2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2022 Guus Sliepen <guus@tinc-vpn.org>
5 2010 Timothy Redaelli <timothy@redaelli.eu>
6 2010 Brandon Black <blblack@gmail.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
39 #include "address_cache.h"
42 #include "connection.h"
43 #include "compression.h"
58 /* The minimum size of a probe is 14 bytes, but since we normally use CBC mode
59 encryption, we can add a few extra random bytes without increasing the
60 resulting packet size. */
61 #define MIN_PROBE_SIZE 18
65 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
70 #ifdef HAVE_LZ4_BUILTIN
71 static LZ4_stream_t lz4_stream;
73 static void *lz4_state = NULL;
74 #endif // HAVE_LZ4_BUILTIN
78 static void send_udppacket(node_t *, vpn_packet_t *);
80 unsigned replaywin = 32;
81 bool localdiscovery = true;
82 bool udp_discovery = true;
83 int udp_discovery_keepalive_interval = 10;
84 int udp_discovery_interval = 2;
85 int udp_discovery_timeout = 30;
87 #define MAX_SEQNO 1073741824
89 static void try_fix_mtu(node_t *n) {
90 if(n->mtuprobes < 0) {
94 if(n->mtuprobes == 20 || n->minmtu >= n->maxmtu) {
95 if(n->minmtu > n->maxmtu) {
96 n->minmtu = n->maxmtu;
98 n->maxmtu = n->minmtu;
102 logger(DEBUG_TRAFFIC, LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
107 static void reduce_mtu(node_t *n, int mtu) {
112 if(n->maxmtu > mtu) {
123 static void udp_probe_timeout_handler(void *data) {
126 if(!n->status.udp_confirmed) {
130 logger(DEBUG_TRAFFIC, LOG_INFO, "Too much time has elapsed since last UDP ping response from %s (%s), stopping UDP communication", n->name, n->hostname);
131 n->status.udp_confirmed = false;
132 n->udp_ping_rtt = -1;
139 static void send_udp_probe_reply(node_t *n, vpn_packet_t *packet, length_t len) {
140 if(!n->status.sptps && !n->status.validkey) {
141 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP probe reply to %s (%s) but we don't have his key yet", n->name, n->hostname);
145 /* Type 2 probe replies were introduced in protocol 17.3 */
146 if((n->options >> 24) >= 3) {
148 uint16_t len16 = htons(len);
149 memcpy(DATA(packet) + 1, &len16, 2);
150 packet->len = MIN_PROBE_SIZE;
151 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending type 2 probe reply length %u to %s (%s)", len, n->name, n->hostname);
154 /* Legacy protocol: n won't understand type 2 probe replies. */
156 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending type 1 probe reply length %u to %s (%s)", len, n->name, n->hostname);
159 /* Temporarily set udp_confirmed, so that the reply is sent
160 back exactly the way it came in. */
162 bool udp_confirmed = n->status.udp_confirmed;
163 n->status.udp_confirmed = true;
164 send_udppacket(n, packet);
165 n->status.udp_confirmed = udp_confirmed;
168 static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
169 if(!DATA(packet)[0]) {
170 logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request %d from %s (%s)", packet->len, n->name, n->hostname);
171 send_udp_probe_reply(n, packet, len);
175 if(DATA(packet)[0] == 2) {
176 // It's a type 2 probe reply, use the length field inside the packet
178 memcpy(&len16, DATA(packet) + 1, 2);
182 if(n->status.ping_sent) { // a probe in flight
183 gettimeofday(&now, NULL);
185 timersub(&now, &n->udp_ping_sent, &rtt);
186 n->udp_ping_rtt = (int)(rtt.tv_sec * 1000000 + rtt.tv_usec);
187 n->status.ping_sent = false;
188 logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s) rtt=%d.%03d", DATA(packet)[0], len, n->name, n->hostname, n->udp_ping_rtt / 1000, n->udp_ping_rtt % 1000);
190 logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], len, n->name, n->hostname);
193 /* It's a valid reply: now we know bidirectional communication
194 is possible using the address and socket that the reply
196 if(!n->status.udp_confirmed) {
197 n->status.udp_confirmed = true;
199 if(!n->address_cache) {
200 n->address_cache = open_address_cache(n);
203 reset_address_cache(n->address_cache, &n->address);
206 // Reset the UDP ping timer.
