1493 /* Otherwise, try to establish UDP connectivity. */
1501 /* If we don't have UDP connectivity (yet), we need to use a dynamic relay (nexthop)
1502 while we try to establish direct connectivity. */
1504 if(!n->status.udp_confirmed && n != n->nexthop && (n->nexthop->options >> 24) >= 4) {
1505 try_tx(n->nexthop, mtu);
1509 static void try_tx_legacy(node_t *n, bool mtu) {
1510 /* Does he have our key? If not, send one. */
1512 if(!n->status.validkey_in) {
1516 /* Check if we already have a key, or request one. */
1518 if(!n->status.validkey) {
1519 if(n->last_req_key + 10 <= now.tv_sec) {
1521 n->last_req_key = now.tv_sec;
1534 void try_tx(node_t *n, bool mtu) {
1535 if(!n->status.reachable) {
1539 if(n->status.sptps) {
1540 try_tx_sptps(n, mtu);
1542 try_tx_legacy(n, mtu);
1546 void send_packet(node_t *n, vpn_packet_t *packet) {
1547 // If it's for myself, write it to the tun/tap device.
1551 memcpy(DATA(packet), mymac.x, ETH_ALEN);
1552 // Use an arbitrary fake source address.
1553 memcpy(DATA(packet) + ETH_ALEN, DATA(packet), ETH_ALEN);
1554 DATA(packet)[ETH_ALEN * 2 - 1] ^= 0xFF;
1558 n->out_bytes += packet->len;
1559 devops.write(packet);
1563 logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)", packet->len, n->name, n->hostname);
1565 // If the node is not reachable, drop it.
1567 if(!n->status.reachable) {
1568 logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable", n->name, n->hostname);
1572 // Keep track of packet statistics.
1575 n->out_bytes += packet->len;
1577 // Check if it should be sent as an SPTPS packet.
1579 if(n->status.sptps) {
1580 send_sptps_packet(n, packet);
1585 // Determine which node to actually send it to.
1587 node_t *via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
1590 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet to %s via %s (%s)", n->name, via->name, n->via->hostname);
1593 // Try to send via UDP, unless TCP is forced.
1595 if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
1596 if(!send_tcppacket(via->connection, packet)) {
1597 terminate_connection(via->connection, true);
1603 send_udppacket(via, packet);
1607 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
1608 // Always give ourself a copy of the packet.
1609 if(from != myself) {
1610 send_packet(myself, packet);
1613 // In TunnelServer mode, do not forward broadcast packets.
1614 // The MST might not be valid and create loops.
1615 if(tunnelserver || broadcast_mode == BMODE_NONE) {
1619 logger(DEBUG_TRAFFIC, LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
1620 packet->len, from->name, from->hostname);
1622 switch(broadcast_mode) {
1623 // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
1624 // This guarantees all nodes receive the broadcast packet, and
1625 // usually distributes the sending of broadcast packets over all nodes.
1627 for list_each(connection_t, c, &connection_list)
1628 if(c->edge && c->status.mst && c != from->nexthop->connection) {
1629 send_packet(c->node, packet);
1634 // In direct mode, we send copies to each node we know of.
1635 // However, this only reaches nodes that can be reached in a single hop.
1636 // We don't have enough information to forward broadcast packets in this case.
1638 if(from != myself) {
1642 for splay_each(node_t, n, &node_tree)
1643 if(n->status.reachable && n != myself && ((n->via == myself && n->nexthop == n) || n->via == n)) {
1644 send_packet(n, packet);
1655 /* We got a packet from some IP address, but we don't know who sent it. Try to
1656 verify the message authentication code against all active session keys.
1657 Since this is actually an expensive operation, we only do a full check once
1658 a minute, the rest of the time we only check against nodes for which we know
1659 an IP address that matches the one from the packet. */
1661 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
1662 node_t *match = NULL;
1664 static time_t last_hard_try = 0;
1666 for splay_each(node_t, n, &node_tree) {
1667 if(!n->status.reachable || n == myself) {
1671 if(!n->status.validkey_in && !(n->status.sptps && n->sptps.instate)) {
1677 for splay_each(edge_t, e, &n->edge_tree) {
1682 if(!sockaddrcmp_noport(from, &e->reverse->address)) {
1689 if(last_hard_try == now.tv_sec) {
1696 if(!try_mac(n, pkt)) {
1705 last_hard_try = now.tv_sec;
1711 static void handle_incoming_vpn_packet(listen_socket_t *ls, vpn_packet_t *pkt, sockaddr_t *addr) {
1713 node_id_t nullid = {0};
1715 bool direct = false;
1717 sockaddrunmap(addr); /* Some braindead IPv6 implementations do stupid things. */
1719 // Try to figure out who sent this packet.
