2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2014 Guus Sliepen <guus@tinc-vpn.org>
5 2010 Timothy Redaelli <timothy@redaelli.eu>
6 2010 Brandon Black <blblack@gmail.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
35 #include "connection.h"
50 #define MAX(a, b) ((a) > (b) ? (a) : (b))
55 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
58 static void send_udppacket(node_t *, vpn_packet_t *);
60 unsigned replaywin = 16;
61 bool localdiscovery = true;
62 bool udp_discovery = true;
63 int udp_discovery_interval = 9;
64 int udp_discovery_timeout = 30;
66 #define MAX_SEQNO 1073741824
68 static void send_udp_probe_packet(node_t *n, int len) {
70 packet.offset = DEFAULT_PACKET_OFFSET;
71 memset(DATA(&packet), 0, 14);
72 randomize(DATA(&packet) + 14, len - 14);
76 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending UDP probe length %d to %s (%s)", len, n->name, n->hostname);
78 send_udppacket(n, &packet);
81 static void send_mtu_probe_handler(void *data) {
84 if(!n->status.reachable || !n->status.validkey) {
85 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send MTU probe to unreachable or rekeying node %s (%s)", n->name, n->hostname);
90 /* mtuprobes == 1..30: initial discovery, send bursts with 1 second interval
91 mtuprobes == 31: sleep pinginterval seconds
92 mtuprobes == 32: send 1 burst, sleep pingtimeout second
93 mtuprobes == 33: no response from other side, restart PMTU discovery process */
98 if(n->mtuprobes > 32) {
101 timeout = pinginterval;
105 logger(DEBUG_TRAFFIC, LOG_INFO, "%s (%s) did not respond to UDP ping, restarting PMTU discovery", n->name, n->hostname);
106 n->status.udp_confirmed = false;
112 if(n->mtuprobes >= 10 && n->mtuprobes < 32 && !n->minmtu) {
113 logger(DEBUG_TRAFFIC, LOG_INFO, "No response to MTU probes from %s (%s)", n->name, n->hostname);
117 if(n->mtuprobes == 30 || (n->mtuprobes < 30 && n->minmtu >= n->maxmtu)) {
118 if(n->minmtu > n->maxmtu)
119 n->minmtu = n->maxmtu;
121 n->maxmtu = n->minmtu;
123 logger(DEBUG_TRAFFIC, LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
127 if(n->mtuprobes == 31) {
128 timeout = pinginterval;
130 } else if(n->mtuprobes == 32) {
131 timeout = pingtimeout;
134 /* After the initial discovery, a fourth packet is added to each batch with a
135 size larger than the currently known PMTU, to test if the PMTU has increased. */
136 if (n->mtuprobes >= 30 && n->maxmtu + 8 < MTU)
137 send_udp_probe_packet(n, n->maxmtu + 8);
139 /* Probes are sent in batches of three, with random sizes between the
140 lower and upper boundaries for the MTU thus far discovered. */
141 for (int i = 0; i < 3; i++) {
143 if(n->minmtu < n->maxmtu)
144 len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
146 send_udp_probe_packet(n, MAX(len, 64));
149 /* In case local discovery is enabled, another packet is added to each batch,
150 which will be broadcast to the local network. */
151 if(localdiscovery && n->mtuprobes <= 10 && n->prevedge) {
152 n->status.send_locally = true;
153 send_udp_probe_packet(n, 16);
154 n->status.send_locally = false;
157 n->probe_counter = 0;
158 gettimeofday(&n->probe_time, NULL);
160 /* Calculate the packet loss of incoming traffic by comparing the rate of
161 packets received to the rate with which the sequence number has increased.