209 timeout_del(&n->udp_ping_timeout);
210 timeout_add(&n->udp_ping_timeout, &udp_probe_timeout_handler, n, &(struct timeval) {
211 udp_discovery_timeout, 0
215 if(len > n->maxmtu) {
216 logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
219 /* Set mtuprobes to 1 so that try_mtu() doesn't reset maxmtu */
222 } else if(n->mtuprobes < 0 && len == n->maxmtu) {
223 /* We got a maxmtu sized packet, confirming the PMTU is still valid. */
225 n->mtu_ping_sent = now;
228 /* If applicable, raise the minimum supported MTU */
230 if(n->minmtu < len) {
237 static length_t compress_packet_lz4(uint8_t *dest, const uint8_t *source, length_t len) {
238 #ifdef HAVE_LZ4_BUILTIN
239 return LZ4_compress_fast_extState(&lz4_stream, (const char *) source, (char *) dest, len, MAXSIZE, 0);
242 /* @FIXME: Put this in a better place, and free() it too. */
243 if(lz4_state == NULL) {
244 lz4_state = malloc(LZ4_sizeofState());
247 if(lz4_state == NULL) {
248 logger(DEBUG_ALWAYS, LOG_ERR, "Failed to allocate lz4_state, error: %i", errno);
252 return LZ4_compress_fast_extState(lz4_state, (const char *) source, (char *) dest, len, MAXSIZE, 0);
253 #endif /* HAVE_LZ4_BUILTIN */
255 #endif /* HAVE_LZ4 */
258 static length_t compress_packet_lzo(uint8_t *dest, const uint8_t *source, length_t len, compression_level_t level) {
259 lzo_uint lzolen = MAXSIZE;
262 if(level == COMPRESS_LZO_HI) {
263 result = lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
264 } else { // level == COMPRESS_LZO_LO
265 result = lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
268 if(result == LZO_E_OK) {
276 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, compression_level_t level) {
281 return compress_packet_lz4(dest, source, len);
286 case COMPRESS_LZO_HI:
287 case COMPRESS_LZO_LO:
288 return compress_packet_lzo(dest, source, len, level);
292 case COMPRESS_ZLIB_9:
293 case COMPRESS_ZLIB_8:
294 case COMPRESS_ZLIB_7:
295 case COMPRESS_ZLIB_6:
296 case COMPRESS_ZLIB_5:
297 case COMPRESS_ZLIB_4:
298 case COMPRESS_ZLIB_3:
299 case COMPRESS_ZLIB_2:
300 case COMPRESS_ZLIB_1: {
301 unsigned long dest_len = MAXSIZE;
303 if(compress2(dest, &dest_len, source, len, level) == Z_OK) {
313 memcpy(dest, source, len);
321 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, compression_level_t level) {
326 return LZ4_decompress_safe((char *)source, (char *) dest, len, MAXSIZE);
331 case COMPRESS_LZO_HI:
332 case COMPRESS_LZO_LO: {
333 lzo_uint dst_len = MAXSIZE;
335 if(lzo1x_decompress_safe(source, len, dest, &dst_len, NULL) == LZO_E_OK) {
345 case COMPRESS_ZLIB_9:
346 case COMPRESS_ZLIB_8:
347 case COMPRESS_ZLIB_7:
348 case COMPRESS_ZLIB_6:
349 case COMPRESS_ZLIB_5:
350 case COMPRESS_ZLIB_4:
351 case COMPRESS_ZLIB_3:
352 case COMPRESS_ZLIB_2:
353 case COMPRESS_ZLIB_1: {
354 unsigned long destlen = MAXSIZE;
355 static z_stream stream;
358 inflateReset(&stream);
360 inflateInit(&stream);
363 stream.next_in = source;
364 stream.avail_in = len;
365 stream.next_out = dest;
366 stream.avail_out = destlen;
367 stream.total_out = 0;
369 if(inflate(&stream, Z_FINISH) == Z_STREAM_END) {
370 return stream.total_out;
379 memcpy(dest, source, len);
389 static void receive_packet(node_t *n, vpn_packet_t *packet) {
390 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
391 packet->len, n->name, n->hostname);
394 n->in_bytes += packet->len;
399 static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
400 if(n->status.sptps) {
401 return sptps_verify_datagram(&n->sptps, DATA(inpkt), inpkt->len);
404 #ifdef DISABLE_LEGACY
408 if(!n->status.validkey_in || !digest_active(n->indigest) || (size_t)inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) {
412 return digest_verify(n->indigest, inpkt->data, inpkt->len - digest_length(n->indigest), inpkt->data + inpkt->len - digest_length(n->indigest));
416 static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
417 if(n->status.sptps) {
418 if(!n->sptps.state) {
419 if(!n->status.waitingforkey) {
420 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but we haven't exchanged keys yet", n->name, n->hostname);
423 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
429 n->status.udppacket = true;
430 bool result = sptps_receive_data(&n->sptps, DATA(inpkt), inpkt->len);
431 n->status.udppacket = false;
434 /* Uh-oh. It might be that the tunnel is stuck in some corrupted state,
435 so let's restart SPTPS in case that helps. But don't do that too often
436 to prevent storms, and because that would make life a little too easy
437 for external attackers trying to DoS us. */
438 if(n->last_req_key < now.tv_sec - 10) {
439 logger(DEBUG_PROTOCOL, LOG_ERR, "Failed to decode raw TCP packet from %s (%s), restarting SPTPS", n->name, n->hostname);
449 #ifdef DISABLE_LEGACY
452 vpn_packet_t pkt1, pkt2;
453 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
456 pkt1.offset = DEFAULT_PACKET_OFFSET;
457 pkt2.offset = DEFAULT_PACKET_OFFSET;
459 if(!n->status.validkey_in) {
460 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
464 /* Check packet length */
466 if((size_t)inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) {
467 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
468 n->name, n->hostname);
472 /* It's a legacy UDP packet, the data starts after the seqno */
474 inpkt->offset += sizeof(seqno_t);
476 /* Check the message authentication code */
478 if(digest_active(n->indigest)) {
479 inpkt->len -= digest_length(n->indigest);
481 if(!digest_verify(n->indigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
482 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
487 /* Decrypt the packet */
489 if(cipher_active(n->incipher)) {
490 vpn_packet_t *outpkt = pkt[nextpkt++];
493 if(!cipher_decrypt(n->incipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
494 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
498 outpkt->len = outlen;