1721 node_t *n = lookup_node_udp(addr);
1723 if(n && !n->status.udp_confirmed) {
1724 n = NULL; // Don't believe it if we don't have confirmation yet.
1728 // It might be from a 1.1 node, which might have a source ID in the packet.
1729 pkt->offset = 2 * sizeof(node_id_t);
1730 from = lookup_node_id(SRCID(pkt));
1732 if(from && from->status.sptps && !memcmp(DSTID(pkt), &nullid, sizeof(nullid))) {
1733 if(sptps_verify_datagram(&from->sptps, DATA(pkt), pkt->len - 2 * sizeof(node_id_t))) {
1743 n = try_harder(addr, pkt);
1749 if(debug_level >= DEBUG_PROTOCOL) {
1750 hostname = sockaddr2hostname(addr);
1751 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
1760 if(n->status.sptps) {
1761 bool relay_enabled = (n->options >> 24) >= 4;
1764 pkt->offset = 2 * sizeof(node_id_t);
1765 pkt->len -= pkt->offset;
1768 if(!relay_enabled || !memcmp(DSTID(pkt), &nullid, sizeof(nullid))) {
1773 from = lookup_node_id(SRCID(pkt));
1774 to = lookup_node_id(DSTID(pkt));
1778 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from %s (%s) with unknown source and/or destination ID", n->name, n->hostname);
1782 if(!to->status.reachable) {
1783 /* This can happen in the form of a race condition
1784 if the node just became unreachable. */
1785 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot relay packet from %s (%s) because the destination, %s (%s), is unreachable", from->name, from->hostname, to->name, to->hostname);
1789 /* The packet is supposed to come from the originator or its static relay
1790 (i.e. with no dynamic relays in between).
1791 If it did not, "help" the static relay by sending it UDP info.
1792 Note that we only do this if we're the destination or the static relay;
1793 otherwise every hop would initiate its own UDP info message, resulting in elevated chatter. */
1795 if(n != from->via && to->via == myself) {
1796 send_udp_info(myself, from);
1799 /* If we're not the final recipient, relay the packet. */
1802 send_sptps_data(to, from, 0, DATA(pkt), pkt->len);
1811 if(!receive_udppacket(from, pkt)) {
1815 n->sock = ls - listen_socket;
1817 if(direct && sockaddrcmp(addr, &n->address)) {
1818 update_node_udp(n, addr);
1821 /* If the packet went through a relay, help the sender find the appropriate MTU
1822 through the relay path. */
1825 send_mtu_info(myself, n, MTU);
1829 void handle_incoming_vpn_data(void *data, int flags) {
1832 listen_socket_t *ls = data;
1834 #ifdef HAVE_RECVMMSG
1836 static ssize_t num = MAX_MSG;
1837 static vpn_packet_t pkt[MAX_MSG];
1838 static sockaddr_t addr[MAX_MSG];
1839 static struct mmsghdr msg[MAX_MSG];
1840 static struct iovec iov[MAX_MSG];
1842 for(int i = 0; i < num; i++) {
1845 iov[i] = (struct iovec) {
1846 .iov_base = DATA(&pkt[i]),
1850 msg[i].msg_hdr = (struct msghdr) {
1851 .msg_name = &addr[i].sa,
1852 .msg_namelen = sizeof(addr)[i],
1858 num = recvmmsg(ls->udp.fd, msg, MAX_MSG, MSG_DONTWAIT, NULL);
1861 if(!sockwouldblock(sockerrno)) {
1862 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
1868 for(int i = 0; i < num; i++) {
1869 pkt[i].len = msg[i].msg_len;
1871 if(pkt[i].len <= 0 || pkt[i].len > MAXSIZE) {
1875 handle_incoming_vpn_packet(ls, &pkt[i], &addr[i]);
1880 sockaddr_t addr = {0};
1881 socklen_t addrlen = sizeof(addr);
1884 ssize_t len = recvfrom(ls->udp.fd, (void *)DATA(&pkt), MAXSIZE, 0, &addr.sa, &addrlen);
1886 if(len <= 0 || (size_t)len > MAXSIZE) {
1887 if(!sockwouldblock(sockerrno)) {
1888 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
1896 handle_incoming_vpn_packet(ls, &pkt, &addr);
1900 void handle_device_data(void *data, int flags) {
1903 vpn_packet_t packet;
1904 packet.offset = DEFAULT_PACKET_OFFSET;
1905 packet.priority = 0;
1906 static int errors = 0;
1908 if(devops.read(&packet)) {
1910 myself->in_packets++;
1911 myself->in_bytes += packet.len;
1912 route(myself, &packet);
1914 sleep_millis(errors * 50);
1918 logger(DEBUG_ALWAYS, LOG_ERR, "Too many errors from %s, exiting!", device);
projects / tinc / blob