164 if(n->received > n->prev_received)
165 n->packetloss = 1.0 - (n->received - n->prev_received) / (float)(n->received_seqno - n->prev_received_seqno);
167 n->packetloss = n->received_seqno <= n->prev_received_seqno;
169 n->prev_received_seqno = n->received_seqno;
170 n->prev_received = n->received;
173 timeout_set(&n->mtutimeout, &(struct timeval){timeout, rand() % 100000});
176 void send_mtu_probe(node_t *n) {
177 timeout_add(&n->mtutimeout, send_mtu_probe_handler, n, &(struct timeval){1, 0});
178 send_mtu_probe_handler(n);
181 static void udp_probe_timeout_handler(void *data) {
183 if(!n->status.udp_confirmed)
186 logger(DEBUG_TRAFFIC, LOG_INFO, "Too much time has elapsed since last UDP ping response from %s (%s), stopping UDP communication", n->name, n->hostname);
187 n->status.udp_confirmed = false;
193 static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
194 if(!DATA(packet)[0]) {
195 logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request %d from %s (%s)", packet->len, n->name, n->hostname);
197 /* It's a probe request, send back a reply */
199 /* Type 2 probe replies were introduced in protocol 17.3 */
200 if ((n->options >> 24) >= 3) {
201 uint8_t *data = DATA(packet);
203 uint16_t len16 = htons(len); memcpy(data, &len16, 2); data += 2;
205 gettimeofday(&now, NULL);
206 uint32_t sec = htonl(now.tv_sec); memcpy(data, &sec, 4); data += 4;
207 uint32_t usec = htonl(now.tv_usec); memcpy(data, &usec, 4); data += 4;
210 /* Legacy protocol: n won't understand type 2 probe replies. */
214 /* Temporarily set udp_confirmed, so that the reply is sent
215 back exactly the way it came in. */
217 bool udp_confirmed = n->status.udp_confirmed;
218 n->status.udp_confirmed = true;
219 send_udppacket(n, packet);
220 n->status.udp_confirmed = udp_confirmed;
222 length_t probelen = len;
223 if (DATA(packet)[0] == 2) {
225 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received invalid (too short) UDP probe reply from %s (%s)", n->name, n->hostname);
227 uint16_t probelen16; memcpy(&probelen16, DATA(packet) + 1, 2); probelen = ntohs(probelen16);
230 logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], probelen, n->name, n->hostname);
232 /* It's a valid reply: now we know bidirectional communication
233 is possible using the address and socket that the reply
235 n->status.udp_confirmed = true;
238 timeout_del(&n->udp_ping_timeout);
239 timeout_add(&n->udp_ping_timeout, &udp_probe_timeout_handler, n, &(struct timeval){udp_discovery_timeout, 0});
242 /* If we haven't established the PMTU yet, restart the discovery process. */
244 if(n->mtuprobes > 30) {
245 if (probelen == n->maxmtu + 8) {
246 logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
258 /* If applicable, raise the minimum supported MTU */
260 if(probelen > n->maxmtu)
261 probelen = n->maxmtu;
262 if(n->minmtu < probelen)
263 n->minmtu = probelen;
265 /* Calculate RTT and bandwidth.
266 The RTT is the time between the MTU probe burst was sent and the first
267 reply is received. The bandwidth is measured using the time between the
268 arrival of the first and third probe reply (or type 2 probe requests).