502 /* Check the sequence number */
505 memcpy(&seqno, SEQNO(inpkt), sizeof(seqno));
506 seqno = ntohl(seqno);
507 inpkt->len -= sizeof(seqno);
510 if(seqno != n->received_seqno + 1) {
511 if(seqno >= n->received_seqno + replaywin * 8) {
512 if(n->farfuture++ < replaywin >> 2) {
513 logger(DEBUG_TRAFFIC, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
514 n->name, n->hostname, seqno - n->received_seqno - 1, n->farfuture);
518 logger(DEBUG_TRAFFIC, LOG_WARNING, "Lost %d packets from %s (%s)",
519 seqno - n->received_seqno - 1, n->name, n->hostname);
520 memset(n->late, 0, replaywin);
521 } else if(seqno <= n->received_seqno) {
522 if((n->received_seqno >= replaywin * 8 && seqno <= n->received_seqno - replaywin * 8) || !(n->late[(seqno / 8) % replaywin] & (1 << seqno % 8))) {
523 logger(DEBUG_TRAFFIC, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
524 n->name, n->hostname, seqno, n->received_seqno);
528 for(seqno_t i = n->received_seqno + 1; i < seqno; i++) {
529 n->late[(i / 8) % replaywin] |= 1 << i % 8;
535 n->late[(seqno / 8) % replaywin] &= ~(1 << seqno % 8);
538 if(seqno > n->received_seqno) {
539 n->received_seqno = seqno;
544 if(n->received_seqno > MAX_SEQNO) {
548 /* Decompress the packet */
550 length_t origlen = inpkt->len;
552 if(n->incompression != COMPRESS_NONE) {
553 vpn_packet_t *outpkt = pkt[nextpkt++];
555 if(!(outpkt->len = uncompress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->incompression))) {
556 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)",
557 n->name, n->hostname);
563 if(origlen > MTU / 64 + 20) {
564 origlen -= MTU / 64 + 20;
570 if(inpkt->len > n->maxrecentlen) {
571 n->maxrecentlen = inpkt->len;
576 if(!DATA(inpkt)[12] && !DATA(inpkt)[13]) {
577 udp_probe_h(n, inpkt, origlen);
579 receive_packet(n, inpkt);
586 void receive_tcppacket(connection_t *c, const char *buffer, size_t len) {
588 outpkt.offset = DEFAULT_PACKET_OFFSET;
590 if(len > sizeof(outpkt.data) - outpkt.offset) {
596 if(c->options & OPTION_TCPONLY) {
599 outpkt.priority = -1;
602 memcpy(DATA(&outpkt), buffer, len);
604 receive_packet(c->node, &outpkt);
607 bool receive_tcppacket_sptps(connection_t *c, const char *data, size_t len) {
608 if(len < sizeof(node_id_t) + sizeof(node_id_t)) {
609 logger(DEBUG_PROTOCOL, LOG_ERR, "Got too short TCP SPTPS packet from %s (%s)", c->name, c->hostname);
613 node_t *to = lookup_node_id((node_id_t *)data);
614 data += sizeof(node_id_t);
615 len -= sizeof(node_id_t);
618 logger(DEBUG_PROTOCOL, LOG_ERR, "Got TCP SPTPS packet from %s (%s) with unknown destination ID", c->name, c->hostname);
622 node_t *from = lookup_node_id((node_id_t *)data);
623 data += sizeof(node_id_t);
624 len -= sizeof(node_id_t);
627 logger(DEBUG_PROTOCOL, LOG_ERR, "Got TCP SPTPS packet from %s (%s) with unknown source ID", c->name, c->hostname);
631 if(!to->status.reachable) {
632 /* This can happen in the form of a race condition
633 if the node just became unreachable. */
634 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot relay TCP packet from %s (%s) because the destination, %s (%s), is unreachable", from->name, from->hostname, to->name, to->hostname);
638 /* Help the sender reach us over UDP.
639 Note that we only do this if we're the destination or the static relay;
640 otherwise every hop would initiate its own UDP info message, resulting in elevated chatter. */
641 if(to->via == myself) {
642 send_udp_info(myself, from);
645 /* If we're not the final recipient, relay the packet. */
648 if(to->status.validkey) {
649 send_sptps_data(to, from, 0, data, len);
656 /* The packet is for us */
658 if(!sptps_receive_data(&from->sptps, data, len)) {
659 /* Uh-oh. It might be that the tunnel is stuck in some corrupted state,
660 so let's restart SPTPS in case that helps. But don't do that too often
661 to prevent storms. */
662 if(from->last_req_key < now.tv_sec - 10) {
663 logger(DEBUG_PROTOCOL, LOG_ERR, "Failed to decode raw TCP packet from %s (%s), restarting SPTPS", from->name, from->hostname);
670 send_mtu_info(myself, from, MTU);
674 static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
675 if(!n->status.validkey && !n->connection) {
682 if((!(DATA(origpkt)[12] | DATA(origpkt)[13])) && (n->sptps.outstate)) {
683 sptps_send_record(&n->sptps, PKT_PROBE, DATA(origpkt), origpkt->len);
687 if(routing_mode == RMODE_ROUTER) {
693 if(origpkt->len < offset) {
699 if(n->outcompression != COMPRESS_NONE) {
701 length_t len = compress_packet(DATA(&outpkt) + offset, DATA(origpkt) + offset, origpkt->len - offset, n->outcompression);
704 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
705 } else if(len < origpkt->len - offset) {
706 outpkt.len = len + offset;
708 type |= PKT_COMPRESSED;
712 /* If we have a direct metaconnection to n, and we can't use UDP, then
713 don't bother with SPTPS and just use a "plaintext" PACKET message.
714 We don't really care about end-to-end security since we're not
715 sending the message through any intermediate nodes. */
716 if(n->connection && origpkt->len > n->minmtu) {
717 send_tcppacket(n->connection, origpkt);
719 sptps_send_record(&n->sptps, type, DATA(origpkt) + offset, origpkt->len - offset);
723 static void adapt_socket(const sockaddr_t *sa, size_t *sock) {
724 /* Make sure we have a suitable socket for the chosen address */
725 if(listen_socket[*sock].sa.sa.sa_family != sa->sa.sa_family) {
726 for(int i = 0; i < listen_sockets; i++) {
727 if(listen_socket[i].sa.sa.sa_family == sa->sa.sa_family) {
735 static void choose_udp_address(const node_t *n, const sockaddr_t **sa, size_t *sock) {
740 /* If the UDP address is confirmed, use it. */
741 if(n->status.udp_confirmed) {
745 /* Send every third packet to n->address; that could be set
746 to the node's reflexive UDP address discovered during key
756 /* Otherwise, address are found in edges to this node.
757 So we pick a random edge and a random socket. */
760 unsigned int j = prng(n->edge_tree.count);
761 edge_t *candidate = NULL;
763 for splay_each(edge_t, e, &n->edge_tree) {
765 candidate = e->reverse;
771 *sa = &candidate->address;
772 *sock = prng(listen_sockets);
775 adapt_socket(*sa, sock);
778 static void choose_local_address(const node_t *n, const sockaddr_t **sa, size_t *sock) {
781 /* Pick one of the edges from this node at random, then use its local address. */
784 unsigned int j = prng(n->edge_tree.count);
785 edge_t *candidate = NULL;
787 for splay_each(edge_t, e, &n->edge_tree) {
794 if(candidate && candidate->local_address.sa.sa_family) {
795 *sa = &candidate->local_address;
796 *sock = prng(listen_sockets);
797 adapt_socket(*sa, sock);
801 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
802 if(!n->status.reachable) {
803 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
807 if(n->status.sptps) {
808 send_sptps_packet(n, origpkt);
812 #ifdef DISABLE_LEGACY
815 vpn_packet_t pkt1, pkt2;
816 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
817 vpn_packet_t *inpkt = origpkt;
819 vpn_packet_t *outpkt;
820 int origlen = origpkt->len;
822 int origpriority = origpkt->priority;
824 pkt1.offset = DEFAULT_PACKET_OFFSET;
825 pkt2.offset = DEFAULT_PACKET_OFFSET;
827 /* Make sure we have a valid key */
829 if(!n->status.validkey) {
830 logger(DEBUG_TRAFFIC, LOG_INFO,
831 "No valid key known yet for %s (%s), forwarding via TCP",
832 n->name, n->hostname);
833 send_tcppacket(n->nexthop->connection, origpkt);
837 if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (DATA(inpkt)[12] | DATA(inpkt)[13])) {
838 logger(DEBUG_TRAFFIC, LOG_INFO,
839 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
840 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
842 if(n != n->nexthop) {
843 send_packet(n->nexthop, origpkt);
845 send_tcppacket(n->nexthop->connection, origpkt);
851 /* Compress the packet */
853 if(n->outcompression != COMPRESS_NONE) {
854 outpkt = pkt[nextpkt++];
856 if(!(outpkt->len = compress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->outcompression))) {
857 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)",
858 n->name, n->hostname);
865 /* Add sequence number */
867 seqno_t seqno = htonl(++(n->sent_seqno));
868 memcpy(SEQNO(inpkt), &seqno, sizeof(seqno));
869 inpkt->len += sizeof(seqno);
871 /* Encrypt the packet */
873 if(cipher_active(n->outcipher)) {
874 outpkt = pkt[nextpkt++];
877 if(!cipher_encrypt(n->outcipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
878 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
882 outpkt->len = outlen;
886 /* Add the message authentication code */
888 if(digest_active(n->outdigest)) {
889 if(!digest_create(n->outdigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
890 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
894 inpkt->len += digest_length(n->outdigest);
897 /* Send the packet */
899 const sockaddr_t *sa = NULL;
902 if(n->status.send_locally) {
903 choose_local_address(n, &sa, &sock);
907 choose_udp_address(n, &sa, &sock);
910 if(priorityinheritance && origpriority != listen_socket[sock].priority) {
911 listen_socket[sock].priority = origpriority;
913 switch(sa->sa.sa_family) {
917 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting IPv4 outgoing packet priority to %d", origpriority);
919 if(setsockopt(listen_socket[sock].udp.fd, IPPROTO_IP, IP_TOS, (void *)&origpriority, sizeof(origpriority))) { /* SO_PRIORITY doesn't seem to work */
920 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
925 #if defined(IPV6_TCLASS)
928 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting IPv6 outgoing packet priority to %d", origpriority);
930 if(setsockopt(listen_socket[sock].udp.fd, IPPROTO_IPV6, IPV6_TCLASS, (void *)&origpriority, sizeof(origpriority))) { /* SO_PRIORITY doesn't seem to work */
931 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
942 if(sendto(listen_socket[sock].udp.fd, (void *)SEQNO(inpkt), inpkt->len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
943 if(sockmsgsize(sockerrno)) {
944 reduce_mtu(n, origlen - 1);
946 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
951 origpkt->len = origlen;
955 bool send_sptps_data(node_t *to, node_t *from, int type, const void *data, size_t len) {
956 size_t origlen = len - SPTPS_DATAGRAM_OVERHEAD;
957 node_t *relay = (to->via != myself && (type == PKT_PROBE || origlen <= to->via->minmtu)) ? to->via : to->nexthop;
958 bool direct = from == myself && to == relay;
959 bool relay_supported = (relay->options >> 24) >= 4;
960 bool tcponly = (myself->options | relay->options) & OPTION_TCPONLY;
962 /* Send it via TCP if it is a handshake packet, TCPOnly is in use, this is a relay packet that the other node cannot understand, or this packet is larger than the MTU. */
964 if(type == SPTPS_HANDSHAKE || tcponly || (!direct && !relay_supported) || (type != PKT_PROBE && origlen > relay->minmtu)) {
965 if(type != SPTPS_HANDSHAKE && (to->nexthop->connection->options >> 24) >= 7) {
966 const size_t buflen = len + sizeof(to->id) + sizeof(from->id);
967 uint8_t *buf = alloca(buflen);
968 uint8_t *buf_ptr = buf;
969 memcpy(buf_ptr, &to->id, sizeof(to->id));
970 buf_ptr += sizeof(to->id);
971 memcpy(buf_ptr, &from->id, sizeof(from->id));
972 buf_ptr += sizeof(from->id);
973 memcpy(buf_ptr, data, len);
974 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s) (TCP)", from->name, from->hostname, to->name, to->hostname, to->nexthop->name, to->nexthop->hostname);
975 return send_sptps_tcppacket(to->nexthop->connection, buf, buflen);
978 char *buf = alloca(B64_SIZE(len));