271 struct timeval now, diff;
272 gettimeofday(&now, NULL);
273 timersub(&now, &n->probe_time, &diff);
275 struct timeval probe_timestamp = now;
276 if (DATA(packet)[0] == 2 && packet->len >= 11) {
277 uint32_t sec; memcpy(&sec, DATA(packet) + 3, 4);
278 uint32_t usec; memcpy(&usec, DATA(packet) + 7, 4);
279 probe_timestamp.tv_sec = ntohl(sec);
280 probe_timestamp.tv_usec = ntohl(usec);
285 if(n->probe_counter == 1) {
286 n->rtt = diff.tv_sec + diff.tv_usec * 1e-6;
287 n->probe_time = probe_timestamp;
288 } else if(n->probe_counter == 3) {
289 struct timeval probe_timestamp_diff;
290 timersub(&probe_timestamp, &n->probe_time, &probe_timestamp_diff);
291 n->bandwidth = 2.0 * probelen / (probe_timestamp_diff.tv_sec + probe_timestamp_diff.tv_usec * 1e-6);
292 logger(DEBUG_TRAFFIC, LOG_DEBUG, "%s (%s) RTT %.2f ms, burst bandwidth %.3f Mbit/s, rx packet loss %.2f %%", n->name, n->hostname, n->rtt * 1e3, n->bandwidth * 8e-6, n->packetloss * 1e2);
297 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
299 memcpy(dest, source, len);
301 } else if(level == 10) {
303 lzo_uint lzolen = MAXSIZE;
304 lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
309 } else if(level < 10) {
311 unsigned long destlen = MAXSIZE;
312 if(compress2(dest, &destlen, source, len, level) == Z_OK)
319 lzo_uint lzolen = MAXSIZE;
320 lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
330 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
332 memcpy(dest, source, len);
334 } else if(level > 9) {
336 lzo_uint lzolen = MAXSIZE;
337 if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
345 unsigned long destlen = MAXSIZE;
346 if(uncompress(dest, &destlen, source, len) == Z_OK)
358 static void receive_packet(node_t *n, vpn_packet_t *packet) {
359 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
360 packet->len, n->name, n->hostname);
363 n->in_bytes += packet->len;
368 static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
370 return sptps_verify_datagram(&n->sptps, DATA(inpkt), inpkt->len);
372 #ifdef DISABLE_LEGACY
375 if(!digest_active(n->indigest) || inpkt->len < sizeof(seqno_t) + digest_length(n->indigest))
378 return digest_verify(n->indigest, SEQNO(inpkt), inpkt->len - digest_length(n->indigest), DATA(inpkt) + inpkt->len - digest_length(n->indigest));
382 static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
383 vpn_packet_t pkt1, pkt2;
384 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
387 pkt1.offset = DEFAULT_PACKET_OFFSET;
388 pkt2.offset = DEFAULT_PACKET_OFFSET;
390 if(n->status.sptps) {
391 if(!n->sptps.state) {
392 if(!n->status.waitingforkey) {
393 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but we haven't exchanged keys yet", n->name, n->hostname);
396 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
400 inpkt->offset += 2 * sizeof(node_id_t);
401 if(!sptps_receive_data(&n->sptps, DATA(inpkt), inpkt->len - 2 * sizeof(node_id_t))) {
402 logger(DEBUG_TRAFFIC, LOG_ERR, "Got bad packet from %s (%s)", n->name, n->hostname);
408 #ifdef DISABLE_LEGACY
411 if(!n->status.validkey) {
412 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
416 /* Check packet length */
418 if(inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) {
419 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
420 n->name, n->hostname);
424 /* It's a legacy UDP packet, the data starts after the seqno */
426 inpkt->offset += sizeof(seqno_t);
428 /* Check the message authentication code */
430 if(digest_active(n->indigest)) {
431 inpkt->len -= digest_length(n->indigest);
432 if(!digest_verify(n->indigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
433 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
437 /* Decrypt the packet */
439 if(cipher_active(n->incipher)) {
440 vpn_packet_t *outpkt = pkt[nextpkt++];