979 b64encode_tinc(data, buf, len);
981 /* If this is a handshake packet, use ANS_KEY instead of REQ_KEY, for two reasons:
982 - We don't want intermediate nodes to switch to UDP to relay these packets;
983 - ANS_KEY allows us to learn the reflexive UDP address. */
984 if(type == SPTPS_HANDSHAKE) {
985 to->incompression = myself->incompression;
986 return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, from->name, to->name, buf, to->incompression);
988 return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, from->name, to->name, SPTPS_PACKET, buf);
994 if(relay_supported) {
995 overhead += sizeof(to->id) + sizeof(from->id);
998 char *buf = alloca(len + overhead);
1001 if(relay_supported) {
1003 /* Inform the recipient that this packet was sent directly. */
1004 node_id_t nullid = {0};
1005 memcpy(buf_ptr, &nullid, sizeof(nullid));
1006 buf_ptr += sizeof(nullid);
1008 memcpy(buf_ptr, &to->id, sizeof(to->id));
1009 buf_ptr += sizeof(to->id);
1012 memcpy(buf_ptr, &from->id, sizeof(from->id));
1013 buf_ptr += sizeof(from->id);
1017 /* TODO: if this copy turns out to be a performance concern, change sptps_send_record() to add some "pre-padding" to the buffer and use that instead */
1018 memcpy(buf_ptr, data, len);
1021 const sockaddr_t *sa = NULL;
1024 if(relay->status.send_locally) {
1025 choose_local_address(relay, &sa, &sock);
1029 choose_udp_address(relay, &sa, &sock);
1032 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s) (UDP)", from->name, from->hostname, to->name, to->hostname, relay->name, relay->hostname);
1034 if(sendto(listen_socket[sock].udp.fd, buf, buf_ptr - buf, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
1035 if(sockmsgsize(sockerrno)) {
1036 reduce_mtu(relay, (int)origlen - 1);
1038 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", relay->name, relay->hostname, sockstrerror(sockerrno));
1046 bool receive_sptps_record(void *handle, uint8_t type, const void *data, uint16_t len) {
1047 node_t *from = handle;
1049 if(type == SPTPS_HANDSHAKE) {
1050 if(!from->status.validkey) {
1051 from->status.validkey = true;
1052 from->status.waitingforkey = false;
1053 logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) successful", from->name, from->hostname);
1060 logger(DEBUG_ALWAYS, LOG_ERR, "Packet from %s (%s) larger than maximum supported size (%d > %d)", from->name, from->hostname, len, MTU);
1065 inpkt.offset = DEFAULT_PACKET_OFFSET;
1068 if(type == PKT_PROBE) {
1069 if(!from->status.udppacket) {
1070 logger(DEBUG_ALWAYS, LOG_ERR, "Got SPTPS PROBE packet from %s (%s) via TCP", from->name, from->hostname);
1075 memcpy(DATA(&inpkt), data, len);
1077 if(inpkt.len > from->maxrecentlen) {
1078 from->maxrecentlen = inpkt.len;
1081 udp_probe_h(from, &inpkt, len);
1085 if(type & ~(PKT_COMPRESSED | PKT_MAC)) {
1086 logger(DEBUG_ALWAYS, LOG_ERR, "Unexpected SPTPS record type %d len %d from %s (%s)", type, len, from->name, from->hostname);
1090 /* Check if we have the headers we need */
1091 if(routing_mode != RMODE_ROUTER && !(type & PKT_MAC)) {
1092 logger(DEBUG_TRAFFIC, LOG_ERR, "Received packet from %s (%s) without MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
1094 } else if(routing_mode == RMODE_ROUTER && (type & PKT_MAC)) {
1095 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received packet from %s (%s) with MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
1098 int offset = (type & PKT_MAC) ? 0 : 14;
1100 if(type & PKT_COMPRESSED) {
1101 length_t ulen = uncompress_packet(DATA(&inpkt) + offset, (const uint8_t *)data, len, from->incompression);
1106 inpkt.len = ulen + offset;
1109 if(inpkt.len > MAXSIZE) {
1113 memcpy(DATA(&inpkt) + offset, data, len);
1114 inpkt.len = len + offset;
1117 /* Generate the Ethernet packet type if necessary */
1119 switch(DATA(&inpkt)[14] >> 4) {
1121 DATA(&inpkt)[12] = 0x08;
1122 DATA(&inpkt)[13] = 0x00;
1126 DATA(&inpkt)[12] = 0x86;
1127 DATA(&inpkt)[13] = 0xDD;
1131 logger(DEBUG_TRAFFIC, LOG_ERR,
1132 "Unknown IP version %d while reading packet from %s (%s)",
1133 DATA(&inpkt)[14] >> 4, from->name, from->hostname);
1138 if(from->status.udppacket && inpkt.len > from->maxrecentlen) {
1139 from->maxrecentlen = inpkt.len;
1142 receive_packet(from, &inpkt);
1146 // This function tries to get SPTPS keys, if they aren't already known.
1147 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if the keys are available.
1148 static void try_sptps(node_t *n) {
1149 if(n->status.validkey) {
1153 logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
1155 if(!n->status.waitingforkey) {
1157 } else if(n->last_req_key + 10 < now.tv_sec) {
1158 logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
1159 sptps_stop(&n->sptps);
1160 n->status.waitingforkey = false;
1167 static void send_udp_probe_packet(node_t *n, size_t len) {
1168 vpn_packet_t packet;
1170 if(len > sizeof(packet.data)) {
1171 logger(DEBUG_TRAFFIC, LOG_INFO, "Truncating probe length %lu to %s (%s)", (unsigned long)len, n->name, n->hostname);
1172 len = sizeof(packet.data);
1175 len = MAX(len, MIN_PROBE_SIZE);
1176 packet.offset = DEFAULT_PACKET_OFFSET;
1177 memset(DATA(&packet), 0, 14);
1178 randomize(DATA(&packet) + 14, len - 14);
1180 packet.priority = 0;
1182 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending UDP probe length %lu to %s (%s)", (unsigned long)len, n->name, n->hostname);
1184 send_udppacket(n, &packet);
1187 // This function tries to establish a UDP tunnel to a node so that packets can be sent.
1188 // If a tunnel is already established, it makes sure it stays up.
1189 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if UDP is usable.