443 if(!cipher_decrypt(n->incipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
444 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
448 outpkt->len = outlen;
452 /* Check the sequence number */
455 memcpy(&seqno, SEQNO(inpkt), sizeof seqno);
456 seqno = ntohl(seqno);
457 inpkt->len -= sizeof seqno;
460 if(seqno != n->received_seqno + 1) {
461 if(seqno >= n->received_seqno + replaywin * 8) {
462 if(n->farfuture++ < replaywin >> 2) {
463 logger(DEBUG_ALWAYS, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
464 n->name, n->hostname, seqno - n->received_seqno - 1, n->farfuture);
467 logger(DEBUG_ALWAYS, LOG_WARNING, "Lost %d packets from %s (%s)",
468 seqno - n->received_seqno - 1, n->name, n->hostname);
469 memset(n->late, 0, replaywin);
470 } else if (seqno <= n->received_seqno) {
471 if((n->received_seqno >= replaywin * 8 && seqno <= n->received_seqno - replaywin * 8) || !(n->late[(seqno / 8) % replaywin] & (1 << seqno % 8))) {
472 logger(DEBUG_ALWAYS, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
473 n->name, n->hostname, seqno, n->received_seqno);
477 for(int i = n->received_seqno + 1; i < seqno; i++)
478 n->late[(i / 8) % replaywin] |= 1 << i % 8;
483 n->late[(seqno / 8) % replaywin] &= ~(1 << seqno % 8);
486 if(seqno > n->received_seqno)
487 n->received_seqno = seqno;
491 if(n->received_seqno > MAX_SEQNO)
494 /* Decompress the packet */
496 length_t origlen = inpkt->len;
498 if(n->incompression) {
499 vpn_packet_t *outpkt = pkt[nextpkt++];
501 if((outpkt->len = uncompress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->incompression)) < 0) {
502 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)",
503 n->name, n->hostname);
509 origlen -= MTU/64 + 20;
514 if(!DATA(inpkt)[12] && !DATA(inpkt)[13])
515 udp_probe_h(n, inpkt, origlen);
517 receive_packet(n, inpkt);
522 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
524 outpkt.offset = DEFAULT_PACKET_OFFSET;
526 if(len > sizeof outpkt.data - outpkt.offset)
530 if(c->options & OPTION_TCPONLY)
533 outpkt.priority = -1;
534 memcpy(DATA(&outpkt), buffer, len);
536 receive_packet(c->node, &outpkt);
539 static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
540 if(!n->status.validkey && !n->connection)
546 if(!(DATA(origpkt)[12] | DATA(origpkt)[13])) {
547 sptps_send_record(&n->sptps, PKT_PROBE, (char *)DATA(origpkt), origpkt->len);
551 if(routing_mode == RMODE_ROUTER)
556 if(origpkt->len < offset)
561 if(n->outcompression) {
563 int len = compress_packet(DATA(&outpkt) + offset, DATA(origpkt) + offset, origpkt->len - offset, n->outcompression);
565 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
566 } else if(len < origpkt->len - offset) {
567 outpkt.len = len + offset;
569 type |= PKT_COMPRESSED;
573 /* If we have a direct metaconnection to n, and we can't use UDP, then
574 don't bother with SPTPS and just use a "plaintext" PACKET message.
575 We don't really care about end-to-end security since we're not
576 sending the message through any intermediate nodes. */
577 if(n->connection && origpkt->len > n->minmtu)
578 send_tcppacket(n->connection, origpkt);
580 sptps_send_record(&n->sptps, type, DATA(origpkt) + offset, origpkt->len - offset);
584 static void adapt_socket(const sockaddr_t *sa, int *sock) {
585 /* Make sure we have a suitable socket for the chosen address */
586 if(listen_socket[*sock].sa.sa.sa_family != sa->sa.sa_family) {
587 for(int i = 0; i < listen_sockets; i++) {
588 if(listen_socket[i].sa.sa.sa_family == sa->sa.sa_family) {
596 static void choose_udp_address(const node_t *n, const sockaddr_t **sa, int *sock) {
601 /* If the UDP address is confirmed, use it. */
602 if(n->status.udp_confirmed)
605 /* Send every third packet to n->address; that could be set
606 to the node's reflexive UDP address discovered during key
615 /* Otherwise, address are found in edges to this node.