1190 static void try_udp(node_t *n) {
1191 if(!udp_discovery) {
1195 /* Send gratuitous probe replies to 1.1 nodes. */
1197 if((n->options >> 24) >= 3 && n->status.udp_confirmed) {
1198 struct timeval ping_tx_elapsed;
1199 timersub(&now, &n->udp_reply_sent, &ping_tx_elapsed);
1201 if(ping_tx_elapsed.tv_sec >= udp_discovery_keepalive_interval - 1) {
1202 n->udp_reply_sent = now;
1204 if(n->maxrecentlen) {
1206 pkt.len = n->maxrecentlen;
1207 pkt.offset = DEFAULT_PACKET_OFFSET;
1208 memset(DATA(&pkt), 0, 14);
1209 randomize(DATA(&pkt) + 14, MIN_PROBE_SIZE - 14);
1210 send_udp_probe_reply(n, &pkt, pkt.len);
1211 n->maxrecentlen = 0;
1218 struct timeval ping_tx_elapsed;
1219 timersub(&now, &n->udp_ping_sent, &ping_tx_elapsed);
1221 int interval = n->status.udp_confirmed
1222 ? udp_discovery_keepalive_interval
1223 : udp_discovery_interval;
1225 if(ping_tx_elapsed.tv_sec >= interval) {
1226 gettimeofday(&now, NULL);
1227 n->udp_ping_sent = now; // a probe in flight
1228 n->status.ping_sent = true;
1229 send_udp_probe_packet(n, MIN_PROBE_SIZE);
1231 if(localdiscovery && !n->status.udp_confirmed && n->prevedge) {
1232 n->status.send_locally = true;
1233 send_udp_probe_packet(n, MIN_PROBE_SIZE);
1234 n->status.send_locally = false;
1239 static length_t choose_initial_maxmtu(node_t *n) {
1244 const sockaddr_t *sa = NULL;
1246 choose_udp_address(n, &sa, &sockindex);
1252 sock = socket(sa->sa.sa_family, SOCK_DGRAM, IPPROTO_UDP);
1255 logger(DEBUG_TRAFFIC, LOG_ERR, "Creating MTU assessment socket for %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
1259 if(connect(sock, &sa->sa, SALEN(sa->sa))) {
1260 logger(DEBUG_TRAFFIC, LOG_ERR, "Connecting MTU assessment socket for %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
1266 socklen_t ip_mtu_len = sizeof(ip_mtu);
1268 if(getsockopt(sock, IPPROTO_IP, IP_MTU, (void *)&ip_mtu, &ip_mtu_len)) {
1269 logger(DEBUG_TRAFFIC, LOG_ERR, "getsockopt(IP_MTU) on %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
1276 if(ip_mtu < MINMTU) {
1277 logger(DEBUG_TRAFFIC, LOG_ERR, "getsockopt(IP_MTU) on %s (%s) returned absurdly small value: %d", n->name, n->hostname, ip_mtu);
1281 /* getsockopt(IP_MTU) returns the MTU of the physical interface.
1282 We need to remove various overheads to get to the tinc MTU. */
1283 length_t mtu = ip_mtu;
1284 mtu -= (sa->sa.sa_family == AF_INET6) ? sizeof(struct ip6_hdr) : sizeof(struct ip);
1287 if(n->status.sptps) {
1288 mtu -= SPTPS_DATAGRAM_OVERHEAD;
1290 if((n->options >> 24) >= 4) {
1291 mtu -= sizeof(node_id_t) + sizeof(node_id_t);
1294 #ifndef DISABLE_LEGACY
1296 mtu -= digest_length(n->outdigest);
1298 /* Now it's tricky. We use CBC mode, so the length of the
1299 encrypted payload must be a multiple of the blocksize. The
1300 sequence number is also part of the encrypted payload, so we
1301 must account for it after correcting for the blocksize.
1302 Furthermore, the padding in the last block must be at least
1305 length_t blocksize = cipher_blocksize(n->outcipher);
1321 logger(DEBUG_TRAFFIC, LOG_INFO, "Using system-provided maximum tinc MTU for %s (%s): %hd", n->name, n->hostname, mtu);
1330 /* This function tries to determines the MTU of a node.
1331 By calling this function repeatedly, n->minmtu will be progressively
1332 increased, and at some point, n->mtu will be fixed to n->minmtu. If the MTU
1333 is already fixed, this function checks if it can be increased.
1336 static void try_mtu(node_t *n) {
1337 if(!(n->options & OPTION_PMTU_DISCOVERY)) {
1341 if(udp_discovery && !n->status.udp_confirmed) {
1342 n->maxrecentlen = 0;
1349 /* mtuprobes == 0..19: initial discovery, send bursts with 1 second interval, mtuprobes++
1350 mtuprobes == 20: fix MTU, and go to -1
1351 mtuprobes == -1: send one maxmtu and one maxmtu+1 probe every pinginterval
1352 mtuprobes ==-2..-3: send one maxmtu probe every second
1353 mtuprobes == -4: maxmtu no longer valid, reset minmtu and maxmtu and go to 0 */
1355 struct timeval elapsed;
1356 timersub(&now, &n->mtu_ping_sent, &elapsed);
1358 if(n->mtuprobes >= 0) {
1359 if(n->mtuprobes != 0 && elapsed.tv_sec == 0 && elapsed.tv_usec < 333333) {
1363 if(n->mtuprobes < -1) {
1364 if(elapsed.tv_sec < 1) {
1368 if(elapsed.tv_sec < pinginterval) {
1374 n->mtu_ping_sent = now;
1378 if(n->mtuprobes < -3) {
1379 /* We lost three MTU probes, restart discovery */
1380 logger(DEBUG_TRAFFIC, LOG_INFO, "Decrease in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
1385 if(n->mtuprobes < 0) {
1386 /* After the initial discovery, we only send one maxmtu and one
1387 maxmtu+1 probe to detect PMTU increases. */
1388 send_udp_probe_packet(n, n->maxmtu);
1390 if(n->mtuprobes == -1 && n->maxmtu + 1 < MTU) {
1391 send_udp_probe_packet(n, n->maxmtu + 1);
1396 /* Before initial discovery begins, set maxmtu to the most likely value.
1397 If it's underestimated, we will correct it after initial discovery. */
1398 if(n->mtuprobes == 0) {
1399 n->maxmtu = choose_initial_maxmtu(n);
1403 /* Decreasing the number of probes per cycle might make the algorithm react faster to lost packets,
1404 but it will typically increase convergence time in the no-loss case. */
1405 const length_t probes_per_cycle = 8;
1407 /* This magic value was determined using math simulations.
1408 It will result in a 1329-byte first probe, followed (if there was a reply) by a 1407-byte probe.
1409 Since 1407 is just below the range of tinc MTUs over typical networks,
1410 this fine-tuning allows tinc to cover a lot of ground very quickly.
1411 This fine-tuning is only valid for maxmtu = MTU; if maxmtu is smaller,
1412 then it's better to use a multiplier of 1. Indeed, this leads to an interesting scenario
1413 if choose_initial_maxmtu() returns the actual MTU value - it will get confirmed with one single probe. */
1414 const float multiplier = (n->maxmtu == MTU) ? 0.97f : 1.0f;
1416 const float cycle_position = (float) probes_per_cycle - (float)(n->mtuprobes % probes_per_cycle) - 1.0f;
1417 const length_t minmtu = MAX(n->minmtu, MINMTU);
1418 const float interval = (float)(n->maxmtu - minmtu);
1420 length_t offset = 0;
1422 /* powf can be underflowed if n->maxmtu is less than 512 due to the minmtu MAX bound */
1424 /* The core of the discovery algorithm is this exponential.
1425 It produces very large probes early in the cycle, and then it very quickly decreases the probe size.
1426 This reflects the fact that in the most difficult cases, we don't get any feedback for probes that
1427 are too large, and therefore we need to concentrate on small offsets so that we can quickly converge
1428 on the precise MTU as we are approaching it.
1429 The last probe of the cycle is always 1 byte in size - this is to make sure we'll get at least one
1430 reply per cycle so that we can make progress. */
1431 offset = lrintf(powf(interval, multiplier * cycle_position / (float)(probes_per_cycle - 1)));
1434 length_t maxmtu = n->maxmtu;
1435 send_udp_probe_packet(n, minmtu + offset);
1437 /* If maxmtu changed, it means the probe was rejected by the system because it was too large.
1438 In that case, we recalculate with the new maxmtu and try again. */
1439 if(n->mtuprobes < 0 || maxmtu == n->maxmtu) {
1444 if(n->mtuprobes >= 0) {
1450 /* These functions try to establish a tunnel to a node (or its relay) so that
1451 packets can be sent (e.g. exchange keys).
1452 If a tunnel is already established, it tries to improve it (e.g. by trying
1453 to establish a UDP tunnel instead of TCP). This function makes no
1454 guarantees - it is up to the caller to check the node's state to figure out
1455 if TCP and/or UDP is usable. By calling this function repeatedly, the
1456 tunnel is gradually improved until we hit the wall imposed by the underlying
1457 network environment. It is recommended to call this function every time a
1458 packet is sent (or intended to be sent) to a node, so that the tunnel keeps
1459 improving as packets flow, and then gracefully downgrades itself as it goes
1463 static void try_tx_sptps(node_t *n, bool mtu) {
1464 /* If n is a TCP-only neighbor, we'll only use "cleartext" PACKET
1465 messages anyway, so there's no need for SPTPS at all. */
1467 if(n->connection && ((myself->options | n->options) & OPTION_TCPONLY)) {
1471 /* Otherwise, try to do SPTPS authentication with n if necessary. */
1475 /* Do we need to statically relay packets? */
1477 node_t *via = (n->via == myself) ? n->nexthop : n->via;
1479 /* If we do have a static relay, try everything with that one instead, if it supports relaying. */
1482 if((via->options >> 24) < 4) {
1490 /* Otherwise, try to establish UDP connectivity. */
1498 /* If we don't have UDP connectivity (yet), we need to use a dynamic relay (nexthop)
1499 while we try to establish direct connectivity. */
1501 if(!n->status.udp_confirmed && n != n->nexthop && (n->nexthop->options >> 24) >= 4) {
1502 try_tx(n->nexthop, mtu);
1506 static void try_tx_legacy(node_t *n, bool mtu) {
1507 /* Does he have our key? If not, send one. */
1509 if(!n->status.validkey_in) {
1513 /* Check if we already have a key, or request one. */
1515 if(!n->status.validkey) {
1516 if(n->last_req_key + 10 <= now.tv_sec) {
1518 n->last_req_key = now.tv_sec;
1531 void try_tx(node_t *n, bool mtu) {
1532 if(!n->status.reachable) {
1536 if(n->status.sptps) {
1537 try_tx_sptps(n, mtu);
1539 try_tx_legacy(n, mtu);
1543 void send_packet(node_t *n, vpn_packet_t *packet) {
1544 // If it's for myself, write it to the tun/tap device.
1548 memcpy(DATA(packet), mymac.x, ETH_ALEN);
1549 // Use an arbitrary fake source address.
1550 memcpy(DATA(packet) + ETH_ALEN, DATA(packet), ETH_ALEN);
1551 DATA(packet)[ETH_ALEN * 2 - 1] ^= 0xFF;
1555 n->out_bytes += packet->len;
1556 devops.write(packet);
1560 logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)", packet->len, n->name, n->hostname);
1562 // If the node is not reachable, drop it.
1564 if(!n->status.reachable) {
1565 logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable", n->name, n->hostname);
1569 // Keep track of packet statistics.
1572 n->out_bytes += packet->len;
1574 // Check if it should be sent as an SPTPS packet.
1576 if(n->status.sptps) {
1577 send_sptps_packet(n, packet);
1582 // Determine which node to actually send it to.
1584 node_t *via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
1587 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet to %s via %s (%s)", n->name, via->name, n->via->hostname);
1590 // Try to send via UDP, unless TCP is forced.
1592 if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
1593 if(!send_tcppacket(via->connection, packet)) {
1594 terminate_connection(via->connection, true);
1600 send_udppacket(via, packet);
1604 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
1605 // Always give ourself a copy of the packet.
1606 if(from != myself) {
1607 send_packet(myself, packet);
1610 // In TunnelServer mode, do not forward broadcast packets.
1611 // The MST might not be valid and create loops.
1612 if(tunnelserver || broadcast_mode == BMODE_NONE) {
1616 logger(DEBUG_TRAFFIC, LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
1617 packet->len, from->name, from->hostname);
1619 switch(broadcast_mode) {
1620 // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
1621 // This guarantees all nodes receive the broadcast packet, and
1622 // usually distributes the sending of broadcast packets over all nodes.
1624 for list_each(connection_t, c, &connection_list)
1625 if(c->edge && c->status.mst && c != from->nexthop->connection) {
1626 send_packet(c->node, packet);
1631 // In direct mode, we send copies to each node we know of.
1632 // However, this only reaches nodes that can be reached in a single hop.
1633 // We don't have enough information to forward broadcast packets in this case.