616 So we pick a random edge and a random socket. */
619 int j = rand() % n->edge_tree->count;
620 edge_t *candidate = NULL;
622 for splay_each(edge_t, e, n->edge_tree) {
624 candidate = e->reverse;
630 *sa = &candidate->address;
631 *sock = rand() % listen_sockets;
634 adapt_socket(*sa, sock);
637 static void choose_local_address(const node_t *n, const sockaddr_t **sa, int *sock) {
640 /* Pick one of the edges from this node at random, then use its local address. */
643 int j = rand() % n->edge_tree->count;
644 edge_t *candidate = NULL;
646 for splay_each(edge_t, e, n->edge_tree) {
653 if (candidate && candidate->local_address.sa.sa_family) {
654 *sa = &candidate->local_address;
655 *sock = rand() % listen_sockets;
656 adapt_socket(*sa, sock);
660 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
661 vpn_packet_t pkt1, pkt2;
662 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
663 vpn_packet_t *inpkt = origpkt;
665 vpn_packet_t *outpkt;
666 int origlen = origpkt->len;
668 #if defined(SOL_IP) && defined(IP_TOS)
669 static int priority = 0;
670 int origpriority = origpkt->priority;
673 pkt1.offset = DEFAULT_PACKET_OFFSET;
674 pkt2.offset = DEFAULT_PACKET_OFFSET;
676 if(!n->status.reachable) {
677 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
682 return send_sptps_packet(n, origpkt);
684 #ifdef DISABLE_LEGACY
687 /* Make sure we have a valid key */
689 if(!n->status.validkey) {
690 logger(DEBUG_TRAFFIC, LOG_INFO,
691 "No valid key known yet for %s (%s), forwarding via TCP",
692 n->name, n->hostname);
693 send_tcppacket(n->nexthop->connection, origpkt);
697 if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (DATA(inpkt)[12] | DATA(inpkt)[13])) {
698 logger(DEBUG_TRAFFIC, LOG_INFO,
699 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
700 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
703 send_packet(n->nexthop, origpkt);
705 send_tcppacket(n->nexthop->connection, origpkt);
710 /* Compress the packet */
712 if(n->outcompression) {
713 outpkt = pkt[nextpkt++];
715 if((outpkt->len = compress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->outcompression)) < 0) {
716 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)",
717 n->name, n->hostname);
724 /* Add sequence number */
726 seqno_t seqno = htonl(++(n->sent_seqno));
727 memcpy(SEQNO(inpkt), &seqno, sizeof seqno);
728 inpkt->len += sizeof seqno;
730 /* Encrypt the packet */
732 if(cipher_active(n->outcipher)) {
733 outpkt = pkt[nextpkt++];
736 if(!cipher_encrypt(n->outcipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
737 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
741 outpkt->len = outlen;
745 /* Add the message authentication code */
747 if(digest_active(n->outdigest)) {
748 if(!digest_create(n->outdigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
749 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
753 inpkt->len += digest_length(n->outdigest);
756 /* Send the packet */
758 const sockaddr_t *sa = NULL;
761 if(n->status.send_locally)
762 choose_local_address(n, &sa, &sock);
764 choose_udp_address(n, &sa, &sock);
766 #if defined(SOL_IP) && defined(IP_TOS)
767 if(priorityinheritance && origpriority != priority
768 && listen_socket[n->sock].sa.sa.sa_family == AF_INET) {
769 priority = origpriority;
770 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
771 if(setsockopt(listen_socket[n->sock].udp.fd, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
772 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
776 if(sendto(listen_socket[sock].udp.fd, SEQNO(inpkt), inpkt->len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
777 if(sockmsgsize(sockerrno)) {
778 if(n->maxmtu >= origlen)
779 n->maxmtu = origlen - 1;
780 if(n->mtu >= origlen)
781 n->mtu = origlen - 1;
783 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
787 origpkt->len = origlen;
791 static bool send_sptps_data_priv(node_t *to, node_t *from, int type, const void *data, size_t len) {
792 node_t *relay = (to->via != myself && (type == PKT_PROBE || (len - SPTPS_DATAGRAM_OVERHEAD) <= to->via->minmtu)) ? to->via : to->nexthop;
793 bool direct = from == myself && to == relay;
794 bool relay_supported = (relay->options >> 24) >= 4;
795 bool tcponly = (myself->options | relay->options) & OPTION_TCPONLY;
797 /* Send it via TCP if it is a handshake packet, TCPOnly is in use, this is a relay packet that the other node cannot understand, or this packet is larger than the MTU.
798 TODO: When relaying, the original sender does not know the end-to-end PMTU (it only knows the PMTU of the first hop).
799 This can lead to scenarios where large packets are sent over UDP to relay, but then relay has no choice but fall back to TCP. */
801 if(type == SPTPS_HANDSHAKE || tcponly || (!direct && !relay_supported) || (type != PKT_PROBE && (len - SPTPS_DATAGRAM_OVERHEAD) > relay->minmtu)) {
802 char buf[len * 4 / 3 + 5];
803 b64encode(data, buf, len);
804 /* If no valid key is known yet, send the packets using ANS_KEY requests,
805 to ensure we get to learn the reflexive UDP address. */
806 if(from == myself && !to->status.validkey) {
807 to->incompression = myself->incompression;
808 return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, from->name, to->name, buf, to->incompression);
810 return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, from->name, to->name, REQ_SPTPS, buf);
815 if(relay_supported) overhead += sizeof to->id + sizeof from->id;
816 char buf[len + overhead]; char* buf_ptr = buf;
817 if(relay_supported) {
819 /* Inform the recipient that this packet was sent directly. */
820 node_id_t nullid = {};
821 memcpy(buf_ptr, &nullid, sizeof nullid); buf_ptr += sizeof nullid;
823 memcpy(buf_ptr, &to->id, sizeof to->id); buf_ptr += sizeof to->id;
825 memcpy(buf_ptr, &from->id, sizeof from->id); buf_ptr += sizeof from->id;
828 /* TODO: if this copy turns out to be a performance concern, change sptps_send_record() to add some "pre-padding" to the buffer and use that instead */
829 memcpy(buf_ptr, data, len); buf_ptr += len;
831 const sockaddr_t *sa = NULL;
833 if(relay->status.send_locally)
834 choose_local_address(relay, &sa, &sock);
836 choose_udp_address(relay, &sa, &sock);
837 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s)", from->name, from->hostname, to->name, to->hostname, relay->name, relay->hostname);
838 if(sendto(listen_socket[sock].udp.fd, buf, buf_ptr - buf, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
839 if(sockmsgsize(sockerrno)) {
840 // Compensate for SPTPS overhead
841 len -= SPTPS_DATAGRAM_OVERHEAD;
842 if(relay->maxmtu >= len)
843 relay->maxmtu = len - 1;
844 if(relay->mtu >= len)
845 relay->mtu = len - 1;
847 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", relay->name, relay->hostname, sockstrerror(sockerrno));
855 bool send_sptps_data(void *handle, uint8_t type, const void *data, size_t len) {
856 return send_sptps_data_priv(handle, myself, type, data, len);
859 bool receive_sptps_record(void *handle, uint8_t type, const void *data, uint16_t len) {
860 node_t *from = handle;
862 if(type == SPTPS_HANDSHAKE) {
863 if(!from->status.validkey) {
864 from->status.validkey = true;
865 from->status.waitingforkey = false;
866 logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) succesful", from->name, from->hostname);
872 logger(DEBUG_ALWAYS, LOG_ERR, "Packet from %s (%s) larger than maximum supported size (%d > %d)", from->name, from->hostname, len, MTU);
877 inpkt.offset = DEFAULT_PACKET_OFFSET;
879 if(type == PKT_PROBE) {
881 memcpy(DATA(&inpkt), data, len);
882 udp_probe_h(from, &inpkt, len);
886 if(type & ~(PKT_COMPRESSED | PKT_MAC)) {
887 logger(DEBUG_ALWAYS, LOG_ERR, "Unexpected SPTPS record type %d len %d from %s (%s)", type, len, from->name, from->hostname);
891 /* Check if we have the headers we need */
892 if(routing_mode != RMODE_ROUTER && !(type & PKT_MAC)) {
893 logger(DEBUG_TRAFFIC, LOG_ERR, "Received packet from %s (%s) without MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
895 } else if(routing_mode == RMODE_ROUTER && (type & PKT_MAC)) {
896 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received packet from %s (%s) with MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
899 int offset = (type & PKT_MAC) ? 0 : 14;
900 if(type & PKT_COMPRESSED) {
901 length_t ulen = uncompress_packet(DATA(&inpkt) + offset, (const uint8_t *)data, len, from->incompression);
905 inpkt.len = ulen + offset;
907 if(inpkt.len > MAXSIZE)
910 memcpy(DATA(&inpkt) + offset, data, len);
911 inpkt.len = len + offset;
914 /* Generate the Ethernet packet type if necessary */
916 switch(DATA(&inpkt)[14] >> 4) {
918 DATA(&inpkt)[12] = 0x08;
919 DATA(&inpkt)[13] = 0x00;
922 DATA(&inpkt)[12] = 0x86;
923 DATA(&inpkt)[13] = 0xDD;
926 logger(DEBUG_TRAFFIC, LOG_ERR,
927 "Unknown IP version %d while reading packet from %s (%s)",
928 DATA(&inpkt)[14] >> 4, from->name, from->hostname);
933 receive_packet(from, &inpkt);
937 // This function tries to get SPTPS keys, if they aren't already known.