1635 if(from != myself) {
1639 for splay_each(node_t, n, &node_tree)
1640 if(n->status.reachable && n != myself && ((n->via == myself && n->nexthop == n) || n->via == n)) {
1641 send_packet(n, packet);
1652 /* We got a packet from some IP address, but we don't know who sent it. Try to
1653 verify the message authentication code against all active session keys.
1654 Since this is actually an expensive operation, we only do a full check once
1655 a minute, the rest of the time we only check against nodes for which we know
1656 an IP address that matches the one from the packet. */
1658 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
1659 node_t *match = NULL;
1661 static time_t last_hard_try = 0;
1663 for splay_each(node_t, n, &node_tree) {
1664 if(!n->status.reachable || n == myself) {
1668 if(!n->status.validkey_in && !(n->status.sptps && n->sptps.instate)) {
1674 for splay_each(edge_t, e, &n->edge_tree) {
1679 if(!sockaddrcmp_noport(from, &e->reverse->address)) {
1686 if(last_hard_try == now.tv_sec) {
1693 if(!try_mac(n, pkt)) {
1702 last_hard_try = now.tv_sec;
1708 static void handle_incoming_vpn_packet(listen_socket_t *ls, vpn_packet_t *pkt, sockaddr_t *addr) {
1710 node_id_t nullid = {0};
1712 bool direct = false;
1714 sockaddrunmap(addr); /* Some braindead IPv6 implementations do stupid things. */
1716 // Try to figure out who sent this packet.
1718 node_t *n = lookup_node_udp(addr);
1720 if(n && !n->status.udp_confirmed) {
1721 n = NULL; // Don't believe it if we don't have confirmation yet.
1725 // It might be from a 1.1 node, which might have a source ID in the packet.
1726 pkt->offset = 2 * sizeof(node_id_t);
1727 from = lookup_node_id(SRCID(pkt));
1729 if(from && from->status.sptps && !memcmp(DSTID(pkt), &nullid, sizeof(nullid))) {
1730 if(sptps_verify_datagram(&from->sptps, DATA(pkt), pkt->len - 2 * sizeof(node_id_t))) {
1740 n = try_harder(addr, pkt);
1746 if(debug_level >= DEBUG_PROTOCOL) {
1747 hostname = sockaddr2hostname(addr);
1748 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
1757 if(n->status.sptps) {
1758 bool relay_enabled = (n->options >> 24) >= 4;
1761 pkt->offset = 2 * sizeof(node_id_t);
1762 pkt->len -= pkt->offset;
1765 if(!relay_enabled || !memcmp(DSTID(pkt), &nullid, sizeof(nullid))) {
1770 from = lookup_node_id(SRCID(pkt));
1771 to = lookup_node_id(DSTID(pkt));
1775 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from %s (%s) with unknown source and/or destination ID", n->name, n->hostname);
1779 if(!to->status.reachable) {
1780 /* This can happen in the form of a race condition
1781 if the node just became unreachable. */
1782 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot relay packet from %s (%s) because the destination, %s (%s), is unreachable", from->name, from->hostname, to->name, to->hostname);
1786 /* The packet is supposed to come from the originator or its static relay
1787 (i.e. with no dynamic relays in between).
1788 If it did not, "help" the static relay by sending it UDP info.
1789 Note that we only do this if we're the destination or the static relay;
1790 otherwise every hop would initiate its own UDP info message, resulting in elevated chatter. */
1792 if(n != from->via && to->via == myself) {
1793 send_udp_info(myself, from);
1796 /* If we're not the final recipient, relay the packet. */
1799 send_sptps_data(to, from, 0, DATA(pkt), pkt->len);
1808 if(!receive_udppacket(from, pkt)) {
1812 n->sock = ls - listen_socket;
1814 if(direct && sockaddrcmp(addr, &n->address)) {
1815 update_node_udp(n, addr);
1818 /* If the packet went through a relay, help the sender find the appropriate MTU
1819 through the relay path. */
1822 send_mtu_info(myself, n, MTU);
1826 void handle_incoming_vpn_data(void *data, int flags) {
1829 listen_socket_t *ls = data;
1831 #ifdef HAVE_RECVMMSG
1833 static ssize_t num = MAX_MSG;
1834 static vpn_packet_t pkt[MAX_MSG];
1835 static sockaddr_t addr[MAX_MSG];
1836 static struct mmsghdr msg[MAX_MSG];
1837 static struct iovec iov[MAX_MSG];
1839 for(int i = 0; i < num; i++) {
1842 iov[i] = (struct iovec) {
1843 .iov_base = DATA(&pkt[i]),
1847 msg[i].msg_hdr = (struct msghdr) {
1848 .msg_name = &addr[i].sa,
1849 .msg_namelen = sizeof(addr)[i],
1855 num = recvmmsg(ls->udp.fd, msg, MAX_MSG, MSG_DONTWAIT, NULL);
1858 if(!sockwouldblock(sockerrno)) {
1859 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
1865 for(int i = 0; i < num; i++) {
1866 pkt[i].len = msg[i].msg_len;
1868 if(pkt[i].len <= 0 || pkt[i].len > MAXSIZE) {
1872 handle_incoming_vpn_packet(ls, &pkt[i], &addr[i]);
1877 sockaddr_t addr = {0};
1878 socklen_t addrlen = sizeof(addr);
1881 ssize_t len = recvfrom(ls->udp.fd, (void *)DATA(&pkt), MAXSIZE, 0, &addr.sa, &addrlen);
1883 if(len <= 0 || (size_t)len > MAXSIZE) {
1884 if(!sockwouldblock(sockerrno)) {
1885 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
1893 handle_incoming_vpn_packet(ls, &pkt, &addr);
1897 void handle_device_data(void *data, int flags) {
1900 vpn_packet_t packet;
1901 packet.offset = DEFAULT_PACKET_OFFSET;
1902 packet.priority = 0;
1903 static int errors = 0;
1905 if(devops.read(&packet)) {
1907 myself->in_packets++;
1908 myself->in_bytes += packet.len;
1909 route(myself, &packet);
1911 sleep_millis(errors * 50);
1915 logger(DEBUG_ALWAYS, LOG_ERR, "Too many errors from %s, exiting!", device);
projects / tinc / blob