938 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if the keys are available.
939 static void try_sptps(node_t *n) {
940 if(n->status.validkey)
943 logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
945 if(!n->status.waitingforkey)
947 else if(n->last_req_key + 10 < now.tv_sec) {
948 logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
949 sptps_stop(&n->sptps);
950 n->status.waitingforkey = false;
957 // This function tries to establish a UDP tunnel to a node so that packets can be sent.
958 // If a tunnel is already established, it makes sure it stays up.
959 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if UDP is usable.
960 static void try_udp(node_t* n) {
965 gettimeofday(&now, NULL);
966 struct timeval ping_tx_elapsed;
967 timersub(&now, &n->udp_ping_sent, &ping_tx_elapsed);
969 if(ping_tx_elapsed.tv_sec >= udp_discovery_interval) {
970 send_udp_probe_packet(n, MAX(n->minmtu, 16));
971 n->udp_ping_sent = now;
975 // This function tries to establish a tunnel to a node (or its relay) so that packets can be sent (e.g. get SPTPS keys).
976 // If a tunnel is already established, it tries to improve it (e.g. by trying to establish a UDP tunnel instead of TCP).
977 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if TCP and/or UDP is usable.
978 // By calling this function repeatedly, the tunnel is gradually improved until we hit the wall imposed by the underlying network environment.
979 // It is recommended to call this function every time a packet is sent (or intended to be sent) to a node,
980 // so that the tunnel keeps improving as packets flow, and then gracefully downgrades itself as it goes idle.
981 static void try_tx(node_t *n) {
982 /* If n is a TCP-only neighbor, we'll only use "cleartext" PACKET
983 messages anyway, so there's no need for SPTPS at all. Otherwise, get the keys. */
984 if(n->status.sptps && !(n->connection && ((myself->options | n->options) & OPTION_TCPONLY))) {
986 if (!n->status.validkey)
990 node_t *via = (n->via == myself) ? n->nexthop : n->via;
992 if((myself->options | via->options) & OPTION_TCPONLY)
995 if(!n->status.sptps && !via->status.validkey && via->last_req_key + 10 <= now.tv_sec) {
997 via->last_req_key = now.tv_sec;
998 } else if(via == n || !n->status.sptps || (via->options >> 24) >= 4)
1001 /* If we don't know how to reach "via" yet, then try to reach it through a relay. */
1002 if(n->status.sptps && !via->status.udp_confirmed && via->nexthop != via && (via->nexthop->options >> 24) >= 4)
1003 try_tx(via->nexthop);
1007 send a packet to the given vpn ip.
1009 void send_packet(node_t *n, vpn_packet_t *packet) {
1014 memcpy(DATA(packet), mymac.x, ETH_ALEN);
1016 n->out_bytes += packet->len;
1017 devops.write(packet);
1021 logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)",
1022 packet->len, n->name, n->hostname);
1024 if(!n->status.reachable) {
1025 logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable",
1026 n->name, n->hostname);
1031 n->out_bytes += packet->len;
1033 if(n->status.sptps) {
1034 send_sptps_packet(n, packet);
1038 via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
1041 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet to %s via %s (%s)",
1042 n->name, via->name, n->via->hostname);
1044 if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
1045 if(!send_tcppacket(via->connection, packet))
1046 terminate_connection(via->connection, true);
1048 send_udppacket(via, packet);
1051 /* Try to improve the tunnel.
1052 Note that we do this *after* we send the packet because sending actual packets take priority
1053 with regard to the send buffer space and latency. */
1057 /* Broadcast a packet using the minimum spanning tree */
1059 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
1060 // Always give ourself a copy of the packet.
1062 send_packet(myself, packet);
1064 // In TunnelServer mode, do not forward broadcast packets.
1065 // The MST might not be valid and create loops.
1066 if(tunnelserver || broadcast_mode == BMODE_NONE)
1069 logger(DEBUG_TRAFFIC, LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
1070 packet->len, from->name, from->hostname);
1072 switch(broadcast_mode) {
1073 // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
1074 // This guarantees all nodes receive the broadcast packet, and
1075 // usually distributes the sending of broadcast packets over all nodes.
1077 for list_each(connection_t, c, connection_list)
1078 if(c->edge && c->status.mst && c != from->nexthop->connection)
1079 send_packet(c->node, packet);
1082 // In direct mode, we send copies to each node we know of.
1083 // However, this only reaches nodes that can be reached in a single hop.
1084 // We don't have enough information to forward broadcast packets in this case.
1089 for splay_each(node_t, n, node_tree)
1090 if(n->status.reachable && n != myself && ((n->via == myself && n->nexthop == n) || n->via == n))
1091 send_packet(n, packet);
1099 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
1102 static time_t last_hard_try = 0;
1104 for splay_each(edge_t, e, edge_weight_tree) {
1105 if(!e->to->status.reachable || e->to == myself)
1108 if(sockaddrcmp_noport(from, &e->address)) {
1109 if(last_hard_try == now.tv_sec)
1114 if(!try_mac(e->to, pkt))
1122 last_hard_try = now.tv_sec;
1124 last_hard_try = now.tv_sec;
1128 void handle_incoming_vpn_data(void *data, int flags) {
1129 listen_socket_t *ls = data;
1132 node_id_t nullid = {};
1133 sockaddr_t addr = {};
1134 socklen_t addrlen = sizeof addr;
1136 bool direct = false;
1139 int len = recvfrom(ls->udp.fd, DATA(&pkt), MAXSIZE, 0, &addr.sa, &addrlen);
1141 if(len <= 0 || len > MAXSIZE) {
1142 if(!sockwouldblock(sockerrno))
1143 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
1149 sockaddrunmap(&addr); /* Some braindead IPv6 implementations do stupid things. */
1151 // Try to figure out who sent this packet.
1153 node_t *n = lookup_node_udp(&addr);
1156 // It might be from a 1.1 node, which might have a source ID in the packet.
1157 pkt.offset = 2 * sizeof(node_id_t);
1158 from = lookup_node_id(SRCID(&pkt));
1159 if(from && !memcmp(DSTID(&pkt), &nullid, sizeof nullid) && from->status.sptps) {
1160 if(sptps_verify_datagram(&from->sptps, DATA(&pkt), pkt.len - 2 * sizeof(node_id_t)))
1169 n = try_harder(&addr, &pkt);
1174 if(debug_level >= DEBUG_PROTOCOL) {
1175 hostname = sockaddr2hostname(&addr);
1176 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
1182 if(n->status.sptps) {
1183 pkt.offset = 2 * sizeof(node_id_t);
1185 if(!memcmp(DSTID(&pkt), &nullid, sizeof nullid)) {
1190 from = lookup_node_id(SRCID(&pkt));
1191 to = lookup_node_id(DSTID(&pkt));
1194 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from %s (%s) with unknown source and/or destination ID", n->name, n->hostname);
1199 send_sptps_data_priv(to, n, 0, DATA(&pkt), pkt.len - 2 * sizeof(node_id_t));
1208 if(!receive_udppacket(from, &pkt))
1211 n->sock = ls - listen_socket;
1212 if(direct && sockaddrcmp(&addr, &n->address))
1213 update_node_udp(n, &addr);
1216 void handle_device_data(void *data, int flags) {
1217 vpn_packet_t packet;
1218 packet.offset = DEFAULT_PACKET_OFFSET;
1219 packet.priority = 0;
1221 if(devops.read(&packet)) {
1222 myself->in_packets++;
1223 myself->in_bytes += packet.len;
1224 route(myself, &packet);